Add rules for 2f (#1015)

Xavier Guimard 2017-03-23 06:20:06 +00:00
parent 6a76cf1e17
commit e33a741acf
7 changed files with 54 additions and 11 deletions


@ -1,3 +1,10 @@
* check for issuer rules
* unhandled parameters:
* portalDisplayLoginHistory
* portalDisplayAppslist
* portalDisplayChangePassword
* portalDisplayLogout
* issuerDB\*Rule
* securize SOAP session creation by cipher
* Verify securedCookie=3 (strange)
* Test ForceAuth


@ -43,6 +43,7 @@ sub defaultValues {
'exportedVars' => {
'UA' => 'HTTP_USER_AGENT'
},
'ext2fActivation' => 0,
'facebookAuthnLevel' => 1,
'facebookExportedVars' => {},
'failedLoginNumber' => 5,
@ -235,6 +236,7 @@ sub defaultValues {
'timeoutActivityInterval' => 60,
'trustedProxies' => '',
'twitterAuthnLevel' => 1,
'u2fActivation' => 0,
'userControl' => '^[\\w\\.\\-@]+$',
'userDB' => 'Same',
'useRedirectOnError' => 1,


@ -964,7 +964,7 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
},
'ext2fActivation' => {
'default' => 0,
'type' => 'bool'
'type' => 'boolOrExpr'
},
'ext2fAuthnLevel' => {
'type' => 'int'
@ -2975,7 +2975,7 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
},
'u2fActivation' => {
'default' => 0,
'type' => 'bool'
'type' => 'boolOrExpr'
},
'u2fAuthnLevel' => {
'type' => 'int'


@ -975,7 +975,7 @@ sub attributes {
# U2F
u2fActivation => {
type => 'bool',
type => 'boolOrExpr',
default => 0,
documentation => 'U2F activation',
},
@ -992,7 +992,7 @@ sub attributes {
# External second factor
ext2fActivation => {
type => 'bool',
type => 'boolOrExpr',
default => 0,
documentation => 'External second factor activation',
},
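Review bot: The documentation strings `documentation => 'U2F activation',` and `documentation => 'External second factor activation',` still describe both attributes as plain on/off switches although their type now becomes boolOrExpr, so an administrator has no hint from the manager that a rule expression is accepted here. Suggest `documentation => 'U2F activation (boolean or rule)',` and `documentation => 'External second factor activation (boolean or rule)',`. The same type change appears in the other attributes file of this commit, which looks like the generated copy of this table and would pick the wording up on regeneration. The attributes sub continues outside both hunks.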



@ -36,6 +36,8 @@ has ott => (
}
);
has rule => ( is => 'rw' );
sub init {
my ($self) = @_;
$self->addUnauthRoute( ext2fcheck => 'verify', ['POST'] );
@ -45,14 +47,29 @@ sub init {
return 0;
}
}
my $rule = $self->conf->{ext2fActivation};
$rule = $self->p->HANDLER->substitute($rule);
unless ( $rule = $self->p->HANDLER->buildSub($rule) ) {
$self->error( 'External 2F rule error: '
. $self->p->HANDLER->tsv->{jail}->error );
return 0;
}
$self->rule($rule);
1;
}
sub run {
my ( $self, $req ) = @_;
return PE_OK unless ( $self->rule->( $req->sessionInfo ) );
my $user = $req->sessionInfo->{ $self->conf->{whatToTrace} };
$self->userLogger->info("Second factor required for $user");
# Prepare command and launch it
if ( $self->launch( $req->sessionInfo, $self->conf->{ext2FSendCommand} ) ) {
if ( my $c =
$self->launch( $req->sessionInfo, $self->conf->{ext2FSendCommand} ) )
{
$self->logger->error("External send command failed (code $c)");
return $self->p->do( $req, [ sub { PE_ERROR } ] );
}
@ -69,8 +86,7 @@ sub run {
TOKEN => $token
}
);
$self->logger->debug( 'Prepare U2F verification for '
. $req->sessionInfo->{ $self->conf->{whatToTrace} } );
$self->logger->debug("Prepare U2F verification for $user");
$req->response($tmp);
delete $req->{authResult};
@ -98,7 +114,11 @@ sub verify {
}
# Prepare command and launch it
if ( $self->launch( $session, $self->conf->{ext2FValidateCommand}, $code ) ) {
if ( my $c =
$self->launch( $session, $self->conf->{ext2FValidateCommand}, $code ) )
{
$self->userLogger->warn( 'Second factor failed for '
. $session->{ $self->conf->{whatToTrace} } );
return $self->p->do( $req, [ sub { PE_BADCREDENTIALS } ] );
}
$req->sessionInfo($session);
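Review bot: The rewritten debug line in run, `$self->logger->debug("Prepare U2F verification for $user");`, still says U2F although this plugin is the external second factor (its route is ext2fcheck and its error text says 'External 2F'), which makes log triage ambiguous when both plugins are enabled; change it to `$self->logger->debug("Prepare external second factor verification for $user");`. The new attribute `has rule => ( is => 'rw' );` would benefit from a comment such as `# Compiled ext2fActivation rule; called with sessionInfo in run`. In verify, `$code` is forwarded to ext2FValidateCommand through launch, whose implementation and the origin of `$code` are outside this hunk; if launch ever assembles a shell string rather than an argument list, the code needs an anchored-pattern check before it gets there. The bodies of run and verify continue outside these hunks.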


@ -36,9 +36,19 @@ has ott => (
}
);
has rule => ( is => 'rw' );
sub init {
my ($self) = @_;
$self->addUnauthRoute( u2fcheck => 'verify', ['POST'] );
my $rule = $self->conf->{u2fActivation};
$rule = $self->p->HANDLER->substitute($rule);
unless ( $rule = $self->p->HANDLER->buildSub($rule) ) {
$self->error(
'U2F rule error: ' . $self->p->HANDLER->tsv->{jail}->error );
return 0;
}
$self->rule($rule);
return 0 unless $self->SUPER::init;
1;
}
@ -48,6 +58,11 @@ sub init {
# Main method
sub run {
my ( $self, $req ) = @_;
return PE_OK unless ( $self->rule->( $req->sessionInfo ) );
my $user = $req->sessionInfo->{ $self->conf->{whatToTrace} };
$self->userLogger->info("U2F required for $user");
my ( $kh, $uk );
# Check if user is registered
@ -69,8 +84,7 @@ sub run {
TOKEN => $token
}
);
$self->logger->debug( 'Prepare U2F verification for '
. $req->sessionInfo->{ $self->conf->{whatToTrace} } );
$self->logger->debug("Prepare U2F verification for $user");
$req->response($tmp);
delete $req->{authResult};
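Review bot: The substitute/buildSub/error sequence added to init is the same as the one added to the external second-factor plugin in this commit, differing only in the config key and the message prefix, so a shared helper in the base class reached by `$self->SUPER::init` (taking the key and a label for the error) would keep the two in step when rule handling changes. A short comment on `has rule => ( is => 'rw' );`, e.g. `# Compiled u2fActivation rule, evaluated against sessionInfo in run`, would document the new attribute. run's body continues outside the hunk.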