Commit Graph

12517 Commits

Author SHA1 Message Date
Ben Thorner
957dba4356 Avoid registering the same authenticator twice
This passes existing credentials in the server response, to allow
the browser to prevent re-registering the same key for the same
user. Registering the same key multiple times doesn't seem to be
an issue technically; the user has likely got their keys mixed up.

- Chrome says "you don't need to register it again".
- Safari exits with an InvalidStateError.
- Firefox exits with a DOMException.
2021-05-13 10:22:24 +01:00
Ben Thorner
e2cf3e2c70 Support registering a new authenticator
This adds Yubico's FIDO2 library and two APIs for working with the
"navigator.credentials.create()" function in JavaScript. The GET
API uses the library to generate options for the "create()" function,
and the POST API decodes and verifies the resulting credential. While
the options and response are dict-like, CBOR is necessary to encode
some of the byte-level values, which can't be represented in JSON.

Much of the code here is based on the Yubico library example [1][2].

Implementation notes:

- There are definitely better ways to alert the user about failure, but
window.alert() will do for the time being. Using location.reload() is
also a bit jarring if the page scrolls, but not a major issue.

- Ideally we would use window.fetch() to do AJAX calls, but we don't
have a polyfill for this, and we use $.ajax() elsewhere [3]. We need
to do a few weird tricks [6] to stop jQuery trashing the data.

- The FIDO2 server doesn't serve web requests; it's just a "server" in
the sense of WebAuthn terminology. It lives in its own module, since it
needs to be initialised with the app / config.

- $.ajax returns a promise-like object. Although we've used ".fail()"
elsewhere [3], I couldn't find a stub object that supports it, so I've
gone for ".catch()", and used a Promise stub object in tests.

- WebAuthn only works over HTTPS, but there's an exception for "localhost"
[4].  However, the library is a bit too strict [5], so we have to disable
origin verification to avoid needing HTTPS for dev work.

[1]: c42d9628a4/examples/server/server.py
[2]: c42d9628a4/examples/server/static/register.html
[3]: 91453d3639/app/assets/javascripts/updateContent.js (L33)
[4]: https://stackoverflow.com/questions/55971593/navigator-credentials-is-null-on-local-server
[5]: c42d9628a4/fido2/rpid.py (L69)
[6]: https://stackoverflow.com/questions/12394622/does-jquery-ajax-or-load-allow-for-responsetype-arraybuffer
2021-05-13 10:22:23 +01:00
Pea Tyczynska
2a756f90d4 Add webauth as an auth type
When showing what auth type user uses to sign in, add a text
for users with webauthn.

On password change or sign in, throw not implemented error
if user uses webauthn auth.
2021-05-12 17:40:31 +01:00
Chris Hill-Scott
ad0b7537de Make the government channel visually distinct
It’s really serious, so this sets it apart from the other live channels.
2021-05-12 16:22:45 +01:00
Chris Hill-Scott
d38f44ec69 Be explicit that ‘test’ goes out on real networks
Adding ‘all networks’ whenever we mention the using the test channel
without a restriction to a single network should help reinforce that
this sends real alerts.
2021-05-12 16:22:45 +01:00
Chris Hill-Scott
e45bd485e8 Add conditional reveal to network selection
Rather than try to explain all/only just through words we can use some
interaction design to make the hierarchy of choices more explicit.
2021-05-12 16:22:44 +01:00
Chris Hill-Scott
d720b0e47a Rename cell broadcasts
‘Emergency alerts’ is the confirmed name of the service now.
2021-05-12 16:22:44 +01:00
Chris Hill-Scott
a0f54539cc Add a second step for choosing networks
Only the test channel has the option to isolate messages to one network.

This commits makes the choices less confusing by only showing the
network choice to those who have selected the test channel.
2021-05-12 16:22:44 +01:00
Chris Hill-Scott
f640767f3d Add government channel
We have been asked to support the government channel so that:
- it can be tested
- the option to use it is available for the most severe of emergencies,
  where the public’s choice to opt-out is outweighed by the widespread
  risk to life
2021-05-12 16:22:43 +01:00
Chris Hill-Scott
ffd844b2a7 Add confirmation step to emergency alert settings
It feels quite dangerous that it’s just one click to make an emergency
alerts service live.

This commit adds a confirmation step which explains the consequences of
what you’re about to do.
2021-05-12 14:53:49 +01:00
Ben Thorner
ebb82b2e80 Add page for security keys with stubbed data
This adds a new platform admin settings row, leading a page which
shows any existing keys and allows a new one to be registered. Until
the APIs for this are implemented, the user API client just returns
some stubbed data for manual testing.

This also includes a basic JavaScript module to do the main work of
registering a new authenticator, to be implemented in the next commits.

Some more minor notes:

- Setting the headings in the mapping_table is necessary to get the
horizontal rule along the top (to match the design).

- Setting caption to False in the mapping_table is necessary to stop
an extra margin appearing at the top.
2021-05-12 13:41:53 +01:00
Ben Thorner
78824f54fd Merge pull request #3880 from alphagov/small-follow-up-tweaks
Minor follow-up tweaks from #3878
2021-05-12 09:11:01 +01:00
Ben Thorner
9f9751adbf Tweak layout for dependencies section
This matches what we have in other repos [1][2].

[1]: https://github.com/alphagov/notifications-antivirus#to-update-application-dependencies
[2]: https://github.com/alphagov/notifications-api#to-update-application-dependencies
2021-05-11 18:22:11 +01:00
Ben Thorner
d15143606e Rewrite and expand docs on auto-JS scripts
This adds a note about automatically re-running JavaScript tests.
I've moved and rewritten the old content about re-building JS code
to match the new style.
2021-05-11 18:20:40 +01:00
Ben Thorner
d395d614b9 Use ID for row to avoid guessing position
This makes it easier to add / test other rows in future.
2021-05-11 17:53:36 +01:00
Katie Smith
389f98f63c Merge pull request #3877 from alphagov/no-none-providers
Stop checking for allowed_broadcast_provider being None
2021-05-11 16:40:22 +01:00
Chris Hill-Scott
2fba8e02c5 Merge pull request #3868 from alphagov/add-another-test-area
Add another area to the library of test polygons
2021-05-11 15:47:01 +01:00
Katie Smith
f7036825df Stop checking for allowed_broadcast_provider being None
The current_service.allowed_broadcast_provider is now always "all" or
one of the four providers, which means we can simply the code by not
checking if it is None.
2021-05-11 12:20:03 +01:00
Katie Smith
91453d3639 Merge pull request #3873 from alphagov/allowed-broadcast-provider-value
Start changing broadcast_provider value from None to "all"
2021-05-11 11:54:15 +01:00
Chris Hill-Scott
320c3553ae Merge pull request #3875 from alphagov/revert-3872-dependabot/pip/eventlet-0.31.0
Revert "Bump eventlet from 0.30.2 to 0.31.0"
2021-05-10 17:23:29 +01:00
Chris Hill-Scott
98847742d3 Stop pyup complaining
The apps won’t start with Eventlet 0.31.0

But Pyup complains when we try to downgrade
2021-05-10 17:06:10 +01:00
Chris Hill-Scott
9566bae96a Revert "Bump eventlet from 0.30.2 to 0.31.0" 2021-05-10 16:45:51 +01:00
Katie Smith
3485475270 Allow provider_restriction to be None or "all"
Until all the data is updated to always be "all", we have to handle the
case of provider_restriction being set to None or "all" (which mean the
same thing).

The code can be tidied up once the broadcast provider_restriction is never None.
2021-05-10 16:18:14 +01:00
Katie Smith
2f9e2dbc9d Send api the broadcast provider restriction of 'all', not 'None'
We're replacing the value of None with the value of all. API has been
updated to accept both values
(1767535def)
so this change starts sending notifications-api the value of "all".
2021-05-10 16:18:14 +01:00
Chris Hill-Scott
c9611e1cf7 Add another area to the library of test polygons 2021-05-10 16:09:02 +01:00
Chris Hill-Scott
a270d631e7 Merge pull request #3872 from alphagov/dependabot/pip/eventlet-0.31.0
Bump eventlet from 0.30.2 to 0.31.0
2021-05-10 16:06:45 +01:00
dependabot[bot]
3ad9e1ac6a Bump eventlet from 0.30.2 to 0.31.0
Bumps [eventlet](https://github.com/eventlet/eventlet) from 0.30.2 to 0.31.0.
- [Release notes](https://github.com/eventlet/eventlet/releases)
- [Changelog](https://github.com/eventlet/eventlet/blob/master/NEWS)
- [Commits](https://github.com/eventlet/eventlet/compare/v0.30.2...v0.31.0)

Signed-off-by: dependabot[bot] <support@github.com>
2021-05-08 16:57:07 +00:00
Rebecca Law
e7d6eebdfe Merge pull request #3871 from alphagov/remove-training-mode-test-channels
Remove some of the option we have for broadcast services.
2021-05-06 15:05:29 +01:00
Rebecca Law
cf160c3ae1 Update labels
Use more suscinct labels for the service settings page
2021-05-06 07:29:21 +01:00
Rebecca Law
5495de0b3b Remove some of the option we have for broadcast services.
This is the first step in making the UI easier for setting the
options for a broadcast service. Here we remove the options for
"Training mode" test channels. When we create a broadcast message for a trail mode service it is marked as stubbed and does not create a broadcast event that is sent to a provider.

The label for the form and setting page have been updated to reflect the
change.
2021-05-05 14:04:51 +01:00
Ben Thorner
bfc55b45ca Merge pull request #3863 from alphagov/show-suspended
Show service suspension in breadcrumb
2021-04-28 14:59:56 +01:00
Ben Thorner
b43eb3a591 Show service suspension in breadcrumb
Previously there was no indication that a service was suspended.
While this could also be shown for archived/deleted services, the
meaning is similar enough that it makes sense there too - the name
of the archived service should distinguish it as being archived.
2021-04-27 11:15:13 +01:00
karlchillmaid
c7840496d3 Merge pull request #3866 from alphagov/fix-typo
Fix apostrophe
2021-04-26 14:00:12 +01:00
karlchillmaid
487452b390 Fix apostrophe 2021-04-26 13:38:11 +01:00
Rebecca Law
7563cd79b8 Merge pull request #3865 from alphagov/update-allowances
Update pricing information on the features page
2021-04-22 13:36:17 +01:00
karlchillmaid
e78c10fc40 Remove details of allowance and pricing 2021-04-22 13:27:22 +01:00
karlchillmaid
029a6ec3b5 Update text message cost and rates
Update text message cost and rates on the features page
2021-04-22 13:25:40 +01:00
Pea Tyczynska
c55cc4574e Merge pull request #3854 from alphagov/admin-cancel-broadcast
Allow platform admins to cancel broadcasts.
2021-04-21 12:52:14 +01:00
karlchillmaid
bda66245a8 Merge pull request #3864 from alphagov/update-email-status-content
Update email status description
2021-04-20 17:40:04 +01:00
karlchillmaid
652f3f8065 Update {{ text_field(charge | safe) }} 2021-04-20 17:31:08 +01:00
karlchillmaid
94d71ca330 Update app/templates/views/message-status.html
Co-authored-by: Katie Smith <klssmith@users.noreply.github.com>
2021-04-20 17:30:03 +01:00
Pea Tyczynska
d77ec8a5ca Test that user without permission cannot reject broadcast 2021-04-20 17:27:56 +01:00
Pea Tyczynska
28378fdd3d Test that user without permission cannot accept broadcast
Also fix incorrect docstring.
2021-04-20 17:27:56 +01:00
Pea Tyczynska
6999d3bceb Refactor platform admin user fixtures
To make the code more DRY
2021-04-20 17:27:56 +01:00
Pea Tyczynska
0c0d9dd72f Admins won't see buttons for broadcast actions they can't do
These actions are creating, accepting and rejecting broadcasts.
2021-04-20 17:27:56 +01:00
Pea Tyczynska
002dd7485d Allow platform admins to cancel broadcasts.
Do not allow platform admins to:
- create broadcasts
- approve broadcasts
- reject broadcasts

that is, unless they have a send_messages permission
for a given service.

This is so platform admins have the minimum permissions necessary
to cancel a broadcast that might have been sent out accidentally.
2021-04-20 17:27:55 +01:00
karlchillmaid
6782f6770b Fix error 2021-04-20 16:41:51 +01:00
karlchillmaid
0fe60c3bd8 Update content 2021-04-20 15:51:12 +01:00
karlchillmaid
77f17db9dc Update email status description
Update email status description for ‘Inbox not accepting messages right now’
2021-04-20 15:46:16 +01:00
Rebecca Law
007fa5fa19 Merge pull request #3855 from alphagov/set-annual_billing-in-the-api
Let the API handle setting the default free allowance.
2021-04-20 07:17:57 +01:00