def authenticate(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
if (step == 1):
print "Radius. Authenticate for step 1"
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if StringHelper.isNotEmptyString(user_name ) and StringHelper.isNotEmptyString(user_password ):
user_exists_in_gluu = authenticationService.authenticate(user_name )
if user_exists_in_gluu :
client = RadiusClient(self.RADIUS_SERVER_IP,int (self.RADIUS_SERVER_AUTH_PORT), int(self.RADIUS_SERVER_ACCT_PORT), self.RADIUS_SERVER_SECRET)
accessRequest = RadiusPacket(RadiusPacket.ACCESS_REQUEST)
userNameAttribute = RadiusAttribute(RadiusAttributeValues.USER_NAME,user_name )
userPasswordAttribute = RadiusAttribute(RadiusAttributeValues.USER_PASSWORD,user_password )
accessRequest.setAttribute(userNameAttribute)
accessRequest.setAttribute(userPasswordAttribute)
accessResponse = client.authenticate(accessRequest)
print "Packet type - %s " % accessResponse.getPacketType()
if accessResponse.getPacketType() == RadiusPacket.ACCESS_ACCEPT:
return True
#elif accessResponse.getPacketType() == RadiusPacket.ACCESS_CHALLENGE:
# return False
return False
def authenticate(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
if 1 <= step <= 3:
print "Basic (demo reset step). Authenticate for step '%s'" % step
identity = CdiUtil.bean(Identity)
identity.setWorkingParameter("pass_authentication", False)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = CdiUtil.bean(UserService)
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
identity.setWorkingParameter("pass_authentication", True)
return True
else:
return False
def authenticate_user_credentials(self, identity, authentication_service):
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
print "AzureAD. user_name: %s" % user_name
logged_in = False
if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
# Special condition to allow for Gluu admin login
if StringHelper.equals(user_name, ADMIN):
return self.authenticate_user_in_gluu_ldap(authentication_service, user_name, user_password)
# Authenticate user credentials with Azure AD non-interactively
azure_auth_response = self.authenticate_user_in_azure(azure_tenant_id, user_name, user_password, azure_client_id, azure_client_secret)
print "AzureAD. Value of azure_auth_response is %s" % azure_auth_response
azure_auth_response_json = json.loads(azure_auth_response)
if azure_user_uuid in azure_auth_response_json:
# Azure authentication has succeeded. User needs to be enrolled in Gluu LDAP
user = self.enroll_azure_user_in_gluu_ldap(azure_auth_response_json)
if user is None:
# User Enrollment in Gluu LDAP has failed
logged_in = False
else:
# Authenticating the user within Gluu
user_authenticated_in_gluu = authentication_service.authenticate(user.getUserId())
print "AzureAD: Authentication status of the user enrolled in Gluu LDAP %r " % user_authenticated_in_gluu
return user_authenticated_in_gluu
else:
# Azure authentication has failed.
logged_in = False
return logged_in
def authenticate(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
if step == 1:
print "Basic (one session). Authenticate for step 1"
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
logged_in = authenticationService.authenticate(user_name, user_password)
if not logged_in:
return False
logged_in = self.isFirstSession(user_name)
if not logged_in:
facesMessages = CdiUtil.bean(FacesMessages)
facesMessages.add(FacesMessage.SEVERITY_ERROR, "Please, end active session first!")
return False
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
if (step == 1):
print "Basic (multi login). Authenticate for step 1"
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
key_value = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(key_value) and StringHelper.isNotEmptyString(user_password)):
i = 0
count = len(self.login_attributes_list_array)
while (i < count):
primary_key = self.login_attributes_list_array[i]
local_primary_key = self.local_login_attributes_list_array[i]
logged_in = authenticationService.authenticate(key_value, user_password, primary_key, local_primary_key)
if (logged_in):
return True
i += 1
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
if (step == 1):
print "Basic. Authenticate for step 1"
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name_array = StringHelper.split(credentials.getUsername(),"+")
user_name = None
if len(user_name_array) == 2:
email_id_array = StringHelper.split(user_name_array[1],"@")
user_name = user_name_array[0] + "@"+ email_id_array[1]
else:
user_name = user_name_array[0]
print "Username for authentication is: %s " % user_name
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = authenticationService.authenticate(user_name, user_password,"mail","mail")
if (not logged_in):
return False
return True
else:
return False
def authenticate_user_credentials(self, identity, authentication_service):
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
print "ThumbSignIn. user_name: " + user_name
logged_in = False
if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
logged_in = self.authenticate_user_in.jans.ldap(authentication_service, user_name, user_password)
return logged_in
def authenticate(self, configurationAttributes, requestParameters, step):
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "Basic (with password update). Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
elif (step == 2):
print "Basic (with password update). Authenticate for step 2"
user = authenticationService.getAuthenticatedUser()
if user == None:
print "Basic (with password update). Authenticate for step 2. Failed to determine user name"
return False
user_name = user.getUserId()
find_user_by_uid = userService.getUser(user_name)
update_button = requestParameters.get("loginForm:updateButton")
if ArrayHelper.isEmpty(update_button):
return True
new_password_array = requestParameters.get("new_password")
if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
print "Basic (with password update). Authenticate for step 2. New password is empty"
return False
new_password = new_password_array[0]
find_user_by_uid.setAttribute("userPassword", new_password)
print "Basic (with password update). Authenticate for step 2. Attempting to set new user '%s' password" % user_name
userService.updateUser(find_user_by_uid)
print "Basic (with password update). Authenticate for step 2. Password updated successfully"
return True
else:
return False
def authenticateImpl(self, credentials, authenticationService):
print "Basic (client group). Processing user name/password authentication"
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
logged_in = authenticationService.authenticate(user_name, user_password)
if not logged_in:
return False
return True
def isPassedStep1():
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
passed_step1 = StringHelper.isNotEmptyString(user_name)
return passed_step1
def createLdapExtendedEntryManagers(self, authConfiguration):
ldapExtendedConfigurations = self.createLdapExtendedConfigurations(authConfiguration)
appInitializer = CdiUtil.bean(AppInitializer)
persistanceFactoryService = CdiUtil.bean(PersistanceFactoryService)
ldapEntryManagerFactory = persistanceFactoryService.getPersistenceEntryManagerFactory(LdapEntryManagerFactory)
persistenceType = ldapEntryManagerFactory.getPersistenceType()
ldapExtendedEntryManagers = []
for ldapExtendedConfiguration in ldapExtendedConfigurations:
connectionConfiguration = ldapExtendedConfiguration["connectionConfiguration"]
ldapConfiguration = ldapExtendedConfiguration["ldapConfiguration"]
ldapProperties = Properties()
for key, value in connectionConfiguration.items():
value_string = value
if isinstance(value_string, list):
value_string = ", ".join(value)
else:
value_string = str(value)
ldapProperties.setProperty(persistenceType + "." + key, value_string)
if StringHelper.isNotEmptyString(ldapConfiguration.getBindPassword()):
ldapProperties.setProperty(persistenceType + ".bindPassword", ldapConfiguration.getBindPassword())
ldapEntryManager = ldapEntryManagerFactory.createEntryManager(ldapProperties)
ldapExtendedEntryManagers.append({ "ldapConfiguration" : ldapConfiguration, "ldapProperties" : ldapProperties, "loginAttributes" : ldapExtendedConfiguration["loginAttributes"], "localLoginAttributes" : ldapExtendedConfiguration["localLoginAttributes"], "ldapEntryManager" : ldapEntryManager })
return ldapExtendedEntryManagers
def isPassedDefaultAuthentication(self):
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
passed_step1 = StringHelper.isNotEmptyString(user_name)
return passed_step1
def authenticate(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
if (step == 1):
print "Basic (multi auth conf). Authenticate for step 1"
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
metricService = CdiUtil.bean(MetricService)
timerContext = metricService.getTimer(MetricType.USER_AUTHENTICATION_RATE).time()
try:
keyValue = credentials.getUsername()
userPassword = credentials.getPassword()
if (StringHelper.isNotEmptyString(keyValue) and StringHelper.isNotEmptyString(userPassword)):
for ldapExtendedEntryManager in self.ldapExtendedEntryManagers:
ldapConfiguration = ldapExtendedEntryManager["ldapConfiguration"]
ldapEntryManager = ldapExtendedEntryManager["ldapEntryManager"]
loginAttributes = ldapExtendedEntryManager["loginAttributes"]
localLoginAttributes = ldapExtendedEntryManager["localLoginAttributes"]
print "Basic (multi auth conf). Authenticate for step 1. Using configuration: " + ldapConfiguration.getConfigId()
idx = 0
count = len(loginAttributes)
while (idx < count):
primaryKey = loginAttributes[idx]
localPrimaryKey = localLoginAttributes[idx]
loggedIn = authenticationService.authenticate(ldapConfiguration, ldapEntryManager, keyValue, userPassword, primaryKey, localPrimaryKey)
if (loggedIn):
metricService.incCounter(MetricType.USER_AUTHENTICATION_SUCCESS)
return True
idx += 1
finally:
timerContext.stop()
metricService.incCounter(MetricType.USER_AUTHENTICATION_FAILURES)
return False
else:
return False
def processBasicAuthentication(self, credentials):
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
logged_in = authenticationService.authenticate(user_name, user_password)
if not logged_in:
return None
find_user_by_uid = authenticationService.getAuthenticatedUser()
if find_user_by_uid == None:
print "UAF. Process basic authentication. Failed to find user '%s'" % user_name
return None
return find_user_by_uid
def authenticate(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
if (step == 1):
print "Basic (with external logout). Authenticate for step 1"
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
session_attributes = identity.getSessionId().getSessionAttributes()
authenticationService = CdiUtil.bean(AuthenticationService)
allowedCountriesListArray = StringHelper.split(self.allowedCountries, ",")
if (len(allowedCountriesListArray) > 0 and session_attributes.containsKey("remote_ip")):
remote_ip = session_attributes.get("remote_ip")
remote_loc_dic = self.determineGeolocationData(remote_ip)
if remote_loc_dic == None:
print "Super-Gluu. Prepare for step 2. Failed to determine remote location by remote IP '%s'" % remote_ip
return
remote_loc = "%s" % ( remote_loc_dic['countryCode'])
print "Your remote location is "+remote_loc
if remote_loc in allowedCountriesListArray:
print "you are allowed to access"
else:
return False
if (step == 1):
print "Basic. Authenticate for step 1"
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
else:
return False
def getClientConfiguration(self, configurationAttributes, requestParameters):
# Get client configuration
if (configurationAttributes.containsKey("gplus_client_configuration_attribute")):
clientConfigurationAttribute = configurationAttributes.get("gplus_client_configuration_attribute").getValue2()
print "Google+ GetClientConfiguration. Using client attribute: '%s'" % clientConfigurationAttribute
if (requestParameters == None):
return None
clientId = None
# Attempt to determine client_id from request
clientIdArray = requestParameters.get("client_id")
if (ArrayHelper.isNotEmpty(clientIdArray) and StringHelper.isNotEmptyString(clientIdArray[0])):
clientId = clientIdArray[0]
# Attempt to determine client_id from event context
if (clientId == None):
identity = CdiUtil.bean(Identity)
if (identity.isSetWorkingParameter("sessionAttributes")):
clientId = identity.getSessionId().getSessionAttributes().get("client_id")
if (clientId == None):
print "Google+ GetClientConfiguration. client_id is empty"
return None
clientService = CdiUtil.bean(ClientService)
client = clientService.getClient(clientId)
if (client == None):
print "Google+ GetClientConfiguration. Failed to find client '%s' in local LDAP" % clientId
return None
clientConfiguration = clientService.getCustomAttribute(client, clientConfigurationAttribute)
if ((clientConfiguration == None) or StringHelper.isEmpty(clientConfiguration.getValue())):
print "Google+ GetClientConfiguration. Client '%s' attribute '%s' is empty" % (clientId, clientConfigurationAttribute)
else:
print "Google+ GetClientConfiguration. Client '%s' attribute '%s' is '%s'" % (clientId, clientConfigurationAttribute, clientConfiguration)
return clientConfiguration
return None
def getClientConfiguration(self, configurationAttributes, requestParameters):
# Get client configuration
if configurationAttributes.containsKey("saml_client_configuration_attribute"):
saml_client_configuration_attribute = configurationAttributes.get("saml_client_configuration_attribute").getValue2()
print "Asimba. GetClientConfiguration. Using client attribute: '%s'" % saml_client_configuration_attribute
if requestParameters == None:
return None
client_id = None
client_id_array = requestParameters.get("client_id")
if ArrayHelper.isNotEmpty(client_id_array) and StringHelper.isNotEmptyString(client_id_array[0]):
client_id = client_id_array[0]
if client_id == None:
identity = CdiUtil.bean(Identity)
if identity.getSessionId() != None:
client_id = identity.getSessionId().getSessionAttributes().get("client_id")
if client_id == None:
print "Asimba. GetClientConfiguration. client_id is empty"
return None
clientService = CdiUtil.bean(ClientService)
client = clientService.getClient(client_id)
if client == None:
print "Asimba. GetClientConfiguration. Failed to find client '%s' in local LDAP" % client_id
return None
saml_client_configuration = clientService.getCustomAttribute(client, saml_client_configuration_attribute)
if (saml_client_configuration == None) or StringHelper.isEmpty(saml_client_configuration.getValue()):
print "Asimba. GetClientConfiguration. Client '%s' attribute '%s' is empty" % ( client_id, saml_client_configuration_attribute )
else:
print "Asimba. GetClientConfiguration. Client '%s' attribute '%s' is '%s'" % ( client_id, saml_client_configuration_attribute, saml_client_configuration )
return saml_client_configuration
return None
def authenticate(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
if (step == 1):
print "BCrypt Auth. Authenticate for step 1"
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = CdiUtil.bean(UserService)
user = userService.getUser(user_name)
hashed_stored_pass = user.getAttribute("userPassword")
password_schema = ''
# Determine password schema
# Example for BCrypt: {BCRYPT}$2b$08$71gBXNKJ/iUBXqLjEdEXFesoUYQm5vrpKefi8YhV7ITGfAd9VNFaG
for char in hashed_stored_pass:
if char == '{':
continue
if char == '}':
break
password_schema = password_schema + char
print("Password Schema is: " + password_schema)
# OpenDJ's SSHA(512)
if 'SSHA' in password_schema:
# Returns True if authenticated on the backend
logged_in = authenticationService.authenticate(user_name, user_password)
# Pattern match BCRYPT and rewrite to SSHA
elif 'BCRYPT' in password_schema:
# Pull salt from the stored hashed password
salt = hashed_stored_pass[8:]
salt = salt.split("$")[3].strip()
salt = salt[0:22]
salt = '$2a$08$' + salt
# Create BCrypt hash of challenge cleartext password using the gathered salt
challenge = BCrypt.hashpw(user_password,salt)
