Send email when a 2fa method is added or removed

tests/unit/email/test_init.py

@@ -1090,3 +1090,72 @@ def test_added_as_collaborator_email_unverified(
 
         assert pyramid_request.task.calls == []
         assert send_email.delay.calls == []
+
+
+class TestTwoFactorEmail:
+    @pytest.mark.parametrize(
+        ("action", "method", "pretty_method"),
+        [
+            ("added", "totp", "TOTP"),
+            ("removed", "totp", "TOTP"),
+            ("added", "webauthn", "WebAuthn"),
+            ("removed", "webauthn", "WebAuthn"),
+        ],
+    )
+    def test_two_factor_email(
+        self,
+        pyramid_request,
+        pyramid_config,
+        monkeypatch,
+        action,
+        method,
+        pretty_method,
+    ):
+        stub_user = pretend.stub(
+            username="username",
+            name="",
+            email="[email protected]",
+            primary_email=pretend.stub(email="[email protected]", verified=True),
+        )
+        subject_renderer = pyramid_config.testing_add_renderer(
+            f"email/two-factor-{action}/subject.txt"
+        )
+        subject_renderer.string_response = "Email Subject"
+        body_renderer = pyramid_config.testing_add_renderer(
+            f"email/two-factor-{action}/body.txt"
+        )
+        body_renderer.string_response = "Email Body"
+        html_renderer = pyramid_config.testing_add_renderer(
+            f"email/two-factor-{action}/body.html"
+        )
+        html_renderer.string_response = "Email HTML Body"
+
+        send_email = pretend.stub(
+            delay=pretend.call_recorder(lambda *args, **kwargs: None)
+        )
+        pyramid_request.task = pretend.call_recorder(lambda *args, **kwargs: send_email)
+        monkeypatch.setattr(email, "send_email", send_email)
+
+        send_method = getattr(email, f"send_two_factor_{action}_email")
+        result = send_method(pyramid_request, stub_user, method=method)
+
+        assert result == {"method": pretty_method, "username": stub_user.username}
+        subject_renderer.assert_()
+        body_renderer.assert_(method=pretty_method, username=stub_user.username)
+        html_renderer.assert_(method=pretty_method, username=stub_user.username)
+        assert pyramid_request.task.calls == [pretend.call(send_email)]
+        assert send_email.delay.calls == [
+            pretend.call(
+                f"{stub_user.username} <{stub_user.email}>",
+                attr.asdict(
+                    EmailMessage(
+                        subject="Email Subject",
+                        body_text="Email Body",
+                        body_html=(
+                            "<html>\n<head></head>\n"
+                            "<body><p>Email HTML Body</p></body>\n</html>\n"
+                        ),
+                    )
+                ),
+            )
+        ]

tests/unit/manage/test_views.py

@@ -970,6 +970,9 @@ def test_validate_totp_provision(self, monkeypatch):
         provision_totp_cls = pretend.call_recorder(lambda *a, **kw: provision_totp_obj)
         monkeypatch.setattr(views, "ProvisionTOTPForm", provision_totp_cls)
 
+        send_email = pretend.call_recorder(lambda *a, **kw: None)
+        monkeypatch.setattr(views, "send_two_factor_added_email", send_email)
+
         view = views.ProvisionTOTPViews(request)
         result = view.validate_totp_provision()
 
@@ -991,6 +994,9 @@ def test_validate_totp_provision(self, monkeypatch):
                 additional={"method": "totp"},
             )
         ]
+        assert send_email.calls == [
+            pretend.call(request, request.user, method="totp"),
+        ]
 
     def test_validate_totp_provision_already_provisioned(self, monkeypatch):
         user_service = pretend.stub(
@@ -1118,6 +1124,9 @@ def test_delete_totp(self, monkeypatch, db_request):
         delete_totp_cls = pretend.call_recorder(lambda *a, **kw: delete_totp_obj)
         monkeypatch.setattr(views, "DeleteTOTPForm", delete_totp_cls)
 
