
Example 11 with AuditableExecutionResult

use of org.apereo.cas.audit.AuditableExecutionResult in project cas by apereo.

the class DefaultCentralAuthenticationService method grantServiceTicket.

/**
 * Grants a service ticket for {@code service} on top of an existing ticket-granting ticket.
 * <p>
 * The order of the steps is significant: the registered-service access strategy, the SSO
 * access rules, proxy rules and the authentication policy are all evaluated before any
 * ticket is created, stored or published, so a rejected request never touches the registry.
 *
 * @param ticketGrantingTicketId id of the ticket-granting ticket backing the new service ticket
 * @param service                the service the ticket is requested for
 * @param authenticationResult   authentication result for this request; may be {@code null},
 *                               in which case no credential is treated as having been supplied
 * @return the newly issued service ticket
 * @throws AuthenticationException if the authentication policy cannot be satisfied
 * @throws AbstractTicketException if the ticket-granting ticket is unusable or issuance fails
 */
@Audit(action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
@Timed(name = "GRANT_SERVICE_TICKET_TIMER")
@Metered(name = "GRANT_SERVICE_TICKET_METER")
@Counted(name = "GRANT_SERVICE_TICKET_COUNTER", monotonic = true)
@Override
public ServiceTicket grantServiceTicket(final String ticketGrantingTicketId, final Service service, final AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
    // Null-safe: a missing authentication result means no fresh credential was presented.
    final boolean credentialSupplied = authenticationResult != null && authenticationResult.isCredentialProvided();
    final TicketGrantingTicket tgt = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
    final Service resolvedService = resolveServiceFromAuthenticationRequest(service);
    final RegisteredService definition = this.servicesManager.findServiceBy(resolvedService);

    // Access-strategy enforcement runs first; throwExceptionIfNeeded() surfaces a denial
    // before any ticket state is created.
    final AuditableContext accessContext = AuditableContext.builder()
        .service(resolvedService)
        .ticketGrantingTicket(tgt)
        .registeredService(definition)
        .retrievePrincipalAttributesFromReleasePolicy(Boolean.FALSE)
        .build();
    this.registeredServiceAccessStrategyEnforcer.execute(accessContext).throwExceptionIfNeeded();

    final Authentication requestAuthentication = evaluatePossibilityOfMixedPrincipals(authenticationResult, tgt);
    RegisteredServiceAccessStrategyUtils.ensureServiceSsoAccessIsAllowed(definition, resolvedService, tgt, credentialSupplied);
    evaluateProxiedServiceIfNeeded(resolvedService, tgt, definition);

    // Authentication-policy check: the call is made for its exception side effect only;
    // the returned authentication is deliberately not used here.
    getAuthenticationSatisfiedByPolicy(requestAuthentication, new ServiceContext(resolvedService, definition));

    // Bind the root TGT's authentication to the current thread before issuing the ticket.
    final Authentication rootAuthentication = tgt.getRoot().getAuthentication();
    AuthenticationCredentialsThreadLocalBinder.bindCurrent(rootAuthentication);
    final Principal principal = rootAuthentication.getPrincipal();

    // NOTE(review): the ticket is created for the original {@code service} while the checks above
    // ran against the resolved service — presumably intentional (the resolver maps protocol-level
    // requests back to the concrete client), but worth confirming.
    final ServiceTicketFactory stFactory = (ServiceTicketFactory) this.ticketFactory.get(ServiceTicket.class);
    final ServiceTicket issued = stFactory.create(tgt, service, credentialSupplied, ServiceTicket.class);
    this.ticketRegistry.updateTicket(tgt);
    this.ticketRegistry.addTicket(issued);
    // The service id is abbreviated before it is written to the log.
    LOGGER.info("Granted ticket [{}] for service [{}] and principal [{}]", issued.getId(), DigestUtils.abbreviate(service.getId()), principal.getId());
    doPublishEvent(new CasServiceTicketGrantedEvent(this, tgt, issued));
    return issued;
}

Example 12 with AuditableExecutionResult

use of org.apereo.cas.audit.AuditableExecutionResult in project cas by apereo.

the class ServiceAccessEnforcementAuditResourceResolver method resolveFrom.

