0001-2-factor-authentication-using-TOTP.patch - Redmine

     gem 'tzinfo-data', platforms: [:mingw, :x64_mingw, :mswin]
     gem "rbpdf", "~> 1.19.3"
     # TOTP-based 2-factor authentication
     gem 'rotp'
     gem 'rqrcode'
     # Optional gem for LDAP authentication
     group :ldap do
       gem "net-ldap", "~> 0.16.0"

         redirect_to(home_url)
       end
       before_action :require_active_twofa, :twofa_setup, only: [:twofa_resend, :twofa_confirm, :twofa]
       before_action :prevent_twofa_session_replay, only: [:twofa_resend, :twofa]
       def twofa_resend
         # otp resends count toward the maximum of 3 otp entry tries per password entry
         if session[:twofa_tries_counter] > 3
           destroy_twofa_session
           flash[:error] = l('twofa_too_many_tries')
           redirect_to home_url
         else
           if @twofa.send_code(controller: 'account', action: 'twofa')
             flash[:notice] = l('twofa_code_sent')
           end
           redirect_to account_twofa_confirm_path
         end
       end
       def twofa_confirm
         @twofa_view = @twofa.otp_confirm_view_variables
       end
       def twofa
         if @twofa.verify!(params[:twofa_code].to_s)
           destroy_twofa_session
           handle_active_user(@user)
         # allow at most 3 otp entry tries per successfull password entry
         # this allows using anti brute force techniques on the password entry to also
         # prevent brute force attacks on the one-time password
         elsif session[:twofa_tries_counter] > 3
           destroy_twofa_session
           flash[:error] = l('twofa_too_many_tries')
           redirect_to home_url
         else
           flash[:error] = l('twofa_invalid_code')
           redirect_to account_twofa_confirm_path
         end
       end
       private
       def prevent_twofa_session_replay
         renew_twofa_session(@user)
       end
       def twofa_setup
         # twofa sessions are only valid 2 minutes at a time
         twomind = 0.0014 # a little more than 2 minutes in days
         @user = Token.find_active_user('twofa_session', session[:twofa_session_token].to_s, twomind)
         unless @user.present?
           destroy_twofa_session
           redirect_to home_url
           return
         end
         # copy back_url, autologin back to params where they are expected
         params[:back_url] ||= session[:twofa_back_url]
         params[:autologin] ||= session[:twofa_autologin]
         # set locale for the twofa user
         set_localization(@user)
         @twofa = Redmine::Twofa.for_user(@user)
       end
       def require_active_twofa
         Setting.twofa? ? true : deny_access
       end
       def setup_twofa_session(user, previous_tries=1)
         token = Token.create(user: user, action: 'twofa_session')
         session[:twofa_session_token] = token.value
         session[:twofa_tries_counter] = previous_tries
         session[:twofa_back_url] = params[:back_url]
         session[:twofa_autologin] = params[:autologin]
       end
       # Prevent replay attacks by using each twofa_session_token only for exactly one request
       def renew_twofa_session(user)
         twofa_tries = session[:twofa_tries_counter].to_i + 1
         destroy_twofa_session
         setup_twofa_session(user, twofa_tries)
       end
       def destroy_twofa_session
         # make sure tokens can only be used once server-side to prevent replay attacks
         Token.find_token('twofa_session', session[:twofa_session_token].to_s).try(:delete)
         session[:twofa_session_token] = nil
         session[:twofa_tries_counter] = nil
         session[:twofa_back_url] = nil
         session[:twofa_autologin] = nil
       end
       def authenticate_user
         if Setting.openid? && using_open_id?
           open_id_authenticate(params[:openid_url])
-...
         else
           # Valid user
           if user.active?
             successful_authentication(user)
             update_sudo_timestamp! # activate Sudo Mode
             if user.twofa_active?
               setup_twofa_session user
               twofa = Redmine::Twofa.for_user(user)
               if twofa.send_code(controller: 'account', action: 'twofa')
                 flash[:notice] = l('twofa_code_sent')
               end
               redirect_to account_twofa_confirm_path
             else
               handle_active_user(user)
             end
           else
             handle_inactive_user(user)
           end
         end
       end
       def handle_active_user(user)
         successful_authentication(user)
         update_sudo_timestamp! # activate Sudo Mode
       end
       def open_id_authenticate(openid_url)
         back_url = signin_url(:autologin => params[:autologin])
         authenticate_with_open_id(

     class TwofaController < ApplicationController
       self.main_menu = false
       before_action :require_login
       before_action :require_admin, only: :admin_deactivate
       require_sudo_mode :activate_init, :deactivate_init
       before_action :activate_setup, only: [:activate_init, :activate_confirm, :activate]
       def activate_init
         @twofa.init_pairing!
         if @twofa.send_code(controller: 'twofa', action: 'activate')
           flash[:notice] = l('twofa_code_sent')
         end
         redirect_to action: :activate_confirm, scheme: @twofa.scheme_name
       end
       def activate_confirm
         @twofa_view = @twofa.init_pairing_view_variables
       end
       def activate
         if @twofa.confirm_pairing!(params[:twofa_code].to_s)
           flash[:notice] = l('twofa_activated')
           redirect_to my_account_path
         else
           flash[:error] = l('twofa_invalid_code')
           redirect_to action: :activate_confirm, scheme: @twofa.scheme_name
         end
       end
       before_action :deactivate_setup, only: [:deactivate_init, :deactivate_confirm, :deactivate]
       def deactivate_init
         if @twofa.send_code(controller: 'twofa', action: 'deactivate')
           flash[:notice] = l('twofa_code_sent')
         end
         redirect_to action: :deactivate_confirm, scheme: @twofa.scheme_name
       end
       def deactivate_confirm
         @twofa_view = @twofa.otp_confirm_view_variables
       end
       def deactivate
         if @twofa.destroy_pairing!(params[:twofa_code].to_s)
           flash[:notice] = l('twofa_deactivated')
           redirect_to my_account_path
         else
           flash[:error] = l('twofa_invalid_code')
           redirect_to action: :deactivate_confirm, scheme: @twofa.scheme_name
         end
       end
       def admin_deactivate
         @user = User.find(params[:user_id])
         # do not allow administrators to unpair 2FA without confirmation for themselves
         (render_403; return false) if @user == User.current
         twofa = Redmine::Twofa.for_user(@user)
         twofa.destroy_pairing_without_verify!
         flash[:notice] = l('twofa_deactivated')
         redirect_to edit_user_path(@user)
       end
       private
       def activate_setup
         twofa_scheme = Redmine::Twofa.for_twofa_scheme(params[:scheme].to_s)
         unless twofa_scheme.present?
           redirect_to my_account_path
           return
         end
         @user = User.current
         @twofa = twofa_scheme.new(@user)
       end
       def deactivate_setup
         @user = User.current
         @twofa = Redmine::Twofa.for_user(@user)
         if params[:scheme].to_s != @twofa.scheme_name
           redirect_to my_account_path
         end
       end
     end

     require "digest/sha1"
     class User < Principal
       include Redmine::Ciphering
       include Redmine::SafeAttributes
       # Different ways of displaying/sorting users
-...
         self
       end
       def twofa_active?
         twofa_scheme.present?
       end
       def pref
         self.preference ||= UserPreference.new(:user => self)
       end
-...
         Token.where(:user_id => id, :action => 'autologin', :value => value).delete_all
       end
       def twofa_totp_key
         read_ciphered_attribute(:twofa_totp_key)
       end
       def twofa_totp_key=(key)
         write_ciphered_attribute(:twofa_totp_key, key)
       end
       # Returns true if token is a valid session token for the user whose id is user_id
       def self.verify_session_token(user_id, token)
         return false if user_id.blank? || token.blank?

     <div id="login-form">
       <h3><%=l :setting_twofa %></h3>
       <p><%=l 'twofa_label_enter_otp' %></p>
       <%= form_tag({ action: 'twofa' },
                    { id: 'twofa_form',
                      onsubmit: 'return keepAnchorOnSignIn(this);' }) do -%>
         <label for="twofa_code">
           <%=l 'twofa_label_code' -%>
           <%= link_to l('twofa_resend_code'), { controller: 'account', action: 'twofa_resend' }, method: :post, class: 'lost_password' if @twofa_view[:resendable] -%>
         </label>
         <%= text_field_tag :twofa_code, nil, tabindex: '1', autocomplete: 'off', autofocus: true -%>
         <%= submit_tag l(:button_login), tabindex: '2', id: 'login-submit', name: :submit_otp -%>
       <% end %>
     </div>

       <% if Setting.openid? %>
       <p><%= f.text_field :identity_url  %></p>
       <% end %>
       <p>
         <label><%=l :setting_twofa -%></label>
         <% if @user.twofa_active? %>
           <%=l 'twofa_currently_active', twofa_scheme_name: l("twofa__#{@user.twofa_scheme}__name") -%><br/>
           <%= link_to l('button_disable'), { controller: 'twofa', action: 'deactivate_init', scheme: @user.twofa_scheme }, method: :post -%><br/>
         <% else %>
           <% Redmine::Twofa.available_schemes.each do |s| %>
             <%= link_to l("twofa__#{s}__label_activate"), { controller: 'twofa', action: 'activate_init', scheme: s }, method: :post -%><br/>
           <% end %>
         <% end %>
       </p>
       <% @user.custom_field_values.select(&:editable?).each do |value| %>
         <p><%= custom_field_tag_with_label :user, value %></p>

     <h2><%=l 'twofa_label_setup' -%></h2>
     <div class="splitcontentleft">
       <%= form_tag({ action: :activate,
                      scheme: @twofa_view[:scheme_name] },
                    { method: :post,
                      id: 'twofa_form' }) do -%>
         <div class="box">
           <p><%=t "twofa__#{@twofa_view[:scheme_name]}__text_pairing_info_html" -%></p>
           <div class="tabular">
             <%= render partial: "twofa/#{@twofa_view[:scheme_name]}/new", locals: { twofa_view: @twofa_view } -%>
             <p>
               <label for="twofa_code"><%=l 'twofa_label_code' -%></label>
               <%= text_field_tag :twofa_code, nil, autocomplete: 'off', autofocus: true -%>
             </p>
           </div>
         </div>
         <%= submit_tag l('button_activate'), name: :submit_otp -%>
         <%= link_to l('twofa_resend_code'), { action: 'activate_init', scheme: @twofa_view[:scheme_name] }, method: :post if @twofa_view[:resendable] -%>
       <% end %>
     </div>
     <% content_for :sidebar do %>
     <%= render :partial => 'my/sidebar' %>
     <% end %>

     <h2><%=l 'twofa_label_deactivation_confirmation' -%></h2>
     <div class="splitcontentleft">
       <%= form_tag({ action: :deactivate,
                      scheme: @twofa_view[:scheme_name] },
                    { method: :post,
                      id: 'twofa_form' }) do -%>
         <div class="box">
           <p><%=l 'twofa_label_enter_otp' %></p>
           <div class="tabular">
             <p>
               <label for="twofa_code"><%=l 'twofa_label_code' -%></label>
               <%= text_field_tag :twofa_code, nil, autocomplete: 'off' -%>
             </p>
           </div>
         </div>
         <%= submit_tag l('button_disable'), name: :submit_otp -%>
         <%= link_to l('twofa_resend_code'), { action: 'deactivate_init', scheme: @twofa_view[:scheme_name] }, method: :post if @twofa_view[:resendable] -%>
       <% end %>
     </div>
     <% content_for :sidebar do %>
     <%= render :partial => 'my/sidebar' %>
     <% end %>

     <p>
       <label>&nbsp;</label>
       <%= image_tag RQRCode::QRCode.new(twofa_view[:provisioning_uri]).as_png(fill: ChunkyPNG::Color::TRANSPARENT, resize_exactly_to: 280, border_modules: 0).to_data_url, id: 'twofa_code' -%>
     </p>
     <p>
       <label><%=l 'twofa__totp__label_plain_text_key' -%></label>
       <code><%= twofa_view[:totp_key].scan(/.{4}/).join(' ') -%></code>
     </p>

       <p><%= f.check_box :generate_password %></p>
       <p><%= f.check_box :must_change_passwd %></p>
       </div>
       <p>
         <label><%=l :setting_twofa -%></label>
         <% if @user.twofa_active? %>
           <%=l 'twofa_currently_active', twofa_scheme_name: l("twofa__#{@user.twofa_scheme}__name") -%><br/>
           <% if @user == User.current # administrators cannot deactivate their own 2FA without confirmation code %>
             <%= link_to l('button_disable'), { controller: 'twofa', action: 'deactivate_init', scheme: @user.twofa_scheme }, method: :post -%>
           <% else %>
             <%= link_to l('button_disable'), { controller: 'twofa', action: 'admin_deactivate', user_id: @user }, method: :post -%>
           <% end %>
         <% else %>
           <%=l 'twofa_not_active' %>
         <% end %>
       </p>
     </fieldset>
     </div>

       actionview_instancetag_blank_option: Bitte auswählen
       button_activate: Aktivieren
       button_disable: Deaktivieren
       button_add: Hinzufügen
       button_annotate: Annotieren
       button_apply: Anwenden
-...
       setting_timelog_accept_0_hours: Accept time logs with 0 hours
       setting_timelog_max_hours_per_day: Maximum hours that can be logged per day and user
       label_x_revisions: "%{count} revisions"
       setting_twofa: Zwei-Faktor-Authentifizierung
       twofa__totp__name: Authentifizierungs-App
       twofa__totp__text_pairing_info_html: 'Bitte scannen Sie diesen QR-Code oder verwenden Sie den Klartext-Schlüssel in einer TOTP-kompatiblen Authentifizierungs-App (z.B. <a href="https://support.google.com/accounts/answer/1066447?hl=de">Google Authenticator</a>, <a href="https://authy.com/download/">Authy</a>, <a href="https://guide.duo.com/third-party-accounts">Duo Mobile</a>). Anschließend geben Sie bitte den in der App generierten Code unten ein.'
       twofa__totp__label_plain_text_key: Klartext-Schlüssel
       twofa__totp__label_activate: 'Authentifizierungs-App aktivieren'
       twofa_currently_active: "Aktiv: %{twofa_scheme_name}"
       twofa_not_active: "Nicht aktiv"
       twofa_label_code: Code
       twofa_label_setup: Zwei-Faktor-Authentifizierung einrichten
       twofa_label_deactivation_confirmation: Zwei-Faktor-Authentifizierung abschalten
       twofa_activated: Zwei-Faktor-Authentifizierung erfolgreich eingerichtet.
       twofa_deactivated: Zwei-Faktor-Authentifizierung abgeschaltet.
       twofa_mail_body_security_notification_paired: "Zwei-Faktor-Authentifizierung per %{field} eingerichtet."
       twofa_mail_body_security_notification_unpaired: "Zwei-Faktor-Authentifizierung für Ihr Konto abgeschaltet."
       twofa_invalid_code: Der eingegebene Code ist ungültig oder abgelaufen.
       twofa_label_enter_otp: Bitte geben Sie Ihren Code für die Zwei-Faktor-Authentifizierung ein.
       twofa_too_many_tries: Zu viele Versuche.
       twofa_resend_code: Code erneut senden
       twofa_code_sent: Ein Code für die Zwei-Faktor-Authentifizierung wurde Ihnen zugesendet.

       button_back: Back
       button_cancel: Cancel
       button_activate: Activate
       button_disable: Disable
       button_sort: Sort
       button_log_time: Log time
       button_rollback: Rollback to this version
-...
       description_issue_category_reassign: Choose issue category
       description_wiki_subpages_reassign: Choose new parent page
       text_repository_identifier_info: 'Only lower case letters (a-z), numbers, dashes and underscores are allowed.<br />Once saved, the identifier cannot be changed.'
       setting_twofa: Two-factor authentication
       twofa__totp__name: Authenticator app
       twofa__totp__text_pairing_info_html: 'Scan this QR code or enter the plain text key into a TOTP app (e.g. <a href="https://support.google.com/accounts/answer/1066447">Google Authenticator</a>, <a href="https://authy.com/download/">Authy</a>, <a href="https://guide.duo.com/third-party-accounts">Duo Mobile</a>) and enter the code in the field below to activate two-factor authentication.'
       twofa__totp__label_plain_text_key: Plain text key
       twofa__totp__label_activate: 'Enable authenticator app'
       twofa_currently_active: "Currently active: %{twofa_scheme_name}"
       twofa_not_active: "Not activated"
       twofa_label_code: Code
       twofa_label_setup: Enable two-factor authentication
       twofa_label_deactivation_confirmation: Disable two-factor authentication
       twofa_activated: Two-factor authentication successfully enabled.
       twofa_deactivated: Two-factor authentication disabled.
       twofa_mail_body_security_notification_paired: "Two-factor authentication successfully enabled using %{field}."
       twofa_mail_body_security_notification_unpaired: "Two-factor authentication disabled for your account."
       twofa_invalid_code: Code is invalid or outdated.
       twofa_label_enter_otp: Please enter your two-factor authentication code.
       twofa_too_many_tries: Too many tries.
       twofa_resend_code: Resend code
       twofa_code_sent: An authentication code has been sent to you.

       match 'login', :to => 'account#login', :as => 'signin', :via => [:get, :post]
       match 'logout', :to => 'account#logout', :as => 'signout', :via => [:get, :post]
       match 'account/twofa/confirm', :to => 'account#twofa_confirm', :via => :get
       match 'account/twofa/resend', :to => 'account#twofa_resend', :via => :post
       match 'account/twofa', :to => 'account#twofa', :via => [:get, :post]
       match 'account/register', :to => 'account#register', :via => [:get, :post], :as => 'register'
       match 'account/lost_password', :to => 'account#lost_password', :via => [:get, :post], :as => 'lost_password'
       match 'account/activate', :to => 'account#activate', :via => :get
-...
       match 'my/add_block', :controller => 'my', :action => 'add_block', :via => :post
       match 'my/remove_block', :controller => 'my', :action => 'remove_block', :via => :post
       match 'my/order_blocks', :controller => 'my', :action => 'order_blocks', :via => :post
       match 'my/twofa/:scheme/activate/init', :controller => 'twofa', :action => 'activate_init', :via => :post
       match 'my/twofa/:scheme/activate/confirm', :controller => 'twofa', :action => 'activate_confirm', :via => :get
       match 'my/twofa/:scheme/activate', :controller => 'twofa', :action => 'activate', :via => [:get, :post]
       match 'my/twofa/:scheme/deactivate/init', :controller => 'twofa', :action => 'deactivate_init', :via => :post
       match 'my/twofa/:scheme/deactivate/confirm', :controller => 'twofa', :action => 'deactivate_confirm', :via => :get
       match 'my/twofa/:scheme/deactivate', :controller => 'twofa', :action => 'deactivate', :via => [:get, :post]
       match 'users/:user_id/twofa/deactivate', :controller => 'twofa', :action => 'admin_deactivate', :via => :post
       resources :users do
         resources :memberships, :controller => 'principal_memberships'
-...
             end
           end
         end
         match 'wiki/index', :controller => 'wiki', :action => 'index', :via => :get
         resources :wiki, :except => [:index, :create], :as => 'wiki_page' do
           member do

db/migrate/20170711134351_add_twofa_scheme_to_user.rb
	1	class AddTwofaSchemeToUser < ActiveRecord::Migration[4.2]
	2	def change
	3	add_column :users, :twofa_scheme, :string
	4	end
	5	end

db/migrate/20170711134352_add_totp_to_user.rb
	1	class AddTotpToUser < ActiveRecord::Migration[4.2]
	2	def change
	3	add_column :users, :twofa_totp_key, :string
	4	add_column :users, :twofa_totp_last_used_at, :integer
	5	end
	6	end

     module Redmine
       module Twofa
         def self.register_scheme(name, klass)
           initialize_schemes
           @@schemes[name] = klass
         end
         def self.available_schemes
           schemes.keys
         end
         def self.for_twofa_scheme(name)
           schemes[name]
         end
         def self.for_user(user)
           for_twofa_scheme(user.twofa_scheme).try(:new, user)
         end
         private
         def self.schemes
           initialize_schemes
           @@schemes
         end
         def self.initialize_schemes
           @@schemes ||= { }
           scan_builtin_schemes if @@schemes.blank?
         end
         def self.scan_builtin_schemes
           Dir[Rails.root.join('lib', 'redmine', 'twofa', '*.rb')].each do |file|
             require_dependency file
           end
         end
       end
     end

     module Redmine
       module Twofa
         class Base
           def self.inherited(child)
             # require-ing a Base subclass will register it as a 2FA scheme
             Redmine::Twofa.register_scheme(scheme_name(child), child)
           end
           def self.scheme_name(klass = self)
             klass.name.demodulize.underscore
           end
           def scheme_name
             self.class.scheme_name
           end
           def initialize(user)
             @user = user
           end
           def init_pairing!
             @user
           end
           def confirm_pairing!(code)
             # make sure an otp is used
             if verify_otp!(code)
               @user.update!(twofa_scheme: scheme_name)
               deliver_twofa_paired
               return true
             else
               return false
             end
           end
           def deliver_twofa_paired
             Mailer.security_notification(
               @user,
+              {
                 title: :label_my_account,
                 message: 'twofa_mail_body_security_notification_paired',
                 # (mis-)use field here as value wouldn't get localized
                 field: "twofa__#{scheme_name}__name",
                 url: { controller: 'my', action: 'account' }
+              }
             ).deliver
           end
           def destroy_pairing!(code)
             if verify!(code)
               destroy_pairing_without_verify!
               return true
             else
               return false
             end
           end
           def destroy_pairing_without_verify!
             @user.update!(twofa_scheme: nil)
             deliver_twofa_unpaired
           end
           def deliver_twofa_unpaired
             Mailer.security_notification(
               @user,
+              {
                 title: :label_my_account,
                 message: 'twofa_mail_body_security_notification_unpaired',
                 url: { controller: 'my', action: 'account' }
+              }
             ).deliver
           end
           def send_code(controller: nil, action: nil)
             # return true only if the scheme sends a code to the user
             false
           end
           def verify!(code)
             verify_otp!(code)
           end
           def verify_otp!(code)
             raise 'not implemented'
           end
           # this will only be used on pairing initialization
           def init_pairing_view_variables
             otp_confirm_view_variables
           end
           def otp_confirm_view_variables
+            {
               scheme_name: scheme_name,
               resendable: false
+            }
           end
           private
           def allowed_drift
           end
         end
       end
     end

     module Redmine
       module Twofa
         class Totp < Base
           def init_pairing!
             @user.update!(twofa_totp_key: ROTP::Base32.random_base32)
             # reset the cached totp as the key might have changed
             @totp = nil
             super
           end
           def destroy_pairing_without_verify!
             @user.update!(twofa_totp_key: nil, twofa_totp_last_used_at: nil)
             # reset the cached totp as the key might have changed
             @totp = nil
             super
           end
           def verify_otp!(code)
             # topt codes are white-space-insensitive
             code = code.to_s.remove(/[[:space:]]/)
             last_verified_at = @user.twofa_totp_last_used_at
             verified_at = totp.verify_with_drift_and_prior(code.to_s, allowed_drift, last_verified_at)
             if verified_at
               @user.update!(twofa_totp_last_used_at: verified_at)
               return true
             else
               return false
             end
           end
           def provisioning_uri
             totp.provisioning_uri(@user.mail)
           end
           def init_pairing_view_variables
             super.merge({
               provisioning_uri: provisioning_uri,
               totp_key: @user.twofa_totp_key
             })
           end
           private
           def totp
             @totp ||= ROTP::TOTP.new(@user.twofa_totp_key, issuer: Setting.app_title)
           end
         end
       end
     end

     #login-form a.lost_password {float:right; font-weight:normal;}
     #login-form input#openid_url {background:#fff url(../images/openid-bg.gif) no-repeat 4px 50%; padding-left:24px !important;}
     #login-form input#login-submit {margin-top:15px; padding:7px; display:block; width:100%; box-sizing: border-box;}
     #login-form h3 {text-align: center;}
     div.modal { border-radius:5px; background:#fff; z-index:50; padding:4px;}
     div.modal h3.title {display:none;}
-...
     .tabular input, .tabular select {max-width:95%}
     .tabular textarea {width:95%; resize:vertical;}
     input#twofa_code, img#twofa_code { width: 140px; }
     .tabular label{
       font-weight: bold;

       #login-form input#username,
       #login-form input#password,
       #login-form input#openid_url {
       #login-form input#openid_url,
       #login-form input#twofa_code {
         width: 100%;
         height: auto;
+      }

Project

General

Profile

Redmine

Feature #1237 » 0001-2-factor-authentication-using-TOTP.patch