# Strip unnecessary revision($2a$) and rounds(08$) from both hashed passwords for comparison.
challenge = challenge.split("$")[3].strip()
stored = hashed_stored_pass.split("$")[3].strip()
print("Challenge Salt+Hash: " + challenge)
print("Stored Salt+Hash: " + stored)
# Compare the hashses and update hash if there is a match.
if challenge in stored:
# Users hashed challenge password matches the stored hashed password in the backend
# Therefore we update the users password to the backend's password schema by passing it to OpenDJ
print("Updating hash..")
user.setAttribute("userPassword",user_password)
user = userService.updateUser(user)
print("Logging in..")
# Returns True
logged_in = authenticationService.authenticate(user_name)
# Catch unknown schema types and output to oxauth_script.log
# This script can be expanded to include other password schemas.
else:
print("Unrecognized algorithm: " + password_schema)
# If there is no match, logged_in will still be False and authentication will fail.
if (not logged_in):
return False
logged_in = authenticationService.authenticate(user_name)
return logged_in
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
httpService = CdiUtil.bean(HttpService)
server_flag = configurationAttributes.get("oneid_server_flag").getValue2()
callback_attrs = configurationAttributes.get("oneid_callback_attrs").getValue2()
creds_file = configurationAttributes.get("oneid_creds_file").getValue2()
# Create OneID
authn = OneID(server_flag)
# Set path to credentials file
authn.creds_file = creds_file
if (step == 1):
print "OneId. Authenticate for step 1"
# Find OneID request
json_data_array = requestParameters.get("json_data")
if ArrayHelper.isEmpty(json_data_array):
print "OneId. Authenticate for step 1. json_data is empty"
return False
request = json_data_array[0]
print "OneId. Authenticate for step 1. request: " + request
if (StringHelper.isEmptyString(request)):
return False
authn.set_credentials()
# Validate request
http_client = httpService.getHttpsClientDefaulTrustStore()
auth_data = httpService.encodeBase64(authn.api_id + ":" + authn.api_key)
http_response = httpService.executePost(http_client, authn.helper_server + "/validate", auth_data, request, ContentType.APPLICATION_JSON)
validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_response))
print "OneId. Authenticate for step 1. validation_content: " + validation_content
if (StringHelper.isEmptyString(validation_content)):
return False
validation_resp = json.loads(validation_content)
print "OneId. Authenticate for step 1. validation_resp: " + str(validation_resp)
if (not authn.success(validation_resp)):
return False
response = json.loads(request)
for x in validation_resp:
response[x] = validation_resp[x]
oneid_user_uid = response['uid']
print "OneId. Authenticate for step 1. oneid_user_uid: " + oneid_user_uid
# Check if the is user with specified oneid_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "oneid:" + oneid_user_uid)
if (find_user_by_uid == None):
print "OneId. Authenticate for step 1. Failed to find user"
print "OneId. Authenticate for step 1. Setting count steps to 2"
identity.setWorkingParameter("oneid_count_login_steps", 2)
identity.setWorkingParameter("oneid_user_uid", oneid_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "OneId. Authenticate for step 1. found_user_name: " + found_user_name
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
credentials.setUsername(found_user_name)
credentials.setUser(find_user_by_uid)
print "OneId. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("oneid_count_login_steps", 1)
return True
elif (step == 2):
print "OneId. Authenticate for step 2"
sessionAttributes = identity.getSessionId().getSessionAttributes()
if (sessionAttributes == None) or not sessionAttributes.containsKey("oneid_user_uid"):
print "OneId. Authenticate for step 2. oneid_user_uid is empty"
return False
oneid_user_uid = sessionAttributes.get("oneid_user_uid")
passed_step1 = StringHelper.isNotEmptyString(oneid_user_uid)
if (not passed_step1):
return False
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
passed_step1 = StringHelper.isNotEmptyString(user_name)
if (not passed_step1):
return False
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has oneid_user_uid
# Avoid mapping OneID account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "oneid:" + oneid_user_uid)
if (find_user_by_uid == None):
# Add oneid_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "oneid:" + oneid_user_uid)
if (find_user_by_uid == None):
print "OneId. Authenticate for step 2. Failed to update current user"
return False
return True
else:
found_user_name = find_user_by_uid.getUserId()
print "OneId. Authenticate for step 2. found_user_name: " + found_user_name
if StringHelper.equals(user_name, found_user_name):
return True
return False
else:
return False
def containsAttributeString(self, dictionary, attribute):
return ((attribute in dictionary) and StringHelper.isNotEmptyString(dictionary[attribute]))
def authenticate(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
saml_map_user = False
saml_enroll_user = False
saml_enroll_all_user_attr = False
# Use saml_deployment_type only if there is no attributes mapping
if configurationAttributes.containsKey("saml_deployment_type"):
saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2())
if StringHelper.equalsIgnoreCase(saml_deployment_type, "map"):
saml_map_user = True
if StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll"):
saml_enroll_user = True
if StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr"):
saml_enroll_all_user_attr = True
saml_allow_basic_login = False
if configurationAttributes.containsKey("saml_allow_basic_login"):
saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False)
use_basic_auth = False
if saml_allow_basic_login:
# Detect if user used basic authnetication method
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password):
use_basic_auth = True
if (step == 1) and saml_allow_basic_login and use_basic_auth:
print "Asimba. Authenticate for step 1. Basic authentication"
identity.setWorkingParameter("saml_count_login_steps", 1)
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
if (step == 1):
print "Asimba. Authenticate for step 1"
currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
if (currentSamlConfiguration == None):
print "Asimba. Prepare for step 1. Client saml configuration is invalid"
return False
saml_response_array = requestParameters.get("SAMLResponse")
if ArrayHelper.isEmpty(saml_response_array):
print "Asimba. Authenticate for step 1. saml_response is empty"
return False
saml_response = saml_response_array[0]
print "Asimba. Authenticate for step 1. saml_response: '%s'" % saml_response
samlResponse = Response(currentSamlConfiguration)
samlResponse.loadXmlFromBase64(saml_response)
saml_validate_response = True
if configurationAttributes.containsKey("saml_validate_response"):
saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False)
if saml_validate_response:
if not samlResponse.isValid():
