mirror of
https://github.com/AuthMe/AuthMeReloaded.git
synced 2024-12-19 15:17:56 +01:00
#1141 Rough version of TOTP commands to add and remove a code for a player
This commit is contained in:
parent
9954c82cb6
commit
c3cf9e3ee0
11
pom.xml
11
pom.xml
@ -286,6 +286,10 @@
|
||||
<pattern>org.bstats</pattern>
|
||||
<shadedPattern>fr.xephi.authme.libs.org.bstats</shadedPattern>
|
||||
</relocation>
|
||||
<relocation>
|
||||
<pattern>com.warrenstrange</pattern>
|
||||
<shadedPattern>fr.xephi.authme.libs.com.warrenstrange</shadedPattern>
|
||||
</relocation>
|
||||
</relocations>
|
||||
</configuration>
|
||||
</plugin>
|
||||
@ -461,6 +465,13 @@
|
||||
<optional>true</optional>
|
||||
</dependency>
|
||||
|
||||
<!-- TOTP client -->
|
||||
<dependency>
|
||||
<groupId>com.warrenstrange</groupId>
|
||||
<artifactId>googleauth</artifactId>
|
||||
<version>1.1.2</version>
|
||||
</dependency>
|
||||
|
||||
<!-- Spigot API, http://www.spigotmc.org/ -->
|
||||
<dependency>
|
||||
<groupId>org.spigotmc</groupId>
|
||||
|
@ -40,6 +40,10 @@ import fr.xephi.authme.command.executable.email.ShowEmailCommand;
|
||||
import fr.xephi.authme.command.executable.login.LoginCommand;
|
||||
import fr.xephi.authme.command.executable.logout.LogoutCommand;
|
||||
import fr.xephi.authme.command.executable.register.RegisterCommand;
|
||||
import fr.xephi.authme.command.executable.totp.AddTotpCommand;
|
||||
import fr.xephi.authme.command.executable.totp.ConfirmTotpCommand;
|
||||
import fr.xephi.authme.command.executable.totp.RemoveTotpCommand;
|
||||
import fr.xephi.authme.command.executable.totp.TotpBaseCommand;
|
||||
import fr.xephi.authme.command.executable.unregister.UnregisterCommand;
|
||||
import fr.xephi.authme.command.executable.verification.VerificationCommand;
|
||||
import fr.xephi.authme.permission.AdminPermission;
|
||||
@ -134,6 +138,9 @@ public class CommandInitializer {
|
||||
.executableCommand(ChangePasswordCommand.class)
|
||||
.register();
|
||||
|
||||
// Create totp base command
|
||||
CommandDescription totpBase = buildTotpBaseCommand();
|
||||
|
||||
// Register the base captcha command
|
||||
CommandDescription captchaBase = CommandDescription.builder()
|
||||
.parent(null)
|
||||
@ -156,16 +163,8 @@ public class CommandInitializer {
|
||||
.executableCommand(VerificationCommand.class)
|
||||
.register();
|
||||
|
||||
List<CommandDescription> baseCommands = ImmutableList.of(
|
||||
authMeBase,
|
||||
emailBase,
|
||||
loginBase,
|
||||
logoutBase,
|
||||
registerBase,
|
||||
unregisterBase,
|
||||
changePasswordBase,
|
||||
captchaBase,
|
||||
verificationBase);
|
||||
List<CommandDescription> baseCommands = ImmutableList.of(authMeBase, emailBase, loginBase, logoutBase,
|
||||
registerBase, unregisterBase, changePasswordBase, totpBase, captchaBase, verificationBase);
|
||||
|
||||
setHelpOnAllBases(baseCommands);
|
||||
commands = baseCommands;
|
||||
@ -543,6 +542,56 @@ public class CommandInitializer {
|
||||
return emailBase;
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a command description object for {@code /totp} including its children.
|
||||
*
|
||||
* @return the totp base command description
|
||||
*/
|
||||
private CommandDescription buildTotpBaseCommand() {
|
||||
// Register the base totp command
|
||||
CommandDescription totpBase = CommandDescription.builder()
|
||||
.parent(null)
|
||||
.labels("totp", "2fa")
|
||||
.description("TOTP commands")
|
||||
.detailedDescription("Performs actions related to two-factor authentication.")
|
||||
.executableCommand(TotpBaseCommand.class)
|
||||
.register();
|
||||
|
||||
// Register totp add
|
||||
CommandDescription.builder()
|
||||
.parent(totpBase)
|
||||
.labels("add")
|
||||
.description("Enables TOTP")
|
||||
.detailedDescription("Enables two-factor authentication for your account.")
