jro_apps/redmine Commit - r13951:d6f389658b9e

Require password re-entry for sensitive actions (#19851)....

Jean-Philippe Lang -

r13951:d6f389658b9e

parent child

Context file:

r13951:d6f389658b9e

Expand all files

app/views/my/show_api_key.html.erb created 644 +10 0

@@ -0,0 +1,10
	1	<h2><%= l :label_api_access_key %></h2>
	2
	3	<div class="box">
	4	<pre><%= @user.api_key %></pre>
	5	</div>
	6
	7	<p><%= link_to l(:button_back), action: 'account' %></p>
	8
	9
	10

app/views/my/show_api_key.js.erb created 644 +1 0

	@@ -0,0 +1,1
				1	$('#api-access-key').html('<%= escape_javascript @user.api_key %>').toggle();

app/views/sudo_mode/_new_modal.html.erb created 644 +19 0

@@ -0,0 +1,19
	1	<h3 class="title"><%= l(:label_password_required) %></h3>
	2	<%= form_tag({}, remote: true) do %>
	3
	4	<%= hidden_field_tag '_method', request.request_method %>
	5	<%= hash_to_hidden_fields @sudo_form.original_fields %>
	6	<%= render_flash_messages %>
	7	<div class="box tabular">
	8	<p>
	9	<label for="sudo_password"><%= l :field_password %><span class="required">*</span></label>
	10	<%= password_field_tag :sudo_password, nil, size: 25 %>
	11	</p>
	12	</div>
	13
	14	<p class="buttons">
	15	<%= submit_tag l(:button_confirm_password), onclick: "hideModal(this);" %>
	16	<%= submit_tag l(:button_cancel), name: nil, onclick: "hideModal(this);", type: 'button' %>
	17	</p>
	18	<% end %>
	19

app/views/sudo_mode/new.html.erb created 644 +17 0

@@ -0,0 +1,17
	1	<h2><%= l :label_password_required %></h2>
	2	<%= form_tag({}, class: 'tabular') do %>
	3
	4	<%= hidden_field_tag '_method', request.request_method %>
	5	<%= hash_to_hidden_fields @sudo_form.original_fields %>
	6
	7	<div class="box">
	8	<p>
	9	<label for="sudo_password"><%= l :field_password %><span class="required">*</span></label>
	10	<%= password_field_tag :sudo_password, nil, size: 25 %>
	11	</p>
	12	</div>
	13	<%= submit_tag l(:button_confirm_password) %>
	14	<% end %>
	15	<%= javascript_tag "$('#sudo_password').focus();" %>
	16
	17

app/views/sudo_mode/new.js.erb created 644 +4 0

@@ -0,0 +1,4
	1	$('#ajax-modal').html('<%= escape_javascript render partial: 'sudo_mode/new_modal' %>');
	2	showModal('ajax-modal', '400px');
	3	$('#sudo_password').focus();
	4

lib/redmine/sudo_mode.rb created 644 +224 0

@@ -0,0 +1,224
	1	require 'active_support/core_ext/object/to_query'
	2	require 'rack/utils'
	3
	4	module Redmine
	5	module SudoMode
	6
	7	# timespan after which sudo mode expires when unused.
	8	MAX_INACTIVITY = 15.minutes
	9
	10
	11	class SudoRequired < StandardError
	12	end
	13
	14
	15	class Form
	16	include ActiveModel::Validations
	17
	18	attr_accessor :password, :original_fields
	19	validate :check_password
	20
	21	def initialize(password = nil)
	22	self.password = password
	23	end
	24
	25	def check_password
	26	unless password.present? && User.current.check_password?(password)
	27	errors[:password] << :invalid
	28	end
	29	end
	30	end
	31
	32
	33	module Helper
	34	# Represents params data from hash as hidden fields
	35	#
	36	# taken from https://github.com/brianhempel/hash_to_hidden_fields
	37	def hash_to_hidden_fields(hash)
	38	cleaned_hash = hash.reject { \|k, v\| v.nil? }
	39	pairs = cleaned_hash.to_query.split(Rack::Utils::DEFAULT_SEP)
	40	tags = pairs.map do \|pair\|
	41	key, value = pair.split('=', 2).map { \|str\| Rack::Utils.unescape(str) }
	42	hidden_field_tag(key, value)
	43	end
	44	tags.join("\n").html_safe
	45	end
	46	end
	47
	48
	49	module Controller
	50	extend ActiveSupport::Concern
	51
	52	included do
	53	around_filter :sudo_mode
	54	end
	55
	56	# Sudo mode Around Filter
	57	#
	58	# Checks the 'last used' timestamp from session and sets the
	59	# SudoMode::active? flag accordingly.
	60	#
	61	# After the request refreshes the timestamp if sudo mode was used during
	62	# this request.
	63	def sudo_mode
	64	if api_request?
	65	SudoMode.disable!
	66	elsif sudo_timestamp_valid?
	67	SudoMode.active!
	68	end
	69	yield
	70	update_sudo_timestamp! if SudoMode.was_used?
	71	end
	72
	73	# This renders the sudo mode form / handles sudo form submission.
	74	#
	75	# Call this method in controller actions if sudo permissions are required
	76	# for processing this request. This approach is good in cases where the
	77	# action needs to be protected in any case or where the check is simple.
	78	#
	79	# In cases where this decision depends on complex conditions in the model,
	80	# consider the declarative approach using the require_sudo_mode class
	81	# method and a corresponding declaration in the model that causes it to throw
	82	# a SudoRequired Error when necessary.
	83	#
	84	# All parameter names given are included as hidden fields to be resubmitted
	85	# along with the password.
	86	#
	87	# Returns true when processing the action should continue, false otherwise.
	88	# If false is returned, render has already been called for display of the
	89	# password form.
	90	#
	91	# if @user.mail_changed?
	92	# require_sudo_mode :user or return
	93	# end
	94	#
	95	def require_sudo_mode(*param_names)
	96	return true if SudoMode.active?
	97
	98	if param_names.blank?
	99	param_names = params.keys - %w(id action controller sudo_password)
	100	end
	101
	102	process_sudo_form
	103
	104	if SudoMode.active?
	105	true
	106	else
	107	render_sudo_form param_names
	108	false
	109	end
	110	end
	111
	112	# display the sudo password form
	113	def render_sudo_form(param_names)
	114	@sudo_form \|\|= SudoMode::Form.new
	115	@sudo_form.original_fields = params.slice( *param_names )
	116	# a simple 'render "sudo_mode/new"' works when used directly inside an
	117	# action, but not when called from a before_filter:
	118	respond_to do \|format\|
	119	format.html { render 'sudo_mode/new' }
	120	format.js { render 'sudo_mode/new' }
	121	end
	122	end
	123
	124	# handle sudo password form submit
	125	def process_sudo_form
	126	if params[:sudo_password]
	127	@sudo_form = SudoMode::Form.new(params[:sudo_password])
	128	if @sudo_form.valid?
	129	SudoMode.active!
	130	else
	131	flash.now[:error] = l(:notice_account_wrong_password)
	132	end
	133	end
	134	end
	135
	136	def sudo_timestamp_valid?
	137	session[:sudo_timestamp].to_i > MAX_INACTIVITY.ago.to_i
	138	end
	139
	140	def update_sudo_timestamp!(new_value = Time.now.to_i)
	141	session[:sudo_timestamp] = new_value
	142	end
	143
	144	# Before Filter which is used by the require_sudo_mode class method.
	145	class SudoRequestFilter < Struct.new(:parameters, :request_methods)
	146	def before(controller)
	147	method_matches = request_methods.blank? \|\| request_methods.include?(controller.request.method_symbol)
	148	if SudoMode.possible? && method_matches
	149	controller.require_sudo_mode( *parameters )
	150	else
	151	true
	152	end
	153	end
	154	end
	155
	156	module ClassMethods
	157
	158	# Handles sudo requirements for the given actions, preserving the named
	159	# parameters, or any parameters if you omit the :parameters option.
	160	#
	161	# Sudo enforcement by default is active for all requests to an action
	162	# but may be limited to a certain subset of request methods via the
	163	# :only option.
	164	#
	165	# Examples:
	166	#
	167	# require_sudo_mode :account, only: :post
	168	# require_sudo_mode :update, :create, parameters: %w(role)
	169	# require_sudo_mode :destroy
	170	#
	171	def require_sudo_mode(*args)
	172	actions = args.dup
	173	options = actions.extract_options!
	174	filter = SudoRequestFilter.new Array(options[:parameters]), Array(options[:only])
	175	before_filter filter, only: actions
	176	end
	177	end
	178	end
	179
	180
	181	# true if the sudo mode state was queried during this request
	182	def self.was_used?
	183	!!RequestStore.store[:sudo_mode_was_used]
	184	end
	185
	186	# true if sudo mode is currently active.
	187	#
	188	# Calling this method also turns was_used? to true, therefore
	189	# it is important to only call this when sudo is actually needed, as the last
	190	# condition to determine wether a change can be done or not.
	191	#
	192	# If you do it wrong, timeout of the sudo mode will happen too late or not at
	193	# all.
	194	def self.active?
	195	if !!RequestStore.store[:sudo_mode]
	196	RequestStore.store[:sudo_mode_was_used] = true
	197	end
	198	end
	199
	200	def self.active!
	201	RequestStore.store[:sudo_mode] = true
	202	end
	203
	204	def self.possible?
	205	!disabled? && User.current.logged?
	206	end
	207
	208	# Turn off sudo mode (never require password entry).
	209	def self.disable!
	210	RequestStore.store[:sudo_mode_disabled] = true
	211	end
	212
	213	# Turn sudo mode back on
	214	def self.enable!
	215	RequestStore.store[:sudo_mode_disabled] = nil
	216	end
	217
	218	def self.disabled?
	219	!!RequestStore.store[:sudo_mode_disabled]
	220	end
	221
	222	end
	223	end
	224

test/integration/sudo_test.rb created 644 +126 0

@@ -0,0 +1,126
	1	require File.expand_path('../../test_helper', __FILE__)
	2
	3	class SudoTest < Redmine::IntegrationTest
	4	fixtures :projects, :members, :member_roles, :roles, :users
	5
	6	def setup
	7	Redmine::SudoMode.enable!
	8	end
	9
	10	def teardown
	11	Redmine::SudoMode.disable!
	12	end
	13
	14	def test_create_member_xhr
	15	log_user 'admin', 'admin'
	16	get '/projects/ecookbook/settings/members'
	17	assert_response :success
	18
	19	assert_no_difference 'Member.count' do
	20	xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}
	21	end
	22
	23	assert_no_difference 'Member.count' do
	24	xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: ''
	25	end
	26
	27	assert_no_difference 'Member.count' do
	28	xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'wrong'
	29	end
	30
	31	assert_difference 'Member.count' do
	32	xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'admin'
	33	end
	34	assert User.find(7).member_of?(Project.find(1))
	35	end
	36
	37	def test_create_member
	38	log_user 'admin', 'admin'
	39	get '/projects/ecookbook/settings/members'
	40	assert_response :success
	41
	42	assert_no_difference 'Member.count' do
	43	post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}
	44	end
	45
	46	assert_no_difference 'Member.count' do
	47	post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: ''
	48	end
	49
	50	assert_no_difference 'Member.count' do
	51	post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'wrong'
	52	end
	53
	54	assert_difference 'Member.count' do
	55	post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'admin'
	56	end
	57
	58	assert_redirected_to '/projects/ecookbook/settings/members'
	59	assert User.find(7).member_of?(Project.find(1))
	60	end
	61
	62	def test_create_role
	63	log_user 'admin', 'admin'
	64	get '/roles'
	65	assert_response :success
	66
	67	get '/roles/new'
	68	assert_response :success
	69
	70	post '/roles', role: { }
	71	assert_response :success
	72	assert_select 'h2', 'Confirm your password to continue'
	73	assert_select 'form[action="/roles"]'
	74	assert assigns(:sudo_form).errors.blank?
	75
	76	post '/roles', role: { name: 'new role', issues_visibility: 'all' }
	77	assert_response :success
	78	assert_select 'h2', 'Confirm your password to continue'
	79	assert_select 'form[action="/roles"]'
	80	assert_match /"new role"/, response.body
	81	assert assigns(:sudo_form).errors.blank?
	82
	83	post '/roles', role: { name: 'new role', issues_visibility: 'all' }, sudo_password: 'wrong'
	84	assert_response :success
	85	assert_select 'h2', 'Confirm your password to continue'
	86	assert_select 'form[action="/roles"]'
	87	assert_match /"new role"/, response.body
	88	assert assigns(:sudo_form).errors[:password].present?
	89
	90	assert_difference 'Role.count' do
	91	post '/roles', role: { name: 'new role', issues_visibility: 'all', assignable: '1', permissions: %w(view_calendar) }, sudo_password: 'admin'
	92	end
	93	assert_redirected_to '/roles'
	94	end
	95
	96	def test_update_email_address
	97	log_user 'jsmith', 'jsmith'
	98	get '/my/account'
	99	assert_response :success
	100	post '/my/account', user: { mail: 'newmail@test.com' }
	101	assert_response :success
	102	assert_select 'h2', 'Confirm your password to continue'
	103	assert_select 'form[action="/my/account"]'
	104	assert_match /"newmail@test\.com"/, response.body
	105	assert assigns(:sudo_form).errors.blank?
	106
	107	# wrong password
	108	post '/my/account', user: { mail: 'newmail@test.com' }, sudo_password: 'wrong'
	109	assert_response :success
	110	assert_select 'h2', 'Confirm your password to continue'
	111	assert_select 'form[action="/my/account"]'
	112	assert_match /"newmail@test\.com"/, response.body
	113	assert assigns(:sudo_form).errors[:password].present?
	114
	115	# correct password
	116	post '/my/account', user: { mail: 'newmail@test.com' }, sudo_password: 'jsmith'
	117	assert_redirected_to '/my/account'
	118	assert_equal 'newmail@test.com', User.find_by_login('jsmith').mail
	119
	120	# sudo mode should now be active and not require password again
	121	post '/my/account', user: { mail: 'even.newer.mail@test.com' }
	122	assert_redirected_to '/my/account'
	123	assert_equal 'even.newer.mail@test.com', User.find_by_login('jsmith').mail
	124	end
	125
	126	end

app/controllers/application_controller.rb +2 0

               include Redmine::MenuManager::MenuController
               helper Redmine::MenuManager::MenuHelper
+              include Redmine::SudoMode::Controller
               def session_expiration
                 if session[:user_id]
                   if session_expired? && !try_to_autologin

app/controllers/auth_sources_controller.rb +1 0

               before_filter :require_admin
               before_filter :find_auth_source, :only => [:edit, :update, :test_connection, :destroy]
+              require_sudo_mode :update, :destroy
               def index
                 @auth_source_pages, @auth_sources = paginate AuthSource, :per_page => 25

app/controllers/email_addresses_controller.rb +1 0

             class EmailAddressesController < ApplicationController
               before_filter :find_user, :require_admin_or_current_user
               before_filter :find_email_address, :only => [:update, :destroy]
+              require_sudo_mode :create, :update, :destroy
               def index
                 @addresses = @user.email_addresses.order(:id).where(:is_default => false).to_a

app/controllers/groups_controller.rb +2 0

               before_filter :find_group, :except => [:index, :new, :create]
               accept_api_auth :index, :show, :create, :update, :destroy, :add_users, :remove_user
+              require_sudo_mode :add_users, :remove_user, :create, :update, :destroy, :edit_membership, :destroy_membership
               helper :custom_fields
               helper :principal_memberships

app/controllers/members_controller.rb +2 0

               before_filter :authorize
               accept_api_auth :index, :show, :create, :update, :destroy
+              require_sudo_mode :create, :update, :destroy
               def index
                 scope = @project.memberships.active
                 @offset, @limit = api_offset_and_limit

app/controllers/my_controller.rb +7 0

               # let user change user's password when user has to
               skip_before_filter :check_password_change, :only => :password
+              require_sudo_mode :account, only: :post
+              require_sudo_mode :reset_rss_key, :reset_api_key, :show_api_key, :destroy
               helper :issues
               helper :users
               helper :custom_fields
                 redirect_to my_account_path
               end
+              def show_api_key
+                @user = User.current
+              end
               # Create a new API key
               def reset_api_key
                 if request.post?

app/controllers/projects_controller.rb +1 0

               before_filter :require_admin, :only => [ :copy, :archive, :unarchive, :destroy ]
               accept_rss_auth :index
               accept_api_auth :index, :show, :create, :update, :destroy
+              require_sudo_mode :destroy
               after_filter :only => [:create, :edit, :update, :archive, :unarchive, :destroy] do |controller|
                 if controller.request.post?

app/controllers/roles_controller.rb +2 0

               before_filter :find_role, :only => [:show, :edit, :update, :destroy]
               accept_api_auth :index, :show
+              require_sudo_mode :create, :update, :destroy
               def index
                 respond_to do |format|
                   format.html {

app/controllers/settings_controller.rb +2 0

               before_filter :require_admin
+              require_sudo_mode :index, :edit, :plugin
               def index
                 edit
                 render :action => 'edit'

app/controllers/users_controller.rb +2 0

               include CustomFieldsHelper
               helper :principal_memberships
+              require_sudo_mode :create, :update, :destroy
               def index
                 sort_init 'login', 'asc'
                 sort_update %w(login firstname lastname admin created_on last_login_on)

app/helpers/application_helper.rb +1 0

               include Redmine::I18n
               include GravatarHelper::PublicMethods
               include Redmine::Pagination::Helper
+              include Redmine::SudoMode::Helper
               extend Forwardable
               def_delegators :wiki_helper, :wikitoolbar_for, :heads_for_wiki_formatter

app/views/my/_sidebar.html.erb +2 -2

             <% if Setting.rest_api_enabled? %>
             <h4><%= l(:label_api_access_key) %></h4>
             <div>
-              <%= link_to_function(l(:button_show), "$('#api-access-key').toggle();")%>
+              <%= link_to l(:button_show), {:action => 'show_api_key'}, :remote => true %>
-              <pre id='api-access-key' class='autoscroll'><%= @user.api_key %></pre>
+              <pre id='api-access-key' class='autoscroll'></pre>
             </div>
             <%= javascript_tag("$('#api-access-key').hide();") %>
             <p>

config/locales/de.yml +2 0

               button_close: Schließen
               button_collapse_all: Alle einklappen
               button_configure: Konfigurieren
+              button_confirm_password: Kennwort bestätigen
               button_copy: Kopieren
               button_copy_and_follow: Kopieren und Ticket anzeigen
               button_create: Anlegen
               label_overview: Übersicht
               label_parent_revision: Vorgänger
               label_password_lost: Kennwort vergessen
+              label_password_required: Bitte geben Sie Ihr Kennwort ein
               label_permissions: Berechtigungen
               label_permissions_report: Berechtigungsübersicht
               label_personalize_page: Diese Seite anpassen

config/locales/en.yml +2 0

               label_register: Register
               label_login_with_open_id_option: or login with OpenID
               label_password_lost: Lost password
+              label_password_required: Confirm your password to continue
               label_home: Home
               label_my_page: My page
               label_my_account: My account
               button_reset: Reset
               button_rename: Rename
               button_change_password: Change password
+              button_confirm_password: Confirm password
               button_copy: Copy
               button_copy_and_follow: Copy and follow
               button_annotate: Annotate

config/routes.rb +1 0

               match 'my', :controller => 'my', :action => 'index', :via => :get # Redirects to my/page
               match 'my/reset_rss_key', :controller => 'my', :action => 'reset_rss_key', :via => :post
               match 'my/reset_api_key', :controller => 'my', :action => 'reset_api_key', :via => :post
+              match 'my/show_api_key', :controller => 'my', :action => 'show_api_key', :via => :get
               match 'my/password', :controller => 'my', :action => 'password', :via => [:get, :post]
               match 'my/page_layout', :controller => 'my', :action => 'page_layout', :via => :get
               match 'my/add_block', :controller => 'my', :action => 'add_block', :via => :post

test/functional/auth_sources_controller_test.rb +1 0

               def setup
                 @request.session[:user_id] = 1
+                Redmine::SudoMode.disable!
               end
               def test_index

test/functional/email_addresses_controller_test.rb +1 0

               def setup
                 User.current = nil
+                Redmine::SudoMode.disable!
               end
               def test_index_with_no_additional_emails

test/functional/groups_controller_test.rb +1 0

               def setup
                 @request.session[:user_id] = 1
+                Redmine::SudoMode.disable!
               end
               def test_index

test/functional/members_controller_test.rb +1 0

               def setup
                 User.current = nil
                 @request.session[:user_id] = 2
+                Redmine::SudoMode.disable!
               end
               def test_new

test/functional/my_controller_test.rb +7 0

               def setup
                 @request.session[:user_id] = 2
+                Redmine::SudoMode.disable!
               end
               def test_index
                 assert_redirected_to '/my/account'
               end
+              def test_show_api_key
+                get :show_api_key
+                assert_response :success
+                assert_select 'pre', User.find(2).api_key
+              end
               def test_reset_api_key_with_existing_key
                 @previous_token_value = User.find(2).api_key # Will generate one if it's missing
                 post :reset_api_key

test/functional/projects_controller_test.rb +1 0

               def setup
                 @request.session[:user_id] = nil
                 Setting.default_language = 'en'
+                Redmine::SudoMode.disable!
               end
               def test_index_by_anonymous_should_not_show_private_projects

test/functional/roles_controller_test.rb +1 0

               def setup
                 User.current = nil
                 @request.session[:user_id] = 1 # admin
+                Redmine::SudoMode.disable!
               end
               def test_index

test/functional/settings_controller_test.rb +1 0

               def setup
                 User.current = nil
                 @request.session[:user_id] = 1 # admin
+                Redmine::SudoMode.disable!
               end
               def test_index

test/functional/users_controller_test.rb +1 0

               def setup
                 User.current = nil
                 @request.session[:user_id] = 1 # admin
+                Redmine::SudoMode.disable!
               end
               def test_index

test/integration/admin_test.rb +17 0

@@ -26,6 +26,14 class AdminTest < Redmine::IntegrationTest
26	:members,	26	:members,
27	:enabled_modules	27	:enabled_modules
28		28
		29	def setup
		30	Redmine::SudoMode.enable!
		31	end
		32
		33	def teardown
		34	Redmine::SudoMode.disable!
		35	end
		36
29	def test_add_user	37	def test_add_user
30	log_user("admin", "admin")	38	log_user("admin", "admin")
31	get "/users/new"	39	get "/users/new"
@@ -36,6 +44,15 class AdminTest < Redmine::IntegrationTest
36	:lastname => "Smith", :mail => "psmith@somenet.foo",	44	:lastname => "Smith", :mail => "psmith@somenet.foo",
37	:language => "en", :password => "psmith09",	45	:language => "en", :password => "psmith09",
38	:password_confirmation => "psmith09" }	46	:password_confirmation => "psmith09" }
		47	assert_response :success
		48	assert_nil User.find_by_login("psmith")
		49
		50	post "/users",
		51	:user => { :login => "psmith", :firstname => "Paul",
		52	:lastname => "Smith", :mail => "psmith@somenet.foo",
		53	:language => "en", :password => "psmith09",
		54	:password_confirmation => "psmith09" },
		55	:sudo_password => 'admin'
39		56
40	user = User.find_by_login("psmith")	57	user = User.find_by_login("psmith")
41	assert_kind_of User, user	58	assert_kind_of User, user

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages