From c475c66d6089fa343a6caea5d477f0ac2cbefb8f Mon Sep 17 00:00:00 2001
From: Roland Gruber <post@rolandgruber.de>
Date: Sat, 11 Feb 2017 22:07:38 +0100
Subject: [PATCH] 2-factor

---
 lam/lib/2factor.inc            |   9 --
 lam/templates/login.php        |   8 ++
 lam/templates/login2Factor.php | 241 +++++++++++++++++++++++++++++++++
 3 files changed, 249 insertions(+), 9 deletions(-)
 create mode 100644 lam/templates/login2Factor.php

diff --git a/lam/lib/2factor.inc b/lam/lib/2factor.inc
index 75a20681..053a472c 100644
--- a/lam/lib/2factor.inc
+++ b/lam/lib/2factor.inc
@@ -270,10 +270,7 @@ class TwoFactorProviderService {
 	private function getConfigSelfService(&$profile) {
 		$config = new TwoFactorConfiguration();
 		$config->twoFactorAuthentication = $profile->twoFactorAuthentication;
-		$config->twoFactorAuthenticationCaption = $profile->twoFactorAuthenticationCaption;
 		$config->twoFactorAuthenticationInsecure = $profile->twoFactorAuthenticationInsecure;
-		$config->twoFactorAuthenticationLabel = $profile->twoFactorAuthenticationLabel;
-		$config->twoFactorAuthenticationOptional = $profile->twoFactorAuthenticationOptional;
 		$config->twoFactorAuthenticationURL = $profile->twoFactorAuthenticationURL;
 		return $config;
 	}
@@ -287,10 +284,7 @@ class TwoFactorProviderService {
 	private function getConfigAdmin($conf) {
 		$config = new TwoFactorConfiguration();
 		$config->twoFactorAuthentication = $conf->getTwoFactorAuthentication();
-		$config->twoFactorAuthenticationCaption = $conf->getTwoFactorAuthenticationCaption();
 		$config->twoFactorAuthenticationInsecure = $conf->getTwoFactorAuthenticationInsecure();
-		$config->twoFactorAuthenticationLabel = $conf->getTwoFactorAuthenticationLabel();
-		$config->twoFactorAuthenticationOptional = $conf->getTwoFactorAuthenticationOptional();
 		$config->twoFactorAuthenticationURL = $conf->getTwoFactorAuthenticationURL();
 		return $config;
 	}
@@ -306,7 +300,4 @@ class TwoFactorConfiguration {
 	public $twoFactorAuthentication = null;
 	public $twoFactorAuthenticationURL = null;
 	public $twoFactorAuthenticationInsecure = false;
-	public $twoFactorAuthenticationLabel = null;
-	public $twoFactorAuthenticationOptional = false;
-	public $twoFactorAuthenticationCaption = '';
 }
diff --git a/lam/templates/login.php b/lam/templates/login.php
index 2d8d8b40..78ccc312 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@@ -326,6 +326,14 @@ function display_LoginPage($config_object, $cfgMain) {
 			StatusMessage("INFO", _("Your settings were successfully saved."), htmlspecialchars($_GET['selfserviceSaveOk']));
 			echo "<br>";
 		}
+		if (isset($_GET['2factor']) && ($_GET['2factor'] == 'error')) {
+			StatusMessage('ERROR', _("Unable to start 2-factor authentication."));
+			echo "<br>";
+		}
+		elseif (isset($_GET['2factor']) && ($_GET['2factor'] == 'noToken')) {
+			StatusMessage('ERROR', _("Unable to start 2-factor authentication because no tokens were found."));
+			echo "<br>";
+		}
 		if (!empty($config_object)) {
 		?>
 		<br><br>
diff --git a/lam/templates/login2Factor.php b/lam/templates/login2Factor.php
new file mode 100644
index 00000000..f3d63932
--- /dev/null
+++ b/lam/templates/login2Factor.php
@@ -0,0 +1,241 @@
+<?php
+namespace LAM\LOGIN;
+use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
+use \htmlResponsiveRow;
+use \htmlGroup;
+use \htmlOutputText;
+use \htmlSpacer;
+use \htmlSelect;
+use \htmlInputField;
+use \htmlButton;
+/*
+$Id$
+
+  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
+  Copyright (C) 2017  Roland Gruber
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 2 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+*/
+
+/**
+* This page redirects to the correct start page after checking 2nd factor.
