alpcentaur
/
sncf-docker-compose
mirror of https://git.42l.fr/alpcentaur/sncf-docker-compose.git
1
0
Fork 0
Code Issues 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
20 MiB
Tree: df7e20de4b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'df7e20de4b'
${ noResults }
sncf-docker-compose/docker/overlays/nextcloud/html/lib/private/Authentication/WebAuthn/Manager.php

275 lines
9.3 KiB
Raw Normal View History

first commit
3 years ago
 
  1. <?php
  2. 

  3. declare(strict_types=1);
  4. 

  5. /**
  6.  * @copyright Copyright (c) 2020, Roeland Jago Douma <roeland@famdouma.nl>
  7.  *
  8.  * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  9.  * @author Roeland Jago Douma <roeland@famdouma.nl>
  10.  *
  11.  * @license GNU AGPL version 3 or any later version
  12.  *
  13.  * This program is free software: you can redistribute it and/or modify
  14.  * it under the terms of the GNU Affero General Public License as
  15.  * published by the Free Software Foundation, either version 3 of the
  16.  * License, or (at your option) any later version.
  17.  *
  18.  * This program is distributed in the hope that it will be useful,
  19.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  20.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  21.  * GNU Affero General Public License for more details.
  22.  *
  23.  * You should have received a copy of the GNU Affero General Public License
  24.  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  25.  *
  26.  */
  27. 

  28. namespace OC\Authentication\WebAuthn;
  29. 

  30. use Cose\Algorithm\Signature\ECDSA\ES256;
  31. use Cose\Algorithm\Signature\RSA\RS256;
  32. use Cose\Algorithms;
  33. use GuzzleHttp\Psr7\ServerRequest;
  34. use OC\Authentication\WebAuthn\Db\PublicKeyCredentialEntity;
  35. use OC\Authentication\WebAuthn\Db\PublicKeyCredentialMapper;
  36. use OCP\AppFramework\Db\DoesNotExistException;
  37. use OCP\IConfig;
  38. use OCP\ILogger;
  39. use OCP\IUser;
  40. use Webauthn\AttestationStatement\AttestationObjectLoader;
  41. use Webauthn\AttestationStatement\AttestationStatementSupportManager;
  42. use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
  43. use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;
  44. use Webauthn\AuthenticatorAssertionResponse;
  45. use Webauthn\AuthenticatorAssertionResponseValidator;
  46. use Webauthn\AuthenticatorAttestationResponse;
  47. use Webauthn\AuthenticatorAttestationResponseValidator;
  48. use Webauthn\AuthenticatorSelectionCriteria;
  49. use Webauthn\PublicKeyCredentialCreationOptions;
  50. use Webauthn\PublicKeyCredentialDescriptor;
  51. use Webauthn\PublicKeyCredentialLoader;
  52. use Webauthn\PublicKeyCredentialParameters;
  53. use Webauthn\PublicKeyCredentialRequestOptions;
  54. use Webauthn\PublicKeyCredentialRpEntity;
  55. use Webauthn\PublicKeyCredentialUserEntity;
  56. use Webauthn\TokenBinding\TokenBindingNotSupportedHandler;
  57. 

  58. class Manager {
  59. 

  60. 	/** @var CredentialRepository */
  61. 	private $repository;
  62. 

  63. 	/** @var PublicKeyCredentialMapper */
  64. 	private $credentialMapper;
  65. 

  66. 	/** @var ILogger */
  67. 	private $logger;
  68. 

  69. 	/** @var IConfig */
  70. 	private $config;
  71. 

  72. 	public function __construct(
  73. 		CredentialRepository $repository,
  74. 		PublicKeyCredentialMapper $credentialMapper,
  75. 		ILogger $logger,
  76. 		IConfig $config
  77. 	) {
  78. 		$this->repository = $repository;
  79. 		$this->credentialMapper = $credentialMapper;
  80. 		$this->logger = $logger;
  81. 		$this->config = $config;
  82. 	}
  83. 

  84. 	public function startRegistration(IUser $user, string $serverHost): PublicKeyCredentialCreationOptions {
  85. 		$rpEntity = new PublicKeyCredentialRpEntity(
  86. 			'Nextcloud', //Name

  87. 			$this->stripPort($serverHost),        //ID

  88. 			null                            //Icon

  89. 		);
  90. 

