348 changed files with 13074 additions and 1926 deletions
@ -0,0 +1,37 @@ |
|||
-- |
|||
-- Copyright © 2016-2022 The Thingsboard Authors |
|||
-- |
|||
-- Licensed under the Apache License, Version 2.0 (the "License"); |
|||
-- you may not use this file except in compliance with the License. |
|||
-- You may obtain a copy of the License at |
|||
-- |
|||
-- http://www.apache.org/licenses/LICENSE-2.0 |
|||
-- |
|||
-- Unless required by applicable law or agreed to in writing, software |
|||
-- distributed under the License is distributed on an "AS IS" BASIS, |
|||
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
-- See the License for the specific language governing permissions and |
|||
-- limitations under the License. |
|||
-- |
|||
|
|||
CREATE TABLE IF NOT EXISTS queue ( |
|||
id uuid NOT NULL CONSTRAINT queue_pkey PRIMARY KEY, |
|||
created_time bigint NOT NULL, |
|||
tenant_id uuid, |
|||
name varchar(255), |
|||
topic varchar(255), |
|||
poll_interval int, |
|||
partitions int, |
|||
consumer_per_partition boolean, |
|||
pack_processing_timeout bigint, |
|||
submit_strategy varchar(255), |
|||
processing_strategy varchar(255), |
|||
additional_info varchar |
|||
); |
|||
|
|||
CREATE TABLE IF NOT EXISTS user_auth_settings ( |
|||
id uuid NOT NULL CONSTRAINT user_auth_settings_pkey PRIMARY KEY, |
|||
created_time bigint NOT NULL, |
|||
user_id uuid UNIQUE NOT NULL CONSTRAINT fk_user_auth_settings_user_id REFERENCES tb_user(id), |
|||
two_fa_settings varchar |
|||
); |
|||
@ -0,0 +1,49 @@ |
|||
-- |
|||
-- Copyright © 2016-2022 The Thingsboard Authors |
|||
-- |
|||
-- Licensed under the Apache License, Version 2.0 (the "License"); |
|||
-- you may not use this file except in compliance with the License. |
|||
-- You may obtain a copy of the License at |
|||
-- |
|||
-- http://www.apache.org/licenses/LICENSE-2.0 |
|||
-- |
|||
-- Unless required by applicable law or agreed to in writing, software |
|||
-- distributed under the License is distributed on an "AS IS" BASIS, |
|||
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
-- See the License for the specific language governing permissions and |
|||
-- limitations under the License. |
|||
-- |
|||
|
|||
ALTER TABLE device_profile |
|||
ADD COLUMN IF NOT EXISTS default_queue_id uuid; |
|||
|
|||
DO |
|||
$$ |
|||
BEGIN |
|||
IF EXISTS |
|||
(SELECT column_name |
|||
FROM information_schema.columns |
|||
WHERE table_name = 'device_profile' |
|||
AND column_name = 'default_queue_name' |
|||
) |
|||
THEN |
|||
UPDATE device_profile |
|||
SET default_queue_id = q.id |
|||
FROM queue as q |
|||
WHERE default_queue_name = q.name; |
|||
END IF; |
|||
END |
|||
$$; |
|||
|
|||
DO |
|||
$$ |
|||
BEGIN |
|||
IF NOT EXISTS(SELECT 1 FROM pg_constraint WHERE conname = 'fk_default_queue_device_profile') THEN |
|||
ALTER TABLE device_profile |
|||
ADD CONSTRAINT fk_default_queue_device_profile FOREIGN KEY (default_queue_id) REFERENCES queue (id); |
|||
END IF; |
|||
END; |
|||
$$; |
|||
|
|||
ALTER TABLE device_profile |
|||
DROP COLUMN IF EXISTS default_queue_name; |
|||
@ -0,0 +1,272 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.controller; |
|||
|
|||
import io.swagger.annotations.ApiOperation; |
|||
import io.swagger.annotations.ApiParam; |
|||
import lombok.Data; |
|||
import lombok.RequiredArgsConstructor; |
|||
import org.springframework.security.access.prepost.PreAuthorize; |
|||
import org.springframework.web.bind.annotation.DeleteMapping; |
|||
import org.springframework.web.bind.annotation.GetMapping; |
|||
import org.springframework.web.bind.annotation.PostMapping; |
|||
import org.springframework.web.bind.annotation.PutMapping; |
|||
import org.springframework.web.bind.annotation.RequestBody; |
|||
import org.springframework.web.bind.annotation.RequestMapping; |
|||
import org.springframework.web.bind.annotation.RequestParam; |
|||
import org.springframework.web.bind.annotation.RestController; |
|||
import org.thingsboard.server.common.data.exception.ThingsboardException; |
|||
import org.thingsboard.server.common.data.security.model.mfa.PlatformTwoFaSettings; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.AccountTwoFaSettings; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.TwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType; |
|||
import org.thingsboard.server.queue.util.TbCoreComponent; |
|||
import org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService; |
|||
import org.thingsboard.server.service.security.auth.mfa.config.TwoFaConfigManager; |
|||
import org.thingsboard.server.service.security.model.SecurityUser; |
|||
|
|||
import javax.validation.Valid; |
|||
import java.util.Collections; |
|||
import java.util.List; |
|||
import java.util.stream.Collectors; |
|||
|
|||
import static org.thingsboard.server.controller.ControllerConstants.NEW_LINE; |
|||
|
|||
@RestController |
|||
@RequestMapping("/api/2fa") |
|||
@TbCoreComponent |
|||
@RequiredArgsConstructor |
|||
public class TwoFaConfigController extends BaseController { |
|||
|
|||
private final TwoFaConfigManager twoFaConfigManager; |
|||
private final TwoFactorAuthService twoFactorAuthService; |
|||
|
|||
|
|||
@ApiOperation(value = "Get account 2FA settings (getAccountTwoFaSettings)", |
|||
notes = "Get user's account 2FA configuration. Configuration contains configs for different 2FA providers." + NEW_LINE + |
|||
"Example:\n" + |
|||
"```\n{\n \"configs\": {\n" + |
|||
" \"EMAIL\": {\n \"providerType\": \"EMAIL\",\n \"useByDefault\": true,\n \"email\": \"tenant@thingsboard.org\"\n },\n" + |
|||
" \"TOTP\": {\n \"providerType\": \"TOTP\",\n \"useByDefault\": false,\n \"authUrl\": \"otpauth://totp/TB%202FA:tenant@thingsboard.org?issuer=TB+2FA&secret=P6Z2TLYTASOGP6LCJZAD24ETT5DACNNX\"\n },\n" + |
|||
" \"SMS\": {\n \"providerType\": \"SMS\",\n \"useByDefault\": false,\n \"phoneNumber\": \"+380501253652\"\n }\n" + |
|||
" }\n}\n```" + |
|||
ControllerConstants.AVAILABLE_FOR_ANY_AUTHORIZED_USER) |
|||
@GetMapping("/account/settings") |
|||
@PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')") |
|||
public AccountTwoFaSettings getAccountTwoFaSettings() throws ThingsboardException { |
|||
SecurityUser user = getCurrentUser(); |
|||
return twoFaConfigManager.getAccountTwoFaSettings(user.getTenantId(), user.getId()).orElse(null); |
|||
} |
|||
|
|||
|
|||
@ApiOperation(value = "Generate 2FA account config (generateTwoFaAccountConfig)", |
|||
notes = "Generate new 2FA account config template for specified provider type. " + NEW_LINE + |
|||
"For TOTP, this will return a corresponding account config template " + |
|||
"with a generated OTP auth URL (with new random secret key for each API call) that can be then " + |
|||
"converted to a QR code to scan with an authenticator app. Example:\n" + |
|||
"```\n{\n" + |
|||
" \"providerType\": \"TOTP\",\n" + |
|||
" \"useByDefault\": false,\n" + |
|||
" \"authUrl\": \"otpauth://totp/TB%202FA:tenant@thingsboard.org?issuer=TB+2FA&secret=PNJDNWJVAK4ZTUYT7RFGPQLXA7XGU7PX\"\n" + |
|||
"}\n```" + NEW_LINE + |
|||
"For EMAIL, the generated config will contain email from user's account:\n" + |
|||
"```\n{\n" + |
|||
" \"providerType\": \"EMAIL\",\n" + |
|||
" \"useByDefault\": false,\n" + |
|||
" \"email\": \"tenant@thingsboard.org\"\n" + |
|||
"}\n```" + NEW_LINE + |
|||
"For SMS 2FA this method will just return a config with empty/default values as there is nothing to generate/preset:\n" + |
|||
"```\n{\n" + |
|||
" \"providerType\": \"SMS\",\n" + |
|||
" \"useByDefault\": false,\n" + |
|||
" \"phoneNumber\": null\n" + |
|||
"}\n```" + NEW_LINE + |
|||
"Will throw an error (Bad Request) if the provider is not configured for usage. " + |
|||
ControllerConstants.AVAILABLE_FOR_ANY_AUTHORIZED_USER) |
|||
@PostMapping("/account/config/generate") |
|||
@PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')") |
|||
public TwoFaAccountConfig generateTwoFaAccountConfig(@ApiParam(value = "2FA provider type to generate new account config for", defaultValue = "TOTP", required = true) |
|||
@RequestParam TwoFaProviderType providerType) throws Exception { |
|||
SecurityUser user = getCurrentUser(); |
|||
return twoFactorAuthService.generateNewAccountConfig(user, providerType); |
|||
} |
|||
|
|||
@ApiOperation(value = "Submit 2FA account config (submitTwoFaAccountConfig)", |
|||
notes = "Submit 2FA account config to prepare for a future verification. " + |
|||
"Basically, this method will send a verification code for a given account config, if this has " + |
|||
"sense for a chosen 2FA provider. This code is needed to then verify and save the account config." + NEW_LINE + |
|||
"Example of EMAIL 2FA account config:\n" + |
|||
"```\n{\n" + |
|||
" \"providerType\": \"EMAIL\",\n" + |
|||
" \"useByDefault\": true,\n" + |
|||
" \"email\": \"separate-email-for-2fa@thingsboard.org\"\n" + |
|||
"}\n```" + NEW_LINE + |
|||
"Example of SMS 2FA account config:\n" + |
|||
"```\n{\n" + |
|||
" \"providerType\": \"SMS\",\n" + |
|||
" \"useByDefault\": false,\n" + |
|||
" \"phoneNumber\": \"+38012312321\"\n" + |
|||
"}\n```" + NEW_LINE + |
|||
"For TOTP this method does nothing." + NEW_LINE + |
|||
"Will throw an error (Bad Request) if submitted account config is not valid, " + |
|||
"or if the provider is not configured for usage. " + |
|||
ControllerConstants.AVAILABLE_FOR_ANY_AUTHORIZED_USER) |
|||
@PostMapping("/account/config/submit") |
|||
@PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')") |
|||
public void submitTwoFaAccountConfig(@Valid @RequestBody TwoFaAccountConfig accountConfig) throws Exception { |
|||
SecurityUser user = getCurrentUser(); |
|||
twoFactorAuthService.prepareVerificationCode(user, accountConfig, false); |
|||
} |
|||
|
|||
@ApiOperation(value = "Verify and save 2FA account config (verifyAndSaveTwoFaAccountConfig)", |
|||
notes = "Checks the verification code for submitted config, and if it is correct, saves the provided account config. " + NEW_LINE + |
|||
"Returns whole account's 2FA settings object.\n" + |
|||
"Will throw an error (Bad Request) if the provider is not configured for usage. " + |
|||
ControllerConstants.AVAILABLE_FOR_ANY_AUTHORIZED_USER) |
|||
@PostMapping("/account/config") |
|||
@PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')") |
|||
public AccountTwoFaSettings verifyAndSaveTwoFaAccountConfig(@Valid @RequestBody TwoFaAccountConfig accountConfig, |
|||
@RequestParam(required = false) String verificationCode) throws Exception { |
|||
SecurityUser user = getCurrentUser(); |
|||
if (twoFaConfigManager.getTwoFaAccountConfig(user.getTenantId(), user.getId(), accountConfig.getProviderType()).isPresent()) { |
|||
throw new IllegalArgumentException("2FA provider is already configured"); |
|||
} |
|||
|
|||
boolean verificationSuccess; |
|||
if (accountConfig.getProviderType() != TwoFaProviderType.BACKUP_CODE) { |
|||
verificationSuccess = twoFactorAuthService.checkVerificationCode(user, verificationCode, accountConfig, false); |
|||
} else { |
|||
verificationSuccess = true; |
|||
} |
|||
if (verificationSuccess) { |
|||
return twoFaConfigManager.saveTwoFaAccountConfig(user.getTenantId(), user.getId(), accountConfig); |
|||
} else { |
|||
throw new IllegalArgumentException("Verification code is incorrect"); |
|||
} |
|||
} |
|||
|
|||
@ApiOperation(value = "Update 2FA account config (updateTwoFaAccountConfig)", notes = |
|||
"Update config for a given provider type. \n" + |
|||
"Update request example:\n" + |
|||
"```\n{\n \"useByDefault\": true\n}\n```\n" + |
|||
"Returns whole account's 2FA settings object.\n" + |
|||
ControllerConstants.AVAILABLE_FOR_ANY_AUTHORIZED_USER) |
|||
@PutMapping("/account/config") |
|||
@PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')") |
|||
public AccountTwoFaSettings updateTwoFaAccountConfig(@RequestParam TwoFaProviderType providerType, |
|||
@RequestBody TwoFaAccountConfigUpdateRequest updateRequest) throws ThingsboardException { |
|||
SecurityUser user = getCurrentUser(); |
|||
|
|||
TwoFaAccountConfig accountConfig = twoFaConfigManager.getTwoFaAccountConfig(user.getTenantId(), user.getId(), providerType) |
|||
.orElseThrow(() -> new IllegalArgumentException("Config for " + providerType + " 2FA provider not found")); |
|||
accountConfig.setUseByDefault(updateRequest.isUseByDefault()); |
|||
return twoFaConfigManager.saveTwoFaAccountConfig(user.getTenantId(), user.getId(), accountConfig); |
|||
} |
|||
|
|||
@ApiOperation(value = "Delete 2FA account config (deleteTwoFaAccountConfig)", notes = |
|||
"Delete 2FA config for a given 2FA provider type. \n" + |
|||
"Returns whole account's 2FA settings object.\n" + |
|||
ControllerConstants.AVAILABLE_FOR_ANY_AUTHORIZED_USER) |
|||
@DeleteMapping("/account/config") |
|||
@PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')") |
|||
public AccountTwoFaSettings deleteTwoFaAccountConfig(@RequestParam TwoFaProviderType providerType) throws ThingsboardException { |
|||
SecurityUser user = getCurrentUser(); |
|||
return twoFaConfigManager.deleteTwoFaAccountConfig(user.getTenantId(), user.getId(), providerType); |
|||
} |
|||
|
|||
|
|||
@ApiOperation(value = "Get available 2FA providers (getAvailableTwoFaProviders)", notes = |
|||
"Get the list of provider types available for user to use (the ones configured by tenant or sysadmin).\n" + |
|||
"Example of response:\n" + |
|||
"```\n[\n \"TOTP\",\n \"EMAIL\",\n \"SMS\"\n]\n```" + |
|||
ControllerConstants.AVAILABLE_FOR_ANY_AUTHORIZED_USER |
|||
) |
|||
@GetMapping("/providers") |
|||
@PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')") |
|||
public List<TwoFaProviderType> getAvailableTwoFaProviders() throws ThingsboardException { |
|||
return twoFaConfigManager.getPlatformTwoFaSettings(getTenantId(), true) |
|||
.map(PlatformTwoFaSettings::getProviders).orElse(Collections.emptyList()).stream() |
|||
.map(TwoFaProviderConfig::getProviderType) |
|||
.collect(Collectors.toList()); |
|||
} |
|||
|
|||
|
|||
@ApiOperation(value = "Get platform 2FA settings (getPlatformTwoFaSettings)", |
|||
notes = "Get platform settings for 2FA. The settings are described for savePlatformTwoFaSettings API method. " + |
|||
"If 2FA is not configured, then an empty response will be returned." + |
|||
ControllerConstants.SYSTEM_OR_TENANT_AUTHORITY_PARAGRAPH) |
|||
@GetMapping("/settings") |
|||
@PreAuthorize("hasAnyAuthority('SYS_ADMIN')") |
|||
public PlatformTwoFaSettings getPlatformTwoFaSettings() throws ThingsboardException { |
|||
return twoFaConfigManager.getPlatformTwoFaSettings(getTenantId(), false).orElse(null); |
|||
} |
|||
|
|||
@ApiOperation(value = "Save platform 2FA settings (savePlatformTwoFaSettings)", |
|||
notes = "Save 2FA settings for platform. The settings have following properties:\n" + |
|||
"- `providers` - the list of 2FA providers' configs. Users will only be allowed to use 2FA providers from this list. \n\n" + |
|||
"- `minVerificationCodeSendPeriod` - minimal period in seconds to wait after verification code send request to send next request. \n" + |
|||
"- `verificationCodeCheckRateLimit` - rate limit configuration for verification code checking.\n" + |
|||
"The format is standard: 'amountOfRequests:periodInSeconds'. The value of '1:60' would limit verification " + |
|||
"code checking requests to one per minute.\n" + |
|||
"- `maxVerificationFailuresBeforeUserLockout` - maximum number of verification failures before a user gets disabled.\n" + |
|||
"- `totalAllowedTimeForVerification` - total amount of time in seconds allotted for verification. " + |
|||
"Basically, this property sets a lifetime for pre-verification token. If not set, default value of 30 minutes is used.\n" + NEW_LINE + |
|||
"TOTP 2FA provider config has following settings:\n" + |
|||
"- `issuerName` - issuer name that will be displayed in an authenticator app near a username. Must not be blank.\n\n" + |
|||
"For SMS 2FA provider:\n" + |
|||
"- `smsVerificationMessageTemplate` - verification message template. Available template variables " + |
|||
"are ${code} and ${userEmail}. It must not be blank and must contain verification code variable.\n" + |
|||
"- `verificationCodeLifetime` - verification code lifetime in seconds. Required to be positive.\n\n" + |
|||
"For EMAIL provider type:\n" + |
|||
"- `verificationCodeLifetime` - the same as for SMS." + NEW_LINE + |
|||
"Example of the settings:\n" + |
|||
"```\n{\n" + |
|||
" \"providers\": [\n" + |
|||
" {\n" + |
|||
" \"providerType\": \"TOTP\",\n" + |
|||
" \"issuerName\": \"TB\"\n" + |
|||
" },\n" + |
|||
" {\n" + |
|||
" \"providerType\": \"EMAIL\",\n" + |
|||
" \"verificationCodeLifetime\": 60\n" + |
|||
" },\n" + |
|||
" {\n" + |
|||
" \"providerType\": \"SMS\",\n" + |
|||
" \"verificationCodeLifetime\": 60,\n" + |
|||
" \"smsVerificationMessageTemplate\": \"Here is your verification code: ${code}\"\n" + |
|||
" }\n" + |
|||
" ],\n" + |
|||
" \"minVerificationCodeSendPeriod\": 60,\n" + |
|||
" \"verificationCodeCheckRateLimit\": \"3:900\",\n" + |
