afan
/
gitea
Tarkkaile 1
Äänestä 0
Fork 0
Koodi Ongelmat 0 Pull-pyynnöt 0 Julkaisut 0 Wiki Activity
gitea源码
3 Commitit
2 Branchit
Haara: master
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
gitea/routers/web/user/setting/security/2fa.go

2fa.go 8.6KB
Pysyvä linkki Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281 
  1. // Copyright 2014 The Gogs Authors. All rights reserved.

  2. // Copyright 2018 The Gitea Authors. All rights reserved.

  3. // SPDX-License-Identifier: MIT

  4. 

  5. package security

  6. 

  7. import (

  8. 	"bytes"

  9. 	"encoding/base64"

  10. 	"html/template"

  11. 	"image/png"

  12. 	"net/http"

  13. 	"strings"

  14. 

  15. 	"code.gitea.io/gitea/models/auth"

  16. 	user_model "code.gitea.io/gitea/models/user"

  17. 	"code.gitea.io/gitea/modules/log"

  18. 	"code.gitea.io/gitea/modules/session"

  19. 	"code.gitea.io/gitea/modules/setting"

  20. 	"code.gitea.io/gitea/modules/web"

  21. 	"code.gitea.io/gitea/services/context"

  22. 	"code.gitea.io/gitea/services/forms"

  23. 

  24. 	"github.com/pquerna/otp"

  25. 	"github.com/pquerna/otp/totp"

  26. )

  27. 

  28. // RegenerateScratchTwoFactor regenerates the user's 2FA scratch code.

  29. func RegenerateScratchTwoFactor(ctx *context.Context) {

  30. 	if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageMFA) {

  31. 		ctx.HTTPError(http.StatusNotFound)

  32. 		return

  33. 	}

  34. 

  35. 	ctx.Data["Title"] = ctx.Tr("settings")

  36. 	ctx.Data["PageIsSettingsSecurity"] = true

  37. 

  38. 	t, err := auth.GetTwoFactorByUID(ctx, ctx.Doer.ID)

  39. 	if err != nil {

  40. 		if auth.IsErrTwoFactorNotEnrolled(err) {

  41. 			ctx.Flash.Error(ctx.Tr("settings.twofa_not_enrolled"))

  42. 			ctx.Redirect(setting.AppSubURL + "/user/settings/security")

  43. 		} else {

  44. 			ctx.ServerError("SettingsTwoFactor: Failed to GetTwoFactorByUID", err)

  45. 		}

  46. 		return

  47. 	}

  48. 

  49. 	token, err := t.GenerateScratchToken()

  50. 	if err != nil {

  51. 		ctx.ServerError("SettingsTwoFactor: Failed to GenerateScratchToken", err)

  52. 		return

  53. 	}

  54. 

  55. 	if err = auth.UpdateTwoFactor(ctx, t); err != nil {

  56. 		ctx.ServerError("SettingsTwoFactor: Failed to UpdateTwoFactor", err)

  57. 		return

  58. 	}

  59. 

  60. 	ctx.Flash.Success(ctx.Tr("settings.twofa_scratch_token_regenerated", token))

  61. 	ctx.Redirect(setting.AppSubURL + "/user/settings/security")

  62. }

  63. 

  64. // DisableTwoFactor deletes the user's 2FA settings.

  65. func DisableTwoFactor(ctx *context.Context) {

  66. 	if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageMFA) {

  67. 		ctx.HTTPError(http.StatusNotFound)

  68. 		return

  69. 	}

  70. 

  71. 	ctx.Data["Title"] = ctx.Tr("settings")

  72. 	ctx.Data["PageIsSettingsSecurity"] = true

  73. 

  74. 	t, err := auth.GetTwoFactorByUID(ctx, ctx.Doer.ID)

  75. 	if err != nil {

  76. 		if auth.IsErrTwoFactorNotEnrolled(err) {

  77. 			ctx.Flash.Error(ctx.Tr("settings.twofa_not_enrolled"))

  78. 			ctx.Redirect(setting.AppSubURL + "/user/settings/security")

  79. 		} else {

  80. 			ctx.ServerError("SettingsTwoFactor: Failed to GetTwoFactorByUID", err)

  81. 		}

  82. 		return

  83. 	}

  84. 

  85. 	if err = auth.DeleteTwoFactorByID(ctx, t.ID, ctx.Doer.ID); err != nil {

  86. 		if auth.IsErrTwoFactorNotEnrolled(err) {

  87. 			// There is a potential DB race here - we must have been disabled by another request in the intervening period

  88. 			ctx.Flash.Success(ctx.Tr("settings.twofa_disabled"))

  89. 			ctx.Redirect(setting.AppSubURL + "/user/settings/security")

  90. 		} else {

  91. 			ctx.ServerError("SettingsTwoFactor: Failed to DeleteTwoFactorByID", err)

  92. 		}

  93. 		return

  94. 	}

  95. 

