#1141 Rough version of TOTP commands to add and remove a code for a player

pom.xml

@@ -286,6 +286,10 @@
                             <pattern>org.bstats</pattern>
                             <shadedPattern>fr.xephi.authme.libs.org.bstats</shadedPattern>
                         </relocation>
+                        <relocation>
+                            <pattern>com.warrenstrange</pattern>
+                            <shadedPattern>fr.xephi.authme.libs.com.warrenstrange</shadedPattern>
+                        </relocation>
                     </relocations>
                 </configuration>
             </plugin>
@@ -461,6 +465,13 @@
             <optional>true</optional>
         </dependency>
 
+        <!-- TOTP client -->
+        <dependency>
+            <groupId>com.warrenstrange</groupId>
+            <artifactId>googleauth</artifactId>
+            <version>1.1.2</version>
+        </dependency>
+
         <!-- Spigot API, http://www.spigotmc.org/ -->
         <dependency>
             <groupId>org.spigotmc</groupId>

src/main/java/fr/xephi/authme/command/CommandInitializer.java

@@ -40,6 +40,10 @@ import fr.xephi.authme.command.executable.email.ShowEmailCommand;
 import fr.xephi.authme.command.executable.login.LoginCommand;
 import fr.xephi.authme.command.executable.logout.LogoutCommand;
 import fr.xephi.authme.command.executable.register.RegisterCommand;
+import fr.xephi.authme.command.executable.totp.AddTotpCommand;
+import fr.xephi.authme.command.executable.totp.ConfirmTotpCommand;
+import fr.xephi.authme.command.executable.totp.RemoveTotpCommand;
+import fr.xephi.authme.command.executable.totp.TotpBaseCommand;
 import fr.xephi.authme.command.executable.unregister.UnregisterCommand;
 import fr.xephi.authme.command.executable.verification.VerificationCommand;
 import fr.xephi.authme.permission.AdminPermission;
@@ -134,6 +138,9 @@ public class CommandInitializer {
             .executableCommand(ChangePasswordCommand.class)
             .register();
 
+        // Create totp base command
+        CommandDescription totpBase = buildTotpBaseCommand();
+
         // Register the base captcha command
         CommandDescription captchaBase = CommandDescription.builder()
             .parent(null)
@@ -156,16 +163,8 @@ public class CommandInitializer {
             .executableCommand(VerificationCommand.class)
             .register();
 
-        List<CommandDescription> baseCommands = ImmutableList.of(
-            authMeBase,
-            emailBase,
-            loginBase,
-            logoutBase,
-            registerBase,
-            unregisterBase,
-            changePasswordBase,
-            captchaBase,
-            verificationBase);
+        List<CommandDescription> baseCommands = ImmutableList.of(authMeBase, emailBase, loginBase, logoutBase,
+            registerBase, unregisterBase, changePasswordBase, totpBase, captchaBase, verificationBase);
 
         setHelpOnAllBases(baseCommands);
         commands = baseCommands;
@@ -543,6 +542,56 @@ public class CommandInitializer {
         return emailBase;
     }
 
