aptible-cli 0.19.2 → 0.19.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bdd31b147b7a6e31ec8a563120edfeeb65675e6fc3207a3f7a67dfd36b34c852
-  data.tar.gz: d984d2e4aa162a24c44acf7a3ea7854a2dd14b7896afbfa7851b1c2d87b2310d
+  metadata.gz: f20b71eb3388732ade1e6e53cb1f076761d40a06d460faf08fa3e468f239acc1
+  data.tar.gz: 3e603d02a1dbe3e8168209f9a0f061d29851a48189d28dc549bff3a7d203a5e1
 SHA512:
-  metadata.gz: 70854f3f9dbdd1af2c90c739e05baa72b127c4cadfea8e1d889f2b00a81fcbc56a2bf779d51e621371e38e3312110a2a1324d3edc4b2514bd944f940f9f1e74c
-  data.tar.gz: 42a946fb3e79f01f951f480aa788d356560f97887ac1613dd5d3c210311873daaabfa9b30d6ebb542185ad264b5521f7f72a267073958c2adc9bffb2445e8f11
+  metadata.gz: e195096e2854788c488477ca6d42fd1beb15ce2b6044f0be32a774e6b3915c387694e4608c7546a94915dcb32b3f0844f4864544e4a64806dca23379c0383598
+  data.tar.gz: b2fb1ef99eb836cac0e80419d362277b05877826e8cf4b8f8cb78f937168d4ab658b81f9fea6c7ea0559cd5fe6f926aec896869b7fa8737e4503536d39dfb161

data/aptible-cli.gemspec

@@ -25,9 +25,10 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'aptible-auth', '~> 1.2.4'
   spec.add_dependency 'aptible-billing', '~> 1.0'
   spec.add_dependency 'thor', '~> 0.20.0'
-  spec.add_dependency 'git'
+  spec.add_dependency 'git', '< 1.10'
   spec.add_dependency 'term-ansicolor'
   spec.add_dependency 'chronic_duration', '~> 0.10.6'
+  spec.add_dependency 'cbor'
 
   # Temporarily pin ffi until https://github.com/ffi/ffi/issues/868 is fixed
   spec.add_dependency 'ffi', '<= 1.14.1' if Gem.win_platform?

data/lib/aptible/cli/agent.rb

@@ -145,29 +145,32 @@ module Aptible
 
           # If the user has added a security key and their computer supports it,
           # allow them to use it
-          if u2f && !which('u2f-host').nil?
+          # https://developers.yubico.com/libfido2/Manuals
+          # installation: https://github.com/Yubico/libfido2#installation
+          if u2f && !which('fido2-assert').nil? && !which('fido2-token').nil?
             origin = Aptible::Auth::Resource.new.get.href
             app_id = Aptible::Auth::Resource.new.utf_trusted_facets.href
-
             challenge = u2f.fetch('challenge')
 
-            devices = u2f.fetch('devices').map do |dev|
-              Helpers::SecurityKey::Device.new(
-                dev.fetch('version'), dev.fetch('key_handle')
-              )
-            end
+            device_info = security_key_device(u2f, app_id)
 
-            puts 'Enter your 2FA token or touch your Security Key once it ' \
-                 'starts blinking.'
+            if device_info[:locations].count > 0 && device_info[:device]
+              puts "\nEnter your 2FA token or touch your Security Key " \
+                 'once it starts blinking.'
 
-            mfa_threads << Thread.new do
-              token_options[:u2f] = Helpers::SecurityKey.authenticate(
-                origin, app_id, challenge, devices
-              )
+              mfa_threads << Thread.new do
+                token_options[:u2f] = Helpers::SecurityKey.authenticate(
+                  origin,
+                  app_id,
+                  challenge,
+                  device_info[:device],
+                  device_info[:locations]
+                )
 
-              puts ''
+                puts ''
 
-              q.push(nil)
+                q.push(nil)
+              end
             end
           end
 
