Commit d93130d1 authored by Xavier Guimard's avatar Xavier Guimard

Adapt SAML forceAuth to new portal (#595)

parent e9025a06
......@@ -37,6 +37,9 @@ site/htdocs/manager.psgi
site/htdocs/static/bwr/angular-animate/angular-animate.js
site/htdocs/static/bwr/angular-animate/angular-animate.min.js
site/htdocs/static/bwr/angular-animate/angular-animate.min.js.map
site/htdocs/static/bwr/angular-aria/angular-aria.js
site/htdocs/static/bwr/angular-aria/angular-aria.min.js
site/htdocs/static/bwr/angular-aria/angular-aria.min.js.map
site/htdocs/static/bwr/angular-bootstrap/ui-bootstrap-tpls.js
site/htdocs/static/bwr/angular-bootstrap/ui-bootstrap-tpls.min.js
site/htdocs/static/bwr/angular-cookies/angular-cookies.js
......
......@@ -83,7 +83,6 @@ lib/Lemonldap/NG/Portal/Password/LDAP.pm
lib/Lemonldap/NG/Portal/Password/REST.pm
lib/Lemonldap/NG/Portal/Plugins/CDA.pm
lib/Lemonldap/NG/Portal/Plugins/External2F.pm
lib/Lemonldap/NG/Portal/Plugins/ForceAuth.pm
lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm
lib/Lemonldap/NG/Portal/Plugins/History.pm
lib/Lemonldap/NG/Portal/Plugins/MailReset.pm
......
......@@ -394,93 +394,23 @@ sub run {
$self->logger->debug(
"Found ForceAuthn flag with value $force_authn");
# Get ForceAuthn sessions for this session_id
my $moduleOptions = $self->conf->{samlStorageOptions} || {};
$moduleOptions->{backend} = $self->conf->{samlStorage};
my $module = "Lemonldap::NG::Common::Apache::Session";
my $forceAuthn_sessions =
$module->searchOn( $moduleOptions, "_saml_id", $session_id );
my $forceAuthn_session;
my $forceAuthnSessionInfo;
# Force authentication if flag is on, or previous flag still active
if (
my @forceAuthn_sessions_keys =
keys %$forceAuthn_sessions
$force_authn
and (
time - $req->sessionInfo->{_utime} >
$self->conf->{portalForceAuthnInterval} )
)
{
# Warning if more than one session found
if ( $#forceAuthn_sessions_keys > 0 ) {
$self->logger->warn(
"More than one ForceAuthn session found for session $session_id"
);
}
# Take the first session
$forceAuthn_session = shift @forceAuthn_sessions_keys;
# Get session
$self->logger->debug(
"Retrieve ForceAuthn session $forceAuthn_session for session $session_id"
);
$forceAuthnSessionInfo =
$self->getSamlSession($forceAuthn_session);
# Check forceAuthn flag for current SP
if ( $forceAuthnSessionInfo->data->{$spConfKey} ) {
$self->logger->debug(
"User was already forced to reauthenticate for SP $spConfKey"
);
$force_authn = 1;
}
}
else {
$self->logger->debug(
"No ForceAuthn session found for session $session_id");
}
# Force authentication if flag is on, or previous flag still active
if ($force_authn) {
my $info = { $spConfKey => 1 };
unless ($forceAuthn_session) {
my $forceInfos;
$info->{'_type'} = "forceAuthn";
$info->{'_saml_id'} = $session_id;
$info->{'_utime'} = $time;
$self->logger->debug("Create ForceAuthn session");
}
# Store flag for further requests
$forceAuthnSessionInfo =
$self->getSamlSession( $forceAuthn_session, $info );
$forceAuthn_session = $forceAuthnSessionInfo->id
unless ($forceAuthn_session);
$self->logger->debug(
"Set ForceAuthn flag for SP $spConfKey in ForceAuthn session"
);
$self->userLogger->info(
"SAML SP $sp ask to refresh session of "
. $req->sessionInfo->{ $self->conf->{whatToTrace} } );
# Replay authentication process
return $self->reAuth($req);
}
# Else remove flag
elsif ($forceAuthn_session) {
$forceAuthnSessionInfo =
$self->getSamlSession( $forceAuthn_session,
{ $spConfKey => 0 } );
$forceAuthnSessionInfo->update( { $spConfKey => 0 } );
$self->logger->debug(
"Unset ForceAuthn flag for SP $spConfKey in ForceAuthn session $forceAuthn_session"
);
}
# Check Destination (only in non proxy mode)
unless ( $req->datas->{_proxiedRequest} ) {
return PE_SAML_DESTINATION_ERROR
......
......@@ -16,7 +16,6 @@ our @pList = (
portalDisplayResetPassword => '::Plugins::MailReset',
portalStatus => '::Plugins::Status',
cda => '::Plugins::CDA',
portalForceAuthn => '::Plugins::ForceAuth',
u2fActivation => '::Plugins::U2F',
ext2fActivation => '::Plugins::External2F',
grantSessionRule => '::Plugins::GrantSession',
......
package Lemonldap::NG::Portal::Plugins::ForceAuth;
use strict;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);
extends 'Lemonldap::NG::Portal::Main::Plugin';
our $VERSION = '2.0.0';
sub init { 1 }
sub forAuthUser { 'forceAuth' }
sub forceAuth {
my ( $self, $req ) = @_;
# Don't force authentication if password is going to be changed
return PE_OK if ( $req->param('newpassword') );
# Do not force authentication if last successful authentication is recent
my $last_authn_utime = $req->{sessionInfo}->{_lastAuthnUTime} || 0;
if ( time() - $last_authn_utime < $self->{portalForceAuthnInterval} ) {
$self->logger->debug(
"Authentication is recent, so do not force authentication for session $req->id"
);
}
else {
# Else, launch authentication process
$self->logger->debug("Force reauthentication for session $req->id");
$req->steps(
[
@{ $self->p->beforeAuth },
$self->p->authProcess,
@{ $self->p->betweenAuthAndDatas },
$self->p->sessionDatas,
@{ $self->p->afterDatas }
]
);
}
return PE_OK;
}
1
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment