two_factor_auth 0.1.1

data/app/assets/javascripts/two_factor_auth/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/app/assets/stylesheets/two_factor_auth/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any styles
+ * defined in the other CSS/SCSS files in this directory. It is generally better to create a new
+ * file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/controllers/two_factor_auth/authentications_controller.rb

@@ -0,0 +1,32 @@
+module TwoFactorAuth
+  class AuthenticationsController < TwoFactorAuthController
+    skip_before_action :two_factor_auth_authentication
+
+    include TwoFactorAuth::AuthenticationsHelper
+
+    def new
+      redirect_to after_sign_in_path_for(current_user) if user_two_factor_auth_authenticated?
+    end
+
+    def create
+      keyHandle = TwoFactorAuth::websafe_base64_decode(params.fetch(:keyHandle, ''))
+      registration = Registration.find_by_key_handle(keyHandle)
+
+      verifier = AuthenticationVerifier.new({
+        registration: registration,
+        request: authentication_request,
+        client_data: ClientData.new(encoded: params[:clientData], correct_typ: 'navigator.id.getAssertion'),
+        response: AuthenticationResponse.new(encoded: params[:signatureData]),
+      })
+      clear_pending_challenge
+
+      if verifier.valid?
+        user_two_factor_auth_authenticated! verifier.counter
+        redirect_to after_sign_in_path_for(current_user)
+      else
+        flash[:alert] = "Unable to authenticate"
+        render :new, status: 406
+      end
+    end
+  end
+end

data/app/controllers/two_factor_auth/registrations_controller.rb

@@ -0,0 +1,29 @@
+module TwoFactorAuth
+  class RegistrationsController < TwoFactorAuthController
+    skip_before_action :two_factor_auth_registration
+    skip_before_action :two_factor_auth_authentication
+
+    include TwoFactorAuth::RegistrationsHelper
+
+    def new
+    end
+
+    def create
+      verifier = RegistrationVerifier.new({
+        login: current_user,
+        request: registration_request,
+        client_data: ClientData.new(encoded: params[:clientData], correct_typ: 'navigator.id.finishEnrollment'),
+        response: RegistrationResponse.new(encoded: params[:registrationData]),
+      })
+      clear_pending_challenge
+
+      if verifier.save
+        user_two_factor_auth_authenticated! 0 # don't need to auth again after registration
+        redirect_to after_two_factor_auth_registrations_path_for(current_user)
+      else
+        flash[:alert] = "Unable to register"
+        render :new, status: 406
+      end
+    end
+  end
+end

data/app/controllers/two_factor_auth/trusted_facets_controller.rb

@@ -0,0 +1,10 @@
+module TwoFactorAuth
+  # Does not inherit from ApplicationController because many of those enforce
+  # logins on all but a whitelist of pages and the U2F spec requires this
+  # respond to a request with no cookies or other auth.
+  class TrustedFacetsController < ActionController::Base
+    def index
+      render text: TwoFactorAuth.facets.to_json, content_type: "application/fido.trusted-apps+json"
+    end
+  end
+end

data/app/controllers/two_factor_auth/two_factor_auth_controller.rb

@@ -0,0 +1,19 @@
+module TwoFactorAuth
+  class TwoFactorAuthController < ApplicationController
+    include TwoFactorAuth::ApplicationHelper
+    include Devise::Controllers::Helpers
+
+    protect_from_forgery with: :exception
+    before_action :authenticate_user!
+
+    private
+
+    def after_two_factor_auth_registrations_path_for(resource)
+      signed_in_root_path(resource)
+    end
+
+    def after_two_factor_auth_authentication_path_for(resource)
+      after_sign_in_path_for(resource)
+    end
+  end
+end

