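    def prepareForStep(self, configurationAttributes, requestParameters, step):
        """Prepare the U2F request the login page needs before *step*.

        Only step 1 does any work: it resolves the current session id and the
        user already authenticated by the first factor, then asks the FIDO U2F
        server to start either an authentication workflow (the user has
        registered devices for ``u2f_application_id``) or a registration
        workflow (no devices yet). The resulting request objects are stored as
        JSON in the ``fido_u2f_authentication_request`` and
        ``fido_u2f_registration_request`` working parameters; whichever
        workflow was not started is stored as ``null``.

        Returns True when the working parameters were populated and False when
        the session id, the user or the U2F server call could not be resolved.
        Any other step falls off the end (returns None), which is falsy.
        """
        print("U2F. prepareForStep called for step %s" % step)
        identity = CdiUtil.bean(Identity)

        if step == 1:
            session_id = CdiUtil.bean(SessionIdService).getSessionIdFromCookie()
            if StringHelper.isEmpty(session_id):
                print("U2F. Prepare for step 1. Failed to determine session_id")
                return False

            # The U2F challenge is bound to the user id of the first factor's
            # result, so the user must already be authenticated here.
            authenticationService = CdiUtil.bean(AuthenticationService)
            user = authenticationService.getAuthenticatedUser()
            if user is None:
                print("U2F. Prepare for step 1. Failed to determine user name")
                return False

            u2f_application_id = configurationAttributes.get("u2f_application_id").getValue2()

            # Check if user have registered devices
            deviceRegistrationService = CdiUtil.bean(DeviceRegistrationService)
            userInum = user.getAttribute("inum")

            registrationRequest = None
            authenticationRequest = None

            deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, u2f_application_id)
            if deviceRegistrations.size() > 0:
                print("U2F. Prepare for step 1. Call FIDO U2F in order to start authentication workflow")

                try:
                    authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration)
                    authenticationRequest = authenticationRequestService.startAuthentication(user.getUserId(), None, u2f_application_id, session_id)
                except ClientResponseFailure as ex:
                    # A NOT_FOUND answer is tolerated: authenticationRequest
                    # stays None and the page receives a null request.
                    # NOTE(review): presumably the page then offers enrollment;
                    # confirm against the page template.
                    if ex.getResponse().getResponseStatus() != Response.Status.NOT_FOUND:
                        print("U2F. Prepare for step 1. Failed to start authentication workflow. Exception: %s" % ex)
                        return False
            else:
                print("U2F. Prepare for step 1. Call FIDO U2F in order to start registration workflow")
                registrationRequestService = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration)
                registrationRequest = registrationRequestService.startRegistration(user.getUserId(), u2f_application_id, session_id)

            identity.setWorkingParameter("fido_u2f_authentication_request", ServerUtil.asJson(authenticationRequest))
            identity.setWorkingParameter("fido_u2f_registration_request", ServerUtil.asJson(registrationRequest))

            return True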
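    def prepareForStep(self, configurationAttributes, requestParameters, step):
        """Prepare the U2F request the login page needs before *step*.

        Step 1 (the password page) needs nothing and returns True. Step 2
        resolves the current session id and the user authenticated in step 1,
        then asks the FIDO U2F server to start either an authentication
        workflow (the user has registered devices for ``u2f_application_id``)
        or a registration workflow (no devices yet). The resulting request
        objects are stored as JSON in the ``fido_u2f_authentication_request``
        and ``fido_u2f_registration_request`` working parameters; whichever
        workflow was not started is stored as ``null``.

        Returns True when the page can be rendered and False when the session
        id, the user or the U2F server call could not be resolved. Any other
        step falls off the end (returns None), which is falsy.
        """
        identity = CdiUtil.bean(Identity)

        if step == 1:
            return True

        if step == 2:
            print("U2F. Prepare for step 2")

            session_id = CdiUtil.bean(SessionIdService).getSessionIdFromCookie()
            if StringHelper.isEmpty(session_id):
                print("U2F. Prepare for step 2. Failed to determine session_id")
                return False

            # The U2F challenge is bound to the user id of the first factor's
            # result, so the user must already be authenticated here.
            authenticationService = CdiUtil.bean(AuthenticationService)
            user = authenticationService.getAuthenticatedUser()
            if user is None:
                print("U2F. Prepare for step 2. Failed to determine user name")
                return False

            u2f_application_id = configurationAttributes.get("u2f_application_id").getValue2()

            # Check if user have registered devices
            deviceRegistrationService = CdiUtil.bean(DeviceRegistrationService)
            userInum = user.getAttribute("inum")

            registrationRequest = None
            authenticationRequest = None

            deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, u2f_application_id)
            if deviceRegistrations.size() > 0:
                print("U2F. Prepare for step 2. Call FIDO U2F in order to start authentication workflow")

                try:
                    authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration)
                    authenticationRequest = authenticationRequestService.startAuthentication(user.getUserId(), None, u2f_application_id, session_id)
                except ClientResponseFailure as ex:
                    # A NOT_FOUND answer is tolerated: authenticationRequest
                    # stays None and the page receives a null request.
                    # NOTE(review): presumably the page then offers enrollment;
                    # confirm against the page template.
                    if ex.getResponse().getResponseStatus() != Response.Status.NOT_FOUND:
                        print("U2F. Prepare for step 2. Failed to start authentication workflow. Exception: %s" % ex)
                        return False
            else:
                print("U2F. Prepare for step 2. Call FIDO U2F in order to start registration workflow")
                registrationRequestService = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration)
                registrationRequest = registrationRequestService.startRegistration(user.getUserId(), u2f_application_id, session_id)

            identity.setWorkingParameter("fido_u2f_authentication_request", ServerUtil.asJson(authenticationRequest))
            identity.setWorkingParameter("fido_u2f_registration_request", ServerUtil.asJson(registrationRequest))

            return True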
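    def init(self, customScript, configurationAttributes):
        """Download the FIDO U2F server metadata and keep it on self.

        Reads ``u2f_server_uri`` from the script configuration, derives the
        ``/.well-known/fido-configuration`` metadata URL from it and fetches
        the metadata into ``self.metaDataConfiguration``, retrying up to
        ``max_attempts`` times with a 3 s pause while the server answers
        SERVICE_UNAVAILABLE or the client raises ResteasyClientException.
        Any other HTTP status, or running out of attempts, re-raises the
        exception so the script does not start without metadata.
        """
        print("U2F. Initialization")

        print("U2F. Initialization. Downloading U2F metadata")
        u2f_server_uri = configurationAttributes.get("u2f_server_uri").getValue2()
        # NOTE(review): the URI is used as configured; the U2F endpoints the
        # script later trusts come from this document, so the deployment
        # should point it at an https:// address — confirm in the config.
        u2f_server_metadata_uri = u2f_server_uri + "/.well-known/fido-configuration"
        #u2f_server_metadata_uri = u2f_server_uri + "/oxauth/restv1/fido-configuration"

        metaDataConfigurationService = FidoU2fClientFactory.instance().createMetaDataConfigurationService(u2f_server_metadata_uri)

        max_attempts = 20
        for attempt in range(1, max_attempts + 1):
            try:
                self.metaDataConfiguration = metaDataConfigurationService.getMetadataConfiguration()
                break
            except ClientResponseFailure as ex:
                # Retry only while the server answers 503; any other status, or
                # the last attempt, is fatal. A bare ``raise`` keeps the
                # original traceback, which ``raise ex`` would discard.
                if attempt == max_attempts or ex.getResponse().getResponseStatus() != Response.Status.SERVICE_UNAVAILABLE:
                    raise

                java.lang.Thread.sleep(3000)
                print("Attempting to load metadata: %d" % attempt)
            except ResteasyClientException:
                # No HTTP status to inspect here, so retry until the attempts
                # run out.
                if attempt == max_attempts:
                    raise

                java.lang.Thread.sleep(3000)
                print("Attempting to load metadata: %d" % attempt)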
 def prepareFidoAuthentication(self, username, identity):
     """Start a U2F authentication for *username* and hand it to the page.

     Records *username* under Constants.AUTHENTICATED_USER in the session
     attributes, asks the U2F server for an authentication request bound to
     self.u2fApplicationId and the current session id, and stores that
     request as JSON in the ``fido_u2f_authentication_request`` working
     parameter.
     """
     session = identity.getSessionId()
     session.getSessionAttributes().put(Constants.AUTHENTICATED_USER, username)

     request_service = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration)
     auth_request = request_service.startAuthentication(username, None, self.u2fApplicationId, session.getId())
     identity.setWorkingParameter("fido_u2f_authentication_request", ServerUtil.asJson(auth_request))
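    def init(self, configurationAttributes):
        """Download the FIDO U2F server metadata and keep it on self.

        Reads ``u2f_server_uri`` from the script configuration, derives the
        ``/.well-known/fido-u2f-configuration`` metadata URL from it and
        fetches the metadata into ``self.metaDataConfiguration``, retrying up
        to ``max_attempts`` times with a 3 s pause while the server answers
        SERVICE_UNAVAILABLE or the client raises ResteasyClientException.
        Any other HTTP status, or running out of attempts, re-raises the
        exception so the script does not start without metadata.
        """
        print("U2F. Initialization")

        print("U2F. Initialization. Downloading U2F metadata")
        u2f_server_uri = configurationAttributes.get("u2f_server_uri").getValue2()
        # NOTE(review): the URI is used as configured; the U2F endpoints the
        # script later trusts come from this document, so the deployment
        # should point it at an https:// address — confirm in the config.
        u2f_server_metadata_uri = u2f_server_uri + "/.well-known/fido-u2f-configuration"

        metaDataConfigurationService = FidoU2fClientFactory.instance().createMetaDataConfigurationService(u2f_server_metadata_uri)

        max_attempts = 20
        for attempt in range(1, max_attempts + 1):
            try:
                self.metaDataConfiguration = metaDataConfigurationService.getMetadataConfiguration()
                break
            except ClientResponseFailure as ex:
                # Retry only while the server answers 503; any other status, or
                # the last attempt, is fatal. A bare ``raise`` keeps the
                # original traceback, which ``raise ex`` would discard.
                if attempt == max_attempts or ex.getResponse().getResponseStatus() != Response.Status.SERVICE_UNAVAILABLE:
                    raise

                java.lang.Thread.sleep(3000)
                print("Attempting to load metadata: %d" % attempt)
            except ResteasyClientException:
                # No HTTP status to inspect here, so retry until the attempts
                # run out.
                if attempt == max_attempts:
                    raise

                java.lang.Thread.sleep(3000)
                print("Attempting to load metadata: %d" % attempt)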
    def registerFIDO(self, requestParameters, username, identity):
        """Finish a U2F device registration for *username*.

        Takes the browser's ``tokenResponse`` request parameter, completes the
        registration against the U2F server and, when the server reports
        Constants.RESULT_SUCCESS, removes the user's TOTP enrolment through
        self.deleteTOTP. On any other status the ``flow`` working parameter is
        set to "Error" so the error page is shown. Returns True on success and
        False otherwise.
        """
        print("MFA. registerFIDO called")

        token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse")
        registration_service = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration)
        result = registration_service.finishRegistration(username, token_response)

        if result.getStatus() == Constants.RESULT_SUCCESS:
            self.deleteTOTP(username, identity)
            return True

        print("MFA. Register FIDO. Failed to register U2F device")
        identity.setWorkingParameter("flow", "Error") # Trigger the error page
        return False
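    def init(self, configurationAttributes):
        """Load the page customization JSON and the FIDO U2F server metadata.

        First reads the file named by ``custom_page_content_file`` into
        ``self.customPageContent``; an unreadable or non-JSON file is reported
        and makes the method return False. Then reads ``u2f_server_uri``,
        derives the ``/.well-known/fido-u2f-configuration`` metadata URL from
        it and fetches the metadata into ``self.metaDataConfiguration``,
        retrying up to ``max_attempts`` times with a 3 s pause while the
        server answers SERVICE_UNAVAILABLE or the client raises
        ResteasyClientException. Any other HTTP status, or running out of
        attempts, re-raises the exception so the script does not start
        without metadata.
        """
        print("U2F. Initialization")

        # Load customization content from file
        content_file = configurationAttributes.get("custom_page_content_file").getValue2()
        with open(content_file, 'r') as f:
            try:
                self.customPageContent = json.loads(f.read())
            except (IOError, ValueError):
                # Only read and parse failures are handled here; a bare
                # ``except`` would also swallow interrupts and programming
                # errors.
                print("U2F. Initialization. Failed to load RP customization content from file: %s" % content_file)
                return False

        print("U2F. Initialization. Downloading U2F metadata")
        u2f_server_uri = configurationAttributes.get("u2f_server_uri").getValue2()
        # NOTE(review): the URI is used as configured; the U2F endpoints the
        # script later trusts come from this document, so the deployment
        # should point it at an https:// address — confirm in the config.
        u2f_server_metadata_uri = u2f_server_uri + "/.well-known/fido-u2f-configuration"

        metaDataConfigurationService = FidoU2fClientFactory.instance().createMetaDataConfigurationService(u2f_server_metadata_uri)

        max_attempts = 20
        for attempt in range(1, max_attempts + 1):
            try:
                self.metaDataConfiguration = metaDataConfigurationService.getMetadataConfiguration()
                break
            except ClientResponseFailure as ex:
                # Retry only while the server answers 503; any other status, or
                # the last attempt, is fatal. A bare ``raise`` keeps the
                # original traceback, which ``raise ex`` would discard.
                if attempt == max_attempts or ex.getResponse().getResponseStatus() != Response.Status.SERVICE_UNAVAILABLE:
                    raise

                java.lang.Thread.sleep(3000)
                print("Attempting to load metadata: %d" % attempt)
            except ResteasyClientException:
                # No HTTP status to inspect here, so retry until the attempts
                # run out.
                if attempt == max_attempts:
                    raise

                java.lang.Thread.sleep(3000)
                print("Attempting to load metadata: %d" % attempt)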
    def authenticateFIDO(self, requestParameters, username, identity):
        """Finish a U2F authentication for *username*.

        Applies the authentication-protection delay for the user when that
        service is enabled, then completes the authentication against the U2F
        server with the browser's ``tokenResponse`` parameter. A result other
        than Constants.RESULT_SUCCESS adds the ``mfa.FIDOInvalid`` message to
        the faces messages. When protection is enabled, the attempt is
        recorded as succeeded or failed. Returns True on success and False
        otherwise.
        """
        facesMessages = CdiUtil.bean(FacesMessages)
        languageBean = CdiUtil.bean(LanguageBean)
        authenticationProtectionService = CdiUtil.bean(AuthenticationProtectionService)

        facesMessages.setKeepMessages()

        if authenticationProtectionService.isEnabled():
            authenticationProtectionService.doDelayIfNeeded(username)

        token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse")
        request_service = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration)
        result = request_service.finishAuthentication(username, token_response)

        succeeded = result.getStatus() == Constants.RESULT_SUCCESS
        if not succeeded:
            print("MFA. Authenticate FIDO. Failed to authenticate  U2F device")
            facesMessages.add(FacesMessage.SEVERITY_ERROR, languageBean.getMessage("mfa.FIDOInvalid"))

        # Record the outcome after any error message so the order of side
        # effects matches the success/failure branches above.
        if authenticationProtectionService.isEnabled():
            authenticationProtectionService.storeAttempt(username, succeeded)

        return succeeded
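    def loadFIDOConfiguration(self, configurationAttributes):
        """Read the U2F settings and download the FIDO U2F server metadata.

        Requires the ``u2f_application_id`` and ``u2f_server_uri``
        configuration properties; a missing property is reported and makes
        the method return False. ``u2f_application_id`` is kept on
        ``self.u2fApplicationId`` (the app id the authentication requests are
        bound to). The metadata at ``<u2f_server_uri>/.well-known/
        fido-u2f-configuration`` is fetched into
        ``self.metaDataConfiguration``, retrying up to ``max_attempts`` times
        with a 3 s pause while the server answers SERVICE_UNAVAILABLE or the
        client raises ResteasyClientException. Any other HTTP status, or
        running out of attempts, re-raises the exception.

        Returns None after a successful download (the caller treats a missing
        False as success), False when a mandatory property is absent.
        """

        print("MFA. Downloading U2F metadata")

        # The application id must come from its own property: reading
        # u2f_server_uri here would bind every U2F request to the wrong
        # app id and make the presence check above pointless.
        if not configurationAttributes.containsKey("u2f_application_id"):
            print("MFA. Initialization. Property u2f_application_id is mandatory")
            return False
        self.u2fApplicationId = configurationAttributes.get("u2f_application_id").getValue2()

        if not configurationAttributes.containsKey("u2f_server_uri"):
            print("MFA. Initialization. Property u2f_server_uri is mandatory")
            return False
        u2f_server_uri = configurationAttributes.get("u2f_server_uri").getValue2()
        # NOTE(review): the URI is used as configured; the U2F endpoints the
        # script later trusts come from this document, so the deployment
        # should point it at an https:// address — confirm in the config.
        u2f_server_metadata_uri = u2f_server_uri + "/.well-known/fido-u2f-configuration"

        metaDataConfigurationService = FidoU2fClientFactory.instance().createMetaDataConfigurationService(u2f_server_metadata_uri)

        max_attempts = 20
        for attempt in range(1, max_attempts + 1):
            try:
                self.metaDataConfiguration = metaDataConfigurationService.getMetadataConfiguration()
                break
            except WebApplicationException as ex:
                # Retry only while the server answers 503; any other status, or
                # the last attempt, is fatal. A bare ``raise`` keeps the
                # original traceback, which ``raise ex`` would discard.
                if attempt == max_attempts or ex.getResponse().getStatus() != Response.Status.SERVICE_UNAVAILABLE.getStatusCode():
                    raise

                java.lang.Thread.sleep(3000)
                print("Attempting to load metadata: %d" % attempt)
            except ResteasyClientException:
                # No HTTP status to inspect here, so retry until the attempts
                # run out.
                if attempt == max_attempts:
                    raise

                java.lang.Thread.sleep(3000)
                print("Attempting to load metadata: %d" % attempt)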
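    def authenticate(self, configurationAttributes, requestParameters, step):
        """Validate one step of the password + U2F login flow.

        Step 1 checks the username/password from the identity's credentials
        with AuthenticationService; a session that already carries an
        authenticated user passes without re-checking the password. Step 2
        takes the ``tokenResponse`` and ``authMethod`` request parameters and
        finishes either a U2F authentication (``authenticate``) or a device
        enrolment (``enroll``) against the U2F server, bound to the user
        authenticated in step 1. Note that enrolment is accepted right after
        the password factor, i.e. it is the path by which a password-only
        session registers its first device.

        Returns True when the step succeeded; False for a failed password
        check, a missing parameter, a missing user, an unknown method, a
        non-success status from the U2F server, or any other step.
        """
        authenticationService = CdiUtil.bean(AuthenticationService)

        identity = CdiUtil.bean(Identity)
        credentials = identity.getCredentials()

        user_name = credentials.getUsername()

        if step == 1:
            print("U2F. Authenticate for step 1")

            # An already-authenticated session skips the password check.
            if authenticationService.getAuthenticatedUser() is not None:
                return True

            user_password = credentials.getPassword()
            logged_in = False
            if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
                logged_in = authenticationService.authenticate(user_name, user_password)

            return bool(logged_in)

        if step == 2:
            print("U2F. Authenticate for step 2")

            token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse")
            if token_response is None:
                print("U2F. Authenticate for step 2. tokenResponse is empty")
                return False

            auth_method = ServerUtil.getFirstValue(requestParameters, "authMethod")
            if auth_method is None:
                print("U2F. Authenticate for step 2. authMethod is empty")
                return False

            # The token is verified against the user established in step 1,
            # never against a user name supplied with the request.
            user = authenticationService.getAuthenticatedUser()
            if user is None:
                print("U2F. Authenticate for step 2. Failed to determine user name")
                return False

            if auth_method == 'authenticate':
                print("U2F. Authenticate for step 2. Call FIDO U2F in order to finish authentication workflow")
                authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration)
                authenticationStatus = authenticationRequestService.finishAuthentication(user.getUserId(), token_response)

                if authenticationStatus.getStatus() != Constants.RESULT_SUCCESS:
                    print("U2F. Authenticate for step 2. Get invalid authentication status from FIDO U2F server")
                    return False

                return True

            if auth_method == 'enroll':
                print("U2F. Authenticate for step 2. Call FIDO U2F in order to finish registration workflow")
                registrationRequestService = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration)
                registrationStatus = registrationRequestService.finishRegistration(user.getUserId(), token_response)

                if registrationStatus.getStatus() != Constants.RESULT_SUCCESS:
                    print("U2F. Authenticate for step 2. Get invalid registration status from FIDO U2F server")
                    return False

                return True

            print("U2F. Authenticate for step 2. Authentication method is invalid")
            return False

        return False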
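    def authenticate(self, configurationAttributes, requestParameters, step):
        """Validate one step of the password + U2F login flow.

        Step 1 checks the username/password from the identity's credentials
        with AuthenticationService. Step 2 takes the ``tokenResponse`` and
        ``authMethod`` request parameters and finishes either a U2F
        authentication (``authenticate``) or a device enrolment (``enroll``)
        against the U2F server, bound to the user authenticated in step 1.
        Note that enrolment is accepted right after the password factor, i.e.
        it is the path by which a password-only session registers its first
        device.

        Returns True when the step succeeded; False for a failed password
        check, a missing parameter, a missing user, an unknown method, a
        non-success status from the U2F server, or any other step.
        """
        authenticationService = CdiUtil.bean(AuthenticationService)

        identity = CdiUtil.bean(Identity)
        credentials = identity.getCredentials()

        user_name = credentials.getUsername()

        if step == 1:
            print("U2F. Authenticate for step 1")

            user_password = credentials.getPassword()
            logged_in = False
            if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
                logged_in = authenticationService.authenticate(user_name, user_password)

            return bool(logged_in)

        if step == 2:
            print("U2F. Authenticate for step 2")

            token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse")
            if token_response is None:
                print("U2F. Authenticate for step 2. tokenResponse is empty")
                return False

            auth_method = ServerUtil.getFirstValue(requestParameters, "authMethod")
            if auth_method is None:
                print("U2F. Authenticate for step 2. authMethod is empty")
                return False

            # The token is verified against the user established in step 1,
            # never against a user name supplied with the request.
            user = authenticationService.getAuthenticatedUser()
            if user is None:
                print("U2F. Authenticate for step 2. Failed to determine user name")
                return False

            if auth_method == 'authenticate':
                print("U2F. Authenticate for step 2. Call FIDO U2F in order to finish authentication workflow")
                authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration)
                authenticationStatus = authenticationRequestService.finishAuthentication(user.getUserId(), token_response)

                if authenticationStatus.getStatus() != Constants.RESULT_SUCCESS:
                    print("U2F. Authenticate for step 2. Get invalid authentication status from FIDO U2F server")
                    return False

                return True

            if auth_method == 'enroll':
                print("U2F. Authenticate for step 2. Call FIDO U2F in order to finish registration workflow")
                registrationRequestService = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration)
                registrationStatus = registrationRequestService.finishRegistration(user.getUserId(), token_response)

                if registrationStatus.getStatus() != Constants.RESULT_SUCCESS:
                    print("U2F. Authenticate for step 2. Get invalid registration status from FIDO U2F server")
                    return False

                return True

            print("U2F. Authenticate for step 2. Authentication method is invalid")
            return False

        return False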
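    def authenticate(self, configurationAttributes, requestParameters, step):
        """Validate the U2F step of the MFA flow.

        Only step 1 is handled; every other step returns False. Before the
        token is checked, two alternate page actions (resolved through
        self.alternateActionRequested) short-circuit the flow by rewriting the
        session's ``authenticationFlow`` attribute and re-saving the session:

        * ``recover`` while the flow is ``MFA_VALIDATION`` switches to
          ``ATTEMPT_RECOVERY`` (the recovery path replaces the U2F token);
        * ``cancel`` outside ``MFA_VALIDATION`` switches to
          ``RESTART_ENROLLMENT``.

        Otherwise ``authMethod`` selects whether ``tokenResponse`` finishes a
        U2F authentication (``authenticate``) or a device enrolment
        (``enroll``) against the U2F server, both bound to the already
        authenticated user's id. A successful enrolment moves the flow to
        ``NEW_RECOVERY_CODE`` and sets ``count_login_steps`` to 2.

        Returns True on success; False for a missing parameter, a missing
        user, an unknown method or a non-success status from the U2F server.
        """
        print("U2F. authenticate called for step %s" % step)

        if step != 1:
            return False

        identity = CdiUtil.bean(Identity)
        session = identity.getSessionId()
        session_attributes = session.getSessionAttributes()
        alternateAction = self.alternateActionRequested(requestParameters)
        authenticationFlow = session_attributes.get("authenticationFlow")

        # For authentication first check if recovery was chosen, set value to ATTEMPT_RECOVERY
        if alternateAction == 'recover' and authenticationFlow == 'MFA_VALIDATION':
            session_attributes.put("validationAcr", "mfa_u2f")
            session_attributes.put("authenticationFlow", "ATTEMPT_RECOVERY")
            identity.setWorkingParameter("count_login_steps", 2)
            CdiUtil.bean(SessionIdService).updateSessionId(session)
            return True

        # For authentication then check if someone enrolling clicked CANCEL button
        if alternateAction == 'cancel' and authenticationFlow != 'MFA_VALIDATION':
            session_attributes.put("authenticationFlow", "RESTART_ENROLLMENT")
            identity.setWorkingParameter("count_login_steps", 2)
            CdiUtil.bean(SessionIdService).updateSessionId(session)
            return True

        # get auth_method
        auth_method = ServerUtil.getFirstValue(requestParameters, "authMethod")
        if auth_method is None:
            print("U2F. Authenticate for step 1. authMethod is empty")
            return False

        token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse")
        if token_response is None:
            print("U2F. Authenticate for step 1. tokenResponse is empty")
            return False

        # The token is verified against the user already established in the
        # session, never against a user name supplied with the request.
        user = CdiUtil.bean(AuthenticationService).getAuthenticatedUser()
        if user is None:
            print("U2F. Authenticate for step 1. Failed to determine user name")
            return False

        if auth_method == 'authenticate':
            print("U2F. Authenticate for step 1. Call FIDO U2F in order to finish authentication workflow")
            authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration)
            authenticationStatus = authenticationRequestService.finishAuthentication(user.getUserId(), token_response)

            if authenticationStatus.getStatus() != Constants.RESULT_SUCCESS:
                print("U2F. Authenticate for step 1. Get invalid authentication status from FIDO U2F server")
                return False

            return True

        if auth_method == 'enroll':
            print("U2F. Authenticate for step 1. Call FIDO U2F in order to finish registration workflow")
            registrationRequestService = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration)
            registrationStatus = registrationRequestService.finishRegistration(user.getUserId(), token_response)

            if registrationStatus.getStatus() != Constants.RESULT_SUCCESS:
                print("U2F. Authenticate for step 1. Get invalid registration status from FIDO U2F server")
                return False

            # A newly enrolled device is followed by the recovery-code step.
            session_attributes.put("authenticationFlow", "NEW_RECOVERY_CODE")
            identity.setWorkingParameter("count_login_steps", 2)
            CdiUtil.bean(SessionIdService).updateSessionId(session)
            print("U2F. Authenticate for step 1. Call FIDO U2F in order to finish registration workflow")
            return True

        print("U2F. Authenticate for step 1. Authentication method is invalid")
        return False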