def init(self, customScript, configuration_attributes):
print "AzureAD. Initialization"
global azure_tenant_id
azure_tenant_id = configuration_attributes.get("azure_tenant_id").getValue2()
print "AzureAD. Initialization. Value of azure_tenant_id is %s" % azure_tenant_id
global azure_client_id
azure_client_id = configuration_attributes.get("azure_client_id").getValue2()
print "AzureAD. Initialization. Value of azure_client_id is %s" % azure_client_id
global azure_client_secret
azure_client_secret = configuration_attributes.get("azure_client_secret").getValue2()
global MICROSOFT_AUTHORITY_URL
MICROSOFT_AUTHORITY_URL = 'login.microsoftonline.com'
global AZURE_AD_GRAPH_RESOURCE_ENDPOINT
AZURE_AD_GRAPH_RESOURCE_ENDPOINT = 'https://graph.windows.net'
global azure_user_uuid
azure_user_uuid = "oid"
global gluu_ldap_uuid
gluu_ldap_uuid = "uid"
global ADMIN
ADMIN = 'admin'
global attributes_mapping
if (configuration_attributes.containsKey("azure_ad_attributes_list") and
configuration_attributes.containsKey("gluu_ldap_attributes_list")):
azure_ad_attributes_list = configuration_attributes.get("azure_ad_attributes_list").getValue2()
if StringHelper.isEmpty(azure_ad_attributes_list):
print "AzureAD: Initialization. The property azure_ad_attributes_list is empty"
return False
gluu_ldap_attributes_list = configuration_attributes.get("gluu_ldap_attributes_list").getValue2()
if StringHelper.isEmpty(gluu_ldap_attributes_list):
print "AzureAD: Initialization. The property gluu_ldap_attributes_list is empty"
return False
attributes_mapping = self.attribute_mapping_function(azure_ad_attributes_list, gluu_ldap_attributes_list)
if attributes_mapping is None:
print "AzureAD: Initialization. The attributes mapping isn't valid"
return False
print "AzureAD. Initialized successfully"
return True
def prepareClientsSet(self, configurationAttributes):
clientsSet = HashSet()
if (not configurationAttributes.containsKey("allowed_clients")):
return clientsSet
allowedClientsList = configurationAttributes.get(
"allowed_clients").getValue2()
if (StringHelper.isEmpty(allowedClientsList)):
print "UmaRptPolicy. The property allowed_clients is empty"
return clientsSet
allowedClientsListArray = StringHelper.split(allowedClientsList, ",")
if (ArrayHelper.isEmpty(allowedClientsListArray)):
print "UmaRptPolicy. No clients specified in allowed_clients property"
return clientsSet
# Convert to HashSet to quick search
i = 0
count = len(allowedClientsListArray)
while (i < count):
client = allowedClientsListArray[i]
clientsSet.add(client)
i = i + 1
return clientsSet
def getCurrentSamlConfiguration(self, currentSamlConfiguration, configurationAttributes, requestParameters):
saml_client_configuration = self.getClientConfiguration(configurationAttributes, requestParameters)
if saml_client_configuration == None:
return currentSamlConfiguration
saml_client_configuration_value = json.loads(saml_client_configuration.getValue())
client_asimba_saml_certificate = None
client_asimba_saml_certificate_file = saml_client_configuration_value["asimba_saml_certificate_file"]
if StringHelper.isNotEmpty(client_asimba_saml_certificate_file):
client_asimba_saml_certificate = self.loadCeritificate(client_asimba_saml_certificate_file)
if StringHelper.isEmpty(client_asimba_saml_certificate):
print "Asimba. BuildClientSamlConfiguration. File with x509 certificate should be not empty. Using default configuration"
return currentSamlConfiguration
clientSamlConfiguration = currentSamlConfiguration.clone()
if client_asimba_saml_certificate != None:
clientSamlConfiguration.loadCertificateFromString(client_asimba_saml_certificate)
client_asimba_entity_id = saml_client_configuration_value["asimba_entity_id"]
clientSamlConfiguration.setIssuer(client_asimba_entity_id)
saml_use_authn_context = saml_client_configuration_value["saml_use_authn_context"]
client_use_saml_use_authn_context = StringHelper.toBoolean(saml_use_authn_context, True)
clientSamlConfiguration.setUseRequestedAuthnContext(client_use_saml_use_authn_context)
return clientSamlConfiguration
def validateInweboToken(self, iw_api_uri, iw_service_id, user_name, iw_token):
httpService = CdiUtil.bean(HttpService)
xmlService = CdiUtil.bean(XmlService)
if StringHelper.isEmpty(iw_token):
print "InWebo. Token verification. iw_token is empty"
return False
request_uri = iw_api_uri + "?action=authenticate" + "&serviceId=" + httpService.encodeUrl(iw_service_id) + "&userId=" + httpService.encodeUrl(user_name) + "&token=" + httpService.encodeUrl(iw_token)
print "InWebo. Token verification. Attempting to send authentication request:", request_uri
# Execute request
http_response = httpService.executeGet(self.client, request_uri)
# Validate response code
response_validation = httpService.isResponseStastusCodeOk(http_response)
if response_validation == False:
print "InWebo. Token verification. Get unsuccessful response code"
return False
authentication_response_bytes = httpService.getResponseContent(http_response)
print "InWebo. Token verification. Get response:", httpService.convertEntityToString(authentication_response_bytes)
# Validate authentication response
response_validation = httpService.isContentTypeXml(http_response)
if response_validation == False:
print "InWebo. Token verification. Get invalid response"
return False
# Parse XML response
try:
xmlDocument = xmlService.getXmlDocument(authentication_response_bytes)
except Exception, err:
print "InWebo. Token verification. Failed to parse XML response:", err
return False
def lockUser(self, user_name):
if StringHelper.isEmpty(user_name):
return None
userService = CdiUtil.bean(UserService)
cacheService= CdiUtil.bean(CacheService)
facesMessages = CdiUtil.bean(FacesMessages)
facesMessages.setKeepMessages()
find_user_by_uid = userService.getUser(user_name)
if (find_user_by_uid == None):
return None
status_attribute_value = userService.getCustomAttribute(find_user_by_uid, "gluuStatus")
if status_attribute_value != None:
user_status = status_attribute_value.getValue()
if StringHelper.equals(user_status, "inactive"):
print "Basic (lock account). Lock user. User '%s' locked already" % user_name
return
userService.setCustomAttribute(find_user_by_uid, "gluuStatus", "inactive")
updated_user = userService.updateUser(find_user_by_uid)
object_to_store = json.dumps({'locked': True, 'created': LocalDateTime.now().toString()}, separators=(',',':'))
cacheService.put(StringHelper.toString(self.lockExpirationTime), "lock_user_"+user_name, object_to_store);
facesMessages.add(FacesMessage.SEVERITY_ERROR, "Your account is locked. Please try again after " + StringHelper.toString(self.lockExpirationTime) + " secs")
print "Basic (lock account). Lock user. User '%s' locked" % user_name
def init(self, customScript, configurationAttributes):
print "Basic (multi login). Initialization"
login_attributes_list_object = configurationAttributes.get("login_attributes_list")
if (login_attributes_list_object == None):
print "Basic (multi login). Initialization. There is no property login_attributes_list"
return False
login_attributes_list = login_attributes_list_object.getValue2()
if (StringHelper.isEmpty(login_attributes_list)):
print "Basic (multi login). Initialization. There is no attributes specified in login_attributes property"
return False
login_attributes_list_array = StringHelper.split(login_attributes_list, ",")
if (ArrayHelper.isEmpty(login_attributes_list_array)):
print "Basic (multi login). Initialization. There is no attributes specified in login_attributes property"
return False
if (configurationAttributes.containsKey("local_login_attributes_list")):
local_login_attributes_list = configurationAttributes.get("local_login_attributes_list").getValue2()
local_login_attributes_list_array = StringHelper.split(local_login_attributes_list, ",")
else:
print "Basic (multi login). Initialization. There is no property local_login_attributes_list. Assuming that login attributes are equal to local login attributes."
local_login_attributes_list_array = login_attributes_list_array
if (len(login_attributes_list_array) != len(local_login_attributes_list_array)):
print "Basic (multi login). Initialization. The number of attributes in login_attributes_list and local_login_attributes_list isn't equal"
return False
self.login_attributes_list_array = login_attributes_list_array
self.local_login_attributes_list_array = local_login_attributes_list_array
print "Basic (multi login). Initialized successfully"
return True
def init(self, customScript, configurationAttributes):
print "Google+ Initialization"
if (not configurationAttributes.containsKey("gplus_client_secrets_file")):
print "Google+ Initialization. The property gplus_client_secrets_file is empty"
return False
clientSecretsFile = configurationAttributes.get("gplus_client_secrets_file").getValue2()
self.clientSecrets = self.loadClientSecrets(clientSecretsFile)
if (self.clientSecrets == None):
print "Google+ Initialization. File with Google+ client secrets should be not empty"
return False
self.attributesMapping = None
if (configurationAttributes.containsKey("gplus_remote_attributes_list") and
configurationAttributes.containsKey("gplus_local_attributes_list")):
remoteAttributesList = configurationAttributes.get("gplus_remote_attributes_list").getValue2()
if (StringHelper.isEmpty(remoteAttributesList)):
print "Google+ Initialization. The property gplus_remote_attributes_list is empty"
return False
localAttributesList = configurationAttributes.get("gplus_local_attributes_list").getValue2()
if (StringHelper.isEmpty(localAttributesList)):
print "Google+ Initialization. The property gplus_local_attributes_list is empty"
return False
self.attributesMapping = self.prepareAttributesMapping(remoteAttributesList, localAttributesList)
if (self.attributesMapping == None):
print "Google+ Initialization. The attributes mapping isn't valid"
return False
self.extensionModule = None
if (configurationAttributes.containsKey("extension_module")):
extensionModuleName = configurationAttributes.get("extension_module").getValue2()
try:
self.extensionModule = __import__(extensionModuleName)
extensionModuleInitResult = self.extensionModule.init(configurationAttributes)
if (not extensionModuleInitResult):
return False
except ImportError, ex:
print "Google+ Initialization. Failed to load gplus_extension_module: '%s'" % extensionModuleName
print "Google+ Initialization. Unexpected error:", ex
return False
def getSamlNameId(self, samlResponse):
saml_response_name_id = samlResponse.getNameId()
if StringHelper.isEmpty(saml_response_name_id):
print "Asimba. Get Saml response. saml_response_name_id is invalid"
return None
print "Asimba. Get Saml response. saml_response_name_id: '%s'" % saml_response_name_id
# Use persistent Id as saml_user_uid
return saml_response_name_id
def init(self, customScript, configurationAttributes):
print "Registration. Initialization"
print "Registration. Initialized successfully"
if (configurationAttributes.containsKey("generic_register_attributes_list") and
configurationAttributes.containsKey("generic_local_attributes_list")):
remoteAttributesList = configurationAttributes.get("generic_register_attributes_list").getValue2()
if (StringHelper.isEmpty(remoteAttributesList)):
print "Registration: Initialization. The property generic_register_attributes_list is empty"
return False
localAttributesList = configurationAttributes.get("generic_local_attributes_list").getValue2()
if (StringHelper.isEmpty(localAttributesList)):
print "Registration: Initialization. The property generic_local_attributes_list is empty"
return False
self.attributesMapping = self.prepareAttributesMapping(remoteAttributesList, localAttributesList)
if (self.attributesMapping == None):
print "Registration: Initialization. The attributes mapping isn't valid"
return False
return True
def authenticate(self, configurationAttributes, requestParameters, step):
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "Basic (with password update). Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
elif (step == 2):
print "Basic (with password update). Authenticate for step 2"
user = authenticationService.getAuthenticatedUser()
if user == None:
print "Basic (with password update). Authenticate for step 2. Failed to determine user name"
return False
user_name = user.getUserId()
find_user_by_uid = userService.getUser(user_name)
update_button = requestParameters.get("loginForm:updateButton")
if ArrayHelper.isEmpty(update_button):
return True
new_password_array = requestParameters.get("new_password")
if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
print "Basic (with password update). Authenticate for step 2. New password is empty"
return False
new_password = new_password_array[0]
find_user_by_uid.setAttribute("userPassword", new_password)
print "Basic (with password update). Authenticate for step 2. Attempting to set new user '%s' password" % user_name
userService.updateUser(find_user_by_uid)
print "Basic (with password update). Authenticate for step 2. Password updated successfully"
return True
else:
return False
def authorize(self, context): # context is reference of io.jans.as.uma.authorization.UmaAuthorizationContext
print "RPT Policy. Authorizing ..."
