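/**
 * The form for user OTP device configuration submits to this action.
 *
 * Access rules, checked in this order:
 *  - the caller must be logged in;
 *  - unless the 'userOtpControl' MFA setting is the string 'true', only
 *    administrators may manage OTP devices at all;
 *  - a non-administrator may only change their own device.
 *
 * Omitting the useOtp parameter deletes the user's OTP device record (turns
 * OTP off for that user); passing it creates or updates the record from the
 * algorithm / secret / length parameters.
 *
 * @param userId The user id to check
 * @param useOtp If set, enable OTP device, otherwise delete OTP device record
 * @param algorithm The OTP algorithm to use (see constants.php)
 * @param secret The device key or secret to use
 * @param length The length of the client tokens
 * @throws Zend_Exception on a missing session, missing/invalid parameters, or insufficient permission
 */
public function usersubmitAction()
{
    $this->disableLayout();
    $this->disableView();

    // Resolve the session first. The previous ordering called isAdmin() on
    // $this->userSession->Dao before checking that a session exists, which is a
    // method call on null for an anonymous request when user OTP control is off.
    $currentUser = $this->userSession->Dao;
    if (!$currentUser) {
        throw new Zend_Exception('Must be logged in');
    }

    $userOtpSetting = $this->Setting->GetValueByName('userOtpControl', 'mfa');
    $userOtpControl = $userOtpSetting === 'true';
    if (!$userOtpControl && !$currentUser->isAdmin()) {
        throw new Zend_Exception('Only administrators are allowed to manage OTP settings');
    }

    $userId = $this->getParam('userId');
    if (!isset($userId)) {
        throw new Zend_Exception('Must pass a userId parameter');
    }
    $user = $this->User->load($userId);
    if (!$user) {
        throw new Zend_Exception('Invalid userId');
    }

    // Loose comparison kept on purpose: keys may arrive as int or as string.
    if ($currentUser->getKey() != $user->getKey() && !$currentUser->isAdmin()) {
        throw new Zend_Exception('Permission denied');
    }

    // NOTE(review): no CSRF token is verified in this action even though it
    // enables or disables a second factor; confirm the surrounding form/
    // framework layer covers state-changing POSTs.
    $otpDevice = $this->Mfa_Otpdevice->getByUser($user);
    $useOtp = $this->getParam('useOtp');

    if (!isset($useOtp)) {
        // Disable: drop the device record if there is one.
        if ($otpDevice) {
            $this->Mfa_Otpdevice->delete($otpDevice);
        }
        echo JsonComponent::encode(array('status' => 'warning', 'message' => 'OTP Authentication disabled'));
        return;
    }

    // Enable: all three device parameters are required. Previously whatever
    // getParam() returned (null when absent) was stored as-is, which could
    // leave an enabled but unusable device record.
    $algorithm = $this->getParam('algorithm');
    $secret = $this->getParam('secret');
    $length = $this->getParam('length');
    if (!isset($algorithm) || $algorithm === '') {
        throw new Zend_Exception('Must pass an algorithm parameter');
    }
    if (!isset($secret) || $secret === '') {
        throw new Zend_Exception('Must pass a secret parameter');
    }
    if (!isset($length) || !ctype_digit((string) $length) || (int) $length <= 0) {
        throw new Zend_Exception('length must be a positive integer');
    }

    if (!$otpDevice) {
        $otpDevice = new Mfa_OtpdeviceDao();
        $otpDevice->setUserId($user->getKey());
        // Counter starts at zero for a freshly enrolled device.
        $otpDevice->setCounter('0');
    }
    $otpDevice->setAlgorithm($algorithm);
    $otpDevice->setSecret($secret);
    $otpDevice->setLength($length);
    $this->Mfa_Otpdevice->save($otpDevice);

    echo JsonComponent::encode(array('status' => 'ok', 'message' => 'OTP Authentication enabled'));
}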
/**
 * Perform authentication using a RADIUS server.
 *
 * Reads the RADIUS connection settings from the 'mfa' settings module, sends
 * one Access-Request with the device secret as User-Name and the supplied
 * token as User-Password, and maps the reply as follows:
 *   Access-Accept    -> true
 *   Access-Reject    -> false
 *   Access-Challenge -> false (the challenge is not followed up)
 *   anything else    -> Zend_Exception
 *
 * NOTE(review): part of this method's text is redacted in the source
 * ("******" between the first debug log call and the connect-error check).
 * The calls that open the RADIUS handle ($rh) and register the server with
 * $radiusserver/$radiusport/$radiuspw/$radiusTimeout/$radiusMaxTries
 * presumably live in that gap — confirm against the repository.
 *
 * @param Mfa_OtpdeviceDao $otpDevice device whose secret is sent as the RADIUS user name
 * @param string $token value sent as User-Password (the docblock used to say
 *        Mfa_ApitokenDao, but the value is only ever used as a string here)
 * @return bool true on Access-Accept, false on Access-Reject or Access-Challenge
 * @throws Zend_Exception when the RADIUS extension is missing, the server cannot be
 *         reached, the request cannot be built, or the reply is not one of the three above
 */
protected function _radiusauth($otpDevice, $token)
{
    /** @var SettingModel $settingModel */
    $settingModel = MidasLoader::loadModel('Setting');
    $radiusserver = $settingModel->GetValueByName('radiusServer', 'mfa');
    $radiusport = $settingModel->GetValueByName('radiusPort', 'mfa');
    // RADIUS shared secret; in the visible code it is read but not logged.
    $radiuspw = $settingModel->GetValueByName('radiusPassword', 'mfa');
    $radiusTimeout = $settingModel->GetValueByName('radiusTimeout', 'mfa');
    $radiusMaxTries = $settingModel->GetValueByName('radiusMaxTries', 'mfa');

    // The radius PECL extension is optional; fail closed when it is absent.
    if (!function_exists('radius_auth_open')) {
        throw new Zend_Exception('RADIUS is not enabled on the server');
    }

    // Source is redacted from the middle of the next statement up to the
    // closing brace of the connect-error check (see the docblock note).
    $this->getLogger()->debug('Midas Server RADIUS trying to authenticate user: '******'Cannot connect to the RADIUS server: ' . radius_strerror($rh));
    }
    if (!radius_create_request($rh, RADIUS_ACCESS_REQUEST)) {
        throw new Zend_Exception('Cannot process requests to RADIUS server: ' . radius_strerror($rh));
    }

    /* this is the key parameter */
    radius_put_attr($rh, RADIUS_USER_NAME, $otpDevice->getSecret());
    /* this is the one time pin + 6-digit hard token or 8 digit smart token */
    radius_put_attr($rh, RADIUS_USER_PASSWORD, $token);

    switch (radius_send_request($rh)) {
        case RADIUS_ACCESS_ACCEPT:
            $this->getLogger()->debug('Midas Server RADIUS successful authentication ' . 'for ' . $otpDevice->getSecret());
            return true;
        case RADIUS_ACCESS_REJECT:
            $this->getLogger()->info('Midas Server RADIUS failed authentication for ' . $otpDevice->getSecret());
            return false;
        case RADIUS_ACCESS_CHALLENGE:
            // Challenge/response round trips are not implemented, so a
            // challenge is treated as a failed authentication.
            $this->getLogger()->info('Midas Server RADIUS challenge requested for ' . $otpDevice->getSecret());
            return false;
        default:
            // SECURITY(review): this branch writes the submitted one-time
            // token ($token) into the application log in clear text; drop it
            // from the message. The device "secret" is also logged on every
            // path above, which is only acceptable if it is a username-like
            // identifier rather than a confidential value — confirm which.
            $this->getLogger()->info('Midas Server RADIUS error during authentication ' . 'for ' . $otpDevice->getSecret() . ' with Token: ' . $token . '. Error: ' .
                radius_strerror($rh));
            throw new Zend_Exception('Error during RADIUS authentication: ' . radius_strerror($rh));
    }
}