Implement Multi-Factor Authentication #201

* Make use of session variable to redirect user during login
* Centralize management of login into `auth_form` tool
* Create a new module `auth_mfa` to handle email authentication

README.md

@@ -109,7 +109,7 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 
 ## Next Release - 2.5.0
 
-This next release focus on multi-factor-authentication as a measure to increase security of user's account.
+This next release focus on two-factor-authentication as a measure to increase security of user's account.
 
 * Store User's session information into database
 * Update ldap plugin to load additional attributes from LDAP server
@@ -128,6 +128,7 @@ This next release focus on multi-factor-authentication as a measure to increase
   * Show number of active users within the last 24 hours in dashboard
 * Handle migration of older Rdiffweb database by adding the missing `repos.Encoding`, `repos.keepdays` and `users.role` columns #185
 * Replace deprecated references of `disutils.spawn.find_executable()` by `shutil.which()` #208
+* Add two-factor authentication with email verification #201
 
 Breaking changes:
 

doc/index.rst

@@ -14,7 +14,7 @@ Welcome to Rdiffweb's documentation!
    installation
    quickstart
    configuration
-   settings
+   usage
    networking
    faq
    development

doc/two_factor_authentication.md

@@ -0,0 +1,28 @@
+# Two-Factor Authentication
+
+Two-factor authentication (2FA) provides an additional level of security to your Rdiffweb account. In order for others to access your account, they must have your username and password, as well as access to your second factor of authentication.
+
+As of version 2.5.0, Rdiffweb supports email verification as a second authentication factor.
+
+When enabled, users must log in with a username and password. Then a verification code is emailed to the user. To successfully authenticate, the user must provide this verification code.
+
+## Enable 2FA as Administrator
+
+For 2FA to work properly, [SMTP must be configured properly](configuration.html#configure-email-notifications).
+
+In the administration view, an administrator can enable 2FA for a specific user. By doing so, the next time this user tries to connect to Rdiffweb, he will be prompted to enter a verification code that will be sent to his email.
+
+1. Go to **Admin Area > Users**
+2. **Edit** a user
+3. Change the value of *Two-factor authentication* to *Enabled*
+
+## Enabled 2FA as User
+
+For 2FA to work properly, [SMTP must be configured properly](configuration.html#configure-email-notifications).
+
+A user may enabled 2FA for is own account from it's user's profile. To enabled 2FA, the user must provide the verification code that get sent to him by email.
+
+1. Go to **Edit profile > Two-Factor Authentication**
+2. Click **Enable Two-Factor Authentication**
+3. A verification code should be sent to your email address
+4. Enter this verification code

doc/usage.rst

@@ -0,0 +1,12 @@
+
+Use Rdiffweb
+============
+
+Learn how to use Rdiffweb end-to-end. Create users, manage user's permission and authentication.
+
+.. toctree::
+   :maxdepth: 1
+   :caption: Contents:
+
+   settings
+   two_factor_authentication

rdiffweb/controller/__init__.py

@@ -114,6 +114,7 @@ def _compile_template(self, template_name, **kwargs):
             parms.update(
                 {
                     'username': self.app.currentuser.username,
+                    'fullname': self.app.currentuser.fullname,
                     'is_admin': self.app.currentuser.is_admin,
                     'is_maintainer': self.app.currentuser.is_maintainer,
                 }

rdiffweb/controller/api.py

@@ -28,6 +28,7 @@
 
 from rdiffweb.controller import Controller
 from rdiffweb.core.librdiff import RdiffTime
+from rdiffweb.core.model import UserObject
 
 try:
     import simplejson as json
@@ -51,13 +52,26 @@ def default(o):
         yield chunk.encode('utf-8')
 
 
+def _checkpassword(realm, username, password):
+    """
+    Check basic authentication.
+    """
+    # Disable password authentication for MFA
+    userobj = UserObject.get_user(username)
+    if userobj is None or userobj.mfa == UserObject.ENABLED_MFA:
+        return False
+    # Otherwise validate username password
+    return any(cherrypy.engine.publish('login', username, password))
+
+
 @cherrypy.tools.json_out(handler=json_handler)
 @cherrypy.config(**{'error_page.default': False})
-@cherrypy.tools.auth_basic()
+@cherrypy.tools.auth_basic(realm='rdiffweb', checkpassword=_checkpassword, priority=70)
 @cherrypy.tools.auth_form(on=False)
-@cherrypy.tools.sessions(on=True)
+@cherrypy.tools.auth_mfa(on=False)
+@cherrypy.tools.sessions(on=False)
 @cherrypy.tools.i18n(on=False)
-@cherrypy.tools.ratelimit(on=True)
+@cherrypy.tools.ratelimit()
 class ApiPage(Controller):
     """
     This class provide a restful API to access some of the rdiffweb resources.

