SL-16514 store mfa hash in protected data using LLSecAPIBasicHandler

2022-01-14 22:24:52 -08:00 · 2022-01-14 22:24:52 -08:00 · 96a6d21086
parent 90dbc4eaf7
commit 96a6d21086
4 changed files with 26 additions and 5 deletions
--- a/indra/newview/app_settings/settings_per_account.xml
+++ b/indra/newview/app_settings/settings_per_account.xml
@ -441,7 +441,7 @@
        <key>Comment</key>
        <string>MFA state hash for authentication</string>
        <key>Persist</key>
-        <integer>1</integer>
+        <integer>0</integer>
        <key>Type</key>
        <string>String</string>
        <key>Value</key>
--- a/indra/newview/lllogininstance.cpp
+++ b/indra/newview/lllogininstance.cpp
@ -228,11 +228,20 @@ void LLLoginInstance::constructAuthParams(LLPointer<LLCredential> user_credentia
 	request_params["host_id"] = gSavedSettings.getString("HostID");
 	request_params["extended_errors"] = true; // request message_id and message_args
 	request_params["token"] = "";
-	request_params["slmfa_hash"] = gSavedPerAccountSettings.getString("SLMFAHash");

-    // log request_params _before_ adding the credentials   
+    // log request_params _before_ adding the credentials or sensitive MFA hash data
    LL_DEBUGS("LLLogin") << "Login parameters: " << LLSDOStreamer<LLSDNotationFormatter>(request_params) << LL_ENDL;

+    std::string slmfa_hash = gSavedPerAccountSettings.getString("SLMFAHash"); //non-persistent to enable testing
+    if(slmfa_hash.empty())
+    {
+        LLPointer<LLSecAPIHandler> basic_secure_store = getSecHandler(BASIC_SECHANDLER);
+        std::string grid(LLGridManager::getInstance()->getGridId());
+        slmfa_hash = basic_secure_store->getProtectedData("slmfa_hash", grid).asString();
+    }
+
+    request_params["slmfa_hash"] = slmfa_hash;
+
    // Copy the credentials into the request after logging the rest
    LLSD credentials(user_credential->getLoginParams());
    for (LLSD::map_const_iterator it = credentials.beginMap();
@ -417,7 +426,7 @@ void LLLoginInstance::handleLoginFailure(const LLSD& event)

        LLSD data(LLSD::emptyMap());
        data["message"] = message_response;
-        data["reply_pump"] = MFA_REPLY_PUMP;
+        data["reply_pump"] = MFA_REPLY_PUMP
        if (gViewerWindow)
        {
            gViewerWindow->setShowProgress(FALSE);
--- a/indra/newview/llstartup.cpp
+++ b/indra/newview/llstartup.cpp
@ -133,6 +133,7 @@
 #include "llproxy.h"
 #include "llproductinforequest.h"
 #include "llqueryflags.h"
+#include "llsecapi.h"
 #include "llselectmgr.h"
 #include "llsky.h"
 #include "llstatview.h"
@ -3599,7 +3600,9 @@ bool process_login_success_response()

 	if(response.has("slmfa_hash"))
 	{
-		gSavedPerAccountSettings.setString("SLMFAHash", response["slmfa_hash"]);
+		LLPointer<LLSecAPIHandler> basic_secure_store = getSecHandler(BASIC_SECHANDLER);
+		std::string grid(LLGridManager::getInstance()->getGridId());
+		basic_secure_store->setProtectedData("slmfa_hash", grid, response["slmfa_hash"]);
 	}

 	bool success = false;
--- a/indra/newview/tests/lllogininstance_test.cpp
+++ b/indra/newview/tests/lllogininstance_test.cpp
@ -186,6 +186,15 @@ std::string LLGridManager::getAppSLURLBase(const std::string& grid_name)
 {
 	return "myappslurl";
 }
+std::string LLGridManager::getGridId(const std::string& grid)
+{
+    return std::string();
+}
+
+LLPointer<LLSecAPIHandler> getSecHandler(const std::string& handler_type)
+{
+    return nullptr;
+}

 //-----------------------------------------------------------------------------
 #include "../llviewercontrol.h"