Add mfa_data_enabled attribute to authenticator classes and update related methods

2025-03-20 06:50:23 +03:00 · 2025-02-12 17:43:09 +01:00 · 2025-02-12 17:43:09 +01:00 · 1c81c4e76c
commit 1c81c4e76c
parent 67b58f62ee
7 changed files with 35 additions and 12 deletions
--- a/server/src/uds/REST/methods/authenticators.py
+++ b/server/src/uds/REST/methods/authenticators.py
@ -97,6 +97,7 @@ class Authenticators(ModelHandler):
                label_password=_(type_.label_password),
                create_users_supported=type_.create_user != auths.Authenticator.create_user,
                is_external=type_.external_source,
+                mfa_data_enabled=type_.mfa_data_enabled,
                mfa_supported=type_.provides_mfa(),
            )
        # Not of my type
--- a/server/src/uds/auths/IP/authenticator.py
+++ b/server/src/uds/auths/IP/authenticator.py
@ -37,6 +37,7 @@ import typing
 from django.utils.translation import gettext_noop as _

 from uds.core import auths, types
+from uds.core.types.states import State
 from uds.core.ui import gui
 from uds.core.util import net

@ -52,13 +53,15 @@ class IPAuth(auths.Authenticator):
    type_description = _('IP Authenticator')
    icon_file = 'auth.png'

+    # Allow mfa data on user form
+    mfa_data_enabled = True
+
    needs_password = False
    label_username = _('IP')
    label_groupname = _('IP Range')

    block_user_on_failures = False

-    
    accepts_proxy = gui.CheckBoxField(
        label=_('Accept proxy'),
        default=False,
@ -90,6 +93,13 @@ class IPAuth(auths.Authenticator):
            ip = ip.split(':')[-1]
        return ip

+    def mfa_identifier(self, username: str) -> str:
+        try:
+            return self.db_obj().users.get(name=username.lower(), state=State.ACTIVE).mfa_data
+        except Exception:  # nosec: This is a "not found" exception or any other db exception
+            pass
+        return ''
+
    def get_groups(self, username: str, groups_manager: 'auths.GroupsManager') -> None:
        # these groups are a bit special. They are in fact ip-ranges, and we must check that the ip is in betwen
        # The ranges are stored in group names
@ -138,12 +148,14 @@ class IPAuth(auths.Authenticator):
        self.get_groups(ip, gm)

        if gm.has_valid_groups() and self.db_obj().is_user_allowed(ip, True):
-            return ('function setVal(element, value) {{\n'  # nosec: no user input, password is always EMPTY
-                    '    document.getElementById(element).value = value;\n'
-                    '}}\n'
-                    f'setVal("id_user", "{ip}");\n'
-                    'setVal("id_password", "");\n'
-                    'document.getElementById("loginform").submit();\n')
+            return (
+                'function setVal(element, value) {{\n'  # nosec: no user input, password is always EMPTY
+                '    document.getElementById(element).value = value;\n'
+                '}}\n'
+                f'setVal("id_user", "{ip}");\n'
+                'setVal("id_password", "");\n'
+                'document.getElementById("loginform").submit();\n'
+            )

        return 'alert("invalid authhenticator"); window.location.reload();'

--- a/server/src/uds/auths/InternalDB/authenticator.py
+++ b/server/src/uds/auths/InternalDB/authenticator.py
@ -66,6 +66,9 @@ class InternalDBAuth(auths.Authenticator):
    # This is the only internal source
    external_source = False

+    # Allow mfa data on user form
+    mfa_data_enabled = True
+
    unique_by_host = gui.CheckBoxField(
        label=_('Different user for each host'),
        order=1,
@ -99,7 +102,8 @@ class InternalDBAuth(auths.Authenticator):
        ip = request.ip_proxy if self.accepts_proxy.as_bool() else request.ip  # pylint: disable=maybe-no-member
        if self.reverse_dns.as_bool():
            try:
-                return str(dns.resolver.query(dns.reversename.from_address(ip).to_text(), 'PTR')[0])  # pyright: ignore[reportUnknownArgumentType]
+                ptr_resolv = dns.resolver.query(dns.reversename.from_address(ip).to_text(), 'PTR')
+                return str(ptr_resolv[0])  # pyright: ignore[reportUnknownArgumentType]
            except Exception:
                # if we can't get the reverse, we will use the ip
                pass
@ -108,7 +112,7 @@ class InternalDBAuth(auths.Authenticator):
    def mfa_identifier(self, username: str) -> str:
        try:
            return self.db_obj().users.get(name=username.lower(), state=State.ACTIVE).mfa_data
-        except Exception:  # nosec: This is e controled pickle loading
+        except Exception:  # nosec: This is a "not found" exception or any other db exception
            pass
        return ''

