From 85c6ad2498bbd9930d49b5aa7d982c3cbe02ca23 Mon Sep 17 00:00:00 2001
From: Christophe Maudoux
Date: Wed, 3 Oct 2018 21:07:10 +0200
Subject: [PATCH] WIP - Append PortalForceReAuthn (#1507)
---
 .../Lemonldap/NG/Common/Conf/DefaultValues.pm | 2 ++
 .../lib/Lemonldap/NG/Manager/Attributes.pm | 8 +++++
 .../Lemonldap/NG/Manager/Build/Attributes.pm | 11 ++++++
 .../lib/Lemonldap/NG/Portal/Main/Constants.pm | 3 +-
 .../lib/Lemonldap/NG/Portal/Main/Plugins.pm | 1 +
 .../NG/Portal/Plugins/PortalForceReAuthn.pm | 35 +++++++++++++++++++
 6 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/PortalForceReAuthn.pm
diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
index 65effac49..8ed490789 100644
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
@@ -179,6 +179,8 @@ sub defaultValues {
 'portalDisplayRegister' => 1,
 'portalErrorOnExpiredSession' => 1,
 'portalForceAuthnInterval' => 5,
+ 'portalForceReAuthn' => 1,
+ 'portalForceReAuthnTempo' => 300,
 'portalPingInterval' => 60000,
 'portalRequireOldPassword' => 1,
 'portalSkin' => 'bootstrap',
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
index 8a5619b6a..cba1ccff2 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@@ -2169,6 +2169,14 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
 'default' => 5,
 'type' => 'int'
 },
+ 'portalForceReAuthn' => {
+ 'default' => 1,
+ 'type' => 'bool'
+ },
+ 'portalForceReAuthnTempo' => {
+ 'default' => 300,
+ 'type' => 'int'
+ },
 'portalOpenLinkInNewWindow' => {
 'default' => 0,
 'type' => 'bool'
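Review bot: `'portalForceReAuthn' => 1` in the DefaultValues.pm hunk switches a feature the subject line itself marks as WIP on for every deployment that picks up this patch, and the new PE_MUSTREAUTHN result it produces has no handler, template or message anywhere in the series. Until the re-authentication flow exists, ship it disabled, `'portalForceReAuthn' => 0,`, so that upgrading does not start rejecting every portal visit whose session is older than `portalForceReAuthnTempo` seconds. The default of 300 s is also worth a second look once the semantics are settled, since it is compared against the session's `_utime` in the plugin, which presumably is the session creation time rather than the last authentication.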
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
index b938235eb..52e490702 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@@ -556,6 +556,17 @@ sub attributes {
 type => 'bool',
 documentation => 'Check XSS',
 },
+ portalForceReAuthn => {
+ default => 1,
+ type => 'bool',
+ documentation => 'Enable force reAuthentification to access to Portal',
+ },
+ portalForceReAuthnTempo => {
+ default => 300,
+ type => 'int',
+ documentation =>
+ 'Portal force reAuthentification -> Tempo before try again',
+ },
 bruteForceProtection => {
 default => 1,
 type => 'bool',
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
index fa806462b..f2a0750ba 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Constants.pm
@@ -92,6 +92,7 @@ use constant {
 PE_UNAUTHORIZEDPARTNER => 84,
 PE_RENEWSESSION => 85,
 PE_WAIT => 86,
+ PE_MUSTREAUTHN => 87,
 };
 
 # EXPORTER PARAMETERS
@@ -117,7 +118,7 @@ our @EXPORT_OK = qw(
 PE_SENDRESPONSE PE_INFO PE_REDIRECT PE_DONE PE_OK PE_RADIUSCONNECTFAILED
 PE_MUST_SUPPLY_OLD_PASSWORD PE_FORBIDDENIP PE_CAPTCHAERROR PE_CAPTCHAEMPTY
 PE_REGISTERFIRSTACCESS PE_REGISTERFORMEMPTY PE_REGISTERALREADYEXISTS
 PE_NOTOKEN PE_TOKENEXPIRED HANDLER PE_U2FFAILED
- PE_UNAUTHORIZEDPARTNER PE_RENEWSESSION PE_IDPCHOICE PE_WAIT
+ PE_UNAUTHORIZEDPARTNER PE_RENEWSESSION PE_IDPCHOICE PE_WAIT PE_MUSTREAUTHN
 );
 our %EXPORT_TAGS = ( 'all' => [ @EXPORT_OK, 'import' ], );
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugins.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugins.pm
index f54310c21..dc6dfcdfc 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugins.pm
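Review bot: The two `documentation` strings added to Build/Attributes.pm do not describe what the plugin actually does with these keys, and "reAuthentification" and "Tempo before try again" will surface verbatim in the manager UI. Per the new PortalForceReAuthn.pm, the integer is compared against the age of the session (`time() - _utime`), not a retry delay, so `documentation => 'Force re-authentication when the portal itself is accessed'` and `documentation => 'Seconds since last authentication after which re-authentication to the portal is required'` would match the code. If the attribute schema supports it, a minimum of 0 on `portalForceReAuthnTempo` would also keep a negative value from forcing re-authentication on every request.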
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugins.pm
@@ -24,6 +24,7 @@ our @pList = (
 upgradeSession => '::Plugins::Upgrade',
 autoSigninRules => '::Plugins::AutoSignin',
 checkState => '::Plugins::CheckState',
+ portalForceReAuthn => '::Plugins::PortalForceReAuthn',
 );
 
 ##@method list enabledPlugins
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/PortalForceReAuthn.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/PortalForceReAuthn.pm
new file mode 100644
index 000000000..504fc527f
--- /dev/null
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/PortalForceReAuthn.pm
@@ -0,0 +1,35 @@
+package Lemonldap::NG::Portal::Plugins::PortalForceReAuthn;
+
+use Data::Dumper;
+use strict;
+use Mouse;
+use Lemonldap::NG::Portal::Main::Constants qw(PE_OK PE_MUSTREAUTHN);
+
+our $VERSION = '2.0.0';
+
+extends 'Lemonldap::NG::Portal::Main::Plugin';
+
+# INITIALIZATION
+
+use constant forAuthUser => 'run';
+
+sub init {1}
+
+# RUNNING METHOD
+
+sub run {
+ my ( $self, $req ) = @_;
+ my $portalURL = $self->conf->{portal};
+ my $HTTP_HOST = $req->env->{HTTP_HOST};
+ $self->logger->debug( "Portal URL -> " . Dumper($portalURL) );
+ $self->logger->debug( "HTTP_HOST -> " . Dumper($HTTP_HOST) );
+ if ( $req->env->{HTTP_HOST} and $portalURL =~ qr#\Q$HTTP_HOST# ) {
+ my $delta = time() - $req->{sessionInfo}->{_utime};
+ $self->logger->debug( "Delta with last Authn -> " . $delta );
+ $delta <= $self->conf->{portalForceReAuthnTempo}
+ ? return PE_OK
+ : return PE_MUSTREAUTHN;
+ }
+}
+
+1;
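Review bot: The host test in `run`, `$portalURL =~ qr#\Q$HTTP_HOST#`, is an unanchored substring search driven by the client-supplied Host header, so a request with `Host: a` matches a portal URL of `https://auth.example.com` and any request whose host differs only by case or by a port suffix does not, which is the wrong way round for a check that decides whether to demand re-authentication. When the `if` is false the sub falls off the end and returns the false value of the failed `if` rather than `PE_OK`; the plugin runner presumably treats that as success, but it should be stated. The `\Q` quoting is the right instinct; the fix is to extract the host part of the configured portal URL and compare it exactly, and to return one explicit result from every path. The `Dumper` calls on two plain scalars add nothing over logging the values directly, and `use warnings` is missing next to `use strict`.

```perl
sub run {
    my ( $self, $req ) = @_;
    my $portalURL = $self->conf->{portal};

    # Compare host names exactly (case-insensitive, port stripped) instead of
    # searching the client-controlled Host header as a substring of the portal URL
    my ($portalHost) = $portalURL =~ m{^https?://([^/:?#]+)}i;
    my $reqHost = $req->env->{HTTP_HOST} || '';
    $reqHost =~ s/:\d+\z//;
    $self->logger->debug("Portal host -> $portalHost, request host -> $reqHost");
    return PE_OK unless $portalHost and lc($reqHost) eq lc($portalHost);

    # Missing _utime counts as "never authenticated" and forces re-authentication
    my $delta = time() - ( $req->{sessionInfo}->{_utime} || 0 );
    $self->logger->debug("Delta with last Authn -> $delta");
    return $delta <= $self->conf->{portalForceReAuthnTempo} ? PE_OK : PE_MUSTREAUTHN;
}
```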