mirror of
				https://github.com/zitadel/zitadel.git
				synced 2025-10-24 23:19:09 +00:00 
			
		
		
		
	 d8e42744b4
			
		
	
	d8e42744b4
	
	
	
		
			
			* fix: move eventstore pkgs * fix: move eventstore pkgs * fix: remove v2 view * fix: remove v2 view
		
			
				
	
	
		
			183 lines
		
	
	
		
			6.0 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			183 lines
		
	
	
		
			6.0 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| package webauthn
 | |
| 
 | |
| import (
 | |
| 	"bytes"
 | |
| 	"encoding/json"
 | |
| 	"github.com/caos/zitadel/internal/domain"
 | |
| 
 | |
| 	"github.com/duo-labs/webauthn/protocol"
 | |
| 	"github.com/duo-labs/webauthn/webauthn"
 | |
| 
 | |
| 	"github.com/caos/zitadel/internal/config/systemdefaults"
 | |
| 	caos_errs "github.com/caos/zitadel/internal/errors"
 | |
| )
 | |
| 
 | |
| type WebAuthN struct {
 | |
| 	webLogin   *webauthn.WebAuthn
 | |
| 	webConsole *webauthn.WebAuthn
 | |
| }
 | |
| 
 | |
| func StartServer(sd systemdefaults.WebAuthN) (*WebAuthN, error) {
 | |
| 	webLogin, err := webauthn.New(&webauthn.Config{
 | |
| 		RPDisplayName: sd.DisplayName,
 | |
| 		RPID:          sd.ID,
 | |
| 		RPOrigin:      sd.OriginLogin,
 | |
| 	})
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	webConsole, err := webauthn.New(&webauthn.Config{
 | |
| 		RPDisplayName: sd.DisplayName,
 | |
| 		RPID:          sd.ID,
 | |
| 		RPOrigin:      sd.OriginConsole,
 | |
| 	})
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	return &WebAuthN{
 | |
| 		webLogin:   webLogin,
 | |
| 		webConsole: webConsole,
 | |
| 	}, err
 | |
| }
 | |
| 
 | |
| type webUser struct {
 | |
| 	*domain.Human
 | |
| 	accountName string
 | |
| 	credentials []webauthn.Credential
 | |
| }
 | |
| 
 | |
| func (u *webUser) WebAuthnID() []byte {
 | |
| 	return []byte(u.AggregateID)
 | |
| }
 | |
| 
 | |
| func (u *webUser) WebAuthnName() string {
 | |
| 	if u.accountName != "" {
 | |
| 		return u.accountName
 | |
| 	}
 | |
| 	return u.GetUsername()
 | |
| }
 | |
| 
 | |
| func (u *webUser) WebAuthnDisplayName() string {
 | |
| 	return u.DisplayName
 | |
| }
 | |
| 
 | |
| func (u *webUser) WebAuthnIcon() string {
 | |
| 	return ""
 | |
| }
 | |
| 
 | |
| func (u *webUser) WebAuthnCredentials() []webauthn.Credential {
 | |
| 	return u.credentials
 | |
| }
 | |
| 
 | |
| func (w *WebAuthN) BeginRegistration(user *domain.Human, accountName string, authType domain.AuthenticatorAttachment, userVerification domain.UserVerificationRequirement, isLoginUI bool, webAuthNs ...*domain.WebAuthNToken) (*domain.WebAuthNToken, error) {
 | |
| 	creds := WebAuthNsToCredentials(webAuthNs)
 | |
| 	existing := make([]protocol.CredentialDescriptor, len(creds))
 | |
| 	for i, cred := range creds {
 | |
| 		existing[i] = protocol.CredentialDescriptor{
 | |
| 			Type:         protocol.PublicKeyCredentialType,
 | |
| 			CredentialID: cred.ID,
 | |
| 		}
 | |
| 	}
 | |
| 	credentialOptions, sessionData, err := w.web(isLoginUI).BeginRegistration(
 | |
| 		&webUser{
 | |
| 			Human:       user,
 | |
| 			accountName: accountName,
 | |
| 			credentials: creds,
 | |
| 		},
 | |
| 		webauthn.WithAuthenticatorSelection(protocol.AuthenticatorSelection{
 | |
| 			UserVerification:        UserVerificationFromDomain(userVerification),
 | |
| 			AuthenticatorAttachment: AuthenticatorAttachmentFromDomain(authType),
 | |
| 		}),
 | |
| 		webauthn.WithConveyancePreference(protocol.PreferNoAttestation),
 | |
| 		webauthn.WithExclusions(existing),
 | |
| 	)
 | |
| 	if err != nil {
 | |
| 		return nil, caos_errs.ThrowInternal(err, "WEBAU-bM8sd", "Errors.User.WebAuthN.BeginRegisterFailed")
 | |
| 	}
 | |
| 	cred, err := json.Marshal(credentialOptions)
 | |
| 	if err != nil {
 | |
| 		return nil, caos_errs.ThrowInternal(err, "WEBAU-D7cus", "Errors.User.WebAuthN.MarshalError")
 | |
| 	}
 | |
| 	return &domain.WebAuthNToken{
 | |
| 		Challenge:              sessionData.Challenge,
