allura git commit: [#8130] invalidate other login sessions after setting up two-factor auth
Repository: allura
Updated Branches:
refs/heads/master e30522555 -> 7fb402233
[#8130] invalidate other login sessions after setting up two-factor auth
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/7fb40223
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/7fb40223
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/7fb40223
Branch: refs/heads/master
Commit: 7fb4022335055d605b571f538cff5661df509fff
Parents: e305225
Author: Dave Brondsema
Authored: Tue Sep 20 16:44:01 2016 -0400
Committer: Dave Brondsema
Committed: Tue Sep 20 16:44:01 2016 -0400
--
Allura/allura/controllers/auth.py | 3 +++
Allura/allura/lib/plugin.py | 16 +++-
Allura/allura/tests/functional/test_auth.py | 10 ++
3 files changed, 24 insertions(+), 5 deletions(-)
--
http://git-wip-us.apache.org/repos/asf/allura/blob/7fb40223/Allura/allura/controllers/auth.py
--
diff --git a/Allura/allura/controllers/auth.py
b/Allura/allura/controllers/auth.py
index a5031d1..932f106 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -731,6 +731,8 @@ class PreferencesController(BaseController):
h.auditlog_user('Set up multifactor TOTP')
totp_service.set_secret_key(c.user, key)
c.user.set_pref('multifactor', True)
+c.user.set_tool_data('allura', multifactor_date=datetime.utcnow())
+c.user.set_tool_data('allura',
pwd_reset_preserve_session=session.id) # other sessions will have to re-auth;
preserve this one
del session['totp_new_key']
session.save()
tg.flash('Two factor authentication has now been set up.')
@@ -754,6 +756,7 @@ class PreferencesController(BaseController):
recovery = RecoveryCodeService.get()
recovery.delete_all(c.user)
c.user.set_pref('multifactor', False)
+c.user.set_tool_data('allura', multifactor_date=None)
tg.flash('Multifactor authentication has now been disabled.')
email_body =
g.jinja2_env.get_template('allura:templates/mail/twofactor_disabled.md').render(dict(
user=c.user,
http://git-wip-us.apache.org/repos/asf/allura/blob/7fb40223/Allura/allura/lib/plugin.py
--
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index 7127120..4b2bf0a 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -118,11 +118,17 @@ class AuthenticationProvider(object):
if user.disabled or user.pending:
self.logout()
return M.User.anonymous()
-if not user.is_anonymous() and \
-self.get_last_password_updated(user) >
datetime.utcfromtimestamp(self.session.created) and \
-user.get_tool_data('allura', 'pwd_reset_preserve_session') !=
self.session.id:
-log.debug('Session logged out: due to user %s pwd change %s > %s',
user.username,
- self.get_last_password_updated(user),
datetime.utcfromtimestamp(self.session.created))
+session_create_date = datetime.utcfromtimestamp(self.session.created)
+if user.is_anonymous():
+sessions_need_reauth = False
+elif self.get_last_password_updated(user) > session_create_date:
+sessions_need_reauth = True
+elif (user.get_tool_data('allura', 'multifactor_date') or
datetime.min) > session_create_date:
+sessions_need_reauth = True
+else:
+sessions_need_reauth = False
+if sessions_need_reauth and user.get_tool_data('allura',
'pwd_reset_preserve_session') != self.session.id:
+log.debug('Session logged out: due to user %s pwd change or
multifactor enabled', user.username)
self.logout()
return M.User.anonymous()
http://git-wip-us.apache.org/repos/asf/allura/blob/7fb40223/Allura/allura/tests/functional/test_auth.py
--
diff --git a/Allura/allura/tests/functional/test_auth.py
b/Allura/allura/tests/functional/test_auth.py
index 4ba27e3..b7b28be 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -2093,6 +2093,11 @@ class TestTwoFactor(TestController):
assert_in('Password Confirmation', r)
def test_enable_totp(self):
+# create a separate session, for later use in the test
+other_session = TestController()
+other_session.setUp()
+other_session.app.get('/auth/preferences/')
+
with out_audits(user=True):
r = self.app.get('/auth/preferences/totp_n
allura git commit: [#8130] invalidate other login sessions after setting up two-factor auth
Repository: allura
Updated Branches:
refs/heads/db/8130 [created] 7fb402233
[#8130] invalidate other login sessions after setting up two-factor auth
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/7fb40223
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/7fb40223
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/7fb40223
Branch: refs/heads/db/8130
Commit: 7fb4022335055d605b571f538cff5661df509fff
Parents: e305225
Author: Dave Brondsema
Authored: Tue Sep 20 16:44:01 2016 -0400
Committer: Dave Brondsema
Committed: Tue Sep 20 16:44:01 2016 -0400
--
Allura/allura/controllers/auth.py | 3 +++
Allura/allura/lib/plugin.py | 16 +++-
Allura/allura/tests/functional/test_auth.py | 10 ++
3 files changed, 24 insertions(+), 5 deletions(-)
--
http://git-wip-us.apache.org/repos/asf/allura/blob/7fb40223/Allura/allura/controllers/auth.py
--
diff --git a/Allura/allura/controllers/auth.py
b/Allura/allura/controllers/auth.py
index a5031d1..932f106 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -731,6 +731,8 @@ class PreferencesController(BaseController):
h.auditlog_user('Set up multifactor TOTP')
totp_service.set_secret_key(c.user, key)
c.user.set_pref('multifactor', True)
+c.user.set_tool_data('allura', multifactor_date=datetime.utcnow())
+c.user.set_tool_data('allura',
pwd_reset_preserve_session=session.id) # other sessions will have to re-auth;
preserve this one
del session['totp_new_key']
session.save()
tg.flash('Two factor authentication has now been set up.')
@@ -754,6 +756,7 @@ class PreferencesController(BaseController):
recovery = RecoveryCodeService.get()
recovery.delete_all(c.user)
c.user.set_pref('multifactor', False)
+c.user.set_tool_data('allura', multifactor_date=None)
tg.flash('Multifactor authentication has now been disabled.')
email_body =
g.jinja2_env.get_template('allura:templates/mail/twofactor_disabled.md').render(dict(
user=c.user,
http://git-wip-us.apache.org/repos/asf/allura/blob/7fb40223/Allura/allura/lib/plugin.py
--
diff --git a/Allura/allura/lib/plugin.py b/Allura/allura/lib/plugin.py
index 7127120..4b2bf0a 100644
--- a/Allura/allura/lib/plugin.py
+++ b/Allura/allura/lib/plugin.py
@@ -118,11 +118,17 @@ class AuthenticationProvider(object):
if user.disabled or user.pending:
self.logout()
return M.User.anonymous()
-if not user.is_anonymous() and \
-self.get_last_password_updated(user) >
datetime.utcfromtimestamp(self.session.created) and \
-user.get_tool_data('allura', 'pwd_reset_preserve_session') !=
self.session.id:
-log.debug('Session logged out: due to user %s pwd change %s > %s',
user.username,
- self.get_last_password_updated(user),
datetime.utcfromtimestamp(self.session.created))
+session_create_date = datetime.utcfromtimestamp(self.session.created)
+if user.is_anonymous():
+sessions_need_reauth = False
+elif self.get_last_password_updated(user) > session_create_date:
+sessions_need_reauth = True
+elif (user.get_tool_data('allura', 'multifactor_date') or
datetime.min) > session_create_date:
+sessions_need_reauth = True
+else:
+sessions_need_reauth = False
+if sessions_need_reauth and user.get_tool_data('allura',
'pwd_reset_preserve_session') != self.session.id:
+log.debug('Session logged out: due to user %s pwd change or
multifactor enabled', user.username)
self.logout()
return M.User.anonymous()
http://git-wip-us.apache.org/repos/asf/allura/blob/7fb40223/Allura/allura/tests/functional/test_auth.py
--
diff --git a/Allura/allura/tests/functional/test_auth.py
b/Allura/allura/tests/functional/test_auth.py
index 4ba27e3..b7b28be 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -2093,6 +2093,11 @@ class TestTwoFactor(TestController):
assert_in('Password Confirmation', r)
def test_enable_totp(self):
+# create a separate session, for later use in the test
+other_session = TestController()
+other_session.setUp()
+other_session.app.get('/auth/preferences/')
+
with out_audits(user=True):
r = self.app.get('/auth/preferences/totp_ne
