diff options
Diffstat (limited to 'indra/newview')
-rw-r--r-- | indra/newview/VIEWER_VERSION.txt | 2 | ||||
-rw-r--r-- | indra/newview/app_settings/settings.xml | 11 | ||||
-rw-r--r-- | indra/newview/lllogininstance.cpp | 63 | ||||
-rw-r--r-- | indra/newview/llsecapi.h | 3 | ||||
-rw-r--r-- | indra/newview/llsechandler_basic.cpp | 5 | ||||
-rw-r--r-- | indra/newview/llsechandler_basic.h | 3 | ||||
-rw-r--r-- | indra/newview/llstartup.cpp | 18 | ||||
-rw-r--r-- | indra/newview/skins/default/xui/en/floater_mfa.xml | 49 | ||||
-rw-r--r-- | indra/newview/skins/default/xui/en/notifications.xml | 21 | ||||
-rw-r--r-- | indra/newview/skins/default/xui/en/strings.xml | 4 | ||||
-rw-r--r-- | indra/newview/tests/lllogininstance_test.cpp | 11 | ||||
-rw-r--r-- | indra/newview/tests/llsecapi_test.cpp | 1 |
12 files changed, 185 insertions, 6 deletions
diff --git a/indra/newview/VIEWER_VERSION.txt b/indra/newview/VIEWER_VERSION.txt index cc81d718c3..32c568aee0 100644 --- a/indra/newview/VIEWER_VERSION.txt +++ b/indra/newview/VIEWER_VERSION.txt @@ -1 +1 @@ -6.5.5 +6.5.6 diff --git a/indra/newview/app_settings/settings.xml b/indra/newview/app_settings/settings.xml index 7f8ebbae92..4958cf4264 100644 --- a/indra/newview/app_settings/settings.xml +++ b/indra/newview/app_settings/settings.xml @@ -16826,5 +16826,16 @@ <key>Value</key> <integer>1</integer> </map> + <key>MFAHash</key> + <map> + <key>Comment</key> + <string>Override MFA state hash for authentication</string> + <key>Persist</key> + <integer>0</integer> + <key>Type</key> + <string>String</string> + <key>Value</key> + <string></string> + </map> </map> </llsd> diff --git a/indra/newview/lllogininstance.cpp b/indra/newview/lllogininstance.cpp index f9732b804f..a3d0eb5796 100644 --- a/indra/newview/lllogininstance.cpp +++ b/indra/newview/lllogininstance.cpp @@ -61,6 +61,7 @@ #include "lltrans.h" #include <boost/scoped_ptr.hpp> +#include <boost/regex.hpp> #include <sstream> const S32 LOGIN_MAX_RETRIES = 0; // Viewer should not autmatically retry login @@ -224,8 +225,9 @@ void LLLoginInstance::constructAuthParams(LLPointer<LLCredential> user_credentia request_params["id0"] = mSerialNumber; request_params["host_id"] = gSavedSettings.getString("HostID"); request_params["extended_errors"] = true; // request message_id and message_args + request_params["token"] = ""; - // log request_params _before_ adding the credentials + // log request_params _before_ adding the credentials or sensitive MFA hash data LL_DEBUGS("LLLogin") << "Login parameters: " << LLSDOStreamer<LLSDNotationFormatter>(request_params) << LL_ENDL; // Copy the credentials into the request after logging the rest @@ -238,6 +240,33 @@ void LLLoginInstance::constructAuthParams(LLPointer<LLCredential> user_credentia request_params[it->first] = it->second; } + std::string mfa_hash = gSavedSettings.getString("MFAHash"); //non-persistent to enable testing + std::string grid(LLGridManager::getInstance()->getGridId()); + std::string user_id = user_credential->userID(); + if (gSecAPIHandler) + { + if (mfa_hash.empty()) + { + // normal execution, mfa_hash was not set from debug setting so load from protected store + LLSD data_map = gSecAPIHandler->getProtectedData("mfa_hash", grid); + if (data_map.isMap() && data_map.has(user_id)) + { + mfa_hash = data_map[user_id].asString(); + } + } + else + { + // SL-16888 the mfa_hash is being overridden for testing so save it for consistency for future login requests + gSecAPIHandler->addToProtectedMap("mfa_hash", grid, user_id, mfa_hash); + } + } + else + { + LL_WARNS() << "unable to access protected store for mfa_hash" << LL_ENDL; + } + + request_params["mfa_hash"] = mfa_hash; + // Specify desired timeout/retry options LLSD http_params; F32 srv_timeout = llclamp(gSavedSettings.getF32("LoginSRVTimeout"), LOGIN_SRV_TIMEOUT_MIN, LOGIN_SRV_TIMEOUT_MAX); @@ -411,6 +440,38 @@ void LLLoginInstance::handleLoginFailure(const LLSD& event) boost::bind(&LLLoginInstance::syncWithUpdater, this, resp, _1, _2)); } } + else if(reason_response == "mfa_challenge") + { + LL_DEBUGS("LLLogin") << " MFA challenge" << LL_ENDL; + + if (gViewerWindow) + { + gViewerWindow->setShowProgress(FALSE); + } + + LLSD args(llsd::map( "MESSAGE", LLTrans::getString(response["message_id"]) )); + LLSD payload; + LLNotificationsUtil::add("PromptMFAToken", args, payload, [=](LLSD const & notif, LLSD const & response) { + bool continue_clicked = response["continue"].asBoolean(); + std::string token = response["token"].asString(); + LL_DEBUGS("LLLogin") << "PromptMFAToken: response: " << response << " continue_clicked" << continue_clicked << LL_ENDL; + + // strip out whitespace - SL-17034/BUG-231938 + token = boost::regex_replace(token, boost::regex("\\s"), ""); + + if (continue_clicked && !token.empty()) + { + LL_INFOS("LLLogin") << "PromptMFAToken: token submitted" << LL_ENDL; + + // Set the request data to true and retry login. + mRequestData["params"]["token"] = token; + reconnect(); + } else { + LL_INFOS("LLLogin") << "PromptMFAToken: no token, attemptComplete" << LL_ENDL; + attemptComplete(); + } + }); + } else if( reason_response == "key" || reason_response == "presence" || reason_response == "connect" diff --git a/indra/newview/llsecapi.h b/indra/newview/llsecapi.h index e1320375ab..d8831fee93 100644 --- a/indra/newview/llsecapi.h +++ b/indra/newview/llsecapi.h @@ -485,6 +485,9 @@ public: const std::string& data_id, const std::string& map_elem)=0; + // ensure protected store's map is written to storage + virtual void syncProtectedMap() = 0; + public: virtual LLPointer<LLCredential> createCredential(const std::string& grid, const LLSD& identifier, diff --git a/indra/newview/llsechandler_basic.cpp b/indra/newview/llsechandler_basic.cpp index 6b06abaf99..d0da3387ec 100644 --- a/indra/newview/llsechandler_basic.cpp +++ b/indra/newview/llsechandler_basic.cpp @@ -1608,6 +1608,11 @@ void LLSecAPIBasicHandler::removeFromProtectedMap(const std::string& data_type, } } +void LLSecAPIBasicHandler::syncProtectedMap() +{ + // TODO - consider unifing these functions + _writeProtectedData(); +} // // Create a credential object from an identifier and authenticator. credentials are // per grid. diff --git a/indra/newview/llsechandler_basic.h b/indra/newview/llsechandler_basic.h index 17e9f72f07..bd1a8f640c 100644 --- a/indra/newview/llsechandler_basic.h +++ b/indra/newview/llsechandler_basic.h @@ -278,6 +278,9 @@ public: const std::string& data_id, const std::string& map_elem); + // ensure protected store's map is written to storage + virtual void syncProtectedMap(); + // credential management routines virtual LLPointer<LLCredential> createCredential(const std::string& grid, diff --git a/indra/newview/llstartup.cpp b/indra/newview/llstartup.cpp index f5c70102f3..03b24ffb71 100644 --- a/indra/newview/llstartup.cpp +++ b/indra/newview/llstartup.cpp @@ -133,6 +133,7 @@ #include "llproxy.h" #include "llproductinforequest.h" #include "llqueryflags.h" +#include "llsecapi.h" #include "llselectmgr.h" #include "llsky.h" #include "llstatview.h" @@ -1116,10 +1117,10 @@ bool idle_startup() } else { - if (reason_response != "tos") + if (reason_response != "tos" && reason_response != "mfa_challenge") { - // Don't pop up a notification in the TOS case because - // LLFloaterTOS::onCancel() already scolded the user. + // Don't pop up a notification in the TOS or MFA cases because + // the specialized floater has already scolded the user. std::string error_code; if(response.has("errorcode")) { @@ -3686,6 +3687,17 @@ bool process_login_success_response() LLViewerMedia::getInstance()->openIDSetup(openid_url, openid_token); } + + // Only save mfa_hash for future logins if the user wants their info remembered. + if(response.has("mfa_hash") && gSavedSettings.getBOOL("RememberUser") && gSavedSettings.getBOOL("RememberPassword")) + { + std::string grid(LLGridManager::getInstance()->getGridId()); + std::string user_id(gUserCredential->userID()); + gSecAPIHandler->addToProtectedMap("mfa_hash", grid, user_id, response["mfa_hash"]); + // TODO(brad) - related to SL-17223 consider building a better interface that sync's automatically + gSecAPIHandler->syncProtectedMap(); + } + bool success = false; // JC: gesture loading done below, when we have an asset system // in place. Don't delete/clear gUserCredentials until then. diff --git a/indra/newview/skins/default/xui/en/floater_mfa.xml b/indra/newview/skins/default/xui/en/floater_mfa.xml new file mode 100644 index 0000000000..a649cc6d47 --- /dev/null +++ b/indra/newview/skins/default/xui/en/floater_mfa.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="utf-8" standalone="yes" ?