fixes #1374 admins cannot delete multiple MFA enrollments

openziti · Mar 27, 2023 · 2a29061 · 2a29061
1 parent 1343c95
commit 2a29061
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 22 deletions.
diff --git a/controller/internal/routes/authenticate_router.go b/controller/internal/routes/authenticate_router.go
@@ -151,7 +151,7 @@ func (ro *AuthRouter) authHandler(ae *env.AppEnv, rc *response.RequestContext, h
 		LastActivityAt:  time.Now().UTC(),
 	}
 
-	mfa, err := ae.Managers.Mfa.ReadByIdentityId(identity.Id)
+	mfa, err := ae.Managers.Mfa.ReadOneByIdentityId(identity.Id)
 
 	if err != nil {
 		rc.RespondWithError(err)
@@ -203,7 +203,7 @@ func (ro *AuthRouter) authHandler(ae *env.AppEnv, rc *response.RequestContext, h
 }
 
 func (ro *AuthRouter) authMfa(ae *env.AppEnv, rc *response.RequestContext, mfaCode *rest_model.MfaCode) {
-	mfa, err := ae.Managers.Mfa.ReadByIdentityId(rc.Identity.Id)
+	mfa, err := ae.Managers.Mfa.ReadOneByIdentityId(rc.Identity.Id)
 
 	if err != nil {
 		rc.RespondWithError(err)

diff --git a/controller/internal/routes/current_identity_router.go b/controller/internal/routes/current_identity_router.go
@@ -139,7 +139,7 @@ func (r *CurrentIdentityRouter) Register(ae *env.AppEnv) {
 }
 
 func (r *CurrentIdentityRouter) verifyMfa(ae *env.AppEnv, rc *response.RequestContext, body *rest_model.MfaCode) {
-	mfa, err := ae.Managers.Mfa.ReadByIdentityId(rc.Identity.Id)
+	mfa, err := ae.Managers.Mfa.ReadOneByIdentityId(rc.Identity.Id)
 
 	if err != nil {
 		rc.RespondWithError(err)
@@ -189,7 +189,7 @@ func (r *CurrentIdentityRouter) verifyMfa(ae *env.AppEnv, rc *response.RequestCo
 }
 
 func (r *CurrentIdentityRouter) createMfa(ae *env.AppEnv, rc *response.RequestContext) {
-	mfa, err := ae.Managers.Mfa.ReadByIdentityId(rc.Identity.Id)
+	mfa, err := ae.Managers.Mfa.ReadOneByIdentityId(rc.Identity.Id)
 
 	if err != nil {
 		rc.RespondWithError(err)
@@ -212,7 +212,7 @@ func (r *CurrentIdentityRouter) createMfa(ae *env.AppEnv, rc *response.RequestCo
 }
 
 func (r *CurrentIdentityRouter) detailMfa(ae *env.AppEnv, rc *response.RequestContext) {
-	mfa, err := ae.Managers.Mfa.ReadByIdentityId(rc.Identity.Id)
+	mfa, err := ae.Managers.Mfa.ReadOneByIdentityId(rc.Identity.Id)
 
 	if err != nil {
 		rc.RespondWithError(err)
@@ -252,7 +252,7 @@ func (r *CurrentIdentityRouter) removeMfa(ae *env.AppEnv, rc *response.RequestCo
 }
 
 func (r *CurrentIdentityRouter) detailMfaQrCode(ae *env.AppEnv, rc *response.RequestContext) {
-	mfa, err := ae.Managers.Mfa.ReadByIdentityId(rc.Identity.Id)
+	mfa, err := ae.Managers.Mfa.ReadOneByIdentityId(rc.Identity.Id)
 
 	if err != nil {
 		rc.RespondWithError(err)
@@ -282,7 +282,7 @@ func (r *CurrentIdentityRouter) detailMfaQrCode(ae *env.AppEnv, rc *response.Req
 }
 
 func (r *CurrentIdentityRouter) createMfaRecoveryCodes(ae *env.AppEnv, rc *response.RequestContext, body *rest_model.MfaCode) {
-	mfa, err := ae.Managers.Mfa.ReadByIdentityId(rc.Identity.Id)
+	mfa, err := ae.Managers.Mfa.ReadOneByIdentityId(rc.Identity.Id)
 
