fog-brightbox 1.5.0 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cb1f5fab98014e9dda7db0f12f010f30e35277e6516151f3ebe4f1821c662dc3
-  data.tar.gz: e4bb7b22b9c9e398923ce253708acfb0dd4519b7511428973ced16e20ac77e69
+  metadata.gz: 4ed1e1f608af748e905cfeafeb9f1a72674074f11720c854988e324de9e1fa84
+  data.tar.gz: c078791baaf84d13fb09c1f0d8ff17b9c1116f247cfb8c73647b529b97ce3bea
 SHA512:
-  metadata.gz: 38c16b6810afe2ebb15edeedfff0732f54e34ccc0e8bb56af85efcbcf2d43c1776957dff2b0ca44afc5a1cbc7d6b7a98c015cb5feb95aea36c820ab0eada57fd
-  data.tar.gz: 86e0cd498b82639fd952f3a08c03c15d8e8f623391889c23f602e6a1d7177cbe714b5527d3940e404e902d8a2acbc3c2004de97113ff6823b8656d07a35736ee
+  metadata.gz: fbfd902483fc3bb101255c4915d8fec6e54c5edf2995f6aa1b0eebe510e210a0b6173b109aa19811fee8fabc1c5f05c294d36b49fbcc9b15056bedf22e1ebac2
+  data.tar.gz: e3b208fa57e74eca736fa8d53683cbfa78645a6aa75a15b680f59365bbd26538cbb373828f92ba4d6de7a79a867e2377500179c9ef18171c35748dd3fa759e17

data/CHANGELOG.md

@@ -1,3 +1,25 @@
+### 1.6.0 / 2022-07-25
+
+Changes:
+
+* Added support to opt-in to support Brightbox 2FA within clients.
+
+Two Factor Authentication (2FA) support:
+
+Passing `brightbox_support_two_factor` into a configuration will raise a new
+error when user authentication has failed BUT the presence of the
+`X-Brightbox-OTP: required` HTTP header is found.
+
+This new error `Fog::Brightbox::OAuth2::TwoFactorMissingError` can be handled
+differently by the client and the second factor can be prompted for or
+recovered from a secure keychain.
+
+Without opting in, the previous error `Excon::Errors::Unauthorized` is raised.
+
+To send the OTP, the `brightbox_one_time_password` can be passed into a
+configuration object or one_time_password can be passed to a credentials
+object.
+
 ### 1.5.0 / 2022-06-09
 
 Changes:

data/lib/fog/brightbox/compute/shared.rb

@@ -39,21 +39,15 @@ module Fog
           @persistent          = @config.connection_persistent?
           @connection          = Fog::Core::Connection.new(@api_url, @persistent, @connection_options)
 
-          # Authentication options
-          client_id            = @config.client_id
-          client_secret        = @config.client_secret
-
-          username             = @config.username
-          password             = @config.password
           @configured_account  = @config.account
           # Request account can be changed at anytime and changes behaviour of future requests
           @scoped_account      = @configured_account
 
-          credential_options   = { :username => username, :password => password }
-          @credentials         = CredentialSet.new(client_id, client_secret, credential_options)
+          @two_factor          = @config.two_factor?
+          @one_time_password   = @config.one_time_password
 
           # If existing tokens have been cached, allow continued use of them in the service
-          @credentials.update_tokens(@config.cached_access_token, @config.cached_refresh_token)
+          credentials.update_tokens(@config.cached_access_token, @config.cached_refresh_token)
 
           @token_management    = @config.managed_tokens?
         end
@@ -73,6 +67,12 @@ module Fog
           @scoped_account = @configured_account
         end
 
