lemonldap-ng/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Yubikey.pm

# Yubikey second factor authentication
#
# This plugin handle authentications to ask Yubikey second factor for users that
# have registered their Yubikey
package Lemonldap::NG::Portal::2F::Yubikey;

use strict;
use Mouse;
use JSON qw(from_json to_json);
use Lemonldap::NG::Portal::Main::Constants qw(
  PE_ERROR
  PE_BADCREDENTIALS
  PE_FORMEMPTY
  PE_OK
  PE_SENDRESPONSE
);

our $VERSION = '2.1.0';

extends 'Lemonldap::NG::Portal::Main::SecondFactor';

# INITIALIZATION

has prefix => ( is => 'ro', default => 'yubikey' );

has logo => ( is => 'rw', default => 'yubikey.png' );

has yubi => ( is => 'rw' );

sub init {
    my ($self) = @_;
    eval { require Auth::Yubikey_WebClient };
    if ($@) {
        $self->logger->error($@);
        return 0;
    }

    # If self registration is enabled and "activation" is just set to
    # "enabled", replace the rule to detect if user has registered its key
    if (    $self->conf->{yubikey2fSelfRegistration}
        and $self->conf->{yubikey2fActivation} eq '1' )
    {
        $self->conf->{yubikey2fActivation} =
          '$_2fDevices && $_2fDevices =~ /"type":\s*"UBK"/s';
    }
    unless ($self->conf->{yubikey2fClientID}
        and $self->conf->{yubikey2fSecretKey} )
    {
        $self->error('Missing mandatory parameters (Client ID and secret key)');
        return 0;
    }

    $self->yubi(
        Auth::Yubikey_WebClient->new( {
                id    => $self->conf->{yubikey2fClientID},
                api   => $self->conf->{yubikey2fSecretKey},
                nonce => $self->conf->{yubikey2fNonce},
                url   => $self->conf->{yubikey2fUrl}
            }
        )
    );
    return $self->SUPER::init();
}

sub run {
    my ( $self, $req, $token, $_2fDevices ) = @_;

    my $checkLogins = $req->param('checkLogins');
    $self->logger->debug("Yubikey checkLogins set") if ($checkLogins);

    my $yubikey = 0;
    if ( $req->{sessionInfo}->{_2fDevices} ) {
        $self->logger->debug("Loading 2F Devices ...");

        # Read existing 2FDevices
        $_2fDevices = eval {
            from_json( $req->{sessionInfo}->{_2fDevices},
                { allow_nonref => 1 } );
        };
        if ($@) {
            $self->logger->error("Bad encoding in _2fDevices: $@");
            return PE_ERROR;
        }
        $self->logger->debug("2F Device(s) found");

        foreach (@$_2fDevices) {
            $self->logger->debug("Reading Yubikey ...");
            if ( $_->{type} eq 'UBK' ) {
                $yubikey = $_->{_yubikey};
                last;
            }
        }
    }

    unless ($yubikey) {
        $self->userLogger->warn( 'User '
              . $req->{sessionInfo}->{ $self->conf->{whatToTrace} }
              . ' has no Yubikey registered' );
        return PE_BADCREDENTIALS;
    }
    $self->logger->debug("Found Yubikey : $yubikey");

    # Prepare form
    my $tmp = $self->p->sendHtml(
        $req,
        'ext2fcheck',
        params => {
            MAIN_LOGO   => $self->conf->{portalMainLogo},
            SKIN        => $self->conf->{portalSkin},
            TOKEN       => $token,
            TARGET      => '/yubikey2fcheck',
            INPUTLOGO   => 'yubikey.png',
            LEGEND      => 'clickOnYubikey',
            CHECKLOGINS => $checkLogins
        }
    );
    $self->logger->debug("Display Yubikey form");

    $req->response($tmp);
    return PE_SENDRESPONSE;
}

sub verify {
    my ( $self, $req, $session ) = @_;
    my $code;
    unless ( $code = $req->param('code') ) {
        $self->userLogger->error('Yubikey 2F: no code');
        return PE_FORMEMPTY;
    }

    # Verify OTP
    my $yubikey    = 0;
    my $_2fDevices = eval {
        $self->logger->debug("Looking for 2F Devices ...");
        from_json( $session->{_2fDevices}, { allow_nonref => 1 } );
    };

    foreach (@$_2fDevices) {
        $self->logger->debug("Reading Yubikey ...");
        if ( $_->{type} eq 'UBK' ) {
            $yubikey = $_->{_yubikey};
            last;
        }
    }

    if (
        index( $yubikey,
            substr( $code, 0, $self->conf->{yubikey2fPublicIDSize} ) ) == -1
      )
    {
        $self->userLogger->warn('Yubikey not registered');
        return PE_BADCREDENTIALS;
    }
    if ( $self->yubi->otp($code) ne 'OK' ) {
        $self->userLogger->warn('Yubikey verification failed');
        return PE_BADCREDENTIALS;
    }
    PE_OK;
}

