Sudo mode (poc to review)

src/Auth.php

@@ -38,6 +38,7 @@
 use Glpi\Error\ErrorHandler;
 use Glpi\Event;
 use Glpi\Plugin\Hooks;
+use Glpi\Security\ReAuthManager;
 use Glpi\Security\TOTPManager;
 use Safe\Exceptions\LdapException;
 
@@ -179,6 +180,8 @@ public static function getMenuContent()
     /**
      * Check user existence in DB
      *
+     * Side effect : may also fill $this->user_dn
+     *
      * @global DBmysql $DB
      * @param  array   $options conditions : array('name'=>'glpi')
      *                                    or array('email' => 'test at test.com')
@@ -221,6 +224,39 @@ public function userExists($options = [])
         }
     }
 
+    /**
+     * User can log in
+     *
+     * All conditions to meet :
+     * - User is not deleted
+     * - active
+     * - current time between restricted dates
+     */
+    public function canUserLogin(): bool
+    {
+        // in some contexts, we can have "NULL" as string instead of null value
+        if ($this->user->fields['begin_date'] === 'NULL') {
+            $this->user->fields['begin_date'] = null;
+        }
+        if ($this->user->fields['end_date'] === 'NULL') {
+            $this->user->fields['begin_date'] = null;
+        }
+
+        return
+            $this->user->fields['is_deleted'] === 0
+            && (
+                $this->user->fields['is_active'] === 1
+                && (
+                    ($this->user->fields['begin_date'] < $_SESSION["glpi_currenttime"])
+                    || is_null($this->user->fields['begin_date'])
+                )
+                && (
+                    ($this->user->fields['end_date'] > $_SESSION["glpi_currenttime"])
+                    || is_null($this->user->fields['end_date'])
+                )
+            );
+    }
+
     /**
      * Try a IMAP/POP connection
      *
@@ -1159,6 +1195,9 @@ public function login($login_name, $login_password, $noauto = false, $remember_m
             $DB->setTimezone($this->user->fields['timezone']);
         }
 
+        // initiate ReAuthentication, consider authentication successful as user just logged in.
+        (new ReAuthManager())->initiate();
+
         return $this->auth_succeded;
     }
 

src/Glpi/Controller/Security/ReAuthController.php

@@ -0,0 +1,96 @@
+<?php
+
+/**
+ * ---------------------------------------------------------------------
+ *
+ * GLPI - Gestionnaire Libre de Parc Informatique
+ *
+ * http://glpi-project.org
+ *
+ * @copyright 2015-2026 Teclib' and contributors.
+ * @licence   https://www.gnu.org/licenses/gpl-3.0.html
+ *
+ * ---------------------------------------------------------------------
+ *
+ * LICENSE
+ *
+ * This file is part of GLPI.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ * ---------------------------------------------------------------------
+ */
+
+declare(strict_types=1);
+
+namespace Glpi\Controller\Security;
+
+use Glpi\Application\View\TemplateRenderer;
+use Glpi\Controller\AbstractController;
+use Glpi\Exception\RedirectException;
+use Glpi\Http\Firewall;
+use Glpi\Security\Attribute\SecurityStrategy;
+use Glpi\Security\ReAuthManager;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+
+class ReAuthController extends AbstractController
+{
+    private ReAuthManager $reAuthManager;
+
+    public function __construct(
+        private readonly ?UrlGeneratorInterface $router = null
+    ) {
+        $this->reAuthManager = new ReAuthManager();
+    }
+
+
+    #[Route(
+        path: "/ReAuth/Prompt",
+        name: "reauth_prompt",
+        methods: ['GET']
+    )]
+    #[SecurityStrategy(Firewall::STRATEGY_NO_CHECK)]
+    public function prompt(Request $request): Response
+    {
+        return new Response(TemplateRenderer::getInstance()->render('pages/2fa/2fa_request.html.twig', [
+            'redirect' => $this->reAuthManager->getRedirectSuccessURL(),
+            'action' => $this->router->generate('reauth_verify'),
+        ]));
+    }
+
+    #[Route(
+        path: "/ReAuth/Verify",
+        name: "reauth_verify",
+        methods: ['POST']
+    )]
+    public function verify(Request $request): void
+    {
+        $totp_code = $request->get('totp_code');
+        if (is_array($totp_code)) {
+            $totp_code = implode('', $totp_code);
+        }
+        if ($this->reAuthManager->verify((string) $totp_code)) { // @todo refacto gestion de l'array dans verify ?
+            $this->reAuthManager->authenticate();
+
+            // @todo pour la conservation des données POST (si la le réauth n'est plus valable au moment de la soumission du form),
+            // il faut afficher un form qui contient les données post stockées ($this->reAuthManager->getPostDataForRedirect())
+            throw new RedirectException($this->reAuthManager->getRedirectSuccessURL());
+        }
+
+        throw new \Exception('Vérif ratée : Rediriger vers ? petit bloc avec message d\'erreur et bouton pour revenir à la page précédente ?');
+    }
+}

