feat(webauthn) Add config backend and cleanup

issue #6013

feat(webauthn) Add config backend and cleanup
issue #6013
d2bce9cc · Côme Chilliet · 5dbb35cc · d2bce9cc · d2bce9cc · d2bce9cc
Verified Commit d2bce9cc authored 5 years ago by Côme Chilliet
Hide whitespace changes
Inline Side-by-side

Showing

with 87 additions and 106 deletions
+87 -106
--- a/webauthn/config/webauthn/class_WebauthnConfig.inc
+++ b/webauthn/config/webauthn/class_WebauthnConfig.inc
+<?php
+/*
+  This code is part of FusionDirectory (http://www.fusiondirectory.org/)
+
+  Copyright (C) 2018-2019 FusionDirectory
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; either version 2 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
+*/
+
+class webauthnConfig extends simplePlugin
+{
+  static function plInfo (): array
+  {
+    return [
+      'plShortName'     => _('WebAuthn'),
+      'plTitle'         => _('WebAuthn configuration'),
+      'plDescription'   => _('FusionDirectory WebAuthn plugin configuration'),
+      'plObjectClass'   => ['fdWebauthnPluginConf'],
+      'plCategory'      => ['configuration'],
+      'plObjectType'    => ['smallConfig'],
+
+      'plProvidedAcls'  => parent::generatePlProvidedAcls(static::getAttributesInfo())
+    ];
+  }
+
+  static function getAttributesInfo (): array
+  {
+    global $config;
+
+    return [
+      'main' => [
+        'name'  => _('WebAuthn'),
+        'attrs' => [
+          new SetAttribute(
+            new SelectAttribute(
+              _('Formats'), _('List of allowed formats'),
+              'fdWebauthnFormats', FALSE,
+              ['android-key','android-safetynet','fido-u2f','packed','none']
+            ),
+            ['android-key','fido-u2f','packed']
+          ),
+        ]
+      ],
+    ];
+  }
+}
--- a/webauthn/contrib/openldap/webauthn-fd-conf.schema
+++ b/webauthn/contrib/openldap/webauthn-fd-conf.schema
+##
+## webauthn-fd-conf.schema - Needed by Fusion Directory for managing webauthn plugin configuration backend
+##
+
+attributetype ( 1.3.6.1.4.1.38414.74.1.1 NAME 'fdWebauthnFormats'
+  DESC 'FusionDirectory - Allowed webauthn formats'
+  EQUALITY caseExactMatch
+  SUBSTR caseExactSubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+objectclass ( 1.3.6.1.4.1.38414.74.2.1 NAME 'fdWebauthnPluginConf'
+  DESC 'FusionDirectory webauthn plugin configuration'
+  SUP top AUXILIARY
+  MUST ( cn )
+  MAY (
+    fdWebauthnFormats
+  ) )
--- a/webauthn/include/login/class_LoginWebAuthnPost.inc
+++ b/webauthn/include/login/class_LoginWebAuthnPost.inc
@@ -49,7 +49,7 @@ class LoginWebAuthnPost extends LoginPost
        session::un_set('challenge');
        $return           = new stdClass();
        $return->success  = FALSE;
-        $return->msg      = "$ex";//->getMessage();
+        $return->msg      = $ex->getMessage();
        print(json_encode($return));
      }
      exit();
@@ -179,61 +179,11 @@ class LoginWebAuthnPost extends LoginPost
    exit();
  }

-  static protected function initWebAuthnObject ()
-  {
-    // Formats
-    $formats = [];
-    //~ if ($_GET['fmt_android-key']) {
-      $formats[] = 'android-key';
-    //~ }
-    //~ if ($_GET['fmt_android-safetynet']) {
-      $formats[] = 'android-safetynet';
-    //~ }
-    //~ if ($_GET['fmt_fido-u2f']) {
-      $formats[] = 'fido-u2f';
-    //~ }
-    //~ if ($_GET['fmt_none']) {
-      $formats[] = 'none';
-    //~ }
-    //~ if ($_GET['fmt_packed']) {
-      $formats[] = 'packed';
-    //~ }
-    //~ if ($_GET['fmt_tpm']) {
-      //~ $formats[] = 'tpm';
-    //~ }
-
-    // new Instance of the server library.
-    // make sure that $rpId is the domain name.
-    if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
-      $host = $_SERVER['HTTP_X_FORWARDED_HOST'];
-    } else {
-      $host = $_SERVER['SERVER_NAME'];
-    }
-    $WebAuthn = new \WebAuthn\WebAuthn('FusionDirectory', $host, $formats);
-
-    // add root certificates to validate new registrations
-    /*if ($_GET['solo']) {
-      $WebAuthn->addRootCertificates('rootCertificates/solo.pem');
-    }
-    if ($_GET['yubico']) {
-      $WebAuthn->addRootCertificates('rootCertificates/yubico.pem');
-    }
-    if ($_GET['hypersecu']) {
-      $WebAuthn->addRootCertificates('rootCertificates/hypersecu.pem');
-    }
-    if ($_GET['google']) {
-      $WebAuthn->addRootCertificates('rootCertificates/globalSign.pem');
-      $WebAuthn->addRootCertificates('rootCertificates/googleHardware.pem');
-    }*/
-
-    return $WebAuthn;
-  }
-
  static protected function getGetArgs ()
  {
    global $ui;

