def init(self, configurationAttributes):
print "oxPush2. Initialization"
if not (configurationAttributes.containsKey("application_id") and
configurationAttributes.containsKey("authentication_mode")):
print "oxPush2. Initialization. Properties application_id and authentication_mode are mandatory"
return False
self.application_id = configurationAttributes.get("application_id").getValue2()
if StringHelper.isEmpty(self.application_id):
print "oxPush2. Initialization. Failed to determine application_id. application_id configuration parameter is empty"
return False
authentication_mode = configurationAttributes.get("authentication_mode").getValue2()
if StringHelper.isEmpty(authentication_mode):
print "oxPush2. Initialization. Failed to determine authentication_mode. authentication_mode configuration parameter is empty"
return False
self.oneStep = StringHelper.equalsIgnoreCase(authentication_mode, "one_step")
self.twoStep = StringHelper.equalsIgnoreCase(authentication_mode, "two_step")
if not (self.oneStep or self.twoStep):
print "oxPush2. Initialization. Valid authentication_mode values are one_step and two_step"
return False
self.enabledPushNotifications = self.initPushNotificationService(configurationAttributes)
print "oxPush2. Initialized successfully. oneStep: '%s', twoStep: '%s', pushNotifications: '%s'" % (self.oneStep, self.twoStep, self.enabledPushNotifications)
return True
def sendPushNotification(self, user, oxpush2_request):
if not self.enabledPushNotifications:
return
user_name = user.getUserId()
print "oxPush2. Send push notification. Loading user '%s' devices" % user_name
send_notification = False
send_notification_result = True
userService = UserService.instance()
deviceRegistrationService = DeviceRegistrationService.instance()
user_inum = userService.getUserInum(user_name)
u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, self.application_id, "oxId", "oxDeviceData")
if u2f_devices_list.size() > 0:
for u2f_device in u2f_devices_list:
device_data = u2f_device.getDeviceData()
# Device data which oxPush2 gets during enrollment
if device_data == None:
continue
platform = device_data.getPlatform()
push_token = device_data.getPushToken()
debug = False
if StringHelper.equalsIgnoreCase(platform, "ios") and StringHelper.isNotEmpty(push_token):
# Sending notification to iOS user's device
if (self.pushAppleService == None):
print "oxPush2. Send push notification. Apple push notification service is not enabled"
else:
send_notification = True
title = "oxPush2"
message = "oxPush2 login request to: %s" % self.application_id
additional_fields = HashMap()
additional_fields.put("request", oxpush2_request)
send_notification_result = self.pushAppleService.sendPush(title, message, additional_fields, push_token)
if debug:
print "oxPush2. Send push notification. token: '%s', send_notification_result: '%s'" % (push_token, send_notification_result)
if StringHelper.equalsIgnoreCase(platform, "android") and StringHelper.isNotEmpty(push_token):
# Sending notification to Android user's device
if (self.pushAndroidService == None):
print "oxPush2. Send push notification. Android push notification service is not enabled"
else:
send_notification = True
send_notification_result= self.pushAndroidService.sendPush("oxPush2", oxpush2_request, push_token)
if debug:
print "oxPush2. Send push notification. token: '%s', send_notification_result: '%s'" % (push_token, send_notification_result)
print "oxPush2. Send push notification. send_notification: '%s', send_notification_result: '%s'" % (send_notification, send_notification_result)
def getMappedAllAttributesUser(self, saml_response_attributes):
user = User()
# Set custom object classes
if self.userObjectClasses != None:
print "Saml. Get mapped all attributes user. User custom objectClasses to add persons: '%s'" % Util.array2ArrayList(self.userObjectClasses)
user.setCustomObjectClasses(self.userObjectClasses)
# Prepare map to do quick mapping
attributeService = AttributeService.instance()
ldapAttributes = attributeService.getAllAttributes()
samlUriToAttributesMap = HashMap()
for ldapAttribute in ldapAttributes:
saml2Uri = ldapAttribute.getSaml2Uri()
if (saml2Uri == None):
saml2Uri = attributeService.getDefaultSaml2Uri(ldapAttribute.getName())
samlUriToAttributesMap.put(saml2Uri, ldapAttribute.getName())
customAttributes = ArrayList()
for key in saml_response_attributes.keySet():
ldapAttributeName = samlUriToAttributesMap.get(key)
if ldapAttributeName == None:
print "Saml. Get mapped all attributes user. Skipping saml attribute: '%s'" % key
continue
if StringHelper.equalsIgnoreCase(ldapAttributeName, "uid"):
continue
attribute = CustomAttribute(ldapAttributeName)
attribute.setValues(saml_response_attributes.get(key))
customAttributes.add(attribute)
user.setCustomAttributes(customAttributes)
return user
def updateClient(self, registerRequest, client, configurationAttributes):
print "Client registration. UpdateClient method"
redirectUris = client.getRedirectUris()
print "Client registration. Redirect Uris:", redirectUris
addAddressScope = False
for redirectUri in redirectUris:
if (StringHelper.equalsIgnoreCase(redirectUri, "https://client.example.com/example1")):
addAddressScope = True
break
print "Client registration. Is add address scope:", addAddressScope
if (addAddressScope):
currentScopes = client.getScopes()
print "Client registration. Current scopes:", currentScopes
addressScope = self.scopeService.getScopeByDisplayName("address")
newScopes = ArrayHelper.addItemToStringArray(currentScopes, addressScope.getDn())
print "Client registration. Result scopes:", newScopes
client.setScopes(newScopes)
return True
def validateSessionDeviceStatus(self, client_redirect_uri, session_device_status, user_name = None):
userService = UserService.instance()
deviceRegistrationService = DeviceRegistrationService.instance()
u2f_device_id = session_device_status['device_id']
u2f_device = None
if session_device_status['enroll'] and session_device_status['one_step']:
u2f_device = deviceRegistrationService.findOneStepUserDeviceRegistration(u2f_device_id)
if u2f_device == None:
print "Super-Gluu. Validate session device status. There is no one step u2f_device '%s'" % u2f_device_id
return False
else:
# Validate if user has specified device_id enrollment
user_inum = userService.getUserInum(user_name)
if session_device_status['one_step']:
user_inum = session_device_status['user_inum']
u2f_device = deviceRegistrationService.findUserDeviceRegistration(user_inum, u2f_device_id)
if u2f_device == None:
print "Super-Gluu. Validate session device status. There is no u2f_device '%s' associated with user '%s'" % (u2f_device_id, user_inum)
return False
if not StringHelper.equalsIgnoreCase(client_redirect_uri, u2f_device.application):
print "Super-Gluu. Validate session device status. u2f_device '%s' associated with other application '%s'" % (u2f_device_id, u2f_device.application)
return False
return True
def prepareAttributesMapping(self, remoteAttributesList, localAttributesList):
remoteAttributesListArray = StringHelper.split(remoteAttributesList, ",")
if (ArrayHelper.isEmpty(remoteAttributesListArray)):
print "Google+ PrepareAttributesMapping. There is no attributes specified in remoteAttributesList property"
return None
localAttributesListArray = StringHelper.split(localAttributesList, ",")
if (ArrayHelper.isEmpty(localAttributesListArray)):
print "Google+ PrepareAttributesMapping. There is no attributes specified in localAttributesList property"
return None
if (len(remoteAttributesListArray) != len(localAttributesListArray)):
print "Google+ PrepareAttributesMapping. The number of attributes in remoteAttributesList and localAttributesList isn't equal"
return None
attributeMapping = IdentityHashMap()
containsUid = False
i = 0
count = len(remoteAttributesListArray)
while (i < count):
remoteAttribute = StringHelper.toLowerCase(remoteAttributesListArray[i])
localAttribute = StringHelper.toLowerCase(localAttributesListArray[i])
attributeMapping.put(remoteAttribute, localAttribute)
if (StringHelper.equalsIgnoreCase(localAttribute, "uid")):
containsUid = True
i = i + 1
if (not containsUid):
print "Google+ PrepareAttributesMapping. There is no mapping to mandatory 'uid' attribute"
return None
return attributeMapping
def prepareAttributesMapping(self, saml_idp_attributes_list, saml_local_attributes_list):
saml_idp_attributes_list_array = StringHelper.split(saml_idp_attributes_list, ",")
if (ArrayHelper.isEmpty(saml_idp_attributes_list_array)):
print "Saml. PrepareAttributesMapping. There is no attributes specified in saml_idp_attributes_list property"
return None
saml_local_attributes_list_array = StringHelper.split(saml_local_attributes_list, ",")
if (ArrayHelper.isEmpty(saml_local_attributes_list_array)):
print "Saml. PrepareAttributesMapping. There is no attributes specified in saml_local_attributes_list property"
return None
if (len(saml_idp_attributes_list_array) != len(saml_local_attributes_list_array)):
print "Saml. PrepareAttributesMapping. The number of attributes in saml_idp_attributes_list and saml_local_attributes_list isn't equal"
return None
attributeMapping = IdentityHashMap()
containsUid = False
i = 0
count = len(saml_idp_attributes_list_array)
while (i < count):
idpAttribute = StringHelper.toLowerCase(saml_idp_attributes_list_array[i])
localAttribute = StringHelper.toLowerCase(saml_local_attributes_list_array[i])
attributeMapping.put(idpAttribute, localAttribute)
if (StringHelper.equalsIgnoreCase(localAttribute, "uid")):
containsUid = True
i = i + 1
if (not containsUid):
print "Saml. PrepareAttributesMapping. There is no mapping to mandatory 'uid' attribute"
return None
return attributeMapping
def authorize(self, authorizationContext):
print "authorizing..."