1
Catch JSON errors (#1386) 2018-04-12 14:20:28 +02:00			`# Yubikey second factor authentication`
			`#`
			`# This plugin handle authentications to ask Yubikey second factor for users that`
			`# have registered their Yubikey`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00			`package Lemonldap::NG::Portal::2F::Yubikey;`

			`use strict;`
			`use Mouse;`
Use new Yubikey engine - WIP (#1386) 2018-04-06 00:10:41 +02:00			`use JSON qw(from_json to_json);`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00			`use Lemonldap::NG::Portal::Main::Constants qw(`
Catch JSON errors (#1386) 2018-04-12 14:20:28 +02:00			`PE_ERROR`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00			`PE_BADCREDENTIALS`
			`PE_FORMEMPTY`
			`PE_OK`
			`PE_SENDRESPONSE`
			`);`

Set master version to 2.1.0 2019-02-12 18:21:38 +01:00			`our $VERSION = '2.1.0';`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00
			`extends 'Lemonldap::NG::Portal::Main::SecondFactor';`

			`# INITIALIZATION`

			`has prefix => ( is => 'ro', default => 'yubikey' );`

Fix typo (#1386) 2018-04-07 13:22:06 +02:00			`has logo => ( is => 'rw', default => 'yubikey.png' );`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00
			`has yubi => ( is => 'rw' );`

			`sub init {`
			`my ($self) = @_;`
			`eval { require Auth::Yubikey_WebClient };`
			`if ($@) {`
			`$self->logger->error($@);`
			`return 0;`
			`}`
make tidy 2018-09-02 17:31:58 +02:00
Add comment 2018-08-18 23:15:38 +02:00			`# If self registration is enabled and "activation" is just set to`
			`# "enabled", replace the rule to detect if user has registered its key`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00			`if ( $self->conf->{yubikey2fSelfRegistration}`
			`and $self->conf->{yubikey2fActivation} eq '1' )`
			`{`
Typo (#1386) 2018-04-10 16:15:14 +02:00			`$self->conf->{yubikey2fActivation} =`
Hidde warning and improve debug msg 2018-08-21 17:37:14 +02:00			`'$_2fDevices && $_2fDevices =~ /"type":\s*"UBK"/s';`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00			`}`
			`unless ($self->conf->{yubikey2fClientID}`
			`and $self->conf->{yubikey2fSecretKey} )`
			`{`
Fix Yubikey errors (#1399) 2018-03-26 10:15:37 +02:00			`$self->error('Missing mandatory parameters (Client ID and secret key)');`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00			`return 0;`
			`}`
Use new Yubikey engine - WIP (#1386) 2018-04-06 00:10:41 +02:00
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00			`$self->yubi(`
tidy with new conf 2019-02-07 09:27:56 +01:00			`Auth::Yubikey_WebClient->new( {`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00			`id => $self->conf->{yubikey2fClientID},`
			`api => $self->conf->{yubikey2fSecretKey},`
			`nonce => $self->conf->{yubikey2fNonce},`
			`url => $self->conf->{yubikey2fUrl}`
			`}`
			`)`
			`);`
			`return $self->SUPER::init();`
			`}`

			`sub run {`
Catch JSON errors (#1386) 2018-04-12 14:20:28 +02:00			`my ( $self, $req, $token, $_2fDevices ) = @_;`
Tidy 2018-06-21 21:35:16 +02:00
WIP - Display logins history when Yubikey is required (#1442) 2018-06-12 22:45:55 +02:00			`my $checkLogins = $req->param('checkLogins');`
			`$self->logger->debug("Yubikey checkLogins set") if ($checkLogins);`
Tidy 2018-06-21 21:35:16 +02:00
Catch JSON errors (#1386) 2018-04-12 14:20:28 +02:00			`my $yubikey = 0;`
			`if ( $req->{sessionInfo}->{_2fDevices} ) {`
			`$self->logger->debug("Loading 2F Devices ...");`
Use new Yubikey engine - WIP (#1386) 2018-04-06 00:10:41 +02:00
Catch JSON errors (#1386) 2018-04-12 14:20:28 +02:00			`# Read existing 2FDevices`
			`$_2fDevices = eval {`
			`from_json( $req->{sessionInfo}->{_2fDevices},`
			`{ allow_nonref => 1 } );`
			`};`
			`if ($@) {`
			`$self->logger->error("Bad encoding in _2fDevices: $@");`
			`return PE_ERROR;`
			`}`
			`$self->logger->debug("2F Device(s) found");`

