Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make LDAP be able to skip local 2FA #16954

Merged
merged 7 commits into from
Sep 17, 2021
Merged
Show file tree
Hide file tree
Changes from 6 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions cmd/admin_auth_ldap.go
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,10 @@ var (
Name: "public-ssh-key-attribute",
Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",
},
cli.BoolFlag{
Name: "skip-local-2fa",
Usage: "Set to true to skip local 2fa for users authenticated by this source",
},
}

ldapBindDnCLIFlags = append(commonLdapCLIFlags,
Expand Down Expand Up @@ -245,6 +249,10 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
if c.IsSet("allow-deactivate-all") {
config.AllowDeactivateAll = c.Bool("allow-deactivate-all")
}
if c.IsSet("skip-local-2fa") {
config.SkipLocalTwoFA = c.Bool("skip-local-2fa")
}

return nil
}

Expand Down
4 changes: 4 additions & 0 deletions modules/context/api.go
Original file line number Diff line number Diff line change
Expand Up @@ -214,6 +214,10 @@ func (ctx *APIContext) RequireCSRF() {

// CheckForOTP validates OTP
func (ctx *APIContext) CheckForOTP() {
if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
6543 marked this conversation as resolved.
Show resolved Hide resolved
return // Skip 2FA
}

otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
twofa, err := models.GetTwoFactorByUID(ctx.Context.User.ID)
if err != nil {
Expand Down
3 changes: 3 additions & 0 deletions modules/context/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,9 @@ func ToggleAPI(options *ToggleOptions) func(ctx *APIContext) {
return
}
if ctx.IsSigned && ctx.IsBasicAuth {
if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
return // Skip 2FA
}
twofa, err := models.GetTwoFactorByUID(ctx.User.ID)
if err != nil {
if models.IsErrTwoFactorNotEnrolled(err) {
Expand Down
1 change: 1 addition & 0 deletions routers/web/admin/auths.go
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,7 @@ func parseLDAPConfig(form forms.AuthenticationForm) *ldap.Source {
RestrictedFilter: form.RestrictedFilter,
AllowDeactivateAll: form.AllowDeactivateAll,
Enabled: true,
SkipLocalTwoFA: form.SkipLocalTwoFA,
}
}

Expand Down
14 changes: 12 additions & 2 deletions routers/web/user/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -175,7 +175,7 @@ func SignInPost(ctx *context.Context) {
}

form := web.GetForm(ctx).(*forms.SignInForm)
u, err := auth.UserSignIn(form.UserName, form.Password)
u, source, err := auth.UserSignIn(form.UserName, form.Password)
if err != nil {
if models.IsErrUserNotExist(err) {
ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplSignIn, &form)
Expand All @@ -201,6 +201,15 @@ func SignInPost(ctx *context.Context) {
}
return
}

// Now handle 2FA:

// First of all if the source can skip local two fa we're done
if skipper, ok := source.Cfg.(auth.LocalTwoFASkipper); ok && skipper.IsSkipLocalTwoFA() {
handleSignIn(ctx, u, form.Remember)
return
}

// If this user is enrolled in 2FA, we can't sign the user in just yet.
// Instead, redirect them to the 2FA authentication page.
_, err = models.GetTwoFactorByUID(u.ID)
Expand Down Expand Up @@ -905,7 +914,7 @@ func LinkAccountPostSignIn(ctx *context.Context) {
return
}

u, err := auth.UserSignIn(signInForm.UserName, signInForm.Password)
u, _, err := auth.UserSignIn(signInForm.UserName, signInForm.Password)
if err != nil {
if models.IsErrUserNotExist(err) {
ctx.Data["user_exists"] = true
Expand All @@ -924,6 +933,7 @@ func linkAccount(ctx *context.Context, u *models.User, gothUser goth.User, remem

