Branch: refs/heads/master
Home:
https://github.com/tribe29/checkmk
Commit: 7552ee4fa2f1b2ec4d1c40f54e7a84a9187733ca
https://github.com/tribe29/checkmk/commit/7552ee4fa2f1b2ec4d1c40f54e7a84a91…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2022-01-11 (Tue, 11 Jan 2022)
Changed paths:
M cmk/gui/notifications.py
M cmk/gui/wato/pages/notifications.py
A cmk/gui/wato/pages/user_profile/__init__.py
A cmk/gui/wato/pages/user_profile/async_replication.py
A cmk/gui/wato/pages/user_profile/page_menu.py
R cmk/gui/wato/user_profile.py
Log Message:
-----------
Move user_profile and split into package
The correct location for pages is below cmk/gui/wato/pages.
And since there is also functionality needed by other pages,
we separate these parts into dedicated modules. A little
more spearation will follow.
Change-Id: I6572c0d8b99a828bf4eb9a2383ab3194e1a200cb
Commit: a5cc338d1728067315364e51da35c7cab54c523b
https://github.com/tribe29/checkmk/commit/a5cc338d1728067315364e51da35c7cab…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2022-01-11 (Tue, 11 Jan 2022)
Changed paths:
M cmk/gui/wato/pages/user_profile/__init__.py
A cmk/gui/wato/pages/user_profile/abstract_page.py
A cmk/gui/wato/pages/user_profile/change_password.py
A cmk/gui/wato/pages/user_profile/edit_profile.py
A cmk/gui/wato/pages/user_profile/mega_menu.py
A cmk/gui/wato/pages/user_profile/replicate.py
Log Message:
-----------
Split remaining user_profile __init__ into modules
Change-Id: Ie222fe4585ac852c90d660eb5a6c58cdc4578829
Commit: 0026541db9f4e9923a7aa0f8ce9da592396acae3
https://github.com/tribe29/checkmk/commit/0026541db9f4e9923a7aa0f8ce9da5923…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2022-01-11 (Tue, 11 Jan 2022)
Changed paths:
M cmk/gui/wato/pages/user_profile/page_menu.py
Log Message:
-----------
User profile: Make all profile sub-pages shortcuts
Change-Id: I326f0383ba1e64d94ebad992afb97fe13b275921
Commit: 341d01c6fc5af9955763b91e073c474373984230
https://github.com/tribe29/checkmk/commit/341d01c6fc5af9955763b91e073c47437…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2022-01-11 (Tue, 11 Jan 2022)
Changed paths:
M cmk/gui/default_permissions.py
M cmk/gui/userdb.py
M cmk/gui/wato/pages/user_profile/__init__.py
M cmk/gui/wato/pages/user_profile/abstract_page.py
M cmk/gui/wato/pages/user_profile/mega_menu.py
M cmk/gui/wato/pages/user_profile/page_menu.py
A cmk/gui/wato/pages/user_profile/two_factor.py
M tests/unit/cmk/gui/test_gui_config.py
M tests/unit/cmk/gui/test_pages.py
M tests/unit/cmk/gui/test_userdb.py
M tests/unit/test_pipfile.py
M web/htdocs/js/index.js
A web/htdocs/js/modules/cbor_ext.js
A web/htdocs/js/modules/webauthn.js
A web/htdocs/themes/facelift/images/icon_2fa.svg
A web/htdocs/themes/facelift/images/icon_topic_two_factor.png
Log Message:
-----------
Users can now register webauthn credentials
This is the first step of our 2FA WebAuthn GUI integration. It adds a
new user profile page which can be used to register and remove
authentication devices for the current user.
