2019-11-08 18:31:50 +01:00
|
|
|
package Lemonldap::NG::Manager::Api::2F;
|
|
|
|
our $VERSION = '2.0.7';
|
|
|
|
|
|
|
|
package Lemonldap::NG::Manager::Api;
|
|
|
|
|
2019-12-19 16:52:51 +01:00
|
|
|
use 5.10.0;
|
|
|
|
use utf8;
|
|
|
|
use Mouse;
|
|
|
|
use JSON;
|
2019-12-20 11:05:16 +01:00
|
|
|
use MIME::Base64;
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
use Lemonldap::NG::Common::Session;
|
|
|
|
|
|
|
|
sub getSecondFactors {
|
|
|
|
my ( $self, $req ) = @_;
|
2019-12-20 11:13:15 +01:00
|
|
|
my ( $uid, $res );
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
$uid = $req->params('uid')
|
|
|
|
or return $self->sendError( $req, 'uid is missing', 400 );
|
|
|
|
|
|
|
|
$self->logger->debug("[API] 2F for $uid requested");
|
|
|
|
|
|
|
|
$res = $self->_get2F($uid);
|
2019-12-20 11:05:16 +01:00
|
|
|
|
|
|
|
return $self->sendError( $req, $res->{msg}, $res->{code} )
|
2019-12-20 11:13:15 +01:00
|
|
|
unless ( $res->{res} eq 'ok' );
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
return $self->sendJSONresponse( $req, $res->{secondFactors} );
|
|
|
|
}
|
|
|
|
|
|
|
|
sub getSecondFactorsByType {
|
|
|
|
my ( $self, $req ) = @_;
|
2019-12-20 11:13:15 +01:00
|
|
|
my ( $uid, $type, $res );
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
$uid = $req->params('uid')
|
|
|
|
or return $self->sendError( $req, 'Uid is missing', 400 );
|
|
|
|
|
|
|
|
$type = $req->params('type')
|
|
|
|
or return $self->sendError( $req, 'Type is missing', 400 );
|
|
|
|
|
|
|
|
$self->logger->debug("[API] 2F for $uid with type $type requested");
|
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
$res = $self->_get2F( $uid, uc $type );
|
2019-12-20 11:05:16 +01:00
|
|
|
|
|
|
|
return $self->sendError( $req, $res->{msg}, $res->{code} )
|
2019-12-20 11:13:15 +01:00
|
|
|
unless ( $res->{res} eq 'ok' );
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
return $self->sendJSONresponse( $req, $res->{secondFactors} );
|
|
|
|
}
|
|
|
|
|
|
|
|
sub getSecondFactorsById {
|
|
|
|
my ( $self, $req ) = @_;
|
2019-12-20 11:13:15 +01:00
|
|
|
my ( $uid, $id, $res );
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
$uid = $req->params('uid')
|
|
|
|
or return $self->sendError( $req, 'uid is missing', 400 );
|
|
|
|
|
|
|
|
$id = $req->params('id')
|
|
|
|
or return $self->sendError( $req, 'id is missing', 400 );
|
|
|
|
|
|
|
|
$self->logger->debug("[API] 2F for $uid with id $id requested");
|
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
$res = $self->_get2F( $uid, undef, $id );
|
2019-12-19 16:52:51 +01:00
|
|
|
|
2019-12-20 11:05:16 +01:00
|
|
|
return $self->sendError( $req, $res->{msg}, $res->{code} )
|
2019-12-20 11:13:15 +01:00
|
|
|
unless ( $res->{res} eq 'ok' );
|
2019-12-20 11:05:16 +01:00
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
return $self->sendError( $req, "2F id '$id' not found for user '$uid'",
|
|
|
|
404 )
|
|
|
|
unless ( scalar @{ $res->{secondFactors} } > 0 );
|
2019-12-20 11:05:16 +01:00
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
