Add latest changes from gitlab-org/gitlab@13-4-stable-ee

2 files changed, 95 insertions, 0 deletions

diff --git a/app/services/webauthn/authenticate_service.rb b/app/services/webauthn/authenticate_service.rb
new file mode 100644
index 00000000000..a4513c62c2d
--- /dev/null
+++ b/app/services/webauthn/authenticate_service.rb
@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module Webauthn
+  class AuthenticateService < BaseService
+    def initialize(user, device_response, challenge)
+      @user = user
+      @device_response = device_response
+      @challenge = challenge
+    end
+
+    def execute
+      parsed_device_response = Gitlab::Json.parse(@device_response)
+
+      # appid is set for legacy U2F devices, will be used in a future iteration
+      # rp_id = @app_id
+      # unless parsed_device_response['clientExtensionResults'] && parsed_device_response['clientExtensionResults']['appid']
+      # rp_id = URI(@app_id).host
+      # end
+
+      webauthn_credential = WebAuthn::Credential.from_get(parsed_device_response)
+      encoded_raw_id = Base64.strict_encode64(webauthn_credential.raw_id)
+      stored_webauthn_credential = @user.webauthn_registrations.find_by_credential_xid(encoded_raw_id)
+
+      encoder = WebAuthn.configuration.encoder
+
+      if stored_webauthn_credential &&
+          validate_webauthn_credential(webauthn_credential) &&
+          verify_webauthn_credential(webauthn_credential, stored_webauthn_credential, @challenge, encoder)
+
+        stored_webauthn_credential.update!(counter: webauthn_credential.sign_count)
+        return true
+      end
+
+      false
+    rescue JSON::ParserError, WebAuthn::SignCountVerificationError, WebAuthn::Error
+      false
+    end
+
+    ##
+    # Validates that webauthn_credential is syntactically valid
+    #
+    # duplicated from WebAuthn::PublicKeyCredential#verify
+    # which can't be used here as we need to call WebAuthn::AuthenticatorAssertionResponse#verify instead
+    # (which is done in #verify_webauthn_credential)
+    def validate_webauthn_credential(webauthn_credential)
+      webauthn_credential.type == WebAuthn::TYPE_PUBLIC_KEY &&
+          webauthn_credential.raw_id && webauthn_credential.id &&
+          webauthn_credential.raw_id == WebAuthn.standard_encoder.decode(webauthn_credential.id)
+    end
+
+    ##
+    # Verifies that webauthn_credential matches stored_credential with the given challenge
+    #
+    def verify_webauthn_credential(webauthn_credential, stored_credential, challenge, encoder)
+      webauthn_credential.response.verify(
+        encoder.decode(challenge),
+          public_key: encoder.decode(stored_credential.public_key),
+          sign_count: stored_credential.counter)
+    end
+  end
+end
diff --git a/app/services/webauthn/register_service.rb b/app/services/webauthn/register_service.rb
new file mode 100644
index 00000000000..21be22027a8
--- /dev/null
+++ b/app/services/webauthn/register_service.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Webauthn
+  class RegisterService < BaseService
+    def initialize(user, params, challenge)
+      @user = user
+      @params = params
+      @challenge = challenge
+    end
+
+    def execute
+      registration = WebauthnRegistration.new
+
+      begin
+        webauthn_credential = WebAuthn::Credential.from_create(Gitlab::Json.parse(@params[:device_response]))
+        webauthn_credential.verify(@challenge)
+
+        registration.update(
+          credential_xid: Base64.strict_encode64(webauthn_credential.raw_id),
+          public_key: webauthn_credential.public_key,
+          counter: webauthn_credential.sign_count,
+          name: @params[:name],
+          user: @user
+        )
+      rescue JSON::ParserError
+        registration.errors.add(:base, _('Your WebAuthn device did not send a valid JSON response.'))
+      rescue WebAuthn::Error => e
+        registration.errors.add(:base, e.message)
+      end
+
+      registration
+    end
+  end
+end