|
1 <?php |
|
2 /**!info** |
|
3 { |
|
4 "Plugin Name" : "Yubikey management service", |
|
5 "Plugin URI" : "http://enanocms.org/plugin/yubikey-yms", |
|
6 "Description" : "Adds the ability for Enano to act as a Yubikey authentication provider. The Yubikey authentication plugin is a prerequisite.", |
|
7 "Author" : "Dan Fuhry", |
|
8 "Version" : "0.1", |
|
9 "Author URI" : "http://enanocms.org/" |
|
10 } |
|
11 **!*/ |
|
12 |
|
// Defer special-page registration until the session layer is up. The second
// argument is a PHP statement string (note the trailing ';'), which the hook
// dispatcher presumably evaluates when 'session_started' fires — confirm
// against the core plugin loader before changing it to a callable.
$plugins->attachHook('session_started', 'yms_add_special_pages();');
|
14 |
|
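/**
 * Hook body for 'session_started': registers this plugin's special pages.
 *
 * Each page name is paired with a handler function that is not defined in
 * this file; the handlers are presumably provided by the sibling files
 * required below — confirm before renaming either side. The page titles
 * shown to users come from the language block in this file:
 *  - Special:YMS             -> yms_specialpage_yms       ("Yubikey manager")
 *  - Special:YMSCreateClient -> yms_specialpage_register  ("Register YMS client")
 *  - Special:YubikeyValidate -> yms_specialpage_validate  ("Yubikey validation API")
 *
 * @return void
 */
function yms_add_special_pages()
{
	// No globals are needed here: register_special_page() does all the work.
	register_special_page('YMS', 'yms_specialpage_yms');
	register_special_page('YMSCreateClient', 'yms_specialpage_register');
	register_special_page('YubikeyValidate', 'yms_specialpage_validate');
}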
|
23 |
|
// Per-key state values. The install block's yms_yubikeys.flags column
// (int, DEFAULT 1) matches YMS_ENABLED, and the language strings expose both a
// "Lifecycle state" and an "allow any client" option, so these look like bit
// values combined into `flags` — confirm against backend.php before testing
// the column with ==/=== rather than a bitwise check.
define('YMS_DISABLED', 0);
define('YMS_ENABLED', 1);
define('YMS_ANY_CLIENT', 2);

// Marker constant; this file only defines it. Presumably checked elsewhere
// (e.g. by the Yubikey authentication plugin) to detect that YMS is loaded.
define('YMS_INSTALLED', 1);
|
29 |
|
// Pull in the implementation split across sibling files. Every path is
// anchored on the ENANO_ROOT constant, so no request-derived input reaches
// require(). Note this is require(), not require_once(): if this plugin file
// is ever loaded twice, these files are included again and, where they
// declare functions, PHP stops with a redeclaration error.
require(ENANO_ROOT . '/plugins/yms/yms.php');
require(ENANO_ROOT . '/plugins/yms/libotp.php');
require(ENANO_ROOT . '/plugins/yms/transcode.php');
require(ENANO_ROOT . '/plugins/yms/backend.php');
require(ENANO_ROOT . '/plugins/yms/validate.php');
require(ENANO_ROOT . '/plugins/yms/validate-functions.php');
|
36 |
|
37 /**!language** |
|
38 |
|
39 The following text up to the closing comment tag is JSON language data. |
|
40 It is not PHP code but your editor or IDE may highlight it as such. This |
|
41 data is imported when the plugin is loaded for the first time; it provides |
|
42 the strings displayed by this plugin's interface. |
|
43 |
|
44 You should copy and paste this block when you create your own plugins so |
|
45 that these comments and the basic structure of the language data are |
|
46 preserved. All language data is in the same format as the Enano core |
|
47 language files in the /language/* directories. See the Enano Localization |
|
48 Guide and Enano API Documentation for further information on the format of |
|
49 language files. |
|
50 |
|
51 The exception in plugin language file format is that multiple languages |
|
52 may be specified in the language block. This should be done by way of making |
|
53 the top-level elements each a JSON language object, with elements named |
|
54 according to the ISO-639-1 language they are representing. The path should be: |
|
55 |
|
56 root => language ID => categories array, ( strings object => category \ |
|
57 objects => strings ) |
|
58 |
|
59 All text leading up to the first curly brace is stripped by the parser; using |
|
60 a code tag makes jEdit and other editors do automatic indentation and |
|
61 syntax highlighting on the language data. The use of the code tag is not |
|
62 necessary; it is only included as a tool for development. |
|
63 |
|
64 <code> |
|
65 { |
|
66 // english |
|
67 eng: { |
|
68 categories: [ 'meta', 'yms' ], |
|
69 strings: { |
|
70 meta: { |
|
71 yms: 'Yubikey management system' |
|
72 }, |
|
73 yms: { |
|
74 specialpage_yms: 'Yubikey manager', |
|
75 specialpage_register: 'Register YMS client', |
|
76 specialpage_validate: 'Yubikey validation API', |
|
77 err_yubikey_plugin_missing_title: 'Yubikey plugin not found', |
|
78 err_yubikey_plugin_missing_body: 'The Yubikey YMS cannot load because the Enano <a href="http://enanocms.org/plugin/yubikey">Yubikey authentication plugin</a> is not installed. Please ask your administrator to install it.', |
|
79 err_client_exists_title: 'Client already exists', |
|
80 err_client_exists_body: 'You cannot register another YMS client using this same user account.', |
|
81 register_confirm_title: 'Enable your account for Yubikey authentication', |
|
82 register_confirm_body: 'As a Yubikey authentication client, you gain the ability to manage multiple Yubikeys and tie them to your own organization. It also lets you retrieve secret AES keys for tokens, register new or reprogrammed keys, validate Yubikey OTPs using your own API key, and deactivate keys in case of a compromise. Do you want to enable your account for Yubikey management?', |
|
83 register_btn_submit: 'Create YMS client', |
|
84 |
|
85 register_msg_success_title: 'Congratulations! Your account is now enabled for YMS access.', |
|
86 register_msg_success_body: '<p>You can now go to the <a href="%yms_link|htmlsafe%">YMS admin panel</a> and add your Yubikeys. Your client ID and API key are below:</p> |
|
87 <p class="yms-copypara">Client ID: <span class="yms-copyfield">%client_id%</span><br /> |
|
88 API key: <span class="yms-copyfield">%api_key%</span><br /> |
|
89 Validation API URL: <span class="yms-copyfield">%validate_url%</span></p> |
|
90 <p><b>Remember to secure your user account!</b> Your Enano login is used to administer your YMS account. For maximum security, use the Yubikey Settings page of the User Control Panel to require both a password and a Yubikey OTP to log in.</p>', |
|
91 msg_no_yubikeys: 'No Yubikeys found', |
|
92 btn_add_key: 'Add Yubikey', |
|
93 btn_add_key_preregistered: 'Claim a New Key', |
|
94 state_active: 'Active', |
|
95 state_inactive: 'Inactive', |
|
96 |
|
97 th_id: 'ID#', |
|
98 th_publicid: 'OTP prefix', |
|
99 th_createtime: 'Created', |
|
100 th_accesstime: 'Last accessed', |
|
101 th_state: 'Lifecycle state', |
|
102 th_note: 'Note', |
|
103 |
|
104 msg_access_never: 'Never', |
|
105 |
|
106 // Add key interface |
|
107 lbl_addkey_heading: 'Register Yubikey', |
|
108 lbl_addkey_desc: 'Register a Yubikey that you programmed yourself in YMS to enable validation of OTPs from that key against this server.', |
|
109 lbl_addkey_field_secret: 'AES secret key:', |
|
110 lbl_addkey_field_secret_hint: 'Input in ModHex, hex, or base-64. The format will be detected automatically.', |
|
111 lbl_addkey_field_otp: 'Enter an OTP from this Yubikey:', |
|
112 lbl_addkey_field_notes: 'Notes about this key:', |
|
113 lbl_addkey_field_state: 'Lifecycle state:', |
|
114 lbl_addkey_field_any_client_name: 'Allow validation by any client:', |
|
115 lbl_addkey_field_any_client_hint: 'If unchecked, OTPs from this Yubikey can only be verified by someone using your client ID. Check this if you plan to use this Yubikey on websites you don\'t control.', |
|
116 lbl_addkey_field_any_client: 'Other clients can validate OTPs from this key', |
|
117 btn_addkey_submit: 'Register key', |
|
118 msg_addkey_success: 'This key has been successfully registered.', |
|
119 |
|
120 err_addkey_crc_failed: 'The CRC check on the OTP failed. This usually means that your AES key is wrong or could not be properly interpreted.', |
|
121 err_addkey_invalid_key: 'There was an error decoding your AES secret key. Please enter a 128-bit hex, ModHex, or base-64 value.', |
|
122 err_addkey_invalid_otp: 'The OTP from the Yubikey is invalid.', |
|
123 err_addkey_key_exists: 'This Yubikey is already registered on this server.', |
|
124 |
|
125 // Claim key interface |
|
126 lbl_claimkey_heading: 'Claim Yubikey', |
|
127 lbl_claimkey_desc: 'Attach a key you have not reprogrammed to your YMS account, so that you can see its AES secret key and keep track of it.', |
|
128 lbl_claimkey_field_otp: 'Enter an OTP from this Yubikey:', |
|
129 lbl_custom_hint: 'For your security, this is used to validate your ownership of this Yubikey.', |
|
130 |
|
131 // AES key view interface |
|
132 showaes_th: 'AES secret key for key %public_id%', |
|
133 showaes_lbl_hex: 'Hex:', |
|
134 showaes_lbl_modhex: 'ModHex:', |
|
135 showaes_lbl_base64: 'Base64:', |
|
136 |
|
137 // API key view interface |
|
138 th_client_id: 'Client ID', |
|
139 lbl_client_id: 'Client ID:', |
|
140 th_api_key: 'API key', |
|
141 |
|
142 // Binary format converter |
|
143 th_converted_value: 'Converted value', |
|
144 conv_err_invalid_string: 'The string you entered was invalid or did not match the format you selected.', |
|
145 th_converter: 'Convert binary formats', |
|
146 conv_lbl_value: 'Value to convert:', |
|
147 conv_lbl_format: 'Current encoding:', |
|
148 conv_lbl_format_auto: 'Auto-detect', |
|
149 conv_lbl_format_hex: 'Hexadecimal', |
|
150 conv_lbl_format_modhex: 'ModHex', |
|
151 conv_lbl_format_base64: 'Base-64', |
|
152 conv_btn_submit: 'Convert', |
|
153 |
|
154 // Key list |
|
155 btn_note_view: 'View or edit note', |
|
156 btn_note_create: 'No note; click to create', |
|
157 btn_show_aes: 'Show AES secret', |
|
158 btn_show_converter: 'Binary encoding converter', |
|
159 btn_show_client_info: 'View client info' |
|
160 } |
|
161 } |
|
162 } |
|
163 } |
|
164 </code> |
|
165 **!*/ |
|
166 |
|
167 /**!install dbms="mysql"; ** |
|
168 |
|
169 CREATE TABLE {{TABLE_PREFIX}}yms_clients( |
|
170 id int(12) NOT NULL DEFAULT 0, |
|
171 apikey varchar(40) NOT NULL, |
|
172 PRIMARY KEY ( id ) |
|
173 ); |
|
174 |
|
175 CREATE TABLE {{TABLE_PREFIX}}yms_yubikeys( |
|
176 id int(12) NOT NULL auto_increment, |
|
177 client_id int(12) NOT NULL DEFAULT 0, |
|
178 public_id varchar(12) NOT NULL DEFAULT '000000000000', |
|
179 private_id varchar(12) NOT NULL DEFAULT '000000000000', |
|
180 session_count int(8) NOT NULL DEFAULT 0, |
|
181 token_count int(8) NOT NULL DEFAULT 0, |
|
182 create_time int(12) NOT NULL DEFAULT 0, |
|
183 access_time int(12) NOT NULL DEFAULT 0, |
|
184 token_time int(12) NOT NULL DEFAULT 0, |
|
185 aes_secret varchar(40) NOT NULL DEFAULT '00000000000000000000000000000000', |
|
186 flags int(8) NOT NULL DEFAULT 1, |
|
187 notes text, |
|
188 PRIMARY KEY (id) |
|
189 ); |
|
190 |
|
191 **!*/ |
|
192 |