Test authLevel before removing 2F device (#2332)

This commit is contained in:
Christophe Maudoux 2020-10-04 19:22:24 +02:00
parent c615ba2b7d
commit a8343ac7be
4 changed files with 23 additions and 5 deletions


@ -38,7 +38,7 @@ sub run {
# Check if TOTP can be updated
return $self->p->sendError( $req, 'notAuthorized', 400 )
unless $self->allowedUpdateSfa($req);
unless $self->allowedUpdateSfa($req, $action);
# Verification that user has a valid TOTP app
if ( $action eq 'verify' ) {
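Review bot: The new call on the fourth line hands `$action` to allowedUpdateSfa, whose body (last hunk on this page) branches on `$action eq 'delete'` with no defined-check, so a request that arrives without an action would trigger an uninitialized-value warning at the comparison instead of being rejected cleanly; the same applies to the identical call sites in the U2F and third-device hunks below. Where `$action` is read from the request is outside this hunk, so if it comes straight from a request parameter, consider validating it against the set of supported actions (or at least `$action //= ''`) before it reaches this guard, since the level check is keyed on that exact string. It would also help the next reader to say what the check now covers, e.g. `# Authentication-level check applies only to 'delete'; other actions are unaffected` above the return. The enclosing `run` starts and ends outside the hunk.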


@ -35,7 +35,7 @@ sub run {
# Check if U2F key can be updated
return $self->p->sendError( $req, 'notAuthorized', 400 )
unless $self->allowedUpdateSfa($req);
unless $self->allowedUpdateSfa($req, $action);
if ( $action eq 'register' ) {


@ -42,7 +42,7 @@ sub run {
RAW_ERROR => 'notAuthorized',
AUTH_ERROR_TYPE => 'warning',
}
) unless $self->allowedUpdateSfa($req);
) unless $self->allowedUpdateSfa($req, $action);
if ( $action eq 'register' ) {
my $otp = $req->param('otp');


@ -105,9 +105,27 @@ sub createNotification {
}
sub allowedUpdateSfa {
my ( $self, $req ) = @_;
my ( $self, $req, $action ) = @_;
my $user = $req->userData->{ $self->conf->{whatToTrace} };
my $res = 1;
my $res = 1;
if ( $action eq 'delete' ) {
my $module = lc ref $self;
$module = ( $module =~ /2f::register::(\w+)$/ )[0];
$module =~ s/2f//;
$self->logger->debug("$user request to delete ${module}2f device");
if ( $self->{conf}->{"${module}2fAuthnLevel"}
&& $req->userData->{authenticationLevel} <
$self->{conf}->{"${module}2fAuthnLevel"} )
{
$self->userLogger->warn(
"$user request to delete ${module}2f device rejected due to insufficient authentication level!"
);
$self->logger->debug(
"authLevel: $req->{userData}->{authenticationLevel} < requiredLevel: "
. $self->{conf}->{"${module}2fAuthnLevel"} );
undef $res;
}
}
if ( $self->conf->{impersonationRule} ) {
$self->logger->debug('Impersonation plugin is enabled!');
if ( $req->userData->{"$self->{conf}->{impersonationPrefix}_user"}