From 30a10d35a8406f4af96fcc8200c4e2173856837d Mon Sep 17 00:00:00 2001 From: Joram Wilander Date: Mon, 12 Dec 2016 08:16:10 -0500 Subject: PLT-4767 Implement MFA Enforcement (#4662) * Create MFA setup page and remove MFA setup from account settings modal * Add enforce MFA to system console and force redirect * Lockdown mfa required API routes, add localization, other changes * Minor fixes * Fix typo * Fix some unit tests * Fix more unit tests * Minor fix * Updating UI for MFA screen (#4670) * Updating UI for MFA screen * Updating styles for MFA page * Add the ability to switch between email/sso with MFA enabled * Added mfa change email * Minor UI updates for MFA enforcement * Fix unit test * Fix client unit test * Allow switching email to ldap and back when MFA is enabled * Fix unit test * Revert config.json --- webapp/actions/user_actions.jsx | 43 +++++- webapp/client/client.jsx | 15 +- webapp/client/web_client.jsx | 5 + webapp/components/admin_console/admin_sidebar.jsx | 16 ++ webapp/components/admin_console/mfa_settings.jsx | 99 ++++++++++++ .../components/admin_console/password_settings.jsx | 32 +--- .../components/claim/components/email_to_ldap.jsx | 81 +++++++--- .../components/claim/components/email_to_oauth.jsx | 73 +++++++-- .../components/claim/components/ldap_to_email.jsx | 64 ++++++-- webapp/components/login/components/login_mfa.jsx | 2 + webapp/components/mfa/components/confirm.jsx | 75 +++++++++ webapp/components/mfa/components/setup.jsx | 156 +++++++++++++++++++ webapp/components/mfa/mfa_controller.jsx | 66 ++++++++ .../user_settings/user_settings_security.jsx | 168 +++++++-------------- webapp/i18n/en.json | 25 ++- webapp/routes/route_admin_console.jsx | 5 + webapp/routes/route_mfa.jsx | 24 +++ webapp/routes/route_root.jsx | 30 +++- webapp/sass/base/_structure.scss | 4 + webapp/tests/client_user.test.jsx | 3 + 20 files changed, 780 insertions(+), 206 deletions(-) create mode 100644 webapp/components/admin_console/mfa_settings.jsx create mode 100644 webapp/components/mfa/components/confirm.jsx create mode 100644 webapp/components/mfa/components/setup.jsx create mode 100644 webapp/components/mfa/mfa_controller.jsx create mode 100644 webapp/routes/route_mfa.jsx (limited to 'webapp') diff --git a/webapp/actions/user_actions.jsx b/webapp/actions/user_actions.jsx index 6f19e9ace..812bc2716 100644 --- a/webapp/actions/user_actions.jsx +++ b/webapp/actions/user_actions.jsx @@ -16,10 +16,11 @@ import Client from 'client/web_client.jsx'; import {ActionTypes, Preferences} from 'utils/constants.jsx'; -export function switchFromLdapToEmail(email, password, ldapPassword, onSuccess, onError) { +export function switchFromLdapToEmail(email, password, token, ldapPassword, onSuccess, onError) { Client.ldapToEmail( email, password, + token, ldapPassword, (data) => { if (data.follow_link) { @@ -391,3 +392,43 @@ export function updateUserRoles(userId, newRoles, success, error) { } ); } + +export function activateMfa(code, success, error) { + Client.updateMfa( + code, + true, + () => { + AsyncClient.getMe(); + + if (success) { + success(); + } + }, + (err) => { + if (error) { + error(err); + } + } + ); +} + +export function checkMfa(loginId, success, error) { + if (global.window.mm_config.EnableMultifactorAuthentication !== 'true') { + success(false); + return; + } + + Client.checkMfa( + loginId, + (data) => { + if (success) { + success(data.mfa_required === 'true'); + } + }, + (err) => { + if (error) { + error(err); + } + } + ); +} diff --git a/webapp/client/client.jsx b/webapp/client/client.jsx index 88f910d46..c2db8a275 100644 --- a/webapp/client/client.jsx +++ b/webapp/client/client.jsx @@ -840,18 +840,13 @@ export default class Client { this.track('api', 'api_users_reset_password'); } - emailToOAuth(email, password, service, success, error) { - var data = {}; - data.password = password; - data.email = email; - data.service = service; - + emailToOAuth(email, password, token, service, success, error) { request. post(`${this.getUsersRoute()}/claim/email_to_oauth`). set(this.defaultHeaders). type('application/json'). accept('application/json'). - send(data). + send({password, email, token, service}). end(this.handleResponse.bind(this, 'emailToOAuth', success, error)); this.track('api', 'api_users_email_to_oauth'); @@ -873,12 +868,13 @@ export default class Client { this.track('api', 'api_users_oauth_to_email'); } - emailToLdap(email, password, ldapId, ldapPassword, success, error) { + emailToLdap(email, password, token, ldapId, ldapPassword, success, error) { var data = {}; data.email_password = password; data.email = email; data.ldap_id = ldapId; data.ldap_password = ldapPassword; + data.token = token; request. post(`${this.getUsersRoute()}/claim/email_to_ldap`). @@ -891,11 +887,12 @@ export default class Client { this.track('api', 'api_users_email_to_ldap'); } - ldapToEmail(email, emailPassword, ldapPassword, success, error) { + ldapToEmail(email, emailPassword, token, ldapPassword, success, error) { var data = {}; data.email = email; data.ldap_password = ldapPassword; data.email_password = emailPassword; + data.token = token; request. post(`${this.getUsersRoute()}/claim/ldap_to_email`). diff --git a/webapp/client/web_client.jsx b/webapp/client/web_client.jsx index 62870c5bc..324d4cd25 100644 --- a/webapp/client/web_client.jsx +++ b/webapp/client/web_client.jsx @@ -38,6 +38,11 @@ class WebClientClass extends Client { } handleError(err, res) { + if (res.body.id === 'api.context.mfa_required.app_error') { + window.location.reload(); + return; + } + if (err.status === HTTP_UNAUTHORIZED && res.req.url !== '/api/v3/users/login') { GlobalActions.emitUserLoggedOutEvent('/login'); } diff --git a/webapp/components/admin_console/admin_sidebar.jsx b/webapp/components/admin_console/admin_sidebar.jsx index 25a06cecf..2b304f11d 100644 --- a/webapp/components/admin_console/admin_sidebar.jsx +++ b/webapp/components/admin_console/admin_sidebar.jsx @@ -194,6 +194,7 @@ export default class AdminSidebar extends React.Component { let clusterSettings = null; let metricsSettings = null; let complianceSettings = null; + let mfaSettings = null; let license = null; let audits = null; @@ -284,6 +285,20 @@ export default class AdminSidebar extends React.Component { ); } + if (global.window.mm_license.MFA === 'true') { + mfaSettings = ( + + } + /> + ); + } + oauthSettings = ( + + + ); + } + + renderSettings() { + return ( + +
