
Example 1 with UaaLoginHint

use of org.cloudfoundry.identity.uaa.authentication.UaaLoginHint in project uaa by cloudfoundry.

the class PasswordGrantAuthenticationManager method authenticate.

/**
 * Picks the identity provider that should service this password grant and
 * hands the request to the matching delegate.
 *
 * <p>Candidate origins are the zone's active providers that pass
 * {@code providerSupportsPasswordGrant}, narrowed to the client's allowed
 * providers when {@code getAllowedProviders()} returns a list. Precedence is:
 * a caller-supplied login hint that names a candidate; otherwise the zone's
 * default provider when it is a candidate; otherwise whatever
 * {@code getUaaLoginHintForChainedAuth} derives from the candidate list.
 * A resolved origin of {@code OriginKeys.UAA} or {@code OriginKeys.LDAP} (or
 * no resolvable origin at all) is authenticated by the zone-aware delegate;
 * any other origin is looked up in the external OAuth provider store and
 * sent through {@code oidcPasswordGrant}.
 *
 * @param authentication the password grant credentials
 * @return the authentication produced by the chosen delegate
 * @throws ProviderConfigurationException if the login hint names an origin
 *         that is not an active password-grant provider, or one the client
 *         is not allowed to use
 * @throws AuthenticationException as raised by the delegate
 */
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    UaaLoginHint requestedHint = zoneAwareAuthzAuthenticationManager.extractLoginHint(authentication);
    List<String> clientAllowedProviders = getAllowedProviders();
    String zoneDefaultProvider = IdentityZoneHolder.get().getConfig().getDefaultIdentityProvider();

    // Active providers in this zone that can service a password grant.
    List<String> passwordGrantProviders = identityProviderProvisioning
            .retrieveActive(IdentityZoneHolder.get().getId())
            .stream()
            .filter(this::providerSupportsPasswordGrant)
            .map(IdentityProvider::getOriginKey)
            .collect(Collectors.toList());

    // A client without an allowed_providers restriction may use any of them.
    List<String> candidates = clientAllowedProviders == null
            ? passwordGrantProviders
            : clientAllowedProviders.stream().filter(passwordGrantProviders::contains).collect(Collectors.toList());

    UaaLoginHint effectiveHint;
    if (requestedHint != null) {
        String requestedOrigin = requestedHint.getOrigin();
        if (!candidates.contains(requestedOrigin)) {
            // Two distinct failures: the client could use this origin but it is not an
            // active password-grant provider, versus the client is not allowed to use it.
            boolean originPermittedForClient = clientAllowedProviders == null
                    || clientAllowedProviders.contains(requestedOrigin);
            throw new ProviderConfigurationException(originPermittedForClient
                    ? "The origin provided in the login_hint does not match an active Identity Provider, that supports password grant."
                    : "Client is not authorized for specified user's identity provider.");
        }
        effectiveHint = requestedHint;
    } else if (zoneDefaultProvider != null && candidates.contains(zoneDefaultProvider)) {
        effectiveHint = new UaaLoginHint(zoneDefaultProvider);
    } else {
        effectiveHint = getUaaLoginHintForChainedAuth(candidates);
    }

    if (effectiveHint != null) {
        zoneAwareAuthzAuthenticationManager.setLoginHint(authentication, effectiveHint);
    }

    String origin = effectiveHint == null ? null : effectiveHint.getOrigin();
    boolean handledByZoneManager = origin == null
            || origin.equals(OriginKeys.UAA)
            || origin.equals(OriginKeys.LDAP);
    if (handledByZoneManager) {
        return zoneAwareAuthzAuthenticationManager.authenticate(authentication);
    }

    // NOTE(review): the cast assumes providerSupportsPasswordGrant only admits
    // OIDC-backed definitions; a differently typed config here would throw
    // ClassCastException rather than a ProviderConfigurationException — confirm.
    OIDCIdentityProviderDefinition oidcConfig = (OIDCIdentityProviderDefinition) externalOAuthProviderProvisioning
            .retrieveByOrigin(origin, IdentityZoneHolder.get().getId())
            .getConfig();
    return oidcPasswordGrant(authentication, oidcConfig);
}
Also used : ProviderConfigurationException(org.cloudfoundry.identity.uaa.authentication.ProviderConfigurationException) UaaLoginHint(org.cloudfoundry.identity.uaa.authentication.UaaLoginHint)

Example 2 with UaaLoginHint

use of org.cloudfoundry.identity.uaa.authentication.UaaLoginHint in project uaa by cloudfoundry.

the class PasswordGrantAuthenticationManagerTest method testPasswordGrant_NoLoginHintWithDefaultUaa.

/**
 * With no login hint, a client restricted to {@code uaa} and a zone default
 * of {@code uaa}, the manager must set a {@code uaa} login hint on the request
 * and route it to the zone-aware manager.
 */
@Test
void testPasswordGrant_NoLoginHintWithDefaultUaa() {
    Authentication request = mock(Authentication.class);
    when(zoneAwareAuthzAuthenticationManager.extractLoginHint(request)).thenReturn(null);

    // Client-level restriction: only the internal UAA store may be used.
    Map<String, Object> clientInfo = new HashMap<>();
    clientInfo.put(ClientConstants.ALLOWED_PROVIDERS, Collections.singletonList("uaa"));
    when(clientDetails.getAdditionalInformation()).thenReturn(clientInfo);

    // NOTE(review): mutates the shared zone holder; presumably reset by a
    // fixture hook elsewhere in this class — confirm.
    IdentityZoneHolder.get().getConfig().setDefaultIdentityProvider("uaa");

    instance.authenticate(request);

    ArgumentCaptor<UaaLoginHint> hintCaptor = ArgumentCaptor.forClass(UaaLoginHint.class);
    verify(zoneAwareAuthzAuthenticationManager, times(1)).setLoginHint(eq(request), hintCaptor.capture());
    verify(zoneAwareAuthzAuthenticationManager, times(1)).authenticate(request);

    UaaLoginHint appliedHint = hintCaptor.getValue();
    assertNotNull(appliedHint);
    assertEquals("uaa", appliedHint.getOrigin());
}
Also used : UaaLoginHint(org.cloudfoundry.identity.uaa.authentication.UaaLoginHint) HashMap(java.util.HashMap) Authentication(org.springframework.security.core.Authentication) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) Test(org.junit.jupiter.api.Test)

Example 3 with UaaLoginHint

use of org.cloudfoundry.identity.uaa.authentication.UaaLoginHint in project uaa by cloudfoundry.

the class PasswordGrantAuthenticationManagerTest method testOIDCPasswordGrantInvalidLogin.

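/**
 * When the OIDC provider's token exchange fails with a client error, the
 * manager must surface a {@link BadCredentialsException} and publish exactly
 * one {@link IdentityProviderAuthenticationFailureEvent}.
 *
 * <p>Only the failing exchange is stubbed; no response body is needed
 * because the exchange never returns one.
 */
@Test
void testOIDCPasswordGrantInvalidLogin() {
    UaaLoginHint loginHint = mock(UaaLoginHint.class);
    when(loginHint.getOrigin()).thenReturn("oidcprovider");

    Authentication auth = mock(Authentication.class);
    when(auth.getPrincipal()).thenReturn("marissa");
    when(auth.getCredentials()).thenReturn("koala1");
    when(zoneAwareAuthzAuthenticationManager.extractLoginHint(auth)).thenReturn(loginHint);

    // The provider's token endpoint rejects the exchange.
    RestTemplate rt = mock(RestTemplate.class);
    when(restTemplateConfig.nonTrustingRestTemplate()).thenReturn(rt);
    HttpClientErrorException exception = mock(HttpClientErrorException.class);
    when(rt.exchange(anyString(), any(HttpMethod.class), any(HttpEntity.class), any(ParameterizedTypeReference.class))).thenThrow(exception);

    try {
        instance.authenticate(auth);
        fail("No Exception thrown.");
    } catch (BadCredentialsException expected) {
        // the rejected exchange is reported as a credential failure
    }

    ArgumentCaptor<AbstractUaaEvent> eventArgumentCaptor = ArgumentCaptor.forClass(AbstractUaaEvent.class);
    verify(eventPublisher, times(1)).publishEvent(eventArgumentCaptor.capture());
    assertEquals(1, eventArgumentCaptor.getAllValues().size());
    assertTrue(eventArgumentCaptor.getValue() instanceof IdentityProviderAuthenticationFailureEvent);
}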
Also used : HttpClientErrorException(org.springframework.web.client.HttpClientErrorException) HttpEntity(org.springframework.http.HttpEntity) IdentityProviderAuthenticationFailureEvent(org.cloudfoundry.identity.uaa.authentication.event.IdentityProviderAuthenticationFailureEvent) BadCredentialsException(org.springframework.security.authentication.BadCredentialsException) UaaLoginHint(org.cloudfoundry.identity.uaa.authentication.UaaLoginHint) Authentication(org.springframework.security.core.Authentication) ParameterizedTypeReference(org.springframework.core.ParameterizedTypeReference) RestTemplate(org.springframework.web.client.RestTemplate) AbstractUaaEvent(org.cloudfoundry.identity.uaa.audit.event.AbstractUaaEvent) Map(java.util.Map) HashMap(java.util.HashMap) MultiValueMap(org.springframework.util.MultiValueMap) HttpMethod(org.springframework.http.HttpMethod) Test(org.junit.jupiter.api.Test)

Example 4 with UaaLoginHint

use of org.cloudfoundry.identity.uaa.authentication.UaaLoginHint in project uaa by cloudfoundry.

the class PasswordGrantAuthenticationManagerTest method testOIDCPasswordGrantProviderNotFound.

/**
 * A login hint naming an origin that is not an active password-grant
 * provider must be rejected with the "does not match" configuration error.
 */
@Test
void testOIDCPasswordGrantProviderNotFound() {
    UaaLoginHint unknownOriginHint = mock(UaaLoginHint.class);
    when(unknownOriginHint.getOrigin()).thenReturn("oidcprovider2");
    Authentication request = mock(Authentication.class);
    when(zoneAwareAuthzAuthenticationManager.extractLoginHint(request)).thenReturn(unknownOriginHint);

    try {
        instance.authenticate(request);
    } catch (ProviderConfigurationException rejected) {
        assertEquals("The origin provided in the login_hint does not match an active Identity Provider, that supports password grant.", rejected.getMessage());
        return;
    }
    fail();
}
Also used : ProviderConfigurationException(org.cloudfoundry.identity.uaa.authentication.ProviderConfigurationException) UaaLoginHint(org.cloudfoundry.identity.uaa.authentication.UaaLoginHint) Authentication(org.springframework.security.core.Authentication) Test(org.junit.jupiter.api.Test)

Example 5 with UaaLoginHint

use of org.cloudfoundry.identity.uaa.authentication.UaaLoginHint in project uaa by cloudfoundry.

the class PasswordGrantAuthenticationManagerTest method testUaaPasswordGrant_allowedProvidersOnlyUaa.

/**
 * With no login hint, a client whose allowed_providers is exactly
 * {@code uaa} must have a {@code uaa} login hint applied and be routed to the
 * zone-aware manager.
 */
@Test
void testUaaPasswordGrant_allowedProvidersOnlyUaa() {
    Authentication request = mock(Authentication.class);
    when(zoneAwareAuthzAuthenticationManager.extractLoginHint(request)).thenReturn(null);

    // Client-level restriction: only the internal UAA store may be used.
    Map<String, Object> clientInfo = new HashMap<>();
    clientInfo.put(ClientConstants.ALLOWED_PROVIDERS, Collections.singletonList("uaa"));
    when(clientDetails.getAdditionalInformation()).thenReturn(clientInfo);

    instance.authenticate(request);

    ArgumentCaptor<UaaLoginHint> hintCaptor = ArgumentCaptor.forClass(UaaLoginHint.class);
    verify(zoneAwareAuthzAuthenticationManager, times(1)).setLoginHint(eq(request), hintCaptor.capture());
    UaaLoginHint appliedHint = hintCaptor.getValue();
    assertNotNull(appliedHint);
    assertEquals("uaa", appliedHint.getOrigin());
    verify(zoneAwareAuthzAuthenticationManager, times(1)).authenticate(request);
}
Also used : UaaLoginHint(org.cloudfoundry.identity.uaa.authentication.UaaLoginHint) HashMap(java.util.HashMap) Authentication(org.springframework.security.core.Authentication) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) Test(org.junit.jupiter.api.Test)

Aggregations

UaaLoginHint (org.cloudfoundry.identity.uaa.authentication.UaaLoginHint)32 Test (org.junit.jupiter.api.Test)26 Authentication (org.springframework.security.core.Authentication)23 HashMap (java.util.HashMap)14 ArgumentMatchers.anyString (org.mockito.ArgumentMatchers.anyString)12 Map (java.util.Map)9 ParameterizedTypeReference (org.springframework.core.ParameterizedTypeReference)7 HttpEntity (org.springframework.http.HttpEntity)7 HttpMethod (org.springframework.http.HttpMethod)7 MultiValueMap (org.springframework.util.MultiValueMap)7 RestTemplate (org.springframework.web.client.RestTemplate)7 ProviderConfigurationException (org.cloudfoundry.identity.uaa.authentication.ProviderConfigurationException)6 IdentityProvider (org.cloudfoundry.identity.uaa.provider.IdentityProvider)6 BadCredentialsException (org.springframework.security.authentication.BadCredentialsException)5 UaaAuthenticationDetails (org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails)4 OIDCIdentityProviderDefinition (org.cloudfoundry.identity.uaa.provider.OIDCIdentityProviderDefinition)4 ExternalOAuthCodeToken (org.cloudfoundry.identity.uaa.provider.oauth.ExternalOAuthCodeToken)4 HttpHeaders (org.springframework.http.HttpHeaders)4 Collections.emptyMap (java.util.Collections.emptyMap)2 LinkedHashMap (java.util.LinkedHashMap)2