Commit a14d7183 authored by Xavier Guimard's avatar Xavier Guimard

U2F skeleton (#1148)

parent 5299f16f
......@@ -94,6 +94,10 @@ Files: lemonldap-ng-manager/site/static/bwr/angular/* lemonldap-ng-manager/site/
Copyright: 2010-2015, Google, Inc. http://angularjs.org
License: Expat
Files: lemonldap-ng-portal/site/htdocs/static/common/js/u2f-api.*
Copyright: 2014-2015, Google Inc.
License: Expat
Files: lemonldap-ng-manager/site/static/bwr/angular-bootstrap/*
Copyright: 2012-2016, the AngularUI Team, https://github.com/organizations/angular-ui/teams/291112
License: Expat
......
......@@ -94,6 +94,10 @@ Files: lemonldap-ng-manager/site/static/bwr/angular/* lemonldap-ng-manager/site/
Copyright: 2010-2015, Google, Inc. http://angularjs.org
License: Expat
Files: lemonldap-ng-portal/site/htdocs/static/common/js/u2f-api.*
Copyright: 2014-2015, Google Inc.
License: Expat
Files: lemonldap-ng-manager/site/static/bwr/angular-bootstrap/*
Copyright: 2012-2016, the AngularUI Team, https://github.com/organizations/angular-ui/teams/291112
License: Expat
......
......@@ -243,6 +243,7 @@ sub defaultValues {
'timeoutActivityInterval' => 60,
'trustedProxies' => '',
'twitterAuthnLevel' => 1,
'u2fAppId' => 'Lemonldap::NG',
'userControl' => '^[\\w\\.\\-@]+$',
'userDB' => 'Demo',
'useRedirectOnError' => 1,
......
......@@ -2826,6 +2826,14 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
'twitterSecret' => {
'type' => 'text'
},
'u2fActivation' => {
'default' => 0,
'type' => 'bool'
},
'u2fAppId' => {
'default' => 'Lemonldap::NG',
'type' => 'text'
},
'userControl' => {
'default' => '^[\\w\\.\\-@]+$',
'type' => 'pcre'
......
......@@ -661,8 +661,8 @@ sub attributes {
# Notification
oldNotifFormat => {
type => 'bool',
default => 0,
type => 'bool',
default => 0,
documentation => 'Use old XML format',
},
notificationWildcard => {
......@@ -948,6 +948,18 @@ sub attributes {
documentation => 'Register session timeout',
},
# U2F
u2fActivation => {
type => 'bool',
default => 0,
documentation => 'U2F activation',
},
u2fAppId => {
default => 'Lemonldap::NG',
type => 'text',
documentation => 'U2F application ID',
},
# Single session
notifyDeleted => {
default => 1,
......@@ -1755,12 +1767,12 @@ sub attributes {
authentication => {
type => 'select',
select => [
{ k => 'Apache', v => 'Apache' },
{ k => 'AD', v => 'Active Directory' },
{ k => 'Choice', v => 'authChoice' },
{ k => 'CAS', v => 'Central Authentication Service (CAS)' },
{ k => 'DBI', v => 'Database (DBI)' },
{ k => 'Demo', v => 'Demonstration' },
{ k => 'Apache', v => 'Apache' },
{ k => 'AD', v => 'Active Directory' },
{ k => 'Choice', v => 'authChoice' },
{ k => 'CAS', v => 'Central Authentication Service (CAS)' },
{ k => 'DBI', v => 'Database (DBI)' },
{ k => 'Demo', v => 'Demonstration' },
{ k => 'Facebook', v => 'Facebook' },
{ k => 'Google', v => 'Google' },
{ k => 'LDAP', v => 'LDAP' },
......@@ -2214,8 +2226,8 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
test => sub { 1 },
select => [
[
{ k => 'Apache', v => 'Apache' },
{ k => 'AD', v => 'Active Directory' },
{ k => 'Apache', v => 'Apache' },
{ k => 'AD', v => 'Active Directory' },
{ k => 'CAS', v => 'Central Authentication Service (CAS)' },
{ k => 'DBI', v => 'Database (DBI)' },
{ k => 'Demo', v => 'Demo' },
......