			`foreach (@$_2fDevices) {`
			`$self->logger->debug("Reading Yubikey ...");`
			`if ( $_->{type} eq 'UBK' ) {`
			`$yubikey = $_->{_yubikey};`
			`last;`
			`}`
Use new Yubikey engine - WIP (#1386) 2018-04-06 00:10:41 +02:00			`}`
			`}`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00
Use new Yubikey engine - WIP (#1386) 2018-04-06 00:10:41 +02:00			`unless ($yubikey) {`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00			`$self->userLogger->warn( 'User '`
			`. $req->{sessionInfo}->{ $self->conf->{whatToTrace} }`
			`. ' has no Yubikey registered' );`
			`return PE_BADCREDENTIALS;`
			`}`
Use new Yubikey engine - WIP (#1386) 2018-04-06 00:10:41 +02:00			`$self->logger->debug("Found Yubikey : $yubikey");`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00
			`# Prepare form`
			`my $tmp = $self->p->sendHtml(`
			`$req,`
			`'ext2fcheck',`
			`params => {`
Append Portal main logo param (#1515) 2018-10-12 19:41:13 +02:00			`MAIN_LOGO => $self->conf->{portalMainLogo},`
Tidy 2018-06-21 21:35:16 +02:00			`SKIN => $self->conf->{portalSkin},`
			`TOKEN => $token,`
			`TARGET => '/yubikey2fcheck',`
			`INPUTLOGO => 'yubikey.png',`
			`LEGEND => 'clickOnYubikey',`
WIP - Display logins history when Yubikey is required (#1442) 2018-06-12 22:45:55 +02:00			`CHECKLOGINS => $checkLogins`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00			`}`
			`);`
			`$self->logger->debug("Display Yubikey form");`

			`$req->response($tmp);`
			`return PE_SENDRESPONSE;`
			`}`

			`sub verify {`
			`my ( $self, $req, $session ) = @_;`
			`my $code;`
			`unless ( $code = $req->param('code') ) {`
			`$self->userLogger->error('Yubikey 2F: no code');`
			`return PE_FORMEMPTY;`
			`}`

			`# Verify OTP`
Use new Yubikey engine - WIP (#1386) 2018-04-06 00:10:41 +02:00			`my $yubikey = 0;`
Fix typo (#1386) 2018-04-07 13:22:06 +02:00			`my $_2fDevices = eval {`
Use new Yubikey engine - WIP (#1386) 2018-04-06 00:10:41 +02:00			`$self->logger->debug("Looking for 2F Devices ...");`
Fix typo (#1386) 2018-04-07 13:22:06 +02:00			`from_json( $session->{_2fDevices}, { allow_nonref => 1 } );`
Use new Yubikey engine - WIP (#1386) 2018-04-06 00:10:41 +02:00			`};`

Fix typo (#1386) 2018-04-07 13:22:06 +02:00			`foreach (@$_2fDevices) {`
Use new Yubikey engine - WIP (#1386) 2018-04-06 00:10:41 +02:00			`$self->logger->debug("Reading Yubikey ...");`
			`if ( $_->{type} eq 'UBK' ) {`
			`$yubikey = $_->{_yubikey};`
			`last;`
			`}`
			`}`

Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00			`if (`
Use new Yubikey engine - WIP (#1386) 2018-04-06 00:10:41 +02:00			`index( $yubikey,`
Fix Yubikey errors (#1399) 2018-03-26 10:15:37 +02:00			`substr( $code, 0, $self->conf->{yubikey2fPublicIDSize} ) ) == -1`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00			`)`
			`{`
			`$self->userLogger->warn('Yubikey not registered');`
Revert "Fix badcredentials display (#1536)" This reverts commit 48c5ccc34f70a882df4bdb110ddc87808c991d95 2018-11-06 09:15:59 +01:00			`return PE_BADCREDENTIALS;`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00			`}`
			`if ( $self->yubi->otp($code) ne 'OK' ) {`
			`$self->userLogger->warn('Yubikey verification failed');`
Revert "Fix badcredentials display (#1536)" This reverts commit 48c5ccc34f70a882df4bdb110ddc87808c991d95 2018-11-06 09:15:59 +01:00			`return PE_BADCREDENTIALS;`
Yubikey 2nd factor (closes: #1399) 2018-03-20 18:19:53 +01:00			`}`
			`PE_OK;`
			`}`

			`1`