  91. 		$userEntity = new PublicKeyCredentialUserEntity(
  92. 			$user->getUID(),                              //Name

  93. 			$user->getUID(),                              //ID

  94. 			$user->getDisplayName()                      //Display name

  95. //            'https://foo.example.co/avatar/123e4567-e89b-12d3-a456-426655440000' //Icon

  96. 		);
  97. 

  98. 		$challenge = random_bytes(32);
  99. 

  100. 		$publicKeyCredentialParametersList = [
  101. 			new PublicKeyCredentialParameters('public-key', Algorithms::COSE_ALGORITHM_ES256),
  102. 			new PublicKeyCredentialParameters('public-key', Algorithms::COSE_ALGORITHM_RS256),
  103. 		];
  104. 

  105. 		$timeout = 60000;
  106. 

  107. 		$excludedPublicKeyDescriptors = [
  108. 		];
  109. 

  110. 		$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(
  111. 			null,
  112. 			false,
  113. 			AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
  114. 		);
  115. 

  116. 		return new PublicKeyCredentialCreationOptions(
  117. 			$rpEntity,
  118. 			$userEntity,
  119. 			$challenge,
  120. 			$publicKeyCredentialParametersList,
  121. 			$timeout,
  122. 			$excludedPublicKeyDescriptors,
  123. 			$authenticatorSelectionCriteria,
  124. 			PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE,
  125. 			null
  126. 		);
  127. 	}
  128. 

  129. 	public function finishRegister(PublicKeyCredentialCreationOptions $publicKeyCredentialCreationOptions, string $name, string $data): PublicKeyCredentialEntity {
  130. 		$tokenBindingHandler = new TokenBindingNotSupportedHandler();
  131. 

  132. 		$attestationStatementSupportManager = new AttestationStatementSupportManager();
  133. 		$attestationStatementSupportManager->add(new NoneAttestationStatementSupport());
  134. 

  135. 		$attestationObjectLoader = new AttestationObjectLoader($attestationStatementSupportManager);
  136. 		$publicKeyCredentialLoader = new PublicKeyCredentialLoader($attestationObjectLoader);
  137. 

  138. 		// Extension Output Checker Handler

  139. 		$extensionOutputCheckerHandler = new ExtensionOutputCheckerHandler();
  140. 

  141. 		// Authenticator Attestation Response Validator

  142. 		$authenticatorAttestationResponseValidator = new AuthenticatorAttestationResponseValidator(
  143. 			$attestationStatementSupportManager,
  144. 			$this->repository,
  145. 			$tokenBindingHandler,
  146. 			$extensionOutputCheckerHandler
  147. 		);
  148. 

  149. 		try {
  150. 			// Load the data

  151. 			$publicKeyCredential = $publicKeyCredentialLoader->load($data);
  152. 			$response = $publicKeyCredential->getResponse();
  153. 

  154. 			// Check if the response is an Authenticator Attestation Response

  155. 			if (!$response instanceof AuthenticatorAttestationResponse) {
  156. 				throw new \RuntimeException('Not an authenticator attestation response');
  157. 			}
  158. 

  159. 			// Check the response against the request

  160. 			$request = ServerRequest::fromGlobals();
  161. 

  162. 			$publicKeyCredentialSource = $authenticatorAttestationResponseValidator->check(
  163. 				$response,
  164. 				$publicKeyCredentialCreationOptions,
  165. 				$request);
  166. 		} catch (\Throwable $exception) {
  167. 			throw $exception;
  168. 		}
  169. 

  170. 		// Persist the data

  171. 		return $this->repository->saveAndReturnCredentialSource($publicKeyCredentialSource, $name);
  172. 	}
  173. 

  174. 	private function stripPort(string $serverHost): string {
  175. 		return preg_replace('/(:\d+$)/', '', $serverHost);
  176. 	}
  177. 