@@ -202,6 +205,78 @@ module Aptible
 
       private
 
+      def security_key_device(u2f, app_id)
+        devices = u2f.fetch('devices').map do |dev|
+          version = dev.fetch('version')
+          rp_id =
+            if version == 'U2F_V2'
+              app_id
+            else
+              u2f['payload']['rpId']
+            end
+
+          Helpers::SecurityKey::Device.new(
+            dev.fetch('version'),
+            dev.fetch('key_handle'),
+            dev.fetch('name'),
+            rp_id
+          )
+        end
+
+        result = {
+          locations: [],
+          device: nil
+        }
+
+        device_locations = Helpers::SecurityKey.device_locations
+
+        if device_locations.count.zero?
+          no_keys = 'WARNING: no security keys detected on machine'
+          CLI.logger.warn(no_keys) if device_locations.count.zero?
+        else
+          result[:locations] = device_locations
+          no_creds = 'No credentials associated with user'
+          raise Error, no_creds if devices.count.zero?
+
+          result[:device] = devices[0]
+          if devices.count > 1
+            credential = security_credential(devices)
+            result[:device] = credential
+          end
+        end
+
+        result
+      end
+
+      # The name for our backend model is U2FDevice.
+      # However, really what we are storing is a security credential.
+      # Here we figure out which security credential to pass to fido2-assert.
+      def security_credential(devices)
+        puts 'There are multiple credentials associated ' \
+             'with this user.  Please select the ' \
+             "credential you want to use for authentication:\n"
+
+        device = nil
+        while device.nil?
+          devices.each_with_index do |dev, index|
+            puts "#{index}: #{dev.name}"
+          end
+
+          puts ''
+
+          device_index = ask(
+            'Enter the credential number you want to use: '
+          )
+
+          # https://stackoverflow.com/a/1235990
+          next unless /\A\d+\z/ =~ device_index
+
+          device = devices[device_index.to_i]
+        end
+
+        device
+      end
+
       def deprecated(msg)
         CLI.logger.warn([
           "DEPRECATION NOTICE: #{msg}",

data/lib/aptible/cli/helpers/security_key.rb

@@ -1,3 +1,6 @@
+require 'openssl'
+require 'cbor'
+
 module Aptible
   module CLI
     module Helpers
@@ -8,21 +11,32 @@ module Aptible
 
         class AuthenticatorParameters
           attr_reader :origin, :challenge, :app_id, :version, :key_handle
-          attr_reader :request
+          attr_reader :request, :rp_id, :device_location
+          attr_reader :client_data, :assert_str, :version
 
-          def initialize(origin, challenge, app_id, device)
+          def initialize(origin, challenge, app_id, device, device_location)
             @origin = origin
             @challenge = challenge
             @app_id = app_id
             @version = device.version
             @key_handle = device.key_handle
-
-            @request = {
-              'challenge' => challenge,
-              'appId' => app_id,
-              'version' => version,
-              'keyHandle' => key_handle
-            }
+            @rp_id = device.rp_id
+            @version = device.version
+            @device_location = device_location
+            @client_data = {
+              type: 'webauthn.get',
+              challenge: challenge,
+              origin: origin,
+              crossOrigin: false
+            }.to_json
+            key_handle = Base64.strict_encode64(
+              Base64.urlsafe_decode64(device.key_handle)
+            )
+            client_data_hash = Digest::SHA256.base64digest(@client_data)
+            in_str = "#{client_data_hash}\n" \
+              "#{device.rp_id}\n" \
+              "#{key_handle}"
+            @assert_str = in_str
           end
         end
 
@@ -51,9 +65,50 @@ module Aptible
           end
         end
 
-        class Authenticator
+        class DeviceMapper
           attr_reader :pid
 