print "Asimba. Authenticate for step 1. saml_response isn't valid"
return False
if samlResponse.isAuthnFailed():
print "Asimba. Authenticate for step 1. saml_response AuthnFailed"
return False
saml_response_attributes = samlResponse.getAttributes()
print "Asimba. Authenticate for step 1. attributes: '%s'" % saml_response_attributes
if saml_map_user:
saml_user_uid = self.getSamlNameId(samlResponse)
if saml_user_uid == None:
return False
# Use mapping to local IDP user
print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
print "Asimba. Authenticate for step 1. Failed to find user"
print "Asimba. Authenticate for step 1. Setting count steps to 2"
identity.setWorkingParameter("saml_count_login_steps", 2)
identity.setWorkingParameter("saml_user_uid", saml_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if user_authenticated == False:
print "Asimba. Authenticate for step 1. Failed to authenticate user"
return False
print "Asimba. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif saml_enroll_user:
# Convert SAML response to user entry
newUser = self.getMappedUser(configurationAttributes, requestParameters, saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
# Use auto enrollment to local IDP
print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
# Auto user enrollment
print "Asimba. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Asimba. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Asimba. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId()
facesMessages = CdiUtil.bean(FacesMessages)
facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to enroll. User with same key attributes exist already")
facesMessages.setKeepMessages()
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Asimba. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId()
else:
if self.updateUser:
print "Asimba. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Asimba. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if user_authenticated == False:
print "Asimba. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name
return False
print "Asimba. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif saml_enroll_all_user_attr:
# Convert SAML response to user entry
newUser = self.getMappedAllAttributesUser(saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:%s" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
# Auto user enrollment
print "Asimba. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Asimba. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Asimba. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId()
facesMessages = CdiUtil.bean(FacesMessages)
facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to enroll. User with same key attributes exist already")
facesMessages.setKeepMessages()
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Asimba. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId()
else:
if self.updateUser:
print "Asimba. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Asimba. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if user_authenticated == False:
print "Asimba. Authenticate for step 1. Failed to authenticate user"
return False
print "Asimba. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
else:
if saml_user_uid == None:
return False
# Check if the is user with specified saml_user_uid
print "Asimba. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid
find_user_by_uid = userService.getUser(saml_user_uid)
if find_user_by_uid == None:
print "Asimba. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if user_authenticated == False:
print "Asimba. Authenticate for step 1. Failed to authenticate user"
return False
print "Asimba. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (step == 2):
print "Asimba. Authenticate for step 2"
sessionAttributes = identity.getSessionId().getSessionAttributes()
if (sessionAttributes == None) or not sessionAttributes.containsKey("saml_user_uid"):
print "Asimba. Authenticate for step 2. saml_user_uid is empty"
return False
saml_user_uid = sessionAttributes.get("saml_user_uid")
passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
if not passed_step1:
return False
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
logged_in = authenticationService.authenticate(user_name, user_password)
if not logged_in:
return False
# Check if there is user which has saml_user_uid
# Avoid mapping Saml account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
# Add saml_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
print "Asimba. Authenticate for step 2. Failed to update current user"
return False
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
else:
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 2. found_user_name: '%s'" % found_user_name
if StringHelper.equals(user_name, found_user_name):
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
mapUserDeployment = False
enrollUserDeployment = False
if (configurationAttributes.containsKey("gplus_deployment_type")):
deploymentType = StringHelper.toLowerCase(configurationAttributes.get("gplus_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(deploymentType, "map")):
mapUserDeployment = True
if (StringHelper.equalsIgnoreCase(deploymentType, "enroll")):
enrollUserDeployment = True
if (step == 1):
print "Google+ Authenticate for step 1"
gplusAuthCodeArray = requestParameters.get("gplus_auth_code")
gplusAuthCode = gplusAuthCodeArray[0]
# Check if user uses basic method to log in
useBasicAuth = False
if (StringHelper.isEmptyString(gplusAuthCode)):
useBasicAuth = True
# Use basic method to log in
if (useBasicAuth):
print "Google+ Authenticate for step 1. Basic authentication"
identity.setWorkingParameter("gplus_count_login_steps", 1)
credentials = identity.getCredentials()
userName = credentials.getUsername()
userPassword = credentials.getPassword()
loggedIn = False
if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)):
userService = CdiUtil.bean(UserService)
loggedIn = authenticationService.authenticate(userName, userPassword)
if (not loggedIn):
return False
return True
# Use Google+ method to log in
print "Google+ Authenticate for step 1. gplusAuthCode:", gplusAuthCode
currentClientSecrets = self.getCurrentClientSecrets(self.clientSecrets, configurationAttributes, requestParameters)
if (currentClientSecrets == None):
print "Google+ Authenticate for step 1. Client secrets configuration is invalid"
return False
print "Google+ Authenticate for step 1. Attempting to gets tokens"
tokenResponse = self.getTokensByCode(self.clientSecrets, configurationAttributes, gplusAuthCode)
if ((tokenResponse == None) or (tokenResponse.getIdToken() == None) or (tokenResponse.getAccessToken() == None)):
print "Google+ Authenticate for step 1. Failed to get tokens"
return False
else:
print "Google+ Authenticate for step 1. Successfully gets tokens"
jwt = Jwt.parse(tokenResponse.getIdToken())
# TODO: Validate ID Token Signature
gplusUserUid = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER)
