proxmox-mirrors/proxmox
1
0
Fork 1
mirror of https://git.proxmox.com/git/proxmox synced 2025-08-07 07:38:59 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

tfa: make configured webauthn origin optional

Browse Source 
and add a webauthn origin override parameter to all methods
accessing it

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2021-11-26 14:55:22 +01:00 committed by Thomas Lamprecht
parent 508c1e7c85
commit 637188d4ba
3 changed files with 79 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
proxmox-tfa/src/api/methods.rs
View File

@ -317,6 +317,7 @@ pub fn add_tfa_entry<A: OpenUserChallengeData>(
value: Option<String>, value: Option<String>,
challenge: Option<String>, challenge: Option<String>,
r#type: TfaType, r#type: TfaType,
origin: Option<&url::Url>,
) -> Result<TfaUpdateInfo, Error> { ) -> Result<TfaUpdateInfo, Error> {
match r#type { match r#type {
TfaType::Totp => { TfaType::Totp => {
@ -331,7 +332,15 @@ pub fn add_tfa_entry<A: OpenUserChallengeData>(
bail!("'totp' parameter is invalid for 'webauthn' entries"); bail!("'totp' parameter is invalid for 'webauthn' entries");
} }
add_webauthn(config, access, userid, description, challenge, value) add_webauthn(
config,
access,
userid,
description,
challenge,
value,
origin,
)
} }
TfaType::U2f => { TfaType::U2f => {
if totp.is_some() { if totp.is_some() {
@ -436,10 +445,16 @@ fn add_webauthn<A: OpenUserChallengeData>(
description: Option<String>, description: Option<String>,
challenge: Option<String>, challenge: Option<String>,
value: Option<String>, value: Option<String>,
origin: Option<&url::Url>,
) -> Result<TfaUpdateInfo, Error> { ) -> Result<TfaUpdateInfo, Error> {
match challenge { match challenge {
None => config None => config
.webauthn_registration_challenge(access, &userid, need_description(description)?) .webauthn_registration_challenge(
access,
&userid,
need_description(description)?,
origin,
)
.map(|c| TfaUpdateInfo { .map(|c| TfaUpdateInfo {
challenge: Some(c), challenge: Some(c),
..Default::default() ..Default::default()
@ -449,7 +464,7 @@ fn add_webauthn<A: OpenUserChallengeData>(
format_err!("missing 'value' parameter (webauthn challenge response missing)") format_err!("missing 'value' parameter (webauthn challenge response missing)")
})?; })?;
config config
.webauthn_registration_finish(access, &userid, &challenge, &value) .webauthn_registration_finish(access, &userid, &challenge, &value, origin)
.map(TfaUpdateInfo::id) .map(TfaUpdateInfo::id)
} }
} }

45
proxmox-tfa/src/api/mod.rs
View File

@ -9,6 +9,7 @@ use std::collections::HashMap;
use anyhow::{bail, format_err, Error}; use anyhow::{bail, format_err, Error};
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use serde_json::Value; use serde_json::Value;
use url::Url;
use webauthn_rs::{proto::UserVerificationPolicy, Webauthn}; use webauthn_rs::{proto::UserVerificationPolicy, Webauthn};
@ -28,6 +29,7 @@ pub mod methods;
pub use recovery::RecoveryState; pub use recovery::RecoveryState;
pub use u2f::U2fConfig; pub use u2f::U2fConfig;
use webauthn::WebauthnConfigInstance;
pub use webauthn::{WebauthnConfig, WebauthnCredential}; pub use webauthn::{WebauthnConfig, WebauthnCredential};
#[cfg(feature = "api-types")] #[cfg(feature = "api-types")]
@ -93,15 +95,22 @@ fn check_u2f(u2f: &Option<U2fConfig>) -> Result<u2f::U2f, Error> {
/// Helper to get a `Webauthn` instance from a `WebauthnConfig`, or `None` if there isn't one /// Helper to get a `Webauthn` instance from a `WebauthnConfig`, or `None` if there isn't one
/// configured. /// configured.
fn get_webauthn(waconfig: &Option<WebauthnConfig>) -> Option<Webauthn<WebauthnConfig>> { fn get_webauthn<'a, 'config: 'a, 'origin: 'a>(
waconfig.clone().map(Webauthn::new) waconfig: &'config Option<WebauthnConfig>,
origin: Option<&'origin Url>,
) -> Option<Result<Webauthn<WebauthnConfigInstance<'a>>, Error>> {
Some(waconfig.as_ref()?.instantiate(origin).map(Webauthn::new))
} }
/// Helper to get a u2f instance from a u2f config. /// Helper to get a u2f instance from a u2f config.
/// ///
/// This is outside of `TfaConfig` to not borrow its `&self`. /// This is outside of `TfaConfig` to not borrow its `&self`.
fn check_webauthn(waconfig: &Option<WebauthnConfig>) -> Result<Webauthn<WebauthnConfig>, Error> { fn check_webauthn<'a, 'config: 'a, 'origin: 'a>(
get_webauthn(waconfig).ok_or_else(|| format_err!("no webauthn configuration available")) waconfig: &'config Option<WebauthnConfig>,
origin: Option<&'origin Url>,
) -> Result<Webauthn<WebauthnConfigInstance<'a>>, Error> {
get_webauthn(waconfig, origin)
.ok_or_else(|| format_err!("no webauthn configuration available"))?
} }
impl TfaConfig { impl TfaConfig {
@ -142,8 +151,9 @@ impl TfaConfig {
access: A, access: A,
user: &str, user: &str,
description: String, description: String,
origin: Option<&Url>,
) -> Result<String, Error> { ) -> Result<String, Error> {
let webauthn = check_webauthn(&self.webauthn)?; let webauthn = check_webauthn(&self.webauthn, origin)?;
self.users self.users
.entry(user.to_owned()) .entry(user.to_owned())
@ -158,8 +168,9 @@ impl TfaConfig {
userid: &str, userid: &str,
challenge: &str, challenge: &str,
response: &str, response: &str,
origin: Option<&Url>,
) -> Result<String, Error> { ) -> Result<String, Error> {
let webauthn = check_webauthn(&self.webauthn)?; let webauthn = check_webauthn(&self.webauthn, origin)?;
let response: webauthn_rs::proto::RegisterPublicKeyCredential = let response: webauthn_rs::proto::RegisterPublicKeyCredential =
serde_json::from_str(response) serde_json::from_str(response)
@ -208,12 +219,13 @@ impl TfaConfig {
&mut self, &mut self,
access: A, access: A,
userid: &str, userid: &str,
origin: Option<&Url>,
) -> Result<Option<TfaChallenge>, Error> { ) -> Result<Option<TfaChallenge>, Error> {
match self.users.get_mut(userid) { match self.users.get_mut(userid) {
Some(udata) => udata.challenge( Some(udata) => udata.challenge(
access, access,
userid, userid,
get_webauthn(&self.webauthn), get_webauthn(&self.webauthn, origin),
get_u2f(&self.u2f).as_ref(), get_u2f(&self.u2f).as_ref(),
), ),
None => Ok(None), None => Ok(None),
@ -227,6 +239,7 @@ impl TfaConfig {
userid: &str, userid: &str,
challenge: &TfaChallenge, challenge: &TfaChallenge,
response: TfaResponse, response: TfaResponse,
origin: Option<&Url>,
) -> Result<NeedsSaving, Error> { ) -> Result<NeedsSaving, Error> {
match self.users.get_mut(userid) { match self.users.get_mut(userid) {
Some(user) => match response { Some(user) => match response {
@ -239,7 +252,7 @@ impl TfaConfig {
