# Self Yubikey registration package Lemonldap::NG::Portal::2F::Register::Yubikey; use strict; use Mouse; use JSON qw(from_json to_json); use Lemonldap::NG::Portal::Main::Constants qw( PE_FORMEMPTY PE_ERROR ); our $VERSION = '2.0.0'; extends 'Lemonldap::NG::Portal::Main::Plugin'; # INITIALIZATION has prefix => ( is => 'rw', default => 'yubikey' ); has template => ( is => 'ro', default => 'yubikey2fregister' ); has logo => ( is => 'rw', default => 'yubikey.png' ); sub init { my ($self) = @_; $self->conf->{yubikey2fPublicIDSize} ||= 12; return 1; } # RUNNING METHODS # Main method sub run { my ( $self, $req, $action ) = @_; if ( $action eq 'register' ) { my $otp = $req->param('otp'); my $UBKName = $req->param('UBKName'); my $epoch = time(); # Set default name if empty $UBKName ||= $epoch; if ( $otp and length($otp) > $self->conf->{yubikey2fPublicIDSize} ) { my $keys = $req->userData->{_yubikeys} || ''; $keys .= ( $keys ? ', ' : '' ) . substr( $otp, 0, $self->conf->{yubikey2fPublicIDSize} ); my $key = substr( $otp, 0, $self->conf->{yubikey2fPublicIDSize} ); my $list2FDevices = eval { $self->logger->debug("Looking for 2F Devices ..."); from_json( $req->userData->{list2FDevices}, { allow_nonref => 1 } ); }; unless ($list2FDevices) { $self->logger->debug("No 2F Device found"); $list2FDevices = []; } # Select U2F Devices only #my @listU2FKeys = map { #( $_->{type} eq "U2F" ) ? return $_ : return (); #} @{$list2FDevices}; #$self->logger->debug("Select U2F Devices only ..."); # Search if Yubikey has been already registered my $SameUBKFound = 0; foreach (@$list2FDevices) { $self->logger->debug("Reading Yubikeys ..."); if ( $_->{_yubikey} eq $key ) { $SameUBKFound = 1; last; } } $self->logger->debug("Same 2F Device found ? $SameUBKFound"); if ($SameUBKFound) { $self->userLogger->error("Yubikey already registered !"); return $self->p->sendError( $req, 'Yubikey already registered', 200 ); } push @{$list2FDevices}, { type => 'UBK', name => $UBKName, _yubikey => $key, epoch => $epoch }; $self->logger->debug( "Append 2F Device : { type => 'UBK', name => $UBKName }"); $self->p->updatePersistentSession( $req, { list2FDevices => to_json($list2FDevices) } ); $self->p->updatePersistentSession( $req, { _yubikeys => $keys } ); return $self->p->sendHtml( $req, 'error', params => { RAW_ERROR => 'yourKeyIsRegistered', AUTH_ERROR_TYPE => 'positive', } ); } else { $self->userLogger->error('Yubikey 2F: no code or name'); return $self->p->sendHtml( $req, 'error', params => { AUTH_ERROR => PE_FORMEMPTY, AUTH_ERROR_TYPE => 'positive', } ); } } # Check if unregistration is allowed unless ( $self->conf->{u2fUserCanRemoveKey} ) { return $self->p->sendError( $req, 'notAutorizated', 200 ); } if ( $action eq 'delete' ) { my $epoch = $req->param('epoch'); my $list2FDevices = eval { $self->logger->debug("Loading 2F Devices ..."); # Read existing 2FDevices from_json( $req->userData->{list2FDevices}, { allow_nonref => 1 } ); }; my @keep = (); while (@$list2FDevices) { my $element = shift @$list2FDevices; $self->logger->debug("Looking for 2F device to delete ..."); push @keep, $element unless ( $element->{epoch} eq $epoch ); } $self->logger->debug( "Delete 2F Device : { type => 'UBK', epoch => $epoch }"); $self->p->updatePersistentSession( $req, { list2FDevices => to_json( \@keep ) } ); $self->userLogger->notice('Yubikey deletion succeed'); return [ 200, [ 'Content-Type' => 'application/json', 'Content-Length' => 12, ], ['{"result":1}'] ]; } else { $self->userLogger->error("Unknown Yubikey action $action"); return $self->p->sendHtml( $req, 'error', params => { AUTH_ERROR => PE_ERROR, AUTH_ERROR_TYPE => 'positive', } ); } } 1;