
Example 1 with TransactionState

use of edu.uiuc.ncsa.security.delegation.servlet.TransactionState in project OA4MP by ncsa.

Class ACS2, method doDelegation.

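/**
 * Handles the protected-asset (certificate) leg of the delegation flow.
 * <p>
 * Builds a {@code PARequest} from the incoming request, lets the PA issuer process it, then — if the
 * transaction does not yet carry a certificate request — validates and stores the PKCS#10 request and
 * certificate lifetime supplied as request parameters before the real cert request is made. Finally the
 * username and any extra response parameters are attached to the response and written back.
 *
 * @param httpServletRequest  the client's request; must carry the cert request (and optionally lifetime) parameters
 * @param httpServletResponse the response the PA response is written to
 * @throws Throwable {@code GeneralException} when the cert request parameter is missing, empty, unparseable,
 *                   or the lifetime is not a valid non-negative number of seconds; anything thrown by the issuer
 */
protected void doDelegation(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Throwable {
    info("6.a. Starting to process cert request");
    PARequest paRequest = new PARequest(httpServletRequest, getClient(httpServletRequest));
    String statusString = "client = " + paRequest.getClient().getIdentifier();
    // The next call will pull the access token off of any parameters. The result may be null if there is
    // no access token.
    paRequest.setAccessToken(getAccessToken(httpServletRequest));
    PAResponse paResponse = (PAResponse) getPAI().process(paRequest);
    debug("6.a. " + statusString);
    ServiceTransaction t = verifyAndGet(paResponse);
    Map<String, String[]> params = httpServletRequest.getParameterMap();
    if (t.getCertReq() == null) {
        // CIL-409 fix -- fail immediately if the cert request is missing. The presence check must run
        // before the value is dereferenced, otherwise a missing parameter surfaces as an NPE.
        String[] certReqValues = params.get(CONST(ServiceConstantKeys.CERT_REQUEST_KEY));
        if (certReqValues == null || certReqValues.length == 0) {
            throw new GeneralException("Error: Missing cert request parameter.");
        }
        String rawCR = certReqValues[0];
        // CIL-409 fix
        if (isEmpty(rawCR)) {
            throw new GeneralException("Error: Empty cert request.");
        }
        MyPKCS10CertRequest certReq;
        try {
            certReq = CertUtil.fromStringToCertReq(rawCR);
        } catch (Throwable throwable) {
            // The cause is chained into the thrown exception; no separate stack dump to stderr.
            throw new GeneralException("Error: cert request is bad/not understandable:" + (rawCR == null ? "(null)" : rawCR), throwable);
        }
        t.setCertReq(certReq);
        // The assumption at this point is that this value is in seconds, which is valid for OIDC clients.
        String[] lifetimeValues = params.get(CONST(ServiceConstantKeys.CERT_LIFETIME_KEY));
        if (lifetimeValues != null && lifetimeValues.length > 0) {
            long lifetimeSeconds;
            try {
                lifetimeSeconds = Long.parseLong(lifetimeValues[0]);
            } catch (NumberFormatException e) {
                // Client-supplied value: reject with a domain exception rather than leaking a NumberFormatException.
                throw new GeneralException("Error: cert lifetime is not an integer number of seconds:" + lifetimeValues[0], e);
            }
            if (lifetimeSeconds < 0) {
                throw new GeneralException("Error: cert lifetime must not be negative.");
            }
            // Guard the seconds -> milliseconds conversion against silent long overflow.
            if (lifetimeSeconds > Long.MAX_VALUE / 1000L) {
                throw new GeneralException("Error: cert lifetime is too large.");
            }
            t.setLifetime(1000L * lifetimeSeconds);
        } else {
            // set the default to 10 days if there is no certlifetime parameter passed in.
            t.setLifetime(1000L * 10 * 24 * 3600);
        }
        getTransactionStore().save(t);
    }
    info("6.a. Processing request for transaction " + t.getIdentifier());
    doRealCertRequest(t, statusString);
    // The access token is single use for this leg; invalidate it before handing control to the pre-processor.
    t.setAccessTokenValid(false);
    preprocess(new TransactionState(httpServletRequest, httpServletResponse, paResponse.getParameters(), t));
    debug("6.a. protected asset:" + (t.getProtectedAsset() == null ? "(null)" : "ok") + ", " + statusString);
    HashMap<String, String> username = new HashMap<String, String>();
    username.put("username", t.getUsername());
    // Extra response parameters are optional; the issuer may return none.
    if (paResponse.getParameters() != null) {
        username.putAll(paResponse.getParameters());
    }
    paResponse.setAdditionalInformation(username);
    paResponse.setProtectedAsset(t.getProtectedAsset());
    debug("6.a. Added username \"" + t.getUsername() + "\" & cert for request from " + statusString);
    getTransactionStore().save(t);
    info("6.b. Done with cert request " + statusString);
    paResponse.write(httpServletResponse);
    info("6.b. Completed transaction " + t.getIdentifierString() + ", " + statusString);
    postprocess(new TransactionState(httpServletRequest, httpServletResponse, paResponse.getParameters(), t));
}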

Example 2 with TransactionState

use of edu.uiuc.ncsa.security.delegation.servlet.TransactionState in project OA4MP by ncsa.

Class AbstractAccessTokenServlet, method doDelegation.

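/**
 * Performs the access-token exchange leg of the delegation flow.
 * <p>
 * Reads the verifier and authorization grant from the request, asks the AT issuer for an access token,
 * marks the grant as consumed and the new token as valid on the transaction, persists it and runs the
 * pre/post-processors. The response itself is not written here (see the commented-out write call); the
 * caller receives the resulting {@link IssuerTransactionState} and is responsible for the response.
 *
 * @param client              the already-resolved client making the exchange
 * @param httpServletRequest  the token request
 * @param httpServletResponse the response handed to the processors
 * @return the transaction state, carrying the issuer response for the caller to render
 * @throws ServletException if the updated transaction cannot be saved
 * @throws Throwable        anything raised by the token forge, the issuer or the processors
 */
protected IssuerTransactionState doDelegation(Client client, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Throwable, ServletException {
    // NOTE(review): this dumps every request parameter; check it is debug-only so grant/verifier values do not reach production logs.
    printAllParameters(httpServletRequest);
    info("5.a. Starting access token exchange");
    Verifier v = getServiceEnvironment().getTokenForge().getVerifier(httpServletRequest);
    AuthorizationGrant ag = getServiceEnvironment().getTokenForge().getAuthorizationGrant(httpServletRequest);
    ATRequest atRequest = new ATRequest(httpServletRequest, client);
    atRequest.setVerifier(v);
    atRequest.setAuthorizationGrant(ag);
    // FIXME!! make this configurable??
    atRequest.setExpiresIn(DateUtils.MAX_TIMEOUT);
    ATResponse atResp = (ATResponse) getATI().process(atRequest);
    ServiceTransaction transaction = verifyAndGet(atResp);
    String cc = "client=" + transaction.getClient();
    info("5.a. got access token " + cc);
    preprocess(new TransactionState(httpServletRequest, httpServletResponse, atResp.getParameters(), transaction));
    // Do not log the token or verifier values themselves: they are bearer credentials. Presence is enough for tracing.
    debug("5.a. access token issued (present=" + (atResp.getAccessToken() != null) + ") for verifier (present=" + (v != null) + "), " + cc);
    // The grant is single use: once exchanged it must never be accepted again.
    transaction.setAuthGrantValid(false);
    transaction.setAccessToken(atResp.getAccessToken());
    transaction.setAccessTokenValid(true);
    try {
        getTransactionStore().save(transaction);
        info("5.a. updated transaction state for " + cc + ", sending response to client");
    } catch (GeneralException e) {
        throw new ServletException("Error saving transaction", e);
    }
    // atResp.write(httpServletResponse);
    info("5.b. done with access token exchange with " + cc);
    IssuerTransactionState transactionState = new IssuerTransactionState(httpServletRequest, httpServletResponse, atResp.getParameters(), transaction, atResp);
    postprocess(transactionState);
    return transactionState;
}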

Example 3 with TransactionState

use of edu.uiuc.ncsa.security.delegation.servlet.TransactionState in project OA4MP by ncsa.

Class AbstractAuthorizationServlet, method createRedirect.

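/**
 * Finishes the authorization leg: determines the user name (from a configured header or from the login
 * form), records it on the transaction, sets the verifier, opens the MyProxy connection and redirects
 * the browser to the client's callback.
 *
 * @param request  the authorization request
 * @param response the response used for the redirect
 * @param trans    the transaction being authorized; its user name and verifier are updated and saved here
 * @throws Throwable {@code GeneralException} when a required header is absent or carries several values;
 *                   anything raised by the MyProxy connection, cert request or redirect
 */
protected void createRedirect(HttpServletRequest request, HttpServletResponse response, ServiceTransaction trans) throws Throwable {
    String userName = null;
    String password = null;
    // Fixes OAUTH-192.
    if (getServiceEnvironment().getAuthorizationServletConfig().isUseHeader()) {
        String headerName = getServiceEnvironment().getAuthorizationServletConfig().getHeaderFieldName();
        // An empty or REMOTE_USER header name means "ask the container"; equalsIgnoreCase avoids the
        // locale-dependent toLowerCase() and is null-safe.
        if (isEmpty(headerName) || "remote_user".equalsIgnoreCase(headerName)) {
            userName = request.getRemoteUser();
        } else {
            Enumeration<String> headerValues = request.getHeaders(headerName);
            if (!headerValues.hasMoreElements()) {
                throw new GeneralException("Error: A custom header of \"" + headerName + "\" was specified for authorization, but no value was found.");
            }
            userName = headerValues.nextElement();
            // Exactly one value is accepted; a repeated identity header is rejected rather than silently picking one.
            if (headerValues.hasMoreElements()) {
                throw new GeneralException("Error: A custom header of \"" + headerName + "\" was specified for authorization, but multiple values were found.");
            }
        }
        if (getServiceEnvironment().getAuthorizationServletConfig().isRequireHeader()) {
            if (isEmpty(userName)) {
                warn("Headers required, but none found.");
                throw new GeneralException("Headers required, but none found.");
            }
            // NOTE(review): the header-derived user name is not stored on trans in this branch; the value read
            // back below is whatever was saved earlier in the flow. Confirm that is intended.
        } else {
            // Header is optional: use it when present, otherwise fall back to the form field.
            if (isEmpty(userName)) {
                userName = request.getParameter(AUTHORIZATION_USER_NAME_KEY);
            }
            trans.setUsername(userName);
        }
    } else {
        // Headers not used, just pull it off the form the user POSTs.
        userName = request.getParameter(AUTHORIZATION_USER_NAME_KEY);
        password = request.getParameter(AUTHORIZATION_PASSWORD_KEY);
        trans.setUsername(userName);
    }
    // From here on the transaction is the source of truth for the user name.
    userName = trans.getUsername();
    info("3.b. transaction has user name = " + userName);
    // The right place to invoke the pre-processor.
    preprocess(new TransactionState(request, response, null, trans));
    String statusString = " transaction =" + trans.getIdentifierString() + " and client=" + trans.getClient().getIdentifierString();
    trans.setVerifier(MyProxyDelegationServlet.getServiceEnvironment().getTokenForge().getVerifier());
    MyProxyDelegationServlet.getServiceEnvironment().getTransactionStore().save(trans);
    setupMPConnection(trans, userName, password);
    // Change is to close this connection after verifying it works.
    // Oauth 1 will get the cert, OAuth 2 will do nothing here, getting the cert later.
    doRealCertRequest(trans, statusString);
    debug("4.a. verifier = " + trans.getVerifier() + ", " + statusString);
    String cb = createCallback(trans, getFirstParameters(request));
    info("4.a. starting redirect to " + cb + ", " + statusString);
    response.sendRedirect(cb);
    info("4.b. Redirect to callback " + cb + " ok, " + statusString);
}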

Example 4 with TransactionState

use of edu.uiuc.ncsa.security.delegation.servlet.TransactionState in project OA4MP by ncsa.

Class AbstractAuthorizationServlet, method present.

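/**
 * Renders the page for the current authorization state.
 * <p>
 * For {@code AUTHORIZATION_ACTION_START}, when header-based authentication is configured the user name is
 * read from the container ({@code REMOTE_USER}) or the configured header, stored on the transaction and
 * exposed (HTML-escaped) to the page; the initial JSP is then forwarded to. For
 * {@code AUTHORIZATION_ACTION_OK} the OK page is shown. Any other state is logged and ignored.
 *
 * @param state the presentable state; must be an {@code AuthorizedState}
 * @throws Throwable {@code GeneralException} when a required header yields no user name; anything raised
 *                   by the transaction store or the JSP forward
 */
public void present(PresentableState state) throws Throwable {
    AuthorizedState aState = (AuthorizedState) state;
    postprocess(new TransactionState(state.getRequest(), aState.getResponse(), null, aState.getTransaction()));
    switch (aState.getState()) {
        case AUTHORIZATION_ACTION_START: {
            String initPage = INITIAL_PAGE;
            info("*** STARTING present");
            if (getServiceEnvironment().getAuthorizationServletConfig().isUseHeader()) {
                initPage = REMOTE_USER_INITIAL_PAGE;
                info("*** PRESENT: Use headers enabled.");
                String headerFieldName = getServiceEnvironment().getAuthorizationServletConfig().getHeaderFieldName();
                String x;
                // Same rule as createRedirect: an empty or REMOTE_USER header name means "ask the container".
                // equalsIgnoreCase is null-safe, so a missing header name no longer throws an NPE here.
                if (isEmpty(headerFieldName) || "REMOTE_USER".equalsIgnoreCase(headerFieldName)) {
                    // slightly more surefire way to get this.
                    x = aState.getRequest().getRemoteUser();
                    info("*** got user name from request = " + x);
                } else {
                    x = aState.getRequest().getHeader(headerFieldName);
                    info("Got username from header \"" + headerFieldName + "\" + directly: " + x);
                }
                if (isEmpty(x)) {
                    if (getServiceEnvironment().getAuthorizationServletConfig().isRequireHeader()) {
                        throw new GeneralException("Error: configuration required using the header \"" + headerFieldName + "\" " + "but this was not set. Cannot continue.");
                    }
                    // not required, it is null
                } else {
                    // name is set. optional or required
                    aState.getTransaction().setUsername(x);
                    info("*** storing user name = " + x);
                    getTransactionStore().save(aState.getTransaction());
                    // make it display pretty as per usual conventions. This is never reused, however.
                    // Escaped because the value originates from a request header and is rendered into the page.
                    aState.getRequest().setAttribute(AUTHORIZATION_USER_NAME_VALUE, escapeHtml(x));
                }
            } else {
                info("*** PRESENT: Use headers DISABLED.");
            }
            JSPUtil.fwd(state.getRequest(), state.getResponse(), initPage);
            info("3.a. User information obtained for grant = " + aState.getTransaction().getAuthorizationGrant());
            break;
        }
        case AUTHORIZATION_ACTION_OK:
            JSPUtil.fwd(state.getRequest(), state.getResponse(), OK_PAGE);
            break;
        default:
            // fall through and do nothing
            debug("Hit default case in AbstractAuthZ servlet");
    }
}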

Example 5 with TransactionState

use of edu.uiuc.ncsa.security.delegation.servlet.TransactionState in project OA4MP by ncsa.

Class AbstractCertServlet, method doDelegation.

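/**
 * Handles the protected-asset (certificate) leg of the delegation flow.
 * <p>
 * Builds a {@code PARequest} carrying the access token found on the request, lets the PA issuer process it,
 * invalidates the access token on the transaction, attaches the username and any extra response parameters
 * to the response and writes it back to the client.
 *
 * @param httpServletRequest  the client's request, expected to carry an access token
 * @param httpServletResponse the response the PA response is written to
 * @throws Throwable anything raised by the token forge, the issuer, the transaction store or the processors
 */
protected void doDelegation(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Throwable {
    info("6.a. Starting to process cert request");
    PARequest paRequest = new PARequest(httpServletRequest, getClient(httpServletRequest));
    String cc = "client = " + paRequest.getClient().getIdentifier();
    paRequest.setAccessToken(getServiceEnvironment().getTokenForge().getAccessToken(httpServletRequest));
    PAResponse paResponse = (PAResponse) getPAI().process(paRequest);
    debug("6.a. " + cc);
    ServiceTransaction t = verifyAndGet(paResponse);
    info("6.a. Processing request for transaction " + t.getIdentifier());
    // The access token is single use for this leg; invalidate it before handing control to the pre-processor.
    t.setAccessTokenValid(false);
    preprocess(new TransactionState(httpServletRequest, httpServletResponse, paResponse.getParameters(), t));
    debug("6.a. protected asset:" + (t.getProtectedAsset() == null ? "(null)" : "ok") + ", " + cc);
    HashMap<String, String> username = new HashMap<String, String>();
    username.put("username", t.getUsername());
    // Extra response parameters are optional; guard against a null map as the ACS2 variant does.
    if (paResponse.getParameters() != null) {
        username.putAll(paResponse.getParameters());
    }
    paResponse.setAdditionalInformation(username);
    paResponse.setProtectedAsset(t.getProtectedAsset());
    debug("6.a. Added username \"" + t.getUsername() + "\" & cert for request from " + cc);
    getTransactionStore().save(t);
    info("6.b. Done with cert request " + cc);
    paResponse.write(httpServletResponse);
    info("6.b. Completed transaction " + t.getIdentifierString() + ", " + cc);
    postprocess(new TransactionState(httpServletRequest, httpServletResponse, paResponse.getParameters(), t));
}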
