MC-22950: Enable 2FA by default for Admins

- New implementation for u2f keys

Author: nathanjosiah

TwoFactorAuth/Block/Provider/U2fKey/Auth.php

@@ -26,6 +26,11 @@ class Auth extends Template
      */
     private $session;
 
+    /**
+     * @var array
+     */
+    private $authenticateData;
+
     /**
      * @param Template\Context $context
      * @param Session $session
@@ -57,9 +62,20 @@ public function getJsLayout()
         $this->jsLayout['components']['tfa-auth']['touchImageUrl'] =
             $this->getViewFileUrl('Magento_TwoFactorAuth::images/u2f/touch.png');
 
-        $this->jsLayout['components']['tfa-auth']['authenticateData'] =
-            $this->u2fKey->getAuthenticateData($this->session->getUser());
-
+        $this->jsLayout['components']['tfa-auth']['authenticateData'] = $this->generateAuthenticateData();
         return parent::getJsLayout();
     }
+
+    /**
+     * Get the data needed to authenticate a webauthn request
+     *
+     * @return array
+     */
+    public function generateAuthenticateData(): array
+    {
+        $authenticateData = $this->u2fKey->getAuthenticateData($this->session->getUser());
+        $this->session->setTfaU2fChallenge($authenticateData['credentialRequestOptions']['challenge']);
+
+        return $authenticateData;
+    }
 }

TwoFactorAuth/Block/Provider/U2fKey/Configure.php

@@ -8,6 +8,7 @@
 namespace Magento\TwoFactorAuth\Block\Provider\U2fKey;
 
 use Magento\Backend\Block\Template;
+use Magento\Backend\Model\Auth\Session;
 use Magento\TwoFactorAuth\Model\Provider\Engine\U2fKey;
 
 /**
@@ -20,19 +21,27 @@ class Configure extends Template
      */
     private $u2fKey;
 
+    /**
+     * @var Session
+     */
+    private $session;
+
     /**
      * @param Template\Context $context
      * @param U2fKey $u2fKey
+     * @param Session $session
      * @param array $data
      */
     public function __construct(
         Template\Context $context,
         U2fKey $u2fKey,
+        Session $session,
         array $data = []
     ) {
 
         parent::__construct($context, $data);
         $this->u2fKey = $u2fKey;
+        $this->session = $session;
     }
 
     /**
@@ -50,7 +59,7 @@ public function getJsLayout()
             $this->getViewFileUrl('Magento_TwoFactorAuth::images/u2f/touch.png');
 
         $this->jsLayout['components']['tfa-configure']['registerData'] =
-            $this->u2fKey->getRegisterData();
+            $this->u2fKey->getRegisterData($this->session->getUser());
 
         return parent::getJsLayout();
     }

TwoFactorAuth/Controller/Adminhtml/U2f/Auth.php

@@ -15,7 +15,6 @@
 use Magento\TwoFactorAuth\Api\UserConfigManagerInterface;
 use Magento\TwoFactorAuth\Controller\Adminhtml\AbstractAction;
 use Magento\TwoFactorAuth\Model\Provider\Engine\U2fKey;
-use Magento\User\Model\User;
 
 /**
  * UbiKey authentication controller

TwoFactorAuth/Controller/Adminhtml/U2f/Authpost.php

@@ -22,7 +22,8 @@
 use Magento\User\Model\User;
 
 /**
- * UbiKey Authentication post controller
+ * U2f key Authentication post controller
+ *
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  * @SuppressWarnings(PHPMD.CamelCaseMethodName)
  */
@@ -92,12 +93,21 @@ public function execute()
         $result = $this->jsonFactory->create();
 
         try {
-            $this->u2fKey->verify($this->getUser(), $this->dataObjectFactory->create([
-                'data' => $this->getRequest()->getParams(),
-            ]));
-            $this->tfaSession->grantAccess();
-
-            $res = ['success' => true];
+            $challenge = $this->session->getTfaU2fChallenge();
+            if (!empty($challenge)) {
+                $this->u2fKey->verify($this->getUser(), $this->dataObjectFactory->create([
+                    'data' => [
+                        'publicKeyCredential' => $this->getRequest()->getParams()['publicKeyCredential'],
+                        'originalChallenge' => $challenge
+                    ]
+                ]));
+                $this->tfaSession->grantAccess();
+                $this->session->unsTfaU2fChallenge();
+
+                $res = ['success' => true];
+            } else {
+                $res = ['success' => false];
+            }
         } catch (Exception $e) {
             $this->alert->event(
                 'Magento_TwoFactorAuth',

TwoFactorAuth/Controller/Adminhtml/U2f/Configurepost.php

@@ -7,7 +7,6 @@
 
 namespace Magento\TwoFactorAuth\Controller\Adminhtml\U2f;
 
-use Exception;
 use Magento\Backend\App\Action\Context;
 use Magento\Backend\Model\Auth\Session;
 use Magento\Framework\App\Action\HttpPostActionInterface;
@@ -21,7 +20,8 @@
 use Magento\TwoFactorAuth\Model\UserConfig\HtmlAreaTokenVerifier;
 
 /**
- * UbiKey configuration post controller
+ * U2f key configuration post controller
+ *
  * @SuppressWarnings(PHPMD.CamelCaseMethodName)
  */
 class Configurepost extends AbstractConfigureAction implements HttpPostActionInterface
@@ -94,10 +94,9 @@ public function execute()
         $result = $this->jsonFactory->create();
 
         try {
-            $request = $this->getRequest()->getParam('request');
-            $response = $this->getRequest()->getParam('response');
+            $data = $this->getRequest()->getParam('publicKeyCredential');
 
-            $this->u2fKey->registerDevice($this->getUser(), $request, $response);
+            $this->u2fKey->registerDevice($this->getUser(), $data);
             $this->tfaSession->grantAccess();
 
             $this->alert->event(

TwoFactorAuth/Model/Provider/Engine/U2fKey.php

@@ -10,15 +10,11 @@
 use Magento\Framework\DataObject;
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Exception\NoSuchEntityException;
-use Magento\Store\Model\Store;
 use Magento\Store\Model\StoreManagerInterface;
+use Magento\TwoFactorAuth\Model\Provider\Engine\U2fKey\WebAuthn;
 use Magento\User\Api\Data\UserInterface;
 use Magento\TwoFactorAuth\Api\UserConfigManagerInterface;
 use Magento\TwoFactorAuth\Api\EngineInterface;
-use stdClass;
-use u2flib_server\Error;
-use u2flib_server\Registration;
-use u2flib_server\U2F;
 
 /**
  * UbiKey engine
@@ -42,92 +38,72 @@ class U2fKey implements EngineInterface
      */
     private $storeManager;
 
+    /**
+     * @var WebAuthn
+     */
+    private $webAuthn;
+
     /**
      * @param StoreManagerInterface $storeManager
-     * @param \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig
      * @param UserConfigManagerInterface $userConfigManager
+     * @param WebAuthn $webAuthn
      */
     public function __construct(
         StoreManagerInterface $storeManager,
-        \Magento\Framework\App\Config\ScopeConfigInterface $scopeConfig,
-        UserConfigManagerInterface $userConfigManager
+        UserConfigManagerInterface $userConfigManager,
+        WebAuthn $webAuthn
     ) {
         $this->userConfigManager = $userConfigManager;
         $this->storeManager = $storeManager;
-    }
-
-    /**
-     * Converts array to object
-     * @param array $hash
-     * @return stdClass
-     */
-    private function hashToObject(array $hash): stdClass
-    {
-        // @codingStandardsIgnoreStart
-        $object = new stdClass();
-        // @codingStandardsIgnoreEnd
-        foreach ($hash as $key => $value) {
-            $object->$key = $value;
-        }
-
-        return $object;
+        $this->webAuthn = $webAuthn;
     }
 
