diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-19 01:45:44 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-09-19 01:45:44 +0000 |
commit | 85dc423f7090da0a52c73eb66faf22ddb20efff9 (patch) | |
tree | 9160f299afd8c80c038f08e1545be119f5e3f1e1 /app/services/webauthn | |
parent | 15c2c8c66dbe422588e5411eee7e68f1fa440bb8 (diff) | |
download | gitlab-ce-85dc423f7090da0a52c73eb66faf22ddb20efff9.tar.gz |
Add latest changes from gitlab-org/gitlab@13-4-stable-ee
Diffstat (limited to 'app/services/webauthn')
-rw-r--r-- | app/services/webauthn/authenticate_service.rb | 61 | ||||
-rw-r--r-- | app/services/webauthn/register_service.rb | 34 |
2 files changed, 95 insertions, 0 deletions
diff --git a/app/services/webauthn/authenticate_service.rb b/app/services/webauthn/authenticate_service.rb new file mode 100644 index 00000000000..a4513c62c2d --- /dev/null +++ b/app/services/webauthn/authenticate_service.rb @@ -0,0 +1,61 @@ +# frozen_string_literal: true + +module Webauthn + class AuthenticateService < BaseService + def initialize(user, device_response, challenge) + @user = user + @device_response = device_response + @challenge = challenge + end + + def execute + parsed_device_response = Gitlab::Json.parse(@device_response) + + # appid is set for legacy U2F devices, will be used in a future iteration + # rp_id = @app_id + # unless parsed_device_response['clientExtensionResults'] && parsed_device_response['clientExtensionResults']['appid'] + # rp_id = URI(@app_id).host + # end + + webauthn_credential = WebAuthn::Credential.from_get(parsed_device_response) + encoded_raw_id = Base64.strict_encode64(webauthn_credential.raw_id) + stored_webauthn_credential = @user.webauthn_registrations.find_by_credential_xid(encoded_raw_id) + + encoder = WebAuthn.configuration.encoder + + if stored_webauthn_credential && + validate_webauthn_credential(webauthn_credential) && + verify_webauthn_credential(webauthn_credential, stored_webauthn_credential, @challenge, encoder) + + stored_webauthn_credential.update!(counter: webauthn_credential.sign_count) + return true + end + + false + rescue JSON::ParserError, WebAuthn::SignCountVerificationError, WebAuthn::Error + false + end + + ## + # Validates that webauthn_credential is syntactically valid + # + # duplicated from WebAuthn::PublicKeyCredential#verify + # which can't be used here as we need to call WebAuthn::AuthenticatorAssertionResponse#verify instead + # (which is done in #verify_webauthn_credential) + def validate_webauthn_credential(webauthn_credential) + webauthn_credential.type == WebAuthn::TYPE_PUBLIC_KEY && + webauthn_credential.raw_id && webauthn_credential.id && + webauthn_credential.raw_id == WebAuthn.standard_encoder.decode(webauthn_credential.id) + end + + ## + # Verifies that webauthn_credential matches stored_credential with the given challenge + # + def verify_webauthn_credential(webauthn_credential, stored_credential, challenge, encoder) + webauthn_credential.response.verify( + encoder.decode(challenge), + public_key: encoder.decode(stored_credential.public_key), + sign_count: stored_credential.counter) + end + end +end diff --git a/app/services/webauthn/register_service.rb b/app/services/webauthn/register_service.rb new file mode 100644 index 00000000000..21be22027a8 --- /dev/null +++ b/app/services/webauthn/register_service.rb @@ -0,0 +1,34 @@ +# frozen_string_literal: true + +module Webauthn + class RegisterService < BaseService + def initialize(user, params, challenge) + @user = user + @params = params + @challenge = challenge + end + + def execute + registration = WebauthnRegistration.new + + begin + webauthn_credential = WebAuthn::Credential.from_create(Gitlab::Json.parse(@params[:device_response])) + webauthn_credential.verify(@challenge) + + registration.update( + credential_xid: Base64.strict_encode64(webauthn_credential.raw_id), + public_key: webauthn_credential.public_key, + counter: webauthn_credential.sign_count, + name: @params[:name], + user: @user + ) + rescue JSON::ParserError + registration.errors.add(:base, _('Your WebAuthn device did not send a valid JSON response.')) + rescue WebAuthn::Error => e + registration.errors.add(:base, e.message) + end + + registration + end + end +end |