Add support for FIDO U2F (#3971)

* Add support for U2F

Signed-off-by: Jonas Franz <info@jonasfranz.software>

* Add vendor library
Add missing translations

Signed-off-by: Jonas Franz <info@jonasfranz.software>

* Minor improvements

Signed-off-by: Jonas Franz <info@jonasfranz.software>

* Add U2F support for Firefox, Chrome (Android) by introducing a custom JS library
Add U2F error handling

Signed-off-by: Jonas Franz <info@jonasfranz.software>

* Add U2F login page to OAuth

Signed-off-by: Jonas Franz <info@jonasfranz.software>

* Move U2F user settings to a separate file

Signed-off-by: Jonas Franz <info@jonasfranz.software>

* Add unit tests for u2f model
Renamed u2f table name

Signed-off-by: Jonas Franz <info@jonasfranz.software>

* Fix problems caused by refactoring

Signed-off-by: Jonas Franz <info@jonasfranz.software>

* Add U2F documentation

Signed-off-by: Jonas Franz <info@jonasfranz.software>

* Remove not needed console.log-s

Signed-off-by: Jonas Franz <info@jonasfranz.software>

* Add default values to app.ini.sample
Add FIDO U2F to comparison

Signed-off-by: Jonas Franz <info@jonasfranz.software>

4 files changed, 256 insertions, 6 deletions

diff --git a/routers/routes/routes.go b/routers/routes/routes.go
index 07be6653a6..1585a0876d 100644
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@@ -5,6 +5,8 @@
 package routes
 
 import (
+	"encoding/gob"
+	"net/http"
 	"os"
 	"path"
 	"time"
@@ -37,12 +39,13 @@ import (
 	"github.com/go-macaron/i18n"
 	"github.com/go-macaron/session"
 	"github.com/go-macaron/toolbox"
+	"github.com/tstranex/u2f"
 	"gopkg.in/macaron.v1"
-	"net/http"
 )
 
 // NewMacaron initializes Macaron instance.
 func NewMacaron() *macaron.Macaron {
+	gob.Register(&u2f.Challenge{})
 	m := macaron.New()
 	if !setting.DisableRouterLog {
 		m.Use(macaron.Logger())
@@ -214,6 +217,12 @@ func RegisterRoutes(m *macaron.Macaron) {
 			m.Get("/scratch", user.TwoFactorScratch)
 			m.Post("/scratch", bindIgnErr(auth.TwoFactorScratchAuthForm{}), user.TwoFactorScratchPost)
 		})
+		m.Group("/u2f", func() {
+			m.Get("", user.U2F)
+			m.Get("/challenge", user.U2FChallenge)
+			m.Post("/sign", bindIgnErr(u2f.SignResponse{}), user.U2FSign)
+
+		})
 	}, reqSignOut)
 
 	m.Group("/user/settings", func() {
@@ -235,6 +244,11 @@ func RegisterRoutes(m *macaron.Macaron) {
 				m.Get("/enroll", userSetting.EnrollTwoFactor)
 				m.Post("/enroll", bindIgnErr(auth.TwoFactorAuthForm{}), userSetting.EnrollTwoFactorPost)
 			})
+			m.Group("/u2f", func() {
+				m.Post("/request_register", bindIgnErr(auth.U2FRegistrationForm{}), userSetting.U2FRegister)
+				m.Post("/register", bindIgnErr(u2f.RegisterResponse{}), userSetting.U2FRegisterPost)
+				m.Post("/delete", bindIgnErr(auth.U2FDeleteForm{}), userSetting.U2FDelete)
+			})
 			m.Group("/openid", func() {
 				m.Post("", bindIgnErr(auth.AddOpenIDForm{}), userSetting.OpenIDPost)
 				m.Post("/delete", userSetting.DeleteOpenID)
diff --git a/routers/user/auth.go b/routers/user/auth.go
index c8e1ada0db..9a59f52db2 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -21,6 +21,7 @@ import (
 
