[Security snitch] Rake Script to Alert When Admins Are Not 2FAC Protected

Gemfile.lock

@@ -180,6 +180,8 @@ GEM
     nokogiri (1.11.1)
       mini_portile2 (~> 2.5.0)
       racc (~> 1.4)
+    nokogiri (1.11.1-x86_64-darwin)
+      racc (~> 1.4)
     orm_adapter (0.5.0)
     parallel (1.19.2)
     parser (2.7.1.4)
@@ -343,6 +345,7 @@ GEM
 
 PLATFORMS
   ruby
+  x86_64-darwin-19
 
 DEPENDENCIES
   american_date
@@ -394,4 +397,4 @@ RUBY VERSION
    ruby 2.6.6p146
 
 BUNDLED WITH
-   2.1.4
+   2.2.1

app/mailers/user_mailer.rb

@@ -4,4 +4,9 @@ def account_lockdown_email(user)
     admin_emails = user.community.region.regional_admins.pluck(:email)
     mail(to: admin_emails, subject: "Account lockdown warning")
   end
+
+  def insecure_admins_email(target_admin_emails, insecure_admins)
+    @insecure_admins = insecure_admins
+    mail(to: target_admin_emails, subject: "Report: Insecure Region Admins -- Fix ASAP")
+  end
 end

app/views/user_mailer/insecure_admins_email.html.erb

@@ -0,0 +1,15 @@
+<p>
+The following users in your region have insecure (non-2fac) accounts that must 
+be secured immediately. Please contact them to enable 2fac ASAP:
+<br><br>
+<% @insecure_admins.each do |admin| %>
+    - <%= admin.name %> (<%= admin.email %>)
+    <% if !admin.authy_enabled %>
+        Authy: NOT ENABLED, 
+    <% end %>
+    <% if !admin.agreed_to_data_entry_policies %>
+        Data Entry Policies: NOT AGREED, 
+    <% end %>
+    <br>
+<% end %>
+</p>

app/views/user_mailer/insecure_admins_email.text.erb

@@ -0,0 +1,11 @@
+The following users in your region have insecure (non-2fac) accounts that must 
+be secured immediately. Please contact them to enable 2fac ASAP:
+<% @insecure_admins.each do |admin| %>
+    - <%= admin.name %> (<%= admin.email %>)
+    <% if !admin.authy_enabled %>
+        Authy: NOT ENABLED, 
+    <% end %>
+    <% if !admin.agreed_to_data_entry_policies %>
+        Data Entry Policies: NOT AGREED, 
+    <% end %>
+<% end %>

db/schema.rb

@@ -55,11 +55,11 @@
     t.datetime "updated_at", null: false
     t.integer "region_id"
     t.boolean "confirmed"
-    t.integer "activity_type_id"
     t.text "public_notes"
+    t.integer "activity_type_id"
+    t.integer "last_edited_by"
     t.boolean "occur_at_tbd"
     t.datetime "control_date"
-    t.integer "last_edited_by"
     t.index ["activity_type_id"], name: "index_activities_on_activity_type_id"
     t.index ["region_id"], name: "index_activities_on_region_id"
   end
@@ -461,7 +461,6 @@
     t.index ["invitation_token"], name: "index_users_on_invitation_token", unique: true
     t.index ["invitations_count"], name: "index_users_on_invitations_count"
     t.index ["invited_by_id"], name: "index_users_on_invited_by_id"
-    t.index ["invited_by_type", "invited_by_id"], name: "index_users_on_invited_by_type_and_invited_by_id"
     t.index ["password_changed_at"], name: "index_users_on_password_changed_at"
     t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
     t.index ["unlock_token"], name: "index_users_on_unlock_token", unique: true

lib/tasks/security_snitch.rake

@@ -0,0 +1,28 @@
+desc 'Alert for regional admins without 2Fac enabled'
+task security_snitch: :environment do
+    # lol this can't possibly be the most efficient fetch D:
+    Region.all.each do |region|
+        admins = User
+            .where(role: ['admin', 'data_entry', 'eoir_caller'])
+            .where('authy_enabled = ? OR agreed_to_data_entry_policies = ?', false, false)
+            .where(community_id: [region.communities.pluck(:id)])
+
+        if admins.any?
+            target_admin_emails = region.regional_admins.pluck(:email)
+            UserMailer.insecure_admins_email(target_admin_emails, admins)
+
+            # Just logging for documentation
+            message = 'The following admins do not have 2FAC authy enabled: '
+            admins.each do |admin|
+                message += "\n  - " + admin.name + '(' + admin.email + '): '
+                if !admin.authy_enabled
+                    message += 'Authy: NOT ENABLED, '
+                end
+                if !admin.agreed_to_data_entry_policies
+                    message += 'Data Entry Policies: NOT AGREED'
+                end
+            end
+            puts message
+        end
+    end
+end