Merge remote-tracking branch 'fspoettel/admin-panel-2fa' into totp

# Conflicts: # management/daemon.py # management/mfa.py # setup/mail-users.sh
2026-03-04 15:54:48 +01:00 · 2020-09-29 22:20:15 -04:00
parent e2dea39e5b ada2167d08
commit 5deb88ab60
5 changed files with 29 additions and 8 deletions
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -9,7 +9,7 @@ import auth, utils, mfa
 from mailconfig import get_mail_users, get_mail_users_ex, get_admins, add_mail_user, set_mail_password, set_mail_display_name, remove_mail_user
 from mailconfig import get_mail_user_privileges, add_remove_mail_user_privilege
 from mailconfig import get_mail_aliases, get_mail_aliases_ex, get_mail_domains, add_mail_alias, remove_mail_alias
-from mfa import get_mfa_state, enable_mfa, disable_mfa
+from mfa import get_public_mfa_state, enable_mfa, disable_mfa
 import mfa_totp

 env = utils.load_environment()
@@ -413,7 +413,7 @@ def ssl_provision_certs():
@authorized_personnel_only
 def mfa_get_status():
 	return json_response({
-		"enabled_mfa": get_mfa_state(request.user_email, env),
+		"enabled_mfa": get_public_mfa_state(request.user_email, env),
 		"new_mfa": {
 			"totp": mfa_totp.provision(request.user_email, env)
 		}
--- a/management/mfa.py
+++ b/management/mfa.py
@@ -57,6 +57,19 @@ def get_mfa_state(email, env):
 	state_list += mfa_totp.get_state(user)
 	return state_list

+def get_public_mfa_state(email, env):
+	'''return details about what MFA schemes are enabled for a user
+	ordered by the priority that the scheme will be tried, with index
+	zero being the first. No secrets are returned by this function -
+	only those details that are needed by the end user to identify a
+	particular MFA by label and the id of each so it may be disabled.
+
+	'''
+	user = get_mfa_user(email, env)
+	state_list = []
+	state_list += mfa_totp.get_public_state(user)
+	return state_list
+
 def enable_mfa(email, type, secret, token, label, env):
 	'''enable MFA using the scheme specified in `type`. users may have
 multiple mfa schemes enabled of the same type.
--- a/management/mfa_totp.py
+++ b/management/mfa_totp.py
@@ -45,6 +45,18 @@ def get_state(user):
 		})
 	return state_list

+def get_public_state(user):
+	state_list = []
+
+	# totp
+	for idx in range(0, len(user['totpSecret'])):
+		state_list.append({
+			'id': totp_id_from_index(user, idx),
+			'type': 'totp',
+			'label': user['totpLabel'][idx]
+		})
+	return state_list
+
 def enable(user, secret, token, label, env):
 	validate_secret(secret)
 	# Sanity check with the provide current token.