refactor CheckPasswordInlineMFA to SetSecrets
This commit is contained in:
Matthias G
parent
cec021117c
commit
658b37c718
|
|
@ -10,39 +10,44 @@ const CodePasswordSeparator = ";"
|
|||
|
||||
var alphaNum = regexp.MustCompile(`^[a-zA-Z0-9]*$`)
|
||||
|
||||
// CheckPasswordInlineMFA For protocols that only support username/password, check if the password
|
||||
// contains the TOTP code
|
||||
func (fe *FlowExecutor) CheckPasswordInlineMFA() {
|
||||
password := fe.Answers[StagePassword]
|
||||
// We already have an authenticator answer
|
||||
if fe.Answers[StageAuthenticatorValidate] != "" {
|
||||
// SetSecrets sets the secret answers for the flow executor for protocols that only support username/password
|
||||
// acccording to used options
|
||||
func (fe *FlowExecutor) SetSecrets(password string, mfacodebased bool) {
|
||||
if fe.Answers[StageAuthenticatorValidate] != "" || fe.Answers[StagePassword] != "" {
|
||||
return
|
||||
}
|
||||
// password doesn't contain the separator
|
||||
if !strings.Contains(password, CodePasswordSeparator) {
|
||||
return
|
||||
}
|
||||
// password ends with the separator, so it won't contain an answer
|
||||
if strings.HasSuffix(password, CodePasswordSeparator) {
|
||||
return
|
||||
}
|
||||
idx := strings.LastIndex(password, CodePasswordSeparator)
|
||||
authenticator := password[idx+1:]
|
||||
// Authenticator is either 6 chars (totp code) or 8 chars (long totp or static)
|
||||
if len(authenticator) == 6 {
|
||||
// authenticator answer isn't purely numerical, so won't be value
|
||||
if _, err := strconv.Atoi(authenticator); err != nil {
|
||||
fe.Answers[StagePassword] = password
|
||||
if mfacodebased {
|
||||
// password doesn't contain the separator
|
||||
if !strings.Contains(password, CodePasswordSeparator) {
|
||||
return
|
||||
}
|
||||
} else if len(authenticator) == 8 {
|
||||
// 8 chars can be a long totp or static token, so it needs to be alphanumerical
|
||||
if !alphaNum.MatchString(authenticator) {
|
||||
// password ends with the separator, so it won't contain an answer
|
||||
if strings.HasSuffix(password, CodePasswordSeparator) {
|
||||
return
|
||||
}
|
||||
idx := strings.LastIndex(password, CodePasswordSeparator)
|
||||
authenticator := password[idx+1:]
|
||||
// Authenticator is either 6 chars (totp code) or 8 chars (long totp or static)
|
||||
if len(authenticator) == 6 {
|
||||
// authenticator answer isn't purely numerical, so won't be value
|
||||
if _, err := strconv.Atoi(authenticator); err != nil {
|
||||
return
|
||||
}
|
||||
} else if len(authenticator) == 8 {
|
||||
// 8 chars can be a long totp or static token, so it needs to be alphanumerical
|
||||
if !alphaNum.MatchString(authenticator) {
|
||||
return
|
||||
}
|
||||
} else {
|
||||
// Any other length, doesn't contain an answer
|
||||
return
|
||||
}
|
||||
fe.Answers[StagePassword] = password[:idx]
|
||||
fe.Answers[StageAuthenticatorValidate] = authenticator
|
||||
} else {
|
||||
// Any other length, doesn't contain an answer
|
||||
return
|
||||
// If code-based MFA is disabled StageAuthenticatorValidate answer is set to password.
|
||||
// This allows flows with a mfa stage only.
|
||||
fe.Answers[StageAuthenticatorValidate] = password
|
||||
}
|
||||
fe.Answers[StagePassword] = password[:idx]
|
||||
fe.Answers[StageAuthenticatorValidate] = authenticator
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,10 +23,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
|
|||
fe.Params.Add("goauthentik.io/outpost/ldap", "true")
|
||||
|
||||
fe.Answers[flow.StageIdentification] = username
|
||||
fe.Answers[flow.StagePassword] = req.BindPW
|
||||
if db.si.GetMFASupport() {
|
||||
fe.CheckPasswordInlineMFA()
|
||||
}
|
||||
fe.SetSecrets(req.BindPW, db.si.GetMFASupport())
|
||||
|
||||
passed, err := fe.Execute()
|
||||
flags := flags.UserFlags{
|
||||
|
|
|
|||
|
|
@ -21,14 +21,7 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
|
|||
fe.Params.Add("goauthentik.io/outpost/radius", "true")
|
||||
|
||||
fe.Answers[flow.StageIdentification] = username
|
||||
fe.Answers[flow.StagePassword] = rfc2865.UserPassword_GetString(r.Packet)
|
||||
if r.pi.MFASupport {
|
||||
fe.CheckPasswordInlineMFA()
|
||||
} else {
|
||||
// If code-based MFA is disabled StageAuthenticatorValidate answer is set to StagePassword answer.
|
||||
// This allows flows with only a mfa stage
|
||||
fe.Answers[flow.StageAuthenticatorValidate] = fe.Answers[flow.StagePassword]
|
||||
}
|
||||
fe.SetSecrets(rfc2865.UserPassword_GetString(r.Packet), r.pi.MFASupport)
|
||||
|
||||
passed, err := fe.Execute()
|
||||
if err != nil {
|
||||
|
|
|
|||
Reference in New Issue