This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/internal/outpost/flow/solvers.go
Jens L 01311929d1
providers/ldap: improve password totp detection (#6006)
* providers/ldap: improve password totp detection

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add flag for totp mfa support

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* keep support for static tokens

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix migrations

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-20 12:09:13 +02:00

58 lines
2.6 KiB
Go

package flow
import (
"errors"
"strconv"
"goauthentik.io/api/v3"
)
func (fe *FlowExecutor) solveChallenge_Identification(challenge *api.ChallengeTypes, req api.ApiFlowsExecutorSolveRequest) (api.FlowChallengeResponseRequest, error) {
r := api.NewIdentificationChallengeResponseRequest(fe.getAnswer(StageIdentification))
r.SetPassword(fe.getAnswer(StagePassword))
return api.IdentificationChallengeResponseRequestAsFlowChallengeResponseRequest(r), nil
}
func (fe *FlowExecutor) solveChallenge_Password(challenge *api.ChallengeTypes, req api.ApiFlowsExecutorSolveRequest) (api.FlowChallengeResponseRequest, error) {
r := api.NewPasswordChallengeResponseRequest(fe.getAnswer(StagePassword))
return api.PasswordChallengeResponseRequestAsFlowChallengeResponseRequest(r), nil
}
func (fe *FlowExecutor) solveChallenge_UserLogin(challenge *api.ChallengeTypes, req api.ApiFlowsExecutorSolveRequest) (api.FlowChallengeResponseRequest, error) {
r := api.NewUserLoginChallengeResponseRequest(true)
return api.UserLoginChallengeResponseRequestAsFlowChallengeResponseRequest(r), nil
}
func (fe *FlowExecutor) solveChallenge_AuthenticatorValidate(challenge *api.ChallengeTypes, req api.ApiFlowsExecutorSolveRequest) (api.FlowChallengeResponseRequest, error) {
// We only support duo and code-based authenticators, check if that's allowed
var deviceChallenge *api.DeviceChallenge
inner := api.NewAuthenticatorValidationChallengeResponseRequest()
for _, devCh := range challenge.AuthenticatorValidationChallenge.DeviceChallenges {
if devCh.DeviceClass == string(api.DEVICECLASSESENUM_DUO) {
deviceChallenge = &devCh
devId, err := strconv.ParseInt(deviceChallenge.DeviceUid, 10, 32)
if err != nil {
return api.FlowChallengeResponseRequest{}, errors.New("failed to convert duo device id to int")
}
devId32 := int32(devId)
inner.SelectedChallenge = (*api.DeviceChallengeRequest)(deviceChallenge)
inner.Duo = &devId32
}
if devCh.DeviceClass == string(api.DEVICECLASSESENUM_STATIC) ||
devCh.DeviceClass == string(api.DEVICECLASSESENUM_TOTP) {
// Only use code-based devices if we have a code in the entered password,
// and we haven't selected a push device yet
if deviceChallenge == nil && fe.getAnswer(StageAuthenticatorValidate) != "" {
deviceChallenge = &devCh
inner.SelectedChallenge = (*api.DeviceChallengeRequest)(deviceChallenge)
code := fe.getAnswer(StageAuthenticatorValidate)
inner.Code = &code
}
}
}
if deviceChallenge == nil {
return api.FlowChallengeResponseRequest{}, errors.New("no compatible authenticator class found")
}
return api.AuthenticatorValidationChallengeResponseRequestAsFlowChallengeResponseRequest(inner), nil
}