From 8434eaa9c09b48ee57c1035893b1da04d231bed8 Mon Sep 17 00:00:00 2001 From: Livio Spring Date: Wed, 6 Jul 2022 08:32:05 +0200 Subject: [PATCH] fix: require user verification for passwordless authentication (#3896) --- .../eventsourcing/eventstore/auth_request.go | 24 +++++----- internal/command/user_human_webauthn.go | 45 ++++++++++--------- internal/webauthn/webauthn.go | 4 +- 3 files changed, 38 insertions(+), 35 deletions(-) diff --git a/internal/auth/repository/eventsourcing/eventstore/auth_request.go b/internal/auth/repository/eventsourcing/eventstore/auth_request.go index c4a8ecf0b0..f0d78b13b7 100644 --- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go +++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go @@ -142,11 +142,11 @@ func (repo *AuthRequestRepo) CreateAuthRequest(ctx context.Context, request *dom } if request.LoginHint != "" { err = repo.checkLoginName(ctx, request, request.LoginHint) - logging.LogWithFields("EVENT-aG311", "login name", request.LoginHint, "id", request.ID, "applicationID", request.ApplicationID, "traceID", tracing.TraceIDFromCtx(ctx)).OnError(err).Debug("login hint invalid") + logging.WithFields("login name", request.LoginHint, "id", request.ID, "applicationID", request.ApplicationID, "traceID", tracing.TraceIDFromCtx(ctx)).OnError(err).Debug("login hint invalid") } if request.UserID == "" && request.LoginHint == "" && domain.IsPrompt(request.Prompt, domain.PromptNone) { err = repo.tryUsingOnlyUserSession(request) - logging.LogWithFields("EVENT-SDf3g", "id", request.ID, "applicationID", request.ApplicationID, "traceID", tracing.TraceIDFromCtx(ctx)).OnError(err).Debug("unable to select only user session") + logging.WithFields("id", request.ID, "applicationID", request.ApplicationID, "traceID", tracing.TraceIDFromCtx(ctx)).OnError(err).Debug("unable to select only user session") } err = repo.AuthRequests.SaveAuthRequest(ctx, request) @@ -361,7 +361,7 @@ func (repo *AuthRequestRepo) BeginMFAU2FLogin(ctx context.Context, userID, resou if err != nil { return nil, err } - return repo.Command.HumanBeginU2FLogin(ctx, userID, resourceOwner, request, true) + return repo.Command.HumanBeginU2FLogin(ctx, userID, resourceOwner, request) } func (repo *AuthRequestRepo) VerifyMFAU2F(ctx context.Context, userID, resourceOwner, authRequestID, userAgentID string, credentialData []byte, info *domain.BrowserInfo) (err error) { @@ -371,7 +371,7 @@ func (repo *AuthRequestRepo) VerifyMFAU2F(ctx context.Context, userID, resourceO if err != nil { return err } - return repo.Command.HumanFinishU2FLogin(ctx, userID, resourceOwner, credentialData, request, true) + return repo.Command.HumanFinishU2FLogin(ctx, userID, resourceOwner, credentialData, request) } func (repo *AuthRequestRepo) BeginPasswordlessSetup(ctx context.Context, userID, resourceOwner string, authenticatorPlatform domain.AuthenticatorAttachment) (login *domain.WebAuthNToken, err error) { @@ -415,7 +415,7 @@ func (repo *AuthRequestRepo) BeginPasswordlessLogin(ctx context.Context, userID, if err != nil { return nil, err } - return repo.Command.HumanBeginPasswordlessLogin(ctx, userID, resourceOwner, request, true) + return repo.Command.HumanBeginPasswordlessLogin(ctx, userID, resourceOwner, request) } func (repo *AuthRequestRepo) VerifyPasswordless(ctx context.Context, userID, resourceOwner, authRequestID, userAgentID string, credentialData []byte, info *domain.BrowserInfo) (err error) { @@ -425,7 +425,7 @@ func (repo *AuthRequestRepo) VerifyPasswordless(ctx context.Context, userID, res if err != nil { return err } - return repo.Command.HumanFinishPasswordlessLogin(ctx, userID, resourceOwner, credentialData, request, true) + return repo.Command.HumanFinishPasswordlessLogin(ctx, userID, resourceOwner, credentialData, request) } func (repo *AuthRequestRepo) LinkExternalUsers(ctx context.Context, authReqID, userAgentID string, info *domain.BrowserInfo) (err error) { @@ -627,7 +627,7 @@ func (repo *AuthRequestRepo) tryUsingOnlyUserSession(request *domain.AuthRequest } func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *domain.AuthRequest, loginName string) (err error) { - user := new(user_view_model.UserView) + var user *user_view_model.UserView preferredLoginName := loginName if request.RequestedOrgID != "" { if request.RequestedOrgID != "" { @@ -719,7 +719,7 @@ func (repo *AuthRequestRepo) checkSelectedExternalIDP(request *domain.AuthReques } func (repo *AuthRequestRepo) checkExternalUserLogin(ctx context.Context, request *domain.AuthRequest, idpConfigID, externalUserID string) (err error) { - externalIDP := new(user_view_model.ExternalIDPView) + var externalIDP *user_view_model.ExternalIDPView if request.RequestedOrgID != "" { externalIDP, err = repo.View.ExternalIDPByExternalUserIDAndIDPConfigIDAndResourceOwner(externalUserID, idpConfigID, request.RequestedOrgID, request.InstanceID) } else { @@ -1116,7 +1116,7 @@ func userSessionByIDs(ctx context.Context, provider userSessionViewProvider, eve } events, err := eventProvider.UserEventsByID(ctx, user.ID, session.Sequence) if err != nil { - logging.Log("EVENT-Hse6s").WithError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Debug("error retrieving new events") + logging.WithFields("traceID", tracing.TraceIDFromCtx(ctx)).WithError(err).Debug("error retrieving new events") return user_view_model.UserSessionToModel(session), nil } sessionCopy := *session @@ -1141,7 +1141,7 @@ func userSessionByIDs(ctx context.Context, provider userSessionViewProvider, eve user_repo.HumanU2FTokenCheckFailedType: eventData, err := user_view_model.UserSessionFromEvent(event) if err != nil { - logging.Log("EVENT-sdgT3").WithError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Debug("error getting event data") + logging.WithFields("traceID", tracing.TraceIDFromCtx(ctx)).WithError(err).Debug("error getting event data") return user_view_model.UserSessionToModel(session), nil } if eventData.UserAgentID != agentID { @@ -1151,7 +1151,7 @@ func userSessionByIDs(ctx context.Context, provider userSessionViewProvider, eve return nil, errors.ThrowPreconditionFailed(nil, "EVENT-dG2fe", "Errors.User.NotActive") } err := sessionCopy.AppendEvent(event) - logging.Log("EVENT-qbhj3").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Warn("error appending event") + logging.WithFields("traceID", tracing.TraceIDFromCtx(ctx)).OnError(err).Warn("error appending event") } return user_view_model.UserSessionToModel(&sessionCopy), nil } @@ -1197,7 +1197,7 @@ func userByID(ctx context.Context, viewProvider userViewProvider, eventProvider } events, err := eventProvider.UserEventsByID(ctx, userID, user.Sequence) if err != nil { - logging.Log("EVENT-dfg42").WithError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Debug("error retrieving new events") + logging.WithFields("traceID", tracing.TraceIDFromCtx(ctx)).WithError(err).Debug("error retrieving new events") return user_view_model.UserToModel(user), nil } if len(events) == 0 { diff --git a/internal/command/user_human_webauthn.go b/internal/command/user_human_webauthn.go index 8b2e6c97c5..e6d7b52eb3 100644 --- a/internal/command/user_human_webauthn.go +++ b/internal/command/user_human_webauthn.go @@ -82,7 +82,7 @@ func (c *Commands) HumanAddU2FSetup(ctx context.Context, userID, resourceowner s if err != nil { return nil, err } - addWebAuthN, userAgg, webAuthN, err := c.addHumanWebAuthN(ctx, userID, resourceowner, isLoginUI, u2fTokens, domain.AuthenticatorAttachmentUnspecified) + addWebAuthN, userAgg, webAuthN, err := c.addHumanWebAuthN(ctx, userID, resourceowner, isLoginUI, u2fTokens, domain.AuthenticatorAttachmentUnspecified, domain.UserVerificationRequirementDiscouraged) if err != nil { return nil, err } @@ -108,7 +108,7 @@ func (c *Commands) HumanAddPasswordlessSetup(ctx context.Context, userID, resour if err != nil { return nil, err } - addWebAuthN, userAgg, webAuthN, err := c.addHumanWebAuthN(ctx, userID, resourceowner, isLoginUI, passwordlessTokens, authenticatorPlatform) + addWebAuthN, userAgg, webAuthN, err := c.addHumanWebAuthN(ctx, userID, resourceowner, isLoginUI, passwordlessTokens, authenticatorPlatform, domain.UserVerificationRequirementRequired) if err != nil { return nil, err } @@ -137,7 +137,7 @@ func (c *Commands) HumanAddPasswordlessSetupInitCode(ctx context.Context, userID return c.HumanAddPasswordlessSetup(ctx, userID, resourceowner, true, preferredPlatformType) } -func (c *Commands) addHumanWebAuthN(ctx context.Context, userID, resourceowner string, isLoginUI bool, tokens []*domain.WebAuthNToken, authenticatorPlatform domain.AuthenticatorAttachment) (*HumanWebAuthNWriteModel, *eventstore.Aggregate, *domain.WebAuthNToken, error) { +func (c *Commands) addHumanWebAuthN(ctx context.Context, userID, resourceowner string, isLoginUI bool, tokens []*domain.WebAuthNToken, authenticatorPlatform domain.AuthenticatorAttachment, userVerification domain.UserVerificationRequirement) (*HumanWebAuthNWriteModel, *eventstore.Aggregate, *domain.WebAuthNToken, error) { if userID == "" { return nil, nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-3M0od", "Errors.IDMissing") } @@ -157,7 +157,7 @@ func (c *Commands) addHumanWebAuthN(ctx context.Context, userID, resourceowner s if accountName == "" { accountName = user.EmailAddress } - webAuthN, err := c.webauthnConfig.BeginRegistration(ctx, user, accountName, authenticatorPlatform, domain.UserVerificationRequirementDiscouraged, isLoginUI, tokens...) + webAuthN, err := c.webauthnConfig.BeginRegistration(ctx, user, accountName, authenticatorPlatform, userVerification, isLoginUI, tokens...) if err != nil { return nil, nil, nil, err } @@ -286,13 +286,13 @@ func (c *Commands) verifyHumanWebAuthN(ctx context.Context, userID, resourceowne return userAgg, webAuthN, verifyWebAuthN, nil } -func (c *Commands) HumanBeginU2FLogin(ctx context.Context, userID, resourceOwner string, authRequest *domain.AuthRequest, isLoginUI bool) (*domain.WebAuthNLogin, error) { +func (c *Commands) HumanBeginU2FLogin(ctx context.Context, userID, resourceOwner string, authRequest *domain.AuthRequest) (*domain.WebAuthNLogin, error) { u2fTokens, err := c.getHumanU2FTokens(ctx, userID, resourceOwner) if err != nil { return nil, err } - userAgg, webAuthNLogin, err := c.beginWebAuthNLogin(ctx, userID, resourceOwner, u2fTokens, isLoginUI) + userAgg, webAuthNLogin, err := c.beginWebAuthNLogin(ctx, userID, resourceOwner, u2fTokens, domain.UserVerificationRequirementDiscouraged) if err != nil { return nil, err } @@ -311,13 +311,13 @@ func (c *Commands) HumanBeginU2FLogin(ctx context.Context, userID, resourceOwner return webAuthNLogin, err } -func (c *Commands) HumanBeginPasswordlessLogin(ctx context.Context, userID, resourceOwner string, authRequest *domain.AuthRequest, isLoginUI bool) (*domain.WebAuthNLogin, error) { +func (c *Commands) HumanBeginPasswordlessLogin(ctx context.Context, userID, resourceOwner string, authRequest *domain.AuthRequest) (*domain.WebAuthNLogin, error) { u2fTokens, err := c.getHumanPasswordlessTokens(ctx, userID, resourceOwner) if err != nil { return nil, err } - userAgg, webAuthNLogin, err := c.beginWebAuthNLogin(ctx, userID, resourceOwner, u2fTokens, isLoginUI) + userAgg, webAuthNLogin, err := c.beginWebAuthNLogin(ctx, userID, resourceOwner, u2fTokens, domain.UserVerificationRequirementRequired) if err != nil { return nil, err } @@ -334,7 +334,7 @@ func (c *Commands) HumanBeginPasswordlessLogin(ctx context.Context, userID, reso return webAuthNLogin, err } -func (c *Commands) beginWebAuthNLogin(ctx context.Context, userID, resourceOwner string, tokens []*domain.WebAuthNToken, isLoginUI bool) (*eventstore.Aggregate, *domain.WebAuthNLogin, error) { +func (c *Commands) beginWebAuthNLogin(ctx context.Context, userID, resourceOwner string, tokens []*domain.WebAuthNToken, userVerification domain.UserVerificationRequirement) (*eventstore.Aggregate, *domain.WebAuthNLogin, error) { if userID == "" { return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-hh8K9", "Errors.IDMissing") } @@ -343,7 +343,7 @@ func (c *Commands) beginWebAuthNLogin(ctx context.Context, userID, resourceOwner if err != nil { return nil, nil, err } - webAuthNLogin, err := c.webauthnConfig.BeginLogin(ctx, human, domain.UserVerificationRequirementDiscouraged, isLoginUI, tokens...) + webAuthNLogin, err := c.webauthnConfig.BeginLogin(ctx, human, userVerification, tokens...) if err != nil { return nil, nil, err } @@ -357,7 +357,7 @@ func (c *Commands) beginWebAuthNLogin(ctx context.Context, userID, resourceOwner return userAgg, webAuthNLogin, nil } -func (c *Commands) HumanFinishU2FLogin(ctx context.Context, userID, resourceOwner string, credentialData []byte, authRequest *domain.AuthRequest, isLoginUI bool) error { +func (c *Commands) HumanFinishU2FLogin(ctx context.Context, userID, resourceOwner string, credentialData []byte, authRequest *domain.AuthRequest) error { webAuthNLogin, err := c.getHumanU2FLogin(ctx, userID, authRequest.ID, resourceOwner) if err != nil { return err @@ -367,10 +367,10 @@ func (c *Commands) HumanFinishU2FLogin(ctx context.Context, userID, resourceOwne return err } - userAgg, token, signCount, err := c.finishWebAuthNLogin(ctx, userID, resourceOwner, credentialData, webAuthNLogin, u2fTokens, isLoginUI) + userAgg, token, signCount, err := c.finishWebAuthNLogin(ctx, userID, resourceOwner, credentialData, webAuthNLogin, u2fTokens) if err != nil { if userAgg == nil { - logging.LogWithFields("EVENT-Addqd", "userID", userID, "resourceOwner", resourceOwner).WithError(err).Warn("missing userAggregate for pushing failed u2f check event") + logging.WithFields("userID", userID, "resourceOwner", resourceOwner).WithError(err).Warn("missing userAggregate for pushing failed u2f check event") return err } _, pushErr := c.eventstore.Push(ctx, @@ -380,7 +380,7 @@ func (c *Commands) HumanFinishU2FLogin(ctx context.Context, userID, resourceOwne authRequestDomainToAuthRequestInfo(authRequest), ), ) - logging.LogWithFields("EVENT-Bdgd2", "userID", userID, "resourceOwner", resourceOwner).OnError(pushErr).Warn("could not push failed u2f check event") + logging.WithFields("userID", userID, "resourceOwner", resourceOwner).OnError(pushErr).Warn("could not push failed u2f check event") return err } @@ -401,7 +401,7 @@ func (c *Commands) HumanFinishU2FLogin(ctx context.Context, userID, resourceOwne return err } -func (c *Commands) HumanFinishPasswordlessLogin(ctx context.Context, userID, resourceOwner string, credentialData []byte, authRequest *domain.AuthRequest, isLoginUI bool) error { +func (c *Commands) HumanFinishPasswordlessLogin(ctx context.Context, userID, resourceOwner string, credentialData []byte, authRequest *domain.AuthRequest) error { webAuthNLogin, err := c.getHumanPasswordlessLogin(ctx, userID, authRequest.ID, resourceOwner) if err != nil { return err @@ -412,10 +412,10 @@ func (c *Commands) HumanFinishPasswordlessLogin(ctx context.Context, userID, res return err } - userAgg, token, signCount, err := c.finishWebAuthNLogin(ctx, userID, resourceOwner, credentialData, webAuthNLogin, passwordlessTokens, isLoginUI) + userAgg, token, signCount, err := c.finishWebAuthNLogin(ctx, userID, resourceOwner, credentialData, webAuthNLogin, passwordlessTokens) if err != nil { if userAgg == nil { - logging.LogWithFields("EVENT-Dbbbw", "userID", userID, "resourceOwner", resourceOwner).WithError(err).Warn("missing userAggregate for pushing failed passwordless check event") + logging.WithFields("userID", userID, "resourceOwner", resourceOwner).WithError(err).Warn("missing userAggregate for pushing failed passwordless check event") return err } _, pushErr := c.eventstore.Push(ctx, @@ -425,7 +425,7 @@ func (c *Commands) HumanFinishPasswordlessLogin(ctx context.Context, userID, res authRequestDomainToAuthRequestInfo(authRequest), ), ) - logging.LogWithFields("EVENT-33M9f", "userID", userID, "resourceOwner", resourceOwner).OnError(pushErr).Warn("could not push failed passwordless check event") + logging.WithFields("userID", userID, "resourceOwner", resourceOwner).OnError(pushErr).Warn("could