Duo WebSDK Token Provider

2024-11-22 12:15:36 +01:00 · 2017-06-21 00:04:25 -04:00 · 2017-06-21 00:04:25 -04:00 · 7095ae0ea1
commit 7095ae0ea1
parent 4d6d3c97a3
5 changed files with 83 additions and 1 deletions
--- a/src/Api/settings.json
+++ b/src/Api/settings.json
@ -42,6 +42,9 @@
    "yubico": {
      "clientid": "SECRET",
      "key": "SECRET"
+    },
+    "duo": {
+      "aKey": "SECRET"
    }
  },
  "IpRateLimitOptions": {
--- a/src/Core/GlobalSettings.cs
+++ b/src/Core/GlobalSettings.cs
@ -16,6 +16,7 @@
        public virtual DocumentDbSettings DocumentDb { get; set; } = new DocumentDbSettings();
        public virtual NotificationHubSettings NotificationHub { get; set; } = new NotificationHubSettings();
        public virtual YubicoSettings Yubico { get; set; } = new YubicoSettings();
+        public virtual DuoSettings Duo { get; set; } = new DuoSettings();

        public class SqlServerSettings
        {
@ -85,5 +86,10 @@
            public string ClientId { get; set; }
            public string Key { get; set; }
        }
+
+        public class DuoSettings
+        {
+            public string AKey { get; set; }
+        }
    }
 }
--- a/src/Core/Identity/DuoWebTokenProvider.cs
+++ b/src/Core/Identity/DuoWebTokenProvider.cs
@ -0,0 +1,66 @@
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Identity;
+using Bit.Core.Models.Table;
+using Bit.Core.Enums;
+using Bit.Core.Utilities.Duo;
+using System;
+using Bit.Core.Models;
+
+namespace Bit.Core.Identity
+{
+    public class DuoWebTokenProvider : IUserTwoFactorTokenProvider<User>
+    {
+        private readonly GlobalSettings _globalSettings;
+
+        public DuoWebTokenProvider(GlobalSettings globalSettings)
+        {
+            _globalSettings = globalSettings;
+        }
+
+        public Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<User> manager, User user)
+        {
+            var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo);
+            var canGenerate = user.TwoFactorProviderIsEnabled(TwoFactorProviderType.Duo) && HasProperMetaData(provider);
+            return Task.FromResult(canGenerate);
+        }
+
+        public Task<string> GenerateAsync(string purpose, UserManager<User> manager, User user)
+        {
+            var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo);
+            if(!HasProperMetaData(provider))
+            {
+                return Task.FromResult<string>(null);
+            }
+
+            var signatureRequest = DuoWeb.SignRequest(provider.MetaData["IKey"], provider.MetaData["SKey"],
+                _globalSettings.Duo.AKey, user.Id.ToString());
+            return Task.FromResult(signatureRequest);
+        }
+
+        public Task<bool> ValidateAsync(string purpose, string token, UserManager<User> manager, User user)
+        {
+            var provider = user.GetTwoFactorProvider(TwoFactorProviderType.Duo);
+            if(!HasProperMetaData(provider))
+            {
+                return Task.FromResult(false);
+            }
+
+            var response = DuoWeb.VerifyResponse(provider.MetaData["IKey"], provider.MetaData["SKey"],
+                _globalSettings.Duo.AKey, token);
+
+            Guid userId;
+            if(!Guid.TryParse(response, out userId))
+            {
+                return Task.FromResult(false);
+            }
+
+            return Task.FromResult(userId == user.Id);
+        }
+
+        private bool HasProperMetaData(TwoFactorProvider provider)
+        {
+            return provider?.MetaData != null && provider.MetaData.ContainsKey("IKey") &&
+                provider.MetaData.ContainsKey("SKey") && provider.MetaData.ContainsKey("Host");
+        }
+    }
+}
--- a/src/Core/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Core/Utilities/ServiceCollectionExtensions.cs
@ -99,7 +99,7 @@ namespace Bit.Core.Utilities
                .AddRoleStore<RoleStore>()
                .AddTokenProvider<AuthenticatorTokenProvider>(TwoFactorProviderType.Authenticator.ToString())
                .AddTokenProvider<YubicoOtpTokenProvider>(TwoFactorProviderType.YubiKey.ToString())
-                .AddTokenProvider<DuoTokenProvider>(TwoFactorProviderType.Duo.ToString())
+                .AddTokenProvider<DuoWebTokenProvider>(TwoFactorProviderType.Duo.ToString())
                .AddTokenProvider<EmailTokenProvider<User>>(TokenOptions.DefaultEmailProvider);

            return identityBuilder;
--- a/src/Identity/settings.json
+++ b/src/Identity/settings.json
@ -34,6 +34,13 @@
    "notificationHub": {
      "connectionString": "SECRET",
      "hubName": "SECRET"
+    },
+    "yubico": {
+      "clientid": "SECRET",
+      "key": "SECRET"
+    },
+    "duo": {
+      "aKey": "SECRET"
    }
  }
 }