tfa: remember recovery indices

and tell the client which keys are still available rather
than just yes/no/low

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
Wolfgang Bumiller 2021-01-18 12:46:46 +01:00 committed by Thomas Lamprecht
parent 8a0046f519
commit ca1060862e

View File

@ -1088,7 +1088,7 @@ impl TfaUserData {
#[derive(Deserialize, Serialize)] #[derive(Deserialize, Serialize)]
pub struct Recovery { pub struct Recovery {
secret: String, secret: String,
entries: Vec<String>, entries: Vec<Option<String>>,
} }
impl Recovery { impl Recovery {
@ -1116,7 +1116,7 @@ impl Recovery {
AsHex(&b[6..8]), AsHex(&b[6..8]),
); );
this.entries.push(this.hash(entry.as_bytes())?); this.entries.push(Some(this.hash(entry.as_bytes())?));
original.push(entry); original.push(entry);
} }
@ -1138,31 +1138,32 @@ impl Recovery {
Ok(AsHex(&hmac).to_string()) Ok(AsHex(&hmac).to_string())
} }
/// Shortcut to get the count. /// Iterator over available keys.
fn len(&self) -> usize { fn available(&self) -> impl Iterator<Item = &str> {
self.entries.len() self.entries.iter().filter_map(Option::as_deref)
} }
/// Check if this entry is empty. /// Count the available keys.
fn is_empty(&self) -> bool { fn count_available(&self) -> usize {
self.entries.is_empty() self.available().count()
} }
/// Convenience serde method to check if either the option is `None` or the content `is_empty`. /// Convenience serde method to check if either the option is `None` or the content `is_empty`.
fn option_is_empty(this: &Option<Self>) -> bool { fn option_is_empty(this: &Option<Self>) -> bool {
this.as_ref().map_or(true, Self::is_empty) this.as_ref()
.map_or(true, |this| this.count_available() == 0)
} }
/// Verify a key and remove it. Returns whether the key was valid. Errors on openssl errors. /// Verify a key and remove it. Returns whether the key was valid. Errors on openssl errors.
fn verify(&mut self, key: &str) -> Result<bool, Error> { fn verify(&mut self, key: &str) -> Result<bool, Error> {
let hash = self.hash(key.as_bytes())?; let hash = self.hash(key.as_bytes())?;
Ok(match self.entries.iter().position(|entry| *entry == hash) { for entry in &mut self.entries {
Some(index) => { if entry.as_ref() == Some(&hash) {
self.entries.remove(index); *entry = None;
true return Ok(true);
} }
None => false, }
}) Ok(false)
} }
} }
@ -1283,45 +1284,38 @@ pub fn verify_challenge(
} }
/// Used to inform the user about the recovery code status. /// Used to inform the user about the recovery code status.
#[derive(Clone, Copy, Eq, PartialEq, Deserialize, Serialize)] ///
#[serde(rename_all = "kebab-case")] /// This contains the available key indices.
pub enum RecoveryState { #[derive(Clone, Default, Eq, PartialEq, Deserialize, Serialize)]
Unavailable, pub struct RecoveryState(Vec<usize>);
Low,
Available,
}
impl RecoveryState { impl RecoveryState {
fn from_count(count: usize) -> Self {
match count {
0 => RecoveryState::Unavailable,
1..=3 => RecoveryState::Low,
_ => RecoveryState::Available,
}
}
// serde needs `&self` but this is a tiny Copy type, so we mark this as inline
#[inline]
fn is_unavailable(&self) -> bool { fn is_unavailable(&self) -> bool {
*self == RecoveryState::Unavailable self.0.is_empty()
}
}
impl Default for RecoveryState {
fn default() -> Self {
RecoveryState::Unavailable
} }
} }
impl From<&Option<Recovery>> for RecoveryState { impl From<&Option<Recovery>> for RecoveryState {
fn from(r: &Option<Recovery>) -> Self { fn from(r: &Option<Recovery>) -> Self {
match r { match r {
Some(r) => Self::from_count(r.len()), Some(r) => Self::from(r),
None => RecoveryState::Unavailable, None => Self::default(),
} }
} }
} }
impl From<&Recovery> for RecoveryState {
fn from(r: &Recovery) -> Self {
Self(
r.entries
.iter()
.enumerate()
.filter_map(|(idx, key)| if key.is_some() { Some(idx) } else { None })
.collect(),
)
}
}
/// When sending a TFA challenge to the user, we include information about what kind of challenge /// When sending a TFA challenge to the user, we include information about what kind of challenge
/// the user may perform. If webauthn credentials are available, a webauthn challenge will be /// the user may perform. If webauthn credentials are available, a webauthn challenge will be
/// included. /// included.