def init(self, customScript, configuration_attributes): print "AzureAD. Initialization" global azure_tenant_id azure_tenant_id = configuration_attributes.get("azure_tenant_id").getValue2() print "AzureAD. Initialization. Value of azure_tenant_id is %s" % azure_tenant_id global azure_client_id azure_client_id = configuration_attributes.get("azure_client_id").getValue2() print "AzureAD. Initialization. Value of azure_client_id is %s" % azure_client_id global azure_client_secret azure_client_secret = configuration_attributes.get("azure_client_secret").getValue2() global MICROSOFT_AUTHORITY_URL MICROSOFT_AUTHORITY_URL = 'login.microsoftonline.com' global AZURE_AD_GRAPH_RESOURCE_ENDPOINT AZURE_AD_GRAPH_RESOURCE_ENDPOINT = 'https://graph.windows.net' global azure_user_uuid azure_user_uuid = "oid" global gluu_ldap_uuid gluu_ldap_uuid = "uid" global ADMIN ADMIN = 'admin' global attributes_mapping if (configuration_attributes.containsKey("azure_ad_attributes_list") and configuration_attributes.containsKey("gluu_ldap_attributes_list")): azure_ad_attributes_list = configuration_attributes.get("azure_ad_attributes_list").getValue2() if StringHelper.isEmpty(azure_ad_attributes_list): print "AzureAD: Initialization. The property azure_ad_attributes_list is empty" return False gluu_ldap_attributes_list = configuration_attributes.get("gluu_ldap_attributes_list").getValue2() if StringHelper.isEmpty(gluu_ldap_attributes_list): print "AzureAD: Initialization. The property gluu_ldap_attributes_list is empty" return False attributes_mapping = self.attribute_mapping_function(azure_ad_attributes_list, gluu_ldap_attributes_list) if attributes_mapping is None: print "AzureAD: Initialization. The attributes mapping isn't valid" return False print "AzureAD. Initialized successfully" return True
def prepareClientsSet(self, configurationAttributes): clientsSet = HashSet() if (not configurationAttributes.containsKey("allowed_clients")): return clientsSet allowedClientsList = configurationAttributes.get( "allowed_clients").getValue2() if (StringHelper.isEmpty(allowedClientsList)): print "UmaRptPolicy. The property allowed_clients is empty" return clientsSet allowedClientsListArray = StringHelper.split(allowedClientsList, ",") if (ArrayHelper.isEmpty(allowedClientsListArray)): print "UmaRptPolicy. No clients specified in allowed_clients property" return clientsSet # Convert to HashSet to quick search i = 0 count = len(allowedClientsListArray) while (i < count): client = allowedClientsListArray[i] clientsSet.add(client) i = i + 1 return clientsSet
def getCurrentSamlConfiguration(self, currentSamlConfiguration, configurationAttributes, requestParameters): saml_client_configuration = self.getClientConfiguration(configurationAttributes, requestParameters) if saml_client_configuration == None: return currentSamlConfiguration saml_client_configuration_value = json.loads(saml_client_configuration.getValue()) client_asimba_saml_certificate = None client_asimba_saml_certificate_file = saml_client_configuration_value["asimba_saml_certificate_file"] if StringHelper.isNotEmpty(client_asimba_saml_certificate_file): client_asimba_saml_certificate = self.loadCeritificate(client_asimba_saml_certificate_file) if StringHelper.isEmpty(client_asimba_saml_certificate): print "Asimba. BuildClientSamlConfiguration. File with x509 certificate should be not empty. Using default configuration" return currentSamlConfiguration clientSamlConfiguration = currentSamlConfiguration.clone() if client_asimba_saml_certificate != None: clientSamlConfiguration.loadCertificateFromString(client_asimba_saml_certificate) client_asimba_entity_id = saml_client_configuration_value["asimba_entity_id"] clientSamlConfiguration.setIssuer(client_asimba_entity_id) saml_use_authn_context = saml_client_configuration_value["saml_use_authn_context"] client_use_saml_use_authn_context = StringHelper.toBoolean(saml_use_authn_context, True) clientSamlConfiguration.setUseRequestedAuthnContext(client_use_saml_use_authn_context) return clientSamlConfiguration
def validateInweboToken(self, iw_api_uri, iw_service_id, user_name, iw_token): httpService = CdiUtil.bean(HttpService) xmlService = CdiUtil.bean(XmlService) if StringHelper.isEmpty(iw_token): print "InWebo. Token verification. iw_token is empty" return False request_uri = iw_api_uri + "?action=authenticate" + "&serviceId=" + httpService.encodeUrl(iw_service_id) + "&userId=" + httpService.encodeUrl(user_name) + "&token=" + httpService.encodeUrl(iw_token) print "InWebo. Token verification. Attempting to send authentication request:", request_uri # Execute request http_response = httpService.executeGet(self.client, request_uri) # Validate response code response_validation = httpService.isResponseStastusCodeOk(http_response) if response_validation == False: print "InWebo. Token verification. Get unsuccessful response code" return False authentication_response_bytes = httpService.getResponseContent(http_response) print "InWebo. Token verification. Get response:", httpService.convertEntityToString(authentication_response_bytes) # Validate authentication response response_validation = httpService.isContentTypeXml(http_response) if response_validation == False: print "InWebo. Token verification. Get invalid response" return False # Parse XML response try: xmlDocument = xmlService.getXmlDocument(authentication_response_bytes) except Exception, err: print "InWebo. Token verification. Failed to parse XML response:", err return False
def lockUser(self, user_name): if StringHelper.isEmpty(user_name): return None userService = CdiUtil.bean(UserService) cacheService= CdiUtil.bean(CacheService) facesMessages = CdiUtil.bean(FacesMessages) facesMessages.setKeepMessages() find_user_by_uid = userService.getUser(user_name) if (find_user_by_uid == None): return None status_attribute_value = userService.getCustomAttribute(find_user_by_uid, "gluuStatus") if status_attribute_value != None: user_status = status_attribute_value.getValue() if StringHelper.equals(user_status, "inactive"): print "Basic (lock account). Lock user. User '%s' locked already" % user_name return userService.setCustomAttribute(find_user_by_uid, "gluuStatus", "inactive") updated_user = userService.updateUser(find_user_by_uid) object_to_store = json.dumps({'locked': True, 'created': LocalDateTime.now().toString()}, separators=(',',':')) cacheService.put(StringHelper.toString(self.lockExpirationTime), "lock_user_"+user_name, object_to_store); facesMessages.add(FacesMessage.SEVERITY_ERROR, "Your account is locked. Please try again after " + StringHelper.toString(self.lockExpirationTime) + " secs") print "Basic (lock account). Lock user. User '%s' locked" % user_name
