diff --git a/lam-packaging/debian/copyright b/lam-packaging/debian/copyright
index f74a6745..586f9bb4 100644
--- a/lam-packaging/debian/copyright
+++ b/lam-packaging/debian/copyright
@@ -390,6 +390,31 @@ D:
permanent authorization for you to choose that version for the
Library.
+E:
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. The name of the author may not be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
Programs and licenses with other licenses and/or authors than the
main license and authors:
@@ -411,6 +436,8 @@ templates/lib/*jquery-validationEngine-*.js B 2010 Cedric Dugas and Olivier Re
style/150_jquery-validationEngine*.css B 2010 Cedric Dugas and Olivier Refalo
templates/lib/extra/cropperjs B 2018 Chen Fengyuan
style/600_cropper*.css B 2018 Chen Fengyuan
+templates/lib/extra/duo/*.js E 2019 Duo Security
+lib/3rdParty/duo/*.php E 2019 Duo Security
templates/lib/600_jquery.magnific-popup.js B 2016 Dmitry Semenov
style/610_magnific-popup.css B 2016 Dmitry Semenov
style/responsive/105_normalize.css B Nicolas Gallagher and Jonathan Neal
diff --git a/lam/HISTORY b/lam/HISTORY
index b770a043..92a90eef 100644
--- a/lam/HISTORY
+++ b/lam/HISTORY
@@ -1,6 +1,8 @@
September 2019 6.9
- Group account types can show member+owner count in list view
- - 2-factor authentication: user name attribute for privacyIDEA can be specified
+ - 2-factor authentication:
+ -> Duo support
+ -> user name attribute for privacyIDEA can be specified
- LAM Pro:
-> New self service settings for login and main page footer
diff --git a/lam/copyright b/lam/copyright
index 200c8a6a..878733ed 100644
--- a/lam/copyright
+++ b/lam/copyright
@@ -389,6 +389,31 @@ D:
permanent authorization for you to choose that version for the
Library.
+E:
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. The name of the author may not be used to endorse or promote products
+ derived from this software without specific prior written permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
Programs and licenses with other licenses and/or authors than the
main license and authors:
@@ -410,6 +435,8 @@ templates/lib/*jquery-validationEngine-*.js B 2010 Cedric Dugas and Olivier Re
style/150_jquery-validationEngine*.css B 2010 Cedric Dugas and Olivier Refalo
templates/lib/extra/cropperjs B 2018 Chen Fengyuan
style/600_cropper*.css B 2018 Chen Fengyuan
+templates/lib/extra/duo/*.js E 2019 Duo Security
+lib/3rdParty/duo/*.php E 2019 Duo Security
templates/lib/600_jquery.magnific-popup.js B 2016 Dmitry Semenov
style/610_magnific-popup.css B 2016 Dmitry Semenov
style/responsive/105_normalize.css B Nicolas Gallagher and Jonathan Neal
diff --git a/lam/docs/manual-sources/chapter-configuration.xml b/lam/docs/manual-sources/chapter-configuration.xml
index 5a7c9c25..2feb52cc 100644
--- a/lam/docs/manual-sources/chapter-configuration.xml
+++ b/lam/docs/manual-sources/chapter-configuration.xml
@@ -625,6 +625,10 @@
YubiKey
+
+
+ Duo
+
Configuration options:
@@ -639,7 +643,20 @@
User name attribute: please enter the LDAP attribute name
- that contains the user ID (e.g. "uid")
+ that contains the user ID (e.g. "uid").
+
+
+
+ Optional: By default LAM will enforce to use a token and
+ reject users that did not setup one. You can set this check to
+ optional. But if a user has setup a token then this will always be
+ required.
+
+
+
+ Disable certificate check: This should be used on
+ development instances only. It skips the certificate check when
+ connecting to verification server.
@@ -664,15 +681,45 @@
Secret key: this is only required for YubiKey cloud. You can
register here: https://upgrade.yubico.com/getapikey/
+
+
+ Optional: By default LAM will enforce to use a token and
+ reject users that did not setup one. You can set this check to
+ optional. But if a user has setup a token then this will always be
+ required.
+
+
+
+ Disable certificate check: This should be used on
+ development instances only. It skips the certificate check when
+ connecting to verification server.
+
- Optional: By default LAM will enforce to use a token and reject
- users that did not setup one. You can set this check to optional. But
- if a user has setup a token then this will always be required.
+ Duo:
- Disable certificate check: This should be used on development
- instances only. It skips the certificate check when connecting to
- verification server.
+ This requires to register a new "Web SDK" application in your
+ Duo admin panel.
+
+
+
+ User name attribute: please enter the LDAP attribute name
+ that contains the user ID (e.g. "uid").
+
+
+
+ Base URL: please enter the API-URL of your Duo instance
+ (e.g. api-12345.duosecurity.com).
+
+
+
+ Client id: please enter your integration key.
+
+
+
+ Secret key: please enter your secret key.
+
+
diff --git a/lam/docs/manual-sources/chapter-installation.xml b/lam/docs/manual-sources/chapter-installation.xml
index 19a72dde..45961773 100644
--- a/lam/docs/manual-sources/chapter-installation.xml
+++ b/lam/docs/manual-sources/chapter-installation.xml
@@ -596,7 +596,7 @@
intermediate release.
- 6.7 -> 6.8
+ 6.7 -> 6.9
No actions required.
diff --git a/lam/lib/2factor.inc b/lam/lib/2factor.inc
index 417e6831..55267b31 100644
--- a/lam/lib/2factor.inc
+++ b/lam/lib/2factor.inc
@@ -2,6 +2,9 @@
namespace LAM\LIB\TWO_FACTOR;
use \selfServiceProfile;
use \LAMConfig;
+use \htmlScript;
+use \htmlInputField;
+use \htmlIframe;
/*
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
@@ -53,14 +56,87 @@ interface TwoFactorProvider {
*/
public function verify2ndFactor($user, $password, $serial, $twoFactorInput);
+ /**
+ * Returns if the service has a custom input form.