+
+ +
+
+ + } + helpText={ + + } + value={this.state.enableMultifactorAuthentication} + onChange={this.handleChange} + /> + + } + helpText={ + + } + disabled={!this.state.enableMultifactorAuthentication} + value={this.state.enforceMultifactorAuthentication} + onChange={this.handleChange} + /> + + ); + } +} diff --git a/webapp/components/admin_console/password_settings.jsx b/webapp/components/admin_console/password_settings.jsx index 6fa1dc9c4..3707977b8 100644 --- a/webapp/components/admin_console/password_settings.jsx +++ b/webapp/components/admin_console/password_settings.jsx @@ -6,7 +6,6 @@ import AdminSettings from './admin_settings.jsx'; import {FormattedMessage} from 'react-intl'; import SettingsGroup from './settings_group.jsx'; import TextSetting from './text_setting.jsx'; -import BooleanSetting from './boolean_setting.jsx'; import Setting from './setting.jsx'; import * as Utils from 'utils/utils.jsx'; import Constants from 'utils/constants.jsx'; @@ -32,7 +31,6 @@ export default class PasswordSettings extends AdminSettings { passwordUppercase: props.config.PasswordSettings.Uppercase, passwordSymbol: props.config.PasswordSettings.Symbol, maximumLoginAttempts: props.config.ServiceSettings.MaximumLoginAttempts, - enableMultifactorAuthentication: props.config.ServiceSettings.EnableMultifactorAuthentication, passwordResetSalt: props.config.EmailSettings.PasswordResetSalt }); @@ -75,9 +73,6 @@ export default class PasswordSettings extends AdminSettings { config.ServiceSettings.MaximumLoginAttempts = this.parseIntNonZero(this.state.maximumLoginAttempts); config.EmailSettings.PasswordResetSalt = this.state.passwordResetSalt; - if (global.window.mm_license.IsLicensed === 'true' && global.window.mm_license.MFA === 'true') { - config.ServiceSettings.EnableMultifactorAuthentication = this.state.enableMultifactorAuthentication; - } return config; } @@ -90,7 +85,6 @@ export default class PasswordSettings extends AdminSettings { passwordUppercase: config.PasswordSettings.Uppercase, passwordSymbol: config.PasswordSettings.Symbol, maximumLoginAttempts: config.ServiceSettings.MaximumLoginAttempts, - enableMultifactorAuthentication: config.ServiceSettings.EnableMultifactorAuthentication, passwordResetSalt: config.EmailSettings.PasswordResetSalt }; } @@ -154,29 +148,6 @@ export default class PasswordSettings extends AdminSettings { } renderSettings() { - let mfaSetting = null; - if (global.window.mm_license.IsLicensed === 'true' && global.window.mm_license.MFA === 'true') { - mfaSetting = ( - - } - helpText={ - - } - value={this.state.enableMultifactorAuthentication} - onChange={this.handleChange} - /> - ); - } - let passwordSettings = null; if (global.window.mm_license.IsLicensed === 'true' && global.window.mm_license.PasswordRequirements === 'true') { passwordSettings = ( @@ -332,8 +303,7 @@ export default class PasswordSettings extends AdminSettings { value={this.state.maximumLoginAttempts} onChange={this.handleChange} /> - {mfaSetting} ); } -} \ No newline at end of file +} diff --git a/webapp/components/claim/components/email_to_ldap.jsx b/webapp/components/claim/components/email_to_ldap.jsx index a0b0b10e9..890512803 100644 --- a/webapp/components/claim/components/email_to_ldap.jsx +++ b/webapp/components/claim/components/email_to_ldap.jsx @@ -1,11 +1,14 @@ // Copyright (c) 2015 Mattermost, Inc. All Rights Reserved. // See License.txt for license information. +import LoginMfa from 'components/login/components/login_mfa.jsx'; + import * as Utils from 'utils/utils.jsx'; import Client from 'client/web_client.jsx'; +import {checkMfa} from 'actions/user_actions.jsx'; + import React from 'react'; -import ReactDOM from 'react-dom'; import {FormattedMessage} from 'react-intl'; export default class EmailToLDAP extends React.Component { @@ -13,16 +16,20 @@ export default class EmailToLDAP extends React.Component { super(props); this.submit = this.submit.bind(this); + this.preSubmit = this.preSubmit.bind(this); this.state = { passwordError: '', ldapError: '', ldapPasswordError: '', - serverError: '' + serverError: '', + showMfa: false }; } - submit(e) { + + preSubmit(e) { e.preventDefault(); + var state = { passwordError: '', ldapError: '', @@ -30,44 +37,65 @@ export default class EmailToLDAP extends React.Component { serverError: '' }; - const password = ReactDOM.findDOMNode(this.refs.emailpassword).value; + const password = this.refs.emailpassword.value; if (!password) { state.passwordError = Utils.localizeMessage('claim.email_to_ldap.pwdError', 'Please enter your password.'); this.setState(state); return; } - const ldapId = ReactDOM.findDOMNode(this.refs.ldapid).value.trim(); + const ldapId = this.refs.ldapid.value.trim(); if (!ldapId) { state.ldapError = Utils.localizeMessage('claim.email_to_ldap.ldapIdError', 'Please enter your AD/LDAP ID.'); this.setState(state); return; } - const ldapPassword = ReactDOM.findDOMNode(this.refs.ldappassword).value; + const ldapPassword = this.refs.ldappassword.value; if (!ldapPassword) { state.ldapPasswordError = Utils.localizeMessage('claim.email_to_ldap.ldapPasswordError', 'Please enter your AD/LDAP password.'); this.setState(state); return; } + state.password = password; + state.ldapId = ldapId; + state.ldapPassword = ldapPassword; this.setState(state); - Client.emailToLdap( + checkMfa( this.props.email, + (requiresMfa) => { + if (requiresMfa) { + this.setState({showMfa: true}); + } else { + this.submit(this.props.email, password, '', ldapId, ldapPassword); + } + }, + (err) => { + this.setState({error: err.message}); + } + ); + } + + submit(loginId, password, token, ldapId, ldapPassword) { + Client.emailToLdap( + loginId, password, - ldapId, - ldapPassword, + token, + ldapId || this.state.ldapId, + ldapPassword || this.state.ldapPassword, (data) => { if (data.follow_link) { window.location.href = data.follow_link; } }, (err) => { - this.setState({serverError: err.message}); + this.setState({serverError: err.message, showMfa: false}); } ); } + render() { let serverError = null; let formClass = 'form-group'; @@ -111,16 +139,19 @@ export default class EmailToLDAP extends React.Component { passwordPlaceholder = Utils.localizeMessage('claim.email_to_ldap.ldapPwd', 'AD/LDAP Password'); } - return ( -
-

