U2F skeleton (#1148)

COPYING

@@ -94,6 +94,10 @@ Files: lemonldap-ng-manager/site/static/bwr/angular/* lemonldap-ng-manager/site/
 Copyright: 2010-2015, Google, Inc. http://angularjs.org
 License: Expat
 
+Files: lemonldap-ng-portal/site/htdocs/static/common/js/u2f-api.*
+Copyright: 2014-2015, Google Inc.
+License: Expat
+
 Files: lemonldap-ng-manager/site/static/bwr/angular-bootstrap/*
 Copyright: 2012-2016, the AngularUI Team, https://github.com/organizations/angular-ui/teams/291112
 License: Expat

debian/copyright

@@ -94,6 +94,10 @@ Files: lemonldap-ng-manager/site/static/bwr/angular/* lemonldap-ng-manager/site/
 Copyright: 2010-2015, Google, Inc. http://angularjs.org
 License: Expat
 
+Files: lemonldap-ng-portal/site/htdocs/static/common/js/u2f-api.*
+Copyright: 2014-2015, Google Inc.
+License: Expat
+
 Files: lemonldap-ng-manager/site/static/bwr/angular-bootstrap/*
 Copyright: 2012-2016, the AngularUI Team, https://github.com/organizations/angular-ui/teams/291112
 License: Expat

lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm

@@ -243,6 +243,7 @@ sub defaultValues {
         'timeoutActivityInterval'                 => 60,
         'trustedProxies'                          => '',
         'twitterAuthnLevel'                       => 1,
+        'u2fAppId'                                => 'Lemonldap::NG',
         'userControl'                             => '^[\\w\\.\\-@]+$',
         'userDB'                                  => 'Demo',
         'useRedirectOnError'                      => 1,

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm

@@ -2826,6 +2826,14 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
         'twitterSecret' => {
             'type' => 'text'
         },
+        'u2fActivation' => {
+            'default' => 0,
+            'type'    => 'bool'
+        },
+        'u2fAppId' => {
+            'default' => 'Lemonldap::NG',
+            'type'    => 'text'
+        },
         'userControl' => {
             'default' => '^[\\w\\.\\-@]+$',
             'type'    => 'pcre'

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm

@@ -661,8 +661,8 @@ sub attributes {
 
         # Notification
         oldNotifFormat => {
-            type => 'bool',
-            default => 0,
+            type          => 'bool',
+            default       => 0,
             documentation => 'Use old XML format',
         },
         notificationWildcard => {
@@ -948,6 +948,18 @@ sub attributes {
             documentation => 'Register session timeout',
         },
 
+        # U2F
+        u2fActivation => {
+            type          => 'bool',
+            default       => 0,
+            documentation => 'U2F activation',
+        },
+        u2fAppId => {
+            default       => 'Lemonldap::NG',
+            type          => 'text',
+            documentation => 'U2F application ID',
+        },
+
         # Single session
         notifyDeleted => {
             default       => 1,
@@ -1755,12 +1767,12 @@ sub attributes {
         authentication => {
             type   => 'select',
             select => [
-                { k => 'Apache',    v => 'Apache' },
-                { k => 'AD',        v => 'Active Directory' },
-                { k => 'Choice',    v => 'authChoice' },
-                { k => 'CAS',  v => 'Central Authentication Service (CAS)' },
-                { k => 'DBI',  v => 'Database (DBI)' },
-                { k => 'Demo', v => 'Demonstration' },
+                { k => 'Apache', v => 'Apache' },
+                { k => 'AD',     v => 'Active Directory' },
+                { k => 'Choice', v => 'authChoice' },
+                { k => 'CAS',    v => 'Central Authentication Service (CAS)' },
+                { k => 'DBI',    v => 'Database (DBI)' },
+                { k => 'Demo',   v => 'Demonstration' },
                 { k => 'Facebook',      v => 'Facebook' },
                 { k => 'Google',        v => 'Google' },
                 { k => 'LDAP',          v => 'LDAP' },
@@ -2214,8 +2226,8 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
             test       => sub { 1 },
             select     => [
                 [
-                    { k => 'Apache',    v => 'Apache' },
-                    { k => 'AD',        v => 'Active Directory' },
+                    { k => 'Apache', v => 'Apache' },
+                    { k => 'AD',     v => 'Active Directory' },
                     { k => 'CAS', v => 'Central Authentication Service (CAS)' },
                     { k => 'DBI', v => 'Database (DBI)' },
                     { k => 'Demo',          v => 'Demo' },

lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm

@@ -579,6 +579,11 @@ sub tree {
                                 'registerDoneSubject'
                             ]
                         },
+                        {
+                            title => 'u2f',
+                            form  => 'simpleInputContainer',
+                            nodes => [ 'u2fActivation', 'u2fAppId', ]
+                        },
                         {
                             title => 'security',
                             help => 'security.html#configure_security_settings',

