Merge pull request #28 from nexcess/devel

Devel

Author: miguelbalparda

CHANGELOG.md

@@ -0,0 +1,16 @@
+SHELL := /bin/bash
+.PHONY: connect-desc connect-pkg all clean
+
+connect-desc:
+	grep -v 'Build Status' README.md | markdown_py -o html5 -f "build/magento-connect-desc-$(shell ./util/get-version.sh).html"
+
+connect-changelog:
+	markdown_py -o html5 -f "build/magento-connect-changelog-$(shell ./util/get-version.sh).html" CHANGELOG.md
+
+connect-pkg:
+	./build/build_package.py -d build/mage-package.xml
+
+all: connect-desc connect-changelog connect-pkg
+
+clean:
+	rm -f ./build/*.tgz ./build/*.html ./package.xml

Makefile

@@ -40,7 +40,7 @@ to the **devel** branch. The *master* branch is only for stable releases. Please
 make sure the new code follows the same style and conventions as already written
 code.
 
-### Referanced work
+### Referenced work
 
 Some code based on previous work by Jonathan Day [email protected]
 - https://github.com/magento-hackathon/Magento-Two-factor-Authentication
@@ -51,7 +51,7 @@ Some code based on previous work by Michael Kliewe/PHPGangsta
 
 ----
 ### Notes -
-1. Installing this module will update the AdminUser table in the Magento database to add a twofactor_google_secret
+1. Installing this module will update the admin_user table in the Magento database to add a twofactor_google_secret
 field for storing the local GA key. It is safe to remove this field once the module is removed.
 1. If you get locked out of admin because of a settings issue, loss of your provider account or other software related issue, you can *temporarily disable* the second factor authentication - 
  - Place a file named __tfaoff.flag__ in the root directory of your Magento installation.

README.md

@@ -18,6 +18,7 @@ public function __construct()
         $this->_provider = Mage::getStoreConfig('he2faconfig/control/provider');
         $this->_logging = Mage::getStoreConfig('he2faconfig/control/logging');
         $this->_logAccess = Mage::getStoreConfig('he2faconfig/control/logaccess');
+        $this->_ipWhitelist = $this->getIPWhitelist();
     }
 
     public function isDisabled()
@@ -66,4 +67,33 @@ public function disable2FA()
         Mage::getModel('core/config')->saveConfig('he2faconfig/control/provider', 'disabled');
         Mage::app()->getStore()->resetConfig();
     }
+
+    private function getIPWhitelist()
+    {
+        $return = [];
+        $ips = preg_split("/\r\n|\n|\r/", trim(Mage::getStoreConfig('he2faconfig/control/ipwhitelist')));
+        foreach ($ips as $ip) { 
+            if (filter_var($ip, FILTER_VALIDATE_IP)) { 
+                $return[] = trim($ip);
+            }           
+        }
+        return $return;
+    }
+
+
+    public function inWhitelist($ip) 
+    {
+        if (count($this->_ipWhitelist) == 0) { return false; }
+
+        if (in_array( $ip, $this->_ipWhitelist )) { 
+            if ( $this->shouldLogAccess() ) {
+                Mage::log("TFA bypassed for IP $ip - whitelisted", 0, "two_factor_auth.log");
+            }
+            return true;
+        }
+        else { 
+            return false; 
+        }
+    }
+
 }

app/code/community/HE/TwoFactorAuth/Helper/Data.php

@@ -15,7 +15,7 @@
 
 class HE_TwoFactorAuth_Model_Observer
 {
-    protected $_allowedActions = array('login', 'forgotpassword');
+    protected $_allowedActions = array('login', 'forgotpassword', 'resetpassword', 'resetpasswordpost');
 
     public function __construct()
     {
@@ -28,6 +28,11 @@ public function admin_user_authenticate_after($observer)
             return;
         }
 
+        // check ip-whitelist
+        if (Mage::helper('he_twofactorauth')->inWhitelist( Mage::helper('core/http')->getRemoteAddr() )) { 
+            Mage::getSingleton('admin/session')->set2faState(HE_TwoFactorAuth_Model_Validate::TFA_STATE_ACTIVE);
+        }
+
         if (Mage::getSingleton('admin/session')->get2faState() != HE_TwoFactorAuth_Model_Validate::TFA_STATE_ACTIVE) {
 
             if ($this->_shouldLog) {
@@ -211,9 +216,7 @@ public function googleSaveClear(Varien_Event_Observer $observer)
         // check that a user record has been saved
 
         // if google is turned and 2fa active...
-        if ((Mage::helper('he_twofactorauth')->getProvider() == 'google')
-            && (!Mage::helper('he_twofactorauth')->isDisabled())
-        ) {
+        if (Mage::helper('he_twofactorauth')->getProvider() == 'google') {
             $params = Mage::app()->getRequest()->getParams();
             if (isset($params['clear_google_secret'])) {
                 if ($params['clear_google_secret'] == 1) {
@@ -228,4 +231,4 @@ public function googleSaveClear(Varien_Event_Observer $observer)
             }
         }
     }
-}
+}

app/code/community/HE/TwoFactorAuth/Model/Observer.php

@@ -27,6 +27,14 @@ public function _construct()
         parent::_construct();
     }
 
+    /**
+     * Allow all admin users to access the 2fa forms
+     */
+    protected function _isAllowed()
+    {
+        return true;
+    }
+
     //need an action per provider so that we can load the correct 2fa form
 
     public function duoAction()

app/code/community/HE/TwoFactorAuth/controllers/Adminhtml/TwofactorController.php

@@ -27,15 +27,15 @@
         </helpers>
 
         <events>
-            <controller_action_postdispatch_adminhtml>
+            <controller_action_predispatch_adminhtml>
                 <observers>
                     <he_twofactorauth_observer_check>
                         <type>singleton</type>
                         <class>he_twofactorauth/observer</class>
                         <method>check_twofactor_active</method>
                     </he_twofactorauth_observer_check>
                 </observers>
-            </controller_action_postdispatch_adminhtml>
+            </controller_action_predispatch_adminhtml>
         </events>
 
         <resources>
@@ -132,8 +132,8 @@
         <he2falinks>
             <human-element-link>http://www.human-element.com</human-element-link>
             <nexcess-link>https://www.nexcess.net</nexcess-link>
-            <docs-link>http://www.human-element.com/sentry-two-factor-authentication-documentation</docs-link>
-            <submit-bug-link>http://www.human-element.com/sentry-two-factor-authentication-documentation#bugs</submit-bug-link>
+            <docs-link>https://github.com/nexcess/magento-sentry-two-factor-authentication/wiki</docs-link>
+            <submit-bug-link>https://github.com/nexcess/magento-sentry-two-factor-authentication/issues</submit-bug-link>
             <multi-auth-link>http://en.wikipedia.org/wiki/Multi-factor_authentication</multi-auth-link>
             <mage-support-link>http://www.human-element.com/magento-support-page</mage-support-link>
             <contact-link>http://www.human-element.com/contact/#contact-form</contact-link>
@@ -160,4 +160,4 @@
             </control>
         </he2faconfig>
     </default>
-</config>
+</config>

app/code/community/HE/TwoFactorAuth/etc/config.xml

@@ -47,6 +47,19 @@
                             </comment>
                         </provider>
 
+                        <ipwhitelist>
+                            <label>Whitelisted IP Addresses</label>
+                            <frontend_type>textarea</frontend_type>
+                            <sort_order>15</sort_order>
+                            <show_in_default>1</show_in_default>
+                            <show_in_website>1</show_in_website>
+                            <comment>
+                                <![CDATA[
+                                    You may whitelist IP addresses here (one per line). Anyone logging in from a whitelisted IP will not be required to perform two-factor authentication.
+                                ]]>
+                            </comment>                 
+                        </ipwhitelist>
+
                         <logaccess>
                             <label>Enable access logging</label>
                             <frontend_type>select</frontend_type>

app/code/community/HE/TwoFactorAuth/etc/system.xml

@@ -55,7 +55,7 @@
     <link rel="icon" href="<?php echo $this->getSkinUrl('favicon.ico'); ?>" type="image/x-icon" />
     <link rel="shortcut icon" href="<?php echo $this->getSkinUrl('favicon.ico'); ?>" type="image/x-icon" />
 
-    <script type="text/javascript" src="<?php echo $this->getJsUrl(); ?>index.php/x.js?f=prototype/prototype.js,prototype/validation.js,mage/adminhtml/events.js,mage/adminhtml/form.js,scriptaculous/effects.js"></script>
+    <script type="text/javascript" src="<?php echo $this->getJsUrl(); ?>index.php/x.js?c=auto&f=prototype/prototype.js,prototype/validation.js,mage/adminhtml/events.js,mage/adminhtml/form.js,scriptaculous/effects.js"></script>
     <script type="text/javascript" src="<?php echo $this->getJsUrl('mage/captcha.js') ?>"></script>
 
     <!--[if IE]> <link rel="stylesheet" href="<?php echo $this->getSkinUrl('iestyles.css'); ?>" type="text/css" media="all" /> <![endif]-->