+ * In this case the token field is not displayed.
+ *
+ * @return has custom input form
+ */
+ public function hasCustomInputForm();
+
+ /**
+ * Adds the custom input fields to the form.
+ *
+ * @param htmlResponsiveRow $row row where to add the input fields
+ * @param string user DN
+ */
+ public function addCustomInput(&$row, $userDn);
+
+ /**
+ * Returns if the submit button should be shown.
+ *
+ * @return bool show submit button
+ */
+ public function isShowSubmitButton();
+}
+
+/**
+ * Base class for 2-factor authentication providers.
+ *
+ * @author Roland Gruber
+ */
+abstract class BaseProvider implements TwoFactorProvider {
+
+ protected $config;
+
+ /**
+ * {@inheritDoc}
+ * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::hasCustomInputForm()
+ */
+ public function hasCustomInputForm() {
+ return false;
+ }
+
+ /**
+ * {@inheritDoc}
+ * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::addCustomInput()
+ */
+ public function addCustomInput(&$row, $userDn) {
+ // must be filled by subclass if used
+ }
+
+ /**
+ * Returns the value of the user attribute in LDAP.
+ *
+ * @param string $userDn user DN
+ * @return string user name
+ */
+ protected function getLoginAttributeValue($userDn) {
+ $attrName = $this->config->twoFactorAuthenticationSerialAttributeName;
+ $userData = ldapGetDN($userDn, array($attrName));
+ if (empty($userData[$attrName])) {
+ return null;
+ }
+ if (is_array($userData[$attrName])) {
+ return $userData[$attrName][0];
+ }
+ return $userData[$attrName];
+ }
+
+ /**
+ * {@inheritDoc}
+ * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::isShowSubmitButton()
+ */
+ public function isShowSubmitButton() {
+ return true;
+ }
+
}
/**
* Provider for privacyIDEA.
*/
-class PrivacyIDEAProvider implements TwoFactorProvider {
-
- private $config;
+class PrivacyIDEAProvider extends BaseProvider {
/**
* Constructor.
@@ -82,24 +158,6 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
return $this->getSerialsForUser($loginAttribute, $token);
}
- /**
- * Returns the value of the user attribute in LDAP.
- *
- * @param string $userDn user DN
- * @return string user name
- */
- private function getLoginAttributeValue($userDn) {
- $attrName = $this->config->twoFactorAuthenticationSerialAttributeName;
- $userData = ldapGetDN($userDn, array($attrName));
- if (empty($userData[$attrName])) {
- return null;
- }
- if (is_array($userData[$attrName])) {
- return $userData[$attrName][0];
- }
- return $userData[$attrName];
- }
-
/**
* {@inheritDoc}
* @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::verify2ndFactor()
@@ -246,9 +304,7 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
*
* @author Roland Gruber
*/
-class YubicoProvider implements TwoFactorProvider {
-
- private $config;
+class YubicoProvider extends BaseProvider {
/**
* Constructor.
@@ -311,6 +367,103 @@ class YubicoProvider implements TwoFactorProvider {
}
+/**
+ * Provider for DUO.
+ */
+class DuoProvider extends BaseProvider {
+
+ /**
+ * Constructor.
+ *
+ * @param TwoFactorConfiguration $config configuration
+ */
+ public function __construct(&$config) {
+ $this->config = $config;
+ }
+
+ /**
+ * {@inheritDoc}
+ * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::getSerials()
+ */
+ public function getSerials($user, $password) {
+ return array('DUO');
+ }
+
+ /**
+ * {@inheritDoc}
+ * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::isShowSubmitButton()
+ */
+ public function isShowSubmitButton() {
+ return false;
+ }
+
+ /**
+ * {@inheritDoc}
+ * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::hasCustomInputForm()
+ */
+ public function hasCustomInputForm() {
+ return true;
+ }
+
+ /**
+ * {@inheritDoc}
+ * @see \LAM\LIB\TWO_FACTOR\BaseProvider::addCustomInput()
+ */
+ public function addCustomInput(&$row, $userDn) {
+ $loginAttribute = $this->getLoginAttributeValue($userDn);
+ $aKey = $this->getAKey();
+ include_once(__DIR__ . "/3rdParty/duo/Web.php");
+ $signedRequest = \Duo\Web::signRequest($this->config->twoFactorAuthenticationClientId,
+ $this->config->twoFactorAuthenticationSecretKey,
+ $aKey,
+ $loginAttribute);
+ if ($this->config->isSelfService) {
+ $row->add(new htmlScript("../lib/extra/duo/Duo-Web-v2.js", false, false), 12);
+ }
+ else {
+ $row->add(new htmlScript("lib/extra/duo/Duo-Web-v2.js", false, false), 12);
+ }
+ $iframe = new htmlIframe('duo_iframe');
+ $iframe->addDataAttribute('host', $this->config->twoFactorAuthenticationURL);
+ $iframe->addDataAttribute('sig-request', $signedRequest);
+ $row->add($iframe, 12);
+ }
+
+ /**
+ * Returns the aKey.
