Example 1 with DeviceRegistrationResult
use of org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult in project oxAuth by GluuFederation.
the class U2fRegistrationWS method finishRegistration.
@POST
@Produces({ "application/json" })
public Response finishRegistration(@FormParam("username") String userName, @FormParam("tokenResponse") String registerResponseString) {
String sessionState = null;
try {
log.debug("Finishing registration for username '{}' with response '{}'", userName, registerResponseString);
RegisterResponse registerResponse = ServerUtil.jsonMapperWithWrapRoot().readValue(registerResponseString, RegisterResponse.class);
String requestId = registerResponse.getRequestId();
RegisterRequestMessageLdap registerRequestMessageLdap = u2fRegistrationService.getRegisterRequestMessageByRequestId(requestId);
if (registerRequestMessageLdap == null) {
throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SESSION_EXPIRED)).build());
}
u2fRegistrationService.removeRegisterRequestMessage(registerRequestMessageLdap);
String foundUserInum = registerRequestMessageLdap.getUserInum();
RegisterRequestMessage registerRequestMessage = registerRequestMessageLdap.getRegisterRequestMessage();
DeviceRegistrationResult deviceRegistrationResult = u2fRegistrationService.finishRegistration(registerRequestMessage, registerResponse, foundUserInum);
// If sessionState is not empty update session
sessionState = registerRequestMessageLdap.getSessionState();
if (StringHelper.isNotEmpty(sessionState)) {
log.debug("There is session state. Setting session state attributes");
boolean oneStep = StringHelper.isEmpty(foundUserInum);
userSessionStateService.updateUserSessionStateOnFinishRequest(sessionState, foundUserInum, deviceRegistrationResult, true, oneStep);
}
RegisterStatus registerStatus = new RegisterStatus(Constants.RESULT_SUCCESS, requestId);
// Convert manually to avoid possible conflict between resteasy providers, e.g. jettison, jackson
final String entity = ServerUtil.asJson(registerStatus);
return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
} catch (Exception ex) {
log.error("Exception happened", ex);
try {
// If sessionState is not empty update session
if (StringHelper.isNotEmpty(sessionState)) {
log.debug("There is session state. Setting session state status to 'declined'");
userSessionStateService.updateUserSessionStateOnError(sessionState);
}
} catch (Exception ex2) {
log.error("Failed to update session state status", ex2);
}
if (ex instanceof WebApplicationException) {
throw (WebApplicationException) ex;
}
if (ex instanceof BadInputException) {
throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.INVALID_REQUEST)).build());
}
throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
}
}
Also used :
RegisterResponse(org.xdi.oxauth.model.fido.u2f.protocol.RegisterResponse)
BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException)
WebApplicationException(javax.ws.rs.WebApplicationException)
RegisterStatus(org.xdi.oxauth.model.fido.u2f.protocol.RegisterStatus)
RegisterRequestMessage(org.xdi.oxauth.model.fido.u2f.protocol.RegisterRequestMessage)
DeviceRegistrationResult(org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult)
RegisterRequestMessageLdap(org.xdi.oxauth.model.fido.u2f.RegisterRequestMessageLdap)
BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException)
WebApplicationException(javax.ws.rs.WebApplicationException)
POST(javax.ws.rs.POST)
Produces(javax.ws.rs.Produces)
Example 2 with DeviceRegistrationResult
use of org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult in project oxAuth by GluuFederation.
the class U2fAuthenticationWS method finishAuthentication.
