refactor CheckPasswordInlineMFA to SetSecrets

This commit is contained in:
Matthias G 2024-01-01 20:04:04 +01:00
parent cec021117c
commit 658b37c718
3 changed files with 34 additions and 39 deletions


@ -10,14 +10,14 @@ const CodePasswordSeparator = ";"
var alphaNum = regexp.MustCompile(`^[a-zA-Z0-9]*$`)
// CheckPasswordInlineMFA For protocols that only support username/password, check if the password
// contains the TOTP code
func (fe *FlowExecutor) CheckPasswordInlineMFA() {
password := fe.Answers[StagePassword]
// We already have an authenticator answer
if fe.Answers[StageAuthenticatorValidate] != "" {
// SetSecrets sets the secret answers for the flow executor for protocols that only support username/password
// acccording to used options
func (fe *FlowExecutor) SetSecrets(password string, mfacodebased bool) {
if fe.Answers[StageAuthenticatorValidate] != "" || fe.Answers[StagePassword] != "" {
return
}
fe.Answers[StagePassword] = password
if mfacodebased {
// password doesn't contain the separator
if !strings.Contains(password, CodePasswordSeparator) {
return
@ -45,4 +45,9 @@ func (fe *FlowExecutor) CheckPasswordInlineMFA() {
}
fe.Answers[StagePassword] = password[:idx]
fe.Answers[StageAuthenticatorValidate] = authenticator
} else {
// If code-based MFA is disabled StageAuthenticatorValidate answer is set to password.
// This allows flows with a mfa stage only.
fe.Answers[StageAuthenticatorValidate] = password
}
}
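Review bot: The guard `if fe.Answers[StageAuthenticatorValidate] != "" || fe.Answers[StagePassword] != ""` turns SetSecrets into a silent no-op whenever either answer is already populated: the password argument is discarded with no error, no log line and no hint in the doc comment, so a caller that pre-fills StagePassword (as both call sites did before this commit) would unknowingly submit the stale answers. I'd state the precondition in the doc comment, e.g. `// SetSecrets is a no-op if a password or authenticator answer is already present; callers must not pre-set either.`, and fix the typo `acccording` → `according`. The else branch stores the full password as the StageAuthenticatorValidate answer whenever mfacodebased is false, so the credential now reaches the authenticator-validation stage from every caller that disables code-based MFA rather than only the RADIUS path; since the title calls this a refactor, that widening deserves a sentence in the doc comment as well. The middle of the function between the two hunks is outside this view.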


@ -23,10 +23,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
fe.Params.Add("goauthentik.io/outpost/ldap", "true")
fe.Answers[flow.StageIdentification] = username
fe.Answers[flow.StagePassword] = req.BindPW
if db.si.GetMFASupport() {
fe.CheckPasswordInlineMFA()
}
fe.SetSecrets(req.BindPW, db.si.GetMFASupport())
passed, err := fe.Execute()
flags := flags.UserFlags{
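Review bot: `fe.SetSecrets(req.BindPW, db.si.GetMFASupport())` changes LDAP bind behaviour when MFA support is off: the removed lines only populated StagePassword in that case, whereas the else branch of SetSecrets now also stores the bind password as the StageAuthenticatorValidate answer, so the credential is submitted to an authenticator-validation stage that previously never received it from LDAP. If that is intended (flows with only an MFA stage, as the comment in SetSecrets says), a call-site comment would spare the next reader a trip into the executor, e.g. `// With MFA support off, SetSecrets also submits the bind password as the authenticator answer.`; if it is not intended, the MFA-off path should keep setting only StagePassword. Bind's body continues outside the hunk on both sides.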


@ -21,14 +21,7 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
fe.Params.Add("goauthentik.io/outpost/radius", "true")
fe.Answers[flow.StageIdentification] = username
fe.Answers[flow.StagePassword] = rfc2865.UserPassword_GetString(r.Packet)
if r.pi.MFASupport {
fe.CheckPasswordInlineMFA()
} else {
// If code-based MFA is disabled StageAuthenticatorValidate answer is set to StagePassword answer.
// This allows flows with only a mfa stage
fe.Answers[flow.StageAuthenticatorValidate] = fe.Answers[flow.StagePassword]
}
fe.SetSecrets(rfc2865.UserPassword_GetString(r.Packet), r.pi.MFASupport)
passed, err := fe.Execute()
if err != nil {