+ *
+ * @return String aKey
+ */
+ private function getAKey() {
+ if (empty($_SESSION['duo_akey'])) {
+ $_SESSION['duo_akey'] = generateRandomPassword(40);
+ }
+ return $_SESSION['duo_akey'];
+ }
+
+ /**
+ * {@inheritDoc}
+ * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::verify2ndFactor()
+ */
+ public function verify2ndFactor($user, $password, $serial, $twoFactorInput) {
+ logNewMessage(LOG_DEBUG, 'PrivacyIDEAProvider: Checking 2nd factor for ' . $user);
+ $loginAttribute = $this->getLoginAttributeValue($user);
+ $response = $_POST['sig_response'];
+ include_once(__DIR__ . "/3rdParty/duo/Web.php");
+ $result = \Duo\Web::verifyResponse(
+ $this->config->twoFactorAuthenticationClientId,
+ $this->config->twoFactorAuthenticationSecretKey,
+ $this->getAKey(),
+ $response);
+ if ($result === $loginAttribute) {
+ return true;
+ }
+ logNewMessage(LOG_ERR, 'DUO authentication failed');
+ return false;
+ }
+
+}
+
/**
* Returns the correct 2 factor provider.
*/
@@ -322,6 +475,8 @@ class TwoFactorProviderService {
const TWO_FACTOR_PRIVACYIDEA = 'privacyidea';
/** 2factor authentication via YubiKey */
const TWO_FACTOR_YUBICO = 'yubico';
+ /** 2factor authentication via DUO */
+ const TWO_FACTOR_DUO = 'duo';
private $config;
@@ -353,6 +508,9 @@ class TwoFactorProviderService {
elseif ($this->config->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_YUBICO) {
return new YubicoProvider($this->config);
}
+ elseif ($this->config->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_DUO) {
+ return new DuoProvider($this->config);
+ }
throw new \Exception('Invalid provider: ' . $this->config->twoFactorAuthentication);
}
@@ -364,6 +522,7 @@ class TwoFactorProviderService {
*/
private function getConfigSelfService(&$profile) {
$tfConfig = new TwoFactorConfiguration();
+ $tfConfig->isSelfService = true;
$tfConfig->twoFactorAuthentication = $profile->twoFactorAuthentication;
$tfConfig->twoFactorAuthenticationInsecure = $profile->twoFactorAuthenticationInsecure;
$tfConfig->twoFactorAuthenticationURL = $profile->twoFactorAuthenticationURL;
@@ -378,7 +537,8 @@ class TwoFactorProviderService {
$tfConfig->twoFactorAuthenticationSerialAttributeName = 'yubiKeyId';
}
}
- if ($tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA) {
+ if (($tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA)
+ || ($tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_DUO)) {
$attrName = $profile->twoFactorAuthenticationAttribute;
if (empty($attrName)) {
$attrName = 'uid';
@@ -396,6 +556,7 @@ class TwoFactorProviderService {
*/
private function getConfigAdmin($conf) {
$tfConfig = new TwoFactorConfiguration();
+ $tfConfig->isSelfService = false;
$tfConfig->twoFactorAuthentication = $conf->getTwoFactorAuthentication();
$tfConfig->twoFactorAuthenticationInsecure = $conf->getTwoFactorAuthenticationInsecure();
$tfConfig->twoFactorAuthenticationURL = $conf->getTwoFactorAuthenticationURL();
@@ -410,7 +571,8 @@ class TwoFactorProviderService {
$tfConfig->twoFactorAuthenticationSerialAttributeName = 'yubiKeyId';
}
}
- if ($tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA) {
+ if (($tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA)
+ || ($tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_DUO)) {
$tfConfig->twoFactorAuthenticationSerialAttributeName = strtolower($conf->getTwoFactorAuthenticationAttribute());
}
return $tfConfig;
@@ -425,6 +587,11 @@ class TwoFactorProviderService {
*/
class TwoFactorConfiguration {
+ /**
+ * @var bool is self service
+ */
+ public $isSelfService = false;
+
/**
* @var string provider id
*/
diff --git a/lam/lib/3rdParty/duo/Web.php b/lam/lib/3rdParty/duo/Web.php
new file mode 100644
index 00000000..b0622c7a
--- /dev/null
+++ b/lam/lib/3rdParty/duo/Web.php
@@ -0,0 +1,176 @@
+= intval($exp)) {
+ return null;
+ }
+
+ return $user;
+ }
+
+ public static function signRequest($ikey, $skey, $akey, $username, $time = null)
+ {
+ if (!isset($username) || strlen($username) === 0) {
+ return self::ERR_USER;
+ }
+ if (strpos($username, '|') !== false) {
+ return self::ERR_USER;
+ }
+ if (!isset($ikey) || strlen($ikey) !== self::IKEY_LEN) {
+ return self::ERR_IKEY;
+ }
+ if (!isset($skey) || strlen($skey) !== self::SKEY_LEN) {
+ return self::ERR_SKEY;
+ }
+ if (!isset($akey) || strlen($akey) < self::AKEY_LEN) {
+ return self::ERR_AKEY;
+ }
+
+ $vals = $username . '|' . $ikey;
+
+ $duo_sig = self::signVals($skey, $vals, self::DUO_PREFIX, self::DUO_EXPIRE, $time);
+ $app_sig = self::signVals($akey, $vals, self::APP_PREFIX, self::APP_EXPIRE, $time);
+
+ return $duo_sig . ':' . $app_sig;
+ }
+
+ public static function verifyResponse($ikey, $skey, $akey, $sig_response, $time = null)
+ {
+ list($auth_sig, $app_sig) = explode(':', $sig_response);
+
+ $auth_user = self::parseVals($skey, $auth_sig, self::AUTH_PREFIX, $ikey, $time);
+ $app_user = self::parseVals($akey, $app_sig, self::APP_PREFIX, $ikey, $time);
+
+ if ($auth_user !== $app_user) {
+ return null;
+ }
+
+ return $auth_user;
+ }
+
+ public static function initAuth($client, $ikey, $akey, $username, $enroll_only = false)
+ {
+ if (!isset($username) || strlen($username) === 0) {
+ return self::ERR_USER;
+ }
+ if (strpos($username, '|') !== false) {
+ return self::ERR_USER;
+ }
+ if (!isset($ikey) || strlen($ikey) !== self::IKEY_LEN) {
+ return self::ERR_IKEY;
+ }
+ if (!isset($akey) || strlen($akey) < self::AKEY_LEN) {
+ return self::ERR_AKEY;
+ }
+
+ $blob = $username . '|' . $ikey;
+ $signed_blob = self::signVals(
+ $akey,
+ $blob,
+ self::APP_PREFIX,
