From aea92f9d85a3422d376a152c9c63545b99939656 Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Sun, 18 Nov 2018 12:38:50 +0100 Subject: [PATCH] Begin to phase in custom authentication --- README.md | 10 ++-- ungleichotp/otpauth/admin.py | 6 +-- .../otpauth/migrations/0001_initial.py | 46 +++++++++++++++++++ ungleichotp/otpauth/migrations/__init__.py | 0 ungleichotp/otpauth/serializer.py | 24 ++++++++++ ungleichotp/ungleichotp/settings.py | 24 ++++++++++ 6 files changed, 102 insertions(+), 8 deletions(-) create mode 100644 ungleichotp/otpauth/migrations/0001_initial.py create mode 100644 ungleichotp/otpauth/migrations/__init__.py diff --git a/README.md b/README.md index 8cd5704..47d98bb 100644 --- a/README.md +++ b/README.md @@ -185,15 +185,17 @@ Don’t forget to point AUTH_USER_MODEL to it. Do this before creating any migra - [x] OTPSerializer: allow to read seed for admin - [x] Implement deleting entry - [x] Include verify in ModelSerializer -- [ ] Remove hard coded JSON (?) -- [ ] Use Custom authentication (?) - needs to have a user -- [ ] Maybe we map name+realm == User (?) +- [x] Maybe we map name+realm == User (?) - name == name@realm - - no password + - password is used for admin login (?) - seed - custom auth method +- [ ] try to fake username for django based on name+realm (?) +- [ ] maybe overwrite get_username() (?) +- [ ] Use Custom authentication (?) - needs to have a user - [ ] Implement creating new "User" - by POST / Model based - [ ] move totp constants into settings - [ ] move field lengths into settings - [ ] make settings adjustable by environment (?) +- [ ] Remove hard coded JSON (?) diff --git a/ungleichotp/otpauth/admin.py b/ungleichotp/otpauth/admin.py index fc9d230..acdf348 100644 --- a/ungleichotp/otpauth/admin.py +++ b/ungleichotp/otpauth/admin.py @@ -5,10 +5,8 @@ from django.contrib import admin from django.contrib.auth.admin import UserAdmin from .models import OTPSeed -#admin.site.register(OTPSeed) - - from django.contrib import admin from django.contrib.auth.admin import UserAdmin -admin.site.register(OTPSeed, UserAdmin) +# admin.site.register(OTPSeed, UserAdmin) +admin.site.register(OTPSeed) diff --git a/ungleichotp/otpauth/migrations/0001_initial.py b/ungleichotp/otpauth/migrations/0001_initial.py new file mode 100644 index 0000000..40d1872 --- /dev/null +++ b/ungleichotp/otpauth/migrations/0001_initial.py @@ -0,0 +1,46 @@ +# Generated by Django 2.1.3 on 2018-11-17 22:01 + +import django.contrib.auth.models +import django.contrib.auth.validators +from django.db import migrations, models +import django.utils.timezone + + +class Migration(migrations.Migration): + + initial = True + + dependencies = [ + ('auth', '0009_alter_user_last_name_max_length'), + ] + + operations = [ + migrations.CreateModel( + name='OTPSeed', + fields=[ + ('password', models.CharField(max_length=128, verbose_name='password')), + ('last_login', models.DateTimeField(blank=True, null=True, verbose_name='last login')), + ('is_superuser', models.BooleanField(default=False, help_text='Designates that this user has all permissions without explicitly assigning them.', verbose_name='superuser status')), + ('username', models.CharField(error_messages={'unique': 'A user with that username already exists.'}, help_text='Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.', max_length=150, unique=True, validators=[django.contrib.auth.validators.UnicodeUsernameValidator()], verbose_name='username')), + ('first_name', models.CharField(blank=True, max_length=30, verbose_name='first name')), + ('last_name', models.CharField(blank=True, max_length=150, verbose_name='last name')), + ('email', models.EmailField(blank=True, max_length=254, verbose_name='email address')), + ('is_staff', models.BooleanField(default=False, help_text='Designates whether the user can log into this admin site.', verbose_name='staff status')), + ('is_active', models.BooleanField(default=True, help_text='Designates whether this user should be treated as active. Unselect this instead of deleting accounts.', verbose_name='active')), + ('date_joined', models.DateTimeField(default=django.utils.timezone.now, verbose_name='date joined')), + ('id', models.AutoField(primary_key=True, serialize=False)), + ('name', models.CharField(max_length=128)), + ('realm', models.CharField(max_length=128)), + ('seed', models.CharField(max_length=128)), + ('groups', models.ManyToManyField(blank=True, help_text='The groups this user belongs to. A user will get all permissions granted to each of their groups.', related_name='user_set', related_query_name='user', to='auth.Group', verbose_name='groups')), + ('user_permissions', models.ManyToManyField(blank=True, help_text='Specific permissions for this user.', related_name='user_set', related_query_name='user', to='auth.Permission', verbose_name='user permissions')), + ], + managers=[ + ('objects', django.contrib.auth.models.UserManager()), + ], + ), + migrations.AlterUniqueTogether( + name='otpseed', + unique_together={('name', 'realm')}, + ), + ] diff --git a/ungleichotp/otpauth/migrations/__init__.py b/ungleichotp/otpauth/migrations/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/ungleichotp/otpauth/serializer.py b/ungleichotp/otpauth/serializer.py index ccfe2a8..2986157 100644 --- a/ungleichotp/otpauth/serializer.py +++ b/ungleichotp/otpauth/serializer.py @@ -55,3 +55,27 @@ class VerifySerializer(serializers.Serializer): print("All verified!") return verifyinstance + + +class TokenSerializer(serializers.Serializer): + name = serializers.CharField(max_length=128) + token = serializers.CharField(max_length=128) + realm = serializers.CharField(max_length=128) + + def save(self): + token_in = self.validated_data.get('token') + name_in = self.validated_data.get('name') + realm_in = self.validated_data.get('realm') + + # 1. Verify that the connection might authenticate + try: + db_instance = otpauth.models.OTPSeed.objects.get(name=name_in, realm=realm_in) + except (OTPSeed.MultipleObjectsReturned, OTPSeed.DoesNotExist): + raise exceptions.AuthenticationFailed() + + totp = pyotp.TOTP(db_instance.seed) + + if not totp.verify(token_in, valid_window=3): + raise exceptions.AuthenticationFailed() + + return db_instance diff --git a/ungleichotp/ungleichotp/settings.py b/ungleichotp/ungleichotp/settings.py index a8dc786..8197a63 100644 --- a/ungleichotp/ungleichotp/settings.py +++ b/ungleichotp/ungleichotp/settings.py @@ -102,6 +102,30 @@ AUTH_PASSWORD_VALIDATORS = [ ] +from rest_framework import exceptions +from rest_framework import authentication +from otpauth import OTPSeed +from otpauth.serializer import TokenSerializer + +class OTPAuthentication(authentication.BaseAuthentication): + def authenticate(self, request): + serializer = TokenSerializer(data=request.data) + + if serializer.is_valid(): + print("trying to save... {}".format(serializer)) + user = serializer.save() + else: + raise exceptions.AuthenticationFailed() + + return (user, None) + +REST_FRAMEWORK = { + 'DEFAULT_AUTHENTICATION_CLASSES': ( + 'OTPAuthentication' + ) +} + + # Internationalization # https://docs.djangoproject.com/en/2.1/topics/i18n/