admin: add a "wipe factors" button (#13848)

woodruffw · web-flow · commit b26b4266a417 · 2023-06-03T07:56:37.000-04:00
* admin: add a "wipe factors" button

This behaves like the "reset password" button,
except that it additionally wipes the user's second factors
and recovery codes.

* tests: fixup, coverage

* admin: factor out user password reset logic

...and dedupe.
diff --git a/tests/unit/admin/test_routes.py b/tests/unit/admin/test_routes.py
@@ -83,6 +83,13 @@ def test_includeme():
             factory="warehouse.accounts.models:UserFactory",
             traverse="/{username}",
         ),
+        pretend.call(
+            "admin.user.wipe_factors",
+            "/admin/users/{username}/wipe_factors/",
+            domain=warehouse,
+            factory="warehouse.accounts.models:UserFactory",
+            traverse="/{username}",
+        ),
         pretend.call(
             "admin.prohibited_user_names.bulk_add",
             "/admin/prohibited_user_names/bulk/",
diff --git a/tests/unit/admin/views/test_users.py b/tests/unit/admin/views/test_users.py
@@ -18,7 +18,12 @@
 from webob.multidict import MultiDict, NoVars
 
 from warehouse.accounts.interfaces import IEmailBreachedService, IUserService
-from warehouse.accounts.models import DisableReason, ProhibitedUserName
+from warehouse.accounts.models import (
+    DisableReason,
+    ProhibitedUserName,
+    RecoveryCode,
+    WebAuthn,
+)
 from warehouse.admin.views import users as views
 from warehouse.packaging.models import JournalEntry, Project
 
@@ -456,6 +461,100 @@ def test_user_reset_password_redirects_actual_name(self, db_request):
         ]
 
 
+class TestUserWipeFactors:
+    def test_wipes_factors(self, db_request, monkeypatch):
+        user = UserFactory.create(
+            totp_secret=b"aaaaabbbbbcccccddddd",
+            webauthn=[
+                WebAuthn(
+                    label="fake", credential_id="fake", public_key="extremely fake"
+                )
+            ],
+            recovery_codes=[
+                RecoveryCode(code="fake"),
+            ],
+        )
+
+        assert user.totp_secret is not None
+        assert len(user.webauthn) == 1
+        assert len(user.recovery_codes.all()) == 1
+
+        db_request.matchdict["username"] = str(user.username)
+        db_request.params = {"username": user.username}
+        db_request.route_path = pretend.call_recorder(lambda *a, **kw: "/foobar")
+        db_request.user = user
+        service = pretend.stub(
+            find_userid=pretend.call_recorder(lambda username: user.username),
+            disable_password=pretend.call_recorder(
+                lambda userid, request, reason: None
+            ),
+        )
+        db_request.find_service = pretend.call_recorder(lambda iface, context: service)
+
+        send_email = pretend.call_recorder(lambda *a, **kw: None)
+        monkeypatch.setattr(views, "send_password_compromised_email", send_email)
+
+        result = views.user_wipe_factors(user, db_request)
+
+        assert user.totp_secret is None
+        assert len(user.webauthn) == 0
+        assert len(user.recovery_codes.all()) == 0
+        assert db_request.find_service.calls == [
+            pretend.call(IUserService, context=None)
+        ]
+        assert send_email.calls == [pretend.call(db_request, user)]
+        assert service.disable_password.calls == [
+            pretend.call(user.id, db_request, reason=DisableReason.CompromisedPassword)
+        ]
+        assert db_request.route_path.calls == [
+            pretend.call("admin.user.detail", username=user.username)
+        ]
+        assert result.status_code == 303
+        assert result.location == "/foobar"
+
+    def test_wipes_factors_bad_confirm(self, db_request, monkeypatch):
+        user = UserFactory.create()
+
+        db_request.matchdict["username"] = str(user.username)
+        db_request.params = {"username": "wrong"}
+        db_request.route_path = pretend.call_recorder(lambda *a, **kw: "/foobar")
+        db_request.user = UserFactory.create()
+        service = pretend.stub(
+            find_userid=pretend.call_recorder(lambda username: user.username),
+            disable_password=pretend.call_recorder(lambda userid, reason: None),
+        )
+        db_request.find_service = pretend.call_recorder(lambda iface, context: service)
+
+        send_email = pretend.call_recorder(lambda *a, **kw: None)
+        monkeypatch.setattr(views, "send_password_compromised_email", send_email)
+
+        result = views.user_wipe_factors(user, db_request)
+
+        assert db_request.find_service.calls == []
+        assert send_email.calls == []
+        assert service.disable_password.calls == []
+        assert db_request.route_path.calls == [
+            pretend.call("admin.user.detail", username=user.username)
+        ]
+        assert result.status_code == 303
+        assert result.location == "/foobar"
+
+    def test_user_wipe_factors_redirects_actual_name(self, db_request):
+        user = UserFactory.create(username="wu-tang")
+        db_request.matchdict["username"] = "Wu-Tang"
+        db_request.current_route_path = pretend.call_recorder(
+            lambda username: "/user/the-redirect/"
+        )
+
+        result = views.user_wipe_factors(user, db_request)
+
+        assert isinstance(result, HTTPMovedPermanently)
+        assert result.headers["Location"] == "/user/the-redirect/"
+        assert db_request.current_route_path.calls == [
+            pretend.call(username=user.username)
+        ]
+
+
 class TestBulkAddProhibitedUserName:
     def test_get(self):
         request = pretend.stub(method="GET")
diff --git a/warehouse/admin/routes.py b/warehouse/admin/routes.py
@@ -81,6 +81,13 @@ def includeme(config):
         factory="warehouse.accounts.models:UserFactory",
         traverse="/{username}",
     )
+    config.add_route(
+        "admin.user.wipe_factors",
+        "/admin/users/{username}/wipe_factors/",
+        domain=warehouse,
+        factory="warehouse.accounts.models:UserFactory",
+        traverse="/{username}",
+    )
     config.add_route(
         "admin.prohibited_user_names.bulk_add",
         "/admin/prohibited_user_names/bulk/",
diff --git a/warehouse/admin/templates/admin/users/detail.html b/warehouse/admin/templates/admin/users/detail.html
@@ -107,6 +107,9 @@ <h2 class="card-title">Actions</h2>
             <button type="button" class="btn btn-danger" data-toggle="modal" data-target="#pwresetModal" {{ "disabled" if not request.has_permission('admin') }}>
               <i class="fa-solid fa-unlock-keyhole"></i> Reset password
             </button>
+            <button type="button" class="btn btn-danger" data-toggle="modal" data-target="#wipeFactorsModal" {{ "disabled" if not request.has_permission('admin') }}>
+              <i class="fa-solid fa-toilet-paper"></i> Wipe 2FA and recovery codes
+            </button>
             <div class="modal fade" id="nukeModal" tabindex="-1" role="dialog">
               <form method="POST" action="{{ request.route_path('admin.user.delete', username=user.username) }}">
                 <input name="csrf_token" type="hidden" value="{{ request.session.get_csrf_token() }}">
@@ -176,7 +179,41 @@ <h4 class="modal-title" id="pwresetModalLabel">Reset password for {{ user.userna
                   </div>
                 </div>
               </form>
-              </div>
+            </div>
+            <div class="modal fade" id="wipeFactorsModal" tabindex="-1" role="dialog">
+              <form method="POST" action="{{ request.route_path('admin.user.wipe_factors', username=user.username) }}">
+                <input name="csrf_token" type="hidden" value="{{ request.session.get_csrf_token() }}">
+                <div class="modal-dialog" role="document">
+                  <div class="modal-content">
+                    <div class="modal-header">
+                      <h4 class="modal-title" id="wipeFactorsModalLabel">Wipe second/recovery factors for {{ user.username }}?</h4>
+                      <button type="button" class="close" data-dismiss="modal">
+                        <span>&times;</span>
+                      </button>
+                    </div>
+                    <div class="modal-body">
+                      <p>
+                        This will permanently remove the user's second factors and recovery codes,
+                        and cannot be undone.
+                      </p>
+                      <p>
+                        It will also permanently remove the user's current password,
+                        and send them a password reset request.
+                      </p>
+                      <hr>
+                      <p>
+                        Type the username '{{ user.username }}' to confirm:
+                      </p>
+                      <input type="text" name="username" placeholder="{{ user.username }}">
+                    </div>
+                    <div class="modal-footer">
+                        <button type="button" class="btn btn-secondary" data-dismiss="modal">Close</button>
+                        <button type="submit" class="btn btn-danger">Wipe factors</button>
+                      </div>
+                  </div>
+                </div>
+              </form>
+            </div>
           </div>
         </div>
       </div> <!-- .card -->
diff --git a/warehouse/admin/views/users.py b/warehouse/admin/views/users.py
@@ -266,6 +266,14 @@ def user_delete(user, request):
     return HTTPSeeOther(request.route_path("admin.user.list"))
 
