From d6b8b7a6c2c1a43df6cef688e672940ec817ca4e Mon Sep 17 00:00:00 2001
From: Guillaume Rousse <guillaume.rousse@renater.fr>
Date: Thu, 29 Nov 2018 17:40:24 +0100
Subject: [PATCH] enforce authentified status for each stage

---
 lib/AccountManager/App.pm             | 22 ++++++++++++++++++++++
 lib/AccountManager/L10N/fr.pm         |  4 ++++
 templates/web/edugain/errors.tt2.html |  2 ++
 templates/web/renater/errors.tt2.html |  2 ++
 4 files changed, 30 insertions(+)

diff --git a/lib/AccountManager/App.pm b/lib/AccountManager/App.pm
index 63f6f47..4a3575d 100644
--- a/lib/AccountManager/App.pm
+++ b/lib/AccountManager/App.pm
@@ -250,6 +250,8 @@ sub abort {
 sub req_select_federation {
     my ($self, %args) = @_;
 
+    $self->check_authentication(action => 'select_federation');
+
     my $federations = $self->{configuration}->{federations}->{list};
     my @federations = split(/, */, $federations);
 
@@ -276,6 +278,8 @@ sub req_select_federation {
 sub req_select_sp {
     my ($self, %args) = @_;
 
+    $self->check_authentication(action => 'select_sp');
+
     my $federation  = $self->{cgi}->param('federation'); # not mandatory
 
     my @federations = $federation ?
@@ -314,6 +318,8 @@ sub req_select_sp {
 sub req_select_email {
     my ($self, %args) = @_;
 
+    $self->check_authentication(action => 'select_email');
+
     my $entityid   = $self->get_parameter(name => 'entityid');
     my $federation = $self->{cgi}->param('federation'); # not mandatory
 
@@ -396,6 +402,8 @@ sub req_select_email {
 sub req_complete_challenge {
     my ($self, %args) = @_;
 
+    $self->check_authentication(action => 'complete_challenge');
+
     my $entityid   = $self->get_parameter(name => 'entityid');
     my $email      = $self->get_parameter(name => 'email');
 
@@ -573,6 +581,8 @@ sub req_complete_challenge {
 sub req_create_accounts {
     my ($self, %args) = @_;
 
+    $self->check_authentication(action => 'create_accounts');
+
     my $entityid = $self->get_parameter(name => 'entityid');
     my $token    = $self->get_parameter(name => 'token');
     my $email    = $self->get_parameter(name => 'email');
@@ -675,6 +685,8 @@ sub req_create_accounts {
 sub req_download_accounts {
     my ($self) = @_;
 
+    $self->check_authentication(action => 'download_accounts');
+
     my $entityid = $self->get_parameter(name => 'entityid');
     my $token    = $self->get_parameter(name => 'token');
     my $key      = $self->get_parameter(name => 'key');
@@ -812,4 +824,14 @@ sub check_token {
     }
 }
 
+sub check_authentication {
+    my $self = shift;
+    my %args = @_;
+
+    $self->abort(
+        log  => "unauthenticated user for action $args{action}",
+        user => "unauthenticated"
+    ) if !$ENV{HTTP_SHIB_IDENTITY_PROVIDER};
+}
+
 1;
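Review bot: `check_authentication` gates every stage on `$ENV{HTTP_SHIB_IDENTITY_PROVIDER}`, and the `HTTP_` prefix means the value is populated from a request header rather than from an attribute the SP exports directly, so the check is only as strong as the front end's guarantee that client-supplied `Shib-Identity-Provider` headers are stripped before the request reaches this code (Shibboleth's `ShibUseHeaders` mode does this, but any proxy in front of it must as well). That trust assumption deserves a comment beside the test, e.g. `# set by the Shibboleth SP from the session; relies on the web server dropping client-supplied Shib-* headers`, and if the deployment exports the attribute as a plain environment variable rather than a header, reading that form removes the dependency. The six callers (req_select_federation through req_download_accounts, in the earlier hunks) each add the same one-line call by hand, so a handler added later fails open unless its author remembers it; if the dispatcher that routes to the `req_*` subs lives in this file, performing the check once there would be more robust, though that dispatcher is not visible in the patch. Finally the sub ends without an explicit `return;`, and `$args{action}` is interpolated into the log message with no default, which emits an uninitialized-value warning under `use warnings` when a caller omits it.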
diff --git a/lib/AccountManager/L10N/fr.pm b/lib/AccountManager/L10N/fr.pm
index 954d944..4321058 100644
--- a/lib/AccountManager/L10N/fr.pm
+++ b/lib/AccountManager/L10N/fr.pm
@@ -327,3 +327,7 @@ msgstr "nom d'utilisateur:"
 #: templates/web/edugain/create_accounts.tt2.html:67 templates/web/renater/create_accounts.tt2.html:69
 msgid "value dynamically generated by the SP"
 msgstr "valeur générée dynamiquement par le SP"
+
+#: templates/web/edugain/errors.tt2.html:27
+msgid "you need to authenticate to access this page"
+msgstr "vous devez vous authentifier pour accéder à cette page"
diff --git a/templates/web/edugain/errors.tt2.html b/templates/web/edugain/errors.tt2.html
index 3dbb3b1..fd888e3 100644
--- a/templates/web/edugain/errors.tt2.html
+++ b/templates/web/edugain/errors.tt2.html
@@ -23,6 +23,8 @@
         [% ELSIF err == 'wrong_token_for_sp' %]
         [% lh.maketext("the validation token you provided cannot be used for this service provider ([_1])", entityid) %]
 
+        [% ELSIF err == 'unauthenticated' %]
+        [% lh.maketext("you need to authenticate to access this page") %]
 
         [% ELSIF (matches = err.match('missing_(\w+)')) %]
         [% lh.maketext("missing parameter '[_1]'", matches.0) %]
diff --git a/templates/web/renater/errors.tt2.html b/templates/web/renater/errors.tt2.html
index 84303f3..34143af 100644
--- a/templates/web/renater/errors.tt2.html
+++ b/templates/web/renater/errors.tt2.html
@@ -23,6 +23,8 @@
         [% ELSIF err == 'wrong_token_for_sp' %]
         [% lh.maketext("the validation token you provided cannot be used for this service provider ([_1])", entityid) %]
 
+        [% ELSIF err == 'unauthenticated' %]
+        [% lh.maketext("you need to authenticate to access this page") %]
 
         [% ELSIF (matches = err.match('missing_(\w+)')) %]
         [% lh.maketext("missing parameter '[_1]'", matches.0) %]
-- 
GitLab