providers/radius: TOTP MFA support (#7217)
* move CheckPasswordMFA to flow executor Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add mfa support field to radius Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Showing
11 changed files
with
145 additions
and
50 deletions.
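--- a/authentik/providers/radius/migrations/0002_radiusprovider_mfa_support.py
+++ b/authentik/providers/radius/migrations/0002_radiusprovider_mfa_support.py
@@ -0,0 +1,21 @@
+# Generated by Django 4.2.6 on 2023-10-18 15:09
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_providers_radius", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="radiusprovider",
+            name="mfa_support",
+            field=models.BooleanField(
+                default=True,
+                help_text="When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.",
+                verbose_name="MFA Support",
+            ),
+        ),
+    ]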
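Review bot: `default=True` on the new `mfa_support` field turns the semicolon-splitting behaviour on for every existing RADIUS provider at upgrade time, and the field's own help text says a password containing a semicolon may then be rejected for users without a TOTP device. If the intent is opt-in for existing providers, the safer shape is `default=False` in this migration (with the model default left as the product wants for newly created providers), or a release note stating that operators of existing providers must review the flag. I cannot see the model definition in this commit, so whether the model and migration defaults agree is something to confirm.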
@@ -0,0 +1,48 @@ | ||
package flow | ||
|
||
import ( | ||
"regexp" | ||
"strconv" | ||
"strings" | ||
) | ||
|
||
const CodePasswordSeparator = ";" | ||
|
||
var alphaNum = regexp.MustCompile(`^[a-zA-Z0-9]*$`) | ||
|
||
// CheckPasswordInlineMFA For protocols that only support username/password, check if the password | ||
// contains the TOTP code | ||
func (fe *FlowExecutor) CheckPasswordInlineMFA() { | ||
password := fe.Answers[StagePassword] | ||
// We already have an authenticator answer | ||
if fe.Answers[StageAuthenticatorValidate] != "" { | ||
return | ||
} | ||
// password doesn't contain the separator | ||
if !strings.Contains(password, CodePasswordSeparator) { | ||
return | ||
} | ||
// password ends with the separator, so it won't contain an answer | ||
if strings.HasSuffix(password, CodePasswordSeparator) { | ||
return | ||
} | ||
idx := strings.LastIndex(password, CodePasswordSeparator) | ||
authenticator := password[idx+1:] | ||
// Authenticator is either 6 chars (totp code) or 8 chars (long totp or static) | ||
if len(authenticator) == 6 { | ||
// authenticator answer isn't purely numerical, so won't be value | ||
if _, err := strconv.Atoi(authenticator); err != nil { | ||
return | ||
} | ||
} else if len(authenticator) == 8 { | ||
// 8 chars can be a long totp or static token, so it needs to be alphanumerical | ||
if !alphaNum.MatchString(authenticator) { | ||
return | ||
} | ||
} else { | ||
// Any other length, doesn't contain an answer | ||
return | ||
} | ||
fe.Answers[StagePassword] = password[:idx] | ||
fe.Answers[StageAuthenticatorValidate] = authenticator | ||
} |
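Review bot: The 6-character branch `if _, err := strconv.Atoi(authenticator); err != nil` is looser than its comment claims, because strconv.Atoi accepts a leading sign, so a suffix such as `;-12345` (constructed example) is accepted as a TOTP code and cut off the password. A digits-only check pins the documented format: `var totpCode = regexp.MustCompile("^[0-9]{6}$")` next to `alphaNum`, and `if !totpCode.MatchString(authenticator) { return }` in place of the Atoi call. The comment on that branch reads "so won't be value", presumably "valid", and the doc comment would follow Go convention as `// CheckPasswordInlineMFA splits a trailing TOTP or static code off the password answer for protocols that only carry username/password.` Whether this split is gated on the provider's `mfa_support` flag is decided by the caller, which is outside this hunk; since the migration's help text already notes that an ungated split mis-handles passwords that legitimately contain a semicolon, the call site should be checked for that guard, and the writes to `fe.Answers` at the end assume the map is non-nil, which I cannot confirm from here.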