Added functionality for flexible TFA configuration

This commit is contained in:
Vashchuk Nikita 2022-10-04 13:40:21 +04:00
parent 51ba7c8628
commit 4b1c7644af
10 changed files with 243 additions and 64 deletions


@ -128,7 +128,7 @@ public class IPSecurity
return false;
}
private static bool MatchIPs(string requestIp, string restrictionIp)
public static bool MatchIPs(string requestIp, string restrictionIp)
{
var dividerIdx = restrictionIp.IndexOf('-');
if (dividerIdx > -1)


@ -67,6 +67,7 @@ public class AuthenticationController : ControllerBase
private readonly CookieStorage _cookieStorage;
private readonly DbLoginEventsManager _dbLoginEventsManager;
private readonly UserManagerWrapper _userManagerWrapper;
private readonly TfaAppAuthSettingsHelper _tfaAppAuthSettingsHelper;
public AuthenticationController(
UserManager userManager,
@ -100,7 +101,8 @@ public class AuthenticationController : ControllerBase
ApiContext apiContext,
AuthContext authContext,
CookieStorage cookieStorage,
DbLoginEventsManager dbLoginEventsManager)
DbLoginEventsManager dbLoginEventsManager,
TfaAppAuthSettingsHelper tfaAppAuthSettingsHelper)
{
_userManager = userManager;
_tenantManager = tenantManager;
@ -134,6 +136,7 @@ public class AuthenticationController : ControllerBase
_cookieStorage = cookieStorage;
_dbLoginEventsManager = dbLoginEventsManager;
_userManagerWrapper = userManagerWrapper;
_tfaAppAuthSettingsHelper = tfaAppAuthSettingsHelper;
}
@ -149,16 +152,16 @@ public class AuthenticationController : ControllerBase
{
var tenant = _tenantManager.GetCurrentTenant().Id;
var user = GetUser(inDto, out _);
var sms = false;
try
{
if (_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings() && _studioSmsNotificationSettingsHelper.Enable)
if (_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings() && _studioSmsNotificationSettingsHelper.TfaEnabledForUser(user.Id))
{
sms = true;
_smsManager.ValidateSmsCode(user, inDto.Code, true);
}
else if (TfaAppAuthSettings.IsVisibleSettings && _settingsManager.Load<TfaAppAuthSettings>().EnableSetting)
else if (TfaAppAuthSettingsHelper.IsVisibleSettings && _tfaAppAuthSettingsHelper.TfaEnabledForUser(user.Id))
{
if (_tfaManager.ValidateAuthCode(user, inDto.Code, true, true))
{
@ -212,7 +215,7 @@ public class AuthenticationController : ControllerBase
bool viaEmail;
var user = GetUser(inDto, out viaEmail);
if (_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings() && _studioSmsNotificationSettingsHelper.Enable)
if (_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings() && _studioSmsNotificationSettingsHelper.TfaEnabledForUser(user.Id))
{
if (string.IsNullOrEmpty(user.MobilePhone) || user.MobilePhoneActivationStatus == MobilePhoneActivationStatus.NotActivated)
{
@ -234,7 +237,7 @@ public class AuthenticationController : ControllerBase
};
}
if (TfaAppAuthSettings.IsVisibleSettings && _settingsManager.Load<TfaAppAuthSettings>().EnableSetting)
if (TfaAppAuthSettingsHelper.IsVisibleSettings && _tfaAppAuthSettingsHelper.TfaEnabledForUser(user.Id))
{
if (!TfaAppUserSettings.EnableForUser(_settingsManager, user.Id))
{


@ -43,6 +43,7 @@ public class TfaappController : BaseSettingsController
private readonly DisplayUserSettingsHelper _displayUserSettingsHelper;
private readonly MessageTarget _messageTarget;
private readonly StudioSmsNotificationSettingsHelper _studioSmsNotificationSettingsHelper;
private readonly TfaAppAuthSettingsHelper _tfaAppAuthSettingsHelper;
private readonly InstanceCrypto _instanceCrypto;
private readonly Signature _signature;
private readonly SecurityContext _securityContext;
@ -62,6 +63,7 @@ public class TfaappController : BaseSettingsController
DisplayUserSettingsHelper displayUserSettingsHelper,
MessageTarget messageTarget,
StudioSmsNotificationSettingsHelper studioSmsNotificationSettingsHelper,
TfaAppAuthSettingsHelper tfaAppAuthSettingsHelper,
SmsProviderManager smsProviderManager,
IMemoryCache memoryCache,
InstanceCrypto instanceCrypto,
@ -82,39 +84,49 @@ public class TfaappController : BaseSettingsController
_displayUserSettingsHelper = displayUserSettingsHelper;
_messageTarget = messageTarget;
_studioSmsNotificationSettingsHelper = studioSmsNotificationSettingsHelper;
_tfaAppAuthSettingsHelper = tfaAppAuthSettingsHelper;
_instanceCrypto = instanceCrypto;
_signature = signature;
_securityContext = securityContext;
}
[HttpGet("tfaapp")]
public IEnumerable<TfaSettingsRequestsDto> GetTfaSettings()
public IEnumerable<TfaSettingsDto> GetTfaSettings()
{
var result = new List<TfaSettingsRequestsDto>();
var result = new List<TfaSettingsDto>();
var SmsVisible = _studioSmsNotificationSettingsHelper.IsVisibleSettings();
var SmsVisible = StudioSmsNotificationSettingsHelper.IsVisibleSettings();
var SmsEnable = SmsVisible && _smsProviderManager.Enabled();
var TfaVisible = TfaAppAuthSettings.IsVisibleSettings;
var TfaVisible = TfaAppAuthSettingsHelper.IsVisibleSettings;
var tfaAppSettings = _settingsManager.Load<TfaAppAuthSettings>();
var tfaSmsSettings = _settingsManager.Load<StudioSmsNotificationSettings>();
if (SmsVisible)
{
result.Add(new TfaSettingsRequestsDto
result.Add(new TfaSettingsDto
{
Enabled = _studioSmsNotificationSettingsHelper.Enable,
Enabled = tfaSmsSettings.EnableSetting && _smsProviderManager.Enabled(),
Id = "sms",
Title = Resource.ButtonSmsEnable,
Avaliable = SmsEnable
Avaliable = SmsEnable,
MandatoryUsers = tfaSmsSettings.MandatoryUsers,
MandatoryGroups = tfaSmsSettings.MandatoryGroups,
TrustedIps = tfaSmsSettings.TrustedIps
});
}
if (TfaVisible)
{
result.Add(new TfaSettingsRequestsDto
result.Add(new TfaSettingsDto
{
Enabled = _settingsManager.Load<TfaAppAuthSettings>().EnableSetting,
Enabled = tfaAppSettings.EnableSetting,
Id = "app",
Title = Resource.ButtonTfaAppEnable,
Avaliable = true
Avaliable = true,
MandatoryUsers = tfaAppSettings.MandatoryUsers,
MandatoryGroups = tfaAppSettings.MandatoryGroups,
TrustedIps = tfaAppSettings.TrustedIps
});
}
@ -135,7 +147,8 @@ public class TfaappController : BaseSettingsController
public object TfaConfirmUrl()
{
var user = _userManager.GetUsers(_authContext.CurrentAccount.ID);
if (_studioSmsNotificationSettingsHelper.IsVisibleSettings() && _studioSmsNotificationSettingsHelper.Enable)// && smsConfirm.ToLower() != "true")
if (StudioSmsNotificationSettingsHelper.IsVisibleSettings() && _studioSmsNotificationSettingsHelper.TfaEnabledForUser(user.Id))// && smsConfirm.ToLower() != "true")
{
var confirmType = string.IsNullOrEmpty(user.MobilePhone) ||
user.MobilePhoneActivationStatus == MobilePhoneActivationStatus.NotActivated
@ -145,7 +158,7 @@ public class TfaappController : BaseSettingsController
return _commonLinkUtility.GetConfirmationEmailUrl(user.Email, confirmType);
}
if (TfaAppAuthSettings.IsVisibleSettings && _settingsManager.Load<TfaAppAuthSettings>().EnableSetting)
if (TfaAppAuthSettingsHelper.IsVisibleSettings && _tfaAppAuthSettingsHelper.TfaEnabledForUser(user.Id))
{
var confirmType = TfaAppUserSettings.EnableForUser(_settingsManager, _authContext.CurrentAccount.ID)
? ConfirmType.TfaAuth
@ -165,7 +178,6 @@ public class TfaappController : BaseSettingsController
var result = false;
MessageAction action;
var settings = _settingsManager.Load<TfaAppAuthSettings>();
switch (inDto.Type)
{
@ -180,13 +192,15 @@ public class TfaappController : BaseSettingsController
throw new MethodAccessException();
}
_studioSmsNotificationSettingsHelper.Enable = true;
var smsSettings = _settingsManager.Load<StudioSmsNotificationSettings>();
SetSettingsProperty(smsSettings);
_settingsManager.Save(smsSettings);
action = MessageAction.TwoFactorAuthenticationEnabledBySms;
if (settings.EnableSetting)
if (_tfaAppAuthSettingsHelper.Enable)
{
settings.EnableSetting = false;
_settingsManager.Save(settings);
_tfaAppAuthSettingsHelper.Enable = false;
}
result = true;
@ -194,13 +208,15 @@ public class TfaappController : BaseSettingsController
break;
case "app":
if (!TfaAppAuthSettings.IsVisibleSettings)
if (!TfaAppAuthSettingsHelper.IsVisibleSettings)
{
throw new Exception(Resource.TfaAppNotAvailable);
}
settings.EnableSetting = true;
_settingsManager.Save(settings);
var appSettings = _settingsManager.Load<TfaAppAuthSettings>();
SetSettingsProperty(appSettings);
_settingsManager.Save(appSettings);
action = MessageAction.TwoFactorAuthenticationEnabledByTfaApp;
@ -214,10 +230,9 @@ public class TfaappController : BaseSettingsController
break;
default:
if (settings.EnableSetting)
if (_tfaAppAuthSettingsHelper.Enable)
{
settings.EnableSetting = false;
_settingsManager.Save(settings);
_tfaAppAuthSettingsHelper.Enable = false;
}
if (_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings() && _studioSmsNotificationSettingsHelper.Enable)
@ -237,6 +252,14 @@ public class TfaappController : BaseSettingsController
_messageService.Send(action);
return result;
void SetSettingsProperty<T>(TfaSettingsBase<T> settings) where T : class, ISettings<T>
{
settings.EnableSetting = true;
settings.TrustedIps = inDto.TrustedIps;
settings.MandatoryUsers = inDto.MandatoryUsers;
settings.MandatoryGroups = inDto.MandatoryGroups;
}
}
[HttpPut("tfaappwithlink")]
@ -257,7 +280,7 @@ public class TfaappController : BaseSettingsController
ApiContext.AuthByClaim();
var currentUser = _userManager.GetUsers(_authContext.CurrentAccount.ID);
if (!TfaAppAuthSettings.IsVisibleSettings ||
if (!TfaAppAuthSettingsHelper.IsVisibleSettings ||
!_settingsManager.Load<TfaAppAuthSettings>().EnableSetting ||
TfaAppUserSettings.EnableForUser(_settingsManager, currentUser.Id))
{
@ -277,7 +300,7 @@ public class TfaappController : BaseSettingsController
{
var currentUser = _userManager.GetUsers(_authContext.CurrentAccount.ID);
if (!TfaAppAuthSettings.IsVisibleSettings || !TfaAppUserSettings.EnableForUser(_settingsManager, currentUser.Id))
if (!TfaAppAuthSettingsHelper.IsVisibleSettings || !TfaAppUserSettings.EnableForUser(_settingsManager, currentUser.Id))
{
throw new Exception(Resource.TfaAppNotAvailable);
}
@ -295,7 +318,7 @@ public class TfaappController : BaseSettingsController
{
var currentUser = _userManager.GetUsers(_authContext.CurrentAccount.ID);
if (!TfaAppAuthSettings.IsVisibleSettings || !TfaAppUserSettings.EnableForUser(_settingsManager, currentUser.Id))
if (!TfaAppAuthSettingsHelper.IsVisibleSettings || !TfaAppUserSettings.EnableForUser(_settingsManager, currentUser.Id))
{
throw new Exception(Resource.TfaAppNotAvailable);
}
@ -323,7 +346,7 @@ public class TfaappController : BaseSettingsController
throw new SecurityAccessDeniedException(Resource.ErrorAccessDenied);
}
if (!TfaAppAuthSettings.IsVisibleSettings || !TfaAppUserSettings.EnableForUser(_settingsManager, user.Id))
if (!TfaAppAuthSettingsHelper.IsVisibleSettings || !TfaAppUserSettings.EnableForUser(_settingsManager, user.Id))
{
throw new Exception(Resource.TfaAppNotAvailable);
}
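Review bot: `SetSettingsProperty` (the local function placed after `return result;`) copies `inDto.TrustedIps`, `inDto.MandatoryUsers` and `inDto.MandatoryGroups` into the persisted settings without checking them, so a request that omits the fields stores null lists, and a malformed `TrustedIps` entry is only encountered later when `TfaSettingsHelperBase.TfaEnabledForUser` hands it to `IPSecurity.MatchIPs`. Default the lists and validate at this boundary: `settings.TrustedIps = inDto.TrustedIps ?? new List<string>();` (likewise for the two Guid lists), and reject entries that are neither an IP address nor an `a-b` range, which is the shape `MatchIPs` splits on `'-'`. Declaring the local function after `return result;` is legal but reads as dead code; moving it above the `switch` or into a private method would help. Separately, `GetTfaSettings` now returns `TrustedIps`, `MandatoryUsers` and `MandatoryGroups` to the caller of `GET tfaapp`; if that endpoint is reachable by non-administrators (not visible here), it discloses which users and addresses are bound to or exempt from TFA, so consider returning those fields only to administrators.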


@ -30,6 +30,9 @@ public class TfaRequestsDto
{
public string Type { get; set; }
public Guid? Id { get; set; }
public List<string> TrustedIps { get; set; }
public List<Guid> MandatoryUsers { get; set; }
public List<Guid> MandatoryGroups { get; set; }
}
public class TfaValidateRequestsDto


@ -26,10 +26,13 @@
namespace ASC.Web.Api.ApiModel.RequestsDto;
public class TfaSettingsRequestsDto
public class TfaSettingsDto
{
public string Id { get; set; }
public string Title { get; set; }
public bool Enabled { get; set; }
public bool Avaliable { get; set; }
public List<string> TrustedIps { get; set; }
public List<Guid> MandatoryUsers { get; set; }
public List<Guid> MandatoryGroups { get; set; }
}


@ -100,7 +100,7 @@ public class SmsManager
}
}
if (_studioSmsNotificationSettingsHelper.Enable)
if (_studioSmsNotificationSettingsHelper.TfaEnabledForUser(user.Id))
{
await PutAuthCodeAsync(user, false);
}
@ -115,7 +115,7 @@ public class SmsManager
throw new Exception(Resource.ErrorUserNotFound);
}
if (!_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings() || !_studioSmsNotificationSettingsHelper.Enable)
if (!_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings() || !_studioSmsNotificationSettingsHelper.TfaEnabledForUser(user.Id))
{
throw new MethodAccessException();
}
@ -146,7 +146,7 @@ public class SmsManager
public void ValidateSmsCode(UserInfo user, string code, bool isEntryPoint = false)
{
if (!_studioSmsNotificationSettingsHelper.IsVisibleAndAvailableSettings()
|| !_studioSmsNotificationSettingsHelper.Enable)
|| !_studioSmsNotificationSettingsHelper.TfaEnabledForUser(user.Id))
{
return;
}


@ -26,26 +26,22 @@
namespace ASC.Web.Studio.Core.SMS;
[Serializable]
public class StudioSmsNotificationSettings : ISettings<StudioSmsNotificationSettings>
public class StudioSmsNotificationSettings : TfaSettingsBase<StudioSmsNotificationSettings>
{
[JsonIgnore]
public Guid ID
public override Guid ID
{
get { return new Guid("{2802df61-af0d-40d4-abc5-a8506a5352ff}"); }
}
public StudioSmsNotificationSettings GetDefault()
public override StudioSmsNotificationSettings GetDefault()
{
return new StudioSmsNotificationSettings { EnableSetting = false, };
return new StudioSmsNotificationSettings();
}
[JsonPropertyName("Enable")]
public bool EnableSetting { get; set; }
}
[Scope]
public class StudioSmsNotificationSettingsHelper
public class StudioSmsNotificationSettingsHelper : TfaSettingsHelperBase
{
private readonly TenantExtra _tenantExtra;
private readonly CoreBaseSettings _coreBaseSettings;
@ -54,11 +50,14 @@ public class StudioSmsNotificationSettingsHelper
private readonly SmsProviderManager _smsProviderManager;
public StudioSmsNotificationSettingsHelper(
IHttpContextAccessor httpContextAccessor,
TenantExtra tenantExtra,
CoreBaseSettings coreBaseSettings,
SetupInfo setupInfo,
SettingsManager settingsManager,
SmsProviderManager smsProviderManager)
SmsProviderManager smsProviderManager,
UserManager userManager)
: base(httpContextAccessor, userManager)
{
_tenantExtra = tenantExtra;
_coreBaseSettings = coreBaseSettings;
@ -67,7 +66,7 @@ public class StudioSmsNotificationSettingsHelper
_smsProviderManager = smsProviderManager;
}
public bool IsVisibleSettings()
public static bool IsVisibleSettings()
{
return SetupInfo.IsVisibleSettings<StudioSmsNotificationSettings>();
}
@ -87,13 +86,28 @@ public class StudioSmsNotificationSettingsHelper
&& !quota.Open);
}
public bool TfaEnabledForUser(Guid userGuid)
{
var settings = _settingsManager.Load<StudioSmsNotificationSettings>();
return TfaEnabledForUser(settings, userGuid);
}
public bool Enable
{
get { return _settingsManager.Load<StudioSmsNotificationSettings>().EnableSetting && _smsProviderManager.Enabled(); }
set
{
var settings = _settingsManager.Load<StudioSmsNotificationSettings>();
settings.EnableSetting = value;
StudioSmsNotificationSettings settings;
if (value)
{
settings = _settingsManager.Load<StudioSmsNotificationSettings>();
settings.EnableSetting = value;
}
else
{
settings = new StudioSmsNotificationSettings();
}
_settingsManager.Save(settings);
}
}
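Review bot: `TfaEnabledForUser(Guid)` at the top of the last hunk omits the `_smsProviderManager.Enabled()` condition that the `Enable` getter directly below it still applies, so the two predicates disagree, and the call sites switched to `TfaEnabledForUser` in AuthenticationController and SmsManager can treat SMS TFA as active while no provider is enabled. Suggest `return _smsProviderManager.Enabled() && TfaEnabledForUser(settings, userGuid);`. In the `Enable` setter, `false` now saves `new StudioSmsNotificationSettings()`, which also discards `MandatoryUsers`, `MandatoryGroups` and `TrustedIps`; `TfaAppAuthSettingsHelper.Enable` does the same. If that reset is intentional, make it explicit with `// Disabling also resets mandatory users/groups and trusted IPs`; otherwise load the settings and only flip `EnableSetting` before saving.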


@ -0,0 +1,97 @@
// (c) Copyright Ascensio System SIA 2010-2022
//
// This program is a free software product.
// You can redistribute it and/or modify it under the terms
// of the GNU Affero General Public License (AGPL) version 3 as published by the Free Software
// Foundation. In accordance with Section 7(a) of the GNU AGPL its Section 15 shall be amended
// to the effect that Ascensio System SIA expressly excludes the warranty of non-infringement of
// any third-party rights.
//
// This program is distributed WITHOUT ANY WARRANTY, without even the implied warranty
// of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. For details, see
// the GNU AGPL at: http://www.gnu.org/licenses/agpl-3.0.html
//
// You can contact Ascensio System SIA at Lubanas st. 125a-25, Riga, Latvia, EU, LV-1021.
//
// The interactive user interfaces in modified source and object code versions of the Program must
// display Appropriate Legal Notices, as required under Section 5 of the GNU AGPL version 3.
//
// Pursuant to Section 7(b) of the License you must retain the original Product logo when
// distributing the program. Pursuant to Section 7(e) we decline to grant you any rights under
// trademark law for use of our trademarks.
//
// All the Product's GUI elements, including illustrations and icon sets, as well as technical writing
// content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
using ASC.MessagingSystem;
namespace ASC.Web.Core.Sms;
public abstract class TfaSettingsBase<T> : ISettings<T> where T : ISettings<T>
{
[JsonPropertyName("Enable")]
public bool EnableSetting { get; set; }
public abstract Guid ID { get; }
[JsonPropertyName("TrustedIps")]
public List<string> TrustedIps { get; set; }
[JsonPropertyName("MandatoryUsers")]
public List<Guid> MandatoryUsers { get; set; }
[JsonPropertyName("MandatoryGroups")]
public List<Guid> MandatoryGroups { get; set; }
public abstract T GetDefault();
}
public abstract class TfaSettingsHelperBase
{
private readonly UserManager _userManager;
private readonly IHttpContextAccessor _httpContextAccessor;
public TfaSettingsHelperBase(
IHttpContextAccessor httpContextAccessor,
UserManager userManager)
{
_httpContextAccessor = httpContextAccessor;
_userManager = userManager;
}
public bool TfaEnabledForUser<T>(TfaSettingsBase<T> settings,Guid userGuid) where T : ISettings<T>
{
if (!settings.EnableSetting)
{
return false;
}
foreach (var mandatory in settings.MandatoryGroups)
{
if (_userManager.IsUserInGroup(userGuid, mandatory))
{
return true;
}
}
foreach (var mandatory in settings.MandatoryUsers)
{
if (mandatory == userGuid)
{
return true;
}
}
var ips = MessageSettings.GetIP(_httpContextAccessor.HttpContext.Request);
if (settings.TrustedIps.Any(trustedIp => IPSecurity.IPSecurity.MatchIPs(ips, trustedIp)))
{
return false;
}
return true;
}
}
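Review bot: `TfaEnabledForUser` dereferences `settings.MandatoryGroups`, `settings.MandatoryUsers`, `settings.TrustedIps` and `_httpContextAccessor.HttpContext` without null checks, yet `GetDefault()` in both `StudioSmsNotificationSettings` and `TfaAppAuthSettings` returns an instance with the three lists unset, so a tenant that has never saved the new fields throws instead of getting a decision. The evaluation order also deserves a comment: mandatory users and groups always require TFA, a trusted-IP match exempts everyone else, and anything unmatched requires TFA. Because the exemption rests on `MessageSettings.GetIP`, the address it yields must be the connection address or one taken from a proxy header the deployment trusts; that cannot be verified from this hunk and is worth confirming. The rewrite below treats missing lists as empty and requires TFA when there is no request context to read an address from.
```csharp
public bool TfaEnabledForUser<T>(TfaSettingsBase<T> settings, Guid userGuid) where T : ISettings<T>
{
    if (!settings.EnableSetting)
    {
        return false;
    }

    // Mandatory users and groups are never exempted by a trusted IP.
    if (settings.MandatoryGroups?.Any(group => _userManager.IsUserInGroup(userGuid, group)) == true
        || settings.MandatoryUsers?.Contains(userGuid) == true)
    {
        return true;
    }

    // Without a request there is no client address to trust: require TFA.
    var request = _httpContextAccessor.HttpContext?.Request;
    if (request is null || settings.TrustedIps is null || settings.TrustedIps.Count == 0)
    {
        return true;
    }

    var ip = MessageSettings.GetIP(request);
    // A request from a trusted IP exempts non-mandatory users.
    return !settings.TrustedIps.Any(trustedIp => IPSecurity.IPSecurity.MatchIPs(ip, trustedIp));
}
```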


@ -26,23 +26,59 @@
namespace ASC.Web.Studio.Core.TFA;
[Serializable]
public class TfaAppAuthSettings : ISettings<TfaAppAuthSettings>
public class TfaAppAuthSettings : TfaSettingsBase<TfaAppAuthSettings>
{
[JsonIgnore]
public Guid ID
public override Guid ID
{
get { return new Guid("{822CA059-AA8F-4588-BEE3-6CD2AA920CDB}"); }
}
public TfaAppAuthSettings GetDefault()
public override TfaAppAuthSettings GetDefault()
{
return new TfaAppAuthSettings { EnableSetting = false, };
return new TfaAppAuthSettings();
}
}
[Scope]
public class TfaAppAuthSettingsHelper : TfaSettingsHelperBase
{
private readonly SettingsManager _settingsManager;
public TfaAppAuthSettingsHelper(
IHttpContextAccessor httpContextAccessor,
UserManager userManager,
SettingsManager settingsManager)
: base(httpContextAccessor, userManager)
{
_settingsManager = settingsManager;
}
[JsonPropertyName("Enable")]
public bool EnableSetting { get; set; }
public bool TfaEnabledForUser(Guid userGuid)
{
var settings = _settingsManager.Load<TfaAppAuthSettings>();
return TfaEnabledForUser(settings, userGuid);
}
public bool Enable
{
get { return _settingsManager.Load<TfaAppAuthSettings>().EnableSetting; }
set
{
TfaAppAuthSettings settings;
if (value)
{
settings = _settingsManager.Load<TfaAppAuthSettings>();
settings.EnableSetting = value;
}
else
{
settings = new TfaAppAuthSettings();
}
_settingsManager.Save(settings);
}
}
public static bool IsVisibleSettings
{
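Review bot: The new `TfaAppAuthSettingsHelper` and its `TfaEnabledForUser(Guid)` carry no XML documentation, although the method's result now depends on the request's client IP and the user's group membership (via `TfaSettingsHelperBase`) and not only on `EnableSetting`, which neither its name nor the `Enable` getter beside it suggests. Suggest `/// <summary>True when TFA-app applies to this user: always for mandatory users/groups, otherwise unless the current request comes from a trusted IP.</summary>` on `TfaEnabledForUser`, and `/// <summary>Tenant-wide TFA-app toggle; ignores the per-user and trusted-IP rules.</summary>` on `Enable`. The `IsVisibleSettings` property at the end of the hunk continues outside it.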


@ -95,7 +95,7 @@ public class TfaManager
public bool ValidateAuthCode(UserInfo user, string code, bool checkBackup = true, bool isEntryPoint = false)
{
if (!TfaAppAuthSettings.IsVisibleSettings
if (!TfaAppAuthSettingsHelper.IsVisibleSettings
|| !_settingsManager.Load<TfaAppAuthSettings>().EnableSetting)
{
return false;