print "Google+ Authenticate for step 1. Found Google user ID in the ID token: '%s'" % gplusUserUid
if (mapUserDeployment):
# Use mapping to local IDP user
print "Google+ Authenticate for step 1. Attempting to find user by oxExternalUid: 'gplus:%s'" % gplusUserUid
# Check if there is user with specified gplusUserUid
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
print "Google+ Authenticate for step 1. Failed to find user"
print "Google+ Authenticate for step 1. Setting count steps to 2"
identity.setWorkingParameter("gplus_count_login_steps", 2)
identity.setWorkingParameter("gplus_user_uid", gplusUserUid)
return True
foundUserName = foundUser.getUserId()
print "Google+ Authenticate for step 1. foundUserName: '******'" % foundUserName
userAuthenticated = authenticationService.authenticate(foundUserName)
if (userAuthenticated == False):
print "Google+ Authenticate for step 1. Failed to authenticate user"
return False
print "Google+ Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ Authenticate for step 1. postLoginResult: '%s'" % postLoginResult
return postLoginResult
elif (enrollUserDeployment):
# Use auto enrollment to local IDP
print "Google+ Authenticate for step 1. Attempting to find user by oxExternalUid: 'gplus:%s'" % gplusUserUid
# Check if there is user with specified gplusUserUid
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
# Auto user enrollemnt
print "Google+ Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Google+ Authenticate for step 1. Attempting to gets user info"
userInfoResponse = self.getUserInfo(currentClientSecrets, configurationAttributes, tokenResponse.getAccessToken())
if ((userInfoResponse == None) or (userInfoResponse.getClaims().size() == 0)):
print "Google+ Authenticate for step 1. Failed to get user info"
return False
else:
print "Google+ Authenticate for step 1. Successfully gets user info"
gplusResponseAttributes = userInfoResponse.getClaims()
# Convert Google+ user claims to lover case
gplusResponseNormalizedAttributes = HashMap()
for gplusResponseAttributeEntry in gplusResponseAttributes.entrySet():
gplusResponseNormalizedAttributes.put(
StringHelper.toLowerCase(gplusResponseAttributeEntry.getKey()), gplusResponseAttributeEntry.getValue())
currentAttributesMapping = self.getCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
print "Google+ Authenticate for step 1. Using next attributes mapping '%s'" % currentAttributesMapping
newUser = User()
for attributesMappingEntry in currentAttributesMapping.entrySet():
remoteAttribute = attributesMappingEntry.getKey()
localAttribute = attributesMappingEntry.getValue()
localAttributeValue = gplusResponseNormalizedAttributes.get(remoteAttribute)
if (localAttribute != None):
newUser.setAttribute(localAttribute, localAttributeValue)
if (newUser.getAttribute("sn") == None):
newUser.setAttribute("sn", gplusUserUid)
if (newUser.getAttribute("cn") == None):
newUser.setAttribute("cn", gplusUserUid)
# Add mail to oxTrustEmail so that the user's
# email is available through the SCIM interface
# too.
if (newUser.getAttribute("oxTrustEmail") is None and
newUser.getAttribute("mail") is not None):
oxTrustEmail = {
"value": newUser.getAttribute("mail"),
"display": newUser.getAttribute("mail"),
"primary": True,
"operation": None,
"reference": None,
"type": "other"
}
newUser.setAttribute("oxTrustEmail", json.dumps(oxTrustEmail))
newUser.setAttribute("oxExternalUid", "gplus:" + gplusUserUid)
print "Google+ Authenticate for step 1. Attempting to add user '%s' with next attributes '%s'" % (gplusUserUid, newUser.getCustomAttributes())
foundUser = userService.addUser(newUser, True)
print "Google+ Authenticate for step 1. Added new user with UID: '%s'" % foundUser.getUserId()
foundUserName = foundUser.getUserId()
print "Google+ Authenticate for step 1. foundUserName: '******'" % foundUserName
userAuthenticated = authenticationService.authenticate(foundUserName)
if (userAuthenticated == False):
print "Google+ Authenticate for step 1. Failed to authenticate user"
return False
print "Google+ Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("gplus_count_login_steps", 1)
print "Google+ Authenticate for step 1. Attempting to run extension postLogin"
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ Authenticate for step 1. postLoginResult: '%s'" % postLoginResult
return postLoginResult
else:
# Check if there is user with specified gplusUserUid
print "Google+ Authenticate for step 1. Attempting to find user by uid: '%s'" % gplusUserUid
foundUser = userService.getUser(gplusUserUid)
if (foundUser == None):
print "Google+ Authenticate for step 1. Failed to find user"
return False
foundUserName = foundUser.getUserId()
print "Google+ Authenticate for step 1. foundUserName: '******'" % foundUserName
userAuthenticated = authenticationService.authenticate(foundUserName)
if (userAuthenticated == False):
print "Google+ Authenticate for step 1. Failed to authenticate user"
return False
print "Google+ Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ Authenticate for step 1. postLoginResult: '%s'" % postLoginResult
return postLoginResult
elif (step == 2):
print "Google+ Authenticate for step 2"
sessionAttributes = identity.getSessionId().getSessionAttributes()
if (sessionAttributes == None) or not sessionAttributes.containsKey("gplus_user_uid"):
print "Google+ Authenticate for step 2. gplus_user_uid is empty"
return False
gplusUserUid = sessionAttributes.get("gplus_user_uid")
passed_step1 = StringHelper.isNotEmptyString(gplusUserUid)
if (not passed_step1):
return False
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
userName = credentials.getUsername()
userPassword = credentials.getPassword()
loggedIn = False
if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)):
loggedIn = authenticationService.authenticate(userName, userPassword)
if (not loggedIn):
return False
# Check if there is user which has gplusUserUid
# Avoid mapping Google account to more than one IDP account
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
# Add gplusUserUid to user one id UIDs
foundUser = userService.addUserAttribute(userName, "oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
print "Google+ Authenticate for step 2. Failed to update current user"
return False
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ Authenticate for step 2. postLoginResult: '%s'" % postLoginResult
return postLoginResult
else:
foundUserName = foundUser.getUserId()
print "Google+ Authenticate for step 2. foundUserName: '******'" % foundUserName
if StringHelper.equals(userName, foundUserName):
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ Authenticate for step 2. postLoginResult: '%s'" % postLoginResult
return postLoginResult
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
if step == 1:
print "Cert. Authenticate for step 1"
login_button = ServerUtil.getFirstValue(requestParameters, "loginForm:loginButton")
if StringHelper.isEmpty(login_button):
print "Cert. Authenticate for step 1. Form were submitted incorrectly"
return False
if self.enabled_recaptcha:
