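/**
 * Duo Web second-factor callback for this login backend.
 *
 * Verifies the nonce posted with the Duo form, then hands the posted
 * sig_response to Duo::verifyResponse(). On success the verified username
 * is stored in $this->AuthResult; on any failure AuthResult stays false.
 *
 * @return bool|int true on success, otherwise ulLoginBackend::ERROR (nonce
 *                  problem) or ulLoginBackend::BAD_CREDENTIALS (Duo rejected
 *                  or no usable response was posted)
 */
private function DuoAuth()
{
    $this->AuthResult = false;

    // The nonce ties the Duo response to the login form that requested it;
    // reject the request outright if it is absent or does not verify.
    if (!isset($_POST['ulDuoSecLoginNonce'])) {
        return ulLoginBackend::ERROR;
    }
    if (!ulNonce::Verify('ulDuoSecLogin', $_POST['ulDuoSecLoginNonce'])) {
        return ulLoginBackend::ERROR;
    }

    // A missing or non-string sig_response can never verify; bail before
    // handing it to the Duo library rather than passing an undefined index.
    if (!isset($_POST['sig_response']) || !is_string($_POST['sig_response'])) {
        return ulLoginBackend::BAD_CREDENTIALS;
    }

    // verifyResponse() returns the authenticated username, or NULL when the
    // response does not verify. Compare strictly so only a real username
    // counts as success.
    $resp = Duo::verifyResponse(UL_DUOSEC_IKEY, UL_DUOSEC_SKEY, UL_DUOSEC_AKEY, $_POST['sig_response']);
    if ($resp === null || $resp === '') {
        return ulLoginBackend::BAD_CREDENTIALS;
    }

    // Caller completes the login (cookies/session) for this username.
    $this->AuthResult = $resp;
    return true;
}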
include $_SESSION['settings']['cpassman_dir'] . '/includes/settings.php'; // load library require_once $_SESSION['settings']['cpassman_dir'] . '/includes/libraries/Authentication/DuoSecurity/Duo.php'; $sig_request = Duo::signRequest(IKEY, SKEY, AKEY, $_POST['login']); if ($debugDuo == 1) { $dbgDuo = fopen($_SESSION['settings']['path_to_files_folder'] . "/duo.debug.txt", "w"); fputs($dbgDuo, "\n\n-----\n\n" . "sig request : " . $_POST['login'] . "\n" . 'resp : ' . $sig_request . "\n"); } // return result echo '[{"sig_request" : "' . $sig_request . '"}]'; } elseif ($_POST['type'] == "identify_duo_user_check") { // this step is verifying the response received from the server include $_SESSION['settings']['cpassman_dir'] . '/includes/settings.php'; // load library require_once $_SESSION['settings']['cpassman_dir'] . '/includes/libraries/Authentication/DuoSecurity/Duo.php'; $resp = Duo::verifyResponse(IKEY, SKEY, AKEY, $_POST['sig_response']); if ($debugDuo == 1) { $dbgDuo = fopen($_SESSION['settings']['path_to_files_folder'] . "/duo.debug.txt", "a"); fputs($dbgDuo, "\n\n-----\n\n" . "sig response : " . $_POST['sig_response'] . "\n" . 'resp : ' . $resp . "\n"); } // return the response (which should be the user name) if ($resp === $_POST['login']) { echo '[{"resp" : "' . $resp . '"}]'; } else { echo '[{"resp" : "' . $resp . '"}]'; } } elseif ($_POST['type'] == "identify_user") { // identify the user through Teampass process identifyUser($_POST['data']); } elseif ($_POST['type'] == "store_data_in_cookie") { // not used any more (only development purpose)
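/**
 * WordPress 'authenticate' filter that wraps the primary login with a Duo
 * second factor.
 *
 * Two requests reach this hook:
 *  - primary auth: a username/password post; after the password check
 *    succeeds the Duo prompt is started instead of completing the login;
 *  - secondary auth: a post carrying Duo's sig_response; when it verifies,
 *    the user is logged in and the auth cookie is set.
 *
 * @param WP_User|WP_Error|string|null $user     result of earlier 'authenticate' filters
 * @param string                       $username submitted username
 * @param string                       $password submitted password
 * @return WP_User|WP_Error|null WP_User on a completed login, WP_Error when
 *         the second factor fails, null to let the remaining filters decide
 */
function duo_authenticate_user($user = "", $username = "", $password = "")
{
    // play nicely with other plugins if they have higher priority than us
    if (is_a($user, 'WP_User')) {
        return $user;
    }

    if (!duo_auth_enabled()) {
        duo_debug_log('Duo not enabled, skipping 2FA.');
        return;
    }

    if (isset($_POST['sig_response'])) {
        // secondary auth: verifyResponse() yields the username only when the
        // signed response is authentic and not expired (duo_get_time() is the
        // clock it checks against)
        remove_action('authenticate', 'wp_authenticate_username_password', 20);
        $akey = duo_get_akey();
        $duo_time = duo_get_time();
        $username = Duo::verifyResponse(duo_get_option('duo_ikey'), duo_get_option('duo_skey'), $akey, $_POST['sig_response'], $duo_time);

        if (!$username) {
            return new WP_Error('Duo authentication_failed', __('<strong>ERROR</strong>: Failed or expired two factor authentication'));
        }

        // Don't use get_user_by(). It doesn't return a WP_User object if wordpress version < 3.3
        $user = new WP_User(0, $username);
        duo_set_cookie($user);
        duo_debug_log("Second factor successful for user: {$username}");
        return $user;
    }

    if (strlen($username) > 0) {
        // primary auth
        // Don't use get_user_by(). It doesn't return a WP_User object if wordpress version < 3.3
        $user = new WP_User(0, $username);
        // `new` never yields a falsy value, so `if (!$user)` could not fire;
        // test the loaded ID instead, which is 0 when no such user exists.
        if (!$user->ID) {
            error_log("Failed to retrieve WP user {$username}");
            return;
        }
        if (!duo_role_require_mfa($user)) {
            duo_debug_log("Skipping 2FA for user: {$username} with roles: " . print_r($user->roles, true));
            return;
        }

        // Run the password check ourselves instead of leaving it to the
        // default filter, so WordPress does not finish the login before the
        // second factor has run.
        remove_action('authenticate', 'wp_authenticate_username_password', 20);
        $user = wp_authenticate_username_password(null, $username, $password);
        if (!is_a($user, 'WP_User')) {
            // on error, return said error (and skip the remaining plugin chain)
            return $user;
        }
        duo_debug_log("Primary auth succeeded, starting second factor for {$username}");
        duo_start_second_factor($user);
    }

    duo_debug_log('Starting primary authentication');
}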
SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'duosecurity:request'); if (array_key_exists('core:SP', $state)) { $spentityid = $state['core:SP']; } else { if (array_key_exists('saml:sp:State', $state)) { $spentityid = $state['saml:sp:State']['core:SP']; } else { $spentityid = 'UNKNOWN'; } } // Duo returned a good auth, pass the user on if (isset($_POST['sig_response'])) { require SimpleSAML_Module::getModuleDir('duosecurity') . '/templates/duo_web.php'; $resp = Duo::verifyResponse($state['duosecurity:ikey'], $state['duosecurity:skey'], $state['duosecurity:akey'], $_POST['sig_response']); if (isset($state['Attributes'][$state['duosecurity:usernameAttribute']])) { $username = $state['Attributes'][$state['duosecurity:usernameAttribute']][0]; } else { throw new SimpleSAML_Error_BadRequest('Missing required username attribute.'); } if ($resp != NULL and $resp === $username) { $state['duo_complete'] = True; SimpleSAML_Auth_ProcessingChain::resumeProcessing($state); } else { throw new SimpleSAML_Error_BadRequest('Response verification failed.'); } } // Bypass Duo if auth source is not specified in config file /* $bypassDuo = False;
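/**
 * Action handler for the Duo second-factor form post
 * ("duo_post_verification_code").
 *
 * Verifies the posted sig_response against the configured Duo keys and, only
 * when it resolves to the user who owns the current session, unlocks that
 * user and switches them to their active (or forced default) repository.
 * Every other outcome ends the session and asks the client to log in again.
 *
 * @param string $action   dispatched action name; ignored unless it is ours
 * @param array  $httpVars request parameters
 * @param array  $fileVars uploaded files (unused)
 * @return void
 */
public function postVerificationCode($action, $httpVars, $fileVars)
{
    if ($action != "duo_post_verification_code") {
        return;
    }
    $u = AuthService::getLoggedUser();
    if ($u == null) {
        return;
    }

    $accepted = false;
    $switched = false;

    // Without a string sig_response there is nothing to verify; count it as a
    // failed second factor instead of passing an undefined index to the library.
    if (isset($httpVars["sig_response"]) && is_string($httpVars["sig_response"])) {
        require_once $this->getBaseDir() . "/duo_php/duo_web.php";
        $appUnique = $this->getFilteredOption("DUO_AUTH_AKEY");
        $iKey = $this->getFilteredOption("DUO_AUTH_IKEY");
        $sKey = $this->getFilteredOption("DUO_AUTH_SKEY");
        $verif = Duo::verifyResponse($iKey, $sKey, $appUnique, $httpVars["sig_response"]);
        // Strict, string-normalised comparison: the verified identity must be
        // exactly the session user's id. The previous loose `==` could accept
        // type-juggled or numerically-equal values as a match.
        $accepted = ($verif !== null && $verif !== '' && (string) $verif === (string) $u->getId());
    }

    if ($accepted) {
        $u->removeLock();
        $u->save("superuser");
        $u->recomputeMergedRole();
        AuthService::updateUser($u);
        ConfService::switchUserToActiveRepository($u);
        // Honour a forced start repository unless the request or session
        // already names one.
        $force = $u->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
        $passId = -1;
        if ($force != "" && $u->canSwitchTo($force) && !isset($httpVars["tmp_repository_id"]) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
            $passId = $force;
        }
        $switched = (bool) ConfService::switchUserToActiveRepository($u, $passId);
    }

    if (!$accepted || !$switched) {
        // Single rejection path: drop the session and require a fresh login.
        AuthService::disconnect();
        AJXP_XMLWriter::header();
        AJXP_XMLWriter::requireAuth(true);
        AJXP_XMLWriter::close();
    }
}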