feat: require 2fa for new users

Hooks into security policy to require all non-account management actions
to have a form of 2FA set up.

Adds a time-based restriction for new users, which we can remove when we
want to enforce for everyone.

Resolves pypi#13762

Signed-off-by: Mike Fiedler <[email protected]>

Author: miketheman

tests/unit/accounts/test_security_policy.py

@@ -10,6 +10,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+from datetime import datetime
 
 import pretend
 import pytest
@@ -516,8 +517,11 @@ def test_acl(self, monkeypatch, policy_class, principals, expected):
 
         request = pretend.stub(
             identity=pretend.stub(
-                __principals__=lambda: principals, has_primary_verified_email=True
-            )
+                __principals__=lambda: principals,
+                has_primary_verified_email=True,
+                has_two_factor=False,
+            ),
+            matched_route=pretend.stub(name="random.route"),
         )
         context = pretend.stub(__acl__=[(Allow, "user:5", "myperm")])
 
@@ -545,6 +549,7 @@ def test_2fa_owner_requires(
                 has_primary_verified_email=True,
                 has_two_factor=has_mfa,
             ),
+            matched_route=pretend.stub(name="random.route"),
             registry=pretend.stub(
                 settings={
                     "warehouse.two_factor_requirement.enabled": True,
@@ -581,6 +586,7 @@ def test_2fa_pypi_mandates_2fa(
                 has_primary_verified_email=True,
                 has_two_factor=has_mfa,
             ),
+            matched_route=pretend.stub(name="random.route"),
             registry=pretend.stub(
                 settings={
                     "warehouse.two_factor_requirement.enabled": False,
@@ -617,6 +623,7 @@ def test_2fa_pypi_mandates_2fa_with_warning(
                 has_primary_verified_email=True,
                 has_two_factor=has_mfa,
             ),
+            matched_route=pretend.stub(name="random.route"),
             registry=pretend.stub(
                 settings={
                     "warehouse.two_factor_requirement.enabled": False,
@@ -650,11 +657,97 @@ def test_permits_with_unverified_email(self, monkeypatch, policy_class):
 
         request = pretend.stub(
             identity=pretend.stub(
-                __principals__=lambda: ["user:5"], has_primary_verified_email=False
+                __principals__=lambda: ["user:5"],
+                has_primary_verified_email=False,
+                has_two_factor=False,
+            ),
+            matched_route=pretend.stub(name="manage.projects"),
+        )
+        context = pretend.stub(__acl__=[(Allow, "user:5", "myperm")])
+
+        policy = policy_class()
+        assert not policy.permits(request, context, "myperm")
+
+    # TODO: remove this test when we remove the conditional
+    def test_permits_manage_projects_without_2fa_for_older_users(
+        self, monkeypatch, policy_class
+    ):
+        monkeypatch.setattr(security_policy, "User", pretend.stub)
+
+        request = pretend.stub(
+            identity=pretend.stub(
+                __principals__=lambda: ["user:5"],
+                has_primary_verified_email=True,
+                has_two_factor=False,
+                date_joined=datetime(2019, 1, 1),
+            ),
+            matched_route=pretend.stub(name="manage.projects"),
+        )
+        context = pretend.stub(__acl__=[(Allow, "user:5", "myperm")])
+
+        policy = policy_class()
+        assert policy.permits(request, context, "myperm")
+
+    def test_permits_manage_projects_with_2fa(self, monkeypatch, policy_class):
+        monkeypatch.setattr(security_policy, "User", pretend.stub)
+
+        request = pretend.stub(
+            identity=pretend.stub(
+                __principals__=lambda: ["user:5"],
+                has_primary_verified_email=True,
+                has_two_factor=True,
+            ),
+            matched_route=pretend.stub(name="manage.projects"),
+        )
+        context = pretend.stub(__acl__=[(Allow, "user:5", "myperm")])
+
+        policy = policy_class()
+        assert policy.permits(request, context, "myperm")
+
+    def test_deny_manage_projects_without_2fa(self, monkeypatch, policy_class):
+        monkeypatch.setattr(security_policy, "User", pretend.stub)
+
+        request = pretend.stub(
+            identity=pretend.stub(
+                __principals__=lambda: ["user:5"],
+                has_primary_verified_email=True,
+                has_two_factor=False,
+                date_joined=datetime.now(),
             ),
             matched_route=pretend.stub(name="manage.projects"),
         )
         context = pretend.stub(__acl__=[(Allow, "user:5", "myperm")])
 
         policy = policy_class()
         assert not policy.permits(request, context, "myperm")
+
+    @pytest.mark.parametrize(
+        "matched_route",
+        [
+            "manage.account",
+            "manage.account.recovery-codes",
+            "manage.account.totp-provision",
+            "manage.account.two-factor",
+            "manage.account.webauthn-provision",
+            "manage.account.webauthn-provision.validate",
+        ],
+    )
+    def test_permits_2fa_routes_without_2fa(
+        self, monkeypatch, policy_class, matched_route
+    ):
+        monkeypatch.setattr(security_policy, "User", pretend.stub)
+
+        request = pretend.stub(
+            identity=pretend.stub(
+                __principals__=lambda: ["user:5"],
+                has_primary_verified_email=True,
+                has_two_factor=False,
+                date_joined=datetime.now(),
+            ),
+            matched_route=pretend.stub(name=matched_route),
+        )
+
+        context = pretend.stub(__acl__=[(Allow, "user:5", "myperm")])
+
+        policy = policy_class()
+        assert policy.permits(request, context, "myperm")

warehouse/accounts/security_policy.py

@@ -309,4 +309,33 @@ def _check_for_mfa(request, context) -> WarehouseDenied | None:
                 queue="warning",
             )
 
+    # Regardless of TwoFactorRequireable, if we're in the manage namespace, we'll
+    # check if the user has 2FA enabled, and if they don't we'll deny them.
+
+    # Management routes that don't require 2FA, mostly to set up 2FA.
+    _exempt_routes = [
+        "manage.account.recovery-codes",
+        "manage.account.totp-provision",
+        "manage.account.two-factor",
+        "manage.account.webauthn-provision",
+    ]
+
+    if (
+        request.matched_route.name.startswith("manage")
+        and request.matched_route.name != "manage.account"
+        and not any(
+            request.matched_route.name.startswith(route) for route in _exempt_routes
+        )
+        and not request.identity.has_two_factor
+    ) and (
+        # Start enforcement from 2023-08-01, but we should remove this check
+        # at the end of 2023.
+        request.identity.date_joined
+        and request.identity.date_joined > datetime.datetime(2023, 8, 1)
+    ):
+        return WarehouseDenied(
+            "You must enable two factor authentication to manage other settings",
+            reason="manage_2fa_required",
+        )
+
     return None

warehouse/views.py

@@ -152,7 +152,11 @@ def forbidden(exc, request):
 
         # If the forbidden error is because the user doesn't have 2FA enabled, we'll
         # redirect them to the 2FA page
-        if exc.result.reason in {"owners_require_2fa", "pypi_mandates_2fa"}:
+        if exc.result.reason in {
+            "owners_require_2fa",
+            "pypi_mandates_2fa",
+            "manage_2fa_required",
+        }:
             request.session.flash(
                 request._(
                     "Two-factor authentication must be enabled on your account to "