Add support for previous TOTP windows

Update the TOTP auth plugin so that it can be configured
to allow a passcode from a given number of windows back to
still work.

This gives TOTP some slighly better UX so by default at least
one passcode back will still work. Can be disabled, or more
windows added for clouds less worried about security and more
about clock drift.

Change-Id: I8ba4127a365392f0d0e9de5fd9c979750c354dc7
Closes-Bug: #1839577
This commit is contained in:
Adrian Turjak 2019-03-26 18:22:21 +13:00
parent aed8a00950
commit 5572d01300
5 changed files with 171 additions and 17 deletions

View File

@ -34,17 +34,24 @@ import six
from keystone.auth import plugins
from keystone.auth.plugins import base
from keystone.common import provider_api
import keystone.conf
from keystone import exception
from keystone.i18n import _
CONF = keystone.conf.CONF
METHOD_NAME = 'totp'
LOG = log.getLogger(__name__)
PROVIDERS = provider_api.ProviderAPIs
def _generate_totp_passcode(secret):
PASSCODE_LENGTH = 6
PASSCODE_TIME_PERIOD = 30
def _generate_totp_passcodes(secret, included_previous_windows=0):
"""Generate TOTP passcode.
:param bytes secret: A base32 encoded secret for the TOTP authentication
@ -66,8 +73,18 @@ def _generate_totp_passcode(secret):
# HMAC-SHA1 when generating the TOTP, which is currently not insecure but
# will still trigger when scanned by bandit.
totp = crypto_totp.TOTP(
decoded, 6, hashes.SHA1(), 30, backend=default_backend()) # nosec
return totp.generate(timeutils.utcnow_ts(microsecond=True)).decode('utf-8')
decoded, PASSCODE_LENGTH, hashes.SHA1(), PASSCODE_TIME_PERIOD, # nosec
backend=default_backend())
passcode_ts = timeutils.utcnow_ts(microsecond=True)
passcodes = [totp.generate(passcode_ts).decode('utf-8')]
for i in range(included_previous_windows):
# NOTE(adriant): we move back the timestamp the number of seconds in
# PASSCODE_TIME_PERIOD each time.
passcode_ts -= PASSCODE_TIME_PERIOD
passcodes.append(totp.generate(passcode_ts).decode('utf-8'))
return passcodes
class TOTP(base.AuthMethodHandler):
@ -84,9 +101,9 @@ class TOTP(base.AuthMethodHandler):
valid_passcode = False
for credential in credentials:
try:
generated_passcode = _generate_totp_passcode(
credential['blob'])
if auth_passcode == generated_passcode:
generated_passcodes = _generate_totp_passcodes(
credential['blob'], CONF.totp.included_previous_windows)
if auth_passcode in generated_passcodes:
valid_passcode = True
break
except (ValueError, KeyError):

View File

@ -49,6 +49,7 @@ from keystone.conf import security_compliance
from keystone.conf import shadow_users
from keystone.conf import token
from keystone.conf import tokenless_auth
from keystone.conf import totp
from keystone.conf import trust
from keystone.conf import unified_limit
from keystone.conf import wsgi
@ -86,6 +87,7 @@ conf_modules = [
shadow_users,
token,
tokenless_auth,
totp,
trust,
unified_limit,
wsgi

38
keystone/conf/totp.py Normal file
View File

@ -0,0 +1,38 @@
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_config import cfg
from keystone.conf import utils
included_previous_windows = cfg.IntOpt(
'included_previous_windows',
default=1,
min=0,
max=10,
help=utils.fmt("""
The number of previous windows to check when processing TOTP passcodes.
"""))
GROUP_NAME = __name__.split('.')[-1]
ALL_OPTS = [
included_previous_windows,
]
def register_opts(conf):
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
def list_opts():
return {GROUP_NAME: ALL_OPTS}

