
Fixed MFA cache time.

This commit is contained in:
Adolfo Gómez García 2023-02-28 13:27:56 +01:00
parent 002321c339
commit f4d15e0fca
No known key found for this signature in database
GPG Key ID: DD1ABF20724CDA23
4 changed files with 8 additions and 6 deletions
server/src/uds
core/mfas
mfas
Radius
TOTP
web/views


@ -88,7 +88,7 @@ class MFA(Module):
# : override it in your own implementation.
# : Note: This value is only used in "validity" method, that is also overridable
# : by your own implementation, so its up to you to use it or not.
cacheTime: typing.ClassVar[int] = 5*60
cacheTime: typing.ClassVar[int] = 0
class RESULT(enum.IntEnum):
"""


@ -60,7 +60,6 @@ class RadiusOTP(mfas.MFA):
typeType = 'RadiusOTP'
typeDescription = _('Radius OTP Challenge')
iconFile = 'radius.png'
cacheTime = 1*60 # In this MFA type there are not code generation nor sending... so ? 1 minute or too short ?
server = gui.TextField(
length=64,


@ -26,7 +26,7 @@
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
"""
@author: Daniel Torregrosa
@author: Adolfo Gómez, dkmaster at dkmon dot com
"""
import typing
import logging
@ -63,7 +63,6 @@ class TOTP_MFA(mfas.MFA):
typeType = 'TOTP_MFA'
typeDescription = _('TOTP Based MFA (Google Authenticator, etc)')
iconFile = 'totp.png'
cacheTime = 1 # In this MFA type there are not code generation nor sending... so ? 1 minute or too short ?
issuer = gui.TextField(
length=64,


@ -176,10 +176,12 @@ def mfa(request: ExtendedHttpRequest) -> HttpResponse:
if (
not request.user or request.authorized
): # If no user, or user is already authorized, redirect to index
logger.warning('MFA: No user or user is already authorized')
return HttpResponseRedirect(reverse('page.index')) # No user, no MFA
mfaProvider: typing.Optional['models.MFA'] = request.user.manager.mfa
if not mfaProvider:
logger.warning('MFA: No MFA provider for user')
return HttpResponseRedirect(reverse('page.index'))
mfaUserId = mfas.MFA.getUserId(request.user)
@ -187,6 +189,7 @@ def mfa(request: ExtendedHttpRequest) -> HttpResponse:
# Try to get cookie anc check it
mfaCookie = request.COOKIES.get(MFA_COOKIE_NAME, None)
if mfaCookie == mfaUserId: # Cookie is valid, skip MFA setting authorization
logger.debug('MFA: Cookie is valid, skipping MFA')
request.authorized = True
return HttpResponseRedirect(reverse('page.index'))
@ -195,11 +198,12 @@ def mfa(request: ExtendedHttpRequest) -> HttpResponse:
mfaInstance: 'mfas.MFA' = mfaProvider.getInstance()
# Get validity duration
validity = min(mfaInstance.validity(), mfaProvider.validity*60)
validity = max(mfaInstance.validity(), mfaProvider.validity*60)
start_time = request.session.get('mfa_start_time', time.time())
# If mfa process timed out, we need to start login again
if validity > 0 and time.time() - start_time > validity:
logger.debug('MFA: MFA process timed out')
request.session.flush() # Clear session, and redirect to login
return HttpResponseRedirect(reverse('page.login'))
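Review bot: The switch to `max` on the `validity` line means the longer of the two windows always wins, so an administrator-configured `mfaProvider.validity` can widen the MFA timeout but can never tighten it below what `mfaInstance.validity()` returns; if that is the intent it deserves a comment, e.g. `# Longest window wins: the provider setting can only extend the instance's own validity`. The two operands also appear to be in different units (`validity*60` suggests minutes being converted, while `validity()` presumably returns seconds), so the comment should confirm both are seconds after conversion. `start_time` falls back to `time.time()` when the session has no `mfa_start_time`, so the timeout check two lines below cannot fire on a request that lacks the key; whether the key is stored elsewhere is outside this hunk. The `mfa` view starts before and continues after the hunk.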
@ -255,6 +259,7 @@ def mfa(request: ExtendedHttpRequest) -> HttpResponse:
return response
except exceptions.MFAError as e:
logger.error('MFA error: %s', e)
tries += 1
request.session['mfa_tries'] = tries
if tries >= GlobalConfig.MAX_LOGIN_TRIES.getInt():
@ -262,7 +267,6 @@ def mfa(request: ExtendedHttpRequest) -> HttpResponse:
request.session.flush()
# Too many tries, redirect to login error page
return errors.errorView(request, errors.ACCESS_DENIED)
logger.error('MFA error: %s', e)
return errors.errorView(request, errors.INVALID_MFA_CODE)
else:
pass # Will render again the page