lemonldap-ng-manager/site/static/languages/en.json

@@ -629,6 +629,9 @@
 "twitterKey": "API key",
 "twitterParams": "Twitter parameters",
 "twitterSecret": "API secret",
+"u2f": "U2F",
+"u2fActivation": "Activation",
+"u2fAppId": "Application ID",
 "uid": "Identifier",
 "unknownAttrOrMacro": "Unknown attribute or macro",
 "unknownError": "Unknown error",

lemonldap-ng-manager/site/static/languages/fr.json

@@ -629,6 +629,9 @@
 "twitterKey": "Clef de l'API",
 "twitterParams": "Paramètres Twitter",
 "twitterSecret": "Secret de l'API",
+"u2f": "U2F",
+"u2fActivation": "Activation",
+"u2fAppId": "Identifiant de l'application",
 "uid": "Identifiant",
 "unknownAttrOrMacro": "Attribut ou macro inconnu",
 "unknownError": "Erreur inconnue",

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Plugins.pm

@@ -74,10 +74,16 @@ sub enabledPlugins {
         push @res, "::Password::$p" if ( $p ne 'Null' );
     }
 
+    # U2F
+    if ( $self->conf->{u2fActivation} ) {
+        push @res, '::Register::U2F', '::Plugins::U2F';
+    }
+
     # Check if custom plugins are required
     # TODO: change this name
     if ( $self->conf->{customPlugins} ) {
-        $self->lmLog( 'Custom plugins: ' . $self->conf->{customPlugins}, 'debug' );
+        $self->lmLog( 'Custom plugins: ' . $self->conf->{customPlugins},
+            'debug' );
         push @res, grep ( /\w/, split( /,\s*/, $self->conf->{customPlugins} ) );
     }
     return @res;

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/U2F.pm

@@ -0,0 +1,14 @@
+package Lemonldap::NG::Portal::Plugins::U2F;
+
+use strict;
+use Mouse;
+
+our $VERSION = '2.0.0';
+
+extends 'Lemonldap::NG::Portal::Main::Plugin';
+
+sub init {
+    1;
+}
+
+1;

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Register/U2F.pm

@@ -0,0 +1,51 @@
+package Lemonldap::NG::Portal::Register::U2F;
+
+use strict;
+use Mouse;
+
+our $VERSION = '2.0.0';
+
+extends 'Lemonldap::NG::Portal::Main::Plugin';
+
+has crypter => ( is => 'rw' );
+
+sub init {
+    my ($self) = @_;
+    eval 'use Crypt::U2F::Server::Simple';
+    if ($@) {
+        $self->error("Can't load U2F library: $@");
+        return 0;
+    }
+    unless (
+        $self->crypter(
+            Crypt::U2F::Server::Simple->new(
+                appId  => $self->conf->{u2fAppId},
+                origin => $self->conf->{portal},
+            )
+        )
+      )
+    {
+        $self->error( Crypt::U2F::Server::Simple::lastError() );
+        return 0;
+    }
+    $self->addAuthRoute( u2f => 'run', [ 'GET', 'POST' ] );
+    return 1;
+}
+
+sub run {
+    my ( $self, $req ) = @_;
+
+    # Check for registration response
+    if ( my $rd = $req->param('registration') ) {
+        $self->lmLog( "Get registration data $rd", 'debug' );
+        my ( $keyHandle, $userKey ) = $self->crypter->registrationVerify($rd);
+        $self->lmLog( "Handle: $keyHandle, Key: $userKey", 'debug' );
+        $self->p->updatePersistentSession( $req,
+            { _u2fHandle => $keyHandle, _u2fKey => $userKey } );
+        return $self->sendHtml( $req, 'u2fregister', params => { SUCCESS => 1 } );
+    }
+    return $self->sendHtml( $req, 'u2fregister',
+        params => { CHALLENGE => $challenge, APPID=>$self->conf->{u2fAppId} } );
+}
+
+1;

lemonldap-ng-portal/site/coffee/u2fregistration.coffee

@@ -0,0 +1,14 @@
+###
+LemonLDAP::NG U2F registration script
+###
+
+register = ->
+	request =
+		challenge: window.datas.challenge
+		version: 'U2F_V2'
+	u2f.register window.datas.appId, request, [], (data) ->
+		$('#bind-data').val JSON.stringify data
+		$('#bind-form').submit()
+
+$(document).ready ->
+	setTimeout register, 1000

