afan
/
gitea
Beobachten 1
Favorisieren 0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
gitea源码
3 Commits
2 Branches
Struktur: 6d2efddf43
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von '6d2efddf43'
${ noResults }
gitea/models/auth/webauthn.go

webauthn.go 7.5KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213 
  1. // Copyright 2020 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package auth

  5. 

  6. import (

  7. 	"context"

  8. 	"fmt"

  9. 	"strings"

  10. 

  11. 	"code.gitea.io/gitea/models/db"

  12. 	"code.gitea.io/gitea/modules/timeutil"

  13. 	"code.gitea.io/gitea/modules/util"

  14. 

  15. 	"github.com/go-webauthn/webauthn/protocol"

  16. 	"github.com/go-webauthn/webauthn/webauthn"

  17. )

  18. 

  19. // ErrWebAuthnCredentialNotExist represents a "ErrWebAuthnCRedentialNotExist" kind of error.

  20. type ErrWebAuthnCredentialNotExist struct {

  21. 	ID           int64

  22. 	CredentialID []byte

  23. }

  24. 

  25. func (err ErrWebAuthnCredentialNotExist) Error() string {

  26. 	if len(err.CredentialID) == 0 {

  27. 		return fmt.Sprintf("WebAuthn credential does not exist [id: %d]", err.ID)

  28. 	}

  29. 	return fmt.Sprintf("WebAuthn credential does not exist [credential_id: %x]", err.CredentialID)

  30. }

  31. 

  32. // Unwrap unwraps this as a ErrNotExist err

  33. func (err ErrWebAuthnCredentialNotExist) Unwrap() error {

  34. 	return util.ErrNotExist

  35. }

  36. 

  37. // IsErrWebAuthnCredentialNotExist checks if an error is a ErrWebAuthnCredentialNotExist.

  38. func IsErrWebAuthnCredentialNotExist(err error) bool {

  39. 	_, ok := err.(ErrWebAuthnCredentialNotExist)

  40. 	return ok

  41. }

  42. 

  43. // WebAuthnCredential represents the WebAuthn credential data for a public-key

  44. // credential conformant to WebAuthn Level 1

  45. type WebAuthnCredential struct {

  46. 	ID              int64 `xorm:"pk autoincr"`

  47. 	Name            string

  48. 	LowerName       string `xorm:"unique(s)"`

  49. 	UserID          int64  `xorm:"INDEX unique(s)"`

  50. 	CredentialID    []byte `xorm:"INDEX VARBINARY(1024)"`

  51. 	PublicKey       []byte

  52. 	AttestationType string

  53. 	AAGUID          []byte

  54. 	SignCount       uint32 `xorm:"BIGINT"`

  55. 	CloneWarning    bool

  56. 	CreatedUnix     timeutil.TimeStamp `xorm:"INDEX created"`

  57. 	UpdatedUnix     timeutil.TimeStamp `xorm:"INDEX updated"`

  58. }

  59. 

  60. func init() {

  61. 	db.RegisterModel(new(WebAuthnCredential))

  62. }

  63. 

  64. // TableName returns a better table name for WebAuthnCredential

  65. func (cred WebAuthnCredential) TableName() string {

  66. 	return "webauthn_credential"

  67. }

  68. 

  69. // UpdateSignCount will update the database value of SignCount

  70. func (cred *WebAuthnCredential) UpdateSignCount(ctx context.Context) error {

  71. 	_, err := db.GetEngine(ctx).ID(cred.ID).Cols("sign_count").Update(cred)

  72. 	return err

  73. }

  74. 

  75. // BeforeInsert will be invoked by XORM before updating a record

  76. func (cred *WebAuthnCredential) BeforeInsert() {

  77. 	cred.LowerName = strings.ToLower(cred.Name)

  78. }

  79. 

  80. // BeforeUpdate will be invoked by XORM before updating a record

  81. func (cred *WebAuthnCredential) BeforeUpdate() {

  82. 	cred.LowerName = strings.ToLower(cred.Name)

  83. }

  84. 

  85. // AfterLoad is invoked from XORM after setting the values of all fields of this object.

  86. func (cred *WebAuthnCredential) AfterLoad() {

  87. 	cred.LowerName = strings.ToLower(cred.Name)

  88. }

  89. 

  90. // WebAuthnCredentialList is a list of *WebAuthnCredential

  91. type WebAuthnCredentialList []*WebAuthnCredential

  92. 

  93. // newCredentialFlagsFromAuthenticatorFlags is copied from https://github.com/go-webauthn/webauthn/pull/337

  94. // to convert protocol.AuthenticatorFlags to webauthn.CredentialFlags

  95. func newCredentialFlagsFromAuthenticatorFlags(flags protocol.AuthenticatorFlags) webauthn.CredentialFlags {

  96. 	return webauthn.CredentialFlags{

  97. 		UserPresent:    flags.HasUserPresent(),

  98. 		UserVerified:   flags.HasUserVerified(),

  99. 		BackupEligible: flags.HasBackupEligible(),

  100. 		BackupState:    flags.HasBackupState(),

  101. 	}

  102. }

  103. 

  104. // ToCredentials will convert all WebAuthnCredentials to webauthn.Credentials

  105. func (list WebAuthnCredentialList) ToCredentials(defaultAuthFlags ...protocol.AuthenticatorFlags) []webauthn.Credential {

  106. 	// TODO: at the moment, Gitea doesn't store or check the flags

  107. 	// so we need to use the default flags from the authenticator to make the login validation pass

  108. 	// In the future, we should:

  109. 	// 1. store the flags when registering the credential

  110. 	// 2. provide the stored flags when converting the credentials (for login)

  111. 	// 3. for old users, still use this fallback to the default flags

  112. 	defAuthFlags := util.OptionalArg(defaultAuthFlags)

  113. 	creds := make([]webauthn.Credential, 0, len(list))

  114. 	for _, cred := range list {

  115. 		creds = append(creds, webauthn.Credential{

  116. 			ID:              cred.CredentialID,

  117. 			PublicKey:       cred.PublicKey,

  118. 			AttestationType: cred.AttestationType,

  119. 			Flags:           newCredentialFlagsFromAuthenticatorFlags(defAuthFlags),

  120. 			Authenticator: webauthn.Authenticator{

  121. 				AAGUID:       cred.AAGUID,

  122. 				SignCount:    cred.SignCount,

  123. 				CloneWarning: cred.CloneWarning,

  124. 			},

  125. 		})

  126. 	}

  127. 	return creds

  128. }

  129. 

  130. // GetWebAuthnCredentialsByUID returns all WebAuthn credentials of the given user

  131. func GetWebAuthnCredentialsByUID(ctx context.Context, uid int64) (WebAuthnCredentialList, error) {

  132. 	creds := make(WebAuthnCredentialList, 0)

  133. 	return creds, db.GetEngine(ctx).Where("user_id = ?", uid).Find(&creds)

  134. }

  135. 

  136. // ExistsWebAuthnCredentialsForUID returns if the given user has credentials

  137. func ExistsWebAuthnCredentialsForUID(ctx context.Context, uid int64) (bool, error) {

  138. 	return db.GetEngine(ctx).Where("user_id = ?", uid).Exist(&WebAuthnCredential{})

  139. }

  140. 

  141. // GetWebAuthnCredentialByName returns WebAuthn credential by id

  142. func GetWebAuthnCredentialByName(ctx context.Context, uid int64, name string) (*WebAuthnCredential, error) {

  143. 	cred := new(WebAuthnCredential)

  144. 	if found, err := db.GetEngine(ctx).Where("user_id = ? AND lower_name = ?", uid, strings.ToLower(name)).Get(cred); err != nil {

  145. 		return nil, err

  146. 	} else if !found {

  147. 		return nil, ErrWebAuthnCredentialNotExist{}

  148. 	}

  149. 	return cred, nil

  150. }

  151. 

  152. // GetWebAuthnCredentialByID returns WebAuthn credential by id

  153. func GetWebAuthnCredentialByID(ctx context.Context, id int64) (*WebAuthnCredential, error) {

  154. 	cred := new(WebAuthnCredential)

  155. 	if found, err := db.GetEngine(ctx).ID(id).Get(cred); err != nil {

  156. 		return nil, err

  157. 	} else if !found {

  158. 		return nil, ErrWebAuthnCredentialNotExist{ID: id}

  159. 	}

  160. 	return cred, nil

  161. }

  162. 

  163. // HasWebAuthnRegistrationsByUID returns whether a given user has WebAuthn registrations

  164. func HasWebAuthnRegistrationsByUID(ctx context.Context, uid int64) (bool, error) {

  165. 	return db.GetEngine(ctx).Where("user_id = ?", uid).Exist(&WebAuthnCredential{})

  166. }

  167. 

  168. // GetWebAuthnCredentialByCredID returns WebAuthn credential by credential ID

  169. func GetWebAuthnCredentialByCredID(ctx context.Context, userID int64, credID []byte) (*WebAuthnCredential, error) {

  170. 	cred := new(WebAuthnCredential)

  171. 	if found, err := db.GetEngine(ctx).Where("user_id = ? AND credential_id = ?", userID, credID).Get(cred); err != nil {

  172. 		return nil, err

  173. 	} else if !found {

  174. 		return nil, ErrWebAuthnCredentialNotExist{CredentialID: credID}

  175. 	}

  176. 	return cred, nil

  177. }

  178. 

  179. // CreateCredential will create a new WebAuthnCredential from the given Credential

  180. func CreateCredential(ctx context.Context, userID int64, name string, cred *webauthn.Credential) (*WebAuthnCredential, error) {

  181. 	c := &WebAuthnCredential{

  182. 		UserID:          userID,

  183. 		Name:            name,

  184. 		CredentialID:    cred.ID,

  185. 		PublicKey:       cred.PublicKey,

  186. 		AttestationType: cred.AttestationType,

  187. 		AAGUID:          cred.Authenticator.AAGUID,

  188. 		SignCount:       cred.Authenticator.SignCount,

  189. 		CloneWarning:    false,

  190. 	}

  191. 

  192. 	if err := db.Insert(ctx, c); err != nil {

  193. 		return nil, err

  194. 	}

  195. 	return c, nil

  196. }

  197. 

  198. // DeleteCredential will delete WebAuthnCredential

  199. func DeleteCredential(ctx context.Context, id, userID int64) (bool, error) {

  200. 	had, err := db.GetEngine(ctx).ID(id).Where("user_id = ?", userID).Delete(&WebAuthnCredential{})

  201. 	return had > 0, err

  202. }

  203. 

  204. // WebAuthnCredentials implements the webauthn.User interface

  205. func WebAuthnCredentials(ctx context.Context, userID int64) ([]webauthn.Credential, error) {

  206. 	dbCreds, err := GetWebAuthnCredentialsByUID(ctx, userID)

  207. 	if err != nil {

  208. 		return nil, err

  209. 	}

  210. 

  211. 	return dbCreds.ToCredentials(), nil

  212. }