     /**
      * @inheritDoc
      */
     public function verify(UserInterface $user, DataObject $request): bool
     {
-        $u2f = $this->getU2f();
-
         $registration = $this->getRegistration($user);
         if ($registration === null) {
             throw new LocalizedException(__('Missing registration data'));
         }
 
-        $requests = [$this->hashToObject($request->getData('request')[0])];
-        $registrations = [$this->hashToObject($registration)];
-        $response = $this->hashToObject($request->getData('response'));
-
-        // it triggers an error in case of auth failure
-        $u2f->doAuthenticate($requests, $registrations, $response);
+        $this->webAuthn->assertCredentialDataIsValid(
+            $request->getData('publicKeyCredential'),
+            $registration['public_keys'],
+            $request->getData('originalChallenge')
+        );
 
         return true;
     }
 
     /**
      * Create the registration challenge
+     *
+     * @param UserInterface $user
      * @return array
      * @throws LocalizedException
-     * @throws Error
      */
-    public function getRegisterData(): array
+    public function getRegisterData(UserInterface $user): array
     {
-        $u2f = $this->getU2f();
-        return $u2f->getRegisterData();
+        return $this->webAuthn->getRegisterData($user);
     }
 
     /**
      * Get authenticate data
+     *
      * @param UserInterface $user
      * @return array
      * @throws LocalizedException
-     * @throws Error
      */
     public function getAuthenticateData(UserInterface $user): array
     {
-        $u2f = $this->getU2f();
-
-        $registration = $this->getRegistration($user);
-        if ($registration === null) {
-            throw new LocalizedException(__('Missing registration data'));
-        }
-
-        return $u2f->getAuthenticateData([$this->hashToObject($registration)]);
+        return $this->webAuthn->getAuthenticateData($this->getRegistration($user)['public_keys']);
     }
 
     /**
      * Get registration information
+     *
      * @param UserInterface $user
      * @return array
      * @throws NoSuchEntityException
@@ -145,34 +121,22 @@ private function getRegistration(UserInterface $user): array
 
     /**
      * Register a new key
+     *
      * @param UserInterface $user
-     * @param array $request
-     * @param array $response
-     * @return Registration
-     * @throws LocalizedException
+     * @param array $data
      * @throws NoSuchEntityException
-     * @throws Error
+     * @throws \Magento\Framework\Validation\ValidationException
      */
-    public function registerDevice(UserInterface $user, array $request, array $response): Registration
+    public function registerDevice(UserInterface $user, array $data): void
     {
-        // Must convert to object
-        $request = $this->hashToObject($request);
-        $response = $this->hashToObject($response);
-
-        $u2f = $this->getU2f();
-        $res = $u2f->doRegister($request, $response);
+        $publicKey = $this->webAuthn->getPublicKeyFromRegistrationData($data);
 
         $this->userConfigManager->addProviderConfig((int) $user->getId(), static::CODE, [
             'registration' => [
-                'certificate' => $res->certificate,
-                'keyHandle' => $res->keyHandle,
-                'publicKey' => $res->publicKey,
-                'counter' => $res->counter,
+                'public_keys' => [$publicKey]
             ]
         ]);
         $this->userConfigManager->activateProviderConfiguration((int) $user->getId(), static::CODE);
-
-        return $res;
     }
 
     /**
@@ -182,27 +146,4 @@ public function isEnabled(): bool
     {
         return true;
     }
-
-    /**
-     * @return U2F
-     * @throws LocalizedException
-     * @throws Error
-     */
-    private function getU2f(): U2F
-    {
-        /** @var Store $store */
-        $store = $this->storeManager->getStore(Store::ADMIN_CODE);
-
-        $baseUrl = $store->getBaseUrl();
-        if (preg_match('/^(https?:\/\/.+?)\//', $baseUrl, $matches)) {
-            $domain = $matches[1];
-        } else {
-            throw new LocalizedException(__('Unexpected error while parsing domain name'));
-        }
-
-        /** @var U2F $u2f */
-        // @codingStandardsIgnoreStart
-        return new U2F($domain);
-        // @codingStandardsIgnoreEnd
-    }
 }