def init(self, customScript, configurationAttributes): print "Basic (multi login). Initialization" login_attributes_list_object = configurationAttributes.get("login_attributes_list") if (login_attributes_list_object == None): print "Basic (multi login). Initialization. There is no property login_attributes_list" return False login_attributes_list = login_attributes_list_object.getValue2() if (StringHelper.isEmpty(login_attributes_list)): print "Basic (multi login). Initialization. There is no attributes specified in login_attributes property" return False login_attributes_list_array = StringHelper.split(login_attributes_list, ",") if (ArrayHelper.isEmpty(login_attributes_list_array)): print "Basic (multi login). Initialization. There is no attributes specified in login_attributes property" return False if (configurationAttributes.containsKey("local_login_attributes_list")): local_login_attributes_list = configurationAttributes.get("local_login_attributes_list").getValue2() local_login_attributes_list_array = StringHelper.split(local_login_attributes_list, ",") else: print "Basic (multi login). Initialization. There is no property local_login_attributes_list. Assuming that login attributes are equal to local login attributes." local_login_attributes_list_array = login_attributes_list_array if (len(login_attributes_list_array) != len(local_login_attributes_list_array)): print "Basic (multi login). Initialization. The number of attributes in login_attributes_list and local_login_attributes_list isn't equal" return False self.login_attributes_list_array = login_attributes_list_array self.local_login_attributes_list_array = local_login_attributes_list_array print "Basic (multi login). Initialized successfully" return True
def init(self, customScript, configurationAttributes): print "Google+ Initialization" if (not configurationAttributes.containsKey("gplus_client_secrets_file")): print "Google+ Initialization. The property gplus_client_secrets_file is empty" return False clientSecretsFile = configurationAttributes.get("gplus_client_secrets_file").getValue2() self.clientSecrets = self.loadClientSecrets(clientSecretsFile) if (self.clientSecrets == None): print "Google+ Initialization. File with Google+ client secrets should be not empty" return False self.attributesMapping = None if (configurationAttributes.containsKey("gplus_remote_attributes_list") and configurationAttributes.containsKey("gplus_local_attributes_list")): remoteAttributesList = configurationAttributes.get("gplus_remote_attributes_list").getValue2() if (StringHelper.isEmpty(remoteAttributesList)): print "Google+ Initialization. The property gplus_remote_attributes_list is empty" return False localAttributesList = configurationAttributes.get("gplus_local_attributes_list").getValue2() if (StringHelper.isEmpty(localAttributesList)): print "Google+ Initialization. The property gplus_local_attributes_list is empty" return False self.attributesMapping = self.prepareAttributesMapping(remoteAttributesList, localAttributesList) if (self.attributesMapping == None): print "Google+ Initialization. The attributes mapping isn't valid" return False self.extensionModule = None if (configurationAttributes.containsKey("extension_module")): extensionModuleName = configurationAttributes.get("extension_module").getValue2() try: self.extensionModule = __import__(extensionModuleName) extensionModuleInitResult = self.extensionModule.init(configurationAttributes) if (not extensionModuleInitResult): return False except ImportError, ex: print "Google+ Initialization. Failed to load gplus_extension_module: '%s'" % extensionModuleName print "Google+ Initialization. Unexpected error:", ex return False
def getSamlNameId(self, samlResponse): saml_response_name_id = samlResponse.getNameId() if StringHelper.isEmpty(saml_response_name_id): print "Asimba. Get Saml response. saml_response_name_id is invalid" return None print "Asimba. Get Saml response. saml_response_name_id: '%s'" % saml_response_name_id # Use persistent Id as saml_user_uid return saml_response_name_id
def init(self, customScript, configurationAttributes): print "Registration. Initialization" print "Registration. Initialized successfully" if (configurationAttributes.containsKey("generic_register_attributes_list") and configurationAttributes.containsKey("generic_local_attributes_list")): remoteAttributesList = configurationAttributes.get("generic_register_attributes_list").getValue2() if (StringHelper.isEmpty(remoteAttributesList)): print "Registration: Initialization. The property generic_register_attributes_list is empty" return False localAttributesList = configurationAttributes.get("generic_local_attributes_list").getValue2() if (StringHelper.isEmpty(localAttributesList)): print "Registration: Initialization. The property generic_local_attributes_list is empty" return False self.attributesMapping = self.prepareAttributesMapping(remoteAttributesList, localAttributesList) if (self.attributesMapping == None): print "Registration: Initialization. The attributes mapping isn't valid" return False return True
def authenticate(self, configurationAttributes, requestParameters, step): userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() if (step == 1): print "Basic (with password update). Authenticate for step 1" user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False return True elif (step == 2): print "Basic (with password update). Authenticate for step 2" user = authenticationService.getAuthenticatedUser() if user == None: print "Basic (with password update). Authenticate for step 2. Failed to determine user name" return False user_name = user.getUserId() find_user_by_uid = userService.getUser(user_name) update_button = requestParameters.get("loginForm:updateButton") if ArrayHelper.isEmpty(update_button): return True new_password_array = requestParameters.get("new_password") if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]): print "Basic (with password update). Authenticate for step 2. New password is empty" return False new_password = new_password_array[0] find_user_by_uid.setAttribute("userPassword", new_password) print "Basic (with password update). Authenticate for step 2. Attempting to set new user '%s' password" % user_name userService.updateUser(find_user_by_uid) print "Basic (with password update). Authenticate for step 2. Password updated successfully" return True else: return False
def authorize(self, context): # context is reference of io.jans.as.uma.authorization.UmaAuthorizationContext print "RPT Policy. Authorizing ..." client_id=context.getClient().getClientId() print "UmaRptPolicy. client_id = %s" % client_id if (StringHelper.isEmpty(client_id)): return False if (self.clientsSet.contains(client_id)): print "UmaRptPolicy. Authorizing client" return True else: print "UmaRptPolicy. Client isn't authorized" return False
def setUserAttributeValue(self, user_name, attribute_name, attribute_value): if StringHelper.isEmpty(user_name): return None userService = CdiUtil.bean(UserService) find_user_by_uid = userService.getUser(user_name) if find_user_by_uid == None: return None userService.setCustomAttribute(find_user_by_uid, attribute_name, attribute_value) updated_user = userService.updateUser(find_user_by_uid) print "Basic (lock account). Set user attribute. User's '%s' attribute '%s' value is '%s'" % (user_name, attribute_name, attribute_value) return updated_user