return $self->sendJSONresponse( $req, @{ $res->{secondFactors} }[0] );
|
2019-12-19 16:52:51 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
sub deleteSecondFactors {
|
|
|
|
my ( $self, $req ) = @_;
|
2019-12-20 11:13:15 +01:00
|
|
|
my ( $uid, $res );
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
$uid = $req->params('uid')
|
|
|
|
or return $self->sendError( $req, 'uid is missing', 400 );
|
|
|
|
|
|
|
|
$self->logger->debug("[API] Delete all 2F for $uid requested");
|
|
|
|
|
|
|
|
$res = $self->_delete2F($uid);
|
2019-12-20 11:05:16 +01:00
|
|
|
|
|
|
|
return $self->sendError( $req, $res->{msg}, $res->{code} )
|
2019-12-20 11:13:15 +01:00
|
|
|
unless ( $res->{res} eq 'ok' );
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
return $self->sendJSONresponse( $req, { message => $res->{msg} } );
|
|
|
|
}
|
|
|
|
|
|
|
|
sub deleteSecondFactorsById {
|
|
|
|
my ( $self, $req ) = @_;
|
2019-12-20 11:13:15 +01:00
|
|
|
my ( $uid, $id, $res );
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
$uid = $req->params('uid')
|
|
|
|
or return $self->sendError( $req, 'uid is missing', 400 );
|
|
|
|
|
|
|
|
$id = $req->params('id')
|
|
|
|
or return $self->sendError( $req, 'id is missing', 400 );
|
|
|
|
|
|
|
|
$self->logger->debug("[API] Delete 2F for $uid with id $id requested");
|
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
$res = $self->_delete2F( $uid, undef, $id );
|
2019-12-20 11:05:16 +01:00
|
|
|
|
|
|
|
return $self->sendError( $req, $res->{msg}, $res->{code} )
|
2019-12-20 11:13:15 +01:00
|
|
|
unless ( $res->{res} eq 'ok' );
|
2019-12-20 11:05:16 +01:00
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
return $self->sendError( $req, "2F id '$id' not found for user '$uid'",
|
|
|
|
404 )
|
|
|
|
unless ( $res->{removed} > 0 );
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
return $self->sendJSONresponse( $req, { message => $res->{msg} } );
|
|
|
|
}
|
|
|
|
|
|
|
|
sub deleteSecondFactorsByType {
|
|
|
|
my ( $self, $req ) = @_;
|
2019-12-20 11:13:15 +01:00
|
|
|
my ( $uid, $type, $res );
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
$uid = $req->params('uid')
|
|
|
|
or return $self->sendError( $req, 'uid is missing', 400 );
|
|
|
|
|
|
|
|
$type = $req->params('type')
|
|
|
|
or return $self->sendError( $req, 'type is missing', 400 );
|
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
$self->logger->debug(
|
|
|
|
"[API] Delete all 2F for $uid with type $type requested");
|
2019-12-19 16:52:51 +01:00
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
$res = $self->_delete2F( $uid, uc $type );
|
2019-12-20 11:05:16 +01:00
|
|
|
|
|
|
|
return $self->sendError( $req, $res->{msg}, $res->{code} )
|
2019-12-20 11:13:15 +01:00
|
|
|
unless ( $res->{res} eq 'ok' );
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
return $self->sendJSONresponse( $req, { message => $res->{msg} } );
|
|
|
|
}
|
|
|
|
|
|
|
|
sub _get2F {
|
|
|
|
my ( $self, $uid, $type, $id ) = @_;
|
2019-12-20 11:13:15 +01:00
|
|
|
my ( $res, $psessions, @secondFactors );
|
2019-12-19 16:52:51 +01:00
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