- -

+ let content; + if (this.state.showMfa) { + content = ( + + ); + } else { + content = (

@@ -202,6 +233,18 @@ export default class EmailToLDAP extends React.Component { {serverError}

+ ); + } + + return ( +
+

+ +

+ {content}
); } diff --git a/webapp/components/claim/components/email_to_oauth.jsx b/webapp/components/claim/components/email_to_oauth.jsx index d7c4956a6..3cede15a3 100644 --- a/webapp/components/claim/components/email_to_oauth.jsx +++ b/webapp/components/claim/components/email_to_oauth.jsx @@ -1,10 +1,14 @@ // Copyright (c) 2015 Mattermost, Inc. All Rights Reserved. // See License.txt for license information. +import LoginMfa from 'components/login/components/login_mfa.jsx'; + import * as Utils from 'utils/utils.jsx'; import Client from 'client/web_client.jsx'; import Constants from 'utils/constants.jsx'; +import {checkMfa} from 'actions/user_actions.jsx'; + import React from 'react'; import ReactDOM from 'react-dom'; import {FormattedMessage} from 'react-intl'; @@ -14,10 +18,12 @@ export default class EmailToOAuth extends React.Component { super(props); this.submit = this.submit.bind(this); + this.preSubmit = this.preSubmit.bind(this); - this.state = {}; + this.state = {showMfa: false, password: ''}; } - submit(e) { + + preSubmit(e) { e.preventDefault(); var state = {}; @@ -28,12 +34,31 @@ export default class EmailToOAuth extends React.Component { return; } + this.setState({password}); + state.error = null; this.setState(state); - Client.emailToOAuth( + checkMfa( this.props.email, + (requiresMfa) => { + if (requiresMfa) { + this.setState({showMfa: true}); + } else { + this.submit(this.props.email, password, ''); + } + }, + (err) => { + this.setState({error: err.message}); + } + ); + } + + submit(loginId, password, token) { + Client.emailToOAuth( + loginId, password, + token, this.props.newType, (data) => { if (data.follow_link) { @@ -41,10 +66,11 @@ export default class EmailToOAuth extends React.Component { } }, (err) => { - this.setState({error: err.message}); + this.setState({error: err.message, showMfa: false}); } ); } + render() { var error = null; if (this.state.error) { @@ -59,18 +85,18 @@ export default class EmailToOAuth extends React.Component { const type = (this.props.newType === Constants.SAML_SERVICE ? Constants.SAML_SERVICE.toUpperCase() : Utils.toTitleCase(this.props.newType)); const uiType = `${type} SSO`; - return ( -
-

