
Example 51 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class SamlTransaction method completeFederation.

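/**
 * Completes a SAML federation once the authentication chain has finished.
 *
 * <p>If the session's authentication is not complete, the authentication state is removed
 * from the session, an anonymous user is created and an error response is posted for the
 * pending transaction. Otherwise the request is marked with {@code AzSys.FORCE} so that
 * authorization rules are evaluated even though this endpoint sits under the authentication
 * path; after authorization the URL's filter chain runs and {@code postResponse} is invoked as
 * the chain's post-processor.
 *
 * @param request  the current request; expected to carry {@code ProxyConstants.AUTOIDM_CFG}
 * @param response the response the SAML message is written to
 * @throws ServletException if the session holds no authentication controller, the request
 *         carries no URL configuration, or the filter chain fails
 * @throws IOException on I/O failure while writing the response
 */
private void completeFederation(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException, MalformedURLException {
    final SamlTransaction transaction = (SamlTransaction) request.getSession().getAttribute(Saml2Idp.TRANSACTION_DATA);
    final AuthController authCtl = (AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL);
    if (authCtl == null) {
        // No authentication state in this session (expired or never started): fail with a clear message instead of an NPE
        throw new ServletException("No authentication state found in session while completing federation");
    }
    final AuthInfo authInfo = authCtl.getAuthInfo();
    if (!authInfo.isAuthComplete()) {
        logger.warn("Attempted completetd federation before autthentication is completeed, clearing authentication and redirecting to the original URL");
        UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
        if (holder == null) {
            throw new ServletException("No URL configuration found on the request while completing federation");
        }
        // Discard the partial authentication so it cannot be reused, then answer the SP with an error response
        request.getSession().removeAttribute(ProxyConstants.AUTH_CTL);
        holder.getConfig().createAnonUser(request.getSession());
        this.postErrorResponse(transaction, request, response, authInfo, holder);
        return;
    }
    // Force authorization: AzSys skips URLs under the authentication path unless this attribute is set
    request.setAttribute(AzSys.FORCE, "true");
    NextSys completeFed = new NextSys() {

        @Override
        public void nextSys(final HttpServletRequest azReq, final HttpServletResponse azResp) throws IOException, ServletException {
            // Re-read the authentication state from the session rather than capturing it from the enclosing
            // method; AzSys may have run a result group before calling back here
            final AuthInfo authorizedInfo = ((AuthController) azReq.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
            UrlHolder urlHolder = (UrlHolder) azReq.getAttribute(ProxyConstants.AUTOIDM_CFG);
            HttpFilterRequest filterReq = new HttpFilterRequestImpl(azReq, null);
            HttpFilterResponse filterResp = new HttpFilterResponseImpl(azResp);
            // Runs after the URL's filter chain and posts the SAML response for the pending transaction
            PostProcess postProc = new PostProcess() {

                @Override
                public void postProcess(HttpFilterRequest req, HttpFilterResponse resp, UrlHolder holder, HttpFilterChain chain) throws Exception {
                    postResponse(transaction, azReq, azResp, authorizedInfo, holder);
                }

                @Override
                public boolean addHeader(String name) {
                    // No headers from the proxied response are copied
                    return false;
                }
            };
            HttpFilterChain chain = new HttpFilterChainImpl(urlHolder, postProc);
            try {
                chain.nextFilter(filterReq, filterResp, chain);
            } catch (Exception e) {
                throw new ServletException(e);
            }
        }
    };
    AzSys az = new AzSys();
    az.doAz(request, response, completeFed);
}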

Example 52 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class AzSys method doAz.

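/**
 * Evaluates the authorization rules configured for the proxied URL and invokes {@code nextSys}
 * when the request is allowed.
 *
 * <p>Requests whose URI starts with the configured authentication path bypass authorization
 * unless the {@code FORCE} request attribute is set to anything other than {@code "false"}.
 * A session is created if none exists. URLs without rules pass straight through. When rules
 * exist they are checked against the session's {@code AuthInfo}; success is logged as
 * {@code AzSuccess}, the success result group (if any) is applied before and after
 * {@code nextSys}; failure is logged as {@code AzFail} and either the failure result group is
 * applied or a 401 is sent.
 *
 * @param request  the servlet request; must be an {@code HttpServletRequest} carrying the
 *                 config and {@code UrlHolder} attributes
 * @param response the servlet response; must be an {@code HttpServletResponse}
 * @param nextSys  continuation invoked when the request is authorized
 * @throws ServletException if a result group cannot be instantiated, or if rules exist but the
 *         session holds no authentication controller
 * @throws IOException on I/O failure while sending the response
 */
public void doAz(ServletRequest request, ServletResponse response, NextSys nextSys) throws IOException, ServletException, MalformedURLException {
    HttpServletRequest httpReq = (HttpServletRequest) request;
    HttpServletResponse httpResp = (HttpServletResponse) response;
    ConfigManager cfg = (ConfigManager) request.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
    Object force = request.getAttribute(FORCE);
    if (httpReq.getRequestURI().startsWith(cfg.getAuthPath()) && (force == null || force.equals("false"))) {
        // Authentication endpoints are not subject to authorization unless a caller forced it
        nextSys.nextSys(httpReq, httpResp);
        return;
    }
    // Called for its side effect only: make sure a session exists before rules are evaluated
    httpReq.getSession(true);
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    boolean hasRules = holder.getUrl().getAzRules() != null && !holder.getUrl().getAzRules().getRule().isEmpty();
    if (!hasRules) {
        nextSys.nextSys(httpReq, httpResp);
        return;
    }
    AuthController authCtl = (AuthController) httpReq.getSession().getAttribute(ProxyConstants.AUTH_CTL);
    if (authCtl == null) {
        // Rules exist but there is no authentication state to evaluate them against; fail explicitly rather than NPE
        throw new ServletException("No authentication state in session for a URL with authorization rules");
    }
    AuthInfo authData = authCtl.getAuthInfo();
    boolean allowed = checkRules(authData, holder.getConfig(), holder.getAzRules(), httpReq.getSession(), holder.getApp(), null);
    if (allowed) {
        String respGroup = getResponseSuccessGroup(holder);
        AccessLog.log(AccessEvent.AzSuccess, holder.getApp(), httpReq, authData, respGroup != null ? respGroup : "NONE");
        if (respGroup != null) {
            try {
                processRequestResult(request, response, holder.getConfig().getResultGroup(respGroup), authData);
            } catch (InstantiationException | IllegalAccessException | ClassNotFoundException e) {
                throw new ServletException("Could not instantiate custom result group", e);
            }
        }
        nextSys.nextSys(httpReq, httpResp);
        if (respGroup != null) {
            applyResponseResult(request, response, holder, respGroup, false, authData);
        }
    } else {
        String respGroup = getResponseFailGroup(holder);
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), httpReq, authData, respGroup != null ? respGroup : "NONE");
        if (respGroup != null) {
            applyResponseResult(request, response, holder, respGroup, true, authData);
        } else {
            httpResp.sendError(401);
        }
    }
}

/**
 * Applies the named response result group, wrapping reflection failures in a
 * {@code ServletException}.
 *
 * @param forFailure passed through to {@code proccessResponseResult}; {@code true} on the
 *                   authorization-failure path
 */
private void applyResponseResult(ServletRequest request, ServletResponse response, UrlHolder holder, String respGroup, boolean forFailure, AuthInfo authData) throws IOException, ServletException, MalformedURLException {
    try {
        proccessResponseResult(request, response, holder.getConfig().getResultGroup(respGroup), forFailure, authData, holder.getApp().getCookieConfig());
    } catch (InstantiationException | IllegalAccessException | ClassNotFoundException e) {
        throw new ServletException("Could not instantiate custom result", e);
    }
}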

Example 53 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class SMSAuth method doPost.

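/**
 * Verifies the SMS code submitted by the user against the one stored in the session.
 *
 * <p>Without a {@code key} parameter the form is rendered again via {@code doGet}. Otherwise the
 * submitted code is compared with the session attribute {@code TREMOLO_SMS_KEY}; on a match the
 * attribute is removed so the code is single-use. The step is marked executed with the
 * comparison result, an optional {@code target} parameter is stored as the post-authentication
 * URL, and the chain advances.
 *
 * <p>NOTE(review): a failed attempt leaves {@code TREMOLO_SMS_KEY} in the session, so the same
 * code can be retried until the session ends — confirm attempt limiting exists elsewhere.
 *
 * @param request  the form submission
 * @param response the response used to render the form or continue the chain
 * @param as       the authentication step being executed
 */
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();
    String keyFromForm = request.getParameter("key");
    if (keyFromForm == null) {
        // No code submitted yet: show the form
        this.doGet(request, response, as);
        return;
    }
    String keyFromSession = (String) session.getAttribute("TREMOLO_SMS_KEY");
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    // Constant-time comparison so response timing does not reveal how much of the code matched;
    // a missing session code can never authenticate
    boolean authenticated = keyFromSession != null
            && java.security.MessageDigest.isEqual(
                    keyFromForm.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                    keyFromSession.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    if (authenticated) {
        // Single use: drop the code so it cannot be replayed within this session
        session.removeAttribute("TREMOLO_SMS_KEY");
    }
    as.setExecuted(true);
    as.setSuccess(authenticated);
    // NOTE(review): "target" is taken straight from the request and becomes the post-auth redirect;
    // confirm it is validated before use
    String redirectToURL = request.getParameter("target");
    if (redirectToURL != null && !redirectToURL.isEmpty()) {
        reqHolder.setURL(redirectToURL);
    }
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}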

Example 54 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class OAuth2Bearer method doGet.

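/**
 * Extracts the OAuth2 access token from the request and hands it to {@code processToken}.
 *
 * <p>The token is read from the {@code Authorization} header when present (the text after the
 * first space, or the whole value if there is none); otherwise from the {@code access_token}
 * parameter. When neither is present the step is marked not executed and the challenge is sent
 * via {@code sendFail}. The realm and optional scope for the challenge come from the mechanism
 * parameters {@code realm} and {@code scope}.
 *
 * <p>NOTE(review): the header's scheme word is not checked to be {@code Bearer} — confirm whether
 * any scheme should be accepted here.
 *
 * @param request  the incoming request
 * @param response the response the challenge is written to
 * @param as       the authentication step being executed
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    String rawToken = request.getHeader("Authorization");
    boolean fromHeader = true;
    if (rawToken == null) {
        // NOTE(review): tokens passed as a parameter can end up in URLs and access logs; confirm this fallback is needed
        rawToken = request.getParameter("access_token");
        fromHeader = false;
    }
    HttpSession session = request.getSession();
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    AuthChainType act = holder.getConfig().getAuthChains().get(holder.getUrl().getAuthChain());
    String realmName = authParams.get("realm").getValues().get(0);
    String scope = null;
    if (authParams.get("scope") != null) {
        scope = authParams.get("scope").getValues().get(0);
    }
    ConfigManager cfg = (ConfigManager) request.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
    if (rawToken == null) {
        as.setExecuted(false);
        sendFail(response, realmName, scope, null, null);
        return;
    }
    String accessToken = tokenFromHeaderOrParam(rawToken, fromHeader);
    processToken(request, response, as, session, authParams, act, realmName, scope, cfg, accessToken);
}

/**
 * Returns the bare token: for a header value everything after the first space (the whole value
 * when it contains no space), for a parameter the value unchanged.
 */
private static String tokenFromHeaderOrParam(String value, boolean fromHeader) {
    if (!fromHeader) {
        return value;
    }
    return value.substring(value.indexOf(' ') + 1);
}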

Example 55 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class OAuth2K8sServiceAccount method processToken.

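/**
 * Validates {@code lmToken} by posting a {@code TokenReview} to the Kubernetes API server behind
 * the {@code k8sTarget} provisioning target, then loads or looks up the user and advances the
 * authentication chain.
 *
 * <p>Mechanism parameters read from {@code authParams}: {@code k8sTarget}, {@code linkToDirectory},
 * {@code noMatchOU}, {@code uidAttr}, {@code lookupFilter} and {@code defaultObjectClass}. A review
 * whose status carries an {@code error}, or whose {@code authenticated} flag is not {@code true},
 * marks the step as failed, advances the chain and sends the OAuth2 failure challenge. The HTTP
 * client and its connection manager are always closed, even when the request fails.
 *
 * @throws ServletException if the target cannot be reached, the response cannot be parsed, or any
 *         downstream step fails (the cause is preserved)
 */
@Override
public void processToken(HttpServletRequest request, HttpServletResponse response, AuthStep as, HttpSession session, HashMap<String, Attribute> authParams, AuthChainType act, String realmName, String scope, ConfigManager cfg, String lmToken) throws ServletException, IOException {
    String k8sTarget = authParams.get("k8sTarget").getValues().get(0);
    boolean linkToDirectory = Boolean.parseBoolean(authParams.get("linkToDirectory").getValues().get(0));
    String noMatchOU = authParams.get("noMatchOU").getValues().get(0);
    String uidAttr = authParams.get("uidAttr").getValues().get(0);
    String lookupFilter = authParams.get("lookupFilter").getValues().get(0);
    String defaultObjectClass = authParams.get("defaultObjectClass").getValues().get(0);
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    // TokenReview request body; the token is only sent to the API server and is not logged in this method
    JSONObject spec = new JSONObject();
    spec.put("token", lmToken);
    JSONObject root = new JSONObject();
    root.put("kind", "TokenReview");
    root.put("apiVersion", "authentication.k8s.io/v1");
    root.put("spec", spec);
    String json = root.toJSONString();
    HttpCon con = null;
    try {
        OpenShiftTarget target = (OpenShiftTarget) cfg.getProvisioningEngine().getTarget(k8sTarget).getProvider();
        con = target.createClient();
        String respJSON = target.callWSPost(target.getAuthToken(), con, "/apis/authentication.k8s.io/v1/tokenreviews", json);
        if (logger.isDebugEnabled()) {
            logger.debug("JSON - " + respJSON);
        }
        JSONObject resp = (JSONObject) new JSONParser().parse(respJSON);
        JSONObject status = (JSONObject) resp.get("status");
        if (status.get("error") != null) {
            logger.error("Could not validate token : " + status.get("error"));
            failStep(request, response, as, cfg, realmName, scope);
            return;
        }
        Boolean authenticated = (Boolean) status.get("authenticated");
        if (authenticated == null || !authenticated) {
            failStep(request, response, as, cfg, realmName, scope);
            return;
        }
        JSONObject user = (JSONObject) status.get("user");
        if (linkToDirectory) {
            lookupUser(as, session, cfg.getMyVD(), noMatchOU, uidAttr, lookupFilter, act, user, defaultObjectClass);
        } else {
            loadUnlinkedUser(session, noMatchOU, uidAttr, act, user, defaultObjectClass);
        }
        // NOTE(review): "target" is taken straight from the request and becomes the post-auth redirect;
        // confirm it is validated before use
        String redirectToURL = request.getParameter("target");
        if (redirectToURL != null && !redirectToURL.isEmpty()) {
            reqHolder.setURL(redirectToURL);
        }
        as.setExecuted(true);
        // NOTE(review): this overrides whatever lookupUser set on the step — confirm lookupUser
        // cannot report a failure that should stand
        as.setSuccess(true);
        cfg.getAuthManager().nextAuth(request, response, request.getSession(), false);
    } catch (Exception e) {
        throw new ServletException("Could not validate token", e);
    } finally {
        // con is null when obtaining the target or creating the client failed; closing the
        // connection manager must not be skipped if closing the client throws
        if (con != null) {
            try {
                con.getHttp().close();
            } finally {
                con.getBcm().close();
            }
        }
    }
}

/**
 * Marks the step as executed and failed, advances the chain and sends the OAuth2 failure
 * challenge for {@code realmName}/{@code scope}.
 */
private void failStep(HttpServletRequest request, HttpServletResponse response, AuthStep as, ConfigManager cfg, String realmName, String scope) throws ServletException, IOException {
    as.setExecuted(true);
    as.setSuccess(false);
    cfg.getAuthManager().nextAuth(request, response, request.getSession(), false);
    super.sendFail(response, realmName, scope, null, null);
}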
