Setting Ownership of keys

README.md

@@ -52,7 +52,8 @@ Depends on
    MFA_RECHECK_MIN=10         # Minimum interval in seconds
    MFA_RECHECK_MAX=30         # Maximum in seconds
    MFA_QUICKLOGIN=True        # Allow quick login for returning users by provide only their 2FA
-   MFA_HIDE_DISABLE=('FIDO2',)     # Can the user disable his key (Added in 1.2.0).   
+   MFA_HIDE_DISABLE=('FIDO2',)     # Can the user disable his key (Added in 1.2.0).
+   MFA_OWNED_BY_ENTERPRISE = FALSE  # Who ownes security keys   
 
    TOKEN_ISSUER_NAME="PROJECT_NAME"      #TOTP Issuer name
 
@@ -68,8 +69,9 @@ Depends on
    * Trusted_Devices
    * Email
    
-   **Note**: Starting version 1.1, ~~FIDO_LOGIN_URL~~ isn't required for FIDO2 anymore.
+   **Notes**:
-   
+    * Starting version 1.1, ~~FIDO_LOGIN_URL~~ isn't required for FIDO2 anymore.
+    * Starting version 1.6.0, Key owners can be specified.
 1. Break your login function
 
    Usually your login function will check for username and password, log the user in if the username and password are correct and create the user session, to support mfa, this has to change

mfa/FIDO2.py

@@ -52,6 +52,7 @@ def complete_reg(request):
         uk=User_Keys()
         uk.username = request.user.username
         uk.properties = {"device":encoded,"type":att_obj.fmt,}
+        uk.owned_by_enterprise=getattr(settings,"MFA_OWNED_BY_ENTERPRISE",False)
         uk.key_type = "FIDO2"
         uk.save()
         return HttpResponse(simplejson.dumps({'status': 'OK'}))

mfa/U2F.py

@@ -89,6 +89,7 @@ def bind(request):
     User_Keys.objects.filter(username=request.user.username,key_type="U2F").delete()
     uk = User_Keys()
     uk.username = request.user.username
+    uk.owned_by_enterprise = getattr(settings, "MFA_OWNED_BY_ENTERPRISE", False)
     uk.properties = {"device":simplejson.loads(device.json),"cert":cert_hash}
     uk.key_type = "U2F"
     uk.save()

mfa/migrations/0009_user_keys_owned_by_enterprise.py

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import models, migrations
+from django.conf import settings
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('mfa', '0008_user_keys_last_used'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='user_keys',
+            name='owned_by_enterprise',
+            field=models.NullBooleanField(default=None),
+        ),
+        migrations.RunSQL("update mfa_user_keys set owned_by_enterprise = %s where key_type='FIDO2'"%(1 if getattr(settings,"MFA_OWNED_BY_ENTERPRISE",False) else 0 ))
+    ]

mfa/models.py

@@ -13,6 +13,8 @@ class User_Keys(models.Model):
     enabled=models.BooleanField(default=True)
     expires=models.DateTimeField(null=True,default=None,blank=True)
     last_used=models.DateTimeField(null=True,default=None,blank=True)
+    owned_by_enterprise=models.NullBooleanField(default=None,null=True,blank=True)
+
     def save(self, force_insert=False, force_update=False, using=None, update_fields=None):
         if self.key_type == "Trusted Device" and self.properties.get("signature","") == "":
             self.properties["signature"]= jwt.encode({"username": self.username, "key": self.properties["key"]}, settings.SECRET_KEY)

setup.py

@@ -4,7 +4,7 @@ from setuptools import find_packages, setup
 
 setup(
     name='django-mfa2',
-    version='1.5.0',
+    version='1.6.0',
     description='Allows user to add 2FA to their accounts',
     long_description=open("README.md").read(),
     long_description_content_type="text/markdown",