WebClient: enforce 2fa and password requirements also with OIDC
Password and 2FA can also be used with other protocols, so their requirements apply to OIDC logins too. Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
parent
7e7005f5b3
commit
8d697bcc94
3 changed files with 31 additions and 17 deletions
|
@ -212,21 +212,24 @@ func newOIDCPendingAuth(audience tokenAudience) oidcPendingAuth {
|
||||||
}
|
}
|
||||||
|
|
||||||
type oidcToken struct {
|
type oidcToken struct {
|
||||||
AccessToken string `json:"access_token"`
|
AccessToken string `json:"access_token"`
|
||||||
TokenType string `json:"token_type,omitempty"`
|
TokenType string `json:"token_type,omitempty"`
|
||||||
RefreshToken string `json:"refresh_token,omitempty"`
|
RefreshToken string `json:"refresh_token,omitempty"`
|
||||||
ExpiresAt int64 `json:"expires_at,omitempty"`
|
ExpiresAt int64 `json:"expires_at,omitempty"`
|
||||||
SessionID string `json:"session_id"`
|
SessionID string `json:"session_id"`
|
||||||
IDToken string `json:"id_token"`
|
IDToken string `json:"id_token"`
|
||||||
Nonce string `json:"nonce"`
|
Nonce string `json:"nonce"`
|
||||||
Username string `json:"username"`
|
Username string `json:"username"`
|
||||||
Permissions []string `json:"permissions"`
|
Permissions []string `json:"permissions"`
|
||||||
HideUserPageSections int `json:"hide_user_page_sections,omitempty"`
|
HideUserPageSections int `json:"hide_user_page_sections,omitempty"`
|
||||||
TokenRole string `json:"token_role,omitempty"` // SFTPGo role name
|
MustSetTwoFactorAuth bool `json:"must_set_2fa,omitempty"`
|
||||||
Role any `json:"role"` // oidc user role: SFTPGo user or admin
|
MustChangePassword bool `json:"must_change_password,omitempty"`
|
||||||
CustomFields *map[string]any `json:"custom_fields,omitempty"`
|
RequiredTwoFactorProtocols []string `json:"required_two_factor_protocols,omitempty"`
|
||||||
Cookie string `json:"cookie"`
|
TokenRole string `json:"token_role,omitempty"` // SFTPGo role name
|
||||||
UsedAt int64 `json:"used_at"`
|
Role any `json:"role"` // oidc user role: SFTPGo user or admin
|
||||||
|
CustomFields *map[string]any `json:"custom_fields,omitempty"`
|
||||||
|
Cookie string `json:"cookie"`
|
||||||
|
UsedAt int64 `json:"used_at"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *oidcToken) parseClaims(claims map[string]any, usernameField, roleField string, customFields []string,
|
func (t *oidcToken) parseClaims(claims map[string]any, usernameField, roleField string, customFields []string,
|
||||||
|
@ -399,6 +402,9 @@ func (t *oidcToken) refreshUser(r *http.Request) error {
|
||||||
}
|
}
|
||||||
t.Permissions = user.Filters.WebClient
|
t.Permissions = user.Filters.WebClient
|
||||||
t.TokenRole = user.Role
|
t.TokenRole = user.Role
|
||||||
|
t.MustSetTwoFactorAuth = user.MustSetSecondFactor()
|
||||||
|
t.MustChangePassword = user.MustChangePassword()
|
||||||
|
t.RequiredTwoFactorProtocols = user.Filters.TwoFactorAuthProtocols
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -470,6 +476,9 @@ func (t *oidcToken) getUser(r *http.Request) error {
|
||||||
dataprovider.UpdateLastLogin(user)
|
dataprovider.UpdateLastLogin(user)
|
||||||
t.Permissions = user.Filters.WebClient
|
t.Permissions = user.Filters.WebClient
|
||||||
t.TokenRole = user.Role
|
t.TokenRole = user.Role
|
||||||
|
t.MustSetTwoFactorAuth = user.MustSetSecondFactor()
|
||||||
|
t.MustChangePassword = user.MustChangePassword()
|
||||||
|
t.RequiredTwoFactorProtocols = user.Filters.TwoFactorAuthProtocols
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -550,6 +559,11 @@ func (s *httpdServer) oidcTokenAuthenticator(audience tokenAudience) func(next h
|
||||||
Role: token.TokenRole,
|
Role: token.TokenRole,
|
||||||
HideUserPageSections: token.HideUserPageSections,
|
HideUserPageSections: token.HideUserPageSections,
|
||||||
}
|
}
|
||||||
|
if audience == tokenAudienceWebClient {
|
||||||
|
jwtTokenClaims.MustSetTwoFactorAuth = token.MustSetTwoFactorAuth
|
||||||
|
jwtTokenClaims.MustChangePassword = token.MustChangePassword
|
||||||
|
jwtTokenClaims.RequiredTwoFactorProtocols = token.RequiredTwoFactorProtocols
|
||||||
|
}
|
||||||
_, tokenString, err := jwtTokenClaims.createToken(s.tokenAuth, audience, util.GetIPFromRemoteAddress(r.RemoteAddr))
|
_, tokenString, err := jwtTokenClaims.createToken(s.tokenAuth, audience, util.GetIPFromRemoteAddress(r.RemoteAddr))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
setFlashMessage(w, r, newFlashMessage("Unable to create cookie", util.I18nError500Message))
|
setFlashMessage(w, r, newFlashMessage("Unable to create cookie", util.I18nError500Message))
|
||||||
|
|
|
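Review bot: The flags copied into the WebClient JWT at `jwtTokenClaims.MustSetTwoFactorAuth = token.MustSetTwoFactorAuth` (and the two lines after it) come from the cached oidcToken, which only recomputes them in getUser and refreshUser, so once the user completes the password change or 2FA setup in the web client the next request can still carry `must_change_password`/`must_set_2fa` as true until the cached token is refreshed, which would keep enforcing the requirement (or loop the redirect) after it has been satisfied, unless those handlers already refresh or invalidate the cached OIDC token, which is not visible here. The safest fix is to call refreshUser on the cached token (or drop it) right after a successful password change / 2FA enrollment, or to recompute the three flags from a fresh user load here instead of copying them from the cache. The new struct fields also deserve a comment, e.g. `// Security-policy state copied into the WebClient JWT claims; set by getUser/refreshUser, so stale until the cached token is refreshed`. Note that oidcTokenAuthenticator begins and ends outside the hunk, so whether the cached token is consulted on every request is inferred from the visible `token.`-prefixed reads rather than confirmed.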
@ -427,7 +427,7 @@
|
||||||
"save_err": "Failed to save two-factor authentication configuration",
|
"save_err": "Failed to save two-factor authentication configuration",
|
||||||
"auth_code_required": "The authentication code is required",
|
"auth_code_required": "The authentication code is required",
|
||||||
"no_protocol": "Please select at least a protocol",
|
"no_protocol": "Please select at least a protocol",
|
||||||
"required_protocols": "Unable to disable two-factor authentication. The security policy configured for your account requires two-factor authentication for the following protocols: {{val}}",
|
"required_protocols": "The security policy configured for your account requires two-factor authentication for the following protocols: {{val}}",
|
||||||
"recovery_codes_generate": "Generate new recovery codes",
|
"recovery_codes_generate": "Generate new recovery codes",
|
||||||
"recovery_codes_view": "View recovery codes"
|
"recovery_codes_view": "View recovery codes"
|
||||||
},
|
},
|
||||||
|
|
|
@ -427,7 +427,7 @@
|
||||||
"save_err": "Impossibile salvare la configurazione dell'autenticazione a due fattori",
|
"save_err": "Impossibile salvare la configurazione dell'autenticazione a due fattori",
|
||||||
"auth_code_required": "Il codice di autenticazione è obbligatorio",
|
"auth_code_required": "Il codice di autenticazione è obbligatorio",
|
||||||
"no_protocol": "Seleziona almeno un protocollo",
|
"no_protocol": "Seleziona almeno un protocollo",
|
||||||
"required_protocols": "Impossibile disabilitare l'autenticazione a due fattori. La politica di sicurezza configurata per il tuo account richiede l'autenticazione a due fattori per i seguenti protocolli: {{val}}",
|
"required_protocols": "La politica di sicurezza configurata per il tuo account richiede l'autenticazione a due fattori per i seguenti protocolli: {{val}}",
|
||||||
"recovery_codes_generate": "Genera nuovi codici di ripristino",
|
"recovery_codes_generate": "Genera nuovi codici di ripristino",
|
||||||
"recovery_codes_view": "Visualizza codici di ripristino"
|
"recovery_codes_view": "Visualizza codici di ripristino"
|
||||||
},
|
},
|
||||||
|
|