/**
 * Renders the audit "resource" for a service-access check from the audited method's return value.
 * <p>
 * The rendered record carries the outcome, and — only when present on the result — the service
 * id, the principal and the attributes the registered service's access strategy required.
 *
 * @param auditableTarget the audited join point (not consulted by this resolver)
 * @param returnValue     the {@link AuditableExecutionResult} returned by the audited method
 * @return a single-element array holding the rendered audit resource
 * @throws NullPointerException if {@code returnValue} is {@code null}
 * @throws ClassCastException   if {@code returnValue} is not an {@link AuditableExecutionResult}
 */
@Override
public String[] resolveFrom(final JoinPoint auditableTarget, final Object returnValue) {
    Objects.requireNonNull(returnValue, "AuditableExecutionResult must not be null");
    final AuditableExecutionResult checkResult = (AuditableExecutionResult) returnValue;
    final String outcome = "Service Access " + BooleanUtils.toString(checkResult.isExecutionFailure(), "Denied", "Granted");

    final ToStringBuilder resource = new ToStringBuilder(this, NO_CLASS_NAME_STYLE);
    resource.append("result", outcome);
    checkResult.getService().ifPresent(svc -> resource.append("service", svc.getId()));
    // NOTE(review): the whole Principal object is appended, so whatever its toString() renders
    // ends up in the audit trail; if only the identifier is intended, append getPrincipal().getId().
    checkResult.getAuthentication().ifPresent(authn -> resource.append("principal", authn.getPrincipal()));
    checkResult.getRegisteredService().ifPresent(definition -> resource.append("requiredAttributes", definition.getAccessStrategy().getRequiredAttributes()));
    return new String[] { resource.toString() };
}

Example 13 with AuditableExecutionResult

use of org.apereo.cas.audit.AuditableExecutionResult in project cas by apereo.

the class DefaultCentralAuthenticationService method createTicketGrantingTicket.

/**
 * Creates a ticket-granting ticket for a completed authentication.
 * <p>
 * When the authentication result names a service, the registered-service access strategy is
 * enforced before the ticket is created and stored; without a service no access check is made.
 *
 * @param authenticationResult the completed authentication result; dereferenced without a null check
 * @return the newly created ticket-granting ticket
 * @throws AuthenticationException if the authentication cannot be accepted
 * @throws AbstractTicketException if the ticket cannot be issued
 */
@Audit(action = "TICKET_GRANTING_TICKET", actionResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name = "CREATE_TICKET_GRANTING_TICKET_TIMER")
@Metered(name = "CREATE_TICKET_GRANTING_TICKET_METER")
@Counted(name = "CREATE_TICKET_GRANTING_TICKET_COUNTER", monotonic = true)
@Override
public TicketGrantingTicket createTicketGrantingTicket(final AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
    final Authentication authn = authenticationResult.getAuthentication();
    final Service requestedService = authenticationResult.getService();
    AuthenticationCredentialsThreadLocalBinder.bindCurrent(authn);

    if (requestedService != null) {
        final Service resolvedService = resolveServiceFromAuthenticationRequest(requestedService);
        LOGGER.debug("Resolved service [{}] from the authentication request", resolvedService);
        final RegisteredService definition = this.servicesManager.findServiceBy(resolvedService);
        // NOTE(review): the registered service is looked up by the resolved service, but the audit
        // context is built with the original requested service (grantServiceTicket passes the
        // resolved one) — confirm this asymmetry is intended.
        final AuditableContext accessContext = AuditableContext.builder()
            .service(requestedService)
            .authentication(authn)
            .registeredService(definition)
            .retrievePrincipalAttributesFromReleasePolicy(Boolean.FALSE)
            .build();
        // A denial surfaces here as an exception, before any ticket is created.
        this.registeredServiceAccessStrategyEnforcer.execute(accessContext).throwExceptionIfNeeded();
    }

    final TicketGrantingTicketFactory tgtFactory = (TicketGrantingTicketFactory) this.ticketFactory.get(TicketGrantingTicket.class);
    final TicketGrantingTicket issued = tgtFactory.create(authn, TicketGrantingTicket.class);
    this.ticketRegistry.addTicket(issued);
    doPublishEvent(new CasTicketGrantingTicketCreatedEvent(this, issued));
    return issued;
}

