
Example 66 with AuthController

use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.

the class GroupBase2Attribute method doFilter.

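/**
 * Adds {@code attributeName=attributeValue} to the session's {@link AuthInfo} when the
 * authenticated user is a member of a group under {@code groupDN}, then continues the chain.
 *
 * <p>The directory lookup runs once per session: a marker is stored under {@code key} after the
 * first evaluation and later requests skip the search. Group membership changes made while a
 * session is alive are therefore not reflected until the session ends.
 *
 * @param request  the current request; its session carries the {@link AuthController}
 * @param response the current response (passed through unchanged)
 * @param chain    the filter chain to continue with
 * @throws Exception propagated from the directory search or from the next filter
 */
@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    HttpSession session = request.getSession();
    if (session.getAttribute(key) == null) {
        AuthInfo authInfo = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
        // Subtree search (scope 2) under groupDN for any group whose member attribute holds the
        // user's DN. The filter is produced by the equal() helper rather than by string
        // concatenation; it is assumed to escape the DN value — confirm against its definition.
        String memberAttr = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getGroupMemberAttribute();
        String memberFilter = equal(memberAttr, authInfo.getUserDN()).toString();
        LDAPSearchResults res = cfgMgr.getMyVD().search(groupDN, 2, memberFilter, attribs);
        boolean isMember = res.hasMore();
        if (isMember) {
            // Only the existence of a match matters; consume the entry and discard it.
            res.next();
            logger.debug("User is member");
            Attribute attr = authInfo.getAttribs().get(this.attributeName);
            if (attr == null) {
                attr = new Attribute(this.attributeName);
                authInfo.getAttribs().put(this.attributeName, attr);
            }
            attr.getValues().add(this.attributeValue);
        } else {
            logger.debug("User is NOT member");
        }
        // Mark the session as evaluated regardless of the outcome so the search is not repeated.
        session.setAttribute(key, key);
    }
    chain.nextFilter(request, response, chain);
}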

Example 67 with AuthController

use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.

the class OAuth2K8sServiceAccount method lookupUser.

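/**
 * Resolves the token principal to a directory entry and installs the resulting {@link AuthInfo}
 * on the session's {@link AuthController}.
 *
 * <p>When {@code lookupFilter} is non-empty it is treated as a template: every
 * {@code ${claim}} placeholder is replaced with the value of that claim from {@code jwtNVP},
 * escaped for use inside an LDAP filter. Otherwise the filter is {@code (uidAttr=value)}, or a
 * filter that matches nothing when the uid claim is absent. On a match the entry's attributes
 * and then the token claims are merged into the AuthInfo; without a match the principal is
 * loaded as an unlinked user via {@link #loadUnlinkedUser}.
 *
 * @param as                 the auth step; success is set on lookup or unlinked load, cleared on an LDAP error
 * @param session            the HTTP session holding the {@link AuthController} and mechanism name
 * @param myvd               the directory connection used for the search
 * @param noMatchOU          OU under which unlinked users are synthesized
 * @param uidAttr            claim / attribute name that identifies the user
 * @param lookupFilter       filter template, or empty to search on {@code uidAttr}
 * @param act                chain configuration supplying the search root, name and level
 * @param jwtNVP             name/value pairs from the token review (raw map; values are String or Object[])
 * @param defaultObjectClass objectClass assigned to unlinked users
 * @throws IllegalArgumentException if the template is malformed or names a claim that is absent
 */
public static void lookupUser(AuthStep as, HttpSession session, MyVDConnection myvd, String noMatchOU, String uidAttr, String lookupFilter, AuthChainType act, Map jwtNVP, String defaultObjectClass) {
    String filter;
    if (!lookupFilter.isEmpty()) {
        filter = renderLookupFilter(lookupFilter, jwtNVP);
        if (logger.isDebugEnabled()) {
            logger.debug("Filter : '" + filter + "'");
        }
    } else {
        String userParam = (String) jwtNVP.get(uidAttr);
        // A missing uid claim must never match an entry, so use an always-false filter.
        filter = (userParam == null) ? "(!(objectClass=*))" : equal(uidAttr, userParam).toString();
    }
    try {
        String root = act.getRoot();
        if (root == null || root.trim().isEmpty()) {
            root = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot();
        }
        // Scope 2 = subtree search; no attribute list means all attributes are returned.
        LDAPSearchResults res = myvd.search(root, 2, filter, new ArrayList<String>());
        if (res.hasMore()) {
            LDAPEntry entry = res.next();
            AuthInfo authInfo = new AuthInfo(entry.getDN(), (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
            ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
            copyEntryAttributes(entry, authInfo);
            mergeTokenClaims(jwtNVP, authInfo);
            as.setSuccess(true);
        } else {
            loadUnlinkedUser(session, noMatchOU, uidAttr, act, jwtNVP, defaultObjectClass);
            as.setSuccess(true);
        }
    } catch (LDAPException e) {
        // Invalid credentials on the directory bind is expected noise; anything else is logged.
        if (e.getResultCode() != LDAPException.INVALID_CREDENTIALS) {
            logger.error("Could not authenticate user", e);
        }
        as.setSuccess(false);
    }
}

/**
 * Expands {@code ${name}} placeholders in {@code template} with the matching claim value.
 * Claim values are escaped with {@link #escapeFilterValue} so a token claim cannot alter the
 * structure of the search filter. A {@code $} that does not start a placeholder is kept literally.
 *
 * @throws IllegalArgumentException on an unterminated placeholder or a missing claim
 */
private static String renderLookupFilter(String template, Map jwtNVP) {
    StringBuilder out = new StringBuilder();
    int copiedUpTo = 0;
    int open = template.indexOf("${");
    while (open >= 0) {
        int close = template.indexOf('}', open);
        if (close < 0) {
            throw new IllegalArgumentException("Unterminated placeholder in lookup filter '" + template + "'");
        }
        String claimName = template.substring(open + 2, close);
        Object claim = jwtNVP.get(claimName);
        if (claim == null) {
            // Fail closed rather than search on a partially rendered filter.
            throw new IllegalArgumentException("Lookup filter references claim '" + claimName + "' which is not present in the token");
        }
        out.append(template, copiedUpTo, open);
        out.append(escapeFilterValue(claim.toString()));
        copiedUpTo = close + 1;
        open = template.indexOf("${", copiedUpTo);
    }
    out.append(template, copiedUpTo, template.length());
    return out.toString();
}

/** Escapes a value for use inside an LDAP search filter assertion (RFC 4515 section 3). */
private static String escapeFilterValue(String value) {
    StringBuilder sb = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        switch (c) {
            case '\\':
                sb.append("\\5c");
                break;
            case '*':
                sb.append("\\2a");
                break;
            case '(':
                sb.append("\\28");
                break;
            case ')':
                sb.append("\\29");
                break;
            case '\0':
                sb.append("\\00");
                break;
            default:
                sb.append(c);
        }
    }
    return sb.toString();
}

/** Copies every attribute of the matched directory entry into the AuthInfo's attribute map. */
private static void copyEntryAttributes(LDAPEntry entry, AuthInfo authInfo) {
    Iterator<LDAPAttribute> it = entry.getAttributeSet().iterator();
    while (it.hasNext()) {
        LDAPAttribute ldapAttr = it.next();
        Attribute attr = new Attribute(ldapAttr.getName());
        for (String val : ldapAttr.getStringValueArray()) {
            attr.getValues().add(val);
        }
        authInfo.getAttribs().put(attr.getName(), attr);
    }
}

/**
 * Merges token claims into the AuthInfo. A claim that has no attribute yet gets an (initially
 * empty) one; String and Object[] values are added without duplicates.
 */
private static void mergeTokenClaims(Map jwtNVP, AuthInfo authInfo) {
    for (Object o : jwtNVP.keySet()) {
        String name = (String) o;
        Object value = jwtNVP.get(name);
        Attribute attr = authInfo.getAttribs().get(name);
        if (attr == null) {
            attr = new Attribute(name);
            authInfo.getAttribs().put(attr.getName(), attr);
        }
        if (value instanceof String) {
            addIfAbsent(attr, (String) value);
        } else if (value instanceof Object[]) {
            for (Object element : (Object[]) value) {
                addIfAbsent(attr, (String) element);
            }
        }
        // NOTE(review): JSON arrays (org.json.simple.JSONArray is a List, not an Object[]) fall
        // through both branches and are dropped here, whereas loadUnlinkedUser in this class
        // handles JSONArray — confirm whether that difference is intended.
    }
}

/** Adds {@code value} to {@code attr} unless it is null or already present. */
private static void addIfAbsent(Attribute attr, String value) {
    if (value != null && !attr.getValues().contains(value)) {
        attr.getValues().add(value);
    }
}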

Example 68 with AuthController

use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.

the class OAuth2K8sServiceAccount method processToken.

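/**
 * Validates {@code lmToken} through the Kubernetes TokenReview API of the configured target.
 * On success the principal is loaded either linked to the directory ({@code linkToDirectory})
 * or as an unlinked user, the optional {@code target} request parameter becomes the post-login
 * URL, and the auth chain is advanced. On failure the step is marked failed and the failure
 * response is sent.
 *
 * @param request    the current request
 * @param response   the current response
 * @param as         the auth step to mark executed / successful
 * @param session    the HTTP session holding the {@link AuthController}
 * @param authParams mechanism parameters; {@code k8sTarget}, {@code linkToDirectory},
 *                   {@code noMatchOU}, {@code uidAttr}, {@code lookupFilter} and
 *                   {@code defaultObjectClass} are required
 * @param act        chain configuration
 * @param realmName  realm reported on failure
 * @param scope      scope reported on failure
 * @param cfg        configuration manager providing the provisioning engine, directory and auth manager
 * @param lmToken    the bearer token to review
 * @throws ServletException if a required parameter is missing or token validation fails unexpectedly
 * @throws IOException      from closing the HTTP client
 */
@Override
public void processToken(HttpServletRequest request, HttpServletResponse response, AuthStep as, HttpSession session, HashMap<String, Attribute> authParams, AuthChainType act, String realmName, String scope, ConfigManager cfg, String lmToken) throws ServletException, IOException {
    String k8sTarget = requiredParam(authParams, "k8sTarget");
    boolean linkToDirectory = Boolean.parseBoolean(requiredParam(authParams, "linkToDirectory"));
    String noMatchOU = requiredParam(authParams, "noMatchOU");
    String uidAttr = requiredParam(authParams, "uidAttr");
    String lookupFilter = requiredParam(authParams, "lookupFilter");
    String defaultObjectClass = requiredParam(authParams, "defaultObjectClass");
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    // TokenReview request body; the token is only sent to the API server, never logged.
    JSONObject spec = new JSONObject();
    spec.put("token", lmToken);
    JSONObject root = new JSONObject();
    root.put("kind", "TokenReview");
    root.put("apiVersion", "authentication.k8s.io/v1");
    root.put("spec", spec);
    String json = root.toJSONString();
    HttpCon con = null;
    try {
        OpenShiftTarget target = (OpenShiftTarget) cfg.getProvisioningEngine().getTarget(k8sTarget).getProvider();
        con = target.createClient();
        String respJSON = target.callWSPost(target.getAuthToken(), con, "/apis/authentication.k8s.io/v1/tokenreviews", json);
        if (logger.isDebugEnabled()) {
            logger.debug("JSON - " + respJSON);
        }
        JSONObject resp = (JSONObject) new JSONParser().parse(respJSON);
        JSONObject status = (JSONObject) resp.get("status");
        boolean tokenValid;
        if (status == null || status.get("error") != null) {
            logger.error("Could not validate token : " + (status == null ? "no status in response" : status.get("error")));
            tokenValid = false;
        } else {
            // Anything other than an explicit boolean true is treated as not authenticated.
            tokenValid = Boolean.TRUE.equals(status.get("authenticated"));
        }
        if (!tokenValid) {
            as.setExecuted(true);
            as.setSuccess(false);
            cfg.getAuthManager().nextAuth(request, response, request.getSession(), false);
            super.sendFail(response, realmName, scope, null, null);
            return;
        }
        JSONObject user = (JSONObject) status.get("user");
        if (linkToDirectory) {
            // lookupUser sets the step's success itself (false on a directory error).
            lookupUser(as, session, cfg.getMyVD(), noMatchOU, uidAttr, lookupFilter, act, user, defaultObjectClass);
        } else {
            loadUnlinkedUser(session, noMatchOU, uidAttr, act, user, defaultObjectClass);
            as.setSuccess(true);
        }
        String redirectToURL = request.getParameter("target");
        if (redirectToURL != null && !redirectToURL.isEmpty()) {
            // NOTE(review): the post-login URL is taken from the request without validation here;
            // any restriction to allowed destinations must happen where the redirect is issued — confirm.
            reqHolder.setURL(redirectToURL);
        }
        as.setExecuted(true);
        // The step's success is deliberately not overwritten here: the previous unconditional
        // setSuccess(true) discarded the failure lookupUser records on an LDAP error.
        cfg.getAuthManager().nextAuth(request, response, request.getSession(), false);
    } catch (Exception e) {
        throw new ServletException("Could not validate token", e);
    } finally {
        // con stays null when the target lookup or client creation fails; closing it then would
        // replace the real exception with a NullPointerException.
        if (con != null) {
            con.getHttp().close();
            con.getBcm().close();
        }
    }
}

/**
 * Returns the first value of a required mechanism parameter.
 *
 * @throws ServletException if the parameter is absent or has no value
 */
private static String requiredParam(HashMap<String, Attribute> authParams, String name) throws ServletException {
    Attribute param = authParams.get(name);
    if (param == null || param.getValues().isEmpty()) {
        throw new ServletException("Missing required authentication parameter '" + name + "'");
    }
    return param.getValues().get(0);
}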

Example 69 with AuthController

use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.

the class OAuth2K8sServiceAccount method loadUnlinkedUser.

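/**
 * Builds an {@link AuthInfo} for a token principal that has no directory entry and installs it
 * on the session's {@link AuthController}. The DN is synthesized as
 * {@code uidAttr=<uid>,ou=<noMatchOU>,<ldapRoot>}; every non-null claim becomes an attribute
 * (JSON arrays become multi-valued), then {@code sub} and {@code objectClass} are set.
 *
 * @param session            the HTTP session holding the {@link AuthController} and mechanism name
 * @param noMatchOU          OU under which the synthesized DN is placed
 * @param uidAttr            claim name holding the user identifier
 * @param act                chain configuration supplying name and level
 * @param jwtNVP             claims from the token review (raw map)
 * @param defaultObjectClass value of the {@code objectClass} attribute
 * @throws IllegalArgumentException if {@code jwtNVP} has no {@code uidAttr} claim
 */
public static void loadUnlinkedUser(HttpSession session, String noMatchOU, String uidAttr, AuthChainType act, Map jwtNVP, String defaultObjectClass) {
    String uid = (String) jwtNVP.get(uidAttr);
    if (uid == null) {
        // Without a uid there is no identity to synthesize; previously the DN would have
        // contained the literal text "null".
        throw new IllegalArgumentException("Token has no '" + uidAttr + "' claim");
    }
    // The uid originates from the token review, so it is RFC 4514-escaped before being embedded:
    // a value containing ',' or '=' must not add RDNs to the synthesized identity.
    String dn = uidAttr + '=' + escapeDnValue(uid) + ",ou=" + noMatchOU + ',' + GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot();
    AuthInfo authInfo = new AuthInfo(dn, (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
    ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
    for (Object o : jwtNVP.keySet()) {
        String name = (String) o;
        Object value = jwtNVP.get(name);
        if (value == null) {
            // A null claim carries no value; dereferencing it (as before) would throw.
            continue;
        }
        if (logger.isDebugEnabled()) {
            logger.debug(name + " type - '" + value.getClass().getName() + "'");
        }
        Attribute attr;
        if (value instanceof JSONArray) {
            attr = new Attribute(name);
            for (Object element : (JSONArray) value) {
                if (element != null) {
                    attr.getValues().add(element.toString());
                }
            }
        } else {
            attr = new Attribute(name, value.toString());
        }
        authInfo.getAttribs().put(attr.getName(), attr);
    }
    authInfo.getAttribs().put("sub", new Attribute("sub", uid));
    authInfo.getAttribs().put("objectClass", new Attribute("objectClass", defaultObjectClass));
}

/** Escapes an attribute value for use in a distinguished name (RFC 4514 section 2.4). */
private static String escapeDnValue(String value) {
    StringBuilder sb = new StringBuilder(value.length() + 8);
    int last = value.length() - 1;
    for (int i = 0; i <= last; i++) {
        char c = value.charAt(i);
        boolean special = ",+\"\\<>;=".indexOf(c) >= 0
                || (i == 0 && (c == ' ' || c == '#'))
                || (i == last && c == ' ');
        if (c == '\0') {
            sb.append("\\00");
        } else if (special) {
            sb.append('\\').append(c);
        } else {
            sb.append(c);
        }
    }
    return sb.toString();
}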

Example 70 with AuthController

use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.

the class GithubAuthMech method loadUnlinkedUser.

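/**
 * Builds an {@link AuthInfo} for a GitHub principal that has no directory entry and installs it
 * on the session's {@link AuthController}. The DN is synthesized as
 * {@code uidAttr=<uid>,ou=<noMatchOU>,<ldapRoot>}; every non-null claim becomes an attribute
 * (arrays become multi-valued), then {@code objectClass} is set.
 *
 * @param session            the HTTP session holding the {@link AuthController} and mechanism name
 * @param noMatchOU          OU under which the synthesized DN is placed
 * @param uidAttr            claim name holding the user identifier
 * @param act                chain configuration supplying name and level
 * @param jwtNVP             claims from the identity provider (raw map)
 * @param defaultObjectClass value of the {@code objectClass} attribute
 * @throws IllegalArgumentException if {@code jwtNVP} has no {@code uidAttr} claim
 */
public static void loadUnlinkedUser(HttpSession session, String noMatchOU, String uidAttr, AuthChainType act, Map jwtNVP, String defaultObjectClass) {
    String uid = (String) jwtNVP.get(uidAttr);
    if (uid == null) {
        // Without a uid there is no identity to synthesize; previously the DN would have
        // contained the literal text "null".
        throw new IllegalArgumentException("Token has no '" + uidAttr + "' claim");
    }
    // The uid originates from the identity provider, so it is RFC 4514-escaped before being
    // embedded: a value containing ',' or '=' must not add RDNs to the synthesized identity.
    String dn = uidAttr + '=' + escapeDnValue(uid) + ",ou=" + noMatchOU + ',' + GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot();
    AuthInfo authInfo = new AuthInfo(dn, (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
    ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
    for (Object o : jwtNVP.keySet()) {
        String name = (String) o;
        Object value = jwtNVP.get(name);
        if (value == null) {
            continue; // a null claim carries no attribute value
        }
        if (logger.isDebugEnabled()) {
            logger.debug(name + " type - '" + value.getClass().getName() + "'");
        }
        Attribute attr;
        if (value.getClass().isArray()) {
            attr = new Attribute(name);
            for (Object element : (Object[]) value) {
                if (element != null) {
                    attr.getValues().add(element.toString());
                }
            }
        } else {
            attr = new Attribute(name, value.toString());
        }
        authInfo.getAttribs().put(attr.getName(), attr);
    }
    authInfo.getAttribs().put("objectClass", new Attribute("objectClass", defaultObjectClass));
}

/** Escapes an attribute value for use in a distinguished name (RFC 4514 section 2.4). */
private static String escapeDnValue(String value) {
    StringBuilder sb = new StringBuilder(value.length() + 8);
    int last = value.length() - 1;
    for (int i = 0; i <= last; i++) {
        char c = value.charAt(i);
        boolean special = ",+\"\\<>;=".indexOf(c) >= 0
                || (i == 0 && (c == ' ' || c == '#'))
                || (i == last && c == ' ');
        if (c == '\0') {
            sb.append("\\00");
        } else if (special) {
            sb.append('\\').append(c);
        } else {
            sb.append(c);
        }
    }
    return sb.toString();
}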
