use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class TokenData method processUserInfoRequest.
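/**
 * Serves the OIDC userinfo endpoint for a bearer access token.
 *
 * <p>The access token is resolved to a stored session, the session's encrypted
 * id_token is decrypted and its signature re-verified against this server's own
 * signing certificate, and the resulting claims are returned either as a signed
 * JWT ({@code application/jwt}) or as plain JSON ({@code application/json}),
 * depending on the trust's {@code signedUserInfo} setting. Any failure to
 * authorize the caller is logged as an {@code AzFail} event and answered with 401.
 *
 * @param request  the servlet request carrying the {@code Authorization} header
 * @param response the servlet response that receives the claims or a 401
 * @throws Exception on decryption, signing or I/O failure
 */
private void processUserInfoRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
    AuthController ac = (AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL);
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);

    // Only the Bearer scheme is accepted. Stripping a fixed prefix length without this
    // check threw on shorter headers and silently accepted other schemes.
    String header = request.getHeader("Authorization");
    if (header == null || !header.startsWith("Bearer ")) {
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        response.sendError(401);
        return;
    }

    String accessToken = header.substring("Bearer ".length());
    // NOTE(review): assumes getSessionByAccessToken returns null for unknown or expired tokens — confirm
    OidcSessionState dbSession = this.getSessionByAccessToken(accessToken);
    if (dbSession == null) {
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        response.sendError(401);
        return;
    }

    // The trust is looked up once and checked; a client that has since been removed
    // from the configuration must not dereference a null trust further down.
    OpenIDConnectTrust trust = this.trusts.get(dbSession.getClientID());
    if (trust == null) {
        logger.warn("no trust configured for client " + dbSession.getClientID());
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        response.sendError(401);
        return;
    }

    // The id_token is stored encrypted under the trust's last-mile key; after decryption
    // its signature is still verified with our own public key so a tampered or corrupted
    // record is never echoed back to the caller.
    JsonWebSignature jws = new JsonWebSignature();
    jws.setCompactSerialization(this.decryptToken(trust.getCodeLastmileKeyName(), new Gson(), dbSession.getEncryptedIdToken()));
    jws.setKey(GlobalEntries.getGlobalEntries().getConfigManager().getCertificate(this.jwtSigningKeyName).getPublicKey());
    if (!jws.verifySignature()) {
        logger.warn("id_token tampered with");
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        response.sendError(401);
        return;
    }

    JwtClaims claims = JwtClaims.parse(jws.getPayload());

    String jwt;
    if (trust.isSignedUserInfo()) {
        // Signed userinfo is a JWT over the claims, signed with the same key as the id_token.
        response.setContentType("application/jwt");
        jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(GlobalEntries.getGlobalEntries().getConfigManager().getPrivateKey(this.jwtSigningKeyName));
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        jwt = jws.getCompactSerialization();
    } else {
        // Unsigned userinfo is a plain JSON claims document, so it is labelled as JSON
        // rather than as a JWT.
        response.setContentType("application/json");
        jwt = claims.toJson();
    }

    response.getOutputStream().write(jwt.getBytes("UTF-8"));

    // The access log records the session's subject, not the browser session's AuthInfo,
    // because this endpoint is called by the relying party on the user's behalf.
    AuthInfo remUser = new AuthInfo();
    remUser.setUserDN(dbSession.getUserDN());
    AccessLog.log(AccessEvent.AuSuccess, holder.getApp(), request, remUser, "NONE");
    AccessLog.log(AccessEvent.AzSuccess, holder.getApp(), request, remUser, "NONE");
}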
use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class TokenData method nextTokenAuth.
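/**
 * Runs the next step of the authentication chain for the token endpoint, returning
 * the caller to the token URL once the chain completes.
 *
 * <p>If the URL has no chain name recorded yet, the chain being executed is recorded
 * on it so later steps resolve the same chain.
 *
 * @param req        the current request
 * @param resp       the current response
 * @param session    the HTTP session the chain state lives in
 * @param jsRedirect whether the redirect should be emitted as JavaScript
 * @param act        the chain to execute
 * @return the result of {@code AuthManager.execAuth}
 * @throws ServletException if the authentication manager fails
 * @throws IOException      on I/O failure while writing the response
 */
private boolean nextTokenAuth(HttpServletRequest req, HttpServletResponse resp, HttpSession session, boolean jsRedirect, AuthChainType act) throws ServletException, IOException {
    UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);

    // First time through this URL: pin the chain name for the remaining steps.
    if (holder.getUrl().getAuthChain() == null) {
        holder.getUrl().setAuthChain(act.getName());
    }

    // The token URL is where the chain returns the caller after authentication.
    String finalUrl = genTokenURL(req).toString();
    return holder.getConfig().getAuthManager().execAuth(req, resp, session, jsRedirect, holder, act, finalUrl);
}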
use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class TokenData method nextAuth.
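/**
 * Runs the next step of the authentication chain, returning the caller to the
 * final URL for this request once the chain completes.
 *
 * <p>If the URL has no chain name recorded yet, the chain being executed is recorded
 * on it so later steps resolve the same chain.
 *
 * @param req        the current request
 * @param resp       the current response
 * @param session    the HTTP session the chain state lives in
 * @param jsRedirect whether the redirect should be emitted as JavaScript
 * @param act        the chain to execute
 * @return the result of {@code AuthManager.execAuth}
 * @throws ServletException if the authentication manager fails
 * @throws IOException      on I/O failure while writing the response
 */
private boolean nextAuth(HttpServletRequest req, HttpServletResponse resp, HttpSession session, boolean jsRedirect, AuthChainType act) throws ServletException, IOException {
    UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);

    // First time through this URL: pin the chain name for the remaining steps.
    if (holder.getUrl().getAuthChain() == null) {
        holder.getUrl().setAuthChain(act.getName());
    }

    // Unlike nextTokenAuth, the chain returns the caller to the request's final URL.
    String finalUrl = genFinalURL(req).toString();
    return holder.getConfig().getAuthManager().execAuth(req, resp, session, jsRedirect, holder, act, finalUrl);
}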
use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class U2fAuth method startAuthentication.
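/**
 * Begins a U2F sign (second-factor) step for the already-identified user.
 *
 * <p>The user's registered keys are loaded from the configured attribute, a sign
 * request bound to this application's ID is generated, and the request, its JSON
 * form and the server instance are stashed in the session before the browser is
 * redirected to the form that drives the authenticator. When the user has no keys
 * or the sign request cannot be built, the step fails (if the mechanism is
 * {@code required}) and the chain moves on.
 *
 * @param request  the current request
 * @param response the current response
 * @param as       the chain step being executed
 * @throws ServletException      if the user's keys cannot be loaded
 * @throws MalformedURLException if the application ID cannot be derived from the request
 * @throws IOException           on redirect failure
 */
private void startAuthentication(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws ServletException, MalformedURLException, IOException {
    HttpSession session = request.getSession();
    AuthController ac = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    AuthInfo userData = ac.getAuthInfo();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    RequestHolder reqHolder = ac.getHolder();

    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    AuthMechType amt = act.getAuthMech().get(as.getId());
    boolean required = "required".equals(amt.getRequired());

    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    String challengeStoreAttribute = authParams.get("attribute").getValues().get(0);
    String encryptionKeyName = authParams.get("encryptionKeyName").getValues().get(0);
    String uidAttributeName = authParams.get("uidAttributeName").getValues().get(0);
    String formURI = authParams.get("formURI").getValues().get(0);

    List<SecurityKeyData> keys;
    try {
        keys = U2fUtil.loadUserKeys(userData, challengeStoreAttribute, encryptionKeyName);
    } catch (Exception e1) {
        throw new ServletException("Could not load keys", e1);
    }

    // No registered keys: nothing to challenge. Fail the step only when the mechanism
    // is required, then let the chain continue.
    if (keys == null || keys.isEmpty()) {
        if (required) {
            as.setSuccess(false);
        }
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }

    // The sign request is bound to this deployment's application ID, which doubles as
    // the only accepted origin.
    Set<String> origins = new HashSet<String>();
    String appID = U2fUtil.getApplicationId(request);
    origins.add(appID);
    U2FServer u2f = new U2FServerUnison(this.challengeGen, new UnisonDataStore(UUID.randomUUID().toString(), keys), new BouncyCastleCrypto(), origins);
    String uid = userData.getAttribs().get(uidAttributeName).getValues().get(0);

    U2fSignRequest sigReq;
    try {
        sigReq = u2f.getSignRequest(uid, appID);
    } catch (U2FException e) {
        logger.error("Could not start authentication", e);
        if (required) {
            as.setSuccess(false);
        }
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }

    // The form page reads the JSON sign request; the server instance is kept so the
    // response can be verified against the same challenge.
    Gson gson = new Gson();
    session.setAttribute(AUTH_SIGN_REQ, sigReq);
    session.setAttribute(AUTH_SIGN_REQ_JSON, gson.toJson(sigReq));
    session.setAttribute(SERVER, u2f);
    response.sendRedirect(formURI);
}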
use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class GenerateOIDCTokens method doGet.
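/**
 * Generates an OIDC token set for the authenticated user as an authentication
 * chain step and stores it in the session.
 *
 * <p>The identity provider and trust are taken from the mechanism parameters
 * {@code idpName} and {@code trustName}; the issuer URL defaults to the request URL
 * unless {@code overrideURL} is configured. On success the step is marked successful
 * and the chain continues.
 *
 * @param request  the current request
 * @param response the current response
 * @param as       the chain step being executed
 * @throws IOException      on I/O failure while continuing the chain
 * @throws ServletException if the URL holder is missing or the token cannot be generated
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }

    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    String idpName = authParams.get("idpName").getValues().get(0);
    String trustName = authParams.get("trustName").getValues().get(0);

    // The issuer URL is the request URL unless the deployment overrides it (e.g. behind
    // a proxy that rewrites the host).
    String overrideURL = request.getRequestURL().toString();
    Attribute overrideAttr = authParams.get("overrideURL");
    if (overrideAttr != null) {
        overrideURL = overrideAttr.getValues().get(0);
    }

    OpenIDConnectToken token = new OpenIDConnectToken(idpName, trustName, overrideURL);
    try {
        // The host used while generating the token comes from the OU_HOST JVM property.
        request.setAttribute(ProxyTools.OVERRIDE_HOST, System.getProperty("OU_HOST"));
        token.generateToken(request);
    } catch (MalformedClaimException | JoseException | LDAPException | ProvisioningException e) {
        throw new ServletException("Could not generate token", e);
    }

    session.setAttribute(GenerateOIDCTokens.UNISON_SESSION_OIDC_ID_TOKEN, token);
    as.setSuccess(true);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}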