View File

@ -142,7 +142,7 @@ class TestMFARules(test_v3.RestfulTestCase):
user_id=self.user_id,
password=self.user['password'],
user_domain_id=self.domain_id,
passcode=totp._generate_totp_passcode(totp_cred['blob']))
passcode=totp._generate_totp_passcodes(totp_cred['blob'])[0])
self.v3_create_token(auth_req)
def test_MFA_single_method_rules_requirements_not_met_fails(self):
@ -253,7 +253,7 @@ class TestMFARules(test_v3.RestfulTestCase):
user_id=self.user_id,
password=self.user['password'],
user_domain_id=self.domain_id,
passcode=totp._generate_totp_passcode(totp_cred['blob']))
passcode=totp._generate_totp_passcodes(totp_cred['blob'])[0])
r = self.v3_create_token(auth_data)
auth_data = self.build_authentication_request(
token=r.headers.get('X-Subject-Token'),
@ -311,7 +311,8 @@ class TestMFARules(test_v3.RestfulTestCase):
user_id=self.user_id,
user_domain_id=self.domain_id,
project_id=self.project_id,
passcode=totp._generate_totp_passcode(totp_cred['blob'])),
passcode=totp._generate_totp_passcodes(
totp_cred['blob'])[0]),
expected_status=http_client.UNAUTHORIZED)
self.assertIsNotNone(
@ -345,7 +346,8 @@ class TestMFARules(test_v3.RestfulTestCase):
password=self.user['password'],
user_domain_id=self.domain_id,
project_id=self.project_id,
passcode=totp._generate_totp_passcode(totp_cred['blob'])),
passcode=totp._generate_totp_passcodes(
totp_cred['blob'])[0]),
expected_status=http_client.UNAUTHORIZED)
self.assertIsNotNone(
@ -444,7 +446,8 @@ class TestMFARules(test_v3.RestfulTestCase):
user_id=self.user_id,
user_domain_id=self.domain_id,
project_id=self.project_id,
passcode=totp._generate_totp_passcode(totp_cred['blob'])))
passcode=totp._generate_totp_passcodes(
totp_cred['blob'])[0]))
def test_MFA_consuming_receipt_not_found(self):
time = datetime.datetime.utcnow() + datetime.timedelta(seconds=5)
@ -5348,7 +5351,94 @@ class TestAuthTOTP(test_v3.RestfulTestCase):
self.useFixture(fixture.TimeFixture())
auth_data = self._make_auth_data_by_id(
totp._generate_totp_passcode(secret))
totp._generate_totp_passcodes(secret)[0])
self.v3_create_token(auth_data, expected_status=http_client.CREATED)
def test_with_an_expired_passcode(self):
creds = self._make_credentials('totp')
secret = creds[-1]['blob']
past = datetime.datetime.utcnow() - datetime.timedelta(minutes=2)
with freezegun.freeze_time(past):
auth_data = self._make_auth_data_by_id(
totp._generate_totp_passcodes(secret)[0])
# Stop the clock otherwise there is a chance of accidental success due
# to getting a different TOTP between the call here and the call in the
# auth plugin.
self.useFixture(fixture.TimeFixture())
self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_with_an_expired_passcode_no_previous_windows(self):
self.config_fixture.config(group='totp',
included_previous_windows=0)
creds = self._make_credentials('totp')
secret = creds[-1]['blob']
past = datetime.datetime.utcnow() - datetime.timedelta(seconds=30)
with freezegun.freeze_time(past):
auth_data = self._make_auth_data_by_id(
totp._generate_totp_passcodes(secret)[0])
# Stop the clock otherwise there is a chance of accidental success due
# to getting a different TOTP between the call here and the call in the
# auth plugin.
self.useFixture(fixture.TimeFixture())
self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
def test_with_passcode_no_previous_windows(self):
self.config_fixture.config(group='totp',
included_previous_windows=0)
creds = self._make_credentials('totp')
secret = creds[-1]['blob']
auth_data = self._make_auth_data_by_id(