+ self::APP_EXPIRE,
+ null,
+ 'sha512'
+ );
+ $expire = time() + self::INIT_EXPIRE;
+ $client_version = self::LIBRARY_NAME . '/' . self::VERSION;
+
+ $response = $client->init(
+ $username,
+ $signed_blob,
+ $expire,
+ $client_version,
+ $enroll_only
+ );
+
+ return $response['response']['response']['txid'];
+ }
+
+ public static function verifyAuth($client, $ikey, $akey, $response_txid)
+ {
+ $response = $client->auth_response($response_txid);
+
+ $username = $response['response']['response']['uname'];
+ $signed_blob = $response['response']['response']['app_blob'];
+
+ $parsed_user = self::parseVals(
+ $akey,
+ $signed_blob,
+ self::APP_PREFIX,
+ $ikey,
+ null,
+ 'sha512'
+ );
+
+ if ($username !== $parsed_user) {
+ return null;
+ }
+
+ return $username;
+ }
+}
diff --git a/lam/lib/account.inc b/lam/lib/account.inc
index 9e36d88a..1c2f1b39 100644
--- a/lam/lib/account.inc
+++ b/lam/lib/account.inc
@@ -330,16 +330,17 @@ function pwd_is_enabled($hash) {
}
/**
- * Generates a random password with 12 digits.
+ * Generates a random password with 12 digits by default.
*
+ * @param int $length length of password (defaults to 12)
* @return String password
*/
-function generateRandomPassword() {
+function generateRandomPassword($length = 12) {
$list = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-_';
$password = '';
- $length = $_SESSION['cfgMain']->passwordMinLength;
- if ($length < 12) {
- $length = 12;
+ $minLength = $_SESSION['cfgMain']->passwordMinLength;
+ if ($minLength > $length) {
+ $length = $minLength;
}
for ($x = 0; $x < 10000; $x++) {
$password = '';
diff --git a/lam/lib/html.inc b/lam/lib/html.inc
index cd335f4f..e89e70a6 100644
--- a/lam/lib/html.inc
+++ b/lam/lib/html.inc
@@ -3715,6 +3715,42 @@ class htmlJavaScript extends htmlElement {
}
+/**
+ * Creates a iframe element.
+ *
+ * @package metaHTML
+ */
+class htmlIframe extends htmlElement {
+
+ /** HTML id */
+ private $id = null;
+
+ /**
+ * Constructor.
+ *
+ * @param String $content script
+ */
+ function __construct($id = null) {
+ $this->id = $id;
+ }
+
+ /**
+ * {@inheritDoc}
+ * @see htmlElement::generateHTML()
+ */
+ function generateHTML($module, $input, $values, $restricted, &$tabindex, $scope) {
+ $return = array();
+ $idAttr = '';
+ if (!empty($this->id)) {
+ $idAttr = ' id="' . $this->id . '"';
+ }
+ echo '';
+ return $return;
+ }
+
+}
+
/**
* Creates a Script element to integrate external JavaScript files.
*
diff --git a/lam/lib/security.inc b/lam/lib/security.inc
index bf9c717a..e417e6cf 100644
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@@ -687,7 +687,7 @@ function getSecurityTokenValue() {
function setLAMHeaders() {
if (!headers_sent()) {
header('X-Frame-Options: sameorigin');
- header('Content-Security-Policy: frame-ancestors \'self\'; form-action \'self\'; base-uri \'none\'; object-src \'none\'; frame-src \'self\'; worker-src \'self\'');
+ header('Content-Security-Policy: frame-ancestors \'self\'; form-action \'self\'; base-uri \'none\'; object-src \'none\'; frame-src \'self\' https://*.duosecurity.com; worker-src \'self\'');
header('X-Content-Type-Options: nosniff');
header('X-XSS-Protection: 1; mode=block');
}
diff --git a/lam/templates/config/confmain.php b/lam/templates/config/confmain.php
index ed87aa79..24c74135 100644
--- a/lam/templates/config/confmain.php
+++ b/lam/templates/config/confmain.php
@@ -461,6 +461,7 @@ if (extension_loaded('curl')) {
_('None') => TwoFactorProviderService::TWO_FACTOR_NONE,
'privacyIDEA' => TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA,
'YubiKey' => TwoFactorProviderService::TWO_FACTOR_YUBICO,
+ 'Duo' => TwoFactorProviderService::TWO_FACTOR_DUO,
);
$twoFactorSelect = new htmlResponsiveSelect('twoFactor', $twoFactorOptions, array($conf->getTwoFactorAuthentication()), _('Provider'), '514');
$twoFactorSelect->setHasDescriptiveElements(true);
@@ -469,12 +470,15 @@ if (extension_loaded('curl')) {
'twoFactorOptional', 'twoFactorCaption', 'twoFactorClientId', 'twoFactorSecretKey', 'twoFactorAttribute'),
TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA => array('twoFactorClientId', 'twoFactorSecretKey'),
TwoFactorProviderService::TWO_FACTOR_YUBICO => array('twoFactorAttribute'),
+ TwoFactorProviderService::TWO_FACTOR_DUO => array('twoFactorOptional', 'twoFactorInsecure'),
));
$twoFactorSelect->setTableRowsToShow(array(
TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA => array('twoFactorURL', 'twoFactorInsecure', 'twoFactorLabel',
'twoFactorOptional', 'twoFactorCaption', 'twoFactorAttribute'),
TwoFactorProviderService::TWO_FACTOR_YUBICO => array('twoFactorURL', 'twoFactorInsecure', 'twoFactorLabel',
'twoFactorOptional', 'twoFactorCaption', 'twoFactorClientId', 'twoFactorSecretKey'),
+ TwoFactorProviderService::TWO_FACTOR_DUO => array('twoFactorURL', 'twoFactorLabel',
+ 'twoFactorCaption', 'twoFactorClientId', 'twoFactorSecretKey', 'twoFactorAttribute'),
));
$row->add($twoFactorSelect, 12);
$twoFactorAttribute = new htmlResponsiveInputField(_("User name attribute"), 'twoFactorAttribute', $conf->getTwoFactorAuthenticationAttribute(), '528');
diff --git a/lam/templates/lib/extra/duo/Duo-Web-v2.js b/lam/templates/lib/extra/duo/Duo-Web-v2.js
new file mode 100644
index 00000000..3624c87c
--- /dev/null
+++ b/lam/templates/lib/extra/duo/Duo-Web-v2.js
@@ -0,0 +1,578 @@
+/**
+ * Duo Web SDK v2
+ * Copyright 2019, Duo Security
+ */
+
+(function (root, factory) {
+ /*eslint-disable */
+ if (typeof define === 'function' && define.amd) {
+ // AMD. Register as an anonymous module.
+ define([], factory);
+ /*eslint-enable */
+ } else if (typeof module === 'object' && module.exports) {
+ // Node. Does not work with strict CommonJS, but
+ // only CommonJS-like environments that support module.exports,
+ // like Node.
+ module.exports = factory();
+ } else {
+ // Browser globals (root is window)
+ var Duo = factory();
+ // If the Javascript was loaded via a script tag, attempt to autoload
+ // the frame.
+ Duo._onReady(Duo.init);
+
+ // Attach Duo to the `window` object
+ root.Duo = Duo;
+ }
+}(this, function() {
+ var DUO_MESSAGE_FORMAT = /^(?:AUTH|ENROLL)+\|[A-Za-z0-9\+\/=]+\|[A-Za-z0-9\+\/=]+$/;
+ var DUO_ERROR_FORMAT = /^ERR\|[\w\s\.\(\)]+$/;
+ var DUO_OPEN_WINDOW_FORMAT = /^DUO_OPEN_WINDOW\|/;
+ var VALID_OPEN_WINDOW_DOMAINS = [
+ 'duo.com',
+ 'duosecurity.com',
+ 'duomobile.s3-us-west-1.amazonaws.com'
+ ];
+
+ var postAction,
+ postArgument,
+ host,
+ sigRequest,
+ duoSig,
+ appSig,
+ iframe,
+ submitCallback;
+
+ // We use this function instead of setting initial values in the var
+ // declarations to make sure the initial values and subsequent
+ // re-initializations are always the same.
+ initializeStatefulVariables();
+
+ /**
+ * Set local variables to whatever they should be before you call init().
+ */
+ function initializeStatefulVariables() {
+ postAction = '';
+ postArgument = 'sig_response';
+ host = undefined;
+ sigRequest = undefined;
+ duoSig = undefined;
+ appSig = undefined;
+ iframe = undefined;
+ submitCallback = undefined;
+ }
+
+ function throwError(message, givenUrl) {
+ var url = (
+ givenUrl ||
+ 'https://www.duosecurity.com/docs/duoweb#3.-show-the-iframe'
+ );
+ throw new Error(
+ 'Duo Web SDK error: ' + message +
+ (url ? ('\n' + 'See ' + url + ' for more information') : '')
+ );
+ }
+
+ function hyphenize(str) {
+ return str.replace(/([a-z])([A-Z])/, '$1-$2').toLowerCase();
+ }
+
+ // cross-browser data attributes
+ function getDataAttribute(element, name) {
+ if ('dataset' in element) {
+ return element.dataset[name];
+ } else {
+ return element.getAttribute('data-' + hyphenize(name));
+ }
+ }
+
+ // cross-browser event binding/unbinding
+ function on(context, event, fallbackEvent, callback) {
+ if ('addEventListener' in window) {
+ context.addEventListener(event, callback, false);
+ } else {
+ context.attachEvent(fallbackEvent, callback);
+ }
+ }
+
+ function off(context, event, fallbackEvent, callback) {
+ if ('removeEventListener' in window) {
+ context.removeEventListener(event, callback, false);
+ } else {
+ context.detachEvent(fallbackEvent, callback);
+ }
+ }
+
+ function onReady(callback) {
+ on(document, 'DOMContentLoaded', 'onreadystatechange', callback);
+ }
+
+ function offReady(callback) {
+ off(document, 'DOMContentLoaded', 'onreadystatechange', callback);
+ }
+
+ function onMessage(callback) {
+ on(window, 'message', 'onmessage', callback);
+ }
+
+ function offMessage(callback) {
+ off(window, 'message', 'onmessage', callback);
+ }
+
+ /**
+ * Parse the sig_request parameter, throwing errors if the token contains
+ * a server error or if the token is invalid.
+ *
+ * @param {String} sig Request token
+ */
+ function parseSigRequest(sig) {
+ if (!sig) {
+ // nothing to do
+ return;
+ }
+
+ // see if the token contains an error, throwing it if it does
+ if (sig.indexOf('ERR|') === 0) {
+ throwError(sig.split('|')[1]);
+ }
+
+ // validate the token
+ if (sig.indexOf(':') === -1 || sig.split(':').length !== 2) {
+ throwError(
+ 'Duo was given a bad token. This might indicate a configuration ' +
+ 'problem with one of Duo\'s client libraries.'
+ );
+ }
+
+ var sigParts = sig.split(':');
+
+ // hang on to the token, and the parsed duo and app sigs
+ sigRequest = sig;
+ duoSig = sigParts[0];
+ appSig = sigParts[1];
+
+ return {
+ sigRequest: sig,
+ duoSig: sigParts[0],
+ appSig: sigParts[1]
+ };
+ }
+
+ /**
+ * Validate that a MessageEvent came from the Duo service, and that it
+ * is a properly formatted payload.
+ *
+ * The Google Chrome sign-in page injects some JS into pages that also
+ * make use of postMessage, so we need to do additional validation above
+ * and beyond the origin.
+ *
+ * @param {MessageEvent} event Message received via postMessage
+ */
+ function isDuoMessage(event) {
+ return Boolean(
+ event.origin === ('https://' + host) &&
+ typeof event.data === 'string' &&
+ (
+ event.data.match(DUO_MESSAGE_FORMAT) ||
+ event.data.match(DUO_ERROR_FORMAT) ||
+ event.data.match(DUO_OPEN_WINDOW_FORMAT)
+ )
+ );
+ }
+
+ /**
+ * Validate the request token and prepare for the iframe to become ready.
+ *
+ * All options below can be passed into an options hash to `Duo.init`, or
+ * specified on the iframe using `data-` attributes.
+ *
+ * Options specified using the options hash will take precedence over
+ * `data-` attributes.
+ *
+ * Example using options hash:
+ * ```javascript
+ * Duo.init({
+ * iframe: "some_other_id",
+ * host: "api-main.duo.test",
+ * sig_request: "...",
+ * post_action: "/auth",
+ * post_argument: "resp"
+ * });
+ * ```
+ *
+ * Example using `data-` attributes:
+ * ```html
+ *
+ * ```
+ *
+ * Some browsers (especially embedded browsers) don't like it when the Duo
+ * Web SDK changes the `src` attribute on the iframe. To prevent this, there
+ * is an alternative way to use the Duo Web SDK:
+ *
+ * Add a div (or any other container element) instead of an iframe to the
+ * DOM with an id of "duo_iframe", or pass that element to the
+ * `iframeContainer` parameter of `Duo.init`. An iframe will be created and
+ * inserted into that container element, preventing `src` change related
+ * bugs. WARNING: All other elements in the container will be deleted.
+ *
+ * The `iframeAttributes` parameter of `Duo.init` is available to set any
+ * attributes on the inserted iframe if the Duo Web SDK is inserting the
+ * iframe. For details, see the parameter documentation below.
+ *
+ * @param {Object} options
+ * @param {String} options.host - Hostname for the Duo Prompt.
+ * @param {String} options.sig_request - Request token.
+ * @param {String|HTMLElement} [options.iframe] - The iframe, or id of an
+ * iframe that will be used for the Duo Prompt. If you don't provide
+ * this or the `iframeContainer` parameter the Duo Web SDK will default
+ * to using whatever element has an id of "duo_iframe".
+ * @param {String|HTMLElement} [options.iframeContainer] - The element you
+ * want the Duo Prompt inserted into, or the id of that element.
+ * Anything inside this element will be deleted and replaced with an
+ * iframe hosting the Duo prompt. If you don't provide this or the
+ * `iframe` parameter the Duo Web SDK will default to using whatever
+ * element has an id of "duo_iframe".
+ * @param {Object} [options.iframeAttributes] - Object with names and
+ * values coresponding to attributes you want added to the Duo Prompt
+ * iframe, like `title`, `width` and `allow`. WARNING: this parameter
+ * only works if you use the `iframeContainer` parameter or add an id
+ * of "duo_iframe" to an element that isn't an iframe. If you have
+ * added an iframe to the DOM yourself, you should set those attributes
+ * directly on the iframe.
+ * @param {String} [options.post_action=''] - URL to POST back to after a
+ * successful auth.
+ * @param {String} [options.post_argument='sig_response'] - Parameter name
+ * to use for response token.
+ * @param {Function} [options.submit_callback] - If provided, the Duo Web
+ * SDK will not submit the form. Instead it will execute this callback
+ * function passing in a reference to the "duo_form" form object.
+ * `submit_callback`` can be used to prevent the webpage from reloading.
+ */
+ function init(options) {
+ // If init() is called more than once we have to reset all the local
+ // variables to ensure init() will work the same way every time. This
+ // helps people making single page applications. SPAs may periodically
+ // remove the iframe and add a new one that has to be initialized.
+ initializeStatefulVariables();
+
+ if (options) {
+ if (options.host) {
+ host = options.host;
+ }
+
+ if (options.sig_request) {
+ parseSigRequest(options.sig_request);
+ }
+
+ if (options.post_action) {
+ postAction = options.post_action;
+ }
+
+ if (options.post_argument) {
+ postArgument = options.post_argument;
+ }
+
+ if (typeof options.submit_callback === 'function') {
+ submitCallback = options.submit_callback;
+ }
+ }
+
+ var promptElement = getPromptElement(options);
+ if (promptElement) {
+ // If we can get the element that will host the prompt, set it.
+ ready(promptElement, options.iframeAttributes || {});
+ } else {
+ // If the element that will host the prompt isn't available yet, set
+ // it up after the DOM finishes loading.
+ asyncReady(options);
+ }
+
+ // always clean up after yourself!
+ offReady(init);
+ }
+
+ /**
+ * Given the options from init(), get the iframe or iframe container that
+ * should be used for the Duo Prompt. Returns `null` if nothing was found.
