
Example 86 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

The class MailChimp, method createUser.

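/**
 * Creates {@code user} as a member of the MailChimp list named by {@code request.get("listID")}.
 *
 * <p>Only attributes listed in {@code attributes} are sent. A {@code tags} attribute becomes the
 * member's {@code tags} array; attributes in {@code mergeAttributes} go under {@code merge_fields};
 * everything else is sent as a top-level member field. Multi-valued attributes contribute their
 * first value only; attributes with no value are skipped.
 *
 * @param user       the user to create; {@code getUserID()} is sent as {@code email_address}
 * @param attributes names of the attributes to send
 * @param request    workflow request context; must contain a {@code String} under {@code "listID"}
 * @throws ProvisioningException if the list id is missing, the request cannot be sent, or MailChimp
 *                               does not answer with HTTP 200
 */
@Override
public void createUser(User user, Set<String> attributes, Map<String, Object> request) throws ProvisioningException {
    String listID = (String) request.get("listID");
    if (listID == null) {
        throw new ProvisioningException("No listID in request for '" + user.getUserID() + "'");
    }
    JSONObject member = new JSONObject();
    member.put("email_address", user.getUserID());
    JSONObject merge = new JSONObject();
    member.put("merge_fields", merge);
    for (Attribute attr : user.getAttribs().values()) {
        String name = attr.getName();
        if (!attributes.contains(name)) {
            continue;
        }
        if (name.equals("tags")) {
            JSONArray tagList = new JSONArray();
            tagList.addAll(attr.getValues());
            member.put("tags", tagList);
        } else if (attr.getValues().isEmpty()) {
            // nothing to send; also avoids an IndexOutOfBoundsException on get(0)
            continue;
        } else if (this.mergeAttributes.contains(name)) {
            merge.put(name, attr.getValues().get(0));
        } else {
            member.put(name, attr.getValues().get(0));
        }
    }
    String json = member.toJSONString();
    String url;
    try {
        url = "https://" + this.host + "/3.0/lists/" + URLEncoder.encode(listID, "UTF-8") + "/members";
    } catch (UnsupportedEncodingException e) {
        // UTF-8 is mandatory for every JVM; surface it rather than continue with a half-built URL
        throw new ProvisioningException("UTF-8 not supported", e);
    }
    HttpCon con = null;
    try {
        con = this.createClient();
        HttpPost post = new HttpPost(url);
        // MailChimp Basic auth: any user name, the API key as the password
        post.addHeader("Authorization", "Basic " + java.util.Base64.getEncoder().encodeToString(("x:" + apiKey).getBytes(StandardCharsets.UTF_8)));
        post.setEntity(new StringEntity(json, ContentType.APPLICATION_JSON));
        try (CloseableHttpResponse resp = con.getHttp().execute(post)) {
            int status = resp.getStatusLine().getStatusCode();
            // consume the entity exactly once; a second EntityUtils.toString on it is not reliable
            String body = resp.getEntity() == null ? "" : EntityUtils.toString(resp.getEntity());
            if (status != 200) {
                logger.error("Could not create '" + user.getUserID() + "' - " + status + " - " + body);
                throw new ProvisioningException("Could not create '" + user.getUserID() + "' - " + status);
            }
        }
    } catch (ProvisioningException e) {
        throw e;
    } catch (Exception e) {
        // a failed create must not look like success to the workflow that called us
        throw new ProvisioningException("Could not create '" + user.getUserID() + "'", e);
    } finally {
        if (con != null) {
            try {
                con.getHttp().close();
            } catch (IOException e) {
                logger.warn("Could not close http client", e);
            }
            con.getBcm().close();
        }
    }
}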
Also used : HttpPost(org.apache.http.client.methods.HttpPost) StringEntity(org.apache.http.entity.StringEntity) HttpCon(com.tremolosecurity.provisioning.util.HttpCon) JSONObject(org.json.simple.JSONObject) Attribute(com.tremolosecurity.saml.Attribute) JSONArray(org.json.simple.JSONArray) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) UnsupportedEncodingException(java.io.UnsupportedEncodingException) IOException(java.io.IOException) ClientProtocolException(org.apache.http.client.ClientProtocolException) ParseException(org.apache.http.ParseException) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) IOException(java.io.IOException) UnsupportedEncodingException(java.io.UnsupportedEncodingException)

Example 87 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

The class MailChimp, method syncUser.

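/**
 * Creates or updates the MailChimp list member for {@code user}.
 *
 * <p>The member is looked up by email through {@link #getUserJSON}. With no lookup result, or no
 * exact match in it, the call is delegated to {@link #createUser}; otherwise the member is re-sent
 * with {@code PATCH /3.0/lists/{listID}/members/{id}} carrying the attributes named in
 * {@code attributes} ({@code tags} as the tag array, {@code mergeAttributes} under
 * {@code merge_fields}, the rest as top-level fields, first value only).
 *
 * @param user       user to synchronize; {@code getUserID()} is the email address
 * @param addOnly    not read by this implementation: the PATCH below only carries the listed attributes
 * @param attributes names of the attributes to send
 * @param request    workflow request context; must hold a {@code String} under {@code "listID"}
 * @throws ProvisioningException if the lookup JSON cannot be parsed, the list id or member id is
 *                               missing, the request cannot be sent, or MailChimp does not answer
 *                               with HTTP 200
 */
@Override
public void syncUser(User user, boolean addOnly, Set<String> attributes, Map<String, Object> request) throws ProvisioningException {
    // getUserJSON's response argument cannot be handed back through a Java parameter, so null is
    // passed instead of a local that would never be assigned or closed.
    String respJson = getUserJSON(user.getUserID(), request, null);
    if (respJson == null) {
        this.createUser(user, attributes, request);
        return;
    }
    String listID = (String) request.get("listID");
    if (listID == null) {
        throw new ProvisioningException("No listID in request for '" + user.getUserID() + "'");
    }
    JSONObject root;
    try {
        root = (JSONObject) new JSONParser().parse(respJson);
    } catch (ParseException | org.json.simple.parser.ParseException | ClassCastException e) {
        throw new ProvisioningException("Could not parse json", e);
    }
    JSONObject exactMatches = (JSONObject) root.get("exact_matches");
    JSONArray members = exactMatches == null ? null : (JSONArray) exactMatches.get("members");
    if (members == null || members.isEmpty()) {
        this.createUser(user, attributes, request);
        return;
    }
    String id = (String) ((JSONObject) members.get(0)).get("id");
    if (id == null) {
        throw new ProvisioningException("MailChimp returned a member without an id for '" + user.getUserID() + "'");
    }
    JSONObject member = new JSONObject();
    member.put("email_address", user.getUserID());
    JSONObject merge = new JSONObject();
    member.put("merge_fields", merge);
    for (Attribute attr : user.getAttribs().values()) {
        String name = attr.getName();
        if (!attributes.contains(name)) {
            continue;
        }
        if (name.equals("tags")) {
            JSONArray tagList = new JSONArray();
            tagList.addAll(attr.getValues());
            member.put("tags", tagList);
        } else if (attr.getValues().isEmpty()) {
            // nothing to send; also avoids an IndexOutOfBoundsException on get(0)
            continue;
        } else if (this.mergeAttributes.contains(name)) {
            merge.put(name, attr.getValues().get(0));
        } else {
            member.put(name, attr.getValues().get(0));
        }
    }
    String json = member.toJSONString();
    String url;
    try {
        url = "https://" + this.host + "/3.0/lists/" + URLEncoder.encode(listID, "UTF-8") + "/members/" + URLEncoder.encode(id, "UTF-8");
    } catch (UnsupportedEncodingException e) {
        // UTF-8 is mandatory for every JVM; surface it rather than continue with a half-built URL
        throw new ProvisioningException("UTF-8 not supported", e);
    }
    HttpCon con = null;
    try {
        con = this.createClient();
        HttpPatch patch = new HttpPatch(url);
        // MailChimp Basic auth: any user name, the API key as the password
        patch.addHeader("Authorization", "Basic " + java.util.Base64.getEncoder().encodeToString(("x:" + apiKey).getBytes(StandardCharsets.UTF_8)));
        patch.setEntity(new StringEntity(json, ContentType.APPLICATION_JSON));
        try (CloseableHttpResponse resp = con.getHttp().execute(patch)) {
            int status = resp.getStatusLine().getStatusCode();
            // consume the entity exactly once; a second EntityUtils.toString on it is not reliable
            String body = resp.getEntity() == null ? "" : EntityUtils.toString(resp.getEntity());
            if (status != 200) {
                logger.error("Could not update '" + user.getUserID() + "' - " + status + " - " + body);
                throw new ProvisioningException("Could not update '" + user.getUserID() + "' - " + status);
            }
        }
    } catch (ProvisioningException e) {
        throw e;
    } catch (Exception e) {
        // a failed update must not look like success to the workflow that called us
        throw new ProvisioningException("Could not update '" + user.getUserID() + "'", e);
    } finally {
        if (con != null) {
            try {
                con.getHttp().close();
            } catch (IOException e) {
                logger.warn("Could not close http client", e);
            }
            con.getBcm().close();
        }
    }
}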
Also used : Attribute(com.tremolosecurity.saml.Attribute) JSONArray(org.json.simple.JSONArray) UnsupportedEncodingException(java.io.UnsupportedEncodingException) IOException(java.io.IOException) HttpPatch(org.apache.http.client.methods.HttpPatch) ClientProtocolException(org.apache.http.client.ClientProtocolException) ParseException(org.apache.http.ParseException) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) IOException(java.io.IOException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) StringEntity(org.apache.http.entity.StringEntity) HttpCon(com.tremolosecurity.provisioning.util.HttpCon) JSONObject(org.json.simple.JSONObject) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) JSONParser(org.json.simple.parser.JSONParser) ParseException(org.apache.http.ParseException)

Example 88 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

The class ModuleType, method syncUser.

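/**
 * Updates the SugarCRM entry that corresponds to {@code user}, creating it when none is found.
 *
 * <p>The existing entry is fetched with {@link #findUser} (requesting {@code attributes} plus
 * {@code id}). Attributes named in {@code attributes} are overwritten from {@code user}; unless
 * {@code addOnly} is set, further attributes of the found entry may be blanked (see the note in the
 * loop below). The result is sent as a {@code set_entry} call addressed by the entry's {@code id}.
 * An {@code account_name} attribute is additionally resolved to an {@code account_id} through
 * {@link #getAccountId}.
 *
 * @param user       user to synchronize
 * @param addOnly    when {@code true}, attributes of the existing entry are never blanked
 * @param attributes names of the attributes to synchronize
 * @param request    workflow request context, used to select the SugarCRM module
 * @throws ProvisioningException if login, account resolution, the found entry's id, or the update fails
 */
@Override
public void syncUser(User user, boolean addOnly, Set<String> attributes, Map<String, Object> request) throws ProvisioningException {
    ModuleType mt = this.getModuleType(request);
    try {
        String sessionId = sugarLogin();
        // Always request the id: set_entry needs it to address the existing record.
        Set<String> lookupAttribs = new HashSet<>(attributes);
        lookupAttribs.add("id");
        User foundUser;
        try {
            foundUser = this.findUser(user.getUserID(), lookupAttribs, request);
        } catch (Exception e) {
            // findUser signals "no such entry" by throwing, so fall back to creation.
            // NOTE(review): this also turns login/transport failures into a create attempt — confirm
            // that findUser cannot fail for other reasons, or narrow the catch.
            this.createUser(user, attributes, request);
            return;
        }
        Attribute idAttr = foundUser == null ? null : foundUser.getAttribs().get("id");
        if (idAttr == null || idAttr.getValues().isEmpty()) {
            throw new ProvisioningException("Found entry for '" + user.getUserID() + "' has no id");
        }
        Map<String, String> nvps = new HashMap<>();
        nvps.put("id", idAttr.getValues().get(0));
        for (String attrName : user.getAttribs().keySet()) {
            if (!attributes.contains(attrName)) {
                continue;
            }
            String value = user.getAttribs().get(attrName).getValues().get(0);
            if (attrName.equalsIgnoreCase("account_name")) {
                nvps.put("account_id", this.getAccountId(value, sessionId));
            }
            foundUser.getAttribs().put(attrName, new Attribute(attrName, value));
        }
        if (!addOnly) {
            // Iterate over a snapshot: the loop body writes back into the same map.
            for (String attrName : new HashSet<>(foundUser.getAttribs().keySet())) {
                if (!user.getAttribs().containsKey(attrName) && !attributes.contains(attrName) && !attrName.equalsIgnoreCase("id")) {
                    // NOTE(review): as written this blanks attributes that are NOT in the sync set. If the
                    // intent is to clear synced attributes the user no longer carries, the middle test
                    // should read attributes.contains(attrName) — confirm against the provider's contract.
                    foundUser.getAttribs().put(attrName, new Attribute(attrName, ""));
                }
            }
        }
        for (String attrName : foundUser.getAttribs().keySet()) {
            nvps.put(attrName, foundUser.getAttribs().get(attrName).getValues().get(0));
        }
        SugarEntry entry = new SugarEntry();
        entry.setSession(sessionId);
        entry.setModule(mt.name);
        entry.setName_value_list(nvps);
        execJson(new Gson().toJson(entry), "set_entry");
    } catch (ProvisioningException e) {
        throw e;
    } catch (Exception e) {
        throw new ProvisioningException("Could not sync user", e);
    }
}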
Also used : User(com.tremolosecurity.provisioning.core.User) HashMap(java.util.HashMap) Attribute(com.tremolosecurity.saml.Attribute) SugarEntry(com.tremolosecurity.provisioning.core.providers.sugarcrm.SugarEntry) Gson(com.google.gson.Gson) MalformedCookieException(org.apache.http.cookie.MalformedCookieException) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) ClientProtocolException(org.apache.http.client.ClientProtocolException) MalformedURLException(java.net.MalformedURLException) IOException(java.io.IOException) ProvisioningException(com.tremolosecurity.provisioning.core.ProvisioningException) HashSet(java.util.HashSet)

Example 89 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

The class GithubAuthMech, method doGet.

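/**
 * Runs the GitHub OAuth 2.0 login for this authentication step.
 *
 * <p>Without a {@code state} request parameter this is the first leg: a random state is stored in
 * the session and the browser is redirected to the authorize endpoint. With a {@code state}
 * parameter it is the callback: the state must match the session's (and is consumed), the
 * {@code code} is exchanged for an access token, the profile, primary email, organizations and team
 * memberships are read from the GitHub API, the user is loaded or linked to the directory, and
 * control passes to the next authentication step.
 *
 * <p>No {@code redirect_uri} is sent on either leg, so the callback URL is whatever is registered
 * with the GitHub OAuth application.
 *
 * @param request  current request; the session's {@code ProxyConstants.AUTH_MECH_PARAMS} supplies
 *                 the mechanism parameters ({@code clientid}, {@code secretid}, {@code scope}, ...)
 * @param response used for the authorize redirect
 * @param as       authentication step whose success flag is set here
 * @throws IOException      on transport errors or a non-2xx GitHub API response
 * @throws ServletException on a missing or mismatched state, a missing code, an unbuildable token
 *                          request, a missing access token, or unparseable GitHub JSON
 */
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = request.getSession();
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    ConfigManager cfg = (ConfigManager) request.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
    MyVDConnection myvd = cfg.getMyVD();
    String bearerTokenName = authParams.get("bearerTokenName").getValues().get(0);
    String clientid = authParams.get("clientid").getValues().get(0);
    String secret = authParams.get("secretid").getValues().get(0);
    String idpURL = paramOrDefault(authParams, "idpURL", "https://github.com/login/oauth/authorize");
    String loadTokenURL = paramOrDefault(authParams, "loadTokenURL", "https://github.com/login/oauth/access_token");
    String scope = authParams.get("scope").getValues().get(0);
    boolean linkToDirectory = Boolean.parseBoolean(authParams.get("linkToDirectory").getValues().get(0));
    String noMatchOU = authParams.get("noMatchOU").getValues().get(0);
    String uidAttr = authParams.get("uidAttr").getValues().get(0);
    String lookupFilter = authParams.get("lookupFilter").getValues().get(0);
    String defaultObjectClass = authParams.get("defaultObjectClass").getValues().get(0);
    // NOTE(review): the "forceAuthentication" parameter honored by the OIDC mechanism was never
    // applied to the GitHub redirect here, so it is not read.
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    AuthController authCtl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    RequestHolder reqHolder = authCtl.getHolder();
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());

    if (request.getParameter("state") == null) {
        // First leg: bind a fresh anti-CSRF state to this session before sending the browser to GitHub.
        String state = new BigInteger(130, new SecureRandom()).toString(32);
        session.setAttribute("UNISON_OPENIDCONNECT_STATE", state);
        String redirToSend = idpURL + "?client_id=" + URLEncoder.encode(clientid, "UTF-8") + "&scope=" + URLEncoder.encode(scope, "UTF-8") + "&state=" + URLEncoder.encode("security_token=", "UTF-8") + URLEncoder.encode(state, "UTF-8");
        response.sendRedirect(redirToSend);
        return;
    }

    // Callback leg: the state must be the one this session issued, and it is consumed so that a
    // replayed callback cannot pass the check a second time.
    String stateFromURL = URLDecoder.decode(request.getParameter("state"), "UTF-8");
    stateFromURL = stateFromURL.substring(stateFromURL.indexOf('=') + 1);
    String stateFromSession = (String) session.getAttribute("UNISON_OPENIDCONNECT_STATE");
    if (stateFromSession == null || !stateFromSession.equalsIgnoreCase(stateFromURL)) {
        throw new ServletException("Invalid State");
    }
    session.removeAttribute("UNISON_OPENIDCONNECT_STATE");
    String code = request.getParameter("code");
    if (code == null) {
        throw new ServletException("No authorization code in callback");
    }
    HttpUriRequest post;
    try {
        post = RequestBuilder.post().setUri(new java.net.URI(loadTokenURL)).addParameter("code", code).addParameter("client_id", clientid).addParameter("client_secret", secret).build();
    } catch (URISyntaxException e) {
        throw new ServletException("Could not create post request", e);
    }
    BasicHttpClientConnectionManager bhcm = new BasicHttpClientConnectionManager(GlobalEntries.getGlobalEntries().getConfigManager().getHttpClientSocketRegistry());
    RequestConfig rc = RequestConfig.custom().setCookieSpec(CookieSpecs.STANDARD).build();
    try (CloseableHttpClient http = HttpClients.custom().setConnectionManager(bhcm).setDefaultRequestConfig(rc).build()) {
        String tokenBody = fetchBody(http, post);
        String accessToken = null;
        for (NameValuePair nvp : URLEncodedUtils.parse(tokenBody, StandardCharsets.UTF_8)) {
            if (nvp.getName().equals("access_token")) {
                accessToken = nvp.getValue();
            }
        }
        if (accessToken == null) {
            throw new ServletException("Could not get authorization token : " + tokenBody);
        }
        // Store the bearer token for use by Unison
        session.setAttribute(bearerTokenName, accessToken);
        @SuppressWarnings("unchecked")
        Map<String, Object> jwtNVP = com.cedarsoftware.util.io.JsonReader.jsonToMaps(fetchBody(http, bearerGet("https://api.github.com/user", accessToken)));
        if (jwtNVP == null) {
            as.setSuccess(false);
        } else {
            JSONParser parser = new JSONParser();
            // The primary address from /user/emails is exposed to the user loader as "mail".
            org.json.simple.JSONArray emails = (org.json.simple.JSONArray) parser.parse(fetchBody(http, bearerGet("https://api.github.com/user/emails", accessToken)));
            for (Object o : emails) {
                org.json.simple.JSONObject emailObj = (org.json.simple.JSONObject) o;
                // a missing or non-boolean "primary" counts as false instead of throwing on unboxing
                if (Boolean.TRUE.equals(emailObj.get("primary"))) {
                    jwtNVP.put("mail", emailObj.get("email"));
                }
            }
            if (!linkToDirectory) {
                loadUnlinkedUser(session, noMatchOU, uidAttr, act, jwtNVP, defaultObjectClass);
                as.setSuccess(true);
            } else {
                lookupUser(as, session, myvd, noMatchOU, uidAttr, lookupFilter, act, jwtNVP, defaultObjectClass);
            }
            org.json.simple.JSONArray orgs = (org.json.simple.JSONArray) parser.parse(fetchBody(http, bearerGet("https://api.github.com/user/orgs", accessToken)));
            Attribute userOrgs = new Attribute("githubOrgs");
            Attribute userTeams = new Attribute("githubTeams");
            String login = String.valueOf(jwtNVP.get("login"));
            for (Object o : orgs) {
                String orgName = (String) ((org.json.simple.JSONObject) o).get("login");
                userOrgs.getValues().add(orgName);
                // orgName and login come back from GitHub, but they are still spliced into a query:
                // escape them as string literals rather than trusting them to be free of quotes and
                // backslashes, and let the JSON library build the request body.
                String query = "{organization(login: \"" + org.json.simple.JSONObject.escape(orgName) + "\") { teams(first: 100, userLogins: [\"" + org.json.simple.JSONObject.escape(login) + "\"]) { totalCount edges {node {name description}}}}}";
                org.json.simple.JSONObject graphqlBody = new org.json.simple.JSONObject();
                graphqlBody.put("query", query);
                HttpUriRequest graphql = RequestBuilder.post().addHeader(new BasicHeader("Authorization", "Bearer " + accessToken)).setUri("https://api.github.com/graphql").setEntity(new StringEntity(graphqlBody.toJSONString(), StandardCharsets.UTF_8)).build();
                org.json.simple.JSONObject root = (org.json.simple.JSONObject) parser.parse(fetchBody(http, graphql));
                org.json.simple.JSONObject data = (org.json.simple.JSONObject) root.get("data");
                org.json.simple.JSONObject organization = data == null ? null : (org.json.simple.JSONObject) data.get("organization");
                org.json.simple.JSONObject teams = organization == null ? null : (org.json.simple.JSONObject) organization.get("teams");
                org.json.simple.JSONArray edges = teams == null ? null : (org.json.simple.JSONArray) teams.get("edges");
                if (edges == null) {
                    // A GraphQL error leaves this path null; keep the org but record no teams for it
                    // instead of failing the whole login with a NullPointerException.
                    continue;
                }
                for (Object oi : edges) {
                    org.json.simple.JSONObject node = (org.json.simple.JSONObject) ((org.json.simple.JSONObject) oi).get("node");
                    userTeams.getValues().add(orgName + "/" + node.get("name"));
                }
            }
            authCtl.getAuthInfo().getAttribs().put("githubOrgs", userOrgs);
            authCtl.getAuthInfo().getAttribs().put("githubTeams", userTeams);
            // NOTE(review): "target" is taken from the request unvalidated; confirm that RequestHolder
            // or the AuthManager restricts it to local URLs before it is used as a post-login redirect.
            String redirectToURL = request.getParameter("target");
            if (redirectToURL != null && !redirectToURL.isEmpty()) {
                reqHolder.setURL(redirectToURL);
            }
        }
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
    } catch (ParseException e) {
        throw new ServletException("Could not parse orgs", e);
    } finally {
        bhcm.close();
    }
}

/**
 * Returns the first value of mechanism parameter {@code name}, or {@code defaultValue} when the
 * parameter is absent.
 */
private static String paramOrDefault(Map<String, Attribute> params, String name, String defaultValue) {
    Attribute attr = params.get(name);
    return attr != null ? attr.getValues().get(0) : defaultValue;
}

/**
 * Builds a GET for {@code url} carrying {@code accessToken} as a Bearer authorization header.
 */
private static HttpGet bearerGet(String url, String accessToken) {
    HttpGet get = new HttpGet(url);
    get.addHeader("Authorization", "Bearer " + accessToken);
    return get;
}

/**
 * Executes {@code req} and returns its body as one string with line breaks dropped — the form the
 * callers above have always handed to their parsers. The response is closed whether or not reading
 * succeeds; the body is decoded as UTF-8.
 *
 * @throws IOException on transport failure, or when the status is outside 2xx — only the status and
 *                     request URI are reported, never the body, so a failed call cannot leak a token
 */
private static String fetchBody(CloseableHttpClient http, HttpUriRequest req) throws IOException {
    try (CloseableHttpResponse httpResp = http.execute(req)) {
        int status = httpResp.getStatusLine().getStatusCode();
        if (status < 200 || status > 299) {
            throw new IOException("GitHub request to " + req.getURI() + " failed with HTTP " + status);
        }
        if (httpResp.getEntity() == null) {
            return "";
        }
        StringBuilder body = new StringBuilder();
        try (BufferedReader in = new BufferedReader(new InputStreamReader(httpResp.getEntity().getContent(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = in.readLine()) != null) {
                body.append(line);
            }
        }
        return body.toString();
    }
}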
Also used : HttpUriRequest(org.apache.http.client.methods.HttpUriRequest) LDAPAttribute(com.novell.ldap.LDAPAttribute) Attribute(com.tremolosecurity.saml.Attribute) HashMap(java.util.HashMap) HttpGet(org.apache.http.client.methods.HttpGet) Gson(com.google.gson.Gson) URISyntaxException(java.net.URISyntaxException) RequestHolder(com.tremolosecurity.proxy.auth.RequestHolder) URL(java.net.URL) HttpServletRequest(javax.servlet.http.HttpServletRequest) UrlHolder(com.tremolosecurity.config.util.UrlHolder) ServletException(javax.servlet.ServletException) StringEntity(org.apache.http.entity.StringEntity) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) AuthChainType(com.tremolosecurity.config.xml.AuthChainType) BasicHttpClientConnectionManager(org.apache.http.impl.conn.BasicHttpClientConnectionManager) MyVDConnection(com.tremolosecurity.proxy.myvd.MyVDConnection) RequestConfig(org.apache.http.client.config.RequestConfig) CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) NameValuePair(org.apache.http.NameValuePair) InputStreamReader(java.io.InputStreamReader) HttpSession(javax.servlet.http.HttpSession) JSONArray(org.jose4j.json.internal.json_simple.JSONArray) AuthMechType(com.tremolosecurity.config.xml.AuthMechType) SecureRandom(java.security.SecureRandom) AuthController(com.tremolosecurity.proxy.auth.AuthController) ConfigManager(com.tremolosecurity.config.util.ConfigManager) JSONObject(org.jose4j.json.internal.json_simple.JSONObject) BufferedReader(java.io.BufferedReader) BigInteger(java.math.BigInteger) JSONParser(org.json.simple.parser.JSONParser) JSONObject(org.jose4j.json.internal.json_simple.JSONObject) ParseException(org.json.simple.parser.ParseException) Map(java.util.Map) HashMap(java.util.HashMap) BasicHeader(org.apache.http.message.BasicHeader)

Example 90 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

The class OpenIDConnectAuthMech, method doGet.

public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    HttpSession session = ((HttpServletRequest) request).getSession();
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    ConfigManager cfg = (ConfigManager) request.getAttribute(ProxyConstants.TREMOLO_CFG_OBJ);
    MyVDConnection myvd = cfg.getMyVD();
    String idpURL;
    String loadTokenURL;
    if (authParams.get("issuer") != null) {
        StringBuffer b = new StringBuffer();
        String issuer = authParams.get("issuer").getValues().get(0);
        b.append(issuer);
        if (issuer.charAt(issuer.length() - 1) != '/') {
            b.append('/');
        }
        b.append(".well-known/openid-configuration");
        String discoveryUrl = b.toString();
        OidcIdpUrls idp = this.idpUrls.get(discoveryUrl);
        if (idp == null) {
            idp = new OidcIdpUrls();
            this.idpUrls.put(discoveryUrl, idp);
            BasicHttpClientConnectionManager bhcm = new BasicHttpClientConnectionManager(GlobalEntries.getGlobalEntries().getConfigManager().getHttpClientSocketRegistry());
            RequestConfig rc = RequestConfig.custom().setCookieSpec(CookieSpecs.STANDARD).build();
            CloseableHttpClient http = HttpClients.custom().setConnectionManager(bhcm).setDefaultRequestConfig(rc).build();
            try {
                HttpGet get = new HttpGet(b.toString());
                CloseableHttpResponse resp = http.execute(get);
                if (resp.getStatusLine().getStatusCode() == 200) {
                    String json = EntityUtils.toString(resp.getEntity());
                    resp.close();
                    JSONParser parser = new JSONParser();
                    org.json.simple.JSONObject root = (org.json.simple.JSONObject) parser.parse(json);
                    idp.setIdpUrl((String) root.get("authorization_endpoint"));
                    idp.setTokenUrl((String) root.get("token_endpoint"));
                    idp.setUserInfoUrl((String) root.get("userinfo_endpoint"));
                } else {
                    idp.setIdpUrl(authParams.get("idpURL").getValues().get(0));
                    idp.setTokenUrl(loadTokenURL = authParams.get("loadTokenURL").getValues().get(0));
                }
            } catch (ParseException e) {
                throw new ServletException("Could not parse discovery document", e);
            } finally {
                try {
                    http.close();
                } catch (Throwable e) {
                }
                bhcm.close();
            }
        }
        request.setAttribute(OIDC_IDP, idp);
        idpURL = idp.getIdpUrl();
        loadTokenURL = idp.getTokenUrl();
    } else {
        idpURL = authParams.get("idpURL").getValues().get(0);
        loadTokenURL = authParams.get("loadTokenURL").getValues().get(0);
    }
    String bearerTokenName = authParams.get("bearerTokenName").getValues().get(0);
    String clientid = authParams.get("clientid").getValues().get(0);
    String secret = authParams.get("secretid").getValues().get(0);
    String responseType = authParams.get("responseType").getValues().get(0);
    String scope = authParams.get("scope").getValues().get(0);
    boolean linkToDirectory = Boolean.parseBoolean(authParams.get("linkToDirectory").getValues().get(0));
    String noMatchOU = authParams.get("noMatchOU").getValues().get(0);
    String uidAttr = authParams.get("uidAttr").getValues().get(0);
    String lookupFilter = authParams.get("lookupFilter").getValues().get(0);
    String userLookupClassName = authParams.get("userLookupClassName").getValues().get(0);
    String defaultObjectClass = authParams.get("defaultObjectClass").getValues().get(0);
    boolean forceAuth = authParams.get("forceAuthentication") != null ? authParams.get("forceAuthentication").getValues().get(0).equalsIgnoreCase("true") : true;
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    RequestHolder reqHolder = ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).getHolder();
    StringBuffer b = new StringBuffer();
    URL reqURL = new URL(ProxyTools.getInstance().getHttpsUrl(request.getRequestURL().toString(), request));
    b.append(reqURL.getProtocol()).append("://").append(reqURL.getHost());
    if (reqURL.getPort() != -1) {
        b.append(":").append(reqURL.getPort());
    }
    String urlChain = holder.getUrl().getAuthChain();
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    AuthMechType amt = act.getAuthMech().get(as.getId());
    String authMechName = amt.getName();
    b.append(holder.getConfig().getContextPath()).append(cfg.getAuthMechs().get(authMechName).getUri());
    String hd = authParams.get("hd").getValues().get(0);
    if (request.getParameter("state") == null) {
        // initialize openidconnect
        String state = new BigInteger(130, new SecureRandom()).toString(32);
        request.getSession().setAttribute("UNISON_OPENIDCONNECT_STATE", state);
        StringBuffer redirToSend = new StringBuffer();
        redirToSend.append(idpURL).append("?client_id=").append(URLEncoder.encode(clientid, "UTF-8")).append("&response_type=").append(URLEncoder.encode(responseType, "UTF-8")).append("&scope=").append(URLEncoder.encode(scope, "UTF-8")).append("&redirect_uri=").append(URLEncoder.encode(b.toString(), "UTF-8")).append("&state=").append(URLEncoder.encode("security_token=", "UTF-8")).append(URLEncoder.encode(state, "UTF-8"));
        if (forceAuth) {
            redirToSend.append("&max_age=0");
        }
        if (hd != null && !hd.isEmpty()) {
            redirToSend.append("&hd=").append(hd);
        }
        response.sendRedirect(redirToSend.toString());
    } else {
        String stateFromURL = request.getParameter("state");
        stateFromURL = URLDecoder.decode(stateFromURL, "UTF-8");
        stateFromURL = stateFromURL.substring(stateFromURL.indexOf('=') + 1);
        String stateFromSession = (String) request.getSession().getAttribute("UNISON_OPENIDCONNECT_STATE");
        if (!stateFromSession.equalsIgnoreCase(stateFromURL)) {
            throw new ServletException("Invalid State");
        }
        HttpUriRequest post = null;
        try {
            post = RequestBuilder.post().setUri(new java.net.URI(loadTokenURL)).addParameter("code", request.getParameter("code")).addParameter("client_id", clientid).addParameter("client_secret", secret).addParameter("redirect_uri", b.toString()).addParameter("grant_type", "authorization_code").build();
        } catch (URISyntaxException e) {
            throw new ServletException("Could not create post request");
        }
        BasicHttpClientConnectionManager bhcm = new BasicHttpClientConnectionManager(GlobalEntries.getGlobalEntries().getConfigManager().getHttpClientSocketRegistry());
        RequestConfig rc = RequestConfig.custom().setCookieSpec(CookieSpecs.STANDARD).build();
        CloseableHttpClient http = HttpClients.custom().setConnectionManager(bhcm).setDefaultRequestConfig(rc).build();
        CloseableHttpResponse httpResp = http.execute(post);
        if (httpResp.getStatusLine().getStatusCode() != 200) {
            logger.error("Could not retrieve token : " + httpResp.getStatusLine().getStatusCode() + " / " + httpResp.getStatusLine().getReasonPhrase());
            as.setSuccess(false);
            holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
        }
        BufferedReader in = new BufferedReader(new InputStreamReader(httpResp.getEntity().getContent()));
        StringBuffer token = new StringBuffer();
        String line = null;
        while ((line = in.readLine()) != null) {
            token.append(line);
        }
        httpResp.close();
        bhcm.close();
        Gson gson = new Gson();
        Map tokenNVP = com.cedarsoftware.util.io.JsonReader.jsonToMaps(token.toString());
        String accessToken;
        // Store the bearer token for use by Unison
        request.getSession().setAttribute(bearerTokenName, tokenNVP.get("access_token"));
        Map jwtNVP = null;
        LoadUserData loadUser = null;
        try {
            loadUser = (LoadUserData) Class.forName(userLookupClassName).newInstance();
            jwtNVP = loadUser.loadUserAttributesFromIdP(request, response, cfg, authParams, tokenNVP);
        } catch (Exception e) {
            throw new ServletException("Could not load user data", e);
        }
        if (hd != null && !hd.isEmpty()) {
            String hdFromIdToken = (String) jwtNVP.get("hd");
            if (hdFromIdToken != null && !hdFromIdToken.isEmpty()) {
                if (!hdFromIdToken.equalsIgnoreCase(hd)) {
                    as.setSuccess(false);
                    String redirectToURL = request.getParameter("target");
                    if (redirectToURL != null && !redirectToURL.isEmpty()) {
                        reqHolder.setURL(redirectToURL);
                    }
                }
            } else {
                as.setSuccess(false);
                String redirectToURL = request.getParameter("target");
                if (redirectToURL != null && !redirectToURL.isEmpty()) {
                    reqHolder.setURL(redirectToURL);
                }
            }
        }
        if (jwtNVP == null) {
            as.setSuccess(false);
        } else {
            if (!linkToDirectory) {
                loadUnlinkedUser(session, noMatchOU, uidAttr, act, jwtNVP, defaultObjectClass);
                as.setSuccess(true);
            } else {
                lookupUser(as, session, myvd, noMatchOU, uidAttr, lookupFilter, act, jwtNVP, defaultObjectClass);
            }
            String redirectToURL = request.getParameter("target");
            if (redirectToURL != null && !redirectToURL.isEmpty()) {
                reqHolder.setURL(redirectToURL);
            }
        }
        holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
    }
}