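def getProviderFromJson(self, providerJson):
    """Extract the provider name from a base64url-encoded JSON string.

    Args:
        providerJson: base64url text that decodes to a JSON object expected
            to carry the key ``self.providerKey``.

    Returns:
        The value stored under ``self.providerKey``, or ``None`` when the
        input cannot be decoded, parsed, or lacks that key.
    """
    provider = None
    try:
        obj = json.loads(Base64Util.base64urldecodeToString(providerJson))
        provider = obj[self.providerKey]
    except Exception as e:
        # The original bare ``except`` also swallowed interpreter exits and
        # programming errors; catching ``Exception`` keeps the best-effort
        # "return None" contract (the input is typically request-supplied)
        # while leaving a trace of what actually went wrong.
        print("Passport. getProviderFromJson. Could not parse provided Json string. Returning None (%s)" % e)
    return provider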
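def parseLoginHint(self):
    """Read and decrypt the ``login_hint`` request parameter.

    The parameter is base64url text which, once AES-decrypted with
    ``self.aesKey``, has the form ``<pairwiseId>|<relyingParty>``.

    Returns:
        ``(pairwiseId, relyingParty)``.

    Raises:
        MFAError: when the parameter is absent or the decrypted value does
            not contain the expected ``|``-separated pair.
    """
    # Inject dependencies
    facesResources = CdiUtil.bean(FacesResources)
    facesContext = facesResources.getFacesContext()
    httpRequest = facesContext.getCurrentInstance().getExternalContext().getRequest()
    loginHint = httpRequest.getParameter("login_hint")
    if loginHint is None:
        raise MFAError("ERROR: login_hint is not set, no user context for authentication")
    # NOTE(review): whether decryptAES authenticates the ciphertext (an AEAD
    # mode or a MAC) is not visible here; with a plain unauthenticated mode
    # a tampered hint still decrypts to *something* -- confirm against the
    # helper before trusting the split fields.
    decryptedLoginHint = self.decryptAES(self.aesKey, Base64Util.base64urldecodeToString(loginHint))
    # Split once and check the shape; indexing [0] and [1] separately raised
    # a bare IndexError on a malformed hint instead of a domain error.
    parts = decryptedLoginHint.split('|')
    if len(parts) < 2:
        raise MFAError("ERROR: login_hint does not have the expected pairwiseId|relyingParty form")
    return parts[0], parts[1]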
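def getUser(self, loginHint):
    """Resolve, or provision, the local user behind an encrypted login hint.

    Args:
        loginHint: base64url text that AES-decrypts with ``self.aesKey`` to
            ``<pairwiseId>|<relyingParty>``.

    Returns:
        The user whose ``oxExternalUid`` equals ``sic-mfa:<pairwiseId>``;
        when none exists, a new user with a random uid is created and a
        pairwise identifier for the session's OIDC client is registered.

    Raises:
        ValueError: when the decrypted hint lacks the ``|`` separator.

    Side effect: stores ``relyingParty`` in the session attributes.
    """
    print("MFA Chooser. getUser() called")
    identity = CdiUtil.bean(Identity)
    sessionAttributes = identity.getSessionId().getSessionAttributes()
    userService = CdiUtil.bean(UserService)
    pairwiseIdentifierService = CdiUtil.bean(PairwiseIdentifierService)
    # Normally we would fetch by pairwise ID ... however because there is no
    # API for that we save MFA PAI in oxExternalUid
    loginHintDecrypted = self.decryptAES(self.aesKey, Base64Util.base64urldecodeToString(loginHint))
    # Split once and validate instead of indexing [0] and [1] blindly, which
    # surfaced a malformed hint as a bare IndexError.
    parts = loginHintDecrypted.split('|')
    if len(parts) < 2:
        raise ValueError("login_hint does not have the expected pairwiseId|relyingParty form")
    pairwiseId, relyingParty = parts[0], parts[1]
    # set APP for future reference in page customization
    sessionAttributes.put("relyingParty", relyingParty)
    # Get the user service and fetch the user
    externalUid = "sic-mfa:" + pairwiseId
    print("MFA Chooser: getUser(). Looking up user with externalUid = '%s'" % externalUid)
    user = userService.getUserByAttribute("oxExternalUid", externalUid)
    if user is None:
        # Create a new account; the uid is a random hex string, the hint's
        # pairwise id is only recorded in oxExternalUid.
        print("MFA Chooser. authenticate. Creating new user with externalUid = '%s'" % externalUid)
        newUser = User()
        username = uuid.uuid4().hex
        newUser.setAttribute("uid", username)
        newUser.setAttribute("oxExternalUid", externalUid)
        user = userService.addUser(newUser, True)
        # add a Pairwise Subject Identifier for the OIDC Client
        userInum = user.getAttribute("inum")
        oidcClientId = sessionAttributes.get("client_id")
        # NOTE(review): the session's redirect_uri is used as the sector
        # identifier URI for the pairwise subject -- confirm this matches
        # how the client registration computes pairwise subjects.
        sectorIdentifierUri = sessionAttributes.get("redirect_uri")
        pairwiseSubject = PairwiseIdentifier(sectorIdentifierUri, oidcClientId)
        pairwiseSubject.setId(pairwiseId)
        pairwiseSubject.setDn(pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseSubject.getId(), userInum))
        pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseSubject)
    return user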
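def set_relying_party_login_url(identity):
    """Derive the relying party's login URL from the ``state`` JWT in the session.

    Reads the ``state`` session attribute, base64url-decodes its payload
    segment and, when ``additional_claims`` holds a relying party id that
    starts with ``google.com``, builds a Google account-chooser URL for the
    hosted domain found in that id.  The id and the URL are stored as the
    working parameters RELYING_PARTY_ID and RELYING_PARTY_LOGIN_URL; an
    empty URL means Gluu's default login page is used.

    Args:
        identity: the Identity bean that owns the current session.

    Returns:
        None.
    """
    print("ThumbSignIn. Inside set_relying_party_login_url...")
    session_id = identity.getSessionId()
    session_attribute = session_id.getSessionAttributes()
    state_jwt_token = session_attribute.get("state")
    print("ThumbSignIn. Value of state_jwt_token is %s" % state_jwt_token)
    relying_party_login_url = ""
    if (state_jwt_token is None) or ("." not in state_jwt_token):
        print("ThumbSignIn. Value of state parameter is not in the format of JWT Token")
        identity.setWorkingParameter(RELYING_PARTY_LOGIN_URL, relying_party_login_url)
        return None
    # NOTE(review): the payload is decoded without verifying the JWT
    # signature, so every claim read below -- including the domain that is
    # placed into the redirect URL -- is only as trustworthy as whoever
    # supplied ``state``.  Verify the token before relying on its claims.
    state_jwt_token_array = String(state_jwt_token).split("\\.")
    state_jwt_token_payload = state_jwt_token_array[1]
    state_payload_str = String(Base64Util.base64urldecode(state_jwt_token_payload), "UTF-8")
    state_payload_json = JSONObject(state_payload_str)
    print("ThumbSignIn. Value of state JWT token Payload is %s" % state_payload_json)
    if state_payload_json.has("additional_claims"):
        additional_claims = state_payload_json.get("additional_claims")
        relying_party_id = additional_claims.get(RELYING_PARTY_ID)
        print("ThumbSignIn. Value of relying_party_id is %s" % relying_party_id)
        identity.setWorkingParameter(RELYING_PARTY_ID, relying_party_id)
        relying_party_id_str = String(relying_party_id)
        if relying_party_id_str.startsWith("google.com"):
            # expected shape: google.com/a/<hosted-domain>
            relying_party_id_array = relying_party_id_str.split("/")
            # Guard the index: an id of just "google.com" has no third
            # segment and used to raise IndexError here.
            if len(relying_party_id_array) > 2:
                google_domain = relying_party_id_array[2]
                print("ThumbSignIn. Value of google_domain is %s" % google_domain)
                relying_party_login_url = "https://www.google.com/accounts/AccountChooser?hd=" + google_domain + "%26continue=https://apps.google.com/user/hub"
            else:
                print("ThumbSignIn. relying_party_id has no hosted-domain segment, using default login URL")
        # elif (String(relying_party_id).startsWith("xyz")):
        #     relying_party_login_url = "xyz.com"
        else:
            # If relying_party_login_url is empty, Gluu's default login URL will be used
            relying_party_login_url = ""
    # The original print statement had its string literal broken across two
    # lines; it is one message.
    print("ThumbSignIn. Value of relying_party_login_url is %s" % relying_party_login_url)
    identity.setWorkingParameter(RELYING_PARTY_LOGIN_URL, relying_party_login_url)
    return None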
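def set_relying_party_login_url(identity):
    """Derive the relying party's login URL from the ``state`` JWT in the session.

    The ``state`` session attribute is treated as a JWT: its payload segment
    is base64url-decoded and, when ``additional_claims`` contains a relying
    party id beginning with ``google.com``, a Google account-chooser URL is
    built for the hosted domain embedded in that id.  Both the id and the
    URL are written as working parameters (RELYING_PARTY_ID,
    RELYING_PARTY_LOGIN_URL); an empty URL selects Gluu's default login page.

    Args:
        identity: the Identity bean that owns the current session.

    Returns:
        None.
    """
    print("ThumbSignIn. Inside set_relying_party_login_url...")
    session_id = identity.getSessionId()
    session_attribute = session_id.getSessionAttributes()
    state_jwt_token = session_attribute.get("state")
    print("ThumbSignIn. Value of state_jwt_token is %s" % state_jwt_token)
    relying_party_login_url = ""
    if (state_jwt_token is None) or ("." not in state_jwt_token):
        print("ThumbSignIn. Value of state parameter is not in the format of JWT Token")
        identity.setWorkingParameter(RELYING_PARTY_LOGIN_URL, relying_party_login_url)
        return None
    # NOTE(review): only the payload is decoded; the JWT signature is never
    # checked, so the claims used below (and the domain written into the
    # redirect URL) are attacker-influenced if ``state`` can be supplied by
    # the client.  Verify the token before trusting its claims.
    state_jwt_token_array = String(state_jwt_token).split("\\.")
    state_jwt_token_payload = state_jwt_token_array[1]
    state_payload_str = String(Base64Util.base64urldecode(state_jwt_token_payload), "UTF-8")
    state_payload_json = JSONObject(state_payload_str)
    print("ThumbSignIn. Value of state JWT token Payload is %s" % state_payload_json)
    if state_payload_json.has("additional_claims"):
        additional_claims = state_payload_json.get("additional_claims")
        relying_party_id = additional_claims.get(RELYING_PARTY_ID)
        print("ThumbSignIn. Value of relying_party_id is %s" % relying_party_id)
        identity.setWorkingParameter(RELYING_PARTY_ID, relying_party_id)
        rp_id = String(relying_party_id)
        if rp_id.startsWith("google.com"):
            # expected shape: google.com/a/<hosted-domain>
            segments = rp_id.split("/")
            # Index guard: "google.com" alone has no third segment and
            # previously raised IndexError.
            if len(segments) > 2:
                google_domain = segments[2]
                print("ThumbSignIn. Value of google_domain is %s" % google_domain)
                relying_party_login_url = "https://www.google.com/accounts/AccountChooser?hd=" + google_domain + "%26continue=https://apps.google.com/user/hub"
            else:
                print("ThumbSignIn. relying_party_id has no hosted-domain segment, using default login URL")
        # elif (String(relying_party_id).startsWith("xyz")):
        #     relying_party_login_url = "xyz.com"
        else:
            # If relying_party_login_url is empty, Gluu's default login URL will be used
            relying_party_login_url = ""
    # Single message; the original literal was split across two lines.
    print("ThumbSignIn. Value of relying_party_login_url is %s" % relying_party_login_url)
    identity.setWorkingParameter(RELYING_PARTY_LOGIN_URL, relying_party_login_url)
    return None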
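def getPassportRedirectUrl(self, provider, loginHint):
    """Build the Passport authorization URL for *provider*.

    Obtains a token from ``https://<server-name>/passport/token`` and embeds
    it in ``/passport/auth/<provider>/<token>/locale/<locale>``, appending
    ``/id/<base64url(loginHint)>`` when a hint is given.  The locale is the
    first two letters of the current UI locale, limited to ``en``/``fr``
    (anything else becomes ``en``).

    Args:
        provider: provider name; assumed to exist in self.registeredProviders.
        loginHint: optional login hint to forward, or None.

    Returns:
        The relative redirect URL, or None when the token could not be
        fetched or parsed (the error is logged).
    """
    url = None
    try:
        facesContext = CdiUtil.bean(FacesContext)
        # NOTE(review): the token endpoint host is the request's server
        # name, i.e. derived from the Host header; make sure the container
        # pins the virtual host so this outbound call cannot be redirected.
        tokenEndpoint = "https://%s/passport/token" % facesContext.getExternalContext().getRequest().getServerName()
        httpService = CdiUtil.bean(HttpService)
        httpclient = httpService.getHttpsClient()
        print("Passport-social. getPassportRedirectUrl. Obtaining token from passport at %s" % tokenEndpoint)
        resultResponse = httpService.executeGet(httpclient, tokenEndpoint, Collections.singletonMap("Accept", "text/json"))
        httpResponse = resultResponse.getHttpResponse()
        # named ``content`` so the ``bytes`` builtin is not shadowed
        content = httpService.getResponseContent(httpResponse)
        response = httpService.convertEntityToString(content)
        print("Passport-social. getPassportRedirectUrl. Response was %s" % httpResponse.getStatusLine().getStatusCode())
        locale = CdiUtil.bean(LanguageBean).getLocaleCode()[:2]
        if locale not in ("en", "fr"):
            locale = "en"
        tokenObj = json.loads(response)
        if loginHint is not None:
            url = "/passport/auth/%s/%s/locale/%s/id/%s" % (provider, tokenObj["token_"], locale, Base64Util.base64urlencode(loginHint))
        else:
            url = "/passport/auth/%s/%s/locale/%s" % (provider, tokenObj["token_"], locale)
        # Log provider and locale only: the full URL embeds the passport
        # token, which does not belong in the server log.
        print("Passport-social. getPassportRedirectUrl. Built redirect URL for provider %s (locale %s)" % (provider, locale))
    except Exception:
        # ``except Exception`` instead of a bare ``except`` keeps the
        # best-effort contract (return None) without also eating
        # SystemExit/KeyboardInterrupt.
        print("Passport-social. getPassportRedirectUrl. Error building redirect URL: %s" % sys.exc_info()[1])
    return url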
def encodeProvider(self, name):
    """Return *name* wrapped as the JSON object ``{"provider": name}``, base64url-encoded."""
    payload = json.dumps({"provider": name})
    return Base64Util.base64urlencode(String(payload).getBytes())
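def getPassportRedirectUrl(self, provider, issuerSpNameQualifier):
    """Build the Passport SAML authorization URL for *provider*.

    Obtains a token from ``https://<server-name>/passport/token`` and embeds
    it in ``/passport/auth/<provider>/<token>/locale/<locale>``; when an
    issuer SP name qualifier is given it is base64url-encoded and appended
    as ``/saml/<qualifier>``.  The locale is the first two letters of the
    current UI locale, limited to ``en``/``fr`` (anything else becomes ``en``).

    Args:
        provider: provider name; assumed to exist in self.registeredProviders.
        issuerSpNameQualifier: SP name qualifier to forward, or None to use
            the endpoint without it.

    Returns:
        The relative redirect URL, or None when the token could not be
        fetched or parsed (the error is logged).
    """
    url = None
    try:
        facesContext = CdiUtil.bean(FacesContext)
        # NOTE(review): the token endpoint host is the request's server
        # name, i.e. derived from the Host header; make sure the container
        # pins the virtual host so this outbound call cannot be redirected.
        tokenEndpoint = "https://%s/passport/token" % facesContext.getExternalContext().getRequest().getServerName()
        httpService = CdiUtil.bean(HttpService)
        httpclient = httpService.getHttpsClient()
        print("Passport-saml. getPassportRedirectUrl. Obtaining token from passport at %s" % tokenEndpoint)
        resultResponse = httpService.executeGet(httpclient, tokenEndpoint, Collections.singletonMap("Accept", "text/json"))
        httpResponse = resultResponse.getHttpResponse()
        # named ``content`` so the ``bytes`` builtin is not shadowed
        content = httpService.getResponseContent(httpResponse)
        response = httpService.convertEntityToString(content)
        print("Passport-saml. getPassportRedirectUrl. Response was %s" % httpResponse.getStatusLine().getStatusCode())
        tokenObj = json.loads(response)
        # The raw response body and the token itself are deliberately not
        # logged: the token is a credential for the passport endpoint.
        print("Passport-saml. getPassportRedirectUrl. Building URL: provider: %s" % provider)
        print("Passport-saml. getPassportRedirectUrl. Building URL: spNameQfr: %s" % issuerSpNameQualifier)
        locale = CdiUtil.bean(LanguageBean).getLocaleCode()[:2]
        if locale not in ("en", "fr"):
            locale = "en"
        # Check if the samlissuer is there so to use the old endpoint if no
        # collection needed
        if issuerSpNameQualifier is not None:
            url = "/passport/auth/%s/%s/locale/%s/saml/%s" % (provider, tokenObj["token_"], locale, Base64Util.base64urlencode(issuerSpNameQualifier))
        else:
            url = "/passport/auth/%s/%s/locale/%s" % (provider, tokenObj["token_"], locale)
    except Exception:
        # ``except Exception`` instead of a bare ``except`` keeps the
        # best-effort contract (return None) without also eating
        # SystemExit/KeyboardInterrupt.
        print("Passport-saml. getPassportRedirectUrl. Error building redirect URL: %s" % sys.exc_info()[1])
    return url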