lib/redmine/twofa/base.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174

# frozen_string_literal: true

# Redmine - project management software
# Copyright (C) 2006-2023  Jean-Philippe Lang
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

module Redmine
  module Twofa
    class Base
      def self.inherited(child)
        # require-ing a Base subclass will register it as a 2FA scheme
        Redmine::Twofa.register_scheme(scheme_name(child), child)
      end

      def self.scheme_name(klass = self)
        klass.name.demodulize.underscore
      end

      def scheme_name
        self.class.scheme_name
      end

      def initialize(user)
        @user = user
      end

      def init_pairing!
        @user
      end

      def confirm_pairing!(code)
        # make sure an otp and not a backup code is used
        if verify_otp!(code)
          @user.update!(twofa_scheme: scheme_name)
          deliver_twofa_paired
          return true
        else
          return false
        end
      end

      def deliver_twofa_paired
        ::Mailer.deliver_security_notification(
          @user,
          User.current,
          {
            title: :label_my_account,
            message: 'twofa_mail_body_security_notification_paired',
            # (mis-)use field here as value wouldn't get localized
            field: "twofa__#{scheme_name}__name",
            url: {controller: 'my', action: 'account'}
          }
        )
      end

      def destroy_pairing!(code)
        if verify!(code)
          destroy_pairing_without_verify!
          return true
        else
          return false
        end
      end

      def destroy_pairing_without_verify!
        @user.update!(twofa_scheme: nil)
        backup_codes.delete_all
        deliver_twofa_unpaired
      end

      def deliver_twofa_unpaired
        ::Mailer.deliver_security_notification(
          @user,
          User.current,
          {
            title: :label_my_account,
            message: 'twofa_mail_body_security_notification_unpaired',
            url: {controller: 'my', action: 'account'}
          }
        )
      end

      def send_code(controller: nil, action: nil)
        # return true only if the scheme sends a code to the user
        false
      end

      def verify!(code)
        verify_otp!(code) || verify_backup_code!(code)
      end

      def verify_otp!(code)
        raise 'not implemented'
      end

      def verify_backup_code!(code)
        # backup codes are case-insensitive and white-space-insensitive
        code = code.to_s.remove(/[[:space:]]/).downcase
        user_from_code = Token.find_active_user('twofa_backup_code', code)
        # invalidate backup code after usage
        Token.where(user_id: @user.id).find_token('twofa_backup_code', code).try(:delete)
        # make sure the user using the backup code is the same it's been issued to
        return false unless @user.present? && @user == user_from_code

        ::Mailer.deliver_security_notification(
          @user,
          User.current,
          {
            originator: @user,
            title: :label_my_account,
            message: 'twofa_mail_body_backup_code_used',
            url: {controller: 'my', action: 'account'}
          }
        )
        return true
      end

      def init_backup_codes!
        backup_codes.delete_all
        tokens = []
        10.times do
          token = Token.create(user_id: @user.id, action: 'twofa_backup_code')
          token.update_columns value: Redmine::Utils.random_hex(6)
          tokens << token
        end
        ::Mailer.deliver_security_notification(
          @user,
          User.current,
          {
            title: :label_my_account,
            message: 'twofa_mail_body_backup_codes_generated',
            url: {controller: 'my', action: 'account'}
          }
        )
        tokens
      end

      def backup_codes
        Token.where(user_id: @user.id, action: 'twofa_backup_code')
      end

      # this will only be used on pairing initialization
      def init_pairing_view_variables
        otp_confirm_view_variables
      end

      def otp_confirm_view_variables
        {
          scheme_name: scheme_name,
          resendable: false
        }
      end

      private

      def allowed_drift
        30
      end
    end
  end
end