anoopmb
/
frappe
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37504 Commits
1 Branch
314 MiB
 
 
 
 
 
 
Tree: 5c8856d66e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '5c8856d66e'
${ noResults }
frappe/frappe/twofactor.py

419 lines
14 KiB
Raw Blame History 

  1. # Copyright (c) 2017, Frappe Technologies Pvt. Ltd. and Contributors

  2. # License: MIT. See LICENSE

  3. import frappe

  4. from frappe import _

  5. import pyotp, os

  6. from frappe.utils.background_jobs import enqueue

  7. from pyqrcode import create as qrcreate

  8. from io import BytesIO

  9. from base64 import b64encode, b32encode

  10. from frappe.utils import get_url, get_datetime, time_diff_in_seconds, cint

  11. 

  12. class ExpiredLoginException(Exception): pass

  13. 

  14. def toggle_two_factor_auth(state, roles=None):

  15. 	'''Enable or disable 2FA in site_config and roles'''

  16. 	for role in roles or []:

  17. 		role = frappe.get_doc('Role', {'role_name': role})

  18. 		role.two_factor_auth = cint(state)

  19. 		role.save(ignore_permissions=True)

  20. 

  21. def two_factor_is_enabled(user=None):

  22. 	'''Returns True if 2FA is enabled.'''

  23. 	enabled = int(frappe.db.get_value('System Settings', None, 'enable_two_factor_auth') or 0)

  24. 	if enabled:

  25. 		bypass_two_factor_auth = int(frappe.db.get_value('System Settings', None, 'bypass_2fa_for_retricted_ip_users') or 0)

  26. 		if bypass_two_factor_auth and user:

  27. 			user_doc = frappe.get_doc("User", user)

  28. 			restrict_ip_list = user_doc.get_restricted_ip_list() #can be None or one or more than one ip address

  29. 			if restrict_ip_list and frappe.local.request_ip:

  30. 				for ip in restrict_ip_list:

  31. 					if frappe.local.request_ip.startswith(ip):

  32. 						enabled = False

  33. 						break

  34. 

  35. 	if not user or not enabled:

  36. 		return enabled

  37. 	return two_factor_is_enabled_for_(user)

  38. 

  39. def should_run_2fa(user):

  40. 	'''Check if 2fa should run.'''

  41. 	return two_factor_is_enabled(user=user)

  42. 

  43. def get_cached_user_pass():

  44. 	'''Get user and password if set.'''

  45. 	user = pwd = None

  46. 	tmp_id = frappe.form_dict.get('tmp_id')

  47. 	if tmp_id:

  48. 		user = frappe.safe_decode(frappe.cache().get(tmp_id+'_usr'))

  49. 		pwd = frappe.safe_decode(frappe.cache().get(tmp_id+'_pwd'))

  50. 	return (user, pwd)

  51. 

  52. def authenticate_for_2factor(user):

  53. 	'''Authenticate two factor for enabled user before login.'''

  54. 	if frappe.form_dict.get('otp'):

  55. 		return

  56. 	otp_secret = get_otpsecret_for_(user)

  57. 	token = int(pyotp.TOTP(otp_secret).now())

  58. 	tmp_id = frappe.generate_hash(length=8)

  59. 	cache_2fa_data(user, token, otp_secret, tmp_id)

  60. 	verification_obj = get_verification_obj(user, token, otp_secret)

  61. 	# Save data in local

  62. 	frappe.local.response['verification'] = verification_obj

  63. 	frappe.local.response['tmp_id'] = tmp_id

  64. 

  65. def cache_2fa_data(user, token, otp_secret, tmp_id):

  66. 	'''Cache and set expiry for data.'''

  67. 	pwd = frappe.form_dict.get('pwd')

  68. 	verification_method = get_verification_method()

  69. 

  70. 	# set increased expiry time for SMS and Email

  71. 	if verification_method in ['SMS', 'Email']:

  72. 		expiry_time = frappe.flags.token_expiry or 300

  73. 		frappe.cache().set(tmp_id + '_token', token)

  74. 		frappe.cache().expire(tmp_id + '_token', expiry_time)

  75. 	else:

  76. 		expiry_time = frappe.flags.otp_expiry or 180

  77. 	for k, v in {'_usr': user, '_pwd': pwd, '_otp_secret': otp_secret}.items():

  78. 		frappe.cache().set("{0}{1}".format(tmp_id, k), v)

  79. 		frappe.cache().expire("{0}{1}".format(tmp_id, k), expiry_time)

  80. 