rdiffweb/controller/dispatch.py

@@ -27,6 +27,9 @@
 import cherrypy
 from cherrypy.lib.static import mimetypes, serve_file
 
+import rdiffweb.tools.auth_form  # noqa
+import rdiffweb.tools.auth_mfa  # noqa
+import rdiffweb.tools.ratelimit  # noqa
 from rdiffweb.core.rdw_helpers import unquote_url
 
 
@@ -121,6 +124,8 @@ def static(path):
 
     @cherrypy.expose
     @cherrypy.tools.auth_form(on=False)
+    @cherrypy.tools.auth_mfa(on=False)
+    @cherrypy.tools.ratelimit(on=False)
     @cherrypy.tools.sessions(on=False)
     def handler(*args, **kwargs):
         if cherrypy.request.method not in ('GET', 'HEAD'):

rdiffweb/controller/filter_authorization.py

@@ -24,19 +24,13 @@
 
 
 def is_admin():
-    # Authentication may have remove the default handle to let the user login.
-    if cherrypy.serving.request.handler is None:
-        return True
-    # Otherwise, validate the permissions.
+    # Validate the permissions.
     if not cherrypy.serving.request.currentuser or not cherrypy.serving.request.currentuser.is_admin:
         raise cherrypy.HTTPError("403 Forbidden")
 
 
 def is_maintainer():
-    # Authentication may have remove the default handle to let the user login.
-    if cherrypy.serving.request.handler is None:
-        return True
-    # Otherwise, validate the permissions.
+    # Validate the permissions.
     if not cherrypy.serving.request.currentuser or not cherrypy.serving.request.currentuser.is_maintainer:
         raise cherrypy.HTTPError("403 Forbidden")
 

rdiffweb/controller/form.py

@@ -57,7 +57,7 @@ def __init__(self, **kwargs):
         if 'formdata' in kwargs:
             formdata = kwargs.pop('formdata')
         else:
-            formdata = _AUTO if self.is_submitted() else None
+            formdata = _AUTO if CherryForm.is_submitted(self) else None
         super().__init__(formdata=formdata, **kwargs)
 
     def is_submitted(self):
@@ -77,7 +77,18 @@ def validate_on_submit(self):
     @property
     def error_message(self):
         if self.errors:
-            return ' '.join(['%s: %s' % (field, ', '.join(messages)) for field, messages in self.errors.items()])
+            msg = Markup("")
+            for field, messages in self.errors.items():
+                if msg:
+                    msg += Markup('<br/>')
+                # Field name
+                if field in self:
+                    msg += "%s: " % self[field].label.text
+                else:
+                    msg += "%s: " % field
+                for m in messages:
+                    msg += m
+            return msg
 
     def __html__(self):
         """

rdiffweb/controller/page_admin_users.py

@@ -74,6 +74,19 @@ class UserForm(CherryForm):
         validators=[validators.optional()],
         description=_('To create an LDAP user, you must leave the password empty.'),
     )
+    mfa = SelectField(
+        _('Two-Factor Authentication (2FA)'),
+        coerce=int,
+        choices=[
+            (UserObject.DISABLED_MFA, _("Disabled")),
+            (UserObject.ENABLED_MFA, _("Enabled")),
+        ],
+        default=UserObject.DISABLED_MFA,
+        description=_(
+            "When Two-Factor Authentication (2FA) is enabled for a user, a verification code get sent by email when user login from a new location."
+        ),
+        render_kw={'data-beta': 1},
+    )
     user_root = StringField(
         _('Root directory'),
         description=_("Absolute path defining the location of the repositories for this user."),
@@ -120,6 +133,12 @@ def validate_role(self, field):
         if self.username.data == currentuser.username and self.role.data != currentuser.role:
             raise ValueError(_('Cannot edit your own role.'))
 
+    def validate_mfa(self, field):
+        # Don't allow the user to changes it's "mfa" state.
+        currentuser = cherrypy.request.currentuser
+        if self.username.data == currentuser.username and self.mfa.data != currentuser.mfa:
+            raise ValueError(_('Cannot change your own two-factor authentication settings.'))
+
     def populate_obj(self, userobj):
         # Save password if defined
         if self.password.data:
@@ -128,6 +147,10 @@ def populate_obj(self, userobj):
         userobj.fullname = self.fullname.data or ''
         userobj.email = self.email.data or ''
         userobj.user_root = self.user_root.data
+        if self.mfa.data and not userobj.email:
+            flash(_("User email is required to enabled Two-Factor Authentication"), level='error')
+        else:
+            userobj.mfa = self.mfa.data
         if not userobj.valid_user_root():
             flash(_("User's root directory %s is not accessible!") % userobj.user_root, level='error')
             logger.warning("user's root directory %s is not accessible" % userobj.user_root)