if StringHelper.equalsIgnoreCase(authorizationContext.getUserClaim("locality"), "Austin"):
print "authorized"
return True
return False
def isUserMemberOfGroup(self, user, attribute, group):
is_member = False
member_of_list = user.getAttributeValues(attribute)
if (member_of_list != None):
for member_of in member_of_list:
if (StringHelper.equalsIgnoreCase(group, member_of)):
is_member = True
break
return is_member
def generateId(self, appId, idType, idPrefix, configurationAttributes):
print "Id generator. Generate Id"
print "Id generator. Generate Id. AppId: '", appId, "', IdType: '", idType, "', IdPrefix: '", idPrefix, "'"
if StringHelper.equalsIgnoreCase(idType, "test"):
id = UUID.randomUUID().toString()
print "Id generator. New test id: " + id
return id
return "invalid"
def getSessionDeviceStatus(self, session_attributes, user_name):
print "Super-Gluu. Get session device status"
if not session_attributes.containsKey("super_gluu_request"):
print "Super-Gluu. Get session device status. There is no Super-Gluu request in session attributes"
return None
# Check session state extended
if not session_attributes.containsKey("session_custom_state"):
print "Super-Gluu. Get session device status. There is no session_custom_state in session attributes"
return None
session_custom_state = session_attributes.get("session_custom_state")
if not StringHelper.equalsIgnoreCase("approved", session_custom_state):
print "Super-Gluu. Get session device status. User '%s' not approve or not pass U2F authentication. session_custom_state: '%s'" % (user_name, session_custom_state)
return None
# Try to find device_id in session attribute
if not session_attributes.containsKey("oxpush2_u2f_device_id"):
print "Super-Gluu. Get session device status. There is no u2f_device associated with this request"
return None
# Try to find user_inum in session attribute
if not session_attributes.containsKey("oxpush2_u2f_device_user_inum"):
print "Super-Gluu. Get session device status. There is no user_inum associated with this request"
return None
enroll = False
if session_attributes.containsKey("oxpush2_u2f_device_enroll"):
enroll = StringHelper.equalsIgnoreCase("true", session_attributes.get("oxpush2_u2f_device_enroll"))
one_step = False
if session_attributes.containsKey("oxpush2_u2f_device_one_step"):
one_step = StringHelper.equalsIgnoreCase("true", session_attributes.get("oxpush2_u2f_device_one_step"))
super_gluu_request = session_attributes.get("super_gluu_request")
u2f_device_id = session_attributes.get("oxpush2_u2f_device_id")
user_inum = session_attributes.get("oxpush2_u2f_device_user_inum")
session_device_status = {"super_gluu_request": super_gluu_request, "device_id": u2f_device_id, "user_inum" : user_inum, "enroll" : enroll, "one_step" : one_step}
print "Super-Gluu. Get session device status. session_device_status: '%s'" % (session_device_status)
return session_device_status
def loadOtpConfiguration(self, configurationAttributes):
print "OTP. Load OTP configuration"
if not configurationAttributes.containsKey("otp_conf_file"):
return False
otp_conf_file = configurationAttributes.get("otp_conf_file").getValue2()
# Load configuration from file
f = open(otp_conf_file, 'r')
try:
otpConfiguration = json.loads(f.read())
except:
print "OTP. Load OTP configuration. Failed to load configuration from file:", otp_conf_file
return False
finally:
f.close()
# Check configuration file settings
try:
self.hotpConfiguration = otpConfiguration["htop"]
self.totpConfiguration = otpConfiguration["totp"]
hmacShaAlgorithm = self.totpConfiguration["hmacShaAlgorithm"]
hmacShaAlgorithmType = None
if StringHelper.equalsIgnoreCase(hmacShaAlgorithm, "sha1"):
hmacShaAlgorithmType = HmacShaAlgorithm.HMAC_SHA_1
elif StringHelper.equalsIgnoreCase(hmacShaAlgorithm, "sha256"):
hmacShaAlgorithmType = HmacShaAlgorithm.HMAC_SHA_256
elif StringHelper.equalsIgnoreCase(hmacShaAlgorithm, "sha512"):
hmacShaAlgorithmType = HmacShaAlgorithm.HMAC_SHA_512
else:
print "OTP. Load OTP configuration. Invalid TOTP HMAC SHA algorithm: '%s'" % hmacShaAlgorithm
self.totpConfiguration["hmacShaAlgorithmType"] = hmacShaAlgorithmType
except:
print "OTP. Load OTP configuration. Invalid configuration file '%s' format. Exception: '%s'" % (otp_conf_file, sys.exc_info()[1])
return False
return True
def authorize(self, authorizationContext, configurationAttributes):
print "UMA Authorization policy. Attempting to authorize client"
client_id = authorizationContext.getGrant().getClientId()
print "UMA Authorization policy. Client: ", client_id
if (StringHelper.equalsIgnoreCase("@!1111!0008!FDC0.0FF5", client_id)):
print "UMA Authorization policy. Authorizing client"
return True
else:
print "UMA Authorization policy. Client isn't authorized"
return False
print "UMA Authorization policy. Authorizing client"
return True
def init(self, configurationAttributes):
print "Super-Gluu. Initialization"
if not configurationAttributes.containsKey("authentication_mode"):
print "Super-Gluu. Initialization. Property authentication_mode is mandatory"
return False
self.registrationUri = None
if configurationAttributes.containsKey("registration_uri"):
self.registrationUri = configurationAttributes.get("registration_uri").getValue2()
authentication_mode = configurationAttributes.get("authentication_mode").getValue2()
if StringHelper.isEmpty(authentication_mode):
print "Super-Gluu. Initialization. Failed to determine authentication_mode. authentication_mode configuration parameter is empty"
return False
self.oneStep = StringHelper.equalsIgnoreCase(authentication_mode, "one_step")
self.twoStep = StringHelper.equalsIgnoreCase(authentication_mode, "two_step")
if not (self.oneStep or self.twoStep):
print "Super-Gluu. Initialization. Valid authentication_mode values are one_step and two_step"
return False
self.enabledPushNotifications = self.initPushNotificationService(configurationAttributes)
self.customLabel = None
if configurationAttributes.containsKey("label"):
self.customLabel = configurationAttributes.get("label").getValue2()
self.customQrOptions = {}
if configurationAttributes.containsKey("qr_options"):
self.customQrOptions = configurationAttributes.get("qr_options").getValue2()
print "Super-Gluu. Initialized successfully. oneStep: '%s', twoStep: '%s', pushNotifications: '%s', customLabel: '%s'" % (self.oneStep, self.twoStep, self.enabledPushNotifications, self.customLabel)
return True
def update(self, dynamicScopeContext, configurationAttributes):
print "Dynamic scope. Update method"
dynamicScopes = dynamicScopeContext.getDynamicScopes()
user = dynamicScopeContext.getUser()
jsonToken = dynamicScopeContext.getJsonToken()
claims = jsonToken.getClaims()
# Iterate through list of dynamic scopes in order to add custom scopes if needed
print "Dynamic scope. Dynamic scopes:", dynamicScopes
for dynamicScope in dynamicScopes:
# Add organization name if there is scope = org_name
if (StringHelper.equalsIgnoreCase(dynamicScope, "org_name")):
claims.setClaim("org_name", "Gluu, Inc.")
continue
# Add work phone if there is scope = work_phone
if (StringHelper.equalsIgnoreCase(dynamicScope, "work_phone")):
workPhone = user.getAttribute("telephoneNumber");
if (StringHelper.isNotEmpty(workPhone)):
claims.setClaim("work_phone", workPhone)
continue
return True
def determineGeolocationData(self, remote_ip):
print "Super-Gluu. Determine remote location. remote_ip: '%s'" % remote_ip
httpService = HttpService.instance()
http_client = httpService.getHttpsClient()
http_client_params = http_client.getParams()
http_client_params.setIntParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, 15 * 1000)
geolocation_service_url = "http://ip-api.com/json/%s?fields=49177" % remote_ip
geolocation_service_headers = { "Accept" : "application/json" }
try:
http_service_response = httpService.executeGet(http_client, geolocation_service_url, geolocation_service_headers)
http_response = http_service_response.getHttpResponse()
except:
print "Super-Gluu. Determine remote location. Exception: ", sys.exc_info()[1]
return None
try:
if not httpService.isResponseStastusCodeOk(http_response):
print "Super-Gluu. Determine remote location. Get invalid response from validation server: ", str(http_response.getStatusLine().getStatusCode())
httpService.consume(http_response)
return None
response_bytes = httpService.getResponseContent(http_response)
response_string = httpService.convertEntityToString(response_bytes)
httpService.consume(http_response)
finally:
http_service_response.closeConnection()
if response_string == None:
print "Super-Gluu. Determine remote location. Get empty response from location server"
return None
response = json.loads(response_string)
if not StringHelper.equalsIgnoreCase(response['status'], "success"):
print "Super-Gluu. Determine remote location. Get response with status: '%s'" % response['status']
return None
return response
def authenticate(self, configurationAttributes, requestParameters, step):
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
context = Contexts.getEventContext()
session_attributes = context.get("sessionAttributes")
self.setEventContextParameters(context)
if (step == 1):
print "UAF. Authenticate for step 1"
authenticated_user = self.processBasicAuthentication(credentials)
if authenticated_user == None:
return False
uaf_auth_method = "authenticate"
# Uncomment this block if you need to allow user second device registration
#enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton")
#if StringHelper.isNotEmpty(enrollment_mode):
# uaf_auth_method = "enroll"
if uaf_auth_method == "authenticate":
user_enrollments = self.findEnrollments(credentials)
if len(user_enrollments) == 0:
uaf_auth_method = "enroll"
print "UAF. Authenticate for step 1. There is no UAF enrollment for user '%s'. Changing uaf_auth_method to '%s'" % (user_name, uaf_auth_method)
print "UAF. Authenticate for step 1. uaf_auth_method: '%s'" % uaf_auth_method
context.set("uaf_auth_method", uaf_auth_method)
return True
elif (step == 2):
print "UAF. Authenticate for step 2"
session_state = SessionStateService.instance().getSessionStateFromCookie()
if StringHelper.isEmpty(session_state):
print "UAF. Prepare for step 2. Failed to determine session_state"
return False
if user_name == None:
print "UAF. Authenticate for step 2. Failed to determine user name"
return False
uaf_auth_result = ServerUtil.getFirstValue(requestParameters, "auth_result")
if uaf_auth_result != "success":
print "UAF. Authenticate for step 2. auth_result is '%s'" % uaf_auth_result
return False
# Restore state from session
uaf_auth_method = session_attributes.get("uaf_auth_method")
if not uaf_auth_method in ['enroll', 'authenticate']:
print "UAF. Authenticate for step 2. Failed to authenticate user. uaf_auth_method: '%s'" % uaf_auth_method
return False
# Request STATUS_OBB
if True:
#TODO: Remove this condition
# It's workaround becuase it's not possible to call STATUS_OBB 2 times. First time on browser and second ime on server
uaf_user_device_handle = ServerUtil.getFirstValue(requestParameters, "auth_handle")
else:
uaf_obb_auth_method = session_attributes.get("uaf_obb_auth_method")
uaf_obb_server_uri = session_attributes.get("uaf_obb_server_uri")
uaf_obb_start_response = session_attributes.get("uaf_obb_start_response")
# Prepare STATUS_OBB
uaf_obb_start_response_json = json.loads(uaf_obb_start_response)
uaf_obb_status_request_dictionary = { "operation": "STATUS_%s" % uaf_obb_auth_method,
"userName": user_name,
"needDetails": 1,
"oobStatusHandle": uaf_obb_start_response_json["oobStatusHandle"],
}
uaf_obb_status_request = json.dumps(uaf_obb_status_request_dictionary, separators=(',',':'))
print "UAF. Authenticate for step 2. Prepared STATUS request: '%s' to send to '%s'" % (uaf_obb_status_request, uaf_obb_server_uri)
uaf_status_obb_response = self.executePost(uaf_obb_server_uri, uaf_obb_status_request)
if uaf_status_obb_response == None:
return False
print "UAF. Authenticate for step 2. Get STATUS response: '%s'" % uaf_status_obb_response
uaf_status_obb_response_json = json.loads(uaf_status_obb_response)
if uaf_status_obb_response_json["statusCode"] != 4000:
print "UAF. Authenticate for step 2. UAF operation status is invalid. statusCode: '%s'" % uaf_status_obb_response_json["statusCode"]
return False
uaf_user_device_handle = uaf_status_obb_response_json["additionalInfo"]["authenticatorsResult"]["handle"]
if StringHelper.isEmpty(uaf_user_device_handle):
print "UAF. Prepare for step 2. Failed to get UAF handle"
return False
