v0.3.4 Update

Added a custom issuer setting
Updated README

Author: cvogt729

README.md

@@ -27,6 +27,7 @@ Users can be added to a restriction bypass whitelist which makes them behave as
 
 | Setting | Default | Description |
 | - | - | - |
+| ***Issuer*** | `WebCTRL` | This field will be displayed in your authenticator app after scanning QR codes. It is intended to uniquely identify this server. A length limit of 40 characters is enforced. |
 | ***Enforce MFA*** | `false` | When MFA is enforced, all non-whitelisted users will be forced to configure MFA when they login. |
 | ***Allow Service Logins*** | `true` | When unchecked, non-whitelisted users with MFA enabled will be unable to login to WebCTRL services such as SOAP and TELNET (these services are incompatible with MFA). |
 | ***Bypass MFA on Email Server Failure*** | `true` | When WebCTRL fails to connect to its email server, MFA security codes cannot be sent. This option permits MFA to be bypassed in such a case. Otherwise, non-whitelisted users with MFA enabled will not be able to login. |

images/main_page.png

@@ -1,7 +1,7 @@
 <extension version="1">
   <name>MFA</name>
   <description>Provides MFA for WebCTRL logins through an authenticator app or emailed security codes.</description>
-  <version>0.3.3</version>
+  <version>0.3.4</version>
   <vendor>Automatic Controls Equipment Systems, Inc.</vendor>
   <web-operator-provider>aces.webctrl.mfa.core.MFAProvider</web-operator-provider>
   <system-menu-provider>aces.webctrl.mfa.web.SystemMenuEditor</system-menu-provider>

root/info.xml

@@ -83,6 +83,10 @@ public class Config {
    * Specifies the next time to load the serverURL.
    */
   private volatile static long nextURLCheck = 0;
+  /**
+   * Specifies the name of the issuer for the TOTP tokens.
+   */
+  public volatile static String issuerName = "WebCTRL";
   /**
    * Sets the path to the saved data file and attempts to load any available data.
    */
@@ -796,8 +800,11 @@ public static boolean loadData(){
           whitelistLock.writeLock().unlock();
         }
         if (!s.end()){
-          Initializer.log("Data file corrupted.");
-          return false;
+          issuerName = s.readString();
+          if (!s.end()){
+            Initializer.log("Data file corrupted.");
+            return false;
+          }
         }
       }
       if (Files.exists(cookieFile)){
@@ -881,6 +888,7 @@ public static boolean saveData(){
       }finally{
         whitelistLock.readLock().unlock();
       }
+      s.write(issuerName);
       ByteBuffer buf = s.getBuffer();
       synchronized(Config.class){
         try(

src/aces/webctrl/mfa/core/Config.java

@@ -6,6 +6,9 @@
 import java.nio.file.*;
 import java.util.*;
 import java.net.URISyntaxException;
+// # TODO
+// - Implement **Bypass MFA on Upstream Server Failure** option that is enabled by default
+//   - Maybe implement cache so that only api users are blocked when the api server is inaccessible
 /**
  * This class contains most of the life-cycle management logic for this add-on.
  */

src/aces/webctrl/mfa/core/Initializer.java

@@ -76,7 +76,7 @@ public static String createOTP(String user) throws URISyntaxException {
       builder.withAlgorithm(HMACAlgorithm.SHA1);//deprecated, but Google Authenticator does not support any stronger algorithms
     })
     .withPeriod(java.time.Duration.ofSeconds(30))
-    .build().getURI("WebCTRL", user).toString();
+    .build().getURI(Config.issuerName, user).toString();
   }
   /**
    * @return a hex string representation of the given bytes.

