def test_bind_key(self, mock_request_user_sync, mock_u2f_register_complete, mock_dump_cert, mock_load_cert):
    """Bind flow: an anonymous POST is redirected, an authenticated enroll+bind succeeds.

    The U2F library and the certificate helpers are patched so no real
    authenticator or attestation certificate is involved; user-sync requests
    are routed to the test helper ``self.request_user_sync``.
    """
    mock_dump_cert.return_value = 'der_cert'
    mock_load_cert.return_value = 'pem_cert'
    mock_request_user_sync.side_effect = self.request_user_sync
    fake_binding = DeviceRegistration(
        version='mock version',
        keyHandle='mock keyhandle',
        appId='mock app id',
        publicKey='mock public key',
        transports='mock transport',
    )
    # The patched register-complete call yields a (binding, certificate) pair.
    mock_u2f_register_complete.return_value = (fake_binding, 'mock certificate')

    # Without a session cookie the bind endpoint redirects instead of binding.
    anon_response = self.browser.post('/u2f/bind', data={})
    self.assertEqual(anon_response.status_code, 302)  # Redirect to token service

    eppn = self.test_user_data['eduPersonPrincipalName']
    with self.session_cookie(self.browser, eppn) as client:
        enroll_payload = json.loads(client.get('/u2f/enroll').data)['payload']
        bind_request = {
            'csrf_token': enroll_payload['csrf_token'],
            'registrationData': 'mock registration data',
            'clientData': 'mock client data',
            'version': 'U2F_V2',
        }
        bind_response = client.post(
            '/u2f/bind',
            data=json.dumps(bind_request),
            content_type=self.content_type_json,
        )
        bind_data = json.loads(bind_response.data)
        self.assertEqual(bind_data['type'], 'POST_U2F_U2F_BIND_SUCCESS')
        self.assertNotEqual(bind_data['payload']['credentials'], [])
def get_u2f_devices(self):
    """Return the configured U2F devices as ``DeviceRegistration`` objects.

    Reads ``self.config["devices"]`` (a missing or None value is treated as
    empty) and wraps each entry's ``binding``. Bindings without a ``version``
    are patched in place to ``U2F_V2`` so older registrations keep working.
    """
    def _wrap(entry):
        # XXX: The previous version of python-u2flib-server didn't store
        # the `version` in the device binding. Defaulting to `U2F_V2` here
        # so that we don't break existing u2f registrations. This mutates
        # the config entry itself, as the original code did.
        binding = entry["binding"]
        binding.setdefault("version", "U2F_V2")
        return DeviceRegistration(binding)

    configured = self.config.get("devices") or ()
    return [_wrap(entry) for entry in configured]
def __enable_u2f(self, user):
    """Start a U2F enrollment for *user* and return the registration request JSON.

    Makes sure a settings entry exists for ``user.uuid``, wraps the devices
    already stored under ``_u2f_devices_`` so the new key is registered
    alongside them, persists the pending request under ``_u2f_enroll_`` and
    returns it for the client.
    """
    all_settings = self.__settings
    if user.uuid not in all_settings:
        all_settings[user.uuid] = {}
    user_settings = all_settings[user.uuid]
    registered = [
        DeviceRegistration.wrap(stored)
        for stored in user_settings.get('_u2f_devices_', [])
    ]
    enroll = begin_registration(self.app_id, registered)
    # The pending request has to be persisted: the completion step pops it.
    user_settings['_u2f_enroll_'] = enroll.json
    self.__save_settings()
    return enroll.json
def __enable_u2f(self, user):
    """Start a U2F enrollment for *user* and return the registration request JSON.

    Makes sure a settings entry exists for ``user.uuid``, wraps the devices
    already stored under ``_u2f_devices_`` so the new key is registered
    alongside them, persists the pending request under ``_u2f_enroll_`` and
    returns it for the client.
    """
    all_settings = self.__settings
    if user.uuid not in all_settings:
        all_settings[user.uuid] = {}
    user_settings = all_settings[user.uuid]
    registered = [
        DeviceRegistration.wrap(stored)
        for stored in user_settings.get('_u2f_devices_', [])
    ]
    enroll = begin_registration(self.app_id, registered)
    # The pending request has to be persisted: the completion step pops it.
    user_settings['_u2f_enroll_'] = enroll.json
    self.__save_settings()
    return enroll.json
def sign(self, user_name, object_dn):
    """Begin a U2F authentication for the object at *object_dn*; return the challenge JSON.

    Requires read ACL for *user_name* on *object_dn*. The challenge is written
    to the object's settings under ``_u2f_challenge_`` and settings are saved.
    """
    # Do we have read permissions for the requested attribute
    self.__check_acl(user_name, object_dn, "r")
    uuid = self.__dn_to_uuid(object_dn)
    # NOTE(review): when `uuid` has no settings entry this falls back to a
    # throwaway dict, so the challenge stored below is never persisted even
    # though __save_settings() runs -- confirm that is intended (the
    # enrollment path in __enable_u2f creates the entry instead).
    if uuid in self.__settings:
        user_settings = self.__settings[uuid]
    else:
        user_settings = {}
    registered = [
        DeviceRegistration.wrap(stored)
        for stored in user_settings.get('_u2f_devices_', [])
    ]
    challenge = begin_authentication(self.app_id, registered)
    user_settings['_u2f_challenge_'] = challenge.json
    self.__save_settings()
    return challenge.json
def sign(self, user_name, object_dn):
    """Begin a U2F authentication for the object at *object_dn*; return the challenge JSON.

