lemonldap-ng/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/TOTP.pm

# TOTP second factor authentication
#
# This plugin handle authentications to ask TOTP second factor for users that
# have registered their TOTP secret
package Lemonldap::NG::Portal::2F::TOTP;

use strict;
use Mouse;
use JSON qw(from_json to_json);
use Lemonldap::NG::Portal::Main::Constants qw(
  PE_BADOTP
  PE_ERROR
  PE_FORMEMPTY
  PE_OK
  PE_SENDRESPONSE
);

our $VERSION = '2.0.8';

extends 'Lemonldap::NG::Portal::Main::SecondFactor',
  'Lemonldap::NG::Common::TOTP';

# INITIALIZATION

has prefix => ( is => 'ro', default => 'totp' );

has logo => ( is => 'rw', default => 'totp.png' );

sub init {
    my ($self) = @_;

    # If self registration is enabled and "activation" is just set to
    # "enabled", replace the rule to detect if user has registered its key
    if (    $self->conf->{totp2fSelfRegistration}
        and $self->conf->{totp2fActivation} eq '1' )
    {
        $self->conf->{totp2fActivation} =
          '$_2fDevices && $_2fDevices =~ /"type":\s*"TOTP"/s';
    }
    return $self->SUPER::init();
}

# RUNNING METHODS

sub run {
    my ( $self, $req, $token ) = @_;
    $self->logger->debug('Generate TOTP form');

    my $checkLogins = $req->param('checkLogins');
    $self->logger->debug("TOTP checkLogins set") if ($checkLogins);

    # Prepare form
    my $tmp = $self->p->sendHtml(
        $req,
        'totp2fcheck',
        params => {
            MAIN_LOGO   => $self->conf->{portalMainLogo},
            SKIN        => $self->p->getSkin($req),
            TOKEN       => $token,
            CHECKLOGINS => $checkLogins
        }
    );
    $self->logger->debug("Prepare TOTP 2F verification");

    $req->response($tmp);
    return PE_SENDRESPONSE;
}

sub verify {
    my ( $self, $req, $session ) = @_;
    $self->logger->debug('TOTP verification');
    my $code;
    unless ( $code = $req->param('code') ) {
        $self->userLogger->error('TOTP 2F: no code');
        return PE_FORMEMPTY;
    }

    my ( $secret, $_2fDevices );
    if ( $session->{_2fDevices} ) {
        $self->logger->debug("Loading 2F Devices ...");

        # Read existing 2FDevices
        $_2fDevices =
          eval { from_json( $session->{_2fDevices}, { allow_nonref => 1 } ); };
        if ($@) {
            $self->logger->error("Bad encoding in _2fDevices: $@");
            return PE_ERROR;
        }
        $self->logger->debug("2F Device(s) found");
        $self->logger->debug("Reading TOTP secret if exists...");

        $secret = $_->{_secret}
          foreach grep { $_->{type} eq 'TOTP' } @$_2fDevices;
    }

    unless ($secret) {
        $self->logger->debug("No TOTP secret found");
        return PE_BADOTP;
    }

    my $r = $self->verifyCode(
        $self->conf->{totp2fInterval},
        $self->conf->{totp2fRange},
        $self->conf->{totp2fDigits},
        $secret, $code
    );
    return PE_ERROR if ( $r == -1 );

    if ($r) {
        $self->userLogger->info('TOTP succeed');
        return PE_OK;
    }
    else {
        $self->userLogger->notice( 'Invalid TOTP for '
              . $session->{ $self->conf->{whatToTrace} }
              . ')' );
        return PE_BADOTP;
    }
}

1;
Catch JSON errors (#1386) 2018-04-12 14:20:28 +02:00			`# TOTP second factor authentication`
			`#`
			`# This plugin handle authentications to ask TOTP second factor for users that`
			`# have registered their TOTP secret`
TOTP verification skeleton (#1359) 2018-02-19 14:23:33 +01:00			`package Lemonldap::NG::Portal::2F::TOTP;`

