NAS-133464 / 25.04 / Disable token authentication when STIG is enabled (

#11363)

src/app/interfaces/auth.interface.ts

@@ -14,9 +14,15 @@ export enum LoginExMechanism {
   ApiKeyPlain = 'API_KEY_PLAIN',
 }
 
+export enum AuthenticatorLoginLevel {
+  Level1 = 'LEVEL_1',
+  Level2 = 'LEVEL_2',
+}
+
 export interface LoginSuccessResponse {
   response_type: LoginExResponseType.Success;
   user_info: LoggedInUser;
+  authenticator: AuthenticatorLoginLevel;
 }
 
 export interface LoginAuthErrorResponse {

src/app/modules/auth/auth.service.spec.ts

@@ -17,7 +17,9 @@ import { mockAuth } from 'app/core/testing/utils/mock-auth.utils';
 import { LoginResult } from 'app/enums/login-result.enum';
 import { Role } from 'app/enums/role.enum';
 import { WINDOW } from 'app/helpers/window.helper';
-import { LoginExMechanism, LoginExResponse, LoginExResponseType } from 'app/interfaces/auth.interface';
+import {
+  AuthenticatorLoginLevel, LoginExMechanism, LoginExResponse, LoginExResponseType,
+} from 'app/interfaces/auth.interface';
 import { DashConfigItem } from 'app/interfaces/dash-config-item.interface';
 import { LoggedInUser } from 'app/interfaces/ds-cache.interface';
 import { Preferences } from 'app/interfaces/preferences.interface';
@@ -58,6 +60,7 @@ describe('AuthService', () => {
         mockCall('auth.generate_token', 'DUMMY_TOKEN'),
         mockCall('auth.logout'),
         mockCall('auth.login_ex', {
+          authenticator: AuthenticatorLoginLevel.Level1,
           response_type: LoginExResponseType.Success,
           user_info: {
             privilege: { webui_access: true },
@@ -135,6 +138,35 @@ describe('AuthService', () => {
       expect(spectator.inject(ApiService).call).not.toHaveBeenCalledWith('auth.me');
       expect(spectator.inject(ApiService).call).toHaveBeenCalledWith('auth.generate_token');
     });
+
+    it('initializes auth session with LEVEL_2 with no token support.', () => {
+      timer$.next(0);
+
+      // Mock the auth.login_ex response for LEVEL_2 authentication
+      spectator.inject(MockApiService).mockCall('auth.login_ex', {
+        authenticator: AuthenticatorLoginLevel.Level2,
+        response_type: LoginExResponseType.Success,
+        user_info: {
+          privilege: { webui_access: true },
+        },
+      } as LoginExResponse);
+
+      const obs$ = spectator.service.login('dummy', 'dummy');
+
+      testScheduler.run(({ expectObservable }) => {
+        expectObservable(obs$).toBe(
+          '(a|)',
+          { a: LoginResult.Success },
+        );
+      });
+
+      expect(spectator.inject(ApiService).call).toHaveBeenCalledWith(
+        'auth.login_ex',
+        [{ mechanism: 'PASSWORD_PLAIN', username: 'dummy', password: 'dummy' }],
+      );
+      expect(spectator.inject(ApiService).call).not.toHaveBeenCalledWith('auth.me');
+      expect(spectator.inject(ApiService).call).not.toHaveBeenCalledWith('auth.generate_token');
+    });
   });
 
   describe('Logout', () => {

src/app/modules/auth/auth.service.ts

@@ -18,8 +18,11 @@ import {
 import { AccountAttribute } from 'app/enums/account-attribute.enum';
 import { LoginResult } from 'app/enums/login-result.enum';
 import { Role } from 'app/enums/role.enum';
+import { filterAsync } from 'app/helpers/operators/filter-async.operator';
 import { WINDOW } from 'app/helpers/window.helper';
-import { LoginExMechanism, LoginExResponse, LoginExResponseType } from 'app/interfaces/auth.interface';
+import {
+  AuthenticatorLoginLevel, LoginExMechanism, LoginExResponse, LoginExResponseType,
+} from 'app/interfaces/auth.interface';
 import { LoggedInUser } from 'app/interfaces/ds-cache.interface';
 import { GlobalTwoFactorConfig } from 'app/interfaces/two-factor-config.interface';
 import { DialogService } from 'app/modules/dialog/dialog.service';
@@ -56,6 +59,7 @@ export class AuthService {
   private generateTokenSubscription: Subscription | null;
 
   readonly user$ = this.loggedInUser$.asObservable();
+  readonly isTokenAllowed$ = new BehaviorSubject<boolean>(false);
 
   /**
    * Special case that only matches root and admin users.
@@ -83,6 +87,7 @@ export class AuthService {
   ) {
     this.setupAuthenticationUpdate();
     this.setupWsConnectionUpdate();
+    this.setupPeriodicTokenGeneration();
     this.setupTokenUpdate();
   }
 
@@ -205,10 +210,14 @@ export class AuthService {
 
           this.wsStatus.setLoginStatus(true);
           this.window.sessionStorage.setItem('loginBannerDismissed', 'true');
-          return this.authToken$.pipe(
-            take(1),
-            map(() => LoginResult.Success),
-          );
+          if (result?.authenticator === AuthenticatorLoginLevel.Level1) {
+            this.isTokenAllowed$.next(true);
+            return this.authToken$.pipe(
+              take(1),
+              map(() => LoginResult.Success),
+            );
+          }
+          return of(LoginResult.Success);
         }
         this.wsStatus.setLoginStatus(false);
 
@@ -221,14 +230,19 @@ export class AuthService {
   }
 
   private setupPeriodicTokenGeneration(): void {
-    if (!this.generateTokenSubscription || this.generateTokenSubscription.closed) {
-      this.generateTokenSubscription = timer(0, this.tokenRegenerationTimeMillis).pipe(
-        switchMap(() => this.wsStatus.isAuthenticated$.pipe(take(1))),
-        filter(Boolean),
-        switchMap(() => this.api.call('auth.generate_token')),
-        tap((token) => this.latestTokenGenerated$.next(token)),
-      ).subscribe();
-    }
+    this.isTokenAllowed$.pipe(
+      filter(Boolean),
+      filterAsync(() => this.wsStatus.isAuthenticated$),
+    ).subscribe(() => {
+      if (!this.generateTokenSubscription || this.generateTokenSubscription.closed) {
+        this.generateTokenSubscription = timer(0, this.tokenRegenerationTimeMillis).pipe(
+          switchMap(() => this.wsStatus.isAuthenticated$.pipe(take(1))),
+          filter(Boolean),
+          switchMap(() => this.api.call('auth.generate_token')),
+          tap((token) => this.latestTokenGenerated$.next(token)),
+        ).subscribe();
+      }
+    });
   }
 
   private getLoggedInUserInformation(): Observable<LoggedInUser> {
@@ -240,11 +254,10 @@ export class AuthService {
   }
 
   private setupAuthenticationUpdate(): void {
-    this.wsStatus.isAuthenticated$.subscribe({
+    this.wsStatus.isAuthenticated$.pipe().subscribe({
       next: (isAuthenticated) => {
         if (isAuthenticated) {
           this.store$.dispatch(adminUiInitialized());
-          this.setupPeriodicTokenGeneration();
         } else if (this.generateTokenSubscription) {
           this.latestTokenGenerated$?.complete();
           this.latestTokenGenerated$ = new ReplaySubject<string>(1);

src/app/pages/system/advanced/system-security/system-security-form/system-security-form.component.html

@@ -20,9 +20,8 @@
         [tooltip]="'Enable this mode to enhance system security to meet US federal government security requirements. Note that enabling STIG mode will restrict some functionality.' | translate"
       ></ix-slide-toggle>
 
-      <p class="hint">
-        {{ 'Restart is required after changing these settings.' | translate }}
-      </p>
+      <mat-hint>{{ 'Global Two-Factor Authentication must be enabled to activate this feature.' | translate }}</mat-hint>
+      <mat-hint>{{ 'Restart is required after changing these settings.' | translate }}</mat-hint>
 
       <div class="form-actions">
         <button

src/app/pages/system/advanced/system-security/system-security-form/system-security-form.component.scss

@@ -4,6 +4,7 @@
   }
 }
 
-.hint {
+mat-hint {
+  display: flex;
   font-size: 12px;
 }

src/app/pages/system/advanced/system-security/system-security-form/system-security-form.component.ts

@@ -1,11 +1,12 @@
 import {
-  ChangeDetectionStrategy, ChangeDetectorRef, Component, OnInit,
+  ChangeDetectionStrategy, Component, OnInit,
+  signal,
 } from '@angular/core';
 import { FormBuilder, ReactiveFormsModule } from '@angular/forms';
 import { MatButton } from '@angular/material/button';
 import { MatCard, MatCardContent } from '@angular/material/card';
+import { MatHint } from '@angular/material/form-field';
 import { UntilDestroy, untilDestroyed } from '@ngneat/until-destroy';
-import { Store } from '@ngrx/store';
 import { TranslateService, TranslateModule } from '@ngx-translate/core';
 import { of } from 'rxjs';
 import { RequiresRolesDirective } from 'app/directives/requires-roles/requires-roles.directive';
@@ -19,7 +20,6 @@ import { SnackbarService } from 'app/modules/snackbar/services/snackbar.service'
 import { TestDirective } from 'app/modules/test-id/test.directive';
 import { ApiService } from 'app/modules/websocket/api.service';
 import { ErrorHandlerService } from 'app/services/error-handler.service';
-import { AppState } from 'app/store';
 
 @UntilDestroy()
 @Component({
@@ -38,6 +38,7 @@ import { AppState } from 'app/store';
     MatButton,
     TestDirective,
     TranslateModule,
+    MatHint,
   ],
 })
 export class SystemSecurityFormComponent implements OnInit {
@@ -48,14 +49,12 @@ export class SystemSecurityFormComponent implements OnInit {
     enable_gpos_stig: [false],
   });
 
-  private systemSecurityConfig: SystemSecurityConfig;
+  private systemSecurityConfig = signal<SystemSecurityConfig>(this.slideInRef.getData());
 
   constructor(
     private formBuilder: FormBuilder,
-    private cdr: ChangeDetectorRef,
     private translate: TranslateService,
     private snackbar: SnackbarService,
-    private store$: Store<AppState>,
     private dialogService: DialogService,
     private api: ApiService,
     private errorHandler: ErrorHandlerService,
@@ -64,11 +63,10 @@ export class SystemSecurityFormComponent implements OnInit {
     this.slideInRef.requireConfirmationWhen(() => {
       return of(this.form.dirty);
     });
-    this.systemSecurityConfig = this.slideInRef.getData();
   }
 
   ngOnInit(): void {
-    if (this.systemSecurityConfig) {
+    if (this.systemSecurityConfig()) {
       this.initSystemSecurityForm();
     }
   }
@@ -92,7 +90,11 @@ export class SystemSecurityFormComponent implements OnInit {
   }
 
   private initSystemSecurityForm(): void {
-    this.form.patchValue(this.systemSecurityConfig);
-    this.cdr.markForCheck();
+    this.form.patchValue(this.systemSecurityConfig());
+    this.form.controls.enable_gpos_stig.valueChanges.pipe(untilDestroyed(this)).subscribe((value) => {
+      if (value && !this.form.controls.enable_fips.value) {
+        this.form.patchValue({ enable_fips: true });
+      }
+    });
   }
 }

src/app/services/fips.service.spec.ts

@@ -7,6 +7,7 @@ import {
 import { of } from 'rxjs';
 import { fakeSuccessfulJob } from 'app/core/testing/utils/fake-job.utils';
 import { mockJob, mockApi } from 'app/core/testing/utils/mock-api.utils';
+import { AuthService } from 'app/modules/auth/auth.service';
 import { DialogService } from 'app/modules/dialog/dialog.service';
 import { ApiService } from 'app/modules/websocket/api.service';
 import { FipsService } from 'app/services/fips.service';
@@ -26,6 +27,9 @@ describe('FipsService', () => {
       mockApi([
         mockJob('failover.reboot.other_node', fakeSuccessfulJob()),
       ]),
+      mockProvider(AuthService, {
+        clearAuthToken: jest.fn(),
+      }),
     ],
   });
 
@@ -42,6 +46,7 @@ describe('FipsService', () => {
           buttonText: 'Restart Now',
         }),
       );
+      expect(spectator.inject(AuthService).clearAuthToken).toHaveBeenCalled();
       expect(spectator.inject(Router).navigate).toHaveBeenCalledWith(['/system-tasks/restart'], { skipLocationChange: true });
     });
   });

src/app/services/fips.service.ts

@@ -5,6 +5,7 @@ import { Observable, of, switchMap } from 'rxjs';
 import {
   filter, tap,
 } from 'rxjs/operators';
+import { AuthService } from 'app/modules/auth/auth.service';
 import { DialogService } from 'app/modules/dialog/dialog.service';
 import { SnackbarService } from 'app/modules/snackbar/services/snackbar.service';
 import { ApiService } from 'app/modules/websocket/api.service';
@@ -27,6 +28,7 @@ export class FipsService {
     private snackbar: SnackbarService,
     private api: ApiService,
     private errorHandler: ErrorHandlerService,
+    private authService: AuthService,
   ) {}
 
