Example 1 with MfaAuthenticationSuccessEvent

Use of org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationSuccessEvent in project uaa by cloudfoundry.

From class AuthenticationSuccessListenerTests, method mfa_authentication_success_triggers_user_authentication_success.

@Test
void mfa_authentication_success_triggers_user_authentication_success() {
    // A successful second factor for the user, in the current identity zone
    MfaAuthenticationSuccessEvent event = new MfaAuthenticationSuccessEvent(user, mockUaaAuthentication, "mfa-type", IdentityZoneHolder.getCurrentZoneId());
    listener.onApplicationEvent(event);
    // The listener must translate it into exactly one UserAuthenticationSuccessEvent
    verify(mockApplicationEventPublisher, times(1)).publishEvent(isA(UserAuthenticationSuccessEvent.class));
}

Also used: org.cloudfoundry.identity.uaa.authentication.event.UserAuthenticationSuccessEvent, org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationSuccessEvent, org.junit.jupiter.api.Test.

Example 2 with MfaAuthenticationSuccessEvent

Use of org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationSuccessEvent in project uaa by cloudfoundry.

From class StatelessMfaAuthenticationFilter, method doFilterInternal.

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
    MfaProvider provider = null;
    try {
        // Only token requests with a grant type this filter supports are subject to the stateless MFA check
        if (isGrantTypeSupported(request.getParameter(GRANT_TYPE))) {
            // Validates the MFA code carried in the request; returns the provider that verified it,
            // or throws one of the MFA exceptions handled below
            provider = checkMfaCode(request);
            UaaUser user = getUaaUser();
            if (provider != null) {
                // Record the successful second factor in the audit trail
                publishEvent(new MfaAuthenticationSuccessEvent(user, getAuthentication(), provider.getType().toValue(), IdentityZoneHolder.getCurrentZoneId()));
            }
        }
        filterChain.doFilter(request, response);
    } catch (InsufficientAuthenticationException x) {
        handleException(new JsonError(400, "invalid_request", x.getMessage()), response);
    } catch (MissingMfaCodeException | UserMfaConfigDoesNotExistException e) {
        // No code supplied, or the user has no MFA configuration: audit the failure and reject as a malformed request
        UaaUser user = getUaaUser();
        publishEvent(new MfaAuthenticationFailureEvent(user, getAuthentication(), provider != null ? provider.getType().toValue() : "null", IdentityZoneHolder.getCurrentZoneId()));
        handleException(new JsonError(400, "invalid_request", e.getMessage()), response);
    } catch (InvalidMfaCodeException e) {
        // Wrong code: audit the failure (these events feed the lockout policy) and answer 401
        // with a generic message that does not reveal why the code was rejected
        UaaUser user = getUaaUser();
        publishEvent(new MfaAuthenticationFailureEvent(user, getAuthentication(), provider != null ? provider.getType().toValue() : "null", IdentityZoneHolder.getCurrentZoneId()));
        handleException(new JsonError(401, "unauthorized", "Bad credentials"), response);
    }
}

Also used: org.cloudfoundry.identity.uaa.mfa.exception.MissingMfaCodeException, org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationFailureEvent, org.cloudfoundry.identity.uaa.user.UaaUser, org.cloudfoundry.identity.uaa.mfa.exception.InvalidMfaCodeException, org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationSuccessEvent, org.cloudfoundry.identity.uaa.mfa.exception.UserMfaConfigDoesNotExistException, org.springframework.security.authentication.InsufficientAuthenticationException.

Example 3 with MfaAuthenticationSuccessEvent

Use of org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationSuccessEvent in project uaa by cloudfoundry.

From class TotpMfaEndpoint, method validateCode.

@RequestMapping(value = { "/verify.do" }, method = RequestMethod.POST)
public ModelAndView validateCode(Model model, @RequestParam("code") String code, @ModelAttribute("uaaMfaCredentials") UserGoogleMfaCredentials credentials, HttpServletRequest request, SessionStatus sessionStatus) throws UaaPrincipalIsNotInSession {
    UaaAuthentication uaaAuth = getUaaAuthentication();
    UaaPrincipal uaaPrincipal = getSessionAuthPrincipal();
    // Enforce the lockout policy before the submitted code is even looked at
    if (!this.mfaPolicy.isAllowed(uaaPrincipal.getId()).isAllowed()) {
        throw new AuthenticationPolicyRejectionException("Your account has been locked because of too many failed attempts to login.");
    }
    try {
        Integer codeValue = Integer.valueOf(code);
        if (mfaCredentialsProvisioning.isValidCode(credentials, codeValue)) {
            // First successful verification completes enrollment by persisting the credentials
            if (mfaCredentialsProvisioning.getUserGoogleMfaCredentials(uaaPrincipal.getId()) == null) {
                mfaCredentialsProvisioning.saveUserCredentials(credentials);
            }
            // Record the factors used on the authentication so downstream consumers can see MFA was completed
            Set<String> authMethods = new HashSet<>(uaaAuth.getAuthenticationMethods());
            authMethods.addAll(Arrays.asList("otp", "mfa"));
            uaaAuth.setAuthenticationMethods(authMethods);
            publish(new MfaAuthenticationSuccessEvent(getUaaUser(uaaPrincipal), uaaAuth, getMfaProvider().getType().toValue(), IdentityZoneHolder.getCurrentZoneId()));
            // Finish the session-scoped flow, store the updated security context and move on
            sessionStatus.setComplete();
            SessionUtils.setSecurityContext(request.getSession(), SecurityContextHolder.getContext());
            return new ModelAndView(new RedirectView(mfaCompleteUrl, true));
        }
        // Wrong code: audit the failure (counted by the lockout policy) and show a generic error
        logger.debug("Code authorization failed for user: " + uaaPrincipal.getId());
        publish(new MfaAuthenticationFailureEvent(getUaaUser(uaaPrincipal), uaaAuth, getMfaProvider().getType().toValue(), IdentityZoneHolder.getCurrentZoneId()));
        model.addAttribute("error", "Incorrect code, please try again.");
    } catch (NumberFormatException | GoogleAuthenticatorException e) {
        // Non-numeric input or a verifier error is treated exactly like a wrong code: same audit event, same message
        logger.debug("Error validating the code for user: " + uaaPrincipal.getId() + ". Error: " + e.getMessage());
        publish(new MfaAuthenticationFailureEvent(getUaaUser(uaaPrincipal), uaaAuth, getMfaProvider().getType().toValue(), IdentityZoneHolder.getCurrentZoneId()));
        model.addAttribute("error", "Incorrect code, please try again.");
    }
    return renderEnterCodePage(model, uaaPrincipal);
}

