
Example 11 with AuditableContext

Use of org.apereo.cas.audit.AuditableContext in the project cas by apereo.

From the class DefaultCentralAuthenticationService, method createProxyGrantingTicket.

/**
 * Issues a proxy-granting ticket for the service that presented the given service ticket.
 * <p>
 * Three gates are passed, in order, before any ticket is minted: the service ticket must still be
 * present and unexpired in the ticket registry, the registered service access strategy enforcer must
 * not object, and the registered service's proxy policy must allow proxying. Each refusal is reported
 * as an exception rather than a {@code null} result. On success the new ticket is stored in the ticket
 * registry and a {@link CasProxyGrantingTicketCreatedEvent} is published.
 *
 * @param serviceTicketId      identifier of the service ticket the proxy chain is rooted at
 * @param authenticationResult authentication result whose authentication is bound to the current
 *                             thread and attached to the proxy-granting ticket
 * @return the newly created and registered proxy-granting ticket
 * @throws InvalidTicketException        if the service ticket is missing from the registry or expired
 * @throws UnauthorizedProxyingException if the registered service's proxy policy forbids proxying
 * @throws AuthenticationException       declared by the interface; may also be raised by access
 *                                       strategy enforcement
 * @throws AbstractTicketException       declared by the interface; may also be raised by access
 *                                       strategy enforcement
 */
@Audit(action = "PROXY_GRANTING_TICKET", actionResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name = "CREATE_PROXY_GRANTING_TICKET_TIMER")
@Metered(name = "CREATE_PROXY_GRANTING_TICKET_METER")
@Counted(name = "CREATE_PROXY_GRANTING_TICKET_COUNTER", monotonic = true)
@Override
public ProxyGrantingTicket createProxyGrantingTicket(final String serviceTicketId, final AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
    AuthenticationCredentialsThreadLocalBinder.bindCurrent(authenticationResult.getAuthentication());

    // Gate 1: the originating service ticket must exist and still be valid.
    final ServiceTicket ticket = this.ticketRegistry.getTicket(serviceTicketId, ServiceTicket.class);
    final boolean ticketUsable = ticket != null && !ticket.isExpired();
    if (!ticketUsable) {
        LOGGER.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    // Gate 2: the registered service's access strategy is enforced through the auditable enforcer.
    final RegisteredService definition = this.servicesManager.findServiceBy(ticket.getService());
    final AuditableContext auditContext = AuditableContext.builder()
        .serviceTicket(ticket)
        .authenticationResult(authenticationResult)
        .registeredService(definition)
        .build();
    final AuditableExecutionResult enforcement = this.registeredServiceAccessStrategyEnforcer.execute(auditContext);
    enforcement.throwExceptionIfNeeded();

    // Gate 3: the service must be permitted to proxy at all.
    final boolean proxyingAllowed = definition.getProxyPolicy().isAllowedToProxy();
    if (!proxyingAllowed) {
        LOGGER.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", ticket.getService().getId());
        throw new UnauthorizedProxyingException();
    }

    final Authentication authentication = authenticationResult.getAuthentication();
    final ProxyGrantingTicketFactory pgtFactory = (ProxyGrantingTicketFactory) this.ticketFactory.get(ProxyGrantingTicket.class);
    final ProxyGrantingTicket pgt = pgtFactory.create(ticket, authentication, ProxyGrantingTicket.class);
    LOGGER.debug("Generated proxy granting ticket [{}] based off of [{}]", pgt, serviceTicketId);

    this.ticketRegistry.addTicket(pgt);
    doPublishEvent(new CasProxyGrantingTicketCreatedEvent(this, pgt));
    return pgt;
}
Also used : AuditableContext(org.apereo.cas.audit.AuditableContext) RegisteredService(org.apereo.cas.services.RegisteredService) Authentication(org.apereo.cas.authentication.Authentication) InvalidTicketException(org.apereo.cas.ticket.InvalidTicketException) ServiceTicket(org.apereo.cas.ticket.ServiceTicket) ProxyGrantingTicket(org.apereo.cas.ticket.proxy.ProxyGrantingTicket) CasProxyGrantingTicketCreatedEvent(org.apereo.cas.support.events.ticket.CasProxyGrantingTicketCreatedEvent) AuditableExecutionResult(org.apereo.cas.audit.AuditableExecutionResult) UnauthorizedProxyingException(org.apereo.cas.services.UnauthorizedProxyingException) ProxyGrantingTicketFactory(org.apereo.cas.ticket.proxy.ProxyGrantingTicketFactory) Audit(org.apereo.inspektr.audit.annotation.Audit) Counted(com.codahale.metrics.annotation.Counted) Metered(com.codahale.metrics.annotation.Metered) Timed(com.codahale.metrics.annotation.Timed)

Example 12 with AuditableContext

Use of org.apereo.cas.audit.AuditableContext in the project cas by apereo.

From the class DelegatedClientAuthenticationAction, method isDelegatedClientAuthorizedForService.

/**
 * Decides whether the given delegated client may be used to authenticate to the given service.
 * <p>
 * When no service (or a service with a blank id) accompanies the request there is no policy to
 * evaluate, so the client is allowed through. A service with no registered definition, or whose
 * access strategy denies service access, is refused. Otherwise the delegated authentication policy
 * enforcer is consulted with the client name attached to the audit context, and its verdict decides.
 *
 * @param client  the delegated client being evaluated
 * @param service the requested service, possibly {@code null}
 * @return {@code true} if the client is authorized for the service
 */
private boolean isDelegatedClientAuthorizedForService(final Client client, final Service service) {
    final boolean serviceProvided = service != null && !StringUtils.isBlank(service.getId());
    if (!serviceProvided) {
        LOGGER.debug("Can not evaluate delegated authentication policy since no service was provided in the request while processing client [{}]", client);
        return true;
    }

    final RegisteredService definition = this.servicesManager.findServiceBy(service);
    final boolean accessAllowed = definition != null && definition.getAccessStrategy().isServiceAccessAllowed();
    if (!accessAllowed) {
        LOGGER.warn("Service access for [{}] is denied", definition);
        return false;
    }
    LOGGER.debug("Located registered service definition [{}] matching [{}]", definition, service);

    final AuditableContext auditContext = AuditableContext.builder()
        .registeredService(definition)
        .properties(CollectionUtils.wrap(Client.class.getSimpleName(), client.getName()))
        .build();
    final AuditableExecutionResult outcome = delegatedAuthenticationPolicyEnforcer.execute(auditContext);

    final boolean permitted = !outcome.isExecutionFailure();
    if (permitted) {
        LOGGER.debug("Delegated authentication policy for [{}] allows for using client [{}]", definition, client);
    } else {
        LOGGER.warn("Delegated authentication policy for [{}] refuses access to client [{}]", definition.getServiceId(), client);
    }
    return permitted;
}
Also used : AuditableContext(org.apereo.cas.audit.AuditableContext) RegisteredService(org.apereo.cas.services.RegisteredService) IndirectClient(org.pac4j.core.client.IndirectClient) BaseClient(org.pac4j.core.client.BaseClient) Client(org.pac4j.core.client.Client) AuditableExecutionResult(org.apereo.cas.audit.AuditableExecutionResult)

Example 13 with AuditableContext

Use of org.apereo.cas.audit.AuditableContext in the project cas by apereo.

From the class SurrogateAuthenticationPostProcessor, method process.

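/**
 * Replaces the authenticated principal with the requested surrogate principal.
 * <p>
 * The surrogate username is read from the transaction's primary credential. When the transaction
 * carries a service, the registered service access strategy is enforced first (with
 * {@code retrievePrincipalAttributesFromReleasePolicy} enabled); the surrogate authentication service
 * then decides whether the authenticated principal may act as the surrogate. A successful switch
 * publishes a success event and an "eligible" audit record. Every failure publishes a failure event,
 * records an ineligibility audit, and is surfaced as an {@link AuthenticationException} keyed by this
 * class's simple name.
 *
 * @param builder     the authentication being assembled; its principal is replaced on success
 * @param transaction the transaction carrying the surrogate credential and the requested service
 * @throws AuthenticationException if the surrogate credential or username is missing, service access
 *                                 is denied, the principal may not act as the surrogate, or any other
 *                                 error occurs while processing
 */
@Override
public void process(final AuthenticationBuilder builder, final AuthenticationTransaction transaction) throws AuthenticationException {
    final Authentication authentication = builder.build();
    final Principal principal = authentication.getPrincipal();
    // Assigned inside the try block: a missing or non-surrogate primary credential must take the same
    // failure path (failure event + ineligibility audit + AuthenticationException) as every other
    // rejection, instead of escaping as an unchecked exception before the handler is reached.
    String targetUserId = null;
    try {
        final Object primaryCredential = transaction.getPrimaryCredential().orElse(null);
        if (!(primaryCredential instanceof SurrogateUsernamePasswordCredential)) {
            LOGGER.error("No surrogate credential was found in the authentication transaction");
            throw new CredentialNotFoundException("Missing surrogate credential in transaction");
        }
        targetUserId = ((SurrogateUsernamePasswordCredential) primaryCredential).getSurrogateUsername();
        if (StringUtils.isBlank(targetUserId)) {
            LOGGER.error("No surrogate username was specified as part of the credential");
            throw new CredentialNotFoundException("Missing surrogate username in credential");
        }
        LOGGER.debug("Authenticated [{}] will be checked for surrogate eligibility next...", principal);
        // Service access is enforced before the surrogate check so a denied service never reaches it.
        if (transaction.getService() != null) {
            final RegisteredService svc = this.servicesManager.findServiceBy(transaction.getService());
            final AuditableContext serviceAccessAudit = AuditableContext.builder()
                .service(transaction.getService())
                .authentication(authentication)
                .registeredService(svc)
                .retrievePrincipalAttributesFromReleasePolicy(Boolean.TRUE)
                .build();
            final AuditableExecutionResult accessResult = this.registeredServiceAccessStrategyEnforcer.execute(serviceAccessAudit);
            accessResult.throwExceptionIfNeeded();
        }
        if (this.surrogateAuthenticationService.canAuthenticateAs(targetUserId, principal, transaction.getService())) {
            LOGGER.debug("Principal [{}] is authorized to authenticate as [{}]", principal, targetUserId);
            builder.setPrincipal(this.principalFactory.createPrincipal(targetUserId));
            publishSuccessEvent(principal, targetUserId);
            final AuditableContext surrogateEligibleAudit = AuditableContext.builder()
                .service(transaction.getService())
                .authentication(authentication)
                .properties(CollectionUtils.wrap("targetUserId", targetUserId, "eligible", true))
                .build();
            // We don't care about capturing audit execution result here
            this.surrogateEligibilityAuditableExecution.execute(surrogateEligibleAudit);
            return;
        }
        LOGGER.error("Principal [{}] is unable/unauthorized to authenticate as [{}]", principal, targetUserId);
        throw new FailedLoginException();
    } catch (final Exception e) {
        // The original cause is not attached to the wrapped exception below, so keep it in the log.
        LOGGER.debug("Surrogate authentication of [{}] as [{}] failed", principal, targetUserId, e);
        // NOTE(review): targetUserId is null here when the credential itself was missing;
        // publishFailureEvent is assumed to tolerate that — confirm against its implementation.
        publishFailureEvent(principal, targetUserId);
        final Map<String, Throwable> map = CollectionUtils.wrap(getClass().getSimpleName(), new SurrogateAuthenticationException("Principal " + principal + " is unauthorized to authenticate as " + targetUserId));
        final AuditableContext surrogateIneligibleAudit = AuditableContext.builder()
            .service(transaction.getService())
            .authentication(authentication)
            .build();
        // We don't care about capturing audit execution result here
        this.surrogateEligibilityAuditableExecution.execute(surrogateIneligibleAudit);
        throw new AuthenticationException(map);
    }
}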
Also used : AuditableContext(org.apereo.cas.audit.AuditableContext) RegisteredService(org.apereo.cas.services.RegisteredService) CredentialNotFoundException(javax.security.auth.login.CredentialNotFoundException) CredentialNotFoundException(javax.security.auth.login.CredentialNotFoundException) FailedLoginException(javax.security.auth.login.FailedLoginException) FailedLoginException(javax.security.auth.login.FailedLoginException) AuditableExecutionResult(org.apereo.cas.audit.AuditableExecutionResult) Map(java.util.Map) Principal(org.apereo.cas.authentication.principal.Principal)
