[Enhancement] Hide multifactor option in user-dialog if Enable Multi-Factor Authentication is disabled. #1317

Closed
crackytsi opened this issue May 12, 2020 · 7 comments
Labels
enhancement TheHive4 TheHive4 related issues

@crackytsi

Bug / Feature Request

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Debian |
| OS version (client) | 10 |
| TheHive version / git hash | 4 RC2 |
| Package Type | DEB |

Problem Description

So, the first TheHive 4rc2 issue ;)

If certificate-based authentication via reverse-proxy with header variable is used (or maybe in other situations as well), enabling of "Multi-Factor Authentication" fails.
The behaviour is, after clicking on this button, a page reload happens that leads to the login page to type in User/password (even if certificate authentication was already performed).

This authentication is already some kind of strong 2FA. So I would really appreciate it, if there is no force to use that kind of authentication as written in the latest blog "We will consider making 2FA mandatory in TheHive 4.1."

Possible Solutions

Optimize Authentication.

@crackytsi crackytsi added TheHive4 TheHive4 related issues bug labels May 12, 2020
@crackytsi crackytsi changed the title [Bug] Enable Multi-Factor Authentication does not work if using certificate-authentication [Bug] Enable Multi-Factor Authentication does not work if using cert/header based authentication May 12, 2020
@aacgood

aacgood commented May 12, 2020

I am also having this issue, although I've taken out the reverse proxy from the mix. When I edit my user and select "Enable MFA" I get thrown back to the login prompt. The logs show 401 - Operation not supported.

Error from application.log below

2020-05-12 22:02:57,287 [ERROR] from org.thp.scalligraph.utils.Retry in application-akka.actor.default-dispatcher-1680 - uncaught error, not retrying
org.thp.scalligraph.AuthenticationError: Operation not supported
        at org.thp.thehive.controllers.v1.AuthenticationCtrl.withTotpAuthSrv(AuthenticationCtrl.scala:46)
        at org.thp.thehive.controllers.v1.AuthenticationCtrl.$anonfun$totpSetSecret$2(AuthenticationCtrl.scala:53)
        at org.thp.scalligraph.controllers.Entrypoint$EntryPointBuilder.$anonfun$authTransaction$2(Entrypoint.scala:77)
        at org.thp.scalligraph.janus.JanusDatabase.$anonfun$tryTransaction$10(JanusDatabase.scala:136)
        at scala.util.Try$.apply(Try.scala:213)
        at org.thp.scalligraph.janus.JanusDatabase.$anonfun$tryTransaction$8(JanusDatabase.scala:136)
        at scala.util.Try$.apply(Try.scala:213)
        at org.thp.scalligraph.utils.DelayRetry.withTry(Retry.scala:88)
        at org.thp.scalligraph.janus.JanusDatabase.tryTransaction(JanusDatabase.scala:130)
        at org.thp.scalligraph.controllers.Entrypoint$EntryPointBuilder.$anonfun$authTransaction$1(Entrypoint.scala:77)
        at org.thp.scalligraph.controllers.Entrypoint$EntryPointBuilder.$anonfun$auth$1(Entrypoint.scala:86)
        at org.thp.scalligraph.controllers.Entrypoint$EntryPointBuilder.$anonfun$asyncAuth$3(Entrypoint.scala:107)
        at org.scalactic.Good.fold(Or.scala:1229)
        at org.thp.scalligraph.controllers.Entrypoint$EntryPointBuilder.$anonfun$asyncAuth$2(Entrypoint.scala:107)
        at org.thp.scalligraph.DiagnosticContext$.$anonfun$withRequest$2(ContextPropagatingDisptacher.scala:100)
        at org.thp.scalligraph.DiagnosticContext$.saveDiagnosticContext(ContextPropagatingDisptacher.scala:107)
        at org.thp.scalligraph.DiagnosticContext$.withRequest(ContextPropagatingDisptacher.scala:98)
        at org.thp.scalligraph.controllers.Entrypoint$EntryPointBuilder.$anonfun$asyncAuth$1(Entrypoint.scala:107)
        at org.thp.scalligraph.auth.SessionAuthSrv$$anon$1.$anonfun$invokeBlock$2(SessionAuthSrv.scala:84)
        at scala.Option.fold(Option.scala:251)
        at org.thp.scalligraph.auth.SessionAuthSrv$$anon$1.invokeBlock(SessionAuthSrv.scala:82)
        at org.thp.scalligraph.auth.SessionAuthSrv$$anon$1.invokeBlock(SessionAuthSrv.scala:79)
        at play.api.mvc.ActionBuilder$$anon$10.$anonfun$invokeBlock$2(Action.scala:408)
        at play.api.mvc.ActionBuilderImpl.invokeBlock(Action.scala:441)
        at play.api.mvc.ActionBuilderImpl.invokeBlock(Action.scala:439)
        at play.api.mvc.ActionBuilder$$anon$10.invokeBlock(Action.scala:408)
        at play.api.mvc.ActionBuilder$$anon$10.invokeBlock(Action.scala:404)
        at play.api.mvc.ActionBuilder$$anon$9.apply(Action.scala:379)
        at play.api.mvc.Action.$anonfun$apply$4(Action.scala:82)
        at play.api.libs.streams.StrictAccumulator.$anonfun$mapFuture$4(Accumulator.scala:167)
        at scala.util.Try$.apply(Try.scala:213)
        at play.api.libs.streams.StrictAccumulator.$anonfun$mapFuture$3(Accumulator.scala:167)
        at scala.Function1.$anonfun$andThen$1(Function1.scala:57)
        at scala.Function1.$anonfun$andThen$1(Function1.scala:57)
        at play.api.libs.streams.StrictAccumulator.run(Accumulator.scala:199)
        at play.core.server.AkkaHttpServer.$anonfun$runAction$4(AkkaHttpServer.scala:413)
        at akka.http.scaladsl.util.FastFuture$.strictTransform$1(FastFuture.scala:41)
        at akka.http.scaladsl.util.FastFuture$.$anonfun$transformWith$3(FastFuture.scala:51)
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
        at org.thp.scalligraph.ContextPropagatingDisptacher$$anon$1.$anonfun$execute$2(ContextPropagatingDisptacher.scala:57)
        at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
        at org.thp.scalligraph.DiagnosticContext$$anon$2.withContext(ContextPropagatingDisptacher.scala:76)
        at org.thp.scalligraph.ContextPropagatingDisptacher$$anon$1.$anonfun$execute$1(ContextPropagatingDisptacher.scala:57)
        at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:47)
        at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:47)
        at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
        at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
        at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
        at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:157)
2020-05-12 22:02:57,287 [ERROR] from org.thp.scalligraph.models.Database in application-akka.actor.default-dispatcher-1680 - Exception raised, rollback (Operation not supported)
2020-05-12 22:02:57,287 [WARN] from org.thp.scalligraph.ErrorHandler in application-akka.actor.default-dispatcher-1680 - POST /api/v1/auth/totp/set returned 401: Operation not supported
2020-05-12 22:02:57,288 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-1682 - w.x.y.z POST /api/v1/auth/totp/set took 4ms and returned 401 66 bytes

@aacgood

aacgood commented May 13, 2020

Also as per https://github.com/TheHive-Project/TheHiveDocs/blob/master/TheHive4/Administration/Authentication.md I had forgotten to set multifactor to be enabled.
auth.multifactor.enabled = true

@crackytsi crackytsi changed the title [Bug] Enable Multi-Factor Authentication does not work if using cert/header based authentication [Bug] Hide multifactor option in user-dialog if Enable Multi-Factor Authentication is disabled. May 13, 2020
@crackytsi
Author

@aacgood: Thank you, I really should read the docs ;)
Ok, nevertheless, I think in this case the user-dialog option should consequently not be offered, so I renamed that ticket to

"Hide multifactor option in user-dialog if Enable Multi-Factor Authentication is disabled."

@nadouani nadouani self-assigned this May 13, 2020
@nadouani nadouani added this to the 3.5.0-RC1 milestone May 13, 2020
@nadouani nadouani added enhancement and removed bug labels May 13, 2020
@nadouani nadouani modified the milestones: 3.5.0-RC1, 4.0.0-RC3 May 13, 2020
@nadouani
Contributor

@To-om

  • can the auth.multifactor.enabled be enabled by default?
  • does the /api/status contain an indicator regarding the 2fa option, if it's enabled or not?

@nadouani nadouani assigned To-om and unassigned nadouani May 20, 2020
@To-om
Contributor

To-om commented May 23, 2020

The information is already in the result of /api/status (mfa in config.capabilities):

{
  [...]
  "config": {
    "capabilities": [
      "changePassword",
      "setPassword",
      "authByKey",
      "mfa"
    ]
  }
}

@nadouani
Contributor

@To-om config.capabilities seems to always contain mfa independently from auth.multifactor.enabled.

@To-om
Contributor

To-om commented May 24, 2020

It should be ok now.

@To-om To-om changed the title [Bug] Hide multifactor option in user-dialog if Enable Multi-Factor Authentication is disabled. Hide multifactor option in user-dialog if Enable Multi-Factor Authentication is disabled. May 27, 2020
@To-om To-om changed the title Hide multifactor option in user-dialog if Enable Multi-Factor Authentication is disabled. [Enhancement] Hide multifactor option in user-dialog if Enable Multi-Factor Authentication is disabled. May 27, 2020
crackytsi added a commit to crackytsi/TheHiveDocs that referenced this issue May 28, 2020
mfa is enabled by default and can be manually disabled, as described here: TheHive-Project/TheHive#1317
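
Added example (not TheHive's code and not posted by any participant in this thread): a client-side check that shows the MFA option only when `/api/status` lists `mfa` in `config.capabilities`, and cross-checks that against the `totp/set` rejection logged above. The function names, finding labels and sample payloads are constructed for illustration; the capability names, endpoint and log text are the ones quoted in the thread.

```javascript
// Constructed /api/status payloads, trimmed to the field discussed in this thread.
const STATUS_MFA_ON = { config: { capabilities: ['changePassword', 'setPassword', 'authByKey', 'mfa'] } };
const STATUS_MFA_OFF = { config: { capabilities: ['changePassword', 'setPassword', 'authByKey'] } };

// Constructed log sample in the application.log format quoted above.
const SAMPLE_LOG = [
  '2020-05-12 22:02:57,287 [WARN] from org.thp.scalligraph.ErrorHandler in application-akka.actor.default-dispatcher-1680 - POST /api/v1/auth/totp/set returned 401: Operation not supported',
  '2020-05-12 22:03:10,101 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-1682 - w.x.y.z GET /api/status took 2ms and returned 200 512 bytes',
];

// True only when the capability is explicitly listed. A missing or malformed
// list counts as "not available" (fail closed), so the dialog never offers a
// control that the server will reject.
function hasCapability(status, name) {
  const caps = status && status.config && status.config.capabilities;
  return Array.isArray(caps) && caps.includes(name);
}

// Matches the ErrorHandler warning emitted when TOTP setup is refused.
const TOTP_REJECTED =
  /\[WARN\] from org\.thp\.scalligraph\.ErrorHandler .* - POST \/api\/v1\/auth\/totp\/set returned 401: Operation not supported/;

// Compare what the status endpoint advertises with what the server logged.
function diagnoseMfa(status, logLines) {
  const advertised = hasCapability(status, 'mfa');
  const rejected = logLines.filter((line) => TOTP_REJECTED.test(line)).length;
  let finding = 'consistent';
  if (rejected > 0) {
    // Advertised but refused: the capability list does not reflect the setting.
    // Not advertised but attempted: the UI offered an option it should hide.
    finding = advertised ? 'advertised-but-rejected' : 'ui-offered-disabled-option';
  }
  return { showMfaOption: advertised, rejected, finding };
}

console.log(diagnoseMfa(STATUS_MFA_OFF, SAMPLE_LOG));
console.log(diagnoseMfa(STATUS_MFA_ON, SAMPLE_LOG));
```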