lemonldap-ng/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/U2F.pm

# Self U2F registration
package Lemonldap::NG::Portal::2F::Register::U2F;

use strict;
use Mouse;

our $VERSION = '2.0.0';

extends 'Lemonldap::NG::Portal::Lib::U2F';

# INITIALIZATION

has prefix => ( is => 'rw', default => 'u' );

has template => ( is => 'ro', default => 'u2fregister' );

has logo => ( is => 'rw', default => 'u2f.png' );

sub init {
    my ($self) = @_;
    return 0 unless $self->SUPER::init;
    return 1;
}

# RUNNING METHODS

# Main method
sub run {
    my ( $self, $req, $action ) = @_;

    if ( $action eq 'register' ) {
        my $challenge = $self->crypter->registrationChallenge;
        $self->logger->debug("Register challenge: $challenge");
        return [
            200,
            [
                'Content-Type'   => 'application/json',
                'Content-Length' => length($challenge),
            ],
            [$challenge]
        ];
        return [ 200, [ 'Content-Type' => 'application/json' ], [$challenge] ];
    }
    if ( $action eq 'registration' ) {
        my ( $resp, $challenge );
        $self->logger->debug('Regististration response');
        unless ($resp = $req->param('registration')
            and $challenge = $req->param('challenge') )
        {
            return $self->p->sendError( $req, 'Missing registration parameter',
                400 );
        }
        $self->logger->debug("Get registration data $resp");
        $self->logger->debug("Get challenge $challenge");
        eval { $challenge = JSON::from_json($challenge)->{challenge} };
        if ($@) {
            $self->userLogger->error("Bad challenge: $@");
            return $self->p->sendError( $req, 'Bad challenge', 400 );
        }
        my $c = $self->crypter;
        if ( $c->setChallenge($challenge) ) {
            my ( $keyHandle, $userKey ) = $c->registrationVerify($resp);
            if ( $keyHandle and $userKey ) {
                $self->p->updatePersistentSession(
                    $req,
                    {
                        _u2fKeyHandle =>
                          $self->encode_base64url( $keyHandle, '' ),
                        _u2fUserKey => $self->encode_base64url( $userKey, '' )
                    }
                );
                return [
                    200,
                    [
                        'Content-Type'   => 'application/json',
                        'Content-Length' => 12,
                    ],
                    ['{"result":1}']
                ];
            }
        }
        my $err = Crypt::U2F::Server::Simple::lastError();
        $self->userLogger->warn("U2F Registration failed: $err");
        return $self->p->sendError( $req, $err, 200 );
    }

    elsif ( $action eq 'verify' ) {
        $self->logger->debug('Verification challenge req');
        my ( $err, $error ) = $self->loadUser($req);
        if ( $err == -1 ) {
            return $self->p->sendError( $req, "U2F error: $error", 200 );
        }
        elsif ( $err == 0 ) {
            return $self->p->sendError( $req, "noU2FKeyFound" );
        }
        my $challenge = $req->datas->{crypter}->authenticationChallenge;
        return [
            200,
            [
                'Content-Type'   => 'application/json',
                'Content-Length' => length($challenge),
            ],
            [$challenge]
        ];
    }
    elsif ( $action eq 'signature' ) {
        $self->logger->debug('Verification response');
        my ( $challenge, $resp );
        unless ($challenge = $req->param('challenge')
            and $resp = $req->param('signature') )
        {
            return $self->p->sendError( $req, 'Missing signature parameter',
                400 );
        }
        my ( $err, $error ) = $self->loadUser($req);
        if ( $err == -1 ) {
            return $self->p->sendError( $req, "U2F error: $error", 200 );
        }
        elsif ( $err == 0 ) {
            return $self->p->sendError( $req, "noU2FKeyFound" );
        }
        $self->logger->debug("Get verify response $resp");
        $req->datas->{crypter}->setChallenge($challenge);
        my $res =
          ( $req->datas->{crypter}->authenticationVerify($resp) ? 1 : 0 );

        #$self->userLogger->notice("res=$res");
        return [
            200,
            [ 'Content-Type' => 'application/json', 'Content-Length' => 12, ],
            [qq'{"result":$res}']
        ];
    }

