Example 1 with Token
use of com.tremolosecurity.json.Token in project OpenUnison by TremoloSecurity.
the class SendMessageThread method doApproval.
/* (non-Javadoc)
* @see com.tremolosecurity.provisioning.core.ProvisioningEngine#doApproval(int, java.lang.String, boolean, java.lang.String)
*/
@Override
public void doApproval(int id, String userID, boolean approved, String reason) throws ProvisioningException {
org.hibernate.Session session = this.sessionFactory.openSession();
try {
StringBuffer b = new StringBuffer();
LDAPSearchResults res = this.cfgMgr.getMyVD().search(this.cfgMgr.getCfg().getLdapRoot(), 2, equal(this.userIDAttributeName, userID).toString(), new ArrayList<String>());
if (!res.hasMore()) {
throw new ProvisioningException("Could not locate approver '" + userID + "'");
}
LDAPEntry approver = res.next();
AuthInfo auinfo = new AuthInfo();
auinfo.setUserDN(approver.getDN());
LDAPAttributeSet attrs = approver.getAttributeSet();
for (Object obj : attrs) {
LDAPAttribute attr = (LDAPAttribute) obj;
Attribute attrib = new Attribute(attr.getName());
String[] vals = attr.getStringValueArray();
for (String val : vals) {
attrib.getValues().add(val);
}
auinfo.getAttribs().put(attrib.getName(), attrib);
}
while (res.hasMore()) res.next();
Query query = session.createQuery("FROM Approvers WHERE userKey = :user_key");
query.setParameter("user_key", userID);
List<Approvers> approvers = query.list();
Approvers approverObj = null;
if (logger.isDebugEnabled()) {
logger.debug("Approver UserID : " + userID);
}
int approverID;
if (approvers.size() == 0) {
approverObj = new Approvers();
approverObj.setUserKey(userID);
session.save(approverObj);
approverID = approverObj.getId();
} else {
approverObj = approvers.get(0);
approverID = approverObj.getId();
}
session.beginTransaction();
boolean changed = false;
for (String attrName : this.getApproverAttributes()) {
boolean found = false;
for (ApproverAttributes appAttr : approverObj.getApproverAttributeses()) {
if (attrName.equalsIgnoreCase(appAttr.getName())) {
found = true;
LDAPAttribute approverAttr = approver.getAttribute(attrName);
if (approverAttr != null) {
if (!approverAttr.getStringValue().equals(appAttr.getValue())) {
appAttr.setValue(approverAttr.getStringValue());
session.save(appAttr);
}
}
}
}
if (!found) {
ApproverAttributes attr = new ApproverAttributes();
attr.setName(attrName);
LDAPAttribute approverAttr = approver.getAttribute(attrName);
if (approverAttr != null) {
attr.setValue(approverAttr.getStringValue());
}
attr.setApprovers(approverObj);
approverObj.getApproverAttributeses().add(attr);
session.save(attr);
changed = true;
}
}
Approvals approvals = session.load(Approvals.class, id);
if (approvals == null) {
throw new ProvisioningException("Approval not found");
}
Gson gson = new Gson();
String json = approvals.getWorkflowObj();
Token token = gson.fromJson(json, Token.class);
byte[] iv = org.bouncycastle.util.encoders.Base64.decode(token.getIv());
IvParameterSpec spec = new IvParameterSpec(iv);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, this.cfgMgr.getSecretKey(this.cfgMgr.getCfg().getProvisioning().getApprovalDB().getEncryptionKey()), spec);
byte[] encBytes = org.bouncycastle.util.encoders.Base64.decode(token.getEncryptedRequest());
String jsonDecr = new String(cipher.doFinal(encBytes));
Workflow wf = (Workflow) JsonReader.jsonToJava(jsonDecr);
Approval approval = (Approval) wf.findCurrentApprovalTask();
if (approval == null) {
throw new ProvisioningException("Could not locate approval step");
}
AzSys az = new AzSys();
for (AzRule rule : approval.getAzRules()) {
if (rule.getCustomAuthorization() != null) {
rule.getCustomAuthorization().loadConfigManager(cfgMgr);
rule.getCustomAuthorization().setWorkflow(wf);
}
}
if (!az.checkRules(auinfo, this.cfgMgr, approval.getAzRules(), wf.getRequest())) {
throw new ProvisioningException("Az of approval failed");
}
DateTime now = new DateTime();
approvals.setWorkflowObj(null);
