tfa: remember recovery indices
and tell the client which keys are still available rather than just yes/no/low Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
This commit is contained in:
parent
8a0046f519
commit
ca1060862e
@ -1088,7 +1088,7 @@ impl TfaUserData {
|
|||||||
#[derive(Deserialize, Serialize)]
|
#[derive(Deserialize, Serialize)]
|
||||||
pub struct Recovery {
|
pub struct Recovery {
|
||||||
secret: String,
|
secret: String,
|
||||||
entries: Vec<String>,
|
entries: Vec<Option<String>>,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Recovery {
|
impl Recovery {
|
||||||
@ -1116,7 +1116,7 @@ impl Recovery {
|
|||||||
AsHex(&b[6..8]),
|
AsHex(&b[6..8]),
|
||||||
);
|
);
|
||||||
|
|
||||||
this.entries.push(this.hash(entry.as_bytes())?);
|
this.entries.push(Some(this.hash(entry.as_bytes())?));
|
||||||
original.push(entry);
|
original.push(entry);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1138,31 +1138,32 @@ impl Recovery {
|
|||||||
Ok(AsHex(&hmac).to_string())
|
Ok(AsHex(&hmac).to_string())
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Shortcut to get the count.
|
/// Iterator over available keys.
|
||||||
fn len(&self) -> usize {
|
fn available(&self) -> impl Iterator<Item = &str> {
|
||||||
self.entries.len()
|
self.entries.iter().filter_map(Option::as_deref)
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Check if this entry is empty.
|
/// Count the available keys.
|
||||||
fn is_empty(&self) -> bool {
|
fn count_available(&self) -> usize {
|
||||||
self.entries.is_empty()
|
self.available().count()
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Convenience serde method to check if either the option is `None` or the content `is_empty`.
|
/// Convenience serde method to check if either the option is `None` or the content `is_empty`.
|
||||||
fn option_is_empty(this: &Option<Self>) -> bool {
|
fn option_is_empty(this: &Option<Self>) -> bool {
|
||||||
this.as_ref().map_or(true, Self::is_empty)
|
this.as_ref()
|
||||||
|
.map_or(true, |this| this.count_available() == 0)
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Verify a key and remove it. Returns whether the key was valid. Errors on openssl errors.
|
/// Verify a key and remove it. Returns whether the key was valid. Errors on openssl errors.
|
||||||
fn verify(&mut self, key: &str) -> Result<bool, Error> {
|
fn verify(&mut self, key: &str) -> Result<bool, Error> {
|
||||||
let hash = self.hash(key.as_bytes())?;
|
let hash = self.hash(key.as_bytes())?;
|
||||||
Ok(match self.entries.iter().position(|entry| *entry == hash) {
|
for entry in &mut self.entries {
|
||||||
Some(index) => {
|
if entry.as_ref() == Some(&hash) {
|
||||||
self.entries.remove(index);
|
*entry = None;
|
||||||
true
|
return Ok(true);
|
||||||
}
|
}
|
||||||
None => false,
|
}
|
||||||
})
|
Ok(false)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1283,45 +1284,38 @@ pub fn verify_challenge(
|
|||||||
}
|
}
|
||||||
|
|
||||||
/// Used to inform the user about the recovery code status.
|
/// Used to inform the user about the recovery code status.
|
||||||
#[derive(Clone, Copy, Eq, PartialEq, Deserialize, Serialize)]
|
///
|
||||||
#[serde(rename_all = "kebab-case")]
|
/// This contains the available key indices.
|
||||||
pub enum RecoveryState {
|
#[derive(Clone, Default, Eq, PartialEq, Deserialize, Serialize)]
|
||||||
Unavailable,
|
pub struct RecoveryState(Vec<usize>);
|
||||||
Low,
|
|
||||||
Available,
|
|
||||||
}
|
|
||||||
|
|
||||||
impl RecoveryState {
|
impl RecoveryState {
|
||||||
fn from_count(count: usize) -> Self {
|
|
||||||
match count {
|
|
||||||
0 => RecoveryState::Unavailable,
|
|
||||||
1..=3 => RecoveryState::Low,
|
|
||||||
_ => RecoveryState::Available,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// serde needs `&self` but this is a tiny Copy type, so we mark this as inline
|
|
||||||
#[inline]
|
|
||||||
fn is_unavailable(&self) -> bool {
|
fn is_unavailable(&self) -> bool {
|
||||||
*self == RecoveryState::Unavailable
|
self.0.is_empty()
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
impl Default for RecoveryState {
|
|
||||||
fn default() -> Self {
|
|
||||||
RecoveryState::Unavailable
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
impl From<&Option<Recovery>> for RecoveryState {
|
impl From<&Option<Recovery>> for RecoveryState {
|
||||||
fn from(r: &Option<Recovery>) -> Self {
|
fn from(r: &Option<Recovery>) -> Self {
|
||||||
match r {
|
match r {
|
||||||
Some(r) => Self::from_count(r.len()),
|
Some(r) => Self::from(r),
|
||||||
None => RecoveryState::Unavailable,
|
None => Self::default(),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl From<&Recovery> for RecoveryState {
|
||||||
|
fn from(r: &Recovery) -> Self {
|
||||||
|
Self(
|
||||||
|
r.entries
|
||||||
|
.iter()
|
||||||
|
.enumerate()
|
||||||
|
.filter_map(|(idx, key)| if key.is_some() { Some(idx) } else { None })
|
||||||
|
.collect(),
|
||||||
|
)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/// When sending a TFA challenge to the user, we include information about what kind of challenge
|
/// When sending a TFA challenge to the user, we include information about what kind of challenge
|
||||||
/// the user may perform. If webauthn credentials are available, a webauthn challenge will be
|
/// the user may perform. If webauthn credentials are available, a webauthn challenge will be
|
||||||
/// included.
|
/// included.
|
||||||
|
Loading…
Reference in New Issue
Block a user