refactor CheckPasswordInlineMFA to SetSecrets

2024-01-01 20:04:04 +01:00 · 2024-01-01 20:04:04 +01:00 · 658b37c718
parent cec021117c
commit 658b37c718
3 changed files with 34 additions and 39 deletions
--- a/internal/outpost/flow/solvers_mfa.go
+++ b/internal/outpost/flow/solvers_mfa.go
@ -10,14 +10,14 @@ const CodePasswordSeparator = ";"

 var alphaNum = regexp.MustCompile(`^[a-zA-Z0-9]*$`)

-// CheckPasswordInlineMFA For protocols that only support username/password, check if the password
-// contains the TOTP code
-func (fe *FlowExecutor) CheckPasswordInlineMFA() {
-	password := fe.Answers[StagePassword]
-	// We already have an authenticator answer
-	if fe.Answers[StageAuthenticatorValidate] != "" {
+// SetSecrets sets the secret answers for the flow executor for protocols that only support username/password
+// acccording to used options
+func (fe *FlowExecutor) SetSecrets(password string, mfacodebased bool) {
+	if fe.Answers[StageAuthenticatorValidate] != "" || fe.Answers[StagePassword] != "" {
 		return
 	}
+	fe.Answers[StagePassword] = password
+	if mfacodebased {
 		// password doesn't contain the separator
 		if !strings.Contains(password, CodePasswordSeparator) {
 			return
@ -45,4 +45,9 @@ func (fe *FlowExecutor) CheckPasswordInlineMFA() {
 		}
 		fe.Answers[StagePassword] = password[:idx]
 		fe.Answers[StageAuthenticatorValidate] = authenticator
+	} else {
+		// If code-based MFA is disabled StageAuthenticatorValidate answer is set to password.
+		// This allows flows with a mfa stage only.
+		fe.Answers[StageAuthenticatorValidate] = password
+	}
 }
--- a/internal/outpost/ldap/bind/direct/bind.go
+++ b/internal/outpost/ldap/bind/direct/bind.go
@ -23,10 +23,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 	fe.Params.Add("goauthentik.io/outpost/ldap", "true")

 	fe.Answers[flow.StageIdentification] = username
-	fe.Answers[flow.StagePassword] = req.BindPW
-	if db.si.GetMFASupport() {
-		fe.CheckPasswordInlineMFA()
-	}
+	fe.SetSecrets(req.BindPW, db.si.GetMFASupport())

 	passed, err := fe.Execute()
 	flags := flags.UserFlags{
--- a/internal/outpost/radius/handle_access_request.go
+++ b/internal/outpost/radius/handle_access_request.go
@ -21,14 +21,7 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
 	fe.Params.Add("goauthentik.io/outpost/radius", "true")

 	fe.Answers[flow.StageIdentification] = username
-	fe.Answers[flow.StagePassword] = rfc2865.UserPassword_GetString(r.Packet)
-	if r.pi.MFASupport {
-		fe.CheckPasswordInlineMFA()
-	} else {
-		// If code-based MFA is disabled StageAuthenticatorValidate answer is set to StagePassword answer.
-		// This allows flows with only a mfa stage
-		fe.Answers[flow.StageAuthenticatorValidate] = fe.Answers[flow.StagePassword]
-	}
+	fe.SetSecrets(rfc2865.UserPassword_GetString(r.Packet), r.pi.MFASupport)

 	passed, err := fe.Execute()
 	if err != nil {