client_id=context.getClient().getClientId()
print "UmaRptPolicy. client_id = %s" % client_id
if (StringHelper.isEmpty(client_id)):
return False
if (self.clientsSet.contains(client_id)):
print "UmaRptPolicy. Authorizing client"
return True
else:
print "UmaRptPolicy. Client isn't authorized"
return False
def setUserAttributeValue(self, user_name, attribute_name, attribute_value):
if StringHelper.isEmpty(user_name):
return None
userService = CdiUtil.bean(UserService)
find_user_by_uid = userService.getUser(user_name)
if find_user_by_uid == None:
return None
userService.setCustomAttribute(find_user_by_uid, attribute_name, attribute_value)
updated_user = userService.updateUser(find_user_by_uid)
print "Basic (lock account). Set user attribute. User's '%s' attribute '%s' value is '%s'" % (user_name, attribute_name, attribute_value)
return updated_user
def authenticate(self, configurationAttributes, requestParameters, step):
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
iw_otp = requestParameters.get("loginForm:otp")
if ArrayHelper.isNotEmpty(iw_otp) and StringHelper.equalsIgnoreCase("true", iw_otp[0]) and step == 2:
identity.setWorkingParameter("iw_count_login_steps", 3)
return True
elif StringHelper.isEmptyString(user_name) and step == 1:
print "empty user_name in step1 indicates browser token notfound"
identity.setWorkingParameter("iw_count_login_steps", 2)
return True
else:
response_check = False
user_exists_in_gluu = authenticationService.authenticate(user_name)
identity.setWorkingParameter("iw_count_login_steps", step)
if (step == 1 or step == 3):
print "if (step == 1 or step == 3):"
password = credentials.getPassword()
if StringHelper.isEmpty(password):
print "InWebo. Authenticate for step 2. otp token is empty"
return False
#password is the otp token
response_check = self.validateInweboToken(self.api_uri, self.service_id, user_name, password, step)
elif (step == 2):
print "elif (step == 2):"
session = CdiUtil.bean(SessionIdService).getSessionId()
if session == None:
print "InWebo. Authenticate for step 2. session_id is not exists"
return False
response_check = self.checkStatus(self.api_uri, self.service_id, user_name, session.getId(), self.push_withoutpin)
if self.push_fail is not None:
self.setErrorMessage(self.push_fail)
identity.setWorkingParameter("iw_count_login_steps", 3)
return response_check and user_exists_in_gluu
def isInboundJwt(self, value):
if value == None:
return False
try:
jwt = Jwt.parse(value)
print "passport.isInboundJwt. jwt = %s" % jwt
user_profile_json = CdiUtil.bean(EncryptionService).decrypt(jwt.getClaims().getClaimAsString("data"))
if StringHelper.isEmpty(user_profile_json):
return False
except InvalidJwtException:
return False
except:
print("Unexpected error:", sys.exc_info()[0])
return False
return True
def getUserAttributeValue(self, user_name, attribute_name):
if StringHelper.isEmpty(user_name):
return None
userService = CdiUtil.bean(UserService)
find_user_by_uid = userService.getUser(user_name, attribute_name)
if find_user_by_uid == None:
return None
custom_attribute_value = userService.getCustomAttribute(find_user_by_uid, attribute_name)
if custom_attribute_value == None:
return None
attribute_value = custom_attribute_value.getValue()
print "Basic (lock account). Get user attribute. User's '%s' attribute '%s' value is '%s'" % (user_name, attribute_name, attribute_value)
return attribute_value
def unLockUser(self, user_name):
if StringHelper.isEmpty(user_name):
return None
userService = CdiUtil.bean(UserService)
cacheService= CdiUtil.bean(CacheService)
find_user_by_uid = userService.getUser(user_name)
if (find_user_by_uid == None):
return None
object_to_store = json.dumps({'locked': False, 'created': LocalDateTime.now().toString()}, separators=(',',':'))
cacheService.put(StringHelper.toString(self.lockExpirationTime), "lock_user_"+user_name, object_to_store);
userService.setCustomAttribute(find_user_by_uid, "gluuStatus", "active")
userService.setCustomAttribute(find_user_by_uid, self.invalidLoginCountAttribute, None)
updated_user = userService.updateUser(find_user_by_uid)
print "Basic (lock account). Lock user. User '%s' unlocked" % user_name
def getClientConfiguration(self, configurationAttributes, requestParameters):
# Get client configuration
if (configurationAttributes.containsKey("gplus_client_configuration_attribute")):
clientConfigurationAttribute = configurationAttributes.get("gplus_client_configuration_attribute").getValue2()
print "Google+ GetClientConfiguration. Using client attribute: '%s'" % clientConfigurationAttribute
if (requestParameters == None):
return None
clientId = None
# Attempt to determine client_id from request
clientIdArray = requestParameters.get("client_id")
if (ArrayHelper.isNotEmpty(clientIdArray) and StringHelper.isNotEmptyString(clientIdArray[0])):
clientId = clientIdArray[0]
# Attempt to determine client_id from event context
if (clientId == None):
identity = CdiUtil.bean(Identity)
if (identity.isSetWorkingParameter("sessionAttributes")):
clientId = identity.getSessionId().getSessionAttributes().get("client_id")
if (clientId == None):
print "Google+ GetClientConfiguration. client_id is empty"
return None
clientService = CdiUtil.bean(ClientService)
client = clientService.getClient(clientId)
if (client == None):
print "Google+ GetClientConfiguration. Failed to find client '%s' in local LDAP" % clientId
return None
clientConfiguration = clientService.getCustomAttribute(client, clientConfigurationAttribute)
if ((clientConfiguration == None) or StringHelper.isEmpty(clientConfiguration.getValue())):
print "Google+ GetClientConfiguration. Client '%s' attribute '%s' is empty" % (clientId, clientConfigurationAttribute)
else:
print "Google+ GetClientConfiguration. Client '%s' attribute '%s' is '%s'" % (clientId, clientConfigurationAttribute, clientConfiguration)
return clientConfiguration
return None
def getClientConfiguration(self, configurationAttributes, requestParameters):
# Get client configuration
if configurationAttributes.containsKey("saml_client_configuration_attribute"):
saml_client_configuration_attribute = configurationAttributes.get("saml_client_configuration_attribute").getValue2()
print "Asimba. GetClientConfiguration. Using client attribute: '%s'" % saml_client_configuration_attribute
if requestParameters == None:
return None
client_id = None
client_id_array = requestParameters.get("client_id")
if ArrayHelper.isNotEmpty(client_id_array) and StringHelper.isNotEmptyString(client_id_array[0]):
client_id = client_id_array[0]
if client_id == None:
identity = CdiUtil.bean(Identity)
if identity.getSessionId() != None:
client_id = identity.getSessionId().getSessionAttributes().get("client_id")
