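def test_authenticate_soft_u2f(self):
    """Register a soft U2F token and check challenge/response binding.

    Two sign challenges are issued for the same device.  Each assertion
    must verify against the challenge it was produced for and must be
    rejected against the other one, i.e. an assertion cannot be reused
    for a challenge it did not sign.
    """
    token = SoftU2FDevice()
    request = u2f.start_register(APP_ID)
    response = token.register(request.json, FACET)
    device, _cert = u2f.complete_register(request, response)

    challenge1 = u2f.start_authenticate(device)
    challenge2 = u2f.start_authenticate(device)
    # Sign in the opposite order from issuance so the check depends on
    # the challenge contents, not on ordering.
    response2 = token.getAssertion(challenge2.json, FACET)
    response1 = token.getAssertion(challenge1.json, FACET)

    assert u2f.verify_authenticate(device, challenge1, response1)
    assert u2f.verify_authenticate(device, challenge2, response2)

    # Cross-matched pairs must raise.  ``except Exception`` instead of a
    # bare ``except`` so KeyboardInterrupt/SystemExit are not swallowed.
    mismatched = ((challenge1, response2), (challenge2, response1))
    for challenge, wrong_response in mismatched:
        try:
            u2f.verify_authenticate(device, challenge, wrong_response)
        except Exception:
            pass
        else:
            assert False, "Incorrect validation should fail!"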
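def twofactor(request):
    """U2F second-factor step of the login flow.

    GET: issue a sign request for the user's key, store it in
    ``request.session['u2f_authentication_challenges']`` and render the
    challenge page.
    POST: validate the submitted ``KeyResponseForm``, verify the signed
    assertion against the stored challenge, finish the Django login and
    redirect to ``/dashboard/``.

    The user is looked up from ``request.session['authuser']``, which an
    earlier (password) step is presumably responsible for setting.
    """
    print("All u2f keys")
    user = User.objects.get(pk=request.session['authuser'])
    print("The user is: %s" % user)
    # Sign requests for every registered key.  These are only rendered
    # when a POST fails form validation; the GET branch below replaces
    # them.  NOTE(review): on that invalid-POST path they are not written
    # to the session, so the re-rendered form carries challenges the
    # session does not know about -- confirm this is intended.
    challenges = [
        u2f.start_authenticate(u2f_key.to_json())
        for u2f_key in user.u2f_keys.all()
    ]
    if request.method == 'POST':
        u2f_response = KeyResponseForm(request.POST)
        if u2f_response.is_valid():
            print('----------2------------------')
            device_response = u2f_response.cleaned_data['response']
            # Only the first stored challenge is ever checked.
            challenge = request.session['u2f_authentication_challenges'][0]
            # The device is not selected by the response's key handle (the
            # filter is commented out); with more than one registered key
            # ``.get()`` raises MultipleObjectsReturned.
            device = user.u2f_keys.get()  # key_handle=device_response['keyHandle'])
            print("Check this: %s" % device)
            u2f_response_json = u2f_response.cleaned_data['response']
            login_counter, touch_asserted = u2f.verify_authenticate(
                device.to_json(),
                challenge,
                u2f_response_json,
            )
            print("Touch asserted: %s" % touch_asserted)
            # device.last_used_at = timezone.now()
            # device.save()
            try:
                # Consume the challenge so the same assertion cannot be
                # submitted again, then complete the login.
                del request.session['u2f_authentication_challenges']
                user.backend = request.session['backend']
                del request.session['backend']
                auth.login(request, user=user)
                return HttpResponseRedirect('/dashboard/')
            except KeyError:
                # Session state from the first login step is missing; send
                # the user back to the start.  Narrowed from a bare
                # ``except`` so failures inside auth.login are no longer
                # silently turned into a redirect.
                return HttpResponseRedirect('/login/')
    else:
        print('----------1------------------')
        u2f_response = KeyResponseForm()
        print("The user is currently: %s" % user)
        # A single sign request for the user's (single) key; ``.get()``
        # raises if the user has zero or several keys.
        challenges = [u2f.start_authenticate(user.u2f_keys.get().to_json())]
        print(challenges)
        request.session['u2f_authentication_challenges'] = challenges
        print("Final: %s" % str(json.dumps(challenges)))
    context = {
        'u2f_response': u2f_response,
        'challenges': json.dumps(challenges)
    }
    return render(request, 'u2f/twofactor.html', context)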
def authenticate_start(self, username, invalidate=False):
    """Issue U2F sign requests for every non-compromised device of *username*.

    One 32-byte random value is shared by all sign requests of this call
    and is stored, together with the per-handle challenges, in
    ``self._memstore`` under the client id and username so that a later
    verification step can look it up.

    Returns a ``(sign_requests, descriptors)`` pair.  ``invalidate`` is
    accepted but not used here.

    Raises ``NoEligibleDevicesException`` when the user is unknown, has
    no devices, or every device is marked compromised.
    """
    user = self._get_user(username)
    if user is None or len(user.devices) == 0:
        log.info('User "%s" has no devices registered', username)
        raise NoEligibleDevicesException('No devices registered', [])

    rand = rand_bytes(32)
    sign_requests = []
    descriptors = []
    per_handle = {}
    for handle, dev in user.devices.items():
        if dev.compromised:
            # Compromised devices are skipped entirely; they only show up
            # in the exception below if nothing else is usable.
            continue
        sign_request = start_authenticate(dev.bind_data, rand)
        sign_requests.append(sign_request)
        metadata = self._metadata.get_metadata(dev)
        descriptors.append(dev.get_descriptor(metadata))
        per_handle[handle] = {
            'keyHandle': sign_request.keyHandle,
            'challenge': sign_request,
        }

    if not sign_requests:
        all_descriptors = [d.get_descriptor() for d in user.devices.values()]
        raise NoEligibleDevicesException('All devices compromised', all_descriptors)

    self._memstore.store(self._client.id, username, rand, per_handle)
    return sign_requests, descriptors
def sign(self, username):
    """Start a U2F sign for *username* and return the challenge as JSON.

    The user's stored binding (``'_u2f_binding_'``) seeds the challenge;
    the challenge JSON is kept on the user record under
    ``'_u2f_challenge_'`` for the later verification step.  Raises
    ``KeyError`` for an unknown user or a user without a binding.
    """
    record = self.users[username]
    sign_request = start_authenticate(record['_u2f_binding_'])
    challenge_json = sign_request.json
    record['_u2f_challenge_'] = challenge_json
    return challenge_json
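def authenticate_start(self, username, setChallenge=None, invalidate=False):
    """Issue U2F sign requests for every non-compromised device of *username*.

    A single challenge is shared by all sign requests of this call and is
    stored in ``self._memstore`` (keyed by client id and username) with
    the per-handle challenge records for the later verification step.

    ``setChallenge``, when given, is a hex string whose decoded bytes are
    used as the challenge instead of 32 fresh random bytes.  A caller-
    chosen challenge is predictable, so it should only be used where that
    is acceptable (e.g. tests).  ``invalidate`` is accepted but unused here.

    Returns the list of sign requests.  Raises ``NoEligableDevicesException``
    when the user is unknown, has no devices, or all are compromised.
    """
    # Local import: ``str.decode("hex")`` only exists on Python 2;
    # unhexlify gives the same bytes on both 2 and 3.
    import binascii

    user = self._get_user(username)
    if user is None or len(user.devices) == 0:
        log.info('User "%s" has no devices registered', username)
        raise NoEligableDevicesException('No devices registered', [])

    if setChallenge:
        rand = binascii.unhexlify(setChallenge)
    else:
        rand = rand_bytes(32)

    sign_requests = []
    challenges = {}
    for handle, dev in user.devices.items():
        if dev.compromised:
            continue
        challenge = start_authenticate(dev.bind_data, rand)
        sign_requests.append(challenge)
        challenges[handle] = {
            'keyHandle': challenge.keyHandle,
            'challenge': challenge,
        }

    if not sign_requests:
        raise NoEligableDevicesException(
            'All devices compromised',
            [d.get_descriptor() for d in user.devices.values()],
        )

    self._memstore.store(self._client.id, username, rand, challenges)
    return sign_requests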
def twofactor(request):
    """U2F second-factor step of the login flow.

    GET: issue one sign request for the user's key, store it in
    ``request.session['u2f_authentication_challenges']`` and render the
    challenge page.
    POST: validate ``KeyResponseForm``, verify the signed assertion
    against the first stored challenge, complete the Django login and
    redirect to ``/dashboard/``.

    The user comes from ``request.session['authuser']``, presumably set
    by an earlier password step.
    """
    session = request.session
    session_key = 'u2f_authentication_challenges'

    print("All u2f keys")
    user = User.objects.get(pk=session['authuser'])
    print("The user is: %s" % user)
    # Rendered only when a POST fails validation (the GET branch replaces
    # this list).  NOTE(review): on that path the list is not stored in
    # the session, so the page and the session disagree -- confirm.
    challenges = [u2f.start_authenticate(key.to_json()) for key in user.u2f_keys.all()]

    if request.method != 'POST':
        form = KeyResponseForm()
        print("The user is currently: %s" % user)
        # ``.get()`` assumes exactly one registered key.
        challenges = [u2f.start_authenticate(user.u2f_keys.get().to_json())]
        print(challenges)
        session[session_key] = challenges
        print("Final: %s" % str(json.dumps(challenges)))
    else:
        form = KeyResponseForm(request.POST)
        if form.is_valid():
            signed = form.cleaned_data['response']
            # Only the first stored challenge is checked, and the device is
            # not chosen by the response's key handle (filter commented out).
            stored_challenge = session[session_key][0]
            device = user.u2f_keys.get()  # key_handle=signed['keyHandle'])
            print("Check this: %s" % device)
            login_counter, touch_asserted = u2f.verify_authenticate(
                device.to_json(), stored_challenge, signed,
            )
            print("Touch asserted: %s" % touch_asserted)
            # device.last_used_at = timezone.now()
            # device.save()
            # Consume the challenge, then finish the login.
            del session[session_key]
            user.backend = session['backend']
            del session['backend']
            auth.login(request, user=user)
            return HttpResponseRedirect('/dashboard/')

    context = {'u2f_response': form, 'challenges': json.dumps(challenges)}
    return render(request, 'u2f/twofactor.html', context)
def get_context_data(self, **kwargs):
    """Add U2F sign requests and the base template name to the context.

    A sign request is created for each of ``self.user``'s keys, stored in
    ``self.request.session['u2f_authentication_challenges']`` for the
    verification step, and exposed as ``challenges``.  ``base_template``
    is the admin site template when the ``admin`` query parameter is set.
    """
    context = super(VerifyKeyView, self).get_context_data(**kwargs)
    sign_requests = []
    for key in self.user.u2f_keys.all():
        sign_requests.append(u2f.start_authenticate(key.to_json()))
    self.request.session['u2f_authentication_challenges'] = sign_requests
    context['challenges'] = sign_requests
    is_admin = self.request.GET.get('admin')
    context['base_template'] = 'admin/base_site.html' if is_admin else 'base.html'
    return context
def __init__(self, *args, **kwargs):
    """Build the form and attach the U2F challenges it is bound to.

    When the form is bound (``self.data`` is non-empty) the challenges
    issued earlier are read back from the session; otherwise fresh sign
    requests are created for each of ``self.user``'s keys and stored in
    the session.  ``self.request`` and ``self.user`` are assumed to be
    provided by the class (not visible here) -- confirm.
    """
    super(KeyResponseForm, self).__init__(*args, **kwargs)
    session = self.request.session
    session_key = 'u2f_authentication_challenges'
    if not self.data:
        fresh = [u2f.start_authenticate(key.to_json()) for key in self.user.u2f_keys.all()]
        session[session_key] = fresh
        self.challenges = fresh
    else:
        self.challenges = session[session_key]
def get_context_data(self, **kwargs):
    """Add a U2F registration challenge and existing-key sign requests.

    The registration challenge is stored in
    ``self.request.session['u2f_registration_challenge']`` and exposed as
    ``challenge``.  ``sign_requests`` holds one sign request per key the
    user already has, which can be passed to ``u2f.register`` so the same
    key is not registered twice for the same user.
    """
    context = super(AddKeyView, self).get_context_data(**kwargs)
    session = self.request.session
    registration = u2f.start_register(self.get_origin())
    session['u2f_registration_challenge'] = registration
    context['challenge'] = registration
    existing = self.request.user.u2f_keys.all()
    context['sign_requests'] = [u2f.start_authenticate(key.to_json()) for key in existing]
    return context
def register_start(self, username):
    """Begin U2F registration for *username*.

    Creates a RegisterRequest for the client's app id and stores it in
    ``self._memstore`` under its challenge.  If the user already exists,
    a ``'check-only'`` sign request is built for each existing device so
    the client can detect an already-registered key.

    Returns ``([register_request], sign_requests)``; the list form leaves
    room for more RegisterRequests should more versions be supported.
    """
    register_request = start_register(self._client.app_id)
    self._memstore.store(
        self._client.id,
        username,
        register_request.challenge,
        {'request': register_request},
    )
    existing_user = self._get_user(username)
    if existing_user is None:
        sign_requests = []
    else:
        sign_requests = [
            start_authenticate(dev.bind_data, 'check-only')
            for dev in existing_user.devices.values()
        ]
    return [register_request], sign_requests
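def test_wrong_facet(self):
    """Registration and authentication from a non-listed facet must fail.

    A response produced for a facet outside ``FACETS`` must be rejected
    by ``complete_register`` and by ``verify_authenticate``; a response
    for the allowed ``FACET`` must still register the device.
    """
    token = SoftU2FDevice()
    request = u2f.start_register(APP_ID)

    # ``except Exception`` instead of a bare ``except`` so that
    # KeyboardInterrupt/SystemExit are not swallowed by the test.
    bad_registration = token.register(request.json, "http://wrongfacet.com")
    try:
        u2f.complete_register(request, bad_registration, FACETS)
    except Exception:
        pass
    else:
        assert False, "Incorrect facet should fail!"

    good_registration = token.register(request.json, FACET)
    device, _cert = u2f.complete_register(request, good_registration)

    challenge = u2f.start_authenticate(device)
    bad_assertion = token.getAssertion(challenge.json, "http://notright.com")
    try:
        u2f.verify_authenticate(device, challenge, bad_assertion, FACETS)
    except Exception:
        pass
    else:
        assert False, "Incorrect facet should fail!"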
def sign(self, username, password):
    """Start a U2F sign for an authenticated user and return the challenge JSON.

    The user is resolved with ``self._get_user(username, password)``; the
    stored ``'_u2f_binding_'`` attribute seeds the sign request and the
    resulting challenge JSON is saved under ``'_u2f_challenge_'`` for the
    verification step.
    """
    account = self._get_user(username, password)
    attrs = account.attributes
    sign_request = start_authenticate(attrs['_u2f_binding_'])
    challenge_json = sign_request.json
    attrs['_u2f_challenge_'] = challenge_json
    return challenge_json
def start_authenticate(devices, challenge=None):
    """Build an AuthenticateRequestData with one v2 sign request per device.

    If *challenge* is falsy, ``rand_bytes(32)`` is evaluated for each
    device in turn, so every sign request gets its own random challenge;
    a truthy *challenge* is shared by all of them.
    """
    sign_requests = []
    for dev in devices:
        per_device_challenge = challenge or rand_bytes(32)
        sign_requests.append(u2f_v2.start_authenticate(dev, per_device_challenge))
    return AuthenticateRequestData(authenticateRequests=sign_requests)