totp._generate_totp_passcodes(secret)[0])
# Stop the clock otherwise there is a chance of auth failure due to
# getting a different TOTP between the call here and the call in the
# auth plugin.
self.useFixture(fixture.TimeFixture())
self.v3_create_token(auth_data, expected_status=http_client.CREATED)
def test_with_passcode_in_previous_windows_default(self):
"""Confirm previous window default of 1 works."""
creds = self._make_credentials('totp')
secret = creds[-1]['blob']
past = datetime.datetime.utcnow() - datetime.timedelta(seconds=30)
with freezegun.freeze_time(past):
auth_data = self._make_auth_data_by_id(
totp._generate_totp_passcodes(secret)[0])
# Stop the clock otherwise there is a chance of auth failure due to
# getting a different TOTP between the call here and the call in the
# auth plugin.
self.useFixture(fixture.TimeFixture())
self.v3_create_token(auth_data, expected_status=http_client.CREATED)
def test_with_passcode_in_previous_windows_extended(self):
self.config_fixture.config(group='totp',
included_previous_windows=4)
creds = self._make_credentials('totp')
secret = creds[-1]['blob']
past = datetime.datetime.utcnow() - datetime.timedelta(minutes=2)
with freezegun.freeze_time(past):
auth_data = self._make_auth_data_by_id(
totp._generate_totp_passcodes(secret)[0])
# Stop the clock otherwise there is a chance of auth failure due to
# getting a different TOTP between the call here and the call in the
# auth plugin.
self.useFixture(fixture.TimeFixture())
self.v3_create_token(auth_data, expected_status=http_client.CREATED)
@ -5380,7 +5470,7 @@ class TestAuthTOTP(test_v3.RestfulTestCase):
self.useFixture(fixture.TimeFixture())
auth_data = self._make_auth_data_by_id(
totp._generate_totp_passcode(secret))
totp._generate_totp_passcodes(secret)[0])
self.v3_create_token(auth_data, expected_status=http_client.CREATED)
def test_with_multiple_users(self):
@ -5403,7 +5493,7 @@ class TestAuthTOTP(test_v3.RestfulTestCase):
self.useFixture(fixture.TimeFixture())
auth_data = self._make_auth_data_by_id(
totp._generate_totp_passcode(secret), user_id=user['id'])
totp._generate_totp_passcodes(secret)[0], user_id=user['id'])
self.v3_create_token(auth_data, expected_status=http_client.CREATED)
def test_with_multiple_users_and_invalid_credentials(self):
@ -5429,7 +5519,7 @@ class TestAuthTOTP(test_v3.RestfulTestCase):
secret = user2_creds[-1]['blob']
auth_data = self._make_auth_data_by_id(
totp._generate_totp_passcode(secret), user_id=user_id)
totp._generate_totp_passcodes(secret)[0], user_id=user_id)
self.v3_create_token(auth_data,
expected_status=http_client.UNAUTHORIZED)
@ -5443,7 +5533,7 @@ class TestAuthTOTP(test_v3.RestfulTestCase):
self.useFixture(fixture.TimeFixture())
auth_data = self._make_auth_data_by_name(
totp._generate_totp_passcode(secret),
totp._generate_totp_passcodes(secret)[0],
username=self.default_domain_user['name'],
user_domain_id=self.default_domain_user['domain_id'])
@ -5451,7 +5541,7 @@ class TestAuthTOTP(test_v3.RestfulTestCase):
def test_generated_passcode_is_correct_format(self):
secret = self._make_credentials('totp')[-1]['blob']
passcode = totp._generate_totp_passcode(secret)
passcode = totp._generate_totp_passcodes(secret)[0]
reg = re.compile(r'^-?[0-9]+$')
self.assertTrue(reg.match(passcode))

View File

@ -0,0 +1,7 @@
---
features:
- >
[`bug 1839577 <https://bugs.launchpad.net/keystone/+bug/1839577>`_]
TOTP now allows by default the code from the previous time window
to be considered valid as part of auth. This can be disabled, or
the extended up to ten previous windows.