Add ForceAuth plugin (#595)

9 years ago · ac3b040223
parent f114992187
commit ac3b040223
3 changed files with 52 additions and 5 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugins.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugins.pm
@ -54,6 +54,7 @@ sub enabledPlugins {
    # TODO: write these plugins
    push @res, '::Plugins::GrantSession' if ( $self->conf->{grantSessionRule} );
    push @res, '::Plugins::CDA'          if ( $self->conf->{cda} );
+    push @res, '::Plugins::ForceAuth'    if ( $self->conf->{portalForceAuthn} );

    if ( my $p = $self->conf->{passwordDB} ) {
        push @res, "::Password::$p" if ( $p ne 'Null' );
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@ -61,9 +61,9 @@ sub login {
    return $self->do(
        $req,
        [
-            'controlUrl',  @{ $self->beforeAuth },
-            &authProcess,  @{ $self->betweenAuthAndDatas },
-            &sessionDatas, @{ $self->afterDatas },
+            'controlUrl',        @{ $self->beforeAuth },
+            $self->authProcess,  @{ $self->betweenAuthAndDatas },
+            $self->sessionDatas, @{ $self->afterDatas },
        ]
    );
 }
@ -74,8 +74,8 @@ sub postLogin {
        $req,
        [
            'restoreArgs',                   'controlUrl',
-            @{ $self->beforeAuth },          &authProcess,
-            @{ $self->betweenAuthAndDatas }, &sessionDatas,
+            @{ $self->beforeAuth },          $self->authProcess,
+            @{ $self->betweenAuthAndDatas }, $self->sessionDatas,
            @{ $self->afterDatas },
        ]
    );
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ForceAuth.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/ForceAuth.pm
@ -0,0 +1,46 @@
+package Lemonldap::NG::Portal::Plugins::ForceAuth;
+
+use strict;
+use Mouse;
+use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);
+
+extends 'Lemonldap::NG::Portal::Main::Plugin';
+
+our $VERSION = '2.0.0';
+
+sub init { 1 }
+
+sub forAuthUser { 'forceAuth' }
+
+sub forceAuth {
+    my ( $self, $req ) = @_;
+
+    # Don't force authentication if password is going to be changed
+    return PE_OK if ( $req->param('newpassword') );
+
+    # Do not force authentication if last successful authentication is recent
+    my $last_authn_utime = $req->{sessionInfo}->{_lastAuthnUTime} || 0;
+    if ( time() - $last_authn_utime < $self->{portalForceAuthnInterval} ) {
+        $self->lmLog(
+"Authentication is recent, so do not force authentication for session $req->id",
+            'debug'
+        );
+    }
+    else {
+
+        # Else, launch authentication process
+        $self->lmLog( "Force reauthentication for session $req->id", 'debug' );
+        $req->steps(
+            [
+                @{ $self->p->beforeAuth },
+                $self->p->authProcess,
+                @{ $self->p->betweenAuthAndDatas },
+                $self->p->sessionDatas,
+                @{ $self->p->afterDatas }
+            ]
+        );
+    }
+    return PE_OK;
+}
+
+1