......@@ -579,6 +579,11 @@ sub tree {
'registerDoneSubject'
]
},
{
title => 'u2f',
form => 'simpleInputContainer',
nodes => [ 'u2fActivation', 'u2fAppId', ]
},
{
title => 'security',
help => 'security.html#configure_security_settings',
......
......@@ -629,6 +629,9 @@
"twitterKey": "API key",
"twitterParams": "Twitter parameters",
"twitterSecret": "API secret",
"u2f": "U2F",
"u2fActivation": "Activation",
"u2fAppId": "Application ID",
"uid": "Identifier",
"unknownAttrOrMacro": "Unknown attribute or macro",
"unknownError": "Unknown error",
......
......@@ -629,6 +629,9 @@
"twitterKey": "Clef de l'API",
"twitterParams": "Paramètres Twitter",
"twitterSecret": "Secret de l'API",
"u2f": "U2F",
"u2fActivation": "Activation",
"u2fAppId": "Identifiant de l'application",
"uid": "Identifiant",
"unknownAttrOrMacro": "Attribut ou macro inconnu",
"unknownError": "Erreur inconnue",
......
......@@ -74,10 +74,16 @@ sub enabledPlugins {
push @res, "::Password::$p" if ( $p ne 'Null' );
}
# U2F
if ( $self->conf->{u2fActivation} ) {
push @res, '::Register::U2F', '::Plugins::U2F';
}
# Check if custom plugins are required
# TODO: change this name
if ( $self->conf->{customPlugins} ) {
$self->lmLog( 'Custom plugins: ' . $self->conf->{customPlugins}, 'debug' );
$self->lmLog( 'Custom plugins: ' . $self->conf->{customPlugins},
'debug' );
push @res, grep ( /\w/, split( /,\s*/, $self->conf->{customPlugins} ) );
}
return @res;
......
package Lemonldap::NG::Portal::Plugins::U2F;
use strict;
use Mouse;
our $VERSION = '2.0.0';
extends 'Lemonldap::NG::Portal::Main::Plugin';
sub init {
1;
}
1;
package Lemonldap::NG::Portal::Register::U2F;
use strict;
use Mouse;
our $VERSION = '2.0.0';
extends 'Lemonldap::NG::Portal::Main::Plugin';
has crypter => ( is => 'rw' );
sub init {
my ($self) = @_;
eval 'use Crypt::U2F::Server::Simple';
if ($@) {
$self->error("Can't load U2F library: $@");
return 0;
}
unless (
$self->crypter(
Crypt::U2F::Server::Simple->new(
appId => $self->conf->{u2fAppId},
origin => $self->conf->{portal},
)
)
)
{
$self->error( Crypt::U2F::Server::Simple::lastError() );
return 0;
}
$self->addAuthRoute( u2f => 'run', [ 'GET', 'POST' ] );
return 1;
}
sub run {
my ( $self, $req ) = @_;
# Check for registration response
if ( my $rd = $req->param('registration') ) {
$self->lmLog( "Get registration data $rd", 'debug' );
my ( $keyHandle, $userKey ) = $self->crypter->registrationVerify($rd);
$self->lmLog( "Handle: $keyHandle, Key: $userKey", 'debug' );
$self->p->updatePersistentSession( $req,
{ _u2fHandle => $keyHandle, _u2fKey => $userKey } );
return $self->sendHtml( $req, 'u2fregister', params => { SUCCESS => 1 } );
}
return $self->sendHtml( $req, 'u2fregister',
params => { CHALLENGE => $challenge, APPID=>$self->conf->{u2fAppId} } );
}
1;
###
LemonLDAP::NG U2F registration script
###
register = ->
request =
challenge: window.datas.challenge
version: 'U2F_V2'
u2f.register window.datas.appId, request, [], (data) ->
$('#bind-data').val JSON.stringify data
$('#bind-form').submit()
$(document).ready ->
setTimeout register, 1000
This diff is collapsed.
