Merge remote-tracking branch 'origin/release/7.4' into dev

7 years ago · 19ed50a6da
parent 38d35c806a 0a34d6c649
commit 19ed50a6da
15 changed files with 264 additions and 9 deletions
--- a/app/controllers/two_factor_authentication/concerns/remember_token.rb
+++ b/app/controllers/two_factor_authentication/concerns/remember_token.rb
@ -29,6 +29,7 @@ module ::TwoFactorAuthentication
        cookies.encrypted[remember_cookie_name] = {
          value: new_token!(@authenticated_user),
          httponly: true,
          expires: remember_2fa_days.days.from_now,
          secure: Setting.protocol == 'https'
        }
      end
--- a/app/controllers/two_factor_authentication/settings_controller.rb
+++ b/app/controllers/two_factor_authentication/settings_controller.rb
@ -0,0 +1,55 @@
 module ::TwoFactorAuthentication
  class SettingsController < ApplicationController
    before_action :require_admin
    before_action :check_enabled
    layout 'admin'
    menu_item :two_factor_authentication
    def show
      render template: 'two_factor_authentication/settings',
             locals: {
               settings: Setting.plugin_openproject_two_factor_authentication,
               strategy_manager: manager,
               configuration: manager.configuration
             }
    end
    def update
      current_settings = Setting.plugin_openproject_two_factor_authentication
      begin
        merge_settings!(current_settings, permitted_params)
        manager.validate_configuration!
        flash[:notice] = I18n.t(:notice_successful_update)
      rescue ArgumentError => e
        Setting.plugin_openproject_two_factor_authentication = current_settings
        flash[:error] = I18n.t('two_factor_authentication.settings.failed_to_save_settings', message: e.message)
        Rails.logger.error "Failed to save 2FA settings: #{e.message}"
      end
      redirect_to action: :show
    end
    private
    def permitted_params
      params.require(:settings).permit(:enforced, :allow_remember_for_days)
    end
    def merge_settings!(current, permitted)
      Setting.plugin_openproject_two_factor_authentication = current.merge(
        enforced: !!permitted[:enforced],
        allow_remember_for_days: permitted[:allow_remember_for_days]
      )
    end
    def check_enabled
      render_403 unless manager.configurable_by_ui?
    end
    def manager
      ::OpenProject::TwoFactorAuthentication::TokenStrategyManager
    end
  end
 end
--- a/app/views/two_factor_authentication/settings.html.erb
+++ b/app/views/two_factor_authentication/settings.html.erb
@ -0,0 +1,80 @@
 <% html_title(t(:label_administration), t('two_factor_authentication.settings.title')) -%>
 <%= breadcrumb_toolbar(t('two_factor_authentication.settings.title')) %>
 <section class="admin--edit-section">
  <%= styled_form_tag({ action: :update },
                      method: :post,
                      id: 'update-ldap-group-settings-form') do %>
    <fieldset class="form--fieldset">
      <legend class="form--fieldset-legend"><%= t('two_factor_authentication.settings.current_configuration') %></legend>
      <p>
        <%= t('two_factor_authentication.settings.text_configuration') %>
        <br/>
        <% configuration_link = OpenProject::Static::Links.links.fetch :configuration_guide %>
        <%= link_to t('two_factor_authentication.settings.text_configuration_guide'), configuration_link[:href] %>
      </p>
      <div class="attributes-key-value">
        <div class="attributes-key-value--key"><%= t('two_factor_authentication.settings.label_active_strategies') %></div>
        <div class="attributes-key-value--value-container">
          <div class="attributes-key-value--value">
            <%= t(:label_none) if configuration[:active_strategies].empty? %>
            <% configuration[:active_strategies].each do |key| %>
              <span>
                <%= t("two_factor_authentication.strategies.#{key}") %>
              </span>
              <br/>
            <% end %>
          </div>
        </div>
        <div class="attributes-key-value--key"><%= t('two_factor_authentication.settings.label_enforced') %></div>
        <div class="attributes-key-value--value-container">
          <div class="attributes-key-value--value">
            <span><%= !!configuration[:enforced] %></span>
          </div>
        </div>
        <div class="attributes-key-value--key"><%= t('two_factor_authentication.settings.label_remember') %></div>
        <div class="attributes-key-value--value-container">
          <div class="attributes-key-value--value">
            <% if configuration[:allow_remember_for_days].to_i == 0 %>
              <span><%= t(:label_disabled) %></span>
            <% else %>
              <span><%= configuration[:allow_remember_for_days] %> (<%= t(:label_day_plural) %>)</span>
            <% end %>
          </div>
        </div>
      </div>
    </fieldset>
    <fieldset class="form--fieldset">
      <legend class="form--fieldset-legend"><%= t(:label_settings) %></legend>
      <div class="form--field">