lemonldap-ng-portal/site/htdocs/static/common/js/u2f-api.js

@@ -0,0 +1,748 @@
+//Copyright 2014-2015 Google Inc. All rights reserved.
+
+//Use of this source code is governed by a BSD-style
+//license that can be found in the LICENSE file or at
+//https://developers.google.com/open-source/licenses/bsd
+
+/**
+ * @fileoverview The U2F api.
+ */
+'use strict';
+
+
+/**
+ * Namespace for the U2F api.
+ * @type {Object}
+ */
+var u2f = u2f || {};
+
+/**
+ * FIDO U2F Javascript API Version
+ * @number
+ */
+var js_api_version;
+
+/**
+ * The U2F extension id
+ * @const {string}
+ */
+// The Chrome packaged app extension ID.
+// Uncomment this if you want to deploy a server instance that uses
+// the package Chrome app and does not require installing the U2F Chrome extension.
+ u2f.EXTENSION_ID = 'kmendfapggjehodndflmmgagdbamhnfd';
+// The U2F Chrome extension ID.
+// Uncomment this if you want to deploy a server instance that uses
+// the U2F Chrome extension to authenticate.
+// u2f.EXTENSION_ID = 'pfboblefjcgdjicmnffhdgionmgcdmne';
+
+
+/**
+ * Message types for messsages to/from the extension
+ * @const
+ * @enum {string}
+ */
+u2f.MessageTypes = {
+    'U2F_REGISTER_REQUEST': 'u2f_register_request',
+    'U2F_REGISTER_RESPONSE': 'u2f_register_response',
+    'U2F_SIGN_REQUEST': 'u2f_sign_request',
+    'U2F_SIGN_RESPONSE': 'u2f_sign_response',
+    'U2F_GET_API_VERSION_REQUEST': 'u2f_get_api_version_request',
+    'U2F_GET_API_VERSION_RESPONSE': 'u2f_get_api_version_response'
+};
+
+
+/**
+ * Response status codes
+ * @const
+ * @enum {number}
+ */
+u2f.ErrorCodes = {
+    'OK': 0,
+    'OTHER_ERROR': 1,
+    'BAD_REQUEST': 2,
+    'CONFIGURATION_UNSUPPORTED': 3,
+    'DEVICE_INELIGIBLE': 4,
+    'TIMEOUT': 5
+};
+
+
+/**
+ * A message for registration requests
+ * @typedef {{
+ *   type: u2f.MessageTypes,
+ *   appId: ?string,
+ *   timeoutSeconds: ?number,
+ *   requestId: ?number
+ * }}
+ */
+u2f.U2fRequest;
+
+
+/**
+ * A message for registration responses
+ * @typedef {{
+ *   type: u2f.MessageTypes,
+ *   responseData: (u2f.Error | u2f.RegisterResponse | u2f.SignResponse),
+ *   requestId: ?number
+ * }}
+ */
+u2f.U2fResponse;
+
+
+/**
+ * An error object for responses
+ * @typedef {{
+ *   errorCode: u2f.ErrorCodes,
+ *   errorMessage: ?string
+ * }}
+ */
+u2f.Error;
+
+/**
+ * Data object for a single sign request.
+ * @typedef {enum {BLUETOOTH_RADIO, BLUETOOTH_LOW_ENERGY, USB, NFC}}
+ */
+u2f.Transport;
+
+
+/**
+ * Data object for a single sign request.
+ * @typedef {Array<u2f.Transport>}
+ */
+u2f.Transports;
+
+/**
+ * Data object for a single sign request.
+ * @typedef {{
+ *   version: string,
+ *   challenge: string,
+ *   keyHandle: string,
+ *   appId: string
+ * }}
+ */
+u2f.SignRequest;
+
+
+/**
+ * Data object for a sign response.
+ * @typedef {{
+ *   keyHandle: string,
+ *   signatureData: string,
+ *   clientData: string
+ * }}
+ */
+u2f.SignResponse;
+
+
+/**
+ * Data object for a registration request.
+ * @typedef {{
+ *   version: string,
+ *   challenge: string
+ * }}
+ */
+u2f.RegisterRequest;
+
+
+/**
+ * Data object for a registration response.
+ * @typedef {{
+ *   version: string,
+ *   keyHandle: string,
+ *   transports: Transports,
+ *   appId: string
+ * }}
+ */
+u2f.RegisterResponse;
+
+
+/**
+ * Data object for a registered key.
+ * @typedef {{
+ *   version: string,
+ *   keyHandle: string,
+ *   transports: ?Transports,
+ *   appId: ?string
+ * }}
+ */
+u2f.RegisteredKey;
+
+
+/**
+ * Data object for a get API register response.
+ * @typedef {{
+ *   js_api_version: number
+ * }}
+ */
+u2f.GetJsApiVersionResponse;
+
+
+//Low level MessagePort API support
+
+/**
+ * Sets up a MessagePort to the U2F extension using the
+ * available mechanisms.
+ * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
+ */
+u2f.getMessagePort = function(callback) {
+  if (typeof chrome != 'undefined' && chrome.runtime) {
+    // The actual message here does not matter, but we need to get a reply
+    // for the callback to run. Thus, send an empty signature request
+    // in order to get a failure response.
+    var msg = {
+        type: u2f.MessageTypes.U2F_SIGN_REQUEST,
+        signRequests: []
+    };
+    chrome.runtime.sendMessage(u2f.EXTENSION_ID, msg, function() {
+      if (!chrome.runtime.lastError) {