Example 14 with AuditableExecutionResult

use of org.apereo.cas.audit.AuditableExecutionResult in project cas by apereo.

the class DefaultCentralAuthenticationService method createProxyGrantingTicket.

/**
 * Creates a proxy-granting ticket on top of an existing, unexpired service ticket.
 * <p>
 * Three gates are passed in order before the ticket is issued: the service ticket must exist
 * and be unexpired, the registered-service access strategy must allow the request, and the
 * registered service's proxy policy must permit proxying.
 *
 * @param serviceTicketId      id of the service ticket the proxy-granting ticket derives from
 * @param authenticationResult the proxying party's authentication result
 * @return the newly created proxy-granting ticket
 * @throws AuthenticationException    if the authentication cannot be accepted
 * @throws AbstractTicketException    if the service ticket is missing/expired ({@link InvalidTicketException})
 *                                    or the ticket cannot be issued
 * @throws UnauthorizedProxyingException if the registered service is not allowed to proxy
 */
@Audit(action = "PROXY_GRANTING_TICKET", actionResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name = "CREATE_PROXY_GRANTING_TICKET_TIMER")
@Metered(name = "CREATE_PROXY_GRANTING_TICKET_METER")
@Counted(name = "CREATE_PROXY_GRANTING_TICKET_COUNTER", monotonic = true)
@Override
public ProxyGrantingTicket createProxyGrantingTicket(final String serviceTicketId, final AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
    final Authentication proxyingAuthn = authenticationResult.getAuthentication();
    AuthenticationCredentialsThreadLocalBinder.bindCurrent(proxyingAuthn);

    // Gate 1: the service ticket must be present and unexpired.
    final ServiceTicket st = this.ticketRegistry.getTicket(serviceTicketId, ServiceTicket.class);
    final boolean usable = st != null && !st.isExpired();
    if (!usable) {
        LOGGER.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    // Gate 2: registered-service access strategy.
    // NOTE(review): if findServiceBy returns null, getProxyPolicy() below would NPE unless the
    // enforcer rejects the request first — presumably it does; confirm.
    final RegisteredService definition = this.servicesManager.findServiceBy(st.getService());
    final AuditableContext accessContext = AuditableContext.builder()
        .serviceTicket(st)
        .authenticationResult(authenticationResult)
        .registeredService(definition)
        .build();
    this.registeredServiceAccessStrategyEnforcer.execute(accessContext).throwExceptionIfNeeded();

    // Gate 3: the service's proxy policy.
    if (!definition.getProxyPolicy().isAllowedToProxy()) {
        LOGGER.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", st.getService().getId());
        throw new UnauthorizedProxyingException();
    }

    final ProxyGrantingTicketFactory pgtFactory = (ProxyGrantingTicketFactory) this.ticketFactory.get(ProxyGrantingTicket.class);
    final ProxyGrantingTicket issued = pgtFactory.create(st, proxyingAuthn, ProxyGrantingTicket.class);
    LOGGER.debug("Generated proxy granting ticket [{}] based off of [{}]", issued, serviceTicketId);
    this.ticketRegistry.addTicket(issued);
    doPublishEvent(new CasProxyGrantingTicketCreatedEvent(this, issued));
    return issued;
}

Example 15 with AuditableExecutionResult

use of org.apereo.cas.audit.AuditableExecutionResult in project cas by apereo.

the class CentralAuthenticationServiceImplWithMockitoTests method prepareNewCAS.

