use of org.apereo.cas.ticket.RenewableServiceTicket in project cas by apereo.
the class DefaultCentralAuthenticationService method validateServiceTicket.
@Audit(action = AuditableActions.SERVICE_TICKET_VALIDATE, actionResolverName = AuditActionResolvers.VALIDATE_SERVICE_TICKET_RESOLVER, resourceResolverName = AuditResourceResolvers.VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER)
@Override
public Assertion validateServiceTicket(final String serviceTicketId, final Service service) throws AbstractTicketException {
if (!isTicketAuthenticityVerified(serviceTicketId)) {
LOGGER.info("Service ticket [{}] is not a valid ticket issued by CAS.", serviceTicketId);
throw new InvalidTicketException(serviceTicketId);
}
val serviceTicket = configurationContext.getTicketRegistry().getTicket(serviceTicketId, ServiceTicket.class);
if (serviceTicket == null) {
LOGGER.warn("Service ticket [{}] does not exist.", serviceTicketId);
throw new InvalidTicketException(serviceTicketId);
}
try {
val selectedService = resolveServiceFromAuthenticationRequest(serviceTicket.getService());
val resolvedService = resolveServiceFromAuthenticationRequest(service);
LOGGER.debug("Resolved service [{}] from the authentication request with service [{}] linked to service ticket [{}]", resolvedService, selectedService, serviceTicket.getId());
configurationContext.getLockRepository().execute(serviceTicket.getId(), Unchecked.supplier(() -> {
if (serviceTicket.isExpired()) {
LOGGER.info("ServiceTicket [{}] has expired.", serviceTicketId);
throw new InvalidTicketException(serviceTicketId);
}
if (!configurationContext.getServiceMatchingStrategy().matches(selectedService, resolvedService)) {
LOGGER.error("Service ticket [{}] with service [{}] does not match supplied service [{}]", serviceTicketId, serviceTicket.getService().getId(), resolvedService.getId());
throw new UnrecognizableServiceForServiceTicketValidationException(selectedService);
}
serviceTicket.update();
configurationContext.getTicketRegistry().updateTicket(serviceTicket);
return serviceTicket;
}));
val registeredService = configurationContext.getServicesManager().findServiceBy(selectedService);
LOGGER.trace("Located registered service definition [{}] from [{}] to handle validation request", registeredService, selectedService);
RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(selectedService, registeredService);
val root = serviceTicket.getTicketGrantingTicket().getRoot();
val authentication = getAuthenticationSatisfiedByPolicy(root.getAuthentication(), new ServiceContext(selectedService, registeredService));
val principal = authentication.getPrincipal();
val attributePolicy = Objects.requireNonNull(registeredService.getAttributeReleasePolicy());
LOGGER.debug("Attribute policy [{}] is associated with service [{}]", attributePolicy, registeredService);
val context = RegisteredServiceAttributeReleasePolicyContext.builder().registeredService(registeredService).service(selectedService).principal(principal).build();
val attributesToRelease = attributePolicy.getAttributes(context);
LOGGER.debug("Calculated attributes for release per the release policy are [{}]", attributesToRelease.keySet());
val principalId = registeredService.getUsernameAttributeProvider().resolveUsername(principal, selectedService, registeredService);
val builder = DefaultAuthenticationBuilder.of(principal, configurationContext.getPrincipalFactory(), attributesToRelease, selectedService, registeredService, authentication);
LOGGER.debug("Principal determined for release to [{}] is [{}]", registeredService.getServiceId(), principalId);
builder.addAttribute(CasProtocolConstants.VALIDATION_CAS_MODEL_ATTRIBUTE_NAME_FROM_NEW_LOGIN, CollectionUtils.wrap(((RenewableServiceTicket) serviceTicket).isFromNewLogin()));
builder.addAttribute(CasProtocolConstants.VALIDATION_REMEMBER_ME_ATTRIBUTE_NAME, CollectionUtils.wrap(CoreAuthenticationUtils.isRememberMeAuthentication(authentication)));
val finalAuthentication = builder.build();
val releasePolicyContext = RegisteredServiceAttributeReleasePolicyContext.builder().registeredService(registeredService).service(service).principal(principal).build();
val policyAttributes = registeredService.getAttributeReleasePolicy().getAttributes(releasePolicyContext);
val merger = CoreAuthenticationUtils.getAttributeMerger(PrincipalAttributesCoreProperties.MergingStrategyTypes.MULTIVALUED);
var accessAttributes = CoreAuthenticationUtils.mergeAttributes(principal.getAttributes(), authentication.getAttributes(), merger);
accessAttributes = CoreAuthenticationUtils.mergeAttributes(accessAttributes, finalAuthentication.getPrincipal().getAttributes(), merger);
accessAttributes = CoreAuthenticationUtils.mergeAttributes(accessAttributes, finalAuthentication.getAttributes(), merger);
accessAttributes = CoreAuthenticationUtils.mergeAttributes(accessAttributes, policyAttributes, merger);
val accessPrincipal = configurationContext.getPrincipalFactory().createPrincipal(principal.getId(), accessAttributes);
enforceRegisteredServiceAccess(selectedService, registeredService, accessPrincipal);
AuthenticationCredentialsThreadLocalBinder.bindCurrent(finalAuthentication);
val assertion = new DefaultAssertionBuilder(finalAuthentication).with(selectedService).with(serviceTicket.getTicketGrantingTicket().getChainedAuthentications()).with(((RenewableServiceTicket) serviceTicket).isFromNewLogin()).build();
doPublishEvent(new CasServiceTicketValidatedEvent(this, serviceTicket, assertion));
return assertion;
} finally {
FunctionUtils.doUnchecked(s -> {
if (serviceTicket.isExpired()) {
deleteTicket(serviceTicketId);
} else {
configurationContext.getTicketRegistry().updateTicket(serviceTicket);
}
});
}
}
use of org.apereo.cas.ticket.RenewableServiceTicket in project cas by apereo.
the class DistributedTicketRegistryTests method verifyProxiedInstancesEqual.
@Test
public void verifyProxiedInstancesEqual() throws Exception {
val t = new TicketGrantingTicketImpl(TGT_ID, CoreAuthenticationTestUtils.getAuthentication(), NeverExpiresExpirationPolicy.INSTANCE);
this.ticketRegistry.addTicket(t);
val returned = (TicketGrantingTicket) this.ticketRegistry.getTicket(TGT_ID);
assertEquals(t, returned);
assertEquals(returned, t);
assertEquals(t.getCreationTime(), returned.getCreationTime());
assertEquals(t.getAuthentication(), returned.getAuthentication());
assertEquals(t.getCountOfUses(), returned.getCountOfUses());
assertEquals(t.getTicketGrantingTicket(), returned.getTicketGrantingTicket());
assertEquals(t.getId(), returned.getId());
assertEquals(t.getChainedAuthentications(), returned.getChainedAuthentications());
assertEquals(t.isExpired(), returned.isExpired());
assertEquals(t.isRoot(), returned.isRoot());
val s = t.grantServiceTicket("stest", RegisteredServiceTestUtils.getService(), NeverExpiresExpirationPolicy.INSTANCE, false, true);
this.ticketRegistry.addTicket(s);
val sreturned = (ServiceTicket) this.ticketRegistry.getTicket("stest");
assertEquals(s, sreturned);
assertEquals(sreturned, s);
assertEquals(s.getCreationTime(), sreturned.getCreationTime());
assertEquals(s.getCountOfUses(), sreturned.getCountOfUses());
assertEquals(s.getTicketGrantingTicket(), sreturned.getTicketGrantingTicket());
assertEquals(s.getId(), sreturned.getId());
assertEquals(s.isExpired(), sreturned.isExpired());
assertEquals(s.getService(), sreturned.getService());
assertEquals(((RenewableServiceTicket) s).isFromNewLogin(), ((RenewableServiceTicket) sreturned).isFromNewLogin());
}
Aggregations