Example 1 with PowerAuthClientException
use of com.wultra.security.powerauth.client.model.error.PowerAuthClientException in project powerauth-restful-integration by lime-company.
the class PowerAuthAuthenticationProvider method validateSignatureAuthentication.
/**
* Validate signature based authentication.
*
* @param authentication Signature based authentication object.
* @return API authentication object in case of successful authentication, null otherwise.
*/
private PowerAuthApiAuthenticationImpl validateSignatureAuthentication(PowerAuthSignatureAuthenticationImpl authentication) {
if (authentication.getSignatureType() != null) {
final SignatureTypeConverter converter = new SignatureTypeConverter();
final SignatureType signatureType = converter.convertFrom(authentication.getSignatureType());
if (signatureType == null) {
return null;
}
final VerifySignatureRequest request = new VerifySignatureRequest();
request.setActivationId(authentication.getActivationId());
request.setApplicationKey(authentication.getApplicationKey());
request.setSignature(authentication.getSignature());
request.setSignatureType(signatureType);
request.setSignatureVersion(authentication.getVersion());
request.setData(PowerAuthHttpBody.getSignatureBaseString(authentication.getHttpMethod(), authentication.getRequestUri(), authentication.getNonce(), authentication.getData()));
// This occurs when verifying signature during upgrade before upgrade is committed.
if (authentication.getForcedSignatureVersion() != null) {
request.setForcedSignatureVersion(authentication.getForcedSignatureVersion().longValue());
}
final VerifySignatureResponse response;
try {
response = powerAuthClient.verifySignature(request);
} catch (PowerAuthClientException ex) {
logger.warn("Signature validation failed, error: {}", ex.getMessage());
logger.debug("Error details", ex);
return null;
}
final AuthenticationContext authenticationContext = new AuthenticationContext();
authenticationContext.setValid(response.isSignatureValid());
authenticationContext.setRemainingAttempts(response.getRemainingAttempts() != null ? response.getRemainingAttempts().intValue() : null);
authenticationContext.setSignatureType(response.getSignatureType() != null ? PowerAuthSignatureTypes.getEnumFromString(response.getSignatureType().value()) : null);
final PowerAuthActivation activationContext = copyActivationAttributes(response.getActivationId(), response.getUserId(), activationStatusConverter.convertFrom(response.getActivationStatus()), response.getBlockedReason(), response.getActivationFlags(), authenticationContext, authentication.getVersion());
return copyAuthenticationAttributes(response.getActivationId(), response.getUserId(), response.getApplicationId(), response.getApplicationRoles(), response.getActivationFlags(), authenticationContext, authentication.getVersion(), authentication.getHttpHeader(), activationContext);
} else {
return null;
}
}
Also used :
AuthenticationContext(io.getlime.security.powerauth.rest.api.spring.model.AuthenticationContext)
PowerAuthClientException(com.wultra.security.powerauth.client.model.error.PowerAuthClientException)
PowerAuthActivation(io.getlime.security.powerauth.rest.api.spring.authentication.PowerAuthActivation)
SignatureTypeConverter(io.getlime.security.powerauth.rest.api.spring.converter.v3.SignatureTypeConverter)
Example 2 with PowerAuthClientException
use of com.wultra.security.powerauth.client.model.error.PowerAuthClientException in project powerauth-restful-integration by lime-company.
the class ActivationService method createActivation.
/**
* Create activation.
*
* @param request Create activation layer 1 request.
* @param eciesContext PowerAuth ECIES encryption context.
* @return Create activation layer 1 response.
* @throws PowerAuthActivationException In case create activation fails.
* @throws PowerAuthRecoveryException In case activation recovery fails.
