diff options
author | vnugent <public@vaughnnugent.com> | 2023-01-12 17:47:40 -0500 |
---|---|---|
committer | vnugent <public@vaughnnugent.com> | 2023-01-12 17:47:40 -0500 |
commit | 551066ed9a255bd47c1c5789ec1998fda64bd5aa (patch) | |
tree | d6caceb0e7caa44478c6611903b4b7e120964c89 /plugins/VNLib.Plugins.Essentials.Accounts/src | |
parent | b6481038bc6573af30492e9ce52b36d9f64195f3 (diff) |
Large project reorder and consolidation
Diffstat (limited to 'plugins/VNLib.Plugins.Essentials.Accounts/src')
17 files changed, 2238 insertions, 0 deletions
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/AccountValidations.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/AccountValidations.cs new file mode 100644 index 0000000..972bd36 --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/AccountValidations.cs @@ -0,0 +1,107 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: AccountValidations.cs +* +* AccountValidations.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using FluentValidation; + +using VNLib.Plugins.Extensions.Validation; + +#nullable enable + +namespace VNLib.Plugins.Essentials.Accounts +{ + public static class AccountValidations + { + /// <summary> + /// Central password requirement validator + /// </summary> + public static IValidator<string> PasswordValidator { get; } = GetPassVal(); + + public static IValidator<AccountData> AccountDataValidator { get; } = GetAcVal(); + + + static IValidator<string> GetPassVal() + { + InlineValidator<string> passVal = new(); + + passVal.RuleFor(static password => password) + .NotEmpty() + .Length(min: 8, max: 100) + .Password() + .WithMessage(errorMessage: "Password does not meet minium requirements"); + + return passVal; + } + + static IValidator<AccountData> GetAcVal() + { + InlineValidator<AccountData> adv = new (); + + //Validate city + + adv.RuleFor(t => t.City) + .MaximumLength(35) + .AlphaOnly() + .When(t => t.City?.Length > 0); + + adv.RuleFor(t => t.Company) + .MaximumLength(50) + .SpecialCharacters() + .When(t => t.Company?.Length > 0); + + //Require a first and last names to be set together + adv.When(t => t.First?.Length > 0 || t.Last?.Length > 0, () => + { + adv.RuleFor(t => t.First) + .Length(1, 35) + .AlphaOnly(); + adv.RuleFor(t => t.Last) + .Length(1, 35) + .AlphaOnly(); + }); + + adv.RuleFor(t => t.PhoneNumber) + .PhoneNumber() + .When(t => t.PhoneNumber?.Length > 0) + .OverridePropertyName("Phone"); + + //State must be 2 characters for us states if set + adv.RuleFor(t => t.State) + .Length(2) + .When(t => t.State?.Length > 0); + + adv.RuleFor(t => t.Street) + .AlphaNumericOnly() + .MaximumLength(50) + .When(t => t.Street?.Length > 0); + + //Allow empty zip codes, but if one is defined, is must be less than 7 characters + adv.RuleFor(t => t.Zip) + .NumericOnly() + .MaximumLength(7) + .When(t => t.Zip?.Length > 0); + + return adv; + } + } +} diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/AccountsEntryPoint.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/AccountsEntryPoint.cs new file mode 100644 index 0000000..ed79476 --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/AccountsEntryPoint.cs @@ -0,0 +1,204 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: AccountsEntryPoint.cs +* +* AccountsEntryPoint.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using System; +using System.Linq; +using System.Collections.Generic; + +using VNLib.Utils.Memory; +using VNLib.Utils.Logging; +using VNLib.Plugins.Essentials.Users; +using VNLib.Plugins.Essentials.Accounts.Endpoints; +using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Extensions.Loading.Users; +using VNLib.Plugins.Extensions.Loading.Routing; + +namespace VNLib.Plugins.Essentials.Accounts +{ + public sealed class AccountsEntryPoint : PluginBase + { + + public override string PluginName => "Essentials.Accounts"; + + protected override void OnLoad() + { + try + { + //Route endpoints + this.Route<LoginEndpoint>(); + + this.Route<LogoutEndpoint>(); + + this.Route<KeepAliveEndpoint>(); + + this.Route<ProfileEndpoint>(); + + this.Route<PasswordChangeEndpoint>(); + + this.Route<MFAEndpoint>(); + + //Write loaded to log + Log.Information("Plugin loaded"); + } + catch (KeyNotFoundException knf) + { + Log.Error("Missing required account configuration variables {mess}", knf.Message); + } + catch (UriFormatException uri) + { + Log.Error("Invalid endpoint URI {message}", uri.Message); + } + } + + + + protected override void OnUnLoad() + { + //Write closing messsage and dispose the log + Log.Information("Plugin unloaded"); + } + + protected override async void ProcessHostCommand(string cmd) + { + //Only process commands if the plugin is in debug mode + if (!this.IsDebug()) + { + return; + } + try + { + IUserManager Users = this.GetUserManager(); + PasswordHashing Passwords = this.GetPasswords(); + + //get args as a list + List<string> args = cmd.Split(' ').ToList(); + if (args.Count < 3) + { + Log.Warn("No command specified"); + } + switch (args[2].ToLower()) + { + //Create new user + case "create": + { + int uid = args.IndexOf("-u"); + int pwd = args.IndexOf("-p"); + if (uid < 0 || pwd < 0) + { + Log.Warn("You are missing required argument values. Format 'create -u <username> -p <password>'"); + return; + } + string username = args[uid + 1].Trim(); + string randomUserId = AccountManager.GetRandomUserId(); + //Password as privatestring DANGEROUS to refs + using (PrivateString password = (PrivateString)args[pwd + 1].Trim()!) + { + //Hash the password + using PrivateString passHash = Passwords.Hash(password); + //Create the user + using IUser user = await Users.CreateUserAsync(randomUserId, username, AccountManager.MINIMUM_LEVEL, passHash); + //Set active flag + user.Status = UserStatus.Active; + //Set local account + user.SetAccountOrigin(AccountManager.LOCAL_ACCOUNT_ORIGIN); + + await user.ReleaseAsync(); + } + Log.Information("Successfully created user {id}", username); + + } + break; + case "reset": + { + int uid = args.IndexOf("-u"); + int pwd = args.IndexOf("-p"); + if (uid < 0 || pwd < 0) + { + Log.Warn("You are missing required argument values. Format 'reset -u <username> -p <password>'"); + return; + } + string username = args[uid + 1].Trim(); + //Password as privatestring DANGEROUS to refs + using (PrivateString password = (PrivateString)args[pwd + 1].Trim()!) + { + //Hash the password + using PrivateString passHash = Passwords.Hash(password); + //Get the user + using IUser? user = await Users.GetUserFromEmailAsync(username); + + if(user == null) + { + Log.Warn("The specified user does not exist"); + break; + } + + //Set the password + await Users.UpdatePassAsync(user, passHash); + } + Log.Information("Successfully reset password for {id}", username); + } + break; + case "delete": + { + //get user-id + string userId = args[3].Trim(); + //Get user + using IUser? user = await Users.GetUserFromEmailAsync(userId); + + if (user == null) + { + Log.Warn("The specified user does not exist"); + break; + } + + //delete user + user.Delete(); + //Release user + await user.ReleaseAsync(); + } + break; + default: + Log.Warn("Uknown command"); + break; + } + } + catch (UserExistsException) + { + Log.Error("User already exists"); + } + catch(UserCreationFailedException) + { + Log.Error("Failed to create the new user"); + } + catch (ArgumentOutOfRangeException) + { + Log.Error("You are missing required command arguments"); + } + catch(Exception ex) + { + Log.Error(ex); + } + } + } +}