+          def initialize(pid, out_read, err_read)
+            @pid = pid
+            @out_read = out_read
+            @err_read = err_read
+          end
+
+          def exited(status)
+            out, err = [@out_read, @err_read].map(&:read).map(&:chomp)
+
+            if status.exitstatus == 0
+              U2F_LOGGER.info("#{self.class}: ok: #{out}")
+              [nil, out]
+            else
+              U2F_LOGGER.warn("#{self.class}: err: #{err}")
+              [nil, nil]
+            end
+          ensure
+            [@out_read, @err_read].each(&:close)
+          end
+
+          def self.spawn
+            out_read, out_write = IO.pipe
+            err_read, err_write = IO.pipe
+
+            pid = Process.spawn(
+              'fido2-token -L',
+              out: out_write, err: err_write,
+              close_others: true
+            )
+
+            U2F_LOGGER.debug("#{self}: spawned #{pid}")
+
+            [out_write, err_write].each(&:close)
+
+            new(pid, out_read, err_read)
+          end
+        end
+
+        class Authenticator
+          attr_reader :pid, :auth
+
           def initialize(auth, pid, out_read, err_read)
             @auth = auth
             @pid = pid
@@ -61,13 +116,55 @@ module Aptible
             @err_read = err_read
           end
 
+          def formatted_out(out)
+            arr = out.split("\n")
+            authenticator_data = arr[2]
+            signature = arr[3]
+            appid = auth.app_id if auth.version == 'U2F_V2'
+            client_data_json = Base64.urlsafe_encode64(auth.client_data)
+
+            {
+              id: auth.key_handle,
+              rawId: auth.key_handle,
+              clientExtensionResults: { appid: appid },
+              type: 'public-key',
+              response: {
+                clientDataJSON: client_data_json,
+                authenticatorData: Base64.urlsafe_encode64(
+                  CBOR.decode(
+                    Base64.strict_decode64(authenticator_data)
+                  )
+                ),
+                signature: signature
+              }
+            }
+          end
+
+          def fido_err_msg(err)
+            match = err.match(/(FIDO_ERR.+)/)
+            return nil unless match
+            result = match.captures || []
+            no_cred = "\nCredential not found on device, " \
+                      'are you sure you selected the right ' \
+                      'credential for this device?'
+            err_map = {
+              'FIDO_ERR_NO_CREDENTIALS' => no_cred
+            }
+
+            return err_map[result[0]] if result.count > 0
+
+            nil
+          end
+
           def exited(status)
             out, err = [@out_read, @err_read].map(&:read).map(&:chomp)
 
             if status.exitstatus == 0
               U2F_LOGGER.info("#{self.class} #{@auth.key_handle}: ok: #{out}")
-              [nil, JSON.parse(out)]
+              [nil, out]
             else
+              err_msg = fido_err_msg(err)
+              CLI.logger.error(err_msg) if err_msg
               U2F_LOGGER.warn("#{self.class} #{@auth.key_handle}: err: #{err}")
               [ThrottledAuthenticator.spawn(@auth), nil]
             end
@@ -81,7 +178,7 @@ module Aptible
             err_read, err_write = IO.pipe
 
             pid = Process.spawn(
-              'u2f-host', '-aauthenticate', '-o', auth.origin,
+              "fido2-assert -G #{auth.device_location}",
               in: in_read, out: out_write, err: err_write,
               close_others: true
             )
@@ -90,7 +187,7 @@ module Aptible
 
             [in_read, out_write, err_write].each(&:close)
 
-            in_write.write(auth.request.to_json)
+            in_write.write(auth.assert_str)
             in_write.close
 
             new(auth, pid, out_read, err_read)
@@ -98,18 +195,40 @@ module Aptible
         end
 
         class Device
-          attr_reader :version, :key_handle
+          attr_reader :version, :key_handle, :rp_id, :name
 
-          def initialize(version, key_handle)
+          def initialize(version, key_handle, name, rp_id)
             @version = version
             @key_handle = key_handle
+            @name = name
+            @rp_id = rp_id
           end
         end
 