+        // We are on a whitelisted origin and can talk directly
+        // with the extension.
+        u2f.getChromeRuntimePort_(callback);
+      } else {
+        // chrome.runtime was available, but we couldn't message
+        // the extension directly, use iframe
+        u2f.getIframePort_(callback);
+      }
+    });
+  } else if (u2f.isAndroidChrome_()) {
+    u2f.getAuthenticatorPort_(callback);
+  } else if (u2f.isIosChrome_()) {
+    u2f.getIosPort_(callback);
+  } else {
+    // chrome.runtime was not available at all, which is normal
+    // when this origin doesn't have access to any extensions.
+    u2f.getIframePort_(callback);
+  }
+};
+
+/**
+ * Detect chrome running on android based on the browser's useragent.
+ * @private
+ */
+u2f.isAndroidChrome_ = function() {
+  var userAgent = navigator.userAgent;
+  return userAgent.indexOf('Chrome') != -1 &&
+  userAgent.indexOf('Android') != -1;
+};
+
+/**
+ * Detect chrome running on iOS based on the browser's platform.
+ * @private
+ */
+u2f.isIosChrome_ = function() {
+  return $.inArray(navigator.platform, ["iPhone", "iPad", "iPod"]) > -1;
+};
+
+/**
+ * Connects directly to the extension via chrome.runtime.connect.
+ * @param {function(u2f.WrappedChromeRuntimePort_)} callback
+ * @private
+ */
+u2f.getChromeRuntimePort_ = function(callback) {
+  var port = chrome.runtime.connect(u2f.EXTENSION_ID,
+      {'includeTlsChannelId': true});
+  setTimeout(function() {
+    callback(new u2f.WrappedChromeRuntimePort_(port));
+  }, 0);
+};
+
+/**
+ * Return a 'port' abstraction to the Authenticator app.
+ * @param {function(u2f.WrappedAuthenticatorPort_)} callback
+ * @private
+ */
+u2f.getAuthenticatorPort_ = function(callback) {
+  setTimeout(function() {
+    callback(new u2f.WrappedAuthenticatorPort_());
+  }, 0);
+};
+
+/**
+ * Return a 'port' abstraction to the iOS client app.
+ * @param {function(u2f.WrappedIosPort_)} callback
+ * @private
+ */
+u2f.getIosPort_ = function(callback) {
+  setTimeout(function() {
+    callback(new u2f.WrappedIosPort_());
+  }, 0);
+};
+
+/**
+ * A wrapper for chrome.runtime.Port that is compatible with MessagePort.
+ * @param {Port} port
+ * @constructor
+ * @private
+ */
+u2f.WrappedChromeRuntimePort_ = function(port) {
+  this.port_ = port;
+};
+
+/**
+ * Format and return a sign request compliant with the JS API version supported by the extension.
+ * @param {Array<u2f.SignRequest>} signRequests
+ * @param {number} timeoutSeconds
+ * @param {number} reqId
+ * @return {Object}
+ */
+u2f.formatSignRequest_ =
+  function(appId, challenge, registeredKeys, timeoutSeconds, reqId) {
+  if (js_api_version === undefined || js_api_version < 1.1) {
+    // Adapt request to the 1.0 JS API
+    var signRequests = [];
+    for (var i = 0; i < registeredKeys.length; i++) {
+      signRequests[i] = {
+          version: registeredKeys[i].version,
+          challenge: challenge,
+          keyHandle: registeredKeys[i].keyHandle,
+          appId: appId
+      };
+    }
+    return {
+      type: u2f.MessageTypes.U2F_SIGN_REQUEST,
+      signRequests: signRequests,
+      timeoutSeconds: timeoutSeconds,
+      requestId: reqId
+    };
+  }
+  // JS 1.1 API
+  return {
+    type: u2f.MessageTypes.U2F_SIGN_REQUEST,
+    appId: appId,
+    challenge: challenge,
+    registeredKeys: registeredKeys,
+    timeoutSeconds: timeoutSeconds,
+    requestId: reqId
+  };
+};
+
+/**
+ * Format and return a register request compliant with the JS API version supported by the extension..
+ * @param {Array<u2f.SignRequest>} signRequests
+ * @param {Array<u2f.RegisterRequest>} signRequests
+ * @param {number} timeoutSeconds
+ * @param {number} reqId
+ * @return {Object}
+ */
+u2f.formatRegisterRequest_ =
+  function(appId, registeredKeys, registerRequests, timeoutSeconds, reqId) {
+  if (js_api_version === undefined || js_api_version < 1.1) {
+    // Adapt request to the 1.0 JS API
+    for (var i = 0; i < registerRequests.length; i++) {
+      registerRequests[i].appId = appId;
+    }
+    var signRequests = [];
+    for (var i = 0; i < registeredKeys.length; i++) {
+      signRequests[i] = {
+          version: registeredKeys[i].version,
+          challenge: registerRequests[0],
+          keyHandle: registeredKeys[i].keyHandle,
+          appId: appId
+      };
+    }
+    return {