+*
+* @package main
+* @author Roland Gruber
+*/
+
+/** config object */
+include_once '../lib/config.inc';
+
+// start session
+startSecureSession();
+
+setlanguage();
+
+$config = $_SESSION['config'];
+$ldap = $_SESSION['ldap'];
+$credentials = $ldap->decrypt_login();
+$password = $credentials[1];
+$user = $_SESSION['user2factor'];
+if (get_preg($user, 'dn')) {
+	$user = extractRDNValue($user);
+}
+
+// get serials
+try {
+	$service = new TwoFactorProviderService($config);
+	$provider = $service->getProvider();
+	$serials = $provider->getSerials($user, $password);
+}
+catch (\Exception $e) {
+	logNewMessage(LOG_ERR, 'Unable to get 2-factor serials for ' . $user . ' ' . $e->getMessage());
+	metaRefresh("login.php?2factor=error");
+	die();
+}
+
+$twoFactorLabel = empty($config->getTwoFactorAuthenticationLabel()) ? _('PIN+Token') : $config->getTwoFactorAuthenticationLabel();
+
+if (sizeof($serials) == 0) {
+	if ($config->getTwoFactorAuthenticationOptional()) {
+		unset($_SESSION['2factorRequired']);
+		unset($_SESSION['user2factor']);
+		metaRefresh("main.php");
+		die();
+	}
+	else {
+		metaRefresh("login.php?2factor=noToken");
+		die();
+	}
+}
+
+if (isset($_POST['logout'])) {
+	// destroy session
+	session_destroy();
+	unset($_SESSION);
+	// redirect to login page
+	metaRefresh("login.php");
+	exit();
+}
+
+if (isset($_POST['submit'])) {
+	$twoFactorInput = $_POST['2factor'];
+	$serial = $_POST['serial'];
+	if (empty($twoFactorInput) || !in_array($serial, $serials)) {
+		$errorMessage = _(sprintf('Please enter "%s".', $twoFactorLabel));
+	}
+	else {
+		$twoFactorValid = false;
+		try {
+			$twoFactorValid = $provider->verify2ndFactor($user, $password, $serial, $twoFactorInput);
+		}
+		catch (\Exception $e) {
+			logNewMessage(LOG_WARNING, '2-factor verification failed: ' . $e->getMessage());
+		}
+		if ($twoFactorValid) {
+			unset($_SESSION['2factorRequired']);
+			unset($_SESSION['user2factor']);
+			metaRefresh("main.php");
+			die();
+		}
+		else {
+			$errorMessage = _(sprintf('Verification failed.', $twoFactorLabel));
+		}
+	}
+}
+
+?>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html class="no-js">
+<head>
+<meta http-equiv="content-type" content="text/html; charset=UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta http-equiv="pragma" content="no-cache">
+		<meta http-equiv="cache-control" content="no-cache">
+	<title><?php echo _("Login"); ?></title>
+	<link rel="stylesheet" type="text/css" href="../style/responsive/105_normalize.css">
+	<link rel="stylesheet" type="text/css" href="../style/responsive/110_foundation.css">
+	<?php
+		// include all CSS files
+		$cssDirName = dirname(__FILE__) . '/../style';
+		$cssDir = dir($cssDirName);
+		$cssFiles = array();
+		$cssEntry = $cssDir->read();
+		while ($cssEntry !== false) {
+			if (substr($cssEntry, strlen($cssEntry) - 4, 4) == '.css') {
+				$cssFiles[] = $cssEntry;
+			}
+			$cssEntry = $cssDir->read();
+		}
+		sort($cssFiles);
+		foreach ($cssFiles as $cssEntry) {
