4c0e3c5d2f
* Initialized basic outline of TOTP backend using Postgresql backend as template * Updated TOTP backend.go's structure and help string * Updated TOTP path_roles.go's structure and help strings * Updated TOTP path_role_create.go's structure and help strings * Fixed typo in path_roles.go * Fixed errors in path_role_create.go and path_roles.go * Added TOTP secret backend information to cli commands * Fixed build errors in path_roles.go and path_role_create.go * Changed field values of period and digits from uint to int, added uint conversion of period when generating passwords * Initialized TOTP test file based on structure of postgresql test file * Added enforcement of input values * Added otp library to vendor folder * Added test steps and cleaned up errors * Modified read credential test step, not working yet * Use of vendored package not allowed - Test error * Removed vendor files for TOTP library * Revert "Removed vendor files for TOTP library" This reverts commit fcd030994bc1741dbf490f3995944e091b11da61. * Hopefully fixed vendor folder issue with TOTP Library * Added additional tests for TOTP backend * Cleaned up comments in TOTP backend_test.go * Added default values of period, algorithm and digits to field schema * Changed account_name and issuer fields to optional * Removed MD5 as a hash algorithm option * Implemented requested pull request changes * Added ability to validate TOTP codes * Added ability to have a key generated * Added skew, qr size and key size parameters * Reset vendor.json prior to merge * Readded otp and barcode libraries to vendor.json * Modified help strings for path_role_create.go * Fixed test issue in testAccStepReadRole * Cleaned up error formatting, variable names and path names. Also added some additional documentation * Moveed barcode and url output to key creation function and did some additional cleanup based on requested changes * Added ability to pass in TOTP urls * Added additional tests for TOTP server functions * Removed unused QRSize, URL and Generate members of keyEntry struct * Removed unnecessary urlstring variable from pathKeyCreate * Added website documentation for TOTP secret backend * Added errors if generate is true and url or key is passed, removed logger from backend, and revised parameter documentation. * Updated website documentation and added QR example * Added exported variable and ability to disable QR generation, cleaned up error reporting, changed default skew value, updated documentation and added additional tests * Updated API documentation to inlude to exported variable and qr size option * Cleaned up return statements in path_code, added error handling while validating codes and clarified documentation for generate parameters in path_keys
201 lines
4.1 KiB
Go
201 lines
4.1 KiB
Go
/**
|
|
* Copyright 2014 Paul Querna
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*
|
|
*/
|
|
|
|
package otp
|
|
|
|
import (
|
|
"github.com/boombuler/barcode"
|
|
"github.com/boombuler/barcode/qr"
|
|
|
|
"crypto/md5"
|
|
"crypto/sha1"
|
|
"crypto/sha256"
|
|
"crypto/sha512"
|
|
"errors"
|
|
"fmt"
|
|
"hash"
|
|
"image"
|
|
"net/url"
|
|
"strings"
|
|
)
|
|
|
|
// Error when attempting to convert the secret from base32 to raw bytes.
|
|
var ErrValidateSecretInvalidBase32 = errors.New("Decoding of secret as base32 failed.")
|
|
|
|
// The user provided passcode length was not expected.
|
|
var ErrValidateInputInvalidLength = errors.New("Input length unexpected")
|
|
|
|
// When generating a Key, the Issuer must be set.
|
|
var ErrGenerateMissingIssuer = errors.New("Issuer must be set")
|
|
|
|
// When generating a Key, the Account Name must be set.
|
|
var ErrGenerateMissingAccountName = errors.New("AccountName must be set")
|
|
|
|
// Key represents an TOTP or HTOP key.
|
|
type Key struct {
|
|
orig string
|
|
url *url.URL
|
|
}
|
|
|
|
// NewKeyFromURL creates a new Key from an TOTP or HOTP url.
