Search in sources :

Example 1 with U2FServer

use of com.google.u2f.server.U2FServer in project OpenUnison by TremoloSecurity.

the class Registration method doFilter.

@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    if (request.getMethod().equalsIgnoreCase("GET")) {
        // TODO switch this off
        AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
        String accountName = userData.getAttribs().get(this.uidAttributeName).getValues().get(0);
        List<SecurityKeyData> keys = U2fUtil.loadUserKeys(userData, challengeStoreAttribute, encyrptionKeyName);
        Set<String> origins = new HashSet<String>();
        String appID = U2fUtil.getApplicationId(request.getServletRequest());
        origins.add(appID);
        U2FServer u2f = new U2FServerUnison(this.challengeGen, new UnisonDataStore(UUID.randomUUID().toString(), keys, (this.requireAttestation ? this.attestationCerts : new HashSet<X509Certificate>())), new BouncyCastleCrypto(), origins, this.requireAttestation);
        RegistrationRequest regRequest = u2f.getRegistrationRequest(accountName, appID);
        request.getSession().setAttribute(Registration.REGISTRATION_REQUEST_JSON, gson.toJson(regRequest));
        request.getSession().setAttribute(Registration.REGISTRATION_REQUEST, regRequest);
        request.getSession().setAttribute(Registration.SERVER, u2f);
        request.setAttribute(REGISTRATION_URI, request.getRequestURL().toString());
        request.getRequestDispatcher(this.challengeURI).forward(request.getServletRequest(), response.getServletResponse());
    } else if (request.getMethod().equalsIgnoreCase("POST")) {
        U2FServer u2f = (U2FServer) request.getSession().getAttribute(SERVER);
        if (logger.isDebugEnabled()) {
            logger.debug("response : '" + request.getParameter("tokenResponse").getValues().get(0) + "'");
        }
        RegistrationResponseHolder rrh = gson.fromJson(request.getParameter("tokenResponse").getValues().get(0), RegistrationResponseHolder.class);
        RegistrationResponse rr = new RegistrationResponse(rrh.getRegistrationData(), rrh.getClientData(), rrh.getClientData());
        try {
            u2f.processRegistrationResponse(rr, System.currentTimeMillis());
        } catch (U2FException e) {
            logger.error("Could not register", e);
            request.setAttribute("register.result", false);
            request.getRequestDispatcher(this.registrationCompleteURI).forward(request.getServletRequest(), response.getServletResponse());
            return;
        }
        AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
        String encrypted = U2fUtil.encode(u2f.getAllSecurityKeys("doesntmatter"), encyrptionKeyName);
        WFCall wc = new WFCall();
        wc.setName(this.workflowName);
        wc.setUidAttributeName(this.uidAttributeName);
        TremoloUser tu = new TremoloUser();
        tu.setUid(userData.getAttribs().get(this.uidAttributeName).getValues().get(0));
        tu.getAttributes().add(new Attribute(this.uidAttributeName, userData.getAttribs().get(this.uidAttributeName).getValues().get(0)));
        tu.getAttributes().add(new Attribute(this.challengeStoreAttribute, encrypted));
        wc.setUser(tu);
        Map<String, Object> req = new HashMap<String, Object>();
        req.put(ProvisioningParams.UNISON_EXEC_TYPE, ProvisioningParams.UNISON_EXEC_SYNC);
        wc.setRequestParams(req);
        GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getWorkFlow(this.workflowName).executeWorkflow(wc);
        request.setAttribute("register.result", true);
        request.getRequestDispatcher(this.registrationCompleteURI).forward(request.getServletRequest(), response.getServletResponse());
    }
}
Also used : AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) U2FServer(com.google.u2f.server.U2FServer) WFCall(com.tremolosecurity.provisioning.service.util.WFCall) BouncyCastleCrypto(com.google.u2f.server.impl.BouncyCastleCrypto) Attribute(com.tremolosecurity.saml.Attribute) AuthController(com.tremolosecurity.proxy.auth.AuthController) RegistrationRequest(com.google.u2f.server.messages.RegistrationRequest) SecurityKeyData(com.google.u2f.server.data.SecurityKeyData) TremoloUser(com.tremolosecurity.provisioning.service.util.TremoloUser) U2FException(com.google.u2f.U2FException) RegistrationResponse(com.google.u2f.server.messages.RegistrationResponse) HashMap(java.util.HashMap) Map(java.util.Map) HashSet(java.util.HashSet)

Example 2 with U2FServer

use of com.google.u2f.server.U2FServer in project OpenUnison by TremoloSecurity.

the class U2fAuth method doGet.