\ No newline at end of file diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/KeepAliveEndpoint.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/KeepAliveEndpoint.cs new file mode 100644 index 0000000..fe5a65b --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/KeepAliveEndpoint.cs @@ -0,0 +1,64 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: KeepAliveEndpoint.cs +* +* KeepAliveEndpoint.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using System; +using System.Net; +using System.Text.Json; +using System.Collections.Generic; + +using VNLib.Plugins.Essentials.Endpoints; +using VNLib.Plugins.Extensions.Loading; + +namespace VNLib.Plugins.Essentials.Accounts.Endpoints +{ + [ConfigurationName("keepalive_endpoint")] + internal sealed class KeepAliveEndpoint : ProtectedWebEndpoint + { + /* + * Endpoint does not use a log, so IniPathAndLog is never called + * and path verification happens verbosly + */ + public KeepAliveEndpoint(PluginBase pbase, IReadOnlyDictionary<string, JsonElement> config) + { + string? path = config["path"].GetString(); + + InitPathAndLog(path, pbase.Log); + } + + protected override VfReturnType Get(HttpEntity entity) + { + //Return okay + entity.CloseResponse(HttpStatusCode.OK); + return VfReturnType.VirtualSkip; + } + + //Allow post to update user's credentials + protected override VfReturnType Post(HttpEntity entity) + { + //Return okay + entity.CloseResponse(HttpStatusCode.OK); + return VfReturnType.VirtualSkip; + } + } +}
\ No newline at end of file diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LoginEndpoint.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LoginEndpoint.cs new file mode 100644 index 0000000..4100620 --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LoginEndpoint.cs @@ -0,0 +1,410 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: LoginEndpoint.cs +* +* LoginEndpoint.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using System; +using System.Net; +using System.Text.Json; +using System.Threading.Tasks; +using System.Collections.Generic; +using System.Security.Cryptography; +using System.Text.Json.Serialization; + +using VNLib.Hashing; +using VNLib.Utils; +using VNLib.Utils.Memory; +using VNLib.Utils.Logging; +using VNLib.Utils.Extensions; +using VNLib.Plugins.Essentials.Users; +using VNLib.Plugins.Essentials.Endpoints; +using VNLib.Plugins.Essentials.Extensions; +using VNLib.Plugins.Extensions.Validation; +using VNLib.Plugins.Essentials.Accounts.MFA; +using VNLib.Plugins.Essentials.Accounts.Validators; +using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Extensions.Loading.Users; +using static VNLib.Plugins.Essentials.Statics; +using static VNLib.Plugins.Essentials.Accounts.AccountManager; + + +namespace VNLib.Plugins.Essentials.Accounts.Endpoints +{ + + /// <summary> + /// Provides an authentication endpoint for user-accounts + /// </summary> + [ConfigurationName("login_endpoint")] + internal sealed class LoginEndpoint : UnprotectedWebEndpoint + { + public const string INVALID_MESSAGE = "Please check your email or password."; + public const string LOCKED_ACCOUNT_MESSAGE = "You have been timed out, please try again later"; + public const string MFA_ERROR_MESSAGE = "Invalid or expired request."; + + private static readonly LoginMessageValidation LmValidator = new(); + + private readonly PasswordHashing Passwords; + private readonly MFAConfig? MultiFactor; + private readonly IUserManager Users; + private readonly uint MaxFailedLogins; + private readonly TimeSpan FailedCountTimeout; + + public LoginEndpoint(PluginBase pbase, IReadOnlyDictionary<string, JsonElement> config) + { + string? path = config["path"].GetString(); + FailedCountTimeout = config["failed_count_timeout_sec"].GetTimeSpan(TimeParseType.Seconds); + MaxFailedLogins = config["failed_count_max"].GetUInt32(); + + InitPathAndLog(path, pbase.Log); + + Passwords = pbase.GetPasswords(); + Users = pbase.GetUserManager(); + MultiFactor = pbase.GetMfaConfig(); + } + + private class MfaUpgradeWebm : ValErrWebMessage + { + [JsonPropertyName("pwtoken")] + public string? PasswordToken { get; set; } + + [JsonPropertyName("mfa")] + public bool? MultiFactorUpgrade { get; set; } = null; + } + + + protected async override ValueTask<VfReturnType> PostAsync(HttpEntity entity) + { + //Conflict if user is logged in + if (entity.LoginCookieMatches() || entity.TokenMatches()) + { + entity.CloseResponse(HttpStatusCode.Conflict); + return VfReturnType.VirtualSkip; + } + + //If mfa is enabled, allow processing via mfa + if (MultiFactor != null) + { + if (entity.QueryArgs.ContainsKey("mfa")) + { + return await ProcessMfaAsync(entity); + } + } + return await ProccesLoginAsync(entity); + } + + + private async ValueTask<VfReturnType> ProccesLoginAsync(HttpEntity entity) + { + MfaUpgradeWebm webm = new(); + try + { + //Make sure the id is regenerated (or upgraded if successful login) + entity.Session.RegenID(); + + using LoginMessage? loginMessage = await entity.GetJsonFromFileAsync<LoginMessage>(SR_OPTIONS); + + if (webm.Assert(loginMessage != null, "Invalid request data")) + { + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + + //validate the message + if (!LmValidator.Validate(loginMessage, webm)) + { + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.VirtualSkip; + } + + //Time to get the user + using IUser? user = await Users.GetUserAndPassFromEmailAsync(loginMessage.UserName); + //Make sure account exists + if (webm.Assert(user != null, INVALID_MESSAGE)) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + //Make sure the account has not been locked out + if (webm.Assert(!UserLoginLocked(user), LOCKED_ACCOUNT_MESSAGE)) + { + goto Cleanup; + } + + //Only allow local accounts + if (user.IsLocalAccount() && !PrivateString.IsNullOrEmpty(user.PassHash)) + { + //If login return true, the response has been set and we should return + if (LoginUser(entity, loginMessage, user, webm)) + { + goto Cleanup; + } + } + + //Inc failed login count + user.FailedLoginIncrement(); + webm.Result = INVALID_MESSAGE; + + Cleanup: + await user.ReleaseAsync(); + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + catch (UserUpdateException uue) + { + Log.Warn(uue); + return VfReturnType.Error; + } + } + + private bool LoginUser(HttpEntity entity, LoginMessage loginMessage, IUser user, MfaUpgradeWebm webm) + { + //Verify password before we tell the user the status of their account for security reasons + if (!Passwords.Verify(user.PassHash, new PrivateString(loginMessage.Password, false))) + { + return false; + } + //Reset flc for account + user.FailedLoginCount(0); + try + { + switch (user.Status) + { + case UserStatus.Active: + { + //Is the account restricted to a local network connection? + if (user.LocalOnly && !entity.IsLocalConnection) + { + Log.Information("User {uid} attempted a login from a non-local network with the correct password. Access was denied", user.UserID); + return false; + } + //Gen and store the pw secret + byte[] pwSecret = entity.Session.GenPasswordChallenge(new(loginMessage.Password, false)); + //Encrypt and convert to base64 + string clientPwSecret = EncryptSecret(loginMessage.ClientPublicKey, pwSecret); + //get the new upgrade jwt string + Tuple<string,string>? message = user.MFAGetUpgradeIfEnabled(MultiFactor, loginMessage, clientPwSecret); + //if message is null, mfa was not enabled or could not be prepared + if (message != null) + { + //Store the base64 signature + entity.Session.MfaUpgradeSignature(message.Item2); + //send challenge message to client + webm.Result = message.Item1; + webm.Success = true; + webm.MultiFactorUpgrade = true; + break; + } + //Set password token + webm.PasswordToken = clientPwSecret; + //Elevate the login status of the session to reflect the user's status + webm.Token = entity.GenerateAuthorization(loginMessage, user); + //Send the Username (since they already have it) + webm.Result = new AccountData() + { + EmailAddress = user.EmailAddress, + }; + webm.Success = true; + //Write to log + Log.Verbose("Successful login for user {uid}...", user.UserID[..8]); + } + break; + default: + //This is an unhandled case, and should never happen, but just incase write a warning to the log + Log.Warn("Account {uid} has invalid status key and a login was attempted from {ip}", user.UserID, entity.TrustedRemoteIp); + return false; + } + } + /* + * Account auhorization may throw excetpions if the configuration does not + * match the client, or the client sent invalid or malicous data and + * it could not grant authorization + */ + catch (OutOfMemoryException) + { + webm.Result = "Your browser sent malformatted security information"; + } + catch (CryptographicException ce) + { + webm.Result = "Your browser sent malformatted security information"; + Log.Debug(ce); + } + return true; + } + + + private async ValueTask<VfReturnType> ProcessMfaAsync(HttpEntity entity) + { + MfaUpgradeWebm webm = new(); + //Recover request message + using JsonDocument? request = await entity.GetJsonFromFileAsync(); + if (webm.Assert(request != null, "Invalid request data")) + { + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + //Recover upgrade jwt + string? upgradeJwt = request.RootElement.GetPropString("upgrade"); + if (webm.Assert(upgradeJwt != null, "Missing required upgrade data")) + { + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.VirtualSkip; + } + + //Recover stored signature + string? storedSig = entity.Session.MfaUpgradeSignature(); + if(webm.Assert(!string.IsNullOrWhiteSpace(storedSig), MFA_ERROR_MESSAGE)) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + //Recover upgrade data from upgrade message + if (!MultiFactor!.RecoverUpgrade(upgradeJwt, storedSig, out MFAUpgrade? upgrade)) + { + webm.Result = MFA_ERROR_MESSAGE; + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + //recover user account + using IUser? user = await Users.GetUserFromEmailAsync(upgrade.UserName!); + + if (webm.Assert(user != null, MFA_ERROR_MESSAGE)) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + bool locked = UserLoginLocked(user); + + //Make sure the account has not been locked out + if (!webm.Assert(locked == false, LOCKED_ACCOUNT_MESSAGE)) + { + //process mfa login + LoginMfa(entity, user, request, upgrade, webm); + } + else + { + //Locked, so clear stored signature + entity.Session.MfaUpgradeSignature(null); + } + + //Update user on clean process + await user.ReleaseAsync(); + //Close rseponse + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + private void LoginMfa(HttpEntity entity, IUser user, JsonDocument request, MFAUpgrade upgrade, MfaUpgradeWebm webm) + { + //Recover the user's local time + DateTimeOffset localTime = request.RootElement.GetProperty("localtime").GetDateTimeOffset(); + + //Check mode + switch (upgrade.Type) + { + case MFAType.TOTP: + { + //get totp code from request + uint code = request.RootElement.GetProperty("code").GetUInt32(); + //Verify totp code + if (!MultiFactor!.VerifyTOTP(user, code)) + { + webm.Result = "Please check your code."; + //Increment flc and update the user in the store + user.FailedLoginIncrement(); + return; + } + //Valid, complete + } + break; + case MFAType.PGP: + { } + break; + default: + { + webm.Result = MFA_ERROR_MESSAGE; + } + return; + } + + //Wipe session signature + entity.Session.MfaUpgradeSignature(null); + + //build login message from upgrade + LoginMessage loginMessage = new() + { + ClientID = upgrade.ClientID, + ClientPublicKey = upgrade.Base64PubKey, + LocalLanguage = upgrade.ClientLocalLanguage, + LocalTime = localTime, + UserName = upgrade.UserName + }; + //Elevate the login status of the session to reflect the user's status + webm.Token = entity.GenerateAuthorization(loginMessage, user); + //Set the password token as the password field of the login message + webm.PasswordToken = upgrade.PwClientData; + //Send the Username (since they already have it) + webm.Result = new AccountData() + { + EmailAddress = user.EmailAddress, + }; + webm.Success = true; + //Write to log + Log.Verbose("Successful login for user {uid}...", user.UserID[..8]); + } + + private static string EncryptSecret(string pubKey, byte[] secret) + { + //Alloc buffer for secret + using IMemoryHandle<byte> buffer = Memory.SafeAlloc<byte>(4096); + //Try to encrypt the data + ERRNO count = TryEncryptClientData(pubKey, secret, buffer.Span); + //Clear secret + RandomHash.GetRandomBytes(secret); + //Convert to base64 string + return Convert.ToBase64String(buffer.Span[..(int)count]); + } + + public bool UserLoginLocked(IUser user) + { + //Recover last counter value + TimestampedCounter flc = user.FailedLoginCount(); + if(flc.Count < MaxFailedLogins) + { + //Period exceeded + return false; + } + //See if the flc timeout period has expired + if (flc.LastModified.Add(FailedCountTimeout) < DateTimeOffset.UtcNow) + { + //clear flc flag + user.FailedLoginCount(0); + return false; + } + //Count has been exceeded, and has not timed out yet + return true; + } + } +}
\ No newline at end of file diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs new file mode 100644 index 0000000..cc36609 --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/LogoutEndpoint.cs @@ -0,0 +1,53 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: LogoutEndpoint.cs +* +* LogoutEndpoint.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using System; +using System.Net; +using System.Text.Json; +using System.Collections.Generic; + +using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Essentials.Endpoints; + +namespace VNLib.Plugins.Essentials.Accounts.Endpoints +{ + [ConfigurationName("logout_endpoint")] + internal class LogoutEndpoint : ProtectedWebEndpoint + { + + public LogoutEndpoint(PluginBase pbase, IReadOnlyDictionary<string, JsonElement> config) + { + string? path = config["path"].GetString(); + InitPathAndLog(path, pbase.Log); + } + + + protected override VfReturnType Post(HttpEntity entity) + { + entity.InvalidateLogin(); + entity.CloseResponse(HttpStatusCode.OK); + return VfReturnType.VirtualSkip; + } + } +} diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/MFAEndpoint.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/MFAEndpoint.cs new file mode 100644 index 0000000..6ebb024 --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/MFAEndpoint.cs @@ -0,0 +1,282 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: MFAEndpoint.cs +* +* MFAEndpoint.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using System; +using System.Net; +using System.Text.Json; +using System.Threading.Tasks; +using System.Collections.Generic; +using System.Text.Json.Serialization; + +using VNLib.Hashing; +using VNLib.Utils; +using VNLib.Utils.Memory; +using VNLib.Utils.Logging; +using VNLib.Utils.Extensions; +using VNLib.Plugins.Essentials.Users; +using VNLib.Plugins.Essentials.Extensions; +using VNLib.Plugins.Essentials.Accounts.MFA; +using VNLib.Plugins.Extensions.Validation; +using VNLib.Plugins.Essentials.Endpoints; +using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Extensions.Loading.Users; + +namespace VNLib.Plugins.Essentials.Accounts.Endpoints +{ + [ConfigurationName("mfa_endpoint")] + internal sealed class MFAEndpoint : ProtectedWebEndpoint + { + public const int TOTP_URL_MAX_CHARS = 1024; + + private readonly IUserManager Users; + private readonly MFAConfig? MultiFactor; + + public MFAEndpoint(PluginBase pbase, IReadOnlyDictionary<string, JsonElement> config) + { + string? path = config["path"].GetString(); + InitPathAndLog(path, pbase.Log); + + Users = pbase.GetUserManager(); + MultiFactor = pbase.GetMfaConfig(); + } + + private class TOTPUpdateMessage + { + [JsonPropertyName("issuer")] + public string? Issuer { get; set; } + [JsonPropertyName("digits")] + public int Digits { get; set; } + [JsonPropertyName("period")] + public int Period { get; set; } + [JsonPropertyName("secret")] + public string? Base64EncSecret { get; set; } + [JsonPropertyName("algorithm")] + public string? Algorithm { get; set; } + } + + protected override async ValueTask<VfReturnType> GetAsync(HttpEntity entity) + { + List<string> enabledModes = new(2); + //Load the MFA entry for the user + using IUser? user = await Users.GetUserFromIDAsync(entity.Session.UserID); + //Set the TOTP flag if set + if (!string.IsNullOrWhiteSpace(user?.MFAGetTOTPSecret())) + { + enabledModes.Add("totp"); + } + //TODO Set fido flag if enabled + if (!string.IsNullOrWhiteSpace("")) + { + enabledModes.Add("fido"); + } + //Return mfa modes as an array + entity.CloseResponseJson(HttpStatusCode.OK, enabledModes); + return VfReturnType.VirtualSkip; + } + + protected override async ValueTask<VfReturnType> PutAsync(HttpEntity entity) + { + WebMessage webm = new(); + + //Get the request message + using JsonDocument? mfaRequest = await entity.GetJsonFromFileAsync(); + if (webm.Assert(mfaRequest != null, "Invalid request")) + { + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + + //Get the type argument + string? mfaType = mfaRequest.RootElement.GetPropString("type"); + if (string.IsNullOrWhiteSpace(mfaType)) + { + webm.Result = "MFA type was not specified"; + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.VirtualSkip; + } + + //Make sure the user's account origin is a local account + if (webm.Assert(entity.Session.HasLocalAccount(), "Your account uses external authentication and MFA cannot be enabled")) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + //Make sure mfa is loaded + if (webm.Assert(MultiFactor != null, "MFA is not enabled on this server")) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + //get the user's password challenge + using (PrivateString? password = (PrivateString?)mfaRequest.RootElement.GetPropString("challenge")) + { + if (PrivateString.IsNullOrEmpty(password)) + { + webm.Result = "Please check your password"; + entity.CloseResponseJson(HttpStatusCode.Unauthorized, webm); + return VfReturnType.VirtualSkip; + } + //Verify challenge + if (!entity.Session.VerifyChallenge(password)) + { + webm.Result = "Please check your password"; + entity.CloseResponseJson(HttpStatusCode.Unauthorized, webm); + return VfReturnType.VirtualSkip; + } + } + //Get the user entry + using IUser? user = await Users.GetUserFromIDAsync(entity.Session.UserID); + if (webm.Assert(user != null, "Please log-out and try again.")) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + switch (mfaType.ToLower()) + { + //Process a Time based one time password(TOTP) creation/regeneration + case "totp": + { + //generate a new secret (passing the buffer which will get copied to an array because the pw bytes can be modified during encryption) + byte[] secretBuffer = user.MFAGenreateTOTPSecret(MultiFactor); + //Alloc output buffer + UnsafeMemoryHandle<byte> outputBuffer = Memory.UnsafeAlloc<byte>(4096, true); + try + { + //Encrypt the secret for the client + ERRNO count = entity.Session.TryEncryptClientData(secretBuffer, outputBuffer.Span); + if (!count) + { + webm.Result = "There was an error updating your credentials"; + //If this code is running, the client should have a valid public key stored, but log it anyway + Log.Warn("TOTP secret encryption failed, for requested user {uid}", entity.Session.UserID); + break; + } + webm.Result = new TOTPUpdateMessage() + { + Issuer = MultiFactor.IssuerName, + Digits = MultiFactor.TOTPDigits, + Period = (int)MultiFactor.TOTPPeriod.TotalSeconds, + Algorithm = MultiFactor.TOTPAlg.ToString(), + //Convert the secret to base64 string to send to client + Base64EncSecret = Convert.ToBase64String(outputBuffer.Span[..(int)count]) + }; + //set success flag + webm.Success = true; + } + finally + { + //dispose the output buffer + outputBuffer.Dispose(); + RandomHash.GetRandomBytes(secretBuffer); + } + //Only write changes to the db of operation was successful + await user.ReleaseAsync(); + } + break; + default: + webm.Result = "The server does not support the specified MFA type"; + break; + } + //Close response + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + protected override async ValueTask<VfReturnType> PostAsync(HttpEntity entity) + { + WebMessage webm = new(); + try + { + //Check account type + if (!entity.Session.HasLocalAccount()) + { + webm.Result = "You are using external authentication. Operation failed."; + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + + //get the request + using JsonDocument? request = await entity.GetJsonFromFileAsync(); + if (webm.Assert(request != null, "Invalid request.")) + { + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + /* + * An MFA upgrade requires a challenge to be verified because + * it can break the user's ability to access their account + */ + string? challenge = request.RootElement.GetProperty("challenge").GetString(); + string? mfaType = request.RootElement.GetProperty("type").GetString(); + if (!entity.Session.VerifyChallenge(challenge)) + { + webm.Result = "Please check your password"; + //return unauthorized + entity.CloseResponseJson(HttpStatusCode.Unauthorized, webm); + return VfReturnType.VirtualSkip; + } + //get the user + using IUser? user = await Users.GetUserFromIDAsync(entity.Session.UserID); + if (user == null) + { + return VfReturnType.NotFound; + } + //Check for totp disable + if ("totp".Equals(mfaType, StringComparison.OrdinalIgnoreCase)) + { + //Clear the TOTP secret + user.MFASetTOTPSecret(null); + //write changes + await user.ReleaseAsync(); + webm.Result = "Successfully disabled your TOTP authentication"; + webm.Success = true; + } + else if ("fido".Equals(mfaType, StringComparison.OrdinalIgnoreCase)) + { + //Clear webauthn changes + + //write changes + await user.ReleaseAsync(); + webm.Result = "Successfully disabled your FIDO authentication"; + webm.Success = true; + } + else + { + webm.Result = "Invalid MFA type"; + } + //Must write response while password is in scope + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + catch (KeyNotFoundException) + { + webm.Result = "The request was is missing required fields"; + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.BadRequest; + } + } + } +}
\ No newline at end of file diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/PasswordResetEndpoint.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/PasswordResetEndpoint.cs new file mode 100644 index 0000000..0a51eb5 --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/PasswordResetEndpoint.cs @@ -0,0 +1,140 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: PasswordResetEndpoint.cs +* +* PasswordResetEndpoint.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using System; +using System.Net; +using System.Text.Json; +using System.Threading.Tasks; +using System.Collections.Generic; + +using FluentValidation; + +using VNLib.Utils.Memory; +using VNLib.Utils.Extensions; +using VNLib.Plugins.Essentials.Users; +using VNLib.Plugins.Essentials.Extensions; +using VNLib.Plugins.Extensions.Validation; +using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Extensions.Loading.Users; +using VNLib.Plugins.Essentials.Endpoints; + +namespace VNLib.Plugins.Essentials.Accounts.Endpoints +{ + + /// <summary> + /// Password reset for user's that are logged in and know + /// their passwords to reset their MFA methods + /// </summary> + [ConfigurationName("password_endpoint")] + internal sealed class PasswordChangeEndpoint : ProtectedWebEndpoint + { + private readonly IUserManager Users; + private readonly PasswordHashing Passwords; + + public PasswordChangeEndpoint(PluginBase pbase, IReadOnlyDictionary<string, JsonElement> config) + { + string? path = config["path"].GetString(); + InitPathAndLog(path, pbase.Log); + + Users = pbase.GetUserManager(); + Passwords = pbase.GetPasswords(); + } + + protected override async ValueTask<VfReturnType> PostAsync(HttpEntity entity) + { + ValErrWebMessage webm = new(); + //get the request body + using JsonDocument? request = await entity.GetJsonFromFileAsync(); + if (request == null) + { + webm.Result = "No request specified"; + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + //get the user's old password + using PrivateString? currentPass = (PrivateString?)request.RootElement.GetPropString("current"); + //Get password as a private string + using PrivateString? newPass = (PrivateString?)request.RootElement.GetPropString("new_password"); + if (PrivateString.IsNullOrEmpty(currentPass)) + { + webm.Result = "You must specifiy your current password."; + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.VirtualSkip; + } + if (PrivateString.IsNullOrEmpty(newPass)) + { + webm.Result = "You must specifiy a new password."; + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.VirtualSkip; + } + //Test the password against minimum + if (!AccountValidations.PasswordValidator.Validate((string)newPass, webm)) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + if (webm.Assert(!currentPass.Equals(newPass), "Passwords cannot be the same.")) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + //get the user's entry in the table + using IUser? user = await Users.GetUserAndPassFromIDAsync(entity.Session.UserID); + if(webm.Assert(user != null, "An error has occured, please log-out and try again")) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + //Make sure the account's origin is a local profile + if (webm.Assert(user.IsLocalAccount(), "External accounts cannot be modified")) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + //Verify the user's old password + if (!Passwords.Verify(user.PassHash, currentPass)) + { + webm.Result = "Please check your current password"; + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + //Hash the user's new password + using PrivateString newPassHash = Passwords.Hash(newPass); + //Update the user's password + if (!await Users.UpdatePassAsync(user, newPassHash)) + { + //error + webm.Result = "Your password could not be updated"; + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + await user.ReleaseAsync(); + //delete the user's MFA entry so they can re-enable it + webm.Result = "Your password has been updated"; + webm.Success = true; + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + } +} diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/ProfileEndpoint.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/ProfileEndpoint.cs new file mode 100644 index 0000000..45908e7 --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/Endpoints/ProfileEndpoint.cs @@ -0,0 +1,132 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: ProfileEndpoint.cs +* +* ProfileEndpoint.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using System; +using System.Net; +using System.Text.Json; +using System.Threading.Tasks; +using System.Collections.Generic; + +using VNLib.Utils.Logging; +using VNLib.Plugins.Essentials.Users; +using VNLib.Plugins.Essentials.Endpoints; +using VNLib.Plugins.Essentials.Extensions; +using VNLib.Plugins.Extensions.Validation; +using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Extensions.Loading.Users; +using static VNLib.Plugins.Essentials.Statics; + + +namespace VNLib.Plugins.Essentials.Accounts.Endpoints +{ + /// <summary> + /// Provides an http endpoint for user account profile access + /// </summary> + [ConfigurationName("profile_endpoint")] + internal sealed class ProfileEndpoint : ProtectedWebEndpoint + { + private readonly IUserManager Users; + + public ProfileEndpoint(PluginBase pbase, IReadOnlyDictionary<string, JsonElement> config) + { + string? path = config["path"].GetString(); + + InitPathAndLog(path, pbase.Log); + //Store user system + Users = pbase.GetUserManager(); + } + + protected override async ValueTask<VfReturnType> GetAsync(HttpEntity entity) + { + //get user data from database + using IUser? user = await Users.GetUserFromIDAsync(entity.Session.UserID); + //Make sure the account exists + if (user == null || user.Status != UserStatus.Active) + { + //Account was not found + entity.CloseResponse(HttpStatusCode.NotFound); + return VfReturnType.VirtualSkip; + } + //Get the stored profile + AccountData? profile = user.GetProfile(); + //No profile found, so return an empty "profile" + profile ??= new() + { + //set email address + EmailAddress = user.EmailAddress, + //created time in rfc1123 gmt time + Created = user.Created.ToString("R") + }; + //Serialize the profile and return to user + entity.CloseResponseJson(HttpStatusCode.OK, profile); + return VfReturnType.VirtualSkip; + } + protected override async ValueTask<VfReturnType> PostAsync(HttpEntity entity) + { + ValErrWebMessage webm = new(); + try + { + //Recover the update message form the client + AccountData? updateMessage = await entity.GetJsonFromFileAsync<AccountData>(SR_OPTIONS); + if (webm.Assert(updateMessage != null, "Malformatted payload")) + { + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + //Validate the new account data + if (!AccountValidations.AccountDataValidator.Validate(updateMessage, webm)) + { + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.VirtualSkip; + } + //Get the user from database + using IUser? user = await Users.GetUserFromIDAsync(entity.Session.UserID); + //Make sure the user exists + if (webm.Assert(user != null, "Account does not exist")) + { + //Should probably log the user out here + entity.CloseResponseJson(HttpStatusCode.NotFound, webm); + return VfReturnType.VirtualSkip; + } + //Overwite the current profile data (will also sanitize inputs) + user.SetProfile(updateMessage); + //Update the user only if successful + await user.ReleaseAsync(); + webm.Result = "Successfully updated account"; + webm.Success = true; + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + //Catch an account update exception + catch (UserUpdateException uue) + { + Log.Error(uue, "An error occured while the user account is being updated"); + //Return message to client + webm.Result = "An error occured while updating your account, try again later"; + entity.CloseResponseJson(HttpStatusCode.InternalServerError, webm); + return VfReturnType.VirtualSkip; + } + } + } +}
\ No newline at end of file diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoAuthenticatorSelection.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoAuthenticatorSelection.cs new file mode 100644 index 0000000..0ea6dad --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoAuthenticatorSelection.cs @@ -0,0 +1,40 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: FidoAuthenticatorSelection.cs +* +* FidoAuthenticatorSelection.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using System.Text.Json.Serialization; + +#nullable enable + +namespace VNLib.Plugins.Essentials.Accounts.MFA +{ + class FidoAuthenticatorSelection + { + [JsonPropertyName("requireResidentKey")] + public bool RequireResidentKey { get; set; } = false; + [JsonPropertyName("authenticatorAttachment")] + public string? AuthenticatorAttachment { get; set; } = "cross-platform"; + [JsonPropertyName("userVerification")] + public string? UserVerification { get; set; } = "required"; + } +} diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegClientData.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegClientData.cs new file mode 100644 index 0000000..1ef7d59 --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegClientData.cs @@ -0,0 +1,40 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: FidoRegClientData.cs +* +* FidoRegClientData.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using System.Text.Json.Serialization; + +#nullable enable + +namespace VNLib.Plugins.Essentials.Accounts.MFA +{ + internal class FidoRegClientData + { + [JsonPropertyName("challenge")] + public string? Challenge { get; set; } + [JsonPropertyName("origin")] + public string? Origin { get; set; } + [JsonPropertyName("type")] + public string? Type { get; set; } + } +} diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegistrationMessage.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegistrationMessage.cs new file mode 100644 index 0000000..e8fbcc4 --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegistrationMessage.cs @@ -0,0 +1,52 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: FidoRegistrationMessage.cs +* +* FidoRegistrationMessage.