
Example 56 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

Class TokenData, method processUserInfoRequest.

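/**
 * Serves the OIDC userinfo endpoint.
 *
 * The bearer access token is resolved to a stored session, the id_token kept for that
 * session is decrypted and its signature re-verified against this IdP's own signing
 * certificate, and the resulting claims are written back: as a JWS signed with the IdP
 * key when the trust asks for signed userinfo, otherwise as plain JSON.
 *
 * Every rejection (no/ill-formed Authorization header, unknown token, unknown client,
 * bad signature) is logged as an AzFail and answered with a bare 401 so the caller
 * learns nothing about which check failed.
 *
 * @param request  current request; must carry the UrlHolder under
 *                 ProxyConstants.AUTOIDM_CFG and an AuthController in the session
 * @param response response the claims (or the 401) are written to
 * @throws Exception on decryption, signature, signing or I/O failure, as elsewhere in
 *                   this class
 */
private void processUserInfoRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
    AuthController ac = (AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL);
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    final String bearerPrefix = "Bearer ";

    // Only "Bearer <token>" is accepted. Previously the prefix was assumed and
    // substring() threw on a shorter header, turning a bad request into a 500.
    String header = request.getHeader("Authorization");
    if (header == null || !header.startsWith(bearerPrefix)) {
        denyUserInfo(request, response, holder, ac);
        return;
    }
    String accessToken = header.substring(bearerPrefix.length());
    if (accessToken.isEmpty()) {
        denyUserInfo(request, response, holder, ac);
        return;
    }

    OidcSessionState dbSession = this.getSessionByAccessToken(accessToken);
    if (dbSession == null) {
        denyUserInfo(request, response, holder, ac);
        return;
    }

    // Look the trust up once; the client may have been removed from the configuration
    // after the session was created, which used to surface as a NullPointerException.
    OpenIDConnectTrust trust = this.trusts.get(dbSession.getClientID());
    if (trust == null) {
        logger.warn("no trust configured for client " + dbSession.getClientID());
        denyUserInfo(request, response, holder, ac);
        return;
    }

    // The stored id_token was issued and signed by this IdP, so it is verified with our
    // own public key, not a client key. NOTE(review): consider also pinning the accepted
    // algorithm (RS256) via jose4j's AlgorithmConstraints on this verifier.
    String idToken = this.decryptToken(trust.getCodeLastmileKeyName(), new Gson(), dbSession.getEncryptedIdToken());
    JsonWebSignature verifier = new JsonWebSignature();
    verifier.setCompactSerialization(idToken);
    verifier.setKey(GlobalEntries.getGlobalEntries().getConfigManager().getCertificate(this.jwtSigningKeyName).getPublicKey());
    if (!verifier.verifySignature()) {
        logger.warn("id_token tampered with");
        denyUserInfo(request, response, holder, ac);
        return;
    }

    JwtClaims claims = JwtClaims.parse(verifier.getPayload());
    // Content type is application/jwt even for the unsigned JSON form; existing
    // clients presumably rely on it, so it is left as is.
    response.setContentType("application/jwt");
    String body;
    if (trust.isSignedUserInfo()) {
        JsonWebSignature signer = new JsonWebSignature();
        signer.setPayload(claims.toJson());
        signer.setKey(GlobalEntries.getGlobalEntries().getConfigManager().getPrivateKey(this.jwtSigningKeyName));
        signer.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        body = signer.getCompactSerialization();
    } else {
        body = claims.toJson();
    }
    response.getOutputStream().write(body.getBytes(java.nio.charset.StandardCharsets.UTF_8));

    // The access log entry is attributed to the token's subject, not to whatever
    // (if anything) is in the HTTP session.
    AuthInfo remUser = new AuthInfo();
    remUser.setUserDN(dbSession.getUserDN());
    AccessLog.log(AccessEvent.AuSuccess, holder.getApp(), request, remUser, "NONE");
    AccessLog.log(AccessEvent.AzSuccess, holder.getApp(), request, remUser, "NONE");
}

/**
 * Logs an authorization failure for the userinfo endpoint and answers with a bare 401.
 *
 * @param request  request being rejected
 * @param response response to send the 401 on
 * @param holder   URL configuration, used to attribute the log entry to the application
 * @param ac       session auth controller whose AuthInfo goes into the log entry
 * @throws IOException if the error response cannot be sent
 */
private static void denyUserInfo(HttpServletRequest request, HttpServletResponse response, UrlHolder holder, AuthController ac) throws IOException {
    AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
    response.sendError(401);
}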
Also used : UrlHolder(com.tremolosecurity.config.util.UrlHolder) AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) JsonWebSignature(org.jose4j.jws.JsonWebSignature) JwtClaims(org.jose4j.jwt.JwtClaims) Gson(com.google.gson.Gson) AuthController(com.tremolosecurity.proxy.auth.AuthController) OidcSessionState(com.tremolosecurity.idp.providers.oidc.model.OidcSessionState)

Example 57 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

Class TokenData, method nextTokenAuth.

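/**
 * Hands the request to the auth manager to run the next step of the authentication
 * chain, using the token URL as the address the chain returns to.
 *
 * @param req        current request; must carry the UrlHolder under ProxyConstants.AUTOIDM_CFG
 * @param resp       current response
 * @param session    HTTP session the auth state lives in
 * @param jsRedirect whether the auth manager should redirect via JavaScript
 * @param act        chain to execute
 * @return whatever the auth manager's execAuth reports
 * @throws ServletException propagated from the auth manager
 * @throws IOException      propagated from the auth manager
 */
private boolean nextTokenAuth(HttpServletRequest req, HttpServletResponse resp, HttpSession session, boolean jsRedirect, AuthChainType act) throws ServletException, IOException {
    UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
    // First pass through this URL: record which chain is authenticating it so the
    // remaining steps and the auth manager agree on the chain name.
    if (holder.getUrl().getAuthChain() == null) {
        holder.getUrl().setAuthChain(act.getName());
    }
    String tokenUrl = genTokenURL(req).toString();
    return holder.getConfig().getAuthManager().execAuth(req, resp, session, jsRedirect, holder, act, tokenUrl);
}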
Also used : UrlHolder(com.tremolosecurity.config.util.UrlHolder) RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder)

Example 58 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

Class TokenData, method nextAuth.

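/**
 * Hands the request to the auth manager to run the next step of the authentication
 * chain, using the final URL as the address the chain returns to.
 *
 * @param req        current request; must carry the UrlHolder under ProxyConstants.AUTOIDM_CFG
 * @param resp       current response
 * @param session    HTTP session the auth state lives in
 * @param jsRedirect whether the auth manager should redirect via JavaScript
 * @param act        chain to execute
 * @return whatever the auth manager's execAuth reports
 * @throws ServletException propagated from the auth manager
 * @throws IOException      propagated from the auth manager
 */
private boolean nextAuth(HttpServletRequest req, HttpServletResponse resp, HttpSession session, boolean jsRedirect, AuthChainType act) throws ServletException, IOException {
    UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
    // First pass through this URL: record which chain is authenticating it so the
    // remaining steps and the auth manager agree on the chain name.
    if (holder.getUrl().getAuthChain() == null) {
        holder.getUrl().setAuthChain(act.getName());
    }
    String finalUrl = genFinalURL(req).toString();
    return holder.getConfig().getAuthManager().execAuth(req, resp, session, jsRedirect, holder, act, finalUrl);
}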
Also used : UrlHolder(com.tremolosecurity.config.util.UrlHolder) RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder)

Example 59 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

Class U2fAuth, method startAuthentication.

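/**
 * Starts a U2F sign challenge for the already-identified user.
 *
 * Loads the user's registered keys, builds a U2F server scoped to this request's
 * application id, stores the sign request (object and JSON form) plus the server in
 * the session and redirects to the form that performs the browser-side U2F call.
 *
 * When the user has no registered key, or the sign request cannot be built, this step
 * is marked failed only if the mechanism is configured as "required"; either way the
 * chain simply advances to its next step.
 *
 * Mechanism parameters read from ProxyConstants.AUTH_MECH_PARAMS: attribute (where the
 * registered keys are stored), encryptionKeyName, uidAttributeName, formURI.
 *
 * @param request  current request; must carry the UrlHolder under
 *                 ProxyConstants.AUTOIDM_CFG and an AuthController in the session
 * @param response current response (redirected to formURI on success)
 * @param as       the auth step being executed
 * @throws ServletException      if the user's keys cannot be loaded
 * @throws MalformedURLException propagated from the auth manager
 * @throws IOException           on redirect or auth-manager failure
 */
private void startAuthentication(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws ServletException, MalformedURLException, IOException {
    AuthController ac = (AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL);
    AuthInfo userData = ac.getAuthInfo();
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    RequestHolder reqHolder = ac.getHolder();
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    AuthMechType amt = act.getAuthMech().get(as.getId());

    // The auth manager stores the mechanism parameters as a HashMap; the cast cannot
    // be checked at runtime.
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    String challengeStoreAttribute = authParams.get("attribute").getValues().get(0);
    String encryptionKeyName = authParams.get("encryptionKeyName").getValues().get(0);
    String uidAttributeName = authParams.get("uidAttributeName").getValues().get(0);
    String formURI = authParams.get("formURI").getValues().get(0);

    List<SecurityKeyData> keys;
    try {
        keys = U2fUtil.loadUserKeys(userData, challengeStoreAttribute, encryptionKeyName);
    } catch (Exception e) {
        throw new ServletException("Could not load keys", e);
    }

    // Without a registered key the step cannot succeed; decide that before building
    // any server state (the data store used to be constructed with a possibly-null list).
    if (keys == null || keys.isEmpty()) {
        skipU2fStep(request, response, session, holder, amt, as);
        return;
    }

    String uid = userData.getAttribs().get(uidAttributeName).getValues().get(0);
    // The only origin the sign request is valid for is this request's own app id.
    String appID = U2fUtil.getApplicationId(request);
    Set<String> origins = new HashSet<>();
    origins.add(appID);
    U2FServer u2f = new U2FServerUnison(this.challengeGen, new UnisonDataStore(UUID.randomUUID().toString(), keys), new BouncyCastleCrypto(), origins);

    U2fSignRequest sigReq;
    try {
        sigReq = u2f.getSignRequest(uid, appID);
    } catch (U2FException e) {
        logger.error("Could not start authentication", e);
        skipU2fStep(request, response, session, holder, amt, as);
        return;
    }

    // The completing request needs the same server instance and the original sign
    // request to validate the browser's response.
    session.setAttribute(AUTH_SIGN_REQ, sigReq);
    session.setAttribute(AUTH_SIGN_REQ_JSON, new Gson().toJson(sigReq));
    session.setAttribute(SERVER, u2f);
    response.sendRedirect(formURI);
}

/**
 * Marks the step as failed when the mechanism is "required", then moves the chain on
 * to its next step.
 *
 * @param request  current request
 * @param response current response
 * @param session  HTTP session the auth state lives in
 * @param holder   URL configuration that reaches the auth manager
 * @param amt      mechanism configuration; its "required" flag decides the step result
 * @param as       the auth step to mark
 * @throws ServletException propagated from the auth manager
 * @throws IOException      propagated from the auth manager
 */
private static void skipU2fStep(HttpServletRequest request, HttpServletResponse response, HttpSession session, UrlHolder holder, AuthMechType amt, AuthStep as) throws ServletException, IOException {
    if ("required".equals(amt.getRequired())) {
        as.setSuccess(false);
    }
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}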
Also used : U2FServer(com.google.u2f.server.U2FServer) BouncyCastleCrypto(com.google.u2f.server.impl.BouncyCastleCrypto) Attribute(com.tremolosecurity.saml.Attribute) HashMap(java.util.HashMap) Gson(com.google.gson.Gson) RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder) HttpServletRequest(javax.servlet.http.HttpServletRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException) U2fSignRequest(com.google.u2f.server.messages.U2fSignRequest) SecurityKeyData(com.google.u2f.server.data.SecurityKeyData) U2FException(com.google.u2f.U2FException) AuthChainType(com.tremolosecurity.config.xml.AuthChainType) HashSet(java.util.HashSet) AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) HttpSession(javax.servlet.http.HttpSession) AuthMechType(com.tremolosecurity.config.xml.AuthMechType) AuthController(com.tremolosecurity.proxy.auth.AuthController) ServletException(javax.servlet.ServletException) U2FException(com.google.u2f.U2FException) MalformedURLException(java.net.MalformedURLException) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) IOException(java.io.IOException)

Example 60 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

Class GenerateOIDCTokens, method doGet.

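/**
 * Auth-chain step that mints an OpenID Connect token for the already-authenticated
 * user and stores it in the session under UNISON_SESSION_OIDC_ID_TOKEN for later
 * steps and filters, then always marks the step successful and advances the chain.
 *
 * Mechanism parameters read from ProxyConstants.AUTH_MECH_PARAMS: idpName and
 * trustName (required), overrideURL (optional; the request URL is used when absent).
 *
 * @param request  current request; must carry the UrlHolder under ProxyConstants.AUTOIDM_CFG
 * @param response current response, passed on to the auth manager
 * @param as       the auth step being executed
 * @throws IOException      propagated from the auth manager
 * @throws ServletException if the UrlHolder is missing or the token cannot be generated
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }

    // The auth manager stores the mechanism parameters as a HashMap; the cast cannot
    // be checked at runtime.
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    String idpName = authParams.get("idpName").getValues().get(0);
    String trustName = authParams.get("trustName").getValues().get(0);
    Attribute overrideAttr = authParams.get("overrideURL");
    String overrideURL = overrideAttr != null
            ? overrideAttr.getValues().get(0)
            : request.getRequestURL().toString();

    OpenIDConnectToken token = new OpenIDConnectToken(idpName, trustName, overrideURL);
    try {
        // generateToken reads the host to embed from this request attribute;
        // OU_HOST is presumably the deployment's externally visible host — confirm.
        request.setAttribute(ProxyTools.OVERRIDE_HOST, System.getProperty("OU_HOST"));
        token.generateToken(request);
    } catch (MalformedClaimException | JoseException | LDAPException | ProvisioningException e) {
        throw new ServletException("Could not generate token", e);
    }

    session.setAttribute(GenerateOIDCTokens.UNISON_SESSION_OIDC_ID_TOKEN, token);
    as.setSuccess(true);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}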
Also used : Attribute(com.tremolosecurity.saml.Attribute) HashMap(java.util.HashMap) HttpSession(javax.servlet.http.HttpSession) JoseException(org.jose4j.lang.JoseException) OpenIDConnectToken(com.tremolosecurity.proxy.auth.util.OpenIDConnectToken) HttpServletRequest(javax.servlet.http.HttpServletRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException) MalformedClaimException(org.jose4j.jwt.MalformedClaimException) LDAPException(com.novell.ldap.LDAPException) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)

Aggregations

UrlHolder (com.tremolosecurity.config.util.UrlHolder)61 ServletException (javax.servlet.ServletException)42 HttpSession (javax.servlet.http.HttpSession)39 HashMap (java.util.HashMap)38 HttpServletRequest (javax.servlet.http.HttpServletRequest)36 AuthChainType (com.tremolosecurity.config.xml.AuthChainType)34 Attribute (com.tremolosecurity.saml.Attribute)31 AuthMechType (com.tremolosecurity.config.xml.AuthMechType)26 AuthController (com.tremolosecurity.proxy.auth.AuthController)26 IOException (java.io.IOException)26 AuthInfo (com.tremolosecurity.proxy.auth.AuthInfo)18 RequestHolder (com.tremolosecurity.proxy.auth.RequestHolder)18 LDAPException (com.novell.ldap.LDAPException)17 LDAPAttribute (com.novell.ldap.LDAPAttribute)16 ConfigManager (com.tremolosecurity.config.util.ConfigManager)12 MyVDConnection (com.tremolosecurity.proxy.myvd.MyVDConnection)10 MalformedURLException (java.net.MalformedURLException)10 ArrayList (java.util.ArrayList)10 ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)9 Gson (com.google.gson.Gson)8