- -

-
+ let content; + if (this.state.showMfa) { + content = ( + + ); + } else { + content = ( +

+ ); + } + + return ( +

+

+ +

+ {content}
); } diff --git a/webapp/components/claim/components/ldap_to_email.jsx b/webapp/components/claim/components/ldap_to_email.jsx index b7ff93b59..39056cd0d 100644 --- a/webapp/components/claim/components/ldap_to_email.jsx +++ b/webapp/components/claim/components/ldap_to_email.jsx @@ -1,9 +1,11 @@ // Copyright (c) 2015 Mattermost, Inc. All Rights Reserved. // See License.txt for license information. +import LoginMfa from 'components/login/components/login_mfa.jsx'; + import * as Utils from 'utils/utils.jsx'; -import {switchFromLdapToEmail} from 'actions/user_actions.jsx'; +import {checkMfa, switchFromLdapToEmail} from 'actions/user_actions.jsx'; import React from 'react'; import {FormattedMessage} from 'react-intl'; @@ -13,6 +15,7 @@ export default class LDAPToEmail extends React.Component { super(props); this.submit = this.submit.bind(this); + this.preSubmit = this.preSubmit.bind(this); this.state = { passwordError: '', @@ -22,8 +25,9 @@ export default class LDAPToEmail extends React.Component { }; } - submit(e) { + preSubmit(e) { e.preventDefault(); + var state = { passwordError: '', confirmError: '', @@ -60,14 +64,33 @@ export default class LDAPToEmail extends React.Component { return; } + state.password = password; + state.ldapPassword = ldapPassword; this.setState(state); + checkMfa( + this.props.email, + (requiresMfa) => { + if (requiresMfa) { + this.setState({showMfa: true}); + } else { + this.submit(this.props.email, password, '', ldapPassword); + } + }, + (err) => { + this.setState({error: err.message}); + } + ); + } + + submit(loginId, password, token, ldapPassword) { switchFromLdapToEmail( this.props.email, password, - ldapPassword, + token, + ldapPassword || this.state.ldapPassword, null, - (err) => this.setState({serverError: err.message}) + (err) => this.setState({serverError: err.message, showMfa: false}) ); } @@ -107,16 +130,19 @@ export default class LDAPToEmail extends React.Component { passwordPlaceholder = Utils.localizeMessage('claim.ldap_to_email.ldapPwd', 'AD/LDAP Password'); } - return ( -
-

- -

+ let content; + if (this.state.showMfa) { + content = ( + + ); + } else { + content = (

@@ -194,6 +220,18 @@ export default class LDAPToEmail extends React.Component { {serverError}

+ ); + } + + return ( +
+

+ +

+ {content}
); } diff --git a/webapp/components/login/components/login_mfa.jsx b/webapp/components/login/components/login_mfa.jsx index ce77c9fa9..1a3393fa0 100644 --- a/webapp/components/login/components/login_mfa.jsx +++ b/webapp/components/login/components/login_mfa.jsx @@ -17,6 +17,7 @@ export default class LoginMfa extends React.Component { serverError: '' }; } + handleSubmit(e) { e.preventDefault(); const state = {}; @@ -33,6 +34,7 @@ export default class LoginMfa extends React.Component { this.props.submit(this.props.loginId, this.props.password, token); } + render() { let serverError; let errorClass = ''; diff --git a/webapp/components/mfa/components/confirm.jsx b/webapp/components/mfa/components/confirm.jsx new file mode 100644 index 000000000..026d12c6e --- /dev/null +++ b/webapp/components/mfa/components/confirm.jsx @@ -0,0 +1,75 @@ +// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +import Constants from 'utils/constants.jsx'; +const KeyCodes = Constants.KeyCodes; + +import React from 'react'; +import {FormattedMessage, FormattedHTMLMessage} from 'react-intl'; +import {browserHistory} from 'react-router/es6'; + +export default class Confirm extends React.Component { + constructor(props) { + super(props); + + this.onKeyPress = this.onKeyPress.bind(this); + } + + componentDidMount() { + document.body.addEventListener('keydown', this.onKeyPress); + } + + componentWillUnmount() { + document.body.removeEventListener('keydown', this.onKeyPress); + } + + submit(e) { + e.preventDefault(); + browserHistory.push('/'); + } + + onKeyPress(e) { + if (e.which === KeyCodes.ENTER) { + this.submit(e); + } + } + + render() { + return ( +
+
+

