rack-u2f 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 293216cb2f753e7ffae84b3d65aabd4a5b472359
+  data.tar.gz: 173f07ee1e0ef64ad696b5994dbd0a993de0bd04
+SHA512:
+  metadata.gz: cc091c574805618fa863b6cef886e6ce249151c8b622f08e37bb0fc2ff91ea486f565a08161b4d19b85682560c1b25ee1337fc8931ec9401bc31ca01482e7cb5
+  data.tar.gz: f1175bd3ce0366219a8cca9db89b962e063cd47dbfa631a8d13861b26958fa5bb2f08a7fea3279379c4043e5ec876bdf68590beb78a24939f0261fd5e3507208

data/.gitignore

@@ -0,0 +1,12 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.rubocop.yml

@@ -0,0 +1,2 @@
+Metrics/LineLength:
+  Max: 110

data/.travis.yml

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.4.2
+before_install: gem install bundler -v 1.15.4

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in rack-u2f.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Eaden McKee
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,58 @@
+# Rack::U2f
+
+Note: This gem needs a tidy up and will be properly released by end of Nov 2017
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'rack-u2f'
+```
+
+And then execute:
+
+    $ bundle
+
+## Usage
+
+Rack U2F has two components;
+
+A Rack app to register U2F devices
+
+and
+
+Rack middleware to authenticate against registered U2F devices
+
+In rails:
+
+In `config/routes.rb`:
+
+```ruby
+mount Rack::U2f::RegistrationServer.new(store: Rack::U2f::RegistrationStore::RedisStore.new), at: '/u2f_registration'
+```
+
+in `config/application.rb`
+
+```ruby
+config.middleware.use Rack::U2f::AuthenticationMiddleware, {
+  store: Rack::U2f::RegistrationStore::RedisStore.new,
+  exclude_urls: [/\Au2f/, /\A\/\z/]
+}
+```
+
+Currently only a redis store is developed, but other stores such as active record will be easy to add.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/eadz/rack-u2f.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "rack/u2f"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/rack/u2f.rb

@@ -0,0 +1,15 @@
+require 'rack/u2f/version'
+require 'rack/u2f/helpers'
+require 'rack/u2f/registration_server'
+require 'rack/u2f/registration_store'
+require 'rack/u2f/authentication_middleware'
+
+module Rack
+  # :nodoc:
+  module U2f
+    TEMPLATE_DIR = ::File.join(::File.dirname(__FILE__), 'u2f', 'templates')
+    REGISTRATION_TEMPLATE = ::File.read(::File.join(TEMPLATE_DIR, 'registration_page.html.mustache'))
+    CHALLENGE_TEMPLATE = ::File.read(::File.join(TEMPLATE_DIR, 'challenge_page.html.mustache'))
+    U2FJS = ::File.read(::File.join(TEMPLATE_DIR, 'u2f.js'))
+  end
+end