  178. 	public function startAuthentication(string $uid, string $serverHost): PublicKeyCredentialRequestOptions {
  179. 		// List of registered PublicKeyCredentialDescriptor classes associated to the user

  180. 		$registeredPublicKeyCredentialDescriptors = array_map(function (PublicKeyCredentialEntity $entity) {
  181. 			$credential = $entity->toPublicKeyCredentialSource();
  182. 			return new PublicKeyCredentialDescriptor(
  183. 				$credential->getType(),
  184. 				$credential->getPublicKeyCredentialId()
  185. 			);
  186. 		}, $this->credentialMapper->findAllForUid($uid));
  187. 

  188. 		// Public Key Credential Request Options

  189. 		return new PublicKeyCredentialRequestOptions(
  190. 			random_bytes(32),                                                    // Challenge

  191. 			60000,                                                              // Timeout

  192. 			$this->stripPort($serverHost),                                                                  // Relying Party ID

  193. 			$registeredPublicKeyCredentialDescriptors,                                  // Registered PublicKeyCredentialDescriptor classes

  194. 			AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED
  195. 		);
  196. 	}
  197. 

  198. 	public function finishAuthentication(PublicKeyCredentialRequestOptions $publicKeyCredentialRequestOptions, string $data, string $uid) {
  199. 		$attestationStatementSupportManager = new AttestationStatementSupportManager();
  200. 		$attestationStatementSupportManager->add(new NoneAttestationStatementSupport());
  201. 

  202. 		$attestationObjectLoader = new AttestationObjectLoader($attestationStatementSupportManager);
  203. 		$publicKeyCredentialLoader = new PublicKeyCredentialLoader($attestationObjectLoader);
  204. 

  205. 		$tokenBindingHandler = new TokenBindingNotSupportedHandler();
  206. 		$extensionOutputCheckerHandler = new ExtensionOutputCheckerHandler();
  207. 		$algorithmManager = new \Cose\Algorithm\Manager();
  208. 		$algorithmManager->add(new ES256());
  209. 		$algorithmManager->add(new RS256());
  210. 

  211. 		$authenticatorAssertionResponseValidator = new AuthenticatorAssertionResponseValidator(
  212. 			$this->repository,
  213. 			$tokenBindingHandler,
  214. 			$extensionOutputCheckerHandler,
  215. 			$algorithmManager
  216. 		);
  217. 

  218. 		try {
  219. 			$this->logger->debug('Loading publickey credentials from: ' . $data);
  220. 

  221. 			// Load the data

  222. 			$publicKeyCredential = $publicKeyCredentialLoader->load($data);
  223. 			$response = $publicKeyCredential->getResponse();
  224. 

  225. 			// Check if the response is an Authenticator Attestation Response

  226. 			if (!$response instanceof AuthenticatorAssertionResponse) {
  227. 				throw new \RuntimeException('Not an authenticator attestation response');
  228. 			}
  229. 

  230. 			// Check the response against the request

  231. 			$request = ServerRequest::fromGlobals();
  232. 

  233. 			$publicKeyCredentialSource = $authenticatorAssertionResponseValidator->check(
  234. 				$publicKeyCredential->getRawId(),
  235. 				$response,
  236. 				$publicKeyCredentialRequestOptions,
  237. 				$request,
  238. 				$uid
  239. 			);
  240. 		} catch (\Throwable $e) {
  241. 			throw $e;
  242. 		}
  243. 

  244. 

  245. 

  246. 		return true;
  247. 	}
  248. 

  249. 	public function deleteRegistration(IUser $user, int $id): void {
  250. 		try {
  251. 			$entry = $this->credentialMapper->findById($user->getUID(), $id);
  252. 		} catch (DoesNotExistException $e) {
  253. 			$this->logger->warning("WebAuthn device $id does not exist, can't delete it");
  254. 			return;
  255. 		}
  256. 

  257. 		$this->credentialMapper->delete($entry);
  258. 	}
  259. 

  260. 	public function isWebAuthnAvailable(): bool {
  261. 		if (!extension_loaded('bcmath')) {
  262. 			return false;
  263. 		}
  264. 

  265. 		if (!extension_loaded('gmp')) {
  266. 			return false;
  267. 		}
  268. 

  269. 		if (!$this->config->getSystemValueBool('auth.webauthn.enabled', true)) {
  270. 			return false;
  271. 		}
  272. 

  273. 		return true;
  274. 	}
  275. }