"use strict";var u2f=u2f||{};var js_api_version;u2f.EXTENSION_ID="kmendfapggjehodndflmmgagdbamhnfd";u2f.MessageTypes={U2F_REGISTER_REQUEST:"u2f_register_request",U2F_REGISTER_RESPONSE:"u2f_register_response",U2F_SIGN_REQUEST:"u2f_sign_request",U2F_SIGN_RESPONSE:"u2f_sign_response",U2F_GET_API_VERSION_REQUEST:"u2f_get_api_version_request",U2F_GET_API_VERSION_RESPONSE:"u2f_get_api_version_response"};u2f.ErrorCodes={OK:0,OTHER_ERROR:1,BAD_REQUEST:2,CONFIGURATION_UNSUPPORTED:3,DEVICE_INELIGIBLE:4,TIMEOUT:5};u2f.U2fRequest;u2f.U2fResponse;u2f.Error;u2f.Transport;u2f.Transports;u2f.SignRequest;u2f.SignResponse;u2f.RegisterRequest;u2f.RegisterResponse;u2f.RegisteredKey;u2f.GetJsApiVersionResponse;u2f.getMessagePort=function(b){if(typeof chrome!="undefined"&&chrome.runtime){var a={type:u2f.MessageTypes.U2F_SIGN_REQUEST,signRequests:[]};chrome.runtime.sendMessage(u2f.EXTENSION_ID,a,function(){if(!chrome.runtime.lastError){u2f.getChromeRuntimePort_(b)}else{u2f.getIframePort_(b)}})}else{if(u2f.isAndroidChrome_()){u2f.getAuthenticatorPort_(b)}else{if(u2f.isIosChrome_()){u2f.getIosPort_(b)}else{u2f.getIframePort_(b)}}}};u2f.isAndroidChrome_=function(){var a=navigator.userAgent;return a.indexOf("Chrome")!=-1&&a.indexOf("Android")!=-1};u2f.isIosChrome_=function(){return $.inArray(navigator.platform,["iPhone","iPad","iPod"])>-1};u2f.getChromeRuntimePort_=function(b){var a=chrome.runtime.connect(u2f.EXTENSION_ID,{includeTlsChannelId:true});setTimeout(function(){b(new u2f.WrappedChromeRuntimePort_(a))},0)};u2f.getAuthenticatorPort_=function(a){setTimeout(function(){a(new u2f.WrappedAuthenticatorPort_())},0)};u2f.getIosPort_=function(a){setTimeout(function(){a(new u2f.WrappedIosPort_())},0)};u2f.WrappedChromeRuntimePort_=function(a){this.port_=a};u2f.formatSignRequest_=function(g,d,b,a,f){if(js_api_version===undefined||js_api_version<1.1){var e=[];for(var c=0;c<b.length;c++){e[c]={version:b[c].version,challenge:d,keyHandle:b[c].keyHandle,appId:g}}return{type:u2f.MessageTypes.U2F_SIGN_REQUEST,signRequests:e,timeoutSeconds:a,requestId:f}}return{type:u2f.MessageTypes.U2F_SIGN_REQUEST,appId:g,challenge:d,registeredKeys:b,timeoutSeconds:a,requestId:f}};u2f.formatRegisterRequest_=function(g,c,a,b,f){if(js_api_version===undefined||js_api_version<1.1){for(var d=0;d<a.length;d++){a[d].appId=g}var e=[];for(var d=0;d<c.length;d++){e[d]={version:c[d].version,challenge:a[0],keyHandle:c[d].keyHandle,appId:g}}return{type:u2f.MessageTypes.U2F_REGISTER_REQUEST,signRequests:e,registerRequests:a,timeoutSeconds:b,requestId:f}}return{type:u2f.MessageTypes.U2F_REGISTER_REQUEST,appId:g,registerRequests:a,registeredKeys:c,timeoutSeconds:b,requestId:f}};u2f.WrappedChromeRuntimePort_.prototype.postMessage=function(a){this.port_.postMessage(a)};u2f.WrappedChromeRuntimePort_.prototype.addEventListener=function(a,c){var b=a.toLowerCase();if(b=="message"||b=="onmessage"){this.port_.onMessage.addListener(function(d){c({data:d})})}else{console.error("WrappedChromeRuntimePort only supports onMessage")}};u2f.WrappedAuthenticatorPort_=function(){this.requestId_=-1;this.requestObject_=null};u2f.WrappedAuthenticatorPort_.prototype.postMessage=function(a){var b=u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_+";S.request="+encodeURIComponent(JSON.stringify(a))+";end";document.location=b};u2f.WrappedAuthenticatorPort_.prototype.getPortType=function(){return"WrappedAuthenticatorPort_"};u2f.WrappedAuthenticatorPort_.prototype.addEventListener=function(b,d){var