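--- a/changelog.d/3-bug-fixes/pr-2430
+++ b/changelog.d/3-bug-fixes/pr-2430
@@ -0,0 +1 @@
+On actions that require re-authentication a password is not required if the user has SAML credentials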
8 changes: 4 additions & 4 deletions services/brig/src/Brig/API/Public.hs
Expand Up @@ -196,7 +196,7 @@ servantSitemap = userAPI :<|> selfAPI :<|> accountAPI :<|> clientAPI :<|> prekey
selfAPI :: ServerT SelfAPI (Handler r)
selfAPI =
Named @"get-self" getSelf
:<|> Named @"delete-self" deleteUser
:<|> Named @"delete-self" deleteSelfUser
:<|> Named @"put-self" updateUser
:<|> Named @"change-phone" changePhone
:<|> Named @"remove-phone" removePhone
Expand Down Expand Up @@ -951,12 +951,12 @@ getConnection self other = do
lself <- qualifyLocal self
lift . wrapClient $ Data.lookupConnection lself other

deleteUser ::
deleteSelfUser ::
UserId ->
Public.DeleteUser ->
(Handler r) (Maybe Code.Timeout)
deleteUser u body =
API.deleteUser u (Public.deleteUserPassword body) !>> deleteUserError
deleteSelfUser u body =
API.deleteSelfUser u (Public.deleteUserPassword body) !>> deleteUserError

verifyDeleteUserH :: JsonRequest Public.VerifyDeleteUser ::: JSON -> (Handler r) Response
verifyDeleteUserH (r ::: _) = do
6 changes: 3 additions & 3 deletions services/brig/src/Brig/API/User.hs
Expand Up @@ -51,7 +51,7 @@ module Brig.API.User
revokeIdentity,
deleteUserNoVerify,
deleteUsersNoVerify,
Brig.API.User.deleteUser,
deleteSelfUser,
verifyDeleteUser,
deleteAccount,
checkHandles,
Expand Down Expand Up @@ -1041,8 +1041,8 @@ mkPasswordResetKey ident = case ident of
-- delete them in the team settings. This protects teams against orphanhood.
--
-- TODO: communicate deletions of SSO users to SSO service.
deleteUser :: UserId -> Maybe PlainTextPassword -> ExceptT DeleteUserError (AppT r) (Maybe Timeout)
deleteUser uid pwd = do
deleteSelfUser :: UserId -> Maybe PlainTextPassword -> ExceptT DeleteUserError (AppT r) (Maybe Timeout)
deleteSelfUser uid pwd = do
account <- lift . wrapClient $ Data.lookupAccount uid
case account of
Nothing -> throwE DeleteUserInvalid
14 changes: 11 additions & 3 deletions services/brig/src/Brig/Data/User.hs
Expand Up @@ -31,6 +31,7 @@ module Brig.Data.User
reauthenticate,
filterActive,
isActivated,
isSSOUser,

-- * Lookups
lookupAccount,
Expand Down Expand Up @@ -196,9 +197,9 @@ authenticate u pw =
throwE AuthInvalidCredentials

-- | Password reauthentication. If the account has a password, reauthentication
-- is mandatory. If the account has no password and no password is given,
-- is mandatory. If the account has no password, or is an SSO user, and no password is given,
-- reauthentication is a no-op.
reauthenticate :: MonadClient m => UserId -> Maybe PlainTextPassword -> ExceptT ReAuthError m ()
reauthenticate :: (MonadClient m, MonadReader Env m) => UserId -> Maybe PlainTextPassword -> ExceptT ReAuthError m ()
reauthenticate u pw =
lift (lookupAuth u) >>= \case
Nothing -> throwE (ReAuthError AuthInvalidUser)
Expand All @@ -210,11 +211,18 @@ reauthenticate u pw =
Just (Just pw', Ephemeral) -> maybeReAuth pw'
where
maybeReAuth pw' = case pw of
Nothing -> throwE ReAuthMissingPassword
Nothing -> unlessM (isSSOUser u) $ throwE ReAuthMissingPassword
Just p ->
unless (verifyPassword p pw') $
throwE (ReAuthError AuthInvalidCredentials)

isSSOUser :: (MonadClient m, MonadReader Env m) => UserId -> m Bool
isSSOUser uid = do
account <- lookupAccount uid
case userIdentity . accountUser =<< account of
Just SSOIdentity {} -> pure True
_ -> pure False

insertAccount ::
MonadClient m =>
UserAccount ->
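Review bot: The new `Nothing -> unlessM (isSSOUser u) $ throwE ReAuthMissingPassword` arm of `maybeReAuth` is only reached when `lookupAuth` returned a stored password (the visible `Just (Just pw', Ephemeral)` arm; the other arms are collapsed between the two hunks), so an SSO account that also has a password can now pass re-authentication simply by omitting the password, while a wrong password still fails. That makes the stored password an optional check for such accounts and weakens the step-up protection re-authentication gives against a stolen session token; if this is the intended policy it should be stated at the arm, e.g. `-- SSO accounts authenticate via their IdP: a stored password is only checked when the client actually sends one.` `isSSOUser` also issues a second database read (`lookupAccount`) on every re-authentication after `lookupAuth`, and has no Haddock; something like `-- | Whether the account's identity is an 'SSOIdentity'. Unknown accounts are treated as non-SSO.` would document the fail-closed default of the `_ -> pure False` arm. `reauthenticate` begins in the first hunk of this file and its remaining arms lie outside the visible lines.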
4 changes: 2 additions & 2 deletions services/brig/src/Brig/User/Auth.hs
Expand Up @@ -280,15 +280,15 @@ renewAccess uts at = do
pure $ Access at' ck'

revokeAccess ::
(MonadClient m, Log.MonadLogger m) =>
(MonadClient m, Log.MonadLogger m, MonadReader Env m) =>
UserId ->
PlainTextPassword ->
[CookieId] ->
[CookieLabel] ->
ExceptT AuthError m ()
revokeAccess u pw cc ll = do
lift $ Log.debug $ field "user" (toByteString u) . field "action" (Log.val "User.revokeAccess")
Data.authenticate u pw
unlessM (Data.isSSOUser u) $ Data.authenticate u pw
lift $ revokeCookies u cc ll

--------------------------------------------------------------------------------
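Review bot: `unlessM (Data.isSSOUser u) $ Data.authenticate u pw` skips `Data.authenticate` entirely for SSO accounts, so the `pw` the caller must still supply (it is a plain `PlainTextPassword`, not a `Maybe`) is accepted unverified even when it is wrong — unlike `reauthenticate` in Brig/Data/User.hs in this same PR, which still verifies a password that is present and only waives a missing one. If `Data.authenticate` also rejects suspended or deleted accounts (its body is above the visible hunk of that file), those checks are now bypassed for SSO users as well, so confirm that `revokeCookies` is acceptable without them. At minimum the asymmetry and the ignored argument should be documented on the binding, e.g. `-- SSO accounts are not password-authenticated here: 'pw' is ignored for them and any stored password is left unchecked.`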