Commit 050a535b authored by ale's avatar ale

Properly set the Has2FA bit when U2F is enabled

parent 4770ce8c
...@@ -99,14 +99,26 @@ func newLDAPBackendWithConn(conn ldapConn, base string) (*backend, error) { ...@@ -99,14 +99,26 @@ func newLDAPBackendWithConn(conn ldapConn, base string) (*backend, error) {
} }
func newUser(entry *ldap.Entry) (*accountserver.User, error) { func newUser(entry *ldap.Entry) (*accountserver.User, error) {
// Note that some user-level attributes related to
// authentication are stored on the uid= object, while others
// are on the email= object. We set the latter in the GetUser
// function later.
//
// The case of password recovery attributes is more complex:
// the current schema has those on email=, but we'd like to
// move them to uid=, so we currently have to support both.
user := &accountserver.User{ user := &accountserver.User{
Name: entry.GetAttributeValue("uid"), Name: entry.GetAttributeValue("uid"),
Lang: entry.GetAttributeValue(preferredLanguageLDAPAttr), Lang: entry.GetAttributeValue(preferredLanguageLDAPAttr),
Has2FA: (entry.GetAttributeValue(totpSecretLDAPAttr) != ""), PasswordRecoveryHint: entry.GetAttributeValue(recoveryHintLDAPAttr),
//HasEncryptionKeys: (len(entry.GetAttributeValues("storageEncryptionKey")) > 0),
//PasswordRecoveryHint: entry.GetAttributeValue("recoverQuestion"),
U2FRegistrations: decodeU2FRegistrations(entry.GetAttributeValues(u2fRegistrationsLDAPAttr)), U2FRegistrations: decodeU2FRegistrations(entry.GetAttributeValues(u2fRegistrationsLDAPAttr)),
} }
// The user has 2FA enabled if it has a TOTP secret or U2F keys.
if (entry.GetAttributeValue(totpSecretLDAPAttr) != "") || (len(user.U2FRegistrations) > 0) {
user.Has2FA = true
}
if user.Lang == "" { if user.Lang == "" {
user.Lang = "en" user.Lang = "en"
} }
...@@ -231,7 +243,9 @@ func (tx *backendTX) GetUser(ctx context.Context, username string) (*accountserv ...@@ -231,7 +243,9 @@ func (tx *backendTX) GetUser(ctx context.Context, username string) (*accountserv
// object, a shortcoming of the legacy A/I database model. Set // object, a shortcoming of the legacy A/I database model. Set
// them on the main User object. // them on the main User object.
if isObjectClass(entry, "virtualMailUser") { if isObjectClass(entry, "virtualMailUser") {
user.PasswordRecoveryHint = entry.GetAttributeValue(recoveryHintLDAPAttr) if s := entry.GetAttributeValue(recoveryHintLDAPAttr); s != "" {
user.PasswordRecoveryHint = s
}
user.AppSpecificPasswords = getASPInfo(decodeAppSpecificPasswords(entry.GetAttributeValues(aspLDAPAttr))) user.AppSpecificPasswords = getASPInfo(decodeAppSpecificPasswords(entry.GetAttributeValues(aspLDAPAttr)))
user.HasEncryptionKeys = (entry.GetAttributeValue(storagePublicKeyLDAPAttr) != "") user.HasEncryptionKeys = (entry.GetAttributeValue(storagePublicKeyLDAPAttr) != "")
} }
...@@ -277,6 +291,8 @@ func (tx *backendTX) GetUserRecoveryEncryptedPassword(ctx context.Context, user ...@@ -277,6 +291,8 @@ func (tx *backendTX) GetUserRecoveryEncryptedPassword(ctx context.Context, user
} }
func (tx *backendTX) SetPasswordRecoveryHint(ctx context.Context, user *accountserver.User, hint, response string) error { func (tx *backendTX) SetPasswordRecoveryHint(ctx context.Context, user *accountserver.User, hint, response string) error {
// Write the password recovery attributes on the uid= object,
// as per the new schema.
dn := tx.getUserDN(user) dn := tx.getUserDN(user)
tx.setAttr(dn, recoveryHintLDAPAttr, hint) tx.setAttr(dn, recoveryHintLDAPAttr, hint)
tx.setAttr(dn, recoveryResponseLDAPAttr, response) tx.setAttr(dn, recoveryResponseLDAPAttr, response)
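Review bot: The precedence chosen in the GetUser hunk lets a legacy value on the email= object mask the one written by the third hunk. newUser now reads recoveryHintLDAPAttr from the uid= entry, and SetPasswordRecoveryHint writes the new hint only to `tx.getUserDN(user)`, yet GetUser still overwrites `user.PasswordRecoveryHint` whenever the virtualMailUser entry carries a non-empty hint, so a user who updates their hint will keep seeing the stale legacy one until that attribute is cleared. Treating the email= attribute as a fallback instead of an override matches the stated migration direction: `if user.PasswordRecoveryHint == "" {` / `user.PasswordRecoveryHint = entry.GetAttributeValue(recoveryHintLDAPAttr)` / `}`. If recoveryResponseLDAPAttr is read with the same two-location logic elsewhere, it presumably needs the same ordering so hint and response always come from the same object; that code is not in this commit, so I can only flag it. The bodies of newUser and GetUser continue outside their hunks.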