def add_token_to_user(self, eppn, credential_id, token_type):
user = self.app.central_userdb.get_user_by_eppn(eppn)
if token_type == 'u2f':
mfa_token = U2F.from_dict(
dict(
version='test',
keyhandle=credential_id,
public_key='test',
app_id='test',
attest_cert='test',
description='test',
created_by='test',
))
else:
mfa_token = Webauthn.from_dict(
dict(
keyhandle=credential_id,
credential_data='test',
app_id='test',
attest_obj='test',
description='test',
created_by='test',
))
user.credentials.add(mfa_token)
self.request_user_sync(user)
return mfa_token
def add_token_to_user(self, eppn):
user = self.app.central_userdb.get_user_by_eppn(eppn)
u2f_token = U2F(version='version', keyhandle='keyHandle', app_id='appId',
public_key='publicKey', attest_cert='cert', description='description',
application='eduid_security', created_ts=True)
user.credentials.add(u2f_token)
self.app.central_userdb.save(user)
return SecurityUser.from_user(user, self.app.private_userdb)
def setUp(self):
super(MFAActionPluginTests, self).setUp()
u2f = U2F(version='U2F_V2',
app_id='https://dev.eduid.se/u2f-app-id.json',
keyhandle='test_key_handle',
public_key='test_public_key',
attest_cert='test_attest_cert',
description='test_description',
)
self.user.credentials.add(u2f)
self.app.central_userdb.save(self.user, check_sync=False)
def test_action_webauthn_legacy_token(self, mock_complete_authn):
# mock_complete_authn.return_value = ({'keyHandle': 'test_key_handle'},
# 'dummy-touch', 'dummy-counter')
#
# Add a working U2F credential for this test
u2f = U2F.from_dict(
dict(
version='U2F_V2',
keyhandle=
'V1vXqZcwBJD2RMIH2udd2F7R9NoSNlP7ZSPOtKHzS7n_rHFXcXbSpOoX__aUKyTR6jEC8Xv678WjXC5KEkvziA',
public_key=
'BHVTWuo3_D7ruRBe2Tw-m2atT2IOm_qQWSDreWShu3t21ne9c-DPSUdym-H-t7FcjV7rj1dSc3WSwaOJpFmkKxQ',
app_id='https://dev.eduid.se/u2f-app-id.json',
attest_cert='',
description='unit test U2F token',
))
self.user.credentials.add(u2f)
self.app.central_userdb.save(self.user, check_sync=False)
fido2_state = json.dumps(
Fido2Server._make_internal_state(
base64.b64decode(
'3h/EAZpY25xDdSJCOMx1ABZEA5Odz3yejUI3AUNTQWc='),
'preferred'))
self.app.config.fido2_rp_id = 'idp.dev.eduid.se'
data1 = {
'authenticatorData':
'mZ9k6EPHoJxJZNA+UuvM0JVoutZHmqelg9kXe/DSefgBAAAA/w==',
'clientDataJSON':
('eyJjaGFsbGVuZ2UiOiIzaF9FQVpwWTI1eERkU0pDT014MUFCWkVBNU9k'
'ejN5ZWpVSTNBVU5UUVdjIiwib3JpZ2luIjoiaHR0cHM6Ly9pZHAuZGV2LmVkdWlkLnNlIiwidH'
'lwZSI6IndlYmF1dGhuLmdldCJ9'),
'credentialId':
('V1vXqZcwBJD2RMIH2udd2F7R9NoSNlP7ZSPOtKHzS7n/rHFXcXbSpOoX//aUKyTR6jEC8Xv678WjXC5KEkvziA=='
),
'signature':
('MEYCIQC5gM8inamJGUFKu3bNo4fT0jmJQuw33OSSXc242NCuiwIhAIWnVw2Spow72j6J92KaY2rLR6qSXEbLam09ZXbSkBnQ'
),
}
response = self._action(data1=data1, fido2_state=fido2_state)
self.assertEqual(response.status_code, 200)
self.assertEqual(
len(self.app.actions_db.get_actions(self.user.eppn,
'mock-session')), 1)
def test_action_webauthn_legacy_token(self, mock_complete_authn):
#mock_complete_authn.return_value = ({'keyHandle': 'test_key_handle'},
# 'dummy-touch', 'dummy-counter')
#
# Add a working U2F credential for this test
u2f = U2F(version='U2F_V2',
keyhandle='V1vXqZcwBJD2RMIH2udd2F7R9NoSNlP7ZSPOtKHzS7n_rHFXcXbSpOoX__aUKyTR6jEC8Xv678WjXC5KEkvziA',
public_key='BHVTWuo3_D7ruRBe2Tw-m2atT2IOm_qQWSDreWShu3t21ne9c-DPSUdym-H-t7FcjV7rj1dSc3WSwaOJpFmkKxQ',
app_id='https://dev.eduid.se/u2f-app-id.json',
attest_cert='',
description='unit test U2F token'
)
self.user.credentials.add(u2f)
self.app.central_userdb.save(self.user, check_sync=False)