 | |
| 		CredentialCreationData: cred,
 | |
| 		AllowedCredentialIDs:   sessionData.AllowedCredentialIDs,
 | |
| 		UserVerification:       UserVerificationToDomain(sessionData.UserVerification),
 | |
| 	}, nil
 | |
| }
 | |
| 
 | |
| func (w *WebAuthN) FinishRegistration(user *domain.Human, webAuthN *domain.WebAuthNToken, tokenName string, credData []byte, isLoginUI bool) (*domain.WebAuthNToken, error) {
 | |
| 	if webAuthN == nil {
 | |
| 		return nil, caos_errs.ThrowInternal(nil, "WEBAU-5M9so", "Errors.User.WebAuthN.NotFound")
 | |
| 	}
 | |
| 	credentialData, err := protocol.ParseCredentialCreationResponseBody(bytes.NewReader(credData))
 | |
| 	if err != nil {
 | |
| 		return nil, caos_errs.ThrowInternal(err, "WEBAU-sEr8c", "Errors.User.WebAuthN.ErrorOnParseCredential")
 | |
| 	}
 | |
| 	sessionData := WebAuthNToSessionData(webAuthN)
 | |
| 	credential, err := w.web(isLoginUI).CreateCredential(
 | |
| 		&webUser{
 | |
| 			Human: user,
 | |
| 		},
 | |
| 		sessionData,
 | |
| 		credentialData)
 | |
| 	if err != nil {
 | |
| 		return nil, caos_errs.ThrowInternal(err, "WEBAU-3Vb9s", "Errors.User.WebAuthN.CreateCredentialFailed")
 | |
| 	}
 | |
| 
 | |
| 	webAuthN.KeyID = credential.ID
 | |
| 	webAuthN.PublicKey = credential.PublicKey
 | |
| 	webAuthN.AttestationType = credential.AttestationType
 | |
| 	webAuthN.AAGUID = credential.Authenticator.AAGUID
 | |
| 	webAuthN.SignCount = credential.Authenticator.SignCount
 | |
| 	webAuthN.WebAuthNTokenName = tokenName
 | |
| 	return webAuthN, nil
 | |
| }
 | |
| 
 | |
| func (w *WebAuthN) BeginLogin(user *domain.Human, userVerification domain.UserVerificationRequirement, isLoginUI bool, webAuthNs ...*domain.WebAuthNToken) (*domain.WebAuthNLogin, error) {
 | |
| 	assertion, sessionData, err := w.web(isLoginUI).BeginLogin(&webUser{
 | |
| 		Human:       user,
 | |
| 		credentials: WebAuthNsToCredentials(webAuthNs),
 | |
| 	}, webauthn.WithUserVerification(UserVerificationFromDomain(userVerification)))
 | |
| 	if err != nil {
 | |
| 		return nil, caos_errs.ThrowInternal(err, "WEBAU-4G8sw", "Errors.User.WebAuthN.BeginLoginFailed")
 | |
| 	}
 | |
| 	cred, err := json.Marshal(assertion)
 | |
| 	if err != nil {
 | |
| 		return nil, caos_errs.ThrowInternal(err, "WEBAU-2M0s9", "Errors.User.WebAuthN.MarshalError")
 | |
| 	}
 | |
| 	return &domain.WebAuthNLogin{
 | |
| 		Challenge:               sessionData.Challenge,
 | |
| 		CredentialAssertionData: cred,
 | |
| 		AllowedCredentialIDs:    sessionData.AllowedCredentialIDs,
 | |
| 		UserVerification:        userVerification,
 | |
| 	}, nil
 | |
| }
 | |
| 
 | |
| func (w *WebAuthN) FinishLogin(user *domain.Human, webAuthN *domain.WebAuthNLogin, credData []byte, isLoginUI bool, webAuthNs ...*domain.WebAuthNToken) ([]byte, uint32, error) {
 | |
| 	assertionData, err := protocol.ParseCredentialRequestResponseBody(bytes.NewReader(credData))
 | |
| 	if err != nil {
 | |
| 		return nil, 0, caos_errs.ThrowInternal(err, "WEBAU-ADgv4", "Errors.User.WebAuthN.ValidateLoginFailed")
 | |
| 	}
 | |
| 	webUser := &webUser{
 | |
| 		Human:       user,
 | |
| 		credentials: WebAuthNsToCredentials(webAuthNs),
 | |
| 	}
 | |
| 	credential, err := w.web(isLoginUI).ValidateLogin(webUser, WebAuthNLoginToSessionData(webAuthN), assertionData)
 | |
| 	if err != nil {
 | |
| 		return nil, 0, caos_errs.ThrowInternal(err, "WEBAU-3M9si", "Errors.User.WebAuthN.ValidateLoginFailed")
 | |
| 	}
 | |
| 
 | |
| 	if credential.Authenticator.CloneWarning {
 | |
| 		return credential.ID, credential.Authenticator.SignCount, caos_errs.ThrowInternal(err, "WEBAU-4M90s", "Errors.User.WebAuthN.CloneWarning")
 | |
| 	}
 | |
| 	return credential.ID, credential.Authenticator.SignCount, nil
 | |
| }
 | |
| 
 | |
| func (w *WebAuthN) web(isLoginUI bool) *webauthn.WebAuthn {
 | |
| 	if isLoginUI {
 | |
| 		return w.webLogin
 | |
| 	}
 | |
| 	return w.webConsole
 | |
| }
 |