Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: a67ffae364
Branches Tags
helm-externa...
/
generators
/
v1
/
mfa
/
otp.go

otp.go 4.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166 
  1. /*
    2. 

  2. Copyright © The ESO Authors
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package mfa
    18. 

  18. 

  19. import (
    20. 

  20. 	"crypto/hmac"
    21. 

  21. 	"crypto/sha1" //nolint:gosec // not used for encryption purposes
    22. 

  22. 	"crypto/sha256"
    23. 

  23. 	"crypto/sha512"
    24. 

  24. 	"encoding/base32"
    25. 

  25. 	"encoding/binary"
    26. 

  26. 	"errors"
    27. 

  27. 	"fmt"
    28. 

  28. 	"hash"
    29. 

  29. 	"math"
    30. 

  30. 	"strconv"
    31. 

  31. 	"strings"
    32. 

  32. 	"time"
    33. 

  33. )
    34. 

  34. 

  35. const (
    36. 

  36. 	// defaultLength for a token is 6 characters.
    37. 

  37. 	defaultLength = 6
    38. 

  38. 	// defaultTimePeriod for a token is 30 seconds.
    39. 

  39. 	defaultTimePeriod = 30
    40. 

  40. 	// defaultAlgorithm according to the RFC should be sha1.
    41. 

  41. 	defaultAlgorithm = "sha1"
    42. 

  42. )
    43. 

  43. 

  44. // options define configurable values for a TOTP token.
    45. 

  45. type options struct {
    46. 

  46. 	algorithm  string
    47. 

  47. 	when       time.Time
    48. 

  48. 	token      string
    49. 

  49. 	timePeriod int64
    50. 

  50. 	length     int
    51. 

  51. }
    52. 

  52. 

  53. // GeneratorOptionsFunc provides a nice way of configuring the generator while allowing defaults.
    54. 

  54. type GeneratorOptionsFunc func(*options)
    55. 

  55. 

  56. // WithToken can be used to set the token value.
    57. 

  57. func WithToken(token string) GeneratorOptionsFunc {
    58. 

  58. 	return func(o *options) {
    59. 

  59. 		o.token = token
    60. 

  60. 	}
    61. 

  61. }
    62. 

  62. 

  63. // WithTimePeriod sets the time-period for the generated token. Default is 30s.
    64. 

  64. func WithTimePeriod(timePeriod int64) GeneratorOptionsFunc {
    65. 

  65. 	return func(o *options) {
    66. 

  66. 		o.timePeriod = timePeriod
    67. 

  67. 	}
    68. 

  68. }
    69. 

  69. 

  70. // WithLength sets the length of the token. Defaults to 6 digits where the token can start with 0.
    71. 

  71. func WithLength(length int) GeneratorOptionsFunc {
    72. 

  72. 	return func(o *options) {
    73. 

  73. 		o.length = length
    74. 

  74. 	}
    75. 

  75. }
    76. 

  76. 

  77. // WithAlgorithm configures the algorithm. Defaults to sha1.
    78. 

  78. func WithAlgorithm(algorithm string) GeneratorOptionsFunc {
    79. 

  79. 	return func(o *options) {
    80. 

  80. 		o.algorithm = algorithm
    81. 

  81. 	}
    82. 

  82. }
    83. 

  83. 

  84. // WithWhen allows configuring the time when the token is generated from. Defaults to time.Now().
    85. 

  85. func WithWhen(when time.Time) GeneratorOptionsFunc {
    86. 

  86. 	return func(o *options) {
    87. 

  87. 		o.when = when
    88. 

  88. 	}
    89. 

  89. }
    90. 

  90. 

  91. // generateCode generates an N digit TOTP code from the secret token.
    92. 

  92. func generateCode(opts ...GeneratorOptionsFunc) (string, string, error) {
    93. 

  93. 	defaults := &options{
    94. 

  94. 		algorithm:  defaultAlgorithm,
    95. 

  95. 		length:     defaultLength,
    96. 

  96. 		timePeriod: defaultTimePeriod,
    97. 

  97. 		when:       time.Now(),
    98. 

  98. 	}
    99. 

  99. 

  100. 	for _, opt := range opts {
    101. 

  101. 		opt(defaults)
    102. 

  102. 	}
    103. 

  103. 

  104. 	cleanUpToken(defaults)
    105. 

  105. 

  106. 	if defaults.length > math.MaxInt {
    107. 

  107. 		return "", "", errors.New("length too big")
    108. 

  108. 	}
    109. 

  109. 

  110. 	timer := uint64(math.Floor(float64(defaults.when.Unix()) / float64(defaults.timePeriod)))
    111. 

  111. 	remainingTime := defaults.timePeriod - defaults.when.Unix()%defaults.timePeriod
    112. 

  112. 

  113. 	secretBytes, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(defaults.token)
    114. 

  114. 	if err != nil {
    115. 

  115. 		return "", "", fmt.Errorf("failed to generate OTP code: %w", err)
    116. 

  116. 	}
    117. 

  117. 

  118. 	buf := make([]byte, 8)
    119. 

  119. 	shaFunc, err := getAlgorithmFunction(defaults.algorithm)
    120. 

  120. 	if err != nil {
    121. 

  121. 		return "", "", err
    122. 

  122. 	}
    123. 

  123. 	mac := hmac.New(shaFunc, secretBytes)
    124. 

  124. 

  125. 	binary.BigEndian.PutUint64(buf, timer)
    126. 

  126. 	_, _ = mac.Write(buf)
    127. 

  127. 	sum := mac.Sum(nil)
    128. 

  128. 

  129. 	// http://tools.ietf.org/html/rfc4226#section-5.4
    130. 

  130. 	offset := sum[len(sum)-1] & 0xf
    131. 

  131. 	value := ((int(sum[offset]) & 0x7f) << 24) |
    132. 

  132. 		((int(sum[offset+1] & 0xff)) << 16) |
    133. 

  133. 		((int(sum[offset+2] & 0xff)) << 8) |
    134. 

  134. 		(int(sum[offset+3]) & 0xff)
    135. 

  135. 

  136. 	modulo := value % int(math.Pow10(defaults.length))
    137. 

  137. 

  138. 	format := fmt.Sprintf("%%0%dd", defaults.length)
    139. 

  139. 

  140. 	return fmt.Sprintf(format, modulo), strconv.Itoa(int(remainingTime)), nil
    141. 

  141. }
    142. 

  142. 

  143. func cleanUpToken(defaults *options) {
    144. 

  144. 	// Remove all spaces. Providers sometimes make it more readable by fragmentation.
    145. 

  145. 	defaults.token = strings.ReplaceAll(defaults.token, " ", "")
    146. 

  146. 

  147. 	// The token is always uppercase.
    148. 

  148. 	defaults.token = strings.ToUpper(defaults.token)
    149. 

  149. }
    150. 

  150. 

  151. func getAlgorithmFunction(algo string) (func() hash.Hash, error) {
    152. 

  152. 	switch algo {
    153. 

  153. 	case "sha512":
    154. 

  154. 		return sha512.New, nil
    155. 

  155. 	case "sha384":
    156. 

  156. 		return sha512.New384, nil
    157. 

  157. 	case "sha512_256":
    158. 

  158. 		return sha512.New512_256, nil
    159. 

  159. 	case "sha256":
    160. 

  160. 		return sha256.New, nil
    161. 

  161. 	case "sha1":
    162. 

  162. 		return sha1.New, nil
    163. 

  163. 	default:
    164. 

  164. 		return nil, fmt.Errorf("%s for hash function is invalid", algo)
    165. 

  165. 	}
    166. 

  166. }
    167.