        <label class="form--label" for='settings[enforced]'><%= t('two_factor_authentication.settings.label_enforced') %></label>
        <div class="form--field-container ">
          <%= styled_check_box_tag 'settings[enforced]',
                                   '1',
                                   !!configuration[:enforced],
                                   disabled: strategy_manager.enforced_by_configuration?(:enforced) || configuration[:active_strategies].empty?,
                                   container_class: '-middle' %>
        </div>
        <div class="form--field-instructions">
          <%= I18n.t('two_factor_authentication.settings.text_enforced') %>
        </div>
      </div>
      <div class="form--field">
        <label class="form--label" for='settings[allow_remember_for_days]'><%= t('two_factor_authentication.settings.label_remember') %></label>
        <div class="form--field-container">
          <%= styled_number_field_tag 'settings[allow_remember_for_days]',
                                      configuration[:allow_remember_for_days],
                                      min: '0',
                                      max: '365',
                                      step: '1',
                                      disabled: strategy_manager.enforced_by_configuration?(:allow_remember_for_days),
                                      container_class: '-middle' %>
        </div>
        <div class="form--field-instructions">
          <%= I18n.t('two_factor_authentication.settings.text_remember') %>
        </div>
      </div>
    </fieldset>
    <%= styled_submit_tag l(:button_apply), class: '-highlight' %>
  <% end %>
 </section>
--- a/app/views/two_factor_authentication/upsale.html.erb
+++ b/app/views/two_factor_authentication/upsale.html.erb
@ -0,0 +1,30 @@
 <% html_title(t(:label_administration), t('two_factor_authentication.settings.title')) -%>
 <%= breadcrumb_toolbar(t('two_factor_authentication.settings.title')) %>
 <div class="notification-box upsale-notification">
  <div class="notification-box--content">
    <h3><%= t('admin.enterprise.upgrade_to_ee') %></h3>
    <%= image_tag "enterprise_edition.png", class: "widget-box--teaser-image" %>
    <p><%= t('homescreen.blocks.upsale.description') %></p>
    <ul class="">
      <li>
        <%= t('homescreen.blocks.upsale.additional_features') %>
      </li>
      <li>
        <%= t('homescreen.blocks.upsale.professional_support') %>
      </li>
    </ul>
    <p>
      <b><%= t('homescreen.blocks.upsale.become_hero') %></b> <%= t('homescreen.blocks.upsale.you_contribute') %>
    </p>
    <%= link_to( "#{OpenProject::Static::Links.links[:upsale][:href]}/?utm_source=unknown&utm_medium=community-edition&utm_campaign=2fa",
                 { class: 'button -alt-highlight',
                   aria: {label: t('admin.enterprise.order')},
                   title: t('admin.enterprise.order')}) do %>
      <%= op_icon('button--icon icon-add') %>
      <span class="button--text"><%= t('admin.enterprise.order') %></span>
    <% end %>
  </div>
 </div>
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -44,6 +44,21 @@ en:
      enter_backup_code_title: Enter backup code
      enter_backup_code_text: Please enter a valid backup code from your list of codes in case you can no longer access your registered 2FA devices.
      other_device: 'Use another device or backup code'
    settings:
      title: '2FA settings'
      current_configuration: 'Current configuration'
      label_active_strategies: 'Active 2FA strategies'
      label_enforced: 'Enforce 2FA'
      label_remember: 'Remember 2FA login'
      text_configuration: |
        Note: These values represent the current application-wide configuration. You cannot disable settings enforced by the configuration or change the current active strategies, since they require a server restart.
      text_configuration_guide: For more information, check the configuration guide.
      text_enforced: 'Enable this setting to force all users to register a 2FA device on their next login. Can only be disabled when not enforced by configuration.'
      text_remember: |
        Set this to greater than zero to allow users to remember their 2FA authentication for the given number of days.
        They will not be requested to re-enter it during that period. Can only be set when not enforced by configuration.
      error_invalid_settings: 'The 2FA strategies you selected are invalid'
      failed_to_save_settings: 'Failed to update 2FA settings: %{message}'
    admin:
      self_edit_path: 'To add or modify your own 2FA devices, please go to %{self_edit_link}'
      self_edit_link_name: 'Two-factor authentication on your account page'
@ -118,6 +133,11 @@ en:
    restdt:
      delivery_failed_with_code: 'Token delivery failed. (Error code %{code})'
    strategies:
      totp: 'Authenticator application'
      sns: 'Amazon SNS'
      resdt: 'SMS Rest API'
    mobile_transmit_notification: "A one-time password has been sent to your cell phone."
    label_two_factor_authentication: 'Two-factor authentication'
--- a/config/routes.rb
+++ b/config/routes.rb
@ -6,6 +6,9 @@ OpenProject::Application::routes.draw do
    post :retry, to: 'authentication#retry'
    get :backup_code, to: 'authentication#enter_backup_code'
    post :backup_code, to: 'authentication#verify_backup_code'
    get :settings, to: 'settings#show', as: 'settings_2fa'
    post :settings, to: 'settings#update', as: 'update_settings_2fa'
  end
  scope 'two_factor_authentication' do # Avoids adding the namespace prefix
--- a/lib/open_project/two_factor_authentication/engine.rb
+++ b/lib/open_project/two_factor_authentication/engine.rb
@ -10,11 +10,16 @@ module OpenProject::TwoFactorAuthentication
             author_url: 'http://openproject.com',
             settings: {
               default: {
                 # Only app-based 2FA allowed per default
                 # (will be added in token strategy manager)
                 active_strategies: [],
                 # Don't force users to register device
                 enforced: false,
-                 active_strategies: []
+                 # Don't allow remember cookie
                 allow_remember_for_days: 0
               }
             },
-             requires_openproject: '>= 4.0.0' do
+             requires_openproject: '>= 7.2.0' do
               menu :my_menu,
                    :two_factor_authentication,
                    { controller: 'two_factor_authentication/my/two_factor_devices', action: :index },
@ -22,6 +27,14 @@ module OpenProject::TwoFactorAuthentication
                    after: :password,
                    if: ->(*) { ::OpenProject::TwoFactorAuthentication::TokenStrategyManager.enabled? },
                    icon: 'icon2 icon-types'
               menu :admin_menu,
                    :two_factor_authentication,
                    { controller: 'two_factor_authentication/settings', action: :show },
                    caption: ->(*) { I18n.t('two_factor_authentication.label_two_factor_authentication') },
                    after: :ldap_authentication,
                    if: ->(*) { ::OpenProject::TwoFactorAuthentication::TokenStrategyManager.configurable_by_ui? },
                    icon: 'icon2 icon-types'
             end
    initializer 'two_factor_authentication.precompile_assets' do |app|
--- a/lib/open_project/two_factor_authentication/token_strategy_manager.rb
+++ b/lib/open_project/two_factor_authentication/token_strategy_manager.rb
@ -54,6 +54,12 @@ module OpenProject::TwoFactorAuthentication
        !!configuration[:enforced]
      end
      ##
      # Determine whether the plugin settings can be changed from the UI
      def configurable_by_ui?
        !configuration[:hide_settings_menu_item]
      end
      def allow_remember_for_days
        configuration[:allow_remember_for_days].to_i
      end
@ -68,6 +74,8 @@ module OpenProject::TwoFactorAuthentication
      # Fetch all active strategies
      def active_strategies
        configuration.fetch(:active_strategies, [])
          .map(&:to_s)
          .uniq
          .map { |strategy| lookup_active_strategy strategy }
      end
@ -100,16 +108,32 @@ module OpenProject::TwoFactorAuthentication
        config
      end
-      def merge_with_settings!(config, settings)
+      def enforced_by_configuration?(key)
-        # Allow enforcing from settings if not true in configuration
+        (OpenProject::Configuration['2fa'] || {}).has_key? key
-        unless config[:enforced]
+      end
          config[:enforced] = settings[:enforced]
        end
      def merge_with_settings!(config, settings)
        predefined_strategies = config.fetch(:active_strategies, [])
        additional_strategies = settings.fetch(:active_strategies, [])
        config[:active_strategies] = predefined_strategies | additional_strategies
        # Always enable totp if nothing is enabled
        config[:active_strategies] << :totp if add_default_strategy?(config)
        # Allow enforcing from settings if not true in configuration
        config[:enforced] ||= settings[:enforced]
        config[:allow_remember_for_days] = config.fetch(:allow_remember_for_days, settings[:allow_remember_for_days])
      end
      def add_default_strategy?(config)
        config[:active_strategies].empty?
