
Example 11 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class U2fAuth method doGet.

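/**
 * Second half of the U2F authentication mechanism.
 *
 * <p>A request without a {@code signResponse} parameter starts the ceremony and is
 * handed to {@code startAuthentication}. A request with one carries the browser's
 * signature: it is verified against the {@code U2FServer} that the first step left in
 * the session, the resulting key set is re-encrypted with {@code encryptionKeyName} and
 * written back to the user's {@code attribute} through the {@code workflowName}
 * workflow, and control moves to the next mechanism in the chain.
 *
 * <p>A verification failure (browser error code, missing challenge, or a rejected
 * signature) only marks the step unsuccessful when the mechanism is configured as
 * {@code required}; in every case the chain continues via {@code nextAuth}.
 *
 * @param request the current request; carries the sign response, the proxy configuration
 *     ({@code ProxyConstants.AUTOIDM_CFG}) and the session with the U2F challenge
 * @param response the current response, passed through to the next mechanism
 * @param as the authentication step being executed
 * @throws IOException from the downstream handlers
 * @throws ServletException if the keys cannot be encrypted or the save workflow fails
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    String signResponse = request.getParameter("signResponse");
    if (signResponse == null) {
        startAuthentication(request, response, as);
        return;
    }
    SignResponseHolder srh = gson.fromJson(signResponse, SignResponseHolder.class);
    HttpSession session = request.getSession();
    AuthController authCtl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    AuthInfo userData = authCtl.getAuthInfo();
    RequestHolder reqHolder = authCtl.getHolder();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    AuthMechType amt = act.getAuthMech().get(as.getId());
    // A failed check only counts against the user when the mechanism is required.
    boolean required = amt.getRequired().equals("required");
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    // Mechanism parameters come from the auth chain configuration; a missing one is a configuration error.
    String challengeStoreAttribute = authParams.get("attribute").getValues().get(0);
    String encryptionKeyName = authParams.get("encryptionKeyName").getValues().get(0);
    String uidAttributeName = authParams.get("uidAttributeName").getValues().get(0);
    String workflowName = authParams.get("workflowName").getValues().get(0);
    if (srh.getErrorCode() > 0) {
        logger.warn("Browser could not validate u2f token for user '" + userData.getUserDN() + "' : " + srh.getErrorCode());
        if (required) {
            as.setSuccess(false);
        }
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }
    U2FServer u2f = (U2FServer) session.getAttribute(SERVER);
    if (u2f == null) {
        // startAuthentication never ran in this session, so there is no challenge to check the signature against;
        // treat it like any other failed verification instead of failing with an NPE.
        logger.warn("No u2f challenge in session for user '" + userData.getUserDN() + "'");
        if (required) {
            as.setSuccess(false);
        }
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }
    SignResponse sigResp = new SignResponse(srh.getKeyHandle(), srh.getSignatureData(), srh.getClientData(), srh.getSessionId());
    try {
        u2f.processSignResponse(sigResp);
    } catch (U2FException e) {
        logger.warn("Could not authenticate user : '" + e.getMessage() + "'");
        if (required) {
            as.setSuccess(false);
        }
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }
    String encrypted;
    try {
        encrypted = U2fUtil.encode(u2f.getAllSecurityKeys("doesntmatter"), encryptionKeyName);
    } catch (Exception e) {
        // Keep the cause: it is the only hint at which key or cipher operation failed.
        throw new ServletException("Could not encrypt keys", e);
    }
    String uid = userData.getAttribs().get(uidAttributeName).getValues().get(0);
    TremoloUser tu = new TremoloUser();
    tu.setUid(uid);
    tu.getAttributes().add(new Attribute(uidAttributeName, uid));
    tu.getAttributes().add(new Attribute(challengeStoreAttribute, encrypted));
    WFCall wc = new WFCall();
    wc.setName(workflowName);
    wc.setUidAttributeName(uidAttributeName);
    wc.setUser(tu);
    Map<String, Object> req = new HashMap<String, Object>();
    // Run synchronously so the keys are stored before the user is marked as authenticated.
    req.put(ProvisioningParams.UNISON_EXEC_TYPE, ProvisioningParams.UNISON_EXEC_SYNC);
    wc.setRequestParams(req);
    try {
        GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getWorkFlow(workflowName).executeWorkflow(wc);
    } catch (ProvisioningException e) {
        throw new ServletException("Could not save keys", e);
    }
    as.setSuccess(true);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}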
Also used : AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) U2FServer(com.google.u2f.server.U2FServer) WFCall(com.tremolosecurity.provisioning.service.util.WFCall) Attribute(com.tremolosecurity.saml.Attribute) HashMap(java.util.HashMap) HttpSession(javax.servlet.http.HttpSession) AuthMechType(com.tremolosecurity.config.xml.AuthMechType) RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder) AuthController(com.tremolosecurity.proxy.auth.AuthController) ServletException(javax.servlet.ServletException) U2FException(com.google.u2f.U2FException) MalformedURLException(java.net.MalformedURLException) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) IOException(java.io.IOException) HttpServletRequest(javax.servlet.http.HttpServletRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException) SignResponse(com.google.u2f.server.messages.SignResponse) TremoloUser(com.tremolosecurity.provisioning.service.util.TremoloUser) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) U2FException(com.google.u2f.U2FException) AuthChainType(com.tremolosecurity.config.xml.AuthChainType)

Example 12 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class TokenData method doPost.

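/**
 * Handles the POST side of the OpenID Connect IdP.
 *
 * <p>Dispatches on the {@code IDP.ACTION_NAME} request attribute: {@code completefed}
 * finishes an in-progress federation, {@code token} serves the token endpoint. The token
 * endpoint in turn handles refresh tokens, RFC 8693 token exchange (impersonation when no
 * {@code actor_token} is present, delegation otherwise), the {@code client_credentials}
 * grant, and falls back to the authorization-code exchange for any other grant type.
 *
 * <p>Client credentials come from the {@code client_id}/{@code client_secret} parameters
 * or, failing that, from an HTTP Basic {@code Authorization} header. A missing or
 * malformed header is answered with HTTP 401 rather than treated as a server error.
 *
 * <p>Any failure is reported as a JSON {@code invalid_request} body with HTTP 500 when the
 * caller accepts {@code application/json}, and rethrown as a {@link ServletException} or
 * {@link IOException} otherwise.
 *
 * @param request the incoming request
 * @param response the response to write to
 * @throws IOException if writing the response fails
 * @throws ServletException for any other processing failure when the caller does not accept JSON
 */
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    String accept = request.getHeader("Accept");
    boolean wantsJson = accept != null && accept.startsWith("application/json");
    if (wantsJson) {
        // Tells the proxy's error handling not to redirect API clients to an HTML error page.
        request.setAttribute("com.tremolosecurity.unison.proxy.noRedirectOnError", "com.tremolosecurity.unison.proxy.noRedirectOnError");
    }
    try {
        String action = (String) request.getAttribute(IDP.ACTION_NAME);
        if (action.contentEquals("completefed")) {
            this.completeFederation(request, response);
        } else if (action.equalsIgnoreCase("token")) {
            String code = request.getParameter("code");
            String clientID = request.getParameter("client_id");
            String clientSecret = request.getParameter("client_secret");
            String grantType = request.getParameter("grant_type");
            String refreshToken = request.getParameter("refresh_token");
            if (clientID == null) {
                // No client_id parameter: the client authenticated with HTTP Basic instead.
                String azHeader = request.getHeader("Authorization");
                if (azHeader == null) {
                    logger.warn("Token request without client_id parameter or Authorization header");
                    response.sendError(401);
                    return;
                }
                String encoded = azHeader.substring(azHeader.indexOf(' ') + 1).trim();
                String decoded = new String(org.apache.commons.codec.binary.Base64.decodeBase64(encoded), "UTF-8");
                int sep = decoded.indexOf(':');
                if (sep < 0) {
                    // Basic credentials must be "id:secret"; anything else is a malformed header, not a server error.
                    logger.warn("Malformed Basic Authorization header on token request");
                    response.sendError(401);
                    return;
                }
                clientID = decoded.substring(0, sep);
                clientSecret = decoded.substring(sep + 1);
            }
            AuthController ac = (AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL);
            UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
            if (refreshToken != null) {
                try {
                    refreshToken(response, clientID, clientSecret, refreshToken, holder, request, ac.getAuthInfo());
                } catch (Exception e1) {
                    logger.warn("Could not refresh token", e1);
                    AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
                    response.sendError(401);
                }
            } else if ("urn:ietf:params:oauth:grant-type:token-exchange".equalsIgnoreCase(grantType)) {
                StsRequest stsRequest = new StsRequest();
                stsRequest.setAudience(request.getParameter("audience"));
                stsRequest.setSubjectToken(request.getParameter("subject_token"));
                stsRequest.setSubjectTokenType(request.getParameter("subject_token_type"));
                stsRequest.setActorToken(request.getParameter("actor_token"));
                stsRequest.setActorTokenType(request.getParameter("actor_token_type"));
                // An actor token means delegation; without one the client is impersonating the subject.
                stsRequest.setImpersonation(stsRequest.getActorToken() == null);
                stsRequest.setDelegation(stsRequest.getActorToken() != null);
                OpenIDConnectTrust trust = this.trusts.get(clientID);
                if (trust == null) {
                    // Unknown client: answered like a non-STS trust below, not as a server error.
                    logger.warn(new StringBuilder().append("Trust '").append(clientID).append("' not found").toString());
                    response.sendError(401);
                    return;
                }
                if (!trust.isSts()) {
                    logger.warn(new StringBuilder().append("Trust '").append(clientID).append("' not an sts").toString());
                    response.sendError(401);
                    return;
                }
                if (stsRequest.isImpersonation()) {
                    stsImpersontion(request, response, clientID, ac, holder, stsRequest, trust);
                } else {
                    stsDelegation(request, response, clientID, ac, holder, stsRequest, trust);
                }
            } else if ("client_credentials".equalsIgnoreCase(grantType)) {
                clientCredentialsGrant(request, response, clientID, clientSecret, ac, holder);
            } else {
                completeUserLogin(request, response, code, clientID, clientSecret, holder, ac.getAuthInfo());
            }
        }
    } catch (Throwable t) {
        if (wantsJson) {
            response.sendError(500);
            response.setContentType("application/json");
            response.getWriter().print("{\"error\":\"invalid_request\"}");
            logger.error("Sending JSON Error", t);
        } else if (t instanceof ServletException) {
            throw (ServletException) t;
        } else if (t instanceof IOException) {
            throw (IOException) t;
        } else {
            throw new ServletException("Error processing post", t);
        }
    }
}

/**
 * Completes an RFC 8693 token exchange in delegation mode, the counterpart of
 * {@code stsImpersontion}.
 *
 * <p>The {@code actor_token} identifies the client acting on behalf of the user named
 * by the {@code subject_token}. Both tokens are validated against this IdP's signing
 * certificate and issuer URL, the actor must pass the trust's client authorization rules
 * and the subject its subject rules, and the requested {@code audience} must be both
 * allowed by the trust and an existing trust itself. On success a session is created for
 * the audience and the access token is written as JSON.
 *
 * <p>Every failure path writes its own HTTP error (403 for authorization failures, 404 for
 * an unknown audience, 500 for configuration problems) before returning; callers need
 * not respond again.
 *
 * @param request the token request
 * @param response the response to write to
 * @param clientID the authenticated STS client
 * @param ac the caller's authentication controller
 * @param holder the proxy configuration for the current URL
 * @param stsRequest the parsed token-exchange parameters
 * @param trust the STS trust matching {@code clientID}
 * @throws Exception from token validation, session creation or response writing
 */
private void stsDelegation(HttpServletRequest request, HttpServletResponse response, String clientID, AuthController ac, UrlHolder holder, StsRequest stsRequest, OpenIDConnectTrust trust) throws Exception {
    if (!trust.isStsDelegation()) {
        logger.warn(new StringBuilder().append("clientid '").append(clientID).append("' does not support delegation").toString());
        response.sendError(403);
        // Stop here: a client that may not delegate must not reach the exchange below.
        return;
    }
    X509Certificate sigCert = GlobalEntries.getGlobalEntries().getConfigManager().getCertificate(this.getJwtSigningKeyName());
    if (sigCert == null) {
        logger.error(new StringBuilder().append("JWT Signing Certificate '").append(this.getJwtSigningKeyName()).append("' does not exist").toString());
        response.sendError(500);
        return;
    }
    // The issuer is the first URL configured for this application, made absolute for this request.
    String issuerUrl = ProxyTools.getInstance().getFqdnUrl(new StringBuilder().append(holder.getApp().getUrls().getUrl().get(0).getUri()).toString(), request);
    AuthInfo authData = ac.getAuthInfo();
    TokenData actorTokenData = this.validateToken(stsRequest.getActorToken(), "actor_token", sigCert.getPublicKey(), issuerUrl, clientID, holder, request, authData, response, false);
    if (actorTokenData == null) {
        // validateToken has already written the error response
        return;
    }
    String uidAttribute = this.getUidAttributeFromMap();
    if (uidAttribute == null) {
        logger.error(new StringBuilder().append("IdP ").append(holder.getApp().getName()).append(" does not have a sub attribute mapped to a user attribute").toString());
        response.sendError(500);
        return;
    }
    // The token's amr claim selects the auth chain the resulting identity is attributed to, when one is mapped.
    String actorChainName = actorTokenData.amr == null ? null : this.getAmrToAuthChain().get(actorTokenData.amr);
    AuthChainType actorAuthChain = actorChainName == null ? null : GlobalEntries.getGlobalEntries().getConfigManager().getAuthChains().get(actorChainName);
    AuthInfo actorAuth = this.jwtToAuthInfo(actorTokenData, uidAttribute, actorAuthChain, actorChainName);
    if (actorAuth == null) {
        // don't think this can happen
        logger.error("Could not create user auth object from jwt");
        response.sendError(500);
        return;
    }
    AzSys azSys = new AzSys();
    if (!azSys.checkRules(actorAuth, GlobalEntries.getGlobalEntries().getConfigManager(), trust.getClientAzRules(), new HashMap<String, Object>())) {
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, actorAuth, new StringBuilder().append("client not authorized to exchange token for subject '").append(actorTokenData.subjectUid).append("'").toString());
        response.sendError(403);
        return;
    }
    if (!trust.getAllowedAudiences().contains(stsRequest.getAudience())) {
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, actorAuth, new StringBuilder().append("Audience '").append(stsRequest.getAudience()).append("' is not an authorized audience for sts '").append(trust.getTrustName()).append("'").toString());
        response.sendError(403);
        return;
    }
    OpenIDConnectTrust targetTrust = this.getTrusts().get(stsRequest.getAudience());
    if (targetTrust == null) {
        logger.warn(new StringBuilder().append("Audience '").append(stsRequest.getAudience()).append("' does not exist").toString());
        response.sendError(404);
        return;
    }
    TokenData subjectTokenData = this.validateToken(stsRequest.getSubjectToken(), "subject_token", sigCert.getPublicKey(), issuerUrl, null, holder, request, authData, response, true);
    if (subjectTokenData == null) {
        // validateToken has already written the error response
        return;
    }
    String subjectChainName = subjectTokenData.amr == null ? null : this.getAmrToAuthChain().get(subjectTokenData.amr);
    AuthChainType subjectAuthChain = subjectChainName == null ? null : GlobalEntries.getGlobalEntries().getConfigManager().getAuthChains().get(subjectChainName);
    AuthInfo subjectAuth = this.jwtToAuthInfo(subjectTokenData, uidAttribute, subjectAuthChain, subjectChainName);
    if (subjectAuth == null) {
        // don't think this can happen
        logger.error("Could not create user auth object from jwt");
        response.sendError(500);
        return;
    }
    // Logged against the actor: it is the client that is being denied.
    if (!azSys.checkRules(subjectAuth, GlobalEntries.getGlobalEntries().getConfigManager(), trust.getSubjectAzRules(), new HashMap<String, Object>())) {
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, actorAuth, new StringBuilder().append("client not authorized to exchange token for subject '").append(subjectTokenData.subjectUid).append("'").toString());
        response.sendError(403);
        return;
    }
    OpenIDConnectAccessToken access = new OpenIDConnectAccessToken();
    OidcSessionState oidcSession = this.createUserSession(request, stsRequest.getAudience(), holder, targetTrust, subjectAuth.getUserDN(), GlobalEntries.getGlobalEntries().getConfigManager(), access, UUID.randomUUID().toString(), subjectAuth.getAuthChain(), subjectTokenData.root, actorTokenData.root);
    AccessLog.log(AccessEvent.AzSuccess, holder.getApp(), request, actorAuth, new StringBuilder().append("client '").append(trust.getTrustName()).append("' delegated to by '").append(subjectTokenData.subjectUid).append("', jti : '").append(access.getIdTokenId()).append("'").toString());
    access.setRefresh_token(oidcSession.getRefreshToken());
    String json = new Gson().toJson(access);
    response.setContentType("application/json");
    response.getOutputStream().write(json.getBytes("UTF-8"));
    response.getOutputStream().flush();
    if (logger.isDebugEnabled()) {
        // NOTE(review): this writes the issued access and refresh tokens to the log at DEBUG level.
        logger.debug("Token JSON : '" + json + "'");
    }
}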
Also used : AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) HashMap(java.util.HashMap) HttpSession(javax.servlet.http.HttpSession) Gson(com.google.gson.Gson) IOException(java.io.IOException) AuthController(com.tremolosecurity.proxy.auth.AuthController) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) LDAPException(com.novell.ldap.LDAPException) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) IOException(java.io.IOException) ServletException(javax.servlet.ServletException) URISyntaxException(java.net.URISyntaxException) InvalidJwtException(org.jose4j.jwt.consumer.InvalidJwtException) IllegalBlockSizeException(javax.crypto.IllegalBlockSizeException) JoseException(org.jose4j.lang.JoseException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) ParseException(org.json.simple.parser.ParseException) NoSuchPaddingException(javax.crypto.NoSuchPaddingException) MalformedURLException(java.net.MalformedURLException) BadPaddingException(javax.crypto.BadPaddingException) X509Certificate(java.security.cert.X509Certificate) UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException) AzSys(com.tremolosecurity.proxy.auth.AzSys) StsRequest(com.tremolosecurity.idp.providers.oidc.db.StsRequest) AuthChainType(com.tremolosecurity.config.xml.AuthChainType) OidcSessionState(com.tremolosecurity.idp.providers.oidc.model.OidcSessionState)

Example 13 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class TokenData method doGet.

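/**
 * Handles the GET side of the OpenID Connect IdP, dispatching on the
 * {@code IDP.ACTION_NAME} request attribute:
 * <ul>
 *   <li>{@code .well-known/openid-configuration}: the discovery document</li>
 *   <li>{@code certs}: the JWKS for the {@code jwtSigningKeyName} certificate</li>
 *   <li>{@code auth}: the authorization endpoint (see {@code processAuthorizationRequest})</li>
 *   <li>{@code completefed}: finishes an in-progress federation</li>
 *   <li>{@code userinfo}: the userinfo endpoint</li>
 * </ul>
 * Unknown actions fall through without a response.
 *
 * @param request the incoming request; must carry the proxy configuration in
 *     {@code ProxyConstants.AUTOIDM_CFG}
 * @param response the response to write to
 * @throws IOException if writing the response fails
 * @throws ServletException if the proxy configuration is missing, the JWKS cannot be
 *     built, the trust has no auth chain, or the userinfo request fails
 */
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    String accept = request.getHeader("Accept");
    if (accept != null && accept.startsWith("application/json")) {
        // Tells the proxy's error handling not to redirect API clients to an HTML error page.
        request.setAttribute("com.tremolosecurity.unison.proxy.noRedirectOnError", "com.tremolosecurity.unison.proxy.noRedirectOnError");
    }
    String action = (String) request.getAttribute(IDP.ACTION_NAME);
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    AuthController ac = (AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL);
    if (action.equalsIgnoreCase(".well-known/openid-configuration")) {
        Gson gson = new GsonBuilder().setPrettyPrinting().create();
        String json = gson.toJson(new OpenIDConnectConfig(this.authURI, request, mapper));
        response.setContentType("application/json");
        response.getWriter().print(json);
        AccessLog.log(AccessEvent.AzSuccess, holder.getApp(), request, ac.getAuthInfo(), "NONE");
    } else if (action.equalsIgnoreCase("certs")) {
        try {
            X509Certificate cert = GlobalEntries.getGlobalEntries().getConfigManager().getCertificate(this.jwtSigningKeyName);
            JsonWebKey jwk = JsonWebKey.Factory.newJwk(cert.getPublicKey());
            jwk.setKeyId(buildKID(cert));
            jwk.setUse("sig");
            jwk.setAlgorithm("RS256");
            response.setContentType("application/json");
            response.getWriter().print(new JsonWebKeySet(jwk).toJson());
            AccessLog.log(AccessEvent.AzSuccess, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        } catch (JoseException e) {
            throw new ServletException("Could not generate jwt", e);
        }
    } else if (action.equalsIgnoreCase("auth")) {
        processAuthorizationRequest(request, response, holder, ac);
    } else if (action.contentEquals("completefed")) {
        this.completeFederation(request, response);
    } else if (action.equalsIgnoreCase("userinfo")) {
        try {
            processUserInfoRequest(request, response);
        } catch (Exception e) {
            throw new ServletException("Could not process userinfo request", e);
        }
    }
}

/**
 * Handles the OIDC authorization endpoint ({@code action=auth}).
 *
 * <p>Builds an {@code OpenIDConnectTransaction} from the request parameters, checks the
 * client against the configured trusts, the redirect URI (when the trust enables
 * verification) and the requested scopes, stores the transaction in the session and then
 * either starts authentication, steps it up, or redirects straight to the final URL when
 * the session's authentication level already meets the trust's auth chain.
 *
 * <p>The user agent is never redirected to a redirect URI that has not been validated
 * (RFC 6749 section 4.1.2.1): an unknown client or a redirect URI not registered for the
 * client is answered with HTTP 400. Scope errors are reported by redirect because by then
 * the URI has been checked, or the trust has opted out of checking it.
 *
 * @param request the authorization request
 * @param response the response to write to
 * @param holder the proxy configuration for the current URL
 * @param ac the caller's authentication controller
 * @throws IOException if the redirect or error cannot be written
 * @throws ServletException if the trust has no authentication chain configured
 */
private void processAuthorizationRequest(HttpServletRequest request, HttpServletResponse response, UrlHolder holder, AuthController ac) throws IOException, ServletException {
    String clientID = request.getParameter("client_id");
    String responseCode = request.getParameter("response_type");
    String scope = request.getParameter("scope");
    String redirectURI = request.getParameter("redirect_uri");
    String state = request.getParameter("state");
    String nonce = request.getParameter("nonce");
    OpenIDConnectTransaction transaction = new OpenIDConnectTransaction();
    transaction.setClientID(clientID);
    transaction.setResponseCode(responseCode);
    transaction.setNonce(nonce);
    transaction.setRedirectURI(redirectURI);
    transaction.setState(state);
    if (scope != null) {
        // A missing scope is treated as empty and rejected by the scope checks below instead of failing with an NPE.
        StringTokenizer toker = new StringTokenizer(scope, " ", false);
        while (toker.hasMoreTokens()) {
            transaction.getScope().add(toker.nextToken());
        }
    }
    OpenIDConnectTrust trust = trusts.get(clientID);
    if (trust == null) {
        // The redirect URI belongs to an unknown client and has not been validated: do not redirect to it.
        logger.warn("Trust '" + clientID + "' not found");
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        response.sendError(400);
        return;
    }
    if (trust.isVerifyRedirect() && !trust.getRedirectURI().contains(redirectURI)) {
        // Same rule: a redirect URI that is not registered for this client is never redirected to.
        logger.warn("Invalid redirect");
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        response.sendError(400);
        return;
    }
    if (this.scopes == null) {
        // No scope whitelist: the request must lead with "openid".
        if (transaction.getScope().isEmpty() || !transaction.getScope().get(0).equals("openid")) {
            logger.warn("First scope not openid");
            AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
            response.sendRedirect(transaction.getRedirectURI() + "?error=invalid_scope");
            return;
        }
        // we don't need the openid scope anymore
        transaction.getScope().remove(0);
    } else {
        for (String indvScope : transaction.getScope()) {
            if (!this.scopes.contains(indvScope)) {
                logger.warn(new StringBuilder().append("Scope '").append(indvScope).append("' not recognized").toString());
                AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
                response.sendRedirect(transaction.getRedirectURI() + "?error=invalid_scope");
                return;
            }
        }
    }
    String authChain = trust.getAuthChain();
    if (authChain == null) {
        throw new ServletException("IdP does not have an authentication chain configured");
    }
    HttpSession session = request.getSession();
    AuthInfo authData = ac.getAuthInfo();
    AuthChainType act = holder.getConfig().getAuthChains().get(authChain);
    session.setAttribute(OpenIDConnectIdP.TRANSACTION_DATA, transaction);
    // Continue (or start) the chain when nobody is authenticated yet, or when an unfinished
    // authentication already reached the required level.
    boolean continueAuth = authData == null || (!authData.isAuthComplete() && authData.getAuthLevel() >= act.getLevel());
    if (continueAuth) {
        nextAuth(request, response, session, false, act);
    } else if (authData.getAuthLevel() < act.getLevel()) {
        // step up authentication, clear existing auth data
        session.removeAttribute(ProxyConstants.AUTH_CTL);
        holder.getConfig().createAnonUser(session);
        nextAuth(request, response, session, false, act);
    } else {
        // TODO if session already exists extend the life of the id_token
        response.sendRedirect(genFinalURL(request).toString());
    }
}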
Also used : AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) OpenIDConnectConfig(com.tremolosecurity.idp.providers.oidc.model.OpenIDConnectConfig) GsonBuilder(com.google.gson.GsonBuilder) JoseException(org.jose4j.lang.JoseException) HttpSession(javax.servlet.http.HttpSession) JsonWebKey(org.jose4j.jwk.JsonWebKey) Gson(com.google.gson.Gson) JsonWebKeySet(org.jose4j.jwk.JsonWebKeySet) AuthController(com.tremolosecurity.proxy.auth.AuthController) X509Certificate(java.security.cert.X509Certificate) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) LDAPException(com.novell.ldap.LDAPException) InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException) IOException(java.io.IOException) ServletException(javax.servlet.ServletException) URISyntaxException(java.net.URISyntaxException) InvalidJwtException(org.jose4j.jwt.consumer.InvalidJwtException) IllegalBlockSizeException(javax.crypto.IllegalBlockSizeException) JoseException(org.jose4j.lang.JoseException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) ParseException(org.json.simple.parser.ParseException) NoSuchPaddingException(javax.crypto.NoSuchPaddingException) MalformedURLException(java.net.MalformedURLException) BadPaddingException(javax.crypto.BadPaddingException) UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException) HttpServletRequest(javax.servlet.http.HttpServletRequest) StringTokenizer(java.util.StringTokenizer) AuthChainType(com.tremolosecurity.config.xml.AuthChainType)

Example 14 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class ScaleJSOperator method lookupUser.

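/**
 * Serves the operator's "look up a user" call.
 *
 * <p>Loads the entry at the {@code dn} parameter from MyVD (optionally narrowed by a
 * pre-built {@code ops.search.filter} attribute), exposes the attributes listed in the
 * ScaleMain configuration after filtering them through its UI decisions (when
 * configured), resolves group membership from the directory, and writes the resulting
 * {@code OpsUserData} as JSON.
 *
 * <p>The ScaleMain configuration is located lazily on first use from the filter chain of
 * {@code scaleMainURL}. The lookup is idempotent, so the unsynchronized lazy init is
 * benign if two requests race.
 *
 * @param request the filter request; must carry a {@code dn} parameter
 * @param response receives the JSON document
 * @param gson serializer for the response
 * @throws Exception if the ScaleMain configuration cannot be found, the {@code dn}
 *     parameter is missing, or no entry matches
 * @throws LDAPException from the directory searches
 * @throws IOException if the response cannot be written
 */
private void lookupUser(HttpFilterRequest request, HttpFilterResponse response, Gson gson) throws Exception, LDAPException, IOException {
    if (this.scaleMainConfig == null) {
        UrlHolder holder = GlobalEntries.getGlobalEntries().getConfigManager().findURL(this.scaleMainURL);
        if (holder == null) {
            throw new Exception("Could not find URL '" + this.scaleMainURL + "' for the ScaleMain configuration");
        }
        for (HttpFilter filter : holder.getFilterChain()) {
            if (filter instanceof ScaleMain) {
                this.scaleMainConfig = ((ScaleMain) filter).scaleConfig;
            }
        }
        if (this.scaleMainConfig == null) {
            // Everything below needs it; fail with a message naming the URL rather than an NPE later on.
            throw new Exception("No ScaleMain filter configured on URL '" + this.scaleMainURL + "'");
        }
    }
    // Work from a local reference so a concurrent re-initialization cannot swap the config mid-request.
    ScaleConfig cfg = this.scaleMainConfig;
    if (request.getParameter("dn") == null) {
        throw new Exception("No dn parameter");
    }
    String dn = request.getParameter("dn").getValues().get(0);
    FilterBuilder baseFilter = (FilterBuilder) request.getAttribute("ops.search.filter");
    String filter = baseFilter == null ? "(objectClass=*)" : baseFilter.toString();
    // Base-scope (0) search: dn is the caller-supplied base, the filter comes from an earlier filter in the chain.
    LDAPSearchResults res = GlobalEntries.getGlobalEntries().getConfigManager().getMyVD().search(dn, 0, filter, new ArrayList<String>());
    if (!res.hasMore()) {
        throw new Exception("Could not locate user '" + dn + "'");
    }
    LDAPEntry entry = res.next();
    AuthInfo userData = new AuthInfo();
    userData.setUserDN(entry.getDN());
    LDAPAttributeSet attrs = entry.getAttributeSet();
    for (Object obj : attrs) {
        LDAPAttribute attr = (LDAPAttribute) obj;
        Attribute attrib = new Attribute(attr.getName());
        for (String val : attr.getStringValueArray()) {
            attrib.getValues().add(val);
        }
        userData.getAttribs().put(attrib.getName(), attrib);
    }
    // null means "no restriction"; otherwise only the listed attributes may be shown to this operator.
    Set<String> allowedAttrs = cfg.getUiDecisions() == null ? null : cfg.getUiDecisions().availableAttributes(userData, request.getServletRequest());
    OpsUserData userToSend = new OpsUserData();
    userToSend.setDn(userData.getUserDN());
    for (String attrName : cfg.getUserAttributeList()) {
        if (allowedAttrs != null && !allowedAttrs.contains(attrName)) {
            continue;
        }
        Attribute attr = new Attribute(attrName);
        Attribute fromUser = userData.getAttribs().get(attrName);
        if (fromUser != null) {
            attr.getValues().addAll(fromUser.getValues());
            if (attrName.equalsIgnoreCase(cfg.getUidAttributeName())) {
                userToSend.setUid(fromUser.getValues().get(0));
            }
        }
        // Attributes the user lacks are still sent, empty, so the UI can render every configured field.
        userToSend.getAttributes().add(attr);
    }
    String roleAttribute = cfg.getRoleAttribute();
    if (roleAttribute != null && !roleAttribute.isEmpty()) {
        Attribute fromUser = userData.getAttribs().get(roleAttribute);
        Attribute attr = new Attribute(roleAttribute);
        if (fromUser != null) {
            attr.getValues().addAll(fromUser.getValues());
            // The role attribute seeds the group list; directory groups are added on top below.
            userToSend.getGroups().clear();
            userToSend.getGroups().addAll(fromUser.getValues());
        }
        userToSend.getAttributes().add(attr);
    }
    // Groups: every entry under the LDAP root whose member attribute names this dn.
    // NOTE(review): relies on FilterBuilder.equal escaping the caller-supplied dn for use in the filter; confirm.
    String memberAttribute = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getGroupMemberAttribute();
    String ldapRoot = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot();
    String memberFilter = equal(memberAttribute, dn).toString();
    ArrayList<String> attrNames = new ArrayList<String>();
    attrNames.add("cn");
    attrNames.add(memberAttribute);
    res = GlobalEntries.getGlobalEntries().getConfigManager().getMyVD().search(ldapRoot, 2, memberFilter, attrNames);
    // Re-check each result against the same filter locally before trusting the membership.
    net.sourceforge.myvd.types.Filter ldapFiltertoCheck = new net.sourceforge.myvd.types.Filter(memberFilter);
    while (res.hasMore()) {
        entry = res.next();
        if (!ldapFiltertoCheck.getRoot().checkEntry(entry)) {
            continue;
        }
        LDAPAttribute la = entry.getAttribute("cn");
        if (la != null) {
            String val = la.getStringValue();
            if (!userToSend.getGroups().contains(val)) {
                userToSend.getGroups().add(val);
            }
        }
    }
    if (cfg.getUiDecisions() != null) {
        Set<String> smAllowedAttrs = cfg.getUiDecisions().availableAttributes(userData, request.getServletRequest());
        // Per-request copy of the metadata with the attributes this operator may not see removed.
        // NOTE(review): assumes the ScaleConfig copy constructor copies the attribute map; if it shares it,
        // remove() below would modify the map being iterated — confirm.
        ScaleConfig local = new ScaleConfig(cfg);
        if (smAllowedAttrs != null) {
            for (String attrName : cfg.getAttributes().keySet()) {
                if (!smAllowedAttrs.contains(attrName)) {
                    local.getAttributes().remove(attrName);
                }
            }
        }
        userToSend.setMetaData(local.getAttributes());
        userToSend.setCanEditUser(cfg.getUiDecisions().canEditUser(userData, request.getServletRequest()));
    } else {
        userToSend.setMetaData(cfg.getAttributes());
        userToSend.setCanEditUser(cfg.isCanEditUser());
    }
    ScaleJSUtils.addCacheHeaders(response);
    response.setContentType("application/json");
    response.getWriter().println(gson.toJson(userToSend).trim());
}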
Also used : LDAPAttribute(com.novell.ldap.LDAPAttribute) Attribute(com.tremolosecurity.saml.Attribute) ArrayList(java.util.ArrayList) UrlHolder(com.tremolosecurity.config.util.UrlHolder) LDAPEntry(com.novell.ldap.LDAPEntry) FilterBuilder(org.apache.directory.ldap.client.api.search.FilterBuilder) HttpFilter(com.tremolosecurity.proxy.filter.HttpFilter) LDAPAttribute(com.novell.ldap.LDAPAttribute) AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) Filter(net.sourceforge.myvd.types.Filter) OpsUserData(com.tremolosecurity.scalejs.operators.data.OpsUserData) LDAPAttributeSet(com.novell.ldap.LDAPAttributeSet) LDAPException(com.novell.ldap.LDAPException) IOException(java.io.IOException) LDAPSearchResults(com.novell.ldap.LDAPSearchResults) Filter(net.sourceforge.myvd.types.Filter) HttpFilter(com.tremolosecurity.proxy.filter.HttpFilter) ScaleMain(com.tremolosecurity.scalejs.ws.ScaleMain) ScaleConfig(com.tremolosecurity.scalejs.cfg.ScaleConfig)

Example 15 with UrlHolder

use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.

the class TokenData method completeFederation.

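/**
 * Completes an OpenID Connect federation request once the local authentication chain has run.
 *
 * <p>The pending {@code OpenIDConnectTransaction} is read from the session. If authentication is
 * not complete the session's authentication state is reset to an anonymous user and the browser is
 * sent back to the transaction's redirect URI with {@code error=login_reset}. Otherwise
 * authorization is forced ({@code AzSys.FORCE}) and the request is pushed through the URL's filter
 * chain, with {@code postResponse} producing the final response as the chain's post-processing step.
 *
 * @param request  current servlet request; expected to carry a {@code UrlHolder} under
 *                 {@code ProxyConstants.AUTOIDM_CFG} and an {@code AuthController} in the session
 * @param response servlet response used for the redirect, the error, or the federated response
 * @throws IOException           if the redirect or error response cannot be written
 * @throws ServletException      if the filter chain throws
 * @throws MalformedURLException kept for signature compatibility; not thrown directly here
 */
private void completeFederation(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException, MalformedURLException {
    final OpenIDConnectTransaction transaction = (OpenIDConnectTransaction) request.getSession().getAttribute(OpenIDConnectIdP.TRANSACTION_DATA);
    if (transaction == null) {
        // Without a transaction this request is not part of an in-flight authorization flow and
        // there is no client redirect URI to send the user back to; fail fast instead of an NPE.
        logger.warn("No OpenID Connect transaction in session, rejecting federation completion");
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }
    final AuthInfo authInfo = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
    if (!authInfo.isAuthComplete()) {
        logger.warn("Attempted completetd federation before autthentication is completeed, clearing authentication and redirecting to the original URL");
        UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
        // Drop the partial authentication so a later attempt starts from a clean anonymous session.
        request.getSession().removeAttribute(ProxyConstants.AUTH_CTL);
        holder.getConfig().createAnonUser(request.getSession());
        // A registered redirect URI may legitimately carry its own query string; in that case the
        // error must be joined with '&' rather than producing a second '?'.
        String redirectUri = transaction.getRedirectURI();
        StringBuilder target = new StringBuilder();
        target.append(redirectUri);
        target.append(redirectUri != null && redirectUri.indexOf('?') >= 0 ? '&' : '?');
        target.append("error=login_reset");
        // NOTE(review): OAuth 2.0 error redirects should echo the client's 'state' parameter when one
        // was supplied; the transaction's state accessor is not visible here — confirm and add it.
        response.sendRedirect(target.toString());
        return;
    }
    // Authentication is done; force the authorization step to run before the filter chain.
    request.setAttribute(AzSys.FORCE, "true");
    NextSys completeFed = new NextSys() {

        @Override
        public void nextSys(final HttpServletRequest chainRequest, final HttpServletResponse chainResponse) throws IOException, ServletException {
            UrlHolder holder = (UrlHolder) chainRequest.getAttribute(ProxyConstants.AUTOIDM_CFG);
            HttpFilterRequest filterReq = new HttpFilterRequestImpl(chainRequest, null);
            HttpFilterResponse filterResp = new HttpFilterResponseImpl(chainResponse);
            // Runs after every filter in the chain; this is where the OIDC response is produced.
            PostProcess postProc = new PostProcess() {

                @Override
                public void postProcess(HttpFilterRequest req, HttpFilterResponse resp, UrlHolder holder, HttpFilterChain chain) throws Exception {
                    postResponse(transaction, chainRequest, chainResponse, authInfo, holder);
                }

                @Override
                public boolean addHeader(String name) {
                    // Headers are not relayed to the filter response by this post-processor.
                    return false;
                }
            };
            HttpFilterChain chain = new HttpFilterChainImpl(holder, postProc);
            try {
                chain.nextFilter(filterReq, filterResp, chain);
            } catch (Exception e) {
                // Preserve the cause so the failing filter is visible to the caller.
                throw new ServletException(e);
            }
        }
    };
    AzSys az = new AzSys();
    az.doAz(request, response, completeFed);
}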