uaf_user_external_uid = "uaf:%s" % uaf_user_device_handle
print "UAF. Authenticate for step 2. UAF handle: '%s'" % uaf_user_external_uid
if uaf_auth_method == "authenticate":
# Validate if user used device with same keYHandle
user_enrollments = self.findEnrollments(credentials)
if len(user_enrollments) == 0:
uaf_auth_method = "enroll"
print "UAF. Authenticate for step 2. There is no UAF enrollment for user '%s'." % user_name
return False
for user_enrollment in user_enrollments:
if StringHelper.equalsIgnoreCase(user_enrollment, uaf_user_device_handle):
print "UAF. Authenticate for step 2. There is UAF enrollment for user '%s'. User authenticated successfully" % user_name
return True
else:
userService = UserService.instance()
# Double check just to make sure. We did checking in previous step
# Check if there is user which has uaf_user_external_uid
# Avoid mapping user cert to more than one IDP account
find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", uaf_user_external_uid)
if find_user_by_external_uid == None:
# Add uaf_user_external_uid to user's external GUID list
find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", uaf_user_external_uid)
if find_user_by_external_uid == None:
print "UAF. Authenticate for step 2. Failed to update current user"
return False
return True
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
saml_map_user = False
saml_enroll_user = False
saml_enroll_all_user_attr = False
# Use saml_deployment_type only if there is no attributes mapping
if configurationAttributes.containsKey("saml_deployment_type"):
saml_deployment_type = StringHelper.toLowerCase(
configurationAttributes.get(
"saml_deployment_type").getValue2())
if StringHelper.equalsIgnoreCase(saml_deployment_type, "map"):
saml_map_user = True
if StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll"):
saml_enroll_user = True
if StringHelper.equalsIgnoreCase(saml_deployment_type,
"enroll_all_attr"):
saml_enroll_all_user_attr = True
saml_allow_basic_login = False
if configurationAttributes.containsKey("saml_allow_basic_login"):
saml_allow_basic_login = StringHelper.toBoolean(
configurationAttributes.get(
"saml_allow_basic_login").getValue2(), False)
use_basic_auth = False
if saml_allow_basic_login:
# Detect if user used basic authnetication method
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(
user_password):
use_basic_auth = True
if (step == 1) and saml_allow_basic_login and use_basic_auth:
print "Asimba. Authenticate for step 1. Basic authentication"
identity.setWorkingParameter("saml_count_login_steps", 1)
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if StringHelper.isNotEmptyString(
user_name) and StringHelper.isNotEmptyString(
user_password):
logged_in = authenticationService.authenticate(
user_name, user_password)
if (not logged_in):
return False
return True
if (step == 1):
print "Asimba. Authenticate for step 1"
currentSamlConfiguration = self.getCurrentSamlConfiguration(
self.samlConfiguration, configurationAttributes,
requestParameters)
if (currentSamlConfiguration == None):
print "Asimba. Prepare for step 1. Client saml configuration is invalid"
return False
saml_response_array = requestParameters.get("SAMLResponse")
if ArrayHelper.isEmpty(saml_response_array):
print "Asimba. Authenticate for step 1. saml_response is empty"
return False
saml_response = saml_response_array[0]
print "Asimba. Authenticate for step 1. saml_response: '%s'" % saml_response
samlResponse = Response(currentSamlConfiguration)
samlResponse.loadXmlFromBase64(saml_response)
saml_validate_response = True
if configurationAttributes.containsKey("saml_validate_response"):
saml_validate_response = StringHelper.toBoolean(
configurationAttributes.get(
"saml_validate_response").getValue2(), False)
if saml_validate_response:
if not samlResponse.isValid():
print "Asimba. Authenticate for step 1. saml_response isn't valid"
saml_response_attributes = samlResponse.getAttributes()
print "Asimba. Authenticate for step 1. attributes: '%s'" % saml_response_attributes
if saml_map_user:
saml_user_uid = self.getSamlNameId(samlResponse)
if saml_user_uid == None:
return False
# Use mapping to local IDP user
print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
print "Asimba. Authenticate for step 1. Failed to find user"
print "Asimba. Authenticate for step 1. Setting count steps to 2"
identity.setWorkingParameter("saml_count_login_steps", 2)
identity.setWorkingParameter("saml_user_uid",
saml_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if user_authenticated == False:
print "Asimba. Authenticate for step 1. Failed to authenticate user"
return False
print "Asimba. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif saml_enroll_user:
# Convert SAML response to user entry
newUser = self.getMappedUser(configurationAttributes,
requestParameters,
saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid",
"saml:%s" % saml_user_uid)
# Use auto enrollment to local IDP
print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
# Auto user enrollment
print "Asimba. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Asimba. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Asimba. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId(
)
facesMessages = CdiUtil.bean(FacesMessages)
facesMessages.add(
FacesMessage.SEVERITY_ERROR,
"Failed to enroll. User with same key attributes exist already"
)
facesMessages.setKeepMessages()
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Asimba. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId(
)
else:
if self.updateUser:
print "Asimba. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(
newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Asimba. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if user_authenticated == False:
print "Asimba. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name
return False
print "Asimba. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif saml_enroll_all_user_attr:
# Convert SAML response to user entry
newUser = self.getMappedAllAttributesUser(
saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid",
"saml:%s" % saml_user_uid)
print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:%s" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
# Auto user enrollment
print "Asimba. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Asimba. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Asimba. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId(
)
facesMessages = CdiUtil.bean(FacesMessages)
facesMessages.add(
FacesMessage.SEVERITY_ERROR,
"Failed to enroll. User with same key attributes exist already"
)
facesMessages.setKeepMessages()
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Asimba. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId(
)
else:
if self.updateUser:
print "Asimba. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(
newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Asimba. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if user_authenticated == False:
print "Asimba. Authenticate for step 1. Failed to authenticate user"
return False
print "Asimba. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
else:
if saml_user_uid == None:
return False
# Check if the is user with specified saml_user_uid
print "Asimba. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid
find_user_by_uid = userService.getUser(saml_user_uid)
if find_user_by_uid == None:
print "Asimba. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if user_authenticated == False:
print "Asimba. Authenticate for step 1. Failed to authenticate user"
return False
print "Asimba. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (step == 2):
print "Asimba. Authenticate for step 2"
sessionAttributes = identity.getSessionState(
).getSessionAttributes()
if (sessionAttributes == None
) or not sessionAttributes.containsKey("saml_user_uid"):
print "Asimba. Authenticate for step 2. saml_user_uid is empty"
return False
saml_user_uid = sessionAttributes.get("saml_user_uid")
passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
if not passed_step1:
return False
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if StringHelper.isNotEmptyString(
user_name) and StringHelper.isNotEmptyString(
user_password):
logged_in = authenticationService.authenticate(
user_name, user_password)
if not logged_in:
return False
# Check if there is user which has saml_user_uid
# Avoid mapping Saml account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
# Add saml_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(
user_name, "oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
print "Asimba. Authenticate for step 2. Failed to update current user"
return False
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
else:
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 2. found_user_name: '%s'" % found_user_name
if StringHelper.equals(user_name, found_user_name):
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
saml_map_user = False
saml_enroll_user = False
saml_enroll_all_user_attr = False
# Use saml_deployment_type only if there is no attributes mapping
if (configurationAttributes.containsKey("saml_deployment_type")):
saml_deployment_type = StringHelper.toLowerCase(
configurationAttributes.get(
"saml_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")):
saml_map_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")):
saml_enroll_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type,
"enroll_all_attr")):
saml_enroll_all_user_attr = True
saml_allow_basic_login = False
if (configurationAttributes.containsKey("saml_allow_basic_login")):
saml_allow_basic_login = StringHelper.toBoolean(
configurationAttributes.get(
"saml_allow_basic_login").getValue2(), False)
use_basic_auth = False
if (saml_allow_basic_login):
# Detect if user used basic authnetication method
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if (StringHelper.isNotEmpty(user_name)
and StringHelper.isNotEmpty(user_password)):
use_basic_auth = True
if ((step == 1) and saml_allow_basic_login and use_basic_auth):
print "Saml. Authenticate for step 1. Basic authentication"
context.set("saml_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name)
and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
if (step == 1):
print "Saml. Authenticate for step 1"
currentSamlConfiguration = self.getCurrentSamlConfiguration(
self.samlConfiguration, configurationAttributes,
requestParameters)
if (currentSamlConfiguration == None):
print "Saml. Prepare for step 1. Client saml configuration is invalid"
return False
saml_response_array = requestParameters.get("SAMLResponse")
if ArrayHelper.isEmpty(saml_response_array):
print "Saml. Authenticate for step 1. saml_response is empty"
return False
saml_response = saml_response_array[0]
print "Saml. Authenticate for step 1. saml_response: '%s'" % saml_response
samlResponse = Response(currentSamlConfiguration)
samlResponse.loadXmlFromBase64(saml_response)
saml_validate_response = True
if (configurationAttributes.containsKey("saml_validate_response")):
saml_validate_response = StringHelper.toBoolean(
configurationAttributes.get(
"saml_validate_response").getValue2(), False)
if (saml_validate_response):
if (not samlResponse.isValid()):
print "Saml. Authenticate for step 1. saml_response isn't valid"
saml_response_name_id = samlResponse.getNameId()
if (StringHelper.isEmpty(saml_response_name_id)):
print "Saml. Authenticate for step 1. saml_response_name_id is invalid"
return False
print "Saml. Authenticate for step 1. saml_response_name_id: '%s'" % saml_response_name_id
saml_response_attributes = samlResponse.getAttributes()
print "Saml. Authenticate for step 1. attributes: '%s'" % saml_response_attributes
# Use persistent Id as saml_user_uid
saml_user_uid = saml_response_name_id
if (saml_map_user):
# Use mapping to local IDP user
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
print "Saml. Authenticate for step 1. Setting count steps to 2"
context.set("saml_count_login_steps", 2)
context.set("saml_user_uid", saml_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (saml_enroll_user):
# Use auto enrollment to local IDP
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
# Auto user enrollemnt
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
# Convert saml result attributes keys to lover case
saml_response_normalized_attributes = HashMap()
for saml_response_attribute_entry in saml_response_attributes.entrySet(
):
saml_response_normalized_attributes.put(
