#84: Generate TOTP secret key

This commit is contained in:
jendib 2016-03-22 01:18:18 +01:00
parent 5de77e35dc
commit 718728a672
15 changed files with 69 additions and 29 deletions


@ -40,6 +40,7 @@
<com.twelvemonkeys.imageio.version>3.2.1</com.twelvemonkeys.imageio.version>
<com.levigo.jbig2.levigo-jbig2-imageio.version>1.6.5</com.levigo.jbig2.levigo-jbig2-imageio.version>
<com.github.jai-imageio.jai-imageio-core.version>1.3.1</com.github.jai-imageio.jai-imageio-core.version>
<com.warrenstrange.googleauth>0.6.0</com.warrenstrange.googleauth>
<org.eclipse.jetty.jetty-server.version>9.2.13.v20150730</org.eclipse.jetty.jetty-server.version>
<org.eclipse.jetty.jetty-webapp.version>9.2.13.v20150730</org.eclipse.jetty.jetty-webapp.version>
@ -395,18 +396,27 @@
<version>${com.twelvemonkeys.imageio.version}</version>
</dependency>
<dependency><!-- Only JBIG2 -->
<!-- Only JBIG2 -->
<dependency>
<groupId>com.levigo.jbig2</groupId>
<artifactId>levigo-jbig2-imageio</artifactId>
<version>${com.levigo.jbig2.levigo-jbig2-imageio.version}</version>
</dependency>
<dependency><!-- Essentially TIFF (for OCR) -->
<!-- Essentially TIFF (for OCR) -->
<dependency>
<groupId>com.github.jai-imageio</groupId>
<artifactId>jai-imageio-core</artifactId>
<version>${com.github.jai-imageio.jai-imageio-core.version}</version>
</dependency>
<!-- TOTP Authentication -->
<dependency>
<groupId>com.warrenstrange</groupId>
<artifactId>googleauth</artifactId>
<version>${com.warrenstrange.googleauth}</version>
</dependency>
</dependencies>
</dependencyManagement>


@ -89,6 +89,11 @@
<artifactId>servlet</artifactId>
</dependency>
<dependency>
<groupId>com.warrenstrange</groupId>
<artifactId>googleauth</artifactId>
</dependency>
<!-- Test dependencies -->
<dependency>
<groupId>com.sismics.docs</groupId>


@ -55,6 +55,8 @@ import com.sismics.rest.util.JsonUtil;
import com.sismics.rest.util.ValidationUtil;
import com.sismics.security.UserPrincipal;
import com.sismics.util.filter.TokenBasedSecurityFilter;
import com.warrenstrange.googleauth.GoogleAuthenticator;
import com.warrenstrange.googleauth.GoogleAuthenticatorKey;
/**
* User REST resources.
@ -639,6 +641,29 @@ public class UserResource extends BaseResource {
return Response.ok().entity(response.build()).build();
}
@POST
@Path("enable_totp")
public Response enableTotp() {
if (!authenticate()) {
throw new ForbiddenClientException();
}
// Create a new TOTP key and scratch codes
// TODO Copy library sources here to scrap useless dependencies and make verification code generation public for testing
GoogleAuthenticator gAuth = new GoogleAuthenticator();
final GoogleAuthenticatorKey key = gAuth.createCredentials();
JsonArrayBuilder scratchCodes = Json.createArrayBuilder();
for (int scratchCode : key.getScratchCodes()) {
scratchCodes.add(scratchCode);
}
JsonObjectBuilder response = Json.createObjectBuilder()
.add("secret", key.getKey())
.add("scratch_codes", scratchCodes);
return Response.ok().entity(response.build()).build();
}
/**
* Returns the authentication token value.
*
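Review bot: The secret and scratch codes built in `enableTotp` are only returned to the client — nothing in the hunk stores `key.getKey()` or the scratch codes against the authenticated user, so as far as this hunk shows every call to the endpoint mints a fresh secret (`gAuth.createCredentials()`) and there is nothing a later login could verify a code against. Before the response is built the secret should be persisted on the user record and the scratch codes stored in a form that lets each be consumed once, or the method's Javadoc should state that persistence is deferred to a follow-up; either way it needs the Javadoc its neighbours carry, e.g. `/** Generate a new TOTP secret and scratch codes for the current user. @return JSON with "secret" and "scratch_codes" */`. Since the only gate is `authenticate()`, consider requiring the current password on this POST as well, so a stolen session cookie alone cannot enrol a second factor. The TODO about copying the library sources would cut the project off from upstream fixes to the key generation; an injectable `GoogleAuthenticator` gives the same testability without vendoring.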


@ -23,8 +23,6 @@ import com.sismics.util.filter.TokenBasedSecurityFilter;
public class TestAclResource extends BaseJerseyTest {
/**
* Test the ACL resource.
*
* @throws JSONException
*/
@Test
public void testAclResource() {


@ -21,8 +21,6 @@ import com.sismics.util.filter.TokenBasedSecurityFilter;
public class TestAppResource extends BaseJerseyTest {
/**
* Test the API resource.
*
* @throws JSONException
*/
@Test
public void testAppResource() {
@ -63,8 +61,6 @@ public class TestAppResource extends BaseJerseyTest {
/**
* Test the log resource.
*
* @throws JSONException
*/
@Test
public void testLogResource() {


@ -20,8 +20,6 @@ import com.sismics.util.filter.TokenBasedSecurityFilter;
public class TestAuditLogResource extends BaseJerseyTest {
/**
* Test the audit log resource.
*
* @throws JSONException
*/
@Test
public void testAuditLogResource() {


@ -21,11 +21,9 @@ import com.sismics.util.filter.TokenBasedSecurityFilter;
public class TestCommentResource extends BaseJerseyTest {
/**
* Test the comment resource.
*
* @throws Exception
*/
@Test
public void testCommentResource() throws Exception {
public void testCommentResource() {
// Login comment1
clientUtil.createUser("comment1");
String comment1Token = clientUtil.login("comment1");


@ -359,9 +359,8 @@ public class TestDocumentResource extends BaseJerseyTest {
* @param query Search query
* @param token Authentication token
* @return Number of documents found
* @throws Exception
*/
private int searchDocuments(String query, String token) throws Exception {
private int searchDocuments(String query, String token) {
JsonObject json = target().path("/document/list")
.queryParam("search", query)
.request()


@ -198,6 +198,11 @@ public class TestFileResource extends BaseJerseyTest {
Assert.assertEquals(1, files.size());
}
/**
* Test orphan files (without linked document).
*
* @throws Exception
*/
@Test
public void testOrphanFile() throws Exception {
// Login file2
@ -283,6 +288,11 @@ public class TestFileResource extends BaseJerseyTest {
Assert.assertEquals("ok", json.getString("status"));
}
/**
* Test user quota.
*
* @throws Exception
*/
@Test
public void testQuota() throws Exception {
// Login file_quota


@ -22,8 +22,6 @@ import com.sismics.util.filter.TokenBasedSecurityFilter;
public class TestGroupResource extends BaseJerseyTest {
/**
* Test the group resource.
*
* @throws JSONException
*/
@Test
public void testGroupResource() {


@ -21,8 +21,6 @@ import com.sismics.util.filter.TokenBasedSecurityFilter;
public class TestSecurity extends BaseJerseyTest {
/**
* Test of the security layer.
*
* @throws JSONException
*/
@Test
public void testSecurity() {


@ -28,7 +28,6 @@ import com.sismics.util.filter.TokenBasedSecurityFilter;
public class TestShareResource extends BaseJerseyTest {
/**
* Test the share resource.
* @throws Exception
*
* @throws Exception
*/


@ -21,8 +21,6 @@ import com.sismics.util.filter.TokenBasedSecurityFilter;
public class TestTagResource extends BaseJerseyTest {
/**
* Test the tag resource.
*
* @throws JSONException
*/
@Test
public void testTagResource() {


@ -22,8 +22,6 @@ import com.sismics.util.filter.TokenBasedSecurityFilter;
public class TestUserResource extends BaseJerseyTest {
/**
* Test the user resource.
*
* @throws JSONException
*/
@Test
public void testUserResource() {
@ -229,8 +227,6 @@ public class TestUserResource extends BaseJerseyTest {
/**
* Test the user resource admin functions.
*
* @throws JSONException
*/
@Test
public void testUserResourceAdmin() {
@ -290,4 +286,18 @@ public class TestUserResource extends BaseJerseyTest {
json = response.readEntity(JsonObject.class);
Assert.assertEquals("UserNotFound", json.getString("type"));
}
@Test
public void testTotp() {
// Create totp1 user
clientUtil.createUser("totp1");
String totp1Token = clientUtil.login("totp1");
// Enable TOTP for totp1
JsonObject json = target().path("/user/enable_totp").request()
.cookie(TokenBasedSecurityFilter.COOKIE_NAME, totp1Token)
.post(Entity.form(new Form()), JsonObject.class);
String secret = json.getString("secret");
Assert.assertNotNull(secret);
}
}
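Review bot: `testTotp` only asserts that `secret` is non-null, which `json.getString("secret")` already guarantees by throwing when the key is absent, so the assertion cannot fail on its own; it should check the shape the endpoint promises — `Assert.assertFalse(secret.isEmpty());` and `Assert.assertFalse(json.getJsonArray("scratch_codes").isEmpty());`. The test never drives a verification path, so a regression in the generated key would go unnoticed; until a verification endpoint exists, a line such as `// TODO verify a generated code against the secret once verification is exposed` records the gap. A Javadoc block matching the other tests in this class (`/** Test TOTP enrolment. */`) would keep the file consistent.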


@ -19,11 +19,9 @@ import com.sismics.util.filter.TokenBasedSecurityFilter;
public class TestVocabularyResource extends BaseJerseyTest {
/**
* Test the vocabulary resource.
*
* @throws Exception
*/
@Test
public void testVocabularyResource() throws Exception {
public void testVocabularyResource() {
// Login vocabulary1
clientUtil.createUser("vocabulary1");
String vocabulary1Token = clientUtil.login("vocabulary1");