Add sfRequired option (#1487)
parent
6799ca9281
commit
4ef9fa374a
|
@ -129,7 +129,7 @@
|
|||
.\" ========================================================================
|
||||
.\"
|
||||
.IX Title "llng-fastcgi-server 1"
|
||||
.TH llng-fastcgi-server 1 "2018-07-02" "perl v5.26.2" "User Contributed Perl Documentation"
|
||||
.TH llng-fastcgi-server 1 "2018-08-03" "perl v5.26.2" "User Contributed Perl Documentation"
|
||||
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
|
||||
.\" way too many mistakes in technical documents.
|
||||
.if n .ad l
|
||||
|
|
|
@ -3056,6 +3056,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
'default' => '::2F::Engines::Default',
|
||||
'type' => 'text'
|
||||
},
|
||||
'sfRequired' => {
|
||||
'type' => 'bool'
|
||||
},
|
||||
'singleIP' => {
|
||||
'default' => 0,
|
||||
'type' => 'bool'
|
||||
|
|
|
@ -2281,6 +2281,10 @@ sub attributes {
|
|||
default => '::2F::Engines::Default',
|
||||
documentation => 'Second factor engine',
|
||||
},
|
||||
sfRequired => {
|
||||
type => 'bool',
|
||||
documentation => 'Second factor required',
|
||||
},
|
||||
available2F => {
|
||||
type => 'text',
|
||||
default => 'UTOTP,TOTP,U2F,REST,Ext2F,Yubikey',
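Review bot: The new `sfRequired` entry declares no `default`, so the off state of a security-relevant switch is left implicit; adding `default => 0,` would document that enforcement is disabled until an administrator enables it. The `documentation` string could also state the effect, for example `documentation => 'Require a second factor; users without one are sent to registration',`. The enclosing `attributes` sub starts and ends outside this hunk, so whether other boolean entries in this file follow the same convention cannot be checked from here.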
|
||||
|
|
|
@ -632,7 +632,7 @@ sub tree {
|
|||
{
|
||||
title => 'stateCheck',
|
||||
help => 'checkstate.html',
|
||||
form => 'simpleInputContainer',
|
||||
form => 'simpleInputContainer',
|
||||
nodes => [ 'checkState', 'checkStateSecret', ],
|
||||
},
|
||||
]
|
||||
|
@ -709,6 +709,7 @@ sub tree {
|
|||
'yubikey2fUserCanRemoveKey',
|
||||
],
|
||||
},
|
||||
'sfRequired',
|
||||
]
|
||||
},
|
||||
{
|
||||
|
|
|
@ -680,6 +680,7 @@
|
|||
"sessionStorage":"تخزين الجلسات",
|
||||
"sessionTitle":"محتوى الجلسة",
|
||||
"sfaTitle":"Second Factors Authentication",
|
||||
"sfRequired":"Require 2FA",
|
||||
"show":"عرض",
|
||||
"showHelp":"عرض المساعدة",
|
||||
"singleIP":"عنوان آي بي واحد لكل مستخدم",
|
||||
|
|
|
@ -680,6 +680,7 @@
|
|||
"sessionStorage":"Sessions Storage",
|
||||
"sessionTitle":"Session content",
|
||||
"sfaTitle":"Second Factors Authentication",
|
||||
"sfRequired":"Require 2FA",
|
||||
"show":"Show",
|
||||
"showHelp":"Show help",
|
||||
"singleIP":"One IP only by user",
|
||||
|
|
|
@ -372,6 +372,7 @@
|
|||
"logo":"Logo",
|
||||
"logout":"Déconnexion",
|
||||
"logoutServices":"Transfert de la déconnexion",
|
||||
"sfRequired":"Exiger 2FA",
|
||||
"logParams":"Journalisation",
|
||||
"lwpOpts":"Options pour les requêtes serveur",
|
||||
"lwpSslOpts":"Options SSL pour les requêtes serveur",
|
||||
|
|
|
@ -97,6 +97,7 @@
|
|||
"browserIdAuthnLevel":"Livello di autenticazione",
|
||||
"browserIdAutoLogin":"Login automatico",
|
||||
"browserIdBackgroundColor":"Colore di sfondo",
|
||||
"sfRequired":"Require 2FA",
|
||||
"browseridParams":"BrowserIDParams",
|
||||
"browserIdSiteLogo":"Logo del sito",
|
||||
"browserIdSiteName":"Nome del sito",
|
||||
|
|
|
@ -680,6 +680,7 @@
|
|||
"sessionStorage":"Sessions lưu trữ",
|
||||
"sessionTitle":"Nội dung phiên",
|
||||
"sfaTitle":"Second Factors Authentication",
|
||||
"sfRequired":"Require 2FA",
|
||||
"show":"Hiển thị",
|
||||
"showHelp":"Hiển thị trợ giúp",
|
||||
"singleIP":"Chỉ một địa chỉ IP bởi người dùng",
|
||||
|
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -99,6 +99,12 @@ sub init {
|
|||
# Registration base
|
||||
$self->addAuthRoute( '2fregisters' => '_displayRegister', ['GET'] );
|
||||
$self->addAuthRoute( '2fregisters' => 'register', ['POST'] );
|
||||
if ( $self->conf->{sfRequired} ) {
|
||||
$self->addUnauthRoute(
|
||||
'2fregisters' => 'restoreSession',
|
||||
[ 'GET', 'POST' ]
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
@ -131,7 +137,24 @@ sub run {
|
|||
|
||||
# If no 2F module is authorized, skipping 2F
|
||||
# Note that a rule may forbid access after (GrantSession plugin)
|
||||
return PE_OK unless (@am);
|
||||
unless (@am) {
|
||||
|
||||
# Except if 2FA is required, move to registration
|
||||
if ( $self->conf->{sfRequired} ) {
|
||||
$req->pdata->{sfRegToken} =
|
||||
$self->ott->createToken( $req->sessionInfo );
|
||||
$req->response(
|
||||
[
|
||||
302, [ Location => $self->conf->{portal} . '/2fregisters' ],
|
||||
[]
|
||||
]
|
||||
);
|
||||
return PE_SENDRESPONSE;
|
||||
}
|
||||
else {
|
||||
return PE_OK;
|
||||
}
|
||||
}
|
||||
|
||||
$self->userLogger->info( 'Second factor required for '
|
||||
. $req->sessionInfo->{ $self->conf->{whatToTrace} } );
|
||||
|
@ -319,4 +342,14 @@ sub register {
|
|||
return $self->p->sendJSONresponse( $req, \@am );
|
||||
}
|
||||
|
||||
sub restoreSession {
|
||||
my ( $self, $req, @path ) = @_;
|
||||
my $token = $req->pdata->{sfRegToken}
|
||||
or return [ 302, [ Location => $self->conf->{portal} ], [] ];
|
||||
$req->userData( $self->ott->getToken( $token, 1 ) );
|
||||
return $req->method eq 'POST'
|
||||
? $self->register( $req, @path )
|
||||
: $self->_displayRegister( $req, @path );
|
||||
}
|
||||
|
||||
1;
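Review bot: In `restoreSession`, the result of `$self->ott->getToken( $token, 1 )` is handed to `$req->userData` without a check, although the `getToken` hunk on this page shows that it can `return undef`; with an expired or unknown `sfRegToken` the unauthenticated `2fregisters` route would then go on to `register` or `_displayRegister` with no user data. It would be safer to fail closed, e.g. `my $data = $self->ott->getToken( $token, 1 ) or return [ 302, [ Location => $self->conf->{portal} ], [] ];` followed by `$req->userData($data);`. The token is also read with the keep flag and `pdata->{sfRegToken}` is not cleared in the visible lines, so it appears to remain usable until it expires; consider consuming it once registration has succeeded. The bodies of `register` and `_displayRegister` are outside these hunks, so whether they already reject empty user data cannot be confirmed here.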
|
||||
|
|
|
@ -110,7 +110,7 @@ sub getToken {
|
|||
return undef;
|
||||
}
|
||||
my %h = %{ $tsession->{data} };
|
||||
$tsession->remove;
|
||||
$tsession->remove unless($keep);
|
||||
return \%h;
|
||||
}
|
||||
}
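Review bot: `$tsession->remove unless($keep);` lets a caller read a one-time token without consuming it, and nothing in the hunk documents that weaker guarantee. A comment above the line such as `# $keep: leave the token in storage; it stays valid until it expires, so the caller must delete it when done` would make the contract explicit for future callers. The start of `getToken` is outside the hunk, so the declaration of `$keep` is not visible here; confirm it is unpacked from `@_`.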
|
||||
|
|