if ( defined $type ) {
|
2019-12-19 16:52:51 +01:00
|
|
|
$res = $self->_checkType($type);
|
2019-12-20 11:13:15 +01:00
|
|
|
return $res if ( $res->{res} ne 'ok' );
|
2019-12-19 16:52:51 +01:00
|
|
|
}
|
|
|
|
|
2019-12-20 11:05:16 +01:00
|
|
|
$psessions = $self->_getPSessions2F($uid);
|
2019-12-19 16:52:51 +01:00
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
foreach ( keys %{$psessions} ) {
|
|
|
|
my $devices =
|
|
|
|
from_json( $psessions->{$_}->{_2fDevices}, { allow_nonref => 1 } );
|
2019-12-19 16:52:51 +01:00
|
|
|
foreach my $device ( @{$devices} ) {
|
2019-12-20 11:13:15 +01:00
|
|
|
$self->logger->debug(
|
|
|
|
"Check device [epoch=$device->{epoch}, type=$device->{type}, name=$device->{name}]"
|
|
|
|
);
|
|
|
|
push @secondFactors,
|
|
|
|
{
|
|
|
|
id => $self->_genId2F($device),
|
|
|
|
type => $device->{type},
|
|
|
|
name => $device->{name}
|
|
|
|
}
|
|
|
|
unless ( ( defined $type and $type ne $device->{type} )
|
|
|
|
or ( defined $id and $id ne $self->_genId2F($device) ) );
|
2019-12-19 16:52:51 +01:00
|
|
|
}
|
|
|
|
}
|
2019-12-20 11:13:15 +01:00
|
|
|
$self->logger->debug(
|
|
|
|
"Found " . scalar @secondFactors . " 2F devices for uid $uid." );
|
|
|
|
return { res => 'ok', secondFactors => [@secondFactors] };
|
2019-12-20 11:05:16 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
sub _genId2F {
|
2019-12-20 11:13:15 +01:00
|
|
|
my ( $self, $device ) = @_;
|
|
|
|
return encode_base64( "$device->{epoch}::$device->{type}::$device->{name}",
|
|
|
|
"" );
|
2019-12-19 16:52:51 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
sub _getMod2F {
|
2019-12-20 11:13:15 +01:00
|
|
|
my ($self) = @_;
|
2019-12-19 16:52:51 +01:00
|
|
|
my $mod = $self->sessionTypes->{persistent};
|
|
|
|
$mod->{options}->{backend} = $mod->{module};
|
|
|
|
return $mod;
|
|
|
|
}
|
2019-12-20 11:13:15 +01:00
|
|
|
|
2019-12-19 16:52:51 +01:00
|
|
|
sub _getPSessions2F {
|
2019-12-20 11:05:16 +01:00
|
|
|
my ( $self, $uid ) = @_;
|
2019-12-19 16:52:51 +01:00
|
|
|
$self->logger->debug("Looking for psessions for uid $uid ...");
|
2019-12-20 11:13:15 +01:00
|
|
|
my $psessions = Lemonldap::NG::Common::Apache::Session->searchOn(
|
|
|
|
$self->_getMod2F->{options},
|
|
|
|
'_session_uid', $uid,
|
|
|
|
( '_session_kind', '_session_uid', '_session_id', '_2fDevices' ) );
|
|
|
|
foreach ( keys %{$psessions} ) {
|
|
|
|
delete $psessions->{$_}
|
|
|
|
unless ( $psessions->{$_}->{_session_kind} eq 'Persistent' );
|
2019-12-20 11:05:16 +01:00
|
|
|
}
|
2019-12-20 11:13:15 +01:00
|
|
|
$self->logger->debug(
|
|
|
|
"Found " . scalar( keys %{$psessions} ) . " psessions for uid $uid." );
|
2019-12-19 16:52:51 +01:00
|
|
|
return $psessions;
|
|
|
|
}
|
|
|
|
|
|
|
|
sub getSession2F {
|
|
|
|
my ( $self, $sessionId ) = @_;
|
|
|
|
$self->logger->debug("Looking for session with sessionId $sessionId ...");
|
|
|
|
my $session = $self->getApacheSession( $self->_getMod2F, $sessionId );
|
2019-12-20 11:13:15 +01:00
|
|
|
$self->logger->debug(
|
|
|
|
defined $session
|
|
|
|
? "Session $sessionId found."