approvals.setApprovedTs(new Timestamp(now.getMillis()));
approvals.setApprovers(approverObj);
approvals.setApproved(approved ? 1 : 0);
approvals.setReason(reason);
session.save(approvals);
wf.getRequest().put(Approval.APPROVAL_RESULT, new Boolean(approved));
approval.markComplete(approved);
if (approved) {
wf.reInit(cfgMgr);
wf.restart();
} else {
if (wf.getUserNum() != wf.getRequesterNum()) {
wf.getRequester().getAttribs().put("reason", new Attribute("reason", reason));
if (!wf.getRequester().getAttribs().containsKey(approval.getMailAttr())) {
logger.warn("Can not send failure notification to " + wf.getRequester().getUserID() + ", no mail found");
} else {
this.sendNotification(wf.getRequester().getAttribs().get(approval.getMailAttr()).getValues().get(0), approval.getFailureEmailMsg(), approval.getFailureEmailSubject(), wf.getRequester());
}
}
wf.getUser().getAttribs().put("reason", new Attribute("reason", reason));
if (!wf.getUser().getAttribs().containsKey(approval.getMailAttr())) {
logger.warn("Can not send failure notification to " + wf.getUser().getUserID() + ", no mail found");
} else {
this.sendNotification(wf.getUser().getAttribs().get(approval.getMailAttr()).getValues().get(0), approval.getFailureEmailMsg(), approval.getFailureEmailSubject(), wf.getUser());
}
wf.reInit(cfgMgr);
wf.restart();
}
session.getTransaction().commit();
} catch (LDAPException e) {
throw new ProvisioningException("Could not load approver", e);
} catch (SQLException e) {
throw new ProvisioningException("Could not load saved workflow", e);
} catch (IOException e) {
throw new ProvisioningException("Could not load saved workflow", e);
} catch (ClassNotFoundException e) {
throw new ProvisioningException("Could not load saved workflow", e);
} catch (NoSuchAlgorithmException e) {
throw new ProvisioningException("Could not decrypt workflow object", e);
} catch (NoSuchPaddingException e) {
throw new ProvisioningException("Could not decrypt workflow object", e);
} catch (InvalidKeyException e) {
throw new ProvisioningException("Could not decrypt workflow object", e);
} catch (InvalidAlgorithmParameterException e) {
throw new ProvisioningException("Could not decrypt workflow object", e);
} catch (IllegalBlockSizeException e) {
throw new ProvisioningException("Could not decrypt workflow object", e);
} catch (BadPaddingException e) {
throw new ProvisioningException("Could not decrypt workflow object", e);
} catch (ProvisioningException e) {
throw e;
} catch (Exception e) {
logger.error("Exception running workflow", e);
throw new ProvisioningException("Exception running workflow", e);
} finally {
if (session != null) {
session.close();
}
}
}
Also used :
ApproverAttributes(com.tremolosecurity.provisioning.objects.ApproverAttributes)
Query(org.hibernate.Query)
Attribute(com.tremolosecurity.saml.Attribute)
LDAPAttribute(com.novell.ldap.LDAPAttribute)
SQLException(java.sql.SQLException)
Approvals(com.tremolosecurity.provisioning.objects.Approvals)
Gson(com.google.gson.Gson)
IllegalBlockSizeException(javax.crypto.IllegalBlockSizeException)
Token(com.tremolosecurity.json.Token)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
BadPaddingException(javax.crypto.BadPaddingException)
Timestamp(java.sql.Timestamp)
DateTime(org.joda.time.DateTime)
LDAPEntry(com.novell.ldap.LDAPEntry)
Approvers(com.tremolosecurity.provisioning.objects.Approvers)
AllowedApprovers(com.tremolosecurity.provisioning.objects.AllowedApprovers)
Approval(com.tremolosecurity.provisioning.tasks.Approval)
LDAPAttribute(com.novell.ldap.LDAPAttribute)
AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo)
InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException)
LDAPAttributeSet(com.novell.ldap.LDAPAttributeSet)
NoSuchPaddingException(javax.crypto.NoSuchPaddingException)
IOException(java.io.IOException)
InvalidKeyException(java.security.InvalidKeyException)
InvocationTargetException(java.lang.reflect.InvocationTargetException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidKeyException(java.security.InvalidKeyException)
LDAPException(com.novell.ldap.LDAPException)
InvalidAlgorithmParameterException(java.security.InvalidAlgorithmParameterException)
SocketException(java.net.SocketException)
SQLException(java.sql.SQLException)
SchedulerException(org.quartz.SchedulerException)
IOException(java.io.IOException)
MessagingException(javax.mail.MessagingException)
IllegalBlockSizeException(javax.crypto.IllegalBlockSizeException)
JMSException(javax.jms.JMSException)
JAXBException(javax.xml.bind.JAXBException)
FileNotFoundException(java.io.FileNotFoundException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
NoSuchPaddingException(javax.crypto.NoSuchPaddingException)
BadPaddingException(javax.crypto.BadPaddingException)
LDAPSearchResults(com.novell.ldap.LDAPSearchResults)
LDAPException(com.novell.ldap.LDAPException)
AzSys(com.tremolosecurity.proxy.auth.AzSys)
IvParameterSpec(javax.crypto.spec.IvParameterSpec)
Cipher(javax.crypto.Cipher)
AzRule(com.tremolosecurity.proxy.az.AzRule)
Example 2 with Token
use of com.tremolosecurity.json.Token in project OpenUnison by TremoloSecurity.
the class TokenData method encryptToken.
private String encryptToken(String codeTokenKeyName, Gson gson, UUID refreshToken) throws UnsupportedEncodingException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, IOException {
byte[] bjson = refreshToken.toString().getBytes("UTF-8");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, GlobalEntries.getGlobalEntries().getConfigManager().getSecretKey(codeTokenKeyName));
byte[] encJson = cipher.doFinal(bjson);
String base64d = new String(org.bouncycastle.util.encoders.Base64.encode(encJson));
Token token = new Token();
token.setEncryptedRequest(base64d);
token.setIv(new String(org.bouncycastle.util.encoders.Base64.encode(cipher.getIV())));
byte[] bxml = gson.toJson(token).getBytes("UTF-8");
ByteArrayOutputStream baos = new ByteArrayOutputStream();
DeflaterOutputStream compressor = new DeflaterOutputStream(baos, new Deflater(Deflater.BEST_COMPRESSION, true));
compressor.write(bxml);
compressor.flush();
compressor.close();
String b64 = new String(org.bouncycastle.util.encoders.Base64.encode(baos.toByteArray()));
return b64;
}
Also used :
Deflater(java.util.zip.Deflater)
DeflaterOutputStream(java.util.zip.DeflaterOutputStream)
Token(com.tremolosecurity.json.Token)
Cipher(javax.crypto.Cipher)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
Example 3 with Token
use of com.tremolosecurity.json.Token in project OpenUnison by TremoloSecurity.
the class TokenData method encryptToken.
private String encryptToken(String codeTokenKeyName, Gson gson, String data) throws UnsupportedEncodingException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, IOException {
byte[] bjson = data.getBytes("UTF-8");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, GlobalEntries.getGlobalEntries().getConfigManager().getSecretKey(codeTokenKeyName));
byte[] encJson = cipher.doFinal(bjson);
String base64d = new String(org.bouncycastle.util.encoders.Base64.encode(encJson));
Token token = new Token();
token.setEncryptedRequest(base64d);
token.setIv(new String(org.bouncycastle.util.encoders.Base64.encode(cipher.getIV())));
byte[] bxml = gson.toJson(token).getBytes("UTF-8");
ByteArrayOutputStream baos = new ByteArrayOutputStream();
DeflaterOutputStream compressor = new DeflaterOutputStream(baos, new Deflater(Deflater.BEST_COMPRESSION, true));
compressor.write(bxml);
compressor.flush();
compressor.close();
String b64 = new String(org.bouncycastle.util.encoders.Base64.encode(baos.toByteArray()));
return b64;
}
Also used :
Deflater(java.util.zip.Deflater)
DeflaterOutputStream(java.util.zip.DeflaterOutputStream)
Token(com.tremolosecurity.json.Token)
Cipher(javax.crypto.Cipher)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
Example 4 with Token
use of com.tremolosecurity.json.Token in project OpenUnison by TremoloSecurity.
the class TokenData method decryptToken.
/*public OIDCSession storeSession(OpenIDConnectAccessToken access,ApplicationType app,String codeTokenKeyName,HttpServletRequest request,String userDN,String clientID) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException, BadPaddingException, IOException {
Gson gson = new Gson();
OIDCSession session = new OIDCSession();
session.setAccessToken(access.getAccess_token());
session.setIdToken(access.getId_token());
session.setApplicationName(app.getName());
session.setSessionExpires(new Timestamp(new DateTime().plusSeconds(app.getCookieConfig().getTimeout()).getMillis()));
session.setUserDN(userDN);
session.setClientID(clientID);
UUID refreshToken = UUID.randomUUID();
session.setRefreshToken(refreshToken.toString());
String b64 = encryptToken(codeTokenKeyName, gson, refreshToken);
session.setEncryptedRefreshToken(b64);
Session db = null;
try {
db = this.sessionFactory.openSession();
db.beginTransaction();
db.save(session);
db.getTransaction().commit();
LogoutUtil.insertFirstLogoutHandler(request, new ClearOidcSessionOnLogout(session,this));
return session;
} finally {
if (db != null) {
if (db.getTransaction() != null && db.getTransaction().isActive()) {
db.getTransaction().rollback();
}
db.close();
}
}
}*/
private String decryptToken(String codeTokenKeyName, Gson gson, String encrypted) throws Exception {
String inflated = this.inflate(encrypted);
Token token = gson.fromJson(inflated, Token.class);
byte[] iv = org.bouncycastle.util.encoders.Base64.decode(token.getIv());
IvParameterSpec spec = new IvParameterSpec(iv);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, GlobalEntries.getGlobalEntries().getConfigManager().getSecretKey(codeTokenKeyName), spec);
byte[] decBytes = org.bouncycastle.util.encoders.Base64.decode(token.getEncryptedRequest());
return new String(cipher.doFinal(decBytes));
}
Also used :
Token(com.tremolosecurity.json.Token)
IvParameterSpec(javax.crypto.spec.IvParameterSpec)
Cipher(javax.crypto.Cipher)
Example 5 with Token
use of com.tremolosecurity.json.Token in project OpenUnison by TremoloSecurity.
the class OTPAuth method doPost.
