1
0
Fork 0
mirror of https://github.com/Luzifer/nginx-sso.git synced 2025-01-02 03:01:16 +00:00
nginx-sso/plugins/mfa/yubikey/mfa.go

90 lines
2.1 KiB
Go
Raw Normal View History

package yubikey
import (
"net/http"
"strings"
"github.com/GeertJohan/yubigo"
"github.com/pkg/errors"
yaml "gopkg.in/yaml.v2"
"github.com/Luzifer/nginx-sso/plugins"
)
type MFAYubikey struct {
ClientID string `yaml:"client_id"`
SecretKey string `yaml:"secret_key"`
}
func New() *MFAYubikey {
return &MFAYubikey{}
}
// ProviderID needs to return an unique string to identify
// this special MFA provider
func (m MFAYubikey) ProviderID() (id string) { return "yubikey" }
// Configure loads the configuration for the Authenticator from the
// global config.yaml file which is passed as a byte-slice.
// If no configuration for the Authenticator is supplied the function
// needs to return the plugins.ErrProviderUnconfigured
func (m *MFAYubikey) Configure(yamlSource []byte) (err error) {
envelope := struct {
MFA struct {
Yubikey *MFAYubikey `yaml:"yubikey"`
} `yaml:"mfa"`
}{}
if err := yaml.Unmarshal(yamlSource, &envelope); err != nil {
return err
}
if envelope.MFA.Yubikey == nil {
return plugins.ErrProviderUnconfigured
}
m.ClientID = envelope.MFA.Yubikey.ClientID
m.SecretKey = envelope.MFA.Yubikey.SecretKey
return nil
}
// ValidateMFA takes the user from the login cookie and performs a
// validation against the provided MFA configuration for this user
func (m MFAYubikey) ValidateMFA(res http.ResponseWriter, r *http.Request, user string, mfaCfgs []plugins.MFAConfig) error {
var keyInput string
yubiAuth, err := yubigo.NewYubiAuth(m.ClientID, m.SecretKey)
if err != nil {
return errors.Wrap(err, "Unable to create Yubikey client")
}
for _, c := range mfaCfgs {
if c.Provider != m.ProviderID() {
continue
}
for key, values := range r.Form {
if strings.HasSuffix(key, plugins.MFALoginFieldName) && strings.HasPrefix(values[0], c.AttributeString("device")) {
keyInput = values[0]
}
}
if keyInput == "" {
continue
}
_, ok, err := yubiAuth.Verify(keyInput)
if err != nil && !strings.Contains(err.Error(), "OTP has wrong length.") {
return errors.Wrap(err, "OTP verification failed")
}
if ok {
return nil
}
}
// Not a valid authentication
return plugins.ErrNoValidUserFound
}