From f09257d29b37a00e71f6a78838ee301d829058cb Mon Sep 17 00:00:00 2001
From: baarkerlounger
Date: Wed, 6 Apr 2022 11:09:27 +0100
Subject: [PATCH] Support role requires 2FA

---
 app/models/user.rb | 8 +++++++-
 ...93139_two_factor_authentication_add_to_user.rb | 15 +++++++++++++++
 db/schema.rb | 8 ++++++++
 spec/models/user_spec.rb | 9 +++++++++
 4 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 db/migrate/20220406093139_two_factor_authentication_add_to_user.rb

diff --git a/app/models/user.rb b/app/models/user.rb
index f60baf072..aee03000b 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -2,7 +2,7 @@ class User < ApplicationRecord
   # Include default devise modules. Others available are:
   # :confirmable, :timeoutable and :omniauthable
   devise :database_authenticatable, :recoverable, :rememberable, :validatable,
-         :trackable, :lockable
+         :trackable, :lockable, :two_factor_authenticatable
 
   belongs_to :organisation
   has_many :owned_case_logs, through: :organisation
@@ -21,6 +21,8 @@ class User < ApplicationRecord
                                   sign_in_count
                                   updated_at]
 
+  has_one_time_password(encrypted: true)
+
   ROLES = {
     data_accessor: 0,
     data_provider: 1,
@@ -68,4 +70,8 @@ class User < ApplicationRecord
   def is_data_protection_officer!
     update!(is_dpo: true)
   end
+
+  def need_two_factor_authentication?
+    support?
+  end
 end
diff --git a/db/migrate/20220406093139_two_factor_authentication_add_to_user.rb b/db/migrate/20220406093139_two_factor_authentication_add_to_user.rb
new file mode 100644
index 000000000..49a88ac68
--- /dev/null
+++ b/db/migrate/20220406093139_two_factor_authentication_add_to_user.rb
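Review bot: `need_two_factor_authentication?` in the last hunk of app/models/user.rb is defined with no parameters, but the gem that supplies `:two_factor_authenticatable` and `has_one_time_password` (the two_factor_authentication gem, judging by the earlier hunks) documents this hook as `need_two_factor_authentication?(request)` and invokes it with the request at sign-in, so a zero-arity definition would raise ArgumentError on the real login path while the model spec, which calls it without an argument, still passes — worth confirming against the gem version pinned in the Gemfile. `def need_two_factor_authentication?(_request = nil)` accepts the gem's call and keeps the existing spec green. `support?` is defined outside the hunk (presumably generated from the ROLES enum), so a short comment such as `# Second factor is mandatory only for the support role, which can read logs across all organisations` would record why this role alone is gated.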
@@ -0,0 +1,15 @@
+class TwoFactorAuthenticationAddToUser < ActiveRecord::Migration[7.0]
+  def change
+    change_table :users, bulk: true do |t|
+      t.column :second_factor_attempts_count, :integer, default: 0
+      t.column :encrypted_otp_secret_key, :string
+      t.column :encrypted_otp_secret_key_iv, :string
+      t.column :encrypted_otp_secret_key_salt, :string
+      t.column :direct_otp, :string
+      t.column :direct_otp_sent_at, :datetime
+      t.column :totp_timestamp, :timestamp
+
+      t.index :encrypted_otp_secret_key, unique: true
+    end
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index c1ca092bb..61368691c 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -324,7 +324,15 @@ ActiveRecord::Schema[7.0].define(version: 202202071123100) do
     t.boolean "is_dpo", default: false
     t.boolean "is_key_contact", default: false
     t.string "phone"
+    t.integer "second_factor_attempts_count", default: 0
+    t.string "encrypted_otp_secret_key"
+    t.string "encrypted_otp_secret_key_iv"
+    t.string "encrypted_otp_secret_key_salt"
+    t.string "direct_otp"
+    t.datetime "direct_otp_sent_at", precision: nil
+    t.datetime "totp_timestamp", precision: nil
     t.index ["email"], name: "index_users_on_email", unique: true
+    t.index ["encrypted_otp_secret_key"], name: "index_users_on_encrypted_otp_secret_key", unique: true
     t.index ["organisation_id"], name: "index_users_on_organisation_id"
     t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
     t.index ["unlock_token"], name: "index_users_on_unlock_token", unique: true
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index a898e7950..b8d92eb9d 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
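Review bot: `t.column :totp_timestamp, :timestamp` uses a different type name from `direct_otp_sent_at`'s `:datetime` although both end up as the same column type (the schema.rb hunk renders both as `t.datetime … precision: nil`), so `t.column :totp_timestamp, :datetime` would read consistently. The `precision: nil` in schema.rb suggests the `t.column` form skips the fractional-second precision Rails 7 gives `t.datetime` columns by default; `t.datetime :direct_otp_sent_at` and `t.datetime :totp_timestamp` would presumably restore it, though whether the gem cares either way should be checked before changing it. A header comment on the migration would help the next reader, e.g. `# Columns used by has_one_time_password(encrypted: true): the TOTP secret is stored encrypted (key/iv/salt triple), the direct OTP is stored in clear text`.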
@@ -64,6 +64,11 @@ RSpec.describe User, type: :model do
       expect { user.is_data_protection_officer! }
         .to change { user.reload.is_data_protection_officer? }.from(false).to(true)
     end
+
+    it "does not require 2FA" do
+      expect(user.need_two_factor_authentication?).to be false
+    end
+
     context "when the user is a Customer Support person" do
       let(:user) { FactoryBot.create(:user, :support) }
       let!(:other_orgs_log) { FactoryBot.create(:case_log) }
@@ -71,6 +76,10 @@ RSpec.describe User, type: :model do
 
       it "has access to logs from all organisations" do
         expect(user.case_logs.to_a).to eq([owned_case_log, managed_case_log, other_orgs_log])
       end
+
+      it "requires 2FA" do
+        expect(user.need_two_factor_authentication?).to be true
+      end
     end
   end
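Review bot: Both new examples call `need_two_factor_authentication?` directly with no argument, which pins the role logic but not the sign-in behaviour the commit title promises: if the authentication gem passes the request into this hook, these examples keep passing while a support user's real login breaks. A request or feature spec that signs in a support user and expects the second-factor step, plus one showing a non-support user reaching the usual landing page, would cover the actual enforcement. The `user` in the first example comes from a `let` outside the hunk, so its description could name the role that `let` builds (e.g. `it "does not require 2FA for a <role>"`) to make the contrast with the support context explicit.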