Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/11/12 10:09:55 UTC

[GitHub] [cloudstack] rhtyd opened a new pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

rhtyd opened a new pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683


   - Hardcodes secretkey and QR code for user (can be generated with extension)
   - No per-user 2FA check and enforcement (check is not enforced when 2FA code is not entered ;)
   - User scans the code, logs into portal using username, password and code
   
   I'll close this next week. This is meant only as a PoC/hack for the 2FA feature, ideally we should:
   - Have per user-account enforcement and checks
   - Allow a pluggable framework to allow people to support multiple 2-FA plugins, for ex. Google Authenticator, SMS, email OTP ...
   - The QR code should be dynamically created uniquely per user-account


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
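
The production behaviour listed in the description above (a secret and QR payload generated per user-account, and a backend check that is enforced whenever 2FA is enabled), sketched as an added example; it is not code from this pull request or from CloudStack. The function names and the `user` record are hypothetical, and it assumes the authenticator-app defaults of RFC 6238 TOTP (HMAC-SHA-1, 30-second step, 6 digits).

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

STEP, DIGITS = 30, 6  # assumed authenticator-app defaults (RFC 6238, HMAC-SHA-1)

def new_secret() -> str:
    """Random 160-bit secret, generated once per user-account at enrolment."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def otpauth_uri(secret: str, account: str, issuer: str = "Apache CloudStack") -> str:
    """QR payload; encode it to an image locally, never via a remote URL."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"

def totp(secret: str, at: float) -> str:
    """RFC 6238 code for Unix time `at`."""
    key = base64.b32decode(secret, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", int(at) // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** DIGITS).zfill(DIGITS)

def second_factor_ok(user: dict, code, now=None, window: int = 1) -> bool:
    """Backend check, run after the password check.
    `user` is a hypothetical record: {"totp_secret": str or None, "last_step": int}."""
    if not user.get("totp_secret"):
        return True   # 2FA not enabled for this account
    if not code:
        return False  # enabled but no code supplied: reject instead of skipping
    step = int(time.time() if now is None else now) // STEP
    for s in range(max(0, step - window), step + window + 1):
        expected = totp(user["totp_secret"], s * STEP).encode()
        if s > user.get("last_step", -1) and hmac.compare_digest(expected, str(code).encode()):
            user["last_step"] = s  # each time step is accepted once (no replay)
            return True
    return False

if __name__ == "__main__":
    alice = {"totp_secret": new_secret(), "last_step": -1}  # constructed sample account
    print(otpauth_uri(alice["totp_secret"], "alice@example.org"))
    code = totp(alice["totp_secret"], time.time())
    print(second_factor_ok(alice, None), second_factor_ok(alice, code), second_factor_ok(alice, code))
```

The `window` parameter tolerates one step of clock drift in either direction; `last_step` must be persisted with the account for the replay check to hold across requests.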



[GitHub] [cloudstack] rhtyd commented on pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

Posted by GitBox <gi...@apache.org>.
rhtyd commented on pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683#issuecomment-966997973


   (let's at least ensure this doesn't break unit tests)
   @blueorangutan package 





[GitHub] [cloudstack] blueorangutan commented on pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683#issuecomment-966998231


   @rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress.





[GitHub] [cloudstack] blueorangutan commented on pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

Posted by GitBox <gi...@apache.org>.
blueorangutan commented on pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683#issuecomment-967028448


   Packaging result: :heavy_check_mark: el7 :heavy_check_mark: el8 :heavy_check_mark: debian :heavy_check_mark: suse15. SL-JID 1700





[GitHub] [cloudstack] rhtyd closed pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

Posted by GitBox <gi...@apache.org>.
rhtyd closed pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683


   





[GitHub] [cloudstack] rhtyd commented on pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

Posted by GitBox <gi...@apache.org>.
rhtyd commented on pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683#issuecomment-967024746


   Thanks @DaanHoogland - yes by enforcing I meant that when 2FA is not provided in login it doesn't check 2FA code. In prod, we want to enforce checks at backend for all user-accounts which have 2FA enabled.
   
   This doesn't require any integration/identities with Google;
   - As a quick hack the QR code is generated by Google charts, in prod. the CloudStack UI or backend would generate that
   - Google Authenticator is just the app to show us 2FA codes, other phone apps that do 2FA code by scanning QR code can work too (https://www.maketecheasier.com/google-authenticator-alternatives/). I've only used google authenticator to do the checks.
   
   





[GitHub] [cloudstack] rhtyd commented on pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

Posted by GitBox <gi...@apache.org>.
rhtyd commented on pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683#issuecomment-971443243


   Closing this for now - will propose a proper design doc around pluggable 2FA feature.





[GitHub] [cloudstack] ravening commented on pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

Posted by GitBox <gi...@apache.org>.
ravening commented on pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683#issuecomment-995681392


   > Closing this for now - will propose a proper design doc around pluggable 2FA feature.
   
   @rhtyd hello Rohit. Is there any progress on this? Will it be reopened again sometime in future?





[GitHub] [cloudstack] DaanHoogland commented on pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683#issuecomment-967148159


   I was thinking of the third party identity provider use-case we have, but this is great @rhtyd let's test
   @blueorangutan test keepEnv





[GitHub] [cloudstack] rhtyd edited a comment on pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

Posted by GitBox <gi...@apache.org>.
rhtyd edited a comment on pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683#issuecomment-967024746


   Thanks @DaanHoogland - yes by enforcing I meant that when 2FA is not provided in login it doesn't check 2FA code. In prod, we want to enforce checks at backend for all user-accounts which have 2FA enabled.
   
   This doesn't require any integration/identities with Google;
   - As a quick hack the QR code is generated by Google charts, in prod. the CloudStack UI or backend would generate that
   - Google Authenticator is just the app to show us 2FA codes, other phone apps that do 2FA code by scanning QR code can work too (https://www.maketecheasier.com/google-authenticator-alternatives/). I've only used google authenticator as an example and to test.
   





[GitHub] [cloudstack] weizhouapache commented on a change in pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on a change in pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683#discussion_r748392481



##########
File path: ui/src/components/view/InfoCard.vue
##########
@@ -49,6 +49,14 @@
               </div>
             </slot>
           </div>
+          <div>
+            <br/>
+            <a-divider/>
+            <p><b>2FA QR</b></p>
+            <span v-if="resource.username">
+              <img src="https://www.google.com/chart?chs=200x200&chld=M%%7C0&cht=qr&chl=otpauth://totp/Apache%20CloudStack%3Atest%40gmail.com?secret=7t4gabg72liipmq7n43lt3cw66fel4iz&issuer=Apache%20CloudStack"/>
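
Review bot: the `<img src>` on the last added line puts the TOTP `secret=` parameter into a URL that the browser fetches from www.google.com, so the shared secret leaves the deployment on every render of this card and can end up in proxy and browser logs. Render the QR code from the `otpauth://` string locally in the UI or backend so the secret is never sent to a third party.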

Review comment:
       @rhtyd  nice work !
   
   I have a question, if user has not logged in yet, how to get this QR code ?







[GitHub] [cloudstack] weizhouapache commented on pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683#issuecomment-967219296


   @rhtyd 
   good work !
   
   we could consider 2FA by sending code via email or SMS.





[GitHub] [cloudstack] rhtyd commented on a change in pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

Posted by GitBox <gi...@apache.org>.
rhtyd commented on a change in pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683#discussion_r748147427



##########
File path: ui/src/components/view/InfoCard.vue
##########
@@ -49,6 +49,14 @@
               </div>
             </slot>
           </div>
+          <div>
+            <br/>
+            <a-divider/>
+            <p><b>2FA QR</b></p>
+            <span v-if="resource.username">
+              <img src="https://www.google.com/chart?chs=200x200&chld=M%%7C0&cht=qr&chl=otpauth://totp/Apache%20CloudStack%3Atest%40gmail.com?secret=7t4gabg72liipmq7n43lt3cw66fel4iz&issuer=Apache%20CloudStack"/>
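
Review bot: `chld=M%%7C0` in the `<img src>` query string is not a valid percent-escape, since a stray `%` precedes `%7C`; use `chld=M%7C0`. In the same URL the unescaped `&` before `issuer=` ends the `chl` value, so `issuer` is parsed as a parameter of the chart URL rather than as part of the `otpauth` URI; percent-encode the whole `chl` value.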

Review comment:
       TODO: This is hardcoded, needs to be generated by backend API and shown only one time to the user (with maybe some backup codes)







[GitHub] [cloudstack] rhtyd commented on a change in pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

Posted by GitBox <gi...@apache.org>.
rhtyd commented on a change in pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683#discussion_r748395416



##########
File path: ui/src/components/view/InfoCard.vue
##########
@@ -49,6 +49,14 @@
               </div>
             </slot>
           </div>
+          <div>
+            <br/>
+            <a-divider/>
+            <p><b>2FA QR</b></p>
+            <span v-if="resource.username">
+              <img src="https://www.google.com/chart?chs=200x200&chld=M%%7C0&cht=qr&chl=otpauth://totp/Apache%20CloudStack%3Atest%40gmail.com?secret=7t4gabg72liipmq7n43lt3cw66fel4iz&issuer=Apache%20CloudStack"/>
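
Review bot: `v-if="resource.username"` only checks that the resource shown in the card has a username, while the `otpauth` label (`test%40gmail.com`) and `secret=` on the next line are fixed strings, so every card with a username shows the same enrolment QR code. Bind the label to the account being enrolled, and gate the block on an explicit 2FA-enrolment state for the logged-in user rather than on the presence of `username`.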

Review comment:
       The workflow would be for the user to first log-in, then click a button to enable 2FA where they'll be shown this QR code. For this hack, I've taken shortcuts (for ex. the static QR code, instead of a randomly generated one per account).







[GitHub] [cloudstack] rhtyd commented on pull request #5683: CCC21 Hackathon: quick & dirty 2FA Google Authentication integration

Posted by GitBox <gi...@apache.org>.
rhtyd commented on pull request #5683:
URL: https://github.com/apache/cloudstack/pull/5683#issuecomment-997185065


   Hi @ravening, yes I think there'll be some progress on it soon. I've started a discussion thread on dev ML and shared this design doc: https://cwiki.apache.org/confluence/display/CLOUDSTACK/2FA+Framework+and+Plugins
   Since this was just a PoC for fun, I closed it.

