Use of org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult in project cas by apereo.
The class OAuth20CasAuthenticationBuilder, method build.
/**
 * Builds a CAS {@link Authentication} from a pac4j user profile.
 *
 * <p>The principal is created from the profile id plus the attributes returned by
 * {@code getPrincipalAttributesFromProfile}. The OAuth {@code scope}, {@code state} and
 * {@code nonce} request parameters are read from the current request and recorded as
 * authentication attributes; {@code state} and {@code nonce} fall back to the empty string
 * when blank. These three values are taken from the request as-is (only defaulted), so
 * consumers of the resulting attributes must not treat them as validated.
 *
 * @param profile           the given user profile
 * @param registeredService the registered service (only referenced in the debug log here)
 * @param context           the web context carrying the current request
 * @param service           the service
 * @return the built authentication
 */
public Authentication build(final UserProfile profile, final OAuthRegisteredService registeredService, final J2EContext context, final Service service) {
    final Map<String, Object> attributes = getPrincipalAttributesFromProfile(profile);
    final Principal principal = this.principalFactory.createPrincipal(profile.getId(), attributes);
    LOGGER.debug("Created final principal [{}] after filtering attributes based on [{}]", principal, registeredService);

    // The profile class name doubles as the "handler" name recorded in the success map.
    final String handlerName = profile.getClass().getCanonicalName();
    final CredentialMetaData credentialMetaData = new BasicCredentialMetaData(new BasicIdentifiableCredential(profile.getId()));
    final AuthenticationHandlerExecutionResult success =
        new DefaultAuthenticationHandlerExecutionResult(handlerName, credentialMetaData, principal, new ArrayList<>());

    final Set<Object> requestedScopes = CollectionUtils.toCollection(context.getRequest().getParameterValues(OAuth20Constants.SCOPE));
    final String stateValue = StringUtils.defaultIfBlank(context.getRequestParameter(OAuth20Constants.STATE), StringUtils.EMPTY);
    final String nonceValue = StringUtils.defaultIfBlank(context.getRequestParameter(OAuth20Constants.NONCE), StringUtils.EMPTY);
    LOGGER.debug("OAuth [{}] is [{}], and [{}] is [{}]", OAuth20Constants.STATE, stateValue, OAuth20Constants.NONCE, nonceValue);

    final AuthenticationBuilder authenticationBuilder = DefaultAuthenticationBuilder.newInstance();
    /*
     * pac4j UserProfile.getPermissions() and getRoles() return an UnmodifiableSet, which the Jackson
     * serializer happily writes to JSON but cannot read back. Copy both into a HashSet to avoid that.
     */
    authenticationBuilder.addAttribute("permissions", new HashSet<>(profile.getPermissions()));
    authenticationBuilder.addAttribute("roles", new HashSet<>(profile.getRoles()));
    authenticationBuilder.addAttribute("scopes", requestedScopes);
    authenticationBuilder.addAttribute(OAuth20Constants.STATE, stateValue);
    authenticationBuilder.addAttribute(OAuth20Constants.NONCE, nonceValue);
    authenticationBuilder.addCredential(credentialMetaData);
    authenticationBuilder.setPrincipal(principal);
    authenticationBuilder.setAuthenticationDate(ZonedDateTime.now());
    authenticationBuilder.addSuccess(handlerName, success);

