2018-12-24 09:07:49 +00:00
|
|
|
package main
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"net/http"
|
|
|
|
|
"sync"
|
|
|
|
|
|
|
|
|
|
log "github.com/sirupsen/logrus"
|
2019-02-21 23:10:43 +00:00
|
|
|
|
|
|
|
|
"github.com/Luzifer/nginx-sso/plugins"
|
2018-12-24 09:07:49 +00:00
|
|
|
)
|
|
|
|
|
|
2019-02-21 23:10:43 +00:00
|
|
|
var mfaLoginField = plugins.LoginField{
|
2018-12-24 09:07:49 +00:00
|
|
|
Label: "MFA Token",
|
2019-04-21 17:36:28 +00:00
|
|
|
Name: plugins.MFALoginFieldName,
|
2018-12-24 09:07:49 +00:00
|
|
|
Placeholder: "(optional)",
|
|
|
|
|
Type: "text",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var (
|
2019-02-21 23:10:43 +00:00
|
|
|
mfaRegistry = []plugins.MFAProvider{}
|
2018-12-24 09:07:49 +00:00
|
|
|
mfaRegistryMutex sync.RWMutex
|
|
|
|
|
|
2019-02-21 23:10:43 +00:00
|
|
|
activeMFAProviders = []plugins.MFAProvider{}
|
2018-12-24 09:07:49 +00:00
|
|
|
)
|
|
|
|
|
|
2019-02-21 23:10:43 +00:00
|
|
|
func registerMFAProvider(m plugins.MFAProvider) {
|
2018-12-24 09:07:49 +00:00
|
|
|
mfaRegistryMutex.Lock()
|
|
|
|
|
defer mfaRegistryMutex.Unlock()
|
|
|
|
|
|
|
|
|
|
mfaRegistry = append(mfaRegistry, m)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func initializeMFAProviders(yamlSource []byte) error {
|
|
|
|
|
mfaRegistryMutex.Lock()
|
|
|
|
|
defer mfaRegistryMutex.Unlock()
|
|
|
|
|
|
|
|
|
|
for _, m := range mfaRegistry {
|
|
|
|
|
err := m.Configure(yamlSource)
|
|
|
|
|
|
|
|
|
|
switch err {
|
|
|
|
|
case nil:
|
|
|
|
|
activeMFAProviders = append(activeMFAProviders, m)
|
|
|
|
|
log.WithFields(log.Fields{"mfa_provider": m.ProviderID()}).Debug("Activated MFA provider")
|
2019-02-21 23:27:02 +00:00
|
|
|
case plugins.ErrProviderUnconfigured:
|
2018-12-24 09:07:49 +00:00
|
|
|
log.WithFields(log.Fields{"mfa_provider": m.ProviderID()}).Debug("MFA provider unconfigured")
|
|
|
|
|
// This is okay.
|
|
|
|
|
default:
|
|
|
|
|
return fmt.Errorf("MFA provider configuration caused an error: %s", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-21 23:10:43 +00:00
|
|
|
func validateMFA(res http.ResponseWriter, r *http.Request, user string, mfaCfgs []plugins.MFAConfig) error {
|
2018-12-29 00:06:12 +00:00
|
|
|
if len(mfaCfgs) == 0 {
|
2018-12-24 09:07:49 +00:00
|
|
|
// User has no configured MFA devices, their MFA is automatically valid
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
mfaRegistryMutex.RLock()
|
|
|
|
|
defer mfaRegistryMutex.RUnlock()
|
|
|
|
|
|
|
|
|
|
for _, m := range activeMFAProviders {
|
|
|
|
|
err := m.ValidateMFA(res, r, user, mfaCfgs)
|
|
|
|
|
switch err {
|
|
|
|
|
case nil:
|
|
|
|
|
// Validated successfully
|
|
|
|
|
return nil
|
2019-02-21 23:27:02 +00:00
|
|
|
case plugins.ErrNoValidUserFound:
|
2018-12-24 09:07:49 +00:00
|
|
|
// This is fine for now
|
|
|
|
|
default:
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// No method could verify the user
|
2019-02-21 23:27:02 +00:00
|
|
|
return plugins.ErrNoValidUserFound
|
2018-12-24 09:07:49 +00:00
|
|
|
}
|
