Prevent to update SFA if impersonation is in progress (#2337)
This commit is contained in:
Christophe Maudoux
parent
59ce3e11c5
commit
cb0fed8e13
|
|
@ -148,6 +148,10 @@ sub run {
|
|||
400 );
|
||||
}
|
||||
|
||||
# Check if TOTP can be stored
|
||||
return $self->p->sendError( $req, 'notAuthorized', 400 )
|
||||
unless $self->allowedUpdateSfa($req);
|
||||
|
||||
# Store TOTP secret
|
||||
push @keep,
|
||||
{
|
||||
|
|
@ -259,7 +263,8 @@ sub run {
|
|||
|
||||
# Check if unregistration is allowed
|
||||
return $self->p->sendError( $req, 'notAuthorized', 400 )
|
||||
unless $self->conf->{totp2fUserCanRemoveKey};
|
||||
unless ( $self->conf->{totp2fUserCanRemoveKey}
|
||||
&& $self->allowedUpdateSfa($req) );
|
||||
|
||||
my $epoch = $req->param('epoch')
|
||||
or return $self->p->sendError( $req, '"epoch" parameter is missing',
|
||||
|
|
|
|||
|
|
@ -117,6 +117,10 @@ sub run {
|
|||
$_2fDevices = [];
|
||||
}
|
||||
|
||||
# Check if U2F key can be stored
|
||||
return $self->p->sendError( $req, 'notAuthorized', 400 )
|
||||
unless $self->allowedUpdateSfa($req);
|
||||
|
||||
my $keyName = $req->param('keyName');
|
||||
my $epoch = time();
|
||||
|
||||
|
|
@ -246,7 +250,8 @@ sub run {
|
|||
|
||||
# Check if unregistration is allowed
|
||||
return $self->p->sendError( $req, 'notAuthorized', 200 )
|
||||
unless $self->conf->{u2fUserCanRemoveKey};
|
||||
unless ( $self->conf->{u2fUserCanRemoveKey}
|
||||
&& $self->allowedUpdateSfa($req) );
|
||||
|
||||
my $epoch = $req->param('epoch')
|
||||
or return $self->p->sendError( $req, '"epoch" parameter is missing',
|
||||
|
|
|
|||
|
|
@ -73,6 +73,16 @@ sub run {
|
|||
$_2fDevices = [];
|
||||
}
|
||||
|
||||
# Check if UBK key can be stored
|
||||
return $self->p->sendHtml(
|
||||
$req, 'error',
|
||||
params => {
|
||||
MAIN_LOGO => $self->conf->{portalMainLogo},
|
||||
RAW_ERROR => 'notAuthorized',
|
||||
AUTH_ERROR_TYPE => 'warning',
|
||||
}
|
||||
) unless $self->allowedUpdateSfa($req);
|
||||
|
||||
# Search if the Yubikey is already registered
|
||||
my $SameUBKFound = 0;
|
||||
foreach (@$_2fDevices) {
|
||||
|
|
@ -151,7 +161,8 @@ sub run {
|
|||
|
||||
# Check if unregistration is allowed
|
||||
return $self->p->sendError( $req, 'notAuthorized', 400 )
|
||||
unless $self->conf->{yubikey2fUserCanRemoveKey};
|
||||
unless ( $self->conf->{yubikey2fUserCanRemoveKey}
|
||||
&& $self->allowedUpdateSfa($req) );
|
||||
|
||||
my $epoch = $req->param('epoch')
|
||||
or return $self->p->sendError( $req, '"epoch" parameter is missing',
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
|
|||
PE_ERROR
|
||||
);
|
||||
|
||||
our $VERSION = '2.0.6';
|
||||
our $VERSION = '2.0.10';
|
||||
|
||||
extends 'Lemonldap::NG::Common::Module';
|
||||
|
||||
|
|
@ -104,6 +104,27 @@ sub createNotification {
|
|||
}
|
||||
}
|
||||
|
||||
sub allowedUpdateSfa {
|
||||
my ( $self, $req ) = @_;
|
||||
my $res = 1;
|
||||
if ( $self->conf->{impersonationRule} ) {
|
||||
$self->logger->debug('Impersonation plugin is enabled!');
|
||||
if ( $req->userData->{"$self->{conf}->{impersonationPrefix}_user"}
|
||||
&& $req->userData->{"$self->{conf}->{impersonationPrefix}_user"} ne
|
||||
$req->userData->{_user} )
|
||||
{
|
||||
$self->userLogger->warn(
|
||||
'Impersonation in progress! User is not allowed to update SFA.'
|
||||
);
|
||||
undef $res;
|
||||
}
|
||||
else {
|
||||
$self->userLogger->info('User is allowed to update SFA');
|
||||
}
|
||||
}
|
||||
return $res;
|
||||
}
|
||||
|
||||
1;
|
||||
__END__
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user