Example 31 with AuthTokenException
use of com.zimbra.cs.account.AuthTokenException in project zm-mailbox by Zimbra.
the class ZimbraAuthProviderForOAuth method authToken.
@Override
protected AuthToken authToken(HttpServletRequest req, boolean isAdminReq) throws AuthProviderException, AuthTokenException {
ZimbraLog.extensions.debug("authToken(HttpServletRequest req, boolean isAdminReq) is requested.");
if (isAdminReq) {
ZimbraLog.extensions.debug("isAdminReq:true");
return null;
}
String origUrl = req.getHeader("X-Zimbra-Orig-Url");
OAuthMessage oAuthMessage;
if (StringUtil.isNullOrEmpty(origUrl)) {
ZimbraLog.extensions.debug("request.getRequestURL(): " + req.getRequestURL());
oAuthMessage = OAuthServlet.getMessage(req, null);
} else {
ZimbraLog.extensions.debug("X-Zimbra-Orig-Url: " + origUrl);
oAuthMessage = OAuthServlet.getMessage(req, origUrl);
}
String accessToken;
try {
accessToken = oAuthMessage.getToken();
} catch (IOException e) {
ZimbraLog.extensions.debug("Error in getting OAuth token from request", e);
throw AuthProviderException.FAILURE(e.getMessage());
}
if (accessToken == null) {
ZimbraLog.extensions.debug("no need for further oauth processing");
throw AuthProviderException.NO_AUTH_DATA();
}
Account account;
try {
account = Provisioning.getInstance().getAccountByForeignPrincipal("oAuthAccessToken:" + accessToken);
} catch (ServiceException e) {
ZimbraLog.extensions.warn("Error in getting account using OAuth access token", e);
throw AuthProviderException.FAILURE(e.getMessage());
}
if (account == null) {
throw AuthProviderException.FAILURE("Could not identify account corresponding to the OAuth request");
}
OAuthAccessor accessor = null;
String[] accessors = account.getOAuthAccessor();
for (String val : accessors) {
if (val.startsWith(accessToken)) {
try {
accessor = new OAuthAccessorSerializer().deserialize(val.substring(accessToken.length() + 2));
} catch (ServiceException e) {
throw AuthProviderException.FAILURE("Error in deserializing OAuth accessor");
}
break;
}
}
if (accessor == null)
throw new AuthTokenException("invalid OAuth token");
try {
OAuthServiceProvider.VALIDATOR.validateMessage(oAuthMessage, accessor);
} catch (OAuthProblemException e) {
for (Map.Entry<String, Object> entry : e.getParameters().entrySet()) {
ZimbraLog.extensions.debug(entry.getKey() + ":" + entry.getValue());
}
ZimbraLog.extensions.debug("Exception in validating OAuth token", e);
throw new AuthTokenException("Exception in validating OAuth token", e);
} catch (Exception e) {
ZimbraLog.extensions.debug("Exception in validating OAuth token", e);
throw new AuthTokenException("Exception in validating OAuth token", e);
}
return AuthProvider.getAuthToken(account);
}
Also used :
OAuthAccessor(net.oauth.OAuthAccessor)
OAuthProblemException(net.oauth.OAuthProblemException)
Account(com.zimbra.cs.account.Account)
OAuthMessage(net.oauth.OAuthMessage)
ServiceException(com.zimbra.common.service.ServiceException)
OAuthAccessorSerializer(com.zimbra.cs.account.oauth.OAuthAccessorSerializer)
AuthTokenException(com.zimbra.cs.account.AuthTokenException)
IOException(java.io.IOException)
IOException(java.io.IOException)
ServiceException(com.zimbra.common.service.ServiceException)
OAuthProblemException(net.oauth.OAuthProblemException)
AuthTokenException(com.zimbra.cs.account.AuthTokenException)
Example 32 with AuthTokenException
use of com.zimbra.cs.account.AuthTokenException in project zm-mailbox by Zimbra.
the class ZimbraOAuthProvider method authToken.
