-
Notifications
You must be signed in to change notification settings - Fork 12
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
41 changed files
with
1,184 additions
and
225 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| import logging | ||
| from repoze.who.interfaces import IAuthenticator | ||
| from webob.request import Request | ||
| from zope.interface import implements | ||
|
|
||
| from ckan.lib.authenticator import UsernamePasswordAuthenticator | ||
|
|
||
| from ckanext.querytool.model import VitalsSecurityTOTP | ||
|
|
||
| log = logging.getLogger(__name__) | ||
|
|
||
|
|
||
| class VitalsTOTPAuth(UsernamePasswordAuthenticator): | ||
| implements(IAuthenticator) | ||
|
|
||
| def authenticate(self, environ, identity): | ||
| try: | ||
| user_name = identity['login'] | ||
| except KeyError: | ||
| return None | ||
|
|
||
| if not ('login' in identity and 'password' in identity): | ||
| return None | ||
|
|
||
| # Run through the CKAN auth sequence first, so we can hit the DB | ||
| # in every case and make timing attacks a little more difficult. | ||
| auth_user_name = super(VitalsTOTPAuth, self).authenticate( | ||
| environ, identity | ||
| ) | ||
|
|
||
| if auth_user_name is None: | ||
| return None | ||
|
|
||
| return self.authenticate_totp(environ, auth_user_name) | ||
|
|
||
| def authenticate_totp(self, environ, auth_user): | ||
| totp_challenger = VitalsSecurityTOTP.get_for_user(auth_user) | ||
|
|
||
| # if there is no totp configured, don't allow auth | ||
| # shouldn't happen, login flow should create a totp_challenger | ||
| if totp_challenger is None: | ||
| log.info("Login attempted without MFA configured for: {}".format( | ||
| auth_user) | ||
| ) | ||
| return None | ||
|
|
||
| form_vars = environ.get('webob._parsed_post_vars') | ||
| form_vars = dict(form_vars[0].items()) | ||
|
|
||
| if not form_vars.get('mfa'): | ||
| log.info("Could not get MFA credentials from the request") | ||
| return None | ||
|
|
||
| result = totp_challenger.check_code( | ||
| form_vars.get('mfa'), | ||
| totp_challenger.created_at, | ||
| form_vars.get('login') | ||
| ) | ||
|
|
||
| if result: | ||
| return auth_user |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| from ckan.lib.cli import CkanCommand | ||
|
|
||
| import sys | ||
|
|
||
|
|
||
| class VitalsSecurity(CkanCommand): | ||
| '''Command for initializing the TOTP table | ||
| Usage: paster --plugin=ckanext-querytool totp <command> -c <path to config file> | ||
| command: | ||
| help - prints this help | ||
| init_totp - create the database table to support time based one time (TOTP) login | ||
| ''' | ||
| summary = __doc__.split('\n')[0] | ||
| usage = __doc__ | ||
|
|
||
| def command(self): | ||
| # load pylons config | ||
| self._load_config() | ||
| options = { | ||
| 'init_totp': self.init_totp, | ||
| 'help': self.help, | ||
| } | ||
|
|
||
| try: | ||
| cmd = self.args[0] | ||
| options[cmd](*self.args[1:]) | ||
| except KeyError: | ||
| self.help() | ||
| sys.exit(1) | ||
|
|
||
| def help(self): | ||
| print(self.__doc__) | ||
|
|
||
| def init_totp(self): | ||
| print( | ||
| "Initializing database for multi-factor authentication " | ||
| "(TOTP - Time-based One-Time Password)" | ||
| ) | ||
| from ckanext.querytool.model import VitalsSecurityTOTP | ||
| vs_totp = VitalsSecurityTOTP() | ||
| vs_totp.totp_db_setup() | ||
| print("Finished tables setup for multi-factor authentication") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| import logging | ||
| import pyotp | ||
|
|
||