+      type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
+      signRequests: signRequests,
+      registerRequests: registerRequests,
+      timeoutSeconds: timeoutSeconds,
+      requestId: reqId
+    };
+  }
+  // JS 1.1 API
+  return {
+    type: u2f.MessageTypes.U2F_REGISTER_REQUEST,
+    appId: appId,
+    registerRequests: registerRequests,
+    registeredKeys: registeredKeys,
+    timeoutSeconds: timeoutSeconds,
+    requestId: reqId
+  };
+};
+
+
+/**
+ * Posts a message on the underlying channel.
+ * @param {Object} message
+ */
+u2f.WrappedChromeRuntimePort_.prototype.postMessage = function(message) {
+  this.port_.postMessage(message);
+};
+
+
+/**
+ * Emulates the HTML 5 addEventListener interface. Works only for the
+ * onmessage event, which is hooked up to the chrome.runtime.Port.onMessage.
+ * @param {string} eventName
+ * @param {function({data: Object})} handler
+ */
+u2f.WrappedChromeRuntimePort_.prototype.addEventListener =
+    function(eventName, handler) {
+  var name = eventName.toLowerCase();
+  if (name == 'message' || name == 'onmessage') {
+    this.port_.onMessage.addListener(function(message) {
+      // Emulate a minimal MessageEvent object
+      handler({'data': message});
+    });
+  } else {
+    console.error('WrappedChromeRuntimePort only supports onMessage');
+  }
+};
+
+/**
+ * Wrap the Authenticator app with a MessagePort interface.
+ * @constructor
+ * @private
+ */
+u2f.WrappedAuthenticatorPort_ = function() {
+  this.requestId_ = -1;
+  this.requestObject_ = null;
+}
+
+/**
+ * Launch the Authenticator intent.
+ * @param {Object} message
+ */
+u2f.WrappedAuthenticatorPort_.prototype.postMessage = function(message) {
+  var intentUrl =
+    u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ +
+    ';S.request=' + encodeURIComponent(JSON.stringify(message)) +
+    ';end';
+  document.location = intentUrl;
+};
+
+/**
+ * Tells what type of port this is.
+ * @return {String} port type
+ */
+u2f.WrappedAuthenticatorPort_.prototype.getPortType = function() {
+  return "WrappedAuthenticatorPort_";
+};
+
+
+/**
+ * Emulates the HTML 5 addEventListener interface.
+ * @param {string} eventName
+ * @param {function({data: Object})} handler
+ */
+u2f.WrappedAuthenticatorPort_.prototype.addEventListener = function(eventName, handler) {
+  var name = eventName.toLowerCase();
+  if (name == 'message') {
+    var self = this;
+    /* Register a callback to that executes when
+     * chrome injects the response. */
+    window.addEventListener(
+        'message', self.onRequestUpdate_.bind(self, handler), false);
+  } else {
+    console.error('WrappedAuthenticatorPort only supports message');
+  }
+};
+
+/**
+ * Callback invoked  when a response is received from the Authenticator.
+ * @param function({data: Object}) callback
+ * @param {Object} message message Object
+ */
+u2f.WrappedAuthenticatorPort_.prototype.onRequestUpdate_ =
+    function(callback, message) {
+  var messageObject = JSON.parse(message.data);
+  var intentUrl = messageObject['intentURL'];
+
+  var errorCode = messageObject['errorCode'];
+  var responseObject = null;
+  if (messageObject.hasOwnProperty('data')) {
+    responseObject = /** @type {Object} */ (
+        JSON.parse(messageObject['data']));
+  }
+
+  callback({'data': responseObject});
+};
+
+/**
+ * Base URL for intents to Authenticator.
+ * @const
+ * @private
+ */
+u2f.WrappedAuthenticatorPort_.INTENT_URL_BASE_ =
+  'intent:#Intent;action=com.google.android.apps.authenticator.AUTHENTICATE';
+
+/**
+ * Wrap the iOS client app with a MessagePort interface.
+ * @constructor
+ * @private
+ */
+u2f.WrappedIosPort_ = function() {};
+
+/**
+ * Launch the iOS client app request
+ * @param {Object} message
+ */
+u2f.WrappedIosPort_.prototype.postMessage = function(message) {
+  var str = JSON.stringify(message);
+  var url = "u2f://auth?" + encodeURI(str);
+  location.replace(url);
+};
+
+/**
+ * Tells what type of port this is.
+ * @return {String} port type
+ */
+u2f.WrappedIosPort_.prototype.getPortType = function() {
+  return "WrappedIosPort_";
+};
+
+/**
+ * Emulates the HTML 5 addEventListener interface.
+ * @param {string} eventName
+ * @param {function({data: Object})} handler
+ */
+u2f.WrappedIosPort_.prototype.addEventListener = function(eventName, handler) {
+  var name = eventName.toLowerCase();
