ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
YubiKey.php
Go to the documentation of this file.
1 <?php
2 
3 /*
4  * Copyright (C) 2009 Andreas Åkre Solberg <andreas.solberg@uninett.no>
5  * Copyright (C) 2009 Simon Josefsson <simon@yubico.com>.
6  *
7  * This file is part of SimpleSAMLphp
8  *
9  * SimpleSAMLphp is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU Lesser General Public License
11  * as published by the Free Software Foundation; either version 3 of
12  * the License, or (at your option) any later version.
13  *
14  * SimpleSAMLphp is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17  * Lesser General Public License for more details.
18  *
19  * You should have received a copy of the GNU Lesser General Public
20  * License License along with GNU SASL Library; if not, write to the
21  * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
22  * Boston, MA 02110-1301, USA.
23  *
24  */
25 
42 class sspmod_authYubiKey_Auth_Source_YubiKey extends SimpleSAML_Auth_Source {
43 
47  const STAGEID = 'sspmod_authYubiKey_Auth_Source_YubiKey.state';
48 
53  const TOKENSIZE = 32;
54 
58  const AUTHID = 'sspmod_authYubiKey_Auth_Source_YubiKey.AuthId';
59 
63  private $yubi_id;
64  private $yubi_key;
65 
72  public function __construct($info, $config) {
73  assert('is_array($info)');
74  assert('is_array($config)');
75 
76  // Call the parent constructor first, as required by the interface
77  parent::__construct($info, $config);
78 
79  if (array_key_exists('id', $config)) {
80  $this->yubi_id = $config['id'];
81  }
82 
83  if (array_key_exists('key', $config)) {
84  $this->yubi_key = $config['key'];
85  }
86  }
87 
88 
97  public function authenticate(&$state) {
98  assert('is_array($state)');
99 
100  // We are going to need the authId in order to retrieve this authentication source later
101  $state[self::AUTHID] = $this->authId;
102 
103  $id = SimpleSAML_Auth_State::saveState($state, self::STAGEID);
104 
105  $url = SimpleSAML\Module::getModuleURL('authYubiKey/yubikeylogin.php');
106  \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('AuthState' => $id));
107  }
108 
109 
122  public static function handleLogin($authStateId, $otp) {
123  assert('is_string($authStateId)');
124  assert('is_string($otp)');
125 
126  /* Retrieve the authentication state. */
127  $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
128 
129  /* Find authentication source. */
130  assert('array_key_exists(self::AUTHID, $state)');
131  $source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]);
132  if ($source === NULL) {
133  throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
134  }
135 
136 
137  try {
138  /* Attempt to log in. */
139  $attributes = $source->login($otp);
140  } catch (SimpleSAML_Error_Error $e) {
141  /* An error occurred during login. Check if it is because of the wrong
142  * username/password - if it is, we pass that error up to the login form,
143  * if not, we let the generic error handler deal with it.
144  */
145  if ($e->getErrorCode() === 'WRONGUSERPASS') {
146  return 'WRONGUSERPASS';
147  }
148 
149  /* Some other error occurred. Rethrow exception and let the generic error
150  * handler deal with it.
151  */
152  throw $e;
153  }
154 
155  $state['Attributes'] = $attributes;
156  SimpleSAML_Auth_Source::completeAuth($state);
157  }
158 
162  public static function getYubiKeyPrefix($otp) {
163  $uid = substr ($otp, 0, strlen ($otp) - self::TOKENSIZE);
164  return $uid;
165  }
166 
180  protected function login($otp) {
181  assert('is_string($otp)');
182 
183  require_once dirname(dirname(dirname(dirname(__FILE__)))) . '/libextinc/Yubico.php';
184 
185  $attributes = array();
186 
187  try {
188  $yubi = new Auth_Yubico($this->yubi_id, $this->yubi_key);
189  $auth = $yubi->verify($otp);
190  $uid = self::getYubiKeyPrefix($otp);
191  $attributes = array('uid' => array($uid));
192  } catch (Exception $e) {
193  SimpleSAML\Logger::info('YubiKey:' . $this->authId . ': Validation error (otp ' . $otp . '), debug output: ' . $yubi->getLastResponse());
194 
195  throw new SimpleSAML_Error_Error('WRONGUSERPASS', $e);
196  }
197 
198  SimpleSAML\Logger::info('YubiKey:' . $this->authId . ': YubiKey otp ' . $otp . ' validated successfully: ' . $yubi->getLastResponse());
199 
200  return $attributes;
201  }
202 
203 }
Auth_Yubico
$auth
$auth
Definition: metadata.php:48
sspmod_authYubiKey_Auth_Source_YubiKey\getYubiKeyPrefix
static getYubiKeyPrefix($otp)
Return the user id part of a one time passord.