c=b.toLowerCase();if(c=="message"){var a=this;window.addEventListener("message",a.onRequestUpdate_.bind(a,d),false)}else{console.error("WrappedAuthenticatorPort only supports message")}};u2f.WrappedAuthenticatorPort_.prototype.onRequestUpdate_=function(f,c){var b=JSON.parse(c.data);var e=b.intentURL;var d=b.errorCode;var a=null;if(b.hasOwnProperty("data")){a=(JSON.parse(b.data))}f({data:a})};u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_="intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE";u2f.WrappedIosPort_=function(){};u2f.WrappedIosPort_.prototype.postMessage=function(b){var c=JSON.stringify(b);var a="u2f://auth?"+encodeURI(c);location.replace(a)};u2f.WrappedIosPort_.prototype.getPortType=function(){return"WrappedIosPort_"};u2f.WrappedIosPort_.prototype.addEventListener=function(a,c){var b=a.toLowerCase();if(b!=="message"){console.error("WrappedIosPort only supports message")}};u2f.getIframePort_=function(e){var d="chrome-extension://"+u2f.EXTENSION_ID;var b=document.createElement("iframe");b.src=d+"/u2f-comms.html";b.setAttribute("style","display:none");document.body.appendChild(b);var c=new MessageChannel();var a=function(f){if(f.data=="ready"){c.port1.removeEventListener("message",a);e(c.port1)}else{console.error('First event on iframe port was not "ready"')}};c.port1.addEventListener("message",a);c.port1.start();b.addEventListener("load",function(){b.contentWindow.postMessage("init",d,[c.port2])})};u2f.EXTENSION_TIMEOUT_SEC=30;u2f.port_=null;u2f.waitingForPort_=[];u2f.reqCounter_=0;u2f.callbackMap_={};u2f.getPortSingleton_=function(a){if(u2f.port_){a(u2f.port_)}else{if(u2f.waitingForPort_.length==0){u2f.getMessagePort(function(b){u2f.port_=b;u2f.port_.addEventListener("message",(u2f.responseHandler_));while(u2f.waitingForPort_.length){u2f.waitingForPort_.shift()(u2f.port_)}})}u2f.waitingForPort_.push(a)}};u2f.responseHandler_=function(c){var b=c.data;var d=b.requestId;if(!d||!u2f.callbackMap_[d]){console.error("Unknown or missing requestId in response.");return}var a=u2f.callbackMap_[d];delete u2f.callbackMap_[d];a(b.responseData)};u2f.sign=function(d,b,a,e,c){if(js_api_version===undefined){u2f.getApiVersion(function(f){js_api_version=f.js_api_version===undefined?0:f.js_api_version;console.log("Extension JS API Version: ",js_api_version);u2f.sendSignRequest(d,b,a,e,c)})}else{u2f.sendSignRequest(d,b,a,e,c)}};u2f.sendSignRequest=function(d,b,a,e,c){u2f.getPortSingleton_(function(f){var i=++u2f.reqCounter_;u2f.callbackMap_[i]=e;var g=(typeof c!=="undefined"?c:u2f.EXTENSION_TIMEOUT_SEC);var h=u2f.formatSignRequest_(d,b,a,g,i);f.postMessage(h)})};u2f.register=function(d,a,b,e,c){if(js_api_version===undefined){u2f.getApiVersion(function(f){js_api_version=f.js_api_version===undefined?0:f.js_api_version;console.log("Extension JS API Version: ",js_api_version);u2f.sendRegisterRequest(d,a,b,e,c)})}else{u2f.sendRegisterRequest(d,a,b,e,c)}};u2f.sendRegisterRequest=function(d,a,b,e,c){u2f.getPortSingleton_(function(f){var i=++u2f.reqCounter_;u2f.callbackMap_[i]=e;var g=(typeof c!=="undefined"?c:u2f.EXTENSION_TIMEOUT_SEC);var h=u2f.formatRegisterRequest_(d,b,a,g,i);f.postMessage(h)})};u2f.getApiVersion=function(b,a){u2f.getPortSingleton_(function(c){if(c.getPortType){var e;switch(c.getPortType()){case"WrappedIosPort_":case"WrappedAuthenticatorPort_":e=1.1;break;default:e=0;break}b({js_api_version:e});return}var f=++u2f.reqCounter_;u2f.callbackMap_[f]=b;var d={type:u2f.MessageTypes.U2F_GET_API_VERSION_REQUEST,timeoutSeconds:(typeof a!=="undefined"?a:u2f.EXTENSION_TIMEOUT_SEC),requestId:f};c.postMessage(d)})};
