fix(handler): oidc two factor handling (#3512)

This commit is contained in:
James Elliott 2022-06-14 15:17:11 +10:00 committed by GitHub
parent e786eec8b0
commit 607bbcc324
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 3 deletions

View File

@ -0,0 +1,15 @@
package authentication
// LevelToString returns a string representation of an authentication.Level.
func LevelToString(level Level) string {
switch level {
case NotAuthenticated:
return "not_authenticated"
case OneFactor:
return "one_factor"
case TwoFactor:
return "two_factor"
}
return "invalid"
}

View File

@ -8,6 +8,8 @@ import (
"github.com/google/uuid"
"github.com/ory/fosite"
"github.com/authelia/authelia/v4/internal/authentication"
"github.com/authelia/authelia/v4/internal/authorization"
"github.com/authelia/authelia/v4/internal/middlewares"
"github.com/authelia/authelia/v4/internal/model"
"github.com/authelia/authelia/v4/internal/oidc"
@ -105,7 +107,7 @@ func handleOIDCAuthorizationConsentWithChallengeID(ctx *middlewares.AutheliaCtx,
return consent, false
}
handleOIDCAuthorizationConsentRedirect(rootURI, client, userSession, rw, r)
handleOIDCAuthorizationConsentRedirect(ctx, rootURI, client, userSession, rw, r, requester)
return consent, true
}
@ -169,16 +171,23 @@ func handleOIDCAuthorizationConsentGenerate(ctx *middlewares.AutheliaCtx, rootUR
return nil, true
}
handleOIDCAuthorizationConsentRedirect(rootURI, client, userSession, rw, r)
handleOIDCAuthorizationConsentRedirect(ctx, rootURI, client, userSession, rw, r, requester)
return consent, true
}
func handleOIDCAuthorizationConsentRedirect(destination string, client *oidc.Client, userSession session.UserSession, rw http.ResponseWriter, r *http.Request) {
func handleOIDCAuthorizationConsentRedirect(ctx *middlewares.AutheliaCtx, destination string, client *oidc.Client,
userSession session.UserSession, rw http.ResponseWriter, r *http.Request, requester fosite.AuthorizeRequester) {
if client.IsAuthenticationLevelSufficient(userSession.AuthenticationLevel) {
ctx.Logger.Debugf("Authorization Request with id '%s' on client with id '%s' authentication level '%s' is sufficient for client level '%s'", requester.GetID(), client.GetID(), authentication.LevelToString(userSession.AuthenticationLevel), authorization.LevelToPolicy(client.Policy))
destination = fmt.Sprintf("%s/consent", destination)
} else {
ctx.Logger.Debugf("Authorization Request with id '%s' on client with id '%s' authentication level '%s' is insufficient for client level '%s'", requester.GetID(), client.GetID(), authentication.LevelToString(userSession.AuthenticationLevel), authorization.LevelToPolicy(client.Policy))
}
ctx.Logger.Debugf("Authorization Request with id '%s' on client with id '%s' is being redirected to '%s'", requester.GetID(), client.GetID(), destination)
http.Redirect(rw, r, destination, http.StatusFound)
}

View File

@ -41,6 +41,7 @@ func TestNewClient(t *testing.T) {
assert.Equal(t, fosite.ResponseModeFormPost, exampleClient.ResponseModes[1])
assert.Equal(t, fosite.ResponseModeQuery, exampleClient.ResponseModes[2])
assert.Equal(t, fosite.ResponseModeFragment, exampleClient.ResponseModes[3])
assert.Equal(t, authorization.TwoFactor, exampleClient.Policy)
}
func TestIsAuthenticationLevelSufficient(t *testing.T) {