Commit d2bce9cc authored by Côme Chilliet's avatar Côme Chilliet

feat(webauthn) Add config backend and cleanup

issue #6013
parent 5dbb35cc
<?php
/*
This code is part of FusionDirectory (http://www.fusiondirectory.org/)
Copyright (C) 2018-2019 FusionDirectory
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*/
class webauthnConfig extends simplePlugin
{
static function plInfo (): array
{
return [
'plShortName' => _('WebAuthn'),
'plTitle' => _('WebAuthn configuration'),
'plDescription' => _('FusionDirectory WebAuthn plugin configuration'),
'plObjectClass' => ['fdWebauthnPluginConf'],
'plCategory' => ['configuration'],
'plObjectType' => ['smallConfig'],
'plProvidedAcls' => parent::generatePlProvidedAcls(static::getAttributesInfo())
];
}
static function getAttributesInfo (): array
{
global $config;
return [
'main' => [
'name' => _('WebAuthn'),
'attrs' => [
new SetAttribute(
new SelectAttribute(
_('Formats'), _('List of allowed formats'),
'fdWebauthnFormats', FALSE,
['android-key','android-safetynet','fido-u2f','packed','none']
),
['android-key','fido-u2f','packed']
),
]
],
];
}
}
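Review bot: `global $config;` on the first line of getAttributesInfo is never read in the method body and should be dropped. The default list `['android-key','fido-u2f','packed']` given to SetAttribute here is repeated verbatim as the get_cfg_value fallback in webauthnAccount::initWebAuthnObject in this same commit; a single `const DEFAULT_FORMATS = ['android-key','fido-u2f','packed'];` on webauthnConfig, referenced from both places, keeps the two from drifting apart. A short class docblock saying that fdWebauthnFormats is the list of formats the WebAuthn server library is allowed to accept would also help, since nothing in the new file explains what the setting affects.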
##
## webauthn-fd-conf.schema - Needed by Fusion Directory for managing webauthn plugin configuration backend
##
attributetype ( 1.3.6.1.4.1.38414.74.1.1 NAME 'fdWebauthnFormats'
DESC 'FusionDirectory - Allowed webauthn formats'
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.38414.74.2.1 NAME 'fdWebauthnPluginConf'
DESC 'FusionDirectory webauthn plugin configuration'
SUP top AUXILIARY
MUST ( cn )
MAY (
fdWebauthnFormats
) )
......@@ -49,7 +49,7 @@ class LoginWebAuthnPost extends LoginPost
session::un_set('challenge');
$return = new stdClass();
$return->success = FALSE;
$return->msg = "$ex";//->getMessage();
$return->msg = $ex->getMessage();
print(json_encode($return));
}
exit();
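Review bot: The replacement `$return->msg = $ex->getMessage();` sends the raw exception text to the client on the login path, where the caller is not yet authenticated; library and server-side messages can expose configuration details a caller should not see. Logging the message server side and returning a fixed text, e.g. `$return->msg = _('WebAuthn authentication failed');`, keeps the same JSON shape for the front end. The catch block this hunk belongs to starts outside the hunk.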
......@@ -179,61 +179,11 @@ class LoginWebAuthnPost extends LoginPost
exit();
}
static protected function initWebAuthnObject ()
{
// Formats
$formats = [];
//~ if ($_GET['fmt_android-key']) {
$formats[] = 'android-key';
//~ }
//~ if ($_GET['fmt_android-safetynet']) {
$formats[] = 'android-safetynet';
//~ }
//~ if ($_GET['fmt_fido-u2f']) {
$formats[] = 'fido-u2f';
//~ }
//~ if ($_GET['fmt_none']) {
$formats[] = 'none';
//~ }
//~ if ($_GET['fmt_packed']) {
$formats[] = 'packed';
//~ }
//~ if ($_GET['fmt_tpm']) {
//~ $formats[] = 'tpm';
//~ }
// new Instance of the server library.
// make sure that $rpId is the domain name.
if (!empty($_SERVER['HTTP_X_FORWARDED_HOST'])) {
$host = $_SERVER['HTTP_X_FORWARDED_HOST'];
} else {
$host = $_SERVER['SERVER_NAME'];
}
$WebAuthn = new \WebAuthn\WebAuthn('FusionDirectory', $host, $formats);
// add root certificates to validate new registrations
/*if ($_GET['solo']) {
$WebAuthn->addRootCertificates('rootCertificates/solo.pem');
}
if ($_GET['yubico']) {
$WebAuthn->addRootCertificates('rootCertificates/yubico.pem');
}
if ($_GET['hypersecu']) {
$WebAuthn->addRootCertificates('rootCertificates/hypersecu.pem');
}
if ($_GET['google']) {
$WebAuthn->addRootCertificates('rootCertificates/globalSign.pem');
$WebAuthn->addRootCertificates('rootCertificates/googleHardware.pem');
}*/
return $WebAuthn;
}
static protected function getGetArgs ()
{
global $ui;
$WebAuthn = static::initWebAuthnObject();
$WebAuthn = webauthnAccount::initWebAuthnObject();
$ids = [];
$fdWebauthnRegistrations = session::get('fdWebauthnRegistrations');
......@@ -253,7 +203,7 @@ class LoginWebAuthnPost extends LoginPost
{
global $config;
$WebAuthn = static::initWebAuthnObject();
$WebAuthn = webauthnAccount::initWebAuthnObject();
$post = trim(file_get_contents('php://input'));
if ($post) {
......@@ -303,5 +253,7 @@ class LoginWebAuthnPost extends LoginPost
logging::log('security', 'login', $ui->uid, [], 'Logged in successfully');
session::set('connected', 1);
session::set('DEBUGLEVEL', $config->get_cfg_value('DEBUGLEVEL'));
session::un_set('challenge');
session::un_set('fdWebauthnRegistrations');
}
}
......@@ -53,21 +53,6 @@ class WebauthnRegistrationsAttribute extends OrderedArrayAttribute
];
}
/*protected function genRowIcons ($key, $value)
{
return ['', 0];
}
public function htmlIds (): array
{
return [];
}
function renderButtons ()
{
return '';
}*/
function renderButtons ()
{
$id = $this->getHtmlId();
......
......@@ -72,6 +72,7 @@ class webauthnAccount extends simplePlugin
throw new FusionDirectoryException('Unknown operation '.$_GET['webauthn']);
}
} catch (Throwable $ex) {
session::un_set('challenge');
$return = new stdClass();
$return->success = FALSE;
$return->msg = $ex->getMessage();
......@@ -85,28 +86,12 @@ class webauthnAccount extends simplePlugin
return parent::execute();
}
protected function initWebAuthnObject ()
static public function initWebAuthnObject ()
{
global $config;
// Formats
$formats = array();
//~ if ($_GET['fmt_android-key']) {
$formats[] = 'android-key';
//~ }
//~ if ($_GET['fmt_android-safetynet']) {
$formats[] = 'android-safetynet';
//~ }
//~ if ($_GET['fmt_fido-u2f']) {
$formats[] = 'fido-u2f';
//~ }
//~ if ($_GET['fmt_none']) {
$formats[] = 'none';
//~ }
//~ if ($_GET['fmt_packed']) {
$formats[] = 'packed';
//~ }
//~ if ($_GET['fmt_tpm']) {
//~ $formats[] = 'tpm';
//~ }
$formats = $config->get_cfg_value('WebauthnFormats', ['android-key','fido-u2f','packed']);
// new Instance of the server library.
// make sure that $rpId is the domain name.
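Review bot: `static public function initWebAuthnObject ()` reverses the PSR-12 modifier order; it should read `public static function initWebAuthnObject ()`. The `$host` handed to the library between this hunk and the next is not visible here; the copy of this method removed from LoginWebAuthnPost took it from HTTP_X_FORWARDED_HOST when that header was present, and if this one does the same, the relying-party id depends on a request header that is only reliable behind a proxy that overwrites it, so a configured RP id (or at least a comment stating that assumption) is worth adding now that the rest of the WebAuthn setup is configurable. initWebAuthnObject continues past the end of this hunk.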
......@@ -117,21 +102,6 @@ class webauthnAccount extends simplePlugin
}
$WebAuthn = new \WebAuthn\WebAuthn('FusionDirectory', $host, $formats);
// add root certificates to validate new registrations
/*if ($_GET['solo']) {
$WebAuthn->addRootCertificates('rootCertificates/solo.pem');
}
if ($_GET['yubico']) {
$WebAuthn->addRootCertificates('rootCertificates/yubico.pem');
}
if ($_GET['hypersecu']) {
$WebAuthn->addRootCertificates('rootCertificates/hypersecu.pem');
}
if ($_GET['google']) {
$WebAuthn->addRootCertificates('rootCertificates/globalSign.pem');
$WebAuthn->addRootCertificates('rootCertificates/googleHardware.pem');
}*/
return $WebAuthn;
}
......@@ -139,9 +109,8 @@ class webauthnAccount extends simplePlugin
{
global $ui;
$WebAuthn = $this->initWebAuthnObject();
$WebAuthn = static::initWebAuthnObject();
//~ ($userId, $userName, $userDisplayName, $timeout=20, $requireResidentKey=false, $requireUserVerification=false, $excludeCredentialIds=array()) {
$createArgs = $WebAuthn->getCreateArgs($ui->dn, $ui->uid, $ui->cn, 20, FALSE);
session::set('challenge', $WebAuthn->getChallenge());
......@@ -151,7 +120,7 @@ class webauthnAccount extends simplePlugin
protected function processCreate ()
{
$WebAuthn = $this->initWebAuthnObject();
$WebAuthn = static::initWebAuthnObject();
$post = trim(file_get_contents('php://input'));
if ($post) {
......
  • SonarQube analysis reported 1 issue

    • 1 major

    Note: The following issues were found on lines that were not modified in the commit. Because these issues can't be reported as line comments, they are summarized here:

    1. Define and throw a dedicated exception instead of using a generic one. 📘