Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -292,13 +292,31 @@ private SecondFactorResponse ProcessMfException(

if (IsUserPassThrow(context))
{
LogApiUnreachableBypass(context, identity);
var code = ConvertToAuthCode(AccessRequestResponse.Bypass);
return new SecondFactorResponse(code);
}
var radCode = ConvertToAuthCode(null);
return new SecondFactorResponse(radCode);
}

private void LogApiUnreachableBypass(RadiusPipelineContext context, string identity)
{
var callingStationIdAttributeName = context.ClientConfiguration.CallingStationIdAttribute;
var callingStationIdAttr = context.RequestPacket.GetCallingStationIdAttribute(callingStationIdAttributeName);
var callingStationId = RequestDataExtractor.GetCallingStationId(
callingStationIdAttr,
context.RequestPacket.RemoteEndpoint,
context.ClientConfiguration.IsIpFromUdp);

_logger.LogInformation(
"Bypass second factor for user '{user:l}' with calling-station-id {csi:l} from {host:l}:{port} because Multifactor API is unreachable",
identity,
callingStationId,
context.RequestPacket.RemoteEndpoint.Address,
context.RequestPacket.RemoteEndpoint.Port);
}

private bool IsUserPassThrow(RadiusPipelineContext context)
{
if (!context.ClientConfiguration.BypassSecondFactorWhenApiUnreachable)
Expand Down Expand Up @@ -343,4 +361,4 @@ private SecondFactorResponse ProcessException(Exception ex, string identity, IPE

private static bool ShouldCacheResponse(bool apiResponseCacheEnabled, AuthenticationStatus responseCode, AccessRequestResponse? response)
=> apiResponseCacheEnabled && responseCode == AuthenticationStatus.Accept && !(response?.Bypassed ?? false);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,9 @@ public async Task<AccessRequestResponse> Execute(AccessRequestDto dto, Multifact
catch (TaskCanceledException) when (!cancellationToken.IsCancellationRequested)
{
_logger.LogWarning("Multifactor API timeout expired for endpoint: {Url}", Url);
return CreateDeniedResponse("Request timeout");
throw new MultifactorApiUnreachableException(
$"Multifactor API timeout expired for endpoint: {Url}. " +
$"Host: {client.BaseAddress?.OriginalString}. Reason: Request timeout");
}
catch (OperationCanceledException)
{
Expand Down Expand Up @@ -144,4 +146,4 @@ private HttpClient CreateClient(MultifactorAuthData authData)

return client;
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,9 @@ public async Task<AccessRequestResponse> Execute(ChallengeRequestDto dto, Multif
catch (TaskCanceledException) when (!cancellationToken.IsCancellationRequested)
{
_logger.LogWarning("Multifactor API timeout expired for endpoint: {Url}", Url);
return CreateDeniedResponse("Request timeout");
throw new MultifactorApiUnreachableException(
$"Multifactor API timeout expired for endpoint: {Url}. " +
$"Host: {client.BaseAddress?.OriginalString}. Reason: Request timeout");
}
catch (OperationCanceledException)
{
Expand Down Expand Up @@ -142,4 +144,4 @@ private HttpClient CreateClient(MultifactorAuthData authData)

return client;
}
}
}