Merge pull request sandstorm#14 from sandstorm/feature-enforce-2fa

FEATURE: Enforce 2FA

Author: JamesAlias

.gitignore

@@ -0,0 +1,9 @@
+# 3rd party sources
+Packages/
+vendor/
+
+# composer
+composer.lock
+
+# IDEs
+.idea/

Classes/Controller/AuthenticationController.php

@@ -2,21 +2,22 @@
 
 namespace Sandstorm\NeosTwoFactorAuthentication\Controller;
 
-use chillerlan\QRCode\QRCode;
-use chillerlan\QRCode\QROptions;
 use Neos\Error\Messages\Message;
 use Neos\Flow\Annotations as Flow;
+use Neos\Flow\Mvc\Exception\StopActionException;
 use Neos\Flow\Mvc\FlashMessage\FlashMessageService;
+use Neos\Flow\Persistence\Exception\IllegalObjectTypeException;
 use Neos\Flow\Security\Context;
+use Neos\Flow\Session\Exception\SessionNotStartedException;
 use Neos\Neos\Controller\Module\AbstractModuleController;
 use Neos\Fusion\View\FusionView;
 use Neos\Neos\Domain\Model\User;
-use Neos\Neos\Domain\Repository\DomainRepository;
-use Neos\Neos\Domain\Repository\SiteRepository;
 use Neos\Party\Domain\Service\PartyService;
+use Sandstorm\NeosTwoFactorAuthentication\Domain\AuthenticationStatus;
 use Sandstorm\NeosTwoFactorAuthentication\Domain\Model\SecondFactor;
 use Sandstorm\NeosTwoFactorAuthentication\Domain\Model\Dto\SecondFactorDto;
 use Sandstorm\NeosTwoFactorAuthentication\Domain\Repository\SecondFactorRepository;
+use Sandstorm\NeosTwoFactorAuthentication\Service\SecondFactorSessionStorageService;
 use Sandstorm\NeosTwoFactorAuthentication\Service\TOTPService;
 
 /**
@@ -43,25 +44,31 @@ class BackendController extends AbstractModuleController
     protected $partyService;
 
     /**
-     * @var DomainRepository
      * @Flow\Inject
+     * @var FlashMessageService
      */
-    protected $domainRepository;
+    protected $flashMessageService;
 
     /**
      * @Flow\Inject
-     * @var SiteRepository
+     * @var SecondFactorSessionStorageService
      */
-    protected $siteRepository;
+    protected $secondFactorSessionStorageService;
 
     /**
      * @Flow\Inject
-     * @var FlashMessageService
+     * @var TOTPService
      */
-    protected $flashMessageService;
+    protected $tOTPService;
 
     protected $defaultViewObjectName = FusionView::class;
 
+    /**
+     * @Flow\InjectConfiguration(path="enforceTwoFactorAuthentication")
+     * @var bool
+     */
+    protected $enforceTwoFactorAuthentication;
+
     /**
      * used to list all second factors of the current user
      */
@@ -87,40 +94,38 @@ public function indexAction()
 
         $this->view->assignMultiple([
             'factorsAndPerson' => $factorsAndPerson,
-            'flashMessages' => $this->flashMessageService->getFlashMessageContainerForRequest($this->request)->getMessagesAndFlush(),
+            'flashMessages' => $this->flashMessageService
+                ->getFlashMessageContainerForRequest($this->request)
+                ->getMessagesAndFlush(),
         ]);
     }
 
     /**
      * show the form to register a new second factor
      */
-    public function newAction()
+    public function newAction(): void
     {
         $otp = TOTPService::generateNewTotp();
         $secret = $otp->getSecret();
-
-        $currentDomain = $this->domainRepository->findOneByActiveRequest();
-        $currentSite = $currentDomain !== null ? $currentDomain->getSite() : $this->siteRepository->findDefault();
-        $currentSiteName = $currentSite->getName();
-        $urlEncodedSiteName = urlencode($currentSiteName);
-
-        $userIdentifier = $this->securityContext->getAccount()->getAccountIdentifier();
-        $oauthData = "otpauth://totp/$userIdentifier?secret=$secret&period=30&issuer=$urlEncodedSiteName";
-        $qrCode = (new QRCode(new QROptions([
-            'outputType' => QRCode::OUTPUT_MARKUP_SVG
-        ])))->render($oauthData);
+        $qrCode = $this->tOTPService->generateQRCodeForTokenAndAccount($otp, $this->securityContext->getAccount());
 
         $this->view->assignMultiple([
             'secret' => $secret,
             'qrCode' => $qrCode,
-            'flashMessages' => $this->flashMessageService->getFlashMessageContainerForRequest($this->request)->getMessagesAndFlush(),
+            'flashMessages' => $this->flashMessageService
+                ->getFlashMessageContainerForRequest($this->request)
+                ->getMessagesAndFlush(),
         ]);
     }
 
