Support requiring 2FA for authentication, check isEnrolledIn2Sv
#204
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| package com.gu.googleauth | ||
|
|
||
| import com.google.api.services.directory.DirectoryScopes.ADMIN_DIRECTORY_USER_READONLY | ||
| import com.google.auth.oauth2.GoogleCredentials | ||
| import com.gu.googleauth.internal.DirectoryService | ||
|
|
||
| import scala.concurrent.{ExecutionContext, Future, blocking} | ||
|
|
||
| /** | ||
| * Uses the `isEnrolledIn2Sv` field on https://developers.google.com/admin-sdk/directory/reference/rest/v1/users | ||
| * to check the 2FA status of a user. | ||
| * | ||
| * @param googleCredentials must have read-only access to retrieve a User using the Admin SDK Directory API | ||
| */ | ||
| class TwoFactorAuthChecker(googleCredentials: GoogleCredentials) { | ||
|
|
||
| private val usersApi = DirectoryService(googleCredentials, ADMIN_DIRECTORY_USER_READONLY).users() | ||
|
|
||
| def check(userEmail: String)(implicit ec: ExecutionContext): Future[Boolean] = Future { blocking { | ||
| usersApi.get(userEmail).execute().getIsEnrolledIn2Sv | ||
| }} | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -137,9 +137,20 @@ trait LoginSupport extends Logging { | |
| } | ||
| logWarn(desc, e) | ||
| Future.successful(redirectWithError(failureRedirectTarget, message)) | ||
| }.flatMap { userIdentity => | ||
| authConfig.twoFactorAuthChecker.map(requireTwoFactorAuthFor(userIdentity)).getOrElse(EitherT.pure(userIdentity)) | ||
| } | ||
| } | ||
|
|
||
| private def requireTwoFactorAuthFor(userIdentity: UserIdentity)(checker: TwoFactorAuthChecker)( | ||
| implicit ec: ExecutionContext | ||
| ): EitherT[Future, Result, UserIdentity] = EitherT { | ||
| checker.check(userIdentity.email).map(userHas2FA => if (userHas2FA) Right(userIdentity) else { | ||
| logger.warn(s"failed-oauth-callback : user-does-not-have-2fa") | ||
| Left(redirectWithError(failureRedirectTarget, "You do not have 2FA enabled")) | ||
|
There was a problem hiding this comment. This message will be displayed to the user if they don't have 2FA - as in this Ophan PR here:
|
||
| }) | ||
| } | ||
|
|
||
| /** | ||
| * Looks up user's Google Groups and ensures they belong to any that are required. Redirects to | ||
| * `failureRedirectTarget` if the user is not a member of any required group. | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| package com.gu.googleauth | ||
|
|
||
| import com.google.auth.oauth2.GoogleCredentials | ||
| import software.amazon.awssdk.auth.credentials.{AwsCredentialsProvider, ProfileCredentialsProvider} | ||
| import software.amazon.awssdk.http.apache.ApacheHttpClient | ||
| import software.amazon.awssdk.regions.Region.EU_WEST_1 | ||
| import software.amazon.awssdk.services.ssm.SsmClient | ||
| import software.amazon.awssdk.services.ssm.model.GetParameterRequest | ||
|
|
||
| import scala.concurrent.Await | ||
| import scala.concurrent.ExecutionContext.Implicits.global | ||
| import scala.concurrent.duration.Duration | ||
|
|
||
| /** | ||
| * This is a non-production piece of code, only intended for checking that Google Credentials are correctly set up, | ||
| * and that we're able to get a good response from the Google Admin SDK Directory API. | ||
| */ | ||
| object TwoFactorAuthCheckerCLITester extends App { | ||
|
|
||
| val checker = new TwoFactorAuthChecker(GoogleCredentialsInDev.loadGuardianGoogleCredentials()) | ||
|
|
||
| val userEmail = ??? // eg "firstname.lastname@guardian.co.uk" | ||
|
|
||
| val has2FA: Boolean = Await.result(checker.check(userEmail), Duration.Inf) | ||
|
|
||
| println(s"User $userEmail has 2FA enabled: $has2FA") | ||
| } | ||
|
|
||
| object GoogleCredentialsInDev { | ||
| /** | ||
| * Only intended for use by Guardian developers, in development. Requires Janus credentials. | ||
| */ | ||
| def loadGuardianGoogleCredentials(): GoogleCredentials = { | ||
| val aws = new AWS("ophan") | ||
| val serviceAccountCert = aws.loadSecureString("/Ophan/Dashboard/GoogleCloudPlatform/OphanOAuthServiceAccountCert") | ||
| val impersonatedUser = aws.loadSecureString("/Ophan/Dashboard/GoogleCloudPlatform/ImpersonatedUser") | ||
|
|
||
| ServiceAccountHelper.credentialsFrom(serviceAccountCert).createDelegated(impersonatedUser) | ||
| } | ||
| } | ||
|
|
||
| class AWS(profileName: String) { | ||
| val credentials: AwsCredentialsProvider = ProfileCredentialsProvider.builder().profileName(profileName).build() | ||
|
|
||
| val SSM: SsmClient = | ||
| SsmClient.builder().httpClientBuilder(ApacheHttpClient.builder()).credentialsProvider(credentials).region(EU_WEST_1).build() | ||
|
|
||
| def loadSecureString(paramName: String): String = SSM.getParameter( | ||
| GetParameterRequest.builder().name(paramName).withDecryption(true).build() | ||
| ).parameter().value() | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This new dependency is only for the test scope, as it's only needed for the new
TwoFactorAuthCheckerCLITester, only used for double-checking Google Credentials are correctly setup.