

Fixes #83. Add user block list.
aebruno committed Oct 1, 2022
1 parent b3a3774 commit 9a4d14d
Showing 2 changed files with 30 additions and 3 deletions.
7 changes: 5 additions & 2 deletions mokey.toml.sample
Expand Up @@ -26,7 +26,7 @@ base_url = "https://localhost"
# keytab = "/srv/mokey/private/mokey.keytab"

#------------------------------------------------------------------------------
# User account defaults
# User account settings
#------------------------------------------------------------------------------

# Default home directory
Expand All @@ -44,6 +44,9 @@ min_passwd_len = 8
# password policy set in FreeIPA
min_passwd_classes = 2

# Block list of user accounts from logging in
# block_users = ["username1", "username2", "username3"]

#------------------------------------------------------------------------------
# Email
#------------------------------------------------------------------------------
Expand All @@ -53,7 +56,7 @@ token_max_age = 3600

# Secret key for branca tokens. Must be 32 bytes. To generate run:
# openssl rand -hex 32
# token_secret =
# token_secret = ""

# Hostname for smtp server
smtp_host = "localhost"
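Review bot: The new `block_users` comment says only that listed accounts are blocked from logging in, but the check that consumes it (isBlocked in server/auth.go) is a plain string equality against the submitted login name, so the sample should state the match semantics: `# Block list of user accounts from logging in (exact, case-sensitive match on the login name)`. The changed `# token_secret = ""` line sits under a comment saying the key must be 32 bytes while the suggested `openssl rand -hex 32` prints a 64-character hex string; whether mokey hex-decodes that value or uses it raw is not visible here, so the comment should say which form is expected, e.g. `# Secret key for branca tokens (64 hex characters = 32 bytes)` if it is decoded. Both are comment-only changes to the sample.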
26 changes: 25 additions & 1 deletion server/auth.go
Expand Up @@ -9,6 +9,17 @@ import (
"github.com/ubccr/goipa"
)

func isBlocked(username string) bool {
blockUsers := viper.GetStringSlice("block_users")
for _, u := range blockUsers {
if username == u {
return true
}
}

return false
}

func (r *Router) Login(c *fiber.Ctx) error {
vars := fiber.Map{}
return c.Render("login.html", vars)
Expand Down Expand Up @@ -109,6 +120,13 @@ func (r *Router) CheckUser(c *fiber.Ctx) error {
return c.Status(fiber.StatusBadRequest).SendString("Please provide a username")
}

if isBlocked(username) {
log.WithFields(log.Fields{
"username": username,
}).Warn("User account is blocked from logging in")
return c.Status(fiber.StatusUnauthorized).SendString("Invalid credentials")
}

userRec, err := r.adminClient.UserShow(username)
if err != nil {
if ierr, ok := err.(*ipa.IpaError); ok && ierr.Code == 4001 {
Expand All @@ -133,7 +151,6 @@ func (r *Router) CheckUser(c *fiber.Ctx) error {
"username": username,
}).Warn("User account is locked in FreeIPA")
return c.Status(fiber.StatusUnauthorized).SendString("Invalid credentials")

}

log.WithFields(log.Fields{
Expand Down Expand Up @@ -164,6 +181,13 @@ func (r *Router) Authenticate(c *fiber.Ctx) error {
return c.Status(fiber.StatusBadRequest).SendString("Please provide a password")
}

if isBlocked(username) {
log.WithFields(log.Fields{
"username": username,
}).Warn("User account is blocked from logging in")
return c.Status(fiber.StatusUnauthorized).SendString("Invalid credentials")
}

client := ipa.NewDefaultClient()
err := client.RemoteLogin(username, password+otp)
if err != nil {
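Review bot: isBlocked matches `block_users` entries with a case-sensitive `==`, so a blocked user who submits `Alice` instead of `alice` passes the new checks in CheckUser and Authenticate and still reaches `r.adminClient.UserShow` / `client.RemoteLogin`; if FreeIPA resolves uids case-insensitively, as LDAP uid attributes usually do, the block list is bypassable by changing case. Prefer `if strings.EqualFold(username, u) {` (or normalize both sides once with `strings.ToLower(strings.TrimSpace(...))`), and confirm `strings` is present in the import block, which is cut off above the first hunk. Note also that the blocked path returns before any FreeIPA round-trip, so blocked names answer measurably faster than unknown or valid ones; if that timing signal matters, run the check after the FreeIPA call so it lines up with the existing locked-account path, which already returns the same `Invalid credentials` text. A doc comment on the helper, `// isBlocked reports whether username exactly matches an entry in the block_users config list, re-read from viper on every call.`, would make the exact-match semantics explicit to whoever edits the config.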
