Support role requires 2FA

3 years ago · f09257d29b
4 changed files with 39 additions and 1 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -2,7 +2,7 @@ class User < ApplicationRecord
  # Include default devise modules. Others available are:
  # :confirmable, :timeoutable and :omniauthable
  devise :database_authenticatable, :recoverable, :rememberable, :validatable,
-         :trackable, :lockable
+         :trackable, :lockable, :two_factor_authenticatable

  belongs_to :organisation
  has_many :owned_case_logs, through: :organisation
@ -21,6 +21,8 @@ class User < ApplicationRecord
                             sign_in_count
                             updated_at]

+  has_one_time_password(encrypted: true)
+
  ROLES = {
    data_accessor: 0,
    data_provider: 1,
@ -68,4 +70,8 @@ class User < ApplicationRecord
  def is_data_protection_officer!
    update!(is_dpo: true)
  end
+
+  def need_two_factor_authentication?
+    support?
+  end
 end
--- a/db/migrate/20220406093139_two_factor_authentication_add_to_user.rb
+++ b/db/migrate/20220406093139_two_factor_authentication_add_to_user.rb
@ -0,0 +1,15 @@
+class TwoFactorAuthenticationAddToUser < ActiveRecord::Migration[7.0]
+  def change
+    change_table :users, bulk: true do |t|
+      t.column :second_factor_attempts_count, :integer, default: 0
+      t.column :encrypted_otp_secret_key, :string
+      t.column :encrypted_otp_secret_key_iv, :string
+      t.column :encrypted_otp_secret_key_salt, :string
+      t.column :direct_otp, :string
+      t.column :direct_otp_sent_at, :datetime
+      t.column :totp_timestamp, :timestamp
+
+      t.index :encrypted_otp_secret_key, unique: true
+    end
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -324,7 +324,15 @@ ActiveRecord::Schema[7.0].define(version: 202202071123100) do
    t.boolean "is_dpo", default: false
    t.boolean "is_key_contact", default: false
    t.string "phone"
+    t.integer "second_factor_attempts_count", default: 0
+    t.string "encrypted_otp_secret_key"
+    t.string "encrypted_otp_secret_key_iv"
+    t.string "encrypted_otp_secret_key_salt"
+    t.string "direct_otp"
+    t.datetime "direct_otp_sent_at", precision: nil
+    t.datetime "totp_timestamp", precision: nil
    t.index ["email"], name: "index_users_on_email", unique: true
+    t.index ["encrypted_otp_secret_key"], name: "index_users_on_encrypted_otp_secret_key", unique: true
    t.index ["organisation_id"], name: "index_users_on_organisation_id"
    t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
    t.index ["unlock_token"], name: "index_users_on_unlock_token", unique: true
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@ -64,6 +64,11 @@ RSpec.describe User, type: :model do
      expect { user.is_data_protection_officer! }
        .to change { user.reload.is_data_protection_officer? }.from(false).to(true)
    end
+
+    it "does not require 2FA" do
+      expect(user.need_two_factor_authentication?).to be false
+    end
+
    context "when the user is a Customer Support person" do
      let(:user) { FactoryBot.create(:user, :support) }
      let!(:other_orgs_log) { FactoryBot.create(:case_log) }
@ -71,6 +76,10 @@ RSpec.describe User, type: :model do
      it "has access to logs from all organisations" do
        expect(user.case_logs.to_a).to eq([owned_case_log, managed_case_log, other_orgs_log])
      end
+
+      it "requires 2FA" do
+        expect(user.need_two_factor_authentication?).to be true
+      end
    end
  end