Use of org.cloudfoundry.identity.uaa.authentication.UaaLoginHint in project uaa by cloudfoundry.
Class PasswordGrantAuthenticationManager, method authenticate.
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // Resolve which identity provider should service this password grant, then dispatch:
    // local origins (uaa/ldap, or no usable hint) go to the zone-aware manager, any other
    // origin is treated as an OIDC provider and the grant is relayed to it.
    UaaLoginHint requestedHint = zoneAwareAuthzAuthenticationManager.extractLoginHint(authentication);
    List<String> allowedProviders = getAllowedProviders();
    String defaultProvider = IdentityZoneHolder.get().getConfig().getDefaultIdentityProvider();
    String zoneId = IdentityZoneHolder.get().getId();

    // Origins of every active provider in the current zone that can service a password grant.
    List<String> passwordGrantOrigins = identityProviderProvisioning.retrieveActive(zoneId)
            .stream()
            .filter(this::providerSupportsPasswordGrant)
            .map(IdentityProvider::getOriginKey)
            .collect(Collectors.toList());

    // A client may restrict the providers it can use (allowed_providers); a null list means no
    // restriction. Order follows the client's list so that chained-auth fallback is deterministic.
    List<String> candidateOrigins = allowedProviders == null
            ? passwordGrantOrigins
            : allowedProviders.stream().filter(passwordGrantOrigins::contains).collect(Collectors.toList());

    UaaLoginHint effectiveHint = requestedHint == null
            ? selectHintWhenNoneRequested(defaultProvider, candidateOrigins)
            : validateRequestedHint(requestedHint, allowedProviders, candidateOrigins);

    if (effectiveHint != null) {
        zoneAwareAuthzAuthenticationManager.setLoginHint(authentication, effectiveHint);
    }

    if (effectiveHint == null || isLocalOrigin(effectiveHint.getOrigin())) {
        return zoneAwareAuthzAuthenticationManager.authenticate(authentication);
    }
    OIDCIdentityProviderDefinition definition = (OIDCIdentityProviderDefinition)
            externalOAuthProviderProvisioning.retrieveByOrigin(effectiveHint.getOrigin(), zoneId).getConfig();
    return oidcPasswordGrant(authentication, definition);
}

/**
 * Chooses a login hint when the request carried none: the zone's default provider if the
 * client may use it, otherwise whatever the chained-auth fallback derives from the candidates.
 *
 * @param defaultProvider  default identity provider of the current zone; may be null
 * @param candidateOrigins origins the client may use for a password grant
 * @return the hint to apply; may be null if the chained-auth fallback yields none
 */
private UaaLoginHint selectHintWhenNoneRequested(String defaultProvider, List<String> candidateOrigins) {
    if (defaultProvider != null && candidateOrigins.contains(defaultProvider)) {
        return new UaaLoginHint(defaultProvider);
    }
    return getUaaLoginHintForChainedAuth(candidateOrigins);
}

/**
 * Checks that an explicitly requested login hint names a provider the client may use.
 *
 * @param requestedHint    the hint extracted from the request
 * @param allowedProviders the client's allowed_providers, or null when unrestricted
 * @param candidateOrigins origins that are both active for password grant and allowed for the client
 * @return the requested hint, unchanged, when it is acceptable
 * @throws ProviderConfigurationException when the origin is not usable; the message distinguishes
 *         "no such active password-grant provider" from "client not authorized for that provider"
 */
private static UaaLoginHint validateRequestedHint(UaaLoginHint requestedHint,
                                                  List<String> allowedProviders,
                                                  List<String> candidateOrigins) {
    String origin = requestedHint.getOrigin();
    if (candidateOrigins.contains(origin)) {
        return requestedHint;
    }
    boolean clientPermitsOrigin = allowedProviders == null || allowedProviders.contains(origin);
    throw new ProviderConfigurationException(clientPermitsOrigin
            ? "The origin provided in the login_hint does not match an active Identity Provider, that supports password grant."
            : "Client is not authorized for specified user's identity provider.");
}

/**
 * Whether an origin is handled locally by the zone-aware manager rather than relayed to an
 * external OIDC provider. A null origin counts as local.
 */
private static boolean isLocalOrigin(String origin) {
    return origin == null || origin.equals(OriginKeys.UAA) || origin.equals(OriginKeys.LDAP);
}
Use of org.cloudfoundry.identity.uaa.authentication.UaaLoginHint in project uaa by cloudfoundry.
Class PasswordGrantAuthenticationManagerTest, method testPasswordGrant_NoLoginHintWithDefaultUaa.
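@Test
void testPasswordGrant_NoLoginHintWithDefaultUaa() {
    // No login_hint on the request; the client only allows "uaa" and the zone default is "uaa",
    // so the manager must pick "uaa" itself and hand the grant to the zone-aware manager.
    Authentication auth = mock(Authentication.class);
    when(zoneAwareAuthzAuthenticationManager.extractLoginHint(auth)).thenReturn(null);
    Map<String, Object> additionalInformation = new HashMap<>();
    additionalInformation.put(ClientConstants.ALLOWED_PROVIDERS, Collections.singletonList("uaa"));
    when(clientDetails.getAdditionalInformation()).thenReturn(additionalInformation);

    // The zone config is held in a static holder: restore the previous default so this test's
    // setting cannot leak into other tests in the class.
    String previousDefault = IdentityZoneHolder.get().getConfig().getDefaultIdentityProvider();
    IdentityZoneHolder.get().getConfig().setDefaultIdentityProvider("uaa");
    try {
        instance.authenticate(auth);
    } finally {
        IdentityZoneHolder.get().getConfig().setDefaultIdentityProvider(previousDefault);
    }

    verify(zoneAwareAuthzAuthenticationManager, times(1)).authenticate(auth);
    ArgumentCaptor<UaaLoginHint> captor = ArgumentCaptor.forClass(UaaLoginHint.class);
    verify(zoneAwareAuthzAuthenticationManager, times(1)).setLoginHint(eq(auth), captor.capture());
    assertNotNull(captor.getValue());
    assertEquals("uaa", captor.getValue().getOrigin());
}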
Use of org.cloudfoundry.identity.uaa.authentication.UaaLoginHint in project uaa by cloudfoundry.
Class PasswordGrantAuthenticationManagerTest, method testOIDCPasswordGrantInvalidLogin.
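@Test
void testOIDCPasswordGrantInvalidLogin() {
    // A login_hint naming an OIDC provider relays the grant to that provider's token endpoint.
    UaaLoginHint loginHint = mock(UaaLoginHint.class);
    when(loginHint.getOrigin()).thenReturn("oidcprovider");
    Authentication auth = mock(Authentication.class);
    when(auth.getPrincipal()).thenReturn("marissa");
    when(auth.getCredentials()).thenReturn("koala1");
    when(zoneAwareAuthzAuthenticationManager.extractLoginHint(auth)).thenReturn(loginHint);

    // The remote exchange fails with a client error; no response object is needed because the
    // call never returns one (the previously stubbed ResponseEntity was dead setup).
    RestTemplate rt = mock(RestTemplate.class);
    when(restTemplateConfig.nonTrustingRestTemplate()).thenReturn(rt);
    HttpClientErrorException exception = mock(HttpClientErrorException.class);
    when(rt.exchange(anyString(), any(HttpMethod.class), any(HttpEntity.class), any(ParameterizedTypeReference.class))).thenThrow(exception);

    try {
        instance.authenticate(auth);
        fail("No Exception thrown.");
    } catch (BadCredentialsException ignored) {
        // expected: the upstream client error is reported to the caller as bad credentials
    }

    // Exactly one audit event is published for the failed grant, and it is the provider-failure type.
    ArgumentCaptor<AbstractUaaEvent> eventArgumentCaptor = ArgumentCaptor.forClass(AbstractUaaEvent.class);
    verify(eventPublisher, times(1)).publishEvent(eventArgumentCaptor.capture());
    assertEquals(1, eventArgumentCaptor.getAllValues().size());
    assertTrue(eventArgumentCaptor.getValue() instanceof IdentityProviderAuthenticationFailureEvent);
}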
Use of org.cloudfoundry.identity.uaa.authentication.UaaLoginHint in project uaa by cloudfoundry.
Class PasswordGrantAuthenticationManagerTest, method testOIDCPasswordGrantProviderNotFound.
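@Test
void testOIDCPasswordGrantProviderNotFound() {
    // A login_hint whose origin is not an active password-grant provider must be rejected with the
    // "does not match an active Identity Provider" message (not the client-authorization one).
    UaaLoginHint loginHint = mock(UaaLoginHint.class);
    when(loginHint.getOrigin()).thenReturn("oidcprovider2");
    Authentication auth = mock(Authentication.class);
    when(zoneAwareAuthzAuthenticationManager.extractLoginHint(auth)).thenReturn(loginHint);
    try {
        instance.authenticate(auth);
        // A bare fail() gives no diagnostic when the check regresses; name what was expected.
        fail("Expected ProviderConfigurationException for unknown origin oidcprovider2");
    } catch (ProviderConfigurationException e) {
        assertEquals("The origin provided in the login_hint does not match an active Identity Provider, that supports password grant.", e.getMessage());
    }
}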
Use of org.cloudfoundry.identity.uaa.authentication.UaaLoginHint in project uaa by cloudfoundry.
Class PasswordGrantAuthenticationManagerTest, method testUaaPasswordGrant_allowedProvidersOnlyUaa.
@Test
void testUaaPasswordGrant_allowedProvidersOnlyUaa() {
    // Client restricted to allowed_providers=["uaa"] and no login_hint on the request:
    // the manager must derive a "uaa" hint and delegate to the zone-aware manager.
    Map<String, Object> clientInfo = new HashMap<>();
    clientInfo.put(ClientConstants.ALLOWED_PROVIDERS, Collections.singletonList("uaa"));
    when(clientDetails.getAdditionalInformation()).thenReturn(clientInfo);

    Authentication auth = mock(Authentication.class);
    when(zoneAwareAuthzAuthenticationManager.extractLoginHint(auth)).thenReturn(null);

    instance.authenticate(auth);

    verify(zoneAwareAuthzAuthenticationManager, times(1)).authenticate(auth);
    ArgumentCaptor<UaaLoginHint> hintCaptor = ArgumentCaptor.forClass(UaaLoginHint.class);
    verify(zoneAwareAuthzAuthenticationManager, times(1)).setLoginHint(eq(auth), hintCaptor.capture());
    UaaLoginHint appliedHint = hintCaptor.getValue();
    assertNotNull(appliedHint);
    assertEquals("uaa", appliedHint.getOrigin());
}