+ +

+

+ +

+ +
+
+ ); + } +} + +Confirm.defaultProps = { +}; +Confirm.propTypes = { +}; diff --git a/webapp/components/mfa/components/setup.jsx b/webapp/components/mfa/components/setup.jsx new file mode 100644 index 000000000..f7a287c15 --- /dev/null +++ b/webapp/components/mfa/components/setup.jsx @@ -0,0 +1,156 @@ +// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +import {generateMfaSecret, activateMfa} from 'actions/user_actions.jsx'; + +import UserStore from 'stores/user_store.jsx'; + +import * as Utils from 'utils/utils.jsx'; + +import React from 'react'; +import {FormattedMessage, FormattedHTMLMessage} from 'react-intl'; +import {browserHistory} from 'react-router/es6'; + +export default class Setup extends React.Component { + constructor(props) { + super(props); + + this.submit = this.submit.bind(this); + + this.state = {secret: '', qrCode: ''}; + } + + componentDidMount() { + const user = UserStore.getCurrentUser(); + if (!user || user.mfa_active) { + browserHistory.push('/'); + return; + } + + generateMfaSecret( + (data) => this.setState({secret: data.secret, qrCode: data.qr_code}), + (err) => this.setState({serverError: err.message}) + ); + } + + submit(e) { + e.preventDefault(); + const code = this.refs.code.value.replace(/\s/g, ''); + if (!code || code.length === 0) { + this.setState({error: Utils.localizeMessage('mfa.setup.codeError', 'Please enter the code from Google Authenticator.')}); + return; + } + + this.setState({error: null}); + + activateMfa( + code, + () => { + browserHistory.push('/mfa/confirm'); + }, + (err) => { + if (err.id === 'ent.mfa.activate.authenticate.app_error') { + this.setState({error: Utils.localizeMessage('mfa.setup.badCode', 'Invalid code. If this issue persists, contact your System Administrator.')}); + return; + } + this.setState({error: err.message}); + } + ); + } + + render() { + let formClass = 'form-group'; + let errorContent; + if (this.state.error) { + errorContent =
; + formClass += ' has-error'; + } + + let mfaRequired; + if (global.window.mm_config.EnforceMultifactorAuthentication) { + mfaRequired = ( +

+ +

+ ); + } + + return ( +
+
+ {mfaRequired} +

+ +

+

+ +

+
+
+ +
+
+
+
+

+ +

+
+

+ +

+

+ +

+ {errorContent} + +
+
+ ); + } +} + +Setup.defaultProps = { +}; +Setup.propTypes = { +}; diff --git a/webapp/components/mfa/mfa_controller.jsx b/webapp/components/mfa/mfa_controller.jsx new file mode 100644 index 000000000..21b9737f8 --- /dev/null +++ b/webapp/components/mfa/mfa_controller.jsx @@ -0,0 +1,66 @@ +// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +import React from 'react'; +import {FormattedMessage} from 'react-intl'; +import {browserHistory, Link} from 'react-router/es6'; + +import logoImage from 'images/logo.png'; + +export default class MFAController extends React.Component { + componentDidMount() { + if (window.mm_license.MFA !== 'true' || window.mm_config.EnableMultifactorAuthentication !== 'true') { + browserHistory.push('/'); + } + } + + render() { + let backButton; + if (window.mm_config.EnforceMultifactorAuthentication !== 'true') { + backButton = ( +
+ + + + +
+ ); + } + + return ( +
+
+
+ {backButton} +
+
+