+  if (name !== 'message') {
+    console.error('WrappedIosPort only supports message');
+  }
+};
+
+/**
+ * Sets up an embedded trampoline iframe, sourced from the extension.
+ * @param {function(MessagePort)} callback
+ * @private
+ */
+u2f.getIframePort_ = function(callback) {
+  // Create the iframe
+  var iframeOrigin = 'chrome-extension://' + u2f.EXTENSION_ID;
+  var iframe = document.createElement('iframe');
+  iframe.src = iframeOrigin + '/u2f-comms.html';
+  iframe.setAttribute('style', 'display:none');
+  document.body.appendChild(iframe);
+
+  var channel = new MessageChannel();
+  var ready = function(message) {
+    if (message.data == 'ready') {
+      channel.port1.removeEventListener('message', ready);
+      callback(channel.port1);
+    } else {
+      console.error('First event on iframe port was not "ready"');
+    }
+  };
+  channel.port1.addEventListener('message', ready);
+  channel.port1.start();
+
+  iframe.addEventListener('load', function() {
+    // Deliver the port to the iframe and initialize
+    iframe.contentWindow.postMessage('init', iframeOrigin, [channel.port2]);
+  });
+};
+
+
+//High-level JS API
+
+/**
+ * Default extension response timeout in seconds.
+ * @const
+ */
+u2f.EXTENSION_TIMEOUT_SEC = 30;
+
+/**
+ * A singleton instance for a MessagePort to the extension.
+ * @type {MessagePort|u2f.WrappedChromeRuntimePort_}
+ * @private
+ */
+u2f.port_ = null;
+
+/**
+ * Callbacks waiting for a port
+ * @type {Array<function((MessagePort|u2f.WrappedChromeRuntimePort_))>}
+ * @private
+ */
+u2f.waitingForPort_ = [];
+
+/**
+ * A counter for requestIds.
+ * @type {number}
+ * @private
+ */
+u2f.reqCounter_ = 0;
+
+/**
+ * A map from requestIds to client callbacks
+ * @type {Object.<number,(function((u2f.Error|u2f.RegisterResponse))
+ *                       |function((u2f.Error|u2f.SignResponse)))>}
+ * @private
+ */
+u2f.callbackMap_ = {};
+
+/**
+ * Creates or retrieves the MessagePort singleton to use.
+ * @param {function((MessagePort|u2f.WrappedChromeRuntimePort_))} callback
+ * @private
+ */
+u2f.getPortSingleton_ = function(callback) {
+  if (u2f.port_) {
+    callback(u2f.port_);
+  } else {
+    if (u2f.waitingForPort_.length == 0) {
+      u2f.getMessagePort(function(port) {
+        u2f.port_ = port;
+        u2f.port_.addEventListener('message',
+            /** @type {function(Event)} */ (u2f.responseHandler_));
+
+        // Careful, here be async callbacks. Maybe.
+        while (u2f.waitingForPort_.length)
+          u2f.waitingForPort_.shift()(u2f.port_);
+      });
+    }
+    u2f.waitingForPort_.push(callback);
+  }
+};
+
+/**
+ * Handles response messages from the extension.
+ * @param {MessageEvent.<u2f.Response>} message
+ * @private
+ */
+u2f.responseHandler_ = function(message) {
+  var response = message.data;
+  var reqId = response['requestId'];
+  if (!reqId || !u2f.callbackMap_[reqId]) {
+    console.error('Unknown or missing requestId in response.');
+    return;
+  }
+  var cb = u2f.callbackMap_[reqId];
+  delete u2f.callbackMap_[reqId];
+  cb(response['responseData']);
+};
+
+/**
+ * Dispatches an array of sign requests to available U2F tokens.
+ * If the JS API version supported by the extension is unknown, it first sends a
+ * message to the extension to find out the supported API version and then it sends
+ * the sign request.
+ * @param {string=} appId
+ * @param {string=} challenge
+ * @param {Array<u2f.RegisteredKey>} registeredKeys
+ * @param {function((u2f.Error|u2f.SignResponse))} callback
+ * @param {number=} opt_timeoutSeconds
+ */
+u2f.sign = function(appId, challenge, registeredKeys, callback, opt_timeoutSeconds) {
+  if (js_api_version === undefined) {
+    // Send a message to get the extension to JS API version, then send the actual sign request.
+    u2f.getApiVersion(
+        function (response) {
+          js_api_version = response['js_api_version'] === undefined ? 0 : response['js_api_version'];
+          console.log("Extension JS API Version: ", js_api_version);
+          u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds);
+        });
+  } else {
+    // We know the JS API version. Send the actual sign request in the supported API version.
+    u2f.sendSignRequest(appId, challenge, registeredKeys, callback, opt_timeoutSeconds);
+  }
+};
+
+/**