def authenticate(self, configurationAttributes, requestParameters, step): userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() iw_otp = requestParameters.get("loginForm:otp") if ArrayHelper.isNotEmpty(iw_otp) and StringHelper.equalsIgnoreCase("true", iw_otp[0]) and step == 2: identity.setWorkingParameter("iw_count_login_steps", 3) return True elif StringHelper.isEmptyString(user_name) and step == 1: print "empty user_name in step1 indicates browser token notfound" identity.setWorkingParameter("iw_count_login_steps", 2) return True else: response_check = False user_exists_in_gluu = authenticationService.authenticate(user_name) identity.setWorkingParameter("iw_count_login_steps", step) if (step == 1 or step == 3): print "if (step == 1 or step == 3):" password = credentials.getPassword() if StringHelper.isEmpty(password): print "InWebo. Authenticate for step 2. otp token is empty" return False #password is the otp token response_check = self.validateInweboToken(self.api_uri, self.service_id, user_name, password, step) elif (step == 2): print "elif (step == 2):" session = CdiUtil.bean(SessionIdService).getSessionId() if session == None: print "InWebo. Authenticate for step 2. session_id is not exists" return False response_check = self.checkStatus(self.api_uri, self.service_id, user_name, session.getId(), self.push_withoutpin) if self.push_fail is not None: self.setErrorMessage(self.push_fail) identity.setWorkingParameter("iw_count_login_steps", 3) return response_check and user_exists_in_gluu
def isInboundJwt(self, value): if value == None: return False try: jwt = Jwt.parse(value) print "passport.isInboundJwt. jwt = %s" % jwt user_profile_json = CdiUtil.bean(EncryptionService).decrypt(jwt.getClaims().getClaimAsString("data")) if StringHelper.isEmpty(user_profile_json): return False except InvalidJwtException: return False except: print("Unexpected error:", sys.exc_info()[0]) return False return True
def getUserAttributeValue(self, user_name, attribute_name): if StringHelper.isEmpty(user_name): return None userService = CdiUtil.bean(UserService) find_user_by_uid = userService.getUser(user_name, attribute_name) if find_user_by_uid == None: return None custom_attribute_value = userService.getCustomAttribute(find_user_by_uid, attribute_name) if custom_attribute_value == None: return None attribute_value = custom_attribute_value.getValue() print "Basic (lock account). Get user attribute. User's '%s' attribute '%s' value is '%s'" % (user_name, attribute_name, attribute_value) return attribute_value
def unLockUser(self, user_name): if StringHelper.isEmpty(user_name): return None userService = CdiUtil.bean(UserService) cacheService= CdiUtil.bean(CacheService) find_user_by_uid = userService.getUser(user_name) if (find_user_by_uid == None): return None object_to_store = json.dumps({'locked': False, 'created': LocalDateTime.now().toString()}, separators=(',',':')) cacheService.put(StringHelper.toString(self.lockExpirationTime), "lock_user_"+user_name, object_to_store); userService.setCustomAttribute(find_user_by_uid, "gluuStatus", "active") userService.setCustomAttribute(find_user_by_uid, self.invalidLoginCountAttribute, None) updated_user = userService.updateUser(find_user_by_uid) print "Basic (lock account). Lock user. User '%s' unlocked" % user_name
def getClientConfiguration(self, configurationAttributes, requestParameters): # Get client configuration if (configurationAttributes.containsKey("gplus_client_configuration_attribute")): clientConfigurationAttribute = configurationAttributes.get("gplus_client_configuration_attribute").getValue2() print "Google+ GetClientConfiguration. Using client attribute: '%s'" % clientConfigurationAttribute if (requestParameters == None): return None clientId = None # Attempt to determine client_id from request clientIdArray = requestParameters.get("client_id") if (ArrayHelper.isNotEmpty(clientIdArray) and StringHelper.isNotEmptyString(clientIdArray[0])): clientId = clientIdArray[0] # Attempt to determine client_id from event context if (clientId == None): identity = CdiUtil.bean(Identity) if (identity.isSetWorkingParameter("sessionAttributes")): clientId = identity.getSessionId().getSessionAttributes().get("client_id") if (clientId == None): print "Google+ GetClientConfiguration. client_id is empty" return None clientService = CdiUtil.bean(ClientService) client = clientService.getClient(clientId) if (client == None): print "Google+ GetClientConfiguration. Failed to find client '%s' in local LDAP" % clientId return None clientConfiguration = clientService.getCustomAttribute(client, clientConfigurationAttribute) if ((clientConfiguration == None) or StringHelper.isEmpty(clientConfiguration.getValue())): print "Google+ GetClientConfiguration. Client '%s' attribute '%s' is empty" % (clientId, clientConfigurationAttribute) else: print "Google+ GetClientConfiguration. Client '%s' attribute '%s' is '%s'" % (clientId, clientConfigurationAttribute, clientConfiguration) return clientConfiguration return None
def getClientConfiguration(self, configurationAttributes, requestParameters): # Get client configuration if configurationAttributes.containsKey("saml_client_configuration_attribute"): saml_client_configuration_attribute = configurationAttributes.get("saml_client_configuration_attribute").getValue2() print "Asimba. GetClientConfiguration. Using client attribute: '%s'" % saml_client_configuration_attribute if requestParameters == None: return None client_id = None client_id_array = requestParameters.get("client_id") if ArrayHelper.isNotEmpty(client_id_array) and StringHelper.isNotEmptyString(client_id_array[0]): client_id = client_id_array[0] if client_id == None: identity = CdiUtil.bean(Identity) if identity.getSessionId() != None: client_id = identity.getSessionId().getSessionAttributes().get("client_id") if client_id == None: print "Asimba. GetClientConfiguration. client_id is empty" return None clientService = CdiUtil.bean(ClientService) client = clientService.getClient(client_id) if client == None: print "Asimba. GetClientConfiguration. Failed to find client '%s' in local LDAP" % client_id return None saml_client_configuration = clientService.getCustomAttribute(client, saml_client_configuration_attribute) if (saml_client_configuration == None) or StringHelper.isEmpty(saml_client_configuration.getValue()): print "Asimba. GetClientConfiguration. Client '%s' attribute '%s' is empty" % ( client_id, saml_client_configuration_attribute ) else: print "Asimba. GetClientConfiguration. Client '%s' attribute '%s' is '%s'" % ( client_id, saml_client_configuration_attribute, saml_client_configuration ) return saml_client_configuration return None
