1
|
|
|
<?php |
2
|
|
|
|
3
|
|
|
declare(strict_types=1); |
4
|
|
|
|
5
|
|
|
/** |
6
|
|
|
* balloon |
7
|
|
|
* |
8
|
|
|
* @copyright Copryright (c) 2012-2019 gyselroth GmbH (https://gyselroth.com) |
9
|
|
|
* @license GPL-3.0 https://opensource.org/licenses/GPL-3.0 |
10
|
|
|
*/ |
11
|
|
|
|
12
|
|
|
namespace Balloon\App\Webauthn\GrantType; |
13
|
|
|
|
14
|
|
|
use Balloon\App\Webauthn\RequestChallenge\RequestChallengeFactory; |
15
|
|
|
use Balloon\Hook; |
16
|
|
|
use Balloon\Server; |
17
|
|
|
use Micro\Auth\Adapter\None as AdapterNone; |
18
|
|
|
use Micro\Auth\Auth; |
19
|
|
|
use MongoDB\BSON\ObjectId; |
20
|
|
|
use OAuth2\GrantType\GrantTypeInterface; |
21
|
|
|
use OAuth2\RequestInterface; |
22
|
|
|
use OAuth2\ResponseInterface; |
23
|
|
|
use OAuth2\ResponseType\AccessTokenInterface; |
24
|
|
|
use Psr\Log\LoggerInterface; |
25
|
|
|
use Webauthn\AuthenticatorAssertionResponse; |
26
|
|
|
use Webauthn\AuthenticatorAssertionResponseValidator; |
27
|
|
|
use Webauthn\PublicKeyCredentialLoader; |
28
|
|
|
|
29
|
|
|
class Webauthn implements GrantTypeInterface |
30
|
|
|
{ |
31
|
|
|
/** |
32
|
|
|
* Challenge factory. |
33
|
|
|
* |
34
|
|
|
* @var RequestChallengeFactory |
35
|
|
|
*/ |
36
|
|
|
protected $request_challenge_factory; |
37
|
|
|
|
38
|
|
|
/** |
39
|
|
|
* Server. |
40
|
|
|
* |
41
|
|
|
* @var Server |
42
|
|
|
*/ |
43
|
|
|
protected $server; |
44
|
|
|
|
45
|
|
|
/** |
46
|
|
|
* Validator. |
47
|
|
|
* |
48
|
|
|
* @var AuthenticatorAssertionResponseValidator |
49
|
|
|
*/ |
50
|
|
|
protected $validator; |
51
|
|
|
|
52
|
|
|
/** |
53
|
|
|
* Publickey load. |
54
|
|
|
* |
55
|
|
|
* @var PublicKeyCredentialLoader |
56
|
|
|
*/ |
57
|
|
|
protected $loader; |
58
|
|
|
|
59
|
|
|
/** |
60
|
|
|
* Hook. |
61
|
|
|
* |
62
|
|
|
* @var Hook |
63
|
|
|
*/ |
64
|
|
|
protected $hook; |
65
|
|
|
|
66
|
|
|
/** |
67
|
|
|
* Logger. |
68
|
|
|
* |
69
|
|
|
* @var LoggerInterface |
70
|
|
|
*/ |
71
|
|
|
protected $logger; |
72
|
|
|
|
73
|
|
|
/** |
74
|
|
|
* Auth. |
75
|
|
|
* |
76
|
|
|
* @var Auth |
77
|
|
|
*/ |
78
|
|
|
protected $auth; |
79
|
|
|
|
80
|
|
|
/** |
81
|
|
|
* User details. |
82
|
|
|
* |
83
|
|
|
* @var array |
84
|
|
|
*/ |
85
|
|
|
protected $user = []; |
86
|
|
|
|
87
|
|
|
/** |
88
|
|
|
* Init. |
89
|
|
|
*/ |
90
|
|
|
public function __construct(RequestChallengeFactory $request_challenge_factory, Server $server, Auth $auth, PublicKeyCredentialLoader $loader, AuthenticatorAssertionResponseValidator $validator, Hook $hook, LoggerInterface $logger) |
91
|
|
|
{ |
92
|
|
|
$this->request_challenge_factory = $request_challenge_factory; |
93
|
|
|
$this->server = $server; |
94
|
|
|
$this->validator = $validator; |
95
|
|
|
$this->loader = $loader; |
96
|
|
|
$this->auth = $auth; |
97
|
|
|
$this->hook = $hook; |
98
|
|
|
$this->logger = $logger; |
99
|
|
|
} |
100
|
|
|
|
101
|
|
|
/** |
102
|
|
|
* {@inheritdoc} |
103
|
|
|
*/ |
104
|
|
|
public function getQueryStringIdentifier() |
105
|
|
|
{ |
106
|
|
|
return 'webauthn'; |
107
|
|
|
} |
108
|
|
|
|
109
|
|
|
/** |
110
|
|
|
* {@inheritdoc} |
111
|
|
|
*/ |
112
|
|
|
public function validateRequest(RequestInterface $request, ResponseInterface $response) |