data/app/helpers/two_factor_auth/application_helper.rb

@@ -0,0 +1,21 @@
+module TwoFactorAuth
+  module ApplicationHelper
+    def user_two_factor_auth_registered?
+      current_user.registrations.any?
+    end
+
+    def user_two_factor_auth_authenticated! counter
+      Registration.authenticated(current_user, counter)
+      user_session['two_factor_auth_authenticated'] = Time.now
+    end
+
+    def user_two_factor_auth_authenticated?
+      user_session['two_factor_auth_authenticated'].present?
+    end
+
+    def user_two_factor_auth_authenticated! counter
+      Registration.authenticated(current_user, counter)
+      user_session['two_factor_auth_authenticated'] = Time.now
+    end
+  end
+end

data/app/helpers/two_factor_auth/authentications_helper.rb

@@ -0,0 +1,17 @@
+module TwoFactorAuth
+  module AuthenticationsHelper
+    def authentication_request
+      @authentication_request ||= AuthenticationRequest.new(
+        TwoFactorAuth.trusted_facet_list_url,
+        Registration.key_handle_for_authentication(current_user),
+        user_session['pending_authentication_request_challenge']
+      )
+      user_session['pending_authentication_request_challenge'] = @authentication_request.challenge
+      @authentication_request
+    end
+
+    def clear_pending_challenge
+      user_session.delete 'pending_authentication_request_challenge'
+    end
+  end
+end

data/app/helpers/two_factor_auth/registrations_helper.rb

@@ -0,0 +1,17 @@
+module TwoFactorAuth
+  module RegistrationsHelper
+    def registration_request
+      @registration_request ||= RegistrationRequest.new(
+        TwoFactorAuth.trusted_facet_list_url,
+        [],
+        user_session['pending_registration_request_challenge']
+      )
+      user_session['pending_registration_request_challenge'] = @registration_request.challenge
+      @registration_request
+    end
+
+    def clear_pending_challenge
+      user_session.delete 'pending_registration_request_challenge'
+    end
+  end
+end

data/app/models/two_factor_auth/authentication_client_data.rb

@@ -0,0 +1,11 @@
+module TwoFactorAuth
+  class AuthenticationClientData < ClientData
+    validate :typ_correct
+
+    def typ_correct
+      if typ != 'navigator.id.getAssertion'
+        errors.add :typ, "should be navigator.id.getAssertion but is #{typ}"
+      end
+    end
+  end
+end

data/app/models/two_factor_auth/authentication_request.rb

@@ -0,0 +1,30 @@
+require 'adamantium'
+
+module TwoFactorAuth
+  class AuthenticationRequest
+    include Adamantium
+
+    attr_reader :app_id, :key_handle
+
+    def initialize app_id, key_handle, challenge=nil
+      @app_id = app_id
+      @key_handle = key_handle
+      @challenge = challenge
+    end
+
+    def challenge
+      @challenge || TwoFactorAuth::random_encoded_challenge
+    end
+    memoize :challenge
+
+    # this matches te browser's u2f api
+    def serialized
+      {
+        appId: app_id,
+        keyHandle: TwoFactorAuth.websafe_base64_encode(key_handle),
+        challenge: challenge,
+        version: U2F_VERSION,
+      }.to_json
+    end
+  end
+end

data/app/models/two_factor_auth/authentication_response.rb

@@ -0,0 +1,49 @@
+require 'active_model'
+require 'virtus'
+
+# See FIDO U2F "Raw Message Formats" documentation, section 4.3 "Registration
+# Response Message: Success"
+module TwoFactorAuth
+  class AuthenticationResponse
+    include ActiveModel::Validations
+    include Virtus.model
+
+    attribute :encoded, String
+    attribute :raw, String
+
+    attribute :bitfield, Fixnum
+    attribute :user_presence, Boolean
+    attribute :counter, Fixnum
+    attribute :signature, String
+
+    validates :bitfield, :user_presence, :counter, :signature, presence: true
+    validate :bitfield_correct, :user_is_present
+
+    def initialize *args, &blk
+      super
+      decompose_fields
+    end
+
+    def decompose_fields
+      self.raw = TwoFactorAuth.websafe_base64_decode encoded
+      io = StringIO.new raw
+
+      @bitfield = io.read(1).ord
+      @user_presence = @bitfield.ord & 1 == 1
+      @counter = io.read(4).unpack("N").first
+      @signature = io.read
+    end
+
+    def bitfield_correct
+      if bitfield.ord != 1
+        errors.add :bitfield, "bits 1-7 must be set to zero"
+      end
+    end
+
+    def user_is_present
+      if !user_presence
+        errors.add :user_presence, "must be set"
+      end
+    end
+  end
+end

