Add support for previous TOTP windows
Update the TOTP auth plugin so that it can be configured to allow a passcode from a given number of windows back to still work. This gives TOTP some slighly better UX so by default at least one passcode back will still work. Can be disabled, or more windows added for clouds less worried about security and more about clock drift. Change-Id: I8ba4127a365392f0d0e9de5fd9c979750c354dc7 Closes-Bug: #1839577
This commit is contained in:
parent
aed8a00950
commit
5572d01300
|
@ -34,17 +34,24 @@ import six
|
|||
from keystone.auth import plugins
|
||||
from keystone.auth.plugins import base
|
||||
from keystone.common import provider_api
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.i18n import _
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
|
||||
METHOD_NAME = 'totp'
|
||||
|
||||
LOG = log.getLogger(__name__)
|
||||
PROVIDERS = provider_api.ProviderAPIs
|
||||
|
||||
|
||||
def _generate_totp_passcode(secret):
|
||||
PASSCODE_LENGTH = 6
|
||||
PASSCODE_TIME_PERIOD = 30
|
||||
|
||||
|
||||
def _generate_totp_passcodes(secret, included_previous_windows=0):
|
||||
"""Generate TOTP passcode.
|
||||
|
||||
:param bytes secret: A base32 encoded secret for the TOTP authentication
|
||||
|
@ -66,8 +73,18 @@ def _generate_totp_passcode(secret):
|
|||
# HMAC-SHA1 when generating the TOTP, which is currently not insecure but
|
||||
# will still trigger when scanned by bandit.
|
||||
totp = crypto_totp.TOTP(
|
||||
decoded, 6, hashes.SHA1(), 30, backend=default_backend()) # nosec
|
||||
return totp.generate(timeutils.utcnow_ts(microsecond=True)).decode('utf-8')
|
||||
decoded, PASSCODE_LENGTH, hashes.SHA1(), PASSCODE_TIME_PERIOD, # nosec
|
||||
backend=default_backend())
|
||||
|
||||
passcode_ts = timeutils.utcnow_ts(microsecond=True)
|
||||
passcodes = [totp.generate(passcode_ts).decode('utf-8')]
|
||||
|
||||
for i in range(included_previous_windows):
|
||||
# NOTE(adriant): we move back the timestamp the number of seconds in
|
||||
# PASSCODE_TIME_PERIOD each time.
|
||||
passcode_ts -= PASSCODE_TIME_PERIOD
|
||||
passcodes.append(totp.generate(passcode_ts).decode('utf-8'))
|
||||
return passcodes
|
||||
|
||||
|
||||
class TOTP(base.AuthMethodHandler):
|
||||
|
@ -84,9 +101,9 @@ class TOTP(base.AuthMethodHandler):
|
|||
valid_passcode = False
|
||||
for credential in credentials:
|
||||
try:
|
||||
generated_passcode = _generate_totp_passcode(
|
||||
credential['blob'])
|
||||
if auth_passcode == generated_passcode:
|
||||
generated_passcodes = _generate_totp_passcodes(
|
||||
credential['blob'], CONF.totp.included_previous_windows)
|
||||
if auth_passcode in generated_passcodes:
|
||||
valid_passcode = True
|
||||
break
|
||||
except (ValueError, KeyError):
|
||||
|
|
|
@ -49,6 +49,7 @@ from keystone.conf import security_compliance
|
|||
from keystone.conf import shadow_users
|
||||
from keystone.conf import token
|
||||
from keystone.conf import tokenless_auth
|
||||
from keystone.conf import totp
|
||||
from keystone.conf import trust
|
||||
from keystone.conf import unified_limit
|
||||
from keystone.conf import wsgi
|
||||
|
@ -86,6 +87,7 @@ conf_modules = [
|
|||
shadow_users,
|
||||
token,
|
||||
tokenless_auth,
|
||||
totp,
|
||||
trust,
|
||||
unified_limit,
|
||||
wsgi
|
||||
|
|
|
@ -0,0 +1,38 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_config import cfg
|
||||
|
||||
from keystone.conf import utils
|
||||
|
||||
included_previous_windows = cfg.IntOpt(
|
||||
'included_previous_windows',
|
||||
default=1,
|
||||
min=0,
|
||||
max=10,
|
||||
help=utils.fmt("""
|
||||
The number of previous windows to check when processing TOTP passcodes.