print "Cert. Authenticate for step 1. Validating recaptcha response"
recaptcha_response = ServerUtil.getFirstValue(requestParameters, "g-recaptcha-response")
recaptcha_result = self.validateRecaptcha(recaptcha_response)
print "Cert. Authenticate for step 1. recaptcha_result: '%s'" % recaptcha_result
return recaptcha_result
return True
elif step == 2:
print "Cert. Authenticate for step 2"
# Validate if user selected certificate
cert_x509 = self.getSessionAttribute("cert_x509")
if cert_x509 == None:
print "Cert. Authenticate for step 2. User not selected any certs"
identity.setWorkingParameter("cert_selected", False)
# Return True to inform user how to reset workflow
return True
else:
identity.setWorkingParameter("cert_selected", True)
x509Certificate = self.certFromString(cert_x509)
subjectX500Principal = x509Certificate.getSubjectX500Principal()
print "Cert. Authenticate for step 2. User selected certificate with DN '%s'" % subjectX500Principal
# Validate certificates which user selected
valid = self.validateCertificate(x509Certificate)
if not valid:
print "Cert. Authenticate for step 2. Certificate DN '%s' is not valid" % subjectX500Principal
identity.setWorkingParameter("cert_valid", False)
# Return True to inform user how to reset workflow
return True
identity.setWorkingParameter("cert_valid", True)
# Calculate certificate fingerprint
x509CertificateFingerprint = self.calculateCertificateFingerprint(x509Certificate)
identity.setWorkingParameter("cert_x509_fingerprint", x509CertificateFingerprint)
print "Cert. Authenticate for step 2. Fingerprint is '%s' of certificate with DN '%s'" % (x509CertificateFingerprint, subjectX500Principal)
# Attempt to find user by certificate fingerprint
cert_user_external_uid = "cert:%s" % x509CertificateFingerprint
print "Cert. Authenticate for step 2. Attempting to find user by oxExternalUid attribute value %s" % cert_user_external_uid
find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid)
if find_user_by_external_uid == None:
print "Cert. Authenticate for step 2. Failed to find user"
if self.map_user_cert:
print "Cert. Authenticate for step 2. Storing cert_user_external_uid for step 3"
identity.setWorkingParameter("cert_user_external_uid", cert_user_external_uid)
return True
else:
print "Cert. Authenticate for step 2. Mapping cert to user account is not allowed"
identity.setWorkingParameter("cert_count_login_steps", 2)
return False
foundUserName = find_user_by_external_uid.getUserId()
print "Cert. Authenticate for step 2. foundUserName: "******"Cert. Authenticate for step 2. Setting count steps to 2"
identity.setWorkingParameter("cert_count_login_steps", 2)
return logged_in
elif step == 3:
print "Cert. Authenticate for step 3"
cert_user_external_uid = self.getSessionAttribute("cert_user_external_uid")
if cert_user_external_uid == None:
print "Cert. Authenticate for step 3. cert_user_external_uid is empty"
return False
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Double check just to make sure. We did checking in previous step
# Check if there is user which has cert_user_external_uid
# Avoid mapping user cert to more than one IDP account
find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid)
if find_user_by_external_uid == None:
# Add cert_user_external_uid to user's external GUID list
find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", cert_user_external_uid)
if find_user_by_external_uid == None:
print "Cert. Authenticate for step 3. Failed to update current user"
return False
return True
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
if step == 1:
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = CdiUtil.bean(UserService)
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
else:
find_user_by_uid = authenticationService.getAuthenticatedUser()
status_attribute_value = userService.getCustomAttribute(find_user_by_uid, "mail")
user_mail = status_attribute_value.getValue()
self.setRequestScopedParameters(identity)
isCompromised = False
isCompromised = self.is_compromised(user_mail,user_password,configurationAttributes)
if(isCompromised):
identity.setWorkingParameter("pwd_compromised", isCompromised)
identity.setWorkingParameter("user_name", user_name)
return True
else:
return True
elif step == 2:
print "compromised_password. Authenticate for step 2"
form_answer_array = requestParameters.get("loginForm:question")
if ArrayHelper.isEmpty(form_answer_array):
return False
form_answer = form_answer_array[0]
if (form_answer == self.secretanswer):
return True
return False
elif step == 3:
authenticationService = CdiUtil.bean(AuthenticationService)
print "compromised_password (with password update). Authenticate for step 3"
userService = CdiUtil.bean(UserService)
update_button = requestParameters.get("loginForm:updateButton")
new_password_array = requestParameters.get("new_password")
if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
print "compromised_password (with password update). Authenticate for step 3. New password is empty"
return False
new_password = new_password_array[0]
user = authenticationService.getAuthenticatedUser()
if user == None:
print "compromised_password (with password update). Authenticate for step 3. Failed to determine user name"
return False
user_name = user.getUserId()
print "compromised_password (with password update). Authenticate for step 3. Attempting to set new user '" + user_name + "' password"
find_user_by_uid = userService.getUser(user_name)
if (find_user_by_uid == None):
print "compromised_password (with password update). Authenticate for step 3. Failed to find user"
return False
find_user_by_uid.setAttribute("userPassword", new_password)
userService.updateUser(find_user_by_uid)
print "compromised_password (with password update). Authenticate for step 3. Password updated successfully"
logged_in = authenticationService.authenticate(user_name)
return True
def authenticate(self, configurationAttributes, requestParameters, step):
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
oxpush_user_timeout = int(configurationAttributes.get("oxpush_user_timeout").getValue2())
oxpush_application_name = configurationAttributes.get("oxpush_application_name").getValue2()
user_name = credentials.getUsername()
if (step == 1):
print "oxPush. Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = CdiUtil.bean(UserService)
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Get user entry
userService = CdiUtil.bean(UserService)
find_user_by_uid = authenticationService.getAuthenticatedUser()
if (find_user_by_uid == None):
print "oxPush. Authenticate for step 1. Failed to find user"
return False
# Check if the user paired account to phone
user_external_uid_attr = userService.getCustomAttribute(find_user_by_uid, "oxExternalUid")
if ((user_external_uid_attr == None) or (user_external_uid_attr.getValues() == None)):
print "oxPush. Authenticate for step 1. There is no external UIDs for user: "******"oxPush. Authenticate for step 1. There is no oxPush UID for user: "******"oxPush. Authenticate for step 1. oxpush_user_uid: ", oxpush_user_uid