// If this user is enrolled in 2FA, we can't sign the user in just yet.
// Instead, redirect them to the 2FA authentication page.
// We deliberately ignore the skip local 2fa setting here because we are linking to a previous user here
_, err := models.GetTwoFactorByUID(u.ID)
if err != nil {
if !models.IsErrTwoFactorNotEnrolled(err) {
Expand Down
2 changes: 1 addition & 1 deletion routers/web/user/auth_openid.go
Original file line number Diff line number Diff line change
Expand Up @@ -291,7 +291,7 @@ func ConnectOpenIDPost(ctx *context.Context) {
ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
ctx.Data["OpenID"] = oid

u, err := auth.UserSignIn(form.UserName, form.Password)
u, _, err := auth.UserSignIn(form.UserName, form.Password)
if err != nil {
if models.IsErrUserNotExist(err) {
ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplConnectOID, &form)
Expand Down
2 changes: 1 addition & 1 deletion routers/web/user/setting/account.go
Original file line number Diff line number Diff line change
Expand Up @@ -229,7 +229,7 @@ func DeleteAccount(ctx *context.Context) {
ctx.Data["Title"] = ctx.Tr("settings")
ctx.Data["PageIsSettingsAccount"] = true

if _, err := auth.UserSignIn(ctx.User.Name, ctx.FormString("password")); err != nil {
if _, _, err := auth.UserSignIn(ctx.User.Name, ctx.FormString("password")); err != nil {
if models.IsErrUserNotExist(err) {
loadAccountData(ctx)

Expand Down
6 changes: 5 additions & 1 deletion services/auth/basic.go
Original file line number Diff line number Diff line change
Expand Up @@ -107,14 +107,18 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
}

log.Trace("Basic Authorization: Attempting SignIn for %s", uname)
u, err := UserSignIn(uname, passwd)
u, source, err := UserSignIn(uname, passwd)
if err != nil {
if !models.IsErrUserNotExist(err) {
log.Error("UserSignIn: %v", err)
}
return nil
}

if skipper, ok := source.Cfg.(LocalTwoFASkipper); ok && skipper.IsSkipLocalTwoFA() {
store.GetData()["SkipLocalTwoFA"] = true
}

log.Trace("Basic Authorization: Logged in user %-v", u)

return u
Expand Down
5 changes: 5 additions & 0 deletions services/auth/interface.go
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,11 @@ type PasswordAuthenticator interface {
Authenticate(user *models.User, login, password string) (*models.User, error)
}

// LocalTwoFASkipper represents a source of authentication that can skip local 2fa
type LocalTwoFASkipper interface {
IsSkipLocalTwoFA() bool
}

// SynchronizableSource represents a source that can synchronize users
type SynchronizableSource interface {
Sync(ctx context.Context, updateExisting bool) error
Expand Down
28 changes: 14 additions & 14 deletions services/auth/signin.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,66 +20,66 @@ import (
)

// UserSignIn validates user name and password.
func UserSignIn(username, password string) (*models.User, error) {
func UserSignIn(username, password string) (*models.User, *models.LoginSource, error) {
var user *models.User
if strings.Contains(username, "@") {
user = &models.User{Email: strings.ToLower(strings.TrimSpace(username))}
// check same email
cnt, err := models.Count(user)
if err != nil {
return nil, err
return nil, nil, err
}
if cnt > 1 {
return nil, models.ErrEmailAlreadyUsed{
return nil, nil, models.ErrEmailAlreadyUsed{
Email: user.Email,
}
}
} else {
trimmedUsername := strings.TrimSpace(username)
if len(trimmedUsername) == 0 {
return nil, models.ErrUserNotExist{Name: username}
return nil, nil, models.ErrUserNotExist{Name: username}
}

user = &models.User{LowerName: strings.ToLower(trimmedUsername)}
}

hasUser, err := models.GetUser(user)
if err != nil {
return nil, err
return nil, nil, err
}

if hasUser {
source, err := models.GetLoginSourceByID(user.LoginSource)
if err != nil {
return nil, err
return nil, nil, err
}

if !source.IsActive {
return nil, models.ErrLoginSourceNotActived
return nil, nil, models.ErrLoginSourceNotActived
}

authenticator, ok := source.Cfg.(PasswordAuthenticator)
if !ok {
return nil, models.ErrUnsupportedLoginType
return nil, nil, models.ErrUnsupportedLoginType
}

user, err := authenticator.Authenticate(user, username, password)
if err != nil {
return nil, err
return nil, nil, err
}