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using System.Text.Json.Serialization; + +#nullable enable + +namespace VNLib.Plugins.Essentials.Accounts.MFA +{ + /// <summary> + /// Represents a fido device registration message to be sent + /// to a currently signed in user + /// </summary> + class FidoRegistrationMessage + { + [JsonPropertyName("id")] + public string? GuidUserId { get; set; } + [JsonPropertyName("challenge")] + public string? Base64Challenge { get; set; } = null; + [JsonPropertyName("timeout")] + public int Timeout { get; set; } = 60000; + [JsonPropertyName("cose_alg")] + public int CoseAlgNumber { get; set; } + [JsonPropertyName("rp_name")] + public string? SiteName { get; set; } + [JsonPropertyName("attestation")] + public string? AttestationType { get; set; } = "none"; + [JsonPropertyName("authenticatorSelection")] + public FidoAuthenticatorSelection? AuthSelection { get; set; } = new(); + } +} diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs new file mode 100644 index 0000000..03d5a20 --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs @@ -0,0 +1,103 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: MFAConfig.cs +* +* MFAConfig.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using System; +using System.Linq; +using System.Text.Json; +using System.Collections.Generic; + +using VNLib.Hashing; +using VNLib.Utils.Extensions; +using VNLib.Hashing.IdentityUtility; + +namespace VNLib.Plugins.Essentials.Accounts.MFA +{ + internal class MFAConfig + { + public ReadOnlyJsonWebKey? MFASecret { get; set; } + + public bool TOTPEnabled { get; } + public string? IssuerName { get; } + public TimeSpan TOTPPeriod { get; } + public HashAlg TOTPAlg { get; } + public int TOTPDigits { get; } + public int TOTPSecretBytes { get; } + public int TOTPTimeWindowSteps { get; } + + + public bool FIDOEnabled { get; } + public int FIDOChallangeSize { get; } + public int FIDOTimeout { get; } + public string? FIDOSiteName { get; } + public string? FIDOAttestationType { get; } + public FidoAuthenticatorSelection? FIDOAuthSelection { get; } + + public TimeSpan UpgradeValidFor { get; } + public int NonceLenBytes { get; } + + public MFAConfig(IReadOnlyDictionary<string, JsonElement> conf) + { + UpgradeValidFor = conf["upgrade_expires_secs"].GetTimeSpan(TimeParseType.Seconds); + NonceLenBytes = conf["nonce_size"].GetInt32(); + string siteName = conf["site_name"].GetString() ?? throw new KeyNotFoundException("Missing required key 'site_name' in 'mfa' config"); + + //Totp setup + if (conf.TryGetValue("totp", out JsonElement totpEl)) + { + IReadOnlyDictionary<string, JsonElement> totp = totpEl.EnumerateObject().ToDictionary(k => k.Name, k => k.Value); + + //Get totp config + IssuerName = siteName; + //Get alg name + string TOTPAlgName = totp["algorithm"].GetString()?.ToUpper() ?? throw new KeyNotFoundException("Missing required key 'algorithm' in plugin 'mfa' config"); + //Parse from enum string + TOTPAlg = Enum.Parse<HashAlg>(TOTPAlgName); + + + TOTPDigits = totp["digits"].GetInt32(); + TOTPPeriod = TimeSpan.FromSeconds(totp["period_secs"].GetInt32()); + TOTPSecretBytes = totp["secret_size"].GetInt32(); + TOTPTimeWindowSteps = totp["window_size"].GetInt32(); + //Set enabled flag + TOTPEnabled = true; + } + //Fido setup + if(conf.TryGetValue("fido", out JsonElement fidoEl)) + { + IReadOnlyDictionary<string, JsonElement> fido = fidoEl.EnumerateObject().ToDictionary(k => k.Name, k => k.Value); + FIDOChallangeSize = fido["challenge_size"].GetInt32(); + FIDOAttestationType = fido["attestation"].GetString(); + FIDOTimeout = fido["timeout"].GetInt32(); + FIDOSiteName = siteName; + //Deserailze a + if(fido.TryGetValue("authenticatorSelection", out JsonElement authSel)) + { + FIDOAuthSelection = authSel.Deserialize<FidoAuthenticatorSelection>(); + } + //Set enabled flag + FIDOEnabled = true; + } + } + } +} diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAType.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAType.cs new file mode 100644 index 0000000..208eea3 --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAType.cs @@ -0,0 +1,31 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: MFAType.cs +* +* MFAType.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +namespace VNLib.Plugins.Essentials.Accounts.MFA +{ + public enum MFAType + { + TOTP, FIDO, PGP + } +} diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAUpgrade.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAUpgrade.cs new file mode 100644 index 0000000..5577d51 --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAUpgrade.cs @@ -0,0 +1,65 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: MFAUpgrade.cs +* +* MFAUpgrade.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using System.Text.Json.Serialization; + +#nullable enable + +namespace VNLib.Plugins.Essentials.Accounts.MFA +{ + internal class MFAUpgrade + { + /// <summary> + /// The login's client id specifier + /// </summary> + [JsonPropertyName("cid")] + public string? ClientID { get; set; } + /// <summary> + /// The id of the user that is requesting a login + /// </summary> + [JsonPropertyName("uname")] + public string? UserName{ get; set; } + /// <summary> + /// The <see cref="MFAType"/> of the upgrade request + /// </summary> + [JsonPropertyName("type")] + public MFAType Type { get; set; } + /// <summary> + /// The a base64 encoded string of the user's + /// public key + /// </summary> + [JsonPropertyName("pubkey")] + public string? Base64PubKey { get; set; } + /// <summary> + /// The user's specified language + /// </summary> + [JsonPropertyName("lang")] + public string? ClientLocalLanguage { get; set; } + /// <summary> + /// The encrypted password token for the client + /// </summary> + [JsonPropertyName("cd")] + public string? PwClientData { get; set; } + } +} diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/UserMFAExtensions.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/UserMFAExtensions.cs new file mode 100644 index 0000000..1ec9953 --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/UserMFAExtensions.cs @@ -0,0 +1,384 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: UserMFAExtensions.cs +* +* UserMFAExtensions.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using System; +using System.Linq; +using System.Text.Json; +using System.Collections.Generic; +using System.Security.Cryptography; +using System.Text.Json.Serialization; +using System.Diagnostics.CodeAnalysis; + +using VNLib.Hashing; +using VNLib.Utils; +using VNLib.Utils.Memory; +using VNLib.Utils.Extensions; +using VNLib.Hashing.IdentityUtility; +using VNLib.Plugins.Essentials.Users; +using VNLib.Plugins.Essentials.Sessions; +using VNLib.Plugins.Extensions.Loading; + +namespace VNLib.Plugins.Essentials.Accounts.MFA +{ + + internal static class UserMFAExtensions + { + public const string WEBAUTHN_KEY_ENTRY = "mfa.fido"; + public const string TOTP_KEY_ENTRY = "mfa.totp"; + public const string PGP_PUB_KEY = "mfa.pgpp"; + public const string SESSION_SIG_KEY = "mfa.sig"; + + /// <summary> + /// Determines if the user account has an + /// </summary> + /// <param name="user"></param> + /// <returns>True if any form of MFA is enabled for the user account</returns> + public static bool MFAEnabled(this IUser user) + { + return !