47 implement token enrollment via validatecheck (#48)

lukasmatusiewicz · web-flow · commit de7718321c6a · 2022-12-16T11:55:47.000+01:00
* Update challenge and consts with image

* implement imgs

* Update the tests

* Update WebAuthn.java

* Update PIResponse.java
diff --git a/src/main/java/org/privacyidea/Challenge.java b/src/main/java/org/privacyidea/Challenge.java
@@ -23,13 +23,15 @@ public class Challenge
     private final List<String> attributes = new ArrayList<>();
     private final String serial;
     private final String message;
+    private final String image;
     private final String transaction_id;
     private final String type;
 
-    public Challenge(String serial, String message, String transaction_id, String type)
+    public Challenge(String serial, String message, String image, String transaction_id, String type)
     {
         this.serial = serial;
         this.message = message;
+        this.image = image;
         this.transaction_id = transaction_id;
         this.type = type;
     }
@@ -49,6 +51,8 @@ public String getMessage()
         return message;
     }
 
+    public String getImage() { return image; }
+
     public String getTransactionID()
     {
         return transaction_id;
diff --git a/src/main/java/org/privacyidea/JSONParser.java b/src/main/java/org/privacyidea/JSONParser.java
@@ -23,6 +23,7 @@
 import static org.privacyidea.PIConstants.DETAIL;
 import static org.privacyidea.PIConstants.ERROR;
 import static org.privacyidea.PIConstants.ID;
+import static org.privacyidea.PIConstants.IMAGE;
 import static org.privacyidea.PIConstants.INFO;
 import static org.privacyidea.PIConstants.JSONRPC;
 import static org.privacyidea.PIConstants.MAXFAIL;
@@ -185,6 +186,7 @@ public PIResponse parsePIResponse(String serverResponse)
             JsonObject detail = obj.getAsJsonObject(DETAIL);
             response.preferredClientMode = getString(detail, PREFERRED_CLIENT_MODE);
             response.message = getString(detail, MESSAGE);
+            response.image = getString(detail, IMAGE);
             response.serial = getString(detail, SERIAL);
             response.transactionID = getString(detail, TRANSACTION_ID);
             response.type = getString(detail, TYPE);
@@ -211,22 +213,23 @@ public PIResponse parsePIResponse(String serverResponse)
                                                         .getAsJsonObject();
                     String serial = getString(challenge, SERIAL);
                     String message = getString(challenge, MESSAGE);
+                    String image = getString(challenge, IMAGE);
                     String transactionid = getString(challenge, TRANSACTION_ID);
                     String type = getString(challenge, TYPE);
 
                     if (TOKEN_TYPE_WEBAUTHN.equals(type))
                     {
                         String webAuthnSignRequest = getSignRequestFromAttributes(WEBAUTHN_SIGN_REQUEST, challenge);
-                        response.multichallenge.add(new WebAuthn(serial, message, transactionid, webAuthnSignRequest));
+                        response.multichallenge.add(new WebAuthn(serial, message, image, transactionid, webAuthnSignRequest));
                     }
                     else if (TOKEN_TYPE_U2F.equals(type))
                     {
                         String u2fSignRequest = getSignRequestFromAttributes(U2F_SIGN_REQUEST, challenge);
-                        response.multichallenge.add(new U2F(serial, message, transactionid, u2fSignRequest));
+                        response.multichallenge.add(new U2F(serial, message, image, transactionid, u2fSignRequest));
                     }
                     else
                     {
-                        response.multichallenge.add(new Challenge(serial, message, transactionid, type));
+                        response.multichallenge.add(new Challenge(serial, message, image, transactionid, type));
                     }
                 }
             }
@@ -356,6 +359,7 @@ private TokenInfo parseSingleTokenInfo(String json)
         info.revoked = getBoolean(obj, "revoked");
         info.rolloutState = getString(obj, "rollout_state");
         info.serial = getString(obj, SERIAL);
+        info.image = getString(obj, IMAGE);
         info.syncWindow = getInt(obj, "sync_window");
         info.tokenType = getString(obj, "tokentype");
         info.userEditable = getBoolean(obj, "user_editable");
diff --git a/src/main/java/org/privacyidea/PIConstants.java b/src/main/java/org/privacyidea/PIConstants.java
@@ -64,6 +64,7 @@ private PIConstants()
     public static final String TOKEN = "token";
     public static final String PREFERRED_CLIENT_MODE = "preferred_client_mode";
     public static final String MESSAGE = "message";
+    public static final String IMAGE = "image";
     public static final String MESSAGES = "messages";
     public static final String MULTI_CHALLENGE = "multi_challenge";
     public static final String ATTRIBUTES = "attributes";
diff --git a/src/main/java/org/privacyidea/PIResponse.java b/src/main/java/org/privacyidea/PIResponse.java
@@ -37,6 +37,7 @@ public class PIResponse
     public List<Challenge> multichallenge = new ArrayList<>();
     public String transactionID = "";
     public String serial = "";
+    public String image = "";
     public int id = 0;
     public String jsonRPCVersion = "";
     public boolean status = false;
@@ -170,27 +171,6 @@ public String mergedSignRequest()
         }
     }
 
