Search in sources :

Example 1 with DeviceCompromisedException

use of org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException in project oxAuth by GluuFederation.

the class U2fAuthenticationWS method finishAuthentication.

@POST
@Produces({ "application/json" })
public Response finishAuthentication(@FormParam("username") String userName, @FormParam("tokenResponse") String authenticateResponseString) {
    String sessionState = null;
    try {
        log.debug("Finishing authentication for username '{}' with response '{}'", userName, authenticateResponseString);
        AuthenticateResponse authenticateResponse = ServerUtil.jsonMapperWithWrapRoot().readValue(authenticateResponseString, AuthenticateResponse.class);
        String requestId = authenticateResponse.getRequestId();
        AuthenticateRequestMessageLdap authenticateRequestMessageLdap = u2fAuthenticationService.getAuthenticationRequestMessageByRequestId(requestId);
        if (authenticateRequestMessageLdap == null) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SESSION_EXPIRED)).build());
        }
        sessionState = authenticateRequestMessageLdap.getSessionState();
        u2fAuthenticationService.removeAuthenticationRequestMessage(authenticateRequestMessageLdap);
        AuthenticateRequestMessage authenticateRequestMessage = authenticateRequestMessageLdap.getAuthenticateRequestMessage();
        String foundUserInum = authenticateRequestMessageLdap.getUserInum();
        DeviceRegistrationResult deviceRegistrationResult = u2fAuthenticationService.finishAuthentication(authenticateRequestMessage, authenticateResponse, foundUserInum);
        // If sessionState is not empty update session
        if (StringHelper.isNotEmpty(sessionState)) {
            log.debug("There is session state. Setting session state attributes");
            boolean oneStep = StringHelper.isEmpty(userName);
            userSessionStateService.updateUserSessionStateOnFinishRequest(sessionState, foundUserInum, deviceRegistrationResult, false, oneStep);
        }
        AuthenticateStatus authenticationStatus = new AuthenticateStatus(Constants.RESULT_SUCCESS, requestId);
        // convert manually to avoid possible conflict between resteasy
        // providers, e.g. jettison, jackson
        final String entity = ServerUtil.asJson(authenticationStatus);
        return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
    } catch (Exception ex) {
        log.error("Exception happened", ex);
        if (ex instanceof WebApplicationException) {
            throw (WebApplicationException) ex;
        }
        try {
            // If sessionState is not empty update session
            if (StringHelper.isNotEmpty(sessionState)) {
                log.debug("There is session state. Setting session state status to 'declined'");
                userSessionStateService.updateUserSessionStateOnError(sessionState);
            }
        } catch (Exception ex2) {
            log.error("Failed to update session state status", ex2);
        }
        if (ex instanceof BadInputException) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.INVALID_REQUEST)).build());
        }
        if (ex instanceof DeviceCompromisedException) {
            DeviceRegistration deviceRegistration = ((DeviceCompromisedException) ex).getDeviceRegistration();
            try {
                deviceRegistrationService.disableUserDeviceRegistration(deviceRegistration);
            } catch (Exception ex2) {
                log.error("Failed to mark device '{}' as compomised", ex2, deviceRegistration.getId());
            }
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.DEVICE_COMPROMISED)).build());
        }
        throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
    }
}
Also used : AuthenticateStatus(org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateStatus) AuthenticateResponse(org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateResponse) AuthenticateRequestMessageLdap(org.xdi.oxauth.model.fido.u2f.AuthenticateRequestMessageLdap) AuthenticateRequestMessage(org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage) BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException) WebApplicationException(javax.ws.rs.WebApplicationException) DeviceRegistration(org.xdi.oxauth.model.fido.u2f.DeviceRegistration) DeviceRegistrationResult(org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult) DeviceCompromisedException(org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException) DeviceCompromisedException(org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException) NoEligableDevicesException(org.xdi.oxauth.exception.fido.u2f.NoEligableDevicesException) InvalidKeyHandleDeviceException(org.xdi.oxauth.exception.fido.u2f.InvalidKeyHandleDeviceException) BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException) WebApplicationException(javax.ws.rs.WebApplicationException) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces)

