0002-adds-a-setting-to-disable-enable-require-2fa-auth-r18593.patch

Go MAEDA, 2019-10-05 10:44

Download (12.6 KB)

View differences:

app/controllers/application_controller.rb
56 56
    end
57 57
  end
58 58

  
59
  before_action :session_expiration, :user_setup, :check_if_login_required, :set_localization, :check_password_change
59
  before_action :session_expiration, :user_setup, :check_if_login_required, :set_localization, :check_password_change, :check_twofa_activation
60 60
  after_action :record_project_usage
61 61

  
62 62
  rescue_from ::Unauthorized, :with => :deny_access
......
89 89
    if user.must_change_password?
90 90
      session[:pwd] = '1'
91 91
    end
92
    if user.must_activate_twofa?
93
      session[:must_activate_twofa] = '1'
94
    end
92 95
  end
93 96

  
94 97
  def user_setup
......
200 203
    end
201 204
  end
202 205

  
206
  def init_twofa_pairing_and_send_code_for(twofa)
207
    twofa.init_pairing!
208
    if twofa.send_code(controller: 'twofa', action: 'activate')
209
      flash[:notice] = l('twofa_code_sent')
210
    end
211
    redirect_to controller: 'twofa', action: 'activate_confirm', scheme: twofa.scheme_name
212
  end
213

  
214
  def check_twofa_activation
215
    if session[:must_activate_twofa]
216
      if User.current.must_activate_twofa?
217
        flash[:warning] = l('twofa_warning_require')
218
        if Redmine::Twofa.available_schemes.length == 1
219
          twofa_scheme = Redmine::Twofa.for_twofa_scheme(Redmine::Twofa.available_schemes.first)
220
          twofa = twofa_scheme.new(User.current)
221
          init_twofa_pairing_and_send_code_for(twofa)
222
        else
223
          redirect_to controller: 'twofa', action: 'select_scheme'
224
        end
225
      else
226
        session.delete(:must_activate_twofa)
227
      end
228
    end
229
  end
230

  
203 231
  def set_localization(user=User.current)
204 232
    lang = nil
205 233
    if user && user.logged?
app/controllers/twofa_controller.rb
23 23
  before_action :require_login
24 24
  before_action :require_admin, only: :admin_deactivate
25 25

  
26
  before_action :require_active_twofa
27

  
26 28
  require_sudo_mode :activate_init, :deactivate_init
27 29

  
30
  skip_before_action :check_twofa_activation, only: [:select_scheme, :activate_init, :activate_confirm, :activate]
31

  
32
  def select_scheme
33
    @user = User.current
34
  end
35

  
28 36
  before_action :activate_setup, only: [:activate_init, :activate_confirm, :activate]
29 37

  
30 38
  def activate_init
31
    @twofa.init_pairing!
32
    if @twofa.send_code(controller: 'twofa', action: 'activate')
33
      flash[:notice] = l('twofa_code_sent')
34
    end
35
    redirect_to action: :activate_confirm, scheme: @twofa.scheme_name
39
    init_twofa_pairing_and_send_code_for(@twofa)
36 40
  end
37 41

  
38 42
  def activate_confirm
......
103 107
      redirect_to my_account_path
104 108
    end
105 109
  end
110

  
111
  def require_active_twofa
112
    Setting.twofa? ? true : deny_access
113
  end
106 114
end
app/models/setting.rb
216 216
    s
217 217
  end
218 218

  
219
  def self.twofa_from_params(params)
220
    # unpair all current 2FA pairings when switching off 2FA
221
    Redmine::Twofa.unpair_all! if params == '0' && self.twofa?
222
    params
223
  end
224

  
219 225
  # Helper that returns an array based on per_page_options setting
220 226
  def self.per_page_options_array
221 227
    per_page_options.split(%r{[\s,]}).collect(&:to_i).select {|n| n > 0}.sort
app/models/user.rb
395 395
    twofa_scheme.present?
396 396
  end
397 397

  
398
  def must_activate_twofa?
399
    Setting.twofa == '2' && !twofa_active?
400
  end
401

  
398 402
  def pref
399 403
    self.preference ||= UserPreference.new(:user => self)
400 404
  end
app/views/my/account.html.erb
28 28
  <% if Setting.openid? %>
29 29
  <p><%= f.text_field :identity_url  %></p>
30 30
  <% end %>
31
  <% if Setting.twofa? -%>
31 32
  <p>
32 33
    <label><%=l :setting_twofa -%></label>
33 34
    <% if @user.twofa_active? %>
......
39 40
      <% end %>
40 41
    <% end %>
41 42
  </p>
43
  <% end -%>
42 44

  
43 45
  <% @user.custom_field_values.select(&:editable?).each do |value| %>
44 46
    <p><%= custom_field_tag_with_label :user, value %></p>
app/views/settings/_authentication.html.erb
28 28

  
29 29
<p><%= setting_check_box :lost_password %></p>
30 30

  
31
<p>
32
  <%= setting_select :twofa, [[l(:label_disabled), "0"],
33
                              [l(:label_optional), "1"],
34
                              [l(:label_required_lower), "2"]] -%>
35
  <em class="info">
36
    <%= t 'twofa_hint_disabled_html', label: t(:label_disabled) -%><br/>
37
    <%= t 'twofa_hint_required_html', label: t(:label_required_lower) -%>
38
  </em>
39
</p>
40

  
41

  
31 42
<p><%= setting_check_box :openid, :disabled => !Object.const_defined?(:OpenID) %></p>
32 43
</div>
33 44

  
app/views/twofa/activate_confirm.html.erb
22 22
  <% end %>
23 23
</div>
24 24

  
25
<% unless @user.must_activate_twofa? %>
25 26
<% content_for :sidebar do %>
26 27
<%= render :partial => 'my/sidebar' %>
27 28
<% end %>
29
<% end %>
app/views/twofa/select_scheme.html.erb
1
<%= title l('twofa_label_setup') %>
2

  
3
<%= form_tag({ controller: 'twofa', action: 'activate_init' }, method: :post) do %>
4
  <div class="box">
5
  <p><%=l 'twofa_notice_select' -%></p>
6
  <p>
7
  <% Redmine::Twofa.available_schemes.each_with_index do |s, idx| %>
8
    <label style="display:block;"><%= radio_button_tag 'scheme', s, idx == 0 -%> <%=l "twofa__#{s}__name" -%></label>
9
  <% end %>
10
  </p>
11
  </div>
12
  <p><%= submit_tag l(:label_next).html_safe + " &#187;".html_safe -%></p>
13
<% end %>
14

  
15
<% unless @user.must_activate_twofa? %>
16
<% content_for :sidebar do %>
17
<%= render partial: 'my/sidebar' %>
18
<% end %>
19
<% end %>
app/views/users/_form.html.erb
42 42
  <p><%= f.check_box :generate_password %></p>
43 43
  <p><%= f.check_box :must_change_passwd %></p>
44 44
  </div>
45
  <% if Setting.twofa? -%>
45 46
  <p>
46 47
    <label><%=l :setting_twofa -%></label>
47 48
    <% if @user.twofa_active? %>
......
55 56
      <%=l 'twofa_not_active' %>
56 57
    <% end %>
57 58
  </p>
59
  <% end -%>
58 60
</fieldset>
59 61
</div>
60 62

  
config/locales/de.yml
722 722
  label_repository_new: Neues Repository
723 723
  label_repository_plural: Repositories
724 724
  label_required: Erforderlich
725
  label_required_lower: erforderlich
725 726
  label_result_plural: Resultate
726 727
  label_reverse_chronological_order: in umgekehrter zeitlicher Reihenfolge
727 728
  label_revision: Revision
......
1307 1308
  twofa_currently_active: "Aktiv: %{twofa_scheme_name}"
1308 1309
  twofa_not_active: "Nicht aktiv"
1309 1310
  twofa_label_code: Code
1311
  twofa_hint_disabled_html: Die Einstellung <strong>%{label}</strong> deaktiviert Zwei-Faktor-Authentifizierung für alle Nutzer und löscht verbundene Apps.
1312
  twofa_hint_required_html: Die Einstellung <strong>%{label}</strong> fordert alle Nutzer bei ihrem nächsten Login dazu auf Zwei-Faktor-Authentifizierung einzurichten.
1310 1313
  twofa_label_setup: Zwei-Faktor-Authentifizierung einrichten
1311 1314
  twofa_label_deactivation_confirmation: Zwei-Faktor-Authentifizierung abschalten
1315
  twofa_notice_select: "Bitte wählen Sie Ihr gewünschtes Schema für die Zwei-Faktor-Authentifizierung:"
1316
  twofa_warning_require: Der Administrator fordert Sie dazu auf Zwei-Faktor-Authentifizierung einzurichten.
1312 1317
  twofa_activated: Zwei-Faktor-Authentifizierung erfolgreich eingerichtet.
1313 1318
  twofa_deactivated: Zwei-Faktor-Authentifizierung abgeschaltet.
1314 1319
  twofa_mail_body_security_notification_paired: "Zwei-Faktor-Authentifizierung per %{field} eingerichtet."
config/locales/en.yml
860 860
  label_copied_from: Copied from
861 861
  label_stay_logged_in: Stay logged in
862 862
  label_disabled: disabled
863
  label_optional: optional
863 864
  label_show_completed_versions: Show completed versions
864 865
  label_me: me
865 866
  label_board: Forum
......
982 983
  label_fields_permissions: Fields permissions
983 984
  label_readonly: Read-only
984 985
  label_required: Required
986
  label_required_lower: required
985 987
  label_hidden: Hidden
986 988
  label_attribute_of_project: "Project's %{name}"
987 989
  label_attribute_of_issue: "Issue's %{name}"
......
1289 1291
  twofa_currently_active: "Currently active: %{twofa_scheme_name}"
1290 1292
  twofa_not_active: "Not activated"
1291 1293
  twofa_label_code: Code
1294
  twofa_hint_disabled_html: Setting <strong>%{label}</strong> will deactivate and unpair two-factor authentication devices for all users.
1295
  twofa_hint_required_html: Setting <strong>%{label}</strong> will require all users to set up two-factor authentication at their next login.
1292 1296
  twofa_label_setup: Enable two-factor authentication
1293 1297
  twofa_label_deactivation_confirmation: Disable two-factor authentication
1298
  twofa_notice_select: "Please select the two-factor scheme you would like to use:"
1299
  twofa_warning_require: The administrator requires you to enable two-factor authentication.
1294 1300
  twofa_activated: Two-factor authentication successfully enabled.
1295 1301
  twofa_deactivated: Two-factor authentication disabled.
1296 1302
  twofa_mail_body_security_notification_paired: "Two-factor authentication successfully enabled using %{field}."
config/routes.rb
87 87
  match 'my/add_block', :controller => 'my', :action => 'add_block', :via => :post
88 88
  match 'my/remove_block', :controller => 'my', :action => 'remove_block', :via => :post
89 89
  match 'my/order_blocks', :controller => 'my', :action => 'order_blocks', :via => :post
90
  match 'my/twofa/activate/init', :controller => 'twofa', :action => 'activate_init', :via => :post
90 91
  match 'my/twofa/:scheme/activate/init', :controller => 'twofa', :action => 'activate_init', :via => :post
91 92
  match 'my/twofa/:scheme/activate/confirm', :controller => 'twofa', :action => 'activate_confirm', :via => :get
92 93
  match 'my/twofa/:scheme/activate', :controller => 'twofa', :action => 'activate', :via => [:get, :post]
93 94
  match 'my/twofa/:scheme/deactivate/init', :controller => 'twofa', :action => 'deactivate_init', :via => :post
94 95
  match 'my/twofa/:scheme/deactivate/confirm', :controller => 'twofa', :action => 'deactivate_confirm', :via => :get
95 96
  match 'my/twofa/:scheme/deactivate', :controller => 'twofa', :action => 'deactivate', :via => [:get, :post]
97
  match 'my/twofa/select_scheme', :controller => 'twofa', :action => 'select_scheme', :via => :get
96 98
  match 'users/:user_id/twofa/deactivate', :controller => 'twofa', :action => 'admin_deactivate', :via => :post
97 99

  
98 100
  resources :users do
config/settings.yml
34 34
lost_password:
35 35
  default: 1
36 36
  security_notifications: 1
37
twofa:
38
  default: 1
39
  security_notifications: 1
37 40
unsubscribe:
38 41
  default: 1
39 42
password_required_char_classes:
lib/redmine/twofa.rb
36 36
      for_twofa_scheme(user.twofa_scheme).try(:new, user)
37 37
    end
38 38

  
39
    def self.unpair_all!
40
      users = User.where.not(twofa_scheme: nil)
41
      users.each { |u| self.for_user(u).destroy_pairing_without_verify! }
42
    end
43

  
39 44
    def self.schemes
40 45
      initialize_schemes
41 46
      @@schemes