From 658b37c718eb48a6b10c96fff714f37eb4168278 Mon Sep 17 00:00:00 2001 From: Matthias G Date: Mon, 1 Jan 2024 20:04:04 +0100 Subject: [PATCH] refactor CheckPasswordInlineMFA to SetSecrets --- internal/outpost/flow/solvers_mfa.go | 59 ++++++++++--------- internal/outpost/ldap/bind/direct/bind.go | 5 +- .../outpost/radius/handle_access_request.go | 9 +-- 3 files changed, 34 insertions(+), 39 deletions(-) diff --git a/internal/outpost/flow/solvers_mfa.go b/internal/outpost/flow/solvers_mfa.go index f2952eb3d..928b251e3 100644 --- a/internal/outpost/flow/solvers_mfa.go +++ b/internal/outpost/flow/solvers_mfa.go @@ -10,39 +10,44 @@ const CodePasswordSeparator = ";" var alphaNum = regexp.MustCompile(`^[a-zA-Z0-9]*$`) -// CheckPasswordInlineMFA For protocols that only support username/password, check if the password -// contains the TOTP code -func (fe *FlowExecutor) CheckPasswordInlineMFA() { - password := fe.Answers[StagePassword] - // We already have an authenticator answer - if fe.Answers[StageAuthenticatorValidate] != "" { +// SetSecrets sets the secret answers for the flow executor for protocols that only support username/password +// acccording to used options +func (fe *FlowExecutor) SetSecrets(password string, mfacodebased bool) { + if fe.Answers[StageAuthenticatorValidate] != "" || fe.Answers[StagePassword] != "" { return } - // password doesn't contain the separator - if !strings.Contains(password, CodePasswordSeparator) { - return - } - // password ends with the separator, so it won't contain an answer - if strings.HasSuffix(password, CodePasswordSeparator) { - return - } - idx := strings.LastIndex(password, CodePasswordSeparator) - authenticator := password[idx+1:] - // Authenticator is either 6 chars (totp code) or 8 chars (long totp or static) - if len(authenticator) == 6 { - // authenticator answer isn't purely numerical, so won't be value - if _, err := strconv.Atoi(authenticator); err != nil { + fe.Answers[StagePassword] = password + if mfacodebased { + // password doesn't contain the separator + if !strings.Contains(password, CodePasswordSeparator) { return } - } else if len(authenticator) == 8 { - // 8 chars can be a long totp or static token, so it needs to be alphanumerical - if !alphaNum.MatchString(authenticator) { + // password ends with the separator, so it won't contain an answer + if strings.HasSuffix(password, CodePasswordSeparator) { return } + idx := strings.LastIndex(password, CodePasswordSeparator) + authenticator := password[idx+1:] + // Authenticator is either 6 chars (totp code) or 8 chars (long totp or static) + if len(authenticator) == 6 { + // authenticator answer isn't purely numerical, so won't be value + if _, err := strconv.Atoi(authenticator); err != nil { + return + } + } else if len(authenticator) == 8 { + // 8 chars can be a long totp or static token, so it needs to be alphanumerical + if !alphaNum.MatchString(authenticator) { + return + } + } else { + // Any other length, doesn't contain an answer + return + } + fe.Answers[StagePassword] = password[:idx] + fe.Answers[StageAuthenticatorValidate] = authenticator } else { - // Any other length, doesn't contain an answer - return + // If code-based MFA is disabled StageAuthenticatorValidate answer is set to password. + // This allows flows with a mfa stage only. + fe.Answers[StageAuthenticatorValidate] = password } - fe.Answers[StagePassword] = password[:idx] - fe.Answers[StageAuthenticatorValidate] = authenticator } diff --git a/internal/outpost/ldap/bind/direct/bind.go b/internal/outpost/ldap/bind/direct/bind.go index cffa0cf36..b7850e853 100644 --- a/internal/outpost/ldap/bind/direct/bind.go +++ b/internal/outpost/ldap/bind/direct/bind.go @@ -23,10 +23,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul fe.Params.Add("goauthentik.io/outpost/ldap", "true") fe.Answers[flow.StageIdentification] = username - fe.Answers[flow.StagePassword] = req.BindPW - if db.si.GetMFASupport() { - fe.CheckPasswordInlineMFA() - } + fe.SetSecrets(req.BindPW, db.si.GetMFASupport()) passed, err := fe.Execute() flags := flags.UserFlags{ diff --git a/internal/outpost/radius/handle_access_request.go b/internal/outpost/radius/handle_access_request.go index 55b88ff54..49f177596 100644 --- a/internal/outpost/radius/handle_access_request.go +++ b/internal/outpost/radius/handle_access_request.go @@ -21,14 +21,7 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR fe.Params.Add("goauthentik.io/outpost/radius", "true") fe.Answers[flow.StageIdentification] = username - fe.Answers[flow.StagePassword] = rfc2865.UserPassword_GetString(r.Packet) - if r.pi.MFASupport { - fe.CheckPasswordInlineMFA() - } else { - // If code-based MFA is disabled StageAuthenticatorValidate answer is set to StagePassword answer. - // This allows flows with only a mfa stage - fe.Answers[flow.StageAuthenticatorValidate] = fe.Answers[flow.StagePassword] - } + fe.SetSecrets(rfc2865.UserPassword_GetString(r.Packet), r.pi.MFASupport) passed, err := fe.Execute() if err != nil {