None => bail!("no u2f factor available for user '{}'", userid), None => bail!("no u2f factor available for user '{}'", userid),
}, },
TfaResponse::Webauthn(value) => { TfaResponse::Webauthn(value) => {
let webauthn = check_webauthn(&self.webauthn)?; let webauthn = check_webauthn(&self.webauthn, origin)?;
user.verify_webauthn(access.clone(), userid, webauthn, value) user.verify_webauthn(access.clone(), userid, webauthn, value)
} }
TfaResponse::Recovery(value) => { TfaResponse::Recovery(value) => {
@ -424,7 +437,7 @@ impl TfaUserData {
fn webauthn_registration_challenge<A: OpenUserChallengeData>( fn webauthn_registration_challenge<A: OpenUserChallengeData>(
&mut self, &mut self,
access: A, access: A,
webauthn: Webauthn<WebauthnConfig>, webauthn: Webauthn<WebauthnConfigInstance>,
userid: &str, userid: &str,
description: String, description: String,
) -> Result<String, Error> { ) -> Result<String, Error> {
@ -463,7 +476,7 @@ impl TfaUserData {
fn webauthn_registration_finish<A: OpenUserChallengeData>( fn webauthn_registration_finish<A: OpenUserChallengeData>(
&mut self, &mut self,
access: A, access: A,
webauthn: Webauthn<WebauthnConfig>, webauthn: Webauthn<WebauthnConfigInstance>,
userid: &str, userid: &str,
challenge: &str, challenge: &str,
response: webauthn_rs::proto::RegisterPublicKeyCredential, response: webauthn_rs::proto::RegisterPublicKeyCredential,
@ -555,11 +568,11 @@ impl TfaUserData {
} }
/// Generate a generic TFA challenge. See the [`TfaChallenge`] description for details. /// Generate a generic TFA challenge. See the [`TfaChallenge`] description for details.
pub fn challenge<A: OpenUserChallengeData>( fn challenge<A: OpenUserChallengeData>(
&mut self, &mut self,
access: A, access: A,
userid: &str, userid: &str,
webauthn: Option<Webauthn<WebauthnConfig>>, webauthn: Option<Result<Webauthn<WebauthnConfigInstance>, Error>>,
u2f: Option<&u2f::U2f>, u2f: Option<&u2f::U2f>,
) -> Result<Option<TfaChallenge>, Error> { ) -> Result<Option<TfaChallenge>, Error> {
if self.is_empty() { if self.is_empty() {
@ -570,7 +583,7 @@ impl TfaUserData {
totp: self.totp.iter().any(|e| e.info.enable), totp: self.totp.iter().any(|e| e.info.enable),
recovery: RecoveryState::from(&self.recovery), recovery: RecoveryState::from(&self.recovery),
webauthn: match webauthn { webauthn: match webauthn {
Some(webauthn) => self.webauthn_challenge(access.clone(), userid, webauthn)?, Some(webauthn) => self.webauthn_challenge(access.clone(), userid, webauthn?)?,
None => None, None => None,
}, },
u2f: match u2f { u2f: match u2f {
@ -591,7 +604,7 @@ impl TfaUserData {
&mut self, &mut self,
access: A, access: A,
userid: &str, userid: &str,
webauthn: Webauthn<WebauthnConfig>, webauthn: Webauthn<WebauthnConfigInstance>,
) -> Result<Option<webauthn_rs::proto::RequestChallengeResponse>, Error> { ) -> Result<Option<webauthn_rs::proto::RequestChallengeResponse>, Error> {
if self.webauthn.is_empty() { if self.webauthn.is_empty() {
return Ok(None); return Ok(None);
@ -703,7 +716,7 @@ impl TfaUserData {
&mut self, &mut self,
access: A, access: A,
userid: &str, userid: &str,
webauthn: Webauthn<WebauthnConfig>, webauthn: Webauthn<WebauthnConfigInstance>,
mut response: Value, mut response: Value,
) -> Result<(), Error> { ) -> Result<(), Error> {
let expire_before = proxmox_time::epoch_i64() - CHALLENGE_TIMEOUT_SECS; let expire_before = proxmox_time::epoch_i64() - CHALLENGE_TIMEOUT_SECS;
@ -995,7 +1008,7 @@ impl TfaUserChallenges {
/// `webauthn_registration_challenge`. The response should come directly from the client. /// `webauthn_registration_challenge`. The response should come directly from the client.
fn webauthn_registration_finish( fn webauthn_registration_finish(
&mut self, &mut self,
webauthn: Webauthn<WebauthnConfig>, webauthn: Webauthn<WebauthnConfigInstance>,
challenge: &str, challenge: &str,
response: webauthn_rs::proto::RegisterPublicKeyCredential, response: webauthn_rs::proto::RegisterPublicKeyCredential,
existing_registrations: &[TfaEntry<WebauthnCredential>], existing_registrations: &[TfaEntry<WebauthnCredential>],

