-rw-r--r--plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoAuthenticatorSelection.cs (renamed from plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoAuthenticatorSelection.cs)8
-rw-r--r--plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoPubkeyAlgorithm.cs37
-rw-r--r--plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegClientData.cs (renamed from plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegClientData.cs)10
-rw-r--r--plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegistrationMessage.cs (renamed from plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegistrationMessage.cs)30
-rw-r--r--plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRelyingParty.cs37
-rw-r--r--plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoUserData.cs54
-rw-r--r--plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs3
-rw-r--r--plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecConfig.cs6
-rw-r--r--plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecProvider.cs2
-rw-r--r--plugins/VNLib.Plugins.Essentials.Auth.Social/src/LoginUriBuilder.cs14
10 files changed, 171 insertions, 30 deletions
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoAuthenticatorSelection.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoAuthenticatorSelection.cs
index 6db41af..301113c 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoAuthenticatorSelection.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoAuthenticatorSelection.cs
@@ -1,5 +1,5 @@
/*
-* Copyright (c) 2022 Vaughn Nugent
+* Copyright (c) 2024 Vaughn Nugent
*
* Library: VNLib
* Package: VNLib.Plugins.Essentials.Accounts
@@ -24,14 +24,16 @@
using System.Text.Json.Serialization;
-namespace VNLib.Plugins.Essentials.Accounts.MFA
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
{
- class FidoAuthenticatorSelection
+ internal sealed class FidoAuthenticatorSelection
{
[JsonPropertyName("requireResidentKey")]
public bool RequireResidentKey { get; set; } = false;
+
[JsonPropertyName("authenticatorAttachment")]
public string? AuthenticatorAttachment { get; set; } = "cross-platform";
+
[JsonPropertyName("userVerification")]
public string? UserVerification { get; set; } = "required";
}
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoPubkeyAlgorithm.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoPubkeyAlgorithm.cs
new file mode 100644
index 0000000..0bdd563
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoPubkeyAlgorithm.cs
@@ -0,0 +1,37 @@
+/*
+* Copyright (c) 2024 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.Accounts
+* File: FidoPubkeyAlgorithm.cs
+*
+* FidoPubkeyAlgorithm.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System.Text.Json.Serialization;
+
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
+{
+ internal sealed class FidoPubkeyAlgorithm
+ {
+ [JsonPropertyName("alg")]
+ public int AlgId { get; set; }
+
+ [JsonPropertyName("type")]
+ public string Type { get; set; } = "public-key";
+ }
+}
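Review bot: `AlgId` is a COSE algorithm identifier from the IANA COSE Algorithms registry (negative integers such as -7 for ES256 or -257 for RS256), but nothing on the class says so, and if these values end up coming from configuration (the `using ...MFA.Fido` added to MFAConfig hints at that, though the binding is not visible here) an operator could plausibly supply a JOSE name or a positive number that the browser will silently ignore. Add `/// <summary>COSE algorithm identifier (IANA COSE Algorithms registry), e.g. -7 for ES256. Sent to the browser as pubKeyCredParams[].alg.</summary>` above `AlgId`. `Type` has exactly one value defined by WebAuthn, so a getter-only `public string Type => "public-key";` would make any other value unrepresentable; whether any caller assigns `Type` cannot be seen from this diff.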
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegClientData.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegClientData.cs
index 1ef7d59..3ad17f3 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegClientData.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegClientData.cs
@@ -1,5 +1,5 @@
/*
-* Copyright (c) 2022 Vaughn Nugent
+* Copyright (c) 2024 Vaughn Nugent
*
* Library: VNLib
* Package: VNLib.Plugins.Essentials.Accounts
@@ -24,16 +24,16 @@
using System.Text.Json.Serialization;
-#nullable enable
-
-namespace VNLib.Plugins.Essentials.Accounts.MFA
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
{
- internal class FidoRegClientData
+ internal sealed class FidoRegClientData
{
[JsonPropertyName("challenge")]
public string? Challenge { get; set; }
+
[JsonPropertyName("origin")]
public string? Origin { get; set; }
+
[JsonPropertyName("type")]
public string? Type { get; set; }
}
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegistrationMessage.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegistrationMessage.cs
index e8fbcc4..4dfa036 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/FidoRegistrationMessage.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRegistrationMessage.cs
@@ -1,5 +1,5 @@
/*
-* Copyright (c) 2022 Vaughn Nugent
+* Copyright (c) 2024 Vaughn Nugent
*
* Library: VNLib
* Package: VNLib.Plugins.Essentials.Accounts
@@ -24,29 +24,33 @@
using System.Text.Json.Serialization;
-#nullable enable
-
-namespace VNLib.Plugins.Essentials.Accounts.MFA
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
{
/// <summary>
/// Represents a fido device registration message to be sent
/// to a currently signed in user
/// </summary>
- class FidoRegistrationMessage
+ sealed class FidoRegistrationMessage
{
- [JsonPropertyName("id")]
- public string? GuidUserId { get; set; }
[JsonPropertyName("challenge")]
public string? Base64Challenge { get; set; } = null;
+
[JsonPropertyName("timeout")]
public int Timeout { get; set; } = 60000;
- [JsonPropertyName("cose_alg")]
- public int CoseAlgNumber { get; set; }
- [JsonPropertyName("rp_name")]
- public string? SiteName { get; set; }
+
+ [JsonPropertyName("rp")]
+ public FidoRelyingParty RelyingParty { get; set; } = new();
+
[JsonPropertyName("attestation")]
- public string? AttestationType { get; set; } = "none";
+ public string AttestationType { get; set; } = "none";
+
+ [JsonPropertyName("user")]
+ public FidoUserData User { get; set; } = new();
+
+ [JsonPropertyName("pubKeyCredParams")]
+ public FidoPubkeyAlgorithm[]? PubKeyCredParams { get; set; }
+
[JsonPropertyName("authenticatorSelection")]
- public FidoAuthenticatorSelection? AuthSelection { get; set; } = new();
+ public FidoAuthenticatorSelection AuthSelection { get; set; } = new();
}
}
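Review bot: `Base64Challenge` and `PubKeyCredParams` both default to null while `challenge` and `pubKeyCredParams` are required members of the browser's PublicKeyCredentialCreationOptions, so a message serialized before they are populated is only rejected client-side, with no server-side signal. Either initialize `PubKeyCredParams` with the server's supported algorithms in the constructor or assert both are non-null where the message is built (the construction site is not in this diff). The challenge must be fresh per registration attempt, drawn from a CSPRNG (the spec recommends at least 16 bytes), encoded the way the client script expects, and retained server-side so the returned clientData can be compared against it; how it is generated is not visible here. Minor consistency point: the sibling Fido models in this commit are declared `internal sealed class`, while this one is `sealed class` (implicitly internal) — writing the modifier explicitly keeps them uniform.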
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRelyingParty.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRelyingParty.cs
new file mode 100644
index 0000000..d259ac6
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoRelyingParty.cs
@@ -0,0 +1,37 @@
+/*
+* Copyright (c) 2024 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.Accounts
+* File: FidoRelyingParty.cs
+*
+* FidoRelyingParty.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System.Text.Json.Serialization;
+
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
+{
+ internal sealed class FidoRelyingParty
+ {
+ [JsonPropertyName("id")]
+ public string? Id { get; set; }
+
+ [JsonPropertyName("name")]
+ public string? Name { get; set; }
+ }
+}
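Review bot: `Id` is the WebAuthn RP ID, which scopes every registered credential: browsers reject a value that is not the origin's effective domain or a registrable suffix of it, and a credential registered under one RP ID is unusable under another, so changing it later orphans every existing key. Nothing documents that, and `Id` is nullable; if it serializes as null the browser treats `rp.id` as absent and defaults to the origin's effective domain, which is probably the intent but should be stated so an operator does not "fix" it later. Add `/// <summary>Relying party identifier: the site's effective domain or a registrable suffix of it. Credentials are bound to this value; changing it invalidates all existing registrations.</summary>` on `Id`.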
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoUserData.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoUserData.cs
new file mode 100644
index 0000000..aadef29
--- /dev/null
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/Fido/FidoUserData.cs
@@ -0,0 +1,54 @@
+/*
+* Copyright (c) 2024 Vaughn Nugent
+*
+* Library: VNLib
+* Package: VNLib.Plugins.Essentials.Accounts
+* File: FidoUserData.cs
+*
+* FidoUserData.cs is part of VNLib.Plugins.Essentials.Accounts which is part of the larger
+* VNLib collection of libraries and utilities.
+*
+* VNLib.Plugins.Essentials.Accounts is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License as
+* published by the Free Software Foundation, either version 3 of the
+* License, or (at your option) any later version.
+*
+* VNLib.Plugins.Essentials.Accounts is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see https://www.gnu.org/licenses/.
+*/
+
+using System;
+using System.Buffers.Binary;
+using System.Formats.Cbor;
+using System.Text.Json.Serialization;
+
+using VNLib.Hashing.IdentityUtility;
+
+namespace VNLib.Plugins.Essentials.Accounts.MFA.Fido
+{
+ internal sealed class FidoAuthenticatorResponse
+ {
+ [JsonPropertyName("client_data")]
+ public string? Base64ClientDataJson { get; set; }
+
+ [JsonPropertyName("attestation_object")]
+ public string? Base64AttestationObject { get; set; }
+ }
+
+ internal sealed class FidoUserData
+ {
+ [JsonPropertyName("id")]
+ public string? UserId { get; set; }
+
+ [JsonPropertyName("name")]
+ public string? UserName { get; set; }
+
+ [JsonPropertyName("displayName")]
+ public string? DisplayName { get; set; }
+ }
+}
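Review bot: `System`, `System.Buffers.Binary`, `System.Formats.Cbor` and `VNLib.Hashing.IdentityUtility` are imported but nothing in this file uses them, and `FidoAuthenticatorResponse` is defined in a file named for `FidoUserData`; drop the unused usings (or land them with the CBOR parsing they were meant for) and give the response type its own file. On `UserId`: WebAuthn's `user.id` is an opaque user handle (at most 64 bytes, base64url in JSON) that authenticators store and hand back, and the spec says it must not contain personally identifying information such as an email address — document that with `/// <summary>Opaque user handle (base64url, at most 64 bytes). Must not be derived from the username or email.</summary>`, since whether callers pass a GUID or the account name is not visible here. `FidoAuthenticatorResponse` is client-supplied data: `client_data` must be checked for type `webauthn.create`, the expected origin and the stored challenge, and `attestation_object` must be parsed and its `rpIdHash` compared against the configured RP ID before any credential is persisted; none of that verification appears in this diff, so the class should at least carry a comment that it is untrusted input pending those checks.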
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs
index bb86a3f..9dfd183 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/MFA/MFAConfig.cs
@@ -29,9 +29,10 @@ using FluentValidation;
using VNLib.Hashing;
using VNLib.Plugins.Extensions.Loading;
+using VNLib.Plugins.Essentials.Accounts.MFA.Fido;
namespace VNLib.Plugins.Essentials.Accounts.MFA
-{
+{
[ConfigurationName("mfa")]
internal class MFAConfig : IOnConfigValidation
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecConfig.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecConfig.cs
index 180e30e..4c80eac 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecConfig.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecConfig.cs
@@ -184,6 +184,12 @@ namespace VNLib.Plugins.Essentials.Accounts.SecurityProvider
[JsonPropertyName("strict_path")]
public bool VerifyPath { get; set; } = true;
+ /// <summary>
+ /// Enforce strict user-agent strings for authorized users
+ /// </summary>
+ [JsonPropertyName("strict_user_agent")]
+ public bool StrictUserAgent { get; set; } = true;
+
void IOnConfigValidation.Validate()
{
//Validate the current instance
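Review bot: The `<summary>` on `StrictUserAgent` says what it enforces but not what an operator gives up by setting `strict_user_agent` to false: the user-agent match is the check that denies an elevated session presented from a client whose UA differs from the one recorded, so disabling it removes one of the session-binding defenses against cookie replay. Suggest expanding the summary to `/// Deny requests on an elevated session whose User-Agent differs from the one recorded at login. Disabling this removes a session-hijack mitigation; only do so for clients whose UA legitimately changes mid-session.` `Validate()` begins here but its body lies outside the hunk, so whether the new flag should participate in validation alongside the others cannot be judged from the diff.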
diff --git a/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecProvider.cs b/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecProvider.cs
index e20ec9f..d800e3e 100644
--- a/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecProvider.cs
+++ b/plugins/VNLib.Plugins.Essentials.Accounts/src/SecurityProvider/AccountSecProvider.cs
@@ -120,7 +120,7 @@ namespace VNLib.Plugins.Essentials.Accounts.SecurityProvider
else if (ClientWebAuthManager.IsSessionElevated(in session))
{
//If the session stored a user-agent, make sure it matches the connection
- if (!string.Equals(session.UserAgent, entity.Server.UserAgent, StringComparison.Ordinal))
+ if (_config.StrictUserAgent && !string.Equals(session.UserAgent, entity.Server.UserAgent, StringComparison.Ordinal))
{
_logger.Debug("Denied authorized connection from {ip} because user-agent changed", entity.TrustedRemoteIp);
return ValueTask.FromResult(FileProcessArgs.Deny);
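Review bot: When `_config.StrictUserAgent` is false the `&&` short-circuit skips the string comparison entirely, so a user-agent change on an elevated session leaves no trace at all, whereas before this commit it was at least visible as a denial in the debug log. Keep the comparison unconditional and gate only the denial, logging the mismatch at debug level in relaxed mode so incident responders retain the signal. The enclosing method starts and ends outside this hunk.
```csharp
//If the session stored a user-agent, make sure it matches the connection
bool uaChanged = !string.Equals(session.UserAgent, entity.Server.UserAgent, StringComparison.Ordinal);
if (uaChanged && _config.StrictUserAgent)
{
    _logger.Debug("Denied authorized connection from {ip} because user-agent changed", entity.TrustedRemoteIp);
    return ValueTask.FromResult(FileProcessArgs.Deny);
}
else if (uaChanged)
{
    //Strict mode disabled: keep the mismatch visible for triage without denying the request
    _logger.Debug("User-agent changed on authorized connection from {ip}; strict_user_agent is disabled", entity.TrustedRemoteIp);
}
// … unchanged: remainder of the elevated-session branch …
```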
diff --git a/plugins/VNLib.Plugins.Essentials.Auth.Social/src/LoginUriBuilder.cs b/plugins/VNLib.Plugins.Essentials.Auth.Social/src/LoginUriBuilder.cs
index da37fb7..4ed6ffd 100644
--- a/plugins/VNLib.Plugins.Essentials.Auth.Social/src/LoginUriBuilder.cs
+++ b/plugins/VNLib.Plugins.Essentials.Auth.Social/src/LoginUriBuilder.cs
@@ -56,11 +56,11 @@ namespace VNLib.Plugins.Essentials.Auth.Social
//buffer writer for easier syntax
ForwardOnlyWriter<char> writer = new(buffer);
//first build the redirect url to re-encode it
- writer.Append(scheme);
- writer.Append("://");
+ writer.AppendSmall(scheme);
+ writer.AppendSmall("://");
//Create redirect url (current page, default action is to authorize the client)
- writer.Append(authority);
- writer.Append(path);
+ writer.AppendSmall(authority);
+ writer.AppendSmall(path);
//url encode the redirect path and save it for later
redirectUrl = Uri.EscapeDataString(writer.ToString());
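Review bot: The redirect_uri is assembled from `scheme`, `authority` and `path`; if `authority` is derived from the request's Host header rather than a configured canonical origin (its source is outside this hunk), the value sent to the identity provider is attacker-influenceable via Host-header manipulation, and unless the provider strictly matches a pre-registered redirect URI that turns into an authorization-code redirect to a host the attacker controls. Prefer building it from the configured site origin, or confirm the server has already validated Host against its configured hostnames before this code runs. Separately, `AppendSmall` is now used for `authority` and `path`, which are not fixed-length like `scheme` and `"://"`; if that helper carries a length bound, an over-long hostname or path should fail visibly rather than truncate — its contract is not visible here. The `Uri.EscapeDataString` on the assembled value is the right encoding for a query parameter and should stay.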
@@ -98,13 +98,13 @@ namespace VNLib.Plugins.Essentials.Auth.Social
//Append the config redirect path
writer.Append(Config.AccessCodeUrl.OriginalString);
//begin query arguments
- writer.Append("&client_id=");
+ writer.AppendSmall("&client_id=");
writer.Append(Config.ClientID.Value);
//add the redirect url
- writer.Append("&redirect_uri=");
+ writer.AppendSmall("&redirect_uri=");
writer.Append(redirectUrl);
//Append the state parameter
- writer.Append("&state=");
+ writer.AppendSmall("&state=");
writer.Append(nonce);
//Collect the written character data