def get_options():
try:
webauthn_options = webauthn.WebAuthnOptions()
try:
options = Options.query.filter_by(rp_id=RP_ID).first()
if options is None:
options = Options()
options.rp_id = RP_ID
options.version = CURRENT_OPTIONS_TBL_VERSION
options.option_content = json.dumps(webauthn_options.get())
db.session.add(options)
db.session.commit()
else:
if options.version != CURRENT_OPTIONS_TBL_VERSION:
return make_response(
jsonify({'fail': 'Options Table Version Error.'}), 400)
except Exception as e:
return make_response(
jsonify({'fail': 'Options Database Error: {}'.format(e)}), 500)
webauthn_options.set(json.loads(options.option_content))
options_dict = webauthn_options.get()
except Exception as e:
app.logger.debug('Options failed. Error: {}'.format(e))
return make_response(
jsonify({'fail': 'Options failed. Error: {}'.format(e)}), 500)
return make_response(jsonify(options_dict), 200)
def assertion_get_options():
username = request.form.get('username')
if 'challenge' in session:
del session['challenge']
challenge = util.generate_challenge(32)
session['challenge'] = challenge
webauthn_options = webauthn.WebAuthnOptions()
try:
options = Options.query.filter_by(rp_id=RP_ID).first()
if options is None:
options = Options()
options.rp_id = RP_ID
options.version = CURRENT_OPTIONS_TBL_VERSION
options.option_content = json.dumps(webauthn_options.get())
db.session.add(options)
db.session.commit()
else:
if options.version != CURRENT_OPTIONS_TBL_VERSION:
return make_response(
jsonify({'fail': 'Options Table Version Error.'}), 400)
except Exception as e:
return make_response(
jsonify({'fail': 'Options Database Error: {}'.format(e)}), 500)
webauthn_options.set(json.loads(options.option_content))
allow_credentialids = []
if username != '' or (
webauthn_options.enableAssertionAllowCredentials == 'true'
and len(webauthn_options.assertionAllowCredentialsUsers) != 0):
if username != '':
users = Users.query.filter_by(username=username).all()
else:
users = Users.query.filter(
Users.id.in_(
webauthn_options.assertionAllowCredentialsUsers)).all()
for user in users:
allow_credentialids.append(user.credential_id)
webauthn_assertion_options = webauthn.WebAuthnAssertionOptions(
webauthn_options, allow_credentialids, challenge, RP_ID)
return make_response(jsonify(webauthn_assertion_options.assertion_dict),
200)
def set_options():
conveyancePreference = request.form.get('conveyancePreference')
userVerification = request.form.get('userVerification')
requireResidentKey = request.form.get('requireResidentKey')
authenticatorAttachment = request.form.get('authenticatorAttachment')
enableAttestationExcludeCredentials = request.form.get(
'enableAttestationExcludeCredentials')
attestationExcludeCredentialsUsers = request.form.get(
'attestationExcludeCredentialsUsers')
attestationExcludeCredentialsTransports = request.form.get(
'attestationExcludeCredentialsTransports')
attestationExtensions = request.form.get('attestationExtensions', None)
enableAssertionAllowCredentials = request.form.get(
'enableAssertionAllowCredentials')
assertionAllowCredentialsUsers = request.form.get(
'assertionAllowCredentialsUsers')
assertionAllowCredentialsTransports = request.form.get(
'assertionAllowCredentialsTransports')
assertionExtensions = request.form.get('assertionExtensions', None)
try:
webauthn_options = webauthn.WebAuthnOptions()
try:
options = Options.query.filter_by(rp_id=RP_ID).first()
if options is None:
options = Options()
options.rp_id = RP_ID
options.version = CURRENT_OPTIONS_TBL_VERSION
options.option_content = json.dumps(webauthn_options.get())
db.session.add(options)
db.session.commit()
else:
if options.version != CURRENT_OPTIONS_TBL_VERSION:
return make_response(
jsonify({'fail': 'Options Table Version Error.'}), 400)
except Exception as e:
return make_response(
jsonify({'fail': 'Options Database Error: {}'.format(e)}), 500)
webauthn_options.set(json.loads(options.option_content))
if conveyancePreference in webauthn.WebAuthnOptions.SUPPORTED_CONVEYANCE_PREFARENCE:
webauthn_options.conveyancePreference = conveyancePreference
else:
return make_response(
jsonify(
{'fail':
'Option Selection Error (conveyancePreference).'}), 400)
if userVerification in webauthn.WebAuthnOptions.SUPPORTED_AUTHENTICATIONSELECTION_USERVERIFICATION:
webauthn_options.userVerification = userVerification
else:
return make_response(
jsonify({'fail':
'Option Selection Error (userVerification).'}), 400)
if requireResidentKey in webauthn.WebAuthnOptions.SUPPORTED_REQUIRE_REDIDENTKEY:
webauthn_options.requireResidentKey = requireResidentKey
else:
return make_response(
jsonify(
{'fail': 'Option Selection Error (requireResidentKey).'}),
400)
if authenticatorAttachment in webauthn.WebAuthnOptions.SUPPORTED_AUTHENTICATIONSELECTION_ATTACHIMENT or authenticatorAttachment == '':
webauthn_options.authenticatorAttachment = authenticatorAttachment
else:
return make_response(
jsonify({
'fail':
'Option Selection Error (authenticatorAttachment).'
}), 400)
if enableAttestationExcludeCredentials in webauthn.WebAuthnOptions.SUPPORTED_ENABLE_CREDENTIALS:
webauthn_options.enableAttestationExcludeCredentials = enableAttestationExcludeCredentials
else:
return make_response(
jsonify({
'fail':
'Option Selection Error (enableAttestationExcludeCredentials).'
