diff options
| author | Matthew Somerville <matthew-github@dracos.co.uk> | 2018-02-02 08:52:58 +0000 |
|---|---|---|
| committer | Matthew Somerville <matthew-github@dracos.co.uk> | 2018-02-07 12:11:54 +0000 |
| commit | b4b6679f6aac821ac31e541e0cc6f05549b130b5 (patch) | |
| tree | 9d5f1ab9ab3af93672c11b8cf8998f4cf0878631 | |
| parent | 3ec1e871a1a04cd1f6ce051d1a6247acf2220ac2 (diff) | |
Add two-factor authentication for superusers.
| -rw-r--r-- | CHANGELOG.md | 1 | ||||
| -rw-r--r-- | cpanfile | 2 | ||||
| -rw-r--r-- | cpanfile.snapshot | 53 | ||||
| -rw-r--r-- | perllib/Catalyst/Authentication/Credential/2FA.pm | 123 | ||||
| -rw-r--r-- | perllib/FixMyStreet/App.pm | 17 | ||||
| -rw-r--r-- | perllib/FixMyStreet/App/Controller/Alert.pm | 9 | ||||
| -rw-r--r-- | perllib/FixMyStreet/App/Controller/Auth.pm | 3 | ||||
| -rw-r--r-- | perllib/FixMyStreet/App/Controller/Auth/Profile.pm | 26 | ||||
| -rw-r--r-- | perllib/FixMyStreet/App/Controller/Report/New.pm | 3 | ||||
| -rw-r--r-- | perllib/FixMyStreet/App/Controller/Report/Update.pm | 3 | ||||
| -rw-r--r-- | perllib/FixMyStreet/DB/Result/User.pm | 5 | ||||
| -rw-r--r-- | t/app/controller/auth.t | 23 | ||||
| -rw-r--r-- | t/app/controller/auth_profile.t | 36 | ||||
| -rw-r--r-- | templates/web/base/auth/2faform.html | 25 | ||||
| -rw-r--r-- | templates/web/base/auth/generate_token.html | 26 | ||||
| -rw-r--r-- | templates/web/base/my/my.html | 2 |
16 files changed, 339 insertions, 18 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 680d4b412..37b12d997 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ - Fix error sending `requires_inspection` reports. #1961 - Admin improvements: - Admin can anonymize/hide all a user's reports. #1942 #1943 + - Superusers can have optional two-factor authentication. #1973 - UK: - Lazy load images in the footer. @@ -18,6 +18,7 @@ requires 'CGI', '4.38'; # Catalyst itself, and modules/plugins used requires 'Catalyst', '5.80031'; requires 'Catalyst::Action::RenderView'; +requires 'Catalyst::Authentication::Credential::MultiFactor'; requires 'Catalyst::Authentication::Store::DBIx::Class'; requires 'Catalyst::Devel'; requires 'Catalyst::Model::Adaptor'; @@ -30,6 +31,7 @@ requires 'Catalyst::Plugin::Unicode::Encoding'; requires 'Catalyst::View::TT'; # Modules used by FixMyStreet +requires 'Auth::GoogleAuth'; requires 'Authen::SASL'; requires 'Cache::Memcached'; requires 'Carp'; diff --git a/cpanfile.snapshot b/cpanfile.snapshot index c5e5b2a46..7b3bb89f5 100644 --- a/cpanfile.snapshot +++ b/cpanfile.snapshot @@ -28,6 +28,22 @@ DISTRIBUTIONS requirements: ExtUtils::MakeMaker 0 Test::More 0 + Auth-GoogleAuth-1.02 + pathname: G/GR/GRYPHON/Auth-GoogleAuth-1.02.tar.gz + provides: + Auth::GoogleAuth 1.02 + requirements: + Carp 0 + Class::Accessor 0 + Convert::Base32 0 + Digest::HMAC_SHA1 0 + ExtUtils::MakeMaker 0 + Math::Random::MT 0 + URI::Escape 0 + base 0 + perl 5.008 + strict 0 + warnings 0 Authen-SASL-2.16 pathname: G/GB/GBARR/Authen-SASL-2.16.tar.gz provides: @@ -292,6 +308,14 @@ DISTRIBUTIONS HTTP::Request::AsCGI 0 MRO::Compat 0 Test::More 0.88 + Catalyst-Authentication-Credential-MultiFactor-1.2 + pathname: T/TE/TENGU/Catalyst-Authentication-Credential-MultiFactor-1.2.tar.gz + provides: + Catalyst::Authentication::Credential::MultiFactor 1.2 + requirements: + ExtUtils::MakeMaker 0 + Moose 0 + namespace::autoclean 0 Catalyst-Authentication-Store-DBIx-Class-0.1503 pathname: B/BO/BOBTFISH/Catalyst-Authentication-Store-DBIx-Class-0.1503.tar.gz