/**
  * The form for user OTP device configuration submits to this action.
  *
  * @param userId The user id to check
  * @param useOtp If set, enable OTP device, otherwise delete OTP device record
  * @param algorithm The OTP algorithm to use (see constants.php)
  * @param secret The device key or secret to use
  * @param length The length of the client tokens
  */
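 public function usersubmitAction()
 {
     $this->disableLayout();
     $this->disableView();

     // Resolve the caller before anything else: every authorization decision below
     // depends on it, and isAdmin() must never be invoked on a missing session DAO
     // (the original ordering could do exactly that when userOtpControl was off).
     $currentUser = $this->userSession->Dao;
     if (!$currentUser) {
         throw new Zend_Exception('Must be logged in');
     }

     // Site-wide switch: unless users may manage their own OTP devices ('true' string
     // in the mfa settings), only administrators may use this action at all.
     $userOtpSetting = $this->Setting->GetValueByName('userOtpControl', 'mfa');
     $userOtpControl = $userOtpSetting === 'true';
     if (!$userOtpControl && !$currentUser->isAdmin()) {
         throw new Zend_Exception('Only administrators are allowed to manage OTP settings');
     }

     $userId = $this->getParam('userId');
     if (!isset($userId)) {
         throw new Zend_Exception('Must pass a userId parameter');
     }
     $user = $this->User->load($userId);
     if (!$user) {
         throw new Zend_Exception('Invalid userId');
     }

     // A non-admin may only change the device of their own account.
     if ($currentUser->getKey() != $user->getKey() && !$currentUser->isAdmin()) {
         throw new Zend_Exception('Permission denied');
     }

     $otpDevice = $this->Mfa_Otpdevice->getByUser($user);
     $useOtp = $this->getParam('useOtp');

     if (!isset($useOtp)) {
         // Disabling: remove the device record when present; a no-op otherwise.
         if ($otpDevice) {
             $this->Mfa_Otpdevice->delete($otpDevice);
         }
         echo JsonComponent::encode(array('status' => 'warning', 'message' => 'OTP Authentication disabled'));
         return;
     }

     // Enabling: create a fresh record for the target user or update the existing one.
     if (!$otpDevice) {
         $otpDevice = new Mfa_OtpdeviceDao();
         $otpDevice->setUserId($user->getKey());
         $otpDevice->setCounter('0');
     }
     // NOTE(review): algorithm, secret and length are stored as submitted; validation
     // (algorithm against constants.php, non-empty secret, numeric length) is assumed
     // to happen in the DAO/model layer — confirm.
     $otpDevice->setAlgorithm($this->getParam('algorithm'));
     $otpDevice->setSecret($this->getParam('secret'));
     $otpDevice->setLength($this->getParam('length'));
     $this->Mfa_Otpdevice->save($otpDevice);
     echo JsonComponent::encode(array('status' => 'ok', 'message' => 'OTP Authentication enabled'));
 }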
 /**
  * Perform authentication using a RADIUS server.
  *
  * @param Mfa_OtpdeviceDao $otpDevice
  * @param Mfa_ApitokenDao $token
  * @return bool true on RADIUS access-accept, false on reject or challenge
  * @throws Zend_Exception
  */
 protected function _radiusauth($otpDevice, $token)
 {
     // Server connection parameters come from the 'mfa' module settings.
     /** @var SettingModel $settingModel */
     $settingModel = MidasLoader::loadModel('Setting');
     $radiusserver = $settingModel->GetValueByName('radiusServer', 'mfa');
     $radiusport = $settingModel->GetValueByName('radiusPort', 'mfa');
     $radiuspw = $settingModel->GetValueByName('radiusPassword', 'mfa');
     $radiusTimeout = $settingModel->GetValueByName('radiusTimeout', 'mfa');
     $radiusMaxTries = $settingModel->GetValueByName('radiusMaxTries', 'mfa');
     // The PECL radius extension is optional; fail loudly rather than with an undefined-function error.
     if (!function_exists('radius_auth_open')) {
         throw new Zend_Exception('RADIUS is not enabled on the server');
     }
     // NOTE(review): the next line is garbled in this listing ('******' replaced part of the
     // text); the handle $rh used below is presumably opened and the server registered in the
     // missing portion — confirm against the original source.
     $this->getLogger()->debug('Midas Server RADIUS trying to authenticate user: '******'Cannot connect to the RADIUS server: ' . radius_strerror($rh));
     }
     if (!radius_create_request($rh, RADIUS_ACCESS_REQUEST)) {
         throw new Zend_Exception('Cannot process requests to RADIUS server: ' . radius_strerror($rh));
     }
     /* this is the key parameter: for the RADIUS algorithm the device "secret" field holds the RADIUS user name */
     radius_put_attr($rh, RADIUS_USER_NAME, $otpDevice->getSecret());
     /* this is the one time pin + 6-digit hard token or 8 digit smart token */
     radius_put_attr($rh, RADIUS_USER_PASSWORD, $token);
     // Map the server's reply to the boolean contract: only an explicit accept authenticates.
     switch (radius_send_request($rh)) {
         case RADIUS_ACCESS_ACCEPT:
             $this->getLogger()->debug('Midas Server RADIUS successful authentication ' . 'for ' . $otpDevice->getSecret());
             return true;
         case RADIUS_ACCESS_REJECT:
             $this->getLogger()->info('Midas Server RADIUS failed authentication for ' . $otpDevice->getSecret());
             return false;
         case RADIUS_ACCESS_CHALLENGE:
             // Challenge/response is not handled here; a challenge counts as a failed attempt.
             $this->getLogger()->info('Midas Server RADIUS challenge requested for ' . $otpDevice->getSecret());
             return false;
         default:
             // NOTE(review): this message writes the submitted $token into the info log. The token is a
             // one-time credential and should not be persisted in logs; consider dropping it from the message.
             $this->getLogger()->info('Midas Server RADIUS error during authentication ' . 'for ' . $otpDevice->getSecret() . ' with Token: ' . $token . '. Error: ' . radius_strerror($rh));
             throw new Zend_Exception('Error during RADIUS authentication: ' . radius_strerror($rh));
     }
 }