kanidm 1.1.0-alpha

Kanidm Server Library and Binary
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

use crate::credential::totp::{TOTP, TOTP_DEFAULT_STEP};
use crate::event::EventOriginId;
use crate::idm::account::Account;
use kanidm_proto::v1::TOTPSecret;
use kanidm_proto::v1::{OperationError, SetCredentialResponse};
use std::mem;
use std::time::Duration;
use uuid::Uuid;

// Client requests they want to reg a TOTP to account.
pub(crate) enum MfaReqInit {
    TOTP(String),
    // Webauthn
}

pub(crate) enum MfaReqStep {
    TOTPVerify(u32),
}

pub(crate) enum MfaRegCred {
    TOTP(TOTP),
}

pub(crate) enum MfaRegNext {
    Success,
    TOTPCheck(TOTPSecret),
    // Webauthn(chal)
}

impl MfaRegNext {
    pub fn to_proto(&self, u: &Uuid) -> SetCredentialResponse {
        match self {
            MfaRegNext::Success => SetCredentialResponse::Success,
            MfaRegNext::TOTPCheck(secret) => {
                SetCredentialResponse::TOTPCheck(*u, (*secret).clone())
            }
        }
    }
}

#[derive(Clone)]
enum MfaRegState {
    TOTPInit(TOTP),
    TOTPDone,
    // Webauthn ...
}

#[derive(Clone)]
pub(crate) struct MfaRegSession {
    // The event origin, aka who is requesting the MFA reg (may not
    // be the same as account!!!)
    origin: EventOriginId,
    // The account that the MFA will be registered to
    pub account: Account,
    // What state is the reg process in?
    state: MfaRegState,
}

impl MfaRegSession {
    pub fn new(
        origin: EventOriginId,
        account: Account,
        req: MfaReqInit,
    ) -> Result<(Self, MfaRegNext), OperationError> {
        // Based on the req, init our session, and the return the next step.
        // Store the ID of the event that start's the attempt
        let state = match req {
            MfaReqInit::TOTP(label) => {
                MfaRegState::TOTPInit(TOTP::generate_secure(label, TOTP_DEFAULT_STEP))
            }
        };
        let s = MfaRegSession {
            origin,
            account,
            state,
        };
        let next = s.next();
        Ok((s, next))
    }

    pub fn step(
        &mut self,
        origin: &EventOriginId,
        target: &Uuid,
        req: MfaReqStep,
        ct: &Duration,
    ) -> Result<(MfaRegNext, Option<MfaRegCred>), OperationError> {
        if &self.origin != origin || target != &self.account.uuid {
            // Verify that the same event source is the one continuing this attempt
            return Err(OperationError::InvalidRequestState);
        };

        match (req, &self.state) {
            (MfaReqStep::TOTPVerify(chal), MfaRegState::TOTPInit(token)) => {
                if token.verify(chal, ct) {
                    let mut nstate = MfaRegState::TOTPDone;
                    mem::swap(&mut self.state, &mut nstate);
                    match nstate {
                        MfaRegState::TOTPInit(token) => {
                            Ok((MfaRegNext::Success, Some(MfaRegCred::TOTP(token))))
                        }
                        _ => Err(OperationError::InvalidState),
                    }
                } else {
                    // Let them try again?
                    let accountname = self.account.name.as_str();
                    let issuer = self.account.spn.as_str();
                    Ok((
                        MfaRegNext::TOTPCheck(token.to_proto(accountname, issuer)),
                        None,
                    ))
                }
            }
            _ => Err(OperationError::InvalidRequestState),
        }
    }
}

impl MfaRegSession {
    pub fn next(&self) -> MfaRegNext {
        // Given our current state, what is the next step we need to process or offer?
        match &self.state {
            MfaRegState::TOTPDone => MfaRegNext::Success,
            MfaRegState::TOTPInit(token) => {
                let accountname = self.account.name.as_str();
                let issuer = self.account.spn.as_str();
                MfaRegNext::TOTPCheck(token.to_proto(accountname, issuer))
            }
        }
    }
}