@timabrmsn
Contributor

Implements support for MFA accounts.

When a profile for an MFA user is created, the user will see the message:

Multi-factor account detected. `--totp <token>` option will be required for all code42 invocations.

Then any commands that initialize the sdk will either require the `--totp <token>` option, or if the option isn't provided, the CLI will prompt for the token.

@github-actions

github-actions bot commented Apr 29, 2021

CLA Assistant Lite bot All contributors have signed the CLA ✍️

@alanag13
Contributor

Can/does that message also get printed when the user switches to that account using profile use?

@timabrmsn
Contributor Author

> Can/does that message also get printed when the user switches to that account using profile use?

It does not, as it only knows the user requires MFA when we validate the password. So I guess it also doesn't print if the user doesn't supply a password when creating the profile.

@alanag13
Contributor

Maybe we could validate upon switching too? Might be nice to know if your credentials are no longer good when you switch anyway.


If you choose not to store your password in the CLI, you must enter it for each command that requires a connection.

The Code42 CLI supports local accounts with MFA (multi-factor authentication) enabled. The Time-based One-Time
Contributor

It would be great to be able to login only once. We have a story for this, right? For storing the token and only prompting when it expires

Contributor Author

The tokens only last like 20 seconds, so it's not really going to help too much to store it. Or do you mean store the key that is used to generate the tokens in authenticator apps?

Contributor Author

Ohh, you mean the v3 token?

Contributor

Yes I meant the v3 token

c42profile.authority_url, c42profile.username, password, None
)
except Py42MFARequiredError:
echo(
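
Review bot: The bare `None` passed as the fourth positional argument on the first line does not say what it stands for; since the `except Py42MFARequiredError:` branch depends on that argument being absent, name it at the call site (keyword argument or a short comment) so the probe-without-token intent is visible. The `echo(` in the handler should also make clear to the user that the password itself was accepted and only the token is outstanding.
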
Contributor

Could we prompt at this point so that we can still validate?

Contributor Author

What do we need to validate? If we get the Py42MFARequired error, it means the password was correct but the token was missing.

except Py42UnauthorizedError as err:
logger.log_error(str(err))
raise Code42CLIError("Invalid credentials for user {}".format(username))
if "INVALID_TIME_BASED_ONE_TIME_PASSWORD" in err.response.text:
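
Review bot: The `if "INVALID_TIME_BASED_ONE_TIME_PASSWORD" in err.response.text:` test matches a substring anywhere in the raw response body, so a change in the server's error wording or format would silently send a bad token down the other branch and report it as something else. Prefer comparing against a parsed error field, or a dedicated exception type raised by the SDK, and keep a fallback branch that still reports invalid credentials when the marker is absent.
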
Contributor

This is fine for now but this seems like a common enough scenario that we should have a custom py42 error for this
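
The three outcomes discussed in the two review threads above (password accepted but token missing, token rejected, credentials rejected), as an added example that is not code from this PR or from py42. The exception classes, `server_login`, `cli_login`, the `USERS` record and the `INVALID_CREDENTIALS` text are hypothetical stand-ins, and the 30-second step is the RFC 6238 default, assumed here.

```python
import hashlib
import hmac
import struct

class MFARequiredError(Exception):
    """Stand-in for py42's Py42MFARequiredError (password OK, no token sent)."""

class UnauthorizedError(Exception):
    """Stand-in for Py42UnauthorizedError; .text mimics err.response.text."""
    def __init__(self, text):
        super().__init__(text)
        self.text = text

def totp(key, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): HOTP over the current time-step counter."""
    mac = hmac.new(key, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed account on a hypothetical server; the key is the RFC test-vector key.
USERS = {"alice": {"password": b"hunter2", "totp_key": b"12345678901234567890"}}

def server_login(user, password, token, now):
    acct = USERS.get(user)
    if acct is None or not hmac.compare_digest(acct["password"], password.encode()):
        raise UnauthorizedError("INVALID_CREDENTIALS")  # constructed error text
    if token is None:
        raise MFARequiredError()
    if not hmac.compare_digest(totp(acct["totp_key"], now).encode(), token.encode()):
        raise UnauthorizedError("INVALID_TIME_BASED_ONE_TIME_PASSWORD")
    return "session-ok"

def cli_login(user, password, token, now, prompt=None):
    """Map the three failure modes to distinct outcomes, prompting if allowed."""
    try:
        try:
            return server_login(user, password, token, now)
        except MFARequiredError:
            if prompt is None:
                return "mfa-required"
            return server_login(user, password, prompt(), now)
    except UnauthorizedError as err:
        if "INVALID_TIME_BASED_ONE_TIME_PASSWORD" in err.text:
            return "invalid-totp"
        return "invalid-credentials"
```

A code generated in one time step is rejected in the next, which is why caching the one-time code itself gains nothing, while a wrong password never reaches the token check at all.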

@timabrmsn timabrmsn merged commit 95195df into master May 18, 2021
@github-actions github-actions bot locked and limited conversation to collaborators May 18, 2021
@timabrmsn timabrmsn deleted the feature/2fa branch August 27, 2021 18:37