コード例 #1
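 /**
  * Completes the Duo second-factor step of a login.
  *
  * Checks the form nonce posted as `ulDuoSecLoginNonce`, then passes the
  * posted `sig_response` to Duo::verifyResponse(). On success the username
  * returned by Duo is stored in $this->AuthResult.
  *
  * @return mixed true when Duo verified the response; ulLoginBackend::ERROR
  *               when the nonce is missing or does not verify;
  *               ulLoginBackend::BAD_CREDENTIALS when the signed response is
  *               missing, malformed or rejected.
  */
 private function DuoAuth()
 {
     $this->AuthResult = false;

     // Verify nonce first
     if (!isset($_POST['ulDuoSecLoginNonce'])
         || !ulNonce::Verify('ulDuoSecLogin', $_POST['ulDuoSecLoginNonce'])) {
         return ulLoginBackend::ERROR;
     }

     // sig_response is client-supplied: a missing field or a non-string value
     // (e.g. an array-valued form field) is rejected before it reaches the
     // Duo library instead of being passed through as-is.
     if (!isset($_POST['sig_response']) || !is_string($_POST['sig_response'])) {
         return ulLoginBackend::BAD_CREDENTIALS;
     }

     // verifyResponse() returns the username on success and NULL otherwise
     // (per the original comment here); only a non-empty string is accepted.
     $resp = Duo::verifyResponse(UL_DUOSEC_IKEY, UL_DUOSEC_SKEY, UL_DUOSEC_AKEY, $_POST['sig_response']);
     if (!is_string($resp) || $resp === '') {
         return ulLoginBackend::BAD_CREDENTIALS;
     }

     // NOTE(review): the username stored here comes from the signed response.
     // The caller should confirm it is the same account that passed primary
     // authentication before creating a session for it - not visible from here.
     $this->AuthResult = $resp;
     return true;
 }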
コード例 #2
ファイル: identify.php プロジェクト: chansolo/TeamPass
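    include $_SESSION['settings']['cpassman_dir'] . '/includes/settings.php';
    // load library
    require_once $_SESSION['settings']['cpassman_dir'] . '/includes/libraries/Authentication/DuoSecurity/Duo.php';
    // The login name is client-supplied: only a string is handed to the Duo
    // library; anything else is signed as an empty name.
    // NOTE(review): nothing in this excerpt shows that the login has passed a
    // primary check before a request is signed for it - confirm against the
    // surrounding flow.
    $duoLogin = (isset($_POST['login']) && is_string($_POST['login'])) ? $_POST['login'] : '';
    $sig_request = Duo::signRequest(IKEY, SKEY, AKEY, $duoLogin);
    if ($debugDuo == 1) {
        // Debug only: this file receives the login name and the signed request,
        // so it must not be web-readable and the flag should stay off in production.
        $dbgDuo = fopen($_SESSION['settings']['path_to_files_folder'] . "/duo.debug.txt", "w");
        if ($dbgDuo !== false) {
            fputs($dbgDuo, "\n\n-----\n\n" . "sig request : " . $duoLogin . "\n" . 'resp : ' . $sig_request . "\n");
            // Close the handle so it is not left open for the rest of the request.
            fclose($dbgDuo);
        }
    }
    // return result
    echo '[{"sig_request" : "' . $sig_request . '"}]';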
} elseif ($_POST['type'] == "identify_duo_user_check") {
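    // this step is verifying the response received from the server
    include $_SESSION['settings']['cpassman_dir'] . '/includes/settings.php';
    // load library
    require_once $_SESSION['settings']['cpassman_dir'] . '/includes/libraries/Authentication/DuoSecurity/Duo.php';
    // Both fields are client-supplied; a missing or non-string value is treated
    // as a failed check rather than being passed on.
    $sigResponse = (isset($_POST['sig_response']) && is_string($_POST['sig_response'])) ? $_POST['sig_response'] : '';
    $claimedLogin = (isset($_POST['login']) && is_string($_POST['login'])) ? $_POST['login'] : '';
    $resp = ($sigResponse !== '') ? Duo::verifyResponse(IKEY, SKEY, AKEY, $sigResponse) : null;
    if ($debugDuo == 1) {
        // Debug only: this file receives the raw signed response, so it must not
        // be web-readable and the flag should stay off in production.
        $dbgDuo = fopen($_SESSION['settings']['path_to_files_folder'] . "/duo.debug.txt", "a");
        if ($dbgDuo !== false) {
            fputs($dbgDuo, "\n\n-----\n\n" . "sig response : " . $sigResponse . "\n" . 'resp : ' . $resp . "\n");
            fclose($dbgDuo);
        }
    }
    // return the response (which should be the user name)
    // The verified name is reported only when it equals the login the client
    // claims. Previously both branches echoed $resp, so a mismatch looked the
    // same as a match. A failed or mismatching check yields an empty "resp",
    // the same shape a NULL verification result already produced.
    // NOTE(review): this only reports the outcome; whatever grants the session
    // should rely on a server-side record of this check - confirm in the caller.
    $verifiedLogin = (is_string($resp) && $resp !== '' && $resp === $claimedLogin) ? $resp : '';
    // json_encode() escapes quotes and backslashes that a login name may contain.
    echo json_encode(array(array('resp' => $verifiedLogin)));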
} elseif ($_POST['type'] == "identify_user") {
    // identify the user through Teampass process
    // NOTE(review): the POSTed 'data' field is handed to identifyUser() exactly as
    // received; identifyUser() is defined outside this excerpt, so any validation
    // of that value has to be confirmed there.
    identifyUser($_POST['data']);
} elseif ($_POST['type'] == "store_data_in_cookie") {
    // not used any more (only development purpose)
コード例 #3
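/**
 * Authentication handler that adds a Duo second factor to the WordPress login.
 *
 * Three paths are handled:
 *  - a WP_User supplied by an earlier handler is returned untouched;
 *  - a posted `sig_response` is verified with Duo and, when valid, the user
 *    named in it is returned (secondary auth);
 *  - otherwise, for a non-empty username whose role requires 2FA, the
 *    password is checked and the second factor is started (primary auth).
 *
 * @param mixed  $user     WP_User from an earlier handler, or empty.
 * @param string $username Login name submitted with the form.
 * @param string $password Password submitted with the form.
 * @return WP_User|WP_Error|null WP_User on a verified second factor, WP_Error
 *         on failure, null to leave the decision to the remaining handlers.
 */
function duo_authenticate_user($user = "", $username = "", $password = "")
{
    // play nicely with other plugins if they have higher priority than us
    if ($user instanceof WP_User) {
        return $user;
    }
    if (!duo_auth_enabled()) {
        duo_debug_log('Duo not enabled, skipping 2FA.');
        return;
    }

    if (isset($_POST['sig_response'])) {
        // secondary auth
        remove_action('authenticate', 'wp_authenticate_username_password', 20);
        $akey = duo_get_akey();
        $duo_time = duo_get_time();

        // sig_response is client-supplied: a non-string value (e.g. an
        // array-valued form field) counts as a failed verification instead of
        // being passed into the Duo library.
        $sig_response = $_POST['sig_response'];
        $username = is_string($sig_response)
            ? Duo::verifyResponse(duo_get_option('duo_ikey'), duo_get_option('duo_skey'), $akey, $sig_response, $duo_time)
            : null;

        if ($username) {
            // Don't use get_user_by(). It doesn't return a WP_User object if wordpress version < 3.3
            $user = new WP_User(0, $username);
            // A verified response must still name an existing account before a
            // login cookie is issued for it.
            if (!empty($user->ID)) {
                duo_set_cookie($user);
                duo_debug_log("Second factor successful for user: {$username}");
                return $user;
            }
        }
        return new WP_Error('Duo authentication_failed', __('<strong>ERROR</strong>: Failed or expired two factor authentication'));
    }

    if (strlen($username) > 0) {
        // primary auth
        // Don't use get_user_by(). It doesn't return a WP_User object if wordpress version < 3.3
        $user = new WP_User(0, $username);
        // `new` always yields an object, so the former `!$user` test could never
        // fire; an unknown login is recognised by its empty ID instead.
        if (empty($user->ID)) {
            error_log("Failed to retrieve WP user {$username}");
            return;
        }
        if (!duo_role_require_mfa($user)) {
            duo_debug_log("Skipping 2FA for user: {$username} with roles: " . print_r($user->roles, true));
            return;
        }
        remove_action('authenticate', 'wp_authenticate_username_password', 20);
        $user = wp_authenticate_username_password(NULL, $username, $password);
        if (!($user instanceof WP_User)) {
            // on error, return said error (and skip the remaining plugin chain)
            return $user;
        }
        duo_debug_log("Primary auth succeeded, starting second factor for {$username}");
        duo_start_second_factor($user);
    }
    duo_debug_log('Starting primary authentication');
}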
コード例 #4
    SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
// Reload the state that was saved for the 'duosecurity:request' stage.
$state = SimpleSAML_Auth_State::loadState($id, 'duosecurity:request');

// Resolve the SP entity ID: prefer the top-level 'core:SP' entry, then the one
// nested under 'saml:sp:State', and fall back to 'UNKNOWN'.
$spentityid = 'UNKNOWN';
if (array_key_exists('core:SP', $state)) {
    $spentityid = $state['core:SP'];
} elseif (array_key_exists('saml:sp:State', $state)) {
    $spentityid = $state['saml:sp:State']['core:SP'];
}
// Duo posted a signed response back: verify it and, if it names the expected
// user, mark Duo as complete and resume the processing chain.
if (isset($_POST['sig_response'])) {
    require SimpleSAML_Module::getModuleDir('duosecurity') . '/templates/duo_web.php';

    $resp = Duo::verifyResponse(
        $state['duosecurity:ikey'],
        $state['duosecurity:skey'],
        $state['duosecurity:akey'],
        $_POST['sig_response']
    );

    // The username Duo must confirm is the first value of the configured attribute.
    $usernameAttribute = $state['duosecurity:usernameAttribute'];
    if (!isset($state['Attributes'][$usernameAttribute])) {
        throw new SimpleSAML_Error_BadRequest('Missing required username attribute.');
    }
    $username = $state['Attributes'][$usernameAttribute][0];

    // Reject an empty verification result, or one signed for a different user
    // than the one held in the saved state.
    if ($resp == NULL or $resp !== $username) {
        throw new SimpleSAML_Error_BadRequest('Response verification failed.');
    }

    $state['duo_complete'] = True;
    SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
}
// Bypass Duo if auth source is not specified in config file
/*
$bypassDuo = False;
コード例 #5
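 /**
  * Handles the "duo_post_verification_code" action: verifies the Duo signed
  * response for the logged user and either unlocks the account or disconnects.
  *
  * @param string $action   Action name; anything other than
  *                         "duo_post_verification_code" is ignored.
  * @param array  $httpVars Request variables; "sig_response" carries the
  *                         signed Duo response.
  * @param array  $fileVars Not used by this method.
  * @return void
  */
 public function postVerificationCode($action, $httpVars, $fileVars)
 {
     if ($action != "duo_post_verification_code") {
         return;
     }
     $u = AuthService::getLoggedUser();
     if ($u == null) {
         return;
     }

     // sig_response is client-supplied: a missing or non-string value is treated
     // as a failed verification instead of being passed to the Duo library.
     $sigResponse = isset($httpVars["sig_response"]) ? $httpVars["sig_response"] : null;

     require_once $this->getBaseDir() . "/duo_php/duo_web.php";
     $appUnique = $this->getFilteredOption("DUO_AUTH_AKEY");
     $iKey = $this->getFilteredOption("DUO_AUTH_IKEY");
     $sKey = $this->getFilteredOption("DUO_AUTH_SKEY");
     $verif = is_string($sigResponse) ? Duo::verifyResponse($iKey, $sKey, $appUnique, $sigResponse) : null;

     // The verified name must be exactly the logged user's id. A loose == lets
     // PHP compare numeric-looking strings as numbers, so two different ids
     // could be judged equal; compare as strings with === instead.
     $accepted = is_string($verif) && $verif !== "" && $verif === (string) $u->getId();

     if ($accepted) {
         $u->removeLock();
         $u->save("superuser");
         $u->recomputeMergedRole();
         AuthService::updateUser($u);
         ConfService::switchUserToActiveRepository($u);
         $force = $u->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
         $passId = -1;
         if ($force != "" && $u->canSwitchTo($force) && !isset($httpVars["tmp_repository_id"]) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
             $passId = $force;
         }
         // A failed repository switch is handled like a failed verification.
         $accepted = ConfService::switchUserToActiveRepository($u, $passId) ? true : false;
     }

     if (!$accepted) {
         // Single rejection path: drop the session and ask the client to authenticate again.
         AuthService::disconnect();
         AJXP_XMLWriter::header();
         AJXP_XMLWriter::requireAuth(true);
         AJXP_XMLWriter::close();
     }
 }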
コード例 #6
        throw new SimpleSAML_Error_BadRequest('Missing required username attribute.');
    }
    if ($resp != NULL and $resp === $username) {
        SimpleSAML_Auth_ProcessingChain::resumeProcessing($this->data['state']);
    } else {
        throw new SimpleSAML_Error_BadRequest('Response verification failed.');
    }
}
/*
 * Verify username and password. If the user and pass are good, then generate
 * a sig_request and load up the Duo iframe for secondary authentication.
 */
if (isset($attributes[$username_attribute])) {
    $username = $attributes[$username_attribute][0];
    // Generate sig request and then load up Duo javascript and iframe
    $sig_request = Duo::signRequest(IKEY, SKEY, AKEY, $username);
    ?>
    <script src="Duo-Web-v2.min.js"></script>
    <link rel="stylesheet" type="text/css" href="Duo-Frame.css">
    <?php 
    foreach ($this->data['yesData'] as $name => $value) {
        printf('<input type="hidden" id="%s" name="%s" value="%s" />', xssafe($name), xssafe($name), xssafe($value));
    }
    ?>

    <iframe id="duo_iframe" frameborder="0" data-host="<?php 
    xecho(HOST);
    ?>
" data-sig-request="<?php 
    xecho($sig_request);
    ?>
コード例 #7
<?php

// ********************************
//	DO NOT MODIFY
// ********************************
$returnUrl = ulUtils::CurrentURL();
$sig_request = Duo::signRequest(UL_DUOSEC_IKEY, UL_DUOSEC_SKEY, UL_DUOSEC_AKEY, $uid);
// ********************************
//	MAKE MODIFICATION BELOW WHERE NOTED
//  If possible, only insert but do not modify
// ********************************
// ********************************
//	Your HTML here
//  doctype, head, title etc.
// ********************************
?>
<script src="<?php 
echo UL_DUOSEC_JQUERY_URI;
?>
"></script>
<script src="<?php 
echo UL_DUOSEC_JS_URL;
?>
"></script>
<script>
Duo.init({
	'host':'<?php 
echo UL_DUOSEC_HOST;
?>
',
	'post_action':'<?php 
コード例 #8
ファイル: login.php プロジェクト: martinkirov/intersango
                            $name = $attributes['namePerson'];
                        }
                        addlog(LOG_LOGIN, "oid: '{$oidlogin}'; email: '{$email}'; friendly: '{$friendly}'; name: '{$name}'");
                    }
                    // is this OpenID known to us?
                    // Looks up the account row (uid and the use_duo flag) for the OpenID login.
                    // NOTE(review): the value compared against oidlogin is shown masked
                    // ('******') in this listing, so how it is placed into the statement
                    // cannot be seen here. If it is built from $oidlogin, it should be
                    // bound as a query parameter rather than concatenated - confirm
                    // against the real file.
                    $query = "\n                SELECT uid, use_duo\n                FROM users\n                WHERE oidlogin='******'\n                LIMIT 1;\n            ";
                    $result = do_query($query);
                    // $use_duo and $uid are assigned only when a row comes back.
                    // NOTE(review): confirm both are initialised before this point,
                    // because $use_duo is read immediately after this block.
                    if (has_results($result)) {
                        $row = get_row($result);
                        $use_duo = $row['use_duo'];
                        $uid = (string) $row['uid'];
                    }
                    if ($use_duo) {
                        addlog(LOG_LOGIN, sprintf("  duo login for UID %s (openid %s)", $uid, $oidlogin));
                        show_header('login', 0);
                        $sig_request = Duo::signRequest(IKEY, SKEY, AKEY, $oidlogin);
                        ?>
    <script src="js/Duo-Web-v1.bundled.min.js"></script>
    <script>
        Duo.init({'host': <?php 
                        echo "'" . HOST . "'";
                        ?>
,
                  'post_action': '?page=login',
                  'sig_request': <?php 
                        echo "'" . $sig_request . "'";
                        ?>
 });
    </script>
    <iframe id="duo_iframe" width="500" height="800" frameborder="0" allowtransparency="true" style="background: transparent;"></iframe>
<?php