not push failed passwordless check event") return err } @@ -445,7 +445,7 @@ func (c *Commands) HumanFinishPasswordlessLogin(ctx context.Context, userID, res return err } -func (c *Commands) finishWebAuthNLogin(ctx context.Context, userID, resourceOwner string, credentialData []byte, webAuthN *domain.WebAuthNLogin, tokens []*domain.WebAuthNToken, isLoginUI bool) (*eventstore.Aggregate, *domain.WebAuthNToken, uint32, error) { +func (c *Commands) finishWebAuthNLogin(ctx context.Context, userID, resourceOwner string, credentialData []byte, webAuthN *domain.WebAuthNLogin, tokens []*domain.WebAuthNToken) (*eventstore.Aggregate, *domain.WebAuthNToken, uint32, error) { if userID == "" { return nil, nil, 0, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-hh8K9", "Errors.IDMissing") } @@ -454,7 +454,7 @@ func (c *Commands) finishWebAuthNLogin(ctx context.Context, userID, resourceOwne if err != nil { return nil, nil, 0, err } - keyID, signCount, err := c.webauthnConfig.FinishLogin(ctx, human, webAuthN, credentialData, isLoginUI, tokens...) + keyID, signCount, err := c.webauthnConfig.FinishLogin(ctx, human, webAuthN, credentialData, tokens...) if err != nil && keyID == nil { return nil, nil, 0, err } @@ -485,6 +485,9 @@ func (c *Commands) HumanRemovePasswordless(ctx context.Context, userID, webAuthN func (c *Commands) HumanAddPasswordlessInitCode(ctx context.Context, userID, resourceOwner string, passwordlessCodeGenerator crypto.Generator) (*domain.PasswordlessInitCode, error) { codeEvent, initCode, code, err := c.humanAddPasswordlessInitCode(ctx, userID, resourceOwner, true, passwordlessCodeGenerator) + if err != nil { + return nil, err + } pushedEvents, err := c.eventstore.Push(ctx, codeEvent) if err != nil { return nil, err @@ -576,7 +579,7 @@ func (c *Commands) humanVerifyPasswordlessInitCode(ctx context.Context, userID, if err != nil || initCode.State != domain.PasswordlessInitCodeStateActive { userAgg := UserAggregateFromWriteModel(&initCode.WriteModel) _, err = c.eventstore.Push(ctx, usr_repo.NewHumanPasswordlessInitCodeCheckFailedEvent(ctx, userAgg, codeID)) - logging.LogWithFields("COMMAND-Gkuud", "userID", userAgg.ID).OnError(err).Error("NewHumanPasswordlessInitCodeCheckFailedEvent push failed") + logging.WithFields("userID", userAgg.ID).OnError(err).Error("NewHumanPasswordlessInitCodeCheckFailedEvent push failed") return caos_errs.ThrowInvalidArgument(err, "COMMAND-Dhz8i", "Errors.User.Code.Invalid") } return nil diff --git a/internal/webauthn/webauthn.go b/internal/webauthn/webauthn.go index eb1d521282..a06f909434 100644 --- a/internal/webauthn/webauthn.go +++ b/internal/webauthn/webauthn.go @@ -127,7 +127,7 @@ func (w *Config) FinishRegistration(ctx context.Context, user *domain.Human, web return webAuthN, nil } -func (w *Config) BeginLogin(ctx context.Context, user *domain.Human, userVerification domain.UserVerificationRequirement, isLoginUI bool, webAuthNs ...*domain.WebAuthNToken) (*domain.WebAuthNLogin, error) { +func (w *Config) BeginLogin(ctx context.Context, user *domain.Human, userVerification domain.UserVerificationRequirement, webAuthNs ...*domain.WebAuthNToken) (*domain.WebAuthNLogin, error) { webAuthNServer, err := w.serverFromContext(ctx) if err != nil { return nil, err @@ -151,7 +151,7 @@ func (w *Config) BeginLogin(ctx context.Context, user *domain.Human, userVerific }, nil } -func (w *Config) FinishLogin(ctx context.Context, user *domain.Human, webAuthN *domain.WebAuthNLogin, credData []byte, isLoginUI bool, webAuthNs ...*domain.WebAuthNToken) ([]byte, uint32, error) { +func (w *Config) FinishLogin(ctx context.Context, user *domain.Human, webAuthN *domain.WebAuthNLogin, credData []byte, webAuthNs ...*domain.WebAuthNToken) ([]byte, uint32, error) { assertionData, err := protocol.ParseCredentialRequestResponseBody(bytes.NewReader(credData)) if err != nil { return nil, 0, caos_errs.ThrowInternal(err, "WEBAU-ADgv4", "Errors.User.WebAuthN.ValidateLoginFailed")