feat(profile): enforce MFA

xkostka2 · xkostka2 · commit 40cea53f71da · 2022-03-25T16:16:07.000+01:00
* added functionality to enforce MFA
diff --git a/apps/user-profile/src/app/pages/settings-page/settings-authorization/settings-authentication.component.html b/apps/user-profile/src/app/pages/settings-page/settings-authorization/settings-authentication.component.html
@@ -1,23 +1,39 @@
-<div class="mb-5" *ngIf="displayImageBlock">
-  <h1 class="page-subtitle">{{'AUTHENTICATION.TITLE' | customTranslate | translate}}</h1>
-  <p>{{'AUTHENTICATION.ANTI_PHISHING_INFO' | customTranslate | translate}}</p>
-  <div *ngIf="imageSrc && imageSrc.length">
-    <img [src]="imageSrc" alt="" class="img-size" />
+<div [hidden]="loadingMfa || loadingImg">
+  <div class="mb-5" *ngIf="displayImageBlock">
+    <h1 class="page-subtitle">{{'AUTHENTICATION.TITLE' | customTranslate | translate}}</h1>
+    <p>{{'AUTHENTICATION.ANTI_PHISHING_INFO' | customTranslate | translate}}</p>
+    <div *ngIf="imageSrc && imageSrc.length">
+      <img [src]="imageSrc" alt="" class="img-size" />
+    </div>
+    <button (click)="onAddImg()" class="m-1 action-button" color="accent" mat-flat-button>
+      {{'AUTHENTICATION.NEW_IMG' | customTranslate | translate}}
+    </button>
+    <button
+      (click)="onDeleteImg()"
+      class="m-1"
+      color="warn"
+      [disabled]="!imgAtt || !imgAtt.value"
+      mat-flat-button>
+      {{'AUTHENTICATION.DELETE_IMG' | customTranslate | translate}}
+    </button>
   </div>
-  <button (click)="onAddImg()" class="m-1 action-button" color="accent" mat-flat-button>
-    {{'AUTHENTICATION.NEW_IMG' | customTranslate | translate}}
-  </button>
-  <button
-    (click)="onDeleteImg()"
-    class="m-1"
-    color="warn"
-    [disabled]="!imgAtt || !imgAtt.value"
-    mat-flat-button>
-    {{'AUTHENTICATION.DELETE_IMG' | customTranslate | translate}}
+
+  <h1 class="page-subtitle">{{'AUTHENTICATION.MFA' | customTranslate | translate}}</h1>
+  <span
+    [matTooltip]="'AUTHENTICATION.MFA_DISABLED' | customTranslate | translate"
+    [matTooltipDisabled]="mfaAvailable"
+    matTooltipPosition="right">
+    <mat-slide-toggle
+      [disabled]="!mfaAvailable"
+      #toggle
+      color="primary"
+      >{{'AUTHENTICATION.MFA_TOGGLE' | customTranslate | translate}}</mat-slide-toggle
+    >
+  </span>
+
+  <br />
+  <button mat-flat-button class="mt-3" (click)="redirectToMfa()" color="accent">
+    {{'AUTHENTICATION.MFA_INFO'|translate}}
   </button>
 </div>
-
-<h1 class="page-subtitle">{{'AUTHENTICATION.MFA' | customTranslate | translate}}</h1>
-<span
-  >{{'AUTHENTICATION.MFA_INFO'|translate}}<a [href]="mfaUrl">{{mfaUrl}}</a></span
->
+<mat-spinner class="ml-auto mr-auto" *ngIf="loadingMfa || loadingImg"></mat-spinner>
diff --git a/apps/user-profile/src/app/pages/settings-page/settings-authorization/settings-authentication.component.ts b/apps/user-profile/src/app/pages/settings-page/settings-authorization/settings-authentication.component.ts
@@ -1,30 +1,40 @@
-import { Component, OnInit } from '@angular/core';
+import { AfterViewInit, Component, OnInit, ViewChild } from '@angular/core';
 import { MatDialog } from '@angular/material/dialog';
 import { getDefaultDialogConfig } from '@perun-web-apps/perun/utils';
 import { AddAuthImgDialogComponent } from '../../../components/dialogs/add-auth-img-dialog/add-auth-img-dialog.component';
 import { Attribute, AttributesManagerService } from '@perun-web-apps/perun/openapi';
-import { StoreService } from '@perun-web-apps/perun/services';
+import { AuthService, StoreService } from '@perun-web-apps/perun/services';
 import { RemoveStringValueDialogComponent } from '../../../components/dialogs/remove-string-value-dialog/remove-string-value-dialog.component';
 import { TranslateService } from '@ngx-translate/core';
+import { OAuthService } from 'angular-oauth2-oidc';
+import { MatSlideToggle } from '@angular/material/slide-toggle';
 
 @Component({
   selector: 'perun-web-apps-settings-authentication',
   templateUrl: './settings-authentication.component.html',
   styleUrls: ['./settings-authentication.component.scss'],
 })
-export class SettingsAuthenticationComponent implements OnInit {
+export class SettingsAuthenticationComponent implements OnInit, AfterViewInit {
+  @ViewChild('toggle') toggle: MatSlideToggle;
+
   removeDialogTitle: string;
   imgAtt: Attribute;
   imageSrc = '';
   removeDialogDescription: string;
   mfaUrl = '';
   displayImageBlock: boolean;
+  mfaAvailable = false;
+  mfaApiUrl = '';
+  loadingMfa = false;
+  loadingImg = false;
 
   constructor(
     private dialog: MatDialog,
     private attributesManagerService: AttributesManagerService,
     private store: StoreService,
-    private translate: TranslateService
+    private translate: TranslateService,
+    private oauthService: OAuthService,
+    private authService: AuthService
   ) {
     translate
       .get('AUTHENTICATION.DELETE_IMG_DIALOG_TITLE')
@@ -34,7 +44,15 @@ export class SettingsAuthenticationComponent implements OnInit {
       .subscribe((res) => (this.removeDialogDescription = res));
   }
 
+  ngAfterViewInit(): void {
+    this.toggle.change.subscribe((change) => {
+      this.reAuthenticate(change.checked);
+    });
+  }
+
   ngOnInit(): void {
+    this.loadingMfa = true;
+    this.loadingImg = true;
     this.translate.onLangChange.subscribe(() => {
       this.translate
         .get('AUTHENTICATION.DELETE_IMG_DIALOG_TITLE')
@@ -45,9 +63,58 @@ export class SettingsAuthenticationComponent implements OnInit {
       this.mfaUrl = this.store.get('mfa', 'url_' + this.translate.currentLang);
     });
     this.mfaUrl = this.store.get('mfa', 'url_' + this.translate.currentLang);
+    this.mfaApiUrl = this.store.get('mfa', 'api_url');
+    fetch(this.mfaApiUrl + 'mfaAvailable', {
+      method: 'GET',
+      headers: { Authorization: 'Bearer ' + this.oauthService.getIdToken() },
+    })
+      .then((response) => response.text())
+      .then((responseText) => {
+        this.mfaAvailable = responseText === 'true';
+        if (this.mfaAvailable) {
+          this.loadMfa();
+        }
+      })
+      .catch((e) => {
+        console.error(e);
+        this.loadingMfa = false;
+      });
+
     this.loadImage();
   }
 
+  private loadMfa(): void {
+    const mfaRoute = sessionStorage.getItem('mfa_route');
+    if (mfaRoute) {
+      const enforceMfa = sessionStorage.getItem('enforce_mfa');
+      this.enableMfa(enforceMfa === 'true')
+        .then((res) => {
+          if (res.ok && enforceMfa === 'true') {
+            this.toggle.toggle();
+          }
+          this.loadingMfa = false;
+        })
+        .catch((e) => {
+          console.error(e);
+          this.loadingMfa = false;
+        });
+    } else {
+      const enforceMfaAttributeName = this.store.get('mfa', 'enforce_mfa_attribute');
+      this.attributesManagerService
+        .getUserAttributeByName(this.store.getPerunPrincipal().userId, enforceMfaAttributeName)
+        .subscribe((attr) => {
+          if (attr.value) {
+            this.toggle.toggle();
+          }
+          this.loadingMfa = false;
+        });
+    }
+    if (sessionStorage.getItem('mfa_route')) {
+      sessionStorage.removeItem('enforce_mfa');
+      sessionStorage.removeItem('mfa_route');
+    }
+  }
+
   onAddImg() {
     const config = getDefaultDialogConfig();
     config.width = '500px';
@@ -62,13 +129,29 @@ export class SettingsAuthenticationComponent implements OnInit {
     });
   }
 
-  // private transformTextToImg(text: string) {
-  //   const canvas = document.createElement('canvas');
-  //   const context = canvas.getContext('2d');
-  //   context.font = "100px Calibri";
-  //   context.fillText(text, 1, 70);
-  //   return canvas.toDataURL('image/png');
-  // }
+  reAuthenticate(enforceMfa: boolean): void {
+    sessionStorage.setItem('enforce_mfa', enforceMfa.toString());
+    sessionStorage.setItem('mfa_route', '/profile/settings/auth');
+    localStorage.removeItem('refresh_token');
+    this.oauthService.logOut(true);
+    sessionStorage.setItem('auth:redirect', location.pathname);
+    sessionStorage.setItem('auth:queryParams', location.search.substring(1));
+    this.authService.loadConfigData();
+    this.oauthService.loadDiscoveryDocumentAndLogin();
+  }
+
+  enableMfa(value: boolean): Promise<Response> {
+    const idToken = this.oauthService.getIdToken();
+    const path = `mfaEnforced`;
+    const url = `${this.mfaApiUrl}${path}`;
+    const body = `value=${value}`;
+
+    return fetch(url, {
+      method: 'PUT',
+      body: body,
+      headers: { Authorization: `Bearer ${idToken}` },
+    });
+  }
 
   onDeleteImg() {
     const config = getDefaultDialogConfig();
@@ -95,17 +178,28 @@ export class SettingsAuthenticationComponent implements OnInit {
     this.displayImageBlock = this.store.get('mfa', 'enable_security_image');
     this.attributesManagerService
       .getUserAttributeByName(this.store.getPerunPrincipal().userId, imgAttributeName)
-      .subscribe((attr) => {
-        if (!attr) {
-          this.attributesManagerService
-            .getAttributeDefinitionByName(imgAttributeName)
-            .subscribe((att) => {
-              this.imgAtt = att as Attribute;
-            });
-        } else {
-          this.imgAtt = attr;
-          this.imageSrc = this.imgAtt.value as unknown as string;
+      .subscribe(
+        (attr) => {
+          if (!attr) {
+            this.attributesManagerService
+              .getAttributeDefinitionByName(imgAttributeName)
+              .subscribe((att) => {
+                this.imgAtt = att as Attribute;
+              });
+          } else {
+            this.imgAtt = attr;
+            this.imageSrc = this.imgAtt.value as unknown as string;
+          }
+          this.loadingImg = false;
+        },
+        (e) => {
+          console.error(e);
+          this.loadingImg = false;
         }
-      });
+      );
+  }
+
+  redirectToMfa(): void {
+    window.open(this.mfaUrl, '_blank');
   }
 }
diff --git a/apps/user-profile/src/assets/config/defaultConfig.json b/apps/user-profile/src/assets/config/defaultConfig.json
@@ -70,6 +70,7 @@
     "api_url": "https://id.muni.cz/mfaapi/",
     "enable_security_image": true,
     "security_image_attribute": "urn:perun:user:attribute-def:def:securityImage:mu",
+    "enforce_mfa_attribute": "urn:perun:user:attribute-def:def:mfaEnforced:mu",
     "url_en": "https://mfa.aai.muni.cz/",
     "url_cs": "https://mfa.aai.muni.cz/"
   },
diff --git a/apps/user-profile/src/assets/i18n/cs.json b/apps/user-profile/src/assets/i18n/cs.json
@@ -136,12 +136,14 @@
   "AUTHENTICATION": {
     "TITLE": "Bezpečnostní obrázek",
     "MFA": "Vícefázové ověření",
+    "MFA_TOGGLE": "Zapnout vícefázové ověření pro všechny služby",
+    "MFA_DISABLED": "Potřebujete mít alespoň jeden aktivní MFA token.",
     "NEW_IMG": "Nový obrázek",
     "DELETE_IMG": "Vymazat obrázek",
     "ANTI_PHISHING_INFO": "Tento bezpečnostní obrázek se vám ukáže před tím, než zadáte heslo, ujistíte se tak, že se nepřihlašujete na podvrženou stránku",
     "DELETE_IMG_DIALOG_TITLE": "Vymazat proti-phishingový obrázek",
     "DELETE_IMG_DIALOG_DESC": "Váš bezpečnostní obrázek bude odstraněn a nebude použit během autentizace.",
-    "MFA_INFO": "Pro správu prostředků vícefázového ověření (MFA) navštivte "
+    "MFA_INFO": "Spravovat moje prostředky vícefázového ověření (MFA)"
   },
   "DIALOGS": {
     "CHANGE_EMAIL": {
diff --git a/apps/user-profile/src/assets/i18n/en.json b/apps/user-profile/src/assets/i18n/en.json
@@ -136,12 +136,14 @@
   "AUTHENTICATION": {
     "TITLE": "Security image",
     "MFA": "Multi-factor authentication",
+    "MFA_TOGGLE": "Turn on multi-factor authentication for all services",
+    "MFA_DISABLED": "You need to have at least one active MFA token.",
     "NEW_IMG": "New image",
     "DELETE_IMG": "Delete image",
     "ANTI_PHISHING_INFO": "You will be shown this security image before you enter your password so you will know that you are visiting the right site",
     "DELETE_IMG_DIALOG_TITLE": "Delete anti-phishing image",
     "DELETE_IMG_DIALOG_DESC": "Your security image will be deleted and will not be used during authentication process.",
-    "MFA_INFO": "To manage MFA tokens go to "
+    "MFA_INFO": "Manage my MFA tokens"
   },
   "DIALOGS": {
     "CHANGE_EMAIL": {
diff --git a/libs/perun/services/src/lib/auth.service.ts b/libs/perun/services/src/lib/auth.service.ts
@@ -44,7 +44,11 @@ export class AuthService {
     ) {
       customQueryParams['prompt'] = 'consent';
     }
-
+    if (sessionStorage.getItem('mfa_route')) {
+      customQueryParams['acr_values'] = 'https://refeds.org/profile/mfa';
+      customQueryParams['prompt'] = 'login';
+      customQueryParams['max_age'] = '0';
+    }
     return {
       requestAccessToken: true,
       issuer: this.store.get('oidc_client', 'oauth_authority'),