 	"github.com/go-macaron/captcha"
 	"github.com/markbates/goth"
+	"github.com/tstranex/u2f"
 )
 
 const (
@@ -35,6 +36,7 @@ const (
 	tplTwofa          base.TplName = "user/auth/twofa"
 	tplTwofaScratch   base.TplName = "user/auth/twofa_scratch"
 	tplLinkAccount    base.TplName = "user/auth/link_account"
+	tplU2F            base.TplName = "user/auth/u2f"
 )
 
 // AutoSignIn reads cookie and try to auto-login.
@@ -159,7 +161,6 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) {
 		}
 		return
 	}
-
 	// If this user is enrolled in 2FA, we can't sign the user in just yet.
 	// Instead, redirect them to the 2FA authentication page.
 	_, err = models.GetTwoFactorByUID(u.ID)
@@ -175,6 +176,13 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) {
 	// User needs to use 2FA, save data and redirect to 2FA page.
 	ctx.Session.Set("twofaUid", u.ID)
 	ctx.Session.Set("twofaRemember", form.Remember)
+
+	regs, err := models.GetU2FRegistrationsByUID(u.ID)
+	if err == nil && len(regs) > 0 {
+		ctx.Redirect(setting.AppSubURL + "/user/u2f")
+		return
+	}
+
 	ctx.Redirect(setting.AppSubURL + "/user/two_factor")
 }
 
@@ -317,12 +325,115 @@ func TwoFactorScratchPost(ctx *context.Context, form auth.TwoFactorScratchAuthFo
 	ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplTwofaScratch, auth.TwoFactorScratchAuthForm{})
 }
 
+// U2F shows the U2F login page
+func U2F(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("twofa")
+	ctx.Data["RequireU2F"] = true
+	// Check auto-login.
+	if checkAutoLogin(ctx) {
+		return
+	}
+
+	// Ensure user is in a 2FA session.
+	if ctx.Session.Get("twofaUid") == nil {
+		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
+		return
+	}
+
+	ctx.HTML(200, tplU2F)
+}
+
+// U2FChallenge submits a sign challenge to the browser
+func U2FChallenge(ctx *context.Context) {
+	// Ensure user is in a U2F session.
+	idSess := ctx.Session.Get("twofaUid")
+	if idSess == nil {
+		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
+		return
+	}
+	id := idSess.(int64)
+	regs, err := models.GetU2FRegistrationsByUID(id)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+	if len(regs) == 0 {
+		ctx.ServerError("UserSignIn", errors.New("no device registered"))
+		return
+	}
+	challenge, err := u2f.NewChallenge(setting.U2F.AppID, setting.U2F.TrustedFacets)
+	if err = ctx.Session.Set("u2fChallenge", challenge); err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+	ctx.JSON(200, challenge.SignRequest(regs.ToRegistrations()))
+}
+
+// U2FSign authenticates the user by signResp
+func U2FSign(ctx *context.Context, signResp u2f.SignResponse) {
+	challSess := ctx.Session.Get("u2fChallenge")
+	idSess := ctx.Session.Get("twofaUid")
+	if challSess == nil || idSess == nil {
+		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
+		return
+	}
+	challenge := challSess.(*u2f.Challenge)
+	id := idSess.(int64)
+	regs, err := models.GetU2FRegistrationsByUID(id)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+	for _, reg := range regs {
+		r, err := reg.Parse()
+		if err != nil {
+			log.Fatal(4, "parsing u2f registration: %v", err)
+			continue
+		}
+		newCounter, authErr := r.Authenticate(signResp, *challenge, reg.Counter)
+		if authErr == nil {
+			reg.Counter = newCounter
+			user, err := models.GetUserByID(id)
+			if err != nil {
+				ctx.ServerError("UserSignIn", err)
+				return
+			}
+			remember := ctx.Session.Get("twofaRemember").(bool)
+			if err := reg.UpdateCounter(); err != nil {
+				ctx.ServerError("UserSignIn", err)
+				return
+			}
+
+			if ctx.Session.Get("linkAccount") != nil {
+				gothUser := ctx.Session.Get("linkAccountGothUser")
+				if gothUser == nil {
+					ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
+					return
+				}
+
+				err = models.LinkAccountToUser(user, gothUser.(goth.User))
+				if err != nil {
+					ctx.ServerError("UserSignIn", err)
+					return
+				}
+			}
+			redirect := handleSignInFull(ctx, user, remember, false)
+			if redirect == "" {
+				redirect = setting.AppSubURL + "/"
+			}
+			ctx.PlainText(200, []byte(redirect))
+			return
+		}
+	}
+	ctx.Error(401)
+}
+
 // This handles the final part of the sign-in process of the user.
 func handleSignIn(ctx *context.Context, u *models.User, remember bool) {
 	handleSignInFull(ctx, u, remember, true)
 }
 
-func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) {
+func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyRedirect bool) string {
 	if remember {
 		days := 86400 * setting.LogInRememberDays
 		ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubURL)
@@ -336,6 +447,8 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
 	ctx.Session.Delete("openid_determined_username")
 	ctx.Session.Delete("twofaUid")
 	ctx.Session.Delete("twofaRemember")
+	ctx.Session.Delete("u2fChallenge")
+	ctx.Session.Delete("linkAccount")
 	ctx.Session.Set("uid", u.ID)
 	ctx.Session.Set("uname", u.Name)
 
@@ -345,7 +458,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
 		u.Language = ctx.Locale.Language()
 		if err := models.UpdateUserCols(u, "language"); err != nil {
 			log.Error(4, fmt.Sprintf("Error updating user language [user: %d, locale: %s]", u.ID, u.Language))
-			return
+			return setting.AppSubURL + "/"
 		}
 	}
 
@@ -358,7 +471,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
 	u.SetLastLogin()
 	if err := models.UpdateUserCols(u, "last_login_unix"); err != nil {
 		ctx.ServerError("UpdateUserCols", err)
-		return
+		return setting.AppSubURL + "/"
 	}
 
 	if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
@@ -366,12 +479,13 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
 		if obeyRedirect {
 			ctx.RedirectToFirst(redirectTo)
 		}
-		return
+		return redirectTo
 	}
 
 	if obeyRedirect {
 		ctx.Redirect(setting.AppSubURL + "/")
 	}
+	return setting.AppSubURL + "/"
 }
 
 // SignInOAuth handles the OAuth2 login buttons
@@ -467,6 +581,14 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
 	// User needs to use 2FA, save data and redirect to 2FA page.
 	ctx.Session.Set("twofaUid", u.ID)
 	ctx.Session.Set("twofaRemember", false)
+
+	// If U2F is enrolled -> Redirect to U2F instead
+	regs, err := models.GetU2FRegistrationsByUID(u.ID)
+	if err == nil && len(regs) > 0 {
+		ctx.Redirect(setting.AppSubURL + "/user/u2f")
+		return
+	}
+
 	ctx.Redirect(setting.AppSubURL + "/user/two_factor")
 }
 
@@ -593,6 +715,13 @@ func LinkAccountPostSignIn(ctx *context.Context, signInForm auth.SignInForm) {
 	ctx.Session.Set("twofaRemember", signInForm.Remember)
 	ctx.Session.Set("linkAccount", true)
 
+	// If U2F is enrolled -> Redirect to U2F instead
+	regs, err := models.GetU2FRegistrationsByUID(u.ID)
+	if err == nil && len(regs) > 0 {
+		ctx.Redirect(setting.AppSubURL + "/user/u2f")
+		return
+	}
+
 	ctx.Redirect(setting.AppSubURL + "/user/two_factor")
 }
 
diff --git a/routers/user/setting/security.go b/routers/user/setting/security.go
index 5346f349ff..860730303f 100644
--- a/routers/user/setting/security.go
+++ b/routers/user/setting/security.go
@@ -33,6 +33,14 @@ func Security(ctx *context.Context) {
 		}
 	}
 	ctx.Data["TwofaEnrolled"] = enrolled
+	if enrolled {
+		ctx.Data["U2FRegistrations"], err = models.GetU2FRegistrationsByUID(ctx.User.ID)
+		if err != nil {
+			ctx.ServerError("GetU2FRegistrationsByUID", err)
+			return
+		}
+		ctx.Data["RequireU2F"] = true
+	}
 
 	tokens, err := models.ListAccessTokens(ctx.User.ID)
 	if err != nil {
diff --git a/routers/user/setting/security_u2f.go b/routers/user/setting/security_u2f.go
new file mode 100644
index 0000000000..c1d6eab967
--- /dev/null
+++ b/routers/user/setting/security_u2f.go
@@ -0,0 +1,99 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package setting
+
+import (
+	"errors"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/auth"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/tstranex/u2f"
+)
+
+// U2FRegister initializes the u2f registration procedure
+func U2FRegister(ctx *context.Context, form auth.U2FRegistrationForm) {
+	if form.Name == "" {
+		ctx.Error(409)
+		return
+	}
+	challenge, err := u2f.NewChallenge(setting.U2F.AppID, setting.U2F.TrustedFacets)
+	if err != nil {
+		ctx.ServerError("NewChallenge", err)
+		return
+	}
+	err = ctx.Session.Set("u2fChallenge", challenge)
+	if err != nil {
+		ctx.ServerError("Session.Set", err)
+		return
+	}
+	regs, err := models.GetU2FRegistrationsByUID(ctx.User.ID)
+	if err != nil {
+		ctx.ServerError("GetU2FRegistrationsByUID", err)
+		return
+	}
+	for _, reg := range regs {
+		if reg.Name == form.Name {
+			ctx.Error(409, "Name already taken")
+			return
+		}
+	}
+	ctx.Session.Set("u2fName", form.Name)
+	ctx.JSON(200, u2f.NewWebRegisterRequest(challenge, regs.ToRegistrations()))
+}
+
+// U2FRegisterPost receives the response of the security key
+func U2FRegisterPost(ctx *context.Context, response u2f.RegisterResponse) {
+	challSess := ctx.Session.Get("u2fChallenge")
+	u2fName := ctx.Session.Get("u2fName")
+	if challSess == nil || u2fName == nil {
+		ctx.ServerError("U2FRegisterPost", errors.New("not in U2F session"))
+		return
+	}
+	challenge := challSess.(*u2f.Challenge)
+	name := u2fName.(string)
+	config := &u2f.Config{
+		// Chrome 66+ doesn't return the device's attestation
+		// certificate by default.
+		SkipAttestationVerify: true,
+	}
+	reg, err := u2f.Register(response, *challenge, config)
+	if err != nil {
+		ctx.ServerError("u2f.Register", err)
+		return
+	}
+	if _, err = models.CreateRegistration(ctx.User, name, reg); err != nil {
+		ctx.ServerError("u2f.Register", err)
+		return
+	}
+	ctx.Status(200)
+}
+
+// U2FDelete deletes an security key by id
+func U2FDelete(ctx *context.Context, form auth.U2FDeleteForm) {
+	reg, err := models.GetU2FRegistrationByID(form.ID)
+	if err != nil {
+		if models.IsErrU2FRegistrationNotExist(err) {
+			ctx.Status(200)
+			return
+		}
+		ctx.ServerError("GetU2FRegistrationByID", err)
+		return
+	}
+	if reg.UserID != ctx.User.ID {
+		ctx.Status(401)
+		return
+	}
+	if err := models.DeleteRegistration(reg); err != nil {
+		ctx.ServerError("DeleteRegistration", err)
+		return
+	}
+	ctx.JSON(200, map[string]interface{}{
+		"redirect": setting.AppSubURL + "/user/settings/security",
+	})
+	return
+}