Example 1 with AuditableContext

Use of org.apereo.cas.audit.AuditableContext in the project cas by apereo.

Class InitialAuthenticationAttemptWebflowEventResolver, method determineRegisteredServiceForEvent.

private RegisteredService determineRegisteredServiceForEvent(final RequestContext context, final Service service) {
    RegisteredService registeredService = null;
    if (service != null) {
        LOGGER.debug("Locating service [{}] in service registry to determine authentication policy", service);
        registeredService = this.servicesManager.findServiceBy(service);
        LOGGER.debug("Locating authentication event in the request context...");
        final Authentication authn = WebUtils.getAuthentication(context);
        LOGGER.debug("Enforcing access strategy policies for registered service [{}] and principal [{}]", registeredService, authn.getPrincipal());
        // Build the audit context for this access decision and enforce the registered
        // service's access strategy; a denied result is raised here as an exception.
        final AuditableContext audit = AuditableContext.builder().service(service).authentication(authn).registeredService(registeredService).retrievePrincipalAttributesFromReleasePolicy(Boolean.FALSE).build();
        final AuditableExecutionResult result = this.registeredServiceAccessStrategyEnforcer.execute(audit);
        result.throwExceptionIfNeeded();
    }
    return registeredService;
}

Example 2 with AuditableContext

Use of org.apereo.cas.audit.AuditableContext in the project cas by apereo.

Class DefaultCentralAuthenticationService, method grantServiceTicket.

@Audit(action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
@Timed(name = "GRANT_SERVICE_TICKET_TIMER")
@Metered(name = "GRANT_SERVICE_TICKET_METER")
@Counted(name = "GRANT_SERVICE_TICKET_COUNTER", monotonic = true)
@Override
public ServiceTicket grantServiceTicket(final String ticketGrantingTicketId, final Service service, final AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
    final boolean credentialProvided = authenticationResult != null && authenticationResult.isCredentialProvided();
    final TicketGrantingTicket ticketGrantingTicket = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
    final Service selectedService = resolveServiceFromAuthenticationRequest(service);
    final RegisteredService registeredService = this.servicesManager.findServiceBy(selectedService);
    // Enforce the registered service's access strategy before any service ticket is issued;
    // principal attributes are not resolved through the release policy for this check.
    final AuditableContext audit = AuditableContext.builder().service(selectedService).ticketGrantingTicket(ticketGrantingTicket).registeredService(registeredService).retrievePrincipalAttributesFromReleasePolicy(Boolean.FALSE).build();
    final AuditableExecutionResult accessResult = this.registeredServiceAccessStrategyEnforcer.execute(audit);
    accessResult.throwExceptionIfNeeded();
    final Authentication currentAuthentication = evaluatePossibilityOfMixedPrincipals(authenticationResult, ticketGrantingTicket);
    RegisteredServiceAccessStrategyUtils.ensureServiceSsoAccessIsAllowed(registeredService, selectedService, ticketGrantingTicket, credentialProvided);
    evaluateProxiedServiceIfNeeded(selectedService, ticketGrantingTicket, registeredService);
    // Perform security policy check by getting the authentication that satisfies the configured policy
    getAuthenticationSatisfiedByPolicy(currentAuthentication, new ServiceContext(selectedService, registeredService));
    final Authentication latestAuthentication = ticketGrantingTicket.getRoot().getAuthentication();
    AuthenticationCredentialsThreadLocalBinder.bindCurrent(latestAuthentication);
    final Principal principal = latestAuthentication.getPrincipal();
    final ServiceTicketFactory factory = (ServiceTicketFactory) this.ticketFactory.get(ServiceTicket.class);
    final ServiceTicket serviceTicket = factory.create(ticketGrantingTicket, service, credentialProvided, ServiceTicket.class);
    this.ticketRegistry.updateTicket(ticketGrantingTicket);
    this.ticketRegistry.addTicket(serviceTicket);
    LOGGER.info("Granted ticket [{}] for service [{}] and principal [{}]", serviceTicket.getId(), DigestUtils.abbreviate(service.getId()), principal.getId());
    doPublishEvent(new CasServiceTicketGrantedEvent(this, ticketGrantingTicket, serviceTicket));
    return serviceTicket;
}

Example 3 with AuditableContext

Use of org.apereo.cas.audit.AuditableContext in the project cas by apereo.

Class Pac4jServiceTicketValidationAuthorizer, method authorize.

@Override
public void authorize(final HttpServletRequest request, final Service service, final Assertion assertion) {
    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
    RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService);
    LOGGER.debug("Evaluating service [{}] for delegated authentication policy", service);
    final RegisteredServiceDelegatedAuthenticationPolicy policy = registeredService.getAccessStrategy().getDelegatedAuthenticationPolicy();
    if (policy != null) {
        final Map<String, Object> attributes = assertion.getPrimaryAuthentication().getAttributes();
        if (attributes.containsKey(ClientCredential.AUTHENTICATION_ATTRIBUTE_CLIENT_NAME)) {
            final Object clientNameAttr = attributes.get(ClientCredential.AUTHENTICATION_ATTRIBUTE_CLIENT_NAME);
            final Optional<Object> value = CollectionUtils.firstElement(clientNameAttr);
            if (value.isPresent()) {
                final String client = value.get().toString();
                LOGGER.debug("Evaluating delegated authentication policy [{}] for client [{}] and service [{}]", policy, client, registeredService);
                // Enforce the service's delegated authentication policy against the client
                // name recorded in the authentication attributes; a denial becomes an exception.
                final AuditableContext context = AuditableContext.builder().registeredService(registeredService).properties(CollectionUtils.wrap(Client.class.getSimpleName(), client)).build();
                final AuditableExecutionResult result = delegatedAuthenticationPolicyEnforcer.execute(context);
                result.throwExceptionIfNeeded();
            }
        }
    }
}

Example 4 with AuditableContext

Use of org.apereo.cas.audit.AuditableContext in the project cas by apereo.

