From 3d5e7f8b05c0b05b0acd588bb512a9c85f84e2d9 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Mon, 22 Aug 2022 12:24:05 +0200 Subject: [PATCH 1/2] Do not check selfRegistration (#2712) --- .../lib/Lemonldap/NG/Portal/2F/TOTP.pm | 15 ++++++--------- .../lib/Lemonldap/NG/Portal/2F/U2F.pm | 15 ++++++--------- .../lib/Lemonldap/NG/Portal/2F/UTOTP.pm | 15 ++++----------- .../lib/Lemonldap/NG/Portal/2F/WebAuthn.pm | 15 ++++++--------- lemonldap-ng-portal/t/01-WebAuthn.t | 2 +- lemonldap-ng-portal/t/70-2F-TOTP-with-TTL.t | 2 +- .../t/73-2F-UTOTP-TOTP-and-U2F-with-History.t | 1 - 7 files changed, 24 insertions(+), 41 deletions(-) diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/TOTP.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/TOTP.pm index 8304810540..07819d74c6 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/TOTP.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/TOTP.pm @@ -15,7 +15,7 @@ use Lemonldap::NG::Portal::Main::Constants qw( PE_SENDRESPONSE ); -our $VERSION = '2.0.10'; +our $VERSION = '2.0.15'; extends qw( Lemonldap::NG::Portal::Main::SecondFactor @@ -30,14 +30,11 @@ has logo => ( is => 'rw', default => 'totp.png' ); sub init { my ($self) = @_; - # If self registration is enabled and "activation" is just set to - # "enabled", replace the rule to detect if user has registered its key - if ( $self->conf->{totp2fSelfRegistration} - and $self->conf->{totp2fActivation} eq '1' ) - { - $self->conf->{totp2fActivation} = - '$_2fDevices && $_2fDevices =~ /"type":\s*"TOTP"/s'; - } + # If "activation" is just set to "enabled", + # replace the rule to detect if user has registered its key + $self->conf->{totp2fActivation} = 'has2f("TOTP")' + if $self->conf->{totp2fActivation} eq '1'; + return $self->SUPER::init(); } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/U2F.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/U2F.pm index cc766bb12c..0792faa753 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/U2F.pm 
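Review bot: The new `$self->conf->{totp2fActivation} = 'has2f("TOTP")' if ... eq '1';` in TOTP::init applies even when `totp2fSelfRegistration` is off, so a literal activation of `1` no longer means "TOTP for everyone" but "TOTP only for users who already have a TOTP entry in `_2fDevices`", and an account with no enrolled device now authenticates with the password alone unless some other setting enforces a second factor. Under the removed guard the same configuration left the rule at `1` and the module active for every user, so a deployment that provisions secrets out of band and relied on `1` for a mandatory second factor appears to become fail-open with this commit (what SecondFactor.pm did for an unenrolled user in that case is outside the hunk). This deserves an upgrade note and a comment that says so in place, e.g. `# "1" now means "required for users who have a TOTP device"; users without one skip this 2F. Use an explicit rule to make it mandatory.` — the commit title "Do not check selfRegistration" does not convey the change in semantics.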
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/U2F.pm @@ -16,7 +16,7 @@ use Lemonldap::NG::Portal::Main::Constants qw( PE_BADCREDENTIALS ); -our $VERSION = '2.0.12'; +our $VERSION = '2.0.15'; extends qw( Lemonldap::NG::Portal::Main::SecondFactor @@ -32,14 +32,11 @@ has logo => ( is => 'rw', default => 'u2f.png' ); sub init { my ($self) = @_; - # If self registration is enabled and "activation" is just set to - # "enabled", replace the rule to detect if user has registered its key - if ( $self->conf->{u2fSelfRegistration} - and $self->conf->{u2fActivation} eq '1' ) - { - $self->conf->{u2fActivation} = - '$_2fDevices && $_2fDevices =~ /"type":\s*"U2F"/s'; - } + # If "activation" is just set to "enabled", + # replace the rule to detect if user has registered its key + $self->conf->{u2fActivation} = 'has2f("U2F")' + if $self->conf->{u2fActivation} eq '1'; + return 0 unless ( $self->Lemonldap::NG::Portal::Main::SecondFactor::init() and $self->Lemonldap::NG::Portal::Lib::U2F::init() ); diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/UTOTP.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/UTOTP.pm index 778f685e62..6f2dc615aa 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/UTOTP.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/UTOTP.pm @@ -6,7 +6,7 @@ use JSON qw(from_json to_json); use Lemonldap::NG::Portal::Main::Constants qw( ); -our $VERSION = '2.0.8'; +our $VERSION = '2.0.15'; extends 'Lemonldap::NG::Portal::Main::SecondFactor'; 
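Review bot: The postfix condition `if $self->conf->{u2fActivation} eq '1';` in U2F::init now evaluates the `eq` on every init, whereas the removed `and` chain only reached it when `u2fSelfRegistration` was true; if init can run with `u2fActivation` unset, this emits a "Use of uninitialized value" warning at each portal start. A defined-or guard keeps it quiet without changing the match: `if ( $self->conf->{u2fActivation} // '' ) eq '1';` and the same applies to the three sibling modules. Whether init is reachable with an undefined activation depends on how the plugin loader selects modules, which is not visible here. Replacing the old raw regex on `$_2fDevices` with `has2f("U2F")` is itself an improvement, since `/"type":\s*"U2F"/s` matched that text anywhere in the JSON, including inside a device name.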
@@ -26,16 +26,9 @@ use Lemonldap::NG::Portal::Main::Constants qw( sub init { my ($self) = @_; - if ( ( - $self->conf->{totp2fSelfRegistration} - or $self->conf->{u2fSelfRegistration} - ) - and $self->conf->{utotp2fActivation} eq '1' - ) - { - $self->conf->{utotp2fActivation} = - '$_2fDevices && $_2fDevices =~ /"type":\s*"(?:TOTP|U2F)"/s'; - } + $self->conf->{utotp2fActivation} = 'has2f("TOTP") or has2f("U2F")' + if ( $self->conf->{utotp2fActivation} eq '1' ); + foreach (qw(U2F TOTP)) { # Arg "noRoute" is set for sub 2F modules to avoid enabling direct diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/WebAuthn.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/WebAuthn.pm index ff27e4eea8..6f05c72ed6 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/WebAuthn.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/WebAuthn.pm @@ -31,15 +31,12 @@ has logo => ( is => 'rw', default => 'webauthn.png' ); sub init { my ($self) = @_; - # If self registration is enabled and "activation" is just set to - # "enabled", replace the rule to detect if user has registered its key - if ( $self->conf->{webauthn2fSelfRegistration} - and $self->conf->{webauthn2fActivation} eq '1' ) - { - $self->conf->{webauthn2fActivation} = 'has2f("WebAuthn")'; - } - return 0 - unless ( $self->Lemonldap::NG::Portal::Main::SecondFactor::init() ); + # If "activation" is just set to "enabled", + # replace the rule to detect if user has registered its key + $self->conf->{webauthn2fActivation} = 'has2f("WebAuthn")' + if $self->conf->{webauthn2fActivation} eq '1'; + + return 0 unless $self->SUPER::init(); return 1; } diff --git a/lemonldap-ng-portal/t/01-WebAuthn.t b/lemonldap-ng-portal/t/01-WebAuthn.t index 1e7d4632da..e52ba7e90b 100644 --- a/lemonldap-ng-portal/t/01-WebAuthn.t +++ b/lemonldap-ng-portal/t/01-WebAuthn.t 
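Review bot: The same "activation eq '1' → has2f(...)" rewrite now appears in TOTP.pm, U2F.pm, UTOTP.pm and WebAuthn.pm with slightly different formatting (`if ( ... )` with parentheses here, without in the other three); hoisting it into the common SecondFactor parent as something like `_default_activation_rule( $confKey, @types )` would keep the four in step the next time the semantics change. UTOTP inherits the same behavioural shift as its sub-modules: a literal `1` now activates the combined module only for users who already have a TOTP or U2F entry, regardless of either self-registration setting, so an unenrolled user is not challenged at all. The `foreach (qw(U2F TOTP))` loop that instantiates the sub-modules continues beyond the hunk.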
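Review bot: WebAuthn.pm is the only one of the four modules whose `$VERSION` is not bumped to `2.0.15` in this commit (its 15 changed lines in the diffstat are all in this init hunk), so its version no longer tracks the behaviour change as TOTP, U2F and UTOTP do. Switching from the fully qualified `Lemonldap::NG::Portal::Main::SecondFactor::init()` to `$self->SUPER::init()` also changes which parent gets called if WebAuthn's `extends` list (outside the hunk) names more than one class with an `init`, as U2F.pm above does and therefore calls both explicitly; confirm SecondFactor is the only parent here with an init. The trailing `return 0 unless $self->SUPER::init(); return 1;` can collapse to `return $self->SUPER::init() ? 1 : 0;`.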
@@ -40,7 +40,7 @@ ENDKEY ini => { logLevel => 'error', useSafeJail => 1, - webauthn2fSelfRegistration => 1, + webauthn2fSelfRegistration => 0, webauthn2fActivation => 1, webauthn2fUserCanRemoveKey => 1, } diff --git a/lemonldap-ng-portal/t/70-2F-TOTP-with-TTL.t b/lemonldap-ng-portal/t/70-2F-TOTP-with-TTL.t index b4d12be918..0f04fd935c 100644 --- a/lemonldap-ng-portal/t/70-2F-TOTP-with-TTL.t +++ b/lemonldap-ng-portal/t/70-2F-TOTP-with-TTL.t @@ -15,7 +15,7 @@ SKIP: { my $client = LLNG::Manager::Test->new( { ini => { logLevel => 'error', - totp2fSelfRegistration => 1, + totp2fSelfRegistration => '$uid eq "dwho"', totp2fActivation => 1, totp2fTTL => 120, sfManagerRule => 0, diff --git a/lemonldap-ng-portal/t/73-2F-UTOTP-TOTP-and-U2F-with-History.t b/lemonldap-ng-portal/t/73-2F-UTOTP-TOTP-and-U2F-with-History.t index d07cb632ac..fcf9e38640 100644 --- a/lemonldap-ng-portal/t/73-2F-UTOTP-TOTP-and-U2F-with-History.t +++ b/lemonldap-ng-portal/t/73-2F-UTOTP-TOTP-and-U2F-with-History.t @@ -22,7 +22,6 @@ SKIP: { logLevel => 'error', utotp2fActivation => 1, totp2fSelfRegistration => 1, - u2fSelfRegistration => 1, u2fSelfRegistration => '$_2fDevices =~ /"type":\s*"(?:TOTP|U2F)"/s', loginHistoryEnabled => 1, -- GitLab From c9449ed41d45646e05c50534634a40bab3b758c8 Mon Sep 17 00:00:00 2001 From: Christophe Maudoux Date: Sun, 28 Aug 2022 23:23:32 +0200 Subject: [PATCH 2/2] Fix unit test (#2712) --- lemonldap-ng-portal/t/78-2F-UpgradeOnly-without-2F.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemonldap-ng-portal/t/78-2F-UpgradeOnly-without-2F.t b/lemonldap-ng-portal/t/78-2F-UpgradeOnly-without-2F.t index 40ed69840a..43acfaff27 100644 --- a/lemonldap-ng-portal/t/78-2F-UpgradeOnly-without-2F.t +++ b/lemonldap-ng-portal/t/78-2F-UpgradeOnly-without-2F.t 
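Review bot: Dropping the duplicate `u2fSelfRegistration => 1` is correct (the later key silently won in the hash anyway), but the surviving rule `'$_2fDevices =~ /"type":\s*"(?:TOTP|U2F)"/s'` is exactly the raw-regex form this commit retires in the modules: it matches the `"type"` text anywhere in the JSON, including inside a device name, and warns on an undefined `$_2fDevices`. For consistency with the new code use the helper: `u2fSelfRegistration => 'has2f("TOTP") or has2f("U2F")',`. The enclosing `SKIP: {` block and the `ini` hash continue outside the hunk.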
@@ -79,7 +79,7 @@ SKIP: { expectCookie( $res, 'lemonldappdata' ); # A message warns the user that they do not have any 2FA available - expectPortalError( $res, 83 ); + expectPortalError( $res, 103 ); $query = 'user=rtyler&password=rtyler'; ok( -- GitLab
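Review bot: The expected error for the user with no second factor moves from `83` to `103`, but "Fix unit test" does not say which portal error each number is or why the code returned to an unenrolled user changed, and as written the test asserts a magic number. Use the named constant from Lemonldap::NG::Portal::Main::Constants in `expectPortalError( $res, ... )` so the intent described by the comment above it ("they do not have any 2FA available") is readable, and state the reason in the commit message. It is also worth confirming that this scenario still ends in a denial rather than a login completed with the password alone, since an activation of `1` now skips users without a device under the first commit; the surrounding `SKIP: {` block continues on both sides of the hunk.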