    # Check if unregistration is allowed
    unless ( $self->conf->{u2fUserCanRemoveKey} ) {
        return $self->p->sendError( $req, 'notAutorizated', 200 );
    }
    if ( $action eq 'unregister' ) {
        my $challenge = $self->crypter->registrationChallenge;
        return [
            200,
            [
                'Content-Type'   => 'application/json',
                'Content-Length' => length($challenge),
            ],
            [$challenge]
        ];
    }
    elsif ( $action eq 'unregistration' ) {
        $self->p->updatePersistentSession(
            $req,
            {
                _u2fKeyHandle => '',
                _u2fUserKey   => ''
            }
        );
        $self->userLogger->notice('U2F key unregistration succeed');
        return [
            200,
            [ 'Content-Type' => 'application/json', 'Content-Length' => 12, ],
            ['{"result":1}']
        ];
        my $err = Crypt::U2F::Server::Simple::lastError();
        $self->userLogger->warn("U2F Unregistration failed: $err");
        return $self->p->sendError( $req, $err, 200 );
    }
    $self->logger->error("Unknown action $action");
    return $self->p->sendError( $req, 'notAutorizated', 200 );
}

sub loadUser {
    my ( $self, $req ) = @_;
    my $uid     = $req->userData->{ $self->conf->{whatToTrace} };
    my $session = $self->p->getPersistentSession($uid);
    my $kh      = $session->data->{_u2fKeyHandle};
    my $uk      = $session->data->{_u2fUserKey};
    unless ( $kh and $uk ) {
        return 0;
    }
    $req->datas->{crypter} = $self->crypter(
        keyHandle => $self->decode_base64url($kh),
        publicKey => $self->decode_base64url($uk)
    );
    unless ( $req->datas->{crypter} ) {
        my $error = Crypt::U2F::Server::Simple::lastError();
        return ( -1, $error );
    }
    return 1;
}

1;
U2F in progress (#1148) 2017-02-04 08:55:47 +01:00			`# Self U2F registration`
Move all second factor plugins in 2F directory 2018-02-19 14:15:29 +01:00			`package Lemonldap::NG::Portal::2F::Register::U2F;`
U2F skeleton (#1148) 2017-02-02 22:48:32 +01:00
			`use strict;`
			`use Mouse;`

			`our $VERSION = '2.0.0';`

U2F in progress (#1148) 2017-02-04 08:55:47 +01:00			`extends 'Lemonldap::NG::Portal::Lib::U2F';`
U2F skeleton (#1148) 2017-02-02 22:48:32 +01:00
U2F in progress (#1148) 2017-02-04 08:55:47 +01:00			`# INITIALIZATION`
U2F registration works (#1148) 2017-02-03 18:14:13 +01:00
2F engine works with 1 2F enabled (#1148) 2018-03-08 20:36:32 +01:00			`has prefix => ( is => 'rw', default => 'u' );`

Add 2F registration engine (#1148 #1359 #1391) 2018-03-15 07:04:52 +01:00			`has template => ( is => 'ro', default => 'u2fregister' );`

2F registration menu (#1148 #1359 #1391) 2018-03-15 22:35:59 +01:00			`has logo => ( is => 'rw', default => 'u2f.png' );`

U2F skeleton (#1148) 2017-02-02 22:48:32 +01:00			`sub init {`
			`my ($self) = @_;`
U2F in progress (#1148) 2017-02-04 08:55:47 +01:00			`return 0 unless $self->SUPER::init;`
U2F skeleton (#1148) 2017-02-02 22:48:32 +01:00			`return 1;`
			`}`

