use of org.apereo.cas.audit.AuditableContext in project cas by apereo.
From class InitialAuthenticationAttemptWebflowEventResolver, method determineRegisteredServiceForEvent.
/**
 * Looks up the registered service that matches the given target service and enforces its
 * access strategy against the authentication currently held in the webflow request context.
 *
 * @param context the webflow request context carrying the current authentication
 * @param service the target service of the request; may be {@code null}
 * @return the matching registered service, or {@code null} when no target service was supplied
 *         (a registry miss also yields {@code null}, whatever the enforcer decides about it)
 */
private RegisteredService determineRegisteredServiceForEvent(final RequestContext context, final Service service) {
    // Without a target service there is nothing to look up and no access policy to enforce.
    if (service == null) {
        return null;
    }
    LOGGER.debug("Locating service [{}] in service registry to determine authentication policy", service);
    final RegisteredService matched = this.servicesManager.findServiceBy(service);

    LOGGER.debug("Locating authentication event in the request context...");
    final Authentication currentAuthn = WebUtils.getAuthentication(context);
    // NOTE(review): currentAuthn is dereferenced here without a null check — confirm
    // WebUtils.getAuthentication cannot return null at this point of the flow.
    LOGGER.debug("Enforcing access strategy policies for registered service [{}] and principal [{}]", matched, currentAuthn.getPrincipal());

    // The enforcer reports a denial by throwing from throwExceptionIfNeeded(), not via the return value.
    final AuditableContext auditContext = AuditableContext.builder()
        .service(service)
        .authentication(currentAuthn)
        .registeredService(matched)
        .retrievePrincipalAttributesFromReleasePolicy(Boolean.FALSE)
        .build();
    this.registeredServiceAccessStrategyEnforcer.execute(auditContext).throwExceptionIfNeeded();
    return matched;
}
use of org.apereo.cas.audit.AuditableContext in project cas by apereo.
From class DefaultCentralAuthenticationService, method grantServiceTicket.
/**
 * Issues a service ticket for the given service from an existing ticket-granting ticket.
 * The registered service's access strategy, SSO policy and proxy policy are all checked
 * before any ticket is created; the TGT is updated and the new ticket registered afterwards.
 *
 * @param ticketGrantingTicketId the id of the ticket-granting ticket to issue from
 * @param service                the service requesting the ticket
 * @param authenticationResult   the authentication result of the request; may be {@code null}
 * @return the newly granted service ticket
 * @throws AuthenticationException if the authentication does not satisfy the configured policy
 * @throws AbstractTicketException if the ticket-granting ticket cannot be resolved or the service is denied
 */
@Audit(action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
@Timed(name = "GRANT_SERVICE_TICKET_TIMER")
@Metered(name = "GRANT_SERVICE_TICKET_METER")
@Counted(name = "GRANT_SERVICE_TICKET_COUNTER", monotonic = true)
@Override
public ServiceTicket grantServiceTicket(final String ticketGrantingTicketId, final Service service, final AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
    // A missing authentication result counts as "no fresh credentials were supplied".
    final boolean credentialsSupplied;
    if (authenticationResult == null) {
        credentialsSupplied = false;
    } else {
        credentialsSupplied = authenticationResult.isCredentialProvided();
    }

    final TicketGrantingTicket tgt = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
    final Service resolvedService = resolveServiceFromAuthenticationRequest(service);
    final RegisteredService matchedService = this.servicesManager.findServiceBy(resolvedService);

    // Access-strategy enforcement comes first; a denial is raised from throwExceptionIfNeeded().
    final AuditableContext accessCheck = AuditableContext.builder()
        .service(resolvedService)
        .ticketGrantingTicket(tgt)
        .registeredService(matchedService)
        .retrievePrincipalAttributesFromReleasePolicy(Boolean.FALSE)
        .build();
    this.registeredServiceAccessStrategyEnforcer.execute(accessCheck).throwExceptionIfNeeded();

    final Authentication effectiveAuthentication = evaluatePossibilityOfMixedPrincipals(authenticationResult, tgt);
    RegisteredServiceAccessStrategyUtils.ensureServiceSsoAccessIsAllowed(matchedService, resolvedService, tgt, credentialsSupplied);
    evaluateProxiedServiceIfNeeded(resolvedService, tgt, matchedService);
    // Security-policy check: find the authentication that satisfies the policy configured for the service.
    getAuthenticationSatisfiedByPolicy(effectiveAuthentication, new ServiceContext(resolvedService, matchedService));

    final Authentication rootAuthentication = tgt.getRoot().getAuthentication();
    AuthenticationCredentialsThreadLocalBinder.bindCurrent(rootAuthentication);
    final Principal principal = rootAuthentication.getPrincipal();

    // NOTE(review): policy checks above run against resolvedService, while the ticket below is
    // created for the caller's original service argument — confirm this is intended when the two differ.
    final ServiceTicketFactory stFactory = (ServiceTicketFactory) this.ticketFactory.get(ServiceTicket.class);
    final ServiceTicket st = stFactory.create(tgt, service, credentialsSupplied, ServiceTicket.class);
    this.ticketRegistry.updateTicket(tgt);
    this.ticketRegistry.addTicket(st);
    LOGGER.info("Granted ticket [{}] for service [{}] and principal [{}]", st.getId(), DigestUtils.abbreviate(service.getId()), principal.getId());
    doPublishEvent(new CasServiceTicketGrantedEvent(this, tgt, st));
    return st;
}
use of org.apereo.cas.audit.AuditableContext in project cas by apereo.
From class Pac4jServiceTicketValidationAuthorizer, method authorize.
/**
 * Verifies that the validated service is allowed and, when the registered service defines a
 * delegated-authentication policy, that the delegating client recorded in the assertion's
 * primary authentication is permitted by that policy.
 *
 * @param request   the validation request
 * @param service   the service being validated
 * @param assertion the assertion produced for the ticket
 */
@Override
public void authorize(final HttpServletRequest request, final Service service, final Assertion assertion) {
    final RegisteredService matched = this.servicesManager.findServiceBy(service);
    RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, matched);
    LOGGER.debug("Evaluating service [{}] for delegated authentication policy", service);

    // Nothing further to enforce unless the service restricts delegated authentication.
    final RegisteredServiceDelegatedAuthenticationPolicy delegationPolicy = matched.getAccessStrategy().getDelegatedAuthenticationPolicy();
    if (delegationPolicy == null) {
        return;
    }
    final Map<String, Object> authnAttributes = assertion.getPrimaryAuthentication().getAttributes();
    // The delegating client's name is only present when authentication went through a pac4j client.
    if (!authnAttributes.containsKey(ClientCredential.AUTHENTICATION_ATTRIBUTE_CLIENT_NAME)) {
        return;
    }
    final Optional<Object> clientNameValue = CollectionUtils.firstElement(authnAttributes.get(ClientCredential.AUTHENTICATION_ATTRIBUTE_CLIENT_NAME));
    if (!clientNameValue.isPresent()) {
        return;
    }
    final String clientName = clientNameValue.get().toString();
    LOGGER.debug("Evaluating delegated authentication policy [{}] for client [{}] and service [{}]", delegationPolicy, clientName, matched);
    final AuditableContext policyContext = AuditableContext.builder()
        .registeredService(matched)
        .properties(CollectionUtils.wrap(Client.class.getSimpleName(), clientName))
        .build();
    // The enforcer signals a policy violation by throwing from throwExceptionIfNeeded().
    delegatedAuthenticationPolicyEnforcer.execute(policyContext).throwExceptionIfNeeded();
}
use of org.apereo.cas.audit.AuditableContext in project cas by apereo.
From class OAuth20AuthorizeEndpointController, method redirectToCallbackRedirectUrl.
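/**
 * Completes an authorization request for an authenticated caller: builds the CAS service and
 * authentication for the registered OAuth service, enforces the service's access strategy and
 * then redirects to the authorization view produced for the request.
 *
 * @param manager           the profile manager holding the authenticated user profile
 * @param registeredService the registered OAuth service the request targets
 * @param context           the current web context
 * @param clientId          the OAuth client id from the request
 * @return a redirect to the authorization view; an unauthorized error view when no profile is
 *         present or the access strategy denies the request; {@code null} when no explicit
 *         view was produced
 */
protected ModelAndView redirectToCallbackRedirectUrl(final ProfileManager manager, final OAuthRegisteredService registeredService, final J2EContext context, final String clientId) {
    final Optional<UserProfile> profile = manager.get(true);
    // A missing profile means the request never completed authentication; refuse rather than proceed.
    if (profile == null || !profile.isPresent()) {
        LOGGER.error("Unexpected null profile from profile manager. Request is not fully authenticated.");
        return OAuth20Utils.produceUnauthorizedErrorView();
    }
    final Service service = this.authenticationBuilder.buildService(registeredService, context, false);
    LOGGER.debug("Created service [{}] based on registered service [{}]", service, registeredService);
    final Authentication authentication = this.authenticationBuilder.build(profile.get(), registeredService, context, service);
    // Arguments ordered to match the placeholders: authentication first, then service.
    LOGGER.debug("Created OAuth authentication [{}] for service [{}]", authentication, service);
    try {
        final AuditableContext audit = AuditableContext.builder()
            .service(service)
            .authentication(authentication)
            .registeredService(registeredService)
            .retrievePrincipalAttributesFromReleasePolicy(Boolean.TRUE)
            .build();
        final AuditableExecutionResult accessResult = this.registeredServiceAccessStrategyEnforcer.execute(audit);
        accessResult.throwExceptionIfNeeded();
    } catch (final UnauthorizedServiceException | PrincipalException e) {
        // Access denied by the service's access strategy, or principal resolution failed:
        // answer with an unauthorized view instead of propagating the exception.
        LOGGER.error(e.getMessage(), e);
        return OAuth20Utils.produceUnauthorizedErrorView();
    }
    final View view = buildAuthorizationForRequest(registeredService, context, clientId, service, authentication);
    if (view != null) {
        return OAuth20Utils.redirectTo(view);
    }
    LOGGER.debug("No explicit view was defined as part of the authorization response");
    return null;
}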
use of org.apereo.cas.audit.AuditableContext in project cas by apereo.
From class AccessTokenPasswordGrantRequestExtractor, method extract.
/**
 * Extracts the data needed to issue an access token for a resource-owner password grant:
 * resolves the OAuth registered service from the request's client id, requires an
 * authenticated user profile, enforces the service's access strategy and creates a
 * ticket-granting ticket for the resulting authentication.
 *
 * @param request  the access-token request
 * @param response the response
 * @return the holder carrying service, authentication, registered service, TGT, grant type and scopes
 * @throws UnauthorizedServiceException if no user profile can be determined for the request
 */
@Override
public AccessTokenRequestDataHolder extract(final HttpServletRequest request, final HttpServletResponse response) {
    // client_id comes straight from the request and is only used as a registry lookup key.
    final String requestedClientId = request.getParameter(OAuth20Constants.CLIENT_ID);
    final Set<String> requestedScopes = OAuth20Utils.parseRequestScopes(request);

    LOGGER.debug("Locating OAuth registered service by client id [{}]", requestedClientId);
    final OAuthRegisteredService oauthService = OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, requestedClientId);
    // NOTE(review): oauthService is passed on without a null check — confirm the lookup
    // cannot return null for an unknown client id, or that the builder/enforcer reject null.
    LOGGER.debug("Located OAuth registered service [{}]", oauthService);

    final J2EContext webContext = Pac4jUtils.getPac4jJ2EContext(request, response);
    final ProfileManager profileManager = Pac4jUtils.getPac4jProfileManager(request, response);
    final Optional<UserProfile> maybeProfile = profileManager.get(true);
    if (!maybeProfile.isPresent()) {
        throw new UnauthorizedServiceException("OAuth user profile cannot be determined");
    }
    final UserProfile userProfile = maybeProfile.get();

    LOGGER.debug("Creating matching service request based on [{}]", oauthService);
    // When configured, the target service URL is derived from request headers rather than the registered service.
    final boolean serviceFromHeader = oAuthProperties.getGrants().getResourceOwner().isRequireServiceHeader();
    if (serviceFromHeader) {
        LOGGER.debug("Using request headers to identify and build the target service url");
    }
    final Service targetService = this.authenticationBuilder.buildService(oauthService, webContext, serviceFromHeader);
    LOGGER.debug("Authenticating the OAuth request indicated by [{}]", targetService);
    final Authentication authn = this.authenticationBuilder.build(userProfile, oauthService, webContext, targetService);

    // Access-strategy enforcement; a denial is raised from throwExceptionIfNeeded().
    final AuditableContext accessCheck = AuditableContext.builder()
        .service(targetService)
        .authentication(authn)
        .registeredService(oauthService)
        .retrievePrincipalAttributesFromReleasePolicy(Boolean.TRUE)
        .build();
    this.registeredServiceAccessStrategyEnforcer.execute(accessCheck).throwExceptionIfNeeded();

    // The authentication result only carries the service when it was taken from the request headers.
    final Service serviceForResult;
    if (serviceFromHeader) {
        serviceForResult = targetService;
    } else {
        serviceForResult = null;
    }
    final AuthenticationResult authnResult = new DefaultAuthenticationResult(authn, serviceForResult);
    final TicketGrantingTicket tgt = this.centralAuthenticationService.createTicketGrantingTicket(authnResult);
    return new AccessTokenRequestDataHolder(targetService, authn, oauthService, tgt, getGrantType(), requestedScopes);
}