Commit Graph

3087 Commits

Author SHA1 Message Date
Leo Hemsted
73a444b33a rename webauthn auth functions
_complete_webauthn_authentication -> _verify_webauthn_authentication

This function just does verification of the actual auth process -
checking the challenge is correct, the signature matches the public key
we have stored in our database, etc.

verify_webauthn_login -> _complete_webauthn_login_attempt

This function doesn't do any actual verification, we've already verified
the user is who they say they are (or not), it's about marking the
attempt, either unsuccessful (we bump the failed_login_count in the db)
or successful (we set the logged_in_at and current_session_id in the
db).

This change also informs changes to the names of methods on the user
model and in user_api_client.
2021-06-02 12:06:10 +01:00
Leo Hemsted
0ec92e8c2f DRY attested webauthn creds data 2021-06-02 12:06:10 +01:00
Leo Hemsted
e864100be7 make sure error message flashes work properly
flashes are consumed by the jinja template calling get_flashed_messages
in flash_messages.html.

When you call `abort(403)` the 403 error page is rendered, with the
flashed message on it. However, the webauthn endpoints just return that
page to the ajax `fetch`, which ignores the response and just reloads
the page.

Instead of calling abort, we can just return an empty response body and
the 403 error code, so that the flashed messages stay in the session and
will be rendered when the `GET /two-factor-webauthn` request happens
after the js reloads the page.
2021-06-02 12:06:09 +01:00
Leo Hemsted
a3870af87d allow password reset with webauthn login flow 2021-06-02 12:06:09 +01:00
Leo Hemsted
d05f127e41 return 200 to js instead of 302 when logging in
the js fetch function is really not designed to work with 302s. when it
receives a 302, it automatically follows it and fetches the next page.
This is awkward because I don't want js to do all this in ajax, I want
the browser to get the new URL so it can load the page.

A better approach is to view the admin endpoint as a more pure API: the
js sends a request for authentication to the admin app, and the admin
app responds with a 200 indicating success, and then a payload of
relevant data with that.

The relevant data in this case is "Which URL should I redirect to", it
might be the user's list of services page, or it might be a page telling
them that their email needs revalidating.
2021-06-02 11:51:12 +01:00
Leo Hemsted
c29f87f55d increment failed login count on unsuccesful webauthn login
this doesn't include timeouts or other errors on the browser side - the
main thing this catches is if the token doesn't belong to the user.
However I'm not entirely clear if that's something that will be caught
at this point, or if the browser would reject that key as it's not in
the credentials passed in to the begin_authentication process.
2021-06-02 11:51:11 +01:00
Leo Hemsted
92f78b14fe redirect on login; flash errors on failure
the js `fetch` function will follow redirects blindly and return you the
final 200 response. when there's an error, we don't want to go anywhere,
and we want to use the flask `flash` functionality to pop up an error
page (the likely reason for seeing this is using a yubikey that isn't
associated with your user). using `flash` and then
`window.location.reload()` handles this fine.

However, when the user does log in succesfully we need to properly log
them in - this includes:

* checking their account isn't over the max login count
* resetting failed login count to 0 if not
* setting a new session id in the database (so other browser windows are
  logged out)
* checking if they need to revalidate their email access (every 90 days)
* clearing old user out of the cache

This code all happens in the ajax function rather than being in a
separate redirect, so that you can't just navigate to the login flow. I
wasn't able to unit test that function due how it uses the session and
other flask globals, so moved the auth into its own function so it's
easy to stub out all that CBOR nonsense.

TODO: We still need to pass any `next` URLs through the chain from login
page all the way through the javascript AJAX calls and redirects to the
log_in_user function
2021-06-02 11:51:10 +01:00
Leo Hemsted
a753e32c8d only let platform admins with webauthn access the sign in pages 2021-06-01 19:08:58 +01:00
Leo Hemsted
c26a596839 allow sign in via webauthn credentials
The flow of the code is roughly as follows:

  user clicks button on webauthn page
  js sends GET request
  python reads GET request, sets up login challenge
  python returns login challenge in response
  js reads GET response, passes login challenge to browser
  browser asks user to touch yubikey
  browser returns yubikey challenge response data to js
  js sends POST request with yubikey challenge response data
  python reads yubikey challenge and compares with users creds from db
  if its a match, python signs user in

The login challenge is a PublicKeyCredentialRequestOptions: [1]
The browser function we call is navigator.credentials.get(): [2]
The response to the challenge from the browser is a PublicKeyCredential: [3]

The python server does all the work setting those up and tearing them
back down again (and checking them against the values we have stored in
the database), but we need to do work to convert them to-and-from CBOR.

[1] https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions
[2] https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/get
[3] https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential
2021-06-01 19:08:57 +01:00
Leo Hemsted
c203f624ca rename two_factor to two_factor_sms
it's a bit confusing now that there are three endpoints. the other two
are already renamed two_factor_email and two_factor_webauthn
2021-06-01 19:08:57 +01:00
Leo Hemsted
907a7dc363 create webauthn 2fa page
if user has `webauthn_auth` as their auth type, then redirect them to an
interstitial that prompts them to click on a button which right now just
logs to the JS console, but in a future commit will open up the webauthn
browser prompt

content is unsurprisingly not final.
2021-06-01 18:44:54 +01:00
Ben Thorner
68d923568c Merge pull request #3901 from alphagov/prevent-admin-auth-change
Prevent switching auth type for Platform Admins
2021-05-28 16:07:11 +01:00
Rebecca Law
24f4b3f3eb Merge pull request #3899 from alphagov/bump-utils-new-invalid-address-char
Bump utils version for new invalid address character
2021-05-27 13:53:38 +01:00
Rebecca Law
9a4b6de37d Bump utils version for new invalid address character 2021-05-27 13:04:46 +01:00
Ben Thorner
6d0d9d46f7 Prevent switching auth type for Platform Admins
This closes a security loophole, where the auth type of a Platform
Admin could be unwittingly changed when they accept an invite, or
by an admin of a service they are a member of.
2021-05-25 16:01:25 +01:00
Pea Tyczynska
a10304d9c6 Merge pull request #3892 from alphagov/update-remove-webauthn-cred
Let admin user update and delete their security key
2021-05-25 14:33:00 +01:00
Pea Tyczynska
04d1d97d4c Refactor loop to separate function and use user model
when getting a list of security keys

Also test separately that we are correctly choosing key out of list
of security keys. Previously we have done it as a part
of testing pages where where we were calling API to get a list
of keys, but then choosing one of those keys based on id.

Also remove redundant second test credential after PR review

Also remove redundant return value from mocks in update name tests
2021-05-25 14:17:58 +01:00
Pea Tyczynska
8501aa4ad6 Change name of the form and form field for consistency
Following PR review.

Also update function name for update name of security key in
user api client to be more specific.
2021-05-25 11:55:48 +01:00
Pea Tyczynska
724e345089 Do not call API if key name did not change
To avoid unnecessary calls to API.
2021-05-25 11:55:47 +01:00
Pea Tyczynska
a907f261a5 Catch last credential error from API
When we are unable to delete security key because it's the last
one for that user, API throws an error. Here we catch that error
and display useful message to the user.

Use security key instead of webauthn credential

in user facing message - for consistency and readability.

We use security key term in user facing stuff and webauthn
credential in the code.
2021-05-25 11:55:37 +01:00
Pea Tyczynska
a946ad6ec2 Let admin user delete their security key
Show confiem delete dialogue first to confirm if key should be deleted.
2021-05-25 11:40:42 +01:00
Pea Tyczynska
00c022eba5 Let admin user update their security key name 2021-05-25 11:40:41 +01:00
Pea Tyczynska
56eac279df Show manage security key page with name change form 2021-05-25 11:40:41 +01:00
Pea Tyczynska
c33465e7cf Add link and placeholder view for managing a security key 2021-05-25 11:40:33 +01:00
Chris Hill-Scott
2d2c82ca87 Merge pull request #3885 from alphagov/live-broadcast-tour
Add a version of the tour for live services
2021-05-24 10:58:45 +01:00
Chris Hill-Scott
5de1c4f6ca Redirect newly-created users to broadcast tour 2021-05-19 11:48:59 +01:00
Ben Thorner
03295eb828 Merge pull request #3889 from alphagov/webauthn-errors
Handle errors when registration fails
2021-05-19 11:22:05 +01:00
Chris Hill-Scott
766df5d1ca Add a version of the tour for live services
At the moment if you’re invited to a live broadcast service you get the
training mode tour. This is misleading, and could make people think they
weren’t in danger of sending a real alert.

This commit adds a short, 2 step tour for users invited to a live
broadcast service.
2021-05-19 09:41:58 +01:00
Chris Hill-Scott
8db280317f Rename helper method
This is ambiguous, as it's not used in a lot of the views.

There’s precendent for naming these kind of methods here:
06cc5b58c7/app/main/views/broadcast.py (L238)
2021-05-18 15:58:41 +01:00
Chris Hill-Scott
e2ef8cd36e Show error message if checkbox wasn’t checked
Because we were redirecting in all cases the error message wasn’t being
shown.

This commit changes the endpoint to respond with content (including an
error message) if the `POST` is not successful.
2021-05-18 15:58:41 +01:00
Chris Hill-Scott
7d66dadcd7 Add a confirmation checkbox for live broadcasts
We want people to be really sure before sending a live broadcast, not
just clicking through the green buttons.

This commit adds a checkbox which explains exactly the consequences of
what they’re about to do, tailored to the channel they’re on, and the
area chosen by the person creating the alert.
2021-05-18 15:58:41 +01:00
Ben Thorner
8502827afb Handle errors when registration fails
Previously we would raise a 500 error in a variety of cases:

- If a second key was being registered simultaneously (e.g. in a
separate tab), which means the registration state could be missing
after the first registration completes. That smells like an attack.

- If the server-side verification failed e.g. origin verification,
challenge verification, etc. The library seems to use 'ValueError'
for all such errors [1] (after auditing its 'raise' statements, and
excluding AttestationError [2], since we're not doing that).

- If a key is used that attempts to sign with an unsupported
algorithm. This would normally raise a NotImplemented error as part
of verifying attestation [3], but we don't do that, so we need to
verify the algorithm is supported by the library manually.

This adds error handling to return a 400 response and error message
in these cases, since the error is not unexpected (i.e. not a 500).
A 400 seems more appropriate than a 403, since in many cases it's
not clear if the request data is valid.

I've used CBOR for the transport encoding, to match the successful
request / response encoding. Note that the ordering of then/catch
matters in JS - we don't want to catch our own throws!

[1]: 142587b3e6/fido2/server.py (L255)
[2]: c42d9628a4/fido2/attestation/base.py (L39)
[3]: c42d9628a4/fido2/cose.py (L92)
2021-05-17 12:18:24 +01:00
Chris Hill-Scott
362189d562 Merge pull request #3879 from alphagov/add-government-channel
Add an option to set a service to the government channel for emergency alerts
2021-05-13 15:10:15 +01:00
Pea Tyczynska
714afff156 Merge pull request #3884 from alphagov/add-webauthn-as-auth-type
Add webauthn as an auth type
2021-05-13 14:32:03 +01:00
Ben Thorner
a7d7cb3421 Merge pull request #3878 from alphagov/register-security-key
Allow registering WebAuthn authenticators in memory
2021-05-13 12:43:16 +01:00
Ben Thorner
957dba4356 Avoid registering the same authenticator twice
This passes existing credentials in the server response, to allow
the browser to prevent re-registering the same key for the same
user. Registering the same key multiple times doesn't seem to be
an issue technically; the user has likely got their keys mixed up.

- Chrome says "you don't need to register it again".
- Safari exits with an InvalidStateError.
- Firefox exits with a DOMException.
2021-05-13 10:22:24 +01:00
Ben Thorner
e2cf3e2c70 Support registering a new authenticator
This adds Yubico's FIDO2 library and two APIs for working with the
"navigator.credentials.create()" function in JavaScript. The GET
API uses the library to generate options for the "create()" function,
and the POST API decodes and verifies the resulting credential. While
the options and response are dict-like, CBOR is necessary to encode
some of the byte-level values, which can't be represented in JSON.

Much of the code here is based on the Yubico library example [1][2].

Implementation notes:

- There are definitely better ways to alert the user about failure, but
window.alert() will do for the time being. Using location.reload() is
also a bit jarring if the page scrolls, but not a major issue.

- Ideally we would use window.fetch() to do AJAX calls, but we don't
have a polyfill for this, and we use $.ajax() elsewhere [3]. We need
to do a few weird tricks [6] to stop jQuery trashing the data.

- The FIDO2 server doesn't serve web requests; it's just a "server" in
the sense of WebAuthn terminology. It lives in its own module, since it
needs to be initialised with the app / config.

- $.ajax returns a promise-like object. Although we've used ".fail()"
elsewhere [3], I couldn't find a stub object that supports it, so I've
gone for ".catch()", and used a Promise stub object in tests.

- WebAuthn only works over HTTPS, but there's an exception for "localhost"
[4].  However, the library is a bit too strict [5], so we have to disable
origin verification to avoid needing HTTPS for dev work.

[1]: c42d9628a4/examples/server/server.py
[2]: c42d9628a4/examples/server/static/register.html
[3]: 91453d3639/app/assets/javascripts/updateContent.js (L33)
[4]: https://stackoverflow.com/questions/55971593/navigator-credentials-is-null-on-local-server
[5]: c42d9628a4/fido2/rpid.py (L69)
[6]: https://stackoverflow.com/questions/12394622/does-jquery-ajax-or-load-allow-for-responsetype-arraybuffer
2021-05-13 10:22:23 +01:00
Pea Tyczynska
2a756f90d4 Add webauth as an auth type
When showing what auth type user uses to sign in, add a text
for users with webauthn.

On password change or sign in, throw not implemented error
if user uses webauthn auth.
2021-05-12 17:40:31 +01:00
Chris Hill-Scott
e45bd485e8 Add conditional reveal to network selection
Rather than try to explain all/only just through words we can use some
interaction design to make the hierarchy of choices more explicit.
2021-05-12 16:22:44 +01:00
Chris Hill-Scott
a0f54539cc Add a second step for choosing networks
Only the test channel has the option to isolate messages to one network.

This commits makes the choices less confusing by only showing the
network choice to those who have selected the test channel.
2021-05-12 16:22:44 +01:00
Chris Hill-Scott
f640767f3d Add government channel
We have been asked to support the government channel so that:
- it can be tested
- the option to use it is available for the most severe of emergencies,
  where the public’s choice to opt-out is outweighed by the widespread
  risk to life
2021-05-12 16:22:43 +01:00
Chris Hill-Scott
ffd844b2a7 Add confirmation step to emergency alert settings
It feels quite dangerous that it’s just one click to make an emergency
alerts service live.

This commit adds a confirmation step which explains the consequences of
what you’re about to do.
2021-05-12 14:53:49 +01:00
Ben Thorner
ebb82b2e80 Add page for security keys with stubbed data
This adds a new platform admin settings row, leading a page which
shows any existing keys and allows a new one to be registered. Until
the APIs for this are implemented, the user API client just returns
some stubbed data for manual testing.

This also includes a basic JavaScript module to do the main work of
registering a new authenticator, to be implemented in the next commits.

Some more minor notes:

- Setting the headings in the mapping_table is necessary to get the
horizontal rule along the top (to match the design).

- Setting caption to False in the mapping_table is necessary to stop
an extra margin appearing at the top.
2021-05-12 13:41:53 +01:00
Katie Smith
f7036825df Stop checking for allowed_broadcast_provider being None
The current_service.allowed_broadcast_provider is now always "all" or
one of the four providers, which means we can simply the code by not
checking if it is None.
2021-05-11 12:20:03 +01:00
Katie Smith
3485475270 Allow provider_restriction to be None or "all"
Until all the data is updated to always be "all", we have to handle the
case of provider_restriction being set to None or "all" (which mean the
same thing).

The code can be tidied up once the broadcast provider_restriction is never None.
2021-05-10 16:18:14 +01:00
Katie Smith
2f9e2dbc9d Send api the broadcast provider restriction of 'all', not 'None'
We're replacing the value of None with the value of all. API has been
updated to accept both values
(1767535def)
so this change starts sending notifications-api the value of "all".
2021-05-10 16:18:14 +01:00
Rebecca Law
5495de0b3b Remove some of the option we have for broadcast services.
This is the first step in making the UI easier for setting the
options for a broadcast service. Here we remove the options for
"Training mode" test channels. When we create a broadcast message for a trail mode service it is marked as stubbed and does not create a broadcast event that is sent to a provider.

The label for the form and setting page have been updated to reflect the
change.
2021-05-05 14:04:51 +01:00
Pea Tyczynska
c55cc4574e Merge pull request #3854 from alphagov/admin-cancel-broadcast
Allow platform admins to cancel broadcasts.
2021-04-21 12:52:14 +01:00
Pea Tyczynska
002dd7485d Allow platform admins to cancel broadcasts.
Do not allow platform admins to:
- create broadcasts
- approve broadcasts
- reject broadcasts

that is, unless they have a send_messages permission
for a given service.

This is so platform admins have the minimum permissions necessary
to cancel a broadcast that might have been sent out accidentally.
2021-04-20 17:27:55 +01:00
Rebecca Law
007fa5fa19 Merge pull request #3855 from alphagov/set-annual_billing-in-the-api
Let the API handle setting the default free allowance.
2021-04-20 07:17:57 +01:00