Search in sources :

Example 26 with UsernamePasswordCredentials

use of org.pac4j.core.credentials.UsernamePasswordCredentials in project cas by apereo.

the class OAuth20IntrospectionEndpointController method handlePostRequest.

/**
 * Handle post request.
 *
 * @param request  the request
 * @param response the response
 * @return the response entity
 */
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, produces = MediaType.APPLICATION_JSON_VALUE, value = '/' + OAuth20Constants.BASE_OAUTH20_URL + '/' + OAuth20Constants.INTROSPECTION_URL)
public ResponseEntity<OAuth20IntrospectionAccessTokenResponse> handlePostRequest(final HttpServletRequest request, final HttpServletResponse response) {
    ResponseEntity<OAuth20IntrospectionAccessTokenResponse> result;
    try {
        val authExtractor = new BasicAuthExtractor();
        val context = new JEEContext(request, response);
        val credentialsResult = authExtractor.extract(context, getConfigurationContext().getSessionStore());
        if (credentialsResult.isEmpty()) {
            LOGGER.warn("Unable to locate and extract credentials from the request");
            return buildUnauthorizedResponseEntity(OAuth20Constants.INVALID_CLIENT, true);
        }
        val credentials = (UsernamePasswordCredentials) credentialsResult.get();
        val service = OAuth20Utils.getRegisteredOAuthServiceByClientId(getConfigurationContext().getServicesManager(), credentials.getUsername());
        if (service == null) {
            LOGGER.warn("Unable to locate service definition by client id [{}]", credentials.getUsername());
            return buildUnauthorizedResponseEntity(OAuth20Constants.INVALID_CLIENT, true);
        }
        val validationError = validateIntrospectionRequest(service, credentials, request);
        if (validationError.isPresent()) {
            result = validationError.get();
        } else {
            val accessToken = StringUtils.defaultIfBlank(request.getParameter(OAuth20Constants.TOKEN), request.getParameter(OAuth20Constants.ACCESS_TOKEN));
            LOGGER.debug("Located access token [{}] in the request", accessToken);
            var ticket = (OAuth20AccessToken) null;
            try {
                val token = extractAccessTokenFrom(accessToken);
                ticket = getConfigurationContext().getCentralAuthenticationService().getTicket(token, OAuth20AccessToken.class);
            } catch (final InvalidTicketException e) {
                LOGGER.trace(e.getMessage(), e);
                LOGGER.info("Unable to fetch access token [{}]: [{}]", accessToken, e.getMessage());
            }
            val introspect = createIntrospectionValidResponse(ticket);
            result = new ResponseEntity<>(introspect, HttpStatus.OK);
        }
    } catch (final Exception e) {
        LoggingUtils.error(LOGGER, e);
        result = new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR);
    }
    return result;
}
Also used : lombok.val(lombok.val) OAuth20AccessToken(org.apereo.cas.ticket.accesstoken.OAuth20AccessToken) BasicAuthExtractor(org.pac4j.core.credentials.extractor.BasicAuthExtractor) ResponseEntity(org.springframework.http.ResponseEntity) OAuth20IntrospectionAccessTokenResponse(org.apereo.cas.support.oauth.web.response.introspection.OAuth20IntrospectionAccessTokenResponse) InvalidTicketException(org.apereo.cas.ticket.InvalidTicketException) JEEContext(org.pac4j.core.context.JEEContext) InvalidTicketException(org.apereo.cas.ticket.InvalidTicketException) UsernamePasswordCredentials(org.pac4j.core.credentials.UsernamePasswordCredentials) PostMapping(org.springframework.web.bind.annotation.PostMapping)

Example 27 with UsernamePasswordCredentials

use of org.pac4j.core.credentials.UsernamePasswordCredentials in project cas by apereo.

the class BasicAuthenticationAction method constructCredentialsFromRequest.