with self.session_cookie(self.browser) as client:
self.prepare(client, Plugin, 'mfa', action_dict=MFA_ACTION)
with self.app.test_request_context():
with client.session_transaction() as sess:
fido2_state = Fido2Server._make_internal_state(
base64.b64decode('3h/EAZpY25xDdSJCOMx1ABZEA5Odz3yejUI3AUNTQWc='), 'preferred')
sess['eduid_action.mfa.webauthn.state'] = json.dumps(fido2_state)
csrf_token = sess.get_csrf_token()
data = json.dumps({'csrf_token': csrf_token,
'authenticatorData': 'mZ9k6EPHoJxJZNA+UuvM0JVoutZHmqelg9kXe/DSefgBAAAA/w==',
'clientDataJSON': 'eyJjaGFsbGVuZ2UiOiIzaF9FQVpwWTI1eERkU0pDT014MUFCWkVBNU9k'+\
'ejN5ZWpVSTNBVU5UUVdjIiwib3JpZ2luIjoiaHR0cHM6Ly9pZHAuZGV2LmVkdWlkLnNlIiwidH'+\
'lwZSI6IndlYmF1dGhuLmdldCJ9',
'credentialId': 'V1vXqZcwBJD2RMIH2udd2F7R9NoSNlP7ZSPOtKHzS7n/rHFXcXbSpOoX//'+\
'aUKyTR6jEC8Xv678WjXC5KEkvziA==',
'signature': 'MEYCIQC5gM8inamJGUFKu3bNo4fT0jmJQuw33OSSXc242NCuiwIhAIWnVw2Sp'+\
'ow72j6J92KaY2rLR6qSXEbLam09ZXbSkBnQ'}
)
self.app.config['FIDO2_RP_ID'] = 'idp.dev.eduid.se'
response = client.post('/post-action', data=data, content_type=self.content_type_json)
self.assertEquals(response.status_code, 200)
data = json.loads(response.data)
self.assertEquals(len(self.app.actions_db.get_actions(self.user.eppn, 'mock-session')), 1)
mock_idp_app = MockIdPApp(self.app.actions_db)
mock_idp_app.logger = self.app.logger
add_actions(mock_idp_app, self.user, MockTicket('mock-session'))
self.assertEquals(len(self.app.actions_db.get_actions(self.user.eppn, 'mock-session')), 0)
def test_add_mfa_action_old_key(self):
self.actions.remove_action_by_id(self.test_action.action_id)
u2f = U2F.from_dict(
dict(
version='U2F_V2',
app_id='https://dev.eduid.se/u2f-app-id.json',
keyhandle='test_key_handle',
public_key='test_public_key',
attest_cert='test_attest_cert',
description='test_description',
))
self.test_user.credentials.add(u2f)
self.amdb.save(self.user, check_sync=False)
from eduid_idp.mfa_action import add_actions
mock_ticket = make_login_ticket(req_class_ref=SWAMID_AL2,
context=self.idp_app.context,
key='mock-session')
add_actions(self.idp_app.context, self.test_user, mock_ticket)
self.assertEqual(
len(self.actions.get_actions(self.test_user.eppn, 'mock-session')),
1)
def bind(user, version, registration_data, client_data, description=''):
security_user = SecurityUser.from_user(user, current_app.private_userdb)
enrollment_data = session.pop('_u2f_enroll_', None)
if not enrollment_data:
current_app.logger.error('Found no U2F enrollment data in session.')
return error_response(message=SecurityMsg.missing_data)
data = {
'version': version,
'registrationData': registration_data,
'clientData': client_data
}
device, der_cert = complete_registration(enrollment_data, data,
current_app.config.u2f_facets)
cert = x509.load_der_x509_certificate(der_cert, default_backend())
pem_cert = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
if not isinstance(pem_cert, six.string_types):
pem_cert = pem_cert.decode('utf-8')
u2f_token = U2F.from_dict(
dict(
version=device['version'],
keyhandle=device['keyHandle'],
app_id=device['appId'],
public_key=device['publicKey'],
attest_cert=pem_cert,
description=description,
created_by='eduid_security',
created_ts=True,
))
security_user.credentials.add(u2f_token)
save_and_sync_user(security_user)
current_app.stats.count(name='u2f_token_bind')
credentials = compile_credential_list(security_user)
return success_response(payload=dict(credentials=credentials),
message=SecurityMsg.u2f_registered)