			`use strict;`
			`use Mouse;`
Enabled new 2F engine (#1386) 2018-04-10 11:06:06 +02:00			`use JSON qw(from_json to_json);`
TOTP verification skeleton (#1359) 2018-02-19 14:23:33 +01:00			`use Lemonldap::NG::Portal::Main::Constants qw(`
Change portal error code on 2F failure (#2008) 2019-11-13 11:46:30 +01:00			`PE_BADOTP`
TOTP verification skeleton (#1359) 2018-02-19 14:23:33 +01:00			`PE_ERROR`
			`PE_FORMEMPTY`
			`PE_OK`
			`PE_SENDRESPONSE`
			`);`

Improve code 2020-02-17 23:22:31 +01:00			`our $VERSION = '2.0.8';`
TOTP verification skeleton (#1359) 2018-02-19 14:23:33 +01:00
Move TOTP verification in Common (#1359) This Common module will be used also in admin interface 2018-02-19 22:34:23 +01:00			`extends 'Lemonldap::NG::Portal::Main::SecondFactor',`
			`'Lemonldap::NG::Common::TOTP';`
TOTP verification skeleton (#1359) 2018-02-19 14:23:33 +01:00
			`# INITIALIZATION`

Bad 2F prefix (#1359) 2018-02-19 22:15:06 +01:00			`has prefix => ( is => 'ro', default => 'totp' );`

Update logos (#1148) 2018-03-09 16:51:15 +01:00			`has logo => ( is => 'rw', default => 'totp.png' );`

TOTP verification skeleton (#1359) 2018-02-19 14:23:33 +01:00			`sub init {`
			`my ($self) = @_;`
Manage rule (#1359) 2018-02-21 06:28:42 +01:00
Fix comments 2018-08-18 18:29:45 +02:00			`# If self registration is enabled and "activation" is just set to`
Fix typo (#1386) 2018-04-06 16:38:07 +02:00			`# "enabled", replace the rule to detect if user has registered its key`
2F engine works with 1 2F enabled (#1148) 2018-03-08 20:36:32 +01:00			`if ( $self->conf->{totp2fSelfRegistration}`
Manage rule (#1359) 2018-02-21 06:28:42 +01:00			`and $self->conf->{totp2fActivation} eq '1' )`
			`{`
make tidy 2018-09-02 17:31:58 +02:00			`$self->conf->{totp2fActivation} =`
			`'$_2fDevices && $_2fDevices =~ /"type":\s*"TOTP"/s';`
TOTP verification skeleton (#1359) 2018-02-19 14:23:33 +01:00			`}`
			`return $self->SUPER::init();`
			`}`

			`# RUNNING METHODS`

			`sub run {`
			`my ( $self, $req, $token ) = @_;`
TOTP Portal part seems finished (#1359) TODO: Manager attributes 2018-02-20 22:58:20 +01:00			`$self->logger->debug('Generate TOTP form');`
Tidy 2018-06-21 21:35:16 +02:00
WIP - Display logins history when TOTP is required (#1442) 2018-06-12 22:14:36 +02:00			`my $checkLogins = $req->param('checkLogins');`
			`$self->logger->debug("TOTP checkLogins set") if ($checkLogins);`
TOTP verification skeleton (#1359) 2018-02-19 14:23:33 +01:00
			`# Prepare form`
			`my $tmp = $self->p->sendHtml(`
			`$req,`
TOTP Portal part seems finished (#1359) TODO: Manager attributes 2018-02-20 22:58:20 +01:00			`'totp2fcheck',`
TOTP verification skeleton (#1359) 2018-02-19 14:23:33 +01:00			`params => {`
Append Portal main logo param (#1515) 2018-10-12 19:41:13 +02:00			`MAIN_LOGO => $self->conf->{portalMainLogo},`
Use skin rules in 2F plugins (#1828) 2019-06-28 15:56:57 +02:00			`SKIN => $self->p->getSkin($req),`
Tidy 2018-06-21 21:35:16 +02:00			`TOKEN => $token,`
WIP - Display logins history when TOTP is required (#1442) 2018-06-12 22:14:36 +02:00			`CHECKLOGINS => $checkLogins`
TOTP verification skeleton (#1359) 2018-02-19 14:23:33 +01:00			`}`
			`);`
			`$self->logger->debug("Prepare TOTP 2F verification");`

