rename model to UserKey

This commit is contained in:
Tobias Bengfort
2021-06-17 11:02:20 +02:00
parent ba4e7f9a17
commit 68e257d60e
9 changed files with 52 additions and 35 deletions


@@ -12,7 +12,7 @@ from django.utils import timezone
from django.views.decorators.cache import never_cache from django.views.decorators.cache import never_cache
from .Common import send from .Common import send
from .models import User_Keys from .models import UserKey
from .views import login from .views import login
@@ -36,7 +36,7 @@ def start(request):
context = csrf(request) context = csrf(request)
if request.method == "POST": if request.method == "POST":
if request.session["email_secret"] == request.POST["otp"]: # if successful if request.session["email_secret"] == request.POST["otp"]: # if successful
uk = User_Keys() uk = UserKey()
uk.username = request.user.username uk.username = request.user.username
uk.key_type = "Email" uk.key_type = "Email"
uk.enabled = 1 uk.enabled = 1
@@ -62,7 +62,7 @@ def auth(request):
context = csrf(request) context = csrf(request)
if request.method == "POST": if request.method == "POST":
if request.session["email_secret"] == request.POST["otp"].strip(): if request.session["email_secret"] == request.POST["otp"].strip():
uk = User_Keys.objects.get( uk = UserKey.objects.get(
username=request.session["base_username"], key_type="Email" username=request.session["base_username"], key_type="Email"
) )
mfa = {"verified": True, "method": "Email", "id": uk.id} mfa = {"verified": True, "method": "Email", "id": uk.id}


@@ -16,7 +16,7 @@ from fido2.server import Fido2Server, PublicKeyCredentialRpEntity
from fido2.utils import websafe_decode, websafe_encode from fido2.utils import websafe_decode, websafe_encode
from .Common import get_redirect_url from .Common import get_redirect_url
from .models import User_Keys from .models import UserKey
from .views import login, reset_cookie from .views import login, reset_cookie
@@ -65,7 +65,7 @@ def complete_reg(request):
request.session["fido_state"], client_data, att_obj request.session["fido_state"], client_data, att_obj
) )
encoded = websafe_encode(auth_data.credential_data) encoded = websafe_encode(auth_data.credential_data)
uk = User_Keys() uk = UserKey()
uk.username = request.user.username uk.username = request.user.username
uk.properties = { uk.properties = {
"device": encoded, "device": encoded,
@@ -91,7 +91,7 @@ def start(request):
def getUserCredentials(username): def getUserCredentials(username):
credentials = [] credentials = []
for uk in User_Keys.objects.filter(username=username, key_type="FIDO2"): for uk in UserKey.objects.filter(username=username, key_type="FIDO2"):
credentials.append( credentials.append(
AttestedCredentialData(websafe_decode(uk.properties["device"])) AttestedCredentialData(websafe_decode(uk.properties["device"]))
) )
@@ -149,7 +149,7 @@ def authenticate_complete(request):
request.session["mfa"]["rechecked_at"] = time.time() request.session["mfa"]["rechecked_at"] = time.time()
return JsonResponse({"status": "OK"}) return JsonResponse({"status": "OK"})
else: else:
keys = User_Keys.objects.filter( keys = UserKey.objects.filter(
username=username, key_type="FIDO2", enabled=1 username=username, key_type="FIDO2", enabled=1
) )
for k in keys: for k in keys:


