From 8efbb2ef22f5f007b5dc6d5b15ecf070ccef08ca Mon Sep 17 00:00:00 2001
From: Ben Rosser
Date: Thu, 7 Feb 2019 14:47:50 -0500
Subject: [PATCH 1/1] Core: only try local auth if a user has the "database" auth provider set

This commit attempts to resolve issue #1501; currently, quassel will always attempt to do local authentication, and *then* try LDAP auth. This makes it difficult to migrate a core from local auth to LDAP auth; users who have local passwords can always use those passwords to log in, and there is not a simple way to migrate them to non-local auth. There is an "authenticator" column in the database for each user, but it is currently only used to stop passwords from being changed for LDAP users. This commit modifies the login flow to first check that database field-- if authenticator is not "Database", we don't try local authentication and proceed directly to non-local authentication. This is a bit clumsy-- I added a method to the core to look up a user's authenticator by string. But there's no way to map that to the actual authenticator object, because we only store one configured authenticator per core-- so we then just check if that authenticator is "Database" or not. I think this is something that should be improved in the future, but as a quick fix to #1501 this is probably good enough.
---
 src/core/core.h | 10 ++++++++++
 src/core/coreauthhandler.cpp | 12 +++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/core/core.h b/src/core/core.h
index 0b455aef..994e473b 100644
--- a/src/core/core.h
+++ b/src/core/core.h
@@ -125,6 +125,16 @@ public:
 return instance()->_storage->getUserAuthenticator(userid) == authenticator;
 }
+ //! Gets the authenticator configured for a user.
+ /**
+ * \param userid The user's name as a QString.
+ * \return String value corresponding to the user's configure dauthenticator.
+ */
+ static inline QString getUserAuthenticator(const QString& userName)
+ {
+ return instance()->_storage->getUserAuthenticator(instance()->_storage->getUserId(userName));
+ }
+
 //! Change a user's password
 /**
 * \param userId The user's ID
diff --git a/src/core/coreauthhandler.cpp b/src/core/coreauthhandler.cpp
index 1d46e65c..d8f81abe 100644
--- a/src/core/coreauthhandler.cpp
+++ b/src/core/coreauthhandler.cpp
@@ -228,7 +228,17 @@ void CoreAuthHandler::handle(const Protocol::Login& msg)
 // First attempt local auth using the real username and password.
 // If that fails, move onto the auth provider.
- UserId uid = Core::validateUser(msg.user, msg.password);
+
+ // Check to see if the user has the "Database" authenticator configured.
+ UserId uid = 0;
+ if (Core::getUserAuthenticator(msg.user) == "Database") {
+ uid = Core::validateUser(msg.user, msg.password);
+ }
+
+ // If they did not, *or* if the database login fails, try to use a different authenticator.
+ // TODO: this logic should likely be moved into Core::authenticateUser in the future.
+ // Right now a core can only have one authenticator configured; this might be something
+ // to change in the future.
 if (uid == 0) {
 uid = Core::authenticateUser(msg.user, msg.password);
 }
--
2.20.1
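Review bot: The doc comment on the new `getUserAuthenticator(const QString& userName)` in src/core/core.h documents `\param userid` while the signature takes `userName`, and "configure dauthenticator" is a typo for "configured authenticator". It should also state what is returned for a name that `getUserId` does not find, because that result is passed straight into `_storage->getUserAuthenticator` with no validity check and the login path branches on the returned string. Something like `\return The user's configured authenticator, or an empty string if no such user exists` would do, once that behaviour is confirmed against the storage backends. The enclosing class starts and ends outside the hunk.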
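Review bot: The fall-through at `if (uid == 0)` in src/core/coreauthhandler.cpp still passes a user whose authenticator is "Database" to `Core::authenticateUser` after a failed local check, so the two identity sources are separated in one direction only. If the external provider maps a successful login onto an existing account by name (not visible in this hunk, worth confirming), an external identity that shares a name with a local account would be logged into that local account. Consider keeping the looked-up value, `const QString auth = Core::getUserAuthenticator(msg.user);`, and guarding the fallback with `if (uid == 0 && auth != "Database")`. The literal `"Database"` is also compared exactly, so rows holding an empty or differently spelled value would silently lose local login; a named constant shared with the authenticator backend would make that dependency explicit. handle() starts and ends outside the hunk.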