def prepareClientRedirectUris(self, configurationAttributes): clientRedirectUrisSet = HashSet() if not configurationAttributes.containsKey("client_redirect_uris"): return clientRedirectUrisSet clientRedirectUrisList = configurationAttributes.get("client_redirect_uris").getValue2() if StringHelper.isEmpty(clientRedirectUrisList): print "Client registration. The property client_redirect_uris is empty" return clientRedirectUrisSet clientRedirectUrisArray = StringHelper.split(clientRedirectUrisList, ",") if ArrayHelper.isEmpty(clientRedirectUrisArray): print "Client registration. No clients specified in client_redirect_uris property" return clientRedirectUrisSet # Convert to HashSet to quick search i = 0 count = len(clientRedirectUrisArray) while i < count: uris = clientRedirectUrisArray[i] clientRedirectUrisSet.add(uris) i = i + 1 return clientRedirectUrisSet
def authenticate(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) if step == 1: print "Cert. Authenticate for step 1" login_button = ServerUtil.getFirstValue(requestParameters, "loginForm:loginButton") if StringHelper.isEmpty(login_button): print "Cert. Authenticate for step 1. Form were submitted incorrectly" return False if self.enabled_recaptcha: print "Cert. Authenticate for step 1. Validating recaptcha response" recaptcha_response = ServerUtil.getFirstValue(requestParameters, "g-recaptcha-response") recaptcha_result = self.validateRecaptcha(recaptcha_response) print "Cert. Authenticate for step 1. recaptcha_result: '%s'" % recaptcha_result return recaptcha_result return True elif step == 2: print "Cert. Authenticate for step 2" # Validate if user selected certificate cert_x509 = self.getSessionAttribute("cert_x509") if cert_x509 == None: print "Cert. Authenticate for step 2. User not selected any certs" identity.setWorkingParameter("cert_selected", False) # Return True to inform user how to reset workflow return True else: identity.setWorkingParameter("cert_selected", True) x509Certificate = self.certFromString(cert_x509) subjectX500Principal = x509Certificate.getSubjectX500Principal() print "Cert. Authenticate for step 2. User selected certificate with DN '%s'" % subjectX500Principal # Validate certificates which user selected valid = self.validateCertificate(x509Certificate) if not valid: print "Cert. Authenticate for step 2. Certificate DN '%s' is not valid" % subjectX500Principal identity.setWorkingParameter("cert_valid", False) # Return True to inform user how to reset workflow return True identity.setWorkingParameter("cert_valid", True) # Calculate certificate fingerprint x509CertificateFingerprint = self.calculateCertificateFingerprint(x509Certificate) identity.setWorkingParameter("cert_x509_fingerprint", x509CertificateFingerprint) print "Cert. Authenticate for step 2. Fingerprint is '%s' of certificate with DN '%s'" % (x509CertificateFingerprint, subjectX500Principal) # Attempt to find user by certificate fingerprint cert_user_external_uid = "cert:%s" % x509CertificateFingerprint print "Cert. Authenticate for step 2. Attempting to find user by oxExternalUid attribute value %s" % cert_user_external_uid find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: print "Cert. Authenticate for step 2. Failed to find user" if self.map_user_cert: print "Cert. Authenticate for step 2. Storing cert_user_external_uid for step 3" identity.setWorkingParameter("cert_user_external_uid", cert_user_external_uid) return True else: print "Cert. Authenticate for step 2. Mapping cert to user account is not allowed" identity.setWorkingParameter("cert_count_login_steps", 2) return False foundUserName = find_user_by_external_uid.getUserId() print "Cert. Authenticate for step 2. foundUserName: "******"Cert. Authenticate for step 2. Setting count steps to 2" identity.setWorkingParameter("cert_count_login_steps", 2) return logged_in elif step == 3: print "Cert. Authenticate for step 3" cert_user_external_uid = self.getSessionAttribute("cert_user_external_uid") if cert_user_external_uid == None: print "Cert. Authenticate for step 3. cert_user_external_uid is empty" return False user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False # Double check just to make sure. We did checking in previous step # Check if there is user which has cert_user_external_uid # Avoid mapping user cert to more than one IDP account find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: # Add cert_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: print "Cert. Authenticate for step 3. Failed to update current user" return False return True return True else: return False
def authenticate(self, configurationAttributes, requestParameters, step): extensionResult = self.extensionAuthenticate(configurationAttributes, requestParameters, step) if extensionResult != None: return extensionResult print "Passport. authenticate for step %s called" % str(step) identity = CdiUtil.bean(Identity) # Loading self.registeredProviders in case passport destroyed if not hasattr(self,'registeredProviders'): print "Passport. Fetching registered providers." self.parseProviderConfigs() if step == 1: jwt_param = None if self.isInboundFlow(identity): # if is idp-initiated inbound flow print "Passport. authenticate for step 1. Detected idp-initiated inbound Saml flow" # get request from session attributes jwt_param = identity.getSessionId().getSessionAttributes().get(AuthorizeRequestParam.STATE) print "jwt_param = %s" % jwt_param # now jwt_param != None if jwt_param == None: # gets jwt parameter "user" sent after authentication by passport (if exists) jwt_param = ServerUtil.getFirstValue(requestParameters, "user") if jwt_param != None: # and now that the jwt_param user exists... print "Passport. authenticate for step 1. JWT user profile token found" if self.isInboundFlow(identity): jwt_param = base64.urlsafe_b64decode(str(jwt_param+'==')) # Parse JWT and validate jwt = Jwt.parse(jwt_param) if not self.validSignature(jwt): return False if self.jwtHasExpired(jwt): return False # Gets user profile as string and json using the information on JWT (user_profile, jsonp) = self.getUserProfile(jwt) if user_profile == None: return False sessionAttributes = identity.getSessionId().getSessionAttributes() self.skipProfileUpdate = StringHelper.equalsIgnoreCase(sessionAttributes.get("skipPassportProfileUpdate"), "true") return self.attemptAuthentication(identity, user_profile, jsonp) #See passportlogin.xhtml provider = ServerUtil.getFirstValue(requestParameters, "loginForm:provider") if StringHelper.isEmpty(provider): #it's username + passw auth print "Passport. authenticate for step 1. Basic authentication detected" logged_in = False credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): authenticationService = CdiUtil.bean(AuthenticationService) logged_in = authenticationService.authenticate(user_name, user_password) print "Passport. authenticate for step 1. Basic authentication returned: %s" % logged_in return logged_in elif provider in self.registeredProviders: # user selected provider # it's a recognized external IDP identity.setWorkingParameter("selectedProvider", provider) print "Passport. authenticate for step 1. Retrying step 1" #see prepareForStep (step = 1) return True if step == 2: mail = ServerUtil.getFirstValue(requestParameters, "loginForm:email") jsonp = identity.getWorkingParameter("passport_user_profile") if mail == None: self.setMessageError(FacesMessage.SEVERITY_ERROR, "Email was missing in user profile") elif jsonp != None: # Completion of profile takes place user_profile = json.loads(jsonp) user_profile["mail"] = [ mail ] return self.attemptAuthentication(identity, user_profile, jsonp) print "Passport. authenticate for step 2. Failed: expected mail value in HTTP request and json profile in session" return False
