Use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.
The class Groups2Attribute, method doFilter.
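@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    HttpSession session = request.getSession();
    // `key` doubles as a per-session marker: once the group lookup has run, the directory
    // is not searched again for this session and the cached attribute values are reused.
    if (session.getAttribute(key) == null) {
        AuthInfo authInfo = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
        Attribute members = authInfo.getAttribs().get(this.attrName);
        if (members == null) {
            members = new Attribute();
            authInfo.getAttribs().put(this.attrName, members);
        }

        // Only the group's cn is requested; scope 2 is a subtree search under `base`.
        ArrayList<String> requestedAttrs = new ArrayList<>();
        requestedAttrs.add("cn");
        // The user DN is passed through equal(), which is expected to emit a properly escaped
        // filter assertion — TODO confirm, since an unescaped DN would be a filter-injection point.
        String groupFilter = equal(GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getGroupMemberAttribute(), authInfo.getUserDN()).toString();
        LDAPSearchResults res = this.cfg.getMyVD().search(this.base, 2, groupFilter, requestedAttrs);

        while (res.hasMore()) {
            LDAPEntry entry = res.next();
            if (entry.getAttribute("cn") == null) {
                // A group without a cn cannot be named; skip it rather than failing the whole request.
                continue;
            }
            String cn = entry.getAttribute("cn").getStringValue();
            if (p == null) {
                members.getValues().add(cn);
            } else {
                // With a pattern configured, only matching names contribute, and only capture group `groupNum`.
                Matcher m = p.matcher(cn);
                if (m.matches()) {
                    members.getValues().add(m.group(groupNum));
                }
            }
        }
        session.setAttribute(key, key);
    }
    chain.nextFilter(request, response, chain);
}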
Use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.
The class JITAuthMech, method doGet.
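@Override
public void doGet(HttpServletRequest req, HttpServletResponse resp, AuthStep as) throws ServletException, IOException {
    HttpSession session = req.getSession();
    UrlHolder holder = (UrlHolder) req.getAttribute(ProxyConstants.AUTOIDM_CFG);
    AuthController authCtl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);

    // Both mechanism parameters come from the auth-chain configuration and are mandatory.
    String nameAttr = requiredParam(authParams, "nameAttr", "No name attribute");
    String workflowName = requiredParam(authParams, "workflowName", "No workflow specified");

    AuthInfo authInfo = authCtl.getAuthInfo();
    try {
        holder.getConfig().getProvisioningEngine().getWorkFlow(workflowName).executeWorkflow(authInfo, nameAttr);
        as.setSuccess(true);
    } catch (ProvisioningException e) {
        // Passing the exception lets the logging framework print the full cause chain. The
        // previous hand-rolled PrintWriter dump was never flushed, so its output was lost.
        logger.error("Could not execute workflow '" + workflowName + "' on '" + authInfo.getUserDN() + "'", e);
        as.setSuccess(false);
    }
    // The chain advances regardless of outcome; the step's success flag carries the result.
    holder.getConfig().getAuthManager().nextAuth(req, resp, session, false);
}

/**
 * Returns the first value of a required mechanism parameter.
 *
 * @param authParams the mechanism parameters stored in the session
 * @param name the parameter to read
 * @param missingMessage message for the exception thrown when the parameter is absent
 * @throws ServletException if {@code name} is not present in {@code authParams}
 */
private static String requiredParam(HashMap<String, Attribute> authParams, String name, String missingMessage) throws ServletException {
    Attribute attr = authParams.get(name);
    if (attr == null) {
        throw new ServletException(missingMessage);
    }
    return attr.getValues().get(0);
}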
Use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.
The class CreateAWSRoleAttribute, method doFilter.
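@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
    Attribute source = userData.getAttribs().get(this.sourceAttribute);
    if (source == null) {
        // NOTE(review): the filter chain is not continued on this path, so the request produces no
        // downstream response. Confirm that dropping the request is intended rather than continuing
        // without the AWS role attribute.
        logger.warn("Source attribute not found");
        return;
    }

    // The role-ARN prefix and the provider-ARN suffix do not depend on the group, so build them once.
    String rolePrefix = "arn:aws:iam::" + this.accountNumber + ":role/";
    String providerSuffix = ",arn:aws:iam::" + this.accountNumber + ":saml-provider/" + this.idpName;

    // Each value is "<role arn>,<saml-provider arn>", the pair AWS reads from the SAML Role attribute.
    Attribute roles = new Attribute("https://aws.amazon.com/SAML/Attributes/Role");
    for (String groupName : source.getValues()) {
        roles.getValues().add(rolePrefix + groupName + providerSuffix);
    }
    userData.getAttribs().put(roles.getName(), roles);
    chain.nextFilter(request, response, chain);
}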
Use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.
The class WebAuthnRegistration, method doFilter.
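@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    // Errors on this endpoint are answered in-band as JSON rather than by redirecting to an error page.
    request.getServletRequest().setAttribute("com.tremolosecurity.unison.proxy.noRedirectOnError", "com.tremolosecurity.unison.proxy.noRedirectOnError");

    if (request.getMethod().equalsIgnoreCase("GET")) {
        if (request.getRequestURI().endsWith("/credentialCreateOptions")) {
            writeCredentialCreateOptions(request, response);
        } else {
            forwardToChallengePage(request, response);
        }
    } else if (request.getMethod().equalsIgnoreCase("POST")) {
        try {
            storeCredential(request);
        } catch (WebAuthnException e) {
            // User-correctable failures carry their message back to the caller.
            writeError(response, e.getMessage());
        } catch (Throwable t) {
            // Anything else is logged server-side; the client only gets a generic message.
            logger.error("Could not store credential", t);
            writeError(response, "There was an error, please contanct your system administrator");
        }
    }
}

/**
 * Answers GET /credentialCreateOptions with the PublicKeyCredentialCreationOptions the browser
 * passes to navigator.credentials.create(), wrapped as {"publicKey": ..., "serverProperty": ...}.
 * Creates and stores an empty WebAuthn record for the user on first use.
 */
private void writeCredentialCreateOptions(HttpFilterRequest request, HttpFilterResponse response) throws Exception {
    ObjectConverter oc = new ObjectConverter();
    String rpId = getRpId(request.getServletRequest());
    AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();

    WebAuthnUserData webAuthnUserData = WebAuthnUtils.lookupWebAuthnUserData(userData, challengeStoreAttribute, encryptionKeyName);
    if (webAuthnUserData == null) {
        // First registration for this user: persist an empty record keyed by the uid attribute.
        webAuthnUserData = new WebAuthnUserData(userData.getAttribs().get(this.uidAttributeName).getValues().get(0));
        WebAuthnUtils.storeWebAuthnUserData(webAuthnUserData, this.encryptionKeyName, userData, this.workflowName, this.uidAttributeName, this.challengeStoreAttribute);
    }

    Challenge challenge = new DefaultChallenge();
    String b64UrlChallenge = Base64UrlUtil.encodeToString(challenge.getValue());
    String b64UrlId = Base64.getUrlEncoder().encodeToString(webAuthnUserData.getId());
    ServerProperty serverProperty = new ServerProperty(new Origin(request.getRequestURL().toString()), rpId, challenge, webAuthnUserData.getId());

    // The session copy is the one the server can trust when the registration response comes back.
    // NOTE(review): the serialized copy echoed to the client below is client-controlled and must
    // not be used for challenge or origin verification.
    request.getSession().setAttribute("tremolo.io/webauthn/serverProperty", serverProperty);
    byte[] serverPropertyBytes = serialize(serverProperty);

    AuthenticatorSelectionCriteria authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria(authenticatorAttachment, requireResisentKey, userVerificationRequirement);
    PublicKeyCredentialParameters publicKeyCredentialParameters = new PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, COSEAlgorithmIdentifier.ES256);
    PublicKeyCredentialUserEntity publicKeyCredentialUserEntity = new PublicKeyCredentialUserEntity(webAuthnUserData.getId(), webAuthnUserData.getDisplayName(), webAuthnUserData.getDisplayName());
    AuthenticationExtensionsClientInputs<RegistrationExtensionClientInput> extensions = new AuthenticationExtensionsClientInputs<>();
    PublicKeyCredentialCreationOptions credentialCreationOptions = new PublicKeyCredentialCreationOptions(
            new PublicKeyCredentialRpEntity(rpId, rpId), publicKeyCredentialUserEntity, challenge,
            Collections.singletonList(publicKeyCredentialParameters), null, Collections.emptyList(),
            authenticatorSelectionCriteria, AttestationConveyancePreference.NONE, extensions);

    // The challenge and user id are re-emitted as base64url, presumably the form the
    // registration page expects — the converter's own encoding of those two fields is replaced.
    JSONObject root = (JSONObject) new JSONParser().parse(oc.getJsonConverter().writeValueAsString(credentialCreationOptions));
    root.put("challenge", b64UrlChallenge);
    ((JSONObject) root.get("user")).put("id", b64UrlId);

    JSONObject publicKeyRoot = new JSONObject();
    publicKeyRoot.put("publicKey", root);
    publicKeyRoot.put("serverProperty", Base64.getUrlEncoder().encodeToString(serverPropertyBytes));
    response.getWriter().println(publicKeyRoot.toString());
}

/** Java-serializes the ServerProperty so it can be echoed to the client as base64url. */
private static byte[] serialize(ServerProperty serverProperty) throws IOException {
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    // try-with-resources closes (and therefore flushes) the ObjectOutputStream before the bytes are read.
    try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
        out.writeObject(serverProperty);
    }
    return bos.toByteArray();
}

/** Forwards any other GET to the registration page, telling it where to fetch options and finish. */
private void forwardToChallengePage(HttpFilterRequest request, HttpFilterResponse response) throws Exception {
    String baseUrl = request.getRequestURL().toString();
    request.setAttribute("tremolo.io/webauthn/challengeurl", baseUrl + "/credentialCreateOptions");
    request.setAttribute("tremolo.io/webauthn/finishregistration", baseUrl + "/finishregistration");
    request.getRequestDispatcher(this.challengeURI).forward(request.getServletRequest(), response.getServletResponse());
}

/** Writes a 500 response whose body is {"error": message}. */
private static void writeError(HttpFilterResponse response, String message) throws Exception {
    JSONObject body = new JSONObject();
    body.put("error", message);
    // setStatus rather than sendError: sendError commits the response with the container's
    // error page, so a JSON body written afterwards would be discarded.
    response.setStatus(500);
    response.getWriter().println(body.toString());
}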
Use of com.tremolosecurity.proxy.auth.AuthController in project OpenUnison by TremoloSecurity.
The class WebAuthnRegistration, method storeCredential.
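/**
 * Completes a registration started by GET /credentialCreateOptions: parses and validates the
 * browser's attestation response against the ServerProperty stored in the session, then adds the
 * resulting authenticator to the user's WebAuthn data under the supplied label.
 *
 * @param request the POST whose body is a JSON object with attestationObject, clientDataJSON,
 *                clientExtResults and label
 * @throws WebAuthnException for user-correctable problems: a missing field, a duplicate label,
 *                           or no registration in progress in this session
 * @throws DataConversionException when the attestation response cannot be parsed
 * @throws ValidationException when the response fails WebAuthn validation
 */
private void storeCredential(HttpFilterRequest request) throws ParseException, IOException, ClassNotFoundException, ServletException, Exception {
    byte[] requestBytes = (byte[]) request.getAttribute(ProxySys.MSG_BODY);
    JSONObject root = (JSONObject) new JSONParser().parse(new String(requestBytes, StandardCharsets.UTF_8));

    String label = requiredField(root, "label", "Label required");
    byte[] attestationObject = Base64.getUrlDecoder().decode(requiredField(root, "attestationObject", "attestationObject required"));
    byte[] clientDataJSON = Base64.getUrlDecoder().decode(requiredField(root, "clientDataJSON", "clientDataJSON required"));
    String clientExtensionJSON = (String) root.get("clientExtResults");

    // Use the ServerProperty this server stored when it issued the creation options. The copy the
    // client posts back is client-controlled and Java-serialized: deserializing it would let the
    // caller choose the challenge and origin being verified and would feed untrusted bytes to an
    // ObjectInputStream.
    ServerProperty serverProperty = (ServerProperty) request.getSession().getAttribute("tremolo.io/webauthn/serverProperty");
    if (serverProperty == null) {
        throw new WebAuthnException("No registration in progress, request credential creation options first");
    }

    AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
    WebAuthnUserData webAuthnUserData = WebAuthnUtils.lookupWebAuthnUserData(userData, this.challengeStoreAttribute, this.encryptionKeyName);
    if (webAuthnUserData == null) {
        throw new Exception("No webauthn user data, should not happen");
    }
    // Reject a duplicate label before the challenge is consumed so the user can simply pick another.
    for (OpenUnisonAuthenticator existing : webAuthnUserData.getAuthenticators()) {
        if (existing.getLabel().equals(label)) {
            throw new WebAuthnException("Label already exists, choose another label");
        }
    }

    Set<String> transports = new HashSet<>();
    // expectations: user presence is required, user verification is not
    boolean userVerificationRequired = false;
    boolean userPresenceRequired = true;

    RegistrationRequest registrationRequest = new RegistrationRequest(attestationObject, clientDataJSON, clientExtensionJSON, transports);
    RegistrationParameters registrationParameters = new RegistrationParameters(serverProperty, userVerificationRequired, userPresenceRequired);

    // parse() raises DataConversionException and validate() raises ValidationException; both
    // propagate to doFilter, which reports a generic error to the client.
    WebAuthnManager webAuthnManager = WebAuthnManager.createNonStrictWebAuthnManager();
    RegistrationData registrationData = webAuthnManager.parse(registrationRequest);
    webAuthnManager.validate(registrationData, registrationParameters);

    // The challenge has been used; drop it so the same ServerProperty cannot validate a second registration.
    request.getSession().removeAttribute("tremolo.io/webauthn/serverProperty");

    OpenUnisonAuthenticator authenticator = new OpenUnisonAuthenticator(label,
            registrationData.getAttestationObject().getAuthenticatorData().getAttestedCredentialData(),
            registrationData.getAttestationObject().getAttestationStatement(),
            registrationData.getAttestationObject().getAuthenticatorData().getSignCount());
    webAuthnUserData.getAuthenticators().add(authenticator);
    WebAuthnUtils.storeWebAuthnUserData(webAuthnUserData, encryptionKeyName, userData, workflowName, uidAttributeName, challengeStoreAttribute);
}

/**
 * Returns the non-empty string stored under {@code key} in the request body.
 *
 * @throws WebAuthnException with {@code missingMessage} if the field is absent, empty, or not a string
 */
private static String requiredField(JSONObject root, String key, String missingMessage) throws WebAuthnException {
    Object value = root.get(key);
    if (!(value instanceof String) || ((String) value).isEmpty()) {
        throw new WebAuthnException(missingMessage);
    }
    return (String) value;
}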