Make LDAP be able to skip local 2FA (#16954)

zeripath · web-flow · commit 27b351aba564 · 2021-09-17T12:43:47.000+01:00
This PR extends #16594 to allow LDAP to be able to be set to skip local 2FA too. The technique used here would be extensible to PAM and SMTP sources. Signed-off-by: Andrew Thornton <art27@cantab.net>
diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
@@ -89,6 +89,10 @@ var (
 			Name:  "public-ssh-key-attribute",
 			Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",
 		},
+		cli.BoolFlag{
+			Name:  "skip-local-2fa",
+			Usage: "Set to true to skip local 2fa for users authenticated by this source",
+		},
 	}
 
 	ldapBindDnCLIFlags = append(commonLdapCLIFlags,
@@ -245,6 +249,10 @@ func parseLdapConfig(c *cli.Context, config *ldap.Source) error {
 	if c.IsSet("allow-deactivate-all") {
 		config.AllowDeactivateAll = c.Bool("allow-deactivate-all")
 	}
+	if c.IsSet("skip-local-2fa") {
+		config.SkipLocalTwoFA = c.Bool("skip-local-2fa")
+	}
+
 	return nil
 }
 
diff --git a/modules/context/api.go b/modules/context/api.go
@@ -214,6 +214,10 @@ func (ctx *APIContext) RequireCSRF() {
 
 // CheckForOTP validates OTP
 func (ctx *APIContext) CheckForOTP() {
+	if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
+		return // Skip 2FA
+	}
+
 	otpHeader := ctx.Req.Header.Get("X-Gitea-OTP")
 	twofa, err := models.GetTwoFactorByUID(ctx.Context.User.ID)
 	if err != nil {
diff --git a/modules/context/auth.go b/modules/context/auth.go
@@ -151,6 +151,9 @@ func ToggleAPI(options *ToggleOptions) func(ctx *APIContext) {
 				return
 			}
 			if ctx.IsSigned && ctx.IsBasicAuth {
+				if skip, ok := ctx.Data["SkipLocalTwoFA"]; ok && skip.(bool) {
+					return // Skip 2FA
+				}
 				twofa, err := models.GetTwoFactorByUID(ctx.User.ID)
 				if err != nil {
 					if models.IsErrTwoFactorNotEnrolled(err) {
diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
@@ -145,6 +145,7 @@ func parseLDAPConfig(form forms.AuthenticationForm) *ldap.Source {
 		RestrictedFilter:      form.RestrictedFilter,
 		AllowDeactivateAll:    form.AllowDeactivateAll,
 		Enabled:               true,
+		SkipLocalTwoFA:        form.SkipLocalTwoFA,
 	}
 }
 
diff --git a/routers/web/user/auth.go b/routers/web/user/auth.go
@@ -175,7 +175,7 @@ func SignInPost(ctx *context.Context) {
 	}
 
 	form := web.GetForm(ctx).(*forms.SignInForm)
-	u, err := auth.UserSignIn(form.UserName, form.Password)
+	u, source, err := auth.UserSignIn(form.UserName, form.Password)
 	if err != nil {
 		if models.IsErrUserNotExist(err) {
 			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplSignIn, &form)
@@ -201,6 +201,15 @@ func SignInPost(ctx *context.Context) {
 		}
 		return
 	}
+
+	// Now handle 2FA:
+
+	// First of all if the source can skip local two fa we're done
+	if skipper, ok := source.Cfg.(auth.LocalTwoFASkipper); ok && skipper.IsSkipLocalTwoFA() {
+		handleSignIn(ctx, u, form.Remember)
+		return
+	}
+
 	// If this user is enrolled in 2FA, we can't sign the user in just yet.
 	// Instead, redirect them to the 2FA authentication page.
 	_, err = models.GetTwoFactorByUID(u.ID)
@@ -905,7 +914,7 @@ func LinkAccountPostSignIn(ctx *context.Context) {
 		return
 	}
 
-	u, err := auth.UserSignIn(signInForm.UserName, signInForm.Password)
+	u, _, err := auth.UserSignIn(signInForm.UserName, signInForm.Password)
 	if err != nil {
 		if models.IsErrUserNotExist(err) {
 			ctx.Data["user_exists"] = true
@@ -924,6 +933,7 @@ func linkAccount(ctx *context.Context, u *models.User, gothUser goth.User, remem
 