// WARN: DON'T check user.IsActive, that will be checked on reqSign so that
// user could be hint to resend confirm email.
if user.ProhibitLogin {
return nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name}
return nil, nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name}
}

return user, nil
return user, source, nil
}

sources, err := models.AllActiveLoginSources()
if err != nil {
return nil, err
return nil, nil, err
}

for _, source := range sources {
Expand All @@ -97,7 +97,7 @@ func UserSignIn(username, password string) (*models.User, error) {

if err == nil {
if !authUser.ProhibitLogin {
return authUser, nil
return authUser, source, nil
}
err = models.ErrUserProhibitLogin{UID: authUser.ID, Name: authUser.Name}
}
Expand All @@ -109,5 +109,5 @@ func UserSignIn(username, password string) (*models.User, error) {
}
}

return nil, models.ErrUserNotExist{Name: username}
return nil, nil, models.ErrUserNotExist{Name: username}
}
1 change: 1 addition & 0 deletions services/auth/source/ldap/assert_interface_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ import (
type sourceInterface interface {
auth.PasswordAuthenticator
auth.SynchronizableSource
auth.LocalTwoFASkipper
models.SSHKeyProvider
models.LoginConfig
models.SkipVerifiable
Expand Down
1 change: 1 addition & 0 deletions services/auth/source/ldap/source.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ type Source struct {
GroupFilter string // Group Name Filter
GroupMemberUID string // Group Attribute containing array of UserUID
UserUID string // User Attribute listed in Group
SkipLocalTwoFA bool // Skip Local 2fa for users authenticated with this source

// reference to the loginSource
loginSource *models.LoginSource
Expand Down
5 changes: 5 additions & 0 deletions services/auth/source/ldap/source_authenticate.go
Original file line number Diff line number Diff line change
Expand Up @@ -97,3 +97,8 @@ func (source *Source) Authenticate(user *models.User, login, password string) (*

return user, err
}

// IsSkipLocalTwoFA returns if this source should skip local 2fa for password authentication
func (source *Source) IsSkipLocalTwoFA() bool {
return source.SkipLocalTwoFA
}
3 changes: 3 additions & 0 deletions services/auth/source/oauth2/source_authenticate.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,6 @@ import (
func (source *Source) Authenticate(user *models.User, login, password string) (*models.User, error) {
return db.Authenticate(user, login, password)
}

// NB: Oauth2 does not implement LocalTwoFASkipper for password authentication
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this a nit that didn't make it into #16594 ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No.

Oauth2 Password authentication is simply a fall back to local DB source and so its skip local 2fa does not apply on that source.

This is a weirdness because of the broken way in which we have specialised the local db instead of just making it a source of authentication just like all of the others.

I have ideas for how to fix this but it's quite fiddly.

// as its password authentication drops to db authentication
7 changes: 7 additions & 0 deletions templates/admin/auth/edit.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -147,6 +147,13 @@
</div>
</div>
{{end}}
<div class="optional field">
<div class="ui checkbox">
<label for="skip_local_two_fa"><strong>{{.i18n.Tr "admin.auths.skip_local_two_fa"}}</strong></label>
<input id="skip_local_two_fa" name="skip_local_two_fa" type="checkbox" {{if $cfg.SkipLocalTwoFA}}checked{{end}}>
<p class="help">{{.i18n.Tr "admin.auths.skip_local_two_fa_helper"}}</p>
</div>
</div>
<div class="inline field">
<div class="ui checkbox">
<label for="allow_deactivate_all"><strong>{{.i18n.Tr "admin.auths.allow_deactivate_all"}}</strong></label>
Expand Down
13 changes: 13 additions & 0 deletions templates/admin/auth/source/ldap.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -111,4 +111,17 @@
<label for="search_page_size">{{.i18n.Tr "admin.auths.search_page_size"}}</label>
<input id="search_page_size" name="search_page_size" value="{{.search_page_size}}">
</div>
<div class="optional field">
<div class="ui checkbox">
<label for="skip_local_two_fa"><strong>{{.i18n.Tr "admin.auths.skip_local_two_fa"}}</strong></label>
<input id="skip_local_two_fa" name="skip_local_two_fa" type="checkbox" {{if .skip_local_two_fa}}checked{{end}}>
<p class="help">{{.i18n.Tr "admin.auths.skip_local_two_fa_helper"}}</p>
</div>
</div>
<div class="inline field">
<div class="ui checkbox">
<label for="allow_deactivate_all"><strong>{{.i18n.Tr "admin.auths.allow_deactivate_all"}}</strong></label>
<input id="allow_deactivate_all" name="allow_deactivate_all" type="checkbox" {{if .allow_deactivate_all}}checked{{end}}>
</div>
</div>
</div>