From fc224038a3352682a4bd37f8aaf9aa6bdb2174cd Mon Sep 17 00:00:00 2001
From: Aitzol
Date: Fri, 17 Nov 2023 13:17:16 +0100
Subject: [PATCH] 2fa-0.6
---
 _2fa.tpl | 2 +-
 app.py | 39 +++++++++++++++++++++++++++++++--------
 2 files changed, 32 insertions(+), 9 deletions(-)
diff --git a/_2fa.tpl b/_2fa.tpl
index 050962d..7cbd698 100644
--- a/_2fa.tpl
+++ b/_2fa.tpl
@@ -17,7 +17,7 @@ % if data['secureAuth'] == True: -
+
diff --git a/app.py b/app.py
index 9633a50..5f936f1 100644
--- a/app.py
+++ b/app.py
@@ -24,7 +24,7 @@ from bottle import SimpleTemplate
 from bottle.ext import beaker
 from configparser import ConfigParser
 from ldap3 import Server, Connection, ALL
-from ldap3 import SIMPLE, SUBTREE, MODIFY_REPLACE, MODIFY_ADD, ALL_ATTRIBUTES
+from ldap3 import SIMPLE, SUBTREE, MODIFY_REPLACE, MODIFY_ADD, MODIFY_DELETE, ALL_ATTRIBUTES
 from ldap3.core.exceptions import LDAPBindError, LDAPConstraintViolationResult, \
 LDAPInvalidCredentialsResult, LDAPUserNameIsMandatoryError, \
 LDAPSocketOpenError, LDAPExceptionError, LDAPAttributeOrValueExistsResult
@@ -278,7 +278,22 @@ def post_edit_email():
 def post_enable_2fa():
 try:
 username=newSession().get()['username']
- add_auth_attribute_step1(username, tools.generate_secret())
+ add_auth_attribute_step1(username, tools.generate_secret(), action='enable')
+ '''
+ add attribute authCode
+ set session data
+ '''
+ except Error as e:
+ LOG.warning("akatsa")
+ return error(str(e))
+
+ return _2fa_tpl(data=newSession().get(), str=i18n.str)
+
+@post('/disable_2fa')
+def post_disable_2fa():
+ try:
+ username=newSession().get()['username']
+ add_auth_attribute_step1(username, tools.generate_secret(), action='disable')
 '''
 add attribute authCode
 set session data
@@ -677,7 +692,7 @@ def update_email_address(conf, username, old_email, new_email):
 newSession().set(get_user_data(user_dn, c))
 # ADD AUTHCODE ATTRIBUTE - 2FA
-def add_auth_attribute_step1(username, code):
+def add_auth_attribute_step1(username, code, action):
 changed = []
 for key in (key for key in CONF.sections()
@@ -685,7 +700,7 @@ def add_auth_attribute_step1(username, code):
 LOG.debug("Adding secureAuth attribute %s to %s" % (key, username))
 try:
- add_auth_attribute_step2(CONF[key], username, code)
+ add_auth_attribute_step2(CONF[key], username, code, action)
 changed.append(key)
 LOG.debug("%s changed email address on %s" % (username, key))
 except Error as e: 
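Review bot: post_disable_2fa switches the second factor off on the strength of the session alone — `username=newSession().get()['username']` is the only input to `add_auth_attribute_step1(username, tools.generate_secret(), action='disable')` — so anyone holding a live session can remove 2FA without presenting the current code or the password; a confirmation of the existing factor before that call is the usual control, and the disable route deserves an audit log line the way step1 logs the enable. The secret minted by `tools.generate_secret()` on the disable path is never stored (step3 only uses `code` under `action == 'enable'`; step2 is outside this hunk, so that is inferred from its `*args` pass-through), so passing `None` there would make the intent explicit. The placeholder `LOG.warning("akatsa")` in post_enable_2fa's new except branch should record the failure, e.g. `LOG.warning("enable_2fa failed: %s", e)` (note `username` may be unbound in that branch if the session lookup itself raised). post_disable_2fa's body continues past the end of the hunk.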
@@ -717,15 +732,20 @@ def add_auth_attribute_step2(conf, *args):
 LOG.error('{}: {!s}'.format(e.__class__.__name__, e))
 raise Error(i18n.msg[23])
-def add_auth_attribute_step3(conf, username, code):
+def add_auth_attribute_step3(conf, username, code, action):
 #set current LDAP
 superUser = SuperUsers(conf)
+ print(action)
 with connect_ldap(conf, user=superUser.admin_dn, password=superUser.admin_pwd) as c:
 user_dn = find_user_dn(conf, c, username)
- OBJECT_CLASS = ['top', 'inetOrgPerson', 'posixAccount', 'accountsManagement']
- c.add(dn=user_dn,object_class=OBJECT_CLASS, attributes={'authCode': code})
+ if(action == 'enable'):
+ c.modify(user_dn,{'authCode': [(MODIFY_ADD, [code])]})
+ c.modify(user_dn,{'secureAuth': [MODIFY_REPLACE, [True]]})
+ elif(action == 'disable'):
+ c.modify(user_dn,{'authCode': [(MODIFY_DELETE, [])]})
+ c.modify(user_dn,{'secureAuth': [MODIFY_REPLACE, [False]]})
 newSession().set(get_user_data(user_dn, c))
 #CHANGE PASSWORD
@@ -1011,7 +1031,10 @@ def newSession():
 self.ip = data[7]
 self.lastLogin = data[8]
 self.secureAuth = data[9]
- self.authCode = None
+ try:
+ self.authCode = data[10]
+ except:
+ self.authCode = None
 self.data['active'] = self.active
 self.data['fakeCn'] = self.fakeCn
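Review bot: The new `except:` around `self.authCode = data[10]` is a bare except that swallows every exception, not only the short-tuple case it is written for, so any other error while reading `data` is masked as "no authCode"; narrow it to `except IndexError:`. The same intent reads more plainly without a try at all as `self.authCode = data[10] if len(data) > 10 else None`. One blank context line of this hunk appears lost in the collapsed layout, so its exact end is uncertain, and the enclosing class body continues outside the hunk.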