-
|
|
+
+
|
+
|
|
@@ -148,6 +190,9 @@
|
|
|
+
+
|
+
|
|
@@ -176,6 +221,72 @@
| |
|
+ setTimestamp($user_mfa_data['generated_at'])->setTimezone((new DateTime)->getTimezone())->format('Y-m-d H:i:s') : '';
+ $mfa_status_msg = TEXT_MFA_NOT_SET;
+ if (!empty($user_mfa_data['generated_at'])) {
+ $mfa_status_msg = sprintf(TEXT_MFA_ENABLED_DATE, zen_date_short($mfa_date));
+ } elseif (!empty($user_mfa_data['via_email'])) {
+ $mfa_status_msg = TEXT_MFA_BY_EMAIL;
+ } elseif ($mfa_exempt) {
+ $mfa_status_msg = TEXT_MFA_EXEMPT;
+ }
+ ?>
+
= $mfa_status_msg ?>
+
+
+
+ ' . TEXT_CONFIRM_RESET : '') . ($btn_class === '' ? '' : '') ?>
+
+
+
+ '; ?>
+
+
+
+ ' . TEXT_CONFIRM_EXEMPT : '') . ($btn_class === '' ? '' : '') ?>
+
+
+
+ '; ?>
+
+
+
+ ' . TEXT_CONFIRM_UNEXEMPT : '') . ($btn_class === '' ? '' : '') ?>
+
+
+
+ '; ?>
+
+ |
+
|
|
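Review bot: The reset, exempt and un-exempt controls (the lines carrying `TEXT_CONFIRM_RESET`, `TEXT_CONFIRM_EXEMPT` and `TEXT_CONFIRM_UNEXEMPT`) change another administrator's MFA enforcement, but the surrounding markup has been stripped from this rendering, so it is not visible whether they submit as a token-protected POST or as plain links; confirm the receiving handler requires the admin security token and logs the action, since each of these weakens an account's authentication. The status chain `if (!empty($user_mfa_data['generated_at'])) ... elseif ($mfa_exempt)` shows only the enabled date for an admin who is both enrolled and exempt; if exemption is meant to win, test `$mfa_exempt` first. `$mfa_exempt` is assigned outside this hunk.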
diff --git a/includes/database_tables.php b/includes/database_tables.php
index e663b81159..3b7eee939c 100644
--- a/includes/database_tables.php
+++ b/includes/database_tables.php
@@ -20,6 +20,7 @@
define('TABLE_ADMIN_PAGES', DB_PREFIX . 'admin_pages');
define('TABLE_ADMIN_PAGES_TO_PROFILES', DB_PREFIX . 'admin_pages_to_profiles');
define('TABLE_ADMIN_PROFILES', DB_PREFIX . 'admin_profiles');
+define('TABLE_ADMIN_EXPIRED_TOKENS', DB_PREFIX . 'admin_expired_tokens');
define('TABLE_AUTHORIZENET', DB_PREFIX . 'authorizenet');
define('TABLE_BANNERS', DB_PREFIX . 'banners');
define('TABLE_BANNERS_HISTORY', DB_PREFIX . 'banners_history');
diff --git a/includes/filenames.php b/includes/filenames.php
index dadafa90a2..745c46ce60 100644
--- a/includes/filenames.php
+++ b/includes/filenames.php
@@ -105,6 +105,7 @@
define('FILENAME_MAIL', 'mail');
define('FILENAME_MAIN_PRODUCT_IMAGE', 'main_product_image');
define('FILENAME_MANUFACTURERS', 'manufacturers');
+define('FILENAME_MFA', 'mfa');
define('FILENAME_META_TAGS', 'meta_tags');
define('FILENAME_MODULES', 'modules');
define('FILENAME_NEWSLETTERS', 'newsletters');
diff --git a/zc_install/includes/systemChecks.yml b/zc_install/includes/systemChecks.yml
index 6440072b52..3f6ba6a1a7 100644
--- a/zc_install/includes/systemChecks.yml
+++ b/zc_install/includes/systemChecks.yml
@@ -307,6 +307,12 @@ systemChecks:
methods:
dbVersionChecker:
parameters:
+ - checkType: configKeyExists
+ keyName: MFA_ENABLED
+ - checkType: fieldSchema
+ tableName: admin_expired_tokens
+ fieldName: otp_code
+ fieldCheck: Exists
checkDBVersion200:
runLevel: dbVersion
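Review bot: The new `dbVersionChecker` parameters verify `MFA_ENABLED` and `admin_expired_tokens.otp_code` but not the `admin.mfa` column that the same release adds in both SQL files, so a database where the table was created but the `ALTER TABLE admin` failed would still pass the check. Add a second `fieldSchema` entry with `tableName: admin`, `fieldName: mfa`, `fieldCheck: Exists` next to the existing one.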
diff --git a/zc_install/sql/install/mysql_zencart.sql b/zc_install/sql/install/mysql_zencart.sql
index d8f12231bb..3a0f093e94 100644
--- a/zc_install/sql/install/mysql_zencart.sql
+++ b/zc_install/sql/install/mysql_zencart.sql
@@ -100,6 +100,7 @@ CREATE TABLE admin (
lockout_expires int(11) NOT NULL default '0',
last_failed_attempt datetime NOT NULL default '0001-01-01 00:00:00',
last_failed_ip varchar(45) NOT NULL default '',
+ mfa TEXT DEFAULT NULL,
PRIMARY KEY (admin_id),
KEY idx_admin_name_zen (admin_name),
KEY idx_admin_email_zen (admin_email),
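Review bot: The new `mfa TEXT DEFAULT NULL` column carries no description of what it holds, although the admin-page hunk earlier in this diff reads `generated_at` and `via_email` keys out of it, so it is presumably a serialized structure. Because it sits on the same row as the admin login record, anyone who can read the `admin` table obtains the second factor together with the first if the serialized data includes the TOTP secret; confirm whether that secret is encrypted before storage and, if not, whether that is acceptable. At minimum record the format on the column, e.g. `mfa TEXT DEFAULT NULL COMMENT 'serialized MFA settings; NULL = MFA not configured',`. The same column is added by `mysql_upgrade_zencart_210.sql` in this diff and would want the same comment.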
@@ -107,6 +108,20 @@ CREATE TABLE admin (
) ENGINE=MyISAM;
+# --------------------------------------------------------
+#
+# Table structure for table 'admin_expired_tokens'
+#
+
+DROP TABLE IF EXISTS admin_expired_tokens;
+CREATE TABLE admin_expired_tokens (
+ admin_name varchar(44) NOT NULL default '',
+ otp_code varchar(32) NOT NULL default '',
+ used_date timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ PRIMARY KEY (used_date, otp_code, admin_name),
+ KEY idx_admin_name_otp_code_zen (admin_name, otp_code)
+);
+
# --------------------------------------------------------
#
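Review bot: `CREATE TABLE admin_expired_tokens` ends with a bare `);` while the `admin` table directly above declares `ENGINE=MyISAM`, so the new table silently takes the server's default engine; make the choice explicit either way. The primary key leads with `used_date`, so the same `(admin_name, otp_code)` pair can be stored more than once and replay lookups presumably go through the non-unique `idx_admin_name_otp_code_zen` index instead — if a pair is meant to recur after its validity window, say so in a comment, and since nothing on the page purges old rows the table grows by one row per MFA login, so note the intended retention, e.g. `# one row per consumed OTP; rows older than the OTP validity window may be purged`. Also confirm `admin_name varchar(44)` matches the length of `admin.admin_name`, which is not visible in this hunk. The identical definition in `mysql_upgrade_zencart_210.sql` shares these points.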
@@ -2445,6 +2460,7 @@ INSERT INTO configuration (configuration_title, configuration_key, configuration
INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added, set_function) VALUES ('Wholesale Pricing', 'WHOLESALE_PRICING_CONFIG', 'false', 'Should
Wholesale Pricing be enabled for your site? Choose
false (the default) if you don\'t want that feature enabled. Otherwise, choose
Tax Exempt to enable with tax-exemptions for all wholesale customers or
Pricing Only to apply tax as usual for wholesale customers.', 1, 23, now(), 'zen_cfg_select_option([\'false\', \'Tax Exempt\', \'Pricing Only\'],');
+INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added, set_function) VALUES ('MFA Multi-Factor Authentication Required', 'MFA_ENABLED', 'False', '2-Factor authentication for Admin users', 1, 29, now(), 'zen_cfg_select_option([\'True\', \'False\'],');
INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, last_modified, date_added, use_function, set_function) VALUES ('PA-DSS Admin Session Timeout Enforced?', 'PADSS_ADMIN_SESSION_TIMEOUT_ENFORCED', '1', 'PA-DSS Compliance requires that any Admin login sessions expire after 15 minutes of inactivity.
Disabling this makes your site NON-COMPLIANT with PA-DSS rules, thus invalidating any certification.', 1, 30, now(), now(), NULL, 'zen_cfg_select_drop_down(array(array(\'id\'=>\'0\', \'text\'=>\'Non-Compliant\'), array(\'id\'=>\'1\', \'text\'=>\'On\')),');
INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, last_modified, date_added, use_function, set_function) VALUES ('PA-DSS Strong Password Rules Enforced?', 'PADSS_PWD_EXPIRY_ENFORCED', '1', 'PA-DSS Compliance requires that admin passwords must be changed after 90 days and cannot re-use the last 4 passwords.
Disabling this makes your site NON-COMPLIANT with PA-DSS rules, thus invalidating any certification.', 1, 30, now(), now(), NULL, 'zen_cfg_select_drop_down(array(array(\'id\'=>\'0\', \'text\'=>\'Non-Compliant\'), array(\'id\'=>\'1\', \'text\'=>\'On\')),');
INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, last_modified, date_added, use_function, set_function) VALUES ('PA-DSS Ajax Checkout?', 'PADSS_AJAX_CHECKOUT', '1', 'PA-DSS Compliance requires that for some inbuilt payment methods, that we use ajax to draw the checkout confirmation screen. While this will only happen if one of those payment methods is actually present, some people may want the traditional checkout flow
Disabling this makes your site NON-COMPLIANT with PA-DSS rules, thus invalidating any certification.', 1, 30, now(), now(), NULL, 'zen_cfg_select_drop_down(array(array(\'id\'=>\'0\', \'text\'=>\'Non-Compliant\'), array(\'id\'=>\'1\', \'text\'=>\'On\')),');
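Review bot: The new `MFA_ENABLED` row stores its value as `'False'` with options `[\'True\', \'False\']`, while the `WHOLESALE_PRICING_CONFIG` row in the same hunk uses lowercase `'false'`; whichever casing the PHP compares against, keep the two consistent so a later string comparison cannot silently miss. The description `'2-Factor authentication for Admin users'` does not say what the switch does; something like `'Require multi-factor authentication for all Admin logins?'` matches the question form used by the PA-DSS rows below. The same INSERT is repeated in `mysql_upgrade_zencart_210.sql` in this diff and would want the same value casing and wording.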
diff --git a/zc_install/sql/updates/mysql_upgrade_zencart_210.sql b/zc_install/sql/updates/mysql_upgrade_zencart_210.sql
index f667d4d324..539f9f7441 100644
--- a/zc_install/sql/updates/mysql_upgrade_zencart_210.sql
+++ b/zc_install/sql/updates/mysql_upgrade_zencart_210.sql
@@ -39,6 +39,19 @@ TRUNCATE TABLE db_cache;
ALTER TABLE email_archive ADD COLUMN errorinfo TEXT DEFAULT NULL;
ALTER TABLE email_archive ADD INDEX idx_email_date_sent_zen (date_sent);
+#PROGRESS_FEEDBACK:!TEXT=Updating table structures!
+ALTER TABLE admin ADD COLUMN mfa TEXT DEFAULT NULL;
+DROP TABLE IF EXISTS admin_expired_tokens;
+CREATE TABLE admin_expired_tokens (
+ admin_name varchar(44) NOT NULL default '',
+ otp_code varchar(32) NOT NULL default '',
+ used_date timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ PRIMARY KEY (used_date, otp_code, admin_name),
+ KEY idx_admin_name_otp_code_zen (admin_name, otp_code)
+);
+INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added, set_function) VALUES ('MFA Multi-Factor Authentication Required', 'MFA_ENABLED', 'False', '2-Factor authentication for Admin users', 1, 29, now(), 'zen_cfg_select_option([\'True\', \'False\'],');
+
+