}), 400)
if re.sub(r'\d', '',
re.sub(r'\s', '', attestationExcludeCredentialsUsers)) == '':
webauthn_options.attestationExcludeCredentialsUsers = attestationExcludeCredentialsUsers.split(
' ')
else:
return make_response(
jsonify({
'fail':
'Option Selection Error (attestationExcludeCredentialsUsers).'
}), 400)
if set(attestationExcludeCredentialsTransports.split(' ')).issubset(
webauthn.WebAuthnOptions.SUPPORTED_TRANSPORTS
) or attestationExcludeCredentialsTransports == '':
webauthn_options.attestationExcludeCredentialsTransports = attestationExcludeCredentialsTransports.split(
' ')
else:
return make_response(
jsonify({
'fail':
'Option Selection Error (attestationExcludeCredentialsTransports).'
}), 400)
if attestationExtensions is not None:
tmp_dict = {}
for lineitem in attestationExtensions.splitlines():
item = [x.strip() for x in lineitem.split('=')]
if len(item) == 2:
tmp_dict[item[0]] = item[1]
if len(tmp_dict) == len(attestationExtensions.splitlines()):
webauthn_options.attestationExtensions = tmp_dict
else:
return make_response(
jsonify({
'fail':
'Option Format Error (attestationExtensions).'
}), 400)
if enableAssertionAllowCredentials in webauthn.WebAuthnOptions.SUPPORTED_ENABLE_CREDENTIALS:
webauthn_options.enableAssertionAllowCredentials = enableAssertionAllowCredentials
else:
return make_response(
jsonify({
'fail':
'Option Selection Error (enableAssertionAllowCredentials).'
}), 400)
if re.sub(r'\d', '', re.sub(r'\s', '',
assertionAllowCredentialsUsers)) == '':
webauthn_options.assertionAllowCredentialsUsers = assertionAllowCredentialsUsers.split(
' ')
else:
return make_response(
jsonify({
'fail':
'Option Selection Error (assertionAllowCredentialsUsers).'
}), 400)
if set(assertionAllowCredentialsTransports.split(' ')).issubset(
webauthn.WebAuthnOptions.SUPPORTED_TRANSPORTS
) or assertionAllowCredentialsTransports == '':
webauthn_options.assertionAllowCredentialsTransports = assertionAllowCredentialsTransports.split(
' ')
else:
return make_response(
jsonify({
'fail':
'Option Selection Error (assertionAllowCredentialsTransports).'
}), 400)
if assertionExtensions is not None:
tmp_dict = {}
for lineitem in assertionExtensions.splitlines():
item = [x.strip() for x in lineitem.split('=')]
if len(item) == 2:
tmp_dict[item[0]] = item[1]
if len(tmp_dict) == len(assertionExtensions.splitlines()):
webauthn_options.assertionExtensions = tmp_dict
else:
return make_response(
jsonify(
{'fail':
'Option Format Error (assertionExtensions).'}), 400)
except Exception as e:
app.logger.debug('Options failed. Error: {}'.format(e))
return make_response(
jsonify({'fail': 'Options failed. Error: {}'.format(e)}), 500)
try:
options.option_content = json.dumps(webauthn_options.get())
db.session.add(options)
db.session.commit()
except Exception as e:
return make_response(
jsonify({'fail': 'Options Database Error: {}'.format(e)}), 500)
return make_response(jsonify({'success': 'Options successfully saved.'}),
200)
def attestation_get_options():
username = request.form.get('username')
display_name = request.form.get('displayName')
if 'register_ukey' in session:
del session['register_ukey']
if 'register_username' in session:
del session['register_username']
if 'register_display_name' in session:
del session['register_display_name']
if 'challenge' in session:
del session['challenge']
if 'att_option' in session:
del session['att_option']
if username == "" or username is None:
username = util.random_username(8)
if display_name == "" or display_name is None:
display_name = username
session['register_username'] = username
session['register_display_name'] = display_name
rp_name = RP_ID
challenge = util.generate_challenge(32)
ukey = util.generate_ukey()
session['challenge'] = challenge
session['register_ukey'] = ukey
exclude_credentialids = []
webauthn_options = webauthn.WebAuthnOptions()
try:
options = Options.query.filter_by(rp_id=RP_ID).first()
if options is None:
options = Options()
options.rp_id = RP_ID
options.version = CURRENT_OPTIONS_TBL_VERSION
options.option_content = json.dumps(webauthn_options.get())
db.session.add(options)
db.session.commit()
else:
if options.version != CURRENT_OPTIONS_TBL_VERSION:
return make_response(
jsonify({'fail': 'Options Table Version Error.'}), 400)
except Exception as e:
return make_response(
jsonify({'fail': 'Options Database Error: {}'.format(e)}), 500)
webauthn_options.set(json.loads(options.option_content))
if webauthn_options.enableAttestationExcludeCredentials == 'true' and len(
webauthn_options.attestationExcludeCredentialsUsers):
users = Users.query.filter(
Users.id.in_(
webauthn_options.attestationExcludeCredentialsUsers)).all()
for user in users:
if not user.credential_id:
app.logger.debug('Unknown credential ID.')
return make_response(
jsonify({'fail': 'Unknown credential ID.'}), 401)
exclude_credentialids.append(str(user.credential_id))
make_credential_options = webauthn.WebAuthnMakeCredentialOptions(
webauthn_options, exclude_credentialids, challenge, rp_name, RP_ID,
ukey, username, display_name, 'https://example.com')
reg_dict = json.dumps(make_credential_options.registration_dict, indent=2)
session['att_option'] = reg_dict
return make_response(jsonify(make_credential_options.registration_dict),
200)
