Impersonation does not work with 2FA
Concerned version
Version: 2.0.4
Platform: Nginx + Debian
Summary
On a clean install
- Enable Impersonation (rules and identity rules don't matter much)
- Enable mail or external 2FA
- Go to portal
No impersonation:
- Login with dwho/dwho
- Enter 2F code
- The portal displays a login error
- Browse to the portal again
- You are logged in (if 2F code was valid)
With impersonation:
- Logout and try to login as dwho/dwho impersonating rtyler
- Same error behavior, and you end up getting logged in as "dwho"
Logs
LLNG[18172]: Session granted for dwho by Demo (10.128.239.1)
LLNG[18172]: Processing code ref
LLNG[18172]: Launching ::Plugins::Impersonation::run
LLNG[18172]: No impersonation required
LLNG[18172]: Malformed spoofed Id
LLNG[18172]: Impersonation tried with spoofed Id:
LLNG[18172]: Rename real attributes...
... [ attribute related logs ] ...
LLNG[18172]: Processing getUser
LLNG[18172]: Prepare token
LLNG[18172]: Token 1559065148_-20052 created
LLNG[18172]: Returned error: 5
LLNG[18172]: Impersonation requested for an unvalid user ()
LLNG[18172]: Process returned error: 5
Possible fixes
I think this happens because of
my $spoofId = $req->param('spoofId') || $req->{user};
When doing the 2F code verification, the request only contains the 2F code and a token used to preserve login information. So obviously $req->param('spoofId') no longer exists. And apparently $req->{user} does not exist yet either, maybe the impersonation plugin triggers too early during the flow?
Either way, we'll need to store the spoofId inside the 2F token so that we can preserve it during the login flow.
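As an added example (not LemonLDAP::NG code), here is a small Python model of the two-request login flow described above: the buggy impersonation step reads spoofId from the request, which at the code-verification step carries only the token and the code, while the fixed step restores spoofId (and the real user) from the server-side token created at the password step. The demo accounts, the IMPERSONATORS set, the token format and the error strings are constructed for the model.

```python
import re
import secrets
import time

USERS = {"dwho": "dwho", "rtyler": "rtyler"}  # constructed demo accounts
IMPERSONATORS = {"dwho"}                       # constructed: users allowed to impersonate
_TOKENS = {}                                   # server-side store for login tokens

def create_token(state):
    """Store first-step login state and return an opaque, one-shot token id."""
    tok = f"{int(time.time())}_{secrets.randbelow(100000)}"
    _TOKENS[tok] = dict(state)
    return tok

def run_impersonation(req):
    """Plugin step: decide which identity the session gets.
    req['spoofId'] is only present in the fixed flow (restored from the token);
    the fallback mirrors $req->param('spoofId') || $req->{user}."""
    spoof = req.get("spoofId") or req["params"].get("spoofId") or req.get("user")
    if not spoof or not re.fullmatch(r"\w+", spoof):
        return None, "malformed spoofed id"          # what the log calls a malformed Id
    if spoof != req["user"] and req["user"] not in IMPERSONATORS:
        return None, "impersonation not allowed"     # authorization checked server-side
    return spoof, None

def password_step(params, store_spoof):
    """Request 1: user, password and (optionally) spoofId are all present."""
    user = params.get("user")
    if USERS.get(user) != params.get("password"):
        return None
    state = {"user": user}
    if store_spoof:                      # the fix: keep spoofId inside the 2F token
        state["spoofId"] = params.get("spoofId") or user
    return create_token(state)

def code_step(params, code_ok, fixed):
    """Request 2: only the token and the 2F code are present. In the buggy flow
    the plugin runs before $req->{user} is populated, so it sees nothing."""
    state = _TOKENS.pop(params.get("token"), None)   # one-shot token
    if state is None or not code_ok:
        return {"error": "bad token or code"}
    req = {"params": params, "user": None}
    if fixed:                                         # restore state from the token
        req["user"], req["spoofId"] = state["user"], state.get("spoofId")
    session_user, err = run_impersonation(req)
    return {"error": err} if err else {"session": session_user, "real": state["user"]}

def login(user, password, spoof=None, fixed=False, code_ok=True):
    """Drive both requests; returns the resulting session or the error."""
    tok = password_step({"user": user, "password": password, "spoofId": spoof}, fixed)
    if tok is None:
        return {"error": "bad credentials"}
    return code_step({"token": tok, "code": "123456"}, code_ok, fixed)
```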
That being said, I think that the impersonation feature should not be presented to users on the login form. What about Kerberos users? It should perhaps be presented at the very end of the login process, and only to users who are authorized to use it. That way, regular users will never know it's there. I'm pretty sure some day this feature will be used for real, and not just for dev/testing.