Enable MFA support

2025-12-06 17:22:49 +01:00 · 2022-02-15 07:49:12 -05:00
parent c5d6f09320
commit d97423e9f8
4 changed files with 29 additions and 4 deletions
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -147,7 +147,10 @@ function updatePassword() {
    # Generate password hash
    passwordHash=$(hashPassword "$password")
    # Update DB with new hash
-    echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}';" | sqlite3 "$databasePath"
+    echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 "$databasePath"
+    # Deactivate MFA
+    echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp'));" | sqlite3 "$databasePath"
+    echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp');" | sqlite3 "$databasePath"
    [[ $? != 0 ]] && fail "Unable to update password"
  fi
 }
@@ -244,10 +247,12 @@ function syncElastic() {
  if [[ -f "$databasePath" && -f "$socRolesFile" ]]; then
    # Append the SOC users 
    echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \
-      "from identity_credential_identifiers ici, identity_credentials ic, identities i " \
+      "from identity_credential_identifiers ici, identity_credentials ic, identities i, identity_credential_types ict " \
      "where " \
      "      ici.identity_credential_id=ic.id " \
      "  and ic.identity_id=i.id " \
+      "  and ict.id=ic.identity_credential_type_id " \
+      "  and ict.name='password' " \
      "  and instr(ic.config, 'hashed_password') " \
      "  and i.state == 'active' " \
      "order by ici.identifier;" | \
@@ -261,8 +266,11 @@ function syncElastic() {
      userId=$(echo "$rolePair" | cut -d: -f2)
      role=$(echo "$rolePair" | cut -d: -f1)
      echo "select '$role:' || ici.identifier " \
-        "from identity_credential_identifiers ici, identity_credentials ic " \
-        "where ici.identity_credential_id=ic.id and ic.identity_id = '$userId';" | \
+        "from identity_credential_identifiers ici, identity_credentials ic, identity_credential_types ict " \
+        "where ici.identity_credential_id=ic.id " \
+        "  and ict.id=ic.identity_credential_type_id " \
+        "  and ict.name='password' " \
+        "  and ic.identity_id = '$userId';" | \
        sqlite3 "$databasePath" >> "$rolesTmpFile"
    done < "$socRolesFile"

--- a/salt/kratos/files/kratos.yaml
+++ b/salt/kratos/files/kratos.yaml
@@ -1,9 +1,12 @@
 {%- set WEBACCESS = salt['pillar.get']('global:url_base', '') -%}
 {%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%}
 {%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '24h') -%}
+{%- set MFA_ISSUER = salt['pillar.get']('kratos:mfa_issuer', 'Security Onion') -%}

 session:
  lifespan: {{ SESSIONTIMEOUT }}
+  whoami:
+    required_aal: highest_available

 selfservice:
  methods:
@@ -11,10 +14,15 @@ selfservice:
      enabled: true
      config:
        haveibeenpwned_enabled: false
+    totp:
+      enabled: true
+      config:
+        issuer: {{ MFA_ISSUER }}

  flows:
    settings:
      ui_url: https://{{ WEBACCESS }}/?r=/settings
+      required_aal: highest_available

    verification:
      ui_url: https://{{ WEBACCESS }}/
--- a/salt/kratos/files/schema.json
+++ b/salt/kratos/files/schema.json
@@ -17,6 +17,9 @@
            "credentials": {
              "password": {
                "identifier": true
+              },
+              "totp": {
+                "account_name": true
              }
            },
            "verification": {
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -399,12 +399,18 @@ http {
 		}

 		error_page 401 = @error401;
+		error_page 403 = @error403;

 		location @error401 {
 			add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
 			return        302 /auth/self-service/login/browser;
 		}

+		location @error403 {
+			add_header    Set-Cookie "ory_kratos_session=;Path=/;Max-Age=0;expires=Thu, 01 Jan 1970 00:00:00 GMT;";
+			return        302 /auth/self-service/login/browser;
+		}
+
 		error_page 500 502 503 504 /50x.html;
 				location = /usr/share/nginx/html/50x.html {
 		}