if client_id == None:
print "Asimba. GetClientConfiguration. client_id is empty"
return None
clientService = CdiUtil.bean(ClientService)
client = clientService.getClient(client_id)
if client == None:
print "Asimba. GetClientConfiguration. Failed to find client '%s' in local LDAP" % client_id
return None
saml_client_configuration = clientService.getCustomAttribute(client, saml_client_configuration_attribute)
if (saml_client_configuration == None) or StringHelper.isEmpty(saml_client_configuration.getValue()):
print "Asimba. GetClientConfiguration. Client '%s' attribute '%s' is empty" % ( client_id, saml_client_configuration_attribute )
else:
print "Asimba. GetClientConfiguration. Client '%s' attribute '%s' is '%s'" % ( client_id, saml_client_configuration_attribute, saml_client_configuration )
return saml_client_configuration
return None
def prepareClientRedirectUris(self, configurationAttributes):
clientRedirectUrisSet = HashSet()
if not configurationAttributes.containsKey("client_redirect_uris"):
return clientRedirectUrisSet
clientRedirectUrisList = configurationAttributes.get("client_redirect_uris").getValue2()
if StringHelper.isEmpty(clientRedirectUrisList):
print "Client registration. The property client_redirect_uris is empty"
return clientRedirectUrisSet
clientRedirectUrisArray = StringHelper.split(clientRedirectUrisList, ",")
if ArrayHelper.isEmpty(clientRedirectUrisArray):
print "Client registration. No clients specified in client_redirect_uris property"
return clientRedirectUrisSet
# Convert to HashSet to quick search
i = 0
count = len(clientRedirectUrisArray)
while i < count:
uris = clientRedirectUrisArray[i]
clientRedirectUrisSet.add(uris)
i = i + 1
return clientRedirectUrisSet
def authenticate(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
if step == 1:
print "Cert. Authenticate for step 1"
login_button = ServerUtil.getFirstValue(requestParameters, "loginForm:loginButton")
if StringHelper.isEmpty(login_button):
print "Cert. Authenticate for step 1. Form were submitted incorrectly"
return False
if self.enabled_recaptcha:
print "Cert. Authenticate for step 1. Validating recaptcha response"
recaptcha_response = ServerUtil.getFirstValue(requestParameters, "g-recaptcha-response")
recaptcha_result = self.validateRecaptcha(recaptcha_response)
print "Cert. Authenticate for step 1. recaptcha_result: '%s'" % recaptcha_result
return recaptcha_result
return True
elif step == 2:
print "Cert. Authenticate for step 2"
# Validate if user selected certificate
cert_x509 = self.getSessionAttribute("cert_x509")
if cert_x509 == None:
print "Cert. Authenticate for step 2. User not selected any certs"
identity.setWorkingParameter("cert_selected", False)
# Return True to inform user how to reset workflow
return True
else:
identity.setWorkingParameter("cert_selected", True)
x509Certificate = self.certFromString(cert_x509)
subjectX500Principal = x509Certificate.getSubjectX500Principal()
print "Cert. Authenticate for step 2. User selected certificate with DN '%s'" % subjectX500Principal
# Validate certificates which user selected
valid = self.validateCertificate(x509Certificate)
if not valid:
print "Cert. Authenticate for step 2. Certificate DN '%s' is not valid" % subjectX500Principal
identity.setWorkingParameter("cert_valid", False)
# Return True to inform user how to reset workflow
return True
identity.setWorkingParameter("cert_valid", True)
# Calculate certificate fingerprint
x509CertificateFingerprint = self.calculateCertificateFingerprint(x509Certificate)
identity.setWorkingParameter("cert_x509_fingerprint", x509CertificateFingerprint)
print "Cert. Authenticate for step 2. Fingerprint is '%s' of certificate with DN '%s'" % (x509CertificateFingerprint, subjectX500Principal)
# Attempt to find user by certificate fingerprint
cert_user_external_uid = "cert:%s" % x509CertificateFingerprint
print "Cert. Authenticate for step 2. Attempting to find user by oxExternalUid attribute value %s" % cert_user_external_uid
find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid)
if find_user_by_external_uid == None:
print "Cert. Authenticate for step 2. Failed to find user"
if self.map_user_cert:
print "Cert. Authenticate for step 2. Storing cert_user_external_uid for step 3"
identity.setWorkingParameter("cert_user_external_uid", cert_user_external_uid)
return True
else:
print "Cert. Authenticate for step 2. Mapping cert to user account is not allowed"
identity.setWorkingParameter("cert_count_login_steps", 2)
return False
foundUserName = find_user_by_external_uid.getUserId()
print "Cert. Authenticate for step 2. foundUserName: "******"Cert. Authenticate for step 2. Setting count steps to 2"
identity.setWorkingParameter("cert_count_login_steps", 2)
return logged_in
elif step == 3:
print "Cert. Authenticate for step 3"
cert_user_external_uid = self.getSessionAttribute("cert_user_external_uid")
if cert_user_external_uid == None:
print "Cert. Authenticate for step 3. cert_user_external_uid is empty"
return False
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Double check just to make sure. We did checking in previous step
# Check if there is user which has cert_user_external_uid
# Avoid mapping user cert to more than one IDP account
find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid)
if find_user_by_external_uid == None:
# Add cert_user_external_uid to user's external GUID list
find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", cert_user_external_uid)
if find_user_by_external_uid == None:
print "Cert. Authenticate for step 3. Failed to update current user"
return False
return True
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
extensionResult = self.extensionAuthenticate(configurationAttributes, requestParameters, step)
if extensionResult != None:
return extensionResult
print "Passport. authenticate for step %s called" % str(step)
identity = CdiUtil.bean(Identity)
# Loading self.registeredProviders in case passport destroyed
if not hasattr(self,'registeredProviders'):
print "Passport. Fetching registered providers."
self.parseProviderConfigs()
if step == 1:
jwt_param = None
if self.isInboundFlow(identity):
# if is idp-initiated inbound flow
print "Passport. authenticate for step 1. Detected idp-initiated inbound Saml flow"
# get request from session attributes
jwt_param = identity.getSessionId().getSessionAttributes().get(AuthorizeRequestParam.STATE)
print "jwt_param = %s" % jwt_param
# now jwt_param != None
if jwt_param == None:
# gets jwt parameter "user" sent after authentication by passport (if exists)
jwt_param = ServerUtil.getFirstValue(requestParameters, "user")
if jwt_param != None:
# and now that the jwt_param user exists...
print "Passport. authenticate for step 1. JWT user profile token found"
if self.isInboundFlow(identity):
jwt_param = base64.urlsafe_b64decode(str(jwt_param+'=='))
# Parse JWT and validate
jwt = Jwt.parse(jwt_param)
if not self.validSignature(jwt):
return False
if self.jwtHasExpired(jwt):
return False
# Gets user profile as string and json using the information on JWT
(user_profile, jsonp) = self.getUserProfile(jwt)
if user_profile == None:
return False
sessionAttributes = identity.getSessionId().getSessionAttributes()
self.skipProfileUpdate = StringHelper.equalsIgnoreCase(sessionAttributes.get("skipPassportProfileUpdate"), "true")
return self.attemptAuthentication(identity, user_profile, jsonp)
#See passportlogin.xhtml
provider = ServerUtil.getFirstValue(requestParameters, "loginForm:provider")
if StringHelper.isEmpty(provider):
#it's username + passw auth
print "Passport. authenticate for step 1. Basic authentication detected"
logged_in = False
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
authenticationService = CdiUtil.bean(AuthenticationService)
logged_in = authenticationService.authenticate(user_name, user_password)
print "Passport. authenticate for step 1. Basic authentication returned: %s" % logged_in
return logged_in
elif provider in self.registeredProviders:
# user selected provider
# it's a recognized external IDP
identity.setWorkingParameter("selectedProvider", provider)
print "Passport. authenticate for step 1. Retrying step 1"
#see prepareForStep (step = 1)
return True
if step == 2:
mail = ServerUtil.getFirstValue(requestParameters, "loginForm:email")
jsonp = identity.getWorkingParameter("passport_user_profile")
if mail == None:
self.setMessageError(FacesMessage.SEVERITY_ERROR, "Email was missing in user profile")
elif jsonp != None:
# Completion of profile takes place
user_profile = json.loads(jsonp)
user_profile["mail"] = [ mail ]
return self.attemptAuthentication(identity, user_profile, jsonp)
print "Passport. authenticate for step 2. Failed: expected mail value in HTTP request and json profile in session"
return False
def authenticate(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
if step == 1:
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = CdiUtil.bean(UserService)
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
else:
find_user_by_uid = authenticationService.getAuthenticatedUser()
status_attribute_value = userService.getCustomAttribute(find_user_by_uid, "mail")
user_mail = status_attribute_value.getValue()
self.setRequestScopedParameters(identity)
isCompromised = False
isCompromised = self.is_compromised(user_mail,user_password,configurationAttributes)
if(isCompromised):
identity.setWorkingParameter("pwd_compromised", isCompromised)
identity.setWorkingParameter("user_name", user_name)
return True
else:
return True
elif step == 2:
print "compromised_password. Authenticate for step 2"
form_answer_array = requestParameters.get("loginForm:question")
if ArrayHelper.isEmpty(form_answer_array):
return False
form_answer = form_answer_array[0]
if (form_answer == self.secretanswer):
return True
return False
elif step == 3:
authenticationService = CdiUtil.bean(AuthenticationService)
print "compromised_password (with password update). Authenticate for step 3"
userService = CdiUtil.bean(UserService)
update_button = requestParameters.get("loginForm:updateButton")
new_password_array = requestParameters.get("new_password")
if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
print "compromised_password (with password update). Authenticate for step 3. New password is empty"
return False
new_password = new_password_array[0]
user = authenticationService.getAuthenticatedUser()
if user == None:
print "compromised_password (with password update). Authenticate for step 3. Failed to determine user name"
return False
user_name = user.getUserId()
print "compromised_password (with password update). Authenticate for step 3. Attempting to set new user '" + user_name + "' password"
find_user_by_uid = userService.getUser(user_name)
if (find_user_by_uid == None):
print "compromised_password (with password update). Authenticate for step 3. Failed to find user"
return False
find_user_by_uid.setAttribute("userPassword", new_password)
userService.updateUser(find_user_by_uid)
print "compromised_password (with password update). Authenticate for step 3. Password updated successfully"
logged_in = authenticationService.authenticate(user_name)
return True
def init(self, customScript, configurationAttributes):
print "Asimba. Initialization"
asimba_saml_certificate_file = configurationAttributes.get("asimba_saml_certificate_file").getValue2()
saml_idp_sso_target_url = configurationAttributes.get("saml_idp_sso_target_url").getValue2()
asimba_entity_id = configurationAttributes.get("asimba_entity_id").getValue2()
saml_use_authn_context = StringHelper.toBoolean(configurationAttributes.get("saml_use_authn_context").getValue2(), True)
if saml_use_authn_context:
saml_name_identifier_format = configurationAttributes.get("saml_name_identifier_format").getValue2()
else:
saml_name_identifier_format = None
asimba_saml_certificate = self.loadCeritificate(asimba_saml_certificate_file)
if StringHelper.isEmpty(asimba_saml_certificate):
print "Asimba. Initialization. File with x509 certificate should be not empty"
return False
samlConfiguration = SamlConfiguration()
# Set the issuer of the authentication request. This would usually be the URL of the issuing web application
samlConfiguration.setIssuer(asimba_entity_id)
# Tells the IdP to return a persistent identifier for the user
samlConfiguration.setNameIdentifierFormat(saml_name_identifier_format)
# The URL at the Identity Provider where to the authentication request should be sent
samlConfiguration.setIdpSsoTargetUrl(saml_idp_sso_target_url)
# Enablediable RequestedAuthnContext
samlConfiguration.setUseRequestedAuthnContext(saml_use_authn_context)
# Load x509 certificate
samlConfiguration.loadCertificateFromString(asimba_saml_certificate)
self.samlConfiguration = samlConfiguration
self.generateNameId = False
if configurationAttributes.containsKey("saml_generate_name_id"):
self.generateNameId = StringHelper.toBoolean(configurationAttributes.get("saml_generate_name_id").getValue2(), False)
print "Asimba. Initialization. The property saml_generate_name_id is %s" % self.generateNameId
self.updateUser = False
if configurationAttributes.containsKey("saml_update_user"):
self.updateUser = StringHelper.toBoolean(configurationAttributes.get("saml_update_user").getValue2(), False)
print "Asimba. Initialization. The property saml_update_user is %s" % self.updateUser
self.userObjectClasses = None
if configurationAttributes.containsKey("user_object_classes"):
self.userObjectClasses = self.prepareUserObjectClasses(configurationAttributes)
self.userEnforceAttributesUniqueness = None
if configurationAttributes.containsKey("enforce_uniqueness_attr_list"):
self.userEnforceAttributesUniqueness = self.prepareUserEnforceUniquenessAttributes(configurationAttributes)
self.attributesMapping = None
if configurationAttributes.containsKey("saml_idp_attributes_mapping"):
saml_idp_attributes_mapping = configurationAttributes.get("saml_idp_attributes_mapping").getValue2()
if StringHelper.isEmpty(saml_idp_attributes_mapping):
print "Asimba. Initialization. The property saml_idp_attributes_mapping is empty"
return False
self.attributesMapping = self.prepareAttributesMapping(saml_idp_attributes_mapping)
if self.attributesMapping == None:
