From bf777b2e99bb1b15e0e37419870d26450d989761 Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Tue, 13 Aug 2019 17:03:30 +0200 Subject: [PATCH] Duo support --- lam/HISTORY | 4 +- lam/copyright | 27 + .../manual-sources/chapter-configuration.xml | 61 +- .../manual-sources/chapter-installation.xml | 2 +- lam/lib/2factor.inc | 184 +++++- lam/lib/3rdParty/duo/Web.php | 176 ++++++ lam/lib/account.inc | 11 +- lam/lib/html.inc | 36 ++ lam/lib/security.inc | 2 +- lam/templates/config/confmain.php | 4 + lam/templates/lib/extra/duo/Duo-Web-v2.js | 578 ++++++++++++++++++ lam/templates/login2Factor.php | 36 +- 12 files changed, 1066 insertions(+), 55 deletions(-) create mode 100644 lam/lib/3rdParty/duo/Web.php create mode 100644 lam/templates/lib/extra/duo/Duo-Web-v2.js diff --git a/lam/HISTORY b/lam/HISTORY index b770a043..92a90eef 100644 --- a/lam/HISTORY +++ b/lam/HISTORY @@ -1,6 +1,8 @@ September 2019 6.9 - Group account types can show member+owner count in list view - - 2-factor authentication: user name attribute for privacyIDEA can be specified + - 2-factor authentication: + -> Duo support + -> user name attribute for privacyIDEA can be specified - LAM Pro: -> New self service settings for login and main page footer diff --git a/lam/copyright b/lam/copyright index 200c8a6a..878733ed 100644 --- a/lam/copyright +++ b/lam/copyright 
@@ -389,6 +389,31 @@ D: permanent authorization for you to choose that version for the Library. +E: + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. The name of the author may not be used to endorse or promote products + derived from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + Programs and licenses with other licenses and/or authors than the main license and authors: 
@@ -410,6 +435,8 @@ templates/lib/*jquery-validationEngine-*.js B 2010 Cedric Dugas and Olivier Re style/150_jquery-validationEngine*.css B 2010 Cedric Dugas and Olivier Refalo templates/lib/extra/cropperjs B 2018 Chen Fengyuan style/600_cropper*.css B 2018 Chen Fengyuan +templates/lib/extra/duo/*.js E 2019 Duo Security +lib/3rdParty/duo/*.php E 2019 Duo Security templates/lib/600_jquery.magnific-popup.js B 2016 Dmitry Semenov style/610_magnific-popup.css B 2016 Dmitry Semenov style/responsive/105_normalize.css B Nicolas Gallagher and Jonathan Neal diff --git a/lam/docs/manual-sources/chapter-configuration.xml b/lam/docs/manual-sources/chapter-configuration.xml index 5a7c9c25..2feb52cc 100644 --- a/lam/docs/manual-sources/chapter-configuration.xml +++ b/lam/docs/manual-sources/chapter-configuration.xml @@ -625,6 +625,10 @@ YubiKey + + + Duo + Configuration options: @@ -639,7 +643,20 @@ User name attribute: please enter the LDAP attribute name - that contains the user ID (e.g. "uid") + that contains the user ID (e.g. "uid"). + + + + Optional: By default LAM will enforce to use a token and + reject users that did not setup one. You can set this check to + optional. But if a user has setup a token then this will always be + required. + + + + Disable certificate check: This should be used on + development instances only. It skips the certificate check when + connecting to verification server. 
@@ -664,15 +681,45 @@ Secret key: this is only required for YubiKey cloud. You can register here: https://upgrade.yubico.com/getapikey/ + + + Optional: By default LAM will enforce to use a token and + reject users that did not setup one. You can set this check to + optional. But if a user has setup a token then this will always be + required. + + + + Disable certificate check: This should be used on + development instances only. It skips the certificate check when + connecting to verification server. + - Optional: By default LAM will enforce to use a token and reject - users that did not setup one. You can set this check to optional. But - if a user has setup a token then this will always be required. + Duo: - Disable certificate check: This should be used on development - instances only. It skips the certificate check when connecting to - verification server. + This requires to register a new "Web SDK" application in your + Duo admin panel. + + + + User name attribute: please enter the LDAP attribute name + that contains the user ID (e.g. "uid"). + + + + Base URL: please enter the API-URL of your Duo instance + (e.g. api-12345.duosecurity.com). + + + + Client id: please enter your integration key. + + + + Secret key: please enter your secret key. + + diff --git a/lam/docs/manual-sources/chapter-installation.xml b/lam/docs/manual-sources/chapter-installation.xml index 19a72dde..45961773 100644 --- a/lam/docs/manual-sources/chapter-installation.xml +++ b/lam/docs/manual-sources/chapter-installation.xml @@ -596,7 +596,7 @@ intermediate release.
- 6.7 -> 6.8 + 6.7 -> 6.9 No actions required.
diff --git a/lam/lib/2factor.inc b/lam/lib/2factor.inc
index 417e6831..1d63d71a 100644
--- a/lam/lib/2factor.inc
+++ b/lam/lib/2factor.inc
@@ -2,6 +2,9 @@ namespace LAM\LIB\TWO_FACTOR;
 use \selfServiceProfile;
 use \LAMConfig;
+use \htmlScript;
+use \htmlInputField;
+use \htmlIframe;
 /* This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) 
@@ -53,14 +56,72 @@ interface TwoFactorProvider { */ public function verify2ndFactor($user, $password, $serial, $twoFactorInput); + /** + * Returns if the service has a custom input form. + * In this case the token field is not displayed. + * + * @return has custom input form + */ + public function hasCustomInputForm(); + + /** + * Adds the custom input fields to the form. + * + * @param htmlResponsiveRow $row row where to add the input fields + * @param string user DN + */ + public function addCustomInput(&$row, $userDn); +} + +/** + * Base class for 2-factor authentication providers. + * + * @author Roland Gruber + */ +abstract class BaseProvider implements TwoFactorProvider { + + protected $config; + + /** + * {@inheritDoc} + * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::hasCustomInputForm() + */ + public function hasCustomInputForm() { + return false; + } + + /** + * {@inheritDoc} + * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::addCustomInput() + */ + public function addCustomInput(&$row, $userDn) { + // must be filled by subclass if used + } + + /** + * Returns the value of the user attribute in LDAP. + * + * @param string $userDn user DN + * @return string user name + */ + protected function getLoginAttributeValue($userDn) { + $attrName = $this->config->twoFactorAuthenticationSerialAttributeName; + $userData = ldapGetDN($userDn, array($attrName)); + if (empty($userData[$attrName])) { + return null; + } + if (is_array($userData[$attrName])) { + return $userData[$attrName][0]; + } + return $userData[$attrName]; + } + } /** * Provider for privacyIDEA. */ -class PrivacyIDEAProvider implements TwoFactorProvider { - - private $config; +class PrivacyIDEAProvider extends BaseProvider { /** * Constructor. 
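Review bot: The docblocks on the new interface methods in 2factor.inc are incomplete: `hasCustomInputForm()` documents `@return has custom input form` with no type, and `addCustomInput()` documents `@param string user DN` without the `$userDn` name, so neither can be mapped by documentation tools or static analysis. Suggested lines: `@return bool true if the provider renders its own input fields (the generic token field is then omitted)` and `@param string $userDn user DN`. The promoted `BaseProvider::getLoginAttributeValue()` returns null when the attribute is absent from the LDAP entry, which every subclass that compares against that value has to handle, so its docblock should say `@return string|null first value of the configured attribute, null if the entry has none`. The empty `BaseProvider::addCustomInput()` default could also carry the interface's description instead of only the inline remark.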
@@ -82,24 +143,6 @@ class PrivacyIDEAProvider implements TwoFactorProvider { return $this->getSerialsForUser($loginAttribute, $token); } - /** - * Returns the value of the user attribute in LDAP. - * - * @param string $userDn user DN - * @return string user name - */ - private function getLoginAttributeValue($userDn) { - $attrName = $this->config->twoFactorAuthenticationSerialAttributeName; - $userData = ldapGetDN($userDn, array($attrName)); - if (empty($userData[$attrName])) { - return null; - } - if (is_array($userData[$attrName])) { - return $userData[$attrName][0]; - } - return $userData[$attrName]; - } - /** * {@inheritDoc} * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::verify2ndFactor() @@ -246,9 +289,7 @@ class PrivacyIDEAProvider implements TwoFactorProvider { * * @author Roland Gruber */ -class YubicoProvider implements TwoFactorProvider { - - private $config; +class YubicoProvider extends BaseProvider { /** * Constructor. 
@@ -311,6 +352,90 @@ class YubicoProvider implements TwoFactorProvider { } +/** + * Provider for DUO. + */ +class DuoProvider extends BaseProvider { + + /** + * Constructor. + * + * @param TwoFactorConfiguration $config configuration + */ + public function __construct(&$config) { + $this->config = $config; + } + + /** + * {@inheritDoc} + * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::getSerials() + */ + public function getSerials($user, $password) { + return array('DUO'); + } + + /** + * {@inheritDoc} + * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::hasCustomInputForm() + */ + public function hasCustomInputForm() { + return true; + } + + /** + * {@inheritDoc} + * @see \LAM\LIB\TWO_FACTOR\BaseProvider::addCustomInput() + */ + public function addCustomInput(&$row, $userDn) { + $loginAttribute = $this->getLoginAttributeValue($userDn); + $aKey = $this->getAKey(); + include_once(__DIR__ . "/3rdParty/duo/Web.php"); + $signedRequest = \Duo\Web::signRequest($this->config->twoFactorAuthenticationClientId, + $this->config->twoFactorAuthenticationSecretKey, + $aKey, + $loginAttribute); + $row->add(new htmlScript("lib/extra/duo/Duo-Web-v2.js", false, false), 12); + $iframe = new htmlIframe('duo_iframe'); + $iframe->addDataAttribute('host', $this->config->twoFactorAuthenticationURL); + $iframe->addDataAttribute('sig-request', $signedRequest); + $row->add($iframe, 12); + } + + /** + * Returns the aKey. + * + * @return String aKey + */ + private function getAKey() { + if (empty($_SESSION['duo_akey'])) { + $_SESSION['duo_akey'] = generateRandomPassword(40); + } + return $_SESSION['duo_akey']; + } + + /** + * {@inheritDoc} + * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::verify2ndFactor() + */ + public function verify2ndFactor($user, $password, $serial, $twoFactorInput) { + logNewMessage(LOG_DEBUG, 'PrivacyIDEAProvider: Checking 2nd factor for ' . $user); + $loginAttribute = $this->getLoginAttributeValue($user); + $response = $_POST['sig_response']; + include_once(__DIR__ . 
"/3rdParty/duo/Web.php"); + $result = \Duo\Web::verifyResponse( + $this->config->twoFactorAuthenticationClientId, + $this->config->twoFactorAuthenticationSecretKey, + $this->getAKey(), + $response); + if ($result === $loginAttribute) { + return true; + } + logNewMessage(LOG_ERR, 'DUO authentication failed'); + return false; + } + +} + /** * Returns the correct 2 factor provider. */ @@ -322,6 +447,8 @@ class TwoFactorProviderService { const TWO_FACTOR_PRIVACYIDEA = 'privacyidea'; /** 2factor authentication via YubiKey */ const TWO_FACTOR_YUBICO = 'yubico'; + /** 2factor authentication via DUO */ + const TWO_FACTOR_DUO = 'duo'; private $config; @@ -353,6 +480,9 @@ class TwoFactorProviderService { elseif ($this->config->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_YUBICO) { return new YubicoProvider($this->config); } + elseif ($this->config->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_DUO) { + return new DuoProvider($this->config); + } throw new \Exception('Invalid provider: ' . $this->config->twoFactorAuthentication); } @@ -378,7 +508,8 @@ class TwoFactorProviderService { $tfConfig->twoFactorAuthenticationSerialAttributeName = 'yubiKeyId'; } } - if ($tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA) { + if (($tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA) + || ($tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_DUO)) { $attrName = $profile->twoFactorAuthenticationAttribute; if (empty($attrName)) { $attrName = 'uid'; 
@@ -410,7 +541,8 @@ class TwoFactorProviderService { $tfConfig->twoFactorAuthenticationSerialAttributeName = 'yubiKeyId'; } } - if ($tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA) { + if (($tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA) + || ($tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_DUO)) { $tfConfig->twoFactorAuthenticationSerialAttributeName = strtolower($conf->getTwoFactorAuthenticationAttribute()); } return $tfConfig; diff --git a/lam/lib/3rdParty/duo/Web.php b/lam/lib/3rdParty/duo/Web.php new file mode 100644 index 00000000..b0622c7a --- /dev/null +++ b/lam/lib/3rdParty/duo/Web.php 
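Review bot: The provider check added in both hunks of TwoFactorProviderService (@@ -378 and @@ -410) duplicates the same two-term `==` comparison; expressing it once as a strict membership test reads better and avoids loose comparison, e.g. `if (in_array($tfConfig->twoFactorAuthentication, array(TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA, TwoFactorProviderService::TWO_FACTOR_DUO), true)) {`. Both methods containing the change start outside their hunks. A small private helper such as `usesLoginAttribute($providerName)` would keep the list of attribute-based providers in one place when the next provider is added.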
@@ -0,0 +1,176 @@ += intval($exp)) { + return null; + } + + return $user; + } + + public static function signRequest($ikey, $skey, $akey, $username, $time = null) + { + if (!isset($username) || strlen($username) === 0) { + return self::ERR_USER; + } + if (strpos($username, '|') !== false) { + return self::ERR_USER; + } + if (!isset($ikey) || strlen($ikey) !== self::IKEY_LEN) { + return self::ERR_IKEY; + } + if (!isset($skey) || strlen($skey) !== self::SKEY_LEN) { + return self::ERR_SKEY; + } + if (!isset($akey) || strlen($akey) < self::AKEY_LEN) { + return self::ERR_AKEY; + } + + $vals = $username . '|' . $ikey; + + $duo_sig = self::signVals($skey, $vals, self::DUO_PREFIX, self::DUO_EXPIRE, $time); + $app_sig = self::signVals($akey, $vals, self::APP_PREFIX, self::APP_EXPIRE, $time); + + return $duo_sig . ':' . $app_sig; + } + + public static function verifyResponse($ikey, $skey, $akey, $sig_response, $time = null) + { + list($auth_sig, $app_sig) = explode(':', $sig_response); + + $auth_user = self::parseVals($skey, $auth_sig, self::AUTH_PREFIX, $ikey, $time); + $app_user = self::parseVals($akey, $app_sig, self::APP_PREFIX, $ikey, $time); + + if ($auth_user !== $app_user) { + return null; + } + + return $auth_user; + } + + public static function initAuth($client, $ikey, $akey, $username, $enroll_only = false) + { + if (!isset($username) || strlen($username) === 0) { + return self::ERR_USER; + } + if (strpos($username, '|') !== false) { + return self::ERR_USER; + } + if (!isset($ikey) || strlen($ikey) !== self::IKEY_LEN) { + return self::ERR_IKEY; + } + if (!isset($akey) || strlen($akey) < self::AKEY_LEN) { + return self::ERR_AKEY; + } + + $blob = $username . '|' . $ikey; + $signed_blob = self::signVals( + $akey, + $blob, + self::APP_PREFIX, + self::APP_EXPIRE, + null, + 'sha512' + ); + $expire = time() + self::INIT_EXPIRE; + $client_version = self::LIBRARY_NAME . '/' . 
self::VERSION; + + $response = $client->init( + $username, + $signed_blob, + $expire, + $client_version, + $enroll_only + ); + + return $response['response']['response']['txid']; + } + + public static function verifyAuth($client, $ikey, $akey, $response_txid) + { + $response = $client->auth_response($response_txid); + + $username = $response['response']['response']['uname']; + $signed_blob = $response['response']['response']['app_blob']; + + $parsed_user = self::parseVals( + $akey, + $signed_blob, + self::APP_PREFIX, + $ikey, + null, + 'sha512' + ); + + if ($username !== $parsed_user) { + return null; + } + + return $username; + } +} diff --git a/lam/lib/account.inc b/lam/lib/account.inc index 9e36d88a..1c2f1b39 100644 --- a/lam/lib/account.inc +++ b/lam/lib/account.inc @@ -330,16 +330,17 @@ function pwd_is_enabled($hash) { } /** - * Generates a random password with 12 digits. + * Generates a random password with 12 digits by default. * + * @param int $length length of password (defaults to 12) * @return String password */ -function generateRandomPassword() { +function generateRandomPassword($length = 12) { $list = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-_'; $password = ''; - $length = $_SESSION['cfgMain']->passwordMinLength; - if ($length < 12) { - $length = 12; + $minLength = $_SESSION['cfgMain']->passwordMinLength; + if ($minLength > $length) { + $length = $minLength; } for ($x = 0; $x < 10000; $x++) { $password = ''; diff --git a/lam/lib/html.inc b/lam/lib/html.inc index cd335f4f..e89e70a6 100644 --- a/lam/lib/html.inc +++ b/lam/lib/html.inc 
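Review bot: The new `@param int $length length of password (defaults to 12)` in generateRandomPassword() understates what the parameter does: the body raises `$length` to `$_SESSION['cfgMain']->passwordMinLength` whenever that is larger, so callers such as DuoProvider::getAKey() get at least, not exactly, the requested length. Suggested wording: `@param int $length minimum password length; raised to the configured passwordMinLength if that is larger (defaults to 12)`. The character loop that builds the password continues outside the hunk.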
@@ -3715,6 +3715,42 @@ class htmlJavaScript extends htmlElement { } +/** + * Creates a iframe element. + * + * @package metaHTML + */ +class htmlIframe extends htmlElement { + + /** HTML id */ + private $id = null; + + /** + * Constructor. + * + * @param String $content script + */ + function __construct($id = null) { + $this->id = $id; + } + + /** + * {@inheritDoc} + * @see htmlElement::generateHTML() + */ + function generateHTML($module, $input, $values, $restricted, &$tabindex, $scope) { + $return = array(); + $idAttr = ''; + if (!empty($this->id)) { + $idAttr = ' id="' . $this->id . '"'; + } + echo ''; + return $return; + } + +} + /** * Creates a Script element to integrate external JavaScript files. * diff --git a/lam/lib/security.inc b/lam/lib/security.inc index bf9c717a..e417e6cf 100644 --- a/lam/lib/security.inc +++ b/lam/lib/security.inc @@ -687,7 +687,7 @@ function getSecurityTokenValue() { function setLAMHeaders() { if (!headers_sent()) { header('X-Frame-Options: sameorigin'); - header('Content-Security-Policy: frame-ancestors \'self\'; form-action \'self\'; base-uri \'none\'; object-src \'none\'; frame-src \'self\'; worker-src \'self\''); + header('Content-Security-Policy: frame-ancestors \'self\'; form-action \'self\'; base-uri \'none\'; object-src \'none\'; frame-src \'self\' https://*.duosecurity.com; worker-src \'self\''); header('X-Content-Type-Options: nosniff'); header('X-XSS-Protection: 1; mode=block'); } diff --git a/lam/templates/config/confmain.php b/lam/templates/config/confmain.php index ed87aa79..24c74135 100644 --- a/lam/templates/config/confmain.php +++ b/lam/templates/config/confmain.php 
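Review bot: The constructor docblock of the new htmlIframe class, `@param String $content script`, does not match its `$id` parameter and appears to be copied from htmlJavaScript; it should read `@param String $id HTML id of the iframe element`. The id is also concatenated into the attribute unescaped; the only caller in this commit passes the literal `'duo_iframe'`, but since htmlElement output is reused across templates, `$idAttr = ' id="' . htmlspecialchars($this->id) . '"';` would be the safer default. The generated tag itself is not visible in this rendering of the hunk, so the data attributes it emits cannot be reviewed here.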
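Review bot: The CSP change in setLAMHeaders() allows `https://*.duosecurity.com` in frame-src on every LAM response, not only when Duo is the configured provider or on the 2-factor login page. The prompt is loaded from the single host configured as twoFactorAuthenticationURL (passed as the iframe's `data-host` in 2factor.inc), so if that configuration is reachable from setLAMHeaders the directive could name that exact origin instead of the wildcard; whether it is reachable is not visible in this hunk. If the wildcard stays, a short comment above the header line, such as `// frame-src: the Duo Web SDK loads its prompt from the customer's api-*.duosecurity.com host`, records why it is there.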
@@ -461,6 +461,7 @@ if (extension_loaded('curl')) { _('None') => TwoFactorProviderService::TWO_FACTOR_NONE, 'privacyIDEA' => TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA, 'YubiKey' => TwoFactorProviderService::TWO_FACTOR_YUBICO, + 'Duo' => TwoFactorProviderService::TWO_FACTOR_DUO, ); $twoFactorSelect = new htmlResponsiveSelect('twoFactor', $twoFactorOptions, array($conf->getTwoFactorAuthentication()), _('Provider'), '514'); $twoFactorSelect->setHasDescriptiveElements(true); @@ -469,12 +470,15 @@ if (extension_loaded('curl')) { 'twoFactorOptional', 'twoFactorCaption', 'twoFactorClientId', 'twoFactorSecretKey', 'twoFactorAttribute'), TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA => array('twoFactorClientId', 'twoFactorSecretKey'), TwoFactorProviderService::TWO_FACTOR_YUBICO => array('twoFactorAttribute'), + TwoFactorProviderService::TWO_FACTOR_DUO => array('twoFactorOptional', 'twoFactorInsecure'), )); $twoFactorSelect->setTableRowsToShow(array( TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA => array('twoFactorURL', 'twoFactorInsecure', 'twoFactorLabel', 'twoFactorOptional', 'twoFactorCaption', 'twoFactorAttribute'), TwoFactorProviderService::TWO_FACTOR_YUBICO => array('twoFactorURL', 'twoFactorInsecure', 'twoFactorLabel', 'twoFactorOptional', 'twoFactorCaption', 'twoFactorClientId', 'twoFactorSecretKey'), + TwoFactorProviderService::TWO_FACTOR_DUO => array('twoFactorURL', 'twoFactorLabel', + 'twoFactorCaption', 'twoFactorClientId', 'twoFactorSecretKey', 'twoFactorAttribute'), )); $row->add($twoFactorSelect, 12); $twoFactorAttribute = new htmlResponsiveInputField(_("User name attribute"), 'twoFactorAttribute', $conf->getTwoFactorAuthenticationAttribute(), '528'); diff --git a/lam/templates/lib/extra/duo/Duo-Web-v2.js b/lam/templates/lib/extra/duo/Duo-Web-v2.js new file mode 100644 index 00000000..3624c87c --- /dev/null +++ b/lam/templates/lib/extra/duo/Duo-Web-v2.js 
@@ -0,0 +1,578 @@ +/** + * Duo Web SDK v2 + * Copyright 2019, Duo Security + */ + +(function (root, factory) { + /*eslint-disable */ + if (typeof define === 'function' && define.amd) { + // AMD. Register as an anonymous module. + define([], factory); + /*eslint-enable */ + } else if (typeof module === 'object' && module.exports) { + // Node. Does not work with strict CommonJS, but + // only CommonJS-like environments that support module.exports, + // like Node. + module.exports = factory(); + } else { + // Browser globals (root is window) + var Duo = factory(); + // If the Javascript was loaded via a script tag, attempt to autoload + // the frame. + Duo._onReady(Duo.init); + + // Attach Duo to the `window` object + root.Duo = Duo; + } +}(this, function() { + var DUO_MESSAGE_FORMAT = /^(?:AUTH|ENROLL)+\|[A-Za-z0-9\+\/=]+\|[A-Za-z0-9\+\/=]+$/; + var DUO_ERROR_FORMAT = /^ERR\|[\w\s\.\(\)]+$/; + var DUO_OPEN_WINDOW_FORMAT = /^DUO_OPEN_WINDOW\|/; + var VALID_OPEN_WINDOW_DOMAINS = [ + 'duo.com', + 'duosecurity.com', + 'duomobile.s3-us-west-1.amazonaws.com' + ]; + + var postAction, + postArgument, + host, + sigRequest, + duoSig, + appSig, + iframe, + submitCallback; + + // We use this function instead of setting initial values in the var + // declarations to make sure the initial values and subsequent + // re-initializations are always the same. + initializeStatefulVariables(); + + /** + * Set local variables to whatever they should be before you call init(). + */ + function initializeStatefulVariables() { + postAction = ''; + postArgument = 'sig_response'; + host = undefined; + sigRequest = undefined; + duoSig = undefined; + appSig = undefined; + iframe = undefined; + submitCallback = undefined; + } + + function throwError(message, givenUrl) { + var url = ( + givenUrl || + 'https://www.duosecurity.com/docs/duoweb#3.-show-the-iframe' + ); + throw new Error( + 'Duo Web SDK error: ' + message + + (url ? 
('\n' + 'See ' + url + ' for more information') : '') + ); + } + + function hyphenize(str) { + return str.replace(/([a-z])([A-Z])/, '$1-$2').toLowerCase(); + } + + // cross-browser data attributes + function getDataAttribute(element, name) { + if ('dataset' in element) { + return element.dataset[name]; + } else { + return element.getAttribute('data-' + hyphenize(name)); + } + } + + // cross-browser event binding/unbinding + function on(context, event, fallbackEvent, callback) { + if ('addEventListener' in window) { + context.addEventListener(event, callback, false); + } else { + context.attachEvent(fallbackEvent, callback); + } + } + + function off(context, event, fallbackEvent, callback) { + if ('removeEventListener' in window) { + context.removeEventListener(event, callback, false); + } else { + context.detachEvent(fallbackEvent, callback); + } + } + + function onReady(callback) { + on(document, 'DOMContentLoaded', 'onreadystatechange', callback); + } + + function offReady(callback) { + off(document, 'DOMContentLoaded', 'onreadystatechange', callback); + } + + function onMessage(callback) { + on(window, 'message', 'onmessage', callback); + } + + function offMessage(callback) { + off(window, 'message', 'onmessage', callback); + } + + /** + * Parse the sig_request parameter, throwing errors if the token contains + * a server error or if the token is invalid. + * + * @param {String} sig Request token + */ + function parseSigRequest(sig) { + if (!sig) { + // nothing to do + return; + } + + // see if the token contains an error, throwing it if it does + if (sig.indexOf('ERR|') === 0) { + throwError(sig.split('|')[1]); + } + + // validate the token + if (sig.indexOf(':') === -1 || sig.split(':').length !== 2) { + throwError( + 'Duo was given a bad token. This might indicate a configuration ' + + 'problem with one of Duo\'s client libraries.' 
+ ); + } + + var sigParts = sig.split(':'); + + // hang on to the token, and the parsed duo and app sigs + sigRequest = sig; + duoSig = sigParts[0]; + appSig = sigParts[1]; + + return { + sigRequest: sig, + duoSig: sigParts[0], + appSig: sigParts[1] + }; + } + + /** + * Validate that a MessageEvent came from the Duo service, and that it + * is a properly formatted payload. + * + * The Google Chrome sign-in page injects some JS into pages that also + * make use of postMessage, so we need to do additional validation above + * and beyond the origin. + * + * @param {MessageEvent} event Message received via postMessage + */ + function isDuoMessage(event) { + return Boolean( + event.origin === ('https://' + host) && + typeof event.data === 'string' && + ( + event.data.match(DUO_MESSAGE_FORMAT) || + event.data.match(DUO_ERROR_FORMAT) || + event.data.match(DUO_OPEN_WINDOW_FORMAT) + ) + ); + } + + /** + * Validate the request token and prepare for the iframe to become ready. + * + * All options below can be passed into an options hash to `Duo.init`, or + * specified on the iframe using `data-` attributes. + * + * Options specified using the options hash will take precedence over + * `data-` attributes. + * + * Example using options hash: + * ```javascript + * Duo.init({ + * iframe: "some_other_id", + * host: "api-main.duo.test", + * sig_request: "...", + * post_action: "/auth", + * post_argument: "resp" + * }); + * ``` + * + * Example using `data-` attributes: + * ```html + * + * ``` + * + * Some browsers (especially embedded browsers) don't like it when the Duo + * Web SDK changes the `src` attribute on the iframe. To prevent this, there + * is an alternative way to use the Duo Web SDK: + * + * Add a div (or any other container element) instead of an iframe to the + * DOM with an id of "duo_iframe", or pass that element to the + * `iframeContainer` parameter of `Duo.init`. 
An iframe will be created and + * inserted into that container element, preventing `src` change related + * bugs. WARNING: All other elements in the container will be deleted. + * + * The `iframeAttributes` parameter of `Duo.init` is available to set any + * attributes on the inserted iframe if the Duo Web SDK is inserting the + * iframe. For details, see the parameter documentation below. + * + * @param {Object} options + * @param {String} options.host - Hostname for the Duo Prompt. + * @param {String} options.sig_request - Request token. + * @param {String|HTMLElement} [options.iframe] - The iframe, or id of an + * iframe that will be used for the Duo Prompt. If you don't provide + * this or the `iframeContainer` parameter the Duo Web SDK will default + * to using whatever element has an id of "duo_iframe". + * @param {String|HTMLElement} [options.iframeContainer] - The element you + * want the Duo Prompt inserted into, or the id of that element. + * Anything inside this element will be deleted and replaced with an + * iframe hosting the Duo prompt. If you don't provide this or the + * `iframe` parameter the Duo Web SDK will default to using whatever + * element has an id of "duo_iframe". + * @param {Object} [options.iframeAttributes] - Object with names and + * values coresponding to attributes you want added to the Duo Prompt + * iframe, like `title`, `width` and `allow`. WARNING: this parameter + * only works if you use the `iframeContainer` parameter or add an id + * of "duo_iframe" to an element that isn't an iframe. If you have + * added an iframe to the DOM yourself, you should set those attributes + * directly on the iframe. + * @param {String} [options.post_action=''] - URL to POST back to after a + * successful auth. + * @param {String} [options.post_argument='sig_response'] - Parameter name + * to use for response token. + * @param {Function} [options.submit_callback] - If provided, the Duo Web + * SDK will not submit the form. 
Instead it will execute this callback + * function passing in a reference to the "duo_form" form object. + * `submit_callback`` can be used to prevent the webpage from reloading. + */ + function init(options) { + // If init() is called more than once we have to reset all the local + // variables to ensure init() will work the same way every time. This + // helps people making single page applications. SPAs may periodically + // remove the iframe and add a new one that has to be initialized. + initializeStatefulVariables(); + + if (options) { + if (options.host) { + host = options.host; + } + + if (options.sig_request) { + parseSigRequest(options.sig_request); + } + + if (options.post_action) { + postAction = options.post_action; + } + + if (options.post_argument) { + postArgument = options.post_argument; + } + + if (typeof options.submit_callback === 'function') { + submitCallback = options.submit_callback; + } + } + + var promptElement = getPromptElement(options); + if (promptElement) { + // If we can get the element that will host the prompt, set it. + ready(promptElement, options.iframeAttributes || {}); + } else { + // If the element that will host the prompt isn't available yet, set + // it up after the DOM finishes loading. + asyncReady(options); + } + + // always clean up after yourself! + offReady(init); + } + + /** + * Given the options from init(), get the iframe or iframe container that + * should be used for the Duo Prompt. Returns `null` if nothing was found. + */ + function getPromptElement(options) { + var result; + + if (options.iframe && options.iframeContainer) { + throwError( + 'Passing both `iframe` and `iframeContainer` arguments at the' + + ' same time is not allowed.' + ); + } else if (options.iframe) { + // If we are getting an iframe, try to get it and raise if the + // element we find is NOT an iframe. 
+ result = getUserDefinedElement(options.iframe); + validateIframe(result); + } else if (options.iframeContainer) { + result = getUserDefinedElement(options.iframeContainer); + validateIframeContainer(result); + } else { + result = document.getElementById('duo_iframe'); + } + + return result; + } + + /** + * When given an HTMLElement, return it. When given a string, get an element + * with that id, else return null. + */ + function getUserDefinedElement(object) { + if (object.tagName) { + return object; + } else if (typeof object == 'string') { + return document.getElementById(object); + } + return null; + } + + /** + * Check if the given thing is an iframe. + */ + function isIframe(element) { + return ( + element && + element.tagName && + element.tagName.toLowerCase() === 'iframe' + ); + } + + /** + * Throw an error if we are given an element that is NOT an iframe. + */ + function validateIframe(element) { + if (element && !isIframe(element)) { + throwError( + '`iframe` only accepts an iframe element or the id of an' + + ' iframe. To use a non-iframe element, use the' + + ' `iframeContainer` argument.' + ); + } + } + + /** + * Throw an error if we are given an element that IS an iframe instead of an + * element that we can insert an iframe into. + */ + function validateIframeContainer(element) { + if (element && isIframe(element)) { + throwError( + '`iframeContainer` only accepts a non-iframe element or the' + + ' id of a non-iframe. To use a non-iframe element, use the' + + ' `iframeContainer` argument on Duo.init().' + ); + } + } + + /** + * Generate the URL that goes to the Duo Prompt. + */ + function generateIframeSrc() { + return [ + 'https://', host, '/frame/web/v1/auth?tx=', duoSig, + '&parent=', encodeURIComponent(document.location.href), + '&v=2.8' + ].join(''); + } + + /** + * This function is called when a message was received from another domain + * using the `postMessage` API. 
Check that the event came from the Duo + * service domain, and that the message is a properly formatted payload, + * then perform the post back to the primary service. + * + * @param event Event object (contains origin and data) + */ + function onReceivedMessage(event) { + if (isDuoMessage(event)) { + if (event.data.match(DUO_OPEN_WINDOW_FORMAT)) { + var url = event.data.substring("DUO_OPEN_WINDOW|".length); + if (isValidUrlToOpen(url)) { + // Open the URL that comes after the DUO_WINDOW_OPEN token. + window.open(url, "_self"); + } + } + else { + // the event came from duo, do the post back + doPostBack(event.data); + + // always clean up after yourself! + offMessage(onReceivedMessage); + } + } + } + + /** + * Validate that this passed in URL is one that we will actually allow to + * be opened. + * @param url String URL that the message poster wants to open + * @returns {boolean} true if we allow this url to be opened in the window + */ + function isValidUrlToOpen(url) { + if (!url) { + return false; + } + + var parser = document.createElement('a'); + parser.href = url; + + if (parser.protocol === "duotrustedendpoints:") { + return true; + } else if (parser.protocol !== "https:") { + return false; + } + + for (var i = 0; i < VALID_OPEN_WINDOW_DOMAINS.length; i++) { + if (parser.hostname.endsWith("." + VALID_OPEN_WINDOW_DOMAINS[i]) || + parser.hostname === VALID_OPEN_WINDOW_DOMAINS[i]) { + return true; + } + } + return false; + } + + /** + * Register a callback to call ready() after the DOM has loaded. + */ + function asyncReady(options) { + var callback = function() { + var promptElement = getPromptElement(options); + if (!promptElement) { + throwError( + 'This page does not contain an iframe for Duo to use.' + + ' Add an element like' + + ' to this page.' + ); + } + + ready(promptElement, options.iframeAttributes || {}); + + // Always clean up after yourself. 
+ offReady(callback) + }; + + onReady(callback); + } + + /** + * Point the iframe at Duo, then wait for it to postMessage back to us. + */ + function ready(promptElement, iframeAttributes) { + if (!host) { + host = getDataAttribute(promptElement, 'host'); + + if (!host) { + throwError( + 'No API hostname is given for Duo to use. Be sure to pass ' + + 'a `host` parameter to Duo.init, or through the `data-host` ' + + 'attribute on the iframe element.' + ); + } + } + + if (!duoSig || !appSig) { + parseSigRequest(getDataAttribute(promptElement, 'sigRequest')); + + if (!duoSig || !appSig) { + throwError( + 'No valid signed request is given. Be sure to give the ' + + '`sig_request` parameter to Duo.init, or use the ' + + '`data-sig-request` attribute on the iframe element.' + ); + } + } + + // if postAction/Argument are defaults, see if they are specified + // as data attributes on the iframe + if (postAction === '') { + postAction = getDataAttribute(promptElement, 'postAction') || postAction; + } + + if (postArgument === 'sig_response') { + postArgument = getDataAttribute(promptElement, 'postArgument') || postArgument; + } + + if (isIframe(promptElement)) { + iframe = promptElement; + iframe.src = generateIframeSrc(); + } else { + // If given a container to put an iframe in, clean out any children + // child elements in case `init()` was called more than once. + while (promptElement.firstChild) { + // We call `removeChild()` instead of doing `innerHTML = ""` + // to make sure we unbind any events. + promptElement.removeChild(promptElement.firstChild) + } + + iframe = document.createElement('iframe'); + + // Set the src and all other attributes on the new iframe. + iframeAttributes['src'] = generateIframeSrc(); + for (var name in iframeAttributes) { + iframe.setAttribute(name, iframeAttributes[name]); + } + + promptElement.appendChild(iframe); + } + + // listen for the 'message' event + onMessage(onReceivedMessage); + } + + /** + * We received a postMessage from Duo. 
 POST back to the primary service
+ * with the response token, and any additional user-supplied parameters
+ * given in form#duo_form.
+ */
+ function doPostBack(response) {
+ // create a hidden input to contain the response token
+ var input = document.createElement('input');
+ input.type = 'hidden';
+ input.name = postArgument;
+ input.value = response + ':' + appSig;
+
+ // user may supply their own form with additional inputs
+ var form = document.getElementById('duo_form');
+
+ // if the form doesn't exist, create one
+ if (!form) {
+ form = document.createElement('form');
+
+ // insert the new form after the iframe
+ iframe.parentElement.insertBefore(form, iframe.nextSibling);
+ }
+
+ // make sure we are actually posting to the right place
+ form.method = 'POST';
+ form.action = postAction;
+
+ // add the response token input to the form
+ form.appendChild(input);
+
+ // away we go!
+ if (typeof submitCallback === "function") {
+ submitCallback.call(null, form);
+ } else {
+ form.submit();
+ }
+ }
+
+ return {
+ init: init,
+ _onReady: onReady,
+ _parseSigRequest: parseSigRequest,
+ _isDuoMessage: isDuoMessage,
+ _doPostBack: doPostBack
+ };
+}));
diff --git a/lam/templates/login2Factor.php b/lam/templates/login2Factor.php
index 7088338b..c1fa4916 100644
--- a/lam/templates/login2Factor.php
+++ b/lam/templates/login2Factor.php
@@ -84,10 +84,10 @@ if (isset($_POST['logout'])) {
 exit();
 }
-if (isset($_POST['submit'])) {
- $twoFactorInput = $_POST['2factor'];
- $serial = $_POST['serial'];
- if (empty($twoFactorInput) || !in_array($serial, $serials)) {
+if (isset($_POST['submit']) || isset($_POST['sig_response'])) {
+ $twoFactorInput = isset($_POST['2factor']) ? $_POST['2factor'] : null;
+ $serial = isset($_POST['serial']) ? $_POST['serial'] : null;
+ if (!$provider->hasCustomInputForm() && (empty($twoFactorInput) || !in_array($serial, $serials))) {
 $errorMessage = _(sprintf('Please enter "%s".', $twoFactorLabel));
 } else {
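Review bot: The `in_array($serial, $serials)` test on the new condition line keeps the loose comparison while `$serial` can now be `null` instead of a posted string, and a loose `null` compares equal to an empty-string entry in `$serials`; provided the serial list holds strings, `!in_array($serial, $serials, true)` makes the check accept only a serial that is actually in the list. For a provider with a custom input form the whole check is short-circuited, so the `else` branch (outside the hunk) has to treat a missing `$_POST['sig_response']` as a failed verification, because a request carrying only `submit` now reaches it with `$twoFactorInput === null`. `$_POST['sig_response']` is tested with `isset` but never read in the hunk, so presumably the provider reads it itself; a comment on the condition such as `// Duo posts back sig_response instead of submit; the provider validates it` would record why both keys are accepted. The handler block continues outside the hunk.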
@@ -148,16 +148,24 @@ echo $config->getTwoFactorAuthenticationCaption();
 $row->add(new \htmlStatusMessage('ERROR', $errorMessage), 12);
 $row->add(new htmlSpacer('1em', '1em'), 12);
 }
- // serial
- $row->add(new htmlOutputText(_('Serial number')), 12, 12, 12, 'text-left');
- $serialSelect = new htmlSelect('serial', $serials);
- $row->add($serialSelect, 12);
- // token
- $row->add(new htmlOutputText($twoFactorLabel), 12, 12, 12, 'text-left');
- $twoFactorInput = new htmlInputField('2factor', '');
- $twoFactorInput->setFieldSize(null);
- $twoFactorInput->setIsPassword(true);
- $row->add($twoFactorInput, 12);
+
+ if (!$provider->hasCustomInputForm()) {
+ // serial
+ $row->add(new htmlOutputText(_('Serial number')), 12, 12, 12, 'text-left');
+ $serialSelect = new htmlSelect('serial', $serials);
+ $row->add($serialSelect, 12);
+ // token
+ $row->add(new htmlOutputText($twoFactorLabel), 12, 12, 12, 'text-left');
+ $twoFactorInput = new htmlInputField('2factor', '');
+ $twoFactorInput->setFieldSize(null);
+ $twoFactorInput->setIsPassword(true);
+ $row->add($twoFactorInput, 12);
+ }
+ else {
+ $provider->addCustomInput($row, $user);
+ }
+
+ // buttons
 $row->add(new htmlSpacer('1em', '1em'), 12);
 $submit = new htmlButton('submit', _("Submit"));
 $submit->setCSSClasses(array('fullwidth'));
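Review bot: The generic `htmlButton('submit', ...)` after `// buttons` is still rendered when `$provider->hasCustomInputForm()` is true, so a user on the custom form can post `submit` without any `sig_response`; unless the provider's verification rejects an empty response (not visible here), wrapping the button in the same `if (!$provider->hasCustomInputForm())` guard, or letting `addCustomInput()` supply its own submit control, keeps the two submission paths distinct. Style: the new `}` / `else {` pair is split over two lines while the same file's handler at line 84 writes `} else {`; keep `} else {` on one line for consistency. The page code around this hunk continues outside it.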