Merge pull request #102 from silinternational/feature/webauthn

forevermatt · web-flow · commit 077c0f6f9c0b · 2021-12-14T17:23:59.000-05:00
Add support for WebAuthn (leaving U2F support in place)
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 .idea/
 vendor/
+node_modules/
 composer.lock
 nbproject/
 .vagrant/
diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2016 SIL International
+Copyright (c) 2021 SIL International
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/Makefile b/Makefile
@@ -1,7 +1,19 @@
-start:
+start: deps
 	docker-compose pull
 	docker-compose up -d
 
+copyJsLib:
+	cp ./node_modules/@simplewebauthn/browser/dist/bundle/index.umd.min.js ./www/simplewebauthn/browser.js
+	cp ./node_modules/@simplewebauthn/browser/LICENSE.md ./www/simplewebauthn/LICENSE.md
+
+deps:
+	docker-compose run --rm node npm install --ignore-scripts
+	make copyJsLib
+
+depsupdate:
+	docker-compose run --rm node npm update --ignore-scripts
+	make copyJsLib
+
 errors:
 	docker-compose exec hub cat /var/log/apache2/error.log
 	docker-compose exec idp1 cat /var/log/apache2/error.log
diff --git a/README.md b/README.md
@@ -185,13 +185,28 @@ _Note:  This nag only works once since choosing later will simply set the nag da
 1.  Insert key and press
 1.  Click **Logout**
 
+#### Key (WebAuthn)
+
+1.  Goto [SP 1](http://ssp-sp1.local:8082/module.php/core/authenticate.php?as=hub-discovery)
+1.  Click **idp4** (third one)
+1.  Login as a "webauthn" user: `username=`**has_webauthn** `password=`**a**
+1.  Insert key and press
+1.  Click **Logout**
+
 #### Multiple options
 
 1.  Goto [SP 1](http://ssp-sp1.local:8082/module.php/core/authenticate.php?as=hub-discovery)
 1.  Click **idp4** (third one)
 1.  Login as a "multiple option" user: `username=`**has_all** `password=`**a**
 1.  Click **MORE OPTIONS**
 
+#### Multiple options (legacy, with U2F)
+
+1.  Goto [SP 1](http://ssp-sp1.local:8082/module.php/core/authenticate.php?as=hub-discovery)
+1.  Click **idp4** (third one)
+1.  Login as a "multiple option" user: `username=`**has_all_legacy** `password=`**a**
+1.  Click **MORE OPTIONS**
+
 #### Manager rescue
 
 1.  Goto [SP 1](http://ssp-sp1.local:8082/module.php/core/authenticate.php?as=hub-discovery)
diff --git a/composer.json b/composer.json
@@ -12,6 +12,7 @@
   "minimum-stability": "stable",
   "require": {
     "php": ">=7.0",
+    "ext-json": "*",
     "simplesamlphp/composer-module-installer": "^1.1.5",
     "simplesamlphp/simplesamlphp": "~1.18.6",
     "silinternational/ssp-utilities": "^1.0"
diff --git a/development/idp4/m991231_235959_insert_mfa_test_users.php b/development/idp4/m991231_235959_insert_mfa_test_users.php
@@ -15,9 +15,11 @@ public function safeUp()
             [ 3  ,'a42317a0-9a43-4da0-9921-50f004e011c0','33333'      ,'Has'       ,'Backup'   ,'has_backupcode' ,'has_backupcode@example.org' ,'yes'   ,'no'    , MySqlDateTime::now(), MySqlDateTime::now(),'no'         , MySqlDateTime::today()            , MySqlDateTime::today()            , MySqlDateTime::today()            ,'mgr@example.org'],
             [ 4  ,'7bab90d3-9f54-4187-804d-7f6400021789','44444'      ,'Has'       ,'Totp'     ,'has_totp'       ,'has_totp@example.org'       ,'yes'   ,'no'    , MySqlDateTime::now(), MySqlDateTime::now(),'no'         , MySqlDateTime::today()            , MySqlDateTime::today()            , MySqlDateTime::today()            ,'mgr@example.org'],
             [ 5  ,'6b614606-bbe8-4793-b0db-ca862295c661','55555'      ,'Has'       ,'U2f'      ,'has_u2f'        ,'has_u2f@example.org'        ,'yes'   ,'no'    , MySqlDateTime::now(), MySqlDateTime::now(),'no'         , MySqlDateTime::today()            , MySqlDateTime::today()            , MySqlDateTime::today()            ,'mgr@example.org'],
-            [ 6  ,'7c695eac-dbca-45d0-b3dc-2df2e1d2294c','77777'      ,'Has'       ,'All'      ,'has_all'        ,'has_all@example.org'        ,'yes'   ,'no'    , MySqlDateTime::now(), MySqlDateTime::now(),'no'         , MySqlDateTime::today()            , MySqlDateTime::today()            , MySqlDateTime::today()            ,'mgr@example.org'],
+            [ 6  ,'7c695eac-dbca-45d0-b3dc-2df2e1d2294c','77777'      ,'Has'       ,'All'      ,'has_all_legacy' ,'has_all_legacy@example.org' ,'yes'   ,'no'    , MySqlDateTime::now(), MySqlDateTime::now(),'no'         , MySqlDateTime::today()            , MySqlDateTime::today()            , MySqlDateTime::today()            ,'mgr@example.org'],
             [ 7  ,'7c695eac-dbca-45d0-b3dc-123jkhf23bql','88888'      ,'Review'    ,'Needed'   ,'needs_review'   ,'needs_review@example.org'   ,'yes'   ,'no'    , MySqlDateTime::now(), MySqlDateTime::now(),'no'         , MySqlDateTime::relative('-3 days'), MySqlDateTime::today()            , MySqlDateTime::today()            ,'mgr@example.org'],
             [ 8  ,'7c695eac-dbca-45d0-b3dc-123jkhf23bbq','99999'      ,'No'        ,'Methods'  ,'nag_for_method' ,'nag_for_method@example.org' ,'yes'   ,'no'    , MySqlDateTime::now(), MySqlDateTime::now(),'no'         , MySqlDateTime::today()            , MySqlDateTime::today()            , MySqlDateTime::relative('-1 days'),'mgr@example.org'],
+            [ 9  ,'c818d44a-a322-45f4-a1d0-6afc3c2a54e9','66666'      ,'Has'       ,'WebAuthn' ,'has_webauthn'   ,'has_webauthn@example.org'   ,'yes'   ,'no'    , MySqlDateTime::now(), MySqlDateTime::now(),'no'         , MySqlDateTime::today()            , MySqlDateTime::today()            , MySqlDateTime::today()            ,'mgr@example.org'],
+            [ 10 ,'9272ae4c-4489-4509-94f3-dae81175e213','77778'      ,'Has'       ,'All'      ,'has_all'        ,'has_all@example.org'        ,'yes'   ,'no'    , MySqlDateTime::now(), MySqlDateTime::now(),'no'         , MySqlDateTime::today()            , MySqlDateTime::today()            , MySqlDateTime::today()            ,'mgr@example.org'],
         ]);
 
         $this->batchInsert('{{password}}',
@@ -30,30 +32,38 @@ public function safeUp()
             [ 6  , 6       ,'$2y$10$rKbAp0M8gewGpQKhD.U6qOSGDlMqKFkxK9tQZ15SZoieqYHYNsD/y', MySqlDateTime::now(), MySqlDateTime::relative('+1 year'), MySqlDateTime::relative('+1 year')],
             [ 7  , 7       ,'$2y$10$rKbAp0M8gewGpQKhD.U6qOSGDlMqKFkxK9tQZ15SZoieqYHYNsD/y', MySqlDateTime::now(), MySqlDateTime::relative('+1 year'), MySqlDateTime::relative('+1 year')],
             [ 8  , 8       ,'$2y$10$rKbAp0M8gewGpQKhD.U6qOSGDlMqKFkxK9tQZ15SZoieqYHYNsD/y', MySqlDateTime::now(), MySqlDateTime::relative('+1 year'), MySqlDateTime::relative('+1 year')],
+            [ 9  , 9       ,'$2y$10$rKbAp0M8gewGpQKhD.U6qOSGDlMqKFkxK9tQZ15SZoieqYHYNsD/y', MySqlDateTime::now(), MySqlDateTime::relative('+1 year'), MySqlDateTime::relative('+1 year')],
+            [ 10 , 10      ,'$2y$10$rKbAp0M8gewGpQKhD.U6qOSGDlMqKFkxK9tQZ15SZoieqYHYNsD/y', MySqlDateTime::now(), MySqlDateTime::relative('+1 year'), MySqlDateTime::relative('+1 year')],
         ]);
 
-        $this->update('{{user}}', ['current_password_id' => 1], 'id=1');
-        $this->update('{{user}}', ['current_password_id' => 2], 'id=2');
-        $this->update('{{user}}', ['current_password_id' => 3], 'id=3');
-        $this->update('{{user}}', ['current_password_id' => 4], 'id=4');
-        $this->update('{{user}}', ['current_password_id' => 5], 'id=5');
-        $this->update('{{user}}', ['current_password_id' => 6], 'id=6');
-        $this->update('{{user}}', ['current_password_id' => 7], 'id=7');
-        $this->update('{{user}}', ['current_password_id' => 8], 'id=8');
+        $this->update('{{user}}', ['current_password_id' => 1 ], 'id=1' );
+        $this->update('{{user}}', ['current_password_id' => 2 ], 'id=2' );
+        $this->update('{{user}}', ['current_password_id' => 3 ], 'id=3' );
+        $this->update('{{user}}', ['current_password_id' => 4 ], 'id=4' );
+        $this->update('{{user}}', ['current_password_id' => 5 ], 'id=5' );
+        $this->update('{{user}}', ['current_password_id' => 6 ], 'id=6' );
+        $this->update('{{user}}', ['current_password_id' => 7 ], 'id=7' );
+        $this->update('{{user}}', ['current_password_id' => 8 ], 'id=8' );
+        $this->update('{{user}}', ['current_password_id' => 9 ], 'id=9' );
+        $this->update('{{user}}', ['current_password_id' => 10], 'id=10');
 