     /**
      * save the registered second factor
+     *
+     * @throws SessionNotStartedException
+     * @throws IllegalObjectTypeException
+     * @throws StopActionException
      */
-    public function createAction(string $secret, string $secondFactorFromApp)
+    public function createAction(string $secret, string $secondFactorFromApp): void
     {
         $isValid = TOTPService::checkIfOtpIsValid($secret, $secondFactorFromApp);
 
@@ -129,12 +134,9 @@ public function createAction(string $secret, string $secondFactorFromApp)
             $this->redirect('new');
         }
 
-        $secondFactor = new SecondFactor();
-        $secondFactor->setAccount($this->securityContext->getAccount());
-        $secondFactor->setSecret($secret);
-        $secondFactor->setType(SecondFactor::TYPE_TOTP);
-        $this->secondFactorRepository->add($secondFactor);
-        $this->persistenceManager->persistAll();
+        $this->secondFactorRepository->createSecondFactorForAccount($secret, $this->securityContext->getAccount());
+
+        $this->secondFactorSessionStorageService->setAuthenticationStatus(AuthenticationStatus::AUTHENTICATED);
 
         $this->addFlashMessage('Successfully created otp');
         $this->redirect('index');
@@ -144,15 +146,28 @@ public function createAction(string $secret, string $secondFactorFromApp)
      * @param SecondFactor $secondFactor
      * @return void
      */
-    public function deleteAction(SecondFactor $secondFactor)
+    public function deleteAction(SecondFactor $secondFactor): void
     {
+        $account = $this->securityContext->getAccount();
+
         if (
             $this->securityContext->hasRole('Neos.Neos:Administrator')
-            || $secondFactor->getAccount() === $this->securityContext->getAccount()
+            || $secondFactor->getAccount() === $account
         ) {
-            $this->secondFactorRepository->remove($secondFactor);
-            $this->persistenceManager->persistAll();
-            $this->addFlashMessage('Second factor was deleted');
+            if (
+                $this->enforceTwoFactorAuthentication
+                && count($this->secondFactorRepository->findByAccount($account)) <= 1
+            ) {
+                $this->addFlashMessage(
+                    'Can not remove last second factor! Second factor is enforced, you need at least one!',
+                    'Error',
+                    Message::SEVERITY_ERROR
+                );
+            } else {
+                $this->secondFactorRepository->remove($secondFactor);
+                $this->persistenceManager->persistAll();
+                $this->addFlashMessage('Second factor was deleted');
+            }
         }
 
         $this->redirect('index');

Classes/Controller/BackendController.php

@@ -6,15 +6,25 @@
  * This file is part of the Sandstorm.NeosTwoFactorAuthentication package.
  */
 
+use Neos\Error\Messages\Message;
 use Neos\Flow\Annotations as Flow;
 use Neos\Flow\Configuration\ConfigurationManager;
+use Neos\Flow\Configuration\Exception\InvalidConfigurationTypeException;
 use Neos\Flow\Mvc\Controller\ActionController;
+use Neos\Flow\Mvc\Exception\StopActionException;
 use Neos\Flow\Mvc\FlashMessage\FlashMessageService;
-use Neos\Flow\Security\Authentication\AuthenticationManagerInterface;
+use Neos\Flow\Persistence\Exception\IllegalObjectTypeException;
+use Neos\Flow\Security\Account;
 use Neos\Flow\Security\Context as SecurityContext;
+use Neos\Flow\Session\Exception\SessionNotStartedException;
 use Neos\Fusion\View\FusionView;
 use Neos\Neos\Domain\Repository\DomainRepository;
 use Neos\Neos\Domain\Repository\SiteRepository;
+use Sandstorm\NeosTwoFactorAuthentication\Domain\AuthenticationStatus;
+use Sandstorm\NeosTwoFactorAuthentication\Domain\Model\SecondFactor;
+use Sandstorm\NeosTwoFactorAuthentication\Domain\Repository\SecondFactorRepository;
+use Sandstorm\NeosTwoFactorAuthentication\Service\SecondFactorSessionStorageService;
+use Sandstorm\NeosTwoFactorAuthentication\Service\TOTPService;
 
 class LoginController extends ActionController
 {
@@ -29,12 +39,6 @@ class LoginController extends ActionController
      */
     protected $securityContext;
 
-    /**
-     * @var AuthenticationManagerInterface
-     * @Flow\Inject
-     */
-    protected $authenticationManager;
-
     /**
      * @var DomainRepository
      * @Flow\Inject
@@ -53,27 +57,154 @@ class LoginController extends ActionController
      */
     protected $flashMessageService;
 
+    /**
+     * @var SecondFactorRepository
+     * @Flow\Inject
+     */
+    protected $secondFactorRepository;
+
+    /**
+     * @Flow\Inject
+     * @var SecondFactorSessionStorageService
+     */
+    protected $secondFactorSessionStorageService;
+
+    /**
+     * @Flow\Inject
+     * @var TOTPService
+     */
+    protected $tOTPService;
+
+    /**
+     * This action decides which tokens are already authenticated
+     * and decides which is next to authenticate
+     *
+     * ATTENTION: this code is copied from the Neos.Neos:LoginController
+     */
+    public function askForSecondFactorAction(?string $username = null): void
+    {
+        $currentDomain = $this->domainRepository->findOneByActiveRequest();
+        $currentSite = $currentDomain !== null ? $currentDomain->getSite() : $this->siteRepository->findDefault();
+
+        $this->view->assignMultiple([
+            'styles' => array_filter($this->getNeosSettings()['userInterface']['backendLoginForm']['stylesheets']),
+            'username' => $username,
+            'site' => $currentSite,
+            'flashMessages' => $this->flashMessageService
+                ->getFlashMessageContainerForRequest($this->request)
+                ->getMessagesAndFlush(),
+        ]);
+    }
+
+    /**
+     * @throws StopActionException
+     * @throws SessionNotStartedException
+     */
+    public function checkSecondFactorAction(string $otp): void
+    {
+        $account = $this->securityContext->getAccount();
+
+        $isValidOtp = $this->enteredTokenMatchesAnySecondFactor($otp, $account);
+
+        if ($isValidOtp) {
+            $this->secondFactorSessionStorageService->setAuthenticationStatus(AuthenticationStatus::AUTHENTICATED);
+        } else {
+            // FIXME: not visible in View!
+            $this->addFlashMessage('Invalid OTP!', 'Error', Message::SEVERITY_ERROR);
+        }
+
+        $originalRequest = $this->securityContext->getInterceptedRequest();
+        if ($originalRequest !== null) {
+            $this->redirectToRequest($originalRequest);
+        }
+
+        $this->redirect('index', 'Backend\Backend', 'Neos.Neos');
+    }
+
     /**
      * This action decides which tokens are already authenticated
      * and decides which is next to authenticate
      *
      * ATTENTION: this code is copied from the Neos.Neos:LoginController
      */
-    public function askForSecondFactorAction(?string $username = null, bool $unauthorized = false)
+    public function setupSecondFactorAction(?string $username = null): void
     {
+        $otp = TOTPService::generateNewTotp();
+        $secret = $otp->getSecret();
+        $qrCode = $this->tOTPService->generateQRCodeForTokenAndAccount($otp, $this->securityContext->getAccount());
+
         $currentDomain = $this->domainRepository->findOneByActiveRequest();
         $currentSite = $currentDomain !== null ? $currentDomain->getSite() : $this->siteRepository->findDefault();
 
         $this->view->assignMultiple([
             'styles' => array_filter($this->getNeosSettings()['userInterface']['backendLoginForm']['stylesheets']),
             'username' => $username,
             'site' => $currentSite,
-            'flashMessages' => $this->flashMessageService->getFlashMessageContainerForRequest($this->request)->getMessagesAndFlush(),
+            'secret' => $secret,
+            'qrCode' => $qrCode,
+            'flashMessages' => $this->flashMessageService
+                ->getFlashMessageContainerForRequest($this->request)
+                ->getMessagesAndFlush(),
         ]);
     }
 
+    /**
+     * @param string $secret
+     * @param string $secondFactorFromApp
+     * @return void
+     * @throws IllegalObjectTypeException
+     * @throws SessionNotStartedException
+     * @throws StopActionException
+     */
+    public function createSecondFactorAction(string $secret, string $secondFactorFromApp): void
+    {
+        $isValid = TOTPService::checkIfOtpIsValid($secret, $secondFactorFromApp);
+
+        if (!$isValid) {
+            $this->addFlashMessage('Submitted OTP was not correct.', '', Message::SEVERITY_WARNING);
+            $this->redirect('setupSecondFactor');
+        }
+
+        $account = $this->securityContext->getAccount();
+
+        $this->secondFactorRepository->createSecondFactorForAccount($secret, $account);
+
+        $this->addFlashMessage('Successfully created otp.');
+
+        $this->secondFactorSessionStorageService->setAuthenticationStatus(AuthenticationStatus::AUTHENTICATED);
+
+        $originalRequest = $this->securityContext->getInterceptedRequest();
+        if ($originalRequest !== null) {
+            $this->redirectToRequest($originalRequest);
+        }
+
+        $this->redirect('index', 'Backend\Backend', 'Neos.Neos');
+    }
+
+    /**
+     * Check if the given token matches any registered second factor
+     *
+     * @param string $enteredSecondFactor
+     * @param Account $account
+     * @return bool
+     */
+    private function enteredTokenMatchesAnySecondFactor(string $enteredSecondFactor, Account $account): bool
+    {
+        /** @var SecondFactor[] $secondFactors */
+        $secondFactors = $this->secondFactorRepository->findByAccount($account);
+        foreach ($secondFactors as $secondFactor) {
+            $isValid = TOTPService::checkIfOtpIsValid($secondFactor->getSecret(), $enteredSecondFactor);
+            if ($isValid) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     /**
      * @return array
+     * @throws InvalidConfigurationTypeException
      */
     protected function getNeosSettings(): array
     {