Use of com.tremolosecurity.proxy.auth.util.OpenIDConnectToken in the OpenUnison project by TremoloSecurity.
The class IdTokenLoader, method loadToken.
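/**
 * Loads the OpenID Connect tokens for the authenticated user out of the HTTP
 * session and returns them keyed by name ({@code id_token}, and
 * {@code refresh_token} when one can be obtained).
 *
 * @param user    the authenticated user (not read by this loader beyond the signature)
 * @param session the HTTP session in which {@code GenerateOIDCTokens} stored the token
 * @return a map of token names to encoded values; empty when no token is in the session
 * @throws Exception propagated from {@code replaceState()} or {@code getEncodedIdJSON()}
 */
@Override
public Object loadToken(AuthInfo user, HttpSession session) throws Exception {
    OpenIDConnectToken token = (OpenIDConnectToken) session.getAttribute(GenerateOIDCTokens.UNISON_SESSION_OIDC_ID_TOKEN);

    // The null guard must run before replaceState(): the original dereferenced
    // the token first, so a missing token produced a NullPointerException and
    // the "No id token found" branch was unreachable.
    if (token == null) {
        logger.warn("No id token found");
        return new HashMap<String, String>();
    }
    token.replaceState();

    HashMap<String, String> tokens = new HashMap<String, String>();
    tokens.put("id_token", token.getEncodedIdJSON());

    // The refresh token is optional here: a failure is logged and the id_token
    // is still returned, unlike the kubectl loader, which requires it.
    try {
        tokens.put("refresh_token", token.getRefreshToken());
    } catch (Exception e) {
        logger.warn("Could not get refresh token", e);
    }
    return tokens;
}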
Use of com.tremolosecurity.proxy.auth.util.OpenIDConnectToken in the OpenUnison project by TremoloSecurity.
The class InjectIdToken, method getResultValue.
/**
 * Builds the value of the injected Authorization header: {@code "Bearer "}
 * followed by the session's encoded id_token, or {@code "Bearer NONE"} when
 * no token is present. An expired token is refreshed in place first, under
 * the token's own monitor so concurrent requests do not refresh it twice.
 *
 * @param request  current request; its session holds the token written by {@code GenerateOIDCTokens}
 * @param response unused
 * @return the header value
 * @throws ServletException when the expired token cannot be refreshed
 */
@Override
public String getResultValue(HttpServletRequest request, HttpServletResponse response) throws ServletException {
    final String prefix = "Bearer ";
    OpenIDConnectToken idToken = (OpenIDConnectToken) request.getSession().getAttribute(GenerateOIDCTokens.UNISON_SESSION_OIDC_ID_TOKEN);
    if (idToken == null) {
        return prefix + "NONE";
    }

    String encoded;
    synchronized (idToken) {
        if (idToken.isExpired()) {
            try {
                // OU_HOST overrides the host used when contacting the IdP for the refresh
                request.setAttribute(ProxyTools.OVERRIDE_HOST, System.getProperty("OU_HOST"));
                idToken.refreshProxyToken(request);
            } catch (MalformedURLException | MalformedClaimException | JoseException | LDAPException | ProvisioningException e) {
                throw new ServletException("Could not generate id_token", e);
            }
        }
        encoded = idToken.getEncodedIdJSON();
    }
    return prefix + encoded;
}
Use of com.tremolosecurity.proxy.auth.util.OpenIDConnectToken in the OpenUnison project by TremoloSecurity.
The class KubectlTokenLoader, method loadToken.
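/**
 * Loads the OpenID Connect tokens for the authenticated user out of the HTTP
 * session and renders the kubectl configuration commands (POSIX and, when
 * configured, Windows) that embed them.
 *
 * <p>The rendered commands contain the id_token and the refresh token, so
 * the returned map is sensitive and should only be shown to the user it
 * was generated for.
 *
 * @param user    the authenticated user; its uid attribute is exposed to the templates as {@code user_id}
 * @param session the HTTP session in which {@code GenerateOIDCTokens} stored the token
 * @return map of display names to values; empty when no token is in the session
 * @throws Exception propagated from the token, certificate conversion or template rendering
 */
@Override
public Object loadToken(AuthInfo user, HttpSession session) throws Exception {
    OpenIDConnectToken token = (OpenIDConnectToken) session.getAttribute(GenerateOIDCTokens.UNISON_SESSION_OIDC_ID_TOKEN);

    // The null guard must run before replaceState(): the original dereferenced
    // the token first, so a missing token produced a NullPointerException and
    // the "No id token found" branch was unreachable.
    if (token == null) {
        logger.warn("No id token found");
        return new HashMap<String, String>();
    }
    token.replaceState();

    HashMap<String, String> tokens = new HashMap<String, String>();

    // CA certificates as PEM; cert2pem is treated as returning null when the
    // named certificate is unavailable (the original code relied on the same).
    String k8sCert = this.cert2pem(this.k8sCaCertName);
    if (k8sCert != null) {
        tokens.put("Kubernetes API Server CA Certificate", k8sCert);
    }
    String ouCert = this.cert2pem(this.unisonCaCertName);
    if (ouCert != null) {
        tokens.put("OpenUnison Server CA Certificate", ouCert);
    }

    // Objects visible to the templates. The whole token object is exposed, so
    // the template decides which of its fields end up in the rendered command.
    HashMap<String, Object> templateObjects = new HashMap<String, Object>();
    templateObjects.put("user", user);
    templateObjects.put("token", token);
    templateObjects.put("user_id", user.getAttribs().get(this.uidAttributeName).getValues().get(0));

    String kubectlTemplateLocal = this.kubectlTemplate;
    String winKubectlLocal = this.kubectlWinUsage;
    if (k8sCert != null) {
        templateObjects.put("k8s_b64_cert", new String(Base64.encodeBase64(k8sCert.getBytes("UTF-8"))));
        // Single-line forms of the PEM: "\n" escapes for POSIX shells, "`n" for PowerShell
        templateObjects.put("k8s_newline_cert", k8sCert.replace("\n", "\\n"));
        templateObjects.put("k8s_newline_cert_win", k8sCert.replace("\n", "`n"));
    } else {
        // No CA available: point kubectl at /dev/null and drop the PowerShell
        // step that would have written the (absent) certificate to $TMP_CERT.
        kubectlTemplateLocal = kubectlTemplateLocal.replace("--certificate-authority=\\$TMP_CERT", "--certificate-authority=/dev/null");
        if (winKubectlLocal != null) {
            winKubectlLocal = winKubectlLocal.replace("\"$k8s_newline_cert_win$\" | out-file \\$TMP_CERT -encoding oem ;", "");
        }
    }
    if (ouCert != null) {
        templateObjects.put("ou_b64_cert", new String(Base64.encodeBase64(ouCert.getBytes("UTF-8"))));
    }

    tokens.put("kubectl Command", this.renderTemplate(kubectlTemplateLocal, templateObjects));
    // winKubectlLocal is null exactly when kubectlWinUsage is null
    if (winKubectlLocal != null) {
        tokens.put("kubectl Windows Command", this.renderTemplate(winKubectlLocal, templateObjects));
    }
    tokens.put("Usage", this.kubectlUsage);
    tokens.put("id_token", token.getEncodedIdJSON());
    // Unlike IdTokenLoader, a missing refresh token is an error here: the
    // kubectl configuration is unusable without it.
    tokens.put("refresh_token", token.getRefreshToken());
    return tokens;
}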
Use of com.tremolosecurity.proxy.auth.util.OpenIDConnectToken in the OpenUnison project by TremoloSecurity.
The class GenerateOIDCTokens, method doGet.
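/**
 * Authentication step that mints an OpenID Connect token for the current
 * session and stores it under {@code UNISON_SESSION_OIDC_ID_TOKEN}, where the
 * token loaders and {@code InjectIdToken} read it, then advances the chain.
 *
 * <p>Required mechanism parameters: {@code idpName} and {@code trustName}.
 * Optional: {@code overrideURL} (defaults to the request URL).
 *
 * @param request  current request; must carry the {@code UrlHolder} under {@code AUTOIDM_CFG}
 * @param response current response, passed on to the next authentication step
 * @param as       the step to mark successful once the token is stored
 * @throws ServletException when configuration is missing or the token cannot be generated
 * @throws IOException      propagated from the next authentication step
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();

    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }

    // Mechanism parameters are stored untyped in the session; the cast is the
    // one the rest of the chain relies on, so the warning is suppressed locally.
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    if (authParams == null) {
        throw new ServletException("No authentication mechanism parameters in session");
    }

    // Fail with a clear message instead of the NullPointerException the
    // original raised when a required parameter was not configured.
    Attribute idpNameAttr = authParams.get("idpName");
    Attribute trustNameAttr = authParams.get("trustName");
    if (idpNameAttr == null || trustNameAttr == null) {
        throw new ServletException("Both idpName and trustName must be configured");
    }
    String idpName = idpNameAttr.getValues().get(0);
    String trustName = trustNameAttr.getValues().get(0);

    String overrideURL = request.getRequestURL().toString();
    Attribute overrideAttr = authParams.get("overrideURL");
    if (overrideAttr != null) {
        overrideURL = overrideAttr.getValues().get(0);
    }

    OpenIDConnectToken token = new OpenIDConnectToken(idpName, trustName, overrideURL);
    try {
        // OU_HOST overrides the host used when contacting the IdP
        request.setAttribute(ProxyTools.OVERRIDE_HOST, System.getProperty("OU_HOST"));
        token.generateToken(request);
    } catch (MalformedClaimException | JoseException | LDAPException | ProvisioningException e) {
        throw new ServletException("Could not generate token", e);
    }

    session.setAttribute(GenerateOIDCTokens.UNISON_SESSION_OIDC_ID_TOKEN, token);
    as.setSuccess(true);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}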