data/app/models/two_factor_auth/authentication_verifier.rb

@@ -0,0 +1,68 @@
+require 'active_model'
+require 'virtus'
+
+module TwoFactorAuth
+  class AuthenticationVerifier
+    include ActiveModel::Validations
+    include Virtus.model
+
+    attribute :registration, Registration
+    attribute :request, AuthenticationRequest
+    attribute :client_data, ClientData
+    attribute :response, AuthenticationResponse
+
+    validate :client_challenge_matches, :client_origin_matches,
+            :counter_advances,
+            :verify_signature
+    validates_associated :client_data, :response
+
+    def application_parameter
+      OpenSSL::Digest::SHA256.new.digest(request.app_id.encode('ASCII-8BIT'))
+    end
+
+    def challenge_parameter
+      OpenSSL::Digest::SHA256.new.digest(client_data.json)
+    end
+
+    def client_challenge_matches
+      if client_data.challenge != request.challenge
+        errors.add :client_data, "challenge does not match the challenge they were sent"
+      end
+    end
+
+    def client_origin_matches
+      if client_data.origin != request.app_id
+        errors.add :client_data, "origin does not match the appId they were sent"
+      end
+    end
+
+    def counter_advances
+      if response.counter <= registration.counter
+        errors.add :response, "does not advance counter - could mean device was cloned"
+      end
+    end
+
+    def digest
+      data = [
+        application_parameter,
+        response.bitfield.chr,
+        [response.counter].pack('N'),
+        challenge_parameter,
+      ].join('')
+      OpenSSL::Digest::SHA256.new.digest(data)
+    end
+
+    def verify_signature
+      ec = OpenSSL::PKey::EC.new('prime256v1')
+      ec.public_key = TwoFactorAuth.decode_pubkey registration.public_key
+      return false if ec.public_key.nil?
+      if !ec.dsa_verify_asn1(digest, response.signature)
+        errors.add :response, "signature is not correct"
+      end
+    end
+
+    def counter
+      response.counter
+    end
+  end
+end

data/app/models/two_factor_auth/client_data.rb

@@ -0,0 +1,57 @@
+require 'active_model'
+require 'virtus'
+
+module TwoFactorAuth
+  class ClientData
+    include ActiveModel::Validations
+    include Virtus.model
+
+    attribute :correct_typ, String
+    attribute :encoded, String
+    attribute :attrs, Hash
+
+    attribute :json, String
+    attribute :typ, String
+    attribute :challenge, String
+    attribute :origin, String
+    attribute :cid_pubkey, String
+
+    validates :correct_typ, :typ, :challenge, :origin, presence: true
+    validates :correct_typ, inclusion: { in: %w{navigator.id.getAssertion navigator.id.finishEnrollment} }
+    validate :client_data_has_correct_keys, :typ_correct
+
+    def initialize *args, &blk
+      super
+      decompose_attrs if encoded.present?
+      raise ArgumentError, "correct_typ is mandatory" if correct_typ.blank?
+    end
+
+    def decompose_attrs
+      self.json = TwoFactorAuth::websafe_base64_decode(encoded)
+      self.attrs = JSON.parse(json)
+
+      self.typ        = attrs['typ']
+      self.challenge  = attrs['challenge']
+      self.origin     = attrs['origin']
+      self.cid_pubkey = attrs['cid_pubkey']
+    rescue ArgumentError => e
+      errors.add(:encoded, "Can't decode base64: #{e.message}")
+    rescue JSON::ParserError => e
+      errors.add(:json, "Can't parse json: #{e.message}")
+    end
+
+    def client_data_has_correct_keys
+      if attrs.keys != %w{typ challenge origin cid_pubkey}
+        errors.add :attrs, "has wrong keys: #{attrs.keys.join(', ')}"
+      end
+    end
+
+    def typ_correct
+      if typ != correct_typ
+        errors.add :typ, "should be navigator.id.getAssertion but is #{typ}"
+      end
+    end
+
+    def persisted? ; false ; end
+  end
+end

data/app/models/two_factor_auth/registration.rb

@@ -0,0 +1,18 @@
+module TwoFactorAuth
+  class Registration < ActiveRecord::Base
+    belongs_to :login, polymorphic: true
+
+    validates :login, :key_handle, :public_key, :certificate, :counter, :last_authenticated_at, presence: true
+
+    def self.key_handle_for_authentication login
+      login.registrations.first.key_handle
+    end
+
+    def self.authenticated login, counter
+      reg = login.registrations.first
+      reg.last_authenticated_at = Time.now
+      reg.counter = counter
+      reg.save!
+    end
+  end
+end

data/app/models/two_factor_auth/registration_request.rb

@@ -0,0 +1,33 @@
+require 'adamantium'
+
+module TwoFactorAuth
+  class RegistrationRequest
+    include Adamantium
+
+    attr_reader :app_id, :key_handles
+
+    def initialize app_id=TwoFactorAuth.trusted_facet_list_url, key_handles=[], challenge=nil
+      @app_id = app_id
+      @key_handles = key_handles
+      @challenge = challenge
+    end
+
+    def challenge
+      @challenge || TwoFactorAuth::random_encoded_challenge
+    end
+    memoize :challenge
+
+    def signs
+      []
+    end
+
+    # this matches te browser's u2f api
+    def serialized
+      {
+        appId: app_id,
+        challenge: challenge,
+        version: TwoFactorAuth::U2F_VERSION,
+      }.to_json
+    end
+  end
+end

data/app/models/two_factor_auth/registration_response.rb

@@ -0,0 +1,91 @@
+require 'active_model'
+require 'virtus'
+
+# See FIDO U2F "Raw Message Formats" documentation, section 4.3 "Registration
+# Response Message: Success"
+module TwoFactorAuth
+  class RegistrationResponse
+    include ActiveModel::Validations
+    include Virtus.model
+
+    USER_PUBKEY_LENGTH = 65
+
+    attribute :encoded, String
+    attribute :raw, String
+
+    attribute :reserved_byte, Fixnum
+    attribute :public_key, String
+    attribute :key_handle, String
+    attribute :certificate, String
+    attribute :signature, String
+
+    validates :reserved_byte, :public_key, :key_handle, :certificate,
+      :signature, presence: true
+    validate :reserved_byte_correct, :certificate_valid,
+            :certificate_trusted, :public_key_valid
+
+    def initialize *args, &blk
+      super
+      decompose_fields if encoded.present?
+    end
+
+    def decompose_fields
+      self.raw = TwoFactorAuth::websafe_base64_decode(encoded)
+      io = StringIO.new raw
+
+      self.reserved_byte = io.read(1)
+      self.public_key = io.read(USER_PUBKEY_LENGTH)
+      key_handle_length = io.readbyte
+      self.key_handle = io.read(key_handle_length)
+
+      at_peek = io.read(4)
+      io.seek(-4, IO::SEEK_CUR)
+      attestation_certificate_length = 4 + at_peek[2..3].unpack('n').first
+      self.certificate = io.read(attestation_certificate_length)
+      self.signature = io.read
+    rescue ArgumentError => e
+      errors.add(:encoded, "Can't decode base64: #{e.message}")
+    rescue EOFError => e
+      errors.add(:raw, "Can't extract all fields")
+    end
+
+    def certificate_public_key
+      OpenSSL::X509::Certificate.new(certificate).public_key.public_key
+    end
+
+    def reserved_byte_correct
+      if reserved_byte.ord != 5
+        errors.add :reserved_byte, "must be 0x05"
+      end
+    end
+
+    def certificate_valid
+      OpenSSL::X509::Certificate.new(certificate)
+    rescue TypeError # from certificate_public_key not extracting cert and using nil
+      errors.add(:certificate, "was not extracted")
+    rescue OpenSSL::X509::CertificateError
+      errors.add :certificate, "not a valid x509 certificate"
+    end
+
+    def public_key_valid
+      if !TwoFactorAuth.pubkey_valid?(public_key)
+        errors.add :public_key, "not a valid public key"
+      end
+    end
+
+    # FIDO raw message formats v1.0 page 5 says "The relying party should also
+    # verify that the attestation certificate was issued by a trusted
+    # certification authority. The exact process of setting up trusted
+    # certification authorities is to be defined by the FIDO Alliance and is
+    # outside the scope of this document."
+    # This hasn't yet been defined and may turn out to only be a way for the
+    # FIDO alliance to extract money from client creators. Or it may turn out to
+    # be something that servers want to configure. So this is a placeholder
+    # method to remind that this may be important in the future.
+    def certificate_trusted
+      true
+    end
+
+    def persisted? ; false ; end
+  end
+end