+ +

+ +
+ {React.cloneElement(this.props.children, {})} +
+
+
+
+
+
+ ); + } +} + +MFAController.defaultProps = { +}; +MFAController.propTypes = { + location: React.PropTypes.object.isRequired, + children: React.PropTypes.node +}; diff --git a/webapp/components/user_settings/user_settings_security.jsx b/webapp/components/user_settings/user_settings_security.jsx index 5f231e499..3484b8183 100644 --- a/webapp/components/user_settings/user_settings_security.jsx +++ b/webapp/components/user_settings/user_settings_security.jsx @@ -9,8 +9,6 @@ import ToggleModalButton from '../toggle_modal_button.jsx'; import PreferenceStore from 'stores/preference_store.jsx'; -import {generateMfaSecret} from 'actions/user_actions.jsx'; - import Client from 'client/web_client.jsx'; import * as AsyncClient from 'utils/async_client.jsx'; import * as Utils from 'utils/utils.jsx'; @@ -18,8 +16,8 @@ import Constants from 'utils/constants.jsx'; import $ from 'jquery'; import React from 'react'; -import {FormattedMessage, FormattedHTMLMessage, FormattedTime, FormattedDate} from 'react-intl'; -import {Link} from 'react-router/es6'; +import {FormattedMessage, FormattedTime, FormattedDate} from 'react-intl'; +import {browserHistory, Link} from 'react-router/es6'; import icon50 from 'images/icon50x50.png'; @@ -28,17 +26,15 @@ export default class SecurityTab extends React.Component { super(props); this.submitPassword = this.submitPassword.bind(this); - this.activateMfa = this.activateMfa.bind(this); + this.setupMfa = this.setupMfa.bind(this); this.deactivateMfa = this.deactivateMfa.bind(this); this.updateCurrentPassword = this.updateCurrentPassword.bind(this); this.updateNewPassword = this.updateNewPassword.bind(this); this.updateConfirmPassword = this.updateConfirmPassword.bind(this); - this.updateMfaToken = this.updateMfaToken.bind(this); this.getDefaultState = this.getDefaultState.bind(this); this.createPasswordSection = this.createPasswordSection.bind(this); this.createSignInSection = this.createSignInSection.bind(this); this.createOAuthAppsSection = this.createOAuthAppsSection.bind(this); - this.showQrCode = this.showQrCode.bind(this); this.deauthorizeApp = this.deauthorizeApp.bind(this); this.state = this.getDefaultState(); @@ -51,9 +47,7 @@ export default class SecurityTab extends React.Component { confirmPassword: '', passwordError: '', serverError: '', - authService: this.props.user.auth_service, - mfaShowQr: false, - mfaToken: '' + authService: this.props.user.auth_service }; } @@ -119,26 +113,9 @@ export default class SecurityTab extends React.Component { ); } - activateMfa() { - Client.updateMfa( - this.state.mfaToken, - true, - () => { - this.props.updateSection(''); - AsyncClient.getMe(); - this.setState(this.getDefaultState()); - }, - (err) => { - const state = this.getDefaultState(); - if (err.message) { - state.serverError = err.message; - } else { - state.serverError = err; - } - state.mfaError = ''; - this.setState(state); - } - ); + setupMfa(e) { + e.preventDefault(); + browserHistory.push('/mfa/setup'); } deactivateMfa() { @@ -146,6 +123,13 @@ export default class SecurityTab extends React.Component { '', false, () => { + if (global.window.mm_license.MFA === 'true' && + global.window.mm_config.EnableMultifactorAuthentication === 'true' && + global.window.mm_config.EnforceMultifactorAuthentication === 'true') { + window.location.href = '/mfa/setup'; + return; + } + this.props.updateSection(''); AsyncClient.getMe(); this.setState(this.getDefaultState()); @@ -157,7 +141,6 @@ export default class SecurityTab extends React.Component { } else { state.serverError = err; } - state.mfaError = ''; this.setState(state); } ); @@ -175,18 +158,6 @@ export default class SecurityTab extends React.Component { this.setState({confirmPassword: e.target.value}); } - updateMfaToken(e) { - this.setState({mfaToken: e.target.value}); - } - - showQrCode(e) { - e.preventDefault(); - generateMfaSecret( - (data) => this.setState({mfaShowQr: true, secret: data.secret, qrCode: data.qr_code}), - (err) => this.setState({serverError: err.message}) - ); - } - deauthorizeApp(e) { e.preventDefault(); const appId = e.currentTarget.getAttribute('data-app'); @@ -212,6 +183,39 @@ export default class SecurityTab extends React.Component { let content; let extraInfo; if (this.props.user.mfa_active) { + let mfaRemoveHelp; + let mfaButtonText; + + if (global.window.mm_config.EnforceMultifactorAuthentication === 'true') { + mfaRemoveHelp = ( + + ); + + mfaButtonText = ( + + ); + } else { + mfaRemoveHelp = ( + + ); + + mfaButtonText = ( + + ); + } + content = ( @@ -230,78 +231,16 @@ export default class SecurityTab extends React.Component { extraInfo = ( - + {mfaRemoveHelp} ); - } else if (this.state.mfaShowQr) { - content = ( -
-
- -
- -
-
-
- -
- {this.state.secret} -
-
-
-
- -
- -
-
-
- ); - - extraInfo = ( - - - - ); - - submit = this.activateMfa; } else { content = (
- ); @@ -334,7 +273,7 @@ export default class SecurityTab extends React.Component { updateSectionStatus = function resetSection(e) { this.props.updateSection(''); - this.setState({mfaToken: '', mfaShowQr: false, mfaError: null, serverError: null}); + this.setState({serverError: null}); e.preventDefault(); }.bind(this); @@ -345,7 +284,6 @@ export default class SecurityTab extends React.Component { extraInfo={extraInfo} submit={submit} server_error={this.state.serverError} - client_error={this.state.mfaError} updateSection={updateSectionStatus} width='medium' /> diff --git a/webapp/i18n/en.json b/webapp/i18n/en.json index 5cc7f0bbf..d409aaec7 100644 --- a/webapp/i18n/en.json +++ b/webapp/i18n/en.json @@ -136,6 +136,12 @@ "add_outgoing_webhook.triggerWordsTriggerWhen.help": "Choose when to trigger the outgoing webhook; if the first word of a message matches a Trigger Word exactly, or if it starts with a Trigger Word.", "add_outgoing_webhook.triggerWordsTriggerWhenFullWord": "First word matches a trigger word exactly", "add_outgoing_webhook.triggerWordsTriggerWhenStartsWith": "First word starts with a trigger word", + "admin.mfa.title": "Multi-factor Authentication", + "admin.mfa.bannerDesc": "Multi-factor authentication is only available for accounts with LDAP and email login methods. If there are users on your system with other login methods, it is recommended you set up multi-factor authentication directly with the SSO or SAML provider.", + "admin.mfa.cluster": "High", + "admin.mfa.cluster": "High", + "admin.mfa.cluster": "High", + "admin.mfa.cluster": "High", "admin.advance.cluster": "High Availability (Beta)", "admin.advance.metrics": "Performance Monitoring (Beta)", "admin.audits.reload": "Reload User Activity Logs", @@ -668,6 +674,8 @@ "admin.service.listenExample": "E.g.: \":8065\"", "admin.service.mfaDesc": "When true, users will be given the option to add multi-factor authentication to their account. They will need a smartphone and an authenticator app such as Google Authenticator.", "admin.service.mfaTitle": "Enable Multi-factor Authentication:", + "admin.service.enforcMfaTitle": "Enforce Multi-factor Authentication:", + "admin.service.enforceMfaDesc": "When true, users on the system will be required to set up [multi-factor authentication]. Any logged in users will be redirected to the multi-factor authentication setup page until they successfully add MFA to their account.

