use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class WebAuthn method doGet.
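/** Client-side timeout (milliseconds) advertised in the assertion options sent to the browser. */
private static final int ASSERTION_TIMEOUT_MS = 30000;

/**
 * Serves the WebAuthn assertion step.
 *
 * <p>With {@code requestOptions=true} the method answers with a JSON document holding the
 * {@code publicKey} assertion options (allowed credentials, challenge, rpId, timeout, user
 * verification) and a base64url-encoded, Java-serialized {@link ServerProperty} that the browser
 * must post back with its assertion. Any other request forwards to the login form named by the
 * {@code formURI} mechanism parameter.
 *
 * <p>NOTE(review): the challenge lives only inside the {@code serverProperty} blob handed to the
 * client, so it is not bound to this HttpSession; keeping a server-side copy of the challenge and
 * comparing it on the way back would close that gap. Changing that requires the matching change in
 * the POST handler, which is why it is not done here.
 *
 * @param request  current request; must carry the AuthController session attribute and the UrlHolder request attribute
 * @param response response the options JSON or the form is written to
 * @param as       the authentication step being executed
 * @throws ServletException when the user has no WebAuthn data or building the options fails
 * @throws IOException      on I/O failure while writing the response
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();
    AuthController authCtl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);

    // equalsIgnoreCase on the literal also covers a missing parameter (null)
    if (!"true".equalsIgnoreCase(request.getParameter("requestOptions"))) {
        // no options requested: render the login form configured for this mechanism
        String formURI = authParams.get("formURI").getValues().get(0);
        request.getRequestDispatcher(formURI).forward(request, response);
        return;
    }

    AuthInfo userData = authCtl.getAuthInfo();
    String attributeName = authParams.get("attribute").getValues().get(0);
    String encryptionKeyName = authParams.get("encryptionKeyName").getValues().get(0);

    if (userData.getAttribs().get(attributeName) == null) {
        // user has no registered authenticators: fail this step and let the chain decide
        logger.warn("User '" + userData.getUserDN() + "' does not have attribute '" + attributeName + "'");
        as.setExecuted(true);
        as.setSuccess(false);
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }

    WebAuthnUserData webauthnUser = WebAuthnUtils.lookupWebAuthnUserData(userData, attributeName, encryptionKeyName);
    if (webauthnUser == null) {
        throw new ServletException("No webauthn user data, can not happen");
    }

    try {
        Challenge challenge = new DefaultChallenge();
        String rpId = WebAuthnRegistration.getRpId(request);

        JSONArray allowedCredentials = new JSONArray();
        for (Authenticator authenticator : webauthnUser.getAuthenticators()) {
            JSONObject credential = new JSONObject();
            credential.put("type", "public-key");
            credential.put("id", Base64UrlUtil.encodeToString(authenticator.getAttestedCredentialData().getCredentialId()));
            allowedCredentials.add(credential);
        }

        JSONObject publicKey = new JSONObject();
        // key name is consumed as-is by the client-side script (the spec name is "allowCredentials")
        publicKey.put("allowedCredentials", allowedCredentials);
        publicKey.put("challenge", Base64UrlUtil.encodeToString(challenge.getValue()));
        publicKey.put("rpId", rpId);
        publicKey.put("timeout", ASSERTION_TIMEOUT_MS);
        publicKey.put("userVerification", authParams.get("userVerificationRequirement").getValues().get(0));

        JSONObject resp = new JSONObject();
        resp.put("publicKey", publicKey);

        // origin, rpId, challenge and user handle the assertion will be verified against
        ServerProperty serverProperty = new ServerProperty(new Origin(request.getRequestURL().toString()), rpId, challenge, webauthnUser.getId());
        resp.put("serverProperty", java.util.Base64.getUrlEncoder().encodeToString(serializeServerProperty(serverProperty)));

        response.getWriter().println(resp.toString());
    } catch (Exception e) {
        throw new ServletException(e);
    }
}

/**
 * Java-serializes the server property so it can be round-tripped through the browser.
 *
 * @param serverProperty value to serialize
 * @return the serialized bytes
 * @throws IOException if serialization fails
 */
private static byte[] serializeServerProperty(ServerProperty serverProperty) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    // closing the stream flushes it, so toByteArray() sees the complete object
    try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
        out.writeObject(serverProperty);
    }
    return bos.toByteArray();
}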
use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class WebAuthn method doPost.
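/**
 * Verifies the WebAuthn assertion posted by the browser.
 *
 * <p>Without a {@code webauthnResponse} parameter the browser is redirected to this mechanism's
 * URI. Otherwise the method restores the {@link ServerProperty} produced by doGet from the
 * {@code serverProperty} parameter, checks that the asserted credential belongs to the
 * authenticated user, parses and validates the assertion with webauthn4j, and then marks the step
 * as succeeded or failed before handing control to the auth manager.
 *
 * <p>Security notes:
 * <ul>
 *   <li>{@code serverProperty} is client-supplied and Java-deserialized. The stream is restricted
 *       to a class allowlist (see {@link #isPermittedServerPropertyClass(String)}); the allowlist is
 *       still broad and should be narrowed once the serialized graph of the webauthn4j version in use
 *       is confirmed.</li>
 *   <li>Because the challenge travels inside that blob, it is not bound to the HttpSession. A
 *       server-side copy of the challenge, stored by doGet and compared here, would prevent a
 *       previously issued assertion from being presented again.</li>
 *   <li>NOTE(review): the signature counter carried by the validated assertion is not written back
 *       to the stored Authenticator here; if no other code persists it, counter-based clone
 *       detection is ineffective — confirm against WebAuthnUtils.</li>
 * </ul>
 *
 * @param request  current request; must carry the AuthController session attribute and the UrlHolder request attribute
 * @param response response used for the redirect or by the auth manager
 * @param as       the authentication step being executed
 * @throws ServletException on a malformed or missing envelope (serverProperty, webauthnResponse fields)
 * @throws IOException      on I/O failure
 */
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();
    AuthController authCtl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    String webauthnResponseParam = request.getParameter("webauthnResponse");

    if (webauthnResponseParam == null) {
        // no assertion posted: send the browser back to this mechanism's URI so the flow restarts
        RequestHolder reqHolder = authCtl.getHolder();
        AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
        AuthMechType amt = act.getAuthMech().get(as.getId());
        response.sendRedirect(holder.getConfig().getAuthMechs().get(amt.getName()).getUri());
        return;
    }

    AuthInfo userData = authCtl.getAuthInfo();
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    ServerProperty serverProperty = readServerProperty(request.getParameter("serverProperty"));

    String attributeName = authParams.get("attribute").getValues().get(0);
    String encryptionKeyName = authParams.get("encryptionKeyName").getValues().get(0);
    if (userData.getAttribs().get(attributeName) == null) {
        failAssertionStep("User '" + userData.getUserDN() + "' does not have attribute '" + attributeName + "'", null, request, response, session, holder, as);
        return;
    }

    WebAuthnUserData webauthnUser = WebAuthnUtils.lookupWebAuthnUserData(userData, attributeName, encryptionKeyName);
    if (webauthnUser == null) {
        throw new ServletException("No webauthn user data, can not happen");
    }

    JSONObject webauthnResp;
    try {
        webauthnResp = (JSONObject) new JSONParser().parse(webauthnResponseParam);
    } catch (ParseException e) {
        throw new ServletException("could not parse webauthn response", e);
    }

    String credentialIdText = String.valueOf(webauthnResp.get("credential_id"));
    byte[] credentialId = requiredBase64UrlField(webauthnResp, "credential_id");
    byte[] userHandle = requiredBase64UrlField(webauthnResp, "userHandle");
    byte[] authenticatorData = requiredBase64UrlField(webauthnResp, "authenticatorData");
    byte[] clientDataJSON = requiredBase64UrlField(webauthnResp, "clientDataJSON");
    byte[] signature = requiredBase64UrlField(webauthnResp, "signature");
    // extension results are optional; a missing value is passed through as null
    String clientExtensionJSON = (String) webauthnResp.get("clientExtResults");

    // the asserted user handle must be the handle of the user already authenticated in this chain
    if (!Arrays.equals(userHandle, webauthnUser.getId())) {
        failAssertionStep("User '" + userData.getUserDN() + "' credential not owned by the client", null, request, response, session, holder, as);
        return;
    }

    Authenticator auth = null;
    for (Authenticator candidate : webauthnUser.getAuthenticators()) {
        if (Arrays.equals(candidate.getAttestedCredentialData().getCredentialId(), credentialId)) {
            auth = candidate;
        }
    }
    if (auth == null) {
        failAssertionStep("User '" + userData.getUserDN() + "' does not have a credential associated with '" + credentialIdText + "'", null, request, response, session, holder, as);
        return;
    }

    // enforce the same user-verification policy that doGet advertised to the browser;
    // only "required" makes the validator insist on the UV flag, "preferred"/"discouraged" do not
    Attribute uvAttr = authParams.get("userVerificationRequirement");
    boolean userVerificationRequired = uvAttr != null && !uvAttr.getValues().isEmpty()
            && "required".equalsIgnoreCase(uvAttr.getValues().get(0));

    AuthenticationRequest authenticationRequest = new AuthenticationRequest(credentialId, userHandle, authenticatorData, clientDataJSON, clientExtensionJSON, signature);
    AuthenticationParameters authenticationParameters = new AuthenticationParameters(serverProperty, auth, null, userVerificationRequired, true);
    WebAuthnManager webAuthnManager = WebAuthnManager.createNonStrictWebAuthnManager();

    AuthenticationData authenticationData;
    try {
        authenticationData = webAuthnManager.parse(authenticationRequest);
    } catch (DataConversionException e) {
        failAssertionStep("User '" + userData.getUserDN() + "' could not parse authentication data with credential '" + credentialIdText + "'", e, request, response, session, holder, as);
        return;
    }
    try {
        webAuthnManager.validate(authenticationData, authenticationParameters);
    } catch (ValidationException e) {
        failAssertionStep("User '" + userData.getUserDN() + "' could not validate authentication data with credential '" + credentialIdText + "'", e, request, response, session, holder, as);
        return;
    }

    as.setExecuted(true);
    as.setSuccess(true);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/**
 * Marks the step as executed-and-failed, logs why, and hands control to the auth manager.
 *
 * @param message  warning to log
 * @param cause    optional exception to log with the message; may be null
 * @param request  current request
 * @param response current response
 * @param session  current session
 * @param holder   URL configuration holder for this request
 * @param as       the step being failed
 */
private void failAssertionStep(String message, Throwable cause, HttpServletRequest request, HttpServletResponse response,
        HttpSession session, UrlHolder holder, AuthStep as) throws ServletException, IOException {
    if (cause == null) {
        logger.warn(message);
    } else {
        logger.warn(message, cause);
    }
    as.setExecuted(true);
    as.setSuccess(false);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/**
 * Restores the {@link ServerProperty} that doGet handed to the browser.
 *
 * <p>The value is client-controlled, so deserialization is restricted to an allowlist of classes
 * via {@code resolveClass}; anything else aborts the stream before it is instantiated.
 *
 * @param encoded base64url-encoded serialized ServerProperty from the request
 * @return the deserialized ServerProperty
 * @throws ServletException if the parameter is missing, rejected by the allowlist, or not a ServerProperty
 * @throws IOException if the stream cannot be read
 */
private static ServerProperty readServerProperty(String encoded) throws ServletException, IOException {
    if (encoded == null) {
        throw new ServletException("serverProperty parameter missing");
    }
    ByteArrayInputStream bais = new ByteArrayInputStream(Base64UrlUtil.decode(encoded));
    try (ObjectInputStream ois = newRestrictedObjectInputStream(bais)) {
        Object read = ois.readObject();
        if (!(read instanceof ServerProperty)) {
            throw new ServletException("serverProperty is not a ServerProperty");
        }
        return (ServerProperty) read;
    } catch (ClassNotFoundException | IOException e) {
        throw new ServletException(e);
    }
}

/**
 * Builds an ObjectInputStream whose class resolution is limited by {@link #isPermittedServerPropertyClass(String)}.
 *
 * @param in the raw serialized bytes
 * @return the restricted stream
 * @throws IOException if the stream header cannot be read
 */
private static ObjectInputStream newRestrictedObjectInputStream(ByteArrayInputStream in) throws IOException {
    return new ObjectInputStream(in) {
        @Override
        protected Class<?> resolveClass(java.io.ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!isPermittedServerPropertyClass(name)) {
                throw new java.io.InvalidClassException(name, "class not permitted in serverProperty");
            }
            return super.resolveClass(desc);
        }
    };
}

/**
 * Allowlist for the serialized ServerProperty graph: webauthn4j types, JDK types and arrays of them.
 *
 * <p>NOTE(review): "java." is broader than the graph needs; narrow this to the concrete classes
 * once confirmed against the webauthn4j version in use.
 *
 * @param name class name as recorded in the stream (array names use the JVM descriptor form)
 * @return true if the class may be resolved
 */
private static boolean isPermittedServerPropertyClass(String name) {
    String component = name;
    if (component.startsWith("[")) {
        int dims = 0;
        while (dims < component.length() && component.charAt(dims) == '[') {
            dims++;
        }
        component = component.substring(dims);
        if (component.length() == 1) {
            return true; // primitive element type, e.g. "[B" for byte[]
        }
        if (component.startsWith("L") && component.endsWith(";")) {
            component = component.substring(1, component.length() - 1);
        }
    }
    return component.startsWith("com.webauthn4j.") || component.startsWith("java.");
}

/**
 * Reads a mandatory base64url-encoded string field from the posted assertion JSON.
 *
 * @param webauthnResp parsed {@code webauthnResponse} document
 * @param name         field name
 * @return the decoded bytes
 * @throws ServletException if the field is missing, not a string, or not valid base64url
 */
private static byte[] requiredBase64UrlField(JSONObject webauthnResp, String name) throws ServletException {
    Object value = webauthnResp.get(name);
    if (!(value instanceof String)) {
        throw new ServletException("webauthn response is missing '" + name + "'");
    }
    try {
        return java.util.Base64.getUrlDecoder().decode((String) value);
    } catch (IllegalArgumentException e) {
        throw new ServletException("webauthn response field '" + name + "' is not base64url", e);
    }
}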
use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class OTPAuth method doPost.
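/**
 * Verifies a submitted TOTP code against the user's encrypted TOTP secret.
 *
 * <p>Without a {@code code} parameter the request is handed to doGet to render the form. Otherwise
 * the user's token attribute is Base64-decoded, AES/CBC-decrypted with the configured key, the
 * embedded TOTP secret is checked with the configured window size, and the step outcome is passed
 * to the auth manager.
 *
 * <p>NOTE(review): the {@code target} parameter is request-controlled and is applied to the
 * RequestHolder regardless of whether the code verified; whether {@code RequestHolder.setURL}
 * restricts it to local URLs is not visible here — confirm.
 *
 * @param request  current request; must carry the AuthController session attribute and the UrlHolder request attribute
 * @param response current response
 * @param as       the authentication step being executed
 * @throws ServletException if the {@code keyName} or {@code attributeName} mechanism parameters are missing
 *                          or the named key does not exist
 * @throws IOException      on I/O failure
 */
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    String code = request.getParameter("code");
    if (code == null) {
        // nothing submitted yet: render the form
        this.doGet(request, response, as);
        return;
    }

    HttpSession session = request.getSession();
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    AuthController ac = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    RequestHolder reqHolder = ac.getHolder();

    Attribute keyNameAttr = authParams.get("keyName");
    if (keyNameAttr == null) {
        throw new ServletException("keyName not present");
    }
    String keyName = keyNameAttr.getValues().get(0);
    SecretKey key = this.cfgMgr.getSecretKey(keyName);
    if (key == null) {
        throw new ServletException("Key '" + keyName + "' does not exist");
    }

    // number of 30-second steps either side of "now" the verifier accepts; 3 unless configured
    int windowSize = 3;
    Attribute windowAttr = authParams.get("windowSize");
    if (windowAttr == null) {
        logger.warn("No windowSize set");
    } else {
        windowSize = Integer.parseInt(windowAttr.getValues().get(0));
    }

    Attribute attrNameAttr = authParams.get("attributeName");
    if (attrNameAttr == null) {
        throw new ServletException("attributeName not present");
    }
    String attributeName = attrNameAttr.getValues().get(0);

    Attribute tokenAttr = ac.getAuthInfo().getAttribs().get(attributeName);
    if (tokenAttr == null) {
        if (logger.isDebugEnabled()) {
            logger.debug("Attribute '" + attributeName + "' not present");
        }
        // previously this branch returned without advancing the chain, leaving the request unanswered
        as.setSuccess(false);
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }

    // reject non-numeric input up front instead of letting NumberFormatException surface as a decrypt error
    int submittedCode;
    try {
        submittedCode = Integer.parseInt(code);
    } catch (NumberFormatException e) {
        logger.warn("Submitted code is not numeric");
        as.setSuccess(false);
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }

    try {
        String keyjson = tokenAttr.getValues().get(0);
        if (logger.isDebugEnabled()) {
            logger.debug("token json : '" + keyjson + "'");
        }
        Gson gson = new Gson();
        Token token = gson.fromJson(new String(Base64.decode(keyjson)), Token.class);

        byte[] iv = org.bouncycastle.util.encoders.Base64.decode(token.getIv());
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] encBytes = org.bouncycastle.util.encoders.Base64.decode(token.getEncryptedRequest());
        String totpJson = new String(cipher.doFinal(encBytes));
        TOTPKey totp = gson.fromJson(totpJson, TOTPKey.class);

        GoogleAuthenticatorConfigBuilder configBuilder = new GoogleAuthenticatorConfigBuilder();
        configBuilder.setWindowSize(windowSize);
        GoogleAuthenticator ga = new GoogleAuthenticator(configBuilder.build());
        as.setSuccess(ga.authorize(totp.getSecretKey(), submittedCode));

        String redirectToURL = request.getParameter("target");
        if (redirectToURL != null && !redirectToURL.isEmpty()) {
            reqHolder.setURL(redirectToURL);
        }
    } catch (Exception e) {
        // decrypt, JSON and verifier failures all end the step as unsuccessful
        as.setSuccess(false);
        logger.error("Could not decrypt key", e);
    }
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}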
use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class ProxySys method doPush.
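/**
 * Runs the filter chain for a pushed request and records the resulting proxy state on the request.
 *
 * <p>Records the full request URI under {@code fullURI} in the {@code TREMOLO_URI_PARAMS} map and the
 * raw (not percent-decoded) query parameter names under {@link ProxySys#QUERY_PARAMS}, chooses the
 * post-processor (embedded filter chain when the URL has no {@code proxyTo}, otherwise a push
 * request processor), executes the chain and stores a {@link ProxyData} snapshot under
 * {@link ProxyConstants#TREMOLO_PRXY_DATA}.
 *
 * @param req  incoming request; must carry the UrlHolder request attribute
 * @param resp outgoing response
 * @throws ServletException wrapping any failure raised by the filter chain
 * @throws IOException      on I/O failure
 */
public void doPush(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
    HttpFilterRequest filterReq = new HttpFilterRequestImpl(req, null);
    HttpFilterResponse filterResp = new HttpFilterResponseImpl(resp);

    HashMap<String, String> uriParams = (HashMap<String, String>) req.getAttribute("TREMOLO_URI_PARAMS");
    if (uriParams == null) {
        uriParams = new HashMap<>();
        req.setAttribute("TREMOLO_URI_PARAMS", uriParams);
    }
    uriParams.put("fullURI", req.getRequestURI());

    HashSet<String> queryParams = new HashSet<>();
    req.setAttribute(ProxySys.QUERY_PARAMS, queryParams);
    String qs = req.getQueryString();
    if (qs != null) {
        // StringTokenizer skips empty segments ("a&&b"), which is the intended behavior here
        StringTokenizer toker = new StringTokenizer(qs, "&", false);
        while (toker.hasMoreTokens()) {
            String qsParam = toker.nextToken();
            int eqIndex = qsParam.indexOf('=');
            // the set ignores duplicates, so no separate contains() check is needed
            queryParams.add(eqIndex == -1 ? qsParam : qsParam.substring(0, eqIndex));
        }
    }

    PostProcess postProc;
    String proxyTo = holder.getUrl().getProxyTo();
    if (proxyTo == null || proxyTo.isEmpty()) {
        FilterChain filterChain = (FilterChain) req.getAttribute(ProxyConstants.TREMOLO_FILTER_CHAIN);
        if (filterChain == null) {
            // kept as a warning rather than an error to preserve the existing best-effort behavior
            logger.warn("Could not find filter chain");
        }
        postProc = new EmbPostProc(filterChain);
    } else {
        postProc = new PushRequestProcess();
    }

    HttpFilterChain chain = new HttpFilterChainImpl(holder, postProc);
    try {
        chain.nextFilter(filterReq, filterResp, chain);
    } catch (Exception e) {
        throw new ServletException(e);
    }

    ProxyData pd = new ProxyData();
    pd.setHolder(holder);
    pd.setIns(chain.getIns());
    pd.setPostProc(postProc);
    pd.setRequest(filterReq);
    pd.setResponse(filterResp);
    pd.setText(chain.isText());
    pd.setLogout(chain.isLogout());
    pd.setHttpRequestBase(chain.getHttpRequestBase());
    req.setAttribute(ProxyConstants.TREMOLO_PRXY_DATA, pd);
}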
use of com.tremolosecurity.config.util.UrlHolder in project OpenUnison by TremoloSecurity.
the class AuthManagerImpl method nextAuth.
/**
 * Resolves the authentication chain for the current request and executes it.
 *
 * <p>The chain name comes from the RequestHolder when one is present, otherwise from the URL
 * configuration; an unknown chain name falls back to the configured failure chain. When
 * {@code next} is null it is taken from the {@code NEXT_SYS} request attribute.
 *
 * @param req        current request; must carry the AuthController session attribute and the UrlHolder request attribute
 * @param resp       current response
 * @param session    current session
 * @param jsRedirect whether redirects should be performed with JavaScript
 * @param next       continuation to run after authentication; may be null (see above)
 * @return the result of {@code execAuth}
 * @throws ServletException if no continuation is available ("Unknown state")
 * @throws IOException      on I/O failure
 * @see com.tremolosecurity.proxy.auth.sys.AuthManager#nextAuth(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, javax.servlet.http.HttpSession, boolean, com.tremolosecurity.proxy.util.NextSys)
 */
@Override
public boolean nextAuth(HttpServletRequest req, HttpServletResponse resp, HttpSession session, boolean jsRedirect, NextSys next) throws ServletException, IOException {
    NextSys continuation = next;
    if (continuation == null) {
        continuation = (NextSys) req.getAttribute(NEXT_SYS);
        if (continuation == null) {
            throw new ServletException("Unknown state");
        }
    }

    AuthController ctl = (AuthController) req.getSession().getAttribute(ProxyConstants.AUTH_CTL);
    RequestHolder reqHolder = ctl.getHolder();
    UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);

    // the request holder wins over the URL's default chain when it is present
    String chainName = reqHolder != null ? reqHolder.getAuthChainName() : holder.getUrl().getAuthChain();
    AuthChainType chain = holder.getConfig().getAuthChains().get(chainName);
    if (chain == null) {
        chain = holder.getConfig().getAuthFailChain();
    }

    return execAuth(req, resp, session, jsRedirect, holder, chain, req.getRequestURL().toString(), continuation);
}