def init(self, configurationAttributes):
    """Load the oxPush2 script configuration.

    Reads the mandatory ``application_id`` and ``authentication_mode``
    properties, stores them on the instance and initialises the push
    notification service.  Returns True on success and False (after a log
    line) when a property is missing, empty or has an unsupported value.
    """
    print "oxPush2. Initialization"

    has_app_id = configurationAttributes.containsKey("application_id")
    has_both = has_app_id and configurationAttributes.containsKey("authentication_mode")
    if not has_both:
        print "oxPush2. Initialization. Properties application_id and authentication_mode are mandatory"
        return False

    self.application_id = configurationAttributes.get("application_id").getValue2()
    if StringHelper.isEmpty(self.application_id):
        print "oxPush2. Initialization. Failed to determine application_id. application_id configuration parameter is empty"
        return False

    mode = configurationAttributes.get("authentication_mode").getValue2()
    if StringHelper.isEmpty(mode):
        print "oxPush2. Initialization. Failed to determine authentication_mode. authentication_mode configuration parameter is empty"
        return False

    # Only the two known modes are accepted; anything else fails init.
    self.oneStep = StringHelper.equalsIgnoreCase(mode, "one_step")
    self.twoStep = StringHelper.equalsIgnoreCase(mode, "two_step")
    if not self.oneStep and not self.twoStep:
        print "oxPush2. Initialization. Valid authentication_mode values are one_step and two_step"
        return False

    self.enabledPushNotifications = self.initPushNotificationService(configurationAttributes)

    print "oxPush2. Initialized successfully. oneStep: '%s', twoStep: '%s', pushNotifications: '%s'" % (self.oneStep, self.twoStep, self.enabledPushNotifications)
    return True
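def init(self, configurationAttributes):
    """Load the Passport (basic) script configuration.

    Optional properties:
      generic_remote_attributes_list / generic_local_attributes_list - a
        pair of comma-separated lists turned into ``self.attributesMapping``
        by ``prepareAttributesMapping``; both must be present and non-empty.
      extension_module - name of a Python module that is imported and whose
        ``init`` is called with the same configuration; a falsy result from
        it fails initialisation.

    Returns True when initialisation completed, False otherwise.  The
    original had no final ``return True`` and so returned None on the
    success path, unlike every other exit of the method, which returns a
    boolean.
    """
    print "Passport: Basic. Initialization init method call"

    self.extensionModule = None
    self.attributesMapping = None

    if (configurationAttributes.containsKey("generic_remote_attributes_list") and
            configurationAttributes.containsKey("generic_local_attributes_list")):
        remoteAttributesList = configurationAttributes.get("generic_remote_attributes_list").getValue2()
        if StringHelper.isEmpty(remoteAttributesList):
            print "Passport: Initialization. The property generic_remote_attributes_list is empty"
            return False

        localAttributesList = configurationAttributes.get("generic_local_attributes_list").getValue2()
        if StringHelper.isEmpty(localAttributesList):
            print "Passport: Initialization. The property generic_local_attributes_list is empty"
            return False

        self.attributesMapping = self.prepareAttributesMapping(remoteAttributesList, localAttributesList)
        if self.attributesMapping is None:
            print "Passport: Initialization. The attributes mapping isn't valid"
            return False

    if configurationAttributes.containsKey("extension_module"):
        extensionModuleName = configurationAttributes.get("extension_module").getValue2()
        # The module name comes from the script configuration; __import__
        # executes that module's top-level code, so this property must only
        # be settable by administrators.
        try:
            self.extensionModule = __import__(extensionModuleName)
            extensionModuleInitResult = self.extensionModule.init(configurationAttributes)
            if not extensionModuleInitResult:
                return False
        except ImportError, ex:
            print "Passport: Initialization. Failed to load generic_extension_module:", extensionModuleName
            print "Passport: Initialization. Unexpected error:", ex
            return False

    return True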
def init(self, configurationAttributes):
    """Load the Basic (multi login) script configuration.

    ``login_attributes_list`` (mandatory) and ``local_login_attributes_list``
    (optional; defaults to the former) are comma-separated lists that must
    have the same length.  Both are split and stored on the instance.
    Returns False with a log line when the mandatory list is missing or
    empty, or when the two lengths differ.
    """
    print "Basic (multi login) initialization"

    login_property = configurationAttributes.get("login_attributes_list")
    if login_property is None:
        print "Basic (multi login) initialization. There is no property login_attributes_list"
        return False

    login_value = login_property.getValue2()
    if StringHelper.isEmpty(login_value):
        print "Basic (multi login) initialization. There is no attributes specified in login_attributes property"
        return False

    login_attrs = StringHelper.split(login_value, ",")
    if ArrayHelper.isEmpty(login_attrs):
        print "Basic (multi login) initialization. There is no attributes specified in login_attributes property"
        return False

    if not configurationAttributes.containsKey("local_login_attributes_list"):
        print "Basic (multi login) initialization. There is no property local_login_attributes_list. Assuming that login attributes are equal to local login attributes."
        local_attrs = login_attrs
    else:
        local_value = configurationAttributes.get("local_login_attributes_list").getValue2()
        local_attrs = StringHelper.split(local_value, ",")

    # The two lists are expected to line up by position, hence the length check.
    if len(login_attrs) != len(local_attrs):
        print "Basic (multi login) initialization. The number of attributes in login_attributes_list and local_login_attributes_list isn't equal"
        return False

    self.login_attributes_list_array = login_attrs
    self.local_login_attributes_list_array = local_attrs

    print "Basic (multi login) initialized successfully"
    return True
def validateInweboToken(self, iw_api_uri, iw_service_id, user_name, iw_token):
    """Verify an InWebo token by calling the InWebo API.

    Builds a GET request against ``iw_api_uri`` with ``action=authenticate``
    and the service id, user name and token as URL-encoded query parameters,
    then checks the HTTP status and that the body is XML before parsing it.

    Returns False when the token is empty, the request fails, the response
    is not XML, or the XML cannot be parsed.  As shown here the method ends
    right after parsing: the parsed document is never inspected and control
    falls off the end (returning None).  The evaluation of the parsed result
    appears to be missing from this view -- confirm against the full script.
    """
    httpService = HttpService.instance()
    xmlService = XmlService.instance();

    if StringHelper.isEmpty(iw_token):
        print "InWebo. Token verification. iw_token is empty"
        return False

    # The token is sent as a query-string parameter of a GET request.
    request_uri = iw_api_uri + "?action=authenticate" + "&serviceId=" + httpService.encodeUrl(iw_service_id) + "&userId=" + httpService.encodeUrl(user_name) + "&token=" + httpService.encodeUrl(iw_token)
    # NOTE(review): this writes the full URL, including the token value, to
    # the log; redacting the token parameter before logging would keep it
    # out of log files.
    print "InWebo. Token verification. Attempting to send authentication request:", request_uri

    # Execute request
    http_response = httpService.executeGet(self.client, request_uri)

    # Validate response code
    response_validation = httpService.isResponseStastusCodeOk(http_response)
    if response_validation == False:
        print "InWebo. Token verification. Get unsuccessful response code"
        return False

    authentication_response_bytes = httpService.getResponseContent(http_response)
    # The raw response body is logged verbatim as well.
    print "InWebo. Token verification. Get response:", httpService.convertEntityToString(authentication_response_bytes)

    # Validate authentication response
    response_validation = httpService.isContentTypeXml(http_response)
    if response_validation == False:
        print "InWebo. Token verification. Get invalid response"
        return False

    # Parse XML response
    # NOTE(review): the body comes from the remote service; whether external
    # entity resolution is disabled is decided inside XmlService -- confirm.
    try:
        xmlDocument = xmlService.getXmlDocument(authentication_response_bytes)
    except Exception, err:
        print "InWebo. Token verification. Failed to parse XML response:", err
        return False
def getCurrentSamlConfiguration(self, currentSamlConfiguration, configurationAttributes, requestParameters):
    """Return the SAML configuration to use for the current client.

    Looks up the client-specific configuration attribute, a JSON document
    with ``saml_certificate_file``, ``saml_issuer`` and
    ``saml_use_authn_context``.  When no client configuration exists, or the
    referenced certificate file yields an empty certificate,
    ``currentSamlConfiguration`` is returned unchanged; otherwise a clone of
    it is customised with the client's certificate, issuer and authn-context
    flag and returned.
    """
    client_config = self.getClientConfiguration(configurationAttributes, requestParameters)
    if client_config is None:
        return currentSamlConfiguration

    settings = json.loads(client_config.getValue())

    # The certificate path is taken from the client's stored configuration;
    # loadCeritificate presumably reads that file from disk.
    certificate = None
    certificate_file = settings["saml_certificate_file"]
    if StringHelper.isNotEmpty(certificate_file):
        certificate = self.loadCeritificate(certificate_file)
        if StringHelper.isEmpty(certificate):
            print "Saml. BuildClientSamlConfiguration. File with x509 certificate should be not empty. Using default configuration"
            return currentSamlConfiguration

    # Work on a copy so the shared default configuration is never mutated.
    client_saml_config = currentSamlConfiguration.clone()
    if certificate is not None:
        client_saml_config.loadCertificateFromString(certificate)

    client_saml_config.setIssuer(settings["saml_issuer"])

    use_authn_context = StringHelper.toBoolean(settings["saml_use_authn_context"], True)
    client_saml_config.setUseRequestedAuthnContext(use_authn_context)

    return client_saml_config
def prepareForStep(self, configurationAttributes, requestParameters, step):
    """Prepare the event context before a login step is rendered.

    Step 1 only flags that the register action should be displayed.  Step 2
    builds the ``oxpush2_request`` JSON (user id, application id, issuer,
    auth method and session state) and stores it in the context, unless the
    session already carries one.  Returns True when the page can be shown,
    False when the user, session state or auth method cannot be determined
    or the step is unknown.
    """
    context = Contexts.getEventContext()

    if step == 1:
        context.set("display_register_action", True)
        return True

    if step != 2:
        return False

    print "oxPush2. Prepare for step 2"

    user = Identity.instance().getCredentials().getUser()
    if user is None:
        print "oxPush2. Prepare for step 2. Failed to determine user name"
        return False

    session_attributes = context.get("sessionAttributes")
    # A request built earlier in this session is kept as-is.
    if session_attributes.containsKey("oxpush2_request"):
        print "oxPush2. Prepare for step 2. Request was generated already"
        return True

    session_state = SessionStateService.instance().getSessionStateFromCookie()
    if StringHelper.isEmpty(session_state):
        print "oxPush2. Prepare for step 2. Failed to determine session_state"
        return False

    auth_method = session_attributes.get("oxpush2_auth_method")
    if StringHelper.isEmpty(auth_method):
        print "oxPush2. Prepare for step 2. Failed to determine auth_method"
        return False
    print "oxPush2. Prepare for step 2. auth_method: '%s'" % auth_method

    issuer = ConfigurationFactory.instance().getConfiguration().getIssuer()
    payload = {
        'username': user.getUserId(),
        'app': self.u2f_application_id,
        'issuer': issuer,
        'method': auth_method,
        'state': session_state,
    }
    # Compact separators: no whitespace in the encoded request.
    request_json = json.dumps(payload, separators=(',', ':'))
    print "oxPush2. Prepare for step 2. Prepared oxpush2_request:", request_json

    context.set("oxpush2_request", request_json)
    return True
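def init(self, configurationAttributes):
    """Load the Google+ script configuration.

    Mandatory: ``gplus_client_secrets_file``, loaded via
    ``loadClientSecrets`` into ``self.clientSecrets``.
    Optional, paired: ``gplus_remote_attributes_list`` /
    ``gplus_local_attributes_list`` (both present and non-empty), turned
    into ``self.attributesMapping`` by ``prepareAttributesMapping``.
    Optional: ``extension_module``, imported with ``__import__`` and
    initialised with the same configuration; a falsy result fails init.

    Returns True when initialisation completed, False otherwise.  The
    original had no final ``return True`` and returned None on the success
    path, unlike every other exit of the method, which returns a boolean.
    """
    print "Google+ initialization"

    if not configurationAttributes.containsKey("gplus_client_secrets_file"):
        print "Google+ initialization. The property gplus_client_secrets_file is empty"
        return False

    clientSecretsFile = configurationAttributes.get("gplus_client_secrets_file").getValue2()
    self.clientSecrets = self.loadClientSecrets(clientSecretsFile)
    if self.clientSecrets is None:
        print "Google+ initialization. File with Google+ client secrets should be not empty"
        return False

    self.attributesMapping = None
    if (configurationAttributes.containsKey("gplus_remote_attributes_list") and
            configurationAttributes.containsKey("gplus_local_attributes_list")):
        remoteAttributesList = configurationAttributes.get("gplus_remote_attributes_list").getValue2()
        if StringHelper.isEmpty(remoteAttributesList):
            print "Google+ initialization. The property gplus_remote_attributes_list is empty"
            return False

        localAttributesList = configurationAttributes.get("gplus_local_attributes_list").getValue2()
        if StringHelper.isEmpty(localAttributesList):
            print "Google+ initialization. The property gplus_local_attributes_list is empty"
            return False

        self.attributesMapping = self.prepareAttributesMapping(remoteAttributesList, localAttributesList)
        if self.attributesMapping is None:
            print "Google+ initialization. The attributes mapping isn't valid"
            return False

    self.extensionModule = None
    if configurationAttributes.containsKey("extension_module"):
        extensionModuleName = configurationAttributes.get("extension_module").getValue2()
        # __import__ executes the named module's top-level code; the name is
        # administrator-supplied script configuration, not end-user input.
        try:
            self.extensionModule = __import__(extensionModuleName)
            extensionModuleInitResult = self.extensionModule.init(configurationAttributes)
            if not extensionModuleInitResult:
                return False
        except ImportError, ex:
            print "Failed to load gplus_extension_module:", extensionModuleName
            print "Unexpected error:", ex
            return False

    return True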
def getSamlNameId(self, samlResponse):
    """Return the NameID of a parsed SAML response, or None when it is empty.

    The NameID is the value the script uses as the persistent identifier of
    the SAML user.
    """
    name_id = samlResponse.getNameId()
    if StringHelper.isEmpty(name_id):
        print "Saml. Get Saml response. saml_response_name_id is invalid"
        return None

    print "Saml. Get Saml response. saml_response_name_id: '%s'" % name_id
    # Use persistent Id as saml_user_uid
    return name_id
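def init(self, configurationAttributes):
    """Load the oxPush2 script configuration.

    Requires the ``u2f_application_id`` property and stores its value on the
    instance.  Returns False (after logging) when the property is absent or
    empty.  The original called ``get("u2f_application_id").getValue2()``
    unconditionally, so a missing property raised AttributeError instead of
    failing initialisation cleanly.
    """
    print "oxPush2. Initialization"

    if not configurationAttributes.containsKey("u2f_application_id"):
        print "oxPush2. Initialization. Property u2f_application_id is mandatory"
        return False

    self.u2f_application_id = configurationAttributes.get("u2f_application_id").getValue2()
    if StringHelper.isEmpty(self.u2f_application_id):
        print "oxPush2. Initialization. Failed to determine application_id. u2f_application_id configuration parameter is empty"
        return False

    print "oxPush2. Initialized successfully"
    return True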
def validateSessionState(self, session_attributes):
    """Check that the session cookie and the stored OTP auth method are usable.

    Returns False when no session state can be read from the cookie, or when
    ``otp_auth_method`` in ``session_attributes`` is neither ``'enroll'`` nor
    ``'authenticate'``; True otherwise.
    """
    session_state = SessionStateService.instance().getSessionStateFromCookie()
    if StringHelper.isEmpty(session_state):
        print "OTP. Validate session state. Failed to determine session_state"
        return False

    # Only the two known OTP methods are accepted from the session.
    method = session_attributes.get("otp_auth_method")
    if method not in ('enroll', 'authenticate'):
        print "OTP. Validate session state. Failed to authenticate user. otp_auth_method: '%s'" % method
        return False

    return True
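def prepareForStep(self, configurationAttributes, requestParameters, step):
    """Prepare the FIDO U2F requests for the login page.

    Step 1 needs no preparation.  Step 2 asks the U2F server for an
    authentication request (only when the user already has a device
    registered for ``u2f_application_id``) and always for a registration
    request, and stores both as JSON in the event context.

    Returns True when the page can be rendered; False when the session state
    or user cannot be determined, when the U2F server fails with anything
    other than a 404, or for an unknown step.  The original fell off the end
    (returning None) for steps other than 1 and 2; this version returns
    False explicitly.
    """
    context = Contexts.getEventContext()

    if step == 1:
        return True

    if step != 2:
        return False

    print "U2F. Prepare for step 2"

    session_state = SessionStateService.instance().getSessionStateFromCookie()
    if StringHelper.isEmpty(session_state):
        print "U2F. Prepare for step 2. Failed to determine session_state"
        return False

    credentials = Identity.instance().getCredentials()
    user = credentials.getUser()
    if user is None:
        print "U2F. Prepare for step 2. Failed to determine user name"
        return False

    u2f_application_id = configurationAttributes.get("u2f_application_id").getValue2()
    user_id = user.getUserId()

    # Check if user have registered devices
    deviceRegistrationService = DeviceRegistrationService.instance()
    userInum = user.getAttribute("inum")
    deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, u2f_application_id)

    authenticationRequest = None
    if deviceRegistrations.size() > 0:
        print "U2F. Prepare for step 2. Call FIDO U2F in order to start authentication workflow"
        try:
            authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration)
            authenticationRequest = authenticationRequestService.startAuthentication(user_id, None, u2f_application_id, session_state)
        except ClientResponseFailure, ex:
            # A 404 from the U2F server is tolerated (no authentication
            # request is produced); any other failure aborts the step.
            if ex.getResponse().getResponseStatus() != Response.Status.NOT_FOUND:
                print "U2F. Prepare for step 2. Failed to start authentication workflow. Exception:", ex
                return False

    # NOTE(review): a registration request is prepared even when the user
    # already has registered devices; whether step 2 accepts a new device
    # registration for an already enrolled user is decided in the
    # authenticate() step, not here -- confirm that policy.
    print "U2F. Prepare for step 2. Call FIDO U2F in order to start registration workflow"
    registrationRequestService = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration)
    registrationRequest = registrationRequestService.startRegistration(user_id, u2f_application_id, session_state)

    context.set("fido_u2f_authentication_request", ServerUtil.asJson(authenticationRequest))
    context.set("fido_u2f_registration_request", ServerUtil.asJson(registrationRequest))
    return True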
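def authenticate(self, configurationAttributes, requestParameters, step):
    """Two-step login: password check, then an optional password change.

    Step 1 authenticates the user name/password from the credentials via
    ``UserService.authenticate``.  Step 2 passes without doing anything
    unless the ``loginForm:updateButton`` parameter is present; when it is,
    the ``new_password`` request parameter is written to the user's
    ``userPassword`` attribute and persisted.  Returns False for an unknown
    step, an empty new password, or when the user cannot be found.

    Changes from the original: a missing user name in step 2 now fails the
    step instead of raising on string concatenation, and the "Attemprin"
    typo in the step-2 log line is corrected.
    """
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()

    if step == 1:
        print "Basic (with password update). Authenticate for step 1"
        user_password = credentials.getPassword()

        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)

        if not logged_in:
            return False
        return True

    elif step == 2:
        print "Basic (with password update). Authenticate for step 2"

        update_button = requestParameters.get("loginForm:updateButton")
        # No update requested: the step passes without touching the password.
        if ArrayHelper.isEmpty(update_button):
            return True

        new_password_array = requestParameters.get("new_password")
        if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
            print "Basic (with password update). Authenticate for step 2. New password is empty"
            return False
        new_password = new_password_array[0]

        if StringHelper.isEmpty(user_name):
            print "Basic (with password update). Authenticate for step 2. Failed to determine user name"
            return False

        # NOTE(review): no length/complexity policy is applied to new_password
        # here; if one is required it has to be enforced before updateUser.
        print "Basic (with password update). Authenticate for step 2. Attempting to set new user '%s' password" % user_name

        userService = UserService.instance()
        find_user_by_uid = userService.getUser(user_name)
        if find_user_by_uid is None:
            print "Basic (with password update). Authenticate for step 2. Failed to find user"
            return False

        find_user_by_uid.setAttribute("userPassword", new_password)
        userService.updateUser(find_user_by_uid)

        print "Basic (with password update). Authenticate for step 2. Password updated successfully"
        return True

    else:
        return False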
def setUserAttributeValue(self, user_name, attribute_name, attribute_value):
    """Set a custom attribute on the user with uid ``user_name`` and persist it.

    Returns the result of ``updateUser``, or None when ``user_name`` is empty
    or no such user exists.  Note that the attribute value is written to the
    log, so avoid using this for sensitive attributes.
    """
    if StringHelper.isEmpty(user_name):
        return None

    userService = UserService.instance()
    target = userService.getUser(user_name)
    if target is None:
        return None

    userService.setCustomAttribute(target, attribute_name, attribute_value)
    result = userService.updateUser(target)

    print "Basic (lock account). Set user attribute. User's '%s' attribute '%s' value is '%s'" % (user_name, attribute_name, attribute_value)
    return result
def getUserAttributeValue(self, user_name, attribute_name):
    """Return the value of custom attribute ``attribute_name`` for ``user_name``.

    Returns None when the user name is empty, the user is not found, or the
    attribute is not set.  The value is written to the log before returning.
    """
    if StringHelper.isEmpty(user_name):
        return None

    userService = UserService.instance()
    # The second argument presumably limits which attributes are fetched --
    # see UserService.getUser.
    target = userService.getUser(user_name, attribute_name)
    if target is None:
        return None

    custom_attribute = userService.getCustomAttribute(target, attribute_name)
    if custom_attribute is None:
        return None

    value = custom_attribute.getValue()
    print "Basic (lock account). Get user attribute. User's '%s' attribute '%s' value is '%s'" % (user_name, attribute_name, value)
    return value
def lockUser(self, user_name):
    """Lock the user ``user_name`` by setting ``gluuStatus`` to ``inactive``.

    Does nothing when the user name is empty, the user does not exist, or
    the status is already ``inactive``.  Always returns None.
    """
    if StringHelper.isEmpty(user_name):
        return None

    userService = UserService.instance()
    target = userService.getUser(user_name)
    if target is None:
        return None

    status = userService.getCustomAttribute(target, "gluuStatus")
    if status is not None and StringHelper.equals(status.getValue(), "inactive"):
        print "Basic (lock account). Lock user. User '%s' locked already" % user_name
        return

    userService.setCustomAttribute(target, "gluuStatus", "inactive")
    userService.updateUser(target)

    print "Basic (lock account). Lock user. User '%s' locked" % user_name
def getClientConfiguration(self, configurationAttributes, requestParameters):
    """Look up the per-client Google+ configuration attribute.

    The attribute name comes from ``gplus_client_configuration_attribute``;
    the client is identified by the ``client_id`` request parameter, falling
    back to ``stored_request_parameters`` in the event context.  Returns the
    client's custom attribute (a None or empty value is logged but still
    returned), or None when the property is not configured, there are no
    request parameters, no client id is available, or the client is unknown.
    """
    # Get client configuration
    if not configurationAttributes.containsKey("gplus_client_configuration_attribute"):
        return None

    attribute_name = configurationAttributes.get("gplus_client_configuration_attribute").getValue2()
    print "Google+ GetClientConfiguration. Using client attribute:", attribute_name

    if requestParameters is None:
        return None

    # Attempt to determine client_id from request
    client_id = None
    client_id_values = requestParameters.get("client_id")
    if ArrayHelper.isNotEmpty(client_id_values) and StringHelper.isNotEmptyString(client_id_values[0]):
        client_id = client_id_values[0]

    # Attempt to determine client_id from event context
    if client_id is None:
        event_context = Contexts.getEventContext()
        if event_context.isSet("stored_request_parameters"):
            client_id = event_context.get("stored_request_parameters").get("client_id")

    if client_id is None:
        print "Google+ GetClientConfiguration. client_id is empty"
        return None

    # The request-supplied id is only used once it resolves to a registered client.
    clientService = ClientService.instance()
    client = clientService.getClient(client_id)
    if client is None:
        print "Google+ GetClientConfiguration. Failed to find client", client_id, " in local LDAP"
        return None

    configuration = clientService.getCustomAttribute(client, attribute_name)
    if configuration is None or StringHelper.isEmpty(configuration.getValue()):
        print "Google+ GetClientConfiguration. Client", client_id, " attribute", attribute_name, " is empty"
    else:
        print "Google+ GetClientConfiguration. Client", client_id, " attribute", attribute_name, " is", configuration

    return configuration
def getClientConfiguration(self, configurationAttributes, requestParameters):
    """Look up the per-client SAML configuration attribute.

    The attribute name comes from ``saml_client_configuration_attribute``;
    the client is identified by the ``client_id`` request parameter, falling
    back to ``sessionAttributes`` in the event context.  Returns the client's
    custom attribute (a None or empty value is logged but still returned),
    or None when the property is not configured, there are no request
    parameters, no client id is available, or the client is unknown.
    """
    # Get client configuration
    if not configurationAttributes.containsKey("saml_client_configuration_attribute"):
        return None

    attribute_name = configurationAttributes.get("saml_client_configuration_attribute").getValue2()
    print "Saml. GetClientConfiguration. Using client attribute:", attribute_name

    if requestParameters is None:
        return None

    client_id = None
    client_id_values = requestParameters.get("client_id")
    if ArrayHelper.isNotEmpty(client_id_values) and StringHelper.isNotEmptyString(client_id_values[0]):
        client_id = client_id_values[0]

    if client_id is None:
        event_context = Contexts.getEventContext()
        if event_context.isSet("sessionAttributes"):
            client_id = event_context.get("sessionAttributes").get("client_id")

    if client_id is None:
        print "Saml. GetClientConfiguration. client_id is empty"
        return None

    # The request-supplied id is only used once it resolves to a registered client.
    clientService = ClientService.instance()
    client = clientService.getClient(client_id)
    if client is None:
        print "Saml. GetClientConfiguration. Failed to find client", client_id, " in local LDAP"
        return None

    configuration = clientService.getCustomAttribute(client, attribute_name)
    if configuration is None or StringHelper.isEmpty(configuration.getValue()):
        print "Saml. GetClientConfiguration. Client", client_id, " attribute", attribute_name, " is empty"
    else:
        print "Saml. GetClientConfiguration. Client", client_id, " attribute", attribute_name, " is", configuration

    return configuration
def prepareClientRedirectUris(self, configurationAttributes):
    """Build the set of allowed client redirect URIs from ``client_redirect_uris``.

    The property is a comma-separated list; every entry is added to a Java
    HashSet exactly as split (no whitespace trimming) so later membership
    checks are cheap.  An absent, empty or unsplittable property yields an
    empty set, with a log line in the latter two cases.
    """
    allowed = HashSet()

    if not configurationAttributes.containsKey("client_redirect_uris"):
        return allowed

    raw_list = configurationAttributes.get("client_redirect_uris").getValue2()
    if StringHelper.isEmpty(raw_list):
        print "Casa client registration. The property client_redirect_uris is empty"
        return allowed

    entries = StringHelper.split(raw_list, ",")
    if ArrayHelper.isEmpty(entries):
        print "Casa client registration. No clients specified in client_redirect_uris property"
        return allowed

    # Convert to HashSet to quick search
    for uri in entries:
        allowed.add(uri)

    return allowed
def init(self, configurationAttributes):
    """Load the Super-Gluu script configuration.

    ``authentication_mode`` is mandatory and must be ``one_step`` or
    ``two_step``; ``registration_uri``, ``label`` and ``qr_options`` are
    optional.  The push notification service is initialised via
    ``initPushNotificationService``.  Returns True on success, False (after
    logging) when the mandatory property is missing, empty or invalid.
    """
    print "Super-Gluu. Initialization"

    if not configurationAttributes.containsKey("authentication_mode"):
        print "Super-Gluu. Initialization. Property authentication_mode is mandatory"
        return False

    def optional(key, default):
        # Value of an optional property, or ``default`` when it is absent.
        if configurationAttributes.containsKey(key):
            return configurationAttributes.get(key).getValue2()
        return default

    self.registrationUri = optional("registration_uri", None)

    mode = configurationAttributes.get("authentication_mode").getValue2()
    if StringHelper.isEmpty(mode):
        print "Super-Gluu. Initialization. Failed to determine authentication_mode. authentication_mode configuration parameter is empty"
        return False

    self.oneStep = StringHelper.equalsIgnoreCase(mode, "one_step")
    self.twoStep = StringHelper.equalsIgnoreCase(mode, "two_step")
    if not self.oneStep and not self.twoStep:
        print "Super-Gluu. Initialization. Valid authentication_mode values are one_step and two_step"
        return False

    self.enabledPushNotifications = self.initPushNotificationService(configurationAttributes)

    self.customLabel = optional("label", None)
    # NOTE: the default is an empty dict but a configured value is whatever
    # getValue2() returns (presumably a string); readers of customQrOptions
    # have to cope with both.
    self.customQrOptions = optional("qr_options", {})

    print "Super-Gluu. Initialized successfully. oneStep: '%s', twoStep: '%s', pushNotifications: '%s', customLabel: '%s'" % (self.oneStep, self.twoStep, self.enabledPushNotifications, self.customLabel)
    return True
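def init(self, configuration_attributes):
    """Load the ThumbSignIn script configuration into module globals.

    Mandatory properties: ``ts_host``, ``ts_apiKey``, ``ts_apiSecret``,
    ``azure_tenant_id``, ``azure_client_id``, ``azure_client_secret``.
    Optional, paired: ``azure_ad_attributes_list`` /
    ``gluu_ldap_attributes_list`` (comma-separated, turned into
    ``attributes_mapping`` by ``attribute_mapping_function``).  The
    remaining globals are fixed string constants.

    Returns True on success.  Returns False when a mandatory property is
    absent (the original dereferenced ``get(...)`` unchecked and raised
    AttributeError instead), when a paired attribute list is empty, or when
    the mapping is invalid.  ``attributes_mapping`` is now always assigned
    (None when no lists are configured) so later reads cannot hit NameError.
    """
    global ts_host, ts_api_key, ts_api_secret, ts_statusPath
    global AUTHENTICATE, REGISTER, TRANSACTION_ID, USER_ID, USER_LOGIN_FLOW
    global THUMBSIGNIN_AUTHENTICATION, THUMBSIGNIN_REGISTRATION, THUMBSIGNIN_LOGIN_POST_REGISTRATION
    global RELYING_PARTY_ID, RELYING_PARTY_LOGIN_URL
    global TSI_LOGIN_PAGE, TSI_REGISTER_PAGE, TSI_LOGIN_POST_REGISTRATION_PAGE
    global azure_tenant_id, azure_client_id, azure_client_secret
    global ADMIN, azure_user_uuid, gluu_ldap_uuid, attributes_mapping

    print "ThumbSignIn. Initialization"

    required = ("ts_host", "ts_apiKey", "ts_apiSecret",
                "azure_tenant_id", "azure_client_id", "azure_client_secret")
    for key in required:
        if not configuration_attributes.containsKey(key):
            print "ThumbSignIn. Initialization. Property %s is mandatory" % key
            return False

    ts_host = configuration_attributes.get("ts_host").getValue2()
    print "ThumbSignIn. Initialization. Value of ts_host is %s" % ts_host

    ts_api_key = configuration_attributes.get("ts_apiKey").getValue2()
    # NOTE(review): the API key is written to the log; the API secret and
    # the Azure client secret below are not.
    print "ThumbSignIn. Initialization. Value of ts_api_key is %s" % ts_api_key

    ts_api_secret = configuration_attributes.get("ts_apiSecret").getValue2()
    ts_statusPath = "/ts/secure/txn-status/"

    # String constants, presumably shared with the other methods of the script.
    AUTHENTICATE = "authenticate"
    REGISTER = "register"
    TRANSACTION_ID = "transactionId"
    USER_ID = "userId"
    USER_LOGIN_FLOW = "userLoginFlow"
    THUMBSIGNIN_AUTHENTICATION = "ThumbSignIn_Authentication"
    THUMBSIGNIN_REGISTRATION = "ThumbSignIn_Registration"
    # Spelling kept as-is: the value is a key that other code may look up.
    THUMBSIGNIN_LOGIN_POST_REGISTRATION = "ThumbSignIn_RegistrationSucess"
    RELYING_PARTY_ID = "relyingPartyId"
    RELYING_PARTY_LOGIN_URL = "relyingPartyLoginUrl"

    # Page paths.
    TSI_LOGIN_PAGE = "/auth/thumbsignin/tsLogin.xhtml"
    TSI_REGISTER_PAGE = "/auth/thumbsignin/tsRegister.xhtml"
    TSI_LOGIN_POST_REGISTRATION_PAGE = "/auth/thumbsignin/tsRegistrationSuccess.xhtml"

    azure_tenant_id = configuration_attributes.get("azure_tenant_id").getValue2()
    print "ThumbSignIn. Initialization. Value of azure_tenant_id is %s" % azure_tenant_id

    azure_client_id = configuration_attributes.get("azure_client_id").getValue2()
    print "ThumbSignIn. Initialization. Value of azure_client_id is %s" % azure_client_id

    azure_client_secret = configuration_attributes.get("azure_client_secret").getValue2()

    ADMIN = 'admin'
    azure_user_uuid = "oid"
    gluu_ldap_uuid = "uid"

    attributes_mapping = None
    if (configuration_attributes.containsKey("azure_ad_attributes_list") and
            configuration_attributes.containsKey("gluu_ldap_attributes_list")):
        azure_ad_attributes_list = configuration_attributes.get("azure_ad_attributes_list").getValue2()
        if StringHelper.isEmpty(azure_ad_attributes_list):
            print "ThumbSignIn: Initialization. The property azure_ad_attributes_list is empty"
            return False

        gluu_ldap_attributes_list = configuration_attributes.get("gluu_ldap_attributes_list").getValue2()
        if StringHelper.isEmpty(gluu_ldap_attributes_list):
            print "ThumbSignIn: Initialization. The property gluu_ldap_attributes_list is empty"
            return False

        attributes_mapping = self.attribute_mapping_function(azure_ad_attributes_list, gluu_ldap_attributes_list)
        if attributes_mapping is None:
            print "ThumbSignIn: Initialization. The attributes mapping isn't valid"
            return False

    print "ThumbSignIn. Initialized successfully"
    return True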
def authenticate(self, configurationAttributes, requestParameters, step):
    """Run one step of the OTP login flow.

    Step 1: password authentication via ``processBasicAuthentication``, then
    the OTP method is chosen -- ``authenticate`` when the user has an
    enrollment, otherwise ``enroll`` (which raises the step count to 3); the
    choice is stored in the context as ``otp_auth_method``.
    Step 2: in enrollment mode the step is a pass-through (it fails only if
    an ``auth_result`` parameter was posted); otherwise the OTP is verified.
    Step 3: OTP verification, reachable only in enrollment mode.
    Steps 2 and 3 first require a valid session state.  Any other step
    returns False.
    """
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()

    context = Contexts.getEventContext()
    session_attributes = context.get("sessionAttributes")
    self.setEventContextParameters(context)

    if step == 1:
        print "OTP. Authenticate for step 1"
        if self.processBasicAuthentication(credentials) is None:
            return False

        method = "authenticate"
        # Uncomment this block if you need to allow user second OTP registration
        #enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton")
        #if StringHelper.isNotEmpty(enrollment_mode):
        #    method = "enroll"

        # A user without any enrollment is switched to enrollment mode.
        if method == "authenticate" and len(self.findEnrollments(user_name)) == 0:
            method = "enroll"
            print "OTP. Authenticate for step 1. There is no OTP enrollment for user '%s'. Changing otp_auth_method to '%s'" % (user_name, method)

        if method == "enroll":
            print "OTP. Authenticate for step 1. Setting count steps: '%s'" % 3
            context.set("otp_count_login_steps", 3)

        print "OTP. Authenticate for step 1. otp_auth_method: '%s'" % method
        context.set("otp_auth_method", method)
        return True

    if step == 2:
        print "OTP. Authenticate for step 2"
        if not self.validateSessionState(session_attributes):
            return False

        # Restore state from session
        method = session_attributes.get("otp_auth_method")
        if method == 'enroll':
            auth_result = ServerUtil.getFirstValue(requestParameters, "auth_result")
            if not StringHelper.isEmpty(auth_result):
                print "OTP. Authenticate for step 2. User not enrolled OTP"
                return False
            print "OTP. Authenticate for step 2. Skipping this step during enrollment"
            return True

        result = self.processOtpAuthentication(requestParameters, user_name, session_attributes, method)
        print "OTP. Authenticate for step 2. OTP authentication result: '%s'" % result
        return result

    if step == 3:
        print "OTP. Authenticate for step 3"
        if not self.validateSessionState(session_attributes):
            return False

        # Restore state from session
        method = session_attributes.get("otp_auth_method")
        if method != 'enroll':
            return False

        result = self.processOtpAuthentication(requestParameters, user_name, session_attributes, method)
        print "OTP. Authenticate for step 3. OTP authentication result: '%s'" % result
        return result

    return False
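def authenticate(self, configurationAttributes, requestParameters, step):
    """Run one step of the SAML login flow and report whether it passed.

    Step 1 consumes the "SAMLResponse" request parameter and, depending on
    the "saml_deployment_type" configuration property, maps the asserted
    NameID onto a local account ("map"), enrolls a new local account
    ("enroll" / "enroll_all_attr") or looks the NameID up directly as a
    local uid. When "saml_allow_basic_login" is on and the login form
    carried a username and password, step 1 instead does a plain password
    login. Step 2 only runs for "map" when no local account was linked yet:
    the user proves a local password and the NameID is attached to that
    account as an "oxExternalUid" value ("saml:<NameID>").

    Returns True when the step succeeded, False otherwise. Values the next
    step needs ("saml_count_login_steps", "saml_user_uid") go into the
    event context.
    """
    context = Contexts.getEventContext()
    authenticationService = AuthenticationService.instance()
    userService = UserService.instance()

    saml_map_user = False
    saml_enroll_user = False
    saml_enroll_all_user_attr = False
    # Use saml_deployment_type only if there is no attributes mapping
    if configurationAttributes.containsKey("saml_deployment_type"):
        saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2())
        saml_map_user = StringHelper.equalsIgnoreCase(saml_deployment_type, "map")
        saml_enroll_user = StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")
        saml_enroll_all_user_attr = StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")

    saml_allow_basic_login = False
    if configurationAttributes.containsKey("saml_allow_basic_login"):
        saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False)

    # Detect whether the user submitted the basic (password) login form
    use_basic_auth = False
    if saml_allow_basic_login:
        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()
        if StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password):
            use_basic_auth = True

    if step == 1 and use_basic_auth:
        print "Saml. Authenticate for step 1. Basic authentication"
        context.set("saml_count_login_steps", 1)
        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            logged_in = userService.authenticate(user_name, user_password)
        if not logged_in:
            return False
        return True

    if step == 1:
        print "Saml. Authenticate for step 1"
        currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
        if currentSamlConfiguration == None:
            print "Saml. Prepare for step 1. Client saml configuration is invalid"
            return False

        saml_response_array = requestParameters.get("SAMLResponse")
        if ArrayHelper.isEmpty(saml_response_array):
            print "Saml. Authenticate for step 1. saml_response is empty"
            return False
        saml_response = saml_response_array[0]
        # NOTE: this writes the whole (base64) assertion, attributes included, to the log
        print "Saml. Authenticate for step 1. saml_response: '%s'" % saml_response

        samlResponse = Response(currentSamlConfiguration)
        samlResponse.loadXmlFromBase64(saml_response)

        saml_validate_response = True
        if configurationAttributes.containsKey("saml_validate_response"):
            saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False)
        # An assertion that fails validation must not log anyone in; the
        # previous code only logged this condition and carried on.
        if saml_validate_response and not samlResponse.isValid():
            print "Saml. Authenticate for step 1. saml_response isn't valid"
            return False

        saml_response_name_id = samlResponse.getNameId()
        if StringHelper.isEmpty(saml_response_name_id):
            print "Saml. Authenticate for step 1. saml_response_name_id is invalid"
            return False
        print "Saml. Authenticate for step 1. saml_response_name_id: '%s'" % saml_response_name_id

        saml_response_attributes = samlResponse.getAttributes()
        print "Saml. Authenticate for step 1. attributes: '%s'" % saml_response_attributes

        # Use persistent Id as saml_user_uid
        saml_user_uid = saml_response_name_id
        saml_external_uid = "saml:" + saml_user_uid

        if saml_map_user:
            # Use mapping to local IDP user
            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", saml_external_uid)
            if find_user_by_uid == None:
                # Not linked yet: step 2 asks for a local password and links the account
                print "Saml. Authenticate for step 1. Failed to find user"
                print "Saml. Authenticate for step 1. Setting count steps to 2"
                context.set("saml_count_login_steps", 2)
                context.set("saml_user_uid", saml_user_uid)
                return True
            return self._samlFinishStep1Login(context, authenticationService, configurationAttributes, find_user_by_uid)

        elif saml_enroll_user:
            # Use auto enrollment to local IDP
            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", saml_external_uid)
            if find_user_by_uid == None:
                print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
                newUser = self._samlBuildMappedUser(configurationAttributes, requestParameters, saml_response_attributes, saml_user_uid)
                if not self.checkUserUniqueness(newUser):
                    self._samlReportUserNotUnique(newUser)
                    return False
                find_user_by_uid = userService.addUser(newUser, True)
                if find_user_by_uid == None:
                    print "Saml. Authenticate for step 1. Failed to add user"
                    return False
                print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId()
            return self._samlFinishStep1Login(context, authenticationService, configurationAttributes, find_user_by_uid)

        elif saml_enroll_all_user_attr:
            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:" + saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", saml_external_uid)
            if find_user_by_uid == None:
                print "Saml. Authenticate for step 1. Failed to find user"
                user = self._samlBuildUserFromAllAttributes(saml_response_attributes, saml_user_uid)
                if not self.checkUserUniqueness(user):
                    self._samlReportUserNotUnique(user)
                    return False
                find_user_by_uid = userService.addUser(user, True)
                if find_user_by_uid == None:
                    print "Saml. Authenticate for step 1. Failed to add user"
                    return False
                print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId()
            return self._samlFinishStep1Login(context, authenticationService, configurationAttributes, find_user_by_uid)

        else:
            # No mapping or enrollment configured: the NameID must be a local uid
            print "Saml. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid
            find_user_by_uid = userService.getUser(saml_user_uid)
            if find_user_by_uid == None:
                print "Saml. Authenticate for step 1. Failed to find user"
                return False
            return self._samlFinishStep1Login(context, authenticationService, configurationAttributes, find_user_by_uid)

    elif step == 2:
        print "Saml. Authenticate for step 2"
        sessionAttributes = context.get("sessionAttributes")
        if sessionAttributes == None or not sessionAttributes.containsKey("saml_user_uid"):
            print "Saml. Authenticate for step 2. saml_user_uid is empty"
            return False
        saml_user_uid = sessionAttributes.get("saml_user_uid")
        if not StringHelper.isNotEmptyString(saml_user_uid):
            # Step 1 did not store a NameID, so this step was not reached legitimately
            return False

        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()
        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            logged_in = userService.authenticate(user_name, user_password)
        if not logged_in:
            return False

        saml_external_uid = "saml:" + saml_user_uid
        # Avoid mapping one SAML account to more than one local account
        find_user_by_uid = userService.getUserByAttribute("oxExternalUid", saml_external_uid)
        if find_user_by_uid == None:
            # Link the NameID to the account that just proved its password
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", saml_external_uid)
            if find_user_by_uid == None:
                print "Saml. Authenticate for step 2. Failed to update current user"
                return False
        else:
            found_user_name = find_user_by_uid.getUserId()
            print "Saml. Authenticate for step 2. found_user_name: '%s'" % found_user_name
            if not StringHelper.equals(user_name, found_user_name):
                # The NameID is already linked to a different local account
                return False
        post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
        print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
        return post_login_result

    else:
        return False

def _samlFinishStep1Login(self, context, authenticationService, configurationAttributes, found_user):
    """Authenticate an existing local user and run the post-login extension.

    Shared tail of every step-1 branch: mark the session as authenticated
    for *found_user*, record that the flow ends after one step and return
    whatever samlExtensionPostLogin returns. Returns False when
    AuthenticationService rejects the user.
    """
    found_user_name = found_user.getUserId()
    print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
    user_authenticated = authenticationService.authenticate(found_user_name)
    if not user_authenticated:
        print "Saml. Authenticate for step 1. Failed to authenticate user: '%s'" % found_user_name
        return False
    print "Saml. Authenticate for step 1. Setting count steps to 1"
    context.set("saml_count_login_steps", 1)
    post_login_result = self.samlExtensionPostLogin(configurationAttributes, found_user)
    print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
    return post_login_result

def _samlReportUserNotUnique(self, user):
    """Log and queue a login-page error because *user* clashes with an existing entry."""
    # The format string previously had no placeholder, which raised TypeError on this path
    print "Saml. Authenticate for step 1. Failed to add user: '%s'. User not unique" % user.getAttribute("uid")
    facesMessages = FacesMessages.instance()
    facesMessages.add(StatusMessage.Severity.ERROR, "Failed to enroll. User with same key attributes exist already")
    FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True)

def _samlBuildMappedUser(self, configurationAttributes, requestParameters, saml_response_attributes, saml_user_uid):
    """Build (not persist) a new local User from the assertion attributes via the configured mapping.

    Assertion attribute names are lower-cased before lookup, so mapping keys
    are matched case-insensitively. The NameID is recorded on the user as
    "oxExternalUid" = "saml:<NameID>".
    """
    # Convert saml result attributes keys to lower case
    saml_response_normalized_attributes = HashMap()
    for saml_response_attribute_entry in saml_response_attributes.entrySet():
        saml_response_normalized_attributes.put(StringHelper.toLowerCase(saml_response_attribute_entry.getKey()), saml_response_attribute_entry.getValue())

    currentAttributesMapping = self.prepareCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
    print "Saml. Authenticate for step 1. Using next attributes mapping '%s'" % currentAttributesMapping

    newUser = User()
    # Set custom object classes
    if self.userObjectClasses != None:
        print "Saml. Authenticate for step 1. User custom objectClasses to add persons: '%s'" % Util.array2ArrayList(self.userObjectClasses)
        newUser.setCustomObjectClasses(self.userObjectClasses)

    for attributesMappingEntry in currentAttributesMapping.entrySet():
        idpAttribute = attributesMappingEntry.getKey()
        localAttribute = attributesMappingEntry.getValue()
        if self.debugEnrollment:
            print "Saml. Authenticate for step 1. Trying to map '%s' into '%s'" % (idpAttribute, localAttribute)
        localAttributeValue = saml_response_normalized_attributes.get(idpAttribute)
        if localAttributeValue != None:
            if self.debugEnrollment:
                print "Saml. Authenticate for step 1. Setting attribute '%s' value '%s'" % (localAttribute, localAttributeValue)
            newUser.setAttribute(localAttribute, localAttributeValue)

    newUser.setAttribute("oxExternalUid", "saml:" + saml_user_uid)
    print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
    return newUser

def _samlBuildUserFromAllAttributes(self, saml_response_attributes, saml_user_uid):
    """Build (not persist) a new local User carrying every assertion attribute that has a SAML2 URI in the attribute catalogue.

    "sn" and "cn" fall back to the NameID when the assertion did not supply
    them; "oxExternalUid" is set to "saml:<NameID>".
    """
    user = User()
    # Set custom object classes
    if self.userObjectClasses != None:
        print "Saml. Authenticate for step 1. User custom objectClasses to add persons: '%s'" % Util.array2ArrayList(self.userObjectClasses)
        user.setCustomObjectClasses(self.userObjectClasses)

    customAttributes = ArrayList()
    # NOTE(review): attributeService is not defined in this method; presumably a
    # module-level bean — confirm. The catalogue is read once instead of per key.
    ldapAttributes = attributeService.getAllAttributes()
    for key in saml_response_attributes.keySet():
        for ldapAttribute in ldapAttributes:
            saml2Uri = ldapAttribute.getSaml2Uri()
            if saml2Uri == None:
                saml2Uri = attributeService.getDefaultSaml2Uri(ldapAttribute.getName())
            if saml2Uri == key:
                attribute = CustomAttribute(ldapAttribute.getName())
                # Previously read `attributes.get(key)`, a name that does not exist here
                attribute.setValues(saml_response_attributes.get(key))
                customAttributes.add(attribute)

    attribute = CustomAttribute("oxExternalUid")
    attribute.setValue("saml:" + saml_user_uid)
    customAttributes.add(attribute)
    user.setCustomAttributes(customAttributes)

    # sn/cn additions go to the same list object the user already holds
    if user.getAttribute("sn") == None:
        attribute = CustomAttribute("sn")
        attribute.setValue(saml_user_uid)
        customAttributes.add(attribute)
    if user.getAttribute("cn") == None:
        attribute = CustomAttribute("cn")
        attribute.setValue(saml_user_uid)
        customAttributes.add(attribute)
    return user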
def processOtpAuthentication(self, requestParameters, user_name, session_attributes, otp_auth_method):
    """Check the OTP code submitted as "loginForm:otpCode" for *user_name*.

    With otp_auth_method "enroll" the code is checked against the secret
    that an earlier step stored in the session ("otp_secret_key") and, on
    success, the secret is persisted on the user as an "oxExternalUid"
    value ("hotp:<key>;<counter>" or "totp:<key>"). With "authenticate" the
    code is checked against every enrollment found for the user; for HOTP
    the stored counter is replaced by the one the check reached.

    Returns True when the code was accepted (and, where needed, the user
    entry updated), False otherwise; a message is queued for the login page
    on failure.
    """
    messages = FacesMessages.instance()
    FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True)
    users = UserService.instance()

    code = ServerUtil.getFirstValue(requestParameters, "loginForm:otpCode")
    if StringHelper.isEmpty(code):
        messages.add(StatusMessage.Severity.ERROR, "Failed to authenticate. OTP code is empty")
        print "OTP. Process OTP authentication. otpCode is empty"
        return False

    def accepted(outcome):
        # validateHotpKey / validateTotpKey answer with None or a mapping whose
        # "result" entry tells whether the code matched
        return outcome is not None and outcome["result"]

    if otp_auth_method == "enroll":
        encoded_secret = session_attributes.get("otp_secret_key")
        if encoded_secret is None:
            print "OTP. Process OTP authentication. OTP secret key is invalid"
            return False
        secret = self.fromBase64Url(encoded_secret)

        if self.otpType == "hotp":
            outcome = self.validateHotpKey(secret, 1, code)
            if accepted(outcome):
                print "OTP. Process HOTP authentication during enrollment. otpCode is valid"
                # Persist the secret together with the counter the check reached
                external_uid = "hotp:%s;%s" % (encoded_secret, outcome["movingFactor"])
                if users.addUserAttribute(user_name, "oxExternalUid", external_uid) is not None:
                    return True
                print "OTP. Process HOTP authentication during enrollment. Failed to update user entry"
        elif self.otpType == "totp":
            outcome = self.validateTotpKey(secret, code)
            if accepted(outcome):
                print "OTP. Process TOTP authentication during enrollment. otpCode is valid"
                external_uid = "totp:%s" % encoded_secret
                if users.addUserAttribute(user_name, "oxExternalUid", external_uid) is not None:
                    return True
                print "OTP. Process TOTP authentication during enrollment. Failed to update user entry"

    elif otp_auth_method == "authenticate":
        enrollments = self.findEnrollments(user_name)
        if len(enrollments) == 0:
            print "OTP. Process OTP authentication. There is no OTP enrollment for user '%s'" % user_name
            messages.add(StatusMessage.Severity.ERROR, "There is no valid OTP user enrollments")
            return False

        if self.otpType == "hotp":
            for enrollment in enrollments:
                # Stored form is "<key>;<counter>"
                parts = enrollment.split(";")
                encoded_secret = parts[0]
                counter = StringHelper.toInteger(parts[1])
                outcome = self.validateHotpKey(self.fromBase64Url(encoded_secret), counter, code)
                if not accepted(outcome):
                    continue
                print "OTP. Process HOTP authentication during authentication. otpCode is valid"
                # Move the stored counter forward to the one the check reached
                old_external_uid = "hotp:%s;%s" % (encoded_secret, counter)
                new_external_uid = "hotp:%s;%s" % (encoded_secret, outcome["movingFactor"])
                if users.replaceUserAttribute(user_name, "oxExternalUid", old_external_uid, new_external_uid) is not None:
                    return True
                # Counter could not be saved: fall through and reject
                print "OTP. Process HOTP authentication during authentication. Failed to update user entry"
        elif self.otpType == "totp":
            # NOTE(review): nothing here records the last accepted time step, so
            # a code stays acceptable for as long as its window is open
            for enrollment in enrollments:
                outcome = self.validateTotpKey(self.fromBase64Url(enrollment), code)
                if accepted(outcome):
                    print "OTP. Process TOTP authentication during authentication. otpCode is valid"
                    return True

    messages.add(StatusMessage.Severity.ERROR, "Failed to authenticate. OTP code is invalid")
    print "OTP. Process OTP authentication. OTP code is invalid"
    return False
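def prepareForStep(self, configurationAttributes, requestParameters, step):
    """Prepare the UAF out-of-band (OOB) registration or authentication for step 2.

    Step 1 needs nothing. Step 2 asks the UAF server (self.uaf_server_uri)
    to START an OOB registration ("OOB_REG") or, when the session's
    "uaf_auth_method" is "authenticate", an OOB authentication ("OOB_AUTH"),
    and stores what the page and the later STATUS poll need in the event
    context: "uaf_obb_auth_method", "uaf_obb_server_uri",
    "uaf_obb_start_response", "qr_image" and "uaf_obb_status_request".

    Returns True when the step is ready to be shown, False otherwise.
    """
    context = Contexts.getEventContext()
    session_attributes = context.get("sessionAttributes")
    self.setEventContextParameters(context)

    if step == 1:
        return True
    if step != 2:
        return False

    print "UAF. Prepare for step 2"
    session_state = SessionStateService.instance().getSessionStateFromCookie()
    if StringHelper.isEmpty(session_state):
        print "UAF. Prepare for step 2. Failed to determine session_state"
        return False

    authenticationService = AuthenticationService.instance()
    user = authenticationService.getAuthenticatedUser()
    if user == None:
        print "UAF. Prepare for step 2. Failed to determine user name"
        return False

    uaf_auth_method = None
    if session_attributes != None:
        uaf_auth_method = session_attributes.get("uaf_auth_method")
    if StringHelper.isEmpty(uaf_auth_method):
        print "UAF. Prepare for step 2. Failed to determine auth_method"
        return False
    print "UAF. Prepare for step 2. uaf_auth_method: '%s'" % uaf_auth_method

    uaf_obb_auth_method = "OOB_REG"
    uaf_obb_server_uri = self.uaf_server_uri + "/nnl/v2/reg"
    if StringHelper.equalsIgnoreCase(uaf_auth_method, "authenticate"):
        uaf_obb_auth_method = "OOB_AUTH"
        uaf_obb_server_uri = self.uaf_server_uri + "/nnl/v2/auth"

    # Prepare START_OBB
    uaf_obb_start_request_dictionary = {
        "operation": "START_%s" % uaf_obb_auth_method,
        "userName": user.getUserId(),
        "policyName": "default",
        "oobMode": {"qr": "true", "rawData": "false", "push": "false"}
    }
    uaf_obb_start_request = json.dumps(uaf_obb_start_request_dictionary, separators=(',', ':'))
    print "UAF. Prepare for step 2. Prepared START request: '%s' to send to '%s'" % (uaf_obb_start_request, uaf_obb_server_uri)

    # Request START_OBB
    uaf_obb_start_response = self.executePost(uaf_obb_server_uri, uaf_obb_start_request)
    if uaf_obb_start_response == None:
        return False
    print "UAF. Prepare for step 2. Get START response: '%s'" % uaf_obb_start_response

    # The body comes from a remote server: a malformed or incomplete one fails
    # the step instead of escaping as an uncaught exception
    try:
        uaf_obb_start_response_json = json.loads(uaf_obb_start_response)
        oob_status_handle = uaf_obb_start_response_json["oobStatusHandle"]
        qr_image = uaf_obb_start_response_json["modeResult"]["qrCode"]["qrImage"]
    except (ValueError, KeyError, TypeError), ex:
        print "UAF. Prepare for step 2. START response is not usable:", ex
        return False

    # Prepare STATUS_OBB
    # TODO: Remove needDetails parameter
    uaf_obb_status_request_dictionary = {
        "operation": "STATUS_%s" % uaf_obb_auth_method,
        "userName": user.getUserId(),
        "needDetails": 1,
        "oobStatusHandle": oob_status_handle,
    }
    uaf_obb_status_request = json.dumps(uaf_obb_status_request_dictionary, separators=(',', ':'))
    print "UAF. Prepare for step 2. Prepared STATUS request: '%s' to send to '%s'" % (uaf_obb_status_request, uaf_obb_server_uri)

    context.set("uaf_obb_auth_method", uaf_obb_auth_method)
    context.set("uaf_obb_server_uri", uaf_obb_server_uri)
    context.set("uaf_obb_start_response", uaf_obb_start_response)
    context.set("qr_image", qr_image)
    context.set("uaf_obb_status_request", uaf_obb_status_request)
    return True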
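def prepareForStep(self, configurationAttributes, requestParameters, step):
    """Build the Super-Gluu request the login page (and, in step 2, the push notification) uses.

    Step 1 in one-step mode (self.oneStep) creates the request without a
    user name; in two-step mode step 1 needs nothing. Step 2 in two-step
    mode creates the request for the already authenticated user and, when
    the session's "super_gluu_auth_method" is "authenticate", sends a push
    notification. The serialised request is stored in the event context as
    "super_gluu_request"; step 2 reuses one already present in the session.

    Returns True when the step is ready to be shown, False otherwise.
    """
    context = Contexts.getEventContext()
    session_attributes = context.get("sessionAttributes")

    client_redirect_uri = self.getClientRedirecUri(session_attributes)
    if client_redirect_uri == None:
        print "Super-Gluu. Prepare for step. redirect_uri is not set"
        return False

    self.setEventContextParameters(context)

    if step == 1:
        print "Super-Gluu. Prepare for step 1"
        if self.oneStep:
            session_state = SessionStateService.instance().getSessionStateFromCookie()
            if StringHelper.isEmpty(session_state):
                # This log line previously reported "step 2" on the step-1 path
                print "Super-Gluu. Prepare for step 1. Failed to determine session_state"
                return False

            issuer = ConfigurationFactory.instance().getConfiguration().getIssuer()
            # 'created' is naive local server time — TODO confirm the receiving app tolerates a zone-less timestamp
            super_gluu_request_dictionary = {'app': client_redirect_uri, 'issuer': issuer, 'state': session_state, 'created': datetime.datetime.now().isoformat()}
            self.addGeolocationData(session_attributes, super_gluu_request_dictionary)
            super_gluu_request = json.dumps(super_gluu_request_dictionary, separators=(',',':'))
            print "Super-Gluu. Prepare for step 1. Prepared super_gluu_request:", super_gluu_request
            context.set("super_gluu_request", super_gluu_request)
        # Two-step mode: nothing to prepare here (a "display_register_action"
        # context flag could be set for the page in that case)
        return True

    elif step == 2:
        print "Super-Gluu. Prepare for step 2"
        if self.oneStep:
            return True

        authenticationService = AuthenticationService.instance()
        user = authenticationService.getAuthenticatedUser()
        if user == None:
            print "Super-Gluu. Prepare for step 2. Failed to determine user name"
            return False

        if session_attributes.containsKey("super_gluu_request"):
            print "Super-Gluu. Prepare for step 2. Request was generated already"
            return True

        session_state = SessionStateService.instance().getSessionStateFromCookie()
        if StringHelper.isEmpty(session_state):
            print "Super-Gluu. Prepare for step 2. Failed to determine session_state"
            return False

        auth_method = session_attributes.get("super_gluu_auth_method")
        if StringHelper.isEmpty(auth_method):
            print "Super-Gluu. Prepare for step 2. Failed to determine auth_method"
            return False
        print "Super-Gluu. Prepare for step 2. auth_method: '%s'" % auth_method

        issuer = ConfigurationFactory.instance().getConfiguration().getIssuer()
        # 'created' is naive local server time — TODO confirm the receiving app tolerates a zone-less timestamp
        super_gluu_request_dictionary = {'username': user.getUserId(), 'app': client_redirect_uri, 'issuer': issuer, 'method': auth_method, 'state': session_state, 'created': datetime.datetime.now().isoformat()}
        self.addGeolocationData(session_attributes, super_gluu_request_dictionary)
        super_gluu_request = json.dumps(super_gluu_request_dictionary, separators=(',',':'))
        print "Super-Gluu. Prepare for step 2. Prepared super_gluu_request:", super_gluu_request
        context.set("super_gluu_request", super_gluu_request)

        # Only authentication (not enrollment) can be pushed to an already registered device
        if auth_method in ['authenticate']:
            self.sendPushNotification(client_redirect_uri, user, super_gluu_request)
        return True

    else:
        return False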
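def authenticate(self, configurationAttributes, requestParameters, step):
    """Run one step of the CAS 2.0 login flow and report whether it passed.

    Step 1 takes the "ticket" request parameter, validates it against the
    CAS server's /serviceValidate endpoint and, depending on
    self.cas_map_user, either looks the CAS user up by "oxExternalUid"
    ("cas2:<uid>") or directly by local uid. When mapping is on and no
    local account is linked yet, the flow is extended to two steps and
    step 2 links the CAS uid to the local account whose password the user
    proves.

    Returns True when the step succeeded, False otherwise. Values the next
    step needs ("cas2_count_login_steps", "cas2_user_uid") are stored as
    Identity working parameters.
    """
    identity = CdiUtil.bean(Identity)
    credentials = identity.getCredentials()
    userService = CdiUtil.bean(UserService)
    requestParameterService = CdiUtil.bean(RequestParameterService)
    authenticationService = CdiUtil.bean(AuthenticationService)
    httpService = CdiUtil.bean(HttpService)

    if step == 1:
        print "CAS2. Authenticate for step 1"
        ticket_array = requestParameters.get("ticket")
        if ArrayHelper.isEmpty(ticket_array):
            print "CAS2. Authenticate for step 1. ticket is empty"
            return False
        ticket = ticket_array[0]
        # Checked before it is logged so a null element cannot break the concatenation
        if StringHelper.isEmptyString(ticket):
            print "CAS2. Authenticate for step 1. ticket is invalid"
            return False
        # NOTE: the service ticket is a credential; this line puts it in the log
        print "CAS2. Authenticate for step 1. ticket: " + ticket

        validation_content = self._cas2ValidateTicket(ticket, httpService, requestParameterService)
        # Emptiness is checked before logging; the previous order concatenated a possibly null body
        if StringHelper.isEmpty(validation_content):
            print "CAS2. Authenticate for step 1. Ticket validation response is invalid"
            return False
        print "CAS2. Authenticate for step 1. validation_content: " + validation_content

        cas2_auth_failure = self.parse_tag(validation_content, "cas:authenticationFailure")
        print "CAS2. Authenticate for step 1. cas2_auth_failure: ", cas2_auth_failure
        cas2_user_uid = self.parse_tag(validation_content, "cas:user")
        print "CAS2. Authenticate for step 1. cas2_user_uid: ", cas2_user_uid
        if cas2_auth_failure != None or cas2_user_uid == None:
            print "CAS2. Authenticate for step 1. Ticket is invalid"
            return False

        if self.cas_map_user:
            print "CAS2. Authenticate for step 1. Attempting to find user by oxExternalUid: cas2:" + cas2_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid)
            if find_user_by_uid == None:
                # Not linked yet: step 2 asks for a local password and links the account
                print "CAS2. Authenticate for step 1. Failed to find user"
                print "CAS2. Authenticate for step 1. Setting count steps to 2"
                identity.setWorkingParameter("cas2_count_login_steps", 2)
                identity.setWorkingParameter("cas2_user_uid", cas2_user_uid)
                return True
        else:
            print "CAS2. Authenticate for step 1. Attempting to find user by uid:" + cas2_user_uid
            find_user_by_uid = userService.getUser(cas2_user_uid)
            if find_user_by_uid == None:
                print "CAS2. Authenticate for step 1. Failed to find user"
                return False
        return self._cas2LoginFoundUser(identity, authenticationService, find_user_by_uid)

    elif step == 2:
        print "CAS2. Authenticate for step 2"
        # The previous code had this test inverted, so step 2 could never succeed
        if not identity.isSetWorkingParameter("cas2_user_uid"):
            print "CAS2. Authenticate for step 2. cas2_user_uid is empty"
            return False
        cas2_user_uid = identity.getWorkingParameter("cas2_user_uid")
        if not StringHelper.isNotEmptyString(cas2_user_uid):
            # Step 1 did not store a uid, so this step was not reached legitimately
            return False

        user_name = credentials.getUsername()
        user_password = credentials.getPassword()
        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            logged_in = authenticationService.authenticate(user_name, user_password)
        if not logged_in:
            return False

        cas2_external_uid = "cas2:" + cas2_user_uid
        # Avoid mapping one CAS2 account to more than one local account
        find_user_by_uid = userService.getUserByAttribute("oxExternalUid", cas2_external_uid)
        if find_user_by_uid == None:
            # Link the CAS uid to the account that just proved its password
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", cas2_external_uid)
            if find_user_by_uid == None:
                print "CAS2. Authenticate for step 2. Failed to update current user"
                return False
            return True
        found_user_name = find_user_by_uid.getUserId()
        print "CAS2. Authenticate for step 2. found_user_name: " + found_user_name
        # Only the account already linked to this CAS uid may log in with it
        if StringHelper.equals(user_name, found_user_name):
            return True
        return False

    else:
        return False

def _cas2ValidateTicket(self, ticket, httpService, requestParameterService):
    """Call the CAS /serviceValidate endpoint for *ticket* and return the response body.

    The "service" parameter is this server's /postlogin URL.
    self.cas_renew_opt adds renew=true and self.cas_extra_opts, when set,
    is appended verbatim to the query string. The HTTP connection is
    released whether or not reading the body succeeds.
    """
    facesContext = CdiUtil.bean(FacesContext)
    request = facesContext.getExternalContext().getRequest()
    parametersMap = HashMap()
    parametersMap.put("service", httpService.constructServerUrl(request) + "/postlogin")
    if self.cas_renew_opt:
        parametersMap.put("renew", "true")
    parametersMap.put("ticket", ticket)
    cas_service_request_uri = self.cas_host + "/serviceValidate?" + requestParameterService.parametersAsString(parametersMap)
    if self.cas_extra_opts != None:
        cas_service_request_uri = cas_service_request_uri + "&" + self.cas_extra_opts
    print "CAS2. Authenticate for step 1. cas_service_request_uri: " + cas_service_request_uri

    http_client = httpService.getHttpsClient()
    http_service_response = httpService.executeGet(http_client, cas_service_request_uri)
    try:
        return httpService.convertEntityToString(httpService.getResponseContent(http_service_response.getHttpResponse()))
    finally:
        http_service_response.closeConnection()

def _cas2LoginFoundUser(self, identity, authenticationService, found_user):
    """Mark the session as authenticated for *found_user* and end the flow after step 1.

    Returns False when AuthenticationService rejects the user; the previous
    code ignored that result and reported success regardless.
    NOTE(review): assumes the one-argument authenticate() returns a boolean
    like the two-argument form used in step 2 — confirm.
    """
    found_user_name = found_user.getUserId()
    print "CAS2. Authenticate for step 1. found_user_name: " + found_user_name
    if not authenticationService.authenticate(found_user_name):
        print "CAS2. Authenticate for step 1. Failed to authenticate user: " + found_user_name
        return False
    print "CAS2. Authenticate for step 1. Setting count steps to 1"
    identity.setWorkingParameter("cas2_count_login_steps", 1)
    return True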
def processOtpAuthentication(self, requestParameters, user_name, identity, otp_auth_method):
    """Check the OTP code submitted as "loginForm:otpCode" for *user_name*.

    With otp_auth_method "enroll" the code is checked against the secret
    kept in the Identity working parameter "otp_secret_key" and, on
    success, the secret is persisted on the user as an "oxExternalUid"
    value ("hotp:<key>;<counter>" or "totp:<key>"). With "authenticate"
    the code is checked against every enrollment found for the user; for
    HOTP the stored counter is replaced by the one the check reached.

    Returns True when the code was accepted (and, where needed, the user
    entry updated), False otherwise; a message is queued for the login page
    on failure.
    """
    messages = CdiUtil.bean(FacesMessages)
    messages.setKeepMessages()
    users = CdiUtil.bean(UserService)

    code = ServerUtil.getFirstValue(requestParameters, "loginForm:otpCode")
    if StringHelper.isEmpty(code):
        messages.add(FacesMessage.SEVERITY_ERROR, "Failed to authenticate. OTP code is empty")
        print "OTP. Process OTP authentication. otpCode is empty"
        return False

    def matched(outcome):
        # validateHotpKey / validateTotpKey answer with None or a mapping whose
        # "result" entry tells whether the code matched
        return outcome is not None and outcome["result"]

    def stored(updated_user):
        # addUserAttribute / replaceUserAttribute return the user entry, or None on failure
        return updated_user is not None

    if otp_auth_method == "enroll":
        encoded_secret = identity.getWorkingParameter("otp_secret_key")
        if encoded_secret is None:
            print "OTP. Process OTP authentication. OTP secret key is invalid"
            return False
        secret = self.fromBase64Url(encoded_secret)

        if self.otpType == "hotp":
            outcome = self.validateHotpKey(secret, 1, code)
            if matched(outcome):
                print "OTP. Process HOTP authentication during enrollment. otpCode is valid"
                # Persist the secret together with the counter the check reached
                external_uid = "hotp:%s;%s" % (encoded_secret, outcome["movingFactor"])
                if stored(users.addUserAttribute(user_name, "oxExternalUid", external_uid)):
                    return True
                print "OTP. Process HOTP authentication during enrollment. Failed to update user entry"
        elif self.otpType == "totp":
            outcome = self.validateTotpKey(secret, code)
            if matched(outcome):
                print "OTP. Process TOTP authentication during enrollment. otpCode is valid"
                external_uid = "totp:%s" % encoded_secret
                if stored(users.addUserAttribute(user_name, "oxExternalUid", external_uid)):
                    return True
                print "OTP. Process TOTP authentication during enrollment. Failed to update user entry"

    elif otp_auth_method == "authenticate":
        enrollments = self.findEnrollments(user_name)
        if len(enrollments) == 0:
            print "OTP. Process OTP authentication. There is no OTP enrollment for user '%s'" % user_name
            messages.add(FacesMessage.SEVERITY_ERROR, "There is no valid OTP user enrollments")
            return False

        if self.otpType == "hotp":
            for enrollment in enrollments:
                # Stored form is "<key>;<counter>"
                parts = enrollment.split(";")
                encoded_secret = parts[0]
                counter = StringHelper.toInteger(parts[1])
                outcome = self.validateHotpKey(self.fromBase64Url(encoded_secret), counter, code)
                if not matched(outcome):
                    continue
                print "OTP. Process HOTP authentication during authentication. otpCode is valid"
                # Move the stored counter forward to the one the check reached
                old_external_uid = "hotp:%s;%s" % (encoded_secret, counter)
                new_external_uid = "hotp:%s;%s" % (encoded_secret, outcome["movingFactor"])
                if stored(users.replaceUserAttribute(user_name, "oxExternalUid", old_external_uid, new_external_uid)):
                    return True
                # Counter could not be saved: fall through and reject
                print "OTP. Process HOTP authentication during authentication. Failed to update user entry"
        elif self.otpType == "totp":
            # NOTE(review): nothing here records the last accepted time step, so
            # a code stays acceptable for as long as its window is open
            for enrollment in enrollments:
                outcome = self.validateTotpKey(self.fromBase64Url(enrollment), code)
                if matched(outcome):
                    print "OTP. Process TOTP authentication during authentication. otpCode is valid"
                    return True

    messages.add(FacesMessage.SEVERITY_ERROR, "Failed to authenticate. OTP code is invalid")
    print "OTP. Process OTP authentication. OTP code is invalid"
    return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Authenticate a Passport login for the given step.

    The extension module is consulted first and any non-None result it
    returns is final. Step 1 then covers three cases: a JWT user profile
    (taken from the inbound SAML session state, else from the "user"
    request parameter) whose signature must verify before the profile is
    used; basic username/password login when no provider was chosen; or
    a provider from self.registeredProviders, which is remembered and
    step 1 is repeated. Step 2 completes a session profile with the mail
    address the user typed.

    Returns True/False for a decided step, the extension's result when it
    decides, or None when step 1 receives a provider that is not
    registered.
    """
    decided = self.extensionAuthenticate(configurationAttributes, requestParameters, step)
    if decided != None:
        return decided

    print "Passport. authenticate for step %s called" % str(step)
    identity = CdiUtil.bean(Identity)

    if step == 1:
        token = None
        # An inbound SAML flow carries the profile token in the session
        # state rather than in the request.
        if self.isInboundFlow(identity):
            print "Passport. authenticate for step 1. Detected inbound Saml flow"
            session_attrs = identity.getSessionId().getSessionAttributes()
            token = session_attrs.get(AuthorizeRequestParam.STATE)
        if token == None:
            token = ServerUtil.getFirstValue(requestParameters, "user")

        if token != None:
            print "Passport. authenticate for step 1. JWT user profile token found"
            parsed = Jwt.parse(token)
            # Nothing in the token is trusted until its signature verifies.
            if not self.validSignature(parsed):
                return False
            profile, profile_json = self.getUserProfile(parsed)
            if profile == None:
                return False
            return self.attemptAuthentication(identity, profile, profile_json)

        # No token: the provider comes from the list in passportlogin.xhtml.
        selected = ServerUtil.getFirstValue(requestParameters, "loginForm:provider")
        if StringHelper.isEmpty(selected):
            # Plain username + password login.
            print "Passport. authenticate for step 1. Basic authentication detected"
            creds = identity.getCredentials()
            login = creds.getUsername()
            secret = creds.getPassword()
            if StringHelper.isNotEmptyString(login) and StringHelper.isNotEmptyString(secret):
                authService = CdiUtil.bean(AuthenticationService)
                outcome = authService.authenticate(login, secret)
            else:
                outcome = False
            print "Passport. authenticate for step 1. Basic authentication returned: %s" % outcome
            return outcome
        if selected in self.registeredProviders:
            # Known external IDP: remember it and repeat step 1 so that
            # prepareForStep (step = 1) redirects to it.
            identity.setWorkingParameter("selectedProvider", selected)
            print "Passport. authenticate for step 1. Retrying step 1"
            return True
        # An unregistered provider value falls through and yields None.

    if step == 2:
        mail = ServerUtil.getFirstValue(requestParameters, "loginForm:email")
        stored_json = identity.getWorkingParameter("passport_user_profile")
        if mail == None:
            self.setEmailMessageError()
        elif stored_json != None:
            # Profile completion: merge the user-typed mail into the
            # profile kept in the session and try again.
            mail_attr = self.getRemoteAttr("mail")
            profile = self.getProfileFromJson(stored_json)
            profile[mail_attr] = mail
            return self.attemptAuthentication(identity, profile, stored_json)
        print "Passport. authenticate for step 2. Failed: expected mail value in HTTP request and json profile in session"
        return False
def init(self, configurationAttributes):
    """Build the SAML configuration from the script's configuration properties.

    Reads saml_certificate_file, saml_idp_sso_target_url, saml_issuer and
    saml_use_authn_context (plus saml_name_identifier_format when the
    latter is true) with no containsKey() guard, so a missing mandatory
    property is presumably reported as an exception rather than as a
    False return. Optionally builds the IdP->local attribute mapping and
    imports an extension module named by configuration.

    Returns False when the certificate file is empty, an attribute list is
    empty or the mapping is invalid, or the extension module cannot be
    imported or its init() returns a false value.
    NOTE(review): as shown, the method ends after the extension-module
    block with no success `return True` and would return None; confirm
    the tail was not lost in extraction.
    """
    print "Saml. Initialization"

    saml_certificate_file = configurationAttributes.get("saml_certificate_file").getValue2()
    saml_idp_sso_target_url = configurationAttributes.get("saml_idp_sso_target_url").getValue2()
    saml_issuer = configurationAttributes.get("saml_issuer").getValue2()
    # Defaults to True when the property cannot be parsed.
    saml_use_authn_context = StringHelper.toBoolean(configurationAttributes.get("saml_use_authn_context").getValue2(), True)
    if (saml_use_authn_context):
        saml_name_identifier_format = configurationAttributes.get("saml_name_identifier_format").getValue2()
    else:
        saml_name_identifier_format = None

    # The IdP certificate is read from a file on the server, not from configuration text.
    saml_certificate = self.loadCeritificate(saml_certificate_file)
    if (StringHelper.isEmpty(saml_certificate)):
        print "Saml. Initialization. File with x509 certificate should be not empty"
        return False

    samlConfiguration = SamlConfiguration()

    # Set the issuer of the authentication request. This would usually be the URL of the issuing web application
    samlConfiguration.setIssuer(saml_issuer)
    # Tells the IdP to return a persistent identifier for the user
    samlConfiguration.setNameIdentifierFormat(saml_name_identifier_format)
    # The URL at the Identity Provider where the authentication request should be sent
    samlConfiguration.setIdpSsoTargetUrl(saml_idp_sso_target_url)
    # Enable/disable RequestedAuthnContext
    samlConfiguration.setUseRequestedAuthnContext(saml_use_authn_context)
    # Load the x509 certificate; presumably this is what later validates IdP responses -- TODO confirm
    samlConfiguration.loadCertificateFromString(saml_certificate)

    self.samlConfiguration = samlConfiguration

    # Attribute mapping is optional and only built when both lists are configured.
    self.attributesMapping = None
    if (configurationAttributes.containsKey("saml_idp_attributes_list") and configurationAttributes.containsKey("saml_local_attributes_list")):
        saml_idp_attributes_list = configurationAttributes.get("saml_idp_attributes_list").getValue2()
        if (StringHelper.isEmpty(saml_idp_attributes_list)):
            print "Saml. Initialization. The property saml_idp_attributes_list is empty"
            return False

        saml_local_attributes_list = configurationAttributes.get("saml_local_attributes_list").getValue2()
        if (StringHelper.isEmpty(saml_local_attributes_list)):
            print "Saml. Initialization. The property saml_local_attributes_list is empty"
            return False

        self.attributesMapping = self.prepareAttributesMapping(saml_idp_attributes_list, saml_local_attributes_list)
        if (self.attributesMapping == None):
            print "Saml. Initialization. The attributes mapping isn't valid"
            return False

    # The extension module name comes from administrator configuration and is
    # imported by name; only ImportError is handled, any other exception raised
    # by the import or by the module's init() propagates out of this method.
    self.samlExtensionModule = None
    if (configurationAttributes.containsKey("saml_extension_module")):
        saml_extension_module_name = configurationAttributes.get("saml_extension_module").getValue2()
        try:
            self.samlExtensionModule = __import__(saml_extension_module_name)
            saml_extension_module_init_result = self.samlExtensionModule.init(configurationAttributes)
            if (not saml_extension_module_init_result):
                return False
        except ImportError, ex:
            print "Saml. Initialization. Failed to load saml_extension_module:", saml_extension_module_name
            print "Saml. Initialization. Unexpected error:", ex
            return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
    """Prepare the UAF out-of-band (OOB) operation for the given step.

    Step 1 needs nothing. Step 2 requires a session state cookie, a user
    on the credentials and a "uaf_auth_method" session attribute; it
    sends START_OOB_AUTH (for "authenticate") or START_OOB_REG (anything
    else) to the UAF server, then stores the server's response, the QR
    image it contains and a prepared STATUS request in the event context.

    Returns True when the step is ready, False on any missing input, a
    failed POST, or an unknown step.
    """
    credentials = Identity.instance().getCredentials()
    context = Contexts.getEventContext()
    session_attributes = context.get("sessionAttributes")
    self.setEventContextParameters(context)

    if (step == 1):
        return True
    if (step != 2):
        return False

    print "UAF. Prepare for step 2"

    session_state = SessionStateService.instance().getSessionStateFromCookie()
    if StringHelper.isEmpty(session_state):
        print "UAF. Prepare for step 2. Failed to determine session_state"
        return False

    user = credentials.getUser()
    if (user == None):
        print "UAF. Prepare for step 2. Failed to determine user name"
        return False

    # The method was chosen in step 1 and kept in the session, not taken from the request.
    uaf_auth_method = session_attributes.get("uaf_auth_method")
    if StringHelper.isEmpty(uaf_auth_method):
        print "UAF. Prepare for step 2. Failed to determine auth_method"
        return False
    print "UAF. Prepare for step 2. uaf_auth_method: '%s'" % uaf_auth_method

    if StringHelper.equalsIgnoreCase(uaf_auth_method, "authenticate"):
        obb_method = "OOB_AUTH"
        endpoint = self.uaf_server_uri + "/nnl/v2/auth"
    else:
        obb_method = "OOB_REG"
        endpoint = self.uaf_server_uri + "/nnl/v2/reg"

    # START_OBB: begin the operation in QR mode only.
    start_body = json.dumps({
        "operation": "START_%s" % obb_method,
        "userName": user.getUserId(),
        "policyName": "default",
        "oobMode": {"qr": "true", "rawData": "false", "push": "false"}
    }, separators=(',', ':'))
    print "UAF. Prepare for step 2. Prepared START request: '%s' to send to '%s'" % (start_body, endpoint)

    start_response = self.executePost(endpoint, start_body)
    if start_response == None:
        return False
    print "UAF. Prepare for step 2. Get START response: '%s'" % start_response
    start_json = json.loads(start_response)

    # STATUS_OBB is only prepared here; it is sent in a later step.
    #TODO: Remove needDetails parameter
    status_body = json.dumps({
        "operation": "STATUS_%s" % obb_method,
        "userName": user.getUserId(),
        "needDetails": 1,
        "oobStatusHandle": start_json["oobStatusHandle"],
    }, separators=(',', ':'))
    print "UAF. Prepare for step 2. Prepared STATUS request: '%s' to send to '%s'" % (status_body, endpoint)

    context.set("uaf_obb_auth_method", obb_method)
    context.set("uaf_obb_server_uri", endpoint)
    context.set("uaf_obb_start_response", start_response)
    context.set("qr_image", start_json["modeResult"]["qrCode"]["qrImage"])
    context.set("uaf_obb_status_request", status_body)
    return True
def authenticate(self, configurationAttributes, requestParameters, step):
    """Basic username/password login with a password-expiry check.

    Step 1 verifies the credentials with UserService.authenticate and
    returns the outcome. Step 2 reloads the user, reads
    oxPasswordExpirationDate, derives the previous and next expiry via the
    script's parseDate/previousExpDate/newExpirationDate helpers and, when
    the previous expiry is in the past, stores the next one on the entry
    and optionally saves the entry after a new password was submitted.

    Returns True on success, False on a failure or an unknown step, and
    None when step 2 finds the password not yet expired (that branch has
    no return; presumably step 2 is only reached for expired passwords).
    """
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()

    if (step == 1):
        print "Basic (with password update). Authenticate for step 1"

        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        return True
    elif (step == 2):
        userService = UserService.instance()
        find_user_by_uid = userService.getUser(user_name)
        if (find_user_by_uid == None):
            print "Basic (with password update). Authenticate for step 2. Failed to find user"
            return False

        user_expDate = find_user_by_uid.getAttribute("oxPasswordExpirationDate", False)
        if (user_expDate == None):
            print "Failed to get Date"
            return False

        print "Exp Date is : '" + user_expDate + "' ."
        # Naive local time is compared with the parsed expiry below -- TODO confirm
        # parseDate and the stored attribute agree on the time zone.
        now = datetime.datetime.now()
        myDate = self.parseDate(user_expDate)
        prevExpDate = self.previousExpDate(myDate)
        expDate = self.newExpirationDate(myDate)
        temp = expDate.strftime("%y%m%d")
        # NOTE(review): expDate supports strftime one line up, so it is presumably a
        # date/datetime and adding the str `temp` to it would raise TypeError; the
        # intent looks like building a generalized-time string ("%y" also gives a
        # two-digit year). Confirm against newExpirationDate and the stored format.
        expDate = (expDate + temp + "195000Z")

        if prevExpDate < now:
            print "Basic (with password update). Authenticate for step 2"
            find_user_by_uid.setAttribute("oxPasswordExpirationDate", expDate)

            # Without the update button the login succeeds with the unchanged
            # password; the expiry set above is not persisted because updateUser
            # is not reached.
            update_button = requestParameters.get("loginForm:updateButton")
            if ArrayHelper.isEmpty(update_button):
                return True

            new_password_array = requestParameters.get("new_password")
            if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
                print "Basic (with password update). Authenticate for step 2. New password is empty"
                return False

            new_password = new_password_array[0]
            print "Basic (with password update). Authenticate for step 2. Attempting to set new user '" + user_name + "' password"

            # NOTE(review): new_password is never assigned to the user entry before
            # updateUser, so as shown only the expiration date is saved and the
            # password itself stays unchanged; confirm whether a setAttribute call
            # was lost.
            userService.updateUser(find_user_by_uid)
            print "Basic (with password update). Authenticate for step 2. Password updated successfully"

            return True
    else:
        return False
identity.setWorkingParameter("hideez_user_name", user_name) identity.setWorkingParameter("hideez_user_password", user_password) self.hideez_count_login_steps = 2 logged_in = True # except (HESAuthenticator.UserNotFoundException, HESAuthenticator.InvalidCredentialsException, HESAuthenticator.UserIsLockedout), ex: # logged_in = False # print ex.class.name + ex.message except Exception, ex: logged_in = False print ex.class.name + ex.message else: print "OTP. Authenticate for step 2" session_id = CdiUtil.bean(SessionIdService).getSessionIdFromCookie() if StringHelper.isEmpty(session_id): print "OTP. Validate session id. Failed to determine session_id" return False otpCode = ServerUtil.getFirstValue(requestParameters, "loginForm:otpCode") if StringHelper.isEmpty(otpCode): print "OTP. Process OTP authentication. otpCode is empty" #facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to authenticate. OTP code is empty") return False user_name = identity.getWorkingParameter("hideez_user_name") user_password = identity.getWorkingParameter("hideez_user_password") if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password) and StringHelper.isNotEmptyString(otpCode)): try: authNr = HESAuthenticator(self.hideezUrl)
def prepareForStep(self, configurationAttributes, requestParameters, step):
    """Prepare the FIDO U2F request(s) for the given step.

    Step 1 needs nothing. Step 2 requires a session state cookie and the
    user authenticated earlier, then asks the FIDO U2F server to start an
    authentication (when the user has device registrations for
    u2f_application_id) or a registration (when not) and stores both
    requests as JSON in the event context for the page.

    Returns True when the requests are stored, False on a missing session
    state or user, or when starting authentication fails with anything
    other than NOT_FOUND.
    NOTE(review): as shown, the method ends after the step 2 branch with
    no handling for other steps (returns None); confirm the tail was not
    lost in extraction.
    """
    context = Contexts.getEventContext()

    if (step == 1):
        return True
    elif (step == 2):
        print "U2F. Prepare for step 2"

        session_state = SessionStateService.instance().getSessionStateFromCookie()
        if StringHelper.isEmpty(session_state):
            print "U2F. Prepare for step 2. Failed to determine session_state"
            return False

        authenticationService = AuthenticationService.instance()
        user = authenticationService.getAuthenticatedUser()
        if (user == None):
            print "U2F. Prepare for step 2. Failed to determine user name"
            return False

        u2f_application_id = configurationAttributes.get("u2f_application_id").getValue2()

        # Check if user has registered devices for this application id
        deviceRegistrationService = DeviceRegistrationService.instance()
        userInum = user.getAttribute("inum")

        registrationRequest = None
        authenticationRequest = None

        deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, u2f_application_id)
        if (deviceRegistrations.size() > 0):
            print "U2F. Prepare for step 2. Call FIDO U2F in order to start authentication workflow"

            try:
                authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration)
                # The session state is passed along so the challenge is tied to this session.
                authenticationRequest = authenticationRequestService.startAuthentication(user.getUserId(), None, u2f_application_id, session_state)
            except ClientResponseFailure, ex:
                # NOT_FOUND is tolerated: authenticationRequest stays None and no
                # registration is started either, so both context values below are
                # the JSON of None -- TODO confirm the page handles that case.
                if (ex.getResponse().getResponseStatus() != Response.Status.NOT_FOUND):
                    print "U2F. Prepare for step 2. Failed to start authentication workflow. Exception:", sys.exc_info()[1]
                    return False
        else:
            print "U2F. Prepare for step 2. Call FIDO U2F in order to start registration workflow"
            registrationRequestService = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration)
            registrationRequest = registrationRequestService.startRegistration(user.getUserId(), u2f_application_id, session_state)

        context.set("fido_u2f_authentication_request", ServerUtil.asJson(authenticationRequest))
        context.set("fido_u2f_registration_request", ServerUtil.asJson(registrationRequest))

        return True
credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = authenticationService.authenticate(user_name, user_password) print "Passport-social: Basic Authentication returning %s" % logged_in return logged_in else: facesContext = CdiUtil.bean(FacesContext) # Get JWT token if it's post back call jwt_param = ServerUtil.getFirstValue(requestParameters, "user") if StringHelper.isEmpty(jwt_param): print "Passport-social: Authenticate for step 1. JWT token is missing" return False # Parse JWT token jwt = Jwt.parse(jwt_param) # Validate signature print "Passport-social: Authenticate for step 1. Checking JWT token signature: '%s'" % jwt appConfiguration = AppConfiguration() appConfiguration.setWebKeysStorage(WebKeyStorage.KEYSTORE) appConfiguration.setKeyStoreFile(self.keyStoreFile) appConfiguration.setKeyStoreSecret(self.keyStorePassword) cryptoProvider = CryptoProviderFactory.getCryptoProvider(appConfiguration) valid = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(), jwt.getHeader().getKeyId(),
def init(self, configurationAttributes):
    """Build the Asimba SAML configuration from the script's configuration properties.

    Reads asimba_saml_certificate_file, saml_idp_sso_target_url,
    asimba_entity_id and saml_use_authn_context (plus
    saml_name_identifier_format when the latter is true) with no
    containsKey() guard, so a missing mandatory property is presumably
    reported as an exception rather than as a False return. Also sets
    the optional generateNameId, updateUser, userObjectClasses,
    userEnforceAttributesUniqueness and attributesMapping fields and
    imports an extension module named by configuration.

    Returns False when the certificate file is empty, the attribute
    mapping property is empty or invalid, or the extension module cannot
    be imported or its init() returns a false value.
    NOTE(review): as shown, the method ends after the extension-module
    block with no success `return True` and would return None; confirm
    the tail was not lost in extraction.
    """
    print "Saml. Initialization"

    asimba_saml_certificate_file = configurationAttributes.get("asimba_saml_certificate_file").getValue2()
    saml_idp_sso_target_url = configurationAttributes.get("saml_idp_sso_target_url").getValue2()
    asimba_entity_id = configurationAttributes.get("asimba_entity_id").getValue2()
    # Defaults to True when the property cannot be parsed.
    saml_use_authn_context = StringHelper.toBoolean(configurationAttributes.get("saml_use_authn_context").getValue2(), True)
    if (saml_use_authn_context):
        saml_name_identifier_format = configurationAttributes.get("saml_name_identifier_format").getValue2()
    else:
        saml_name_identifier_format = None

    # The IdP certificate is read from a file on the server, not from configuration text.
    asimba_saml_certificate = self.loadCeritificate(asimba_saml_certificate_file)
    if (StringHelper.isEmpty(asimba_saml_certificate)):
        print "Saml. Initialization. File with x509 certificate should be not empty"
        return False

    samlConfiguration = SamlConfiguration()

    # Set the issuer of the authentication request. This would usually be the URL of the issuing web application
    samlConfiguration.setIssuer(asimba_entity_id)
    # Tells the IdP to return a persistent identifier for the user
    samlConfiguration.setNameIdentifierFormat(saml_name_identifier_format)
    # The URL at the Identity Provider where the authentication request should be sent
    samlConfiguration.setIdpSsoTargetUrl(saml_idp_sso_target_url)
    # Enable/disable RequestedAuthnContext
    samlConfiguration.setUseRequestedAuthnContext(saml_use_authn_context)
    # Load the x509 certificate; presumably this is what later validates IdP responses -- TODO confirm
    samlConfiguration.loadCertificateFromString(asimba_saml_certificate)

    self.samlConfiguration = samlConfiguration

    # Optional flags; both default to False when absent or unparseable.
    self.generateNameId = False
    if configurationAttributes.containsKey("saml_generate_name_id"):
        self.generateNameId = StringHelper.toBoolean(configurationAttributes.get("saml_generate_name_id").getValue2(), False)
    print "Saml. Initialization. The property saml_generate_name_id is %s" % self.generateNameId

    self.updateUser = False
    if configurationAttributes.containsKey("saml_update_user"):
        self.updateUser = StringHelper.toBoolean(configurationAttributes.get("saml_update_user").getValue2(), False)
    print "Saml. Initialization. The property saml_update_user is %s" % self.updateUser

    self.userObjectClasses = None
    if configurationAttributes.containsKey("user_object_classes"):
        self.userObjectClasses = self.prepareUserObjectClasses(configurationAttributes)

    self.userEnforceAttributesUniqueness = None
    if configurationAttributes.containsKey("enforce_uniqueness_attr_list"):
        self.userEnforceAttributesUniqueness = self.prepareUserEnforceUniquenessAttributes(configurationAttributes)

    self.attributesMapping = None
    if configurationAttributes.containsKey("saml_idp_attributes_mapping"):
        saml_idp_attributes_mapping = configurationAttributes.get("saml_idp_attributes_mapping").getValue2()
        if (StringHelper.isEmpty(saml_idp_attributes_mapping)):
            print "Saml. Initialization. The property saml_idp_attributes_mapping is empty"
            return False

        self.attributesMapping = self.prepareAttributesMapping(saml_idp_attributes_mapping)
        if (self.attributesMapping == None):
            print "Saml. Initialization. The attributes mapping isn't valid"
            return False

    # The extension module name comes from administrator configuration and is
    # imported by name; only ImportError is handled, any other exception raised
    # by the import or by the module's init() propagates out of this method.
    self.samlExtensionModule = None
    if (configurationAttributes.containsKey("saml_extension_module")):
        saml_extension_module_name = configurationAttributes.get("saml_extension_module").getValue2()
        try:
            self.samlExtensionModule = __import__(saml_extension_module_name)
            saml_extension_module_init_result = self.samlExtensionModule.init(configurationAttributes)
            if (not saml_extension_module_init_result):
                return False
        except ImportError, ex:
            print "Saml. Initialization. Failed to load saml_extension_module: '%s'" % saml_extension_module_name
            print "Saml. Initialization. Unexpected error:", ex
            return False
def init(self, configurationAttributes):
    """Build the Asimba SAML configuration from the script's configuration properties.

    Reads asimba_saml_certificate_file, saml_idp_sso_target_url,
    asimba_entity_id and saml_use_authn_context (plus
    saml_name_identifier_format when the latter is true) with no
    containsKey() guard, so a missing mandatory property is presumably
    reported as an exception rather than as a False return. Also sets
    the optional generateNameId, updateUser, userObjectClasses,
    userEnforceAttributesUniqueness and attributesMapping fields and
    imports an extension module named by configuration.

    Returns False when the certificate file is empty, the attribute
    mapping property is empty or invalid, or the extension module cannot
    be imported or its init() returns a false value.
    NOTE(review): as shown, the method ends after the extension-module
    block with no success `return True` and would return None; confirm
    the tail was not lost in extraction.
    """
    print "Saml. Initialization"

    asimba_saml_certificate_file = configurationAttributes.get("asimba_saml_certificate_file").getValue2()
    saml_idp_sso_target_url = configurationAttributes.get("saml_idp_sso_target_url").getValue2()
    asimba_entity_id = configurationAttributes.get("asimba_entity_id").getValue2()
    # Defaults to True when the property cannot be parsed.
    saml_use_authn_context = StringHelper.toBoolean(configurationAttributes.get("saml_use_authn_context").getValue2(), True)
    if (saml_use_authn_context):
        saml_name_identifier_format = configurationAttributes.get("saml_name_identifier_format").getValue2()
    else:
        saml_name_identifier_format = None

    # The IdP certificate is read from a file on the server, not from configuration text.
    asimba_saml_certificate = self.loadCeritificate(asimba_saml_certificate_file)
    if (StringHelper.isEmpty(asimba_saml_certificate)):
        print "Saml. Initialization. File with x509 certificate should be not empty"
        return False

    samlConfiguration = SamlConfiguration()

    # Set the issuer of the authentication request. This would usually be the URL of the issuing web application
    samlConfiguration.setIssuer(asimba_entity_id)
    # Tells the IdP to return a persistent identifier for the user
    samlConfiguration.setNameIdentifierFormat(saml_name_identifier_format)
    # The URL at the Identity Provider where the authentication request should be sent
    samlConfiguration.setIdpSsoTargetUrl(saml_idp_sso_target_url)
    # Enable/disable RequestedAuthnContext
    samlConfiguration.setUseRequestedAuthnContext(saml_use_authn_context)
    # Load the x509 certificate; presumably this is what later validates IdP responses -- TODO confirm
    samlConfiguration.loadCertificateFromString(asimba_saml_certificate)

    self.samlConfiguration = samlConfiguration

    # Optional flags; both default to False when absent or unparseable.
    self.generateNameId = False
    if configurationAttributes.containsKey("saml_generate_name_id"):
        self.generateNameId = StringHelper.toBoolean(configurationAttributes.get("saml_generate_name_id").getValue2(), False)
    print "Saml. Initialization. The property saml_generate_name_id is %s" % self.generateNameId

    self.updateUser = False
    if configurationAttributes.containsKey("saml_update_user"):
        self.updateUser = StringHelper.toBoolean(configurationAttributes.get("saml_update_user").getValue2(), False)
    print "Saml. Initialization. The property saml_update_user is %s" % self.updateUser

    self.userObjectClasses = None
    if configurationAttributes.containsKey("user_object_classes"):
        self.userObjectClasses = self.prepareUserObjectClasses(configurationAttributes)

    self.userEnforceAttributesUniqueness = None
    if configurationAttributes.containsKey("enforce_uniqueness_attr_list"):
        self.userEnforceAttributesUniqueness = self.prepareUserEnforceUniquenessAttributes(configurationAttributes)

    self.attributesMapping = None
    if configurationAttributes.containsKey("saml_idp_attributes_mapping"):
        saml_idp_attributes_mapping = configurationAttributes.get("saml_idp_attributes_mapping").getValue2()
        if (StringHelper.isEmpty(saml_idp_attributes_mapping)):
            print "Saml. Initialization. The property saml_idp_attributes_mapping is empty"
            return False

        self.attributesMapping = self.prepareAttributesMapping(saml_idp_attributes_mapping)
        if (self.attributesMapping == None):
            print "Saml. Initialization. The attributes mapping isn't valid"
            return False

    # The extension module name comes from administrator configuration and is
    # imported by name; only ImportError is handled, any other exception raised
    # by the import or by the module's init() propagates out of this method.
    self.samlExtensionModule = None
    if (configurationAttributes.containsKey("saml_extension_module")):
        saml_extension_module_name = configurationAttributes.get("saml_extension_module").getValue2()
        try:
            self.samlExtensionModule = __import__(saml_extension_module_name)
            saml_extension_module_init_result = self.samlExtensionModule.init(configurationAttributes)
            if (not saml_extension_module_init_result):
                return False
        except ImportError, ex:
            print "Saml. Initialization. Failed to load saml_extension_module: '%s'" % saml_extension_module_name
            print "Saml. Initialization. Unexpected error:", ex
            return False
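def authenticate(self, configurationAttributes, requestParameters, step):
    """Authenticate a SAML login (or optional basic login) for the given step.

    Step 1 decodes the SAMLResponse request parameter, validates it when
    saml_validate_response is enabled, and resolves a local user from the
    NameID according to saml_deployment_type: "map" looks the NameID up
    in oxExternalUid and, when no user is linked yet, defers to step 2;
    "enroll" creates the user from the mapped attributes; "enroll_all_attr"
    creates the user from all attributes; any other value treats the
    NameID as the local uid. Step 2 (map only) takes the local username
    and password, links the NameID to that user and refuses to link a
    NameID that is already tied to a different user. When
    saml_allow_basic_login is set and credentials were supplied, step 1
    is a plain password login instead.

    Returns True/False, or the extension module's post-login result.

    Fix: a response that fails validation is now rejected. Previously the
    failure was only logged and its NameID was still used to log in.
    """
    context = Contexts.getEventContext()
    authenticationService = AuthenticationService.instance()
    userService = UserService.instance()

    saml_map_user = False
    saml_enroll_user = False
    saml_enroll_all_user_attr = False
    # saml_deployment_type selects how the NameID is turned into a local user.
    if (configurationAttributes.containsKey("saml_deployment_type")):
        saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2())

        if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")):
            saml_map_user = True

        if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")):
            saml_enroll_user = True

        if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")):
            saml_enroll_all_user_attr = True

    saml_allow_basic_login = False
    if (configurationAttributes.containsKey("saml_allow_basic_login")):
        saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False)

    use_basic_auth = False
    if (saml_allow_basic_login):
        # Detect whether the user submitted username/password instead of a SAML response
        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        if (StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password)):
            use_basic_auth = True

    if ((step == 1) and saml_allow_basic_login and use_basic_auth):
        print "Saml. Authenticate for step 1. Basic authentication"

        context.set("saml_count_login_steps", 1)

        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        return True

    if (step == 1):
        print "Saml. Authenticate for step 1"

        currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
        if (currentSamlConfiguration == None):
            print "Saml. Prepare for step 1. Client saml configuration is invalid"
            return False

        saml_response_array = requestParameters.get("SAMLResponse")
        if ArrayHelper.isEmpty(saml_response_array):
            print "Saml. Authenticate for step 1. saml_response is empty"
            return False

        saml_response = saml_response_array[0]

        print "Saml. Authenticate for step 1. saml_response:", saml_response

        samlResponse = Response(currentSamlConfiguration)
        samlResponse.loadXmlFromBase64(saml_response)

        # Validation is on unless explicitly configured. NOTE(review): the second
        # argument of toBoolean is presumably the fallback for an unparseable
        # value, so a malformed saml_validate_response property would turn
        # validation off; consider passing True there.
        saml_validate_response = True
        if (configurationAttributes.containsKey("saml_validate_response")):
            saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False)

        if (saml_validate_response):
            if (not samlResponse.isValid()):
                print "Saml. Authenticate for step 1. saml_response isn't valid"
                # An invalid response must not be processed further; without this
                # return the NameID of an unverified response was used to log in.
                return False

        saml_response_name_id = samlResponse.getNameId()
        if (StringHelper.isEmpty(saml_response_name_id)):
            print "Saml. Authenticate for step 1. saml_response_name_id is invalid"
            return False

        print "Saml. Authenticate for step 1. saml_response_name_id:", saml_response_name_id

        saml_response_attributes = samlResponse.getAttributes()
        print "Saml. Authenticate for step 1. attributes: ", saml_response_attributes

        # Use persistent Id as saml_user_uid
        saml_user_uid = saml_response_name_id

        if (saml_map_user):
            # Use mapping to local IDP user
            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:", saml_user_uid

            # Check if there is a user with the specified saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)

            if (find_user_by_uid == None):
                # Not linked yet: step 2 asks for local credentials and links the account
                print "Saml. Authenticate for step 1. Failed to find user"
                print "Saml. Authenticate for step 1. Setting count steps to 2"
                context.set("saml_count_login_steps", 2)
                context.set("saml_user_uid", saml_user_uid)
                return True

            return self._finishStep1Login(configurationAttributes, context, authenticationService, find_user_by_uid)
        elif (saml_enroll_user):
            # Use auto enrollment to local IDP
            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:", saml_user_uid

            # Check if there is a user with the specified saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
            if (find_user_by_uid == None):
                # Auto user enrollment
                print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"

                # Convert saml result attribute keys to lower case
                saml_response_normalized_attributes = HashMap()
                for saml_response_attribute_entry in saml_response_attributes.entrySet():
                    saml_response_normalized_attributes.put(StringHelper.toLowerCase(saml_response_attribute_entry.getKey()), saml_response_attribute_entry.getValue())

                currentAttributesMapping = self.prepareCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
                print "Saml. Authenticate for step 1. Using next attributes mapping", currentAttributesMapping

                # Only attributes present in the mapping are copied from the IdP response
                newUser = User()
                for attributesMappingEntry in currentAttributesMapping.entrySet():
                    idpAttribute = attributesMappingEntry.getKey()
                    localAttribute = attributesMappingEntry.getValue()

                    localAttributeValue = saml_response_normalized_attributes.get(idpAttribute)
                    if (localAttribute != None):
                        newUser.setAttribute(localAttribute, localAttributeValue)

                newUser.setAttribute("oxExternalUid", "saml:" + saml_user_uid)
                print "Saml. Authenticate for step 1. Attempting to add user", saml_user_uid, " with next attributes", newUser.getCustomAttributes()

                find_user_by_uid = userService.addUser(newUser, True)
                print "Saml. Authenticate for step 1. Added new user with UID", find_user_by_uid.getUserId()

            return self._finishStep1Login(configurationAttributes, context, authenticationService, find_user_by_uid)
        elif (saml_enroll_all_user_attr):
            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:" + saml_user_uid

            # Check if there is a user with the specified saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)

            if (find_user_by_uid == None):
                print "Saml. Authenticate for step 1. Failed to find user"

                user = User()

                # NOTE(review): `attributes` and `attributeService` are not defined in
                # this method, so creating a user in this branch raises NameError as
                # written; presumably saml_response_attributes and an AttributeService
                # instance were intended. Left unchanged pending confirmation.
                customAttributes = ArrayList()
                for key in attributes.keySet():
                    ldapAttributes = attributeService.getAllAttributes()
                    for ldapAttribute in ldapAttributes:
                        saml2Uri = ldapAttribute.getSaml2Uri()
                        if(saml2Uri == None):
                            saml2Uri = attributeService.getDefaultSaml2Uri(ldapAttribute.getName())
                        if(saml2Uri == key):
                            attribute = CustomAttribute(ldapAttribute.getName())
                            attribute.setValues(attributes.get(key))
                            customAttributes.add(attribute)

                attribute = CustomAttribute("oxExternalUid")
                attribute.setValue("saml:" + saml_user_uid)
                customAttributes.add(attribute)
                user.setCustomAttributes(customAttributes)

                # sn and cn are mandatory for the entry; fall back to the NameID
                if(user.getAttribute("sn") == None):
                    attribute = CustomAttribute("sn")
                    attribute.setValue(saml_user_uid)
                    customAttributes.add(attribute)

                if(user.getAttribute("cn") == None):
                    attribute = CustomAttribute("cn")
                    attribute.setValue(saml_user_uid)
                    customAttributes.add(attribute)

                find_user_by_uid = userService.addUser(user, True)
                print "Saml. Authenticate for step 1. Added new user with UID", find_user_by_uid.getUserId()

            return self._finishStep1Login(configurationAttributes, context, authenticationService, find_user_by_uid)
        else:
            # No deployment type: the NameID is expected to be a local uid
            print "Saml. Authenticate for step 1. Attempting to find user by uid:", saml_user_uid
            find_user_by_uid = userService.getUser(saml_user_uid)
            if (find_user_by_uid == None):
                print "Saml. Authenticate for step 1. Failed to find user"
                return False

            return self._finishStep1Login(configurationAttributes, context, authenticationService, find_user_by_uid)
    elif (step == 2):
        print "Saml. Authenticate for step 2"

        sessionAttributes = context.get("sessionAttributes")
        if (sessionAttributes == None) or not sessionAttributes.containsKey("saml_user_uid"):
            print "Saml. Authenticate for step 2. saml_user_uid is empty"
            return False

        # The NameID comes from the session written in step 1, not from the request
        saml_user_uid = sessionAttributes.get("saml_user_uid")
        passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
        if (not passed_step1):
            return False

        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        # Linking requires proof of the local account: a successful password login
        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            logged_in = userService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        # Check if there is a user which already has saml_user_uid
        # Avoid mapping a Saml account to more than one IDP account
        find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)

        if (find_user_by_uid == None):
            # Add saml_user_uid to the user's external UIDs
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:" + saml_user_uid)
            if (find_user_by_uid == None):
                print "Saml. Authenticate for step 2. Failed to update current user"
                return False

            post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
            print "Saml. Authenticate for step 2. post_login_result:", post_login_result

            return post_login_result
        else:
            found_user_name = find_user_by_uid.getUserId()
            print "Saml. Authenticate for step 2. found_user_name:", found_user_name

            # Already linked: only the same local user may log in with this NameID
            if StringHelper.equals(user_name, found_user_name):
                post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
                print "Saml. Authenticate for step 2. post_login_result:", post_login_result

                return post_login_result

        return False
    else:
        return False

def _finishStep1Login(self, configurationAttributes, context, authenticationService, found_user):
    """Log in an already-resolved local user and finish step 1.

    Authenticates the user by user id, records that the login is a single
    step, and returns the extension module's post-login result; returns
    False when the local authentication fails.
    """
    found_user_name = found_user.getUserId()
    print "Saml. Authenticate for step 1. found_user_name:", found_user_name

    user_authenticated = authenticationService.authenticate(found_user_name)
    if (user_authenticated == False):
        print "Saml. Authenticate for step 1. Failed to authenticate user"
        return False

    print "Saml. Authenticate for step 1. Setting count steps to 1"
    context.set("saml_count_login_steps", 1)

    post_login_result = self.samlExtensionPostLogin(configurationAttributes, found_user)
    print "Saml. Authenticate for step 1. post_login_result:", post_login_result

    return post_login_result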
def authenticate(self, configurationAttributes, requestParameters, step):
    """Password + UAF device login, with first-time device enrollment folded in.

    Step 1 authenticates the password and picks the UAF mode: ``authenticate``
    when ``findEnrollments`` returns devices for the user, otherwise ``enroll``.
    The mode is stored in the event context (``uaf_auth_method``) and read back
    from the session attributes at step 2.  Step 2 obtains a device handle (see
    the SECURITY note inline), then either checks it against the user's
    enrollments (``authenticate``) or records ``uaf:<handle>`` as the user's
    ``oxExternalUid`` (``enroll``).

    Returns True when the step succeeded, False otherwise.
    """
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()

    context = Contexts.getEventContext()
    session_attributes = context.get("sessionAttributes")

    self.setEventContextParameters(context)

    if (step == 1):
        print "UAF. Authenticate for step 1"

        # First factor: username/password
        authenticated_user = self.processBasicAuthentication(credentials)
        if authenticated_user == None:
            return False

        uaf_auth_method = "authenticate"
        # Uncomment this block if you need to allow user second device registration
        #enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton")
        #if StringHelper.isNotEmpty(enrollment_mode):
        #    uaf_auth_method = "enroll"

        if uaf_auth_method == "authenticate":
            # No enrolled device yet: switch the session into enrollment mode
            user_enrollments = self.findEnrollments(credentials)
            if len(user_enrollments) == 0:
                uaf_auth_method = "enroll"
                print "UAF. Authenticate for step 1. There is no UAF enrollment for user '%s'. Changing uaf_auth_method to '%s'" % (user_name, uaf_auth_method)

        print "UAF. Authenticate for step 1. uaf_auth_method: '%s'" % uaf_auth_method
        # Kept server-side; step 2 restores it from the session attributes, not from the request
        context.set("uaf_auth_method", uaf_auth_method)

        return True
    elif (step == 2):
        print "UAF. Authenticate for step 2"

        session_state = SessionStateService.instance().getSessionStateFromCookie()
        if StringHelper.isEmpty(session_state):
            print "UAF. Prepare for step 2. Failed to determine session_state"
            return False

        # user_name comes from the credentials object; presumably still populated from step 1
        if user_name == None:
            print "UAF. Authenticate for step 2. Failed to determine user name"
            return False

        # auth_result is a request parameter, i.e. asserted by the client
        uaf_auth_result = ServerUtil.getFirstValue(requestParameters, "auth_result")
        if uaf_auth_result != "success":
            print "UAF. Authenticate for step 2. auth_result is '%s'" % uaf_auth_result
            return False

        # Restore state from session
        uaf_auth_method = session_attributes.get("uaf_auth_method")
        if not uaf_auth_method in ['enroll', 'authenticate']:
            print "UAF. Authenticate for step 2. Failed to authenticate user. uaf_auth_method: '%s'" % uaf_auth_method
            return False

        # Request STATUS_OBB
        # SECURITY(review): with the "if True" workaround the device handle is read from the
        # "auth_handle" request parameter, and auth_result above is client-supplied as well; the
        # server-side STATUS_OBB verification in the else-branch never runs. In "authenticate" mode
        # the handle is only checked for membership in the user's enrollments, and in "enroll" mode
        # it is stored unverified. Until the server-side check is restored, the second factor is no
        # stronger than the client's claim about it.
        if True:
            #TODO: Remove this condition
            # Workaround: STATUS_OBB cannot be called twice (first by the browser, then by the server)
            uaf_user_device_handle = ServerUtil.getFirstValue(requestParameters, "auth_handle")
        else:
            uaf_obb_auth_method = session_attributes.get("uaf_obb_auth_method")
            uaf_obb_server_uri = session_attributes.get("uaf_obb_server_uri")
            uaf_obb_start_response = session_attributes.get("uaf_obb_start_response")

            # Prepare STATUS_OBB: ask the UAF server for the outcome of the operation started earlier
            uaf_obb_start_response_json = json.loads(uaf_obb_start_response)
            uaf_obb_status_request_dictionary = { "operation": "STATUS_%s" % uaf_obb_auth_method,
                                                  "userName": user_name,
                                                  "needDetails": 1,
                                                  "oobStatusHandle": uaf_obb_start_response_json["oobStatusHandle"],
                                                }
            uaf_obb_status_request = json.dumps(uaf_obb_status_request_dictionary, separators=(',',':'))
            print "UAF. Authenticate for step 2. Prepared STATUS request: '%s' to send to '%s'" % (uaf_obb_status_request, uaf_obb_server_uri)

            uaf_status_obb_response = self.executePost(uaf_obb_server_uri, uaf_obb_status_request)
            if uaf_status_obb_response == None:
                return False

            print "UAF. Authenticate for step 2. Get STATUS response: '%s'" % uaf_status_obb_response
            uaf_status_obb_response_json = json.loads(uaf_status_obb_response)

            # 4000 is the only status accepted as a completed operation here
            if uaf_status_obb_response_json["statusCode"] != 4000:
                print "UAF. Authenticate for step 2. UAF operation status is invalid. statusCode: '%s'" % uaf_status_obb_response_json["statusCode"]
                return False

            uaf_user_device_handle = uaf_status_obb_response_json["additionalInfo"]["authenticatorsResult"]["handle"]

        if StringHelper.isEmpty(uaf_user_device_handle):
            print "UAF. Prepare for step 2. Failed to get UAF handle"
            return False

        # oxExternalUid value used for this device; note that another copy of this script
        # uses "uaf: %s" (with a space), so lookups only work against values written with
        # the same format
        uaf_user_external_uid = "uaf:%s" % uaf_user_device_handle
        print "UAF. Authenticate for step 2. UAF handle: '%s'" % uaf_user_external_uid

        if uaf_auth_method == "authenticate":
            # Validate that the user used a device with an enrolled key handle
            user_enrollments = self.findEnrollments(credentials)
            if len(user_enrollments) == 0:
                # The reassignment is dead: we return right after it
                uaf_auth_method = "enroll"
                print "UAF. Authenticate for step 2. There is no UAF enrollment for user '%s'." % user_name
                return False

            # findEnrollments is compared against the raw handle, so it presumably
            # returns handles without the "uaf:" prefix — confirm
            for user_enrollment in user_enrollments:
                if StringHelper.equalsIgnoreCase(user_enrollment, uaf_user_device_handle):
                    print "UAF. Authenticate for step 2. There is UAF enrollment for user '%s'. User authenticated successfully" % user_name
                    return True
        else:
            userService = UserService.instance()

            # Double check just to make sure. We did checking in previous step
            # Check if there is user which has uaf_user_external_uid
            # Avoid mapping user cert to more than one IDP account
            find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", uaf_user_external_uid)
            if find_user_by_external_uid == None:
                # Add uaf_user_external_uid to user's external GUID list
                find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", uaf_user_external_uid)
                if find_user_by_external_uid == None:
                    print "UAF. Authenticate for step 2. Failed to update current user"
                    return False

                return True

        # Reached when no enrollment matched, or (indentation reconstructed from a collapsed
        # source) when the handle is already mapped to some account during enrollment
        return False
    else:
        return False
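def authenticate(self, configurationAttributes, requestParameters, step):
    """Password login that additionally checks the password against a breach source.

    Step 1 authenticates username/password; when ``is_compromised`` reports
    the password as leaked, ``pwd_compromised`` and ``user_name`` are stored
    as working parameters so the later steps can force a change.  Step 2
    compares the submitted ``loginForm:question`` answer with
    ``self.secretanswer``.  Step 3 writes ``new_password`` to the account
    named in the session and re-establishes the session for it.

    Args:
        configurationAttributes: script configuration map, passed through to
            ``is_compromised``.
        requestParameters: request parameter map.
        step: 1-based authentication step.

    Returns:
        True when the step succeeded, False otherwise (also for unknown steps).
    """
    identity = CdiUtil.bean(Identity)
    userService = CdiUtil.bean(UserService)
    authenticationService = CdiUtil.bean(AuthenticationService)

    if step == 1:
        credentials = identity.getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            logged_in = authenticationService.authenticate(user_name, user_password)
        if not logged_in:
            return False

        find_user_by_uid = userService.getUser(user_name)
        if find_user_by_uid is None:
            # Previously an unguarded attribute lookup on None; fail closed with a reason
            print "compromised_password. Authenticate for step 1. Failed to find user"
            return False

        status_attribute_value = userService.getCustomAttribute(find_user_by_uid, "mail")
        if status_attribute_value is None:
            # The original raised here as well (None.getValue()); keep refusing the login explicitly
            print "compromised_password. Authenticate for step 1. User has no mail attribute"
            return False
        user_mail = status_attribute_value.getValue()

        self.setRequestScopedParameters(identity)

        # NOTE(review): the clear-text password is handed to is_compromised(); how much of it
        # leaves the server is decided in that method — confirm it uses a range/k-anonymity query.
        isCompromised = self.is_compromised(user_mail, user_password, configurationAttributes)
        if isCompromised:
            # Remembered server-side so step 3 knows which account to update
            identity.setWorkingParameter("pwd_compromised", isCompromised)
            identity.setWorkingParameter("user_name", user_name)

        # A compromised password does not block this step; the extra steps enforce the change
        return True
    elif step == 2:
        print "compromised_password. Authenticate for step 2"

        form_answer_array = requestParameters.get("loginForm:question")
        if ArrayHelper.isEmpty(form_answer_array):
            return False

        # NOTE(review): a single script-wide secret answer; no per-user secret is involved
        return form_answer_array[0] == self.secretanswer
    elif step == 3:
        print "compromised_password (with password update). Authenticate for step 3"

        new_password_array = requestParameters.get("new_password")
        if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
            print "compromised_password (with password update). Authenticate for step 3. New password is empty"
            return False
        new_password = new_password_array[0]

        # The account to update comes from the server-side session (set at step 1)
        session_attributes = identity.getSessionId().getSessionAttributes()
        user_name = session_attributes.get("user_name")
        if StringHelper.isEmpty(user_name):
            # Previously a TypeError from string concatenation with None
            print "compromised_password (with password update). Authenticate for step 3. user_name is not set in session"
            return False

        print "compromised_password (with password update). Authenticate for step 3. Attempting to set new user '" + user_name + "' password"
        find_user_by_uid = userService.getUser(user_name)
        if find_user_by_uid is None:
            print "compromised_password (with password update). Authenticate for step 3. Failed to find user"
            return False

        # NOTE(review): the replacement password is not itself run through is_compromised()
        find_user_by_uid.setAttribute("userPassword", new_password)
        userService.updateUser(find_user_by_uid)
        print "compromised_password (with password update). Authenticate for step 3. Password updated successfully"

        # Re-establish the session for the updated account and report that result instead of
        # succeeding unconditionally
        logged_in = authenticationService.authenticate(user_name)
        return logged_in
    else:
        return False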
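def authenticate(self, configurationAttributes, requestParameters, step):
    """Password + OTP login, with first-time OTP enrollment folded into the flow.

    Step 1 authenticates the password and decides the OTP mode:
    ``authenticate`` when the user already has enrollments, otherwise
    ``enroll`` (which raises the step count to 3 via ``otp_count_login_steps``).
    The mode is kept in the ``otp_auth_method`` working parameter — server-side
    state, never read back from the request.  Step 2 verifies the OTP in
    ``authenticate`` mode and is skipped during enrollment; step 3 verifies the
    freshly enrolled token and only runs in ``enroll`` mode.

    Args:
        configurationAttributes: script configuration map (unused here).
        requestParameters: request parameter map.
        step: 1-based authentication step.

    Returns:
        True when the step succeeded, False otherwise.
    """
    authenticationService = CdiUtil.bean(AuthenticationService)
    identity = CdiUtil.bean(Identity)
    credentials = identity.getCredentials()

    self.setRequestScopedParameters(identity)

    if step == 1:
        print "OTP. Authenticate for step 1"

        authenticated_user = self.processBasicAuthentication(credentials)
        if authenticated_user is None:
            return False
        user_id = authenticated_user.getUserId()

        otp_auth_method = "authenticate"
        # Uncomment this block if you need to allow user second OTP registration
        #enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton")
        #if StringHelper.isNotEmpty(enrollment_mode):
        #    otp_auth_method = "enroll"

        if otp_auth_method == "authenticate":
            user_enrollments = self.findEnrollments(user_id)
            if len(user_enrollments) == 0:
                otp_auth_method = "enroll"
                print "OTP. Authenticate for step 1. There is no OTP enrollment for user '%s'. Changing otp_auth_method to '%s'" % (user_id, otp_auth_method)

        if otp_auth_method == "enroll":
            # Enrollment needs a third step to verify the newly registered token
            print "OTP. Authenticate for step 1. Setting count steps: '%s'" % 3
            identity.setWorkingParameter("otp_count_login_steps", 3)

        print "OTP. Authenticate for step 1. otp_auth_method: '%s'" % otp_auth_method
        identity.setWorkingParameter("otp_auth_method", otp_auth_method)

        return True
    elif step == 2:
        print "OTP. Authenticate for step 2"

        state = self._restoreOtpState(authenticationService, identity, step)
        if state is None:
            return False
        user, otp_auth_method = state

        if otp_auth_method == 'enroll':
            # NOTE(review): a non-empty auth_result during enrollment is treated as failure;
            # the contract with the enrollment page is not visible here — confirm.
            auth_result = ServerUtil.getFirstValue(requestParameters, "auth_result")
            if not StringHelper.isEmpty(auth_result):
                print "OTP. Authenticate for step 2. User not enrolled OTP"
                return False

            print "OTP. Authenticate for step 2. Skipping this step during enrollment"
            return True

        otp_auth_result = self.processOtpAuthentication(requestParameters, user.getUserId(), identity, otp_auth_method)
        print "OTP. Authenticate for step 2. OTP authentication result: '%s'" % otp_auth_result

        return otp_auth_result
    elif step == 3:
        print "OTP. Authenticate for step 3"

        state = self._restoreOtpState(authenticationService, identity, step)
        if state is None:
            return False
        user, otp_auth_method = state

        # Step 3 exists only for enrollment; anything else reaching it is an inconsistent session
        if otp_auth_method != 'enroll':
            return False

        otp_auth_result = self.processOtpAuthentication(requestParameters, user.getUserId(), identity, otp_auth_method)
        print "OTP. Authenticate for step 3. OTP authentication result: '%s'" % otp_auth_result

        return otp_auth_result
    else:
        return False

def _restoreOtpState(self, authenticationService, identity, step):
    """Return (authenticated user, otp_auth_method) for steps 2/3, or None when the session is unusable."""
    user = authenticationService.getAuthenticatedUser()
    if user is None:
        # Log line names the actual step (the original said "step 2" for step 3 as well)
        print "OTP. Authenticate for step %s. Failed to determine user name" % step
        return None

    if not self.validateSessionId(identity):
        return None

    # Restore state from session
    return user, identity.getWorkingParameter("otp_auth_method")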
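def prepareForStep(self, configurationAttributes, requestParameters, step):
    """Build the Super-Gluu request the mobile app answers, before each step is rendered.

    Step 1 (one_step mode) creates a request carrying the client redirect
    URI, issuer, the session id as ``state`` and a creation timestamp; in
    two_step mode it merely enables the register action.  Step 2 (two_step
    mode) does the same for the already authenticated user, adds the
    ``super_gluu_auth_method`` taken from the session, and sends a push
    notification when that method is ``authenticate``.  A request that was
    generated already and has not timed out is reused.

    Args:
        configurationAttributes: script configuration map (unused here).
        requestParameters: request parameter map (unused here).
        step: 1-based authentication step.

    Returns:
        True when the page can be shown, False when the redirect URI, session
        id, user or auth method cannot be determined.
    """
    identity = CdiUtil.bean(Identity)
    session_attributes = identity.getSessionId().getSessionAttributes()

    client_redirect_uri = self.getClientRedirecUri(session_attributes)
    if client_redirect_uri is None:
        print "Super-Gluu. Prepare for step. redirect_uri is not set"
        return False

    self.setRequestScopedParameters(identity, step)

    if step == 1:
        print "Super-Gluu. Prepare for step 1"
        if self.oneStep:
            session_id = CdiUtil.bean(SessionIdService).getSessionIdFromCookie()
            if StringHelper.isEmpty(session_id):
                # Log line names step 1 (it said "step 2" before)
                print "Super-Gluu. Prepare for step 1. Failed to determine session_id"
                return False

            # NOTE(review): step 2 reads the issuer via getAppConfiguration(); one of the two
            # accessors is probably stale for the deployed oxAuth version — confirm.
            issuer = CdiUtil.bean(ConfigurationFactory).getConfiguration().getIssuer()
            request_dictionary = {'app': client_redirect_uri,
                                  'issuer': issuer,
                                  'state': session_id,
                                  'created': datetime.datetime.now().isoformat()}
            self._storeSuperGluuRequest(identity, session_attributes, request_dictionary, step)
        elif self.twoStep:
            identity.setWorkingParameter("display_register_action", True)

        return True
    elif step == 2:
        print "Super-Gluu. Prepare for step 2"
        if self.oneStep:
            return True

        authenticationService = CdiUtil.bean(AuthenticationService)
        user = authenticationService.getAuthenticatedUser()
        if user is None:
            print "Super-Gluu. Prepare for step 2. Failed to determine user name"
            return False

        if session_attributes.containsKey("super_gluu_request"):
            super_gluu_request = session_attributes.get("super_gluu_request")
            if not StringHelper.equalsIgnoreCase(super_gluu_request, "timeout"):
                # A live request exists; do not issue a second one for the same session
                print "Super-Gluu. Prepare for step 2. Request was generated already"
                return True

        session_id = CdiUtil.bean(SessionIdService).getSessionIdFromCookie()
        if StringHelper.isEmpty(session_id):
            print "Super-Gluu. Prepare for step 2. Failed to determine session_id"
            return False

        # The method was chosen server-side earlier in the flow, not taken from the request
        auth_method = session_attributes.get("super_gluu_auth_method")
        if StringHelper.isEmpty(auth_method):
            print "Super-Gluu. Prepare for step 2. Failed to determine auth_method"
            return False

        print "Super-Gluu. Prepare for step 2. auth_method: '%s'" % auth_method

        issuer = CdiUtil.bean(ConfigurationFactory).getAppConfiguration().getIssuer()
        request_dictionary = {'username': user.getUserId(),
                              'app': client_redirect_uri,
                              'issuer': issuer,
                              'method': auth_method,
                              'state': session_id,
                              'created': datetime.datetime.now().isoformat()}
        super_gluu_request = self._storeSuperGluuRequest(identity, session_attributes, request_dictionary, step)
        identity.setWorkingParameter("super_gluu_auth_method", auth_method)

        if auth_method in ['authenticate']:
            self.sendPushNotification(client_redirect_uri, user, super_gluu_request)

        return True
    else:
        return False

def _storeSuperGluuRequest(self, identity, session_attributes, request_dictionary, step):
    """Add geolocation, serialise, log and park the request in the working parameters; return the JSON."""
    self.addGeolocationData(session_attributes, request_dictionary)
    super_gluu_request = json.dumps(request_dictionary, separators=(',', ':'))
    # SECURITY(review): the logged request contains the session id ("state"); treat these
    # logs with the same care as the session cookie itself.
    print "Super-Gluu. Prepare for step %s. Prepared super_gluu_request:" % step, super_gluu_request
    identity.setWorkingParameter("super_gluu_request", super_gluu_request)
    return super_gluu_request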
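def authenticate(self, configurationAttributes, requestParameters, step):
    """Authenticate a user through a CAS 2.0 server (service-ticket validation).

    Step 1 validates the ``ticket`` request parameter against
    ``<cas_host>/serviceValidate``.  With ``cas_map_user`` off, the CAS user
    name must be a local uid; with it on, the account is looked up by the
    ``oxExternalUid`` value ``cas2:<cas user>`` and, when none is linked yet,
    the CAS uid is encrypted into the event context and a second step is
    requested.  Step 2 authenticates the local username/password and links
    the CAS uid to that account (or succeeds if it is already linked to it).

    Args:
        configurationAttributes: script configuration map; ``cas_host``,
            ``cas_extra_opts``, ``cas_map_user`` and ``cas_renew_opt`` are
            read unconditionally, so a missing key raises before any step runs.
        requestParameters: request parameter map (``ticket`` at step 1,
            ``cas2_user_uid`` at step 2).
        step: 1-based authentication step.

    Returns:
        True when the step succeeded, False otherwise.
    """
    context = Contexts.getEventContext()
    authenticationService = AuthenticationService.instance()
    userService = UserService.instance()
    httpService = HttpService.instance()
    stringEncrypter = StringEncrypter.defaultInstance()

    cas_host = configurationAttributes.get("cas_host").getValue2()
    cas_extra_opts = configurationAttributes.get("cas_extra_opts").getValue2()
    cas_map_user = StringHelper.toBoolean(configurationAttributes.get("cas_map_user").getValue2(), False)
    cas_renew_opt = StringHelper.toBoolean(configurationAttributes.get("cas_renew_opt").getValue2(), False)

    if step == 1:
        print "CAS2 authenticate for step 1"

        ticket_array = requestParameters.get("ticket")
        if ArrayHelper.isEmpty(ticket_array):
            print "CAS2 authenticate for step 1. ticket is empty"
            return False

        # Checked before it is concatenated into the log line (a None element raised before)
        ticket = ticket_array[0]
        if StringHelper.isEmptyString(ticket):
            print "CAS2 authenticate for step 1. ticket is invalid"
            return False
        # NOTE(review): the service ticket is logged in clear; it is single-use on the CAS side,
        # but the log line still exposes a credential-like value.
        print "CAS2 authenticate for step 1. ticket: " + ticket

        # Validate ticket: <cas_host>/serviceValidate?service=...[&renew=true]&ticket=...[&<extra>]
        request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
        parametersMap = HashMap()
        parametersMap.put("service", httpService.constructServerUrl(request) + "/postlogin")
        if cas_renew_opt:
            parametersMap.put("renew", "true")
        parametersMap.put("ticket", ticket)

        cas_service_request_uri = cas_host + "/serviceValidate?" + authenticationService.parametersAsString(parametersMap)
        if StringHelper.isNotEmpty(cas_extra_opts):
            # Configuration-supplied, appended verbatim
            cas_service_request_uri = cas_service_request_uri + "&" + cas_extra_opts
        print "CAS2 authenticate for step 1. cas_service_request_uri: " + cas_service_request_uri

        # SECURITY(review): getHttpsClientTrustAll() disables TLS certificate validation for the
        # ticket-validation call, so whoever can intercept traffic to cas_host can answer with a
        # forged serviceValidate response. Left unchanged because switching clients may break
        # deployments that rely on it; prefer a client that validates cas_host's certificate.
        http_client = httpService.getHttpsClientTrustAll()
        http_response = httpService.executeGet(http_client, cas_service_request_uri)
        validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_response))
        # Guard before logging: concatenating a None body raised TypeError before the check
        if StringHelper.isEmpty(validation_content):
            print "CAS2 authenticate for step 1. Ticket validation response is invalid"
            return False
        print "CAS2 authenticate for step 1. validation_content: " + validation_content

        # parse_tag is a textual tag extractor; the response is trusted only as far as the
        # transport to cas_host is (see the note above)
        cas2_auth_failure = self.parse_tag(validation_content, "cas:authenticationFailure")
        print "CAS2 authenticate for step 1. cas2_auth_failure: ", cas2_auth_failure

        cas2_user_uid = self.parse_tag(validation_content, "cas:user")
        print "CAS2 authenticate for step 1. cas2_user_uid: ", cas2_user_uid

        if (cas2_auth_failure is not None) or (cas2_user_uid is None):
            print "CAS2 authenticate for step 1. Ticket is invalid"
            return False

        if cas_map_user:
            cas2_external_uid = "cas2:" + cas2_user_uid
            print "CAS2 authenticate for step 1. Attempting to find user by oxExternalUid: " + cas2_external_uid

            # Look up the local account previously linked to this CAS identity
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", cas2_external_uid)
            if find_user_by_uid is None:
                print "CAS2 authenticate for step 1. Failed to find user"
                print "CAS2 authenticate for step 1. Setting count steps to 2"
                context.set("cas2_count_login_steps", 2)
                # The CAS uid round-trips through the step-2 form; it is encrypted with the
                # server key so the client cannot substitute an arbitrary value.
                context.set("cas2_user_uid", stringEncrypter.encrypt(cas2_user_uid))
                return True
        else:
            print "CAS2 authenticate for step 1. Attempting to find user by uid:" + cas2_user_uid

            # The CAS user name is expected to be a local uid
            find_user_by_uid = userService.getUser(cas2_user_uid)
            if find_user_by_uid is None:
                print "CAS2 authenticate for step 1. Failed to find user"
                return False

        return self._loginAsFoundUser(context, find_user_by_uid)
    elif step == 2:
        print "CAS2 authenticate for step 2"

        cas2_user_uid_array = requestParameters.get("cas2_user_uid")
        if ArrayHelper.isEmpty(cas2_user_uid_array):
            print "CAS2 authenticate for step 2. cas2_user_uid is empty"
            return False

        # Only a value encrypted by this server at step 1 decrypts to a usable uid;
        # NOTE(review): the value is not bound to the session, only to the server key.
        cas2_user_uid = stringEncrypter.decrypt(cas2_user_uid_array[0])
        if not StringHelper.isNotEmptyString(cas2_user_uid):
            return False

        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            logged_in = userService.authenticate(user_name, user_password)
        if not logged_in:
            return False

        cas2_external_uid = "cas2:" + cas2_user_uid

        # Avoid mapping one CAS account to more than one IDP account
        find_user_by_uid = userService.getUserByAttribute("oxExternalUid", cas2_external_uid)
        if find_user_by_uid is None:
            # Link the CAS uid to the account that just authenticated
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", cas2_external_uid)
            if find_user_by_uid is None:
                print "CAS2 authenticate for step 2. Failed to update current user"
                return False
            return True

        found_user_name = find_user_by_uid.getUserId()
        print "CAS2 authenticate for step 2. found_user_name: " + found_user_name
        # Already linked: succeed only when it is linked to this very account
        return StringHelper.equals(user_name, found_user_name)
    else:
        return False

def _loginAsFoundUser(self, context, find_user_by_uid):
    """Make the resolved account the current credentials and mark the flow as single-step."""
    found_user_name = find_user_by_uid.getUserId()
    print "CAS2 authenticate for step 1. found_user_name: " + found_user_name

    credentials = Identity.instance().getCredentials()
    credentials.setUsername(found_user_name)
    credentials.setUser(find_user_by_uid)

    print "CAS2 authenticate for step 1. Setting count steps to 1"
    context.set("cas2_count_login_steps", 1)

    return True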
def init(self, configurationAttributes):
    """Load the Super-Gluu script configuration into instance attributes.

    Mandatory: ``authentication_mode`` (``one_step`` or ``two_step``).
    Optional: ``registration_uri``, ``supergluu_android_download_url``,
    ``supergluu_ios_download_url``, ``label``, ``qr_options``,
    ``super_gluu_group`` and ``audit_group`` (the latter then requires
    ``audit_group_email``); ``audit_attribute`` becomes mandatory as soon as
    either group option is present.  Push notifications are configured via
    ``initPushNotificationService``.

    Returns True on success, False (after logging the reason) on a
    configuration error.
    """
    print "Super-Gluu. Initialization"

    def optional(key, default=None):
        # Value of an optional configuration property, or *default* when it is absent
        if configurationAttributes.containsKey(key):
            return configurationAttributes.get(key).getValue2()
        return default

    if not configurationAttributes.containsKey("authentication_mode"):
        print "Super-Gluu. Initialization. Property authentication_mode is mandatory"
        return False

    self.registrationUri = optional("registration_uri")

    authentication_mode = configurationAttributes.get("authentication_mode").getValue2()
    if StringHelper.isEmpty(authentication_mode):
        print "Super-Gluu. Initialization. Failed to determine authentication_mode. authentication_mode configuration parameter is empty"
        return False

    self.oneStep = StringHelper.equalsIgnoreCase(authentication_mode, "one_step")
    self.twoStep = StringHelper.equalsIgnoreCase(authentication_mode, "two_step")
    if not (self.oneStep or self.twoStep):
        print "Super-Gluu. Initialization. Valid authentication_mode values are one_step and two_step"
        return False

    self.enabledPushNotifications = self.initPushNotificationService(configurationAttributes)

    self.androidUrl = optional("supergluu_android_download_url")
    self.IOSUrl = optional("supergluu_ios_download_url")
    self.customLabel = optional("label")
    # NOTE(review): defaults to a dict, but a configured value arrives as a string —
    # whatever consumes customQrOptions has to cope with both.
    self.customQrOptions = optional("qr_options", {})

    self.use_super_gluu_group = configurationAttributes.containsKey("super_gluu_group")
    if self.use_super_gluu_group:
        self.super_gluu_group = configurationAttributes.get("super_gluu_group").getValue2()
        print "Super-Gluu. Initialization. Using super_gluu only if user belong to group: %s" % self.super_gluu_group

    self.use_audit_group = False
    if configurationAttributes.containsKey("audit_group"):
        self.audit_group = configurationAttributes.get("audit_group").getValue2()
        if not configurationAttributes.containsKey("audit_group_email"):
            print "Super-Gluu. Initialization. Property audit_group_email is not specified"
            return False
        self.audit_email = configurationAttributes.get("audit_group_email").getValue2()
        self.use_audit_group = True
        print "Super-Gluu. Initialization. Using audit group: %s" % self.audit_group

    if self.use_super_gluu_group or self.use_audit_group:
        # Group membership checks need to know which attribute to inspect
        if not configurationAttributes.containsKey("audit_attribute"):
            print "Super-Gluu. Initialization. Property audit_attribute is not specified"
            return False
        self.audit_attribute = configurationAttributes.get("audit_attribute").getValue2()

    print "Super-Gluu. Initialized successfully. oneStep: '%s', twoStep: '%s', pushNotifications: '%s', customLabel: '%s'" % (self.oneStep, self.twoStep, self.enabledPushNotifications, self.customLabel)
    return True
def setDefaultUid(self, user, saml_user_uid):
    """Fall back to the SAML subject id as the user id when the user has none yet."""
    if not StringHelper.isEmpty(user.getUserId()):
        return
    user.setUserId(saml_user_uid)
def authenticate(self, configurationAttributes, requestParameters, step):
    """Three-step client-certificate login.

    Step 1 only checks that the login form was submitted.  Step 2 takes the
    client certificate chain exposed by the servlet container, validates the
    first certificate, fingerprints it and looks up the account whose
    ``oxExternalUid`` holds ``"cert: <fingerprint>"``.  Step 3 (only when
    ``self.map_user_cert`` allows it) links that fingerprint to an account
    after a username/password login.

    Returns True when the step succeeded, False otherwise.  An unselected or
    invalid certificate at step 2 also returns True: per the original
    comments this lets the next page explain how to reset the workflow, with
    ``cert_selected``/``cert_valid`` in the event context carrying the outcome.
    """
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()

    context = Contexts.getEventContext()
    userService = UserService.instance()

    if (step == 1):
        print "Cert. Authenticate for step 1"

        login_button = ServerUtil.getFirstValue(requestParameters, "loginForm:loginButton")
        if StringHelper.isEmpty(login_button):
            print "Cert. Authenticate for step 1. Form were submitted incorrectly"
            return False

        return True
    elif (step == 2):
        print "Cert. Authenticate for step 2"

        # Validate if user selected certificate.
        # The chain is read from the container's request attribute, not from a form field,
        # so request parameters cannot inject a certificate here.
        request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
        x509Certificates = request.getAttribute('javax.servlet.request.X509Certificate')
        if (x509Certificates == None) or (len(x509Certificates) == 0):
            print "Cert. Authenticate for step 2. User not selected any certs"
            context.set("cert_selected", False)
            # Return True to inform user how to reset workflow
            return True

        context.set("cert_selected", True)

        # Use only first certificate for validation
        x509Certificate = x509Certificates[0]
        print "Cert. Authenticate for step 2. User selected certificate with DN '%s'" % x509Certificate.getSubjectX500Principal()

        # Validate certificates which user selected
        valid = self.validateCertificate(x509Certificate)
        if not valid:
            print "Cert. Authenticate for step 2. Certificate DN '%s' is not valid" % x509Certificate.getSubjectX500Principal()
            context.set("cert_valid", False)
            # Return True to inform user how to reset workflow
            return True

        context.set("cert_valid", True)
        context.set("cert_x509", x509Certificate)

        # Calculate certificate fingerprint; it is the only thing that ties a cert to an account
        x509CertificateFingerprint = self.calculateCertificateFingerprint(x509Certificate)
        context.set("cert_x509_fingerprint", x509CertificateFingerprint)
        print "Cert. Authenticate for step 2. Fingerprint is '%s' of certificate with DN '%s'" % (x509CertificateFingerprint, x509Certificate.getSubjectX500Principal())

        # Attempt to find user by certificate fingerprint (note the space after "cert:";
        # lookups and the link written at step 3 both use this exact format)
        cert_user_external_uid = "cert: %s" % x509CertificateFingerprint
        print "Cert. Authenticate for step 2. Attempting to find user by oxExternalUid attribute value %s" % cert_user_external_uid

        find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid)
        if find_user_by_external_uid == None:
            print "Cert. Authenticate for step 2. Failed to find user"
            if self.map_user_cert:
                # Parked in the event context; step 3 reads it back via getSessionAttribute
                print "Cert. Authenticate for step 2. Storing cert_user_external_uid for step 3"
                context.set("cert_user_external_uid", cert_user_external_uid)
                return True
            else:
                print "Cert. Authenticate for step 2. Mapping cet to user account is not allowed"
                context.set("cert_count_login_steps", 2)
                return False

        foundUserName = find_user_by_external_uid.getUserId()
        # NOTE(review): the next line is garbled in this copy of the source — a redaction marker
        # ("******") replaced the code between the two string literals, which is also where
        # logged_in must have been assigned. Restore it from the upstream script before use.
        print "Cert. Authenticate for step 2. foundUserName: "******"Cert. Authenticate for step 2. Setting count steps to 2"
        context.set("cert_count_login_steps", 2)

        return logged_in
    elif (step == 3):
        print "Cert. Authenticate for step 3"

        cert_user_external_uid = self.getSessionAttribute("cert_user_external_uid")
        if cert_user_external_uid == None:
            print "Cert. Authenticate for step 3. cert_user_external_uid is empty"
            return False

        # The account to link is proven by password, the certificate by the session value above
        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            logged_in = userService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        # Double check just to make sure. We did checking in previous step
        # Check if there is user which has cert_user_external_uid
        # Avoid mapping user cert to more than one IDP account
        find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid)
        if find_user_by_external_uid == None:
            # Add cert_user_external_uid to user's external GUID list
            find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", cert_user_external_uid)
            if find_user_by_external_uid == None:
                print "Cert. Authenticate for step 3. Failed to update current user"
                return False

            return True

        # Reached (indentation reconstructed from a collapsed source) when the fingerprint is
        # already linked to some account: the password login succeeds and no link is written
        return True
    else:
        return False
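def authenticate(self, configurationAttributes, requestParameters, step):
    """Username/password login with a password change offered after expiry.

    Step 1 authenticates the credentials and reads ``oxPasswordExpirationDate``
    from the authenticated user; when that date is in the past, a new expiry
    (now + 90 days, UTC, generalized-time encoded) is stored in the
    ``expDate`` working parameter.  Step 2 writes that expiry and the
    ``new_password`` form value to the user when the update button was
    pressed; a submit without the button leaves the account untouched and
    succeeds.

    Args:
        configurationAttributes: script configuration map (unused here).
        requestParameters: request parameter map (``loginForm:updateButton``
            and ``new_password`` at step 2).
        step: 1-based authentication step.

    Returns:
        True when the step succeeded, False otherwise.
    """
    authenticationService = CdiUtil.bean(AuthenticationService)
    userService = CdiUtil.bean(UserService)
    identity = CdiUtil.bean(Identity)
    credentials = identity.getCredentials()

    if step == 1:
        print "Basic (with password update). Authenticate for step 1"
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            logged_in = authenticationService.authenticate(user_name, user_password)
        if not logged_in:
            return False

        find_user_by_uid = authenticationService.getAuthenticatedUser()
        if find_user_by_uid is None:
            # Same guard step 2 already has; this path raised AttributeError on the next line before
            print "Basic (with password update). Authenticate for step 1. Failed to determine user name"
            return False

        user_expDate = find_user_by_uid.getAttribute("oxPasswordExpirationDate", False)
        if user_expDate is None:
            # Accounts without an expiry date are refused rather than treated as never expiring
            print "Basic (with password update). Authenticate for step 1. User has no oxPasswordExpirationDate date"
            return False

        dt = StaticUtils.decodeGeneralizedTime(user_expDate)

        # Compare against the current time in UTC
        calendar = GregorianCalendar(TimeZone.getTimeZone("UTC"))
        now = calendar.getTime()
        if now.compareTo(dt) > 0:
            # Expired: propose now + 90 days as the next expiry; step 2 persists it
            calendar.setTime(now)
            calendar.add(calendar.DATE, 90)
            dt_plus_90 = calendar.getTime()
            expDate = StaticUtils.encodeGeneralizedTime(dt_plus_90)
            identity.setWorkingParameter("expDate", expDate)

        return True
    elif step == 2:
        print "Basic (with password update). Authenticate for step 2"

        user = authenticationService.getAuthenticatedUser()
        if user is None:
            print "Basic (with password update). Authenticate for step 2. Failed to determine user name"
            return False

        user_name = user.getUserId()
        find_user_by_uid = userService.getUser(user_name)
        if find_user_by_uid is None:
            print "Basic (with password update). Authenticate for step 2. Failed to find user"
            return False

        newExpDate = identity.getWorkingParameter("expDate")

        # NOTE(review): submitting without the update button lets the user continue with an
        # expired password; whether that is acceptable is a deployment policy decision.
        update_button = requestParameters.get("loginForm:updateButton")
        if ArrayHelper.isEmpty(update_button):
            return True

        new_password_array = requestParameters.get("new_password")
        if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
            print "Basic (with password update). Authenticate for step 2. New password is empty"
            return False
        new_password = new_password_array[0]

        # NOTE(review): newExpDate is None when step 1 found the password unexpired; the
        # attribute is then written with None, exactly as before — confirm that is intended.
        find_user_by_uid.setAttribute("oxPasswordExpirationDate", newExpDate)
        find_user_by_uid.setAttribute("userPassword", new_password)

        print "Basic (with password update). Authenticate for step 2. Attempting to set new user '%s' password" % user_name
        userService.updateUser(find_user_by_uid)
        print "Basic (with password update). Authenticate for step 2. Password updated successfully"

        return True
    else:
        return False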
def authenticate(self, configurationAttributes, requestParameters, step):
    """Password + UAF device login, with first-time device enrollment folded in.

    Step 1 authenticates the password and picks the UAF mode: ``authenticate``
    when ``findEnrollments`` returns devices for the user, otherwise ``enroll``.
    The mode is stored in the event context (``uaf_auth_method``) and read back
    from the session attributes at step 2.  Step 2 obtains a device handle (see
    the SECURITY note inline), then either checks it against the user's
    enrollments (``authenticate``) or records ``uaf: <handle>`` as the user's
    ``oxExternalUid`` (``enroll``).

    Returns True when the step succeeded, False otherwise.
    """
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()

    context = Contexts.getEventContext()
    session_attributes = context.get("sessionAttributes")

    self.setEventContextParameters(context)

    if (step == 1):
        print "UAF. Authenticate for step 1"

        # First factor: username/password
        authenticated_user = self.processBasicAuthentication(credentials)
        if authenticated_user == None:
            return False

        uaf_auth_method = "authenticate"
        # Uncomment this block if you need to allow user second device registration
        #enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton")
        #if StringHelper.isNotEmpty(enrollment_mode):
        #    uaf_auth_method = "enroll"

        if uaf_auth_method == "authenticate":
            # No enrolled device yet: switch the session into enrollment mode
            user_enrollments = self.findEnrollments(credentials)
            if len(user_enrollments) == 0:
                uaf_auth_method = "enroll"
                print "UAF. Authenticate for step 1. There is no UAF enrollment for user '%s'. Changing uaf_auth_method to '%s'" % (
                    user_name, uaf_auth_method)

        print "UAF. Authenticate for step 1. uaf_auth_method: '%s'" % uaf_auth_method
        # Kept server-side; step 2 restores it from the session attributes, not from the request
        context.set("uaf_auth_method", uaf_auth_method)

        return True
    elif (step == 2):
        print "UAF. Authenticate for step 2"

        session_state = SessionStateService.instance().getSessionStateFromCookie()
        if StringHelper.isEmpty(session_state):
            print "UAF. Prepare for step 2. Failed to determine session_state"
            return False

        # user_name comes from the credentials object; presumably still populated from step 1
        if user_name == None:
            print "UAF. Authenticate for step 2. Failed to determine user name"
            return False

        # auth_result is a request parameter, i.e. asserted by the client
        uaf_auth_result = ServerUtil.getFirstValue(requestParameters, "auth_result")
        if uaf_auth_result != "success":
            print "UAF. Authenticate for step 2. auth_result is '%s'" % uaf_auth_result
            return False

        # Restore state from session
        uaf_auth_method = session_attributes.get("uaf_auth_method")
        if not uaf_auth_method in ['enroll', 'authenticate']:
            print "UAF. Authenticate for step 2. Failed to authenticate user. uaf_auth_method: '%s'" % uaf_auth_method
            return False

        # Request STATUS_OBB
        # SECURITY(review): with the "if True" workaround the device handle is read from the
        # "auth_handle" request parameter, and auth_result above is client-supplied as well; the
        # server-side STATUS_OBB verification in the else-branch never runs. In "authenticate" mode
        # the handle is only checked for membership in the user's enrollments, and in "enroll" mode
        # it is stored unverified. Until the server-side check is restored, the second factor is no
        # stronger than the client's claim about it.
        if True:
            #TODO: Remove this condition
            # Workaround: STATUS_OBB cannot be called twice (first by the browser, then by the server)
            uaf_user_device_handle = ServerUtil.getFirstValue(requestParameters, "auth_handle")
        else:
            uaf_obb_auth_method = session_attributes.get("uaf_obb_auth_method")
            uaf_obb_server_uri = session_attributes.get("uaf_obb_server_uri")
            uaf_obb_start_response = session_attributes.get("uaf_obb_start_response")

            # Prepare STATUS_OBB: ask the UAF server for the outcome of the operation started earlier
            uaf_obb_start_response_json = json.loads(uaf_obb_start_response)
            uaf_obb_status_request_dictionary = {
                "operation": "STATUS_%s" % uaf_obb_auth_method,
                "userName": user_name,
                "needDetails": 1,
                "oobStatusHandle": uaf_obb_start_response_json["oobStatusHandle"],
            }
            uaf_obb_status_request = json.dumps(uaf_obb_status_request_dictionary, separators=(',', ':'))
            print "UAF. Authenticate for step 2. Prepared STATUS request: '%s' to send to '%s'" % (
                uaf_obb_status_request, uaf_obb_server_uri)

            uaf_status_obb_response = self.executePost(uaf_obb_server_uri, uaf_obb_status_request)
            if uaf_status_obb_response == None:
                return False

            print "UAF. Authenticate for step 2. Get STATUS response: '%s'" % uaf_status_obb_response
            uaf_status_obb_response_json = json.loads(uaf_status_obb_response)

            # 4000 is the only status accepted as a completed operation here
            if uaf_status_obb_response_json["statusCode"] != 4000:
                print "UAF. Authenticate for step 2. UAF operation status is invalid. statusCode: '%s'" % uaf_status_obb_response_json["statusCode"]
                return False

            uaf_user_device_handle = uaf_status_obb_response_json["additionalInfo"]["authenticatorsResult"]["handle"]

        if StringHelper.isEmpty(uaf_user_device_handle):
            print "UAF. Prepare for step 2. Failed to get UAF handle"
            return False

        # oxExternalUid value used for this device; note the space after "uaf:" — another copy
        # of this script uses "uaf:%s" without it, and lookups only match values written with
        # the same format
        uaf_user_external_uid = "uaf: %s" % uaf_user_device_handle
        print "UAF. Authenticate for step 2. UAF handle: '%s'" % uaf_user_external_uid

        if uaf_auth_method == "authenticate":
            # Validate that the user used a device with an enrolled key handle
            user_enrollments = self.findEnrollments(credentials)
            if len(user_enrollments) == 0:
                # The reassignment is dead: we return right after it
                uaf_auth_method = "enroll"
                print "UAF. Authenticate for step 2. There is no UAF enrollment for user '%s'." % user_name
                return False

            # findEnrollments is compared against the raw handle, so it presumably
            # returns handles without the "uaf: " prefix — confirm
            for user_enrollment in user_enrollments:
                if StringHelper.equalsIgnoreCase(user_enrollment, uaf_user_device_handle):
                    print "UAF. Authenticate for step 2. There is UAF enrollment for user '%s'. User authenticated successfully" % user_name
                    return True
        else:
            userService = UserService.instance()

            # Double check just to make sure. We did checking in previous step
            # Check if there is user which has uaf_user_external_uid
            # Avoid mapping user cert to more than one IDP account
            find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", uaf_user_external_uid)
            if find_user_by_external_uid == None:
                # Add uaf_user_external_uid to user's external GUID list
                find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", uaf_user_external_uid)
                if find_user_by_external_uid == None:
                    print "UAF. Authenticate for step 2. Failed to update current user"
                    return False

                return True

        # Reached when no enrollment matched, or (indentation reconstructed from a collapsed
        # source) when the handle is already mapped to some account during enrollment
        return False
    else:
        return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
    """Prepare the Fido2 challenge for the given login step.

    Step 1 needs no preparation. Step 2 requires a session cookie and an
    already-authenticated user, then asks the Fido2 server for either an
    assertion (user has registered devices) or an attestation (no devices).

    Args:
        configurationAttributes: script configuration (unused here).
        requestParameters: submitted form parameters (unused here).
        step: the current authentication step number.

    Returns:
        True for step 1; False when the session, user or Fido2 call fails.
        NOTE(review): in this copy the successful step-2 path and any
        step other than 1/2 fall off the end and return None, and the
        assertion/attestation responses are never used -- the method looks
        truncated here; confirm against the original script.
    """
    identity = CdiUtil.bean(Identity)
    if (step == 1):
        return True
    elif (step == 2):
        print "Fido2. Prepare for step 2"
        # Require a server-side session; the challenge is tied to it.
        session_id = CdiUtil.bean(SessionIdService).getSessionIdFromCookie()
        if StringHelper.isEmpty(session_id):
            print "Fido2. Prepare for step 2. Failed to determine session_id"
            return False
        # The username sent to the Fido2 server comes from the user already
        # authenticated in an earlier step, never from the request.
        authenticationService = CdiUtil.bean(AuthenticationService)
        user = authenticationService.getAuthenticatedUser()
        if (user == None):
            print "Fido2. Prepare for step 2. Failed to determine user name"
            return False
        userName = user.getUserId()
        metaDataConfiguration = self.getMetaDataConfiguration()
        # Check whether the user has registered devices
        registrationPersistenceService = CdiUtil.bean(RegistrationPersistenceService)
        assertionResponse = None
        attestationResponse = None
        userFido2Devices = registrationPersistenceService.findAllRegisteredByUsername(userName)
        if (userFido2Devices.size() > 0):
            print "Fido2. Prepare for step 2. Call Fido2 endpoint in order to start assertion flow"
            try:
                assertionService = Fido2ClientFactory.instance().createAssertionService(metaDataConfiguration)
                assertionRequest = json.dumps({'username': userName}, separators=(',', ':'))
                assertionResponse = assertionService.authenticate(assertionRequest).readEntity(java.lang.String)
            except ClientResponseFailure, ex:
                print "Fido2. Prepare for step 2. Failed to start assertion flow. Exception:", sys.exc_info()[1]
                return False
        else:
            # No registered authenticator: the user is sent straight into
            # registration. NOTE(review): whether auto-enrolment is acceptable
            # depends on how strongly step 1 authenticated the user -- policy
            # decision, not visible here.
            print "Fido2. Prepare for step 2. Call Fido2 endpoint in order to start attestation flow"
            try:
                attestationService = Fido2ClientFactory.instance().createAttestationService(metaDataConfiguration)
                attestationRequest = json.dumps({'username': userName, 'displayName': userName}, separators=(',', ':'))
                attestationResponse = attestationService.register(attestationRequest).readEntity(java.lang.String)
            except ClientResponseFailure, ex:
                print "Fido2. Prepare for step 2. Failed to start attestation flow. Exception:", sys.exc_info()[1]
                return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Authenticate the user with a client certificate across three steps.

    Step 1: the login form was submitted (optionally gated by reCAPTCHA).
    Step 2: the certificate selected earlier (read from the session, not
            from the request) is validated, fingerprinted and looked up via
            the "oxExternalUid" attribute ("cert: <fingerprint>").
    Step 3: when the certificate is not yet mapped to an account, the user
            must prove ownership of the account with a password before the
            certificate is bound to it.

    Args:
        configurationAttributes: script configuration (unused here).
        requestParameters: submitted form parameters.
        step: the current authentication step number.

    Returns:
        True when the step succeeded, False otherwise. Several step-2
        failure paths deliberately return True and only set a context flag
        ("cert_selected", "cert_valid") -- see the comments below.
    """
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()
    context = Contexts.getEventContext()
    userService = UserService.instance()
    if step == 1:
        print "Cert. Authenticate for step 1"
        login_button = ServerUtil.getFirstValue(requestParameters, "loginForm:loginButton")
        if StringHelper.isEmpty(login_button):
            print "Cert. Authenticate for step 1. Form were submitted incorrectly"
            return False
        if self.enabled_recaptcha:
            # Bot mitigation: the step passes only if the captcha verifies.
            print "Cert. Authenticate for step 1. Validating recaptcha response"
            recaptcha_response = ServerUtil.getFirstValue(requestParameters, "g-recaptcha-response")
            recaptcha_result = self.validateRecaptcha(recaptcha_response)
            print "Cert. Authenticate for step 1. recaptcha_result: '%s'" % recaptcha_result
            return recaptcha_result
        return True
    elif step == 2:
        print "Cert. Authenticate for step 2"
        # Validate whether the user selected a certificate. The value comes
        # from a server-side session attribute, not from request parameters.
        cert_x509 = self.getSessionAttribute("cert_x509")
        if cert_x509 == None:
            print "Cert. Authenticate for step 2. User not selected any certs"
            context.set("cert_selected", False)
            # Return True to inform the user how to reset the workflow.
            # NOTE(review): this "passes" the step without a certificate; the
            # flag above must be honoured by code outside this method so the
            # user is not logged in -- verify.
            return True
        else:
            context.set("cert_selected", True)
            x509Certificate = self.certFromString(cert_x509)
        subjectX500Principal = x509Certificate.getSubjectX500Principal()
        print "Cert. Authenticate for step 2. User selected certificate with DN '%s'" % subjectX500Principal
        # Validate the certificate the user selected (chain/validity checks
        # live in validateCertificate, not visible here).
        valid = self.validateCertificate(x509Certificate)
        if not valid:
            print "Cert. Authenticate for step 2. Certificate DN '%s' is not valid" % subjectX500Principal
            context.set("cert_valid", False)
            # Return True to inform the user how to reset the workflow
            # (same caveat as for the no-certificate path above).
            return True
        context.set("cert_valid", True)
        # Calculate the certificate fingerprint; it is the identity key.
        x509CertificateFingerprint = self.calculateCertificateFingerprint(x509Certificate)
        context.set("cert_x509_fingerprint", x509CertificateFingerprint)
        print "Cert. Authenticate for step 2. Fingerprint is '%s' of certificate with DN '%s'" % (x509CertificateFingerprint, subjectX500Principal)
        # Attempt to find the user by certificate fingerprint
        cert_user_external_uid = "cert: %s" % x509CertificateFingerprint
        print "Cert. Authenticate for step 2. Attempting to find user by oxExternalUid attribute value %s" % cert_user_external_uid
        find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid)
        if find_user_by_external_uid == None:
            print "Cert. Authenticate for step 2. Failed to find user"
            if self.map_user_cert:
                # Unknown certificate: defer to step 3, where the user must
                # authenticate with a password before the mapping is stored.
                print "Cert. Authenticate for step 2. Storing cert_user_external_uid for step 3"
                context.set("cert_user_external_uid", cert_user_external_uid)
                return True
            else:
                print "Cert. Authenticate for step 2. Mapping cert to user account is not allowed"
                context.set("cert_count_login_steps", 2)
                return False
        foundUserName = find_user_by_external_uid.getUserId()
        # NOTE(review): the following line is redacted in this copy ("******")
        # and does not parse; `logged_in`, returned below, is assigned in the
        # missing text -- presumably where the found user is logged in. Restore
        # from the original script before relying on this block.
        print "Cert. Authenticate for step 2. foundUserName: "******"Cert. Authenticate for step 2. Setting count steps to 2"
        context.set("cert_count_login_steps", 2)
        return logged_in
    elif step == 3:
        print "Cert. Authenticate for step 3"
        cert_user_external_uid = self.getSessionAttribute("cert_user_external_uid")
        if cert_user_external_uid == None:
            print "Cert. Authenticate for step 3. cert_user_external_uid is empty"
            return False
        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()
        logged_in = False
        # Password proof of account ownership is the control that stops a
        # presented certificate from being bound to an arbitrary account.
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            logged_in = userService.authenticate(user_name, user_password)
        if (not logged_in):
            return False
        # Double check just to make sure. We did the check in the previous step.
        # Check whether there is already a user with this cert_user_external_uid
        # to avoid mapping one certificate to more than one IDP account.
        # NOTE(review): this is a check-then-act, not atomic; concurrent
        # requests with the same certificate could still both map -- confirm
        # whether the store enforces uniqueness.
        find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid)
        if find_user_by_external_uid == None:
            # Add cert_user_external_uid to the user's external GUID list
            find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", cert_user_external_uid)
            if find_user_by_external_uid == None:
                print "Cert. Authenticate for step 3. Failed to update current user"
                return False
            return True
        return True
    else:
        return False
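def authenticate(self, configurationAttributes, requestParameters, step):
    """Authenticate the user for the given login step.

    Step 1 checks the submitted username/password against the user store.
    Step 2 handles the password-expiration flow: it reads the user's
    "oxPasswordExpirationDate" attribute, computes the next expiration date
    and, when the form's update button was pressed, stores the submitted new
    password on the user entry.

    Args:
        configurationAttributes: script configuration (unused here).
        requestParameters: submitted form parameters (name -> value array).
        step: the current authentication step number.

    Returns:
        True when the step succeeded, False otherwise.

    NOTE(review): the block nesting of the step-2 branch was reconstructed
    from a whitespace-collapsed source; confirm the scope of the
    `if prevExpDate < now` block against the original script.
    """
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()
    if (step == 1):
        print "Basic (with password update). Authenticate for step 1"
        user_password = credentials.getPassword()
        logged_in = False
        # Only consult the user store when both values are present; an empty
        # password is never passed to authenticate().
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)
        if (not logged_in):
            return False
        return True
    elif (step == 2):
        userService = UserService.instance()
        find_user_by_uid = userService.getUser(user_name)
        if (find_user_by_uid == None):
            print "Basic (with password update). Authenticate for step 2. Failed to find user"
            return False
        user_expDate = find_user_by_uid.getAttribute("oxPasswordExpirationDate", False)
        if (user_expDate == None):
            print "Failed to get Date"
            return False
        print "Exp Date is : '" + user_expDate + "' ."
        now = datetime.datetime.now()
        myDate = self.parseDate(user_expDate)
        prevExpDate = self.previousExpDate(myDate)
        newExpDate = self.newExpirationDate(myDate)
        # Serialise the next expiration date as "yymmdd195000Z", the form the
        # attribute is read back in. The original added the strftime() result
        # to the datetime object itself, which raises TypeError.
        expDate = newExpDate.strftime("%y%m%d") + "195000Z"
        if prevExpDate < now:
            # Password has expired: stage the new expiration date on the entry
            # (persisted by updateUser() below).
            print "Basic (with password update). Authenticate for step 2"
            find_user_by_uid.setAttribute("oxPasswordExpirationDate", expDate)
        update_button = requestParameters.get("loginForm:updateButton")
        if ArrayHelper.isEmpty(update_button):
            return True
        new_password_array = requestParameters.get("new_password")
        if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
            print "Basic (with password update). Authenticate for step 2. New password is empty"
            return False
        new_password = new_password_array[0]
        print "Basic (with password update). Authenticate for step 2. Attempting to set new user '" + user_name + "' password"
        # The original never applied new_password: updateUser() persisted the
        # unchanged entry while logging success. Set the password attribute so
        # the store actually receives it. No password-policy check happens here.
        find_user_by_uid.setAttribute("userPassword", new_password)
        userService.updateUser(find_user_by_uid)
        print "Basic (with password update). Authenticate for step 2. Password updated successfully"
        return True
    else:
        return False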