Commit be26e3cb authored by Christophe Maudoux's avatar Christophe Maudoux 🐛

WIP - Decrease authLevel skeleton (#1784)

parent bf8022b8
...@@ -193,12 +193,13 @@ sub defaultValuesInit { ...@@ -193,12 +193,13 @@ sub defaultValuesInit {
my ( $class, $conf ) = @_; my ( $class, $conf ) = @_;
$class->tsv->{$_} = $conf->{$_} foreach ( qw( $class->tsv->{$_} = $conf->{$_} foreach ( qw(
cookieExpiration cookieName customFunctions cookieExpiration cookieName customFunctions
cookieExpiration cookieName customFunctions cookieExpiration cookieName customFunctions
securedCookie timeout timeoutActivity securedCookie timeout timeoutActivity
timeoutActivityInterval useRedirectOnError useRedirectOnForbidden timeoutActivityInterval useRedirectOnError useRedirectOnForbidden
useSafeJail whatToTrace handlerInternalCache useSafeJail whatToTrace handlerInternalCache
handlerServiceTokenTTL decreaseAuthLevelInterval httpOnly handlerServiceTokenTTL decreaseAuthLevelInterval httpOnly
decreaseCounter
) )
); );
......
...@@ -11,6 +11,7 @@ use strict; ...@@ -11,6 +11,7 @@ use strict;
use MIME::Base64; use MIME::Base64;
use URI::Escape; use URI::Escape;
use Lemonldap::NG::Common::Session; use Lemonldap::NG::Common::Session;
use Data::Dumper;
# Methods that must be overloaded # Methods that must be overloaded
...@@ -148,8 +149,9 @@ sub run { ...@@ -148,8 +149,9 @@ sub run {
# ACCOUNTING (1. Inform web server) # ACCOUNTING (1. Inform web server)
$class->set_user( $req, $session->{ $class->tsv->{whatToTrace} } ); $class->set_user( $req, $session->{ $class->tsv->{whatToTrace} } );
# Decrease authentication level if required # # Decrease authentication level if required
$class->decreaseAuthLevel( $req, $session ); # $class->decreaseAuthLevel( $req, $session, $id )
# if ( $class->tsv->{decreaseAuthLevelInterval} );
# AUTHORIZATION # AUTHORIZATION
return ( $class->forbidden( $req, $session ), $session ) return ( $class->forbidden( $req, $session ), $session )
...@@ -437,7 +439,7 @@ sub retrieveSession { ...@@ -437,7 +439,7 @@ sub retrieveSession {
# 1. Search if the user was the same as previous (very efficient in # 1. Search if the user was the same as previous (very efficient in
# persistent connection). # persistent connection).
# NB: timout is here the same value as current HTTP/1.1 Keep-Alive timeout # NB: timout is here the same value as current HTTP/1.1 Keep-Alive timeout
# (15 seconds) # (15 seconds by default)
if ( defined $class->data->{_session_id} if ( defined $class->data->{_session_id}
and $id eq $class->data->{_session_id} and $id eq $class->data->{_session_id}
and and
...@@ -524,6 +526,33 @@ sub retrieveSession { ...@@ -524,6 +526,33 @@ sub retrieveSession {
} }
} }
if ( $class->tsv->{decreaseAuthLevelInterval}
&& ($session->data->{authenticationLevel} > 1) )
{
$class->logger->debug(" -> Check if AuthLevel must be decreased");
# Update the session to notify activity, if necessary
if ( $now > ( $class->tsv->{_lastAuthnUTime} +
$class->tsv->{decreaseAuthLevelInterval} * ($class->tsv->{_decreaseCounter} + 1)) )
{
my $authLevel = $session->{data}->{authenticationLevel};
my $counter = $session->{data}->{_decreaseCounter} || 0;
$class->logger->debug(
"****************** req :" . Data::Dumper::Dumper($req) );
$class->data( $session->data );
$class->logger->debug(
"Decrease $session->{data}->{uid} authenticationLevel from $authLevel to " . --$authLevel );
$req->data->{session}->update( { 'authenticationLevel' => 5,'_decreaseCounter' => ++$counter } );
if ( $session->error ) {
$class->logger->error("Cannot update session $id");
$class->logger->error( $req->data->{session}->error );
}
else {
$class->logger->debug("Update authenticationLevel with $authLevel");
}
}
}
$class->dataUpdate($now); $class->dataUpdate($now);
return $session->data; return $session->data;
} }
...@@ -834,13 +863,33 @@ sub postJavascript { ...@@ -834,13 +863,33 @@ sub postJavascript {
. "</script>\n"; . "</script>\n";
} }
sub decreaseAuthLevel { # sub decreaseAuthLevel {
my ( $class, $req, $session ) = @_; # my ( $class, $req, $session, $id ) = @_;
if ( $class->tsv->{decreaseAuthLevelInterval} ) { # return if ( $session->{authenticationLevel} == 1 );
$session->{authenticationLevel} = 1; # $class->logger->debug("************ -> Call decreaseAuthLevel");
#$session->update( { authenticationLevel => 1 } ); # my $now = time();
}
} # # Update the session to notify activity, if necessary
# if ( $now > $class->tsv->{_lastAuthnUTime} +
# $class->tsv->{decreaseAuthLevelInterval} )
# {
# $class->logger->debug("Decrease authnLevel". Data::Dumper::Dumper($session));
# $class->logger->debug("****************** req :" . Data::Dumper::Dumper($req));
# $req->data->{session}->update(
# { 'authenticationLevel' => 5 } ,{ updateCache => 2 } );
# $class->data( $session->data );
# if ( $session->error ) {
# $class->logger->error("Cannot update session $id");
# $class->logger->error( $req->data->{session}->error );
# }
# else {
# $class->logger->debug("Update _lastSeen with $now");
# }
# $class->dataUpdate($now);
# }
# }
1; 1;
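Review bot: The session update at the end of the new decrease branch in retrieveSession hard-codes `'authenticationLevel' => 5` instead of the decremented `$authLevel` computed in the debug line just above it, so a session that authenticated at level 2, 3 or 4 is raised to 5 by this "decrease" — a step-up with no re-authentication. The threshold test also reads `_lastAuthnUTime` and `_decreaseCounter` from `$class->tsv`, the handler-wide config that the Main.pm hunk populates only with `decreaseCounter` (no underscore), so both are undef and, `$now` being an epoch timestamp, the branch fires on every request once the level is above 1; the per-session values, as `$counter` already takes from `$session->{data}`, look like the intended source — confirm where `_lastAuthnUTime` is stored. `Data::Dumper::Dumper($req)` at debug level writes the whole request object, including whatever session data and cookies it carries, into the handler log and should not survive the WIP stage (nor should the commented-out copy of the same dump in the old decreaseAuthLevel body). The error check asks `$session->error` although the update was issued on `$req->data->{session}`, and `$class->data( $session->data )` is refreshed before the write rather than after it, so the handler's cached copy keeps the old level. retrieveSession starts and ends outside this hunk; a rewrite of the decrease branch that keeps the hunk's structure follows.
```perl
    # … unchanged: session lookup, cache check and _utime handling …
    if (   $class->tsv->{decreaseAuthLevelInterval}
        && $session->data->{authenticationLevel} > 1 )
    {
        $class->logger->debug(" -> Check if AuthLevel must be decreased");

        # Per-session state: when the user last authenticated and how many
        # decreases were already applied (tsv is handler-wide config, not session)
        my $lastAuthn = $session->data->{_lastAuthnUTime};
        my $counter   = $session->data->{_decreaseCounter} || 0;
        my $interval  = $class->tsv->{decreaseAuthLevelInterval};

        # No timestamp: nothing to measure the interval from, leave the level alone
        if ( defined $lastAuthn
            and $now > $lastAuthn + $interval * ( $counter + 1 ) )
        {
            my $authLevel = $session->data->{authenticationLevel} - 1;
            $class->logger->debug( "Decrease "
                  . $session->data->{uid}
                  . " authenticationLevel to $authLevel" );
            $session->update(
                {
                    authenticationLevel => $authLevel,
                    _decreaseCounter    => $counter + 1,
                }
            );
            if ( $session->error ) {
                $class->logger->error("Cannot update session $id");
                $class->logger->error( $session->error );
            }
            else {
                # Refresh the handler's cached copy only after a successful write
                $class->data( $session->data );
            }
        }
    }
    # … unchanged: dataUpdate and return …
```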
...@@ -1087,6 +1087,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.] ...@@ -1087,6 +1087,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => 0, 'default' => 0,
'type' => 'int' 'type' => 'int'
}, },
'decreaseCounter' => {
'default' => 0,
'type' => 'int'
},
'demoExportedVars' => { 'demoExportedVars' => {
'default' => { 'default' => {
'cn' => 'cn', 'cn' => 'cn',
......
...@@ -531,6 +531,12 @@ sub attributes { ...@@ -531,6 +531,12 @@ sub attributes {
documentation => 'Decrease authentication level interval', documentation => 'Decrease authentication level interval',
flags => 'hp', flags => 'hp',
}, },
decreaseCounter => {
type => 'int',
default => 0,
documentation => 'Decrease counter',
flags => 'h',
},
# Loggers (ini only) # Loggers (ini only)
logLevel => { logLevel => {
......
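Review bot: `decreaseCounter` is registered here as a handler configuration integer whose documentation, `'Decrease counter'`, does not say what the value controls, while the Run.pm hunk of this commit maintains the counter per session as `_decreaseCounter` through the session `update` call and never reads `tsv->{decreaseCounter}`. A single global default cannot hold a per-user running count, so either this attribute (and its DefaultValues entry) is not needed, or, if it is meant to bound or seed the per-session counter, the code should consume it and the documentation should state that, e.g. `documentation => 'Initial value of the per-session authentication level decrease counter'` — adjust to whatever the intended semantics are. The `attributes` sub starts and ends outside this hunk.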