Etusivu Tutki Apua
Rekisteröidy Kirjaudu sisään
yo
/
gitote
peilaus alkaen https://gitlab.com/gitote/gitote
Tarkkaile 1
Äänestä 1
Fork 0
Tiedostot Ongelmat 0 Wiki
Branch: master
Branchit Tagit
gitote
/
models
/
two_factor.go

two_factor.go 5.9 KB
Pysyvä linkki Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205 
  1. // Copyright 2015 - Present, The Gogs Authors. All rights reserved.
    2. 

  2. // Copyright 2018 - Present, Gitote. All rights reserved.
    3. 

  3. //
    4. 

  4. // This source code is licensed under the MIT license found in the
    5. 

  5. // LICENSE file in the root directory of this source tree.
    6. 

  6. 

  7. package models
    8. 

  8. 

  9. import (
    10. 

  10. 	"encoding/base64"
    11. 

  11. 	"fmt"
    12. 

  12. 	"gitote/gitote/models/errors"
    13. 

  13. 	"gitote/gitote/pkg/setting"
    14. 

  14. 	"gitote/gitote/pkg/tool"
    15. 

  15. 	"strings"
    16. 

  16. 	"time"
    17. 

  17. 

  18. 	"github.com/go-xorm/xorm"
    19. 

  19. 	"github.com/pquerna/otp/totp"
    20. 

  20. 	"gitlab.com/gitote/com"
    21. 

  21. 	log "gopkg.in/clog.v1"
    22. 

  22. )
    23. 

  23. 

  24. // TwoFactor represents a two-factor authentication token.
    25. 

  25. type TwoFactor struct {
    26. 

  26. 	ID          int64
    27. 

  27. 	UserID      int64 `xorm:"UNIQUE"`
    28. 

  28. 	Secret      string
    29. 

  29. 	Created     time.Time `xorm:"-" json:"-"`
    30. 

  30. 	CreatedUnix int64
    31. 

  31. }
    32. 

  32. 

  33. // BeforeInsert will be invoked by XORM before inserting a record
    34. 

  34. func (t *TwoFactor) BeforeInsert() {
    35. 

  35. 	t.CreatedUnix = time.Now().Unix()
    36. 

  36. }
    37. 

  37. 

  38. // AfterSet is invoked from XORM after setting the values of all fields of this object.
    39. 

  39. func (t *TwoFactor) AfterSet(colName string, _ xorm.Cell) {
    40. 

  40. 	switch colName {
    41. 

  41. 	case "created_unix":
    42. 

  42. 		t.Created = time.Unix(t.CreatedUnix, 0).Local()
    43. 

  43. 	}
    44. 

  44. }
    45. 

  45. 

  46. // ValidateTOTP returns true if given passcode is valid for two-factor authentication token.
    47. 

  47. // It also returns possible validation error.
    48. 

  48. func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error) {
    49. 

  49. 	secret, err := base64.StdEncoding.DecodeString(t.Secret)
    50. 

  50. 	if err != nil {
    51. 

  51. 		return false, fmt.Errorf("DecodeString: %v", err)
    52. 

  52. 	}
    53. 

  53. 	decryptSecret, err := com.AESGCMDecrypt(tool.MD5Bytes(setting.SecretKey), secret)
    54. 

  54. 	if err != nil {
    55. 

  55. 		return false, fmt.Errorf("AESGCMDecrypt: %v", err)
    56. 

  56. 	}
    57. 

  57. 	return totp.Validate(passcode, string(decryptSecret)), nil
    58. 

  58. }
    59. 

  59. 

  60. // IsUserEnabledTwoFactor returns true if user has enabled two-factor authentication.
    61. 

  61. func IsUserEnabledTwoFactor(userID int64) bool {
    62. 

  62. 	has, err := x.Where("user_id = ?", userID).Get(new(TwoFactor))
    63. 

  63. 	if err != nil {
    64. 

  64. 		log.Error(2, "IsUserEnabledTwoFactor [user_id: %d]: %v", userID, err)
    65. 

