outpost: improved set secret answers for flow execution (#8013)

* outpost/radius: set mfa answer for noncode-based mfa * refactor CheckPasswordInlineMFA to SetSecrets * small style changes Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2024-03-15 18:05:44 +01:00
parent cf6bbbae70
commit 3f43ff22a8
3 changed files with 13 additions and 14 deletions
--- a/internal/outpost/flow/solvers_mfa.go
+++ b/internal/outpost/flow/solvers_mfa.go
@ -10,12 +10,17 @@ const CodePasswordSeparator = ";"

 var alphaNum = regexp.MustCompile(`^[a-zA-Z0-9]*$`)

-// CheckPasswordInlineMFA For protocols that only support username/password, check if the password
-// contains the TOTP code
-func (fe *FlowExecutor) CheckPasswordInlineMFA() {
-	password := fe.Answers[StagePassword]
-	// We already have an authenticator answer
-	if fe.Answers[StageAuthenticatorValidate] != "" {
+// Sets the secret answers for the flow executor for protocols that only support username/password
+// according to used options
+func (fe *FlowExecutor) SetSecrets(password string, mfaCodeBased bool) {
+	if fe.Answers[StageAuthenticatorValidate] != "" || fe.Answers[StagePassword] != "" {
+		return
+	}
+	fe.Answers[StagePassword] = password
+	if !mfaCodeBased {
+		// If code-based MFA is disabled StageAuthenticatorValidate answer is set to password.
+		// This allows flows with a mfa stage only.
+		fe.Answers[StageAuthenticatorValidate] = password
 		return
 	}
 	// password doesn't contain the separator
--- a/internal/outpost/ldap/bind/direct/bind.go
+++ b/internal/outpost/ldap/bind/direct/bind.go
@ -23,10 +23,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 	fe.Params.Add("goauthentik.io/outpost/ldap", "true")

 	fe.Answers[flow.StageIdentification] = username
-	fe.Answers[flow.StagePassword] = req.BindPW
-	if db.si.GetMFASupport() {
-		fe.CheckPasswordInlineMFA()
-	}
+	fe.SetSecrets(req.BindPW, db.si.GetMFASupport())

 	passed, err := fe.Execute()
 	flags := flags.UserFlags{
--- a/internal/outpost/radius/handle_access_request.go
+++ b/internal/outpost/radius/handle_access_request.go
@ -21,10 +21,7 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
 	fe.Params.Add("goauthentik.io/outpost/radius", "true")

 	fe.Answers[flow.StageIdentification] = username
-	fe.Answers[flow.StagePassword] = rfc2865.UserPassword_GetString(r.Packet)
-	if r.pi.MFASupport {
-		fe.CheckPasswordInlineMFA()
-	}
+	fe.SetSecrets(rfc2865.UserPassword_GetString(r.Packet), r.pi.MFASupport)

 	passed, err := fe.Execute()
 	if err != nil {