def get_options(): try: webauthn_options = webauthn.WebAuthnOptions() try: options = Options.query.filter_by(rp_id=RP_ID).first() if options is None: options = Options() options.rp_id = RP_ID options.version = CURRENT_OPTIONS_TBL_VERSION options.option_content = json.dumps(webauthn_options.get()) db.session.add(options) db.session.commit() else: if options.version != CURRENT_OPTIONS_TBL_VERSION: return make_response( jsonify({'fail': 'Options Table Version Error.'}), 400) except Exception as e: return make_response( jsonify({'fail': 'Options Database Error: {}'.format(e)}), 500) webauthn_options.set(json.loads(options.option_content)) options_dict = webauthn_options.get() except Exception as e: app.logger.debug('Options failed. Error: {}'.format(e)) return make_response( jsonify({'fail': 'Options failed. Error: {}'.format(e)}), 500) return make_response(jsonify(options_dict), 200)
def assertion_get_options(): username = request.form.get('username') if 'challenge' in session: del session['challenge'] challenge = util.generate_challenge(32) session['challenge'] = challenge webauthn_options = webauthn.WebAuthnOptions() try: options = Options.query.filter_by(rp_id=RP_ID).first() if options is None: options = Options() options.rp_id = RP_ID options.version = CURRENT_OPTIONS_TBL_VERSION options.option_content = json.dumps(webauthn_options.get()) db.session.add(options) db.session.commit() else: if options.version != CURRENT_OPTIONS_TBL_VERSION: return make_response( jsonify({'fail': 'Options Table Version Error.'}), 400) except Exception as e: return make_response( jsonify({'fail': 'Options Database Error: {}'.format(e)}), 500) webauthn_options.set(json.loads(options.option_content)) allow_credentialids = [] if username != '' or ( webauthn_options.enableAssertionAllowCredentials == 'true' and len(webauthn_options.assertionAllowCredentialsUsers) != 0): if username != '': users = Users.query.filter_by(username=username).all() else: users = Users.query.filter( Users.id.in_( webauthn_options.assertionAllowCredentialsUsers)).all() for user in users: allow_credentialids.append(user.credential_id) webauthn_assertion_options = webauthn.WebAuthnAssertionOptions( webauthn_options, allow_credentialids, challenge, RP_ID) return make_response(jsonify(webauthn_assertion_options.assertion_dict), 200)
def set_options(): conveyancePreference = request.form.get('conveyancePreference') userVerification = request.form.get('userVerification') requireResidentKey = request.form.get('requireResidentKey') authenticatorAttachment = request.form.get('authenticatorAttachment') enableAttestationExcludeCredentials = request.form.get( 'enableAttestationExcludeCredentials') attestationExcludeCredentialsUsers = request.form.get( 'attestationExcludeCredentialsUsers') attestationExcludeCredentialsTransports = request.form.get( 'attestationExcludeCredentialsTransports') attestationExtensions = request.form.get('attestationExtensions', None) enableAssertionAllowCredentials = request.form.get( 'enableAssertionAllowCredentials') assertionAllowCredentialsUsers = request.form.get( 'assertionAllowCredentialsUsers') assertionAllowCredentialsTransports = request.form.get( 'assertionAllowCredentialsTransports') assertionExtensions = request.form.get('assertionExtensions', None) try: webauthn_options = webauthn.WebAuthnOptions() try: options = Options.query.filter_by(rp_id=RP_ID).first() if options is None: options = Options() options.rp_id = RP_ID options.version = CURRENT_OPTIONS_TBL_VERSION options.option_content = json.dumps(webauthn_options.get()) db.session.add(options) db.session.commit() else: if options.version != CURRENT_OPTIONS_TBL_VERSION: return make_response( jsonify({'fail': 'Options Table Version Error.'}), 400) except Exception as e: return make_response( jsonify({'fail': 'Options Database Error: {}'.format(e)}), 500) webauthn_options.set(json.loads(options.option_content)) if conveyancePreference in webauthn.WebAuthnOptions.SUPPORTED_CONVEYANCE_PREFARENCE: webauthn_options.conveyancePreference = conveyancePreference else: return make_response( jsonify( {'fail': 'Option Selection Error (conveyancePreference).'}), 400) if userVerification in webauthn.WebAuthnOptions.SUPPORTED_AUTHENTICATIONSELECTION_USERVERIFICATION: webauthn_options.userVerification = userVerification else: return make_response( jsonify({'fail': 'Option Selection Error (userVerification).'}), 400) if requireResidentKey in webauthn.WebAuthnOptions.SUPPORTED_REQUIRE_REDIDENTKEY: webauthn_options.requireResidentKey = requireResidentKey else: return make_response( jsonify( {'fail': 'Option Selection Error (requireResidentKey).'