From 421ff7f194875db9634ea783d9dd5b6111f19df3 Mon Sep 17 00:00:00 2001
From: Byron Jones
Date: Tue, 1 Sep 2015 13:01:20 +0800
Subject: Bug 1197073 - add support for 2fa using totp (eg. google authenticator)
---
 extensions/BMO/lib/Reports/Groups.pm | 30 ++++++++++++++--------
 .../en/default/pages/group_members.html.tmpl | 12 ++++++---
 extensions/GitHubAuth/lib/Login.pm | 27 ++++++++++++++-----
 extensions/Persona/lib/Login.pm | 6 +++++
 4 files changed, 54 insertions(+), 21 deletions(-)
(limited to 'extensions')
diff --git a/extensions/BMO/lib/Reports/Groups.pm b/extensions/BMO/lib/Reports/Groups.pm
index 4a831fab3..3a5cd75dd 100644
--- a/extensions/BMO/lib/Reports/Groups.pm
+++ b/extensions/BMO/lib/Reports/Groups.pm
@@ -174,10 +174,12 @@ sub members_report {
 action => 'run',
 object => 'group_admins' });
- my @grouplist =
- ($user->in_group('editusers') || $user->in_group('infrasec'))
- ? map { lc($_->name) } Bugzilla::Group->get_all
- : _get_public_membership_groups();
+ my $privileged = $user->in_group('editusers') || $user->in_group('infrasec');
+ $vars->{privileged} = $privileged;
+
+ my @grouplist = $privileged
+ ? map { lc($_->name) } Bugzilla::Group->get_all
+ : _get_public_membership_groups();
 my $include_disabled = $cgi->param('include_disabled') ? 1 : 0;
 $vars->{'include_disabled'} = $include_disabled;
@@ -240,20 +242,26 @@ sub members_report {
 if ($page eq 'group_members.json') {
 my %users;
 foreach my $rh (@types) {
- my $group_name = $rh->{name} eq '_direct' ? 'direct' : $rh->{name};
 foreach my $member (@{ $rh->{members} }) {
 my $login = $member->login;
 if (exists $users{$login}) {
- push @{ $users{$login}->{groups} }, $group_name;
+ push @{ $users{$login}->{groups} }, $rh->{name} if $privileged;
 }
 else {
- $users{$login} = {
+ my $rh_user = {
 login => $login,
- membership => $rh->{name} eq '_direct' ? 'direct' : 'indirect',
- group => $group_name,
- groups => [ $group_name ],
- lastseen => $member->{lastseen},
+ membership => $rh->{name} eq 'direct' ? 'direct' : 'indirect',
+ rh_name => $rh->{name},
 };
+ if ($privileged) {
+ $rh_user->{group} = $rh->{name};
+ $rh_user->{groups} = [ $rh->{name} ];
+ $rh_user->{lastseeon} = $member->{lastseen};
+ $rh_user->{mfa} = $member->mfa;
+ $rh_user->{api_key_only} = $member->settings->{api_key_only}->{value} eq 'on'
+ ? JSON::true : JSON::false;
+ }
+ $users{$login} = $rh_user;
 }
 }
 }
diff --git a/extensions/BMO/template/en/default/pages/group_members.html.tmpl b/extensions/BMO/template/en/default/pages/group_members.html.tmpl
index bd27b8be2..98679c1b7 100644
--- a/extensions/BMO/template/en/default/pages/group_members.html.tmpl
+++ b/extensions/BMO/template/en/default/pages/group_members.html.tmpl
@@ -11,8 +11,6 @@ style_urls = [ "extensions/BMO/web/styles/reports.css" ] %]
-[% SET privileged = (user.in_group('editusers') || user.in_group('infrasec')) %]
-
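Review bot: The key assigned inside the new `if ($privileged)` block is misspelled — `$rh_user->{lastseeon} = $member->{lastseen};` — so the JSON no longer carries the `lastseen` field that the removed hash literal produced and that the template still reads as `member.lastseen`; it should read `$rh_user->{lastseen} = $member->{lastseen};`. The `membership` test also changed from `eq '_direct'` to `eq 'direct'`; if `@types` still names the direct-membership entry `'_direct'`, as the removed `$group_name` mapping suggests, `membership` will now always be `'indirect'`, so this needs confirming against how `@types` is built earlier in members_report, which lies outside the hunk. Moving `group`/`groups`, `lastseen`, `mfa` and `api_key_only` behind `$privileged` is sound, since the unprivileged JSON now exposes only `login`, `membership` and `rh_name`.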
@@ -51,7 +49,7 @@ Count Members [% IF privileged %]
- Last Seen (days ago)
+ 2FA, Last Seen (days ago) [% END %]
@@ -93,6 +91,14 @@ [% IF privileged %]
+
+ [% IF member.mfa %]
+ [% member.mfa FILTER html %]
+ [% " (weakened)" IF member.settings.api_key_only.value == "off" %]
+ [% ELSE %]
+ -
+ [% END %]
+ [% member.lastseen FILTER html %]
diff --git a/extensions/GitHubAuth/lib/Login.pm b/extensions/GitHubAuth/lib/Login.pm
index 8c91fc08a..933dc6572 100644
--- a/extensions/GitHubAuth/lib/Login.pm
+++ b/extensions/GitHubAuth/lib/Login.pm
@@ -43,14 +43,30 @@ sub get_login_info {
 return { failure => AUTH_NODATA } unless $github_login;
+ my $response;
 if ($github_email_key && $github_email) {
 trick_taint($github_email);
 trick_taint($github_email_key);
- return $self->_get_login_info_from_email($github_email, $github_email_key);
+ $response = $self->_get_login_info_from_email($github_email, $github_email_key);
 }
 else {
- return $self->_get_login_info_from_github();
+ $response = $self->_get_login_info_from_github();
 }
+
+ if (!exists $response->{failure}) {
+ my $user = $response->{user};
+ return { failure => AUTH_ERROR,
+ user_error => 'github_auth_account_too_powerful' } if $user->in_group('no-github-auth');
+ return { failure => AUTH_ERROR,
+ user_error => 'mfa_prevents_login',
+ details => { provider => 'GitHub' } } if $user->mfa;
+ $response = {
+ username => $user->login,
+ user_id => $user->id,
+ github_auth => 1,
+ };
+ }
+ return $response;
 }
 sub _get_login_info_from_github {
@@ -117,7 +133,7 @@ sub _get_login_info_from_github {
 if (@allowed_bugzilla_users == 1) {
 my ($user) = @allowed_bugzilla_users;
 $cgi->remove_cookie('Bugzilla_github_token');
- return { username => $user->login, user_id => $user->id, github_auth => 1 };
+ return { user => $user };
 }
 elsif (@allowed_bugzilla_users > 1) {
 $self->{github_failure} = {
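Review bot: `$user->in_group('no-github-auth')` and `$user->mfa` are called on `$response->{user}` without checking it is defined, yet `_get_login_info_from_email` (the -160 hunk of this file) now returns `{ user => Bugzilla::User->new({name => $github_email, cache => 1}) }`, which is undef when no account has that e-mail; the removed code guarded this with `if $user && ...` and then returned `{ username => $github_email, github_auth => 1 }` with no `user_id`. As written, an unknown e-mail dies with a method-call-on-undef error rather than a clean login failure, and whatever first-login provisioning that username-only return enabled is gone. Either reject the undef case explicitly before the group and MFA checks, e.g. `return { failure => AUTH_NO_SUCH_USER } unless $user;` (a Bugzilla::Constants value), or keep the old `username => $github_email` return for it if account creation on first GitHub login is still intended. Checking `$user->mfa` before the success response is rebuilt is the right spot, since it keeps a TOTP-enrolled account from being entered via the GitHub path without the second factor; get_login_info itself begins above this hunk.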
@@ -160,11 +176,8 @@ sub _get_login_info_from_email {
 }
 my $user = Bugzilla::User->new({name => $github_email, cache => 1});
- return { failure => AUTH_ERROR,
- user_error => 'github_auth_account_too_powerful' } if $user && $user->in_group('no-github-auth');
-
 $cgi->remove_cookie('Bugzilla_github_token');
- return { username => $github_email, github_auth => 1 };
+ return { user => $user };
 }
 sub fail_nodata {
diff --git a/extensions/Persona/lib/Login.pm b/extensions/Persona/lib/Login.pm
index ece92a3c0..c2f8caf2b 100644
--- a/extensions/Persona/lib/Login.pm
+++ b/extensions/Persona/lib/Login.pm
@@ -98,6 +98,12 @@ sub get_login_info {
 user_error => 'persona_account_too_powerful' };
 }
+ if ($user->mfa) {
+ return { failure => AUTH_ERROR,
+ user_error => 'mfa_prevents_login',
+ details => { provider => 'Persona' } };
+ }
+
 $login_data->{'user'} = $user;
 $login_data->{'user_id'} = $user->id;
-- 
cgit v1.2.3-24-g4f1b