    collectionAuthenticationAttributesIfNecessary(profile, authenticationBuilder);
    return authenticationBuilder.build();
}
Use of org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult in project cas by apereo.
The class AbstractOAuth20Tests, method getAuthentication.
/**
 * Builds a minimal successful {@link Authentication} for the given principal.
 *
 * <p>The credential metadata wraps the principal id, the handler name recorded in the
 * success map is the principal's canonical class name, and the authentication date is
 * the current time in the system default zone.
 *
 * @param principal the principal the authentication is issued for
 * @return the assembled authentication
 */
protected static Authentication getAuthentication(final Principal principal) {
    final String handlerName = principal.getClass().getCanonicalName();
    final CredentialMetaData credentialMetaData =
        new BasicCredentialMetaData(new BasicIdentifiableCredential(principal.getId()));
    final AuthenticationHandlerExecutionResult success =
        new DefaultAuthenticationHandlerExecutionResult(handlerName, credentialMetaData, principal, new ArrayList<>());
    return DefaultAuthenticationBuilder.newInstance()
        .setPrincipal(principal)
        .setAuthenticationDate(ZonedDateTime.now())
        .addCredential(credentialMetaData)
        .addSuccess(handlerName, success)
        .build();
}
Use of org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult in project cas by apereo.
The class OAuth20ProfileControllerTests, method getAuthentication.
/**
 * Creates a test {@link Authentication} whose only credential and only success entry
 * are derived from the given principal.
 *
 * <p>The identifiable credential carries the principal id; the success map is keyed by
 * the principal's canonical class name; the authentication date is "now" in the system
 * default zone.
 *
 * @param principal the principal to authenticate
 * @return the assembled authentication
 */
protected static Authentication getAuthentication(final Principal principal) {
    final BasicIdentifiableCredential idCredential = new BasicIdentifiableCredential(principal.getId());
    final CredentialMetaData meta = new BasicCredentialMetaData(idCredential);
    final String authenticatorName = principal.getClass().getCanonicalName();
    final AuthenticationHandlerExecutionResult result =
        new DefaultAuthenticationHandlerExecutionResult(authenticatorName, meta, principal, new ArrayList<>());
    return DefaultAuthenticationBuilder.newInstance()
        .setPrincipal(principal)
        .addCredential(meta)
        .setAuthenticationDate(ZonedDateTime.now())
        .addSuccess(authenticatorName, result)
        .build();
}
Use of org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult in project cas by apereo.
The class OAuth20DefaultCasAuthenticationBuilder, method build.
/**
 * Builds a CAS {@link Authentication} from a pac4j user profile.
 *
 * <p>Profile attributes are copied and converted to multi-valued form before the principal is
 * created. The OAuth {@code state} and {@code nonce} values are resolved from the web context
 * first and from {@code OAuth20Utils.getRequestParameter} second, defaulting to the empty string.
 * The registered service's client id, the requested scopes, and (when present) the {@code acr_values}
 * parameter are recorded as authentication attributes. All request-derived attributes are stored as
 * received, so downstream consumers must not assume they have been validated here.
 *
 * @param profile           the given user profile
 * @param registeredService the registered service whose client id is recorded
 * @param context           the web context carrying the current request
 * @param service           the service
 * @return the built authentication
 */
@Override
public Authentication build(final UserProfile profile, final OAuthRegisteredService registeredService, final WebContext context, final Service service) {
    val copiedAttributes = new HashMap<>(profile.getAttributes());
    val principalAttributes = CoreAuthenticationUtils.convertAttributeValuesToMultiValuedObjects(copiedAttributes);
    val principal = principalFactory.createPrincipal(profile.getId(), principalAttributes);
    LOGGER.debug("Created final principal [{}] after filtering attributes based on [{}]", principal, registeredService);

    // The profile class name doubles as the "handler" name recorded in the success map.
    val handlerName = profile.getClass().getCanonicalName();
    val credentialMetaData = new BasicCredentialMetaData(new BasicIdentifiableCredential(profile.getId()));
    val success = new DefaultAuthenticationHandlerExecutionResult(handlerName, credentialMetaData, principal, new ArrayList<>(0));

    val requestedScopes = OAuth20Utils.getRequestedScopes(context);
    val state = context.getRequestParameter(OAuth20Constants.STATE)
        .map(String::valueOf)
        .or(() -> OAuth20Utils.getRequestParameter(context, OAuth20Constants.STATE))
        .orElse(StringUtils.EMPTY);
    val nonce = context.getRequestParameter(OAuth20Constants.NONCE)
        .map(String::valueOf)
        .or(() -> OAuth20Utils.getRequestParameter(context, OAuth20Constants.NONCE))
        .orElse(StringUtils.EMPTY);
    LOGGER.debug("OAuth [{}] is [{}], and [{}] is [{}]", OAuth20Constants.STATE, state, OAuth20Constants.NONCE, nonce);