print "Asimba. Initialization. The attributes mapping isn't valid"
return False
self.samlExtensionModule = None
if configurationAttributes.containsKey("saml_extension_module"):
saml_extension_module_name = configurationAttributes.get("saml_extension_module").getValue2()
try:
self.samlExtensionModule = __import__(saml_extension_module_name)
saml_extension_module_init_result = self.samlExtensionModule.init(configurationAttributes)
if not saml_extension_module_init_result:
return False
except ImportError, ex:
print "Asimba. Initialization. Failed to load saml_extension_module: '%s'" % saml_extension_module_name
print "Asimba. Initialization. Unexpected error:", ex
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
session_attributes = identity.getSessionId().getSessionAttributes()
self.setRequestScopedParameters(identity)
if (step == 1):
return True
elif (step == 2):
print "UAF. Prepare for step 2"
session = CdiUtil.bean(SessionIdService).getSessionId()
if session == None:
print "UAF. Prepare for step 2. Failed to determine session_id"
return False
user = authenticationService.getAuthenticatedUser()
if (user == None):
print "UAF. Prepare for step 2. Failed to determine user name"
return False
uaf_auth_method = session_attributes.get("uaf_auth_method")
if StringHelper.isEmpty(uaf_auth_method):
print "UAF. Prepare for step 2. Failed to determine auth_method"
return False
print "UAF. Prepare for step 2. uaf_auth_method: '%s'" % uaf_auth_method
uaf_obb_auth_method = "OOB_REG"
uaf_obb_server_uri = self.uaf_server_uri + "/nnl/v2/reg"
if StringHelper.equalsIgnoreCase(uaf_auth_method, "authenticate"):
uaf_obb_auth_method = "OOB_AUTH"
uaf_obb_server_uri = self.uaf_server_uri + "/nnl/v2/auth"
# Prepare START_OBB
uaf_obb_start_request_dictionary = { "operation": "START_%s" % uaf_obb_auth_method,
"userName": user.getUserId(),
"policyName": "default",
"oobMode":
{ "qr": "true", "rawData": "false", "push": "false" }
}
uaf_obb_start_request = json.dumps(uaf_obb_start_request_dictionary, separators=(',',':'))
print "UAF. Prepare for step 2. Prepared START request: '%s' to send to '%s'" % (uaf_obb_start_request, uaf_obb_server_uri)
# Request START_OBB
uaf_obb_start_response = self.executePost(uaf_obb_server_uri, uaf_obb_start_request)
if uaf_obb_start_response == None:
return False
print "UAF. Prepare for step 2. Get START response: '%s'" % uaf_obb_start_response
uaf_obb_start_response_json = json.loads(uaf_obb_start_response)
# Prepare STATUS_OBB
#TODO: Remove needDetails parameter
uaf_obb_status_request_dictionary = { "operation": "STATUS_%s" % uaf_obb_auth_method,
"userName": user.getUserId(),
"needDetails": 1,
"oobStatusHandle": uaf_obb_start_response_json["oobStatusHandle"],
}
uaf_obb_status_request = json.dumps(uaf_obb_status_request_dictionary, separators=(',',':'))
print "UAF. Prepare for step 2. Prepared STATUS request: '%s' to send to '%s'" % (uaf_obb_status_request, uaf_obb_server_uri)
identity.setWorkingParameter("uaf_obb_auth_method", uaf_obb_auth_method)
identity.setWorkingParameter("uaf_obb_server_uri", uaf_obb_server_uri)
identity.setWorkingParameter("uaf_obb_start_response", uaf_obb_start_response)
identity.setWorkingParameter("qr_image", uaf_obb_start_response_json["modeResult"]["qrCode"]["qrImage"])
identity.setWorkingParameter("uaf_obb_status_request", uaf_obb_status_request)
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
self.setRequestScopedParameters(identity)
if step == 1:
print "OTP. Authenticate for step 1"
authenticated_user = self.processBasicAuthentication(credentials)
if authenticated_user == None:
return False
otp_auth_method = "authenticate"
# Uncomment this block if you need to allow user second OTP registration
#enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton")
#if StringHelper.isNotEmpty(enrollment_mode):
# otp_auth_method = "enroll"
if otp_auth_method == "authenticate":
user_enrollments = self.findEnrollments(authenticated_user.getUserId())
if len(user_enrollments) == 0:
otp_auth_method = "enroll"
print "OTP. Authenticate for step 1. There is no OTP enrollment for user '%s'. Changing otp_auth_method to '%s'" % (authenticated_user.getUserId(), otp_auth_method)
if otp_auth_method == "enroll":
print "OTP. Authenticate for step 1. Setting count steps: '%s'" % 3
identity.setWorkingParameter("otp_count_login_steps", 3)
print "OTP. Authenticate for step 1. otp_auth_method: '%s'" % otp_auth_method
identity.setWorkingParameter("otp_auth_method", otp_auth_method)
return True
elif step == 2:
print "OTP. Authenticate for step 2"
authenticationService = CdiUtil.bean(AuthenticationService)
user = authenticationService.getAuthenticatedUser()
if user == None:
print "OTP. Authenticate for step 2. Failed to determine user name"
return False
session_id_validation = self.validateSessionId(identity)
if not session_id_validation:
return False
# Restore state from session
identity.setWorkingParameter("retry_current_step", False)
otp_auth_method = identity.getWorkingParameter("otp_auth_method")
if otp_auth_method == 'enroll':
auth_result = ServerUtil.getFirstValue(requestParameters, "auth_result")
if not StringHelper.isEmpty(auth_result):
# defect fix #1225 - Retry the step, show QR code again
if auth_result == 'timeout':
print "OTP. QR-code timeout. Authenticate for step %s. Reinitializing current step" % step
identity.setWorkingParameter("retry_current_step", True)
return True
print "OTP. Authenticate for step 2. User not enrolled OTP"
return False
print "OTP. Authenticate for step 2. Skipping this step during enrollment"
return True
otp_auth_result = self.processOtpAuthentication(requestParameters, user.getUserId(), identity, otp_auth_method)
print "OTP. Authenticate for step 2. OTP authentication result: '%s'" % otp_auth_result
return otp_auth_result
elif step == 3:
print "OTP. Authenticate for step 3"
authenticationService = CdiUtil.bean(AuthenticationService)
user = authenticationService.getAuthenticatedUser()
if user == None:
print "OTP. Authenticate for step 2. Failed to determine user name"
return False
session_id_validation = self.validateSessionId(identity)
if not session_id_validation:
return False
# Restore state from session
otp_auth_method = identity.getWorkingParameter("otp_auth_method")
if otp_auth_method != 'enroll':
return False
otp_auth_result = self.processOtpAuthentication(requestParameters, user.getUserId(), identity, otp_auth_method)
print "OTP. Authenticate for step 3. OTP authentication result: '%s'" % otp_auth_result
return otp_auth_result
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
userService = CdiUtil.bean(UserService)
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
if step == 1:
print "Basic (with password update). Authenticate for step 1"
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
logged_in = authenticationService.authenticate(user_name, user_password)
if not logged_in:
return False
find_user_by_uid = authenticationService.getAuthenticatedUser()
user_expDate = find_user_by_uid.getAttribute("oxPasswordExpirationDate", False)
if user_expDate == None:
print "Basic (with password update). Authenticate for step 1. User has no oxPasswordExpirationDate date"
return False
dt = StaticUtils.decodeGeneralizedTime(user_expDate)
# Get Current Date
calendar = GregorianCalendar(TimeZone.getTimeZone("UTC"));
now = calendar.getTime()
if now.compareTo(dt) > 0:
# Add 90 Days to current date
calendar.setTime(now)
calendar.add(calendar.DATE, 1)
dt_plus_90 = calendar.getTime()
expDate = StaticUtils.encodeGeneralizedTime(dt_plus_90)
identity.setWorkingParameter("expDate", expDate)