def authenticate(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) if step == 1: credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = CdiUtil.bean(UserService) logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False else: find_user_by_uid = authenticationService.getAuthenticatedUser() status_attribute_value = userService.getCustomAttribute(find_user_by_uid, "mail") user_mail = status_attribute_value.getValue() self.setRequestScopedParameters(identity) isCompromised = False isCompromised = self.is_compromised(user_mail,user_password,configurationAttributes) if(isCompromised): identity.setWorkingParameter("pwd_compromised", isCompromised) identity.setWorkingParameter("user_name", user_name) return True else: return True elif step == 2: print "compromised_password. Authenticate for step 2" form_answer_array = requestParameters.get("loginForm:question") if ArrayHelper.isEmpty(form_answer_array): return False form_answer = form_answer_array[0] if (form_answer == self.secretanswer): return True return False elif step == 3: authenticationService = CdiUtil.bean(AuthenticationService) print "compromised_password (with password update). Authenticate for step 3" userService = CdiUtil.bean(UserService) update_button = requestParameters.get("loginForm:updateButton") new_password_array = requestParameters.get("new_password") if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]): print "compromised_password (with password update). Authenticate for step 3. New password is empty" return False new_password = new_password_array[0] user = authenticationService.getAuthenticatedUser() if user == None: print "compromised_password (with password update). Authenticate for step 3. Failed to determine user name" return False user_name = user.getUserId() print "compromised_password (with password update). Authenticate for step 3. Attempting to set new user '" + user_name + "' password" find_user_by_uid = userService.getUser(user_name) if (find_user_by_uid == None): print "compromised_password (with password update). Authenticate for step 3. Failed to find user" return False find_user_by_uid.setAttribute("userPassword", new_password) userService.updateUser(find_user_by_uid) print "compromised_password (with password update). Authenticate for step 3. Password updated successfully" logged_in = authenticationService.authenticate(user_name) return True
def init(self, customScript, configurationAttributes): print "Asimba. Initialization" asimba_saml_certificate_file = configurationAttributes.get("asimba_saml_certificate_file").getValue2() saml_idp_sso_target_url = configurationAttributes.get("saml_idp_sso_target_url").getValue2() asimba_entity_id = configurationAttributes.get("asimba_entity_id").getValue2() saml_use_authn_context = StringHelper.toBoolean(configurationAttributes.get("saml_use_authn_context").getValue2(), True) if saml_use_authn_context: saml_name_identifier_format = configurationAttributes.get("saml_name_identifier_format").getValue2() else: saml_name_identifier_format = None asimba_saml_certificate = self.loadCeritificate(asimba_saml_certificate_file) if StringHelper.isEmpty(asimba_saml_certificate): print "Asimba. Initialization. File with x509 certificate should be not empty" return False samlConfiguration = SamlConfiguration() # Set the issuer of the authentication request. This would usually be the URL of the issuing web application samlConfiguration.setIssuer(asimba_entity_id) # Tells the IdP to return a persistent identifier for the user samlConfiguration.setNameIdentifierFormat(saml_name_identifier_format) # The URL at the Identity Provider where to the authentication request should be sent samlConfiguration.setIdpSsoTargetUrl(saml_idp_sso_target_url) # Enablediable RequestedAuthnContext samlConfiguration.setUseRequestedAuthnContext(saml_use_authn_context) # Load x509 certificate samlConfiguration.loadCertificateFromString(asimba_saml_certificate) self.samlConfiguration = samlConfiguration self.generateNameId = False if configurationAttributes.containsKey("saml_generate_name_id"): self.generateNameId = StringHelper.toBoolean(configurationAttributes.get("saml_generate_name_id").getValue2(), False) print "Asimba. Initialization. The property saml_generate_name_id is %s" % self.generateNameId self.updateUser = False if configurationAttributes.containsKey("saml_update_user"): self.updateUser = StringHelper.toBoolean(configurationAttributes.get("saml_update_user").getValue2(), False) print "Asimba. Initialization. The property saml_update_user is %s" % self.updateUser self.userObjectClasses = None if configurationAttributes.containsKey("user_object_classes"): self.userObjectClasses = self.prepareUserObjectClasses(configurationAttributes) self.userEnforceAttributesUniqueness = None if configurationAttributes.containsKey("enforce_uniqueness_attr_list"): self.userEnforceAttributesUniqueness = self.prepareUserEnforceUniquenessAttributes(configurationAttributes) self.attributesMapping = None if configurationAttributes.containsKey("saml_idp_attributes_mapping"): saml_idp_attributes_mapping = configurationAttributes.get("saml_idp_attributes_mapping").getValue2() if StringHelper.isEmpty(saml_idp_attributes_mapping): print "Asimba. Initialization. The property saml_idp_attributes_mapping is empty" return False self.attributesMapping = self.prepareAttributesMapping(saml_idp_attributes_mapping) if self.attributesMapping == None: print "Asimba. Initialization. The attributes mapping isn't valid" return False self.samlExtensionModule = None if configurationAttributes.containsKey("saml_extension_module"): saml_extension_module_name = configurationAttributes.get("saml_extension_module").getValue2() try: self.samlExtensionModule = __import__(saml_extension_module_name) saml_extension_module_init_result = self.samlExtensionModule.init(configurationAttributes) if not saml_extension_module_init_result: return False except ImportError, ex: print "Asimba. Initialization. Failed to load saml_extension_module: '%s'" % saml_extension_module_name print "Asimba. Initialization. Unexpected error:", ex return False