 	if err != nil {
 		rc.RespondWithError(err)
@@ -315,7 +315,7 @@ func (r *CurrentIdentityRouter) createMfaRecoveryCodes(ae *env.AppEnv, rc *respo
 }
 
 func (r *CurrentIdentityRouter) detailMfaRecoveryCodes(ae *env.AppEnv, rc *response.RequestContext, mfaValidationBody *rest_model.MfaCode, mfaCodeHeader *string) {
-	mfa, err := ae.Managers.Mfa.ReadByIdentityId(rc.Identity.Id)
+	mfa, err := ae.Managers.Mfa.ReadOneByIdentityId(rc.Identity.Id)
 
 	if err != nil {
 		rc.RespondWithError(err)

diff --git a/controller/internal/routes/identity_api_model.go b/controller/internal/routes/identity_api_model.go
@@ -232,7 +232,7 @@ func MapIdentityToRestModel(ae *env.AppEnv, identity *model.Identity) (*rest_mod
 		return nil, err
 	}
 
-	mfa, err := ae.Managers.Mfa.ReadByIdentityId(identity.Id)
+	mfa, err := ae.Managers.Mfa.ReadOneByIdentityId(identity.Id)
 	if err != nil {
 		return nil, err
 	}

diff --git a/controller/internal/routes/identity_router.go b/controller/internal/routes/identity_router.go
@@ -362,23 +362,13 @@ func (r *IdentityRouter) getPostureDataFailedServiceRequests(ae *env.AppEnv, rc
 
 func (r *IdentityRouter) removeMfa(ae *env.AppEnv, rc *response.RequestContext) {
 	id, _ := rc.GetEntityId()
-	mfa, err := ae.Managers.Mfa.ReadByIdentityId(id)
+	err := ae.Managers.Mfa.DeleteAllForIdentity(id)
 
 	if err != nil {
 		rc.RespondWithError(err)
 		return
 	}
 
-	if mfa == nil || !mfa.IsVerified {
-		rc.RespondWithNotFound()
-		return
-	}
-
-	if err := ae.Managers.Mfa.Delete(mfa.Id); err != nil {
-		rc.RespondWithError(err)
-		return
-	}
-
 	rc.RespondWithEmptyOk()
 }
 

diff --git a/controller/model/mfa_manager.go b/controller/model/mfa_manager.go
@@ -136,7 +136,7 @@ func (self *MfaManager) Query(query string) (*MfaListResult, error) {
 	return result, nil
 }
 
-func (self *MfaManager) ReadByIdentityId(identityId string) (*Mfa, error) {
+func (self *MfaManager) ReadOneByIdentityId(identityId string) (*Mfa, error) {
 	query := fmt.Sprintf(`identity = "%s"`, identityId)
 
 	resultList, err := self.Query(query)
@@ -183,7 +183,7 @@ func (self *MfaManager) VerifyTOTP(mfa *Mfa, code string) (bool, error) {
 }
 
 func (self *MfaManager) DeleteForIdentity(identity *Identity, code string) error {
-	mfa, err := self.ReadByIdentityId(identity.Id)
+	mfa, err := self.ReadOneByIdentityId(identity.Id)
 
 	if err != nil {
 		return err
@@ -297,6 +297,14 @@ func (self *MfaManager) Unmarshall(bytes []byte) (*Mfa, error) {
 	}, nil
 }
 
+// DeleteAllForIdentity is meant for administrators to remove all MFAs (enrolled or not) from an identity
+func (self *MfaManager) DeleteAllForIdentity(id string) error {
+	return self.GetDb().Update(func(tx *bbolt.Tx) error {
+		ctx := boltz.NewMutateContext(tx)
+		return self.Store.DeleteWhere(ctx, fmt.Sprintf("identity = \"%s\"", id))
+	})
+}
+
 type MfaListResult struct {
 	manager *MfaManager
 	Mfas    []*Mfa