rdiffweb/controller/page_login.py

@@ -17,22 +17,24 @@
 import logging
 
 import cherrypy
-from wtforms.fields import PasswordField, StringField
-from wtforms.fields.simple import HiddenField
+from wtforms.fields import BooleanField, PasswordField, StringField, SubmitField
 from wtforms.validators import InputRequired
 
 from rdiffweb.controller import Controller, flash
 from rdiffweb.controller.form import CherryForm
-from rdiffweb.core.config import Option
+from rdiffweb.tools.auth_form import LOGIN_PERSISTENT, SESSION_KEY
 from rdiffweb.tools.i18n import gettext_lazy as _
 
 # Define the logger
 logger = logging.getLogger(__name__)
 
 
 class LoginForm(CherryForm):
+    # Sanitize the redirect URL to avoid Open Redirect
+    # redirect = HiddenField(default='/', filters=[lambda v: v if v.startswith('/') else '/'])
     login = StringField(
         _('Username'),
+        default=lambda: cherrypy.session.get(SESSION_KEY, None),
         validators=[InputRequired()],
         render_kw={
             "placeholder": _('Username'),
@@ -43,54 +45,52 @@ class LoginForm(CherryForm):
         },
     )
     password = PasswordField(_('Password'), validators=[InputRequired()], render_kw={"placeholder": _('Password')})
-    # Sanitize the redirect URL to avoid Open Redirect
-    redirect = HiddenField(default='/', filters=[lambda v: v if v.startswith('/') else '/'])
+    persistent = BooleanField(
+        _('Remember me'),
+        default=lambda: cherrypy.session.get(LOGIN_PERSISTENT, False),
+    )
+    submit = SubmitField(
+        _('Sign in'),
+        render_kw={"class": "btn-primary btn-lg btn-block"},
+    )
 
 
 class LoginPage(Controller):
     """
     This page is used by the authentication to enter a user/pass.
     """
 
-    _welcome_msg = Option("welcome_msg")
-
     @cherrypy.expose()
-    @cherrypy.config(**{'tools.auth_form.on': False, 'tools.ratelimit.on': True})
+    @cherrypy.tools.auth_mfa(on=False)
+    @cherrypy.tools.ratelimit()
     def index(self, **kwargs):
+        """
+        Called by auth_form to generate the /login/ page.
+        """
         form = LoginForm()
 
-        # Redirect user to main page if already login.
-        if self.app.currentuser is not None:
-            raise cherrypy.HTTPRedirect(form.redirect.data or '/')
-
         # Validate user's credentials
         if form.validate_on_submit():
             try:
-                login = any(cherrypy.engine.publish('login', form.login.data, form.password.data))
+                results = cherrypy.engine.publish('login', form.login.data, form.password.data)
             except Exception:
-                logger.exception('fail to validate credential')
-                flash(_("Fail to validate user credential."))
+                logger.exception('fail to validate user [%s] credentials', form.login.data)
+                flash(_("Failed to validate user credentials."), level='error')
             else:
-                if login:
-                    raise cherrypy.HTTPRedirect(form.redirect.data or '/')
+                if len(results) > 0 and results[0]:
+                    cherrypy.tools.auth_form.login(username=results[0].username, persistent=form.persistent.data)
+                    cherrypy.tools.auth_form.redirect_to_original_url()
                 else:
                     flash(_("Invalid username or password."))
-
-        params = {'form': form}
-
+        params = {
+            'form': form,
+        }
         # Add welcome message to params. Try to load translated message.
-        if self._welcome_msg:
-            params["welcome_msg"] = self._welcome_msg.get('')
+        welcome_msg = self.app.cfg.welcome_msg
+        if welcome_msg:
+            params["welcome_msg"] = welcome_msg.get('')
             if hasattr(cherrypy.response, 'i18n'):
                 locale = cherrypy.response.i18n.locale.language
-                params["welcome_msg"] = self._welcome_msg.get(locale, params["welcome_msg"])
-
-        return self._compile_template("login.html", **params).encode("utf-8")
-
+                params["welcome_msg"] = welcome_msg.get(locale, params["welcome_msg"])
 
-class LogoutPage(Controller):
-    @cherrypy.expose
-    @cherrypy.config(**{'tools.auth_form.on': False})
-    def default(self):
-        cherrypy.session.clear()
-        raise cherrypy.HTTPRedirect('/')
+        return self._compile_template("login.html", **params)