package handlers
import (
"crypto/ecdsa"
"crypto/elliptic"
"fmt"
"github.com/tstranex/u2f"
"github.com/authelia/authelia/v4/internal/middlewares"
"github.com/authelia/authelia/v4/internal/regulation"
"github.com/authelia/authelia/v4/internal/session"
"github.com/authelia/authelia/v4/internal/storage"
)
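// SecondFactorU2FSignGet handler for initiating a signing request.
//
// It derives the U2F app ID from ctx.XForwardedProto() and ctx.XForwardedHost(),
// creates a new challenge for that app ID, loads the user's registered device
// from the storage provider, stores the challenge and the device registration in
// the session for the follow-up request, and writes the resulting sign request
// as the JSON response body. Every failure path responds with
// messageMFAValidationFailed so the client cannot tell which step failed.
//
// NOTE(review): the app ID and the single trusted facet are built from the
// forwarded proto/host values. These presumably come from request headers, so
// they are only trustworthy when the fronting proxy sets them itself; confirm
// the deployment overwrites client-supplied values.
func SecondFactorU2FSignGet(ctx *middlewares.AutheliaCtx) {
	// Both forwarded values are required to build the app ID below.
	if ctx.XForwardedProto() == nil {
		ctx.Error(errMissingXForwardedProto, messageMFAValidationFailed)
		return
	}

	if ctx.XForwardedHost() == nil {
		ctx.Error(errMissingXForwardedHost, messageMFAValidationFailed)
		return
	}

	userSession := ctx.GetSession()

	appID := fmt.Sprintf("%s://%s", ctx.XForwardedProto(), ctx.XForwardedHost())

	// The app ID is the only facet accepted for this challenge.
	var trustedFacets = []string{appID}

	challenge, err := u2f.NewChallenge(appID, trustedFacets)
	if err != nil {
		ctx.Logger.Errorf("Unable to create %s challenge for user '%s': %+v", regulation.AuthTypeFIDO, userSession.Username, err)

		respondUnauthorized(ctx, messageMFAValidationFailed)

		return
	}

	device, err := ctx.Providers.StorageProvider.LoadU2FDevice(ctx, userSession.Username)
	if err != nil {
		respondUnauthorized(ctx, messageMFAValidationFailed)

		if err == storage.ErrNoU2FDeviceHandle {
			// A missing device is recorded as a failed attempt. The response has
			// already been written, so the bookkeeping error is deliberately dropped.
			_ = markAuthenticationAttempt(ctx, false, nil, userSession.Username, regulation.AuthTypeFIDO, fmt.Errorf("no registered U2F device"))
			return
		}

		ctx.Logger.Errorf("Could not load %s devices for user '%s': %+v", regulation.AuthTypeFIDO, userSession.Username, err)

		return
	}

	// elliptic.Unmarshal returns x == nil when the bytes are not a valid
	// uncompressed P-256 point. Fail closed instead of building a registration
	// (and saving a session) around a key that can never verify a signature.
	x, y := elliptic.Unmarshal(elliptic.P256(), device.PublicKey)
	if x == nil {
		ctx.Logger.Errorf("Unable to parse %s public key for user '%s': stored key is not a valid P-256 point", regulation.AuthTypeFIDO, userSession.Username)

		respondUnauthorized(ctx, messageMFAValidationFailed)

		return
	}

	registration := u2f.Registration{
		KeyHandle: device.KeyHandle,
		PubKey: ecdsa.PublicKey{
			Curve: elliptic.P256(),
			X:     x,
			Y:     y,
		},
	}

	// Save the challenge and registration for use in next request
	userSession.U2FRegistration = &session.U2FRegistration{
		KeyHandle: device.KeyHandle,
		PublicKey: device.PublicKey,
	}

	userSession.U2FChallenge = challenge

	// The session is persisted before the sign request is written to the response.
	if err = ctx.SaveSession(userSession); err != nil {
		ctx.Logger.Errorf(logFmtErrSessionSave, "challenge and registration", regulation.AuthTypeFIDO, userSession.Username, err)

		respondUnauthorized(ctx, messageMFAValidationFailed)

		return
	}

	signRequest := challenge.SignRequest([]u2f.Registration{registration})

	if err = ctx.SetJSONBody(signRequest); err != nil {
		ctx.Logger.Errorf(logFmtErrWriteResponseBody, regulation.AuthTypeFIDO, userSession.Username, err)

		respondUnauthorized(ctx, messageMFAValidationFailed)

		return
	}
}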