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
if (request.getParameter("code") == null) {
this.doGet(request, response, as);
return;
}
HttpSession session = ((HttpServletRequest) request).getSession();
HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
RequestHolder reqHolder = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
String urlChain = holder.getUrl().getAuthChain();
AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
AuthMechType amt = act.getAuthMech().get(as.getId());
Attribute attr = authParams.get("keyName");
if (attr == null) {
throw new ServletException("keyName not present");
}
SecretKey key = this.cfgMgr.getSecretKey(attr.getValues().get(0));
if (key == null) {
throw new ServletException("Key '" + attr.getValues().get(0) + "' does not exist");
}
int windowSize = 3;
attr = authParams.get("windowSize");
if (attr == null) {
logger.warn("No windowSize set");
} else {
windowSize = Integer.parseInt(attr.getValues().get(0));
}
attr = authParams.get("attributeName");
if (attr == null) {
throw new ServletException("attributeName not present");
}
String attributeName = attr.getValues().get(0);
AuthController ac = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL));
attr = ac.getAuthInfo().getAttribs().get(attributeName);
if (attr == null) {
if (logger.isDebugEnabled()) {
logger.info("Attribute '" + attributeName + "' not present");
}
as.setSuccess(false);
} else {
try {
String keyjson = attr.getValues().get(0);
if (logger.isDebugEnabled()) {
logger.debug("token json : '" + keyjson + "'");
}
Gson gson = new Gson();
Token token = gson.fromJson(new String(Base64.decode(keyjson)), Token.class);
byte[] iv = org.bouncycastle.util.encoders.Base64.decode(token.getIv());
IvParameterSpec spec = new IvParameterSpec(iv);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, key, spec);
byte[] encBytes = org.bouncycastle.util.encoders.Base64.decode(token.getEncryptedRequest());
String totpJson = new String(cipher.doFinal(encBytes));
TOTPKey totp = gson.fromJson(totpJson, TOTPKey.class);
GoogleAuthenticatorConfigBuilder b = new GoogleAuthenticatorConfigBuilder();
b.setWindowSize(windowSize);
GoogleAuthenticatorConfig cfg = b.build();
GoogleAuthenticator ga = new GoogleAuthenticator(cfg);
String code = request.getParameter("code");
if (code == null) {
as.setSuccess(false);
} else {
as.setSuccess(ga.authorize(totp.getSecretKey(), Integer.parseInt(code)));
}
String redirectToURL = request.getParameter("target");
if (redirectToURL != null && !redirectToURL.isEmpty()) {
reqHolder.setURL(redirectToURL);
}
} catch (Exception e) {
as.setSuccess(false);
logger.error("Could not decrypt key", e);
}
holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}
}
Also used :
GoogleAuthenticator(com.warrenstrange.googleauth.GoogleAuthenticator)
Attribute(com.tremolosecurity.saml.Attribute)
HashMap(java.util.HashMap)
HttpSession(javax.servlet.http.HttpSession)
GoogleAuthenticatorConfig(com.warrenstrange.googleauth.GoogleAuthenticatorConfig)
AuthMechType(com.tremolosecurity.config.xml.AuthMechType)
Gson(com.google.gson.Gson)
Token(com.tremolosecurity.json.Token)
GoogleAuthenticatorConfigBuilder(com.warrenstrange.googleauth.GoogleAuthenticatorConfig.GoogleAuthenticatorConfigBuilder)
RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder)
AuthController(com.tremolosecurity.proxy.auth.AuthController)
ServletException(javax.servlet.ServletException)
IOException(java.io.IOException)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
UrlHolder(com.tremolosecurity.config.util.UrlHolder)
ServletException(javax.servlet.ServletException)
SecretKey(javax.crypto.SecretKey)
IvParameterSpec(javax.crypto.spec.IvParameterSpec)
Cipher(javax.crypto.Cipher)
AuthChainType(com.tremolosecurity.config.xml.AuthChainType)
Aggregations
Token (com.tremolosecurity.json.Token)16
Cipher (javax.crypto.Cipher)16
Gson (com.google.gson.Gson)13
IvParameterSpec (javax.crypto.spec.IvParameterSpec)10
ProvisioningException (com.tremolosecurity.provisioning.core.ProvisioningException)4
Approvals (com.tremolosecurity.provisioning.objects.Approvals)4
ByteArrayOutputStream (java.io.ByteArrayOutputStream)4
SecretKey (javax.crypto.SecretKey)4
AuthInfo (com.tremolosecurity.proxy.auth.AuthInfo)3
TOTPKey (com.tremolosecurity.proxy.auth.otp.TOTPKey)3
Attribute (com.tremolosecurity.saml.Attribute)3
IOException (java.io.IOException)3
Session (org.hibernate.Session)3
LDAPAttribute (com.novell.ldap.LDAPAttribute)2
LDAPEntry (com.novell.ldap.LDAPEntry)2
LDAPException (com.novell.ldap.LDAPException)2
Workflow (com.tremolosecurity.provisioning.core.Workflow)2
AllowedApprovers (com.tremolosecurity.provisioning.objects.AllowedApprovers)2
Approval (com.tremolosecurity.provisioning.tasks.Approval)2
AuthController (com.tremolosecurity.proxy.auth.AuthController)2
