auth/src/Authentication/AuthenticationService.php at 3023faae02c6894f9502a520f9680b1516a954d6 · CakeDC/auth · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
<?php
declare(strict_types=1);

/**
 * Copyright 2010 - 2019, Cake Development Corporation (https://www.cakedc.com)
 *
 * Licensed under The MIT License
 * Redistributions of files must retain the above copyright notice.
 *
 * @copyright Copyright 2010 - 2019, Cake Development Corporation (https://www.cakedc.com)
 * @license MIT License (http://www.opensource.org/licenses/mit-license.php)
 */

namespace CakeDC\Auth\Authentication;

use Authentication\AuthenticationService as BaseService;
use Authentication\Authenticator\Result;
use Authentication\Authenticator\ResultInterface;
use Authentication\Authenticator\StatelessInterface;
use Cake\Datasource\EntityInterface;
use Psr\Http\Message\ServerRequestInterface;
use RuntimeException;

class AuthenticationService extends BaseService
{
    public const NEED_TWO_FACTOR_VERIFY = 'NEED_TWO_FACTOR_VERIFY';

    public const TWO_FACTOR_VERIFY_SESSION_KEY = 'temporarySession';

    public const U2F_SESSION_KEY = 'U2f.User';

    public const NEED_U2F_VERIFY = 'NEED_U2F_VERIFY';

    public const NEED_WEBAUTHN_2FA_VERIFY = 'NEED_WEBAUTHN2FA_VERIFY';

    public const WEBAUTHN_2FA_SESSION_KEY = 'Webauthn2fa.User';

    /**
     * All failures authenticators
     *
     * @var \CakeDC\Auth\Authentication\Failure[]
     */
    protected $failures = [];

    /**
     * Proceed to google verify action after a valid result result
     *
     * @param \Psr\Http\Message\ServerRequestInterface $request The request.
     * @param \Authentication\Authenticator\ResultInterface $result The original result
     * @return \Authentication\Authenticator\ResultInterface The result object.
     */
    protected function proceedToGoogleVerify(ServerRequestInterface $request, ResultInterface $result)
    {
        /**
         * @var \Cake\Http\Session $session
         */
        $session = $request->getAttribute('session');
        $session->write(self::TWO_FACTOR_VERIFY_SESSION_KEY, $result->getData());
        $result = new Result(null, self::NEED_TWO_FACTOR_VERIFY);
        $this->_successfulAuthenticator = null;

        return $this->_result = $result;
    }

    /**
     * Proceed to webauthn2fa flow after a valid result result
     *
     * @param \Psr\Http\Message\ServerRequestInterface $request response to manipulate
     * @param \Authentication\Authenticator\ResultInterface $result valid result
     * @return \Authentication\Authenticator\ResultInterface with result, request and response keys
     */
    protected function proceedToWebauthn2fa(ServerRequestInterface $request, ResultInterface $result)
    {
        /**
         * @var \Cake\Http\Session $session
         */
        $session = $request->getAttribute('session');
        $session->write(self::WEBAUTHN_2FA_SESSION_KEY, $result->getData());
        $result = new Result(null, self::NEED_WEBAUTHN_2FA_VERIFY);
        $this->_successfulAuthenticator = null;

        return $this->_result = $result;
    }

    /**
     * Proceed to U2f flow after a valid result result
     *
     * @param \Psr\Http\Message\ServerRequestInterface $request response to manipulate
     * @param \Authentication\Authenticator\ResultInterface $result valid result
     * @return \Authentication\Authenticator\ResultInterface with result, request and response keys
     */
    protected function proceedToU2f(ServerRequestInterface $request, ResultInterface $result)
    {
        /**
         * @var \Cake\Http\Session $session
         */
        $session = $request->getAttribute('session');
        $session->write(self::U2F_SESSION_KEY, $result->getData());
        $result = new Result(null, self::NEED_U2F_VERIFY);
        $this->_successfulAuthenticator = null;

        return $this->_result = $result;
    }

    /**
     * Get the configured one-time password authentication checker
     *
     * @return \CakeDC\Auth\Authentication\OneTimePasswordAuthenticationCheckerInterface
     */
    protected function getOneTimePasswordAuthenticationChecker()
    {
        return (new OneTimePasswordAuthenticationCheckerFactory())->build();
    }

    /**
     * Get the configured u2f authentication checker
     *
     * @return \CakeDC\Auth\Authentication\Webauthn2FAuthenticationCheckerInterface
     */
    protected function getWebauthn2fAuthenticationChecker()
    {
        return (new Webauthn2fAuthenticationCheckerFactory())->build();
    }

    /**
     * Get the configured u2f authentication checker
     *
     * @return \CakeDC\Auth\Authentication\U2fAuthenticationCheckerInterface
     */
    protected function getU2fAuthenticationChecker()
    {
        return (new U2fAuthenticationCheckerFactory())->build();
    }

    /**
     * {@inheritDoc}
     *
     * @throws \RuntimeException Throws a runtime exception when no authenticators are loaded.
     */
    public function authenticate(ServerRequestInterface $request): ResultInterface
    {
        if ($this->authenticators()->isEmpty()) {
            throw new RuntimeException(
                'No authenticators loaded. You need to load at least one authenticator.'
            );
        }

        $result = null;
        foreach ($this->authenticators() as $authenticator) {
            $result = $authenticator->authenticate($request);
            if ($result->isValid()) {
                $skipTwoFactorVerify = $authenticator->getConfig('skipTwoFactorVerify');
                $userData = $result->getData();
                if ($userData instanceof EntityInterface) {
                    $userData = $userData->toArray();
                }
                $webauthn2faChecker = $this->getWebauthn2fAuthenticationChecker();
                if ($skipTwoFactorVerify !== true && $webauthn2faChecker->isRequired($userData)) {
                    return $this->proceedToWebauthn2fa($request, $result);
                }

                $u2fCheck = $this->getU2fAuthenticationChecker();
                if ($skipTwoFactorVerify !== true && $u2fCheck->isRequired($userData)) {
                    return $this->proceedToU2f($request, $result);
                }

                $otpCheck = $this->getOneTimePasswordAuthenticationChecker();
                if ($skipTwoFactorVerify !== true && $otpCheck->isRequired($userData)) {
                    return $this->proceedToGoogleVerify($request, $result);
                }

                $this->_successfulAuthenticator = $authenticator;
                $this->_result = $result;

                return $this->_result = $result;
            } else {
                $this->failures[] = new Failure($authenticator, $result);
            }

            if ($authenticator instanceof StatelessInterface) {
                $authenticator->unauthorizedChallenge($request);
            }
        }

        $this->_successfulAuthenticator = null;

        return $this->_result = $result;
    }

    /**
     * Get list the list of failures processed
     *
     * @return \CakeDC\Auth\Authentication\Failure[]
     */
    public function getFailures()
    {
        return $this->failures;
    }
}