Merge branch 'develop' of https://github.com/mage-os/mirror-security-…

…package into develop
mage-os · Jun 29, 2024 · eee5c1f · eee5c1f
2 parents c8fe8b7 + d9d1406
commit eee5c1f
Show file tree

Hide file tree

Showing 6 changed files with 73 additions and 8 deletions.
diff --git a/TwoFactorAuth/Model/Config/Backend/Leeway.php b/TwoFactorAuth/Model/Config/Backend/Leeway.php
@@ -0,0 +1,64 @@
+<?php
+/**
+ * Copyright 2024 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\TwoFactorAuth\Model\Config\Backend;
+
+use Magento\Framework\App\Config\Value;
+use Magento\Framework\App\Config\Data\ProcessorInterface;
+use Magento\Framework\Exception\ValidatorException;
+use OTPHP\TOTPInterface;
+
+class Leeway extends Value implements ProcessorInterface
+{
+    /**
+     * Fetch Totp default period value
+     *
+     * @return int
+     */
+    private function getDefaultPeriod(): int
+    {
+        return TOTPInterface::DEFAULT_PERIOD;
+    }
+
+    /**
+     * Process the value before saving.
+     *
+     * @param mixed $value The configuration value.
+     * @return mixed The processed value.
+     * @throws ValidatorException If the value is invalid.
+     */
+    public function processValue($value)
+    {
+        if (!is_numeric($value)) {
+            throw new ValidatorException(__('The Leeway must be a numeric value.'));
+        }
+        $numericValue = (int) $value;
+        return $numericValue;
+    }
+
+    /**
+     * Validates the value before saving.
+     *
+     * @throws ValidatorException If the value is invalid.
+     */
+    public function beforeSave()
+    {
+        $value = $this->getValue();
+        $period = $this->getDefaultPeriod();
+        if (!is_numeric($value) || $value < 1 || $value >= $period) {
+            throw new ValidatorException(
+                __(
+                    'Invalid Leeway value. It must be between 1 and %1 as default period is %2',
+                    $period-1,
+                    $period
+                )
+            );
+        }
+
+        return parent::beforeSave();
+    }
+}
diff --git a/TwoFactorAuth/Model/Provider/Engine/Google.php b/TwoFactorAuth/Model/Provider/Engine/Google.php
@@ -35,7 +35,7 @@ class Google implements EngineInterface
     /**
      * Config path for the OTP window
      */
-    const XML_PATH_OTP_WINDOW = 'twofactorauth/google/otp_window';
+    public const XML_PATH_LEEWAY = 'twofactorauth/google/leeway';
 
     /**
      * Engine code
@@ -199,7 +199,7 @@ public function verify(UserInterface $user, DataObject $request): bool
         return $totp->verify(
             $token,
             null,
-            $config['window'] ?? (int)$this->scopeConfig->getValue(self::XML_PATH_OTP_WINDOW) ?: null
+            $config['window'] ?? (int)$this->scopeConfig->getValue(self::XML_PATH_LEEWAY) ?: null
         );
     }
 

diff --git a/TwoFactorAuth/Test/Api/GoogleActivateTest.php b/TwoFactorAuth/Test/Api/GoogleActivateTest.php
@@ -129,7 +129,7 @@ public function testAlreadyActivatedProvider()
     /**
      * @magentoConfigFixture twofactorauth/general/force_providers google
      * @magentoApiDataFixture Magento/User/_files/user_with_custom_role.php
-     * @magentoConfigFixture twofactorauth/google/otp_window 20
+     * @magentoConfigFixture twofactorauth/google/leeway 29
      */
     public function testActivate()
     {

diff --git a/TwoFactorAuth/Test/Api/GoogleAuthenticateTest.php b/TwoFactorAuth/Test/Api/GoogleAuthenticateTest.php
@@ -223,7 +223,7 @@ public function testNotConfiguredProvider(): void
     /**
      * @magentoConfigFixture twofactorauth/general/force_providers google
      * @magentoApiDataFixture Magento/User/_files/user_with_custom_role.php
-     * @magentoConfigFixture twofactorauth/google/otp_window 20
+     * @magentoConfigFixture twofactorauth/google/leeway 29
      *
      * @return void
      */

diff --git a/TwoFactorAuth/etc/adminhtml/system.xml b/TwoFactorAuth/etc/adminhtml/system.xml
@@ -39,10 +39,11 @@
             <group id="google" translate="label" type="text" sortOrder="30" showInDefault="1" showInWebsite="0"
                    showInStore="0">
                 <label>Google</label>
-                <field id="otp_window" translate="label comment" type="text" sortOrder="10" showInDefault="1"
+                <field id="leeway" translate="label comment" type="text" sortOrder="10" showInDefault="1"
                        showInWebsite="0" showInStore="0" canRestore="1">
-                    <label>OTP Window</label>
-                    <comment>This determines how long the one-time-passwords are valid for. An OTP Window of 1 will result in the current OTP value plus 1 code in the past and 1 code in the future to be valid at any given point in time.</comment>
+                    <label>Leeway</label>
+                    <comment>This sets the time drift leeway for OTPs. A leeway of 29 with a period of 30 means OTPs are valid within ±29 seconds from the current time. The leeway must be smaller than the period</comment>
+                    <backend_model>Magento\TwoFactorAuth\Model\Config\Backend\Leeway</backend_model>
                 </field>
             </group>
             <group id="duo" translate="label" type="text" sortOrder="40" showInDefault="1" showInWebsite="0"

diff --git a/TwoFactorAuth/etc/config.xml b/TwoFactorAuth/etc/config.xml
@@ -21,7 +21,7 @@
                 <application_key backend_model="Magento\Config\Model\Config\Backend\Encrypted"/>
             </duo>
             <google>
-                <otp_window>1</otp_window>
+                <leeway backend_model="Magento\TwoFactorAuth\Model\Config\Backend\Leeway">29</leeway>
             </google>
         </twofactorauth>
     </default>