  96. 	ctx.Flash.Success(ctx.Tr("settings.twofa_disabled"))

  97. 	ctx.Redirect(setting.AppSubURL + "/user/settings/security")

  98. }

  99. 

  100. func twofaGenerateSecretAndQr(ctx *context.Context) bool {

  101. 	var otpKey *otp.Key

  102. 	var err error

  103. 	uri := ctx.Session.Get("twofaUri")

  104. 	if uri != nil {

  105. 		otpKey, err = otp.NewKeyFromURL(uri.(string))

  106. 		if err != nil {

  107. 			ctx.ServerError("SettingsTwoFactor: Failed NewKeyFromURL: ", err)

  108. 			return false

  109. 		}

  110. 	}

  111. 	// Filter unsafe character ':' in issuer

  112. 	issuer := strings.ReplaceAll(setting.AppName+" ("+setting.Domain+")", ":", "")

  113. 	if otpKey == nil {

  114. 		otpKey, err = totp.Generate(totp.GenerateOpts{

  115. 			SecretSize:  40,

  116. 			Issuer:      issuer,

  117. 			AccountName: ctx.Doer.Name,

  118. 		})

  119. 		if err != nil {

  120. 			ctx.ServerError("SettingsTwoFactor: totpGenerate Failed", err)

  121. 			return false

  122. 		}

  123. 	}

  124. 

  125. 	ctx.Data["TwofaSecret"] = otpKey.Secret()

  126. 	img, err := otpKey.Image(320, 240)

  127. 	if err != nil {

  128. 		ctx.ServerError("SettingsTwoFactor: otpKey image generation failed", err)

  129. 		return false

  130. 	}

  131. 

  132. 	var imgBytes bytes.Buffer

  133. 	if err = png.Encode(&imgBytes, img); err != nil {

  134. 		ctx.ServerError("SettingsTwoFactor: otpKey png encoding failed", err)

  135. 		return false

  136. 	}

  137. 

  138. 	ctx.Data["QrUri"] = template.URL("data:image/png;base64," + base64.StdEncoding.EncodeToString(imgBytes.Bytes()))

  139. 

  140. 	if err := ctx.Session.Set("twofaSecret", otpKey.Secret()); err != nil {

  141. 		ctx.ServerError("SettingsTwoFactor: Failed to set session for twofaSecret", err)

  142. 		return false

  143. 	}

  144. 

  145. 	if err := ctx.Session.Set("twofaUri", otpKey.String()); err != nil {

  146. 		ctx.ServerError("SettingsTwoFactor: Failed to set session for twofaUri", err)

  147. 		return false

  148. 	}

  149. 

  150. 	// Here we're just going to try to release the session early

  151. 	if err := ctx.Session.Release(); err != nil {

  152. 		// we'll tolerate errors here as they *should* get saved elsewhere

  153. 		log.Error("Unable to save changes to the session: %v", err)

  154. 	}

  155. 	return true

  156. }

  157. 

  158. // EnrollTwoFactor shows the page where the user can enroll into 2FA.

  159. func EnrollTwoFactor(ctx *context.Context) {

  160. 	if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageMFA) {

  161. 		ctx.HTTPError(http.StatusNotFound)

  162. 		return

  163. 	}

  164. 

  165. 	ctx.Data["Title"] = ctx.Tr("settings")

  166. 	ctx.Data["PageIsSettingsSecurity"] = true

  167. 	ctx.Data["ShowTwoFactorRequiredMessage"] = false

  168. 

  169. 	t, err := auth.GetTwoFactorByUID(ctx, ctx.Doer.ID)

  170. 	if t != nil {

  171. 		// already enrolled - we should redirect back!

  172. 		log.Warn("Trying to re-enroll %-v in twofa when already enrolled", ctx.Doer)

  173. 		ctx.Flash.Error(ctx.Tr("settings.twofa_is_enrolled"))

  174. 		ctx.Redirect(setting.AppSubURL + "/user/settings/security")

  175. 		return

  176. 	}

  177. 	if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {

  178. 		ctx.ServerError("SettingsTwoFactor: GetTwoFactorByUID", err)

  179. 		return

  180. 	}

  181. 

  182. 	if !twofaGenerateSecretAndQr(ctx) {

  183. 		return

  184. 	}

  185. 

  186. 	ctx.HTML(http.StatusOK, tplSettingsTwofaEnroll)

  187. }

  188. 