  81. def two_factor_is_enabled_for_(user):

  82. 	'''Check if 2factor is enabled for user.'''

  83. 	if user == "Administrator":

  84. 		return False

  85. 

  86. 	if isinstance(user, str):

  87. 		user = frappe.get_doc("User", user)

  88. 

  89. 	roles = [d.role for d in user.roles or []] + ["All"]

  90. 

  91. 	role_doctype = frappe.qb.DocType("Role")

  92. 	no_of_users = frappe.db.count(role_doctype, filters=

  93. 		((role_doctype.two_factor_auth == 1) & (role_doctype.name.isin(roles))),

  94. 	)

  95. 

  96. 	if int(no_of_users) > 0:

  97. 		return True

  98. 

  99. 	return False

  100. 

  101. 

  102. def get_otpsecret_for_(user):

  103. 	'''Set OTP Secret for user even if not set.'''

  104. 	otp_secret = frappe.db.get_default(user + '_otpsecret')

  105. 	if not otp_secret:

  106. 		otp_secret = b32encode(os.urandom(10)).decode('utf-8')

  107. 		frappe.db.set_default(user + '_otpsecret', otp_secret)

  108. 		frappe.db.commit()

  109. 	return otp_secret

  110. 

  111. def get_verification_method():

  112. 	return frappe.db.get_value('System Settings', None, 'two_factor_method')

  113. 

  114. def confirm_otp_token(login_manager, otp=None, tmp_id=None):

  115. 	'''Confirm otp matches.'''

  116. 	from frappe.auth import get_login_attempt_tracker

  117. 	if not otp:

  118. 		otp = frappe.form_dict.get('otp')

  119. 	if not otp:

  120. 		if two_factor_is_enabled_for_(login_manager.user):

  121. 			return False

  122. 		return True

  123. 	if not tmp_id:

  124. 		tmp_id = frappe.form_dict.get('tmp_id')

  125. 	hotp_token = frappe.cache().get(tmp_id + '_token')

  126. 	otp_secret = frappe.cache().get(tmp_id + '_otp_secret')

  127. 	if not otp_secret:

  128. 		raise ExpiredLoginException(_('Login session expired, refresh page to retry'))

  129. 

  130. 	tracker = get_login_attempt_tracker(login_manager.user)

  131. 

  132. 	hotp = pyotp.HOTP(otp_secret)

  133. 	if hotp_token:

  134. 		if hotp.verify(otp, int(hotp_token)):

  135. 			frappe.cache().delete(tmp_id + '_token')

  136. 			tracker.add_success_attempt()

  137. 			return True

  138. 		else:

  139. 			tracker.add_failure_attempt()

  140. 			login_manager.fail(_('Incorrect Verification code'), login_manager.user)

  141. 

  142. 	totp = pyotp.TOTP(otp_secret)

  143. 	if totp.verify(otp):

  144. 		# show qr code only once

  145. 		if not frappe.db.get_default(login_manager.user + '_otplogin'):

  146. 			frappe.db.set_default(login_manager.user + '_otplogin', 1)

  147. 			delete_qrimage(login_manager.user)

  148. 		tracker.add_success_attempt()

  149. 		return True

  150. 	else:

  151. 		tracker.add_failure_attempt()

  152. 		login_manager.fail(_('Incorrect Verification code'), login_manager.user)

  153. 

  154. 

  155. def get_verification_obj(user, token, otp_secret):

  156. 	otp_issuer = frappe.db.get_value('System Settings', 'System Settings', 'otp_issuer_name')

  157. 	verification_method = get_verification_method()

  158. 	verification_obj = None

  159. 	if verification_method == 'SMS':

  160. 		verification_obj = process_2fa_for_sms(user, token, otp_secret)

  161. 	elif verification_method == 'OTP App':

  162. 		#check if this if the first time that the user is trying to login. If so, send an email

  163. 		if not frappe.db.get_default(user + '_otplogin'):

  164. 			verification_obj = process_2fa_for_email(user, token, otp_secret, otp_issuer, method='OTP App')

  165. 		else:

  166. 			verification_obj = process_2fa_for_otp_app(user, otp_secret, otp_issuer)

  167. 	elif verification_method == 'Email':

  168. 		verification_obj = process_2fa_for_email(user, token, otp_secret, otp_issuer)

  169. 	return verification_obj

  170. 

  171. def process_2fa_for_sms(user, token, otp_secret):

  172. 	'''Process sms method for 2fa.'''

  173. 	phone = frappe.db.get_value('User', user, ['phone', 'mobile_no'], as_dict=1)

  174. 	phone = phone.mobile_no or phone.phone

  175. 	status = send_token_via_sms(otp_secret, token=token, phone_no=phone)

  176. 	verification_obj = {

  177. 		'token_delivery': status,

  178. 		'prompt': status and 'Enter verification code sent to {}'.format(phone[:4] + '******' + phone[-3:]),

  179. 		'method': 'SMS',

  180. 		'setup': status

  181. 	}

  182. 	return verification_obj

  183. 

  184. def process_2fa_for_otp_app(user, otp_secret, otp_issuer):

  185. 	'''Process OTP App method for 2fa.'''

  186. 	totp_uri = pyotp.TOTP(otp_secret).provisioning_uri(user, issuer_name=otp_issuer)

  187. 	if frappe.db.get_default(user + '_otplogin'):

  188. 		otp_setup_completed = True

  189. 	else:

  190. 		otp_setup_completed = False

  191. 

  192. 	verification_obj = {

  193. 		'method': 'OTP App',

  194. 		'setup': otp_setup_completed

  195. 	}

  196. 	return verification_obj

  197. 

  198. def process_2fa_for_email(user, token, otp_secret, otp_issuer, method='Email'):

  199. 	'''Process Email method for 2fa.'''

  200. 	subject = None

  201. 	message = None

  202. 	status = True

  203. 	prompt = ''

  204. 	if method == 'OTP App' and not frappe.db.get_default(user + '_otplogin'):

  205. 		'''Sending one-time email for OTP App'''

  206. 		totp_uri = pyotp.TOTP(otp_secret).provisioning_uri(user, issuer_name=otp_issuer)

  207. 		qrcode_link = get_link_for_qrcode(user, totp_uri)

  208. 		message = get_email_body_for_qr_code({'qrcode_link': qrcode_link})

  209. 		subject = get_email_subject_for_qr_code({'qrcode_link': qrcode_link})

  210. 		prompt = _('Please check your registered email address for instructions on how to proceed. Do not close this window as you will have to return to it.')

  211. 	else:

  212. 		'''Sending email verification'''

  213. 		prompt = _('Verification code has been sent to your registered email address.')

  214. 	status = send_token_via_email(user, token, otp_secret, otp_issuer, subject=subject, message=message)

  215. 	verification_obj = {

  216. 		'token_delivery': status,

  217. 		'prompt': status and prompt,

  218. 		'method': 'Email',

  219. 		'setup': status

  220. 	}

  221. 	return verification_obj

  222. 

  223. def get_email_subject_for_2fa(kwargs_dict):

  224. 	'''Get email subject for 2fa.'''

  225. 	subject_template = _('Login Verification Code from {}').format(frappe.db.get_value('System Settings', 'System Settings', 'otp_issuer_name'))

  226. 	subject = frappe.render_template(subject_template, kwargs_dict)

  227. 	return subject

  228. 

  229. def get_email_body_for_2fa(kwargs_dict):

  230. 	'''Get email body for 2fa.'''

  231. 	body_template = """

  232. 		Enter this code to complete your login:

  233. 		<br><br>

  234. 		<b style="font-size: 18px;">{{ otp }}</b>

  235. 	"""

  236. 	body = frappe.render_template(body_template, kwargs_dict)

  237. 	return body

  238. 

  239. def get_email_subject_for_qr_code(kwargs_dict):

  240. 	'''Get QRCode email subject.'''

  241. 	subject_template = _('One Time Password (OTP) Registration Code from {}').format(frappe.db.get_value('System Settings', 'System Settings', 'otp_issuer_name'))

  242. 	subject = frappe.render_template(subject_template, kwargs_dict)

  243. 	return subject

  244. 

  245. def get_email_body_for_qr_code(kwargs_dict):

  246. 	'''Get QRCode email body.'''

  247. 	body_template = 'Please click on the following link and follow the instructions on the page.<br><br> {{qrcode_link}}'

  248. 	body = frappe.render_template(body_template, kwargs_dict)

  249. 	return body

  250. 

  251. def get_link_for_qrcode(user, totp_uri):

  252. 	'''Get link to temporary page showing QRCode.'''

  253. 	key = frappe.generate_hash(length=20)

  254. 	key_user = "{}_user".format(key)

  255. 	key_uri = "{}_uri".format(key)

  256. 	lifespan = int(frappe.db.get_value('System Settings', 'System Settings', 'lifespan_qrcode_image')) or 240

  257. 	frappe.cache().set_value(key_uri, totp_uri, expires_in_sec=lifespan)

  258. 	frappe.cache().set_value(key_user, user, expires_in_sec=lifespan)

  259. 	return get_url('/qrcode?k={}'.format(key))

  260. 

  261. def send_token_via_sms(otpsecret, token=None, phone_no=None):

  262. 	'''Send token as sms to user.'''

  263. 	try:

  264. 		from frappe.core.doctype.sms_settings.sms_settings import send_request

  265. 	except:

  266. 		return False

  267. 

  268. 	if not phone_no:

  269. 		return False

  270. 

  271. 	ss = frappe.get_doc('SMS Settings', 'SMS Settings')

  272. 	if not ss.sms_gateway_url:

  273. 		return False

  274. 

  275. 	hotp = pyotp.HOTP(otpsecret)

  276. 	args = {

  277. 		ss.message_parameter: 'Your verification code is {}'.format(hotp.at(int(token)))

  278. 	}

  279. 

  280. 	for d in ss.get("parameters"):

  281. 		args[d.parameter] = d.value

  282. 

  283. 	args[ss.receiver_parameter] = phone_no

  284. 

  285. 	sms_args = {

  286. 		'params': args,

  287. 		'gateway_url': ss.sms_gateway_url,

  288. 		'use_post': ss.use_post

  289. 	}

  290. 	enqueue(method=send_request, queue='short', timeout=300, event=None,

  291. 		is_async=True, job_name=None, now=False, **sms_args)

  292. 	return True

  293. 

  294. def send_token_via_email(user, token, otp_secret, otp_issuer, subject=None, message=None):

  295. 	'''Send token to user as email.'''

  296. 	user_email = frappe.db.get_value('User', user, 'email')

  297. 	if not user_email:

  298. 		return False

  299. 	hotp = pyotp.HOTP(otp_secret)

  300. 	otp = hotp.at(int(token))

  301. 	template_args = {'otp': otp, 'otp_issuer': otp_issuer}

  302. 	if not subject:

  303. 		subject = get_email_subject_for_2fa(template_args)

  304. 	if not message:

  305. 		message = get_email_body_for_2fa(template_args)

  306. 

  307. 	email_args = {

  308. 		'recipients': user_email,

  309. 		'sender': None,

  310. 		'subject': subject,

  311. 		'message': message,

  312. 		'header': [_('Verfication Code'), 'blue'],

  313. 		'delayed': False,

  314. 		'retry':3

  315. 	}

  316. 

  317. 	enqueue(method=frappe.sendmail, queue='short', timeout=300, event=None,

  318. 		is_async=True, job_name=None, now=False, **email_args)

  319. 	return True

  320. 

  321. def get_qr_svg_code(totp_uri):

  322. 	'''Get SVG code to display Qrcode for OTP.'''

  323. 	url = qrcreate(totp_uri)

  324. 	svg = ''

  325. 	stream = BytesIO()

  326. 	try:

  327. 		url.svg(stream, scale=4, background="#eee", module_color="#222")

  328. 		svg = stream.getvalue().decode().replace('\n', '')

  329. 		svg = b64encode(svg.encode())

  330. 	finally:

  331. 		stream.close()

  332. 	return svg

  333. 

  334. def qrcode_as_png(user, totp_uri):

  335. 	'''Save temporary Qrcode to server.'''

  336. 	folder = create_barcode_folder()

  337. 	png_file_name = '{}.png'.format(frappe.generate_hash(length=20))

  338. 	_file = frappe.get_doc({

  339. 		"doctype": "File",

  340. 		"file_name": png_file_name,

  341. 		"attached_to_doctype": 'User',

  342. 		"attached_to_name": user,

  343. 		"folder": folder,

  344. 		"content": png_file_name})

  345. 	_file.save()

  346. 	frappe.db.commit()

  347. 	file_url = get_url(_file.file_url)

  348. 	file_path = os.path.join(frappe.get_site_path('public', 'files'), _file.file_name)

  349. 	url = qrcreate(totp_uri)

  350. 	with open(file_path, 'w') as png_file:

  351. 		url.png(png_file, scale=8, module_color=[0, 0, 0, 180], background=[0xff, 0xff, 0xcc])

  352. 	return file_url

  353. 

  354. def create_barcode_folder():

  355. 	'''Get Barcodes folder.'''

  356. 	folder_name = 'Barcodes'

  357. 	folder = frappe.db.exists('File', {'file_name': folder_name})

  358. 	if folder:

  359. 		return folder

  360. 	folder = frappe.get_doc({

  361. 			'doctype': 'File',

  362. 			'file_name': folder_name,

  363. 			'is_folder':1,

  364. 			'folder': 'Home'

  365. 		})

  366. 	folder.insert(ignore_permissions=True)

  367. 	return folder.name

  368. 

  369. def delete_qrimage(user, check_expiry=False):

  370. 	'''Delete Qrimage when user logs in.'''

  371. 	user_barcodes = frappe.get_all('File', {'attached_to_doctype': 'User',

  372. 		'attached_to_name': user, 'folder': 'Home/Barcodes'})

  373. 

  374. 	for barcode in user_barcodes:

  375. 		if check_expiry and not should_remove_barcode_image(barcode):

  376. 			continue

  377. 		barcode = frappe.get_doc('File', barcode.name)

  378. 		frappe.delete_doc('File', barcode.name, ignore_permissions=True)

  379. 

  380. def delete_all_barcodes_for_users():

  381. 	'''Task to delete all barcodes for user.'''

  382. 

  383. 	users = frappe.get_all('User', {'enabled':1})

  384. 	for user in users:

  385. 		if not two_factor_is_enabled(user=user.name):

  386. 			continue

  387. 		delete_qrimage(user.name, check_expiry=True)

  388. 

  389. def should_remove_barcode_image(barcode):

  390. 	'''Check if it's time to delete barcode image from server. '''

  391. 	if isinstance(barcode, str):

  392. 		barcode = frappe.get_doc('File', barcode)

  393. 	lifespan = frappe.db.get_value('System Settings', 'System Settings', 'lifespan_qrcode_image') or 240

  394. 	if time_diff_in_seconds(get_datetime(), barcode.creation) > int(lifespan):

  395. 		return True

  396. 	return False

  397. 

  398. def disable():

  399. 	frappe.db.set_value('System Settings', None, 'enable_two_factor_auth', 0)

  400. 

  401. @frappe.whitelist()

  402. def reset_otp_secret(user):

  403. 	otp_issuer = frappe.db.get_value('System Settings', 'System Settings', 'otp_issuer_name')

  404. 	user_email = frappe.db.get_value('User', user, 'email')

  405. 	if frappe.session.user in ["Administrator", user] :

  406. 		frappe.defaults.clear_default(user + '_otplogin')

  407. 		frappe.defaults.clear_default(user + '_otpsecret')

  408. 		email_args = {

  409. 			'recipients': user_email,

  410. 			'sender': None,

  411. 			'subject': _('OTP Secret Reset - {0}').format(otp_issuer or "Frappe Framework"),

  412. 			'message': _('<p>Your OTP secret on {0} has been reset. If you did not perform this reset and did not request it, please contact your System Administrator immediately.</p>').format(otp_issuer or "Frappe Framework"),

  413. 			'delayed':False,

  414. 			'retry':3

  415. 		}

  416. 		enqueue(method=frappe.sendmail, queue='short', timeout=300, event=None, is_async=True, job_name=None, now=False, **email_args)

  417. 		return frappe.msgprint(_("OTP Secret has been reset. Re-registration will be required on next login."))

  418. 	else:

  419. 		return frappe.throw(_("OTP secret can only be reset by the Administrator."))