+        send_email = pretend.call_recorder(lambda *a, **kw: None)
+        monkeypatch.setattr(views, "send_two_factor_removed_email", send_email)
+
         view = views.ProvisionTOTPViews(request)
         result = view.delete_totp()
 
@@ -1141,6 +1150,9 @@ def test_delete_totp(self, monkeypatch, db_request):
                 additional={"method": "totp"},
             )
         ]
+        assert send_email.calls == [
+            pretend.call(request, request.user, method="totp"),
+        ]
 
     def test_delete_totp_bad_password(self, monkeypatch, db_request):
         user_service = pretend.stub(
@@ -1304,6 +1316,9 @@ def test_validate_webauthn_provision(self, monkeypatch):
         )
         monkeypatch.setattr(views, "ProvisionWebAuthnForm", provision_webauthn_cls)
 
+        send_email = pretend.call_recorder(lambda *a, **kw: None)
+        monkeypatch.setattr(views, "send_two_factor_added_email", send_email)
+
         view = views.ProvisionWebAuthnViews(request)
         result = view.validate_webauthn_provision()
 
@@ -1333,6 +1348,9 @@ def test_validate_webauthn_provision(self, monkeypatch):
                 },
             )
         ]
+        assert send_email.calls == [
+            pretend.call(request, request.user, method="webauthn"),
+        ]
 
     def test_validate_webauthn_provision_invalid_form(self, monkeypatch):
         user_service = pretend.stub(
@@ -1401,6 +1419,9 @@ def test_delete_webauthn(self, monkeypatch):
         )
         monkeypatch.setattr(views, "DeleteWebAuthnForm", delete_webauthn_cls)
 
+        send_email = pretend.call_recorder(lambda *a, **kw: None)
+        monkeypatch.setattr(views, "send_two_factor_removed_email", send_email)
+
         view = views.ProvisionWebAuthnViews(request)
         result = view.delete_webauthn()
 
@@ -1421,6 +1442,9 @@ def test_delete_webauthn(self, monkeypatch):
                 },
             )
         ]
+        assert send_email.calls == [
+            pretend.call(request, request.user, method="webauthn"),
+        ]
 
     def test_delete_webauthn_not_provisioned(self):
         request = pretend.stub(

warehouse/email/__init__.py

@@ -201,6 +201,18 @@ def send_added_as_collaborator_email(request, user, *, submitter, project_name,
     return {"project": project_name, "submitter": submitter.username, "role": role}
 
 
+@_email("two-factor-added")
+def send_two_factor_added_email(request, user, method):
+    pretty_methods = {"totp": "TOTP", "webauthn": "WebAuthn"}
+    return {"method": pretty_methods[method], "username": user.username}
+
+
+@_email("two-factor-removed")
+def send_two_factor_removed_email(request, user, method):
+    pretty_methods = {"totp": "TOTP", "webauthn": "WebAuthn"}
+    return {"method": pretty_methods[method], "username": user.username}
+
+
 def includeme(config):
     email_sending_class = config.maybe_dotted(config.registry.settings["mail.backend"])
     config.register_service_factory(email_sending_class.create_service, IEmailSender)

warehouse/manage/views.py

@@ -38,6 +38,8 @@
     send_email_verification_email,
     send_password_change_email,
     send_primary_email_change_email,
+    send_two_factor_added_email,
+    send_two_factor_removed_email,
 )
 from warehouse.i18n import localize as _
 from warehouse.macaroons.interfaces import IMacaroonService
@@ -461,6 +463,7 @@ def validate_totp_provision(self):
             self.request.session.flash(
                 "Authentication application successfully set up", queue="success"
             )
+            send_two_factor_added_email(self.request, self.request.user, method="totp")
 
             return HTTPSeeOther(self.request.route_path("manage.account"))
 
