UTOTP auth part works (#1391)

7 years ago · ffcc5dbd3e
parent fc5f7f5a65
commit ffcc5dbd3e
5 changed files with 66 additions and 30 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm
@ -34,7 +34,7 @@ sub init {
    my ($self) = @_;

    # Set default 2F list
-    $self->conf->{available2F}                 ||= 'TOTP,U2F,REST,Ext2F';
+    $self->conf->{available2F}                 ||= 'UTOTP,TOTP,U2F,REST,Ext2F';
    $self->conf->{available2FSelfRegistration} ||= 'TOTP,U2F';

    # Load 2F modules
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/UTOTP.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/UTOTP.pm
@ -7,13 +7,13 @@ use Lemonldap::NG::Portal::Main::Constants qw(

 our $VERSION = '2.0.0';

-extends 'Lemonldap::NG::Portal::Main::Plugin';
+extends 'Lemonldap::NG::Portal::Main::SecondFactor';

 # INITIALIZATION

-has prefix => ( is => 'ro', default => 'totp' );
+has prefix => ( is => 'ro', default => 'utotp' );

-has logo => ( is => 'rw', default => 'totp.png' );
+has logo => ( is => 'rw', default => 'utotp.png' );

 has u2f => ( is => 'rw' );

@ -27,13 +27,23 @@ use Lemonldap::NG::Portal::Main::Constants qw(

 sub init {
    my ($self) = @_;
+    if (    $self->conf->{utotp2fSelfRegistration}
+        and $self->conf->{utotp2fActivation} eq '1' )
+    {
+        $self->conf->{utotp2fActivation} =
+          '$_totp2fSecret or $_u2fKeyHandle and $_u2fUserKey';
+    }
    foreach (qw(U2F TOTP)) {
-        unless ( $self->{ lc($_) } = $self->p->loadPlugin("::2F::$_") ) {
+        # Arg "noRoute" is set for sub 2F modules to avoid enabling direct
+        # REST routes
+        unless ( $self->{ lc($_) } =
+            $self->p->loadModule( "::2F::$_", undef, noRoute => 1 ) )
+        {
            $self->error("Unable to load ::2F::$_");
            return 0;
        }
    }
-    return 1;
+    return $self->SUPER::init();
 }

 # RUNNING METHODS
@ -61,12 +71,14 @@ sub verify {
    my ( $self, $req, $session ) = @_;
    my ($r1);
    if ( $req->param('signature') ) {
+        $self->logger->debug('UTOTP: U2F response detected');
        my $r1 = $self->u2f->verify( $req, $session );
        if ( $r1 == PE_OK ) {
            return PE_OK;
        }
    }
    if ( $req->param('code') ) {
+        $self->logger->debug('UTOTP: TOTP response detected');
        return $self->totp->verify( $req, $session );
    }
    return ( $r1 ? $r1 : PE_FORMEMPTY );
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
@ -348,7 +348,7 @@ sub findEP {
 }

 sub loadModule {
-    my ( $self, $module, $conf ) = @_;
+    my ( $self, $module, $conf, %args ) = @_;
    $conf //= $self->conf;
    my $obj;
    $module = "Lemonldap::NG::Portal$module" if ( $module =~ /^::/ );
@ -359,7 +359,7 @@ sub loadModule {
        return 0;
    }
    eval {
-        $obj = $module->new( { p => $self, conf => $conf } );
+        $obj = $module->new( { p => $self, conf => $conf, %args } );
        $self->logger->debug("Module $module loaded");
    };
    if ($@) {
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm
@ -28,10 +28,20 @@ has prefix => ( is => 'rw' );

 has logo => ( is => 'rw', default => '2f.png' );

+has noRoute => ( is => 'ro' );
+
 sub init {
    my ($self) = @_;
-    $self->addUnauthRoute( $self->prefix . '2fcheck' => '_verify',   ['POST'] );
-    $self->addUnauthRoute( $self->prefix . '2fcheck' => '_redirect', ['GET'] );
+    unless ( $self->noRoute ) {
+        $self->addUnauthRoute(
+            $self->prefix . '2fcheck' => '_verify',
+            ['POST']
+        );
+        $self->addUnauthRoute(
+            $self->prefix . '2fcheck' => '_redirect',
+            ['GET']
+        );
+    }
    1;
 }

--- a/lemonldap-ng-portal/site/templates/bootstrap/utotp2fcheck.tpl
+++ b/lemonldap-ng-portal/site/templates/bootstrap/utotp2fcheck.tpl
@ -10,20 +10,40 @@
  <p trspan="u2fFailed"></p>
 </TMPL_IF>

-<TMPL_IF NAME="CHALLENGE">
-  <div class="message message-positive alert"><span trspan="touchU2fDeviceOrEnterTotp"></span></div>
-  <form id="verify-form" action="/2fregisters/utotp" method="post">
-    <input type="hidden" id="verify-data" name="signature" value="">
-    <input type="hidden" id="verify-challenge" name="challenge" value="">
-    <input type="hidden" id="token" name="token" value="<TMPL_VAR NAME="TOKEN">">
-  </form>
-  <script type="application/init">
-  <TMPL_VAR NAME="CHALLENGE">
-  </script>
-    <div class="form-group input-group">
-        <span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i> </span>
-        <input name="code" value="" class="form-control" id="extcode" trplaceholder="code">
+<TMPL_IF NAME="AUTH_ERROR">
+  <div class="buttons">
+    <a href="<TMPL_VAR NAME="PORTAL_URL">" class="btn btn-primary" role="button">
+      <span class="glyphicon glyphicon-home"></span>&nbsp;
+      <span trspan="goToPortal">Go to portal</span>
+    </a>
+  </div>
+<TMPL_ELSE>
+ <form id="verify-form" action="/utotp2fcheck" method="post">
+   <input type="hidden" id="token" name="token" value="<TMPL_VAR NAME="TOKEN">">
+  <TMPL_IF NAME="CHALLENGE">
+    <div class="message message-positive alert">
+        <span trspan="touchU2fDeviceOrEnterTotp"></span>
+    </div>
+      <input type="hidden" id="verify-data" name="signature" value="">
+      <input type="hidden" id="verify-challenge" name="challenge" value="">
+    <script type="application/init">
+    <TMPL_VAR NAME="CHALLENGE">
+    </script>
+    <!-- //if:jsminified
+      <script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2f-api.min.js"></script>
+      <script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2fcheck.min.js"></script>
+    //else -->
+      <script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2f-api.js"></script>
+      <script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2fcheck.js"></script>
+    <!-- //endif -->
+  <TMPL_ELSE>
+    <div class="message message-positive alert">
+        <span trspan="enterTotpCode"></span>
    </div>
+  </TMPL_IF>
+  <div class="form-group input-group">
+      <span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i> </span>
+      <input name="code" value="" class="form-control" id="extcode" trplaceholder="code">
  </div>
  <div class="buttons">
    <button type="submit" class="btn btn-success">
@ -31,13 +51,7 @@
      <span trspan="connect">Connect</span>
    </button>
  </div>
-<!-- //if:jsminified
-  <script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2f-api.min.js"></script>
-  <script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2fcheck.min.js"></script>
-//else -->
-  <script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2f-api.js"></script>
-  <script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2fcheck.js"></script>
-<!-- //endif -->
+ </form>
 </TMPL_IF>

 </main>