Replace bool by boolOrExpr for sfRequired + partial revert (#1487)

Xavier Guimard 2018-08-15 20:42:08 +02:00
parent 3ffc5c7410
commit bf7d85532d
5 changed files with 29 additions and 33 deletions


@ -244,6 +244,7 @@ sub defaultValues {
'samlSPSSODescriptorWantAssertionsSigned' => 1,
'securedCookie' => 0,
'sfEngine' => '::2F::Engines::Default',
'sfRequired' => 0,
'slaveAuthnLevel' => 2,
'slaveExportedVars' => {},
'SMTPServer' => '',


@ -3058,7 +3058,7 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
},
'sfRequired' => {
'default' => 0,
'type' => 'bool'
'type' => 'boolOrExpr'
},
'singleIP' => {
'default' => 0,


@ -2282,7 +2282,7 @@ sub attributes {
documentation => 'Second factor engine',
},
sfRequired => {
type => 'bool',
type => 'boolOrExpr',
default => 0,
documentation => 'Second factor required',
},
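Review bot: The `documentation` string for `sfRequired` still reads `'Second factor required'`, which no longer tells an administrator that the value may be a rule now that the type is `boolOrExpr`. I would change it to something like `documentation => 'Second factor required (boolean or rule)',` so the generated manager help matches the new type. The enclosing `attributes` sub starts and ends outside this hunk.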

File diff suppressed because one or more lines are too long


@ -30,6 +30,8 @@ has sfModules => ( is => 'rw', default => sub { [] } );
has sfRModules => ( is => 'rw', default => sub { [] } );
has sfReq => ( is => 'rw' );
has ott => (
is => 'rw',
default => sub {
@ -86,6 +88,19 @@ sub init {
}
}
unless (
$self->sfReq(
$self->p->HANDLER->buildSub(
$self->p->HANDLER->substitute( $self->conf->{sfRequired} )
)
)
)
{
$self->error( 'Error in sfRequired rule'
. $self->p->HANDLER->tsv->{jail}->error );
return 0;
}
# Enable REST request only if more than 1 2F module is enabled
if ( @{ $self->{sfModules} } > 1 ) {
$self->addUnauthRoute( '2fchoice' => '_choice', ['POST'] );
@ -140,40 +155,20 @@ sub run {
unless (@am) {
# Except if 2FA is required, move to registration
if ( $self->conf->{sfRequired} ) {
if ( $self->sfReq->( $req, $req->sessionInfo ) ) {
$self->logger->debug("2F is required...");
$self->logger->debug(" -> Regiter 2F");
$req->pdata->{sfRegToken} =
$self->ott->createToken( $req->sessionInfo );
if ( @{ $self->sfModules } > 1 ) {
$self->logger->debug("More than one 2F is enabled");
$self->logger->debug(" -> Redirect to /2fregisters/");
$req->response(
[
302,
[ Location => $self->conf->{portal} . '/2fregisters' ],
[]
]
);
return PE_SENDRESPONSE;
}
else {
$self->logger->debug("Just one 2F is enabled");
$self->logger->debug( " -> Redirect to /2fregisters/"
. ${ $self->sfModules }[0]->{m}->prefix );
$req->response(
[
302,
[
Location => $self->conf->{portal}
. '/2fregisters/'
. ${ $self->sfModules }[0]->{m}->prefix
],
[]
]
);
return PE_SENDRESPONSE;
}
$self->logger->debug("Just one 2F is enabled");
$self->logger->debug(" -> Redirect to /2fregisters/");
$req->response(
[
302,
[ Location => $self->conf->{portal} . '/2fregisters/' ], []
]
);
return PE_SENDRESPONSE;
}
else {
return PE_OK;
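Review bot: The debug message `Just one 2F is enabled` in run() now appears to be logged on every forced registration, although the redirect that follows no longer depends on how many modules are in `sfModules`; on a portal with several second-factor modules the log misstates the configuration. I would drop that line or reword it, e.g. `$self->logger->debug("2F required by sfRequired rule, no device registered");`. Because `sfRequired` is now a rule evaluated per session through `sfReq`, it would also help auditing to log the opposite outcome in the `else` branch before `return PE_OK;`, so that a login without a second factor because the rule evaluated false is visible in the debug log. In init(), the error string concatenates `'Error in sfRequired rule'` and the jail error without a separator; `'Error in sfRequired rule: '` reads better. run() and init() both continue outside the hunks shown.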