tyler.durden/icingaweb2
1
0
Fork 0
mirror of https://github.com/Icinga/icingaweb2.git synced 2025-07-31 01:34:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add: 2FA login challenge without proper validation

Browse Source
This commit is contained in:
Jan Schuppik 2025-07-24 21:09:08 +02:00
parent a1d36202dc
commit dd2eefa50f
5 changed files with 163 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
application/controllers/AuthenticationController.php
View File

@ -8,10 +8,12 @@ use Icinga\Application\Icinga;
use Icinga\Application\Logger;
use Icinga\Common\Database;
use Icinga\Exception\AuthenticationException;
use Icinga\Forms\Authentication\Challenge2FAForm;
use Icinga\Forms\Authentication\LoginForm;
use Icinga\Web\Controller;
use Icinga\Web\Helper\CookieHelper;
use Icinga\Web\RememberMe;
use Icinga\Web\Session;
use Icinga\Web\Url;
use RuntimeException;
@ -41,7 +43,14 @@ class AuthenticationController extends Controller
if (($requiresSetup = $icinga->requiresSetup()) && $icinga->setupTokenExists()) {
$this->redirectNow(Url::fromPath('setup'));
}
$form = new LoginForm();
$user = $this->Auth()->getUser();
$form = ($user !== null
&& $user->getTwoFactorEnabled()
&& Session::getSession()->get('must_challenge_2fa_token', false) === true)
? new Challenge2FAForm()
: new LoginForm();
if (RememberMe::hasCookie() && $this->hasDb()) {
$authenticated = false;
@ -91,13 +100,8 @@ class AuthenticationController extends Controller
->sendResponse();
exit;
}
// FORM DOES NOT REDIRECT, IF USER HAS 2FA ENABLED and token hasn't been challenged
$form->handleRequest();
}
// if ($user->has2FA() && irgendwas_mit_session()) {
// // 2 FA form erstellen und zeigen und handeln
// in der session speichern ob der token gepasst hat
// }
$this->view->form = $form;
$this->view->defaultTitle = $this->translate('Icinga Web 2 Login');
$this->view->requiresSetup = $requiresSetup;

71
application/forms/Authentication/Challenge2FAForm.php Normal file
View File

@ -0,0 +1,71 @@
<?php
namespace Icinga\Forms\Authentication;
use Icinga\Application\Hook\AuthenticationHook;
use Icinga\Authentication\Auth;
use Icinga\Web\Session;
use Icinga\Web\Url;
class Challenge2FAForm extends LoginForm
{
/**
* {@inheritdoc}
*/
public function init()
{
$this->setRequiredCue(null);
$this->setName('form_challenge_2fa');
$this->setSubmitLabel($this->translate('Verify'));
$this->setProgressLabel($this->translate('Verifying'));
}
/**
* {@inheritdoc}
*/
public function createElements(array $formData)
{
$this->addElement(
'text',
'code',
[
'autocapitalize' => 'off',
'class' => 'autofocus content-centered',
'placeholder' => $this->translate('Please enter your 2FA code'),
'required' => true,
'autocomplete' => 'off',
]
);
$this->addElement(
'hidden',
'redirect',
[
'value' => Url::fromRequest()->getParam('redirect')
]
);
}
public function onSuccess()
{
// TODO: Implement proper 2FA code validation
if ($_POST['code'] == 666) {
$auth = Auth::getInstance();
$user = $auth->getUser();
Session::getSession()->set('challenged_successful_2fa_token', true);
Session::getSession()->delete('must_challenge_2fa_token');
$auth->setAuthenticated($user);
AuthenticationHook::triggerLogin($user);
$this->getResponse()->setRerenderLayout(true);
return true;
}
$this->getElement('code')->addError($this->translate('Code is invalid!'));
return false;
}
}