    val authenticationBuilder = DefaultAuthenticationBuilder.newInstance();
    // Profiles carrying their own authentication attributes contribute them first.
    if (profile instanceof BasicUserProfile) {
        authenticationBuilder.addAttributes(((BasicUserProfile) profile).getAuthenticationAttributes());
    }
    // LinkedHashSet copies keep the sets serializable while preserving the profile's ordering.
    authenticationBuilder.addAttribute("permissions", new LinkedHashSet<>(profile.getPermissions()));
    authenticationBuilder.addAttribute("roles", new LinkedHashSet<>(profile.getRoles()));
    authenticationBuilder.addAttribute("scopes", requestedScopes);
    authenticationBuilder.addAttribute(OAuth20Constants.STATE, state);
    authenticationBuilder.addAttribute(OAuth20Constants.NONCE, nonce);
    authenticationBuilder.addAttribute(OAuth20Constants.CLIENT_ID, registeredService.getClientId());
    authenticationBuilder.addCredential(credentialMetaData);
    authenticationBuilder.setPrincipal(principal);
    authenticationBuilder.setAuthenticationDate(ZonedDateTime.now(ZoneOffset.UTC));
    authenticationBuilder.addSuccess(handlerName, success);
    context.getRequestParameter(OAuth20Constants.ACR_VALUES)
        .ifPresent(acrValues -> authenticationBuilder.addAttribute(OAuth20Constants.ACR_VALUES, acrValues));
    return authenticationBuilder.build();
}
Use of org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult in project cas by apereo.
The class X509CredentialsAuthenticationHandlerTests, method getTestParameters.
/**
 * Gets the unit test parameters.
 *
 * <p>Each argument tuple is {@code (handler, credential, supportsCredential, expectedResult, expectedException)}.
 * Cases expected to authenticate carry the result built by {@link #successFor}; cases expected to fail
 * carry the exception instead. Handler constructor booleans and integers are kept positional, matching
 * the handler's constructors — see the handler class for their meaning.
 *
 * @return Test parameter data.
 */
@SuppressWarnings("PMD.ExcessiveMethodLength")
public static Stream<Arguments> getTestParameters() {
    val cases = new ArrayList<Arguments>();
    val matchAll = RegexUtils.createPattern(".*");
    val jasigSubject = RegexUtils.createPattern("CN=\\w+,OU=CAS,O=Jasig,L=Westminster,ST=Colorado,C=US");

    /* Test case #1: Unsupported credential type */
    var handler = new X509CredentialsAuthenticationHandler(matchAll);
    cases.add(arguments(handler, new UsernamePasswordCredential(), false, null, null));

    /* Test case #2: Valid certificate */
    handler = new X509CredentialsAuthenticationHandler(matchAll);
    var credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    cases.add(arguments(handler, credential, true, successFor(handler, credential), null));

    /* Test case #3: Expired certificate */
    handler = new X509CredentialsAuthenticationHandler(matchAll);
    cases.add(arguments(handler, new X509CertificateCredential(createCertificates("user-expired.crt")), true, null, new CertificateExpiredException()));

    /* Test case #4: Untrusted issuer */
    handler = new X509CredentialsAuthenticationHandler(jasigSubject, true, false, false);
    cases.add(arguments(handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, null, new FailedLoginException()));

    /* Test case #5: Disallowed subject */
    handler = new X509CredentialsAuthenticationHandler(matchAll, true, jasigSubject);
    cases.add(arguments(handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, null, new FailedLoginException()));

    /* Test case #6: Check key usage on a cert without keyUsage extension */
    handler = new X509CredentialsAuthenticationHandler(matchAll, false, true, false);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    cases.add(arguments(handler, credential, true, successFor(handler, credential), null));