  189. // EnrollTwoFactorPost handles enrolling the user into 2FA.

  190. func EnrollTwoFactorPost(ctx *context.Context) {

  191. 	if user_model.IsFeatureDisabledWithLoginType(ctx.Doer, setting.UserFeatureManageMFA) {

  192. 		ctx.HTTPError(http.StatusNotFound)

  193. 		return

  194. 	}

  195. 

  196. 	form := web.GetForm(ctx).(*forms.TwoFactorAuthForm)

  197. 	ctx.Data["Title"] = ctx.Tr("settings")

  198. 	ctx.Data["PageIsSettingsSecurity"] = true

  199. 	ctx.Data["ShowTwoFactorRequiredMessage"] = false

  200. 

  201. 	t, err := auth.GetTwoFactorByUID(ctx, ctx.Doer.ID)

  202. 	if t != nil {

  203. 		// already enrolled

  204. 		ctx.Flash.Error(ctx.Tr("settings.twofa_is_enrolled"))

  205. 		ctx.Redirect(setting.AppSubURL + "/user/settings/security")

  206. 		return

  207. 	}

  208. 	if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {

  209. 		ctx.ServerError("SettingsTwoFactor: Failed to check if already enrolled with GetTwoFactorByUID", err)

  210. 		return

  211. 	}

  212. 

  213. 	if ctx.HasError() {

  214. 		if !twofaGenerateSecretAndQr(ctx) {

  215. 			return

  216. 		}

  217. 		ctx.HTML(http.StatusOK, tplSettingsTwofaEnroll)

  218. 		return

  219. 	}

  220. 

  221. 	secretRaw := ctx.Session.Get("twofaSecret")

  222. 	if secretRaw == nil {

  223. 		ctx.Flash.Error(ctx.Tr("settings.twofa_failed_get_secret"))

  224. 		ctx.Redirect(setting.AppSubURL + "/user/settings/security/two_factor/enroll")

  225. 		return

  226. 	}

  227. 

  228. 	secret := secretRaw.(string)

  229. 	if !totp.Validate(form.Passcode, secret) {

  230. 		if !twofaGenerateSecretAndQr(ctx) {

  231. 			return

  232. 		}

  233. 		ctx.Flash.Error(ctx.Tr("settings.passcode_invalid"))

  234. 		ctx.Redirect(setting.AppSubURL + "/user/settings/security/two_factor/enroll")

  235. 		return

  236. 	}

  237. 

  238. 	t = &auth.TwoFactor{

  239. 		UID: ctx.Doer.ID,

  240. 	}

  241. 	err = t.SetSecret(secret)

  242. 	if err != nil {

  243. 		ctx.ServerError("SettingsTwoFactor: Failed to set secret", err)

  244. 		return

  245. 	}

  246. 	token, err := t.GenerateScratchToken()

  247. 	if err != nil {

  248. 		ctx.ServerError("SettingsTwoFactor: Failed to generate scratch token", err)

  249. 		return

  250. 	}

  251. 

  252. 	newTwoFactorErr := auth.NewTwoFactor(ctx, t)

  253. 	if newTwoFactorErr == nil {

  254. 		_ = ctx.Session.Set(session.KeyUserHasTwoFactorAuth, true)

  255. 	}

  256. 	// Now we have to delete the secrets - because if we fail to insert then it's highly likely that they have already been used

  257. 	// If we can detect the unique constraint failure below we can move this to after the NewTwoFactor

  258. 	if err := ctx.Session.Delete("twofaSecret"); err != nil {

  259. 		// tolerate this failure - it's more important to continue

  260. 		log.Error("Unable to delete twofaSecret from the session: Error: %v", err)

  261. 	}

  262. 	if err := ctx.Session.Delete("twofaUri"); err != nil {

  263. 		// tolerate this failure - it's more important to continue

  264. 		log.Error("Unable to delete twofaUri from the session: Error: %v", err)

  265. 	}

  266. 	if err := ctx.Session.Release(); err != nil {

  267. 		// tolerate this failure - it's more important to continue

  268. 		log.Error("Unable to save changes to the session: %v", err)

  269. 	}

  270. 

  271. 	if newTwoFactorErr != nil {

  272. 		// FIXME: We need to handle a unique constraint fail here it's entirely possible that another request has beaten us.

  273. 		// If there is a unique constraint fail we should just tolerate the error

  274. 		ctx.ServerError("SettingsTwoFactor: Failed to save two factor", newTwoFactorErr)

  275. 		return

  276. 	}

  277. 

  278. 	ctx.Flash.Success(ctx.Tr("settings.twofa_enrolled", token))

  279. 	ctx.Redirect(setting.AppSubURL + "/user/settings/security")

  280. }