return True
elif step == 2:
print "Basic (with password update). Authenticate for step 2"
user = authenticationService.getAuthenticatedUser()
if user == None:
print "Basic (with password update). Authenticate for step 2. Failed to determine user name"
return False
user_name = user.getUserId()
find_user_by_uid = userService.getUser(user_name)
newExpDate = identity.getWorkingParameter("expDate")
if find_user_by_uid == None:
print "Basic (with password update). Authenticate for step 2. Failed to find user"
return False
print "Basic (with password update). Authenticate for step 2"
update_button = requestParameters.get("loginForm:updateButton")
if ArrayHelper.isEmpty(update_button):
return True
find_user_by_uid.setAttribute("oxPasswordExpirationDate", newExpDate)
new_password_array = requestParameters.get("loginForm:password")
if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
print "Basic (with password update). Authenticate for step 2. New password is empty"
return False
new_password = new_password_array[0]
find_user_by_uid.setAttribute("userPassword", new_password)
print "Basic (with password update). Authenticate for step 2. Attempting to set new user '%s' password" % user_name
userService.updateUser(find_user_by_uid)
print "Basic (with password update). Authenticate for step 2. Password updated successfully"
return True
else:
return False
def setDefaultUid(self, user, saml_user_uid):
if StringHelper.isEmpty(user.getUserId()):
user.setUserId(saml_user_uid)
def processOtpAuthentication(self, requestParameters, user_name, identity, otp_auth_method):
facesMessages = CdiUtil.bean(FacesMessages)
facesMessages.setKeepMessages()
userService = CdiUtil.bean(UserService)
otpCode = ServerUtil.getFirstValue(requestParameters, "loginForm:otpCode")
if StringHelper.isEmpty(otpCode):
facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to authenticate. OTP code is empty")
print "OTP. Process OTP authentication. otpCode is empty"
return False
if otp_auth_method == "enroll":
# Get key from session
otp_secret_key_encoded = identity.getWorkingParameter("otp_secret_key")
if otp_secret_key_encoded == None:
print "OTP. Process OTP authentication. OTP secret key is invalid"
return False
otp_secret_key = self.fromBase64Url(otp_secret_key_encoded)
if self.otpType == "hotp":
validation_result = self.validateHotpKey(otp_secret_key, 1, otpCode)
if (validation_result != None) and validation_result["result"]:
print "OTP. Process HOTP authentication during enrollment. otpCode is valid"
# Store HOTP Secret Key and moving factor in user entry
otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, validation_result["movingFactor"] )
# Add otp_user_external_uid to user's external GUID list
find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", otp_user_external_uid)
if find_user_by_external_uid != None:
return True
print "OTP. Process HOTP authentication during enrollment. Failed to update user entry"
elif self.otpType == "totp":
validation_result = self.validateTotpKey(otp_secret_key, otpCode,user_name)
if (validation_result != None) and validation_result["result"]:
print "OTP. Process TOTP authentication during enrollment. otpCode is valid"
# Store TOTP Secret Key and moving factor in user entry
otp_user_external_uid = "totp:%s" % otp_secret_key_encoded
# Add otp_user_external_uid to user's external GUID list
find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", otp_user_external_uid)
if find_user_by_external_uid != None:
return True
print "OTP. Process TOTP authentication during enrollment. Failed to update user entry"
elif otp_auth_method == "authenticate":
user_enrollments = self.findEnrollments(user_name)
if len(user_enrollments) == 0:
print "OTP. Process OTP authentication. There is no OTP enrollment for user '%s'" % user_name
facesMessages.add(FacesMessage.SEVERITY_ERROR, "There is no valid OTP user enrollments")
return False
if self.otpType == "hotp":
for user_enrollment in user_enrollments:
user_enrollment_data = user_enrollment.split(";")
otp_secret_key_encoded = user_enrollment_data[0]
# Get current moving factor from user entry
moving_factor = StringHelper.toInteger(user_enrollment_data[1])
otp_secret_key = self.fromBase64Url(otp_secret_key_encoded)
# Validate TOTP
validation_result = self.validateHotpKey(otp_secret_key, moving_factor, otpCode)
if (validation_result != None) and validation_result["result"]:
print "OTP. Process HOTP authentication during authentication. otpCode is valid"
otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, moving_factor )
new_otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, validation_result["movingFactor"] )
# Update moving factor in user entry
find_user_by_external_uid = userService.replaceUserAttribute(user_name, "oxExternalUid", otp_user_external_uid, new_otp_user_external_uid)
if find_user_by_external_uid != None:
return True
print "OTP. Process HOTP authentication during authentication. Failed to update user entry"
elif self.otpType == "totp":
for user_enrollment in user_enrollments:
otp_secret_key = self.fromBase64Url(user_enrollment)
# Validate TOTP
validation_result = self.validateTotpKey(otp_secret_key, otpCode, user_name)
if (validation_result != None) and validation_result["result"]:
print "OTP. Process TOTP authentication during authentication. otpCode is valid"
return True
facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to authenticate. OTP code is invalid")
print "OTP. Process OTP authentication. OTP code is invalid"
return False
def authenticate(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
session_attributes = identity.getSessionId().getSessionAttributes()
self.setRequestScopedParameters(identity)
if (step == 1):
print "UAF. Authenticate for step 1"
user_name = credentials.getUsername()
authenticated_user = self.processBasicAuthentication(credentials)
if authenticated_user == None:
return False
uaf_auth_method = "authenticate"
# Uncomment this block if you need to allow user second device registration
#enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton")
#if StringHelper.isNotEmpty(enrollment_mode):
# uaf_auth_method = "enroll"
if uaf_auth_method == "authenticate":
user_enrollments = self.findEnrollments(credentials)
if len(user_enrollments) == 0:
uaf_auth_method = "enroll"
print "UAF. Authenticate for step 1. There is no UAF enrollment for user '%s'. Changing uaf_auth_method to '%s'" % (user_name, uaf_auth_method)
print "UAF. Authenticate for step 1. uaf_auth_method: '%s'" % uaf_auth_method
identity.setWorkingParameter("uaf_auth_method", uaf_auth_method)
return True
elif (step == 2):
print "UAF. Authenticate for step 2"
session = CdiUtil.bean(SessionIdService).getSessionId()
if session == None:
print "UAF. Prepare for step 2. Failed to determine session_id"
return False
user = authenticationService.getAuthenticatedUser()
if (user == None):
print "UAF. Authenticate for step 2. Failed to determine user name"
return False
user_name = user.getUserId()
uaf_auth_result = ServerUtil.getFirstValue(requestParameters, "auth_result")
if uaf_auth_result != "success":
print "UAF. Authenticate for step 2. auth_result is '%s'" % uaf_auth_result
return False
# Restore state from session
uaf_auth_method = session_attributes.get("uaf_auth_method")
if not uaf_auth_method in ['enroll', 'authenticate']:
print "UAF. Authenticate for step 2. Failed to authenticate user. uaf_auth_method: '%s'" % uaf_auth_method
return False
# Request STATUS_OBB
if True:
#TODO: Remove this condition
