summaryrefslogtreecommitdiffstats
path: root/Bugzilla/MFA
diff options
context:
space:
mode:
authorByron Jones <glob@mozilla.com>2015-09-01 07:01:20 +0200
committerByron Jones <glob@mozilla.com>2015-09-01 07:01:20 +0200
commit421ff7f194875db9634ea783d9dd5b6111f19df3 (patch)
tree5806e9f3001fa4f33ba85aa94856b70a7f878cf8 /Bugzilla/MFA
parentbcc93f83a64a76cd73501eaefaf5fd073fbc3f0d (diff)
downloadbugzilla-421ff7f194875db9634ea783d9dd5b6111f19df3.tar.gz
bugzilla-421ff7f194875db9634ea783d9dd5b6111f19df3.tar.xz
Bug 1197073 - add support for 2fa using totp (eg. google authenticator)
Diffstat (limited to 'Bugzilla/MFA')
-rw-r--r--Bugzilla/MFA/TOTP.pm79
1 files changed, 79 insertions, 0 deletions
diff --git a/Bugzilla/MFA/TOTP.pm b/Bugzilla/MFA/TOTP.pm
new file mode 100644
index 000000000..95e3d89aa
--- /dev/null
+++ b/Bugzilla/MFA/TOTP.pm
@@ -0,0 +1,79 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# This Source Code Form is "Incompatible With Secondary Licenses", as
+# defined by the Mozilla Public License, v. 2.0.
+
+package Bugzilla::MFA::TOTP;
+use strict;
+use parent 'Bugzilla::MFA';
+
+use Auth::GoogleAuth;
+use Bugzilla::Error;
+use Bugzilla::Token qw( issue_session_token );
+use Bugzilla::Util qw( template_var generate_random_password );
+use GD::Barcode::QRcode;
+use MIME::Base64 qw( encode_base64 );
+
+sub _auth {
+ my ($self) = @_;
+ return Auth::GoogleAuth->new({
+ secret => $self->property_get('secret') // $self->property_get('secret.temp'),
+ issuer => template_var('terms')->{BugzillaTitle},
+ key_id => $self->{user}->login,
+ });
+}
+
+sub enroll {
+ my ($self) = @_;
+
+ # create a new secret for the user
+ # store it in secret.temp to avoid overwriting a valid secret
+ $self->property_set('secret.temp', generate_random_password(16));
+
+ # build the qr code
+ my $auth = $self->_auth();
+ my $otpauth = $auth->qr_code(undef, undef, undef, 1);
+ my $png = GD::Barcode::QRcode->new($otpauth, { Version => 10, ModuleSize => 3 })->plot()->png();
+ return { png => encode_base64($png), secret32 => $auth->secret32 };
+}
+
+sub enrolled {
+ my ($self) = @_;
+
+ # make the temporary secret permanent
+ $self->property_set('secret', $self->property_get('secret.temp'));
+ $self->property_delete('secret.temp');
+}
+
+sub prompt {
+ my ($self, $params) = @_;
+ my $template = Bugzilla->template;
+
+ my $vars = {
+ user => $params->{user},
+ token => scalar issue_session_token('mfa', $params->{user}),
+ type => $params->{type},
+ };
+
+ print Bugzilla->cgi->header();
+ $template->process('mfa/totp/verify.html.tmpl', $vars)
+ || ThrowTemplateError($template->error());
+}
+
+sub check {
+ my ($self, $code) = @_;
+ $self->_auth()->verify($code)
+ || ThrowUserError('mfa_totp_bad_code');
+}
+
+sub check_login {
+ my ($self, $user) = @_;
+ my $cgi = Bugzilla->cgi;
+
+ $self->check($cgi->param('code') // '');
+ $user->authorizer->mfa_verified($user, $cgi->param('type'));
+}
+
+1;