Upstream/bitwarden-server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2024-11-21 12:05:42 +01:00
Code Issues Projects Releases Wiki Activity

[PM-4167] Add PRF attestation flow during passkey registration (#3339)

Browse Source 
* [PM-4167] feat: add support for `SupportsPrf`

* [PM-4167] feat: add `prfStatus` property

* [PM-4167] feat: add support for storing PRF keys

* [PM-4167] fix: allow credentials to be created without encryption support

* [PM-4167] fix: broken test

* [PM-4167] chore: remove whitespace

* [PM-4167] fix: controller test

* [PM-4167] chore: improve readability of `GetPrfStatus`

* [PM-4167] fix: make prf optional

* [PM-4167] fix: commit missing controller change

* [PM-4167] fix: tests
This commit is contained in:
Andreas Coroiu 2023-11-07 16:59:51 +01:00 committed by GitHub
parent 8256b58e00
commit e401fc0983
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 58 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Api/Auth/Controllers/WebAuthnController.cs
View File

@ -75,7 +75,7 @@ public class WebAuthnController : Controller
throw new BadRequestException("The token associated with your request is expired. A valid token is required to continue."); throw new BadRequestException("The token associated with your request is expired. A valid token is required to continue.");
} }
var success = await _userService.CompleteWebAuthLoginRegistrationAsync(user, model.Name, tokenable.Options, model.DeviceResponse); var success = await _userService.CompleteWebAuthLoginRegistrationAsync(user, model.Name, tokenable.Options, model.DeviceResponse, model.SupportsPrf, model.EncryptedUserKey, model.EncryptedPublicKey, model.EncryptedPrivateKey);
if (!success) if (!success)
{ {
throw new BadRequestException("Unable to complete WebAuthn registration."); throw new BadRequestException("Unable to complete WebAuthn registration.");

16
src/Api/Auth/Models/Request/WebAuthn/WebAuthnCredentialRequestModel.cs
View File

@ -1,4 +1,5 @@
using System.ComponentModel.DataAnnotations; using System.ComponentModel.DataAnnotations;
using Bit.Core.Utilities;
using Fido2NetLib; using Fido2NetLib;
namespace Bit.Api.Auth.Models.Request.Webauthn; namespace Bit.Api.Auth.Models.Request.Webauthn;
@ -13,5 +14,20 @@ public class WebAuthnCredentialRequestModel
[Required] [Required]
public string Token { get; set; } public string Token { get; set; }
[Required]
public bool SupportsPrf { get; set; }
[EncryptedString]
[EncryptedStringLength(2000)]
public string EncryptedUserKey { get; set; }
[EncryptedString]
[EncryptedStringLength(2000)]
public string EncryptedPublicKey { get; set; }
[EncryptedString]
[EncryptedStringLength(2000)]
public string EncryptedPrivateKey { get; set; }
} }

5
src/Api/Auth/Models/Response/WebAuthn/WebAuthnCredentialResponseModel.cs
View File

@ -1,4 +1,5 @@
using Bit.Core.Auth.Entities; using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Enums;
using Bit.Core.Models.Api; using Bit.Core.Models.Api;
namespace Bit.Api.Auth.Models.Response.WebAuthn; namespace Bit.Api.Auth.Models.Response.WebAuthn;
@ -11,10 +12,10 @@ public class WebAuthnCredentialResponseModel : ResponseModel
{ {
Id = credential.Id.ToString(); Id = credential.Id.ToString();
Name = credential.Name; Name = credential.Name;
PrfSupport = false; PrfStatus = credential.GetPrfStatus();
} }
public string Id { get; set; } public string Id { get; set; }
public string Name { get; set; } public string Name { get; set; }
public bool PrfSupport { get; set; } public WebAuthnPrfStatus PrfStatus { get; set; }
} }

19
src/Core/Auth/Entities/WebAuthnCredential.cs
View File

@ -1,4 +1,5 @@
using System.ComponentModel.DataAnnotations; using System.ComponentModel.DataAnnotations;
using Bit.Core.Auth.Enums;
using Bit.Core.Entities; using Bit.Core.Entities;
using Bit.Core.Utilities; using Bit.Core.Utilities;
@ -18,8 +19,11 @@ public class WebAuthnCredential : ITableObject<Guid>
[MaxLength(20)] [MaxLength(20)]
public string Type { get; set; } public string Type { get; set; }
public Guid AaGuid { get; set; } public Guid AaGuid { get; set; }
[MaxLength(2000)]
public string EncryptedUserKey { get; set; } public string EncryptedUserKey { get; set; }
[MaxLength(2000)]
public string EncryptedPrivateKey { get; set; } public string EncryptedPrivateKey { get; set; }
[MaxLength(2000)]
public string EncryptedPublicKey { get; set; } public string EncryptedPublicKey { get; set; }
public bool SupportsPrf { get; set; } public bool SupportsPrf { get; set; }
public DateTime CreationDate { get; internal set; } = DateTime.UtcNow; public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
@ -29,4 +33,19 @@ public class WebAuthnCredential : ITableObject<Guid>
{ {
Id = CoreHelpers.GenerateComb(); Id = CoreHelpers.GenerateComb();
} }
public WebAuthnPrfStatus GetPrfStatus()
{
if (!SupportsPrf)
{
return WebAuthnPrfStatus.Unsupported;
}
if (EncryptedUserKey != null && EncryptedPrivateKey != null && EncryptedPublicKey != null)
{
return WebAuthnPrfStatus.Enabled;
}
return WebAuthnPrfStatus.Supported;
}
} }

8
src/Core/Auth/Enums/WebAuthnPrfStatus.cs Normal file
View File

@ -0,0 +1,8 @@
namespace Bit.Core.Auth.Enums;
public enum WebAuthnPrfStatus
{
Enabled = 0,
Supported = 1,
Unsupported = 2
}

2
src/Core/Services/IUserService.cs
View File

@ -28,7 +28,7 @@ public interface IUserService
Task<bool> DeleteWebAuthnKeyAsync(User user, int id); Task<bool> DeleteWebAuthnKeyAsync(User user, int id);
Task<bool> CompleteWebAuthRegistrationAsync(User user, int value, string name, AuthenticatorAttestationRawResponse attestationResponse); Task<bool> CompleteWebAuthRegistrationAsync(User user, int value, string name, AuthenticatorAttestationRawResponse attestationResponse);
Task<CredentialCreateOptions> StartWebAuthnLoginRegistrationAsync(User user); Task<CredentialCreateOptions> StartWebAuthnLoginRegistrationAsync(User user);
Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, CredentialCreateOptions options, AuthenticatorAttestationRawResponse attestationResponse); Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, CredentialCreateOptions options, AuthenticatorAttestationRawResponse attestationResponse, bool supportsPrf, string encryptedUserKey = null, string encryptedPublicKey = null, string encryptedPrivateKey = null);
Task<AssertionOptions> StartWebAuthnLoginAssertionAsync(User user); Task<AssertionOptions> StartWebAuthnLoginAssertionAsync(User user);
Task<string> CompleteWebAuthLoginAssertionAsync(AuthenticatorAssertionRawResponse assertionResponse, User user); Task<string> CompleteWebAuthLoginAssertionAsync(AuthenticatorAssertionRawResponse assertionResponse, User user);
Task SendEmailVerificationAsync(User user); Task SendEmailVerificationAsync(User user);

12
src/Core/Services/Implementations/UserService.cs
View File

@ -552,9 +552,9 @@ public class UserService : UserManager<User>, IUserService, IDisposable
return options; return options;
} }
public async Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, public async Task<bool> CompleteWebAuthLoginRegistrationAsync(User user, string name, CredentialCreateOptions options,
CredentialCreateOptions options, AuthenticatorAttestationRawResponse attestationResponse, bool supportsPrf,
AuthenticatorAttestationRawResponse attestationResponse) string encryptedUserKey = null, string encryptedPublicKey = null, string encryptedPrivateKey = null)
{ {
var existingCredentials = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id); var existingCredentials = await _webAuthnCredentialRepository.GetManyByUserIdAsync(user.Id);
if (existingCredentials.Count >= 5) if (existingCredentials.Count >= 5)
@ -575,7 +575,11 @@ public class UserService : UserManager<User>, IUserService, IDisposable
Type = success.Result.CredType, Type = success.Result.CredType,
AaGuid = success.Result.Aaguid, AaGuid = success.Result.Aaguid,
Counter = (int)success.Result.Counter, Counter = (int)success.Result.Counter,
UserId = user.Id UserId = user.Id,
SupportsPrf = supportsPrf,
EncryptedUserKey = encryptedUserKey,
EncryptedPublicKey = encryptedPublicKey,
EncryptedPrivateKey = encryptedPrivateKey
}; };
await _webAuthnCredentialRepository.CreateAsync(credential); await _webAuthnCredentialRepository.CreateAsync(credential);

2
test/Api.Test/Auth/Controllers/WebAuthnControllerTests.cs
View File

@ -116,7 +116,7 @@ public class WebAuthnControllerTests
.GetUserByPrincipalAsync(default) .GetUserByPrincipalAsync(default)
.ReturnsForAnyArgs(user); .ReturnsForAnyArgs(user);
sutProvider.GetDependency<IUserService>() sutProvider.GetDependency<IUserService>()
.CompleteWebAuthLoginRegistrationAsync(user, requestModel.Name, createOptions, Arg.Any<AuthenticatorAttestationRawResponse>()) .CompleteWebAuthLoginRegistrationAsync(user, requestModel.Name, createOptions, Arg.Any<AuthenticatorAttestationRawResponse>(), requestModel.SupportsPrf, requestModel.EncryptedUserKey, requestModel.EncryptedPublicKey, requestModel.EncryptedPrivateKey)
.Returns(true); .Returns(true);
sutProvider.GetDependency<IDataProtectorTokenFactory<WebAuthnCredentialCreateOptionsTokenable>>() sutProvider.GetDependency<IDataProtectorTokenFactory<WebAuthnCredentialCreateOptionsTokenable>>()
.Unprotect(requestModel.Token) .Unprotect(requestModel.Token)

2
test/Core.Test/Services/UserServiceTests.cs
View File

@ -195,7 +195,7 @@ public class UserServiceTests
sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(existingCredentials); sutProvider.GetDependency<IWebAuthnCredentialRepository>().GetManyByUserIdAsync(user.Id).Returns(existingCredentials);
// Act // Act
var result = await sutProvider.Sut.CompleteWebAuthLoginRegistrationAsync(user, "name", options, response); var result = await sutProvider.Sut.CompleteWebAuthLoginRegistrationAsync(user, "name", options, response, false, null, null, null);
// Assert // Assert
Assert.False(result); Assert.False(result);