45
proxmox-tfa/src/api/webauthn.rs
View File

@ -1,6 +1,6 @@
//! Webauthn configuration and challenge data. //! Webauthn configuration and challenge data.
use anyhow::Error; use anyhow::{format_err, Error};
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use url::Url; use url::Url;
use webauthn_rs::proto::{COSEKey, Credential, CredentialID, UserVerificationPolicy}; use webauthn_rs::proto::{COSEKey, Credential, CredentialID, UserVerificationPolicy};
@ -50,7 +50,7 @@ impl Into<String> for OriginUrl {
#[cfg_attr(feature = "api-types", api( #[cfg_attr(feature = "api-types", api(
properties: { properties: {
rp: { type: String }, rp: { type: String },
origin: { type: String }, origin: { type: String, optional: true },
id: { type: String }, id: { type: String },
} }
))] ))]
@ -68,7 +68,8 @@ pub struct WebauthnConfig {
/// users type in their browsers to access the web interface. /// users type in their browsers to access the web interface.
/// ///
/// Changing this *may* break existing credentials. /// Changing this *may* break existing credentials.
pub origin: OriginUrl, #[serde(skip_serializing_if = "Option::is_none")]
pub origin: Option<OriginUrl>,
/// Relying party ID. Must be the domain name without protocol, port or location. /// Relying party ID. Must be the domain name without protocol, port or location.
/// ///
@ -78,31 +79,49 @@ pub struct WebauthnConfig {
impl WebauthnConfig { impl WebauthnConfig {
pub fn digest(&self) -> [u8; 32] { pub fn digest(&self) -> [u8; 32] {
let data = format!( let mut data = format!("rp={:?}\nid={:?}\n", self.rp, self.id,);
"rp={:?}\norigin={:?}\nid={:?}\n", if let Some(origin) = &self.origin {
self.rp, data.push_str(&format!("origin={:?}\n", origin.as_str()));
self.origin.0.as_str(), }
self.id,
);
openssl::sha::sha256(data.as_bytes()) openssl::sha::sha256(data.as_bytes())
} }
/// Instantiate a usable webauthn configuration instance.
pub(super) fn instantiate<'a, 'this: 'a, 'origin: 'a>(
&'this self,
origin: Option<&'origin Url>,
) -> Result<WebauthnConfigInstance<'a>, Error> {
Ok(WebauthnConfigInstance {
origin: origin
.or_else(|| self.origin.as_ref().map(|u| &u.0))
.ok_or_else(|| format_err!("missing webauthn origin"))?,
rp: &self.rp,
id: &self.id,
})
}
}
pub(super) struct WebauthnConfigInstance<'a> {
rp: &'a str,
origin: &'a Url,
id: &'a str,
} }
/// For now we just implement this on the configuration this way. /// For now we just implement this on the configuration this way.
/// ///
/// Note that we may consider changing this so `get_origin` returns the `Host:` header provided by /// Note that we may consider changing this so `get_origin` returns the `Host:` header provided by
/// the connecting client. /// the connecting client.
impl webauthn_rs::WebauthnConfig for WebauthnConfig { impl<'a> webauthn_rs::WebauthnConfig for WebauthnConfigInstance<'a> {
fn get_relying_party_name(&self) -> &str { fn get_relying_party_name(&self) -> &str {
&self.rp self.rp
} }
fn get_origin(&self) -> &Url { fn get_origin(&self) -> &Url {
&self.origin.0 self.origin
} }
fn get_relying_party_id(&self) -> &str { fn get_relying_party_id(&self) -> &str {
&self.id self.id
} }
} }