@Override
protected AuthToken authToken(Element authTokenElem, Account acct) throws AuthProviderException, AuthTokenException {
ZAuthToken zAuthToken;
try {
zAuthToken = new ZAuthToken(authTokenElem, false);
} catch (ServiceException e) {
throw AuthProviderException.FAILURE(e.getMessage());
}
if (ZIMBRA_OAUTH_PROVIDER.equals(zAuthToken.getType())) {
Map<String, String> attrs = zAuthToken.getAttrs();
// TODO: no validation of access_token in IronMaiden D4!!!
String accessToken = attrs.get(OAUTH_ACCESS_TOKEN);
if (Strings.isNullOrEmpty(accessToken)) {
throw new AuthTokenException("no oauth access token");
}
return authToken(acct);
} else {
throw AuthProviderException.NO_AUTH_DATA();
}
}
Also used :
ServiceException(com.zimbra.common.service.ServiceException)
AuthTokenException(com.zimbra.cs.account.AuthTokenException)
ZAuthToken(com.zimbra.common.auth.ZAuthToken)
Example 33 with AuthTokenException
use of com.zimbra.cs.account.AuthTokenException in project zm-mailbox by Zimbra.
the class CsrfUtilTest method testDecodeValidCsrfToken.
@Test
public final void testDecodeValidCsrfToken() {
try {
Account acct = Provisioning.getInstance().getAccountByName("test@zimbra.com");
AuthToken authToken = new ZimbraAuthToken(acct);
String csrfToken = CsrfUtil.generateCsrfToken(acct.getId(), AUTH_TOKEN_EXPR, CSRFTOKEN_SALT, authToken);
Pair<String, String> tokenParts = CsrfUtil.parseCsrfToken(csrfToken);
assertNotNull(tokenParts.getFirst());
assertNotNull(tokenParts.getSecond());
assertEquals("0", tokenParts.getSecond());
} catch (ServiceException | AuthTokenException e) {
fail("Should not throw exception.");
}
}
Also used :
Account(com.zimbra.cs.account.Account)
ServiceException(com.zimbra.common.service.ServiceException)
ZimbraAuthToken(com.zimbra.cs.account.ZimbraAuthToken)
AuthTokenException(com.zimbra.cs.account.AuthTokenException)
ZimbraAuthToken(com.zimbra.cs.account.ZimbraAuthToken)
AuthToken(com.zimbra.cs.account.AuthToken)
Test(org.junit.Test)
Example 34 with AuthTokenException
use of com.zimbra.cs.account.AuthTokenException in project zm-mailbox by Zimbra.
the class OAuthServiceProvider method markAsAuthorized.
/**
* Mark OAuth consumer as authorized and update accessor properties.
*/
public static synchronized void markAsAuthorized(OAuthAccessor accessor, String userId, String zauthtoken) throws OAuthException {
accessor.setProperty("user", userId);
accessor.setProperty("authorized", Boolean.TRUE);
accessor.setProperty("ZM_AUTH_TOKEN", zauthtoken);
AuthToken zimbraAuthToken;
try {
zimbraAuthToken = ZimbraAuthToken.getAuthToken(zauthtoken);
final Account account = zimbraAuthToken.getAccount();
setAccountPropertiesForAccessor(account, accessor);
} catch (AuthTokenException | UnsupportedEncodingException | ServiceException e) {
throw new OAuthException(e);
}
accessor.consumer.setProperty("approved_on", Long.toString(System.currentTimeMillis()));
}
Also used :
Account(com.zimbra.cs.account.Account)
ServiceException(com.zimbra.common.service.ServiceException)
AuthTokenException(com.zimbra.cs.account.AuthTokenException)
OAuthException(net.oauth.OAuthException)
ZimbraAuthToken(com.zimbra.cs.account.ZimbraAuthToken)
AuthToken(com.zimbra.cs.account.AuthToken)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
Example 35 with AuthTokenException
use of com.zimbra.cs.account.AuthTokenException in project zm-mailbox by Zimbra.
the class Auth method handle.
