Context Navigation

← Previous Changeset
Next Changeset →

Changeset 2257

Timestamp:

Feb 27, 2014, 3:02:56 PM (9 years ago)

Author:

Nicklas Nordborg

Message:

References #580: Authenticate users using YubiKey? sticks

Implemented actual verification of passwords against YubiCload?. Seems to be working well. A manual configuration step to get a CLIENT_ID and CLIENT_KEY is needed when installing the extension for the first time. Instructions for this need to be written.

Location:

extensions/net.sf.basedb.yubikey/trunk

Files:

: 1 added
: 5 edited

build.xml (modified) (1 diff)
src/net/sf/basedb/yubikey/YubiKey.java (modified) (3 diffs)
src/net/sf/basedb/yubikey/YubiKeyAuthenticationManager.java (modified) (2 diffs)
src/net/sf/basedb/yubikey/YubiKeyAuthenticationManagerFactory.java (modified) (2 diffs)
src/net/sf/basedb/yubikey/YubiKeyLoginFormFactory.java (modified) (1 diff)
yubikey.properties (added)

Legend:

: Unmodified
: Added
: Removed

extensions/net.sf.basedb.yubikey/trunk/build.xml

r2256	r2257
59	59	>
60	60	<copy todir="${dist}">
61		<fileset dir="." includes="README,LICENSE" />
	61	<fileset dir="." includes="README,LICENSE,yubikey.properties" />
62	62	<fileset file="${jar.name}" />
63	63	</copy>

extensions/net.sf.basedb.yubikey/trunk/src/net/sf/basedb/yubikey/YubiKey.java

-                      r2255
+                      r2257
 package net.sf.basedb.yubikey;
+import java.io.InputStream;
+import java.net.URL;
+import java.util.Properties;
+import net.sf.basedb.core.ConfigurationException;
 import net.sf.basedb.core.authentication.AuthenticationMethod;
+import net.sf.basedb.util.Values;
 /**
 …
   @since 1.0
 */
 public class YubiKey
+public final class YubiKey
+{
   /**
 …
   public static final AuthenticationMethod AUTHENTICATION_METHOD = AuthenticationMethod.getInstance("yubikey");
+  private static Properties config;
+  private static Integer clientId;
+  private static String clientKey;
+  /**
+    Load configuration file: /yubikey.properties
+  */
+  public static synchronized final Properties getConfig()
+  {
+    if (config == null)
+    {
+      try
+      {
+        URL configUrl = YubiKey.class.getResource("/yubikey.properties");
+        InputStream is = configUrl == null ? null : configUrl.openStream();
+        if (is == null)
+        {
+          throw new ConfigurationException("Can't find the configuration file. " +
+              "Make sure '/yubikey.properties' is in the CLASSPATH.");
+        }
+        config = new Properties();
+        config.load(is);
+      }
+      catch (Exception ex)
+      {
+        throw new ConfigurationException(ex.getMessage(), ex);
+      }
+      clientId = Values.getInteger(config.getProperty("client-id"), null);
+      clientKey = config.getProperty("client-key");
+      if (clientId == null || clientKey == null)
+      {
+        // Invalid configuration
+        config = null;
+        clientId = null;
+        clientKey = null;
+        throw new ConfigurationException("Missing configuration value: client-id or client-key");
+      }
+    }
+    return config;
+  }
+  /**
+    Get the configured CLIENT_ID to use when validating passwords
+    with the YubiCloud service.
+  */
+  public static Integer getClientId()
+  {
+    return clientId;
+  }
+  /**
+    Get the configured CLIENT_KEY to use when validating passwords
+    with the YubiCloud service.
+  */
+  public static String getClientKey()
+  {
+    return clientKey;
+  }
+}

extensions/net.sf.basedb.yubikey/trunk/src/net/sf/basedb/yubikey/YubiKeyAuthenticationManager.java

