Update and some additional bug fixes (transaction_id missing in error…
… page). Regarding #15: send two requests to privacyIDEA.
sbidy committed Dec 21, 2018
1 parent 50c5262 commit b58a01f
Showing 3 changed files with 44 additions and 17 deletions.
16 changes: 8 additions & 8 deletions privacyIDEAADFSProvider/Adapter.cs
Expand Up @@ -20,11 +20,13 @@ public class Adapter : IAuthenticationAdapter
private string privacyIDEAurl;
public string privacyIDEArealm;
public string username;
string transaction_id = "";
private bool ssl = true;
private string token;
private string admin_user;
private string admin_pw;
public ADFSinterface[] uidefinition;
public ADFSinterface[] uidefinition;
private OTPprovider otp_prov;

public IAuthenticationAdapterMetadata Metadata
{
Expand All @@ -44,7 +46,6 @@ public IAuthenticationAdapterMetadata Metadata
/// <returns>new instance of IAdapterPresentationForm</returns>
public IAdapterPresentation BeginAuthentication(Claim identityClaim, HttpListenerRequest request, IAuthenticationContext authContext)
{
string transaction_id = "";
// seperates the username from the domain
// TODO: Map the domain to the PI3A realm
string[] tmp = identityClaim.Value.Split('\\');
Expand All @@ -53,9 +54,9 @@ public IAdapterPresentation BeginAuthentication(Claim identityClaim, HttpListene
// check if ssl is disabled in the config
// TODO: Delete for security reasons
if (!ssl) ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;

// trigger challenge
OTPprovider otp_prov = new OTPprovider(privacyIDEAurl);
otp_prov = new OTPprovider(privacyIDEAurl);
// get a new admin token for all requests if the an admin pw is defined
// #2
if (!string.IsNullOrEmpty(admin_pw) && !string.IsNullOrEmpty(admin_user))
Expand All @@ -68,7 +69,7 @@ public IAdapterPresentation BeginAuthentication(Claim identityClaim, HttpListene
transaction_id = otp_prov.triggerChallenge(username, privacyIDEArealm, token);
}

return new AdapterPresentationForm(uidefinition, username, privacyIDEArealm, transaction_id);
return new AdapterPresentationForm(false, uidefinition, username, privacyIDEArealm, transaction_id);
}

// TODO remove ?
Expand Down Expand Up @@ -119,7 +120,7 @@ public void OnAuthenticationPipelineUnload()
/// <returns>new instance of IAdapterPresentationForm derived class</returns>
public IAdapterPresentation OnError(HttpListenerRequest request, ExternalAuthenticationException ex)
{
return new AdapterPresentationForm(true, uidefinition);
return new AdapterPresentationForm(true, uidefinition, username, privacyIDEArealm, transaction_id);
}
/// <summary>
/// Function call after the user hits submit - it proofs the values (OTP pin)
Expand All @@ -145,7 +146,7 @@ public IAdapterPresentation TryEndAuthentication(IAuthenticationContext authCont
else
{
//authentication not complete - return new instance of IAdapterPresentationForm derived class and the generic error message
return new AdapterPresentationForm(true, uidefinition);
return new AdapterPresentationForm(true, uidefinition, username, privacyIDEArealm, transaction_id);
}
}

Expand All @@ -165,7 +166,6 @@ bool ValidateProofData(IProofData proofData, IAuthenticationContext authContext)
string session_realm = (string)proofData.Properties["realm"];
string transaction_id = (string)proofData.Properties["transaction_id"];
// end fix
OTPprovider otp_prov = new OTPprovider(privacyIDEAurl);
#if DEBUG
Debug.WriteLine(debugPrefix+"OTP Code: " + otpvalue + " User: " + session_user + " Server: " + session_realm + " Transaction_id" + transaction_id);
#endif
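Review bot: Promoting `transaction_id` (`string transaction_id = "";` in the field list) and `otp_prov` (`private OTPprovider otp_prov;`) to instance fields gives them the lifetime of the Adapter object rather than of one authentication attempt, so if ADFS serves concurrent logons from the same instance — the pre-existing `public string username;` field already has this shape, so this may be an accepted trade-off — a later BeginAuthentication overwrites the transaction id and the OTPprovider (including its challenge flag) of a logon still in progress, and the error form built at `return new AdapterPresentationForm(true, uidefinition, username, privacyIDEArealm, transaction_id);` can then carry another user's values. Per-attempt state is better kept in `authContext.Data`, which BeginAuthentication, TryEndAuthentication and ValidateProofData all receive, e.g. `authContext.Data["transaction_id"] = transaction_id;`, leaving a field only for the OnError path that has no context. Note also that ValidateProofData now depends on the `otp_prov` field assigned in BeginAuthentication, so a call on an instance where BeginAuthentication has not run throws a NullReferenceException that the removed local `new OTPprovider(privacyIDEAurl)` could not; a null check or a lazily created provider would avoid that. Each of the touched methods continues outside its hunk.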
6 changes: 1 addition & 5 deletions privacyIDEAADFSProvider/AdapterPresentationForm.cs
Expand Up @@ -11,14 +11,10 @@ class AdapterPresentationForm : IAdapterPresentationForm
private string realm = "";
private string id = "";

public AdapterPresentationForm(bool error, ADFSinterface[] adfsinter)
public AdapterPresentationForm(bool error, ADFSinterface[] adfsinter, string username, string realm, string id)
{
this.error = error;
this.inter = adfsinter;
}
public AdapterPresentationForm(ADFSinterface[] adfsinter, string username, string realm, string id)
{
this.inter = adfsinter;
this.username = username;
this.id = id;
this.realm = realm;
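Review bot: The merged constructor now overwrites the `""` defaults of `username`, `realm` and `id` with whatever the caller passes, and the new error-path call sites in Adapter.cs pass instance fields (`username`, `privacyIDEArealm`) that have no initializer, so an error raised before BeginAuthentication has run hands the form null where the old two-argument constructor left an empty string. Guarding the assignments, `this.username = username ?? "";` and the same for `realm` and `id`, preserves the previous default. Whether the rendering code tolerates null is not visible here, and the constructor body continues past the end of the hunk.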
39 changes: 35 additions & 4 deletions privacyIDEAADFSProvider/OTPprovider.cs
Expand Up @@ -15,6 +15,7 @@ public class OTPprovider
{
private string debugPrefix = "ID3Aprovider: ";
private string URL;
private bool isChallengeToken = false;
/// <summary>
/// Class creates a OTPprovide for the privacyIDEA system
/// </summary>
Expand All @@ -24,13 +25,40 @@ public OTPprovider(string privacyIDEAurl)
URL = privacyIDEAurl;
}
/// <summary>
/// Validates a otp pin to the PID3
/// Dispatcher methode for #14 - made two request to avoid auth fail by TOTP with PIN
/// </summary>
/// <param name="OTPuser">User name for the token</param>
/// <param name="OTPpin">PIN for validation</param>
/// <param name="realm">Domain/realm name</param>
/// <param name="transaction_id">ID for the coresponding challenge</param>
/// <returns>true if the pin is correct</returns>
public bool getAuthOTP(string OTPuser, string OTPpin, string realm, string transaction_id)
{
if (isChallengeToken)
{
// first request with transaction_id
bool request_with_id = validateOTP(OTPuser, OTPpin, realm, transaction_id);
// first ture retrun direct (SMS or Mail token)
if (request_with_id) return true;
// second request without transaction_id (TOTP)
else return validateOTP(OTPuser, OTPpin, realm, null);
}
else
{
// if no challenge token for the user exists request without
return validateOTP(OTPuser, OTPpin, realm, transaction_id);
}
}

/// <summary>
/// Validates a otp pin to the PID3
/// </summary>
/// <param name="OTPuser">User name for the token</param>
/// <param name="OTPpin">PIN for validation</param>
/// <param name="realm">Domain/realm name</param>
/// <param name="transaction_id">ID for the coresponding challenge</param>
/// <returns>true if the pin is correct</returns>
private bool validateOTP(string OTPuser, string OTPpin, string realm, string transaction_id)
{
string responseString = "";
try
Expand Down Expand Up @@ -67,6 +95,7 @@ public bool getAuthOTP(string OTPuser, string OTPpin, string realm, string trans
/// <param name="OTPuser">User name for the token</param>
/// <param name="realm">Domain/realm name</param>
/// <param name="token">Admin token</param>
/// <returns>string transaction_id for the challenge</returns>
public string triggerChallenge(string OTPuser, string realm, string token)
{
string responseString = "";
Expand All @@ -82,10 +111,12 @@ public string triggerChallenge(string OTPuser, string realm, string token)
{ "realm ", realm},
});
responseString = Encoding.UTF8.GetString(response);
// get transaction id from response
string transaction_id = getJsonNode(responseString, "transaction_ids");
// ToDo - not realy a solution if multible tocken enrolled!! For #15
if (transaction_id.Length > 20) return transaction_id.Remove(20);
else return transaction_id;
if (transaction_id.Length > 20) transaction_id = transaction_id.Remove(20);
// check if use has challenge token
if (getJsonNode(responseString, "value") != "0") this.isChallengeToken = true;
return transaction_id;
}
}
catch (WebException wex)
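Review bot: The fallback in getAuthOTP issues a second validate request without the transaction_id on any failure of the first, so for a user whose `isChallengeToken` flag is set every wrong PIN now costs two failed authentications on the privacyIDEA side — the server-side fail counter grows twice as fast, so tokens lock out sooner — and the attempt is no longer bound to the triggered challenge, since a plain TOTP is accepted even though a challenge was sent. The flag is set at `if (getJsonNode(responseString, "value") != "0") this.isChallengeToken = true;`, is never reset to false, and is instance state written in triggerChallenge and read in a later getAuthOTP, so it describes whichever user last triggered a challenge on this OTPprovider instance rather than the user being validated; how getJsonNode behaves when "value" is absent is not visible here, but a null return would also set the flag. Consider deciding the token type from the trigger response instead of retrying, or if the retry stays, fall back only when the first response says the challenge does not apply rather than on any failure, and reset the flag at the top of triggerChallenge with `this.isChallengeToken = false;`. Minor: the summary refers to `#14` while the commit and the comment in triggerChallenge say `#15`, and `first ture retrun` should read `first true returns directly`. validateOTP's body continues outside the hunk, so whether it accepts a null transaction_id cannot be confirmed here.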