@@ -500,6 +503,9 @@ def delete_totp(self):
                 "Remember to remove PyPI from your application.",
                 queue="success",
             )
+            send_two_factor_removed_email(
+                self.request, self.request.user, method="totp"
+            )
         else:
             self.request.session.flash("Invalid credentials. Try again", queue="error")
 
@@ -575,6 +581,10 @@ def validate_webauthn_provision(self):
             self.request.session.flash(
                 "Security device successfully set up", queue="success"
             )
+            send_two_factor_added_email(
+                self.request, self.request.user, method="webauthn"
+            )
+
             return {"success": "Security device successfully set up"}
 
         errors = [
@@ -610,6 +620,9 @@ def delete_webauthn(self):
                 additional={"method": "webauthn", "label": form.label.data},
             )
             self.request.session.flash("Security device removed", queue="success")
+            send_two_factor_removed_email(
+                self.request, self.request.user, method="webauthn"
+            )
         else:
             self.request.session.flash("Invalid credentials", queue="error")
 

warehouse/templates/email/two-factor-added/body.html

@@ -0,0 +1,21 @@
+{#
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+-#}
+{% extends "email/_base/body.html" %}
+
+
+{% block content %}
+<p>{% trans method=method, username=username %}Someone, perhaps you, has added a {{ method }} two-factor authentication method to your PyPI account <strong>{{ username }}</strong>.{% endtrans %}</p>
+
+<p>{% trans href='mailto:[email protected]', email_address='[email protected]' %}If you did not make this change, you can email <a href="{{ href }}">{{ email_address }}</a> to communicate with the PyPI administrators.{% endtrans %}</p>
+{% endblock %}

warehouse/templates/email/two-factor-added/body.txt

@@ -0,0 +1,23 @@
+{#
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+-#}
+{% extends "email/_base/body.txt" %}
+
+{% block content %}
+{% trans method=method, username=username %}Someone, perhaps you, has added a {{ method }} two-factor authentication method to your PyPI account
+'{{ username }}'.{% endtrans %}
+
+{% trans email_address='[email protected]' %}If you did not make this change, you can email {{ email_address }} to
+communicate with the PyPI administrators.{% endtrans %}
+{% endblock %}
+

warehouse/templates/email/two-factor-added/subject.txt

@@ -0,0 +1,17 @@
+{#
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+-#}
+
+{% extends "email/_base/subject.txt" %}
+
+{% block subject %}{% trans %}Two-factor method added{% endtrans %}{% endblock %}

warehouse/templates/email/two-factor-removed/body.html

@@ -0,0 +1,21 @@
+{#
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+-#}
+{% extends "email/_base/body.html" %}
+
+
+{% block content %}
+<p>{% trans method=method, username=username %}Someone, perhaps you, has removed a {{ method }} two-factor authentication method from your PyPI account <strong>{{ username }}</strong>.{% endtrans %}</p>
+
+<p>{% trans href='mailto:[email protected]', email_address='[email protected]' %}If you did not make this change, you can email <a href="{{ href }}">{{ email_address }}</a> to communicate with the PyPI administrators.{% endtrans %}</p>
+{% endblock %}

warehouse/templates/email/two-factor-removed/body.txt

@@ -0,0 +1,23 @@
+{#
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+-#}
+{% extends "email/_base/body.txt" %}
+
+{% block content %}
+{% trans method=method, username=username %}Someone, perhaps you, has removed a {{ method }} two-factor authentication method from your PyPI account
+'{{ username }}'.{% endtrans %}
+
+{% trans email_address='[email protected]' %}If you did not make this change, you can email {{ email_address }} to
+communicate with the PyPI administrators.{% endtrans %}
+{% endblock %}
+

warehouse/templates/email/two-factor-removed/subject.txt

@@ -0,0 +1,17 @@
+{#
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+-#}
+
+{% extends "email/_base/subject.txt" %}
+
+{% block subject %}{% trans %}Two-factor method removed{% endtrans %}{% endblock %}