Example 2 with DeviceCompromisedException

use of org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException in project oxAuth by GluuFederation.

the class AuthenticationService method buildAuthenticateRequestMessage.

public AuthenticateRequestMessage buildAuthenticateRequestMessage(String appId, String userInum) throws BadInputException, NoEligableDevicesException {
    if (applicationService.isValidateApplication()) {
        applicationService.checkIsValid(appId);
    }
    List<AuthenticateRequest> authenticateRequests = new ArrayList<AuthenticateRequest>();
    byte[] challenge = challengeGenerator.generateChallenge();
    List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, appId);
    for (DeviceRegistration deviceRegistration : deviceRegistrations) {
        if (!deviceRegistration.isCompromised()) {
            AuthenticateRequest request;
            try {
                request = startAuthentication(appId, deviceRegistration, challenge);
                authenticateRequests.add(request);
            } catch (DeviceCompromisedException ex) {
                log.error("Faield to authenticate device", ex);
            }
        }
    }
    if (authenticateRequests.isEmpty()) {
        if (deviceRegistrations.isEmpty()) {
            throw new NoEligableDevicesException(deviceRegistrations, "No devices registrered");
        } else {
            throw new NoEligableDevicesException(deviceRegistrations, "All devices compromised");
        }
    }
    return new AuthenticateRequestMessage(authenticateRequests);
}
Also used : AuthenticateRequest(org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequest) AuthenticateRequestMessage(org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage) NoEligableDevicesException(org.xdi.oxauth.exception.fido.u2f.NoEligableDevicesException) ArrayList(java.util.ArrayList) DeviceRegistration(org.xdi.oxauth.model.fido.u2f.DeviceRegistration) DeviceCompromisedException(org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException)

Example 3 with DeviceCompromisedException

use of org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException in project oxAuth by GluuFederation.

the class AuthenticationService method finishAuthentication.

public DeviceRegistrationResult finishAuthentication(AuthenticateRequestMessage requestMessage, AuthenticateResponse response, String userInum, Set<String> facets) throws BadInputException, DeviceCompromisedException {
    List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, requestMessage.getAppId());
    final AuthenticateRequest request = getAuthenticateRequest(requestMessage, response);
    DeviceRegistration usedDeviceRegistration = null;
    for (DeviceRegistration deviceRegistration : deviceRegistrations) {
        if (StringHelper.equals(request.getKeyHandle(), deviceRegistration.getKeyHandle())) {
            usedDeviceRegistration = deviceRegistration;
            break;
        }
    }
    if (usedDeviceRegistration == null) {
        throw new BadInputException("Failed to find DeviceRegistration for the given AuthenticateRequest");
    }
    if (usedDeviceRegistration.isCompromised()) {
        throw new DeviceCompromisedException(usedDeviceRegistration, "The device is marked as possibly compromised, and cannot be authenticated");
    }
    ClientData clientData = response.getClientData();
    clientDataValidationService.checkContent(clientData, RawAuthenticationService.SUPPORTED_AUTHENTICATE_TYPES, request.getChallenge(), facets);
    RawAuthenticateResponse rawAuthenticateResponse = rawAuthenticationService.parseRawAuthenticateResponse(response.getSignatureData());
    rawAuthenticationService.checkSignature(request.getAppId(), clientData, rawAuthenticateResponse, Base64Util.base64urldecode(usedDeviceRegistration.getDeviceRegistrationConfiguration().getPublicKey()));
    rawAuthenticateResponse.checkUserPresence();
    usedDeviceRegistration.checkAndUpdateCounter(rawAuthenticateResponse.getCounter());
    usedDeviceRegistration.setLastAccessTime(new Date());
    deviceRegistrationService.updateDeviceRegistration(userInum, usedDeviceRegistration);
    DeviceRegistrationResult.Status status = DeviceRegistrationResult.Status.APPROVED;
    boolean approved = StringHelper.equals(RawAuthenticationService.AUTHENTICATE_GET_TYPE, clientData.getTyp());
    if (!approved) {
        status = DeviceRegistrationResult.Status.CANCELED;
        log.debug("Authentication request with keyHandle '{}' was canceled", response.getKeyHandle());
    }
    return new DeviceRegistrationResult(usedDeviceRegistration, status);
}
Also used : AuthenticateRequest(org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequest) BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException) ClientData(org.xdi.oxauth.model.fido.u2f.protocol.ClientData) DeviceRegistration(org.xdi.oxauth.model.fido.u2f.DeviceRegistration) DeviceCompromisedException(org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException) DeviceRegistrationResult(org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult) RawAuthenticateResponse(org.xdi.oxauth.model.fido.u2f.message.RawAuthenticateResponse) Date(java.util.Date)

