
Implement OTP/AgentAuthentication in the Island #3078

Closed
26 of 32 tasks
Tracked by #2049
mssalvatore opened this issue Mar 9, 2023 · 2 comments

Comments

mssalvatore (Collaborator) commented Mar 9, 2023

Description

Tasks

  • Investigate the OTP generation methods used and improve OTP infrastructure (0d) @cakekoa:
    • Remove unused endpoints
    • Make sure the secrets are properly generated
      • Use our secure_generate_random_string() utility, with at least the 62 alphanumeric, preferably with known command-line safe chars as well
      • 32 characters
    • Define a reasonable timeout
      • 2 minutes
  • Rate limit the token-fetching API (preferably we just generate very large (32 bytes or larger) OTPs)
    • Still want to do this, to prevent DoS. Can we do this on a per-user level? Look at Flask's offerings
    • Prevent OTP reuse: Make sure used OTPs cannot be reused
  • Implement the endpoint for authenticated agents to fetch an OTP. (0d) - @shreyamalviya
  • Implement the endpoint where the agent could submit the OTP to get an authentication token. (0d) - @shreyamalviya
    • Create agent user/role
    • Invalidate the token if it has been used.
  • Secure relevant endpoints for the agent user roles. All endpoints should require authentication by the island user and/or the agent user, except login and registration. (0d) - @shreyamalviya
  • Make sure tokens/session are cleaned up properly on timeout or on agent shutdown. (0d) @cakekoa
    • Delete agent users
    • Delete any agent users that do not exist in the agent repository (watch out for race conditions)
  • Change the manual run UI to generate commands with OTPs. (0.5d) @cakekoa
    • (optional) Add a BB test for manual runs
    • Make OTP all * @ilija-lazoroski
    • Add a refresh button to refresh the OTP
    • Refresh automatically every time the "copy to clipboard" button is pushed
    • Refresh automatically on ctrl-c
    • Display a countdown @cakekoa
      • Better display?
  • Change the "Run from island" button to generate and execute an OTP (0d) @cakekoa
  • Update documentation for the manual run page (0d) - @shreyamalviya
  • Make sure we're using the OTP objects everywhere and not strings. @mssalvatore
  • Make the Token type a SecretStr and move it to common (use in the Agent as well) (0.25d) @cakekoa
  • Agent logs out after cleanup (0d) @cakekoa
  • Invalidate all OTPs on startup. @cakekoa
  • Rate limit the login endpoint (3/second should be plenty for an interactive login, yeah?) @mssalvatore
    • Add BB test (Not worth the struggle ATM.)
  • Fix agent otp rate limiting key (user, not ip) @cakekoa
  • Remove the AGENT_OTP_FLAG feature flag (agent)
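The OTP requirements in the task list above (32 alphanumeric characters from a CSPRNG, a 2-minute timeout, no reuse, invalidate everything on startup) fit in one small store. The following is an added example, not Infection Monkey's own code: `secrets` stands in for the project's `secure_generate_random_string()`, and the at-rest representation is a salted SHA-256 digest, which the Apr 7 commit message further down the thread describes as adequate for OTPs with a 2-minute TTL. The store-wide salt and the injectable clock are this example's own choices, made so the digest can serve as the lookup key and so expiry can be exercised without sleeping.

```python
"""Issue-and-redeem store for agent one-time passwords (OTPs).

Added example (not Infection Monkey's code). Properties demonstrated:
a 32-character OTP drawn from the 62 alphanumeric characters via the OS
CSPRNG, a 2-minute TTL, single use, and invalidation of every outstanding
OTP when the Island process restarts. Only a salted SHA-256 digest of each
OTP is held at rest; the salt is per store, so the digest doubles as the
lookup key. The clock is injectable so expiry can be tested deterministically.
"""
import hashlib
import secrets
import string
import time
from typing import Callable, Dict

# The 62 alphanumeric characters; all are safe to paste into a shell command line.
OTP_ALPHABET = string.ascii_letters + string.digits
OTP_LENGTH = 32          # ~190 bits of entropy: online brute force is not a concern
OTP_TTL_SECONDS = 120    # "Define a reasonable timeout: 2 minutes"


def generate_otp(length: int = OTP_LENGTH) -> str:
    """Stand-in for the project's secure_generate_random_string(): CSPRNG-backed."""
    return "".join(secrets.choice(OTP_ALPHABET) for _ in range(length))


class OTPStore:
    """Holds salted SHA-256 digests of issued OTPs; each one redeems at most once."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # A fresh salt on every process start means digests recorded by a previous
        # run can never match again, which is what "invalidate all OTPs on startup" needs.
        self._salt = secrets.token_bytes(16)
        self._expiry: Dict[bytes, float] = {}   # digest -> absolute expiry time

    def _digest(self, otp: str) -> bytes:
        return hashlib.sha256(self._salt + otp.encode("utf-8")).digest()

    def issue(self) -> str:
        """Generate an OTP, record only its digest, and hand the plaintext out once."""
        otp = generate_otp()
        self._expiry[self._digest(otp)] = self._clock() + OTP_TTL_SECONDS
        return otp

    def redeem(self, otp: str) -> bool:
        """Return True exactly once per OTP, and only before it expires."""
        # pop() removes the record, so a second presentation of the same OTP finds nothing.
        expires_at = self._expiry.pop(self._digest(otp), None)
        if expires_at is None:
            return False     # never issued, already used, or issued before a restart
        return self._clock() <= expires_at

    def purge_expired(self) -> int:
        """Drop stale records so the store cannot grow without bound; returns how many."""
        now = self._clock()
        stale = [d for d, exp in self._expiry.items() if now > exp]
        for d in stale:
            del self._expiry[d]
        return len(stale)

    def outstanding(self) -> int:
        return len(self._expiry)


def demo() -> dict:
    """Walk the OTP lifecycle on a fake clock and report each outcome."""
    now = [1_000_000.0]
    store = OTPStore(clock=lambda: now[0])
    otp = store.issue()
    first, replay = store.redeem(otp), store.redeem(otp)   # second use must fail
    stale = store.issue()
    now[0] += OTP_TTL_SECONDS + 1                          # past the 2-minute TTL
    expired = store.redeem(stale)
    survivor = store.issue()
    restarted = OTPStore(clock=lambda: now[0])             # simulates an Island restart
    return {
        "first": first,
        "replay": replay,
        "expired": expired,
        "after_restart": restarted.redeem(survivor),
        "garbage": store.redeem("A" * OTP_LENGTH),
    }


if __name__ == "__main__":
    print(demo())
```

Keying the store by digest rather than by OTP means a database dump yields nothing redeemable, and deleting on redemption (instead of flagging) is what makes replay fail closed: the second presentation is indistinguishable from a token that was never issued.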
ilija-lazoroski (Contributor) commented:

passlib as a whole doesn't have OTP generation algorithms, but it has an otp wrapper for the oath library which provides a TOTP class for generating TOTP (Time-based One-Time Password) tokens, and an HOTP class for generating HOTP (HMAC-based One-Time Password) tokens.

Regarding the OTP itself, I would suggest that we use alphanumeric OTPs, because a 6-digit numeric OTP can have 1 million possible combinations (10^6), whereas a 6-character alphanumeric OTP using upper and lowercase letters and numbers can have over 2 billion possible combinations (62^6).

For the length itself, based on some research I would suggest somewhere between 8 and 10 alphanumeric chars. I am keen on 10 alphanumeric chars, as the possible combinations are 62^10, which is roughly 839 trillion combinations. So no place for brute-forcing.

@cakekoa cakekoa self-assigned this Mar 31, 2023
cakekoa (Contributor) commented Mar 31, 2023

The Flask-Limiter package will allow us to rate-limit our endpoints. We can specify a limit like "10/s" that will limit the endpoint to a maximum of 10 requests in a second. A key_func can be provided, which allows one to specify how keys are determined (the rate limit is applied per key). It defaults to using the remote IP, but we can leverage it to specify users.
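The choice of key_func is the whole point of the task "Fix agent otp rate limiting key (user, not ip)": agents on one network segment often reach the Island through a single NAT address, so an IP-keyed limit lets one chatty agent exhaust the budget of every other agent behind the same gateway. The following is an added example, not Infection Monkey's code and not Flask-Limiter itself; it is a small sliding-window limiter with the same two knobs described above (a limit string such as "10/second" and a key_func), run against constructed request dicts so the two keying strategies can be compared side by side.

```python
"""Per-key rate limiting: keying by user versus by source IP.

Added example, not Infection Monkey's code and not Flask-Limiter itself. It
mirrors the two knobs Flask-Limiter exposes, a limit string and a key_func
that decides whose budget a request is charged to, with a sliding window over
an injectable clock. Request objects are plain dicts constructed inline.
"""
import time
from collections import deque
from typing import Callable, Deque, Dict, Tuple

_WINDOW_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(limit: str) -> Tuple[int, int]:
    """Parse '10/second' or '3 per minute' into (count, window_seconds)."""
    count, unit = limit.replace(" per ", "/").split("/")
    unit = unit.strip().rstrip("s")          # accept 'seconds' as well as 'second'
    return int(count), _WINDOW_SECONDS[unit]


class RateLimiter:
    """Allows at most `count` requests per `window` seconds for each key."""

    def __init__(self, limit: str, key_func: Callable[[dict], str],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.count, self.window = parse_limit(limit)
        self.key_func = key_func
        self._clock = clock
        self._hits: Dict[str, Deque[float]] = {}   # key -> timestamps inside the window

    def allow(self, request: dict) -> bool:
        """Charge the request to key_func(request); True if it is under the limit."""
        key = self.key_func(request)
        now = self._clock()
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] >= self.window:   # slide the window forward
            hits.popleft()
        if len(hits) >= self.count:
            return False
        hits.append(now)
        return True


def key_by_ip(request: dict) -> str:
    return request["remote_addr"]   # the remote-address default the comment describes


def key_by_user(request: dict) -> str:
    return request["user"]          # the agent's authenticated identity


def simulate(key_func: Callable[[dict], str]) -> dict:
    """Two agents behind one NAT address hit a 3/second OTP endpoint."""
    now = [0.0]
    limiter = RateLimiter("3/second", key_func, clock=lambda: now[0])
    shared_ip = "203.0.113.7"                                  # constructed NAT address
    burst = [{"remote_addr": shared_ip, "user": "agent-A"}] * 3
    other = {"remote_addr": shared_ip, "user": "agent-B"}
    chatty = [limiter.allow(r) for r in burst]                # agent-A spends its budget
    starved = limiter.allow(other)                            # does agent-B get through?
    now[0] += 1.0                                             # window slides past the burst
    recovered = limiter.allow(burst[0])
    return {"agent_a": chatty, "agent_b": starved, "agent_a_after_window": recovered}


if __name__ == "__main__":
    print("by ip:  ", simulate(key_by_ip))
    print("by user:", simulate(key_by_user))
```

With the IP key, agent-B's single request is rejected because agent-A already used the shared address's three slots; with the user key both agents are served. The per-user key only works once the caller is authenticated, which is why the unauthenticated login endpoint in the task list still has to be limited by address.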

This was referenced Mar 31, 2023
mssalvatore added a commit that referenced this issue Apr 3, 2023
mssalvatore added a commit that referenced this issue Apr 4, 2023
cakekoa added a commit that referenced this issue Apr 4, 2023
shreyamalviya mentioned this issue Apr 6, 2023
shreyamalviya mentioned this issue Apr 6, 2023
mssalvatore added a commit that referenced this issue Apr 7, 2023
The encryption algorithm is not deterministic, making searching
impossible. Salted SHA256 is considered to be secure enough for one-time
passwords with a 2-minute TTL.

Issue #3078
PR #3204
mssalvatore added a commit that referenced this issue Apr 7, 2023
shreyamalviya pushed a commit that referenced this issue Apr 7, 2023
mssalvatore added a commit that referenced this issue Apr 7, 2023
cakekoa mentioned this issue Apr 7, 2023
mssalvatore added a commit that referenced this issue Apr 7, 2023
mssalvatore mentioned this issue Apr 10, 2023
cakekoa mentioned this issue Apr 11, 2023
cakekoa added a commit that referenced this issue Apr 11, 2023

3 participants