-    /**
-     * Get all U2F challenges from the multi_challenge.
-     *
-     * @return List of U2F objects or empty list
-     */
-    public List<U2F> u2fSignRequests()
-    {
-        List<U2F> ret = new ArrayList<>();
-        multichallenge.stream()
-                      .filter(c -> TOKEN_TYPE_U2F.equals(c.getType()))
-                      .collect(Collectors.toList())
-                      .forEach(c ->
-                               {
-                                   if (c instanceof U2F)
-                                   {
-                                       ret.add((U2F) c);
-                                   }
-                               });
-        return ret;
-    }
-
     @Override
     public String toString()
     {
diff --git a/src/main/java/org/privacyidea/PrivacyIDEA.java b/src/main/java/org/privacyidea/PrivacyIDEA.java
@@ -44,6 +44,7 @@
 import static org.privacyidea.PIConstants.POST;
 import static org.privacyidea.PIConstants.REALM;
 import static org.privacyidea.PIConstants.SERIAL;
+import static org.privacyidea.PIConstants.IMAGE;
 import static org.privacyidea.PIConstants.TRANSACTION_ID;
 import static org.privacyidea.PIConstants.TYPE;
 import static org.privacyidea.PIConstants.USER;
diff --git a/src/main/java/org/privacyidea/TokenInfo.java b/src/main/java/org/privacyidea/TokenInfo.java
@@ -40,6 +40,7 @@ public class TokenInfo
     boolean revoked = false;
     String rolloutState = "";
     String serial = "";
+    String image = "";
     int syncWindow = 0;
     String tokenType = "";
     boolean userEditable = false;
diff --git a/src/main/java/org/privacyidea/U2F.java b/src/main/java/org/privacyidea/U2F.java
@@ -19,9 +19,9 @@ public class U2F extends Challenge
 {
     private final String signRequest;
 
-    public U2F(String serial, String message, String transaction_id, String signRequest)
+    public U2F(String serial, String message, String image, String transaction_id, String signRequest)
     {
-        super(serial, message, transaction_id, PIConstants.TOKEN_TYPE_U2F);
+        super(serial, message, image, transaction_id, PIConstants.TOKEN_TYPE_U2F);
         this.signRequest = signRequest;
     }
 
diff --git a/src/main/java/org/privacyidea/WebAuthn.java b/src/main/java/org/privacyidea/WebAuthn.java
@@ -15,13 +15,16 @@
  */
 package org.privacyidea;
 
+import java.util.Collections;
+import java.util.Map;
+
 public class WebAuthn extends Challenge
 {
     private final String signRequest;
 
-    public WebAuthn(String serial, String message, String transaction_id, String signRequest)
+    public WebAuthn(String serial, String message, String image, String transaction_id, String signRequest)
     {
-        super(serial, message, transaction_id, PIConstants.TOKEN_TYPE_WEBAUTHN);
+        super(serial, message, image, transaction_id, PIConstants.TOKEN_TYPE_WEBAUTHN);
         this.signRequest = signRequest;
     }
 
diff --git a/src/test/java/org/privacyidea/TestGetTokenInfo.java b/src/test/java/org/privacyidea/TestGetTokenInfo.java
@@ -38,14 +38,15 @@ public class TestGetTokenInfo
     private final String realm = "realm";
     private final String serviceAccount = "admin";
     private final String servicePassword = "admin";
+    private final String serviceRealm = "realm";
 
     @Before
     public void setup()
     {
         mockServer = ClientAndServer.startClientAndServer(1080);
 
         privacyIDEA = PrivacyIDEA.newBuilder("https://127.0.0.1:1080", "test")
-                                 .serviceAccount(serviceAccount, servicePassword).realm(realm).sslVerify(false)
+                                 .serviceAccount(serviceAccount, servicePassword).serviceRealm(serviceRealm).disableLog().sslVerify(false)
                                  .logger(new PILogImplementation()).build();
     }
 
