authorByron Jones <glob@mozilla.com>2015-10-12 18:49:00 +0200
committerByron Jones <glob@mozilla.com>2015-10-12 18:49:00 +0200
commitd69cebd8c703f0a1f6839944f1c949bce350b02e (patch)
tree0c38317335ffe054597a56e281160fb7bcc8ebfb /template
parent07791e2b9be26347cd3e7bbb8a5f004211841908 (diff)
downloadbugzilla-d69cebd8c703f0a1f6839944f1c949bce350b02e.tar.gz
bugzilla-d69cebd8c703f0a1f6839944f1c949bce350b02e.tar.xz
Bug 1199089 - add support for duo-security
Diffstat (limited to 'template')
-rw-r--r--template/en/default/account/prefs/mfa.html.tmpl72
-rw-r--r--template/en/default/admin/params/auth.html.tmpl28
-rw-r--r--template/en/default/admin/users/userdata.html.tmpl2
-rw-r--r--template/en/default/global/user-error.html.tmpl2
-rw-r--r--template/en/default/mfa/dummy/verify.html.tmpl28
-rw-r--r--template/en/default/mfa/duo/verify.html.tmpl95
-rw-r--r--template/en/default/mfa/totp/enroll.html.tmpl2
7 files changed, 209 insertions, 20 deletions
diff --git a/template/en/default/account/prefs/mfa.html.tmpl b/template/en/default/account/prefs/mfa.html.tmpl
index df272f7d3..2d80520a1 100644
--- a/template/en/default/account/prefs/mfa.html.tmpl
+++ b/template/en/default/account/prefs/mfa.html.tmpl
@@ -40,11 +40,12 @@
Two-factor authentication is currently <b>enabled</b> using
<b>[% SWITCH user.mfa %]
[% CASE "TOTP" %]TOTP
+ [% CASE "Duo" %]Duo Security
[% END %]</b>.
</p>
<input type="hidden" name="mfa_action" id="mfa-action" value="disable">
- <div id="mfa-buttons">
+ <div class="mfa-buttons">
<div>
<button type="button" id="mfa-disable">Disable Two-factor Authentication</button>
[% INCLUDE "mfa/protected.html.tmpl" %]
@@ -92,15 +93,26 @@
<div id="mfa-auth-container" style="display:none">
<p>
- <label class="mfa-totp">Current Password:</label>
+ <label>Current Password:</label>
<input type="password" name="password" id="mfa-password" required>
</p>
+ [%# disable/recovery - totp %]
[% IF user.mfa == "TOTP" %]
- <label class="mfa-totp">Code:</label>
+
+ <label>Code:</label>
<input type="text" name="code"
placeholder="123456" maxlength="9" pattern="\d{6,9}" size="10"
- autocomplete="off" required autofocus>
+ autocomplete="off" required>
+
+ [%# disable/recovery - duo %]
+ [% ELSIF user.mfa == "Duo" %]
+
+ <p>
+ <img src="images/duo.png" id="duo-logo" width="32" height="32">
+ Verification with Duo Security will be performed before your account is updated.
+ </p>
+
[% END %]
</div>
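Review bot: The added `<img src="images/duo.png" id="duo-logo" width="32" height="32">` has no `alt` attribute, so assistive technology has nothing to announce or skip. The sentence next to it already names Duo Security, so `alt=""` would mark the logo as decorative. The same tag with the same `id="duo-logo"` is added again in the `mfa-enable-duo` block in the last hunk of this file. The enclosing IF/ELSE is outside both hunks, so it is not visible whether both can render on one page, but `class="duo-logo"` would remove any duplicate-id risk.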
@@ -111,23 +123,39 @@
<input type="hidden" name="mfa_action" id="mfa-action" value="enable">
<input type="hidden" name="mfa" id="mfa">
- <div id="mfa-select">
+ <div id="mfa-select" class="mfa-buttons">
<p>
Select the two-factor system you want to use:
</p>
- <button type="button" id="mfa-select-totp">Time-based One-Time Password (TOTP)</button>
- </div>
- [%# TOTP %]
- <div id="mfa-enable-totp" class="mfa-provider" style="display:none">
+ <button type="button" id="mfa-select-totp">Time-based One-Time Password (TOTP)</button><br>
+ <blockquote>
+ Requires a smartphone and a TOTP app (such as
+ <a href="https://support.google.com/accounts/answer/1066447" target="_blank">Google Authenticator</a>
+ or <a href="https://fedorahosted.org/freeotp/" target="_blank">Red Hat FreeOTP</a>).
+ </blockquote>
+
+ [% IF Param("duo_host") && user.in_group("mozilla-employee-confidential") %]
+ <button type="button" id="mfa-select-duo">Duo Security</button><br>
+ <blockquote>
+ Requires a smartphone and a <a href="https://www.duosecurity.com/" target="_blank">Duo Security</a>
+ account (recommended for Mozilla employees).
+ </blockquote>
+ [% END %]
+ </div>
+ <div id="mfa-enable-shared" style="display:none">
<p>
Your current password is required to enable two-factor authentication.
</p>
<p>
- <label class="mfa-totp">Current Password:</label>
+ <label>Current Password:</label>
<input type="password" name="password" id="mfa-password" required>
</p>
+ </div>
+
+ [%# enable - TOTP %]
+ <div id="mfa-enable-totp" style="display:none">
<div id="mfa-totp-throbber">
Generating new QR code.. <img src="skins/standard/throbber.gif" width="16" height="11">
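Review bot: The three new external links (`support.google.com`, `fedorahosted.org`, `www.duosecurity.com`) use `target="_blank"` with no `rel`, so the opened page receives a `window.opener` reference back to the two-factor preferences page and can navigate it. Add `rel="noopener noreferrer"` to each, e.g. `<a href="https://www.duosecurity.com/" target="_blank" rel="noopener noreferrer">Duo Security</a>`. The `login.mozilla.com` link added in the `mfa-enable-duo` hunk further down needs the same attribute. The `mfa-enable-totp` div continues past the end of this hunk.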
@@ -139,10 +167,10 @@
Scan this QR code with your <a href="#" id="mfa-totp-apps">TOTP App</a>,
then enter the six digit code the app generates.<br>
<br>
- <label class="mfa-totp">Code:</label>
+ <label>Code:</label>
<input type="text" name="code" id="mfa-totp-enable-code"
placeholder="123456" maxlength="6" pattern="\d{6}" size="10"
- autocomplete="off" required autofocus>
+ autocomplete="off">
</div>
</div>
@@ -174,6 +202,26 @@
</div>
+ [%# enable - duo %]
+ <div id="mfa-enable-duo" style="display:none">
+
+ <p>
+ <label>Duo Username:</label>
+ <input type="text" name="username" id="mfa-duo-user">
+ </p>
+
+ <p>
+ <img src="images/duo.png" id="duo-logo" width="32" height="32">
+ Verification with Duo Security will be performed before your account is updated.<br>
+
+ [% IF user.in_group("mozilla-employee-confidential") %]
+ You must <a href="https://login.mozilla.com/duo_enrollments/" target="_blank">
+ sign up for Duo Security via login.mozilla.com</a> before you can use Duo 2FA.
+ [% END %]
+ </p>
+
+ </div>
+
[% END %]
<div id="mfa-confirm" style="display:none">
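Review bot: As far as this hunk shows, the `mfa-enable-duo` block is emitted without the `Param("duo_host") && user.in_group("mozilla-employee-confidential")` condition that guards the `mfa-select-duo` button in the earlier hunk, so the Duo enrolment fields are in the page (hidden by `display:none`) for every user. Hidden markup is not an access check: the handler that receives `mfa=Duo`, which is not part of this template diff, has to reject the request when Duo is unconfigured or the user is not eligible. Wrapping the block in the same `[% IF Param("duo_host") && user.in_group("mozilla-employee-confidential") %]` condition would keep the template consistent. A comment such as `[%# UI gating only; eligibility is enforced server-side %]` would record the intent.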
diff --git a/template/en/default/admin/params/auth.html.tmpl b/template/en/default/admin/params/auth.html.tmpl
index fea4239b3..a6cb8d3b1 100644
--- a/template/en/default/admin/params/auth.html.tmpl
+++ b/template/en/default/admin/params/auth.html.tmpl
@@ -142,16 +142,34 @@
"<li>letters_numbers - Passwords must contain at least one UPPER and one " _
"lower case letter and a number.</li>" _
"<li>letters_numbers_specialchars - Passwords must contain at least one " _
- "UPPER or one lower case letter, a number and a special character.</li></ul>"
- },
+ "UPPER or one lower case letter, a number and a special character.</li></ul>",
password_check_on_login =>
"If set, $terms.Bugzilla will check that the password meets the current " _
"complexity rules and minimum length requirements when the user logs " _
"into the $terms.Bugzilla web interface. If it doesn't, the user would " _
- "not be able to log in, and recieve a message to reset their password."
+ "not be able to log in, and recieve a message to reset their password.",
- auth_delegation =>
+ auth_delegation =>
"If set, $terms.Bugzilla will allow third party applications " _
- "to request API keys for users."
+ "to request API keys for users.",
+
+ duo_host =>
+ "The 'API hostname' for Duo 2FA. This value is provided by your " _
+ "Duo Security administrator. Set this to a blank value to disable" _
+ "Duo 2FA.",
+
+ duo_akey =>
+ "The 'integration secret key' for Duo 2FA. This is automatically " _
+ "generated by checksetup.pl.",
+
+ duo_ikey =>
+ "The 'integration key' for Duo 2FA. This value is provided by your " _
+ "Duo Security administrator.",
+
+ duo_skey =>
+ "The 'secret key' for Duo 2FA. This value is provided by your " _
+ "Duo Security administrator.",
+
+ },
%]
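Review bot: The `duo_host` description concatenates `"... blank value to disable"` with `"Duo 2FA."` without a space, so the admin page will read "disableDuo 2FA."; the last fragment should be `" Duo 2FA."`. `duo_akey` is labelled 'integration secret key', which is easy to confuse with `duo_ikey` ('integration key') and `duo_skey` ('secret key'). Because it is generated locally by checksetup.pl, wording such as 'application secret key' would separate it from the two Duo-provided values. `duo_skey` and `duo_akey` are secrets, and this diff does not show how the parameter editor renders them, so the descriptions could say that they must not be shared or pasted into bug comments.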
diff --git a/template/en/default/admin/users/userdata.html.tmpl b/template/en/default/admin/users/userdata.html.tmpl
index 72fe4349c..a455ef84b 100644
--- a/template/en/default/admin/users/userdata.html.tmpl
+++ b/template/en/default/admin/users/userdata.html.tmpl
@@ -133,6 +133,8 @@
[% SWITCH otheruser.mfa %]
[% CASE "TOTP" %]
<option value="TOTP" selected>Enabled - TOTP</option>
+ [% CASE "Duo" %]
+ <option value="Duo" selected>Enabled - Duo Security</option>
[% END %]
</select>
[% ELSE %]
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 7a3a536cd..66573ecb1 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1212,7 +1212,7 @@
<br>
Please log in using your username and password.
- [% ELSIF error == "mfa_totp_bad_code" %]
+ [% ELSIF error == "mfa_bad_code" %]
Invalid verification code.
[% ELSIF error == "mfa_totp_bad_enrolment_code" %]
diff --git a/template/en/default/mfa/dummy/verify.html.tmpl b/template/en/default/mfa/dummy/verify.html.tmpl
new file mode 100644
index 000000000..9b9501e66
--- /dev/null
+++ b/template/en/default/mfa/dummy/verify.html.tmpl
@@ -0,0 +1,28 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #
+ # This Source Code Form is "Incompatible With Secondary Licenses", as
+ # defined by the Mozilla Public License, v. 2.0.
+ #%]
+
+[%
+ INCLUDE global/header.html.tmpl
+ title = "Account Verification"
+%]
+
+<h1>Account Verification</h1>
+
+<p>
+ <b>[% reason FILTER html %]</b> requires verification, and your configured
+ two-factor provider is no longer available.
+</p>
+
+<form method="POST" id="duo_form" action="[% postback.action FILTER none %]">
+ [% FOREACH field IN postback.fields.keys %]
+ <input type="hidden" name="[% field FILTER html %]" value="[% postback.fields.item(field) FILTER html %]">
+ [% END %]
+ <input type="submit" value="Verify">
+</form>
+
+[% INCLUDE global/footer.html.tmpl %]
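Review bot: `action="[% postback.action FILTER none %]"` writes the value into an HTML attribute with no escaping, while the hidden inputs just below it use `FILTER html`. If `postback.action` is always a server-chosen script name this is harmless, but nothing in the template guarantees that, so `action="[% postback.action FILTER html %]"` is the safer default; the same line appears in `mfa/duo/verify.html.tmpl`. The form also carries `id="duo_form"` although this is the fallback page for an unavailable provider, which looks like a leftover from the Duo template. Because `postback.fields` is replayed into the page as hidden inputs, it is worth confirming in the caller (outside this diff) that no password or token is among those fields.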
diff --git a/template/en/default/mfa/duo/verify.html.tmpl b/template/en/default/mfa/duo/verify.html.tmpl
new file mode 100644
index 000000000..627b82039
--- /dev/null
+++ b/template/en/default/mfa/duo/verify.html.tmpl
@@ -0,0 +1,95 @@
+[%# This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ #
+ # This Source Code Form is "Incompatible With Secondary Licenses", as
+ # defined by the Mozilla Public License, v. 2.0.
+ #%]
+
+[% is_enrolment = action == "enable" %]
+
+[% js = BLOCK %]
+$(function() {
+
+ $('#recovery-toggle')
+ .click(function(event) {
+ event.preventDefault();
+
+ if ($('#duo_container').is(':visible')) {
+ $('#duo_container').hide();
+ $('#recovery').show();
+ $('#code').attr('required', true).focus();
+ $('#recovery-submit').attr('disabled', false);
+ $(this).text('Verify using Duo Security');
+ }
+ else {
+ $('#duo_container').show();
+ $('#recovery').hide();
+ $('#code').attr('required', false);
+ $('#recovery-submit').attr('disabled', true);
+ $(this).text('Verify using a recovery code');
+ }
+ });
+
+});
+[% END %]
+
+[% css = BLOCK %]
+
+ #duo_container {
+ background: #fff url(skins/standard/throbber.gif) 10px 10px no-repeat;
+ width: 620px;
+ height: 330px;
+ border: 1px solid #000;
+ }
+
+[% END %]
+
+[%
+ INCLUDE global/header.html.tmpl
+ title = "Account Verification"
+ javascript_urls = ['js/duo-min.js']
+ javascript = js
+ style = css
+%]
+
+<h1>Account Verification</h1>
+
+<p>
+ <b>[% reason FILTER html %]</b> requires verification.<br>
+ [% UNLESS is_enrolment %]
+ <a href="#" id="recovery-toggle">Verify using a recovery code</a>.
+ [% END %]
+</p>
+
+<div id="duo_container">
+ <iframe id="duo_iframe" width="620" height="330" frameborder="0"></iframe>
+</div>
+
+<form method="POST" id="duo_form" action="[% postback.action FILTER none %]">
+ [% FOREACH field IN postback.fields.keys %]
+ <input type="hidden" name="[% field FILTER html %]" value="[% postback.fields.item(field) FILTER html %]">
+ [% END %]
+ [% UNLESS is_enrolment %]
+ <div id="recovery" style="display:none">
+ <p>
+ Provide a two-factor recovery code:
+ </p>
+ <input type="text" name="code" id="code"
+ placeholder="123456789" maxlength="9" pattern="\d{9}" size="10"
+ autocomplete="off"><br>
+ <br>
+ <input type="submit" value="Submit" id="recovery-submit" disabled>
+ </div>
+ [% END %]
+</form>
+
+<script>
+ Duo.init({
+ 'host': '[% Param('duo_host') FILTER js %]',
+ 'sig_request': '[% sig_request FILTER js %]',
+ 'post_action': '[% postback.action FILTER js %]'
+ });
+</script>
+
+[% INCLUDE global/footer.html.tmpl %]
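Review bot: The recovery-code path is constrained only on the client: `pattern="\d{9}"` and the toggled `required`/`disabled` attributes do not apply to a request sent straight to `postback.action`. The handler (outside this diff) therefore has to validate the code itself and throttle attempts, otherwise the recovery code becomes a weaker second factor than the Duo prompt. The `<iframe id="duo_iframe">` has no `title`; `title="Duo Security verification"` would give it an accessible name. The inline `<script>` calling `Duo.init` and the `js`/`css` blocks passed to the header also mean this page cannot be served under a Content-Security-Policy without `'unsafe-inline'`; putting the three values in `data-` attributes read by an external script would avoid that.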
diff --git a/template/en/default/mfa/totp/enroll.html.tmpl b/template/en/default/mfa/totp/enroll.html.tmpl
index 63fc74698..fda7689a5 100644
--- a/template/en/default/mfa/totp/enroll.html.tmpl
+++ b/template/en/default/mfa/totp/enroll.html.tmpl
@@ -7,7 +7,6 @@
#%]
[% js = BLOCK %]
-
$(function() {
$('#show-text')
@@ -25,7 +24,6 @@ $(function() {
});
});
-
[% END %]
[% css = BLOCK %]