113
|
|
|
{ |
114
|
|
View Code Duplication |
if (!$request->request('user') || !$request->request('public_key') || !$request->request('challenge')) { |
|
|
|
|
115
|
|
|
$response->setError(400, 'invalid_request', 'Missing parameters: "user", "public_key" and "challenge" required'); |
116
|
|
|
|
117
|
|
|
return null; |
118
|
|
|
} |
119
|
|
|
|
120
|
|
|
$user = $request->request('user'); |
121
|
|
|
$data = $request->request('public_key'); |
122
|
|
|
|
123
|
|
|
// Retrieve the Options passed to the device |
124
|
|
|
$publicKeyCredentialRequestOptions = $this->request_challenge_factory->getOne(new ObjectId($request->request('challenge'))); |
125
|
|
|
|
126
|
|
|
$psr7Request = \Zend\Diactoros\ServerRequestFactory::fromGlobals(); |
127
|
|
|
|
128
|
|
|
// Load the data |
129
|
|
|
$publicKeyCredential = $this->loader->load(json_encode($data)); |
130
|
|
|
$result = $publicKeyCredential->getResponse(); |
131
|
|
|
|
132
|
|
|
// Check if the response is an Authenticator Assertion Response |
133
|
|
|
if (!$result instanceof AuthenticatorAssertionResponse) { |
|
|
|
|
134
|
|
|
throw new \RuntimeException('Not an authenticator assertion response'); |
135
|
|
|
} |
136
|
|
|
|
137
|
|
|
try { |
138
|
|
|
$this->validator->check( |
139
|
|
|
$publicKeyCredential->getRawId(), |
140
|
|
|
$publicKeyCredential->getResponse(), |
141
|
|
|
$publicKeyCredentialRequestOptions, |
142
|
|
|
$psr7Request, |
143
|
|
|
$user |
144
|
|
|
); |
145
|
|
|
} catch (\Exception $e) { |
146
|
|
|
$this->logger->error('failed to authenticate device', [ |
147
|
|
|
'category' => get_class($this), |
148
|
|
|
'exception' => $e, |
149
|
|
|
]); |
150
|
|
|
|
151
|
|
|
$response->setError(401, 'invalid_grant', 'device could not be authenticated: '.$e->getMessage()); |
152
|
|
|
} |
153
|
|
|
|
154
|
|
|
$identity = $this->auth->createIdentity(new AdapterNone()); |
155
|
|
|
$user = $this->server->getUserById(new ObjectId($request->request('user'))); |
156
|
|
|
$this->hook->run('preServerIdentity', [$identity, &$user]); |
157
|
|
|
|
158
|
|
|
$user = $user->getAttributes(); |
159
|
|
|
$user['user_id'] = $user['username']; |
160
|
|
|
$this->user = $user; |
161
|
|
|
|
162
|
|
|
return true; |
163
|
|
|
} |
164
|
|
|
|
165
|
|
|
/** |
166
|
|
|
* {@inheritdoc} |
167
|
|
|
*/ |
168
|
|
|
public function getClientId() |
169
|
|
|
{ |
170
|
|
|
return null; |
171
|
|
|
} |
172
|
|
|
|
173
|
|
|
/** |
174
|
|
|
* {@inheritdoc} |
175
|
|
|
*/ |
176
|
|
|
public function getUserId() |
177
|
|
|
{ |
178
|
|
|
return $this->user['user_id']; |
179
|
|
|
} |
180
|
|
|
|
181
|
|
|
/** |
182
|
|
|
* {@inheritdoc} |
183
|
|
|
*/ |
184
|
|
|
public function getScope() |
185
|
|
|
{ |
186
|
|
|
return isset($this->user['scope']) ? $this->user['scope'] : null; |
187
|
|
|
} |
188
|
|
|
|
189
|
|
|
/** |
190
|
|
|
* {@inheritdoc} |
191
|
|
|
*/ |
192
|
|
|
public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope) |
193
|
|
|
{ |
194
|
|
|
return $accessToken->createAccessToken($client_id, $user_id, $scope); |
195
|
|
|
} |
196
|
|
|
} |
197
|
|
|
|
Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.
You can also find more detailed suggestions in the “Code” section of your repository.