/**
 * Builds a fresh {@code DefaultCentralAuthenticationService} wired entirely to mocks before each test.
 * <p>
 * The access-strategy enforcer is stubbed to return a plain {@code new AuditableExecutionResult()},
 * so registered-service access checks do not block any test scenario set up here; tests that
 * need a denial must re-stub the enforcer themselves.
 */
@Before
public void prepareNewCAS() {
    // Mocked authentication with one successful handler result for the test principal.
    this.authentication = mock(Authentication.class);
    when(this.authentication.getAuthenticationDate()).thenReturn(ZonedDateTime.now(ZoneOffset.UTC));
    final CredentialMetaData credentialMeta = new BasicCredentialMetaData(RegisteredServiceTestUtils.getCredentialsWithSameUsernameAndPassword("principal"));
    final Map<String, AuthenticationHandlerExecutionResult> handlerResults = new HashMap<>();
    handlerResults.put("handler1", new DefaultAuthenticationHandlerExecutionResult(mock(AuthenticationHandler.class), credentialMeta));
    when(this.authentication.getCredentials()).thenReturn(Arrays.asList(credentialMeta));
    when(this.authentication.getSuccesses()).thenReturn(handlerResults);
    when(this.authentication.getPrincipal()).thenReturn(new DefaultPrincipalFactory().createPrincipal(PRINCIPAL));

    // First service and its ticket chain, hanging off a shared root TGT.
    final Service firstService = getService(SVC1_ID);
    final ServiceTicket firstSt = createMockServiceTicket(ST_ID, firstService);
    final TicketGrantingTicket rootTgt = createRootTicketGrantingTicket();
    final TicketGrantingTicket firstTgt = createMockTicketGrantingTicket(TGT_ID, firstSt, false, rootTgt, new ArrayList<>());
    when(firstTgt.getProxiedBy()).thenReturn(getService("proxiedBy"));

    // The chained-authentication list is mocked with size 2 so proxying scenarios can be exercised.
    @SuppressWarnings("unchecked")
    final List<Authentication> chainedAuthns = mock(List.class);
    when(chainedAuthns.size()).thenReturn(2);
    when(chainedAuthns.toArray()).thenReturn(new Object[] { this.authentication, this.authentication });
    when(chainedAuthns.get(anyInt())).thenReturn(this.authentication);
    when(firstTgt.getChainedAuthentications()).thenReturn(chainedAuthns);
    when(firstSt.getTicketGrantingTicket()).thenReturn(firstTgt);

    // Second service and ticket chain, sharing the root TGT and the mocked chained authentications.
    final Service secondService = getService(SVC2_ID);
    final ServiceTicket secondSt = createMockServiceTicket(ST2_ID, secondService);
    final TicketGrantingTicket secondTgt = createMockTicketGrantingTicket(TGT2_ID, secondSt, false, rootTgt, chainedAuthns);
    mockTicketRegistry(firstSt, firstTgt, secondSt, secondTgt);

    final ServicesManager smStub = getServicesManager(firstService, secondService);
    final TicketFactory ticketFactoryStub = getTicketFactory();
    final AuthenticationServiceSelectionPlan selectionPlan = new DefaultAuthenticationServiceSelectionPlan(new DefaultAuthenticationServiceSelectionStrategy());
    // Permissive enforcer stub: every access check yields a default (non-failing, presumably) result.
    final AuditableExecution permissiveEnforcer = mock(AuditableExecution.class);
    when(permissiveEnforcer.execute(any())).thenReturn(new AuditableExecutionResult());
    // ticketRegMock is presumably a field populated by mockTicketRegistry(...) above — verify.
    this.cas = new DefaultCentralAuthenticationService(mock(ApplicationEventPublisher.class), ticketRegMock, smStub, mock(LogoutManager.class), ticketFactoryStub, selectionPlan, new AcceptAnyAuthenticationPolicyFactory(), new DefaultPrincipalFactory(), null, permissiveEnforcer);
    this.cas.setApplicationEventPublisher(mock(ApplicationEventPublisher.class));
}