         //TODO: unfortunately, a real uuid that's been verified is required for testing at this time ...will discuss decoupling 2-factor config with authentication.
         $this->batchInsert('{{mfa}}',
-            ['id','user_id','type'      ,'external_uuid'                       ,'label'           ,'verified','created_utc'        ],[
-            [ 1  , 3       ,'backupcode',NULL                                  ,'Printable Codes' , 1        , MySqlDateTime::now()],
-            [ 2  , 4       ,'totp'      ,'38764a89-b904-404e-a195-1ad2bcfabf75','Smartphone App'  , 1        , MySqlDateTime::now()], // JVRXKYTMPBEVKXLS
-            [ 3  , 5       ,'u2f'       ,'6092a08c-b271-4971-996a-6577333a7b6d','Security Key'    , 1        , MySqlDateTime::now()],
-            [ 4  , 6       ,'backupcode',NULL                                  ,'Printable Codes' , 1        , MySqlDateTime::now()],
-            [ 5  , 6       ,'totp'      ,'38764a89-b904-404e-a195-1ad2bcfabf75','Smartphone App'  , 1        , MySqlDateTime::now()], // JVRXKYTMPBEVKXLS
-            [ 6  , 6       ,'u2f'       ,'6092a08c-b271-4971-996a-6577333a7b6d','Security Key'    , 1        , MySqlDateTime::now()],
-            [ 7  , 7       ,'backupcode',NULL                                  ,'Printable Codes' , 1        , MySqlDateTime::now()],
-            [ 8  , 7       ,'totp'      ,'38764a89-b904-404e-a195-1ad2bcfabf75','Smartphone App'  , 1        , MySqlDateTime::now()], // JVRXKYTMPBEVKXLS
-            [ 9  , 7       ,'u2f'       ,'6092a08c-b271-4971-996a-6577333a7b6d','Security Key'    , 1        , MySqlDateTime::now()],
-            [ 10 , 8       ,'backupcode',NULL                                  ,'Printable Codes' , 1        , MySqlDateTime::now()],
+            ['id','user_id','type'      ,'external_uuid'                       ,'label'             ,'verified','created_utc'        ],[
+            [ 1  , 3       ,'backupcode',NULL                                  ,'Printable Codes'   , 1        , MySqlDateTime::now()],
+            [ 2  , 4       ,'totp'      ,'38764a89-b904-404e-a195-1ad2bcfabf75','Smartphone App'    , 1        , MySqlDateTime::now()], // JVRXKYTMPBEVKXLS
+            [ 3  , 5       ,'webauthn'  ,'6092a08c-b271-4971-996a-6577333a7b6d','Security Key (U2F)', 1        , MySqlDateTime::now()],
+            [ 4  , 6       ,'backupcode',NULL                                  ,'Printable Codes'   , 1        , MySqlDateTime::now()],
+            [ 5  , 6       ,'totp'      ,'38764a89-b904-404e-a195-1ad2bcfabf75','Smartphone App'    , 1        , MySqlDateTime::now()], // JVRXKYTMPBEVKXLS
+            [ 6  , 6       ,'webauthn'  ,'6092a08c-b271-4971-996a-6577333a7b6d','Security Key (U2F)', 1        , MySqlDateTime::now()],
+            [ 7  , 7       ,'backupcode',NULL                                  ,'Printable Codes'   , 1        , MySqlDateTime::now()],
+            [ 8  , 7       ,'totp'      ,'38764a89-b904-404e-a195-1ad2bcfabf75','Smartphone App'    , 1        , MySqlDateTime::now()], // JVRXKYTMPBEVKXLS
+            [ 9  , 7       ,'webauthn'  ,'6092a08c-b271-4971-996a-6577333a7b6d','Security Key (U2F)', 1        , MySqlDateTime::now()],
+            [ 10 , 8       ,'backupcode',NULL                                  ,'Printable Codes'   , 1        , MySqlDateTime::now()],
+            [ 11 , 9       ,'webauthn'  ,'11111111-1111-4111-1111-111111111111','Security Key'      , 1        , MySqlDateTime::now()],
+            [ 12 , 10      ,'backupcode',NULL                                  ,'Printable Codes'   , 1        , MySqlDateTime::now()],
+            [ 13 , 10      ,'totp'      ,'38764a89-b904-404e-a195-1ad2bcfabf75','Smartphone App'    , 1        , MySqlDateTime::now()], // JVRXKYTMPBEVKXLS
+            [ 14 , 10      ,'webauthn'  ,'11111111-1111-4111-1111-111111111111','Security Key'      , 1        , MySqlDateTime::now()],
         ]);
 
         $this->batchInsert('{{mfa_backupcode}}',
@@ -78,6 +88,11 @@ public function safeUp()
             [ 18 , 10     ,'$2y$10$rA5MdrbEcmbCiqtAgPXnYeBCEKc.AnylPArnamyu.x4DS/A0/0/4i', MySqlDateTime::now()], // 77802769
             [ 19 , 10     ,'$2y$10$JsiRI/W/FLfZzJLPj8umKeXP.rvsOW4aYQO5mOEOwGkBPpKhKWT2K', MySqlDateTime::now()], // 01970541
             [ 20 , 10     ,'$2y$10$NWw0.DPBSm.bjQoSck8xbeqJgENUhE/WazmHmsEtWoxs/UKaIdkUq', MySqlDateTime::now()], // 37771076
+            [ 21 , 12     ,'$2y$10$j/V6zcotFES8MkVmgRaiMe2E6DV1qjmO8UhUoJQD0/.p6LhZddGn2', MySqlDateTime::now()], // 94923279
+            [ 22 , 12     ,'$2y$10$If6srqyKGBag/x.nPDBeau9bjNR1RZgxqRVKhdRhJk2PkbOn5rKNS', MySqlDateTime::now()], // 82743523
+            [ 23 , 12     ,'$2y$10$rA5MdrbEcmbCiqtAgPXnYeBCEKc.AnylPArnamyu.x4DS/A0/0/4i', MySqlDateTime::now()], // 77802769
+            [ 24 , 12     ,'$2y$10$JsiRI/W/FLfZzJLPj8umKeXP.rvsOW4aYQO5mOEOwGkBPpKhKWT2K', MySqlDateTime::now()], // 01970541
+            [ 25 , 12     ,'$2y$10$NWw0.DPBSm.bjQoSck8xbeqJgENUhE/WazmHmsEtWoxs/UKaIdkUq', MySqlDateTime::now()], // 37771076
         ]);
 