It is recommended you turn on enforcement during non-peak hours, when people are less likely to be using the system. New users will be required to set up multi-factor authentication when they first sign up. After set up, users will not be able to remove multi-factor authentication unless enforcement is disabled.

Please note that multi-factor authentication is only available for accounts with LDAP and email login methods. Mattermost will not enforce multi-factor authentication for other login methods. If there are users on your system using other login methods, it is recommended you set up and enforce multi-factor authentication directly with the SSO or SAML provider.", "admin.service.mobileSessionDays": "Session length mobile (days):", "admin.service.mobileSessionDaysDesc": "The number of days from the last time a user entered their credentials to the expiry of the user's session. After changing this setting, the new session length will take effect after the next time the user enters their credentials.", "admin.service.outWebhooksDesc": "When true, outgoing webhooks will be allowed. See documentation to learn more.", @@ -1979,14 +1987,29 @@ "user.settings.languages.change": "Change interface language", "user.settings.languages.promote": "Select which language Mattermost displays in the user interface.

Would like to help with translations? Join the Mattermost Translation Server to contribute.", "user.settings.mfa.add": "Add MFA to your account", - "user.settings.mfa.addHelp": "You can require a smartphone-based token, in addition to your password, to sign into Mattermost.

To enable, download Google Authenticator from iTunes or Google Play for your phone, then

1. Click the Add MFA to your account button above.
2. Use Google Authenticator to scan the QR code that appears or type in the secret manually.
3. Type in the Token generated by Google Authenticator and click Save.

