Remove explicit references to 2FA types from Manager

This commit is contained in:
Maxime Besson 2022-08-29 16:02:14 +02:00
parent 389d33d542
commit 3ff3fa9376
5 changed files with 25 additions and 71 deletions


@ -15,7 +15,6 @@ extends qw(
Lemonldap::NG::Common::Conf::AccessLib
);
use constant _2FTYPES => [ "UBK", "U2F", "TOTP", "WebAuthn" ];
our $VERSION = '2.0.10';
#############################
@ -47,8 +46,6 @@ sub init {
$self->{hiddenAttributes} //= "_password";
$self->{hiddenAttributes} .= ' _session_id'
unless $conf->{displaySessionId};
$self->{TOTPCheck} = $self->{U2FCheck} = $self->{UBKCheck} =
$self->{WebAuthnCheck} = '1';
return 1;
}
@ -69,14 +66,9 @@ sub del2F {
my $epoch = $params->{epoch}
or return $self->sendError( $req, 'Missing "epoch" parameter', 400 );
if ( grep { $_ eq $type } @{ _2FTYPES() } ) {
$self->logger->debug(
"Call procedure delete2F with type=$type and epoch=$epoch");
return $self->delete2F( $req, $session, $skey );
}
else {
return $self->sendError( $req, 'Bad value "type" parameter', 400 );
}
$self->logger->debug(
"Call procedure delete2F with type=$type and epoch=$epoch");
return $self->delete2F( $req, $session, $skey );
}
########################
@ -118,11 +110,8 @@ sub sfa {
my $moduleOptions = $mod->{options};
$moduleOptions->{backend} = $mod->{module};
# Select 2FA sessions to display
foreach ( @{ _2FTYPES() } ) {
$self->{ $_ . 'Check' } = delete $params->{ $_ . 'Check' }
if ( defined $params->{ $_ . 'Check' } );
}
my @display_types = $params->get_all('type');
$params->remove('type');
my %filters = map {
my $s = $_;
@ -190,19 +179,18 @@ sub sfa {
# Remove sessions without at least one 2F device(s)
$self->logger->debug(
"Removing sessions without at least one 2F device(s)...");
my $_2f_types_re = join( '|', @{ _2FTYPES() } );
foreach my $session ( keys %$res ) {
delete $res->{$session}
unless ( defined $res->{$session}->{_2fDevices}
and $res->{$session}->{_2fDevices} =~
/"type":\s*"(?:$_2f_types_re)"/s );
and $res->{$session}->{_2fDevices} =~ /"type"/s );
}
# Filter 2FA sessions if needed
$self->logger->debug("Filtering 2F sessions...");
my $all = ( keys %$res );
foreach ( @{ _2FTYPES() } ) {
if ( $self->{ $_ . 'Check' } eq '2' ) {
# Filter 2FA sessions if needed
if (@display_types) {
$self->logger->debug("Filtering 2F sessions...");
foreach (@display_types) {
foreach my $session ( keys %$res ) {
delete $res->{$session}
unless ( defined $res->{$session}->{_2fDevices}
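Review bot: The new `foreach (@display_types)` filter consumes values taken straight from the request via `$params->get_all('type')`, and the allowlist that the old `_2FTYPES` loop and `$_2f_types_re` provided is gone; the loop body continues outside the hunk, so if it builds a match from `$_` that value should be quoted (`\Q$_\E`) or shape-checked first, e.g. `next unless /\A\w+\z/;` as the first statement of the loop. The same applies in `del2F`, where dropping the `grep { $_ eq $type }` check means `$type` reaches the debug log and the `delete2F` call unvalidated; `return $self->sendError( $req, 'Bad value "type" parameter', 400 ) unless $type =~ /\A\w+\z/;` keeps the type-agnostic intent while bounding the input. The relaxed `/"type"/s` test now accepts any `_2fDevices` blob that merely contains the literal `"type"` key, which is presumably fine given the JSON shape but is looser than before and deserves a comment saying so. `sfa` starts and ends outside the hunk; `del2F` starts before its hunk.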


@ -228,7 +228,6 @@ sub init {
$self->setTypes($conf);
$self->{multiValuesSeparator} ||= '; ';
$self->{hiddenAttributes} //= "_password";
$self->{TOTPCheck} = $self->{U2FCheck} = $self->{UBKCheck} = '1';
return 1;
}


@ -139,11 +139,6 @@ sub _get2F {
my ( $self, $uid, $type, $id ) = @_;
my ( $res, $psessions, @secondFactors );
if ( defined $type ) {
$res = $self->_checkType($type);
return $res if ( $res->{res} ne 'ok' );
}
$psessions = $self->_getSessions2F( $self->_getPersistentMod, 'Persistent',
'_session_uid', $uid );
@ -279,10 +274,6 @@ sub _delete2FFromSessions {
sub _delete2F {
my ( $self, $uid, $type, $id ) = @_;
my ( $res, $removed, $count );
if ( defined $type ) {
$res = $self->_checkType($type);
return $res if ( $res->{res} ne 'ok' );
}
$res =
$self->_delete2FFromSessions( $uid, $type, $id, $self->_getPersistentMod,
@ -331,18 +322,4 @@ sub _getDevicesFromSessionData {
return [];
}
sub _checkType {
my ( $self, $type ) = @_;
return {
res => "ko",
code => 400,
msg =>
"Invalid input: Type \"$type\" does not exist. Allowed values for type are: \"U2F\", \"TOTP\", \"WebAuthn\" or \"UBK\""
}
unless ( $type =~ /\b(?:U2F|TOTP|UBK|WebAuthn)\b/i );
return { res => "ok" };
}
1;
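Review bot: With `_checkType` deleted, `$type` in `_get2F` and `_delete2F` is forwarded to `_getSessions2F` and `_delete2FFromSessions` with no validation at all, where previously an unknown value produced a 400; those helpers are outside the hunk, so whether they use `$type` as a hash key, in a pattern or in a log line cannot be seen here. A type-agnostic shape check preserves the commit's intent while still bounding the input: `return { res => 'ko', code => 400, msg => 'Invalid input: bad "type" format' } if defined $type and $type !~ /\A\w+\z/;` in both subs, in place of the removed blocks. Each sub also deserves a one-line comment stating that a well-formed but unknown type now matches nothing instead of being rejected, since the test change in this commit relies on exactly that. `_get2F` starts before its hunk and `_delete2F` continues past the end of its hunk.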


@ -135,14 +135,6 @@ sub checkGetList {
return $ret;
}
sub checkGetBadType {
my ( $uid, $type ) = splice @_;
my ( $test, $res );
$test = "Get for uid $uid and type \"$type\" should get rejected.";
$res = get( $test, $uid, $type );
check400( $test, $res );
}
sub checkGetOnIds {
my ( $uid, $ret ) = splice @_;
foreach (@$ret) {
@ -313,7 +305,7 @@ checkGetList( 1, 'dwho', 'U2F' );
checkGetList( 1, 'dwho', 'TOTP' );
checkGetList( 1, 'dwho', 'UBK' );
checkGetList( 1, 'dwho', 'WebAuthn' );
checkGetBadType( 'dwho', 'UBKIKI' );
checkGetList( 0, 'dwho', 'UBKIKI' );
$ret = checkGetList( 4, 'dwho' );
checkGetOnIds( 'dwho', $ret );
checkDelete( 'dwho', @$ret[0]->{id} );
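Review bot: `checkGetList( 0, 'dwho', 'UBKIKI' )` silently encodes a behaviour change — an unknown type now yields an empty list where `checkGetBadType` used to assert a 400 — and nothing in the test says so; a comment above the call, `# Unknown types are no longer rejected with 400; they simply match no device`, would stop the next reader from "fixing" it back. The deleted `checkGetBadType` was also the file's only coverage of malformed input, so one extra call with a non-word value (a constructed `'U2F|TOTP'`, say) asserting whichever response the API settles on would pin that path now that the type check is gone.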


@ -147,8 +147,7 @@ ok( ( $res->{_2fDevices} and $res->{_2fDevices} =~ /"type":\s*"UBK"/s ),
count(5);
## "All" query
$res = &client->jsonResponse( '/sfa/persistent',
'groupBy=substr(uid,1)&U2FCheck=1&TOTPCheck=1&UBKCheck=1' );
$res = &client->jsonResponse( '/sfa/persistent', 'groupBy=substr(uid,1)' );
ok( $res->{result} == 1, 'Search * - Result code = 1' );
ok( $res->{count} == 3, 'Found 3 results' ) or print STDERR Dumper($res);
ok( @{ $res->{values} } == 3, 'List 3 results' );
@ -168,8 +167,8 @@ count(9);
## "Search by UID" query
# uid=d*
$res = &client->jsonResponse( '/sfa/persistent',
'uid=d*&groupBy=substr(uid,1)&U2FCheck=1&TOTPCheck=1&UBKCheck=1' );
$res =
&client->jsonResponse( '/sfa/persistent', 'uid=d*&groupBy=substr(uid,1)' );
ok( $res->{result} == 1, 'Search "uid"=d* - Result code = 1' );
ok( $res->{count} == 1, 'Found 1 result' ) or print STDERR Dumper($res);
ok( @{ $res->{values} } == 1, 'List 1 result' );
@ -180,8 +179,8 @@ ok( $res->{values}->[0]->{count} == 2, 'Found 2 sessions starting with "d"' );
count(5);
# uid=dw*
$res = &client->jsonResponse( '/sfa/persistent',
'uid=dw*&groupBy=substr(uid,2)&U2FCheck=1&TOTPCheck=1&UBKCheck=1' );
$res =
&client->jsonResponse( '/sfa/persistent', 'uid=dw*&groupBy=substr(uid,2)' );
ok( $res->{result} == 1, 'Search "uid"=dw* - Result code = 1' );
ok( $res->{count} == 1, 'Found 1 result' ) or print STDERR Dumper($res);
ok( @{ $res->{values} } == 1, 'List 1 result' );
@ -193,7 +192,7 @@ count(5);
# uid=d* & UBK
$res = &client->jsonResponse( '/sfa/persistent',
'uid=d*&groupBy=substr(uid,1)&U2FCheck=1&TOTPCheck=1&UBKCheck=2' );
'uid=d*&groupBy=substr(uid,1)&type=UBK' );
ok( $res->{result} == 1, 'Search "uid"=d* & UBK - Result code = 1' );
ok( $res->{count} == 1, 'Found 1 result' ) or print STDERR Dumper($res);
ok( @{ $res->{values} } == 1, 'List 1 result' );
@ -208,7 +207,7 @@ count(5);
# uid=dw* & UBK
$res = &client->jsonResponse( '/sfa/persistent',
'uid=dw*&groupBy=substr(uid,2)&U2FCheck=1&TOTPCheck=1&UBKCheck=2' );
'uid=dw*&groupBy=substr(uid,2)&type=UBK' );
ok( $res->{result} == 1, 'Search "uid"=dw* & UBK - Result code = 1' );
ok( $res->{count} == 1, 'Found 1 result' ) or print STDERR Dumper($res);
ok( @{ $res->{values} } == 1, 'List 1 result' );
@ -223,7 +222,7 @@ count(5);
# uid=da* & UBK
$res = &client->jsonResponse( '/sfa/persistent',
'uid=da*&groupBy=substr(uid,2)&U2FCheck=1&TOTPCheck=1&UBKCheck=2' );
'uid=da*&groupBy=substr(uid,2)&type=UBK' );
ok( $res->{result} == 1, 'Search "uid"=da* & UBK - Result code = 1' );
ok( $res->{count} == 0, 'Found 0 session with "da" & UBK' )
or print STDERR Dumper($res);
@ -232,7 +231,7 @@ count(3);
## "Filtered by U2F" query
$res = &client->jsonResponse( '/sfa/persistent',
'uid=*&groupBy=substr(uid,0)&U2FCheck=2&TOTPCheck=1&UBKCheck=1' );
'uid=*&groupBy=substr(uid,0)&type=U2F' );
ok( $res->{result} == 1, 'Search "uid"=* & UBK - Result code = 1' );
ok( $res->{count} == 3, 'Found 3 results' ) or print STDERR Dumper($res);
ok( @{ $res->{values} } == 3, 'List 3 results' );
@ -261,7 +260,7 @@ count(9);
## "Filtered by U2F & TOTP" query
$res = &client->jsonResponse( '/sfa/persistent',
'uid=*&groupBy=substr(uid,0)&U2FCheck=2&TOTPCheck=2&UBKCheck=1' );
'uid=*&groupBy=substr(uid,0)&type=U2F&type=TOTP' );
ok( $res->{result} == 1, 'Search "uid"=* & UBK & TOTP - Result code = 1' );
ok( $res->{count} == 1, 'Found 1 result' ) or print STDERR Dumper($res);
ok( @{ $res->{values} } == 1, 'List 1 result' );
@ -274,7 +273,7 @@ count(5);
## "Filtered by U2F & TOTP & UBK" query
$res = &client->jsonResponse( '/sfa/persistent',
'uid=*&groupBy=substr(uid,0)&U2FCheck=2&TOTPCheck=2&UBKCheck=2' );
'uid=*&groupBy=substr(uid,0)&type=U2F&type=TOTP&type=UBK' );
ok( $res->{result} == 1,
'Search "uid"=* & UBK & TOTP & UBK - Result code = 1' );
ok( $res->{count} == 1, 'Found 1 result' ) or print STDERR Dumper($res);
@ -288,7 +287,7 @@ count(5);
## "Filtered by U2F & UBK" query
$res = &client->jsonResponse( '/sfa/persistent',
'uid=*&groupBy=substr(uid,0)&U2FCheck=2&TOTPCheck=1&UBKCheck=2' );
'uid=*&groupBy=substr(uid,0)&type=U2F&type=UBK' );
ok( $res->{result} == 1, 'Search "uid"=* & UBK & UBK - Result code = 1' );
ok( $res->{count} == 2, 'Found 2 results' ) or print STDERR Dumper($res);
ok( @{ $res->{values} } == 2, 'List 2 results' );
@ -345,8 +344,7 @@ foreach ( 2 .. 3 ) {
}
## Check than all devices have been deleted with "All" query
$res = &client->jsonResponse( '/sfa/persistent',
'groupBy=substr(uid,1)&U2FCheck=1&TOTPCheck=1&UBKCheck=1' );
$res = &client->jsonResponse( '/sfa/persistent', 'groupBy=substr(uid,1)' );
ok( $res->{result} == 1, 'Result code = 1' );
ok( $res->{count} == 0, 'Found 0 session with 2F device' )
or print STDERR Dumper($res);
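Review bot: The new `type=` filter is exercised only with valid type names; no query here sends an unknown or non-word `type` value to `/sfa/persistent`, so the Manager's `foreach (@display_types)` path on such input is untested even though the REST test in this same commit covers `'UBKIKI'`. One additional query, `$res = &client->jsonResponse( '/sfa/persistent', 'uid=*&groupBy=substr(uid,0)&type=UBKIKI' );` followed by `ok( $res->{count} == 0, 'Unknown type matches no session' );` (or the 4xx the Manager chooses), would pin that behaviour. While touching these labels, the U2F query's description `'Search "uid"=* & UBK - Result code = 1'` still says UBK even though the parameter is now literally `type=U2F`.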