-                      r2255
+                      r2257
 import net.sf.basedb.core.data.UserData;
+/**
+  Authentication manager for YubiKey one-time-passwords.
+  The 'login' string is expected to be a YubiKey one-time password, but
+  may also be a regular login for user accounts that has not been YubiKey-enabled.
+  To prevent YubiKey users to login using regular login, the first check is
+  to see if the login matches an existing user and if that user is YubiKey-enabled.
+  If no matching user is found and the login is a valid YubiKey password,
+  a second user lookup is perfomed using the public ID part of the password.
+  If a user is found the password is sent to YubiCloud for verification.
+  If the verification is successful the final step is to use the regular
+  internal verification to check the password.
+  @author nicklas
+  @since 1.0
+*/
 public class YubiKeyAuthenticationManager
   implements AuthenticationManager
 …
         throw new LoginException("User '" + login + "' must login with YubiKey!");
+      }
+      // The user is not YubiKey-enabled; return null to continue with internal authentication
+      return null;
+    }
     // Check if the login is a valid YubiKey one-time-password
-    System.out.println("Checking format: "+ login);
     if (YubicoClient.isValidOTPFormat(login))
+    {
-      System.out.println("Valid: "+ login);
       // Find user in BASE with externalId=YubiKey:<public-id>
       String publicId = YubicoClient.getPublicId(login);
       String externalId = "YubiKey:" + publicId;
-      System.out.println("publicId: "+ publicId);
       user = context.getUserByExternalId(externalId);
-      System.out.println("user: "+ user);
       if (user != null)
+      {
+        // Verify the one-time-password using YubiKey cload service
+        //YubicoClient ybClient = YubicoClient.getClient(null);
+        //YubicoResponse response = ybClient.verify(login);
+        //if (response.getStatus() == YubicoResponseStatus.OK)
+        // Verify the one-time-password using the YubiCloud service
+        YubicoClient ybClient = null;
+        YubicoResponse response = null;
+        try
+        {
+          ybClient = YubicoClient.getClient(YubiKey.getClientId());
+          ybClient.setKey(YubiKey.getClientKey());
+          response = ybClient.verify(login);
+        }
+        catch (Exception e)
+        {
+          throw new LoginException(e.getMessage(), e);
+        }
+        // Pretend to verify one-time-password
+        if (YubicoClient.isValidOTPFormat(login))
+        YubicoResponseStatus status = response.getStatus();
+        /*
+        System.out.println("status:" + response.getStatus());
+        System.out.println("H:" + response.getH());
+        System.out.println("Nonce:" + response.getNonce());
+        System.out.println("otp:" + response.getOtp());
+        //System.out.println("publicid:" + response.getPublicId());
+        System.out.println("sessioncounter:" + response.getSessioncounter());
+        System.out.println("sessionuse:" + response.getSessionuse());
+        System.out.println("Sl:" + response.getSl());
+        System.out.println("T:" + response.getT());
+        System.out.println("Timestamp:" + response.getTimestamp());
+        */
+        if (status != YubicoResponseStatus.OK)
+        {
+          // YubiKey is valid -- verify password using internal authentication
+          LoginRequest internal = new LoginRequest(user.getLogin(), request.getPassword());
+          context.verifyUserInternal(internal);
+          authInfo = new AuthenticatedUser(YubiKey.AUTHENTICATION_METHOD, user);
+          String msg = "Invalid YubiKey";
+          if (status == YubicoResponseStatus.BAD_OTP)
+          {
+            msg = "Invalid one-time-password format";
+          }
+          else if (status == YubicoResponseStatus.REPLAYED_OTP)
+          {
+            msg = "One-time-password has already been used";
+          }
+          throw new LoginException(msg + " (" + status + ")");
+        }
+        else
+        {
+          throw new LoginException("Invalid YubiKey: "+login);
+        }
+        // YubiKey is valid -- verify password using internal authentication
+        LoginRequest internal = new LoginRequest(user.getLogin(), request.getPassword());
+        context.verifyUserInternal(internal);
+        authInfo = new AuthenticatedUser(YubiKey.AUTHENTICATION_METHOD, user);
+      }
+    }

extensions/net.sf.basedb.yubikey/trunk/src/net/sf/basedb/yubikey/YubiKeyAuthenticationManagerFactory.java

-                      r2252
+                      r2257
 package net.sf.basedb.yubikey;
 import net.sf.basedb.core.AuthenticationContext;
 …
+{
+  private boolean hasConfig;
   public YubiKeyAuthenticationManagerFactory()
+  {}
+  {
+    hasConfig = YubiKey.getConfig() != null;
+  }
   /**
     @return Always true
+    @return Always true (if properly configured)
   */
   @Override
   public boolean prepareContext(InvokationContext<? super AuthenticationManager> context)
+  {
     return true;
+    return hasConfig;
+  }

extensions/net.sf.basedb.yubikey/trunk/src/net/sf/basedb/yubikey/YubiKeyLoginFormFactory.java

-                      r2256
+                      r2257
         "Insert the <a href=\"http://www.yubico.com/\" target=\"_top\">YubiKey</a> stick into a USB slot in your computer and press "
         + "the button when the green light is turned on. "
+        + "Then enter your regular password.<br>"
+        + "Then enter your regular password."
+        + "<p style=\"margin-top: 0.5em;\">"
         + "<b>Note!</b> Users without a YubiKey should login with their username.");

Note: See TracChangeset for help on using the changeset viewer.