provides: @@ -909,6 +933,14 @@ DISTRIBUTIONS Test::Exception 0 Test::More 0 ok 0 + Convert-Base32-0.06 + pathname: I/IK/IKEGAMI/Convert-Base32-0.06.tar.gz + provides: + Convert::Base32 0.06 + requirements: + ExtUtils::MakeMaker 0 + Test::Exception 0 + Test::More 0 Cpanel-JSON-XS-3.0210 pathname: R/RU/RURBAN/Cpanel-JSON-XS-3.0210.tar.gz provides: @@ -3671,6 +3703,14 @@ DISTRIBUTIONS Net::Domain 1.05 Net::SMTP 1.03 Test::More 0 + Math-Random-MT-1.17 + pathname: F/FA/FANGLY/Math-Random-MT-1.17.tar.gz + provides: + Math::Random::MT 1.17 + requirements: + ExtUtils::MakeMaker 0 + Test::More 0 + Test::Number::Delta 0 Memoize-ExpireLRU-0.55 pathname: B/BP/BPOWERS/Memoize-ExpireLRU-0.55.tar.gz provides: @@ -6082,6 +6122,19 @@ DISTRIBUTIONS Test::More 0.47 Test::Tester 0.107 perl 5.006 + Test-Number-Delta-1.06 + pathname: D/DA/DAGOLDEN/Test-Number-Delta-1.06.tar.gz + provides: + Test::Number::Delta 1.06 + requirements: + Carp 0 + Exporter 0 + ExtUtils::MakeMaker 6.17 + Test::Builder 0 + perl 5.006 + strict 0 + vars 0 + warnings 0 Test-Output-1.01 pathname: B/BD/BDFOY/Test-Output-1.01.tar.gz provides: diff --git a/perllib/Catalyst/Authentication/Credential/2FA.pm b/perllib/Catalyst/Authentication/Credential/2FA.pm new file mode 100644 index 000000000..2c2054c66 --- /dev/null +++ b/perllib/Catalyst/Authentication/Credential/2FA.pm @@ -0,0 +1,123 @@ +package Catalyst::Authentication::Credential::2FA; + +use strict; +use warnings; +use Auth::GoogleAuth; + +our $VERSION = "0.01"; + +sub new { + my ($class, $config, $c, $realm) = @_; + my $self = { %$config }; + bless $self, $class; + return $self; +} + +sub authenticate { + my ( $self, $c, $realm, $authinfo ) = @_; + + my $userfindauthinfo = {%{$authinfo}}; + delete($userfindauthinfo->{password}); + + my $user_obj = $realm->find_user($userfindauthinfo, $c); + if (ref($user_obj)) { + # We don't care unless user is a superuser and has a 2FA secret + return $user_obj unless $user_obj->is_superuser; + return $user_obj unless $user_obj->get_extra_metadata('2fa_secret'); + return $user_obj if $self->check_2fa($c, $user_obj); + + $c->stash->{template} = 'auth/2faform.html'; + $c->detach; + } +} + +sub check_2fa { + my ($self, $c, $user) = @_; + + if (my $code = $c->get_param('2fa_code')) { + my $auth = Auth::GoogleAuth->new; + my $secret32 = $user->get_extra_metadata('2fa_secret'); + return 1 if $auth->verify($code, 1, $secret32); + $c->stash->{incorrect_code} = 1; + } + return 0; +} + +__PACKAGE__; + +__END__ + +=pod + +=head1 NAME + +Catalyst::Authentication::Credential::2FA - Authenticate a user +with a two-factor authentication code. + +=head1 SYNOPSIS + + use Catalyst qw/ + Authentication + /; + + package MyApp::Controller::Auth; + + sub login : Local { + my ( $self, $c ) = @_; + + $c->authenticate( { username => $c->req->param('username'), + password => $c->req->param('password') }); + } + +=head1 DESCRIPTION + +This authentication credential checker takes authentication information +(most often a username), and only passes if a valid 2FA code is then +entered. It only works for Users that have an is_superuser flag set, +plus store the 2FA secret in a FixMyStreet::Role::Extra metadata key. + +=head1 CONFIGURATION + + # example + 'Plugin::Authentication' => { + default => { + credential => { + class => 'MultiFactor', + factors => [ + { + class => 'Password', + password_field => 'password', + password_type => 'self_check', + }, + { + class => '2FA', + }, + ], + }, + store => { + class => 'DBIx::Class', + user_model => 'DB::User', + }, + }, + + +=over 4 + +=item class + +The classname used for Credential. This is part of +L<Catalyst::Plugin::Authentication> and is the method by which +Catalyst::Authentication::Credential::2FA is loaded as the +credential validator. For this module to be used, this must be set to +'2FA'. + +=back + +=head1 USAGE + +Once configured as indicated above, authenticating using this module is a +matter of calling $c->authenticate() as normal. If you wish to use it in +combination with e.g. password authentication as well (so it actually is +two-factor!), check out Catalyst::Authentication::Credential::MultiFactor. + +=cut diff --git a/perllib/FixMyStreet/App.pm b/perllib/FixMyStreet/App.pm index e47336b7c..3108c5c01 100644 --- a/perllib/FixMyStreet/App.pm +++ b/perllib/FixMyStreet/App.pm @@ -61,10 +61,19 @@ __PACKAGE__->config( 'Plugin::Authentication' => { default_realm => 'default', default => { - credential => { # Catalyst::Authentication::Credential::Password - class => 'Password', - password_field => 'password', - password_type => 'self_check', + credential => { + class => 'MultiFactor', + factors => [ + # Catalyst::Authentication::Credential::Password + { + class => 'Password', + password_field => 'password', + password_type => 'self_check', + }, + { + class => '2FA', + }, + ], }, store => { # Catalyst::Authentication::Store::DBIx::Class class => 'DBIx::Class', diff --git a/perllib/FixMyStreet/App/Controller/Alert.pm b/perllib/FixMyStreet/App/Controller/Alert.pm index 5c9fbad1b..9d522dbc9 100644 --- a/perllib/FixMyStreet/App/Controller/Alert.pm +++ b/perllib/FixMyStreet/App/Controller/Alert.pm @@ -281,20 +281,25 @@ then display confirmation page. sub send_confirmation_email : Private { my ( $self, $c ) = @_; + my $user = $c->stash->{alert}->user; + + # Superusers using 2FA can not log in by code + $c->detach( '/page_error_403_access_denied', [] ) if $user->has_2fa; + my $token = $c->model("DB::Token")->create( { scope => 'alert', data => { id => $c->stash->{alert}->id, type => 'subscribe', - email => $c->stash->{alert}->user->email + email => $user->email } } ); $c->stash->{token_url} = $c->uri_for_email( '/A', $token->token ); - $c->send_email( 'alert-confirm.txt', { to => $c->stash->{alert}->user->email } ); + $c->send_email( 'alert-confirm.txt', { to => $user->email } ); $c->stash->{email_type} = 'alert'; $c->stash->{template} = 'email_sent.html'; diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm index 455022e03..06448afde 100644 --- a/perllib/FixMyStreet/App/Controller/Auth.pm +++ b/perllib/FixMyStreet/App/Controller/Auth.pm @@ -232,6 +232,9 @@ sub process_login : Private { $c->detach( '/page_error_403_access_denied', [] ) if FixMyStreet->config('SIGNUPS_DISABLED') && !$user->in_storage && !$data->{old_user_id}; + # Superusers using 2FA can not log in by code + $c->detach( '/page_error_403_access_denied', [] ) if $user->has_2fa; + if ($data->{old_user_id}) { # Were logged in as old_user_id, want to switch to $user if ($user->in_storage) { diff --git a/perllib/FixMyStreet/App/Controller/Auth/Profile.pm b/perllib/FixMyStreet/App/Controller/Auth/Profile.pm index 5e6fe6266..a58d2ddf6 100644 --- a/perllib/FixMyStreet/App/Controller/Auth/Profile.pm +++ b/perllib/FixMyStreet/App/Controller/Auth/Profile.pm @@ -157,14 +157,34 @@ sub generate_token : Path('/auth/generate_token') { $c->stash->{template} = 'auth/generate_token.html'; $c->forward('/auth/get_csrf_token'); + my $has_2fa = $c->user->get_extra_metadata('2fa_secret'); + if ($c->req->method eq 'POST') { $c->forward('/auth/check_csrf_token'); - my $token = mySociety::AuthToken::random_token(); - $c->user->set_extra_metadata('access_token', $token); + + if ($c->get_param('generate_token')) { + my $token = mySociety::AuthToken::random_token(); + $c->user->set_extra_metadata('access_token', $token); + $c->stash->{token_generated} = 1; + } + + if ($c->get_param('toggle_2fa') && $c->user->is_superuser) { + if ($has_2fa) { + $c->user->unset_extra_metadata('2fa_secret'); + $c->stash->{toggle_2fa_off} = 1; + } else { + my $auth = Auth::GoogleAuth->new; + $c->stash->{qr_code} = $auth->qr_code(undef, $c->user->email, 'FixMyStreet'); + $c->stash->{secret32} = $auth->secret32; + $c->user->set_extra_metadata('2fa_secret', $auth->secret32); + $c->stash->{toggle_2fa_on} = 1; + } + } + $c->user->update(); - $c->stash->{token_generated} = 1; } + $c->stash->{has_2fa} = $has_2fa ? 1 : 0; $c->stash->{existing_token} = $c->user->get_extra_metadata('access_token'); } diff --git a/perllib/FixMyStreet/App/Controller/Report/New.pm b/perllib/FixMyStreet/App/Controller/Report/New.pm index 166c0614d..09430110d 100644 --- a/perllib/FixMyStreet/App/Controller/Report/New.pm +++ b/perllib/FixMyStreet/App/Controller/Report/New.pm @@ -1391,6 +1391,9 @@ sub redirect_or_confirm_creation : Private { return 1; } + # Superusers using 2FA can not log in by code + $c->detach( '/page_error_403_access_denied', [] ) if $report->user->has_2fa; + # otherwise email or text a confirm token to them. my $thing = 'email'; if ($report->user->email_verified) { diff --git a/perllib/FixMyStreet/App/Controller/Report/Update.pm b/perllib/FixMyStreet/App/Controller/Report/Update.pm index c28039808..2f0ef8c0f 100644 --- a/perllib/FixMyStreet/App/Controller/Report/Update.pm +++ b/perllib/FixMyStreet/App/Controller/Report/Update.pm @@ -478,6 +478,9 @@ sub redirect_or_confirm_creation : Private { return 1; } + # Superusers using 2FA can not log in by code + $c->detach( '/page_error_403_access_denied', [] ) if $update->user->has_2fa; + my $data = $c->stash->{token_data}; $data->{id} = $update->id; $data->{add_alert} = $c->get_param('add_alert') ? 1 : 0; diff --git a/perllib/FixMyStreet/DB/Result/User.pm b/perllib/FixMyStreet/DB/Result/User.pm index d02039ac3..7e16308b9 100644 --- a/perllib/FixMyStreet/DB/Result/User.pm +++ b/perllib/FixMyStreet/DB/Result/User.pm @@ -395,6 +395,11 @@ sub admin_user_body_permissions { }); } +sub has_2fa { + my $self = shift; + return $self->is_superuser && $self->get_extra_metadata('2fa_secret'); +} + sub contributing_as { my ($self, $other, $c, $bodies) = @_; $bodies = [ keys %$bodies ] if ref $bodies eq 'HASH'; diff --git a/t/app/controller/auth.t b/t/app/controller/auth.t index 8d60137a2..70b970e2b 100644 --- a/t/app/controller/auth.t +++ b/t/app/controller/auth.t @@ -276,3 +276,26 @@ subtest "check logging in with token" => sub { $mech->delete_header('Authorization'); }; + +subtest "Test two-factor authentication login" => sub { + use Auth::GoogleAuth; + my $auth = Auth::GoogleAuth->new; + my $code = $auth->code; + my $wrong_code = $auth->code(undef, time() - 120); + + my $user = FixMyStreet::App->model('DB::User')->find( { email => $test_email } ); + $user->is_superuser(1); + $user->password('password'); + $user->set_extra_metadata('2fa_secret', $auth->secret32); + $user->update; + + $mech->get_ok('/auth'); + $mech->submit_form_ok( + { with_fields => { username => $test_email, password_sign_in => 'password' } }, + "sign in using form" ); + $mech->content_contains('Please generate a two-factor code'); + $mech->submit_form_ok({ with_fields => { '2fa_code' => $wrong_code } }, "provide wrong 2FA code" ); + $mech->content_contains('Try again'); + $mech->submit_form_ok({ with_fields => { '2fa_code' => $code } }, "provide correct 2FA code" ); + $mech->logged_in_ok; +}; diff --git a/t/app/controller/auth_profile.t b/t/app/controller/auth_profile.t index 74edccfe6..c9daff7ae 100644 --- a/t/app/controller/auth_profile.t +++ b/t/app/controller/auth_profile.t @@ -274,7 +274,7 @@ subtest "Test superuser can access generate token page" => sub { }, }); - $mech->content_lacks('Generate token'); + $mech->content_lacks('Security'); $mech->get('/auth/generate_token'); is $mech->res->code, 403, "access denied"; @@ -282,7 +282,7 @@ subtest "Test superuser can access generate token page" => sub { ok $user->update({ is_superuser => 1 }), 'user is superuser'; $mech->get_ok('/my'); - $mech->content_contains('Generate token'); + $mech->content_contains('Security'); $mech->get_ok('/auth/generate_token'); }; @@ -299,7 +299,7 @@ subtest "Test staff user can access generate token page" => sub { }, }); - $mech->content_lacks('Generate token'); + $mech->content_lacks('Security'); my $body = $mech->create_body_ok(2237, 'Oxfordshire'); @@ -309,7 +309,7 @@ subtest "Test staff user can access generate token page" => sub { ok $user->update({ from_body => $body }), 'user is staff user'; $mech->get_ok('/my'); - $mech->content_contains('Generate token'); + $mech->content_contains('Security'); $mech->get_ok('/auth/generate_token'); }; @@ -333,7 +333,7 @@ subtest "Test generate token page" => sub { $mech->follow_link_ok({url => '/auth/generate_token'}); $mech->content_lacks('Token:'); $mech->submit_form_ok( - { with_fields => { generate_token => 'Generate token' } }, + { button => 'generate_token' }, "submit generate token form" ); $mech->content_contains( 'Your token has been generated', "token generated" ); @@ -352,4 +352,28 @@ subtest "Test generate token page" => sub { $mech->log_out_ok; $mech->add_header('Authorization', "Bearer $token"); $mech->logged_in_ok; -} +}; + +subtest "Test two-factor authentication admin" => sub { + my $user = FixMyStreet::App->model('DB::User')->find( { email => $test_email } ); + ok $user->update({ is_superuser => 1 }), 'user set to superuser'; + + $mech->log_in_ok($test_email); + $mech->get_ok('/auth/generate_token'); + ok !$user->get_extra_metadata('2fa_secret'); + + $mech->submit_form_ok({ button => 'toggle_2fa' }, "submit 2FA activation"); + $mech->content_contains('has been activated', "2FA activated"); + + $user->discard_changes(); + my $token = $user->get_extra_metadata('2fa_secret'); + ok $token, '2FA secret set'; + + $mech->content_contains($token, 'secret displayed'); + + $mech->get_ok('/auth/generate_token'); + $mech->content_lacks($token, 'secret no longer displayed'); + + $mech->submit_form_ok({ button => 'toggle_2fa' }, "submit 2FA deactivation"); + $mech->content_contains('has been deactivated', "2FA deactivated"); +}; diff --git a/templates/web/base/auth/2faform.html b/templates/web/base/auth/2faform.html new file mode 100644 index 000000000..f9257bf61 --- /dev/null +++ b/templates/web/base/auth/2faform.html @@ -0,0 +1,25 @@ +[% INCLUDE 'header.html', bodyclass = 'fullwidthpage', title = loc('Confirm account') %] + + <div class="confirmation-header confirmation-header--phone"> + [% IF incorrect_code %] + <h1>[% loc('Sorry, that wasn’t the correct code') %]</h1> + <p>[% loc('Try again') %]:</p> + [% ELSE %] + <h1>[% loc("Nearly done! Now check your phone…") %]</h1> + <p>[% loc("Please generate a two-factor code and enter it below:") %]</p> + [% END %] + <form action="/auth" method="post"> + <input type="hidden" name="username" value="[% c.get_param('username') | html %]"> + <input type="hidden" name="password_sign_in" value="[% c.get_param('password_sign_in') | html %]"> + <input type="hidden" name="r" value="[% c.get_param('r') | html %]"> + <input type="hidden" name="remember_me" value="[% c.get_param('remember_me') | html %]"> + + <label for="2fa_code">[% loc('Code') %]</label> + <div class="form-txt-submit-box"> + <input class="form-control" type="number" id="2fa_code" name="2fa_code" value="" required> + <input type="submit" value="[% loc('Submit') %]" class="btn-primary"> + </div> + </form> + </div> + +[% INCLUDE 'footer.html' %] diff --git a/templates/web/base/auth/generate_token.html b/templates/web/base/auth/generate_token.html index 157335047..f7061be45 100644 --- a/templates/web/base/auth/generate_token.html +++ b/templates/web/base/auth/generate_token.html @@ -1,5 +1,5 @@ [% -INCLUDE 'header.html', title = loc('Generate token'), bodyclass = 'fullwidthpage' +INCLUDE 'header.html', title = loc('Security'), bodyclass = 'fullwidthpage' %] [% IF token_generated %] @@ -15,9 +15,28 @@ INCLUDE 'header.html', title = loc('Generate token'), bodyclass = 'fullwidthpage <p><a href="/my">[% loc('Your account') %]</a></p> </div> +[% ELSIF toggle_2fa_on %] + + <div class="confirmation-header"> + <h1>[% loc('Two-factor authentication has been activated') %]</h1> + + <p align="center"><img src="[% qr_code %]"></p> + <p align="center">[% secret32.replace('(....)', '$1 ') %]</p> + + <p><a href="/my">[% loc('Your account') %]</a></p> + </div> + +[% ELSIF toggle_2fa_off %] + + <div class="confirmation-header"> + <h1>[% loc('Two-factor authentication has been deactivated') %]</h1> + + <p><a href="/my">[% loc('Your account') %]</a></p> + </div> + [% ELSE %] -<h1>[% loc('Generate token') %]</h1> +<h1>[% loc('Security') %]</h1> <form action="[% c.uri_for_action('/auth/profile/generate_token') %]" method="post" name="generate_token"> <input type="hidden" name="token" value="[% csrf_token %]"> @@ -31,6 +50,9 @@ INCLUDE 'header.html', title = loc('Generate token'), bodyclass = 'fullwidthpage <p> <input name="generate_token" type="submit" class="btn" value="[% existing_token ? loc('Replace token') : loc('Generate token') %]"> + [% IF c.user.is_superuser %] + <input name="toggle_2fa" type="submit" class="btn" value="[% has_2fa ? loc('Deactivate two-factor authentication') : loc('Activate two-factor authentication') %]"> + [% END %] </p> </form> diff --git a/templates/web/base/my/my.html b/templates/web/base/my/my.html index e10dd96c8..459fa5266 100644 --- a/templates/web/base/my/my.html +++ b/templates/web/base/my/my.html @@ -62,7 +62,7 @@ li .my-account-buttons a { <p class="my-account-buttons"> <a href="/auth/change_password">[% loc('Change password') %]</a> [% IF c.user AND (c.user.from_body OR c.user.is_superuser) %] - <a href="/auth/generate_token">[% loc('Generate token') %]</a> + <a href="/auth/generate_token">[% loc('Security') %]</a> [% END %] <a href="/auth/sign_out">[% loc('Sign out') %]</a> </p> |