    Requires read ACL for *user_name* on *object_dn*. The challenge is written
    to the object's settings under ``_u2f_challenge_`` and settings are saved.
    """
    # Do we have read permissions for the requested attribute
    self.__check_acl(user_name, object_dn, "r")
    uuid = self.__dn_to_uuid(object_dn)
    # NOTE(review): when `uuid` has no settings entry this falls back to a
    # throwaway dict, so the challenge stored below is never persisted even
    # though __save_settings() runs -- confirm that is intended (the
    # enrollment path in __enable_u2f creates the entry instead).
    if uuid in self.__settings:
        user_settings = self.__settings[uuid]
    else:
        user_settings = {}
    registered = [
        DeviceRegistration.wrap(stored)
        for stored in user_settings.get('_u2f_devices_', [])
    ]
    challenge = begin_authentication(self.app_id, registered)
    user_settings['_u2f_challenge_'] = challenge.json
    self.__save_settings()
    return challenge.json
def completeU2FRegistration(self, user_name, object_dn, data):
    """Finish a pending U2F enrollment for the object at *object_dn*.

    Requires write ACL for *user_name* on *object_dn*. *data* is the
    serialized registration response from the client. The pending request
    stored under ``_u2f_enroll_`` is consumed, the new binding is appended
    to ``_u2f_devices_`` and the settings are saved. Returns True.

    Raises KeyError (from the dict lookups) when the object has no settings
    entry or no enrollment is pending.
    """
    # Do we have write permissions for the requested attribute
    self.__check_acl(user_name, object_dn, "w")
    uuid = self.__dn_to_uuid(object_dn)
    user_settings = self.__settings[uuid]
    # NOTE(review): `data` is client-supplied. This assumes `loads` is
    # json.loads (the U2F response is JSON); if it resolves to a pickle or
    # YAML loader instead, untrusted input would be deserialized -- confirm.
    response = loads(data)
    # Popping the pending request makes each enrollment single-use.
    pending = user_settings.pop('_u2f_enroll_')
    binding, cert = complete_registration(pending, response, [self.facet])
    existing = [
        DeviceRegistration.wrap(stored)
        for stored in user_settings.get('_u2f_devices_', [])
    ]
    user_settings['_u2f_devices_'] = [d.json for d in existing] + [binding.json]
    self.__save_settings()
    self.__log.info("U2F device enrolled. Username: %s", user_name)
    self.__log.debug("Attestation certificate:\n%s", cert.public_bytes(Encoding.PEM))
    return True
def completeU2FRegistration(self, user_name, object_dn, data):
    """Finish a pending U2F enrollment for the object at *object_dn*.

    Requires write ACL for *user_name* on *object_dn*. *data* is the
    serialized registration response from the client. The pending request
    stored under ``_u2f_enroll_`` is consumed, the new binding is appended
    to ``_u2f_devices_`` and the settings are saved. Returns True.

    Raises KeyError (from the dict lookups) when the object has no settings
    entry or no enrollment is pending.
    """
    # Do we have write permissions for the requested attribute
    self.__check_acl(user_name, object_dn, "w")
    uuid = self.__dn_to_uuid(object_dn)
    user_settings = self.__settings[uuid]
    # NOTE(review): `data` is client-supplied. This assumes `loads` is
    # json.loads (the U2F response is JSON); if it resolves to a pickle or
    # YAML loader instead, untrusted input would be deserialized -- confirm.
    response = loads(data)
    # Popping the pending request makes each enrollment single-use.
    pending = user_settings.pop('_u2f_enroll_')
    binding, cert = complete_registration(pending, response, [self.facet])
    existing = [
        DeviceRegistration.wrap(stored)
        for stored in user_settings.get('_u2f_devices_', [])
    ]
    user_settings['_u2f_devices_'] = [d.json for d in existing] + [binding.json]
    self.__save_settings()
    self.__log.info("U2F device enrolled. Username: %s", user_name)
    self.__log.debug("Attestation certificate:\n%s", cert.public_bytes(Encoding.PEM))
    return True
def as_device_registration(self):
    """Convert this stored key record into a u2flib ``DeviceRegistration``.

    ``transports`` is kept as a JSON string on the record and decoded here;
    the app id is taken from ``settings.OTP_U2F_APP_ID`` rather than stored
    per key.
    """
    fields = {
        'version': self.version,
        'keyHandle': self.key_handle,
        'appId': settings.OTP_U2F_APP_ID,
        'publicKey': self.public_key,
        'transports': json.loads(self.transports),
    }
    return DeviceRegistration(**fields)