def _parse_request(self, data):
request = Request()
for row in data:
request.id = row["id"]
request.nonce = row["nonce"]
request.time = row["time"]
request.userId = row["user_id"]
request.success = row["success"]
return request
def authentication_request_get(message):
'''
This is the url that other system uses to redirect the user in order to authenticate them
'''
try:
message = JWS().verify_compact(message, keys=[public_key])
except BadSignature:
return "Signature invalid"
# todo check whether signed correctly raise BadSignature
satosa_request = Request(message)
user = database.get_user(satosa_request.userId)
if not database.request_exists(satosa_request):
database.save_request(satosa_request)
else:
return "REPLAY ATTACK"
if not user:
database.save_user(satosa_request.userId)
new_user = database.get_user(satosa_request.userId)
login_user(new_user)
return render_template('satosa_registration_index.html',
username1=satosa_request.userId,
redirect_url1=cfg['caller']['callback-url'])
if len(database.get_credentials(satosa_request.userId)) == 0:
new_user = database.get_user(satosa_request.userId)
login_user(new_user)
return render_template('satosa_registration_index.html',
username1=satosa_request.userId,
redirect_url1=cfg['caller']['callback-url'])
if cfg['host']['turn-off'] and database.is_turned_off(user.id):
database.turn_on(user.id)
login_user(user)
satosa_request = Request()
satosa_request.userId = user.id
database.make_success(satosa_request)
username = current_user.id
credentials_array = database.get_credentials(username)
return render_template("credentials.html",
credentials=credentials_array,
username1=username,
url=ORIGIN,
turn_off=cfg['host']['turn-off'],
timeout=int(
cfg['host']['turn-off-timeout-seconds']))
return render_template('satosa_index.html',
username1=satosa_request.userId,
redirect_url1=cfg['caller']['callback-url'])
def verify_assertion():
'''
This url is called to authenticate the user
'''
challenge = session.get('challenge')
assertion_response = request.form
credential_id = assertion_response.get('id')
credential = database.get_credential(credential_id)
if not credential:
return make_response(jsonify({'fail': 'User does not exist.'}), 401)
webauthn_user = webauthn.WebAuthnUser(
credential.ukey, credential.username, credential.display_name,
credential.icon_url, credential.credential_id, credential.pub_key,
credential.sign_count, credential.rp_id)
webauthn_assertion_response = webauthn.WebAuthnAssertionResponse(
webauthn_user,
assertion_response,
challenge,
ORIGIN,
uv_required=False) # User Verification
try:
sign_count = webauthn_assertion_response.verify()
except Exception as e:
raise e
return jsonify({'fail': 'Assertion failed. Error: {}'.format(e)})
# Update counter.
credential.sign_count = sign_count
database.increment_sign_count(credential)
satosa_request = Request()
satosa_request.userId = credential.username
database.make_success(satosa_request)
user = User()
user.id = credential.username
login_user(user)
return jsonify({'success': 'User successfully logged in.'})
def verify_credential_info():
'''
This url is called to verify and register the token
'''
challenge = session['challenge']
username = session['register_username']
display_name = session['register_display_name']
ukey = session['register_ukey']
user_exists = database.user_exists(username)
if not user_exists or not current_user.is_authenticated or not username == current_user.id:
return make_response(jsonify({'fail': 'User not logged in.'}), 401)
registration_response = request.form
trust_anchor_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)),
TRUST_ANCHOR_DIR)
trusted_attestation_cert_required = True
self_attestation_permitted = True
none_attestation_permitted = True
webauthn_registration_response = webauthn.WebAuthnRegistrationResponse(
RP_ID,
ORIGIN,
registration_response,
challenge,
trust_anchor_dir,
trusted_attestation_cert_required,
self_attestation_permitted,
none_attestation_permitted,
uv_required=False) # User Verification
try:
webauthn_credential = webauthn_registration_response.verify()
except Exception as e:
return jsonify({'fail': 'Registration failed. Error: {}'.format(e)})
credential_id_exists = database.credential_exists(
webauthn_credential.credential_id)
if credential_id_exists:
return make_response(
jsonify({'fail': 'Credential ID already exists.'}), 401)
existing_user = database.user_exists(username)
credential = Credential()
if not existing_user or True:
if sys.version_info >= (3, 0):
webauthn_credential.credential_id = str(
webauthn_credential.credential_id, "utf-8")
webauthn_credential.public_key = str(
webauthn_credential.public_key, "utf-8")
credential.id = randint(1, 100000)
credential.ukey = ukey
credential.username = username
credential.display_name = display_name
credential.pub_key = webauthn_credential.public_key
credential.credential_id = webauthn_credential.credential_id
credential.sign_count = webauthn_credential.sign_count
credential.rp_id = RP_ID
credential.icon_url = 'https://example.com'
database.save_credential(credential)
database.turn_on(credential.username)
else:
return make_response(jsonify({'fail': 'User already exists.'}), 401)
satosa_request = Request()
satosa_request.userId = credential.username
database.make_success(satosa_request)
user = database.get_user(credential.username)
login_user(user)
return jsonify({'success': 'User successfully registered.'})
