bartoszek/rublon-ssh
1
0
Fork 0
Code Issues 7 Pull Requests Packages Projects Releases Wiki Activity
af64f8e9e3
rublon-ssh/PAM/ssh/include/rublon/method/passcode_based_auth.hpp
rublon-bwi af64f8e9e3
Bwi/v2.2.0 (#16) 
* Remove dynamic memory usage from core

* Refacor status check to use json pointers

* Move access token to session

* Remove code duplication

* Fix compile warnings from rapidjson sources

* Add 'interactive mode option to session configuration

* Implement non interactive mode connector

* Add 'non interactove' implementation

* Apply rapidjson patch

* Build on all cores

* Rename build script

* Split configure and build steps

* Add scripts for building all images

* Change bash to python for build scripts

* Stop printing methods name in non interactive mode

* Add trace log level, adn more params to init message

* Fix build

* Fix non interactive method selection and refactor vagrant files for debian like systems

* Refactor log messages

* Remove exces dependencies from vagrant configuration files

* Fixed vagrantfiles

* Added repo for rhel

* Add nonInteractiveMode option

* Added instalation script for pubkey

* Fixed pubkey install script and postrm for rhel
2025-03-07 11:41:12 +01:00

160 lines
6.0 KiB
C++
Raw Blame History

#pragma once
#include <tl/expected.hpp>
#include <rublon/authentication_step_interface.hpp>
#include <rublon/bits.hpp>
#include <rublon/pam_action.hpp>
#include <rublon/utils.hpp>
#include <rublon/websockets.hpp>
namespace rublon::method {
class PasscodeBasedAuth : public AuthenticationStep {
protected:
const char * uri;
const char * confirmField;
static constexpr const char * confirmCodeEndpoint = "/api/transaction/confirmCode";
static constexpr const char * confirmSecuritySSHEndpoint = "/api/transaction/confirmSecurityKeySSH";
static constexpr const char * fieldVericode = "vericode";
static constexpr const char * fieldOtp = "otp";
static constexpr auto _bypassCodeLength = 9;
const char * userMessage{nullptr};
const uint_fast8_t vericodeLength;
const bool onlyDigits;
int _prompts;
constexpr static bool isdigit(char ch) {
return std::isdigit(static_cast< unsigned char >(ch));
}
bool digitsOnly(std::string_view userinput) const {
return std::all_of(userinput.cbegin(), userinput.cend(), isdigit);
}
bool hasValidLength(std::string_view userInput) const {
if(userInput.size() == vericodeLength || userInput.size() == _bypassCodeLength) {
log(LogLevel::Debug, "User input size %d is correct", userInput.size());
return true;
} else {
log(LogLevel::Warning, "User input size %d is different than %d", userInput.size(), vericodeLength);
return false;
}
}
bool hasValidCharacters(std::string_view userInput) const {
if(onlyDigits ? digitsOnly(userInput) : true) {
log(LogLevel::Debug, "User input contains valid characters");
return true;
} else {
log(LogLevel::Warning, "User input contains characters different than digits");
return false;
}
}
tl::expected< std::reference_wrapper< Document >, Error > readPasscode(Document & body, const Pam_t & pam) const {
///TODO assert in interactive mode
auto & alloc = body.GetAllocator();
auto vericode = pam.scan([](const char * userInput) { return std::string{userInput}; }, userMessage);
if(hasValidLength(vericode) and hasValidCharacters(vericode)) {
Value confirmFieldValue(confirmField, alloc);
body.AddMember(confirmFieldValue, Value{vericode.c_str(), alloc}, alloc);
if(_session.hasAccessToken()) {
this->addAccessToken(body, _session.accessToken());
}
return body;
}
return tl::unexpected{Error{WerificationError{WerificationError::BadInput}}};
}
tl::expected< AuthenticationStatus, Error > checkAuthenticationStatus(const Document & /*coreResponse*/, const Pam_t & pam) const {
pam.print("The passcode has been validated");
return AuthenticationStatus{AuthenticationStatus::Action::Confirmed};
}
tl::expected< AuthenticationStatus, Error > errorHandler(Error error, const Pam_t & pam, int promptLeft) const {
if(promptLeft && error.is< WerificationError >()) {
switch(error.get< WerificationError >().errorClass) {
case WerificationError::PasscodeException:
pam.print(R"(Incorrect passcode. Try again)");
break;
case WerificationError::BadInput:
pam.print("The passcode has an incorrect number of digits or contains invalid characters. Try again");
break;
case WerificationError::SecurityKeyException:
pam.print("The entered code has an incorrect length or contains unacceptable characters. Try again");
break;
case WerificationError::TooManyRequestsException:
pam.print("Too Many Attempts. Try again after a minute");
break;
}
}
return tl::unexpected{error};
}
public:
const char * _name;
enum class Endpoint { ConfirmCode, SecurityKeySSH };
PasscodeBasedAuth( //
Session & session,
const char * _name,
const char * userMessage,
uint_fast8_t length,
bool numbersOnly,
Endpoint endpoint,
int prompts)
: AuthenticationStep(session),
uri{(endpoint == Endpoint::ConfirmCode) ? confirmCodeEndpoint : confirmSecuritySSHEndpoint},
confirmField{(endpoint == Endpoint::ConfirmCode) ? fieldVericode : fieldOtp},
userMessage{userMessage},
vericodeLength{length},
onlyDigits{numbersOnly},
_prompts{prompts},
_name{_name} {}
template < typename Hander_t >
tl::expected< AuthenticationStatus, Error > verify(const CoreHandlerInterface< Hander_t > & coreHandler, const Pam_t & pam) const {
RapidJSONPMRStackAlloc< 2048 > alloc{};
Document body{rapidjson::kObjectType, &alloc};
int prompts = _prompts;
const auto requestAuthorization = [&](const auto & body) { return coreHandler.request(alloc, uri, body); };
const auto checkCodeValidity = [&](const auto & coreResponse) { return this->checkAuthenticationStatus(coreResponse, pam); };
const auto waitForCoreToConfirm = [&](const auto &) { return waitForCoreConfirmation(coreHandler); };
const auto handleError = [&](const auto error) { return errorHandler(error, pam, prompts); };
this->addSystemToken(body);
this->addTid(body);
return [&]() {
while(true) {
prompts--;
auto access = readPasscode(body, pam) //
.and_then(requestAuthorization)
.and_then(checkCodeValidity)
.and_then(waitForCoreToConfirm)
.or_else(handleError);
if(not access && prompts) {
continue;
} else {
return access;
}
};
}();
}
};
} // namespace rublon::method
Reference in New Issue View Git Blame Copy Permalink