
Example 6 with AuthMechType

use of com.tremolosecurity.config.xml.AuthMechType in project OpenUnison by TremoloSecurity.

the class JITAuthMech method doGet.

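/**
 * Just-in-time provisioning step: runs the configured workflow against the
 * already-authenticated user and then hands control back to the auth manager.
 * <p>
 * Required mechanism parameters (read from the session's {@code AUTH_MECH_PARAMS} map):
 * {@code nameAttr}, the attribute whose name is passed to the workflow, and
 * {@code workflowName}, the provisioning workflow to execute. A workflow failure
 * marks the step as failed; it does not abort the chain.
 *
 * @throws ServletException if either required parameter is missing
 * @throws IOException      propagated from the auth manager
 */
@Override
public void doGet(HttpServletRequest req, HttpServletResponse resp, AuthStep as) throws ServletException, IOException {
    HttpSession session = req.getSession();
    UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
    AuthController authCtl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);

    Attribute nameAttrParam = authParams.get("nameAttr");
    if (nameAttrParam == null) {
        throw new ServletException("No name attribute");
    }
    String nameAttr = nameAttrParam.getValues().get(0);

    Attribute workflowParam = authParams.get("workflowName");
    if (workflowParam == null) {
        throw new ServletException("No workflow specified");
    }
    String workflowName = workflowParam.getValues().get(0);

    AuthInfo authInfo = authCtl.getAuthInfo();
    try {
        holder.getConfig().getProvisioningEngine().getWorkFlow(workflowName).executeWorkflow(authInfo, nameAttr);
        as.setSuccess(true);
    } catch (ProvisioningException e) {
        // Pass the exception to the logger: it renders the whole cause chain. The former
        // hand-rolled dump wrote to an unflushed PrintWriter, so the trace never reached the log.
        logger.error("Could not execute workflow '" + workflowName + "' on '" + authInfo.getUserDN() + "'", e);
        as.setSuccess(false);
    }
    holder.getConfig().getAuthManager().nextAuth(req, resp, session, false);
}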

Example 7 with AuthMechType

use of com.tremolosecurity.config.xml.AuthMechType in project OpenUnison by TremoloSecurity.

the class SMSAuth method doGet.

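/**
 * Sends a one-time code by SMS to the authenticated user (once per session) and
 * redirects the browser to the form that collects it.
 * <p>
 * Required mechanism parameters: {@code fromNumber}, {@code toAttrName} (user attribute
 * holding the destination number), {@code redirectForm}, {@code message} (may contain
 * the literal {@code ${key}} placeholder) and {@code keyLength}. The optional flags
 * {@code useLowerCase}, {@code useUpperCase} and {@code useNumbers} select the code's
 * alphabet; at least one must be {@code true}. Special characters are never used.
 * <p>
 * The generated code is kept in the session attribute {@code TREMOLO_SMS_KEY} so a
 * repeated GET does not send a second SMS.
 *
 * @throws ServletException if a required parameter is missing or malformed, if no
 *         character type is enabled, or if the user has no destination number
 * @throws IOException      from the redirect
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);

    String from = requiredParam(authParams, "fromNumber");
    String toAttrName = requiredParam(authParams, "toAttrName");
    String redirectForm = requiredParam(authParams, "redirectForm");
    String message = requiredParam(authParams, "message");

    // Key options
    if (authParams.get("keyLength") == null) {
        throw new ServletException("Key Length not set");
    }
    int keyLen;
    try {
        keyLen = Integer.parseInt(authParams.get("keyLength").getValues().get(0));
    } catch (NumberFormatException e) {
        throw new ServletException("Key Length is not a number", e);
    }
    boolean useLowerCase = flagParam(authParams, "useLowerCase");
    boolean useUpperCase = flagParam(authParams, "useUpperCase");
    boolean useNumbers = flagParam(authParams, "useNumbers");
    if (!(useLowerCase || useUpperCase || useNumbers)) {
        throw new ServletException("At least one character type must be chosen");
    }

    if (session.getAttribute("TREMOLO_SMS_KEY") == null) {
        AuthInfo user = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
        Attribute toAttr = user.getAttribs().get(toAttrName);
        if (toAttr == null || toAttr.getValues().isEmpty()) {
            throw new ServletException("User has no value for attribute '" + toAttrName + "'");
        }
        String to = toAttr.getValues().get(0);
        // Special characters are deliberately disabled for SMS codes (last constructor argument).
        String key = new GenPasswd(keyLen, useUpperCase, useLowerCase, useNumbers, false).getPassword();
        // Literal replacement: unlike replaceAll, String.replace treats neither '$' nor '\' in key specially.
        String text = message.replace("${key}", key);
        session.setAttribute("TREMOLO_SMS_KEY", key);
        sendSMS(authParams, from, text, to);
    }
    response.sendRedirect(redirectForm);
}

/** Returns the first value of a mechanism parameter, failing clearly when it is absent. */
private static String requiredParam(HashMap<String, Attribute> authParams, String name) throws ServletException {
    Attribute attr = authParams.get(name);
    if (attr == null || attr.getValues().isEmpty()) {
        throw new ServletException("Missing required parameter '" + name + "'");
    }
    return attr.getValues().get(0);
}

/** Reads an optional boolean mechanism parameter; absent or anything but "true" means false. */
private static boolean flagParam(HashMap<String, Attribute> authParams, String name) {
    Attribute attr = authParams.get(name);
    return attr != null && attr.getValues().get(0).equalsIgnoreCase("true");
}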

Example 8 with AuthMechType

use of com.tremolosecurity.config.xml.AuthMechType in project OpenUnison by TremoloSecurity.

the class GithubAuthMech method doGet.

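/**
 * GitHub OAuth2 login step.
 * <p>
 * First call (no {@code state} parameter): generates a random state token, stores it in
 * the session and redirects the browser to GitHub's authorize endpoint. Second call (the
 * callback carrying {@code state} and {@code code}): validates the state against the
 * session, exchanges the code for an access token, loads the user's profile, primary
 * e-mail, organizations and teams from the GitHub API, links or loads the user, and hands
 * off to the auth manager. The access token is stored in the session under the
 * {@code bearerTokenName} parameter for later use by Unison.
 * <p>
 * Mechanism parameters: {@code bearerTokenName}, {@code clientid}, {@code secretid},
 * {@code scope}, {@code linkToDirectory}, {@code noMatchOU}, {@code uidAttr},
 * {@code lookupFilter}, {@code defaultObjectClass}; optional {@code idpURL} and
 * {@code loadTokenURL} override the GitHub defaults.
 *
 * @throws ServletException on a state mismatch, a missing access token, a malformed token
 *         URL, or an unparseable API response
 * @throws IOException      when a GitHub call fails or returns a non-2xx status
 */
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    ConfigManager cfg = (ConfigManager) request.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
    MyVDConnection myvd = cfg.getMyVD();

    String bearerTokenName = authParams.get("bearerTokenName").getValues().get(0);
    String clientid = authParams.get("clientid").getValues().get(0);
    String secret = authParams.get("secretid").getValues().get(0);
    String idpURL = authParams.get("idpURL") != null ? authParams.get("idpURL").getValues().get(0) : "https://github.com/login/oauth/authorize";
    String loadTokenURL = authParams.get("loadTokenURL") != null ? authParams.get("loadTokenURL").getValues().get(0) : "https://github.com/login/oauth/access_token";
    String scope = authParams.get("scope").getValues().get(0);
    boolean linkToDirectory = Boolean.parseBoolean(authParams.get("linkToDirectory").getValues().get(0));
    String noMatchOU = authParams.get("noMatchOU").getValues().get(0);
    String uidAttr = authParams.get("uidAttr").getValues().get(0);
    String lookupFilter = authParams.get("lookupFilter").getValues().get(0);
    String defaultObjectClass = authParams.get("defaultObjectClass").getValues().get(0);

    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());

    if (request.getParameter("state") == null) {
        // Step 1: start the authorization-code flow. The random state binds the callback
        // to this session; it is verified in step 2 before the code is exchanged.
        String state = new BigInteger(130, new SecureRandom()).toString(32);
        session.setAttribute("UNISON_OPENIDCONNECT_STATE", state);
        StringBuilder redirToSend = new StringBuilder();
        redirToSend.append(idpURL)
            .append("?client_id=").append(URLEncoder.encode(clientid, "UTF-8"))
            .append("&scope=").append(URLEncoder.encode(scope, "UTF-8"))
            .append("&state=").append(URLEncoder.encode("security_token=", "UTF-8")).append(URLEncoder.encode(state, "UTF-8"));
        response.sendRedirect(redirToSend.toString());
        return;
    }

    // Step 2: callback from GitHub. The state is sent as "security_token=<value>".
    String stateFromURL = URLDecoder.decode(request.getParameter("state"), "UTF-8");
    stateFromURL = stateFromURL.substring(stateFromURL.indexOf('=') + 1);
    String stateFromSession = (String) session.getAttribute("UNISON_OPENIDCONNECT_STATE");
    if (stateFromSession == null || !stateFromSession.equalsIgnoreCase(stateFromURL)) {
        throw new ServletException("Invalid State");
    }

    HttpUriRequest post;
    try {
        post = RequestBuilder.post().setUri(new java.net.URI(loadTokenURL)).addParameter("code", request.getParameter("code")).addParameter("client_id", clientid).addParameter("client_secret", secret).build();
    } catch (URISyntaxException e) {
        throw new ServletException("Could not create post request", e);
    }

    BasicHttpClientConnectionManager bhcm = new BasicHttpClientConnectionManager(GlobalEntries.getGlobalEntries().getConfigManager().getHttpClientSocketRegistry());
    RequestConfig rc = RequestConfig.custom().setCookieSpec(CookieSpecs.STANDARD).build();
    try (CloseableHttpClient http = HttpClients.custom().setConnectionManager(bhcm).setDefaultRequestConfig(rc).build()) {
        // The token endpoint answers with a form-encoded body (access_token=...&...).
        String tokenBody = readBody(http, post);
        String accessToken = null;
        for (NameValuePair nvp : URLEncodedUtils.parse(tokenBody, Charset.defaultCharset())) {
            if (nvp.getName().equals("access_token")) {
                accessToken = nvp.getValue();
            }
        }
        if (accessToken == null) {
            throw new ServletException("Could not get authorization token : " + tokenBody);
        }
        // Store the bearer token for use by Unison
        session.setAttribute(bearerTokenName, accessToken);

        Map jwtNVP = com.cedarsoftware.util.io.JsonReader.jsonToMaps(readBody(http, authorizedGet("https://api.github.com/user", accessToken)));
        if (jwtNVP == null) {
            as.setSuccess(false);
        } else {
            JSONParser parser = new JSONParser();
            org.json.simple.JSONArray emails = (org.json.simple.JSONArray) parser.parse(readBody(http, authorizedGet("https://api.github.com/user/emails", accessToken)));
            for (Object o : emails) {
                org.json.simple.JSONObject emailObj = (org.json.simple.JSONObject) o;
                if (Boolean.TRUE.equals(emailObj.get("primary"))) {
                    jwtNVP.put("mail", emailObj.get("email"));
                }
            }

            if (!linkToDirectory) {
                loadUnlinkedUser(session, noMatchOU, uidAttr, act, jwtNVP, defaultObjectClass);
                as.setSuccess(true);
            } else {
                lookupUser(as, session, myvd, noMatchOU, uidAttr, lookupFilter, act, jwtNVP, defaultObjectClass);
            }

            org.json.simple.JSONArray orgs = (org.json.simple.JSONArray) parser.parse(readBody(http, authorizedGet("https://api.github.com/user/orgs", accessToken)));
            Attribute userOrgs = new Attribute("githubOrgs");
            Attribute userTeams = new Attribute("githubTeams");
            String login = String.valueOf(jwtNVP.get("login"));
            for (Object o : orgs) {
                org.json.simple.JSONObject org = (org.json.simple.JSONObject) o;
                String orgName = (String) org.get("login");
                userOrgs.getValues().add(orgName);
                for (String team : loadTeams(http, accessToken, orgName, login, parser)) {
                    userTeams.getValues().add(orgName + "/" + team);
                }
            }
            ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo().getAttribs().put("githubOrgs", userOrgs);
            ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo().getAttribs().put("githubTeams", userTeams);

            String redirectToURL = request.getParameter("target");
            if (redirectToURL != null && !redirectToURL.isEmpty()) {
                reqHolder.setURL(redirectToURL);
            }
        }
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
    } catch (ParseException e) {
        throw new ServletException("Could not parse orgs", e);
    } finally {
        bhcm.close();
    }
}

/** Builds a GET against the GitHub API carrying the user's bearer token. */
private static HttpGet authorizedGet(String url, String accessToken) {
    HttpGet get = new HttpGet(url);
    get.addHeader("Authorization", "Bearer " + accessToken);
    return get;
}

/**
 * Executes {@code req} and returns the response body as a single string (line breaks
 * dropped, as the original line-by-line read did). The response is always closed.
 *
 * @throws IOException if the call fails or GitHub answers with a non-2xx status; such a
 *         body is an error document, not the JSON the callers cast it to
 */
private static String readBody(CloseableHttpClient http, HttpUriRequest req) throws IOException {
    try (CloseableHttpResponse httpResp = http.execute(req)) {
        int status = httpResp.getStatusLine().getStatusCode();
        if (status < 200 || status >= 300) {
            throw new IOException("GitHub request to " + req.getURI() + " failed with HTTP " + status);
        }
        try (BufferedReader in = new BufferedReader(new InputStreamReader(httpResp.getEntity().getContent(), java.nio.charset.StandardCharsets.UTF_8))) {
            StringBuilder body = new StringBuilder();
            String line;
            while ((line = in.readLine()) != null) {
                body.append(line);
            }
            return body.toString();
        }
    }
}

/**
 * Asks GitHub's GraphQL API for the teams of {@code orgName} that {@code login} belongs
 * to (first 100) and returns their names. Returns an empty list when the response has no
 * organization/teams data (for example when the organization is not visible to the token).
 */
private static List<String> loadTeams(CloseableHttpClient http, String accessToken, String orgName, String login, JSONParser parser) throws IOException, ParseException {
    String query = "{organization(login: \"" + graphqlEscape(orgName) + "\") { teams(first: 100, userLogins: [\"" + graphqlEscape(login) + "\"]) { totalCount edges {node {name description}}}}}";
    // JSON-encode the query with Gson rather than hand-escaping quotes inside the body.
    String payload = "{\"query\":" + new Gson().toJson(query) + "}";
    HttpUriRequest graphql = RequestBuilder.post()
        .addHeader(new BasicHeader("Authorization", "Bearer " + accessToken))
        .setUri("https://api.github.com/graphql")
        .setEntity(new StringEntity(payload, java.nio.charset.StandardCharsets.UTF_8))
        .build();

    List<String> teams = new java.util.ArrayList<>();
    org.json.simple.JSONObject root = (org.json.simple.JSONObject) parser.parse(readBody(http, graphql));
    org.json.simple.JSONObject data = (org.json.simple.JSONObject) root.get("data");
    org.json.simple.JSONObject organization = data == null ? null : (org.json.simple.JSONObject) data.get("organization");
    org.json.simple.JSONObject teamsObj = organization == null ? null : (org.json.simple.JSONObject) organization.get("teams");
    org.json.simple.JSONArray edges = teamsObj == null ? null : (org.json.simple.JSONArray) teamsObj.get("edges");
    if (edges != null) {
        for (Object oi : edges) {
            org.json.simple.JSONObject node = (org.json.simple.JSONObject) ((org.json.simple.JSONObject) oi).get("node");
            teams.add(String.valueOf(node.get("name")));
        }
    }
    return teams;
}

/** Escapes a value for use inside a double-quoted GraphQL string literal. */
private static String graphqlEscape(String value) {
    return String.valueOf(value).replace("\\", "\\\\").replace("\"", "\\\"");
}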

Example 9 with AuthMechType

use of com.tremolosecurity.config.xml.AuthMechType in project OpenUnison by TremoloSecurity.

the class OpenIDConnectAuthMech method doGet.

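/**
 * OpenID Connect authorization-code login step.
 * <p>
 * Without a {@code state} parameter the browser is redirected to the IdP's authorization
 * endpoint, resolved from the {@code issuer} discovery document when configured (and cached
 * per discovery URL in {@code idpUrls}), otherwise from {@code idpURL}/{@code loadTokenURL}.
 * On the callback the state is validated against the session, the code is exchanged for
 * tokens, the configured {@code userLookupClassName} ({@link LoadUserData}) loads the user's
 * claims, the optional {@code hd} hosted-domain restriction is enforced, and the user is
 * linked to or loaded without the directory before control returns to the auth manager.
 * <p>
 * A failed token exchange or a hosted-domain mismatch fails the step without loading the
 * user; the chain decides what happens next.
 *
 * @throws ServletException on a state mismatch, a malformed token URL, an unusable
 *         discovery document, or a failure in the user-data loader
 * @throws IOException      on HTTP failures talking to the IdP
 */
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    ConfigManager cfg = (ConfigManager) request.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
    MyVDConnection myvd = cfg.getMyVD();

    String idpURL;
    String loadTokenURL;
    if (authParams.get("issuer") != null) {
        String issuer = authParams.get("issuer").getValues().get(0);
        String discoveryUrl = issuer.endsWith("/") ? issuer + ".well-known/openid-configuration" : issuer + "/.well-known/openid-configuration";
        OidcIdpUrls idp = this.idpUrls.get(discoveryUrl);
        if (idp == null) {
            idp = discoverIdp(discoveryUrl, authParams);
            // Cache only a fully populated entry, so a failed discovery is retried on the
            // next request instead of being served from a half-filled object.
            this.idpUrls.put(discoveryUrl, idp);
        }
        request.setAttribute(OIDC_IDP, idp);
        idpURL = idp.getIdpUrl();
        loadTokenURL = idp.getTokenUrl();
    } else {
        idpURL = authParams.get("idpURL").getValues().get(0);
        loadTokenURL = authParams.get("loadTokenURL").getValues().get(0);
    }

    String bearerTokenName = authParams.get("bearerTokenName").getValues().get(0);
    String clientid = authParams.get("clientid").getValues().get(0);
    String secret = authParams.get("secretid").getValues().get(0);
    String responseType = authParams.get("responseType").getValues().get(0);
    String scope = authParams.get("scope").getValues().get(0);
    boolean linkToDirectory = Boolean.parseBoolean(authParams.get("linkToDirectory").getValues().get(0));
    String noMatchOU = authParams.get("noMatchOU").getValues().get(0);
    String uidAttr = authParams.get("uidAttr").getValues().get(0);
    String lookupFilter = authParams.get("lookupFilter").getValues().get(0);
    String userLookupClassName = authParams.get("userLookupClassName").getValues().get(0);
    String defaultObjectClass = authParams.get("defaultObjectClass").getValues().get(0);
    boolean forceAuth = authParams.get("forceAuthentication") != null ? authParams.get("forceAuthentication").getValues().get(0).equalsIgnoreCase("true") : true;
    // Optional hosted-domain restriction; absent means "any domain".
    String hd = authParams.get("hd") != null ? authParams.get("hd").getValues().get(0) : null;

    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    AuthMechType amt = act.getAuthMech().get(as.getId());
    String authMechName = amt.getName();

    // redirect_uri: this mechanism's own URI on the external (https) host name, used both
    // in the authorization request and again in the code exchange.
    URL reqURL = new URL(ProxyTools.getInstance().getHttpsUrl(request.getRequestURL().toString(), request));
    StringBuilder b = new StringBuilder();
    b.append(reqURL.getProtocol()).append("://").append(reqURL.getHost());
    if (reqURL.getPort() != -1) {
        b.append(":").append(reqURL.getPort());
    }
    b.append(holder.getConfig().getContextPath()).append(cfg.getAuthMechs().get(authMechName).getUri());
    String redirectUri = b.toString();

    if (request.getParameter("state") == null) {
        // Step 1: start the flow. The random state binds the callback to this session.
        String state = new BigInteger(130, new SecureRandom()).toString(32);
        session.setAttribute("UNISON_OPENIDCONNECT_STATE", state);
        StringBuilder redirToSend = new StringBuilder();
        redirToSend.append(idpURL)
            .append("?client_id=").append(URLEncoder.encode(clientid, "UTF-8"))
            .append("&response_type=").append(URLEncoder.encode(responseType, "UTF-8"))
            .append("&scope=").append(URLEncoder.encode(scope, "UTF-8"))
            .append("&redirect_uri=").append(URLEncoder.encode(redirectUri, "UTF-8"))
            .append("&state=").append(URLEncoder.encode("security_token=", "UTF-8")).append(URLEncoder.encode(state, "UTF-8"));
        if (forceAuth) {
            redirToSend.append("&max_age=0");
        }
        if (hd != null && !hd.isEmpty()) {
            redirToSend.append("&hd=").append(URLEncoder.encode(hd, "UTF-8"));
        }
        response.sendRedirect(redirToSend.toString());
        return;
    }

    // Step 2: callback from the IdP. The state is sent as "security_token=<value>".
    String stateFromURL = URLDecoder.decode(request.getParameter("state"), "UTF-8");
    stateFromURL = stateFromURL.substring(stateFromURL.indexOf('=') + 1);
    String stateFromSession = (String) session.getAttribute("UNISON_OPENIDCONNECT_STATE");
    if (stateFromSession == null || !stateFromSession.equalsIgnoreCase(stateFromURL)) {
        throw new ServletException("Invalid State");
    }

    HttpUriRequest post;
    try {
        post = RequestBuilder.post().setUri(new java.net.URI(loadTokenURL)).addParameter("code", request.getParameter("code")).addParameter("client_id", clientid).addParameter("client_secret", secret).addParameter("redirect_uri", redirectUri).addParameter("grant_type", "authorization_code").build();
    } catch (URISyntaxException e) {
        throw new ServletException("Could not create post request", e);
    }

    Map tokenNVP;
    BasicHttpClientConnectionManager bhcm = new BasicHttpClientConnectionManager(GlobalEntries.getGlobalEntries().getConfigManager().getHttpClientSocketRegistry());
    RequestConfig rc = RequestConfig.custom().setCookieSpec(CookieSpecs.STANDARD).build();
    try (CloseableHttpClient http = HttpClients.custom().setConnectionManager(bhcm).setDefaultRequestConfig(rc).build();
         CloseableHttpResponse httpResp = http.execute(post)) {
        if (httpResp.getStatusLine().getStatusCode() != 200) {
            logger.error("Could not retrieve token : " + httpResp.getStatusLine().getStatusCode() + " / " + httpResp.getStatusLine().getReasonPhrase());
            as.setSuccess(false);
            holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
            // The step has been reported as failed; the error body is not a token response.
            return;
        }
        tokenNVP = com.cedarsoftware.util.io.JsonReader.jsonToMaps(EntityUtils.toString(httpResp.getEntity(), java.nio.charset.StandardCharsets.UTF_8));
    } finally {
        bhcm.close();
    }

    // Store the bearer token for use by Unison
    session.setAttribute(bearerTokenName, tokenNVP.get("access_token"));

    Map jwtNVP;
    try {
        LoadUserData loadUser = (LoadUserData) Class.forName(userLookupClassName).getDeclaredConstructor().newInstance();
        jwtNVP = loadUser.loadUserAttributesFromIdP(request, response, cfg, authParams, tokenNVP);
    } catch (Exception e) {
        throw new ServletException("Could not load user data", e);
    }

    if (jwtNVP == null) {
        as.setSuccess(false);
    } else if (!hostedDomainMatches(hd, jwtNVP)) {
        // A hosted-domain mismatch must not fall through to the user load below, which
        // would mark the step successful again.
        as.setSuccess(false);
    } else if (!linkToDirectory) {
        loadUnlinkedUser(session, noMatchOU, uidAttr, act, jwtNVP, defaultObjectClass);
        as.setSuccess(true);
    } else {
        lookupUser(as, session, myvd, noMatchOU, uidAttr, lookupFilter, act, jwtNVP, defaultObjectClass);
    }

    String redirectToURL = request.getParameter("target");
    if (jwtNVP != null && redirectToURL != null && !redirectToURL.isEmpty()) {
        reqHolder.setURL(redirectToURL);
    }
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/**
 * Fetches the discovery document at {@code discoveryUrl} and builds the endpoint set from
 * it. If the IdP does not answer with HTTP 200, the endpoints fall back to the explicit
 * {@code idpURL}/{@code loadTokenURL} parameters (no userinfo endpoint in that case).
 *
 * @throws ServletException if the document cannot be parsed, or the fallback parameters
 *         are missing
 * @throws IOException      on HTTP failures
 */
private static OidcIdpUrls discoverIdp(String discoveryUrl, HashMap<String, Attribute> authParams) throws IOException, ServletException {
    OidcIdpUrls idp = new OidcIdpUrls();
    BasicHttpClientConnectionManager bhcm = new BasicHttpClientConnectionManager(GlobalEntries.getGlobalEntries().getConfigManager().getHttpClientSocketRegistry());
    RequestConfig rc = RequestConfig.custom().setCookieSpec(CookieSpecs.STANDARD).build();
    try (CloseableHttpClient http = HttpClients.custom().setConnectionManager(bhcm).setDefaultRequestConfig(rc).build();
         CloseableHttpResponse resp = http.execute(new HttpGet(discoveryUrl))) {
        if (resp.getStatusLine().getStatusCode() == 200) {
            String json = EntityUtils.toString(resp.getEntity());
            org.json.simple.JSONObject root = (org.json.simple.JSONObject) new JSONParser().parse(json);
            idp.setIdpUrl((String) root.get("authorization_endpoint"));
            idp.setTokenUrl((String) root.get("token_endpoint"));
            idp.setUserInfoUrl((String) root.get("userinfo_endpoint"));
        } else {
            if (authParams.get("idpURL") == null || authParams.get("loadTokenURL") == null) {
                throw new ServletException("Discovery at " + discoveryUrl + " failed with HTTP " + resp.getStatusLine().getStatusCode() + " and no idpURL/loadTokenURL fallback is configured");
            }
            idp.setIdpUrl(authParams.get("idpURL").getValues().get(0));
            idp.setTokenUrl(authParams.get("loadTokenURL").getValues().get(0));
        }
    } catch (ParseException e) {
        throw new ServletException("Could not parse discovery document", e);
    } finally {
        bhcm.close();
    }
    return idp;
}

/**
 * Returns true when no hosted domain is configured, or when the claims carry an {@code hd}
 * string equal (ignoring case) to the configured one. A missing or non-string claim fails.
 */
private static boolean hostedDomainMatches(String hd, Map claims) {
    if (hd == null || hd.isEmpty()) {
        return true;
    }
    Object fromToken = claims.get("hd");
    return fromToken instanceof String && ((String) fromToken).equalsIgnoreCase(hd);
}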

Example 10 with AuthMechType

Use of com.tremolosecurity.config.xml.AuthMechType in the project OpenUnison by TremoloSecurity.

The class U2fAuth, method doGet:

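/**
 * Handles both legs of the U2F mechanism: issuing a challenge and verifying the browser's answer.
 *
 * <p>When the request carries no {@code signResponse} parameter the call is delegated to
 * {@code startAuthentication} (presumably issuing the challenge; its body is not shown here).
 * Otherwise the parameter is parsed as a {@link SignResponseHolder} and verified against the
 * {@link U2FServer} that an earlier leg stored in the session under {@code SERVER}. On success the
 * user's security keys are re-encrypted with the configured key and persisted through the
 * configured workflow (executed synchronously) before the chain moves on.
 *
 * <p>Two failure paths mark the step as failed only when the mechanism is configured as
 * {@code required}: a browser-reported error code in the sign response, and a server-side
 * {@link U2FException} during signature verification. Missing mechanism parameters
 * ({@code attribute}, {@code encryptionKeyName}, {@code uidAttributeName}, {@code workflowName}),
 * a missing challenge in the session, or a user without the configured uid attribute are reported
 * as {@link ServletException} instead of surfacing as a {@code NullPointerException}.
 *
 * @param request the current request; must carry the {@link UrlHolder} and {@link AuthController}
 *     attributes set up by the proxy
 * @param response the current response, handed to the auth manager when the chain advances
 * @param as the step of the authentication chain this mechanism is executing
 * @throws IOException if the auth manager fails while writing the response
 * @throws ServletException if required configuration or session state is missing, the keys cannot
 *     be encrypted, or the workflow that stores them fails
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    String signResponseParam = request.getParameter("signResponse");
    if (signResponseParam == null) {
        startAuthentication(request, response, as);
        return;
    }

    SignResponseHolder srh = gson.fromJson(signResponseParam, SignResponseHolder.class);
    if (srh == null) {
        // Gson yields null for a JSON "null" literal; treat it like any other malformed response.
        throw new ServletException("Invalid signResponse");
    }

    HttpSession session = request.getSession();
    AuthController authCtl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    AuthInfo userData = authCtl.getAuthInfo();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    AuthChainType act = holder.getConfig().getAuthChains().get(authCtl.getHolder().getAuthChainName());
    AuthMechType amt = act.getAuthMech().get(as.getId());
    // Only a "required" mechanism fails the step on a bad token; otherwise the chain just moves on.
    boolean required = amt.getRequired().equals("required");

    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    String challengeStoreAttribute = requiredAuthParam(authParams, "attribute");
    String encryptionKeyName = requiredAuthParam(authParams, "encryptionKeyName");
    String uidAttributeName = requiredAuthParam(authParams, "uidAttributeName");
    String workflowName = requiredAuthParam(authParams, "workflowName");

    // The error code is reported by the browser; it only short-circuits. The signature itself is
    // verified server-side by processSignResponse below.
    if (srh.getErrorCode() > 0) {
        logger.warn("Browser could not validate u2f token for user '" + userData.getUserDN() + "' : " + srh.getErrorCode());
        if (required) {
            as.setSuccess(false);
        }
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }

    U2FServer u2f = (U2FServer) session.getAttribute(SERVER);
    if (u2f == null) {
        // A signature with no outstanding challenge in this session cannot be verified.
        throw new ServletException("No U2F challenge in session for user '" + userData.getUserDN() + "'");
    }
    SignResponse sigResp = new SignResponse(srh.getKeyHandle(), srh.getSignatureData(), srh.getClientData(), srh.getSessionId());
    try {
        u2f.processSignResponse(sigResp);
    } catch (U2FException e) {
        logger.warn("Could not authenticate user : '" + e.getMessage() + "'");
        if (required) {
            as.setSuccess(false);
        }
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        return;
    }

    String encrypted;
    try {
        encrypted = U2fUtil.encode(u2f.getAllSecurityKeys("doesntmatter"), encryptionKeyName);
    } catch (Exception e) {
        // Keep the cause so the failing crypto step is visible to the operator.
        throw new ServletException("Could not encrypt keys", e);
    }

    Attribute uidAttr = userData.getAttribs().get(uidAttributeName);
    if (uidAttr == null || uidAttr.getValues().isEmpty()) {
        throw new ServletException("User '" + userData.getUserDN() + "' has no '" + uidAttributeName + "' attribute");
    }
    String uid = uidAttr.getValues().get(0);

    WFCall wc = new WFCall();
    wc.setName(workflowName);
    wc.setUidAttributeName(uidAttributeName);
    TremoloUser tu = new TremoloUser();
    tu.setUid(uid);
    tu.getAttributes().add(new Attribute(uidAttributeName, uid));
    tu.getAttributes().add(new Attribute(challengeStoreAttribute, encrypted));
    wc.setUser(tu);
    // Run the workflow synchronously so the keys are stored before the step is reported as successful.
    Map<String, Object> req = new HashMap<>();
    req.put(ProvisioningParams.UNISON_EXEC_TYPE, ProvisioningParams.UNISON_EXEC_SYNC);
    wc.setRequestParams(req);
    try {
        GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getWorkFlow(workflowName).executeWorkflow(wc);
    } catch (ProvisioningException e) {
        throw new ServletException("Could not save keys", e);
    }
    as.setSuccess(true);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/**
 * Returns the first value of a mechanism parameter.
 *
 * @param authParams the mechanism parameters stored in the session, may be {@code null}
 * @param name the parameter name
 * @return the parameter's first value
 * @throws ServletException if the parameter is absent or has no values
 */
private static String requiredAuthParam(Map<String, Attribute> authParams, String name) throws ServletException {
    Attribute attr = authParams == null ? null : authParams.get(name);
    if (attr == null || attr.getValues().isEmpty()) {
        throw new ServletException("Missing authentication mechanism parameter '" + name + "'");
    }
    return attr.getValues().get(0);
}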