Also used: org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationFailureEvent, org.springframework.web.servlet.ModelAndView, com.warrenstrange.googleauth.GoogleAuthenticatorException, org.cloudfoundry.identity.uaa.authentication.UaaAuthentication, org.cloudfoundry.identity.uaa.authentication.UaaPrincipal, org.cloudfoundry.identity.uaa.authentication.AuthenticationPolicyRejectionException, org.springframework.web.servlet.view.RedirectView, org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationSuccessEvent, java.util.HashSet.

Example 4 with MfaAuthenticationSuccessEvent

Use of org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationSuccessEvent in project uaa by cloudfoundry.

From class StatelessMfaAuthenticationFilterTests, method when_valid_mfa_auth_code_given_with_previously_failed_mfa_auth_attempts_interleaved_with_successful_mfa_auth_event_but_not_locked_out_should_pass.

@Test
public void when_valid_mfa_auth_code_given_with_previously_failed_mfa_auth_attempts_interleaved_with_successful_mfa_auth_event_but_not_locked_out_should_pass() {
    long fixedTime = 1L;
    when(timeService.getCurrentTimeMillis()).thenReturn(fixedTime);
    // Build the audit history the lockout policy will be evaluated against:
    // two failures, then a success, then one more failure
    AuditEvent failedMfaEvent = new MfaAuthenticationFailureEvent(user, authentication, GOOGLE_AUTHENTICATOR.toValue(), IdentityZoneHolder.getCurrentZoneId()).getAuditEvent();
    AuditEvent successfulMfaEvent = new MfaAuthenticationSuccessEvent(user, authentication, GOOGLE_AUTHENTICATOR.toValue(), IdentityZoneHolder.getCurrentZoneId()).getAuditEvent();
    ArrayList<AuditEvent> events = Lists.newArrayList(failedMfaEvent, failedMfaEvent, successfulMfaEvent, failedMfaEvent);
    when(jdbcAuditServiceMock.find(user.getId(), fixedTime, zone.getId())).thenReturn(events);
    // A lockout policy under which the interleaved failures above must not lock the user out
    LockoutPolicy lockoutPolicy = new LockoutPolicy(1, 3, 5);
    when(lockoutPolicyRetriever.getLockoutPolicy()).thenReturn(lockoutPolicy);
    request.setParameter(MFA_CODE, "123456");
    // Must complete without throwing: the success event resets the run of failures
    filter.checkMfaCode(request);
}

Also used: org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationFailureEvent, org.cloudfoundry.identity.uaa.audit.AuditEvent, org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationSuccessEvent, org.cloudfoundry.identity.uaa.provider.LockoutPolicy, org.junit.Test.

Example 5 with MfaAuthenticationSuccessEvent

Use of org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationSuccessEvent in project uaa by cloudfoundry.

From class AuthenticationSuccessListener, method onApplicationEvent.

@Override
public void onApplicationEvent(AbstractUaaAuthenticationEvent event) {
    if (event instanceof UserAuthenticationSuccessEvent) {
        onApplicationEvent((UserAuthenticationSuccessEvent) event, event.getIdentityZoneId());
    } else if (event instanceof IdentityProviderAuthenticationSuccessEvent) {
        // First factor (e.g. password) succeeded at the identity provider
        IdentityProviderAuthenticationSuccessEvent passwordAuthEvent = (IdentityProviderAuthenticationSuccessEvent) event;
        UserAuthenticationSuccessEvent userEvent = new UserAuthenticationSuccessEvent(passwordAuthEvent.getUser(), (Authentication) passwordAuthEvent.getSource(), IdentityZoneHolder.getCurrentZoneId());
        // Only counts as a full user login when the zone does not require MFA;
        // otherwise the login is reported once the MfaAuthenticationSuccessEvent arrives
        if (!checker.isMfaEnabledForZoneId(userEvent.getIdentityZoneId())) {
            publisher.publishEvent(userEvent);
        }
    } else if (event instanceof MfaAuthenticationSuccessEvent) {
        // Second factor succeeded: the user is now fully authenticated
        MfaAuthenticationSuccessEvent mfaEvent = (MfaAuthenticationSuccessEvent) event;
        UserAuthenticationSuccessEvent userEvent = new UserAuthenticationSuccessEvent(mfaEvent.getUser(), (Authentication) mfaEvent.getSource(), IdentityZoneHolder.getCurrentZoneId());
        publisher.publishEvent(userEvent);
    }
}

Also used: org.cloudfoundry.identity.uaa.authentication.event.UserAuthenticationSuccessEvent, org.cloudfoundry.identity.uaa.authentication.UaaAuthentication, org.springframework.security.core.Authentication, org.cloudfoundry.identity.uaa.authentication.event.IdentityProviderAuthenticationSuccessEvent, org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationSuccessEvent.
