diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm index 7c481e651..cbacd38f9 100644 --- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm +++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm @@ -27,7 +27,7 @@ sub types { BEGIN { ${^WARNING_BITS} = -"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x01"; +"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05"; } eval "$s $val"; my $err = join( @@ -662,7 +662,7 @@ sub attributes { BEGIN { ${^WARNING_BITS} = -"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x01"; +"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05"; } eval "$s $val"; my $err = join( @@ -1026,7 +1026,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][ BEGIN { ${^WARNING_BITS} = -"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x01"; +"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05"; } eval $s; my $err = join( @@ -1111,7 +1111,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][ BEGIN { ${^WARNING_BITS} = -"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x01"; +"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05"; } eval "$s $val"; my $err = join( @@ -1134,7 +1134,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][ BEGIN { ${^WARNING_BITS} = -"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x01"; +"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05"; } eval "$s $val"; my $err = join( 
@@ -1489,7 +1489,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][ BEGIN { ${^WARNING_BITS} = -"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x01"; +"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05"; } eval $s; my $err = join( @@ -1526,7 +1526,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][ BEGIN { ${^WARNING_BITS} = -"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x01"; +"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05"; } eval "$s $val"; my $err = join( @@ -1877,7 +1877,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][ BEGIN { ${^WARNING_BITS} = -"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x01"; +"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05"; } eval "$s $val"; my $err = join( @@ -2214,7 +2214,7 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][ BEGIN { ${^WARNING_BITS} = -"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x01"; +"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05"; } eval "$s $val"; my $err = join( @@ -2917,7 +2917,7 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.] BEGIN { ${^WARNING_BITS} = -"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x01"; +"\x54\x55\x55\x55\x15\x55\x55\x55\x55\x55\x51\x55\x55\x55\x55\x55\x55\x05"; } eval "$s $val"; my $err = join( @@ -2996,19 +2996,19 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.] 'default' => 0, 'select' => [ { - 'k' => '0', + 'k' => 0, 'v' => 'unsecuredCookie' }, { - 'k' => '1', + 'k' => 1, 'v' => 'securedCookie' }, { - 'k' => '2', + 'k' => 2, 'v' => 'doubleCookie' }, { - 'k' => '3', + 'k' => 3, 'v' => 'doubleCookieForSingleSession' } ], 
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/TOTP.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/TOTP.pm index 7986c69ea..3d31b2d52 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/TOTP.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/TOTP.pm @@ -65,17 +65,16 @@ sub run { # Now check TOTP code to verify that user has a valid TOTP app my $code = $req->param('code'); my $TOTPName = $req->param('TOTPName'); + my $epoch = time(); + + # Set default name if empty + $TOTPName ||= $epoch; unless ($code) { $self->logger->userInfo('TOTP registration: empty validation form'); return $self->p->sendError( $req, 'missingCode', 200 ); } - #unless ( $code and $TOTPName ) { - #$self->logger->userInfo( - #'TOTP registration: empty code or name in validation form'); - #return $self->p->sendError( $req, 'missingCode', 200 ); - #} my $r = $self->verifyCode( $self->conf->{totp2fInterval}, $self->conf->{totp2fRange}, @@ -112,11 +111,11 @@ sub run { type => 'TOTP', name => $TOTPName, _secret => $token->{_totp2fSecret}, - epoch => time() + epoch => $epoch }; - #$self->logger->debug( - #"Append 2F Device : { type => 'totp', name => $TOTPName }"); + $self->logger->debug( + "Append 2F Device : { type => 'totp', name => $TOTPName }"); $self->p->updatePersistentSession( $req, { list2FDevices => to_json($list2FDevices) } ); 
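Review bot: `$TOTPName ||= $epoch;` takes the user-supplied name with no length or character restriction, and the value is then interpolated into the debug line `Append 2F Device : { type => 'totp', name => $TOTPName }` in the next hunk and stored in the persistent session. A name containing newlines or control characters can forge extra log lines and an unbounded string bloats the session record, so reject it before use, e.g. `return $self->p->sendError( $req, '<ERROR_KEY>', 200 ) if length($TOTPName) > 64 or $TOTPName =~ /[^\w .-]/;` with the project's own error key in place of the placeholder. The same applies to `$keyName` in the U2F.pm hunk and `$UBKName` in the Yubikey.pm hunk, both of which also log the name verbatim. Minor: `||=` also replaces a name of `0` with the timestamp, whereas `$TOTPName = $epoch unless length $TOTPName;` defaults only undefined or empty names. `run` starts before and continues after this hunk.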
@@ -173,20 +172,19 @@ sub run { } ); } - - if ( $self->conf->{totp2fUserCanChangeKey} ) { - return $self->p->sendError( $req, 'notAutorizated', 200 ); - } + + # Check if unregistration is allowed + unless ( $self->conf->{totp2fUserCanChangeKey} ) { + return $self->p->sendError( $req, 'notAutorizated', 200 ); + } # Get or generate master key if ( $action eq 'unregister' ) { - $self->p->updatePersistentSession( $req, { _totp2fSecret => '' } ); - $self->userLogger->notice('TOTP unregistration succeed'); - return [ - 200, [ 'Content-Type' => 'application/json' ], - ['{"result":1}'] - ]; - } + $self->p->updatePersistentSession( $req, { _totp2fSecret => '' } ); + $self->userLogger->notice('TOTP unregistration succeed'); + return [ 200, [ 'Content-Type' => 'application/json' ], + ['{"result":1}'] ]; + } elsif ( $action eq 'delete' ) { my $epoch = $req->param('epoch'); @@ -201,7 +199,7 @@ sub run { my @keep = (); while (@$list2FDevices) { my $element = shift @$list2FDevices; - $self->logger->debug("Looking for 2F Device to delete ..."); + $self->logger->debug("Looking for 2F device to delete ..."); push @keep, $element unless ( $element->{epoch} eq $epoch ); } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/U2F.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/U2F.pm index 7d71f3e1d..240d6d89d 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/U2F.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/U2F.pm @@ -46,8 +46,7 @@ sub run { my ( $resp, $challenge ); $self->logger->debug('Registration response'); unless ($resp = $req->param('registration') - and $challenge = $req->param('challenge') - ) + and $challenge = $req->param('challenge') ) { return $self->p->sendError( $req, 'Missing registration parameter', 400 ); 
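Review bot: The guard `unless ( $self->conf->{totp2fUserCanChangeKey} )` now denies when the option is off (the removed `if` had the sense inverted), but it gates both the `unregister` branch and the `delete` branch that follows, so the new comment `# Check if unregistration is allowed` understates its scope; suggest `# Both unregistration and per-device deletion require totp2fUserCanChangeKey`. The misspelled error key `'notAutorizated'` is carried over from the removed lines; it is presumably matched by the portal's message tables, so correcting it would need the corresponding entries updated in the same change. The `delete` branch begins here but its body, and the rest of `run`, lie outside the hunk.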
@@ -78,30 +77,12 @@ sub run { $list2FDevices = []; } my $keyName = $req->param('keyName'); - my $epoch = time(); + my $epoch = time(); + + # Set default name if empty $keyName ||= $epoch; $self->logger->debug("Key name : $keyName"); - # Select U2F Devices only - #my @listU2FKeys = map { - #( $_->{type} eq "U2F" ) ? return $_ : return (); - #} @{$list2FDevices}; - #$self->logger->debug("Select U2F Devices only ..."); - - # Search if U2F Key has been already registered - my $SameU2FKeyFound = 0; - foreach (@$list2FDevices) { - $self->logger->debug("Reading U2F Keys ..."); - $SameU2FKeyFound ||= 1 if ( ( $_->{name} eq $keyName ) ); - } - - $self->logger->debug("Same 2F Device found ? $SameU2FKeyFound"); - - if ($SameU2FKeyFound) { - $self->userLogger->error("U2F Key already registered !"); - return $self->p->sendError( $req, 'Bad challenge', 400 ); - } - push @{$list2FDevices}, { type => 'U2F', @@ -230,7 +211,7 @@ sub run { my @keep = (); while (@$list2FDevices) { my $element = shift @$list2FDevices; - $self->logger->debug("Looking for 2F Device to delete ..."); + $self->logger->debug("Looking for 2F device to delete ..."); push @keep, $element unless ( $element->{epoch} eq $epoch ); } diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/Yubikey.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/Yubikey.pm index cff6480c8..ae8e270ff 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/Yubikey.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Register/Yubikey.pm @@ -35,8 +35,11 @@ sub run { if ( $action eq 'register' ) { my $otp = $req->param('otp'); my $UBKName = $req->param('UBKName'); - if ( $UBKName - and $otp + my $epoch = time(); + + # Set default name if empty + $UBKName ||= $epoch; + if ( $otp and length($otp) > $self->conf->{yubikey2fPublicIDSize} ) { my $keys = $req->userData->{_yubikeys} || ''; 
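Review bot: Removing the `$SameU2FKeyFound` loop leaves U2F registration with no duplicate check at all, while the Yubikey module in this same commit gains one keyed on the device identifier. The removed check matched on the user-chosen `$keyName`, which was the wrong key (two devices may share a name and one device may be renamed), so dropping it is defensible, but re-registering an already-enrolled key now silently appends a second entry to `list2FDevices`. Suggest a loop like the Yubikey hunk's, comparing the key-handle field that the pushed hash carries (its name is outside this hunk) and restricted to entries with `$_->{type} eq 'U2F'` so other device types do not produce uninitialized-value warnings. `run` continues beyond this hunk.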
@@ -53,13 +56,37 @@ sub run { $self->logger->debug("No 2F Device found"); $list2FDevices = []; } + + # Select U2F Devices only + #my @listU2FKeys = map { + #( $_->{type} eq "U2F" ) ? return $_ : return (); + #} @{$list2FDevices}; + #$self->logger->debug("Select U2F Devices only ..."); + + # Search if Yubikey has been already registered + my $SameUBKFound = 0; + foreach (@$list2FDevices) { + $self->logger->debug("Reading Yubikeys ..."); + if ( $_->{_yubikey} eq $key ) { + $SameUBKFound = 1; + last; + } + } + + $self->logger->debug("Same 2F Device found ? $SameUBKFound"); + if ($SameUBKFound) { + $self->userLogger->error("Yubikey already registered !"); + return $self->p->sendError( $req, 'Yubikey already registered', 200 ); + } + push @{$list2FDevices}, { type => 'UBK', name => $UBKName, _yubikey => $key, - epoch => time() + epoch => $epoch }; + $self->logger->debug( "Append 2F Device : { type => 'UBK', name => $UBKName }"); $self->p->updatePersistentSession( $req, @@ -86,9 +113,13 @@ sub run { } } - elsif ( $action eq 'delete' ) { - my $epoch = $req->param('epoch'); + # Check if unregistration is allowed + unless ( $self->conf->{u2fUserCanRemoveKey} ) { + return $self->p->sendError( $req, 'notAutorizated', 200 ); + } + if ( $action eq 'delete' ) { + my $epoch = $req->param('epoch'); my $list2FDevices = eval { $self->logger->debug("Loading 2F Devices ..."); @@ -99,7 +130,7 @@ sub run { my @keep = (); while (@$list2FDevices) { my $element = shift @$list2FDevices; - $self->logger->debug("Looking for 2F Device to delete ..."); + $self->logger->debug("Looking for 2F device to delete ..."); push @keep, $element unless ( $element->{epoch} eq $epoch ); }
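Review bot: The new duplicate check `if ( $_->{_yubikey} eq $key )` iterates over every entry of `list2FDevices`, including TOTP and U2F devices that carry no `_yubikey` field, so under `use warnings` each such entry emits an uninitialized-value warning on every Yubikey registration; guard it with `if ( $_->{type} eq 'UBK' and $_->{_yubikey} eq $key )`. The commented-out `# Select U2F Devices only` block above it is copied from U2F.pm, refers to the wrong module and should be deleted rather than carried along. `$self->userLogger->error("Yubikey already registered !")` reports an ordinary user mistake at error level; the TOTP hunk in this commit uses `notice` for user-level outcomes, and `notice` or `warn` here would keep the error log meaningful. `$key` is defined before this hunk.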
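Review bot: The new guard reads `$self->conf->{u2fUserCanRemoveKey}`, the U2F option, inside the Yubikey module, so whether a user may delete a Yubikey is decided by the U2F setting, while the TOTP counterpart in this commit checks its own `totp2fUserCanChangeKey`. Unless sharing the U2F option is intended, this looks like a copy-paste and the check should be `unless ( $self->conf->{<YUBIKEY_OPTION>} )` with the Yubikey-specific key, which is not visible from this diff. Changing `elsif ( $action eq 'delete' )` to a bare `if` also means a `register` request whose branch falls through without returning now reaches this guard and receives `'notAutorizated'`; whether the register branch always returns cannot be seen here. `run` starts before and ends after this hunk.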