initial commit

Author: cvogt729

LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2024, Automatic Controls Equipment Systems, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1,32 @@
+
+# MFA Add-On
+
+WebCTRL is a trademark of Automated Logic Corporation. Any other trademarks mentioned herein are the property of their respective owners.
+
+## Installation
+
+1. If your server requires signed add-ons, copy the authenticating certificate [*ACES.cer*](https://github.com/automatic-controls/addon-dev-script/blob/main/ACES.cer?raw=true) to the *./addons* directory of your WebCTRL installation folder.
+
+2. Install [*MFA.addon*](https://github.com/automatic-controls/mfa-addon/releases/latest/download/MFA.addon) using the WebCTRL interface.
+
+## General Information
+
+This add-on provides the ability to use multi-factor authentication when logging into WebCTRL. This add-on has been tested on WebCTRL8.5 and WebCTRL9.0. The add-on uses WebCTRL's email server configuration to send a random 6-digit code to a user's email address upon login. Security codes expire in 5 minutes, and users get 3 attempts to enter the code correctly. After logging in, an item will show up in the system menu allowing users to configure or change the MFA email address associated to their account.
+
+![](./root/webapp/images/system_menu.png)
+
+- After installing the add-on, you must logout and login for the *Configure MFA* button to show up in the system menu.
+
+System administrators can change settings in the add-on's main page. MFA emails can be viewed or changed for any user. If a user accidentically configures an incorrect email for MFA, a system administrator can navigate to this page and delete the relevant email mapping.
+
+![](./root/webapp/images/main_page.png)
+
+Users can be added to a restriction bypass whitelist which makes them behave as if MFA is not enforced, service logins are allowed, and MFA bypass on email server failure is enabled (described in more detail below).
+
+| Setting | Description |
+| - | - |
+| ***Enforce MFA*** | When MFA is enforced, all non-whitelisted users will be forced to configure MFA when they login. |
+| ***Allow Service Logins*** | When unchecked, non-whitelisted users with MFA enabled will be unable to login to WebCTRL services such as SOAP and TELNET (these services are incompatible with MFA). |
+| ***Bypass MFA on Email Server Failure*** | When WebCTRL fails to connect to its email server, MFA security codes cannot be sent. This option permits MFA to be bypassed in such a case. Otherwise, non-whitelisted users with MFA enabled will not be able to login. |
+
+I suggest adding a least one operator to the restriction bypass whitelist, especially if MFA is enforced and bypass MFA on email failure is disabled. Whitelisted operators can still configure and use MFA on their accounts.

config/BUILD_DETAILS

@@ -0,0 +1,26 @@
+JDK Version:
+openjdk 22.0.1 2024-04-16
+OpenJDK Runtime Environment (build 22.0.1+8-16)
+OpenJDK 64-Bit Server VM (build 22.0.1+8-16, mixed mode, sharing)
+
+Compilation Flags:
+--release 11
+
+Runtime Dependencies:
+addonsupport-api-addon-1.10.0
+alarmmanager-api-addon-1.10.0
+bacnet-api-core-1.10.007-20240227.1003r
+directaccess-api-addon-1.10.0
+tomcat-embed-core-9.0.87
+webaccess-api-addon-1.10.0
+xdatabase-api-addon-1.10.0
+common-9.0.002
+commonbaseutils-2.0.5
+commonexceptions-9.0.002
+core-9.0.002
+core-api-9.0.002
+extensionsupport-api-9.0.002
+javax.mail-1.5.6
+webaccess-api-9.0.002
+
+Packaged Dependencies:

config/COMPILE_FLAGS

@@ -0,0 +1 @@
+--release 11

config/RUNTIME_DEPS

@@ -0,0 +1,8 @@
+file:core:modules\core
+file:core-api:modules\core
+file:common:modules\common
+file:commonexceptions:modules\commonexceptions
+file:commonbaseutils:bin\lib
+file:webaccess-api:modules\webaccess
+file:extensionsupport-api:modules\extensionsupport
+file:javax.mail:bin\lib