@POST
@Produces({ "application/json" })
public Response finishAuthentication(@FormParam("username") String userName, @FormParam("tokenResponse") String authenticateResponseString) {
String sessionState = null;
try {
log.debug("Finishing authentication for username '{}' with response '{}'", userName, authenticateResponseString);
AuthenticateResponse authenticateResponse = ServerUtil.jsonMapperWithWrapRoot().readValue(authenticateResponseString, AuthenticateResponse.class);
String requestId = authenticateResponse.getRequestId();
AuthenticateRequestMessageLdap authenticateRequestMessageLdap = u2fAuthenticationService.getAuthenticationRequestMessageByRequestId(requestId);
if (authenticateRequestMessageLdap == null) {
throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SESSION_EXPIRED)).build());
}
sessionState = authenticateRequestMessageLdap.getSessionState();
u2fAuthenticationService.removeAuthenticationRequestMessage(authenticateRequestMessageLdap);
AuthenticateRequestMessage authenticateRequestMessage = authenticateRequestMessageLdap.getAuthenticateRequestMessage();
String foundUserInum = authenticateRequestMessageLdap.getUserInum();
DeviceRegistrationResult deviceRegistrationResult = u2fAuthenticationService.finishAuthentication(authenticateRequestMessage, authenticateResponse, foundUserInum);
// If sessionState is not empty update session
if (StringHelper.isNotEmpty(sessionState)) {
log.debug("There is session state. Setting session state attributes");
boolean oneStep = StringHelper.isEmpty(userName);
userSessionStateService.updateUserSessionStateOnFinishRequest(sessionState, foundUserInum, deviceRegistrationResult, false, oneStep);
}
AuthenticateStatus authenticationStatus = new AuthenticateStatus(Constants.RESULT_SUCCESS, requestId);
// convert manually to avoid possible conflict between resteasy
// providers, e.g. jettison, jackson
final String entity = ServerUtil.asJson(authenticationStatus);
return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
} catch (Exception ex) {
log.error("Exception happened", ex);
if (ex instanceof WebApplicationException) {
throw (WebApplicationException) ex;
}
try {
// If sessionState is not empty update session
if (StringHelper.isNotEmpty(sessionState)) {
log.debug("There is session state. Setting session state status to 'declined'");
userSessionStateService.updateUserSessionStateOnError(sessionState);
}
} catch (Exception ex2) {
log.error("Failed to update session state status", ex2);
}
if (ex instanceof BadInputException) {
throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.INVALID_REQUEST)).build());
}
if (ex instanceof DeviceCompromisedException) {
DeviceRegistration deviceRegistration = ((DeviceCompromisedException) ex).getDeviceRegistration();
try {
deviceRegistrationService.disableUserDeviceRegistration(deviceRegistration);
} catch (Exception ex2) {
log.error("Failed to mark device '{}' as compomised", ex2, deviceRegistration.getId());
}
throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.DEVICE_COMPROMISED)).build());
}
throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
}
}
Also used :
AuthenticateStatus(org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateStatus)
AuthenticateResponse(org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateResponse)
AuthenticateRequestMessageLdap(org.xdi.oxauth.model.fido.u2f.AuthenticateRequestMessageLdap)
AuthenticateRequestMessage(org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage)
BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException)
WebApplicationException(javax.ws.rs.WebApplicationException)
DeviceRegistration(org.xdi.oxauth.model.fido.u2f.DeviceRegistration)
DeviceRegistrationResult(org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult)
DeviceCompromisedException(org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException)
DeviceCompromisedException(org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException)
NoEligableDevicesException(org.xdi.oxauth.exception.fido.u2f.NoEligableDevicesException)
InvalidKeyHandleDeviceException(org.xdi.oxauth.exception.fido.u2f.InvalidKeyHandleDeviceException)
BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException)
WebApplicationException(javax.ws.rs.WebApplicationException)
POST(javax.ws.rs.POST)
Produces(javax.ws.rs.Produces)
Example 3 with DeviceRegistrationResult
use of org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult in project oxAuth by GluuFederation.
the class AuthenticationService method finishAuthentication.