         $this->batchInsert('{{method}}',
diff --git a/dictionaries/mfa.definition.json b/dictionaries/mfa.definition.json
@@ -66,30 +66,60 @@
 		"fr": "Clé de sécurité",
 		"ko": "보안키"
 	},
+	"webauthn_header": {
+		"en": "Security key",
+		"es": "Clave de seguridad",
+		"fr": "Clé de sécurité",
+		"ko": "보안키"
+	},
 	"u2f_icon": {
 		"en": "USB key icon",
 		"es": "Icono de la llave USB",
 		"fr": "Icône de clé USB",
 		"ko": "USB 키 아이콘"
 	},
+	"webauthn_icon": {
+		"en": "USB key icon",
+		"es": "Icono de la llave USB",
+		"fr": "Icône de clé USB",
+		"ko": "USB 키 아이콘"
+	},
 	"u2f_instructions": {
 		"en": "You may now insert your security key and press its button.",
 		"es": "Ahora puede insertar su clave de seguridad y presionar su botón.",
 		"fr": "Vous pouvez maintenant insérer votre clé de sécurité et appuyer sur le bouton.",
 		"ko": "이제 보안 키를 삽입하고 단추를 누를 수 있습니다."
 	},
+	"webauthn_instructions": {
+		"en": "You may now insert your security key and press its button.",
+		"es": "Ahora puede insertar su clave de seguridad y presionar su botón.",
+		"fr": "Vous pouvez maintenant insérer votre clé de sécurité et appuyer sur le bouton.",
+		"ko": "이제 보안 키를 삽입하고 단추를 누를 수 있습니다."
+	},
 	"u2f_unsupported": {
 		"en": "Unsupported in your current browser.  Please consider a more secure browser like <a href='https://www.google.com/chrome/browser' target='_blank'>Google Chrome</a>.",
 		"es": "No compatible en su navegador actual. Considere un navegador más seguro como <a href='https://www.google.com/chrome/browser' target='_blank'>Google Chrome</a>.",
 		"fr": "Non compatible avec votre navigateur actuel. Veuillez considérer un navigateur plus sûr comme <a href='https://www.google.com/chrome/browser' target='_blank'>Google Chrome</a>.",
 		"ko": "현재 브라우저에서 지원되지 않습니다. <a href='https://www.google.com/chrome/browser' target='_blank'>Chrome과</a> 같은 보다 안전한 브라우저를 고려하십시오."
 	},
+	"webauthn_unsupported": {
+		"en": "Unsupported in your current browser.  Please consider a more secure browser like <a href='https://www.google.com/chrome/browser' target='_blank'>Google Chrome</a>.",
+		"es": "No compatible en su navegador actual. Considere un navegador más seguro como <a href='https://www.google.com/chrome/browser' target='_blank'>Google Chrome</a>.",
+		"fr": "Non compatible avec votre navigateur actuel. Veuillez considérer un navigateur plus sûr comme <a href='https://www.google.com/chrome/browser' target='_blank'>Google Chrome</a>.",
+		"ko": "현재 브라우저에서 지원되지 않습니다. <a href='https://www.google.com/chrome/browser' target='_blank'>Chrome과</a> 같은 보다 안전한 브라우저를 고려하십시오."
+	},
 	"u2f_error_unknown": {
 		"en": "Something went wrong with that request, unable to verify at this time.",
 		"es": "Algo salió mal con esa solicitud, no se pudo verificar en este momento.",
 		"fr": "Quelque chose s'est mal passé avec cette demande, impossible de vérifier pour le moment.",
 		"ko": "요청에 문제가 발생하여 지금은 확인할 수 없습니다."
 	},
+	"webauthn_error_unknown": {
+		"en": "Something went wrong with that request, unable to verify at this time.",
+		"es": "Algo salió mal con esa solicitud, no se pudo verificar en este momento.",
+		"fr": "Quelque chose s'est mal passé avec cette demande, impossible de vérifier pour le moment.",
