From df09375be394484ac6756d81290d65d7ffddb260 Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Sun, 17 Nov 2019 21:38:57 +0100 Subject: [PATCH] webauthn
---
 lam-packaging/debian/copyright | 28 +++++++++++++ lam/copyright | 28 +++++++++++++ lam/graphics/webauthn.svg | 31 ++++++++++++++ lam/lib/2factor.inc | 74 +++++++++++++++++++++++++++++++++- 4 files changed, 160 insertions(+), 1 deletion(-) create mode 100644 lam/graphics/webauthn.svg
diff --git a/lam-packaging/debian/copyright b/lam-packaging/debian/copyright
index ca07053c..cafeac9d 100644
--- a/lam-packaging/debian/copyright
+++ b/lam-packaging/debian/copyright
@@ -415,6 +415,33 @@ E: (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +F: + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. +3. Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS +IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR +CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + Programs and licenses with other licenses and/or authors than the main license and authors: 
@@ -438,6 +465,7 @@ templates/lib/extra/cropperjs B 2018 Chen Fengyuan
 style/600_cropper*.css B 2018 Chen Fengyuan
 templates/lib/extra/duo/*.js E 2019 Duo Security
 lib/3rdParty/duo/*.php E 2019 Duo Security
+graphics/webauthn.svg F 2017 Duo Security, Inc.
 templates/lib/600_jquery.magnific-popup.js B 2016 Dmitry Semenov
 style/610_magnific-popup.css B 2016 Dmitry Semenov
 style/responsive/105_normalize.css B Nicolas Gallagher and Jonathan Neal
diff --git a/lam/copyright b/lam/copyright
index 0640e706..d2a46ec4 100644
--- a/lam/copyright
+++ b/lam/copyright
@@ -414,6 +414,33 @@ E: (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +F: + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. +3. Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS +IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR +CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + Programs and licenses with other licenses and/or authors than the main license and authors: 
@@ -437,6 +464,7 @@ templates/lib/extra/cropperjs B 2018 Chen Fengyuan style/600_cropper*.css B 2018 Chen Fengyuan templates/lib/extra/duo/*.js E 2019 Duo Security lib/3rdParty/duo/*.php E 2019 Duo Security +graphics/webauthn.svg F 2017 Duo Security, Inc. templates/lib/600_jquery.magnific-popup.js B 2016 Dmitry Semenov style/610_magnific-popup.css B 2016 Dmitry Semenov style/responsive/105_normalize.css B Nicolas Gallagher and Jonathan Neal diff --git a/lam/graphics/webauthn.svg b/lam/graphics/webauthn.svg new file mode 100644 index 00000000..d0bd06f4 --- /dev/null +++ b/lam/graphics/webauthn.svg @@ -0,0 +1,31 @@ + + + + shield + Created with Sketch. + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/lam/lib/2factor.inc b/lam/lib/2factor.inc index 55267b31..38733342 100644 --- a/lam/lib/2factor.inc +++ b/lam/lib/2factor.inc @@ -3,8 +3,8 @@ namespace LAM\LIB\TWO_FACTOR; use \selfServiceProfile; use \LAMConfig; use \htmlScript; -use \htmlInputField; use \htmlIframe; +use \htmlImage; /* This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) 
@@ -464,6 +464,76 @@ class DuoProvider extends BaseProvider {
 }
 
+/**
+ * Provider for Webauthn.
+ */
+class WebauthnProvider extends BaseProvider {
+
+ /**
+ * Constructor.
+ *
+ * @param TwoFactorConfiguration $config configuration
+ */
+ public function __construct(&$config) {
+ $this->config = $config;
+ }
+
+ /**
+ * {@inheritDoc}
+ * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::getSerials()
+ */
+ public function getSerials($user, $password) {
+ return array('WEBAUTHN');
+ }
+
+ /**
+ * {@inheritDoc}
+ * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::isShowSubmitButton()
+ */
+ public function isShowSubmitButton() {
+ return false;
+ }
+
+ /**
+ * {@inheritDoc}
+ * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::hasCustomInputForm()
+ */
+ public function hasCustomInputForm() {
+ return true;
+ }
+
+ /**
+ * {@inheritDoc}
+ * @see \LAM\LIB\TWO_FACTOR\BaseProvider::addCustomInput()
+ */
+ public function addCustomInput(&$row, $userDn) {
+ $pathPrefix = $this->config->isSelfService ? '../' : '';
+ $row->add(new htmlImage($pathPrefix . '../graphics/webauthn.svg'), 12);
+ }
+
+ /**
+ * {@inheritDoc}
+ * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::verify2ndFactor()
+ */
+ public function verify2ndFactor($user, $password, $serial, $twoFactorInput) {
+ logNewMessage(LOG_DEBUG, 'PrivacyIDEAProvider: Checking 2nd factor for ' . $user);
+ $loginAttribute = $this->getLoginAttributeValue($user);
+ $response = $_POST['sig_response'];
+ include_once(__DIR__ . "/3rdParty/duo/Web.php");
+ $result = \Duo\Web::verifyResponse(
+ $this->config->twoFactorAuthenticationClientId,
+ $this->config->twoFactorAuthenticationSecretKey,
+ $this->getAKey(),
+ $response);
+ if ($result === $loginAttribute) {
+ return true;
+ }
+ logNewMessage(LOG_ERR, 'DUO authentication failed');
+ return false;
+ }
+
+}
+
 /**
 * Returns the correct 2 factor provider.
 */
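Review bot: verify2ndFactor in WebauthnProvider performs no WebAuthn verification at all — it is a copy of the Duo flow, reading `$_POST['sig_response']` and calling `\Duo\Web::verifyResponse` with the Duo client id and secret key, so a login that succeeds under the 'webauthn' provider is really a Duo assertion, and the log lines still say `PrivacyIDEAProvider:` and `DUO authentication failed`. If this is a placeholder it should fail closed until a real implementation lands, e.g. `logNewMessage(LOG_ERR, 'WebauthnProvider: not implemented'); return false;`, rather than accepting Duo responses under a provider that the user and admin believe is WebAuthn. `$_POST['sig_response']` is also read without an `isset` guard, and `getAKey()` is not defined on this class — if it lives on DuoProvider rather than BaseProvider (both outside this hunk) the call is a fatal error at login time. addCustomInput only renders the shield image, so nothing is collected from the user for the server to verify, and its `$userDn` parameter is unused.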
@@ -477,6 +547,8 @@ class TwoFactorProviderService {
 const TWO_FACTOR_YUBICO = 'yubico';
 /** 2factor authentication via DUO */
 const TWO_FACTOR_DUO = 'duo';
+ /** 2factor authentication via webauthn */
+ const TWO_FACTOR_WEBAUTHN = 'webauthn';
 private $config;