mirrored/vaultwarden
1
0
Fork 1
Spiegel von https://github.com/dani-garcia/vaultwarden.git synchronisiert 2024-09-28 21:53:55 +02:00
Code Issues Releases Aktivität

cleanup & comments

Quellcode durchsuchen
Dieser Commit ist enthalten in:
0x0fbc 2024-06-07 00:12:10 -04:00 committet von Mathijs van Veluw
Ursprung c6a695ce9c
Commit 1a89fbd08b
1 geänderte Dateien mit 72 neuen und 95 gelöschten Zeilen
Statistiken anzeigen Patch-Datei herunterladen Diff-Datei herunterladen Alle Dateien ausklappen Alle Dateien einklappen

165
src/api/core/two_factor/duo_oidc.rs
Datei anzeigen

@ -1,5 +1,5 @@
use chrono::{TimeDelta, Utc};
use jsonwebtoken::{decode_header, Algorithm, DecodingKey, EncodingKey, Header, Validation};
use jsonwebtoken::{Algorithm, DecodingKey, EncodingKey, Header, Validation};
use reqwest::{header, StatusCode};
use serde::Serialize;
use std::collections::HashMap;
@ -20,6 +20,9 @@ use crate::{
CONFIG,
};
// State length must be at least 16 characters and at most 1024 characters.
const STATE_LENGTH: usize = 36;
// Pool of characters for state and nonce generation
// 0-9 -> 0x30-0x39
// A-Z -> 0x41-0x5A
@ -30,10 +33,10 @@ const STATE_CHAR_POOL: [u8; 62] = [
0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75,
0x76, 0x77, 0x78, 0x79, 0x7A,
];
const MIN_STATE_SIZE: usize = 16;
const MAX_STATE_SIZE: usize = 1024;
const STATE_LENGTH: usize = 36; // Default size of state for generate_state_default()
// Generate a state/nonce string.
pub fn generate_state() -> String {
return crypto::get_random_string(&STATE_CHAR_POOL, STATE_LENGTH);
}
// Client URL constants. Defined as macros, so they can be passed into format!()
#[allow(non_snake_case)]
@ -67,24 +70,15 @@ const JWT_VALIDITY_SECS: i64 = 300;
// Stored Duo context validity duration
const CTX_VALIDITY_SECS: i64 = 300;
// Generate a new Duo WebSDKv4 state string with a given size.
// This can also be used to generate the optional OpenID Connect nonce.
// Size must be between 16 and 1024 (inclusive).
pub fn generate_state_len(size: usize) -> String {
if (size < MIN_STATE_SIZE) || (MAX_STATE_SIZE < size) {
panic!("Illegal Duo state size: {size}. Size must be 15 < size < 1025")
}
// Expected algorithm used by Duo to sign JWTs.
const DUO_RESP_SIGNATURE_ALG: Algorithm = Algorithm::HS512;
return crypto::get_random_string(&STATE_CHAR_POOL, size);
}
// Signature algorithm we're using to sign JWTs for Duo. Must be either HS512 or HS256.
const JWT_SIGNATURE_ALG: Algorithm = Algorithm::HS512;
pub fn generate_state_default() -> String {
return generate_state_len(STATE_LENGTH);
}
// Structs for serializing calls to Duo
// client_assertion payload for health checks and obtaining MFA results.
#[derive(Debug, Serialize, Deserialize)]
struct ClientAssertionJwt {
struct ClientAssertion {
pub iss: String,
pub sub: String,
pub aud: String,
@ -93,8 +87,9 @@ struct ClientAssertionJwt {
pub iat: i64,
}
// request payload sent with clients to Duo for MFA
#[derive(Debug, Serialize, Deserialize)]
struct AuthUrlJwt {
struct AuthorizationRequest {
pub response_type: String,
pub scope: String,
pub exp: i64,
@ -102,51 +97,36 @@ struct AuthUrlJwt {
pub redirect_uri: String,
pub state: String,
pub duo_uname: String,
#[serde(skip_serializing_if = "Option::is_none")]
pub iss: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub aud: Option<String>,
pub iss: String,
pub aud: String,
pub nonce: String,
#[serde(skip_serializing_if = "Option::is_none")]
pub use_duo_code_attribute: Option<bool>,
}
/*
Structs for deserializing responses from Duo's API
*/
#[derive(Debug, Serialize, Deserialize)]
struct HealthOKTS {
timestamp: i64,
}
// Duo service health check responses
#[derive(Debug, Serialize, Deserialize)]
#[serde(untagged)]
enum HealthCheckResponse {
HealthOK {
stat: String,
response: HealthOKTS,
},
HealthFail {
stat: String,
code: i32,
timestamp: i64,
message: String,
message_detail: String,
},
}
// Iuter structure of response when exchanging authz code for MFA results
#[derive(Debug, Serialize, Deserialize)]
struct IdTokenResponse {
id_token: String,
id_token: String, // IdTokenClaims
access_token: String,
expires_in: i64,
token_type: String,
}
// Inner structure of IdTokenResponse.id_token
#[derive(Debug, Serialize, Deserialize)]
struct IdTokenClaims {
aud: String,
iss: String,
preferred_username: String,
nonce: String,
}
@ -159,10 +139,11 @@ struct DuoClient {
redirect_uri: String, // URL in this application clients should call for MFA verification
jwt_exp_seconds: i64, // Number of seconds that JWTs we create should be valid for
}
// TODO: Cert pinning for calls to Duo?
// See https://duo.com/docs/oauthapi
impl DuoClient {
// Construct a new DuoClient
fn new(client_id: String, client_secret: String, api_host: String, redirect_uri: String) -> DuoClient {
return DuoClient {
client_id,
@ -173,10 +154,25 @@ impl DuoClient {
};
}
// Generate a client assertion for health checks and authorization code exchange.
fn new_client_assertion(&self, url: &String) -> ClientAssertion {
let now = Utc::now().timestamp();
let jwt_id = generate_state();
ClientAssertion {
iss: self.client_id.clone(),
sub: self.client_id.clone(),
aud: url.clone(),
exp: now + self.jwt_exp_seconds,
jti: jwt_id,
iat: now,
}
}
// Given a serde-serializable struct, attempt to encode it as a JWT
fn encode_duo_jwt<T: Serialize>(&self, jwt_payload: T) -> Result<String, Error> {
match jsonwebtoken::encode(
&Header::new(Algorithm::HS512),
&Header::new(JWT_SIGNATURE_ALG),
&jwt_payload,
&EncodingKey::from_secret(&self.client_secret.as_bytes()),
) {
@ -191,16 +187,7 @@ impl DuoClient {
async fn health_check(&self) -> Result<(), Error> {
let health_check_url: String = format!(HEALTH_ENDPOINT!(), self.api_host);
let now = Utc::now();
let jwt_id = generate_state_default();
let jwt_payload = ClientAssertionJwt {
iss: self.client_id.clone(),
sub: self.client_id.clone(),
aud: health_check_url.clone(),
exp: (now + TimeDelta::try_seconds(self.jwt_exp_seconds).unwrap()).timestamp(),
jti: jwt_id,
iat: now.timestamp(),
};
let jwt_payload = self.new_client_assertion(&health_check_url);
let token = match self.encode_duo_jwt(jwt_payload) {
Ok(token) => token,
@ -230,12 +217,8 @@ impl DuoClient {
let health_stat: String = match response {
HealthCheckResponse::HealthOK {
stat,
response: _,
} => stat,
HealthCheckResponse::HealthFail {
stat: _,
code: _,
timestamp: _,
message,
message_detail,
} => err!(format!("Duo health check FAIL response msg: {}, detail: {}", message, message_detail)),
@ -254,7 +237,7 @@ impl DuoClient {
fn make_authz_req_url(&self, duo_username: &str, state: String, nonce: String) -> Result<String, Error> {
let now = Utc::now();
let jwt_payload = AuthUrlJwt {
let jwt_payload = AuthorizationRequest {
response_type: String::from("code"),
scope: String::from("openid"),
exp: (now + TimeDelta::try_seconds(self.jwt_exp_seconds).unwrap()).timestamp(),
@ -262,10 +245,9 @@ impl DuoClient {
redirect_uri: self.redirect_uri.clone(),
state,
duo_uname: String::from(duo_username),
iss: Some(self.client_id.clone()),
aud: Some(format!(API_HOST_FMT!(), self.api_host)),
iss: self.client_id.clone(),
aud: format!(API_HOST_FMT!(), self.api_host),
nonce,
use_duo_code_attribute: Some(false),
};
let token = match self.encode_duo_jwt(jwt_payload) {
@ -290,29 +272,22 @@ impl DuoClient {
return Ok(final_auth_url);
}
// Exchange the authorization code obtained from an access token provided by the user
// for the result of the MFA and validate.
// See: https://duo.com/docs/oauthapi#access-token (under Response Format)
async fn exchange_authz_code_for_result(
&self,
duo_code: &str,
duo_username: &str,
nonce: &str,
) -> Result<(), Error> {
if duo_code == "" {
if duo_code.is_empty() {
err!("Invalid Duo Code")
}
let now = Utc::now();
let token_url = format!(TOKEN_ENDPOINT!(), self.api_host);
let jwt_id = generate_state_default();
let jwt_payload = ClientAssertionJwt {
iss: self.client_id.clone(),
sub: self.client_id.clone(),
aud: token_url.clone(),
exp: (now + TimeDelta::try_seconds(self.jwt_exp_seconds).unwrap()).timestamp(),
jti: jwt_id,
iat: now.timestamp(),
};
let jwt_payload = self.new_client_assertion(&token_url);
let token = match self.encode_duo_jwt(jwt_payload) {
Ok(token) => token,
@ -348,9 +323,7 @@ impl DuoClient {
Err(e) => err!(format!("Error decoding ID token response: {}", e)),
};
let header = decode_header(&response.id_token).unwrap();
let mut validation = Validation::new(header.alg);
let mut validation = Validation::new(DUO_RESP_SIGNATURE_ALG);
validation.set_required_spec_claims(&["exp", "aud", "iss"]);
validation.set_audience(&[&self.client_id]);
validation.set_issuer(&[token_url.as_str()]);
@ -400,7 +373,6 @@ async fn extract_context(state: &str, conn: &mut DbConn) -> Option<DuoAuthContex
// Copy the context data, so that we can delete the context from
// the database before returning.
