2022-06-29 19:46:41 -04:00
|
|
|
|
using System.Text.Json;
|
2023-04-14 13:25:56 -04:00
|
|
|
|
using Bit.Core.Auth.Enums;
|
|
|
|
|
|
using Bit.Core.Auth.Models;
|
2022-01-11 10:40:51 +01:00
|
|
|
|
using Bit.Core.Entities;
|
2021-03-22 23:21:43 +01:00
|
|
|
|
using Bit.Core.Services;
|
|
|
|
|
|
using Bit.Core.Settings;
|
|
|
|
|
|
using Bit.Core.Utilities;
|
|
|
|
|
|
using Fido2NetLib;
|
|
|
|
|
|
using Fido2NetLib.Objects;
|
|
|
|
|
|
using Microsoft.AspNetCore.Identity;
|
|
|
|
|
|
using Microsoft.Extensions.DependencyInjection;
|
|
|
|
|
|
|
2023-04-14 13:25:56 -04:00
|
|
|
|
namespace Bit.Core.Auth.Identity;
|
2022-08-29 16:06:55 -04:00
|
|
|
|
|
2021-03-22 23:21:43 +01:00
|
|
|
|
public class WebAuthnTokenProvider : IUserTwoFactorTokenProvider<User>
|
|
|
|
|
|
{
|
|
|
|
|
|
private readonly IServiceProvider _serviceProvider;
|
|
|
|
|
|
private readonly IFido2 _fido2;
|
|
|
|
|
|
private readonly GlobalSettings _globalSettings;
|
2022-08-29 16:06:55 -04:00
|
|
|
|
|
2021-03-22 23:21:43 +01:00
|
|
|
|
public WebAuthnTokenProvider(IServiceProvider serviceProvider, IFido2 fido2, GlobalSettings globalSettings)
|
|
|
|
|
|
{
|
|
|
|
|
|
_serviceProvider = serviceProvider;
|
|
|
|
|
|
_fido2 = fido2;
|
|
|
|
|
|
_globalSettings = globalSettings;
|
2022-08-29 16:06:55 -04:00
|
|
|
|
}
|
2021-03-22 23:21:43 +01:00
|
|
|
|
|
|
|
|
|
|
public async Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<User> manager, User user)
|
2022-08-29 16:06:55 -04:00
|
|
|
|
{
|
2021-03-22 23:21:43 +01:00
|
|
|
|
var userService = _serviceProvider.GetRequiredService<IUserService>();
|
|
|
|
|
|
if (!(await userService.CanAccessPremium(user)))
|
|
|
|
|
|
{
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var webAuthnProvider = user.GetTwoFactorProvider(TwoFactorProviderType.WebAuthn);
|
|
|
|
|
|
if (!HasProperMetaData(webAuthnProvider))
|
|
|
|
|
|
{
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return await userService.TwoFactorProviderIsEnabledAsync(TwoFactorProviderType.WebAuthn, user);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public async Task<string> GenerateAsync(string purpose, UserManager<User> manager, User user)
|
2022-08-29 16:06:55 -04:00
|
|
|
|
{
|
2021-03-22 23:21:43 +01:00
|
|
|
|
var userService = _serviceProvider.GetRequiredService<IUserService>();
|
|
|
|
|
|
if (!(await userService.CanAccessPremium(user)))
|
2022-08-29 16:06:55 -04:00
|
|
|
|
{
|
2021-03-22 23:21:43 +01:00
|
|
|
|
return null;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.WebAuthn);
|
|
|
|
|
|
var keys = LoadKeys(provider);
|
|
|
|
|
|
var existingCredentials = keys.Select(key => key.Item2.Descriptor).ToList();
|
|
|
|
|
|
|
|
|
|
|
|
if (existingCredentials.Count == 0)
|
2022-08-29 16:06:55 -04:00
|
|
|
|
{
|
2021-03-22 23:21:43 +01:00
|
|
|
|
return null;
|
2022-08-29 16:06:55 -04:00
|
|
|
|
}
|
2021-03-22 23:21:43 +01:00
|
|
|
|
|
|
|
|
|
