Merge remote-tracking branch 'fspoettel/admin-panel-2fa' into totp

# Conflicts: # management/auth.py # management/mfa.py
2025-04-24 03:26:55 +00:00 · 2020-09-30 09:05:03 -04:00 · 2020-09-30 09:05:03 -04:00 · a5ebd07549
commit a5ebd07549
parent 5deb88ab60 1f0e493b8c
3 changed files with 24 additions and 20 deletions
--- a/management/auth.py
+++ b/management/auth.py
@ -4,7 +4,7 @@ from flask import make_response

 import utils
 from mailconfig import validate_login, get_mail_password, get_mail_user_privileges
-from mfa import get_mfa_state, validate_auth_mfa
+from mfa import get_hash_mfa_state, validate_auth_mfa

 DEFAULT_KEY_PATH   = '/var/lib/mailinabox/api.key'
 DEFAULT_AUTH_REALM = 'Mail-in-a-Box Management Server'
@ -135,7 +135,7 @@ class KeyAuthService:

 		# Add to the message the current MFA state, which is a list of MFA information.
 		# Turn it into a string stably.
-		msg += b" " + json.dumps(get_mfa_state(email, env), sort_keys=True).encode("utf8")
+		msg += b" " + json.dumps(get_hash_mfa_state(email, env), sort_keys=True).encode("utf8")

 		# Make the HMAC.
 		hash_key = self.key.encode('ascii')
--- a/management/mfa.py
+++ b/management/mfa.py
@ -9,8 +9,8 @@ def strip_order_prefix(rec, attributes):

    `rec` is modified in-place

-	the server returns X-ORDERED values in-order so the values will be
-	correctly orded in the record. 
+	the server returns X-ORDERED values ordered so the values will be
+	sorted in the record making the prefix superfluous.

 	For example, the function will change:
       totpSecret: {0}secret1 
@ -65,10 +65,26 @@ def get_public_mfa_state(email, env):
 	particular MFA by label and the id of each so it may be disabled.

 	'''
-	user = get_mfa_user(email, env)
-	state_list = []
-	state_list += mfa_totp.get_public_state(user)
-	return state_list
+	mfa_state = get_mfa_state(email, env)
+	return [
+		{ "id": s["id"], "type": s["type"], "label": s["label"] }
+		for s in mfa_state
+	]
+
+def get_hash_mfa_state(email, env):
+	'''return details about what MFA schemes are enabled for a user
+	ordered by the priority that the scheme will be tried, with index
+	zero being the first. This function may return secrets. It's
+	intended use is for the result to be included as part of the input
+	to a hashing function to generate a user api key (see
+	auth.py:create_user_key)
+
+	'''
+	mfa_state = get_mfa_state(email, env)
+	return [
+		{ "id": s["id"], "type": s["type"], "secret": s["secret"] }
+		for s in mfa_state
+	]

 def enable_mfa(email, type, secret, token, label, env):
 	'''enable MFA using the scheme specified in `type`. users may have
--- a/management/mfa_totp.py
+++ b/management/mfa_totp.py
@ -45,18 +45,6 @@ def get_state(user):
 		})
 	return state_list

-def get_public_state(user):
-	state_list = []
-
-	# totp
-	for idx in range(0, len(user['totpSecret'])):
-		state_list.append({
-			'id': totp_id_from_index(user, idx),
-			'type': 'totp',
-			'label': user['totpLabel'][idx]
-		})
-	return state_list
-
 def enable(user, secret, token, label, env):
 	validate_secret(secret)
 	# Sanity check with the provide current token.