Merge pull request #3 from simplesamlphp/library

Remove copy of old yubico library and replace it with surfnet library
simplesamlphp · Dec 9, 2021 · b64b54e · b64b54e
2 parents 43bd616 + 88469f6
commit b64b54e
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 203 deletions.
diff --git a/composer.json b/composer.json
@@ -34,7 +34,8 @@
 
         "simplesamlphp/assert": "~0.2.7",
         "simplesamlphp/composer-module-installer": "~1.1",
-        "simplesamlphp/simplesamlphp": "^2.0.0-beta.2"
+        "simplesamlphp/simplesamlphp": "^2.0.0-beta.2",
+        "surfnet/yubikey-api-client": "^2.2"
     },
     "require-dev": {
         "simplesamlphp/simplesamlphp-test-framework": "^1.1.4"

diff --git a/lib/Auth/Source/YubiKey.php b/lib/Auth/Source/YubiKey.php
@@ -3,51 +3,35 @@
 namespace SimpleSAML\Module\authYubiKey\Auth\Source;
 
 use Exception;
+use GuzzleHttp\Client as GuzzleClient;
 use SimpleSAML\Assert\Assert;
 use SimpleSAML\Auth;
 use SimpleSAML\Error;
 use SimpleSAML\Logger;
 use SimpleSAML\Module;
 use SimpleSAML\Utils;
-
-/*
- * Copyright (C) 2009  Andreas Åkre Solberg <andreas.solberg@uninett.no>
- * Copyright (C) 2009  Simon Josefsson <simon@yubico.com>.
- *
- * This file is part of SimpleSAMLphp
- *
- * SimpleSAMLphp is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public License
- * as published by the Free Software Foundation; either version 3 of
- * the License, or (at your option) any later version.
- *
- * SimpleSAMLphp is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License License along with GNU SASL Library; if not, write to the
- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
- * Boston, MA 02110-1301, USA.
- *
- */
+use Surfnet\YubikeyApiClient\Crypto\RandomNonceGenerator;
+use Surfnet\YubikeyApiClient\Crypto\Signer;
+use Surfnet\YubikeyApiClient\Http\ServerPoolClient;
+use Surfnet\YubikeyApiClient\Otp;
+use Surfnet\YubikeyApiClient\Service\OtpVerificationResult;
+use Surfnet\YubikeyApiClient\Service\VerificationService;
 
 /**
  * YubiKey authentication module, see http://www.yubico.com/developers/intro/
  *
  * Configure it by adding an entry to config/authsources.php such as this:
  *
  *    'yubikey' => [
- *        'authYubiKey:YubiKey',
+ *        'authYubikey:YubiKey',
  *        'id' => 997,
  *        'key' => 'b64hmackey',
  *    ],
  *
  * To generate your own client id/key you will need one YubiKey, and then
  * go to http://yubico.com/developers/api/
  *
- * @package SimpleSAMLphp
+ * @package simplesamlphp/simplesamlphp-module-authYubikey
  */
 
 class YubiKey extends Auth\Source
@@ -203,27 +187,36 @@ public static function getYubiKeyPrefix(string $otp): string
      * @param string $otp
      * @return array Associative array with the users attributes.
      */
-    protected function login(string $otp): array
+    protected function login(string $userInputOtp): array
     {
-        require_once dirname(dirname(dirname(dirname(__FILE__)))) . '/libextinc/Yubico.php';
+        $service = new VerificationService(
+            new ServerPoolClient(new GuzzleClient()),
+            new RandomNonceGenerator(),
+            new Signer($this->yubi_key),
+            $this->yubi_id
+        );
 
-        $yubi = new \Auth_Yubico($this->yubi_id, $this->yubi_key);
-        try {
-            $yubi->verify($otp);
-            $uid = self::getYubiKeyPrefix($otp);
-            $attributes = ['uid' => [$uid]];
-        } catch (Exception $e) {
-            Logger::info(
-                'YubiKey:' . $this->authId . ': Validation error (otp ' . $otp . '), debug output: '
-                . $yubi->getLastResponse()
-            );
-            throw new Error\Error('WRONGUSERPASS', $e);
+        if (!Otp::isValid($userInputOtp)) {
+            throw new Error\Exception('User-entered OTP string is not valid.');
         }
 
-        Logger::info(
-            'YubiKey:' . $this->authId . ': YubiKey otp ' . $otp . ' validated successfully: '
-            . $yubi->getLastResponse()
-        );
-        return $attributes;
+        $otp = Otp::fromString($userInputOtp);
+        $result = $service->verify($otp);
+
+        if ($result->isSuccessful()) {
+            // Yubico verified OTP.
+
+            Logger::info(sprintf(
+                'YubiKey:%s: YubiKey otp %s validated successfully: %s',
+                $this->authId,
+                $userInputOtp,
+                $result::STATUS_OK
+            ));
+
+            $uid = self::getYubiKeyPrefix($userInputOtp);
+            return ['uid' => [$uid]];
+        }
+
+        throw new Error\Error($result->getError());
     }
 }
diff --git a/libextinc/Yubico.php b/libextinc/Yubico.php