+ * Dispatches an array of sign requests to available U2F tokens.
+ * @param {string=} appId
+ * @param {string=} challenge
+ * @param {Array<u2f.RegisteredKey>} registeredKeys
+ * @param {function((u2f.Error|u2f.SignResponse))} callback
+ * @param {number=} opt_timeoutSeconds
+ */
+u2f.sendSignRequest = function(appId, challenge, registeredKeys, callback, opt_timeoutSeconds) {
+  u2f.getPortSingleton_(function(port) {
+    var reqId = ++u2f.reqCounter_;
+    u2f.callbackMap_[reqId] = callback;
+    var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
+        opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
+    var req = u2f.formatSignRequest_(appId, challenge, registeredKeys, timeoutSeconds, reqId);
+    port.postMessage(req);
+  });
+};
+
+/**
+ * Dispatches register requests to available U2F tokens. An array of sign
+ * requests identifies already registered tokens.
+ * If the JS API version supported by the extension is unknown, it first sends a
+ * message to the extension to find out the supported API version and then it sends
+ * the register request.
+ * @param {string=} appId
+ * @param {Array<u2f.RegisterRequest>} registerRequests
+ * @param {Array<u2f.RegisteredKey>} registeredKeys
+ * @param {function((u2f.Error|u2f.RegisterResponse))} callback
+ * @param {number=} opt_timeoutSeconds
+ */
+u2f.register = function(appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) {
+  if (js_api_version === undefined) {
+    // Send a message to get the extension to JS API version, then send the actual register request.
+    u2f.getApiVersion(
+        function (response) {
+          js_api_version = response['js_api_version'] === undefined ? 0: response['js_api_version'];
+          console.log("Extension JS API Version: ", js_api_version);
+          u2f.sendRegisterRequest(appId, registerRequests, registeredKeys,
+              callback, opt_timeoutSeconds);
+        });
+  } else {
+    // We know the JS API version. Send the actual register request in the supported API version.
+    u2f.sendRegisterRequest(appId, registerRequests, registeredKeys,
+        callback, opt_timeoutSeconds);
+  }
+};
+
+/**
+ * Dispatches register requests to available U2F tokens. An array of sign
+ * requests identifies already registered tokens.
+ * @param {string=} appId
+ * @param {Array<u2f.RegisterRequest>} registerRequests
+ * @param {Array<u2f.RegisteredKey>} registeredKeys
+ * @param {function((u2f.Error|u2f.RegisterResponse))} callback
+ * @param {number=} opt_timeoutSeconds
+ */
+u2f.sendRegisterRequest = function(appId, registerRequests, registeredKeys, callback, opt_timeoutSeconds) {
+  u2f.getPortSingleton_(function(port) {
+    var reqId = ++u2f.reqCounter_;
+    u2f.callbackMap_[reqId] = callback;
+    var timeoutSeconds = (typeof opt_timeoutSeconds !== 'undefined' ?
+        opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC);
+    var req = u2f.formatRegisterRequest_(
+        appId, registeredKeys, registerRequests, timeoutSeconds, reqId);
+    port.postMessage(req);
+  });
+};
+
+
+/**
+ * Dispatches a message to the extension to find out the supported
+ * JS API version.
+ * If the user is on a mobile phone and is thus using Google Authenticator instead
+ * of the Chrome extension, don't send the request and simply return 0.
+ * @param {function((u2f.Error|u2f.GetJsApiVersionResponse))} callback
+ * @param {number=} opt_timeoutSeconds
+ */
+u2f.getApiVersion = function(callback, opt_timeoutSeconds) {
+ u2f.getPortSingleton_(function(port) {
+   // If we are using Android Google Authenticator or iOS client app,
+   // do not fire an intent to ask which JS API version to use.
+   if (port.getPortType) {
+     var apiVersion;
+     switch (port.getPortType()) {
+       case 'WrappedIosPort_':
+       case 'WrappedAuthenticatorPort_':
+         apiVersion = 1.1;
+         break;
+
+       default:
+         apiVersion = 0;
+         break;
+     }
+     callback({ 'js_api_version': apiVersion });
+     return;
+   }
+    var reqId = ++u2f.reqCounter_;
+    u2f.callbackMap_[reqId] = callback;
+    var req = {
+      type: u2f.MessageTypes.U2F_GET_API_VERSION_REQUEST,
+      timeoutSeconds: (typeof opt_timeoutSeconds !== 'undefined' ?
+          opt_timeoutSeconds : u2f.EXTENSION_TIMEOUT_SEC),
+      requestId: reqId
+    };
+    port.postMessage(req);
+  });
+};

