bartoszek/rublon-ssh
1
0
Fork 0
Code Issues 7 Pull Requests Packages Projects Releases Wiki Activity
161ba94f45
rublon-ssh/PAM/ssh/include/rublon/method/passcode_based_auth.hpp

162 lines
6.2 KiB
C++
Raw Blame History

#pragma once
#include <tl/expected.hpp>
#include <rublon/authentication_step_interface.hpp>
#include <rublon/bits.hpp>
#include <rublon/pam_action.hpp>
#include <rublon/utils.hpp>
#include <rublon/websockets.hpp>
namespace rublon::method {
class PasscodeBasedAuth : public AuthenticationStep {
protected:
const char * _uri;
const char * _confirmField;
static constexpr const char * confirmCodeEndpoint = "/api/transaction/confirmCode";
static constexpr const char * confirmSecuritySSHEndpoint = "/api/transaction/confirmSecurityKeySSH";
static constexpr const char * fieldVericode = "vericode";
static constexpr const char * fieldOtp = "otp";
static constexpr auto _bypassCodeLength = 9;
const char * _userMessage{nullptr};
const uint_fast8_t _vericodeLength;
const bool _onlyDigits;
int _prompts;
constexpr static bool isdigit(char ch) {
return std::isdigit(static_cast< unsigned char >(ch));
}
bool digitsOnly(std::string_view userinput) const {
return std::all_of(userinput.cbegin(), userinput.cend(), isdigit);
}
bool hasValidLength(std::string_view userInput) const {
if(userInput.size() == _vericodeLength || userInput.size() == _bypassCodeLength) {
log(LogLevel::Debug, "User input size %d is correct", userInput.size());
return true;
} else {
log(LogLevel::Warning, "User input size %d is different than %d", userInput.size(), _vericodeLength);
return false;
}
}
bool hasValidCharacters(std::string_view userInput) const {
if(_onlyDigits ? digitsOnly(userInput) : true) {
log(LogLevel::Debug, "User input contains valid characters");
return true;
} else {
log(LogLevel::Warning, "User input contains characters different than digits");
return false;
}
}
tl::expected< std::reference_wrapper< Document >, Error > readPasscode(Document & body, const Pam_t & pam) const {
/// TODO assert in interactive mode
auto & alloc = body.GetAllocator();
auto vericode = pam.scan([](const char * userInput) { return std::string{userInput}; }, _userMessage);
if(hasValidLength(vericode) and hasValidCharacters(vericode)) {
Value confirmFieldValue(_confirmField, alloc);
body.AddMember(confirmFieldValue, Value{vericode.c_str(), alloc}, alloc);
if(_session.hasAccessToken()) {
this->addAccessToken(body, _session.accessToken());
}
return body;
}
return tl::unexpected{Error{WerificationError{WerificationError::BadInput}}};
}
tl::expected< AuthenticationStatus, Error > checkAuthenticationStatus(const Document & /*coreResponse*/, const Pam_t & pam) const {
pam.print("The passcode has been validated");
return AuthenticationStatus{AuthenticationStatus::Action::Confirmed};
}
tl::expected< AuthenticationStatus, Error > errorHandler(Error error, const Pam_t & pam, int promptLeft) const {
if(promptLeft && error.is< WerificationError >()) {
switch(error.get< WerificationError >().errorClass) {
case WerificationError::PasscodeException:
pam.print(R"(Incorrect passcode. Try again)");
break;
case WerificationError::BadInput:
pam.print("The passcode has an incorrect number of digits or contains invalid characters. Try again");
break;
case WerificationError::SecurityKeyException:
pam.print("The entered code has an incorrect length or contains unacceptable characters. Try again");
break;
case WerificationError::TooManyRequestsException:
pam.print("Too Many Attempts. Try again after a minute");
break;
case WerificationError::SendPushException:
// if there is a communication problem we can't do anything here
break;
}
}
return tl::unexpected{error};
}
public:
const char * _name;
enum class Endpoint { ConfirmCode, SecurityKeySSH };
PasscodeBasedAuth( //
Session & session,
const char * _name,
const char * userMessage,
uint_fast8_t length,
bool numbersOnly,
Endpoint endpoint,
int prompts)
: AuthenticationStep(session),
_uri{(endpoint == Endpoint::ConfirmCode) ? confirmCodeEndpoint : confirmSecuritySSHEndpoint},
_confirmField{(endpoint == Endpoint::ConfirmCode) ? fieldVericode : fieldOtp},
_userMessage{userMessage},
_vericodeLength{length},
_onlyDigits{numbersOnly},
_prompts{prompts},
_name{_name} {}
template < typename Hander_t >
tl::expected< AuthenticationStatus, Error > verify(const CoreHandlerInterface< Hander_t > & coreHandler, const Pam_t & pam) const {
RapidJSONPMRStackAlloc< 2048 > alloc{};
Document body{rapidjson::kObjectType, &alloc};
int prompts = _prompts;
const auto requestAuthorization = [&](const auto & body) { return coreHandler.request(alloc, _uri, body); };
const auto checkCodeValidity = [&](const auto & coreResponse) { return this->checkAuthenticationStatus(coreResponse, pam); };
const auto waitForCoreToConfirm = [&](const auto &) { return waitForCoreConfirmation(coreHandler); };
const auto handleError = [&](const auto error) { return errorHandler(error, pam, prompts); };
this->addSystemToken(body);
this->addTid(body);
return [&]() {
while(true) {
prompts--;
auto access = readPasscode(body, pam) //
.and_then(requestAuthorization)
.and_then(checkCodeValidity)
.and_then(waitForCoreToConfirm)
.or_else(handleError);
if(not access && prompts) {
continue;
} else {
return access;
}
};
}();
}
};
} // namespace rublon::method
Reference in New Issue View Git Blame Copy Permalink