 
+def _user_reset_password(user, request):
+    login_service = request.find_service(IUserService, context=None)
+    send_password_compromised_email(request, user)
+    login_service.disable_password(
+        user.id, request, reason=DisableReason.CompromisedPassword
+    )
+
+
 @view_config(
     route_name="admin.user.reset_password",
     require_methods=["POST"],
@@ -285,16 +293,42 @@ def user_reset_password(user, request):
             request.route_path("admin.user.detail", username=user.username)
         )
 
-    login_service = request.find_service(IUserService, context=None)
-    send_password_compromised_email(request, user)
-    login_service.disable_password(
-        user.id, request, reason=DisableReason.CompromisedPassword
-    )
+    _user_reset_password(user, request)
 
     request.session.flash(f"Reset password for {user.username!r}", queue="success")
     return HTTPSeeOther(request.route_path("admin.user.detail", username=user.username))
 
 
+@view_config(
+    route_name="admin.user.wipe_factors",
+    require_methods=["POST"],
+    permission="admin",
+    has_translations=True,
+    uses_session=True,
+    require_csrf=True,
+    context=User,
+)
+def user_wipe_factors(user, request):
+    if user.username != request.matchdict.get("username", user.username):
+        return HTTPMovedPermanently(request.current_route_path(username=user.username))
+
+    if user.username != request.params.get("username"):
+        request.session.flash("Wrong confirmation input", queue="error")
+        return HTTPSeeOther(
+            request.route_path("admin.user.detail", username=user.username)
+        )
+
+    user.totp_secret = None
+    user.webauthn = []
+    user.recovery_codes = []
+    _user_reset_password(user, request)
+
+    request.session.flash(
+        f"Wiped factors and reset password for {user.username!r}", queue="success"
+    )
+    return HTTPSeeOther(request.route_path("admin.user.detail", username=user.username))
+
+
 @view_config(
     route_name="admin.prohibited_user_names.bulk_add",
     renderer="admin/prohibited_user_names/bulk.html",