*/
public ActivationLayer1Response createActivation(ActivationLayer1Request request, EciesEncryptionContext eciesContext) throws PowerAuthActivationException, PowerAuthRecoveryException {
try {
final String applicationKey = eciesContext.getApplicationKey();
final EciesEncryptedRequest activationData = request.getActivationData();
final String ephemeralPublicKey = activationData.getEphemeralPublicKey();
final String encryptedData = activationData.getEncryptedData();
final String mac = activationData.getMac();
final String nonce = activationData.getNonce();
final Map<String, String> identity = request.getIdentityAttributes();
final Map<String, Object> customAttributes = (request.getCustomAttributes() != null) ? request.getCustomAttributes() : new HashMap<>();
// Validate inner encryption
if (nonce == null && !"3.0".equals(eciesContext.getVersion())) {
logger.warn("Missing nonce for protocol version: {}", eciesContext.getVersion());
throw new PowerAuthActivationException();
}
switch(request.getType()) {
// Regular activation which uses "code" identity attribute
case CODE:
{
// Check if identity attributes are present
if (identity == null || identity.isEmpty()) {
logger.warn("Identity attributes are missing for code activation");
throw new PowerAuthActivationException();
}
// Extract data from request and encryption object
final String activationCode = identity.get("code");
if (activationCode == null || activationCode.isEmpty()) {
logger.warn("Activation code is missing");
throw new PowerAuthActivationException();
}
// Call PrepareActivation method on PA server
final PrepareActivationResponse response = powerAuthClient.prepareActivation(activationCode, applicationKey, ephemeralPublicKey, encryptedData, mac, nonce);
// Create context for passing parameters between activation provider calls
final Map<String, Object> context = new LinkedHashMap<>();
Map<String, Object> processedCustomAttributes = customAttributes;
// In case a custom activation provider is enabled, process custom attributes and save any flags
if (activationProvider != null) {
processedCustomAttributes = activationProvider.processCustomActivationAttributes(customAttributes, response.getActivationId(), response.getUserId(), response.getApplicationId(), ActivationType.CODE, context);
List<String> activationFlags = activationProvider.getActivationFlags(identity, processedCustomAttributes, response.getActivationId(), response.getUserId(), response.getApplicationId(), ActivationType.CODE, context);
if (activationFlags != null && !activationFlags.isEmpty()) {
powerAuthClient.addActivationFlags(response.getActivationId(), activationFlags);
}
}
boolean notifyActivationCommit = false;
if (response.getActivationStatus() == ActivationStatus.ACTIVE) {
// Activation was committed instantly due to presence of Activation OTP.
notifyActivationCommit = true;
} else {
// Otherwise check if activation should be committed instantly and if yes, perform commit.
if (activationProvider != null && activationProvider.shouldAutoCommitActivation(identity, customAttributes, response.getActivationId(), response.getUserId(), response.getApplicationId(), ActivationType.CODE, context)) {
CommitActivationResponse commitResponse = powerAuthClient.commitActivation(response.getActivationId(), null);
notifyActivationCommit = commitResponse.isActivated();
}
}
// Notify activation provider about an activation commit.
if (activationProvider != null && notifyActivationCommit) {
activationProvider.activationWasCommitted(identity, customAttributes, response.getActivationId(), response.getUserId(), response.getApplicationId(), ActivationType.CODE, context);
}
// Prepare and return encrypted response
return prepareEncryptedResponse(response.getEncryptedData(), response.getMac(), processedCustomAttributes);
}
// Custom activation
case CUSTOM:
{
// Check if there is a custom activation provider available, return an error in case it is not available
if (activationProvider == null) {
logger.warn("Activation provider is not available");
throw new PowerAuthActivationException();
}
// Check if identity attributes are present
if (identity == null || identity.isEmpty()) {
logger.warn("Identity attributes are missing for custom activation");
throw new PowerAuthActivationException();
}
// Create context for passing parameters between activation provider calls
final Map<String, Object> context = new LinkedHashMap<>();
// Lookup user ID using a provided identity attributes
final String userId = activationProvider.lookupUserIdForAttributes(identity, context);
// If no user was found or user ID is invalid, return an error
if (userId == null || userId.equals("") || userId.length() > 255) {
logger.warn("Invalid user ID: {}", userId);
throw new PowerAuthActivationException();
}
// Resolve maxFailedCount and activationExpireTimestamp parameters, null value means use value configured on PowerAuth server
final Integer maxFailed = activationProvider.getMaxFailedAttemptCount(identity, customAttributes, userId, ActivationType.CUSTOM, context);
final Long maxFailedCount = maxFailed == null ? null : maxFailed.longValue();
final Long activationValidityPeriod = activationProvider.getValidityPeriodDuringActivation(identity, customAttributes, userId, ActivationType.CUSTOM, context);
Date activationExpireTimestamp = null;
if (activationValidityPeriod != null) {
Instant now = Instant.now();
Instant expiration = now.plusMillis(activationValidityPeriod);
activationExpireTimestamp = Date.from(expiration);
}
// Create activation for a looked up user and application related to the given application key