@@ -11,12 +11,12 @@ from django.utils import timezone
from jose import jwt from jose import jwt
from .Common import send from .Common import send
from .models import User_Keys from .models import UserKey
def id_generator(size=6, chars=string.ascii_uppercase + string.digits): def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
x = "".join(random.choice(chars) for _ in range(size)) x = "".join(random.choice(chars) for _ in range(size))
if not User_Keys.objects.filter(properties__shas="$.key=" + x).exists(): if not UserKey.objects.filter(properties__shas="$.key=" + x).exists():
return x return x
else: else:
return id_generator(size, chars) return id_generator(size, chars)
@@ -25,7 +25,7 @@ def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
def getUserAgent(request): def getUserAgent(request):
id = id = request.session.get("td_id", None) id = id = request.session.get("td_id", None)
if id: if id:
tk = User_Keys.objects.get(id=id) tk = UserKey.objects.get(id=id)
if tk.properties.get("user_agent", "") != "": if tk.properties.get("user_agent", "") != "":
ua = user_agents.parse(tk.properties["user_agent"]) ua = user_agents.parse(tk.properties["user_agent"])
res = render(None, "TrustedDevices/user-agent.html", context={"ua": ua}) res = render(None, "TrustedDevices/user-agent.html", context={"ua": ua})
@@ -34,7 +34,7 @@ def getUserAgent(request):
def trust_device(request): def trust_device(request):
tk = User_Keys.objects.get(id=request.session["td_id"]) tk = UserKey.objects.get(id=request.session["td_id"])
tk.properties["status"] = "trusted" tk.properties["status"] = "trusted"
tk.save() tk.save()
del request.session["td_id"] del request.session["td_id"]
@@ -46,7 +46,7 @@ def checkTrusted(request):
id = request.session.get("td_id", "") id = request.session.get("td_id", "")
if id != "": if id != "":
try: try:
tk = User_Keys.objects.get(id=id) tk = UserKey.objects.get(id=id)
if tk.properties["status"] == "trusted": if tk.properties["status"] == "trusted":
res = "OK" res = "OK"
except: except:
@@ -55,7 +55,7 @@ def checkTrusted(request):
def getCookie(request): def getCookie(request):
tk = User_Keys.objects.get(id=request.session["td_id"]) tk = UserKey.objects.get(id=request.session["td_id"])
if tk.properties["status"] == "trusted": if tk.properties["status"] == "trusted":
context = {"added": True} context = {"added": True}
@@ -76,7 +76,7 @@ def add(request):
key = request.POST["key"].replace("-", "").replace(" ", "").upper() key = request.POST["key"].replace("-", "").replace(" ", "").upper()
context["username"] = request.POST["username"] context["username"] = request.POST["username"]
context["key"] = request.POST["key"] context["key"] = request.POST["key"]
trusted_keys = User_Keys.objects.filter( trusted_keys = UserKey.objects.filter(
username=request.POST["username"], properties__has="$.key=" + key username=request.POST["username"], properties__has="$.key=" + key
) )
cookie = False cookie = False
@@ -102,7 +102,7 @@ def add(request):
def start(request): def start(request):
if ( if (
User_Keys.objects.filter( UserKey.objects.filter(
username=request.user.username, key_type="Trusted Device" username=request.user.username, key_type="Trusted Device"
).count() ).count()
>= 2 >= 2
@@ -110,7 +110,7 @@ def start(request):
return render(request, "TrustedDevices/start.html", {"not_allowed": True}) return render(request, "TrustedDevices/start.html", {"not_allowed": True})
td = None td = None
if not request.session.get("td_id", None): if not request.session.get("td_id", None):
td = User_Keys() td = UserKey()
td.username = request.user.username td.username = request.user.username
td.properties = {"key": id_generator(), "status": "adding"} td.properties = {"key": id_generator(), "status": "adding"}
td.key_type = "Trusted Device" td.key_type = "Trusted Device"
@@ -118,7 +118,7 @@ def start(request):
request.session["td_id"] = td.id request.session["td_id"] = td.id
try: try:
if td is None: if td is None:
td = User_Keys.objects.get(id=request.session["td_id"]) td = UserKey.objects.get(id=request.session["td_id"])
context = {"key": td.properties["key"]} context = {"key": td.properties["key"]}
except: except:
del request.session["td_id"] del request.session["td_id"]
@@ -145,7 +145,7 @@ def verify(request):
json = jwt.decode(request.COOKIES.get("deviceid"), settings.SECRET_KEY) json = jwt.decode(request.COOKIES.get("deviceid"), settings.SECRET_KEY)
if json["username"].lower() == request.session["base_username"].lower(): if json["username"].lower() == request.session["base_username"].lower():
try: try:
uk = User_Keys.objects.get( uk = UserKey.objects.get(
username=request.POST["username"].lower(), username=request.POST["username"].lower(),
properties__has="$.key=" + json["key"], properties__has="$.key=" + json["key"],
) )