-    $WebAuthn = static::initWebAuthnObject();
+    $WebAuthn = webauthnAccount::initWebAuthnObject();

    $ids = [];
    $fdWebauthnRegistrations = session::get('fdWebauthnRegistrations');
@@ -253,7 +203,7 @@ class LoginWebAuthnPost extends LoginPost
  {
    global $config;

-    $WebAuthn = static::initWebAuthnObject();
+    $WebAuthn = webauthnAccount::initWebAuthnObject();

    $post = trim(file_get_contents('php://input'));
    if ($post) {
@@ -303,5 +253,7 @@ class LoginWebAuthnPost extends LoginPost
    logging::log('security', 'login', $ui->uid, [], 'Logged in successfully');
    session::set('connected', 1);
    session::set('DEBUGLEVEL', $config->get_cfg_value('DEBUGLEVEL'));
+    session::un_set('challenge');
+    session::un_set('fdWebauthnRegistrations');
  }
 }
--- a/webauthn/personal/webauthn/class_WebauthnRegistrationsAttribute.inc
+++ b/webauthn/personal/webauthn/class_WebauthnRegistrationsAttribute.inc
@@ -53,21 +53,6 @@ class WebauthnRegistrationsAttribute extends OrderedArrayAttribute
    ];
  }

-  /*protected function genRowIcons ($key, $value)
-  {
-    return ['', 0];
-  }
-
-  public function htmlIds (): array
-  {
-    return [];
-  }
-
-  function renderButtons ()
-  {
-    return '';
-  }*/
-
  function renderButtons ()
  {
    $id = $this->getHtmlId();

--- a/webauthn/personal/webauthn/class_webauthnAccount.inc
+++ b/webauthn/personal/webauthn/class_webauthnAccount.inc
@@ -72,6 +72,7 @@ class webauthnAccount extends simplePlugin
            throw new FusionDirectoryException('Unknown operation '.$_GET['webauthn']);
        }
      } catch (Throwable $ex) {
+        session::un_set('challenge');
        $return           = new stdClass();
        $return->success  = FALSE;
        $return->msg      = $ex->getMessage();
@@ -85,28 +86,12 @@ class webauthnAccount extends simplePlugin
    return parent::execute();
  }

-  protected function initWebAuthnObject ()
+  static public function initWebAuthnObject ()
  {
+    global $config;
+
    // Formats
-    $formats = array();
-    //~ if ($_GET['fmt_android-key']) {
-      $formats[] = 'android-key';
-    //~ }
-    //~ if ($_GET['fmt_android-safetynet']) {
-      $formats[] = 'android-safetynet';
-    //~ }
-    //~ if ($_GET['fmt_fido-u2f']) {
-      $formats[] = 'fido-u2f';
-    //~ }
-    //~ if ($_GET['fmt_none']) {
-      $formats[] = 'none';
-    //~ }
-    //~ if ($_GET['fmt_packed']) {
-      $formats[] = 'packed';
-    //~ }
-    //~ if ($_GET['fmt_tpm']) {
-      //~ $formats[] = 'tpm';
-    //~ }
+    $formats = $config->get_cfg_value('WebauthnFormats', ['android-key','fido-u2f','packed']);

    // new Instance of the server library.
    // make sure that $rpId is the domain name.
@@ -117,21 +102,6 @@ class webauthnAccount extends simplePlugin
    }
    $WebAuthn = new \WebAuthn\WebAuthn('FusionDirectory', $host, $formats);

-    // add root certificates to validate new registrations
-    /*if ($_GET['solo']) {
-      $WebAuthn->addRootCertificates('rootCertificates/solo.pem');
-    }
-    if ($_GET['yubico']) {
-      $WebAuthn->addRootCertificates('rootCertificates/yubico.pem');
-    }
-    if ($_GET['hypersecu']) {
-      $WebAuthn->addRootCertificates('rootCertificates/hypersecu.pem');
-    }
-    if ($_GET['google']) {
-      $WebAuthn->addRootCertificates('rootCertificates/globalSign.pem');
-      $WebAuthn->addRootCertificates('rootCertificates/googleHardware.pem');
-    }*/
-
    return $WebAuthn;
  }

@@ -139,9 +109,8 @@ class webauthnAccount extends simplePlugin
  {
    global $ui;

-    $WebAuthn = $this->initWebAuthnObject();
+    $WebAuthn = static::initWebAuthnObject();

-    //~ ($userId, $userName, $userDisplayName, $timeout=20, $requireResidentKey=false, $requireUserVerification=false, $excludeCredentialIds=array()) {
    $createArgs = $WebAuthn->getCreateArgs($ui->dn, $ui->uid, $ui->cn, 20, FALSE);

    session::set('challenge', $WebAuthn->getChallenge());
@@ -151,7 +120,7 @@ class webauthnAccount extends simplePlugin

  protected function processCreate ()
  {
-    $WebAuthn = $this->initWebAuthnObject();
+    $WebAuthn = static::initWebAuthnObject();

    $post = trim(file_get_contents('php://input'));
    if ($post) {