
Example 1 with DeviceRegistration

use of org.gluu.oxauth.model.fido.u2f.DeviceRegistration in project oxAuth by GluuFederation.

the class U2fAuthenticationWS method finishAuthentication.

@POST
@Produces({ "application/json" })
public Response finishAuthentication(@FormParam("username") String userName, @FormParam("tokenResponse") String authenticateResponseString) {
    String sessionId = null;
    try {
        if (appConfiguration.getDisableU2fEndpoint()) {
            return Response.status(Status.FORBIDDEN).build();
        }
        log.debug("Finishing authentication for username '{}' with response '{}'", userName, authenticateResponseString);
        AuthenticateResponse authenticateResponse = ServerUtil.jsonMapperWithWrapRoot().readValue(authenticateResponseString, AuthenticateResponse.class);
        String requestId = authenticateResponse.getRequestId();
        // The requestId is client-supplied, but everything bound to it (challenge, key handles,
        // session id, user inum) was stored server-side when the request was issued.
        AuthenticateRequestMessageLdap authenticateRequestMessageLdap = u2fAuthenticationService.getAuthenticationRequestMessageByRequestId(requestId);
        if (authenticateRequestMessageLdap == null) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SESSION_EXPIRED)).build());
        }
        sessionId = authenticateRequestMessageLdap.getSessionId();
        // Delete the stored request before verifying the response so the challenge can be
        // consumed only once: a replayed response fails the lookup above with SESSION_EXPIRED.
        u2fAuthenticationService.removeAuthenticationRequestMessage(authenticateRequestMessageLdap);
        AuthenticateRequestMessage authenticateRequestMessage = authenticateRequestMessageLdap.getAuthenticateRequestMessage();
        // The user is taken from the stored request, not from the 'username' form parameter,
        // which is only used below to tell one-step (username-less) flows apart.
        String foundUserInum = authenticateRequestMessageLdap.getUserInum();
        DeviceRegistrationResult deviceRegistrationResult = u2fAuthenticationService.finishAuthentication(authenticateRequestMessage, authenticateResponse, foundUserInum);
        // If sessionId is not empty update session
        if (StringHelper.isNotEmpty(sessionId)) {
            log.debug("There is session id. Setting session id attributes");
            boolean oneStep = StringHelper.isEmpty(userName);
            userSessionIdService.updateUserSessionIdOnFinishRequest(sessionId, foundUserInum, deviceRegistrationResult, false, oneStep);
        }
        AuthenticateStatus authenticationStatus = new AuthenticateStatus(Constants.RESULT_SUCCESS, requestId);
        // convert manually to avoid possible conflict between resteasy
        // providers, e.g. jettison, jackson
        final String entity = ServerUtil.asJson(authenticationStatus);
        return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
    } catch (Exception ex) {
        log.error("Exception happened", ex);
        if (ex instanceof WebApplicationException) {
            throw (WebApplicationException) ex;
        }
        try {
            // If sessionId is not empty update session
            if (StringHelper.isNotEmpty(sessionId)) {
                log.debug("There is session id. Setting session id status to 'declined'");
                userSessionIdService.updateUserSessionIdOnError(sessionId);
            }
        } catch (Exception ex2) {
            log.error("Failed to update session id status", ex2);
        }
        if (ex instanceof BadInputException) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.INVALID_REQUEST)).build());
        }
        if (ex instanceof DeviceCompromisedException) {
            // The authenticator failed a consistency check (in U2F this is the signature
            // counter not advancing). Disable the registration so it cannot be used again,
            // then report DEVICE_COMPROMISED to the client.
            DeviceRegistration deviceRegistration = ((DeviceCompromisedException) ex).getDeviceRegistration();
            try {
                deviceRegistrationService.disableUserDeviceRegistration(deviceRegistration);
            } catch (Exception ex2) {
                // Placeholder argument first, throwable last: with the original order the
                // exception was printed in place of the id and its stack trace was lost.
                log.error("Failed to mark device '{}' as compromised", deviceRegistration.getId(), ex2);
            }
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.DEVICE_COMPROMISED)).build());
        }
        throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
    }
}
Also used : AuthenticateStatus(org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateStatus) AuthenticateResponse(org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateResponse) AuthenticateRequestMessageLdap(org.gluu.oxauth.model.fido.u2f.AuthenticateRequestMessageLdap) AuthenticateRequestMessage(org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage) BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException) DeviceRegistration(org.gluu.oxauth.model.fido.u2f.DeviceRegistration) DeviceRegistrationResult(org.gluu.oxauth.model.fido.u2f.DeviceRegistrationResult) DeviceCompromisedException(org.gluu.oxauth.exception.fido.u2f.DeviceCompromisedException) DeviceCompromisedException(org.gluu.oxauth.exception.fido.u2f.DeviceCompromisedException) InvalidKeyHandleDeviceException(org.gluu.oxauth.exception.fido.u2f.InvalidKeyHandleDeviceException) NoEligableDevicesException(org.gluu.oxauth.exception.fido.u2f.NoEligableDevicesException) BadInputException(org.gluu.oxauth.model.fido.u2f.exception.BadInputException)

Example 2 with DeviceRegistration

use of org.gluu.oxauth.model.fido.u2f.DeviceRegistration in project oxAuth by GluuFederation.

the class CleanerTimerTest method u2fDevice_whichIsExpiredAndDeletable_MustBeRemoved.

@Test
public void u2fDevice_whichIsExpiredAndDeletable_MustBeRemoved() throws StringEncrypter.EncryptionException {
    final Client client = createClient();
    clientService.persist(client);
    // 1. create device
    String userInum = "";
    String appId = "https://testapp.com";
    final DeviceRegistration device = new DeviceRegistration();
    device.setStatus(DeviceRegistrationStatus.ACTIVE);
    device.setApplication(appId);
    device.setId(String.valueOf(System.currentTimeMillis()));
    device.setDn(deviceRegistrationService.getDnForU2fDevice(userInum, device.getId()));
    deviceRegistrationService.addOneStepDeviceRegistration(device);
    // 2. device exists
    assertNotNull(deviceRegistrationService.findUserDeviceRegistration(userInum, device.getId()));
    // 3. clean up
    cleanerTimer.processImpl();
    cacheService.clear();
    // 4. device exists
    assertNotNull(deviceRegistrationService.findUserDeviceRegistration(userInum, device.getId()));
    final Calendar calendar = Calendar.getInstance();
    calendar.add(Calendar.MINUTE, -10);
    device.setExpirationDate(calendar.getTime());
    deviceRegistrationService.merge(device);
    // 5. clean up
    cleanerTimer.processImpl();
    cacheService.clear();
    // 6. no device in persistence
    try {
        deviceRegistrationService.findUserDeviceRegistration(userInum, device.getId());
        throw new AssertionError("No exception, expected EntryPersistenceException on find.");
    } catch (EntryPersistenceException e) {
        // expected: the entry was removed by the cleaner
    }
}
Also used : EntryPersistenceException(org.gluu.persist.exception.EntryPersistenceException) DeviceRegistration(org.gluu.oxauth.model.fido.u2f.DeviceRegistration) Client(org.gluu.oxauth.model.registration.Client) Test(org.testng.annotations.Test) BaseComponentTest(org.gluu.oxauth.BaseComponentTest)

Example 3 with DeviceRegistration

use of org.gluu.oxauth.model.fido.u2f.DeviceRegistration in project oxAuth by GluuFederation.

the class AuthenticationService method buildAuthenticateRequestMessage.

public AuthenticateRequestMessage buildAuthenticateRequestMessage(String appId, String userInum) throws BadInputException, NoEligableDevicesException {
    if (applicationService.isValidateApplication()) {
        applicationService.checkIsValid(appId);
    }
    List<AuthenticateRequest> authenticateRequests = new ArrayList<AuthenticateRequest>();
    byte[] challenge = challengeGenerator.generateChallenge();
    List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, appId);
    for (DeviceRegistration deviceRegistration : deviceRegistrations) {
        // Registrations already flagged as compromised are never offered a challenge.
        if (!deviceRegistration.isCompromised()) {
            AuthenticateRequest request;
            try {
                request = startAuthentication(appId, deviceRegistration, challenge);
                authenticateRequests.add(request);
            } catch (DeviceCompromisedException ex) {
                log.error("Failed to authenticate device", ex);
            }
        }
    }
    if (authenticateRequests.isEmpty()) {
        if (deviceRegistrations.isEmpty()) {
            throw new NoEligableDevicesException(deviceRegistrations, "No devices registered");
        } else {
            throw new NoEligableDevicesException(deviceRegistrations, "All devices compromised");
        }
    }
    return new AuthenticateRequestMessage(authenticateRequests);
}
Also used : AuthenticateRequest(org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequest) AuthenticateRequestMessage(org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage) NoEligableDevicesException(org.gluu.oxauth.exception.fido.u2f.NoEligableDevicesException) ArrayList(java.util.ArrayList) DeviceRegistration(org.gluu.oxauth.model.fido.u2f.DeviceRegistration) DeviceCompromisedException(org.gluu.oxauth.exception.fido.u2f.DeviceCompromisedException)
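Examples 1 and 3 show the two places where a compromised device matters: finishAuthentication disables a registration when finishAuthentication on the service throws DeviceCompromisedException, and buildAuthenticateRequestMessage skips registrations already flagged. The following is an added, self-contained illustration of that behaviour, not code from oxAuth: it models the one-shot request lookup and the U2F signature-counter check that a relying party performs in that order. The class and method names, the in-memory maps, and the assumption that the signature has already been verified and the counter already extracted from the response are all this example's own.

```java
import java.util.HashMap;
import java.util.Map;

/** Minimal model of what a U2F finish-authentication path must enforce (illustrative, not oxAuth's code). */
public class U2fFinishAuthDemo {

    /** Per-key-handle state; assumed shape, not oxAuth's DeviceRegistration. */
    static final class StoredDevice {
        final String keyHandle;
        long counter;          // highest signature counter accepted so far
        boolean compromised;   // set once a counter regression is observed

        StoredDevice(String keyHandle, long counter) {
            this.keyHandle = keyHandle;
            this.counter = counter;
        }
    }

    /** Raised when the authenticator's counter did not advance past the stored value. */
    static final class DeviceCompromisedException extends Exception {
        final StoredDevice device;

        DeviceCompromisedException(StoredDevice device, String msg) {
            super(msg);
            this.device = device;
        }
    }

    // requestId -> key handle the challenge was issued for; valid for exactly one finish call
    private final Map<String, String> pendingRequests = new HashMap<>();
    private final Map<String, StoredDevice> devices = new HashMap<>();

    public void registerDevice(String keyHandle, long initialCounter) {
        devices.put(keyHandle, new StoredDevice(keyHandle, initialCounter));
    }

    public void startAuthentication(String requestId, String keyHandle) {
        pendingRequests.put(requestId, keyHandle);
    }

    /**
     * Same ordering as U2fAuthenticationWS.finishAuthentication: look the request up by id,
     * delete it before verifying anything (so a replayed response finds nothing), then check
     * the counter. Signature verification is assumed to have passed before this is called.
     */
    public boolean finishAuthentication(String requestId, String keyHandle, long presentedCounter)
            throws DeviceCompromisedException {
        String expectedKeyHandle = pendingRequests.remove(requestId);  // consume the challenge once
        if (expectedKeyHandle == null) {
            return false;  // unknown or already-consumed request (SESSION_EXPIRED in oxAuth)
        }
        StoredDevice device = devices.get(keyHandle);
        if (device == null || !expectedKeyHandle.equals(keyHandle) || device.compromised) {
            return false;
        }
        // U2F counters must strictly increase. A repeated or lower value means a replayed
        // assertion or a second physical copy of the key signing with the same credential.
        if (presentedCounter <= device.counter) {
            device.compromised = true;  // oxAuth does this via disableUserDeviceRegistration
            throw new DeviceCompromisedException(device,
                    "counter " + presentedCounter + " did not advance past " + device.counter);
        }
        device.counter = presentedCounter;
        return true;
    }

    public boolean isCompromised(String keyHandle) {
        StoredDevice d = devices.get(keyHandle);
        return d != null && d.compromised;
    }

    public static void main(String[] args) throws Exception {
        U2fFinishAuthDemo rp = new U2fFinishAuthDemo();
        rp.registerDevice("kh-1", 10);  // constructed sample registration

        rp.startAuthentication("req-1", "kh-1");
        System.out.println("first finish accepted: " + rp.finishAuthentication("req-1", "kh-1", 11));
        System.out.println("replayed finish accepted: " + rp.finishAuthentication("req-1", "kh-1", 11));

        rp.startAuthentication("req-2", "kh-1");
        try {
            rp.finishAuthentication("req-2", "kh-1", 11);  // same counter as before: regression
        } catch (DeviceCompromisedException e) {
            System.out.println("compromised: " + e.getMessage());
        }
        System.out.println("device disabled: " + rp.isCompromised("kh-1"));
    }
}
```

Running main walks through the three cases the oxAuth code distinguishes: a fresh response succeeds, the same response sent again fails because its request was deleted on first use, and a later response whose counter has not moved past the stored value throws DeviceCompromisedException and leaves the device disabled, which is the state buildAuthenticateRequestMessage then excludes with isCompromised().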

Example 4 with DeviceRegistration

use of org.gluu.oxauth.model.fido.u2f.DeviceRegistration in project oxAuth by GluuFederation.

the class DeviceRegistrationService method getExpiredDeviceRegistrations.

public List<DeviceRegistration> getExpiredDeviceRegistrations(BatchOperation<DeviceRegistration> batchOperation, Date expirationDate, String[] returnAttributes, int sizeLimit, int chunkSize) {
    // Only one-step (username-less) registrations live under this base DN and are subject to expiry.
    final String u2fBaseDn = getDnForOneStepU2fDevice(null);
    // 'expirationDate' is a cut-off timestamp: entries whose creationDate is at or before it are
    // returned. The comparison is against the creation time, not a per-entry expiration attribute.
    Filter expirationFilter = Filter.createLessOrEqualFilter("creationDate", ldapEntryManager.encodeTime(u2fBaseDn, expirationDate));
    // The batch operation is invoked per chunk, so callers can delete in bounded batches.
    List<DeviceRegistration> deviceRegistrations = ldapEntryManager.findEntries(u2fBaseDn, DeviceRegistration.class, expirationFilter, SearchScope.SUB, returnAttributes, batchOperation, 0, sizeLimit, chunkSize);
    return deviceRegistrations;
}
Also used : Filter(org.gluu.search.filter.Filter) DeviceRegistration(org.gluu.oxauth.model.fido.u2f.DeviceRegistration)

Example 5 with DeviceRegistration

use of org.gluu.oxauth.model.fido.u2f.DeviceRegistration in project oxAuth by GluuFederation.

the class UserService method countFidoRegisteredDevices.

public long countFidoRegisteredDevices(String username, String domain) {
    String userInum = getUserInum(username);
    if (userInum == null) {
        return 0;
    }
    String baseDn = getBaseDnForFidoDevices(userInum);
    if (persistenceEntryManager.hasBranchesSupport(baseDn)) {
        if (!persistenceEntryManager.contains(baseDn, SimpleBranch.class)) {
            return 0;
        }
    }
    Filter resultFilter = Filter.createEqualityFilter("oxStatus", DeviceRegistrationStatus.ACTIVE.getValue());
    List<DeviceRegistration> fidoRegistrations = persistenceEntryManager.findEntries(baseDn, DeviceRegistration.class, resultFilter);
    if (StringUtils.isEmpty(domain)) {
        return fidoRegistrations.size();
    }
    long deviceCount = fidoRegistrations.parallelStream().filter(f -> StringHelper.equals(domain, networkService.getHost(f.getApplication()))).count();
    return deviceCount;
}
Also used : SimpleBranch(org.gluu.persist.model.base.SimpleBranch) StringUtils(org.apache.commons.lang.StringUtils) Filter(org.gluu.search.filter.Filter) DeviceRegistration(org.gluu.oxauth.model.fido.u2f.DeviceRegistration) Fido2RegistrationEntry(org.gluu.fido2.model.entry.Fido2RegistrationEntry) StringHelper(org.gluu.util.StringHelper) Inject(javax.inject.Inject) List(java.util.List) NetworkService(org.gluu.service.net.NetworkService) StaticConfiguration(org.gluu.oxauth.model.config.StaticConfiguration) CustomEntry(org.gluu.persist.model.base.CustomEntry) DeviceRegistrationStatus(org.gluu.oxauth.model.fido.u2f.DeviceRegistrationStatus) ApplicationScoped(javax.enterprise.context.ApplicationScoped) AppConfiguration(org.gluu.oxauth.model.configuration.AppConfiguration) SimpleBranch(org.gluu.persist.model.base.SimpleBranch) Filter(org.gluu.search.filter.Filter) DeviceRegistration(org.gluu.oxauth.model.fido.u2f.DeviceRegistration)

Aggregations

DeviceRegistration (org.gluu.oxauth.model.fido.u2f.DeviceRegistration)8 DeviceCompromisedException (org.gluu.oxauth.exception.fido.u2f.DeviceCompromisedException)3 BadInputException (org.gluu.oxauth.model.fido.u2f.exception.BadInputException)3 InvalidKeyHandleDeviceException (org.gluu.oxauth.exception.fido.u2f.InvalidKeyHandleDeviceException)2 NoEligableDevicesException (org.gluu.oxauth.exception.fido.u2f.NoEligableDevicesException)2 DeviceRegistrationResult (org.gluu.oxauth.model.fido.u2f.DeviceRegistrationResult)2 AuthenticateRequest (org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequest)2 AuthenticateRequestMessage (org.gluu.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage)2 Filter (org.gluu.search.filter.Filter)2 ArrayList (java.util.ArrayList)1 Date (java.util.Date)1 List (java.util.List)1 ApplicationScoped (javax.enterprise.context.ApplicationScoped)1 Inject (javax.inject.Inject)1 StringUtils (org.apache.commons.lang.StringUtils)1 Fido2RegistrationEntry (org.gluu.fido2.model.entry.Fido2RegistrationEntry)1 BaseComponentTest (org.gluu.oxauth.BaseComponentTest)1 StaticConfiguration (org.gluu.oxauth.model.config.StaticConfiguration)1 AppConfiguration (org.gluu.oxauth.model.configuration.AppConfiguration)1 AuthenticateRequestMessageLdap (org.gluu.oxauth.model.fido.u2f.AuthenticateRequestMessageLdap)1