+ */
+ function getPromptElement(options) {
+ var result;
+
+ if (options.iframe && options.iframeContainer) {
+ throwError(
+ 'Passing both `iframe` and `iframeContainer` arguments at the' +
+ ' same time is not allowed.'
+ );
+ } else if (options.iframe) {
+ // If we are getting an iframe, try to get it and raise if the
+ // element we find is NOT an iframe.
+ result = getUserDefinedElement(options.iframe);
+ validateIframe(result);
+ } else if (options.iframeContainer) {
+ result = getUserDefinedElement(options.iframeContainer);
+ validateIframeContainer(result);
+ } else {
+ result = document.getElementById('duo_iframe');
+ }
+
+ return result;
+ }
+
+ /**
+ * When given an HTMLElement, return it. When given a string, get an element
+ * with that id, else return null.
+ */
+ function getUserDefinedElement(object) {
+ if (object.tagName) {
+ return object;
+ } else if (typeof object == 'string') {
+ return document.getElementById(object);
+ }
+ return null;
+ }
+
+ /**
+ * Check if the given thing is an iframe.
+ */
+ function isIframe(element) {
+ return (
+ element &&
+ element.tagName &&
+ element.tagName.toLowerCase() === 'iframe'
+ );
+ }
+
+ /**
+ * Throw an error if we are given an element that is NOT an iframe.
+ */
+ function validateIframe(element) {
+ if (element && !isIframe(element)) {
+ throwError(
+ '`iframe` only accepts an iframe element or the id of an' +
+ ' iframe. To use a non-iframe element, use the' +
+ ' `iframeContainer` argument.'
+ );
+ }
+ }
+
+ /**
+ * Throw an error if we are given an element that IS an iframe instead of an
+ * element that we can insert an iframe into.
+ */
+ function validateIframeContainer(element) {
+ if (element && isIframe(element)) {
+ throwError(
+ '`iframeContainer` only accepts a non-iframe element or the' +
+ ' id of a non-iframe. To use a non-iframe element, use the' +
+ ' `iframeContainer` argument on Duo.init().'
+ );
+ }
+ }
+
+ /**
+ * Generate the URL that goes to the Duo Prompt.
+ */
+ function generateIframeSrc() {
+ return [
+ 'https://', host, '/frame/web/v1/auth?tx=', duoSig,
+ '&parent=', encodeURIComponent(document.location.href),
+ '&v=2.8'
+ ].join('');
+ }
+
+ /**
+ * This function is called when a message was received from another domain
+ * using the `postMessage` API. Check that the event came from the Duo
+ * service domain, and that the message is a properly formatted payload,
+ * then perform the post back to the primary service.
+ *
+ * @param event Event object (contains origin and data)
+ */
+ function onReceivedMessage(event) {
+ if (isDuoMessage(event)) {
+ if (event.data.match(DUO_OPEN_WINDOW_FORMAT)) {
+ var url = event.data.substring("DUO_OPEN_WINDOW|".length);
+ if (isValidUrlToOpen(url)) {
+ // Open the URL that comes after the DUO_WINDOW_OPEN token.
+ window.open(url, "_self");
+ }
+ }
+ else {
+ // the event came from duo, do the post back
+ doPostBack(event.data);
+
+ // always clean up after yourself!
+ offMessage(onReceivedMessage);
+ }
+ }
+ }
+
+ /**
+ * Validate that this passed in URL is one that we will actually allow to
+ * be opened.
+ * @param url String URL that the message poster wants to open
+ * @returns {boolean} true if we allow this url to be opened in the window
+ */
+ function isValidUrlToOpen(url) {
+ if (!url) {
+ return false;
+ }
+
+ var parser = document.createElement('a');
+ parser.href = url;
+
+ if (parser.protocol === "duotrustedendpoints:") {
+ return true;
+ } else if (parser.protocol !== "https:") {
+ return false;
+ }
+
+ for (var i = 0; i < VALID_OPEN_WINDOW_DOMAINS.length; i++) {
+ if (parser.hostname.endsWith("." + VALID_OPEN_WINDOW_DOMAINS[i]) ||
+ parser.hostname === VALID_OPEN_WINDOW_DOMAINS[i]) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ /**
+ * Register a callback to call ready() after the DOM has loaded.
+ */
+ function asyncReady(options) {
+ var callback = function() {
+ var promptElement = getPromptElement(options);
+ if (!promptElement) {
+ throwError(
+ 'This page does not contain an iframe for Duo to use.' +
+ ' Add an element like' +
+ ' to this page.'
+ );
+ }
+
+ ready(promptElement, options.iframeAttributes || {});
+
+ // Always clean up after yourself.
+ offReady(callback)
+ };
+
+ onReady(callback);
+ }
+
+ /**
+ * Point the iframe at Duo, then wait for it to postMessage back to us.
+ */
+ function ready(promptElement, iframeAttributes) {
+ if (!host) {
+ host = getDataAttribute(promptElement, 'host');
+
+ if (!host) {
+ throwError(
+ 'No API hostname is given for Duo to use. Be sure to pass ' +
+ 'a `host` parameter to Duo.init, or through the `data-host` ' +
+ 'attribute on the iframe element.'
+ );
+ }
+ }
+
+ if (!duoSig || !appSig) {
+ parseSigRequest(getDataAttribute(promptElement, 'sigRequest'));
+
+ if (!duoSig || !appSig) {
+ throwError(
+ 'No valid signed request is given. Be sure to give the ' +
+ '`sig_request` parameter to Duo.init, or use the ' +
+ '`data-sig-request` attribute on the iframe element.'