@@ -20,7 +20,7 @@ from u2flib_server.u2f import (
) )
from .Common import get_redirect_url from .Common import get_redirect_url
from .models import User_Keys from .models import UserKey
from .views import login from .views import login
@@ -63,7 +63,7 @@ def validate(request, username):
challenge = request.session.pop("_u2f_challenge_") challenge = request.session.pop("_u2f_challenge_")
device, c, t = complete_authentication(challenge, data, [settings.U2F_APPID]) device, c, t = complete_authentication(challenge, data, [settings.U2F_APPID])
key = User_Keys.objects.get( key = UserKey.objects.get(
username=username, username=username,
properties__shas="$.device.publicKey=%s" % device["publicKey"], properties__shas="$.device.publicKey=%s" % device["publicKey"],
) )
@@ -109,13 +109,13 @@ def bind(request):
device, cert = complete_registration(enroll, data, [settings.U2F_APPID]) device, cert = complete_registration(enroll, data, [settings.U2F_APPID])
cert = x509.load_der_x509_certificate(cert, default_backend()) cert = x509.load_der_x509_certificate(cert, default_backend())
cert_hash = hashlib.md5(cert.public_bytes(Encoding.PEM)).hexdigest() cert_hash = hashlib.md5(cert.public_bytes(Encoding.PEM)).hexdigest()
q = User_Keys.objects.filter(key_type="U2F", properties__icontains=cert_hash) q = UserKey.objects.filter(key_type="U2F", properties__icontains=cert_hash)
if q.exists(): if q.exists():
return HttpResponse( return HttpResponse(
"This key is registered before, it can't be registered again." "This key is registered before, it can't be registered again."
) )
User_Keys.objects.filter(username=request.user.username, key_type="U2F").delete() UserKey.objects.filter(username=request.user.username, key_type="U2F").delete()
uk = User_Keys() uk = UserKey()
uk.username = request.user.username uk.username = request.user.username
uk.owned_by_enterprise = getattr(settings, "MFA_OWNED_BY_ENTERPRISE", False) uk.owned_by_enterprise = getattr(settings, "MFA_OWNED_BY_ENTERPRISE", False)
uk.properties = {"device": simplejson.loads(device.json), "cert": cert_hash} uk.properties = {"device": simplejson.loads(device.json), "cert": cert_hash}
@@ -127,7 +127,7 @@ def bind(request):
def sign(username): def sign(username):
u2f_devices = [ u2f_devices = [
d.properties["device"] d.properties["device"]
for d in User_Keys.objects.filter(username=username, key_type="U2F") for d in UserKey.objects.filter(username=username, key_type="U2F")
] ]
challenge = begin_authentication(settings.U2F_APPID, u2f_devices) challenge = begin_authentication(settings.U2F_APPID, u2f_devices)
return [challenge.json, simplejson.dumps(challenge.data_for_client)] return [challenge.json, simplejson.dumps(challenge.data_for_client)]


@@ -1,12 +1,12 @@
from django.http import JsonResponse from django.http import JsonResponse
from . import FIDO2, U2F, TrustedDevice, totp from . import FIDO2, U2F, TrustedDevice, totp
from .models import User_Keys from .models import UserKey
from .views import verify from .views import verify
def has_mfa(request, username): def has_mfa(request, username):
if User_Keys.objects.filter(username=username, enabled=1).count() > 0: if UserKey.objects.filter(username=username, enabled=1).count() > 0:
return verify(request, username) return verify(request, username)
return False return False


@@ -0,0 +1,17 @@
# Generated by Django 3.2.4 on 2021-06-23 07:10
from django.db import migrations
class Migration(migrations.Migration):
dependencies = [
('mfa', '0011_auto_20210530_0622'),
]
operations = [
migrations.RenameModel(
old_name='User_Keys',
new_name='UserKey',
),
]