let ret_ctx = DuoAuthContext {
state: ctx.state.clone(),
user_email: ctx.user_email.clone(),
@ -412,7 +384,7 @@ async fn extract_context(state: &str, conn: &mut DbConn) -> Option<DuoAuthContex
return Some(ret_ctx)
}
// Task to clean up expired Duo authentication contexts that may have accumulated in the store.
// Task to clean up expired Duo authentication contexts that may have accumulated in the database.
pub async fn purge_duo_contexts(pool: DbPool) {
debug!("Purging Duo authentication contexts");
if let Ok(mut conn) = pool.get().await {
@ -422,12 +394,12 @@ pub async fn purge_duo_contexts(pool: DbPool) {
}
}
// Construct the url that Duo should redirect users to.
// The actual location is a bridge built in to the clients.
// The location Duo redirects to is a bridge built in to the clients.
// See: /clients/apps/web/src/connectors/duo-redirect.ts
fn make_callback_url(client_name: &str) -> Result<String, Error> {
const DUO_REDIRECT_LOCATION: &str = "duo-redirect-connector.html";
// Construct the url that Duo should redirect users to.
fn make_callback_url(client_name: &str) -> Result<String, Error> {
// Get the location of this application as defined in the config.
let base = match Url::parse(CONFIG.domain().as_str()) {
Ok(url) => url,
@ -449,8 +421,8 @@ fn make_callback_url(client_name: &str) -> Result<String, Error> {
return Ok(callback.to_string());
}
// Initiates the first stage of the Duo WebSDKv4 authentication flow.
// Returns the "AuthUrl" that should be passed to clients for MFA.
// Pre-redirect first stage of the Duo WebSDKv4 authentication flow.
// Returns the "AuthUrl" that should be returned to clients for MFA.
pub async fn get_duo_auth_url(email: &str, client_type: &ClientType, conn: &mut DbConn) -> Result<String, Error> {
let (ik, sk, _, host) = get_duo_keys_email(email, conn).await?;
@ -466,9 +438,9 @@ pub async fn get_duo_auth_url(email: &str, client_type: &ClientType, conn: &mut
Err(e) => err!(format!("{}", e)),
};
// Generate a random Duo state and OIDC Nonce
let state = generate_state_default();
let nonce = generate_state_default();
// Generate random OAuth2 state and OIDC Nonce
let state = generate_state();
let nonce = generate_state();
match TwoFactorDuoContext::save(state.as_str(), email, nonce.as_str(), CTX_VALIDITY_SECS, conn).await {
Ok(()) => client.make_authz_req_url(email, state, nonce),
@ -476,12 +448,17 @@ pub async fn get_duo_auth_url(email: &str, client_type: &ClientType, conn: &mut
}
}
// Post-redirect second stage of the Duo WebSDKv4 authentication flow.
// Exchanges an authorization code for the MFA result with Duo's API and validates the result.
pub async fn validate_duo_login(
email: &str,
two_factor_token: &str,
client_type: &ClientType,
conn: &mut DbConn,
) -> EmptyResult {
// TODO: The OIDC nonce should somehow be bound to a specific authentication attempt.
// e.g. hashed and in an httponly cookie.
// This may not be possible given the way that BW clients redirect users for final auth.
let email = &email.to_lowercase();
let split: Vec<&str> = two_factor_token.split('|').collect();
@ -499,13 +476,8 @@ pub async fn validate_duo_login(
let (ik, sk, _, host) = get_duo_keys_email(email, conn).await?;
let callback_url = match make_callback_url(client_type.as_str()) {
Ok(url) => url,
Err(e) => err!(format!("{}", e)),
};
// Get the context by the state reported by the client. If we don't have one,
// it means the context was either missing or expired.
// it means the context is either missing or expired.
let ctx = match extract_context(state, conn).await {
Some(c) => c,
None => {
@ -518,7 +490,7 @@ pub async fn validate_duo_login(
}
};
// Context validation
// Context validation steps
let matching_usernames = crypto::ct_eq(&email, &ctx.user_email);
// Probably redundant, but we're double-checking them anyway.
@ -534,6 +506,11 @@ pub async fn validate_duo_login(
)
}
let callback_url = match make_callback_url(client_type.as_str()) {
Ok(url) => url,
Err(e) => err!(format!("{}", e)),
};
let client = DuoClient::new(ik, sk, host, callback_url);
match client.health_check().await {