webauthn

3 years ago · c29be12a9e
6 changed files with 25 additions and 10 deletions
--- a/lam/lib/2factor.inc
+++ b/lam/lib/2factor.inc
@ -17,7 +17,7 @@ use \Webauthn\PublicKeyCredentialCreationOptions;

 /*
  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2017 - 2019  Roland Gruber
+  Copyright (C) 2017 - 2020  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -549,6 +549,7 @@ class WebauthnProvider extends BaseProvider {
 		}
 		$row->addVerticalSpacer('2rem');
 		$pathPrefix = $this->config->isSelfService ? '../' : '';
+		$selfServiceParam = $this->config->isSelfService ? 'true' : 'false';
 		$row->add(new htmlImage($pathPrefix . '../graphics/webauthn.svg'), 12);
 		$row->addVerticalSpacer('1rem');
 		$registerButton = new htmlButton('register_webauthn', _('Register new key'));
@ -570,7 +571,7 @@ class WebauthnProvider extends BaseProvider {
 		$errorMessageDiv->addDataAttribute('button', _('Ok'));
 		$errorMessageDiv->addDataAttribute('title', _('Webauthn failed'));
 		$row->add($errorMessageDiv, 12);
-		$row->add(new htmlJavaScript('window.lam.webauthn.start(\'' . $pathPrefix . '\');'), 0);
+		$row->add(new htmlJavaScript('window.lam.webauthn.start(\'' . $pathPrefix . '\', ' . $selfServiceParam . ');'), 0);
 	}

 	/**
@ -594,7 +595,7 @@ class WebauthnProvider extends BaseProvider {
 			$userDn = $_SESSION['ldap']->getUserName();
 		}
 		else {
-			$userDn = $_SESSION['selfService_clientDN'];
+			$userDn = lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService');
 		}
 		$hasTokens = $webauthnManager->isRegistered($userDn);
 		if (!$hasTokens) {
--- a/lam/lib/modules/.gitignore
+++ b/lam/lib/modules/.gitignore
@ -44,3 +44,4 @@
 /nPosixGroup.inc
 /nPosixUser.inc
 /bindDLZXfr.inc
+/webauthn.inc
--- a/lam/lib/selfService.inc
+++ b/lam/lib/selfService.inc
@ -3,7 +3,7 @@ use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
 /*

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2006 - 2019  Roland Gruber
+  Copyright (C) 2006 - 2020  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -452,6 +452,7 @@ class selfServiceProfile {
 	public $twoFactorAuthenticationClientId = '';
 	public $twoFactorAuthenticationSecretKey = '';
 	public $twoFactorAuthenticationAttribute = 'uid';
+	public $twoFactorAuthenticationDomain = '';

 	/** provider for captcha (-/google) */
 	public $captchaProvider = '-';
@ -512,6 +513,7 @@ class selfServiceProfile {
 		$this->twoFactorAuthenticationClientId = '';
 		$this->twoFactorAuthenticationSecretKey = '';
 		$this->twoFactorAuthenticationAttribute = 'uid';
+		$this->twoFactorAuthenticationDomain = '';
 		$this->captchaProvider = '-';
 		$this->reCaptchaSiteKey = '';
 		$this->reCaptchaSecretKey = '';
--- a/lam/lib/webauthn.inc
+++ b/lam/lib/webauthn.inc
@ -185,7 +185,10 @@ class WebauthnManager {
 	private function createRpEntry($isSelfService) {
 		$pathPrefix = $isSelfService ? '../' : '';
 		$icon = $pathPrefix . '../graphics/logo136.png';
-		if (!$isSelfService) {
+		if ($isSelfService) {
+			$domain = $_SESSION['selfServiceProfile']->twoFactorAuthenticationDomain;
+		}
+		else {
 			$domain = $_SESSION['config']->getTwoFactorAuthenticationDomain();
 		}
 		return new PublicKeyCredentialRpEntity(
--- a/lam/templates/lib/500_lam.js
+++ b/lam/templates/lib/500_lam.js
@ -1375,11 +1375,12 @@ window.lam.webauthn = window.lam.webauthn || {};
 * Starts the webauthn process.
 *
 * @param prefix path prefix for Ajax endpoint
+ * @param isSelfService runs as part of self service
 */
-window.lam.webauthn.start = function(prefix) {
+window.lam.webauthn.start = function(prefix, isSelfService) {
 	jQuery(document).ready(
 		function() {
-			window.lam.webauthn.run(prefix);
+			window.lam.webauthn.run(prefix, isSelfService);
 		}
 	);
 }
@ -1388,8 +1389,9 @@ window.lam.webauthn.start = function(prefix) {
 * Checks if the user is registered and starts login/registration.
 *
 * @param prefix path prefix for Ajax endpoint
+ * @param isSelfService runs as part of self service
 */
-window.lam.webauthn.run = function(prefix) {
+window.lam.webauthn.run = function(prefix, isSelfService) {
 	jQuery('#btn_skip_webauthn').click(function () {
 		let form = jQuery("#2faform");
 		form.append('<input type="hidden" name="sig_response" value="skip"/>');
@ -1408,8 +1410,9 @@ window.lam.webauthn.run = function(prefix) {
 			jsonInput: '',
 			sec_token: token
 	};
+	const extraParam = isSelfService ? '&selfservice=true' : '';
 	jQuery.ajax({
-		url: prefix + 'misc/ajax.php?function=webauthn',
+		url: prefix + 'misc/ajax.php?function=webauthn' + extraParam,
 		method: 'POST',
 		data: data
 	})
--- a/lam/templates/misc/ajax.php
+++ b/lam/templates/misc/ajax.php
@ -202,7 +202,12 @@ class Ajax {
 	 */
 	private function manageWebauthn($isSelfService) {
 		include_once __DIR__ . '/../../lib/webauthn.inc';
-		$userDN = $_SESSION['ldap']->getUserName();
+		if ($isSelfService) {
+			$userDN = lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService');
+		}
+		else {
+			$userDN = $_SESSION['ldap']->getUserName();
+		}
 		$webauthnManager = new WebauthnManager();
 		$isRegistered = $webauthnManager->isRegistered($userDN);
 		if (!$isRegistered) {