lemonldap-ng-portal/site/htdocs/static/common/js/u2fregistration.js

@@ -0,0 +1,26 @@
+// Generated by CoffeeScript 1.10.0
+
+/*
+LemonLDAP::NG U2F registration script
+ */
+
+(function() {
+  var register;
+
+  register = function() {
+    var request;
+    request = {
+      challenge: window.datas.challenge,
+      version: 'U2F_V2'
+    };
+    return u2f.register(window.datas.appId, request, [], function(data) {
+      $('#bind-data').val(JSON.stringify(data));
+      return $('#bind-form').submit();
+    });
+  };
+
+  $(document).ready(function() {
+    return setTimeout(register, 1000);
+  });
+
+}).call(this);

lemonldap-ng-portal/site/htdocs/static/common/js/u2fregistration.min.js

@@ -0,0 +1 @@
+(function(){var a;a=function(){var b;b={challenge:window.datas.challenge,version:"U2F_V2"};return u2f.register(window.datas.appId,b,[],function(c){$("#bind-data").val(JSON.stringify(c));return $("#bind-form").submit()})};$(document).ready(function(){return setTimeout(a,1000)})}).call(this);

lemonldap-ng-portal/site/htdocs/static/languages/en.json

@@ -186,6 +186,9 @@
 "serviceProvidedBy":"Service provided by",
 "SSOSessionInactive":"SSO session inactive",
 "submit":"Submit",
+"touchU2fDevice": "Please touch the flashing U2F device now.",
+"u2fPermission": "You may be prompted to allow the site permission to access your security keys. After granting permission, the device will start to blink.",
+"u2fSuccess": "Your key is registered",
 "updateCdc": "Update Common Domain Cookie",
 "user":"User",
 "useYubikey":"use your Yubikey",

lemonldap-ng-portal/site/htdocs/static/languages/fr.json

@@ -186,6 +186,9 @@
 "serviceProvidedBy":"Ce service est fourni par",
 "SSOSessionInactive":"Session SSO inactive",
 "submit":"Envoyer",
+"touchU2fDevice": "Poser votre doigt sur le périphérique U2F",
+"u2fPermission": "Il est possible qu'on vous demande d'autoriser le site à accéder à votre clef. Après votre accord, la clef clignotera.",
+"u2fSuccess": "Votre clef est enregistrée",
 "updateCdc": "Mise à jour du cookie de domaine commun",
 "user":"Utilisateur",
 "useYubikey":"utilisez votre Yubikey",

lemonldap-ng-portal/site/templates/bootstrap/u2fregister.tpl

@@ -0,0 +1,28 @@
+<TMPL_INCLUDE NAME="header.tpl">
+
+<TMPL_IF NAME="CHALLENGE">
+  <p trspan="touchU2fDevice">Please touch the flashing U2F device now.</p>
+  <p trspan="u2fPermission">You may be prompted to allow the site permission to access your security keys. After granting permission, the device will start to blink.</p>
+  <form id="bind-form" action="#" method="post">
+    <input type="hidden" id="bind-data" name="registration" value="">
+  </form>
+  <script type="application/init">
+{
+  "challenge":"<TMPL_VAR NAME="CHALLENGE">",
+  "appId": "<TMPL_VAR NAME="APPID">"
+}
+  </script>
+<!-- //if:jsminified
+  <script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2f-api.min.js"></script>
+  <script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2fregistration.min.js"></script>
+//else -->
+  <script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2f-api.js"></script>
+  <script type="text/javascript" src="<TMPL_VAR NAME="STATIC_PREFIX">/common/js/u2fregistration.js"></script>
+<!-- //endif -->
+</TMPL_IF>
+
+<TMPL_IF NAME="SUCCESS">
+  <h3 trspan="u2fSuccess">Success</h3>
+</TMPL_IF>
+
+<TMPL_INCLUDE NAME="footer.tpl">