Use of org.apereo.cas.authentication.Authentication in project cas by apereo.
The class GrouperMultifactorAuthenticationPolicyEventResolver, method resolveInternal.
/**
 * Resolves the multifactor authentication event for the current request from the Grouper
 * groups of the authenticated principal.
 * <p>
 * The configured group field is read from each group the subject belongs to, and the
 * collected values are matched against the available multifactor providers. The matched
 * provider must be available for the service before an event is built for it.
 *
 * @param context the request context
 * @return a single-element set holding the resolved event, or {@code null} when no event
 *         applies (no group field configured, no authentication or service in the context,
 *         no Grouper groups, no matching provider, or the provider is not available)
 * @throws AuthenticationException if no multifactor providers are registered in the
 *         application context
 */
@Override
public Set<Event> resolveInternal(final RequestContext context) {
    final RegisteredService registeredService = resolveRegisteredServiceInRequestContext(context);
    final Authentication authn = WebUtils.getAuthentication(context);

    if (StringUtils.isBlank(grouperField)) {
        LOGGER.debug("No group field is defined to process for Grouper multifactor trigger");
        return null;
    }
    if (authn == null || registeredService == null) {
        LOGGER.debug("No authentication or service is available to determine event for principal");
        return null;
    }

    final Principal principal = authn.getPrincipal();
    final Collection<WsGetGroupsResult> groupResults = GrouperFacade.getGroupsForSubjectId(principal.getId());
    if (groupResults.isEmpty()) {
        LOGGER.debug("No groups could be found for [{}] to resolve events for MFA", principal);
        return null;
    }

    final Map<String, MultifactorAuthenticationProvider> providers =
        MultifactorAuthenticationUtils.getAvailableMultifactorAuthenticationProviders(this.applicationContext);
    if (providers == null || providers.isEmpty()) {
        LOGGER.error("No multifactor authentication providers are available in the application context");
        throw new AuthenticationException();
    }

    // Gather the configured attribute of every group the subject belongs to; the provider
    // lookup below matches against this set of values.
    final GrouperGroupField field = GrouperGroupField.valueOf(grouperField);
    final Set<String> groupAttributeValues = groupResults.stream()
        .flatMap(result -> Stream.of(result.getWsGroups()))
        .map(group -> GrouperFacade.getGrouperGroupAttribute(field, group))
        .collect(Collectors.toSet());

    final Optional<MultifactorAuthenticationProvider> match = resolveProvider(providers, groupAttributeValues);
    if (!match.isPresent()) {
        LOGGER.debug("No multifactor provider could be found based on [{}]'s Grouper groups", principal.getId());
        return null;
    }

    final MultifactorAuthenticationProvider provider = match.get();
    if (!provider.isAvailable(registeredService)) {
        // A provider that is configured but unreachable yields no event rather than an error.
        LOGGER.warn("Located multifactor provider [{}], yet the provider cannot be reached or verified", provider);
        return null;
    }
    LOGGER.debug("Attempting to build event based on the authentication provider [{}] and service [{}]",
        provider, registeredService.getName());
    final Event event = validateEventIdForMatchingTransitionInContext(provider.getId(), context,
        buildEventAttributeMap(principal, registeredService, provider));
    return CollectionUtils.wrapSet(event);
}
Use of org.apereo.cas.authentication.Authentication in project cas by apereo.
The class Saml2AttributeQueryProfileHandlerController, method handlePostRequest.
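/**
 * Handles a SAML2 SOAP attribute query.
 * <p>
 * The request is decoded, the issuer is resolved to a registered service whose metadata must
 * be available, and the message signature is verified before any attribute lookup happens.
 * When the query names attributes, they are read from the authentication and principal
 * attributes of the attribute-query ticket issued for the subject's NameID; a query that
 * names no attributes yields an assertion without attributes. Any failure is logged and
 * answered with a SAML fault response.
 *
 * @param response the response
 * @param request the request
 */
@PostMapping(path = SamlIdPConstants.ENDPOINT_SAML2_SOAP_ATTRIBUTE_QUERY)
protected void handlePostRequest(final HttpServletResponse response, final HttpServletRequest request) {
    final MessageContext ctx = decodeSoapRequest(request);
    final AttributeQuery query = (AttributeQuery) ctx.getMessage();
    try {
        final String issuer = query.getIssuer().getValue();
        final SamlRegisteredService service = verifySamlRegisteredService(issuer);
        final Optional<SamlRegisteredServiceServiceProviderMetadataFacade> adaptor = getSamlMetadataFacadeFor(service, query);
        if (!adaptor.isPresent()) {
            throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + issuer);
        }
        final SamlRegisteredServiceServiceProviderMetadataFacade facade = adaptor.get();
        // The signature is verified before the ticket lookup, so an unverified query never
        // reaches the ticket registry or the attribute maps.
        verifyAuthenticationContextSignature(ctx, request, query, facade);

        final Map<String, Object> attrs = new LinkedHashMap<>();
        // Bug fix: this block was guarded by isEmpty() and then iterated the (necessarily empty)
        // query attributes, so no requested attribute was ever released. It now runs only when
        // the query actually names attributes.
        if (!query.getAttributes().isEmpty()) {
            final String id = this.samlAttributeQueryTicketFactory.createTicketIdFor(query.getSubject().getNameID().getValue());
            final SamlAttributeQueryTicket ticket = this.ticketRegistry.getTicket(id, SamlAttributeQueryTicket.class);
            if (ticket == null) {
                // An explicit failure instead of a NullPointerException; still answered as a fault below.
                throw new IllegalArgumentException("No attribute query ticket is available for the requested subject");
            }
            final Authentication authentication = ticket.getTicketGrantingTicket().getAuthentication();
            final Principal principal = authentication.getPrincipal();
            final Map<String, Object> authnAttrs = authentication.getAttributes();
            final Map<String, Object> principalAttrs = principal.getAttributes();
            // An authentication attribute wins over a principal attribute of the same name.
            query.getAttributes().forEach(a -> {
                final String name = a.getName();
                if (authnAttrs.containsKey(name)) {
                    attrs.put(name, authnAttrs.get(name));
                } else if (principalAttrs.containsKey(name)) {
                    attrs.put(name, principalAttrs.get(name));
                }
            });
        }
        // NOTE(review): attrs holds every requested attribute that exists; the service's attribute
        // release policy is presumably applied inside buildCasAssertion — confirm.
        final Assertion casAssertion = buildCasAssertion(issuer, service, attrs);
        this.responseBuilder.build(query, request, response, casAssertion, service, facade, SAMLConstants.SAML2_SOAP11_BINDING_URI);
    } catch (final Exception e) {
        LOGGER.error(e.getMessage(), e);
        request.setAttribute(SamlIdPConstants.REQUEST_ATTRIBUTE_ERROR, e.getMessage());
        samlFaultResponseBuilder.build(query, request, response, null, null, null, SAMLConstants.SAML2_SOAP11_BINDING_URI);
    }
}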
Use of org.apereo.cas.authentication.Authentication in project cas by apereo.
The class OAuth20AuthorizeEndpointController, method redirectToCallbackRedirectUrl.
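/**
 * Builds the authorization response for the authenticated profile and redirects to the
 * callback redirect url.
 * <p>
 * The profile must be present in the profile manager. The service access strategy is
 * enforced for the built service and authentication before any authorization view is built.
 *
 * @param manager the manager
 * @param registeredService the registered service
 * @param context the context
 * @param clientId the client id
 * @return the model and view: an unauthorized error view when no profile is present or
 *         access is denied, a redirect to the authorization view when one is defined, or
 *         {@code null} when no explicit view is defined
 */
protected ModelAndView redirectToCallbackRedirectUrl(final ProfileManager manager, final OAuthRegisteredService registeredService, final J2EContext context, final String clientId) {
    final Optional<UserProfile> profile = manager.get(true);
    if (profile == null || !profile.isPresent()) {
        LOGGER.error("Unexpected null profile from profile manager. Request is not fully authenticated.");
        return OAuth20Utils.produceUnauthorizedErrorView();
    }
    final Service service = this.authenticationBuilder.buildService(registeredService, context, false);
    LOGGER.debug("Created service [{}] based on registered service [{}]", service, registeredService);
    final Authentication authentication = this.authenticationBuilder.build(profile.get(), registeredService, context, service);
    // Bug fix: the arguments were passed as (service, authentication), the reverse of the
    // placeholder order in the message.
    LOGGER.debug("Created OAuth authentication [{}] for service [{}]", authentication, service);
    try {
        // Enforce the access strategy before anything is built for the client.
        final AuditableContext audit = AuditableContext.builder()
            .service(service)
            .authentication(authentication)
            .registeredService(registeredService)
            .retrievePrincipalAttributesFromReleasePolicy(Boolean.TRUE)
            .build();
        final AuditableExecutionResult accessResult = this.registeredServiceAccessStrategyEnforcer.execute(audit);
        accessResult.throwExceptionIfNeeded();
    } catch (final UnauthorizedServiceException | PrincipalException e) {
        LOGGER.error(e.getMessage(), e);
        return OAuth20Utils.produceUnauthorizedErrorView();
    }
    final View view = buildAuthorizationForRequest(registeredService, context, clientId, service, authentication);
    if (view != null) {
        return OAuth20Utils.redirectTo(view);
    }
    LOGGER.debug("No explicit view was defined as part of the authorization response");
    return null;
}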
Use of org.apereo.cas.authentication.Authentication in project cas by apereo.
The class OAuth20DefaultTokenGenerator, method generate.
/**
 * Generates an access token, and optionally a refresh token, for the given request data.
 * <p>
 * The grant type is recorded as an attribute on a copy of the holder's authentication, the
 * access token is created and added to the ticket registry, and an OAuth code used for the
 * request has its state updated: it is deleted once it reports expired, otherwise persisted,
 * and its ticket-granting ticket is persisted as well.
 *
 * @param holder the access token request data
 * @return the access token paired with the refresh token; the refresh token is {@code null}
 *         when the request does not generate one
 */
@Override
public Pair<AccessToken, RefreshToken> generate(final AccessTokenRequestDataHolder holder) {
    LOGGER.debug("Creating refresh token for [{}]", holder.getService());
    final Authentication grantAuthentication = DefaultAuthenticationBuilder
        .newInstance(holder.getAuthentication())
        .addAttribute(OAuth20Constants.GRANT_TYPE, holder.getGrantType().toString())
        .build();

    LOGGER.debug("Creating access token for [{}]", holder);
    final AccessToken issuedAccessToken = this.accessTokenFactory.create(
        holder.getService(), grantAuthentication, holder.getTicketGrantingTicket(), holder.getScopes());
    LOGGER.debug("Created access token [{}]", issuedAccessToken);
    addTicketToRegistry(issuedAccessToken, holder.getTicketGrantingTicket());
    LOGGER.debug("Added access token [{}] to registry", issuedAccessToken);

    if (holder.getToken() instanceof OAuthCode) {
        // Record this use of the code; whether that expires it depends on its expiration policy.
        ((TicketState) holder.getToken()).update();
        if (holder.getToken().isExpired()) {
            this.ticketRegistry.deleteTicket(holder.getToken().getId());
        } else {
            this.ticketRegistry.updateTicket(holder.getToken());
        }
        this.ticketRegistry.updateTicket(holder.getTicketGrantingTicket());
    }

    if (!holder.isGenerateRefreshToken()) {
        LOGGER.debug("Service [{}] is not able/allowed to receive refresh tokens", holder.getService());
        return Pair.of(issuedAccessToken, null);
    }
    final RefreshToken issuedRefreshToken = generateRefreshToken(holder);
    LOGGER.debug("Refresh Token: [{}]", issuedRefreshToken);
    return Pair.of(issuedAccessToken, issuedRefreshToken);
}
Use of org.apereo.cas.authentication.Authentication in project cas by apereo.
The class AccessTokenPasswordGrantRequestExtractor, method extract.
/**
 * Builds the access token request data for a resource-owner password grant.
 * <p>
 * The registered service is located by the client id request parameter, the user profile
 * must already be present in the profile manager, the service access strategy is enforced
 * through an audit context, and a ticket-granting ticket is created for the resulting
 * authentication before the holder is assembled.
 *
 * @param request the request
 * @param response the response
 * @return the access token request data holder
 * @throws UnauthorizedServiceException if no user profile can be determined
 */
@Override
public AccessTokenRequestDataHolder extract(final HttpServletRequest request, final HttpServletResponse response) {
    final String requestedClientId = request.getParameter(OAuth20Constants.CLIENT_ID);
    final Set<String> requestedScopes = OAuth20Utils.parseRequestScopes(request);
    LOGGER.debug("Locating OAuth registered service by client id [{}]", requestedClientId);
    final OAuthRegisteredService oauthService = OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, requestedClientId);
    LOGGER.debug("Located OAuth registered service [{}]", oauthService);

    final J2EContext webContext = Pac4jUtils.getPac4jJ2EContext(request, response);
    final ProfileManager profileManager = Pac4jUtils.getPac4jProfileManager(request, response);
    final Optional<UserProfile> maybeProfile = profileManager.get(true);
    if (!maybeProfile.isPresent()) {
        throw new UnauthorizedServiceException("OAuth user profile cannot be determined");
    }
    final UserProfile userProfile = maybeProfile.get();

    LOGGER.debug("Creating matching service request based on [{}]", oauthService);
    final boolean serviceFromHeader = oAuthProperties.getGrants().getResourceOwner().isRequireServiceHeader();
    if (serviceFromHeader) {
        LOGGER.debug("Using request headers to identify and build the target service url");
    }
    final Service targetService = this.authenticationBuilder.buildService(oauthService, webContext, serviceFromHeader);
    LOGGER.debug("Authenticating the OAuth request indicated by [{}]", targetService);
    final Authentication authn = this.authenticationBuilder.build(userProfile, oauthService, webContext, targetService);

    // The access strategy is enforced before any ticket is created for this request.
    final AuditableContext auditContext = AuditableContext.builder()
        .service(targetService)
        .authentication(authn)
        .registeredService(oauthService)
        .retrievePrincipalAttributesFromReleasePolicy(Boolean.TRUE)
        .build();
    final AuditableExecutionResult accessResult = this.registeredServiceAccessStrategyEnforcer.execute(auditContext);
    accessResult.throwExceptionIfNeeded();

    // The service is attached to the authentication result only when it came from the request headers.
    final Service serviceForResult = serviceFromHeader ? targetService : null;
    final AuthenticationResult authnResult = new DefaultAuthenticationResult(authn, serviceForResult);
    final TicketGrantingTicket tgt = this.centralAuthenticationService.createTicketGrantingTicket(authnResult);
    return new AccessTokenRequestDataHolder(targetService, authn, oauthService, tgt, getGrantType(), requestedScopes);
}