Initial mfa support (for internal users) #93591

Merged
Oleg-Komarov merged 46 commits from mfa into main 2024-08-29 11:44:06 +02:00
9 changed files with 145 additions and 2 deletions
Showing only changes of commit d38eafb7cb - Show all commits

View File

@ -282,3 +282,40 @@ def construct_password_changed(user):
subject = "Security alert: password changed"
return email_body_txt, subject
def construct_new_mfa_device(user, device_type):
context = {
"device_type": device_type,
"user": user,
}
email_body_txt = loader.render_to_string(
"bid_main/emails/new_mfa_device.txt", context
)
subject = "Security alert: a new multi-factor authentication device added"
return email_body_txt, subject
def construct_mfa_disabled(user):
context = {
"user": user,
}
email_body_txt = loader.render_to_string(
"bid_main/emails/mfa_disabled.txt", context
)
subject = "Security alert: multi-factor authentication disabled"
return email_body_txt, subject
def construct_mfa_recovery_used(user):
context = {
"user": user,
}
email_body_txt = loader.render_to_string(
"bid_main/emails/mfa_recovery_used.txt", context
)
subject = "Security alert: recovery code used"
return email_body_txt, subject

View File

@ -7,6 +7,7 @@ from django.db.models.signals import m2m_changed, post_delete
from django.dispatch import receiver
from . import models
from mfa.signals import recovery_used
import bid_main.utils as utils
import bid_main.file_utils
import bid_main.tasks
@ -79,3 +80,10 @@ def delete_orphaned_avatar_files(sender, instance, **kwargs):
return
bid_main.file_utils.delete_avatar_files(instance.avatar.name)
@receiver(recovery_used)
def send_mfa_recovery_used_email(sender, **kwargs):
user = kwargs['device'].user
if user.confirmed_email_at:
bid_main.tasks.send_mfa_recovery_used_email(user.pk)

View File

@ -43,3 +43,54 @@ def send_password_changed_email(user_pk):
from_email=None, # just use the configured default From-address.
recipient_list=[email],
)
@background(schedule={'action': TaskSchedule.RESCHEDULE_EXISTING})
def send_new_mfa_device_email(user_pk, device_type):
user = User.objects.get(pk=user_pk)
log.info("sending a new mfa device email for account %s", user.pk)
# sending only a text/plain email to reduce the room for look-alike phishing emails
email_body_txt, subject = bid_main.email.construct_new_mfa_device(user, device_type)
email = user.email
send_mail(
subject=subject,
message=email_body_txt,
from_email=None, # just use the configured default From-address.
recipient_list=[email],
)
@background(schedule={'action': TaskSchedule.RESCHEDULE_EXISTING})
def send_mfa_disabled_email(user_pk):
user = User.objects.get(pk=user_pk)
log.info("sending an mfa disabled email for account %s", user.pk)
# sending only a text/plain email to reduce the room for look-alike phishing emails
email_body_txt, subject = bid_main.email.construct_mfa_disabled(user)
email = user.email
send_mail(
subject=subject,
message=email_body_txt,
from_email=None, # just use the configured default From-address.
recipient_list=[email],
)
@background(schedule={'action': TaskSchedule.RESCHEDULE_EXISTING})
def send_mfa_recovery_used_email(user_pk):
user = User.objects.get(pk=user_pk)
log.info("sending an mfa recovery used email for account %s", user.pk)
# sending only a text/plain email to reduce the room for look-alike phishing emails
email_body_txt, subject = bid_main.email.construct_mfa_recovery_used(user)
email = user.email
send_mail(
subject=subject,
message=email_body_txt,
from_email=None, # just use the configured default From-address.
recipient_list=[email],
)

View File

@ -0,0 +1,9 @@
{% autoescape off %}
Dear {{ user.full_name|default:user.email }}!
Multi-factor authentication has been disabled for your Blender ID account {{ user.email }}
--
Kind regards,
The Blender Web Team
{% endautoescape %}

View File

@ -0,0 +1,11 @@
{% autoescape off %}
Dear {{ user.full_name|default:user.email }}!
A recovery code was used to pass multi-factor authentication for your Blender ID account {{ user.email }}
If this wasn't done by you, please reset your password immediately, re-generate your MFA recovery codes, and contact blenderid@blender.org for support.
--
Kind regards,
The Blender Web Team
{% endautoescape %}

View File

@ -0,0 +1,11 @@
{% autoescape off %}
Dear {{ user.full_name|default:user.email }}!
A new {{ device_type }} multi-factor authenticator has been added to your Blender ID account {{ user.email }}
If this wasn't done by you, please reset your password immediately and contact blenderid@blender.org for support.
--
Kind regards,
The Blender Web Team
{% endautoescape %}

View File

@ -17,6 +17,7 @@ import qrcode
from . import mixins
from mfa.forms import DisableMfaForm, TotpMfaForm
from mfa.models import EncryptedRecoveryDevice, EncryptedTOTPDevice, devices_for_user
import bid_main.tasks
class MfaView(mixins.MfaRequiredIfConfiguredMixin, TemplateView):
@ -56,6 +57,8 @@ class DisableView(mixins.MfaRequiredMixin, FormView):
def form_valid(self, form):
for device in devices_for_user(self.request.user):
device.delete()
if self.request.user.confirmed_email_at:
bid_main.tasks.send_mfa_disabled_email(self.request.user.pk)
return super().form_valid(form)
@ -118,8 +121,11 @@ class TotpView(mixins.MfaRequiredIfConfiguredMixin, FormView):
context['first_device'] = not devices_for_user(self.request.user)
return context
@transaction.atomic
def form_valid(self, form):
form.save()
if self.request.user.confirmed_email_at:
bid_main.tasks.send_new_mfa_device_email(self.request.user.pk, 'totp')
return super().form_valid(form)

View File

@ -10,11 +10,13 @@ the upstream implementation as much as possible.
from binascii import unhexlify
from django.db import models
from django.db import models, transaction
from django_otp.plugins.otp_static.models import StaticDevice
from django_otp.plugins.otp_totp.models import TOTPDevice
from nacl_encrypted_fields.fields import NaClCharField
from mfa.signals import recovery_used
class EncryptedRecoveryDevice(StaticDevice):
"""Using a proxy model and pretending that upstream StaticToken does not exist."""
@ -22,8 +24,12 @@ class EncryptedRecoveryDevice(StaticDevice):
abstract = False
proxy = True
@transaction.atomic
def verify_token(self, token):
"""Copy-pasted verbatim from StaticDevice, replacing token_set with encryptedtoken_set."""
"""Copy-pasted verbatim from StaticDevice, replacing token_set with encryptedtoken_set.
Also added a signal for email notification.
"""
verify_allowed, _ = self.verify_is_allowed()
if verify_allowed:
match = self.encryptedtoken_set.filter(encrypted_token=token).first()
@ -32,6 +38,7 @@ class EncryptedRecoveryDevice(StaticDevice):
self.throttle_reset(commit=False)
self.set_last_used_timestamp(commit=False)
self.save()
recovery_used.send(EncryptedRecoveryDevice, device=self)
else:
self.throttle_increment()
else:

3
mfa/signals.py Normal file
View File

@ -0,0 +1,3 @@
from django.dispatch import Signal
recovery_used = Signal()