+			echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"../style/" . $cssEntry . "\">\n";
+		}
+		if (isset($profile->additionalCSS) && ($profile->additionalCSS != '')) {
+			$CSSlinks = explode("\n", $profile->additionalCSS);
+			for ($i = 0; $i < sizeof($CSSlinks); $i++) {
+				$CSSlinks[$i] = trim($CSSlinks[$i]);
+				if ($CSSlinks[$i] == '') {
+					continue;
+				}
+				echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"" . $CSSlinks[$i] . "\">\n";
+			}
+		}
+	?>
+</head>
+<body class="admin">
+<?php
+
+// include all JavaScript files
+$jsDirName = dirname(__FILE__) . '/lib';
+$jsDir = dir($jsDirName);
+$jsFiles = array();
+while ($jsEntry = $jsDir->read()) {
+	if (substr($jsEntry, strlen($jsEntry) - 3, 3) != '.js') continue;
+	$jsFiles[] = $jsEntry;
+}
+sort($jsFiles);
+foreach ($jsFiles as $jsEntry) {
+	echo "<script type=\"text/javascript\" src=\"lib/" . $jsEntry . "\"></script>\n";
+}
+?>
+
+	<script type="text/javascript" src="lib/extra/responsive/200_modernizr.js"></script>
+	<script type="text/javascript" src="lib/extra/responsive/250_foundation.js"></script>
+	<table border=0 width="100%" class="lamHeader ui-corner-all">
+		<tr>
+			<td align="left" height="30">
+				<a class="lamLogo" href="http://www.ldap-account-manager.org/" target="new_window">LDAP Account Manager</a>
+			</td>
+		<td align="right" height=20>
+		</td>
+		</tr>
+	</table>
+
+	<br><br>
+
+	<form enctype="multipart/form-data" action="login2Factor.php" method="post" autocomplete="off">
+<?php
+echo $config->getTwoFactorAuthenticationCaption();
+
+?>
+	<div class="centeredTable">
+	<div class="roundedShadowBox limitWidth">
+<?php
+
+	$group = new htmlGroup();
+	$row = new htmlResponsiveRow();
+	// error
+	if (!empty($errorMessage)) {
+		$row->add(new \htmlStatusMessage('ERROR', $errorMessage), 12);
+		$row->add(new htmlSpacer('1em', '1em'), 12);
+	}
+	// serial
+	$row->add(new htmlOutputText(_('Serial number')), 12, 12, 12, 'text-left');
+	$serialSelect = new htmlSelect('serial', $serials);
+	$row->add($serialSelect, 12);
+	// token
+	$row->add(new htmlOutputText($twoFactorLabel), 12, 12, 12, 'text-left');
+	$twoFactorInput = new htmlInputField('2factor', '');
+	$twoFactorInput->setFieldSize(null);
+	$twoFactorInput->setIsPassword(true);
+	$row->add($twoFactorInput, 12);
+	$row->add(new htmlSpacer('1em', '1em'), 12);
+	$submit = new htmlButton('submit', _("Submit"));
+	$submit->setCSSClasses(array('fullwidth'));
+	$row->add($submit, 12, 12, 12, 'fullwidth');
+	$row->add(new htmlSpacer('0.5em', '0.5em'), 12);
+	$logout = new htmlButton('logout', _("Cancel"));
+	$logout->setCSSClasses(array('fullwidth'));
+	$row->add($logout, 12);
+	$group->addElement($row);
+
+	$tabindex = 1;
+	addSecurityTokenToMetaHTML($group);
+	parseHtml(null, $group, array(), false, $tabindex, 'user');
+
+?>
+	</div>
+	</div>
+	</form>
+	<br><br>
+
+	<script type="text/javascript">
+		$(document).foundation();
+		myElement = document.getElementsByName('2factor')[0];
+		myElement.focus();
+	</script>
+</body>
+</html>