|
||||
.permission(PlayerPermission.TOGGLE_TOTP_STATUS)
|
||||
.executableCommand(AddTotpCommand.class)
|
||||
.register();
|
||||
|
||||
// Register totp confirm
|
||||
CommandDescription.builder()
|
||||
.parent(totpBase)
|
||||
.labels("confirm")
|
||||
.description("Enables TOTP after successful code")
|
||||
.detailedDescription("Saves the generated TOTP secret after confirmation.")
|
||||
.withArgument("code", "Code from the given secret from /totp add", false)
|
||||
.permission(PlayerPermission.TOGGLE_TOTP_STATUS)
|
||||
.executableCommand(ConfirmTotpCommand.class)
|
||||
.register();
|
||||
|
||||
// Register totp remove
|
||||
CommandDescription.builder()
|
||||
.parent(totpBase)
|
||||
.labels("remove")
|
||||
.description("Removes TOTP")
|
||||
.detailedDescription("Disables two-factor authentication for your account.")
|
||||
.withArgument("code", "Current 2FA code", false)
|
||||
.permission(PlayerPermission.TOGGLE_TOTP_STATUS)
|
||||
.executableCommand(RemoveTotpCommand.class)
|
||||
.register();
|
||||
|
||||
return totpBase;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the help command on all base commands, e.g. to register /authme help or /register help.
|
||||
*
|
||||
|
@ -0,0 +1,41 @@
|
||||
package fr.xephi.authme.command.executable.totp;
|
||||
|
||||
import fr.xephi.authme.command.PlayerCommand;
|
||||
import fr.xephi.authme.data.auth.PlayerAuth;
|
||||
import fr.xephi.authme.datasource.DataSource;
|
||||
import fr.xephi.authme.message.MessageKey;
|
||||
import fr.xephi.authme.security.TotpService;
|
||||
import fr.xephi.authme.security.TotpService.TotpGenerationResult;
|
||||
import fr.xephi.authme.service.CommonService;
|
||||
import org.bukkit.ChatColor;
|
||||
import org.bukkit.entity.Player;
|
||||
|
||||
import javax.inject.Inject;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* Command for a player to enable TOTP.
|
||||
*/
|
||||
public class AddTotpCommand extends PlayerCommand {
|
||||
|
||||
@Inject
|
||||
private TotpService totpService;
|
||||
|
||||
@Inject
|
||||
private DataSource dataSource;
|
||||
|
||||
@Inject
|
||||
private CommonService commonService;
|
||||
|
||||
@Override
|
||||
protected void runCommand(Player player, List<String> arguments) {
|
||||
PlayerAuth auth = dataSource.getAuth(player.getName());
|
||||
if (auth.getTotpKey() == null) {
|
||||
TotpGenerationResult createdTotpInfo = totpService.generateTotpKey(player);
|
||||
commonService.send(player, MessageKey.TWO_FACTOR_CREATE,
|
||||
createdTotpInfo.getTotpKey(), createdTotpInfo.getAuthenticatorQrCodeUrl());
|
||||
} else {
|
||||
player.sendMessage(ChatColor.RED + "Two-factor authentication is already enabled for your account!");
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,39 @@
|
||||
package fr.xephi.authme.command.executable.totp;
|
||||
|
||||
import fr.xephi.authme.command.PlayerCommand;
|
||||
import fr.xephi.authme.datasource.DataSource;
|
||||
import fr.xephi.authme.security.TotpService;
|
||||
import org.bukkit.entity.Player;
|
||||
|
||||
import javax.inject.Inject;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* Command to enable TOTP by supplying the proper code as confirmation.
|
||||
*/
|
||||
public class ConfirmTotpCommand extends PlayerCommand {
|
||||
|
||||
@Inject
|
||||
private TotpService totpService;
|
||||
|
||||
@Inject
|
||||
private DataSource dataSource;
|
||||
|
||||
@Override
|
||||
protected void runCommand(Player player, List<String> arguments) {
|
||||
// TODO #1141: Check if player already has TOTP
|
||||
|
||||
final String totpKey = totpService.retrieveGeneratedSecret(player);
|
||||
if (totpKey == null) {
|
||||
player.sendMessage("No TOTP key has been generated for you or it has expired. Please run /totp add");
|
||||
} else {
|
||||
boolean isTotpCodeValid = totpService.confirmCodeForGeneratedTotpKey(player, arguments.get(0));
|
||||
if (isTotpCodeValid) {
|
||||
dataSource.setTotpKey(player.getName(), totpKey);
|
||||
player.sendMessage("Successfully enabled two-factor authentication for your account");
|
||||
} else {
|
||||
player.sendMessage("Wrong code or code has expired. Please use /totp add again");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,37 @@
|
||||
package fr.xephi.authme.command.executable.totp;
|
||||
|
||||
import fr.xephi.authme.command.PlayerCommand;
|
||||
import fr.xephi.authme.data.auth.PlayerAuth;
|
||||
import fr.xephi.authme.datasource.DataSource;
|
||||
import fr.xephi.authme.security.TotpService;
|
||||
import org.bukkit.entity.Player;
|
||||
|
||||
import javax.inject.Inject;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* Command for a player to remove 2FA authentication.
