authentik/passbook/factors/otp/views.py

"""passbook OTP Views"""
from base64 import b32encode
from binascii import unhexlify

from django.contrib import messages
from django.contrib.auth.mixins import LoginRequiredMixin
from django.http import Http404, HttpRequest, HttpResponse
from django.shortcuts import get_object_or_404, redirect
from django.urls import reverse
from django.utils.decorators import method_decorator
from django.utils.translation import ugettext as _
from django.views import View
from django.views.decorators.cache import never_cache
from django.views.generic import FormView, TemplateView
from django_otp.plugins.otp_static.models import StaticDevice, StaticToken
from django_otp.plugins.otp_totp.models import TOTPDevice
from qrcode import make
from qrcode.image.svg import SvgPathImage
from structlog import get_logger

from passbook.audit.models import Event, EventAction
from passbook.factors.otp.forms import OTPSetupForm
from passbook.factors.otp.utils import otpauth_url
from passbook.lib.config import CONFIG

OTP_SESSION_KEY = "passbook_factors_otp_key"
OTP_SETTING_UP_KEY = "passbook_factors_otp_setup"
LOGGER = get_logger()


class UserSettingsView(LoginRequiredMixin, TemplateView):
    """View for user settings to control OTP"""

    template_name = "otp/user_settings.html"

    # TODO: Check if OTP Factor exists and applies to user
    def get_context_data(self, **kwargs):
        kwargs = super().get_context_data(**kwargs)
        static = StaticDevice.objects.filter(user=self.request.user, confirmed=True)
        if static.exists():
            kwargs["static_tokens"] = StaticToken.objects.filter(
                device=static.first()
            ).order_by("token")
        totp_devices = TOTPDevice.objects.filter(user=self.request.user, confirmed=True)
        kwargs["state"] = totp_devices.exists() and static.exists()
        return kwargs


class DisableView(LoginRequiredMixin, View):
    """Disable TOTP for user"""

    def get(self, request: HttpRequest) -> HttpResponse:
        """Delete all the devices for user"""
        static = get_object_or_404(StaticDevice, user=request.user, confirmed=True)
        static_tokens = StaticToken.objects.filter(device=static).order_by("token")
        totp = TOTPDevice.objects.filter(user=request.user, confirmed=True)
        static.delete()
        totp.delete()
        for token in static_tokens:
            token.delete()
        messages.success(request, "Successfully disabled OTP")
        # Create event with email notification
        Event.new(EventAction.CUSTOM, message="User disabled OTP.").from_http(request)
        return redirect(reverse("passbook_factors_otp:otp-user-settings"))


class EnableView(LoginRequiredMixin, FormView):
    """View to set up OTP"""

    title = _("Set up OTP")
    form_class = OTPSetupForm
    template_name = "login/form.html"

    totp_device = None
    static_device = None

    # TODO: Check if OTP Factor exists and applies to user
    def get_context_data(self, **kwargs):
        kwargs["config"] = CONFIG.y("passbook")
        kwargs["title"] = _("Configure OTP")
        kwargs["primary_action"] = _("Setup")
        return super().get_context_data(**kwargs)

    def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        # Check if user has TOTP setup already
        finished_totp_devices = TOTPDevice.objects.filter(
            user=request.user, confirmed=True
        )
        finished_static_devices = StaticDevice.objects.filter(
            user=request.user, confirmed=True
        )
        if finished_totp_devices.exists() and finished_static_devices.exists():
            messages.error(request, _("You already have TOTP enabled!"))
            del request.session[OTP_SETTING_UP_KEY]
            return redirect("passbook_factors_otp:otp-user-settings")
        request.session[OTP_SETTING_UP_KEY] = True
        # Check if there's an unconfirmed device left to set up
        totp_devices = TOTPDevice.objects.filter(user=request.user, confirmed=False)
        if not totp_devices.exists():
            # Create new TOTPDevice and save it, but not confirm it
            self.totp_device = TOTPDevice(user=request.user, confirmed=False)
            self.totp_device.save()
        else:
            self.totp_device = totp_devices.first()

