Home Explore Help
Sign In
SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git
1
0
Fork 0
Files
Tree: a85d811dbb
Branches Tags
zammad
/
lib
/
auth.rb

auth.rb 2.4 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182 
  1. # Copyright (C) 2012-2023 Zammad Foundation, https://zammad-foundation.org/
    2. 

  2. 

  3. class Auth
    4. 

  4. 

  5.   attr_reader :user, :password, :auth_user, :two_factor_method, :two_factor_payload, :only_verify_password
    6. 

  6. 

  7.   delegate :user, to: :auth_user
    8. 

  8. 

  9.   attr_accessor :increase_login_failed_attempts
    10. 

  10. 

  11.   BRUTE_FORCE_SLEEP = 1.second
    12. 

  12. 

  13.   # Initializes a Auth object for the given user.
    14. 

  14.   #
    15. 

  15.   # @param username [String] the user name for the user object which needs an authentication.
    16. 

  16.   #
    17. 

  17.   # @example
    18. 

  18.   #  auth = Auth.new('admin@example.com', 'some+password')
    19. 

  19.   def initialize(username, password, two_factor_method: nil, two_factor_payload: nil, only_verify_password: false)
    20. 

  20.     @auth_user                      = username.present? ? Auth::User.new(username) : nil
    21. 

  21.     @password                       = password
    22. 

  22.     @two_factor_payload             = two_factor_payload
    23. 

  23.     @two_factor_method              = two_factor_method
    24. 

  24.     @increase_login_failed_attempts = false
    25. 

  25.     @only_verify_password           = only_verify_password
    26. 

  26. 

  27.     return if !@two_factor_payload.is_a?(Hash)
    28. 

  28. 

  29.     @two_factor_payload = @two_factor_payload.symbolize_keys
    30. 

  30.   end
    31. 

  31. 

  32.   # Validates the given credentials for the user to the configured auth backends which should
    33. 

  33.   # be performed.
    34. 

  34.   #
    35. 

  35.   # @return true if the user was authenticated, otherwise it raises an Exception.
    36. 

  36.   def valid!
    37. 

  37. 

  38.     if verify_credentials!
    39. 

  39.       auth_user.update_last_login if !only_verify_password
    40. 

  40.       return true
    41. 

  41.     end
    42. 

  42. 

  43.     wait_and_raise Auth::Error::AuthenticationFailed
    44. 

  44.   end
    45. 

  45. 

  46.   private
    47. 

  47. 

  48.   def verify_credentials!
    49. 

  49.     # Wrap in a lock to synchronize concurrent requests.
    50. 

  50.     auth_user&.user&.with_lock do
    51. 

  51.       next false if !auth_user.can_login?
    52. 

  52. 

  53.       if !backends.valid?
    54. 

  54.         # Failed log-in attempts are only recorded if the password backend requests so.
    55. 

  55.         auth_user.increase_login_failed if increase_login_failed_attempts && !only_verify_password
    56. 

  56.         next false
    57. 

  57.       end
    58. 

  58.       verify_two_factor!
    59. 

  59.     end
    60. 

  60.   end
    61. 

  61. 

  62.   def verify_two_factor!
    63. 

  63.     return true if only_verify_password
    64. 

  64.     return true if !auth_user.requires_two_factor?
    65. 

  65. 

  66.     if two_factor_method.blank?
    67. 

  67.       raise Auth::Error::TwoFactorRequired, auth_user
    68. 

  68.     end
    69. 

  69. 

  70.     auth_user.two_factor_payload_valid?(two_factor_method, two_factor_payload) || wait_and_raise(Auth::Error::TwoFactorFailed)
    71. 

  71.   end
    72. 

  72. 

  73.   def wait_and_raise(...)
    74. 

  74.     # Sleep for a second to avoid brute force attacks.
    75. 

  75.     sleep BRUTE_FORCE_SLEEP
    76. 

  76.     raise(...)
    77. 

  77.   end
    78. 

  78. 

  79.   def backends
    80. 

  80.     Auth::Backend.new(self)
    81. 

  81.   end
    82. 

  82. end
    83.