
Example 16 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

Class AzFilter, method doFilter (authorization filter: evaluates the URL's az rules and applies the success or failure result group).

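@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    // Authorization filter. Evaluates the az rules configured for this URL
    // against the authenticated user; on success the configured "success"
    // result group (if any) is applied before and after the rest of the
    // chain runs, on failure the "fail" result group is applied or, when none
    // is configured, the request is stopped with a 401. Every decision is
    // written to the access log.
    AuthController authCtl = (AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL);
    AuthInfo authData = authCtl != null ? authCtl.getAuthInfo() : null;
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);

    // Fail closed: with no authentication context or no URL configuration
    // there is nothing to authorize against. The previous code dereferenced
    // these unconditionally and would have failed with a NullPointerException
    // (an error page rather than an explicit denial); an explicit 401 is
    // clearer to diagnose and never lets the request reach the chain.
    if (authData == null || holder == null) {
        ((HttpServletResponse) response.getServletResponse()).sendError(401);
        return;
    }

    boolean authorized = az.checkRules(authData, holder.getConfig(), holder.getAzRules(), null);
    if (authorized) {
        String respGroup = az.getResponseSuccessGroup(holder);
        AccessLog.log(AccessEvent.AzSuccess, holder.getApp(), request.getServletRequest(), authData, respGroup != null ? respGroup : "NONE");
        if (respGroup != null) {
            // Request-phase results (e.g. headers) are applied before the
            // downstream filters see the request.
            az.processRequestResult(request.getServletRequest(), response.getServletResponse(), holder.getConfig().getResultGroup(respGroup), authData);
        }
        chain.nextFilter(request, response, chain);
        if (respGroup != null) {
            az.proccessResponseResult(request.getServletRequest(), response.getServletResponse(), holder.getConfig().getResultGroup(respGroup), false, authData, holder.getApp().getCookieConfig());
        }
    } else {
        String respGroup = az.getResponseFailGroup(holder);
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request.getServletRequest(), authData, respGroup != null ? respGroup : "NONE");
        if (respGroup != null) {
            az.proccessResponseResult(request.getServletRequest(), response.getServletResponse(), holder.getConfig().getResultGroup(respGroup), true, authData, holder.getApp().getCookieConfig());
        } else {
            // The denial is sent on the underlying servlet response, as the
            // other branches do, rather than by casting the filter wrapper.
            // NOTE(review): an authorization failure would conventionally be
            // 403; 401 is kept because existing clients/config may rely on it.
            ((HttpServletResponse) response.getServletResponse()).sendError(401);
        }
    }
}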
Also used : UrlHolder(com.tremolosecurity.config.util.UrlHolder) AzRuleType(com.tremolosecurity.config.xml.AzRuleType) AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) HttpSession(javax.servlet.http.HttpSession) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthController(com.tremolosecurity.proxy.auth.AuthController)

Example 17 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

Class CheckADShadowAccounts, method doFilter (rewrites the userPrincipalName of AD shadow accounts and flags them).

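@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    // Marks users whose userPrincipalName does not end with the configured
    // non-shadow suffix as AD "shadow" accounts: the UPN is rewritten from the
    // configured source attribute (its '@' replaced by '.') plus the non-shadow
    // suffix, and the flag attribute/value is added to the user's attributes.
    // Users already on the non-shadow suffix pass through untouched. The chain
    // continues in both cases.
    AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
    String currentUPN = requiredFirstValue(userData, "userPrincipalName");
    // NOTE(review): endsWith is case-sensitive, while UPN suffixes in AD are
    // generally compared case-insensitively; a differently cased suffix would
    // be treated as a shadow account. Behavior is kept as-is — confirm intent.
    if (!currentUPN.endsWith(this.nonShadowSuffix)) {
        String sourceUPN = requiredFirstValue(userData, this.upnAttributeName);
        String rewrittenUPN = sourceUPN.replace('@', '.') + "@" + this.nonShadowSuffix;
        Attribute upnAttr = userData.getAttribs().get("userPrincipalName");
        upnAttr.getValues().clear();
        upnAttr.getValues().add(rewrittenUPN);
        userData.getAttribs().put(this.flagAttributeName, new Attribute(this.flagAttributeName, this.flagAttributeValue));
    }
    chain.nextFilter(request, response, chain);
}

/**
 * Returns the first value of the named user attribute.
 *
 * The previous code indexed the attribute directly and failed with a
 * NullPointerException / IndexOutOfBoundsException when it was missing or
 * empty; this fails just as closed but names the attribute in the message.
 *
 * @throws IllegalStateException when the attribute is absent or has no values
 */
private static String requiredFirstValue(AuthInfo userData, String attributeName) {
    Attribute attr = userData.getAttribs().get(attributeName);
    if (attr == null || attr.getValues().isEmpty()) {
        throw new IllegalStateException("Authenticated user has no value for attribute '" + attributeName + "'");
    }
    return attr.getValues().get(0);
}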
Also used : AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) Attribute(com.tremolosecurity.saml.Attribute) AuthController(com.tremolosecurity.proxy.auth.AuthController)

Example 18 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

Class OpenIDConnectAuthMech, method lookupUser (resolves the OIDC subject to a directory entry via an LDAP search built from JWT claims).

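public static void lookupUser(AuthStep as, HttpSession session, MyVDConnection myvd, String noMatchOU, String uidAttr, String lookupFilter, AuthChainType act, Map jwtNVP, String defaultObjectClass) {
    // Resolves the OIDC subject to a directory entry and installs the result
    // as the session's AuthInfo. The search filter is either the configured
    // template (claims referenced as ${claim} are substituted) or a plain
    // (uidAttr=<claim>) equality. A matching entry supplies the DN and its
    // attributes, after which the JWT claims are merged in; with no match the
    // user is loaded as an "unlinked" user under noMatchOU. An LDAP failure
    // marks the step unsuccessful.
    String filter;
    if (!lookupFilter.isEmpty()) {
        filter = buildFilterFromTemplate(lookupFilter, jwtNVP);
        if (logger.isDebugEnabled()) {
            // Claim values end up in this line; it stays at debug level.
            logger.debug("Filter : '" + filter + "'");
        }
    } else {
        String userParam = (String) jwtNVP.get(uidAttr);
        if (userParam == null) {
            // No uid claim: a filter that can never match sends the user down
            // the unlinked-user path instead of searching for "(uidAttr=null)".
            filter = "(!(objectClass=*))";
        } else {
            // equal() is a filter builder defined outside this listing; it is
            // presumed to escape the value — confirm, since the claim comes
            // from the token.
            filter = equal(uidAttr, userParam).toString();
        }
    }
    try {
        String root = act.getRoot();
        if (root == null || root.trim().isEmpty()) {
            root = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot();
        }
        // Scope 2 = subtree; the empty attribute list requests all attributes.
        LDAPSearchResults res = myvd.search(root, 2, filter, new ArrayList<String>());
        if (res.hasMore()) {
            LDAPEntry entry = res.next();
            AuthInfo authInfo = new AuthInfo(entry.getDN(), (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
            ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
            // Directory attributes first ...
            Iterator<LDAPAttribute> it = entry.getAttributeSet().iterator();
            while (it.hasNext()) {
                LDAPAttribute attrib = it.next();
                Attribute attr = new Attribute(attrib.getName());
                for (String val : attrib.getStringValueArray()) {
                    attr.getValues().add(val);
                }
                authInfo.getAttribs().put(attr.getName(), attr);
            }
            // ... then JWT claims, appended to any attribute of the same name
            // without duplicating values. Only String and Object[] claims are
            // carried over; other claim types are ignored.
            for (Object o : jwtNVP.keySet()) {
                String s = (String) o;
                Object v = jwtNVP.get(s);
                Attribute attr = authInfo.getAttribs().get(s);
                if (attr == null) {
                    attr = new Attribute(s);
                    authInfo.getAttribs().put(attr.getName(), attr);
                }
                if (v instanceof String) {
                    String val = (String) v;
                    if (!attr.getValues().contains(val)) {
                        attr.getValues().add(val);
                    }
                } else if (v instanceof Object[]) {
                    for (Object vo : ((Object[]) v)) {
                        String vv = (String) vo;
                        if (vv != null && !attr.getValues().contains(vv)) {
                            attr.getValues().add(vv);
                        }
                    }
                }
            }
            as.setSuccess(true);
        } else {
            loadUnlinkedUser(session, noMatchOU, uidAttr, act, jwtNVP, defaultObjectClass);
            as.setSuccess(true);
        }
    } catch (LDAPException e) {
        if (e.getResultCode() != LDAPException.INVALID_CREDENTIALS) {
            logger.error("Could not authenticate user", e);
        }
        as.setSuccess(false);
    }
}

/**
 * Expands ${claim} references in the configured filter template with values
 * taken from the JWT.
 *
 * Substituted values are escaped per RFC 4515 so a claim containing '*',
 * '(', ')', '\' or NUL cannot change the structure of the filter (LDAP filter
 * injection); the previous code spliced the raw claim text in. A referenced
 * claim that is absent from the token yields a filter that matches nothing,
 * mirroring the non-template branch, instead of a NullPointerException.
 * A multi-valued (array) claim is rendered with toString(), as before.
 * The template syntax itself is parsed exactly as before: each '$' is
 * expected to start a "${name}" reference.
 */
private static String buildFilterFromTemplate(String lookupFilter, Map jwtNVP) {
    StringBuilder b = new StringBuilder();
    int lastIndex = 0;
    int index = lookupFilter.indexOf('$');
    while (index >= 0) {
        b.append(lookupFilter, lastIndex, index);
        lastIndex = lookupFilter.indexOf('}', index) + 1;
        String reqName = lookupFilter.substring(index + 2, lastIndex - 1);
        Object claim = jwtNVP.get(reqName);
        if (claim == null) {
            return "(!(objectClass=*))";
        }
        b.append(escapeLdapFilterValue(claim.toString()));
        index = lookupFilter.indexOf('$', index + 1);
    }
    b.append(lookupFilter.substring(lastIndex));
    return b.toString();
}

/** Escapes an assertion value for use inside an LDAP search filter (RFC 4515). */
private static String escapeLdapFilterValue(String value) {
    StringBuilder sb = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        switch (c) {
            case '\\':
                sb.append("\\5c");
                break;
            case '*':
                sb.append("\\2a");
                break;
            case '(':
                sb.append("\\28");
                break;
            case ')':
                sb.append("\\29");
                break;
            case '\0':
                sb.append("\\00");
                break;
            default:
                sb.append(c);
        }
    }
    return sb.toString();
}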
Also used : LDAPAttribute(com.novell.ldap.LDAPAttribute) AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) LDAPAttribute(com.novell.ldap.LDAPAttribute) Attribute(com.tremolosecurity.saml.Attribute) AuthController(com.tremolosecurity.proxy.auth.AuthController) LDAPEntry(com.novell.ldap.LDAPEntry) LDAPSearchResults(com.novell.ldap.LDAPSearchResults) LDAPException(com.novell.ldap.LDAPException) JSONObject(org.jose4j.json.internal.json_simple.JSONObject)

Example 19 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

Class OpenIDConnectAuthMech, method loadUnlinkedUser (builds an AuthInfo, with a synthesized DN, for an OIDC user that has no directory entry).

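public static void loadUnlinkedUser(HttpSession session, String noMatchOU, String uidAttr, AuthChainType act, Map jwtNVP, String defaultObjectClass) {
    // Builds an AuthInfo for an OIDC user that has no directory entry: the DN
    // is synthesized as <uidAttr>=<uid claim>,ou=<noMatchOU>,<ldap root>, each
    // JWT claim becomes an attribute (array claims become multi-valued) and the
    // configured default objectClass is added. The result is installed on the
    // session's AuthController.
    Object uidClaim = jwtNVP.get(uidAttr);
    if (uidClaim == null) {
        // The previous code produced the literal DN "<uidAttr>=null,..." here,
        // an identity shared by every token lacking the claim; refuse instead.
        throw new IllegalArgumentException("JWT has no '" + uidAttr + "' claim; cannot build a DN for the unlinked user");
    }
    // The uid comes from the token, so its RDN value is escaped per RFC 4514:
    // characters such as ',' '+' '=' or '"' would otherwise be read as
    // additional RDN components of the synthesized DN.
    String dn = uidAttr + "=" + escapeRdnValue(uidClaim.toString()) + ",ou=" + noMatchOU + "," + GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot();
    AuthInfo authInfo = new AuthInfo(dn, (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
    ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
    for (Object o : jwtNVP.keySet()) {
        String s = (String) o;
        Object oAttr = jwtNVP.get(s);
        if (oAttr == null) {
            // A JSON null carries no attribute value (the previous code failed
            // with a NullPointerException on oAttr.getClass()).
            continue;
        }
        if (logger.isDebugEnabled()) {
            logger.debug(s + " type - '" + oAttr.getClass().getName() + "'");
        }
        Attribute attr;
        if (oAttr.getClass().isArray()) {
            attr = new Attribute(s);
            for (Object v : (Object[]) oAttr) {
                // Null elements are skipped, as lookupUser does when merging claims.
                if (v != null) {
                    attr.getValues().add(v.toString());
                }
            }
        } else {
            attr = new Attribute(s, oAttr.toString());
        }
        authInfo.getAttribs().put(attr.getName(), attr);
    }
    authInfo.getAttribs().put("objectClass", new Attribute("objectClass", defaultObjectClass));
}

/** Escapes an attribute value for use inside a DN's RDN (RFC 4514, section 2.4). */
private static String escapeRdnValue(String value) {
    StringBuilder sb = new StringBuilder(value.length());
    int last = value.length() - 1;
    for (int i = 0; i <= last; i++) {
        char c = value.charAt(i);
        boolean special = c == '\\' || c == ',' || c == '+' || c == '"' || c == '<' || c == '>' || c == ';' || c == '=';
        boolean atEdge = (i == 0 && (c == ' ' || c == '#')) || (i == last && c == ' ');
        if (c == '\0') {
            sb.append("\\00");
        } else if (special || atEdge) {
            sb.append('\\').append(c);
        } else {
            sb.append(c);
        }
    }
    return sb.toString();
}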
Also used : AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) LDAPAttribute(com.novell.ldap.LDAPAttribute) Attribute(com.tremolosecurity.saml.Attribute) JSONObject(org.jose4j.json.internal.json_simple.JSONObject) AuthController(com.tremolosecurity.proxy.auth.AuthController)

Example 20 with AuthInfo

use of com.tremolosecurity.proxy.auth.AuthInfo in project OpenUnison by TremoloSecurity.

Class Registration, method doFilter (U2F security-key registration: GET issues the challenge, POST verifies the token's response and stores the key).

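@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    // U2F security-key registration.
    //  GET : builds a registration challenge for the authenticated user,
    //        scoped to this request's application id, keeps the challenge and
    //        the U2FServer in the session and forwards to the challenge page.
    //  POST: verifies the token's response against the session's U2FServer,
    //        re-encrypts the user's complete key set and persists it through
    //        the configured workflow, then forwards to the completion page
    //        with "register.result" set to the outcome.
    // Any other method falls through without writing a response.
    if (request.getMethod().equalsIgnoreCase("GET")) {
        // TODO switch this off  (carried over from the original; its intent is not stated)
        AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
        String accountName = userData.getAttribs().get(this.uidAttributeName).getValues().get(0);
        List<SecurityKeyData> keys = U2fUtil.loadUserKeys(userData, challengeStoreAttribute, encyrptionKeyName);
        // Only this request's application id is an acceptable origin.
        Set<String> origins = new HashSet<String>();
        String appID = U2fUtil.getApplicationId(request.getServletRequest());
        origins.add(appID);
        // Attestation certificates are only supplied when attestation is required.
        Set<X509Certificate> trustedAttestation = this.requireAttestation ? this.attestationCerts : new HashSet<X509Certificate>();
        U2FServer u2f = new U2FServerUnison(this.challengeGen, new UnisonDataStore(UUID.randomUUID().toString(), keys, trustedAttestation), new BouncyCastleCrypto(), origins, this.requireAttestation);
        RegistrationRequest regRequest = u2f.getRegistrationRequest(accountName, appID);
        request.getSession().setAttribute(Registration.REGISTRATION_REQUEST_JSON, gson.toJson(regRequest));
        request.getSession().setAttribute(Registration.REGISTRATION_REQUEST, regRequest);
        request.getSession().setAttribute(Registration.SERVER, u2f);
        request.setAttribute(REGISTRATION_URI, request.getRequestURL().toString());
        request.getRequestDispatcher(this.challengeURI).forward(request.getServletRequest(), response.getServletResponse());
    } else if (request.getMethod().equalsIgnoreCase("POST")) {
        U2FServer u2f = (U2FServer) request.getSession().getAttribute(SERVER);
        // A POST with no pending registration in this session, or without a
        // tokenResponse parameter, cannot be a valid registration. Report it
        // as a failed registration rather than failing with a
        // NullPointerException, as the previous code did.
        if (u2f == null || request.getParameter("tokenResponse") == null || request.getParameter("tokenResponse").getValues().isEmpty()) {
            logger.warn("Registration POST without a pending registration request or tokenResponse");
            request.setAttribute("register.result", false);
            request.getRequestDispatcher(this.registrationCompleteURI).forward(request.getServletRequest(), response.getServletResponse());
            return;
        }
        String tokenResponseJson = request.getParameter("tokenResponse").getValues().get(0);
        if (logger.isDebugEnabled()) {
            logger.debug("response : '" + tokenResponseJson + "'");
        }
        RegistrationResponseHolder rrh = gson.fromJson(tokenResponseJson, RegistrationResponseHolder.class);
        // NOTE(review): the third constructor argument receives clientData a
        // second time — check this against RegistrationResponse's signature.
        RegistrationResponse rr = new RegistrationResponse(rrh.getRegistrationData(), rrh.getClientData(), rrh.getClientData());
        try {
            u2f.processRegistrationResponse(rr, System.currentTimeMillis());
        } catch (U2FException e) {
            logger.error("Could not register", e);
            request.setAttribute("register.result", false);
            request.getRequestDispatcher(this.registrationCompleteURI).forward(request.getServletRequest(), response.getServletResponse());
            return;
        }
        // NOTE(review): the pending REGISTRATION_REQUEST / SERVER session
        // attributes are left in place after processing; consider clearing
        // them here so the same challenge cannot be resubmitted.
        AuthInfo userData = ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
        // The account-name argument is ignored by the session-scoped data store
        // (hence the placeholder); the whole key set is re-encrypted for storage.
        String encrypted = U2fUtil.encode(u2f.getAllSecurityKeys("doesntmatter"), encyrptionKeyName);
        String uid = userData.getAttribs().get(this.uidAttributeName).getValues().get(0);
        WFCall wc = new WFCall();
        wc.setName(this.workflowName);
        wc.setUidAttributeName(this.uidAttributeName);
        TremoloUser tu = new TremoloUser();
        tu.setUid(uid);
        tu.getAttributes().add(new Attribute(this.uidAttributeName, uid));
        tu.getAttributes().add(new Attribute(this.challengeStoreAttribute, encrypted));
        wc.setUser(tu);
        // Run the workflow synchronously so the result page reflects the stored keys.
        Map<String, Object> req = new HashMap<String, Object>();
        req.put(ProvisioningParams.UNISON_EXEC_TYPE, ProvisioningParams.UNISON_EXEC_SYNC);
        wc.setRequestParams(req);
        GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getWorkFlow(this.workflowName).executeWorkflow(wc);
        request.setAttribute("register.result", true);
        request.getRequestDispatcher(this.registrationCompleteURI).forward(request.getServletRequest(), response.getServletResponse());
    }
}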
Also used : AuthInfo(com.tremolosecurity.proxy.auth.AuthInfo) U2FServer(com.google.u2f.server.U2FServer) WFCall(com.tremolosecurity.provisioning.service.util.WFCall) BouncyCastleCrypto(com.google.u2f.server.impl.BouncyCastleCrypto) Attribute(com.tremolosecurity.saml.Attribute) AuthController(com.tremolosecurity.proxy.auth.AuthController) RegistrationRequest(com.google.u2f.server.messages.RegistrationRequest) SecurityKeyData(com.google.u2f.server.data.SecurityKeyData) TremoloUser(com.tremolosecurity.provisioning.service.util.TremoloUser) U2FException(com.google.u2f.U2FException) RegistrationResponse(com.google.u2f.server.messages.RegistrationResponse) HashMap(java.util.HashMap) Map(java.util.Map) HashSet(java.util.HashSet)