deployment_status = self.oxPushClient.getDeploymentStatus(oxpush_user_uid)
if (deployment_status.result):
print "oxPush. Authenticate for step 1. Deployment status is valid"
if ("enabled" == deployment_status.status):
print "oxPush. Authenticate for step 1. Deployment is enabled"
identity.setWorkingParameter("oxpush_user_uid", oxpush_user_uid)
else:
print "oxPush. Authenticate for step 1. Deployment is disabled"
return False
else:
print "oxPush. Authenticate for step 1. Deployment status is invalid. Force user to pair again"
# Remove oxpush_user_uid from user entry
find_user_by_uid = userService.removeUserAttribute(user_name, "oxExternalUid", "oxpush:" + oxpush_user_uid)
if (find_user_by_uid == None):
print "oxPush. Authenticate for step 1. Failed to update current user"
return False
return True
elif (step == 2):
print "oxPush. Authenticate for step 2"
passed_step1 = self.isPassedDefaultAuthentication
if (not passed_step1):
return False
sessionAttributes = identity.getSessionId().getSessionAttributes()
if (sessionAttributes == None) or not sessionAttributes.containsKey("oxpush_user_uid"):
print "oxPush. Authenticate for step 2. oxpush_user_uid is empty"
if (not sessionAttributes.containsKey("oxpush_pairing_uid")):
print "oxPush. Authenticate for step 2. oxpush_pairing_uid is empty"
return False
oxpush_pairing_uid = sessionAttributes.get("oxpush_pairing_uid")
# Check pairing status
pairing_status = self.checkStatus("pair", oxpush_pairing_uid, oxpush_user_timeout)
if (pairing_status == None):
print "oxPush. Authenticate for step 2. The pairing has not been authorized by user"
return False
oxpush_user_uid = pairing_status.deploymentId
print "oxPush. Authenticate for step 2. Storing oxpush_user_uid in user entry", oxpush_user_uid
# Store oxpush_user_uid in user entry
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "oxpush:" + oxpush_user_uid)
if (find_user_by_uid == None):
print "oxPush. Authenticate for step 2. Failed to update current user"
return False
identity.setWorkingParameter("oxpush_count_login_steps", 2)
identity.setWorkingParameter("oxpush_user_uid", oxpush_user_uid)
else:
print "oxPush. Authenticate for step 2. Deployment status is valid"
return True
elif (step == 3):
print "oxPush. Authenticate for step 3"
passed_step1 = self.isPassedDefaultAuthentication
if (not passed_step1):
return False
sessionAttributes = identity.getWorkingParameter("oxpush_user_uid")
if (sessionAttributes == None) or not sessionAttributes.containsKey("oxpush_user_uid"):
print "oxPush. Authenticate for step 3. oxpush_user_uid is empty"
return False
oxpush_user_uid = sessionAttributes.get("oxpush_user_uid")
passed_step1 = StringHelper.isNotEmptyString(oxpush_user_uid)
if (not passed_step1):
return False
# Initialize authentication process
authentication_request = None
try:
authentication_request = self.oxPushClient.authenticate(oxpush_user_uid, user_name)
except java.lang.Exception, err:
print "oxPush. Authenticate for step 3. Failed to initialize authentication process: ", err
return False
if (not authentication_request.result):
print "oxPush. Authenticate for step 3. Failed to initialize authentication process"
return False
# Check authentication status
authentication_status = self.checkStatus("authenticate", authentication_request.authenticationId, oxpush_user_timeout)
if (authentication_status == None):
print "oxPush. Authenticate for step 3. The authentication has not been authorized by user"
return False
print "oxPush. Authenticate for step 3. The request was granted"
return True
def authenticate(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "PhoneFactor. Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = CdiUtil.bean(UserService)
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
elif (step == 2):
print "PhoneFactor. Authenticate for step 2"
passed_step1 = self.isPassedDefaultAuthentication
if (not passed_step1):
return False
pf_phone_number_attr = configurationAttributes.get("pf_phone_number_attr").getValue2()
# Get user entry from credentials
authenticationService = CdiUtil.bean(AuthenticationService)
credentials_user = authenticationService.getAuthenticatedUser()
userService = CdiUtil.bean(UserService)
phone_number_with_country_code_attr = userService.getCustomAttribute(credentials_user, pf_phone_number_attr)
if (phone_number_with_country_code_attr == None):
print "PhoneFactor. Authenticate for step 2. There is no phone number: ", user_name
return False
phone_number_with_country_code = phone_number_with_country_code_attr.getValue()
if (phone_number_with_country_code == None):
print "PhoneFactor. Authenticate for step 2. There is no phone number: ", user_name
return False
pf_country_delimiter = configurationAttributes.get("pf_country_delimiter").getValue2()
phone_number_with_country_code_array = string.split(phone_number_with_country_code, pf_country_delimiter, 1)
phone_number_with_country_code_array_len = len(phone_number_with_country_code_array)
if (phone_number_with_country_code_array_len == 1):
country_code = ""
phone_number = phone_number_with_country_code_array[0]
else:
country_code = phone_number_with_country_code_array[0]
phone_number = phone_number_with_country_code_array[1]
print "PhoneFactor. Authenticate for step 2. user_name: ", user_name, ", country_code: ", country_code, ", phone_number: ", phone_number
pf_auth_result = None
try:
pf_auth_result = self.pf.authenticate(user_name, country_code, phone_number, None, None, None)
except SecurityException, err:
print "PhoneFactor. Authenticate for step 2. BAD AUTH -- Security issue: ", err
except TimeoutException, err:
print "PhoneFactor. Authenticate for step 2. BAD AUTH -- Server timeout: ", err
def authenticate(self, configurationAttributes, requestParameters, step):
print "=============================================="
print "====TWILIO SMS AUTHENCATION==================="
print "=============================================="
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
sessionIdService = CdiUtil.bean(SessionIdService)
facesMessages = CdiUtil.bean(FacesMessages)
facesMessages.setKeepMessages()
session_attributes = self.identity.getSessionId().getSessionAttributes()
form_passcode = ServerUtil.getFirstValue(requestParameters, "passcode")
form_name = ServerUtil.getFirstValue(requestParameters, "TwilioSmsloginForm")
print "TwilioSMS. form_response_passcode: %s" % str(form_passcode)
if step == 1:
print "=============================================="
print "=TWILIO SMS STEP 1 | Password Authentication=="
print "=============================================="
credentials = self.identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
logged_in = authenticationService.authenticate(user_name, user_password)
if not logged_in:
return False
# Get the Person's number and generate a code
foundUser = None
try:
foundUser = authenticationService.getAuthenticatedUser()
except:
print 'TwilioSMS, Error retrieving user %s from LDAP' % (user_name)
return False
try:
isVerified = foundUser.getAttribute("phoneNumberVerified")
if isVerified:
self.mobile_number = foundUser.getAttribute("employeeNumber")
if self.mobile_number == None:
self.mobile_number = foundUser.getAttribute("mobile")
if self.mobile_number == None:
self.mobile_number = foundUser.getAttribute("telephoneNumber")
if self.mobile_number == None:
print "TwilioSMS, Error finding mobile number for user '%s'" % user_name
except:
facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to determine mobile phone number")
print 'TwilioSMS, Error finding mobile number for "%s". Exception: %s` % (user_name, sys.exc_info()[1])`'
return False
# Generate Random six digit code and store it in array
code = random.randint(100000, 999999)
# Get code and save it in LDAP temporarily with special session entry
self.identity.setWorkingParameter("code", code)
sessionId = sessionIdService.getSessionId() # fetch from persistence
sessionId.getSessionAttributes().put("code", code)
try:
Twilio.init(self.ACCOUNT_SID, self.AUTH_TOKEN);
message = Message.creator(PhoneNumber(self.mobile_number), PhoneNumber(self.FROM_NUMBER), str(code)).create();
print "++++++++++++++++++++++++++++++++++++++++++++++"
print 'TwilioSMs, Message Sid: %s' % (message.getSid())
print 'TwilioSMs, User phone: %s' % (self.mobile_number)
print "++++++++++++++++++++++++++++++++++++++++++++++"
sessionId.getSessionAttributes().put("mobile_number", self.mobile_number)
sessionId.getSessionAttributes().put("mobile", self.mobile_number)
sessionIdService.updateSessionId(sessionId)
self.identity.setWorkingParameter("mobile_number", self.mobile_number)
self.identity.getSessionId().getSessionAttributes().put("mobile_number",self.mobile_number)
self.identity.setWorkingParameter("mobile", self.mobile_number)
self.identity.getSessionId().getSessionAttributes().put("mobile",self.mobile_number)
print "++++++++++++++++++++++++++++++++++++++++++++++"
print "Number: %s" % (self.identity.getWorkingParameter("mobile_number"))
print "Mobile: %s" % (self.identity.getWorkingParameter("mobile"))
print "++++++++++++++++++++++++++++++++++++++++++++++"
print "========================================"
print "===TWILIO SMS FIRST STEP DONE PROPERLY=="
print "========================================"
return True
except Exception, ex:
facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to send message to mobile phone")
print "TwilioSMS. Error sending message to Twilio"
print "TwilioSMS. Unexpected error:", ex
return False
def bindWWPass(self, requestParameters, userService, authenticationService, identity, ticket):
puid = identity.getWorkingParameter("puid")
email = requestParameters.get('email')[0] if 'email' in requestParameters else None
if not puid:
identity.setWorkingParameter("errors", "WWPass login failed")
return False
if ticket:
puid_new = self.getPuid(ticket)
# Always use the latest PUID when retrying step 2
identity.setWorkingParameter("puid", puid_new)
if puid == puid_new:
# Registering via external web service
if not self.registration_url:
return False
if self.tryFirstLogin(puid, userService, authenticationService):
identity.setWorkingParameter("puid", None)
return True
else:
if not self.allow_passkey_bind:
return False
# Binding with existing PassKey
user = userService.getUserByAttribute("oxExternalUid", "wwpass:%s"%puid_new)
if user:
if authenticationService.authenticate(user.getUserId()):
userService.addUserAttribute(user.getUserId(), "oxExternalUid", "wwpass:%s"%puid)
identity.setWorkingParameter("puid", None)
return True
identity.setWorkingParameter("errors", "Invalid user")
return False
elif email:
# Binding via email
if not self.allow_email_bind:
return False
email = requestParameters.get('email')[0] if 'email' in requestParameters else None
identity.setWorkingParameter("email", email)
user = userService.getUserByAttribute('mail', email)
if not user:
print("User with email '%s' not found." % email)
return True
nonce = self.generateNonce(33)
mailService = CdiUtil.bean(MailService)
identity.setWorkingParameter("email_nonce", nonce)
identity.setWorkingParameter("email_nonce_exp", str(time() + self.EMAIL_NONCE_EXPIRATION))
subject = "Bind your WWPass Key"
body = """
To bind your WWPass Key to your account, copy and paste the following
code into "Email code" field in the login form:
%s
If you haven't requested this operation, you can safely disregard this email.
"""
mailService.sendMail(email, subject, body % nonce)
return True
else:
# Binding via username/password
if not self.allow_password_bind:
return False
puid = identity.getWorkingParameter("puid")
if not puid:
return False
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
try:
logged_in = authenticationService.authenticate(user_name, user_password)
except Exception as e:
print(e)
if not logged_in:
identity.setWorkingParameter("errors", "Invalid username or password")
return False
user = authenticationService.getAuthenticatedUser()
if not user:
identity.setWorkingParameter("errors", "Invalid user")
return False
userService.addUserAttribute(user_name, "oxExternalUid", "wwpass:%s"%puid)
identity.setWorkingParameter("puid", None)
return True
return False
def authenticate(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "U2F. Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = CdiUtil.bean(UserService)
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
elif (step == 2):
print "U2F. Authenticate for step 2"
token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse")
if token_response == None:
print "U2F. Authenticate for step 2. tokenResponse is empty"
return False
auth_method = ServerUtil.getFirstValue(requestParameters, "authMethod")
if auth_method == None:
print "U2F. Authenticate for step 2. authMethod is empty"
return False
authenticationService = CdiUtil.bean(AuthenticationService)
user = authenticationService.getAuthenticatedUser()
if (user == None):
print "U2F. Prepare for step 2. Failed to determine user name"
return False
if (auth_method == 'authenticate'):
print "U2F. Prepare for step 2. Call FIDO U2F in order to finish authentication workflow"
authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration)
authenticationStatus = authenticationRequestService.finishAuthentication(user.getUserId(), token_response)
if (authenticationStatus.getStatus() != Constants.RESULT_SUCCESS):
print "U2F. Authenticate for step 2. Get invalid authentication status from FIDO U2F server"
return False
return True
elif (auth_method == 'enroll'):
print "U2F. Prepare for step 2. Call FIDO U2F in order to finish registration workflow"
registrationRequestService = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration)
registrationStatus = registrationRequestService.finishRegistration(user.getUserId(), token_response)
if (registrationStatus.getStatus() != Constants.RESULT_SUCCESS):
print "U2F. Authenticate for step 2. Get invalid registration status from FIDO U2F server"
return False
return True
else:
print "U2F. Prepare for step 2. Authenticatiod method is invalid"
return False
return False
else:
return False