+ );
+ }
+ }
+
+ // if postAction/Argument are defaults, see if they are specified
+ // as data attributes on the iframe
+ if (postAction === '') {
+ postAction = getDataAttribute(promptElement, 'postAction') || postAction;
+ }
+
+ if (postArgument === 'sig_response') {
+ postArgument = getDataAttribute(promptElement, 'postArgument') || postArgument;
+ }
+
+ if (isIframe(promptElement)) {
+ iframe = promptElement;
+ iframe.src = generateIframeSrc();
+ } else {
+ // If given a container to put an iframe in, clean out any children
+ // child elements in case `init()` was called more than once.
+ while (promptElement.firstChild) {
+ // We call `removeChild()` instead of doing `innerHTML = ""`
+ // to make sure we unbind any events.
+ promptElement.removeChild(promptElement.firstChild)
+ }
+
+ iframe = document.createElement('iframe');
+
+ // Set the src and all other attributes on the new iframe.
+ iframeAttributes['src'] = generateIframeSrc();
+ for (var name in iframeAttributes) {
+ iframe.setAttribute(name, iframeAttributes[name]);
+ }
+
+ promptElement.appendChild(iframe);
+ }
+
+ // listen for the 'message' event
+ onMessage(onReceivedMessage);
+ }
+
+ /**
+ * We received a postMessage from Duo. POST back to the primary service
+ * with the response token, and any additional user-supplied parameters
+ * given in form#duo_form.
+ */
+ function doPostBack(response) {
+ // create a hidden input to contain the response token
+ var input = document.createElement('input');
+ input.type = 'hidden';
+ input.name = postArgument;
+ input.value = response + ':' + appSig;
+
+ // user may supply their own form with additional inputs
+ var form = document.getElementById('duo_form');
+
+ // if the form doesn't exist, create one
+ if (!form) {
+ form = document.createElement('form');
+
+ // insert the new form after the iframe
+ iframe.parentElement.insertBefore(form, iframe.nextSibling);
+ }
+
+ // make sure we are actually posting to the right place
+ form.method = 'POST';
+ form.action = postAction;
+
+ // add the response token input to the form
+ form.appendChild(input);
+
+ // away we go!
+ if (typeof submitCallback === "function") {
+ submitCallback.call(null, form);
+ } else {
+ form.submit();
+ }
+ }
+
+ return {
+ init: init,
+ _onReady: onReady,
+ _parseSigRequest: parseSigRequest,
+ _isDuoMessage: isDuoMessage,
+ _doPostBack: doPostBack
+ };
+}));
diff --git a/lam/templates/login2Factor.php b/lam/templates/login2Factor.php
index 7088338b..30c00064 100644
--- a/lam/templates/login2Factor.php
+++ b/lam/templates/login2Factor.php
@@ -84,10 +84,10 @@ if (isset($_POST['logout'])) {
exit();
}
-if (isset($_POST['submit'])) {
- $twoFactorInput = $_POST['2factor'];
- $serial = $_POST['serial'];
- if (empty($twoFactorInput) || !in_array($serial, $serials)) {
+if (isset($_POST['submit']) || isset($_POST['sig_response'])) {
+ $twoFactorInput = isset($_POST['2factor']) ? $_POST['2factor'] : null;
+ $serial = isset($_POST['serial']) ? $_POST['serial'] : null;
+ if (!$provider->hasCustomInputForm() && (empty($twoFactorInput) || !in_array($serial, $serials))) {
$errorMessage = _(sprintf('Please enter "%s".', $twoFactorLabel));
}
else {
@@ -148,21 +148,31 @@ echo $config->getTwoFactorAuthenticationCaption();
$row->add(new \htmlStatusMessage('ERROR', $errorMessage), 12);
$row->add(new htmlSpacer('1em', '1em'), 12);
}
- // serial
- $row->add(new htmlOutputText(_('Serial number')), 12, 12, 12, 'text-left');
- $serialSelect = new htmlSelect('serial', $serials);
- $row->add($serialSelect, 12);
- // token
- $row->add(new htmlOutputText($twoFactorLabel), 12, 12, 12, 'text-left');
- $twoFactorInput = new htmlInputField('2factor', '');
- $twoFactorInput->setFieldSize(null);
- $twoFactorInput->setIsPassword(true);
- $row->add($twoFactorInput, 12);
+
+ if (!$provider->hasCustomInputForm()) {
+ // serial
+ $row->add(new htmlOutputText(_('Serial number')), 12, 12, 12, 'text-left');
+ $serialSelect = new htmlSelect('serial', $serials);
+ $row->add($serialSelect, 12);
+ // token
+ $row->add(new htmlOutputText($twoFactorLabel), 12, 12, 12, 'text-left');
+ $twoFactorInput = new htmlInputField('2factor', '');
+ $twoFactorInput->setFieldSize(null);
+ $twoFactorInput->setIsPassword(true);
+ $row->add($twoFactorInput, 12);
+ }
+ else {
+ $provider->addCustomInput($row, $user);
+ }
+
+ // buttons
$row->add(new htmlSpacer('1em', '1em'), 12);
- $submit = new htmlButton('submit', _("Submit"));
- $submit->setCSSClasses(array('fullwidth'));
- $row->add($submit, 12, 12, 12, 'fullwidth');
- $row->add(new htmlSpacer('0.5em', '0.5em'), 12);
+ if ($provider->isShowSubmitButton()) {
+ $submit = new htmlButton('submit', _("Submit"));
+ $submit->setCSSClasses(array('fullwidth'));
+ $row->add($submit, 12, 12, 12, 'fullwidth');
+ $row->add(new htmlSpacer('0.5em', '0.5em'), 12);
+ }
$logout = new htmlButton('logout', _("Cancel"));
$logout->setCSSClasses(array('fullwidth'));
$row->add($logout, 12);