|
|
|
|
: " No session found for sessionId $sessionId" );
|
2019-12-19 16:52:51 +01:00
|
|
|
return $session;
|
|
|
|
}
|
|
|
|
|
|
|
|
sub _delete2F {
|
|
|
|
my ( $self, $uid, $type, $id ) = @_;
|
2019-12-20 11:13:15 +01:00
|
|
|
my (
|
|
|
|
$res, $psessions, $sessionId, $session, $devices,
|
|
|
|
@keep, $total, $removed, $lremoved, $localStorage
|
|
|
|
);
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
$localStorage = Lemonldap::NG::Handler::PSGI::Main->tsv->{refLocalStorage};
|
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
if ( defined $type ) {
|
2019-12-19 16:52:51 +01:00
|
|
|
$res = $self->_checkType($type);
|
2019-12-20 11:13:15 +01:00
|
|
|
return $res if ( $res->{res} ne 'ok' );
|
2019-12-19 16:52:51 +01:00
|
|
|
}
|
|
|
|
|
2019-12-20 11:05:16 +01:00
|
|
|
$psessions = $self->_getPSessions2F($uid);
|
2019-12-19 16:52:51 +01:00
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
foreach ( keys %{$psessions} ) {
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
$sessionId = $psessions->{$_}->{_session_id};
|
2019-12-20 11:13:15 +01:00
|
|
|
$session = $self->getSession2F($sessionId)
|
|
|
|
or return { res => 'ko', code => 500, msg => $@ };
|
2019-12-19 16:52:51 +01:00
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
$self->logger->debug(
|
|
|
|
"Looking for 2F Device(s) attached to session $sessionId...");
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
if ( $session->data->{_2fDevices} ) {
|
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
$devices =
|
|
|
|
from_json( $session->data->{_2fDevices}, { allow_nonref => 1 } );
|
2019-12-19 16:52:51 +01:00
|
|
|
$total = scalar @$devices;
|
2019-12-20 11:13:15 +01:00
|
|
|
$self->logger->debug(
|
|
|
|
"Found $total 2F devices attached to session $sessionId.");
|
2019-12-19 16:52:51 +01:00
|
|
|
@keep = ();
|
|
|
|
while (@$devices) {
|
|
|
|
my $element = shift @$devices;
|
2019-12-20 11:13:15 +01:00
|
|
|
push @keep,
|
|
|
|
$element
|
|
|
|
if (
|
|
|
|
( defined $type or defined $id )
|
|
|
|
and ( ( defined $type and $type ne $element->{type} )
|
|
|
|
or
|
|
|
|
( defined $id and $id ne $self->_genId2F($element) ) )
|
|
|
|
);
|
2019-12-19 16:52:51 +01:00
|
|
|
}
|
|
|
|
$lremoved = $total - scalar @keep;
|
2019-12-20 11:13:15 +01:00
|
|
|
if ( $lremoved > 0 ) {
|
|
|
|
|
2019-12-19 16:52:51 +01:00
|
|
|
# Update session
|
2019-12-20 11:13:15 +01:00
|
|
|
$self->logger->debug(
|
|
|
|
"Removing $lremoved 2F device(s) attached to session $sessionId ..."
|
|
|
|
);
|
2019-12-19 16:52:51 +01:00
|
|
|
$session->data->{_2fDevices} = to_json( \@keep );
|
|
|
|
$session->update( \%{ $session->data } );
|
|
|
|
|
|
|
|
# Delete local cache
|
|
|
|
if ( $localStorage and $localStorage->get($sessionId) ) {
|
2019-12-20 11:13:15 +01:00
|
|
|
$self->logger->debug(
|
|
|
|
"Delete local cache for $sessionId ...");
|
2019-12-19 16:52:51 +01:00
|
|
|
$localStorage->remove($sessionId);
|
|
|
|
}
|
2019-12-20 11:13:15 +01:00
|
|
|
else {
|
|
|
|
$self->logger->debug(
|
|
|
|
"Local cache will not be cleared for $sessionId");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->logger->debug(
|
|
|
|
"No matching 2F devices attached to session $sessionId were selected for removal."
|
|
|
|
);
|
2019-12-19 16:52:51 +01:00
|
|
|
}
|
2019-12-20 11:13:15 +01:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->logger->debug(
|
|
|
|
"No 2F devices attached to session $sessionId were found.");
|
2019-12-19 16:52:51 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
$removed += $lremoved;
|
|
|
|
}
|
|
|
|
return {
|
2019-12-20 11:13:15 +01:00
|
|
|
res => 'ok',
|
2019-12-20 11:05:16 +01:00
|
|
|
removed => $removed,
|
2019-12-20 11:13:15 +01:00
|
|
|
msg => $removed > 0
|
|
|
|
? "Successful operation: " . $removed . " 2F were removed"
|
|
|
|
: "No operation performed"
|
2019-12-19 16:52:51 +01:00
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
sub _checkType {
|
|
|
|
my ( $self, $type ) = @_;
|
|
|
|
|
2019-12-20 11:13:15 +01:00
|
|
|
return {
|
|
|
|
res => "ko",
|
|
|
|
code => 405,
|
|
|
|
msg =>
|
|
|
|
"Invalid input: Type \"$type\" does not exist. Allowed values for type are: \"U2F\", \"TOTP\" or \"UBK\""
|
|
|
|
}
|
|
|
|
unless ( $type =~ /\b(?:U2F|TOTP|UBK)\b/ );
|
2019-12-19 16:52:51 +01:00
|
|
|
|
|
|
|
return { res => "ok" };
|
2019-11-08 18:31:50 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
1;
|