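def authenticate(self, configurationAttributes, requestParameters, step):
    """Step-1 password authentication against the configured RADIUS server.

    The username/password are read from the current Identity credentials and
    sent in an Access-Request (User-Name, User-Password) to the RADIUS server
    configured on ``self`` (``RADIUS_SERVER_IP``, ``RADIUS_SERVER_AUTH_PORT``,
    ``RADIUS_SERVER_ACCT_PORT``, ``RADIUS_SERVER_SECRET``). The local session is
    bound to the user with ``AuthenticationService.authenticate(user_name)``
    only after the server answers Access-Accept; RADIUS is therefore consulted
    before any local lookup of the user.

    Returns True when RADIUS accepts and the user exists locally; False for any
    other step, empty credentials, a missing/Reject/Challenge reply, or an
    unknown local user.
    """
    authenticationService = CdiUtil.bean(AuthenticationService)

    if step != 1:
        return False

    print("Radius. Authenticate for step 1")
    identity = CdiUtil.bean(Identity)
    credentials = identity.getCredentials()
    user_name = credentials.getUsername()
    user_password = credentials.getPassword()

    if not (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
        return False

    # The external password check runs first; the local session identity is
    # established only once it has succeeded, so a rejected password never
    # leaves a partially bound identity behind.
    client = RadiusClient(self.RADIUS_SERVER_IP,
                          int(self.RADIUS_SERVER_AUTH_PORT),
                          int(self.RADIUS_SERVER_ACCT_PORT),
                          self.RADIUS_SERVER_SECRET)
    accessRequest = RadiusPacket(RadiusPacket.ACCESS_REQUEST)
    accessRequest.setAttribute(RadiusAttribute(RadiusAttributeValues.USER_NAME, user_name))
    # User-Password travels PAP-style: its only protection on the wire is the
    # shared-secret obfuscation, so the path to the RADIUS server must be trusted.
    accessRequest.setAttribute(RadiusAttribute(RadiusAttributeValues.USER_PASSWORD, user_password))

    accessResponse = client.authenticate(accessRequest)
    if accessResponse is None:
        # Treat "no reply" (if the client signals it with None) as a failure.
        print("Radius. No response from RADIUS server")
        return False

    packet_type = accessResponse.getPacketType()
    print("Packet type - %s " % packet_type)

    # Anything other than Access-Accept (Reject, Challenge, ...) fails;
    # Access-Challenge round trips are not implemented by this script.
    if packet_type != RadiusPacket.ACCESS_ACCEPT:
        return False

    # Bind the local session to the user; False when the user is unknown locally.
    return authenticationService.authenticate(user_name)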
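def authenticate(self, configurationAttributes, requestParameters, step):
    """Password authentication for steps 1..3 of the demo reset flow.

    Every step performs the same username/password check against the local
    directory and records the outcome in the ``pass_authentication`` working
    parameter: it is reset to False before the check and set to True only on
    success.

    Returns True when the credentials are accepted, False otherwise or for a
    step outside 1..3.
    """
    authenticationService = CdiUtil.bean(AuthenticationService)

    if not (1 <= step <= 3):
        return False

    print("Basic (demo reset step). Authenticate for step '%s'" % step)
    identity = CdiUtil.bean(Identity)
    # Reset first so a failed or short-circuited check never leaves a stale True.
    identity.setWorkingParameter("pass_authentication", False)

    credentials = identity.getCredentials()
    user_name = credentials.getUsername()
    user_password = credentials.getPassword()

    if not (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
        return False
    if not authenticationService.authenticate(user_name, user_password):
        return False

    identity.setWorkingParameter("pass_authentication", True)
    return True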
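def authenticate_user_credentials(self, identity, authentication_service):
    """Authenticate the credentials held by *identity* via Azure AD or the local directory.

    The ``ADMIN`` account is always checked against the local Gluu LDAP. Every
    other user is authenticated non-interactively against Azure AD through
    ``authenticate_user_in_azure`` (using the ``azure_tenant_id``,
    ``azure_client_id`` and ``azure_client_secret`` names in scope). A reply
    containing the ``azure_user_uuid`` key counts as success; the user is then
    enrolled/refreshed in the local LDAP and the local session is bound to it.

    Args:
        identity: Identity bean holding the submitted credentials.
        authentication_service: AuthenticationService bean for the local login.

    Returns:
        True when the user is authenticated and bound locally, False otherwise.
    """
    credentials = identity.getCredentials()
    user_name = credentials.getUsername()
    user_password = credentials.getPassword()
    print("AzureAD. user_name: %s" % user_name)

    if not (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
        return False

    # Special condition to allow for Gluu admin login
    if StringHelper.equals(user_name, ADMIN):
        return self.authenticate_user_in_gluu_ldap(authentication_service, user_name, user_password)

    # Authenticate user credentials with Azure AD non-interactively
    azure_auth_response = self.authenticate_user_in_azure(azure_tenant_id, user_name, user_password, azure_client_id, azure_client_secret)
    # An empty/None reply means the call failed; json.loads would raise on it.
    if not azure_auth_response:
        print("AzureAD. Empty response from Azure AD for user %s" % user_name)
        return False

    # The raw response body is deliberately not logged: it may carry tokens or
    # other material that must not end up in the script log.
    try:
        azure_auth_response_json = json.loads(azure_auth_response)
    except ValueError:
        print("AzureAD. Response from Azure AD is not valid JSON")
        return False

    if azure_user_uuid not in azure_auth_response_json:
        # Azure authentication has failed.
        print("AzureAD. Authentication failed for user %s" % user_name)
        return False

    # Azure authentication has succeeded. User needs to be enrolled in Gluu LDAP
    user = self.enroll_azure_user_in_gluu_ldap(azure_auth_response_json)
    if user is None:
        # User Enrollment in Gluu LDAP has failed
        return False

    # Authenticating the user within Gluu
    user_authenticated_in_gluu = authentication_service.authenticate(user.getUserId())
    print("AzureAD: Authentication status of the user enrolled in Gluu LDAP %r " % user_authenticated_in_gluu)
    return user_authenticated_in_gluu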
def authenticate(self, configurationAttributes, requestParameters, step):
    """Step-1 password login that refuses users who already hold an active session.

    Returns False for any step other than 1, for empty credentials, for a
    rejected password, and when ``isFirstSession`` reports an existing session
    (an error message is queued for the login page in that case). Returns True
    otherwise.
    """
    authenticationService = CdiUtil.bean(AuthenticationService)

    if step != 1:
        return False

    print("Basic (one session). Authenticate for step 1")
    creds = CdiUtil.bean(Identity).getCredentials()
    login = creds.getUsername()
    secret = creds.getPassword()

    have_both = StringHelper.isNotEmptyString(login) and StringHelper.isNotEmptyString(secret)
    if not have_both:
        return False

    if not authenticationService.authenticate(login, secret):
        return False

    # A second concurrent session for the same user is rejected.
    if not self.isFirstSession(login):
        CdiUtil.bean(FacesMessages).add(FacesMessage.SEVERITY_ERROR, "Please, end active session first!")
        return False

    return True
def authenticate(self, configurationAttributes, requestParameters, step):
    """Step-1 login that tries each configured login attribute in turn.

    ``self.login_attributes_list_array[i]`` names the attribute the submitted
    value is matched against and ``self.local_login_attributes_list_array[i]``
    its local counterpart; the first pair the directory accepts wins.

    Returns True on the first successful pair, False when none succeeds, the
    credentials are empty, or the step is not 1.
    """
    authenticationService = CdiUtil.bean(AuthenticationService)

    if step != 1:
        return False

    print("Basic (multi login). Authenticate for step 1")
    credentials = CdiUtil.bean(Identity).getCredentials()
    key_value = credentials.getUsername()
    user_password = credentials.getPassword()

    if not (StringHelper.isNotEmptyString(key_value) and StringHelper.isNotEmptyString(user_password)):
        return False

    for idx, primary_key in enumerate(self.login_attributes_list_array):
        # The local attribute list is indexed in lockstep with the primary one.
        local_primary_key = self.local_login_attributes_list_array[idx]
        if authenticationService.authenticate(key_value, user_password, primary_key, local_primary_key):
            return True
    return False
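def authenticate(self, configurationAttributes, requestParameters, step):
    """Step-1 login by e-mail with support for ``local+tag@domain`` usernames.

    A submitted username of the form ``local+tag@domain`` is normalised to
    ``local@domain`` before being matched against the ``mail`` attribute; any
    other value is used as entered. A ``local+tag`` value without a domain part
    cannot be normalised and is rejected instead of raising IndexError.

    Returns True when the credentials are accepted, False otherwise or for a
    step other than 1.
    """
    authenticationService = CdiUtil.bean(AuthenticationService)

    if step != 1:
        return False

    print("Basic. Authenticate for step 1")
    identity = CdiUtil.bean(Identity)
    credentials = identity.getCredentials()

    user_name_array = StringHelper.split(credentials.getUsername(), "+")
    if len(user_name_array) == 0:
        return False
    if len(user_name_array) == 2:
        email_id_array = StringHelper.split(user_name_array[1], "@")
        if len(email_id_array) < 2:
            # "local+tag" with no "@domain": nothing to rebuild, fail closed.
            print("Username cannot be normalised: missing domain part")
            return False
        user_name = user_name_array[0] + "@" + email_id_array[1]
    else:
        user_name = user_name_array[0]
    print("Username for authentication is: %s " % user_name)

    user_password = credentials.getPassword()
    if not (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
        return False

    # Match the normalised value against the "mail" attribute (remote and local).
    if not authenticationService.authenticate(user_name, user_password, "mail", "mail"):
        return False
    return True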
def authenticate_user_credentials(self, identity, authentication_service):
    # Purpose: check the username/password held by *identity* against the local LDAP.
    # Returns the helper's result, or False when either credential is empty.
    credentials = identity.getCredentials()
    user_name = credentials.getUsername()
    user_password = credentials.getPassword()
    print "ThumbSignIn. user_name: " + user_name
    logged_in = False
    if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
        # NOTE(review): `self.authenticate_user_in.jans.ldap` is not a valid attribute
        # chain and fails with AttributeError at runtime; it looks like a search-and-
        # replace damaged a single helper name of the form `authenticate_user_in_..._ldap`.
        # Restore the helper's real name from the rest of this script — TODO confirm.
        logged_in = self.authenticate_user_in.jans.ldap(authentication_service, user_name, user_password)
    return logged_in
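def authenticate(self, configurationAttributes, requestParameters, step):
    """Two-step flow: password login (step 1), then an optional password change (step 2).

    Step 1 checks the submitted username/password against the local directory.
    Step 2 resolves the user from the authenticated session (never from the
    request) and, when the ``loginForm:updateButton`` request parameter is
    present, stores the submitted ``new_password`` on that user; without the
    button the step is a no-op that succeeds.

    Returns True when the step succeeds, False on failure or for other steps.
    """
    userService = CdiUtil.bean(UserService)
    authenticationService = CdiUtil.bean(AuthenticationService)
    identity = CdiUtil.bean(Identity)
    credentials = identity.getCredentials()
    user_name = credentials.getUsername()

    if step == 1:
        print("Basic (with password update). Authenticate for step 1")
        user_password = credentials.getPassword()
        if not (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            return False
        if not authenticationService.authenticate(user_name, user_password):
            return False
        return True

    if step == 2:
        print("Basic (with password update). Authenticate for step 2")
        # The target of the change is the user authenticated in step 1, not
        # whatever name the request carries.
        user = authenticationService.getAuthenticatedUser()
        if user is None:
            print("Basic (with password update). Authenticate for step 2. Failed to determine user name")
            return False
        user_name = user.getUserId()

        update_button = requestParameters.get("loginForm:updateButton")
        if ArrayHelper.isEmpty(update_button):
            return True

        new_password_array = requestParameters.get("new_password")
        if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
            print("Basic (with password update). Authenticate for step 2. New password is empty")
            return False
        new_password = new_password_array[0]

        find_user_by_uid = userService.getUser(user_name)
        if find_user_by_uid is None:
            # The session user is no longer in the directory; nothing to update.
            print("Basic (with password update). Authenticate for step 2. Failed to find user '%s'" % user_name)
            return False

        # Only the password attribute is touched; the new value is never logged.
        find_user_by_uid.setAttribute("userPassword", new_password)
        print("Basic (with password update). Authenticate for step 2. Attempting to set new user '%s' password" % user_name)
        userService.updateUser(find_user_by_uid)
        print("Basic (with password update). Authenticate for step 2. Password updated successfully")
        return True

    return False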
def authenticateImpl(self, credentials, authenticationService):
    """Check the username/password in *credentials* against the local directory.

    Returns True when both values are non-empty and the directory accepts
    them, False in every other case.
    """
    print("Basic (client group). Processing user name/password authentication")
    login = credentials.getUsername()
    secret = credentials.getPassword()

    if not StringHelper.isNotEmptyString(login):
        return False
    if not StringHelper.isNotEmptyString(secret):
        return False
    if not authenticationService.authenticate(login, secret):
        return False
    return True
def isPassedStep1():
    """Report whether step 1 left a username in the current credentials.

    Returns True when the Identity bean's credentials carry a non-empty
    username, False otherwise.
    """
    current_credentials = CdiUtil.bean(Identity).getCredentials()
    return StringHelper.isNotEmptyString(current_credentials.getUsername())
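def createLdapExtendedEntryManagers(self, authConfiguration):
    """Build one LDAP entry manager per extended configuration in *authConfiguration*.

    For every configuration returned by ``createLdapExtendedConfigurations``
    the connection settings are copied into a Java ``Properties`` object
    (keys prefixed with the persistence type, list values joined with ", "),
    the bind password is added when configured, and an entry manager is
    created from those properties.

    Returns:
        A list of dicts with keys ``ldapConfiguration``, ``ldapProperties``,
        ``loginAttributes``, ``localLoginAttributes`` and ``ldapEntryManager``.
        ``ldapProperties`` holds the bind password in clear, so these dicts
        must not be logged or serialised.
    """
    ldapExtendedConfigurations = self.createLdapExtendedConfigurations(authConfiguration)

    persistanceFactoryService = CdiUtil.bean(PersistanceFactoryService)
    ldapEntryManagerFactory = persistanceFactoryService.getPersistenceEntryManagerFactory(LdapEntryManagerFactory)
    persistenceType = ldapEntryManagerFactory.getPersistenceType()

    def as_property_value(value):
        # Lists become a ", "-joined string; everything else goes through str().
        if isinstance(value, list):
            return ", ".join(value)
        return str(value)

    ldapExtendedEntryManagers = []
    for ldapExtendedConfiguration in ldapExtendedConfigurations:
        connectionConfiguration = ldapExtendedConfiguration["connectionConfiguration"]
        ldapConfiguration = ldapExtendedConfiguration["ldapConfiguration"]

        ldapProperties = Properties()
        for key, value in connectionConfiguration.items():
            ldapProperties.setProperty(persistenceType + "." + key, as_property_value(value))

        bindPassword = ldapConfiguration.getBindPassword()
        if StringHelper.isNotEmptyString(bindPassword):
            ldapProperties.setProperty(persistenceType + ".bindPassword", bindPassword)

        ldapEntryManager = ldapEntryManagerFactory.createEntryManager(ldapProperties)
        ldapExtendedEntryManagers.append({
            "ldapConfiguration": ldapConfiguration,
            "ldapProperties": ldapProperties,
            "loginAttributes": ldapExtendedConfiguration["loginAttributes"],
            "localLoginAttributes": ldapExtendedConfiguration["localLoginAttributes"],
            "ldapEntryManager": ldapEntryManager,
        })

    return ldapExtendedEntryManagers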
def isPassedDefaultAuthentication(self):
    """Report whether the default (step 1) authentication left a username behind.

    Returns True when the current Identity's credentials hold a non-empty
    username, False otherwise.
    """
    creds = CdiUtil.bean(Identity).getCredentials()
    return StringHelper.isNotEmptyString(creds.getUsername())
def authenticate(self, configurationAttributes, requestParameters, step):
    """Step-1 login tried against every configured LDAP backend and login attribute.

    Iterates ``self.ldapExtendedEntryManagers`` (dicts with
    ``ldapConfiguration``, ``ldapEntryManager``, ``loginAttributes`` and
    ``localLoginAttributes``) and, per backend, each attribute pair in order.
    The attempt is timed with ``USER_AUTHENTICATION_RATE`` and counted as a
    success or failure in the metric service.

    Returns True on the first backend/attribute pair that accepts the
    credentials, False when none does, the credentials are empty, or the
    step is not 1.
    """
    authenticationService = CdiUtil.bean(AuthenticationService)

    if step != 1:
        return False

    print("Basic (multi auth conf). Authenticate for step 1")
    credentials = CdiUtil.bean(Identity).getCredentials()
    metricService = CdiUtil.bean(MetricService)
    timerContext = metricService.getTimer(MetricType.USER_AUTHENTICATION_RATE).time()
    try:
        keyValue = credentials.getUsername()
        userPassword = credentials.getPassword()
        if StringHelper.isNotEmptyString(keyValue) and StringHelper.isNotEmptyString(userPassword):
            for backend in self.ldapExtendedEntryManagers:
                ldapConfiguration = backend["ldapConfiguration"]
                ldapEntryManager = backend["ldapEntryManager"]
                loginAttributes = backend["loginAttributes"]
                localLoginAttributes = backend["localLoginAttributes"]
                print("Basic (multi auth conf). Authenticate for step 1. Using configuration: " + ldapConfiguration.getConfigId())

                # Attribute lists are indexed in lockstep.
                for idx in range(len(loginAttributes)):
                    accepted = authenticationService.authenticate(
                        ldapConfiguration, ldapEntryManager, keyValue, userPassword,
                        loginAttributes[idx], localLoginAttributes[idx])
                    if accepted:
                        metricService.incCounter(MetricType.USER_AUTHENTICATION_SUCCESS)
                        return True
    finally:
        # Stops the timer on every exit path, including the early return above.
        timerContext.stop()

    metricService.incCounter(MetricType.USER_AUTHENTICATION_FAILURES)
    return False
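def processBasicAuthentication(self, credentials):
    """Check username/password and return the authenticated User, or None.

    Returns None when either credential is empty, the directory rejects the
    pair, or the authenticated user cannot be resolved afterwards; otherwise
    the User reported by ``AuthenticationService.getAuthenticatedUser``.
    """
    authenticationService = CdiUtil.bean(AuthenticationService)

    user_name = credentials.getUsername()
    user_password = credentials.getPassword()

    if not (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
        return None
    if not authenticationService.authenticate(user_name, user_password):
        return None

    # Resolve the user from the authenticated session rather than from the request.
    find_user_by_uid = authenticationService.getAuthenticatedUser()
    if find_user_by_uid is None:
        print("UAF. Process basic authentication. Failed to find user '%s'" % user_name)
        return None
    return find_user_by_uid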
def authenticate(self, configurationAttributes, requestParameters, step):
    """Plain step-1 username/password check for the external-logout flow.

    Returns True when both credentials are non-empty and accepted by the
    directory, False otherwise or for a step other than 1.
    """
    authenticationService = CdiUtil.bean(AuthenticationService)

    if step != 1:
        return False

    print("Basic (with external logout). Authenticate for step 1")
    creds = CdiUtil.bean(Identity).getCredentials()
    login, secret = creds.getUsername(), creds.getPassword()

    if StringHelper.isNotEmptyString(login) and StringHelper.isNotEmptyString(secret):
        if authenticationService.authenticate(login, secret):
            return True
    return False
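def authenticate(self, configurationAttributes, requestParameters, step):
    """Step-1 password login gated by an allow-list of countries.

    When ``self.allowedCountries`` (comma-separated country codes) is
    non-empty, the ``remote_ip`` recorded in the session is geolocated with
    ``determineGeolocationData`` and the login is refused unless the result's
    ``countryCode`` is on the list. The gate fails closed: a missing
    ``remote_ip`` or a failed lookup refuses the login as well.

    Returns True when the gate passes and the credentials are accepted,
    False otherwise or for a step other than 1.
    """
    identity = CdiUtil.bean(Identity)
    session_attributes = identity.getSessionId().getSessionAttributes()
    authenticationService = CdiUtil.bean(AuthenticationService)

    allowedCountriesListArray = StringHelper.split(self.allowedCountries, ",")
    if len(allowedCountriesListArray) > 0:
        if not session_attributes.containsKey("remote_ip"):
            # An allow-list is configured but there is no address to check:
            # deny rather than silently skipping the gate.
            print("Basic. Authenticate. Country allow-list configured but remote_ip is not in the session")
            return False
        remote_ip = session_attributes.get("remote_ip")
        # NOTE(review): remote_ip is whatever the session recorded; if it is
        # derived from a client-supplied header the gate can be spoofed — confirm.
        remote_loc_dic = self.determineGeolocationData(remote_ip)
        if remote_loc_dic is None:
            print("Basic. Authenticate. Failed to determine remote location by remote IP '%s'" % remote_ip)
            return False
        remote_loc = "%s" % (remote_loc_dic['countryCode'])
        print("Your remote location is " + remote_loc)
        if remote_loc not in allowedCountriesListArray:
            return False

    if step != 1:
        return False

    print("Basic. Authenticate for step 1")
    credentials = identity.getCredentials()
    user_name = credentials.getUsername()
    user_password = credentials.getPassword()

    if not (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
        return False
    if not authenticationService.authenticate(user_name, user_password):
        return False
    return True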
def getClientConfiguration(self, configurationAttributes, requestParameters):
    """Resolve the per-client Google+ configuration for the current request.

    The client attribute to read is named by the
    ``gplus_client_configuration_attribute`` script property. The client id is
    taken from the ``client_id`` request parameter, else from the session
    attributes of the current Identity when ``sessionAttributes`` is set.

    Returns the client's custom attribute object when the client exists and
    the attribute has a value, None in every other case (property missing,
    no request, no client id, unknown client, empty attribute).
    """
    # Get client configuration
    if not configurationAttributes.containsKey("gplus_client_configuration_attribute"):
        return None
    attr_name = configurationAttributes.get("gplus_client_configuration_attribute").getValue2()
    print("Google+ GetClientConfiguration. Using client attribute: '%s'" % attr_name)

    if requestParameters is None:
        return None

    # Attempt to determine client_id from request
    clientId = None
    clientIdArray = requestParameters.get("client_id")
    if ArrayHelper.isNotEmpty(clientIdArray) and StringHelper.isNotEmptyString(clientIdArray[0]):
        clientId = clientIdArray[0]

    # Attempt to determine client_id from event context
    if clientId is None:
        identity = CdiUtil.bean(Identity)
        if identity.isSetWorkingParameter("sessionAttributes"):
            clientId = identity.getSessionId().getSessionAttributes().get("client_id")

    if clientId is None:
        print("Google+ GetClientConfiguration. client_id is empty")
        return None

    clientService = CdiUtil.bean(ClientService)
    client = clientService.getClient(clientId)
    if client is None:
        print("Google+ GetClientConfiguration. Failed to find client '%s' in local LDAP" % clientId)
        return None

    clientConfiguration = clientService.getCustomAttribute(client, attr_name)
    if clientConfiguration is None or StringHelper.isEmpty(clientConfiguration.getValue()):
        print("Google+ GetClientConfiguration. Client '%s' attribute '%s' is empty" % (clientId, attr_name))
        return None

    print("Google+ GetClientConfiguration. Client '%s' attribute '%s' is '%s'" % (clientId, attr_name, clientConfiguration))
    return clientConfiguration
def getClientConfiguration(self, configurationAttributes, requestParameters):
    """Resolve the per-client SAML configuration for the current request.

    The client attribute to read is named by the
    ``saml_client_configuration_attribute`` script property. The client id is
    taken from the ``client_id`` request parameter, else from the session
    attributes of the current Identity when a session exists.

    Returns the client's custom attribute object when the client exists and
    the attribute has a value, None in every other case (property missing,
    no request, no client id, unknown client, empty attribute).
    """
    # Get client configuration
    if not configurationAttributes.containsKey("saml_client_configuration_attribute"):
        return None
    attr_name = configurationAttributes.get("saml_client_configuration_attribute").getValue2()
    print("Asimba. GetClientConfiguration. Using client attribute: '%s'" % attr_name)

    if requestParameters is None:
        return None

    # client_id from the request, else from the session
    client_id = None
    client_id_array = requestParameters.get("client_id")
    if ArrayHelper.isNotEmpty(client_id_array) and StringHelper.isNotEmptyString(client_id_array[0]):
        client_id = client_id_array[0]
    if client_id is None:
        session = CdiUtil.bean(Identity).getSessionId()
        if session is not None:
            client_id = session.getSessionAttributes().get("client_id")
    if client_id is None:
        print("Asimba. GetClientConfiguration. client_id is empty")
        return None

    clientService = CdiUtil.bean(ClientService)
    client = clientService.getClient(client_id)
    if client is None:
        print("Asimba. GetClientConfiguration. Failed to find client '%s' in local LDAP" % client_id)
        return None

    saml_client_configuration = clientService.getCustomAttribute(client, attr_name)
    if saml_client_configuration is None or StringHelper.isEmpty(saml_client_configuration.getValue()):
        print("Asimba. GetClientConfiguration. Client '%s' attribute '%s' is empty" % (client_id, attr_name))
        return None

    print("Asimba. GetClientConfiguration. Client '%s' attribute '%s' is '%s'" % (client_id, attr_name, saml_client_configuration))
    return saml_client_configuration
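def authenticate(self, configurationAttributes, requestParameters, step):
    """Step-1 login for directories whose stored hashes may be BCrypt or SSHA.

    The stored ``userPassword`` value is expected to start with a ``{SCHEME}``
    tag. ``SSHA`` hashes are verified by the directory itself. ``BCRYPT``
    hashes are verified here with ``BCrypt.hashpw`` using the cost and salt
    parsed from the stored value; on a match the user's password is rewritten
    in clear so the directory re-hashes it in its own scheme, and the session
    is then bound to the user by name. Any other scheme is rejected.

    Returns True when the user is authenticated; False for empty credentials,
    unknown users, an empty stored password, unrecognised or malformed
    schemes, a mismatch, or a step other than 1.
    """
    authenticationService = CdiUtil.bean(AuthenticationService)

    if step != 1:
        return False

    print("BCrypt Auth. Authenticate for step 1")
    identity = CdiUtil.bean(Identity)
    credentials = identity.getCredentials()
    user_name = credentials.getUsername()
    user_password = credentials.getPassword()

    if not (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
        return False

    userService = CdiUtil.bean(UserService)
    user = userService.getUser(user_name)
    if user is None:
        # Unknown user: fail like a wrong password instead of raising.
        print("BCrypt Auth. User not found")
        return False

    hashed_stored_pass = user.getAttribute("userPassword")
    if not hashed_stored_pass:
        print("BCrypt Auth. Stored password is empty")
        return False

    def password_schema(stored):
        # The scheme tag sits between '{' and '}', e.g.
        # {BCRYPT}$2b$08$71gBXNKJ/iUBXqLjEdEXFesoUYQm5vrpKefi8YhV7ITGfAd9VNFaG -> "BCRYPT"
        schema = ''
        for char in stored:
            if char == '{':
                continue
            if char == '}':
                break
            schema = schema + char
        return schema

    def bcrypt_matches(stored, cleartext):
        # Modular-crypt layout after the tag: $<version>$<cost>$<22-char salt><31-char hash>
        parts = stored.split("$")
        if len(parts) < 4:
            print("BCrypt Auth. Stored BCrypt hash is malformed")
            return False
        cost = parts[2].strip()
        salt_and_hash = parts[3].strip()
        if len(salt_and_hash) < 22:
            print("BCrypt Auth. Stored BCrypt hash is malformed")
            return False
        # Re-hash the challenge with the stored cost and salt. The version tag is
        # rewritten to $2a$ (presumably the only variant the BCrypt library used
        # here accepts — confirm); $2a$ and $2b$ agree for passwords under 256 bytes.
        challenge = BCrypt.hashpw(cleartext, '$2a$' + cost + '$' + salt_and_hash[0:22])
        # Compare only the salt+hash segment so the rewritten version tag is
        # ignored. The digests are never written to the log.
        return challenge.split("$")[3].strip() == salt_and_hash

    schema = password_schema(hashed_stored_pass)
    print("Password Schema is: " + schema)

    logged_in = False
    if 'SSHA' in schema:
        # OpenDJ's SSHA(512): the directory verifies the password itself.
        logged_in = authenticationService.authenticate(user_name, user_password)
    elif 'BCRYPT' in schema:
        if bcrypt_matches(hashed_stored_pass, user_password):
            # The hash matched: store the password in clear so the directory
            # re-hashes it in its own scheme, then bind the session by user name.
            print("Updating hash..")
            user.setAttribute("userPassword", user_password)
            user = userService.updateUser(user)
            print("Logging in..")
            logged_in = authenticationService.authenticate(user_name)
    else:
        # Unknown scheme types are reported to oxauth_script.log and rejected.
        # This script can be expanded to include other password schemas.
        print("Unrecognized algorithm: " + schema)

    # Both accepted paths have already bound the session; no second
    # name-only authenticate() call is needed.
    if not logged_in:
        return False
    return True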
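def authenticate(self, configurationAttributes, requestParameters, step):
    """Two-step OneID login: validate the OneID assertion, then optionally link it locally.

    Step 1 reads the ``json_data`` request parameter, has the OneID helper
    server validate it (HTTP Basic auth built from the api id/key loaded from
    the credentials file) and takes the OneID ``uid`` from the validated
    response merged over the request. If a local user already carries
    ``oxExternalUid = oneid:<uid>`` the credentials are bound to that user and
    the flow is one step long; otherwise the uid is parked in the
    ``oneid_user_uid`` working parameter and a second step is requested.

    Step 2 authenticates the local username/password from the session and
    links the parked uid to that user, refusing a uid already attached to a
    different account.

    Script properties read: ``oneid_server_flag``, ``oneid_creds_file``.

    Returns True when the step succeeds, False otherwise or for other steps.
    """
    identity = CdiUtil.bean(Identity)
    userService = CdiUtil.bean(UserService)
    authenticationService = CdiUtil.bean(AuthenticationService)
    httpService = CdiUtil.bean(HttpService)

    server_flag = configurationAttributes.get("oneid_server_flag").getValue2()
    creds_file = configurationAttributes.get("oneid_creds_file").getValue2()

    # Create OneID and point it at the credentials file
    authn = OneID(server_flag)
    authn.creds_file = creds_file

    def validate_with_helper(request):
        # Ask the OneID helper server to validate the client's assertion; returns
        # the parsed JSON reply, or None when nothing usable came back.
        authn.set_credentials()
        http_client = httpService.getHttpsClientDefaulTrustStore()
        auth_data = httpService.encodeBase64(authn.api_id + ":" + authn.api_key)
        http_response = httpService.executePost(http_client, authn.helper_server + "/validate", auth_data, request, ContentType.APPLICATION_JSON)
        if http_response is None:
            print("OneId. Authenticate for step 1. No response from helper server")
            return None
        validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_response))
        # Checked before it is concatenated into the log line, so a None body cannot raise.
        if StringHelper.isEmptyString(validation_content):
            print("OneId. Authenticate for step 1. validation_content is empty")
            return None
        print("OneId. Authenticate for step 1. validation_content: " + validation_content)
        try:
            return json.loads(validation_content)
        except ValueError:
            print("OneId. Authenticate for step 1. validation_content is not valid JSON")
            return None

    def step_one():
        print("OneId. Authenticate for step 1")
        # Find OneID request
        json_data_array = requestParameters.get("json_data")
        if ArrayHelper.isEmpty(json_data_array):
            print("OneId. Authenticate for step 1. json_data is empty")
            return False
        request = json_data_array[0]
        if StringHelper.isEmptyString(request):
            return False
        print("OneId. Authenticate for step 1. request: " + request)

        validation_resp = validate_with_helper(request)
        if validation_resp is None:
            return False
        print("OneId. Authenticate for step 1. validation_resp: " + str(validation_resp))
        if not authn.success(validation_resp):
            return False

        # Merge the validated reply over the client's request; keys returned by
        # the helper server take precedence.
        # NOTE(review): 'uid' is read from the merged dict, so it would come from
        # the client-supplied json_data whenever the helper reply lacks it —
        # confirm the /validate reply always carries uid.
        try:
            response = json.loads(request)
        except ValueError:
            print("OneId. Authenticate for step 1. json_data is not valid JSON")
            return False
        for x in validation_resp:
            response[x] = validation_resp[x]
        oneid_user_uid = response.get('uid')
        if not oneid_user_uid:
            print("OneId. Authenticate for step 1. uid is missing from the validated response")
            return False
        print("OneId. Authenticate for step 1. oneid_user_uid: " + oneid_user_uid)

        # Check whether a local user already carries this OneID uid
        find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "oneid:" + oneid_user_uid)
        if find_user_by_uid is None:
            print("OneId. Authenticate for step 1. Failed to find user")
            print("OneId. Authenticate for step 1. Setting count steps to 2")
            identity.setWorkingParameter("oneid_count_login_steps", 2)
            identity.setWorkingParameter("oneid_user_uid", oneid_user_uid)
            return True

        found_user_name = find_user_by_uid.getUserId()
        print("OneId. Authenticate for step 1. found_user_name: " + found_user_name)
        credentials = identity.getCredentials()
        credentials.setUsername(found_user_name)
        credentials.setUser(find_user_by_uid)
        print("OneId. Authenticate for step 1. Setting count steps to 1")
        identity.setWorkingParameter("oneid_count_login_steps", 1)
        return True

    def step_two():
        print("OneId. Authenticate for step 2")
        sessionAttributes = identity.getSessionId().getSessionAttributes()
        if sessionAttributes is None or not sessionAttributes.containsKey("oneid_user_uid"):
            print("OneId. Authenticate for step 2. oneid_user_uid is empty")
            return False
        # The uid to link comes from the session parked in step 1, never from the request.
        oneid_user_uid = sessionAttributes.get("oneid_user_uid")
        if not StringHelper.isNotEmptyString(oneid_user_uid):
            return False

        credentials = identity.getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()
        if not (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            return False
        if not authenticationService.authenticate(user_name, user_password):
            return False

        # Avoid mapping one OneID account to more than one local account.
        find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "oneid:" + oneid_user_uid)
        if find_user_by_uid is None:
            # Add oneid_user_uid to the user's external UIDs
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "oneid:" + oneid_user_uid)
            if find_user_by_uid is None:
                print("OneId. Authenticate for step 2. Failed to update current user")
                return False
            return True

        found_user_name = find_user_by_uid.getUserId()
        print("OneId. Authenticate for step 2. found_user_name: " + found_user_name)
        # Only the account that already owns this uid may log in with it.
        if StringHelper.equals(user_name, found_user_name):
            return True
        return False

    if step == 1:
        return step_one()
    if step == 2:
        return step_two()
    return False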
def containsAttributeString(self, dictionary, attribute):
    """Return True when *attribute* is a key of *dictionary* whose value is a non-empty string."""
    if attribute not in dictionary:
        return False
    return StringHelper.isNotEmptyString(dictionary[attribute])
def authenticate(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) saml_map_user = False saml_enroll_user = False saml_enroll_all_user_attr = False # Use saml_deployment_type only if there is no attributes mapping if configurationAttributes.containsKey("saml_deployment_type"): saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2()) if StringHelper.equalsIgnoreCase(saml_deployment_type, "map"): saml_map_user = True if StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll"): saml_enroll_user = True if StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr"): saml_enroll_all_user_attr = True saml_allow_basic_login = False if configurationAttributes.containsKey("saml_allow_basic_login"): saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False) use_basic_auth = False if saml_allow_basic_login: # Detect if user used basic authnetication method user_name = credentials.getUsername() user_password = credentials.getPassword() if StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password): use_basic_auth = True if (step == 1) and saml_allow_basic_login and use_basic_auth: print "Asimba. Authenticate for step 1. Basic authentication" identity.setWorkingParameter("saml_count_login_steps", 1) user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False return True if (step == 1): print "Asimba. 
Authenticate for step 1" currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters) if (currentSamlConfiguration == None): print "Asimba. Prepare for step 1. Client saml configuration is invalid" return False saml_response_array = requestParameters.get("SAMLResponse") if ArrayHelper.isEmpty(saml_response_array): print "Asimba. Authenticate for step 1. saml_response is empty" return False saml_response = saml_response_array[0] print "Asimba. Authenticate for step 1. saml_response: '%s'" % saml_response samlResponse = Response(currentSamlConfiguration) samlResponse.loadXmlFromBase64(saml_response) saml_validate_response = True if configurationAttributes.containsKey("saml_validate_response"): saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False) if saml_validate_response: if not samlResponse.isValid(): print "Asimba. Authenticate for step 1. saml_response isn't valid" return False if samlResponse.isAuthnFailed(): print "Asimba. Authenticate for step 1. saml_response AuthnFailed" return False saml_response_attributes = samlResponse.getAttributes() print "Asimba. Authenticate for step 1. attributes: '%s'" % saml_response_attributes if saml_map_user: saml_user_uid = self.getSamlNameId(samlResponse) if saml_user_uid == None: return False # Use mapping to local IDP user print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid # Check if the is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid) if find_user_by_uid == None: print "Asimba. Authenticate for step 1. Failed to find user" print "Asimba. Authenticate for step 1. 
Setting count steps to 2" identity.setWorkingParameter("saml_count_login_steps", 2) identity.setWorkingParameter("saml_user_uid", saml_user_uid) return True found_user_name = find_user_by_uid.getUserId() print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate(found_user_name) if user_authenticated == False: print "Asimba. Authenticate for step 1. Failed to authenticate user" return False print "Asimba. Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif saml_enroll_user: # Convert SAML response to user entry newUser = self.getMappedUser(configurationAttributes, requestParameters, saml_response_attributes) saml_user_uid = self.getNameId(samlResponse, newUser) if saml_user_uid == None: return False self.setDefaultUid(newUser, saml_user_uid) newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid) # Use auto enrollment to local IDP print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid # Check if there is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid) if find_user_by_uid == None: # Auto user enrollment print "Asimba. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP" print "Asimba. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes()) user_unique = self.checkUserUniqueness(newUser) if not user_unique: print "Asimba. Authenticate for step 1. Failed to add user: '******'. 
User not unique" % newUser.getUserId() facesMessages = CdiUtil.bean(FacesMessages) facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to enroll. User with same key attributes exist already") facesMessages.setKeepMessages() return False find_user_by_uid = userService.addUser(newUser, True) print "Asimba. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId() else: if self.updateUser: print "Asimba. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes()) find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes()) userService.updateUser(find_user_by_uid) print "Asimba. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid found_user_name = find_user_by_uid.getUserId() print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate(found_user_name) if user_authenticated == False: print "Asimba. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name return False print "Asimba. Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif saml_enroll_all_user_attr: # Convert SAML response to user entry newUser = self.getMappedAllAttributesUser(saml_response_attributes) saml_user_uid = self.getNameId(samlResponse, newUser) if saml_user_uid == None: return False self.setDefaultUid(newUser, saml_user_uid) newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid) print "Asimba. Authenticate for step 1. 
Attempting to find user by oxExternalUid: saml:%s" % saml_user_uid # Check if there is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid) if find_user_by_uid == None: # Auto user enrollment print "Asimba. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP" print "Asimba. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes()) user_unique = self.checkUserUniqueness(newUser) if not user_unique: print "Asimba. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId() facesMessages = CdiUtil.bean(FacesMessages) facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to enroll. User with same key attributes exist already") facesMessages.setKeepMessages() return False find_user_by_uid = userService.addUser(newUser, True) print "Asimba. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId() else: if self.updateUser: print "Asimba. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes()) find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes()) userService.updateUser(find_user_by_uid) print "Asimba. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid found_user_name = find_user_by_uid.getUserId() print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate(found_user_name) if user_authenticated == False: print "Asimba. Authenticate for step 1. Failed to authenticate user" return False print "Asimba. Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Asimba. Authenticate for step 1. 
post_login_result: '%s'" % post_login_result return post_login_result else: if saml_user_uid == None: return False # Check if the is user with specified saml_user_uid print "Asimba. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid find_user_by_uid = userService.getUser(saml_user_uid) if find_user_by_uid == None: print "Asimba. Authenticate for step 1. Failed to find user" return False found_user_name = find_user_by_uid.getUserId() print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate(found_user_name) if user_authenticated == False: print "Asimba. Authenticate for step 1. Failed to authenticate user" return False print "Asimba. Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif (step == 2): print "Asimba. Authenticate for step 2" sessionAttributes = identity.getSessionId().getSessionAttributes() if (sessionAttributes == None) or not sessionAttributes.containsKey("saml_user_uid"): print "Asimba. Authenticate for step 2. 
saml_user_uid is empty" return False saml_user_uid = sessionAttributes.get("saml_user_uid") passed_step1 = StringHelper.isNotEmptyString(saml_user_uid) if not passed_step1: return False user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): logged_in = authenticationService.authenticate(user_name, user_password) if not logged_in: return False # Check if there is user which has saml_user_uid # Avoid mapping Saml account to more than one IDP account find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid) if find_user_by_uid == None: # Add saml_user_uid to user one id UIDs find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:%s" % saml_user_uid) if find_user_by_uid == None: print "Asimba. Authenticate for step 2. Failed to update current user" return False post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Asimba. Authenticate for step 2. post_login_result: '%s'" % post_login_result return post_login_result else: found_user_name = find_user_by_uid.getUserId() print "Asimba. Authenticate for step 2. found_user_name: '%s'" % found_user_name if StringHelper.equals(user_name, found_user_name): post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Asimba. Authenticate for step 2. post_login_result: '%s'" % post_login_result return post_login_result return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Google+ login script: decide whether the current authentication step passes.

    Step 1 either accepts a local username/password (when no Google
    authorization code was posted) or exchanges the posted code for tokens,
    reads the Google subject id from the ID token and resolves it to a local
    account according to ``gplus_deployment_type``:

    * ``map``    -- the Google id must already be stored as ``oxExternalUid``
                    ``gplus:<sub>``; otherwise a second step is requested so the
                    user can bind it with a local password.
    * ``enroll`` -- unknown Google ids are auto-enrolled as new local users.
    * other      -- the Google subject id is looked up directly as a local uid.

    Step 2 (``map`` only) verifies a local password and then records the
    Google id on that account, refusing to bind an id already bound elsewhere.

    Args:
        configurationAttributes: script configuration (Java map of
            ``SimpleCustomProperty``); ``gplus_deployment_type`` is read here.
        requestParameters: request parameter map; ``gplus_auth_code`` is read.
        step: the step number the engine is executing (1 or 2).

    Returns:
        True when the step succeeded, False otherwise. Success of the final
        step additionally depends on ``self.extensionPostLogin``.
    """
    identity = CdiUtil.bean(Identity)
    userService = CdiUtil.bean(UserService)
    authenticationService = CdiUtil.bean(AuthenticationService)

    # Both flags stay False for any value other than "map"/"enroll", which
    # selects the plain uid-lookup branch below.
    mapUserDeployment = False
    enrollUserDeployment = False
    if (configurationAttributes.containsKey("gplus_deployment_type")):
        deploymentType = StringHelper.toLowerCase(configurationAttributes.get("gplus_deployment_type").getValue2())
        if (StringHelper.equalsIgnoreCase(deploymentType, "map")):
            mapUserDeployment = True
        if (StringHelper.equalsIgnoreCase(deploymentType, "enroll")):
            enrollUserDeployment = True

    if (step == 1):
        print "Google+ Authenticate for step 1"

        # NOTE(review): requestParameters.get() returns None when the form did
        # not post gplus_auth_code at all, so the [0] below raises instead of
        # falling through to basic auth (compare ServerUtil.getFirstValue in
        # the cert script).
        gplusAuthCodeArray = requestParameters.get("gplus_auth_code")
        gplusAuthCode = gplusAuthCodeArray[0]

        # Check if user uses basic method to log in
        useBasicAuth = False
        if (StringHelper.isEmptyString(gplusAuthCode)):
            useBasicAuth = True

        # Use basic method to log in
        if (useBasicAuth):
            print "Google+ Authenticate for step 1. Basic authentication"
            identity.setWorkingParameter("gplus_count_login_steps", 1)
            credentials = identity.getCredentials()
            userName = credentials.getUsername()
            userPassword = credentials.getPassword()
            loggedIn = False
            if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)):
                userService = CdiUtil.bean(UserService)
                loggedIn = authenticationService.authenticate(userName, userPassword)
            if (not loggedIn):
                return False
            return True

        # Use Google+ method to log in
        # NOTE(review): this writes the OAuth authorization code to the log.
        # It is single-use, but it is still a credential until redeemed.
        print "Google+ Authenticate for step 1. gplusAuthCode:", gplusAuthCode

        currentClientSecrets = self.getCurrentClientSecrets(self.clientSecrets, configurationAttributes, requestParameters)
        if (currentClientSecrets == None):
            print "Google+ Authenticate for step 1. Client secrets configuration is invalid"
            return False

        print "Google+ Authenticate for step 1. Attempting to gets tokens"
        tokenResponse = self.getTokensByCode(self.clientSecrets, configurationAttributes, gplusAuthCode)
        if ((tokenResponse == None) or (tokenResponse.getIdToken() == None) or (tokenResponse.getAccessToken() == None)):
            print "Google+ Authenticate for step 1. Failed to get tokens"
            return False
        else:
            print "Google+ Authenticate for step 1. Successfully gets tokens"

        jwt = Jwt.parse(tokenResponse.getIdToken())
        # TODO: Validate ID Token Signature
        # NOTE(review): nothing visible here checks the token's signature,
        # issuer, audience or expiry before the subject claim is trusted as
        # the user's identity. The token was just obtained from the token
        # endpoint by getTokensByCode(), which may be relied on for integrity
        # if that exchange is over TLS -- confirm that helper, and add the
        # iss/aud/exp checks if it does not do them.

        gplusUserUid = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER)
        print "Google+ Authenticate for step 1. Found Google user ID in the ID token: '%s'" % gplusUserUid

        if (mapUserDeployment):
            # Use mapping to local IDP user
            print "Google+ Authenticate for step 1. Attempting to find user by oxExternalUid: 'gplus:%s'" % gplusUserUid

            # Check if there is user with specified gplusUserUid
            foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
            if (foundUser == None):
                # Not bound yet: ask for a second step so the user proves a
                # local password before the Google id is attached (step 2).
                print "Google+ Authenticate for step 1. Failed to find user"
                print "Google+ Authenticate for step 1. Setting count steps to 2"
                identity.setWorkingParameter("gplus_count_login_steps", 2)
                identity.setWorkingParameter("gplus_user_uid", gplusUserUid)
                return True

            foundUserName = foundUser.getUserId()
            print "Google+ Authenticate for step 1. foundUserName: '******'" % foundUserName

            # Single-argument authenticate(): establishes the session for the
            # mapped user without a password -- the Google login is the proof.
            userAuthenticated = authenticationService.authenticate(foundUserName)
            if (userAuthenticated == False):
                print "Google+ Authenticate for step 1. Failed to authenticate user"
                return False

            print "Google+ Authenticate for step 1. Setting count steps to 1"
            identity.setWorkingParameter("gplus_count_login_steps", 1)

            postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
            print "Google+ Authenticate for step 1. postLoginResult: '%s'" % postLoginResult

            return postLoginResult
        elif (enrollUserDeployment):
            # Use auto enrollment to local IDP
            print "Google+ Authenticate for step 1. Attempting to find user by oxExternalUid: 'gplus:%s'" % gplusUserUid

            # Check if there is user with specified gplusUserUid
            foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
            if (foundUser == None):
                # Auto user enrollemnt
                print "Google+ Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"

                print "Google+ Authenticate for step 1. Attempting to gets user info"
                userInfoResponse = self.getUserInfo(currentClientSecrets, configurationAttributes, tokenResponse.getAccessToken())
                if ((userInfoResponse == None) or (userInfoResponse.getClaims().size() == 0)):
                    print "Google+ Authenticate for step 1. Failed to get user info"
                    return False
                else:
                    print "Google+ Authenticate for step 1. Successfully gets user info"

                gplusResponseAttributes = userInfoResponse.getClaims()

                # Convert Google+ user claims to lover case
                gplusResponseNormalizedAttributes = HashMap()
                for gplusResponseAttributeEntry in gplusResponseAttributes.entrySet():
                    gplusResponseNormalizedAttributes.put(
                        StringHelper.toLowerCase(gplusResponseAttributeEntry.getKey()), gplusResponseAttributeEntry.getValue())

                currentAttributesMapping = self.getCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
                print "Google+ Authenticate for step 1. Using next attributes mapping '%s'" % currentAttributesMapping

                # Copy remote claims into the new entry; a claim missing from
                # the userinfo response is stored as None for its local name.
                newUser = User()
                for attributesMappingEntry in currentAttributesMapping.entrySet():
                    remoteAttribute = attributesMappingEntry.getKey()
                    localAttribute = attributesMappingEntry.getValue()

                    localAttributeValue = gplusResponseNormalizedAttributes.get(remoteAttribute)
                    if (localAttribute != None):
                        newUser.setAttribute(localAttribute, localAttributeValue)

                if (newUser.getAttribute("sn") == None):
                    newUser.setAttribute("sn", gplusUserUid)

                if (newUser.getAttribute("cn") == None):
                    newUser.setAttribute("cn", gplusUserUid)

                # Add mail to oxTrustEmail so that the user's
                # email is available through the SCIM interface
                # too.
                if (newUser.getAttribute("oxTrustEmail") is None and newUser.getAttribute("mail") is not None):
                    oxTrustEmail = {
                        "value": newUser.getAttribute("mail"),
                        "display": newUser.getAttribute("mail"),
                        "primary": True,
                        "operation": None,
                        "reference": None,
                        "type": "other"
                    }
                    newUser.setAttribute("oxTrustEmail", json.dumps(oxTrustEmail))

                newUser.setAttribute("oxExternalUid", "gplus:" + gplusUserUid)
                print "Google+ Authenticate for step 1. Attempting to add user '%s' with next attributes '%s'" % (gplusUserUid, newUser.getCustomAttributes())

                # NOTE(review): unlike the Asimba script, no uniqueness check
                # on the mapped key attributes (uid/mail) runs before addUser;
                # whether addUser itself rejects duplicates is not visible here.
                foundUser = userService.addUser(newUser, True)
                print "Google+ Authenticate for step 1. Added new user with UID: '%s'" % foundUser.getUserId()

            foundUserName = foundUser.getUserId()
            print "Google+ Authenticate for step 1. foundUserName: '******'" % foundUserName

            userAuthenticated = authenticationService.authenticate(foundUserName)
            if (userAuthenticated == False):
                print "Google+ Authenticate for step 1. Failed to authenticate user"
                return False

            print "Google+ Authenticate for step 1. Setting count steps to 1"
            identity.setWorkingParameter("gplus_count_login_steps", 1)

            print "Google+ Authenticate for step 1. Attempting to run extension postLogin"
            postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
            print "Google+ Authenticate for step 1. postLoginResult: '%s'" % postLoginResult

            return postLoginResult
        else:
            # Check if there is user with specified gplusUserUid
            # Neither map nor enroll: the Google subject id is expected to be
            # the local uid itself.
            print "Google+ Authenticate for step 1. Attempting to find user by uid: '%s'" % gplusUserUid
            foundUser = userService.getUser(gplusUserUid)
            if (foundUser == None):
                print "Google+ Authenticate for step 1. Failed to find user"
                return False

            foundUserName = foundUser.getUserId()
            print "Google+ Authenticate for step 1. foundUserName: '******'" % foundUserName
            userAuthenticated = authenticationService.authenticate(foundUserName)
            if (userAuthenticated == False):
                print "Google+ Authenticate for step 1. Failed to authenticate user"
                return False

            print "Google+ Authenticate for step 1. Setting count steps to 1"
            identity.setWorkingParameter("gplus_count_login_steps", 1)

            postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
            print "Google+ Authenticate for step 1. postLoginResult: '%s'" % postLoginResult

            return postLoginResult
    elif (step == 2):
        print "Google+ Authenticate for step 2"

        # The Google id to bind comes from the session written in step 1,
        # never from the request, so the client cannot choose what is bound.
        sessionAttributes = identity.getSessionId().getSessionAttributes()
        if (sessionAttributes == None) or not sessionAttributes.containsKey("gplus_user_uid"):
            print "Google+ Authenticate for step 2. gplus_user_uid is empty"
            return False

        gplusUserUid = sessionAttributes.get("gplus_user_uid")
        passed_step1 = StringHelper.isNotEmptyString(gplusUserUid)
        if (not passed_step1):
            return False

        identity = CdiUtil.bean(Identity)
        credentials = identity.getCredentials()
        userName = credentials.getUsername()
        userPassword = credentials.getPassword()

        # Binding requires a fresh local password check.
        loggedIn = False
        if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)):
            loggedIn = authenticationService.authenticate(userName, userPassword)

        if (not loggedIn):
            return False

        # Check if there is user which has gplusUserUid
        # Avoid mapping Google account to more than one IDP account
        foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
        if (foundUser == None):
            # Add gplusUserUid to user one id UIDs
            foundUser = userService.addUserAttribute(userName, "oxExternalUid", "gplus:" + gplusUserUid)
            if (foundUser == None):
                print "Google+ Authenticate for step 2. Failed to update current user"
                return False

            postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
            print "Google+ Authenticate for step 2. postLoginResult: '%s'" % postLoginResult

            return postLoginResult
        else:
            # Already bound: only succeed if it is bound to the very account
            # that just authenticated.
            foundUserName = foundUser.getUserId()
            print "Google+ Authenticate for step 2. foundUserName: '******'" % foundUserName

            if StringHelper.equals(userName, foundUserName):
                postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
                print "Google+ Authenticate for step 2. postLoginResult: '%s'" % postLoginResult

                return postLoginResult

        return False
    else:
        return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Client-certificate login script: decide whether the current step passes.

    Step 1 checks that the login form was really submitted (and, when
    enabled, the reCAPTCHA answer). Step 2 takes the certificate stored in
    the session under ``cert_x509``, validates it, derives a fingerprint and
    looks up the account holding ``oxExternalUid`` ``cert:<fingerprint>``;
    an unknown certificate either leads to step 3 (when ``map_user_cert``
    allows binding) or fails. Step 3 verifies a local password and binds the
    certificate to that account.

    Several step-2 "failures" (no certificate selected, invalid certificate)
    deliberately return True while setting ``cert_selected``/``cert_valid``
    to False, so the page can tell the user how to restart the flow.

    Args:
        configurationAttributes: script configuration (unused here).
        requestParameters: request parameter map; step 1 reads the login
            button and the reCAPTCHA response from it.
        step: the step number the engine is executing (1, 2 or 3).

    Returns:
        True when the step succeeded (or should continue), False otherwise.
    """
    identity = CdiUtil.bean(Identity)
    credentials = identity.getCredentials()
    user_name = credentials.getUsername()

    userService = CdiUtil.bean(UserService)
    authenticationService = CdiUtil.bean(AuthenticationService)

    if step == 1:
        print "Cert. Authenticate for step 1"
        # getFirstValue() tolerates a missing parameter, so a malformed post
        # is reported rather than raising.
        login_button = ServerUtil.getFirstValue(requestParameters, "loginForm:loginButton")
        if StringHelper.isEmpty(login_button):
            print "Cert. Authenticate for step 1. Form were submitted incorrectly"
            return False

        if self.enabled_recaptcha:
            print "Cert. Authenticate for step 1. Validating recaptcha response"
            recaptcha_response = ServerUtil.getFirstValue(requestParameters, "g-recaptcha-response")
            recaptcha_result = self.validateRecaptcha(recaptcha_response)
            print "Cert. Authenticate for step 1. recaptcha_result: '%s'" % recaptcha_result
            return recaptcha_result

        return True
    elif step == 2:
        print "Cert. Authenticate for step 2"

        # Validate if user selected certificate
        # NOTE(review): the certificate is read from the session, not from
        # the request; how cert_x509 gets into the session (TLS client auth
        # on a dedicated endpoint, presumably) decides how much this step can
        # trust it -- confirm against getSessionAttribute's writer.
        cert_x509 = self.getSessionAttribute("cert_x509")
        if cert_x509 == None:
            print "Cert. Authenticate for step 2. User not selected any certs"
            identity.setWorkingParameter("cert_selected", False)
            # Return True to inform user how to reset workflow
            return True
        else:
            identity.setWorkingParameter("cert_selected", True)
            x509Certificate = self.certFromString(cert_x509)

        subjectX500Principal = x509Certificate.getSubjectX500Principal()
        print "Cert. Authenticate for step 2. User selected certificate with DN '%s'" % subjectX500Principal

        # Validate certificates which user selected
        # What validateCertificate checks (chain, validity period,
        # revocation) is not visible in this block.
        valid = self.validateCertificate(x509Certificate)
        if not valid:
            print "Cert. Authenticate for step 2. Certificate DN '%s' is not valid" % subjectX500Principal
            identity.setWorkingParameter("cert_valid", False)
            # Return True to inform user how to reset workflow
            return True

        identity.setWorkingParameter("cert_valid", True)

        # Calculate certificate fingerprint
        # The fingerprint, not the subject DN, is the identity key: two
        # certificates with the same DN but different keys map to different
        # accounts.
        x509CertificateFingerprint = self.calculateCertificateFingerprint(x509Certificate)
        identity.setWorkingParameter("cert_x509_fingerprint", x509CertificateFingerprint)
        print "Cert. Authenticate for step 2. Fingerprint is '%s' of certificate with DN '%s'" % (x509CertificateFingerprint, subjectX500Principal)

        # Attempt to find user by certificate fingerprint
        cert_user_external_uid = "cert:%s" % x509CertificateFingerprint
        print "Cert. Authenticate for step 2. Attempting to find user by oxExternalUid attribute value %s" % cert_user_external_uid

        find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid)
        if find_user_by_external_uid == None:
            print "Cert. Authenticate for step 2. Failed to find user"
            if self.map_user_cert:
                # Unknown certificate: remember it and require a password in
                # step 3 before it is attached to an account.
                print "Cert. Authenticate for step 2. Storing cert_user_external_uid for step 3"
                identity.setWorkingParameter("cert_user_external_uid", cert_user_external_uid)
                return True
            else:
                print "Cert. Authenticate for step 2. Mapping cert to user account is not allowed"
                identity.setWorkingParameter("cert_count_login_steps", 2)
                return False

        foundUserName = find_user_by_external_uid.getUserId()
        # NOTE(review): this listing is redacted/garbled between the two
        # string literals on the next line; the statements that originally
        # sat there (including whatever assigned logged_in) are missing, so
        # the `return logged_in` below has no visible assignment.
        print "Cert. Authenticate for step 2. foundUserName: "******"Cert. Authenticate for step 2. Setting count steps to 2"
        identity.setWorkingParameter("cert_count_login_steps", 2)

        return logged_in
    elif step == 3:
        print "Cert. Authenticate for step 3"

        cert_user_external_uid = self.getSessionAttribute("cert_user_external_uid")
        if cert_user_external_uid == None:
            print "Cert. Authenticate for step 3. cert_user_external_uid is empty"
            return False

        user_password = credentials.getPassword()

        # Binding needs a fresh local password check.
        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            logged_in = authenticationService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        # Double check just to make sure. We did checking in previous step
        # Check if there is user which has cert_user_external_uid
        # Avoid mapping user cert to more than one IDP account
        find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid)
        if find_user_by_external_uid == None:
            # Add cert_user_external_uid to user's external GUID list
            find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", cert_user_external_uid)
            if find_user_by_external_uid == None:
                print "Cert. Authenticate for step 3. Failed to update current user"
                return False

            return True

        # Bound to someone since step 2: the password login still succeeds
        # for user_name's own account, but no second binding is written.
        return True
    else:
        return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Compromised-password script: decide whether the current step passes.

    Step 1 verifies username/password, then asks ``self.is_compromised`` about
    the user's mail/password pair; a positive answer is recorded in the
    ``pwd_compromised`` working parameter (the engine presumably uses it to
    add the remaining steps). Step 2 compares a posted answer with the
    script-wide ``self.secretanswer``. Step 3 stores a new password posted
    as ``new_password`` on the authenticated user's entry.

    Args:
        configurationAttributes: script configuration, passed through to
            ``is_compromised``.
        requestParameters: request parameter map; steps 2 and 3 read
            ``loginForm:question`` and ``new_password`` from it.
        step: the step number the engine is executing (1, 2 or 3).

    Returns:
        True when the step succeeded, False otherwise. There is no final
        ``else``, so any other step value returns None (falsy).
    """
    identity = CdiUtil.bean(Identity)
    userService = CdiUtil.bean(UserService)
    authenticationService = CdiUtil.bean(AuthenticationService)

    if step == 1:
        credentials = identity.getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = CdiUtil.bean(UserService)
            logged_in = authenticationService.authenticate(user_name, user_password)

        if (not logged_in):
            return False
        else:
            find_user_by_uid = authenticationService.getAuthenticatedUser()
            # NOTE(review): getCustomAttribute returns None when the entry
            # has no "mail", so getValue() below raises for such users
            # instead of skipping the check.
            status_attribute_value = userService.getCustomAttribute(find_user_by_uid, "mail")
            user_mail = status_attribute_value.getValue()
            self.setRequestScopedParameters(identity)
            isCompromised = False
            # NOTE(review): the cleartext password is handed to is_compromised;
            # what leaves the host (a hash prefix, a full hash, or the value
            # itself) is decided there, not here -- confirm it never sends
            # the raw password to the lookup service.
            isCompromised = self.is_compromised(user_mail,user_password,configurationAttributes)
            if(isCompromised):
                identity.setWorkingParameter("pwd_compromised", isCompromised)
                identity.setWorkingParameter("user_name", user_name)
                return True
            else:
                return True
    elif step == 2:
        print "compromised_password. Authenticate for step 2"
        form_answer_array = requestParameters.get("loginForm:question")
        if ArrayHelper.isEmpty(form_answer_array):
            return False

        form_answer = form_answer_array[0]
        # NOTE(review): self.secretanswer is one value for every user of the
        # script, not a per-user secret, and == is an ordinary string
        # compare; treat this step as a speed bump rather than a factor.
        if (form_answer == self.secretanswer):
            return True

        return False
    elif step == 3:
        authenticationService = CdiUtil.bean(AuthenticationService)
        print "compromised_password (with password update). Authenticate for step 3"
        userService = CdiUtil.bean(UserService)

        update_button = requestParameters.get("loginForm:updateButton")
        new_password_array = requestParameters.get("new_password")
        if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
            print "compromised_password (with password update). Authenticate for step 3. New password is empty"
            return False

        new_password = new_password_array[0]

        # The account to update is the one already authenticated in step 1;
        # nothing in the request can redirect the change to another user.
        user = authenticationService.getAuthenticatedUser()
        if user == None:
            print "compromised_password (with password update). Authenticate for step 3. Failed to determine user name"
            return False

        user_name = user.getUserId()
        print "compromised_password (with password update). Authenticate for step 3. Attempting to set new user '" + user_name + "' password"

        find_user_by_uid = userService.getUser(user_name)
        if (find_user_by_uid == None):
            print "compromised_password (with password update). Authenticate for step 3. Failed to find user"
            return False

        # NOTE(review): no policy check on new_password here (length,
        # reuse, or a second is_compromised lookup); confirm the directory
        # enforces one, otherwise the user can pick the same leaked value.
        find_user_by_uid.setAttribute("userPassword", new_password)
        userService.updateUser(find_user_by_uid)
        print "compromised_password (with password update). Authenticate for step 3. Password updated successfully"

        # Re-establish the session for user_name; the result is not checked,
        # so the step reports success even if this re-authentication fails.
        logged_in = authenticationService.authenticate(user_name)

        return True
def authenticate(self, configurationAttributes, requestParameters, step):
    """oxPush login script: decide whether the current step passes.

    Step 1 verifies username/password and then inspects the user's
    ``oxExternalUid`` values for a paired oxPush device; a paired device whose
    deployment is reported ``enabled`` is remembered in ``oxpush_user_uid``,
    a disabled one fails the login, and an invalid deployment is unpaired so
    the user is sent through pairing again. Step 2 completes a pending
    pairing (``oxpush_pairing_uid`` in the session) and stores the new device
    id on the user. Step 3 starts a push authentication for the remembered
    device and waits, up to ``oxpush_user_timeout`` seconds, for the user to
    approve it.

    Args:
        configurationAttributes: script configuration; ``oxpush_user_timeout``
            and ``oxpush_application_name`` are read (the latter is unused).
        requestParameters: request parameter map (unused here).
        step: the step number the engine is executing (1, 2 or 3).

    Returns:
        True when the step succeeded, False otherwise; any other step value
        returns None (falsy) since there is no final ``else``.
    """
    userService = CdiUtil.bean(UserService)
    authenticationService = CdiUtil.bean(AuthenticationService)
    identity = CdiUtil.bean(Identity)
    credentials = identity.getCredentials()

    oxpush_user_timeout = int(configurationAttributes.get("oxpush_user_timeout").getValue2())
    oxpush_application_name = configurationAttributes.get("oxpush_application_name").getValue2()

    user_name = credentials.getUsername()
    if (step == 1):
        print "oxPush. Authenticate for step 1"

        user_password = credentials.getPassword()
        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = CdiUtil.bean(UserService)
            logged_in = authenticationService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        # Get user entry
        userService = CdiUtil.bean(UserService)
        find_user_by_uid = authenticationService.getAuthenticatedUser()
        if (find_user_by_uid == None):
            print "oxPush. Authenticate for step 1. Failed to find user"
            return False

        # Check if the user paired account to phone
        user_external_uid_attr = userService.getCustomAttribute(find_user_by_uid, "oxExternalUid")
        if ((user_external_uid_attr == None) or (user_external_uid_attr.getValues() == None)):
            # NOTE(review): this listing is redacted between the string
            # literals on the next line; the original statements that
            # returned for an unpaired user and extracted the "oxpush:" value
            # into oxpush_user_uid are missing, so oxpush_user_uid has no
            # visible assignment before it is used below.
            print "oxPush. Authenticate for step 1. There is no external UIDs for user: "******"oxPush. Authenticate for step 1. There is no oxPush UID for user: "******"oxPush. Authenticate for step 1. oxpush_user_uid: ", oxpush_user_uid

        deployment_status = self.oxPushClient.getDeploymentStatus(oxpush_user_uid)
        if (deployment_status.result):
            print "oxPush. Authenticate for step 1. Deployment status is valid"
            if ("enabled" == deployment_status.status):
                print "oxPush. Authenticate for step 1. Deployment is enabled"
                identity.setWorkingParameter("oxpush_user_uid", oxpush_user_uid)
            else:
                # A paired but disabled device blocks the login outright.
                print "oxPush. Authenticate for step 1. Deployment is disabled"
                return False
        else:
            print "oxPush. Authenticate for step 1. Deployment status is invalid. Force user to pair again"
            # Remove oxpush_user_uid from user entry
            find_user_by_uid = userService.removeUserAttribute(user_name, "oxExternalUid", "oxpush:" + oxpush_user_uid)
            if (find_user_by_uid == None):
                print "oxPush. Authenticate for step 1. Failed to update current user"
                return False

        return True
    elif (step == 2):
        print "oxPush. Authenticate for step 2"

        # NOTE(review): isPassedDefaultAuthentication is an attribute of the
        # script object, which the engine typically shares between sessions;
        # if it is not per-request state this gate is not per-user --
        # confirm where it is set.
        passed_step1 = self.isPassedDefaultAuthentication
        if (not passed_step1):
            return False

        sessionAttributes = identity.getSessionId().getSessionAttributes()
        if (sessionAttributes == None) or not sessionAttributes.containsKey("oxpush_user_uid"):
            print "oxPush. Authenticate for step 2. oxpush_user_uid is empty"
            # When sessionAttributes is None the containsKey() call below
            # raises rather than returning False.
            if (not sessionAttributes.containsKey("oxpush_pairing_uid")):
                print "oxPush. Authenticate for step 2. oxpush_pairing_uid is empty"
                return False

            oxpush_pairing_uid = sessionAttributes.get("oxpush_pairing_uid")

            # Check pairing status
            # checkStatus blocks up to oxpush_user_timeout waiting for the
            # user to approve the pairing on the device.
            pairing_status = self.checkStatus("pair", oxpush_pairing_uid, oxpush_user_timeout)
            if (pairing_status == None):
                print "oxPush. Authenticate for step 2. The pairing has not been authorized by user"
                return False

            oxpush_user_uid = pairing_status.deploymentId
            print "oxPush. Authenticate for step 2. Storing oxpush_user_uid in user entry", oxpush_user_uid

            # Store oxpush_user_uid in user entry
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "oxpush:" + oxpush_user_uid)
            if (find_user_by_uid == None):
                print "oxPush. Authenticate for step 2. Failed to update current user"
                return False

            identity.setWorkingParameter("oxpush_count_login_steps", 2)
            identity.setWorkingParameter("oxpush_user_uid", oxpush_user_uid)
        else:
            print "oxPush. Authenticate for step 2. Deployment status is valid"

        return True
    elif (step == 3):
        print "oxPush. Authenticate for step 3"

        passed_step1 = self.isPassedDefaultAuthentication
        if (not passed_step1):
            return False

        # NOTE(review): unlike step 2 this reads a single working parameter
        # and then calls containsKey()/get() on it as if it were the session
        # attribute map; looks like it should be
        # identity.getSessionId().getSessionAttributes() -- confirm.
        sessionAttributes = identity.getWorkingParameter("oxpush_user_uid")
        if (sessionAttributes == None) or not sessionAttributes.containsKey("oxpush_user_uid"):
            print "oxPush. Authenticate for step 3. oxpush_user_uid is empty"
            return False

        oxpush_user_uid = sessionAttributes.get("oxpush_user_uid")
        passed_step1 = StringHelper.isNotEmptyString(oxpush_user_uid)
        if (not passed_step1):
            return False

        # Initialize authentication process
        authentication_request = None
        try:
            authentication_request = self.oxPushClient.authenticate(oxpush_user_uid, user_name)
        except java.lang.Exception, err:
            print "oxPush. Authenticate for step 3. Failed to initialize authentication process: ", err
            return False

        if (not authentication_request.result):
            print "oxPush. Authenticate for step 3. Failed to initialize authentication process"
            return False

        # Check authentication status
        # Blocks up to oxpush_user_timeout; None means the user did not
        # approve in time, which fails closed.
        authentication_status = self.checkStatus("authenticate", authentication_request.authenticationId, oxpush_user_timeout)
        if (authentication_status == None):
            print "oxPush. Authenticate for step 3. The authentication has not been authorized by user"
            return False

        print "oxPush. Authenticate for step 3. The request was granted"
        return True
def authenticate(self, configurationAttributes, requestParameters, step):
    """PhoneFactor login script: decide whether the current step passes.

    Step 1 verifies username/password. Step 2 reads the user's phone number
    from the directory attribute named by ``pf_phone_number_attr``, splits
    off the country code on ``pf_country_delimiter`` and starts a PhoneFactor
    call for that number.

    As printed in this listing the function ends inside step 2 right after
    the ``try``/``except`` around ``self.pf.authenticate``; ``pf_auth_result``
    is never examined and step 2 falls off the end, returning None (falsy).
    This looks like a truncated copy rather than the intended logic --
    confirm against the full script.

    Args:
        configurationAttributes: script configuration; ``pf_phone_number_attr``
            and ``pf_country_delimiter`` are read in step 2.
        requestParameters: request parameter map (unused here).
        step: the step number the engine is executing (1 or 2).

    Returns:
        True/False for step 1; None for step 2 as visible here.
    """
    authenticationService = CdiUtil.bean(AuthenticationService)

    identity = CdiUtil.bean(Identity)
    credentials = identity.getCredentials()

    user_name = credentials.getUsername()
    if (step == 1):
        print "PhoneFactor. Authenticate for step 1"

        user_password = credentials.getPassword()
        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = CdiUtil.bean(UserService)
            logged_in = authenticationService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        return True
    elif (step == 2):
        print "PhoneFactor. Authenticate for step 2"

        # NOTE(review): isPassedDefaultAuthentication is script-instance
        # state; if the engine shares the instance across sessions this is
        # not a per-user gate -- confirm where it is set.
        passed_step1 = self.isPassedDefaultAuthentication
        if (not passed_step1):
            return False

        pf_phone_number_attr = configurationAttributes.get("pf_phone_number_attr").getValue2()

        # Get user entry from credentials
        # The number always comes from the directory entry of the user who
        # passed step 1, never from the request.
        authenticationService = CdiUtil.bean(AuthenticationService)
        credentials_user = authenticationService.getAuthenticatedUser()

        userService = CdiUtil.bean(UserService)
        phone_number_with_country_code_attr = userService.getCustomAttribute(credentials_user, pf_phone_number_attr)
        if (phone_number_with_country_code_attr == None):
            print "PhoneFactor. Authenticate for step 2. There is no phone number: ", user_name
            return False

        phone_number_with_country_code = phone_number_with_country_code_attr.getValue()
        if (phone_number_with_country_code == None):
            print "PhoneFactor. Authenticate for step 2. There is no phone number: ", user_name
            return False

        pf_country_delimiter = configurationAttributes.get("pf_country_delimiter").getValue2()

        # Split at most once: everything after the first delimiter is the
        # subscriber number. Python 2 string module.
        phone_number_with_country_code_array = string.split(phone_number_with_country_code, pf_country_delimiter, 1)

        phone_number_with_country_code_array_len = len(phone_number_with_country_code_array)
        if (phone_number_with_country_code_array_len == 1):
            country_code = ""
            phone_number = phone_number_with_country_code_array[0]
        else:
            country_code = phone_number_with_country_code_array[0]
            phone_number = phone_number_with_country_code_array[1]

        # Writes the user's full phone number to the log.
        print "PhoneFactor. Authenticate for step 2. user_name: ", user_name, ", country_code: ", country_code, ", phone_number: ", phone_number

        pf_auth_result = None
        try:
            pf_auth_result = self.pf.authenticate(user_name, country_code, phone_number, None, None, None)
        except SecurityException, err:
            print "PhoneFactor. Authenticate for step 2. BAD AUTH -- Security issue: ", err
        except TimeoutException, err:
            print "PhoneFactor. Authenticate for step 2. BAD AUTH -- Server timeout: ", err
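def authenticate(self, configurationAttributes, requestParameters, step):
    """Twilio SMS script, step 1: password login, then a one-time code by SMS.

    The user's phone number is taken from their directory entry
    (``employeeNumber`` when ``phoneNumberVerified`` is set, else ``mobile``,
    else ``telephoneNumber``), a six-digit code is generated from the OS
    entropy source, stored in the session for the next step, and sent via
    Twilio. Only ``step == 1`` is handled in this block; any other step value
    returns None (falsy), which the engine treats as a failed step.

    Args:
        configurationAttributes: script configuration (unused here).
        requestParameters: request parameter map; ``passcode`` is read only to
            log whether one was submitted.
        step: the step number the engine is executing.

    Returns:
        True when the password was accepted and the SMS was handed to Twilio;
        False on a bad password, a user without a usable number, a directory
        error, or a Twilio error.
    """
    print "=============================================="
    print "====TWILIO SMS AUTHENCATION==================="
    print "=============================================="
    authenticationService = CdiUtil.bean(AuthenticationService)
    sessionIdService = CdiUtil.bean(SessionIdService)
    facesMessages = CdiUtil.bean(FacesMessages)
    facesMessages.setKeepMessages()

    form_passcode = ServerUtil.getFirstValue(requestParameters, "passcode")
    # Log only whether a passcode was posted: the code is the second factor
    # and its value does not belong in the server log.
    print "TwilioSMS. form_response_passcode present: %s" % (form_passcode is not None)

    if step == 1:
        print "=============================================="
        print "=TWILIO SMS STEP 1 | Password Authentication=="
        print "=============================================="
        credentials = self.identity.getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            logged_in = authenticationService.authenticate(user_name, user_password)

        if not logged_in:
            return False

        # Get the Person's number and generate a code
        foundUser = None
        try:
            foundUser = authenticationService.getAuthenticatedUser()
        except:
            print 'TwilioSMS, Error retrieving user %s from LDAP' % (user_name)
            return False

        # Resolve the number into a local that starts empty for every call.
        # The previous version tested self.mobile_number before assigning it,
        # so a value left on the (shared) script instance by an earlier login
        # was reused whenever the current user had no verified number -- and
        # the code went to that other number.
        mobile_number = None
        try:
            isVerified = foundUser.getAttribute("phoneNumberVerified")
            if isVerified:
                mobile_number = foundUser.getAttribute("employeeNumber")
            if mobile_number == None:
                mobile_number = foundUser.getAttribute("mobile")
            if mobile_number == None:
                mobile_number = foundUser.getAttribute("telephoneNumber")
        except:
            facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to determine mobile phone number")
            # The old literal had stray backticks that put the "%" operands
            # inside the string, so the message was never interpolated.
            print 'TwilioSMS, Error finding mobile number for "%s". Exception: %s' % (user_name, sys.exc_info()[1])
            return False

        if mobile_number == None:
            # Nowhere to deliver a code: fail here instead of minting one and
            # letting the Twilio call blow up on a None number.
            print "TwilioSMS, Error finding mobile number for user '%s'" % user_name
            facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to determine mobile phone number")
            return False

        # Kept for any other method of this script that still reads the
        # attribute; the session attributes written below are the per-user
        # record that later steps should rely on.
        self.mobile_number = mobile_number

        # Six-digit one-time code. random.randint() is a seeded Mersenne
        # Twister whose output is predictable from earlier outputs;
        # SystemRandom draws from the OS entropy source instead.
        code = random.SystemRandom().randint(100000, 999999)

        # Save the code in the session so the next step can compare it
        self.identity.setWorkingParameter("code", code)
        sessionId = sessionIdService.getSessionId()  # fetch from persistence
        sessionId.getSessionAttributes().put("code", code)

        try:
            Twilio.init(self.ACCOUNT_SID, self.AUTH_TOKEN)
            message = Message.creator(PhoneNumber(mobile_number), PhoneNumber(self.FROM_NUMBER), str(code)).create()
            print "++++++++++++++++++++++++++++++++++++++++++++++"
            print 'TwilioSMs, Message Sid: %s' % (message.getSid())
            print 'TwilioSMs, User phone: %s' % (mobile_number)
            print "++++++++++++++++++++++++++++++++++++++++++++++"
            # The number is stored under both names in both the persisted
            # session and the working parameters because other pages/steps
            # (not visible here) read different keys.
            sessionId.getSessionAttributes().put("mobile_number", mobile_number)
            sessionId.getSessionAttributes().put("mobile", mobile_number)
            sessionIdService.updateSessionId(sessionId)
            self.identity.setWorkingParameter("mobile_number", mobile_number)
            self.identity.getSessionId().getSessionAttributes().put("mobile_number", mobile_number)
            self.identity.setWorkingParameter("mobile", mobile_number)
            self.identity.getSessionId().getSessionAttributes().put("mobile", mobile_number)
            print "++++++++++++++++++++++++++++++++++++++++++++++"
            print "Number: %s" % (self.identity.getWorkingParameter("mobile_number"))
            print "Mobile: %s" % (self.identity.getWorkingParameter("mobile"))
            print "++++++++++++++++++++++++++++++++++++++++++++++"
            print "========================================"
            print "===TWILIO SMS FIRST STEP DONE PROPERLY=="
            print "========================================"
            return True
        except Exception, ex:
            facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to send message to mobile phone")
            print "TwilioSMS. Error sending message to Twilio"
            print "TwilioSMS. Unexpected error:", ex

            return False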
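def bindWWPass(self, requestParameters, userService, authenticationService, identity, ticket):
    """Bind the not-yet-bound WWPass PUID held in the session to an account.

    The PUID is read from the "puid" working parameter. The route depends on
    what the request carries:

    * ``ticket``: a fresh WWPass ticket. If it resolves to the same PUID the
      user is registering via the external web service (``tryFirstLogin``,
      only when ``registration_url`` is set). Otherwise the user proved
      possession of a different, already bound key, and the new PUID is added
      to that key's account (only when ``allow_passkey_bind`` is set).
    * ``email`` form field: the address is looked up and a one-time nonce is
      mailed to it (only when ``allow_email_bind`` is set). The return value
      is the same whether or not the address is known, so this step is not an
      address-enumeration oracle.
    * otherwise: username/password from the identity credentials (only when
      ``allow_password_bind`` is set).

    On a successful bind the "puid" working parameter is cleared. Failures set
    the "errors" working parameter where the original did.

    Returns:
        True when the step is accepted (bound, or the email step advanced),
        False otherwise.
    """
    puid = identity.getWorkingParameter("puid")
    if not puid:
        identity.setWorkingParameter("errors", "WWPass login failed")
        return False

    email = requestParameters.get('email')[0] if 'email' in requestParameters else None

    if ticket:
        puid_new = self.getPuid(ticket)
        # Always use the latest PUID when retrying step 2.
        identity.setWorkingParameter("puid", puid_new)
        if puid == puid_new:
            # Same key again: registering via the external web service.
            if not self.registration_url:
                return False
            if self.tryFirstLogin(puid, userService, authenticationService):
                identity.setWorkingParameter("puid", None)
                return True
            return False
        if not self.allow_passkey_bind:
            return False
        # A different key was presented: it must already be bound to an
        # account, and possession of it authorises binding the new PUID.
        user = userService.getUserByAttribute("oxExternalUid", "wwpass:%s" % puid_new)
        if user and authenticationService.authenticate(user.getUserId()):
            userService.addUserAttribute(user.getUserId(), "oxExternalUid", "wwpass:%s" % puid)
            identity.setWorkingParameter("puid", None)
            return True
        identity.setWorkingParameter("errors", "Invalid user")
        return False

    if email:
        if not self.allow_email_bind:
            return False
        identity.setWorkingParameter("email", email)
        user = userService.getUserByAttribute('mail', email)
        if not user:
            # Drop any nonce left from an earlier attempt so a stale code
            # cannot be paired with this new address.
            identity.setWorkingParameter("email_nonce", None)
            identity.setWorkingParameter("email_nonce_exp", None)
            # Deliberately indistinguishable from the known-address path: the
            # client moves to the code-entry step, but with no nonce stored no
            # code can validate. Returning False here would reveal which
            # addresses exist.
            print("User with email '%s' not found." % email)
            return True
        nonce = self.generateNonce(33)
        mailService = CdiUtil.bean(MailService)
        identity.setWorkingParameter("email_nonce", nonce)
        identity.setWorkingParameter("email_nonce_exp", str(time() + self.EMAIL_NONCE_EXPIRATION))
        subject = "Bind your WWPass Key"
        body = """
To bind your WWPass Key to your account, copy and paste the following code into "Email code" field in the login form:

%s

If you haven't requested this operation, you can safely disregard this email.
"""
        mailService.sendMail(email, subject, body % nonce)
        return True

    # Binding via username/password.
    if not self.allow_password_bind:
        return False
    credentials = identity.getCredentials()
    user_name = credentials.getUsername()
    user_password = credentials.getPassword()
    logged_in = False
    if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
        try:
            logged_in = authenticationService.authenticate(user_name, user_password)
        except Exception as e:
            print(e)
    if not logged_in:
        identity.setWorkingParameter("errors", "Invalid username or password")
        return False
    user = authenticationService.getAuthenticatedUser()
    if not user:
        identity.setWorkingParameter("errors", "Invalid user")
        return False
    # Bind to the canonical uid of the authenticated entry rather than the
    # username as typed, matching the PassKey route above.
    userService.addUserAttribute(user.getUserId(), "oxExternalUid", "wwpass:%s" % puid)
    identity.setWorkingParameter("puid", None)
    return True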
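def authenticate(self, configurationAttributes, requestParameters, step):
    """Two-step U2F login: password in step 1, FIDO U2F token in step 2.

    Step 1 checks the username/password taken from the identity credentials.
    Step 2 reads the form fields "tokenResponse" (the browser's U2F reply) and
    "authMethod" ('authenticate' finishes an authentication request, 'enroll'
    finishes a registration request) and hands them to the FIDO U2F server on
    behalf of the user established in step 1.

    Args:
        configurationAttributes: custom script properties (unused here).
        requestParameters: raw HTTP form parameters.
        step: the authentication step being processed.

    Returns:
        True when the step succeeded, False for any failure or unknown step.
    """
    if step == 1:
        print("U2F. Authenticate for step 1")
        authenticationService = CdiUtil.bean(AuthenticationService)
        credentials = CdiUtil.bean(Identity).getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()
        if not (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            return False
        if not authenticationService.authenticate(user_name, user_password):
            return False
        return True

    if step == 2:
        print("U2F. Authenticate for step 2")
        token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse")
        if token_response is None:
            print("U2F. Authenticate for step 2. tokenResponse is empty")
            return False
        auth_method = ServerUtil.getFirstValue(requestParameters, "authMethod")
        if auth_method is None:
            print("U2F. Authenticate for step 2. authMethod is empty")
            return False
        # Step 2 acts on the user proven in step 1, never on a name from the request.
        user = CdiUtil.bean(AuthenticationService).getAuthenticatedUser()
        if user is None:
            print("U2F. Authenticate for step 2. Failed to determine user name")
            return False

        factory = FidoU2fClientFactory.instance()
        if auth_method == 'authenticate':
            print("U2F. Authenticate for step 2. Call FIDO U2F in order to finish authentication workflow")
            service = factory.createAuthenticationRequestService(self.metaDataConfiguration)
            status = service.finishAuthentication(user.getUserId(), token_response)
            if status.getStatus() != Constants.RESULT_SUCCESS:
                print("U2F. Authenticate for step 2. Get invalid authentication status from FIDO U2F server")
                return False
            return True

        if auth_method == 'enroll':
            # NOTE(review): authMethod is client-supplied, so a caller holding
            # only the password can ask to enroll a new key here. This relies on
            # the FIDO U2F server rejecting a finishRegistration for which no
            # registration request was issued in prepareForStep -- confirm that
            # before treating the U2F step as a real second factor.
            print("U2F. Authenticate for step 2. Call FIDO U2F in order to finish registration workflow")
            service = factory.createRegistrationRequestService(self.metaDataConfiguration)
            status = service.finishRegistration(user.getUserId(), token_response)
            if status.getStatus() != Constants.RESULT_SUCCESS:
                print("U2F. Authenticate for step 2. Get invalid registration status from FIDO U2F server")
                return False
            return True

        print("U2F. Authenticate for step 2. Authentication method is invalid")
        return False

    return False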