示例#1
文件: main.py 项目: peuter/gosa
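    def verify(self, user_name, object_dn, key):
        """Verify a second-factor response for the user behind ``object_dn``.

        Args:
            user_name: Caller whose ACL is checked for read access on the object
                (``__check_acl`` presumably raises when access is denied).
            object_dn: DN of the user whose second factor is being verified.
            key: The TOTP code, or for U2F the JSON-encoded sign response.

        Returns:
            For ``otp`` the boolean result of ``TOTP.verify``; for ``u2f`` a dict
            with the token's ``touch`` (user presence) flag and signature
            ``counter``; ``True`` when no second factor is configured for the
            user; ``False`` for an unknown method or when no U2F challenge is
            outstanding.
        """
        # Do we have read permissions for the requested attribute
        self.__check_acl(user_name, object_dn, "r")

        # Get the object for the given dn
        user = ObjectProxy(object_dn)
        factor_method = self.get_method_from_user(user)
        # A user without stored settings gets a detached, empty dict.
        user_settings = self.__settings.get(user.uuid, {})

        if factor_method == "otp":
            totp = TOTP(user_settings.get('otp_secret'))
            return totp.verify(key)

        if factor_method == "u2f":
            devices = [
                DeviceRegistration.wrap(device)
                for device in user_settings.get('_u2f_devices_', [])
            ]
            # The challenge is single-use: consume it before looking at the
            # response and persist the removal immediately. ``sign`` writes the
            # challenge to disk via __save_settings, so dropping it only in
            # memory would let the same challenge be answered again after a
            # failed attempt or a restart.
            challenge = user_settings.pop('_u2f_challenge_', None)
            self.__save_settings()
            if challenge is None:
                # Nothing was signed for this user; there is nothing to verify.
                return False
            data = loads(key)
            c, t = verify_authenticate(devices, challenge, data, [self.facet])
            return {'touch': t, 'counter': c}

        if factor_method is None:
            # No second factor configured for this user.
            return True

        return False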
示例#2
    def post(self, request, *args, **kwargs):
        """Re-authenticate the current user with a password or a U2F response.

        ``password`` comes from the POST body. When a U2F challenge is pending
        in the session and the value starts with ``{`` it is first tried as a
        JSON U2F sign response; a failure there is logged and the value then
        falls through to the normal password check. On success both login
        timestamps in the session are refreshed and the user is redirected to a
        safe ``next`` URL or to the control index; otherwise the form is shown
        again with an error message.
        """
        password = request.POST.get("password", "")
        session = self.request.session
        u2f_ok = False

        if '_u2f_challenge' in session and password.startswith('{'):
            confirmed = U2FDevice.objects.filter(confirmed=True, user=self.request.user)
            devices = [DeviceRegistration.wrap(d.json_data) for d in confirmed]
            # Single-use challenge: removed before verification.
            challenge = session.pop('_u2f_challenge')
            try:
                u2f.verify_authenticate(devices, challenge, password, [self.app_id])
            except Exception:
                # Any verification error is a failed attempt; details go to the log.
                logger.exception('U2F login failed')
            else:
                u2f_ok = True

        # Short-circuits: the password backend is only consulted if U2F did not succeed.
        valid = u2f_ok or request.user.check_password(password)

        if not valid:
            messages.error(request, _('The password you entered was invalid, please try again.'))
            return self.get(request, *args, **kwargs)

        now = int(time.time())
        request.session['pretix_auth_login_time'] = now
        request.session['pretix_auth_last_used'] = now
        if "next" in request.GET and is_safe_url(request.GET.get("next"), allowed_hosts=None):
            return redirect(request.GET.get("next"))
        return redirect(reverse('control:index'))
示例#3
文件: main.py 项目: peuter/gosa
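    def verify(self, user_name, object_dn, key):
        """Check the second factor supplied for the user behind ``object_dn``.

        Args:
            user_name: Caller whose read permission on the object is checked
                first via ``__check_acl`` (presumably raising when denied).
            object_dn: DN of the user being verified.
            key: TOTP code, or the JSON-encoded U2F sign response.

        Returns:
            ``TOTP.verify``'s boolean for the ``otp`` method; for ``u2f`` a dict
            ``{'touch': <user presence>, 'counter': <signature counter>}``;
            ``True`` when the user has no second factor configured; ``False``
            for an unknown method or when no U2F challenge is pending.
        """
        # Do we have read permissions for the requested attribute
        self.__check_acl(user_name, object_dn, "r")

        # Get the object for the given dn
        user = ObjectProxy(object_dn)
        factor_method = self.get_method_from_user(user)
        # Users without stored settings work on a detached, empty dict.
        user_settings = self.__settings.get(user.uuid, {})

        if factor_method == "otp":
            totp = TOTP(user_settings.get('otp_secret'))
            return totp.verify(key)

        if factor_method == "u2f":
            devices = [DeviceRegistration.wrap(device)
                       for device in user_settings.get('_u2f_devices_', [])]

            # Burn the challenge first and write the settings out right away.
            # ``sign`` persisted the challenge with __save_settings, so an
            # in-memory pop alone would leave it reusable after a failed
            # attempt or a process restart.
            challenge = user_settings.pop('_u2f_challenge_', None)
            self.__save_settings()
            if challenge is None:
                # No sign request was issued for this user.
                return False
            data = loads(key)
            c, t = verify_authenticate(devices, challenge, data, [self.facet])
            return {
                'touch': t,
                'counter': c
            }

        if factor_method is None:
            # No second factor configured for this user.
            return True

        return False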
示例#4
    def post(self, request, *args, **kwargs):
        """Complete the second login step with a TOTP token or a U2F response.

        Whitespace is stripped from the POSTed ``token``. When a U2F challenge
        is pending in the session and the token starts with ``{`` it is
        verified as a JSON sign response against the user's confirmed devices;
        any other token goes to ``match_token``. On success the user is logged
        in, the 2FA bookkeeping keys are deleted from the session and the user
        is redirected to a safe ``next`` URL or the control index; on failure
        an error is flashed and the user returns to the 2FA page.
        """
        token = request.POST.get('token', '').strip().replace(' ', '')
        session = self.request.session
        looks_like_u2f = '_u2f_challenge' in session and token.startswith('{')

        if not looks_like_u2f:
            valid = match_token(self.user, token)
        else:
            valid = False
            confirmed = U2FDevice.objects.filter(confirmed=True, user=self.user)
            devices = [DeviceRegistration.wrap(d.json_data) for d in confirmed]
            # Single-use challenge: removed from the session before verifying.
            challenge = session.pop('_u2f_challenge')
            try:
                u2f.verify_authenticate(devices, challenge, token, [self.app_id])
            except Exception:
                # Verification errors count as a failed attempt; details go to the log.
                logger.exception('U2F login failed')
            else:
                valid = True

        if not valid:
            messages.error(request, _('Invalid code, please try again.'))
            return redirect('control:auth.login.2fa')

        auth_login(request, self.user)
        request.session['pretix_auth_login_time'] = int(time.time())
        del request.session['pretix_auth_2fa_user']
        del request.session['pretix_auth_2fa_time']
        if "next" in request.GET and is_safe_url(request.GET.get("next"), allowed_hosts=None):
            return redirect(request.GET.get("next"))
        return redirect(reverse('control:index'))
示例#5
    def post(self, request, *args, **kwargs):
        """Complete the second login step with a TOTP token or a U2F response.

        ``token`` is the POSTed code with all whitespace removed. When a U2F
        challenge is pending in the session and the token looks like a JSON
        object it is verified as a U2F sign response; otherwise it is checked
        with ``match_token``. On success the user is logged in, the 2FA
        bookkeeping keys are removed from the session and the user is
        redirected; on failure they are sent back to the 2FA page.
        """
        token = request.POST.get('token', '').strip().replace(' ', '')

        valid = False
        if '_u2f_challenge' in self.request.session and token.startswith('{'):
            devices = [
                DeviceRegistration.wrap(device.json_data)
                for device in U2FDevice.objects.filter(confirmed=True,
                                                       user=self.user)
            ]
            # Single-use challenge: removed from the session before verifying,
            # so a failed attempt needs a fresh challenge from the GET view.
            challenge = self.request.session.pop('_u2f_challenge')
            try:
                u2f.verify_authenticate(devices, challenge, token,
                                        [self.app_id])
                valid = True
            except Exception:
                # Any verification error is a failed attempt; details only
                # go to the log.
                logger.exception('U2F login failed')
        else:
            valid = match_token(self.user, token)

        if valid:
            auth_login(request, self.user)
            request.session['pretix_auth_login_time'] = int(time.time())
            del request.session['pretix_auth_2fa_user']
            del request.session['pretix_auth_2fa_time']
            # NOTE(review): is_safe_url is called without allowed_hosts here,
            # unlike the variant that passes allowed_hosts=None explicitly.
            # Confirm the targeted Django version rejects off-site absolute
            # URLs with this call form.
            if "next" in request.GET and is_safe_url(request.GET.get("next")):
                return redirect(request.GET.get("next"))
            return redirect(reverse('control:index'))
        else:
            messages.error(request, _('Invalid code, please try again.'))
            return redirect('control:auth.login.2fa')
示例#6
 def sign(self, username):
     """Start a U2F authentication for ``username``.

     Builds a sign request over every device stored under ``_u2f_devices_``,
     keeps the request JSON under ``_u2f_challenge_`` for the later ``verify``
     step and returns the same JSON for the client. An unknown username
     raises ``KeyError``.
     """
     record = self.users[username]
     registered = [DeviceRegistration.wrap(d) for d in record.get('_u2f_devices_', [])]
     sign_request = start_authenticate(registered)
     record['_u2f_challenge_'] = sign_request.json
     return sign_request.json
示例#7
文件: user.py 项目: sims34/pretix
    def post(self, request, *args, **kwargs):
        """Re-authenticate the current user with a password or a U2F response.

        ``password`` comes from the POST body. If a U2F challenge is pending in
        the session and the value starts with ``{`` it is first tried as a JSON
        U2F sign response; a failed attempt is logged and the value then falls
        through to the normal password check. On success both login timestamps
        in the session are refreshed and the user is redirected to a safe
        ``next`` URL or the control index; otherwise the form is shown again
        with an error message.
        """
        password = request.POST.get("password", "")
        valid = False

        if '_u2f_challenge' in self.request.session and password.startswith(
                '{'):
            devices = [
                DeviceRegistration.wrap(device.json_data)
                for device in U2FDevice.objects.filter(confirmed=True,
                                                       user=self.request.user)
            ]
            # Single-use challenge: removed from the session before verifying.
            challenge = self.request.session.pop('_u2f_challenge')
            try:
                u2f.verify_authenticate(devices, challenge, password,
                                        [self.app_id])
                valid = True
            except Exception:
                # Any verification error counts as a failed attempt; the
                # details go to the log only.
                logger.exception('U2F login failed')

        # Short-circuits: the password is only checked when U2F did not succeed.
        valid = valid or request.user.check_password(password)

        if valid:
            t = int(time.time())
            request.session['pretix_auth_login_time'] = t
            request.session['pretix_auth_last_used'] = t
            # NOTE(review): is_safe_url is called without allowed_hosts here;
            # confirm the targeted Django version rejects off-site absolute
            # URLs with this call form.
            if "next" in request.GET and is_safe_url(request.GET.get("next")):
                return redirect(request.GET.get("next"))
            return redirect(reverse('control:index'))
        else:
            messages.error(
                request,
                _('The password you entered was invalid, please try again.'))
            return self.get(request, *args, **kwargs)
    def verify(self, username, data):
        """Finish a U2F authentication started by ``sign``.

        Pops the pending ``_u2f_challenge_`` from the user's record (``KeyError``
        when none is pending, which also makes each challenge single-use),
        verifies ``data`` against the registered devices and the configured facet
        and returns a JSON document with the token's ``touch`` flag and
        signature ``counter``.
        """
        record = self.users[username]
        registered = [DeviceRegistration.wrap(d) for d in record.get('_u2f_devices_', [])]

        pending = record.pop('_u2f_challenge_')
        counter, touched = verify_authenticate(registered, pending, data, [self.facet])
        result = {'touch': touched, 'counter': counter}
        return json.dumps(result)
示例#9
    def enroll(self, username):
        """Start a U2F registration for ``username``.

        An empty record is created for a new username. The registration request
        built by ``start_register`` receives the devices already stored under
        ``_u2f_devices_``; its JSON is kept under ``_u2f_enroll_`` for ``bind``
        and returned for the client.
        """
        record = self.users.setdefault(username, {})
        registered = [DeviceRegistration.wrap(d) for d in record.get('_u2f_devices_', [])]
        register_request = start_register(self.app_id, registered)
        record['_u2f_enroll_'] = register_request.json
        return register_request.json
示例#10
def start_authenticate(device, challenge=None):
    """Build a U2F sign request for one registered ``device``.

    ``device`` may be anything ``DeviceRegistration.wrap`` accepts. When no
    ``challenge`` is given, 32 random bytes from ``rand_bytes`` are used; the
    challenge is websafe-encoded in the returned ``SignRequest``.
    """
    registration = DeviceRegistration.wrap(device)
    nonce = rand_bytes(32) if challenge is None else challenge
    return SignRequest(
        version=VERSION,
        appId=registration.appId,
        keyHandle=registration.keyHandle,
        challenge=websafe_encode(nonce),
    )
示例#11
文件: user.py 项目: cherti/pretix
    def get_context_data(self, **kwargs):
        """Add the U2F registration request for a new device to the context.

        The request is built with the user's already-confirmed devices; its JSON
        is stored in the session under ``_u2f_enroll`` for the completing view
        and exposed to the template as ``jsondata``. ``device`` is the pending
        device object. ``kwargs`` are not forwarded to the parent.
        """
        context = super().get_context_data()
        context['device'] = self.device

        confirmed = U2FDevice.objects.filter(confirmed=True, user=self.request.user)
        registered = [DeviceRegistration.wrap(d.json_data) for d in confirmed]
        register_request = u2f.start_register(self.app_id, registered)
        self.request.session['_u2f_enroll'] = register_request.json
        context['jsondata'] = register_request.json
        return context
    def verify(self, username, data):
        """Finish a U2F authentication started by ``sign``.

        Pops the pending ``_u2f_challenge_`` (``KeyError`` when none is
        pending, which also makes each challenge single-use), verifies ``data``
        against the user's registered devices and returns a JSON document with
        the token's ``touch`` flag and signature ``counter``.
        """
        user = self.users[username]
        devices = [DeviceRegistration.wrap(device)
                   for device in user.get('_u2f_devices_', [])]

        # Consumed before verification so it cannot be answered twice.
        challenge = user.pop('_u2f_challenge_')
        c, t = verify_authenticate(devices, challenge, data, [self.facet])
        return json.dumps({
            'touch': t,
            'counter': c
        })
示例#13
文件: main.py 项目: peuter/gosa
    def __enable_u2f(self, user):
        """Start a U2F registration for ``user`` and persist the pending request.

        A settings entry is created for the user when none exists. The request
        built by ``start_register`` (given the devices already stored under
        ``_u2f_devices_``) is kept as JSON under ``_u2f_enroll_``, written out
        with ``__save_settings`` and returned for the client.
        """
        user_settings = self.__settings.setdefault(user.uuid, {})
        registered = [DeviceRegistration.wrap(d) for d in user_settings.get('_u2f_devices_', [])]
        register_request = start_register(self.app_id, registered)
        user_settings['_u2f_enroll_'] = register_request.json
        self.__save_settings()
        return register_request.json
示例#14
def start_authenticate(device, challenge=None):
    """Build a U2F sign request for one registered ``device``.

    ``device`` may be anything ``DeviceRegistration.wrap`` accepts. When no
    ``challenge`` is given, 32 random bytes from ``rand_bytes`` are used; the
    challenge is websafe-encoded into the returned ``SignRequest``.
    """
    device = DeviceRegistration.wrap(device)

    if challenge is None:
        challenge = rand_bytes(32)

    return SignRequest(
        version=VERSION,
        appId=device.appId,
        keyHandle=device.keyHandle,
        challenge=websafe_encode(challenge)
    )
示例#15
文件: main.py 项目: peuter/gosa
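    def sign(self, user_name, object_dn):
        """Start a U2F authentication for the user behind ``object_dn``.

        Args:
            user_name: Caller whose read permission on the object is checked
                first via ``__check_acl`` (presumably raising when denied).
            object_dn: DN of the user who is going to authenticate.

        Returns:
            The JSON sign request for the client. The same JSON is stored under
            ``_u2f_challenge_`` in the user's persisted settings so that
            ``verify`` can check the response against it.
        """
        # Do we have read permissions for the requested attribute
        self.__check_acl(user_name, object_dn, "r")

        user = ObjectProxy(object_dn)
        # Create the settings entry when missing, as __enable_u2f does. The
        # previous fallback to a detached ``{}`` meant the challenge stored
        # below was never saved for users without stored settings, so verify()
        # could not find it afterwards.
        user_settings = self.__settings.setdefault(user.uuid, {})
        devices = [DeviceRegistration.wrap(device)
                   for device in user_settings.get('_u2f_devices_', [])]
        challenge = start_authenticate(devices)
        user_settings['_u2f_challenge_'] = challenge.json
        self.__save_settings()
        return challenge.json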
示例#16
    def bind(self, username, data):
        """Finish a U2F registration started by ``enroll``.

        Consumes the pending ``_u2f_enroll_`` request (``KeyError`` when none
        is pending), completes it with the client's ``data`` against the
        configured facet, appends the resulting registration to
        ``_u2f_devices_`` and returns the JSON literal ``true``. The
        attestation certificate is only written to the debug log.
        """
        record = self.users[username]
        pending = record.pop('_u2f_enroll_')
        registration, attestation = complete_register(pending, data, [self.facet])
        known = [DeviceRegistration.wrap(d) for d in record.get('_u2f_devices_', [])]
        known.append(registration)
        record['_u2f_devices_'] = [d.json for d in known]

        log.info("U2F device enrolled. Username: %s", username)
        log.debug("Attestation certificate:\n%s", attestation.public_bytes(Encoding.PEM))

        return json.dumps(True)
示例#17
文件: main.py 项目: peuter/gosa
    def __enable_u2f(self, user):
        """Start a U2F registration for ``user`` and persist the pending request.

        A settings entry is created for the user when none exists. The request
        built by ``start_register`` (given the devices already stored under
        ``_u2f_devices_``) is kept as JSON under ``_u2f_enroll_``, written out
        with ``__save_settings`` and returned for the client.
        """
        if user.uuid not in self.__settings:
            self.__settings[user.uuid] = {}

        user_settings = self.__settings[user.uuid]
        devices = [
            DeviceRegistration.wrap(device)
            for device in user_settings.get('_u2f_devices_', [])
        ]
        enroll = start_register(self.app_id, devices)
        user_settings['_u2f_enroll_'] = enroll.json
        # Persist so the pending request survives until completion.
        self.__save_settings()
        return enroll.json
示例#18
def verify_authenticate(device, request, response, valid_facets=None):
    """Check a U2F sign ``response`` to ``request`` for ``device``.

    The three arguments are wrapped into their data types first. The client
    data is validated for the ``navigator.id.getAssertion`` type against the
    request's challenge and ``valid_facets``, then the signature is checked
    with the device's stored public key. Returns ``(counter, user_presence)``.
    """
    registration = DeviceRegistration.wrap(device)
    sign_request = SignRequest.wrap(request)
    sign_response = SignResponse.wrap(response)

    _validate_client_data(
        sign_response.clientData,
        sign_request.challenge,
        "navigator.id.getAssertion",
        valid_facets,
    )

    auth = RawAuthenticationResponse(
        registration.appParam,
        sign_response.clientParam,
        sign_response.signatureData,
    )
    auth.verify_signature(websafe_decode(registration.publicKey))

    return auth.counter_int, auth.user_presence
示例#19
文件: user.py 项目: zippyy/pretix
    def get_context_data(self, **kwargs):
        """Add the U2F registration request for a new device to the context.

        The request is built with the user's already-confirmed devices; its
        JSON is stored in the session under ``_u2f_enroll`` for the completing
        view and exposed to the template as ``jsondata``. ``device`` is the
        pending device object. ``kwargs`` are not forwarded to the parent.
        """
        ctx = super().get_context_data()
        ctx['device'] = self.device

        devices = [
            DeviceRegistration.wrap(device.json_data)
            for device in U2FDevice.objects.filter(confirmed=True,
                                                   user=self.request.user)
        ]
        enroll = u2f.start_register(self.app_id, devices)
        self.request.session['_u2f_enroll'] = enroll.json
        ctx['jsondata'] = enroll.json

        return ctx
示例#20
    def get_context_data(self, **kwargs):
        """Add a U2F sign request for the user's confirmed devices to the context.

        With at least one confirmed device a fresh 32-byte challenge is used,
        the request JSON is stored in the session under ``_u2f_challenge`` and
        exposed as ``jsondata``. Without devices any stale challenge is removed
        from the session and ``jsondata`` is ``None``. ``kwargs`` are not
        forwarded to the parent.
        """
        context = super().get_context_data()
        session = self.request.session

        confirmed = U2FDevice.objects.filter(confirmed=True, user=self.user)
        registered = [DeviceRegistration.wrap(d.json_data) for d in confirmed]
        if not registered:
            if '_u2f_challenge' in session:
                del session['_u2f_challenge']
            context['jsondata'] = None
            return context

        sign_request = u2f.start_authenticate(registered, challenge=rand_bytes(32))
        session['_u2f_challenge'] = sign_request.json
        context['jsondata'] = sign_request.json
        return context
示例#21
def verify_authenticate(device, request, response, valid_facets=None):
    """Check a U2F sign ``response`` to ``request`` for ``device``.

    The three arguments are wrapped into their data types first. The client
    data is validated for the ``navigator.id.getAssertion`` type against the
    request's challenge and ``valid_facets``, then the signature is checked
    with the device's stored public key. Returns ``(counter, user_presence)``.
    """
    device = DeviceRegistration.wrap(device)
    request = SignRequest.wrap(request)
    response = SignResponse.wrap(response)

    # Validation happens before any signature work.
    _validate_client_data(response.clientData, request.challenge,
                          "navigator.id.getAssertion", valid_facets)

    raw_response = RawAuthenticationResponse(
        device.appParam,
        response.clientParam,
        response.signatureData
    )
    raw_response.verify_signature(websafe_decode(device.publicKey))

    return raw_response.counter_int, raw_response.user_presence
示例#22
文件: main.py 项目: peuter/gosa
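    def sign(self, user_name, object_dn):
        """Issue a U2F sign request for the user behind ``object_dn``.

        Args:
            user_name: Caller whose read permission on the object is checked
                first via ``__check_acl`` (presumably raising when denied).
            object_dn: DN of the user who is going to authenticate.

        Returns:
            The JSON sign request for the client; the same JSON is persisted
            under ``_u2f_challenge_`` in the user's settings for ``verify``.
        """
        # Do we have read permissions for the requested attribute
        self.__check_acl(user_name, object_dn, "r")

        user = ObjectProxy(object_dn)
        # Create the settings entry when it is missing, matching __enable_u2f.
        # With the earlier detached-``{}`` fallback the challenge assigned
        # below was never part of __settings, so __save_settings wrote nothing
        # and verify() could not find it.
        user_settings = self.__settings.setdefault(user.uuid, {})
        devices = [
            DeviceRegistration.wrap(device)
            for device in user_settings.get('_u2f_devices_', [])
        ]
        challenge = start_authenticate(devices)
        user_settings['_u2f_challenge_'] = challenge.json
        self.__save_settings()
        return challenge.json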
示例#23
def complete_register(request, response, valid_facets=None):
    """Finish a U2F registration.

    ``request`` and ``response`` are wrapped into their data types, the client
    data is validated for the ``navigator.id.finishEnrollment`` type against the
    request's challenge and ``valid_facets``, and the registration's
    signature is checked. Returns a ``(DeviceRegistration, certificate)`` pair
    with the key handle and public key websafe-encoded.
    """
    register_request = RegisterRequest.wrap(request)
    register_response = RegisterResponse.wrap(response)

    _validate_client_data(
        register_response.clientData,
        register_request.challenge,
        "navigator.id.finishEnrollment",
        valid_facets,
    )

    raw = RawRegistrationResponse(
        register_request.appParam,
        register_response.clientParam,
        register_response.registrationData,
    )
    raw.verify_csr_signature()

    registration = DeviceRegistration(
        appId=register_request.appId,
        keyHandle=websafe_encode(raw.key_handle),
        publicKey=websafe_encode(raw.pub_key),
    )
    return registration, raw.certificate
示例#24
文件: user.py 项目: sims34/pretix
    def get_context_data(self, **kwargs):
        """Add a U2F sign request for the user's confirmed devices to the context.

        With at least one confirmed device a fresh 32-byte challenge is used,
        the request JSON is stored in the session under ``_u2f_challenge`` and
        exposed as ``jsondata``. Without devices any stale challenge is removed
        from the session and ``jsondata`` is ``None``. ``kwargs`` are not
        forwarded to the parent.
        """
        ctx = super().get_context_data()

        devices = [
            DeviceRegistration.wrap(device.json_data)
            for device in U2FDevice.objects.filter(confirmed=True,
                                                   user=self.request.user)
        ]
        if devices:
            challenge = u2f.start_authenticate(devices,
                                               challenge=rand_bytes(32))
            self.request.session['_u2f_challenge'] = challenge.json
            ctx['jsondata'] = challenge.json
        else:
            # No device means no challenge; drop a leftover one so the POST
            # view does not treat the next input as a U2F response.
            if '_u2f_challenge' in self.request.session:
                del self.request.session['_u2f_challenge']
            ctx['jsondata'] = None

        return ctx
示例#25
文件: main.py 项目: peuter/gosa
    def completeU2FRegistration(self, user_name, object_dn, data):
        """Finish a U2F registration started by ``__enable_u2f``.

        Args:
            user_name: Caller whose write permission on the object is checked
                first via ``__check_acl`` (presumably raising when denied).
            object_dn: DN of the user the device is registered for.
            data: JSON-encoded registration response from the client.

        Returns:
            ``True`` once the new device has been appended to ``_u2f_devices_``
            and the settings have been saved. Missing settings for the user or
            no pending ``_u2f_enroll_`` request surface as ``KeyError``.
        """
        # Do we have write permissions for the requested attribute
        self.__check_acl(user_name, object_dn, "w")

        user = ObjectProxy(object_dn)
        user_settings = self.__settings[user.uuid]
        response = loads(data)
        # The pending request is single-use.
        pending = user_settings.pop('_u2f_enroll_')
        binding, cert = complete_register(pending, response, [self.facet])
        known = [DeviceRegistration.wrap(d) for d in user_settings.get('_u2f_devices_', [])]
        known.append(binding)
        user_settings['_u2f_devices_'] = [d.json for d in known]
        self.__save_settings()

        self.__log.info("U2F device enrolled. Username: %s", user_name)
        self.__log.debug("Attestation certificate:\n%s", cert.public_bytes(Encoding.PEM))

        return True
示例#26
文件: main.py 项目: peuter/gosa
    def completeU2FRegistration(self, user_name, object_dn, data):
        """Finish a U2F registration started by ``__enable_u2f``.

        Args:
            user_name: Caller whose write permission on the object is checked
                first via ``__check_acl`` (presumably raising when denied).
            object_dn: DN of the user the device is registered for.
            data: JSON-encoded registration response from the client.

        Returns:
            ``True`` once the new device has been appended to ``_u2f_devices_``
            and the settings have been saved. Missing settings for the user or
            no pending ``_u2f_enroll_`` request surface as ``KeyError``.
        """
        # Do we have write permissions for the requested attribute
        self.__check_acl(user_name, object_dn, "w")

        user = ObjectProxy(object_dn)
        user_settings = self.__settings[user.uuid]
        data = loads(data)
        # The pending request is single-use.
        binding, cert = complete_register(user_settings.pop('_u2f_enroll_'),
                                          data, [self.facet])
        devices = [
            DeviceRegistration.wrap(device)
            for device in user_settings.get('_u2f_devices_', [])
        ]
        devices.append(binding)
        user_settings['_u2f_devices_'] = [d.json for d in devices]
        self.__save_settings()

        self.__log.info("U2F device enrolled. Username: %s", user_name)
        # The attestation certificate is only logged, not stored.
        self.__log.debug("Attestation certificate:\n%s",
                         cert.public_bytes(Encoding.PEM))

        return True
示例#27
 def test_appParam(self):
     """appParam is derived from appId alone.

     The expected value is a fixed 32-character digest for the appId
     ``https://example.com`` — presumably the SHA-256 of the appId string;
     confirm against the ``DeviceRegistration.appParam`` implementation.
     """
     obj = DeviceRegistration(appId='https://example.com')
     self.assertEqual('\x10\x06\x80\xadTl\xe6\xa5w\xf4/R\xdf3\xb4\xcf'
                      '\xdc\xa7V\x85\x9efK\x8d}\xe3)\xb1P\xd0\x9c\xe9',
                      obj.appParam)