Search in sources :

Example 1 with Principal

use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.

the class DefaultMultifactorAuthenticationProviderBypass method isAuthenticationRequestHonored.

@Override
public boolean isAuthenticationRequestHonored(final Authentication authentication, final RegisteredService registeredService, final MultifactorAuthenticationProvider provider) {
    final Principal principal = authentication.getPrincipal();
    final boolean bypassByPrincipal = locateMatchingAttributeBasedOnPrincipalAttributes(bypass, principal);
    if (bypassByPrincipal) {
        LOGGER.debug("Bypass rules for principal [{}] indicate the request may be ignored", principal.getId());
        updateAuthenticationToRememberBypass(authentication, provider, principal);
        return false;
    }
    final boolean bypassByAuthn = locateMatchingAttributeBasedOnAuthenticationAttributes(bypass, authentication);
    if (bypassByAuthn) {
        LOGGER.debug("Bypass rules for authentication [{}] indicate the request may be ignored", principal.getId());
        updateAuthenticationToRememberBypass(authentication, provider, principal);
        return false;
    }
    final boolean bypassByAuthnMethod = locateMatchingAttributeValue(AuthenticationManager.AUTHENTICATION_METHOD_ATTRIBUTE, bypass.getAuthenticationMethodName(), authentication.getAttributes(), false);
    if (bypassByAuthnMethod) {
        LOGGER.debug("Bypass rules for authentication method [{}] indicate the request may be ignored", principal.getId());
        updateAuthenticationToRememberBypass(authentication, provider, principal);
        return false;
    }
    final boolean bypassByHandlerName = locateMatchingAttributeValue(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS, bypass.getAuthenticationHandlerName(), authentication.getAttributes(), false);
    if (bypassByHandlerName) {
        LOGGER.debug("Bypass rules for authentication handlers [{}] indicate the request may be ignored", principal.getId());
        updateAuthenticationToRememberBypass(authentication, provider, principal);
        return false;
    }
    final boolean bypassByCredType = locateMatchingCredentialType(authentication, bypass.getCredentialClassType());
    if (bypassByCredType) {
        LOGGER.debug("Bypass rules for credential types [{}] indicate the request may be ignored", principal.getId());
        updateAuthenticationToRememberBypass(authentication, provider, principal);
        return false;
    }
    final boolean bypassByService = locateMatchingRegisteredServiceForBypass(authentication, registeredService);
    if (bypassByService) {
        updateAuthenticationToRememberBypass(authentication, provider, principal);
        return false;
    }
    updateAuthenticationToForgetBypass(authentication, provider, principal);
    return true;
}
Also used : Principal(org.apereo.cas.authentication.principal.Principal)

Example 2 with Principal

use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.

the class AbstractAuthenticationManager method authenticate.

@Override
@Audit(action = "AUTHENTICATION", actionResolverName = "AUTHENTICATION_RESOLVER", resourceResolverName = "AUTHENTICATION_RESOURCE_RESOLVER")
@Timed(name = "AUTHENTICATE_TIMER")
@Metered(name = "AUTHENTICATE_METER")
@Counted(name = "AUTHENTICATE_COUNT", monotonic = true)
public Authentication authenticate(final AuthenticationTransaction transaction) throws AuthenticationException {
    AuthenticationCredentialsLocalBinder.bindCurrent(transaction.getCredentials());
    final AuthenticationBuilder builder = authenticateInternal(transaction);
    authenticationEventExecutionPlan.getAuthenticationPostProcessors().forEach(p -> {
        LOGGER.info("Invoking authentication post processor [{}]", p);
        p.process(transaction, builder);
    });
    final Authentication authentication = builder.build();
    final Principal principal = authentication.getPrincipal();
    if (principal instanceof NullPrincipal) {
        throw new UnresolvedPrincipalException(authentication);
    }
    addAuthenticationMethodAttribute(builder, authentication);
    LOGGER.info("Authenticated principal [{}] with attributes [{}] via credentials [{}].", principal.getId(), principal.getAttributes(), transaction.getCredentials());
    populateAuthenticationMetadataAttributes(builder, transaction.getCredentials());
    final Authentication a = builder.build();
    AuthenticationCredentialsLocalBinder.bindCurrent(a);
    return a;
}
Also used : NullPrincipal(org.apereo.cas.authentication.principal.NullPrincipal) UnresolvedPrincipalException(org.apereo.cas.authentication.exceptions.UnresolvedPrincipalException) NullPrincipal(org.apereo.cas.authentication.principal.NullPrincipal) Principal(org.apereo.cas.authentication.principal.Principal) Audit(org.apereo.inspektr.audit.annotation.Audit) Counted(com.codahale.metrics.annotation.Counted) Metered(com.codahale.metrics.annotation.Metered) Timed(com.codahale.metrics.annotation.Timed)

