Feature/2fa (#277)

* impl

* tests

* Changelog and user guides

* style

* rm unneeded error handling

* unused import

* rm comma

* default totp=None on validate_connection

* rm comma

* use example.com

Author: timabrmsn

CHANGELOG.md

@@ -21,6 +21,8 @@ how a consumer would use the library (e.g. adding unit tests, updating documenta
 
 ### Added
 
+- Support for users that require multi-factor authentication.
+
 - New command `code42 alerts show` that displays information about a single alert.
 
 - New command `code42 alerts update` that can update an alert's state or note.

docs/userguides/gettingstarted.md

@@ -72,10 +72,16 @@ python3 -m pip install code42cli --upgrade
 .. important:: The Code42 CLI currently only supports token-based authentication.
 ```
 
-Create a user in Code42 to authenticate (basic authentication) and access data via the CLI. The CLI returns data based on the roles assigned to this user. To ensure that the user's rights are not too permissive, create a user with the lowest level of privilege necessary. See our [Role assignment use cases](https://support.code42.com/Administrator/Cloud/Monitoring_and_managing/Role_assignment_use_cases) for information on recommended roles. We recommend you test to confirm that the user can access the right data.
+Create a user in Code42 to authenticate (basic authentication) and access data via the CLI. The CLI returns data based
+on the roles assigned to this user. To ensure that the user's rights are not too permissive, create a user with the lowest
+level of privilege necessary. See our [Role assignment use cases](https://support.code42.com/Administrator/Cloud/Monitoring_and_managing/Role_assignment_use_cases)
+for information on recommended roles. We recommend you test to confirm that the user can access the right data.
 
 If you choose not to store your password in the CLI, you must enter it for each command that requires a connection.
 
+The Code42 CLI supports local accounts with MFA (multi-factor authentication) enabled. The Time-based One-Time
+Password (TOTP) must be provided at every invocation of the CLI, either via the `--totp` option or when prompted.
+
 The Code42 CLI currently does **not** support SSO login providers or any other identity providers such as Active
 Directory or Okta.
 

docs/userguides/profile.md

@@ -33,3 +33,9 @@ To see all your profiles, do:
 ```bash
 code42 profile list
 ```
+
+## Profiles with Multi-Factor Authentication
+
+If your Code42 user account requires multi-factor authentication, the token is not required to create your profile but
+will be required for any subsequent CLI commands. The MFA token can either be passed in with the `--totp` option, or if
+not passed you will be prompted to enter it before the command executes.

src/code42cli/cmds/profile.py

@@ -3,6 +3,7 @@
 import click
 from click import echo
 from click import secho
+from py42.exceptions import Py42MFARequiredError
 
 import code42cli.profile as cliprofile
 from code42cli.errors import Code42CLIError
@@ -193,6 +194,10 @@ def _set_pw(profile_name, password):
     c42profile = cliprofile.get_profile(profile_name)
     try:
         validate_connection(c42profile.authority_url, c42profile.username, password)
+    except Py42MFARequiredError:
+        echo(
+            "Multi-factor account detected. `--totp <token>` option will be required for all code42 invocations."
+        )
     except Exception:
         secho("Password not stored!", bold=True)
         raise

src/code42cli/options.py

@@ -41,6 +41,7 @@ def __init__(self):
             self._profile = get_profile()
         except Code42CLIError:
             self._profile = None
+        self.totp = None
         self.debug = False
         self._sdk = None
         self.search_filters = []
@@ -59,7 +60,7 @@ def profile(self, value):
     @property
     def sdk(self):
         if self._sdk is None:
-            self._sdk = create_sdk(self.profile, self.debug)
+            self._sdk = create_sdk(self.profile, self.debug, self.totp)
         return self._sdk
 
     def set_assume_yes(self, param):
@@ -81,6 +82,12 @@ def set_debug(ctx, param, value):
         ctx.ensure_object(CLIState).debug = value
 
 
+def set_totp(ctx, param, value):
+    """Sets TOTP token on global state object for multi-factor authentication."""
+    if value:
+        ctx.ensure_object(CLIState).totp = value
+
+
 def profile_option(hidden=False):
     opt = click.option(
         "--profile",
@@ -105,12 +112,24 @@ def debug_option(hidden=False):
     return opt
 
 
+def totp_option(hidden=False):
+    opt = click.option(
+        "--totp",
+        expose_value=False,
+        callback=set_totp,
+        hidden=hidden,
+        help="TOTP token for multi-factor authentication.",
+    )
+    return opt
+
+
 pass_state = click.make_pass_decorator(CLIState, ensure=True)
 
 
 def sdk_options(hidden=False):
     def decorator(f):
         f = profile_option(hidden)(f)
+        f = totp_option(hidden)(f)
         f = debug_option(hidden)(f)
         f = pass_state(f)
         return f

src/code42cli/sdk_client.py

@@ -2,7 +2,9 @@
 import py42.settings
 import py42.settings.debug as debug
 import requests
+from click import prompt
 from click import secho
+from py42.exceptions import Py42MFARequiredError
 from py42.exceptions import Py42UnauthorizedError
 from requests.exceptions import ConnectionError
 
@@ -15,7 +17,7 @@
 logger = get_main_cli_logger()
 
 
-def create_sdk(profile, is_debug_mode):
+def create_sdk(profile, is_debug_mode, totp=None):
     if is_debug_mode:
         py42.settings.debug.level = debug.DEBUG
     if profile.ignore_ssl_errors == "True":
@@ -30,18 +32,24 @@ def create_sdk(profile, is_debug_mode):
         )
         py42.settings.verify_ssl_certs = False
     password = profile.get_password()
-    return validate_connection(profile.authority_url, profile.username, password)
+    return validate_connection(profile.authority_url, profile.username, password, totp)
 
 
-def validate_connection(authority_url, username, password):
+def validate_connection(authority_url, username, password, totp=None):
     try:
-        return py42.sdk.from_local_account(authority_url, username, password)
+        return py42.sdk.from_local_account(authority_url, username, password, totp=totp)
     except ConnectionError as err:
         logger.log_error(str(err))
-        raise LoggedCLIError("Problem connecting to {}".format(authority_url))
+        raise LoggedCLIError(f"Problem connecting to {authority_url}.")
+    except Py42MFARequiredError:
+        totp = prompt("Multi-factor authentication required. Enter TOTP", type=int)
+        return validate_connection(authority_url, username, password, totp)
     except Py42UnauthorizedError as err:
         logger.log_error(str(err))
-        raise Code42CLIError("Invalid credentials for user {}".format(username))
+        if "INVALID_TIME_BASED_ONE_TIME_PASSWORD" in err.response.text:
+            raise Code42CLIError(f"Invalid TOTP token for user {username}.")
+        else:
+            raise Code42CLIError(f"Invalid credentials for user {username}.")
     except Exception as err:
         logger.log_error(str(err))
         raise LoggedCLIError("Unknown problem validating connection.")

tests/cmds/test_profile.py

@@ -1,4 +1,7 @@
 import pytest
+from py42.exceptions import Py42MFARequiredError
+from requests import Response
+from requests.exceptions import HTTPError
 
 from ..conftest import create_mock_profile
 from code42cli import PRODUCT_NAME
@@ -208,6 +211,29 @@ def test_create_profile_with_password_option_if_credentials_valid_password_saved
     assert "Would you like to set a password?" not in result.output
 
 
+def test_create_profile_stores_password_and_prints_message_when_user_requires_mfa(
+    runner, mocker, mock_verify, mock_cliprofile_namespace
+):
+    mock_verify.side_effect = Py42MFARequiredError(HTTPError(response=Response()))
+    result = runner.invoke(
+        cli,
+        [
+            "profile",
+            "create",
+            "-n",
+            "mfa",
+            "-s",
+            "bar",
+            "-u",
+            "baz",
+            "--password",
+            "pass",
+        ],
+    )
+    assert "Multi-factor account detected." in result.output
+    mock_cliprofile_namespace.set_password.assert_called_once_with("pass", mocker.ANY)
+
+
 def test_create_profile_outputs_confirmation(
     runner, user_agreement, valid_connection, mock_cliprofile_namespace
 ):

tests/test_sdk_client.py

@@ -1,14 +1,20 @@
+from io import StringIO
+
 import py42.sdk
 import py42.settings.debug as debug
 import pytest
+from py42.exceptions import Py42MFARequiredError
 from py42.exceptions import Py42UnauthorizedError
 from requests import Response
 from requests.exceptions import ConnectionError
+from requests.exceptions import HTTPError
 from requests.exceptions import RequestException
 
 from .conftest import create_mock_profile
 from code42cli.errors import Code42CLIError
 from code42cli.errors import LoggedCLIError
+from code42cli.main import cli
+from code42cli.options import CLIState
 from code42cli.sdk_client import create_sdk
 from code42cli.sdk_client import validate_connection
 
@@ -114,5 +120,46 @@ def mock_get_password():
 
 
 def test_validate_connection_uses_given_credentials(mock_sdk_factory):
-    assert validate_connection("Authority", "Test", "Password")
-    mock_sdk_factory.assert_called_once_with("Authority", "Test", "Password")
+    assert validate_connection("Authority", "Test", "Password", None)
+    mock_sdk_factory.assert_called_once_with("Authority", "Test", "Password", totp=None)
+
+
+def test_validate_connection_when_mfa_required_exception_raised_prompts_for_totp(
+    mocker, monkeypatch, mock_sdk_factory, capsys
+):
+    monkeypatch.setattr("sys.stdin", StringIO("101010"))
+    response = mocker.MagicMock(spec=Response)
+    mock_sdk_factory.side_effect = [
+        Py42MFARequiredError(HTTPError(response=response)),
+        None,
+    ]
+    validate_connection("Authority", "Test", "Password", None)
+    output = capsys.readouterr()
+    assert "Multi-factor authentication required. Enter TOTP:" in output.out
+
+
+def test_validate_connection_when_mfa_token_invalid_raises_expected_cli_error(
+    mocker, mock_sdk_factory
+):
+    response = mocker.MagicMock(spec=Response)
+    response.text = '{"data":null,"error":[{"primaryErrorKey":"INVALID_TIME_BASED_ONE_TIME_PASSWORD","otherErrors":null}],"warnings":null}'
+    mock_sdk_factory.side_effect = Py42UnauthorizedError(HTTPError(response=response))
+    with pytest.raises(Code42CLIError) as err:
+        validate_connection("Authority", "Test", "Password", "1234")
+    assert str(err.value) == "Invalid TOTP token for user Test."
+
+
+def test_totp_option_when_passed_is_passed_to_sdk_initialization(
+    mocker, profile, runner
+):
+    mock_py42 = mocker.patch("code42cli.sdk_client.py42.sdk.from_local_account")
+    cli_state = CLIState()
+    totp = "1234"
+    profile.authority_url = "example.com"
+    profile.username = "user"
+    profile.get_password.return_value = "password"
+    cli_state._profile = profile
+    runner.invoke(cli, ["users", "list", "--totp", totp], obj=cli_state)
+    mock_py42.assert_called_once_with(
+        profile.authority_url, profile.username, "password", totp=totp
+    )