Can block local login for an account
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
@ -8,7 +8,7 @@ use actix_web::dev::Payload;
|
||||
use actix_web::{web, Error, FromRequest, HttpRequest};
|
||||
|
||||
use crate::actors::users_actor;
|
||||
use crate::actors::users_actor::UsersActor;
|
||||
use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersActor};
|
||||
use crate::data::client::Client;
|
||||
use crate::data::remote_ip::RemoteIP;
|
||||
use crate::data::session_identity::SessionIdentity;
|
||||
@ -20,6 +20,7 @@ pub enum Action<'a> {
|
||||
AdminDeleteUser(&'a User),
|
||||
AdminResetUserPassword(&'a User),
|
||||
AdminRemoveUserFactor(&'a User, &'a TwoFactor),
|
||||
AdminSetAuthorizedAuthenticationSources(&'a User, &'a AuthorizedAuthenticationSources),
|
||||
AdminSetNewGrantedClientsList(&'a User, &'a GrantedClients),
|
||||
AdminClear2FAHistory(&'a User),
|
||||
LoginWebauthnAttempt { success: bool, user_id: UserID },
|
||||
@ -28,6 +29,7 @@ pub enum Action<'a> {
|
||||
UserSuccessfullyAuthenticated(&'a User),
|
||||
UserNeedNewPasswordOnLogin(&'a User),
|
||||
TryLoginWithDisabledAccount(&'a str),
|
||||
TryLocalLoginFromUnauthorizedAccount(&'a str),
|
||||
FailedLoginWithBadCredentials(&'a str),
|
||||
UserChangedPasswordOnLogin(&'a UserID),
|
||||
OTPLoginAttempt { user: &'a User, success: bool },
|
||||
@ -64,6 +66,11 @@ impl<'a> Action<'a> {
|
||||
Action::AdminClear2FAHistory(user) => {
|
||||
format!("cleared 2FA history of {}", user.quick_identity())
|
||||
}
|
||||
Action::AdminSetAuthorizedAuthenticationSources(user, sources) => format!(
|
||||
"update authorized authentication sources ({:?}) for user ({})",
|
||||
sources,
|
||||
user.quick_identity()
|
||||
),
|
||||
Action::AdminSetNewGrantedClientsList(user, clients) => format!(
|
||||
"set new granted clients list ({:?}) for user ({})",
|
||||
clients,
|
||||
@ -90,6 +97,9 @@ impl<'a> Action<'a> {
|
||||
Action::TryLoginWithDisabledAccount(login) => {
|
||||
format!("successfully authenticated as {login}, but this is a DISABLED ACCOUNT")
|
||||
}
|
||||
Action::TryLocalLoginFromUnauthorizedAccount(login) => {
|
||||
format!("successfully locally authenticated as {login}, but this is a FORBIDDEN for this account!")
|
||||
}
|
||||
Action::FailedLoginWithBadCredentials(login) => {
|
||||
format!("attempted to authenticate as {login} but with a WRONG PASSWORD")
|
||||
}
|
||||
|
||||
@ -1,3 +1,4 @@
|
||||
use crate::actors::users_actor::AuthorizedAuthenticationSources;
|
||||
use std::collections::HashMap;
|
||||
use std::net::IpAddr;
|
||||
|
||||
@ -114,6 +115,10 @@ impl Successful2FALogin {
|
||||
}
|
||||
}
|
||||
|
||||
fn default_true() -> bool {
|
||||
true
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
|
||||
pub struct User {
|
||||
pub uid: UserID,
|
||||
@ -142,6 +147,10 @@ pub struct User {
|
||||
/// None = all services
|
||||
/// Some([]) = no service
|
||||
pub authorized_clients: Option<Vec<ClientID>>,
|
||||
|
||||
/// Authorize connection through local login
|
||||
#[serde(default = "default_true")]
|
||||
pub allow_local_login: bool,
|
||||
}
|
||||
|
||||
impl User {
|
||||
@ -162,6 +171,13 @@ impl User {
|
||||
)
|
||||
}
|
||||
|
||||
/// Get the list of sources from which a user can authenticate from
|
||||
pub fn authorized_authentication_sources(&self) -> AuthorizedAuthenticationSources {
|
||||
AuthorizedAuthenticationSources {
|
||||
local: self.allow_local_login,
|
||||
}
|
||||
}
|
||||
|
||||
pub fn granted_clients(&self) -> GrantedClients {
|
||||
match self.authorized_clients.as_deref() {
|
||||
None => GrantedClients::AllClients,
|
||||
@ -296,6 +312,7 @@ impl Default for User {
|
||||
two_factor_exemption_after_successful_login: false,
|
||||
last_successful_2fa: Default::default(),
|
||||
authorized_clients: Some(Vec::new()),
|
||||
allow_local_login: true,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
use std::net::IpAddr;
|
||||
|
||||
use crate::actors::users_actor::UsersSyncBackend;
|
||||
use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersSyncBackend};
|
||||
use crate::data::entity_manager::EntityManager;
|
||||
use crate::data::user::{FactorID, GeneralSettings, GrantedClients, TwoFactor, User, UserID};
|
||||
use crate::utils::err::{new_error, Res};
|
||||
@ -143,6 +143,17 @@ impl UsersSyncBackend for EntityManager<User> {
|
||||
self.remove(&user)
|
||||
}
|
||||
|
||||
fn set_authorized_authentication_sources(
|
||||
&mut self,
|
||||
id: &UserID,
|
||||
sources: AuthorizedAuthenticationSources,
|
||||
) -> Res {
|
||||
self.update_user(id, |mut user| {
|
||||
user.allow_local_login = sources.local;
|
||||
user
|
||||
})
|
||||
}
|
||||
|
||||
fn set_granted_2fa_clients(&mut self, id: &UserID, clients: GrantedClients) -> Res {
|
||||
self.update_user(id, |mut user| {
|
||||
user.authorized_clients = clients.to_user();
|
||||
|
||||
Reference in New Issue
Block a user