StringHelper.toLowerCase(
saml_response_attribute_entry.getKey()),
saml_response_attribute_entry.getValue())
currentAttributesMapping = self.prepareCurrentAttributesMapping(
self.attributesMapping, configurationAttributes,
requestParameters)
print "Saml. Authenticate for step 1. Using next attributes mapping '%s'" % currentAttributesMapping
newUser = User()
# Set custom object classes
if self.userObjectClasses != None:
print "Saml. Authenticate for step 1. User custom objectClasses to add persons: '%s'" % Util.array2ArrayList(
self.userObjectClasses)
newUser.setCustomObjectClasses(self.userObjectClasses)
for attributesMappingEntry in currentAttributesMapping.entrySet(
):
idpAttribute = attributesMappingEntry.getKey()
localAttribute = attributesMappingEntry.getValue()
if self.debugEnrollment:
print "Saml. Authenticate for step 1. Trying to map '%s' into '%s'" % (
idpAttribute, localAttribute)
localAttributeValue = saml_response_normalized_attributes.get(
idpAttribute)
if (localAttributeValue != None):
if self.debugEnrollment:
print "Saml. Authenticate for step 1. Setting attribute '%s' value '%s'" % (
localAttribute, localAttributeValue)
newUser.setAttribute(localAttribute,
localAttributeValue)
newUser.setAttribute("oxExternalUid",
"saml:" + saml_user_uid)
print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getAttribute(
"uid")
facesMessages = FacesMessages.instance()
facesMessages.add(
StatusMessage.Severity.ERROR,
"Failed to enroll. User with same key attributes exist already"
)
FacesContext.getCurrentInstance().getExternalContext(
).getFlash().setKeepMessages(True)
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId(
)
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (saml_enroll_all_user_attr):
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:" + saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
user = User()
# Set custom object classes
if self.userObjectClasses != None:
print "Saml. Authenticate for step 1. User custom objectClasses to add persons: '%s'" % Util.array2ArrayList(
self.userObjectClasses)
user.setCustomObjectClasses(self.userObjectClasses)
customAttributes = ArrayList()
for key in saml_response_attributes.keySet():
ldapAttributes = attributeService.getAllAttributes()
for ldapAttribute in ldapAttributes:
saml2Uri = ldapAttribute.getSaml2Uri()
if (saml2Uri == None):
saml2Uri = attributeService.getDefaultSaml2Uri(
ldapAttribute.getName())
if (saml2Uri == key):
attribute = CustomAttribute(
ldapAttribute.getName())
attribute.setValues(attributes.get(key))
customAttributes.add(attribute)
attribute = CustomAttribute("oxExternalUid")
attribute.setValue("saml:" + saml_user_uid)
customAttributes.add(attribute)
user.setCustomAttributes(customAttributes)
if (user.getAttribute("sn") == None):
attribute = CustomAttribute("sn")
attribute.setValue(saml_user_uid)
customAttributes.add(attribute)
if (user.getAttribute("cn") == None):
attribute = CustomAttribute("cn")
attribute.setValue(saml_user_uid)
customAttributes.add(attribute)
user_unique = self.checkUserUniqueness(user)
if not user_unique:
print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getAttribute(
"uid")
facesMessages = FacesMessages.instance()
facesMessages.add(
StatusMessage.Severity.ERROR,
"Failed to enroll. User with same key attributes exist already"
)
FacesContext.getCurrentInstance().getExternalContext(
).getFlash().setKeepMessages(True)
return False
find_user_by_uid = userService.addUser(user, True)
print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId(
)
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
else:
# Check if the is user with specified saml_user_uid
print "Saml. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid
find_user_by_uid = userService.getUser(saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (step == 2):
print "Saml. Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None
) or not sessionAttributes.containsKey("saml_user_uid"):
print "Saml. Authenticate for step 2. saml_user_uid is empty"
return False
saml_user_uid = sessionAttributes.get("saml_user_uid")
passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name)
and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has saml_user_uid
# Avoid mapping Saml account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
# Add saml_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(
user_name, "oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 2. Failed to update current user"
return False
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
else:
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 2. found_user_name: '%s'" % found_user_name
if StringHelper.equals(user_name, found_user_name):
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
encryptionService = EncryptionService.instance()
mapUserDeployment = False
enrollUserDeployment = False
if (configurationAttributes.containsKey("gplus_deployment_type")):
deploymentType = StringHelper.toLowerCase(configurationAttributes.get("gplus_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(deploymentType, "map")):
mapUserDeployment = True
if (StringHelper.equalsIgnoreCase(deploymentType, "enroll")):
enrollUserDeployment = True
if (step == 1):
print "Google+ authenticate for step 1"
gplusAuthCodeArray = requestParameters.get("gplus_auth_code")
gplusAuthCode = gplusAuthCodeArray[0]
# Check if user uses basic method to log in
useBasicAuth = False
if (StringHelper.isEmptyString(gplusAuthCode)):
useBasicAuth = True
# Use basic method to log in
if (useBasicAuth):
print "Google+ authenticate for step 1. Basic authentication"
context.set("gplus_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
userName = credentials.getUsername()
userPassword = credentials.getPassword()
loggedIn = False
if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)):
userService = UserService.instance()
loggedIn = userService.authenticate(userName, userPassword)
if (not loggedIn):
return False
return True
# Use Google+ method to log in
print "Google+ authenticate for step 1. gplusAuthCode:", gplusAuthCode
currentClientSecrets = self.getCurrentClientSecrets(self.clientSecrets, configurationAttributes, requestParameters)
if (currentClientSecrets == None):
print "Google+ authenticate for step 1. Client secrets configuration is invalid"
return False
print "Google+ authenticate for step 1. Attempting to gets tokens"
tokenResponse = self.getTokensByCode(self.clientSecrets, configurationAttributes, gplusAuthCode);
if ((tokenResponse == None) or (tokenResponse.getIdToken() == None) or (tokenResponse.getAccessToken() == None)):
print "Google+ authenticate for step 1. Failed to get tokens"
return False
else:
print "Google+ authenticate for step 1. Successfully gets tokens"
jwt = Jwt.parse(tokenResponse.getIdToken())
# TODO: Validate ID Token Signature
gplusUserUid = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER);
print "Google+ authenticate for step 1. Found Google user ID in the ID token: ", gplusUserUid
if (mapUserDeployment):
# Use mapping to local IDP user
print "Google+ authenticate for step 1. Attempting to find user by oxExternalUid: gplus:", gplusUserUid
# Check if there is user with specified gplusUserUid
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
print "Google+ authenticate for step 1. Failed to find user"
print "Google+ authenticate for step 1. Setting count steps to 2"
context.set("gplus_count_login_steps", 2)
context.set("gplus_user_uid", encryptionService.encrypt(gplusUserUid))
return True
foundUserName = foundUser.getUserId()
print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user"
return False
print "Google+ authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
elif (enrollUserDeployment):
# Use auto enrollment to local IDP
print "Google+ authenticate for step 1. Attempting to find user by oxExternalUid: gplus:", gplusUserUid
# Check if there is user with specified gplusUserUid
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
# Auto user enrollemnt
print "Google+ authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Google+ authenticate for step 1. Attempting to gets user info"
userInfoResponse = self.getUserInfo(currentClientSecrets, configurationAttributes, tokenResponse.getAccessToken())
if ((userInfoResponse == None) or (userInfoResponse.getClaims().size() == 0)):
print "Google+ authenticate for step 1. Failed to get user info"
return False
else:
print "Google+ authenticate for step 1. Successfully gets user info"
gplusResponseAttributes = userInfoResponse.getClaims()
# Convert Google+ user claims to lover case
gplusResponseNormalizedAttributes = HashMap()
for gplusResponseAttributeEntry in gplusResponseAttributes.entrySet():
gplusResponseNormalizedAttributes.put(
StringHelper.toLowerCase(gplusResponseAttributeEntry.getKey()), gplusResponseAttributeEntry.getValue())
currentAttributesMapping = self.getCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
print "Google+ authenticate for step 1. Using next attributes mapping", currentAttributesMapping
newUser = User()
for attributesMappingEntry in currentAttributesMapping.entrySet():
idpAttribute = attributesMappingEntry.getKey()
localAttribute = attributesMappingEntry.getValue()
localAttributeValue = gplusResponseNormalizedAttributes.get(idpAttribute)
if (localAttribute != None):
newUser.setAttribute(localAttribute, localAttributeValue)
if (newUser.getAttribute("sn") == None):
newUser.setAttribute("sn", gplusUserUid)
if (newUser.getAttribute("cn") == None):
newUser.setAttribute("cn", gplusUserUid)
newUser.setAttribute("oxExternalUid", "gplus:" + gplusUserUid)
print "Google+ authenticate for step 1. Attempting to add user", gplusUserUid, " with next attributes", newUser.getCustomAttributes()
foundUser = userService.addUser(newUser)
print "Google+ authenticate for step 1. Added new user with UID", foundUser.getUserId()
foundUserName = foundUser.getUserId()
print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user"
return False
print "Google+ authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
else:
# Check if the is user with specified gplusUserUid
print "Google+ authenticate for step 1. Attempting to find user by uid:", gplusUserUid
foundUser = userService.getUser(gplusUserUid)
if (foundUser == None):
print "Google+ authenticate for step 1. Failed to find user"
return False
foundUserName = foundUser.getUserId()
print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user"
return False
print "Google+ authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
elif (step == 2):
print "Google+ authenticate for step 2"
gplusUserUidArray = requestParameters.get("gplus_user_uid")
if ArrayHelper.isEmpty(gplusUserUidArray):
print "Google+ authenticate for step 2. gplus_user_uid is empty"
return False
gplusUserUid = encryptionService.decrypt(gplusUserUidArray[0])
passedStep1 = StringHelper.isNotEmptyString(gplusUserUid)
if (not passedStep1):
return False
credentials = Identity.instance().getCredentials()
userName = credentials.getUsername()
userPassword = credentials.getPassword()
loggedIn = False
if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)):
loggedIn = userService.authenticate(userName, userPassword)
if (not loggedIn):
return False
# Check if there is user which has gplusUserUid
# Avoid mapping Google account to more than one IDP account
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
# Add gplusUserUid to user one id UIDs
foundUser = userService.addUserAttribute(userName, "oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
print "Google+ authenticate for step 2. Failed to update current user"
return False
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ authenticate for step 2. postLoginResult:", postLoginResult
return postLoginResult
else:
foundUserName = foundUser.getUserId()
print "Google+ authenticate for step 2. foundUserName:"******"Google+ authenticate for step 2. postLoginResult:", postLoginResult
return postLoginResult
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
saml_map_user = False
saml_enroll_user = False
saml_enroll_all_user_attr = False
# Use saml_deployment_type only if there is no attributes mapping
if (configurationAttributes.containsKey("saml_deployment_type")):
saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")):
saml_map_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")):
saml_enroll_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")):
saml_enroll_all_user_attr = True
saml_allow_basic_login = False
