From c29be12a9efb7aced4fe704fb7350eaac495f90e Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Wed, 8 Jan 2020 20:38:26 +0100
Subject: [PATCH] webauthn

---
 lam/lib/2factor.inc | 7 ++++---
 lam/lib/modules/.gitignore | 1 +
 lam/lib/selfService.inc | 4 +++-
 lam/lib/webauthn.inc | 5 ++++-
 lam/templates/lib/500_lam.js | 11 +++++++----
 lam/templates/misc/ajax.php | 7 ++++++-
 6 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/lam/lib/2factor.inc b/lam/lib/2factor.inc
index a23497bf..c04bf665 100644
--- a/lam/lib/2factor.inc
+++ b/lam/lib/2factor.inc
@@ -17,7 +17,7 @@ use \Webauthn\PublicKeyCredentialCreationOptions;
 /*
 
 This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2017 - 2019 Roland Gruber
+ Copyright (C) 2017 - 2020 Roland Gruber
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -549,6 +549,7 @@ class WebauthnProvider extends BaseProvider {
 }
 $row->addVerticalSpacer('2rem');
 $pathPrefix = $this->config->isSelfService ? '../' : '';
+ $selfServiceParam = $this->config->isSelfService ? 'true' : 'false';
 $row->add(new htmlImage($pathPrefix . '../graphics/webauthn.svg'), 12);
 $row->addVerticalSpacer('1rem');
 $registerButton = new htmlButton('register_webauthn', _('Register new key'));
@@ -570,7 +571,7 @@ class WebauthnProvider extends BaseProvider {
 $errorMessageDiv->addDataAttribute('button', _('Ok'));
 $errorMessageDiv->addDataAttribute('title', _('Webauthn failed'));
 $row->add($errorMessageDiv, 12);
- $row->add(new htmlJavaScript('window.lam.webauthn.start(\'' . $pathPrefix . '\');'), 0);
+ $row->add(new htmlJavaScript('window.lam.webauthn.start(\'' . $pathPrefix . '\', ' . $selfServiceParam . ');'), 0);
 }
 
 /**
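Review bot: The flag spliced into the inline script in the @@ -570 hunk is produced by a second ternary on `$this->config->isSelfService` (the @@ -549 hunk), which is a second place that has to stay in step with `$pathPrefix`; `$selfServiceParam = json_encode((bool) $this->config->isSelfService);` yields the same `true`/`false` literal and makes the JS-literal intent explicit. Both `$pathPrefix` and the flag are concatenated into a single-quoted JavaScript string without any escaping, which is safe only while both stay server-side constants, so that assumption deserves a comment on the `htmlJavaScript` line such as `// prefix and flag are server-side constants, safe to inline into JS`. The enclosing method begins and ends outside these hunks.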
@@ -594,7 +595,7 @@ class WebauthnProvider extends BaseProvider {
 $userDn = $_SESSION['ldap']->getUserName();
 }
 else {
- $userDn = $_SESSION['selfService_clientDN'];
+ $userDn = lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService');
 }
 $hasTokens = $webauthnManager->isRegistered($userDn);
 if (!$hasTokens) {
diff --git a/lam/lib/modules/.gitignore b/lam/lib/modules/.gitignore
index 4db515d8..4e8cabc6 100644
--- a/lam/lib/modules/.gitignore
+++ b/lam/lib/modules/.gitignore
@@ -44,3 +44,4 @@
 /nPosixGroup.inc
 /nPosixUser.inc
 /bindDLZXfr.inc
+/webauthn.inc
diff --git a/lam/lib/selfService.inc b/lam/lib/selfService.inc
index bbf379aa..7d8b63c9 100644
--- a/lam/lib/selfService.inc
+++ b/lam/lib/selfService.inc
@@ -3,7 +3,7 @@ use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
 /*
 
 This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2006 - 2019 Roland Gruber
+ Copyright (C) 2006 - 2020 Roland Gruber
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -452,6 +452,7 @@ class selfServiceProfile {
 public $twoFactorAuthenticationClientId = '';
 public $twoFactorAuthenticationSecretKey = '';
 public $twoFactorAuthenticationAttribute = 'uid';
+ public $twoFactorAuthenticationDomain = '';
 
 /** provider for captcha (-/google) */
 public $captchaProvider = '-';
@@ -512,6 +513,7 @@ class selfServiceProfile {
 $this->twoFactorAuthenticationClientId = '';
 $this->twoFactorAuthenticationSecretKey = '';
 $this->twoFactorAuthenticationAttribute = 'uid';
+ $this->twoFactorAuthenticationDomain = '';
 $this->captchaProvider = '-';
 $this->reCaptchaSiteKey = '';
 $this->reCaptchaSecretKey = '';
diff --git a/lam/lib/webauthn.inc b/lam/lib/webauthn.inc
index e396fec1..a41d0f34 100644
--- a/lam/lib/webauthn.inc
+++ b/lam/lib/webauthn.inc
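Review bot: In the @@ -594 hunk `$_SESSION['selfService_clientDN']` is read and decrypted without checking that it exists; if the self-service session has not established a client DN, `lamDecrypt` receives null and `isRegistered` is then queried with whatever it returns for that, so the registered-key check degrades silently instead of refusing. A guard in the else branch, `if (!isset($_SESSION['selfService_clientDN'])) { /* no self-service login in this session: treat as error, not as "no tokens" */ }`, would fail closed; what `isRegistered` and the `!$hasTokens` branch do with an empty DN is outside the hunk. The same `lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService')` expression is added to ajax.php in this commit, so a small shared helper returning the self-service user DN would keep the two call sites in step. The enclosing method starts and ends outside the hunk.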
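Review bot: The new `twoFactorAuthenticationDomain` property in the selfService.inc @@ -452 hunk carries no doc comment, while the neighbouring `captchaProvider` documents its allowed values; a reader cannot tell from the declaration whether this holds a bare hostname, an origin or a URL. Given that webauthn.inc's `createRpEntry` reads it as `$domain` in this same commit it is presumably the WebAuthn relying-party domain, so a comment such as `/** domain used as WebAuthn relying party id for self service (empty = not configured) */` would state both the format and the meaning of the empty default that the @@ -512 hunk assigns. Confirm the exact expected format against how `PublicKeyCredentialRpEntity` consumes it before wording the comment.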
@@ -185,7 +185,10 @@ class WebauthnManager {
 private function createRpEntry($isSelfService) {
 $pathPrefix = $isSelfService ? '../' : '';
 $icon = $pathPrefix . '../graphics/logo136.png';
- if (!$isSelfService) {
+ if ($isSelfService) {
+ $domain = $_SESSION['selfServiceProfile']->twoFactorAuthenticationDomain;
+ }
+ else {
 $domain = $_SESSION['config']->getTwoFactorAuthenticationDomain();
 }
 return new PublicKeyCredentialRpEntity(
diff --git a/lam/templates/lib/500_lam.js b/lam/templates/lib/500_lam.js
index 2d716ede..8b5b4d31 100644
--- a/lam/templates/lib/500_lam.js
+++ b/lam/templates/lib/500_lam.js
@@ -1375,11 +1375,12 @@ window.lam.webauthn = window.lam.webauthn || {};
 * Starts the webauthn process.
 *
 * @param prefix path prefix for Ajax endpoint
+ * @param isSelfService runs as part of self service
 */
-window.lam.webauthn.start = function(prefix) {
+window.lam.webauthn.start = function(prefix, isSelfService) {
 jQuery(document).ready(
 function() {
- window.lam.webauthn.run(prefix);
+ window.lam.webauthn.run(prefix, isSelfService);
 }
 );
 }
@@ -1388,8 +1389,9 @@ window.lam.webauthn.start = function(prefix) {
 * Checks if the user is registered and starts login/registration.
 *
 * @param prefix path prefix for Ajax endpoint
+ * @param isSelfService runs as part of self service
 */
-window.lam.webauthn.run = function(prefix) {
+window.lam.webauthn.run = function(prefix, isSelfService) {
 jQuery('#btn_skip_webauthn').click(function () {
 let form = jQuery("#2faform");
 form.append('');
@@ -1408,8 +1410,9 @@ window.lam.webauthn.run = function(prefix) {
 jsonInput: '',
 sec_token: token
 };
+ const extraParam = isSelfService ? '&selfservice=true' : '';
 jQuery.ajax({
- url: prefix + 'misc/ajax.php?function=webauthn',
+ url: prefix + 'misc/ajax.php?function=webauthn' + extraParam,
 method: 'POST',
 data: data
 })
diff --git a/lam/templates/misc/ajax.php b/lam/templates/misc/ajax.php
index 4e86477b..3dd9df2e 100644
--- a/lam/templates/misc/ajax.php
+++ b/lam/templates/misc/ajax.php
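Review bot: In the self-service branch of the @@ -185 hunk `$domain` is taken verbatim from `twoFactorAuthenticationDomain`, whose default in this commit is the empty string, so an unconfigured profile hands `''` to the relying-party entity; how `$domain` is passed to `PublicKeyCredentialRpEntity` is outside the hunk, but if the library treats a null id differently from an empty one (null commonly meaning "use the page's own origin"), the two branches may behave differently for the unset case depending on what `getTwoFactorAuthenticationDomain()` returns, which is not visible here. Normalising the profile value with `$domain = $_SESSION['selfServiceProfile']->twoFactorAuthenticationDomain ?: null;` (or the reverse, if the admin path yields `''`) would make both paths consistent. Because the relying-party id is what scopes which credentials a browser will offer, a comment on the method noting that changing this value invalidates keys registered under the previous id, e.g. `// RP id scopes registered keys: changing it orphans existing registrations`, would save operators a surprise.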
@@ -202,7 +202,12 @@ class Ajax {
 */
 private function manageWebauthn($isSelfService) {
 include_once __DIR__ . '/../../lib/webauthn.inc';
- $userDN = $_SESSION['ldap']->getUserName();
+ if ($isSelfService) {
+ $userDN = lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService');
+ }
+ else {
+ $userDN = $_SESSION['ldap']->getUserName();
+ }
 $webauthnManager = new WebauthnManager();
 $isRegistered = $webauthnManager->isRegistered($userDN);
 if (!$isRegistered) {
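Review bot: `$isSelfService` now selects which session value identifies the caller, and the JavaScript change in this commit transports that choice as a plain `selfservice=true` query parameter, so unless the caller of `manageWebauthn` (outside the hunk) derives the flag from the session rather than from the request, the client picks the identity source. Neither branch checks that its session key is present: if `$_SESSION['ldap']` is not set in a self-service session, `getUserName()` on null is a fatal error, and if `selfService_clientDN` is absent in an admin session, `lamDecrypt` is fed null and `isRegistered` is consulted for an empty DN instead of the request being refused. Each branch should fail closed, e.g. `if (!isset($_SESSION['selfService_clientDN'])) { /* no self-service login in this session: reject the request */ }` and the equivalent `isset($_SESSION['ldap'])` check, replying with an error in the same form the rest of `manageWebauthn` uses. The identical decrypt expression is added to 2factor.inc in this commit; a shared helper would keep the two in step. The rest of `manageWebauthn` lies outside the hunk.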