def prepareForStep(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() session_attributes = identity.getSessionId().getSessionAttributes() self.setRequestScopedParameters(identity) if (step == 1): return True elif (step == 2): print "UAF. Prepare for step 2" session = CdiUtil.bean(SessionIdService).getSessionId() if session == None: print "UAF. Prepare for step 2. Failed to determine session_id" return False user = authenticationService.getAuthenticatedUser() if (user == None): print "UAF. Prepare for step 2. Failed to determine user name" return False uaf_auth_method = session_attributes.get("uaf_auth_method") if StringHelper.isEmpty(uaf_auth_method): print "UAF. Prepare for step 2. Failed to determine auth_method" return False print "UAF. Prepare for step 2. uaf_auth_method: '%s'" % uaf_auth_method uaf_obb_auth_method = "OOB_REG" uaf_obb_server_uri = self.uaf_server_uri + "/nnl/v2/reg" if StringHelper.equalsIgnoreCase(uaf_auth_method, "authenticate"): uaf_obb_auth_method = "OOB_AUTH" uaf_obb_server_uri = self.uaf_server_uri + "/nnl/v2/auth" # Prepare START_OBB uaf_obb_start_request_dictionary = { "operation": "START_%s" % uaf_obb_auth_method, "userName": user.getUserId(), "policyName": "default", "oobMode": { "qr": "true", "rawData": "false", "push": "false" } } uaf_obb_start_request = json.dumps(uaf_obb_start_request_dictionary, separators=(',',':')) print "UAF. Prepare for step 2. Prepared START request: '%s' to send to '%s'" % (uaf_obb_start_request, uaf_obb_server_uri) # Request START_OBB uaf_obb_start_response = self.executePost(uaf_obb_server_uri, uaf_obb_start_request) if uaf_obb_start_response == None: return False print "UAF. Prepare for step 2. Get START response: '%s'" % uaf_obb_start_response uaf_obb_start_response_json = json.loads(uaf_obb_start_response) # Prepare STATUS_OBB #TODO: Remove needDetails parameter uaf_obb_status_request_dictionary = { "operation": "STATUS_%s" % uaf_obb_auth_method, "userName": user.getUserId(), "needDetails": 1, "oobStatusHandle": uaf_obb_start_response_json["oobStatusHandle"], } uaf_obb_status_request = json.dumps(uaf_obb_status_request_dictionary, separators=(',',':')) print "UAF. Prepare for step 2. Prepared STATUS request: '%s' to send to '%s'" % (uaf_obb_status_request, uaf_obb_server_uri) identity.setWorkingParameter("uaf_obb_auth_method", uaf_obb_auth_method) identity.setWorkingParameter("uaf_obb_server_uri", uaf_obb_server_uri) identity.setWorkingParameter("uaf_obb_start_response", uaf_obb_start_response) identity.setWorkingParameter("qr_image", uaf_obb_start_response_json["modeResult"]["qrCode"]["qrImage"]) identity.setWorkingParameter("uaf_obb_status_request", uaf_obb_status_request) return True else: return False
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() self.setRequestScopedParameters(identity) if step == 1: print "OTP. Authenticate for step 1" authenticated_user = self.processBasicAuthentication(credentials) if authenticated_user == None: return False otp_auth_method = "authenticate" # Uncomment this block if you need to allow user second OTP registration #enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton") #if StringHelper.isNotEmpty(enrollment_mode): # otp_auth_method = "enroll" if otp_auth_method == "authenticate": user_enrollments = self.findEnrollments(authenticated_user.getUserId()) if len(user_enrollments) == 0: otp_auth_method = "enroll" print "OTP. Authenticate for step 1. There is no OTP enrollment for user '%s'. Changing otp_auth_method to '%s'" % (authenticated_user.getUserId(), otp_auth_method) if otp_auth_method == "enroll": print "OTP. Authenticate for step 1. Setting count steps: '%s'" % 3 identity.setWorkingParameter("otp_count_login_steps", 3) print "OTP. Authenticate for step 1. otp_auth_method: '%s'" % otp_auth_method identity.setWorkingParameter("otp_auth_method", otp_auth_method) return True elif step == 2: print "OTP. Authenticate for step 2" authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if user == None: print "OTP. Authenticate for step 2. Failed to determine user name" return False session_id_validation = self.validateSessionId(identity) if not session_id_validation: return False # Restore state from session identity.setWorkingParameter("retry_current_step", False) otp_auth_method = identity.getWorkingParameter("otp_auth_method") if otp_auth_method == 'enroll': auth_result = ServerUtil.getFirstValue(requestParameters, "auth_result") if not StringHelper.isEmpty(auth_result): # defect fix #1225 - Retry the step, show QR code again if auth_result == 'timeout': print "OTP. QR-code timeout. Authenticate for step %s. Reinitializing current step" % step identity.setWorkingParameter("retry_current_step", True) return True print "OTP. Authenticate for step 2. User not enrolled OTP" return False print "OTP. Authenticate for step 2. Skipping this step during enrollment" return True otp_auth_result = self.processOtpAuthentication(requestParameters, user.getUserId(), identity, otp_auth_method) print "OTP. Authenticate for step 2. OTP authentication result: '%s'" % otp_auth_result return otp_auth_result elif step == 3: print "OTP. Authenticate for step 3" authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if user == None: print "OTP. Authenticate for step 2. Failed to determine user name" return False session_id_validation = self.validateSessionId(identity) if not session_id_validation: return False # Restore state from session otp_auth_method = identity.getWorkingParameter("otp_auth_method") if otp_auth_method != 'enroll': return False otp_auth_result = self.processOtpAuthentication(requestParameters, user.getUserId(), identity, otp_auth_method) print "OTP. Authenticate for step 3. OTP authentication result: '%s'" % otp_auth_result return otp_auth_result else: return False
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) userService = CdiUtil.bean(UserService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() if step == 1: print "Basic (with password update). Authenticate for step 1" user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): logged_in = authenticationService.authenticate(user_name, user_password) if not logged_in: return False find_user_by_uid = authenticationService.getAuthenticatedUser() user_expDate = find_user_by_uid.getAttribute("oxPasswordExpirationDate", False) if user_expDate == None: print "Basic (with password update). Authenticate for step 1. User has no oxPasswordExpirationDate date" return False dt = StaticUtils.decodeGeneralizedTime(user_expDate) # Get Current Date calendar = GregorianCalendar(TimeZone.getTimeZone("UTC")); now = calendar.getTime() if now.compareTo(dt) > 0: # Add 90 Days to current date calendar.setTime(now) calendar.add(calendar.DATE, 1) dt_plus_90 = calendar.getTime() expDate = StaticUtils.encodeGeneralizedTime(dt_plus_90) identity.setWorkingParameter("expDate", expDate) return True elif step == 2: print "Basic (with password update). Authenticate for step 2" user = authenticationService.getAuthenticatedUser() if user == None: print "Basic (with password update). Authenticate for step 2. Failed to determine user name" return False user_name = user.getUserId() find_user_by_uid = userService.getUser(user_name) newExpDate = identity.getWorkingParameter("expDate") if find_user_by_uid == None: print "Basic (with password update). Authenticate for step 2. Failed to find user" return False print "Basic (with password update). Authenticate for step 2" update_button = requestParameters.get("loginForm:updateButton") if ArrayHelper.isEmpty(update_button): return True find_user_by_uid.setAttribute("oxPasswordExpirationDate", newExpDate) new_password_array = requestParameters.get("loginForm:password") if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]): print "Basic (with password update). Authenticate for step 2. New password is empty" return False new_password = new_password_array[0] find_user_by_uid.setAttribute("userPassword", new_password) print "Basic (with password update). Authenticate for step 2. Attempting to set new user '%s' password" % user_name userService.updateUser(find_user_by_uid) print "Basic (with password update). Authenticate for step 2. Password updated successfully" return True else: return False
