2020-08-29 06:21:50 +00:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
|
|
# Redmine - project management software
|
|
|
|
|
# Copyright (C) 2006-2020 Jean-Philippe Lang
|
|
|
|
|
#
|
|
|
|
|
# This program is free software; you can redistribute it and/or
|
|
|
|
|
# modify it under the terms of the GNU General Public License
|
|
|
|
|
# as published by the Free Software Foundation; either version 2
|
|
|
|
|
# of the License, or (at your option) any later version.
|
|
|
|
|
#
|
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
|
# along with this program; if not, write to the Free Software
|
|
|
|
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
|
|
|
|
|
|
|
module Redmine
|
|
|
|
|
module Twofa
|
|
|
|
|
class Base
|
|
|
|
|
def self.inherited(child)
|
|
|
|
|
# require-ing a Base subclass will register it as a 2FA scheme
|
|
|
|
|
Redmine::Twofa.register_scheme(scheme_name(child), child)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def self.scheme_name(klass = self)
|
|
|
|
|
klass.name.demodulize.underscore
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def scheme_name
|
|
|
|
|
self.class.scheme_name
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def initialize(user)
|
|
|
|
|
@user = user
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def init_pairing!
|
|
|
|
|
@user
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def confirm_pairing!(code)
|
2020-08-29 06:51:21 +00:00
|
|
|
# make sure an otp and not a backup code is used
|
2020-08-29 06:21:50 +00:00
|
|
|
if verify_otp!(code)
|
|
|
|
|
@user.update!(twofa_scheme: scheme_name)
|
|
|
|
|
deliver_twofa_paired
|
|
|
|
|
return true
|
|
|
|
|
else
|
|
|
|
|
return false
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def deliver_twofa_paired
|
2020-08-31 08:29:44 +00:00
|
|
|
::Mailer.security_notification(
|
2020-08-29 06:21:50 +00:00
|
|
|
@user,
|
|
|
|
|
User.current,
|
|
|
|
|
{
|
|
|
|
|
title: :label_my_account,
|
|
|
|
|
message: 'twofa_mail_body_security_notification_paired',
|
|
|
|
|
# (mis-)use field here as value wouldn't get localized
|
|
|
|
|
field: "twofa__#{scheme_name}__name",
|
|
|
|
|
url: { controller: 'my', action: 'account' }
|
|
|
|
|
}
|
|
|
|
|
).deliver
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def destroy_pairing!(code)
|
|
|
|
|
if verify!(code)
|
|
|
|
|
destroy_pairing_without_verify!
|
|
|
|
|
return true
|
|
|
|
|
else
|
|
|
|
|
return false
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def destroy_pairing_without_verify!
|
|
|
|
|
@user.update!(twofa_scheme: nil)
|
2020-08-29 06:51:21 +00:00
|
|
|
backup_codes.delete_all
|
2020-08-29 06:21:50 +00:00
|
|
|
deliver_twofa_unpaired
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def deliver_twofa_unpaired
|
2020-08-31 08:29:44 +00:00
|
|
|
::Mailer.security_notification(
|
2020-08-29 06:21:50 +00:00
|
|
|
@user,
|
|
|
|
|
User.current,
|
|
|
|
|
{
|
|
|
|
|
title: :label_my_account,
|
|
|
|
|
message: 'twofa_mail_body_security_notification_unpaired',
|
|
|
|
|
url: { controller: 'my', action: 'account' }
|
|
|
|
|
}
|
|
|
|
|
).deliver
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def send_code(controller: nil, action: nil)
|
|
|
|
|
# return true only if the scheme sends a code to the user
|
|
|
|
|
false
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def verify!(code)
|
2020-08-29 06:51:21 +00:00
|
|
|
verify_otp!(code) || verify_backup_code!(code)
|
2020-08-29 06:21:50 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def verify_otp!(code)
|
|
|
|
|
raise 'not implemented'
|
|
|
|
|
end
|
|
|
|
|
|
2020-08-29 06:51:21 +00:00
|
|
|
def verify_backup_code!(code)
|
|
|
|
|
# backup codes are case-insensitive and white-space-insensitive
|
|
|
|
|
code = code.to_s.remove(/[[:space:]]/).downcase
|
|
|
|
|
user_from_code = Token.find_active_user('twofa_backup_code', code)
|
|
|
|
|
# invalidate backup code after usage
|
|
|
|
|
Token.where(user_id: @user.id).find_token('twofa_backup_code', code).try(:delete)
|
|
|
|
|
# make sure the user using the backup code is the same it's been issued to
|
|
|
|
|
return false unless @user.present? && @user == user_from_code
|
2020-08-31 08:29:44 +00:00
|
|
|
::Mailer.security_notification(
|
2020-08-29 06:51:21 +00:00
|
|
|
@user,
|
|
|
|
|
User.current,
|
|
|
|
|
{
|
|
|
|
|
originator: @user,
|
|
|
|
|
title: :label_my_account,
|
|
|
|
|
message: 'twofa_mail_body_backup_code_used',
|
|
|
|
|
url: { controller: 'my', action: 'account' }
|
|
|
|
|
}
|
|
|
|
|
).deliver
|
|
|
|
|
return true
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def init_backup_codes!
|
|
|
|
|
backup_codes.delete_all
|
|
|
|
|
tokens = []
|
|
|
|
|
10.times do
|
|
|
|
|
token = Token.create(user_id: @user.id, action: 'twofa_backup_code')
|
|
|
|
|
token.update_columns value: Redmine::Utils.random_hex(6)
|
|
|
|
|
tokens << token
|
|
|
|
|
end
|
2020-08-31 08:29:44 +00:00
|
|
|
::Mailer.security_notification(
|
2020-08-29 06:51:21 +00:00
|
|
|
@user,
|
|
|
|
|
User.current,
|
|
|
|
|
{
|
|
|
|
|
title: :label_my_account,
|
|
|
|
|
message: 'twofa_mail_body_backup_codes_generated',
|
|
|
|
|
url: { controller: 'my', action: 'account' }
|
|
|
|
|
}
|
|
|
|
|
).deliver
|
|
|
|
|
tokens
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def backup_codes
|
|
|
|
|
Token.where(user_id: @user.id, action: 'twofa_backup_code')
|
|
|
|
|
end
|
|
|
|
|
|
2020-08-29 06:21:50 +00:00
|
|
|
# this will only be used on pairing initialization
|
|
|
|
|
def init_pairing_view_variables
|
|
|
|
|
otp_confirm_view_variables
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def otp_confirm_view_variables
|
|
|
|
|
{
|
|
|
|
|
scheme_name: scheme_name,
|
|
|
|
|
resendable: false
|
|
|
|
|
}
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
|
|
def allowed_drift
|
|
|
|
|
30
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
