feat: add email for 2fa not yet enabled on upload (#14444)

Author: miketheman

tests/common/db/accounts.py

@@ -38,6 +38,7 @@ class Meta:
     last_login = factory.Faker(
         "date_time_between_dates", datetime_start=datetime.datetime(2011, 1, 1)
     )
+    totp_secret = factory.Faker("binary", length=20)
 
 
 class UserEventFactory(WarehouseFactory):

tests/unit/accounts/test_models.py

@@ -235,7 +235,7 @@ def test_principals(
         ],
     )
     def test_has_single_2fa(self, db_session, has_totp, count_webauthn, expected):
-        user = DBUserFactory.create()
+        user = DBUserFactory.create(totp_secret=None)
         if has_totp:
             user.totp_secret = b"secret"
         for i in range(count_webauthn):

tests/unit/accounts/test_services.py

@@ -536,14 +536,14 @@ def test_updating_password_undisables(self, user_service):
         assert user_service.is_disabled(user.id) == (False, None)
 
     def test_has_two_factor(self, user_service):
-        user = UserFactory.create()
+        user = UserFactory.create(totp_secret=None)
         assert not user_service.has_two_factor(user.id)
 
         user_service.update_user(user.id, totp_secret=b"foobar")
         assert user_service.has_two_factor(user.id)
 
     def test_has_totp(self, user_service):
-        user = UserFactory.create()
+        user = UserFactory.create(totp_secret=None)
         assert not user_service.has_totp(user.id)
         user_service.update_user(user.id, totp_secret=b"foobar")
         assert user_service.has_totp(user.id)
@@ -642,7 +642,7 @@ def test_check_totp_value_user_rate_limited(self, user_service, metrics):
         ]
 
     def test_check_totp_value_invalid_secret(self, user_service):
-        user = UserFactory.create()
+        user = UserFactory.create(totp_secret=None)
         limiter = pretend.stub(
             hit=pretend.call_recorder(lambda *a, **kw: None), test=lambda *a, **kw: True
         )

tests/unit/accounts/test_views.py

@@ -2255,7 +2255,7 @@ class TestVerifyEmail:
     def test_verify_email(
         self, db_request, user_service, token_service, is_primary, confirm_message
     ):
-        user = UserFactory(is_active=False)
+        user = UserFactory(is_active=False, totp_secret=None)
         email = EmailFactory(user=user, verified=False, primary=is_primary)
         db_request.user = user
         db_request.GET.update({"token": "RANDOM_KEY"})

tests/unit/email/test_init.py

@@ -1537,6 +1537,79 @@ def test_gpg_signature_uploaded_email(
         ]
 
 
+class Test2FAonUploadEmail:
+    def test_send_two_factor_not_yet_enabled_email(
+        self, pyramid_request, pyramid_config, monkeypatch
+    ):
+        stub_user = pretend.stub(
+            id="id",
+            username="username",
+            name="",
+            email="[email protected]",
+            primary_email=pretend.stub(email="[email protected]", verified=True),
+            has_2fa=False,
+        )
+        subject_renderer = pyramid_config.testing_add_renderer(
+            "email/two-factor-not-yet-enabled/subject.txt"
+        )
+        subject_renderer.string_response = "Email Subject"
+        body_renderer = pyramid_config.testing_add_renderer(
+            "email/two-factor-not-yet-enabled/body.txt"
+        )
+        body_renderer.string_response = "Email Body"
+        html_renderer = pyramid_config.testing_add_renderer(
+            "email/two-factor-not-yet-enabled/body.html"
+        )
+        html_renderer.string_response = "Email HTML Body"
+
+        send_email = pretend.stub(
+            delay=pretend.call_recorder(lambda *args, **kwargs: None)
+        )
+        pyramid_request.task = pretend.call_recorder(lambda *args, **kwargs: send_email)
+        monkeypatch.setattr(email, "send_email", send_email)
+
+        pyramid_request.db = pretend.stub(
+            query=lambda a: pretend.stub(
+                filter=lambda *a: pretend.stub(
+                    one=lambda: pretend.stub(user_id=stub_user.id)
+                )
+            ),
+        )
+        pyramid_request.user = stub_user
+        pyramid_request.registry.settings = {"mail.sender": "[email protected]"}
+
+        result = email.send_two_factor_not_yet_enabled_email(
+            pyramid_request,
+            stub_user,
+        )
+
+        assert result == {"username": stub_user.username}
+        assert pyramid_request.task.calls == [pretend.call(send_email)]
+        assert send_email.delay.calls == [
+            pretend.call(
+                f"{stub_user.username} <{stub_user.email}>",
+                {
+                    "subject": "Email Subject",
+                    "body_text": "Email Body",
+                    "body_html": (
+                        "<html>\n<head></head>\n"
+                        "<body><p>Email HTML Body</p></body>\n</html>\n"
+                    ),
+                },
+                {
+                    "tag": "account:email:sent",
+                    "user_id": stub_user.id,
+                    "additional": {
+                        "from_": "[email protected]",
+                        "to": stub_user.email,
+                        "subject": "Email Subject",
+                        "redact_ip": False,
+                    },
+                },
+            )
+        ]
+
+
 class TestAccountDeletionEmail:
     def test_account_deletion_email(
         self, pyramid_request, pyramid_config, metrics, monkeypatch

