Commit 4ef9fa37 authored by Xavier Guimard's avatar Xavier Guimard

Add sfRequired option (#1487)

parent 6799ca92
...@@ -129,7 +129,7 @@ ...@@ -129,7 +129,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "llng-fastcgi-server 1" .IX Title "llng-fastcgi-server 1"
.TH llng-fastcgi-server 1 "2018-07-02" "perl v5.26.2" "User Contributed Perl Documentation" .TH llng-fastcgi-server 1 "2018-08-03" "perl v5.26.2" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents. .\" way too many mistakes in technical documents.
.if n .ad l .if n .ad l
......
...@@ -3056,6 +3056,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.] ...@@ -3056,6 +3056,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => '::2F::Engines::Default', 'default' => '::2F::Engines::Default',
'type' => 'text' 'type' => 'text'
}, },
'sfRequired' => {
'type' => 'bool'
},
'singleIP' => { 'singleIP' => {
'default' => 0, 'default' => 0,
'type' => 'bool' 'type' => 'bool'
......
...@@ -2281,6 +2281,10 @@ sub attributes { ...@@ -2281,6 +2281,10 @@ sub attributes {
default => '::2F::Engines::Default', default => '::2F::Engines::Default',
documentation => 'Second factor engine', documentation => 'Second factor engine',
}, },
sfRequired => {
type => 'bool',
documentation => 'Second factor required',
},
available2F => { available2F => {
type => 'text', type => 'text',
default => 'UTOTP,TOTP,U2F,REST,Ext2F,Yubikey', default => 'UTOTP,TOTP,U2F,REST,Ext2F,Yubikey',
......
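Review bot: `sfRequired` is declared without a `default`, unlike the neighbouring `sfEngine` and `available2F` entries in the same hash; an undefined bool presumably reads as false, but the explicit value is what the generated defaults and the manager UI pick up, so I would write `sfRequired => { type => 'bool', default => 0, documentation => 'Second factor required', },`. The documentation string is also thin for an option that changes the login flow; something like `'Force the user to register a second factor when none is available'` tells an operator what enabling it actually does. The enclosing `attributes` sub starts and ends outside this hunk.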
...@@ -632,7 +632,7 @@ sub tree { ...@@ -632,7 +632,7 @@ sub tree {
{ {
title => 'stateCheck', title => 'stateCheck',
help => 'checkstate.html', help => 'checkstate.html',
form => 'simpleInputContainer', form => 'simpleInputContainer',
nodes => [ 'checkState', 'checkStateSecret', ], nodes => [ 'checkState', 'checkStateSecret', ],
}, },
] ]
...@@ -709,6 +709,7 @@ sub tree { ...@@ -709,6 +709,7 @@ sub tree {
'yubikey2fUserCanRemoveKey', 'yubikey2fUserCanRemoveKey',
], ],
}, },
'sfRequired',
] ]
}, },
{ {
......
...@@ -680,6 +680,7 @@ ...@@ -680,6 +680,7 @@
"sessionStorage":"تخزين الجلسات", "sessionStorage":"تخزين الجلسات",
"sessionTitle":"محتوى الجلسة", "sessionTitle":"محتوى الجلسة",
"sfaTitle":"Second Factors Authentication", "sfaTitle":"Second Factors Authentication",
"sfRequired":"Require 2FA",
"show":"عرض", "show":"عرض",
"showHelp":"عرض المساعدة", "showHelp":"عرض المساعدة",
"singleIP":"عنوان آي بي واحد لكل مستخدم", "singleIP":"عنوان آي بي واحد لكل مستخدم",
......
...@@ -680,6 +680,7 @@ ...@@ -680,6 +680,7 @@
"sessionStorage":"Sessions Storage", "sessionStorage":"Sessions Storage",
"sessionTitle":"Session content", "sessionTitle":"Session content",
"sfaTitle":"Second Factors Authentication", "sfaTitle":"Second Factors Authentication",
"sfRequired":"Require 2FA",
"show":"Show", "show":"Show",
"showHelp":"Show help", "showHelp":"Show help",
"singleIP":"One IP only by user", "singleIP":"One IP only by user",
......
...@@ -372,6 +372,7 @@ ...@@ -372,6 +372,7 @@
"logo":"Logo", "logo":"Logo",
"logout":"Déconnexion", "logout":"Déconnexion",
"logoutServices":"Transfert de la déconnexion", "logoutServices":"Transfert de la déconnexion",
"sfRequired":"Exiger 2FA",
"logParams":"Journalisation", "logParams":"Journalisation",
"lwpOpts":"Options pour les requêtes serveur", "lwpOpts":"Options pour les requêtes serveur",
"lwpSslOpts":"Options SSL pour les requêtes serveur", "lwpSslOpts":"Options SSL pour les requêtes serveur",
......
...@@ -97,6 +97,7 @@ ...@@ -97,6 +97,7 @@
"browserIdAuthnLevel":"Livello di autenticazione", "browserIdAuthnLevel":"Livello di autenticazione",
"browserIdAutoLogin":"Login automatico", "browserIdAutoLogin":"Login automatico",
"browserIdBackgroundColor":"Colore di sfondo", "browserIdBackgroundColor":"Colore di sfondo",
"sfRequired":"Require 2FA",
"browseridParams":"BrowserIDParams", "browseridParams":"BrowserIDParams",
"browserIdSiteLogo":"Logo del sito", "browserIdSiteLogo":"Logo del sito",
"browserIdSiteName":"Nome del sito", "browserIdSiteName":"Nome del sito",
......
...@@ -680,6 +680,7 @@ ...@@ -680,6 +680,7 @@
"sessionStorage":"Sessions lưu trữ", "sessionStorage":"Sessions lưu trữ",
"sessionTitle":"Nội dung phiên", "sessionTitle":"Nội dung phiên",
"sfaTitle":"Second Factors Authentication", "sfaTitle":"Second Factors Authentication",
"sfRequired":"Require 2FA",
"show":"Hiển thị", "show":"Hiển thị",
"showHelp":"Hiển thị trợ giúp", "showHelp":"Hiển thị trợ giúp",
"singleIP":"Chỉ một địa chỉ IP bởi người dùng", "singleIP":"Chỉ một địa chỉ IP bởi người dùng",
......
...@@ -99,6 +99,12 @@ sub init { ...@@ -99,6 +99,12 @@ sub init {
# Registration base # Registration base
$self->addAuthRoute( '2fregisters' => '_displayRegister', ['GET'] ); $self->addAuthRoute( '2fregisters' => '_displayRegister', ['GET'] );
$self->addAuthRoute( '2fregisters' => 'register', ['POST'] ); $self->addAuthRoute( '2fregisters' => 'register', ['POST'] );
if ( $self->conf->{sfRequired} ) {
$self->addUnauthRoute(
'2fregisters' => 'restoreSession',
[ 'GET', 'POST' ]
);
}
} }
return 1; return 1;
...@@ -131,7 +137,24 @@ sub run { ...@@ -131,7 +137,24 @@ sub run {
# If no 2F module is authorized, skipping 2F # If no 2F module is authorized, skipping 2F
# Note that a rule may forbid access after (GrantSession plugin) # Note that a rule may forbid access after (GrantSession plugin)
return PE_OK unless (@am); unless (@am) {
# Except if 2FA is required, move to registration
if ( $self->conf->{sfRequired} ) {
$req->pdata->{sfRegToken} =
$self->ott->createToken( $req->sessionInfo );
$req->response(
[
302, [ Location => $self->conf->{portal} . '/2fregisters' ],
[]
]
);
return PE_SENDRESPONSE;
}
else {
return PE_OK;
}
}
$self->userLogger->info( 'Second factor required for ' $self->userLogger->info( 'Second factor required for '
. $req->sessionInfo->{ $self->conf->{whatToTrace} } ); . $req->sessionInfo->{ $self->conf->{whatToTrace} } );
...@@ -319,4 +342,14 @@ sub register { ...@@ -319,4 +342,14 @@ sub register {
return $self->p->sendJSONresponse( $req, \@am ); return $self->p->sendJSONresponse( $req, \@am );
} }
sub restoreSession {
my ( $self, $req, @path ) = @_;
my $token = $req->pdata->{sfRegToken}
or return [ 302, [ Location => $self->conf->{portal} ], [] ];
$req->userData( $self->ott->getToken( $token, 1 ) );
return $req->method eq 'POST'
? $self->register( $req, @path )
: $self->_displayRegister( $req, @path );
}
1; 1;
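Review bot: `restoreSession` stores the result of `$self->ott->getToken( $token, 1 )` into `userData` without checking it, although `getToken` returns undef when the token cannot be resolved (visible in the OneTimeToken hunk below), so an expired or forged `sfRegToken` value reaches `register`/`_displayRegister` with no user data instead of being bounced to the portal; I would write `my $data = $self->ott->getToken( $token, 1 ) or return [ 302, [ Location => $self->conf->{portal} ], [] ];` followed by `$req->userData($data);`. The `1` passed as `$keep` also means the token is never consumed: the `sfRegToken` entry in pdata becomes a replayable, unauthenticated credential that can register a second factor on the account for as long as the one-time-token session lives, and nothing in this diff removes the token or the pdata entry once registration succeeds — that cleanup (or at least a tight token lifetime) should be added, presumably at the end of the successful `register` path. Note too that `run` creates the token from the whole of `$req->sessionInfo`, so the full attribute set is copied into the token session store; the `run` and `init` subs start and end outside their hunks.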
...@@ -110,7 +110,7 @@ sub getToken { ...@@ -110,7 +110,7 @@ sub getToken {
return undef; return undef;
} }
my %h = %{ $tsession->{data} }; my %h = %{ $tsession->{data} };
$tsession->remove; $tsession->remove unless($keep);
return \%h; return \%h;
} }
} }
......
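Review bot: The new `$keep` parameter changes `getToken` from a consume-once lookup into a reusable one, and nothing in the hunk documents that the caller becomes responsible for removing the token session or that the token stays replayable until its expiry; `getToken` starts outside this hunk, so I would document the flag at the top of the sub with `# $keep: leave the token session in place so the token can be looked up again. The caller must remove it once it is no longer needed; until then the token (and the data it carries) remains replayable.` The `unless($keep)` on the `remove` line would read more consistently with the rest of the file as `$tsession->remove unless $keep;`, though that is style only.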