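 /**
  * Perform the second authentication factor for an OpenVPN client.
  *
  * The OpenVPN environment carries the OTP type in the "username" field
  * (only "totp" is supported) and the 6-digit OTP key in the "password"
  * field. The user's Base32 encoded TOTP secret is read from
  * "<baseDir>/data/<INSTANCE_ID>/users/otp_secrets/<userId>", the key is
  * verified against it and then recorded in the OTP log so the same key
  * cannot be accepted a second time.
  *
  * @param array $envData the OpenVPN environment; requires the keys
  *                       "common_name", "username", "password" and "INSTANCE_ID"
  *
  * @throws TwoFactorException when a required key is missing, the OTP type
  *                            is not "totp", the key is not exactly 6 digits,
  *                            no secret is registered, the key does not
  *                            verify, or the key was already used (replay)
  */
 public function twoFactor(array $envData)
 {
     // fail closed on an incomplete environment instead of continuing with null values
     foreach (['common_name', 'username', 'password', 'INSTANCE_ID'] as $requiredKey) {
         if (!array_key_exists($requiredKey, $envData)) {
             throw new TwoFactorException(sprintf('missing "%s" in environment', $requiredKey));
         }
     }
     // NOTE(review): the secret file name is built from this value; getUserId() is
     // expected to return a path-safe identifier - confirm in its implementation
     $userId = self::getUserId($envData['common_name']);
     // use username field to specify OTP type, for now we only support 'totp'
     $otpType = $envData['username'];
     if ('totp' !== $otpType) {
         throw new TwoFactorException('invalid OTP type specified in username field');
     }
     $otpKey = $envData['password'];
     // validate the OTP key; the "D" modifier stops "$" from also matching before a
     // trailing newline, and "1 !==" treats a PCRE error (false) as a failed check
     if (1 !== preg_match('/^[0-9]{6}$/D', $otpKey)) {
         throw new TwoFactorException('invalid OTP key format specified');
     }
     $dataDir = sprintf('%s/data/%s', $this->baseDir, $envData['INSTANCE_ID']);
     $otpSecretFile = sprintf('%s/users/otp_secrets/%s', $dataDir, $userId);
     // explicit readability check instead of "@" error suppression on the read
     if (!is_readable($otpSecretFile) || false === ($otpSecret = file_get_contents($otpSecretFile))) {
         throw new TwoFactorException('no OTP secret registered');
     }
     $otp = new Otp();
     if (!$otp->checkTotp(Base32::decode($otpSecret), $otpKey)) {
         throw new TwoFactorException('invalid OTP key');
     }
     // record the key only after it verified; a false return means it was seen before
     if (false === $this->otpLog->record($userId, $otpKey, time())) {
         throw new TwoFactorException('OTP replayed');
     }
 }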
 *  License, or (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU Affero General Public License for more details.
 *
 *  You should have received a copy of the GNU Affero General Public License
 *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
require_once sprintf('%s/vendor/autoload.php', dirname(__DIR__));
use SURFnet\VPN\Server\OtpLog;
use SURFnet\VPN\Common\CliParser;
use SURFnet\VPN\Common\FileIO;
// Initialize the OTP key storage for one instance: create the instance data
// directory, open (or create) the SQLite database in it and let OtpLog set up
// its schema. Any exception is reported on stdout and turns into exit code 1.
try {
    $cliParser = new CliParser('Initialize the OTP key storage', ['instance' => ['the instance', true, true]]);
    $cliOptions = $cliParser->parse($argv);
    if ($cliOptions->e('help')) {
        echo $cliParser->help();
        exit(0);
    }
    $instanceId = $cliOptions->v('instance');
    $vpnDataDir = sprintf('%s/openvpn-data/%s', dirname(__DIR__), $instanceId);
    // the per-instance directory must exist before the database file is created in it
    FileIO::createDir($vpnDataDir, 0711);
    $otpLog = new OtpLog(new PDO(sprintf('sqlite://%s/otp.sqlite', $vpnDataDir)));
    $otpLog->init();
} catch (Exception $e) {
    echo sprintf('ERROR: %s', $e->getMessage()).PHP_EOL;
    exit(1);
}
 *  it under the terms of the GNU Affero General Public License as
 *  published by the Free Software Foundation, either version 3 of the
 *  License, or (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU Affero General Public License for more details.
 *
 *  You should have received a copy of the GNU Affero General Public License
 *  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
require_once sprintf('%s/vendor/autoload.php', dirname(__DIR__));
use SURFnet\VPN\Server\OtpLog;
use SURFnet\VPN\Common\CliParser;
// Housekeeping for one instance: open the instance's OTP database and drop
// the used-key entries that are older than the replay window. Any exception
// is reported on stdout and turns into exit code 1.
try {
    $cliParser = new CliParser('Peform cleaning up of expired OTP keys', ['instance' => ['the instance', true, true]]);
    $cliOptions = $cliParser->parse($argv);
    if ($cliOptions->e('help')) {
        echo $cliParser->help();
        exit(0);
    }
    $instanceId = $cliOptions->v('instance');
    $vpnDataDir = sprintf('%s/openvpn-data/%s', dirname(__DIR__), $instanceId);
    $otpLog = new OtpLog(new PDO(sprintf('sqlite://%s/otp.sqlite', $vpnDataDir)));
    // entries older than 5 minutes are no longer needed for replay detection
    $cutOff = strtotime('now -5 minutes');
    $otpLog->housekeeping($cutOff);
} catch (Exception $e) {
    echo sprintf('ERROR: %s', $e->getMessage()).PHP_EOL;
    exit(1);
}
 /**
  * Give every test a fresh OtpLog backed by an in-memory SQLite database
  * with its schema initialized.
  */
 public function setUp()
 {
     $inMemoryDb = new PDO('sqlite::memory:');
     $otpLog = new OtpLog($inMemoryDb);
     $otpLog->init();
     $this->otpLog = $otpLog;
 }