
Example 1 with OpenIDConnectToken

use of com.tremolosecurity.proxy.auth.util.OpenIDConnectToken in project OpenUnison by TremoloSecurity.

The class IdTokenLoader, method loadToken.

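/**
 * Loads the OIDC id token that {@code GenerateOIDCTokens} stored in the session and
 * returns it as a map of token values.
 *
 * @param user    the authenticated user; not used by this loader
 * @param session the HTTP session holding the {@code OpenIDConnectToken}
 * @return a map with {@code id_token} and, when it can be obtained, {@code refresh_token};
 *         an empty map when the session holds no token
 * @throws Exception propagated from the token accessors
 */
@Override
public Object loadToken(AuthInfo user, HttpSession session) throws Exception {
    OpenIDConnectToken token = (OpenIDConnectToken) session.getAttribute(GenerateOIDCTokens.UNISON_SESSION_OIDC_ID_TOKEN);
    if (token == null) {
        logger.warn("No id token found");
        return new HashMap<String, String>();
    }
    // Must run after the null check: calling it first dereferences a possibly-null
    // token and the "no token" branch below could never be reached.
    token.replaceState();
    HashMap<String, String> tokens = new HashMap<String, String>();
    tokens.put("id_token", token.getEncodedIdJSON());
    try {
        tokens.put("refresh_token", token.getRefreshToken());
    } catch (Exception e) {
        // Best effort: a missing refresh token still leaves a usable id token.
        logger.warn("Could not get refresh token", e);
    }
    return tokens;
}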
Also used : HashMap(java.util.HashMap) OpenIDConnectToken(com.tremolosecurity.proxy.auth.util.OpenIDConnectToken) CertificateEncodingException(java.security.cert.CertificateEncodingException)

Example 2 with OpenIDConnectToken

use of com.tremolosecurity.proxy.auth.util.OpenIDConnectToken in project OpenUnison by TremoloSecurity.

The class InjectIdToken, method getResultValue.

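/**
 * Builds the header value to inject: {@code "Bearer "} followed by the encoded id token
 * from the session, or {@code "Bearer NONE"} when the session holds no token. An expired
 * token is refreshed in place before its encoded form is returned.
 *
 * @param request  current request; its session is read for the OIDC token
 * @param response not used
 * @return the bearer header value
 * @throws ServletException if refreshing an expired token fails
 */
@Override
public String getResultValue(HttpServletRequest request, HttpServletResponse response) throws ServletException {
    OpenIDConnectToken token = (OpenIDConnectToken) request.getSession().getAttribute(GenerateOIDCTokens.UNISON_SESSION_OIDC_ID_TOKEN);
    if (token == null) {
        return "Bearer NONE";
    }
    // The token is shared session state; refresh and read happen under its monitor,
    // presumably so that concurrent requests do not observe a half-refreshed token.
    synchronized (token) {
        if (token.isExpired()) {
            try {
                request.setAttribute(ProxyTools.OVERRIDE_HOST, System.getProperty("OU_HOST"));
                token.refreshProxyToken(request);
            } catch (MalformedURLException | MalformedClaimException | JoseException | LDAPException | ProvisioningException e) {
                throw new ServletException("Could not generate id_token", e);
            }
        }
        // Plain concatenation replaces the original StringBuffer; nothing here needs
        // a synchronized builder.
        return "Bearer " + token.getEncodedIdJSON();
    }
}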
Also used : ServletException(javax.servlet.ServletException) MalformedURLException(java.net.MalformedURLException) MalformedClaimException(org.jose4j.jwt.MalformedClaimException) LDAPException(com.novell.ldap.LDAPException) JoseException(org.jose4j.lang.JoseException) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) OpenIDConnectToken(com.tremolosecurity.proxy.auth.util.OpenIDConnectToken)

Example 3 with OpenIDConnectToken

use of com.tremolosecurity.proxy.auth.util.OpenIDConnectToken in project OpenUnison by TremoloSecurity.

The class KubectlTokenLoader, method loadToken.

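/**
 * Loads the OIDC id token stored in the session and renders the kubectl configuration
 * commands for it, together with the CA certificates the commands reference.
 *
 * @param user    the authenticated user; its uid attribute becomes {@code user_id} in the template
 * @param session the HTTP session holding the {@code OpenIDConnectToken}
 * @return a map of display names to values: rendered kubectl commands, usage text, optional CA
 *         certificates, {@code id_token} and {@code refresh_token}; an empty map when the
 *         session holds no token
 * @throws Exception propagated from the token accessors and template rendering
 */
@Override
public Object loadToken(AuthInfo user, HttpSession session) throws Exception {
    OpenIDConnectToken token = (OpenIDConnectToken) session.getAttribute(GenerateOIDCTokens.UNISON_SESSION_OIDC_ID_TOKEN);
    if (token == null) {
        logger.warn("No id token found");
        return new HashMap<String, String>();
    }
    // Must run after the null check: calling it first dereferences a possibly-null
    // token and the "no token" branch above could never be reached.
    token.replaceState();
    HashMap<String, String> tokens = new HashMap<String, String>();
    String k8sCert = this.cert2pem(this.k8sCaCertName);
    if (k8sCert != null) {
        tokens.put("Kubernetes API Server CA Certificate", k8sCert);
    }
    String ouCert = this.cert2pem(this.unisonCaCertName);
    if (ouCert != null) {
        tokens.put("OpenUnison Server CA Certificate", ouCert);
    }
    HashMap<String, Object> templateObjects = new HashMap<String, Object>();
    templateObjects.put("user", user);
    templateObjects.put("token", token);
    templateObjects.put("user_id", user.getAttribs().get(this.uidAttributeName).getValues().get(0));
    String kubectTemplateLocal = this.kubectlTemplate;
    String winKubCtlLocal = this.kubectlWinUsage;
    if (k8sCert != null) {
        templateObjects.put("k8s_b64_cert", toBase64(k8sCert));
        templateObjects.put("k8s_newline_cert", k8sCert.replace("\n", "\\n"));
        templateObjects.put("k8s_newline_cert_win", k8sCert.replace("\n", "`n"));
    } else {
        // No CA available: point the shell template at /dev/null and drop the
        // PowerShell step that would write the certificate file.
        kubectTemplateLocal = kubectTemplateLocal.replace("--certificate-authority=\\$TMP_CERT", "--certificate-authority=/dev/null");
        if (winKubCtlLocal != null) {
            winKubCtlLocal = winKubCtlLocal.replace("\"$k8s_newline_cert_win$\" | out-file \\$TMP_CERT -encoding oem ;", "");
        }
    }
    if (ouCert != null) {
        templateObjects.put("ou_b64_cert", toBase64(ouCert));
    }
    // The rendered commands embed the token values handed to the template; the
    // returned map is credential material and should be treated as such by callers.
    tokens.put("kubectl Command", this.renderTemplate(kubectTemplateLocal, templateObjects));
    if (this.kubectlWinUsage != null) {
        tokens.put("kubectl Windows Command", this.renderTemplate(winKubCtlLocal, templateObjects));
    }
    tokens.put("Usage", this.kubectlUsage);
    tokens.put("id_token", token.getEncodedIdJSON());
    tokens.put("refresh_token", token.getRefreshToken());
    return tokens;
}

/**
 * Base64-encodes a PEM string. Charsets are given explicitly so the result does not
 * depend on the platform default; Base64 output is ASCII by construction.
 */
private static String toBase64(String pem) {
    byte[] encoded = Base64.encodeBase64(pem.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    return new String(encoded, java.nio.charset.StandardCharsets.US_ASCII);
}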
Also used : HashMap(java.util.HashMap) OpenIDConnectToken(com.tremolosecurity.proxy.auth.util.OpenIDConnectToken)

Example 4 with OpenIDConnectToken

use of com.tremolosecurity.proxy.auth.util.OpenIDConnectToken in project OpenUnison by TremoloSecurity.

The class GenerateOIDCTokens, method doGet.

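/**
 * Authentication mechanism step that mints an {@code OpenIDConnectToken} for the
 * configured IdP and trust, stores it in the session under
 * {@code UNISON_SESSION_OIDC_ID_TOKEN}, marks the step successful and advances the chain.
 *
 * @param request  current request; must carry the {@code UrlHolder} under {@code AUTOIDM_CFG}
 * @param response current response, handed to the next authentication step
 * @param as       the current authentication step, marked successful on completion
 * @throws IOException      propagated from the next authentication step
 * @throws ServletException if the holder is missing, a required mechanism parameter is
 *                          absent, or token generation fails
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    // Session attribute is stored untyped; the cast is the established contract for AUTH_MECH_PARAMS.
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    String idpName = requiredParam(authParams, "idpName");
    String trustName = requiredParam(authParams, "trustName");
    // getRequestURL() is reconstructed from the incoming request (scheme, host, path); the
    // optional overrideURL parameter lets the deployment pin the value instead.
    String overrideURL = request.getRequestURL().toString();
    if (authParams.get("overrideURL") != null) {
        overrideURL = authParams.get("overrideURL").getValues().get(0);
    }
    OpenIDConnectToken token = new OpenIDConnectToken(idpName, trustName, overrideURL);
    try {
        request.setAttribute(ProxyTools.OVERRIDE_HOST, System.getProperty("OU_HOST"));
        token.generateToken(request);
    } catch (MalformedClaimException | JoseException | LDAPException | ProvisioningException e) {
        throw new ServletException("Could not generate token", e);
    }
    session.setAttribute(GenerateOIDCTokens.UNISON_SESSION_OIDC_ID_TOKEN, token);
    as.setSuccess(true);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/**
 * Returns the first value of a required mechanism parameter.
 *
 * @throws ServletException if the parameter map or the named parameter is absent, so a
 *                          misconfiguration surfaces as a clear message rather than an NPE
 */
private static String requiredParam(HashMap<String, Attribute> authParams, String name) throws ServletException {
    if (authParams == null || authParams.get(name) == null) {
        throw new ServletException("Missing required mechanism parameter: " + name);
    }
    return authParams.get(name).getValues().get(0);
}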
Also used : Attribute(com.tremolosecurity.saml.Attribute) HashMap(java.util.HashMap) HttpSession(javax.servlet.http.HttpSession) JoseException(org.jose4j.lang.JoseException) OpenIDConnectToken(com.tremolosecurity.proxy.auth.util.OpenIDConnectToken) HttpServletRequest(javax.servlet.http.HttpServletRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException) MalformedClaimException(org.jose4j.jwt.MalformedClaimException) LDAPException(com.novell.ldap.LDAPException) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException)