+        def credentials
+          client_id = @config.client_id
+          client_secret = @config.client_secret
+          @credentials ||= CredentialSet.new(client_id, client_secret, credential_options)
+        end
+
         # Returns the scoped account being used for requests
         #
         # * For API clients this is the owning account
@@ -122,7 +122,7 @@ module Fog
         def get_access_token
           begin
             get_access_token!
-          rescue Excon::Errors::Unauthorized, Excon::Errors::BadRequest
+          rescue Fog::Brightbox::OAuth2::TwoFactorMissingError, Excon::Errors::Unauthorized, Excon::Errors::BadRequest
             @credentials.update_tokens(nil, nil)
           end
           @credentials.access_token
@@ -154,8 +154,24 @@ module Fog
           @default_image_id ||= (@config.default_image_id || select_default_image)
         end
 
+        def two_factor?
+          @two_factor || false
+        end
+
         private
 
+        # This returns a formatted set of options for the credentials for this service
+        #
+        # @return [Hash]
+        def credential_options
+          {
+            username: @config.username,
+            password: @config.password
+          }.tap do |opts|
+            opts[:one_time_password] = @one_time_password if two_factor?
+          end
+        end
+
         # This makes a request of the API based on the configured setting for
         # token management.
         #

data/lib/fog/brightbox/compute.rb

@@ -21,6 +21,10 @@ module Fog
       # Automatic token management
       recognizes :brightbox_token_management
 
+      # Two Factor Authentication support (2FA)
+      recognizes :brightbox_support_two_factor
+      recognizes :brightbox_one_time_password
+
       # Excon connection settings
       recognizes :persistent
 

data/lib/fog/brightbox/config.rb

@@ -33,6 +33,10 @@ module Fog
       #   Set to specify the client secret to use for requests.
       # @option options [String] :brightbox_token_management (true)
       #   Set to specify if the service should handle expired tokens or raise an error instead.
+      # @option options [Boolean] :brightbox_support_two_factor
+      #   Set to enable two factor authentication (2FA) for this configuration/user
+      # @option options [String] :brightbox_one_time_password
+      #   Set to pass through the current one time password when using 2FA
       # @option options [String] :brightbox_username
       #   Set to specify your user account. Either user identifier (+usr-12345+) or email address
       #   may be used.
@@ -226,6 +230,14 @@ module Fog
       def storage_temp_key
         @options[:brightbox_temp_url_key]
       end
+
+      def two_factor?
+        @options[:brightbox_support_two_factor] || false
+      end
+
+      def one_time_password
+        @options[:brightbox_one_time_password]
+      end
     end
   end
 end

data/lib/fog/brightbox/oauth2.rb

@@ -6,6 +6,10 @@ module Fog
     # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10
     #
     module OAuth2
+      TWO_FACTOR_HEADER = "X-Brightbox-OTP".freeze
+
+      class TwoFactorMissingError < StandardError; end
+
       # This builds the simplest form of requesting an access token
       # based on the arguments passed in
       #
@@ -13,16 +17,38 @@ module Fog
       # @param [CredentialSet] credentials
       #
       # @return [Excon::Response]
+      # @raise [Excon::Errors::Unauthorized] if the credentials are rejected by the server
+      # @raise [Fog::Brightbox::OAuth2::TwoFactorMissingError] if opted in to 2FA and server reports header is required
       def request_access_token(connection, credentials)
         token_strategy = credentials.best_grant_strategy
 
-        connection.request(
-          :path => "/token",
-          :expects  => 200,
-          :headers  => token_strategy.headers,
-          :method   => "POST",
-          :body     => Fog::JSON.encode(token_strategy.authorization_body_data)
-        )
+        if two_factor?
+          # When 2FA opt-in is set, we can expect 401 responses as well
+          response = connection.request(
+            :path => "/token",
+            :expects  => [200, 401],
+            :headers  => token_strategy.headers,
+            :method   => "POST",
+            :body     => Fog::JSON.encode(token_strategy.authorization_body_data)
+          )
+
+          if response.status == 401 && response.headers[Fog::Brightbox::OAuth2::TWO_FACTOR_HEADER] == "required"
+            raise TwoFactorMissingError
+          elsif response.status == 401
+            raise Excon::Errors.status_error({ expects: 200 }, status: 401)
+          else
+            response
+          end
+        else
+          # Use classic behaviour and return Excon::
+          connection.request(
+            :path => "/token",
+            :expects  => 200,
+            :headers  => token_strategy.headers,
+            :method   => "POST",
+            :body     => Fog::JSON.encode(token_strategy.authorization_body_data)
+          )
+        end
       end
 