| import ckan.lib.base as base | ||
| import ckan.model as model | ||
| import ckan.lib.mailer as mailer | ||
| import ckan.logic as logic | ||
| from ckan.lib.mailer import mail_user | ||
| from ckan.common import _, config | ||
| import datetime | ||
|
|
||
| from ckanext.querytool.model import VitalsSecurityTOTP | ||
|
|
||
| log = logging.getLogger(__name__) | ||
|
|
||
| get_action = logic.get_action | ||
|
|
||
|
|
||
| class QuerytoolEmailAuthController(base.BaseController): | ||
| def send_2fa_code(self, user): | ||
| try: | ||
| user_dict = get_action('user_show')(None, {'id': user}) | ||
| # Get user object instead | ||
| user_obj = model.User.get(user) | ||
| vs_totp = VitalsSecurityTOTP() | ||
| now = datetime.datetime.utcnow() | ||
| challenge = vs_totp.create_for_user( | ||
| user_dict['name'], created_at=now | ||
| ) | ||
| secret = challenge.secret | ||
| totp = pyotp.TOTP(secret) | ||
| current_code = totp.at(for_time=now) | ||
| user_display_name = user_dict['display_name'] | ||
| user_email = user_dict['email'] | ||
| email_subject = _('Verification Code') | ||
| email_body = _( | ||
| 'Hi {user},\n\nHere\'s your verification' | ||
| ' code to login: {code}\n\nHave a great day!').format( | ||
| user=user_display_name, | ||
| code=current_code | ||
| ) | ||
| site_title = config.get('ckan.site_title') | ||
| site_url = config.get('ckan.site_url') | ||
|
|
||
| email_body += '\n\n' + site_title + '\n' + site_url | ||
|
|
||
| mailer.mail_recipient( | ||
| user_display_name, | ||
| user_email, | ||
| email_subject, | ||
| email_body | ||
| ) | ||
|
|
||
| return {'success': True, 'msg': 'Email sent'} | ||
| except Exception as e: | ||
| log.error(e) | ||
| return {'success': False, 'msg': 'Error sending email'} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
2 changes: 1 addition & 1 deletion
2
ckanext/querytool/fanstatic/javascript/dist/modules/fullscreen.js
Large diffs are not rendered by default.
Oops, something went wrong.
2 changes: 1 addition & 1 deletion
2
ckanext/querytool/fanstatic/javascript/dist/modules/fullscreen.js.map
Large diffs are not rendered by default.
Oops, something went wrong.
2 changes: 1 addition & 1 deletion
2
ckanext/querytool/fanstatic/javascript/dist/modules/map-module.js
Large diffs are not rendered by default.
Oops, something went wrong.
2 changes: 1 addition & 1 deletion
2
ckanext/querytool/fanstatic/javascript/dist/modules/map-module.js.map
Large diffs are not rendered by default.
Oops, something went wrong.
2 changes: 1 addition & 1 deletion
2
ckanext/querytool/fanstatic/javascript/dist/modules/table-module.js.map
Large diffs are not rendered by default.
Oops, something went wrong.
2 changes: 1 addition & 1 deletion
2
ckanext/querytool/fanstatic/javascript/dist/modules/viz-preview.js
Large diffs are not rendered by default.
Oops, something went wrong.
2 changes: 1 addition & 1 deletion
2
ckanext/querytool/fanstatic/javascript/dist/modules/viz-preview.js.map
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
2 changes: 1 addition & 1 deletion
2
ckanext/querytool/fanstatic/javascript/dist/public_query.js.map
Large diffs are not rendered by default.
Oops, something went wrong.
2 changes: 1 addition & 1 deletion
2
ckanext/querytool/fanstatic/javascript/dist/visualizations_settings.js
Large diffs are not rendered by default.
Oops, something went wrong.
2 changes: 1 addition & 1 deletion
2
ckanext/querytool/fanstatic/javascript/dist/visualizations_settings.js.map
Large diffs are not rendered by default.
Oops, something went wrong.
Oops, something went wrong.