U2F in progress (#1148) 2017-02-04 08:55:47 +01:00			`# RUNNING METHODS`

			`# Main method`
U2F skeleton (#1148) 2017-02-02 22:48:32 +01:00			`sub run {`
Add 2F registration engine (#1148 #1359 #1391) 2018-03-15 07:04:52 +01:00			`my ( $self, $req, $action ) = @_;`
U2F skeleton (#1148) 2017-02-02 22:48:32 +01:00
Start rewrite Register::U2F using Ajax (#1148) NB: broken for now 2017-02-08 14:01:02 +01:00			`if ( $action eq 'register' ) {`
			`my $challenge = $self->crypter->registrationChallenge;`
Restore challenge in verification (#1148) 2018-03-19 22:35:39 +01:00			`$self->logger->debug("Register challenge: $challenge");`
			`return [`
			`200,`
			`[`
			`'Content-Type' => 'application/json',`
			`'Content-Length' => length($challenge),`
			`],`
			`[$challenge]`
			`];`
Revert U2F change included by error (#1386): work not finished 2018-03-17 20:37:31 +01:00			`return [ 200, [ 'Content-Type' => 'application/json' ], [$challenge] ];`
Start rewrite Register::U2F using Ajax (#1148) NB: broken for now 2017-02-08 14:01:02 +01:00			`}`
			`if ( $action eq 'registration' ) {`
Revert U2F change included by error (#1386): work not finished 2018-03-17 20:37:31 +01:00			`my ( $resp, $challenge );`
Restore challenge in verification (#1148) 2018-03-19 22:35:39 +01:00			`$self->logger->debug('Regististration response');`
U2F is working now (#1148) 2018-03-06 22:50:40 +01:00			`unless ($resp = $req->param('registration')`
			`and $challenge = $req->param('challenge') )`
			`{`
Start rewrite Register::U2F using Ajax (#1148) NB: broken for now 2017-02-08 14:01:02 +01:00			`return $self->p->sendError( $req, 'Missing registration parameter',`
			`400 );`
			`}`
Replace lmLog by logger-> (#857) 2017-02-15 07:41:50 +01:00			`$self->logger->debug("Get registration data $resp");`
U2F is working now (#1148) 2018-03-06 22:50:40 +01:00			`$self->logger->debug("Get challenge $challenge");`
			`eval { $challenge = JSON::from_json($challenge)->{challenge} };`
			`if ($@) {`
			`$self->userLogger->error("Bad challenge: $@");`
			`return $self->p->sendError( $req, 'Bad challenge', 400 );`
			`}`
			`my $c = $self->crypter;`
			`if ( $c->setChallenge($challenge) ) {`
Revert U2F change included by error (#1386): work not finished 2018-03-17 20:37:31 +01:00			`my ( $keyHandle, $userKey ) = $c->registrationVerify($resp);`
			`if ( $keyHandle and $userKey ) {`
			`$self->p->updatePersistentSession(`
			`$req,`
			`{`
			`_u2fKeyHandle =>`
			`$self->encode_base64url( $keyHandle, '' ),`
			`_u2fUserKey => $self->encode_base64url( $userKey, '' )`
			`}`
			`);`
U2F is working now (#1148) 2018-03-06 22:50:40 +01:00			`return [`
Restore challenge in verification (#1148) 2018-03-19 22:35:39 +01:00			`200,`
			`[`
			`'Content-Type' => 'application/json',`
			`'Content-Length' => 12,`
			`],`
U2F is working now (#1148) 2018-03-06 22:50:40 +01:00			`['{"result":1}']`
			`];`
			`}`
U2F in progress (#1148) 2017-02-03 07:23:39 +01:00			`}`
Start rewrite Register::U2F using Ajax (#1148) NB: broken for now 2017-02-08 14:01:02 +01:00			`my $err = Crypt::U2F::Server::Simple::lastError();`
Replace userNotice/Error... by userLogger (#857) 2017-02-15 15:16:59 +01:00			`$self->userLogger->warn("U2F Registration failed: $err");`
Start rewrite Register::U2F using Ajax (#1148) NB: broken for now 2017-02-08 14:01:02 +01:00			`return $self->p->sendError( $req, $err, 200 );`
U2F skeleton (#1148) 2017-02-02 22:48:32 +01:00			`}`
Self unregister U2F key 2018-02-21 09:23:41 +01:00
Possibility to forbid U2F unregistration (#1148) 2018-03-18 22:20:05 +01:00			`elsif ( $action eq 'verify' ) {`
Restore challenge in verification (#1148) 2018-03-19 22:35:39 +01:00			`$self->logger->debug('Verification challenge req');`
Start rewrite Register::U2F using Ajax (#1148) NB: broken for now 2017-02-08 14:01:02 +01:00			`my ( $err, $error ) = $self->loadUser($req);`
			`if ( $err == -1 ) {`
			`return $self->p->sendError( $req, "U2F error: $error", 200 );`
			`}`
			`elsif ( $err == 0 ) {`
			`return $self->p->sendError( $req, "noU2FKeyFound" );`
			`}`
Fix some mistakes & display sessions with U2F key registered only 2018-03-07 23:29:42 +01:00			`my $challenge = $req->datas->{crypter}->authenticationChallenge;`
Restore challenge in verification (#1148) 2018-03-19 22:35:39 +01:00			`return [`
			`200,`
			`[`
			`'Content-Type' => 'application/json',`
			`'Content-Length' => length($challenge),`
			`],`
			`[$challenge]`
			`];`
Start rewrite Register::U2F using Ajax (#1148) NB: broken for now 2017-02-08 14:01:02 +01:00			`}`
Possibility to forbid U2F unregistration (#1148) 2018-03-18 22:20:05 +01:00			`elsif ( $action eq 'signature' ) {`
Restore challenge in verification (#1148) 2018-03-19 22:35:39 +01:00			`$self->logger->debug('Verification response');`
			`my ( $challenge, $resp );`
			`unless ($challenge = $req->param('challenge')`
			`and $resp = $req->param('signature') )`
			`{`
Start rewrite Register::U2F using Ajax (#1148) NB: broken for now 2017-02-08 14:01:02 +01:00			`return $self->p->sendError( $req, 'Missing signature parameter',`
			`400 );`
			`}`
			`my ( $err, $error ) = $self->loadUser($req);`
			`if ( $err == -1 ) {`
			`return $self->p->sendError( $req, "U2F error: $error", 200 );`
U2F is ready for skin bootstrap (#1148) 2017-02-07 23:04:49 +01:00			`}`
Start rewrite Register::U2F using Ajax (#1148) NB: broken for now 2017-02-08 14:01:02 +01:00			`elsif ( $err == 0 ) {`
			`return $self->p->sendError( $req, "noU2FKeyFound" );`
			`}`
Restore challenge in verification (#1148) 2018-03-19 22:35:39 +01:00			`$self->logger->debug("Get verify response $resp");`
			`$req->datas->{crypter}->setChallenge($challenge);`
U2F is working now (#1148) 2018-03-06 22:50:40 +01:00			`my $res =`
Fix some mistakes & display sessions with U2F key registered only 2018-03-07 23:29:42 +01:00			`( $req->datas->{crypter}->authenticationVerify($resp) ? 1 : 0 );`
Tidy 2018-03-13 07:14:01 +01:00
Update icons 2018-03-09 23:40:22 +01:00			`#$self->userLogger->notice("res=$res");`
Start rewrite Register::U2F using Ajax (#1148) NB: broken for now 2017-02-08 14:01:02 +01:00			`return [`
Restore challenge in verification (#1148) 2018-03-19 22:35:39 +01:00			`200,`
			`[ 'Content-Type' => 'application/json', 'Content-Length' => 12, ],`
Start rewrite Register::U2F using Ajax (#1148) NB: broken for now 2017-02-08 14:01:02 +01:00			`[qq'{"result":$res}']`
			`];`
			`}`
Possibility to forbid U2F unregistration (#1148) 2018-03-18 22:20:05 +01:00
			`# Check if unregistration is allowed`
			`unless ( $self->conf->{u2fUserCanRemoveKey} ) {`
			`return $self->p->sendError( $req, 'notAutorizated', 200 );`
			`}`
			`if ( $action eq 'unregister' ) {`
			`my $challenge = $self->crypter->registrationChallenge;`
Restore challenge in verification (#1148) 2018-03-19 22:35:39 +01:00			`return [`
			`200,`
			`[`
			`'Content-Type' => 'application/json',`
			`'Content-Length' => length($challenge),`
			`],`
			`[$challenge]`
			`];`
Possibility to forbid U2F unregistration (#1148) 2018-03-18 22:20:05 +01:00			`}`
			`elsif ( $action eq 'unregistration' ) {`
			`$self->p->updatePersistentSession(`
			`$req,`
			`{`
			`_u2fKeyHandle => '',`
			`_u2fUserKey => ''`
			`}`
			`);`
			`$self->userLogger->notice('U2F key unregistration succeed');`
Restore challenge in verification (#1148) 2018-03-19 22:35:39 +01:00			`return [`
			`200,`
			`[ 'Content-Type' => 'application/json', 'Content-Length' => 12, ],`
			`['{"result":1}']`
			`];`
Possibility to forbid U2F unregistration (#1148) 2018-03-18 22:20:05 +01:00			`my $err = Crypt::U2F::Server::Simple::lastError();`
			`$self->userLogger->warn("U2F Unregistration failed: $err");`
			`return $self->p->sendError( $req, $err, 200 );`
			`}`
			`$self->logger->error("Unknown action $action");`
			`return $self->p->sendError( $req, 'notAutorizated', 200 );`
Start rewrite Register::U2F using Ajax (#1148) NB: broken for now 2017-02-08 14:01:02 +01:00			`}`

