WIP: Add multi-factor authentication plug-able modules

[awarecan]

Description:

Add multi-factor authentication support for new auth system.

Auth module

Multi-factor auth modules has been added to auth/modules folder.

totp is Time-based One Time Password module which compatible with Google Authenticator and Authy (not test yet).

insecure_example is a Example designed for demo and unit testing purpose, should not be used in any production system.

Multi-facot auth module can be used mixed-match with auth providers. After normal auth provider validate, if there are auth modules enabled for the specific user, the login flow will direct to auth module input form. Auth module use separated storage, can be hardening it in future.

Related issue (if applicable): fixes #

Pull request in developers.home-assistant.io with documentation (if applicable): home-assistant/developers.home-assistant#52

Example entry for configuration.yaml (if applicable):

# configuration.yaml
homeassistant:
  # Auth Provider
  auth_providers:
    - type: homeassistant
  auth_mfa_modules:
    - type: totp

auth:

Checklist:

• The code change is tested and works locally.
• Local tests pass with tox. Your PR cannot be merged unless tests pass

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated in developers.home-assistant.io

If the code communicates with devices, web services, or third-party tools:

• New dependencies have been added to the REQUIREMENTS variable (example).
• New dependencies are only imported inside functions that use them (example).
• New or updated dependencies have been added to requirements_all.txt by running script/gen_requirements_all.py.

If the code does not interact with devices:

• Tests have been added to verify that the new code works.

[awarecan]

For other auth provider, such as legacy_api_password, you need to manually edit ~/.homeassistant/.storage/auth_module.totp file (the username for legacy_api_password is homeassistant)

To manually generate ota_secret, you can execute following python script

import pyotp
print(pyotp.random_base32())

[balloob]

typo

[balloob]

When can this happen?

[awarecan]

Data file was corrupted? Cannot recall why I added this statement, can be removed if you feel redundant.

[balloob]

It's redundant. If storage doesn't exist, we get None back and set the default above. If we save, the default was the foundation.

[balloob]

It's usually wise to discuss these things before creating big PRs like this. That way there is no work wasted if we have different views on the architecture.

[balloob]

Why do we need to always save?

[awarecan]

legacy code, should be removed. It was used in v1 implementation when auth module save data in auth provider storage.

[awarecan]

I thought we had the discussion around plugable auth module in #15225

[balloob]

That's true, but that's only 1 part of this. Starting code review now

[balloob]

auth modules should not change anymore after startup ?

[balloob]

I don't see any need for the session store. This should just be stored on the instance of the login flow handler. It will then be removed with that.

[awarecan]

Yes, it was inherited from previous version of implement. I agreed that is over-design, we should not have session at all, flow_id can be used as a session.

[balloob]

This should not live under auth provider as it has nothing to do with it?

I suggest we restructure our auth into

• homeassistant/auth/__init__.py
• homeassistant/auth/providers/homeassistant.py
• homeassistant/auth/modules/totp.py

I also not sure if I like modules, it's too generic. What about two_factor ?

[balloob]

I think that we should store these on the user objects in a data object that is stored/restored when user is saved/restored.

[balloob]

I don't like this architecture.

I think that we should implement it as a FlowHandler that is not extended by the login flows, but instead wraps one.

It should take the login flow it needs to wrap. Once that flow returns a create entry, it should hold that value, look up the user, see if any two factor has been registered, instantiate those and let them handle the next step.

You can use __getattr__ to intercept the methods on the LoginFlow and decide where to redirect the call.

[balloob]

Hmm , maybe I do like this architecture. I just don't like how it iterates through the modules and mutates them.

[balloob]

We shouldn't create sessions, just instantiate and store on this instance.

[balloob]

Use a guard clause

if not X:
    return Y

…

[balloob]

This is weird, instead, once finish called, we should check if user has any 2fa configured (stored on user object?) and then create a local list of 2fa to ask which we can mutate.

[balloob]

A user can have multiple 2FA active, it only needs to pass 1 to log in.

[awarecan]

I see your point, so the flow should like

admin create user -> user login -> user enable/setup one of many 2fa from a list
user select auth_provider -> auth_provider validate -> user select which 2fa he/she want to use -> ask 2fa challenge -> 2fa module validate -> user logged in

[balloob]

Yep, and we can do it all within a login flow without needed a frontend change

[balloob]

string concatenation should be done using .format

[balloob]

Session expiration is up to the LoginFlow to enforce.

[balloob]

Modules should not be nested under an auth provider. Instead, users should be able to enable 2fa for their account.

[awarecan]

So the configuration should like

# configuration.yml
homeassistant:
  auth_providers:
    - type: a_provder
    - type: b_provider
  auth_2fa_modules:
    - type: totp
    - type: hotp_sms

user should be able to enable one of many module in his setting page
user should be able to select use which module after auth_provider validate

That is the sequence used in my Cisco VPN client configured with okta integration.

[homeassistant]

Hello @awarecan,

When attempting to inspect the commits of your pull request for CLA signature status among all authors we encountered commit(s) which were not linked to a GitHub account, thus not allowing us to determine their status(es).

The commits that are missing a linked GitHub account are the following:

• 6f9a98b674fcefd9e2d5165915da4db18529ee30 - This commit has something that looks like an email address (ec2-user@ip-172-31-28-229.us-west-2.compute.internal). Maybe try linking that to GitHub?.

Unfortunately, we are unable to accept this pull request until this situation is corrected.

Here are your options:

1. If you had an email address set for the commit that simply wasn't linked to your GitHub account you can link that email now and it will retroactively apply to your commits. The simplest way to do this is to click the link to one of the above commits and look for a blue question mark in a blue circle in the top left. Hovering over that bubble will show you what email address you used. Clicking on that button will take you to your email address settings on GitHub. Just add the email address on that page and you're all set. GitHub has more information about this option in their help center.

2. If you didn't use an email address at all, it was an invalid email, or it's one you can't link to your GitHub, you will need to change the authorship information of the commit and your global Git settings so this doesn't happen again going forward. GitHub provides some great instructions on how to change your authorship information in their help center.

   • If you only made a single commit you should be able to run

     git commit --amend --author="Author Name <email@address.com>"
     

     (substituting Author Name and email@address.com for your actual information) to set the authorship information.
   • If you made more than one commit and the commit with the missing authorship information is not the most recent one you have two options:
     1. You can re-create all commits missing authorship information. This is going to be the easiest solution for developers that aren't extremely confident in their Git and command line skills.
     2. You can use this script that GitHub provides to rewrite history. Please note: this should be used only if you are very confident in your abilities and understand its impacts.
   • Whichever method you choose, I will come by to re-check the pull request once you push the fixes to this branch.

We apologize for this inconvenience, especially since it usually bites new contributors to Home Assistant. We hope you understand the need for us to protect ourselves and the great community we all have built legally. The best thing to come out of this is that you only need to fix this once and it benefits the entire Home Assistant and GitHub community.

Thanks, I look forward to checking this PR again soon! ❤️

[awarecan]

Rebase seems mess up, close this PR for now