
Example 91 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

the class OpenIDConnectAuthMech method lookupUser.

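/** Filter that matches no entry; used when a claim the lookup needs is absent from the token. */
private static final String NO_MATCH_FILTER = "(!(objectClass=*))";

/**
 * Looks up the OpenID Connect subject in the directory and records the outcome on the
 * session's {@link AuthController}.
 *
 * <p>The search filter is built by {@link #buildLookupFilter}: either the configured
 * {@code lookupFilter} template with every {@code ${claim}} replaced by the (filter-escaped)
 * claim value, or {@code (uidAttr=claimValue)} via {@code equal(...)} when no template is set.
 * The search runs under the chain's root, or the global LDAP root when the chain has none.
 * When an entry is found its attributes are copied into a new {@link AuthInfo} and the token's
 * claims are merged on top (see {@link #mergeTokenClaims}); when none is found
 * {@link #loadUnlinkedUser} synthesises the user from the token alone. Both outcomes mark the
 * step successful; only an {@link LDAPException} marks it failed.
 *
 * @param as                 the authentication step whose success flag is set
 * @param session            HTTP session holding the {@link AuthController}
 * @param myvd               directory connection used for the search
 * @param noMatchOU          OU under which {@link #loadUnlinkedUser} places an unmatched user
 * @param uidAttr            attribute name (and claim name) that identifies the user
 * @param lookupFilter       optional filter template with {@code ${claim}} placeholders; empty for none
 * @param act                the authentication chain being executed
 * @param jwtNVP             claims of the validated ID token
 * @param defaultObjectClass objectClass given to an unmatched user
 */
public static void lookupUser(AuthStep as, HttpSession session, MyVDConnection myvd, String noMatchOU, String uidAttr, String lookupFilter, AuthChainType act, Map jwtNVP, String defaultObjectClass) {
    String filter = buildLookupFilter(lookupFilter, uidAttr, jwtNVP);
    try {
        String root = act.getRoot();
        if (root == null || root.trim().isEmpty()) {
            // a chain without its own search base falls back to the global LDAP root
            root = GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot();
        }
        // scope 2 is the subtree scope; the empty attribute list asks for every attribute
        LDAPSearchResults res = myvd.search(root, 2, filter, new ArrayList<String>());
        if (!res.hasMore()) {
            // nobody matched: build the user from the token so the chain can still continue
            loadUnlinkedUser(session, noMatchOU, uidAttr, act, jwtNVP, defaultObjectClass);
            as.setSuccess(true);
            return;
        }
        // only the first match is used; further results are not consumed
        LDAPEntry entry = res.next();
        AuthInfo authInfo = new AuthInfo(entry.getDN(), (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
        ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
        copyDirectoryAttributes(entry, authInfo);
        mergeTokenClaims(jwtNVP, authInfo);
        as.setSuccess(true);
    } catch (LDAPException e) {
        // invalid credentials is an expected outcome, not an operational error worth logging
        if (e.getResultCode() != LDAPException.INVALID_CREDENTIALS) {
            logger.error("Could not authenticate user", e);
        }
        as.setSuccess(false);
    }
}

/**
 * Builds the search filter for the lookup.
 *
 * @param lookupFilter template with {@code ${claim}} placeholders, or empty
 * @param uidAttr      attribute/claim name used when no template is configured
 * @param jwtNVP       token claims the placeholders are resolved from
 * @return the expanded template, or {@code (uidAttr=value)} built by {@code equal(...)} when
 *         there is no template; {@link #NO_MATCH_FILTER} when a needed claim is absent
 */
private static String buildLookupFilter(String lookupFilter, String uidAttr, Map jwtNVP) {
    if (lookupFilter.isEmpty()) {
        String userParam = (String) jwtNVP.get(uidAttr);
        // equal() produces an escaped "(uidAttr=value)"; an absent claim must not match anything
        return userParam == null ? NO_MATCH_FILTER : equal(uidAttr, userParam).toString();
    }
    StringBuilder filter = new StringBuilder();
    int copiedUpTo = 0;
    int dollar = lookupFilter.indexOf('$');
    while (dollar >= 0) {
        int close = lookupFilter.indexOf('}', dollar);
        if (close < dollar + 2) {
            // "$" without a well-formed "{name}": keep the rest of the template verbatim rather than throw
            break;
        }
        String claimName = lookupFilter.substring(dollar + 2, close);
        Object claim = jwtNVP.get(claimName);
        if (claim == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("Claim '" + claimName + "' is not in the token, lookup cannot match");
            }
            return NO_MATCH_FILTER;
        }
        filter.append(lookupFilter, copiedUpTo, dollar);
        // the claim value is data, never filter syntax: escape it so it cannot widen or restructure the search
        filter.append(escapeFilterValue(claim.toString()));
        copiedUpTo = close + 1;
        dollar = lookupFilter.indexOf('$', dollar + 1);
    }
    filter.append(lookupFilter.substring(copiedUpTo));
    String result = filter.toString();
    if (logger.isDebugEnabled()) {
        logger.debug("Filter : '" + result + "'");
    }
    return result;
}

/**
 * Escapes a value for use inside an LDAP search filter assertion (RFC 4515):
 * {@code \ * ( )} and NUL become their {@code \XX} hex forms.
 */
private static String escapeFilterValue(String value) {
    StringBuilder out = new StringBuilder(value.length() + 8);
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        switch (c) {
            case '\\':
                out.append("\\5c");
                break;
            case '*':
                out.append("\\2a");
                break;
            case '(':
                out.append("\\28");
                break;
            case ')':
                out.append("\\29");
                break;
            case '\0':
                out.append("\\00");
                break;
            default:
                out.append(c);
        }
    }
    return out.toString();
}

/** Copies every attribute of the matched directory entry into {@code authInfo}, keyed by name. */
private static void copyDirectoryAttributes(LDAPEntry entry, AuthInfo authInfo) {
    Iterator<LDAPAttribute> it = entry.getAttributeSet().iterator();
    while (it.hasNext()) {
        LDAPAttribute ldapAttr = it.next();
        Attribute attr = new Attribute(ldapAttr.getName());
        for (String val : ldapAttr.getStringValueArray()) {
            attr.getValues().add(val);
        }
        authInfo.getAttribs().put(attr.getName(), attr);
    }
}

/**
 * Merges the token's claims into {@code authInfo}: a claim is appended to the attribute of the
 * same name (created if the directory had none) unless the value is already present.
 * Only {@code String} and {@code Object[]} claim values are copied; claims of other types
 * (numbers, booleans, nested objects) are ignored, as before. Array elements are converted with
 * {@code toString()} and {@code null} elements skipped.
 */
private static void mergeTokenClaims(Map jwtNVP, AuthInfo authInfo) {
    for (Object key : jwtNVP.keySet()) {
        String name = (String) key;
        Object claim = jwtNVP.get(name);
        Attribute attr = authInfo.getAttribs().get(name);
        if (attr == null) {
            attr = new Attribute(name);
            authInfo.getAttribs().put(name, attr);
        }
        if (claim instanceof String) {
            addIfAbsent(attr, (String) claim);
        } else if (claim instanceof Object[]) {
            for (Object element : (Object[]) claim) {
                if (element != null) {
                    addIfAbsent(attr, element.toString());
                }
            }
        }
    }
}

/** Adds {@code value} to {@code attr} unless it is already one of its values. */
private static void addIfAbsent(Attribute attr, String value) {
    if (!attr.getValues().contains(value)) {
        attr.getValues().add(value);
    }
}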

Example 92 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

the class OpenIDConnectAuthMech method loadUnlinkedUser.

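/**
 * Registers an {@link AuthInfo} on the session for a token subject that has no directory entry.
 *
 * <p>The DN is synthesised as {@code uidAttr=<uid>,ou=<noMatchOU>,<global LDAP root>}, where
 * {@code <uid>} is the token's {@code uidAttr} claim escaped per RFC 4514 so that a value
 * containing {@code , + " \ < > ;} (or a leading {@code #}/space, trailing space, NUL) still
 * forms a single well-formed RDN. Every claim becomes an attribute: array claims become
 * multi-valued (elements via {@code toString()}, {@code null} elements skipped), anything else
 * single-valued via {@code toString()}; claims whose value is {@code null} are skipped instead
 * of raising a NullPointerException. Finally {@code objectClass} is set to
 * {@code defaultObjectClass}.
 *
 * @param session            HTTP session holding the {@link AuthController} to update
 * @param noMatchOU          OU placed between the RDN and the LDAP root
 * @param uidAttr            attribute/claim name used for the RDN
 * @param act                the authentication chain being executed
 * @param jwtNVP             claims of the validated ID token
 * @param defaultObjectClass value of the synthesised {@code objectClass} attribute
 */
public static void loadUnlinkedUser(HttpSession session, String noMatchOU, String uidAttr, AuthChainType act, Map jwtNVP, String defaultObjectClass) {
    // String.valueOf keeps the historical "null" text when the claim is absent; that is a configuration
    // problem upstream, not something this method can recover from
    String uid = escapeRdnValue(String.valueOf(jwtNVP.get(uidAttr)));
    String dn = uidAttr + "=" + uid + ",ou=" + noMatchOU + "," + GlobalEntries.getGlobalEntries().getConfigManager().getCfg().getLdapRoot();
    AuthInfo authInfo = new AuthInfo(dn, (String) session.getAttribute(ProxyConstants.AUTH_MECH_NAME), act.getName(), act.getLevel());
    ((AuthController) session.getAttribute(ProxyConstants.AUTH_CTL)).setAuthInfo(authInfo);
    for (Object key : jwtNVP.keySet()) {
        String name = (String) key;
        Object claim = jwtNVP.get(name);
        if (claim == null) {
            if (logger.isDebugEnabled()) {
                logger.debug(name + " has no value, skipping");
            }
            continue;
        }
        if (logger.isDebugEnabled()) {
            logger.debug(name + " type - '" + claim.getClass().getName() + "'");
        }
        Attribute attr;
        if (claim.getClass().isArray()) {
            attr = new Attribute(name);
            for (Object element : (Object[]) claim) {
                if (element != null) {
                    attr.getValues().add(element.toString());
                }
            }
        } else {
            attr = new Attribute(name, claim.toString());
        }
        authInfo.getAttribs().put(attr.getName(), attr);
    }
    authInfo.getAttribs().put("objectClass", new Attribute("objectClass", defaultObjectClass));
}

/**
 * Escapes an attribute value for use in the string form of an RDN (RFC 4514 section 2.4).
 */
private static String escapeRdnValue(String value) {
    StringBuilder out = new StringBuilder(value.length() + 8);
    int last = value.length() - 1;
    for (int i = 0; i <= last; i++) {
        char c = value.charAt(i);
        switch (c) {
            case '"':
            case '+':
            case ',':
            case ';':
            case '<':
            case '>':
            case '\\':
                out.append('\\').append(c);
                break;
            case '\0':
                out.append("\\00");
                break;
            case '#':
                // only significant at the start of the value
                if (i == 0) {
                    out.append('\\');
                }
                out.append(c);
                break;
            case ' ':
                // leading and trailing spaces would otherwise be trimmed by DN parsers
                if (i == 0 || i == last) {
                    out.append('\\');
                }
                out.append(c);
                break;
            default:
                out.append(c);
        }
    }
    return out.toString();
}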

Example 93 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

the class Registration method doFilter.

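/**
 * Serves the two halves of U2F key registration for the already-authenticated user.
 *
 * <p>{@code GET} builds a {@link RegistrationRequest} for the user's existing keys, stores the
 * request (as JSON and as an object) and the {@link U2FServer} in the session, and forwards to
 * {@code challengeURI}. {@code POST} reads the browser's {@code tokenResponse} parameter, hands
 * it to the server stored by the preceding GET, persists the resulting key set on the user
 * through the configured workflow, and forwards to {@code registrationCompleteURI} with the
 * request attribute {@code register.result} set to {@code true}; a missing server or parameter,
 * an unparseable response or a rejected registration forwards there with {@code false}.
 * Other HTTP methods do nothing. The filter never delegates to {@code chain}.
 *
 * @param request  the current request
 * @param response the current response
 * @param chain    the remaining filter chain (not invoked)
 * @throws Exception propagated from the dispatcher, the workflow engine or key encryption
 */
@Override
public void doFilter(HttpFilterRequest request, HttpFilterResponse response, HttpFilterChain chain) throws Exception {
    String method = request.getMethod();
    if (method.equalsIgnoreCase("GET")) {
        startRegistration(request, response);
    } else if (method.equalsIgnoreCase("POST")) {
        completeRegistration(request, response);
    }
}

/** GET: prepares the registration challenge for the current user and forwards to the challenge page. */
private void startRegistration(HttpFilterRequest request, HttpFilterResponse response) throws Exception {
    // TODO switch this off
    AuthInfo userData = currentUser(request);
    String accountName = uidOf(userData);
    List<SecurityKeyData> keys = U2fUtil.loadUserKeys(userData, challengeStoreAttribute, encyrptionKeyName);
    String appID = U2fUtil.getApplicationId(request.getServletRequest());
    Set<String> origins = new HashSet<String>();
    origins.add(appID);
    // without attestation the trusted-certificate set is empty; the data store is keyed by a fresh random id
    U2FServer u2f = new U2FServerUnison(this.challengeGen, new UnisonDataStore(UUID.randomUUID().toString(), keys, (this.requireAttestation ? this.attestationCerts : new HashSet<X509Certificate>())), new BouncyCastleCrypto(), origins, this.requireAttestation);
    RegistrationRequest regRequest = u2f.getRegistrationRequest(accountName, appID);
    request.getSession().setAttribute(Registration.REGISTRATION_REQUEST_JSON, gson.toJson(regRequest));
    request.getSession().setAttribute(Registration.REGISTRATION_REQUEST, regRequest);
    request.getSession().setAttribute(Registration.SERVER, u2f);
    request.setAttribute(REGISTRATION_URI, request.getRequestURL().toString());
    request.getRequestDispatcher(this.challengeURI).forward(request.getServletRequest(), response.getServletResponse());
}

/** POST: verifies the browser's registration response and stores the user's updated key set. */
private void completeRegistration(HttpFilterRequest request, HttpFilterResponse response) throws Exception {
    U2FServer u2f = (U2FServer) request.getSession().getAttribute(SERVER);
    Attribute tokenResponse = request.getParameter("tokenResponse");
    if (u2f == null || tokenResponse == null || tokenResponse.getValues().isEmpty()) {
        // a POST not preceded by the GET, or one without a token response, is a failed registration rather than an NPE
        logger.warn("Registration POST without a pending registration request or tokenResponse");
        finishRegistration(request, response, false);
        return;
    }
    String tokenResponseJson = tokenResponse.getValues().get(0);
    if (logger.isDebugEnabled()) {
        logger.debug("response : '" + tokenResponseJson + "'");
    }
    RegistrationResponseHolder rrh = gson.fromJson(tokenResponseJson, RegistrationResponseHolder.class);
    if (rrh == null) {
        // Gson yields null for an empty or literal "null" body
        logger.warn("Could not parse tokenResponse");
        finishRegistration(request, response, false);
        return;
    }
    // NOTE(review): clientData is passed for both the clientData and the sessionId argument — confirm this is intended
    RegistrationResponse rr = new RegistrationResponse(rrh.getRegistrationData(), rrh.getClientData(), rrh.getClientData());
    try {
        u2f.processRegistrationResponse(rr, System.currentTimeMillis());
    } catch (U2FException e) {
        logger.error("Could not register", e);
        finishRegistration(request, response, false);
        return;
    }
    AuthInfo userData = currentUser(request);
    String uid = uidOf(userData);
    // the "doesntmatter" literal suggests the data store ignores the account name — confirm against UnisonDataStore
    String encrypted = U2fUtil.encode(u2f.getAllSecurityKeys("doesntmatter"), encyrptionKeyName);
    WFCall wc = new WFCall();
    wc.setName(this.workflowName);
    wc.setUidAttributeName(this.uidAttributeName);
    TremoloUser tu = new TremoloUser();
    tu.setUid(uid);
    tu.getAttributes().add(new Attribute(this.uidAttributeName, uid));
    tu.getAttributes().add(new Attribute(this.challengeStoreAttribute, encrypted));
    wc.setUser(tu);
    Map<String, Object> req = new HashMap<String, Object>();
    // presumably runs the workflow synchronously so the keys are stored before the completion page is shown
    req.put(ProvisioningParams.UNISON_EXEC_TYPE, ProvisioningParams.UNISON_EXEC_SYNC);
    wc.setRequestParams(req);
    GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getWorkFlow(this.workflowName).executeWorkflow(wc);
    finishRegistration(request, response, true);
}

/** Sets {@code register.result} and forwards to the completion page. */
private void finishRegistration(HttpFilterRequest request, HttpFilterResponse response, boolean succeeded) throws Exception {
    request.setAttribute("register.result", succeeded);
    request.getRequestDispatcher(this.registrationCompleteURI).forward(request.getServletRequest(), response.getServletResponse());
}

/** The {@link AuthInfo} this request was authenticated as. */
private static AuthInfo currentUser(HttpFilterRequest request) {
    return ((AuthController) request.getSession().getAttribute(ProxyConstants.AUTH_CTL)).getAuthInfo();
}

/** First value of the configured uid attribute, failing with a clear message instead of a NullPointerException. */
private String uidOf(AuthInfo userData) {
    Attribute uid = userData.getAttribs().get(this.uidAttributeName);
    if (uid == null || uid.getValues().isEmpty()) {
        throw new IllegalStateException("Authenticated user has no value for '" + this.uidAttributeName + "'");
    }
    return uid.getValues().get(0);
}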

Example 94 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

the class U2fAuth method doGet.

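/**
 * Starts or completes the U2F authentication step.
 *
 * <p>Without a {@code signResponse} parameter the request is the initial visit and goes to
 * {@link #startAuthentication}. With one, the browser's signature is verified by the
 * {@link U2FServer} stored in the session by that first visit; the key set is then re-encrypted
 * and written back to the user through the configured workflow, the step is marked successful
 * and the auth manager moves on. A browser-reported error, a missing server, or a rejected
 * signature marks the step failed only when the mechanism is {@code required}; the auth manager
 * moves on either way.
 *
 * @param request  the current request
 * @param response the current response
 * @param as       the authentication step to mark
 * @throws ServletException when a mechanism parameter is missing, the keys cannot be re-encrypted
 *         or the workflow fails; the underlying cause is preserved
 * @throws IOException propagated from the auth manager
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response, AuthStep as) throws IOException, ServletException {
    String signResponseJson = request.getParameter("signResponse");
    if (signResponseJson == null) {
        startAuthentication(request, response, as);
        return;
    }
    SignResponseHolder srh = gson.fromJson(signResponseJson, SignResponseHolder.class);
    HttpSession session = request.getSession();
    AuthController authCtl = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    AuthInfo userData = authCtl.getAuthInfo();
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    RequestHolder reqHolder = authCtl.getHolder();
    AuthChainType act = holder.getConfig().getAuthChains().get(reqHolder.getAuthChainName());
    AuthMechType amt = act.getAuthMech().get(as.getId());
    // the framework stores the mechanism params under this key; the generic type cannot be checked at runtime
    @SuppressWarnings("unchecked")
    HashMap<String, Attribute> authParams = (HashMap<String, Attribute>) session.getAttribute(ProxyConstants.AUTH_MECH_PARAMS);
    String challengeStoreAttribute = mechParam(authParams, "attribute");
    String encyrptionKeyName = mechParam(authParams, "encryptionKeyName");
    String uidAttributeName = mechParam(authParams, "uidAttributeName");
    String workflowName = mechParam(authParams, "workflowName");
    if (srh == null || srh.getErrorCode() > 0) {
        // Gson yields null for an empty or literal "null" parameter; treat it like a browser error
        logger.warn("Browser could not validate u2f token for user '" + userData.getUserDN() + "' : " + (srh == null ? "no response" : String.valueOf(srh.getErrorCode())));
        abortStep(as, amt, holder, request, response, session);
        return;
    }
    U2FServer u2f = (U2FServer) session.getAttribute(SERVER);
    if (u2f == null) {
        // no challenge was issued in this session, so there is nothing to verify the signature against
        logger.warn("No pending u2f challenge for user '" + userData.getUserDN() + "'");
        abortStep(as, amt, holder, request, response, session);
        return;
    }
    SignResponse sigResp = new SignResponse(srh.getKeyHandle(), srh.getSignatureData(), srh.getClientData(), srh.getSessionId());
    try {
        u2f.processSignResponse(sigResp);
    } catch (U2FException e) {
        logger.warn("Could not authenticate user : '" + e.getMessage() + "'", e);
        abortStep(as, amt, holder, request, response, session);
        return;
    }
    String encrypted;
    try {
        // the "doesntmatter" literal suggests the data store ignores the account name — confirm against UnisonDataStore
        encrypted = U2fUtil.encode(u2f.getAllSecurityKeys("doesntmatter"), encyrptionKeyName);
    } catch (Exception e) {
        // keep the cause: without it the log gives no hint why encryption failed
        throw new ServletException("Could not encrypt keys", e);
    }
    WFCall wc = new WFCall();
    wc.setName(workflowName);
    wc.setUidAttributeName(uidAttributeName);
    String uid = userData.getAttribs().get(uidAttributeName).getValues().get(0);
    TremoloUser tu = new TremoloUser();
    tu.setUid(uid);
    tu.getAttributes().add(new Attribute(uidAttributeName, uid));
    tu.getAttributes().add(new Attribute(challengeStoreAttribute, encrypted));
    wc.setUser(tu);
    Map<String, Object> req = new HashMap<String, Object>();
    // presumably runs the workflow synchronously so the keys are stored before the chain continues
    req.put(ProvisioningParams.UNISON_EXEC_TYPE, ProvisioningParams.UNISON_EXEC_SYNC);
    wc.setRequestParams(req);
    try {
        GlobalEntries.getGlobalEntries().getConfigManager().getProvisioningEngine().getWorkFlow(workflowName).executeWorkflow(wc);
    } catch (ProvisioningException e) {
        throw new ServletException("Could not save keys", e);
    }
    as.setSuccess(true);
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}

/** Reads a required mechanism parameter, failing with a clear message instead of a NullPointerException. */
private static String mechParam(HashMap<String, Attribute> authParams, String name) throws ServletException {
    Attribute param = authParams == null ? null : authParams.get(name);
    if (param == null || param.getValues().isEmpty()) {
        throw new ServletException("U2F authentication mechanism parameter '" + name + "' is not configured");
    }
    return param.getValues().get(0);
}

/** Marks the step failed if this mechanism is required, then lets the auth manager move on. */
private static void abortStep(AuthStep as, AuthMechType amt, UrlHolder holder, HttpServletRequest request, HttpServletResponse response, HttpSession session) throws IOException, ServletException {
    if (amt.getRequired().equals("required")) {
        as.setSuccess(false);
    }
    holder.getConfig().getAuthManager().nextAuth(request, response, session, false);
}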

Example 95 with Attribute

use of com.tremolosecurity.saml.Attribute in project OpenUnison by TremoloSecurity.

the class WordPressProvider method createUser.

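/** Meta rows every new WordPress user gets, in insertion order, as {meta_key, meta_value}. */
private static final String[][] DEFAULT_USER_META = {
    { "description", "" },
    { "rich_editing", "true" },
    { "comment_shortcuts", "false" },
    { "admin_color", "fresh" },
    { "use_ssl", "1" },
    { "show_admin_bar_front", "true" },
    { "show_admin_bar_admin", "false" },
    { "aim", "" },
    { "yim", "" },
    { "jabber", "" },
    { "wp_user_level", "0" },
    { "_bbp_last_posted", "" },
};

/**
 * Creates a WordPress user: one {@code wp_users} row plus its {@code wp_usermeta} rows.
 *
 * <p>The {@code wp_users} columns come from {@code user.getUserID()} (user_login) and the
 * {@code user_nicename}, {@code user_email} and {@code display_name} attributes; user_status is 0
 * and user_registered is the current date. Meta rows are then written for first_name, last_name
 * and nickname (from {@code first_name}, {@code last_name} and {@code display_name}), for the
 * defaults in {@link #DEFAULT_USER_META}, and finally one row per value for every remaining
 * attribute that is neither a {@code wp_users} column nor already written. The previous version
 * recorded the last default under the mis-spelled key {@code _bb_last_posted}, so an attribute
 * named {@code _bbp_last_posted} was written a second time; the recorded key now matches.
 * Every statement and result set opened here is closed before returning.
 *
 * @param con        open JDBC connection
 * @param user       the user to create; {@code getUserID()} becomes {@code user_login}
 * @param attributes attribute values keyed by name
 * @param request    provisioning request parameters (unused here)
 * @return the generated {@code wp_users} id
 * @throws ProvisioningException wrapping any {@link SQLException}, including a missing generated key
 * @throws IllegalArgumentException when a required attribute is absent or has no value
 */
@Override
public int createUser(Connection con, User user, Map<String, Attribute> attributes, Map<String, Object> request) throws ProvisioningException {
    try {
        int id = insertUserRow(con, user, attributes);
        PreparedStatement meta = con.prepareStatement("INSERT INTO wp_usermeta (user_id,meta_key,meta_value) VALUES (?,?,?)");
        try {
            HashSet<String> proced = new HashSet<String>();
            insertMeta(meta, id, "first_name", requiredValue(attributes, "first_name"));
            proced.add("first_name");
            insertMeta(meta, id, "last_name", requiredValue(attributes, "last_name"));
            proced.add("last_name");
            insertMeta(meta, id, "nickname", requiredValue(attributes, "display_name"));
            proced.add("nickname");
            for (String[] keyValue : DEFAULT_USER_META) {
                insertMeta(meta, id, keyValue[0], keyValue[1]);
                proced.add(keyValue[0]);
            }
            for (Map.Entry<String, Attribute> entry : attributes.entrySet()) {
                String key = entry.getKey();
                // wp_users columns went into the user row; keys already written as meta are not repeated
                if (this.wp_usersFields.contains(key) || proced.contains(key)) {
                    continue;
                }
                for (String val : entry.getValue().getValues()) {
                    insertMeta(meta, id, key, val);
                }
            }
        } finally {
            meta.close();
        }
        return id;
    } catch (SQLException e) {
        throw new ProvisioningException("Could not create user", e);
    }
}

/** Inserts the {@code wp_users} row and returns its generated id. */
private static int insertUserRow(Connection con, User user, Map<String, Attribute> attributes) throws SQLException {
    PreparedStatement psinsert = con.prepareStatement("INSERT INTO wp_users (user_login,user_nicename,user_email,user_registered,user_status,display_name) VALUES (?,?,?,?,?,?)", Statement.RETURN_GENERATED_KEYS);
    try {
        psinsert.setString(1, user.getUserID());
        psinsert.setString(2, requiredValue(attributes, "user_nicename"));
        psinsert.setString(3, requiredValue(attributes, "user_email"));
        // java.sql.Date keeps only the date part; epoch millis from the system clock is the same instant the old Joda call produced
        psinsert.setDate(4, new Date(System.currentTimeMillis()));
        psinsert.setInt(5, 0);
        psinsert.setString(6, requiredValue(attributes, "display_name"));
        psinsert.executeUpdate();
        ResultSet rs = psinsert.getGeneratedKeys();
        try {
            if (!rs.next()) {
                throw new SQLException("No generated key returned for wp_users insert of '" + user.getUserID() + "'");
            }
            return rs.getInt(1);
        } finally {
            rs.close();
        }
    } finally {
        psinsert.close();
    }
}

/** Executes one {@code wp_usermeta} insert on the reusable prepared statement. */
private static void insertMeta(PreparedStatement meta, int id, String key, String value) throws SQLException {
    meta.setInt(1, id);
    meta.setString(2, key);
    meta.setString(3, value);
    meta.executeUpdate();
}

/** First value of attribute {@code name}, rejecting a missing or empty attribute with a clear message. */
private static String requiredValue(Map<String, Attribute> attributes, String name) {
    Attribute attr = attributes.get(name);
    if (attr == null || attr.getValues().isEmpty()) {
        throw new IllegalArgumentException("Attribute '" + name + "' is required to create a WordPress user");
    }
    return attr.getValues().get(0);
}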