   promptForRestart(): Observable<unknown> {
@@ -38,6 +40,7 @@ export class FipsService {
       .pipe(
         tap((approved) => {
           if (approved) {
+            this.authService.clearAuthToken();
             this.restart();
           }
         }),

src/assets/i18n/af.json

@@ -2060,6 +2060,7 @@
   "Global Target Configuration": "",
   "Global Two Factor Authentication": "",
   "Global Two Factor Authentication Settings": "",
+  "Global Two-Factor Authentication must be enabled to activate this feature.": "",
   "Global password to unlock SEDs.": "",
   "Gmail": "",
   "Go Back": "",

src/assets/i18n/ar.json

@@ -2060,6 +2060,7 @@
   "Global Target Configuration": "",
   "Global Two Factor Authentication": "",
   "Global Two Factor Authentication Settings": "",
+  "Global Two-Factor Authentication must be enabled to activate this feature.": "",
   "Global password to unlock SEDs.": "",
   "Gmail": "",
   "Go Back": "",

src/assets/i18n/ast.json

@@ -2060,6 +2060,7 @@
   "Global Target Configuration": "",
   "Global Two Factor Authentication": "",
   "Global Two Factor Authentication Settings": "",
+  "Global Two-Factor Authentication must be enabled to activate this feature.": "",
   "Global password to unlock SEDs.": "",
   "Gmail": "",
   "Go Back": "",

src/assets/i18n/az.json

@@ -2060,6 +2060,7 @@
   "Global Target Configuration": "",
   "Global Two Factor Authentication": "",
   "Global Two Factor Authentication Settings": "",
+  "Global Two-Factor Authentication must be enabled to activate this feature.": "",
   "Global password to unlock SEDs.": "",
   "Gmail": "",
   "Go Back": "",

src/assets/i18n/be.json

@@ -2060,6 +2060,7 @@
   "Global Target Configuration": "",
   "Global Two Factor Authentication": "",
   "Global Two Factor Authentication Settings": "",
+  "Global Two-Factor Authentication must be enabled to activate this feature.": "",
   "Global password to unlock SEDs.": "",
   "Gmail": "",
   "Go Back": "",

src/assets/i18n/bg.json

@@ -2060,6 +2060,7 @@
   "Global Target Configuration": "",
   "Global Two Factor Authentication": "",
   "Global Two Factor Authentication Settings": "",
+  "Global Two-Factor Authentication must be enabled to activate this feature.": "",
   "Global password to unlock SEDs.": "",
   "Gmail": "",
   "Go Back": "",

src/assets/i18n/bn.json

@@ -2060,6 +2060,7 @@
   "Global Target Configuration": "",
   "Global Two Factor Authentication": "",
   "Global Two Factor Authentication Settings": "",
+  "Global Two-Factor Authentication must be enabled to activate this feature.": "",
   "Global password to unlock SEDs.": "",
   "Gmail": "",
   "Go Back": "",

src/assets/i18n/br.json

@@ -2060,6 +2060,7 @@
   "Global Target Configuration": "",
   "Global Two Factor Authentication": "",
   "Global Two Factor Authentication Settings": "",
+  "Global Two-Factor Authentication must be enabled to activate this feature.": "",
   "Global password to unlock SEDs.": "",
   "Gmail": "",
   "Go Back": "",

src/assets/i18n/bs.json

@@ -2060,6 +2060,7 @@
   "Global Target Configuration": "",
   "Global Two Factor Authentication": "",
   "Global Two Factor Authentication Settings": "",
+  "Global Two-Factor Authentication must be enabled to activate this feature.": "",
   "Global password to unlock SEDs.": "",
   "Gmail": "",
   "Go Back": "",

src/assets/i18n/ca.json

@@ -2060,6 +2060,7 @@
   "Global Target Configuration": "",
   "Global Two Factor Authentication": "",
   "Global Two Factor Authentication Settings": "",
+  "Global Two-Factor Authentication must be enabled to activate this feature.": "",
   "Global password to unlock SEDs.": "",
   "Gmail": "",
   "Go Back": "",

src/assets/i18n/cs.json

@@ -1606,6 +1606,7 @@
   "Global Target Configuration": "",
   "Global Two Factor Authentication": "",
   "Global Two Factor Authentication Settings": "",
+  "Global Two-Factor Authentication must be enabled to activate this feature.": "",
   "Gmail": "",
   "Go Back": "",
   "Go To Dataset": "",