Merge pull request #185 from magento-gl/DUO_AC10982_13DEC2024

[2FA] Integrate with Duo Web SDK to support Universal Prompt

Author: sidolov

TwoFactorAuth/Api/Data/DuoDataInterface.php

@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2020 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 
@@ -12,62 +12,82 @@
 /**
  * Represents the data needed to use duo
  *
+ * @deprecated This interface is no longer used.
+ * @see none
  * @api
  */
 interface DuoDataInterface extends ExtensibleDataInterface
 {
     /**
      * Signature field name
+     *
+     * @deprecated
+     * @see none
      */
     public const SIGNATURE = 'signature';
 
     /**
      * Api host field name
+     *
+     * @deprecated
+     * @see none
      */
     public const API_HOSTNAME = 'api_hostname';
 
     /**
      * Get the signature
      *
+     * @deprecated
+     * @see none
      * @return string
      */
     public function getSignature(): string;
 
     /**
      * Set the signature
      *
+     * @deprecated
+     * @see none
      * @param string $value
      * @return void
      */
     public function setSignature(string $value): void;
 
-    /**
-     * Get the api hostname
-     *
-     * @return string
-     */
-    public function getApiHostname(): string;
-
     /**
      * Set the api hostname
      *
+     * @deprecated
+     * @see none
      * @param string $value
      * @return void
      */
     public function setApiHostname(string $value): void;
 
+    /**
+     * Get the api hostname
+     *
+     * @deprecated
+     * @see none
+     * @return string
+     */
+    public function getApiHostname(): string;
+
     /**
      * Retrieve existing extension attributes object or create a new one
      *
      * Used fully qualified namespaces in annotations for proper work of extension interface/class code generation
      *
+     * @deprecated
+     * @see none
      * @return \Magento\TwoFactorAuth\Api\Data\DuoDataExtensionInterface|null
      */
     public function getExtensionAttributes(): ?DuoDataExtensionInterface;
 
     /**
      * Set an extension attributes object
      *
+     * @deprecated
+     * @see none
      * @param \Magento\TwoFactorAuth\Api\Data\DuoDataExtensionInterface $extensionAttributes
      * @return void
      */

TwoFactorAuth/Api/DuoAuthenticateInterface.php

@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2020 Adobe
+ * All Rights Reserved.
  */
 
 declare(strict_types=1);
@@ -20,6 +20,8 @@ interface DuoAuthenticateInterface
     /**
      * Get the information required to configure duo
      *
+     * @deprecated this method is deprecated and will be removed in a future release.
+     * @see none
      * @param string $username
      * @param string $password
      * @return \Magento\TwoFactorAuth\Api\Data\DuoDataInterface
@@ -32,6 +34,9 @@ public function getAuthenticateData(
     /**
      * Authenticate and get an admin token
      *
+     * @deprecated this method is deprecated and will be removed in a future release.
+     * @see createAdminAccessTokenWithCredentialsAndPasscode
+     *
      * @param string $username
      * @param string $password
      * @param string $signatureResponse
@@ -42,4 +47,18 @@ public function createAdminAccessTokenWithCredentials(
         string $password,
         string $signatureResponse
     ): string;
+
+    /**
+     * Authenticate and get an admin token with passcode
+     *
+     * @param string $username
+     * @param string $password
+     * @param string $passcode
+     * @return string
+     */
+    public function createAdminAccessTokenWithCredentialsAndPasscode(
+        string $username,
+        string $password,
+        string $passcode
+    ): string;
 }

TwoFactorAuth/Api/DuoConfigureInterface.php

@@ -1,7 +1,7 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2020 Adobe
+ * All Rights Reserved.
  */
 
 declare(strict_types=1);
@@ -20,6 +20,9 @@ interface DuoConfigureInterface
     /**
      * Get the information required to configure duo
      *
+     * @deprecated this method is deprecated and will be removed in a future release.
+     * @see getDuoConfigurationData
+     *
      * @param string $tfaToken
      * @return \Magento\TwoFactorAuth\Api\Data\DuoDataInterface
      */
@@ -30,9 +33,29 @@ public function getConfigurationData(
     /**
      * Activate the provider and get an admin token
      *
+     * @deprecated this method is deprecated and will be removed in a future release.
+     * @see duoActivate
      * @param string $tfaToken
      * @param string $signatureResponse
      * @return void
      */
     public function activate(string $tfaToken, string $signatureResponse): void;
+
+    /**
+     * Configure duo for first time user
+     *
+     * @param string $tfaToken
+     * @return void
+     */
+    public function getDuoConfigurationData(
+        string $tfaToken
+    );
+
+    /**
+     * Activate the provider and get an admin token
+     *
+     * @param string $tfaToken
+     * @return void
+     */
+    public function duoActivate(string $tfaToken): void;
 }

TwoFactorAuth/Block/Adminhtml/System/Config/Providers.php

@@ -1,8 +1,9 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2020 Adobe
+ * All Rights Reserved.
  */
+
 declare(strict_types=1);
 namespace Magento\TwoFactorAuth\Block\Adminhtml\System\Config;
 
@@ -46,7 +47,15 @@ protected function _getElementHtml(AbstractElement $element)
             '#twofactorauth_general_force_providers' => [
                 'Magento_TwoFactorAuth/js/system/config/providers' => [
                     'modalTitleText' => $this->getModalTitleText(),
-                    'modalContentBody' => $this->getModalContentBody()
+                    'modalContentBody' => $this->getModalContentBody(),
+                    'duoProviderValue' => 'duo_security',
+                    'duoFields' => [
+                        'twofactorauth_duo_client_id',
+                        'twofactorauth_duo_client_secret',
+                        'twofactorauth_duo_api_hostname',
+                        'twofactorauth_duo_integration_key',
+                        'twofactorauth_duo_secret_key',
+                    ]
                 ]
             ]
         ];

TwoFactorAuth/Block/Provider/Duo/Auth.php

@@ -1,14 +1,16 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2020 Adobe
+ * All Rights Reserved.
  */
+
 declare(strict_types=1);
 
 namespace Magento\TwoFactorAuth\Block\Provider\Duo;
 
 use Magento\Backend\Block\Template;
 use Magento\Backend\Model\Auth\Session;
+use Magento\Framework\Exception\LocalizedException;
 use Magento\TwoFactorAuth\Model\Provider\Engine\DuoSecurity;
 
 /**
@@ -48,15 +50,14 @@ public function __construct(
      */
     public function getJsLayout()
     {
-        $this->jsLayout['components']['tfa-auth']['postUrl'] =
-            $this->getUrl('*/*/authpost', ['form_key' => $this->getFormKey()]);
-
-        $this->jsLayout['components']['tfa-auth']['signature'] =
-            $this->duoSecurity->getRequestSignature($this->session->getUser());
-
-        $this->jsLayout['components']['tfa-auth']['apiHost'] =
-            $this->duoSecurity->getApiHostname();
-
+        $user = $this->session->getUser();
+        if (!$user) {
+            throw new LocalizedException(__('User session not found.'));
+        }
+        $authUrl = $this->getData('auth_url');
+        if ($authUrl) {
+            $this->jsLayout['components']['tfa-auth']['authUrl'] = $authUrl;
+        }
         return parent::getJsLayout();
     }
 }

TwoFactorAuth/Controller/Adminhtml/Duo/Auth.php

@@ -1,15 +1,18 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2020 Adobe
+ * All Rights Reserved.
  */
+
 declare(strict_types=1);
 
 namespace Magento\TwoFactorAuth\Controller\Adminhtml\Duo;
 
 use Magento\Backend\Model\Auth\Session;
 use Magento\Backend\App\Action;
 use Magento\Framework\App\Action\HttpGetActionInterface;
+use Magento\Framework\Controller\Result\RedirectFactory;
+use Magento\Framework\Message\ManagerInterface;
 use Magento\Framework\View\Result\PageFactory;
 use Magento\TwoFactorAuth\Api\TfaInterface;
 use Magento\TwoFactorAuth\Api\UserConfigManagerInterface;
@@ -48,28 +51,46 @@ class Auth extends AbstractAction implements HttpGetActionInterface
      */
     private $tokenVerifier;
 
+    /**
+     * @var DuoSecurity
+     */
+    private $duoSecurity;
+    /**
+     * @var ManagerInterface
+     */
+    protected $messageManager;
+    /**
+     * @var RedirectFactory
+     */
+    protected $resultRedirectFactory;
+
     /**
      * @param Action\Context $context
      * @param Session $session
      * @param PageFactory $pageFactory
      * @param UserConfigManagerInterface $userConfigManager
      * @param TfaInterface $tfa
      * @param HtmlAreaTokenVerifier $tokenVerifier
+     * @param DuoSecurity $duoSecurity
      */
     public function __construct(
         Action\Context $context,
         Session $session,
         PageFactory $pageFactory,
         UserConfigManagerInterface $userConfigManager,
         TfaInterface $tfa,
-        HtmlAreaTokenVerifier $tokenVerifier
+        HtmlAreaTokenVerifier $tokenVerifier,
+        DuoSecurity $duoSecurity
     ) {
         parent::__construct($context);
         $this->tfa = $tfa;
         $this->session = $session;
         $this->pageFactory = $pageFactory;
         $this->userConfigManager = $userConfigManager;
         $this->tokenVerifier = $tokenVerifier;
+        $this->duoSecurity = $duoSecurity;
+        $this->messageManager = $context->getMessageManager();
+        $this->resultRedirectFactory = $context->getResultRedirectFactory();
     }
 
     /**
@@ -87,8 +108,27 @@ private function getUser()
      */
     public function execute()
     {
+        $user = $this->getUser();
+        if (!$user) {
+            $this->messageManager->addErrorMessage(__('User session not found.'));
+        }
         $this->userConfigManager->setDefaultProvider((int)$this->getUser()->getId(), DuoSecurity::CODE);
-        return $this->pageFactory->create();
+
+        $username = $this->getUser()->getUserName();
+        $state = $this->duoSecurity->generateDuoState();
+        $this->session->setDuoState($state);
+        $response = $this->duoSecurity->initiateAuth($username, $state);
+        if ($response['status'] === 'failure') {
+            // if health check fails, skip the Duo prompt and choose different 2FA.
+            $this->messageManager->addErrorMessage($response['message']);
+        }
+
+        $resultPage = $this->pageFactory->create();
+        $block = $resultPage->getLayout()->getBlock('content');
+        if ($block) {
+            $block->setData('auth_url', $response['redirect_url']);
+        }
+        return $resultPage;
     }
 
     /**