|
var exts = new AuthenticationExtensionsClientInputs()
|
2022-08-29 16:06:55 -04:00
|
|
|
|
{
|
2021-03-22 23:21:43 +01:00
|
|
|
|
UserVerificationMethod = true,
|
|
|
|
|
|
AppID = CoreHelpers.U2fAppIdUrl(_globalSettings),
|
2022-08-29 15:53:48 -04:00
|
|
|
|
};
|
2021-03-22 23:21:43 +01:00
|
|
|
|
|
2021-03-31 16:20:15 +02:00
|
|
|
|
var options = _fido2.GetAssertionOptions(existingCredentials, UserVerificationRequirement.Discouraged, exts);
|
2021-03-22 23:21:43 +01:00
|
|
|
|
|
2022-01-24 18:13:43 +01:00
|
|
|
|
// TODO: Remove this when newtonsoft legacy converters are gone
|
|
|
|
|
|
provider.MetaData["login"] = JsonSerializer.Serialize(options);
|
2021-03-22 23:21:43 +01:00
|
|
|
|
|
|
|
|
|
|
var providers = user.GetTwoFactorProviders();
|
|
|
|
|
|
providers[TwoFactorProviderType.WebAuthn] = provider;
|
|
|
|
|
|
user.SetTwoFactorProviders(providers);
|
|
|
|
|
|
await userService.UpdateTwoFactorProviderAsync(user, TwoFactorProviderType.WebAuthn, logEvent: false);
|
|
|
|
|
|
|
|
|
|
|
|
return options.ToJson();
|
2022-08-29 16:06:55 -04:00
|
|
|
|
}
|
2021-03-22 23:21:43 +01:00
|
|
|
|
|
|
|
|
|
|
public async Task<bool> ValidateAsync(string purpose, string token, UserManager<User> manager, User user)
|
2022-08-29 16:06:55 -04:00
|
|
|
|
{
|
2021-03-22 23:21:43 +01:00
|
|
|
|
var userService = _serviceProvider.GetRequiredService<IUserService>();
|
|
|
|
|
|
if (!(await userService.CanAccessPremium(user)) || string.IsNullOrWhiteSpace(token))
|
2022-08-29 16:06:55 -04:00
|
|
|
|
{
|
2021-03-22 23:21:43 +01:00
|
|
|
|
return false;
|
2022-08-29 15:53:48 -04:00
|
|
|
|
}
|
2021-03-22 23:21:43 +01:00
|
|
|
|
|
|
|
|
|
|
var provider = user.GetTwoFactorProvider(TwoFactorProviderType.WebAuthn);
|
|
|
|
|
|
var keys = LoadKeys(provider);
|
|
|
|
|
|
|
|
|
|
|
|
if (!provider.MetaData.ContainsKey("login"))
|
2022-08-29 16:06:55 -04:00
|
|
|
|
{
|
2021-03-22 23:21:43 +01:00
|
|
|
|
return false;
|
2022-08-29 16:06:55 -04:00
|
|
|
|
}
|
2021-03-22 23:21:43 +01:00
|
|
|
|
|
2022-01-24 18:13:43 +01:00
|
|
|
|
var clientResponse = JsonSerializer.Deserialize<AuthenticatorAssertionRawResponse>(token,
|
|
|
|
|
|
new JsonSerializerOptions { PropertyNameCaseInsensitive = true });
|
2021-03-22 23:21:43 +01:00
|
|
|
|
|
|
|
|
|
|
var jsonOptions = provider.MetaData["login"].ToString();
|
|
|
|
|
|
var options = AssertionOptions.FromJson(jsonOptions);
|
|
|
|
|
|
|
|
|
|
|
|
var webAuthCred = keys.Find(k => k.Item2.Descriptor.Id.SequenceEqual(clientResponse.Id));
|
|
|
|
|
|
|
|
|
|
|
|
if (webAuthCred == null)
|
2022-08-29 16:06:55 -04:00
|
|
|
|
{
|
2021-03-22 23:21:43 +01:00
|
|
|
|
return false;
|
2022-08-29 16:06:55 -04:00
|
|
|
|
}
|
2021-03-22 23:21:43 +01:00
|
|
|
|
|
2023-01-19 11:06:51 -05:00
|
|
|
|
// Callback to check user ownership of credential. Always return true since we have already
|
|
|
|
|
|
// established ownership in this context.
