1
=== modified file 'identityprovider/models/account.py'
2
--- identityprovider/models/account.py	2012-01-18 16:24:23 +0000
3
+++ identityprovider/models/account.py	2012-02-02 17:13:33 +0000
4
@@ -312,6 +312,12 @@
5
312
        except Consumer.DoesNotExist:
312
        except Consumer.DoesNotExist:
6
313
            return []
313
            return []
7
314
314
8
315
    def has_twofactor_devices(self):
9
316
        """Returns True if this Account has any associated two-factor
10
317
        devices (including one-time pads)."""
11
318
        # TODO: Test for one-time pads.
12
319
        return self.devices.exists()
13
320
14
315
    def save(self, force_insert=False, force_update=False, **kwargs):
321
    def save(self, force_insert=False, force_update=False, **kwargs):
15
316
        if settings.READ_ONLY_MODE:
322
        if settings.READ_ONLY_MODE:
16
317
            return
323
            return
17
318
324
18
=== modified file 'identityprovider/tests/unit/test_devices.py'
19
--- identityprovider/tests/unit/test_devices.py	2012-01-27 12:31:00 +0000
20
+++ identityprovider/tests/unit/test_devices.py	2012-02-02 17:13:33 +0000
21
@@ -252,6 +252,30 @@
22
252
252
23
253
        self.assertEqual(AuthenticationDevice.objects.all().count(), 0)
253
        self.assertEqual(AuthenticationDevice.objects.all().count(), 0)
24
254
254
25
255
    def test_preference_reset(self):
26
256
        account = self._get_account()
27
257
        account.twofactor_required = True
28
258
        mock_request = self._get_mock_request()
29
259
        mock_request.user = account
30
260
        mock_request.method = 'POST'
31
261
32
262
        device1 = AuthenticationDevice.objects.create(
33
263
            account=account,
34
264
            key='some key',
35
265
            name='First device'
36
266
        )
37
267
        device2 = AuthenticationDevice.objects.create(
38
268
            account=account,
39
269
            key='some key',
40
270
            name='Second device'
41
271
        )
42
272
43
273
        device_removal(mock_request, device1.id)
44
274
        self.assertTrue(account.twofactor_required)
45
275
46
276
        device_removal(mock_request, device2.id)
47
277
        self.assertFalse(account.twofactor_required)
48
278
49
255
279
50
256
class TestPrefs(TwoFactorTestCase):
280
class TestPrefs(TwoFactorTestCase):
51
257
281
52
258
282
53
=== modified file 'identityprovider/tests/unit/test_views_ui.py'
54
--- identityprovider/tests/unit/test_views_ui.py	2012-01-30 14:42:31 +0000
55
+++ identityprovider/tests/unit/test_views_ui.py	2012-02-02 17:13:33 +0000
56
@@ -1196,6 +1196,20 @@
57
1196
        oath = inputs[0]
1196
        oath = inputs[0]
58
1197
        self.assertEqual(oath.attrib['autocomplete'], 'off')
1197
        self.assertEqual(oath.attrib['autocomplete'], 'off')
59
1198
1198
60
1199
    def test_user_requires_twofactor_auth(self):
61
1200
        def f(require2f, has_devices, returns, logs):
62
1201
            with patch('logging.warning') as mock_warning:
63
1202
                account = Mock()
64
1203
                account.twofactor_required = require2f
65
1204
                account.has_twofactor_devices.return_value = has_devices
66
1205
                r = ui.user_requires_twofactor_auth(account)
67
1206
                self.assertEqual(returns, r)
68
1207
                self.assertEqual(logs, mock_warning.called)
69
1208
        f(require2f=False, has_devices=False, returns=False, logs=False)
70
1209
        f(require2f=False, has_devices=True, returns=False, logs=False)
71
1210
        f(require2f=True, has_devices=False, returns=False, logs=True)
72
1211
        f(require2f=True, has_devices=True, returns=True, logs=False)
73
1212
74
1199
    @patch('identityprovider.views.ui.user_requires_twofactor_auth')
1213
    @patch('identityprovider.views.ui.user_requires_twofactor_auth')
75
1200
    def test_when_user_requires_twofactor_redirected(self, mock_user):
1214
    def test_when_user_requires_twofactor_redirected(self, mock_user):
76
1201
        mock_user.return_value = True
1215
        mock_user.return_value = True
77
1202
1216
78
=== modified file 'identityprovider/views/devices.py'
79
--- identityprovider/views/devices.py	2012-01-30 14:42:31 +0000
80
+++ identityprovider/views/devices.py	2012-02-02 17:13:33 +0000
81
@@ -201,9 +201,15 @@
82
201
        ))
201
        ))
83
202
202
84
203
    device.delete()
203
    device.delete()
85
204
86
204
    # We should probably send an e-mail to the user stating which
205
    # We should probably send an e-mail to the user stating which
87
205
    # device was removed. As a security measure, this would be much
206
    # device was removed. As a security measure, this would be much
88
206
    # stronger if bugs #784813, #784817, and #784818 were done.
207
    # stronger if bugs #784813, #784817, and #784818 were done.
89
208
90
209
    if not request.user.has_twofactor_devices():
91
210
        request.user.twofactor_required = False
92
211
        request.user.save()
93
212
94
207
    return HttpResponseSeeOther('/device-list')
213
    return HttpResponseSeeOther('/device-list')
95
208
214
96
209
215
97
210
216
98
=== modified file 'identityprovider/views/ui.py'
99
--- identityprovider/views/ui.py	2012-01-30 14:42:31 +0000
100
+++ identityprovider/views/ui.py	2012-02-02 17:13:33 +0000
101
@@ -102,7 +102,11 @@
102
102
def user_requires_twofactor_auth(account):
102
def user_requires_twofactor_auth(account):
103
103
    if not gargoyle.is_active('TWOFACTOR'):
103
    if not gargoyle.is_active('TWOFACTOR'):
104
104
        return False
104
        return False
106
105
    return account.twofactor_required
105
    if account.twofactor_required:
107
106
        if account.has_twofactor_devices():
108
107
            return True
109
108
        logging.warning('Account %s requires two-factor but has no devices' % account.openid_identifier)
110
109
    return False
111
106
110
112
107
111
113
108
112
Status:	Merged
Approved by:	Simon Davy on 2012-02-02
Approved revision:	no longer in the source branch.
Merged at revision:	317
Proposed branch:	lp:~canonical-isd-hackers/canonical-identity-provider/2f-reset
Merge into:	lp:canonical-identity-provider/release
Diff against target:	110 lines (+55/-1) 5 files modified identityprovider/models/account.py (+6/-0) identityprovider/tests/unit/test_devices.py (+24/-0) identityprovider/tests/unit/test_views_ui.py (+14/-0) identityprovider/views/devices.py (+6/-0) identityprovider/views/ui.py (+5/-1)
To merge this branch:	bzr merge lp:~canonical-isd-hackers/canonical-identity-provider/2f-reset
Related bugs:	Link a bug report
Reviewer	Review Type	Date Requested	Status
Canonical ISD hackers		2012-02-01	Pending
Review via email: mp+91179@code.launchpad.net
1	=== modified file 'identityprovider/models/account.py'
2	--- identityprovider/models/account.py 2012-01-18 16:24:23 +0000
3	+++ identityprovider/models/account.py 2012-02-02 17:13:33 +0000
4	@@ -312,6 +312,12 @@
5	312	except Consumer.DoesNotExist:	312	except Consumer.DoesNotExist:
6	313	return []	313	return []
7	314		314
8			315	def has_twofactor_devices(self):
9			316	"""Returns True if this Account has any associated two-factor
10			317	devices (including one-time pads)."""
11			318	# TODO: Test for one-time pads.
12			319	return self.devices.exists()
13			320
14	315	def save(self, force_insert=False, force_update=False, **kwargs):	321	def save(self, force_insert=False, force_update=False, **kwargs):
15	316	if settings.READ_ONLY_MODE:	322	if settings.READ_ONLY_MODE:
16	317	return	323	return
17	318		324
18	=== modified file 'identityprovider/tests/unit/test_devices.py'
19	--- identityprovider/tests/unit/test_devices.py 2012-01-27 12:31:00 +0000
20	+++ identityprovider/tests/unit/test_devices.py 2012-02-02 17:13:33 +0000
21	@@ -252,6 +252,30 @@
22	252		252
23	253	self.assertEqual(AuthenticationDevice.objects.all().count(), 0)	253	self.assertEqual(AuthenticationDevice.objects.all().count(), 0)
24	254		254
25			255	def test_preference_reset(self):
26			256	account = self._get_account()
27			257	account.twofactor_required = True
28			258	mock_request = self._get_mock_request()
29			259	mock_request.user = account
30			260	mock_request.method = 'POST'
31			261
32			262	device1 = AuthenticationDevice.objects.create(
33			263	account=account,
34			264	key='some key',
35			265	name='First device'
36			266	)
37			267	device2 = AuthenticationDevice.objects.create(
38			268	account=account,
39			269	key='some key',
40			270	name='Second device'
41			271	)
42			272
43			273	device_removal(mock_request, device1.id)
44			274	self.assertTrue(account.twofactor_required)
45			275
46			276	device_removal(mock_request, device2.id)
47			277	self.assertFalse(account.twofactor_required)
48			278
49	255		279
50	256	class TestPrefs(TwoFactorTestCase):	280	class TestPrefs(TwoFactorTestCase):
51	257		281
52	258		282
53	=== modified file 'identityprovider/tests/unit/test_views_ui.py'
54	--- identityprovider/tests/unit/test_views_ui.py 2012-01-30 14:42:31 +0000
55	+++ identityprovider/tests/unit/test_views_ui.py 2012-02-02 17:13:33 +0000
56	@@ -1196,6 +1196,20 @@
57	1196	oath = inputs[0]	1196	oath = inputs[0]
58	1197	self.assertEqual(oath.attrib['autocomplete'], 'off')	1197	self.assertEqual(oath.attrib['autocomplete'], 'off')
59	1198		1198
60			1199	def test_user_requires_twofactor_auth(self):
61			1200	def f(require2f, has_devices, returns, logs):
62			1201	with patch('logging.warning') as mock_warning:
63			1202	account = Mock()
64			1203	account.twofactor_required = require2f
65			1204	account.has_twofactor_devices.return_value = has_devices
66			1205	r = ui.user_requires_twofactor_auth(account)
67			1206	self.assertEqual(returns, r)
68			1207	self.assertEqual(logs, mock_warning.called)
69			1208	f(require2f=False, has_devices=False, returns=False, logs=False)
70			1209	f(require2f=False, has_devices=True, returns=False, logs=False)
71			1210	f(require2f=True, has_devices=False, returns=False, logs=True)
72			1211	f(require2f=True, has_devices=True, returns=True, logs=False)
73			1212
74	1199	@patch('identityprovider.views.ui.user_requires_twofactor_auth')	1213	@patch('identityprovider.views.ui.user_requires_twofactor_auth')
75	1200	def test_when_user_requires_twofactor_redirected(self, mock_user):	1214	def test_when_user_requires_twofactor_redirected(self, mock_user):
76	1201	mock_user.return_value = True	1215	mock_user.return_value = True
77	1202		1216
78	=== modified file 'identityprovider/views/devices.py'
79	--- identityprovider/views/devices.py 2012-01-30 14:42:31 +0000
80	+++ identityprovider/views/devices.py 2012-02-02 17:13:33 +0000
81	@@ -201,9 +201,15 @@
82	201	))	201	))
83	202		202
84	203	device.delete()	203	device.delete()
85			204
86	204	# We should probably send an e-mail to the user stating which	205	# We should probably send an e-mail to the user stating which
87	205	# device was removed. As a security measure, this would be much	206	# device was removed. As a security measure, this would be much
88	206	# stronger if bugs #784813, #784817, and #784818 were done.	207	# stronger if bugs #784813, #784817, and #784818 were done.
89			208
90			209	if not request.user.has_twofactor_devices():
91			210	request.user.twofactor_required = False
92			211	request.user.save()
93			212
94	207	return HttpResponseSeeOther('/device-list')	213	return HttpResponseSeeOther('/device-list')
95	208		214
96	209		215
97	210		216
98	=== modified file 'identityprovider/views/ui.py'
99	--- identityprovider/views/ui.py 2012-01-30 14:42:31 +0000
100	+++ identityprovider/views/ui.py 2012-02-02 17:13:33 +0000
101	@@ -102,7 +102,11 @@
102	102	def user_requires_twofactor_auth(account):	102	def user_requires_twofactor_auth(account):
103	103	if not gargoyle.is_active('TWOFACTOR'):	103	if not gargoyle.is_active('TWOFACTOR'):
104	104	return False	104	return False
106	105	return account.twofactor_required	105	if account.twofactor_required:
107			106	if account.has_twofactor_devices():
108			107	return True
109			108	logging.warning('Account %s requires two-factor but has no devices' % account.openid_identifier)
110			109	return False
111	106		110
112	107		111
113	108		112