From 1cf1990fe24b48c77b37d2fe9ecf705ac0bf54ca Mon Sep 17 00:00:00 2001
From: Maxime Besson
Date: Tue, 9 Jun 2020 15:33:44 +0200
Subject: [PATCH] Add portal code for session upgrade
---
 .../NG/Handler/Lib/StatusConstants.pm | 1 +
 .../NG/Manager/Build/PortalConstants.pm | 3 ++-
 .../lib/Lemonldap/NG/Portal/Main/Constants.pm | 5 ++++-
 .../lib/Lemonldap/NG/Portal/Main/Display.pm | 20 +++++++++++++++++++
 .../lib/Lemonldap/NG/Portal/Main/Issuer.pm | 14 +++++++++++++
 5 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/StatusConstants.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/StatusConstants.pm
index 45e1767ee..56c1267a4 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/StatusConstants.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/StatusConstants.pm
@@ -18,6 +18,7 @@ sub portalConsts {
 '10' => 'PE_BADCERTIFICATE',
 '100' => 'PE_PP_NOT_ALLOWED_CHARACTER',
 '101' => 'PE_PP_NOT_ALLOWED_CHARACTERS',
+ '102' => 'PE_UPGRADESESSION',
 '2' => 'PE_FORMEMPTY',
 '21' => 'PE_PP_ACCOUNT_LOCKED',
 '22' => 'PE_PP_PASSWORD_EXPIRED',
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/PortalConstants.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/PortalConstants.pm
index 6e8cf5b48..da720d270 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/PortalConstants.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/PortalConstants.pm
@@ -108,7 +108,8 @@ sub portalConstants {
 PE_RESETCERTIFICATE_FORMEMPTY => 98,
 PE_RESETCERTIFICATE_FIRSTACCESS => 99,
 PE_PP_NOT_ALLOWED_CHARACTER => 100,
- PE_PP_NOT_ALLOWED_CHARACTERS => 101
+ PE_PP_NOT_ALLOWED_CHARACTERS => 101,
+ PE_UPGRADESESSION => 102
 };
 }
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
index e5a412da3..b4386ebfc 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
@@ -105,6 +105,7 @@ use constant {
 PE_RESETCERTIFICATE_FIRSTACCESS => 99,
 PE_PP_NOT_ALLOWED_CHARACTER => 100,
 PE_PP_NOT_ALLOWED_CHARACTERS => 101,
+ PE_UPGRADESESSION => 102,
 };
 sub portalConsts {
@@ -119,6 +120,7 @@ sub portalConsts {
 '10' => 'PE_BADCERTIFICATE',
 '100' => 'PE_PP_NOT_ALLOWED_CHARACTER',
 '101' => 'PE_PP_NOT_ALLOWED_CHARACTERS',
+ '102' => 'PE_UPGRADESESSION',
 '2' => 'PE_FORMEMPTY',
 '21' => 'PE_PP_ACCOUNT_LOCKED',
 '22' => 'PE_PP_PASSWORD_EXPIRED',
@@ -310,7 +312,8 @@ our @EXPORT_OK = (
 'PE_RESETCERTIFICATE_FORMEMPTY',
 'PE_RESETCERTIFICATE_FIRSTACCESS',
 'PE_PP_NOT_ALLOWED_CHARACTER',
- 'PE_PP_NOT_ALLOWED_CHARACTERS'
+ 'PE_PP_NOT_ALLOWED_CHARACTERS',
+ 'PE_UPGRADESESSION'
 );
 our %EXPORT_TAGS = ( 'all' => [ @EXPORT_OK, 'import' ], );
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
index 8a8b90eab..78a1c3cd0 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
@@ -261,6 +261,25 @@ sub display {
 );
 }
+ # when upgrading session, the administrator can configure LLNG
+ # to ask only for 2FA
+ elsif ( $req->error == PE_UPGRADESESSION ) {
+ $skinfile = 'upgradesession';
+ %templateParams = (
+ MAIN_LOGO => $self->conf->{portalMainLogo},
+ LANGS => $self->conf->{showLanguages},
+ MSG => 'askToUpgrade',
+ CONFIRMKEY => $self->stamp,
+ PORTAL => $self->conf->{portal},
+ URL => $req->data->{_url},
+ (
+ $req->data->{customScript}
+ ? ( CUSTOM_SCRIPT => $req->data->{customScript} )
+ : ()
+ ),
+ );
+ }
+ # renew uses the same plugin as upgrade, but first factor is mandatory
 elsif ( $req->error == PE_RENEWSESSION ) {
 $skinfile = 'upgradesession';
 %templateParams = (
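Review bot: `CUSTOM_SCRIPT` in the new `PE_UPGRADESESSION` branch hands `$req->data->{customScript}` to the `upgradesession` template as ready-made markup, and nothing in the branch says that this value must only ever be built server-side. A short comment above the conditional would make that contract explicit, for example `# customScript is presumably emitted unescaped: append only static, server-built tags, never request data`. It would also help to note next to `URL => $req->data->{_url}` that the value is base64 (the issuer code in this patch sets it with `encode_base64`), so template authors treat it as an encoded field. The branch shares its skin file with the `PE_RENEWSESSION` branch that follows, whose parameter list lies outside this hunk, so the two lists cannot be compared here.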
@@ -278,6 +297,7 @@ sub display {
 );
 }
+ # Looks a lot like upgradesession, but no portal logo
 elsif ( $req->error == PE_MUSTAUTHN ) {
 $skinfile = 'updatesession';
 %templateParams = (
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Issuer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Issuer.pm
index 2f54f2fb4..2340a90d6 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Issuer.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Issuer.pm
@@ -17,6 +17,7 @@ use Lemonldap::NG::Common::FormEncode;
 use Lemonldap::NG::Portal::Main::Constants qw(
 PE_OK
 PE_RENEWSESSION
+ PE_UPGRADESESSION
 );
 extends 'Lemonldap::NG::Portal::Main::Plugin';
@@ -250,6 +251,19 @@ qq'' + if ( $self->conf->{skipUpgradeConfirmation} ); + $req->data->{_url} = + encode_base64( $self->conf->{portal} . $req->path_info, '' ); + $req->pdata->{ $self->ipath } = $self->storeRequest($req); + push @{ $req->pdata->{keepPdata} }, $self->ipath, $self->ipath . 'Path'; + $req->pdata->{issuerTs} = time; + return PE_UPGRADESESSION; +} + 1; __END__
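Review bot: The added sub builds `_url` as `$self->conf->{portal} . $req->path_info` with no comment, yet the configured-portal prefix is what keeps a client-chosen path on the portal if `_url` is later used as the return target (how it is consumed is not visible here). Suggested comment: `# _url is always portal-prefixed; never substitute the full client-supplied URL here`. The same expression yields a double slash when `portal` ends in `/` and `path_info` starts with one, which is worth normalising if the value is ever compared against a configured URL. `issuerTs` is set to `time` with no visible consumer, so a word on what reads it and how long the stored request stays valid would help. The opening lines of this sub are missing from the page (the hunk resumes at `if ( $self->conf->{skipUpgradeConfirmation} )`), so its name and signature cannot be reviewed here.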