|||
" \"maxVerificationFailuresBeforeUserLockout\": 10,\n" + |
|||
" \"totalAllowedTimeForVerification\": 600\n" + |
|||
"}\n```" + |
|||
ControllerConstants.SYSTEM_OR_TENANT_AUTHORITY_PARAGRAPH) |
|||
@PostMapping("/settings") |
|||
@PreAuthorize("hasAnyAuthority('SYS_ADMIN')") |
|||
public PlatformTwoFaSettings savePlatformTwoFaSettings(@ApiParam(value = "Settings value", required = true) |
|||
@RequestBody PlatformTwoFaSettings twoFaSettings) throws ThingsboardException { |
|||
return twoFaConfigManager.savePlatformTwoFaSettings(getTenantId(), twoFaSettings); |
|||
} |
|||
|
|||
|
|||
@Data |
|||
public static class TwoFaAccountConfigUpdateRequest { |
|||
private boolean useByDefault; |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,152 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.controller; |
|||
|
|||
import io.swagger.annotations.ApiOperation; |
|||
import lombok.AllArgsConstructor; |
|||
import lombok.Builder; |
|||
import lombok.Data; |
|||
import lombok.RequiredArgsConstructor; |
|||
import org.springframework.security.access.prepost.PreAuthorize; |
|||
import org.springframework.web.bind.annotation.GetMapping; |
|||
import org.springframework.web.bind.annotation.PostMapping; |
|||
import org.springframework.web.bind.annotation.RequestMapping; |
|||
import org.springframework.web.bind.annotation.RequestParam; |
|||
import org.springframework.web.bind.annotation.RestController; |
|||
import org.thingsboard.server.common.data.StringUtils; |
|||
import org.thingsboard.server.common.data.audit.ActionType; |
|||
import org.thingsboard.server.common.data.exception.ThingsboardErrorCode; |
|||
import org.thingsboard.server.common.data.exception.ThingsboardException; |
|||
import org.thingsboard.server.common.data.security.model.mfa.PlatformTwoFaSettings; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.EmailTwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.SmsTwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType; |
|||
import org.thingsboard.server.dao.user.UserService; |
|||
import org.thingsboard.server.queue.util.TbCoreComponent; |
|||
import org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService; |
|||
import org.thingsboard.server.service.security.auth.mfa.config.TwoFaConfigManager; |
|||
import org.thingsboard.server.service.security.auth.rest.RestAuthenticationDetails; |
|||
import org.thingsboard.server.service.security.model.JwtTokenPair; |
|||
import org.thingsboard.server.service.security.model.SecurityUser; |
|||
import org.thingsboard.server.service.security.model.token.JwtTokenFactory; |
|||
import org.thingsboard.server.service.security.system.SystemSecurityService; |
|||
|
|||
import javax.servlet.http.HttpServletRequest; |
|||
import java.util.Collections; |
|||
import java.util.List; |
|||
import java.util.Optional; |
|||
import java.util.stream.Collectors; |
|||
|
|||
import static org.thingsboard.server.controller.ControllerConstants.NEW_LINE; |
|||
|
|||
@RestController |
|||
@RequestMapping("/api/auth/2fa") |
|||
@TbCoreComponent |
|||
@RequiredArgsConstructor |
|||
public class TwoFactorAuthController extends BaseController { |
|||
|
|||
private final TwoFactorAuthService twoFactorAuthService; |
|||
private final TwoFaConfigManager twoFaConfigManager; |
|||
private final JwtTokenFactory tokenFactory; |
|||
private final SystemSecurityService systemSecurityService; |
|||
private final UserService userService; |
|||
|
|||
|
|||
@ApiOperation(value = "Request 2FA verification code (requestTwoFaVerificationCode)", |
|||
notes = "Request 2FA verification code." + NEW_LINE + |
|||
"To make a request to this endpoint, you need an access token with the scope of PRE_VERIFICATION_TOKEN, " + |
|||
"which is issued on username/password auth if 2FA is enabled." + NEW_LINE + |
|||
"The API method is rate limited (using rate limit config from TwoFactorAuthSettings). " + |
|||
"Will return a Bad Request error if provider is not configured for usage, " + |
|||
"and Too Many Requests error if rate limits are exceeded.") |
|||
@PostMapping("/verification/send") |
|||
@PreAuthorize("hasAuthority('PRE_VERIFICATION_TOKEN')") |
|||
public void requestTwoFaVerificationCode(@RequestParam TwoFaProviderType providerType) throws Exception { |
|||
SecurityUser user = getCurrentUser(); |
|||
twoFactorAuthService.prepareVerificationCode(user, providerType, true); |
|||
} |
|||
|
|||
@ApiOperation(value = "Check 2FA verification code (checkTwoFaVerificationCode)", |
|||
notes = "Checks 2FA verification code, and if it is correct the method returns a regular access and refresh token pair." + NEW_LINE + |
|||
"The API method is rate limited (using rate limit config from TwoFactorAuthSettings), and also will block a user " + |
|||
"after X unsuccessful verification attempts if such behavior is configured (in TwoFactorAuthSettings)." + NEW_LINE + |
|||
"Will return a Bad Request error if provider is not configured for usage, " + |
|||
"and Too Many Requests error if rate limits are exceeded.") |
|||
@PostMapping("/verification/check") |
|||
@PreAuthorize("hasAuthority('PRE_VERIFICATION_TOKEN')") |
|||
public JwtTokenPair checkTwoFaVerificationCode(@RequestParam TwoFaProviderType providerType, |
|||
@RequestParam String verificationCode, HttpServletRequest servletRequest) throws Exception { |
|||
SecurityUser user = getCurrentUser(); |
|||
boolean verificationSuccess = twoFactorAuthService.checkVerificationCode(user, providerType, verificationCode, true); |
|||
if (verificationSuccess) { |
|||
systemSecurityService.logLoginAction(user, new RestAuthenticationDetails(servletRequest), ActionType.LOGIN, null); |
|||
user = new SecurityUser(userService.findUserById(user.getTenantId(), user.getId()), true, user.getUserPrincipal()); |
|||
return tokenFactory.createTokenPair(user); |
|||
} else { |
|||
ThingsboardException error = new ThingsboardException("Verification code is incorrect", ThingsboardErrorCode.BAD_REQUEST_PARAMS); |
|||
systemSecurityService.logLoginAction(user, new RestAuthenticationDetails(servletRequest), ActionType.LOGIN, error); |
|||
throw error; |
|||
} |
|||
} |
|||
|
|||
|
|||
@ApiOperation(value = "Get available 2FA providers (getAvailableTwoFaProviders)", notes = |
|||
"Get the list of 2FA provider infos available for user to use. Example:\n" + |
|||
"```\n[\n" + |
|||
" {\n \"type\": \"EMAIL\",\n \"default\": true,\n \"contact\": \"ab*****ko@gmail.com\"\n },\n" + |
|||
" {\n \"type\": \"TOTP\",\n \"default\": false,\n \"contact\": null\n },\n" + |
|||
" {\n \"type\": \"SMS\",\n \"default\": false,\n \"contact\": \"+38********12\"\n }\n" + |
|||
"]\n```") |
|||
@GetMapping("/providers") |
|||
@PreAuthorize("hasAuthority('PRE_VERIFICATION_TOKEN')") |
|||
public List<TwoFaProviderInfo> getAvailableTwoFaProviders() throws ThingsboardException { |
|||
SecurityUser user = getCurrentUser(); |
|||
Optional<PlatformTwoFaSettings> platformTwoFaSettings = twoFaConfigManager.getPlatformTwoFaSettings(user.getTenantId(), true); |
|||
return twoFaConfigManager.getAccountTwoFaSettings(user.getTenantId(), user.getId()) |
|||
.map(settings -> settings.getConfigs().values()).orElse(Collections.emptyList()) |
|||
.stream().map(config -> { |
|||
String contact = null; |
|||
switch (config.getProviderType()) { |
|||
case SMS: |
|||
String phoneNumber = ((SmsTwoFaAccountConfig) config).getPhoneNumber(); |
|||
contact = StringUtils.obfuscate(phoneNumber, 2, '*', phoneNumber.indexOf('+') + 1, phoneNumber.length()); |
|||
break; |
|||
case EMAIL: |
|||
String email = ((EmailTwoFaAccountConfig) config).getEmail(); |
|||
contact = StringUtils.obfuscate(email, 2, '*', 0, email.indexOf('@')); |
|||
break; |
|||
} |
|||
return TwoFaProviderInfo.builder() |
|||
.type(config.getProviderType()) |
|||
.isDefault(config.isUseByDefault()) |
|||
.contact(contact) |
|||
.minVerificationCodeSendPeriod(platformTwoFaSettings.get().getMinVerificationCodeSendPeriod()) |
|||
.build(); |
|||
}) |
|||
.collect(Collectors.toList()); |
|||
} |
|||
|
|||
@Data |
|||
@AllArgsConstructor |
|||
@Builder |
|||
public static class TwoFaProviderInfo { |
|||
private TwoFaProviderType type; |
|||
private boolean isDefault; |
|||
private String contact; |
|||
private Integer minVerificationCodeSendPeriod; |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,269 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.entitiy.queue; |
|||
|
|||
import lombok.AllArgsConstructor; |
|||
import lombok.extern.slf4j.Slf4j; |
|||
import org.springframework.stereotype.Service; |
|||
import org.thingsboard.server.cluster.TbClusterService; |
|||
import org.thingsboard.server.common.data.DeviceProfile; |
|||
import org.thingsboard.server.common.data.TenantProfile; |
|||
import org.thingsboard.server.common.data.id.QueueId; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
import org.thingsboard.server.common.data.page.PageLink; |
|||
import org.thingsboard.server.common.data.plugin.ComponentLifecycleEvent; |
|||
import org.thingsboard.server.common.data.queue.Queue; |
|||
import org.thingsboard.server.common.data.tenant.profile.TenantProfileQueueConfiguration; |
|||
import org.thingsboard.server.common.msg.queue.TopicPartitionInfo; |
|||
import org.thingsboard.server.dao.device.DeviceProfileService; |
|||
import org.thingsboard.server.queue.TbQueueAdmin; |
|||
import org.thingsboard.server.queue.scheduler.SchedulerComponent; |
|||
import org.thingsboard.server.queue.util.TbCoreComponent; |
|||
import org.thingsboard.server.service.entitiy.AbstractTbEntityService; |
|||
|
|||
import java.util.ArrayList; |
|||
import java.util.Collections; |
|||
import java.util.List; |
|||
import java.util.Map; |
|||
import java.util.concurrent.TimeUnit; |
|||
import java.util.stream.Collectors; |
|||
|
|||
@Slf4j |
|||
@Service |
|||
@TbCoreComponent |
|||
@AllArgsConstructor |
|||
public class DefaultTbQueueService extends AbstractTbEntityService implements TbQueueService { |
|||
private static final String MAIN = "Main"; |
|||
private static final long DELETE_DELAY = 30; |
|||
|
|||
private final TbClusterService tbClusterService; |
|||
private final TbQueueAdmin tbQueueAdmin; |
|||
private final DeviceProfileService deviceProfileService; |
|||
private final SchedulerComponent scheduler; |
|||
|
|||
@Override |
|||
public Queue saveQueue(Queue queue) { |
|||
boolean create = queue.getId() == null; |
|||
Queue oldQueue; |
|||
|
|||
if (create) { |
|||
oldQueue = null; |
|||
} else { |
|||
oldQueue = queueService.findQueueById(queue.getTenantId(), queue.getId()); |
|||
} |
|||
|
|||
//TODO: add checkNotNull
|
|||
Queue savedQueue = queueService.saveQueue(queue); |
|||
|
|||
if (create) { |
|||
onQueueCreated(savedQueue); |
|||
} else { |
|||
onQueueUpdated(savedQueue, oldQueue); |
|||
} |
|||
|
|||
return savedQueue; |
|||
} |
|||
|
|||
@Override |
|||
public void deleteQueue(TenantId tenantId, QueueId queueId) { |
|||
Queue queue = queueService.findQueueById(tenantId, queueId); |
|||
queueService.deleteQueue(tenantId, queueId); |
|||
onQueueDeleted(queue); |
|||
} |
|||
|
|||
@Override |
|||
public void deleteQueueByQueueName(TenantId tenantId, String queueName) { |
|||
Queue queue = queueService.findQueueByTenantIdAndNameInternal(tenantId, queueName); |
|||
queueService.deleteQueue(tenantId, queue.getId()); |
|||
onQueueDeleted(queue); |
|||
} |
|||
|
|||
private void onQueueCreated(Queue queue) { |
|||
for (int i = 0; i < queue.getPartitions(); i++) { |
|||
tbQueueAdmin.createTopicIfNotExists( |
|||
new TopicPartitionInfo(queue.getTopic(), queue.getTenantId(), i, false).getFullTopicName()); |
|||
} |
|||
|
|||
tbClusterService.onQueueChange(queue); |
|||
} |
|||
|
|||
private void onQueueUpdated(Queue queue, Queue oldQueue) { |
|||
int oldPartitions = oldQueue.getPartitions(); |
|||
int currentPartitions = queue.getPartitions(); |
|||
|
|||
if (currentPartitions != oldPartitions) { |
|||
if (currentPartitions > oldPartitions) { |
|||
log.info("Added [{}] new partitions to [{}] queue", currentPartitions - oldPartitions, queue.getName()); |
|||
for (int i = oldPartitions; i < currentPartitions; i++) { |
|||
tbQueueAdmin.createTopicIfNotExists( |
|||
new TopicPartitionInfo(queue.getTopic(), queue.getTenantId(), i, false).getFullTopicName()); |
|||
} |
|||
tbClusterService.onQueueChange(queue); |
|||
} else { |
|||
log.info("Removed [{}] partitions from [{}] queue", oldPartitions - currentPartitions, queue.getName()); |
|||
tbClusterService.onQueueChange(queue); |
|||
|
|||
scheduler.schedule(() -> { |
|||
for (int i = currentPartitions; i < oldPartitions; i++) { |
|||
String fullTopicName = new TopicPartitionInfo(queue.getTopic(), queue.getTenantId(), i, false).getFullTopicName(); |
|||
log.info("Removed partition [{}]", fullTopicName); |
|||
tbQueueAdmin.deleteTopic( |
|||
fullTopicName); |
|||
} |
|||
}, DELETE_DELAY, TimeUnit.SECONDS); |
|||
} |
|||
} else if (!oldQueue.equals(queue)) { |
|||
tbClusterService.onQueueChange(queue); |
|||
} |
|||
} |
|||
|
|||
private void onQueueDeleted(Queue queue) { |
|||
tbClusterService.onQueueDelete(queue); |
|||
|
|||
// queueStatsService.deleteQueueStatsByQueueId(tenantId, queueId);
|
|||
|
|||
scheduler.schedule(() -> { |
|||
for (int i = 0; i < queue.getPartitions(); i++) { |
|||
String fullTopicName = new TopicPartitionInfo(queue.getTopic(), queue.getTenantId(), i, false).getFullTopicName(); |
|||
log.info("Deleting queue [{}]", fullTopicName); |
|||
try { |
|||
tbQueueAdmin.deleteTopic(fullTopicName); |
|||
} catch (Exception e) { |
|||
log.error("Failed to delete queue [{}]", fullTopicName); |
|||
} |
|||
} |
|||
}, DELETE_DELAY, TimeUnit.SECONDS); |
|||
} |
|||
|
|||
@Override |
|||
public void updateQueuesByTenants(List<TenantId> tenantIds, TenantProfile newTenantProfile, TenantProfile |
|||
oldTenantProfile) { |
|||
boolean oldIsolated = oldTenantProfile != null && oldTenantProfile.isIsolatedTbRuleEngine(); |
|||
boolean newIsolated = newTenantProfile.isIsolatedTbRuleEngine(); |
|||
|
|||
if (!oldIsolated && !newIsolated) { |
|||
return; |
|||
} |
|||
|
|||
if (newTenantProfile.equals(oldTenantProfile)) { |
|||
return; |
|||
} |
|||
|
|||
Map<String, TenantProfileQueueConfiguration> oldQueues; |
|||
Map<String, TenantProfileQueueConfiguration> newQueues; |
|||
|
|||
if (oldIsolated) { |
|||
oldQueues = oldTenantProfile.getProfileData().getQueueConfiguration().stream() |
|||
.collect(Collectors.toMap(TenantProfileQueueConfiguration::getName, q -> q)); |
|||
} else { |
|||
oldQueues = Collections.emptyMap(); |
|||
} |
|||
|
|||
if (newIsolated) { |
|||
newQueues = newTenantProfile.getProfileData().getQueueConfiguration().stream() |
|||
.collect(Collectors.toMap(TenantProfileQueueConfiguration::getName, q -> q)); |
|||
} else { |
|||
newQueues = Collections.emptyMap(); |
|||
} |
|||
|
|||
List<String> toRemove = new ArrayList<>(); |
|||
List<String> toCreate = new ArrayList<>(); |
|||
List<String> toUpdate = new ArrayList<>(); |
|||
|
|||
for (String oldQueue : oldQueues.keySet()) { |
|||
if (!newQueues.containsKey(oldQueue)) { |
|||
toRemove.add(oldQueue); |
|||
} |
|||
} |
|||
|
|||
for (String newQueue : newQueues.keySet()) { |
|||
if (oldQueues.containsKey(newQueue)) { |
|||
toUpdate.add(newQueue); |
|||
} else { |
|||
toCreate.add(newQueue); |
|||
} |
|||
} |
|||
|
|||
tenantIds.forEach(tenantId -> { |
|||
Map<QueueId, List<DeviceProfile>> deviceProfileQueues; |
|||
|
|||
if (oldTenantProfile != null && !newTenantProfile.getId().equals(oldTenantProfile.getId()) || !toRemove.isEmpty()) { |
|||
List<DeviceProfile> deviceProfiles = deviceProfileService.findDeviceProfiles(tenantId, new PageLink(Integer.MAX_VALUE)).getData(); |
|||
deviceProfileQueues = deviceProfiles.stream() |
|||
.filter(dp -> dp.getDefaultQueueId() != null) |
|||
.collect(Collectors.groupingBy(DeviceProfile::getDefaultQueueId)); |
|||
} else { |
|||
deviceProfileQueues = Collections.emptyMap(); |
|||
} |
|||
|
|||
Map<String, QueueId> createdQueues = toCreate.stream() |
|||
.map(key -> saveQueue(new Queue(tenantId, newQueues.get(key)))) |
|||
.collect(Collectors.toMap(Queue::getName, Queue::getId)); |
|||
|
|||
// assigning created queues to device profiles instead of system queues
|
|||
if (oldTenantProfile != null && !oldTenantProfile.isIsolatedTbRuleEngine()) { |
|||
deviceProfileQueues.forEach((queueId, list) -> { |
|||
Queue queue = queueService.findQueueById(TenantId.SYS_TENANT_ID, queueId); |
|||
QueueId queueIdToAssign = createdQueues.get(queue.getName()); |
|||
if (queueIdToAssign == null) { |
|||
queueIdToAssign = createdQueues.get(MAIN); |
|||
} |
|||
for (DeviceProfile deviceProfile : list) { |
|||
deviceProfile.setDefaultQueueId(queueIdToAssign); |
|||
saveDeviceProfile(deviceProfile); |
|||
} |
|||
}); |
|||
} |
|||
|
|||
toUpdate.forEach(key -> { |
|||
Queue queueToUpdate = new Queue(tenantId, newQueues.get(key)); |
|||
Queue foundQueue = queueService.findQueueByTenantIdAndName(tenantId, key); |
|||
