def getProviderFromJson(self, providerJson):
        """Extract the provider name from a base64url-encoded JSON document.

        *providerJson* is base64url-decoded, parsed as JSON and the value
        stored under ``self.providerKey`` is returned. Any failure on the way
        (bad encoding, invalid JSON, missing key) is logged and None is
        returned instead of raising. The returned value is not checked here
        against any list of known providers; callers are expected to do that.
        """
        try:
            payload = json.loads(Base64Util.base64urldecodeToString(providerJson))
            return payload[self.providerKey]
        except:
            # Bare except kept on purpose: under Jython the decode step may
            # raise a Java exception as well as a Python one.
            print "Passport. getProviderFromJson. Could not parse provided Json string. Returning None"

        return None
    def getProviderFromJson(self, providerJson):
        """Return the provider named in a base64url-encoded JSON string.

        Decodes *providerJson*, parses it as JSON and looks up
        ``self.providerKey``. Decoding, parsing or lookup failures are
        logged and yield None rather than an exception. No validation of
        the provider value happens here.
        """
        result = None
        try:
            decodedJson = Base64Util.base64urldecodeToString(providerJson)
            result = json.loads(decodedJson)[self.providerKey]
        except:
            # Bare except kept on purpose: Java exceptions raised through
            # Jython must be swallowed here as well.
            print "Passport. getProviderFromJson. Could not parse provided Json string. Returning None"
        return result
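 def parseLoginHint(self):
     """Read and decrypt the ``login_hint`` request parameter.

     The parameter is base64url-decoded, decrypted with ``self.aesKey`` and
     split on ``'|'`` into the pairwise identifier and the relying party.

     Returns:
         A ``(pairwiseId, relyingParty)`` tuple.

     Raises:
         MFAError: when ``login_hint`` is absent, or when the decrypted value
             does not have the expected ``<pairwiseId>|<relyingParty>`` shape.
     """
     # Inject dependencies
     facesResources = CdiUtil.bean(FacesResources)

     facesContext = facesResources.getFacesContext()
     httpRequest = facesContext.getCurrentInstance().getExternalContext().getRequest()
     loginHint = httpRequest.getParameter("login_hint")
     if loginHint is None:
         raise MFAError("ERROR: login_hint is not set, no user context for authentication")

     # NOTE(review): AES decryption on its own does not authenticate the hint;
     # confirm decryptAES (or an upstream check) rejects tampered ciphertext
     # rather than returning garbage that is then split below.
     decryptedLoginHint = self.decryptAES(self.aesKey, Base64Util.base64urldecodeToString(loginHint))
     hintParts = decryptedLoginHint.split('|')
     # A hint without the separator used to surface as IndexError; report it
     # through the same error type as the missing-parameter case.
     if len(hintParts) < 2:
         raise MFAError("ERROR: login_hint is malformed, no user context for authentication")
     pairwiseId = hintParts[0]
     relyingParty = hintParts[1]

     return pairwiseId, relyingParty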
    def getUser(self, loginHint):
        """Resolve, or create, the local user referenced by an encrypted login hint.

        *loginHint* is base64url-decoded, decrypted with ``self.aesKey`` and
        expected to read ``<pairwiseId>|<relyingParty>``. The relying party is
        stored in the session under ``"relyingParty"`` for later page
        customization. The user is then looked up via
        ``oxExternalUid = "sic-mfa:<pairwiseId>"``; if none exists, an account
        with a random uid is created and a pairwise subject identifier for the
        session's ``client_id`` / ``redirect_uri`` is attached to it.

        Args:
            loginHint: base64url-encoded, AES-encrypted hint string.

        Returns:
            The existing or newly created User.
        """
        print "MFA Chooser. getUser() called"

        identityBean = CdiUtil.bean(Identity)
        sessionAttrs = identityBean.getSessionId().getSessionAttributes()
        users = CdiUtil.bean(UserService)
        pairwiseIds = CdiUtil.bean(PairwiseIdentifierService)

        # Normally we would fetch by pairwise ID ... however because there is no API for that we save MFA PAI in oxExternalUid
        # NOTE(review): plain AES decryption does not authenticate the hint;
        # confirm decryptAES (or an upstream check) rejects tampered input.
        decrypted = self.decryptAES(
            self.aesKey, Base64Util.base64urldecodeToString(loginHint))
        hintParts = decrypted.split('|')
        pairwiseId = hintParts[0]
        relyingParty = hintParts[1]

        # set APP for future reference in page customization
        sessionAttrs.put("relyingParty", relyingParty)

        # Get the user service and fetch the user
        externalUid = "sic-mfa:" + pairwiseId
        print "MFA Chooser: getUser(). Looking up user with externalUid = '%s'" % externalUid
        user = users.getUserByAttribute("oxExternalUid", externalUid)

        if user is not None:
            return user

        # Create a new account
        print "MFA Chooser. authenticate. Creating new user with externalUid = '%s'" % (
            externalUid)
        newUser = User()
        newUser.setAttribute("uid", uuid.uuid4().hex)
        newUser.setAttribute("oxExternalUid", externalUid)
        user = users.addUser(newUser, True)

        # add a Pairwise Subject Identifier for the OIDC Client
        userInum = user.getAttribute("inum")
        clientId = sessionAttrs.get("client_id")
        sectorIdentifierUri = sessionAttrs.get("redirect_uri")

        pairwiseSubject = PairwiseIdentifier(sectorIdentifierUri, clientId)
        pairwiseSubject.setId(pairwiseId)
        pairwiseDn = pairwiseIds.getDnForPairwiseIdentifier(
            pairwiseSubject.getId(), userInum)
        pairwiseSubject.setDn(pairwiseDn)
        pairwiseIds.addPairwiseIdentifier(userInum, pairwiseSubject)

        return user
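    def set_relying_party_login_url(identity):
        """Derive the relying-party login URL from the ``state`` JWT and store it.

        Reads the ``state`` session attribute, base64url-decodes its payload
        segment and, when the payload carries ``additional_claims`` with a
        relying-party id, records that id under ``RELYING_PARTY_ID`` and a
        matching login URL under ``RELYING_PARTY_LOGIN_URL``. The URL stays
        empty whenever no specific mapping applies (Gluu's default login is
        used then).

        Args:
            identity: the Identity bean holding the session and working parameters.

        Returns:
            None. Results are published through ``identity.setWorkingParameter``.
        """
        print "ThumbSignIn. Inside set_relying_party_login_url..."
        session_id = identity.getSessionId()
        session_attribute = session_id.getSessionAttributes()
        state_jwt_token = session_attribute.get("state")
        print "ThumbSignIn. Value of state_jwt_token is %s" % state_jwt_token
        relying_party_login_url = ""

        # NOTE(review): only the payload segment is decoded here; the JWT
        # signature is not checked in this function. Confirm the token is
        # verified upstream before its claims are trusted beyond routing.
        state_jwt_token_array = None
        if state_jwt_token is not None and "." in state_jwt_token:
            state_jwt_token_array = String(state_jwt_token).split("\\.")
        # Java String.split drops trailing empty segments ("abc." -> ["abc"]),
        # so a dot alone does not guarantee a payload segment at index 1.
        if state_jwt_token_array is None or len(state_jwt_token_array) < 2:
            print "ThumbSignIn. Value of state parameter is not in the format of JWT Token"
            identity.setWorkingParameter(RELYING_PARTY_LOGIN_URL,
                                         relying_party_login_url)
            return None

        state_jwt_token_payload = state_jwt_token_array[1]
        state_payload_str = String(
            Base64Util.base64urldecode(state_jwt_token_payload), "UTF-8")
        state_payload_json = JSONObject(state_payload_str)
        print "ThumbSignIn. Value of state JWT token Payload is %s" % state_payload_json
        if state_payload_json.has("additional_claims"):
            additional_claims = state_payload_json.get("additional_claims")
            relying_party_id = additional_claims.get(RELYING_PARTY_ID)
            print "ThumbSignIn. Value of relying_party_id is %s" % relying_party_id
            identity.setWorkingParameter(RELYING_PARTY_ID, relying_party_id)

            if String(relying_party_id).startsWith("google.com"):
                # Expected shape: google.com/a/<hosted-domain>
                relying_party_id_array = String(relying_party_id).split("/")
                if len(relying_party_id_array) > 2:
                    google_domain = relying_party_id_array[2]
                    print "ThumbSignIn. Value of google_domain is %s" % google_domain
                    # The domain is interpolated unencoded; it originates from
                    # the state token, so its validation relies on the
                    # token being verified upstream (see note above).
                    relying_party_login_url = "https://www.google.com/accounts/AccountChooser?hd=" + google_domain + "%26continue=https://apps.google.com/user/hub"
                else:
                    # No hosted-domain segment: fall back to the default login
                    print "ThumbSignIn. Value of relying_party_id has no domain segment, using default login URL"
                    relying_party_login_url = ""
                # elif (String(relying_party_id).startsWith("xyz")):
                # relying_party_login_url = "xyz.com"
            else:
                # If relying_party_login_url is empty, Gluu's default login URL will be used
                relying_party_login_url = ""

        print "ThumbSignIn. Value of relying_party_login_url is %s" % relying_party_login_url
        identity.setWorkingParameter(RELYING_PARTY_LOGIN_URL,
                                     relying_party_login_url)
        return None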
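    def set_relying_party_login_url(identity):
        """Derive the relying-party login URL from the ``state`` JWT and store it.

        Reads the ``state`` session attribute, base64url-decodes its payload
        segment and, when the payload carries ``additional_claims`` with a
        relying-party id, records that id under ``RELYING_PARTY_ID`` and a
        matching login URL under ``RELYING_PARTY_LOGIN_URL``. The URL stays
        empty whenever no specific mapping applies (Gluu's default login is
        used then).

        Args:
            identity: the Identity bean holding the session and working parameters.

        Returns:
            None. Results are published through ``identity.setWorkingParameter``.
        """
        print "ThumbSignIn. Inside set_relying_party_login_url..."
        session_id = identity.getSessionId()
        session_attribute = session_id.getSessionAttributes()
        state_jwt_token = session_attribute.get("state")
        print "ThumbSignIn. Value of state_jwt_token is %s" % state_jwt_token
        relying_party_login_url = ""

        # NOTE(review): only the payload segment is decoded here; the JWT
        # signature is not checked in this function. Confirm the token is
        # verified upstream before its claims are trusted beyond routing.
        state_jwt_token_array = None
        if state_jwt_token is not None and "." in state_jwt_token:
            state_jwt_token_array = String(state_jwt_token).split("\\.")
        # Java String.split drops trailing empty segments ("abc." -> ["abc"]),
        # so a dot alone does not guarantee a payload segment at index 1.
        if state_jwt_token_array is None or len(state_jwt_token_array) < 2:
            print "ThumbSignIn. Value of state parameter is not in the format of JWT Token"
            identity.setWorkingParameter(RELYING_PARTY_LOGIN_URL, relying_party_login_url)
            return None

        state_jwt_token_payload = state_jwt_token_array[1]
        state_payload_str = String(Base64Util.base64urldecode(state_jwt_token_payload), "UTF-8")
        state_payload_json = JSONObject(state_payload_str)
        print "ThumbSignIn. Value of state JWT token Payload is %s" % state_payload_json
        if state_payload_json.has("additional_claims"):
            additional_claims = state_payload_json.get("additional_claims")
            relying_party_id = additional_claims.get(RELYING_PARTY_ID)
            print "ThumbSignIn. Value of relying_party_id is %s" % relying_party_id
            identity.setWorkingParameter(RELYING_PARTY_ID, relying_party_id)

            if String(relying_party_id).startsWith("google.com"):
                # Expected shape: google.com/a/<hosted-domain>
                relying_party_id_array = String(relying_party_id).split("/")
                if len(relying_party_id_array) > 2:
                    google_domain = relying_party_id_array[2]
                    print "ThumbSignIn. Value of google_domain is %s" % google_domain
                    # The domain is interpolated unencoded; it originates from
                    # the state token, so its validation relies on the
                    # token being verified upstream (see note above).
                    relying_party_login_url = "https://www.google.com/accounts/AccountChooser?hd="+ google_domain + "%26continue=https://apps.google.com/user/hub"
                else:
                    # No hosted-domain segment: fall back to the default login
                    print "ThumbSignIn. Value of relying_party_id has no domain segment, using default login URL"
                    relying_party_login_url = ""
                # elif (String(relying_party_id).startsWith("xyz")):
                # relying_party_login_url = "xyz.com"
            else:
                # If relying_party_login_url is empty, Gluu's default login URL will be used
                relying_party_login_url = ""

        print "ThumbSignIn. Value of relying_party_login_url is %s" % relying_party_login_url
        identity.setWorkingParameter(RELYING_PARTY_LOGIN_URL, relying_party_login_url)
        return None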
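    def getPassportRedirectUrl(self, provider, loginHint):
        """Build the Passport authentication URL for *provider*.

        Fetches a token from the local Passport service at
        ``https://<server name>/passport/token`` and composes the
        ``/passport/auth/...`` path with that token, a two-letter locale
        (only "en" and "fr" are kept, anything else falls back to "en") and,
        when given, the base64url-encoded *loginHint*.

        Args:
            provider: provider name; assumed to exist in self.registeredProviders.
            loginHint: optional hint forwarded to Passport, or None.

        Returns:
            The relative redirect URL, or None when the token could not be
            obtained or the response could not be parsed (the error is
            logged, not raised).
        """
        url = None
        try:
            facesContext = CdiUtil.bean(FacesContext)
            # NOTE(review): the host is taken from the incoming request's
            # server name; confirm the container/proxy pins it so the token
            # request always targets the intended Passport instance.
            serverName = facesContext.getExternalContext().getRequest().getServerName()
            tokenEndpoint = "https://%s/passport/token" % serverName

            httpService = CdiUtil.bean(HttpService)
            httpclient = httpService.getHttpsClient()

            print "Passport-social. getPassportRedirectUrl. Obtaining token from passport at %s" % tokenEndpoint
            resultResponse = httpService.executeGet(httpclient, tokenEndpoint, Collections.singletonMap("Accept", "text/json"))
            httpResponse = resultResponse.getHttpResponse()
            # named 'content' so the builtin 'bytes' is not shadowed
            content = httpService.getResponseContent(httpResponse)

            response = httpService.convertEntityToString(content)
            print "Passport-social. getPassportRedirectUrl. Response was %s" % httpResponse.getStatusLine().getStatusCode()

            locale = CdiUtil.bean(LanguageBean).getLocaleCode()[:2]
            if locale not in ("en", "fr"):
                locale = "en"

            # A non-JSON body (e.g. an error page) fails here and is caught below
            tokenObj = json.loads(response)
            if loginHint is not None:
                url = "/passport/auth/%s/%s/locale/%s/id/%s" % (provider, tokenObj["token_"], locale, Base64Util.base64urlencode(loginHint))
            else:
                url = "/passport/auth/%s/%s/locale/%s" % (provider, tokenObj["token_"], locale)
            print "Passport-social. getPassportRedirectUrl. Returning URL = %s" % url
        except:
            # Bare except kept on purpose: under Jython the HTTP and JSON calls
            # can raise Java exceptions as well as Python ones; log, return None.
            print "Passport-social. getPassportRedirectUrl. Error building redirect URL: ", sys.exc_info()[1]

        return url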
 def encodeProvider(self, name):
     """Return *name* wrapped as ``{"provider": name}`` JSON, base64url-encoded.

     The JSON text is converted to bytes through ``java.lang.String.getBytes()``
     (platform default charset) before being encoded.
     """
     document = json.dumps({"provider": name})
     return Base64Util.base64urlencode(String(document).getBytes())
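    def getPassportRedirectUrl(self, provider, issuerSpNameQualifier):
        """Build the Passport SAML authentication URL for *provider*.

        Fetches a token from the local Passport service at
        ``https://<server name>/passport/token`` and composes the
        ``/passport/auth/...`` path with that token, a two-letter locale
        (only "en" and "fr" are kept, anything else falls back to "en") and,
        when given, the base64url-encoded *issuerSpNameQualifier* under the
        ``/saml/`` segment; without a qualifier the older endpoint form is used.

        Args:
            provider: provider name; assumed to exist in self.registeredProviders.
            issuerSpNameQualifier: SAML SP name qualifier to forward, or None.

        Returns:
            The relative redirect URL, or None when the token could not be
            obtained or the response could not be parsed (the error is
            logged, not raised).
        """
        url = None
        try:
            facesContext = CdiUtil.bean(FacesContext)
            # NOTE(review): the host is taken from the incoming request's
            # server name; confirm the container/proxy pins it so the token
            # request always targets the intended Passport instance.
            serverName = facesContext.getExternalContext().getRequest().getServerName()
            tokenEndpoint = "https://%s/passport/token" % serverName

            httpService = CdiUtil.bean(HttpService)
            httpclient = httpService.getHttpsClient()

            print "Passport-saml. getPassportRedirectUrl. Obtaining token from passport at %s" % tokenEndpoint
            resultResponse = httpService.executeGet(httpclient, tokenEndpoint, Collections.singletonMap("Accept", "text/json"))
            httpResponse = resultResponse.getHttpResponse()
            # named 'content' so the builtin 'bytes' is not shadowed
            content = httpService.getResponseContent(httpResponse)

            response = httpService.convertEntityToString(content)
            print "Passport-saml. getPassportRedirectUrl. Response was %s" % httpResponse.getStatusLine().getStatusCode()

            # The raw token response and the token itself are written to the
            # log below; keep in mind when reviewing log retention/visibility.
            print "Passport-saml. getPassportRedirectUrl. Loading response %s" % response
            tokenObj = json.loads(response)
            print "Passport-saml. getPassportRedirectUrl. Building URL: provider:  %s" % provider
            print "Passport-saml. getPassportRedirectUrl. Building URL: token:     %s" % tokenObj["token_"]
            print "Passport-saml. getPassportRedirectUrl. Building URL: spNameQfr: %s" % issuerSpNameQualifier

            locale = CdiUtil.bean(LanguageBean).getLocaleCode()[:2]
            if locale not in ("en", "fr"):
                locale = "en"

            # Check if the samlissuer is there so to use the old endpoint if no collection needed
            if issuerSpNameQualifier is not None:
                url = "/passport/auth/%s/%s/locale/%s/saml/%s" % (provider, tokenObj["token_"], locale, Base64Util.base64urlencode(issuerSpNameQualifier))
            else:
                url = "/passport/auth/%s/%s/locale/%s" % (provider, tokenObj["token_"], locale)
        except:
            # Bare except kept on purpose: under Jython the HTTP and JSON calls
            # can raise Java exceptions as well as Python ones; log, return None.
            print "Passport-saml. getPassportRedirectUrl. Error building redirect URL: ", sys.exc_info()[1]

        return url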