authorByron Jones <glob@mozilla.com>2015-09-01 07:01:20 +0200
committerByron Jones <glob@mozilla.com>2015-09-01 07:01:20 +0200
commit421ff7f194875db9634ea783d9dd5b6111f19df3 (patch)
tree5806e9f3001fa4f33ba85aa94856b70a7f878cf8 /template
parentbcc93f83a64a76cd73501eaefaf5fd073fbc3f0d (diff)
downloadbugzilla-421ff7f194875db9634ea783d9dd5b6111f19df3.tar.gz
bugzilla-421ff7f194875db9634ea783d9dd5b6111f19df3.tar.xz
Bug 1197073 - add support for 2fa using totp (eg. google authenticator)
Diffstat (limited to 'template')
-rw-r--r--template/en/default/account/cancel-token.txt.tmpl3
-rw-r--r--template/en/default/account/prefs/mfa.html.tmpl134
-rw-r--r--template/en/default/account/prefs/prefs.html.tmpl7
-rw-r--r--template/en/default/admin/users/userdata.html.tmpl22
-rw-r--r--template/en/default/global/header.html.tmpl3
-rw-r--r--template/en/default/global/messages.html.tmpl2
-rw-r--r--template/en/default/global/setting-descs.none.tmpl1
-rw-r--r--template/en/default/global/user-error.html.tmpl21
-rw-r--r--template/en/default/mfa/totp/enroll.html.tmpl59
-rw-r--r--template/en/default/mfa/totp/verify.html.tmpl29
-rw-r--r--template/en/default/setup/strings.txt.pl1
11 files changed, 282 insertions, 0 deletions
diff --git a/template/en/default/account/cancel-token.txt.tmpl b/template/en/default/account/cancel-token.txt.tmpl
index 6619dedd3..bc35e2d4c 100644
--- a/template/en/default/account/cancel-token.txt.tmpl
+++ b/template/en/default/account/cancel-token.txt.tmpl
@@ -93,6 +93,9 @@ Canceled Because: [% PROCESS cancelactionmessage %]
[% ELSIF cancelaction == 'wrong_token_for_creating_account' %]
You have tried to use the token to create a user account.
+ [% ELSIF cancelaction == 'wrong_token_for_mfa' %]
+ You have tried to use the token for MFA.
+
[% ELSE %]
[%# Give sensible error if the cancel-token function is used incorrectly.
#%]
diff --git a/template/en/default/account/prefs/mfa.html.tmpl b/template/en/default/account/prefs/mfa.html.tmpl
new file mode 100644
index 000000000..750e34cee
--- /dev/null
+++ b/template/en/default/account/prefs/mfa.html.tmpl
@@ -0,0 +1,134 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #
+ # This Source Code Form is "Incompatible With Secondary Licenses", as
+ # defined by the Mozilla Public License, v. 2.0.
+ #%]
+
+[% IF NOT Bugzilla.feature('mfa') %]
+ <input type="hidden" name="mfa_action" id="mfa-action" value="">
+ <p>
+ Two-factor Authentication is not available.
+ </p>
+ [% RETURN %]
+[% END %]
+[% IF user.cryptpassword == '*' %]
+ <input type="hidden" name="mfa_action" id="mfa-action" value="">
+ <p>
+ Two-factor Authentication is not available on your account because you are
+ using an external authentication provider.
+ </p>
+ [% RETURN %]
+[% END %]
+
+<div id="mfa-container">
+ [% IF user.mfa %]
+ <p>
+ Two-factor authentication is currently <b>enabled</b> using
+ <b>[% SWITCH user.mfa %]
+ [% CASE "TOTP" %]TOTP
+ [% END %]</b>.
+ </p>
+ <input type="hidden" name="mfa_action" id="mfa-action" value="disable">
+
+ <button type="button" id="mfa-disable">Disable Two-factor Authentication</button>
+
+ <div id="mfa-disable-container" style="display:none">
+
+ [% IF user.mfa == "TOTP" %]
+ A verification code is required to confirm this change.<br><br>
+ <b>Code:</b>
+ <input type="text" name="mfa_disable_code" id="mfa-totp-disable-code"
+ placeholder="123456" maxlength="6" pattern="\d{6}" size="10"
+ autocomplete="off" required autofocus>
+ [% END %]
+
+ </div>
+
+ [% ELSE %]
+ <p>
+ Two-factor authentication is currently <b>disabled</b>.
+ </p>
+ <input type="hidden" name="mfa_action" id="mfa-action" value="enable">
+
+ <button type="button" id="mfa-enable">Enable Two-factor Authentication</button>
+
+ <div id="mfa-enable-container" style="display:none">
+ <b>System:</b>
+ <select name="mfa" id="mfa">
+ <option value="" selected></option>
+ <option value="TOTP">Time-based One-Time Password (TOTP)</option>
+ </select>
+
+ [%# TOTP %]
+ <div id="mfa-enable-totp" class="mfa-provider" style="display:none">
+
+ <div id="mfa-totp-throbber">
+ Working.. <img src="skins/standard/throbber.gif" width="16" height="11">
+ </div>
+
+ <div id="mfa-totp-issued" style="display:none">
+ <iframe id="mfa-enable-totp-frame" src="userprefs.cgi?tab=mfa&frame=totp"></iframe>
+ <div id="mfa-totp-blurb">
+ Scan this QR code with your <a href="#" id="mfa-totp-apps">TOTP App</a>,
+ then enter the six digit code the app generates.<br>
+ <br>
+ <b>Code:</b>
+ <input type="text" name="mfa_enable_code" id="mfa-totp-enable-code"
+ placeholder="123456" maxlength="6" pattern="\d{6}" size="10"
+ autocomplete="off" required autofocus>
+ </div>
+ </div>
+
+ <div id="mfa-totp-apps-popup" class="mfa-totp-popup" style="display:none">
+ Example TOTP Applications:<br>
+ <ul>
+ <li>Android and iOS:
+ <a href="http://guide.duosecurity.com/third-party-accounts" target="_blank">Duo Mobile</a>,
+ <a href="https://support.google.com/accounts/answer/1066447" target="_blank">Google Authenticator</a>
+ </li>
+ <li>Firefox OS:
+ <a href="https://marketplace.firefox.com/app/gauth/" target="_blank">GAuth</a>
+ </li>
+ <li>Windows Phone:
+ <a href="http://www.windowsphone.com/en-us/store/app/authenticator/021dd79f-0598-e011-986b-78e7d1fa76f8"
+ target="_blank">Authenticator</a>
+ </li>
+ </ul>
+ <button type="button" class="mfa-totp-popup-close">Close</button>
+ </div>
+
+ <div id="mfa-totp-text-popup" class="mfa-totp-popup" style="display:none">
+ Your two-factor secret:
+ <div id="mfa-totp-secret"></div>
+ <button type="button" class="mfa-totp-popup-close">Close</button>
+ </div>
+
+ </div>
+
+ </div>
+
+ [% END %]
+
+ <div id="mfa-confirm" style="display:none">
+ <p>
+ Two-factor authentication settings will not be updated until you provide
+ your current password and <b>Submit Changes</b>.
+ </p>
+
+ <p>
+ <b>Current Password:</b>
+ <input type="password" name="password" required>
+ </p>
+
+ <p id="mfa-api-blurb" style="display:none">
+ Enabling two-factor authentication will also require systems that
+ interface with [% terms.Bugzilla %]'s API to use <a href="userprefs.cgi?tab=apikey">API-Keys</a>
+ for authentication.<br>
+ While not recommended, this limitation can be lifted by changing the
+ <a href="userprefs.cgi?tab=settings#api_key_only">Require API-Key authentication for API requests</a>
+ preference after 2FA is enabled.
+ </div>
+
+</div>
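Review bot: The four authenticator-app links in `mfa-totp-apps-popup` open with `target="_blank"` and no `rel` attribute, and two of them (Duo Mobile and the Windows Phone Authenticator) are plain `http://`. The page a user is sent to when choosing a second-factor app can therefore be altered in transit, and in browsers that do not imply noopener the opened page keeps a `window.opener` reference to the preferences tab. I would add `rel="noopener noreferrer"` to each anchor and switch to `https://` wherever the target serves it. Separately, `<p id="mfa-api-blurb" style="display:none">` is never closed: the `</div>` that follows it closes `mfa-confirm`, so a `</p>` should be added before that `</div>`.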
diff --git a/template/en/default/account/prefs/prefs.html.tmpl b/template/en/default/account/prefs/prefs.html.tmpl
index 679a3cb30..853841bff 100644
--- a/template/en/default/account/prefs/prefs.html.tmpl
+++ b/template/en/default/account/prefs/prefs.html.tmpl
@@ -44,6 +44,7 @@
generate_api_token = 1
style_urls = ['skins/standard/admin.css']
javascript_urls = ['js/util.js', 'js/field.js', 'js/TUI.js', 'js/account.js']
+ jquery = ['bPopup'],
doc_section = "userpreferences.html";
tabs = [
@@ -72,6 +73,12 @@
saveable => "1"
},
{
+ name => "mfa",
+ label => "Two-Factor Authentication",
+ link => "userprefs.cgi?tab=mfa",
+ saveable => "1"
+ },
+ {
name => "sessions",
label => "Sessions",
link => "userprefs.cgi?tab=sessions",
diff --git a/template/en/default/admin/users/userdata.html.tmpl b/template/en/default/admin/users/userdata.html.tmpl
index ebe7451e4..c24074df9 100644
--- a/template/en/default/admin/users/userdata.html.tmpl
+++ b/template/en/default/admin/users/userdata.html.tmpl
@@ -122,6 +122,28 @@
explain why.)
</td>
</tr>
+ [% IF editform %]
+ <tr>
+ <th><label for="mfa">Two-factor Auth:</label></th>
+ <td>
+ [% IF user.in_group('admin') %]
+ [% IF otheruser.mfa %]
+ <select name="mfa" value="mfa">
+ <option value="">Disable</option>
+ [% SWITCH otheruser.mfa %]
+ [% CASE "TOTP" %]
+ <option value="TOTP" selected>Enabled - TOTP</option>
+ [% END %]
+ </select>
+ [% ELSE %]
+ Disabled
+ [% END %]
+ [% ELSE %]
+ [% user.mfa ? "Enabled - " _ user.mfa : "Disabled" FILTER html %]
+ [% END %]
+ </td>
+ </tr>
+ [% END %]
[% END %]
[% Hook.process('end') %]
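Review bot: The non-admin branch prints `user.mfa`, which is the logged-in editor's own setting, while the admin branch of the same row reads `otheruser.mfa`. On an edit form for another account this appears to show the wrong person's two-factor state, and the line should probably read `[% otheruser.mfa ? "Enabled - " _ otheruser.mfa : "Disabled" FILTER html %]`. The `<label for="mfa">` also has no matching element, because the `<select>` carries `value="mfa"` where `id="mfa"` was likely intended. The `user.in_group('admin')` test only hides the control, so the handler that accepts the `mfa` parameter needs the same group check; that code, like the start of the enclosing `IF` block, is outside this hunk.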
diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl
index aafbbca70..3f70b9453 100644
--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -36,6 +36,7 @@
# message: string. A message to display to the user. May contain HTML.
# atomlink: Atom link URL, May contain HTML
# generate_api_token: generate a token which can be used to make authenticated webservice calls
+ # no_body: if true the body element will not be generated
#%]
[% IF message %]
@@ -262,6 +263,8 @@
[% Hook.process("additional_header") %]
</head>
+[% RETURN IF no_body %]
+
[%# Migration note: contents of the old Param 'bodyhtml' go in the body tag,
# but set the onload attribute in the DEFAULT directive above.
#%]
diff --git a/template/en/default/global/messages.html.tmpl b/template/en/default/global/messages.html.tmpl
index 4cefe2a3f..d5d4a563d 100644
--- a/template/en/default/global/messages.html.tmpl
+++ b/template/en/default/global/messages.html.tmpl
@@ -60,6 +60,8 @@
A new password has been set.
[% ELSIF field == 'disabledtext' %]
The disable text has been modified.
+ [% ELSIF field == 'mfa' %]
+ Two-factor authentication has been disabled.
[% ELSIF field == 'is_enabled' %]
The user has been [% otheruser.is_enabled ? 'enabled' : 'disabled' %].
[% ELSIF field == 'extern_id' %]
diff --git a/template/en/default/global/setting-descs.none.tmpl b/template/en/default/global/setting-descs.none.tmpl
index 5ba100183..5005f4efe 100644
--- a/template/en/default/global/setting-descs.none.tmpl
+++ b/template/en/default/global/setting-descs.none.tmpl
@@ -55,6 +55,7 @@
"bugmail_new_prefix" => "Add 'New:' to subject line of email sent when a new $terms.bug is filed",
"possible_duplicates" => "Display possible duplicates when reporting a new $terms.bug",
"requestee_cc" => "Automatically add me to the CC list of $terms.bugs I am requested to review",
+ "api_key_only" => "Require API-Key authentication for API requests",
}
%]
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 98076ce1c..6f352e5ac 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1012,6 +1012,10 @@
[% title = "Invalid Attachment ID" %]
The attachment id [% attach_id FILTER html %] is invalid.
+ [% ELSIF error == "invalid_auth_method" %]
+ [% title = "Invalid Authentication Method" %]
+ API-Key authentication is required.
+
[% ELSIF error == "bug_id_does_not_exist" %]
[% title = BLOCK %]Invalid [% terms.Bug %] ID[% END %]
[% terms.Bug %] [%= bug_id FILTER html %] does not exist.
@@ -1198,6 +1202,15 @@
[%# Used for non-web-based LOGIN_REQUIRED situations. %]
You must log in before using this part of [% terms.Bugzilla %].
+ [% ELSIF error == "mfa_prevents_login" %]
+ Unable to log in with [% provider FILTER html %] because two-factor
+ authentication is enabled on your account.<br>
+ <br>
+ Please log in using your username and password.
+
+ [% ELSIF error == "mfa_totp_bad_code" %]
+ Invalid verification code.
+
[% ELSIF error == "migrate_config_created" %]
The file <kbd>[% file FILTER html %]</kbd> contains configuration
variables that must be set before continuing with the migration.
@@ -1462,6 +1475,10 @@
[% title = "Passwords Don't Match" %]
The two passwords you entered did not match.
+ [% ELSIF error == "password_incorrect" %]
+ [% title = "Incorrect Password" %]
+ You did not enter your password correctly.
+
[% ELSIF error == "password_too_short" %]
[% title = "Password Too Short" %]
The password must be at least
@@ -1921,6 +1938,10 @@
[% title = "Wrong Token" %]
That token cannot be used to create a user account.
+ [% ELSIF error == "wrong_token_for_mfa" %]
+ [% title = "Wrong Token" %]
+ That token cannot be used for MFA.
+
[% ELSIF error == "xmlrpc_invalid_value" %]
"[% value FILTER html %]" is not a valid value for a
&lt;[% type FILTER html %]&gt; field. (See the XML-RPC specification
diff --git a/template/en/default/mfa/totp/enroll.html.tmpl b/template/en/default/mfa/totp/enroll.html.tmpl
new file mode 100644
index 000000000..63fc74698
--- /dev/null
+++ b/template/en/default/mfa/totp/enroll.html.tmpl
@@ -0,0 +1,59 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #
+ # This Source Code Form is "Incompatible With Secondary Licenses", as
+ # defined by the Mozilla Public License, v. 2.0.
+ #%]
+
+[% js = BLOCK %]
+
+$(function() {
+
+ $('#show-text')
+ .click(function(event) {
+ event.preventDefault();
+ $('#qr, #show-text').hide();
+ $('#secret, #show-qr').show();
+ });
+
+ $('#show-qr')
+ .click(function(event) {
+ event.preventDefault();
+ $('#secret, #show-qr').hide();
+ $('#qr, #show-text').show();
+ });
+
+});
+
+[% END %]
+
+[% css = BLOCK %]
+
+#secret {
+ font-size: 120%;
+ padding: 12px;
+}
+
+#show-text, #show-qr {
+ padding-left: 12px;
+}
+
+[% END %]
+
+[%
+ PROCESS global/header.html.tmpl
+ style_urls = ['skins/standard/admin.css']
+ no_body = 1
+ javascript = js
+ style = css
+%]
+<body id="mfa-enroll-embedded">
+ <div id="toggle">
+ <a href="#" id="show-text">Show as text</a>
+ <a href="#" id="show-qr" style="display:none">Show as QR code</a>
+ </div>
+ <img id="qr" width="195" height="195">
+ <div id="secret" style="display:none"></div>
+</body>
+</html>
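Review bot: Nothing in this template says where the QR image and the secret come from: `<img id="qr" width="195" height="195">` has no `src` and `<div id="secret">` is empty, so both are presumably filled in by script outside this file. A header comment would help the next reader, for example `[%# Loaded in the iframe on account/prefs/mfa.html.tmpl; #qr and #secret are populated by script, not by this template. %]`, with the wording adjusted to wherever that script actually lives. This frame is where the TOTP shared secret is displayed, so the comment should also record two expectations that this diff cannot confirm. Whatever writes into `#secret` should insert the value as text rather than markup, and the response that delivers the secret should be sent as non-cacheable.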
diff --git a/template/en/default/mfa/totp/verify.html.tmpl b/template/en/default/mfa/totp/verify.html.tmpl
new file mode 100644
index 000000000..3ff720d62
--- /dev/null
+++ b/template/en/default/mfa/totp/verify.html.tmpl
@@ -0,0 +1,29 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #
+ # This Source Code Form is "Incompatible With Secondary Licenses", as
+ # defined by the Mozilla Public License, v. 2.0.
+ #%]
+
+[% INCLUDE global/header.html.tmpl
+ title = "Account Verification"
+%]
+
+<h1>Account Verification</h1>
+
+<p>
+ Please enter your verification code from your TOTP application:
+</p>
+
+<form method="POST" action="token.cgi">
+<input type="hidden" name="a" value="mfa">
+<input type="hidden" name="t" value="[% token FILTER html %]">
+<input type="text" name="code" id="code"
+ placeholder="123456" maxlength="6" pattern="\d{6}" size="10"
+ autocomplete="off" required autofocus><br>
+<br>
+<input type="submit" value="Submit">
+</form>
+
+[% INCLUDE global/footer.html.tmpl %]
diff --git a/template/en/default/setup/strings.txt.pl b/template/en/default/setup/strings.txt.pl
index f8a2920d0..657b3ce92 100644
--- a/template/en/default/setup/strings.txt.pl
+++ b/template/en/default/setup/strings.txt.pl
@@ -105,6 +105,7 @@ END
feature_new_charts => 'New Charts',
feature_old_charts => 'Old Charts',
feature_memcached => 'Memcached Support',
+ feature_mfa => 'Two-Factor Authentication',
feature_mod_perl => 'mod_perl',
feature_moving => 'Move Bugs Between Installations',
feature_patch_viewer => 'Patch Viewer',