Use of org.apereo.inspektr.audit.annotation.Audit in project cas by apereo: class OAuth20AuthorizationCodeAuthorizationResponseBuilder, method build.
@Audit(action = AuditableActions.OAUTH2_CODE_RESPONSE,
    actionResolverName = AuditActionResolvers.OAUTH2_CODE_RESPONSE_ACTION_RESOLVER,
    resourceResolverName = AuditResourceResolvers.OAUTH2_CODE_RESPONSE_RESOURCE_RESOLVER)
@Override
public ModelAndView build(final AccessTokenRequestContext holder) throws Exception {
    /*
     * Mint an OAuth authorization code for the request described by holder, register it with
     * the central authentication service, re-persist the owning ticket-granting ticket (when
     * there is one) and answer with a redirect back to the client's redirect URI carrying the code.
     * Any checked failure from ticket creation or registration propagates to the caller.
     */
    val codeFactory = (OAuth20CodeFactory) configurationContext.getTicketFactory().get(OAuth20Code.class);
    val oauthCode = codeFactory.create(
        holder.getService(),
        holder.getAuthentication(),
        holder.getTicketGrantingTicket(),
        holder.getScopes(),
        holder.getCodeChallenge(),
        holder.getCodeChallengeMethod(),
        holder.getClientId(),
        holder.getClaims(),
        holder.getResponseType(),
        holder.getGrantType());
    // NOTE(review): the code ticket object is rendered into the debug log here; whatever its
    // toString exposes (presumably the ticket id, which is the bearer authorization code itself)
    // lands in log storage wherever DEBUG is enabled for this logger -- confirm that is acceptable.
    LOGGER.debug("Generated OAuth code: [{}]", oauthCode);
    configurationContext.getCentralAuthenticationService().addTicket(oauthCode);

    val owningTgt = holder.getTicketGrantingTicket();
    if (owningTgt != null) {
        // Write the TGT back through updateTicket. A failure here is logged and swallowed
        // (the handler returns null) rather than failing the authorization response.
        FunctionUtils.doAndHandle(ticket -> {
            configurationContext.getCentralAuthenticationService().updateTicket(ticket);
        }, (CheckedFunction<Throwable, TicketGrantingTicket>) throwable -> {
            LOGGER.error("Unable to update ticket-granting-ticket [{}]", owningTgt, throwable);
            return null;
        }).accept(owningTgt);
    }
    return buildCallbackViewViaRedirectUri(holder, oauthCode);
}
Use of org.apereo.inspektr.audit.annotation.Audit in project cas by apereo: class AccessTokenGrantAuditableRequestExtractor, method execute.
@Audit(action = AuditableActions.OAUTH2_ACCESS_TOKEN_REQUEST,
    actionResolverName = AuditActionResolvers.OAUTH2_ACCESS_TOKEN_REQUEST_ACTION_RESOLVER,
    resourceResolverName = AuditResourceResolvers.OAUTH2_ACCESS_TOKEN_REQUEST_RESOURCE_RESOLVER)
@Override
public AuditableExecutionResult execute(final AuditableContext auditableContext) {
    /*
     * Run the first configured access-token grant extractor that supports the current
     * request and wrap whatever it extracts as the audited execution result.
     * A missing request or response in the context surfaces as the NoSuchElementException
     * thrown by the no-arg orElseThrow(); a request no extractor supports is reported as
     * UnsupportedOperationException.
     */
    val httpRequest = (HttpServletRequest) auditableContext.getRequest().orElseThrow();
    val httpResponse = (HttpServletResponse) auditableContext.getResponse().orElseThrow();
    val webContext = new JEEContext(httpRequest, httpResponse);