       # Encapsulates credentials required to request access tokens from the
@@ -33,12 +59,14 @@ module Fog
       class CredentialSet
         attr_reader :client_id, :client_secret, :username, :password
         attr_reader :access_token, :refresh_token, :expires_in
+        attr_reader :one_time_password
         #
         # @param [String] client_id
         # @param [String] client_secret
         # @param [Hash] options
         # @option options [String] :username
         # @option options [String] :password
+        # @option options [String] :one_time_password One Time Password for Two Factor authentication
         #
         def initialize(client_id, client_secret, options = {})
           @client_id     = client_id
@@ -48,6 +76,7 @@ module Fog
           @access_token  = options[:access_token]
           @refresh_token = options[:refresh_token]
           @expires_in    = options[:expires_in]
+          @one_time_password = options[:one_time_password]
         end
 
         # Returns true if user details are available
@@ -142,6 +171,17 @@ module Fog
             "password"   => @credentials.password
           }
         end
+
+        def headers
+          {
+            "Authorization" => authorization_header,
+            "Content-Type" => "application/json"
+          }.tap do |headers|
+            if @credentials.one_time_password
+              headers[TWO_FACTOR_HEADER] = @credentials.one_time_password
+            end
+          end
+        end
       end
 
       # This strategy attempts to use a refresh_token gained during an earlier

data/lib/fog/brightbox/version.rb

@@ -1,5 +1,5 @@
 module Fog
   module Brightbox
-    VERSION = "1.5.0"
+    VERSION = "1.6.0"
   end
 end

data/spec/fog/brightbox/compute/credentials_spec.rb

@@ -0,0 +1,41 @@
+require "spec_helper"
+
+describe Fog::Brightbox::Compute, "#credentials" do
+  describe "when 2FA support is disabled" do
+    before do
+      @options = {
+        brightbox_client_id: "app-12345",
+        brightbox_secret: "1234567890",
+        brightbox_username: "jason.null@brightbox.com",
+        brightbox_password: "HR4life",
+        brightbox_one_time_password: "123456"
+      }
+      @service = Fog::Brightbox::Compute.new(@options)
+    end
+
+    it "does not add passed OTP to credentials" do
+      assert_kind_of Fog::Brightbox::OAuth2::CredentialSet, @service.credentials
+      assert_nil @service.credentials.one_time_password
+    end
+  end
+
+  describe "with 2FA support is enabled" do
+    before do
+      @expected_otp = "123456"
+      @options = {
+        brightbox_client_id: "app-12345",
+        brightbox_secret: "1234567890",
+        brightbox_username: "jason.null@brightbox.com",
+        brightbox_password: "HR4life",
+        brightbox_support_two_factor: true,
+        brightbox_one_time_password: @expected_otp
+      }
+      @service = Fog::Brightbox::Compute.new(@options)
+    end
+
+    it "adds passed OTP to credentials" do
+      assert_kind_of Fog::Brightbox::OAuth2::CredentialSet, @service.credentials
+      assert @expected_otp, @service.credentials.one_time_password
+    end
+  end
+end