data/lib/rack/u2f/authentication_middleware.rb

@@ -0,0 +1,79 @@
+module Rack
+  module U2f
+    # Middleware to authenticate against registered u2f keys
+    class AuthenticationMiddleware
+      include Helpers
+
+      def initialize(app, config = nil)
+        @app = app
+        @store = config[:store] || raise('Please specify a U2F store such as Rack::U2f::RegistrationStore::RedisStore.new')
+        @exclude_urls = config[:exclude_urls] || [/\A\/u2f/]
+      end
+
+      def call(env)
+        request = Rack::Request.new(env)
+        return @app.call(env) if excluded?(request)
+        return @app.call(env) if authenticated?(request)
+        return resp_auth_from_u2f(request) if request.params['u2f_auth']
+        challenge_page(request)
+      end
+
+      private
+
+      def excluded?(request)
+        @exclude_urls.any?{ |exc| request.path =~ exc }
+      end
+
+      def authenticated?(request)
+        request.session['u2f_authenticated']
+      end
+
+      def resp_unregistered
+        [403, {}, ["Unregistered Device"]]
+      end
+
+      def resp_invalid
+        [403, {}, ["Invalid Auth"]]
+      end
+
+      def resp_auth_from_u2f(request)
+        u2f_response = U2F::SignResponse.load_from_json(request.params['u2f_auth'])
+        registration = @store.get_registration(key_handle: u2f_response.key_handle)
+        return unregistered unless registration
+        begin
+          u2f = U2F::U2F.new(extract_app_id(request))
+          u2f.authenticate!(request.session['challenge'], u2f_response,
+                    Base64.decode64(registration['public_key']),
+                    registration['counter'])
+        rescue U2F::Error => e
+          return resp_invalid
+        ensure
+          request.session.delete('challenge')
+        end
+
+        @store.update_registration(key_handle: u2f_response.key_handle, counter: u2f_response.counter)
+        request.session['u2f_authenticated'] = true
+        [302, {"Location" => '/'}, []]
+      end
+
+      def challenge_page(request)
+        key_handles = @store.key_handles
+        return resp_unregistered unless key_handles && key_handles.size > 0
+        u2f = U2F::U2F.new(extract_app_id(request))
+        sign_requests = u2f.authentication_requests(key_handles)
+        challenge = u2f.challenge
+        request.session['challenge'] = challenge
+
+        content = Mustache.render(
+          CHALLENGE_TEMPLATE,
+          app_id: u2f.app_id.to_json,
+          challenge: challenge.to_json,
+          sign_requests: sign_requests.to_json,
+          u2fjs: U2FJS
+        )
+
+        Rack::Response.new(content)
+      end
+    end
+  end
+end

data/lib/rack/u2f/helpers.rb

@@ -0,0 +1,13 @@
+module Rack
+  module U2f
+    # Helpers used in the middleware and registration server
+    module Helpers
+      def extract_app_id(request)
+        app_id = request.url.split('/')[0..2].join('/')
+        return app_id if [443, 80].include?(request.port)
+        app_id + ':' + request.port
+      end
+
+    end
+  end
+end

data/lib/rack/u2f/registration_server.rb

@@ -0,0 +1,66 @@
+require 'u2f'
+require 'mustache'
+
+module Rack
+  module U2f
+    # Middleware allow registration of u2f devices
+    class RegistrationServer
+      include Helpers
+
+      def initialize(config)
+        @config = config
+        @store = config[:store]
+        raise 'Missing RegistrationMiddleware Config' if @config.nil?
+      end
+
+      def call(env)
+        return [403, {}, ['']] unless ENV['ENABLE_U2F_REGISTRATION']
+        request = Rack::Request.new(env)
+        if request.get?
+          generate_registration(request)
+        else
+          u2f = U2F::U2F.new(extract_app_id(request))
+
+          response = U2F::RegisterResponse.load_from_json(request.params['response'])
+          reg = begin
+            u2f.register!(request.session['challenges'], response)
+          rescue U2F::Error => e
+            return [422, {}, ['Unable to register device']]
+          ensure
+            request.session.delete('challenges')
+          end
+          @store.store_registration(
+            certificate: reg.certificate,
+            key_handle: reg.key_handle,
+            public_key: reg.public_key,
+            counter: reg.counter
+          )
+          return [200, {}, ["Registration Successful"]]
+        end
+      end
+
+      private
+
+      def generate_registration(request)
+        u2f = U2F::U2F.new('https://junk.ngrok.io')
+        registration_requests = u2f.registration_requests
+        request.session['challenges'] = registration_requests.map(&:challenge)
+        key_handles = @store.key_handles
+        sign_requests = u2f.authentication_requests(key_handles)
+
+        registration_page(u2f.app_id, registration_requests, sign_requests)
+      end
+
+      def registration_page(app_id, registration_requests, sign_requests)
+        content = Mustache.render(
+          REGISTRATION_TEMPLATE,
+          app_id: app_id.to_json,
+          registration_requests: registration_requests.to_json,
+          sign_requests: sign_requests.to_json,
+          u2fjs: U2FJS
+        )
+        Rack::Response.new(content)
+      end
+    end
+  end
+end