def setDefaultUid(self, user, saml_user_uid): if StringHelper.isEmpty(user.getUserId()): user.setUserId(saml_user_uid)
def processOtpAuthentication(self, requestParameters, user_name, identity, otp_auth_method): facesMessages = CdiUtil.bean(FacesMessages) facesMessages.setKeepMessages() userService = CdiUtil.bean(UserService) otpCode = ServerUtil.getFirstValue(requestParameters, "loginForm:otpCode") if StringHelper.isEmpty(otpCode): facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to authenticate. OTP code is empty") print "OTP. Process OTP authentication. otpCode is empty" return False if otp_auth_method == "enroll": # Get key from session otp_secret_key_encoded = identity.getWorkingParameter("otp_secret_key") if otp_secret_key_encoded == None: print "OTP. Process OTP authentication. OTP secret key is invalid" return False otp_secret_key = self.fromBase64Url(otp_secret_key_encoded) if self.otpType == "hotp": validation_result = self.validateHotpKey(otp_secret_key, 1, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process HOTP authentication during enrollment. otpCode is valid" # Store HOTP Secret Key and moving factor in user entry otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, validation_result["movingFactor"] ) # Add otp_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process HOTP authentication during enrollment. Failed to update user entry" elif self.otpType == "totp": validation_result = self.validateTotpKey(otp_secret_key, otpCode,user_name) if (validation_result != None) and validation_result["result"]: print "OTP. Process TOTP authentication during enrollment. otpCode is valid" # Store TOTP Secret Key and moving factor in user entry otp_user_external_uid = "totp:%s" % otp_secret_key_encoded # Add otp_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process TOTP authentication during enrollment. Failed to update user entry" elif otp_auth_method == "authenticate": user_enrollments = self.findEnrollments(user_name) if len(user_enrollments) == 0: print "OTP. Process OTP authentication. There is no OTP enrollment for user '%s'" % user_name facesMessages.add(FacesMessage.SEVERITY_ERROR, "There is no valid OTP user enrollments") return False if self.otpType == "hotp": for user_enrollment in user_enrollments: user_enrollment_data = user_enrollment.split(";") otp_secret_key_encoded = user_enrollment_data[0] # Get current moving factor from user entry moving_factor = StringHelper.toInteger(user_enrollment_data[1]) otp_secret_key = self.fromBase64Url(otp_secret_key_encoded) # Validate TOTP validation_result = self.validateHotpKey(otp_secret_key, moving_factor, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process HOTP authentication during authentication. otpCode is valid" otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, moving_factor ) new_otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, validation_result["movingFactor"] ) # Update moving factor in user entry find_user_by_external_uid = userService.replaceUserAttribute(user_name, "oxExternalUid", otp_user_external_uid, new_otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process HOTP authentication during authentication. Failed to update user entry" elif self.otpType == "totp": for user_enrollment in user_enrollments: otp_secret_key = self.fromBase64Url(user_enrollment) # Validate TOTP validation_result = self.validateTotpKey(otp_secret_key, otpCode, user_name) if (validation_result != None) and validation_result["result"]: print "OTP. Process TOTP authentication during authentication. otpCode is valid" return True facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to authenticate. OTP code is invalid") print "OTP. Process OTP authentication. OTP code is invalid" return False
def authenticate(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() session_attributes = identity.getSessionId().getSessionAttributes() self.setRequestScopedParameters(identity) if (step == 1): print "UAF. Authenticate for step 1" user_name = credentials.getUsername() authenticated_user = self.processBasicAuthentication(credentials) if authenticated_user == None: return False uaf_auth_method = "authenticate" # Uncomment this block if you need to allow user second device registration #enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton") #if StringHelper.isNotEmpty(enrollment_mode): # uaf_auth_method = "enroll" if uaf_auth_method == "authenticate": user_enrollments = self.findEnrollments(credentials) if len(user_enrollments) == 0: uaf_auth_method = "enroll" print "UAF. Authenticate for step 1. There is no UAF enrollment for user '%s'. Changing uaf_auth_method to '%s'" % (user_name, uaf_auth_method) print "UAF. Authenticate for step 1. uaf_auth_method: '%s'" % uaf_auth_method identity.setWorkingParameter("uaf_auth_method", uaf_auth_method) return True elif (step == 2): print "UAF. Authenticate for step 2" session = CdiUtil.bean(SessionIdService).getSessionId() if session == None: print "UAF. Prepare for step 2. Failed to determine session_id" return False user = authenticationService.getAuthenticatedUser() if (user == None): print "UAF. Authenticate for step 2. Failed to determine user name" return False user_name = user.getUserId() uaf_auth_result = ServerUtil.getFirstValue(requestParameters, "auth_result") if uaf_auth_result != "success": print "UAF. Authenticate for step 2. auth_result is '%s'" % uaf_auth_result return False # Restore state from session uaf_auth_method = session_attributes.get("uaf_auth_method") if not uaf_auth_method in ['enroll', 'authenticate']: print "UAF. Authenticate for step 2. Failed to authenticate user. uaf_auth_method: '%s'" % uaf_auth_method return False # Request STATUS_OBB if True: #TODO: Remove this condition # It's workaround becuase it's not possible to call STATUS_OBB 2 times. First time on browser and second ime on server uaf_user_device_handle = ServerUtil.getFirstValue(requestParameters, "auth_handle") else: uaf_obb_auth_method = session_attributes.get("uaf_obb_auth_method") uaf_obb_server_uri = session_attributes.get("uaf_obb_server_uri") uaf_obb_start_response = session_attributes.get("uaf_obb_start_response") # Prepare STATUS_OBB uaf_obb_start_response_json = json.loads(uaf_obb_start_response) uaf_obb_status_request_dictionary = { "operation": "STATUS_%s" % uaf_obb_auth_method, "userName": user_name, "needDetails": 1, "oobStatusHandle": uaf_obb_start_response_json["oobStatusHandle"], } uaf_obb_status_request = json.dumps(uaf_obb_status_request_dictionary, separators=(',',':')) print "UAF. Authenticate for step 2. Prepared STATUS request: '%s' to send to '%s'" % (uaf_obb_status_request, uaf_obb_server_uri) uaf_status_obb_response = self.executePost(uaf_obb_server_uri, uaf_obb_status_request) if uaf_status_obb_response == None: return False print "UAF. Authenticate for step 2. Get STATUS response: '%s'" % uaf_status_obb_response uaf_status_obb_response_json = json.loads(uaf_status_obb_response) if uaf_status_obb_response_json["statusCode"] != 4000: print "UAF. Authenticate for step 2. UAF operation status is invalid. statusCode: '%s'" % uaf_status_obb_response_json["statusCode"] return False uaf_user_device_handle = uaf_status_obb_response_json["additionalInfo"]["authenticatorsResult"]["handle"] if StringHelper.isEmpty(uaf_user_device_handle): print "UAF. Prepare for step 2. Failed to get UAF handle" return False uaf_user_external_uid = "uaf:%s" % uaf_user_device_handle print "UAF. Authenticate for step 2. UAF handle: '%s'" % uaf_user_external_uid if uaf_auth_method == "authenticate": # Validate if user used device with same keYHandle user_enrollments = self.findEnrollments(credentials) if len(user_enrollments) == 0: uaf_auth_method = "enroll" print "UAF. Authenticate for step 2. There is no UAF enrollment for user '%s'." % user_name return False for user_enrollment in user_enrollments: if StringHelper.equalsIgnoreCase(user_enrollment, uaf_user_device_handle): print "UAF. Authenticate for step 2. There is UAF enrollment for user '%s'. User authenticated successfully" % user_name return True else: userService = CdiUtil.bean(UserService) # Double check just to make sure. We did checking in previous step # Check if there is user which has uaf_user_external_uid # Avoid mapping user cert to more than one IDP account find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", uaf_user_external_uid) if find_user_by_external_uid == None: # Add uaf_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", uaf_user_external_uid) if find_user_by_external_uid == None: print "UAF. Authenticate for step 2. Failed to update current user" return False return True return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() userService = CdiUtil.bean(UserService) requestParameterService = CdiUtil.bean(RequestParameterService) authenticationService = CdiUtil.bean(AuthenticationService) httpService = CdiUtil.bean(HttpService) if step == 1: print "CAS2. Authenticate for step 1" ticket_array = requestParameters.get("ticket") if ArrayHelper.isEmpty(ticket_array): print "CAS2. Authenticate for step 1. ticket is empty" return False ticket = ticket_array[0] print "CAS2. Authenticate for step 1. ticket: " + ticket if StringHelper.isEmptyString(ticket): print "CAS2. Authenticate for step 1. ticket is invalid" return False # Validate ticket facesContext = CdiUtil.bean(FacesContext) request = facesContext.getExternalContext().getRequest() parametersMap = HashMap() parametersMap.put("service", httpService.constructServerUrl(request) + "/postlogin.htm") if self.cas_renew_opt: parametersMap.put("renew", "true") parametersMap.put("ticket", ticket) cas_service_request_uri = requestParameterService.parametersAsString(parametersMap) cas_service_request_uri = self.cas_host + "/serviceValidate?" + cas_service_request_uri if self.cas_extra_opts != None: cas_service_request_uri = cas_service_request_uri + "&" + self.cas_extra_opts print "CAS2. Authenticate for step 1. cas_service_request_uri: " + cas_service_request_uri http_client = httpService.getHttpsClient() http_service_response = httpService.executeGet(http_client, cas_service_request_uri) try: validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_service_response.getHttpResponse())) finally: http_service_response.closeConnection() print "CAS2. Authenticate for step 1. validation_content: " + validation_content if StringHelper.isEmpty(validation_content): print "CAS2. Authenticate for step 1. Ticket validation response is invalid" return False cas2_auth_failure = self.parse_tag(validation_content, "cas:authenticationFailure") print "CAS2. Authenticate for step 1. cas2_auth_failure: ", cas2_auth_failure cas2_user_uid = self.parse_tag(validation_content, "cas:user") print "CAS2. Authenticate for step 1. cas2_user_uid: ", cas2_user_uid if (cas2_auth_failure != None) or (cas2_user_uid == None): print "CAS2. Authenticate for step 1. Ticket is invalid" return False if self.cas_map_user: print "CAS2. Authenticate for step 1. Attempting to find user by oxExternalUid: cas2:" + cas2_user_uid # Check if the is user with specified cas2_user_uid find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid) if find_user_by_uid == None: print "CAS2. Authenticate for step 1. Failed to find user" print "CAS2. Authenticate for step 1. Setting count steps to 2" identity.setWorkingParameter("cas2_count_login_steps", 2) identity.setWorkingParameter("cas2_user_uid", cas2_user_uid) return True found_user_name = find_user_by_uid.getUserId() print "CAS2. Authenticate for step 1. found_user_name: " + found_user_name authenticationService.authenticate(found_user_name) print "CAS2. Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("cas2_count_login_steps", 1) return True else: print "CAS2. Authenticate for step 1. Attempting to find user by uid:" + cas2_user_uid # Check if there is user with specified cas2_user_uid find_user_by_uid = userService.getUser(cas2_user_uid) if find_user_by_uid == None: print "CAS2. Authenticate for step 1. Failed to find user" return False found_user_name = find_user_by_uid.getUserId() print "CAS2. Authenticate for step 1. found_user_name: " + found_user_name authenticationService.authenticate(found_user_name) print "CAS2. Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("cas2_count_login_steps", 1) return True elif step == 2: print "CAS2. Authenticate for step 2" if identity.isSetWorkingParameter("cas2_user_uid"): print "CAS2. Authenticate for step 2. cas2_user_uid is empty" return False cas2_user_uid = identity.getWorkingParameter("cas2_user_uid") passed_step1 = StringHelper.isNotEmptyString(cas2_user_uid) if not passed_step1: return False user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): logged_in = authenticationService.authenticate(user_name, user_password) if not logged_in: return False # Check if there is user which has cas2_user_uid # Avoid mapping CAS2 account to more than one IDP account find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid) if find_user_by_uid == None: # Add cas2_user_uid to user one id UIDs find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "cas2:" + cas2_user_uid) if find_user_by_uid == None: print "CAS2. Authenticate for step 2. Failed to update current user" return False return True else: found_user_name = find_user_by_uid.getUserId() print "CAS2. Authenticate for step 2. found_user_name: " + found_user_name if StringHelper.equals(user_name, found_user_name): return True return False else: return False