  65. 	}
    66. 

  66. 	return has
    67. 

  67. }
    68. 

  68. 

  69. func generateRecoveryCodes(userID int64) ([]*TwoFactorRecoveryCode, error) {
    70. 

  70. 	recoveryCodes := make([]*TwoFactorRecoveryCode, 10)
    71. 

  71. 	for i := 0; i < 10; i++ {
    72. 

  72. 		code, err := tool.RandomString(10)
    73. 

  73. 		if err != nil {
    74. 

  74. 			return nil, fmt.Errorf("RandomString: %v", err)
    75. 

  75. 		}
    76. 

  76. 		recoveryCodes[i] = &TwoFactorRecoveryCode{
    77. 

  77. 			UserID: userID,
    78. 

  78. 			Code:   strings.ToLower(code[:5] + "-" + code[5:]),
    79. 

  79. 		}
    80. 

  80. 	}
    81. 

  81. 	return recoveryCodes, nil
    82. 

  82. }
    83. 

  83. 

  84. // NewTwoFactor creates a new two-factor authentication token and recovery codes for given user.
    85. 

  85. func NewTwoFactor(userID int64, secret string) error {
    86. 

  86. 	t := &TwoFactor{
    87. 

  87. 		UserID: userID,
    88. 

  88. 	}
    89. 

  89. 

  90. 	// Encrypt secret
    91. 

  91. 	encryptSecret, err := com.AESGCMEncrypt(tool.MD5Bytes(setting.SecretKey), []byte(secret))
    92. 

  92. 	if err != nil {
    93. 

  93. 		return fmt.Errorf("AESGCMEncrypt: %v", err)
    94. 

  94. 	}
    95. 

  95. 	t.Secret = base64.StdEncoding.EncodeToString(encryptSecret)
    96. 

  96. 

  97. 	recoveryCodes, err := generateRecoveryCodes(userID)
    98. 

  98. 	if err != nil {
    99. 

  99. 		return fmt.Errorf("generateRecoveryCodes: %v", err)
    100. 

  100. 	}
    101. 

  101. 

  102. 	sess := x.NewSession()
    103. 

  103. 	defer sess.Close()
    104. 

  104. 	if err = sess.Begin(); err != nil {
    105. 

  105. 		return err
    106. 

  106. 	}
    107. 

  107. 

  108. 	if _, err = sess.Insert(t); err != nil {
    109. 

  109. 		return fmt.Errorf("insert two-factor: %v", err)
    110. 

  110. 	} else if _, err = sess.Insert(recoveryCodes); err != nil {
    111. 

  111. 		return fmt.Errorf("insert recovery codes: %v", err)
    112. 

  112. 	}
    113. 

  113. 

  114. 	return sess.Commit()
    115. 

  115. }
    116. 

  116. 

  117. // GetTwoFactorByUserID returns two-factor authentication token of given user.
    118. 

  118. func GetTwoFactorByUserID(userID int64) (*TwoFactor, error) {
    119. 

  119. 	t := new(TwoFactor)
    120. 

  120. 	has, err := x.Where("user_id = ?", userID).Get(t)
    121. 

  121. 	if err != nil {
    122. 

  122. 		return nil, err
    123. 

  123. 	} else if !has {
    124. 

  124. 		return nil, errors.TwoFactorNotFound{userID}
    125. 

  125. 	}
    126. 

  126. 

  127. 	return t, nil
    128. 

  128. }
    129. 

  129. 

  130. // DeleteTwoFactor removes two-factor authentication token and recovery codes of given user.
    131. 

  131. func DeleteTwoFactor(userID int64) (err error) {
    132. 

  132. 	sess := x.NewSession()
    133. 

  133. 	defer sess.Close()
    134. 

  134. 	if err = sess.Begin(); err != nil {
    135. 

  135. 		return err
    136. 

  136. 	}
    137. 

  137. 

  138. 	if _, err = sess.Where("user_id = ?", userID).Delete(new(TwoFactor)); err != nil {
    139. 

  139. 		return fmt.Errorf("delete two-factor: %v", err)
    140. 

  140. 	} else if err = deleteRecoveryCodesByUserID(sess, userID); err != nil {
    141. 

  141. 		return fmt.Errorf("deleteRecoveryCodesByUserID: %v", err)
    142. 

  142. 	}
    143. 

  143. 

  144. 	return sess.Commit()
    145. 

  145. }
    146. 

  146. 

  147. // TwoFactorRecoveryCode represents a two-factor authentication recovery code.
    148. 

  148. type TwoFactorRecoveryCode struct {
    149. 

  149. 	ID     int64
    150. 

  150. 	UserID int64
    151. 

  151. 	Code   string `xorm:"VARCHAR(11)"`
    152. 

  152. 	IsUsed bool
    153. 

  153. }
    154. 

  154. 

  155. // GetRecoveryCodesByUserID returns all recovery codes of given user.
    156. 

  156. func GetRecoveryCodesByUserID(userID int64) ([]*TwoFactorRecoveryCode, error) {
    157. 

  157. 	recoveryCodes := make([]*TwoFactorRecoveryCode, 0, 10)
    158. 

  158. 	return recoveryCodes, x.Where("user_id = ?", userID).Find(&recoveryCodes)
    159. 

  159. }
    160. 

  160. 

  161. func deleteRecoveryCodesByUserID(e Engine, userID int64) error {
    162. 

  162. 	_, err := e.Where("user_id = ?", userID).Delete(new(TwoFactorRecoveryCode))
    163. 

  163. 	return err
    164. 

  164. }
    165. 

  165. 

  166. // RegenerateRecoveryCodes regenerates new set of recovery codes for given user.
    167. 

  167. func RegenerateRecoveryCodes(userID int64) error {
    168. 

  168. 	recoveryCodes, err := generateRecoveryCodes(userID)
    169. 

  169. 	if err != nil {
    170. 

  170. 		return fmt.Errorf("generateRecoveryCodes: %v", err)
    171. 

  171. 	}
    172. 

  172. 

  173. 	sess := x.NewSession()
    174. 

  174. 	defer sess.Close()
    175. 

  175. 	if err = sess.Begin(); err != nil {
    176. 

  176. 		return err
    177. 

  177. 	}
    178. 

  178. 

  179. 	if err = deleteRecoveryCodesByUserID(sess, userID); err != nil {
    180. 

  180. 		return fmt.Errorf("deleteRecoveryCodesByUserID: %v", err)
    181. 

  181. 	} else if _, err = sess.Insert(recoveryCodes); err != nil {
    182. 

  182. 		return fmt.Errorf("insert new recovery codes: %v", err)
    183. 

  183. 	}
    184. 

  184. 

  185. 	return sess.Commit()
    186. 

  186. }
    187. 

  187. 

  188. // UseRecoveryCode validates recovery code of given user and marks it is used if valid.
    189. 

  189. func UseRecoveryCode(userID int64, code string) error {
    190. 

  190. 	recoveryCode := new(TwoFactorRecoveryCode)
    191. 

  191. 	has, err := x.Where("code = ?", code).And("is_used = ?", false).Get(recoveryCode)
    192. 

  192. 	if err != nil {
    193. 

  193. 		return fmt.Errorf("get unused code: %v", err)
    194. 

  194. 	} else if !has {
    195. 

  195. 		return errors.TwoFactorRecoveryCodeNotFound{code}
    196. 

  196. 	}
    197. 

  197. 

  198. 	recoveryCode.IsUsed = true
    199. 

  199. 	if _, err = x.Id(recoveryCode.ID).Cols("is_used").Update(recoveryCode); err != nil {
    200. 

  200. 		return fmt.Errorf("mark code as used: %v", err)
    201. 

  201. 	}
    202. 

  202. 

  203. 	return nil
    204. 

  204. }
    205. 

  205.