    // First match wins; extractor order is whatever the injected collection provides.
    val extractor = this.accessTokenGrantRequestExtractors
        .stream()
        .filter(candidate -> candidate.supports(webContext))
        .findFirst()
        .orElseThrow(() -> new UnsupportedOperationException("Access token request is not supported"));
    val extracted = extractor.extract(webContext);
    return AuditableExecutionResult.builder().executionResult(extracted).build();
}
Use of org.apereo.inspektr.audit.annotation.Audit in project cas by apereo: class DefaultCentralAuthenticationService, method createTicketGrantingTicket.
@Audit(action = AuditableActions.TICKET_GRANTING_TICKET,
    actionResolverName = AuditActionResolvers.CREATE_TICKET_GRANTING_TICKET_RESOLVER,
    resourceResolverName = AuditResourceResolvers.CREATE_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER)
@Override
public TicketGrantingTicket createTicketGrantingTicket(final AuthenticationResult authenticationResult)
    throws AuthenticationException, AbstractTicketException {
    /*
     * Issue a ticket-granting ticket for an already-completed authentication, store it in the
     * ticket registry and publish a creation event. When the authentication result names a
     * service, that service is resolved and access to it is enforced before any ticket exists.
     */
    val authentication = authenticationResult.getAuthentication();
    AuthenticationCredentialsThreadLocalBinder.bindCurrent(authentication);

    var targetService = authenticationResult.getService();
    if (targetService != null) {
        // Access enforcement runs ahead of ticket creation, so a service that is denied
        // (presumably via an exception from enforceRegisteredServiceAccess) never gets a TGT
        // written to the registry on its behalf.
        targetService = resolveServiceFromAuthenticationRequest(targetService);
        LOGGER.debug("Resolved service [{}] from the authentication request", targetService);
        val registeredService = configurationContext.getServicesManager().findServiceBy(targetService);
        enforceRegisteredServiceAccess(authentication, targetService, registeredService);
    }

    val tgtFactory = (TicketGrantingTicketFactory) configurationContext.getTicketFactory().get(TicketGrantingTicket.class);
    val ticketGrantingTicket = tgtFactory.create(authentication, targetService, TicketGrantingTicket.class);
    // Registry write and event publication are wrapped so checked exceptions are rethrown unchecked.
    FunctionUtils.doUnchecked(ignored -> {
        configurationContext.getTicketRegistry().addTicket(ticketGrantingTicket);
        doPublishEvent(new CasTicketGrantingTicketCreatedEvent(this, ticketGrantingTicket));
    });
    return ticketGrantingTicket;
}
Use of org.apereo.inspektr.audit.annotation.Audit in project cas by apereo: class DefaultCentralAuthenticationService, method createProxyGrantingTicket.
/*
 * Create a proxy-granting ticket on top of an existing service ticket.
 *
 * Order of checks before any ticket is minted:
 *   1. the service ticket must exist in the registry and not be expired;
 *   2. the registered service's access strategy must permit the request;
 *   3. the registered service's proxy policy must allow proxying.
 * Only then is the PGT created, stored and announced via an event.
 *
 * Throws InvalidTicketException for a missing/expired service ticket and
 * UnauthorizedProxyingException when proxying is not allowed (or when the
 * lock-guarded creation yields no ticket). Access-strategy failures surface
 * from throwExceptionIfNeeded().
 */
@Audit(action = AuditableActions.PROXY_GRANTING_TICKET, actionResolverName = AuditActionResolvers.CREATE_PROXY_GRANTING_TICKET_RESOLVER, resourceResolverName = AuditResourceResolvers.CREATE_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER)
@Override
public ProxyGrantingTicket createProxyGrantingTicket(final String serviceTicketId, final AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
    AuthenticationCredentialsThreadLocalBinder.bindCurrent(authenticationResult.getAuthentication());
    val serviceTicket = configurationContext.getTicketRegistry().getTicket(serviceTicketId, ServiceTicket.class);
    // Missing and expired tickets are rejected identically, before any service lookup.
    if (serviceTicket == null || serviceTicket.isExpired()) {
        LOGGER.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }
    val registeredService = configurationContext.getServicesManager().findServiceBy(serviceTicket.getService());
    val ctx = AuditableContext.builder().serviceTicket(serviceTicket).authenticationResult(authenticationResult).registeredService(registeredService).build();
    val result = configurationContext.getRegisteredServiceAccessStrategyEnforcer().execute(ctx);
    // NOTE(review): registeredService is dereferenced unguarded below; this relies on the
    // enforcer rejecting an unknown (null) registered service here -- confirm.
    result.throwExceptionIfNeeded();
    if (!registeredService.getProxyPolicy().isAllowedToProxy()) {
        LOGGER.warn("Service [{}] attempted to proxy, but is not allowed.", serviceTicket.getService().getId());
        throw new UnauthorizedProxyingException();
    }
    // PGT creation runs under a lock keyed by the service ticket id. The supplier is wrapped
    // with Unchecked so checked exceptions from the factory/registry propagate unchecked.
    return configurationContext.getLockRepository().execute(serviceTicket.getId(), Unchecked.supplier(() -> {
        val authentication = authenticationResult.getAuthentication();
        val factory = (ProxyGrantingTicketFactory) configurationContext.getTicketFactory().get(ProxyGrantingTicket.class);
        val proxyGrantingTicket = factory.create(serviceTicket, authentication, ProxyGrantingTicket.class);
        // NOTE(review): the PGT object is written to the debug log; whatever its toString
        // exposes (presumably the ticket id) ends up in logs where DEBUG is on -- confirm.
        LOGGER.debug("Generated proxy granting ticket [{}] based off of [{}]", proxyGrantingTicket, serviceTicketId);
        configurationContext.getTicketRegistry().addTicket(proxyGrantingTicket);
        doPublishEvent(new CasProxyGrantingTicketCreatedEvent(this, proxyGrantingTicket));
        return proxyGrantingTicket;
    // An empty result from the lock repository (e.g. the lock could not be taken -- presumably;
    // the repository's contract is not visible here) is reported as an authorization failure.
    })).orElseThrow(UnauthorizedProxyingException::new);
}
Use of org.apereo.inspektr.audit.annotation.Audit in project cas by apereo: class SurrogateSelectionAction, method doExecute.
@Audit(action = AuditableActions.SURROGATE_AUTHENTICATION_ELIGIBILITY_SELECTION,
    actionResolverName = AuditActionResolvers.SURROGATE_AUTHENTICATION_ELIGIBILITY_SELECTION_ACTION_RESOLVER,
    resourceResolverName = AuditResourceResolvers.SURROGATE_AUTHENTICATION_ELIGIBILITY_SELECTION_RESOURCE_RESOLVER)
@Override
protected Event doExecute(final RequestContext requestContext) {
    /*
     * Webflow action that applies the surrogate account the user selected. When the current
     * credential is a username/password credential and a non-blank surrogate target was
     * submitted, the authentication result builder in the flow is replaced with one built for
     * that surrogate. The returned success event carries the selected target and the primary
     * credential id for auditing; any exception becomes an error event plus a flow-scoped message.
     */
    val auditAttributes = new HashMap<String, Object>();
    try {
        val credential = WebUtils.getCredential(requestContext);
        if (!(credential instanceof UsernamePasswordCredential)) {
            LOGGER.debug("Current credential in the webflow is not one of [{}]", UsernamePasswordCredential.class.getName());
            return success(auditAttributes);
        }

