Possibility to forbid U2F unregistration (#1148)

This commit is contained in:
Xavier Guimard 2018-03-18 22:20:05 +01:00
parent 30e5d25ed0
commit 05c77feebc
12 changed files with 48 additions and 29 deletions


@ -250,6 +250,7 @@ sub defaultValues {
'trustedProxies' => '',
'twitterAuthnLevel' => 1,
'u2fActivation' => 0,
'u2fUserCanRemoveKey' => 1,
'upgradeSession' => 1,
'userControl' => '^[\\w\\.\\-@]+$',
'userDB' => 'Same',


@ -3266,6 +3266,10 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
'default' => 0,
'type' => 'bool'
},
'u2fUserCanRemoveKey' => {
'default' => 1,
'type' => 'bool'
},
'upgradeSession' => {
'default' => 1,
'type' => 'bool'


@ -1072,6 +1072,11 @@ sub attributes {
documentation =>
'Authentication level for users authentified by password+U2F'
},
u2fUserCanRemoveKey => {
type => 'bool',
default => 1,
documentation => 'Authorize users to remove existing U2F key',
},
# TOTP second factor
totp2fActivation => {


@ -653,10 +653,8 @@ sub tree {
title => 'utotp2f',
help => 'utotp2f.html',
form => 'simpleInputContainer',
nodes => [
'utotp2fActivation',
'utotp2fAuthnLevel'
]
nodes =>
[ 'utotp2fActivation', 'utotp2fAuthnLevel' ]
},
{
title => 'u2f',
@ -664,7 +662,7 @@ sub tree {
form => 'simpleInputContainer',
nodes => [
'u2fActivation', 'u2fSelfRegistration',
'u2fAuthnLevel'
'u2fAuthnLevel', 'u2fUserCanRemoveKey',
]
},
{


@ -732,6 +732,7 @@
"u2f":"U2F",
"u2fActivation":"تفعيل",
"u2fAuthnLevel":"U2F مستوى إثبات الهوية",
"u2fUserCanRemoveKey":"Authorize user to remove U2F key",
"u2fSelfRegistration":"التسجيل الذاتي",
"u2fSessions":"U2F sessions explorer",
"uid":"المعرف",


@ -732,6 +732,7 @@
"u2f":"U2F",
"u2fActivation":"Activation",
"u2fAuthnLevel":"U2F authentication level",
"u2fUserCanRemoveKey":"Authorize user to remove U2F key",
"u2fSelfRegistration":"Self registration",
"u2fSessions":"U2F sessions explorer",
"uid":"Identifier",


@ -732,6 +732,7 @@
"u2f":"U2F",
"u2fActivation":"Activation",
"u2fAuthnLevel":"Niveau d'authentification U2F",
"u2fUserCanRemoveKey":"Authoriser les utilisateurs à effacer leur clef U2F",
"u2fSelfRegistration":"Auto-enregistrement",
"u2fSessions":"Explorateur de sessions U2F",
"uid":"Identifiant",


@ -732,6 +732,7 @@
"u2f":"U2F",
"u2fActivation":"Attivazione",
"u2fAuthnLevel":"Livello di autenticazione U2F",
"u2fUserCanRemoveKey":"Authorize user to remove U2F key",
"u2fSelfRegistration":"Auto-registrazione",
"u2fSessions":"U2F sessions explorer",
"uid":"Identificatore",


@ -732,6 +732,7 @@
"u2f":"U2F",
"u2fActivation":"Kích hoạt",
"u2fAuthnLevel":"Mức xác thực U2F",
"u2fUserCanRemoveKey":"Authorize user to remove U2F key",
"u2fSelfRegistration":"Tự đăng ký ",
"u2fSessions":"U2F sessions explorer",
"uid":"Trình định danh",




@ -70,27 +70,7 @@ sub run {
return $self->p->sendError( $req, $err, 200 );
}
if ( $action eq 'unregister' ) {
my $challenge = $self->crypter->registrationChallenge;
return [ 200, [ 'Content-Type' => 'application/json' ], [$challenge] ];
}
if ( $action eq 'unregistration' ) {
$self->p->updatePersistentSession(
$req,
{
_u2fKeyHandle => '',
_u2fUserKey => ''
}
);
$self->userLogger->notice('U2F key unregistration succeed');
return [ 200, [ 'Content-Type' => 'application/json' ],
['{"result":1}'] ];
my $err = Crypt::U2F::Server::Simple::lastError();
$self->userLogger->warn("U2F Unregistration failed: $err");
return $self->p->sendError( $req, $err, 200 );
}
if ( $action eq 'verify' ) {
elsif ( $action eq 'verify' ) {
my ( $err, $error ) = $self->loadUser($req);
if ( $err == -1 ) {
return $self->p->sendError( $req, "U2F error: $error", 200 );
@ -101,7 +81,7 @@ sub run {
my $challenge = $req->datas->{crypter}->authenticationChallenge;
return [ 200, [ 'Content-Type' => 'application/json' ], [$challenge] ];
}
if ( $action eq 'signature' ) {
elsif ( $action eq 'signature' ) {
my $resp;
unless ( $resp = $req->param('signature') ) {
return $self->p->sendError( $req, 'Missing signature parameter',
@ -123,6 +103,32 @@ sub run {
[qq'{"result":$res}']
];
}
# Check if unregistration is allowed
unless ( $self->conf->{u2fUserCanRemoveKey} ) {
return $self->p->sendError( $req, 'notAutorizated', 200 );
}
if ( $action eq 'unregister' ) {
my $challenge = $self->crypter->registrationChallenge;
return [ 200, [ 'Content-Type' => 'application/json' ], [$challenge] ];
}
elsif ( $action eq 'unregistration' ) {
$self->p->updatePersistentSession(
$req,
{
_u2fKeyHandle => '',
_u2fUserKey => ''
}
);
$self->userLogger->notice('U2F key unregistration succeed');
return [ 200, [ 'Content-Type' => 'application/json' ],
['{"result":1}'] ];
my $err = Crypt::U2F::Server::Simple::lastError();
$self->userLogger->warn("U2F Unregistration failed: $err");
return $self->p->sendError( $req, $err, 200 );
}
$self->logger->error("Unknown action $action");
return $self->p->sendError( $req, 'notAutorizated', 200 );
}
sub loadUser {
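Review bot: The `unless ( $self->conf->{u2fUserCanRemoveKey} )` guard sits after the `verify`/`signature` chain rather than inside the unregister branches, so with the option disabled every action not handled above — including an unknown one — is answered with `notAutorizated` before the `Unknown action $action` log on the last lines can run. The moved `unregistration` branch also keeps three unreachable lines after its `return` (from `my $err = Crypt::U2F::Server::Simple::lastError();` on), and as far as this hunk shows nothing checks a response to the challenge issued by `unregister` before `_u2fKeyHandle`/`_u2fUserKey` are cleared, so either the signed response should be verified there or the unused challenge round-trip dropped. `notAutorizated` matches the existing unknown-action string, so I assume it is a message key; if it is a typo both places need the same fix. Scoping the guard to the two removal actions and deleting the dead lines would look like the excerpt below; `run` begins before the first hunk.
```perl
    # … unchanged: register / verify / signature branches …
    if ( $action eq 'unregister' or $action eq 'unregistration' ) {
        # Refuse key removal when the administrator disabled it, but
        # leave unknown actions to the "Unknown action" path below
        unless ( $self->conf->{u2fUserCanRemoveKey} ) {
            $self->userLogger->warn('U2F key removal is disabled');
            return $self->p->sendError( $req, 'notAutorizated', 200 );
        }
        if ( $action eq 'unregister' ) {
            my $challenge = $self->crypter->registrationChallenge;
            return [ 200, [ 'Content-Type' => 'application/json' ], [$challenge] ];
        }
        # TODO(review): verify the response to the challenge above before clearing the key
        $self->p->updatePersistentSession( $req,
            { _u2fKeyHandle => '', _u2fUserKey => '' } );
        $self->userLogger->notice('U2F key unregistration succeed');
        return [ 200, [ 'Content-Type' => 'application/json' ], ['{"result":1}'] ];
    }
    $self->logger->error("Unknown action $action");
    return $self->p->sendError( $req, 'notAutorizated', 200 );
```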