+    /**
+     * Creates a command description object for {@code /totp} including its children.
+     *
+     * @return the totp base command description
+     */
+    private CommandDescription buildTotpBaseCommand() {
+        // Register the base totp command
+        CommandDescription totpBase = CommandDescription.builder()
+            .parent(null)
+            .labels("totp", "2fa")
+            .description("TOTP commands")
+            .detailedDescription("Performs actions related to two-factor authentication.")
+            .executableCommand(TotpBaseCommand.class)
+            .register();
+
+        // Register totp add
+        CommandDescription.builder()
+            .parent(totpBase)
+            .labels("add")
+            .description("Enables TOTP")
+            .detailedDescription("Enables two-factor authentication for your account.")
+            .permission(PlayerPermission.TOGGLE_TOTP_STATUS)
+            .executableCommand(AddTotpCommand.class)
+            .register();
+
+        // Register totp confirm
+        CommandDescription.builder()
+            .parent(totpBase)
+            .labels("confirm")
+            .description("Enables TOTP after successful code")
+            .detailedDescription("Saves the generated TOTP secret after confirmation.")
+            .withArgument("code", "Code from the given secret from /totp add", false)
+            .permission(PlayerPermission.TOGGLE_TOTP_STATUS)
+            .executableCommand(ConfirmTotpCommand.class)
+            .register();
+
+        // Register totp remove
+        CommandDescription.builder()
+            .parent(totpBase)
+            .labels("remove")
+            .description("Removes TOTP")
+            .detailedDescription("Disables two-factor authentication for your account.")
+            .withArgument("code", "Current 2FA code", false)
+            .permission(PlayerPermission.TOGGLE_TOTP_STATUS)
+            .executableCommand(RemoveTotpCommand.class)
+            .register();
+
+        return totpBase;
+    }
+
     /**
      * Sets the help command on all base commands, e.g. to register /authme help or /register help.
      *

src/main/java/fr/xephi/authme/command/executable/totp/AddTotpCommand.java

@@ -0,0 +1,41 @@
+package fr.xephi.authme.command.executable.totp;
+
+import fr.xephi.authme.command.PlayerCommand;
+import fr.xephi.authme.data.auth.PlayerAuth;
+import fr.xephi.authme.datasource.DataSource;
+import fr.xephi.authme.message.MessageKey;
+import fr.xephi.authme.security.TotpService;
+import fr.xephi.authme.security.TotpService.TotpGenerationResult;
+import fr.xephi.authme.service.CommonService;
+import org.bukkit.ChatColor;
+import org.bukkit.entity.Player;
+
+import javax.inject.Inject;
+import java.util.List;
+
+/**
+ * Command for a player to enable TOTP.
+ */
+public class AddTotpCommand extends PlayerCommand {
+
+    @Inject
+    private TotpService totpService;
+
+    @Inject
+    private DataSource dataSource;
+
+    @Inject
+    private CommonService commonService;
+
+    @Override
+    protected void runCommand(Player player, List<String> arguments) {
+        PlayerAuth auth = dataSource.getAuth(player.getName());
+        if (auth.getTotpKey() == null) {
+            TotpGenerationResult createdTotpInfo = totpService.generateTotpKey(player);
+            commonService.send(player, MessageKey.TWO_FACTOR_CREATE,
+                createdTotpInfo.getTotpKey(), createdTotpInfo.getAuthenticatorQrCodeUrl());
+        } else {
+            player.sendMessage(ChatColor.RED + "Two-factor authentication is already enabled for your account!");
+        }
+    }
+}

src/main/java/fr/xephi/authme/command/executable/totp/ConfirmTotpCommand.java

@@ -0,0 +1,39 @@
+package fr.xephi.authme.command.executable.totp;
+
+import fr.xephi.authme.command.PlayerCommand;
+import fr.xephi.authme.datasource.DataSource;
+import fr.xephi.authme.security.TotpService;
+import org.bukkit.entity.Player;
+
+import javax.inject.Inject;
+import java.util.List;
+
+/**
+ * Command to enable TOTP by supplying the proper code as confirmation.
+ */
+public class ConfirmTotpCommand extends PlayerCommand {
+
+    @Inject
+    private TotpService totpService;
+
+    @Inject
+    private DataSource dataSource;
+
+    @Override
+    protected void runCommand(Player player, List<String> arguments) {
+        // TODO #1141: Check if player already has TOTP
+
+        final String totpKey = totpService.retrieveGeneratedSecret(player);
+        if (totpKey == null) {
+            player.sendMessage("No TOTP key has been generated for you or it has expired. Please run /totp add");
+        } else {
+            boolean isTotpCodeValid = totpService.confirmCodeForGeneratedTotpKey(player, arguments.get(0));
+            if (isTotpCodeValid) {
+                dataSource.setTotpKey(player.getName(), totpKey);
+                player.sendMessage("Successfully enabled two-factor authentication for your account");
+            } else {
+                player.sendMessage("Wrong code or code has expired. Please use /totp add again");
+            }
+        }
+    }
+}