|
||||
*/
|
||||
public class RemoveTotpCommand extends PlayerCommand {
|
||||
|
||||
@Inject
|
||||
private DataSource dataSource;
|
||||
|
||||
@Inject
|
||||
private TotpService totpService;
|
||||
|
||||
@Override
|
||||
protected void runCommand(Player player, List<String> arguments) {
|
||||
PlayerAuth auth = dataSource.getAuth(player.getName());
|
||||
if (auth.getTotpKey() == null) {
|
||||
player.sendMessage("Two-factor authentication is not enabled for your account!");
|
||||
} else {
|
||||
if (totpService.verifyCode(auth, arguments.get(0))) {
|
||||
dataSource.removeTotpKey(auth.getNickname());
|
||||
player.sendMessage("Successfully removed two-factor authentication from your account");
|
||||
} else {
|
||||
player.sendMessage("Invalid code!");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,29 @@
|
||||
package fr.xephi.authme.command.executable.totp;
|
||||
|
||||
import fr.xephi.authme.command.CommandMapper;
|
||||
import fr.xephi.authme.command.ExecutableCommand;
|
||||
import fr.xephi.authme.command.FoundCommandResult;
|
||||
import fr.xephi.authme.command.help.HelpProvider;
|
||||
import org.bukkit.command.CommandSender;
|
||||
|
||||
import javax.inject.Inject;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* Base command for /totp.
|
||||
*/
|
||||
public class TotpBaseCommand implements ExecutableCommand {
|
||||
|
||||
@Inject
|
||||
private CommandMapper commandMapper;
|
||||
|
||||
@Inject
|
||||
private HelpProvider helpProvider;
|
||||
|
||||
@Override
|
||||
public void executeCommand(CommandSender sender, List<String> arguments) {
|
||||
FoundCommandResult result = commandMapper.mapPartsToCommand(sender, Collections.singletonList("totp"));
|
||||
helpProvider.outputHelp(sender, result, HelpProvider.SHOW_CHILDREN);
|
||||
}
|
||||
}
|
@ -68,7 +68,12 @@ public enum PlayerPermission implements PermissionNode {
|
||||
/**
|
||||
* Permission to use the email verification codes feature.
|
||||
*/
|
||||
VERIFICATION_CODE("authme.player.security.verificationcode");
|
||||
VERIFICATION_CODE("authme.player.security.verificationcode"),
|
||||
|
||||
/**
|
||||
* Permission to enable and disable TOTP.
|
||||
*/
|
||||
TOGGLE_TOTP_STATUS("authme.player.totp");
|
||||
|
||||
/**
|
||||
* The permission node.
|
||||
|
113
src/main/java/fr/xephi/authme/security/TotpService.java
Normal file
113
src/main/java/fr/xephi/authme/security/TotpService.java
Normal file
@ -0,0 +1,113 @@
|
||||
package fr.xephi.authme.security;
|
||||
|
||||
import com.warrenstrange.googleauth.GoogleAuthenticator;
|
||||
import com.warrenstrange.googleauth.GoogleAuthenticatorKey;
|
||||
import com.warrenstrange.googleauth.GoogleAuthenticatorQRGenerator;
|
||||
import fr.xephi.authme.data.auth.PlayerAuth;
|
||||
import fr.xephi.authme.initialization.HasCleanup;
|
||||
import fr.xephi.authme.service.BukkitService;
|
||||
import fr.xephi.authme.util.expiring.ExpiringMap;
|
||||
import org.bukkit.entity.Player;
|
||||
|
||||
import javax.inject.Inject;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
|
||||
/**
|
||||
* Service for TOTP actions.