|
|
//
|
|
// The URL format is documented here:
|
|
// https://github.com/google/google-authenticator/wiki/Key-Uri-Format
|
|
//
|
|
func NewKeyFromURL(orig string) (*Key, error) {
|
|
u, err := url.Parse(orig)
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &Key{
|
|
orig: orig,
|
|
url: u,
|
|
}, nil
|
|
}
|
|
|
|
func (k *Key) String() string {
|
|
return k.orig
|
|
}
|
|
|
|
// Image returns an QR-Code image of the specified width and height,
|
|
// suitable for use by many clients like Google-Authenricator
|
|
// to enroll a user's TOTP/HOTP key.
|
|
func (k *Key) Image(width int, height int) (image.Image, error) {
|
|
b, err := qr.Encode(k.orig, qr.M, qr.Auto)
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
b, err = barcode.Scale(b, width, height)
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return b, nil
|
|
}
|
|
|
|
// Type returns "hotp" or "totp".
|
|
func (k *Key) Type() string {
|
|
return k.url.Host
|
|
}
|
|
|
|
// Issuer returns the name of the issuing organization.
|
|
func (k *Key) Issuer() string {
|
|
q := k.url.Query()
|
|
|
|
issuer := q.Get("issuer")
|
|
|
|
if issuer != "" {
|
|
return issuer
|
|
}
|
|
|
|
p := strings.TrimPrefix(k.url.Path, "/")
|
|
i := strings.Index(p, ":")
|
|
|
|
if i == -1 {
|
|
return ""
|
|
}
|
|
|
|
return p[:i]
|
|
}
|
|
|
|
// AccountName returns the name of the user's account.
|
|
func (k *Key) AccountName() string {
|
|
p := strings.TrimPrefix(k.url.Path, "/")
|
|
i := strings.Index(p, ":")
|
|
|
|
if i == -1 {
|
|
return p
|
|
}
|
|
|
|
return p[i+1:]
|
|
}
|
|
|
|
// Secret returns the opaque secret for this Key.
|
|
func (k *Key) Secret() string {
|
|
q := k.url.Query()
|
|
|
|
return q.Get("secret")
|
|
}
|
|
|
|
// Algorithm represents the hashing function to use in the HMAC
|
|
// operation needed for OTPs.
|
|
type Algorithm int
|
|
|
|
const (
|
|
AlgorithmSHA1 Algorithm = iota
|
|
AlgorithmSHA256
|
|
AlgorithmSHA512
|
|
AlgorithmMD5
|
|
)
|
|
|
|
func (a Algorithm) String() string {
|
|
switch a {
|
|
case AlgorithmSHA1:
|
|
return "SHA1"
|
|
case AlgorithmSHA256:
|
|
return "SHA256"
|
|
case AlgorithmSHA512:
|
|
return "SHA512"
|
|
case AlgorithmMD5:
|
|
return "MD5"
|
|
}
|
|
panic("unreached")
|
|
}
|
|
|
|
func (a Algorithm) Hash() hash.Hash {
|
|
switch a {
|
|
case AlgorithmSHA1:
|
|
return sha1.New()
|
|
case AlgorithmSHA256:
|
|
return sha256.New()
|
|
case AlgorithmSHA512:
|
|
return sha512.New()
|
|
case AlgorithmMD5:
|
|
return md5.New()
|
|
}
|
|
panic("unreached")
|
|
}
|
|
|
|
// Digits represents the number of digits present in the
|
|
// user's OTP passcode. Six and Eight are the most common values.
|
|
type Digits int
|
|
|
|
const (
|
|
DigitsSix Digits = 6
|
|
DigitsEight Digits = 8
|
|
)
|
|
|
|
// Format converts an integer into the zero-filled size for this Digits.
|
|
func (d Digits) Format(in int32) string {
|
|
f := fmt.Sprintf("%%0%dd", d)
|
|
return fmt.Sprintf(f, in)
|
|
}
|
|
|
|
// Length returns the number of characters for this Digits.
|
|
func (d Digits) Length() int {
|
|
return int(d)
|
|
}
|
|
|
|
func (d Digits) String() string {
|
|
return fmt.Sprintf("%d", d)
|
|
}
|