@@ -66,7 +67,7 @@ public void testSuccess()
                         "\"signature\":\"rsa_sha256_pss:58c4eed1...5247c47e3e\"}";
 
         mockServer.when(HttpRequest.request().withPath(PIConstants.ENDPOINT_AUTH).withMethod("POST").withBody(
-                          "username=" + serviceAccount + "&password=" + servicePassword + "&realm=" + realm))
+                          "username=" + serviceAccount + "&password=" + servicePassword + "&realm=" + serviceRealm))
                   .respond(HttpResponse.response()
                                        // This response is simplified because it is very long and contains info that is not (yet) processed anyway
                                        .withBody("{\n" + "    \"id\": 1,\n" + "    \"jsonrpc\": \"2.0\",\n" +
@@ -116,6 +117,8 @@ public void testSuccess()
         assertEquals("5", tokenInfo.userID);
         assertEquals("defrealm", tokenInfo.userRealm);
         assertEquals("Test", tokenInfo.username);
+
+        assertEquals(authToken, privacyIDEA.getAuthToken());
     }
 
     @Test
@@ -144,6 +147,8 @@ public void testNoServiceAccount()
         List<TokenInfo> tokenInfoList = privacyIDEA.getTokenInfo(username);
 
         assertNull(tokenInfoList);
+
+        assertNull(privacyIDEA.getAuthToken());
     }
 
     @After
diff --git a/src/test/java/org/privacyidea/TestPollTransaction.java b/src/test/java/org/privacyidea/TestPollTransaction.java
@@ -87,6 +87,7 @@ public void testPushSynchronous() throws InterruptedException
         assertEquals("Bitte geben Sie einen OTP-Wert ein: ", hotpChallenge.getMessage());
         assertEquals("02659936574063359702", hotpChallenge.getTransactionID());
         assertEquals("hotp", hotpChallenge.getType());
+        assertEquals("", hotpChallenge.getImage());
         assertTrue(hotpChallenge.getAttributes().isEmpty());
 
         Challenge pushChallenge = challenges.stream().filter(c -> c.getSerial().equals("PIPU0001F75E")).findFirst()
diff --git a/src/test/java/org/privacyidea/TestRollout.java b/src/test/java/org/privacyidea/TestRollout.java
@@ -128,6 +128,37 @@ public void testNoServiceAccount()
         assertNull(rolloutInfo);
     }
 
+    @Test
+    public void testRolloutViaValidateCheck()
+    {
+        privacyIDEA = PrivacyIDEA.newBuilder("https://127.0.0.1:1080", "test").sslVerify(false)
+                                 .logger(new PILogImplementation()).build();
+
+        String img = "data:image/png;base64,iVBdgfgsdfgRK5CYII=";
+
+        String response = "{\"detail\":{" + "\"attributes\":null," + "\"message\":\"BittegebenSieeinenOTP-Wertein:\"," +
+                          "\"image\": \"data:image/png;base64,iVBdgfgsdfgRK5CYII=\",\n" +
+                          "\"messages\":[\"BittegebenSieeinenOTP-Wertein:\"]," + "\"multi_challenge\":[{" +
+                          "\"attributes\":null," + "\"message\":\"BittegebenSieeinenOTP-Wertein:\"," +
+                          "\"serial\":\"TOTP00021198\"," + "\"transaction_id\":\"16734787285577957577\"," +
+                          "\"type\":\"totp\"}]," + "\"serial\":\"TOTP00021198\"," + "\"threadid\":140050885818112," +
+                          "\"transaction_id\":\"16734787285577957577\"," +
+                          "\"transaction_ids\":[\"16734787285577957577\"]," + "\"type\":\"totp\"}," + "\"id\":1," +
+                          "\"jsonrpc\":\"2.0\"," + "\"result\":{" + "\"status\":true," + "\"value\":false}," +
+                          "\"time\":1649666174.5351279," + "\"version\":\"privacyIDEA3.6.3\"," +
+                          "\"versionnumber\":\"3.6.3\"," +
+                          "\"signature\":\"rsa_sha256_pss:4b0f0e12c2...89409a2e65c87d27b\"}";
+
+        mockServer.when(HttpRequest.request().withPath(PIConstants.ENDPOINT_VALIDATE_CHECK).withMethod("POST")
+                                   .withBody("user=testuser&pass="))
+                  .respond(HttpResponse.response().withBody(response));
+
+        String username = "testuser";
+        PIResponse responseValidateCheck = privacyIDEA.validateCheck(username, "");
+
+        assertEquals(img, responseValidateCheck.image);
+    }
+
     @After
     public void teardown()
     {
diff --git a/src/test/java/org/privacyidea/TestU2F.java b/src/test/java/org/privacyidea/TestU2F.java
@@ -31,6 +31,7 @@
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.privacyidea.PIConstants.TOKEN_TYPE_U2F;
+import static org.privacyidea.PIConstants.TOKEN_TYPE_WEBAUTHN;
 
 public class TestU2F
 {
@@ -78,6 +79,11 @@ public void testTriggerU2F()
                               "\"versionnumber\":\"3.6.3\"," +
                               "\"signature\":\"rsa_sha256_pss:3e51d814...dccd5694b8c15943e37e1\"}";
 
