From 7b3d1a229f744096f84077d2357e084741aed876 Mon Sep 17 00:00:00 2001 From: Jens L Date: Thu, 17 Aug 2023 22:48:05 +0100 Subject: [PATCH] stages/authenticator_static: make static token size adjustable (#6565) Signed-off-by: Jens Langhammer --- authentik/stages/authenticator_static/api.py | 7 ++- ...icatorstaticstage_token_length_and_more.py | 22 ++++++++ .../stages/authenticator_static/models.py | 3 +- .../stages/authenticator_static/stage.py | 5 +- blueprints/schema.json | 8 ++- locale/en/LC_MESSAGES/django.po | 14 ++--- schema.yml | 22 +++++++- .../AuthenticatorStaticStageForm.ts | 22 ++++++++ web/xliff/de.xlf | 9 +++ web/xliff/en.xlf | 9 +++ web/xliff/es.xlf | 9 +++ web/xliff/fr_FR.xlf | 9 +++ web/xliff/pl.xlf | 9 +++ web/xliff/pseudo-LOCALE.xlf | 9 +++ web/xliff/tr.xlf | 9 +++ web/xliff/zh-Hans.xlf | 55 +++++++++++-------- web/xliff/zh-Hant.xlf | 9 +++ web/xliff/zh_TW.xlf | 9 +++ 18 files changed, 202 insertions(+), 37 deletions(-) create mode 100644 authentik/stages/authenticator_static/migrations/0007_authenticatorstaticstage_token_length_and_more.py diff --git a/authentik/stages/authenticator_static/api.py b/authentik/stages/authenticator_static/api.py index a5f534cbd..d009b9feb 100644 --- a/authentik/stages/authenticator_static/api.py +++ b/authentik/stages/authenticator_static/api.py @@ -18,7 +18,12 @@ class AuthenticatorStaticStageSerializer(StageSerializer): class Meta: model = AuthenticatorStaticStage - fields = StageSerializer.Meta.fields + ["configure_flow", "friendly_name", "token_count"] + fields = StageSerializer.Meta.fields + [ + "configure_flow", + "friendly_name", + "token_count", + "token_length", + ] class AuthenticatorStaticStageViewSet(UsedByMixin, ModelViewSet): diff --git a/authentik/stages/authenticator_static/migrations/0007_authenticatorstaticstage_token_length_and_more.py b/authentik/stages/authenticator_static/migrations/0007_authenticatorstaticstage_token_length_and_more.py new file mode 100644 index 000000000..f0136530a 
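Review bot: Adding `token_length` to the serializer's `fields` list exposes it through the API with no floor: the model field is a `PositiveIntegerField`, and the blueprints/schema.json and schema.yml regenerated in this commit advertise `minimum: 0` for both `token_length` and `token_count`. A stage saved with `token_length` of 0 or 1 makes the loop in the stage.py hunk call `generate_id(length=0)` and hand the user empty or single-character backup codes (unless `generate_id` enforces its own minimum, which is not visible here), and `token_count` of 0 builds a device with no tokens at all. I would add `validate_token_length` / `validate_token_count` methods to this serializer, or put `validators=[MinValueValidator(...)]` on the two fields in the models.py hunk, with a floor no lower than the length `StaticToken.random_token()` used to produce; the same gap applies to the models.py and stage.py hunks, so one fix covers all three. The enclosing `AuthenticatorStaticStageSerializer` class starts outside the hunk.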
--- /dev/null +++ b/authentik/stages/authenticator_static/migrations/0007_authenticatorstaticstage_token_length_and_more.py @@ -0,0 +1,22 @@ +# Generated by Django 4.2.4 on 2023-08-17 17:34 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + dependencies = [ + ("authentik_stages_authenticator_static", "0006_authenticatorstaticstage_friendly_name"), + ] + + operations = [ + migrations.AddField( + model_name="authenticatorstaticstage", + name="token_length", + field=models.PositiveIntegerField(default=12), + ), + migrations.AlterField( + model_name="authenticatorstaticstage", + name="token_count", + field=models.PositiveIntegerField(default=6), + ), + ] diff --git a/authentik/stages/authenticator_static/models.py b/authentik/stages/authenticator_static/models.py index 631458a21..05511c489 100644 --- a/authentik/stages/authenticator_static/models.py +++ b/authentik/stages/authenticator_static/models.py @@ -13,7 +13,8 @@ from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage class AuthenticatorStaticStage(ConfigurableStage, FriendlyNamedStage, Stage): """Generate static tokens for the user as a backup.""" - token_count = models.IntegerField(default=6) + token_count = models.PositiveIntegerField(default=6) + token_length = models.PositiveIntegerField(default=12) @property def serializer(self) -> type[BaseSerializer]: diff --git a/authentik/stages/authenticator_static/stage.py b/authentik/stages/authenticator_static/stage.py index b5a8d6dd2..8df9ab4b5 100644 --- a/authentik/stages/authenticator_static/stage.py +++ b/authentik/stages/authenticator_static/stage.py 
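Review bot: `token_length` is only bounded above by the integer range (2147483647 per the schema regenerated in this commit), but every generated value has to fit the `token` column of `StaticToken`, which in django-otp is declared as `CharField(max_length=16)`; if authentik's `StaticToken` keeps that width, any `token_length` above it yields tokens that strict databases such as PostgreSQL reject at save time, after the user has already been shown them. I would cap the field to the column width, e.g. `validators=[MaxValueValidator(StaticToken._meta.get_field("token").max_length)]` where `StaticToken` can be imported without a cycle, or a named constant kept in sync with it. Both fields would also benefit from a `help_text` stating the unit, e.g. `help_text=_("Number of characters per generated token")` using the file's existing gettext alias, so the admin form and the generated schema explain what the number means. The `AuthenticatorStaticStage` class continues outside the hunk.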
@@ -5,6 +5,7 @@ from rest_framework.fields import CharField, ListField from authentik.flows.challenge import ChallengeResponse, ChallengeTypes, WithUserInfoChallenge from authentik.flows.stage import ChallengeStageView +from authentik.lib.generators import generate_id from authentik.stages.authenticator_static.models import AuthenticatorStaticStage SESSION_STATIC_DEVICE = "static_device" @@ -50,7 +51,9 @@ class AuthenticatorStaticStageView(ChallengeStageView): device = StaticDevice(user=user, confirmed=False, name="Static Token") tokens = [] for _ in range(0, stage.token_count): - tokens.append(StaticToken(device=device, token=StaticToken.random_token())) + tokens.append( + StaticToken(device=device, token=generate_id(length=stage.token_length)) + ) self.request.session[SESSION_STATIC_DEVICE] = device self.request.session[SESSION_STATIC_TOKENS] = tokens return super().get(request, *args, **kwargs) diff --git a/blueprints/schema.json b/blueprints/schema.json index 7637beec4..064b0117c 100644 --- a/blueprints/schema.json +++ b/blueprints/schema.json @@ -5859,9 +5859,15 @@ }, "token_count": { "type": "integer", - "minimum": -2147483648, + "minimum": 0, "maximum": 2147483647, "title": "Token count" + }, + "token_length": { + "type": "integer", + "minimum": 0, + "maximum": 2147483647, + "title": "Token length" } }, "required": [] diff --git a/locale/en/LC_MESSAGES/django.po b/locale/en/LC_MESSAGES/django.po index b449f8e10..ebdc06553 100644 --- a/locale/en/LC_MESSAGES/django.po +++ b/locale/en/LC_MESSAGES/django.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2023-07-28 11:50+0000\n" +"POT-Creation-Date: 2023-08-17 17:37+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" 
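Review bot: The second hunk replaces `StaticToken.random_token()` with `generate_id(length=stage.token_length)`, which changes the randomness source and alphabet of what are effectively recovery credentials, and nothing in the import hunk shows what `generate_id` is backed by; it is worth confirming it draws from `secrets` / `random.SystemRandom` rather than the default `random` module, and pinning that expectation at the call site with `# backup codes are credentials: generate_id must stay CSPRNG-backed`. Because the length is now admin-configurable, the generated token should also be checked against the `StaticToken.token` column width before it is placed in the session, otherwise the failure surfaces only when the tokens are saved later in the flow (hedged: the save happens outside this hunk). The enclosing `get()` method starts outside the hunk; its `return super().get(...)` is the hunk's last line.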
@@ -23,11 +23,11 @@ msgstr "" msgid "Successfully re-scheduled Task %(name)s!" msgstr "" -#: authentik/api/schema.py:21 +#: authentik/api/schema.py:24 msgid "Generic API Error" msgstr "" -#: authentik/api/schema.py:29 +#: authentik/api/schema.py:32 msgid "Validation Error" msgstr "" @@ -82,11 +82,11 @@ msgstr "" msgid "Create a SAML Provider by importing its Metadata." msgstr "" -#: authentik/core/api/users.py:144 +#: authentik/core/api/users.py:150 msgid "No leading or trailing slashes allowed." msgstr "" -#: authentik/core/api/users.py:147 +#: authentik/core/api/users.py:153 msgid "No empty segments in user path allowed." msgstr "" @@ -1871,11 +1871,11 @@ msgstr "" msgid "Invalid phone number" msgstr "" -#: authentik/stages/authenticator_static/models.py:46 +#: authentik/stages/authenticator_static/models.py:47 msgid "Static Authenticator Stage" msgstr "" -#: authentik/stages/authenticator_static/models.py:47 +#: authentik/stages/authenticator_static/models.py:48 msgid "Static Authenticator Stages" msgstr "" diff --git a/schema.yml b/schema.yml index f6320501b..1e00f3a5d 100644 --- a/schema.yml +++ b/schema.yml @@ -21101,6 +21101,10 @@ paths: name: token_count schema: type: integer + - in: query + name: token_length + schema: + type: integer tags: - stages security: @@ -27547,7 +27551,11 @@ components: token_count: type: integer maximum: 2147483647 - minimum: -2147483648 + minimum: 0 + token_length: + type: integer + maximum: 2147483647 + minimum: 0 required: - component - meta_model_name @@ -27579,7 +27587,11 @@ components: token_count: type: integer maximum: 2147483647 - minimum: -2147483648 + minimum: 0 + token_length: + type: integer + maximum: 2147483647 + minimum: 0 required: - name AuthenticatorTOTPChallenge: 
@@ -34502,7 +34514,11 @@ components: token_count: type: integer maximum: 2147483647 - minimum: -2147483648 + minimum: 0 + token_length: + type: integer + maximum: 2147483647 + minimum: 0 PatchedAuthenticatorTOTPStageRequest: type: object description: AuthenticatorTOTPStage Serializer diff --git a/web/src/admin/stages/authenticator_static/AuthenticatorStaticStageForm.ts b/web/src/admin/stages/authenticator_static/AuthenticatorStaticStageForm.ts index 270b3e588..87fd6ad7d 100644 --- a/web/src/admin/stages/authenticator_static/AuthenticatorStaticStageForm.ts +++ b/web/src/admin/stages/authenticator_static/AuthenticatorStaticStageForm.ts @@ -92,6 +92,28 @@ export class AuthenticatorStaticStageForm extends ModelForm +

+ ${msg( + "The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device.", + )} +

+ + + +

+ ${msg( + "The length of the individual generated tokens. Can be increased to improve security.", + )} +

Sign out + + + The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device. + + + Token length + + + The length of the individual generated tokens. Can be increased to improve security. diff --git a/web/xliff/en.xlf b/web/xliff/en.xlf index de0a17462..bd44a710e 100644 --- a/web/xliff/en.xlf +++ b/web/xliff/en.xlf @@ -6195,6 +6195,15 @@ Bindings to groups/users are checked against the user of the event. Sign out + + + The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device. + + + Token length + + + The length of the individual generated tokens. Can be increased to improve security. diff --git a/web/xliff/es.xlf b/web/xliff/es.xlf index 8cc375c97..9d0f632c9 100644 --- a/web/xliff/es.xlf +++ b/web/xliff/es.xlf @@ -5787,6 +5787,15 @@ Bindings to groups/users are checked against the user of the event. Sign out + + + The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device. + + + Token length + + + The length of the individual generated tokens. Can be increased to improve security. diff --git a/web/xliff/fr_FR.xlf b/web/xliff/fr_FR.xlf index 36e343b7d..0943d46a5 100644 --- a/web/xliff/fr_FR.xlf +++ b/web/xliff/fr_FR.xlf @@ -5894,6 +5894,15 @@ Bindings to groups/users are checked against the user of the event. Sign out + + + The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device. + + + Token length + + + The length of the individual generated tokens. Can be increased to improve security. diff --git a/web/xliff/pl.xlf b/web/xliff/pl.xlf index 7bc91c6d8..8655c7a86 100644 --- a/web/xliff/pl.xlf +++ b/web/xliff/pl.xlf 
@@ -6026,6 +6026,15 @@ Bindings to groups/users are checked against the user of the event. Sign out + + + The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device. + + + Token length + + + The length of the individual generated tokens. Can be increased to improve security. diff --git a/web/xliff/pseudo-LOCALE.xlf b/web/xliff/pseudo-LOCALE.xlf index 1241c31a2..5cff56dee 100644 --- a/web/xliff/pseudo-LOCALE.xlf +++ b/web/xliff/pseudo-LOCALE.xlf @@ -6130,6 +6130,15 @@ Bindings to groups/users are checked against the user of the event. Sign out + + + The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device. + + + Token length + + + The length of the individual generated tokens. Can be increased to improve security. diff --git a/web/xliff/tr.xlf b/web/xliff/tr.xlf index 65d4e4660..d259c0c55 100644 --- a/web/xliff/tr.xlf +++ b/web/xliff/tr.xlf @@ -5777,6 +5777,15 @@ Bindings to groups/users are checked against the user of the event. Sign out + + + The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device. + + + Token length + + + The length of the individual generated tokens. Can be increased to improve security. diff --git a/web/xliff/zh-Hans.xlf b/web/xliff/zh-Hans.xlf index 08fa7a33c..a09b06731 100644 --- a/web/xliff/zh-Hans.xlf +++ b/web/xliff/zh-Hans.xlf @@ -1,4 +1,4 @@ - + @@ -618,9 +618,9 @@ - The URL "" was not found. - 未找到 URL " - "。 + The URL "" was not found. + 未找到 URL " + "。 
@@ -1072,8 +1072,8 @@ - To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have. - 要允许任何重定向 URI,请将此值设置为 ".*"。请注意这可能带来的安全影响。 + To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have. + 要允许任何重定向 URI,请将此值设置为 ".*"。请注意这可能带来的安全影响。 @@ -1819,8 +1819,8 @@ - Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test". - 输入完整 URL、相对路径,或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。 + Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test". + 输入完整 URL、相对路径,或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。 @@ -3248,8 +3248,8 @@ doesn't pass when either or both of the selected options are equal or above the - Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...' - 包含组成员的字段。请注意,如果使用 "memberUid" 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...' + Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...' + 包含组成员的字段。请注意,如果使用 "memberUid" 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...' @@ -4046,8 +4046,8 @@ doesn't pass when either or both of the selected options are equal or above the - When using an external logging solution for archiving, this can be set to "minutes=5". - 使用外部日志记录解决方案进行存档时,可以将其设置为 "minutes=5"。 + When using an external logging solution for archiving, this can be set to "minutes=5". + 使用外部日志记录解决方案进行存档时,可以将其设置为 "minutes=5"。 
@@ -4056,8 +4056,8 @@ doesn't pass when either or both of the selected options are equal or above the - Format: "weeks=3;days=2;hours=3,seconds=2". - 格式:"weeks=3;days=2;hours=3,seconds=2"。 + Format: "weeks=3;days=2;hours=3,seconds=2". + 格式:"weeks=3;days=2;hours=3,seconds=2"。 @@ -4253,10 +4253,10 @@ doesn't pass when either or both of the selected options are equal or above the - Are you sure you want to update ""? + Are you sure you want to update ""? 您确定要更新 - " - " 吗? + " + " 吗? @@ -5372,7 +5372,7 @@ doesn't pass when either or both of the selected options are equal or above the - A "roaming" authenticator, like a YubiKey + A "roaming" authenticator, like a YubiKey 像 YubiKey 这样的“漫游”身份验证器 @@ -5712,10 +5712,10 @@ doesn't pass when either or both of the selected options are equal or above the - ("", of type ) + ("", of type ) - (" - ",类型为 + (" + ",类型为 @@ -5764,7 +5764,7 @@ doesn't pass when either or both of the selected options are equal or above the - If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here. + If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here. 如果设置时长大于 0,用户可以选择“保持登录”选项,这将使用户的会话延长此处设置的时间。 @@ -7756,7 +7756,16 @@ Bindings to groups/users are checked against the user of the event. Sign out 登出 + + + The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device. + + + Token length + + + The length of the individual generated tokens. Can be increased to improve security. - \ No newline at end of file + diff --git a/web/xliff/zh-Hant.xlf b/web/xliff/zh-Hant.xlf index db4d9f23a..967f4f9e4 100644 --- a/web/xliff/zh-Hant.xlf +++ b/web/xliff/zh-Hant.xlf 
@@ -5832,6 +5832,15 @@ Bindings to groups/users are checked against the user of the event. Sign out + + + The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device. + + + Token length + + + The length of the individual generated tokens. Can be increased to improve security. diff --git a/web/xliff/zh_TW.xlf b/web/xliff/zh_TW.xlf index ee1190abf..16a6fd25a 100644 --- a/web/xliff/zh_TW.xlf +++ b/web/xliff/zh_TW.xlf @@ -5831,6 +5831,15 @@ Bindings to groups/users are checked against the user of the event. Sign out + + + The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device. + + + Token length + + + The length of the individual generated tokens. Can be increased to improve security.