web/flows: improve error messages for failed duo push

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-11-24 13:42:13 +01:00
parent 118555c97a
commit 1c2cdfe06a
4 changed files with 58 additions and 32 deletions

View file

@ -208,8 +208,7 @@ def validate_challenge_duo(device_pk: int, stage_view: StageView, user: User) ->
stage=stage_view.executor.current_stage, stage=stage_view.executor.current_stage,
device_class=DeviceClasses.DUO.value, device_class=DeviceClasses.DUO.value,
) )
raise ValidationError("Duo denied access") raise ValidationError("Duo denied access", code="denied")
device.save()
return device return device
except RuntimeError as exc: except RuntimeError as exc:
Event.new( Event.new(
@ -217,4 +216,4 @@ def validate_challenge_duo(device_pk: int, stage_view: StageView, user: User) ->
message=f"Failed to DUO authenticate user: {str(exc)}", message=f"Failed to DUO authenticate user: {str(exc)}",
user=user, user=user,
).from_http(stage_view.request, user) ).from_http(stage_view.request, user)
raise ValidationError("Duo denied access") raise ValidationError("Duo denied access", code="denied")

View file

@ -73,7 +73,17 @@ class AuthenticatorValidateStageDuoTests(FlowTestCase):
) )
with patch( with patch(
"authentik.stages.authenticator_duo.models.AuthenticatorDuoStage.auth_client", "authentik.stages.authenticator_duo.models.AuthenticatorDuoStage.auth_client",
MagicMock(return_value=MagicMock(auth=MagicMock(return_value={"result": "deny"}))), MagicMock(
return_value=MagicMock(
auth=MagicMock(
return_value={
"result": "deny",
"status": "deny",
"status_msg": "foo",
}
)
)
),
): ):
with self.assertRaises(ValidationError): with self.assertRaises(ValidationError):
validate_challenge_duo( validate_challenge_duo(

View file

@ -1,3 +1,4 @@
import { AKElement } from "@goauthentik/elements/Base";
import "@goauthentik/elements/EmptyState"; import "@goauthentik/elements/EmptyState";
import "@goauthentik/flow/FormStatic"; import "@goauthentik/flow/FormStatic";
import { BaseStage } from "@goauthentik/flow/stages/base"; import { BaseStage } from "@goauthentik/flow/stages/base";
@ -5,7 +6,7 @@ import { BaseStage } from "@goauthentik/flow/stages/base";
import { t } from "@lingui/macro"; import { t } from "@lingui/macro";
import { CSSResult, TemplateResult, css, html } from "lit"; import { CSSResult, TemplateResult, css, html } from "lit";
import { customElement } from "lit/decorators.js"; import { customElement, property } from "lit/decorators.js";
import { ifDefined } from "lit/directives/if-defined.js"; import { ifDefined } from "lit/directives/if-defined.js";
import AKGlobal from "@goauthentik/common/styles/authentik.css"; import AKGlobal from "@goauthentik/common/styles/authentik.css";
@ -18,18 +19,14 @@ import PFBase from "@patternfly/patternfly/patternfly-base.css";
import { AccessDeniedChallenge, FlowChallengeResponseRequest } from "@goauthentik/api"; import { AccessDeniedChallenge, FlowChallengeResponseRequest } from "@goauthentik/api";
@customElement("ak-stage-access-denied") @customElement("ak-stage-access-denied-icon")
export class AccessDeniedStage extends BaseStage< export class AccessDeniedIcon extends AKElement {
AccessDeniedChallenge, @property()
FlowChallengeResponseRequest errorMessage?: string;
> {
static get styles(): CSSResult[] { static get styles(): CSSResult[] {
return [ return [
PFBase, PFBase,
PFLogin,
PFForm,
PFList,
PFFormControl,
PFTitle, PFTitle,
AKGlobal, AKGlobal,
css` css`
@ -50,6 +47,29 @@ export class AccessDeniedStage extends BaseStage<
]; ];
} }
render(): TemplateResult {
return html` <div class="pf-c-form__group">
<p class="big-icon">
<i class="pf-icon pf-icon-error-circle-o"></i>
</p>
<h3 class="pf-c-title pf-m-3xl reason">${t`Request has been denied.`}</h3>
${this.errorMessage
? html`<hr />
<p>${this.errorMessage}</p>`
: html``}
</div>`;
}
}
@customElement("ak-stage-access-denied")
export class AccessDeniedStage extends BaseStage<
AccessDeniedChallenge,
FlowChallengeResponseRequest
> {
static get styles(): CSSResult[] {
return [PFBase, PFLogin, PFForm, PFList, PFFormControl, PFTitle, AKGlobal];
}
render(): TemplateResult { render(): TemplateResult {
if (!this.challenge) { if (!this.challenge) {
return html`<ak-empty-state ?loading="${true}" header=${t`Loading`}> </ak-empty-state>`; return html`<ak-empty-state ?loading="${true}" header=${t`Loading`}> </ak-empty-state>`;
@ -70,15 +90,10 @@ export class AccessDeniedStage extends BaseStage<
> >
</div> </div>
</ak-form-static> </ak-form-static>
<div class="pf-c-form__group"> <ak-stage-access-denied-icon
<p class="big-icon"> errorMessage=${ifDefined(this.challenge.errorMessage)}
<i class="pf-icon pf-icon-error-circle-o"></i> >
</p> </ak-stage-access-denied-icon>
<h3 class="pf-c-title pf-m-3xl reason">${t`Request has been denied.`}</h3>
${this.challenge?.errorMessage &&
html`<hr />
<p>${this.challenge.errorMessage}</p>`}
</div>
</form> </form>
</div> </div>
<footer class="pf-c-login__main-footer"> <footer class="pf-c-login__main-footer">

View file

@ -69,15 +69,17 @@ export class AuthenticatorValidateStageWebDuo extends BaseStage<
</div> </div>
</ak-form-static> </ak-form-static>
${errors.map((err) => { ${errors.length > 0
? errors.map((err) => {
if (err.code === "denied") {
return html` <ak-stage-access-denied-icon
errorMessage=${err.string}
>
</ak-stage-access-denied-icon>`;
}
return html`<p>${err.string}</p>`; return html`<p>${err.string}</p>`;
})} })
: html`${t`Sending Duo push notification`}`}
<div class="pf-c-form__group pf-m-action">
<button type="submit" class="pf-c-button pf-m-primary pf-m-block">
${t`Continue`}
</button>
</div>
</form> </form>
</div> </div>
<footer class="pf-c-login__main-footer"> <footer class="pf-c-login__main-footer">