Class OAuth20AuthorizeEndpointController, method redirectToCallbackRedirectUrl.

/**
 * Redirect to callback redirect url model and view.
 *
 * @param manager           the manager
 * @param registeredService the registered service
 * @param context           the context
 * @param clientId          the client id
 * @return the model and view
 */
protected ModelAndView redirectToCallbackRedirectUrl(final ProfileManager manager, final OAuthRegisteredService registeredService, final J2EContext context, final String clientId) {
    final Optional<UserProfile> profile = manager.get(true);
    if (profile == null || !profile.isPresent()) {
        LOGGER.error("Unexpected null profile from profile manager. Request is not fully authenticated.");
        return OAuth20Utils.produceUnauthorizedErrorView();
    }
    final Service service = this.authenticationBuilder.buildService(registeredService, context, false);
    LOGGER.debug("Created service [{}] based on registered service [{}]", service, registeredService);
    final Authentication authentication = this.authenticationBuilder.build(profile.get(), registeredService, context, service);
    // Log arguments ordered to match the message placeholders (authentication, then service).
    LOGGER.debug("Created OAuth authentication [{}] for service [{}]", authentication, service);
    try {
        // Enforce the registered service's access strategy for this authorization request;
        // principal attributes are resolved through the release policy for this check.
        final AuditableContext audit = AuditableContext.builder().service(service).authentication(authentication).registeredService(registeredService).retrievePrincipalAttributesFromReleasePolicy(Boolean.TRUE).build();
        final AuditableExecutionResult accessResult = this.registeredServiceAccessStrategyEnforcer.execute(audit);
        accessResult.throwExceptionIfNeeded();
    } catch (final UnauthorizedServiceException | PrincipalException e) {
        LOGGER.error(e.getMessage(), e);
        return OAuth20Utils.produceUnauthorizedErrorView();
    }
    final View view = buildAuthorizationForRequest(registeredService, context, clientId, service, authentication);
    if (view != null) {
        return OAuth20Utils.redirectTo(view);
    }
    LOGGER.debug("No explicit view was defined as part of the authorization response");
    return null;
}

Example 5 with AuditableContext

Use of org.apereo.cas.audit.AuditableContext in the project cas by apereo.

Class AccessTokenPasswordGrantRequestExtractor, method extract.

@Override
public AccessTokenRequestDataHolder extract(final HttpServletRequest request, final HttpServletResponse response) {
    final String clientId = request.getParameter(OAuth20Constants.CLIENT_ID);
    final Set<String> scopes = OAuth20Utils.parseRequestScopes(request);
    LOGGER.debug("Locating OAuth registered service by client id [{}]", clientId);
    final OAuthRegisteredService registeredService = OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, clientId);
    LOGGER.debug("Located OAuth registered service [{}]", registeredService);
    final J2EContext context = Pac4jUtils.getPac4jJ2EContext(request, response);
    final ProfileManager manager = Pac4jUtils.getPac4jProfileManager(request, response);
    final Optional<UserProfile> profile = manager.get(true);
    if (!profile.isPresent()) {
        throw new UnauthorizedServiceException("OAuth user profile cannot be determined");
    }
    final UserProfile uProfile = profile.get();
    LOGGER.debug("Creating matching service request based on [{}]", registeredService);
    final boolean requireServiceHeader = oAuthProperties.getGrants().getResourceOwner().isRequireServiceHeader();
    if (requireServiceHeader) {
        LOGGER.debug("Using request headers to identify and build the target service url");
    }
    final Service service = this.authenticationBuilder.buildService(registeredService, context, requireServiceHeader);
    LOGGER.debug("Authenticating the OAuth request indicated by [{}]", service);
    final Authentication authentication = this.authenticationBuilder.build(uProfile, registeredService, context, service);
    // Enforce the registered service's access strategy before a ticket-granting ticket is
    // created for the password grant; a denied result is raised here as an exception.
    final AuditableContext audit = AuditableContext.builder().service(service).authentication(authentication).registeredService(registeredService).retrievePrincipalAttributesFromReleasePolicy(Boolean.TRUE).build();
    final AuditableExecutionResult accessResult = this.registeredServiceAccessStrategyEnforcer.execute(audit);
    accessResult.throwExceptionIfNeeded();
    final AuthenticationResult result = new DefaultAuthenticationResult(authentication, requireServiceHeader ? service : null);
    final TicketGrantingTicket ticketGrantingTicket = this.centralAuthenticationService.createTicketGrantingTicket(result);
    return new AccessTokenRequestDataHolder(service, authentication, registeredService, ticketGrantingTicket, getGrantType(), scopes);
}