-        def self.authenticate(origin, app_id, challenge, devices)
-          procs = Hash[devices.map do |device|
+        def self.device_locations
+          w = DeviceMapper.spawn
+          _, status = Process.wait2
+          _, out = w.exited(status)
+          # parse output and only log device
+          matches = out.split("\n").map { |s| s.match(/^(\S+):\s/) }
+          results = []
+          matches.each do |m|
+            capture = m.captures
+            results << capture[0] if m && capture.count.positive?
+          end
+
+          results
+        end
+
+        def self.authenticate(origin, app_id, challenge,
+                              device, device_locations)
+          procs = Hash[device_locations.map do |location|
             params = AuthenticatorParameters.new(
-              origin, challenge, app_id, device
+              origin,
+              challenge,
+              app_id,
+              device,
+              location
             )
             w = Authenticator.spawn(params)
             [w.pid, w]
@@ -124,7 +243,7 @@ module Aptible
               r, out = w.exited(status)
 
               procs[r.pid] = r if r
-              return out if out
+              return w.formatted_out(out) if out
             end
           ensure
             procs.values.map(&:pid).each { |p| Process.kill(:SIGTERM, p) }

data/lib/aptible/cli/version.rb

@@ -1,5 +1,5 @@
 module Aptible
   module CLI
-    VERSION = '0.19.2'.freeze
+    VERSION = '0.19.3'.freeze
   end
 end

data/spec/aptible/cli/agent_spec.rb

@@ -187,8 +187,16 @@ describe Aptible::CLI::Agent do
             'u2f' => {
               'challenge' => 'some 123',
               'devices' => [
-                { 'version' => 'U2F_V2', 'key_handle' => '123' },
-                { 'version' => 'U2F_V2', 'key_handle' => '456' }
+                {
+                  'version' => 'U2F_V2',
+                  'key_handle' => '123',
+                  'name' => 'primary'
+                },
+                {
+                  'version' => 'U2F_V2',
+                  'key_handle' => '456',
+                  'name' => 'secondary'
+                }
               ]
             }
           )
@@ -215,16 +223,28 @@ describe Aptible::CLI::Agent do
         end
 
         it 'should call into U2F if supported' do
-          allow(subject).to receive(:which).and_return('u2f-host')
+          allow(subject).to receive(:which).and_return('fido2-token')
+          allow(subject).to receive(:which).and_return('fido2-assert')
           allow(subject).to receive(:ask).with('2FA Token: ') { sleep }
+          allow(subject).to receive(:ask).with(
+            'Enter the credential number you want to use: '
+          ) { '0' }
 
           e = make_oauth2_error(
             'otp_token_required',
             'u2f' => {
               'challenge' => 'some 123',
               'devices' => [
-                { 'version' => 'U2F_V2', 'key_handle' => '123' },
-                { 'version' => 'U2F_V2', 'key_handle' => '456' }
+                {
+                  'version' => 'U2F_V2',
+                  'key_handle' => '123',
+                  'name' => 'primary'
+                },
+                {
+                  'version' => 'U2F_V2',
+                  'key_handle' => '456',
+                  'name' => 'secondary'
+                }
               ]
             }
           )
@@ -238,15 +258,17 @@ describe Aptible::CLI::Agent do
 
           expect(subject).to receive(:puts).with(/security key/i)
 
+          expect(Aptible::CLI::Helpers::SecurityKey)
+            .to receive(:device_locations)
+            .and_return(['ioreg://4295020796'])
+
           expect(Aptible::CLI::Helpers::SecurityKey).to receive(:authenticate)
             .with(
               'https://auth.aptible.com/',
               'https://auth.aptible.com/u2f/trusted_facets',
               'some 123',
-              array_including(
-                instance_of(Aptible::CLI::Helpers::SecurityKey::Device),
-                instance_of(Aptible::CLI::Helpers::SecurityKey::Device)
-              )
+              instance_of(Aptible::CLI::Helpers::SecurityKey::Device),
+              ['ioreg://4295020796']
             ).and_return(u2f)
 
           expect(Aptible::Auth::Token).to receive(:create)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aptible-cli
 version: !ruby/object:Gem::Version
-  version: 0.19.2
+  version: 0.19.3
 platform: ruby
 authors:
 - Frank Macreery
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-02-18 00:00:00.000000000 Z
+date: 2022-03-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aptible-resource
@@ -84,16 +84,16 @@ dependencies:
   name: git
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.10'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.10'
 - !ruby/object:Gem::Dependency
   name: term-ansicolor
   requirement: !ruby/object:Gem::Requirement
@@ -122,6 +122,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.10.6
+- !ruby/object:Gem::Dependency
+  name: cbor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement