use of org.apereo.cas.audit.AuditableContext in project cas by apereo.
the class DefaultCentralAuthenticationService method createProxyGrantingTicket.
@Audit(action = "PROXY_GRANTING_TICKET", actionResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name = "CREATE_PROXY_GRANTING_TICKET_TIMER")
@Metered(name = "CREATE_PROXY_GRANTING_TICKET_METER")
@Counted(name = "CREATE_PROXY_GRANTING_TICKET_COUNTER", monotonic = true)
@Override
public ProxyGrantingTicket createProxyGrantingTicket(final String serviceTicketId, final AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
AuthenticationCredentialsThreadLocalBinder.bindCurrent(authenticationResult.getAuthentication());
final ServiceTicket serviceTicket = this.ticketRegistry.getTicket(serviceTicketId, ServiceTicket.class);
if (serviceTicket == null || serviceTicket.isExpired()) {
LOGGER.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", serviceTicketId);
throw new InvalidTicketException(serviceTicketId);
}
final RegisteredService registeredService = this.servicesManager.findServiceBy(serviceTicket.getService());
final AuditableContext ctx = AuditableContext.builder().serviceTicket(serviceTicket).authenticationResult(authenticationResult).registeredService(registeredService).build();
final AuditableExecutionResult result = this.registeredServiceAccessStrategyEnforcer.execute(ctx);
result.throwExceptionIfNeeded();
if (!registeredService.getProxyPolicy().isAllowedToProxy()) {
LOGGER.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", serviceTicket.getService().getId());
throw new UnauthorizedProxyingException();
}
final Authentication authentication = authenticationResult.getAuthentication();
final ProxyGrantingTicketFactory factory = (ProxyGrantingTicketFactory) this.ticketFactory.get(ProxyGrantingTicket.class);
final ProxyGrantingTicket proxyGrantingTicket = factory.create(serviceTicket, authentication, ProxyGrantingTicket.class);
LOGGER.debug("Generated proxy granting ticket [{}] based off of [{}]", proxyGrantingTicket, serviceTicketId);
this.ticketRegistry.addTicket(proxyGrantingTicket);
doPublishEvent(new CasProxyGrantingTicketCreatedEvent(this, proxyGrantingTicket));
return proxyGrantingTicket;
}
use of org.apereo.cas.audit.AuditableContext in project cas by apereo.
the class DelegatedClientAuthenticationAction method isDelegatedClientAuthorizedForService.
private boolean isDelegatedClientAuthorizedForService(final Client client, final Service service) {
if (service == null || StringUtils.isBlank(service.getId())) {
LOGGER.debug("Can not evaluate delegated authentication policy since no service was provided in the request while processing client [{}]", client);
return true;
}
final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed()) {
LOGGER.warn("Service access for [{}] is denied", registeredService);
return false;
}
LOGGER.debug("Located registered service definition [{}] matching [{}]", registeredService, service);
final AuditableContext context = AuditableContext.builder().registeredService(registeredService).properties(CollectionUtils.wrap(Client.class.getSimpleName(), client.getName())).build();
final AuditableExecutionResult result = delegatedAuthenticationPolicyEnforcer.execute(context);
if (!result.isExecutionFailure()) {
LOGGER.debug("Delegated authentication policy for [{}] allows for using client [{}]", registeredService, client);
return true;
}
LOGGER.warn("Delegated authentication policy for [{}] refuses access to client [{}]", registeredService.getServiceId(), client);
return false;
}
use of org.apereo.cas.audit.AuditableContext in project cas by apereo.
the class SurrogateAuthenticationPostProcessor method process.
@Override
public void process(final AuthenticationBuilder builder, final AuthenticationTransaction transaction) throws AuthenticationException {
final Authentication authentication = builder.build();
final Principal principal = authentication.getPrincipal();
final SurrogateUsernamePasswordCredential surrogateCredentials = (SurrogateUsernamePasswordCredential) transaction.getPrimaryCredential().get();
final String targetUserId = surrogateCredentials.getSurrogateUsername();
try {
if (StringUtils.isBlank(targetUserId)) {
LOGGER.error("No surrogate username was specified as part of the credential");
throw new CredentialNotFoundException("Missing surrogate username in credential");
}
LOGGER.debug("Authenticated [{}] will be checked for surrogate eligibility next...", principal);
if (transaction.getService() != null) {
final RegisteredService svc = this.servicesManager.findServiceBy(transaction.getService());
final AuditableContext serviceAccessAudit = AuditableContext.builder().service(transaction.getService()).authentication(authentication).registeredService(svc).retrievePrincipalAttributesFromReleasePolicy(Boolean.TRUE).build();
final AuditableExecutionResult accessResult = this.registeredServiceAccessStrategyEnforcer.execute(serviceAccessAudit);
accessResult.throwExceptionIfNeeded();
}
if (this.surrogateAuthenticationService.canAuthenticateAs(targetUserId, principal, transaction.getService())) {
LOGGER.debug("Principal [{}] is authorized to authenticate as [{}]", principal, targetUserId);
builder.setPrincipal(this.principalFactory.createPrincipal(targetUserId));
publishSuccessEvent(principal, targetUserId);
final AuditableContext surrogateEligibleAudit = AuditableContext.builder().service(transaction.getService()).authentication(authentication).properties(CollectionUtils.wrap("targetUserId", targetUserId, "eligible", true)).build();
// We don't care about capturing audit execution result here
this.surrogateEligibilityAuditableExecution.execute(surrogateEligibleAudit);
return;
}
LOGGER.error("Principal [{}] is unable/unauthorized to authenticate as [{}]", principal, targetUserId);
throw new FailedLoginException();
} catch (final Exception e) {
publishFailureEvent(principal, targetUserId);
final Map<String, Throwable> map = CollectionUtils.wrap(getClass().getSimpleName(), new SurrogateAuthenticationException("Principal " + principal + " is unauthorized to authenticate as " + targetUserId));
final AuditableContext surrogateIneligibleAudit = AuditableContext.builder().service(transaction.getService()).authentication(authentication).build();
// We don't care about capturing audit execution result here
this.surrogateEligibilityAuditableExecution.execute(surrogateIneligibleAudit);
throw new AuthenticationException(map);
}
}
Aggregations