From ec67b602199ab889714d5a1fc9fdce99d3c20ad3 Mon Sep 17 00:00:00 2001
From: Jens L
Date: Tue, 10 May 2022 23:47:36 +0200
Subject: [PATCH] policies/hibp: check in prompt data (#2845)
Signed-off-by: Jens Langhammer
---
 authentik/policies/hibp/models.py | 8 ++++++--
 authentik/policies/hibp/tests.py | 5 +++--
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/authentik/policies/hibp/models.py b/authentik/policies/hibp/models.py
index b6e2c4531..d9884f3bf 100644
--- a/authentik/policies/hibp/models.py
+++ b/authentik/policies/hibp/models.py
@@ -9,6 +9,7 @@ from structlog.stdlib import get_logger
 from authentik.lib.utils.http import get_http_session
 from authentik.policies.models import Policy, PolicyResult
 from authentik.policies.types import PolicyRequest
+from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 LOGGER = get_logger()
@@ -38,14 +39,17 @@ class HaveIBeenPwendPolicy(Policy):
         """Check if password is in HIBP DB. Hashes given Password with SHA1, uses the first 5 characters of Password in request and checks if full hash is in response. Returns 0 if Password is not in result otherwise the count of how many times it was used."""
-        if self.password_field not in request.context:
+        password = request.context.get(PLAN_CONTEXT_PROMPT, {}).get(
+            self.password_field, request.context.get(self.password_field)
+        )
+        if not password:
             LOGGER.warning(
                 "Password field not set in Policy Request",
                 field=self.password_field,
                 fields=request.context.keys(),
             )
             return PolicyResult(False, _("Password not set in context"))
-        password = str(request.context[self.password_field])
+        password = str(password)
         pw_hash = sha1(password.encode("utf-8")).hexdigest()  # nosec
         url = f"https://api.pwnedpasswords.com/range/{pw_hash[:5]}"
diff --git a/authentik/policies/hibp/tests.py b/authentik/policies/hibp/tests.py
index 0f6339239..89c79bf0b 100644
--- a/authentik/policies/hibp/tests.py
+++ b/authentik/policies/hibp/tests.py
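Review bot: `if not password:` widens the old presence check to any falsy value, so a field that is present but empty now takes the "Password field not set in Policy Request" warning and the `Password not set in context` result, which is misleading for that case; if an empty password should be rejected here rather than hashed and looked up, the warning and message should say so, otherwise `if password is None:` keeps the original semantics. The chained lookup also assumes whatever sits under `PLAN_CONTEXT_PROMPT` is a mapping; if a non-mapping can ever be stored there (I cannot tell from this hunk), the second `.get` raises AttributeError instead of falling back to the top-level key, so a guard such as `prompt_data = request.context.get(PLAN_CONTEXT_PROMPT) or {}` before the lookup would be safer. The enclosing `passes` method starts and ends outside the hunk.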
@@ -5,6 +5,7 @@ from guardian.shortcuts import get_anonymous_user
 from authentik.lib.generators import generate_key
 from authentik.policies.hibp.models import HaveIBeenPwendPolicy
 from authentik.policies.types import PolicyRequest, PolicyResult
+from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 class TestHIBPPolicy(TestCase):
@@ -26,7 +27,7 @@ class TestHIBPPolicy(TestCase):
             name="test_false",
         )
         request = PolicyRequest(get_anonymous_user())
-        request.context["password"] = "password"  # nosec
+        request.context[PLAN_CONTEXT_PROMPT] = {"password": "password"}  # nosec
         result: PolicyResult = policy.passes(request)
         self.assertFalse(result.passing)
         self.assertTrue(result.messages[0].startswith("Password exists on "))
@@ -37,7 +38,7 @@ class TestHIBPPolicy(TestCase):
             name="test_true",
         )
         request = PolicyRequest(get_anonymous_user())
-        request.context["password"] = generate_key()
+        request.context[PLAN_CONTEXT_PROMPT] = {"password": generate_key()}
         result: PolicyResult = policy.passes(request)
         self.assertTrue(result.passing)
         self.assertEqual(result.messages, tuple())
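Review bot: Both tests now place the password under `PLAN_CONTEXT_PROMPT`, so the fallback the model keeps for a top-level `request.context[self.password_field]` key is no longer exercised by any test in this file (this hunk and the test_true hunk below it). Keeping one case with the plain key, e.g. `request.context["password"] = generate_key()`, and adding a case where the prompt dict is present but lacks the field would pin both the fallback and the not-set branch. The test methods start outside the hunks.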