
Example 1 with ConqueryAuthenticationInfo

use of com.bakdata.conquery.models.auth.ConqueryAuthenticationInfo in project conquery by bakdata.

the class IntrospectionDelegatingRealm method doGetAuthenticationInfo.

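/**
 * Authenticates a bearer token by delegating to the token introspection endpoint (via {@code tokenCache}).
 * <p>
 * Returns {@code null} for token types this realm does not handle, so Shiro can consult the next realm.
 * Any failure while obtaining the introspection response is surfaced as a Shiro
 * {@link AuthenticationException} (keeping a more specific Shiro subclass if the cache already raised one)
 * instead of escaping as an arbitrary checked exception, which keeps this realm consistent with the
 * JWT-based realms of the project.
 *
 * @param token the token submitted by the client; only {@code TOKEN_CLASS} instances are handled
 * @return the authentication info of the resolved user, or {@code null} if the token type is unsupported
 * @throws AuthenticationException if the introspection lookup fails or the subject maps to no known user
 */
@Override
@SneakyThrows
public ConqueryAuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    if (!(TOKEN_CLASS.isAssignableFrom(token.getClass()))) {
        log.trace("Incompatible token. Expected {}, got {}", TOKEN_CLASS, token.getClass());
        return null;
    }
    log.trace("Token has expected format!");

    final TokenIntrospectionSuccessResponse successResponse;
    try {
        // NOTE(review): the response is served from tokenCache, so a token revoked at the IdP may still
        // authenticate until its cached entry expires — confirm the cache TTL matches the revocation needs.
        successResponse = tokenCache.get((BearerToken) token);
    }
    catch (AuthenticationException e) {
        // Already a Shiro-typed failure (e.g. raised by the cache loader); keep its specific type.
        throw e;
    }
    catch (Exception e) {
        // Translate loader/transport failures into an authentication failure rather than leaking an
        // unrelated exception type to the authenticator. The cause is preserved for diagnostics.
        log.trace("Token introspection failed.", e);
        throw new AuthenticationException(e);
    }
    log.trace("Got an successful token introspection response.");

    // @SneakyThrows stays in place for checked exceptions that extractId may declare (not visible here).
    final UserId userId = extractId(successResponse);
    final User user = getUserOrThrowUnknownAccount(storage, userId);
    return new ConqueryAuthenticationInfo(user, token, this, true);
}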

Example 2 with ConqueryAuthenticationInfo

use of com.bakdata.conquery.models.auth.ConqueryAuthenticationInfo in project conquery by bakdata.

the class ConqueryTokenRealm method doGetAuthenticationInfo.

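/**
 * Authenticates a JWT using the verifier supplied by {@code jwtConfig}.
 * <p>
 * Verification failures are mapped onto Shiro's exception hierarchy so callers can distinguish an expired
 * token ({@link ExpiredCredentialsException}) from a bad signature or claim
 * ({@link IncorrectCredentialsException}) and from any other verification or decoding problem
 * ({@link AuthenticationException}). The original cause is always attached.
 * <p>
 * Tokens without a subject are rejected explicitly rather than being handed to the id parser.
 *
 * @param token the token submitted by the client; only {@code TOKEN_CLASS} instances are handled,
 *              its credentials must be the compact JWT string
 * @return the authentication info of the resolved user, or {@code null} if the token type is unsupported
 * @throws ExpiredCredentialsException   if the token's expiry has passed
 * @throws IncorrectCredentialsException if signature or claim validation fails
 * @throws AuthenticationException       for any other verification/decoding failure, a missing subject,
 *                                       or a subject that maps to no known user
 */
@Override
public ConqueryAuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    if (!(TOKEN_CLASS.isAssignableFrom(token.getClass()))) {
        log.trace("Incompatible token. Expected {}, got {}", TOKEN_CLASS, token.getClass());
        return null;
    }
    log.trace("Token has expected format: {}\tWas: {} ", TOKEN_CLASS, token.getClass());

    final DecodedJWT decodedToken;
    try {
        // Signature, expiry and claim checks are all performed by the configured verifier.
        decodedToken = jwtConfig.getTokenVerifier(this).verify((String) token.getCredentials());
    }
    catch (TokenExpiredException e) {
        log.trace("The provided token is expired.");
        throw new ExpiredCredentialsException(e);
    }
    catch (SignatureVerificationException | InvalidClaimException e) {
        log.trace("The provided token was not successfully verified against its signature or claims.");
        throw new IncorrectCredentialsException(e);
    }
    catch (JWTVerificationException e) {
        log.trace("The provided token could not be verified.", e);
        throw new AuthenticationException(e);
    }
    catch (Exception e) {
        // Catch-all for decoding problems (malformed token, unexpected credential type) so that nothing
        // other than an AuthenticationException leaves this realm.
        log.trace("Unable to decode token", e);
        throw new AuthenticationException(e);
    }
    log.trace("Received valid token.");

    // Unless the verifier was configured to require 'sub', the claim may be absent; reject such tokens
    // here instead of letting the id parser fail on a null/blank value.
    final String username = decodedToken.getSubject();
    if (username == null || username.isBlank()) {
        log.trace("The provided token carries no subject.");
        throw new AuthenticationException("Unable to extract a subject from the provided token.");
    }
    final UserId userId = UserId.Parser.INSTANCE.parse(username);
    final User user = getUserOrThrowUnknownAccount(storage, userId);
    return new ConqueryAuthenticationInfo(user, token, this, true);
}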

Example 3 with ConqueryAuthenticationInfo

use of com.bakdata.conquery.models.auth.ConqueryAuthenticationInfo in project conquery by bakdata.

the class JwtPkceVerifyingRealm method doGetAuthenticationInfo.

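/**
 * Authenticates a bearer access token against the configured identity provider (issuer, public key,
 * audience and additional checks), then maps the token to a Conquery user.
 * <p>
 * Mapping order: the token subject is tried first as the user id; if no such user exists, each configured
 * alternative id claim is tried in turn. Only string-valued claims are considered. The claims can be
 * trusted for this purpose because the token signature has been verified beforehand.
 * <p>
 * The realm declines (returns {@code null}) when the token is not a {@link BearerToken} or when the IdP
 * configuration is not available, so no token can be accepted without a verifiable issuer/key.
 *
 * @param token the token submitted by the client; only {@link BearerToken} instances are handled
 * @return the authentication info of the resolved user, or {@code null} if this realm cannot handle the token
 * @throws IncorrectCredentialsException if token verification fails
 * @throws UnsupportedTokenException     if the verified token carries no subject
 * @throws UnknownAccountException       if neither the subject nor any alternative id claim maps to a user
 */
@Override
public ConqueryAuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    // Guard the cast below like the sibling realms do, so an unexpected token type is declined
    // (null -> Shiro tries the next realm) instead of surfacing as a ClassCastException.
    if (!(token instanceof BearerToken)) {
        log.trace("Incompatible token. Expected {}, got {}", BearerToken.class, token.getClass());
        return null;
    }

    final Optional<JwtPkceVerifyingRealmFactory.IdpConfiguration> idpConfigurationOpt = idpConfigurationSupplier.get();
    if (idpConfigurationOpt.isEmpty()) {
        // Without issuer and public key nothing can be verified, so this realm declines the token.
        log.warn("Unable to start authentication, because idp configuration is not available.");
        return null;
    }
    final JwtPkceVerifyingRealmFactory.IdpConfiguration idpConfiguration = idpConfigurationOpt.get();

    log.trace("Creating token verifier");
    // Checks applied: issuer (realm url) matches the configured IdP, 'sub' is present, activeVerifier
    // (presumably the active/expiry check), any additional configured tokenChecks, signature against the
    // IdP public key, and the allowed audience.
    final TokenVerifier<AccessToken> verifier = TokenVerifier.create(((BearerToken) token).getToken(), AccessToken.class)
        .withChecks(new TokenVerifier.RealmUrlCheck(idpConfiguration.getIssuer()), TokenVerifier.SUBJECT_EXISTS_CHECK, activeVerifier)
        .withChecks(tokenChecks)
        .publicKey(idpConfiguration.getPublicKey())
        .audience(allowedAudience);

    log.trace("Verifying token");
    final AccessToken accessToken;
    try {
        verifier.verify();
        accessToken = verifier.getToken();
    }
    catch (VerificationException e) {
        log.trace("Verification failed", e);
        throw new IncorrectCredentialsException(e);
    }

    final String subject = accessToken.getSubject();
    if (subject == null) {
        // Should not happen, as sub is mandatory in an access_token
        throw new UnsupportedTokenException("Unable to extract a subject from the provided token.");
    }
    log.trace("Authentication successfull for subject {}", subject);

    // Primary mapping: the token subject is the Conquery user id.
    UserId userId = new UserId(subject);
    User user = storage.getUser(userId);
    if (user != null) {
        log.trace("Successfully authenticated user {}", userId);
        return new ConqueryAuthenticationInfo(user, token, this, true);
    }

    // Fallback: configured alternative claims may name the user instead.
    for (String alternativeIdClaim : alternativeIdClaims) {
        final Object altId = accessToken.getOtherClaims().get(alternativeIdClaim);
        if (!(altId instanceof String)) {
            log.trace("Found no value for alternative id claim {}", alternativeIdClaim);
            continue;
        }
        userId = new UserId((String) altId);
        user = storage.getUser(userId);
        if (user != null) {
            log.trace("Successfully mapped subject {} using user id {}", subject, userId);
            return new ConqueryAuthenticationInfo(user, token, this, true);
        }
    }
    throw new UnknownAccountException("The user id was unknown: " + subject);
}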

Example 4 with ConqueryAuthenticationInfo

use of com.bakdata.conquery.models.auth.ConqueryAuthenticationInfo in project conquery by bakdata.

the class ApiTokenRealm method doGetAuthenticationInfo.

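/**
 * Authenticates an {@link ApiToken} by looking up its hash in {@code tokenStorage}.
 * <p>
 * The raw token is hashed and then wiped from the token object before any storage access, so the secret is
 * not retained longer than necessary. Expiry is checked with day granularity: a token is still accepted on
 * its expiration date and rejected from the following day on. The current date is read once so that the
 * expiry check and the recorded metadata agree even if the call straddles midnight.
 * <p>
 * NOTE(review): {@code LocalDate.now()} uses the JVM default time zone; if the expiration dates in storage
 * are meant in a specific zone, consider injecting a {@code Clock} — confirm against how tokens are issued.
 *
 * @param token the token submitted by the client; only {@link ApiToken} instances are handled
 * @return the authentication info for a {@link TokenScopedUser} wrapping the owning user, or {@code null}
 *         if the token type is unsupported
 * @throws IncorrectCredentialsException if the token hash is unknown
 * @throws ExpiredCredentialsException   if the token's expiration date has passed
 * @throws UnknownAccountException       if the token's user id maps to no user
 */
@Override
public ConqueryAuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    if (!(token instanceof ApiToken)) {
        return null;
    }
    final ApiToken apiToken = (ApiToken) token;

    // Only the hash is needed from here on; wipe the raw secret as early as possible.
    final ApiTokenHash tokenHash = apiToken.hashToken();
    apiToken.clear();

    final ApiTokenData tokenData = tokenStorage.get(tokenHash);
    if (tokenData == null) {
        log.trace("Unknown token, cannot map token hash to token data. Aborting authentication");
        throw new IncorrectCredentialsException();
    }

    // Single clock read shared by the expiry check and the metadata update below.
    final LocalDate today = LocalDate.now();
    if (today.isAfter(tokenData.getExpirationDate())) {
        log.info("Supplied token expired on: {}", tokenData.getExpirationDate());
        throw new ExpiredCredentialsException("Supplied token is expired");
    }

    // Record this use (presumably the last-used date) before resolving the user, as before.
    tokenStorage.updateMetaData(tokenData.getId(), new ApiTokenData.MetaData(today));

    final UserId userId = tokenData.getUserId();
    final User user = storage.getUser(userId);
    if (user == null) {
        throw new UnknownAccountException("The UserId does not map to a user: " + userId);
    }
    // The user is wrapped together with the token data, presumably so the token's scope can be enforced.
    return new ConqueryAuthenticationInfo(new TokenScopedUser(user, tokenData), token, this, false);
}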

Example 5 with ConqueryAuthenticationInfo

use of com.bakdata.conquery.models.auth.ConqueryAuthenticationInfo in project conquery by bakdata.

the class DefaultInitialUserRealm method doGetAuthenticationInfo.

/**
 * Development realm: resolves a {@link DevelopmentToken} to a user purely by its principal.
 * <p>
 * NOTE(review): no credential is verified in this method — any {@code DevelopmentToken} naming an existing
 * user authenticates as that user. Presumably this realm is only registered in development setups; confirm
 * it cannot be enabled by a production configuration.
 *
 * @param token the token submitted by the client; only {@link DevelopmentToken} instances are handled
 * @return the authentication info of the resolved user, or {@code null} if the token type is unsupported
 * @throws AuthenticationException if the principal maps to no known user
 */
@Override
public ConqueryAuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    if (token instanceof DevelopmentToken) {
        final DevelopmentToken developmentToken = (DevelopmentToken) token;
        final User resolved = getUserOrThrowUnknownAccount(storage, developmentToken.getPrincipal());
        return new ConqueryAuthenticationInfo(resolved, developmentToken.getCredentials(), this, true);
    }
    // Not our token type: decline so that another realm may handle it.
    return null;
}