queueToUpdate.setId(foundQueue.getId()); |
|||
queueToUpdate.setCreatedTime(foundQueue.getCreatedTime()); |
|||
|
|||
if (queueToUpdate.equals(foundQueue)) { |
|||
//Queue not changed
|
|||
} else { |
|||
saveQueue(queueToUpdate); |
|||
} |
|||
}); |
|||
|
|||
toRemove.forEach(q -> { |
|||
Queue queue = queueService.findQueueByTenantIdAndNameInternal(tenantId, q); |
|||
QueueId queueIdForRemove = queue.getId(); |
|||
if (deviceProfileQueues.containsKey(queueIdForRemove)) { |
|||
Queue foundQueue = queueService.findQueueByTenantIdAndName(tenantId, q); |
|||
if (foundQueue == null || queue.equals(foundQueue)) { |
|||
foundQueue = queueService.findQueueByTenantIdAndName(tenantId, MAIN); |
|||
} |
|||
QueueId newQueueId = foundQueue.getId(); |
|||
deviceProfileQueues.get(queueIdForRemove).stream() |
|||
.peek(dp -> dp.setDefaultQueueId(newQueueId)) |
|||
.forEach(this::saveDeviceProfile); |
|||
} |
|||
deleteQueue(tenantId, queueIdForRemove); |
|||
}); |
|||
}); |
|||
} |
|||
|
|||
//TODO: remove after implementing TbDeviceProfileService
|
|||
private void saveDeviceProfile(DeviceProfile deviceProfile) { |
|||
DeviceProfile savedDeviceProfile = deviceProfileService.saveDeviceProfile(deviceProfile); |
|||
tbClusterService.onDeviceProfileChange(savedDeviceProfile, null); |
|||
tbClusterService.broadcastEntityStateChangeEvent(deviceProfile.getTenantId(), savedDeviceProfile.getId(), ComponentLifecycleEvent.UPDATED); |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,34 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.entitiy.queue; |
|||
|
|||
import org.thingsboard.server.common.data.TenantProfile; |
|||
import org.thingsboard.server.common.data.id.QueueId; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
import org.thingsboard.server.common.data.queue.Queue; |
|||
|
|||
import java.util.List; |
|||
|
|||
public interface TbQueueService { |
|||
|
|||
Queue saveQueue(Queue queue); |
|||
|
|||
void deleteQueue(TenantId tenantId, QueueId queueId); |
|||
|
|||
void deleteQueueByQueueName(TenantId tenantId, String queueName); |
|||
|
|||
void updateQueuesByTenants(List<TenantId> tenantIds, TenantProfile newTenantProfile, TenantProfile oldTenantProfile); |
|||
} |
|||
@ -0,0 +1,50 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.entitiy.tenant_profile; |
|||
|
|||
import lombok.AllArgsConstructor; |
|||
import lombok.extern.slf4j.Slf4j; |
|||
import org.springframework.stereotype.Service; |
|||
import org.thingsboard.server.common.data.TenantProfile; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
import org.thingsboard.server.dao.tenant.TenantProfileService; |
|||
import org.thingsboard.server.dao.tenant.TenantService; |
|||
import org.thingsboard.server.queue.util.TbCoreComponent; |
|||
import org.thingsboard.server.service.entitiy.queue.TbQueueService; |
|||
|
|||
import java.util.List; |
|||
|
|||
@Slf4j |
|||
@Service |
|||
@TbCoreComponent |
|||
@AllArgsConstructor |
|||
public class DefaultTbTenantProfileService implements TbTenantProfileService { |
|||
private final TbQueueService tbQueueService; |
|||
private final TenantProfileService tenantProfileService; |
|||
private final TenantService tenantService; |
|||
|
|||
@Override |
|||
public TenantProfile saveTenantProfile(TenantId tenantId, TenantProfile tenantProfile, TenantProfile oldTenantProfile) { |
|||
TenantProfile savedTenantProfile = tenantProfileService.saveTenantProfile(tenantId, tenantProfile); |
|||
|
|||
if (oldTenantProfile != null && savedTenantProfile.isIsolatedTbRuleEngine()) { |
|||
List<TenantId> tenantIds = tenantService.findTenantIdsByTenantProfileId(savedTenantProfile.getId()); |
|||
tbQueueService.updateQueuesByTenants(tenantIds, savedTenantProfile, oldTenantProfile); |
|||
} |
|||
|
|||
return savedTenantProfile; |
|||
} |
|||
} |
|||
@ -0,0 +1,23 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.entitiy.tenant_profile; |
|||
|
|||
import org.thingsboard.server.common.data.TenantProfile; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
|
|||
public interface TbTenantProfileService { |
|||
TenantProfile saveTenantProfile(TenantId tenantId, TenantProfile tenantProfile, TenantProfile oldTenantProfile); |
|||
} |
|||
@ -0,0 +1,48 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.install; |
|||
|
|||
import lombok.Data; |
|||
import lombok.extern.slf4j.Slf4j; |
|||
import org.springframework.boot.autoconfigure.EnableAutoConfiguration; |
|||
import org.springframework.boot.context.properties.ConfigurationProperties; |
|||
import org.springframework.context.annotation.Configuration; |
|||
import org.springframework.context.annotation.Profile; |
|||
import org.thingsboard.server.queue.settings.TbRuleEngineQueueConfiguration; |
|||
|
|||
import javax.annotation.PostConstruct; |
|||
import java.util.List; |
|||
|
|||
@Slf4j |
|||
@Data |
|||
@EnableAutoConfiguration |
|||
@Configuration |
|||
@ConfigurationProperties(prefix = "queue.rule-engine") |
|||
@Profile("install") |
|||
public class TbRuleEngineQueueConfigService { |
|||
|
|||
private String topic; |
|||
private List<TbRuleEngineQueueConfiguration> queues; |
|||
|
|||
@PostConstruct |
|||
public void validate() { |
|||
queues.stream().filter(queue -> queue.getName().equals("Main")).findFirst().orElseThrow(() -> { |
|||
log.error("Main queue is not configured in thingsboard.yml"); |
|||
return new RuntimeException("No \"Main\" queue configured!"); |
|||
}); |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,44 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.queue; |
|||
|
|||
import lombok.extern.slf4j.Slf4j; |
|||
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression; |
|||
import org.springframework.stereotype.Service; |
|||
import org.thingsboard.server.dao.queue.QueueService; |
|||
import org.thingsboard.server.queue.discovery.QueueRoutingInfo; |
|||
import org.thingsboard.server.queue.discovery.QueueRoutingInfoService; |
|||
|
|||
import java.util.List; |
|||
import java.util.stream.Collectors; |
|||
|
|||
@Slf4j |
|||
@Service |
|||
@ConditionalOnExpression("'${service.type:null}'=='monolith' || '${service.type:null}'=='tb-core' || '${service.type:null}'=='tb-rule-engine'") |
|||
public class DefaultQueueRoutingInfoService implements QueueRoutingInfoService { |
|||
|
|||
private final QueueService queueService; |
|||
|
|||
public DefaultQueueRoutingInfoService(QueueService queueService) { |
|||
this.queueService = queueService; |
|||
} |
|||
|
|||
@Override |
|||
public List<QueueRoutingInfo> getAllQueuesRoutingInfo() { |
|||
return queueService.findAllQueues().stream().map(QueueRoutingInfo::new).collect(Collectors.toList()); |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,24 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.security.auth; |
|||
|
|||
import org.thingsboard.server.service.security.model.SecurityUser; |
|||
|
|||
public class MfaAuthenticationToken extends AbstractJwtAuthenticationToken { |
|||
public MfaAuthenticationToken(SecurityUser securityUser) { |
|||
super(securityUser); |
|||
} |
|||
} |
|||
@ -0,0 +1,190 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.security.auth.mfa; |
|||
|
|||
import lombok.RequiredArgsConstructor; |
|||
import org.apache.commons.lang3.StringUtils; |
|||
import org.springframework.beans.factory.annotation.Autowired; |
|||
import org.springframework.security.authentication.LockedException; |
|||
import org.springframework.stereotype.Service; |
|||
import org.thingsboard.server.common.data.User; |
|||
import org.thingsboard.server.common.data.exception.ThingsboardErrorCode; |
|||
import org.thingsboard.server.common.data.exception.ThingsboardException; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
import org.thingsboard.server.common.data.id.UserId; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType; |
|||
import org.thingsboard.server.common.msg.tools.TbRateLimits; |
|||
import org.thingsboard.server.dao.user.UserService; |
|||
import org.thingsboard.server.queue.util.TbCoreComponent; |
|||
import org.thingsboard.server.service.security.auth.mfa.config.TwoFaConfigManager; |
|||
import org.thingsboard.server.common.data.security.model.mfa.PlatformTwoFaSettings; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.TwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderConfig; |
|||
import org.thingsboard.server.service.security.auth.mfa.provider.TwoFaProvider; |
|||
import org.thingsboard.server.service.security.model.SecurityUser; |
|||
import org.thingsboard.server.service.security.system.SystemSecurityService; |
|||
|
|||
import java.util.Collection; |
|||
import java.util.EnumMap; |
|||
import java.util.Map; |
|||
import java.util.Optional; |
|||
import java.util.concurrent.ConcurrentHashMap; |
|||
import java.util.concurrent.ConcurrentMap; |
|||
|
|||
@Service |
|||
@RequiredArgsConstructor |
|||
@TbCoreComponent |
|||
public class DefaultTwoFactorAuthService implements TwoFactorAuthService { |
|||
|
|||
private final TwoFaConfigManager configManager; |
|||
private final SystemSecurityService systemSecurityService; |
|||
private final UserService userService; |
|||
private final Map<TwoFaProviderType, TwoFaProvider<TwoFaProviderConfig, TwoFaAccountConfig>> providers = new EnumMap<>(TwoFaProviderType.class); |
|||
|
|||
private static final ThingsboardException ACCOUNT_NOT_CONFIGURED_ERROR = new ThingsboardException("2FA is not configured for account", ThingsboardErrorCode.BAD_REQUEST_PARAMS); |
|||
private static final ThingsboardException PROVIDER_NOT_CONFIGURED_ERROR = new ThingsboardException("2FA provider is not configured", ThingsboardErrorCode.BAD_REQUEST_PARAMS); |
|||
private static final ThingsboardException PROVIDER_NOT_AVAILABLE_ERROR = new ThingsboardException("2FA provider is not available", ThingsboardErrorCode.GENERAL); |
|||
|
|||
private final ConcurrentMap<UserId, ConcurrentMap<TwoFaProviderType, TbRateLimits>> verificationCodeSendingRateLimits = new ConcurrentHashMap<>(); |
|||
private final ConcurrentMap<UserId, ConcurrentMap<TwoFaProviderType, TbRateLimits>> verificationCodeCheckingRateLimits = new ConcurrentHashMap<>(); |
|||
|
|||
@Override |
|||
public boolean isTwoFaEnabled(TenantId tenantId, UserId userId) { |
|||
return configManager.getAccountTwoFaSettings(tenantId, userId) |
|||
.map(settings -> !settings.getConfigs().isEmpty()) |
|||
.orElse(false); |
|||
} |
|||
|
|||
@Override |
|||
public void checkProvider(TenantId tenantId, TwoFaProviderType providerType) throws ThingsboardException { |
|||
getTwoFaProvider(providerType).check(tenantId); |
|||
} |
|||
|
|||
|
|||
@Override |
|||
public void prepareVerificationCode(SecurityUser user, TwoFaProviderType providerType, boolean checkLimits) throws Exception { |
|||
TwoFaAccountConfig accountConfig = configManager.getTwoFaAccountConfig(user.getTenantId(), user.getId(), providerType) |
|||
.orElseThrow(() -> ACCOUNT_NOT_CONFIGURED_ERROR); |
|||
prepareVerificationCode(user, accountConfig, checkLimits); |
|||
} |
|||
|
|||
@Override |
|||
public void prepareVerificationCode(SecurityUser user, TwoFaAccountConfig accountConfig, boolean checkLimits) throws ThingsboardException { |
|||
PlatformTwoFaSettings twoFaSettings = configManager.getPlatformTwoFaSettings(user.getTenantId(), true) |
|||
.orElseThrow(() -> PROVIDER_NOT_CONFIGURED_ERROR); |
|||
if (checkLimits) { |
|||
Integer minVerificationCodeSendPeriod = twoFaSettings.getMinVerificationCodeSendPeriod(); |
|||
String rateLimit = null; |
|||
if (minVerificationCodeSendPeriod != null && minVerificationCodeSendPeriod > 4) { |
|||
rateLimit = "1:" + minVerificationCodeSendPeriod; |
|||
} |
|||
checkRateLimits(user.getId(), accountConfig.getProviderType(), rateLimit, verificationCodeSendingRateLimits); |
|||
} |
|||
|
|||
TwoFaProviderConfig providerConfig = twoFaSettings.getProviderConfig(accountConfig.getProviderType()) |
|||
.orElseThrow(() -> PROVIDER_NOT_CONFIGURED_ERROR); |
|||
getTwoFaProvider(accountConfig.getProviderType()).prepareVerificationCode(user, providerConfig, accountConfig); |
|||
} |
|||
|
|||
|
|||
@Override |
|||
public boolean checkVerificationCode(SecurityUser user, TwoFaProviderType providerType, String verificationCode, boolean checkLimits) throws ThingsboardException { |
|||
TwoFaAccountConfig accountConfig = configManager.getTwoFaAccountConfig(user.getTenantId(), user.getId(), providerType) |
|||
.orElseThrow(() -> ACCOUNT_NOT_CONFIGURED_ERROR); |
|||
return checkVerificationCode(user, verificationCode, accountConfig, checkLimits); |
|||
} |
|||
|
|||
@Override |
|||
public boolean checkVerificationCode(SecurityUser user, String verificationCode, TwoFaAccountConfig accountConfig, boolean checkLimits) throws ThingsboardException { |
|||
if (!userService.findUserCredentialsByUserId(user.getTenantId(), user.getId()).isEnabled()) { |
|||
throw new ThingsboardException("User is disabled", ThingsboardErrorCode.AUTHENTICATION); |
|||
} |
|||
|
|||
PlatformTwoFaSettings twoFaSettings = configManager.getPlatformTwoFaSettings(user.getTenantId(), true) |
|||
.orElseThrow(() -> PROVIDER_NOT_CONFIGURED_ERROR); |
|||
if (checkLimits) { |
|||
checkRateLimits(user.getId(), accountConfig.getProviderType(), twoFaSettings.getVerificationCodeCheckRateLimit(), verificationCodeCheckingRateLimits); |
|||
} |
|||
TwoFaProviderConfig providerConfig = twoFaSettings.getProviderConfig(accountConfig.getProviderType()) |
|||
.orElseThrow(() -> PROVIDER_NOT_CONFIGURED_ERROR); |
|||
|
|||
boolean verificationSuccess = false; |
|||
if (StringUtils.isNotBlank(verificationCode)) { |
|||
if (StringUtils.isNumeric(verificationCode) || accountConfig.getProviderType() == TwoFaProviderType.BACKUP_CODE) { |
|||
verificationSuccess = getTwoFaProvider(accountConfig.getProviderType()).checkVerificationCode(user, verificationCode, providerConfig, accountConfig); |
|||
} |
|||
} |
|||
if (checkLimits) { |
|||
try { |
|||
systemSecurityService.validateTwoFaVerification(user, verificationSuccess, twoFaSettings); |
|||
} catch (LockedException e) { |
|||
verificationCodeCheckingRateLimits.remove(user.getId()); |
|||
verificationCodeSendingRateLimits.remove(user.getId()); |
|||
throw new ThingsboardException(e.getMessage(), ThingsboardErrorCode.AUTHENTICATION); |
|||
} |
|||
if (verificationSuccess) { |
|||
verificationCodeCheckingRateLimits.remove(user.getId()); |
|||
verificationCodeSendingRateLimits.remove(user.getId()); |
|||
} |
|||
} |
|||
return verificationSuccess; |
|||
} |
|||
|
|||
private void checkRateLimits(UserId userId, TwoFaProviderType providerType, String rateLimitConfig, |
|||
ConcurrentMap<UserId, ConcurrentMap<TwoFaProviderType, TbRateLimits>> rateLimits) throws ThingsboardException { |
|||
if (StringUtils.isNotEmpty(rateLimitConfig)) { |
|||
ConcurrentMap<TwoFaProviderType, TbRateLimits> providersRateLimits = rateLimits.computeIfAbsent(userId, i -> new ConcurrentHashMap<>()); |
|||
|
|||
TbRateLimits rateLimit = providersRateLimits.get(providerType); |
|||
if (rateLimit == null || !rateLimit.getConfig().equals(rateLimitConfig)) { |
|||
rateLimit = new TbRateLimits(rateLimitConfig, true); |
|||
providersRateLimits.put(providerType, rateLimit); |
|||
} |
|||
if (!rateLimit.tryConsume()) { |
|||
throw new ThingsboardException("Too many requests", ThingsboardErrorCode.TOO_MANY_REQUESTS); |
|||
} |
|||
} else { |
|||
rateLimits.remove(userId); |
|||
} |
|||
} |
|||
|
|||
|
|||
@Override |
|||
public TwoFaAccountConfig generateNewAccountConfig(User user, TwoFaProviderType providerType) throws ThingsboardException { |
|||
TwoFaProviderConfig providerConfig = getTwoFaProviderConfig(user.getTenantId(), providerType); |
|||
return getTwoFaProvider(providerType).generateNewAccountConfig(user, providerConfig); |
|||
} |
|||
|
|||
|
|||
private TwoFaProviderConfig getTwoFaProviderConfig(TenantId tenantId, TwoFaProviderType providerType) throws ThingsboardException { |
|||
return configManager.getPlatformTwoFaSettings(tenantId, true) |
|||
.flatMap(twoFaSettings -> twoFaSettings.getProviderConfig(providerType)) |
|||
.orElseThrow(() -> PROVIDER_NOT_CONFIGURED_ERROR); |
|||
} |
|||
|
|||
private TwoFaProvider<TwoFaProviderConfig, TwoFaAccountConfig> getTwoFaProvider(TwoFaProviderType providerType) throws ThingsboardException { |
|||
return Optional.ofNullable(providers.get(providerType)) |
|||
.orElseThrow(() -> PROVIDER_NOT_AVAILABLE_ERROR); |
|||
} |
|||
|
|||
@Autowired |
|||
private void setProviders(Collection<TwoFaProvider> providers) { |
|||
providers.forEach(provider -> { |
|||
this.providers.put(provider.getType(), provider); |
|||
}); |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,45 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.security.auth.mfa; |
|||
|
|||
import org.thingsboard.server.common.data.User; |
|||
import org.thingsboard.server.common.data.exception.ThingsboardException; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
import org.thingsboard.server.common.data.id.UserId; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.TwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType; |
|||
import org.thingsboard.server.service.security.model.SecurityUser; |
|||
|
|||
public interface TwoFactorAuthService { |
|||
|
|||
boolean isTwoFaEnabled(TenantId tenantId, UserId userId); |
|||
|
|||
void checkProvider(TenantId tenantId, TwoFaProviderType providerType) throws ThingsboardException; |
|||
|
|||
|
|||
void prepareVerificationCode(SecurityUser user, TwoFaProviderType providerType, boolean checkLimits) throws Exception; |
|||
|
|||
void prepareVerificationCode(SecurityUser user, TwoFaAccountConfig accountConfig, boolean checkLimits) throws ThingsboardException; |
|||
|
|||
|
|||
boolean checkVerificationCode(SecurityUser user, TwoFaProviderType providerType, String verificationCode, boolean checkLimits) throws ThingsboardException; |
|||
|
|||
boolean checkVerificationCode(SecurityUser user, String verificationCode, TwoFaAccountConfig accountConfig, boolean checkLimits) throws ThingsboardException; |
|||
|
|||
|
|||
TwoFaAccountConfig generateNewAccountConfig(User user, TwoFaProviderType providerType) throws ThingsboardException; |
|||
|
|||
} |
|||
@ -0,0 +1,168 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.security.auth.mfa.config; |
|||
|
|||
import lombok.RequiredArgsConstructor; |
|||
import org.springframework.beans.factory.annotation.Autowired; |
|||
import org.springframework.context.annotation.Lazy; |
|||
import org.springframework.stereotype.Service; |
|||
import org.thingsboard.common.util.JacksonUtil; |
|||
import org.thingsboard.server.common.data.AdminSettings; |
|||
import org.thingsboard.server.common.data.exception.ThingsboardException; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
import org.thingsboard.server.common.data.id.UserId; |
|||
import org.thingsboard.server.common.data.security.UserAuthSettings; |
|||
import org.thingsboard.server.common.data.security.model.mfa.PlatformTwoFaSettings; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.AccountTwoFaSettings; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.TwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType; |
|||
import org.thingsboard.server.dao.service.ConstraintValidator; |
|||
import org.thingsboard.server.dao.settings.AdminSettingsDao; |
|||
import org.thingsboard.server.dao.settings.AdminSettingsService; |
|||
import org.thingsboard.server.dao.user.UserAuthSettingsDao; |
|||
import org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService; |
|||
|
|||
import java.util.Comparator; |
|||
import java.util.LinkedHashMap; |
|||
import java.util.Map; |
|||
import java.util.Optional; |
|||
|
|||
@Service |
|||
@RequiredArgsConstructor |
|||
public class DefaultTwoFaConfigManager implements TwoFaConfigManager { |
|||
|
|||
private final UserAuthSettingsDao userAuthSettingsDao; |
|||
private final AdminSettingsService adminSettingsService; |
|||
private final AdminSettingsDao adminSettingsDao; |
|||
@Autowired @Lazy |
|||
private TwoFactorAuthService twoFactorAuthService; |
|||
|
|||
protected static final String TWO_FACTOR_AUTH_SETTINGS_KEY = "twoFaSettings"; |
|||
|
|||
|
|||
@Override |
|||
public Optional<AccountTwoFaSettings> getAccountTwoFaSettings(TenantId tenantId, UserId userId) { |
|||
return Optional.ofNullable(userAuthSettingsDao.findByUserId(userId)) |
|||
.flatMap(userAuthSettings -> Optional.ofNullable(userAuthSettings.getTwoFaSettings())) |
|||
.map(twoFaSettings -> { |
|||
twoFaSettings.getConfigs().keySet().removeIf(providerType -> { |
|||
return getTwoFaProviderConfig(tenantId, providerType).isEmpty(); |
|||
}); |
|||
return twoFaSettings; |
|||
}); |
|||
} |
|||
|
|||
protected AccountTwoFaSettings saveAccountTwoFaSettings(TenantId tenantId, UserId userId, AccountTwoFaSettings settings) { |
|||
UserAuthSettings userAuthSettings = Optional.ofNullable(userAuthSettingsDao.findByUserId(userId)) |
|||
.orElseGet(() -> { |
|||
UserAuthSettings newUserAuthSettings = new UserAuthSettings(); |
|||
newUserAuthSettings.setUserId(userId); |
|||
return newUserAuthSettings; |
|||
}); |
|||
userAuthSettings.setTwoFaSettings(settings); |
|||
settings.getConfigs().values().forEach(accountConfig -> accountConfig.setSerializeHiddenFields(true)); |
|||
userAuthSettingsDao.save(tenantId, userAuthSettings); |
|||
settings.getConfigs().values().forEach(accountConfig -> accountConfig.setSerializeHiddenFields(false)); |
|||
return settings; |
|||
} |
|||
|
|||
|
|||
@Override |
|||
public Optional<TwoFaAccountConfig> getTwoFaAccountConfig(TenantId tenantId, UserId userId, TwoFaProviderType providerType) { |
|||
return getAccountTwoFaSettings(tenantId, userId) |
|||
.map(AccountTwoFaSettings::getConfigs) |
|||
.flatMap(configs -> Optional.ofNullable(configs.get(providerType))); |
|||
} |
|||
|
|||
@Override |
|||
public AccountTwoFaSettings saveTwoFaAccountConfig(TenantId tenantId, UserId userId, TwoFaAccountConfig accountConfig) { |
|||
getTwoFaProviderConfig(tenantId, accountConfig.getProviderType()) |
|||
.orElseThrow(() -> new IllegalArgumentException("2FA provider is not configured")); |
|||
|
|||
AccountTwoFaSettings settings = getAccountTwoFaSettings(tenantId, userId).orElseGet(() -> { |
|||
AccountTwoFaSettings newSettings = new AccountTwoFaSettings(); |
|||
newSettings.setConfigs(new LinkedHashMap<>()); |
|||
return newSettings; |
|||
}); |
|||
Map<TwoFaProviderType, TwoFaAccountConfig> configs = settings.getConfigs(); |
|||
if (configs.isEmpty() && accountConfig.getProviderType() == TwoFaProviderType.BACKUP_CODE) { |
|||
throw new IllegalArgumentException("To use 2FA backup codes you first need to configure at least one provider"); |
|||
} |
|||
if (accountConfig.isUseByDefault()) { |
|||
configs.values().forEach(config -> config.setUseByDefault(false)); |
|||
} |
|||
configs.put(accountConfig.getProviderType(), accountConfig); |
|||
if (configs.values().stream().noneMatch(TwoFaAccountConfig::isUseByDefault)) { |
|||
configs.values().stream().findFirst().ifPresent(config -> config.setUseByDefault(true)); |
|||
} |
|||
return saveAccountTwoFaSettings(tenantId, userId, settings); |
|||
} |
|||
|
|||
@Override |
|||
public AccountTwoFaSettings deleteTwoFaAccountConfig(TenantId tenantId, UserId userId, TwoFaProviderType providerType) { |
|||
AccountTwoFaSettings settings = getAccountTwoFaSettings(tenantId, userId) |
|||
.orElseThrow(() -> new IllegalArgumentException("2FA not configured")); |
|||
settings.getConfigs().remove(providerType); |
|||
if (settings.getConfigs().size() == 1) { |
|||
settings.getConfigs().remove(TwoFaProviderType.BACKUP_CODE); |
|||
} |
|||
if (!settings.getConfigs().isEmpty() && settings.getConfigs().values().stream() |
|||
.noneMatch(TwoFaAccountConfig::isUseByDefault)) { |
|||
settings.getConfigs().values().stream() |
|||
.min(Comparator.comparing(TwoFaAccountConfig::getProviderType)) |
|||
.ifPresent(config -> config.setUseByDefault(true)); |
|||
} |
|||
return saveAccountTwoFaSettings(tenantId, userId, settings); |
|||
} |
|||
|
|||
|
|||
private Optional<TwoFaProviderConfig> getTwoFaProviderConfig(TenantId tenantId, TwoFaProviderType providerType) { |
|||
return getPlatformTwoFaSettings(tenantId, true) |
|||
.flatMap(twoFaSettings -> twoFaSettings.getProviderConfig(providerType)); |
|||
} |
|||
|
|||
@Override |
|||
public Optional<PlatformTwoFaSettings> getPlatformTwoFaSettings(TenantId tenantId, boolean sysadminSettingsAsDefault) { |
|||
return Optional.ofNullable(adminSettingsService.findAdminSettingsByKey(TenantId.SYS_TENANT_ID, TWO_FACTOR_AUTH_SETTINGS_KEY)) |
|||
.map(adminSettings -> JacksonUtil.treeToValue(adminSettings.getJsonValue(), PlatformTwoFaSettings.class)); |
|||
} |
|||
|
|||
@Override |
|||
public PlatformTwoFaSettings savePlatformTwoFaSettings(TenantId tenantId, PlatformTwoFaSettings twoFactorAuthSettings) throws ThingsboardException { |
|||
ConstraintValidator.validateFields(twoFactorAuthSettings); |
|||
for (TwoFaProviderConfig providerConfig : twoFactorAuthSettings.getProviders()) { |
|||
twoFactorAuthService.checkProvider(tenantId, providerConfig.getProviderType()); |
|||
} |
|||
|
|||
AdminSettings settings = Optional.ofNullable(adminSettingsService.findAdminSettingsByKey(tenantId, TWO_FACTOR_AUTH_SETTINGS_KEY)) |
|||
.orElseGet(() -> { |
|||
AdminSettings newSettings = new AdminSettings(); |
|||
newSettings.setKey(TWO_FACTOR_AUTH_SETTINGS_KEY); |
|||
return newSettings; |
|||
}); |
|||
settings.setJsonValue(JacksonUtil.valueToTree(twoFactorAuthSettings)); |
|||
adminSettingsService.saveAdminSettings(tenantId, settings); |
|||
return twoFactorAuthSettings; |
|||
} |
|||
|
|||
@Override |
|||
public void deletePlatformTwoFaSettings(TenantId tenantId) { |
|||
Optional.ofNullable(adminSettingsService.findAdminSettingsByKey(tenantId, TWO_FACTOR_AUTH_SETTINGS_KEY)) |
|||
.ifPresent(adminSettings -> adminSettingsDao.removeById(tenantId, adminSettings.getId().getId())); |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,46 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.security.auth.mfa.config; |
|||
|
|||
import org.thingsboard.server.common.data.exception.ThingsboardException; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
import org.thingsboard.server.common.data.id.UserId; |
|||
import org.thingsboard.server.common.data.security.model.mfa.PlatformTwoFaSettings; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.AccountTwoFaSettings; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.TwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType; |
|||
|
|||
import java.util.Optional; |
|||
|
|||
public interface TwoFaConfigManager { |
|||
|
|||
Optional<AccountTwoFaSettings> getAccountTwoFaSettings(TenantId tenantId, UserId userId); |
|||
|
|||
|
|||
Optional<TwoFaAccountConfig> getTwoFaAccountConfig(TenantId tenantId, UserId userId, TwoFaProviderType providerType); |
|||
|
|||
AccountTwoFaSettings saveTwoFaAccountConfig(TenantId tenantId, UserId userId, TwoFaAccountConfig accountConfig); |
|||
|
|||
AccountTwoFaSettings deleteTwoFaAccountConfig(TenantId tenantId, UserId userId, TwoFaProviderType providerType); |
|||
|
|||
|
|||
Optional<PlatformTwoFaSettings> getPlatformTwoFaSettings(TenantId tenantId, boolean sysadminSettingsAsDefault); |
|||
|
|||
PlatformTwoFaSettings savePlatformTwoFaSettings(TenantId tenantId, PlatformTwoFaSettings twoFactorAuthSettings) throws ThingsboardException; |
|||
|
|||
void deletePlatformTwoFaSettings(TenantId tenantId); |
|||
|
|||
} |
|||
@ -0,0 +1,39 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.security.auth.mfa.provider; |
|||
|
|||
import org.thingsboard.server.common.data.User; |
|||
import org.thingsboard.server.common.data.exception.ThingsboardException; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.TwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType; |
|||
import org.thingsboard.server.service.security.model.SecurityUser; |
|||
|
|||
public interface TwoFaProvider<C extends TwoFaProviderConfig, A extends TwoFaAccountConfig> { |
|||
|
|||
A generateNewAccountConfig(User user, C providerConfig); |
|||
|
|||
default void prepareVerificationCode(SecurityUser user, C providerConfig, A accountConfig) throws ThingsboardException {} |
|||
|
|||
boolean checkVerificationCode(SecurityUser user, String code, C providerConfig, A accountConfig); |
|||
|
|||
default void check(TenantId tenantId) throws ThingsboardException {}; |
|||
|
|||
|
|||
TwoFaProviderType getType(); |
|||
|
|||
} |
|||
@ -0,0 +1,73 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.security.auth.mfa.provider.impl; |
|||
|
|||
import org.apache.commons.lang3.RandomStringUtils; |
|||
import org.springframework.beans.factory.annotation.Autowired; |
|||
import org.springframework.context.annotation.Lazy; |
|||
import org.springframework.stereotype.Service; |
|||
import org.thingsboard.common.util.CollectionsUtil; |
|||
import org.thingsboard.server.common.data.User; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.BackupCodeTwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.BackupCodeTwoFaProviderConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType; |
|||
import org.thingsboard.server.queue.util.TbCoreComponent; |
|||
import org.thingsboard.server.service.security.auth.mfa.config.TwoFaConfigManager; |
|||
import org.thingsboard.server.service.security.auth.mfa.provider.TwoFaProvider; |
|||
import org.thingsboard.server.service.security.model.SecurityUser; |
|||
|
|||
import java.util.Set; |
|||
import java.util.stream.Collectors; |
|||
import java.util.stream.Stream; |
|||
|
|||
@Service |
|||
@TbCoreComponent |
|||
public class BackupCodeTwoFaProvider implements TwoFaProvider<BackupCodeTwoFaProviderConfig, BackupCodeTwoFaAccountConfig> { |
|||
|
|||
@Autowired @Lazy |
|||
private TwoFaConfigManager twoFaConfigManager; |
|||
|
|||
@Override |
|||
public BackupCodeTwoFaAccountConfig generateNewAccountConfig(User user, BackupCodeTwoFaProviderConfig providerConfig) { |
|||
BackupCodeTwoFaAccountConfig config = new BackupCodeTwoFaAccountConfig(); |
|||
config.setCodes(generateCodes(providerConfig.getCodesQuantity(), 8)); |
|||
config.setSerializeHiddenFields(true); |
|||
return config; |
|||
} |
|||
|
|||
private static Set<String> generateCodes(int count, int length) { |
|||
return Stream.generate(() -> RandomStringUtils.random(length, "0123456789abcdef")) |
|||
.distinct().limit(count) |
|||
.collect(Collectors.toSet()); |
|||
} |
|||
|
|||
@Override |
|||
public boolean checkVerificationCode(SecurityUser user, String code, BackupCodeTwoFaProviderConfig providerConfig, BackupCodeTwoFaAccountConfig accountConfig) { |
|||
if (CollectionsUtil.contains(accountConfig.getCodes(), code)) { |
|||
accountConfig.getCodes().remove(code); |
|||
twoFaConfigManager.saveTwoFaAccountConfig(user.getTenantId(), user.getId(), accountConfig); |
|||
return true; |
|||
} else { |
|||
return false; |
|||
} |
|||
} |
|||
|
|||
@Override |
|||
public TwoFaProviderType getType() { |
|||
return TwoFaProviderType.BACKUP_CODE; |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,68 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.security.auth.mfa.provider.impl; |
|||
|
|||
import org.springframework.cache.CacheManager; |
|||
import org.springframework.stereotype.Service; |
|||
import org.thingsboard.rule.engine.api.MailService; |
|||
import org.thingsboard.server.common.data.User; |
|||
import org.thingsboard.server.common.data.exception.ThingsboardErrorCode; |
|||
import org.thingsboard.server.common.data.exception.ThingsboardException; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.EmailTwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.EmailTwoFaProviderConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType; |
|||
import org.thingsboard.server.queue.util.TbCoreComponent; |
|||
import org.thingsboard.server.service.security.model.SecurityUser; |
|||
|
|||
@Service |
|||
@TbCoreComponent |
|||
public class EmailTwoFaProvider extends OtpBasedTwoFaProvider<EmailTwoFaProviderConfig, EmailTwoFaAccountConfig> { |
|||
|
|||
private final MailService mailService; |
|||
|
|||
protected EmailTwoFaProvider(CacheManager cacheManager, MailService mailService) { |
|||
super(cacheManager); |
|||
this.mailService = mailService; |
|||
} |
|||
|
|||
@Override |
|||
public EmailTwoFaAccountConfig generateNewAccountConfig(User user, EmailTwoFaProviderConfig providerConfig) { |
|||
EmailTwoFaAccountConfig config = new EmailTwoFaAccountConfig(); |
|||
config.setEmail(user.getEmail()); |
|||
return config; |
|||
} |
|||
|
|||
@Override |
|||
public void check(TenantId tenantId) throws ThingsboardException { |
|||
try { |
|||
mailService.testConnection(tenantId); |
|||
} catch (Exception e) { |
|||
throw new ThingsboardException("Mail service is not set up", ThingsboardErrorCode.BAD_REQUEST_PARAMS); |
|||
} |
|||
} |
|||
|
|||
@Override |
|||
protected void sendVerificationCode(SecurityUser user, String verificationCode, EmailTwoFaProviderConfig providerConfig, EmailTwoFaAccountConfig accountConfig) throws ThingsboardException { |
|||
mailService.sendTwoFaVerificationEmail(accountConfig.getEmail(), verificationCode, providerConfig.getVerificationCodeLifetime()); |
|||
} |
|||
|
|||
@Override |
|||
public TwoFaProviderType getType() { |
|||
return TwoFaProviderType.EMAIL; |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,76 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.security.auth.mfa.provider.impl; |
|||
|
|||
import lombok.Data; |
|||
import org.apache.commons.lang3.RandomStringUtils; |
|||
import org.springframework.cache.Cache; |
|||
import org.springframework.cache.CacheManager; |
|||
import org.thingsboard.server.common.data.CacheConstants; |
|||
import org.thingsboard.server.common.data.exception.ThingsboardException; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.OtpBasedTwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.OtpBasedTwoFaProviderConfig; |
|||
import org.thingsboard.server.service.security.auth.mfa.provider.TwoFaProvider; |
|||
import org.thingsboard.server.service.security.model.SecurityUser; |
|||
|
|||
import java.util.concurrent.TimeUnit; |
|||
|
|||
public abstract class OtpBasedTwoFaProvider<C extends OtpBasedTwoFaProviderConfig, A extends OtpBasedTwoFaAccountConfig> implements TwoFaProvider<C, A> { |
|||
|
|||
private final Cache verificationCodesCache; |
|||
|
|||
protected OtpBasedTwoFaProvider(CacheManager cacheManager) { |
|||
this.verificationCodesCache = cacheManager.getCache(CacheConstants.TWO_FA_VERIFICATION_CODES_CACHE); |
|||
} |
|||
|
|||
|
|||
@Override |
|||
public final void prepareVerificationCode(SecurityUser user, C providerConfig, A accountConfig) throws ThingsboardException { |
|||
String verificationCode = RandomStringUtils.randomNumeric(6); |
|||
sendVerificationCode(user, verificationCode, providerConfig, accountConfig); |
|||
verificationCodesCache.put(user.getId(), new Otp(System.currentTimeMillis(), verificationCode, accountConfig)); |
|||
} |
|||
|
|||
protected abstract void sendVerificationCode(SecurityUser user, String verificationCode, C providerConfig, A accountConfig) throws ThingsboardException; |
|||
|
|||
|
|||
@Override |
|||
public final boolean checkVerificationCode(SecurityUser user, String code, C providerConfig, A accountConfig) { |
|||
Otp correctVerificationCode = verificationCodesCache.get(user.getId(), Otp.class); |
|||
if (correctVerificationCode != null) { |
|||
if (System.currentTimeMillis() - correctVerificationCode.getTimestamp() |
|||
> TimeUnit.SECONDS.toMillis(providerConfig.getVerificationCodeLifetime())) { |
|||
verificationCodesCache.evict(user.getId()); |
|||
return false; |
|||
} |
|||
if (code.equals(correctVerificationCode.getValue()) |
|||
&& accountConfig.equals(correctVerificationCode.getAccountConfig())) { |
|||
verificationCodesCache.evict(user.getId()); |
|||
return true; |
|||
} |
|||
} |
|||
return false; |
|||
} |
|||
|
|||
|
|||
@Data |
|||
public static class Otp { |
|||
private final long timestamp; |
|||
private final String value; |
|||
private final OtpBasedTwoFaAccountConfig accountConfig; |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,76 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.security.auth.mfa.provider.impl; |
|||
|
|||
import org.springframework.cache.CacheManager; |
|||
import org.springframework.stereotype.Service; |
|||
import org.thingsboard.rule.engine.api.SmsService; |
|||
import org.thingsboard.rule.engine.api.util.TbNodeUtils; |
|||
import org.thingsboard.server.common.data.User; |
|||
import org.thingsboard.server.common.data.exception.ThingsboardErrorCode; |
|||
import org.thingsboard.server.common.data.exception.ThingsboardException; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.SmsTwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.SmsTwoFaProviderConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType; |
|||
import org.thingsboard.server.queue.util.TbCoreComponent; |
|||
import org.thingsboard.server.service.security.model.SecurityUser; |
|||
|
|||
import java.util.Map; |
|||
|
|||
@Service |
|||
@TbCoreComponent |
|||
public class SmsTwoFaProvider extends OtpBasedTwoFaProvider<SmsTwoFaProviderConfig, SmsTwoFaAccountConfig> { |
|||
|
|||
private final SmsService smsService; |
|||
|
|||
public SmsTwoFaProvider(CacheManager cacheManager, SmsService smsService) { |
|||
super(cacheManager); |
|||
this.smsService = smsService; |
|||
} |
|||
|
|||
|
|||
@Override |
|||
public SmsTwoFaAccountConfig generateNewAccountConfig(User user, SmsTwoFaProviderConfig providerConfig) { |
|||
return new SmsTwoFaAccountConfig(); |
|||
} |
|||
|
|||
@Override |
|||
protected void sendVerificationCode(SecurityUser user, String verificationCode, SmsTwoFaProviderConfig providerConfig, SmsTwoFaAccountConfig accountConfig) throws ThingsboardException { |
|||
Map<String, String> messageData = Map.of( |
|||
"code", verificationCode, |
|||
"userEmail", user.getEmail() |
|||
); |
|||
String message = TbNodeUtils.processTemplate(providerConfig.getSmsVerificationMessageTemplate(), messageData); |
|||
String phoneNumber = accountConfig.getPhoneNumber(); |
|||
|
|||
smsService.sendSms(user.getTenantId(), user.getCustomerId(), new String[]{phoneNumber}, message); |
|||
} |
|||
|
|||
@Override |
|||
public void check(TenantId tenantId) throws ThingsboardException { |
|||
if (!smsService.isConfigured(tenantId)) { |
|||
throw new ThingsboardException("SMS service in not configured", ThingsboardErrorCode.BAD_REQUEST_PARAMS); |
|||
} |
|||
} |
|||
|
|||
|
|||
@Override |
|||
public TwoFaProviderType getType() { |
|||
return TwoFaProviderType.SMS; |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,74 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.security.auth.mfa.provider.impl; |
|||
|
|||
import lombok.RequiredArgsConstructor; |
|||
import lombok.SneakyThrows; |
|||
import org.apache.commons.lang3.RandomUtils; |
|||
import org.apache.http.client.utils.URIBuilder; |
|||
import org.jboss.aerogear.security.otp.Totp; |
|||
import org.jboss.aerogear.security.otp.api.Base32; |
|||
import org.springframework.stereotype.Service; |
|||
import org.springframework.web.util.UriComponentsBuilder; |
|||
import org.thingsboard.server.common.data.User; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType; |
|||
import org.thingsboard.server.queue.util.TbCoreComponent; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.TotpTwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TotpTwoFaProviderConfig; |
|||
import org.thingsboard.server.service.security.auth.mfa.provider.TwoFaProvider; |
|||
import org.thingsboard.server.service.security.model.SecurityUser; |
|||
|
|||
@Service |
|||
@RequiredArgsConstructor |
|||
@TbCoreComponent |
|||
public class TotpTwoFaProvider implements TwoFaProvider<TotpTwoFaProviderConfig, TotpTwoFaAccountConfig> { |
|||
|
|||
@Override |
|||
public final TotpTwoFaAccountConfig generateNewAccountConfig(User user, TotpTwoFaProviderConfig providerConfig) { |
|||
TotpTwoFaAccountConfig config = new TotpTwoFaAccountConfig(); |
|||
String secretKey = generateSecretKey(); |
|||
config.setAuthUrl(getTotpAuthUrl(user, secretKey, providerConfig)); |
|||
return config; |
|||
} |
|||
|
|||
@Override |
|||
public final boolean checkVerificationCode(SecurityUser user, String code, TotpTwoFaProviderConfig providerConfig, TotpTwoFaAccountConfig accountConfig) { |
|||
String secretKey = UriComponentsBuilder.fromUriString(accountConfig.getAuthUrl()).build().getQueryParams().getFirst("secret"); |
|||
return new Totp(secretKey).verify(code); |
|||
} |
|||
|
|||
@SneakyThrows |
|||
private String getTotpAuthUrl(User user, String secretKey, TotpTwoFaProviderConfig providerConfig) { |
|||
URIBuilder uri = new URIBuilder() |
|||
.setScheme("otpauth") |
|||
.setHost("totp") |
|||
.setParameter("issuer", providerConfig.getIssuerName()) |
|||
.setPath("/" + providerConfig.getIssuerName() + ":" + user.getEmail()) |
|||
.setParameter("secret", secretKey); |
|||
return uri.build().toASCIIString(); |
|||
} |
|||
|
|||
private String generateSecretKey() { |
|||
return Base32.encode(RandomUtils.nextBytes(20)); |
|||
} |
|||
|
|||
|
|||
@Override |
|||
public TwoFaProviderType getType() { |
|||
return TwoFaProviderType.TOTP; |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,117 @@ |
|||
<#-- |
|||
|
|||
Copyright © 2016-2022 The Thingsboard Authors |
|||
|
|||
Licensed under the Apache License, Version 2.0 (the "License"); |
|||
you may not use this file except in compliance with the License. |
|||
You may obtain a copy of the License at |
|||
|
|||
http://www.apache.org/licenses/LICENSE-2.0 |
|||
|
|||
Unless required by applicable law or agreed to in writing, software |
|||
distributed under the License is distributed on an "AS IS" BASIS, |
|||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
See the License for the specific language governing permissions and |
|||
limitations under the License. |
|||
|
|||
--> |
|||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" |
|||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
|||
<html xmlns="http://www.w3.org/1999/xhtml" |
|||
style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 14px; margin: 0;"> |
|||
<head> |
|||
<meta name="viewport" content="width=device-width" /> |
|||
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> |
|||
<title>Email verification code</title> |
|||
|
|||
|
|||
<style type="text/css"> |
|||
img { |
|||
max-width: 100%; |
|||
} |
|||
body { |
|||
-webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; width: 100% !important; height: 100%; line-height: 1.6em; |
|||
} |
|||
body { |
|||
background-color: #f6f6f6; |
|||
} |
|||
@media only screen and (max-width: 640px) { |
|||
body { |
|||
padding: 0 !important; |
|||
} |
|||
h2 { |
|||
font-weight: 800 !important; |
|||
margin: 0 0 8px !important; |
|||
} |
|||
h2 { |
|||
font-size: 18px !important; |
|||
} |
|||
.container { |
|||
padding: 0 !important; |
|||
width: 100% !important; |
|||
} |
|||
.content { |
|||
padding: 0 !important; |
|||
} |
|||
.content-wrap { |
|||
padding: 10px !important; |
|||
} |
|||
} |
|||
</style> |
|||
</head> |
|||
|
|||
<body itemscope itemtype="http://schema.org/EmailMessage" |
|||
style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none; width: 100% !important; height: 100%; line-height: 1.6em; background-color: #f6f6f6; margin: 0;" |
|||
bgcolor="#f6f6f6"> |
|||
|
|||
<table class="body-wrap" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; width: 100%; background-color: #f6f6f6; margin: 0;" bgcolor="#f6f6f6"><tr style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; margin: 0;"><td style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; vertical-align: top; margin: 0;" valign="top"></td> |
|||
<td class="container" width="600" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; vertical-align: top; display: block !important; max-width: 600px !important; clear: both !important; margin: 0 auto;" valign="top"> |
|||
<div class="content" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; max-width: 600px; display: block; margin: 0 auto; padding: 20px;"> |
|||
<table class="main" width="100%" cellpadding="0" cellspacing="0" itemprop="action" itemscope itemtype="http://schema.org/ConfirmAction" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; border-radius: 3px; background-color: #fff; margin: 0; border: 1px solid #e9e9e9;" bgcolor="#fff"><tr style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; margin: 0;"><td class="content-wrap" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; vertical-align: top; margin: 0; padding: 20px;" valign="top"> |
|||
<meta itemprop="name" content="Confirm Email" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; margin: 0;" /><table width="100%" cellpadding="0" cellspacing="0" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; margin: 0;"> |
|||
<tr style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; margin: 0;"> |
|||
<td class="content-block" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; color: #348eda; box-sizing: border-box; font-size: 14px; vertical-align: top; margin: 0; padding: 0;" valign="top" align="center"> |
|||
<h2 style="margin-bottom: 0;">Your verification code:</h2> |
|||
</td> |
|||
</tr> |
|||
<tr style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; margin: 0;"> |
|||
<td class="content-block" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; color: #348eda; box-sizing: border-box; font-size: 14px; vertical-align: top; margin: 0; padding: 0 0 20px;" valign="top" align="center"> |
|||
<h2 style="margin-top: 8px;">${code}</h2> |
|||
</td> |
|||
</tr> |
|||
<tr style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; margin: 0;"> |
|||
<td class="content-block" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; vertical-align: top; margin: 0; padding: 0 0 8px;" valign="top"> |
|||
Please verify your access using the code above. |
|||
</td> |
|||
</tr> |
|||
<tr style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; margin: 0;"> |
|||
<td class="content-block" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; vertical-align: top; margin: 0; padding: 0 0 8px;" valign="top"> |
|||
This code will expire in ${expirationTimeSeconds} seconds. |
|||
</td> |
|||
</tr> |
|||
<tr style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; margin: 0;"> |
|||
<td class="content-block" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; vertical-align: top; margin: 0; padding: 0 0 20px;" valign="top"> |
|||
If you didn't request this code, you can ignore this email. |
|||
</td> |
|||
</tr> |
|||
<tr style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; margin: 0;"> |
|||
<td class="content-block" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; vertical-align: top; margin: 0; padding: 0 0 20px;" valign="top"> |
|||
— The Thingsboard |
|||
</td> |
|||
</tr></table></td> |
|||
</tr> |
|||
</table> |
|||
<div class="footer" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; width: 100%; clear: both; color: #999; margin: 0; padding: 20px;"> |
|||
<table width="100%" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; margin: 0;"> |
|||
<tr style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; margin: 0;"> |
|||
<td class="aligncenter content-block" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 12px; vertical-align: top; color: #999; text-align: center; margin: 0; padding: 0 0 20px;" align="center" valign="top">This email was sent to <a href="mailto:${targetEmail}" style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 12px; color: #999; text-decoration: underline; margin: 0;">${targetEmail}</a> by Thingsboard.</td> |
|||
</tr> |
|||
</table> |
|||
</div> |
|||
</div> |
|||
</td> |
|||
<td style="font-family: 'Helvetica Neue',Helvetica,Arial,sans-serif; box-sizing: border-box; font-size: 14px; vertical-align: top; margin: 0;" valign="top"></td> |
|||
</tr> |
|||
</table> |
|||
</body> |
|||
</html> |
|||
@ -0,0 +1,470 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.controller; |
|||
|
|||
import org.jboss.aerogear.security.otp.Totp; |
|||
import org.jboss.aerogear.security.otp.api.Base32; |
|||
import org.junit.After; |
|||
import org.junit.Before; |
|||
import org.junit.Test; |
|||
import org.mockito.ArgumentCaptor; |
|||
import org.springframework.beans.factory.annotation.Autowired; |
|||
import org.springframework.boot.test.mock.mockito.MockBean; |
|||
import org.springframework.boot.test.mock.mockito.SpyBean; |
|||
import org.springframework.cache.CacheManager; |
|||
import org.springframework.web.util.UriComponents; |
|||
import org.springframework.web.util.UriComponentsBuilder; |
|||
import org.thingsboard.rule.engine.api.SmsService; |
|||
import org.thingsboard.server.common.data.CacheConstants; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
import org.thingsboard.server.common.data.security.model.mfa.PlatformTwoFaSettings; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.AccountTwoFaSettings; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.SmsTwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.TotpTwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.TwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.SmsTwoFaProviderConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TotpTwoFaProviderConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType; |
|||
import org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService; |
|||
import org.thingsboard.server.service.security.auth.mfa.config.TwoFaConfigManager; |
|||
import org.thingsboard.server.service.security.auth.mfa.provider.impl.OtpBasedTwoFaProvider; |
|||
import org.thingsboard.server.service.security.auth.mfa.provider.impl.TotpTwoFaProvider; |
|||
|
|||
import java.util.Arrays; |
|||
import java.util.Collections; |
|||
import java.util.List; |
|||
import java.util.stream.Collectors; |
|||
|
|||
import static org.assertj.core.api.Assertions.assertThat; |
|||
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; |
|||
import static org.mockito.ArgumentMatchers.any; |
|||
import static org.mockito.ArgumentMatchers.argThat; |
|||
import static org.mockito.ArgumentMatchers.eq; |
|||
import static org.mockito.Mockito.doNothing; |
|||
import static org.mockito.Mockito.verify; |
|||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; |
|||
|
|||
public abstract class TwoFactorAuthConfigTest extends AbstractControllerTest { |
|||
|
|||
@SpyBean |
|||
private TotpTwoFaProvider totpTwoFactorAuthProvider; |
|||
@MockBean |
|||
private SmsService smsService; |
|||
@Autowired |
|||
private CacheManager cacheManager; |
|||
@Autowired |
|||
private TwoFaConfigManager twoFaConfigManager; |
|||
@SpyBean |
|||
private TwoFactorAuthService twoFactorAuthService; |
|||
|
|||
@Before |
|||
public void beforeEach() throws Exception { |
|||
doNothing().when(twoFactorAuthService).checkProvider(any(), any()); |
|||
loginSysAdmin(); |
|||
} |
|||
|
|||
@After |
|||
public void afterEach() { |
|||
twoFaConfigManager.deletePlatformTwoFaSettings(TenantId.SYS_TENANT_ID); |
|||
twoFaConfigManager.deletePlatformTwoFaSettings(tenantId); |
|||
} |
|||
|
|||
|
|||
@Test |
|||
public void testSavePlatformTwoFaSettings() throws Exception { |
|||
loginSysAdmin(); |
|||
|
|||
TotpTwoFaProviderConfig totpTwoFaProviderConfig = new TotpTwoFaProviderConfig(); |
|||
totpTwoFaProviderConfig.setIssuerName("tb"); |
|||
SmsTwoFaProviderConfig smsTwoFaProviderConfig = new SmsTwoFaProviderConfig(); |
|||
smsTwoFaProviderConfig.setSmsVerificationMessageTemplate("${code}"); |
|||
smsTwoFaProviderConfig.setVerificationCodeLifetime(60); |
|||
|
|||
PlatformTwoFaSettings twoFaSettings = new PlatformTwoFaSettings(); |
|||
twoFaSettings.setProviders(List.of(totpTwoFaProviderConfig, smsTwoFaProviderConfig)); |
|||
twoFaSettings.setVerificationCodeCheckRateLimit("3:900"); |
|||
twoFaSettings.setMaxVerificationFailuresBeforeUserLockout(10); |
|||
twoFaSettings.setTotalAllowedTimeForVerification(3600); |
|||
|
|||
doPost("/api/2fa/settings", twoFaSettings).andExpect(status().isOk()); |
|||
|
|||
PlatformTwoFaSettings savedTwoFaSettings = readResponse(doGet("/api/2fa/settings").andExpect(status().isOk()), PlatformTwoFaSettings.class); |
|||
|
|||
assertThat(savedTwoFaSettings.getProviders()).hasSize(2); |
|||
assertThat(savedTwoFaSettings.getProviders()).contains(totpTwoFaProviderConfig, smsTwoFaProviderConfig); |
|||
} |
|||
|
|||
@Test |
|||
public void testSavePlatformTwoFaSettings_validationError() throws Exception { |
|||
loginSysAdmin(); |
|||
|
|||
PlatformTwoFaSettings twoFaSettings = new PlatformTwoFaSettings(); |
|||
twoFaSettings.setProviders(Collections.emptyList()); |
|||
twoFaSettings.setVerificationCodeCheckRateLimit("0:12"); |
|||
twoFaSettings.setMaxVerificationFailuresBeforeUserLockout(-1); |
|||
twoFaSettings.setTotalAllowedTimeForVerification(0); |
|||
|
|||
String errorMessage = getErrorMessage(doPost("/api/2fa/settings", twoFaSettings) |
|||
.andExpect(status().isBadRequest())); |
|||
|
|||
assertThat(errorMessage).contains( |
|||
"verification code check rate limit configuration is invalid", |
|||
"maximum number of verification failure before user lockout must be positive", |
|||
"total amount of time allotted for verification must be greater than or equal 60" |
|||
); |
|||
} |
|||
|
|||
@Test |
|||
public void testSaveTotpTwoFaProviderConfig_validationError() throws Exception { |
|||
TotpTwoFaProviderConfig invalidTotpTwoFaProviderConfig = new TotpTwoFaProviderConfig(); |
|||
invalidTotpTwoFaProviderConfig.setIssuerName(" "); |
|||
|
|||
String errorResponse = savePlatformTwoFaSettingsAndGetError(invalidTotpTwoFaProviderConfig); |
|||
assertThat(errorResponse).containsIgnoringCase("issuer name must not be blank"); |
|||
} |
|||
|
|||
@Test |
|||
public void testSaveSmsTwoFaProviderConfig_validationError() throws Exception { |
|||
SmsTwoFaProviderConfig invalidSmsTwoFaProviderConfig = new SmsTwoFaProviderConfig(); |
|||
invalidSmsTwoFaProviderConfig.setSmsVerificationMessageTemplate("does not contain verification code"); |
|||
invalidSmsTwoFaProviderConfig.setVerificationCodeLifetime(60); |
|||
|
|||
String errorResponse = savePlatformTwoFaSettingsAndGetError(invalidSmsTwoFaProviderConfig); |
|||
assertThat(errorResponse).containsIgnoringCase("must contain verification code"); |
|||
|
|||
invalidSmsTwoFaProviderConfig.setSmsVerificationMessageTemplate(null); |
|||
invalidSmsTwoFaProviderConfig.setVerificationCodeLifetime(0); |
|||
errorResponse = savePlatformTwoFaSettingsAndGetError(invalidSmsTwoFaProviderConfig); |
|||
assertThat(errorResponse).containsIgnoringCase("verification message template is required"); |
|||
assertThat(errorResponse).containsIgnoringCase("verification code lifetime is required"); |
|||
} |
|||
|
|||
private String savePlatformTwoFaSettingsAndGetError(TwoFaProviderConfig invalidTwoFaProviderConfig) throws Exception { |
|||
PlatformTwoFaSettings twoFaSettings = new PlatformTwoFaSettings(); |
|||
twoFaSettings.setProviders(Collections.singletonList(invalidTwoFaProviderConfig)); |
|||
|
|||
return getErrorMessage(doPost("/api/2fa/settings", twoFaSettings) |
|||
.andExpect(status().isBadRequest())); |
|||
} |
|||
|
|||
|
|||
@Test |
|||
public void testSaveTwoFaAccountConfig_providerNotConfigured() throws Exception { |
|||
configureSmsTwoFaProvider("${code}"); |
|||
|
|||
loginTenantAdmin(); |
|||
|
|||
TwoFaProviderType notConfiguredProviderType = TwoFaProviderType.TOTP; |
|||
String errorMessage = getErrorMessage(doPost("/api/2fa/account/config/generate?providerType=" + notConfiguredProviderType) |
|||
.andExpect(status().isBadRequest())); |
|||
assertThat(errorMessage).containsIgnoringCase("provider is not configured"); |
|||
|
|||
TotpTwoFaAccountConfig notConfiguredProviderAccountConfig = new TotpTwoFaAccountConfig(); |
|||
notConfiguredProviderAccountConfig.setAuthUrl("otpauth://totp/aba:aba?issuer=aba&secret=ABA"); |
|||
errorMessage = getErrorMessage(doPost("/api/2fa/account/config/submit", notConfiguredProviderAccountConfig)); |
|||
assertThat(errorMessage).containsIgnoringCase("provider is not configured"); |
|||
} |
|||
|
|||
@Test |
|||
public void testGenerateTotpTwoFaAccountConfig() throws Exception { |
|||
TotpTwoFaProviderConfig totpTwoFaProviderConfig = configureTotpTwoFaProvider(); |
|||
|
|||
loginTenantAdmin(); |
|||
|
|||
assertThat(readResponse(doGet("/api/2fa/account/settings").andExpect(status().isOk()), String.class)).isNullOrEmpty(); |
|||
generateTotpTwoFaAccountConfig(totpTwoFaProviderConfig); |
|||
} |
|||
|
|||
@Test |
|||
public void testSubmitTotpTwoFaAccountConfig() throws Exception { |
|||
TotpTwoFaProviderConfig totpTwoFaProviderConfig = configureTotpTwoFaProvider(); |
|||
|
|||
loginTenantAdmin(); |
|||
|
|||
TotpTwoFaAccountConfig generatedTotpTwoFaAccountConfig = generateTotpTwoFaAccountConfig(totpTwoFaProviderConfig); |
|||
doPost("/api/2fa/account/config/submit", generatedTotpTwoFaAccountConfig).andExpect(status().isOk()); |
|||
verify(totpTwoFactorAuthProvider).prepareVerificationCode(argThat(user -> user.getEmail().equals(TENANT_ADMIN_EMAIL)), |
|||
eq(totpTwoFaProviderConfig), eq(generatedTotpTwoFaAccountConfig)); |
|||
} |
|||
|
|||
@Test |
|||
public void testSubmitTotpTwoFaAccountConfig_validationError() throws Exception { |
|||
configureTotpTwoFaProvider(); |
|||
|
|||
loginTenantAdmin(); |
|||
|
|||
TotpTwoFaAccountConfig totpTwoFaAccountConfig = new TotpTwoFaAccountConfig(); |
|||
totpTwoFaAccountConfig.setAuthUrl(null); |
|||
|
|||
String errorMessage = getErrorMessage(doPost("/api/2fa/account/config/submit", totpTwoFaAccountConfig) |
|||
.andExpect(status().isBadRequest())); |
|||
assertThat(errorMessage).containsIgnoringCase("otp auth url cannot be blank"); |
|||
|
|||
totpTwoFaAccountConfig.setAuthUrl("otpauth://totp/T B: aba"); |
|||
errorMessage = getErrorMessage(doPost("/api/2fa/account/config/submit", totpTwoFaAccountConfig) |
|||
.andExpect(status().isBadRequest())); |
|||
assertThat(errorMessage).containsIgnoringCase("otp auth url is invalid"); |
|||
|
|||
totpTwoFaAccountConfig.setAuthUrl("otpauth://totp/ThingsBoard%20(Tenant):tenant@thingsboard.org?issuer=ThingsBoard+%28Tenant%29&secret=FUNBIM3CXFNNGQR6ZIPVWHP65PPFWDII"); |
|||
doPost("/api/2fa/account/config/submit", totpTwoFaAccountConfig) |
|||
.andExpect(status().isOk()); |
|||
} |
|||
|
|||
@Test |
|||
public void testVerifyAndSaveTotpTwoFaAccountConfig() throws Exception { |
|||
TotpTwoFaProviderConfig totpTwoFaProviderConfig = configureTotpTwoFaProvider(); |
|||
|
|||
loginTenantAdmin(); |
|||
|
|||
TotpTwoFaAccountConfig generatedTotpTwoFaAccountConfig = generateTotpTwoFaAccountConfig(totpTwoFaProviderConfig); |
|||
generatedTotpTwoFaAccountConfig.setUseByDefault(true); |
|||
|
|||
String secret = UriComponentsBuilder.fromUriString(generatedTotpTwoFaAccountConfig.getAuthUrl()).build() |
|||
.getQueryParams().getFirst("secret"); |
|||
String correctVerificationCode = new Totp(secret).now(); |
|||
|
|||
doPost("/api/2fa/account/config?verificationCode=" + correctVerificationCode, generatedTotpTwoFaAccountConfig) |
|||
.andExpect(status().isOk()); |
|||
|
|||
AccountTwoFaSettings accountTwoFaSettings = readResponse(doGet("/api/2fa/account/settings").andExpect(status().isOk()), AccountTwoFaSettings.class); |
|||
assertThat(accountTwoFaSettings.getConfigs()).size().isOne(); |
|||
|
|||
TwoFaAccountConfig twoFaAccountConfig = accountTwoFaSettings.getConfigs().get(TwoFaProviderType.TOTP); |
|||
assertThat(twoFaAccountConfig).isEqualTo(generatedTotpTwoFaAccountConfig); |
|||
} |
|||
|
|||
@Test |
|||
public void testVerifyAndSaveTotpTwoFaAccountConfig_incorrectVerificationCode() throws Exception { |
|||
TotpTwoFaProviderConfig totpTwoFaProviderConfig = configureTotpTwoFaProvider(); |
|||
|
|||
loginTenantAdmin(); |
|||
|
|||
TotpTwoFaAccountConfig generatedTotpTwoFaAccountConfig = generateTotpTwoFaAccountConfig(totpTwoFaProviderConfig); |
|||
|
|||
String incorrectVerificationCode = "100000"; |
|||
String errorMessage = getErrorMessage(doPost("/api/2fa/account/config?verificationCode=" + incorrectVerificationCode, generatedTotpTwoFaAccountConfig) |
|||
.andExpect(status().isBadRequest())); |
|||
|
|||
assertThat(errorMessage).containsIgnoringCase("verification code is incorrect"); |
|||
} |
|||
|
|||
private TotpTwoFaAccountConfig generateTotpTwoFaAccountConfig(TotpTwoFaProviderConfig totpTwoFaProviderConfig) throws Exception { |
|||
TwoFaAccountConfig generatedTwoFaAccountConfig = readResponse(doPost("/api/2fa/account/config/generate?providerType=TOTP") |
|||
.andExpect(status().isOk()), TwoFaAccountConfig.class); |
|||
assertThat(generatedTwoFaAccountConfig).isInstanceOf(TotpTwoFaAccountConfig.class); |
|||
|
|||
assertThat(((TotpTwoFaAccountConfig) generatedTwoFaAccountConfig)).satisfies(accountConfig -> { |
|||
UriComponents otpAuthUrl = UriComponentsBuilder.fromUriString(accountConfig.getAuthUrl()).build(); |
|||
assertThat(otpAuthUrl.getScheme()).isEqualTo("otpauth"); |
|||
assertThat(otpAuthUrl.getHost()).isEqualTo("totp"); |
|||
assertThat(otpAuthUrl.getQueryParams().getFirst("issuer")).isEqualTo(totpTwoFaProviderConfig.getIssuerName()); |
|||
assertThat(otpAuthUrl.getPath()).isEqualTo("/%s:%s", totpTwoFaProviderConfig.getIssuerName(), TENANT_ADMIN_EMAIL); |
|||
assertThat(otpAuthUrl.getQueryParams().getFirst("secret")).satisfies(secretKey -> { |
|||
assertDoesNotThrow(() -> Base32.decode(secretKey)); |
|||
}); |
|||
}); |
|||
return (TotpTwoFaAccountConfig) generatedTwoFaAccountConfig; |
|||
} |
|||
|
|||
@Test |
|||
public void testGetTwoFaAccountConfig_whenProviderNotConfigured() throws Exception { |
|||
testVerifyAndSaveTotpTwoFaAccountConfig(); |
|||
assertThat(readResponse(doGet("/api/2fa/account/settings").andExpect(status().isOk()), |
|||
AccountTwoFaSettings.class).getConfigs()).isNotEmpty(); |
|||
|
|||
loginSysAdmin(); |
|||
saveProvidersConfigs(); |
|||
|
|||
loginTenantAdmin(); |
|||
|
|||
assertThat(readResponse(doGet("/api/2fa/account/settings").andExpect(status().isOk()), AccountTwoFaSettings.class).getConfigs()) |
|||
.isEmpty(); |
|||
} |
|||
|
|||
@Test |
|||
public void testGenerateSmsTwoFaAccountConfig() throws Exception { |
|||
configureSmsTwoFaProvider("${code}"); |
|||
doPost("/api/2fa/account/config/generate?providerType=SMS") |
|||
.andExpect(status().isOk()); |
|||
} |
|||
|
|||
@Test |
|||
public void testSubmitSmsTwoFaAccountConfig() throws Exception { |
|||
String verificationMessageTemplate = "Here is your verification code: ${code}"; |
|||
configureSmsTwoFaProvider(verificationMessageTemplate); |
|||
|
|||
loginTenantAdmin(); |
|||
|
|||
SmsTwoFaAccountConfig smsTwoFaAccountConfig = new SmsTwoFaAccountConfig(); |
|||
smsTwoFaAccountConfig.setPhoneNumber("+38054159785"); |
|||
|
|||
doPost("/api/2fa/account/config/submit", smsTwoFaAccountConfig).andExpect(status().isOk()); |
|||
|
|||
String verificationCode = cacheManager.getCache(CacheConstants.TWO_FA_VERIFICATION_CODES_CACHE) |
|||
.get(tenantAdminUserId, OtpBasedTwoFaProvider.Otp.class).getValue(); |
|||
|
|||
verify(smsService).sendSms(eq(tenantId), any(), argThat(phoneNumbers -> { |
|||
return phoneNumbers[0].equals(smsTwoFaAccountConfig.getPhoneNumber()); |
|||
}), eq("Here is your verification code: " + verificationCode)); |
|||
} |
|||
|
|||
@Test |
|||
public void testSubmitSmsTwoFaAccountConfig_validationError() throws Exception { |
|||
configureSmsTwoFaProvider("${code}"); |
|||
|
|||
SmsTwoFaAccountConfig smsTwoFaAccountConfig = new SmsTwoFaAccountConfig(); |
|||
String blankPhoneNumber = ""; |
|||
smsTwoFaAccountConfig.setPhoneNumber(blankPhoneNumber); |
|||
|
|||
String errorMessage = getErrorMessage(doPost("/api/2fa/account/config/submit", smsTwoFaAccountConfig) |
|||
.andExpect(status().isBadRequest())); |
|||
assertThat(errorMessage).containsIgnoringCase("phone number cannot be blank"); |
|||
|
|||
String nonE164PhoneNumber = "8754868"; |
|||
smsTwoFaAccountConfig.setPhoneNumber(nonE164PhoneNumber); |
|||
|
|||
errorMessage = getErrorMessage(doPost("/api/2fa/account/config/submit", smsTwoFaAccountConfig) |
|||
.andExpect(status().isBadRequest())); |
|||
assertThat(errorMessage).containsIgnoringCase("phone number is not of E.164 format"); |
|||
} |
|||
|
|||
@Test |
|||
public void testVerifyAndSaveSmsTwoFaAccountConfig() throws Exception { |
|||
configureSmsTwoFaProvider("${code}"); |
|||
|
|||
loginTenantAdmin(); |
|||
|
|||
SmsTwoFaAccountConfig smsTwoFaAccountConfig = new SmsTwoFaAccountConfig(); |
|||
smsTwoFaAccountConfig.setPhoneNumber("+38051889445"); |
|||
smsTwoFaAccountConfig.setUseByDefault(true); |
|||
|
|||
ArgumentCaptor<String> verificationCodeCaptor = ArgumentCaptor.forClass(String.class); |
|||
doPost("/api/2fa/account/config/submit", smsTwoFaAccountConfig).andExpect(status().isOk()); |
|||
|
|||
verify(smsService).sendSms(eq(tenantId), any(), argThat(phoneNumbers -> { |
|||
return phoneNumbers[0].equals(smsTwoFaAccountConfig.getPhoneNumber()); |
|||
}), verificationCodeCaptor.capture()); |
|||
|
|||
String correctVerificationCode = verificationCodeCaptor.getValue(); |
|||
doPost("/api/2fa/account/config?verificationCode=" + correctVerificationCode, smsTwoFaAccountConfig) |
|||
.andExpect(status().isOk()); |
|||
|
|||
AccountTwoFaSettings accountTwoFaSettings = readResponse(doGet("/api/2fa/account/settings").andExpect(status().isOk()), AccountTwoFaSettings.class); |
|||
TwoFaAccountConfig accountConfig = accountTwoFaSettings.getConfigs().get(TwoFaProviderType.SMS); |
|||
assertThat(accountConfig).isEqualTo(smsTwoFaAccountConfig); |
|||
} |
|||
|
|||
@Test |
|||
public void testVerifyAndSaveSmsTwoFaAccountConfig_incorrectVerificationCode() throws Exception { |
|||
configureSmsTwoFaProvider("${code}"); |
|||
|
|||
loginTenantAdmin(); |
|||
|
|||
SmsTwoFaAccountConfig smsTwoFaAccountConfig = new SmsTwoFaAccountConfig(); |
|||
smsTwoFaAccountConfig.setPhoneNumber("+38051889445"); |
|||
|
|||
String errorMessage = getErrorMessage(doPost("/api/2fa/account/config?verificationCode=100000", smsTwoFaAccountConfig) |
|||
.andExpect(status().isBadRequest())); |
|||
assertThat(errorMessage).containsIgnoringCase("verification code is incorrect"); |
|||
} |
|||
|
|||
@Test |
|||
public void testVerifyAndSaveSmsTwoFaAccountConfig_differentAccountConfigs() throws Exception { |
|||
configureSmsTwoFaProvider("${code}"); |
|||
loginTenantAdmin(); |
|||
|
|||
SmsTwoFaAccountConfig initialSmsTwoFaAccountConfig = new SmsTwoFaAccountConfig(); |
|||
initialSmsTwoFaAccountConfig.setPhoneNumber("+38051889445"); |
|||
initialSmsTwoFaAccountConfig.setUseByDefault(true); |
|||
|
|||
ArgumentCaptor<String> verificationCodeCaptor = ArgumentCaptor.forClass(String.class); |
|||
doPost("/api/2fa/account/config/submit", initialSmsTwoFaAccountConfig).andExpect(status().isOk()); |
|||
|
|||
verify(smsService).sendSms(eq(tenantId), any(), argThat(phoneNumbers -> { |
|||
return phoneNumbers[0].equals(initialSmsTwoFaAccountConfig.getPhoneNumber()); |
|||
}), verificationCodeCaptor.capture()); |
|||
|
|||
String correctVerificationCode = verificationCodeCaptor.getValue(); |
|||
|
|||
SmsTwoFaAccountConfig anotherSmsTwoFaAccountConfig = new SmsTwoFaAccountConfig(); |
|||
anotherSmsTwoFaAccountConfig.setPhoneNumber("+38111111111"); |
|||
String errorMessage = getErrorMessage(doPost("/api/2fa/account/config?verificationCode=" + correctVerificationCode, anotherSmsTwoFaAccountConfig) |
|||
.andExpect(status().isBadRequest())); |
|||
assertThat(errorMessage).containsIgnoringCase("verification code is incorrect"); |
|||
|
|||
doPost("/api/2fa/account/config?verificationCode=" + correctVerificationCode, initialSmsTwoFaAccountConfig) |
|||
.andExpect(status().isOk()); |
|||
AccountTwoFaSettings accountTwoFaSettings = readResponse(doGet("/api/2fa/account/settings").andExpect(status().isOk()), AccountTwoFaSettings.class); |
|||
TwoFaAccountConfig accountConfig = accountTwoFaSettings.getConfigs().get(TwoFaProviderType.SMS); |
|||
assertThat(accountConfig).isEqualTo(initialSmsTwoFaAccountConfig); |
|||
} |
|||
|
|||
private TotpTwoFaProviderConfig configureTotpTwoFaProvider() throws Exception { |
|||
TotpTwoFaProviderConfig totpTwoFaProviderConfig = new TotpTwoFaProviderConfig(); |
|||
totpTwoFaProviderConfig.setIssuerName("tb"); |
|||
|
|||
saveProvidersConfigs(totpTwoFaProviderConfig); |
|||
return totpTwoFaProviderConfig; |
|||
} |
|||
|
|||
private SmsTwoFaProviderConfig configureSmsTwoFaProvider(String verificationMessageTemplate) throws Exception { |
|||
SmsTwoFaProviderConfig smsTwoFaProviderConfig = new SmsTwoFaProviderConfig(); |
|||
smsTwoFaProviderConfig.setSmsVerificationMessageTemplate(verificationMessageTemplate); |
|||
smsTwoFaProviderConfig.setVerificationCodeLifetime(60); |
|||
|
|||
saveProvidersConfigs(smsTwoFaProviderConfig); |
|||
return smsTwoFaProviderConfig; |
|||
} |
|||
|
|||
private void saveProvidersConfigs(TwoFaProviderConfig... providerConfigs) throws Exception { |
|||
PlatformTwoFaSettings twoFaSettings = new PlatformTwoFaSettings(); |
|||
|
|||
twoFaSettings.setProviders(Arrays.stream(providerConfigs).collect(Collectors.toList())); |
|||
doPost("/api/2fa/settings", twoFaSettings).andExpect(status().isOk()); |
|||
} |
|||
|
|||
@Test |
|||
public void testIsTwoFaEnabled() throws Exception { |
|||
configureSmsTwoFaProvider("${code}"); |
|||
SmsTwoFaAccountConfig accountConfig = new SmsTwoFaAccountConfig(); |
|||
accountConfig.setPhoneNumber("+38050505050"); |
|||
twoFaConfigManager.saveTwoFaAccountConfig(tenantId, tenantAdminUserId, accountConfig); |
|||
|
|||
assertThat(twoFactorAuthService.isTwoFaEnabled(tenantId, tenantAdminUserId)).isTrue(); |
|||
} |
|||
|
|||
@Test |
|||
public void testDeleteTwoFaAccountConfig() throws Exception { |
|||
configureSmsTwoFaProvider("${code}"); |
|||
SmsTwoFaAccountConfig accountConfig = new SmsTwoFaAccountConfig(); |
|||
accountConfig.setPhoneNumber("+38050505050"); |
|||
|
|||
loginTenantAdmin(); |
|||
|
|||
twoFaConfigManager.saveTwoFaAccountConfig(tenantId, tenantAdminUserId, accountConfig); |
|||
|
|||
AccountTwoFaSettings accountTwoFaSettings = readResponse(doGet("/api/2fa/account/settings").andExpect(status().isOk()), AccountTwoFaSettings.class); |
|||
TwoFaAccountConfig savedAccountConfig = accountTwoFaSettings.getConfigs().get(TwoFaProviderType.SMS); |
|||
assertThat(savedAccountConfig).isEqualTo(accountConfig); |
|||
|
|||
doDelete("/api/2fa/account/config?providerType=SMS").andExpect(status().isOk()); |
|||
|
|||
assertThat(readResponse(doGet("/api/2fa/account/settings").andExpect(status().isOk()), AccountTwoFaSettings.class).getConfigs()) |
|||
.doesNotContainKey(TwoFaProviderType.SMS); |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,441 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.controller; |
|||
|
|||
import com.fasterxml.jackson.core.type.TypeReference; |
|||
import com.fasterxml.jackson.databind.JsonNode; |
|||
import org.apache.commons.lang3.RandomStringUtils; |
|||
import org.apache.commons.lang3.StringUtils; |
|||
import org.jboss.aerogear.security.otp.Totp; |
|||
import org.junit.After; |
|||
import org.junit.Before; |
|||
import org.junit.Test; |
|||
import org.mockito.ArgumentCaptor; |
|||
import org.springframework.beans.factory.annotation.Autowired; |
|||
import org.springframework.boot.test.mock.mockito.MockBean; |
|||
import org.springframework.boot.test.mock.mockito.SpyBean; |
|||
import org.thingsboard.rule.engine.api.SmsService; |
|||
import org.thingsboard.server.common.data.User; |
|||
import org.thingsboard.server.common.data.audit.ActionStatus; |
|||
import org.thingsboard.server.common.data.audit.ActionType; |
|||
import org.thingsboard.server.common.data.audit.AuditLog; |
|||
import org.thingsboard.server.common.data.exception.ThingsboardException; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
import org.thingsboard.server.common.data.page.PageLink; |
|||
import org.thingsboard.server.common.data.page.SortOrder; |
|||
import org.thingsboard.server.common.data.page.TimePageLink; |
|||
import org.thingsboard.server.common.data.security.Authority; |
|||
import org.thingsboard.server.common.data.security.model.mfa.PlatformTwoFaSettings; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.EmailTwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.SmsTwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.account.TotpTwoFaAccountConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.EmailTwoFaProviderConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.SmsTwoFaProviderConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TotpTwoFaProviderConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderConfig; |
|||
import org.thingsboard.server.common.data.security.model.mfa.provider.TwoFaProviderType; |
|||
import org.thingsboard.server.dao.audit.AuditLogService; |
|||
import org.thingsboard.server.dao.user.UserService; |
|||
import org.thingsboard.server.service.security.auth.mfa.TwoFactorAuthService; |
|||
import org.thingsboard.server.service.security.auth.mfa.config.TwoFaConfigManager; |
|||
import org.thingsboard.server.service.security.auth.rest.LoginRequest; |
|||
import org.thingsboard.server.service.security.model.JwtTokenPair; |
|||
|
|||
import java.time.Duration; |
|||
import java.util.Arrays; |
|||
import java.util.List; |
|||
import java.util.Map; |
|||
import java.util.concurrent.TimeUnit; |
|||
import java.util.function.Consumer; |
|||
import java.util.stream.Collectors; |
|||
import java.util.stream.Stream; |
|||
|
|||
import static org.assertj.core.api.Assertions.assertThat; |
|||
import static org.awaitility.Awaitility.await; |
|||
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; |
|||
import static org.junit.jupiter.api.Assertions.fail; |
|||
import static org.mockito.ArgumentMatchers.any; |
|||
import static org.mockito.ArgumentMatchers.eq; |
|||
import static org.mockito.Mockito.doNothing; |
|||
import static org.mockito.Mockito.verify; |
|||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; |
|||
|
|||
public abstract class TwoFactorAuthTest extends AbstractControllerTest { |
|||
|
|||
@Autowired |
|||
private TwoFaConfigManager twoFaConfigManager; |
|||
@SpyBean |
|||
private TwoFactorAuthService twoFactorAuthService; |
|||
@MockBean |
|||
private SmsService smsService; |
|||
@Autowired |
|||
private AuditLogService auditLogService; |
|||
@Autowired |
|||
private UserService userService; |
|||
|
|||
private User user; |
|||
private String username; |
|||
private String password; |
|||
|
|||
@Before |
|||
public void beforeEach() throws Exception { |
|||
username = "mfa@tb.io"; |
|||
password = "psswrd"; |
|||
|
|||
user = new User(); |
|||
user.setAuthority(Authority.TENANT_ADMIN); |
|||
user.setEmail(username); |
|||
user.setTenantId(tenantId); |
|||
|
|||
loginSysAdmin(); |
|||
user = createUser(user, password); |
|||
doNothing().when(twoFactorAuthService).checkProvider(any(), any()); |
|||
} |
|||
|
|||
@After |
|||
public void afterEach() { |
|||
twoFaConfigManager.deletePlatformTwoFaSettings(tenantId); |
|||
twoFaConfigManager.deletePlatformTwoFaSettings(TenantId.SYS_TENANT_ID); |
|||
} |
|||
|
|||
@Test |
|||
public void testTwoFa_totp() throws Exception { |
|||
TotpTwoFaAccountConfig totpTwoFaAccountConfig = configureTotpTwoFa(); |
|||
|
|||
logInWithPreVerificationToken(username, password); |
|||
|
|||
doPost("/api/auth/2fa/verification/send?providerType=TOTP") |
|||
.andExpect(status().isOk()); |
|||
|
|||
String correctVerificationCode = getCorrectTotp(totpTwoFaAccountConfig); |
|||
|
|||
JsonNode tokenPair = readResponse(doPost("/api/auth/2fa/verification/check?providerType=TOTP&verificationCode=" + correctVerificationCode) |
|||
.andExpect(status().isOk()), JsonNode.class); |
|||
validateAndSetJwtToken(tokenPair, username); |
|||
|
|||
User currentUser = readResponse(doGet("/api/auth/user") |
|||
.andExpect(status().isOk()), User.class); |
|||
assertThat(currentUser.getId()).isEqualTo(user.getId()); |
|||
} |
|||
|
|||
@Test |
|||
public void testTwoFa_sms() throws Exception { |
|||
configureSmsTwoFa(); |
|||
|
|||
logInWithPreVerificationToken(username, password); |
|||
|
|||
doPost("/api/auth/2fa/verification/send?providerType=SMS") |
|||
.andExpect(status().isOk()); |
|||
|
|||
ArgumentCaptor<String> verificationCodeCaptor = ArgumentCaptor.forClass(String.class); |
|||
verify(smsService).sendSms(eq(tenantId), any(), any(), verificationCodeCaptor.capture()); |
|||
String correctVerificationCode = verificationCodeCaptor.getValue(); |
|||
|
|||
JsonNode tokenPair = readResponse(doPost("/api/auth/2fa/verification/check?providerType=SMS&verificationCode=" + correctVerificationCode) |
|||
.andExpect(status().isOk()), JsonNode.class); |
|||
validateAndSetJwtToken(tokenPair, username); |
|||
|
|||
User currentUser = readResponse(doGet("/api/auth/user") |
|||
.andExpect(status().isOk()), User.class); |
|||
assertThat(currentUser.getId()).isEqualTo(user.getId()); |
|||
} |
|||
|
|||
@Test |
|||
public void testTwoFaPreVerificationTokenLifetime() throws Exception { |
|||
configureTotpTwoFa(twoFaSettings -> { |
|||
twoFaSettings.setTotalAllowedTimeForVerification(65); |
|||
}); |
|||
|
|||
logInWithPreVerificationToken(username, password); |
|||
|
|||
await("expiration of the pre-verification token") |
|||
.atLeast(Duration.ofSeconds(30).plusMillis(500)) |
|||
.atMost(Duration.ofSeconds(70)) |
|||
.untilAsserted(() -> { |
|||
doPost("/api/auth/2fa/verification/send?providerType=TOTP") |
|||
.andExpect(status().isUnauthorized()); |
|||
}); |
|||
} |
|||
|
|||
@Test |
|||
public void testCheckVerificationCode_userBlocked() throws Exception { |
|||
configureTotpTwoFa(twoFaSettings -> { |
|||
twoFaSettings.setMaxVerificationFailuresBeforeUserLockout(10); |
|||
}); |
|||
|
|||
logInWithPreVerificationToken(username, password); |
|||
|
|||
Stream.generate(() -> RandomStringUtils.randomNumeric(6)) |
|||
.limit(9) |
|||
.forEach(incorrectVerificationCode -> { |
|||
try { |
|||
String errorMessage = getErrorMessage(doPost("/api/auth/2fa/verification/check?providerType=TOTP&verificationCode=" + incorrectVerificationCode) |
|||
.andExpect(status().isBadRequest())); |
|||
assertThat(errorMessage).containsIgnoringCase("verification code is incorrect"); |
|||
} catch (Exception e) { |
|||
fail(); |
|||
} |
|||
}); |
|||
|
|||
String errorMessage = getErrorMessage(doPost("/api/auth/2fa/verification/check?providerType=TOTP&verificationCode=" + RandomStringUtils.randomNumeric(6)) |
|||
.andExpect(status().isUnauthorized())); |
|||
assertThat(errorMessage).containsIgnoringCase("account was locked due to exceeded 2fa verification attempts"); |
|||
|
|||
errorMessage = getErrorMessage(doPost("/api/auth/2fa/verification/check?providerType=TOTP&verificationCode=" + RandomStringUtils.randomNumeric(6)) |
|||
.andExpect(status().isUnauthorized())); |
|||
assertThat(errorMessage).containsIgnoringCase("user is disabled"); |
|||
} |
|||
|
|||
@Test |
|||
public void testSendVerificationCode_rateLimit() throws Exception { |
|||
configureTotpTwoFa(twoFaSettings -> { |
|||
twoFaSettings.setMinVerificationCodeSendPeriod(10); |
|||
}); |
|||
|
|||
logInWithPreVerificationToken(username, password); |
|||
|
|||
doPost("/api/auth/2fa/verification/send?providerType=TOTP") |
|||
.andExpect(status().isOk()); |
|||
|
|||
String rateLimitExceededError = getErrorMessage(doPost("/api/auth/2fa/verification/send?providerType=TOTP") |
|||
.andExpect(status().isTooManyRequests())); |
|||
assertThat(rateLimitExceededError).containsIgnoringCase("too many requests"); |
|||
|
|||
await("verification code sending rate limit resetting") |
|||
.atLeast(Duration.ofSeconds(8)) |
|||
.atMost(Duration.ofSeconds(12)) |
|||
.untilAsserted(() -> { |
|||
doPost("/api/auth/2fa/verification/send?providerType=TOTP") |
|||
.andExpect(status().isOk()); |
|||
}); |
|||
} |
|||
|
|||
@Test |
|||
public void testCheckVerificationCode_rateLimit() throws Exception { |
|||
TotpTwoFaAccountConfig totpTwoFaAccountConfig = configureTotpTwoFa(twoFaSettings -> { |
|||
twoFaSettings.setVerificationCodeCheckRateLimit("3:10"); |
|||
}); |
|||
|
|||
logInWithPreVerificationToken(username, password); |
|||
|
|||
for (int i = 0; i < 3; i++) { |
|||
String incorrectVerificationCodeError = getErrorMessage(doPost("/api/auth/2fa/verification/check?providerType=TOTP&verificationCode=incorrect") |
|||
.andExpect(status().isBadRequest())); |
|||
assertThat(incorrectVerificationCodeError).containsIgnoringCase("verification code is incorrect"); |
|||
} |
|||
|
|||
String rateLimitExceededError = getErrorMessage(doPost("/api/auth/2fa/verification/check?providerType=TOTP&verificationCode=incorrect") |
|||
.andExpect(status().isTooManyRequests())); |
|||
assertThat(rateLimitExceededError).containsIgnoringCase("too many requests"); |
|||
|
|||
await("verification code checking rate limit resetting") |
|||
.atLeast(Duration.ofSeconds(8)) |
|||
.atMost(Duration.ofSeconds(12)) |
|||
.untilAsserted(() -> { |
|||
String incorrectVerificationCodeError = getErrorMessage(doPost("/api/auth/2fa/verification/check?providerType=TOTP&verificationCode=incorrect") |
|||
.andExpect(status().isBadRequest())); |
|||
assertThat(incorrectVerificationCodeError).containsIgnoringCase("verification code is incorrect"); |
|||
}); |
|||
|
|||
doPost("/api/auth/2fa/verification/check?providerType=TOTP&verificationCode=" + getCorrectTotp(totpTwoFaAccountConfig)) |
|||
.andExpect(status().isOk()); |
|||
} |
|||
|
|||
@Test |
|||
public void testCheckVerificationCode_invalidVerificationCode() throws Exception { |
|||
configureTotpTwoFa(); |
|||
logInWithPreVerificationToken(username, password); |
|||
|
|||
for (String invalidVerificationCode : new String[]{"1234567", "ab1212", "12311 ", "oewkriwejqf"}) { |
|||
String errorMessage = getErrorMessage(doPost("/api/auth/2fa/verification/check?providerType=TOTP&verificationCode=" + invalidVerificationCode) |
|||
.andExpect(status().isBadRequest())); |
|||
assertThat(errorMessage).containsIgnoringCase("verification code is incorrect"); |
|||
} |
|||
} |
|||
|
|||
@Test |
|||
public void testCheckVerificationCode_codeExpiration() throws Exception { |
|||
configureSmsTwoFa(smsTwoFaProviderConfig -> { |
|||
smsTwoFaProviderConfig.setVerificationCodeLifetime(10); |
|||
}); |
|||
|
|||
logInWithPreVerificationToken(username, password); |
|||
|
|||
ArgumentCaptor<String> verificationCodeCaptor = ArgumentCaptor.forClass(String.class); |
|||
doPost("/api/auth/2fa/verification/send?providerType=SMS").andExpect(status().isOk()); |
|||
verify(smsService).sendSms(eq(tenantId), any(), any(), verificationCodeCaptor.capture()); |
|||
|
|||
String correctVerificationCode = verificationCodeCaptor.getValue(); |
|||
|
|||
await("verification code expiration") |
|||
.pollDelay(10, TimeUnit.SECONDS) |
|||
.atLeast(10, TimeUnit.SECONDS) |
|||
.atMost(12, TimeUnit.SECONDS) |
|||
.untilAsserted(() -> { |
|||
String incorrectVerificationCodeError = getErrorMessage(doPost("/api/auth/2fa/verification/check?providerType=SMS&verificationCode=" + correctVerificationCode) |
|||
.andExpect(status().isBadRequest())); |
|||
assertThat(incorrectVerificationCodeError).containsIgnoringCase("verification code is incorrect"); |
|||
}); |
|||
} |
|||
|
|||
@Test |
|||
public void testTwoFa_logLoginAction() throws Exception { |
|||
TotpTwoFaAccountConfig totpTwoFaAccountConfig = configureTotpTwoFa(); |
|||
|
|||
logInWithPreVerificationToken(username, password); |
|||
await("async audit log saving").during(1, TimeUnit.SECONDS); |
|||
assertThat(getLogInAuditLogs()).isEmpty(); |
|||
assertThat(userService.findUserById(tenantId, user.getId()).getAdditionalInfo() |
|||
.get("lastLoginTs")).isNull(); |
|||
|
|||
doPost("/api/auth/2fa/verification/check?providerType=TOTP&verificationCode=incorrect") |
|||
.andExpect(status().isBadRequest()); |
|||
|
|||
await("async audit log saving").atMost(1, TimeUnit.SECONDS) |
|||
.until(() -> getLogInAuditLogs().size() == 1); |
|||
assertThat(getLogInAuditLogs().get(0)).satisfies(failedLogInAuditLog -> { |
|||
assertThat(failedLogInAuditLog.getActionStatus()).isEqualTo(ActionStatus.FAILURE); |
|||
assertThat(failedLogInAuditLog.getActionFailureDetails()).containsIgnoringCase("verification code is incorrect"); |
|||
assertThat(failedLogInAuditLog.getUserName()).isEqualTo(username); |
|||
}); |
|||
|
|||
doPost("/api/auth/2fa/verification/check?providerType=TOTP&verificationCode=" + getCorrectTotp(totpTwoFaAccountConfig)) |
|||
.andExpect(status().isOk()); |
|||
await("async audit log saving").atMost(1, TimeUnit.SECONDS) |
|||
.until(() -> getLogInAuditLogs().size() == 2); |
|||
assertThat(getLogInAuditLogs().get(0)).satisfies(successfulLogInAuditLog -> { |
|||
assertThat(successfulLogInAuditLog.getActionStatus()).isEqualTo(ActionStatus.SUCCESS); |
|||
assertThat(successfulLogInAuditLog.getUserName()).isEqualTo(username); |
|||
}); |
|||
assertThat(userService.findUserById(tenantId, user.getId()).getAdditionalInfo() |
|||
.get("lastLoginTs").asLong()) |
|||
.isGreaterThan(System.currentTimeMillis() - TimeUnit.SECONDS.toMillis(3)); |
|||
} |
|||
|
|||
private List<AuditLog> getLogInAuditLogs() { |
|||
return auditLogService.findAuditLogsByTenantIdAndUserId(tenantId, user.getId(), List.of(ActionType.LOGIN), |
|||
new TimePageLink(new PageLink(10, 0, null, new SortOrder("createdTime", SortOrder.Direction.DESC)), 0L, System.currentTimeMillis())).getData(); |
|||
} |
|||
|
|||
@Test |
|||
public void testAuthWithoutTwoFaAccountConfig() throws ThingsboardException { |
|||
configureTotpTwoFa(); |
|||
twoFaConfigManager.deleteTwoFaAccountConfig(tenantId, user.getId(), TwoFaProviderType.TOTP); |
|||
|
|||
assertDoesNotThrow(() -> { |
|||
login(username, password); |
|||
}); |
|||
} |
|||
|
|||
@Test |
|||
public void testTwoFa_multipleProviders() throws Exception { |
|||
PlatformTwoFaSettings platformTwoFaSettings = new PlatformTwoFaSettings(); |
|||
|
|||
TotpTwoFaProviderConfig totpTwoFaProviderConfig = new TotpTwoFaProviderConfig(); |
|||
totpTwoFaProviderConfig.setIssuerName("TB"); |
|||
|
|||
SmsTwoFaProviderConfig smsTwoFaProviderConfig = new SmsTwoFaProviderConfig(); |
|||
smsTwoFaProviderConfig.setVerificationCodeLifetime(60); |
|||
smsTwoFaProviderConfig.setSmsVerificationMessageTemplate("${code}"); |
|||
|
|||
EmailTwoFaProviderConfig emailTwoFaProviderConfig = new EmailTwoFaProviderConfig(); |
|||
emailTwoFaProviderConfig.setVerificationCodeLifetime(60); |
|||
|
|||
platformTwoFaSettings.setProviders(List.of(totpTwoFaProviderConfig, smsTwoFaProviderConfig, emailTwoFaProviderConfig)); |
|||
twoFaConfigManager.savePlatformTwoFaSettings(TenantId.SYS_TENANT_ID, platformTwoFaSettings); |
|||
|
|||
User twoFaUser = new User(); |
|||
twoFaUser.setAuthority(Authority.TENANT_ADMIN); |
|||
twoFaUser.setTenantId(tenantId); |
|||
twoFaUser.setEmail("2fa@thingsboard.org"); |
|||
twoFaUser = createUserAndLogin(twoFaUser, "12345678"); |
|||
|
|||
TotpTwoFaAccountConfig totpTwoFaAccountConfig = (TotpTwoFaAccountConfig) twoFactorAuthService.generateNewAccountConfig(twoFaUser, TwoFaProviderType.TOTP); |
|||
totpTwoFaAccountConfig.setUseByDefault(true); |
|||
twoFaConfigManager.saveTwoFaAccountConfig(tenantId, twoFaUser.getId(), totpTwoFaAccountConfig); |
|||
|
|||
SmsTwoFaAccountConfig smsTwoFaAccountConfig = new SmsTwoFaAccountConfig(); |
|||
smsTwoFaAccountConfig.setPhoneNumber("+38012312322"); |
|||
twoFaConfigManager.saveTwoFaAccountConfig(tenantId, twoFaUser.getId(), smsTwoFaAccountConfig); |
|||
|
|||
EmailTwoFaAccountConfig emailTwoFaAccountConfig = new EmailTwoFaAccountConfig(); |
|||
emailTwoFaAccountConfig.setEmail(twoFaUser.getEmail()); |
|||
twoFaConfigManager.saveTwoFaAccountConfig(tenantId, twoFaUser.getId(), emailTwoFaAccountConfig); |
|||
|
|||
logInWithPreVerificationToken(twoFaUser.getEmail(), "12345678"); |
|||
|
|||
Map<TwoFaProviderType, TwoFactorAuthController.TwoFaProviderInfo> providersInfos = readResponse(doGet("/api/auth/2fa/providers").andExpect(status().isOk()), new TypeReference<List<TwoFactorAuthController.TwoFaProviderInfo>>() {}).stream() |
|||
.collect(Collectors.toMap(TwoFactorAuthController.TwoFaProviderInfo::getType, v -> v)); |
|||
|
|||
assertThat(providersInfos).size().isEqualTo(3); |
|||
|
|||
assertThat(providersInfos).containsKey(TwoFaProviderType.TOTP); |
|||
assertThat(providersInfos.get(TwoFaProviderType.TOTP).isDefault()).isTrue(); |
|||
|
|||
assertThat(providersInfos).containsKey(TwoFaProviderType.SMS); |
|||
assertThat(providersInfos.get(TwoFaProviderType.SMS).isDefault()).isFalse(); |
|||
|
|||
assertThat(providersInfos).containsKey(TwoFaProviderType.EMAIL); |
|||
assertThat(providersInfos.get(TwoFaProviderType.EMAIL).isDefault()).isFalse(); |
|||
} |
|||
|
|||
private void logInWithPreVerificationToken(String username, String password) throws Exception { |
|||
LoginRequest loginRequest = new LoginRequest(username, password); |
|||
|
|||
JwtTokenPair response = readResponse(doPost("/api/auth/login", loginRequest).andExpect(status().isOk()), JwtTokenPair.class); |
|||
assertThat(response.getToken()).isNotNull(); |
|||
assertThat(response.getRefreshToken()).isNull(); |
|||
assertThat(response.getScope()).isEqualTo(Authority.PRE_VERIFICATION_TOKEN); |
|||
|
|||
this.token = response.getToken(); |
|||
} |
|||
|
|||
private TotpTwoFaAccountConfig configureTotpTwoFa(Consumer<PlatformTwoFaSettings>... customizer) throws ThingsboardException { |
|||
TotpTwoFaProviderConfig totpTwoFaProviderConfig = new TotpTwoFaProviderConfig(); |
|||
totpTwoFaProviderConfig.setIssuerName("tb"); |
|||
|
|||
PlatformTwoFaSettings twoFaSettings = new PlatformTwoFaSettings(); |
|||
twoFaSettings.setProviders(Arrays.stream(new TwoFaProviderConfig[]{totpTwoFaProviderConfig}).collect(Collectors.toList())); |
|||
Arrays.stream(customizer).forEach(c -> c.accept(twoFaSettings)); |
|||
twoFaConfigManager.savePlatformTwoFaSettings(TenantId.SYS_TENANT_ID, twoFaSettings); |
|||
|
|||
TotpTwoFaAccountConfig totpTwoFaAccountConfig = (TotpTwoFaAccountConfig) twoFactorAuthService.generateNewAccountConfig(user, TwoFaProviderType.TOTP); |
|||
twoFaConfigManager.saveTwoFaAccountConfig(tenantId, user.getId(), totpTwoFaAccountConfig); |
|||
return totpTwoFaAccountConfig; |
|||
} |
|||
|
|||
private SmsTwoFaAccountConfig configureSmsTwoFa(Consumer<SmsTwoFaProviderConfig>... customizer) throws ThingsboardException { |
|||
SmsTwoFaProviderConfig smsTwoFaProviderConfig = new SmsTwoFaProviderConfig(); |
|||
smsTwoFaProviderConfig.setVerificationCodeLifetime(60); |
|||
smsTwoFaProviderConfig.setSmsVerificationMessageTemplate("${code}"); |
|||
Arrays.stream(customizer).forEach(c -> c.accept(smsTwoFaProviderConfig)); |
|||
|
|||
PlatformTwoFaSettings twoFaSettings = new PlatformTwoFaSettings(); |
|||
twoFaSettings.setProviders(Arrays.stream(new TwoFaProviderConfig[]{smsTwoFaProviderConfig}).collect(Collectors.toList())); |
|||
twoFaConfigManager.savePlatformTwoFaSettings(TenantId.SYS_TENANT_ID, twoFaSettings); |
|||
|
|||
SmsTwoFaAccountConfig smsTwoFaAccountConfig = new SmsTwoFaAccountConfig(); |
|||
smsTwoFaAccountConfig.setPhoneNumber("+38050505050"); |
|||
twoFaConfigManager.saveTwoFaAccountConfig(tenantId, user.getId(), smsTwoFaAccountConfig); |
|||
return smsTwoFaAccountConfig; |
|||
} |
|||
|
|||
private String getCorrectTotp(TotpTwoFaAccountConfig totpTwoFaAccountConfig) { |
|||
String secret = StringUtils.substringAfterLast(totpTwoFaAccountConfig.getAuthUrl(), "secret="); |
|||
return new Totp(secret).now(); |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,23 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.controller.sql; |
|||
|
|||
import org.thingsboard.server.dao.service.DaoSqlTest; |
|||
import org.thingsboard.server.controller.TwoFactorAuthConfigTest; |
|||
|
|||
@DaoSqlTest |
|||
public class TwoFactorAuthConfigSqlTest extends TwoFactorAuthConfigTest { |
|||
} |
|||
@ -0,0 +1,23 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.controller.sql; |
|||
|
|||
import org.thingsboard.server.controller.TwoFactorAuthTest; |
|||
import org.thingsboard.server.dao.service.DaoSqlTest; |
|||
|
|||
@DaoSqlTest |
|||
public class TwoFactorAuthSqlTest extends TwoFactorAuthTest { |
|||
} |
|||
@ -0,0 +1,165 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.service.security.auth; |
|||
|
|||
import io.jsonwebtoken.Claims; |
|||
import org.junit.BeforeClass; |
|||
import org.junit.Test; |
|||
import org.thingsboard.server.common.data.id.CustomerId; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
import org.thingsboard.server.common.data.id.UserId; |
|||
import org.thingsboard.server.common.data.security.Authority; |
|||
import org.thingsboard.server.common.data.security.model.JwtToken; |
|||
import org.thingsboard.server.config.JwtSettings; |
|||
import org.thingsboard.server.service.security.model.SecurityUser; |
|||
import org.thingsboard.server.service.security.model.UserPrincipal; |
|||
import org.thingsboard.server.service.security.model.token.AccessJwtToken; |
|||
import org.thingsboard.server.service.security.model.token.JwtTokenFactory; |
|||
import org.thingsboard.server.service.security.model.token.RawAccessJwtToken; |
|||
|
|||
import java.util.Calendar; |
|||
import java.util.Date; |
|||
import java.util.UUID; |
|||
import java.util.concurrent.TimeUnit; |
|||
|
|||
import static org.assertj.core.api.Assertions.assertThat; |
|||
|
|||
public class JwtTokenFactoryTest { |
|||
|
|||
private static JwtTokenFactory tokenFactory; |
|||
private static JwtSettings jwtSettings; |
|||
|
|||
@BeforeClass |
|||
public static void beforeAll() { |
|||
jwtSettings = new JwtSettings(); |
|||
jwtSettings.setTokenIssuer("tb"); |
|||
jwtSettings.setTokenSigningKey("abewafaf"); |
|||
jwtSettings.setTokenExpirationTime((int) TimeUnit.HOURS.toSeconds(2)); |
|||
jwtSettings.setRefreshTokenExpTime((int) TimeUnit.DAYS.toSeconds(7)); |
|||
|
|||
tokenFactory = new JwtTokenFactory(jwtSettings); |
|||
} |
|||
|
|||
@Test |
|||
public void testCreateAndParseAccessJwtToken() { |
|||
SecurityUser securityUser = new SecurityUser(); |
|||
securityUser.setId(new UserId(UUID.randomUUID())); |
|||
securityUser.setEmail("tenant@thingsboard.org"); |
|||
securityUser.setAuthority(Authority.TENANT_ADMIN); |
|||
securityUser.setTenantId(new TenantId(UUID.randomUUID())); |
|||
securityUser.setEnabled(true); |
|||
securityUser.setFirstName("A"); |
|||
securityUser.setLastName("B"); |
|||
securityUser.setUserPrincipal(new UserPrincipal(UserPrincipal.Type.USER_NAME, securityUser.getEmail())); |
|||
securityUser.setCustomerId(new CustomerId(UUID.randomUUID())); |
|||
|
|||
testCreateAndParseAccessJwtToken(securityUser); |
|||
|
|||
securityUser = new SecurityUser(securityUser, true, new UserPrincipal(UserPrincipal.Type.PUBLIC_ID, securityUser.getEmail())); |
|||
securityUser.setFirstName(null); |
|||
securityUser.setLastName(null); |
|||
securityUser.setCustomerId(null); |
|||
|
|||
testCreateAndParseAccessJwtToken(securityUser); |
|||
} |
|||
|
|||
public void testCreateAndParseAccessJwtToken(SecurityUser securityUser) { |
|||
AccessJwtToken accessToken = tokenFactory.createAccessJwtToken(securityUser); |
|||
checkExpirationTime(accessToken, jwtSettings.getTokenExpirationTime()); |
|||
|
|||
SecurityUser parsedSecurityUser = tokenFactory.parseAccessJwtToken(new RawAccessJwtToken(accessToken.getToken())); |
|||
assertThat(parsedSecurityUser.getId()).isEqualTo(securityUser.getId()); |
|||
assertThat(parsedSecurityUser.getEmail()).isEqualTo(securityUser.getEmail()); |
|||
assertThat(parsedSecurityUser.getUserPrincipal()).matches(userPrincipal -> { |
|||
return userPrincipal.getType().equals(securityUser.getUserPrincipal().getType()) |
|||
&& userPrincipal.getValue().equals(securityUser.getUserPrincipal().getValue()); |
|||
}); |
|||
assertThat(parsedSecurityUser.getAuthorities()).isEqualTo(securityUser.getAuthorities()); |
|||
assertThat(parsedSecurityUser.isEnabled()).isEqualTo(securityUser.isEnabled()); |
|||
assertThat(parsedSecurityUser.getTenantId()).isEqualTo(securityUser.getTenantId()); |
|||
assertThat(parsedSecurityUser.getCustomerId()).isEqualTo(securityUser.getCustomerId()); |
|||
assertThat(parsedSecurityUser.getFirstName()).isEqualTo(securityUser.getFirstName()); |
|||
assertThat(parsedSecurityUser.getLastName()).isEqualTo(securityUser.getLastName()); |
|||
} |
|||
|
|||
@Test |
|||
public void testCreateAndParseRefreshJwtToken() { |
|||
SecurityUser securityUser = new SecurityUser(); |
|||
securityUser.setId(new UserId(UUID.randomUUID())); |
|||
securityUser.setEmail("tenant@thingsboard.org"); |
|||
securityUser.setAuthority(Authority.TENANT_ADMIN); |
|||
securityUser.setUserPrincipal(new UserPrincipal(UserPrincipal.Type.USER_NAME, securityUser.getEmail())); |
|||
securityUser.setEnabled(true); |
|||
securityUser.setTenantId(new TenantId(UUID.randomUUID())); |
|||
securityUser.setCustomerId(new CustomerId(UUID.randomUUID())); |
|||
|
|||
JwtToken refreshToken = tokenFactory.createRefreshToken(securityUser); |
|||
checkExpirationTime(refreshToken, jwtSettings.getRefreshTokenExpTime()); |
|||
|
|||
SecurityUser parsedSecurityUser = tokenFactory.parseRefreshToken(new RawAccessJwtToken(refreshToken.getToken())); |
|||
assertThat(parsedSecurityUser.getId()).isEqualTo(securityUser.getId()); |
|||
assertThat(parsedSecurityUser.getUserPrincipal()).matches(userPrincipal -> { |
|||
return userPrincipal.getType().equals(securityUser.getUserPrincipal().getType()) |
|||
&& userPrincipal.getValue().equals(securityUser.getUserPrincipal().getValue()); |
|||
}); |
|||
assertThat(parsedSecurityUser.getAuthority()).isNull(); |
|||
} |
|||
|
|||
@Test |
|||
public void testCreateAndParsePreVerificationJwtToken() { |
|||
SecurityUser securityUser = new SecurityUser(); |
|||
securityUser.setId(new UserId(UUID.randomUUID())); |
|||
securityUser.setEmail("tenant@thingsboard.org"); |
|||
securityUser.setAuthority(Authority.TENANT_ADMIN); |
|||
securityUser.setUserPrincipal(new UserPrincipal(UserPrincipal.Type.USER_NAME, securityUser.getEmail())); |
|||
securityUser.setEnabled(true); |
|||
securityUser.setTenantId(new TenantId(UUID.randomUUID())); |
|||
securityUser.setCustomerId(new CustomerId(UUID.randomUUID())); |
|||
|
|||
int tokenLifetime = (int) TimeUnit.MINUTES.toSeconds(30); |
|||
JwtToken preVerificationToken = tokenFactory.createPreVerificationToken(securityUser, tokenLifetime); |
|||
checkExpirationTime(preVerificationToken, tokenLifetime); |
|||
|
|||
SecurityUser parsedSecurityUser = tokenFactory.parseAccessJwtToken(new RawAccessJwtToken(preVerificationToken.getToken())); |
|||
assertThat(parsedSecurityUser.getId()).isEqualTo(securityUser.getId()); |
|||
assertThat(parsedSecurityUser.getAuthority()).isEqualTo(Authority.PRE_VERIFICATION_TOKEN); |
|||
assertThat(parsedSecurityUser.getTenantId()).isEqualTo(securityUser.getTenantId()); |
|||
assertThat(parsedSecurityUser.getCustomerId()).isEqualTo(securityUser.getCustomerId()); |
|||
assertThat(parsedSecurityUser.getUserPrincipal()).matches(userPrincipal -> { |
|||
return userPrincipal.getType() == UserPrincipal.Type.USER_NAME |
|||
&& userPrincipal.getValue().equals(securityUser.getUserPrincipal().getValue()); |
|||
}); |
|||
} |
|||
|
|||
private void checkExpirationTime(JwtToken jwtToken, int tokenLifetime) { |
|||
Claims claims = tokenFactory.parseTokenClaims(jwtToken).getBody(); |
|||
assertThat(claims.getExpiration()).matches(actualExpirationTime -> { |
|||
Calendar expirationTime = Calendar.getInstance(); |
|||
expirationTime.setTime(new Date()); |
|||
expirationTime.add(Calendar.SECOND, tokenLifetime); |
|||
if (actualExpirationTime.equals(expirationTime.getTime())) { |
|||
return true; |
|||
} else if (actualExpirationTime.before(expirationTime.getTime())) { |
|||
int gap = 2; |
|||
expirationTime.add(Calendar.SECOND, -gap); |
|||
return actualExpirationTime.after(expirationTime.getTime()); |
|||
} else { |
|||
return false; |
|||
} |
|||
}); |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,45 @@ |
|||
/** |
|||
* Copyright © 2016-2022 The Thingsboard Authors |
|||
* |
|||
* Licensed under the Apache License, Version 2.0 (the "License"); |
|||
* you may not use this file except in compliance with the License. |
|||
* You may obtain a copy of the License at |
|||
* |
|||
* http://www.apache.org/licenses/LICENSE-2.0
|
|||
* |
|||
* Unless required by applicable law or agreed to in writing, software |
|||
* distributed under the License is distributed on an "AS IS" BASIS, |
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|||
* See the License for the specific language governing permissions and |
|||
* limitations under the License. |
|||
*/ |
|||
package org.thingsboard.server.dao.queue; |
|||
|
|||
import org.thingsboard.server.common.data.id.QueueId; |
|||
import org.thingsboard.server.common.data.id.TenantId; |
|||
import org.thingsboard.server.common.data.page.PageData; |
|||
import org.thingsboard.server.common.data.page.PageLink; |
|||
import org.thingsboard.server.common.data.queue.Queue; |
|||
|
|||
import java.util.List; |
|||
|
|||
public interface QueueService { |
|||
|
|||
Queue saveQueue(Queue queue); |
|||
|
|||
void deleteQueue(TenantId tenantId, QueueId queueId); |
|||
|
|||
List<Queue> findQueuesByTenantId(TenantId tenantId); |
|||
|
|||
PageData<Queue> findQueuesByTenantId(TenantId tenantId, PageLink pageLink); |
|||
|
|||
List<Queue> findAllQueues(); |
|||
|
|||
Queue findQueueById(TenantId tenantId, QueueId queueId); |
|||
|
|||
Queue findQueueByTenantIdAndName(TenantId tenantId, String name); |
|||
|
|||
Queue findQueueByTenantIdAndNameInternal(TenantId tenantId, String queueName); |
|||
|
|||
void deleteQueuesByTenantId(TenantId tenantId); |
|||
} |
|||
Some files were not shown because too many files changed in this diff
Loading…
Reference in new issue