(string.IsNullOrWhiteSpace(user[TOTP_KEY_ENTRY]) && string.IsNullOrWhiteSpace(user[WEBAUTHN_KEY_ENTRY])); + } + + #region totp + + /// <summary> + /// Recovers the base32 encoded TOTP secret for the current user + /// </summary> + /// <param name="user"></param> + /// <returns>The base32 encoded TOTP secret, or an emtpy string (user spec) if not set</returns> + public static string MFAGetTOTPSecret(this IUser user) => user[TOTP_KEY_ENTRY]; + + /// <summary> + /// Stores or removes the current user's TOTP secret, stored in base32 format + /// </summary> + /// <param name="user"></param> + /// <param name="secret">The base32 encoded TOTP secret</param> + public static void MFASetTOTPSecret(this IUser user, string? secret) => user[TOTP_KEY_ENTRY] = secret!; + + + /// <summary> + /// Generates/overwrites the current user's TOTP secret entry and returns a + /// byte array of the generated secret bytes + /// </summary> + /// <param name="entry">The <see cref="MFAEntry"/> to modify the TOTP configuration of</param> + /// <returns>The raw secret that was encrypted and stored in the <see cref="MFAEntry"/>, to send to the client</returns> + /// <exception cref="OutOfMemoryException"></exception> + public static byte[] MFAGenreateTOTPSecret(this IUser user, MFAConfig config) + { + //Generate a random key + byte[] newSecret = RandomHash.GetRandomBytes(config.TOTPSecretBytes); + //Store secret in user storage + user.MFASetTOTPSecret(VnEncoding.ToBase32String(newSecret, false)); + //return the raw secret bytes + return newSecret; + } + + /// <summary> + /// Verfies the supplied TOTP code against the current user's totp codes + /// This method should not be used for verifying TOTP codes for authentication + /// </summary> + /// <param name="user">The user account to verify the TOTP code against</param> + /// <param name="code">The code to verify</param> + /// <param name="config">A readonly referrence to the MFA configuration structure</param> + /// <returns>True if the user has TOTP configured and code matches against its TOTP secret entry, false otherwise</returns> + /// <exception cref="FormatException"></exception> + /// <exception cref="OutOfMemoryException"></exception> + public static bool VerifyTOTP(this MFAConfig config, IUser user, uint code) + { + //Get the base32 TOTP secret for the user and make sure its actually set + string base32Secret = user.MFAGetTOTPSecret(); + if (string.IsNullOrWhiteSpace(base32Secret)) + { + return false; + } + //Alloc buffer with zero o + using UnsafeMemoryHandle<byte> buffer = Memory.UnsafeAlloc<byte>(base32Secret.Length, true); + ERRNO count = VnEncoding.TryFromBase32Chars(base32Secret, buffer); + //Verify the TOTP using the decrypted secret + return count && VerifyTOTP(code, buffer.AsSpan(0, count), config); + } + + private static bool VerifyTOTP(uint totpCode, ReadOnlySpan<byte> userSecret, MFAConfig config) + { + //A basic attempt at a constant time TOTP verification, run the calculation a fixed number of times, regardless of the resutls + bool codeMatches = false; + + //cache current time + DateTimeOffset currentUtc = DateTimeOffset.UtcNow; + //Start the current window with the minimum window + int currenStep = -config.TOTPTimeWindowSteps; + Span<byte> stepBuffer = stackalloc byte[sizeof(long)]; + Span<byte> hashBuffer = stackalloc byte[(int)config.TOTPAlg]; + //Run the loop at least once to allow a 0 step tight window + do + { + //Calculate the window by multiplying the window by the current step, then add it to the current time offset to produce a new window + DateTimeOffset window = currentUtc.Add(config.TOTPPeriod.Multiply(currenStep)); + //calculate the time step + long timeStep = (long)Math.Floor(window.ToUnixTimeSeconds() / config.TOTPPeriod.TotalSeconds); + //try to compute the hash + _ = BitConverter.TryWriteBytes(stepBuffer, timeStep) ? 0 : throw new InternalBufferTooSmallException("Failed to format TOTP time step"); + //If platform is little endian, reverse the byte order + if (BitConverter.IsLittleEndian) + { + stepBuffer.Reverse(); + } + ERRNO result = ManagedHash.ComputeHmac(userSecret, stepBuffer, hashBuffer, config.TOTPAlg); + //try to compute the hash of the time step + if (result < 1) + { + throw new InternalBufferTooSmallException("Failed to compute TOTP time step hash because the buffer was too small"); + } + //Hash bytes + ReadOnlySpan<byte> hash = hashBuffer[..(int)result]; + //compute the TOTP code and compare it to the supplied, then store the result + codeMatches |= (totpCode == CalcTOTPCode(hash, config)); + //next step + currenStep++; + } while (currenStep <= config.TOTPTimeWindowSteps); + + return codeMatches; + } + + private static uint CalcTOTPCode(ReadOnlySpan<byte> hash, MFAConfig config) + { + //Calculate the offset, RFC defines, the lower 4 bits of the last byte in the hash output + byte offset = (byte)(hash[^1] & 0x0Fu); + + uint TOTPCode; + if (BitConverter.IsLittleEndian) + { + //Store the code components + TOTPCode = (hash[offset] & 0x7Fu) << 24 | (hash[offset + 1] & 0xFFu) << 16 | (hash[offset + 2] & 0xFFu) << 8 | hash[offset + 3] & 0xFFu; + } + else + { + //Store the code components (In reverse order for big-endian machines) + TOTPCode = (hash[offset + 3] & 0x7Fu) << 24 | (hash[offset + 2] & 0xFFu) << 16 | (hash[offset + 1] & 0xFFu) << 8 | hash[offset] & 0xFFu; + } + //calculate the modulus value + TOTPCode %= (uint)Math.Pow(10, config.TOTPDigits); + return TOTPCode; + } + + #endregion + + #region loading + + const string MFA_CONFIG_KEY = "mfa"; + + /// <summary> + /// Gets the plugins ambient <see cref="PasswordHashing"/> if loaded, or loads it if required. This class will + /// be unloaded when the plugin us unloaded. + /// </summary> + /// <param name="plugin"></param> + /// <returns>The ambient <see cref="PasswordHashing"/></returns> + /// <exception cref="OverflowException"></exception> + /// <exception cref="KeyNotFoundException"></exception> + /// <exception cref="ObjectDisposedException"></exception> + public static MFAConfig? GetMfaConfig(this PluginBase plugin) + { + static MFAConfig? LoadMfaConfig(PluginBase pbase) + { + //Try to get the configuration object + IReadOnlyDictionary<string, JsonElement>? conf = pbase.TryGetConfig(MFA_CONFIG_KEY); + + if (conf == null) + { + return null; + } + //Init mfa config + MFAConfig mfa = new(conf); + + //Recover secret from config and dangerous 'lazy load' + _ = pbase.DeferTask(async () => + { + mfa.MFASecret = await pbase.TryGetSecretAsync("mfa_secret").ToJsonWebKey(); + + }, 50); + + return mfa; + } + + plugin.ThrowIfUnloaded(); + //Get/load the passwords one time only + return LoadingExtensions.GetOrCreateSingleton(plugin, LoadMfaConfig); + } + + #endregion + + #region pgp + + private class PgpMfaCred + { + [JsonPropertyName("p")] + public string? SpkiPublicKey { get; set; } + + [JsonPropertyName("c")] + public string? CurveFriendlyName { get; set; } + } + + + /// <summary> + /// Gets the stored PGP public key for the user + /// </summary> + /// <param name="user"></param> + /// <returns>The stored PGP signature key </returns> + public static string MFAGetPGPPubKey(this IUser user) => user[PGP_PUB_KEY]; + + public static void MFASetPGPPubKey(this IUser user, string? pubKey) => user[PGP_PUB_KEY] = pubKey!; + + public static void VerifySignedData(string data) + { + + } + + #endregion + + #region webauthn + + #endregion + + /// <summary> + /// Recovers a signed MFA upgrade JWT and verifies its authenticity, and confrims its not expired, + /// then recovers the upgrade mssage + /// </summary> + /// <param name="config"></param> + /// <param name="upgradeJwtString">The signed JWT upgrade message</param> + /// <param name="upgrade">The recovered upgrade</param> + /// <param name="base64sessionSig">The stored base64 encoded signature from the session that requested an upgrade</param> + /// <returns>True if the upgrade was verified, not expired, and was recovered from the signed message, false otherwise</returns> + public static bool RecoverUpgrade(this MFAConfig config, ReadOnlySpan<char> upgradeJwtString, ReadOnlySpan<char> base64sessionSig, [NotNullWhen(true)] out MFAUpgrade? upgrade) + { + //Verifies a jwt stored signature against the actual signature + static bool VerifyStoredSig(ReadOnlySpan<char> base64string, ReadOnlySpan<byte> signature) + { + using UnsafeMemoryHandle<byte> buffer = Memory.UnsafeAlloc<byte>(base64string.Length, true); + //Recover base64 + ERRNO count = VnEncoding.TryFromBase64Chars(base64string, buffer.Span); + //Compare + return CryptographicOperations.FixedTimeEquals(signature, buffer.Span[..