tests/unit/forklift/test_legacy.py

@@ -3798,6 +3798,51 @@ def test_upload_succeeds_with_signature(
             pretend.call(db_request, user, project_name="example"),
         ]
 
+    def test_upload_succeeds_without_two_factor(
+        self, pyramid_config, db_request, metrics, project_service, monkeypatch
+    ):
+        user = UserFactory.create(totp_secret=None)
+        EmailFactory.create(user=user)
+
+        pyramid_config.testing_securitypolicy(identity=user)
+        db_request.user = user
+        db_request.POST = MultiDict(
+            {
+                "metadata_version": "1.2",
+                "name": "example",
+                "version": "1.0",
+                "filetype": "sdist",
+                "md5_digest": _TAR_GZ_PKG_MD5,
+                "content": pretend.stub(
+                    filename="example-1.0.tar.gz",
+                    file=io.BytesIO(_TAR_GZ_PKG_TESTDATA),
+                    type="application/tar",
+                ),
+            }
+        )
+
+        storage_service = pretend.stub(store=lambda path, filepath, meta: None)
+        db_request.find_service = lambda svc, name=None, context=None: {
+            IFileStorage: storage_service,
+            IMetricsService: metrics,
+            IProjectService: project_service,
+        }.get(svc)
+        db_request.user_agent = "warehouse-tests/6.6.6"
+
+        send_email = pretend.call_recorder(lambda *a, **kw: None)
+        monkeypatch.setattr(legacy, "send_two_factor_not_yet_enabled_email", send_email)
+
+        resp = legacy.file_upload(db_request)
+
+        assert resp.status_code == 200
+        assert resp.body == (
+            b"Two factor authentication is not enabled for your account."
+        )
+
+        assert send_email.calls == [
+            pretend.call(db_request, user),
+        ]
+
     @pytest.mark.parametrize(
         ("emails_verified", "expected_success"),
         [

tests/unit/packaging/test_tasks.py

@@ -941,7 +941,7 @@ def test_compute_2fa_metrics(db_request, monkeypatch):
     )
 
     # A critical maintainer with two WebAuthn methods enabled
-    third_critical_project_maintainer = UserFactory.create()
+    third_critical_project_maintainer = UserFactory.create(totp_secret=None)
     RoleFactory.create(user=third_critical_project_maintainer, project=critical_project)
     webauthn = WebAuthn(
         user_id=third_critical_project_maintainer.id,

warehouse/email/__init__.py

@@ -342,6 +342,15 @@ def send_basic_auth_with_two_factor_email(request, user, *, project_name):
     return {"project_name": project_name}
 
 
+@_email(
+    "two-factor-not-yet-enabled",
+    allow_unverified=True,
+    repeat_window=datetime.timedelta(days=14),
+)
+def send_two_factor_not_yet_enabled_email(request, user):
+    return {"username": user.username}
+
+
 @_email("gpg-signature-uploaded", repeat_window=datetime.timedelta(days=1))
 def send_gpg_signature_uploaded_email(request, user, *, project_name):
     return {"project_name": project_name}

warehouse/forklift/legacy.py

@@ -50,6 +50,7 @@
 from warehouse.email import (
     send_basic_auth_with_two_factor_email,
     send_gpg_signature_uploaded_email,
+    send_two_factor_not_yet_enabled_email,
 )
 from warehouse.errors import BasicAuthTwoFactorEnabled
 from warehouse.events.tags import EventTag
@@ -1493,6 +1494,11 @@ def file_upload(request):
                 },
             )
 