			`$req->response($tmp);`
			`return PE_SENDRESPONSE;`
			`}`

			`sub verify {`
			`my ( $self, $req, $session ) = @_;`
TOTP Portal part seems finished (#1359) TODO: Manager attributes 2018-02-20 22:58:20 +01:00			`$self->logger->debug('TOTP verification');`
TOTP verification skeleton (#1359) 2018-02-19 14:23:33 +01:00			`my $code;`
			`unless ( $code = $req->param('code') ) {`
			`$self->userLogger->error('TOTP 2F: no code');`
			`return PE_FORMEMPTY;`
			`}`
Enabled new 2F engine (#1386) 2018-04-10 11:06:06 +02:00
Improve code 2020-02-17 23:22:31 +01:00			`my ( $secret, $_2fDevices );`
Catch JSON errors (#1386) 2018-04-11 09:54:40 +02:00			`if ( $session->{_2fDevices} ) {`
Typo (#1386) 2018-04-10 16:15:14 +02:00			`$self->logger->debug("Loading 2F Devices ...");`
Enabled new 2F engine (#1386) 2018-04-10 11:06:06 +02:00
Typo (#1386) 2018-04-10 16:15:14 +02:00			`# Read existing 2FDevices`
Catch JSON errors (#1386) 2018-04-11 09:54:40 +02:00			`$_2fDevices =`
			`eval { from_json( $session->{_2fDevices}, { allow_nonref => 1 } ); };`
			`if ($@) {`
			`$self->logger->error("Bad encoding in _2fDevices: $@");`
			`return PE_ERROR;`
			`}`
			`$self->logger->debug("2F Device(s) found");`
Improve code 2020-02-17 23:22:31 +01:00			`$self->logger->debug("Reading TOTP secret if exists...");`

			`$secret = $_->{_secret}`
			`foreach grep { $_->{type} eq 'TOTP' } @$_2fDevices;`
Typo (#1386) 2018-04-10 16:15:14 +02:00			`}`
Enabled new 2F engine (#1386) 2018-04-10 11:06:06 +02:00
Catch JSON errors (#1386) 2018-04-11 09:54:40 +02:00			`unless ($secret) {`
			`$self->logger->debug("No TOTP secret found");`
Change portal error code on 2F failure (#2008) 2019-11-13 11:46:30 +01:00			`return PE_BADOTP;`
Typo (#1386) 2018-04-10 16:15:14 +02:00			`}`
TOTP verification skeleton (#1359) 2018-02-19 14:23:33 +01:00
Move TOTP verification in Common (#1359) This Common module will be used also in admin interface 2018-02-19 22:34:23 +01:00			`my $r = $self->verifyCode(`
			`$self->conf->{totp2fInterval},`
			`$self->conf->{totp2fRange},`
Full TOTP (#1359) 2018-02-21 22:07:12 +01:00			`$self->conf->{totp2fDigits},`
Enabled new 2F engine (#1386) 2018-04-10 11:06:06 +02:00			`$secret, $code`
Move TOTP verification in Common (#1359) This Common module will be used also in admin interface 2018-02-19 22:34:23 +01:00			`);`
Improve code 2020-02-17 23:22:31 +01:00			`return PE_ERROR if ( $r == -1 );`

			`if ($r) {`
Move TOTP verification in Common (#1359) This Common module will be used also in admin interface 2018-02-19 22:34:23 +01:00			`$self->userLogger->info('TOTP succeed');`
			`return PE_OK;`
TOTP verification skeleton (#1359) 2018-02-19 14:23:33 +01:00			`}`
Move TOTP verification in Common (#1359) This Common module will be used also in admin interface 2018-02-19 22:34:23 +01:00			`else {`
			`$self->userLogger->notice( 'Invalid TOTP for '`
			`. $session->{ $self->conf->{whatToTrace} }`
			`. ')' );`
Change portal error code on 2F failure (#2008) 2019-11-13 11:46:30 +01:00			`return PE_BADOTP;`
TOTP verification skeleton (#1359) 2018-02-19 14:23:33 +01:00			`}`
			`}`

			`1;`