if (configurationAttributes.containsKey("saml_allow_basic_login")):
saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False)
use_basic_auth = False
if (saml_allow_basic_login):
# Detect if user used basic authnetication method
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if (StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password)):
use_basic_auth = True
if ((step == 1) and saml_allow_basic_login and use_basic_auth):
print "Saml. Authenticate for step 1. Basic authentication"
context.set("saml_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
if (step == 1):
print "Saml. Authenticate for step 1"
currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
if (currentSamlConfiguration == None):
print "Saml. Prepare for step 1. Client saml configuration is invalid"
return False
saml_response_array = requestParameters.get("SAMLResponse")
if ArrayHelper.isEmpty(saml_response_array):
print "Saml. Authenticate for step 1. saml_response is empty"
return False
saml_response = saml_response_array[0]
print "Saml. Authenticate for step 1. saml_response: '%s'" % saml_response
samlResponse = Response(currentSamlConfiguration)
samlResponse.loadXmlFromBase64(saml_response)
saml_validate_response = True
if (configurationAttributes.containsKey("saml_validate_response")):
saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False)
if (saml_validate_response):
if (not samlResponse.isValid()):
print "Saml. Authenticate for step 1. saml_response isn't valid"
saml_response_attributes = samlResponse.getAttributes()
print "Saml. Authenticate for step 1. attributes: '%s'" % saml_response_attributes
if (saml_map_user):
saml_user_uid = self.getSamlNameId(samlResponse)
if saml_user_uid == None:
return False
# Use mapping to local IDP user
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
print "Saml. Authenticate for step 1. Setting count steps to 2"
context.set("saml_count_login_steps", 2)
context.set("saml_user_uid", saml_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (saml_enroll_user):
# Convert SAML response to user entry
newUser = self.getMappedUser(configurationAttributes, requestParameters, saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
# Use auto enrollment to local IDP
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
# Auto user enrollment
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId()
facesMessages = FacesMessages.instance()
facesMessages.add(StatusMessage.Severity.ERROR, "Failed to enroll. User with same key attributes exist already")
FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True)
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId()
else:
if self.updateUser:
print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (saml_enroll_all_user_attr):
# Convert SAML response to user entry
newUser = self.getMappedAllAttributesUser(saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:%s" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
# Auto user enrollment
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId()
facesMessages = FacesMessages.instance()
facesMessages.add(StatusMessage.Severity.ERROR, "Failed to enroll. User with same key attributes exist already")
FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True)
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId()
else:
if self.updateUser:
print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
else:
if saml_user_uid == None:
return False
# Check if the is user with specified saml_user_uid
print "Saml. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid
find_user_by_uid = userService.getUser(saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (step == 2):
print "Saml. Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None) or not sessionAttributes.containsKey("saml_user_uid"):
print "Saml. Authenticate for step 2. saml_user_uid is empty"
return False
saml_user_uid = sessionAttributes.get("saml_user_uid")
passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has saml_user_uid
# Avoid mapping Saml account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
# Add saml_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 2. Failed to update current user"
return False
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
else:
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 2. found_user_name: '%s'" % found_user_name
if StringHelper.equals(user_name, found_user_name):
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
return False
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
credentials = Identity.instance().getCredentials()
context = Contexts.getEventContext()
session_attributes = context.get("sessionAttributes")
self.setEventContextParameters(context)
if (step == 1):
return True
elif (step == 2):
print "UAF. Prepare for step 2"
session_state = SessionStateService.instance().getSessionStateFromCookie()
if StringHelper.isEmpty(session_state):
print "UAF. Prepare for step 2. Failed to determine session_state"
return False
authenticationService = AuthenticationService.instance()
user = authenticationService.getAuthenticatedUser()
if (user == None):
print "UAF. Prepare for step 2. Failed to determine user name"
return False
uaf_auth_method = session_attributes.get("uaf_auth_method")
if StringHelper.isEmpty(uaf_auth_method):
print "UAF. Prepare for step 2. Failed to determine auth_method"
return False
print "UAF. Prepare for step 2. uaf_auth_method: '%s'" % uaf_auth_method
uaf_obb_auth_method = "OOB_REG"
uaf_obb_server_uri = self.uaf_server_uri + "/nnl/v2/reg"
if StringHelper.equalsIgnoreCase(uaf_auth_method, "authenticate"):
uaf_obb_auth_method = "OOB_AUTH"
uaf_obb_server_uri = self.uaf_server_uri + "/nnl/v2/auth"
# Prepare START_OBB
uaf_obb_start_request_dictionary = { "operation": "START_%s" % uaf_obb_auth_method,
"userName": user.getUserId(),
"policyName": "default",
"oobMode":
{ "qr": "true", "rawData": "false", "push": "false" }
}
uaf_obb_start_request = json.dumps(uaf_obb_start_request_dictionary, separators=(',',':'))
print "UAF. Prepare for step 2. Prepared START request: '%s' to send to '%s'" % (uaf_obb_start_request, uaf_obb_server_uri)
# Request START_OBB
uaf_obb_start_response = self.executePost(uaf_obb_server_uri, uaf_obb_start_request)
if uaf_obb_start_response == None:
return False
print "UAF. Prepare for step 2. Get START response: '%s'" % uaf_obb_start_response
uaf_obb_start_response_json = json.loads(uaf_obb_start_response)
# Prepare STATUS_OBB
#TODO: Remove needDetails parameter
uaf_obb_status_request_dictionary = { "operation": "STATUS_%s" % uaf_obb_auth_method,
"userName": user.getUserId(),
"needDetails": 1,
"oobStatusHandle": uaf_obb_start_response_json["oobStatusHandle"],
}
uaf_obb_status_request = json.dumps(uaf_obb_status_request_dictionary, separators=(',',':'))
print "UAF. Prepare for step 2. Prepared STATUS request: '%s' to send to '%s'" % (uaf_obb_status_request, uaf_obb_server_uri)
context.set("uaf_obb_auth_method", uaf_obb_auth_method)
context.set("uaf_obb_server_uri", uaf_obb_server_uri)
context.set("uaf_obb_start_response", uaf_obb_start_response)
context.set("qr_image", uaf_obb_start_response_json["modeResult"]["qrCode"]["qrImage"])
context.set("uaf_obb_status_request", uaf_obb_status_request)
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
session_attributes = identity.getSessionState().getSessionAttributes()
self.setRequestScopedParameters(identity)
if (step == 1):
print "UAF. Authenticate for step 1"
user_name = credentials.getUsername()
authenticated_user = self.processBasicAuthentication(credentials)
if authenticated_user == None:
return False
uaf_auth_method = "authenticate"
# Uncomment this block if you need to allow user second device registration
#enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton")
#if StringHelper.isNotEmpty(enrollment_mode):
# uaf_auth_method = "enroll"
if uaf_auth_method == "authenticate":
user_enrollments = self.findEnrollments(credentials)
if len(user_enrollments) == 0:
uaf_auth_method = "enroll"
print "UAF. Authenticate for step 1. There is no UAF enrollment for user '%s'. Changing uaf_auth_method to '%s'" % (
user_name, uaf_auth_method)
print "UAF. Authenticate for step 1. uaf_auth_method: '%s'" % uaf_auth_method
identity.setWorkingParameter("uaf_auth_method", uaf_auth_method)
return True
elif (step == 2):
print "UAF. Authenticate for step 2"
session_state = CdiUtil.bean(
SessionStateService).getSessionStateFromCookie()
if StringHelper.isEmpty(session_state):
print "UAF. Prepare for step 2. Failed to determine session_state"
return False
user = authenticationService.getAuthenticatedUser()
if (user == None):
print "UAF. Authenticate for step 2. Failed to determine user name"
return False
user_name = user.getUserId()
uaf_auth_result = ServerUtil.getFirstValue(requestParameters,
"auth_result")
if uaf_auth_result != "success":
print "UAF. Authenticate for step 2. auth_result is '%s'" % uaf_auth_result
return False
# Restore state from session
uaf_auth_method = session_attributes.get("uaf_auth_method")
if not uaf_auth_method in ['enroll', 'authenticate']:
print "UAF. Authenticate for step 2. Failed to authenticate user. uaf_auth_method: '%s'" % uaf_auth_method
return False
# Request STATUS_OBB
if True:
#TODO: Remove this condition
# It's workaround becuase it's not possible to call STATUS_OBB 2 times. First time on browser and second ime on server
uaf_user_device_handle = ServerUtil.getFirstValue(
requestParameters, "auth_handle")
else:
uaf_obb_auth_method = session_attributes.get(
"uaf_obb_auth_method")
uaf_obb_server_uri = session_attributes.get(
"uaf_obb_server_uri")
uaf_obb_start_response = session_attributes.get(
"uaf_obb_start_response")
# Prepare STATUS_OBB
uaf_obb_start_response_json = json.loads(
uaf_obb_start_response)
uaf_obb_status_request_dictionary = {
"operation":
"STATUS_%s" % uaf_obb_auth_method,
"userName":
user_name,
"needDetails":
1,
"oobStatusHandle":
uaf_obb_start_response_json["oobStatusHandle"],
}
uaf_obb_status_request = json.dumps(
uaf_obb_status_request_dictionary, separators=(',', ':'))
print "UAF. Authenticate for step 2. Prepared STATUS request: '%s' to send to '%s'" % (
uaf_obb_status_request, uaf_obb_server_uri)
uaf_status_obb_response = self.executePost(
uaf_obb_server_uri, uaf_obb_status_request)
if uaf_status_obb_response == None:
return False
print "UAF. Authenticate for step 2. Get STATUS response: '%s'" % uaf_status_obb_response
uaf_status_obb_response_json = json.loads(
uaf_status_obb_response)
if uaf_status_obb_response_json["statusCode"] != 4000:
print "UAF. Authenticate for step 2. UAF operation status is invalid. statusCode: '%s'" % uaf_status_obb_response_json[
"statusCode"]
return False
uaf_user_device_handle = uaf_status_obb_response_json[
"additionalInfo"]["authenticatorsResult"]["handle"]
if StringHelper.isEmpty(uaf_user_device_handle):
print "UAF. Prepare for step 2. Failed to get UAF handle"
return False
uaf_user_external_uid = "uaf:%s" % uaf_user_device_handle
print "UAF. Authenticate for step 2. UAF handle: '%s'" % uaf_user_external_uid
if uaf_auth_method == "authenticate":
# Validate if user used device with same keYHandle
user_enrollments = self.findEnrollments(credentials)
if len(user_enrollments) == 0:
uaf_auth_method = "enroll"
print "UAF. Authenticate for step 2. There is no UAF enrollment for user '%s'." % user_name
return False
for user_enrollment in user_enrollments:
if StringHelper.equalsIgnoreCase(user_enrollment,
uaf_user_device_handle):
print "UAF. Authenticate for step 2. There is UAF enrollment for user '%s'. User authenticated successfully" % user_name
return True
else:
userService = CdiUtil.bean(UserService)
# Double check just to make sure. We did checking in previous step
# Check if there is user which has uaf_user_external_uid
# Avoid mapping user cert to more than one IDP account
find_user_by_external_uid = userService.getUserByAttribute(
"oxExternalUid", uaf_user_external_uid)
if find_user_by_external_uid == None:
# Add uaf_user_external_uid to user's external GUID list
find_user_by_external_uid = userService.addUserAttribute(
user_name, "oxExternalUid", uaf_user_external_uid)
if find_user_by_external_uid == None:
print "UAF. Authenticate for step 2. Failed to update current user"
return False
return True
return False
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
session_attributes = identity.getSessionState().getSessionAttributes()
self.setRequestScopedParameters(identity)
if (step == 1):
return True
elif (step == 2):
print "UAF. Prepare for step 2"