+    # Check if the user has any 2FA methods enabled, and if not, email them.
+    if request.user and not request.user.has_two_factor:
+        warnings.append("Two factor authentication is not enabled for your account.")
+        send_two_factor_not_yet_enabled_email(request, request.user)
+
     request.db.flush()  # flush db now so server default values are populated for celery
 
     # Push updates to BigQuery

warehouse/locale/messages.pot

@@ -2504,6 +2504,128 @@ msgid ""
 "method to your PyPI account <strong>%(username)s</strong>."
 msgstr ""
 
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:17
+#, python-format
+msgid "Hi %(username)s!"
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:19
+#, python-format
+msgid ""
+"Earlier this year, <a href=\"%(blogpost)s\">we announced</a> that PyPI "
+"would require all users to enable a form of two-factor authentication on "
+"their accounts by the end of 2023."
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:26
+msgid ""
+"Keeping your PyPI account secure is important to all of us. We encourage "
+"you to enable two-factor authentication on your PyPI account as soon as "
+"possible."
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:34
+msgid "What forms of 2FA can I use?"
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:37
+msgid "We currently offer two main forms of 2FA for your account:"
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:42
+#, python-format
+msgid ""
+"<a href=\"%(utfkey)s\">Security device</a> including modern browsers "
+"(preferred) (e.g. Yubikey, Google Titan)"
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:48
+#, python-format
+msgid "<a href=\"%(totp)s\">Authentication app</a> (e.g. Google Authenticator)"
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:54
+#, python-format
+msgid ""
+"Once one of these secure forms is enabled on your account, you will also "
+"need to use either <a href=\"%(trusted_publishers)s\">Trusted "
+"Publishers</a> (preferred) or <a href=\"%(api_token)s\">API tokens</a> to"
+" upload to PyPI."
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:63
+msgid "What do I do if I lose my 2FA device?"
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:66
+msgid ""
+"As part of 2FA enrollment, you will receive one-time use recovery codes. "
+"One of them must be used to confirm receipt before 2FA is fully active. "
+"<strong>Keep these recovery codes safe</strong> - they are equivalent to "
+"your 2FA device. Should you lose access to your 2FA device, use a "
+"recovery code to log in and swap your 2FA to a new device."
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:77
+#, python-format
+msgid "Read more about<a href=\"%(recovery_codes)s\">recovery codes</a>."
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:83
+msgid "Why is PyPI requiring 2FA?"
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:86
+msgid ""
+"Keeping all users of PyPI is a shared responsibility we take seriously. "
+"Strong passwords combined with 2FA is a recognized secure practice for "
+"over a decade."
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:93
+msgid ""
+"We are requiring 2FA to protect your account and the packages you upload,"
+" and to protect PyPI itself from malicious actors. The most damaging "
+"attacks are account takeover and malicious package upload."
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:101
+#, python-format
+msgid ""
+"To see this and other security events for your account, visit your <a "
+"href=\"%(account_events)s\">account security history</a>."
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:107
+#, python-format
+msgid "Read more on <a href=\"%(blog_post)s\">this blog post.</a>"
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:112
+#, python-format
+msgid ""
+"If you run into problems, read the <a href=\"%(help_page)s\">FAQ "
+"page</a>. If the solutions there are unable to resolve the issue, contact"
+" us via <a href=\"%(support_email)s\">[email protected]</a>."
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:119
+msgid "Thanks,"
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:121
+msgid "The PyPI Admins"
+msgstr ""
+
+#: warehouse/templates/email/two-factor-not-yet-enabled/body.html:127
+#, python-format
+msgid ""
+"You're receiving this email because you have not yet enabled two-factor "
+"authentication on your PyPI account. If you have enabled 2FA and believe "
+"this message is an error, please let us know via <a "
+"href=\"%(support_mail)s\">[email protected]</a>."
+msgstr ""
+
 #: warehouse/templates/email/two-factor-removed/body.html:18
 #, python-format
 msgid ""