use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
the class OAuth2Bearer method doGet.
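@Override
/**
 * Extracts the OAuth2 bearer token from the request and hands it to {@code processToken}.
 *
 * The token is taken from the {@code Authorization: Bearer <token>} header (RFC 6750), falling
 * back to the {@code access_token} request parameter only when no Authorization header is present.
 * When no usable token is found the step is marked as not executed and the failure challenge is
 * sent through {@code sendFail}.
 *
 * @param request  current request; also carries the {@code UrlHolder} and {@code ConfigManager} attributes
 * @param response response the failure challenge is written to
 * @param as       the authentication step being executed
 * @throws IOException      propagated from the response
 * @throws ServletException when the mechanism parameters or the required {@code realm} parameter are missing
 */
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    // A token carried in a query string tends to end up in access logs and Referer headers, so
    // the header form is preferred; the parameter is kept for compatibility with existing clients.
    String authHeader = request.getHeader("Authorization");
    String accessToken = authHeader != null ? extractBearerToken(authHeader) : request.getParameter("access_token");

    HttpSession session = request.getSession();
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    if (authParams == null) {
        throw new ServletException("No authentication mechanism parameters found in session");
    }
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    String urlChain = holder.getUrl().getAuthChain();
    AuthChainType act = holder.getConfig().getAuthChains().get(urlChain);

    // "realm" is a mandatory mechanism parameter (passed to sendFail); "scope" is optional.
    Attribute realmAttr = authParams.get("realm");
    if (realmAttr == null || realmAttr.getValues().isEmpty()) {
        throw new ServletException("OAuth2Bearer mechanism requires a 'realm' parameter");
    }
    String realmName = realmAttr.getValues().get(0);
    Attribute scopeAttr = authParams.get("scope");
    String scope = scopeAttr != null && !scopeAttr.getValues().isEmpty() ? scopeAttr.getValues().get(0) : null;
    ConfigManager cfg = (ConfigManager) request.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);

    if (accessToken == null || accessToken.isEmpty()) {
        // No usable credential presented: challenge the client rather than running the token checks.
        as.setExecuted(false);
        sendFail(response, realmName, scope, null, null);
        return;
    }
    processToken(request, response, as, session, authParams, act, realmName, scope, cfg, accessToken);
}

/**
 * Returns the token from an {@code Authorization} header value of the form {@code Bearer <token>},
 * or {@code null} when the header uses another scheme or carries no token. The scheme name is
 * matched case-insensitively (RFC 7235 auth-scheme names are case-insensitive).
 *
 * @param authHeader raw header value, never {@code null}
 * @return the bearer token, or {@code null} if the header is not a usable bearer credential
 */
private static String extractBearerToken(String authHeader) {
    String value = authHeader.trim();
    int separator = value.indexOf(' ');
    if (separator < 0) {
        // A bare scheme with no credential (e.g. "Bearer") is not a token.
        return null;
    }
    String scheme = value.substring(0, separator);
    String token = value.substring(separator + 1).trim();
    if (!"Bearer".equalsIgnoreCase(scheme) || token.isEmpty()) {
        return null;
    }
    return token;
}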
use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
the class LoadAuthChainsFromK8s method addObject.
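@Override
/**
 * Registers an authentication chain defined by a Kubernetes custom resource.
 *
 * The raw object is run through {@code OpenUnisonConfigLoader.integrateIncludes} so that include
 * directives are expanded, then parsed to read {@code metadata.name}. The chain built by
 * {@code createAuthChain} replaces any chain of the same name both in the config manager's
 * chain map and in the chain list of the running {@code TremoloType} configuration.
 *
 * @param cfg  the running configuration (not read directly here)
 * @param item the custom resource as received from the watch
 * @throws ProvisioningException when the expanded object cannot be parsed or has no {@code metadata.name}
 */
public void addObject(TremoloType cfg, JSONObject item) throws ProvisioningException {
    StringBuffer expanded = new StringBuffer();
    OpenUnisonConfigLoader.integrateIncludes(expanded, item.toJSONString());

    JSONObject newRoot;
    try {
        newRoot = (JSONObject) new JSONParser().parse(expanded.toString());
    } catch (ParseException e) {
        throw new ProvisioningException("Could not parse custom authorization", e);
    }

    JSONObject metadata = (JSONObject) newRoot.get("metadata");
    if (metadata == null) {
        throw new ProvisioningException("No metadata");
    }
    String name = (String) metadata.get("name");
    if (name == null || name.isEmpty()) {
        // The name is the key under which the chain is registered; without it there is nothing to add.
        throw new ProvisioningException("No metadata.name");
    }
    logger.info("Adding authentication chain " + name);

    try {
        AuthChainType act = this.createAuthChain(item, name);

        // Both structures are updated under their own monitor, matching how other readers lock them.
        java.util.Map<String, AuthChainType> chainsByName = GlobalEntries.getGlobalEntries().getConfigManager().getAuthChains();
        synchronized (chainsByName) {
            chainsByName.put(name, act);
        }
        synchronized (GlobalEntries.getGlobalEntries().getConfigManager().getCfg()) {
            java.util.List<AuthChainType> chains = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getAuthChains().getChain();
            AuthChainType existing = null;
            for (AuthChainType candidate : chains) {
                if (candidate.getName().equals(act.getName())) {
                    existing = candidate;
                    break;
                }
            }
            if (existing != null) {
                chains.remove(existing);
            }
            chains.add(act);
        }
    } catch (Exception e) {
        // A single broken chain must not stop the watch; the failure is logged with its cause.
        logger.warn("Could not initialize authentication chain " + name, e);
    }
}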
use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
the class TokenData method jwtToAuthInfo.
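/**
 * Builds the {@link AuthInfo} for the subject of an exchanged JWT.
 *
 * The subject is first looked up in the directory under the chain's root (or the global LDAP root)
 * using {@code uidAttr = subjectUid}; if an entry is found its mapped attributes become the
 * subject's attributes. Otherwise a synthetic DN under {@code ou=oauth2} is used and every claim
 * of the JWT is carried over as an attribute (array claims become multi-valued attributes).
 *
 * @param td                parsed token data; {@code td.subjectUid} may be {@code null}, {@code td.root} holds the claims
 * @param uidAttr           attribute name that identifies the subject
 * @param act               the chain whose {@code root} scopes the directory search
 * @param subjectAuthMethod name of the chain the subject is considered authenticated by
 * @return the subject's authentication data
 * @throws ServletException when the directory lookup or user mapping fails
 */
private AuthInfo jwtToAuthInfo(TokenData td, String uidAttr, AuthChainType act, String subjectAuthMethod) throws ServletException {
    // Without a subject the filter can never match, so the synthetic-DN branch below is taken.
    String filter = td.subjectUid == null ? "(!(objectClass=*))" : equal(uidAttr, td.subjectUid).toString();

    try {
        String root = act.getRoot();
        if (root == null || root.trim().isEmpty()) {
            root = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot();
        }

        AuthChainType actForSubject = GlobalEntries.getGlobalEntries().getConfigManager().getAuthChains().get(subjectAuthMethod);
        if (actForSubject == null) {
            // NOTE(review): the subject still gets an AuthInfo, with no chain name and level 0.
            logger.warn(new StringBuilder("No authentication chain named '").append(subjectAuthMethod).append("'"));
        }
        String chainName = actForSubject != null ? actForSubject.getName() : null;
        int chainLevel = actForSubject != null ? actForSubject.getLevel() : 0;

        // Scope 2 is a subtree search.
        LDAPSearchResults res = GlobalEntries.getGlobalEntries().getConfigManager().getMyVD().search(root, 2, filter, new ArrayList<String>());
        if (res.hasMore()) {
            // NOTE(review): only the first matching entry is used; several matches are not rejected here.
            LDAPEntry entry = res.next();
            AuthInfo authInfo = new AuthInfo(entry.getDN(), null, chainName, chainLevel);
            User user = this.getMapper().mapUser(new User(entry));
            for (String attrName : user.getAttribs().keySet()) {
                authInfo.getAttribs().put(attrName, user.getAttribs().get(attrName));
            }
            if (authInfo.getAttribs().get(uidAttr) == null) {
                authInfo.getAttribs().put(uidAttr, new Attribute(uidAttr, td.subjectUid));
            }
            return authInfo;
        }

        // Subject is not in the directory: synthesize a DN and carry the JWT claims as attributes.
        // NOTE(review): subjectUid is inserted into the DN without RFC 4514 escaping; confirm that
        // downstream consumers of userDN tolerate special characters in the subject.
        String dn = new StringBuilder().append(uidAttr).append("=").append(td.subjectUid).append(",ou=oauth2,").append(GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot()).toString();
        AuthInfo authInfo = new AuthInfo(dn, null, chainName, chainLevel);
        for (Object key : td.root.keySet()) {
            String claimName = key.toString();
            Object claimValue = td.root.get(key);
            if (claimValue == null) {
                // A null claim has no value to carry over.
                continue;
            }
            if (claimName.equalsIgnoreCase("sub")) {
                authInfo.getAttribs().put(uidAttr, new Attribute(uidAttr, claimValue.toString()));
            }
            Attribute attr = new Attribute(claimName);
            if (claimValue instanceof JSONArray) {
                for (Object element : (JSONArray) claimValue) {
                    if (element != null) {
                        attr.getValues().add(element.toString());
                    }
                }
            } else {
                attr.getValues().add(claimValue.toString());
            }
            authInfo.getAttribs().put(claimName, attr);
        }
        // All claims copied (the original returned from inside the loop after the first claim).
        return authInfo;
    } catch (LDAPException | ProvisioningException e) {
        throw new ServletException("Could not lookup sts subject", e);
    }
}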
use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
the class TokenData method clientCredentialsGrant.
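/**
 * Handles the OAuth2 {@code client_credentials} grant for a registered trust.
 *
 * Without a configured authentication chain the client is authenticated by its client secret and
 * given a synthetic identity under {@code ou=oauth2}; with a chain, the session's current
 * authentication is compared with the chain's level and the client is either sent through the
 * chain ({@code nextTokenAuth}) or straight to the post-authentication action.
 *
 * @param request      current request
 * @param response     current response; receives 401/403 on rejected clients
 * @param clientID     the trust name presented by the client
 * @param clientSecret the secret presented by the client, may be {@code null}
 * @param ac           the session's authentication controller
 * @param holder       URL/config holder for this request
 * @throws Exception        when no trust named {@code clientID} exists
 * @throws ServletException when the trust is misconfigured or its chain cannot be found
 * @throws IOException      propagated from the response
 */
private void clientCredentialsGrant(HttpServletRequest request, HttpServletResponse response, String clientID, String clientSecret, AuthController ac, UrlHolder holder) throws Exception, IOException, ServletException {
    OpenIDConnectTrust trust = this.trusts.get(clientID);
    if (trust == null) {
        String errorMessage = new StringBuilder().append("Trust '").append(clientID).append("' not found").toString();
        logger.warn(errorMessage);
        throw new Exception(errorMessage);
    }
    if (!trust.isEnableClientCredentialGrant()) {
        logger.error(new StringBuilder().append("Trust '").append(clientID).append("' does not support the client_credentials grant").toString());
        response.sendError(403);
        return;
    }

    String authChain = trust.getAuthChain();
    if (authChain == null) {
        if (trust.isPublicEndpoint()) {
            // A public endpoint with no chain would admit anyone; refuse it outright.
            throw new ServletException("IdP does not have an authenticaiton chain configured, but is set to public");
        }
        if (!clientSecretMatches(clientSecret, trust.getClientSecret())) {
            logger.warn(new StringBuilder().append("Invalid client secret for '").append(clientID).append("'"));
            response.sendError(401);
            return;
        }
        HttpSession session = request.getSession();
        AuthInfo authData = new AuthInfo();
        authData.setUserDN(new StringBuilder().append("uid=").append(clientID).append(",ou=oauth2,").append(GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot()).toString());
        authData.setAuthLevel(0);
        authData.setAuthChain("anonymous");
        authData.getAttribs().put("uid", new Attribute("uid", clientID));
        authData.getAttribs().put("sub", new Attribute("sub", clientID));
        authData.getAttribs().put("client", new Attribute("client", "true"));
        authData.getAttribs().put("auth_chain", new Attribute("auth_chain", "anonymous"));
        authData.getAttribs().put("objectClass", new Attribute("objectClass", GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getUserObjectClass()));
        ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authData);
        // authChain is null here, so no chain is resolved for the post-auth action.
        AuthChainType act = holder.getConfig().getAuthChains().get(authChain);
        ClientCredentialsGrantPostAuth postAuth = beginClientCredentialsTransaction(request, session, clientID, trust);
        postAuth.runAfterSuccessfulAuthentication(request, response, holder, act, null, ac, null);
        return;
    }

    HttpSession session = request.getSession();
    AuthInfo authData = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
    AuthChainType act = holder.getConfig().getAuthChains().get(authChain);
    if (act == null) {
        throw new ServletException(new StringBuilder().append("Authentication chain '").append(authChain).append("' for trust '").append(clientID).append("' not found").toString());
    }
    ClientCredentialsGrantPostAuth postAuth = beginClientCredentialsTransaction(request, session, clientID, trust);

    if (authData == null) {
        nextTokenAuth(request, response, session, false, act);
    } else if (authData.getAuthLevel() < act.getLevel()) {
        // step up authentication, clear existing auth data
        session.removeAttribute(ProxyConstants.AUTH_CTL);
        holder.getConfig().createAnonUser(session);
        nextTokenAuth(request, response, session, false, act);
    } else if (!authData.isAuthComplete()) {
        // level is sufficient but the chain has not finished; continue it without clearing
        nextTokenAuth(request, response, session, false, act);
    } else {
        // authenticated, next step
        postAuth.runAfterSuccessfulAuthentication(request, response, holder, act, null, ac, null);
    }
}

/**
 * Registers a new client_credentials transaction on the session and its post-authentication
 * action on the request.
 *
 * @return the action to run once authentication completes
 */
private ClientCredentialsGrantPostAuth beginClientCredentialsTransaction(HttpServletRequest request, HttpSession session, String clientID, OpenIDConnectTrust trust) {
    OpenIDConnectTransaction transaction = new OpenIDConnectTransaction();
    transaction.setClientID(clientID);
    session.setAttribute(OpenIDConnectIdP.TRANSACTION_DATA, transaction);
    ClientCredentialsGrantPostAuth postAuth = new ClientCredentialsGrantPostAuth(transaction, trust, this);
    request.setAttribute(PostAuthSuccess.POST_AUTH_ACTION, postAuth);
    return postAuth;
}

/**
 * Compares the presented client secret with the configured one without short-circuiting on the
 * first differing byte, so that response time does not reveal how much of the secret matched.
 *
 * @param presented secret sent by the client, may be {@code null}
 * @param expected  secret configured on the trust, may be {@code null}
 * @return {@code true} only when both are present and byte-for-byte equal
 */
private static boolean clientSecretMatches(String presented, String expected) {
    if (presented == null || expected == null) {
        return false;
    }
    return java.security.MessageDigest.isEqual(
            presented.getBytes(java.nio.charset.StandardCharsets.UTF_8),
            expected.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}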
use of com.tremolosecurity.config.xml.AuthChainType in project OpenUnison by TremoloSecurity.
the class TokenData method stsImpersontion.
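/**
 * Handles an STS token-exchange impersonation request for a registered trust.
 *
 * The trust must have an authentication chain; the session's current authentication is compared
 * with that chain's level and the caller is either sent through the chain ({@code nextTokenAuth},
 * clearing the session first when stepping up) or straight to the {@link TokenPostAuth} action.
 *
 * @param request    current request
 * @param response   current response
 * @param clientID   the trust name presented by the client
 * @param ac         the session's authentication controller
 * @param holder     URL/config holder for this request
 * @param stsRequest the parsed token-exchange request
 * @param trust      the trust the request is made under
 * @throws ServletException when the trust has no chain or the chain cannot be found
 * @throws IOException      propagated from the response
 */
private void stsImpersontion(HttpServletRequest request, HttpServletResponse response, String clientID, AuthController ac, UrlHolder holder, StsRequest stsRequest, OpenIDConnectTrust trust) throws ServletException, IOException {
    String authChain = trust.getAuthChain();
    if (authChain == null) {
        throw new ServletException("IdP does not have an authenticaiton chain configured");
    }
    HttpSession session = request.getSession();
    AuthInfo authData = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
    AuthChainType act = holder.getConfig().getAuthChains().get(authChain);
    if (act == null) {
        // Fail clearly instead of dereferencing a null chain further down.
        throw new ServletException(new StringBuilder().append("Authentication chain '").append(authChain).append("' for trust '").append(clientID).append("' not found").toString());
    }

    OpenIDConnectTransaction transaction = new OpenIDConnectTransaction();
    transaction.setClientID(clientID);
    session.setAttribute(OpenIDConnectIdP.TRANSACTION_DATA, transaction);
    TokenPostAuth postAuth = new TokenPostAuth(transaction, trust, stsRequest, this);
    request.setAttribute(PostAuthSuccess.POST_AUTH_ACTION, postAuth);

    if (authData == null) {
        nextTokenAuth(request, response, session, false, act);
    } else if (authData.getAuthLevel() < act.getLevel()) {
        // step up authentication, clear existing auth data
        session.removeAttribute(ProxyConstants.AUTH_CTL);
        holder.getConfig().createAnonUser(session);
        nextTokenAuth(request, response, session, false, act);
    } else if (!authData.isAuthComplete()) {
        // level is sufficient but the chain has not finished; continue it without clearing
        nextTokenAuth(request, response, session, false, act);
    } else {
        // authenticated, next step
        postAuth.runAfterSuccessfulAuthentication(request, response, holder, act, null, ac, null);
    }
}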