Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: e5fac2433f
Branches Tags
helm-externa...
/
pkg
/
generator
/
mfa
/
otp.go

otp.go 4.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package mfa
    16. 

  16. 

  17. import (
    18. 

  18. 	"crypto/hmac"
    19. 

  19. 	"crypto/sha1" //nolint:gosec // not used for encryption purposes
    20. 

  20. 	"crypto/sha256"
    21. 

  21. 	"crypto/sha512"
    22. 

  22. 	"encoding/base32"
    23. 

  23. 	"encoding/binary"
    24. 

  24. 	"errors"
    25. 

  25. 	"fmt"
    26. 

  26. 	"hash"
    27. 

  27. 	"math"
    28. 

  28. 	"strconv"
    29. 

  29. 	"strings"
    30. 

  30. 	"time"
    31. 

  31. )
    32. 

  32. 

  33. const (
    34. 

  34. 	// defaultLength for a token is 6 characters.
    35. 

  35. 	defaultLength = 6
    36. 

  36. 	// defaultTimePeriod for a token is 30 seconds.
    37. 

  37. 	defaultTimePeriod = 30
    38. 

  38. 	// defaultAlgorithm according to the RFC should be sha1.
    39. 

  39. 	defaultAlgorithm = "sha1"
    40. 

  40. )
    41. 

  41. 

  42. // options define configurable values for a TOTP token.
    43. 

  43. type options struct {
    44. 

  44. 	algorithm  string
    45. 

  45. 	when       time.Time
    46. 

  46. 	token      string
    47. 

  47. 	timePeriod int64
    48. 

  48. 	length     int
    49. 

  49. }
    50. 

  50. 

  51. // GeneratorOptionsFunc provides a nice way of configuring the generator while allowing defaults.
    52. 

  52. type GeneratorOptionsFunc func(*options)
    53. 

  53. 

  54. // WithToken can be used to set the token value.
    55. 

  55. func WithToken(token string) GeneratorOptionsFunc {
    56. 

  56. 	return func(o *options) {
    57. 

  57. 		o.token = token
    58. 

  58. 	}
    59. 

  59. }
    60. 

  60. 

  61. // WithTimePeriod sets the time-period for the generated token. Default is 30s.
    62. 

  62. func WithTimePeriod(timePeriod int64) GeneratorOptionsFunc {
    63. 

  63. 	return func(o *options) {
    64. 

  64. 		o.timePeriod = timePeriod
    65. 

  65. 	}
    66. 

  66. }
    67. 

  67. 

  68. // WithLength sets the length of the token. Defaults to 6 digits where the token can start with 0.
    69. 

  69. func WithLength(length int) GeneratorOptionsFunc {
    70. 

  70. 	return func(o *options) {
    71. 

  71. 		o.length = length
    72. 

  72. 	}
    73. 

  73. }
    74. 

  74. 

  75. // WithAlgorithm configures the algorithm. Defaults to sha1.
    76. 

  76. func WithAlgorithm(algorithm string) GeneratorOptionsFunc {
    77. 

  77. 	return func(o *options) {
    78. 

  78. 		o.algorithm = algorithm
    79. 

  79. 	}
    80. 

  80. }
    81. 

  81. 

  82. // WithWhen allows configuring the time when the token is generated from. Defaults to time.Now().
    83. 

  83. func WithWhen(when time.Time) GeneratorOptionsFunc {
    84. 

  84. 	return func(o *options) {
    85. 

  85. 		o.when = when
    86. 

  86. 	}
    87. 

  87. }
    88. 

  88. 

  89. // generateCode generates an N digit TOTP code from the secret token.
    90. 

  90. func generateCode(opts ...GeneratorOptionsFunc) (string, string, error) {
    91. 

  91. 	defaults := &options{
    92. 

  92. 		algorithm:  defaultAlgorithm,
    93. 

  93. 		length:     defaultLength,
    94. 

  94. 		timePeriod: defaultTimePeriod,
    95. 

  95. 		when:       time.Now(),
    96. 

  96. 	}
    97. 

  97. 

  98. 	for _, opt := range opts {
    99. 

  99. 		opt(defaults)
    100. 

  100. 	}
    101. 

  101. 

  102. 	cleanUpToken(defaults)
    103. 

  103. 

  104. 	if defaults.length > math.MaxInt {
    105. 

  105. 		return "", "", errors.New("length too big")
    106. 

  106. 	}
    107. 

  107. 

  108. 	timer := uint64(math.Floor(float64(defaults.when.Unix()) / float64(defaults.timePeriod)))
    109. 

  109. 	remainingTime := defaults.timePeriod - defaults.when.Unix()%defaults.timePeriod
    110. 

  110. 

  111. 	secretBytes, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(defaults.token)
    112. 

  112. 	if err != nil {
    113. 

  113. 		return "", "", fmt.Errorf("failed to generate OTP code: %w", err)
    114. 

  114. 	}
    115. 

  115. 

  116. 	buf := make([]byte, 8)
    117. 

  117. 	shaFunc, err := getAlgorithmFunction(defaults.algorithm)
    118. 

  118. 	if err != nil {
    119. 

  119. 		return "", "", err
    120. 

  120. 	}
    121. 

  121. 	mac := hmac.New(shaFunc, secretBytes)
    122. 

  122. 

  123. 	binary.BigEndian.PutUint64(buf, timer)
    124. 

  124. 	_, _ = mac.Write(buf)
    125. 

  125. 	sum := mac.Sum(nil)
    126. 

  126. 

  127. 	// http://tools.ietf.org/html/rfc4226#section-5.4
    128. 

  128. 	offset := sum[len(sum)-1] & 0xf
    129. 

  129. 	value := ((int(sum[offset]) & 0x7f) << 24) |
    130. 

  130. 		((int(sum[offset+1] & 0xff)) << 16) |
    131. 

  131. 		((int(sum[offset+2] & 0xff)) << 8) |
    132. 

  132. 		(int(sum[offset+3]) & 0xff)
    133. 

  133. 

  134. 	modulo := value % int(math.Pow10(defaults.length))
    135. 

  135. 

  136. 	format := fmt.Sprintf("%%0%dd", defaults.length)
    137. 

  137. 

  138. 	return fmt.Sprintf(format, modulo), strconv.Itoa(int(remainingTime)), nil
    139. 

  139. }
    140. 

  140. 

  141. func cleanUpToken(defaults *options) {
    142. 

  142. 	// Remove all spaces. Providers sometimes make it more readable by fragmentation.
    143. 

  143. 	defaults.token = strings.ReplaceAll(defaults.token, " ", "")
    144. 

  144. 

  145. 	// The token is always uppercase.
    146. 

  146. 	defaults.token = strings.ToUpper(defaults.token)
    147. 

  147. }
    148. 

  148. 

  149. func getAlgorithmFunction(algo string) (func() hash.Hash, error) {
    150. 

  150. 	switch algo {
    151. 

  151. 	case "sha512":
    152. 

  152. 		return sha512.New, nil
    153. 

  153. 	case "sha384":
    154. 

  154. 		return sha512.New384, nil
    155. 

  155. 	case "sha512_256":
    156. 

  156. 		return sha512.New512_256, nil
    157. 

  157. 	case "sha256":
    158. 

  158. 		return sha256.New, nil
    159. 

  159. 	case "sha1":
    160. 

  160. 		return sha1.New, nil
    161. 

  161. 	default:
    162. 

  162. 		return nil, fmt.Errorf("%s for hash function is invalid", algo)
    163. 

  163. 	}
    164. 

  164. }
    165.