outposts/ldap: add infinite loop prevention

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-05-12 18:31:44 +02:00
parent 34ab68a169
commit 9a0aa4c79b
3 changed files with 13 additions and 7 deletions

View file

@ -320,7 +320,7 @@ CELERY_RESULT_BACKEND = (
# Database backup # Database backup
DBBACKUP_STORAGE = "django.core.files.storage.FileSystemStorage" DBBACKUP_STORAGE = "django.core.files.storage.FileSystemStorage"
DBBACKUP_STORAGE_OPTIONS = {"location": "./backups" if DEBUG else "/backups"} DBBACKUP_STORAGE_OPTIONS = {"location": "./backups" if DEBUG else "/backups"}
DBBACKUP_FILENAME_TEMPLATE = 'authentik-backup-{datetime}.sql' DBBACKUP_FILENAME_TEMPLATE = "authentik-backup-{datetime}.sql"
if CONFIG.y("postgresql.s3_backup"): if CONFIG.y("postgresql.s3_backup"):
DBBACKUP_STORAGE = "storages.backends.s3boto3.S3Boto3Storage" DBBACKUP_STORAGE = "storages.backends.s3boto3.S3Boto3Storage"
DBBACKUP_STORAGE_OPTIONS = { DBBACKUP_STORAGE_OPTIONS = {

View file

@ -67,7 +67,7 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn)
} }
params := url.Values{} params := url.Values{}
params.Add("goauthentik.io/outpost/ldap", "true") params.Add("goauthentik.io/outpost/ldap", "true")
passed, err := pi.solveFlowChallenge(username, bindPW, client, params.Encode()) passed, err := pi.solveFlowChallenge(username, bindPW, client, params.Encode(), 1)
if err != nil { if err != nil {
pi.log.WithField("boundDN", username).WithError(err).Warning("failed to solve challenge") pi.log.WithField("boundDN", username).WithError(err).Warning("failed to solve challenge")
return ldap.LDAPResultOperationsError, nil return ldap.LDAPResultOperationsError, nil
@ -139,7 +139,7 @@ func (pi *ProviderInstance) delayDeleteUserInfo(dn string) {
}() }()
} }
func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, client *http.Client, urlParams string) (bool, error) { func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, client *http.Client, urlParams string, depth int) (bool, error) {
challenge, err := pi.s.ac.Client.Flows.FlowsExecutorGet(&flows.FlowsExecutorGetParams{ challenge, err := pi.s.ac.Client.Flows.FlowsExecutorGet(&flows.FlowsExecutorGetParams{
FlowSlug: pi.flowSlug, FlowSlug: pi.flowSlug,
Query: urlParams, Query: urlParams,
@ -169,6 +169,10 @@ func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, c
} }
response, err := pi.s.ac.Client.Flows.FlowsExecutorSolve(responseParams, pi.s.ac.Auth) response, err := pi.s.ac.Client.Flows.FlowsExecutorSolve(responseParams, pi.s.ac.Auth)
pi.log.WithField("component", response.Payload.Component).WithField("type", *response.Payload.Type).Debug("Got response") pi.log.WithField("component", response.Payload.Component).WithField("type", *response.Payload.Type).Debug("Got response")
switch response.Payload.Component {
case "ak-stage-access-denied":
return false, errors.New("got ak-stage-access-denied")
}
if *response.Payload.Type == "redirect" { if *response.Payload.Type == "redirect" {
return true, nil return true, nil
} }
@ -184,5 +188,8 @@ func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, c
} }
} }
} }
return pi.solveFlowChallenge(bindDN, password, client, urlParams) if depth >= 10 {
return false, errors.New("exceeded stage recursion depth")
}
return pi.solveFlowChallenge(bindDN, password, client, urlParams, depth+1)
} }

View file

@ -42,13 +42,12 @@ export class OutpostHealthElement extends LitElement {
return html`<ak-spinner></ak-spinner>`; return html`<ak-spinner></ak-spinner>`;
} }
if (this.outpostHealth.length === 0) { if (this.outpostHealth.length === 0) {
return html`<li> return html`
<ul> <ul>
<li role="cell"> <li role="cell">
<ak-label color=${PFColor.Grey} text=${t`Not available`}></ak-label> <ak-label color=${PFColor.Grey} text=${t`Not available`}></ak-label>
</li> </li>
</ul> </ul>`;
</li>`;
} }
return html`<ul>${this.outpostHealth.map((h) => { return html`<ul>${this.outpostHealth.map((h) => {
return html`<li> return html`<li>