public DeviceRegistrationResult finishAuthentication(AuthenticateRequestMessage requestMessage, AuthenticateResponse response, String userInum, Set<String> facets) throws BadInputException, DeviceCompromisedException {
List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, requestMessage.getAppId());
final AuthenticateRequest request = getAuthenticateRequest(requestMessage, response);
DeviceRegistration usedDeviceRegistration = null;
for (DeviceRegistration deviceRegistration : deviceRegistrations) {
if (StringHelper.equals(request.getKeyHandle(), deviceRegistration.getKeyHandle())) {
usedDeviceRegistration = deviceRegistration;
break;
}
}
if (usedDeviceRegistration == null) {
throw new BadInputException("Failed to find DeviceRegistration for the given AuthenticateRequest");
}
if (usedDeviceRegistration.isCompromised()) {
throw new DeviceCompromisedException(usedDeviceRegistration, "The device is marked as possibly compromised, and cannot be authenticated");
}
ClientData clientData = response.getClientData();
clientDataValidationService.checkContent(clientData, RawAuthenticationService.SUPPORTED_AUTHENTICATE_TYPES, request.getChallenge(), facets);
RawAuthenticateResponse rawAuthenticateResponse = rawAuthenticationService.parseRawAuthenticateResponse(response.getSignatureData());
rawAuthenticationService.checkSignature(request.getAppId(), clientData, rawAuthenticateResponse, Base64Util.base64urldecode(usedDeviceRegistration.getDeviceRegistrationConfiguration().getPublicKey()));
rawAuthenticateResponse.checkUserPresence();
usedDeviceRegistration.checkAndUpdateCounter(rawAuthenticateResponse.getCounter());
usedDeviceRegistration.setLastAccessTime(new Date());
deviceRegistrationService.updateDeviceRegistration(userInum, usedDeviceRegistration);
DeviceRegistrationResult.Status status = DeviceRegistrationResult.Status.APPROVED;
boolean approved = StringHelper.equals(RawAuthenticationService.AUTHENTICATE_GET_TYPE, clientData.getTyp());
if (!approved) {
status = DeviceRegistrationResult.Status.CANCELED;
log.debug("Authentication request with keyHandle '{}' was canceled", response.getKeyHandle());
}
return new DeviceRegistrationResult(usedDeviceRegistration, status);
}
Also used :
AuthenticateRequest(org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequest)
BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException)
ClientData(org.xdi.oxauth.model.fido.u2f.protocol.ClientData)
DeviceRegistration(org.xdi.oxauth.model.fido.u2f.DeviceRegistration)
DeviceCompromisedException(org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException)
DeviceRegistrationResult(org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult)
RawAuthenticateResponse(org.xdi.oxauth.model.fido.u2f.message.RawAuthenticateResponse)
Date(java.util.Date)
Example 4 with DeviceRegistrationResult
use of org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult in project oxAuth by GluuFederation.
the class RegistrationService method finishRegistration.
public DeviceRegistrationResult finishRegistration(RegisterRequestMessage requestMessage, RegisterResponse response, String userInum, Set<String> facets) throws BadInputException {
RegisterRequest request = requestMessage.getRegisterRequest();
String appId = request.getAppId();
ClientData clientData = response.getClientData();
clientDataValidationService.checkContent(clientData, RawRegistrationService.SUPPORTED_REGISTER_TYPES, request.getChallenge(), facets);
RawRegisterResponse rawRegisterResponse = rawRegistrationService.parseRawRegisterResponse(response.getRegistrationData());
rawRegistrationService.checkSignature(appId, clientData, rawRegisterResponse);
Date now = new GregorianCalendar(TimeZone.getTimeZone("UTC")).getTime();
DeviceRegistration deviceRegistration = rawRegistrationService.createDevice(rawRegisterResponse);
deviceRegistration.setStatus(DeviceRegistrationStatus.ACTIVE);
deviceRegistration.setApplication(appId);
deviceRegistration.setCreationDate(now);
int keyHandleHashCode = deviceRegistrationService.getKeyHandleHashCode(rawRegisterResponse.getKeyHandle());
deviceRegistration.setKeyHandleHashCode(keyHandleHashCode);
final String deviceRegistrationId = String.valueOf(System.currentTimeMillis());
deviceRegistration.setId(deviceRegistrationId);
String responseDeviceData = response.getDeviceData();
if (StringHelper.isNotEmpty(responseDeviceData)) {
try {
String responseDeviceDataDecoded = new String(Base64Util.base64urldecode(responseDeviceData));
DeviceData deviceData = ServerUtil.jsonMapperWithWrapRoot().readValue(responseDeviceDataDecoded, DeviceData.class);
deviceRegistration.setDeviceData(deviceData);
} catch (Exception ex) {
throw new BadInputException(String.format("Device data is invalid: %s", responseDeviceData), ex);
}
}
boolean approved = StringHelper.equals(RawRegistrationService.REGISTER_FINISH_TYPE, response.getClientData().getTyp());
if (!approved) {
log.debug("Registratio request with keyHandle '{}' was canceled", rawRegisterResponse.getKeyHandle());
return new DeviceRegistrationResult(deviceRegistration, DeviceRegistrationResult.Status.CANCELED);
}
boolean twoStep = StringHelper.isNotEmpty(userInum);
if (twoStep) {
deviceRegistration.setDn(deviceRegistrationService.getDnForU2fDevice(userInum, deviceRegistrationId));
// Check if there is device registration with keyHandle in LDAP already
List<DeviceRegistration> foundDeviceRegistrations = deviceRegistrationService.findDeviceRegistrationsByKeyHandle(appId, deviceRegistration.getKeyHandle(), "oxId");
if (foundDeviceRegistrations.size() != 0) {
throw new BadInputException(String.format("KeyHandle %s was compromised", deviceRegistration.getKeyHandle()));
}
deviceRegistrationService.addUserDeviceRegistration(userInum, deviceRegistration);
} else {
deviceRegistration.setDn(deviceRegistrationService.getDnForOneStepU2fDevice(deviceRegistrationId));
deviceRegistrationService.addOneStepDeviceRegistration(deviceRegistration);
}
return new DeviceRegistrationResult(deviceRegistration, DeviceRegistrationResult.Status.APPROVED);
}
Also used :
RegisterRequest(org.xdi.oxauth.model.fido.u2f.protocol.RegisterRequest)
GregorianCalendar(java.util.GregorianCalendar)
RawRegisterResponse(org.xdi.oxauth.model.fido.u2f.message.RawRegisterResponse)
DeviceRegistration(org.xdi.oxauth.model.fido.u2f.DeviceRegistration)
Date(java.util.Date)
DeviceCompromisedException(org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException)
BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException)
BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException)
ClientData(org.xdi.oxauth.model.fido.u2f.protocol.ClientData)
DeviceData(org.xdi.oxauth.model.fido.u2f.protocol.DeviceData)
DeviceRegistrationResult(org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult)
Aggregations
DeviceRegistrationResult (org.xdi.oxauth.model.fido.u2f.DeviceRegistrationResult)4
BadInputException (org.xdi.oxauth.model.fido.u2f.exception.BadInputException)4
DeviceCompromisedException (org.xdi.oxauth.exception.fido.u2f.DeviceCompromisedException)3
DeviceRegistration (org.xdi.oxauth.model.fido.u2f.DeviceRegistration)3
Date (java.util.Date)2
POST (javax.ws.rs.POST)2
Produces (javax.ws.rs.Produces)2
WebApplicationException (javax.ws.rs.WebApplicationException)2
ClientData (org.xdi.oxauth.model.fido.u2f.protocol.ClientData)2
GregorianCalendar (java.util.GregorianCalendar)1
InvalidKeyHandleDeviceException (org.xdi.oxauth.exception.fido.u2f.InvalidKeyHandleDeviceException)1
NoEligableDevicesException (org.xdi.oxauth.exception.fido.u2f.NoEligableDevicesException)1
AuthenticateRequestMessageLdap (org.xdi.oxauth.model.fido.u2f.AuthenticateRequestMessageLdap)1
RegisterRequestMessageLdap (org.xdi.oxauth.model.fido.u2f.RegisterRequestMessageLdap)1
RawAuthenticateResponse (org.xdi.oxauth.model.fido.u2f.message.RawAuthenticateResponse)1
RawRegisterResponse (org.xdi.oxauth.model.fido.u2f.message.RawRegisterResponse)1
AuthenticateRequest (org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequest)1
AuthenticateRequestMessage (org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateRequestMessage)1
AuthenticateResponse (org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateResponse)1
AuthenticateStatus (org.xdi.oxauth.model.fido.u2f.protocol.AuthenticateStatus)1