}), 400) if authenticatorAttachment in webauthn.WebAuthnOptions.SUPPORTED_AUTHENTICATIONSELECTION_ATTACHIMENT or authenticatorAttachment == '': webauthn_options.authenticatorAttachment = authenticatorAttachment else: return make_response( jsonify({ 'fail': 'Option Selection Error (authenticatorAttachment).' }), 400) if enableAttestationExcludeCredentials in webauthn.WebAuthnOptions.SUPPORTED_ENABLE_CREDENTIALS: webauthn_options.enableAttestationExcludeCredentials = enableAttestationExcludeCredentials else: return make_response( jsonify({ 'fail': 'Option Selection Error (enableAttestationExcludeCredentials).' }), 400) if re.sub(r'\d', '', re.sub(r'\s', '', attestationExcludeCredentialsUsers)) == '': webauthn_options.attestationExcludeCredentialsUsers = attestationExcludeCredentialsUsers.split( ' ') else: return make_response( jsonify({ 'fail': 'Option Selection Error (attestationExcludeCredentialsUsers).' }), 400) if set(attestationExcludeCredentialsTransports.split(' ')).issubset( webauthn.WebAuthnOptions.SUPPORTED_TRANSPORTS ) or attestationExcludeCredentialsTransports == '': webauthn_options.attestationExcludeCredentialsTransports = attestationExcludeCredentialsTransports.split( ' ') else: return make_response( jsonify({ 'fail': 'Option Selection Error (attestationExcludeCredentialsTransports).' }), 400) if attestationExtensions is not None: tmp_dict = {} for lineitem in attestationExtensions.splitlines(): item = [x.strip() for x in lineitem.split('=')] if len(item) == 2: tmp_dict[item[0]] = item[1] if len(tmp_dict) == len(attestationExtensions.splitlines()): webauthn_options.attestationExtensions = tmp_dict else: return make_response( jsonify({ 'fail': 'Option Format Error (attestationExtensions).' }), 400) if enableAssertionAllowCredentials in webauthn.WebAuthnOptions.SUPPORTED_ENABLE_CREDENTIALS: webauthn_options.enableAssertionAllowCredentials = enableAssertionAllowCredentials else: return make_response( jsonify({ 'fail': 'Option Selection Error (enableAssertionAllowCredentials).' }), 400) if re.sub(r'\d', '', re.sub(r'\s', '', assertionAllowCredentialsUsers)) == '': webauthn_options.assertionAllowCredentialsUsers = assertionAllowCredentialsUsers.split( ' ') else: return make_response( jsonify({ 'fail': 'Option Selection Error (assertionAllowCredentialsUsers).' }), 400) if set(assertionAllowCredentialsTransports.split(' ')).issubset( webauthn.WebAuthnOptions.SUPPORTED_TRANSPORTS ) or assertionAllowCredentialsTransports == '': webauthn_options.assertionAllowCredentialsTransports = assertionAllowCredentialsTransports.split( ' ') else: return make_response( jsonify({ 'fail': 'Option Selection Error (assertionAllowCredentialsTransports).' }), 400) if assertionExtensions is not None: tmp_dict = {} for lineitem in assertionExtensions.splitlines(): item = [x.strip() for x in lineitem.split('=')] if len(item) == 2: tmp_dict[item[0]] = item[1] if len(tmp_dict) == len(assertionExtensions.splitlines()): webauthn_options.assertionExtensions = tmp_dict else: return make_response( jsonify( {'fail': 'Option Format Error (assertionExtensions).'}), 400) except Exception as e: app.logger.debug('Options failed. Error: {}'.format(e)) return make_response( jsonify({'fail': 'Options failed. Error: {}'.format(e)}), 500) try: options.option_content = json.dumps(webauthn_options.get()) db.session.add(options) db.session.commit() except Exception as e: return make_response( jsonify({'fail': 'Options Database Error: {}'.format(e)}), 500) return make_response(jsonify({'success': 'Options successfully saved.'}), 200)
def attestation_get_options(): username = request.form.get('username') display_name = request.form.get('displayName') if 'register_ukey' in session: del session['register_ukey'] if 'register_username' in session: del session['register_username'] if 'register_display_name' in session: del session['register_display_name'] if 'challenge' in session: del session['challenge'] if 'att_option' in session: del session['att_option'] if username == "" or username is None: username = util.random_username(8) if display_name == "" or display_name is None: display_name = username session['register_username'] = username session['register_display_name'] = display_name rp_name = RP_ID challenge = util.generate_challenge(32) ukey = util.generate_ukey() session['challenge'] = challenge session['register_ukey'] = ukey exclude_credentialids = [] webauthn_options = webauthn.WebAuthnOptions() try: options = Options.query.filter_by(rp_id=RP_ID).first() if options is None: options = Options() options.rp_id = RP_ID options.version = CURRENT_OPTIONS_TBL_VERSION options.option_content = json.dumps(webauthn_options.get()) db.session.add(options) db.session.commit() else: if options.version != CURRENT_OPTIONS_TBL_VERSION: return make_response( jsonify({'fail': 'Options Table Version Error.'}), 400) except Exception as e: return make_response( jsonify({'fail': 'Options Database Error: {}'.format(e)}), 500) webauthn_options.set(json.loads(options.option_content)) if webauthn_options.enableAttestationExcludeCredentials == 'true' and len( webauthn_options.attestationExcludeCredentialsUsers): users = Users.query.filter( Users.id.in_( webauthn_options.attestationExcludeCredentialsUsers)).all() for user in users: if not user.credential_id: app.logger.debug('Unknown credential ID.') return make_response( jsonify({'fail': 'Unknown credential ID.'}), 401) exclude_credentialids.append(str(user.credential_id)) make_credential_options = webauthn.WebAuthnMakeCredentialOptions( webauthn_options, exclude_credentialids, challenge, rp_name, RP_ID, ukey, username, display_name, 'https://example.com') reg_dict = json.dumps(make_credential_options.registration_dict, indent=2) session['att_option'] = reg_dict return make_response(jsonify(make_credential_options.registration_dict), 200)