session_state = CdiUtil.bean(
SessionStateService).getSessionStateFromCookie()
if StringHelper.isEmpty(session_state):
print "UAF. Prepare for step 2. Failed to determine session_state"
return False
user = authenticationService.getAuthenticatedUser()
if (user == None):
print "UAF. Prepare for step 2. Failed to determine user name"
return False
uaf_auth_method = session_attributes.get("uaf_auth_method")
if StringHelper.isEmpty(uaf_auth_method):
print "UAF. Prepare for step 2. Failed to determine auth_method"
return False
print "UAF. Prepare for step 2. uaf_auth_method: '%s'" % uaf_auth_method
uaf_obb_auth_method = "OOB_REG"
uaf_obb_server_uri = self.uaf_server_uri + "/nnl/v2/reg"
if StringHelper.equalsIgnoreCase(uaf_auth_method, "authenticate"):
uaf_obb_auth_method = "OOB_AUTH"
uaf_obb_server_uri = self.uaf_server_uri + "/nnl/v2/auth"
# Prepare START_OBB
uaf_obb_start_request_dictionary = {
"operation": "START_%s" % uaf_obb_auth_method,
"userName": user.getUserId(),
"policyName": "default",
"oobMode": {
"qr": "true",
"rawData": "false",
"push": "false"
}
}
uaf_obb_start_request = json.dumps(
uaf_obb_start_request_dictionary, separators=(',', ':'))
print "UAF. Prepare for step 2. Prepared START request: '%s' to send to '%s'" % (
uaf_obb_start_request, uaf_obb_server_uri)
# Request START_OBB
uaf_obb_start_response = self.executePost(uaf_obb_server_uri,
uaf_obb_start_request)
if uaf_obb_start_response == None:
return False
print "UAF. Prepare for step 2. Get START response: '%s'" % uaf_obb_start_response
uaf_obb_start_response_json = json.loads(uaf_obb_start_response)
# Prepare STATUS_OBB
#TODO: Remove needDetails parameter
uaf_obb_status_request_dictionary = {
"operation": "STATUS_%s" % uaf_obb_auth_method,
"userName": user.getUserId(),
"needDetails": 1,
"oobStatusHandle":
uaf_obb_start_response_json["oobStatusHandle"],
}
uaf_obb_status_request = json.dumps(
uaf_obb_status_request_dictionary, separators=(',', ':'))
print "UAF. Prepare for step 2. Prepared STATUS request: '%s' to send to '%s'" % (
uaf_obb_status_request, uaf_obb_server_uri)
identity.setWorkingParameter("uaf_obb_auth_method",
uaf_obb_auth_method)
identity.setWorkingParameter("uaf_obb_server_uri",
uaf_obb_server_uri)
identity.setWorkingParameter("uaf_obb_start_response",
uaf_obb_start_response)
identity.setWorkingParameter(
"qr_image",
uaf_obb_start_response_json["modeResult"]["qrCode"]["qrImage"])
identity.setWorkingParameter("uaf_obb_status_request",
uaf_obb_status_request)
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
saml_map_user = False
saml_enroll_user = False
saml_enroll_all_user_attr = False
# Use saml_deployment_type only if there is no attributes mapping
if (configurationAttributes.containsKey("saml_deployment_type")):
saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")):
saml_map_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")):
saml_enroll_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")):
saml_enroll_all_user_attr = True
saml_allow_basic_login = False
if (configurationAttributes.containsKey("saml_allow_basic_login")):
saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False)
use_basic_auth = False
if (saml_allow_basic_login):
# Detect if user used basic authnetication method
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if (StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password)):
use_basic_auth = True
if ((step == 1) and saml_allow_basic_login and use_basic_auth):
print "Saml. Authenticate for step 1. Basic authentication"
context.set("saml_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
if (step == 1):
print "Saml. Authenticate for step 1"
currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
if (currentSamlConfiguration == None):
print "Saml. Prepare for step 1. Client saml configuration is invalid"
return False
saml_response_array = requestParameters.get("SAMLResponse")
if ArrayHelper.isEmpty(saml_response_array):
print "Saml. Authenticate for step 1. saml_response is empty"
return False
saml_response = saml_response_array[0]
print "Saml. Authenticate for step 1. saml_response:", saml_response
samlResponse = Response(currentSamlConfiguration)
samlResponse.loadXmlFromBase64(saml_response)
saml_validate_response = True
if (configurationAttributes.containsKey("saml_validate_response")):
saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False)
if (saml_validate_response):
if (not samlResponse.isValid()):
print "Saml. Authenticate for step 1. saml_response isn't valid"
saml_response_name_id = samlResponse.getNameId()
if (StringHelper.isEmpty(saml_response_name_id)):
print "Saml. Authenticate for step 1. saml_response_name_id is invalid"
return False
print "Saml. Authenticate for step 1. saml_response_name_id:", saml_response_name_id
saml_response_attributes = samlResponse.getAttributes()
print "Saml. Authenticate for step 1. attributes: ", saml_response_attributes
# Use persistent Id as saml_user_uid
saml_user_uid = saml_response_name_id
if (saml_map_user):
# Use mapping to local IDP user
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:", saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
print "Saml. Authenticate for step 1. Setting count steps to 2"
context.set("saml_count_login_steps", 2)
context.set("saml_user_uid", saml_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
elif (saml_enroll_user):
# Use auto enrollment to local IDP
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:", saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
# Auto user enrollemnt
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
# Convert saml result attributes keys to lover case
saml_response_normalized_attributes = HashMap()
for saml_response_attribute_entry in saml_response_attributes.entrySet():
saml_response_normalized_attributes.put(
StringHelper.toLowerCase(saml_response_attribute_entry.getKey()), saml_response_attribute_entry.getValue())
currentAttributesMapping = self.prepareCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
print "Saml. Authenticate for step 1. Using next attributes mapping", currentAttributesMapping
newUser = User()
for attributesMappingEntry in currentAttributesMapping.entrySet():
idpAttribute = attributesMappingEntry.getKey()
localAttribute = attributesMappingEntry.getValue()
localAttributeValue = saml_response_normalized_attributes.get(idpAttribute)
if (localAttribute != None):
newUser.setAttribute(localAttribute, localAttributeValue)
newUser.setAttribute("oxExternalUid", "saml:" + saml_user_uid)
print "Saml. Authenticate for step 1. Attempting to add user", saml_user_uid, " with next attributes", newUser.getCustomAttributes()
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID", find_user_by_uid.getUserId()
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
elif (saml_enroll_all_user_attr):
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:" + saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
user = User()
customAttributes = ArrayList()
for key in attributes.keySet():
ldapAttributes = attributeService.getAllAttributes()
for ldapAttribute in ldapAttributes:
saml2Uri = ldapAttribute.getSaml2Uri()
if(saml2Uri == None):
saml2Uri = attributeService.getDefaultSaml2Uri(ldapAttribute.getName())
if(saml2Uri == key):
attribute = CustomAttribute(ldapAttribute.getName())
attribute.setValues(attributes.get(key))
customAttributes.add(attribute)
attribute = CustomAttribute("oxExternalUid")
attribute.setValue("saml:" + saml_user_uid)
customAttributes.add(attribute)
user.setCustomAttributes(customAttributes)
if(user.getAttribute("sn") == None):
attribute = CustomAttribute("sn")
attribute.setValue(saml_user_uid)
customAttributes.add(attribute)
if(user.getAttribute("cn") == None):
attribute = CustomAttribute("cn")
attribute.setValue(saml_user_uid)
customAttributes.add(attribute)
find_user_by_uid = userService.addUser(user, True)
print "Saml. Authenticate for step 1. Added new user with UID", find_user_by_uid.getUserId()
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
else:
# Check if the is user with specified saml_user_uid
print "Saml. Authenticate for step 1. Attempting to find user by uid:", saml_user_uid
find_user_by_uid = userService.getUser(saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
elif (step == 2):
print "Saml. Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None) or not sessionAttributes.containsKey("saml_user_uid"):
print "Saml. Authenticate for step 2. saml_user_uid is empty"
return False
saml_user_uid = sessionAttributes.get("saml_user_uid")
passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has saml_user_uid
# Avoid mapping Saml account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
# Add saml_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 2. Failed to update current user"
return False
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result:", post_login_result
return post_login_result
else:
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 2. found_user_name:", found_user_name
if StringHelper.equals(user_name, found_user_name):
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result:", post_login_result
return post_login_result
return False
else:
return False
def sendSnsPushNotificationImpl(self, client_redirect_uri, user,
super_gluu_request):
if not self.enabledPushNotifications:
return
user_name = user.getUserId()
print "Super-Gluu. Send SNS push notification. Loading user '%s' devices" % user_name
send_notification = False
send_notification_result = True
pushSnsService = CdiUtil.bean(PushSnsService)
userService = CdiUtil.bean(UserService)
deviceRegistrationService = CdiUtil.bean(DeviceRegistrationService)
user_inum = userService.getUserInum(user_name)
u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(
user_inum, client_redirect_uri, "oxId", "oxDeviceData",
"oxDeviceNotificationConf")
if u2f_devices_list.size() > 0:
for u2f_device in u2f_devices_list:
device_data = u2f_device.getDeviceData()
# Device data which Super-Gluu gets during enrollment
if device_data == None:
continue
platform = device_data.getPlatform()
push_token = device_data.getPushToken()
debug = False
if StringHelper.equalsIgnoreCase(
platform,
"ios") and StringHelper.isNotEmpty(push_token):
# Sending notification to iOS user's device
if self.pushAppleService == None:
print "Super-Gluu. Send SNS push notification. Apple SNS push notification service is not enabled"
else:
targetEndpointArn = self.getTargetEndpointArn(
deviceRegistrationService, pushSnsService,
PushPlatform.APNS, user, u2f_device)
send_notification = True
title = "Super-Gluu"
message = {
"body":
"Super-Gluu login request to: %s" %
client_redirect_uri
}
sns_push_request_dictionary = {
"sound": 'default',
"aps": {
"badge": 9,
"title": title,
"alert": message
},
"category": "ACTIONABLE",
"content-available": "1",
"request": super_gluu_request
}
push_message = json.dumps(sns_push_request_dictionary,
separators=(',', ':'))
# msgBuilder.forNewsstand()
send_notification_result = pushSnsService.sendPushMessage(
self.pushAppleService, PushPlatform.APNS,
targetEndpointArn, push_message, None)
if debug:
print "Super-Gluu. Send iOS SNS push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (
push_token, push_message,
send_notification_result)
if StringHelper.equalsIgnoreCase(
platform,
"android") and StringHelper.isNotEmpty(push_token):
# Sending notification to Android user's device
if self.pushAndroidService == None:
print "Super-Gluu. Send SNS push notification. Android SNS push notification service is not enabled"
else:
targetEndpointArn = self.getTargetEndpointArn(
deviceRegistrationService, pushSnsService,
PushPlatform.GCM, user, u2f_device)
send_notification = True
title = "Super-Gluu"
sns_push_request_dictionary = {
"collapse_key": "single",
"content_available": True,
"time_to_live": 60,
"data": {
"message": super_gluu_request,
"title": title
}
}
push_message = json.dumps(sns_push_request_dictionary,
separators=(',', ':'))
send_notification_result = pushSnsService.sendPushMessage(
self.pushAndroidService, PushPlatform.GCM,
targetEndpointArn, push_message, None)
if debug:
print "Super-Gluu. Send Android SNS push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (
push_token, push_message,
send_notification_result)
print "Super-Gluu. Send SNS push notification. send_notification: '%s', send_notification_result: '%s'" % (
send_notification, send_notification_result)
def sendPushNotification(self, client_redirect_uri, user, super_gluu_request):