> +<floater + title="MFA Token Requred" + legacy_header_height="18" + can_minimize="false" + can_close="false" + height="110" + layout="topleft" + name="mfa_challenge" + help_topic="mfa_challenge" + width="550"> + <text + type="string" + word_wrap="true" + length="1" + follows="top|left" + height="15" + layout="topleft" + left="10" + name="token_prompt_text" + top="20"> + token prompt + </text> + <line_editor + follows="left|top|right" + height="19" + layout="topleft" + bottom_delta="40" + name="token_edit" + width="100" /> + <button + follows="top|left" + height="20" + label="Continue" + layout="topleft" + left="10" + name="continue_btn" + bottom_delta="30" + width="64" /> + <button + follows="top|left" + height="20" + label="Cancel" + layout="topleft" + left_pad="5" + name="cancel_btn" + bottom_delta="0" + width="64" /> +</floater> diff --git a/indra/newview/skins/default/xui/en/notifications.xml b/indra/newview/skins/default/xui/en/notifications.xml index d4ccfd55ff..dd8a2cf5fd 100644 --- a/indra/newview/skins/default/xui/en/notifications.xml +++ b/indra/newview/skins/default/xui/en/notifications.xml @@ -11817,4 +11817,25 @@ Unpacking: [UNPACK_TIME]s [USIZE]KB <tag>fail</tag> </notification> + <notification + icon="alertmodal.tga" + label="Prompt for MFA Token" + name="PromptMFAToken" + type="alertmodal"> + [MESSAGE] + <tag>confirm</tag> + <form name="form"> + <input name="token" type="text" width="400" /> + <button + default="true" + index="0" + name="continue" + text="Continue"/> + <button + index="1" + name="cancel" + text="Cancel"/> + </form> + </notification> + </notifications> diff --git a/indra/newview/skins/default/xui/en/strings.xml b/indra/newview/skins/default/xui/en/strings.xml index a024f23885..3ca0435a65 100644 --- a/indra/newview/skins/default/xui/en/strings.xml +++ b/indra/newview/skins/default/xui/en/strings.xml @@ -133,6 +133,7 @@ http://secondlife.com/viewer-access-faq</string> Please check to make sure you entered the right * Username (like bobsmith12 or steller.sunshine) * Password + * Second Factor Token (if enabled) Also, please make sure your Caps Lock key is off.</string> <string name="LoginFailedPasswordChanged">As a security precaution your password has been changed. Please go to your account page at http://secondlife.com/password @@ -192,7 +193,8 @@ Please try logging in again in a minute.</string> Please try logging in again in a minute.</string> <string name="LoginFailedLoggingOutSession">The system has begun logging out your last session. Please try logging in again in a minute.</string> - + <string name="LoginFailedAuthenticationMFARequired">To continue logging in, enter a new token from your multifactor authentication app. +If you feel this is an error, please contact support@secondlife.com</string> <!-- Disconnection --> <string name="AgentLostConnection">This region may be experiencing trouble. Please check your connection to the Internet.</string> diff --git a/indra/newview/tests/lllogininstance_test.cpp b/indra/newview/tests/lllogininstance_test.cpp index 7dd0c5faa3..7259e66265 100644 --- a/indra/newview/tests/lllogininstance_test.cpp +++ b/indra/newview/tests/lllogininstance_test.cpp @@ -186,6 +186,15 @@ std::string LLGridManager::getAppSLURLBase(const std::string& grid_name) { return "myappslurl"; } +std::string LLGridManager::getGridId(const std::string& grid) +{ + return std::string(); +} + +//LLPointer<LLSecAPIHandler> getSecHandler(const std::string& handler_type) +//{ +// return nullptr; +//} //----------------------------------------------------------------------------- #include "../llviewercontrol.h" @@ -227,6 +236,8 @@ LLAppViewer * LLAppViewer::sInstance = 0; static std::string gTOSType; static LLEventPump * gTOSReplyPump = NULL; +LLPointer<LLSecAPIHandler> gSecAPIHandler; + //static LLFloater* LLFloaterReg::showInstance(const std::string& name, const LLSD& key, BOOL focus) { diff --git a/indra/newview/tests/llsecapi_test.cpp b/indra/newview/tests/llsecapi_test.cpp index 37fbbb449b..7d2a9a436f 100644 --- a/indra/newview/tests/llsecapi_test.cpp +++ b/indra/newview/tests/llsecapi_test.cpp @@ -62,6 +62,7 @@ LLPointer<LLCertificateStore> LLSecAPIBasicHandler::getCertificateStore(const st void LLSecAPIBasicHandler::setProtectedData(const std::string& data_type, const std::string& data_id, const LLSD& data) {} void LLSecAPIBasicHandler::addToProtectedMap(const std::string& data_type, const std::string& data_id, const std::string& map_elem, const LLSD& data) {} void LLSecAPIBasicHandler::removeFromProtectedMap(const std::string& data_type, const std::string& data_id, const std::string& map_elem) {} +void LLSecAPIBasicHandler::syncProtectedMap() {} LLSD LLSecAPIBasicHandler::getProtectedData(const std::string& data_type, const std::string& data_id) { return LLSD(); } void LLSecAPIBasicHandler::deleteProtectedData(const std::string& data_type, const std::string& data_id) {} LLPointer<LLCredential> LLSecAPIBasicHandler::createCredential(const std::string& grid, const LLSD& identifier, const LLSD& authenticator) { return NULL; } |