From 3f43ff22a8fd2069e69ddc0392ed13e3dda972c3 Mon Sep 17 00:00:00 2001
From: Matthias G <76126743+sirux88@users.noreply.github.com>
Date: Fri, 15 Mar 2024 18:05:44 +0100
Subject: [PATCH] outpost: improved set secret answers for flow execution (#8013)
* outpost/radius: set mfa answer for noncode-based mfa
* refactor CheckPasswordInlineMFA to SetSecrets
* small style changes
Signed-off-by: Jens Langhammer
---------
Signed-off-by: Jens Langhammer
Co-authored-by: Jens Langhammer
---
 internal/outpost/flow/solvers_mfa.go | 17 +++++++++++------
 internal/outpost/ldap/bind/direct/bind.go | 5 +----
 .../outpost/radius/handle_access_request.go | 5 +----
 3 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/internal/outpost/flow/solvers_mfa.go b/internal/outpost/flow/solvers_mfa.go
index f2952eb3df..30de3e3718 100644
--- a/internal/outpost/flow/solvers_mfa.go
+++ b/internal/outpost/flow/solvers_mfa.go
@@ -10,12 +10,17 @@ const CodePasswordSeparator = ";"
 var alphaNum = regexp.MustCompile(`^[a-zA-Z0-9]*$`)
-// CheckPasswordInlineMFA For protocols that only support username/password, check if the password
-// contains the TOTP code
-func (fe *FlowExecutor) CheckPasswordInlineMFA() {
- password := fe.Answers[StagePassword]
- // We already have an authenticator answer
- if fe.Answers[StageAuthenticatorValidate] != "" {
+// Sets the secret answers for the flow executor for protocols that only support username/password
+// according to used options
+func (fe *FlowExecutor) SetSecrets(password string, mfaCodeBased bool) {
+ if fe.Answers[StageAuthenticatorValidate] != "" || fe.Answers[StagePassword] != "" {
+ return
+ }
+ fe.Answers[StagePassword] = password
+ if !mfaCodeBased {
+ // If code-based MFA is disabled StageAuthenticatorValidate answer is set to password.
+ // This allows flows with a mfa stage only.
+ fe.Answers[StageAuthenticatorValidate] = password
 return
 }
 // password doesn't contain the separator
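Review bot: The `!mfaCodeBased` branch of SetSecrets copies the whole password into `fe.Answers[StageAuthenticatorValidate]`, and both call sites in this patch (bind.go and handle_access_request.go) pass their generic MFA-support flag as `mfaCodeBased`, so in the visible lines an outpost with MFA support disabled now submits the bind password as the authenticator answer where the removed code left that answer untouched. If that is intended for MFA-only flows, the comment should state it and the parameter name should reflect what the callers actually pass; if not, the branch needs its own condition separate from "MFA supported". The doc comment also does not start with the function name as Go convention requires; suggest `// SetSecrets sets the password answer and, when MFA is not code-based, the authenticator-validation answer, for protocols that only carry a username and password.` SetSecrets continues past the end of the hunk, so the code-based path is not visible here.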
diff --git a/internal/outpost/ldap/bind/direct/bind.go b/internal/outpost/ldap/bind/direct/bind.go
index cffa0cf366..b7850e853d 100644
--- a/internal/outpost/ldap/bind/direct/bind.go
+++ b/internal/outpost/ldap/bind/direct/bind.go
@@ -23,10 +23,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 fe.Params.Add("goauthentik.io/outpost/ldap", "true")
 fe.Answers[flow.StageIdentification] = username
- fe.Answers[flow.StagePassword] = req.BindPW
- if db.si.GetMFASupport() {
- fe.CheckPasswordInlineMFA()
- }
+ fe.SetSecrets(req.BindPW, db.si.GetMFASupport())
 passed, err := fe.Execute()
 flags := flags.UserFlags{
diff --git a/internal/outpost/radius/handle_access_request.go b/internal/outpost/radius/handle_access_request.go
index ea2b5c860b..49f1775965 100644
--- a/internal/outpost/radius/handle_access_request.go
+++ b/internal/outpost/radius/handle_access_request.go
@@ -21,10 +21,7 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
 fe.Params.Add("goauthentik.io/outpost/radius", "true")
 fe.Answers[flow.StageIdentification] = username
- fe.Answers[flow.StagePassword] = rfc2865.UserPassword_GetString(r.Packet)
- if r.pi.MFASupport {
- fe.CheckPasswordInlineMFA()
- }
+ fe.SetSecrets(rfc2865.UserPassword_GetString(r.Packet), r.pi.MFASupport)
 passed, err := fe.Execute()
 if err != nil {