 	// If this user is enrolled in 2FA, we can't sign the user in just yet.
 	// Instead, redirect them to the 2FA authentication page.
+	// We deliberately ignore the skip local 2fa setting here because we are linking to a previous user here
 	_, err := models.GetTwoFactorByUID(u.ID)
 	if err != nil {
 		if !models.IsErrTwoFactorNotEnrolled(err) {
diff --git a/routers/web/user/auth_openid.go b/routers/web/user/auth_openid.go
@@ -291,7 +291,7 @@ func ConnectOpenIDPost(ctx *context.Context) {
 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
 	ctx.Data["OpenID"] = oid
 
-	u, err := auth.UserSignIn(form.UserName, form.Password)
+	u, _, err := auth.UserSignIn(form.UserName, form.Password)
 	if err != nil {
 		if models.IsErrUserNotExist(err) {
 			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplConnectOID, &form)
diff --git a/routers/web/user/setting/account.go b/routers/web/user/setting/account.go
@@ -229,7 +229,7 @@ func DeleteAccount(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("settings")
 	ctx.Data["PageIsSettingsAccount"] = true
 
-	if _, err := auth.UserSignIn(ctx.User.Name, ctx.FormString("password")); err != nil {
+	if _, _, err := auth.UserSignIn(ctx.User.Name, ctx.FormString("password")); err != nil {
 		if models.IsErrUserNotExist(err) {
 			loadAccountData(ctx)
 
diff --git a/services/auth/basic.go b/services/auth/basic.go
@@ -107,14 +107,18 @@ func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore
 	}
 
 	log.Trace("Basic Authorization: Attempting SignIn for %s", uname)
-	u, err := UserSignIn(uname, passwd)
+	u, source, err := UserSignIn(uname, passwd)
 	if err != nil {
 		if !models.IsErrUserNotExist(err) {
 			log.Error("UserSignIn: %v", err)
 		}
 		return nil
 	}
 
+	if skipper, ok := source.Cfg.(LocalTwoFASkipper); ok && skipper.IsSkipLocalTwoFA() {
+		store.GetData()["SkipLocalTwoFA"] = true
+	}
+
 	log.Trace("Basic Authorization: Logged in user %-v", u)
 
 	return u
diff --git a/services/auth/interface.go b/services/auth/interface.go
@@ -54,6 +54,11 @@ type PasswordAuthenticator interface {
 	Authenticate(user *models.User, login, password string) (*models.User, error)
 }
 
+// LocalTwoFASkipper represents a source of authentication that can skip local 2fa
+type LocalTwoFASkipper interface {
+	IsSkipLocalTwoFA() bool
+}
+
 // SynchronizableSource represents a source that can synchronize users
 type SynchronizableSource interface {
 	Sync(ctx context.Context, updateExisting bool) error
diff --git a/services/auth/signin.go b/services/auth/signin.go
@@ -20,66 +20,66 @@ import (
 )
 
 // UserSignIn validates user name and password.
-func UserSignIn(username, password string) (*models.User, error) {
+func UserSignIn(username, password string) (*models.User, *models.LoginSource, error) {
 	var user *models.User
 	if strings.Contains(username, "@") {
 		user = &models.User{Email: strings.ToLower(strings.TrimSpace(username))}
 		// check same email
 		cnt, err := models.Count(user)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 		if cnt > 1 {
-			return nil, models.ErrEmailAlreadyUsed{
+			return nil, nil, models.ErrEmailAlreadyUsed{
 				Email: user.Email,
 			}
 		}
 	} else {
 		trimmedUsername := strings.TrimSpace(username)
 		if len(trimmedUsername) == 0 {
-			return nil, models.ErrUserNotExist{Name: username}
+			return nil, nil, models.ErrUserNotExist{Name: username}
 		}
 
 		user = &models.User{LowerName: strings.ToLower(trimmedUsername)}
 	}
 
 	hasUser, err := models.GetUser(user)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	if hasUser {
 		source, err := models.GetLoginSourceByID(user.LoginSource)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 
 		if !source.IsActive {
-			return nil, models.ErrLoginSourceNotActived
+			return nil, nil, models.ErrLoginSourceNotActived
 		}
 
 		authenticator, ok := source.Cfg.(PasswordAuthenticator)
 		if !ok {
-			return nil, models.ErrUnsupportedLoginType
+			return nil, nil, models.ErrUnsupportedLoginType
 		}
 
 		user, err := authenticator.Authenticate(user, username, password)
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
 
