From 9a0aa4c79b62bb3b07836b535731e664b7b2fc0f Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 12 May 2021 18:31:44 +0200
Subject: [PATCH] outposts/ldap: add infinite loop prevention
Signed-off-by: Jens Langhammer
---
 authentik/root/settings.py | 2 +-
 outpost/pkg/ldap/instance_bind.go | 13 ++++++++++---
 web/src/pages/outposts/OutpostHealth.ts | 5 ++---
 3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index 064516571..5060215fe 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -320,7 +320,7 @@ CELERY_RESULT_BACKEND = (
 # Database backup
 DBBACKUP_STORAGE = "django.core.files.storage.FileSystemStorage"
 DBBACKUP_STORAGE_OPTIONS = {"location": "./backups" if DEBUG else "/backups"}
-DBBACKUP_FILENAME_TEMPLATE = 'authentik-backup-{datetime}.sql'
+DBBACKUP_FILENAME_TEMPLATE = "authentik-backup-{datetime}.sql"
 if CONFIG.y("postgresql.s3_backup"):
 DBBACKUP_STORAGE = "storages.backends.s3boto3.S3Boto3Storage"
 DBBACKUP_STORAGE_OPTIONS = {
diff --git a/outpost/pkg/ldap/instance_bind.go b/outpost/pkg/ldap/instance_bind.go
index e9cb527f0..6ba7d1d4b 100644
--- a/outpost/pkg/ldap/instance_bind.go
+++ b/outpost/pkg/ldap/instance_bind.go
@@ -67,7 +67,7 @@ func (pi *ProviderInstance) Bind(username string, bindPW string, conn net.Conn)
 }
 params := url.Values{}
 params.Add("goauthentik.io/outpost/ldap", "true")
- passed, err := pi.solveFlowChallenge(username, bindPW, client, params.Encode())
+ passed, err := pi.solveFlowChallenge(username, bindPW, client, params.Encode(), 1)
 if err != nil {
 pi.log.WithField("boundDN", username).WithError(err).Warning("failed to solve challenge")
 return ldap.LDAPResultOperationsError, nil
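Review bot: Now that solveFlowChallenge returns an error for the access-denied stage, the `if err != nil` branch visible in this hunk turns a policy denial into `ldap.LDAPResultOperationsError` plus a warning log, so an LDAP client cannot tell a denied bind apart from an outpost-side failure. Consider having solveFlowChallenge return a sentinel (`var ErrAccessDenied = errors.New("access denied by flow")`) and checking `errors.Is(err, ErrAccessDenied)` here to return the invalid-credentials result code (`ldap.LDAPResultInvalidCredentials`), keeping OperationsError for genuine transport and API errors. Logging denials at warning level on every bind attempt may also be noisier than intended once this path is hit by ordinary users. Bind's body starts and ends outside this hunk.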
@@ -139,7 +139,7 @@ func (pi *ProviderInstance) delayDeleteUserInfo(dn string) {
 }()
 }
-func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, client *http.Client, urlParams string) (bool, error) {
+func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, client *http.Client, urlParams string, depth int) (bool, error) {
 challenge, err := pi.s.ac.Client.Flows.FlowsExecutorGet(&flows.FlowsExecutorGetParams{
 FlowSlug: pi.flowSlug,
 Query: urlParams,
@@ -169,6 +169,10 @@ func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, c
 }
 response, err := pi.s.ac.Client.Flows.FlowsExecutorSolve(responseParams, pi.s.ac.Auth)
 pi.log.WithField("component", response.Payload.Component).WithField("type", *response.Payload.Type).Debug("Got response")
+ switch response.Payload.Component {
+ case "ak-stage-access-denied":
+ return false, errors.New("got ak-stage-access-denied")
+ }
 if *response.Payload.Type == "redirect" {
 return true, nil
 }
@@ -184,5 +188,8 @@ func (pi *ProviderInstance) solveFlowChallenge(bindDN string, password string, c
 }
 }
 }
- return pi.solveFlowChallenge(bindDN, password, client, urlParams)
+ if depth >= 10 {
+ return false, errors.New("exceeded stage recursion depth")
+ }
+ return pi.solveFlowChallenge(bindDN, password, client, urlParams, depth+1)
 }
diff --git a/web/src/pages/outposts/OutpostHealth.ts b/web/src/pages/outposts/OutpostHealth.ts
index 9ec2654c2..eee784756 100644
--- a/web/src/pages/outposts/OutpostHealth.ts
+++ b/web/src/pages/outposts/OutpostHealth.ts
@@ -42,13 +42,12 @@ export class OutpostHealthElement extends LitElement { return html``; } if (this.outpostHealth.length === 0) { - return html`
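Review bot: In the `@@ -169` hunk the new `switch response.Payload.Component` dereferences `response` before the `err` returned by `FlowsExecutorSolve` on the line above is ever checked, as the existing Debug log line already does; if that call fails, `response` is presumably nil (generated-client style) and the bind handler panics instead of returning an error. Insert `if err != nil { return false, err }` directly after the `FlowsExecutorSolve` call, ahead of the log line and the switch, and the same nil risk applies to `*response.Payload.Type`. In the `@@ -184` hunk the limit `10` would read better as a named constant, `const maxStageDepth = 10`, and the error message could include the depth reached to help triage a misconfigured flow. A single-case `switch` on the component string is more conventionally written as an `if`. solveFlowChallenge's body is split across these hunks with parts outside this view.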
  • + return html`
    • -
    -
  • `; + `; } return html`