Add rules for 2f (#1015)
This commit is contained in:
parent
6a76cf1e17
commit
e33a741acf
|
@ -1,3 +1,10 @@
|
|||
* check for issuer rules
|
||||
* unhandled parameters:
|
||||
* portalDisplayLoginHistory
|
||||
* portalDisplayAppslist
|
||||
* portalDisplayChangePassword
|
||||
* portalDisplayLogout
|
||||
* issuerDB\*Rule
|
||||
* securize SOAP session creation by cipher
|
||||
* Verify securedCookie=3 (strange)
|
||||
* Test ForceAuth
|
||||
|
|
|
@ -43,6 +43,7 @@ sub defaultValues {
|
|||
'exportedVars' => {
|
||||
'UA' => 'HTTP_USER_AGENT'
|
||||
},
|
||||
'ext2fActivation' => 0,
|
||||
'facebookAuthnLevel' => 1,
|
||||
'facebookExportedVars' => {},
|
||||
'failedLoginNumber' => 5,
|
||||
|
@ -235,6 +236,7 @@ sub defaultValues {
|
|||
'timeoutActivityInterval' => 60,
|
||||
'trustedProxies' => '',
|
||||
'twitterAuthnLevel' => 1,
|
||||
'u2fActivation' => 0,
|
||||
'userControl' => '^[\\w\\.\\-@]+$',
|
||||
'userDB' => 'Same',
|
||||
'useRedirectOnError' => 1,
|
||||
|
|
|
@ -964,7 +964,7 @@ qr/^(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-
|
|||
},
|
||||
'ext2fActivation' => {
|
||||
'default' => 0,
|
||||
'type' => 'bool'
|
||||
'type' => 'boolOrExpr'
|
||||
},
|
||||
'ext2fAuthnLevel' => {
|
||||
'type' => 'int'
|
||||
|
@ -2975,7 +2975,7 @@ qr/^(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-
|
|||
},
|
||||
'u2fActivation' => {
|
||||
'default' => 0,
|
||||
'type' => 'bool'
|
||||
'type' => 'boolOrExpr'
|
||||
},
|
||||
'u2fAuthnLevel' => {
|
||||
'type' => 'int'
|
||||
|
|
|
@ -975,7 +975,7 @@ sub attributes {
|
|||
|
||||
# U2F
|
||||
u2fActivation => {
|
||||
type => 'bool',
|
||||
type => 'boolOrExpr',
|
||||
default => 0,
|
||||
documentation => 'U2F activation',
|
||||
},
|
||||
|
@ -992,7 +992,7 @@ sub attributes {
|
|||
|
||||
# External second factor
|
||||
ext2fActivation => {
|
||||
type => 'bool',
|
||||
type => 'boolOrExpr',
|
||||
default => 0,
|
||||
documentation => 'External second factor activation',
|
||||
},
|
||||
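Review bot: The `documentation` strings for u2fActivation and ext2fActivation still describe a plain switch although their `type` is now `boolOrExpr`, so the manager will label a field that accepts a rule expression as "U2F activation". Suggest `documentation => 'U2F activation rule',` and `documentation => 'External second factor activation rule',` so that an administrator sees that a per-session expression is accepted there. Both entries are inside `sub attributes`, which starts and ends outside these hunks.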
|
|
|
@ -36,6 +36,8 @@ has ott => (
|
|||
}
|
||||
);
|
||||
|
||||
has rule => ( is => 'rw' );
|
||||
|
||||
sub init {
|
||||
my ($self) = @_;
|
||||
$self->addUnauthRoute( ext2fcheck => 'verify', ['POST'] );
|
||||
|
@ -45,14 +47,29 @@ sub init {
|
|||
return 0;
|
||||
}
|
||||
}
|
||||
my $rule = $self->conf->{ext2fActivation};
|
||||
$rule = $self->p->HANDLER->substitute($rule);
|
||||
unless ( $rule = $self->p->HANDLER->buildSub($rule) ) {
|
||||
$self->error( 'External 2F rule error: '
|
||||
. $self->p->HANDLER->tsv->{jail}->error );
|
||||
return 0;
|
||||
}
|
||||
$self->rule($rule);
|
||||
1;
|
||||
}
|
||||
|
||||
sub run {
|
||||
my ( $self, $req ) = @_;
|
||||
return PE_OK unless ( $self->rule->( $req->sessionInfo ) );
|
||||
|
||||
my $user = $req->sessionInfo->{ $self->conf->{whatToTrace} };
|
||||
$self->userLogger->info("Second factor required for $user");
|
||||
|
||||
# Prepare command and launch it
|
||||
if ( $self->launch( $req->sessionInfo, $self->conf->{ext2FSendCommand} ) ) {
|
||||
if ( my $c =
|
||||
$self->launch( $req->sessionInfo, $self->conf->{ext2FSendCommand} ) )
|
||||
{
|
||||
$self->logger->error("External send command failed (code $c)");
|
||||
return $self->p->do( $req, [ sub { PE_ERROR } ] );
|
||||
}
|
||||
|
||||
|
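Review bot: The new activation check in `run`, `return PE_OK unless ( $self->rule->( $req->sessionInfo ) );`, treats a false result and an undef result alike, so a rule that evaluates to undef for a given session (for instance one that references an attribute missing from that session) lets the user through without a second factor and without any log line. Whether the sub compiled by `buildSub` can die at call time is not visible here; if it can, that surfaces as an uncaught exception in `run` rather than a logged decision. Logging the skip explicitly, e.g. `$self->logger->debug("External 2F not required for $user");` with `$user` computed before the check, would make bypasses of the second factor auditable. The same pattern is introduced in U2F's `run` in this commit, and note that U2F's `init` also calls `return 0 unless $self->SUPER::init;` before returning while Ext2F's `init` ends at `1;` without it — worth confirming that difference is intended. `run` continues past this hunk.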
@ -69,8 +86,7 @@ sub run {
|
|||
TOKEN => $token
|
||||
}
|
||||
);
|
||||
$self->logger->debug( 'Prepare U2F verification for '
|
||||
. $req->sessionInfo->{ $self->conf->{whatToTrace} } );
|
||||
$self->logger->debug("Prepare U2F verification for $user");
|
||||
|
||||
$req->response($tmp);
|
||||
delete $req->{authResult};
|
||||
|
@ -98,7 +114,11 @@ sub verify {
|
|||
}
|
||||
|
||||
# Prepare command and launch it
|
||||
if ( $self->launch( $session, $self->conf->{ext2FValidateCommand}, $code ) ) {
|
||||
if ( my $c =
|
||||
$self->launch( $session, $self->conf->{ext2FValidateCommand}, $code ) )
|
||||
{
|
||||
$self->userLogger->warn( 'Second factor failed for '
|
||||
. $session->{ $self->conf->{whatToTrace} } );
|
||||
return $self->p->do( $req, [ sub { PE_BADCREDENTIALS } ] );
|
||||
}
|
||||
$req->sessionInfo($session);
|
||||
|
|
|
@ -36,9 +36,19 @@ has ott => (
|
|||
}
|
||||
);
|
||||
|
||||
has rule => ( is => 'rw' );
|
||||
|
||||
sub init {
|
||||
my ($self) = @_;
|
||||
$self->addUnauthRoute( u2fcheck => 'verify', ['POST'] );
|
||||
my $rule = $self->conf->{u2fActivation};
|
||||
$rule = $self->p->HANDLER->substitute($rule);
|
||||
unless ( $rule = $self->p->HANDLER->buildSub($rule) ) {
|
||||
$self->error(
|
||||
'U2F rule error: ' . $self->p->HANDLER->tsv->{jail}->error );
|
||||
return 0;
|
||||
}
|
||||
$self->rule($rule);
|
||||
return 0 unless $self->SUPER::init;
|
||||
1;
|
||||
}
|
||||
|
@ -48,6 +58,11 @@ sub init {
|
|||
# Main method
|
||||
sub run {
|
||||
my ( $self, $req ) = @_;
|
||||
return PE_OK unless ( $self->rule->( $req->sessionInfo ) );
|
||||
|
||||
my $user = $req->sessionInfo->{ $self->conf->{whatToTrace} };
|
||||
$self->userLogger->info("U2F required for $user");
|
||||
|
||||
my ( $kh, $uk );
|
||||
|
||||
# Check if user is registered
|
||||
|
@ -69,8 +84,7 @@ sub run {
|
|||
TOKEN => $token
|
||||
}
|
||||
);
|
||||
$self->logger->debug( 'Prepare U2F verification for '
|
||||
. $req->sessionInfo->{ $self->conf->{whatToTrace} } );
|
||||
$self->logger->debug("Prepare U2F verification for $user");
|
||||
|
||||
$req->response($tmp);
|
||||
delete $req->{authResult};
|
||||
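Review bot: `init` finishes with a bare `1;` while its failure branches use explicit `return 0;`, so the success value is only implicit; `return 1;` keeps both exits explicit, and the same applies to `init` in Ext2F in this commit. The `run` hunks below only switch the debug line to the new `$user` variable, which is consistent with `my $user = $req->sessionInfo->{ $self->conf->{whatToTrace} };` above it. `init` is shown in full here; `run` starts in this section but its end lies outside it.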
|
|