			`sub loadUser {`
			`my ( $self, $req ) = @_;`
			`my $uid = $req->userData->{ $self->conf->{whatToTrace} };`
Full ajax registration (#1148) 2017-02-08 19:10:06 +01:00			`my $session = $self->p->getPersistentSession($uid);`
Start rewrite Register::U2F using Ajax (#1148) NB: broken for now 2017-02-08 14:01:02 +01:00			`my $kh = $session->data->{_u2fKeyHandle};`
			`my $uk = $session->data->{_u2fUserKey};`
			`unless ( $kh and $uk ) {`
			`return 0;`
			`}`
Fix some mistakes & display sessions with U2F key registered only 2018-03-07 23:29:42 +01:00			`$req->datas->{crypter} = $self->crypter(`
Use new crypt object for each crypter operation (#1148) 2018-03-06 07:03:42 +01:00			`keyHandle => $self->decode_base64url($kh),`
			`publicKey => $self->decode_base64url($uk)`
			`);`
Fix some mistakes & display sessions with U2F key registered only 2018-03-07 23:29:42 +01:00			`unless ( $req->datas->{crypter} ) {`
Start rewrite Register::U2F using Ajax (#1148) NB: broken for now 2017-02-08 14:01:02 +01:00			`my $error = Crypt::U2F::Server::Simple::lastError();`
			`return ( -1, $error );`
			`}`
			`return 1;`
U2F skeleton (#1148) 2017-02-02 22:48:32 +01:00			`}`

			`1;`