17
application/forms/Authentication/LoginForm.php
View File

@ -14,6 +14,7 @@ use Icinga\Exception\Http\HttpBadRequestException;
use Icinga\User;
use Icinga\Web\Form;
use Icinga\Web\RememberMe;
use Icinga\Web\Session;
use Icinga\Web\Url;
/**
@ -164,14 +165,16 @@ class LoginForm extends Form
// If user has 2FA enabled and the token hasn't been validated, redirect to login again, so that
// the token is challenged.
$redirect = $this->getElement('redirect');
$old = $redirect->getValue();
$new = [];
if ($old) {
$new['redirect'] = $old;
if ($user->getTwoFactorEnabled() && ! $user->getTwoFactorSuccessful()) {
$redirect = $this->getElement('redirect');
$redirect->setValue(
Url::fromPath('authentication/login',
['redirect' => $redirect->getValue()])->getRelativeUrl()
);
Session::getSession()->set('must_challenge_2fa_token', true);
return true;
}
$redirect->setValue(Url::fromPath('authentication/login', $new)->getRelativeUrl());
return true;
$this->getResponse()->setRerenderLayout(true);
return true;

17
library/Icinga/Authentication/Auth.php
View File

@ -87,10 +87,10 @@ class Auth
*/
public function isAuthenticated()
{
// return false just for testing. isAuthenticated must return false if the user is authentiacted but has 2FA enabled and the token hasn't been challenged yet.
return false;
if ($this->user !== null) {
if ($this->user->getTwoFactorEnabled() && ! $this->user->getTwoFactorSuccessful()) {
return false;
}
return true;
}
$this->authenticateFromSession();
@ -98,7 +98,8 @@ class Auth
return false;
}
// real 2fa check from above must happen here
// 2fa check from must happen here, to apply the 2fa challenge for external users as well
// but the session authentication would also get the 2fa challenge
return true;
}
@ -136,7 +137,9 @@ class Auth
}
// don't log if 2fa hasn't been challenged yet
AuditHook::logActivity('login', 'User logged in');
if (!$user->getTwoFactorEnabled() || $user->getTwoFactorSuccessful()) {
AuditHook::logActivity('login', 'User logged in');
}
}
/**
@ -457,6 +460,8 @@ class Auth
$admissionLoader = new AdmissionLoader();
$admissionLoader->applyRoles($user);
// Set 2FA status from the user preferences in the user obect
// Set 2FA status from the user preferences & session in the user object
$user->setTwoFactorEnabled($preferences->getValue('icingaweb', 'enabled_2fa') == 1);
$user->setTwoFactorSuccessful(Session::getSession()->get('challenged_successful_2fa_token', false));
}
}

61
library/Icinga/User.php
View File

@ -122,6 +122,20 @@ class User
*/
protected $isHttpUser = false;
/**
* Whether the user has 2FA enabled
*
* @var bool
*/
protected $twoFactorEnabled = false;
/**
* Whether the user has successfully completed 2FA
*
* @var bool
*/
protected $twoFactorSuccessful = false;
/**
* Creates a user object given the provided information
*
@ -646,4 +660,51 @@ class User
return $navigation;
}
/**
* Get whether the user has 2FA enabled
*
* @return bool
*/
public function getTwoFactorEnabled(): bool
{
return $this->twoFactorEnabled;
}
/**
* Set whether the user has 2FA enabled
*
* @param bool $enabled
*
* @return $this
*/
public function setTwoFactorEnabled(bool $enabled)
{
$this->twoFactorEnabled = $enabled;
return $this;
}
/**
* Get whether the user has successfully completed 2FA
*
* @return bool
*/
public function getTwoFactorSuccessful(): bool
{
return $this->twoFactorSuccessful;
}
/**
* Set whether the user has successfully completed 2FA
*
* @param bool $successful
*
* @return $this
*/
public function setTwoFactorSuccessful(bool $successful): self
{
$this->twoFactorSuccessful = $successful;
return $this;
}
}