\ No newline at end of file
// Generated by CoffeeScript 1.10.0
/*
LemonLDAP::NG U2F registration script
*/
(function() {
var register;
register = function() {
var request;
request = {
challenge: window.datas.challenge,
version: 'U2F_V2'
};
return u2f.register(window.datas.appId, request, [], function(data) {
$('#bind-data').val(JSON.stringify(data));
return $('#bind-form').submit();
});
};
$(document).ready(function() {
return setTimeout(register, 1000);
});
}).call(this);
(function(){var a;a=function(){var b;b={challenge:window.datas.challenge,version:"U2F_V2"};return u2f.register(window.datas.appId,b,[],function(c){$("#bind-data").val(JSON.stringify(c));return $("#bind-form").submit()})};$(document).ready(function(){return setTimeout(a,1000)})}).call(this);
\ No newline at end of file
......@@ -186,6 +186,9 @@
"serviceProvidedBy":"Service provided by",
"SSOSessionInactive":"SSO session inactive",
"submit":"Submit",
"touchU2fDevice": "Please touch the flashing U2F device now.",
"u2fPermission": "You may be prompted to allow the site permission to access your security keys. After granting permission, the device will start to blink.",
"u2fSuccess": "Your key is registered",
"updateCdc": "Update Common Domain Cookie",
"user":"User",
"useYubikey":"use your Yubikey",
......
......@@ -186,6 +186,9 @@
"serviceProvidedBy":"Ce service est fourni par",
"SSOSessionInactive":"Session SSO inactive",
"submit":"Envoyer",
"touchU2fDevice": "Poser votre doigt sur le périphérique U2F",
"u2fPermission": "Il est possible qu'on vous demande d'autoriser le site à accéder à votre clef. Après votre accord, la clef clignotera.",
"u2fSuccess": "Votre clef est enregistrée",
"updateCdc": "Mise à jour du cookie de domaine commun",
"user":"Utilisateur",
"useYubikey":"utilisez votre Yubikey",
......
<TMPL_INCLUDE NAME="header.tpl">
<TMPL_IF NAME="CHALLENGE">
<p trspan="touchU2fDevice">Please touch the flashing U2F device now.</p>
<p trspan="u2fPermission">You may be prompted to allow the site permission to access your security keys. After granting permission, the device will start to blink.</p>
<form id="bind-form" action="#" method="post">
<input type="hidden" id="bind-data" name="registration" value="">
</form>
<script type="application/init">
{
"challenge":"<TMPL_VAR NAME="CHALLENGE">",
"appId": "<TMPL_VAR NAME="APPID">"
}
</script>
<!-- //if:jsminified
<script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2f-api.min.js"></script>
<script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2fregistration.min.js"></script>
//else -->
<script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2f-api.js"></script>
<script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2fregistration.js"></script>
<!-- //endif -->
</TMPL_IF>
<TMPL_IF NAME="SUCCESS">
<h3 trspan="u2fSuccess">Success</h3>
</TMPL_IF>
<TMPL_INCLUDE NAME="footer.tpl">
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment