0002-auth2_multifactor-add-OATH-authentication-factor.patch

Valentin Deniaud, 25 juin 2019 15:56

Voir les différences: en ligne côte à côte

Subject: [PATCH 2/3] auth2_multifactor: add OATH authentication factor

Add a new module auth2_multifactor, which should contain all additionnal
authentication factors.
We make use of the authentication frontend/authenticator mechanisms, for
profile configuration and login blocks. However, there is no associated
backends since we will work with users that are already authenticated.

This authentication factor requires the user to install a third party
app that implements TOTP, and lets them scan a QR Code, or manually
enter a key. Then they can enter a one-time password whenever required.

 MANIFEST.in                                   |   1 +
 setup.py                                      |   3 +
 src/authentic2/auth2_multifactor/__init__.py  |   5 +
 .../auth2_multifactor/auth_oath/__init__.py   |  10 ++
 .../auth_oath/app_settings.py                 |  23 +++
 .../auth_oath/authenticators.py               |  25 ++++
 .../auth2_multifactor/auth_oath/forms.py      |  27 ++++
 .../auth_oath/migrations/0001_initial.py      |  27 ++++
 .../auth_oath/migrations/__init__.py          |   0
 .../auth2_multifactor/auth_oath/models.py     |  17 +++
 .../auth_oath/templates/auth_oath/qrcode.html |   3 +
 .../templates/auth_oath/totp_enable.html      |  30 ++++
 .../templates/auth_oath/totp_form.html        |  14 ++
 .../templates/auth_oath/totp_profile.html     |  31 ++++
 .../auth2_multifactor/auth_oath/urls.py       |  19 +++
 .../auth2_multifactor/auth_oath/utils.py      |  31 ++++
 .../auth2_multifactor/auth_oath/views.py      | 134 ++++++++++++++++++
 .../auth2_multifactor/decorators.py           |  12 ++
 18 files changed, 412 insertions(+)
 create mode 100644 src/authentic2/auth2_multifactor/__init__.py
 create mode 100644 src/authentic2/auth2_multifactor/auth_oath/__init__.py
 create mode 100644 src/authentic2/auth2_multifactor/auth_oath/app_settings.py
 create mode 100644 src/authentic2/auth2_multifactor/auth_oath/authenticators.py
 create mode 100644 src/authentic2/auth2_multifactor/auth_oath/forms.py
 create mode 100644 src/authentic2/auth2_multifactor/auth_oath/migrations/0001_initial.py
 create mode 100644 src/authentic2/auth2_multifactor/auth_oath/migrations/__init__.py
 create mode 100644 src/authentic2/auth2_multifactor/auth_oath/models.py
 create mode 100644 src/authentic2/auth2_multifactor/auth_oath/templates/auth_oath/qrcode.html
 create mode 100644 src/authentic2/auth2_multifactor/auth_oath/templates/auth_oath/totp_enable.html
 create mode 100644 src/authentic2/auth2_multifactor/auth_oath/templates/auth_oath/totp_form.html
 create mode 100644 src/authentic2/auth2_multifactor/auth_oath/templates/auth_oath/totp_profile.html
 create mode 100644 src/authentic2/auth2_multifactor/auth_oath/urls.py
 create mode 100644 src/authentic2/auth2_multifactor/auth_oath/utils.py
 create mode 100644 src/authentic2/auth2_multifactor/auth_oath/views.py
 create mode 100644 src/authentic2/auth2_multifactor/decorators.py

MANIFEST.in
25	25	recursive-include src/authentic2_auth_saml/templates/authentic2_auth_saml *.html
26	26	recursive-include src/authentic2_auth_oidc/templates/authentic2_auth_oidc *.html
27	27	recursive-include src/authentic2_idp_oidc/templates/authentic2_idp_oidc *.html
	28	recursive-include src/authentic2/auth2_multifactor/auth_oath/templates *.html
28	29
29	30	recursive-include src/authentic2/saml/fixtures *.json
30	31	recursive-include src/authentic2/locale .po .mo

               'xstatic-select2',
               'pillow',
               'tablib',
               'qrcode',
               'oath',
           ],
           zip_safe=False,
           classifiers=[
-...
                   'authentic2-idp-oidc = authentic2_idp_oidc:Plugin',
                   'authentic2-provisionning-ldap = authentic2_provisionning_ldap:Plugin',
                   'authentic2-auth-fc = authentic2_auth_fc:Plugin',
                   'authentic2-auth-oath = authentic2.auth2_multifactor.auth_oath:Plugin',
               ],
           })

src/authentic2/auth2_multifactor/__init__.py
	1	"""
	2	This package contains authentification modules that are not to be used as primary
	3	modes of authentification, but rather as supplementary authentication factors in
	4	order to guarantee higher levels of trust.
	5	"""

     class Plugin(object):
         def get_before_urls(self):
             from . import urls
             return urls.urlpatterns
         def get_apps(self):
             return [__name__]
         def get_authenticators(self):
             return ['authentic2.auth2_multifactor.auth_oath.authenticators.TOTPAuthenticator']

     class AppSettings(object):
         __DEFAULTS = {
             'ENABLE': True,
             'LEVEL': 2,
+        }
         def __init__(self, prefix):
             self.prefix = prefix
         def _setting(self, name, dflt):
             from django.conf import settings
             return getattr(settings, self.prefix+name, dflt)
         def __getattr__(self, name):
             if name not in self.__DEFAULTS:
                 raise AttributeError(name)
             return self._setting(name, self.__DEFAULTS[name])
     import sys
     app_settings = AppSettings('A2_AUTH_OATH_')
     app_settings.__name__ = __name__
     sys.modules[__name__] = app_settings

     from django.utils.translation import ugettext_lazy
     from . import app_settings
     from .views import totp_profile, totp_login
     class TOTPAuthenticator(object):
         submit_name = 'oath-totp-submit'
         auth_level = app_settings.LEVEL
         _id = 'multifactor-totp'
         def enabled(self):
             return app_settings.ENABLE
         def name(self):
             return ugettext_lazy('One-time password')
         def id(self):
             return self._id
         def login(self, request, *args, **kwargs):
             return totp_login(request, *args, **kwargs)
         def profile(self, request, *args, **kwargs):
             return totp_profile(request, *args, **kwargs)

     from django import forms
     from django.core.exceptions import ValidationError
     from django.utils.translation import ugettext as _
     def validate_number(value):
         try:
             int(value)
         except ValueError:
             raise ValidationError(
                 _('Code must be a number.'),
+            )
     class EnableForm(forms.Form):
         code = forms.CharField(
             max_length=6, min_length=6, validators=[validate_number],
             label=_('Code'),
+        )
     class LoginForm(EnableForm):
         def __init__(self, *args, **kwargs):
             super(LoginForm, self).__init__(*args, **kwargs)
             self.fields['code'].help_text = \
                 _('In order to be granted access, you must enter the six-digit '
                   'code given by the authentificator app on your device.')

     # -*- coding: utf-8 -*-
     # Generated by Django 1.11.18 on 2019-04-01 08:21
     from __future__ import unicode_literals
     from django.conf import settings
     from django.db import migrations, models
     import django.db.models.deletion
     class Migration(migrations.Migration):
         initial = True
         dependencies = [
             ('custom_user', '0016_auto_20180925_1107'),
+        ]
         operations = [
             migrations.CreateModel(
                 name='OATHTOTPSecret',
                 fields=[
                     ('user', models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, primary_key=True, related_name='oath_totp_secret', serialize=False, to=settings.AUTH_USER_MODEL, verbose_name='utilisateur')),
                     ('key', models.CharField(max_length=40)),
                     ('drift', models.IntegerField(default=0)),
                 ],
             ),
+        ]

     from base64 import b32encode
     from binascii import unhexlify
     from django.conf import settings
     from django.db import models
     from django.utils.translation import ugettext as _
     class OATHTOTPSecret(models.Model):
         user = models.OneToOneField(settings.AUTH_USER_MODEL, primary_key=True,
                                     related_name='oath_totp_secret', verbose_name=_('user'))
         key = models.CharField(max_length=40)
         drift = models.IntegerField(default=0)
         def b32_encoded(self):
             return b32encode(unhexlify(self.key)).decode('ascii')

src/authentic2/auth2_multifactor/auth_oath/templates/auth_oath/qrcode.html
	1	<div style="text-align: center">
	2	<img src="data:image/png;base64,{{ uri }}">
	3	</div>

     {% extends "authentic2/base-page.html" %}
     {% load i18n %}
     {% block content %}
     <div>
       <p>
         {% blocktrans %}
           Install any application capable of generating such codes (refer to the
           documentation for recommendations). Then scan the QR code below, and
           enter the six-digit code that the app will display in order to complete
           the setup.
         {% endblocktrans %}
       </p>
     </div>
     <div>
       {% include "auth_oath/qrcode.html" %}
       <p>
         {% trans "For manual setup when unable to scan the code, enter the following key : " %}
         {{ secret }}
       </p>
     </div>
     <div>
       <form method="post" autocomplete="off" action="">
         {% csrf_token %}
         {{ form.as_p }}
         <button class="submit-button" name="{{ submit_name }}">{% trans "Activate" %}</button>
       </form>
     </div>
     {% endblock %}

     {% load i18n %}
     <h2>{% trans "Multi-factor authentication" %}</h1>
     <div>
       <form method="post" autocomplete="off" action="">
         {% csrf_token %}
         {{ form.as_p }}
         <button class="submit-button" name="{{ submit_name }}">{% trans "Submit" %}</button>
         {% if cancel %}
           <button class="cancel-button" name="cancel">{% trans 'Cancel' %}</button>
         {% endif %}
       </form>
     </div>

     {% load i18n %}
     {% if enabled %}
       <p>
         {% trans "You can configure additional devices by scanning the QR code below." %}
       </p>
       {% include "auth_oath/qrcode.html" %}
       <p>
         <a onclick="return confirm('{% trans "Are you sure ?" %}')" href="{% url 'totp-disable' %}">
           {% trans "Click here to disable this factor." %}
         </a>
         {% blocktrans %}
           Doing so will invalidate configuration on all devices, meaning that if
           it is enabled again the codes they generate won't be valid anymore.
         {% endblocktrans %}
       </p>
     {% else %}
       {% if login_url %}
         <a href="{{ login_url }}">
           {% trans "Insufficient authentication level to view, click here to increase." %}
         </a>
       {% else %}
         <a href="{{ enable_url }}">
           {% trans "Enable this factor " %}
         </a>
         {% blocktrans %}
           in order to secure authentication with a one-time verification code. It
           will be requested when needed on top of username and password.
         {% endblocktrans %}
       {% endif %}
     {% endif %}

     from django.conf.urls import url
     from django.contrib.auth.decorators import login_required
     from authentic2.decorators import required
     from authentic2.auth2_multifactor.decorators import auth_level_required
     from . import views
     from .utils import get_authenticator_level
     urlpatterns = required(
         (login_required, auth_level_required(get_authenticator_level)), [
             url(r'disable', views.disable, name='totp-disable'),
+        ]
+    )
     urlpatterns += [
         url(r'enable', login_required(views.enable), name='totp-enable'),
+    ]

     from base64 import b64encode
     from io import BytesIO
     from qrcode import QRCode
     from oath import google_authenticator
     def get_qrcode(user, secret=None):
         if not secret:
             secret = user.oath_totp_secret
         ga = google_authenticator.GoogleAuthenticatorURI()
         account = user.get_full_name().encode('utf-8')
         uri = ga.generate(secret.key, account=account, issuer='Publik')
         qr = QRCode(box_size=5)
         qr.add_data(uri)
         qr.make(fit=True)
         img = qr.make_image()
         img_bytes = BytesIO()
         img.save(img_bytes, format='png')
         uri = b64encode(img_bytes.getvalue())
         return uri
     def get_authenticator_id():
         from .authenticators import TOTPAuthenticator
         return TOTPAuthenticator._id
     def get_authenticator_level():
         from .authenticators import TOTPAuthenticator
         return TOTPAuthenticator.auth_level