src/aces/webctrl/mfa/core/Utility.java

@@ -74,6 +74,10 @@
           const cookiesEnabled = cookiesEnabledCheckbox.checked;
           const trustProxyHeaders = trustProxyHeadersCheckbox.checked;
           const apiEnabled = apiEnabledCheckbox.checked;
+          const _issuer = issuerField.value?.trim() || "WebCTRL";
+          const issuer = _issuer.length>40?_issuer.substring(0,40):_issuer;
+          issuerField.value = issuer;
+          resize(issuerField);
           const _mappings = [];
           for (const e of document.getElementById("mappingBody").getElementsByTagName("TR")){
             if (e.mfa_operator && e.mfa_email){
@@ -116,6 +120,7 @@
             "&cookiesEnabled="+encodeURIComponent(cookiesEnabled)+
             "&trustProxyHeaders="+encodeURIComponent(trustProxyHeaders)+
             "&apiEnabled="+encodeURIComponent(apiEnabled)+
+            "&issuer="+encodeURIComponent(issuer)+
             "&mappings="+encodeURIComponent(mappings)+
             "&whitelist="+encodeURIComponent(whitelist)
           );
@@ -268,6 +273,8 @@
         cookiesEnabledCheckbox.checked = data["cookiesEnabled"];
         trustProxyHeadersCheckbox.checked = data["trustProxyHeaders"];
         apiEnabledCheckbox.checked = data["apiEnabled"];
+        issuerField.value = data["issuer"];
+        resize(issuerField);
         const mappingBody = document.getElementById("mappingBody");
         while (mappingBody.children.length>1){
           mappingBody.removeChild(mappingBody.firstElementChild);
@@ -487,7 +494,11 @@ <h1 id="mainTitle">Configure MFA</h1>
           </div>
         </div>
         <div class="column">
-          <div style="text-align:left">
+          <div style="text-align:left;margin-left:2em">
+            <div class="divGrouping" title="This field will be displayed in your authenticator app after scanning QR codes. It is intended to uniquely identify this server.">
+              <label for="issuerField">Issuer:</label>
+              <input class="c" type="text" id="issuerField" spellcheck="false" oninput="resize(this);registerChange()">
+            </div>
             <div class="divGrouping2" title="Specifies whether to force all users to use MFA.">
               <input type="checkbox" id="enforceMFACheckbox" oninput="registerChange()" style="width:1.3em;height:1.3em;vertical-align:middle">
               <label for="enforceMFACheckbox" style="vertical-align:middle">Enforce MFA</label>
@@ -555,6 +566,7 @@ <h1 id="mainTitle">Configure MFA</h1>
       resize(usernameField);
       resize(usernameField2);
       resize(emailField);
+      resize(issuerField);
       usernameField.addEventListener("keypress", function (e){
         if (e.key==="Enter"){
           e.preventDefault();

src/aces/webctrl/mfa/resources/MainPage.html

@@ -43,7 +43,8 @@ public class MainPage extends ServletBase {
         final String cookiesEnabled = req.getParameter("cookiesEnabled");
         final String mappings = req.getParameter("mappings");
         final String whitelist = req.getParameter("whitelist");
-        if (enforceMFA==null || allowServiceLogins==null || bypassOnEmailFailure==null || mappings==null || whitelist==null || emailEnabled==null || apiEnabled==null || trustProxyHeaders==null || cookiesEnabled==null){
+        final String issuer = req.getParameter("issuer");
+        if (enforceMFA==null || allowServiceLogins==null || bypassOnEmailFailure==null || mappings==null || whitelist==null || emailEnabled==null || apiEnabled==null || trustProxyHeaders==null || cookiesEnabled==null || issuer==null){
           res.setStatus(400);
           return;
         }
@@ -54,6 +55,7 @@ public class MainPage extends ServletBase {
         boolean _apiEnabled;
         boolean _trustProxyHeaders;
         boolean _cookiesEnabled;
+        String _issuer;
         ArrayList<String> _mappings;
         ArrayList<String> _whitelist;
         try{
@@ -66,6 +68,11 @@ public class MainPage extends ServletBase {
           _cookiesEnabled = Boolean.parseBoolean(cookiesEnabled);
           _mappings = Utility.decodeList(mappings);
           _whitelist = Utility.decodeList(whitelist);
+          _issuer = issuer.trim();
+          _issuer = _issuer.isEmpty()?"WebCTRL":_issuer;
+          if (_issuer.length()>40){
+            _issuer = _issuer.substring(0,40);
+          }
         }catch(Throwable t){
           Initializer.log(t);
           res.setStatus(400);
@@ -91,6 +98,7 @@ public class MainPage extends ServletBase {
         Config.apiEnabled = _apiEnabled;
         Config.trustProxyHeaders = _trustProxyHeaders;
         Config.cookiesEnabled = _cookiesEnabled;
+        Config.issuerName = _issuer;
         Config.setWhitelist(_whitelist);
         Config.checkCookies(map.keySet());
         Config.setEmails(map);
@@ -100,14 +108,15 @@ public class MainPage extends ServletBase {
       case "load":{
         final StringBuilder sb = new StringBuilder(1024);
         sb.append(Utility.format(
-          "{\"enforceMFA\":$0,\"allowServiceLogins\":$1,\"bypassOnEmailFailure\":$2,\"emailEnabled\":$3,\"apiEnabled\":$4,\"trustProxyHeaders\":$5,\"cookiesEnabled\":$6,",
+          "{\"enforceMFA\":$0,\"allowServiceLogins\":$1,\"bypassOnEmailFailure\":$2,\"emailEnabled\":$3,\"apiEnabled\":$4,\"trustProxyHeaders\":$5,\"cookiesEnabled\":$6,\"issuer\":\"$7\",",
           Config.enforceMFA,
           Config.allowServiceLogins,
           Config.bypassOnEmailFailure,
           Config.emailEnabled,
           Config.apiEnabled,
           Config.trustProxyHeaders,
-          Config.cookiesEnabled
+          Config.cookiesEnabled,
+          Utility.escapeJSON(Config.issuerName)
         ));
         sb.append("\"mappings\":");
         Config.printEmails(sb);