@ -127,7 +131,9 @@ class InternalDBAuth(auths.Authenticator):
                usr = auth.users.get(name=username, state=State.ACTIVE)
                parent = usr.uuid
                grps = [g for g in usr.groups.all()]
-                typing.cast(typing.Any, usr).id = typing.cast(typing.Any, usr).uuid = None  # cast to avoid pylance error
+                typing.cast(typing.Any, usr).id = typing.cast(typing.Any, usr).uuid = (
+                    None  # cast to avoid pylance error
+                )
                if usr.real_name.strip() == '':
                    usr.real_name = usr.name
                usr.name = ip_username
--- a/server/src/uds/core/auths/authenticator.py
+++ b/server/src/uds/core/auths/authenticator.py
@ -136,6 +136,9 @@ class Authenticator(Module):
    # : database, that are most authenticator (except Internal DB)
    # : So, external_source means that "user is kept at database only"
    external_source: typing.ClassVar[bool] = True
+    
+    # : Mark this authenticator as mfa data enabled (so mfa field appears on the user)
+    mfa_data_enabled: typing.ClassVar[bool] = False

    # : If we need to enter the password for this user when creating a new
    # : user at administration interface. Used basically by internal authenticator.
--- a/server/src/uds/core/types/rest.py
+++ b/server/src/uds/core/types/rest.py
@ -52,6 +52,7 @@ class AuthenticatorTypeInfo(ExtraTypeInfo):
    label_password: str
    create_users_supported: bool
    is_external: bool
+    mfa_data_enabled: bool
    mfa_supported: bool

    def as_dict(self) -> TypeInfoDict:
--- a/server/src/uds/static/admin/main.js
+++ b/server/src/uds/static/admin/main.js
--- a/server/src/uds/templates/uds/admin/index.html
+++ b/server/src/uds/templates/uds/admin/index.html
@ -102,6 +102,6 @@
      </svg>
    </div>
  </uds-root>
-<link rel="modulepreload" href="/uds/res/admin/chunk-2F3F2YC2.js?stamp=1737566375" integrity="sha384-VVOra5xy5Xg9fYkBmK9MLhX7vif/MexRAaLIDBsQ4ZlkF31s/U6uWWrj+LAnvX/q"><script src="/uds/res/admin/polyfills.js?stamp=1737566375" type="module" crossorigin="anonymous" integrity="sha384-TVRkn44wOGJBeCKWJBHWLvXubZ+Julj/yA0OoEFa3LgJHVHaPeeATX6NcjuNgsIA"></script><script src="/uds/res/admin/main.js?stamp=1737566375" type="module" crossorigin="anonymous" integrity="sha384-X1/ISiXOGMpaqthPYQSfK0iCO/Ha6rJ6kVSmMD9dI/vP31We3YdD70NxbOX5A63w"></script></body>
+<link rel="modulepreload" href="/uds/res/admin/chunk-2F3F2YC2.js?stamp=1739377732" integrity="sha384-VVOra5xy5Xg9fYkBmK9MLhX7vif/MexRAaLIDBsQ4ZlkF31s/U6uWWrj+LAnvX/q"><script src="/uds/res/admin/polyfills.js?stamp=1739377732" type="module" crossorigin="anonymous" integrity="sha384-TVRkn44wOGJBeCKWJBHWLvXubZ+Julj/yA0OoEFa3LgJHVHaPeeATX6NcjuNgsIA"></script><script src="/uds/res/admin/main.js?stamp=1739377732" type="module" crossorigin="anonymous" integrity="sha384-Y8PxQV+VhSrcFgU/tucEgBnrcSO1nS7X3B8tJ8VH/vka5Xf0d0CE98YyBIZxG07E"></script></body>

 </html>