New release 5.9.2.1

ENH: Support without2FA user, unlock timeout without 2FA, autocomplete username with last connected
multiOTP · Aug 10, 2022 · f147839 · f147839
1 parent fa3ded1
commit f147839
Show file tree

Hide file tree

Showing 24 changed files with 781 additions and 166 deletions.
diff --git a/CppClientCore/CppClientCore/MultiOTP.cpp b/CppClientCore/CppClientCore/MultiOTP.cpp
@@ -2,8 +2,8 @@
  * multiOTP Credential Provider, extends privacyIdea
  *
  * @author    Yann Jeanrenaud, SysCo systemes de communication sa, <[email protected]>
- * @version   5.9.1.0
- * @date      2022-06-17
+ * @version   5.9.2.1
+ * @date      2022-08-10
  * @since     2021
  * @copyright (c) 2016-2022 SysCo systemes de communication sa
  * @copyright (c) 2015-2016 ArcadeJust ("RDP only" enhancement)
@@ -54,3 +54,17 @@ HRESULT MultiOTP::validateCheck(const std::wstring& username, const std::wstring
 		return PI_AUTH_FAILURE;
 	}
 }
+
+bool MultiOTP::isWithout2FA(const std::wstring& username, const std::wstring& domain)
+{
+	HRESULT hr = E_UNEXPECTED;
+	hr = multiotp_request_command(L"-iswithout2fa", L"\""+getCleanUsername(username, domain)+ L"\"");
+	if ((hr == MULTIOTP_IS_WITHOUT2FA)) {
+		if (DEVELOP_MODE) PrintLn("MultiotpCredential::multiOTP user is without2FA", hr);
+		return true;
+	}
+	else {
+		if (DEVELOP_MODE) PrintLn("MultiotpCredential::multiOTP user is not without2fa ", hr);
+	}
+	return false;
+}
diff --git a/CppClientCore/CppClientCore/MultiOTP.h b/CppClientCore/CppClientCore/MultiOTP.h
@@ -2,8 +2,8 @@
  * multiOTP Credential Provider, extends privacyIdea
  *
  * @author    Yann Jeanrenaud, SysCo systemes de communication sa, <[email protected]>
- * @version   5.9.1.0
- * @date      2022-06-17
+ * @version   5.9.2.1
+ * @date      2022-08-10
  * @since     2021
  * @copyright (c) 2016-2022 SysCo systemes de communication sa
  * @copyright (c) 2015-2016 ArcadeJust ("RDP only" enhancement)
@@ -40,7 +40,7 @@ class MultiOTP : public PrivacyIDEA {
 	// 1. Offline otp data, 2. Triggered challenges, 3. Authentication success
 	// <returns> PI_AUTH_SUCCESS, PI_TRIGGERED_CHALLENGE, PI_AUTH_FAILURE, PI_AUTH_ERROR, PI_ENDPOINT_SETUP_ERROR, PI_WRONG_OFFLINE_SERVER_UNAVAILABLE </returns>
 	HRESULT validateCheck(const std::wstring& username, const std::wstring& domain, const SecureWString& otp, const std::string& transaction_id = std::string());
-
+	bool MultiOTP::isWithout2FA(const std::wstring& username, const std::wstring& domain);
 
 private:
 

diff --git a/CppClientCore/CppClientCore/MultiOTPConfiguration.cpp b/CppClientCore/CppClientCore/MultiOTPConfiguration.cpp
@@ -0,0 +1,122 @@
+/* * * * * * * * * * * * * * * * * * * * *
+**
+** Copyright 2019 NetKnights GmbH
+**           2020-2022 SysCo systemes de communication sa
+** Author: Nils Behlen
+**         Yann Jeanrenaud, Andre Liechti
+**
+**    Licensed under the Apache License, Version 2.0 (the "License");
+**    you may not use this file except in compliance with the License.
+**    You may obtain a copy of the License at
+**
+**        http://www.apache.org/licenses/LICENSE-2.0
+**
+**    Unless required by applicable law or agreed to in writing, software
+**    distributed under the License is distributed on an "AS IS" BASIS,
+**    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+**    See the License for the specific language governing permissions and
+**    limitations under the License.
+**
+** * * * * * * * * * * * * * * * * * * */
+
+#include "MultiOTPConfiguration.h"
+#include "MultiotpHelpers.h" // multiOTP/yj
+#include "Utilities.h"
+#include "version.h"
+#include "Logger.h"
+#include "RegistryReader.h"
+#include "MultiOTPRegistryReader.h"
+
+using namespace std;
+
+const wstring Configuration::registryPath = L"CLSID\\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}\\";
+const wstring Configuration::registryRealmPath = L"CLSID\\{FCEFDFAB-B0A1-4C4D-8B2B-4FF4E0A3D978}\\realm-mapping";
+
+MultiOTPConfiguration::MultiOTPConfiguration() : Configuration()
+{
+	MultiOTPRegistryReader rr(registryPath);
+
+	// Credential Provider specific config
+	bitmapPath = rr.getRegistry(L"v1_bitmap_path");
+	hideDomainName = rr.getBoolRegistry(L"hide_domainname");
+	hideFullName = rr.getBoolRegistry(L"hide_fullname");
+	hide_otp_sleep_s = rr.getIntRegistry(L"hide_otp_sleep_s");
+
+	twoStepHideOTP = rr.getBoolRegistry(L"two_step_hide_otp");
+	twoStepSendEmptyPassword = rr.getBoolRegistry(L"two_step_send_empty_password");
+	twoStepSendPassword = rr.getBoolRegistry(L"two_step_send_password");
+
+	piconfig.logPasswords = rr.getBoolRegistry(L"log_sensitive");
+	releaseLog = rr.getBoolRegistry(L"release_log");
+
+	showDomainHint = rr.getBoolRegistry(L"show_domain_hint");
+	// Custom field texts: check if set, otherwise use defaults (from header)
+	wstring tmp = rr.getRegistry(L"login_text");
+	loginText = tmp.empty() ? L"privacyIDEA Login" : tmp;
+
+	otpFieldText = rr.getRegistry(L"otp_text");
+
+	tmp = rr.getRegistry(L"otp_fail_text");
+	defaultOTPFailureText = tmp.empty() ? Utilities::GetTranslatedText(TEXT_WRONG_OTP) : tmp;
+
+	tmp = rr.getRegistry(L"otp_hint_text");
+	defaultOTPHintText = tmp.empty() ? Utilities::GetTranslatedText(TEXT_DEFAULT_OTP_HINT) : tmp;
+
+	// Config for PrivacyIDEA
+	piconfig.hostname = rr.getRegistry(L"hostname");
+	// Check if the path contains the placeholder, if so replace with nothing
+	tmp = rr.getRegistry(L"path");
+	piconfig.path = (tmp == L"/path/to/pi" ? L"" : tmp);
+
+	piconfig.ignoreUnknownCA = rr.getBoolRegistry(L"ssl_ignore_unknown_ca");
+	piconfig.ignoreInvalidCN = rr.getBoolRegistry(L"ssl_ignore_invalid_cn");
+	piconfig.customPort = rr.getIntRegistry(L"custom_port");
+	piconfig.offlineFilePath = rr.getRegistry(L"offline_file");
+	piconfig.offlineTryWindow = rr.getIntRegistry(L"offline_try_window");
+
+	piconfig.resolveTimeoutMS = rr.getIntRegistry(L"resolve_timeout");
+	piconfig.connectTimeoutMS = rr.getIntRegistry(L"connect_timeout");
+	piconfig.sendTimeoutMS = rr.getIntRegistry(L"send_timeout");
+	piconfig.receiveTimeoutMS = rr.getIntRegistry(L"receive_timeout");
+
+	// format domain\username or computername\username
+	excludedAccount = rr.getRegistry(L"excluded_account");
+
+	// Realm Mapping
+	piconfig.defaultRealm = rr.getRegistry(L"default_realm");
+
+	if (!rr.getAll(registryRealmPath, piconfig.realmMap))
+	{
+		piconfig.realmMap.clear();
+	}
+
+	// Validate that only one of hideDomainName OR hideFullName is active
+	// In the installer it is exclusive but could be changed in the registry
+	if (hideDomainName && hideFullName)
+	{
+		hideDomainName = false;
+	}
+	// Validate 2Step
+	if (twoStepSendEmptyPassword || twoStepSendPassword)
+	{
+		twoStepHideOTP = true;
+	}
+	if (twoStepSendEmptyPassword && twoStepSendPassword)
+	{
+		twoStepSendEmptyPassword = false;
+	}
+
+	// Get the Windows Version, deprecated 
+	OSVERSIONINFOEX info;
+	ZeroMemory(&info, sizeof(OSVERSIONINFOEX));
+	info.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+	GetVersionEx((LPOSVERSIONINFO)&info);
+
+	winVerMajor = info.dwMajorVersion;
+	winVerMinor = info.dwMinorVersion;
+	winBuildNr = info.dwBuildNumber;
+
+	multiOTPTimeoutUnlock = rr.getRegistryDWORD(L"multiOTPTimeoutUnlock");
+	multiOTPDisplayLastUser = rr.getBoolRegistryDWORD(L"multiOTPDisplayLastUser");
+	multiOTPWithout2FA = rr.getBoolRegistryDWORD(L"multiOTPWithout2FA");
+}
diff --git a/CppClientCore/CppClientCore/MultiOTPConfiguration.h b/CppClientCore/CppClientCore/MultiOTPConfiguration.h
@@ -0,0 +1,36 @@
+/* * * * * * * * * * * * * * * * * * * * *
+**
+** Copyright SysCo
+** Author: Yann Jeanrenaud
+**
+**    Licensed under the Apache License, Version 2.0 (the "License");
+**    you may not use this file except in compliance with the License.
+**    You may obtain a copy of the License at
+**
+**        http://www.apache.org/licenses/LICENSE-2.0
+**
+**    Unless required by applicable law or agreed to in writing, software
+**    distributed under the License is distributed on an "AS IS" BASIS,
+**    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+**    See the License for the specific language governing permissions and
+**    limitations under the License.
+**
+** * * * * * * * * * * * * * * * * * * */
+
+#pragma once
+#include "PIConf.h"
+#include "Challenge.h"
+#include "SecureString.h"
+#include <string>
+#include <credentialprovider.h>
+#include "Configuration.h"
+
+class MultiOTPConfiguration : public Configuration
+{
+	public:
+		MultiOTPConfiguration();
+
+		bool multiOTPDisplayLastUser = false;
+		bool multiOTPWithout2FA = false;
+		int multiOTPTimeoutUnlock = 0;
+};
diff --git a/CppClientCore/CppClientCore/MultiOTPRegistryReader.cpp b/CppClientCore/CppClientCore/MultiOTPRegistryReader.cpp
@@ -2,8 +2,8 @@
  * multiOTP Credential Provider, extends privacyIdea RegistryReader
  *
  * @author    Yann Jeanrenaud, SysCo systemes de communication sa, <[email protected]>
- * @version   5.9.1.0
- * @date      2022-06-17
+ * @version   5.9.2.1
+ * @date      2022-08-10
  * @since     2021
  * @copyright (c) 2016-2022 SysCo systemes de communication sa
  * @copyright (c) 2015-2016 ArcadeJust ("RDP only" enhancement)
@@ -77,6 +77,51 @@ bool MultiOTPRegistryReader::getBoolRegistry(std::wstring name, HKEY container)
 	return getRegistry(name, container) == L"1";
 }
 
+bool MultiOTPRegistryReader::getBoolRegistryDWORD(std::wstring name, HKEY container)
+{
+	return getRegistryDWORD(name, container) == 1;
+}
+
+DWORD MultiOTPRegistryReader::getRegistryDWORD(std::wstring name, HKEY container)
+{
+	DWORD dwRet = NULL;
+	HKEY hKey = nullptr;
+	dwRet = RegOpenKeyEx(
+		container,
+		wpath.c_str(),
+		NULL,
+		KEY_QUERY_VALUE,
+		&hKey);
+	if (dwRet != ERROR_SUCCESS)
+	{
+		return 0;
+	}
+
+	const DWORD SIZE = 1024;
+	DWORD dwReturnLong;
+	DWORD dwValue = SIZE;
+	DWORD dwType = 0;
+	dwRet = RegQueryValueEx(
+		hKey,
+		name.c_str(),
+		NULL,
+		&dwType,
+		(LPBYTE)&dwReturnLong,
+		&dwValue);
+	if (dwRet != ERROR_SUCCESS)
+	{
+		return 0;
+	}
+
+	if (dwType != REG_DWORD)
+	{
+		return 0;
+	}
+	RegCloseKey(hKey);
+	hKey = NULL;
+	return dwReturnLong;
+}
+
 int MultiOTPRegistryReader::getIntRegistry(std::wstring name, HKEY container)
 {
 	return _wtoi(getRegistry(name, container).c_str()); // Invalid parameter returns 0

diff --git a/CppClientCore/CppClientCore/MultiOTPRegistryReader.h b/CppClientCore/CppClientCore/MultiOTPRegistryReader.h
@@ -2,8 +2,8 @@
  * multiOTP Credential Provider, extends privacyIdea RegistryReader
  *
  * @author    Yann Jeanrenaud, SysCo systemes de communication sa, <[email protected]>
- * @version   5.9.1.0
- * @date      2022-06-17
+ * @version   5.9.2.1
+ * @date      2022-08-10
  * @since     2021
  * @copyright (c) 2016-2022 SysCo systemes de communication sa
  * @copyright (c) 2015-2016 ArcadeJust ("RDP only" enhancement)
@@ -25,7 +25,9 @@ class MultiOTPRegistryReader : public RegistryReader {
 public:
 	MultiOTPRegistryReader(const std::wstring& pathToKey);
 	std::wstring getRegistry(std::wstring name, HKEY container = HKEY_CLASSES_ROOT);
+	DWORD getRegistryDWORD(std::wstring name, HKEY container = HKEY_CLASSES_ROOT);
 	bool getBoolRegistry(std::wstring name, HKEY container = HKEY_CLASSES_ROOT);
+	bool getBoolRegistryDWORD(std::wstring name, HKEY container = HKEY_CLASSES_ROOT);
 	int getIntRegistry(std::wstring name, HKEY container = HKEY_CLASSES_ROOT);
 	bool getAll(const std::wstring& path, std::map<std::wstring, std::wstring>& map, HKEY container = HKEY_CLASSES_ROOT);
 private: