config = $config; } /** * {@inheritDoc} * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::getSerials() */ public function getSerials($user, $password) { logNewMessage(LOG_DEBUG, 'PrivacyIDEAProvider: Getting serials for ' . $user); $token = $this->authenticate($user, $password); return $this->getSerialsForUser($user, $token); } /** * {@inheritDoc} * @see \LAM\LIB\TWO_FACTOR\TwoFactorProvider::verify2ndFactor() */ public function verify2ndFactor($user, $password, $serial, $twoFactorInput) { logNewMessage(LOG_DEBUG, 'PrivacyIDEAProvider: Checking 2nd factor for ' . $user); $token = $this->authenticate($user, $password); return $this->verify($token, $serial, $twoFactorInput); } /** * Authenticates against the server * * @param string $user user name * @param string $password password * @return string token * @throws \Exception error during authentication */ private function authenticate($user, $password) { $curl = $this->getCurl(); $url = $this->config->twoFactorAuthenticationURL . "/auth"; curl_setopt($curl, CURLOPT_URL, $url); $header = array('Accept: application/json'); curl_setopt($curl, CURLOPT_HTTPHEADER, $header); $options = array( 'username' => $user, 'password' => $password, ); curl_setopt($curl, CURLOPT_POSTFIELDS, $options); $json = curl_exec($curl); curl_close($curl); if (empty($json)) { throw new \Exception("Unable to get server response from $url."); } $output = json_decode($json); if (empty($output) || !isset($output->result) || !isset($output->result->status)) { throw new \Exception("Unable to get json from $url."); } $status = $output->result->status; if ($status != 1) { $errCode = isset($output->result->error) && isset($output->result->error->code) ? $output->result->error->code : ''; $errMessage = isset($output->result->error) && isset($output->result->error->message) ? $output->result->error->message : ''; throw new \Exception("Unable to login: " . $errCode . ' ' . $errMessage); } if (!isset($output->result->value) || !isset($output->result->value->token)) { throw new \Exception("Unable to get token."); } return $output->result->value->token; } /** * Returns the curl object. * * @return object curl handle * @throws \Exception error during curl creation */ private function getCurl() { $curl = curl_init(); if ($this->config->twoFactorAuthenticationInsecure) { curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0); } curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); return $curl; } /** * Returns the serial numbers of the user. * * @param string $user user name * @param string $token login token * @throws \Exception error during serial reading */ private function getSerialsForUser($user, $token) { $curl = $this->getCurl(); $url = $this->config->twoFactorAuthenticationURL . "/token/?user=" . $user; curl_setopt($curl, CURLOPT_URL, $url); $header = array('Authorization: ' . $token, 'Accept: application/json'); curl_setopt($curl, CURLOPT_HTTPHEADER, $header); $json = curl_exec($curl); curl_close($curl); if (empty($json)) { throw new \Exception("Unable to get server response from $url."); } $output = json_decode($json); if (empty($output) || !isset($output->result) || !isset($output->result->status)) { throw new \Exception("Unable to get json from $url."); } $status = $output->result->status; if (($status != 1) || !isset($output->result->value) || !isset($output->result->value->tokens)) { $errCode = isset($output->result->error) && isset($output->result->error->code) ? $output->result->error->code : ''; $errMessage = isset($output->result->error) && isset($output->result->error->message) ? $output->result->error->message : ''; throw new \Exception("Unable to get serials: " . $errCode . ' ' . $errMessage); } $serials = array(); foreach ($output->result->value->tokens as $tokenEntry) { if (!isset($tokenEntry->active) || ($tokenEntry->active != 1) || !isset($tokenEntry->serial)) { continue; } $serials[] = $tokenEntry->serial; } return $serials; } /** * Verifies if the given 2nd factor input is valid. * * @param string $token login token * @param string $serial serial number * @param string $twoFactorInput 2factor pin + password */ private function verify($token, $serial, $twoFactorInput) { $curl = $this->getCurl(); $url = $this->config->twoFactorAuthenticationURL . "/validate/check"; curl_setopt($curl, CURLOPT_URL, $url); $options = array( 'pass' => $twoFactorInput, 'serial' => $serial, ); curl_setopt($curl, CURLOPT_POSTFIELDS, $options); $header = array('Authorization: ' . $token, 'Accept: application/json'); curl_setopt($curl, CURLOPT_HTTPHEADER, $header); $json = curl_exec($curl); curl_close($curl); $output = json_decode($json); if (empty($output) || !isset($output->result) || !isset($output->result->status) || !isset($output->result->value)) { throw new \Exception("Unable to get json from $url."); } $status = $output->result->status; $value = $output->result->value; if (($status == 'true') && ($value == 'true')) { return true; } $errCode = isset($output->result->error) && isset($output->result->error->code) ? $output->result->error->code : ''; $errMessage = isset($output->result->error) && isset($output->result->error->message) ? $output->result->error->message : ''; logNewMessage(LOG_DEBUG, "Unable to verify token: " . print_r($output, true)); return false; } } /** * Returns the correct 2 factor provider. */ class TwoFactorProviderService { /** 2factor authentication disabled */ const TWO_FACTOR_NONE = 'none'; /** 2factor authentication via privacyIDEA */ const TWO_FACTOR_PRIVACYIDEA = 'privacyidea'; private $config; /** * Constructor. * * @param selfServiceProfile|LAMConfig $configObj profile */ public function __construct(&$configObj) { if ($configObj instanceof selfServiceProfile) { $this->config = $this->getConfigSelfService($configObj); } else { $this->config = $this->getConfigAdmin($configObj); } } /** * Returns the provider for the given type. * * @param string $type authentication type * @return TwoFactorProvider provider * @throws \Exception unable to get provider */ public function getProvider() { if ($this->config->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA) { return new PrivacyIDEAProvider($this->config); } throw new \Exception('Invalid provider: ' . $this->config->twoFactorAuthentication); } /** * Returns the configuration from self service. * * @param selfServiceProfile $profile profile * @return TwoFactorConfiguration configuration */ private function getConfigSelfService(&$profile) { $config = new TwoFactorConfiguration(); $config->twoFactorAuthentication = $profile->twoFactorAuthentication; $config->twoFactorAuthenticationCaption = $profile->twoFactorAuthenticationCaption; $config->twoFactorAuthenticationInsecure = $profile->twoFactorAuthenticationInsecure; $config->twoFactorAuthenticationLabel = $profile->twoFactorAuthenticationLabel; $config->twoFactorAuthenticationOptional = $profile->twoFactorAuthenticationOptional; $config->twoFactorAuthenticationURL = $profile->twoFactorAuthenticationURL; return $config; } } /** * Configuration settings for 2-factor authentication. * * @author Roland Gruber */ class TwoFactorConfiguration { public $twoFactorAuthentication = null; public $twoFactorAuthenticationURL = null; public $twoFactorAuthenticationInsecure = false; public $twoFactorAuthenticationLabel = null; public $twoFactorAuthenticationOptional = false; public $twoFactorAuthenticationCaption = ''; }