MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

new: WIP LinOTP authentication

pull/4421/head
Andreas Rammhold 2019-03-01 16:15:30 +01:00
parent 97b626a593
commit 516cf0767b
3 changed files with 254 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
app/Config/config.default.php
View File

@ -123,6 +123,15 @@ $config = array(
'DefaultOrg' => 'DEFAULT_ORG',
),
*/
/*
'LinOTPAuth' => // Configuration for the LinOTP authentication
array(
'baseUrl' => 'https://linotp', // The base URL of LinOTP
'realm' => 'lino', // the (default) realm of all the users logging in through this system
'userModel' => 'User', // name of the User class (MISP class) to check if the user exists
'userModelKey' => 'email', // User field that will be used for querying.
),
*/
// Warning: The following is a 3rd party contribution and still untested (including security) by the MISP-project team.
// Feel free to enable it and report back to us if you run into any issues.
//

76
app/Plugin/LinOTPAuth/Controller/Component/Auth/LinOTPAuthenticate.php Normal file
View File

@ -0,0 +1,76 @@
<?php
App::uses('BaseAuthenticate', 'Controller/Component/Auth');
App::uses('LinOTP', 'LinOTPAuth.Lib');
/**
* @package Controller.Component.Auth
* @since 2.0
* @see ApacheAuthComponent::$authenticate
*/
class LinOTPAuthenticate extends BaseAuthenticate
{
/*
* Try to authenticate the incoming request against the LinOTP backend.
* The function may redirect the user if there are more authentication steps required that do not fit the standard function signature.
* @return array|bool
*/
public function authenticate(CakeRequest $request, CakeResponse $response)
{
$user = $this->getUser($request);
return $user;
}
/*
* Retrieve a user by validating the request data
*/
public function getUser(CakeRequest $request)
{
if (!array_key_exists("User", $request->data)) {
return false;
}
$userFields = $request->data['User'];
$email = $userFields['email'];
$password = $userFields['password'];
CakeLog::debug("getUser email: ${email}");
$linotp = new LinOTP(
Configure::read("LinOTPAuth.baseUrl"),
Configure::read("LinOTPAuth.realm")
);
$response = $linotp->validate_check($email, $password);
// If LinOTP didn't reject the request we can go on to further authentication steps, user login or creation
if ($response !== false) {
if ($response['value'] === true) { // user can be logged in, authentication successful
$this->settings['fields'] = array('username' => "email");
$user = $this->_findUser($email);
if ($user) {
// When the user logs in for the first time a password prompt will appear
// To avoid that very prompt we are changing the `change_pw` value to '0'.
if ($user['change_pw'] === "1") {
$userModel = ClassRegistry::init($this->settings['userModel']);
$user['change_pw'] = '0';
$userModel->set(array(
"id" => $user['id'],
"change_pw" => $user['change_pw'],
));
$userModel->save(array('User' => $user), false);
$user = $this->_findUser($email);
}
return $user;
} else {
CakeLog::error("User ${email} authenticated but not found in database.");
return false;
}
}
}
return false;
}
}

169
app/Plugin/LinOTPAuth/Lib/LinOTP.php Normal file
View File

@ -0,0 +1,169 @@
<?php
class LinOTP {
/**
* LinOTP client library class
*
* Provides an abstraction of the common authentication methods of LinOTP.
*/
/**
* @var string base url at which the LinOTP instance can be found
*/
protected $base_url;
/**
* @var int Timeout for HTTP requests in milliseconds
*/
protected $request_timeout;
/**
* @var string Path to the CA certificate to use, or null for default (system) CAs.
*/
protected $ca_path = null;
/**
* @var string|null default authentication realm
*/
protected $realm = null;
/**
* LinOTP constructor.
* @param $base_url string base URL of LinOTP e.g. https://linotp1.corp.local.example.com/
* @param $request_timeout int timeout in milliseconds before pending HTTP requests shall be canceled
* @param $ca_path string|null path to the CA bundle or null for system default.
*/
public function __construct($base_url, $realm=null, int $request_timeout=30000, $ca_path=null)
{
$this->base_url = $this->_normalize_url($base_url);
$this->realm = $realm;
$this->request_timeout = $request_timeout;
$this->ca_path = $ca_path;
}
/**
* Strip trailing slashes (from URLs)
* @param $url
* @return bool|stringS
*/
protected function _normalize_url($url) {
return rtrim($url, "/");
}
/**
* Validate Check
* Performa a /validate/check call against the given LinOTP instance.
* @param user the username (opt. including the realm)
* @param password the password or OTPPin to validate
* @return bool|mixed returns true or false if the validation was successful, if more information are required (e.g. an OTP) an array is return that contains details.
*/
public function validate_check($user, $password) {
CakeLog::debug("Calling /validate/check for ${user}");
$data = array(
"user" => $user,
"pass" => $password,
);
if ($this->realm != null) {
$data['realm'] = $this->realm;
}
$response = $this->_post("/validate/check", $data);
if ($response == false) {
CakeLog::error("LinOTP request for user ${user} failed.");
return false;
} else {
if (gettype($response) !== "object") {
CakeLog::error("Response from LinOTP is not an JSON dictionary/array. Got an " .gettype($response). ": ".$response);
return false;
}
if (!property_exists($response,"result")) {
CakeLog::error("Missing 'result' key in LinOTP response.");
return false;
}
$result = $response->result;
if (!property_exists($result,"status")) {
CakeLog::error("Missing 'status' key in result envelope from LinOTP.");
return false;
}
$status = $result->status;
if (!property_exists($result, "value")) {
CakeLog::error("Missing 'value' key in result envelop from LinOTP.");
return false;
}
$value = $result->value;
$ret = array(
"status" => $status,
"value" => $value,
);
if (property_exists($result, 'detail')) {
$ret['detail'] = $result->detail;
}
return $ret;
}
}
/**
* Perform a POST request to the given path on the configured LinOTP instance.
* @param $path string path part of the request URL
* @param $data array the post data
* @return bool|mixed false if the request failed otherwise the request body or decoded json may be returned.
*/
protected function _post($path, $data) {
$ch = curl_init();
$url = $this->base_url . $path;
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_TIMEOUT_MS, $this->request_timeout);
curl_setopt($ch, CURLOPT_USERAGENT, 'MISP LinOTPAuth');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// if there is a ca_path set tell curl about it.
if ($this->ca_path != null) {
curl_setopt($ch, CURLOPT_CAPATH, $this->ca_path);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
}
CakeLog::debug( "Sending POST request to ${url}");
$response = curl_exec($ch);
$content_type = curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
$content_length = curl_getinfo($ch, CURLINFO_CONTENT_LENGTH_DOWNLOAD);
$status_code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
CakeLog::debug("Response status: ${status_code}");
if ($status_code >= 300 || $status_code < 200) {
CakeLog::debug("Status Code out of range: ${status_code}");
}
$curl_errno = curl_errno($ch);
$curl_error = curl_error($ch);
curl_close($ch);
// if the request failed return false
if ($curl_errno !== 0) {
CakeLog::error("curl error: ${curl_error}");
return false;
} else {
// if the response content type hints towards JSON try to deserialize it
if ($content_length > 0 && $content_type === 'application/json') {
$json_data = json_decode($response);
return $json_data;
} else {
return $response;
}
}
}
}