Improvements in two factor API

ging · May 5, 2016 · 086105f · 086105f
1 parent 3f7d45f
commit 086105f
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 8 deletions.
diff --git a/keystone/contrib/two_factor_auth/backends/sql.py b/keystone/contrib/two_factor_auth/backends/sql.py
@@ -86,13 +86,13 @@ def get_two_factor_info(self, user_id):
         else:
             return twofactor
 
-    def check_security_question(self, user_id, two_factor_auth):
+    def check_security_question(self, user_id, sec_answer):
         session = sql.get_session()
         twofactor = session.query(TwoFactor).get(user_id)
         if twofactor is None:
             raise exception.NotFound(_('Two Factor Authentication is not enabled for user %s.' % user_id))
         else:
-            return utils.check_security_answer(two_factor_auth['security_answer'],
+            return utils.check_security_answer(sec_answer,
                                                                twofactor.security_answer)
 
     def save_device(self, device_id, device_token, user_id):

diff --git a/keystone/contrib/two_factor_auth/controllers.py b/keystone/contrib/two_factor_auth/controllers.py
@@ -84,10 +84,17 @@ def disable_two_factor_auth(self, context, user_id):
         return self.two_factor_auth_api.delete_two_factor_key(user_id)
 
     @controller.protected()
-    def check_security_question(self, context, user_id, two_factor_auth):
+    def check_security_question(self, context, user_id):
         """Checks whether the provided answer is correct"""
 
-        return self.two_factor_auth_api.check_security_question(user_id, two_factor_auth)
+        sec_answer = context['query_string'].get('sec_answer')
+
+        if not sec_answer:
+            raise exception.ValidationError(
+                    attribute='sec_answer',
+                    target='query string')
+
+        return self.two_factor_auth_api.check_security_question(user_id, sec_answer)
 
     @controller.protected()
     def get_two_factor_data(self, context, user_id):
@@ -103,6 +110,11 @@ def remember_device(self, context):
         device_id = context['query_string'].get('device_id', None)
         device_token = context['query_string'].get('device_token', None)
 
+        if device_id and not device_token:
+            raise exception.ValidationError(
+                    attribute='device_token',
+                    target='query string')
+
         device_data = self.two_factor_auth_api.remember_device(user_id=self._get_user_id_from_context(context),
                                                                device_id=device_id,
                                                                device_token=device_token)
@@ -115,6 +127,11 @@ def check_for_device(self, context):
         device_id = context['query_string'].get('device_id')
         device_token = context['query_string'].get('device_token')
 
+        if not device_id or not device_token:
+            raise exception.ValidationError(
+                    attribute='device_id and device_token',
+                    target='query string')
+
         self.two_factor_auth_api.check_for_device(device_id=device_id,
                                                   device_token=device_token,
                                                   user_id=self._get_user_id_from_context(context))

diff --git a/keystone/contrib/two_factor_auth/core.py b/keystone/contrib/two_factor_auth/core.py
@@ -90,11 +90,11 @@ def is_two_factor_enabled(self, user_id):
         if not self.driver.is_two_factor_enabled(user_id):
             raise exception.NotFound(_('Two Factor Authentication is not enabled for user %s.' %user_id))
 
-    def check_security_question(self, user_id, two_factor_auth):
+    def check_security_question(self, user_id, sec_answer):
         """Checks if the provided security answer is correct"""
 
         user = self.identity_api.get_user(user_id) # check if user exists
-        if not self.driver.check_security_question(user_id, two_factor_auth):
+        if not self.driver.check_security_question(user_id, sec_answer):
             raise exception.Unauthorized(_('Security answer is not correct.'))
 
     def get_two_factor_data(self, user_id):
@@ -196,7 +196,7 @@ def get_two_factor_info(self, user_id):
         raise exception.NotImplemented()
 
     @abc.abstractmethod
-    def check_security_question(self, user_id, two_factor_auth):
+    def check_security_question(self, user_id, sec_answer):
         """Checks whether the provided answer is correct.
 
         :param user_id: user ID

diff --git a/keystone/contrib/two_factor_auth/routers.py b/keystone/contrib/two_factor_auth/routers.py
@@ -38,7 +38,7 @@ class TwoFactorExtension(wsgi.V3ExtensionRouter):
 
       # get non-sensitive data and check security question
       GET /users/{user_id}/OS-TWO-FACTOR/two_factor_data
-      HEAD /users/{user_id}/OS-TWO-FACTOR/sec_question #check security question
+      HEAD /users/{user_id}/OS-TWO-FACTOR/sec_question?sec_answer={sec_answer} #check security question
 
       # remember device functionality
       POST /OS-TWO-FACTOR/devices?user_id={user_id}&user_name={user_name}&domain_name={domain_name}&device_id={device_id}&device_token={device_token}