Next steps:
* Integrate 2FA with login procedure
* Add backup codes
Change-Id: Id9cb681a797baa6ac26256a641d515d601f020de
Commit: 15b9e402acf9d6c4ab9c022f5228212e16fe80a5
https://github.com/tribe29/checkmk/commit/15b9e402acf9d6c4ab9c022f5228212e1…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2022-01-11 (Tue, 11 Jan 2022)
Changed paths:
M cmk/gui/login.py
M cmk/gui/userdb.py
M cmk/gui/wato/pages/user_profile/two_factor.py
M tests/unit/cmk/gui/test_pages.py
M web/htdocs/js/modules/webauthn.js
M web/htdocs/themes/facelift/scss/_login.scss
Log Message:
-----------
Users can now login with webauthn credentials
Next: Add backup codes
Change-Id: Iee35f51d07a0cf8f7f08f8729b69507124f8601b
Commit: 4a7d217fe25bbcd10eabac2846be79f89d055d9b
https://github.com/tribe29/checkmk/commit/4a7d217fe25bbcd10eabac2846be79f89…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2022-01-11 (Tue, 11 Jan 2022)
Changed paths:
M cmk/gui/plugins/userdb/htpasswd.py
M cmk/gui/userdb.py
M cmk/gui/wato/pages/user_profile/two_factor.py
M tests/unit/cmk/gui/test_userdb.py
A web/htdocs/themes/facelift/images/icon_2fa_backup_codes.svg
M web/htdocs/themes/facelift/scss/_login.scss
Log Message:
-----------
Add backup codes for two-factor authentication
In case a user does not have the authentication device at
hand, the backup codes can be used as an alternative.
The codes can be generated on the user profile page and are
only shown once to the user. During generation they are stored
in the user profile in the same form as regular passwords.
In the moment a backup code is used, it is automatically invalidated.
Change-Id: Ib20e87f7ab2b74d9b58888818af786ca399979ff
Commit: 17d72bae7aeb6ebda993016290e79faec5700558
https://github.com/tribe29/checkmk/commit/17d72bae7aeb6ebda993016290e79faec…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2022-01-11 (Tue, 11 Jan 2022)
Changed paths:
M cmk/gui/userdb.py
M cmk/gui/wato/pages/users.py
M tests/unit/cmk/gui/test_userdb.py
Log Message:
-----------
Integrate two-factor with user management
* Display enable two-factor authentication in user list
* Admins can disable two-factor authentication for users to help them in
case they don't have access to their 2nd factor. This can be done via
"Setup > Users > Edit user > Disable two-factor authentication".
Change-Id: Ib66950c183873e7f015eff76a5ecb2cff6c5853b
Commit: 7fcde450d5632d676defb781ffc80468eb27af91
https://github.com/tribe29/checkmk/commit/7fcde450d5632d676defb781ffc80468e…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2022-01-11 (Tue, 11 Jan 2022)
Changed paths:
A .werks/13325
Log Message:
-----------
13325 Two-factor authentication via FIDO2/WebAuthn
With this change users of the Checkmk user interface can now configure Checkmk
to ask for a second factor during user authentication.
The new two-factor authentication is based on FIDO2/WebAuthn. You can use
authenticators such as the YubiKey, a USB token, a smart phone, Apple’s Touch
ID, and Windows Hello.
To enable the new feature, login to the GUI and open the "User" mega menu on
the bottom left of the screen. Then select "Two-factor authentication". On the
opened page, you first need to click on "Add credential". Once you click that,
your browser will ask you to activate your authenticator. Once done, the
registration with your user account should be complete and a new registered
credentials is displayed.
With this step you have enabled the two-factor authentication for you user
account. Future logins will only be possible with the activated authenticator.
If you don't have your authenticator at hand, you can use backup codes. It is
recommended to generate these backup codes right away by clicking on
"Regenerate backup codes". The resulting page will show you a list of 10
backup
codes. Store them in a save place.
Administrators can see that a user has the two-factor authentication enabled in
the users list of the Setup. The Authentication column displays "Password
(+2FA)" for these users. Admins can disable two-factor authentication for users
to help them in case they don't have access to their second factor. This can be
done via "Setup > Users > Edit user > Disable two-factor
authentication".
Please note that the standard makes this feature only usable in case you access
the GUI using HTTPS.
The WebAuthn two-factor authentication is also restrictive on the type of host
address you use to access the GUI. It will be used as relying party identifier
(
https://www.w3.org/TR/webauthn-2/#relying-party-identifier) and has to be a
valid domain string (
https://url.spec.whatwg.org/#valid-domain-string). You
will have to either use a simple host name or a full qualified domain name.
Please note that you need to be consistent in the domain you use for the
two-factor authentication to work.
Change-Id: Ica6f7a3c2a33d727f5bc48762f57e8c34486497c
Compare:
https://github.com/tribe29/checkmk/compare/2dc3db8f6b02...7fcde450d563