use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.
the class RestEndpointMultifactorAuthenticationPolicyEventResolver method resolveInternal.
@Override
public Set<Event> resolveInternal(final RequestContext context) {
final RegisteredService service = resolveRegisteredServiceInRequestContext(context);
final Authentication authentication = WebUtils.getAuthentication(context);
if (service == null || authentication == null) {
LOGGER.debug("No service or authentication is available to determine event for principal");
return null;
}
final Principal principal = authentication.getPrincipal();
if (StringUtils.isBlank(restEndpoint)) {
LOGGER.debug("Rest endpoint to determine event is not configured for [{}]", principal.getId());
return null;
}
final Map<String, MultifactorAuthenticationProvider> providerMap = MultifactorAuthenticationUtils.getAvailableMultifactorAuthenticationProviders(this.applicationContext);
if (providerMap == null || providerMap.isEmpty()) {
LOGGER.error("No multifactor authentication providers are available in the application context");
return null;
}
final Collection<MultifactorAuthenticationProvider> flattenedProviders = flattenProviders(providerMap.values());
LOGGER.debug("Contacting [{}] to inquire about [{}]", restEndpoint, principal.getId());
final String results = callRestEndpointForMultifactor(principal, context);
if (StringUtils.isNotBlank(results)) {
return resolveMultifactorEventViaRestResult(results, flattenedProviders);
}
LOGGER.debug("No providers are available to match rest endpoint results");
return new HashSet<>(0);
}
use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.
the class DefaultCentralAuthenticationService method grantServiceTicket.
@Audit(action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
@Timed(name = "GRANT_SERVICE_TICKET_TIMER")
@Metered(name = "GRANT_SERVICE_TICKET_METER")
@Counted(name = "GRANT_SERVICE_TICKET_COUNTER", monotonic = true)
@Override
public ServiceTicket grantServiceTicket(final String ticketGrantingTicketId, final Service service, final AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
final boolean credentialProvided = authenticationResult != null && authenticationResult.isCredentialProvided();
final TicketGrantingTicket ticketGrantingTicket = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
final Service selectedService = resolveServiceFromAuthenticationRequest(service);
final RegisteredService registeredService = this.servicesManager.findServiceBy(selectedService);
final AuditableContext audit = AuditableContext.builder().service(selectedService).ticketGrantingTicket(ticketGrantingTicket).registeredService(registeredService).retrievePrincipalAttributesFromReleasePolicy(Boolean.FALSE).build();
final AuditableExecutionResult accessResult = this.registeredServiceAccessStrategyEnforcer.execute(audit);
accessResult.throwExceptionIfNeeded();
final Authentication currentAuthentication = evaluatePossibilityOfMixedPrincipals(authenticationResult, ticketGrantingTicket);
RegisteredServiceAccessStrategyUtils.ensureServiceSsoAccessIsAllowed(registeredService, selectedService, ticketGrantingTicket, credentialProvided);
evaluateProxiedServiceIfNeeded(selectedService, ticketGrantingTicket, registeredService);
// Perform security policy check by getting the authentication that satisfies the configured policy
getAuthenticationSatisfiedByPolicy(currentAuthentication, new ServiceContext(selectedService, registeredService));
final Authentication latestAuthentication = ticketGrantingTicket.getRoot().getAuthentication();
AuthenticationCredentialsThreadLocalBinder.bindCurrent(latestAuthentication);
final Principal principal = latestAuthentication.getPrincipal();
final ServiceTicketFactory factory = (ServiceTicketFactory) this.ticketFactory.get(ServiceTicket.class);
final ServiceTicket serviceTicket = factory.create(ticketGrantingTicket, service, credentialProvided, ServiceTicket.class);
this.ticketRegistry.updateTicket(ticketGrantingTicket);
this.ticketRegistry.addTicket(serviceTicket);
LOGGER.info("Granted ticket [{}] for service [{}] and principal [{}]", serviceTicket.getId(), DigestUtils.abbreviate(service.getId()), principal.getId());
doPublishEvent(new CasServiceTicketGrantedEvent(this, ticketGrantingTicket, serviceTicket));
return serviceTicket;
}
use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.
the class AbstractPrincipalAttributeAcceptableUsagePolicyRepository method verify.
@Override
public Pair<Boolean, Principal> verify(final RequestContext requestContext, final Credential credential) {
final Principal principal = WebUtils.getPrincipalFromRequestContext(requestContext, this.ticketRegistrySupport);
if (isUsagePolicyAcceptedBy(principal)) {
LOGGER.debug("Usage policy has been accepted by [{}]", principal.getId());
return Pair.of(Boolean.TRUE, principal);
}
LOGGER.warn("Usage policy has not been accepted by [{}]", principal.getId());
return Pair.of(Boolean.FALSE, principal);
}
use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.
the class RegisteredServiceAccessStrategyUtils method ensurePrincipalAccessIsAllowedForService.
/**
* Ensure service access is allowed.
*
* @param service the service
* @param registeredService the registered service
* @param authentication the authentication
* @param retrievePrincipalAttributesFromReleasePolicy retrieve attributes from release policy or simply rely on the principal attributes
* already collected. Setting this value to false bears the assumption that the policy
* has run already.
* @throws UnauthorizedServiceException the unauthorized service exception
* @throws PrincipalException the principal exception
*/
static void ensurePrincipalAccessIsAllowedForService(final Service service, final RegisteredService registeredService, final Authentication authentication, final boolean retrievePrincipalAttributesFromReleasePolicy) throws UnauthorizedServiceException, PrincipalException {
ensureServiceAccessIsAllowed(service, registeredService);
final Principal principal = authentication.getPrincipal();
final Map<String, Object> principalAttrs;
if (retrievePrincipalAttributesFromReleasePolicy && registeredService != null && registeredService.getAttributeReleasePolicy() != null) {
principalAttrs = registeredService.getAttributeReleasePolicy().getAttributes(principal, service, registeredService);
} else {
principalAttrs = authentication.getPrincipal().getAttributes();
}
final Map<String, Object> attributes = new LinkedHashMap<>(principalAttrs);
attributes.putAll(authentication.getAttributes());
ensurePrincipalAccessIsAllowedForService(service, registeredService, principal.getId(), attributes);
}
use of org.apereo.cas.authentication.principal.Principal in project cas by apereo.
the class AbstractRegisteredServiceTests method verifyServiceAttributeFilterAllowedAttributes.
@Test
public void verifyServiceAttributeFilterAllowedAttributes() {
prepareService();
final ReturnAllowedAttributeReleasePolicy policy = new ReturnAllowedAttributeReleasePolicy();
policy.setAllowedAttributes(Arrays.asList(ATTR_1, ATTR_3));
this.r.setAttributeReleasePolicy(policy);
final Principal p = mock(Principal.class);
final Map<String, Object> map = new HashMap<>();
map.put(ATTR_1, "value1");
map.put(ATTR_2, "value2");
map.put(ATTR_3, Arrays.asList("v3", "v4"));
when(p.getAttributes()).thenReturn(map);
when(p.getId()).thenReturn("principalId");
final Map<String, Object> attr = this.r.getAttributeReleasePolicy().getAttributes(p, RegisteredServiceTestUtils.getService(), RegisteredServiceTestUtils.getRegisteredService(SERVICE_ID));
assertEquals(2, attr.size());
assertTrue(attr.containsKey(ATTR_1));
assertTrue(attr.containsKey(ATTR_3));
}
Aggregations