Example 3 with Principal

use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.

the class AbstractAuthenticationManager method authenticateAndResolvePrincipal.

/**
     * Authenticate and resolve principal.
     *
     * @param builder    the builder
     * @param credential the credential
     * @param resolver   the resolver
     * @param handler    the handler
     * @throws GeneralSecurityException the general security exception
     * @throws PreventedException       the prevented exception
     */
protected void authenticateAndResolvePrincipal(final AuthenticationBuilder builder, final Credential credential, final PrincipalResolver resolver, final AuthenticationHandler handler) throws GeneralSecurityException, PreventedException {
    Principal principal;
    publishEvent(new CasAuthenticationTransactionStartedEvent(this, credential));
    final HandlerResult result = handler.authenticate(credential);
    builder.addSuccess(handler.getName(), result);
    LOGGER.debug("Authentication handler [{}] successfully authenticated [{}]", handler.getName(), credential);
    publishEvent(new CasAuthenticationTransactionSuccessfulEvent(this, credential));
    principal = result.getPrincipal();
    if (resolver == null) {
        LOGGER.debug("No principal resolution is configured for [{}]. Falling back to handler principal [{}]", handler.getName(), principal);
    } else {
        principal = resolvePrincipal(handler, resolver, credential, principal);
        if (principal == null) {
            if (this.principalResolutionFailureFatal) {
                LOGGER.warn("Principal resolution handled by [{}] produced a null principal for: [{}]" + "CAS is configured to treat principal resolution failures as fatal.", resolver.getClass().getSimpleName(), credential);
                throw new UnresolvedPrincipalException();
            }
            LOGGER.warn("Principal resolution handled by [{}] produced a null principal. " + "This is likely due to misconfiguration or missing attributes; CAS will attempt to use the principal " + "produced by the authentication handler, if any.", resolver.getClass().getSimpleName());
        }
    }
    if (principal != null) {
        builder.setPrincipal(principal);
    }
    LOGGER.debug("Final principal resolved for this authentication event is [{}]", principal);
    publishEvent(new CasAuthenticationPrincipalResolvedEvent(this, principal));
}
Also used : CasAuthenticationPrincipalResolvedEvent(org.apereo.cas.support.events.authentication.CasAuthenticationPrincipalResolvedEvent) CasAuthenticationTransactionStartedEvent(org.apereo.cas.support.events.authentication.CasAuthenticationTransactionStartedEvent) UnresolvedPrincipalException(org.apereo.cas.authentication.exceptions.UnresolvedPrincipalException) CasAuthenticationTransactionSuccessfulEvent(org.apereo.cas.support.events.authentication.CasAuthenticationTransactionSuccessfulEvent) NullPrincipal(org.apereo.cas.authentication.principal.NullPrincipal) Principal(org.apereo.cas.authentication.principal.Principal)

Example 4 with Principal

use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.

the class RegisteredServiceAccessStrategyUtils method ensurePrincipalAccessIsAllowedForService.

/**
     * Ensure service access is allowed.
     *
     * @param service           the service
     * @param registeredService the registered service
     * @param authentication    the authentication
     * @throws UnauthorizedServiceException the unauthorized service exception
     * @throws PrincipalException           the principal exception
     */
public static void ensurePrincipalAccessIsAllowedForService(final Service service, final RegisteredService registeredService, final Authentication authentication) throws UnauthorizedServiceException, PrincipalException {
    ensureServiceAccessIsAllowed(service, registeredService);
    final Principal principal = authentication.getPrincipal();
    final Map<String, Object> principalAttrs = registeredService.getAttributeReleasePolicy().getAttributes(principal, registeredService);
    if (!registeredService.getAccessStrategy().doPrincipalAttributesAllowServiceAccess(principal.getId(), principalAttrs)) {
        LOGGER.warn("Cannot grant access to service [{}] because it is not authorized for use by [{}].", service.getId(), principal);
        final Map<String, Class<? extends Exception>> handlerErrors = new HashMap<>();
        handlerErrors.put(UnauthorizedServiceForPrincipalException.class.getSimpleName(), UnauthorizedServiceForPrincipalException.class);
        throw new PrincipalException(UnauthorizedServiceForPrincipalException.CODE_UNAUTHZ_SERVICE, handlerErrors, new HashMap<>());
    }
}
Also used : HashMap(java.util.HashMap) PrincipalException(org.apereo.cas.authentication.PrincipalException) Principal(org.apereo.cas.authentication.principal.Principal) PrincipalException(org.apereo.cas.authentication.PrincipalException)

Example 5 with Principal

use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.

the class RegisteredServicePrincipalAttributeMultifactorAuthenticationPolicyEventResolver method resolveInternal.

@Override
public Set<Event> resolveInternal(final RequestContext context) {
    final RegisteredService service = resolveRegisteredServiceInRequestContext(context);
    final Authentication authentication = WebUtils.getAuthentication(context);
    final RegisteredServiceMultifactorPolicy policy = service != null ? service.getMultifactorPolicy() : null;
    if (policy == null || service.getMultifactorPolicy().getMultifactorAuthenticationProviders().isEmpty()) {
        LOGGER.debug("Authentication policy is absent or does not contain any multifactor authentication providers");
        return null;
    }
    if (StringUtils.isBlank(policy.getPrincipalAttributeNameTrigger()) || StringUtils.isBlank(policy.getPrincipalAttributeValueToMatch())) {
        LOGGER.debug("Authentication policy does not define a principal attribute and/or value to trigger multifactor authentication");
        return null;
    }
    final Principal principal = authentication.getPrincipal();
    final Collection<MultifactorAuthenticationProvider> providers = flattenProviders(getAuthenticationProviderForService(service));
    return resolveEventViaPrincipalAttribute(principal, org.springframework.util.StringUtils.commaDelimitedListToSet(policy.getPrincipalAttributeNameTrigger()), service, context, providers, Pattern.compile(policy.getPrincipalAttributeValueToMatch()).asPredicate());
}
Also used : RegisteredServiceMultifactorPolicy(org.apereo.cas.services.RegisteredServiceMultifactorPolicy) RegisteredService(org.apereo.cas.services.RegisteredService) Authentication(org.apereo.cas.authentication.Authentication) MultifactorAuthenticationProvider(org.apereo.cas.services.MultifactorAuthenticationProvider) Principal(org.apereo.cas.authentication.principal.Principal)

Aggregations

Principal (org.apereo.cas.authentication.principal.Principal)114 HashMap (java.util.HashMap)33 RegisteredService (org.apereo.cas.services.RegisteredService)31 Test (org.junit.Test)29 Authentication (org.apereo.cas.authentication.Authentication)26 MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)26 MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse)26 OAuthRegisteredService (org.apereo.cas.support.oauth.services.OAuthRegisteredService)25 Map (java.util.Map)23 Slf4j (lombok.extern.slf4j.Slf4j)23 lombok.val (lombok.val)19 List (java.util.List)15 StringUtils (org.apache.commons.lang3.StringUtils)15 OAuthCode (org.apereo.cas.ticket.code.OAuthCode)15 CollectionUtils (org.apereo.cas.util.CollectionUtils)15 ArrayList (java.util.ArrayList)14 Optional (java.util.Optional)14 Service (org.apereo.cas.authentication.principal.Service)14 Collection (java.util.Collection)11 Collectors (java.util.stream.Collectors)10