Use of org.gluu.oxauth.model.fido.u2f.DeviceRegistration in project oxAuth by GluuFederation.
Class U2fAuthenticationWS, method finishAuthentication.
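/**
 * Completes a U2F authentication for a previously issued request.
 *
 * <p>Parses the authenticator's response, looks up the pending request by its
 * {@code requestId}, removes that request, verifies the response and, when the
 * request carried a session id, updates the session with the result.
 *
 * @param userName                   user name from the form; empty for one-step flows
 * @param authenticateResponseString JSON authenticator response ({@code tokenResponse})
 * @return 200 with a JSON {@code AuthenticateStatus} on success; 403 with an empty body when the
 *         U2F endpoint is disabled
 * @throws WebApplicationException 403 {@code SESSION_EXPIRED} when no pending request matches,
 *         403 {@code INVALID_REQUEST} on {@code BadInputException}, 403 {@code DEVICE_COMPROMISED}
 *         on {@code DeviceCompromisedException} (the device is disabled first), 500
 *         {@code SERVER_ERROR} for any other failure
 */
@POST
@Produces({ "application/json" })
public Response finishAuthentication(@FormParam("username") String userName, @FormParam("tokenResponse") String authenticateResponseString) {
    String sessionId = null;
    try {
        if (appConfiguration.getDisableU2fEndpoint()) {
            return Response.status(Status.FORBIDDEN).build();
        }

        log.debug("Finishing authentication for username '{}' with response '{}'", userName, authenticateResponseString);

        AuthenticateResponse authenticateResponse = ServerUtil.jsonMapperWithWrapRoot().readValue(authenticateResponseString, AuthenticateResponse.class);
        String requestId = authenticateResponse.getRequestId();

        AuthenticateRequestMessageLdap authenticateRequestMessageLdap = u2fAuthenticationService.getAuthenticationRequestMessageByRequestId(requestId);
        if (authenticateRequestMessageLdap == null) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SESSION_EXPIRED)).build());
        }
        sessionId = authenticateRequestMessageLdap.getSessionId();

        // Drop the pending request before verifying the response: a second submission with the
        // same requestId then fails the lookup above instead of being verified again.
        u2fAuthenticationService.removeAuthenticationRequestMessage(authenticateRequestMessageLdap);

        AuthenticateRequestMessage authenticateRequestMessage = authenticateRequestMessageLdap.getAuthenticateRequestMessage();
        String foundUserInum = authenticateRequestMessageLdap.getUserInum();

        DeviceRegistrationResult deviceRegistrationResult = u2fAuthenticationService.finishAuthentication(authenticateRequestMessage, authenticateResponse, foundUserInum);

        // Only requests started with a session carry a session id to update
        if (StringHelper.isNotEmpty(sessionId)) {
            log.debug("There is session id. Setting session id attributes");
            // An empty user name means the one-step (username-less) flow
            boolean oneStep = StringHelper.isEmpty(userName);
            userSessionIdService.updateUserSessionIdOnFinishRequest(sessionId, foundUserInum, deviceRegistrationResult, false, oneStep);
        }

        AuthenticateStatus authenticationStatus = new AuthenticateStatus(Constants.RESULT_SUCCESS, requestId);

        // convert manually to avoid possible conflict between resteasy
        // providers, e.g. jettison, jackson
        final String entity = ServerUtil.asJson(authenticationStatus);
        return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
    } catch (Exception ex) {
        log.error("Exception happened", ex);
        if (ex instanceof WebApplicationException) {
            throw (WebApplicationException) ex;
        }

        // Best effort: a failed verification marks the session as declined
        try {
            if (StringHelper.isNotEmpty(sessionId)) {
                log.debug("There is session id. Setting session id status to 'declined'");
                userSessionIdService.updateUserSessionIdOnError(sessionId);
            }
        } catch (Exception ex2) {
            log.error("Failed to update session id status", ex2);
        }

        // NOTE(review): SESSION_EXPIRED/SERVER_ERROR use getJsonErrorResponse while the two
        // responses below use getErrorResponse — confirm the difference is intended.
        if (ex instanceof BadInputException) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.INVALID_REQUEST)).build());
        }

        if (ex instanceof DeviceCompromisedException) {
            DeviceRegistration deviceRegistration = ((DeviceCompromisedException) ex).getDeviceRegistration();
            if (deviceRegistration == null) {
                log.error("Device compromised exception carries no device registration");
            } else {
                try {
                    deviceRegistrationService.disableUserDeviceRegistration(deviceRegistration);
                } catch (Exception ex2) {
                    // Throwable must be the last argument for SLF4J to log the stack trace
                    log.error("Failed to mark device '{}' as compromised", deviceRegistration.getId(), ex2);
                }
            }
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.DEVICE_COMPROMISED)).build());
        }

        throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
    }
}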
Use of org.gluu.oxauth.model.fido.u2f.DeviceRegistration in project oxAuth by GluuFederation.
Class CleanerTimerTest, method u2fDevice_whichIsExpiredAndDeletable_MustBeRemoved.
/**
 * A one-step U2F device survives a cleaner run while it has no expiration date and is removed
 * by the next run once its expiration date lies in the past.
 */
@Test
public void u2fDevice_whichIsExpiredAndDeletable_MustBeRemoved() throws StringEncrypter.EncryptionException {
    final Client client = createClient();
    clientService.persist(client);

    // 1. register a device under the one-step (empty user inum) branch
    final String userInum = "";
    final String appId = "https://testapp.com";
    final String deviceId = String.valueOf(System.currentTimeMillis());

    final DeviceRegistration device = new DeviceRegistration();
    device.setStatus(DeviceRegistrationStatus.ACTIVE);
    device.setApplication(appId);
    device.setId(deviceId);
    device.setDn(deviceRegistrationService.getDnForU2fDevice(userInum, deviceId));
    deviceRegistrationService.addOneStepDeviceRegistration(device);

    // 2. the device is readable back
    assertNotNull(deviceRegistrationService.findUserDeviceRegistration(userInum, deviceId));

    // 3. a cleaner run with no expiration date set ...
    cleanerTimer.processImpl();
    cacheService.clear();

    // 4. ... leaves the device in place
    assertNotNull(deviceRegistrationService.findUserDeviceRegistration(userInum, deviceId));

    // expire the device ten minutes in the past
    final Calendar tenMinutesAgo = Calendar.getInstance();
    tenMinutesAgo.add(Calendar.MINUTE, -10);
    device.setExpirationDate(tenMinutesAgo.getTime());
    deviceRegistrationService.merge(device);

    // 5. a second cleaner run ...
    cleanerTimer.processImpl();
    cacheService.clear();

    // 6. ... removes it: the lookup must now fail with EntryPersistenceException
    boolean stillPresent = true;
    try {
        deviceRegistrationService.findUserDeviceRegistration(userInum, deviceId);
    } catch (EntryPersistenceException expected) {
        stillPresent = false;
    }
    if (stillPresent) {
        throw new AssertionError("No exception, expected EntryPersistenceException on find.");
    }
}
Use of org.gluu.oxauth.model.fido.u2f.DeviceRegistration in project oxAuth by GluuFederation.
Class AuthenticationService, method buildAuthenticateRequestMessage.
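/**
 * Builds a U2F authentication request message covering every non-compromised device the
 * user has registered for {@code appId}; all per-device requests share one freshly generated
 * challenge.
 *
 * @param appId    application id (facet) the authentication is for
 * @param userInum inum of the user whose devices are looked up
 * @return message holding one {@code AuthenticateRequest} per eligible device
 * @throws BadInputException         when application validation is enabled and {@code appId} is rejected
 * @throws NoEligableDevicesException when the user has no devices, or none that could be used
 */
public AuthenticateRequestMessage buildAuthenticateRequestMessage(String appId, String userInum) throws BadInputException, NoEligableDevicesException {
    if (applicationService.isValidateApplication()) {
        applicationService.checkIsValid(appId);
    }

    List<AuthenticateRequest> authenticateRequests = new ArrayList<>();
    byte[] challenge = challengeGenerator.generateChallenge();

    List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, appId);
    for (DeviceRegistration deviceRegistration : deviceRegistrations) {
        // Compromised devices are never offered for authentication
        if (deviceRegistration.isCompromised()) {
            continue;
        }
        try {
            authenticateRequests.add(startAuthentication(appId, deviceRegistration, challenge));
        } catch (DeviceCompromisedException ex) {
            // Skip this device but keep going; the caller only fails if no device remains
            log.error("Failed to authenticate device", ex);
        }
    }

    if (authenticateRequests.isEmpty()) {
        String reason = deviceRegistrations.isEmpty() ? "No devices registered" : "All devices compromised";
        throw new NoEligableDevicesException(deviceRegistrations, reason);
    }

    return new AuthenticateRequestMessage(authenticateRequests);
}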
Use of org.gluu.oxauth.model.fido.u2f.DeviceRegistration in project oxAuth by GluuFederation.
Class DeviceRegistrationService, method getExpiredDeviceRegistrations.
/**
 * Finds one-step U2F device registrations whose {@code creationDate} is at or before
 * {@code expirationDate}, searching the whole one-step subtree and handing results to
 * {@code batchOperation}.
 *
 * @param batchOperation   callback receiving each batch of matching entries
 * @param expirationDate   cutoff; entries created at or before it match
 * @param returnAttributes attributes to load for each entry
 * @param sizeLimit        maximum number of entries to return
 * @param chunkSize        number of entries fetched per batch
 * @return matching registrations as returned by the entry manager
 */
public List<DeviceRegistration> getExpiredDeviceRegistrations(BatchOperation<DeviceRegistration> batchOperation, Date expirationDate, String[] returnAttributes, int sizeLimit, int chunkSize) {
    final String baseDn = getDnForOneStepU2fDevice(null);
    // The cutoff must be encoded the way the backend stores timestamps under this DN
    final String encodedCutoff = ldapEntryManager.encodeTime(baseDn, expirationDate);
    final Filter createdAtOrBeforeCutoff = Filter.createLessOrEqualFilter("creationDate", encodedCutoff);
    return ldapEntryManager.findEntries(baseDn, DeviceRegistration.class, createdAtOrBeforeCutoff, SearchScope.SUB, returnAttributes, batchOperation, 0, sizeLimit, chunkSize);
}
Use of org.gluu.oxauth.model.fido.u2f.DeviceRegistration in project oxAuth by GluuFederation.
Class UserService, method countFidoRegisteredDevices.
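/**
 * Counts the user's FIDO device registrations with status {@code ACTIVE}, optionally
 * restricted to registrations whose application host equals {@code domain}.
 *
 * @param username user name resolved to an inum; unknown users count as zero devices
 * @param domain   host to match against each registration's application; empty or null means all
 * @return number of matching active registrations
 */
public long countFidoRegisteredDevices(String username, String domain) {
    String userInum = getUserInum(username);
    if (userInum == null) {
        return 0;
    }

    String baseDn = getBaseDnForFidoDevices(userInum);
    // Backends with branch support need the device branch to exist before it can be searched
    if (persistenceEntryManager.hasBranchesSupport(baseDn) && !persistenceEntryManager.contains(baseDn, SimpleBranch.class)) {
        return 0;
    }

    Filter activeFilter = Filter.createEqualityFilter("oxStatus", DeviceRegistrationStatus.ACTIVE.getValue());
    List<DeviceRegistration> fidoRegistrations = persistenceEntryManager.findEntries(baseDn, DeviceRegistration.class, activeFilter);

    if (StringUtils.isEmpty(domain)) {
        return fidoRegistrations.size();
    }

    // A sequential stream: the count is deterministic either way, and a per-request count
    // should not fan out onto the shared common ForkJoinPool
    return fidoRegistrations.stream()
            .filter(f -> StringHelper.equals(domain, networkService.getHost(f.getApplication())))
            .count();
}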