src/main/java/fr/xephi/authme/command/executable/totp/RemoveTotpCommand.java

@@ -0,0 +1,37 @@
+package fr.xephi.authme.command.executable.totp;
+
+import fr.xephi.authme.command.PlayerCommand;
+import fr.xephi.authme.data.auth.PlayerAuth;
+import fr.xephi.authme.datasource.DataSource;
+import fr.xephi.authme.security.TotpService;
+import org.bukkit.entity.Player;
+
+import javax.inject.Inject;
+import java.util.List;
+
+/**
+ * Command for a player to remove 2FA authentication.
+ */
+public class RemoveTotpCommand extends PlayerCommand {
+
+    @Inject
+    private DataSource dataSource;
+
+    @Inject
+    private TotpService totpService;
+
+    @Override
+    protected void runCommand(Player player, List<String> arguments) {
+        PlayerAuth auth = dataSource.getAuth(player.getName());
+        if (auth.getTotpKey() == null) {
+            player.sendMessage("Two-factor authentication is not enabled for your account!");
+        } else {
+            if (totpService.verifyCode(auth, arguments.get(0))) {
+                dataSource.removeTotpKey(auth.getNickname());
+                player.sendMessage("Successfully removed two-factor authentication from your account");
+            } else {
+                player.sendMessage("Invalid code!");
+            }
+        }
+    }
+}

src/main/java/fr/xephi/authme/command/executable/totp/TotpBaseCommand.java

@@ -0,0 +1,29 @@
+package fr.xephi.authme.command.executable.totp;
+
+import fr.xephi.authme.command.CommandMapper;
+import fr.xephi.authme.command.ExecutableCommand;
+import fr.xephi.authme.command.FoundCommandResult;
+import fr.xephi.authme.command.help.HelpProvider;
+import org.bukkit.command.CommandSender;
+
+import javax.inject.Inject;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Base command for /totp.
+ */
+public class TotpBaseCommand implements ExecutableCommand {
+
+    @Inject
+    private CommandMapper commandMapper;
+
+    @Inject
+    private HelpProvider helpProvider;
+
+    @Override
+    public void executeCommand(CommandSender sender, List<String> arguments) {
+        FoundCommandResult result = commandMapper.mapPartsToCommand(sender, Collections.singletonList("totp"));
+        helpProvider.outputHelp(sender, result, HelpProvider.SHOW_CHILDREN);
+    }
+}

src/main/java/fr/xephi/authme/permission/PlayerPermission.java

@@ -68,7 +68,12 @@ public enum PlayerPermission implements PermissionNode {
     /**
      * Permission to use the email verification codes feature.
      */
-    VERIFICATION_CODE("authme.player.security.verificationcode");
+    VERIFICATION_CODE("authme.player.security.verificationcode"),
+
+    /**
+     * Permission to enable and disable TOTP.
+     */
+    TOGGLE_TOTP_STATUS("authme.player.totp");
 
     /**
      * The permission node.

