
Example 61 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

the class OAuth2K8sServiceAccount method lookupUser.

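/**
 * Looks up the user identified by the verified JWT claims in the virtual directory and
 * installs the resulting {@link AuthInfo} on the session's {@link AuthController}.
 *
 * <p>The search filter is built either from {@code lookupFilter}, a template whose
 * {@code ${claim}} references are replaced by the matching {@code jwtNVP} values, or,
 * when the template is empty, as an equality match of {@code uidAttr} against the claim
 * of the same name. Substituted claim values are escaped per RFC 4515 so that a claim
 * containing filter metacharacters cannot change the structure of the search; a
 * referenced claim that is absent yields a filter that matches nothing.
 *
 * <p>If the search returns an entry its attributes are copied into the {@code AuthInfo}
 * and then merged with the claims; otherwise {@link #loadUnlinkedUser} builds an
 * unlinked user from the claims alone. Both paths mark the step successful; only an
 * {@link LDAPException} marks it failed.
 *
 * @param as                 authentication step to mark as succeeded or failed
 * @param session            HTTP session carrying the {@link AuthController} and mechanism name
 * @param myvd               directory connection used for the search
 * @param noMatchOU          OU under which unlinked users are placed
 * @param uidAttr            attribute used for the default equality filter and the unlinked DN
 * @param lookupFilter       filter template with {@code ${claim}} placeholders, or empty
 * @param act                authentication chain configuration (search root, name, level)
 * @param jwtNVP             claims of the already-verified token, name to value
 * @param defaultObjectClass object class assigned to unlinked users
 * @throws IllegalArgumentException if {@code lookupFilter} has an unterminated {@code ${} reference
 */
public static void lookupUser(AuthStep as, HttpSession session, MyVDConnection myvd, String noMatchOU, String uidAttr, String lookupFilter, AuthChainType act, Map jwtNVP, String defaultObjectClass) {
    String filter = lookupFilter.isEmpty()
            ? buildUidFilter(uidAttr, jwtNVP)
            : buildTemplateFilter(lookupFilter, jwtNVP);
    try {
        String root = act.getRoot();
        if (root == null || root.trim().isEmpty()) {
            root = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot();
        }
        // scope 2 is LDAPConnection.SCOPE_SUB (subtree); the empty attribute list requests all user attributes
        LDAPSearchResults res = myvd.search(root, 2, filter, new ArrayList<String>());
        if (res.hasMore()) {
            LDAPEntry entry = res.next();
            AuthInfo authInfo = new AuthInfo(entry.getDN(), (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
            ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
            copyEntryAttributes(entry, authInfo);
            mergeClaimsIntoAttribs(jwtNVP, authInfo);
        } else {
            loadUnlinkedUser(session, noMatchOU, uidAttr, act, jwtNVP, defaultObjectClass);
        }
        as.setSuccess(true);
    } catch (LDAPException e) {
        // invalid credentials is an expected outcome; anything else is a directory problem worth logging
        if (e.getResultCode() != LDAPException.INVALID_CREDENTIALS) {
            logger.error("Could not authenticate user", e);
        }
        as.setSuccess(false);
    }
}

/** Filter that matches no entry; used when the lookup cannot be satisfied from the claims. */
private static final String NO_MATCH_FILTER = "(!(objectClass=*))";

/**
 * Expands every {@code ${claim}} reference in {@code lookupFilter} with the escaped value of
 * that claim. Returns {@link #NO_MATCH_FILTER} when a referenced claim is absent.
 *
 * @throws IllegalArgumentException if a {@code ${} is not closed by {@code }}
 */
private static String buildTemplateFilter(String lookupFilter, Map jwtNVP) {
    StringBuilder b = new StringBuilder();
    int lastIndex = 0;
    int index = lookupFilter.indexOf("${");
    while (index >= 0) {
        int close = lookupFilter.indexOf('}', index);
        if (close < 0) {
            throw new IllegalArgumentException("Unterminated claim reference in lookup filter '" + lookupFilter + "'");
        }
        b.append(lookupFilter, lastIndex, index);
        String reqName = lookupFilter.substring(index + 2, close);
        Object claim = jwtNVP.get(reqName);
        if (claim == null) {
            // match nothing instead of failing with an NPE on a missing claim
            return NO_MATCH_FILTER;
        }
        // the claim comes from the token, not from configuration: escape it so it stays a value
        b.append(escapeLdapFilterValue(claim.toString()));
        lastIndex = close + 1;
        index = lookupFilter.indexOf("${", lastIndex);
    }
    b.append(lookupFilter.substring(lastIndex));
    String filter = b.toString();
    if (logger.isDebugEnabled()) {
        logger.debug("Filter : '" + filter + "'");
    }
    return filter;
}

/**
 * Builds the default equality filter {@code (uidAttr=claim)} via {@code equal}, or
 * {@link #NO_MATCH_FILTER} when the uid claim is absent.
 */
private static String buildUidFilter(String uidAttr, Map jwtNVP) {
    String userParam = (String) jwtNVP.get(uidAttr);
    if (userParam == null) {
        return NO_MATCH_FILTER;
    }
    return equal(uidAttr, userParam).toString();
}

/** Escapes the characters RFC 4515 reserves inside an assertion value. */
private static String escapeLdapFilterValue(String value) {
    StringBuilder out = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        switch (c) {
            case '*':
                out.append("\\2a");
                break;
            case '(':
                out.append("\\28");
                break;
            case ')':
                out.append("\\29");
                break;
            case '\\':
                out.append("\\5c");
                break;
            case '\0':
                out.append("\\00");
                break;
            default:
                out.append(c);
        }
    }
    return out.toString();
}

/** Copies every attribute of the directory entry into {@code authInfo}, one value per string value. */
private static void copyEntryAttributes(LDAPEntry entry, AuthInfo authInfo) {
    Iterator<LDAPAttribute> it = entry.getAttributeSet().iterator();
    while (it.hasNext()) {
        LDAPAttribute attrib = it.next();
        Attribute attr = new Attribute(attrib.getName());
        for (String val : attrib.getStringValueArray()) {
            attr.getValues().add(val);
        }
        authInfo.getAttribs().put(attr.getName(), attr);
    }
}

/**
 * Merges the token claims into the attributes already loaded from the directory. String
 * claims and {@code Object[]} claims add their (non-null) values if not already present;
 * other value types are ignored.
 */
private static void mergeClaimsIntoAttribs(Map jwtNVP, AuthInfo authInfo) {
    for (Object o : jwtNVP.keySet()) {
        String name = (String) o;
        Object v = jwtNVP.get(name);
        Attribute attr = authInfo.getAttribs().get(name);
        if (attr == null) {
            attr = new Attribute(name);
            authInfo.getAttribs().put(attr.getName(), attr);
        }
        if (v instanceof String) {
            addIfAbsent(attr, (String) v);
        } else if (v instanceof Object[]) {
            for (Object vo : (Object[]) v) {
                addIfAbsent(attr, (String) vo);
            }
        }
        // NOTE(review): List-valued claims (e.g. a JSONArray) are not merged here although
        // loadUnlinkedUser handles them — confirm whether that is intended
    }
}

/** Adds {@code val} to the attribute unless it is null or already present. */
private static void addIfAbsent(Attribute attr, String val) {
    if (val != null && !attr.getValues().contains(val)) {
        attr.getValues().add(val);
    }
}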
Also used : LDAPAttribute(com.novell.ldap.LDAPAttribute) AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) LDAPAttribute(com.novell.ldap.LDAPAttribute) Attribute(com.tremolosecurity.saml.Attribute) AuthController(com.tremolosecurity.proxy.auth.AuthController) LDAPEntry(com.novell.ldap.LDAPEntry) LDAPSearchResults(com.novell.ldap.LDAPSearchResults) LDAPException(com.novell.ldap.LDAPException) JSONObject(org.json.simple.JSONObject)

Example 62 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

the class OAuth2K8sServiceAccount method loadUnlinkedUser.

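/**
 * Builds an {@link AuthInfo} for a user whose claims matched no directory entry and
 * installs it on the session's {@link AuthController}.
 *
 * <p>The user's DN is synthesised as {@code uidAttr=<uid>,ou=<noMatchOU>,<ldapRoot>}.
 * Every non-null claim becomes an attribute: a {@link JSONArray} contributes one value
 * per non-null element, anything else its {@code toString()}. Finally {@code sub} is set
 * to the uid and {@code objectClass} to {@code defaultObjectClass}, overriding claims
 * of the same name.
 *
 * @param session            HTTP session holding the {@link AuthController} and mechanism name
 * @param noMatchOU          OU under which the synthetic DN is placed
 * @param uidAttr            name of the claim (and DN RDN attribute) identifying the user
 * @param act                authentication chain configuration (name, level)
 * @param jwtNVP             verified token claims, name to value
 * @param defaultObjectClass value of the {@code objectClass} attribute for the new user
 */
public static void loadUnlinkedUser(HttpSession session, String noMatchOU, String uidAttr, AuthChainType act, Map jwtNVP, String defaultObjectClass) {
    String uid = (String) jwtNVP.get(uidAttr);
    // NOTE(review): uid and noMatchOU are placed in the DN without RFC 4514 escaping
    // (',', '+', '"', '\\', '<', '>', ';'); escaping would change the DN seen downstream,
    // so it is flagged here rather than changed
    String dn = uidAttr + "=" + uid + ",ou=" + noMatchOU + "," + GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot();
    AuthInfo authInfo = new AuthInfo(dn, (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
    ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
    for (Object o : jwtNVP.keySet()) {
        String name = (String) o;
        Object claim = jwtNVP.get(name);
        if (claim == null) {
            // an absent claim contributes no attribute (previously an NPE on getClass())
            continue;
        }
        if (logger.isDebugEnabled()) {
            logger.debug(name + " type - '" + claim.getClass().getName() + "'");
        }
        Attribute attr;
        if (claim instanceof JSONArray) {
            attr = new Attribute(name);
            for (Object element : (JSONArray) claim) {
                if (element != null) {
                    attr.getValues().add(element.toString());
                }
            }
        } else {
            attr = new Attribute(name, claim.toString());
        }
        authInfo.getAttribs().put(attr.getName(), attr);
    }
    authInfo.getAttribs().put("sub", new Attribute("sub", uid));
    authInfo.getAttribs().put("objectClass", new Attribute("objectClass", defaultObjectClass));
}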
Also used : AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) LDAPAttribute(com.novell.ldap.LDAPAttribute) Attribute(com.tremolosecurity.saml.Attribute) JSONArray(org.json.simple.JSONArray) JSONObject(org.json.simple.JSONObject) AuthController(com.tremolosecurity.proxy.auth.AuthController)

Example 63 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

the class GithubAuthMech method loadUnlinkedUser.

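/**
 * Builds an {@link AuthInfo} for a user whose claims matched no directory entry and
 * installs it on the session's {@link AuthController}.
 *
 * <p>The user's DN is synthesised as {@code uidAttr=<uid>,ou=<noMatchOU>,<ldapRoot>}.
 * Every non-null claim becomes an attribute: an {@code Object[]} contributes one value
 * per non-null element, anything else its {@code toString()}. {@code objectClass} is
 * then set to {@code defaultObjectClass}, overriding a claim of that name.
 *
 * @param session            HTTP session holding the {@link AuthController} and mechanism name
 * @param noMatchOU          OU under which the synthetic DN is placed
 * @param uidAttr            name of the claim (and DN RDN attribute) identifying the user
 * @param act                authentication chain configuration (name, level)
 * @param jwtNVP             verified token claims, name to value
 * @param defaultObjectClass value of the {@code objectClass} attribute for the new user
 */
public static void loadUnlinkedUser(HttpSession session, String noMatchOU, String uidAttr, AuthChainType act, Map jwtNVP, String defaultObjectClass) {
    String uid = (String) jwtNVP.get(uidAttr);
    // NOTE(review): uid and noMatchOU are placed in the DN without RFC 4514 escaping
    // (',', '+', '"', '\\', '<', '>', ';'); escaping would change the DN seen downstream,
    // so it is flagged here rather than changed
    String dn = uidAttr + "=" + uid + ",ou=" + noMatchOU + "," + GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot();
    AuthInfo authInfo = new AuthInfo(dn, (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
    ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
    for (Object o : jwtNVP.keySet()) {
        String name = (String) o;
        Object claim = jwtNVP.get(name);
        if (claim == null) {
            continue; // absent claims contribute no attribute
        }
        if (logger.isDebugEnabled()) {
            logger.debug(name + " type - '" + claim.getClass().getName() + "'");
        }
        Attribute attr;
        // instanceof instead of getClass().isArray() so a primitive array cannot fail the Object[] cast
        if (claim instanceof Object[]) {
            attr = new Attribute(name);
            for (Object element : (Object[]) claim) {
                if (element != null) {
                    // a null element would otherwise NPE on toString()
                    attr.getValues().add(element.toString());
                }
            }
        } else {
            attr = new Attribute(name, claim.toString());
        }
        authInfo.getAttribs().put(attr.getName(), attr);
    }
    authInfo.getAttribs().put("objectClass", new Attribute("objectClass", defaultObjectClass));
}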
Also used : AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) LDAPAttribute(com.novell.ldap.LDAPAttribute) Attribute(com.tremolosecurity.saml.Attribute) JSONObject(org.jose4j.json.internal.json_simple.JSONObject) AuthController(com.tremolosecurity.proxy.auth.AuthController)

Example 64 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

the class GithubAuthMech method lookupUser.

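/**
 * Looks up the user identified by the verified JWT claims in the virtual directory and
 * installs the resulting {@link AuthInfo} on the session's {@link AuthController}.
 *
 * <p>The search filter is built either from {@code lookupFilter}, a template whose
 * {@code ${claim}} references are replaced by the matching {@code jwtNVP} values, or,
 * when the template is empty, as an equality match of {@code uidAttr} against the claim
 * of the same name. Substituted claim values are escaped per RFC 4515 so that a claim
 * containing filter metacharacters cannot change the structure of the search; a
 * referenced claim that is absent yields a filter that matches nothing.
 *
 * <p>If the search returns an entry its attributes are copied into the {@code AuthInfo}
 * and then merged with the claims; otherwise {@link #loadUnlinkedUser} builds an
 * unlinked user from the claims alone. Both paths mark the step successful; only an
 * {@link LDAPException} marks it failed.
 *
 * @param as                 authentication step to mark as succeeded or failed
 * @param session            HTTP session carrying the {@link AuthController} and mechanism name
 * @param myvd               directory connection used for the search
 * @param noMatchOU          OU under which unlinked users are placed
 * @param uidAttr            attribute used for the default equality filter and the unlinked DN
 * @param lookupFilter       filter template with {@code ${claim}} placeholders, or empty
 * @param act                authentication chain configuration (search root, name, level)
 * @param jwtNVP             claims of the already-verified token, name to value
 * @param defaultObjectClass object class assigned to unlinked users
 * @throws IllegalArgumentException if {@code lookupFilter} has an unterminated {@code ${} reference
 */
public static void lookupUser(AuthStep as, HttpSession session, MyVDConnection myvd, String noMatchOU, String uidAttr, String lookupFilter, AuthChainType act, Map jwtNVP, String defaultObjectClass) {
    String filter = lookupFilter.isEmpty()
            ? buildUidFilter(uidAttr, jwtNVP)
            : buildTemplateFilter(lookupFilter, jwtNVP);
    try {
        String root = act.getRoot();
        if (root == null || root.trim().isEmpty()) {
            root = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot();
        }
        // scope 2 is LDAPConnection.SCOPE_SUB (subtree); the empty attribute list requests all user attributes
        LDAPSearchResults res = myvd.search(root, 2, filter, new ArrayList<String>());
        if (res.hasMore()) {
            LDAPEntry entry = res.next();
            AuthInfo authInfo = new AuthInfo(entry.getDN(), (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
            ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
            copyEntryAttributes(entry, authInfo);
            mergeClaimsIntoAttribs(jwtNVP, authInfo);
        } else {
            loadUnlinkedUser(session, noMatchOU, uidAttr, act, jwtNVP, defaultObjectClass);
        }
        as.setSuccess(true);
    } catch (LDAPException e) {
        // invalid credentials is an expected outcome; anything else is a directory problem worth logging
        if (e.getResultCode() != LDAPException.INVALID_CREDENTIALS) {
            logger.error("Could not authenticate user", e);
        }
        as.setSuccess(false);
    }
}

/** Filter that matches no entry; used when the lookup cannot be satisfied from the claims. */
private static final String NO_MATCH_FILTER = "(!(objectClass=*))";

/**
 * Expands every {@code ${claim}} reference in {@code lookupFilter} with the escaped value of
 * that claim. Returns {@link #NO_MATCH_FILTER} when a referenced claim is absent.
 *
 * @throws IllegalArgumentException if a {@code ${} is not closed by {@code }}
 */
private static String buildTemplateFilter(String lookupFilter, Map jwtNVP) {
    StringBuilder b = new StringBuilder();
    int lastIndex = 0;
    int index = lookupFilter.indexOf("${");
    while (index >= 0) {
        int close = lookupFilter.indexOf('}', index);
        if (close < 0) {
            throw new IllegalArgumentException("Unterminated claim reference in lookup filter '" + lookupFilter + "'");
        }
        b.append(lookupFilter, lastIndex, index);
        String reqName = lookupFilter.substring(index + 2, close);
        Object claim = jwtNVP.get(reqName);
        if (claim == null) {
            // match nothing instead of failing with an NPE on a missing claim
            return NO_MATCH_FILTER;
        }
        // the claim comes from the token, not from configuration: escape it so it stays a value
        b.append(escapeLdapFilterValue(claim.toString()));
        lastIndex = close + 1;
        index = lookupFilter.indexOf("${", lastIndex);
    }
    b.append(lookupFilter.substring(lastIndex));
    String filter = b.toString();
    if (logger.isDebugEnabled()) {
        logger.debug("Filter : '" + filter + "'");
    }
    return filter;
}

/**
 * Builds the default equality filter {@code (uidAttr=claim)} via {@code equal}, or
 * {@link #NO_MATCH_FILTER} when the uid claim is absent.
 */
private static String buildUidFilter(String uidAttr, Map jwtNVP) {
    String userParam = (String) jwtNVP.get(uidAttr);
    if (userParam == null) {
        return NO_MATCH_FILTER;
    }
    return equal(uidAttr, userParam).toString();
}

/** Escapes the characters RFC 4515 reserves inside an assertion value. */
private static String escapeLdapFilterValue(String value) {
    StringBuilder out = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        switch (c) {
            case '*':
                out.append("\\2a");
                break;
            case '(':
                out.append("\\28");
                break;
            case ')':
                out.append("\\29");
                break;
            case '\\':
                out.append("\\5c");
                break;
            case '\0':
                out.append("\\00");
                break;
            default:
                out.append(c);
        }
    }
    return out.toString();
}

/** Copies every attribute of the directory entry into {@code authInfo}, one value per string value. */
private static void copyEntryAttributes(LDAPEntry entry, AuthInfo authInfo) {
    Iterator<LDAPAttribute> it = entry.getAttributeSet().iterator();
    while (it.hasNext()) {
        LDAPAttribute attrib = it.next();
        Attribute attr = new Attribute(attrib.getName());
        for (String val : attrib.getStringValueArray()) {
            attr.getValues().add(val);
        }
        authInfo.getAttribs().put(attr.getName(), attr);
    }
}

/**
 * Merges the token claims into the attributes already loaded from the directory. String
 * claims and {@code Object[]} claims add their (non-null) values if not already present;
 * other value types are ignored.
 */
private static void mergeClaimsIntoAttribs(Map jwtNVP, AuthInfo authInfo) {
    for (Object o : jwtNVP.keySet()) {
        String name = (String) o;
        Object v = jwtNVP.get(name);
        Attribute attr = authInfo.getAttribs().get(name);
        if (attr == null) {
            attr = new Attribute(name);
            authInfo.getAttribs().put(attr.getName(), attr);
        }
        if (v instanceof String) {
            addIfAbsent(attr, (String) v);
        } else if (v instanceof Object[]) {
            for (Object vo : (Object[]) v) {
                addIfAbsent(attr, (String) vo);
            }
        }
        // NOTE(review): List-valued claims are not merged here — confirm whether that is intended
    }
}

/** Adds {@code val} to the attribute unless it is null or already present. */
private static void addIfAbsent(Attribute attr, String val) {
    if (val != null && !attr.getValues().contains(val)) {
        attr.getValues().add(val);
    }
}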
Also used : LDAPAttribute(com.novell.ldap.LDAPAttribute) AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) LDAPAttribute(com.novell.ldap.LDAPAttribute) Attribute(com.tremolosecurity.saml.Attribute) AuthController(com.tremolosecurity.proxy.auth.AuthController) LDAPEntry(com.novell.ldap.LDAPEntry) LDAPSearchResults(com.novell.ldap.LDAPSearchResults) LDAPException(com.novell.ldap.LDAPException) JSONObject(org.jose4j.json.internal.json_simple.JSONObject)

Example 65 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

the class TokenData method processUserInfoRequest.

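/**
 * Serves the OpenID Connect UserInfo endpoint for a bearer access token.
 *
 * <p>The token from the {@code Authorization: Bearer} header is resolved to a stored
 * session; the id_token kept with that session is decrypted with the trust's last-mile
 * key and its signature checked against this IdP's public key before its claims are
 * returned, either as a JWS signed with RS256 when the trust requests signed userinfo or
 * as plain JSON. A missing or non-Bearer header, an unknown token, an unknown client and
 * a signature failure each produce a 401 and an {@code AzFail} access-log entry.
 *
 * @param request  request carrying the bearer token and the {@link UrlHolder}
 * @param response response that receives the claims
 * @throws Exception if decryption, signing or writing the response fails
 */
private void processUserInfoRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
    AuthController ac = (AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL);
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    final String bearerPrefix = "Bearer ";
    String header = request.getHeader("Authorization");
    // RFC 6750: accept only the Bearer scheme (scheme names are case-insensitive); checking the
    // prefix first also keeps substring() from throwing on a header shorter than the prefix
    if (header == null || !header.regionMatches(true, 0, bearerPrefix, 0, bearerPrefix.length())) {
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        response.sendError(401);
        return;
    }
    String accessToken = header.substring(bearerPrefix.length());
    OidcSessionState dbSession = this.getSessionByAccessToken(accessToken);
    if (dbSession == null) {
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        response.sendError(401);
        return;
    }
    OpenIDConnectTrust trust = trusts.get(dbSession.getClientID());
    if (trust == null) {
        // the stored session names a client that is no longer configured; unauthorized rather than an NPE
        logger.warn("No trust configured for client '" + dbSession.getClientID() + "'");
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        response.sendError(401);
        return;
    }
    JsonWebSignature jws = new JsonWebSignature();
    jws.setCompactSerialization(this.decryptToken(trust.getCodeLastmileKeyName(), new Gson(), dbSession.getEncryptedIdToken()));
    // the id_token was issued and signed by this IdP, so verify against its own certificate
    jws.setKey(GlobalEntries.getGlobalEntries().getConfigManager().getCertificate(this.jwtSigningKeyName).getPublicKey());
    if (!jws.verifySignature()) {
        logger.warn("id_token tampered with");
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        response.sendError(401);
        return;
    }
    JwtClaims claims = JwtClaims.parse(jws.getPayload());
    String jwt;
    if (trust.isSignedUserInfo()) {
        jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(GlobalEntries.getGlobalEntries().getConfigManager().getPrivateKey(this.jwtSigningKeyName));
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        jwt = jws.getCompactSerialization();
    } else {
        jwt = claims.toJson();
    }
    // NOTE(review): OIDC Core 5.3.2 specifies application/json for an unsigned UserInfo response;
    // application/jwt is kept for both branches here to preserve existing client behaviour
    response.setContentType("application/jwt");
    response.getOutputStream().write(jwt.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    // the access log records the token's subject, not the (possibly absent) browser session user
    AuthInfo remUser = new AuthInfo();
    remUser.setUserDN(dbSession.getUserDN());
    AccessLog.log(AccessEvent.AuSuccess, holder.getApp(), request, remUser, "NONE");
    AccessLog.log(AccessEvent.AzSuccess, holder.getApp(), request, remUser, "NONE");
}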
Also used : UrlHolder(com.tremolosecurity.config.util.UrlHolder) AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) JsonWebSignature(org.jose4j.jws.JsonWebSignature) JwtClaims(org.jose4j.jwt.JwtClaims) Gson(com.google.gson.Gson) AuthController(com.tremolosecurity.proxy.auth.AuthController) OidcSessionState(com.tremolosecurity.idp.providers.oidc.model.OidcSessionState)
