enforce authentified status for each stage

d6b8b7a6 · Guillaume ROUSSE · 069ceb61 · d6b8b7a6 · d6b8b7a6 · d6b8b7a6
Commit d6b8b7a6 authored 6 years ago by Guillaume ROUSSE
--- a/lib/AccountManager/App.pm
+++ b/lib/AccountManager/App.pm
@@ -250,6 +250,8 @@ sub abort {
 sub req_select_federation {
    my ($self, %args) = @_;
+    $self->check_authentication(action => 'select_federation');
    my $federations = $self->{configuration}->{federations}->{list};
    my @federations = split(/, */, $federations);
@@ -276,6 +278,8 @@ sub req_select_federation {
 sub req_select_sp {
    my ($self, %args) = @_;
+    $self->check_authentication(action => 'select_sp');
    my $federation  = $self->{cgi}->param('federation'); # not mandatory
    my @federations = $federation ?
@@ -314,6 +318,8 @@ sub req_select_sp {
 sub req_select_email {
    my ($self, %args) = @_;
+    $self->check_authentication(action => 'select_email');
    my $entityid   = $self->get_parameter(name => 'entityid');
    my $federation = $self->{cgi}->param('federation'); # not mandatory
@@ -396,6 +402,8 @@ sub req_select_email {
 sub req_complete_challenge {
    my ($self, %args) = @_;
+    $self->check_authentication(action => 'complete_challenge');
    my $entityid   = $self->get_parameter(name => 'entityid');
    my $email      = $self->get_parameter(name => 'email');
@@ -573,6 +581,8 @@ sub req_complete_challenge {
 sub req_create_accounts {
    my ($self, %args) = @_;
+    $self->check_authentication(action => 'create_accounts');
    my $entityid = $self->get_parameter(name => 'entityid');
    my $token    = $self->get_parameter(name => 'token');
    my $email    = $self->get_parameter(name => 'email');
@@ -675,6 +685,8 @@ sub req_create_accounts {
 sub req_download_accounts {
    my ($self) = @_;
+    $self->check_authentication(action => 'download_accounts');
    my $entityid = $self->get_parameter(name => 'entityid');
    my $token    = $self->get_parameter(name => 'token');
    my $key      = $self->get_parameter(name => 'key');
@@ -812,4 +824,14 @@ sub check_token {
    }
 }
+sub check_authentication {
+    my $self = shift;
+    my %args = @_;
+    $self->abort(
+        log  => "unauthenticated user for action $args{action}",
+        user => "unauthenticated"
+    ) if !$ENV{HTTP_SHIB_IDENTITY_PROVIDER};
+}
 1;
--- a/lib/AccountManager/L10N/fr.pm
+++ b/lib/AccountManager/L10N/fr.pm
@@ -327,3 +327,7 @@ msgstr "nom d'utilisateur:"
 #: templates/web/edugain/create_accounts.tt2.html:67 templates/web/renater/create_accounts.tt2.html:69
 msgid "value dynamically generated by the SP"
 msgstr "valeur générée dynamiquement par le SP"
+#: templates/web/edugain/errors.tt2.html:27
+msgid "you need to authenticate to access this page"
+msgstr "vous devez vous authentifier pour accéder à cette page"
--- a/templates/web/edugain/errors.tt2.html
+++ b/templates/web/edugain/errors.tt2.html
@@ -23,6 +23,8 @@
        [% ELSIF err == 'wrong_token_for_sp' %]
        [% lh.maketext("the validation token you provided cannot be used for this service provider ([_1])", entityid) %]
+        [% ELSIF err == 'unauthenticated' %]
+        [% lh.maketext("you need to authenticate to access this page") %]
        [% ELSIF (matches = err.match('missing_(\w+)')) %]
        [% lh.maketext("missing parameter '[_1]'", matches.0) %]

--- a/templates/web/renater/errors.tt2.html
+++ b/templates/web/renater/errors.tt2.html
@@ -23,6 +23,8 @@
        [% ELSIF err == 'wrong_token_for_sp' %]
        [% lh.maketext("the validation token you provided cannot be used for this service provider ([_1])", entityid) %]
+        [% ELSIF err == 'unauthenticated' %]
+        [% lh.maketext("you need to authenticate to access this page") %]
        [% ELSIF (matches = err.match('missing_(\w+)')) %]
        [% lh.maketext("missing parameter '[_1]'", matches.0) %]