+		"ko": "요청에 문제가 발생하여 지금은 확인할 수 없습니다."
+	},
 	"u2f_error_wrong_key": {
 		"en": "This may not be the correct key for this site.",
 		"es": "Esta puede no ser la clave correcta para este sitio.",
@@ -102,6 +132,18 @@
 		"fr": "Cela a pris un peu trop de temps, vérifiez que votre clé est insérée dans le bons sens.",
 		"ko": "오랜 시간이 경과 되었으니 키가 오른쪽 위로 삽입되었는지 확인 하십시오."
 	},
+	"webauthn_error_abort": {
+		"en": "It looks like you clicked cancel. Would you like us to try again?",
+		"es": "It looks like you clicked cancel. Would you like us to try again?",
+		"fr": "Il semble que vous ayez cliqué sur annuler. Souhaitez-vous que nous essayions à nouveau ?",
+		"ko": "It looks like you clicked cancel. Would you like us to try again?"
+	},
+	"webauthn_error_not_allowed": {
+		"en": "Something about that didn't work. Please ensure that your security key is plugged in and that you touch it within 60 seconds when it blinks.",
+		"es": "Something about that didn't work. Please ensure that your security key is plugged in and that you touch it within 60 seconds when it blinks.",
+		"fr": "Quelque chose n'a pas fonctionné avec ça. Veuillez vous assurer que votre clé de sécurité est insérée et que vous la touchez dans les 60 secondes lorsqu'elle clignote.",
+		"ko": "Something about that didn't work. Please ensure that your security key is plugged in and that you touch it within 60 seconds when it blinks."
+	},
 	"manager_icon": {
 		"en": "Recovery contact icon",
 		"es": "Icono de contacto de recuperación",
@@ -234,6 +276,12 @@
 		"fr": "Utiliser plutôt ma clé de sécurité",
 		"ko": "내 보안키 사용"
 	},
+	"use_webauthn": {
+		"en": "Use my security key instead",
+		"es": "Use mi clave de seguridad en su lugar",
+		"fr": "Utiliser plutôt ma clé de sécurité",
+		"ko": "내 보안키 사용"
+	},
 	"use_totp": {
 		"en": "Use my smartphone app instead",
 		"es": "Use la aplicación de mi teléfono inteligente en su lugar",
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -288,3 +288,11 @@ services:
       SECRET_SALT: "xbcCMIHHzsgE8yYC6OIBjsp+ruZYghHn1k5Bv/IGbrg="
       IDP_NAME: "sp-2"
       IDP_DISPLAY_NAME: "SP 2"
+
+  node:
+    image: node:lts-alpine
+    volumes:
+      - ./package.json:/data/package.json
+      - ./package-lock.json:/data/package-lock.json
+      - ./node_modules:/data/node_modules
+    working_dir: /data
diff --git a/local.env.dist b/local.env.dist
@@ -6,6 +6,14 @@ MFA_U2F_apiBaseUrl=
 MFA_U2F_apiKey=
 MFA_U2F_apiSecret=
 MFA_U2F_appId=
+MFA_WEBAUTHN_apiBaseUrl=
+MFA_WEBAUTHN_apiKey=
+MFA_WEBAUTHN_apiSecret=
+MFA_WEBAUTHN_appId=
+MFA_WEBAUTHN_rpDisplayName=
+MFA_WEBAUTHN_rpId=
+# Array of origins allowed as relying parties (with scheme, without port or path)
+RP_ORIGINS=
 
 ### Optional ENV vars ###
 COMPOSER_AUTH=
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -0,0 +1,6 @@
+{
+  "name": "simplesamlphp-module-material",
+  "dependencies": {
+    "@simplewebauthn/browser": "^4.1.0"
+  }
+}
diff --git a/themes/material/mfa/prompt-for-mfa-webauthn.php b/themes/material/mfa/prompt-for-mfa-webauthn.php
diff --git a/www/mfa-webauthn.svg b/www/mfa-webauthn.svg
diff --git a/www/simplewebauthn/LICENSE.md b/www/simplewebauthn/LICENSE.md
diff --git a/www/simplewebauthn/browser.js b/www/simplewebauthn/browser.js
