Commit 4ef9fa37 authored by Xavier Guimard's avatar Xavier Guimard

Add sfRequired option (#1487)

parent 6799ca92
......@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "llng-fastcgi-server 1"
.TH llng-fastcgi-server 1 "2018-07-02" "perl v5.26.2" "User Contributed Perl Documentation"
.TH llng-fastcgi-server 1 "2018-08-03" "perl v5.26.2" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
......
......@@ -3056,6 +3056,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => '::2F::Engines::Default',
'type' => 'text'
},
'sfRequired' => {
'type' => 'bool'
},
'singleIP' => {
'default' => 0,
'type' => 'bool'
......
......@@ -2281,6 +2281,10 @@ sub attributes {
default => '::2F::Engines::Default',
documentation => 'Second factor engine',
},
sfRequired => {
type => 'bool',
documentation => 'Second factor required',
},
available2F => {
type => 'text',
default => 'UTOTP,TOTP,U2F,REST,Ext2F,Yubikey',
......
......@@ -632,7 +632,7 @@ sub tree {
{
title => 'stateCheck',
help => 'checkstate.html',
form => 'simpleInputContainer',
form => 'simpleInputContainer',
nodes => [ 'checkState', 'checkStateSecret', ],
},
]
......@@ -709,6 +709,7 @@ sub tree {
'yubikey2fUserCanRemoveKey',
],
},
'sfRequired',
]
},
{
......
......@@ -680,6 +680,7 @@
"sessionStorage":"تخزين الجلسات",
"sessionTitle":"محتوى الجلسة",
"sfaTitle":"Second Factors Authentication",
"sfRequired":"Require 2FA",
"show":"عرض",
"showHelp":"عرض المساعدة",
"singleIP":"عنوان آي بي واحد لكل مستخدم",
......
......@@ -680,6 +680,7 @@
"sessionStorage":"Sessions Storage",
"sessionTitle":"Session content",
"sfaTitle":"Second Factors Authentication",
"sfRequired":"Require 2FA",
"show":"Show",
"showHelp":"Show help",
"singleIP":"One IP only by user",
......
......@@ -372,6 +372,7 @@
"logo":"Logo",
"logout":"Déconnexion",
"logoutServices":"Transfert de la déconnexion",
"sfRequired":"Exiger 2FA",
"logParams":"Journalisation",
"lwpOpts":"Options pour les requêtes serveur",
"lwpSslOpts":"Options SSL pour les requêtes serveur",
......
......@@ -97,6 +97,7 @@
"browserIdAuthnLevel":"Livello di autenticazione",
"browserIdAutoLogin":"Login automatico",
"browserIdBackgroundColor":"Colore di sfondo",
"sfRequired":"Require 2FA",
"browseridParams":"BrowserIDParams",
"browserIdSiteLogo":"Logo del sito",
"browserIdSiteName":"Nome del sito",
......
......@@ -680,6 +680,7 @@
"sessionStorage":"Sessions lưu trữ",
"sessionTitle":"Nội dung phiên",
"sfaTitle":"Second Factors Authentication",
"sfRequired":"Require 2FA",
"show":"Hiển thị",
"showHelp":"Hiển thị trợ giúp",
"singleIP":"Chỉ một địa chỉ IP bởi người dùng",
......
This source diff could not be displayed because it is too large. You can view the blob instead.
......@@ -99,6 +99,12 @@ sub init {
# Registration base
$self->addAuthRoute( '2fregisters' => '_displayRegister', ['GET'] );
$self->addAuthRoute( '2fregisters' => 'register', ['POST'] );
if ( $self->conf->{sfRequired} ) {
$self->addUnauthRoute(
'2fregisters' => 'restoreSession',
[ 'GET', 'POST' ]
);
}
}
return 1;
......@@ -131,7 +137,24 @@ sub run {
# If no 2F module is authorized, skipping 2F
# Note that a rule may forbid access after (GrantSession plugin)
return PE_OK unless (@am);
unless (@am) {
# Except if 2FA is required, move to registration
if ( $self->conf->{sfRequired} ) {
$req->pdata->{sfRegToken} =
$self->ott->createToken( $req->sessionInfo );
$req->response(
[
302, [ Location => $self->conf->{portal} . '/2fregisters' ],
[]
]
);
return PE_SENDRESPONSE;
}
else {
return PE_OK;
}
}
$self->userLogger->info( 'Second factor required for '
. $req->sessionInfo->{ $self->conf->{whatToTrace} } );
......@@ -319,4 +342,14 @@ sub register {
return $self->p->sendJSONresponse( $req, \@am );
}
sub restoreSession {
my ( $self, $req, @path ) = @_;
my $token = $req->pdata->{sfRegToken}
or return [ 302, [ Location => $self->conf->{portal} ], [] ];
$req->userData( $self->ott->getToken( $token, 1 ) );
return $req->method eq 'POST'
? $self->register( $req, @path )
: $self->_displayRegister( $req, @path );
}
1;
......@@ -110,7 +110,7 @@ sub getToken {
return undef;
}
my %h = %{ $tsession->{data} };
$tsession->remove;
$tsession->remove unless($keep);
return \%h;
}
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment