116 lines
4.3 KiB
Ruby
116 lines
4.3 KiB
Ruby
class SuperAdmin < ApplicationRecord
|
|
include PasswordComplexityConcern
|
|
|
|
devise :rememberable, :trackable, :validatable, :lockable, :recoverable
|
|
if SUPER_ADMIN_OTP_ENABLED
|
|
devise :two_factor_authenticatable, otp_secret_encryption_key: Rails.application.secrets.otp_secret_key, sign_in_after_reset_password: false
|
|
else
|
|
devise :database_authenticatable
|
|
end
|
|
|
|
def enable_otp!
|
|
self.otp_secret = SuperAdmin.generate_otp_secret
|
|
self.otp_required_for_login = true
|
|
save!
|
|
end
|
|
|
|
def disable_otp!
|
|
self.assign_attributes(
|
|
{
|
|
otp_secret: nil,
|
|
encrypted_otp_secret: nil,
|
|
encrypted_otp_secret_iv: nil,
|
|
encrypted_otp_secret_salt: nil,
|
|
consumed_timestep: nil,
|
|
otp_required_for_login: false
|
|
}
|
|
)
|
|
save!
|
|
end
|
|
|
|
def invite_admin(email)
|
|
user = User.create_or_promote_to_administrateur(email, SecureRandom.hex)
|
|
|
|
if user.valid?
|
|
user.invite_administrateur!(id)
|
|
Procedure.create_initiation_procedure(user.administrateur)
|
|
end
|
|
|
|
user
|
|
end
|
|
|
|
def send_devise_notification(notification, *args)
|
|
devise_mailer.send(notification, self, *args).deliver_later
|
|
end
|
|
|
|
private
|
|
|
|
# From https://github.com/tinfoil/devise-two-factor/blob/main/UPGRADING.md
|
|
# Remove me after super admin have been migrated to the new OTP system.
|
|
# Decrypt and return the `encrypted_otp_secret` attribute which was used in
|
|
# prior versions of devise-two-factor
|
|
# @return [String] The decrypted OTP secret
|
|
def legacy_otp_secret
|
|
return nil unless self[:encrypted_otp_secret]
|
|
return nil unless self.class.otp_secret_encryption_key
|
|
|
|
hmac_iterations = 2000 # a default set by the Encryptor gem
|
|
key = self.class.otp_secret_encryption_key
|
|
salt = Base64.decode64(encrypted_otp_secret_salt)
|
|
iv = Base64.decode64(encrypted_otp_secret_iv)
|
|
|
|
raw_cipher_text = Base64.decode64(encrypted_otp_secret)
|
|
# The last 16 bytes of the ciphertext are the authentication tag - we use
|
|
# Galois Counter Mode which is an authenticated encryption mode
|
|
cipher_text = raw_cipher_text[0..-17]
|
|
auth_tag = raw_cipher_text[-16..-1]
|
|
|
|
# this alrorithm lifted from
|
|
# https://github.com/attr-encrypted/encryptor/blob/master/lib/encryptor.rb#L54
|
|
|
|
# create an OpenSSL object which will decrypt the AES cipher with 256 bit
|
|
# keys in Galois Counter Mode (GCM). See
|
|
# https://ruby.github.io/openssl/OpenSSL/Cipher.html
|
|
cipher = OpenSSL::Cipher.new('aes-256-gcm')
|
|
|
|
# tell the cipher we want to decrypt. Symmetric algorithms use a very
|
|
# similar process for encryption and decryption, hence the same object can
|
|
# do both.
|
|
cipher.decrypt
|
|
|
|
# Use a Password-Based Key Derivation Function to generate the key actually
|
|
# used for encryptoin from the key we got as input.
|
|
cipher.key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(key, salt, hmac_iterations, cipher.key_len)
|
|
|
|
# set the Initialization Vector (IV)
|
|
cipher.iv = iv
|
|
|
|
# The tag must be set after calling Cipher#decrypt, Cipher#key= and
|
|
# Cipher#iv=, but before calling Cipher#final. After all decryption is
|
|
# performed, the tag is verified automatically in the call to Cipher#final.
|
|
#
|
|
# If the auth_tag does not verify, then #final will raise OpenSSL::Cipher::CipherError
|
|
cipher.auth_tag = auth_tag
|
|
|
|
# auth_data must be set after auth_tag has been set when decrypting See
|
|
# http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-auth_data-3D
|
|
# we are not adding any authenticated data but OpenSSL docs say this should
|
|
# still be called.
|
|
cipher.auth_data = ''
|
|
|
|
# #update is (somewhat confusingly named) the method which actually
|
|
# performs the decryption on the given chunk of data. Our OTP secret is
|
|
# short so we only need to call it once.
|
|
#
|
|
# It is very important that we call #final because:
|
|
#
|
|
# 1. The authentication tag is checked during the call to #final
|
|
# 2. Block based cipher modes (e.g. CBC) work on fixed size chunks. We need
|
|
# to call #final to get it to process the last chunk properly. The output
|
|
# of #final should be appended to the decrypted value. This isn't
|
|
# required for streaming cipher modes but including it is a best practice
|
|
# so that your code will continue to function correctly even if you later
|
|
# change to a block cipher mode.
|
|
cipher.update(cipher_text) + cipher.final
|
|
end
|
|
end
|