Adapt SAML forceAuth to new portal (#595)
This commit is contained in:
parent
e9025a06d7
commit
d93130d168
|
@ -37,6 +37,9 @@ site/htdocs/manager.psgi
|
|||
site/htdocs/static/bwr/angular-animate/angular-animate.js
|
||||
site/htdocs/static/bwr/angular-animate/angular-animate.min.js
|
||||
site/htdocs/static/bwr/angular-animate/angular-animate.min.js.map
|
||||
site/htdocs/static/bwr/angular-aria/angular-aria.js
|
||||
site/htdocs/static/bwr/angular-aria/angular-aria.min.js
|
||||
site/htdocs/static/bwr/angular-aria/angular-aria.min.js.map
|
||||
site/htdocs/static/bwr/angular-bootstrap/ui-bootstrap-tpls.js
|
||||
site/htdocs/static/bwr/angular-bootstrap/ui-bootstrap-tpls.min.js
|
||||
site/htdocs/static/bwr/angular-cookies/angular-cookies.js
|
||||
|
|
|
@ -83,7 +83,6 @@ lib/Lemonldap/NG/Portal/Password/LDAP.pm
|
|||
lib/Lemonldap/NG/Portal/Password/REST.pm
|
||||
lib/Lemonldap/NG/Portal/Plugins/CDA.pm
|
||||
lib/Lemonldap/NG/Portal/Plugins/External2F.pm
|
||||
lib/Lemonldap/NG/Portal/Plugins/ForceAuth.pm
|
||||
lib/Lemonldap/NG/Portal/Plugins/GrantSession.pm
|
||||
lib/Lemonldap/NG/Portal/Plugins/History.pm
|
||||
lib/Lemonldap/NG/Portal/Plugins/MailReset.pm
|
||||
|
|
|
@ -394,93 +394,23 @@ sub run {
|
|||
$self->logger->debug(
|
||||
"Found ForceAuthn flag with value $force_authn");
|
||||
|
||||
# Get ForceAuthn sessions for this session_id
|
||||
my $moduleOptions = $self->conf->{samlStorageOptions} || {};
|
||||
$moduleOptions->{backend} = $self->conf->{samlStorage};
|
||||
my $module = "Lemonldap::NG::Common::Apache::Session";
|
||||
|
||||
my $forceAuthn_sessions =
|
||||
$module->searchOn( $moduleOptions, "_saml_id", $session_id );
|
||||
|
||||
my $forceAuthn_session;
|
||||
my $forceAuthnSessionInfo;
|
||||
|
||||
# Force authentication if flag is on, or previous flag still active
|
||||
if (
|
||||
my @forceAuthn_sessions_keys =
|
||||
keys %$forceAuthn_sessions
|
||||
$force_authn
|
||||
and (
|
||||
time - $req->sessionInfo->{_utime} >
|
||||
$self->conf->{portalForceAuthnInterval} )
|
||||
)
|
||||
{
|
||||
|
||||
# Warning if more than one session found
|
||||
if ( $#forceAuthn_sessions_keys > 0 ) {
|
||||
$self->logger->warn(
|
||||
"More than one ForceAuthn session found for session $session_id"
|
||||
);
|
||||
}
|
||||
|
||||
# Take the first session
|
||||
$forceAuthn_session = shift @forceAuthn_sessions_keys;
|
||||
|
||||
# Get session
|
||||
$self->logger->debug(
|
||||
"Retrieve ForceAuthn session $forceAuthn_session for session $session_id"
|
||||
);
|
||||
|
||||
$forceAuthnSessionInfo =
|
||||
$self->getSamlSession($forceAuthn_session);
|
||||
|
||||
# Check forceAuthn flag for current SP
|
||||
if ( $forceAuthnSessionInfo->data->{$spConfKey} ) {
|
||||
|
||||
$self->logger->debug(
|
||||
"User was already forced to reauthenticate for SP $spConfKey"
|
||||
);
|
||||
$force_authn = 1;
|
||||
}
|
||||
}
|
||||
else {
|
||||
$self->logger->debug(
|
||||
"No ForceAuthn session found for session $session_id");
|
||||
}
|
||||
|
||||
# Force authentication if flag is on, or previous flag still active
|
||||
if ($force_authn) {
|
||||
my $info = { $spConfKey => 1 };
|
||||
|
||||
unless ($forceAuthn_session) {
|
||||
my $forceInfos;
|
||||
$info->{'_type'} = "forceAuthn";
|
||||
$info->{'_saml_id'} = $session_id;
|
||||
$info->{'_utime'} = $time;
|
||||
$self->logger->debug("Create ForceAuthn session");
|
||||
}
|
||||
|
||||
# Store flag for further requests
|
||||
$forceAuthnSessionInfo =
|
||||
$self->getSamlSession( $forceAuthn_session, $info );
|
||||
$forceAuthn_session = $forceAuthnSessionInfo->id
|
||||
unless ($forceAuthn_session);
|
||||
|
||||
$self->logger->debug(
|
||||
"Set ForceAuthn flag for SP $spConfKey in ForceAuthn session"
|
||||
);
|
||||
$self->userLogger->info(
|
||||
"SAML SP $sp ask to refresh session of "
|
||||
. $req->sessionInfo->{ $self->conf->{whatToTrace} } );
|
||||
|
||||
# Replay authentication process
|
||||
return $self->reAuth($req);
|
||||
}
|
||||
|
||||
# Else remove flag
|
||||
elsif ($forceAuthn_session) {
|
||||
$forceAuthnSessionInfo =
|
||||
$self->getSamlSession( $forceAuthn_session,
|
||||
{ $spConfKey => 0 } );
|
||||
$forceAuthnSessionInfo->update( { $spConfKey => 0 } );
|
||||
|
||||
$self->logger->debug(
|
||||
"Unset ForceAuthn flag for SP $spConfKey in ForceAuthn session $forceAuthn_session"
|
||||
);
|
||||
}
|
||||
|
||||
# Check Destination (only in non proxy mode)
|
||||
unless ( $req->datas->{_proxiedRequest} ) {
|
||||
return PE_SAML_DESTINATION_ERROR
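Review bot: The new interval check at the `if (` near the top of the hunk compares `time - $req->sessionInfo->{_utime}` with `portalForceAuthnInterval`, while the ForceAuth plugin this commit deletes used `$req->{sessionInfo}->{_lastAuthnUTime}` for the same decision; if `_utime` is refreshed by anything other than an authentication, an SP's ForceAuthn request could be satisfied by a session whose last real authentication is older than the interval, which is the opposite of what SAML ForceAuthn asks for. Consider `time - ( $req->sessionInfo->{_lastAuthnUTime} || 0 ) > $self->conf->{portalForceAuthnInterval}` (the `|| 0` also avoids the undefined-value warning the current expression emits when the key is absent), or a comment stating why `_utime` is the intended reference. The lines that replaced the per-SP ForceAuthn session lookup appear to drop the "previous flag still active" case that the comment just above the `if` still describes, so that comment should be reduced to `# Force authentication if flag is on and last session update is older than portalForceAuthnInterval` or the behaviour restored. The enclosing `sub run` starts and ends outside the hunk.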
|
||||
|
|
|
@ -16,7 +16,6 @@ our @pList = (
|
|||
portalDisplayResetPassword => '::Plugins::MailReset',
|
||||
portalStatus => '::Plugins::Status',
|
||||
cda => '::Plugins::CDA',
|
||||
portalForceAuthn => '::Plugins::ForceAuth',
|
||||
u2fActivation => '::Plugins::U2F',
|
||||
ext2fActivation => '::Plugins::External2F',
|
||||
grantSessionRule => '::Plugins::GrantSession',
|
||||
|
|
|
@ -1,45 +0,0 @@
|
|||
package Lemonldap::NG::Portal::Plugins::ForceAuth;
|
||||
|
||||
use strict;
|
||||
use Mouse;
|
||||
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);
|
||||
|
||||
extends 'Lemonldap::NG::Portal::Main::Plugin';
|
||||
|
||||
our $VERSION = '2.0.0';
|
||||
|
||||
sub init { 1 }
|
||||
|
||||
sub forAuthUser { 'forceAuth' }
|
||||
|
||||
sub forceAuth {
|
||||
my ( $self, $req ) = @_;
|
||||
|
||||
# Don't force authentication if password is going to be changed
|
||||
return PE_OK if ( $req->param('newpassword') );
|
||||
|
||||
# Do not force authentication if last successful authentication is recent
|
||||
my $last_authn_utime = $req->{sessionInfo}->{_lastAuthnUTime} || 0;
|
||||
if ( time() - $last_authn_utime < $self->{portalForceAuthnInterval} ) {
|
||||
$self->logger->debug(
|
||||
"Authentication is recent, so do not force authentication for session $req->id"
|
||||
);
|
||||
}
|
||||
else {
|
||||
|
||||
# Else, launch authentication process
|
||||
$self->logger->debug("Force reauthentication for session $req->id");
|
||||
$req->steps(
|
||||
[
|
||||
@{ $self->p->beforeAuth },
|
||||
$self->p->authProcess,
|
||||
@{ $self->p->betweenAuthAndDatas },
|
||||
$self->p->sessionDatas,
|
||||
@{ $self->p->afterDatas }
|
||||
]
|
||||
);
|
||||
}
|
||||
return PE_OK;
|
||||
}
|
||||
|
||||
1
|