@Override
protected Credential constructCredentialsFromRequest(final RequestContext requestContext) {
    try {
        val request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        val response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
        val extractor = new BasicAuthExtractor();
        val webContext = new JEEContext(request, response);
        val credentialsResult = extractor.extract(webContext, JEESessionStore.INSTANCE);
        if (credentialsResult.isPresent()) {
            val credentials = (UsernamePasswordCredentials) credentialsResult.get();
            LOGGER.debug("Received basic authentication request from credentials [{}]", credentials);
            return new UsernamePasswordCredential(credentials.getUsername(), credentials.getPassword());
        }
    } catch (final Exception e) {
        LoggingUtils.warn(LOGGER, e);
    }
    return null;
}
Also used : lombok.val(lombok.val) BasicAuthExtractor(org.pac4j.core.credentials.extractor.BasicAuthExtractor) JEEContext(org.pac4j.core.context.JEEContext) UsernamePasswordCredential(org.apereo.cas.authentication.credential.UsernamePasswordCredential) UsernamePasswordCredentials(org.pac4j.core.credentials.UsernamePasswordCredentials)

Example 28 with UsernamePasswordCredentials

use of org.pac4j.core.credentials.UsernamePasswordCredentials in project cas by apereo.

the class OAuth20ProofKeyCodeExchangeAuthenticatorTests method verifyAuthenticationPlainWithSecretTransmittedByBasicAuthn.

@Test
public void verifyAuthenticationPlainWithSecretTransmittedByBasicAuthn() throws Exception {
    val credentials = new UsernamePasswordCredentials("client", "secret");
    val request = new MockHttpServletRequest();
    ticketRegistry.addTicket(new OAuth20DefaultCode("CODE-1234567890", RegisteredServiceTestUtils.getService(), RegisteredServiceTestUtils.getAuthentication(), new HardTimeoutExpirationPolicy(10), new MockTicketGrantingTicket("casuser"), new ArrayList<>(), "ABCD123", "plain", "clientid12345", new HashMap<>(), OAuth20ResponseTypes.CODE, OAuth20GrantTypes.AUTHORIZATION_CODE));
    request.addHeader("Authorization", "Basic " + EncodingUtils.encodeBase64("client:secret"));
    request.addParameter(OAuth20Constants.CODE_VERIFIER, "ABCD123");
    request.addParameter(OAuth20Constants.CODE, "CODE-1234567890");
    val ctx = new JEEContext(request, new MockHttpServletResponse());
    authenticator.validate(credentials, ctx, JEESessionStore.INSTANCE);
    assertNotNull(credentials.getUserProfile());
    assertEquals("client", credentials.getUserProfile().getId());
}
Also used : lombok.val(lombok.val) MockTicketGrantingTicket(org.apereo.cas.mock.MockTicketGrantingTicket) HashMap(java.util.HashMap) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) HardTimeoutExpirationPolicy(org.apereo.cas.ticket.expiration.HardTimeoutExpirationPolicy) ArrayList(java.util.ArrayList) JEEContext(org.pac4j.core.context.JEEContext) OAuth20DefaultCode(org.apereo.cas.ticket.code.OAuth20DefaultCode) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) UsernamePasswordCredentials(org.pac4j.core.credentials.UsernamePasswordCredentials) Test(org.junit.jupiter.api.Test)

Example 29 with UsernamePasswordCredentials

use of org.pac4j.core.credentials.UsernamePasswordCredentials in project cas by apereo.

the class OAuth20ProofKeyCodeExchangeAuthenticatorTests method verifyAuthenticationHashedWithoutSecret.

@Test
public void verifyAuthenticationHashedWithoutSecret() throws Exception {
    val hash = EncodingUtils.encodeUrlSafeBase64(DigestUtils.rawDigestSha256("ABCD123"));
    val credentials = new UsernamePasswordCredentials("clientWithoutSecret", "ABCD123");
    val request = new MockHttpServletRequest();
    val ticket = new OAuth20DefaultCode("CODE-1234567890", RegisteredServiceTestUtils.getService(), RegisteredServiceTestUtils.getAuthentication(), new HardTimeoutExpirationPolicy(10), new MockTicketGrantingTicket("casuser"), new ArrayList<>(), hash, "s256", "clientid12345", new HashMap<>(), OAuth20ResponseTypes.CODE, OAuth20GrantTypes.AUTHORIZATION_CODE);
    ticketRegistry.addTicket(ticket);
    request.addParameter(OAuth20Constants.CLIENT_ID, "clientWithoutSecret");
    request.addParameter(OAuth20Constants.CODE_VERIFIER, "ABCD123");
    request.addParameter(OAuth20Constants.CODE, ticket.getId());
    val ctx = new JEEContext(request, new MockHttpServletResponse());
    authenticator.validate(credentials, ctx, JEESessionStore.INSTANCE);
    assertNotNull(credentials.getUserProfile());
    assertEquals("clientWithoutSecret", credentials.getUserProfile().getId());
}
Also used : lombok.val(lombok.val) MockTicketGrantingTicket(org.apereo.cas.mock.MockTicketGrantingTicket) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) HardTimeoutExpirationPolicy(org.apereo.cas.ticket.expiration.HardTimeoutExpirationPolicy) JEEContext(org.pac4j.core.context.JEEContext) OAuth20DefaultCode(org.apereo.cas.ticket.code.OAuth20DefaultCode) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) UsernamePasswordCredentials(org.pac4j.core.credentials.UsernamePasswordCredentials) Test(org.junit.jupiter.api.Test)