if not self.enabledPushNotifications:
return
user_name = user.getUserId()
print "Super-Gluu. Send push notification. Loading user '%s' devices" % user_name
send_notification = False
send_notification_result = True
userService = UserService.instance()
deviceRegistrationService = DeviceRegistrationService.instance()
user_inum = userService.getUserInum(user_name)
u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, client_redirect_uri, "oxId", "oxDeviceData")
if u2f_devices_list.size() > 0:
for u2f_device in u2f_devices_list:
device_data = u2f_device.getDeviceData()
# Device data which Super-Gluu gets during enrollment
if device_data == None:
continue
platform = device_data.getPlatform()
push_token = device_data.getPushToken()
debug = False
if StringHelper.equalsIgnoreCase(platform, "ios") and StringHelper.isNotEmpty(push_token):
# Sending notification to iOS user's device
if self.pushAppleService == None:
print "Super-Gluu. Send push notification. Apple push notification service is not enabled"
else:
send_notification = True
title = "Super-Gluu"
message = "Super-Gluu login request to: %s" % client_redirect_uri
additional_fields = { "request" : super_gluu_request }
msgBuilder = APNS.newPayload().alertBody(message).alertTitle(title).sound("default")
msgBuilder.category('ACTIONABLE').badge(0)
msgBuilder.forNewsstand()
msgBuilder.customFields(additional_fields)
push_message = msgBuilder.build()
send_notification_result = self.pushAppleService.push(push_token, push_message)
if debug:
print "Super-Gluu. Send iOS push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result)
if StringHelper.equalsIgnoreCase(platform, "android") and StringHelper.isNotEmpty(push_token):
# Sending notification to Android user's device
if self.pushAndroidService == None:
print "Super-Gluu. Send push notification. Android push notification service is not enabled"
else:
send_notification = True
title = "Super-Gluu"
msgBuilder = Message.Builder().addData("message", super_gluu_request).addData("title", title).collapseKey("single").contentAvailable(True)
push_message = msgBuilder.build()
send_notification_result = self.pushAndroidService.send(push_message, push_token, 3)
if debug:
print "Super-Gluu. Send Android push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result)
print "Super-Gluu. Send push notification. send_notification: '%s', send_notification_result: '%s'" % (send_notification, send_notification_result)
def prepareForStep(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
session_attributes = identity.getSessionId().getSessionAttributes()
client_redirect_uri = self.getClientRedirecUri(session_attributes)
if client_redirect_uri == None:
print "Super-Gluu. Prepare for step. redirect_uri is not set"
return False
self.setRequestScopedParameters(identity, step)
if step == 1:
print "Super-Gluu. Prepare for step 1"
if self.oneStep:
session_id = CdiUtil.bean(SessionIdService).getSessionIdFromCookie()
if StringHelper.isEmpty(session_id):
print "Super-Gluu. Prepare for step 2. Failed to determine session_id"
return False
issuer = CdiUtil.bean(ConfigurationFactory).getConfiguration().getIssuer()
super_gluu_request_dictionary = {'app': client_redirect_uri,
'issuer': issuer,
'state': session_id,
'created': datetime.datetime.now().isoformat()}
self.addGeolocationData(session_attributes, super_gluu_request_dictionary)
super_gluu_request = json.dumps(super_gluu_request_dictionary, separators=(',',':'))
print "Super-Gluu. Prepare for step 1. Prepared super_gluu_request:", super_gluu_request
identity.setWorkingParameter("super_gluu_request", super_gluu_request)
elif self.twoStep:
identity.setWorkingParameter("display_register_action", True)
return True
elif step == 2:
print "Super-Gluu. Prepare for step 2"
if self.oneStep:
return True
authenticationService = CdiUtil.bean(AuthenticationService)
user = authenticationService.getAuthenticatedUser()
if user == None:
print "Super-Gluu. Prepare for step 2. Failed to determine user name"
return False
if session_attributes.containsKey("super_gluu_request"):
super_gluu_request = session_attributes.get("super_gluu_request")
if not StringHelper.equalsIgnoreCase(super_gluu_request, "timeout"):
print "Super-Gluu. Prepare for step 2. Request was generated already"
return True
session_id = CdiUtil.bean(SessionIdService).getSessionIdFromCookie()
if StringHelper.isEmpty(session_id):
print "Super-Gluu. Prepare for step 2. Failed to determine session_id"
return False
auth_method = session_attributes.get("super_gluu_auth_method")
if StringHelper.isEmpty(auth_method):
print "Super-Gluu. Prepare for step 2. Failed to determine auth_method"
return False
print "Super-Gluu. Prepare for step 2. auth_method: '%s'" % auth_method
issuer = CdiUtil.bean(ConfigurationFactory).getAppConfiguration().getIssuer()
super_gluu_request_dictionary = {'username': user.getUserId(),
'app': client_redirect_uri,
'issuer': issuer,
'method': auth_method,
'state': session_id,
'created': datetime.datetime.now().isoformat()}
self.addGeolocationData(session_attributes, super_gluu_request_dictionary)
super_gluu_request = json.dumps(super_gluu_request_dictionary, separators=(',',':'))
print "Super-Gluu. Prepare for step 2. Prepared super_gluu_request:", super_gluu_request
identity.setWorkingParameter("super_gluu_request", super_gluu_request)
identity.setWorkingParameter("super_gluu_auth_method", auth_method)
if auth_method in ['authenticate']:
self.sendPushNotification(client_redirect_uri, user, super_gluu_request)
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
mapUserDeployment = False
enrollUserDeployment = False
if (configurationAttributes.containsKey("gplus_deployment_type")):
deploymentType = StringHelper.toLowerCase(configurationAttributes.get("gplus_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(deploymentType, "map")):
mapUserDeployment = True
if (StringHelper.equalsIgnoreCase(deploymentType, "enroll")):
enrollUserDeployment = True
if (step == 1):
print "Google+ Authenticate for step 1"
gplusAuthCodeArray = requestParameters.get("gplus_auth_code")
gplusAuthCode = gplusAuthCodeArray[0]
# Check if user uses basic method to log in
useBasicAuth = False
if (StringHelper.isEmptyString(gplusAuthCode)):
useBasicAuth = True
# Use basic method to log in
if (useBasicAuth):
print "Google+ Authenticate for step 1. Basic authentication"
context.set("gplus_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
userName = credentials.getUsername()
userPassword = credentials.getPassword()
loggedIn = False
if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)):
userService = UserService.instance()
loggedIn = userService.authenticate(userName, userPassword)
if (not loggedIn):
return False
return True
# Use Google+ method to log in
print "Google+ Authenticate for step 1. gplusAuthCode:", gplusAuthCode
currentClientSecrets = self.getCurrentClientSecrets(self.clientSecrets, configurationAttributes, requestParameters)
if (currentClientSecrets == None):
print "Google+ Authenticate for step 1. Client secrets configuration is invalid"
return False
print "Google+ Authenticate for step 1. Attempting to gets tokens"
tokenResponse = self.getTokensByCode(self.clientSecrets, configurationAttributes, gplusAuthCode);
if ((tokenResponse == None) or (tokenResponse.getIdToken() == None) or (tokenResponse.getAccessToken() == None)):
print "Google+ Authenticate for step 1. Failed to get tokens"
return False
else:
print "Google+ Authenticate for step 1. Successfully gets tokens"
jwt = Jwt.parse(tokenResponse.getIdToken())
# TODO: Validate ID Token Signature
gplusUserUid = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER);
print "Google+ Authenticate for step 1. Found Google user ID in the ID token: ", gplusUserUid
if (mapUserDeployment):
# Use mapping to local IDP user
print "Google+ Authenticate for step 1. Attempting to find user by oxExternalUid: gplus:", gplusUserUid
# Check if there is user with specified gplusUserUid
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
print "Google+ Authenticate for step 1. Failed to find user"
print "Google+ Authenticate for step 1. Setting count steps to 2"
context.set("gplus_count_login_steps", 2)
context.set("gplus_user_uid", gplusUserUid)
return True
foundUserName = foundUser.getUserId()
print "Google+ Authenticate for step 1. foundUserName:"******"Google+ Authenticate for step 1. Failed to authenticate user"
return False
print "Google+ Authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ Authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
elif (enrollUserDeployment):
# Use auto enrollment to local IDP
print "Google+ Authenticate for step 1. Attempting to find user by oxExternalUid: gplus:", gplusUserUid
# Check if there is user with specified gplusUserUid
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
# Auto user enrollemnt
print "Google+ Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Google+ Authenticate for step 1. Attempting to gets user info"
userInfoResponse = self.getUserInfo(currentClientSecrets, configurationAttributes, tokenResponse.getAccessToken())
if ((userInfoResponse == None) or (userInfoResponse.getClaims().size() == 0)):
print "Google+ Authenticate for step 1. Failed to get user info"
return False
else:
print "Google+ Authenticate for step 1. Successfully gets user info"
gplusResponseAttributes = userInfoResponse.getClaims()
# Convert Google+ user claims to lover case
gplusResponseNormalizedAttributes = HashMap()
for gplusResponseAttributeEntry in gplusResponseAttributes.entrySet():
gplusResponseNormalizedAttributes.put(
StringHelper.toLowerCase(gplusResponseAttributeEntry.getKey()), gplusResponseAttributeEntry.getValue())
currentAttributesMapping = self.getCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
print "Google+ Authenticate for step 1. Using next attributes mapping", currentAttributesMapping
newUser = User()
for attributesMappingEntry in currentAttributesMapping.entrySet():
remoteAttribute = attributesMappingEntry.getKey()
localAttribute = attributesMappingEntry.getValue()
localAttributeValue = gplusResponseNormalizedAttributes.get(remoteAttribute)
if (localAttribute != None):
newUser.setAttribute(localAttribute, localAttributeValue)
if (newUser.getAttribute("sn") == None):
newUser.setAttribute("sn", gplusUserUid)
if (newUser.getAttribute("cn") == None):
newUser.setAttribute("cn", gplusUserUid)
newUser.setAttribute("oxExternalUid", "gplus:" + gplusUserUid)
print "Google+ Authenticate for step 1. Attempting to add user", gplusUserUid, " with next attributes", newUser.getCustomAttributes()
foundUser = userService.addUser(newUser, True)
print "Google+ Authenticate for step 1. Added new user with UID", foundUser.getUserId()
foundUserName = foundUser.getUserId()
print "Google+ Authenticate for step 1. foundUserName:"******"Google+ Authenticate for step 1. Failed to authenticate user"
return False
print "Google+ Authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ Authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
else:
# Check if there is user with specified gplusUserUid
print "Google+ Authenticate for step 1. Attempting to find user by uid:", gplusUserUid
foundUser = userService.getUser(gplusUserUid)
if (foundUser == None):
print "Google+ Authenticate for step 1. Failed to find user"
return False
foundUserName = foundUser.getUserId()
print "Google+ Authenticate for step 1. foundUserName:"******"Google+ Authenticate for step 1. Failed to authenticate user"
return False
print "Google+ Authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ Authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
elif (step == 2):
print "Google+ Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None) or not sessionAttributes.containsKey("gplus_user_uid"):
print "Google+ Authenticate for step 2. gplus_user_uid is empty"
return False
gplusUserUid = sessionAttributes.get("gplus_user_uid")
passed_step1 = StringHelper.isNotEmptyString(gplusUserUid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
userName = credentials.getUsername()
userPassword = credentials.getPassword()
loggedIn = False
if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)):
loggedIn = userService.authenticate(userName, userPassword)
if (not loggedIn):
return False
# Check if there is user which has gplusUserUid
# Avoid mapping Google account to more than one IDP account
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
# Add gplusUserUid to user one id UIDs
foundUser = userService.addUserAttribute(userName, "oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
print "Google+ Authenticate for step 2. Failed to update current user"
return False
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ Authenticate for step 2. postLoginResult:", postLoginResult
return postLoginResult
else:
foundUserName = foundUser.getUserId()
print "Google+ Authenticate for step 2. foundUserName:"******"Google+ Authenticate for step 2. postLoginResult:", postLoginResult
return postLoginResult
return False
else:
return False
def init(self, configurationAttributes):
print "Super-Gluu. Initialization"
if not configurationAttributes.containsKey("authentication_mode"):
print "Super-Gluu. Initialization. Property authentication_mode is mandatory"
return False
self.registrationUri = None
if configurationAttributes.containsKey("registration_uri"):
self.registrationUri = configurationAttributes.get("registration_uri").getValue2()
authentication_mode = configurationAttributes.get("authentication_mode").getValue2()
if StringHelper.isEmpty(authentication_mode):
print "Super-Gluu. Initialization. Failed to determine authentication_mode. authentication_mode configuration parameter is empty"
return False
self.oneStep = StringHelper.equalsIgnoreCase(authentication_mode, "one_step")
self.twoStep = StringHelper.equalsIgnoreCase(authentication_mode, "two_step")
if not (self.oneStep or self.twoStep):
print "Super-Gluu. Initialization. Valid authentication_mode values are one_step and two_step"
return False
self.enabledPushNotifications = self.initPushNotificationService(configurationAttributes)
self.androidUrl = None
if configurationAttributes.containsKey("supergluu_android_download_url"):
self.androidUrl = configurationAttributes.get("supergluu_android_download_url").getValue2()
self.IOSUrl = None
if configurationAttributes.containsKey("supergluu_ios_download_url"):
self.IOSUrl = configurationAttributes.get("supergluu_ios_download_url").getValue2()
self.customLabel = None
if configurationAttributes.containsKey("label"):
self.customLabel = configurationAttributes.get("label").getValue2()
self.customQrOptions = {}
if configurationAttributes.containsKey("qr_options"):
self.customQrOptions = configurationAttributes.get("qr_options").getValue2()
self.use_super_gluu_group = False
if configurationAttributes.containsKey("super_gluu_group"):
self.super_gluu_group = configurationAttributes.get("super_gluu_group").getValue2()
self.use_super_gluu_group = True
print "Super-Gluu. Initialization. Using super_gluu only if user belong to group: %s" % self.super_gluu_group
self.use_audit_group = False
if configurationAttributes.containsKey("audit_group"):
self.audit_group = configurationAttributes.get("audit_group").getValue2()
if (not configurationAttributes.containsKey("audit_group_email")):
print "Super-Gluu. Initialization. Property audit_group_email is not specified"
return False
self.audit_email = configurationAttributes.get("audit_group_email").getValue2()
self.use_audit_group = True
print "Super-Gluu. Initialization. Using audit group: %s" % self.audit_group
if self.use_super_gluu_group or self.use_audit_group:
if not configurationAttributes.containsKey("audit_attribute"):
print "Super-Gluu. Initialization. Property audit_attribute is not specified"
return False
else:
self.audit_attribute = configurationAttributes.get("audit_attribute").getValue2()
print "Super-Gluu. Initialized successfully. oneStep: '%s', twoStep: '%s', pushNotifications: '%s', customLabel: '%s'" % (self.oneStep, self.twoStep, self.enabledPushNotifications, self.customLabel)
return True
def sendPushNotificationImpl(self, client_redirect_uri, user, super_gluu_request):
if not self.enabledPushNotifications:
return
user_name = user.getUserId()
print "Super-Gluu. Send push notification. Loading user '%s' devices" % user_name
send_notification = False
send_notification_result = True
userService = CdiUtil.bean(UserService)
deviceRegistrationService = CdiUtil.bean(DeviceRegistrationService)
user_inum = userService.getUserInum(user_name)
send_android = 0
send_ios = 0
u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, client_redirect_uri, "oxId", "oxDeviceData", "oxDeviceNotificationConf")
if u2f_devices_list.size() > 0:
for u2f_device in u2f_devices_list:
device_data = u2f_device.getDeviceData()
# Device data which Super-Gluu gets during enrollment
if device_data == None:
continue
platform = device_data.getPlatform()
push_token = device_data.getPushToken()
debug = False
if StringHelper.equalsIgnoreCase(platform, "ios") and StringHelper.isNotEmpty(push_token):
# Sending notification to iOS user's device
if self.pushAppleService == None:
print "Super-Gluu. Send push notification. Apple native push notification service is not enabled"
else:
send_notification = True
title = "Super-Gluu"
message = "Super-Gluu login request to: %s" % client_redirect_uri
if self.pushSnsMode or self.pushGluuMode:
pushSnsService = CdiUtil.bean(PushSnsService)
targetEndpointArn = self.getTargetEndpointArn(deviceRegistrationService, pushSnsService, PushPlatform.APNS, user, u2f_device)
if targetEndpointArn == None:
return
send_notification = True
sns_push_request_dictionary = { "aps":
{ "badge": 0,
"alert" : {"body": message, "title" : title},
"category": "ACTIONABLE",
"content-available": "1",
"sound": 'default'
},
"request" : super_gluu_request
}
push_message = json.dumps(sns_push_request_dictionary, separators=(',',':'))
if self.pushSnsMode:
apple_push_platform = PushPlatform.APNS
if not self.pushAppleServiceProduction:
apple_push_platform = PushPlatform.APNS_SANDBOX
send_notification_result = pushSnsService.sendPushMessage(self.pushAppleService, apple_push_platform, targetEndpointArn, push_message, None)
if debug:
print "Super-Gluu. Send iOS SNS push notification. token: '%s', message: '%s', send_notification_result: '%s', apple_push_platform: '%s'" % (push_token, push_message, send_notification_result, apple_push_platform)
elif self.pushGluuMode:
send_notification_result = self.pushAppleService.sendNotification(self.pushAppleServiceAuth, targetEndpointArn, push_message)
if debug:
print "Super-Gluu. Send iOS Gluu push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result)
else:
additional_fields = { "request" : super_gluu_request }
msgBuilder = APNS.newPayload().alertBody(message).alertTitle(title).sound("default")
msgBuilder.category('ACTIONABLE').badge(0)
msgBuilder.forNewsstand()
msgBuilder.customFields(additional_fields)
push_message = msgBuilder.build()
send_notification_result = self.pushAppleService.push(push_token, push_message)
if debug:
print "Super-Gluu. Send iOS Native push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result)
send_ios = send_ios + 1
if StringHelper.equalsIgnoreCase(platform, "android") and StringHelper.isNotEmpty(push_token):
# Sending notification to Android user's device
if self.pushAndroidService == None:
print "Super-Gluu. Send native push notification. Android native push notification service is not enabled"
else:
send_notification = True
title = "Super-Gluu"
if self.pushSnsMode or self.pushGluuMode:
pushSnsService = CdiUtil.bean(PushSnsService)
targetEndpointArn = self.getTargetEndpointArn(deviceRegistrationService, pushSnsService, PushPlatform.GCM, user, u2f_device)
if targetEndpointArn == None:
return
send_notification = True
sns_push_request_dictionary = { "collapse_key": "single",
"content_available": True,
"time_to_live": 60,
"data":
{ "message" : super_gluu_request,
"title" : title }
}
push_message = json.dumps(sns_push_request_dictionary, separators=(',',':'))
if self.pushSnsMode:
send_notification_result = pushSnsService.sendPushMessage(self.pushAndroidService, PushPlatform.GCM, targetEndpointArn, push_message, None)
if debug:
print "Super-Gluu. Send Android SNS push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result)
elif self.pushGluuMode:
send_notification_result = self.pushAndroidService.sendNotification(self.pushAndroidServiceAuth, targetEndpointArn, push_message)
if debug:
print "Super-Gluu. Send Android Gluu push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result)
else:
msgBuilder = Message.Builder().addData("message", super_gluu_request).addData("title", title).collapseKey("single").contentAvailable(True)
push_message = msgBuilder.build()
send_notification_result = self.pushAndroidService.send(push_message, push_token, 3)
if debug:
print "Super-Gluu. Send Android Native push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result)
send_android = send_android + 1
print "Super-Gluu. Send push notification. send_android: '%s', send_ios: '%s'" % (send_android, send_ios)
def authenticate(self, configurationAttributes, requestParameters, step):
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
context = Contexts.getEventContext()
userService = UserService.instance()
deviceRegistrationService = DeviceRegistrationService.instance()
if (step == 1):
print "oxPush2. Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
auth_method = 'authenticate'
enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton")
if StringHelper.isNotEmpty(enrollment_mode):
auth_method = 'enroll'
if (auth_method == 'authenticate'):
find_user_by_uid = userService.getUser(user_name)
if (find_user_by_uid == None):
print "oxPush. Authenticate for step 1. Failed to find user"
return False
user_inum = userService.getUserInum(find_user_by_uid)
u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, self.u2f_application_id, "oxId")
if (u2f_devices_list.size() == 0):
auth_method = 'enroll'
print "oxPush2. There is no U2F '%s' user devices associated with application '%s'. Changing auth_method to '%s'" % (user_name, self.u2f_application_id, auth_method)
print "oxPush2. Authenticate for step 1. auth_method: '%s'" % auth_method
context.set("oxpush2_auth_method", auth_method)
return True
elif (step == 2):
print "oxPush2. Authenticate for step 2"
credentials = Identity.instance().getCredentials()
user = credentials.getUser()
if (user == None):
print "oxPush2. Authenticate for step 2. Failed to determine user name"
return False
# Find user by uid
userService = UserService.instance()
find_user_by_uid = userService.getUser(user_name)
if (find_user_by_uid == None):
print "oxPush. Authenticate for step 2. Failed to find user"
return False
session_attributes = context.get("sessionAttributes")
if (not session_attributes.containsKey("oxpush2_request")):
print "oxPush2. Authenticate for step 2. There is no oxPush2 request in session attributes"
return False
oxpush2_request_json = session_attributes.get("oxpush2_request")
oxpush2_request = json.loads(oxpush2_request_json)
auth_method = oxpush2_request['method']
if (auth_method in ['enroll', 'authenticate']):
print "oxPush2. Authenticate for step 2. Validation U2F user device. auth_method: '%s'" % auth_method
# Check session state extended
if (not session_attributes.containsKey("session_custom_state")):
print "oxPush2. Authenticate for step 2. There is no session_custom_state in session attributes"
return False
session_custom_state = session_attributes.get("session_custom_state")
if(not StringHelper.equalsIgnoreCase("approved", session_custom_state)):
print "oxPush2. Authenticate for step 2. User '%s' not approve or pass U2F authentication. session_custom_state: '%s'" % (user_name, session_custom_state)
return False
# Try to find device_id in session attribute
if (not session_attributes.containsKey("oxpush2_u2f_device_id")):
print "oxPush2. Authenticate for step 2. There is no u2f_device associated with this request"
return False
u2f_device_id = session_attributes.get("oxpush2_u2f_device_id")
# Validate if user has specified device_id enrollment
user_inum = userService.getUserInum(find_user_by_uid)
u2f_device = deviceRegistrationService.findUserDeviceRegistration(user_inum, u2f_device_id)
if (u2f_device == None):
print "oxPush2. Authenticate for step 2. There is no u2f_device '%s' associated with user '%s'" % (u2f_device_id, user_inum)
return False
if (not StringHelper.equalsIgnoreCase(self.u2f_application_id, u2f_device.application)):
print "oxPush2. Authenticate for step 2. U2F user's '%s' device associated with other application '%s'" % (user_name, u2f_device.application)
return False
print "oxPush2. Authenticate for step 2. U2F user's '%s' device authenticated successfully with U2F device '%s'" % (user_name, u2f_device_id)
return True
else:
print "oxPush2. Authenticate for step 2. U2F auth_method is invalid"
return False
else:
return False
