Re-add WebID-TLS auth code

Author: dmitrizagidulin

lib/api/authn/index.js

@@ -29,6 +29,7 @@ function setUserHeader (req, res, next) {
 
 module.exports = {
   oidc: require('./webid-oidc'),
+  tls: require('./webid-tls'),
   overrideWith,
   setUserHeader
 }

lib/api/authn/webid-tls.js

@@ -0,0 +1,45 @@
+module.exports = handler
+module.exports.authenticate = authenticate
+
+var webid = require('webid/tls')
+var debug = require('../../debug').authentication
+
+function authenticate () {
+  return handler
+}
+
+function handler (req, res, next) {
+  // User already logged in? skip
+  if (req.session.userId && req.session.identified) {
+    debug('User: ' + req.session.userId)
+    res.set('User', req.session.userId)
+    return next()
+  }
+
+  var certificate = req.connection.getPeerCertificate()
+  // Certificate is empty? skip
+  if (certificate === null || Object.keys(certificate).length === 0) {
+    debug('No client certificate found in the request. Did the user click on a cert?')
+    setEmptySession(req)
+    return next()
+  }
+
+  // Verify webid
+  webid.verify(certificate, function (err, result) {
+    if (err) {
+      debug('Error processing certificate: ' + err.message)
+      setEmptySession(req)
+      return next()
+    }
+    req.session.userId = result
+    req.session.identified = true
+    debug('Identified user: ' + req.session.userId)
+    res.set('User', req.session.userId)
+    return next()
+  })
+}
+
+function setEmptySession (req) {
+  req.session.userId = ''
+  req.session.identified = false
+}

lib/api/index.js

@@ -3,5 +3,6 @@
 module.exports = {
   authn: require('./authn'),
   oidc: require('./authn/webid-oidc'),
+  tls: require('./authn/webid-tls'),
   accounts: require('./accounts/user-accounts')
 }

lib/create-app.js

@@ -174,7 +174,16 @@ function initWebId (argv, app, ldp) {
 function initAuthentication (argv, app) {
   let authMethod = argv.auth
 
+  if (argv.forceUser) {
+    app.use('/', API.authn.overrideWith(argv.forceUser))
+    return
+  }
+
   switch (authMethod) {
+    case 'tls':
+      // Enforce authentication with WebID-TLS on all LDP routes
+      app.use('/', API.tls.authenticate())
+      break
     case 'oidc':
       let oidc = OidcManager.fromServerConfig(argv)
       app.locals.oidc = oidc
@@ -189,15 +198,12 @@ function initAuthentication (argv, app) {
       // Enforce authentication with WebID-OIDC on all LDP routes
       app.use('/', oidc.rs.authenticate())
 
-      if (argv.forceUser) {
-        app.use('/', API.authn.overrideWith(argv.forceUser))
-      }
+      app.use('/', API.authn.setUserHeader)
+
       break
     default:
       throw new TypeError('Unsupported authentication scheme')
   }
-
-  app.use('/', API.authn.setUserHeader)
 }
 
 /**

lib/create-server.js

@@ -58,6 +58,10 @@ function createServer (argv, app) {
       cert: cert
     }
 
+    if (ldp.webid && ldp.auth === 'tls') {
+      credentials.requestCert = true
+    }
+
     server = https.createServer(credentials, app)
   }
 

lib/requests/create-account-request.js

@@ -1,6 +1,7 @@
 'use strict'
 
 const AuthRequest = require('./auth-request')
+const WebIdTlsCertificate = require('../models/webid-tls-certificate')
 const debug = require('../debug').accounts
 
 /**
@@ -72,6 +73,9 @@ class CreateAccountRequest extends AuthRequest {
         options.password = req.body.password
         options.userStore = locals.oidc.users
         return new CreateOidcAccountRequest(options)
+      case 'tls':
+        options.spkac = req.body.spkac
+        return new CreateTlsAccountRequest(options)
       default:
         throw new TypeError('Unsupported authentication scheme')
     }
@@ -255,5 +259,112 @@ class CreateOidcAccountRequest extends CreateAccountRequest {
   }
 }
 
+/**
+ * Models a Create Account request for a server using WebID-TLS as primary
+ * authentication mode. Handles generating and saving a TLS certificate, etc.
+ *
+ * @class CreateTlsAccountRequest
+ * @extends CreateAccountRequest
+ */
+class CreateTlsAccountRequest extends CreateAccountRequest {
+  /**
+   * @constructor
+   *
+   * @param [options={}] {Object} See `CreateAccountRequest` constructor docstring
+   * @param [options.spkac] {string}
+   */
+  constructor (options = {}) {
+    super(options)
+    this.spkac = options.spkac
+    this.certificate = null
+  }
+
+  /**
+   * Generates a new X.509v3 RSA certificate (if `spkac` was passed in) and
+   * adds it to the user account. Used for storage in an agent's WebID
+   * Profile, for WebID-TLS authentication.
+   *
+   * @param userAccount {UserAccount}
+   * @param userAccount.webId {string} An agent's WebID URI
+   *
+   * @throws {Error} HTTP 400 error if errors were encountering during
+   *   certificate generation.
+   *
+   * @return {Promise<UserAccount>} Chainable
+   */
+  generateTlsCertificate (userAccount) {
+    if (!this.spkac) {
+      debug('Missing spkac param, not generating cert during account creation')
+      return Promise.resolve(userAccount)
+    }
+
+    return Promise.resolve()
+      .then(() => {
+        let host = this.accountManager.host
+        return WebIdTlsCertificate.fromSpkacPost(this.spkac, userAccount, host)
+          .generateCertificate()
+      })
+      .catch(err => {
+        err.status = 400
+        err.message = 'Error generating a certificate: ' + err.message
+        throw err
+      })
+      .then(certificate => {
+        debug('Generated a WebID-TLS certificate as part of account creation')
+        this.certificate = certificate
+        return userAccount
+      })
+  }
+
+  /**
+   * Generates a WebID-TLS certificate and saves it to the user's profile
+   * graph.
+   *
+   * @param userAccount {UserAccount}
+   *
+   * @return {Promise<UserAccount>} Chainable
+   */
+  saveCredentialsFor (userAccount) {
+    return this.generateTlsCertificate(userAccount)
+      .then(userAccount => {
+        if (this.certificate) {
+          return this.accountManager
+            .addCertKeyToProfile(this.certificate, userAccount)
+            .then(() => {
+              debug('Saved generated WebID-TLS certificate to profile')
+            })
+        } else {
+          debug('No certificate generated, no need to save to profile')
+        }
+      })
+      .then(() => {
+        return userAccount
+      })
+  }
+
+  /**
+   * Writes the generated TLS certificate to the http Response object.
+   *
+   * @param userAccount {UserAccount}
+   *
+   * @return {UserAccount} Chainable
+   */
+  sendResponse (userAccount) {
+    let res = this.response
+    res.set('User', userAccount.webId)
+    res.status(200)
+
+    if (this.certificate) {
+      res.set('Content-Type', 'application/x-x509-user-cert')
+      res.send(this.certificate.toDER())
+    } else {
+      res.end()
+    }
+
+    return userAccount
+  }
+}
+
 module.exports = CreateAccountRequest
 module.exports.CreateAccountRequest = CreateAccountRequest
+module.exports.CreateTlsAccountRequest = CreateTlsAccountRequest