package Lemonldap::NG::Portal::Main::SecondFactor; use strict; use Mouse; use Lemonldap::NG::Portal::Main::Constants qw( PE_SENDRESPONSE PE_OK PE_NOTOKEN PE_TOKENEXPIRED PE_BADCREDENTIALS ); our $VERSION = '2.0.15'; extends qw( Lemonldap::NG::Portal::Main::Plugin Lemonldap::NG::Portal::Auth::_WebForm ); # INITIALIZATION has ott => ( is => 'rw', lazy => 1, default => sub { my $ott = $_[0]->{p}->loadModule('Lemonldap::NG::Portal::Lib::OneTimeToken'); $ott->timeout( $_[0]->{conf}->{sfLoginTimeout} || $_[0]->{conf}->{formTimeout} ); return $ott; } ); has prefix => ( is => 'rw' ); has logo => ( is => 'rw', default => '2f.png' ); has label => ( is => 'rw' ); has noRoute => ( is => 'ro' ); has authnLevel => ( is => 'rw', lazy => 1, default => sub { return $_[0]->conf->{ $_[0]->prefix . '2fAuthnLevel' }; } ); sub init { my ($self) = @_; # Set logo if overridden $self->logo( $self->conf->{ $self->prefix . "2fLogo" } ) if ( $self->conf->{ $self->prefix . "2fLogo" } ); # Set label if provided, translation files will be used otherwise $self->label( $self->conf->{ $self->prefix . "2fLabel" } ) if ( $self->conf->{ $self->prefix . "2fLabel" } ); unless ( $self->noRoute ) { $self->logger->debug( 'Adding ' . $self->prefix . '2fcheck routes' ); $self->addAuthRoute( $self->prefix . '2fcheck' => '_verify', ['POST'] ); $self->addAuthRoute( $self->prefix . '2fcheck' => '_redirect', ['GET'] ); $self->addUnauthRoute( $self->prefix . '2fcheck' => '_verify', ['POST'] ); $self->addUnauthRoute( $self->prefix . '2fcheck' => '_redirect', ['GET'] ); } 1; } sub _redirect { my ( $self, $req ) = @_; my $arg = $req->env->{QUERY_STRING}; return [ 302, [ Location => $self->conf->{portal} . ( $arg ? "?$arg" : '' ) ], [] ]; } sub _verify { my ( $self, $req ) = @_; my $checkLogins = $req->param('checkLogins'); $self->logger->debug("checkLogins set") if ($checkLogins); # Check token my $token; unless ( $token = $req->param('token') ) { $self->userLogger->error( $self->prefix . ' 2F access without token' ); eval { $self->setSecurity($req) }; $req->mustRedirect(1); return $self->p->do( $req, [ sub { PE_NOTOKEN } ] ); } my $session; unless ( $session = $self->ott->getToken($token) ) { $self->userLogger->info('Token expired'); $self->setSecurity($req); return $self->p->do( $req, [ sub { PE_TOKENEXPIRED } ] ); } # Launch second factor verification my $res = $self->verify( $req, $session ); # Update sessionInfo delete $session->{$_} foreach (qw(tokenSessionStartTimestamp tokenTimeoutTimestamp _type)); $req->sessionInfo($session); $req->id( delete $req->sessionInfo->{_2fRealSession} ); $req->urldc( delete $req->sessionInfo->{_2fUrldc} ); $req->{sessionInfo}->{_utime} = delete $req->{sessionInfo}->{_2fUtime}; # Case error if ($res) { $req->noLoginDisplay(1); $req->authResult(PE_BADCREDENTIALS); return $self->p->do( $req, [ sub { $self->p->storeHistory(@_) }, sub { $res } ] ); } # Else restore session $req->mustRedirect(1); $self->userLogger->notice( $self->prefix . '2F verification for ' . $req->sessionInfo->{ $self->conf->{whatToTrace} } ); if ( my $l = $self->authnLevel ) { $self->logger->debug( "Update sessionInfo with new authenticationLevel: $l"); $req->sessionInfo->{authenticationLevel} = $l; # Compute macros & groups with new authenticationLevel $self->logger->debug("Compute macros and groups..."); $req->steps( [ $self->p->groupsAndMacros, 'setLocalGroups' ] ); if ( my $error = $self->p->process($req) ) { $self->logger->debug("SFA: Process returned error: $error"); $req->error($error); return $self->p->do( $req, [ sub { $error } ] ); } $self->logger->debug("De-duplicate groups..."); $req->sessionInfo->{groups} = join $self->conf->{multiValuesSeparator}, keys %{ { map { $_ => 1 } split $self->conf->{multiValuesSeparator}, $req->sessionInfo->{groups} } }; $self->logger->debug("Filter macros..."); my %macros = ( map { $_ => $req->sessionInfo->{$_} } keys %{ $self->{conf}->{macros} } ); $self->logger->debug( "Update session with new authenticationLevel, groups, hGroups and macros" ); $self->p->updateSession( $req, { authenticationLevel => $l, groups => $req->sessionInfo->{groups}, hGroups => $req->sessionInfo->{hGroups}, _2f => $self->prefix, %macros } ); } else { # Only update _2f session key $self->p->updateSession( $req, { _2f => $self->prefix, } ); } $req->authResult(PE_SENDRESPONSE); return $self->p->do( $req, [ @{ $self->p->afterData }, $self->p->validSession, 'rebuildCookies', @{ $self->p->endAuth }, sub { PE_OK } ] ); } 1; __END__ =pod =encoding utf8 =head1 NAME Lemonldap::NG::Portal::Main::SecondFactor - Base class for L second factor plugins. =head1 SYNOPSIS package Lemonldap::NG::Portal::2F::MySecondFactor; use Mouse; # Import used constants use Lemonldap::NG::Portal::Main::Constants qw( PE_OK PE_BADCREDENTIALS PE_SENDRESPONSE ); extends 'Lemonldap::NG::Portal::Main::SecondFactor'; # INITIALIZATION # Prefix that will be used in parameter names. The form used to enter the # second factor must post its result to "/my2fcheck" (if "my" is the prefix). has prefix => ( is => 'ro', default => 'my' ); # Optional logo has logo => ( is => 'rw', default => 'mylogo.png' ); # Required init method sub init { my ($self) = @_; # Insert here initialization process # # If self registration is enabled and "activation" is set to "enabled", # replace the rule to detect if user has registered a device key. # The rule must be like this : # By example : $self->conf->{u2fActivation} = '$_2fDevices =~ /"type":\s*"U2F"/s' # Optionally, the rule can be : '$_2fDevices and $_2fDevices =~ /"type":\s*"U2F"/s' # to avoid warning due to undef variable # # Required call: return $self->SUPER::init(); } # RUNNING METHODS # Required 2nd factor send method sub run { my ( $self, $req, $token ) = @_; # $token must be inserted in a hidden input in your form with the name # "token" ... # A LLNG constant must be returned. Example: $req->response($my_psgi_response) return PE_SENDRESPONSE; } # Required 2nd factor verify method sub verify { my ( $self, $req, $session ) = @_; # Use $req->param('field') to get POST responses ... if($result eq $goodResult) { return PE_OK; } else { return PE_BADCREDENTIALS } } Enable your plugin in lemonldap-ng.ini, section [portal]: =over =item 2fActivation (required): 1, 0 or a rule =item 2fAuthnLevel (optional): change authentication level for users authenticated by this plugin =back Example: [portal] customPlugins = Lemonldap::NG::Portal::2F::MyPlugin my2fActivation = 1 my2fAuthnLevel = 4 =head1 DESCRIPTION Lemonldap::NG::Portal::Main::SecondFactor provides a simple framework to build Lemonldap::NG second authentication factor plugin. See Lemonldap::NG::Portal::Plugins::2F::* packages for examples. =head1 SEE ALSO L =head2 OTHER POD FILES =over =item Writing an authentication module: L =item Writing a UserDB module: L =item Writing a second factor module: L =item Writing an issuer module: L =item Writing another plugin: L =item Request object: L =item Adding parameters in the manager: L =back =head1 AUTHORS =over =item LemonLDAP::NG team L =back =head1 BUG REPORT Use OW2 system to report bug or ask for features: L =head1 DOWNLOAD Lemonldap::NG is available at L =head1 COPYRIGHT AND LICENSE See COPYING file for details. This library is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see L. =cut