Add sfRequired option (#1487)

Xavier Guimard 2018-08-09 08:21:09 +02:00
parent 6799ca9281
commit 4ef9fa374a
13 changed files with 52 additions and 6 deletions


@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "llng-fastcgi-server 1"
.TH llng-fastcgi-server 1 "2018-07-02" "perl v5.26.2" "User Contributed Perl Documentation"
.TH llng-fastcgi-server 1 "2018-08-03" "perl v5.26.2" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l


@ -3056,6 +3056,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => '::2F::Engines::Default',
'type' => 'text'
},
'sfRequired' => {
'type' => 'bool'
},
'singleIP' => {
'default' => 0,
'type' => 'bool'


@ -2281,6 +2281,10 @@ sub attributes {
default => '::2F::Engines::Default',
documentation => 'Second factor engine',
},
sfRequired => {
type => 'bool',
documentation => 'Second factor required',
},
available2F => {
type => 'text',
default => 'UTOTP,TOTP,U2F,REST,Ext2F,Yubikey',
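Review bot: The new `sfRequired` entry declares no `default`, while the neighbouring attributes in this hunk do, so the off state of a security-relevant switch is only implied by the key being absent. I would add `default => 0,` under `type => 'bool',` so the unset behaviour is explicit. The `documentation` string could also say what is enforced, for example `documentation => 'Require a second factor: users without one are sent to 2F registration',`, which is what the portal change in this commit appears to do. `attributes` starts and ends outside the hunk.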


@ -632,7 +632,7 @@ sub tree {
{
title => 'stateCheck',
help => 'checkstate.html',
form => 'simpleInputContainer',
form => 'simpleInputContainer',
nodes => [ 'checkState', 'checkStateSecret', ],
},
]
@ -709,6 +709,7 @@ sub tree {
'yubikey2fUserCanRemoveKey',
],
},
'sfRequired',
]
},
{


@ -680,6 +680,7 @@
"sessionStorage":"تخزين الجلسات",
"sessionTitle":"محتوى الجلسة",
"sfaTitle":"Second Factors Authentication",
"sfRequired":"Require 2FA",
"show":"عرض",
"showHelp":"عرض المساعدة",
"singleIP":"عنوان آي بي واحد لكل مستخدم",


@ -680,6 +680,7 @@
"sessionStorage":"Sessions Storage",
"sessionTitle":"Session content",
"sfaTitle":"Second Factors Authentication",
"sfRequired":"Require 2FA",
"show":"Show",
"showHelp":"Show help",
"singleIP":"One IP only by user",


@ -372,6 +372,7 @@
"logo":"Logo",
"logout":"Déconnexion",
"logoutServices":"Transfert de la déconnexion",
"sfRequired":"Exiger 2FA",
"logParams":"Journalisation",
"lwpOpts":"Options pour les requêtes serveur",
"lwpSslOpts":"Options SSL pour les requêtes serveur",


@ -97,6 +97,7 @@
"browserIdAuthnLevel":"Livello di autenticazione",
"browserIdAutoLogin":"Login automatico",
"browserIdBackgroundColor":"Colore di sfondo",
"sfRequired":"Require 2FA",
"browseridParams":"BrowserIDParams",
"browserIdSiteLogo":"Logo del sito",
"browserIdSiteName":"Nome del sito",


@ -680,6 +680,7 @@
"sessionStorage":"Sessions lưu trữ",
"sessionTitle":"Nội dung phiên",
"sfaTitle":"Second Factors Authentication",
"sfRequired":"Require 2FA",
"show":"Hiển thị",
"showHelp":"Hiển thị trợ giúp",
"singleIP":"Chỉ một địa chỉ IP bởi người dùng",

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long


@ -99,6 +99,12 @@ sub init {
# Registration base
$self->addAuthRoute( '2fregisters' => '_displayRegister', ['GET'] );
$self->addAuthRoute( '2fregisters' => 'register', ['POST'] );
if ( $self->conf->{sfRequired} ) {
$self->addUnauthRoute(
'2fregisters' => 'restoreSession',
[ 'GET', 'POST' ]
);
}
}
return 1;
@ -131,7 +137,24 @@ sub run {
# If no 2F module is authorized, skipping 2F
# Note that a rule may forbid access after (GrantSession plugin)
return PE_OK unless (@am);
unless (@am) {
# Except if 2FA is required, move to registration
if ( $self->conf->{sfRequired} ) {
$req->pdata->{sfRegToken} =
$self->ott->createToken( $req->sessionInfo );
$req->response(
[
302, [ Location => $self->conf->{portal} . '/2fregisters' ],
[]
]
);
return PE_SENDRESPONSE;
}
else {
return PE_OK;
}
}
$self->userLogger->info( 'Second factor required for '
. $req->sessionInfo->{ $self->conf->{whatToTrace} } );
@ -319,4 +342,14 @@ sub register {
return $self->p->sendJSONresponse( $req, \@am );
}
sub restoreSession {
my ( $self, $req, @path ) = @_;
my $token = $req->pdata->{sfRegToken}
or return [ 302, [ Location => $self->conf->{portal} ], [] ];
$req->userData( $self->ott->getToken( $token, 1 ) );
return $req->method eq 'POST'
? $self->register( $req, @path )
: $self->_displayRegister( $req, @path );
}
1;
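Review bot: `restoreSession` passes the result of `getToken` straight to `$req->userData` without checking it, so an expired or unknown `sfRegToken` (the token module's `getToken` has a `return undef;` path) leaves the request without user data and still falls through to `register` or `_displayRegister` on a route registered with `addUnauthRoute`. I would fail closed the same way the missing-token case already does: `my $data = $self->ott->getToken( $token, 1 ) or return [ 302, [ Location => $self->conf->{portal} ], [] ];` followed by `$req->userData($data);`. The token is read with the keep flag and holds the whole `sessionInfo` of a user who has passed the first factor only, so it can be presented again until it expires; a comment on `restoreSession` saying so, and that the token lifetime bounds the enrolment window, would help the next reader. In `run`, the new redirect branch logs nothing, unlike the `userLogger->info` call just below it, so a forced enrolment leaves no trace; a `$self->userLogger->notice(...)` before `return PE_SENDRESPONSE;` would make these events visible to whoever reviews the logs.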


@ -110,7 +110,7 @@ sub getToken {
return undef;
}
my %h = %{ $tsession->{data} };
$tsession->remove;
$tsession->remove unless($keep);
return \%h;
}
}
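Review bot: With `unless($keep)` the stored token survives a read, so a caller passing a true second argument gets a token that can be redeemed repeatedly until it expires, which is not what a reader expects from what appears to be a single-use token (`ott` at the call site). I would document that on the line itself, e.g. `# $keep: leave the token in storage after reading; it stays valid until it expires`, and in the sub's POD if it has one. `$keep` is not declared inside the hunk, so I assume it is unpacked from `@_` above; `getToken` starts outside the hunk.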