@Override
public Element handle(Element request, Map<String, Object> context) throws ServiceException {
ZimbraSoapContext zsc = getZimbraSoapContext(context);
AuthToken at = null;
Account acct = null;
Provisioning prov = Provisioning.getInstance();
boolean csrfSupport = request.getAttributeBool(AccountConstants.A_CSRF_SUPPORT, false);
String name = request.getAttribute(AdminConstants.E_NAME, null);
Element acctEl = request.getOptionalElement(AccountConstants.E_ACCOUNT);
//only perform auth-token authentication if other credentials are not provided
if (name == null && acctEl == null) {
//get an auth token from cookie
at = zsc.getAuthToken();
if (at == null) {
//if auth token is not in the cookie check for auth token in SOAP
Element authTokenEl = request.getOptionalElement(AdminConstants.E_AUTH_TOKEN);
if (authTokenEl != null) {
try {
at = AuthProvider.getAuthToken(request, new HashMap<String, Object>());
} catch (AuthTokenException e) {
throw ServiceException.AUTH_REQUIRED();
}
}
}
if (at == null) {
//neither login credentials nor valid auth token could be retrieved
throw ServiceException.AUTH_REQUIRED();
}
com.zimbra.cs.service.account.Auth.addAccountToLogContextByAuthToken(prov, at);
if (at.isExpired())
throw ServiceException.AUTH_EXPIRED();
if (!at.isRegistered())
throw ServiceException.AUTH_EXPIRED("authtoken is invalid");
// make sure that the authenticated account is active and has not been deleted/disabled since the last request
acct = prov.get(AccountBy.id, at.getAccountId(), at);
if (acct == null || !acct.getAccountStatus(prov).equals(Provisioning.ACCOUNT_STATUS_ACTIVE))
throw ServiceException.AUTH_EXPIRED();
// make sure the authenticated account is an admin account
checkAdmin(acct);
} else {
/*
* only one of
* <name>...</name>
* or
* <account by="name|id|foreignPrincipal">...</account>
* can/must be specified
*/
if (name != null && acctEl != null)
throw ServiceException.INVALID_REQUEST("only one of <name> or <account> can be specified", null);
if (name == null && acctEl == null)
throw ServiceException.INVALID_REQUEST("missing <name> or <account>", null);
String password = request.getAttribute(AdminConstants.E_PASSWORD);
String twoFactorCode = request.getAttribute(AccountConstants.E_TWO_FACTOR_CODE, null);
Element virtualHostEl = request.getOptionalElement(AccountConstants.E_VIRTUAL_HOST);
String virtualHost = virtualHostEl == null ? null : virtualHostEl.getText().toLowerCase();
String valuePassedIn;
AccountBy by;
String value;
if (name != null) {
valuePassedIn = name;
by = AccountBy.name;
} else {
valuePassedIn = acctEl.getText();
String byStr = acctEl.getAttribute(AccountConstants.A_BY, AccountBy.name.name());
by = AccountBy.fromString(byStr);
}
value = valuePassedIn;
try {
if (by == AccountBy.name && value.indexOf("@") == -1) {
// first try to get by adminName, which resolves the account under cn=admins,cn=zimbra
// and does not need a domain
acct = prov.get(AccountBy.adminName, value, zsc.getAuthToken());
// not found, try applying virtual host name
if (acct == null) {
if (virtualHost != null) {
Domain d = prov.get(Key.DomainBy.virtualHostname, virtualHost);
if (d != null)
value = value + "@" + d.getName();
}
}
}
if (acct == null)
acct = prov.get(by, value);
if (acct == null)
throw AuthFailedServiceException.AUTH_FAILED(value, valuePassedIn, "account not found");