|
||||
*/
|
||||
public class TotpService implements HasCleanup {
|
||||
|
||||
private static final int NEW_TOTP_KEY_EXPIRATION_MINUTES = 5;
|
||||
|
||||
private final ExpiringMap<String, String> totpKeys;
|
||||
private final GoogleAuthenticator authenticator;
|
||||
private final BukkitService bukkitService;
|
||||
|
||||
@Inject
|
||||
TotpService(BukkitService bukkitService) {
|
||||
this.bukkitService = bukkitService;
|
||||
this.totpKeys = new ExpiringMap<>(NEW_TOTP_KEY_EXPIRATION_MINUTES, TimeUnit.MINUTES);
|
||||
this.authenticator = new GoogleAuthenticator();
|
||||
}
|
||||
|
||||
/**
|
||||
* Generates a new TOTP key and returns the corresponding QR code. The generated key is saved temporarily
|
||||
* for the user and can be later retrieved with a confirmation code from {@link #confirmCodeForGeneratedTotpKey}.
|
||||
*
|
||||
* @param player the player to save the TOTP key for
|
||||
* @return TOTP generation result
|
||||
*/
|
||||
public TotpGenerationResult generateTotpKey(Player player) {
|
||||
GoogleAuthenticatorKey credentials = authenticator.createCredentials();
|
||||
totpKeys.put(player.getName().toLowerCase(), credentials.getKey());
|
||||
String qrCodeUrl = GoogleAuthenticatorQRGenerator.getOtpAuthURL(
|
||||
bukkitService.getIp(), player.getName(), credentials);
|
||||
return new TotpGenerationResult(credentials.getKey(), qrCodeUrl);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the generated TOTP secret of a player, if available and not yet expired.
|
||||
*
|
||||
* @param player the player to retrieve the TOTP key for
|
||||
* @return the totp secret
|
||||
*/
|
||||
public String retrieveGeneratedSecret(Player player) {
|
||||
return totpKeys.get(player.getName().toLowerCase());
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns if the new totp code matches the newly generated totp key.
|
||||
*
|
||||
* @param player the player to retrieve the code for
|
||||
* @param totpCodeConfirmation the input code confirmation
|
||||
* @return the TOTP secret that was generated for the player, or null if not available or if the code is incorrect
|
||||
*/
|
||||
// Maybe by allowing to retrieve without confirmation and exposing verifyCode(String, String)
|
||||
public boolean confirmCodeForGeneratedTotpKey(Player player, String totpCodeConfirmation) {
|
||||
String totpSecret = totpKeys.get(player.getName().toLowerCase());
|
||||
if (totpSecret != null) {
|
||||
if (checkCode(totpSecret, totpCodeConfirmation)) {
|
||||
totpKeys.remove(player.getName().toLowerCase());
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
public boolean verifyCode(PlayerAuth auth, String totpCode) {
|
||||
return checkCode(auth.getTotpKey(), totpCode);
|
||||
}
|
||||
|
||||
private boolean checkCode(String totpKey, String inputCode) {
|
||||
try {
|
||||
Integer totpCode = Integer.valueOf(inputCode);
|
||||
return authenticator.authorize(totpKey, totpCode);
|
||||
} catch (NumberFormatException e) {
|
||||
// ignore
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void performCleanup() {
|
||||
totpKeys.removeExpiredEntries();
|
||||
}
|
||||
|
||||
public static final class TotpGenerationResult {
|
||||
private final String totpKey;
|
||||
private final String authenticatorQrCodeUrl;
|
||||
|
||||
TotpGenerationResult(String totpKey, String authenticatorQrCodeUrl) {
|
||||
this.totpKey = totpKey;
|
||||
this.authenticatorQrCodeUrl = authenticatorQrCodeUrl;
|
||||
}
|
||||
|
||||
public String getTotpKey() {
|
||||
return totpKey;
|
||||
}
|
||||
|
||||
public String getAuthenticatorQrCodeUrl() {
|
||||
return authenticatorQrCodeUrl;
|
||||
}
|
||||
}
|
||||
}
|
@ -376,4 +376,11 @@ public class BukkitService implements SettingsDependent {
|
||||
public BanEntry banIp(String ip, String reason, Date expires, String source) {
|
||||
return Bukkit.getServer().getBanList(BanList.Type.IP).addBan(ip, reason, expires, source);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the IP string that this server is bound to, otherwise empty string
|
||||
*/
|
||||
public String getIp() {
|
||||
return Bukkit.getServer().getIp();
|
||||
}
|
||||
}
|
||||
|
@ -46,6 +46,11 @@ commands:
|
||||
aliases:
|
||||
- changepass
|
||||
- cp
|
||||
totp:
|
||||
description: TOTP commands
|
||||
usage: /totp add|remove
|
||||
aliases:
|
||||
- 2fa
|
||||
captcha:
|
||||
description: Captcha command
|
||||
usage: /captcha <captcha>
|
||||
@ -233,6 +238,7 @@ permissions:
|
||||
authme.player.register: true
|
||||
authme.player.security.verificationcode: true
|
||||
authme.player.seeownaccounts: true
|
||||
authme.player.totp: true
|
||||
authme.player.unregister: true
|
||||
authme.player.canbeforced:
|
||||
description: Permission for users a login can be forced to.
