From d6b8b7a6c2c1a43df6cef688e672940ec817ca4e Mon Sep 17 00:00:00 2001
From: Guillaume Rousse <guillaume.rousse@renater.fr>
Date: Thu, 29 Nov 2018 17:40:24 +0100
Subject: [PATCH] enforce authentified status for each stage
---
 lib/AccountManager/App.pm | 22 ++++++++++++++++++++++
 lib/AccountManager/L10N/fr.pm | 4 ++++
 templates/web/edugain/errors.tt2.html | 2 ++
 templates/web/renater/errors.tt2.html | 2 ++
 4 files changed, 30 insertions(+)
diff --git a/lib/AccountManager/App.pm b/lib/AccountManager/App.pm
index 63f6f47..4a3575d 100644
--- a/lib/AccountManager/App.pm
+++ b/lib/AccountManager/App.pm
@@ -250,6 +250,8 @@ sub abort {
 sub req_select_federation {
 my ($self, %args) = @_;
+ $self->check_authentication(action => 'select_federation');
+
 my $federations = $self->{configuration}->{federations}->{list};
 my @federations = split(/, */, $federations);
@@ -276,6 +278,8 @@ sub req_select_federation {
 sub req_select_sp {
 my ($self, %args) = @_;
+ $self->check_authentication(action => 'select_sp');
+
 my $federation = $self->{cgi}->param('federation'); # not mandatory
 my @federations = $federation ?
@@ -314,6 +318,8 @@ sub req_select_sp {
 sub req_select_email {
 my ($self, %args) = @_;
+ $self->check_authentication(action => 'select_email');
+
 my $entityid = $self->get_parameter(name => 'entityid');
 my $federation = $self->{cgi}->param('federation'); # not mandatory
@@ -396,6 +402,8 @@ sub req_select_email {
 sub req_complete_challenge {
 my ($self, %args) = @_;
+ $self->check_authentication(action => 'complete_challenge');
+
 my $entityid = $self->get_parameter(name => 'entityid');
 my $email = $self->get_parameter(name => 'email');
@@ -573,6 +581,8 @@ sub req_complete_challenge {
 sub req_create_accounts {
 my ($self, %args) = @_;
+ $self->check_authentication(action => 'create_accounts');
+
 my $entityid = $self->get_parameter(name => 'entityid');
 my $token = $self->get_parameter(name => 'token');
 my $email = $self->get_parameter(name => 'email');
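Review bot: The guard on the `+ $self->check_authentication(action => 'select_federation');` line only stops the handler if `abort` never returns, and only the name `sub abort {` is visible here, not its body; if it renders the error page and returns, `req_select_federation` carries on building the federation list for an unauthenticated caller. Make the contract explicit either by terminating the request inside the check (`die`/`exit` after rendering) or by returning a status the callers honour, e.g. `return unless $self->check_authentication(action => 'select_federation');` together with an explicit `return 1;` at the end of `check_authentication`, since a bare `... if !$ENV{...};` as last statement does not yield a dependable true value. Because the check is repeated by hand in each handler, any `req_*` added later without this line stays unauthenticated; a single check in the dispatcher, or `require shib-session` enforced at the web server, would close that gap. `req_select_federation` continues past the hunk.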
@@ -675,6 +685,8 @@ sub req_create_accounts {
 sub req_download_accounts {
 my ($self) = @_;
+ $self->check_authentication(action => 'download_accounts');
+
 my $entityid = $self->get_parameter(name => 'entityid');
 my $token = $self->get_parameter(name => 'token');
 my $key = $self->get_parameter(name => 'key');
@@ -812,4 +824,14 @@ sub check_token {
 }
 }
+sub check_authentication {
+ my $self = shift;
+ my %args = @_;
+
+ $self->abort(
+ log => "unauthenticated user for action $args{action}",
+ user => "unauthenticated"
+ ) if !$ENV{HTTP_SHIB_IDENTITY_PROVIDER};
+}
+
 1;
diff --git a/lib/AccountManager/L10N/fr.pm b/lib/AccountManager/L10N/fr.pm
index 954d944..4321058 100644
--- a/lib/AccountManager/L10N/fr.pm
+++ b/lib/AccountManager/L10N/fr.pm
@@ -327,3 +327,7 @@ msgstr "nom d'utilisateur:"
 #: templates/web/edugain/create_accounts.tt2.html:67 templates/web/renater/create_accounts.tt2.html:69
 msgid "value dynamically generated by the SP"
 msgstr "valeur générée dynamiquement par le SP"
+
+#: templates/web/edugain/errors.tt2.html:27
+msgid "you need to authenticate to access this page"
+msgstr "vous devez vous authentifier pour accéder à cette page"
diff --git a/templates/web/edugain/errors.tt2.html b/templates/web/edugain/errors.tt2.html
index 3dbb3b1..fd888e3 100644
--- a/templates/web/edugain/errors.tt2.html
+++ b/templates/web/edugain/errors.tt2.html
@@ -23,6 +23,8 @@
 [% ELSIF err == 'wrong_token_for_sp' %]
 [% lh.maketext("the validation token you provided cannot be used for this service provider ([_1])", entityid) %]
+ [% ELSIF err == 'unauthenticated' %]
+ [% lh.maketext("you need to authenticate to access this page") %]
 [% ELSIF (matches = err.match('missing_(\w+)')) %]
 [% lh.maketext("missing parameter '[_1]'", matches.0) %]
diff --git a/templates/web/renater/errors.tt2.html b/templates/web/renater/errors.tt2.html
index 84303f3..34143af 100644
--- a/templates/web/renater/errors.tt2.html
+++ b/templates/web/renater/errors.tt2.html
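Review bot: `$ENV{HTTP_SHIB_IDENTITY_PROVIDER}` on the `) if !$ENV{HTTP_SHIB_IDENTITY_PROVIDER};` line is the CGI mapping of a `Shib-Identity-Provider` request header, i.e. data that arrives from the client; it is only trustworthy when the Shibboleth SP module sits in front of this script on every request and is configured to overwrite or strip that header, which nothing in this patch verifies. Reading the attribute the SP exports as a server-side environment variable instead (`$ENV{'Shib-Identity-Provider'}`), which a client cannot inject, removes the dependency on header hygiene — presumably the deployment already relies on one of the two modes, so confirm which one before switching. Presence of an IdP identifier is also only a proxy for "a Shibboleth session exists" rather than a check on who the user is, and if `abort` can return, the sub should end with an explicit `return 1;` so callers can act on the result; `require shib-session` at the web-server level would give a second, independent layer. The sub is complete within the hunk.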
@@ -23,6 +23,8 @@
 [% ELSIF err == 'wrong_token_for_sp' %]
 [% lh.maketext("the validation token you provided cannot be used for this service provider ([_1])", entityid) %]
+ [% ELSIF err == 'unauthenticated' %]
+ [% lh.maketext("you need to authenticate to access this page") %]
 [% ELSIF (matches = err.match('missing_(\w+)')) %]
 [% lh.maketext("missing parameter '[_1]'", matches.0) %]
--
GitLab