-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #5322 from akvo/enforce-2fa
Implement enforcing 2FA
- Loading branch information
Showing
13 changed files
with
271 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| import sys | ||
| from django.core.management.base import BaseCommand, CommandParser | ||
| from tablib import Dataset | ||
| from akvo.rsr.models import Organisation | ||
| from akvo.rsr.usecases.toggle_org_enforce_2fa import find_related_users | ||
|
|
||
|
|
||
| class Command(BaseCommand): | ||
| help = "Script to get list of users who are employed by or have role access to projects of the given organisation" | ||
|
|
||
| def add_arguments(self, parser: CommandParser): | ||
| parser.add_argument('org_id', type=int) | ||
|
|
||
| def handle(self, *args, **options): | ||
| try: | ||
| org = Organisation.objects.get(id=options['org_id']) | ||
| except Organisation.DoesNotExist: | ||
| self.stderr.write("Organisation not found") | ||
| sys.exit(1) | ||
|
|
||
| users = find_related_users(org) | ||
| tbl = Dataset() | ||
| tbl.headers = ['email', 'name'] | ||
| for user in users: | ||
| tbl.append([user.email, user.get_full_name()]) | ||
| self.stdout.write(tbl.export('csv')) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| # Generated by Django 3.2.18 on 2024-02-15 08:15 | ||
|
|
||
| from django.db import migrations, models | ||
|
|
||
|
|
||
| class Migration(migrations.Migration): | ||
|
|
||
| dependencies = [ | ||
| ('rsr', '0228_delete_emailreportjob'), | ||
| ] | ||
|
|
||
| operations = [ | ||
| migrations.AddField( | ||
| model_name='organisation', | ||
| name='enforce_2fa', | ||
| field=models.BooleanField(default=False, help_text='Enfore related users (through employment or project access) to enable their 2FA', verbose_name='Enforce 2-Factor-Authentication'), | ||
| ), | ||
| ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| # Generated by Django 3.2.18 on 2024-02-19 07:42 | ||
|
|
||
| from django.db import migrations, models | ||
|
|
||
|
|
||
| class Migration(migrations.Migration): | ||
|
|
||
| dependencies = [ | ||
| ('rsr', '0229_organisation_enforce_2fa'), | ||
| ] | ||
|
|
||
| operations = [ | ||
| migrations.AddField( | ||
| model_name='user', | ||
| name='enforce_2fa', | ||
| field=models.BooleanField(default=False, help_text='Enfore related users (through employment or project access) to enable their 2FA', verbose_name='Enforce 2-Factor-Authentication'), | ||
| ), | ||
| ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| from django.contrib.auth import get_user_model | ||
| from django.contrib.auth.models import AnonymousUser | ||
| from django.http import HttpResponse | ||
| from django.test import RequestFactory | ||
| from django_otp.plugins.otp_totp.models import TOTPDevice | ||
| from akvo.rsr.tests.base import BaseTestCase | ||
| from akvo.rsr.decorators import two_factor_required | ||
|
|
||
|
|
||
| def func_view(request): | ||
| return HttpResponse(request.user) | ||
|
|
||
|
|
||
| class TwoFactorRequiredDecoratorTestCase(BaseTestCase): | ||
| def setUp(self) -> None: | ||
| super().setUp() | ||
| self.request = RequestFactory().get('') | ||
| self.user = self.create_user('test@akvo.org') | ||
| self.request.user = self.user | ||
|
|
||
| def make_default_device(self, user): | ||
| return TOTPDevice.objects.create(user=user, name='default') | ||
|
|
||
| def enforce_2fa(self, user): | ||
| user.enforce_2fa = True | ||
| user.save() | ||
| return get_user_model().objects.get(id=user.id) | ||
|
|
||
| def test_user_no_device_and_not_enforced_2fa(self): | ||
| response = two_factor_required(func_view)(self.request) | ||
| self.assertEqual(response.status_code, 200) | ||
|
|
||
| def test_user_no_device_and_enforced_2fa(self): | ||
| self.enforce_2fa(self.user) | ||
| response = two_factor_required(func_view)(self.request) | ||
| self.assertEqual(response.status_code, 302) | ||
|
|
||
| def test_user_with_device_not_and_enforced_2fa(self): | ||
| self.make_default_device(self.user) | ||
| response = two_factor_required(func_view)(self.request) | ||
| self.assertEqual(response.status_code, 200) | ||
|
|
||
| def test_user_with_device_and_enforced_2fa(self): | ||
| user = self.enforce_2fa(self.user) | ||
| self.make_default_device(user) | ||
| response = two_factor_required(func_view)(self.request) | ||
| self.assertEqual(response.status_code, 200) | ||
|
|
||
| def test_anonymous_user(self): | ||
| user = AnonymousUser() | ||
| request = RequestFactory().get('') | ||
| request.user = user | ||
| response = two_factor_required(func_view)(request) | ||
| self.assertEqual(response.status_code, 200) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| from akvo.rsr.tests.base import BaseTestCase | ||
| from akvo.rsr.models import User | ||
| from akvo.rsr.usecases.toggle_org_enforce_2fa import find_related_users, toggle_enfore_2fa | ||
|
|
||
|
|
||
| class FindRelatedUsersTest(BaseTestCase): | ||
| def setUp(self): | ||
| super().setUp() | ||
| self.org = self.create_organisation('Akvo') | ||
| self.user = self.create_user('test@akvo.org') | ||
| self.project = self.create_project('Acme') | ||
|
|
||
| def test_found_employee(self): | ||
| self.make_employment(self.user, self.org, 'Users') | ||
|
|
||
| found = find_related_users(self.org).values_list('email', flat=True) | ||
|
|
||
| self.assertIn(self.user.email, found) | ||
|
|
||
| def test_found_project_access(self): | ||
| self.make_project_role(self.user, self.project, 'Users') | ||
| self.make_partner(self.project, self.org) | ||
|
|
||
| found = find_related_users(self.org).values_list('email', flat=True) | ||
|
|
||
| self.assertIn(self.user.email, found) | ||
|
|
||
|
|
||
| class ToggleEnforce2FATest(BaseTestCase): | ||
| def setUp(self): | ||
| super().setUp() | ||
| self.org = self.create_organisation('Akvo') | ||
| self.user = self.create_user('test@akvo.org') | ||
| self.make_employment(self.user, self.org, 'Users') | ||
|
|
||
| def test_toggle_true(self): | ||
| self.org.enforce_2fa = True | ||
| self.org.save() | ||
|
|
||
| toggle_enfore_2fa(self.org) | ||
|
|
||
| self.assertTrue(User.objects.get(id=self.user.id).enforce_2fa) | ||
|
|
||
| def test_toggle_false(self): | ||
| # Force changes | ||
| self.org.enforce_2fa = True | ||
| self.org.save() | ||
| self.org.enforce_2fa = False | ||
| self.org.save() | ||
|
|
||
| self.user.enforce_2fa = True | ||
| self.user.save() | ||
|
|
||
| toggle_enfore_2fa(self.org) | ||
|
|
||
| self.assertFalse(User.objects.get(id=self.user.id).enforce_2fa) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| from __future__ import annotations | ||
| from typing import TYPE_CHECKING | ||
| from django.apps import apps | ||
|
|
||
| from django.db.models import QuerySet | ||
|
|
||
| if TYPE_CHECKING: | ||
| from akvo.rsr.models import Organisation | ||
|
|
||
|
|
||
| def toggle_enfore_2fa(org: Organisation): | ||
| User = apps.get_model('rsr.User') | ||
| user_ids = find_related_users(org).values_list('id', flat=True) | ||
| User.objects.filter(id__in=user_ids).update(enforce_2fa=org.enforce_2fa) | ||
|
|
||
|
|
||
| def find_related_users(organisation: Organisation) -> QuerySet: | ||
| User = apps.get_model('rsr.User') | ||
| Project = apps.get_model('rsr.Project') | ||
| employees = User.objects.filter(employers__organisation=organisation) | ||
|
|
||
| programs = Project.objects.exclude(projecthierarchy__isnull=True).filter( | ||
| primary_organisation=organisation | ||
| ) | ||
| program_projects = set(programs.values_list("id", flat=True)) | ||
| for program in programs: | ||
| program_projects = program_projects | set( | ||
| program.descendants().values_list("id", flat=True) | ||
| ) | ||
| program_users = User.objects.filter(projectrole__project__in=program_projects) | ||
| other_projects = Project.objects.filter(primary_organisation=organisation).exclude( | ||
| id__in=program_projects | ||
| ) | ||
| other_users = User.objects.filter(projectrole__project__in=other_projects) | ||
|
|
||
| return employees.union(program_users).union(other_users) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters