2020-02-01 12:54:50 +00:00
|
|
|
package handlers
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"net/url"
|
|
|
|
|
2020-02-04 21:18:02 +00:00
|
|
|
"github.com/authelia/authelia/internal/authorization"
|
2020-02-01 12:54:50 +00:00
|
|
|
"github.com/authelia/authelia/internal/middlewares"
|
|
|
|
"github.com/authelia/authelia/internal/utils"
|
|
|
|
)
|
|
|
|
|
2020-02-04 21:18:02 +00:00
|
|
|
func Handle1FAResponse(ctx *middlewares.AutheliaCtx, targetURI string, username string, groups []string) {
|
|
|
|
if targetURI == "" {
|
|
|
|
if authorization.PolicyToLevel(ctx.Configuration.AccessControl.DefaultPolicy) == authorization.OneFactor &&
|
|
|
|
ctx.Configuration.DefaultRedirectionURL != "" {
|
|
|
|
ctx.SetJSONBody(redirectResponse{Redirect: ctx.Configuration.DefaultRedirectionURL})
|
|
|
|
} else {
|
|
|
|
ctx.ReplyOK()
|
2020-02-01 12:54:50 +00:00
|
|
|
}
|
2020-02-04 21:18:02 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
targetURL, err := url.ParseRequestURI(targetURI)
|
|
|
|
if err != nil {
|
|
|
|
ctx.Error(fmt.Errorf("Unable to parse target URL %s: %s", targetURI, err), authenticationFailedMessage)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
requiredLevel := ctx.Providers.Authorizer.GetRequiredLevel(authorization.Subject{
|
|
|
|
Username: username,
|
|
|
|
Groups: groups,
|
|
|
|
IP: ctx.RemoteIP(),
|
|
|
|
}, *targetURL)
|
|
|
|
|
|
|
|
ctx.Logger.Debugf("Required level for the URL %s is %d", targetURI, requiredLevel)
|
|
|
|
|
|
|
|
if requiredLevel > authorization.OneFactor {
|
|
|
|
ctx.Logger.Warnf("%s requires more than 1FA, cannot be redirected to", targetURI)
|
|
|
|
ctx.ReplyOK()
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
safeRedirection := utils.IsRedirectionSafe(*targetURL, ctx.Configuration.Session.Domain)
|
2020-02-01 12:54:50 +00:00
|
|
|
|
2020-02-04 21:18:02 +00:00
|
|
|
if !safeRedirection {
|
|
|
|
if authorization.PolicyToLevel(ctx.Configuration.AccessControl.DefaultPolicy) == authorization.OneFactor &&
|
|
|
|
ctx.Configuration.DefaultRedirectionURL != "" {
|
|
|
|
ctx.SetJSONBody(redirectResponse{Redirect: ctx.Configuration.DefaultRedirectionURL})
|
2020-02-01 12:54:50 +00:00
|
|
|
} else {
|
|
|
|
ctx.ReplyOK()
|
|
|
|
}
|
2020-02-04 21:18:02 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
ctx.Logger.Debugf("Redirection URL %s is safe", targetURI)
|
|
|
|
response := redirectResponse{Redirect: targetURI}
|
|
|
|
ctx.SetJSONBody(response)
|
|
|
|
}
|
|
|
|
|
|
|
|
func Handle2FAResponse(ctx *middlewares.AutheliaCtx, targetURI string) {
|
|
|
|
if targetURI == "" {
|
2020-02-01 12:54:50 +00:00
|
|
|
if ctx.Configuration.DefaultRedirectionURL != "" {
|
|
|
|
ctx.SetJSONBody(redirectResponse{Redirect: ctx.Configuration.DefaultRedirectionURL})
|
|
|
|
} else {
|
|
|
|
ctx.ReplyOK()
|
|
|
|
}
|
2020-02-04 21:18:02 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
targetURL, err := url.ParseRequestURI(targetURI)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
ctx.Error(fmt.Errorf("Unable to parse target URL: %s", err), mfaValidationFailedMessage)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if targetURL != nil && utils.IsRedirectionSafe(*targetURL, ctx.Configuration.Session.Domain) {
|
|
|
|
ctx.SetJSONBody(redirectResponse{Redirect: targetURI})
|
|
|
|
} else {
|
|
|
|
ctx.ReplyOK()
|
2020-02-01 12:54:50 +00:00
|
|
|
}
|
|
|
|
}
|