(int)count]); + } + + //Verify config secret + _ = config.MFASecret ?? throw new InvalidOperationException("MFA config is missing required upgrade signing key"); + + upgrade = null; + + //Parse jwt + using JsonWebToken jwt = JsonWebToken.Parse(upgradeJwtString); + + if (!jwt.VerifyFromJwk(config.MFASecret)) + { + return false; + } + + if(!VerifyStoredSig(base64sessionSig, jwt.SignatureData)) + { + return false; + } + + //get request body + using JsonDocument doc = jwt.GetPayload(); + //Recover issued at time + DateTimeOffset iat = DateTimeOffset.FromUnixTimeMilliseconds(doc.RootElement.GetProperty("iat").GetInt64()); + //Verify its not timed out + if (iat.Add(config.UpgradeValidFor) < DateTimeOffset.UtcNow) + { + //expired + return false; + } + + //Recover the upgrade message + upgrade = doc.RootElement.GetProperty("upgrade").Deserialize<MFAUpgrade>(); + return upgrade != null; + } + + + /// <summary> + /// Generates an upgrade for the requested user, using the highest prirotiy method + /// </summary> + /// <param name="login">The message from the user requesting the login</param> + /// <returns>A signed upgrade message the client will pass back to the server after the MFA verification</returns> + /// <exception cref="InvalidOperationException"></exception> + public static Tuple<string, string>? MFAGetUpgradeIfEnabled(this IUser user, MFAConfig? conf, LoginMessage login, string pwClientData) + { + //Webauthn config + + + //Search for totp secret entry + string base32Secret = user.MFAGetTOTPSecret(); + + //Check totp entry + if (!string.IsNullOrWhiteSpace(base32Secret)) + { + //Verify config secret + _ = conf?.MFASecret ?? throw new InvalidOperationException("MFA config is missing required upgrade signing key"); + + //setup the upgrade + MFAUpgrade upgrade = new() + { + //Set totp upgrade type + Type = MFAType.TOTP, + //Store login message details + UserName = login.UserName, + ClientID = login.ClientID, + Base64PubKey = login.ClientPublicKey, + ClientLocalLanguage = login.LocalLanguage, + PwClientData = pwClientData + }; + + //Init jwt for upgrade + return GetUpgradeMessage(upgrade, conf.MFASecret, conf.UpgradeValidFor); + } + return null; + } + + private static Tuple<string, string> GetUpgradeMessage(MFAUpgrade upgrade, ReadOnlyJsonWebKey secret, TimeSpan expires) + { + //Add some random entropy to the upgrade message, to help prevent forgery + string entropy = RandomHash.GetRandomBase32(16); + //Init jwt + using JsonWebToken upgradeJwt = new(); + upgradeJwt.WriteHeader(secret.JwtHeader); + //Write claims + upgradeJwt.InitPayloadClaim() + .AddClaim("iat", DateTimeOffset.UtcNow.ToUnixTimeMilliseconds()) + .AddClaim("upgrade", upgrade) + .AddClaim("type", upgrade.Type.ToString().ToLower()) + .AddClaim("expires", expires.TotalSeconds) + .AddClaim("a", entropy) + .CommitClaims(); + + //Sign with jwk + upgradeJwt.SignFromJwk(secret); + + //compile and return jwt upgrade + return new(upgradeJwt.Compile(), Convert.ToBase64String(upgradeJwt.SignatureData)); + } + + public static void MfaUpgradeSignature(this in SessionInfo session, string? base64Signature) => session[SESSION_SIG_KEY] = base64Signature!; + + public static string? MfaUpgradeSignature(this in SessionInfo session) => session[SESSION_SIG_KEY]; + } +} diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/VNLib.Plugins.Essentials.Accounts.csproj b/plugins/VNLib.Plugins.Essentials.Accounts/src/VNLib.Plugins.Essentials.Accounts.csproj new file mode 100644 index 0000000..98ba1ab --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/VNLib.Plugins.Essentials.Accounts.csproj @@ -0,0 +1,61 @@ +<Project Sdk="Microsoft.NET.Sdk"> + + <PropertyGroup> + <TargetFramework>net6.0</TargetFramework> + <RootNamespace>VNLib.Plugins.Essentials.Accounts</RootNamespace> + <Copyright>Copyright © 2022 Vaughn Nugent</Copyright> + <Authors>Vaughn Nugent</Authors> + <AssemblyName>Accounts</AssemblyName> + + <PackageId>VNLib.Plugins.Essentials.Accounts</PackageId> + <Version>1.0.1.5</Version> + <PackageProjectUrl>https://www.vaughnnugent.com/resources</PackageProjectUrl> + <SignAssembly>True</SignAssembly> + <AssemblyOriginatorKeyFile>\\vaughnnugent.com\Internal\Folder Redirection\vman\Documents\Programming\Software\StrongNameingKey.snk</AssemblyOriginatorKeyFile> + </PropertyGroup> + + + <!-- Resolve nuget dll files and store them in the output dir --> + <PropertyGroup> + <!--Enable dynamic loading--> + <EnableDynamicLoading>true</EnableDynamicLoading> + <Nullable>enable</Nullable> + <AnalysisLevel>latest-all</AnalysisLevel> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'"> + <Deterministic>False</Deterministic> + </PropertyGroup> + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'"> + <Deterministic>False</Deterministic> + </PropertyGroup> + + <ItemGroup> + <PackageReference Include="ErrorProne.NET.CoreAnalyzers" Version="0.1.2"> + <PrivateAssets>all</PrivateAssets> + <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets> + </PackageReference> + <PackageReference Include="ErrorProne.NET.Structs" Version="0.1.2"> + <PrivateAssets>all</PrivateAssets> + <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets> + </PackageReference> + <PackageReference Include="FluentValidation" Version="11.4.0" /> + </ItemGroup> + + <ItemGroup> + <ProjectReference Include="..\..\..\..\..\core\lib\Plugins.Essentials\src\VNLib.Plugins.Essentials.csproj" /> + <ProjectReference Include="..\..\..\..\..\core\lib\Utils\src\VNLib.Utils.csproj" /> + <ProjectReference Include="..\..\..\..\Extensions\lib\VNLib.Plugins.Extensions.Loading\src\VNLib.Plugins.Extensions.Loading.csproj" /> + <ProjectReference Include="..\..\..\..\Extensions\lib\VNLib.Plugins.Extensions.Validation\src\VNLib.Plugins.Extensions.Validation.csproj" /> + </ItemGroup> + + <ItemGroup> + <None Update="Accounts.json"> + <CopyToOutputDirectory>Always</CopyToOutputDirectory> + </None> + </ItemGroup> + + <Target Name="PostBuild" AfterTargets="PostBuildEvent"> + <Exec Command="start xcopy "$(TargetDir)" "F:\Programming\vnlib\devplugins\$(TargetName)" /E /Y /R" /> + </Target> + +</Project> diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/Validators/LoginMessageValidation.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/Validators/LoginMessageValidation.cs new file mode 100644 index 0000000..6d96695 --- /dev/null +++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/Validators/LoginMessageValidation.cs @@ -0,0 +1,70 @@ +/* +* Copyright (c) 2022 Vaughn Nugent +* +* Library: VNLib +* Package: VNLib.Plugins.Essentials.Accounts +* File: LoginMessageValidation.cs +* +* LoginMessageValidation.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger +* VNLib collection of libraries and utilities. +* +* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify +* it under the terms of the GNU Affero General Public License as +* published by the Free Software Foundation, either version 3 of the +* License, or (at your option) any later version. +* +* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU Affero General Public License for more details. +* +* You should have received a copy of the GNU Affero General Public License +* along with this program. If not, see https://www.gnu.org/licenses/. +*/ + +using System; + +using FluentValidation; + +using VNLib.Plugins.Extensions.Validation; + +namespace VNLib.Plugins.Essentials.Accounts.Validators +{ + + internal class LoginMessageValidation : AbstractValidator<LoginMessage> + { + public LoginMessageValidation() + { + RuleFor(static t => t.ClientID) + .Length(min: 10, max: 100) + .WithMessage(errorMessage: "Your browser is not sending required security information"); + + RuleFor(static t => t.ClientPublicKey) + .NotEmpty() + .Length(min: 50, max: 1000) + .WithMessage(errorMessage: "Your browser is not sending required security information"); + + /* Rules for user-input on passwords, set max length to avoid DOS */ + RuleFor(static t => t.Password) + .SetValidator(AccountValidations.PasswordValidator); + + //Username/email address + RuleFor(static t => t.UserName) + .Length(min: 1, max: 64) + .WithName(overridePropertyName: "Email") + .EmailAddress() + .WithName(overridePropertyName: "Email") + .IllegalCharacters() + .WithName(overridePropertyName: "Email"); + + RuleFor(static t => t.LocalLanguage) + .NotEmpty() + .IllegalCharacters() + .WithMessage(errorMessage: "Your language is not supported"); + + RuleFor(static t => t.LocalTime.ToUniversalTime()) + .Must(static time => time > DateTime.UtcNow.AddSeconds(-60) && time < DateTime.UtcNow.AddSeconds(60)) + .WithMessage(errorMessage: "Please check your system clock"); + } + } +} |