data/app/models/two_factor_auth/registration_verifier.rb

@@ -0,0 +1,91 @@
+require 'active_model'
+require 'virtus'
+
+module TwoFactorAuth
+  class RegistrationVerifier
+    include ActiveModel::Validations
+    #include TwoFactorAuth::ValidateAssociated
+    include Virtus.model
+
+    attribute :login
+    attribute :request, RegistrationRequest
+    attribute :client_data, ClientData
+    attribute :response, RegistrationResponse
+
+    validates :request, :client_data, :response, presence: true
+    validate :client_challenge_matches,
+            :client_origin_matches,
+            :verify_signature
+    validates_associated :client_data, :response
+
+    def application_parameter
+      OpenSSL::Digest::SHA256.new.digest(request.app_id.encode('ASCII-8BIT'))
+    end
+
+    def challenge_parameter
+      OpenSSL::Digest::SHA256.new.digest(client_data.json)
+    end
+
+    def digest
+      data = [
+        0.chr.encode('ASCII-8BIT'),
+        application_parameter,
+        challenge_parameter,
+        response.key_handle,
+        response.public_key,
+      ].join('')
+      OpenSSL::Digest::SHA256.new.digest(data)
+    end
+
+    def client_challenge_matches
+      if client_data.challenge != request.challenge
+        errors.add :client_data, "challenge does not match the challenge they were sent"
+      end
+    end
+
+    def client_origin_matches
+      if client_data.origin != request.app_id
+        errors.add :client_data, "origin does not match the appId they were sent"
+      end
+    end
+
+    def verify_signature
+      ec = OpenSSL::PKey::EC.new('prime256v1')
+      ec.public_key = response.certificate_public_key
+      return false if ec.public_key.nil?
+      if !ec.dsa_verify_asn1(digest, response.signature)
+        errors.add :response, "signature is not correct"
+      end
+    rescue TypeError # from certificate_public_key not extracting cert and using nil
+      errors.add(:response, "certificate was not extracted")
+    rescue OpenSSL::PKey::ECError # signature is invalid, not just incorrect
+      errors.add(:response, "signature not valid")
+    end
+
+    def persisted? ; false ; end
+
+    def save
+      if valid?
+        persist!
+        true
+      else
+        false
+      end
+    end
+
+    def registration_attributes
+      {
+        login: login,
+        counter: 0,
+        key_handle: response.key_handle,
+        public_key: response.public_key,
+        certificate: response.certificate,
+        last_authenticated_at: Time.now,
+      }
+    end
+
+    def persist!
+      Registration.create!(registration_attributes)
+    end
+  end
+end

data/app/views/layouts/two_factor_auth/application.html.erb

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>TwoFactorAuth</title>
+  <%= stylesheet_link_tag    "two_factor_auth/application", media: "all" %>
+  <%= javascript_include_tag "two_factor_auth/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<p class="notice"><%= notice %></p>
+<p class="alert twofactorauth-status"><%= alert %></p>
+<%= yield %>
+
+</body>
+</html>