Fix issue where just after startup wag would be unable to deauthenticate all user devices
NHAS committed May 7, 2024
1 parent 091e305 commit 08b7446
Showing 4 changed files with 17 additions and 3 deletions.
1 change: 1 addition & 0 deletions internal/router/bpf.go
Expand Up @@ -163,6 +163,7 @@ func setupXDP(users []data.UserModel, knownDevices []data.Device) error {
}

for _, device := range knownDevices {

err := xdpAddDevice(device.Username, device.Address)
if err != nil {
return errors.New("xdp setup add device to user: " + err.Error())
6 changes: 4 additions & 2 deletions internal/router/statemachine.go
Expand Up @@ -6,6 +6,7 @@ import (

"github.com/NHAS/wag/internal/acls"
"github.com/NHAS/wag/internal/data"
"github.com/NHAS/wag/internal/webserver/authenticators/types"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
)

Expand Down Expand Up @@ -136,7 +137,7 @@ func userChanges(key string, current data.UserModel, previous data.UserModel, et
}
case data.MODIFIED:

if current.Locked != previous.Locked {
if current.Locked != previous.Locked || current.Locked {

lock := uint32(1)
if !current.Locked {
Expand All @@ -150,7 +151,8 @@ func userChanges(key string, current data.UserModel, previous data.UserModel, et
}
}

if current.Mfa != previous.Mfa || current.MfaType != previous.MfaType {
if current.Mfa != previous.Mfa || current.MfaType != previous.MfaType ||
!current.Enforcing || types.MFA(current.MfaType) == types.Unset {
err := DeauthenticateAllDevices(current.Username)
if err != nil {
log.Printf("cannot deauthenticate user %s: %s", current.Username, err)
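Review bot: The widened condition in the second hunk, `if current.Mfa != previous.Mfa || current.MfaType != previous.MfaType || !current.Enforcing || types.MFA(current.MfaType) == types.Unset`, now calls DeauthenticateAllDevices on every MODIFIED event for a user who is not enforcing MFA or whose MFA type is Unset, whatever field actually changed, and the reason (re-synchronising after a missed event, which the commit title suggests) is recorded nowhere. A comment above it such as `// Any update to a user without enforced MFA re-runs the deauthentication, so a deauth missed earlier (e.g. around startup) cannot leave devices authorised.` would stop a later reader from "simplifying" it back to a pure change check; the `|| current.Locked` term in the first hunk deserves the same one-line explanation. Because this branch now fires far more often, the log-only handling of a failed DeauthenticateAllDevices on the following lines matters more: a failure there leaves sessions in place, so it should be reported at a level that is actually monitored. userChanges starts and ends outside the hunk.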
12 changes: 12 additions & 0 deletions internal/router/wireguard.go
Expand Up @@ -47,6 +47,8 @@ func (msg *IfAddrmsg) Serialize() []byte {
}

func setupWireguard(devices []data.Device) error {
lock.Lock()
defer lock.Unlock()

var c wgtypes.Config

Expand Down Expand Up @@ -102,6 +104,16 @@ func setupWireguard(devices []data.Device) error {
d := time.Duration(config.Values.Wireguard.ServerPersistentKeepAlive) * time.Second
pc.PersistentKeepaliveInterval = &d
}

addressesMap, ok := usersToAddresses[device.Username]
if !ok {
addressesMap = make(map[string]string)
}

addressesMap[device.Address] = pk.String()
usersToAddresses[device.Username] = addressesMap
addressesToUsers[device.Address] = device.Username

c.Peers = append(c.Peers, pc)
}

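Review bot: Entries are only ever added to `usersToAddresses` and `addressesToUsers` in the second hunk; nothing visible removes an entry for a device that is no longer in `devices`, so if setupWireguard can run more than once in a process (a reload, for instance) a retired address keeps mapping to its old owner until that address is handed out again. If the function only ever runs once at startup on empty maps, say so in a comment on the function; otherwise reset both maps under the lock before the loop, e.g. `clear(usersToAddresses)` and `clear(addressesToUsers)` (Go 1.21+), or re-make them with `make`. Taking `lock` for the whole function in the first hunk is the right place for these writes, provided every reader of the two maps elsewhere also holds it, which cannot be seen from here. setupWireguard continues past the end of the hunk.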
1 change: 0 additions & 1 deletion internal/users/user.go
Expand Up @@ -22,7 +22,6 @@ func (u *user) ResetDeviceAuthAttempts(address string) error {

func (u *user) ResetMfa() error {

// the MFA column is marked as "unique" so just set it as the username as that is also unique
err := data.SetUserMfa(u.Username, u.Username, string(types.Unset))
if err != nil {
return err
