Feature #1237 » 0001-adds-two-factor-authentication-support.patch
Gemfile | ||
---|---|---|
18 | 18 |
# Windows does not include zoneinfo files, so bundle the tzinfo-data gem |
19 | 19 |
gem 'tzinfo-data', platforms: [:mingw, :x64_mingw, :mswin] |
20 | 20 | |
21 |
# TOTP-based 2-factor authentication |
|
22 |
gem 'rotp' |
|
23 |
gem 'rqrcode' |
|
24 | ||
21 | 25 |
# Optional gem for LDAP authentication |
22 | 26 |
group :ldap do |
23 | 27 |
gem "net-ldap", "~> 0.16.0" |
app/controllers/account_controller.rb | ||
---|---|---|
204 | 204 |
redirect_to(home_url) |
205 | 205 |
end |
206 | 206 | |
207 |
before_action :require_active_twofa, :twofa_setup, only: [:twofa_resend, :twofa_confirm, :twofa] |
|
208 |
before_action :prevent_twofa_session_replay, only: [:twofa_resend, :twofa] |
|
209 | ||
210 |
def twofa_resend |
|
211 |
# otp resends count toward the maximum of 3 otp entry tries per password entry |
|
212 |
if session[:twofa_tries_counter] > 3 |
|
213 |
destroy_twofa_session |
|
214 |
flash[:error] = l('twofa_too_many_tries') |
|
215 |
redirect_to home_url |
|
216 |
else |
|
217 |
if @twofa.send_code(controller: 'account', action: 'twofa') |
|
218 |
flash[:notice] = l('twofa_code_sent') |
|
219 |
end |
|
220 |
redirect_to account_twofa_confirm_path |
|
221 |
end |
|
222 |
end |
|
223 | ||
224 |
def twofa_confirm |
|
225 |
@twofa_view = @twofa.otp_confirm_view_variables |
|
226 |
end |
|
227 | ||
228 |
def twofa |
|
229 |
if @twofa.verify!(params[:twofa_code].to_s) |
|
230 |
destroy_twofa_session |
|
231 |
handle_active_user(@user) |
|
232 |
# allow at most 3 otp entry tries per successfull password entry |
|
233 |
# this allows using anti brute force techniques on the password entry to also |
|
234 |
# prevent brute force attacks on the one-time password |
|
235 |
elsif session[:twofa_tries_counter] > 3 |
|
236 |
destroy_twofa_session |
|
237 |
flash[:error] = l('twofa_too_many_tries') |
|
238 |
redirect_to home_url |
|
239 |
else |
|
240 |
flash[:error] = l('twofa_invalid_code') |
|
241 |
redirect_to account_twofa_confirm_path |
|
242 |
end |
|
243 |
end |
|
244 | ||
207 | 245 |
private |
208 | 246 | |
247 |
def prevent_twofa_session_replay |
|
248 |
renew_twofa_session(@user) |
|
249 |
end |
|
250 | ||
251 |
def twofa_setup |
|
252 |
# twofa sessions are only valid 2 minutes at a time |
|
253 |
twomind = 0.0014 # a little more than 2 minutes in days |
|
254 |
@user = Token.find_active_user('twofa_session', session[:twofa_session_token].to_s, twomind) |
|
255 |
unless @user.present? |
|
256 |
destroy_twofa_session |
|
257 |
redirect_to home_url |
|
258 |
return |
|
259 |
end |
|
260 | ||
261 |
# copy back_url, autologin back to params where they are expected |
|
262 |
params[:back_url] ||= session[:twofa_back_url] |
|
263 |
params[:autologin] ||= session[:twofa_autologin] |
|
264 | ||
265 |
# set locale for the twofa user |
|
266 |
set_localization(@user) |
|
267 | ||
268 |
@twofa = Redmine::Twofa.for_user(@user) |
|
269 |
end |
|
270 | ||
271 |
def require_active_twofa |
|
272 |
Setting.twofa? ? true : deny_access |
|
273 |
end |
|
274 | ||
275 |
def setup_twofa_session(user, previous_tries=1) |
|
276 |
token = Token.create(user: user, action: 'twofa_session') |
|
277 |
session[:twofa_session_token] = token.value |
|
278 |
session[:twofa_tries_counter] = previous_tries |
|
279 |
session[:twofa_back_url] = params[:back_url] |
|
280 |
session[:twofa_autologin] = params[:autologin] |
|
281 |
end |
|
282 | ||
283 |
# Prevent replay attacks by using each twofa_session_token only for exactly one request |
|
284 |
def renew_twofa_session(user) |
|
285 |
twofa_tries = session[:twofa_tries_counter].to_i + 1 |
|
286 |
destroy_twofa_session |
|
287 |
setup_twofa_session(user, twofa_tries) |
|
288 |
end |
|
289 | ||
290 |
def destroy_twofa_session |
|
291 |
# make sure tokens can only be used once server-side to prevent replay attacks |
|
292 |
Token.find_token('twofa_session', session[:twofa_session_token].to_s).try(:delete) |
|
293 |
session[:twofa_session_token] = nil |
|
294 |
session[:twofa_tries_counter] = nil |
|
295 |
session[:twofa_back_url] = nil |
|
296 |
session[:twofa_autologin] = nil |
|
297 |
end |
|
298 | ||
209 | 299 |
def authenticate_user |
210 | 300 |
if Setting.openid? && using_open_id? |
211 | 301 |
open_id_authenticate(params[:openid_url]) |
... | ... | |
224 | 314 |
else |
225 | 315 |
# Valid user |
226 | 316 |
if user.active? |
227 |
successful_authentication(user) |
|
228 |
update_sudo_timestamp! # activate Sudo Mode |
|
317 |
if user.twofa_active? |
|
318 |
setup_twofa_session user |
|
319 |
twofa = Redmine::Twofa.for_user(user) |
|
320 |
if twofa.send_code(controller: 'account', action: 'twofa') |
|
321 |
flash[:notice] = l('twofa_code_sent') |
|
322 |
end |
|
323 |
redirect_to account_twofa_confirm_path |
|
324 |
else |
|
325 |
handle_active_user(user) |
|
326 |
end |
|
229 | 327 |
else |
230 | 328 |
handle_inactive_user(user) |
231 | 329 |
end |
232 | 330 |
end |
233 | 331 |
end |
234 | 332 | |
333 |
def handle_active_user(user) |
|
334 |
successful_authentication(user) |
|
335 |
update_sudo_timestamp! # activate Sudo Mode |
|
336 |
end |
|
337 | ||
235 | 338 |
def open_id_authenticate(openid_url) |
236 | 339 |
back_url = signin_url(:autologin => params[:autologin]) |
237 | 340 |
authenticate_with_open_id( |
app/controllers/twofa_controller.rb | ||
---|---|---|
1 |
class TwofaController < ApplicationController |
|
2 |
self.main_menu = false |
|
3 | ||
4 |
before_action :require_login |
|
5 |
before_action :require_admin, only: :admin_deactivate |
|
6 | ||
7 |
require_sudo_mode :activate_init, :deactivate_init |
|
8 | ||
9 |
before_action :activate_setup, only: [:activate_init, :activate_confirm, :activate] |
|
10 | ||
11 |
def activate_init |
|
12 |
@twofa.init_pairing! |
|
13 |
if @twofa.send_code(controller: 'twofa', action: 'activate') |
|
14 |
flash[:notice] = l('twofa_code_sent') |
|
15 |
end |
|
16 |
redirect_to action: :activate_confirm, scheme: @twofa.scheme_name |
|
17 |
end |
|
18 | ||
19 |
def activate_confirm |
|
20 |
@twofa_view = @twofa.init_pairing_view_variables |
|
21 |
end |
|
22 | ||
23 |
def activate |
|
24 |
if @twofa.confirm_pairing!(params[:twofa_code].to_s) |
|
25 |
flash[:notice] = l('twofa_activated') |
|
26 |
redirect_to my_account_path |
|
27 |
else |
|
28 |
flash[:error] = l('twofa_invalid_code') |
|
29 |
redirect_to action: :activate_confirm, scheme: @twofa.scheme_name |
|
30 |
end |
|
31 |
end |
|
32 | ||
33 |
before_action :deactivate_setup, only: [:deactivate_init, :deactivate_confirm, :deactivate] |
|
34 | ||
35 |
def deactivate_init |
|
36 |
if @twofa.send_code(controller: 'twofa', action: 'deactivate') |
|
37 |
flash[:notice] = l('twofa_code_sent') |
|
38 |
end |
|
39 |
redirect_to action: :deactivate_confirm, scheme: @twofa.scheme_name |
|
40 |
end |
|
41 | ||
42 |
def deactivate_confirm |
|
43 |
@twofa_view = @twofa.otp_confirm_view_variables |
|
44 |
end |
|
45 | ||
46 |
def deactivate |
|
47 |
if @twofa.destroy_pairing!(params[:twofa_code].to_s) |
|
48 |
flash[:notice] = l('twofa_deactivated') |
|
49 |
redirect_to my_account_path |
|
50 |
else |
|
51 |
flash[:error] = l('twofa_invalid_code') |
|
52 |
redirect_to action: :deactivate_confirm, scheme: @twofa.scheme_name |
|
53 |
end |
|
54 |
end |
|
55 | ||
56 |
def admin_deactivate |
|
57 |
@user = User.find(params[:user_id]) |
|
58 |
# do not allow administrators to unpair 2FA without confirmation for themselves |
|
59 |
(render_403; return false) if @user == User.current |
|
60 | ||
61 |
twofa = Redmine::Twofa.for_user(@user) |
|
62 |
twofa.destroy_pairing_without_verify! |
|
63 |
flash[:notice] = l('twofa_deactivated') |
|
64 |
redirect_to edit_user_path(@user) |
|
65 |
end |
|
66 | ||
67 |
private |
|
68 | ||
69 |
def activate_setup |
|
70 |
twofa_scheme = Redmine::Twofa.for_twofa_scheme(params[:scheme].to_s) |
|
71 | ||
72 |
unless twofa_scheme.present? |
|
73 |
redirect_to my_account_path |
|
74 |
return |
|
75 |
end |
|
76 |
@user = User.current |
|
77 |
@twofa = twofa_scheme.new(@user) |
|
78 |
end |
|
79 | ||
80 |
def deactivate_setup |
|
81 |
@user = User.current |
|
82 |
@twofa = Redmine::Twofa.for_user(@user) |
|
83 |
if params[:scheme].to_s != @twofa.scheme_name |
|
84 |
redirect_to my_account_path |
|
85 |
end |
|
86 |
end |
|
87 |
end |
app/models/user.rb | ||
---|---|---|
20 | 20 |
require "digest/sha1" |
21 | 21 | |
22 | 22 |
class User < Principal |
23 |
include Redmine::Ciphering |
|
23 | 24 |
include Redmine::SafeAttributes |
24 | 25 | |
25 | 26 |
# Different ways of displaying/sorting users |
... | ... | |
376 | 377 |
self |
377 | 378 |
end |
378 | 379 | |
380 |
def twofa_active? |
|
381 |
twofa_scheme.present? |
|
382 |
end |
|
383 | ||
379 | 384 |
def pref |
380 | 385 |
self.preference ||= UserPreference.new(:user => self) |
381 | 386 |
end |
... | ... | |
436 | 441 |
Token.where(:user_id => id, :action => 'autologin', :value => value).delete_all |
437 | 442 |
end |
438 | 443 | |
444 |
def twofa_totp_key |
|
445 |
read_ciphered_attribute(:twofa_totp_key) |
|
446 |
end |
|
447 | ||
448 |
def twofa_totp_key=(key) |
|
449 |
write_ciphered_attribute(:twofa_totp_key, key) |
|
450 |
end |
|
451 | ||
439 | 452 |
# Returns true if token is a valid session token for the user whose id is user_id |
440 | 453 |
def self.verify_session_token(user_id, token) |
441 | 454 |
return false if user_id.blank? || token.blank? |
app/views/account/twofa_confirm.html.erb | ||
---|---|---|
1 |
<div id="login-form"> |
|
2 | ||
3 |
<h3><%=l :setting_twofa %></h3> |
|
4 |
<p><%=l 'twofa_label_enter_otp' %></p> |
|
5 | ||
6 |
<%= form_tag({ action: 'twofa' }, |
|
7 |
{ id: 'twofa_form', |
|
8 |
onsubmit: 'return keepAnchorOnSignIn(this);' }) do -%> |
|
9 | ||
10 | ||
11 |
<label for="twofa_code"> |
|
12 |
<%=l 'twofa_label_code' -%> |
|
13 |
<%= link_to l('twofa_resend_code'), { controller: 'account', action: 'twofa_resend' }, method: :post, class: 'lost_password' if @twofa_view[:resendable] -%> |
|
14 |
</label> |
|
15 |
<%= text_field_tag :twofa_code, nil, tabindex: '1', autocomplete: 'off', autofocus: true -%> |
|
16 | ||
17 |
<%= submit_tag l(:button_login), tabindex: '2', id: 'login-submit', name: :submit_otp -%> |
|
18 |
<% end %> |
|
19 | ||
20 |
</div> |
app/views/my/_sidebar.html.erb | ||
---|---|---|
4 | 4 |
<%=l(:field_created_on)%>: <%= format_time(@user.created_on) %></p> |
5 | 5 | |
6 | 6 |
<% if @user.own_account_deletable? %> |
7 |
<p><%= link_to(l(:button_delete_my_account), {:action => 'destroy'}, :class => 'icon icon-del') %></p> |
|
7 |
<p><%= link_to(l(:button_delete_my_account), {:controller => 'my', :action => 'destroy'}, :class => 'icon icon-del') %></p>
|
|
8 | 8 |
<% end %> |
9 | 9 | |
10 | 10 |
<h4><%= l(:label_feeds_access_key) %></h4> |
app/views/my/account.html.erb | ||
---|---|---|
28 | 28 |
<% if Setting.openid? %> |
29 | 29 |
<p><%= f.text_field :identity_url %></p> |
30 | 30 |
<% end %> |
31 |
<p> |
|
32 |
<label><%=l :setting_twofa -%></label> |
|
33 |
<% if @user.twofa_active? %> |
|
34 |
<%=l 'twofa_currently_active', twofa_scheme_name: l("twofa__#{@user.twofa_scheme}__name") -%><br/> |
|
35 |
<%= link_to l('button_disable'), { controller: 'twofa', action: 'deactivate_init', scheme: @user.twofa_scheme }, method: :post -%><br/> |
|
36 |
<% else %> |
|
37 |
<% Redmine::Twofa.available_schemes.each do |s| %> |
|
38 |
<%= link_to l("twofa__#{s}__label_activate"), { controller: 'twofa', action: 'activate_init', scheme: s }, method: :post -%><br/> |
|
39 |
<% end %> |
|
40 |
<% end %> |
|
41 |
</p> |
|
31 | 42 | |
32 | 43 |
<% @user.custom_field_values.select(&:editable?).each do |value| %> |
33 | 44 |
<p><%= custom_field_tag_with_label :user, value %></p> |
app/views/twofa/activate_confirm.html.erb | ||
---|---|---|
1 |
<h2><%=l 'twofa_label_setup' -%></h2> |
|
2 | ||
3 |
<div class="splitcontentleft"> |
|
4 |
<%= form_tag({ action: :activate, |
|
5 |
scheme: @twofa_view[:scheme_name] }, |
|
6 |
{ method: :post, |
|
7 |
id: 'twofa_form' }) do -%> |
|
8 | ||
9 |
<div class="box"> |
|
10 |
<p><%=t "twofa__#{@twofa_view[:scheme_name]}__text_pairing_info_html" -%></p> |
|
11 |
<div class="tabular"> |
|
12 |
<%= render partial: "twofa/#{@twofa_view[:scheme_name]}/new", locals: { twofa_view: @twofa_view } -%> |
|
13 |
<p> |
|
14 |
<label for="twofa_code"><%=l 'twofa_label_code' -%></label> |
|
15 |
<%= text_field_tag :twofa_code, nil, autocomplete: 'off', autofocus: true -%> |
|
16 |
</p> |
|
17 |
</div> |
|
18 |
</div> |
|
19 | ||
20 |
<%= submit_tag l('button_activate'), name: :submit_otp -%> |
|
21 |
<%= link_to l('twofa_resend_code'), { action: 'activate_init', scheme: @twofa_view[:scheme_name] }, method: :post if @twofa_view[:resendable] -%> |
|
22 |
<% end %> |
|
23 |
</div> |
|
24 | ||
25 |
<% content_for :sidebar do %> |
|
26 |
<%= render :partial => 'my/sidebar' %> |
|
27 |
<% end %> |
app/views/twofa/deactivate_confirm.html.erb | ||
---|---|---|
1 |
<h2><%=l 'twofa_label_deactivation_confirmation' -%></h2> |
|
2 | ||
3 |
<div class="splitcontentleft"> |
|
4 |
<%= form_tag({ action: :deactivate, |
|
5 |
scheme: @twofa_view[:scheme_name] }, |
|
6 |
{ method: :post, |
|
7 |
id: 'twofa_form' }) do -%> |
|
8 |
<div class="box"> |
|
9 | ||
10 |
<p><%=l 'twofa_label_enter_otp' %></p> |
|
11 |
<div class="tabular"> |
|
12 |
<p> |
|
13 |
<label for="twofa_code"><%=l 'twofa_label_code' -%></label> |
|
14 |
<%= text_field_tag :twofa_code, nil, autocomplete: 'off' -%> |
|
15 |
</p> |
|
16 |
</div> |
|
17 |
</div> |
|
18 |
<%= submit_tag l('button_disable'), name: :submit_otp -%> |
|
19 |
<%= link_to l('twofa_resend_code'), { action: 'deactivate_init', scheme: @twofa_view[:scheme_name] }, method: :post if @twofa_view[:resendable] -%> |
|
20 |
<% end %> |
|
21 |
</div> |
|
22 | ||
23 |
<% content_for :sidebar do %> |
|
24 |
<%= render :partial => 'my/sidebar' %> |
|
25 |
<% end %> |
app/views/twofa/totp/_new.html.erb | ||
---|---|---|
1 |
<p> |
|
2 |
<label> </label> |
|
3 |
<%= image_tag RQRCode::QRCode.new(twofa_view[:provisioning_uri]).as_png(fill: ChunkyPNG::Color::TRANSPARENT, resize_exactly_to: 280, border_modules: 0).to_data_url, id: 'twofa_code' -%> |
|
4 |
</p> |
|
5 |
<p> |
|
6 |
<label><%=l 'twofa__totp__label_plain_text_key' -%></label> |
|
7 |
<code><%= twofa_view[:totp_key].scan(/.{4}/).join(' ') -%></code> |
|
8 |
</p> |
app/views/users/_form.html.erb | ||
---|---|---|
37 | 37 |
<p><%= f.check_box :generate_password %></p> |
38 | 38 |
<p><%= f.check_box :must_change_passwd %></p> |
39 | 39 |
</div> |
40 |
<p> |
|
41 |
<label><%=l :setting_twofa -%></label> |
|
42 |
<% if @user.twofa_active? %> |
|
43 |
<%=l 'twofa_currently_active', twofa_scheme_name: l("twofa__#{@user.twofa_scheme}__name") -%><br/> |
|
44 |
<% if @user == User.current # administrators cannot deactivate their own 2FA without confirmation code %> |
|
45 |
<%= link_to l('button_disable'), { controller: 'twofa', action: 'deactivate_init', scheme: @user.twofa_scheme }, method: :post -%> |
|
46 |
<% else %> |
|
47 |
<%= link_to l('button_disable'), { controller: 'twofa', action: 'admin_deactivate', user_id: @user }, method: :post -%> |
|
48 |
<% end %> |
|
49 |
<% else %> |
|
50 |
<%=l 'twofa_not_active' %> |
|
51 |
<% end %> |
|
52 |
</p> |
|
40 | 53 |
</fieldset> |
41 | 54 |
</div> |
42 | 55 |
config/locales/de.yml | ||
---|---|---|
152 | 152 |
actionview_instancetag_blank_option: Bitte auswählen |
153 | 153 | |
154 | 154 |
button_activate: Aktivieren |
155 |
button_disable: Deaktivieren |
|
155 | 156 |
button_add: Hinzufügen |
156 | 157 |
button_annotate: Annotieren |
157 | 158 |
button_apply: Anwenden |
... | ... | |
1288 | 1289 |
label_issue_history_properties: Property changes |
1289 | 1290 |
label_issue_history_notes: Notes |
1290 | 1291 |
label_last_tab_visited: Last visited tab |
1292 |
setting_twofa: Zwei-Faktor-Authentifizierung |
|
1293 |
twofa__totp__name: Authentifizierungs-App |
|
1294 |
twofa__totp__text_pairing_info_html: 'Bitte scannen Sie diesen QR-Code oder verwenden Sie den Klartext-Schlüssel in einer TOTP-kompatiblen Authentifizierungs-App (z.B. <a href="https://support.google.com/accounts/answer/1066447?hl=de">Google Authenticator</a>, <a href="https://authy.com/download/">Authy</a>, <a href="https://guide.duo.com/third-party-accounts">Duo Mobile</a>). Anschließend geben Sie bitte den in der App generierten Code unten ein.' |
|
1295 |
twofa__totp__label_plain_text_key: Klartext-Schlüssel |
|
1296 |
twofa__totp__label_activate: 'Authentifizierungs-App aktivieren' |
|
1297 |
twofa_currently_active: "Aktiv: %{twofa_scheme_name}" |
|
1298 |
twofa_not_active: "Nicht aktiv" |
|
1299 |
twofa_label_code: Code |
|
1300 |
twofa_label_setup: Zwei-Faktor-Authentifizierung einrichten |
|
1301 |
twofa_label_deactivation_confirmation: Zwei-Faktor-Authentifizierung abschalten |
|
1302 |
twofa_activated: Zwei-Faktor-Authentifizierung erfolgreich eingerichtet. |
|
1303 |
twofa_deactivated: Zwei-Faktor-Authentifizierung abgeschaltet. |
|
1304 |
twofa_mail_body_security_notification_paired: "Zwei-Faktor-Authentifizierung per %{field} eingerichtet." |
|
1305 |
twofa_mail_body_security_notification_unpaired: "Zwei-Faktor-Authentifizierung für Ihr Konto abgeschaltet." |
|
1306 |
twofa_invalid_code: Der eingegebene Code ist ungültig oder abgelaufen. |
|
1307 |
twofa_label_enter_otp: Bitte geben Sie Ihren Code für die Zwei-Faktor-Authentifizierung ein. |
|
1308 |
twofa_too_many_tries: Zu viele Versuche. |
|
1309 |
twofa_resend_code: Code erneut senden |
|
1310 |
twofa_code_sent: Ein Code für die Zwei-Faktor-Authentifizierung wurde Ihnen zugesendet. |
config/locales/en.yml | ||
---|---|---|
1089 | 1089 |
button_back: Back |
1090 | 1090 |
button_cancel: Cancel |
1091 | 1091 |
button_activate: Activate |
1092 |
button_disable: Disable |
|
1092 | 1093 |
button_sort: Sort |
1093 | 1094 |
button_log_time: Log time |
1094 | 1095 |
button_rollback: Rollback to this version |
... | ... | |
1266 | 1267 |
label_login_required_no: "No, allow anonymous access to public projects" |
1267 | 1268 |
text_project_is_public_non_member: Public projects and their contents are available to all logged-in users. |
1268 | 1269 |
text_project_is_public_anonymous: Public projects and their contents are openly available on the network. |
1270 | ||
1271 |
setting_twofa: Two-factor authentication |
|
1272 |
twofa__totp__name: Authenticator app |
|
1273 |
twofa__totp__text_pairing_info_html: 'Scan this QR code or enter the plain text key into a TOTP app (e.g. <a href="https://support.google.com/accounts/answer/1066447">Google Authenticator</a>, <a href="https://authy.com/download/">Authy</a>, <a href="https://guide.duo.com/third-party-accounts">Duo Mobile</a>) and enter the code in the field below to activate two-factor authentication.' |
|
1274 |
twofa__totp__label_plain_text_key: Plain text key |
|
1275 |
twofa__totp__label_activate: 'Enable authenticator app' |
|
1276 |
twofa_currently_active: "Currently active: %{twofa_scheme_name}" |
|
1277 |
twofa_not_active: "Not activated" |
|
1278 |
twofa_label_code: Code |
|
1279 |
twofa_label_setup: Enable two-factor authentication |
|
1280 |
twofa_label_deactivation_confirmation: Disable two-factor authentication |
|
1281 |
twofa_activated: Two-factor authentication successfully enabled. |
|
1282 |
twofa_deactivated: Two-factor authentication disabled. |
|
1283 |
twofa_mail_body_security_notification_paired: "Two-factor authentication successfully enabled using %{field}." |
|
1284 |
twofa_mail_body_security_notification_unpaired: "Two-factor authentication disabled for your account." |
|
1285 |
twofa_invalid_code: Code is invalid or outdated. |
|
1286 |
twofa_label_enter_otp: Please enter your two-factor authentication code. |
|
1287 |
twofa_too_many_tries: Too many tries. |
|
1288 |
twofa_resend_code: Resend code |
|
1289 |
twofa_code_sent: An authentication code has been sent to you. |
config/routes.rb | ||
---|---|---|
22 | 22 | |
23 | 23 |
match 'login', :to => 'account#login', :as => 'signin', :via => [:get, :post] |
24 | 24 |
match 'logout', :to => 'account#logout', :as => 'signout', :via => [:get, :post] |
25 |
match 'account/twofa/confirm', :to => 'account#twofa_confirm', :via => :get |
|
26 |
match 'account/twofa/resend', :to => 'account#twofa_resend', :via => :post |
|
27 |
match 'account/twofa', :to => 'account#twofa', :via => [:get, :post] |
|
25 | 28 |
match 'account/register', :to => 'account#register', :via => [:get, :post], :as => 'register' |
26 | 29 |
match 'account/lost_password', :to => 'account#lost_password', :via => [:get, :post], :as => 'lost_password' |
27 | 30 |
match 'account/activate', :to => 'account#activate', :via => :get |
... | ... | |
84 | 87 |
match 'my/add_block', :controller => 'my', :action => 'add_block', :via => :post |
85 | 88 |
match 'my/remove_block', :controller => 'my', :action => 'remove_block', :via => :post |
86 | 89 |
match 'my/order_blocks', :controller => 'my', :action => 'order_blocks', :via => :post |
90 |
match 'my/twofa/:scheme/activate/init', :controller => 'twofa', :action => 'activate_init', :via => :post |
|
91 |
match 'my/twofa/:scheme/activate/confirm', :controller => 'twofa', :action => 'activate_confirm', :via => :get |
|
92 |
match 'my/twofa/:scheme/activate', :controller => 'twofa', :action => 'activate', :via => [:get, :post] |
|
93 |
match 'my/twofa/:scheme/deactivate/init', :controller => 'twofa', :action => 'deactivate_init', :via => :post |
|
94 |
match 'my/twofa/:scheme/deactivate/confirm', :controller => 'twofa', :action => 'deactivate_confirm', :via => :get |
|
95 |
match 'my/twofa/:scheme/deactivate', :controller => 'twofa', :action => 'deactivate', :via => [:get, :post] |
|
96 |
match 'users/:user_id/twofa/deactivate', :controller => 'twofa', :action => 'admin_deactivate', :via => :post |
|
87 | 97 | |
88 | 98 |
resources :users do |
89 | 99 |
resources :memberships, :controller => 'principal_memberships' |
db/migrate/20170711134351_add_twofa_scheme_to_user.rb | ||
---|---|---|
1 |
class AddTwofaSchemeToUser < ActiveRecord::Migration[4.2] |
|
2 |
def change |
|
3 |
add_column :users, :twofa_scheme, :string |
|
4 |
end |
|
5 |
end |
db/migrate/20170711134352_add_totp_to_user.rb | ||
---|---|---|
1 |
class AddTotpToUser < ActiveRecord::Migration[4.2] |
|
2 |
def change |
|
3 |
add_column :users, :twofa_totp_key, :string |
|
4 |
add_column :users, :twofa_totp_last_used_at, :integer |
|
5 |
end |
|
6 |
end |
lib/redmine/twofa.rb | ||
---|---|---|
1 |
module Redmine |
|
2 |
module Twofa |
|
3 |
def self.register_scheme(name, klass) |
|
4 |
initialize_schemes |
|
5 |
@@schemes[name] = klass |
|
6 |
end |
|
7 | ||
8 |
def self.available_schemes |
|
9 |
schemes.keys |
|
10 |
end |
|
11 | ||
12 |
def self.for_twofa_scheme(name) |
|
13 |
schemes[name] |
|
14 |
end |
|
15 | ||
16 |
def self.for_user(user) |
|
17 |
for_twofa_scheme(user.twofa_scheme).try(:new, user) |
|
18 |
end |
|
19 | ||
20 |
private |
|
21 | ||
22 |
def self.schemes |
|
23 |
initialize_schemes |
|
24 |
@@schemes |
|
25 |
end |
|
26 | ||
27 |
def self.initialize_schemes |
|
28 |
@@schemes ||= { } |
|
29 |
scan_builtin_schemes if @@schemes.blank? |
|
30 |
end |
|
31 | ||
32 |
def self.scan_builtin_schemes |
|
33 |
Dir[Rails.root.join('lib', 'redmine', 'twofa', '*.rb')].each do |file| |
|
34 |
require_dependency file |
|
35 |
end |
|
36 |
end |
|
37 |
end |
|
38 |
end |
lib/redmine/twofa/base.rb | ||
---|---|---|
1 |
module Redmine |
|
2 |
module Twofa |
|
3 |
class Base |
|
4 |
def self.inherited(child) |
|
5 |
# require-ing a Base subclass will register it as a 2FA scheme |
|
6 |
Redmine::Twofa.register_scheme(scheme_name(child), child) |
|
7 |
end |
|
8 | ||
9 |
def self.scheme_name(klass = self) |
|
10 |
klass.name.demodulize.underscore |
|
11 |
end |
|
12 | ||
13 |
def scheme_name |
|
14 |
self.class.scheme_name |
|
15 |
end |
|
16 | ||
17 |
def initialize(user) |
|
18 |
@user = user |
|
19 |
end |
|
20 | ||
21 |
def init_pairing! |
|
22 |
@user |
|
23 |
end |
|
24 | ||
25 |
def confirm_pairing!(code) |
|
26 |
# make sure an otp is used |
|
27 |
if verify_otp!(code) |
|
28 |
@user.update!(twofa_scheme: scheme_name) |
|
29 |
deliver_twofa_paired |
|
30 |
return true |
|
31 |
else |
|
32 |
return false |
|
33 |
end |
|
34 |
end |
|
35 | ||
36 |
def deliver_twofa_paired |
|
37 |
Mailer.security_notification( |
|
38 |
@user, |
|
39 |
User.current, |
|
40 |
{ |
|
41 |
title: :label_my_account, |
|
42 |
message: 'twofa_mail_body_security_notification_paired', |
|
43 |
# (mis-)use field here as value wouldn't get localized |
|
44 |
field: "twofa__#{scheme_name}__name", |
|
45 |
url: { controller: 'my', action: 'account' } |
|
46 |
} |
|
47 |
).deliver |
|
48 |
end |
|
49 | ||
50 |
def destroy_pairing!(code) |
|
51 |
if verify!(code) |
|
52 |
destroy_pairing_without_verify! |
|
53 |
return true |
|
54 |
else |
|
55 |
return false |
|
56 |
end |
|
57 |
end |
|
58 | ||
59 |
def destroy_pairing_without_verify! |
|
60 |
@user.update!(twofa_scheme: nil) |
|
61 |
deliver_twofa_unpaired |
|
62 |
end |
|
63 | ||
64 |
def deliver_twofa_unpaired |
|
65 |
Mailer.security_notification( |
|
66 |
@user, |
|
67 |
User.current, |
|
68 |
{ |
|
69 |
title: :label_my_account, |
|
70 |
message: 'twofa_mail_body_security_notification_unpaired', |
|
71 |
url: { controller: 'my', action: 'account' } |
|
72 |
} |
|
73 |
).deliver |
|
74 |
end |
|
75 | ||
76 |
def send_code(controller: nil, action: nil) |
|
77 |
# return true only if the scheme sends a code to the user |
|
78 |
false |
|
79 |
end |
|
80 | ||
81 |
def verify!(code) |
|
82 |
verify_otp!(code) |
|
83 |
end |
|
84 | ||
85 |
def verify_otp!(code) |
|
86 |
raise 'not implemented' |
|
87 |
end |
|
88 | ||
89 |
# this will only be used on pairing initialization |
|
90 |
def init_pairing_view_variables |
|
91 |
otp_confirm_view_variables |
|
92 |
end |
|
93 | ||
94 |
def otp_confirm_view_variables |
|
95 |
{ |
|
96 |
scheme_name: scheme_name, |
|
97 |
resendable: false |
|
98 |
} |
|
99 |
end |
|
100 | ||
101 |
private |
|
102 | ||
103 |
def allowed_drift |
|
104 |
30 |
|
105 |
end |
|
106 |
end |
|
107 |
end |
|
108 |
end |
lib/redmine/twofa/totp.rb | ||
---|---|---|
1 |
module Redmine |
|
2 |
module Twofa |
|
3 |
class Totp < Base |
|
4 |
def init_pairing! |
|
5 |
@user.update!(twofa_totp_key: ROTP::Base32.random) |
|
6 |
# reset the cached totp as the key might have changed |
|
7 |
@totp = nil |
|
8 |
super |
|
9 |
end |
|
10 | ||
11 |
def destroy_pairing_without_verify! |
|
12 |
@user.update!(twofa_totp_key: nil, twofa_totp_last_used_at: nil) |
|
13 |
# reset the cached totp as the key might have changed |
|
14 |
@totp = nil |
|
15 |
super |
|
16 |
end |
|
17 | ||
18 |
def verify_otp!(code) |
|
19 |
# topt codes are white-space-insensitive |
|
20 |
code = code.to_s.remove(/[[:space:]]/) |
|
21 |
last_verified_at = @user.twofa_totp_last_used_at |
|
22 |
verified_at = totp.verify(code.to_s, drift_behind: allowed_drift, after: last_verified_at) |
|
23 |
if verified_at |
|
24 |
@user.update!(twofa_totp_last_used_at: verified_at) |
|
25 |
return true |
|
26 |
else |
|
27 |
return false |
|
28 |
end |
|
29 |
end |
|
30 | ||
31 |
def provisioning_uri |
|
32 |
totp.provisioning_uri(@user.mail) |
|
33 |
end |
|
34 | ||
35 |
def init_pairing_view_variables |
|
36 |
super.merge({ |
|
37 |
provisioning_uri: provisioning_uri, |
|
38 |
totp_key: @user.twofa_totp_key |
|
39 |
}) |
|
40 |
end |
|
41 | ||
42 |
private |
|
43 | ||
44 |
def totp |
|
45 |
@totp ||= ROTP::TOTP.new(@user.twofa_totp_key, issuer: Setting.app_title) |
|
46 |
end |
|
47 |
end |
|
48 |
end |
|
49 |
end |
public/stylesheets/application.css | ||
---|---|---|
108 | 108 |
#login-form input[type=text], #login-form input[type=password] {margin-bottom: 15px;} |
109 | 109 |
#login-form a.lost_password {float:right; font-weight:normal;} |
110 | 110 |
#login-form input#openid_url {background:#fff url(../images/openid-bg.gif) no-repeat 4px 50%; padding-left:24px !important;} |
111 |
#login-form h3 {text-align: center;} |
|
111 | 112 | |
112 | 113 |
div.modal { border-radius:5px; background:#fff; z-index:50; padding:4px;} |
113 | 114 |
div.modal h3.title {display:none;} |
... | ... | |
748 | 749 | |
749 | 750 |
.tabular input, .tabular select {max-width:95%} |
750 | 751 |
.tabular textarea {width:95%; resize:vertical;} |
752 |
input#twofa_code, img#twofa_code { width: 140px; } |
|
751 | 753 | |
752 | 754 |
.tabular label{ |
753 | 755 |
font-weight: bold; |
public/stylesheets/responsive.css | ||
---|---|---|
664 | 664 | |
665 | 665 |
#login-form input#username, |
666 | 666 |
#login-form input#password, |
667 |
#login-form input#openid_url { |
|
667 |
#login-form input#openid_url, |
|
668 |
#login-form input#twofa_code { |
|
668 | 669 |
width: 100%; |
669 | 670 |
height: auto; |
670 | 671 |
} |