
Example 1 with SSOConsentDisabledException

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException in the wso2/carbon-identity-framework project.

From class ConsentMgtPostAuthnHandler, method handlePreConsent:

/**
 * Pre-consent step of the post-authentication consent flow: decides whether the authenticated
 * user has to be sent to the consent page for the service provider (SP) of the current
 * authentication context.
 *
 * @param request  Current HTTP request (not read by this method).
 * @param response HTTP response used to redirect the user to the consent page.
 * @param context  Authentication context carrying the application config and the authenticated user.
 * @return {@code SUCCESS_COMPLETED} when nothing has to be asked (default SP, consent management
 *         disabled for the SP, or every required claim is already consented to);
 *         {@code INCOMPLETE} after the user has been redirected to the consent page.
 * @throws PostAuthenticationFailedException If the consent service fails while building the consent data.
 */
protected PostAuthnHandlerFlowStatus handlePreConsent(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws PostAuthenticationFailedException {
    ApplicationConfig appConfig = context.getSequenceConfig().getApplicationConfig();
    String applicationName = appConfig.getApplicationName();
    Map<String, String> spClaimMappings = appConfig.getClaimMappings();
    // Temporary bypass: the default SP never triggers a consent prompt.
    // (Original note: should be removed once the underlying issue is fixed.)
    if (SP_NAME_DEFAULT.equalsIgnoreCase(applicationName)) {
        return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
    }
    AuthenticatedUser user = getAuthenticatedUser(context);
    ServiceProvider sp = getServiceProvider(context);
    try {
        ConsentClaimsData claimsData = getSSOConsentService().getConsentRequiredClaimsWithExistingConsents(sp, user);
        // NOTE(review): the debug messages below carry the subject identifier, i.e. personal data;
        // keep DEBUG off in production or make sure the log sink is treated accordingly.
        if (isDebugEnabled()) {
            logDebug(String.format("Retrieving required consent data of user: %s for service provider: %s in tenant domain: %s.", user.getAuthenticatedSubjectIdentifier(), sp.getApplicationName(), getSPTenantDomain(sp)));
        }
        removeClaimsWithoutConsent(context, claimsData);
        // Drop requested (optional) claims for which the user has no attribute value.
        claimsData.setRequestedClaims(removeConsentRequestedNullUserAttributes(claimsData.getRequestedClaims(), user.getUserAttributes(), spClaimMappings));
        if (!hasConsentForRequiredClaims(claimsData)) {
            String mandatoryClaims = buildConsentClaimString(claimsData.getMandatoryClaims());
            String requestedClaims = buildConsentClaimString(claimsData.getRequestedClaims());
            if (isDebugEnabled()) {
                logDebug(String.format("Require consent for mandatory claims: %s, requested claims: %s, from user: %s for service provider: %s in tenant domain: %s.", claimsData.getMandatoryClaims(), claimsData.getRequestedClaims(), user.getAuthenticatedSubjectIdentifier(), sp.getApplicationName(), getSPTenantDomain(sp)));
            }
            // Hand over to the consent page; the claim data is parked in the context so the
            // post-consent step can resolve the user's answer against it.
            redirectToConsentPage(response, context, requestedClaims, mandatoryClaims);
            setConsentPoppedUpState(context);
            context.addParameter(CONSENT_CLAIM_META_DATA, claimsData);
            return PostAuthnHandlerFlowStatus.INCOMPLETE;
        }
        if (isDebugEnabled()) {
            logDebug(String.format("Required consent data is empty for user: %s for service provider: %s in tenant domain: %s. Post authentication completed.", user.getAuthenticatedSubjectIdentifier(), sp.getApplicationName(), getSPTenantDomain(sp)));
        }
        return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
    } catch (SSOConsentDisabledException disabled) {
        // Consent management is switched off for this SP: there is nothing to ask, continue the flow.
        return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
    } catch (SSOConsentServiceException e) {
        String detail = String.format("Error occurred while retrieving consent data of user: %s for service provider: %s in tenant domain: %s.", user.getAuthenticatedSubjectIdentifier(), sp.getApplicationName(), getSPTenantDomain(sp));
        throw new PostAuthenticationFailedException("Authentication failed. Error occurred while processing user consent.", detail, e);
    }
}

Example 2 with SSOConsentDisabledException

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException in the wso2/carbon-identity-framework project.

From class SSOConsentServiceImpl, method getClaimsWithConsents:

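/**
 * Retrieves the claims for which the user has already given consent to the given service
 * provider, as recorded in the user's consent receipt.
 *
 * @param serviceProvider   Service provider the consent was given to. Must not be null.
 * @param authenticatedUser Authenticated user whose consent receipt is looked up.
 * @return Claims the user has consented to share with the service provider; an empty list when
 *         no receipt exists for the user and service provider.
 * @throws SSOConsentDisabledException If consent management is disabled for the service provider.
 * @throws SSOConsentServiceException  If the service provider is null or the receipt lookup fails.
 */
@Override
public List<ClaimMetaData> getClaimsWithConsents(ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser) throws SSOConsentServiceException {
    // Validate the argument before it is handed to any helper. Previously this guard sat after
    // isSSOConsentManagementEnabled(serviceProvider) and could only fire if that helper tolerated null.
    if (serviceProvider == null) {
        throw new SSOConsentServiceException("Service provider cannot be null.");
    }
    if (!isSSOConsentManagementEnabled(serviceProvider)) {
        String message = "Consent management for SSO is disabled.";
        throw new SSOConsentDisabledException(message, message);
    }
    String spName = serviceProvider.getApplicationName();
    String spTenantDomain = getSPTenantDomain(serviceProvider);
    String subject = buildSubjectWithUserStoreDomain(authenticatedUser);
    Receipt receipt = getConsentReceiptOfUser(serviceProvider, authenticatedUser, spName, spTenantDomain, subject);
    if (receipt == null) {
        // No receipt recorded for this subject and SP: nothing has been consented to yet.
        return new ArrayList<>();
    }
    return getRequestedClaimsFromReceipt(receipt, true);
}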

Example 3 with SSOConsentDisabledException

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException in the wso2/carbon-identity-framework project.

From class SSOConsentServiceImpl, method processConsent:

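/**
 * Persists the user's consent decision for the given service provider as a consent receipt.
 * <p>
 * The approved claim ids come from the consent form submission; they are resolved against
 * {@code consentClaimsData} (the claims that were actually presented) by
 * {@code processUserConsent}, so the client cannot name arbitrary claims — verify that helper
 * keeps it that way.
 *
 * @param consentApprovedClaimIds Ids, from the consent form, of the claims the user approved.
 * @param serviceProvider         Service provider the consent is given to. Must not be null.
 * @param authenticatedUser       User who gave the consent.
 * @param consentClaimsData       Claims that were presented on the consent page.
 * @param overrideExistingConsent {@code true} to store exactly this decision; {@code false} to
 *                                combine it with the user's existing receipt for the SP.
 * @throws SSOConsentDisabledException If consent management is disabled for the service provider.
 * @throws SSOConsentServiceException  If the service provider is null or the receipt cannot be stored.
 */
@Override
public void processConsent(List<Integer> consentApprovedClaimIds, ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser, ConsentClaimsData consentClaimsData, boolean overrideExistingConsent) throws SSOConsentServiceException {
    // Same guard as the sibling consent methods; previously a null SP reached the helpers unchecked.
    if (serviceProvider == null) {
        throw new SSOConsentServiceException("Service provider cannot be null.");
    }
    if (!isSSOConsentManagementEnabled(serviceProvider)) {
        String message = "Consent management for SSO is disabled.";
        throw new SSOConsentDisabledException(message, message);
    }
    if (isDebugEnabled()) {
        logDebug("User: " + authenticatedUser.getAuthenticatedSubjectIdentifier() + " has approved consent.");
    }
    UserConsent userConsent = processUserConsent(consentApprovedClaimIds, consentClaimsData);
    if (isEmpty(userConsent.getApprovedClaims()) && isEmpty(userConsent.getDisapprovedClaims())) {
        // Nothing new was decided; do not touch the stored receipt.
        if (isDebugEnabled()) {
            logDebug("User: " + authenticatedUser.getAuthenticatedSubjectIdentifier() + " has not provided new " + "approved/disapproved consent. Hence skipping the consent progress.");
        }
        return;
    }
    String subject = buildSubjectWithUserStoreDomain(authenticatedUser);
    String spTenantDomain = getSPTenantDomain(serviceProvider);
    List<ClaimMetaData> claimsWithConsent;
    List<ClaimMetaData> claimsDeniedConsent;
    if (overrideExistingConsent) {
        claimsWithConsent = userConsent.getApprovedClaims();
        claimsDeniedConsent = userConsent.getDisapprovedClaims();
    } else {
        // Fold the new answers into the user's existing receipt (see getUserRequestedClaims).
        Receipt receipt = getConsentReceiptOfUser(serviceProvider, authenticatedUser, serviceProvider.getApplicationName(), spTenantDomain, subject);
        claimsWithConsent = getUserRequestedClaims(receipt, userConsent, true);
        claimsDeniedConsent = getUserRequestedClaims(receipt, userConsent, false);
    }
    if (isNotEmpty(claimsWithConsent) || isNotEmpty(claimsDeniedConsent)) {
        addReceipt(subject, authenticatedUser.getTenantDomain(), serviceProvider, spTenantDomain, claimsWithConsent, claimsDeniedConsent);
    }
}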

Example 4 with SSOConsentDisabledException

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException in the wso2/carbon-identity-framework project.

From class ConsentMgtPostAuthnHandler, method handlePostConsent:

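/**
 * Post-consent step: handles the user's answer submitted from the consent page.
 * <p>
 * Only an explicit approval ({@code USER_CONSENT_INPUT} equal to {@code USER_CONSENT_APPROVE},
 * case-insensitive) lets authentication continue. Any other value — including a missing
 * parameter — is treated as denial and fails the authentication. The original code called
 * {@code equalsIgnoreCase} on the raw parameter and threw a NullPointerException when the
 * parameter was absent, instead of a controlled {@link PostAuthenticationFailedException}.
 *
 * @param request  HTTP request carrying the consent form input.
 * @param response HTTP response (not written by this method).
 * @param context  Authentication context holding the authenticated user and application config.
 * @return {@code SUCCESS_COMPLETED} once the approved consent has been recorded.
 * @throws PostAuthenticationFailedException If the user denied consent, consent management turns
 *                                           out to be disabled, or the consent service fails.
 */
protected PostAuthnHandlerFlowStatus handlePostConsent(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws PostAuthenticationFailedException {
    AuthenticatedUser authenticatedUser = getAuthenticatedUser(context);
    ApplicationConfig applicationConfig = context.getSequenceConfig().getApplicationConfig();
    Map<String, String> claimMappings = applicationConfig.getClaimMappings();
    ServiceProvider serviceProvider = getServiceProvider(context);
    // Constant-first comparison is null-safe: a missing parameter fails closed as a denial.
    String consentInput = request.getParameter(USER_CONSENT_INPUT);
    if (!USER_CONSENT_APPROVE.equalsIgnoreCase(consentInput)) {
        String error = String.format("Authentication failed. User denied consent to share information with %s.", applicationConfig.getApplicationName());
        if (isDebugEnabled()) {
            logDebug(String.format("User: %s denied consent to share information with the service " + "provider: %s.", authenticatedUser.getAuthenticatedSubjectIdentifier(), applicationConfig.getApplicationName()));
        }
        throw new PostAuthenticationFailedException(error, error);
    }
    if (isDebugEnabled()) {
        String message = "User: %s has approved consent for service provider: %s in tenant domain %s.";
        message = String.format(message, authenticatedUser.getAuthenticatedSubjectIdentifier(), serviceProvider.getApplicationName(), getSPTenantDomain(serviceProvider));
        logDebug(message);
    }
    UserConsent userConsent = processUserConsent(request, context);
    ConsentClaimsData consentClaimsData = getConsentClaimsData(context, authenticatedUser, serviceProvider);
    // Remove the claims which dont have values given by the user.
    consentClaimsData.setRequestedClaims(removeConsentRequestedNullUserAttributes(consentClaimsData.getRequestedClaims(), authenticatedUser.getUserAttributes(), claimMappings));
    try {
        List<Integer> claimIdsWithConsent = getClaimIdsWithConsent(userConsent);
        getSSOConsentService().processConsent(claimIdsWithConsent, serviceProvider, authenticatedUser, consentClaimsData);
        // Claims the user did not approve must not be released to the SP.
        removeDisapprovedClaims(context, authenticatedUser);
    } catch (SSOConsentDisabledException e) {
        // Reaching the post-consent step with consent disabled means the flow was tampered with or
        // misconfigured; fail rather than silently continue.
        String error = "Authentication Failure: Consent management is disabled for SSO.";
        String errorDesc = "Illegal operation. Consent management is disabled, but post authentication for " + "sso consent management is invoked.";
        throw new PostAuthenticationFailedException(error, errorDesc, e);
    } catch (SSOConsentServiceException e) {
        String error = "Error occurred while processing consent input of user: %s, for service provider: %s " + "in tenant domain: %s.";
        error = String.format(error, authenticatedUser.getAuthenticatedSubjectIdentifier(), serviceProvider.getApplicationName(), getSPTenantDomain(serviceProvider));
        throw new PostAuthenticationFailedException("Authentication failed. Error while processing user " + "consent input.", error, e);
    }
    return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
}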

Example 5 with SSOConsentDisabledException

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException in the wso2/carbon-identity-framework project.

From class SSOConsentServiceImpl, method getConsentRequiredClaims:

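/**
 * Get consent required claims for a given service from a user.
 * <p>
 * Builds the lists of mandatory and requested (optional) local claim URIs from the service
 * provider's claim mappings, optionally narrowed to the claims of the requested scopes. When
 * {@code useExistingConsents} is set and a consent receipt exists, claims the user has already
 * consented to are removed from both lists and claims the user has already denied are removed
 * from the requested list only — a previously denied mandatory claim is asked for again.
 *
 * @param serviceProvider     Service provider requesting consent. Must not be null.
 * @param authenticatedUser   Authenticated user requesting consent form.
 * @param useExistingConsents Use existing consent given by the user.
 * @param claimsListOfScopes  Claims list of requested scopes; {@code null} disables scope filtering.
 * @return ConsentClaimsData which contains mandatory and required claims for consent, plus the
 *         claims already consented to (empty when the receipt is not used or does not exist).
 * @throws SSOConsentDisabledException If consent management is disabled for the service provider.
 * @throws SSOConsentServiceException  If the service provider is null or an error occurs while
 *                                     building claim information.
 */
protected ConsentClaimsData getConsentRequiredClaims(ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser, boolean useExistingConsents, List<String> claimsListOfScopes) throws SSOConsentServiceException {
    // Reject a null service provider before it reaches any helper. The original guard sat after
    // isSSOConsentManagementEnabled(serviceProvider) and could only fire if that helper tolerated null.
    if (serviceProvider == null) {
        throw new SSOConsentServiceException("Service provider cannot be null.");
    }
    if (!isSSOConsentManagementEnabled(serviceProvider)) {
        String message = "Consent management for SSO is disabled.";
        throw new SSOConsentDisabledException(message, message);
    }
    String spName = serviceProvider.getApplicationName();
    String spTenantDomain = getSPTenantDomain(serviceProvider);
    String subject = buildSubjectWithUserStoreDomain(authenticatedUser);
    ClaimMapping[] claimMappings = getSpClaimMappings(serviceProvider);
    if (claimMappings == null || claimMappings.length == 0) {
        if (log.isDebugEnabled()) {
            log.debug("No claim mapping configured from the application. Hence skipping getting consent.");
        }
        return new ConsentClaimsData();
    }
    if (claimsListOfScopes != null) {
        try {
            claimMappings = FrameworkUtils.getFilteredScopeClaims(claimsListOfScopes, Arrays.asList(claimMappings), serviceProvider.getOwner().getTenantDomain()).toArray(new ClaimMapping[0]);
        } catch (ClaimManagementException e) {
            // NOTE(review): the cause is not chained here; pass `e` along if
            // SSOConsentServiceException offers a (String, Throwable) constructor.
            throw new SSOConsentServiceException("Error occurred while filtering claims of requested scopes");
        }
    }
    List<String> requestedClaims = new ArrayList<>();
    List<String> mandatoryClaims = new ArrayList<>();
    Map<ClaimMapping, String> userAttributes = authenticatedUser.getUserAttributes();
    String subjectClaimUri = getSubjectClaimUri(serviceProvider);
    boolean subjectClaimUriRequested = false;
    boolean subjectClaimUriMandatory = false;
    // Whether consent is prompted for the subject claim itself: defaults to true, overridable by
    // configuration. The property is read once instead of twice.
    boolean promptSubjectClaimRequestedConsent = true;
    String promptSubjectClaimConfig = IdentityUtil.getProperty(CONFIG_PROMPT_SUBJECT_CLAIM_REQUESTED_CONSENT);
    if (StringUtils.isNotBlank(promptSubjectClaimConfig)) {
        promptSubjectClaimRequestedConsent = Boolean.parseBoolean(promptSubjectClaimConfig);
    }
    if (isPassThroughScenario(claimMappings, userAttributes)) {
        // Pass-through: every user attribute except the subject claim and the multi-attribute
        // separator entry becomes a mandatory claim, keyed by its remote claim URI.
        for (Map.Entry<ClaimMapping, String> userAttribute : userAttributes.entrySet()) {
            String remoteClaimUri = userAttribute.getKey().getRemoteClaim().getClaimUri();
            if (subjectClaimUri.equals(remoteClaimUri) || IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR.equals(remoteClaimUri)) {
                continue;
            }
            mandatoryClaims.add(remoteClaimUri);
        }
    } else {
        boolean isCustomClaimMapping = isCustomClaimMapping(serviceProvider);
        for (ClaimMapping claimMapping : claimMappings) {
            if (isCustomClaimMapping) {
                // With custom mappings the configured subject claim is a remote URI; switch it to
                // the local URI, which is what the claim lists below are built from.
                if (subjectClaimUri.equals(claimMapping.getRemoteClaim().getClaimUri())) {
                    subjectClaimUri = claimMapping.getLocalClaim().getClaimUri();
                    if (promptSubjectClaimRequestedConsent) {
                        if (claimMapping.isMandatory()) {
                            subjectClaimUriMandatory = true;
                        } else if (claimMapping.isRequested()) {
                            subjectClaimUriRequested = true;
                        }
                    }
                    continue;
                }
            } else {
                if (subjectClaimUri.equals(claimMapping.getLocalClaim().getClaimUri())) {
                    if (promptSubjectClaimRequestedConsent) {
                        if (claimMapping.isMandatory()) {
                            subjectClaimUriMandatory = true;
                        } else if (claimMapping.isRequested()) {
                            subjectClaimUriRequested = true;
                        }
                    }
                    continue;
                }
            }
            if (claimMapping.isMandatory()) {
                mandatoryClaims.add(claimMapping.getLocalClaim().getClaimUri());
            } else if (claimMapping.isRequested()) {
                requestedClaims.add(claimMapping.getLocalClaim().getClaimUri());
            }
        }
    }
    // The subject claim, skipped in the loops above, is appended last.
    if (promptSubjectClaimRequestedConsent) {
        if (subjectClaimUriMandatory) {
            mandatoryClaims.add(subjectClaimUri);
        } else if (subjectClaimUriRequested) {
            requestedClaims.add(subjectClaimUri);
        }
    }
    List<ClaimMetaData> receiptConsentMetaData = new ArrayList<>();
    List<ClaimMetaData> receiptConsentDeniedMetaData;
    Receipt receipt = getConsentReceiptOfUser(serviceProvider, authenticatedUser, spName, spTenantDomain, subject);
    if (useExistingConsents && receipt != null) {
        receiptConsentMetaData = getRequestedClaimsFromReceipt(receipt, true);
        List<String> claimsWithConsent = getClaimsFromConsentMetaData(receiptConsentMetaData);
        receiptConsentDeniedMetaData = getRequestedClaimsFromReceipt(receipt, false);
        List<String> claimsDeniedConsent = getClaimsFromConsentMetaData(receiptConsentDeniedMetaData);
        // Already-consented claims are not asked again. Denied claims are dropped only from the
        // optional list, so a denied mandatory claim is re-prompted.
        mandatoryClaims.removeAll(claimsWithConsent);
        requestedClaims.removeAll(claimsWithConsent);
        requestedClaims.removeAll(claimsDeniedConsent);
    }
    ConsentClaimsData consentClaimsData = getConsentRequiredClaimData(mandatoryClaims, requestedClaims, spTenantDomain);
    consentClaimsData.setClaimsWithConsent(receiptConsentMetaData);
    return consentClaimsData;
}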
