Esempio n. 1
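    def test_authenticate_soft_u2f(self):
        """Check that an assertion only verifies against its own challenge.

        Registers a soft token, issues two authentication challenges for the
        same device and signs them in the opposite order. Each response must
        verify against the challenge it was produced for, and verification
        must raise when a response is paired with the other challenge.
        """
        token = SoftU2FDevice()
        request = u2f.start_register(APP_ID)
        response = token.register(request.json, FACET)
        device, _cert = u2f.complete_register(request, response)

        challenge1 = u2f.start_authenticate(device)
        challenge2 = u2f.start_authenticate(device)

        # Responses are produced in the reverse order of challenge issuance.
        response2 = token.getAssertion(challenge2.json, FACET)
        response1 = token.getAssertion(challenge1.json, FACET)

        assert u2f.verify_authenticate(device, challenge1, response1)
        assert u2f.verify_authenticate(device, challenge2, response2)

        mismatched = ((challenge1, response2), (challenge2, response1))
        for challenge, wrong_response in mismatched:
            try:
                u2f.verify_authenticate(device, challenge, wrong_response)
            except Exception:
                # Exception, not a bare except, so that SystemExit and
                # KeyboardInterrupt are not counted as a passing rejection.
                # NOTE(review): pin the specific exception type the library
                # raises on a mismatch, so an unrelated error inside
                # verify_authenticate cannot satisfy this check.
                continue
            raise AssertionError("Incorrect validation should fail!")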
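    def test_authenticate_soft_u2f(self):
        """Check that an assertion only verifies against its own challenge.

        Registers a soft token, issues two authentication challenges for the
        same device and signs them in the opposite order. Each response must
        verify against the challenge it was produced for, and verification
        must raise when a response is paired with the other challenge.
        """
        token = SoftU2FDevice()
        request = u2f.start_register(APP_ID)
        response = token.register(request.json, FACET)
        device, _cert = u2f.complete_register(request, response)

        challenge1 = u2f.start_authenticate(device)
        challenge2 = u2f.start_authenticate(device)

        # Responses are produced in the reverse order of challenge issuance.
        response2 = token.getAssertion(challenge2.json, FACET)
        response1 = token.getAssertion(challenge1.json, FACET)

        assert u2f.verify_authenticate(device, challenge1, response1)
        assert u2f.verify_authenticate(device, challenge2, response2)

        mismatched = ((challenge1, response2), (challenge2, response1))
        for challenge, wrong_response in mismatched:
            try:
                u2f.verify_authenticate(device, challenge, wrong_response)
            except Exception:
                # Exception, not a bare except, so that SystemExit and
                # KeyboardInterrupt are not counted as a passing rejection.
                # NOTE(review): pin the specific exception type the library
                # raises on a mismatch, so an unrelated error inside
                # verify_authenticate cannot satisfy this check.
                continue
            raise AssertionError("Incorrect validation should fail!")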
Esempio n. 3
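def twofactor(request):
    """Handle the U2F second-factor step of the login flow.

    A valid POST with a pending challenge verifies the token's response
    against the challenge stored in the session and completes the login,
    redirecting to ``/dashboard/`` (or to ``/login/`` if completing the
    login fails). A GET, a POST whose form does not validate, or a POST
    with no pending challenge issues a fresh challenge, stores it in the
    session and renders the prompt.

    The user is read from ``request.session['authuser']``; a missing key
    raises ``KeyError``.
    """
    user = User.objects.get(pk=request.session['authuser'])

    if request.method == 'POST':
        u2f_response = KeyResponseForm(request.POST)
        # Consume the pending challenge before verifying so it is single-use:
        # a failed attempt must not leave it in the session for another try.
        pending = request.session.pop('u2f_authentication_challenges', None)

        if u2f_response.is_valid() and pending:
            challenge = pending[0]
            # NOTE(review): .get() with no filter raises when the user has
            # zero or several keys. Selecting the key by the key handle in
            # the response looks like the intended lookup; confirm the
            # model field name before changing it.
            device = user.u2f_keys.get()
            u2f_response_json = u2f_response.cleaned_data['response']

            # verify_authenticate is expected to raise on a bad signature or
            # a challenge mismatch; the exception is deliberately not caught
            # here so that a failed verification can never reach auth.login.
            login_counter, touch_asserted = u2f.verify_authenticate(
                device.to_json(),
                challenge,
                u2f_response_json,
            )
            # NOTE(review): login_counter is neither compared with nor saved
            # to the stored key, so a cloned token replaying an old counter
            # would go unnoticed, and touch_asserted is not checked. Confirm
            # the return types and persist/compare them on the key model.

            try:
                user.backend = request.session.pop('backend')
                auth.login(request, user=user)
            except Exception:
                return HttpResponseRedirect('/login/')
            return HttpResponseRedirect('/dashboard/')
    else:
        u2f_response = KeyResponseForm()

    # Reached on GET and on any POST that could not be verified: issue a new
    # challenge rather than returning no response at all.
    challenges = [u2f.start_authenticate(user.u2f_keys.get().to_json())]
    request.session['u2f_authentication_challenges'] = challenges

    context = {
        'u2f_response': u2f_response,
        'challenges': json.dumps(challenges)
    }
    return render(request, 'u2f/twofactor.html', context)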
Esempio n. 4
    def authenticate_start(self, username, invalidate=False):
        """Create sign requests for every non-compromised device of a user.

        Returns a ``(sign_requests, descriptors)`` pair. Raises
        NoEligibleDevicesException when the user is unknown, has no devices,
        or has only compromised devices. The ``invalidate`` argument is
        accepted but not used in this body.
        """
        account = self._get_user(username)
        if account is None or len(account.devices) == 0:
            log.info('User "%s" has no devices registered', username)
            raise NoEligibleDevicesException('No devices registered', [])

        # A single random value is shared by the requests of all devices and
        # is stored below together with the per-handle challenge map.
        nonce = rand_bytes(32)
        requests_out = []
        descriptor_list = []
        pending = {}

        for key_handle, device in account.devices.items():
            if device.compromised:
                continue
            sign_request = start_authenticate(device.bind_data, nonce)
            requests_out.append(sign_request)
            metadata = self._metadata.get_metadata(device)
            descriptor_list.append(device.get_descriptor(metadata))
            pending[key_handle] = {
                'keyHandle': sign_request.keyHandle,
                'challenge': sign_request
            }

        if len(requests_out) == 0:
            every_descriptor = [
                d.get_descriptor() for d in account.devices.values()
            ]
            raise NoEligibleDevicesException(
                'All devices compromised', every_descriptor)

        self._memstore.store(self._client.id, username, nonce, pending)
        return requests_out, descriptor_list
Esempio n. 5
    def sign(self, username):
        """Start authentication for *username* and return the challenge JSON.

        The challenge is also saved on the user record under
        ``_u2f_challenge_``. An unknown username raises ``KeyError`` from the
        ``self.users`` lookup.
        """
        record = self.users[username]
        sign_request = start_authenticate(record['_u2f_binding_'])

        # Remember the outstanding challenge on the user record.
        record['_u2f_challenge_'] = sign_request.json
        return sign_request.json
Esempio n. 6
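    def authenticate_start(self, username, setChallenge=None, invalidate=False):
        """Create sign requests for every non-compromised device of a user.

        ``setChallenge``, when truthy, is a hex string that is decoded and
        used as the challenge instead of a fresh random value. Returns the
        list of sign requests. Raises NoEligableDevicesException when the
        user is unknown, has no devices, or has only compromised devices.
        The ``invalidate`` argument is accepted but not used in this body.
        """
        import binascii

        user = self._get_user(username)
        if user is None or len(user.devices) == 0:
            log.info('User "%s" has no devices registered', username)
            raise NoEligableDevicesException('No devices registered', [])

        sign_requests = []
        challenges = {}
        if setChallenge:
            # unhexlify works on Python 2 and 3; str.decode("hex") exists
            # only on Python 2.
            # NOTE(review): a caller-supplied challenge replaces the random
            # one and its length is not checked. If the same value can be
            # supplied twice, an assertion captured for it would presumably
            # verify again; confirm only trusted callers can set this.
            rand = binascii.unhexlify(setChallenge)
        else:
            rand = rand_bytes(32)

        for handle, dev in user.devices.items():
            if not dev.compromised:
                challenge = start_authenticate(dev.bind_data, rand)
                sign_requests.append(challenge)
                challenges[handle] = {
                    'keyHandle': challenge.keyHandle,
                    'challenge': challenge
                }

        if not sign_requests:
            raise NoEligableDevicesException(
                'All devices compromised',
                [d.get_descriptor() for d in user.devices.values()]
            )
        self._memstore.store(self._client.id, username, rand, challenges)
        return sign_requests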
Esempio n. 7
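def twofactor(request):
    """Handle the U2F second-factor step of the login flow.

    A valid POST with a pending challenge verifies the token's response
    against the challenge stored in the session, completes the login and
    redirects to ``/dashboard/``. A GET, a POST whose form does not
    validate, or a POST with no pending challenge issues a fresh challenge,
    stores it in the session and renders the prompt.

    The user is read from ``request.session['authuser']``; a missing key
    raises ``KeyError``, as does a missing ``backend`` session entry.
    """
    user = User.objects.get(pk=request.session['authuser'])

    if request.method == 'POST':
        u2f_response = KeyResponseForm(request.POST)
        # Consume the pending challenge before verifying so it is single-use:
        # a failed attempt must not leave it in the session for another try.
        pending = request.session.pop('u2f_authentication_challenges', None)

        if u2f_response.is_valid() and pending:
            challenge = pending[0]
            # NOTE(review): .get() with no filter raises when the user has
            # zero or several keys. Selecting the key by the key handle in
            # the response looks like the intended lookup; confirm the
            # model field name before changing it.
            device = user.u2f_keys.get()
            u2f_response_json = u2f_response.cleaned_data['response']

            # verify_authenticate is expected to raise on a bad signature or
            # a challenge mismatch; the exception is deliberately not caught
            # here so that a failed verification can never reach auth.login.
            login_counter, touch_asserted = u2f.verify_authenticate(
                device.to_json(), challenge, u2f_response_json)
            # NOTE(review): login_counter is neither compared with nor saved
            # to the stored key, so a cloned token replaying an old counter
            # would go unnoticed, and touch_asserted is not checked. Confirm
            # the return types and persist/compare them on the key model.

            user.backend = request.session.pop('backend')
            auth.login(request, user=user)
            return HttpResponseRedirect('/dashboard/')
    else:
        u2f_response = KeyResponseForm()

    # Reached on GET and on any POST that could not be verified: issue a new
    # challenge rather than returning no response at all.
    challenges = [u2f.start_authenticate(user.u2f_keys.get().to_json())]
    request.session['u2f_authentication_challenges'] = challenges

    context = {'u2f_response': u2f_response,
               'challenges': json.dumps(challenges)}
    return render(request, 'u2f/twofactor.html', context)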
Esempio n. 8
 def get_context_data(self, **kwargs):
     """Build the template context for the key-verification page.

     Issues one authentication challenge per key in ``self.user.u2f_keys``,
     stores the list in the session under ``u2f_authentication_challenges``
     and exposes it to the template as ``challenges``. The base template is
     one of two fixed names, chosen by whether the ``admin`` query
     parameter is truthy.
     """
     context = super(VerifyKeyView, self).get_context_data(**kwargs)

     sign_requests = []
     for key in self.user.u2f_keys.all():
         sign_requests.append(u2f.start_authenticate(key.to_json()))

     # The same list object goes to the session and to the template.
     self.request.session['u2f_authentication_challenges'] = sign_requests
     context['challenges'] = sign_requests

     wants_admin = self.request.GET.get('admin')
     context['base_template'] = (
         'admin/base_site.html' if wants_admin else 'base.html')
     return context
Esempio n. 9
 def __init__(self, *args, **kwargs):
     """Initialise the form and attach the challenges it validates against.

     A bound form (``self.data`` truthy) reuses the challenges already in
     the session; a missing session entry raises ``KeyError``. An unbound
     form issues one new challenge per key of ``self.user`` and stores the
     list in the session.

     NOTE(review): ``self.request`` and ``self.user`` are not set in this
     method; presumably a base class sets them, to be confirmed.
     """
     super(KeyResponseForm, self).__init__(*args, **kwargs)

     if not self.data:
         # Unbound form: start a new authentication round.
         self.challenges = [
             u2f.start_authenticate(key.to_json())
             for key in self.user.u2f_keys.all()
         ]
         self.request.session[
             'u2f_authentication_challenges'] = self.challenges
         return

     # Bound form: the response must match what was issued earlier.
     self.challenges = self.request.session[
         'u2f_authentication_challenges']
Esempio n. 10
 def get_context_data(self, **kwargs):
     """Build the template context for the key-verification page.

     Issues one authentication challenge per key in ``self.user.u2f_keys``,
     stores the list in the session under ``u2f_authentication_challenges``
     and exposes it to the template as ``challenges``. The base template is
     one of two fixed names, chosen by whether the ``admin`` query
     parameter is truthy.
     """
     context = super(VerifyKeyView, self).get_context_data(**kwargs)

     sign_requests = []
     for key in self.user.u2f_keys.all():
         sign_requests.append(u2f.start_authenticate(key.to_json()))

     # The same list object goes to the session and to the template.
     self.request.session['u2f_authentication_challenges'] = sign_requests
     context['challenges'] = sign_requests

     wants_admin = self.request.GET.get('admin')
     context['base_template'] = (
         'admin/base_site.html' if wants_admin else 'base.html')
     return context
Esempio n. 11
    def get_context_data(self, **kwargs):
        """Build the template context for the add-key (registration) page.

        Starts a registration for ``self.get_origin()``, stores the
        resulting challenge in the session under
        ``u2f_registration_challenge`` and exposes it as ``challenge``.
        Also exposes ``sign_requests``, one per key the requesting user
        already has.
        """
        context = super(AddKeyView, self).get_context_data(**kwargs)

        registration = u2f.start_register(self.get_origin())
        self.request.session['u2f_registration_challenge'] = registration
        context['challenge'] = registration

        # One SignRequest per key already on the account. Passing these as
        # the second parameter of u2f.register lets the client refuse to
        # register a key the user has already added.
        existing_keys = self.request.user.u2f_keys.all()
        context['sign_requests'] = [
            u2f.start_authenticate(key.to_json()) for key in existing_keys
        ]

        return context
Esempio n. 12
    def register_start(self, username):
        """Begin registration of a new device for *username*.

        Stores the register request in the memstore keyed by its challenge
        and returns ``([register_request], sign_requests)``, where
        ``sign_requests`` holds one request per device the user already has
        (empty when the user is unknown).
        """
        # RegisterRequest
        reg_request = start_register(self._client.app_id)
        state = {'request': reg_request}
        self._memstore.store(
            self._client.id, username, reg_request.challenge, state)

        # SignRequest[] for already-registered devices; 'check-only' is
        # passed in place of a random challenge.
        account = self._get_user(username)
        if account is None:
            existing = []
        else:
            existing = [
                start_authenticate(dev.bind_data, 'check-only')
                for dev in account.devices.values()
            ]

        # To support multiple versions, add more RegisterRequests.
        return [reg_request], existing
Esempio n. 13
    def register_start(self, username):
        """Begin registration of a new device for *username*.

        Stores the register request in the memstore keyed by its challenge
        and returns ``([register_request], sign_requests)``, where
        ``sign_requests`` holds one request per device the user already has
        (empty when the user is unknown).
        """
        # RegisterRequest
        reg_request = start_register(self._client.app_id)
        state = {'request': reg_request}
        self._memstore.store(
            self._client.id, username, reg_request.challenge, state)

        # SignRequest[] for already-registered devices; 'check-only' is
        # passed in place of a random challenge.
        account = self._get_user(username)
        if account is None:
            existing = []
        else:
            existing = [
                start_authenticate(dev.bind_data, 'check-only')
                for dev in account.devices.values()
            ]

        # To support multiple versions, add more RegisterRequests.
        return [reg_request], existing
Esempio n. 14
    def get_context_data(self, **kwargs):
        """Build the template context for the add-key (registration) page.

        Starts a registration for ``self.get_origin()``, stores the
        resulting challenge in the session under
        ``u2f_registration_challenge`` and exposes it as ``challenge``.
        Also exposes ``sign_requests``, one per key the requesting user
        already has.
        """
        context = super(AddKeyView, self).get_context_data(**kwargs)

        registration = u2f.start_register(self.get_origin())
        self.request.session['u2f_registration_challenge'] = registration
        context['challenge'] = registration

        # One SignRequest per key already on the account. Passing these as
        # the second parameter of u2f.register lets the client refuse to
        # register a key the user has already added.
        existing_keys = self.request.user.u2f_keys.all()
        context['sign_requests'] = [
            u2f.start_authenticate(key.to_json()) for key in existing_keys
        ]

        return context
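    def test_wrong_facet(self):
        """Check that a response bound to an unexpected facet is rejected.

        Covers both halves of the protocol: completing a registration and
        verifying an authentication must each raise when the token signed
        for a facet the test treats as wrong and FACETS is passed as the
        list of valid facets.
        """
        token = SoftU2FDevice()
        request = u2f.start_register(APP_ID)
        response = token.register(request.json, "http://wrongfacet.com")

        # Exception, not a bare except, so that SystemExit and
        # KeyboardInterrupt are not counted as a passing rejection.
        # NOTE(review): pin the specific exception type the library raises
        # for a facet mismatch, so an unrelated error cannot satisfy these
        # checks.
        try:
            u2f.complete_register(request, response, FACETS)
        except Exception:
            pass
        else:
            raise AssertionError("Incorrect facet should fail!")

        # Register properly so there is a device to authenticate against.
        response2 = token.register(request.json, FACET)
        device, _cert = u2f.complete_register(request, response2)

        challenge = u2f.start_authenticate(device)
        response = token.getAssertion(challenge.json, "http://notright.com")

        try:
            u2f.verify_authenticate(device, challenge, response, FACETS)
        except Exception:
            pass
        else:
            raise AssertionError("Incorrect facet should fail!")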
Esempio n. 16
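    def test_wrong_facet(self):
        """Check that a response bound to an unexpected facet is rejected.

        Covers both halves of the protocol: completing a registration and
        verifying an authentication must each raise when the token signed
        for a facet the test treats as wrong and FACETS is passed as the
        list of valid facets.
        """
        token = SoftU2FDevice()
        request = u2f.start_register(APP_ID)
        response = token.register(request.json, "http://wrongfacet.com")

        # Exception, not a bare except, so that SystemExit and
        # KeyboardInterrupt are not counted as a passing rejection.
        # NOTE(review): pin the specific exception type the library raises
        # for a facet mismatch, so an unrelated error cannot satisfy these
        # checks.
        try:
            u2f.complete_register(request, response, FACETS)
        except Exception:
            pass
        else:
            raise AssertionError("Incorrect facet should fail!")

        # Register properly so there is a device to authenticate against.
        response2 = token.register(request.json, FACET)
        device, _cert = u2f.complete_register(request, response2)

        challenge = u2f.start_authenticate(device)
        response = token.getAssertion(challenge.json, "http://notright.com")

        try:
            u2f.verify_authenticate(device, challenge, response, FACETS)
        except Exception:
            pass
        else:
            raise AssertionError("Incorrect facet should fail!")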
 def sign(self, username, password):
     """Start authentication for a user and return the challenge JSON.

     The user is looked up with ``self._get_user(username, password)``; the
     challenge JSON is also saved in the user's attributes under
     ``_u2f_challenge_``.
     """
     account = self._get_user(username, password)
     attrs = account.attributes
     sign_request = start_authenticate(attrs['_u2f_binding_'])

     # Remember the outstanding challenge on the user record.
     attrs['_u2f_challenge_'] = sign_request.json
     return sign_request.json
 def sign(self, username, password):
     """Start authentication for a user and return the challenge JSON.

     The user is looked up with ``self._get_user(username, password)``; the
     challenge JSON is also saved in the user's attributes under
     ``_u2f_challenge_``.
     """
     account = self._get_user(username, password)
     attrs = account.attributes
     sign_request = start_authenticate(attrs['_u2f_binding_'])

     # Remember the outstanding challenge on the user record.
     attrs['_u2f_challenge_'] = sign_request.json
     return sign_request.json
Esempio n. 19
def start_authenticate(devices, challenge=None):
    """Build one sign request per device and wrap them in request data.

    When ``challenge`` is truthy it is used for every device. Otherwise
    (``None`` or any other falsy value) ``rand_bytes(32)`` is called once
    per device, so each request gets its own value.
    """
    requests_out = []
    for device in devices:
        # Evaluated inside the loop on purpose: the fallback is drawn anew
        # for each device rather than shared.
        nonce = challenge or rand_bytes(32)
        requests_out.append(u2f_v2.start_authenticate(device, nonce))

    return AuthenticateRequestData(authenticateRequests=requests_out)