Topt enrollment backend procedure #2651
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CDimonaco
added
enhancement
arbulu89
approved these changes
May 27, 2024
There was a problem hiding this comment.
Great @CDimonaco
I left some comments to try to "unify" some terms with my PR.
Let's discuss here, merge this first so I can adapt the other PR.
Good job
lib/trento/users.ex
Outdated
|
|
||
| def confirm_totp_enrollment(%User{id: 1}, _), do: {:error, :forbidden} | ||
|
|
||
| def confirm_totp_enrollment(%User{totp_secret: totp_secret, totp_enabled_at: nil} = user, totp) do |
There was a problem hiding this comment.
Just to have a more common naming, i named this totp , totp_code.
Which one do you prefer? To put the same name in the other validate_totp function in my PR
| @@ -198,4 +253,12 @@ defmodule Trento.Users do | |||
| rescue | |||
| Ecto.StaleEntryError -> {:error, :stale_entry} | |||
| end | |||
|
|
|||
| defp update_user_totp(%User{id: 1}, _), do: {:error, :forbidden} | |||
There was a problem hiding this comment.
I did put this update_user_totp as public function, but it is true that I don't use it outside.
I was simply using in the iex console.
Thinking this way, once you have the enrollment, you don't really need it.
I might use your private version hehe
There was a problem hiding this comment.
Yeah, private is better we reduce the api surface and it's already tested by the public functions
| summary: "Reset the TOTP configuration for the user", | ||
| tags: ["Platform"], | ||
| responses: [ | ||
| forbidden: Schema.Forbidden.response() |
There was a problem hiding this comment.
I guess no_content should be part of responses
|
|
||
| @schema %Schema{ | ||
| title: "UserTOTPEnrollmentPayload", | ||
| description: "Trento User totp enrollment payload", |
There was a problem hiding this comment.
Let's put topt as upper case TOTP as in other texts
|
|
||
| def confirm_totp_enrollment(%{body_params: body_params} = conn, _) do | ||
| %User{} = user = Pow.Plug.current_user(conn) | ||
| totp = Map.get(body_params, :totp) |
There was a problem hiding this comment.
Again, I'm using totp_code in the other PR. Let's use the same term.
I will adapt my PR once we have it decided
There was a problem hiding this comment.
totp_code also here and in the schemas!
| |> assert_schema("Forbidden", api_spec) | ||
| end | ||
|
|
||
| test "should not reset totp when a reset is requested by the default admin", %{ |
There was a problem hiding this comment.
This shouldn't be by the default admin, it should be for the default admin
EMaksy
reviewed
May 27, 2024
| @@ -1184,7 +1184,7 @@ defmodule Trento.Discovery.Policies.ClusterPolicyTest do | |||
| |> ClusterPolicy.handle(nil) | |||
| end | |||
|
|
|||
| test "should set the health to critical when the SAPInstance resourece is running the same node" do | |||
| test "should set the health to critical when the SAPInstance resource is running the same node" do | |||
There was a problem hiding this comment.
I guess @CDimonaco found the same issue a second time here @janvhs 👍
There was a problem hiding this comment.
👀 great ideas are in the air
| |> assert_schema("Forbidden", api_spec) | ||
| end | ||
|
|
||
| test "should not reset totp when a reset is requested by the default admin", %{ |
Merged
CDimonaco
force-pushed
the
topt_enrollment
branch
from
8035315
to
5a786fe
Compare
arbulu89
approved these changes
May 27, 2024
arbulu89
pushed a commit
that referenced
this pull request
Jun 25, 2024
* reset totp for users * topt enrollment context * topt openapi payloads * Renamed reset totp * Changed error when totp is invalid in the totp enrollment procedure * TOTP Procedure in profile controller * fix mispelling * Addressing review feedbacks
arbulu89
added a commit
that referenced
this pull request
Jun 25, 2024
* Basic User management (#2529) * Enforce password security un user schema * Argon2 hash algorithm for user password * Add fullname and email fields to user schema * Mix phx gen json scaffolding for users * Users context * mix format * User controller refactored for the new users context * Pow custom context for getting non-deleted users * Unique email for users * Update release task and seed for users * Users context prevents deletion of user with id 1 * Username cannot be updated * Created and updated timestamps in users view * Change of the username when users are deleted * Add lock feature to Users * Locked and deleted users are excluded from renew * Session controller tests updated * /me endpoint returns also user id * User socket authenticatio * User controller broadcast user actions on user topic * Access token expiration to 3 minutes * Fix could not delete admin user in context * Trento default admin enabled * User controller with spex * Fix app jwt auth plug test typo * User controller actions are dispatched to per user channels * fix access token test * fix alias in factory file * mix credo * fix mispell * mix credo * removed comments from user_controller_test * Addressing review feedbacks * Introduced users factory * Addresing feedbacks * Updated trento_dev sql regression dump * Revert "Updated trento_dev sql regression dump" This reverts commit ccce860. * Ecto seed with user password update on conflict * Run db seed on regression tests * Listening to user related events on the frontend (#2542) * Frontend socket authentication refactored * Add logged user in the state when user performs login * Subscription to user topic on user login * Guard component put user in state after me call We need to enrich the user in the store not only on login but also when the session is valid, we already call the me endpoint in the guard to get user details, we store these details in the state to have always consistency between the logged users on the backend and the user in the store (returned from me endpoint at each app load) * Listening on user actions event in the frontend * Addressing review feedbacks * Create Abilities and UserAbilities schema (#2543) * mix.gen.context Abilities * Users abilities * Addressing review feedbacks * Mix format * Install make and gcc in container and rpm (#2553) * Install make in container and rpm * Install gcc * Add New User Management View (#2544) * Add users view * Add users view test * Add users story * Refactor and rename code * Refactor file structure and imports * Refactor users component * Refactor user component and delete unused views * Enrich user's story * Remove empty components * Add banner and update test * Refactor users page and users * Disable Create button while loading users * Address comments * Fix storybook * Refactor test and test for deletion api call * Improve factory and texts * order and clean up code * Split up tests and clean up * Address final pr comments * Create user form (#2548) * Move api validation errors code to lib * Add users api * Add users factory * Pass props to password component * Add UserForm view * Add CreateUser view * Add CreateUser to the router * Update password policy tooltip * Use a more standard file naming * Create dedicated function on save clicked * Rewrite test descriptions * Policy enforcing on users (#2552) * users context return user abilities * LoadUserPlug load the user from the database using stateless user * Wip on user controller policy * Refactor abilities * User controller renamed to users controller * Refactored user openapi schemas * Users controller policy usage refactored * Add basic permissions * Users controller abilities refactored * mix credo * addressing review feedbacks * mix credo * Fix policy test * Edit user form (#2566) * Update UserForm to allow edition style * Add EditUserPage * Fix conflicts after rebase resolution * Correct some typos and descriptions * User profile routes (#2583) * Update user profile in users context * profile controller wip * Prevent profile update for admin user * Profile controller * Add current password validation to the user schema when profile updates password * Current password field in profile update schema * Addressing review feedbacks * mix credo * Add soft delete for email and update test (#2584) * Enable user status update (#2591) * Enable locking up user in creation * Enable status select in frontend * Disable edit button for admin user (#2592) * Abilities controller and update (#2568) * Add abilities controller and index endpoint * Add and update abilities in user operations * Adapt user controller to use abilities * Load abilities in profile endpoint * Delete user abilities on deletion * Optimistic lock for users (#2595) * Optimistic locking on user schema update * wip on preconditions * mix credo * Add optimistic locking in users controller * Add optimistic locking handling in EditUserPage * fix typo in users test * fix user schema * Add top-right corner profile button & menu (#2590) * Store email from /me endpoint in state * Add and use new Profile Menu component * Use profile endpoint instead of /me * Fix users/profile controller tests (#2607) * Fix users controller test adding if-match * Add admin user in profile controller test to avoid 403 * Add a generate password button for the UserForm (#2576) * Add generate password button for input form * Disable password generation button if user is admin * Multi select component (#2600) * Add react-select dependency * Create MultiSelect component * Add className to component * Update classNames usage * Update value containers color * Switch to use link in ProfileMenu (#2608) * Users abilities frontend (#2611) * Add abilities api * Load abilities and user abilities * Update tests and stories * Forbidden guard for user entries (#2612) * Update redux code to load user abilities * Implement the ForbiddenGuard * User ForbiddenGuard in users related items * Add missing abilities field in the user state * Add disabled prop to multi-select (#2620) * Interpolate validation errors in error view (#2616) * User Profile page (#2615) * Moved common forms labels and components to @lib/forms * Wip profile page * User profile form stories * Profile password change form * ProfileForm test * ProfilePasswordChangeForm test * ProfilePage test * Close password dialog when user click save in profile view * fix tests * User profile form disabled when the user is the default admin * Profile form modal toggle lift up * Addressing review feedbacks * Multi select for permissions in user profile * ProfilePage dispatch setUser command in redux when user is updated * Updated usage of multiselect in profile form * Address review feedbacks * User edit create toast (#2613) * Add success and error toast * Add toast test for create user page * Add error toast if user is not found * Rescue StaleError in user update function when abilities are present (#2622) * Password change request (#2624) * Add password_change_requested_at field and logic * Add new field to controller and api spec * Add maybe_ prefix to conditional functions * Change password change requested to boolean and add to admin view * Change placeholders in UserForm and EditUserPage(#2626) * Password change request frontend (#2625) * Move the toast out of profile menu and change z-index * Move toaster inside router so it can use router data * Load password requested field in redux store * Add ToastNotifications component * Create new customNotify action * Add password change request fork in sagan index * Dismiss password change request notification * Use password_change_requested as boolean * Update notifications to allow receiving health icons * Clean and improve e2e performance (#2630) * Remove unused commands * Load initial state only if needed * e2e user management (#2631) * Update login commands for multi user usage * Remove actions from users factory * Add users e2e tests * Admin cannot be edited test scenarios added * Remove empty describe * Add validation when a password is generated (#2640) * Refactor generatePassword function * Refactor test, update tooltip and enrich backend * Enrich password test list * User totp fields (#2646) * Add new totp field migrations to the user * Add new fields to user schema * Validate totp_enabled_at can only be nil for admin update * Fix credo error * Topt enrollment backend procedure (#2651) * reset totp for users * topt enrollment context * topt openapi payloads * Renamed reset totp * Changed error when totp is invalid in the totp enrollment procedure * TOTP Procedure in profile controller * fix mispelling * Addressing review feedbacks * Login with totp (#2647) * Add update_user_totp function * Add totp validation code * Update session controller to authenticate with totp * Fix session controller create schema code * Filter out totp_code from phoenix logs * Send totp_code in users saga login action * Add totp input state in login page * Remove required fields to avoid backward incompatible error * Use common Input in login page * Fix tests after conflict resolution * Totp enrollment frontend (#2657) * Totp enrollment box component * totp enabled field in profile controller response * Profile totp enrollment frontend procedure * fix mispell * Confirmation modal on totp disable * Addressing review feedbacks * Allow admin disable totp (#2658) * Allow update of totp_enabled field to false * Allow disabling totp feature from user mgmt * Adjust formatting * Remove unnecessary changes and improve UserForm changes * Various cleanups & move code to controller * Move the totp disabling to the context * Improve test description * Improve UserForm component * Fix missed === * Remove default padding in the Select component * Improve TOTP select disabled check * Add update_user test for TOTP disable * Address remaining feedback * Policy support functions (#2670) * TOTP authentication e2e tests (#2667) * Move lock user tests to new describe * Add TOTP tests * Skip long lasting test by default * Disabled guard (#2672) * Move ForbiddenGuard to common * Create the DisabledGuard component * Update early return usage * Improve cloneElement usage * Make tooltip place a prop * Refactor storybook functions * Some small improvements in the user forms (#2673) * Remove TOTP configuration in user creation form * Add disabled state to Switch component * Disable TOTP configuration for default admin * Style TOTP enrollment box (#2674) * Style totp enrollment box usage in profile form * Use profileFactory in profile form tests * Reword multi-factor text usage * Update e2e tests * Use proper command to login (#2712) * Use proper command to login * Add page reloads to get correct suma posted data * Set python3 as ansible interpreter (#2713) * Set python3 as ansible interpreter * Pin ubuntu version for pr env ci stages --------- Co-authored-by: Carmine Di Monaco <carmine.dimonaco@suse.com> Co-authored-by: Eugen Maksymenko <emaksymenko@suse.com> Co-authored-by: Rubén Torrero Marijnissen <rtorreromarijnissen@suse.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
The pr enable the totp enrollment procedure on the backend.
How was this tested?
Automated tests