|
||||
"""))
|
||||
|
||||
|
||||
GROUP_NAME = __name__.split('.')[-1]
|
||||
ALL_OPTS = [
|
||||
included_previous_windows,
|
||||
]
|
||||
|
||||
|
||||
def register_opts(conf):
|
||||
conf.register_opts(ALL_OPTS, group=GROUP_NAME)
|
||||
|
||||
|
||||
def list_opts():
|
||||
return {GROUP_NAME: ALL_OPTS}
|
|
@ -142,7 +142,7 @@ class TestMFARules(test_v3.RestfulTestCase):
|
|||
user_id=self.user_id,
|
||||
password=self.user['password'],
|
||||
user_domain_id=self.domain_id,
|
||||
passcode=totp._generate_totp_passcode(totp_cred['blob']))
|
||||
passcode=totp._generate_totp_passcodes(totp_cred['blob'])[0])
|
||||
self.v3_create_token(auth_req)
|
||||
|
||||
def test_MFA_single_method_rules_requirements_not_met_fails(self):
|
||||
|
@ -253,7 +253,7 @@ class TestMFARules(test_v3.RestfulTestCase):
|
|||
user_id=self.user_id,
|
||||
password=self.user['password'],
|
||||
user_domain_id=self.domain_id,
|
||||
passcode=totp._generate_totp_passcode(totp_cred['blob']))
|
||||
passcode=totp._generate_totp_passcodes(totp_cred['blob'])[0])
|
||||
r = self.v3_create_token(auth_data)
|
||||
auth_data = self.build_authentication_request(
|
||||
token=r.headers.get('X-Subject-Token'),
|
||||
|
@ -311,7 +311,8 @@ class TestMFARules(test_v3.RestfulTestCase):
|
|||
user_id=self.user_id,
|
||||
user_domain_id=self.domain_id,
|
||||
project_id=self.project_id,
|
||||
passcode=totp._generate_totp_passcode(totp_cred['blob'])),
|
||||
passcode=totp._generate_totp_passcodes(
|
||||
totp_cred['blob'])[0]),
|
||||
expected_status=http_client.UNAUTHORIZED)
|
||||
|
||||
self.assertIsNotNone(
|
||||
|
@ -345,7 +346,8 @@ class TestMFARules(test_v3.RestfulTestCase):
|
|||
password=self.user['password'],
|
||||
user_domain_id=self.domain_id,
|
||||
project_id=self.project_id,
|
||||
passcode=totp._generate_totp_passcode(totp_cred['blob'])),
|
||||
passcode=totp._generate_totp_passcodes(
|
||||
totp_cred['blob'])[0]),
|
||||
expected_status=http_client.UNAUTHORIZED)
|
||||
|
||||
self.assertIsNotNone(
|
||||
|
@ -444,7 +446,8 @@ class TestMFARules(test_v3.RestfulTestCase):
|
|||
user_id=self.user_id,
|
||||
user_domain_id=self.domain_id,
|
||||
project_id=self.project_id,
|
||||
passcode=totp._generate_totp_passcode(totp_cred['blob'])))
|
||||
passcode=totp._generate_totp_passcodes(
|
||||
totp_cred['blob'])[0]))
|
||||
|
||||
def test_MFA_consuming_receipt_not_found(self):
|
||||
time = datetime.datetime.utcnow() + datetime.timedelta(seconds=5)
|
||||
|
@ -5348,7 +5351,94 @@ class TestAuthTOTP(test_v3.RestfulTestCase):
|
|||
self.useFixture(fixture.TimeFixture())
|
||||
|
||||
auth_data = self._make_auth_data_by_id(
|
||||
totp._generate_totp_passcode(secret))
|
||||
totp._generate_totp_passcodes(secret)[0])
|
||||
|
||||
self.v3_create_token(auth_data, expected_status=http_client.CREATED)
|
||||
|
||||
def test_with_an_expired_passcode(self):
|
||||
creds = self._make_credentials('totp')
|
||||
secret = creds[-1]['blob']
|
||||
|
||||
past = datetime.datetime.utcnow() - datetime.timedelta(minutes=2)
|
||||
with freezegun.freeze_time(past):
|
||||
auth_data = self._make_auth_data_by_id(
|
||||
totp._generate_totp_passcodes(secret)[0])
|
||||
|
||||
# Stop the clock otherwise there is a chance of accidental success due
|
||||
# to getting a different TOTP between the call here and the call in the
|
||||
# auth plugin.
|
||||
self.useFixture(fixture.TimeFixture())
|
||||
|
||||
self.v3_create_token(auth_data,
|
||||
expected_status=http_client.UNAUTHORIZED)
|
||||
|
||||
def test_with_an_expired_passcode_no_previous_windows(self):
|
||||
self.config_fixture.config(group='totp',
|
||||
included_previous_windows=0)
|
||||
creds = self._make_credentials('totp')
|
||||
secret = creds[-1]['blob']
|
||||
|
||||
past = datetime.datetime.utcnow() - datetime.timedelta(seconds=30)
|
||||
with freezegun.freeze_time(past):
|
||||
auth_data = self._make_auth_data_by_id(
|
||||
totp._generate_totp_passcodes(secret)[0])
|
||||
|
||||
# Stop the clock otherwise there is a chance of accidental success due
|
||||
# to getting a different TOTP between the call here and the call in the
|
||||
# auth plugin.
|
||||
self.useFixture(fixture.TimeFixture())
|
||||
|
||||
self.v3_create_token(auth_data,
|
||||
expected_status=http_client.UNAUTHORIZED)
|
||||
|
||||
def test_with_passcode_no_previous_windows(self):
|
||||
self.config_fixture.config(group='totp',
|
||||
included_previous_windows=0)
|
||||
creds = self._make_credentials('totp')
|
||||
secret = creds[-1]['blob']
|
||||
|
||||
auth_data = self._make_auth_data_by_id(
|
||||
totp._generate_totp_passcodes(secret)[0])
|
||||
|
||||
# Stop the clock otherwise there is a chance of auth failure due to
|
||||
# getting a different TOTP between the call here and the call in the
|
||||
# auth plugin.
|
||||
self.useFixture(fixture.TimeFixture())
|
||||
|
||||
self.v3_create_token(auth_data, expected_status=http_client.CREATED)
|
||||
|
||||
def test_with_passcode_in_previous_windows_default(self):
|
||||
"""Confirm previous window default of 1 works."""
|
||||
creds = self._make_credentials('totp')
|
||||
secret = creds[-1]['blob']
|
||||
|
||||
past = datetime.datetime.utcnow() - datetime.timedelta(seconds=30)
|
||||
with freezegun.freeze_time(past):
|
||||
auth_data = self._make_auth_data_by_id(
|
||||
totp._generate_totp_passcodes(secret)[0])
|
||||
|
||||
# Stop the clock otherwise there is a chance of auth failure due to
|
||||
# getting a different TOTP between the call here and the call in the
|
||||
# auth plugin.
|
||||
self.useFixture(fixture.TimeFixture())
|
||||
|
||||
self.v3_create_token(auth_data, expected_status=http_client.CREATED)
|
||||
|
||||
def test_with_passcode_in_previous_windows_extended(self):
|
||||
self.config_fixture.config(group='totp',
|
||||
included_previous_windows=4)
|
||||
creds = self._make_credentials('totp')
|
||||
secret = creds[-1]['blob']
|
||||
|
||||
past = datetime.datetime.utcnow() - datetime.timedelta(minutes=2)
|
||||
with freezegun.freeze_time(past):
|
||||
auth_data = self._make_auth_data_by_id(
|
||||
totp._generate_totp_passcodes(secret)[0])
|
||||
|
||||
# Stop the clock otherwise there is a chance of auth failure due to
|
||||
# getting a different TOTP between the call here and the call in the
|
||||
# auth plugin.
|
||||
self.useFixture(fixture.TimeFixture())
|
||||
|
||||
self.v3_create_token(auth_data, expected_status=http_client.CREATED)
|
||||
|
||||
|
@ -5380,7 +5470,7 @@ class TestAuthTOTP(test_v3.RestfulTestCase):
|
|||
self.useFixture(fixture.TimeFixture())
|
||||
|
||||
auth_data = self._make_auth_data_by_id(
|
||||
totp._generate_totp_passcode(secret))
|
||||
totp._generate_totp_passcodes(secret)[0])
|
||||
self.v3_create_token(auth_data, expected_status=http_client.CREATED)
|
||||
|
||||
def test_with_multiple_users(self):
|
||||
|
@ -5403,7 +5493,7 @@ class TestAuthTOTP(test_v3.RestfulTestCase):
|
|||
self.useFixture(fixture.TimeFixture())
|
||||
|
||||
auth_data = self._make_auth_data_by_id(
|
||||
totp._generate_totp_passcode(secret), user_id=user['id'])
|
||||
totp._generate_totp_passcodes(secret)[0], user_id=user['id'])
|
||||
self.v3_create_token(auth_data, expected_status=http_client.CREATED)
|
||||
|
||||
def test_with_multiple_users_and_invalid_credentials(self):
|
||||
|
@ -5429,7 +5519,7 @@ class TestAuthTOTP(test_v3.RestfulTestCase):
|
|||
secret = user2_creds[-1]['blob']
|
||||
|
||||
auth_data = self._make_auth_data_by_id(
|
||||
totp._generate_totp_passcode(secret), user_id=user_id)
|
||||
totp._generate_totp_passcodes(secret)[0], user_id=user_id)
|
||||
self.v3_create_token(auth_data,
|
||||
expected_status=http_client.UNAUTHORIZED)
|
||||
|
||||
|
@ -5443,7 +5533,7 @@ class TestAuthTOTP(test_v3.RestfulTestCase):
|
|||
self.useFixture(fixture.TimeFixture())
|
||||
|
||||
auth_data = self._make_auth_data_by_name(
|
||||
totp._generate_totp_passcode(secret),
|
||||
totp._generate_totp_passcodes(secret)[0],
|
||||
username=self.default_domain_user['name'],
|
||||
user_domain_id=self.default_domain_user['domain_id'])
|
||||
|
||||
|
@ -5451,7 +5541,7 @@ class TestAuthTOTP(test_v3.RestfulTestCase):
|
|||
|
||||
def test_generated_passcode_is_correct_format(self):
|
||||
secret = self._make_credentials('totp')[-1]['blob']
|
||||
passcode = totp._generate_totp_passcode(secret)
|
||||
passcode = totp._generate_totp_passcodes(secret)[0]
|
||||
reg = re.compile(r'^-?[0-9]+$')
|
||||
self.assertTrue(reg.match(passcode))
|
||||
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
features:
|
||||
- >
|
||||
[`bug 1839577 <https://bugs.launchpad.net/keystone/+bug/1839577>`_]
|
||||
TOTP now allows by default the code from the previous time window
|
||||
to be considered valid as part of auth. This can be disabled, or
|
||||
the extended up to ten previous windows.
|
Loading…
Reference in New Issue