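// Validate a time-based one-time password (RFC 6238) for the current
// 30-second time step.
//
// secret_hex  : hex-encoded shared secret, forwarded unchanged to validateOTP.
// TOTP_string : the code supplied by the user, forwarded unchanged.
// Returns     : whatever validateOTP returns (its convention is not visible
//               in this file).
//
// The moving factor T = floor(unix_time / 30) is kept in an unsigned 64-bit
// integer: narrowing time_t to int overflows in 2038, and right-shifting a
// signed value is implementation-defined. A failing time() call is not
// detected here and yields an arbitrary counter; the caller sees a normal
// "invalid" result from validateOTP in that case.
int
validateTOTP(char * secret_hex, char * TOTP_string)
{
    uint64_t t = (uint64_t)time(NULL) / 30; // period = 30 seconds

    // Serialize T as an 8-byte big-endian counter, the layout RFC 4226
    // feeds into HMAC; the same layout validateHOTP uses for its counter.
    uint8_t timer[8];
    for (int i = 7; i >= 0; i--) {
        timer[i] = (uint8_t)(t & 0xff);
        t >>= 8;
    }
    return validateOTP(secret_hex, timer, TOTP_string);
}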
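// Validate an HMAC-based one-time password (RFC 4226) against a fixed
// counter value of 1.
//
// secret_hex  : hex-encoded shared secret, forwarded unchanged to validateOTP.
// HOTP_string : the code supplied by the user, forwarded unchanged.
// Returns     : whatever validateOTP returns (its convention is not visible
//               in this file).
//
// NOTE: the counter is hard-coded to 1, so every call verifies the same
// code; a real HOTP deployment persists and increments the counter per
// user. That behaviour is preserved here, only the serialization is fixed.
int
validateHOTP(char * secret_hex, char * HOTP_string)
{
    // The counter must always be emitted as exactly 8 bytes. The original
    // used `long`, whose size is platform-dependent (4 bytes on Win32 and
    // ILP32), which would hand validateOTP a short buffer on those targets.
    uint64_t counter = 1;
    uint8_t text[8];

    // 8-byte big-endian counter, same layout validateTOTP produces.
    for (int i = 7; i >= 0; i--) {
        text[i] = (uint8_t)(counter & 0xff);
        counter >>= 8;
    }
    return validateOTP(secret_hex, text, HOTP_string);
}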
bool CBaseSecurityManager::updateSettings(ISecUser & sec_user,IArrayOf<ISecResource>& rlist) 
{
    CSecureUser* user = (CSecureUser*)&sec_user;
    if(user == NULL)
        return false;

    int usernum = findUser(user->getName(),user->getRealm());
    if(usernum < 0)
    {
        PrintLog("User number of %s can't be found", user->getName());
        return false;
    }
    bool sqchecked = false, sqverified = false, otpchecked = false;
    int otpok = -1;
    ForEachItemIn(x, rlist)
    {
        ISecResource* secRes = (ISecResource*)(&(rlist.item(x)));
        if(secRes == NULL)
            continue;
        //AccessFlags default value is -1. Set it to 0 so that the settings can be cached. AccessFlags is not being used for settings.
        secRes->setAccessFlags(0);
        if(secRes->getParameter("userprop") && *secRes->getParameter("userprop")!='\0')
        {
            //if we have a parameter in the user or company table it will have been added as a parameter to the ISecUser when 
            // the authentication query was run. We should keep this messiness here so that the the end user is insulated....
            dbValidateSetting(*secRes,sec_user);
            continue;
        }

        const char* resource_name = secRes->getParameter("resource");
        if(resource_name && *resource_name && 
            (stricmp(resource_name, "SSN Masking") == 0 || stricmp(resource_name, "Driver License Masking") == 0))
        {
            //If OTP Enabled and OTP2FACTOR cookie not valid, mask
            if(m_enableOTP)
            {
                if(!otpchecked)
                {
                    const char* otpcookie = sec_user.getProperty("OTP2FACTOR");
                    // -1 means OTP is not enabled for the user. 0: failed verfication, 1: passed verification.
                    otpok = validateOTP(&sec_user, otpcookie);
                    otpchecked = true;
                }
                if(otpok == 0)
                {
                    CSecurityResource* cres = dynamic_cast<CSecurityResource*>(secRes);
                    if(resource_name && *resource_name && cres)
                    {
                        if(stricmp(resource_name, "SSN Masking") == 0)
                        {
                            cres->setValue("All");
                            continue;
                        }
                        else if(stricmp(resource_name, "Driver License Masking") == 0)
                        {
                            cres->setValue("1");
                            continue;
                        }
                    }
                }
                else if(otpok == 1)
                {
                    CSecurityResource* cres = dynamic_cast<CSecurityResource*>(secRes);
                    if(resource_name && *resource_name && cres)
                    {
                        if(stricmp(resource_name, "SSN Masking") == 0)
                        {
                            cres->setValue("None");
                            continue;
                        }
                        else if(stricmp(resource_name, "Driver License Masking") == 0)
                        {
                            cres->setValue("0");
                            continue;
                        }
                    }
                }
            }

            if(m_enableIPRoaming && sec_user.getPropertyInt("IPRoaming") == 1)
            {
                if(!sqchecked)
                {
                    const char* sequest = sec_user.getProperty("SEQUEST");
                    if(sequest && *sequest)
                    {
                        sqverified = validateSecurityQuestion(&sec_user, sequest);
                    }
                    sqchecked = true;
                }
                if(!sqverified)
                {
                    CSecurityResource* cres = dynamic_cast<CSecurityResource*>(secRes);
                    if(resource_name && *resource_name && cres)
                    {
                        if(stricmp(resource_name, "SSN Masking") == 0)
                        {
                            cres->setValue("All");
                            continue;
                        }
                        else if(stricmp(resource_name, "Driver License Masking") == 0)
                        {
                            cres->setValue("1");
                            continue;
                        }
                    }
                }
            }

        }

        dbValidateSetting(*secRes,usernum,user->getRealm());
    }