 		// WARN: DON'T check user.IsActive, that will be checked on reqSign so that
 		// user could be hint to resend confirm email.
 		if user.ProhibitLogin {
-			return nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name}
+			return nil, nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name}
 		}
 
-		return user, nil
+		return user, source, nil
 	}
 
 	sources, err := models.AllActiveLoginSources()
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	for _, source := range sources {
@@ -97,7 +97,7 @@ func UserSignIn(username, password string) (*models.User, error) {
 
 		if err == nil {
 			if !authUser.ProhibitLogin {
-				return authUser, nil
+				return authUser, source, nil
 			}
 			err = models.ErrUserProhibitLogin{UID: authUser.ID, Name: authUser.Name}
 		}
@@ -109,5 +109,5 @@ func UserSignIn(username, password string) (*models.User, error) {
 		}
 	}
 
-	return nil, models.ErrUserNotExist{Name: username}
+	return nil, nil, models.ErrUserNotExist{Name: username}
 }
diff --git a/services/auth/source/ldap/assert_interface_test.go b/services/auth/source/ldap/assert_interface_test.go
@@ -16,6 +16,7 @@ import (
 type sourceInterface interface {
 	auth.PasswordAuthenticator
 	auth.SynchronizableSource
+	auth.LocalTwoFASkipper
 	models.SSHKeyProvider
 	models.LoginConfig
 	models.SkipVerifiable
diff --git a/services/auth/source/ldap/source.go b/services/auth/source/ldap/source.go
@@ -52,6 +52,7 @@ type Source struct {
 	GroupFilter           string // Group Name Filter
 	GroupMemberUID        string // Group Attribute containing array of UserUID
 	UserUID               string // User Attribute listed in Group
+	SkipLocalTwoFA        bool   // Skip Local 2fa for users authenticated with this source
 
 	// reference to the loginSource
 	loginSource *models.LoginSource
diff --git a/services/auth/source/ldap/source_authenticate.go b/services/auth/source/ldap/source_authenticate.go
@@ -97,3 +97,8 @@ func (source *Source) Authenticate(user *models.User, login, password string) (*
 
 	return user, err
 }
+
+// IsSkipLocalTwoFA returns if this source should skip local 2fa for password authentication
+func (source *Source) IsSkipLocalTwoFA() bool {
+	return source.SkipLocalTwoFA
+}
diff --git a/services/auth/source/oauth2/source_authenticate.go b/services/auth/source/oauth2/source_authenticate.go
@@ -13,3 +13,6 @@ import (
 func (source *Source) Authenticate(user *models.User, login, password string) (*models.User, error) {
 	return db.Authenticate(user, login, password)
 }
+
+// NB: Oauth2 does not implement LocalTwoFASkipper for password authentication
+// as its password authentication drops to db authentication
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
@@ -147,6 +147,13 @@
 							</div>
 						</div>
 					{{end}}
+					<div class="optional field">
+						<div class="ui checkbox">
+							<label for="skip_local_two_fa"><strong>{{.i18n.Tr "admin.auths.skip_local_two_fa"}}</strong></label>
+							<input id="skip_local_two_fa" name="skip_local_two_fa" type="checkbox" {{if $cfg.SkipLocalTwoFA}}checked{{end}}>
+							<p class="help">{{.i18n.Tr "admin.auths.skip_local_two_fa_helper"}}</p>
+						</div>
+					</div>
 					<div class="inline field">
 						<div class="ui checkbox">
 							<label for="allow_deactivate_all"><strong>{{.i18n.Tr "admin.auths.allow_deactivate_all"}}</strong></label>
diff --git a/templates/admin/auth/source/ldap.tmpl b/templates/admin/auth/source/ldap.tmpl
@@ -111,4 +111,17 @@
 		<label for="search_page_size">{{.i18n.Tr "admin.auths.search_page_size"}}</label>
 		<input id="search_page_size" name="search_page_size" value="{{.search_page_size}}">
 	</div>
+	<div class="optional field">
+		<div class="ui checkbox">
+			<label for="skip_local_two_fa"><strong>{{.i18n.Tr "admin.auths.skip_local_two_fa"}}</strong></label>
+			<input id="skip_local_two_fa" name="skip_local_two_fa" type="checkbox" {{if .skip_local_two_fa}}checked{{end}}>
+			<p class="help">{{.i18n.Tr "admin.auths.skip_local_two_fa_helper"}}</p>
+		</div>
+	</div>
+	<div class="inline field">
+		<div class="ui checkbox">
+			<label for="allow_deactivate_all"><strong>{{.i18n.Tr "admin.auths.allow_deactivate_all"}}</strong></label>
+			<input id="allow_deactivate_all" name="allow_deactivate_all" type="checkbox" {{if .allow_deactivate_all}}checked{{end}}>
+		</div>
+	</div>
 </div>

Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,10 @@ var (`
`89`	`89`	`Name: "public-ssh-key-attribute",`
`90`	`90`	`Usage: "The attribute of the user’s LDAP record containing the user’s public ssh key.",`
`91`	`91`	`},`
	`92`	`+ cli.BoolFlag{`
	`93`	`+ Name: "skip-local-2fa",`
	`94`	`+ Usage: "Set to true to skip local 2fa for users authenticated by this source",`
	`95`	`+ },`
`92`	`96`	`}`
`93`	`97`
`94`	`98`	`ldapBindDnCLIFlags = append(commonLdapCLIFlags,`
`@@ -245,6 +249,10 @@ func parseLdapConfig(c cli.Context, config ldap.Source) error {`
`245`	`249`	`if c.IsSet("allow-deactivate-all") {`
`246`	`250`	`config.AllowDeactivateAll = c.Bool("allow-deactivate-all")`
`247`	`251`	`}`
	`252`	`+ if c.IsSet("skip-local-2fa") {`
	`253`	`+ config.SkipLocalTwoFA = c.Bool("skip-local-2fa")`
	`254`	`+ }`
	`255`	`+`
`248`	`256`	`return nil`
`249`	`257`	`}`
`250`	`258`
Original file line number	Diff line number	Diff line change
`@@ -145,6 +145,7 @@ func parseLDAPConfig(form forms.AuthenticationForm) *ldap.Source {`
`145`	`145`	`RestrictedFilter: form.RestrictedFilter,`
`146`	`146`	`AllowDeactivateAll: form.AllowDeactivateAll,`
`147`	`147`	`Enabled: true,`
	`148`	`+ SkipLocalTwoFA: form.SkipLocalTwoFA,`
`148`	`149`	`}`
`149`	`150`	`}`
`150`	`151`
Original file line number	Diff line number	Diff line change
`@@ -107,14 +107,18 @@ func (b Basic) Verify(req http.Request, w http.ResponseWriter, store DataStore`
`107`	`107`	`}`
`108`	`108`
`109`	`109`	`log.Trace("Basic Authorization: Attempting SignIn for %s", uname)`
`110`		`- u, err := UserSignIn(uname, passwd)`
	`110`	`+ u, source, err := UserSignIn(uname, passwd)`
`111`	`111`	`if err != nil {`
`112`	`112`	`if !models.IsErrUserNotExist(err) {`
`113`	`113`	`log.Error("UserSignIn: %v", err)`
`114`	`114`	`}`
`115`	`115`	`return nil`
`116`	`116`	`}`
`117`	`117`
	`118`	`+ if skipper, ok := source.Cfg.(LocalTwoFASkipper); ok && skipper.IsSkipLocalTwoFA() {`
	`119`	`+ store.GetData()["SkipLocalTwoFA"] = true`
	`120`	`+ }`
	`121`	`+`
`118`	`122`	`log.Trace("Basic Authorization: Logged in user %-v", u)`
`119`	`123`
`120`	`124`	`return u`
Original file line number	Diff line number	Diff line change
`@@ -20,66 +20,66 @@ import (`
`20`	`20`	`)`
`21`	`21`
`22`	`22`	`// UserSignIn validates user name and password.`
`23`		`-func UserSignIn(username, password string) (*models.User, error) {`
	`23`	`+func UserSignIn(username, password string) (models.User, models.LoginSource, error) {`
`24`	`24`	`var user *models.User`
`25`	`25`	`if strings.Contains(username, "@") {`
`26`	`26`	`user = &models.User{Email: strings.ToLower(strings.TrimSpace(username))}`
`27`	`27`	`// check same email`
`28`	`28`	`cnt, err := models.Count(user)`
`29`	`29`	`if err != nil {`
`30`		`- return nil, err`
	`30`	`+ return nil, nil, err`
`31`	`31`	`}`
`32`	`32`	`if cnt > 1 {`
`33`		`- return nil, models.ErrEmailAlreadyUsed{`