Definition: YubiKey.php:162
sspmod_authYubiKey_Auth_Source_YubiKey\$yubi_id
$yubi_id
The client id/key for use with the Auth_Yubico PHP module.
Definition: YubiKey.php:63
sspmod_authYubiKey_Auth_Source_YubiKey\AUTHID
const AUTHID
The key of the AuthId field in the state.
Definition: YubiKey.php:58
sspmod_authYubiKey_Auth_Source_YubiKey\login
login($otp)
Attempt to log in using the given username and password.
Definition: YubiKey.php:180
sspmod_authYubiKey_Auth_Source_YubiKey\TOKENSIZE
const TOKENSIZE
The number of characters of the OTP that is the secure token.
Definition: YubiKey.php:53
SimpleSAML_Auth_Source\$authId
$authId
Definition: Source.php:22
$id
if(!array_key_exists('StateId', $_REQUEST)) $id
Definition: expirywarning.php:14
$attributes
$attributes
Definition: serviceValidate.php:33
SimpleSAML\Utils\HTTP\redirectTrustedURL
static redirectTrustedURL($url, $parameters=array())
This function redirects to the specified URL without performing any security checks.
Definition: HTTP.php:962
sspmod_authYubiKey_Auth_Source_YubiKey\__construct
__construct($info, $config)
Constructor for this authentication source.
Definition: YubiKey.php:72
SimpleSAML\Module\getModuleURL
static getModuleURL($resource, array $parameters=array())
Get absolute URL to a specified module resource.
Definition: Module.php:303
$state
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
Definition: linkback.php:10
SimpleSAML\Logger\info
static info($string)
Definition: Logger.php:201
SimpleSAML_Error_Error
Definition: Error.php:10
sspmod_authYubiKey_Auth_Source_YubiKey\authenticate
authenticate(&$state)
Initialize login.
Definition: YubiKey.php:97
SimpleSAML_Auth_State\loadState
static loadState($id, $stage, $allowMissing=false)
Retrieve saved state.
Definition: State.php:259
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
sspmod_authYubiKey_Auth_Source_YubiKey\STAGEID
const STAGEID
The string used to identify our states.
Definition: YubiKey.php:47
sspmod_authYubiKey_Auth_Source_YubiKey\handleLogin
static handleLogin($authStateId, $otp)
Handle login request.
Definition: YubiKey.php:122
$url
$url
Definition: proxy_ylocal.php:28
SimpleSAML_Auth_Source\completeAuth
static completeAuth(&$state)
Complete authentication.
Definition: Source.php:135
$source
$source
Definition: linkback.php:22
SimpleSAML_Auth_Source\getById
static getById($authId, $type=null)
Retrieve authentication source.
Definition: Source.php:324
$info
$info
Definition: index.php:5
$authStateId
if(!array_key_exists('AuthState', $_REQUEST)) $authStateId
Definition: yubikeylogin.php:15
SimpleSAML_Error_Error\getErrorCode
getErrorCode()
Retrieve the error code given when throwing this error.
Definition: Error.php:129
SimpleSAML_Auth_State\saveState
static saveState(&$state, $stage, $rawId=false)
Save the state.
Definition: State.php:194
sspmod_authYubiKey_Auth_Source_YubiKey
Definition: YubiKey.php:42
sspmod_authYubiKey_Auth_Source_YubiKey\$yubi_key
$yubi_key
Definition: YubiKey.php:64
SimpleSAML_Auth_Source
Definition: Source.php:12