Use of com.tremolosecurity.json.Token in project OpenUnison by TremoloSecurity.
The class SendMessageThread, method doApproval.
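/**
 * Records an approver's decision on approval {@code id} and resumes the stored workflow.
 *
 * <p>The approver is resolved in the directory by {@code userID}, its {@code Approvers} row is
 * created or updated (including the configured approver attributes), the encrypted workflow
 * blob is decrypted, and the authorization rules of the current approval step are checked
 * against the approver before the decision is persisted. On rejection the requester and the
 * subject user are notified by mail where a mail attribute is present; in both cases the
 * workflow is re-initialised and restarted.
 *
 * @param id       primary key of the {@code Approvals} row
 * @param userID   value of the approver's user-id attribute in the directory
 * @param approved {@code true} to approve the step, {@code false} to reject it
 * @param reason   free-text reason stored with the decision and exposed to the notified users
 * @throws ProvisioningException if the approver or the approval cannot be located, the approver
 *         is not authorised for this step, or the saved workflow cannot be decrypted or run
 * @see com.tremolosecurity.provisioning.core.ProvisioningEngine#doApproval(int, java.lang.String, boolean, java.lang.String)
 */
@Override
public void doApproval(int id, String userID, boolean approved, String reason) throws ProvisioningException {
    org.hibernate.Session session = this.sessionFactory.openSession();
    try {
        // Locate the approver's directory entry; the filter helper builds the LDAP filter from userID.
        LDAPSearchResults res = this.cfgMgr.getMyVD().search(this.cfgMgr.getCfg().getLdapRoot(), 2, equal(this.userIDAttributeName, userID).toString(), new ArrayList<String>());
        if (!res.hasMore()) {
            throw new ProvisioningException("Could not locate approver '" + userID + "'");
        }
        LDAPEntry approver = res.next();

        // Build the AuthInfo the authorization rules are evaluated against.
        AuthInfo auinfo = new AuthInfo();
        auinfo.setUserDN(approver.getDN());
        LDAPAttributeSet attrs = approver.getAttributeSet();
        for (Object obj : attrs) {
            LDAPAttribute ldapAttr = (LDAPAttribute) obj;
            Attribute attrib = new Attribute(ldapAttr.getName());
            for (String val : ldapAttr.getStringValueArray()) {
                attrib.getValues().add(val);
            }
            auinfo.getAttribs().put(attrib.getName(), attrib);
        }
        // Drain the result set so the search is fully consumed.
        while (res.hasMore()) res.next();

        // Find or create the Approvers row for this user.
        Query query = session.createQuery("FROM Approvers WHERE userKey = :user_key");
        query.setParameter("user_key", userID);
        List<Approvers> approvers = query.list();
        if (logger.isDebugEnabled()) {
            logger.debug("Approver UserID : " + userID);
        }
        Approvers approverObj;
        if (approvers.isEmpty()) {
            approverObj = new Approvers();
            approverObj.setUserKey(userID);
            // NOTE(review): this save happens before beginTransaction() below — confirm that is intended.
            session.save(approverObj);
        } else {
            approverObj = approvers.get(0);
        }

        session.beginTransaction();

        // Mirror the configured approver attributes from the directory entry into the DB.
        for (String attrName : this.getApproverAttributes()) {
            LDAPAttribute approverAttr = approver.getAttribute(attrName);
            boolean found = false;
            for (ApproverAttributes appAttr : approverObj.getApproverAttributeses()) {
                if (attrName.equalsIgnoreCase(appAttr.getName())) {
                    found = true;
                    if (approverAttr != null && !approverAttr.getStringValue().equals(appAttr.getValue())) {
                        appAttr.setValue(approverAttr.getStringValue());
                        session.save(appAttr);
                    }
                }
            }
            if (!found) {
                ApproverAttributes newAttr = new ApproverAttributes();
                newAttr.setName(attrName);
                if (approverAttr != null) {
                    newAttr.setValue(approverAttr.getStringValue());
                }
                newAttr.setApprovers(approverObj);
                approverObj.getApproverAttributeses().add(newAttr);
                session.save(newAttr);
            }
        }

        // get() returns null for an unknown id; load() hands back a proxy that only fails on first access,
        // which made the null check below ineffective.
        Approvals approvals = session.get(Approvals.class, id);
        if (approvals == null) {
            throw new ProvisioningException("Approval not found");
        }

        // Decrypt the stored workflow. AES/CBC carries no integrity tag, so the blob is trusted as far as
        // the approvals DB itself is; decode as UTF-8 rather than the platform default charset.
        Token token = new Gson().fromJson(approvals.getWorkflowObj(), Token.class);
        IvParameterSpec spec = new IvParameterSpec(org.bouncycastle.util.encoders.Base64.decode(token.getIv()));
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, this.cfgMgr.getSecretKey(this.cfgMgr.getCfg().getProvisioning().getApprovalDB().getEncryptionKey()), spec);
        byte[] encBytes = org.bouncycastle.util.encoders.Base64.decode(token.getEncryptedRequest());
        String jsonDecr = new String(cipher.doFinal(encBytes), java.nio.charset.StandardCharsets.UTF_8);

        // json-io instantiates whatever types the document names; that is acceptable only because the
        // document was produced and encrypted by this engine.
        Workflow wf = (Workflow) JsonReader.jsonToJava(jsonDecr);
        Approval approval = (Approval) wf.findCurrentApprovalTask();
        if (approval == null) {
            throw new ProvisioningException("Could not locate approval step");
        }

        // Custom authorizations need the config manager and workflow before the rules are evaluated.
        AzSys az = new AzSys();
        for (AzRule rule : approval.getAzRules()) {
            if (rule.getCustomAuthorization() != null) {
                rule.getCustomAuthorization().loadConfigManager(cfgMgr);
                rule.getCustomAuthorization().setWorkflow(wf);
            }
        }
        if (!az.checkRules(auinfo, this.cfgMgr, approval.getAzRules(), wf.getRequest())) {
            throw new ProvisioningException("Az of approval failed");
        }

        // Persist the decision; the workflow blob is cleared once the step is decided.
        DateTime now = new DateTime();
        approvals.setWorkflowObj(null);
        approvals.setApprovedTs(new Timestamp(now.getMillis()));
        approvals.setApprovers(approverObj);
        approvals.setApproved(approved ? 1 : 0);
        approvals.setReason(reason);
        session.save(approvals);

        wf.getRequest().put(Approval.APPROVAL_RESULT, Boolean.valueOf(approved));
        approval.markComplete(approved);

        if (!approved) {
            // Notify the requester (when distinct from the subject user) and the subject user of the rejection.
            if (wf.getUserNum() != wf.getRequesterNum()) {
                wf.getRequester().getAttribs().put("reason", new Attribute("reason", reason));
                if (!wf.getRequester().getAttribs().containsKey(approval.getMailAttr())) {
                    logger.warn("Can not send failure notification to " + wf.getRequester().getUserID() + ", no mail found");
                } else {
                    this.sendNotification(wf.getRequester().getAttribs().get(approval.getMailAttr()).getValues().get(0), approval.getFailureEmailMsg(), approval.getFailureEmailSubject(), wf.getRequester());
                }
            }
            wf.getUser().getAttribs().put("reason", new Attribute("reason", reason));
            if (!wf.getUser().getAttribs().containsKey(approval.getMailAttr())) {
                logger.warn("Can not send failure notification to " + wf.getUser().getUserID() + ", no mail found");
            } else {
                this.sendNotification(wf.getUser().getAttribs().get(approval.getMailAttr()).getValues().get(0), approval.getFailureEmailMsg(), approval.getFailureEmailSubject(), wf.getUser());
            }
        }
        // Approved or rejected, the workflow continues from the decided step.
        wf.reInit(cfgMgr);
        wf.restart();

        session.getTransaction().commit();
    } catch (LDAPException e) {
        throw new ProvisioningException("Could not load approver", e);
    } catch (SQLException | IOException | ClassNotFoundException e) {
        throw new ProvisioningException("Could not load saved workflow", e);
    } catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeyException | InvalidAlgorithmParameterException | IllegalBlockSizeException | BadPaddingException e) {
        throw new ProvisioningException("Could not decrypt workflow object", e);
    } catch (ProvisioningException e) {
        throw e;
    } catch (Exception e) {
        logger.error("Exception running workflow", e);
        throw new ProvisioningException("Exception running workflow", e);
    } finally {
        if (session != null) {
            // Undo partial writes when an exception escaped after beginTransaction() and before commit().
            if (session.getTransaction() != null && session.getTransaction().isActive()) {
                session.getTransaction().rollback();
            }
            session.close();
        }
    }
}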
Use of com.tremolosecurity.json.Token in project OpenUnison by TremoloSecurity.
The class TokenData, method encryptToken (UUID overload).
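/**
 * Encrypts the string form of {@code refreshToken} into the compressed, Base64-encoded token format.
 *
 * <p>Produces exactly the same wire format as {@link #encryptToken(String, Gson, String)}; the two
 * overloads share one implementation so the format cannot drift between them.
 *
 * @param codeTokenKeyName name of the AES key in the config manager's keystore
 * @param gson             serializer used for the {@link Token} wrapper
 * @param refreshToken     the refresh token to protect
 * @return Base64 text of the deflated token JSON
 * @throws UnsupportedEncodingException retained for callers that already catch it
 * @throws NoSuchAlgorithmException if {@code AES/CBC/PKCS5Padding} is unavailable
 * @throws NoSuchPaddingException if the padding scheme is unavailable
 * @throws InvalidKeyException if the named key cannot be used for AES
 * @throws IllegalBlockSizeException on a cipher failure
 * @throws BadPaddingException on a cipher failure
 * @throws IOException if compressing the token fails
 */
private String encryptToken(String codeTokenKeyName, Gson gson, UUID refreshToken) throws UnsupportedEncodingException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, IOException {
    return encryptToken(codeTokenKeyName, gson, refreshToken.toString());
}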
Use of com.tremolosecurity.json.Token in project OpenUnison by TremoloSecurity.
The class TokenData, method encryptToken (String overload).
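/**
 * Encrypts {@code data} with the named AES key and returns it as a compressed, Base64-encoded token.
 *
 * <p>The ciphertext and the cipher's IV are wrapped in a {@link Token}, serialised to JSON with
 * {@code gson}, deflated as a raw stream (no zlib header) and Base64-encoded.
 * {@code AES/CBC/PKCS5Padding} gives confidentiality only — nothing here authenticates the
 * ciphertext, so the resulting token must not be treated as tamper-evident.
 *
 * @param codeTokenKeyName name of the AES key in the config manager's keystore
 * @param gson             serializer used for the {@link Token} wrapper
 * @param data             plaintext to encrypt
 * @return Base64 text of the deflated token JSON
 * @throws UnsupportedEncodingException retained for callers that already catch it
 * @throws NoSuchAlgorithmException if {@code AES/CBC/PKCS5Padding} is unavailable
 * @throws NoSuchPaddingException if the padding scheme is unavailable
 * @throws InvalidKeyException if the named key cannot be used for AES
 * @throws IllegalBlockSizeException on a cipher failure
 * @throws BadPaddingException on a cipher failure
 * @throws IOException if compressing the token fails
 */
private String encryptToken(String codeTokenKeyName, Gson gson, String data) throws UnsupportedEncodingException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, IOException {
    byte[] plaintext = data.getBytes(java.nio.charset.StandardCharsets.UTF_8);

    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    // No IV is passed in, so the provider chooses one; it is read back below and shipped with the ciphertext.
    cipher.init(Cipher.ENCRYPT_MODE, GlobalEntries.getGlobalEntries().getConfigManager().getSecretKey(codeTokenKeyName));
    byte[] ciphertext = cipher.doFinal(plaintext);

    // Base64 output is ASCII, so the charset only matters for being explicit rather than platform-dependent.
    Token token = new Token();
    token.setEncryptedRequest(new String(org.bouncycastle.util.encoders.Base64.encode(ciphertext), java.nio.charset.StandardCharsets.UTF_8));
    token.setIv(new String(org.bouncycastle.util.encoders.Base64.encode(cipher.getIV()), java.nio.charset.StandardCharsets.UTF_8));

    byte[] tokenJson = gson.toJson(token).getBytes(java.nio.charset.StandardCharsets.UTF_8);
    ByteArrayOutputStream compressed = new ByteArrayOutputStream();
    Deflater deflater = new Deflater(Deflater.BEST_COMPRESSION, true);
    try {
        DeflaterOutputStream compressor = new DeflaterOutputStream(compressed, deflater);
        compressor.write(tokenJson);
        // close() finishes the deflate stream; a separate flush() before it is redundant.
        compressor.close();
    } finally {
        // DeflaterOutputStream.close() does not end a caller-supplied Deflater, so its native state
        // would otherwise linger until finalization.
        deflater.end();
    }
    return new String(org.bouncycastle.util.encoders.Base64.encode(compressed.toByteArray()), java.nio.charset.StandardCharsets.UTF_8);
}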
Use of com.tremolosecurity.json.Token in project OpenUnison by TremoloSecurity.
The class TokenData, method decryptToken.
/*public OIDCSession storeSession(OpenIDConnectAccessToken access,ApplicationType app,String codeTokenKeyName,HttpServletRequest request,String userDN,String clientID) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException, IOException {
Gson gson = new Gson();
OIDCSession session = new OIDCSession();
session.setAccessToken(access.getAccess_token());
session.setIdToken(access.getId_token());
session.setApplicationName(app.getName());
session.setSessionExpires(new Timestamp(new DateTime().plusSeconds(app.getCookieConfig().getTimeout()).getMillis()));
session.setUserDN(userDN);
session.setClientID(clientID);
UUID refreshToken = UUID.randomUUID();
session.setRefreshToken(refreshToken.toString());
String b64 = encryptToken(codeTokenKeyName, gson, refreshToken);
session.setEncryptedRefreshToken(b64);
Session db = null;
try {
db = this.sessionFactory.openSession();
db.beginTransaction();
db.save(session);
db.getTransaction().commit();
LogoutUtil.insertFirstLogoutHandler(request, new ClearOidcSessionOnLogout(session,this));
return session;
} finally {
if (db != null) {
if (db.getTransaction() != null && db.getTransaction().isActive()) {
db.getTransaction().rollback();
}
db.close();
}
}
}*/
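/**
 * Reverses {@code encryptToken}: inflates {@code encrypted}, parses the {@link Token} wrapper and
 * decrypts its payload with the named AES key.
 *
 * <p>Because the token is AES/CBC without an authentication tag, a padding or parse failure is the
 * only signal of a corrupted or tampered token; callers should treat any exception from here as
 * "token invalid" rather than distinguishing the cause.
 *
 * @param codeTokenKeyName name of the AES key in the config manager's keystore
 * @param gson             deserializer used for the {@link Token} wrapper
 * @param encrypted        Base64 text of the deflated token JSON as produced by {@code encryptToken}
 * @return the decrypted plaintext, decoded as UTF-8
 * @throws Exception on any decoding, inflation or decryption failure
 */
private String decryptToken(String codeTokenKeyName, Gson gson, String encrypted) throws Exception {
    // this.inflate is defined elsewhere in the class; presumably it undoes the Base64 + deflate step — confirm.
    String tokenJson = this.inflate(encrypted);
    Token token = gson.fromJson(tokenJson, Token.class);

    IvParameterSpec iv = new IvParameterSpec(org.bouncycastle.util.encoders.Base64.decode(token.getIv()));
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, GlobalEntries.getGlobalEntries().getConfigManager().getSecretKey(codeTokenKeyName), iv);

    byte[] ciphertext = org.bouncycastle.util.encoders.Base64.decode(token.getEncryptedRequest());
    // The encrypt side writes UTF-8 bytes; decode explicitly instead of relying on the platform charset.
    return new String(cipher.doFinal(ciphertext), java.nio.charset.StandardCharsets.UTF_8);
}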
Use of com.tremolosecurity.json.Token in project OpenUnison by TremoloSecurity.
The class OTPAuth, method doPost.
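/**
 * Verifies the one-time code submitted by the user against the TOTP secret stored in the user's
 * attributes, then hands control back to the authentication manager.
 *
 * <p>Without a {@code code} parameter the request is treated as a page load and delegated to
 * {@code doGet}. The TOTP secret is stored encrypted (a Base64 {@link Token} wrapping an AES/CBC
 * ciphertext and its IV) under the attribute named by the {@code attributeName} mechanism
 * parameter; it is decrypted with the key named by {@code keyName} and checked with the
 * configured {@code windowSize} (default 3). Any failure to decode, decrypt or verify the code
 * counts as a failed attempt.
 *
 * @param request  the current request; reads {@code code} and, optionally, {@code target}
 * @param response the current response, passed through to the authentication manager
 * @param as       the step whose success flag is set by this method
 * @throws IOException      propagated from {@code doGet} or the authentication manager
 * @throws ServletException if {@code keyName} or {@code attributeName} is not configured, or the
 *                          named key does not exist
 */
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    String code = request.getParameter("code");
    if (code == null) {
        // Nothing submitted yet: render the form.
        this.doGet(request, response, as);
        return;
    }

    HttpSession session = request.getSession();
    @SuppressWarnings("unchecked") // stored by the auth framework under AUTH_MECH_PARAMS
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    AuthController ac = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    RequestHolder reqHolder = ac.getHolder();

    // Mechanism configuration: which key decrypts the secret and which attribute holds it.
    Attribute attr = authParams.get("keyName");
    if (attr == null) {
        throw new ServletException("keyName not present");
    }
    String keyName = attr.getValues().get(0);
    SecretKey key = this.cfgMgr.getSecretKey(keyName);
    if (key == null) {
        throw new ServletException("Key '" + keyName + "' does not exist");
    }

    int windowSize = 3;
    attr = authParams.get("windowSize");
    if (attr == null) {
        logger.warn("No windowSize set");
    } else {
        windowSize = Integer.parseInt(attr.getValues().get(0));
    }

    attr = authParams.get("attributeName");
    if (attr == null) {
        throw new ServletException("attributeName not present");
    }
    String attributeName = attr.getValues().get(0);

    attr = ac.getAuthInfo().getAttribs().get(attributeName);
    if (attr == null) {
        if (logger.isDebugEnabled()) {
            logger.debug("Attribute '" + attributeName + "' not present");
        }
        as.setSuccess(false);
        // NOTE(review): unlike the path below, nextAuth() is not invoked here — confirm the chain still advances.
        return;
    }

    try {
        String keyjson = attr.getValues().get(0);
        if (logger.isDebugEnabled()) {
            logger.debug("token json : '" + keyjson + "'");
        }
        Gson gson = new Gson();
        Token token = gson.fromJson(new String(Base64.decode(keyjson), java.nio.charset.StandardCharsets.UTF_8), Token.class);

        IvParameterSpec spec = new IvParameterSpec(org.bouncycastle.util.encoders.Base64.decode(token.getIv()));
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, spec);
        byte[] encBytes = org.bouncycastle.util.encoders.Base64.decode(token.getEncryptedRequest());
        String totpJson = new String(cipher.doFinal(encBytes), java.nio.charset.StandardCharsets.UTF_8);
        TOTPKey totp = gson.fromJson(totpJson, TOTPKey.class);

        GoogleAuthenticatorConfigBuilder cfgBuilder = new GoogleAuthenticatorConfigBuilder();
        cfgBuilder.setWindowSize(windowSize);
        GoogleAuthenticator ga = new GoogleAuthenticator(cfgBuilder.build());
        // A non-numeric code throws NumberFormatException and lands in the catch below as a failed attempt.
        as.setSuccess(ga.authorize(totp.getSecretKey(), Integer.parseInt(code)));

        // NOTE(review): the redirect target is taken from the request as-is; presumably validated downstream — confirm.
        String redirectToURL = request.getParameter("target");
        if (redirectToURL != null && !redirectToURL.isEmpty()) {
            reqHolder.setURL(redirectToURL);
        }
    } catch (Exception e) {
        // Fail closed: any problem decoding or verifying the secret is a failed attempt.
        as.setSuccess(false);
        logger.error("Could not decrypt key", e);
    }
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}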