        // The surrogate target is read straight from the request parameters, i.e. it is
        // caller-controlled. Whether the primary user may act as that target is not decided
        // here; that is assumed to happen inside buildSurrogateAuthenticationResult -- TODO confirm.
        val surrogateTarget = requestContext.getExternalContext().getRequestParameterMap().get(PARAMETER_NAME_SURROGATE_TARGET);
        LOGGER.debug("Located surrogate target as [{}]", surrogateTarget);
        if (StringUtils.isNotBlank(surrogateTarget)) {
            AuthenticationCredentialsThreadLocalBinder.bindCurrent(WebUtils.getAuthentication(requestContext));
            // Recording the target in the result makes the selection visible in the audit trail.
            auditAttributes.put(PARAMETER_NAME_SURROGATE_TARGET, surrogateTarget);
            val registeredService = WebUtils.getRegisteredService(requestContext);
            val resultBuilder = WebUtils.getAuthenticationResultBuilder(requestContext);
            surrogatePrincipalBuilder
                .buildSurrogateAuthenticationResult(resultBuilder, credential, surrogateTarget, registeredService)
                .ifPresent(updated -> WebUtils.putAuthenticationResultBuilder(updated, requestContext));
        } else {
            LOGGER.warn("No surrogate identifier was selected or provided");
        }
        auditAttributes.put("primary", credential.getId());
        return success(auditAttributes);
    } catch (final Exception e) {
        WebUtils.addErrorMessageToContext(requestContext, "screen.surrogates.account.selection.error", "Unable to accept or authorize selection");
        LoggingUtils.error(LOGGER, e);
        return error(e);
    }
}