	`33`	`+ return nil, nil, models.ErrEmailAlreadyUsed{`
`34`	`34`	`Email: user.Email,`
`35`	`35`	`}`
`36`	`36`	`}`
`37`	`37`	`} else {`
`38`	`38`	`trimmedUsername := strings.TrimSpace(username)`
`39`	`39`	`if len(trimmedUsername) == 0 {`
`40`		`- return nil, models.ErrUserNotExist{Name: username}`
	`40`	`+ return nil, nil, models.ErrUserNotExist{Name: username}`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`user = &models.User{LowerName: strings.ToLower(trimmedUsername)}`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`hasUser, err := models.GetUser(user)`
`47`	`47`	`if err != nil {`
`48`		`- return nil, err`
	`48`	`+ return nil, nil, err`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`if hasUser {`
`52`	`52`	`source, err := models.GetLoginSourceByID(user.LoginSource)`
`53`	`53`	`if err != nil {`
`54`		`- return nil, err`
	`54`	`+ return nil, nil, err`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`if !source.IsActive {`
`58`		`- return nil, models.ErrLoginSourceNotActived`
	`58`	`+ return nil, nil, models.ErrLoginSourceNotActived`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`authenticator, ok := source.Cfg.(PasswordAuthenticator)`
`62`	`62`	`if !ok {`
`63`		`- return nil, models.ErrUnsupportedLoginType`
	`63`	`+ return nil, nil, models.ErrUnsupportedLoginType`
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`user, err := authenticator.Authenticate(user, username, password)`
`67`	`67`	`if err != nil {`
`68`		`- return nil, err`
	`68`	`+ return nil, nil, err`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`// WARN: DON'T check user.IsActive, that will be checked on reqSign so that`
`72`	`72`	`// user could be hint to resend confirm email.`
`73`	`73`	`if user.ProhibitLogin {`
`74`		`- return nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name}`
	`74`	`+ return nil, nil, models.ErrUserProhibitLogin{UID: user.ID, Name: user.Name}`
`75`	`75`	`}`
`76`	`76`
`77`		`- return user, nil`
	`77`	`+ return user, source, nil`
`78`	`78`	`}`
`79`	`79`
`80`	`80`	`sources, err := models.AllActiveLoginSources()`
`81`	`81`	`if err != nil {`
`82`		`- return nil, err`
	`82`	`+ return nil, nil, err`
`83`	`83`	`}`
`84`	`84`
`85`	`85`	`for _, source := range sources {`
`@@ -97,7 +97,7 @@ func UserSignIn(username, password string) (*models.User, error) {`
`97`	`97`
`98`	`98`	`if err == nil {`
`99`	`99`	`if !authUser.ProhibitLogin {`
`100`		`- return authUser, nil`
	`100`	`+ return authUser, source, nil`
`101`	`101`	`}`
`102`	`102`	`err = models.ErrUserProhibitLogin{UID: authUser.ID, Name: authUser.Name}`
`103`	`103`	`}`
`@@ -109,5 +109,5 @@ func UserSignIn(username, password string) (*models.User, error) {`
`109`	`109`	`}`
`110`	`110`	`}`
`111`	`111`
`112`		`- return nil, models.ErrUserNotExist{Name: username}`
	`112`	`+ return nil, nil, models.ErrUserNotExist{Name: username}`
`113`	`113`	`}`