
Example 1 with SimpleSecurityContext

Use of com.nimbusds.jose.proc.SimpleSecurityContext in the project cas by apereo.

The class AmazonCognitoAuthenticationAuthenticationHandler, method authenticateUsernamePasswordInternal.

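/**
 * Authenticates the supplied username/password against Amazon Cognito and builds the
 * resulting principal.
 *
 * <p>Steps: run the {@code ADMIN_NO_SRP_AUTH} flow via {@code adminInitiateAuth}, verify the
 * returned id token through {@code jwtProcessor} and require a non-blank {@code sub} claim,
 * then load the user record with {@code adminGetUser} and copy its status, creation and
 * modification timestamps plus its attributes onto the principal. Attribute names present in
 * {@code properties.getMappedAttributes()} are renamed; all others keep their Cognito name.
 *
 * @param credential       the username/password credential to authenticate
 * @param originalPassword the password before any transformation; unused by this implementation
 * @return the handler result carrying the principal named after the Cognito username
 * @throws AccountPasswordMustChangeException if Cognito answers with a {@code NEW_PASSWORD_REQUIRED}
 *         challenge instead of tokens, or raises {@code InvalidPasswordException}
 * @throws AccountExpiredException if the {@code NotAuthorizedException} message mentions "expired"
 * @throws AccountDisabledException if the {@code NotAuthorizedException} message mentions "disabled"
 * @throws AccountNotFoundException if Cognito raises {@code UserNotFoundException}
 * @throws FailedLoginException for any other failure, including an id token whose
 *         {@code sub} claim is blank
 */
@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException {
    try {
        val authParams = new HashMap<String, String>();
        authParams.put("USERNAME", credential.getUsername());
        authParams.put("PASSWORD", credential.getPassword());
        val request = AdminInitiateAuthRequest.builder()
            .authFlow(AuthFlowType.ADMIN_NO_SRP_AUTH)
            .clientId(properties.getClientId())
            .userPoolId(properties.getUserPoolId())
            .authParameters(authParams)
            .build();
        val result = cognitoIdentityProvider.adminInitiateAuth(request);
        // Cognito returns this challenge instead of tokens when the user must rotate the
        // password; it is translated to AccountPasswordMustChangeException in the catch below.
        if ("NEW_PASSWORD_REQUIRED".equalsIgnoreCase(result.challengeNameAsString())) {
            throw new CredentialExpiredException();
        }
        val authenticationResult = result.authenticationResult();
        // Token signature and claim verification live inside jwtProcessor, which is configured
        // outside this method. NOTE(review): confirm its claims verifier pins issuer and
        // audience (the client id) — this method only checks that a subject is present.
        val claims = jwtProcessor.process(authenticationResult.idToken(), new SimpleSecurityContext());
        if (StringUtils.isBlank(claims.getSubject())) {
            throw new FailedLoginException("Unable to accept the id token with an invalid [sub] claim");
        }
        val userRequest = AdminGetUserRequest.builder()
            .userPoolId(properties.getUserPoolId())
            .username(credential.getUsername())
            .build();
        val userResult = cognitoIdentityProvider.adminGetUser(userRequest);
        val attributes = new LinkedHashMap<String, List<Object>>();
        attributes.put("userStatus", CollectionUtils.wrap(userResult.userStatusAsString()));
        attributes.put("userCreatedDate", CollectionUtils.wrap(userResult.userCreateDate().toEpochMilli()));
        attributes.put("userModifiedDate", CollectionUtils.wrap(userResult.userLastModifiedDate().toEpochMilli()));
        // getOrDefault falls back to the Cognito name only when no mapping entry exists,
        // which matches a containsKey()/get() pair exactly (a mapping to null stays null).
        userResult.userAttributes().forEach(attr -> {
            val name = properties.getMappedAttributes().getOrDefault(attr.name(), attr.name());
            attributes.put(name, CollectionUtils.wrap(attr.value()));
        });
        val principal = principalFactory.createPrincipal(userResult.username(), attributes);
        return createHandlerResult(credential, principal, new ArrayList<>(0));
    } catch (final NotAuthorizedException e) {
        // The SDK message text is the only signal separating expired/disabled accounts from a
        // plain bad password; it may be null, so normalise before inspecting it rather than
        // letting a NullPointerException escape from the handler.
        val message = java.util.Objects.toString(e.getMessage(), "");
        if (message.contains("expired")) {
            throw new AccountExpiredException(message);
        }
        if (message.contains("disabled")) {
            throw new AccountDisabledException(message);
        }
        throw new FailedLoginException(e.getMessage());
    } catch (final UserNotFoundException e) {
        throw new AccountNotFoundException(e.getMessage());
    } catch (final CredentialExpiredException | InvalidPasswordException e) {
        throw new AccountPasswordMustChangeException(e.getMessage());
    } catch (final Exception e) {
        throw new FailedLoginException(e.getMessage());
    }
}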
