From 53db05a1f67fc974dba904ec158b2d67fa72df95 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Sun, 9 Feb 2020 20:06:08 +0100
Subject: Start with webauthn
Signed-off-by: Roeland Jago Douma
Signed-off-by: npmbuildbot[bot]
---
core/Controller/LoginController.php | 9 ++-
core/Controller/WebAuthnController.php | 117 +++++++++++++++++++++++++++++++++
2 files changed, 125 insertions(+), 1 deletion(-)
create mode 100644 core/Controller/WebAuthnController.php
(limited to 'core/Controller')
diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index 13aef8f67ab..b3f7bb310ba 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -34,6 +34,7 @@ namespace OC\Core\Controller;
 use OC\AppFramework\Http\Request;
 use OC\Authentication\Login\Chain;
 use OC\Authentication\Login\LoginData;
+use OC\Authentication\WebAuthn\Manager as WebAuthnManager;
 use OC\Security\Bruteforce\Throttler;
 use OC\User\Session;
 use OC_App;
@@ -80,6 +81,8 @@ class LoginController extends Controller {
 private $loginChain;
 /** @var IInitialStateService */
 private $initialStateService;
+ /** @var WebAuthnManager */
+ private $webAuthnManager;
 
 public function __construct(?string $appName,
 IRequest $request,
@@ -92,7 +95,8 @@ class LoginController extends Controller {
 Defaults $defaults,
 Throttler $throttler,
 Chain $loginChain,
- IInitialStateService $initialStateService) {
+ IInitialStateService $initialStateService,
+ WebAuthnManager $webAuthnManager) {
 parent::__construct($appName, $request);
 $this->userManager = $userManager;
 $this->config = $config;
@@ -104,6 +108,7 @@ class LoginController extends Controller {
 $this->throttler = $throttler;
 $this->loginChain = $loginChain;
 $this->initialStateService = $initialStateService;
+ $this->webAuthnManager = $webAuthnManager;
 }
 
 /**
@@ -181,6 +186,8 @@ class LoginController extends Controller {
 $this->setPasswordResetInitialState($user);
 
+ $this->initialStateService->provideInitialState('core', 'webauthn-available', $this->webAuthnManager->isWebAuthnAvailable());
+
 // OpenGraph Support: http://ogp.me/
 Util::addHeader('meta', ['property' => 'og:title', 'content' => Util::sanitizeHTML($this->defaults->getName())]);
 Util::addHeader('meta', ['property' => 'og:description', 'content' => Util::sanitizeHTML($this->defaults->getSlogan())]);
diff --git a/core/Controller/WebAuthnController.php b/core/Controller/WebAuthnController.php
new file mode 100644
index 00000000000..0b98a58c1eb
--- /dev/null
+++ b/core/Controller/WebAuthnController.php
@@ -0,0 +1,117 @@
+
+ *
+ * @author Roeland Jago Douma
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ *
+ */
+
+namespace OC\Core\Controller;
+
+use OC\Authentication\Login\LoginData;
+use OC\Authentication\Login\WebAuthnChain;
+use OC\Authentication\WebAuthn\Manager;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\ILogger;
+use OCP\IRequest;
+use OCP\ISession;
+use OCP\Util;
+use Webauthn\PublicKeyCredentialRequestOptions;
+
+class WebAuthnController extends Controller {
+
+ private const WEBAUTHN_LOGIN = 'webauthn_login';
+ private const WEBAUTHN_LOGIN_UID = 'webauthn_login_uid';
+
+ /** @var Manager */
+ private $webAuthnManger;
+
+ /** @var ISession */
+ private $session;
+
+ /** @var ILogger */
+ private $logger;
+
+ /** @var WebAuthnChain */
+ private $webAuthnChain;
+
+ public function __construct($appName, IRequest $request, Manager $webAuthnManger, ISession $session, ILogger $logger, WebAuthnChain $webAuthnChain) {
+ parent::__construct($appName, $request);
+
+ $this->webAuthnManger = $webAuthnManger;
+ $this->session = $session;
+ $this->logger = $logger;
+ $this->webAuthnChain = $webAuthnChain;
+ }
+
+ /**
+ * @NoAdminRequired
+ * @PublicPage
+ * @UseSession
+ */
+ public function startAuthentication(string $loginName): JSONResponse {
+
$this->logger->debug('Starting WebAuthn login');
+
+ $this->logger->debug('Converting login name to UID');
+ $uid = $loginName;
+ Util::emitHook(
+ '\OCA\Files_Sharing\API\Server2Server',
+ 'preLoginNameUsedAsUserName',
+ array('uid' => &$uid)
+ );
+ $this->logger->debug('Got UID: ' . $uid);
+
+ $publicKeyCredentialRequestOptions = $this->webAuthnManger->startAuthentication($uid, $this->request->getServerHost());
+ $this->session->set(self::WEBAUTHN_LOGIN, json_encode($publicKeyCredentialRequestOptions));
+ $this->session->set(self::WEBAUTHN_LOGIN_UID, $uid);
+
+ return new JSONResponse($publicKeyCredentialRequestOptions);
+ }
+
+ /**
+ * @NoAdminRequired
+ * @PublicPage
+ * @UseSession
+ */
+ public function finishAuthentication(string $data): JSONResponse {
+ $this->logger->debug('Validating WebAuthn login');
+
+ if (!$this->session->exists(self::WEBAUTHN_LOGIN) || !$this->session->exists(self::WEBAUTHN_LOGIN_UID)) {
+ $this->logger->debug('Trying to finish WebAuthn login without session data');
+ return new JSONResponse([], Http::STATUS_BAD_REQUEST);
+ }
+
+ // Obtain the publicKeyCredentialOptions from when we started the registration
+ $publicKeyCredentialRequestOptions = PublicKeyCredentialRequestOptions::createFromString($this->session->get(self::WEBAUTHN_LOGIN));
+ $uid = $this->session->get(self::WEBAUTHN_LOGIN_UID);
+ $this->webAuthnManger->finishAuthentication($publicKeyCredentialRequestOptions, $data, $uid);
+
+ //TODO: add other parameters
+ $loginData = new LoginData(
+ $this->request,
+ $uid,
+ ''
+ );
+ $this->webAuthnChain->process($loginData);
+
+ return new JSONResponse([]);
+ }
+}
--
cgit v1.2.3
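Review bot: finishAuthentication reads WEBAUTHN_LOGIN and WEBAUTHN_LOGIN_UID from the session but never removes them, so the stored challenge stays valid for any number of further finishAuthentication calls in that session; a WebAuthn challenge should be single-use, so drop both keys right after loading them: `$this->session->remove(self::WEBAUTHN_LOGIN);` and `$this->session->remove(self::WEBAUTHN_LOGIN_UID);`. Neither public endpoint goes through the Throttler that LoginController injects, and what Manager::finishAuthentication does on a bad assertion is not visible here — if it throws, the failure surfaces as an uncaught exception rather than a logged 4xx, so consider catching it and returning `Http::STATUS_FORBIDDEN`. The comment above createFromString says "from when we started the registration" but this is the authentication flow; `// Obtain the request options stored by startAuthentication()` would be accurate. The property and constructor parameter are spelled `$webAuthnManger`; renaming to `$webAuthnManager` matches LoginController and the Manager class, and `$appName` in the constructor is the only untyped parameter.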