|
||||
@ -277,6 +283,9 @@ permissions:
|
||||
authme.player.seeownaccounts:
|
||||
description: Permission to use to see own other accounts.
|
||||
default: true
|
||||
authme.player.totp:
|
||||
description: Permission to enable and disable TOTP.
|
||||
default: true
|
||||
authme.player.unregister:
|
||||
description: Command permission to unregister.
|
||||
default: true
|
||||
|
@ -44,7 +44,7 @@ public class CommandInitializerTest {
|
||||
// It obviously doesn't make sense to test much of the concrete data
|
||||
// that is being initialized; we just want to guarantee with this test
|
||||
// that data is indeed being initialized and we take a few "probes"
|
||||
assertThat(commands, hasSize(9));
|
||||
assertThat(commands, hasSize(10));
|
||||
assertThat(commandsIncludeLabel(commands, "authme"), equalTo(true));
|
||||
assertThat(commandsIncludeLabel(commands, "register"), equalTo(true));
|
||||
assertThat(commandsIncludeLabel(commands, "help"), equalTo(false));
|
||||
|
51
src/test/java/fr/xephi/authme/security/TotpServiceTest.java
Normal file
51
src/test/java/fr/xephi/authme/security/TotpServiceTest.java
Normal file
@ -0,0 +1,51 @@
|
||||
package fr.xephi.authme.security;
|
||||
|
||||
import fr.xephi.authme.security.TotpService.TotpGenerationResult;
|
||||
import fr.xephi.authme.service.BukkitService;
|
||||
import org.bukkit.entity.Player;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.InjectMocks;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.junit.MockitoJUnitRunner;
|
||||
|
||||
import static fr.xephi.authme.AuthMeMatchers.stringWithLength;
|
||||
import static org.hamcrest.Matchers.equalTo;
|
||||
import static org.hamcrest.Matchers.not;
|
||||
import static org.hamcrest.Matchers.startsWith;
|
||||
import static org.junit.Assert.assertThat;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.mock;
|
||||
|
||||
/**
|
||||
* Test for {@link TotpService}.
|
||||
*/
|
||||
@RunWith(MockitoJUnitRunner.class)
|
||||
public class TotpServiceTest {
|
||||
|
||||
@InjectMocks
|
||||
private TotpService totpService;
|
||||
|
||||
@Mock
|
||||
private BukkitService bukkitService;
|
||||
|
||||
@Test
|
||||
public void shouldGenerateTotpKey() {
|
||||
// given
|
||||
Player player = mock(Player.class);
|
||||
given(player.getName()).willReturn("Bobby");
|
||||
given(bukkitService.getIp()).willReturn("127.48.44.4");
|
||||
|
||||
// when
|
||||
TotpGenerationResult key1 = totpService.generateTotpKey(player);
|
||||
TotpGenerationResult key2 = totpService.generateTotpKey(player);
|
||||
|
||||
// then
|
||||
assertThat(key1.getTotpKey(), stringWithLength(16));
|
||||
assertThat(key2.getTotpKey(), stringWithLength(16));
|
||||
assertThat(key1.getAuthenticatorQrCodeUrl(), startsWith("https://chart.googleapis.com/chart?chs=200x200"));
|
||||
assertThat(key2.getAuthenticatorQrCodeUrl(), startsWith("https://chart.googleapis.com/chart?chs=200x200"));
|
||||
assertThat(key1.getTotpKey(), not(equalTo(key2.getTotpKey())));
|
||||
}
|
||||
|
||||
}
|
@ -332,6 +332,19 @@ public class BukkitServiceTest {
|
||||
assertThat(event.getPlayer(), equalTo(player));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldReturnServerIp() {
|
||||
// given
|
||||
String ip = "99.99.99.99";
|
||||
given(server.getIp()).willReturn(ip);
|
||||
|
||||
// when
|
||||
String result = bukkitService.getIp();
|
||||
|
||||
// then
|
||||
assertThat(result, equalTo(ip));
|
||||
}
|
||||
|
||||
// Note: This method is used through reflections
|
||||
public static Player[] onlinePlayersImpl() {
|
||||
return new Player[]{
|
||||
|
Loading…
Reference in New Issue
Block a user