@@ -4,7 +4,7 @@ from jose import jwt
from jsonfield import JSONField from jsonfield import JSONField
class User_Keys(models.Model): class UserKey(models.Model):
username = models.CharField(max_length=50) username = models.CharField(max_length=50)
properties = JSONField(null=True) properties = JSONField(null=True)
added_on = models.DateTimeField(auto_now_add=True) added_on = models.DateTimeField(auto_now_add=True)


@@ -11,12 +11,12 @@ from django.utils import timezone
from django.views.decorators.cache import never_cache from django.views.decorators.cache import never_cache
from .Common import get_redirect_url from .Common import get_redirect_url
from .models import User_Keys from .models import UserKey
from .views import login from .views import login
def verify_login(request, username, token): def verify_login(request, username, token):
for key in User_Keys.objects.filter(username=username, key_type="TOTP"): for key in UserKey.objects.filter(username=username, key_type="TOTP"):
totp = pyotp.TOTP(key.properties["secret_key"]) totp = pyotp.TOTP(key.properties["secret_key"])
if totp.verify(token, valid_window=30): if totp.verify(token, valid_window=30):
key.last_used = timezone.now() key.last_used = timezone.now()
@@ -82,7 +82,7 @@ def verify(request):
secret_key = request.GET["key"] secret_key = request.GET["key"]
totp = pyotp.TOTP(secret_key) totp = pyotp.TOTP(secret_key)
if totp.verify(answer, valid_window=60): if totp.verify(answer, valid_window=60):
uk = User_Keys() uk = UserKey()
uk.username = request.user.username uk.username = request.user.username
uk.properties = {"secret_key": secret_key} uk.properties = {"secret_key": secret_key}
uk.key_type = "TOTP" uk.key_type = "TOTP"


@@ -8,14 +8,14 @@ from django.urls import reverse
from user_agents import parse from user_agents import parse
from . import TrustedDevice from . import TrustedDevice
from .models import User_Keys from .models import UserKey
@login_required @login_required
def index(request): def index(request):
keys = [] keys = []
context = { context = {
"keys": User_Keys.objects.filter(username=request.user.username), "keys": UserKey.objects.filter(username=request.user.username),
"UNALLOWED_AUTHEN_METHODS": settings.MFA_UNALLOWED_METHODS, "UNALLOWED_AUTHEN_METHODS": settings.MFA_UNALLOWED_METHODS,
"HIDE_DISABLE": getattr(settings, "MFA_HIDE_DISABLE", []), "HIDE_DISABLE": getattr(settings, "MFA_HIDE_DISABLE", []),
} }
@@ -31,7 +31,7 @@ def index(request):
def verify(request, username): def verify(request, username):
request.session["base_username"] = username request.session["base_username"] = username
keys = User_Keys.objects.filter(username=username, enabled=1) keys = UserKey.objects.filter(username=username, enabled=1)
methods = list(set([k.key_type for k in keys])) methods = list(set([k.key_type for k in keys]))
if "Trusted Device" in methods and not request.session.get( if "Trusted Device" in methods and not request.session.get(
@@ -63,7 +63,7 @@ def login(request):
@login_required @login_required
def delKey(request): def delKey(request):
key = User_Keys.objects.get(id=request.GET["id"]) key = UserKey.objects.get(id=request.GET["id"])
if key.username == request.user.username: if key.username == request.user.username:
key.delete() key.delete()
return HttpResponse("Deleted Successfully") return HttpResponse("Deleted Successfully")
@@ -87,7 +87,7 @@ def __get_callable_function__(func_path):
@login_required @login_required
def toggleKey(request): def toggleKey(request):
id = request.GET["id"] id = request.GET["id"]
q = User_Keys.objects.filter(username=request.user.username, id=id) q = UserKey.objects.filter(username=request.user.username, id=id)
if q.count() == 1: if q.count() == 1:
key = q[0] key = q[0]
if key.key_type not in settings.MFA_HIDE_DISABLE: if key.key_type not in settings.MFA_HIDE_DISABLE: