Commit 6a651b5b authored by Xavier Guimard's avatar Xavier Guimard

Try to implement SAML reauth (#595)

parent 4af8a59b
......@@ -237,6 +237,7 @@ sub defaultValues {
'trustedProxies' => '',
'twitterAuthnLevel' => 1,
'u2fActivation' => 0,
'upgradeSession' => 1,
'userControl' => '^[\\w\\.\\-@]+$',
'userDB' => 'Same',
'useRedirectOnError' => 1,
......
......@@ -100,6 +100,7 @@ sub portalTab {
82 => 'PE_TOKENEXPIRED',
83 => 'PE_U2FFAILED',
84 => 'PE_UNAUTHORIZEDPARTNER',
85 => 'PE_RENEWSESSION',
};
}
......
......@@ -2985,7 +2985,7 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
'type' => 'bool'
},
'upgradeSession' => {
'default' => 0,
'default' => 1,
'type' => 'bool'
},
'userControl' => {
......
......@@ -976,7 +976,7 @@ sub attributes {
# Upgrade session
upgradeSession => {
type => 'bool',
default => 0,
default => 1,
documentation => 'Upgrade session activation',
},
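Review bot: Flipping `default => 0` to `default => 1` switches the Upgrade session plugin on for every deployment that does not set upgradeSession explicitly, yet the hunk leaves `documentation => 'Upgrade session activation'` unchanged, so nothing tells an administrator that the setting is now relied upon. The same flip is made in the defaultValues hunk (`'upgradeSession' => 1`) and the manager build hunk (`'default' => 1`). Presumably the new SAML ForceAuthn path depends on it, since the `upgradesession` template posts to `/upgradesession`; if so, say it in the string, e.g. `documentation => 'Upgrade session activation (also required for SAML ForceAuthn re-authentication)'`, and consider logging or rejecting when an issuer returns PE_RENEWSESSION while the plugin is disabled. The `attributes` sub starts and ends outside the hunk.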
......
......@@ -2,6 +2,7 @@ package Lemonldap::NG::Portal::Issuer::SAML;
use strict;
use Mouse;
use MIME::Base64;
use Lemonldap::NG::Portal::Main::Constants qw(
PE_OK
PE_SAML_ART_ERROR
......@@ -451,8 +452,7 @@ sub run {
$info->{'_type'} = "forceAuthn";
$info->{'_saml_id'} = $session_id;
$info->{'_utime'} = $time;
$self->logger->debug(
"Create ForceAuthn session $forceAuthn_session");
$self->logger->debug("Create ForceAuthn session");
}
# Store flag for further requests
......@@ -462,29 +462,19 @@ sub run {
unless ($forceAuthn_session);
$self->logger->debug(
"Set ForceAuthn flag for SP $spConfKey in ForceAuthn session $forceAuthn_session"
"Set ForceAuthn flag for SP $spConfKey in ForceAuthn session"
);
# Replay authentication process
$req->{updateSession} = 1;
$req->steps(
[
@{ $self->p->beforeAuth },
$self->p->authProcess,
@{ $self->p->betweenAuthAndDatas },
$self->p->sessionDatas,
@{ $self->p->afterDatas }
]
);
$req->error( $self->p->process($req) );
# Return error if any
return $req->{error} if $req->{error} > 0;
return $self->reAuth($req);
}
# Else remove flag
# Else remove flag
elsif ($forceAuthn_session) {
$forceAuthnSessionInfo =
$self->getSamlSession( $forceAuthn_session,
{ $spConfKey => 0 } );
$forceAuthnSessionInfo->update( { $spConfKey => 0 } );
$self->logger->debug(
"Unset ForceAuthn flag for SP $spConfKey in ForceAuthn session $forceAuthn_session"
......@@ -1607,7 +1597,7 @@ sub sloServer {
else {
$req->{urldc} =
$self->conf->{portal} . '/saml/relaySingleLogoutTermination';
$self->p->setHiddenFormValue( 'relay', $relayID );
$self->p->setHiddenFormValue( $req, 'relay', $relayID );
return $self->do( $req, [] );
}
......
......@@ -89,6 +89,7 @@ use constant {
PE_TOKENEXPIRED => 82,
PE_U2FFAILED => 83,
PE_UNAUTHORIZEDPARTNER => 84,
PE_RENEWSESSION => 85,
};
# EXPORTER PARAMETERS
......@@ -114,7 +115,7 @@ our @EXPORT_OK = qw( PE_SENDRESPONSE PE_INFO PE_REDIRECT PE_DONE PE_OK
PE_RADIUSCONNECTFAILED PE_MUST_SUPPLY_OLD_PASSWORD PE_FORBIDDENIP
PE_CAPTCHAERROR PE_CAPTCHAEMPTY PE_REGISTERFIRSTACCESS PE_REGISTERFORMEMPTY
PE_REGISTERALREADYEXISTS PE_NOTOKEN PE_TOKENEXPIRED HANDLER PE_U2FFAILED
PE_UNAUTHORIZEDPARTNER
PE_UNAUTHORIZEDPARTNER PE_RENEWSESSION
);
our %EXPORT_TAGS = ( 'all' => [ @EXPORT_OK, 'import' ], );
......
......@@ -139,6 +139,16 @@ sub display {
);
}
elsif ( $req->error == PE_RENEWSESSION ) {
$skinfile = 'upgradesession';
%templateParams = (
MSG => 'askToRenew',
CONFIRMKEY => $self->stamp,
PORTAL => $self->conf->{portal},
URL => $req->datas->{_url},
);
}
# 2.3 Case : user authenticated but an error was returned (bas url,...)
elsif ( not $req->datas->{noerror} and $req->userData and %{ $req->userData } ) {
$skinfile = 'error';
......
......@@ -10,7 +10,10 @@ package Lemonldap::NG::Portal::Main::Issuer;
use strict;
use Mouse;
use IO::String;
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);
use Lemonldap::NG::Portal::Main::Constants qw(
PE_OK
PE_RENEWSESSION
);
extends 'Lemonldap::NG::Portal::Main::Plugin';
......@@ -72,7 +75,7 @@ sub _redirect {
my $ir =
$req->param( 'issuerRequest' . $self->path ) || $self->storeRequest($req);
$self->p->setHiddenFormValue( $req, 'issuerRequest' . $self->path,
$ir, '', 0 );
$ir, '' );
$req->{urldc} = $self->conf->{portal};
$req->{urldc} =~ s#/*$##;
$req->{urldc} .= $req->path . "?issuerRequest$self->{path}=$ir";
......@@ -149,6 +152,14 @@ sub restoreRequest {
return $req;
}
sub reAuth {
my ( $self, $req ) = @_;
$req->datas->{_url} = encode_base64(
$self->conf->{portal} . '?issuerRequest=' . $self->storeRequest($req),
'' );
return PE_RENEWSESSION;
}
1;
__END__
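Review bot: `reAuth` builds its return URL with a bare `issuerRequest=` parameter, while `_redirect` in the hunk above reads and writes `'issuerRequest' . $self->path`; unless the portal also accepts the unsuffixed name, the stored request will not be found when the user comes back after re-authenticating, and the URL should be `$self->conf->{portal} . '?issuerRequest' . $self->path . '=' . $self->storeRequest($req)`. `encode_base64` is called here but this commit adds `use MIME::Base64;` only to Issuer::SAML; if Main::Issuer does not import it somewhere outside the visible hunks, this fails at runtime with an undefined-subroutine error. The new sub is also undocumented: a header such as `# Store the current issuer request in datas->{_url} and return PE_RENEWSESSION so the portal asks the user to authenticate again` and a matching entry in the POD after `__END__` would help.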
......
......@@ -47,6 +47,7 @@ sub ask {
$req,
'upgradesession',
params => {
MSG => 'askToUpgrade',
CONFIRMKEY => $self->p->stamp,
PORTAL => $self->conf->{portal},
URL => $req->param('url'),
......
......@@ -84,18 +84,13 @@
"PE82":"Exceeded authentication timeout",
"PE83":"U2F verification failed",
"PE84":"You're not authorizated to access to this host",
"PM8":"Select your Identity Provider",
"PM10":"Remember my choice",
"PM11":"Logout from service providers...",
"PM12":"Redirection in progress...",
"PM13":"Go back to service provider",
"PM17":"Update Common Domain Cookie",
"accept":"Accept",
"accessDenied":"You have no access authorization for this application",
"accountCreated":"Your account has been created, your temporary password has been sent to your mail address.",
"accountCreationSuccess":"Your account was successfully created.",
"anotherInformation":"Another information:",
"areYouSure":"Are you sure?",
"askToRenew":"This application needs a more recent authentication. Do you want to reauthenticate ?",
"askToUpgrade":"This application needs an higher authentication level. Do you want to reauthenticate ?",
"authPortal":"Authentication portal",
"authRemaining":"%s authentications remaining, change your password!",
......
......@@ -84,18 +84,13 @@
"PE82":"Délai d'authentification dépassé",
"PE83":"La vérification U2F a échoué",
"PE84":"Vous n'êtes pas autorisé à accéder à ce site",
"PM8":"Choisissez votre fournisseur d'identité",
"PM10":"Se souvenir de mon choix",
"PM11":"Déconnexion des services...",
"PM12":"Redirection en cours...",
"PM13":"Retourner sur le fournisseur de service",
"PM17":"Mise à jour du cookie de domaine commun",
"accept":"Accepter",
"accessDenied":"Vous n'avez pas les droits d'accès à cette application",
"accountCreated":"Votre compte a été créé, un mot de passe temporaire a été envoyé à votre adresse mail.",
"accountCreationSuccess":"Votre compte a bien été créé.",
"anotherInformation":"Une autre information :",
"areYouSure":"Êtes vous sûr ?",
"askToRenew":"Cette application nécessite une authentification plus récente. Voulez-vous vous réauthentifier ?",
"askToUpgrade":"Cette application nécessite un plus haut niveau d'authentification. Voulez-vous vous réauthentifier ?",
"authPortal":"Portail d'authentification",
"authRemaining":"%s authentifications restantes, changez votre mot de passe !",
......
<TMPL_INCLUDE NAME="header.tpl">
<div class="message message-positive alert"><span trspan="askToUpgrade"></span></div>
<div class="message message-positive alert"><span trspan="<TMPL_VAR NAME="MSG">"></span></div>
<form action="/upgradesession" method="post" class="password" role="form">
<div class="form">
<div class="form-group input-group">
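Review bot: `<TMPL_VAR NAME="MSG">` is interpolated into the `trspan` attribute without escaping; both callers visible in this commit (`MSG => 'askToRenew'` in display and `MSG => 'askToUpgrade'` in the Upgrade session plugin) pass a fixed key, so there is no injection today, but an attribute value built from a template variable should be `<TMPL_VAR NAME=MSG ESCAPE=HTML>` so that a future caller passing request-derived data cannot break out of the attribute. Dropping the inner quotes also avoids the nested `trspan="<TMPL_VAR NAME="MSG">"` form, which reads as a malformed attribute to anyone not familiar with HTML::Template.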
......