From 4be7dcbe0b8b728581e7419032fc77fb05ed1c1a Mon Sep 17 00:00:00 2001
From: Andrew Thornton
Date: Fri, 17 Sep 2021 17:48:32 +0100
Subject: [PATCH 1/2] Add SkipLocal2FA option to other pam and smtp sources

Extend #16954 to allow setting skip local 2fa on pam and SMTP authentication sources

Signed-off-by: Andrew Thornton
---
 routers/web/admin/auths.go | 6 ++++--
 services/auth/source/pam/source.go | 5 +++--
 services/auth/source/pam/source_authenticate.go | 5 +++++
 services/auth/source/smtp/source.go | 1 +
 services/auth/source/smtp/source_authenticate.go | 5 +++++
 templates/admin/auth/edit.tmpl | 14 ++++++++++++++
 templates/admin/auth/new.tmpl | 7 +++++++
 templates/admin/auth/source/smtp.tmpl | 7 +++++++
 8 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
index 2937190a1f50..4326d4f5d8af 100644
--- a/routers/web/admin/auths.go
+++ b/routers/web/admin/auths.go
@@ -159,6 +159,7 @@ func parseSMTPConfig(form forms.AuthenticationForm) *smtp.Source {
 SkipVerify: form.SkipVerify,
 HeloHostname: form.HeloHostname,
 DisableHelo: form.DisableHelo,
+ SkipLocalTwoFA: form.SkipLocalTwoFA,
 }
 }
@@ -242,8 +243,9 @@ func NewAuthSourcePost(ctx *context.Context) {
 hasTLS = true
 case models.LoginPAM:
 config = &pamService.Source{
- ServiceName: form.PAMServiceName,
- EmailDomain: form.PAMEmailDomain,
+ ServiceName: form.PAMServiceName,
+ EmailDomain: form.PAMEmailDomain,
+ SkipLocalTwoFA: form.SkipLocalTwoFA,
 }
 case models.LoginOAuth2:
 config = parseOAuth2Config(form)
diff --git a/services/auth/source/pam/source.go b/services/auth/source/pam/source.go
index 75aa99e45fd4..b6d7a4e30a55 100644
--- a/services/auth/source/pam/source.go
+++ b/services/auth/source/pam/source.go
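Review bot: In parseSMTPConfig the new `SkipLocalTwoFA: form.SkipLocalTwoFA,` is copied from the form right next to `SkipVerify: form.SkipVerify,` with no check on the combination, so a source can be saved that skips both TLS certificate verification and local 2FA. In that configuration a password check against a mail server whose identity is not verified becomes the only factor for the account. Consider rejecting the pair when the form is parsed, or at least recording the dependency beside the new line, e.g. `// NOTE: with SkipVerify set, skipping local 2FA trusts an unverified SMTP server`. The function's opening lines are outside the hunk, so any validation done before this literal is not visible here.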
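Review bot: Only the PAM literal in NewAuthSourcePost gains `SkipLocalTwoFA: form.SkipLocalTwoFA,`. No hunk in this patch touches the handler that saves an edited source, although templates/admin/auth/edit.tmpl receives two additions that reference the skip-2FA helper text. If that edit handler builds `pamService.Source` with its own literal (not visible here), saving an edited PAM source would silently reset the flag to false; that fails towards enforcing 2FA, but the checkbox would have no effect. A small `parsePAMConfig(form)` helper next to parseSMTPConfig, called from both handlers, would keep them in step. NewAuthSourcePost's body starts and ends outside the hunk.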
@@ -18,8 +18,9 @@ import (
 // Source holds configuration for the PAM login source.
 type Source struct {
- ServiceName string // pam service (e.g. system-auth)
- EmailDomain string
+ ServiceName string // pam service (e.g. system-auth)
+ EmailDomain string
+ SkipLocalTwoFA bool // Skip Local 2fa for users authenticated with this source
 // reference to the loginSource
 loginSource *models.LoginSource
diff --git a/services/auth/source/pam/source_authenticate.go b/services/auth/source/pam/source_authenticate.go
index 8241aed7256f..0292acf53cb7 100644
--- a/services/auth/source/pam/source_authenticate.go
+++ b/services/auth/source/pam/source_authenticate.go
@@ -68,3 +68,8 @@ func (source *Source) Authenticate(user *models.User, login, password string) (*
 return user, nil
 }
+
+// IsSkipLocalTwoFA returns if this source should skip local 2fa for password authentication
+func (source *Source) IsSkipLocalTwoFA() bool {
+ return source.SkipLocalTwoFA
+}
diff --git a/services/auth/source/smtp/source.go b/services/auth/source/smtp/source.go
index 39c9851ede23..15a21dcda659 100644
--- a/services/auth/source/smtp/source.go
+++ b/services/auth/source/smtp/source.go
@@ -26,6 +26,7 @@ type Source struct {
 SkipVerify bool
 HeloHostname string
 DisableHelo bool
+ SkipLocalTwoFA bool
 // reference to the loginSource
 loginSource *models.LoginSource
diff --git a/services/auth/source/smtp/source_authenticate.go b/services/auth/source/smtp/source_authenticate.go
index cff64c69d2f9..efb34d1ec982 100644
--- a/services/auth/source/smtp/source_authenticate.go
+++ b/services/auth/source/smtp/source_authenticate.go
@@ -84,3 +84,8 @@ func (source *Source) Authenticate(user *models.User, login, password string) (*
 return user, nil
 }
+
+// IsSkipLocalTwoFA returns if this source should skip local 2fa for password authentication
+func (source *Source) IsSkipLocalTwoFA() bool {
+ return source.SkipLocalTwoFA
+}
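Review bot: The doc comment on the PAM `IsSkipLocalTwoFA` says "returns if", where Go convention for a bool accessor is "reports whether". Suggested wording: `// IsSkipLocalTwoFA reports whether local 2FA should be skipped for users authenticated by this source.` The identical method and comment added in services/auth/source/smtp/source_authenticate.go would take the same change. Nothing in this patch shows how the sign-in path discovers the method (presumably an interface assertion), and no test covers the flag set and unset for either source, which is worth adding for a second-factor bypass.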
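Review bot: The new `SkipLocalTwoFA bool` field in the SMTP Source struct has no comment, while the same field added to the PAM struct in this patch has one. Because the field turns off a second factor, it deserves the same trailing comment: `SkipLocalTwoFA bool // Skip Local 2fa for users authenticated with this source`. The oauth2 struct touched in patch 2/2 also carries the field uncommented, and the SMTP field stays uncommented there too.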
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index 9ff80663846b..142c537b1510 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -215,6 +215,13 @@

{{.i18n.Tr "admin.auths.allowed_domains_helper"}}

+
+
+ + +

{{.i18n.Tr "admin.auths.skip_local_two_fa_helper"}}

+
+
{{end}} @@ -228,6 +235,13 @@ +
+
+ + +

{{.i18n.Tr "admin.auths.skip_local_two_fa_helper"}}

+
+
{{end}}
diff --git a/templates/admin/auth/new.tmpl b/templates/admin/auth/new.tmpl
index ba1f145a4a3b..13e1366c874e 100644
--- a/templates/admin/auth/new.tmpl
+++ b/templates/admin/auth/new.tmpl
@@ -41,6 +41,13 @@
+
+
+ + +

{{.i18n.Tr "admin.auths.skip_local_two_fa_helper"}}

+
+
{{ template "admin/auth/source/oauth" . }}
diff --git a/templates/admin/auth/source/smtp.tmpl b/templates/admin/auth/source/smtp.tmpl
index b0f643b8ca68..8572d6dc56eb 100644
--- a/templates/admin/auth/source/smtp.tmpl
+++ b/templates/admin/auth/source/smtp.tmpl
@@ -49,4 +49,11 @@

{{.i18n.Tr "admin.auths.allowed_domains_helper"}}

+
+
+ + +

{{.i18n.Tr "admin.auths.skip_local_two_fa_helper"}}

+
+
From 2d76a78f444d5a198a4cd4ed65656d6c438162f9 Mon Sep 17 00:00:00 2001
From: Andrew Thornton
Date: Fri, 17 Sep 2021 17:55:57 +0100
Subject: [PATCH 2/2] make SkipLocal2FA omitempty

Signed-off-by: Andrew Thornton
---
 services/auth/source/ldap/source.go | 2 +-
 services/auth/source/oauth2/source.go | 2 +-
 services/auth/source/pam/source.go | 2 +-
 services/auth/source/smtp/source.go | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go
index d1228d41aeb1..6efcd13ee5ea 100644
--- a/services/auth/source/ldap/source.go
+++ b/services/auth/source/ldap/source.go
@@ -52,7 +52,7 @@ type Source struct {
 GroupFilter string // Group Name Filter
 GroupMemberUID string // Group Attribute containing array of UserUID
 UserUID string // User Attribute listed in Group
- SkipLocalTwoFA bool // Skip Local 2fa for users authenticated with this source
+ SkipLocalTwoFA bool `json:",omitempty"` // Skip Local 2fa for users authenticated with this source
 // reference to the loginSource
 loginSource *models.LoginSource
diff --git a/services/auth/source/oauth2/source.go b/services/auth/source/oauth2/source.go
index 7b22383d7ed6..83fa386d2669 100644
--- a/services/auth/source/oauth2/source.go
+++ b/services/auth/source/oauth2/source.go
@@ -24,7 +24,7 @@ type Source struct {
 OpenIDConnectAutoDiscoveryURL string
 CustomURLMapping *CustomURLMapping
 IconURL string
- SkipLocalTwoFA bool
+ SkipLocalTwoFA bool `json:",omitempty"`
 // reference to the loginSource
 loginSource *models.LoginSource
diff --git a/services/auth/source/pam/source.go b/services/auth/source/pam/source.go
index b6d7a4e30a55..24cbf19e9682 100644
--- a/services/auth/source/pam/source.go
+++ b/services/auth/source/pam/source.go
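Review bot: The `json:",omitempty"` tag on `SkipLocalTwoFA` in the LDAP Source struct is added without any statement of what an absent key means when a stored source is loaded, and the commit message gives no reason either. For a field that disables a second factor, the default belongs next to it, e.g. extend the trailing comment to `// Skip Local 2fa for users authenticated with this source; omitted when false`. That assumes the stored config is decoded into a fresh struct so a missing key yields false, which these hunks do not show. The same applies to the oauth2, pam and smtp hunks of this patch.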
@@ -20,7 +20,7 @@ import (
 type Source struct {
 ServiceName string // pam service (e.g. system-auth)
 EmailDomain string
- SkipLocalTwoFA bool // Skip Local 2fa for users authenticated with this source
+ SkipLocalTwoFA bool `json:",omitempty"` // Skip Local 2fa for users authenticated with this source
 // reference to the loginSource
 loginSource *models.LoginSource
diff --git a/services/auth/source/smtp/source.go b/services/auth/source/smtp/source.go
index 15a21dcda659..c09b7b6a150b 100644
--- a/services/auth/source/smtp/source.go
+++ b/services/auth/source/smtp/source.go
@@ -26,7 +26,7 @@ type Source struct {
 SkipVerify bool
 HeloHostname string
 DisableHelo bool
- SkipLocalTwoFA bool
+ SkipLocalTwoFA bool `json:",omitempty"`
 // reference to the loginSource
 loginSource *models.LoginSource