     from random import SystemRandom
     from django.template.loader import render_to_string
     from django.utils.translation import ugettext as _
     from django.views.generic.edit import FormView
     from oath import accept_totp
     from authentic2.utils import redirect, get_next_url, csrf_token_check, make_url
     from .forms import LoginForm, EnableForm
     from .models import OATHTOTPSecret
     from .utils import (get_qrcode, get_authenticator_level, get_authenticator_id)
     def totp_profile(request, *args, **kwargs):
         context = {}
         try:
             request.user.enabled_auth_factors.get(
                 authenticator_id=get_authenticator_id())
         except request.user.enabled_auth_factors.model.DoesNotExist:
             context['enabled'] = False
             if 'auth_level' in request.GET:
                 # Forced enabling flow
                 context['enable_url'] = make_url('totp-enable', keep_params=True,
                                                  request=request)
             else:
                 context['enable_url'] = make_url('totp-enable',
                                                  params={'next': request.get_full_path()})
         else:
             context['uri'] = get_qrcode(request.user)
             auth_level = get_authenticator_level()
             if request.session.get('auth_level', 1) < auth_level:
                 params = {
                     'next': request.get_full_path(),
                     'auth_level': auth_level,
+                }
                 context['login_url'] = make_url('auth_login', params=params)
             else:
                 context['enabled'] = True
         return render_to_string('auth_oath/totp_profile.html', context, request=request)
     class Login(FormView):
         template_name = 'auth_oath/totp_form.html'
         form_class = LoginForm
         def get_context_data(self, **kwargs):
             kwargs['submit_name'] = 'oath-totp-submit'
             return super(Login, self).get_context_data(**kwargs)
         def get_success_url(self):
             return get_next_url(self.request.GET)
         def form_valid(self, form):
             code = form.cleaned_data['code']
             secret = self.request.user.oath_totp_secret
             success, drift = accept_totp(secret.key, str(code), drift=secret.drift)
             csrf_token_check(self.request, form)
             if success:
                 secret.drift = drift
                 secret.save()
                 self.request.session['auth_level'] = get_authenticator_level()
                 return super(Login, self).form_valid(form)
             form.add_error('code', _('Invalid code.'))
             return self.form_invalid(form)
     totp_login = Login.as_view()
     class Enable(FormView):
         template_name = 'auth_oath/totp_enable.html'
         form_class = EnableForm
         def dispatch(self, request, *args, **kwargs):
             try:
                 request.user.enabled_auth_factors.get(
                     authenticator_id=get_authenticator_id())
                 return redirect(request, 'authenticators_profile')
             except request.user.enabled_auth_factors.model.DoesNotExist:
                 return super(Enable, self).dispatch(request, *args, **kwargs)
         def get_success_url(self):
             return get_next_url(self.request.GET)
         def get_context_data(self, **kwargs):
             secret = self.get_secret_for_session()
             kwargs['uri'] = get_qrcode(self.request.user, secret)
             encoded_secret = secret.b32_encoded()
             kwargs['secret'] = ' '.join(encoded_secret[i:i + 4]
                                         for i in range(0, len(encoded_secret), 4))
             return super(Enable, self).get_context_data(**kwargs)
         def get_secret_for_session(self):
             """Make sure a new temporary secret is generated each session.
             We don't want to generate a secret on every page refresh.
             On the other hand, permanently storing the secret before the user has
             completed setup would allow an attacker who already owns the account to
             preventively get it, so that in case the user decides to enable TOTP
             they would still have access.
             """
             key = self.request.session.setdefault(
                 'oath_totp_secret', format(SystemRandom().getrandbits(160), '040x'))
             return OATHTOTPSecret(self.request.user.id, key)
         def form_valid(self, form):
             code = form.cleaned_data['code']
             secret = self.get_secret_for_session()
             success, _ = accept_totp(secret.key, str(code))
             if success:
                 secret.save()
                 self.request.user.enabled_auth_factors.create(
                     authenticator_id=get_authenticator_id())
                 self.request.session['auth_level'] = get_authenticator_level()
                 return super(Enable, self).form_valid(form)
             form.add_error('code', _('Invalid code.'))
             return self.form_invalid(form)
     enable = Enable.as_view()
     def disable(request):
         try:
             factor = request.user.enabled_auth_factors.get(
                 authenticator_id=get_authenticator_id())
             factor.delete()
         except request.user.enabled_auth_factors.model.DoesNotExist:
             pass
         else:
             request.user.oath_totp_secret.delete()
         return redirect(request, 'authenticators_profile')

     from django.core.exceptions import PermissionDenied
     def auth_level_required(auth_level):
         def actual_decorator(func):
             actual_auth_level = auth_level() if callable(auth_level) else auth_level
             def wrapped(request, *args, **kwargs):
                 if request.session.get('auth_level', 1) < actual_auth_level:
                     raise PermissionDenied
                 return func(request, *args, **kwargs)
             return wrapped
         return actual_decorator
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0002-auth2_multifactor-add-OATH-authentication-factor.patch