final CreateActivationResponse response = powerAuthClient.createActivation(userId, activationExpireTimestamp, maxFailedCount, applicationKey, ephemeralPublicKey, encryptedData, mac, nonce);
// Process custom attributes using a custom logic
final Map<String, Object> processedCustomAttributes = activationProvider.processCustomActivationAttributes(customAttributes, response.getActivationId(), userId, response.getApplicationId(), ActivationType.CUSTOM, context);
// Save activation flags in case the provider specified any flags
final List<String> activationFlags = activationProvider.getActivationFlags(identity, processedCustomAttributes, response.getActivationId(), userId, response.getApplicationId(), ActivationType.CUSTOM, context);
if (activationFlags != null && !activationFlags.isEmpty()) {
powerAuthClient.addActivationFlags(response.getActivationId(), activationFlags);
}
// Check if activation should be committed instantly and if yes, perform commit
if (activationProvider.shouldAutoCommitActivation(identity, customAttributes, response.getActivationId(), userId, response.getApplicationId(), ActivationType.CUSTOM, context)) {
final CommitActivationResponse commitResponse = powerAuthClient.commitActivation(response.getActivationId(), null);
if (commitResponse.isActivated()) {
activationProvider.activationWasCommitted(identity, customAttributes, response.getActivationId(), userId, response.getApplicationId(), ActivationType.CUSTOM, context);
}
}
// Prepare encrypted activation data
final EciesEncryptedResponse encryptedActivationData = new EciesEncryptedResponse(response.getEncryptedData(), response.getMac());
// Prepare the created activation response data
final ActivationLayer1Response responseL1 = new ActivationLayer1Response();
responseL1.setCustomAttributes(processedCustomAttributes);
responseL1.setActivationData(encryptedActivationData);
// Return response
return responseL1;
}
// Activation using recovery code
case RECOVERY:
{
// Check if identity attributes are present
if (identity == null || identity.isEmpty()) {
logger.warn("Identity attributes are missing for activation recovery");
throw new PowerAuthActivationException();
}
// Extract data from request and encryption object
final String recoveryCode = identity.get("recoveryCode");
final String recoveryPuk = identity.get("puk");
if (recoveryCode == null || recoveryCode.isEmpty()) {
logger.warn("Recovery code is missing");
throw new PowerAuthActivationException();
}
if (recoveryPuk == null || recoveryPuk.isEmpty()) {
logger.warn("Recovery PUK is missing");
throw new PowerAuthActivationException();
}
// Create context for passing parameters between activation provider calls
final Map<String, Object> context = new LinkedHashMap<>();
// Resolve maxFailedCount, user ID is not known
Long maxFailedCount = null;
if (activationProvider != null) {
final Integer maxFailed = activationProvider.getMaxFailedAttemptCount(identity, customAttributes, null, ActivationType.RECOVERY, context);
maxFailedCount = maxFailed == null ? null : maxFailed.longValue();
}
// Call RecoveryCodeActivation method on PA server
final RecoveryCodeActivationResponse response = powerAuthClient.createActivationUsingRecoveryCode(recoveryCode, recoveryPuk, applicationKey, maxFailedCount, ephemeralPublicKey, encryptedData, mac, nonce);
Map<String, Object> processedCustomAttributes = customAttributes;
// In case a custom activation provider is enabled, process custom attributes and save any flags
if (activationProvider != null) {
processedCustomAttributes = activationProvider.processCustomActivationAttributes(customAttributes, response.getActivationId(), response.getUserId(), response.getApplicationId(), ActivationType.RECOVERY, context);
final List<String> activationFlags = activationProvider.getActivationFlags(identity, processedCustomAttributes, response.getActivationId(), response.getUserId(), response.getApplicationId(), ActivationType.RECOVERY, context);
if (activationFlags != null && !activationFlags.isEmpty()) {
powerAuthClient.addActivationFlags(response.getActivationId(), activationFlags);
}
}
// Automatically commit activation by default, the optional activation provider can override automatic commit
if (activationProvider == null || activationProvider.shouldAutoCommitActivation(identity, customAttributes, response.getActivationId(), response.getUserId(), response.getApplicationId(), ActivationType.RECOVERY, context)) {
final CommitActivationResponse commitResponse = powerAuthClient.commitActivation(response.getActivationId(), null);
if (activationProvider != null && commitResponse.isActivated()) {
activationProvider.activationWasCommitted(identity, customAttributes, response.getActivationId(), response.getUserId(), response.getApplicationId(), ActivationType.RECOVERY, context);
}
}
// Prepare and return encrypted response
return prepareEncryptedResponse(response.getEncryptedData(), response.getMac(), processedCustomAttributes);
}
default:
logger.warn("Invalid activation request");
throw new PowerAuthInvalidRequestException();
}
} catch (PowerAuthClientException ex) {
if (ex.getPowerAuthError() instanceof PowerAuthErrorRecovery) {
final PowerAuthErrorRecovery errorRecovery = (PowerAuthErrorRecovery) ex.getPowerAuthError();
logger.debug("Invalid recovery code, current PUK index: {}", errorRecovery.getCurrentRecoveryPukIndex());
throw new PowerAuthRecoveryException(ex.getMessage(), "INVALID_RECOVERY_CODE", errorRecovery.getCurrentRecoveryPukIndex());
}
logger.warn("Creating PowerAuth activation failed, error: {}", ex.getMessage());
logger.debug(ex.getMessage(), ex);
throw new PowerAuthActivationException();
} catch (PowerAuthActivationException ex) {
// Do not swallow PowerAuthActivationException for custom activations.
// See: https://github.com/wultra/powerauth-restful-integration/issues/199
logger.warn("Creating PowerAuth activation failed, error: {}", ex.getMessage());
throw ex;
} catch (Exception ex) {
logger.warn("Creating PowerAuth activation failed, error: {}", ex.getMessage());
logger.debug(ex.getMessage(), ex);
throw new PowerAuthActivationException();
}
}
Also used :
PowerAuthClientException(com.wultra.security.powerauth.client.model.error.PowerAuthClientException)
PowerAuthInvalidRequestException(io.getlime.security.powerauth.rest.api.spring.exception.authentication.PowerAuthInvalidRequestException)
ActivationLayer1Response(io.getlime.security.powerauth.rest.api.model.response.v3.ActivationLayer1Response)
Instant(java.time.Instant)
EciesEncryptedRequest(io.getlime.security.powerauth.rest.api.model.request.v3.EciesEncryptedRequest)
PowerAuthActivationException(io.getlime.security.powerauth.rest.api.spring.exception.PowerAuthActivationException)
PowerAuthInvalidRequestException(io.getlime.security.powerauth.rest.api.spring.exception.authentication.PowerAuthInvalidRequestException)
PowerAuthClientException(com.wultra.security.powerauth.client.model.error.PowerAuthClientException)
PowerAuthRecoveryException(io.getlime.security.powerauth.rest.api.spring.exception.PowerAuthRecoveryException)
PowerAuthActivationException(io.getlime.security.powerauth.rest.api.spring.exception.PowerAuthActivationException)
PowerAuthRecoveryException(io.getlime.security.powerauth.rest.api.spring.exception.PowerAuthRecoveryException)
PowerAuthErrorRecovery(com.wultra.security.powerauth.client.model.error.PowerAuthErrorRecovery)
EciesEncryptedResponse(io.getlime.security.powerauth.rest.api.model.response.v3.EciesEncryptedResponse)
Aggregations
PowerAuthClientException (com.wultra.security.powerauth.client.model.error.PowerAuthClientException)2
PowerAuthErrorRecovery (com.wultra.security.powerauth.client.model.error.PowerAuthErrorRecovery)1
EciesEncryptedRequest (io.getlime.security.powerauth.rest.api.model.request.v3.EciesEncryptedRequest)1
ActivationLayer1Response (io.getlime.security.powerauth.rest.api.model.response.v3.ActivationLayer1Response)1
EciesEncryptedResponse (io.getlime.security.powerauth.rest.api.model.response.v3.EciesEncryptedResponse)1
PowerAuthActivation (io.getlime.security.powerauth.rest.api.spring.authentication.PowerAuthActivation)1
SignatureTypeConverter (io.getlime.security.powerauth.rest.api.spring.converter.v3.SignatureTypeConverter)1
PowerAuthActivationException (io.getlime.security.powerauth.rest.api.spring.exception.PowerAuthActivationException)1
PowerAuthRecoveryException (io.getlime.security.powerauth.rest.api.spring.exception.PowerAuthRecoveryException)1
PowerAuthInvalidRequestException (io.getlime.security.powerauth.rest.api.spring.exception.authentication.PowerAuthInvalidRequestException)1
AuthenticationContext (io.getlime.security.powerauth.rest.api.spring.model.AuthenticationContext)1
Instant (java.time.Instant)1
