MFA dialog update

sns iam policy fix
VAuthenticator · Sep 1, 2024 · 8c6e6d3 · 8c6e6d3
1 parent dc388a2
commit 8c6e6d3
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 32 deletions.
diff --git a/iac/terraform/policy/sns.tf b/iac/terraform/policy/sns.tf
@@ -11,4 +11,9 @@ data "aws_iam_policy_document" "vauthenticator_sns_send_sms_policy" {
 
     not_resources = ["arn:aws:sns:*:*:*"]
   }
+}
+
+resource "aws_iam_user_policy" "vauthenticator_sns_send_sms_iam_policy" {
+  policy = data.aws_iam_policy_document.vauthenticator_sns_send_sms_policy.json
+  user   = data.aws_iam_user.vauthenticator.arn
 }
diff --git a/local-environment/request.http b/local-environment/request.http
@@ -79,12 +79,23 @@ Authorization: Bearer xxxx
   "mfaChannel" : "[email protected]"
 }
 
+### enroll new phone
+
+POST {{host}}/api/mfa/enrollment
+Content-Type: application/json
+Authorization: Bearer eyJraWQiOiJmZDEyMjI5Yi1hNGU4LTQzN2EtYTQzZi0yNWZlNzhmYjJmYzAiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyQGVtYWlsLmNvbSIsImF1ZCI6InVzZXItaW50cm9zcGVjdGlvbiIsIm5iZiI6MTcyNTIyMzQ5MywidXNlcl9uYW1lIjoidXNlckBlbWFpbC5jb20iLCJzY29wZSI6WyJtZmE6ZW5yb2xsbWVudCIsIm9wZW5pZCIsImVtYWlsIiwicHJvZmlsZSJdLCJpc3MiOiJodHRwOi8vbG9jYWwuYXBpLnZhdXRoZW50aWNhdG9yLmNvbTo5MDkwIiwiZXhwIjoxNzI1MjIzODUzLCJpYXQiOjE3MjUyMjM0OTMsImp0aSI6ImQ3OTY0NmFhLWYwZTktNDRjNS1iNTMyLTMzYzI4M2RjMGEzNyIsImF1dGhvcml0aWVzIjpbIlJPTEVfVVNFUiIsIlZBVVRIRU5USUNBVE9SX0FETUlOIl19.Zs1XgFPQn5LbMGQSjSSaT6bJqGUE4VK-Kac-aa4pF6zzYD3f-8zsNIHebzsyLMg1zoPOYUpEZuJu1d4eWX3IoOQy-_KTM6JouQCQEotj4qWakBqeJiRqsurOOjTnCGlkSbpNNwn7Put8YhXkaa8fnMCJKGUtDyP4JJkhzGTBZOr0uHIEXFoexhcs1xQEzJI_e0NpT_OCOfMc_dyrw278an9TbjsShg3EA3g_jXX1_Z5NdrnkGw_I-rW3T65Dtosl8oRu5eHLpSMw_7aN_BRt2j8EPcvCS_Ds7mgcPUSxJYLz8I81bmoMI14VUbLmApxQ7-_yrjmyK3EY3JwgVYmjtA
+
+{
+  "mfaMethod": "SMS_MFA_METHOD",
+  "mfaChannel" : "+39 233 2323233"
+}
+
 
 ### associate new email
 
 POST {{host}}/api/mfa/associate
 Content-Type: application/json
-Authorization: Bearer xxx
+Authorization: Bearer eyJraWQiOiJmZDEyMjI5Yi1hNGU4LTQzN2EtYTQzZi0yNWZlNzhmYjJmYzAiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyQGVtYWlsLmNvbSIsImF1ZCI6InVzZXItaW50cm9zcGVjdGlvbiIsIm5iZiI6MTcyNTIyMzQ5MywidXNlcl9uYW1lIjoidXNlckBlbWFpbC5jb20iLCJzY29wZSI6WyJtZmE6ZW5yb2xsbWVudCIsIm9wZW5pZCIsImVtYWlsIiwicHJvZmlsZSJdLCJpc3MiOiJodHRwOi8vbG9jYWwuYXBpLnZhdXRoZW50aWNhdG9yLmNvbTo5MDkwIiwiZXhwIjoxNzI1MjIzODUzLCJpYXQiOjE3MjUyMjM0OTMsImp0aSI6ImQ3OTY0NmFhLWYwZTktNDRjNS1iNTMyLTMzYzI4M2RjMGEzNyIsImF1dGhvcml0aWVzIjpbIlJPTEVfVVNFUiIsIlZBVVRIRU5USUNBVE9SX0FETUlOIl19.Zs1XgFPQn5LbMGQSjSSaT6bJqGUE4VK-Kac-aa4pF6zzYD3f-8zsNIHebzsyLMg1zoPOYUpEZuJu1d4eWX3IoOQy-_KTM6JouQCQEotj4qWakBqeJiRqsurOOjTnCGlkSbpNNwn7Put8YhXkaa8fnMCJKGUtDyP4JJkhzGTBZOr0uHIEXFoexhcs1xQEzJI_e0NpT_OCOfMc_dyrw278an9TbjsShg3EA3g_jXX1_Z5NdrnkGw_I-rW3T65Dtosl8oRu5eHLpSMw_7aN_BRt2j8EPcvCS_Ds7mgcPUSxJYLz8I81bmoMI14VUbLmApxQ7-_yrjmyK3EY3JwgVYmjtA
 
 {
   "ticket": "xxxx",

diff --git a/src/main/frontend/app/mfa/MfaChallengePage.tsx b/src/main/frontend/app/mfa/MfaChallengePage.tsx
@@ -1,12 +1,11 @@
 import React, {useEffect, useState} from "react";
 import ErrorBanner from "../component/ErrorBanner";
 import {getMfaMethods, MfaAccountEnrolledMethod, sendMfaCode} from "./MfaRepository";
-import EmailIcon from "@mui/icons-material/Email";
 import {Box, Button, Divider, Grid, ThemeProvider, Typography} from "@mui/material";
 import theme from "../component/styles";
 import Modal from "../component/Modal";
 import Template from "../component/Template";
-import {CheckCircle, Person, VpnKey} from "@mui/icons-material";
+import {Call, CheckCircle, Email, Person, VpnKey} from "@mui/icons-material";
 import FormInputTextField from "../component/FormInputTextField";
 import Separator from "../component/Separator";
 import FormButton from "../component/FormButton";
@@ -60,7 +59,14 @@ const MfaChallengePage: React.FC<MfaChallengePageProps> = ({
                 type="button"
                 style={{textTransform: "none", color: "black"}}
                 onClick={() => setDefaultMfaDevice(mfaMethod.mfaDeviceId)}>
-                <EmailIcon/> EMail: {mfaMethod.mfaChannel} {mfaIconCheckIconFor(mfaMethod)}
+                <Email/> EMail: {mfaMethod.mfaChannel} {mfaIconCheckIconFor(mfaMethod)}
+            </Button>
+        } else if ("SMS_MFA_METHOD" === mfaMethod.mfaMethod) {
+            icon = <Button
+                type="button"
+                style={{textTransform: "none", color: "black"}}
+                onClick={() => setDefaultMfaDevice(mfaMethod.mfaDeviceId)}>
+                <Call/> Phone: {mfaMethod.mfaChannel} {mfaIconCheckIconFor(mfaMethod)}
             </Button>
         }
         return icon

diff --git a/src/main/kotlin/com/vauthenticator/server/mfa/MfaConfig.kt b/src/main/kotlin/com/vauthenticator/server/mfa/MfaConfig.kt
@@ -6,10 +6,8 @@ import com.vauthenticator.server.account.repository.AccountRepository
 import com.vauthenticator.server.communication.NoReplyEMailConfiguration
 import com.vauthenticator.server.communication.adapter.JinJavaTemplateResolver
 import com.vauthenticator.server.communication.adapter.email.JavaEMailSenderService
-import com.vauthenticator.server.communication.domain.EMailSenderService
-import com.vauthenticator.server.communication.domain.EMailType
-import com.vauthenticator.server.communication.domain.SimpleEMailMessageFactory
-import com.vauthenticator.server.communication.domain.SmsSenderService
+import com.vauthenticator.server.communication.adapter.sms.SnsSmsSenderService
+import com.vauthenticator.server.communication.domain.*
 import com.vauthenticator.server.keys.KeyDecrypter
 import com.vauthenticator.server.keys.KeyRepository
 import com.vauthenticator.server.keys.MasterKid
@@ -24,6 +22,7 @@ import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.mail.javamail.JavaMailSender
 import software.amazon.awssdk.services.dynamodb.DynamoDbClient
+import software.amazon.awssdk.services.sns.SnsClient
 import java.util.*
 