# It's workaround becuase it's not possible to call STATUS_OBB 2 times. First time on browser and second ime on server
uaf_user_device_handle = ServerUtil.getFirstValue(requestParameters, "auth_handle")
else:
uaf_obb_auth_method = session_attributes.get("uaf_obb_auth_method")
uaf_obb_server_uri = session_attributes.get("uaf_obb_server_uri")
uaf_obb_start_response = session_attributes.get("uaf_obb_start_response")
# Prepare STATUS_OBB
uaf_obb_start_response_json = json.loads(uaf_obb_start_response)
uaf_obb_status_request_dictionary = { "operation": "STATUS_%s" % uaf_obb_auth_method,
"userName": user_name,
"needDetails": 1,
"oobStatusHandle": uaf_obb_start_response_json["oobStatusHandle"],
}
uaf_obb_status_request = json.dumps(uaf_obb_status_request_dictionary, separators=(',',':'))
print "UAF. Authenticate for step 2. Prepared STATUS request: '%s' to send to '%s'" % (uaf_obb_status_request, uaf_obb_server_uri)
uaf_status_obb_response = self.executePost(uaf_obb_server_uri, uaf_obb_status_request)
if uaf_status_obb_response == None:
return False
print "UAF. Authenticate for step 2. Get STATUS response: '%s'" % uaf_status_obb_response
uaf_status_obb_response_json = json.loads(uaf_status_obb_response)
if uaf_status_obb_response_json["statusCode"] != 4000:
print "UAF. Authenticate for step 2. UAF operation status is invalid. statusCode: '%s'" % uaf_status_obb_response_json["statusCode"]
return False
uaf_user_device_handle = uaf_status_obb_response_json["additionalInfo"]["authenticatorsResult"]["handle"]
if StringHelper.isEmpty(uaf_user_device_handle):
print "UAF. Prepare for step 2. Failed to get UAF handle"
return False
uaf_user_external_uid = "uaf:%s" % uaf_user_device_handle
print "UAF. Authenticate for step 2. UAF handle: '%s'" % uaf_user_external_uid
if uaf_auth_method == "authenticate":
# Validate if user used device with same keYHandle
user_enrollments = self.findEnrollments(credentials)
if len(user_enrollments) == 0:
uaf_auth_method = "enroll"
print "UAF. Authenticate for step 2. There is no UAF enrollment for user '%s'." % user_name
return False
for user_enrollment in user_enrollments:
if StringHelper.equalsIgnoreCase(user_enrollment, uaf_user_device_handle):
print "UAF. Authenticate for step 2. There is UAF enrollment for user '%s'. User authenticated successfully" % user_name
return True
else:
userService = CdiUtil.bean(UserService)
# Double check just to make sure. We did checking in previous step
# Check if there is user which has uaf_user_external_uid
# Avoid mapping user cert to more than one IDP account
find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", uaf_user_external_uid)
if find_user_by_external_uid == None:
# Add uaf_user_external_uid to user's external GUID list
find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", uaf_user_external_uid)
if find_user_by_external_uid == None:
print "UAF. Authenticate for step 2. Failed to update current user"
return False
return True
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
userService = CdiUtil.bean(UserService)
requestParameterService = CdiUtil.bean(RequestParameterService)
authenticationService = CdiUtil.bean(AuthenticationService)
httpService = CdiUtil.bean(HttpService)
if step == 1:
print "CAS2. Authenticate for step 1"
ticket_array = requestParameters.get("ticket")
if ArrayHelper.isEmpty(ticket_array):
print "CAS2. Authenticate for step 1. ticket is empty"
return False
ticket = ticket_array[0]
print "CAS2. Authenticate for step 1. ticket: " + ticket
if StringHelper.isEmptyString(ticket):
print "CAS2. Authenticate for step 1. ticket is invalid"
return False
# Validate ticket
facesContext = CdiUtil.bean(FacesContext)
request = facesContext.getExternalContext().getRequest()
parametersMap = HashMap()
parametersMap.put("service", httpService.constructServerUrl(request) + "/postlogin.htm")
if self.cas_renew_opt:
parametersMap.put("renew", "true")
parametersMap.put("ticket", ticket)
cas_service_request_uri = requestParameterService.parametersAsString(parametersMap)
cas_service_request_uri = self.cas_host + "/serviceValidate?" + cas_service_request_uri
if self.cas_extra_opts != None:
cas_service_request_uri = cas_service_request_uri + "&" + self.cas_extra_opts
print "CAS2. Authenticate for step 1. cas_service_request_uri: " + cas_service_request_uri
http_client = httpService.getHttpsClient()
http_service_response = httpService.executeGet(http_client, cas_service_request_uri)
try:
validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_service_response.getHttpResponse()))
finally:
http_service_response.closeConnection()
print "CAS2. Authenticate for step 1. validation_content: " + validation_content
if StringHelper.isEmpty(validation_content):
print "CAS2. Authenticate for step 1. Ticket validation response is invalid"
return False
cas2_auth_failure = self.parse_tag(validation_content, "cas:authenticationFailure")
print "CAS2. Authenticate for step 1. cas2_auth_failure: ", cas2_auth_failure
cas2_user_uid = self.parse_tag(validation_content, "cas:user")
print "CAS2. Authenticate for step 1. cas2_user_uid: ", cas2_user_uid
if (cas2_auth_failure != None) or (cas2_user_uid == None):
print "CAS2. Authenticate for step 1. Ticket is invalid"
return False
if self.cas_map_user:
print "CAS2. Authenticate for step 1. Attempting to find user by oxExternalUid: cas2:" + cas2_user_uid
# Check if the is user with specified cas2_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid)
if find_user_by_uid == None:
print "CAS2. Authenticate for step 1. Failed to find user"
print "CAS2. Authenticate for step 1. Setting count steps to 2"
identity.setWorkingParameter("cas2_count_login_steps", 2)
identity.setWorkingParameter("cas2_user_uid", cas2_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "CAS2. Authenticate for step 1. found_user_name: " + found_user_name
authenticationService.authenticate(found_user_name)
print "CAS2. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("cas2_count_login_steps", 1)
return True
else:
print "CAS2. Authenticate for step 1. Attempting to find user by uid:" + cas2_user_uid
# Check if there is user with specified cas2_user_uid
find_user_by_uid = userService.getUser(cas2_user_uid)
if find_user_by_uid == None:
print "CAS2. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "CAS2. Authenticate for step 1. found_user_name: " + found_user_name
authenticationService.authenticate(found_user_name)
print "CAS2. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("cas2_count_login_steps", 1)
return True
elif step == 2:
print "CAS2. Authenticate for step 2"
if identity.isSetWorkingParameter("cas2_user_uid"):
print "CAS2. Authenticate for step 2. cas2_user_uid is empty"
return False
cas2_user_uid = identity.getWorkingParameter("cas2_user_uid")
passed_step1 = StringHelper.isNotEmptyString(cas2_user_uid)
if not passed_step1:
return False
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
logged_in = authenticationService.authenticate(user_name, user_password)
if not logged_in:
return False
# Check if there is user which has cas2_user_uid
# Avoid mapping CAS2 account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid)
if find_user_by_uid == None:
# Add cas2_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "cas2:" + cas2_user_uid)
if find_user_by_uid == None:
print "CAS2. Authenticate for step 2. Failed to update current user"
return False
return True
else:
found_user_name = find_user_by_uid.getUserId()
print "CAS2. Authenticate for step 2. found_user_name: " + found_user_name
if StringHelper.equals(user_name, found_user_name):
return True
return False
else:
return False