data/lib/rack/u2f/registration_store.rb

@@ -0,0 +1,22 @@
+require 'rack/u2f/registration_store/redis_store'
+
+module Rack
+  module U2f
+    # Store to keep track of tokens
+    module RegistrationStore
+      class AbstractStore
+        def initialize(*args)
+        end
+
+        def store_registration(certificate:, key_handle:, public_key:, counter:)
+        end
+
+        def update_registration(key_handle:, counter:)
+        end
+
+        def key_handles
+        end
+      end
+    end
+  end
+end

data/lib/rack/u2f/registration_store/active_record_store.rb

@@ -0,0 +1,24 @@
+module Rack
+  module U2f
+    # Store to keep track of u2f data in active record
+    module RegistrationStore
+      class ActiveRecordStore
+        def initialize(ar_model)
+          @model = ar_model
+        end
+
+        def store_registration(certificate:, key_handle:, public_key:, counter:)
+        end
+
+        def get_registration(key_handle:)
+        end
+
+        def update_registration(key_handle:, counter:)
+        end
+
+        def key_handles
+        end
+      end
+    end
+  end
+end

data/lib/rack/u2f/registration_store/redis_store.rb

@@ -0,0 +1,50 @@
+require 'redis'
+module Rack
+  module U2f
+    # Store to keep track of u2f data in redis
+    module RegistrationStore
+      class RedisStore
+        def initialize(redis_connection = nil)
+          @redis = redis_connection || Redis.new
+          @hash_key_prefix = 'rack-u2f'
+        end
+
+        def store_registration(certificate:, key_handle:, public_key:, counter:)
+          @redis.hset(
+            @hash_key_prefix,
+            key_handle,
+            JSON.dump(
+              certificate: certificate,
+              public_key: public_key,
+              counter: counter
+            )
+          )
+        end
+
+        def get_registration(key_handle:)
+          data = @redis.hget(@hash_key_prefix, key_handle)
+          data && JSON.parse(data)
+        end
+
+        def update_registration(key_handle:, counter:)
+          existing = get_registration(key_handle: key_handle)
+          if existing
+            @redis.hset(
+              @hash_key_prefix,
+              key_handle,
+              JSON.dump(
+                certificate: existing['certificate'],
+                public_key: existing['public_key'],
+                counter: counter
+              )
+            )
+          end
+        end
+
+        def key_handles
+          @redis.hkeys(@hash_key_prefix) || []
+        end
+      end
+    end
+  end
+end

data/lib/rack/u2f/templates/challenge_page.html.mustache

@@ -0,0 +1,56 @@
+<html>
+<head>
+  <title>U2F Challenge</title>
+  <style type="text/css"><!--
+  body {
+    background: #232526;  /* fallback for old browsers */
+  background: -webkit-linear-gradient(to top, #414345, #232526);  /* Chrome 10-25, Safari 5.1-6 */
+  background: linear-gradient(to top, #414345, #232526); /* W3C, IE 10+/ Edge, Firefox 16+, Chrome 26+, Opera 12+, Safari 7+ */
+  }
+  body, html {
+    color: #fff;
+    font-family: monospace;
+  }
+  div.main {
+    margin-left: auto;
+    margin-right: auto;
+    width: 60%;
+    margin-top: 10%;
+  }
+  --></style>
+</head>
+<body>
+<form method="post">
+  <input type="hidden" name="u2f_auth">
+</form>
+
+<script type="text/javascript">
+
+{{{u2fjs}}}
+
+var appId = {{{app_id}}};
+var challenge = {{{challenge}}};
+var signRequests = {{{sign_requests.as_json}}};
+u2f.sign(appId, challenge, signRequests, function(signResponse) {
+  var form, reg, response;
+
+  if (signResponse.errorCode) {
+    return alert("Authentication error: " + signResponse.errorCode);
+  }
+
+  form = document.forms[0];
+  response = document.querySelector('[name=u2f_auth]');
+
+  response.value = JSON.stringify(signResponse);
+
+  form.submit();
+
+});
+</script>
+
+<div class="main">
+<h1>U2F Auth</h1>
+<p>Insert your token and authenticate.</p>
+</div>
+</body>
+</html>