 @Configuration(proxyBeanMethods = false)
@@ -63,7 +62,13 @@ class MfaConfig {
         accountRepository: AccountRepository,
         mfaAccountMethodsRepository: MfaAccountMethodsRepository,
         sensitiveEmailMasker: SensitiveEmailMasker
-    ) = MfaMethodsEnrollment(accountRepository, ticketCreator, mfaSender, mfaAccountMethodsRepository, sensitiveEmailMasker)
+    ) = MfaMethodsEnrollment(
+        accountRepository,
+        ticketCreator,
+        mfaSender,
+        mfaAccountMethodsRepository,
+        sensitiveEmailMasker
+    )
 
     @Bean
     fun otpMfa(
@@ -94,6 +99,11 @@ class MfaConfig {
         mfaAccountMethodsRepository: MfaAccountMethodsRepository,
     ) = OtpMfaVerifier(accountRepository, otpMfa, mfaAccountMethodsRepository)
 
+    @Bean
+    fun mfaSmsSender(
+        snsClient: SnsClient
+    ) = SnsSmsSenderService(snsClient, SimpleSmsMessageFactory())
+
     @Bean
     fun mfaMailSender(
         javaMailSender: JavaMailSender,

diff --git a/src/test/kotlin/com/vauthenticator/server/mfa/domain/EmailMfaChallengeSenderTest.kt b/src/test/kotlin/com/vauthenticator/server/mfa/domain/EmailMfaChallengeSenderTest.kt
@@ -65,26 +65,7 @@ class MfaChallengeSenderTest {
         mfaMethod: MfaMethod,
         testAccount: Account
     ) {
-        every { mfaAccountMethodsRepository.findBy(mfaDeviceId) } returns associatedMfaAccountMethod(
-            userName,
-            mfaChannel,
-            mfaMethod
-        )
-        every { accountRepository.accountFor(userName) } returns Optional.of(testAccount)
-        every { otp.generateSecretKeyFor(testAccount, mfaMethod, mfaChannel) } returns mfaSecret
-        every { otp.getTOTPCode(mfaSecret) } returns challenge
-        every {
-            smsSenderService.sendFor(
-                testAccount,
-                mapOf("phone" to mfaChannel, "mfaCode" to challenge.content())
-            )
-        } just runs
-        every {
-            emailSenderService.sendFor(
-                testAccount,
-                mapOf("email" to mfaChannel, "mfaCode" to challenge.content())
-            )
-        } just runs
+        testSetup(mfaChannel, mfaMethod, testAccount)
 
         uut.sendMfaChallengeFor(userName, mfaDeviceId)
     }
@@ -97,6 +78,16 @@ class MfaChallengeSenderTest {
         testAccount: Account
     ) {
         every { mfaAccountMethodsRepository.getDefaultDevice(userName) } returns Optional.of(mfaDeviceId)
+        testSetup(mfaChannel, mfaMethod, testAccount)
+
+        uut.sendMfaChallengeFor(userName)
+    }
+
+    private fun testSetup(
+        mfaChannel: String,
+        mfaMethod: MfaMethod,
+        testAccount: Account
+    ) {
         every { mfaAccountMethodsRepository.findBy(mfaDeviceId) } returns associatedMfaAccountMethod(
             userName,
             mfaChannel,
@@ -118,9 +109,6 @@ class MfaChallengeSenderTest {
                 mapOf("email" to mfaChannel, "mfaCode" to challenge.content())
             )
         } just runs
-
-
-        uut.sendMfaChallengeFor(userName)
     }
 
     companion object {