src/Glpi/Controller/ServiceCatalog/IndexController.php

@@ -62,7 +62,7 @@ public function __construct()
         $this->interface = Session::getCurrentInterface();
     }
 
-    #[SecurityStrategy(Firewall::STRATEGY_AUTHENTICATED)]
+    #[SecurityStrategy(Firewall::STRATEGY_REAUTHENTICATE)]
     #[Route(
         "/ServiceCatalog",
         name: "glpi_service_catalog",

src/Glpi/Http/Firewall.php

@@ -36,6 +36,7 @@
 
 use Config;
 use Glpi\Exception\Http\AccessDeniedHttpException;
+use Glpi\Security\ReAuthManager;
 use LogicException;
 use Plugin;
 use Session;
@@ -65,6 +66,12 @@ final class Firewall
      */
     public const STRATEGY_ADMIN_ACCESS = 'admin_access';
 
+    /**
+    * Check that user is authenticated and re-authenticated since a little time to access critical features (e.g. change password, access security settings, etc.).
+     * Re-authentication (e.g. sudo mode) consist of asking user to authenticate again (password/totp verification) to ensure that the user is still present.
+    */
+    public const STRATEGY_REAUTHENTICATE = 'reauthenticate';
+
     /**
      * Check that user is authenticated and is using a profile based on central interface.
      */
@@ -149,6 +156,10 @@ public function applyStrategy(string $strategy): void
                     throw new AccessDeniedHttpException('Missing administration rights.');
                 }
                 break;
+            case self::STRATEGY_REAUTHENTICATE:
+                Session::checkLoginUser();
+                (new ReAuthManager())->checkReAuthenticated();
+                break;
             case self::STRATEGY_CENTRAL_ACCESS:
                 Session::checkCentralAccess();
                 break;
@@ -192,7 +203,12 @@ private function computeFallbackStrategyForCore(string $path): string
     {
         if (!file_exists($this->glpi_root . $path)) {
             // Modern controllers
-            return self::FALLBACK_STRATEGY;
+            return match ($path) {
+                (new \Computer())->getFormURL(full: false), // maybe prefere hardcoded version ? '/front/computer.php'
+                'another_route'
+                => self::STRATEGY_REAUTHENTICATE,
+                default => self::FALLBACK_STRATEGY
+            };
         }
 
         $paths = [
@@ -211,6 +227,9 @@ private function computeFallbackStrategyForCore(string $path): string
             '/front/lostpassword.php' => self::STRATEGY_NO_CHECK,
             '/front/updatepassword.php' => self::STRATEGY_NO_CHECK,
             '/install/' => self::STRATEGY_NO_CHECK, // No check during install/update
+
+            // urls requiring reauth
+            '/front/user.form.php' => self::STRATEGY_REAUTHENTICATE,
         ];
 
         if (Config::allowUnauthenticatedUploads()) {