data/spec/fog/brightbox/compute/get_access_token_spec.rb

@@ -0,0 +1,305 @@
+require "spec_helper"
+
+describe Fog::Brightbox::Compute, "#get_access_token" do
+  before do
+    @new_access_token = "0987654321"
+    @new_refresh_token = "5432167890"
+
+    @options = {
+      brightbox_client_id: "app-12345",
+      brightbox_secret: "1234567890",
+      brightbox_username: "jason.null@brightbox.com",
+      brightbox_password: "HR4life",
+      brightbox_support_two_factor: true,
+      brightbox_one_time_password: "123456"
+    }
+    @service = Fog::Brightbox::Compute.new(@options)
+  end
+
+  describe "when user does not have 2FA enabled" do
+    describe "and authenticates correctly" do
+      before do
+        stub_authentication_request(auth_correct: true)
+
+        assert @service.two_factor?
+      end
+
+      describe "without !" do
+        it "updates credentials" do
+          token = @service.get_access_token
+          assert_equal "0987654321", token
+
+          assert_equal token, @service.access_token
+        end
+      end
+
+      describe "with !" do
+        it "updates credentials" do
+          token = @service.get_access_token!
+          assert_equal "0987654321", token
+
+          assert_equal token, @service.access_token
+        end
+      end
+    end
+
+    describe "and authenticates incorrectly" do
+      before do
+        stub_authentication_request(auth_correct: false)
+
+        assert @service.two_factor?
+      end
+
+      describe "without !" do
+        it "returns nil" do
+          assert_nil @service.get_access_token
+
+          assert_nil @service.access_token
+          assert_nil @service.refresh_token
+        end
+      end
+
+      describe "with !" do
+        it "raises an error" do
+          begin
+            @service.get_access_token!
+          rescue Excon::Error::Unauthorized
+            assert_nil @service.access_token
+            assert_nil @service.refresh_token
+          end
+        end
+      end
+    end
+  end
+
+  describe "when user does have 2FA enabled" do
+    describe "and authenticates correctly" do
+      describe "without OTP" do
+        before do
+          stub_authentication_request(auth_correct: true,
+                                      two_factor_user: true)
+
+          assert @service.two_factor?
+        end
+
+        describe "without !" do
+          it "returns nil" do
+            assert_nil @service.get_access_token
+
+            assert_nil @service.access_token
+            assert_nil @service.refresh_token
+          end
+        end
+
+        describe "with !" do
+          it "raises an error" do
+            begin
+              @service.get_access_token!
+            rescue Fog::Brightbox::OAuth2::TwoFactorMissingError
+              assert_nil @service.access_token
+              assert_nil @service.refresh_token
+            end
+          end
+        end
+      end
+
+      describe "with OTP" do
+        before do
+          stub_authentication_request(auth_correct: true,
+                                      two_factor_user: true,
+                                      otp_sent: true)
+
+          assert @service.two_factor?
+        end
+
+        describe "without !" do
+          it "updates credentials" do
+            token = @service.get_access_token
+            assert_equal "0987654321", token
+
+            assert_equal token, @service.access_token
+          end
+        end
+
+        describe "with !" do
+          it "updates credentials" do
+            token = @service.get_access_token!
+            assert_equal "0987654321", token
+
+            assert_equal token, @service.access_token
+          end
+        end
+      end
+    end
+
+    describe "and authenticates incorrectly" do
+      before do
+        stub_authentication_request(auth_correct: false,
+                                    two_factor_user: true)
+
+        assert @service.two_factor?
+      end
+
+      describe "without !" do
+        it "returns nil" do
+          assert_nil @service.get_access_token
+
+          assert_nil @service.access_token
+          assert_nil @service.refresh_token
+        end
+      end
+
+      describe "with !" do
+        it "raises an error" do
+          begin
+            @service.get_access_token!
+          rescue Fog::Brightbox::OAuth2::TwoFactorMissingError
+            assert_nil @service.access_token
+            assert_nil @service.refresh_token
+          end
+        end
+      end
+    end
+
+    describe "without 2FA support enabled" do
+      before do
+        @options = {
+          brightbox_client_id: "app-12345",
+          brightbox_secret: "1234567890",
+          brightbox_username: "jason.null@brightbox.com",
+          brightbox_password: "HR4life",
+          brightbox_support_two_factor: false,
+          brightbox_one_time_password: "123456"
+        }
+        @service = Fog::Brightbox::Compute.new(@options)
+
+        refute @service.two_factor?
+      end
+
+      describe "without !" do
+        it "returns nil" do
+          stub_authentication_request(auth_correct: false,
+                                      two_factor_user: true)
+
+          assert_nil @service.get_access_token
+
+          assert_nil @service.access_token
+          assert_nil @service.refresh_token
+        end
+      end
+
+      describe "with !" do
+        describe "when authentication incorrect" do
+          it "raises an error" do
+            stub_authentication_request(auth_correct: false,
+                                        two_factor_user: true,
+                                        otp_sent: true)
+
+            begin
+              @service.get_access_token!
+            rescue Excon::Error::Unauthorized
+              assert_nil @service.access_token
+              assert_nil @service.refresh_token
+            end
+          end
+        end
+
+        describe "with missing OTP" do
+          before do
+            @options = {
+              brightbox_client_id: "app-12345",
+              brightbox_secret: "1234567890",
+              brightbox_username: "jason.null@brightbox.com",
+              brightbox_password: "HR4life",
+              brightbox_support_two_factor: false
+            }
+            @service = Fog::Brightbox::Compute.new(@options)
+
+            refute @service.two_factor?
+          end
+
+          it "raises an error" do
+            stub_authentication_request(auth_correct: true,
+                                        two_factor_user: true,
+                                        otp_sent: false)
+
+            begin
+              @service.get_access_token!
+            rescue Excon::Error::Unauthorized
+              assert_nil @service.access_token
+              assert_nil @service.refresh_token
+            end
+          end
+        end
+      end
+    end
+  end
+
+  # @param auth_correct [Boolean] Treat username/password as correct
+  # @param two_factor_user [Boolean] Is user protected by 2FA on server
+  # @param otp_sent [Boolean] Is an OTP sent in the request?
+  def stub_authentication_request(auth_correct:,
+                                  two_factor_user: false,
+                                  otp_sent: nil)
+
+    two_factor_supported = @service.two_factor?
+
+    request = {
+      headers: {
+        "Authorization" => "Basic YXBwLTEyMzQ1OjEyMzQ1Njc4OTA=",
+        "Content-Type" => "application/json",
+      },
+      body: {
+        grant_type: "password",
+        username: "jason.null@brightbox.com",
+        password: "HR4life"
+      }.to_json
+    }.tap do |req|
+      # Only expect the header if the service should send it
+      # Without this, we stub a request that demands an OTP but it is not sent
+      if two_factor_supported && otp_sent
+        req[:headers]["X-Brightbox-OTP"] = "123456"
+      end
+    end
+
+    # The cases we are testing are:
+    #
+    # * User does not use 2FA and authenticate
+    # * User does not use 2FA and FAILS to authenticate
+    # * User does use 2FA and authenticate
+    # * User does use 2FA and FAILS to authenticate
+    # * User does use 2FA and FAILS to send OTP
+    #
+    response = if two_factor_user && !otp_sent
+      # OTP required header
+      {
+        status: 401,
+        headers: {
+          "X-Brightbox-OTP" => "required"
+        },
+        body: { error: "invalid_client" }.to_json
+      }
+    elsif !auth_correct
+      # No OTP header
+      {
+        status: 401,
+        headers: {},
+        body: { error: "invalid_client" }.to_json
+      }
+    else
+      {
+        status: 200,
+        headers: {},
+        body: {
+          access_token: @new_access_token,
+          refresh_token: @new_refresh_token,
+          expires_in: 7200
+        }.to_json
+      }
+    end
+
+    stub_request(:post, "https://api.gb1.brightbox.com/token")
+      .with(request)
+      .to_return(response)
+  end
+end

data/spec/fog/brightbox/compute/two_factor_spec.rb

@@ -0,0 +1,53 @@
+require "spec_helper"
+
+describe Fog::Brightbox::Compute, "#two_factor?" do
+  describe "when omitted" do
+    before do
+      @options = {
+        brightbox_client_id: "app-12345",
+        brightbox_secret: "1234567890",
+        brightbox_username: "jason.null@brightbox.com",
+        brightbox_password: "HR4life"
+      }
+      @service = Fog::Brightbox::Compute.new(@options)
+    end
+
+    it do
+      refute @service.two_factor?
+    end
+  end
+
+  describe "when disabled" do
+    before do
+      @options = {
+        brightbox_client_id: "app-12345",
+        brightbox_secret: "1234567890",
+        brightbox_username: "jason.null@brightbox.com",
+        brightbox_password: "HR4life",
+        brightbox_support_two_factor: false
+      }
+      @service = Fog::Brightbox::Compute.new(@options)
+    end
+
+    it do
+      refute @service.two_factor?
+    end
+  end
+
+  describe "when enabled" do
+    before do
+      @options = {
+        brightbox_client_id: "app-12345",
+        brightbox_secret: "1234567890",
+        brightbox_username: "jason.null@brightbox.com",
+        brightbox_password: "HR4life",
+        brightbox_support_two_factor: true
+      }
+      @service = Fog::Brightbox::Compute.new(@options)
+    end
+
+    it do
+      assert @service.two_factor?
+    end
+  end
+end

data/spec/fog/brightbox/oauth2/user_credentials_strategy_spec.rb

@@ -37,4 +37,24 @@ describe Fog::Brightbox::OAuth2::UserCredentialsStrategy do
     assert_equal "Basic YXBwLTEyMzQ1Ol9fbWFzaGVkX2tleXNfMTIzX18=", headers["Authorization"]
     assert_equal "application/json", headers["Content-Type"]
   end
+
+  describe "when 2FA OTP is included" do
+    before do
+      options = {
+        username: @username,
+        password: @password,
+        one_time_password: "123456"
+      }
+
+      @credentials = Fog::Brightbox::OAuth2::CredentialSet.new(@client_id, @client_secret, options)
+      @strategy = Fog::Brightbox::OAuth2::UserCredentialsStrategy.new(@credentials)
+    end
+
+    it "tests #headers" do
+      headers = @strategy.headers
+      assert_equal "Basic YXBwLTEyMzQ1Ol9fbWFzaGVkX2tleXNfMTIzX18=", headers["Authorization"]
+      assert_equal "application/json", headers["Content-Type"]
+      assert_equal "123456", headers["X-Brightbox-OTP"]
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fog-brightbox
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 1.6.0
 platform: ruby
 authors:
 - Paul Thornthwaite
@@ -381,6 +381,9 @@ files:
 - lib/fog/brightbox/storage/not_found.rb
 - lib/fog/brightbox/version.rb
 - spec/fog/brightbox/compute/config_spec.rb
+- spec/fog/brightbox/compute/credentials_spec.rb
+- spec/fog/brightbox/compute/get_access_token_spec.rb
+- spec/fog/brightbox/compute/two_factor_spec.rb
 - spec/fog/brightbox/compute/wrapped_request_spec.rb
 - spec/fog/brightbox/config_spec.rb
 - spec/fog/brightbox/link_helper_spec.rb
@@ -488,6 +491,9 @@ summary: This library can be used as a module for `fog` or as standalone provide
   to use the Brightbox Cloud in applications
 test_files:
 - spec/fog/brightbox/compute/config_spec.rb
+- spec/fog/brightbox/compute/credentials_spec.rb
+- spec/fog/brightbox/compute/get_access_token_spec.rb
+- spec/fog/brightbox/compute/two_factor_spec.rb
 - spec/fog/brightbox/compute/wrapped_request_spec.rb
 - spec/fog/brightbox/config_spec.rb
 - spec/fog/brightbox/link_helper_spec.rb