authorByron Jones <glob@mozilla.com>2015-09-01 07:01:20 +0200
committerByron Jones <glob@mozilla.com>2015-09-01 07:01:20 +0200
commit421ff7f194875db9634ea783d9dd5b6111f19df3 (patch)
tree5806e9f3001fa4f33ba85aa94856b70a7f878cf8 /extensions
parentbcc93f83a64a76cd73501eaefaf5fd073fbc3f0d (diff)
Bug 1197073 - add support for 2fa using totp (eg. google authenticator)
Diffstat (limited to 'extensions')
-rw-r--r--extensions/BMO/lib/Reports/Groups.pm30
-rw-r--r--extensions/BMO/template/en/default/pages/group_members.html.tmpl12
-rw-r--r--extensions/GitHubAuth/lib/Login.pm27
-rw-r--r--extensions/Persona/lib/Login.pm6
4 files changed, 54 insertions, 21 deletions
diff --git a/extensions/BMO/lib/Reports/Groups.pm b/extensions/BMO/lib/Reports/Groups.pm
index 4a831fab3..3a5cd75dd 100644
--- a/extensions/BMO/lib/Reports/Groups.pm
+++ b/extensions/BMO/lib/Reports/Groups.pm
@@ -174,10 +174,12 @@ sub members_report {
action => 'run',
object => 'group_admins' });
- my @grouplist =
- ($user->in_group('editusers') || $user->in_group('infrasec'))
- ? map { lc($_->name) } Bugzilla::Group->get_all
- : _get_public_membership_groups();
+ my $privileged = $user->in_group('editusers') || $user->in_group('infrasec');
+ $vars->{privileged} = $privileged;
+
+ my @grouplist = $privileged
+ ? map { lc($_->name) } Bugzilla::Group->get_all
+ : _get_public_membership_groups();
my $include_disabled = $cgi->param('include_disabled') ? 1 : 0;
$vars->{'include_disabled'} = $include_disabled;
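Review bot: `$privileged` now decides both which groups are listed here and, in the JSON branch later in this file, which per-member details (2FA state, the api_key_only setting, last-seen) a caller gets back, but nothing at the assignment says so. A one-line comment above `my $privileged = ...` would save the next reader from tracing the flag through the file, e.g. `# editusers/infrasec see every group plus per-member 2FA and last-seen details; everyone else only the public membership groups`. members_report starts before this hunk.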
@@ -240,20 +242,26 @@ sub members_report {
if ($page eq 'group_members.json') {
my %users;
foreach my $rh (@types) {
- my $group_name = $rh->{name} eq '_direct' ? 'direct' : $rh->{name};
foreach my $member (@{ $rh->{members} }) {
my $login = $member->login;
if (exists $users{$login}) {
- push @{ $users{$login}->{groups} }, $group_name;
+ push @{ $users{$login}->{groups} }, $rh->{name} if $privileged;
}
else {
- $users{$login} = {
+ my $rh_user = {
login => $login,
- membership => $rh->{name} eq '_direct' ? 'direct' : 'indirect',
- group => $group_name,
- groups => [ $group_name ],
- lastseen => $member->{lastseen},
+ membership => $rh->{name} eq 'direct' ? 'direct' : 'indirect',
+ rh_name => $rh->{name},
};
+ if ($privileged) {
+ $rh_user->{group} = $rh->{name};
+ $rh_user->{groups} = [ $rh->{name} ];
+ $rh_user->{lastseeon} = $member->{lastseen};
+ $rh_user->{mfa} = $member->mfa;
+ $rh_user->{api_key_only} = $member->settings->{api_key_only}->{value} eq 'on'
+ ? JSON::true : JSON::false;
+ }
+ $users{$login} = $rh_user;
}
}
}
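Review bot: `$rh_user->{lastseeon} = $member->{lastseen};` looks like a typo for `lastseen`, the key the removed line emitted, so JSON consumers keyed on `lastseen` will now get nothing for privileged callers; change it to `$rh_user->{lastseen} = $member->{lastseen};`. Separately, the diffstat shows these two hunks are the only changes to Groups.pm, so `@types` still carries whatever names it had before, and the removed line mapped `'_direct'` to `'direct'`, which suggests the direct-membership entry is named `_direct`; if so, the new `$rh->{name} eq 'direct'` test never matches, every member is reported as `indirect`, and privileged callers see the raw `_direct` in `group`/`groups` — worth confirming against where `@types` is built. The `eq 'on'` comparison will also warn under `use warnings` if the setting value is undefined; `($member->settings->{api_key_only}->{value} // '') eq 'on'` avoids that if `//` is acceptable in this codebase.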
diff --git a/extensions/BMO/template/en/default/pages/group_members.html.tmpl b/extensions/BMO/template/en/default/pages/group_members.html.tmpl
index bd27b8be2..98679c1b7 100644
--- a/extensions/BMO/template/en/default/pages/group_members.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/group_members.html.tmpl
@@ -11,8 +11,6 @@
style_urls = [ "extensions/BMO/web/styles/reports.css" ]
%]
-[% SET privileged = (user.in_group('editusers') || user.in_group('infrasec')) %]
-
<form method="GET" action="page.cgi">
<input type="hidden" name="id" value="group_members.html">
@@ -51,7 +49,7 @@
<th>Count</th>
<th>Members</th>
[% IF privileged %]
- <th class="right">Last Seen (days ago)</th>
+ <th class="right">2FA, Last Seen (days ago)</th>
[% END %]
</tr>
@@ -93,6 +91,14 @@
</a>
</td>
[% IF privileged %]
+ <td nowrap>
+ [% IF member.mfa %]
+ [% member.mfa FILTER html %]
+ [% " (weakened)" IF member.settings.api_key_only.value == "off" %]
+ [% ELSE %]
+ -
+ [% END %]
+ </td>
<td align="right" nowrap>
[% member.lastseen FILTER html %]
</td>
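Review bot: The "(weakened)" marker is shown when `member.settings.api_key_only.value == "off"`, and the JSON side reports the same setting as the `api_key_only` boolean, but nothing on the page says why a 2FA account counts as weakened when that setting is off, so a reader of the report has to already know the relationship. A template comment above the new cell would help, e.g. `[%# 2FA shown as "weakened" when the account does not require API keys — presumably because the API can then be reached with a password alone; confirm against the setting's definition %]`. The table row continues outside the hunk.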
diff --git a/extensions/GitHubAuth/lib/Login.pm b/extensions/GitHubAuth/lib/Login.pm
index 8c91fc08a..933dc6572 100644
--- a/extensions/GitHubAuth/lib/Login.pm
+++ b/extensions/GitHubAuth/lib/Login.pm
@@ -43,14 +43,30 @@ sub get_login_info {
return { failure => AUTH_NODATA } unless $github_login;
+ my $response;
if ($github_email_key && $github_email) {
trick_taint($github_email);
trick_taint($github_email_key);
- return $self->_get_login_info_from_email($github_email, $github_email_key);
+ $response = $self->_get_login_info_from_email($github_email, $github_email_key);
}
else {
- return $self->_get_login_info_from_github();
+ $response = $self->_get_login_info_from_github();
}
+
+ if (!exists $response->{failure}) {
+ my $user = $response->{user};
+ return { failure => AUTH_ERROR,
+ user_error => 'github_auth_account_too_powerful' } if $user->in_group('no-github-auth');
+ return { failure => AUTH_ERROR,
+ user_error => 'mfa_prevents_login',
+ details => { provider => 'GitHub' } } if $user->mfa;
+ $response = {
+ username => $user->login,
+ user_id => $user->id,
+ github_auth => 1,
+ };
+ }
+ return $response;
}
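Review bot: `$response->{user}` is called as an object on the `in_group` and `mfa` lines without a definedness check, yet the later hunk in this file makes `_get_login_info_from_email` return `{ user => $user }` unconditionally, and the `$user &&` guard that hunk removes shows `$user` can be undef when the GitHub email has no Bugzilla account. In that case the new code dies with a method-call-on-undef error instead of either failing cleanly or, as the old `{ username => $github_email, github_auth => 1 }` return did, handing a bare username to the Auth layer. Add a guard before the group check, e.g. `return { failure => AUTH_NODATA } unless $user;`, or rebuild the username-only response for that case if provisioning unknown GitHub emails is still intended — which of the two is wanted is not visible here. get_login_info's opening lines are outside the hunk.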
sub _get_login_info_from_github {
@@ -117,7 +133,7 @@ sub _get_login_info_from_github {
if (@allowed_bugzilla_users == 1) {
my ($user) = @allowed_bugzilla_users;
$cgi->remove_cookie('Bugzilla_github_token');
- return { username => $user->login, user_id => $user->id, github_auth => 1 };
+ return { user => $user };
}
elsif (@allowed_bugzilla_users > 1) {
$self->{github_failure} = {
@@ -160,11 +176,8 @@ sub _get_login_info_from_email {
}
my $user = Bugzilla::User->new({name => $github_email, cache => 1});
- return { failure => AUTH_ERROR,
- user_error => 'github_auth_account_too_powerful' } if $user && $user->in_group('no-github-auth');
-
$cgi->remove_cookie('Bugzilla_github_token');
- return { username => $github_email, github_auth => 1 };
+ return { user => $user };
}
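Review bot: With the `$user && ...` guard gone, this returns `{ user => $user }` even when `Bugzilla::User->new` found no account for `$github_email`, and nothing at the return records that `user` may be undef; the old `username`-without-`user_id` shape is also gone, so whatever the Auth layer previously did with an unknown email no longer happens on this path. State the contract where the value is produced, e.g. `# $user is undef when no account matches $github_email; get_login_info must handle that`, or reject the unknown email here rather than leaving it to the caller. _get_login_info_from_email starts before this hunk.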
sub fail_nodata {
diff --git a/extensions/Persona/lib/Login.pm b/extensions/Persona/lib/Login.pm
index ece92a3c0..c2f8caf2b 100644
--- a/extensions/Persona/lib/Login.pm
+++ b/extensions/Persona/lib/Login.pm
@@ -98,6 +98,12 @@ sub get_login_info {
user_error => 'persona_account_too_powerful' };
}
+ if ($user->mfa) {
+ return { failure => AUTH_ERROR,
+ user_error => 'mfa_prevents_login',
+ details => { provider => 'Persona' } };
+ }
+
$login_data->{'user'} = $user;
$login_data->{'user_id'} = $user->id;