    /* Test case #7: Require key usage on a cert without keyUsage extension */
    handler = new X509CredentialsAuthenticationHandler(matchAll, false, true, true);
    cases.add(arguments(handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, null, new FailedLoginException()));

    /* Test case #8: Require key usage on a cert with acceptable keyUsage extension values */
    handler = new X509CredentialsAuthenticationHandler(matchAll, false, true, true);
    credential = new X509CertificateCredential(createCertificates("user-valid-keyUsage.crt"));
    cases.add(arguments(handler, credential, true, successFor(handler, credential), null));

    /* Test case #9: Require key usage on a cert with unacceptable keyUsage extension values */
    handler = new X509CredentialsAuthenticationHandler(matchAll, false, true, true);
    cases.add(arguments(handler, new X509CertificateCredential(createCertificates("user-invalid-keyUsage.crt")), true, null, new FailedLoginException()));

    /*
     * Revocation tests
     */
    /* Test case #10: Valid certificate with CRL checking */
    var checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(matchAll, checker);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    // The credential passed to the handler is a separate instance from the one in the expected result;
    // both wrap the same certificate file.
    cases.add(arguments(handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, successFor(handler, credential), null));

    /* Test case #11: Revoked end user certificate */
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(matchAll, checker);
    cases.add(arguments(handler, new X509CertificateCredential(createCertificates("user-revoked.crt")), true, null, new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), null)));

    /* Test case #12: Valid certificate on expired CRL data */
    val zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-expired.crl"), null, zeroThresholdPolicy);
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(matchAll, checker);
    cases.add(arguments(handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, null, new ExpiredCRLException(null, ZonedDateTime.now(ZoneOffset.UTC))));

    /* Test case #13: Certificate not allowed (the subject pattern matches nothing) */
    handler = new X509CredentialsAuthenticationHandler(matchAll, false, RegexUtils.MATCH_NOTHING_PATTERN);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    cases.add(arguments(handler, credential, true, successFor(handler, credential), new FailedLoginException()));

    /* Test case #14: basic-constraints value of Integer.MAX_VALUE against a handler int argument of 0 */
    // NOTE(review): the trailing int looks like a path-length limit — confirm against the handler constructor.
    handler = new X509CredentialsAuthenticationHandler(matchAll, false, 0);
    var certificate = new CasX509Certificate(true);
    certificate.setBasicConstraints(Integer.MAX_VALUE);
    credential = new X509CertificateCredential(Stream.of(certificate).toArray(X509Certificate[]::new));
    cases.add(arguments(handler, credential, true, successFor(handler, credential), new FailedLoginException()));

    /* Test case #15: basic-constraints value of 10 against a handler int argument of 1 */
    handler = new X509CredentialsAuthenticationHandler(matchAll, false, 1);
    certificate = new CasX509Certificate(true);
    certificate.setBasicConstraints(10);
    credential = new X509CertificateCredential(Stream.of(certificate).toArray(X509Certificate[]::new));
    cases.add(arguments(handler, credential, true, successFor(handler, credential), new FailedLoginException()));

    /* Test case #16: generated certificate with key usage set, expected to authenticate */
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".+"), true, true, false);
    certificate = new CasX509Certificate(true);
    certificate.setKeyUsage(true);
    credential = new X509CertificateCredential(Stream.of(certificate).toArray(X509Certificate[]::new));
    cases.add(arguments(handler, credential, true, successFor(handler, credential), null));

    return cases.stream();
}

/**
 * Builds the execution result expected from a successful authentication of {@code credential}
 * by {@code handler}; the principal is created from the credential id.
 *
 * @param handler    the handler under test
 * @param credential the credential the handler is expected to accept
 * @return the expected successful execution result
 */
private static DefaultAuthenticationHandlerExecutionResult successFor(final X509CredentialsAuthenticationHandler handler,
                                                                       final X509CertificateCredential credential) {
    val principal = PrincipalFactoryUtils.newPrincipalFactory().createPrincipal(credential.getId());
    return new DefaultAuthenticationHandlerExecutionResult(handler, credential, principal);
}