When logging in, you will be asked to enter a token from Google Authenticator in addition to your regular credentials.", + "user.settings.mfa.addHelp": "Adding multi-factor authentication will make your account more secure by requiring a code from your mobile phone each time you sign in.", "user.settings.mfa.addHelpQr": "Please scan the QR code with the Google Authenticator app on your smartphone and fill in the token with one provided by the app. If you are unable to scan the code, you can manually enter the secret provided.", "user.settings.mfa.enterToken": "Token (numbers only)", "user.settings.mfa.qrCode": "Bar Code", "user.settings.mfa.remove": "Remove MFA from your account", + "user.settings.mfa.reset": "Reset MFA on your account", "user.settings.mfa.removeHelp": "Removing multi-factor authentication means you will no longer require a phone-based passcode to sign-in to your account.", + "user.settings.mfa.requiredHelp": "Multi-factor authentication is required on this server. Resetting is only recommended when you need to switch code generation to a new mobile device. You will be required to set it up again immediately.", "user.settings.mfa.secret": "Secret", "user.settings.mfa.title": "Multi-factor Authentication", + "mfa.setupTitle": "Multi-factor Authentication Setup", + "mfa.setup.codeError": "Please enter the code from Google Authenticator.", + "mfa.setup.badCode": "Invalid code. If this issue persists, contact your System Administrator.", + "mfa.setup.required": "Multi-factor authentication is required on {siteName}.", + "mfa.setup.step1": "Step 1: On your phone, download Google Authenticator from iTunes or Google Play", + "mfa.setup.step2": "Step 2: Use Google Authenticator to scan this QR code, or manually type in the secret key", + "mfa.setup.secret": "Secret: {secret}", + "mfa.setup.step3": "Step 3: Enter the code generated by Google Authenticator", + "mfa.setup.code": "MFA Code", + "mfa.setup.save": "Save", + "mfa.confirm.complete": "Set up complete!", + "mfa.confirm.secure": "Your account is now secure. Next time you sign in, you will be asked to enter a code from the Google Authenticator app on your phone.", + "mfa.confirm.okay": "Okay", "user.settings.modal.advanced": "Advanced", "user.settings.modal.confirmBtns": "Yes, Discard", "user.settings.modal.confirmMsg": "You have unsaved changes, are you sure you want to discard them?", diff --git a/webapp/routes/route_admin_console.jsx b/webapp/routes/route_admin_console.jsx index a67cb3e83..5b0f5d28e 100644 --- a/webapp/routes/route_admin_console.jsx +++ b/webapp/routes/route_admin_console.jsx @@ -21,6 +21,7 @@ import ClusterSettings from 'components/admin_console/cluster_settings.jsx'; import MetricsSettings from 'components/admin_console/metrics_settings.jsx'; import SignupSettings from 'components/admin_console/signup_settings.jsx'; import PasswordSettings from 'components/admin_console/password_settings.jsx'; +import MfaSettings from 'components/admin_console/mfa_settings.jsx'; import PublicLinkSettings from 'components/admin_console/public_link_settings.jsx'; import SessionSettings from 'components/admin_console/session_settings.jsx'; import ConnectionSettings from 'components/admin_console/connection_settings.jsx'; @@ -104,6 +105,10 @@ export default ( path='saml' component={SamlSettings} /> + diff --git a/webapp/routes/route_mfa.jsx b/webapp/routes/route_mfa.jsx new file mode 100644 index 000000000..517d3802e --- /dev/null +++ b/webapp/routes/route_mfa.jsx @@ -0,0 +1,24 @@ +import * as RouteUtils from 'routes/route_utils.jsx'; + +export default { + path: 'mfa', + getComponents: (location, callback) => { + System.import('components/mfa/mfa_controller.jsx').then(RouteUtils.importComponentSuccess(callback)); + }, + getChildRoutes: RouteUtils.createGetChildComponentsFunction( + [ + { + path: 'setup', + getComponents: (location, callback) => { + System.import('components/mfa/components/setup.jsx').then(RouteUtils.importComponentSuccess(callback)); + } + }, + { + path: 'confirm', + getComponents: (location, callback) => { + System.import('components/mfa/components/confirm.jsx').then(RouteUtils.importComponentSuccess(callback)); + } + } + ] + ) +}; diff --git a/webapp/routes/route_root.jsx b/webapp/routes/route_root.jsx index 9d64c6012..f72e35302 100644 --- a/webapp/routes/route_root.jsx +++ b/webapp/routes/route_root.jsx @@ -6,14 +6,18 @@ import * as RouteUtils from 'routes/route_utils.jsx'; import Root from 'components/root.jsx'; import claimAccountRoute from 'routes/route_claim.jsx'; +import mfaRoute from 'routes/route_mfa.jsx'; import createTeamRoute from 'routes/route_create_team.jsx'; import teamRoute from 'routes/route_team.jsx'; import helpRoute from 'routes/route_help.jsx'; import BrowserStore from 'stores/browser_store.jsx'; import ErrorStore from 'stores/error_store.jsx'; +import UserStore from 'stores/user_store.jsx'; import * as UserAgent from 'utils/user_agent.jsx'; +import {browserHistory} from 'react-router/es6'; + function preLogin(nextState, replace, callback) { // redirect to the mobile landing page if the user hasn't seen it before if (window.mm_config.IosAppDownloadLink && UserAgent.isIosWeb() && !BrowserStore.hasSeenLandingPage()) { @@ -27,7 +31,30 @@ function preLogin(nextState, replace, callback) { callback(); } +const mfaPaths = [ + '/mfa/setup', + '/mfa/confirm' +]; + +const mfaAuthServices = [ + '', + 'email', + 'ldap' +]; + function preLoggedIn(nextState, replace, callback) { + if (window.mm_license.MFA === 'true' && + window.mm_config.EnableMultifactorAuthentication === 'true' && + window.mm_config.EnforceMultifactorAuthentication === 'true' && + mfaPaths.indexOf(nextState.location.pathname) === -1) { + const user = UserStore.getCurrentUser(); + if (user && !user.mfa_active && + mfaAuthServices.indexOf(user.auth_service) !== -1) { + browserHistory.push('/mfa/setup'); + return; + } + } + ErrorStore.clearLastError(); callback(); } @@ -154,7 +181,8 @@ export default { ] ) }, - teamRoute + teamRoute, + mfaRoute ] ) }, diff --git a/webapp/sass/base/_structure.scss b/webapp/sass/base/_structure.scss index 217488334..60673f9a2 100644 --- a/webapp/sass/base/_structure.scss +++ b/webapp/sass/base/_structure.scss @@ -32,6 +32,10 @@ body { .inner-wrap { height: 100%; + &.sticky { + overflow: auto; + } + > .row { &.main { height: 100%; diff --git a/webapp/tests/client_user.test.jsx b/webapp/tests/client_user.test.jsx index 5e5eb6821..3af29661a 100644 --- a/webapp/tests/client_user.test.jsx +++ b/webapp/tests/client_user.test.jsx @@ -306,6 +306,7 @@ describe('Client.User', function() { TestHelper.basicClient().emailToOAuth( user.email, 'new_password', + '', 'gitlab', function() { throw Error('shouldnt work'); @@ -345,6 +346,7 @@ describe('Client.User', function() { TestHelper.basicClient().emailToLdap( user.email, user.password, + '', 'unknown_id', 'unknown_pwd', function() { @@ -365,6 +367,7 @@ describe('Client.User', function() { TestHelper.basicClient().ldapToEmail( user.email, 'new_password', + '', 'new_password', function() { throw Error('shouldnt work'); -- cgit v1.2.3-1-g7c22