Add manager option for delayed 2FA (#2124)

2020-09-04 17:15:29 +02:00 · 2020-09-04 17:15:29 +02:00 · ab356f12fb
commit ab356f12fb
parent ef6b8587ee
15 changed files with 21 additions and 3 deletions
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Constants.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Constants.pm
@ -30,7 +30,7 @@ use constant DEFAULTCONFBACKENDOPTIONS => (
    dirName => '/usr/local/lemonldap-ng/data/conf',
 );
 our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar|Macro)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option|Macro)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|c(?:as(?:A(?:ppMetaData(?:(?:ExportedVar|Option|Macro)s|Node)|ttributes)|S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions))|(?:ustom(?:Plugins|Add)Param|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
-our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Allow(?:PasswordGrant|Offline)|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|o(?:ntextSwitchingStopWithLogout|mpactConf|rsEnabled)|heck(?:State|User|XSS)|da)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|freshSessions)|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|d(?:isablePersistentStorage|biDynamicHashEnabled)|g(?:roupsBeforeMacros|lobalLogoutTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
+our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|f(?:RemovedUseNotif|OnlyUpgrade)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Allow(?:PasswordGrant|Offline)|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|o(?:ntextSwitchingStopWithLogout|mpactConf|rsEnabled)|heck(?:State|User|XSS)|da)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|freshSessions)|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|d(?:isablePersistentStorage|biDynamicHashEnabled)|g(?:roupsBeforeMacros|lobalLogoutTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;

 our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );

--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
@ -3638,6 +3638,9 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
            'default' => 1,
            'type'    => 'boolOrExpr'
        },
+        'sfOnlyUpgrade' => {
+            'type' => 'bool'
+        },
        'sfRemovedMsgRule' => {
            'default' => 0,
            'type'    => 'boolOrExpr'
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
@ -3018,6 +3018,11 @@ sub attributes {
            help          => 'secondfactor.html',
            documentation => 'Second factor required',
        },
+        sfOnlyUpgrade => {
+            type          => 'bool',
+            help          => 'secondfactor.html',
+            documentation => 'Only trigger second factor on session upgrade',
+        },
        sfManagerRule => {
            type          => 'boolOrExpr',
            default       => 1,
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
@ -907,6 +907,7 @@ sub tree {
                                'sfRemovedNotifMsg',
                            ],
                        },
+                        'sfOnlyUpgrade',
                        'sfManagerRule',
                        'sfRequired',
                    ]
--- a/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/ar.json
@ -849,6 +849,7 @@
 "sfaTitle":"Second factors authentication",
 "sfExtra":"Additional second factors",
 "sfManagerRule":"Display Manager link",
+"sfOnlyUpgrade": "Use 2FA for session upgrade",
 "sfRequired":"Force 2FA registration at login",
 "sfRemovedNotification":"Warn if an expired 2FA is removed",
 "sfRemovedMsgRule":"تفعيل",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/de.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/de.json
@ -849,6 +849,7 @@
 "sfaTitle":"Second factors authentication",
 "sfExtra":"Additional second factors",
 "sfManagerRule":"Display Manager link",
+"sfOnlyUpgrade": "Use 2FA for session upgrade",
 "sfRequired":"Force 2FA registration at login",
 "sfRemovedNotification":"Warn if an expired 2FA is removed",
 "sfRemovedMsgRule":"Activation",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/en.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/en.json
@ -849,6 +849,7 @@
 "sfaTitle":"Second factors authentication",
 "sfExtra":"Additional second factors",
 "sfManagerRule":"Display Manager link",
+"sfOnlyUpgrade": "Use 2FA for session upgrade",
 "sfRequired":"Force 2FA registration at login",
 "sfRemovedNotification":"Warn if an expired 2FA is removed",
 "sfRemovedMsgRule":"Activation",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/fr.json
@ -849,6 +849,7 @@
 "sfaTitle":"Seconds facteurs d'authentification",
 "sfExtra":"Seconds facteurs additionnels",
 "sfManagerRule":"Afficher le lien du Gestionnaire",
+"sfOnlyUpgrade": "Utiliser le second facteur pour augmenter le niveau d'authentification",
 "sfRequired":"Exiger l'enrôlement d'un SF à l'authentification",
 "sfRemovedNotification":"Avertir si un SF expiré est supprimé",
 "sfRemovedMsgRule":"Activation",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/it.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/it.json
@ -849,6 +849,7 @@
 "sfaTitle":"Autenticazione a due fattori",
 "sfExtra":"Additional second factors",
 "sfManagerRule":"Display Manager link",
+"sfOnlyUpgrade": "Use 2FA for session upgrade",
 "sfRequired":"Force 2FA registration at login",
 "sfRemovedNotification":"Warn if an expired 2FA is removed",
 "sfRemovedMsgRule":"Attivazione",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/pl.json
@ -849,6 +849,7 @@
 "sfaTitle":"Drugi czynnik uwierzytelniania",
 "sfExtra":"Dodatkowe drugie czynniki",
 "sfManagerRule":"Link do Menedżera wyświetlania",
+"sfOnlyUpgrade": "Use 2FA for session upgrade",
 "sfRequired":"Wymuś rejestrację 2FA przy logowaniu",
 "sfRemovedNotification":"Ostrzeż, gdy przeterminowany 2FA został usunięty",
 "sfRemovedMsgRule":"Aktywacja",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/tr.json
@ -849,6 +849,7 @@
 "sfaTitle":"İki faktörlü kimlik doğrulaması",
 "sfExtra":"Ek ikinci faktörler",
 "sfManagerRule":"Yönetici bağlantısını görüntüle",
+"sfOnlyUpgrade": "Use 2FA for session upgrade",
 "sfRequired":"Girişte 2FA kayıtlanmaya zorla",
 "sfRemovedNotification":"Süresi dolan 2FA kaldırıldığında uyar",
 "sfRemovedMsgRule":"Aktivasyon",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/vi.json
@ -849,6 +849,7 @@
 "sfaTitle":"Second factors authentication",
 "sfExtra":"Additional second factors",
 "sfManagerRule":"Display Manager link",
+"sfOnlyUpgrade": "Use 2FA for session upgrade",
 "sfRequired":"Force 2FA registration at login",
 "sfRemovedNotification":"Warn if an expired 2FA is removed",
 "sfRemovedMsgRule":"Kích hoạt",
--- a/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
+++ b/lemonldap-ng-manager/site/htdocs/static/languages/zh.json
@ -849,6 +849,7 @@
 "sfaTitle":"Second factors authentication",
 "sfExtra":"Additional second factors",
 "sfManagerRule":"Display Manager link",
+"sfOnlyUpgrade": "Use 2FA for session upgrade",
 "sfRequired":"Force 2FA registration at login",
 "sfRemovedNotification":"Warn if an expired 2FA is removed",
 "sfRemovedMsgRule":"激活",
--- a/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
+++ b/lemonldap-ng-manager/site/htdocs/static/reverseTree.json
--- a/lemonldap-ng-manager/site/htdocs/static/struct.json
+++ b/lemonldap-ng-manager/site/htdocs/static/struct.json