        # Check if we have a static device already
        static_devices = StaticDevice.objects.filter(user=request.user, confirmed=False)
        if not static_devices.exists():
            # Create new static device and some codes
            self.static_device = StaticDevice(user=request.user, confirmed=False)
            self.static_device.save()
            # Create 9 tokens and save them
            # TODO: Send static tokens via E-Mail
            for _counter in range(0, 9):
                token = StaticToken(
                    device=self.static_device, token=StaticToken.random_token()
                )
                token.save()
        else:
            self.static_device = static_devices.first()

        # Somehow convert the generated key to base32 for the QR code
        rawkey = unhexlify(self.totp_device.key.encode("ascii"))
        request.session[OTP_SESSION_KEY] = b32encode(rawkey).decode("utf-8")
        return super().dispatch(request, *args, **kwargs)

    def get_form(self, form_class=None):
        form = super().get_form(form_class=form_class)
        form.device = self.totp_device
        form.fields["qr_code"].initial = reverse("passbook_factors_otp:otp-qr")
        tokens = [(x.token, x.token) for x in self.static_device.token_set.all()]
        form.fields["tokens"].choices = tokens
        return form

    def form_valid(self, form):
        # Save device as confirmed
        LOGGER.debug("Saved OTP Devices")
        self.totp_device.confirmed = True
        self.totp_device.save()
        self.static_device.confirmed = True
        self.static_device.save()
        del self.request.session[OTP_SETTING_UP_KEY]
        Event.new(EventAction.CUSTOM, message="User enabled OTP.").from_http(
            self.request
        )
        return redirect("passbook_factors_otp:otp-user-settings")


@method_decorator(never_cache, name="dispatch")
class QRView(View):
    """View returns an SVG image with the OTP token information"""

    def get(self, request: HttpRequest) -> HttpResponse:
        """View returns an SVG image with the OTP token information"""
        # Get the data from the session
        try:
            key = request.session[OTP_SESSION_KEY]
        except KeyError:
            raise Http404

        url = otpauth_url(accountname=request.user.username, secret=key)
        # Make and return QR code
        img = make(url, image_factory=SvgPathImage)
        resp = HttpResponse(content_type="image/svg+xml; charset=utf-8")
        img.save(resp)
        return resp
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`"""passbook OTP Views"""`
			`from base64 import b32encode`
			`from binascii import unhexlify`

			`from django.contrib import messages`
			`from django.contrib.auth.mixins import LoginRequiredMixin`
			`from django.http import Http404, HttpRequest, HttpResponse`
fix isort/pylint issues 2019-02-26 11:43:59 +00:00			`from django.shortcuts import get_object_or_404, redirect`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`from django.urls import reverse`
lib: remove method_decorator Mixins 2020-02-18 21:28:47 +00:00			`from django.utils.decorators import method_decorator`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`from django.utils.translation import ugettext as _`
			`from django.views import View`
lib: remove method_decorator Mixins 2020-02-18 21:28:47 +00:00			`from django.views.decorators.cache import never_cache`
fix isort/pylint issues 2019-02-26 11:43:59 +00:00			`from django.views.generic import FormView, TemplateView`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`from django_otp.plugins.otp_static.models import StaticDevice, StaticToken`
			`from django_otp.plugins.otp_totp.models import TOTPDevice`
			`from qrcode import make`
			`from qrcode.image.svg import SvgPathImage`
*(minor): stdlib logging to structlog 2019-10-01 08:24:10 +00:00			`from structlog import get_logger`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00
audit: rewrite to be independent of django http requests, allow custom actions 2019-12-05 15:14:08 +00:00			`from passbook.audit.models import Event, EventAction`
*(minor): small refactor 2019-10-07 14:33:48 +00:00			`from passbook.factors.otp.forms import OTPSetupForm`
			`from passbook.factors.otp.utils import otpauth_url`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`from passbook.lib.config import CONFIG`

all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`OTP_SESSION_KEY = "passbook_factors_otp_key"`
			`OTP_SETTING_UP_KEY = "passbook_factors_otp_setup"`
*(minor): remove __name__ param from get_logger 2019-10-04 08:08:53 +00:00			`LOGGER = get_logger()`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00
ci: upgrade pylint to latest version core: also upgrade kombu as https://github.com/celery/kombu/issues/1101 is fixed now 2019-12-31 11:45:29 +00:00
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`class UserSettingsView(LoginRequiredMixin, TemplateView):`
			`"""View for user settings to control OTP"""`

all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`template_name = "otp/user_settings.html"`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00
			`# TODO: Check if OTP Factor exists and applies to user`
			`def get_context_data(self, **kwargs):`
			`kwargs = super().get_context_data(**kwargs)`
			`static = StaticDevice.objects.filter(user=self.request.user, confirmed=True)`
			`if static.exists():`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`kwargs["static_tokens"] = StaticToken.objects.filter(`
			`device=static.first()`
			`).order_by("token")`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`totp_devices = TOTPDevice.objects.filter(user=self.request.user, confirmed=True)`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`kwargs["state"] = totp_devices.exists() and static.exists()`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`return kwargs`

ci: upgrade pylint to latest version core: also upgrade kombu as https://github.com/celery/kombu/issues/1101 is fixed now 2019-12-31 11:45:29 +00:00
Re-enable OTP Disable View 2019-02-26 11:35:24 +00:00			`class DisableView(LoginRequiredMixin, View):`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`"""Disable TOTP for user"""`

ci: upgrade pylint to latest version core: also upgrade kombu as https://github.com/celery/kombu/issues/1101 is fixed now 2019-12-31 11:45:29 +00:00			`def get(self, request: HttpRequest) -> HttpResponse:`
Re-enable OTP Disable View 2019-02-26 11:35:24 +00:00			`"""Delete all the devices for user"""`
			`static = get_object_or_404(StaticDevice, user=request.user, confirmed=True)`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`static_tokens = StaticToken.objects.filter(device=static).order_by("token")`
Re-enable OTP Disable View 2019-02-26 11:35:24 +00:00			`totp = TOTPDevice.objects.filter(user=request.user, confirmed=True)`
			`static.delete()`
			`totp.delete()`
			`for token in static_tokens:`
			`token.delete()`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`messages.success(request, "Successfully disabled OTP")`
Re-enable OTP Disable View 2019-02-26 11:35:24 +00:00			`# Create event with email notification`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`Event.new(EventAction.CUSTOM, message="User disabled OTP.").from_http(request)`
			`return redirect(reverse("passbook_factors_otp:otp-user-settings"))`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00
ci: upgrade pylint to latest version core: also upgrade kombu as https://github.com/celery/kombu/issues/1101 is fixed now 2019-12-31 11:45:29 +00:00
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`class EnableView(LoginRequiredMixin, FormView):`
			`"""View to set up OTP"""`

all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`title = _("Set up OTP")`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`form_class = OTPSetupForm`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`template_name = "login/form.html"`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00
			`totp_device = None`
			`static_device = None`

			`# TODO: Check if OTP Factor exists and applies to user`
			`def get_context_data(self, **kwargs):`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`kwargs["config"] = CONFIG.y("passbook")`
			`kwargs["title"] = _("Configure OTP")`
			`kwargs["primary_action"] = _("Setup")`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`return super().get_context_data(**kwargs)`

			`def dispatch(self, request: HttpRequest, args, *kwargs) -> HttpResponse:`
			`# Check if user has TOTP setup already`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`finished_totp_devices = TOTPDevice.objects.filter(`
			`user=request.user, confirmed=True`
			`)`
			`finished_static_devices = StaticDevice.objects.filter(`
			`user=request.user, confirmed=True`
			`)`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`if finished_totp_devices.exists() and finished_static_devices.exists():`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`messages.error(request, _("You already have TOTP enabled!"))`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`del request.session[OTP_SETTING_UP_KEY]`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`return redirect("passbook_factors_otp:otp-user-settings")`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`request.session[OTP_SETTING_UP_KEY] = True`
			`# Check if there's an unconfirmed device left to set up`
			`totp_devices = TOTPDevice.objects.filter(user=request.user, confirmed=False)`
			`if not totp_devices.exists():`
			`# Create new TOTPDevice and save it, but not confirm it`
			`self.totp_device = TOTPDevice(user=request.user, confirmed=False)`
			`self.totp_device.save()`
			`else:`
			`self.totp_device = totp_devices.first()`

			`# Check if we have a static device already`
			`static_devices = StaticDevice.objects.filter(user=request.user, confirmed=False)`
			`if not static_devices.exists():`
			`# Create new static device and some codes`
			`self.static_device = StaticDevice(user=request.user, confirmed=False)`
			`self.static_device.save()`
			`# Create 9 tokens and save them`
cleanup, fix Permission Denied when Cancelling login, fix display of messages on login template 2019-02-25 12:02:50 +00:00			`# TODO: Send static tokens via E-Mail`
			`for _counter in range(0, 9):`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`token = StaticToken(`
			`device=self.static_device, token=StaticToken.random_token()`
			`)`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`token.save()`
			`else:`
			`self.static_device = static_devices.first()`

			`# Somehow convert the generated key to base32 for the QR code`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`rawkey = unhexlify(self.totp_device.key.encode("ascii"))`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`request.session[OTP_SESSION_KEY] = b32encode(rawkey).decode("utf-8")`
			`return super().dispatch(request, args, *kwargs)`

			`def get_form(self, form_class=None):`
			`form = super().get_form(form_class=form_class)`
			`form.device = self.totp_device`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`form.fields["qr_code"].initial = reverse("passbook_factors_otp:otp-qr")`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`tokens = [(x.token, x.token) for x in self.static_device.token_set.all()]`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`form.fields["tokens"].choices = tokens`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`return form`

			`def form_valid(self, form):`
			`# Save device as confirmed`
			`LOGGER.debug("Saved OTP Devices")`
			`self.totp_device.confirmed = True`
			`self.totp_device.save()`
			`self.static_device.confirmed = True`
			`self.static_device.save()`
			`del self.request.session[OTP_SETTING_UP_KEY]`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`Event.new(EventAction.CUSTOM, message="User enabled OTP.").from_http(`
			`self.request`
			`)`
			`return redirect("passbook_factors_otp:otp-user-settings")`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00
ci: upgrade pylint to latest version core: also upgrade kombu as https://github.com/celery/kombu/issues/1101 is fixed now 2019-12-31 11:45:29 +00:00
lib: remove method_decorator Mixins 2020-02-18 21:28:47 +00:00			`@method_decorator(never_cache, name="dispatch")`
			`class QRView(View):`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`"""View returns an SVG image with the OTP token information"""`

			`def get(self, request: HttpRequest) -> HttpResponse:`
			`"""View returns an SVG image with the OTP token information"""`
			`# Get the data from the session`
			`try:`
			`key = request.session[OTP_SESSION_KEY]`
			`except KeyError:`
			`raise Http404`

			`url = otpauth_url(accountname=request.user.username, secret=key)`
			`# Make and return QR code`
			`img = make(url, image_factory=SvgPathImage)`
all: implement black as code formatter 2019-12-31 11:51:16 +00:00			`resp = HttpResponse(content_type="image/svg+xml; charset=utf-8")`
totp => otp, integrate with factors, new setup form 2019-02-25 11:29:40 +00:00			`img.save(resp)`
			`return resp`