+        String u2fSignRequest = "{" + "\"appId\":\"https://ttype.u2f\"," +
+                                "\"challenge\":\"TZKiB0VFFMFsnlz00lF5iCqtQduDJf56AeJAY_BT4NU\"," +
+                                "\"keyHandle\":\"UUHmZ4BUFCrt7q88MhlQJYu4G5qB9l7ScjRRxA-M35cTH-uHWyMEpxs4WBzbkjlZqzZW1lC-jDdFd2pKDUsNnA\"," +
+                                "\"version\":\"U2F_V2\"" + "}";
+
         mockServer.when(HttpRequest.request().withPath(PIConstants.ENDPOINT_VALIDATE_CHECK).withMethod("POST").withBody(
                           "user=Test&pass=test"))
                   .respond(HttpResponse.response().withBody(responseBody));
@@ -94,6 +100,21 @@ public void testTriggerU2F()
         assertEquals("rsa_sha256_pss:3e51d814...dccd5694b8c15943e37e1", response.signature);
         assertTrue(response.status);
         assertFalse(response.value);
+
+        Optional<Challenge> opt = response.multiChallenge().stream()
+                                          .filter(challenge -> TOKEN_TYPE_U2F.equals(challenge.getType()))
+                                          .findFirst();
+        Challenge a = opt.get();
+        if (a instanceof U2F)
+        {
+            U2F b = (U2F) a;
+            String trimmedRequest = u2fSignRequest.replaceAll("\n", "").replaceAll(" ", "");
+            assertEquals(trimmedRequest, b.signRequest());
+        }
+        else
+        {
+            fail();
+        }
     }
 
     @Test
diff --git a/src/test/java/org/privacyidea/TestWebAuthn.java b/src/test/java/org/privacyidea/TestWebAuthn.java

Original file line number	Diff line number	Diff line change
`@@ -23,13 +23,15 @@ public class Challenge`
`23`	`23`	`private final List<String> attributes = new ArrayList<>();`
`24`	`24`	`private final String serial;`
`25`	`25`	`private final String message;`
	`26`	`+ private final String image;`
`26`	`27`	`private final String transaction_id;`
`27`	`28`	`private final String type;`
`28`	`29`
`29`		`- public Challenge(String serial, String message, String transaction_id, String type)`
	`30`	`+ public Challenge(String serial, String message, String image, String transaction_id, String type)`
`30`	`31`	`{`
`31`	`32`	`this.serial = serial;`
`32`	`33`	`this.message = message;`
	`34`	`+ this.image = image;`
`33`	`35`	`this.transaction_id = transaction_id;`
`34`	`36`	`this.type = type;`
`35`	`37`	`}`
`@@ -49,6 +51,8 @@ public String getMessage()`
`49`	`51`	`return message;`
`50`	`52`	`}`
`51`	`53`
	`54`	`+ public String getImage() { return image; }`
	`55`	`+`
`52`	`56`	`public String getTransactionID()`
`53`	`57`	`{`
`54`	`58`	`return transaction_id;`
Original file line number	Diff line number	Diff line change
`@@ -19,9 +19,9 @@ public class U2F extends Challenge`
`19`	`19`	`{`
`20`	`20`	`private final String signRequest;`
`21`	`21`
`22`		`- public U2F(String serial, String message, String transaction_id, String signRequest)`
	`22`	`+ public U2F(String serial, String message, String image, String transaction_id, String signRequest)`
`23`	`23`	`{`
`24`		`- super(serial, message, transaction_id, PIConstants.TOKEN_TYPE_U2F);`
	`24`	`+ super(serial, message, image, transaction_id, PIConstants.TOKEN_TYPE_U2F);`
`25`	`25`	`this.signRequest = signRequest;`
`26`	`26`	`}`
`27`	`27`
Original file line number	Diff line number	Diff line change
`@@ -15,13 +15,16 @@`
`15`	`15`	`*/`
`16`	`16`	`package org.privacyidea;`
`17`	`17`
	`18`	`+import java.util.Collections;`
	`19`	`+import java.util.Map;`
	`20`	`+`
`18`	`21`	`public class WebAuthn extends Challenge`
`19`	`22`	`{`
`20`	`23`	`private final String signRequest;`
`21`	`24`
`22`		`- public WebAuthn(String serial, String message, String transaction_id, String signRequest)`
	`25`	`+ public WebAuthn(String serial, String message, String image, String transaction_id, String signRequest)`
`23`	`26`	`{`
`24`		`- super(serial, message, transaction_id, PIConstants.TOKEN_TYPE_WEBAUTHN);`
	`27`	`+ super(serial, message, image, transaction_id, PIConstants.TOKEN_TYPE_WEBAUTHN);`
`25`	`28`	`this.signRequest = signRequest;`
`26`	`29`	`}`
`27`	`30`