This commit is contained in:
Roland Gruber 2020-01-08 20:38:26 +01:00
parent 0990d61507
commit c29be12a9e
6 changed files with 25 additions and 10 deletions


@ -17,7 +17,7 @@ use \Webauthn\PublicKeyCredentialCreationOptions;
/* /*
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2017 - 2019 Roland Gruber Copyright (C) 2017 - 2020 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -549,6 +549,7 @@ class WebauthnProvider extends BaseProvider {
} }
$row->addVerticalSpacer('2rem'); $row->addVerticalSpacer('2rem');
$pathPrefix = $this->config->isSelfService ? '../' : ''; $pathPrefix = $this->config->isSelfService ? '../' : '';
$selfServiceParam = $this->config->isSelfService ? 'true' : 'false';
$row->add(new htmlImage($pathPrefix . '../graphics/webauthn.svg'), 12); $row->add(new htmlImage($pathPrefix . '../graphics/webauthn.svg'), 12);
$row->addVerticalSpacer('1rem'); $row->addVerticalSpacer('1rem');
$registerButton = new htmlButton('register_webauthn', _('Register new key')); $registerButton = new htmlButton('register_webauthn', _('Register new key'));
@ -570,7 +571,7 @@ class WebauthnProvider extends BaseProvider {
$errorMessageDiv->addDataAttribute('button', _('Ok')); $errorMessageDiv->addDataAttribute('button', _('Ok'));
$errorMessageDiv->addDataAttribute('title', _('Webauthn failed')); $errorMessageDiv->addDataAttribute('title', _('Webauthn failed'));
$row->add($errorMessageDiv, 12); $row->add($errorMessageDiv, 12);
$row->add(new htmlJavaScript('window.lam.webauthn.start(\'' . $pathPrefix . '\');'), 0); $row->add(new htmlJavaScript('window.lam.webauthn.start(\'' . $pathPrefix . '\', ' . $selfServiceParam . ');'), 0);
} }
/** /**
@ -594,7 +595,7 @@ class WebauthnProvider extends BaseProvider {
$userDn = $_SESSION['ldap']->getUserName(); $userDn = $_SESSION['ldap']->getUserName();
} }
else { else {
$userDn = $_SESSION['selfService_clientDN']; $userDn = lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService');
} }
$hasTokens = $webauthnManager->isRegistered($userDn); $hasTokens = $webauthnManager->isRegistered($userDn);
if (!$hasTokens) { if (!$hasTokens) {


@ -44,3 +44,4 @@
/nPosixGroup.inc /nPosixGroup.inc
/nPosixUser.inc /nPosixUser.inc
/bindDLZXfr.inc /bindDLZXfr.inc
/webauthn.inc


@ -3,7 +3,7 @@ use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
/* /*
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2006 - 2019 Roland Gruber Copyright (C) 2006 - 2020 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -452,6 +452,7 @@ class selfServiceProfile {
public $twoFactorAuthenticationClientId = ''; public $twoFactorAuthenticationClientId = '';
public $twoFactorAuthenticationSecretKey = ''; public $twoFactorAuthenticationSecretKey = '';
public $twoFactorAuthenticationAttribute = 'uid'; public $twoFactorAuthenticationAttribute = 'uid';
public $twoFactorAuthenticationDomain = '';
/** provider for captcha (-/google) */ /** provider for captcha (-/google) */
public $captchaProvider = '-'; public $captchaProvider = '-';
@ -512,6 +513,7 @@ class selfServiceProfile {
$this->twoFactorAuthenticationClientId = ''; $this->twoFactorAuthenticationClientId = '';
$this->twoFactorAuthenticationSecretKey = ''; $this->twoFactorAuthenticationSecretKey = '';
$this->twoFactorAuthenticationAttribute = 'uid'; $this->twoFactorAuthenticationAttribute = 'uid';
$this->twoFactorAuthenticationDomain = '';
$this->captchaProvider = '-'; $this->captchaProvider = '-';
$this->reCaptchaSiteKey = ''; $this->reCaptchaSiteKey = '';
$this->reCaptchaSecretKey = ''; $this->reCaptchaSecretKey = '';
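Review bot: The new property `public $twoFactorAuthenticationDomain = '';` has no doc comment, while the neighbouring `captchaProvider` line shows the file's style of documenting each setting. Since WebauthnManager::createRpEntry in this commit reads this value as the relying-party domain, a comment such as `/** domain used as WebAuthn relying party entry in self service */` would tell a maintainer why an empty default matters. The class and its reset method both extend beyond the two hunks shown.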


@ -185,7 +185,10 @@ class WebauthnManager {
private function createRpEntry($isSelfService) { private function createRpEntry($isSelfService) {
$pathPrefix = $isSelfService ? '../' : ''; $pathPrefix = $isSelfService ? '../' : '';
$icon = $pathPrefix . '../graphics/logo136.png'; $icon = $pathPrefix . '../graphics/logo136.png';
if (!$isSelfService) { if ($isSelfService) {
$domain = $_SESSION['selfServiceProfile']->twoFactorAuthenticationDomain;
}
else {
$domain = $_SESSION['config']->getTwoFactorAuthenticationDomain(); $domain = $_SESSION['config']->getTwoFactorAuthenticationDomain();
} }
return new PublicKeyCredentialRpEntity( return new PublicKeyCredentialRpEntity(
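Review bot: The self-service branch `$domain = $_SESSION['selfServiceProfile']->twoFactorAuthenticationDomain;` is passed straight into the relying-party entity, and the profile property added in this commit defaults to an empty string, so an unconfigured profile would register or verify credentials against an empty RP id. Registered credentials are bound to that id, so it would be better to reject an empty value up front, e.g. `if (empty($domain)) { throw new \InvalidArgumentException('Two-factor domain is not configured'); }` (or whatever error convention the rest of WebauthnManager uses, which is not visible here), rather than let the library construct an entity with it. The method's return statement continues past the end of the hunk.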


@ -1375,11 +1375,12 @@ window.lam.webauthn = window.lam.webauthn || {};
* Starts the webauthn process. * Starts the webauthn process.
* *
* @param prefix path prefix for Ajax endpoint * @param prefix path prefix for Ajax endpoint
* @param isSelfService runs as part of self service
*/ */
window.lam.webauthn.start = function(prefix) { window.lam.webauthn.start = function(prefix, isSelfService) {
jQuery(document).ready( jQuery(document).ready(
function() { function() {
window.lam.webauthn.run(prefix); window.lam.webauthn.run(prefix, isSelfService);
} }
); );
} }
@ -1388,8 +1389,9 @@ window.lam.webauthn.start = function(prefix) {
* Checks if the user is registered and starts login/registration. * Checks if the user is registered and starts login/registration.
* *
* @param prefix path prefix for Ajax endpoint * @param prefix path prefix for Ajax endpoint
* @param isSelfService runs as part of self service
*/ */
window.lam.webauthn.run = function(prefix) { window.lam.webauthn.run = function(prefix, isSelfService) {
jQuery('#btn_skip_webauthn').click(function () { jQuery('#btn_skip_webauthn').click(function () {
let form = jQuery("#2faform"); let form = jQuery("#2faform");
form.append('<input type="hidden" name="sig_response" value="skip"/>'); form.append('<input type="hidden" name="sig_response" value="skip"/>');
@ -1408,8 +1410,9 @@ window.lam.webauthn.run = function(prefix) {
jsonInput: '', jsonInput: '',
sec_token: token sec_token: token
}; };
const extraParam = isSelfService ? '&selfservice=true' : '';
jQuery.ajax({ jQuery.ajax({
url: prefix + 'misc/ajax.php?function=webauthn', url: prefix + 'misc/ajax.php?function=webauthn' + extraParam,
method: 'POST', method: 'POST',
data: data data: data
}) })
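Review bot: `const extraParam = isSelfService ? '&selfservice=true' : '';` makes self-service mode a client-chosen query parameter on the Ajax call, and Ajax::manageWebauthn in this commit selects which session value identifies the user from that flag; how ajax.php derives `$isSelfService` from the request is outside this diff, so if it comes straight from the query string the endpoint should instead decide from its own session state and treat the parameter as informational only. Both session values are server-side, so the practical impact is limited to which of a caller's own sessions is consulted, but it is still a decision the server should own. On the documentation side the new JSDoc lines `@param isSelfService runs as part of self service` would read better with a type, `@param {boolean} isSelfService true when running inside self service`, matching the value PHP emits as a bare literal.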


@ -202,7 +202,12 @@ class Ajax {
*/ */
private function manageWebauthn($isSelfService) { private function manageWebauthn($isSelfService) {
include_once __DIR__ . '/../../lib/webauthn.inc'; include_once __DIR__ . '/../../lib/webauthn.inc';
$userDN = $_SESSION['ldap']->getUserName(); if ($isSelfService) {
$userDN = lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService');
}
else {
$userDN = $_SESSION['ldap']->getUserName();
}
$webauthnManager = new WebauthnManager(); $webauthnManager = new WebauthnManager();
$isRegistered = $webauthnManager->isRegistered($userDN); $isRegistered = $webauthnManager->isRegistered($userDN);
if (!$isRegistered) { if (!$isRegistered) {
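Review bot: The new branch names the variable `$userDN` while the equivalent code added to WebauthnProvider in the same commit uses `$userDn`, so the two copies of the same logic now differ in spelling as well as location; settling on one name (the surrounding file's existing `$userDN` seems the safer choice here) keeps a later search-and-replace from missing one. The rest of manageWebauthn runs past the end of the hunk.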