F OpenNebula#2497: two factor authentication

Signed-off-by: Jorge Lobo <jlobo@opennebula.systems>

install.sh

@@ -1927,7 +1927,10 @@ SUNSTONE_ETC_VIEW_MIXED="src/sunstone/etc/sunstone-views/mixed/admin.yaml \
 
 SUNSTONE_MODELS_FILES="src/sunstone/models/OpenNebulaJSON.rb \
                        src/sunstone/models/SunstoneServer.rb \
-                       src/sunstone/models/SunstoneViews.rb"
+                       src/sunstone/models/SunstoneViews.rb \
+                       src/sunstone/models/my_qr_code.rb \
+                       src/sunstone/models/my_totp.rb \
+                       src/sunstone/models/two_factor_auth.rb "
 
 SUNSTONE_MODELS_JSON_FILES="src/sunstone/models/OpenNebulaJSON/HostJSON.rb \
                     src/sunstone/models/OpenNebulaJSON/ImageJSON.rb \

share/install_gems/Gemfile

@@ -46,6 +46,8 @@ gem 'sinatra'                             # sunstone, cloud, oneflow
 gem 'thin'                                # sunstone, cloud
 gem 'memcache-client'                     # sunstone
 gem 'zendesk_api'                         # sunstone
+gem 'rotp'                                # sunstone
+gem 'rqrcode'                             # sunstone
 gem 'amazon-ec2'                          # cloud
 gem 'uuidtools'                           # cloud
 gem 'curb'                                # cloud

src/sunstone/etc/sunstone-server.conf

@@ -92,6 +92,10 @@
 #
 :core_auth: cipher
 
+# Two Factor Authentication Issuer Label
+# JORGE
+:two_factor_auth_issuer: Sunstone
+
 ################################################################################
 # Check Upgrades
 ################################################################################

src/sunstone/etc/sunstone-views/kvm/admin.yaml

@@ -154,6 +154,7 @@ tabs:
             User.create_dialog: true
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             User.quotas_dialog: true
             User.groups_dialog: true
             User.chgrp: true
@@ -883,13 +884,15 @@ tabs:
             # Buttons for settings_info_tab
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             # Buttons for settings_config_tab
             Settings.change_language: true
             Settings.change_password: true
             Settings.change_view: true
             Settings.ssh_key: true
             Settings.login_token: true
             # Edit button in settings_quotas_tab
+            User.two_factor_auth: true
             User.quotas_dialog: false
     upgrade-top-tab:
         panel_tabs:

src/sunstone/etc/sunstone-views/kvm/cloud.yaml

@@ -120,6 +120,7 @@ tabs:
             # Buttons for settings_info_tab
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             # Buttons for settings_config_tab
             Settings.change_language: true
             Settings.change_password: true
@@ -128,6 +129,7 @@ tabs:
             Settings.login_token: true
             # Edit button in settings_quotas_tab
             User.quotas_dialog: false
+            User.two_factor_auth: true
     vms-tab:
         actions: *provisionactions
     images-tab:

src/sunstone/etc/sunstone-views/kvm/groupadmin.yaml

@@ -153,6 +153,7 @@ tabs:
             User.create_dialog: true
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             User.quotas_dialog: true
             User.groups_dialog: false
             User.chgrp: false
@@ -884,12 +885,14 @@ tabs:
             # Buttons for settings_info_tab
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             # Buttons for settings_config_tab
             Settings.change_language: true
             Settings.change_password: true
             Settings.change_view: true
             Settings.ssh_key: true
             Settings.login_token: true
+            Settings.two_factor_auth: true
             # Edit button in settings_quotas_tab
             User.quotas_dialog: false
     upgrade-top-tab:

src/sunstone/etc/sunstone-views/kvm/user.yaml

@@ -146,6 +146,7 @@ tabs:
             User.create_dialog: true
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             User.quotas_dialog: true
             User.groups_dialog: true
             User.chgrp: true
@@ -877,12 +878,14 @@ tabs:
             # Buttons for settings_info_tab
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             # Buttons for settings_config_tab
             Settings.change_language: true
             Settings.change_password: true
             Settings.change_view: true
             Settings.ssh_key: true
             Settings.login_token: true
+            Settings.two_factor_auth: true
             # Edit button in settings_quotas_tab
             User.quotas_dialog: false
     upgrade-top-tab:

src/sunstone/etc/sunstone-views/mixed/admin.yaml

@@ -154,6 +154,7 @@ tabs:
             User.create_dialog: true
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             User.quotas_dialog: true
             User.groups_dialog: true
             User.chgrp: true
@@ -886,12 +887,14 @@ tabs:
             # Buttons for settings_info_tab
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             # Buttons for settings_config_tab
             Settings.change_language: true
             Settings.change_password: true
             Settings.change_view: true
             Settings.ssh_key: true
             Settings.login_token: true
+            Settings.two_factor_auth: true
             # Edit button in settings_quotas_tab
             User.quotas_dialog: false
     upgrade-top-tab:

src/sunstone/etc/sunstone-views/mixed/cloud.yaml

@@ -120,12 +120,14 @@ tabs:
             # Buttons for settings_info_tab
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             # Buttons for settings_config_tab
             Settings.change_language: true
             Settings.change_password: true
             Settings.change_view: true
             Settings.ssh_key: true
             Settings.login_token: true
+            Settings.two_factor_auth: true
             # Edit button in settings_quotas_tab
             User.quotas_dialog: false
     vms-tab:

src/sunstone/etc/sunstone-views/mixed/groupadmin.yaml

@@ -153,6 +153,7 @@ tabs:
             User.create_dialog: true
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             User.quotas_dialog: true
             User.groups_dialog: false
             User.chgrp: false
@@ -884,12 +885,14 @@ tabs:
             # Buttons for settings_info_tab
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             # Buttons for settings_config_tab
             Settings.change_language: true
             Settings.change_password: true
             Settings.change_view: true
             Settings.ssh_key: true
             Settings.login_token: true
+            Settings.two_factor_auth: true
             # Edit button in settings_quotas_tab
             User.quotas_dialog: false
     upgrade-top-tab:

src/sunstone/etc/sunstone-views/mixed/user.yaml

@@ -146,6 +146,7 @@ tabs:
             User.create_dialog: true
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             User.quotas_dialog: true
             User.groups_dialog: true
             User.chgrp: true
@@ -877,12 +878,14 @@ tabs:
             # Buttons for settings_info_tab
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             # Buttons for settings_config_tab
             Settings.change_language: true
             Settings.change_password: true
             Settings.change_view: true
             Settings.ssh_key: true
             Settings.login_token: true
+            Settings.two_factor_auth: true
             # Edit button in settings_quotas_tab
             User.quotas_dialog: false
     upgrade-top-tab:

src/sunstone/etc/sunstone-views/vcenter/admin.yaml

@@ -152,6 +152,7 @@ tabs:
             User.create_dialog: true
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             User.quotas_dialog: true
             User.groups_dialog: true
             User.chgrp: true
@@ -883,12 +884,14 @@ tabs:
             # Buttons for settings_info_tab
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             # Buttons for settings_config_tab
             Settings.change_language: true
             Settings.change_password: true
             Settings.change_view: true
             Settings.ssh_key: true
             Settings.login_token: true
+            Settings.two_factor_auth: true
             # Edit button in settings_quotas_tab
             User.quotas_dialog: false
     upgrade-top-tab:

src/sunstone/etc/sunstone-views/vcenter/cloud.yaml

@@ -121,12 +121,14 @@ tabs:
             # Buttons for settings_info_tab
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             # Buttons for settings_config_tab
             Settings.change_language: true
             Settings.change_password: true
             Settings.change_view: true
             Settings.ssh_key: true
             Settings.login_token: true
+            Settings.two_factor_auth: true
             # Edit button in settings_quotas_tab
             User.quotas_dialog: false
     vms-tab:

src/sunstone/etc/sunstone-views/vcenter/groupadmin.yaml

@@ -153,6 +153,7 @@ tabs:
             User.create_dialog: true
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             User.quotas_dialog: true
             User.groups_dialog: false
             User.chgrp: false
@@ -884,12 +885,14 @@ tabs:
             # Buttons for settings_info_tab
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             # Buttons for settings_config_tab
             Settings.change_language: true
             Settings.change_password: true
             Settings.change_view: true
             Settings.ssh_key: true
             Settings.login_token: true
+            Settings.two_factor_auth: true
             # Edit button in settings_quotas_tab
             User.quotas_dialog: false
     upgrade-top-tab:

src/sunstone/etc/sunstone-views/vcenter/user.yaml

@@ -146,6 +146,7 @@ tabs:
             User.create_dialog: true
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             User.quotas_dialog: true
             User.groups_dialog: true
             User.chgrp: true
@@ -877,12 +878,14 @@ tabs:
             # Buttons for settings_info_tab
             User.update_password: true
             User.login_token: true
+            User.two_factor_auth: true
             # Buttons for settings_config_tab
             Settings.change_language: true
             Settings.change_password: true
             Settings.change_view: true
             Settings.ssh_key: true
             Settings.login_token: true
+            Settings.two_factor_auth: true
             # Edit button in settings_quotas_tab
             User.quotas_dialog: false
     upgrade-top-tab:

src/sunstone/models/OpenNebulaJSON/JSONUtils.rb

@@ -61,6 +61,15 @@ def parse_json_sym(json_str, root_element)
             end
         end
 
+        def template_to_str_sunstone_with_explicite_empty_value(attributes)
+            result = template_to_str(attributes, indent=true)
+            if result == ""
+                "SUNSTONE=[]\n"
+            else
+                result
+            end
+        end
+
         def template_to_str(attributes, indent=true)
              if indent
                  ind_enter="\n"

src/sunstone/models/OpenNebulaJSON/UserJSON.rb

@@ -15,6 +15,7 @@
 #--------------------------------------------------------------------------- #
 
 require 'OpenNebulaJSON/JSONUtils'
+require 'two_factor_auth'
 
 module OpenNebulaJSON
     class UserJSON < OpenNebula::User
@@ -39,14 +40,16 @@ def perform_action(template_json)
             end
 
             rc = case action_hash['perform']
-                 when "passwd"       then self.passwd(action_hash['params'])
-                 when "chgrp"        then self.chgrp(action_hash['params'])
-                 when "chauth"       then self.chauth(action_hash['params'])
-                 when "update"       then self.update(action_hash['params'])
-                 when "set_quota"    then self.set_quota(action_hash['params'])
-                 when "addgroup"     then self.addgroup(action_hash['params'])
-                 when "delgroup"     then self.delgroup(action_hash['params'])
-                 when "login"        then self.login(action_hash['params'])
+                 when "passwd"                  then self.passwd(action_hash['params'])
+                 when "chgrp"                   then self.chgrp(action_hash['params'])
+                 when "chauth"                  then self.chauth(action_hash['params'])
+                 when "update"                  then self.update(action_hash['params'])
+                 when "enable_two_factor_auth"  then self.enable_two_factor_auth(action_hash['params'])
+                 when "disable_two_factor_auth" then self.disable_two_factor_auth(action_hash['params'])
+                 when "set_quota"               then self.set_quota(action_hash['params'])
+                 when "addgroup"                then self.addgroup(action_hash['params'])
+                 when "delgroup"                then self.delgroup(action_hash['params'])
+                 when "login"                   then self.login(action_hash['params'])
                  else
                      error_msg = "#{action_hash['perform']} action not " <<
                          " available for this resource"
@@ -74,6 +77,28 @@ def update(params=Hash.new)
             end
         end
 
+        def enable_two_factor_auth(params=Hash.new)
+            unless TwoFactorAuth.authenticate(params["secret"], params["token"])
+              return OpenNebula::Error.new("Invalid token.")
+            end
+
+            sunstone_setting = { 
+                "sunstone" => params["current_sunstone_setting"].merge("TWO_FACTOR_AUTH_SECRET" => params["secret"]) 
+            }
+            template_raw = template_to_str(sunstone_setting)
+            update_params = { "template_raw" => template_raw, "append" => true }
+            update(update_params)
+        end
+
+        def disable_two_factor_auth(params=Hash.new)
+            sunstone_setting = params["current_sunstone_setting"]
+            sunstone_setting.delete("TWO_FACTOR_AUTH_SECRET")
+            sunstone_setting = { "sunstone" => sunstone_setting }
+	        template_raw = template_to_str_sunstone_with_explicite_empty_value(sunstone_setting)
+            update_params = { "template_raw" => template_raw, "append" => true }
+            update(update_params)
+        end
+
         def set_quota(params=Hash.new)
             quota_json = params['quotas']
             quota_template = template_to_str(quota_json)

src/sunstone/models/my_qr_code.rb

@@ -0,0 +1,32 @@
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2018, OpenNebula Project, OpenNebula Systems                #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+require 'rqrcode'
+
+class MyQrCode
+    def self.build(code)
+        qr_code = RQRCode::QRCode.new(code)
+        new(qr_code)
+    end
+
+    def initialize(qr_code)
+        @qr_code = qr_code
+    end
+
+    def as_svg
+        @qr_code.as_svg
+    end
+end