Example 30 with UsernamePasswordCredentials

use of org.pac4j.core.credentials.UsernamePasswordCredentials in project cas by apereo.

the class OAuth20ProofKeyCodeExchangeAuthenticatorTests method verifyAuthenticationNotHashedCorrectly.

@Test
public void verifyAuthenticationNotHashedCorrectly() throws Exception {
    val credentials = new UsernamePasswordCredentials("client", "ABCD123");
    val request = new MockHttpServletRequest();
    val ticket = new OAuth20DefaultCode("CODE-1234567890", RegisteredServiceTestUtils.getService(), RegisteredServiceTestUtils.getAuthentication(), new HardTimeoutExpirationPolicy(10), new MockTicketGrantingTicket("casuser"), new ArrayList<>(), "something-else", "s256", "clientid12345", new HashMap<>(), OAuth20ResponseTypes.CODE, OAuth20GrantTypes.AUTHORIZATION_CODE);
    ticketRegistry.addTicket(ticket);
    request.addParameter(OAuth20Constants.CLIENT_ID, "client");
    request.addParameter(OAuth20Constants.CODE_VERIFIER, "ABCD123");
    request.addParameter(OAuth20Constants.CLIENT_SECRET, "secret");
    request.addParameter(OAuth20Constants.CODE, ticket.getId());
    val ctx = new JEEContext(request, new MockHttpServletResponse());
    assertThrows(CredentialsException.class, () -> authenticator.validate(credentials, ctx, JEESessionStore.INSTANCE));
}
Also used : lombok.val(lombok.val) MockTicketGrantingTicket(org.apereo.cas.mock.MockTicketGrantingTicket) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) HardTimeoutExpirationPolicy(org.apereo.cas.ticket.expiration.HardTimeoutExpirationPolicy) JEEContext(org.pac4j.core.context.JEEContext) OAuth20DefaultCode(org.apereo.cas.ticket.code.OAuth20DefaultCode) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) UsernamePasswordCredentials(org.pac4j.core.credentials.UsernamePasswordCredentials) Test(org.junit.jupiter.api.Test)

Aggregations

UsernamePasswordCredentials (org.pac4j.core.credentials.UsernamePasswordCredentials)80 lombok.val (lombok.val)34 JEEContext (org.pac4j.core.context.JEEContext)24 CommonProfile (org.pac4j.core.profile.CommonProfile)22 Test (org.junit.Test)21 Test (org.junit.jupiter.api.Test)21 MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)20 MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse)20 MockTicketGrantingTicket (org.apereo.cas.mock.MockTicketGrantingTicket)10 BasicAuthExtractor (org.pac4j.core.credentials.extractor.BasicAuthExtractor)9 OAuth20DefaultCode (org.apereo.cas.ticket.code.OAuth20DefaultCode)8 HardTimeoutExpirationPolicy (org.apereo.cas.ticket.expiration.HardTimeoutExpirationPolicy)8 HashMap (java.util.HashMap)7 SimpleTestUsernamePasswordAuthenticator (org.pac4j.http.credentials.authenticator.test.SimpleTestUsernamePasswordAuthenticator)6 Map (java.util.Map)5 MockWebContext (org.pac4j.core.context.MockWebContext)5 UsernamePasswordCredential (org.apereo.cas.authentication.credential.UsernamePasswordCredential)4 CredentialsException (org.pac4j.core.exception.CredentialsException)4 ArrayList (java.util.ArrayList)3 WebContext (org.pac4j.core.context.WebContext)3