ext/deploy.bat

@@ -0,0 +1,57 @@
+@echo off
+if "%WebCTRL%" EQU "" goto :bad
+if "%addonFile%" EQU "" goto :bad
+if "%certFile%" EQU "" goto :bad
+if /i "%*" EQU "--help" (
+  echo DEPLOY            Copies the .addon archive and certificate file to the bound WebCTRL installation.
+  exit /b 0
+)
+if "%*" NEQ "" (
+  echo Unexpected parameter.
+  exit /b 1
+)
+if not exist "%addonFile%" (
+  echo Cannot deploy because !name!.addon does not exist.
+  exit /b 1
+)
+echo Deploying...
+if "!name!" EQU "AddonDevRefresher" (
+  echo Cannot be used to self-deploy.
+  echo Deployment unsuccessful.
+  exit /b 1
+)
+if not exist "%WebCTRL%\programdata\addons" mkdir "%WebCTRL%\programdata\addons" >nul 2>nul
+copy /y "%certFile%" "%WebCTRL%\programdata\addons\%certFileName%" >nul
+copy /y "%addonFile%" "%WebCTRL%\programdata\addons\!name!.update" >nul
+if %ErrorLevel% NEQ 0 (
+  echo Deployment unsuccessful.
+  exit /b 1
+)
+set /a count=0
+:waitUpdate
+timeout 1 /nobreak >nul
+set /a count+=1
+if exist "%WebCTRL%\programdata\addons\!name!.update" (
+  if "%count%" EQU "60" (
+    echo Timeout occurred.
+    echo Deployment unsuccessful.
+    exit /b 1
+  ) else (
+    goto :waitUpdate
+  )
+)
+if exist "%WebCTRL%\programdata\addons\!name!.addon" (
+  echo Deployment successful.
+  exit /b 0
+) else (
+  echo Deployment unsuccessful.
+  exit /b 1
+)
+
+:bad
+  echo This script should not be invoked as a stand-alone application.
+  echo You must use this file as an extension to addon-dev-script.
+  echo https://github.com/automatic-controls/addon-dev-script
+  echo Press any key to exit.
+  pause >nul
+exit /b 1

root/info.xml

@@ -0,0 +1,8 @@
+<extension version="1">
+  <name>MFA</name>
+  <description>In order to provide MFA, one-time security codes are emailed to users upon login.</description>
+  <version>0.1.0</version>
+  <vendor>Automatic Controls Equipment Systems, Inc.</vendor>
+  <web-operator-provider>aces.webctrl.mfa.core.MFAProvider</web-operator-provider>
+  <system-menu-provider>aces.webctrl.mfa.web.SystemMenuEditor</system-menu-provider>
+</extension>

root/webapp/WEB-INF/web.xml

@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<web-app>
+
+  <listener>
+    <listener-class>aces.webctrl.mfa.core.Initializer</listener-class>
+  </listener>
+
+  <welcome-file-list>
+    <welcome-file>index</welcome-file>
+  </welcome-file-list>
+
+  <servlet>
+    <servlet-name>MainPage</servlet-name>
+    <servlet-class>aces.webctrl.mfa.web.MainPage</servlet-class>
+  </servlet>
+  <servlet-mapping>
+    <servlet-name>MainPage</servlet-name>
+    <url-pattern>/index</url-pattern>
+  </servlet-mapping>
+
+  <servlet>
+    <servlet-name>QueryMFAPage</servlet-name>
+    <servlet-class>aces.webctrl.mfa.web.QueryMFAPage</servlet-class>
+  </servlet>
+  <servlet-mapping>
+    <servlet-name>QueryMFAPage</servlet-name>
+    <url-pattern>/QueryMFA</url-pattern>
+  </servlet-mapping>
+
+  <servlet>
+    <servlet-name>ConfigureMFAPage</servlet-name>
+    <servlet-class>aces.webctrl.mfa.web.ConfigureMFAPage</servlet-class>
+  </servlet>
+  <servlet-mapping>
+    <servlet-name>ConfigureMFAPage</servlet-name>
+    <url-pattern>/ConfigureMFA</url-pattern>
+  </servlet-mapping>
+
+  <servlet>
+    <servlet-name>ChangeEmailPage</servlet-name>
+    <servlet-class>aces.webctrl.mfa.web.ChangeEmailPage</servlet-class>
+  </servlet>
+  <servlet-mapping>
+    <servlet-name>ChangeEmailPage</servlet-name>
+    <url-pattern>/ChangeEmail</url-pattern>
+  </servlet-mapping>
+
+  <security-constraint>
+    <web-resource-collection>
+      <web-resource-name>WEB</web-resource-name>
+      <url-pattern>/*</url-pattern>
+    </web-resource-collection>
+  </security-constraint>
+
+  <filter>
+    <filter-name>RoleFilterAJAX</filter-name>
+    <filter-class>com.controlj.green.addonsupport.web.RoleFilter</filter-class>
+    <init-param>
+      <param-name>roles</param-name>
+      <param-value>login</param-value>
+    </init-param>
+  </filter>
+  <filter-mapping>
+    <filter-name>RoleFilterAJAX</filter-name>
+    <url-pattern>/documentation.html</url-pattern>
+    <url-pattern>/documentation.md</url-pattern>
+  </filter-mapping>
+
+</web-app>