src/main/java/fr/xephi/authme/security/TotpService.java

@@ -0,0 +1,113 @@
+package fr.xephi.authme.security;
+
+import com.warrenstrange.googleauth.GoogleAuthenticator;
+import com.warrenstrange.googleauth.GoogleAuthenticatorKey;
+import com.warrenstrange.googleauth.GoogleAuthenticatorQRGenerator;
+import fr.xephi.authme.data.auth.PlayerAuth;
+import fr.xephi.authme.initialization.HasCleanup;
+import fr.xephi.authme.service.BukkitService;
+import fr.xephi.authme.util.expiring.ExpiringMap;
+import org.bukkit.entity.Player;
+
+import javax.inject.Inject;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * Service for TOTP actions.
+ */
+public class TotpService implements HasCleanup {
+
+    private static final int NEW_TOTP_KEY_EXPIRATION_MINUTES = 5;
+
+    private final ExpiringMap<String, String> totpKeys;
+    private final GoogleAuthenticator authenticator;
+    private final BukkitService bukkitService;
+
+    @Inject
+    TotpService(BukkitService bukkitService) {
+        this.bukkitService = bukkitService;
+        this.totpKeys = new ExpiringMap<>(NEW_TOTP_KEY_EXPIRATION_MINUTES, TimeUnit.MINUTES);
+        this.authenticator = new GoogleAuthenticator();
+    }
+
+    /**
+     * Generates a new TOTP key and returns the corresponding QR code. The generated key is saved temporarily
+     * for the user and can be later retrieved with a confirmation code from {@link #confirmCodeForGeneratedTotpKey}.
+     *
+     * @param player the player to save the TOTP key for
+     * @return TOTP generation result
+     */
+    public TotpGenerationResult generateTotpKey(Player player) {
+        GoogleAuthenticatorKey credentials = authenticator.createCredentials();
+        totpKeys.put(player.getName().toLowerCase(), credentials.getKey());
+        String qrCodeUrl = GoogleAuthenticatorQRGenerator.getOtpAuthURL(
+            bukkitService.getIp(), player.getName(), credentials);
+        return new TotpGenerationResult(credentials.getKey(), qrCodeUrl);
+    }
+
+    /**
+     * Returns the generated TOTP secret of a player, if available and not yet expired.
+     *
+     * @param player the player to retrieve the TOTP key for
+     * @return the totp secret
+     */
+    public String retrieveGeneratedSecret(Player player) {
+        return totpKeys.get(player.getName().toLowerCase());
+    }
+
+    /**
+     * Returns if the new totp code matches the newly generated totp key.
+     *
+     * @param player the player to retrieve the code for
+     * @param totpCodeConfirmation the input code confirmation
+     * @return the TOTP secret that was generated for the player, or null if not available or if the code is incorrect
+     */
+    // Maybe by allowing to retrieve without confirmation and exposing verifyCode(String, String)
+    public boolean confirmCodeForGeneratedTotpKey(Player player, String totpCodeConfirmation) {
+        String totpSecret = totpKeys.get(player.getName().toLowerCase());
+        if (totpSecret != null) {
+            if (checkCode(totpSecret, totpCodeConfirmation)) {
+                totpKeys.remove(player.getName().toLowerCase());
+                return true;
+            }
+        }
+        return false;
+    }
+
+    public boolean verifyCode(PlayerAuth auth, String totpCode) {
+        return checkCode(auth.getTotpKey(), totpCode);
+    }
+
+    private boolean checkCode(String totpKey, String inputCode) {
+        try {
+            Integer totpCode = Integer.valueOf(inputCode);
+            return authenticator.authorize(totpKey, totpCode);
+        } catch (NumberFormatException e) {
+            // ignore
+        }
+        return false;
+    }
+
+    @Override
+    public void performCleanup() {
+        totpKeys.removeExpiredEntries();
+    }
+
+    public static final class TotpGenerationResult {
+        private final String totpKey;
+        private final String authenticatorQrCodeUrl;
+
+        TotpGenerationResult(String totpKey, String authenticatorQrCodeUrl) {
+            this.totpKey = totpKey;
+            this.authenticatorQrCodeUrl = authenticatorQrCodeUrl;
+        }
+
+        public String getTotpKey() {
+            return totpKey;
+        }
+
+        public String getAuthenticatorQrCodeUrl() {
+            return authenticatorQrCodeUrl;
+        }
+    }
+}

src/main/java/fr/xephi/authme/service/BukkitService.java

@@ -376,4 +376,11 @@ public class BukkitService implements SettingsDependent {
     public BanEntry banIp(String ip, String reason, Date expires, String source) {
         return Bukkit.getServer().getBanList(BanList.Type.IP).addBan(ip, reason, expires, source);
     }
+
+    /**
+     * @return the IP string that this server is bound to, otherwise empty string
+     */
+    public String getIp() {
+        return Bukkit.getServer().getIp();
+    }
 }

src/main/resources/plugin.yml

@@ -46,6 +46,11 @@ commands:
     aliases:
     - changepass
     - cp
+  totp:
+    description: TOTP commands
+    usage: /totp add|remove
+    aliases:
+    - 2fa
   captcha:
     description: Captcha command
     usage: /captcha <captcha>
@@ -233,6 +238,7 @@ permissions:
       authme.player.register: true
       authme.player.security.verificationcode: true
       authme.player.seeownaccounts: true
+      authme.player.totp: true
       authme.player.unregister: true
   authme.player.canbeforced:
     description: Permission for users a login can be forced to.
@@ -277,6 +283,9 @@ permissions:
   authme.player.seeownaccounts:
     description: Permission to use to see own other accounts.
     default: true
+  authme.player.totp:
+    description: Permission to enable and disable TOTP.
+    default: true
   authme.player.unregister:
     description: Command permission to unregister.
     default: true

src/test/java/fr/xephi/authme/command/CommandInitializerTest.java

@@ -44,7 +44,7 @@ public class CommandInitializerTest {
         // It obviously doesn't make sense to test much of the concrete data
         // that is being initialized; we just want to guarantee with this test
         // that data is indeed being initialized and we take a few "probes"
-        assertThat(commands, hasSize(9));
+        assertThat(commands, hasSize(10));
         assertThat(commandsIncludeLabel(commands, "authme"), equalTo(true));
         assertThat(commandsIncludeLabel(commands, "register"), equalTo(true));
         assertThat(commandsIncludeLabel(commands, "help"), equalTo(false));

src/test/java/fr/xephi/authme/security/TotpServiceTest.java

@@ -0,0 +1,51 @@
+package fr.xephi.authme.security;
+
+import fr.xephi.authme.security.TotpService.TotpGenerationResult;
+import fr.xephi.authme.service.BukkitService;
+import org.bukkit.entity.Player;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import static fr.xephi.authme.AuthMeMatchers.stringWithLength;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.not;
+import static org.hamcrest.Matchers.startsWith;
+import static org.junit.Assert.assertThat;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+
+/**
+ * Test for {@link TotpService}.
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class TotpServiceTest {
+
+    @InjectMocks
+    private TotpService totpService;
+
+    @Mock
+    private BukkitService bukkitService;
+
+    @Test
+    public void shouldGenerateTotpKey() {
+        // given
+        Player player = mock(Player.class);
+        given(player.getName()).willReturn("Bobby");
+        given(bukkitService.getIp()).willReturn("127.48.44.4");
+
+        // when
+        TotpGenerationResult key1 = totpService.generateTotpKey(player);
+        TotpGenerationResult key2 = totpService.generateTotpKey(player);
+
+        // then
+        assertThat(key1.getTotpKey(), stringWithLength(16));
+        assertThat(key2.getTotpKey(), stringWithLength(16));
+        assertThat(key1.getAuthenticatorQrCodeUrl(), startsWith("https://chart.googleapis.com/chart?chs=200x200"));
+        assertThat(key2.getAuthenticatorQrCodeUrl(), startsWith("https://chart.googleapis.com/chart?chs=200x200"));
+        assertThat(key1.getTotpKey(), not(equalTo(key2.getTotpKey())));
+    }
+
+}

src/test/java/fr/xephi/authme/service/BukkitServiceTest.java

@@ -332,6 +332,19 @@ public class BukkitServiceTest {
         assertThat(event.getPlayer(), equalTo(player));
     }
 
+    @Test
+    public void shouldReturnServerIp() {
+        // given
+        String ip = "99.99.99.99";
+        given(server.getIp()).willReturn(ip);
+
+        // when
+        String result = bukkitService.getIp();
+
+        // then
+        assertThat(result, equalTo(ip));
+    }
+
     // Note: This method is used through reflections
     public static Player[] onlinePlayersImpl() {
         return new Player[]{