@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    if (request.getParameter("signResponse") == null) {
        startAuthentication(request, response, as);
    } else {
        SignResponseHolder srh = gson.fromJson(request.getParameter("signResponse"), SignResponseHolder.class);
        AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
        // SharedSession.getSharedSession().getSession(req.getSession().getId());
        HttpSession session = ((HttpServletRequest) request).getSession();
        UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
        RequestHolder reqHolder = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
        String urlChain = holder.getUrl().getAuthChain();
        AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
        AuthMechType amt = act.getAuthMech().get(as.getId());
        HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
        String challengeStoreAttribute = authParams.get("attribute").getValues().get(0);
        String encyrptionKeyName = authParams.get("encryptionKeyName").getValues().get(0);
        String uidAttributeName = authParams.get("uidAttributeName").getValues().get(0);
        String workflowName = authParams.get("workflowName").getValues().get(0);
        if (srh.getErrorCode() > 0) {
            logger.warn("Browser could not validate u2f token for user '" + userData.getUserDN() + "' : " + srh.getErrorCode());
            if (amt.getRequired().equals("required")) {
                as.setSuccess(false);
            }
            holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
            return;
        }
        U2FServer u2f = (U2FServer) request.getSession().getAttribute(SERVER);
        SignResponse sigResp = new SignResponse(srh.getKeyHandle(), srh.getSignatureData(), srh.getClientData(), srh.getSessionId());
        try {
            u2f.processSignResponse(sigResp);
        } catch (U2FException e) {
            logger.warn("Could not authenticate user : '" + e.getMessage() + "'");
            if (amt.getRequired().equals("required")) {
                as.setSuccess(false);
            }
            holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
            return;
        }
        String encrypted;
        try {
            encrypted = U2fUtil.encode(u2f.getAllSecurityKeys("doesntmatter"), encyrptionKeyName);
        } catch (Exception e) {
            throw new ServletException("Could not encrypt keys");
        }
        WFCall wc = new WFCall();
        wc.setName(workflowName);
        wc.setUidAttributeName(uidAttributeName);
        TremoloUser tu = new TremoloUser();
        tu.setUid(userData.getAttribs().get(uidAttributeName).getValues().get(0));
        tu.getAttributes().add(new Attribute(uidAttributeName, userData.getAttribs().get(uidAttributeName).getValues().get(0)));
        tu.getAttributes().add(new Attribute(challengeStoreAttribute, encrypted));
        wc.setUser(tu);
        Map<String, Object> req = new HashMap<String, Object>();
        req.put(ProvisioningParams.UNISON_EXEC_TYPE, ProvisioningParams.UNISON_EXEC_SYNC);
        wc.setRequestParams(req);
        try {
            GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getWorkFlow(workflowName).executeWorkflow(wc);
        } catch (ProvisioningException e) {
            throw new ServletException("Could not save keys", e);
        }
        as.setSuccess(true);
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
    }
}
Also used : AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) U2FServer(com.google.u2f.server.U2FServer) WFCall(com.tremolosecurity.provisioning.service.util.WFCall) Attribute(com.tremolosecurity.saml.Attribute) HashMap(java.util.HashMap) HttpSession(javax.servlet.http.HttpSession) AuthMechType(com.tremolosecurity.config.xml.AuthMechType) RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder) AuthController(com.tremolosecurity.proxy.auth.AuthController) ServletException(javax.servlet.ServletException) U2FException(com.google.u2f.U2FException) MalformedURLException(java.net.MalformedURLException) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) IOException(java.io.IOException) HttpServletRequest(javax.servlet.http.HttpServletRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException) SignResponse(com.google.u2f.server.messages.SignResponse) TremoloUser(com.tremolosecurity.provisioning.service.util.TremoloUser) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) U2FException(com.google.u2f.U2FException) AuthChainType(com.tremolosecurity.config.xml.AuthChainType)

Example 3 with U2FServer

use of com.google.u2f.server.U2FServer in project OpenUnison by TremoloSecurity.

the class U2fAuth method startAuthentication.

private void startAuthentication(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws ServletException, MalformedURLException, IOException {
    AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
    // SharedSession.getSharedSession().getSession(req.getSession().getId());
    HttpSession session = ((HttpServletRequest) request).getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    RequestHolder reqHolder = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    String urlChain = holder.getUrl().getAuthChain();
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    AuthMechType amt = act.getAuthMech().get(as.getId());
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    String challengeStoreAttribute = authParams.get("attribute").getValues().get(0);
    String encyrptionKeyName = authParams.get("encryptionKeyName").getValues().get(0);
    String uidAttributeName = authParams.get("uidAttributeName").getValues().get(0);
    String formURI = authParams.get("formURI").getValues().get(0);
    List<SecurityKeyData> keys;
    try {
        keys = U2fUtil.loadUserKeys(userData, challengeStoreAttribute, encyrptionKeyName);
    } catch (Exception e1) {
        throw new ServletException("Could not loak keys", e1);
    }
    Set<String> origins = new HashSet<String>();
    String appID = U2fUtil.getApplicationId(request);
    origins.add(appID);
    U2FServer u2f = new U2FServerUnison(this.challengeGen, new UnisonDataStore(UUID.randomUUID().toString(), keys), new BouncyCastleCrypto(), origins);
    String uid = userData.getAttribs().get(uidAttributeName).getValues().get(0);
    if (keys == null || keys.size() == 0) {
        if (amt.getRequired().equals("required")) {
            as.setSuccess(false);
        }
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }
    U2fSignRequest sigReq = null;
    try {
        sigReq = u2f.getSignRequest(uid, appID);
    } catch (U2FException e) {
        logger.error("Could not start authentication", e);
        if (amt.getRequired().equals("required")) {
            as.setSuccess(false);
        }
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }
    Gson gson = new Gson();
    request.getSession().setAttribute(AUTH_SIGN_REQ, sigReq);
    request.getSession().setAttribute(AUTH_SIGN_REQ_JSON, gson.toJson(sigReq));
    request.getSession().setAttribute(SERVER, u2f);
    response.sendRedirect(formURI);
}
Also used : U2FServer(com.google.u2f.server.U2FServer) BouncyCastleCrypto(com.google.u2f.server.impl.BouncyCastleCrypto) Attribute(com.tremolosecurity.saml.Attribute) HashMap(java.util.HashMap) Gson(com.google.gson.Gson) RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder) HttpServletRequest(javax.servlet.http.HttpServletRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException) U2fSignRequest(com.google.u2f.server.messages.U2fSignRequest) SecurityKeyData(com.google.u2f.server.data.SecurityKeyData) U2FException(com.google.u2f.U2FException) AuthChainType(com.tremolosecurity.config.xml.AuthChainType) HashSet(java.util.HashSet) AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) HttpSession(javax.servlet.http.HttpSession) AuthMechType(com.tremolosecurity.config.xml.AuthMechType) AuthController(com.tremolosecurity.proxy.auth.AuthController) ServletException(javax.servlet.ServletException) U2FException(com.google.u2f.U2FException) MalformedURLException(java.net.MalformedURLException) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) IOException(java.io.IOException)

Aggregations

U2FException (com.google.u2f.U2FException)3 U2FServer (com.google.u2f.server.U2FServer)3 AuthController (com.tremolosecurity.proxy.auth.AuthController)3 AuthInfo (com.tremolosecurity.proxy.auth.AuthInfo)3 Attribute (com.tremolosecurity.saml.Attribute)3 HashMap (java.util.HashMap)3 SecurityKeyData (com.google.u2f.server.data.SecurityKeyData)2 BouncyCastleCrypto (com.google.u2f.server.impl.BouncyCastleCrypto)2 UrlHolder (com.tremolosecurity.config.util.UrlHolder)2 AuthChainType (com.tremolosecurity.config.xml.AuthChainType)2 AuthMechType (com.tremolosecurity.config.xml.AuthMechType)2 ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)2 TremoloUser (com.tremolosecurity.provisioning.service.util.TremoloUser)2 WFCall (com.tremolosecurity.provisioning.service.util.WFCall)2 RequestHolder (com.tremolosecurity.proxy.auth.RequestHolder)2 IOException (java.io.IOException)2 MalformedURLException (java.net.MalformedURLException)2 HashSet (java.util.HashSet)2 ServletException (javax.servlet.ServletException)2 HttpServletRequest (javax.servlet.http.HttpServletRequest)2