      end
      def available_strategies
        {
          totp: I18n.t("activerecord.models.two_factor_authentication/device/totp"),
          sns: I18n.t("activerecord.models.two_factor_authentication/device/sms"),
          restdt: I18n.t("activerecord.models.two_factor_authentication/device/restdt")
        }
      end
      def lookup_active_strategy(klazz)
--- a/openproject-two_factor_authentication.gemspec
+++ b/openproject-two_factor_authentication.gemspec
@ -10,10 +10,10 @@ Gem::Specification.new do |s|
  s.version     = OpenProject::TwoFactorAuthentication::VERSION
  s.authors     = "OpenProject GmbH"
  s.email       = "info@openproject.com"
-  s.homepage    = "https://community.openproject.org/projects/mobile-otp"
+  s.homepage    = "https://community.openproject.org/projects/two-factor-authentication"
  s.summary     = "OpenProject Two-factor authentication"
  s.description = "This OpenProject plugin authenticates your users using two-factor authentication by means of one-time password " \
-                  "through the TOTP standard (Google Authenticator) or sent to the user\'s cell phone via SMS or voice call"
+                  "through the TOTP standard (Google Authenticator) or sent to the user's cell phone via SMS or voice call"
  s.files = Dir["{app,config,db,lib}/**/*", "CHANGELOG.md", "README.rdoc"]
  s.test_files = Dir["spec/**/*"]
--- a/spec/controllers/two_factor_authentication/authentication_controller_spec.rb
+++ b/spec/controllers/two_factor_authentication/authentication_controller_spec.rb
@ -24,6 +24,9 @@ describe ::TwoFactorAuthentication::AuthenticationController, with_2fa_ee: true,
  describe 'with no active strategy, but 2FA enforced as configuration', with_config: { '2fa' => { active_strategies: [], enforced: true } } do
    before do
      allow(OpenProject::TwoFactorAuthentication::TokenStrategyManager)
        .to receive(:add_default_strategy?)
        .and_return false
      session[:authenticated_user_id] = user.id
      get :request_otp
    end
--- a/spec/controllers/two_factor_authentication/forced_registration/two_factor_devices_controller_spec.rb
+++ b/spec/controllers/two_factor_authentication/forced_registration/two_factor_devices_controller_spec.rb
@ -20,6 +20,9 @@ describe ::TwoFactorAuthentication::ForcedRegistration::TwoFactorDevicesControll
    allow(OpenProject::Configuration)
      .to receive(:[]).with('2fa')
      .and_return({ active_strategies: active_strategies }.merge(config).with_indifferent_access)
    allow(OpenProject::TwoFactorAuthentication::TokenStrategyManager)
      .to receive(:add_default_strategy?)
      .and_return false
  end
  describe 'accessing' do
--- a/spec/controllers/two_factor_authentication/my/two_factor_devices_controller_spec.rb
+++ b/spec/controllers/two_factor_authentication/my/two_factor_devices_controller_spec.rb
@ -14,6 +14,9 @@ describe ::TwoFactorAuthentication::My::TwoFactorDevicesController, with_2fa_ee:
    allow(OpenProject::Configuration)
      .to receive(:[]).with('2fa')
      .and_return({ active_strategies: active_strategies }.merge(config).with_indifferent_access)
    allow(OpenProject::TwoFactorAuthentication::TokenStrategyManager)
      .to receive(:add_default_strategy?)
      .and_return false
  end
  describe 'accessing' do
--- a/spec/controllers/two_factor_authentication/users/two_factor_devices_controller_spec.rb
+++ b/spec/controllers/two_factor_authentication/users/two_factor_devices_controller_spec.rb
@ -15,6 +15,9 @@ describe ::TwoFactorAuthentication::Users::TwoFactorDevicesController, with_2fa_
    allow(OpenProject::Configuration)
      .to receive(:[]).with('2fa')
      .and_return({ active_strategies: active_strategies }.merge(config).with_indifferent_access)
    allow(OpenProject::TwoFactorAuthentication::TokenStrategyManager)
      .to receive(:add_default_strategy?)
      .and_return false
  end
  describe 'accessing' do
--- a/spec/lib/token_strategy_manager_spec.rb
+++ b/spec/lib/token_strategy_manager_spec.rb
@ -122,6 +122,11 @@ describe ::OpenProject::TwoFactorAuthentication::TokenStrategyManager do
      subject { described_class.validate_active_strategies! }
      context 'when no strategy is set' do
        let(:active_strategies) { [] }
        before do
          allow(OpenProject::TwoFactorAuthentication::TokenStrategyManager)
            .to receive(:add_default_strategy?)
            .and_return false
        end
        context 'and enforced is false' do
          let(:enforced) { false }
--- a/spec/services/token_service_spec.rb
+++ b/spec/services/token_service_spec.rb
@ -25,6 +25,12 @@ describe ::TwoFactorAuthentication::TokenService, with_2fa_ee: true do
      let(:active_strategies) { [] }
      context 'when enforced' do
        before do
          allow(OpenProject::TwoFactorAuthentication::TokenStrategyManager)
            .to receive(:add_default_strategy?)
            .and_return false
        end
        let(:enforced) { true }
        it 'requires a token' do
          expect(subject.requires_token?).to be_truthy
@ -38,6 +44,12 @@ describe ::TwoFactorAuthentication::TokenService, with_2fa_ee: true do
      context 'when not enforced' do
        let(:enforced) { false }
        before do
          allow(OpenProject::TwoFactorAuthentication::TokenStrategyManager)
            .to receive(:add_default_strategy?)
            .and_return false
        end
        it 'requires no token' do
          expect(subject.requires_token?).to be_falsey
        end