AccountUtil.addAccountToLogContext(prov, acct.getId(), ZimbraLog.C_NAME, ZimbraLog.C_ID, null);
ZimbraLog.security.info(ZimbraLog.encodeAttrs(new String[] { "cmd", "AdminAuth", "account", value }));
Map<String, Object> authCtxt = new HashMap<String, Object>();
authCtxt.put(AuthContext.AC_ORIGINATING_CLIENT_IP, context.get(SoapEngine.ORIG_REQUEST_IP));
authCtxt.put(AuthContext.AC_REMOTE_IP, context.get(SoapEngine.SOAP_REQUEST_IP));
authCtxt.put(AuthContext.AC_ACCOUNT_NAME_PASSEDIN, valuePassedIn);
authCtxt.put(AuthContext.AC_USER_AGENT, zsc.getUserAgent());
authCtxt.put(AuthContext.AC_AS_ADMIN, Boolean.TRUE);
prov.authAccount(acct, password, AuthContext.Protocol.soap, authCtxt);
TwoFactorAuth twoFactorAuth = TwoFactorAuth.getFactory().getTwoFactorAuth(acct);
boolean usingTwoFactorAuth = twoFactorAuth.twoFactorAuthEnabled();
if (usingTwoFactorAuth) {
if (twoFactorCode != null) {
twoFactorAuth.authenticate(twoFactorCode);
}
}
checkAdmin(acct);
AuthMech authedByMech = (AuthMech) authCtxt.get(AuthContext.AC_AUTHED_BY_MECH);
at = AuthProvider.getAuthToken(acct, true, authedByMech);
} catch (ServiceException se) {
ZimbraLog.security.warn(ZimbraLog.encodeAttrs(new String[] { "cmd", "AdminAuth", "account", value, "error", se.getMessage() }));
throw se;
}
}
if (at != null) {
at.setCsrfTokenEnabled(csrfSupport);
}
ServletRequest httpReq = (ServletRequest) context.get(SoapServlet.SERVLET_REQUEST);
httpReq.setAttribute(CsrfFilter.AUTH_TOKEN, at);
return doResponse(request, at, zsc, context, acct, csrfSupport);
}
Also used :
Account(com.zimbra.cs.account.Account)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
ServletRequest(javax.servlet.ServletRequest)
HashMap(java.util.HashMap)
Element(com.zimbra.common.soap.Element)
Provisioning(com.zimbra.cs.account.Provisioning)
AccountBy(com.zimbra.common.account.Key.AccountBy)
AuthMech(com.zimbra.cs.account.auth.AuthMechanism.AuthMech)
ServiceException(com.zimbra.common.service.ServiceException)
AuthFailedServiceException(com.zimbra.cs.account.AccountServiceException.AuthFailedServiceException)
ZimbraSoapContext(com.zimbra.soap.ZimbraSoapContext)
TwoFactorAuth(com.zimbra.cs.account.auth.twofactor.TwoFactorAuth)
AuthTokenException(com.zimbra.cs.account.AuthTokenException)
AuthToken(com.zimbra.cs.account.AuthToken)
Domain(com.zimbra.cs.account.Domain)
Aggregations
AuthTokenException (com.zimbra.cs.account.AuthTokenException)37
AuthToken (com.zimbra.cs.account.AuthToken)25
ServiceException (com.zimbra.common.service.ServiceException)24
Account (com.zimbra.cs.account.Account)20
Provisioning (com.zimbra.cs.account.Provisioning)8
ZimbraAuthToken (com.zimbra.cs.account.ZimbraAuthToken)7
IOException (java.io.IOException)7
HttpClient (org.apache.commons.httpclient.HttpClient)7
GetMethod (org.apache.commons.httpclient.methods.GetMethod)7
ZimbraSoapContext (com.zimbra.soap.ZimbraSoapContext)6
ServletException (javax.servlet.ServletException)6
Element (com.zimbra.common.soap.Element)5
Server (com.zimbra.cs.account.Server)5
HttpMethod (org.apache.commons.httpclient.HttpMethod)5
Domain (com.zimbra.cs.account.Domain)4
GuestAccount (com.zimbra.cs.account.GuestAccount)4
HashMap (java.util.HashMap)4
HttpServletRequest (javax.servlet.http.HttpServletRequest)4
ZMailbox (com.zimbra.client.ZMailbox)3
AccountBy (com.zimbra.common.account.Key.AccountBy)3
