bartoszek/rublon-ssh
1
0
Fork 0
Code Issues 7 Pull Requests Packages Projects Releases Wiki Activity
351964199a
rublon-ssh/PAM/ssh/include/rublon/method/passcode_based_auth.hpp
rublon-bwi 0934902bba
Bwi/v2.3.0 (#17) 
* Add base PROXY support implementation

* Remove some dynamic memory allocations

* Rewrite configuration reading module

* Make everything in core connector memory resource aware

* Add logs to check is proxy is used

* Add a proxy fallback, and read proxy from env

* Add config entry to check application

* Cleanup includes

* Ddd configuration dump to check application

* Update rhel8 packages

* Fix http headers bug when using proxy server

* Fix formatting

* Fix bad optional access

* Fix configuration check regresion

* Fix memory management issue, remove strict allocators and make connector more polite to memory overflow errors

* Fix initialization of core handler
2025-07-18 11:48:18 +02:00

164 lines
6.3 KiB
C++
Raw Blame History

#pragma once
#include "rublon/memory.hpp"
#include <tl/expected.hpp>
#include <rublon/authentication_step_interface.hpp>
#include <rublon/bits.hpp>
#include <rublon/pam_action.hpp>
#include <rublon/utils.hpp>
#include <rublon/websockets.hpp>
namespace rublon::method {
class PasscodeBasedAuth : public AuthenticationStep {
protected:
const char * _uri;
const char * _confirmField;
static constexpr const char * confirmCodeEndpoint = "/api/transaction/confirmCode";
static constexpr const char * confirmSecuritySSHEndpoint = "/api/transaction/confirmSecurityKeySSH";
static constexpr const char * fieldVericode = "vericode";
static constexpr const char * fieldOtp = "otp";
static constexpr auto _bypassCodeLength = 9;
const char * _userMessage{nullptr};
const uint_fast8_t _vericodeLength;
const bool _onlyDigits;
int _prompts;
constexpr static bool isdigit(char ch) {
return std::isdigit(static_cast< unsigned char >(ch));
}
bool digitsOnly(std::string_view userinput) const {
return std::all_of(userinput.cbegin(), userinput.cend(), isdigit);
}
bool hasValidLength(std::string_view userInput) const {
if(userInput.size() == _vericodeLength || userInput.size() == _bypassCodeLength) {
log(LogLevel::Debug, "User input size %d is correct", userInput.size());
return true;
} else {
log(LogLevel::Warning, "User input size %d is different than %d", userInput.size(), _vericodeLength);
return false;
}
}
bool hasValidCharacters(std::string_view userInput) const {
if(_onlyDigits ? digitsOnly(userInput) : true) {
log(LogLevel::Debug, "User input contains valid characters");
return true;
} else {
log(LogLevel::Warning, "User input contains characters different than digits");
return false;
}
}
tl::expected< std::reference_wrapper< Document >, Error > readPasscode(Document & body, const Pam_t & pam) const {
/// TODO assert in interactive mode
memory::MonotonicStackResource< 100 > memoryResource;
auto & alloc = body.GetAllocator();
auto vericode = pam.scan([&](const char * userInput) { return std::pmr::string{userInput, &memoryResource}; }, _userMessage);
if(hasValidLength(vericode) and hasValidCharacters(vericode)) {
Value confirmFieldValue(_confirmField, alloc);
body.AddMember(confirmFieldValue, Value{vericode.c_str(), alloc}, alloc);
if(_session.hasAccessToken()) {
this->addAccessToken(body, _session.accessToken());
}
return body;
}
return tl::unexpected{Error{WerificationError{WerificationError::BadInput}}};
}
tl::expected< AuthenticationStatus, Error > checkAuthenticationStatus(const Document & /*coreResponse*/, const Pam_t & pam) const {
pam.print("The passcode has been validated");
return AuthenticationStatus{AuthenticationStatus::Action::Confirmed};
}
tl::expected< AuthenticationStatus, Error > errorHandler(Error error, const Pam_t & pam, int promptLeft) const {
if(promptLeft && error.is< WerificationError >()) {
switch(error.get< WerificationError >().errorClass) {
case WerificationError::PasscodeException:
pam.print(R"(Incorrect passcode. Try again)");
break;
case WerificationError::BadInput:
pam.print("The passcode has an incorrect number of digits or contains invalid characters. Try again");
break;
case WerificationError::SecurityKeyException:
pam.print("The entered code has an incorrect length or contains unacceptable characters. Try again");
break;
case WerificationError::TooManyRequestsException:
pam.print("Too Many Attempts. Try again after a minute");
break;
case WerificationError::SendPushException:
// if there is a communication problem we can't do anything here
break;
}
}
return tl::unexpected{error};
}
public:
const char * _name;
enum class Endpoint { ConfirmCode, SecurityKeySSH };
PasscodeBasedAuth( //
Session & session,
const char * _name,
const char * userMessage,
uint_fast8_t length,
bool numbersOnly,
Endpoint endpoint,
int prompts)
: AuthenticationStep(session),
_uri{(endpoint == Endpoint::ConfirmCode) ? confirmCodeEndpoint : confirmSecuritySSHEndpoint},
_confirmField{(endpoint == Endpoint::ConfirmCode) ? fieldVericode : fieldOtp},
_userMessage{userMessage},
_vericodeLength{length},
_onlyDigits{numbersOnly},
_prompts{prompts},
_name{_name} {}
template < typename Hander_t >
tl::expected< AuthenticationStatus, Error > verify(const CoreHandlerInterface< Hander_t > & coreHandler, const Pam_t & pam) const {
RapidJSONPMRStackAlloc< 2048 > alloc{};
Document body{rapidjson::kObjectType, &alloc};
int prompts = _prompts;
const auto requestAuthorization = [&](const auto & body) { return coreHandler.request(alloc, _uri, body); };
const auto checkCodeValidity = [&](const auto & coreResponse) { return this->checkAuthenticationStatus(coreResponse, pam); };
const auto waitForCoreToConfirm = [&](const auto &) { return waitForCoreConfirmation(coreHandler); };
const auto handleError = [&](const auto error) { return errorHandler(error, pam, prompts); };
this->addSystemToken(body);
this->addTid(body);
return [&]() {
while(true) {
prompts--;
auto access = readPasscode(body, pam) //
.and_then(requestAuthorization)
.and_then(checkCodeValidity)
.and_then(waitForCoreToConfirm)
.or_else(handleError);
if(not access && prompts) {
continue;
} else {
return access;
}
};
}();
}
};
} // namespace rublon::method
Reference in New Issue View Git Blame Copy Permalink