Merge pull request #77 from appirio-tech/feature/2fa

Feature/2fa

Author: eisbilir

buildtokenproperties.sh

@@ -62,6 +62,7 @@ SENDGRID_WELCOME_EMAIL_TEMPLATE_ID=$(eval "echo \$${ENV}_SENDGRID_WELCOME_EMAIL_
 SENDGRID_SELF_SERVICE_RESEND_ACTIVATION_EMAIL_TEMPLATE_ID=$(eval "echo \$${ENV}_SENDGRID_SELF_SERVICE_RESEND_ACTIVATION_EMAIL_TEMPLATE_ID")
 SENDGRID_SELF_SERVICE_WELCOME_EMAIL_TEMPLATE_ID=$(eval "echo \$${ENV}_SENDGRID_SELF_SERVICE_WELCOME_EMAIL_TEMPLATE_ID")
 SENDGRID_2FA_INVITATION_TEMPLATE_ID=$(eval "echo \$${ENV}_SENDGRID_2FA_INVITATION_TEMPLATE_ID")
+SENDGRID_2FA_OTP_TEMPLATE_ID=$(eval "echo \$${ENV}_SENDGRID_2FA_OTP_TEMPLATE_ID")
 
 
 if [[ -z "$ENV" ]] ; then
@@ -145,3 +146,4 @@ perl -pi -e "s/\{\{SENDGRID_WELCOME_EMAIL_TEMPLATE_ID\}\}/$SENDGRID_WELCOME_EMAI
 perl -pi -e "s/\{\{SENDGRID_SELF_SERVICE_RESEND_ACTIVATION_EMAIL_TEMPLATE_ID\}\}/$SENDGRID_SELF_SERVICE_RESEND_ACTIVATION_EMAIL_TEMPLATE_ID/g" $CONFFILENAME
 perl -pi -e "s/\{\{SENDGRID_SELF_SERVICE_WELCOME_EMAIL_TEMPLATE_ID\}\}/$SENDGRID_SELF_SERVICE_WELCOME_EMAIL_TEMPLATE_ID/g" $CONFFILENAME
 perl -pi -e "s/\{\{SENDGRID_2FA_INVITATION_TEMPLATE_ID\}\}/$SENDGRID_2FA_INVITATION_TEMPLATE_ID/g" $CONFFILENAME
+perl -pi -e "s/\{\{SENDGRID_2FA_OTP_TEMPLATE_ID\}\}/$SENDGRID_2FA_OTP_TEMPLATE_ID/g" $CONFFILENAME

src/main/java/com/appirio/tech/core/service/identity/IdentityApplication.java

@@ -243,6 +243,7 @@ public void run(IdentityConfiguration configuration, Environment environment) th
 			userResource.setSendgridSelfServiceTemplateId(Utils.getString("sendGridSelfServiceTemplateId"));
 			userResource.setSendgridSelfServiceWelcomeTemplateId(Utils.getString("sendGridSelfServiceWelcomeTemplateId"));
 			userResource.setSendgrid2faInvitationTemplateId(Utils.getString("sendGrid2faInvitationTemplateId"));
+			userResource.setSendgrid2faOtpTemplateId(Utils.getString("sendGrid2faOtpTemplateId"));
     	// this secret _used_ to be different from the one used in AuthorizationResource.
     	// it _was_ the secret x2. (userResource.setSecret(getSecret()+getSecret());)
 		// we assume this was done to further limit the usability of the oneTimeToken generated in userResource

src/main/java/com/appirio/tech/core/service/identity/clients/EventBusServiceClient.java

@@ -82,9 +82,9 @@ public void reFireEvent(EventMessage eventMessage) {
             String authToken = Utils.generateAuthToken(m2mAuthConfiguration);
 
             eventMessage.setOriginator(this.config.getAdditionalConfiguration().get("originator"));
+            LOGGER.info("Fire event {}", new ObjectMapper().writer().writeValueAsString(eventMessage));
             Response response = request.header("Authorization", "Bearer " + authToken).post(Entity.entity(eventMessage.getData(), MediaType.APPLICATION_JSON_TYPE));
 
-            LOGGER.info("Fire event {}", new ObjectMapper().writer().writeValueAsString(eventMessage));
             if (response.getStatusInfo().getStatusCode() != HttpStatus.OK_200 &&  response.getStatusInfo().getStatusCode()!= HttpStatus.NO_CONTENT_204) {
                 LOGGER.error("Unable to fire the event: {}", response);
             }

src/main/java/com/appirio/tech/core/service/identity/dao/UserDAO.java

@@ -168,6 +168,20 @@ public abstract class UserDAO implements DaoBase<User>, Transactional<UserDAO> {
             "WHERE user_id=:userId")
     public abstract int update2faByUserId(@Bind("userId") long userId, @Bind("enabled") boolean enabled, @Bind("verified") boolean verified);
 
+    @SqlUpdate(
+            "UPDATE common_oltp.user_2fa SET " +
+            "otp=:otp, " +
+            "otp_expire=current_timestamp + (5 ||' minutes')::interval " +
+            "WHERE id=:id")
+    public abstract int update2faOtp(@Bind("id") long id, @Bind("otp") String otp);
+
+    @SqlUpdate(
+            "UPDATE common_oltp.user_2fa SET otp=null, otp_expire=null " +
+            "FROM (SELECT id, otp, otp_expire FROM common_oltp.user_2fa WHERE user_id=:userId FOR UPDATE)y " +
+            "WHERE x.id=y.id " +
+            "RETURNING CASE WHEN y.otp=:otp and y.otp_expire > current_timestamp THEN 1 ELSE 0 END")
+    public abstract int verify2faOtp(@Bind("userId") long userId, @Bind("otp") String otp);
+
     @RegisterMapperFactory(TCBeanMapperFactory.class)
     @SqlQuery(
             "SELECT " + USER_COLUMNS + ", " +

src/main/java/com/appirio/tech/core/service/identity/representation/UserOtp.java

@@ -0,0 +1,23 @@
+package com.appirio.tech.core.service.identity.representation;
+
+public class UserOtp {
+
+	private Long userId;
+	private String otp;
+
+	public Long getUserId() {
+		return userId;
+	}
+
+	public void setUserId(Long userId) {
+		this.userId = userId;
+	}
+
+	public String getOtp() {
+		return otp;
+	}
+
+	public void setOtp(String otp) {
+		this.otp = otp;
+	}
+}

src/main/java/com/appirio/tech/core/service/identity/representation/UserOtpResponse.java

@@ -0,0 +1,15 @@
+package com.appirio.tech.core.service.identity.representation;
+
+public class UserOtpResponse {
+
+	private Boolean verified;
+
+	public Boolean getVerified() {
+		return verified;
+	}
+
+	public void setVerified(Boolean verified) {
+		this.verified = verified;
+	}
+
+}

src/main/java/com/appirio/tech/core/service/identity/resource/UserResource.java

@@ -60,6 +60,8 @@
 import com.appirio.tech.core.service.identity.representation.Credential;
 import com.appirio.tech.core.service.identity.representation.CredentialRequest;
 import com.appirio.tech.core.service.identity.representation.User2fa;
+import com.appirio.tech.core.service.identity.representation.UserOtp;
+import com.appirio.tech.core.service.identity.representation.UserOtpResponse;
 import com.appirio.tech.core.service.identity.representation.Email;
 import com.appirio.tech.core.service.identity.representation.ProviderType;
 import com.appirio.tech.core.service.identity.representation.Role;
@@ -124,6 +126,8 @@ public class UserResource implements GetResource<User>, DDLResource<User> {
     private String sendgridSelfServiceWelcomeTemplateId;
 
     private String sendgrid2faInvitationTemplateId;
+
+    private String sendgrid2faOtpTemplateId;
 
     protected UserDAO userDao;
 
@@ -1527,7 +1531,6 @@ public ApiResponse updateUser2fa(
 
         Long userId = Utils.toLongValue(id);
 
-        logger.info(String.format("findUserById(%s)", resourceId));
         User2fa user2faInDb = userDao.findUser2faById(userId);
         if (user2faInDb == null)
             throw new APIRuntimeException(SC_NOT_FOUND, MSG_TEMPLATE_USER_NOT_FOUND);
@@ -1559,7 +1562,7 @@ public ApiResponse updateUser2fa(
                         String.format("Got unexpected response from remote service. %d %s", response.getStatusCode(),
                                 response.getMessage()));
             }
-            logger.info(response.getText());
+            logger.info("Connection created: " + response.getText());
             send2faInvitationEmailEvent(user2faInDb, diceAuth.getDiceUrl() + "/verify/" + response.getText());
         }
 
@@ -1679,6 +1682,65 @@ public ApiResponse update2faVerification(
         return ApiResponseFactory.createResponse("User verification updated");
     }
 
+    @POST
+    @Path("/sendOtp")
+    @Timed
+    public ApiResponse createOtp(
+            @Valid PostPutRequest<UserOtp> postRequest,
+            @Context HttpServletRequest request) {
+
+        // checking param
+        checkParam(postRequest);
+
+        UserOtp userOtp = postRequest.getParam();
+
+        if (userOtp.getUserId() == null) {
+            throw new APIRuntimeException(SC_BAD_REQUEST, String.format(MSG_TEMPLATE_MANDATORY, "userId"));
+        }
+        logger.info(String.format("send otp to user (%d)", userOtp.getUserId()));
+
+        User2fa user2faInDb = userDao.findUser2faById(userOtp.getUserId());
+        if (user2faInDb == null)
+            throw new APIRuntimeException(SC_NOT_FOUND, MSG_TEMPLATE_USER_NOT_FOUND);
+        if (user2faInDb.getEnabled() == null || !user2faInDb.getEnabled()) {
+            throw new APIRuntimeException(SC_BAD_REQUEST, "2FA is not enabled for user");
+        }
+        String otp = Utils.generateRandomString(ALPHABET_DIGITS_EN, 6);
+        userDao.update2faOtp(user2faInDb.getId(), otp);
+        send2faCodeEmailEvent(user2faInDb, otp);
+        return ApiResponseFactory.createResponse("SUCCESS");
+    }
+
+    @POST
+    @Path("/checkOtp")
+    @Timed
+    public ApiResponse checkOtp(
+            @Valid PostPutRequest<UserOtp> postRequest,
+            @Context HttpServletRequest request) {
+
+        // checking param
+        checkParam(postRequest);
+
+        UserOtp userOtp = postRequest.getParam();
+
+        if (userOtp.getUserId() == null) {
+            throw new APIRuntimeException(SC_BAD_REQUEST, String.format(MSG_TEMPLATE_MANDATORY, "userId"));
+        }
+        if (userOtp.getOtp() == null || userOtp.getOtp().length() == 0) {
+            throw new APIRuntimeException(SC_BAD_REQUEST, String.format(MSG_TEMPLATE_MANDATORY, "otp"));
+        }
+        logger.info(String.format("verify otp for user (%d)", userOtp.getUserId()));
+
+        int result = userDao.verify2faOtp(userOtp.getUserId(), userOtp.getOtp());
+        UserOtpResponse response = new UserOtpResponse();
+        if (result == 1) {
+            response.setVerified(true);
+        } else {
+            response.setVerified(false);
+        }
+        return ApiResponseFactory.createResponse(response);
+    }
+
     @POST
     @Path("/oneTimeToken")
     @Timed
@@ -2010,6 +2072,14 @@ public void setSendgrid2faInvitationTemplateId(String sendgrid2faInvitationTempl
         this.sendgrid2faInvitationTemplateId = sendgrid2faInvitationTemplateId;
     }
 
+    public String getSendgrid2faOtpTemplateId() {
+        return sendgrid2faOtpTemplateId;
+    }
+
+    public void setSendgrid2faOtpTemplateId(String sendgrid2faOtpTemplateId) {
+        this.sendgrid2faOtpTemplateId = sendgrid2faOtpTemplateId;
+    }
+
     public String getSecret() {
         return secret;
     }
@@ -2123,6 +2193,34 @@ private void send2faInvitationEmailEvent(User2fa user, String inviteLink) {
         this.eventBusServiceClient.reFireEvent(msg);
     }
 
+    private void send2faCodeEmailEvent(User2fa user, String code) {
+
+        EventMessage msg = EventMessage.getDefault();
+        msg.setTopic("external.action.email");
+
+        Map<String,Object> payload = new LinkedHashMap<String,Object>();
+        Map<String,Object> data = new LinkedHashMap<String,Object>();
+        data.put("handle", user.getHandle());
+        data.put("code", code);
+
+        payload.put("data", data);
+
+        Map<String,Object> from = new LinkedHashMap<String,Object>();
+        from.put("email", String.format("Topcoder <noreply@%s>", getDomain()));
+        payload.put("from", from);
+
+        payload.put("version", "v3");
+        payload.put("sendgrid_template_id", this.getSendgrid2faOtpTemplateId());
+
+        ArrayList<String> recipients = new ArrayList<String>();
+        recipients.add(user.getEmail());
+
+        payload.put("recipients", recipients);
+
+        msg.setPayload(payload);
+        this.eventBusServiceClient.reFireEvent(msg);
+    }
+
     private void sendWelcomeEmailEvent(User user) {
 
         EventMessage msg = EventMessage.getDefault();

src/main/java/com/appirio/tech/core/service/identity/util/auth/DICEAuth.java

@@ -167,8 +167,8 @@ public String getToken() throws Exception {
             }
         }
         if (cachedToken == null || isCachedTokenExpired) {
-            Response response = new Request(
-                    "https://login.microsoftonline.com/" + getTenant() + "/oauth2/v2.0/token", "POST")
+            String url = "https://login.microsoftonline.com/" + getTenant() + "/oauth2/v2.0/token";
+            Response response = new Request(url, "POST")
                     .param("grant_type", "password")
                     .param("username", getUsername())
                     .param("password", getPassword())
@@ -181,6 +181,7 @@ public String getToken() throws Exception {
                                 response.getText()));
             }
             cachedToken = new ObjectMapper().readValue(response.getText(), Auth0Credential.class).getIdToken();
+            logger.info("Fetched token from URL: " + url);
         }
         return cachedToken;
     }

src/main/resources/config.yml

@@ -16,6 +16,7 @@ context:
   sendGridSelfServiceTemplateId: @application.sendgrid.selfservice.template.id@
   sendGridSelfServiceWelcomeTemplateId: @application.sendgrid.selfservice.welcome.template.id@
   sendGrid2faInvitationTemplateId: @application.sendgrid.2fa.invitation.template.id@
+  sendGrid2faOtpTemplateId: @application.sendgrid.2fa.otp.template.id@
   jwtExpirySeconds: 600
   cookieExpirySeconds: 7776000
 

token.properties.localdev

@@ -12,6 +12,7 @@
 @application.sendgrid.selfservice.template.id@=dummy
 @application.sendgrid.selfservice.welcome.template.id@=dummy
 @application.sendgrid.2fa.invitation.template.id@=dummy
+@application.sendgrid.2fa.otp.template.id@=dummy
 
 @ldap.host@=127.0.0.1
 @ldap.port@=389