author | Byron Jones <glob@mozilla.com> | 2015-09-01 07:01:20 +0200 |
---|---|---|
committer | Byron Jones <glob@mozilla.com> | 2015-09-01 07:01:20 +0200 |
commit | 421ff7f194875db9634ea783d9dd5b6111f19df3 (patch) | |
tree | 5806e9f3001fa4f33ba85aa94856b70a7f878cf8 /template/en/default | |
parent | bcc93f83a64a76cd73501eaefaf5fd073fbc3f0d (diff) | |
download | bugzilla-421ff7f194875db9634ea783d9dd5b6111f19df3.tar.gz bugzilla-421ff7f194875db9634ea783d9dd5b6111f19df3.tar.xz |
Bug 1197073 - add support for 2fa using totp (eg. google authenticator)
Diffstat (limited to 'template/en/default')
-rw-r--r-- | template/en/default/account/cancel-token.txt.tmpl | 3 | ||||
-rw-r--r-- | template/en/default/account/prefs/mfa.html.tmpl | 134 | ||||
-rw-r--r-- | template/en/default/account/prefs/prefs.html.tmpl | 7 | ||||
-rw-r--r-- | template/en/default/admin/users/userdata.html.tmpl | 22 | ||||
-rw-r--r-- | template/en/default/global/header.html.tmpl | 3 | ||||
-rw-r--r-- | template/en/default/global/messages.html.tmpl | 2 | ||||
-rw-r--r-- | template/en/default/global/setting-descs.none.tmpl | 1 | ||||
-rw-r--r-- | template/en/default/global/user-error.html.tmpl | 21 | ||||
-rw-r--r-- | template/en/default/mfa/totp/enroll.html.tmpl | 59 | ||||
-rw-r--r-- | template/en/default/mfa/totp/verify.html.tmpl | 29 | ||||
-rw-r--r-- | template/en/default/setup/strings.txt.pl | 1 |
11 files changed, 282 insertions, 0 deletions
diff --git a/template/en/default/account/cancel-token.txt.tmpl b/template/en/default/account/cancel-token.txt.tmpl index 6619dedd3..bc35e2d4c 100644 --- a/template/en/default/account/cancel-token.txt.tmpl +++ b/template/en/default/account/cancel-token.txt.tmpl @@ -93,6 +93,9 @@ Canceled Because: [% PROCESS cancelactionmessage %] [% ELSIF cancelaction == 'wrong_token_for_creating_account' %] You have tried to use the token to create a user account. + [% ELSIF cancelaction == 'wrong_token_for_mfa' %] + You have tried to use the token for MFA. + [% ELSE %] [%# Give sensible error if the cancel-token function is used incorrectly. #%] diff --git a/template/en/default/account/prefs/mfa.html.tmpl b/template/en/default/account/prefs/mfa.html.tmpl new file mode 100644 index 000000000..750e34cee --- /dev/null +++ b/template/en/default/account/prefs/mfa.html.tmpl 
@@ -0,0 +1,134 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #
+ # This Source Code Form is "Incompatible With Secondary Licenses", as
+ # defined by the Mozilla Public License, v. 2.0.
+ #%]
+
+[% IF NOT Bugzilla.feature('mfa') %]
+ <input type="hidden" name="mfa_action" id="mfa-action" value="">
+ <p>
+ Two-factor Authentication is not available.
+ </p>
+ [% RETURN %]
+[% END %]
+[% IF user.cryptpassword == '*' %]
+ <input type="hidden" name="mfa_action" id="mfa-action" value="">
+ <p>
+ Two-factor Authentication is not available on your account because you are
+ using an external authentication provider.
+ </p>
+ [% RETURN %]
+[% END %]
+
+<div id="mfa-container">
+ [% IF user.mfa %]
+ <p>
+ Two-factor authentication is currently <b>enabled</b> using
+ <b>[% SWITCH user.mfa %]
+ [% CASE "TOTP" %]TOTP
+ [% END %]</b>.
+ </p>
+ <input type="hidden" name="mfa_action" id="mfa-action" value="disable">
+
+ <button type="button" id="mfa-disable">Disable Two-factor Authentication</button>
+
+ <div id="mfa-disable-container" style="display:none">
+
+ [% IF user.mfa == "TOTP" %]
+ A verification code is required to confirm this change.<br><br>
+ <b>Code:</b>
+ <input type="text" name="mfa_disable_code" id="mfa-totp-disable-code"
+ placeholder="123456" maxlength="6" pattern="\d{6}" size="10"
+ autocomplete="off" required autofocus>
+ [% END %]
+
+ </div>
+
+ [% ELSE %]
+ <p>
+ Two-factor authentication is currently <b>disabled</b>.
+ </p>
+ <input type="hidden" name="mfa_action" id="mfa-action" value="enable">
+
+ <button type="button" id="mfa-enable">Enable Two-factor Authentication</button>
+
+ <div id="mfa-enable-container" style="display:none">
+ <b>System:</b>
+ <select name="mfa" id="mfa">
+ <option value="" selected></option>
+ <option value="TOTP">Time-based One-Time Password (TOTP)</option>
+ </select>
+
+ [%# TOTP %]
+ <div id="mfa-enable-totp" class="mfa-provider" style="display:none">
+
+ <div id="mfa-totp-throbber">
+ Working.. <img src="skins/standard/throbber.gif" width="16" height="11">
+ </div>
+
+ <div id="mfa-totp-issued" style="display:none">
+ <iframe id="mfa-enable-totp-frame" src="userprefs.cgi?tab=mfa&frame=totp"></iframe>
+ <div id="mfa-totp-blurb">
+ Scan this QR code with your <a href="#" id="mfa-totp-apps">TOTP App</a>,
+ then enter the six digit code the app generates.<br>
+ <br>
+ <b>Code:</b>
+ <input type="text" name="mfa_enable_code" id="mfa-totp-enable-code"
+ placeholder="123456" maxlength="6" pattern="\d{6}" size="10"
+ autocomplete="off" required autofocus>
+ </div>
+ </div>
+
+ <div id="mfa-totp-apps-popup" class="mfa-totp-popup" style="display:none">
+ Example TOTP Applications:<br>
+ <ul>
+ <li>Android and iOS:
+ <a href="http://guide.duosecurity.com/third-party-accounts" target="_blank">Duo Mobile</a>,
+ <a href="https://support.google.com/accounts/answer/1066447" target="_blank">Google Authenticator</a>
+ </li>
+ <li>Firefox OS:
+ <a href="https://marketplace.firefox.com/app/gauth/" target="_blank">GAuth</a>
+ </li>
+ <li>Windows Phone:
+ <a href="http://www.windowsphone.com/en-us/store/app/authenticator/021dd79f-0598-e011-986b-78e7d1fa76f8"
+ target="_blank">Authenticator</a>
+ </li>
+ </ul>
+ <button type="button" class="mfa-totp-popup-close">Close</button>
+ </div>
+
+ <div id="mfa-totp-text-popup" class="mfa-totp-popup" style="display:none">
+ Your two-factor secret:
+ <div id="mfa-totp-secret"></div>
+ <button type="button"
class="mfa-totp-popup-close">Close</button> + </div> + + </div> + + </div> + + [% END %] + + <div id="mfa-confirm" style="display:none"> + <p> + Two-factor authentication settings will not be updated until you provide + your current password and <b>Submit Changes</b>. + </p> + + <p> + <b>Current Password:</b> + <input type="password" name="password" required> + </p> + + <p id="mfa-api-blurb" style="display:none"> + Enabling two-factor authentication will also require systems that + interface with [% terms.Bugzilla %]'s API to use <a href="userprefs.cgi?tab=apikey">API-Keys</a> + for authentication.<br> + While not recommended, this limitation can be lifted by changing the + <a href="userprefs.cgi?tab=settings#api_key_only">Require API-Key authentication for API requests</a> + preference after 2FA is enabled. + </div> + +</div> diff --git a/template/en/default/account/prefs/prefs.html.tmpl b/template/en/default/account/prefs/prefs.html.tmpl index 679a3cb30..853841bff 100644 --- a/template/en/default/account/prefs/prefs.html.tmpl +++ b/template/en/default/account/prefs/prefs.html.tmpl @@ -44,6 +44,7 @@ generate_api_token = 1 style_urls = ['skins/standard/admin.css'] javascript_urls = ['js/util.js', 'js/field.js', 'js/TUI.js', 'js/account.js'] + jquery = ['bPopup'], doc_section = "userpreferences.html"; tabs = [ @@ -72,6 +73,12 @@ saveable => "1" }, { + name => "mfa", + label => "Two-Factor Authentication", + link => "userprefs.cgi?tab=mfa", + saveable => "1" + }, + { name => "sessions", label => "Sessions", link => "userprefs.cgi?tab=sessions", diff --git a/template/en/default/admin/users/userdata.html.tmpl b/template/en/default/admin/users/userdata.html.tmpl index ebe7451e4..c24074df9 100644 --- a/template/en/default/admin/users/userdata.html.tmpl +++ b/template/en/default/admin/users/userdata.html.tmpl 
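Review bot: The four help links in the `mfa-totp-apps-popup` block of mfa.html.tmpl open with `target="_blank"` and no `rel` attribute, so the third-party page they open keeps a `window.opener` handle on the preferences tab while the user is part-way through enrolling a second factor; each should carry `rel="noopener noreferrer"`. Two of them (`guide.duosecurity.com` and `www.windowsphone.com`) are also plain `http://` and should become `https://` if those hosts serve it. Separately, `<p id="mfa-api-blurb" style="display:none">` near the end of the file is never closed with `</p>`; the next tag is the `</div>` that ends `mfa-confirm`.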
@@ -122,6 +122,28 @@ explain why.) </td> </tr> + [% IF editform %] + <tr> + <th><label for="mfa">Two-factor Auth:</label></th> + <td> + [% IF user.in_group('admin') %] + [% IF otheruser.mfa %] + <select name="mfa" value="mfa"> + <option value="">Disable</option> + [% SWITCH otheruser.mfa %] + [% CASE "TOTP" %] + <option value="TOTP" selected>Enabled - TOTP</option> + [% END %] + </select> + [% ELSE %] + Disabled + [% END %] + [% ELSE %] + [% user.mfa ? "Enabled - " _ user.mfa : "Disabled" FILTER html %] + [% END %] + </td> + </tr> + [% END %] [% END %] [% Hook.process('end') %] diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl index aafbbca70..3f70b9453 100644 --- a/template/en/default/global/header.html.tmpl +++ b/template/en/default/global/header.html.tmpl @@ -36,6 +36,7 @@ # message: string. A message to display to the user. May contain HTML. # atomlink: Atom link URL, May contain HTML # generate_api_token: generate a token which can be used to make authenticated webservice calls + # no_body: if true the body element will not be generated #%] [% IF message %] @@ -262,6 +263,8 @@ [% Hook.process("additional_header") %] </head> +[% RETURN IF no_body %] + [%# Migration note: contents of the old Param 'bodyhtml' go in the body tag, # but set the onload attribute in the DEFAULT directive above. #%] diff --git a/template/en/default/global/messages.html.tmpl b/template/en/default/global/messages.html.tmpl index 4cefe2a3f..d5d4a563d 100644 --- a/template/en/default/global/messages.html.tmpl +++ b/template/en/default/global/messages.html.tmpl @@ -60,6 +60,8 @@ A new password has been set. [% ELSIF field == 'disabledtext' %] The disable text has been modified. + [% ELSIF field == 'mfa' %] + Two-factor authentication has been disabled. [% ELSIF field == 'is_enabled' %] The user has been [% otheruser.is_enabled ? 'enabled' : 'disabled' %]. [% ELSIF field == 'extern_id' %] 
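Review bot: In the userdata.html.tmpl hunk, the non-admin branch prints `user.mfa`, while the admin branch just above it reads `otheruser.mfa`. Since `user` is the account whose group membership is tested with `user.in_group('admin')`, an editor outside the admin group would apparently be shown their own two-factor state on someone else's record. The line should read `[% otheruser.mfa ? "Enabled - " _ otheruser.mfa : "Disabled" FILTER html %]`. The `<select name="mfa" value="mfa">` also carries a `value` attribute that `select` does not define, and `<label for="mfa">` has no element with that id to point at, so `id="mfa"` looks like what was meant. The enclosing `[% IF %]` block opens outside the hunk.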
diff --git a/template/en/default/global/setting-descs.none.tmpl b/template/en/default/global/setting-descs.none.tmpl index 5ba100183..5005f4efe 100644 --- a/template/en/default/global/setting-descs.none.tmpl +++ b/template/en/default/global/setting-descs.none.tmpl @@ -55,6 +55,7 @@ "bugmail_new_prefix" => "Add 'New:' to subject line of email sent when a new $terms.bug is filed", "possible_duplicates" => "Display possible duplicates when reporting a new $terms.bug", "requestee_cc" => "Automatically add me to the CC list of $terms.bugs I am requested to review", + "api_key_only" => "Require API-Key authentication for API requests", } %] diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index 98076ce1c..6f352e5ac 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -1012,6 +1012,10 @@ [% title = "Invalid Attachment ID" %] The attachment id [% attach_id FILTER html %] is invalid. + [% ELSIF error == "invalid_auth_method" %] + [% title = "Invalid Authentication Method" %] + API-Key authentication is required. + [% ELSIF error == "bug_id_does_not_exist" %] [% title = BLOCK %]Invalid [% terms.Bug %] ID[% END %] [% terms.Bug %] [%= bug_id FILTER html %] does not exist. @@ -1198,6 +1202,15 @@ [%# Used for non-web-based LOGIN_REQUIRED situations. %] You must log in before using this part of [% terms.Bugzilla %]. + [% ELSIF error == "mfa_prevents_login" %] + Unable to log in with [% provider FILTER html %] because two-factor + authentication is enabled on your account.<br> + <br> + Please log in using your username and password. + + [% ELSIF error == "mfa_totp_bad_code" %] + Invalid verification code. + [% ELSIF error == "migrate_config_created" %] The file <kbd>[% file FILTER html %]</kbd> contains configuration variables that must be set before continuing with the migration. 
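Review bot: In the user-error.html.tmpl hunk at `@@ -1198,6 +1202,15 @@`, the new `mfa_prevents_login` and `mfa_totp_bad_code` branches set no `title`, unlike `invalid_auth_method`, `password_incorrect` and `wrong_token_for_mfa` added elsewhere in the same commit. Unless the fallback title is intended here, adding `[% title = "Two-factor Authentication Enabled" %]` and `[% title = "Invalid Verification Code" %]` would keep the error pages consistent. The generic wording of "Invalid verification code." is worth keeping as it is, since it does not say why the code failed. The `ELSIF` chain starts and ends outside the hunk.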
@@ -1462,6 +1475,10 @@ [% title = "Passwords Don't Match" %] The two passwords you entered did not match. + [% ELSIF error == "password_incorrect" %] + [% title = "Incorrect Password" %] + You did not enter your password correctly. + [% ELSIF error == "password_too_short" %] [% title = "Password Too Short" %] The password must be at least @@ -1921,6 +1938,10 @@ [% title = "Wrong Token" %] That token cannot be used to create a user account. + [% ELSIF error == "wrong_token_for_mfa" %] + [% title = "Wrong Token" %] + That token cannot be used for MFA. + [% ELSIF error == "xmlrpc_invalid_value" %] "[% value FILTER html %]" is not a valid value for a <[% type FILTER html %]> field. (See the XML-RPC specification diff --git a/template/en/default/mfa/totp/enroll.html.tmpl b/template/en/default/mfa/totp/enroll.html.tmpl new file mode 100644 index 000000000..63fc74698 --- /dev/null +++ b/template/en/default/mfa/totp/enroll.html.tmpl 
@@ -0,0 +1,59 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #
+ # This Source Code Form is "Incompatible With Secondary Licenses", as
+ # defined by the Mozilla Public License, v. 2.0.
+ #%]
+
+[% js = BLOCK %]
+
+$(function() {
+
+ $('#show-text')
+ .click(function(event) {
+ event.preventDefault();
+ $('#qr, #show-text').hide();
+ $('#secret, #show-qr').show();
+ });
+
+ $('#show-qr')
+ .click(function(event) {
+ event.preventDefault();
+ $('#secret, #show-qr').hide();
+ $('#qr, #show-text').show();
+ });
+
+});
+
+[% END %]
+
+[% css = BLOCK %]
+
+#secret {
+ font-size: 120%;
+ padding: 12px;
+}
+
+#show-text, #show-qr {
+ padding-left: 12px;
+}
+
+[% END %]
+
+[%
+ PROCESS global/header.html.tmpl
+ style_urls = ['skins/standard/admin.css']
+ no_body = 1
+ javascript = js
+ style = css
+%]
+<body id="mfa-enroll-embedded">
+ <div id="toggle">
+ <a href="#" id="show-text">Show as text</a>
+ <a href="#" id="show-qr" style="display:none">Show as QR code</a>
+ </div>
+ <img id="qr" width="195" height="195">
+ <div id="secret" style="display:none"></div>
+</body>
+</html>
diff --git a/template/en/default/mfa/totp/verify.html.tmpl b/template/en/default/mfa/totp/verify.html.tmpl
new file mode 100644
index 000000000..3ff720d62
--- /dev/null
+++ b/template/en/default/mfa/totp/verify.html.tmpl
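Review bot: Nothing in enroll.html.tmpl gives `#qr` a `src` or `#secret` any text, and no comment says what fills them, so a reader cannot tell from this file how the TOTP secret reaches the frame. A short template comment after the licence block would help, for example `[%# #qr and #secret are empty on load and are filled in by script once the secret has been issued %]`, worded to match what the script outside this diffstat really does. The `<img id="qr">` also has no `alt` text.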
@@ -0,0 +1,29 @@ +[%# This Source Code Form is subject to the terms of the Mozilla Public + # License, v. 2.0. If a copy of the MPL was not distributed with this + # file, You can obtain one at http://mozilla.org/MPL/2.0/. + # + # This Source Code Form is "Incompatible With Secondary Licenses", as + # defined by the Mozilla Public License, v. 2.0. + #%] + +[% INCLUDE global/header.html.tmpl + title = "Account Verification" +%] + +<h1>Account Verification</h1> + +<p> + Please enter your verification code from your TOTP application: +</p> + +<form method="POST" action="token.cgi"> +<input type="hidden" name="a" value="mfa"> +<input type="hidden" name="t" value="[% token FILTER html %]"> +<input type="text" name="code" id="code" + placeholder="123456" maxlength="6" pattern="\d{6}" size="10" + autocomplete="off" required autofocus><br> +<br> +<input type="submit" value="Submit"> +</form> + +[% INCLUDE global/footer.html.tmpl %] diff --git a/template/en/default/setup/strings.txt.pl b/template/en/default/setup/strings.txt.pl index f8a2920d0..657b3ce92 100644 --- a/template/en/default/setup/strings.txt.pl +++ b/template/en/default/setup/strings.txt.pl @@ -105,6 +105,7 @@ END feature_new_charts => 'New Charts', feature_old_charts => 'Old Charts', feature_memcached => 'Memcached Support', + feature_mfa => 'Two-Factor Authentication', feature_mod_perl => 'mod_perl', feature_moving => 'Move Bugs Between Installations', feature_patch_viewer => 'Patch Viewer', |
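Review bot: In verify.html.tmpl, `maxlength="6"` and `pattern="\d{6}"` on the `code` input only constrain a cooperating browser, and the handler behind `action="token.cgi"` is outside this template-only diffstat. It is worth confirming there that the code is validated again on the server and that repeated failures against one token `t` are throttled or invalidate the token, since a six-digit code has only a million possible values. If that is already the case, a template comment such as `[%# the code is re-validated and attempts are limited in token.cgi %]` would record it for the next reader.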