Example 4 with DeviceCompromisedException

use of org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException in project oxAuth by GluuFederation.

the class RegistrationService method builRegisterRequestMessage.

public RegisterRequestMessage builRegisterRequestMessage(String appId, String userInum) {
    if (applicationService.isValidateApplication()) {
        applicationService.checkIsValid(appId);
    }
    List<AuthenticateRequest> authenticateRequests = new ArrayList<AuthenticateRequest>();
    List<RegisterRequest> registerRequests = new ArrayList<RegisterRequest>();
    boolean twoStep = StringHelper.isNotEmpty(userInum);
    if (twoStep) {
        // In two steps we expects not empty userInum
        List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, appId);
        for (DeviceRegistration deviceRegistration : deviceRegistrations) {
            if (!deviceRegistration.isCompromised()) {
                try {
                    AuthenticateRequest authenticateRequest = u2fAuthenticationService.startAuthentication(appId, deviceRegistration);
                    authenticateRequests.add(authenticateRequest);
                } catch (DeviceCompromisedException ex) {
                    log.error("Faield to authenticate device", ex);
                }
            }
        }
    }
    RegisterRequest request = startRegistration(appId);
    registerRequests.add(request);
    return new RegisterRequestMessage(authenticateRequests, registerRequests);
}
Also used : RegisterRequest(org.xdi.oxauth.model.fido.u2f.protocol.RegisterRequest) AuthenticateRequest(org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequest) ArrayList(java.util.ArrayList) DeviceRegistration(org.xdi.oxauth.model.fido.u2f.DeviceRegistration) DeviceCompromisedException(org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException) RegisterRequestMessage(org.xdi.oxauth.model.fido.u2f.protocol.RegisterRequestMessage)

Aggregations

DeviceCompromisedException (org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException)4 DeviceRegistration (org.xdi.oxauth.model.fido.u2f.DeviceRegistration)4 AuthenticateRequest (org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequest)3 ArrayList (java.util.ArrayList)2 NoEligableDevicesException (org.xdi.oxauth.exception.fido.u2f.NoEligableDevicesException)2 DeviceRegistrationResult (org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult)2 BadInputException (org.xdi.oxauth.model.fido.u2f.exception.BadInputException)2 AuthenticateRequestMessage (org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage)2 Date (java.util.Date)1 POST (javax.ws.rs.POST)1 Produces (javax.ws.rs.Produces)1 WebApplicationException (javax.ws.rs.WebApplicationException)1 InvalidKeyHandleDeviceException (org.xdi.oxauth.exception.fido.u2f.InvalidKeyHandleDeviceException)1 AuthenticateRequestMessageLdap (org.xdi.oxauth.model.fido.u2f.AuthenticateRequestMessageLdap)1 RawAuthenticateResponse (org.xdi.oxauth.model.fido.u2f.message.RawAuthenticateResponse)1 AuthenticateResponse (org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateResponse)1 AuthenticateStatus (org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateStatus)1 ClientData (org.xdi.oxauth.model.fido.u2f.protocol.ClientData)1 RegisterRequest (org.xdi.oxauth.model.fido.u2f.protocol.RegisterRequest)1 RegisterRequestMessage (org.xdi.oxauth.model.fido.u2f.protocol.RegisterRequestMessage)1