|
|
|
|
|
|
IsUserHandleOwnerOfCredentialIdAsync callback = (args, cancellationToken) => Task.FromResult(true);
|
2021-03-22 23:21:43 +01:00
|
|
|
|
|
|
|
|
|
|
var res = await _fido2.MakeAssertionAsync(clientResponse, options, webAuthCred.Item2.PublicKey, webAuthCred.Item2.SignatureCounter, callback);
|
|
|
|
|
|
|
|
|
|
|
|
provider.MetaData.Remove("login");
|
|
|
|
|
|
|
|
|
|
|
|
// Update SignatureCounter
|
|
|
|
|
|
webAuthCred.Item2.SignatureCounter = res.Counter;
|
|
|
|
|
|
|
|
|
|
|
|
var providers = user.GetTwoFactorProviders();
|
|
|
|
|
|
providers[TwoFactorProviderType.WebAuthn].MetaData[webAuthCred.Item1] = webAuthCred.Item2;
|
|
|
|
|
|
user.SetTwoFactorProviders(providers);
|
|
|
|
|
|
await userService.UpdateTwoFactorProviderAsync(user, TwoFactorProviderType.WebAuthn, logEvent: false);
|
|
|
|
|
|
|
|
|
|
|
|
return res.Status == "ok";
|
2022-08-29 16:06:55 -04:00
|
|
|
|
}
|
2021-03-22 23:21:43 +01:00
|
|
|
|
|
|
|
|
|
|
private bool HasProperMetaData(TwoFactorProvider provider)
|
2022-08-29 16:06:55 -04:00
|
|
|
|
{
|
2021-03-22 23:21:43 +01:00
|
|
|
|
return provider?.MetaData?.Any() ?? false;
|
2022-08-29 15:53:48 -04:00
|
|
|
|
}
|
|
|
|
|
|
|
2021-03-22 23:21:43 +01:00
|
|
|
|
private List<Tuple<string, TwoFactorProvider.WebAuthnData>> LoadKeys(TwoFactorProvider provider)
|
2022-08-29 16:06:55 -04:00
|
|
|
|
{
|
2021-03-22 23:21:43 +01:00
|
|
|
|
var keys = new List<Tuple<string, TwoFactorProvider.WebAuthnData>>();
|
|
|
|
|
|
if (!HasProperMetaData(provider))
|
|
|
|
|
|
{
|
|
|
|
|
|
return keys;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Support up to 5 keys
|
|
|
|
|
|
for (var i = 1; i <= 5; i++)
|
|
|
|
|
|
{
|
|
|
|
|
|
var keyName = $"Key{i}";
|
|
|
|
|
|
if (provider.MetaData.ContainsKey(keyName))
|
|
|
|
|
|
{
|
|
|
|
|
|
var key = new TwoFactorProvider.WebAuthnData((dynamic)provider.MetaData[keyName]);
|
|
|
|
|
|
|
|
|
|
|
|
keys.Add(new Tuple<string, TwoFactorProvider.WebAuthnData>(keyName, key));
|
|
|
|
|
|
}
|
2022-08-29 15:53:48 -04:00
|
|
|
|
}
|
2022-08-29 16:06:55 -04:00
|
|
|
|
|
2021-03-22 23:21:43 +01:00
|
|
|
|
return keys;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
