def prepareAttributesMapping(self, remoteAttributesList, localAttributesList):
remoteAttributesListArray = StringHelper.split(remoteAttributesList, ",")
if (ArrayHelper.isEmpty(remoteAttributesListArray)):
print "Google+ PrepareAttributesMapping. There is no attributes specified in remoteAttributesList property"
return None
localAttributesListArray = StringHelper.split(localAttributesList, ",")
if (ArrayHelper.isEmpty(localAttributesListArray)):
print "Google+ PrepareAttributesMapping. There is no attributes specified in localAttributesList property"
return None
if (len(remoteAttributesListArray) != len(localAttributesListArray)):
print "Google+ PrepareAttributesMapping. The number of attributes in remoteAttributesList and localAttributesList isn't equal"
return None
attributeMapping = IdentityHashMap()
containsUid = False
i = 0
count = len(remoteAttributesListArray)
while (i < count):
remoteAttribute = StringHelper.toLowerCase(remoteAttributesListArray[i])
localAttribute = StringHelper.toLowerCase(localAttributesListArray[i])
attributeMapping.put(remoteAttribute, localAttribute)
if (StringHelper.equalsIgnoreCase(localAttribute, "uid")):
containsUid = True
i = i + 1
if (not containsUid):
print "Google+ PrepareAttributesMapping. There is no mapping to mandatory 'uid' attribute"
return None
return attributeMapping
def prepareAttributesMapping(self, saml_idp_attributes_list, saml_local_attributes_list):
saml_idp_attributes_list_array = StringHelper.split(saml_idp_attributes_list, ",")
if (ArrayHelper.isEmpty(saml_idp_attributes_list_array)):
print "Saml. PrepareAttributesMapping. There is no attributes specified in saml_idp_attributes_list property"
return None
saml_local_attributes_list_array = StringHelper.split(saml_local_attributes_list, ",")
if (ArrayHelper.isEmpty(saml_local_attributes_list_array)):
print "Saml. PrepareAttributesMapping. There is no attributes specified in saml_local_attributes_list property"
return None
if (len(saml_idp_attributes_list_array) != len(saml_local_attributes_list_array)):
print "Saml. PrepareAttributesMapping. The number of attributes in saml_idp_attributes_list and saml_local_attributes_list isn't equal"
return None
attributeMapping = IdentityHashMap()
containsUid = False
i = 0
count = len(saml_idp_attributes_list_array)
while (i < count):
idpAttribute = StringHelper.toLowerCase(saml_idp_attributes_list_array[i])
localAttribute = StringHelper.toLowerCase(saml_local_attributes_list_array[i])
attributeMapping.put(idpAttribute, localAttribute)
if (StringHelper.equalsIgnoreCase(localAttribute, "uid")):
containsUid = True
i = i + 1
if (not containsUid):
print "Saml. PrepareAttributesMapping. There is no mapping to mandatory 'uid' attribute"
return None
return attributeMapping
def authenticate(self, configurationAttributes, requestParameters, step):
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "Basic (with password update). Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
elif (step == 2):
print "Basic (with password update). Authenticate for step 2"
userService = UserService.instance()
update_button = requestParameters.get("loginForm:updateButton")
if ArrayHelper.isEmpty(update_button):
return True
new_password_array = requestParameters.get("new_password")
if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
print "Basic (with password update). Authenticate for step 2. New password is empty"
return False
new_password = new_password_array[0]
print "Basic (with password update). Authenticate for step 2. Attemprin to set new user '" + user_name + "' password"
find_user_by_uid = userService.getUser(user_name)
if (find_user_by_uid == None):
print "Basic (with password update). Authenticate for step 2. Failed to find user"
return False
find_user_by_uid.setAttribute("userPassword", new_password)
userService.updateUser(find_user_by_uid)
print "Basic (with password update). Authenticate for step 2. Password updated successfully"
return True
else:
return False
def updateClient(self, registerRequest, client, configurationAttributes):
print "Client registration. UpdateClient method"
redirectUris = client.getRedirectUris()
print "Client registration. Redirect Uris:", redirectUris
addAddressScope = False
for redirectUri in redirectUris:
if (StringHelper.equalsIgnoreCase(redirectUri, "https://client.example.com/example1")):
addAddressScope = True
break
print "Client registration. Is add address scope:", addAddressScope
if (addAddressScope):
currentScopes = client.getScopes()
print "Client registration. Current scopes:", currentScopes
addressScope = self.scopeService.getScopeByDisplayName("address")
newScopes = ArrayHelper.addItemToStringArray(currentScopes, addressScope.getDn())
print "Client registration. Result scopes:", newScopes
client.setScopes(newScopes)
return True
def authenticate(self, configurationAttributes, requestParameters, step):
duo_host = configurationAttributes.get("duo_host").getValue2()
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "Duo. Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
authenticationService = AuthenticationService.instance()
user = authenticationService.getAuthenticatedUser()
if (self.use_duo_group):
print "Duo. Authenticate for step 1. Checking if user belong to Duo group"
is_member_duo_group = self.isUserMemberOfGroup(user, self.audit_attribute, self.duo_group)
if (is_member_duo_group):
print "Duo. Authenticate for step 1. User '" + user.getUserId() + "' member of Duo group"
duo_count_login_steps = 2
else:
self.processAuditGroup(user)
duo_count_login_steps = 1
context = Contexts.getEventContext()
context.set("duo_count_login_steps", duo_count_login_steps)
return True
elif (step == 2):
print "Duo. Authenticate for step 2"
sig_response_array = requestParameters.get("sig_response")
if ArrayHelper.isEmpty(sig_response_array):
print "Duo. Authenticate for step 2. sig_response is empty"
return False
duo_sig_response = sig_response_array[0]
print "Duo. Authenticate for step 2. duo_sig_response: " + duo_sig_response
authenticated_username = duo_web.verify_response(self.ikey, self.skey, self.akey, duo_sig_response)
print "Duo. Authenticate for step 2. authenticated_username: "******", expected user_name: " + user_name
if (not StringHelper.equals(user_name, authenticated_username)):
return False
authenticationService = AuthenticationService.instance()
user = authenticationService.getAuthenticatedUser()
self.processAuditGroup(user)
return True
else:
return False
def init(self, configurationAttributes):
print "Basic (multi login) initialization"
login_attributes_list_object = configurationAttributes.get("login_attributes_list")
if (login_attributes_list_object == None):
print "Basic (multi login) initialization. There is no property login_attributes_list"
return False
login_attributes_list = login_attributes_list_object.getValue2()
if (StringHelper.isEmpty(login_attributes_list)):
print "Basic (multi login) initialization. There is no attributes specified in login_attributes property"
return False
login_attributes_list_array = StringHelper.split(login_attributes_list, ",")
if (ArrayHelper.isEmpty(login_attributes_list_array)):
print "Basic (multi login) initialization. There is no attributes specified in login_attributes property"
return False
if (configurationAttributes.containsKey("local_login_attributes_list")):
local_login_attributes_list = configurationAttributes.get("local_login_attributes_list").getValue2()
local_login_attributes_list_array = StringHelper.split(local_login_attributes_list, ",")
else:
print "Basic (multi login) initialization. There is no property local_login_attributes_list. Assuming that login attributes are equal to local login attributes."
local_login_attributes_list_array = login_attributes_list_array
if (len(login_attributes_list_array) != len(local_login_attributes_list_array)):
print "Basic (multi login) initialization. The number of attributes in login_attributes_list and local_login_attributes_list isn't equal"
return False
self.login_attributes_list_array = login_attributes_list_array
self.local_login_attributes_list_array = local_login_attributes_list_array
print "Basic (multi login) initialized successfully"
return True
def prepareUserEnforceUniquenessAttributes(self, configurationAttributes):
enforce_uniqueness_attr_list = configurationAttributes.get("enforce_uniqueness_attr_list").getValue2()
enforce_uniqueness_attr_list_array = StringHelper.split(enforce_uniqueness_attr_list, ",")
if (ArrayHelper.isEmpty(enforce_uniqueness_attr_list_array)):
return None
return enforce_uniqueness_attr_list_array
def prepareUserObjectClasses(self, configurationAttributes):
user_object_classes = configurationAttributes.get("user_object_classes").getValue2()
user_object_classes_list_array = StringHelper.split(user_object_classes, ",")
if (ArrayHelper.isEmpty(user_object_classes_list_array)):
return None
return user_object_classes_list_array
def prepareForStep(self, configurationAttributes, requestParameters, step):
stringEncrypter = StringEncrypter.defaultInstance()
context = Contexts.getEventContext()
oxpush_application_name = configurationAttributes.get("oxpush_application_name").getValue2()
if (step == 1):
print "oxPush prepare for step 1"
oxpush_android_download_url = configurationAttributes.get("oxpush_android_download_url").getValue2()
context.set("oxpush_android_download_url", oxpush_android_download_url)
elif (step == 2):
print "oxPush prepare for step 2"
passed_step1 = self.isPassedDefaultAuthentication
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
oxpush_user_uid_array = requestParameters.get("oxpush_user_uid")
if (ArrayHelper.isEmpty(oxpush_user_uid_array) or StringHelper.isEmptyString(oxpush_user_uid_array[0])):
print "oxPush prepare for step 2. oxpush_user_uid is empty"
# Initialize pairing process
pairing_process = None
try:
pairing_process = self.oxPushClient.pair(oxpush_application_name, user_name);
except java.lang.Exception, err:
print "oxPush prepare for step 2. Failed to initialize pairing process: ", err
return False
if (not pairing_process.result):
print "oxPush prepare for step 2. Failed to initialize pairing process"
return False
pairing_id = pairing_process.pairingId
print "oxPush prepare for step 2. Pairing Id: ", pairing_id
context.set("oxpush_pairing_uid", stringEncrypter.encrypt(pairing_id))
context.set("oxpush_pairing_code", pairing_process.pairingCode)
context.set("oxpush_pairing_qr_image", pairing_process.pairingQrImage)
def getClientConfiguration(self, configurationAttributes, requestParameters):
# Get client configuration
if (configurationAttributes.containsKey("gplus_client_configuration_attribute")):
clientConfigurationAttribute = configurationAttributes.get("gplus_client_configuration_attribute").getValue2()
print "Google+ GetClientConfiguration. Using client attribute:", clientConfigurationAttribute
if (requestParameters == None):
return None
clientId = None
# Attempt to determine client_id from request
clientIdArray = requestParameters.get("client_id")
if (ArrayHelper.isNotEmpty(clientIdArray) and StringHelper.isNotEmptyString(clientIdArray[0])):
clientId = clientIdArray[0]
# Attempt to determine client_id from event context
if (clientId == None):
eventContext = Contexts.getEventContext()
if (eventContext.isSet("stored_request_parameters")):
clientId = eventContext.get("stored_request_parameters").get("client_id")
if (clientId == None):
print "Google+ GetClientConfiguration. client_id is empty"
return None
clientService = ClientService.instance()
client = clientService.getClient(clientId)
if (client == None):
print "Google+ GetClientConfiguration. Failed to find client", clientId, " in local LDAP"
return None
clientConfiguration = clientService.getCustomAttribute(client, clientConfigurationAttribute)
if ((clientConfiguration == None) or StringHelper.isEmpty(clientConfiguration.getValue())):
print "Google+ GetClientConfiguration. Client", clientId, " attribute", clientConfigurationAttribute, " is empty"
else:
print "Google+ GetClientConfiguration. Client", clientId, " attribute", clientConfigurationAttribute, " is", clientConfiguration
return clientConfiguration
return None
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
server_flag = configurationAttributes.get("oneid_server_flag").getValue2()
callback_attrs = configurationAttributes.get("oneid_callback_attrs").getValue2()
creds_file = configurationAttributes.get("oneid_creds_file").getValue2()
# Create OneID
authn = OneID(server_flag)
# Set path to credentials file
authn.creds_file = creds_file;
if (step == 1):
print "OneID prepare for step 1"
auth_mode_array = requestParameters.get("auth_mode")
if ArrayHelper.isEmpty(auth_mode_array):
print "OneID prepare for step 1. auth_mode is empty"
return False
request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
validation_page = request.getContextPath() + "/postlogin?" + "request_uri=&" + authenticationService.parametersAsString()
print "OneID prepare for step 1. validation_page: " + validation_page
oneid_login_button = authn.draw_signin_button(validation_page, callback_attrs, True)
print "OneID prepare for step 1. oneid_login_button: " + oneid_login_button
context.set("oneid_login_button", oneid_login_button)
context.set("oneid_script_header", authn.script_header)
context.set("oneid_form_script", authn.oneid_form_script)
return True
elif (step == 2):
print "OneID prepare for step 2"
return True
else:
return False
def getClientConfiguration(self, configurationAttributes, requestParameters):
# Get client configuration
if (configurationAttributes.containsKey("saml_client_configuration_attribute")):
saml_client_configuration_attribute = configurationAttributes.get("saml_client_configuration_attribute").getValue2()
print "Saml. GetClientConfiguration. Using client attribute:", saml_client_configuration_attribute
if (requestParameters == None):
return None
client_id = None
client_id_array = requestParameters.get("client_id")
if (ArrayHelper.isNotEmpty(client_id_array) and StringHelper.isNotEmptyString(client_id_array[0])):
client_id = client_id_array[0]
if (client_id == None):
eventContext = Contexts.getEventContext()
if (eventContext.isSet("sessionAttributes")):
client_id = eventContext.get("sessionAttributes").get("client_id")
if (client_id == None):
print "Saml. GetClientConfiguration. client_id is empty"
return None
clientService = ClientService.instance()
client = clientService.getClient(client_id)
if (client == None):
print "Saml. GetClientConfiguration. Failed to find client", client_id, " in local LDAP"
return None
saml_client_configuration = clientService.getCustomAttribute(client, saml_client_configuration_attribute)
if ((saml_client_configuration == None) or StringHelper.isEmpty(saml_client_configuration.getValue())):
print "Saml. GetClientConfiguration. Client", client_id, " attribute", saml_client_configuration_attribute, " is empty"
else:
print "Saml. GetClientConfiguration. Client", client_id, " attribute", saml_client_configuration_attribute, " is", saml_client_configuration
return saml_client_configuration
return None
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
saml_map_user = False
saml_enroll_user = False
saml_enroll_all_user_attr = False
# Use saml_deployment_type only if there is no attributes mapping
if (configurationAttributes.containsKey("saml_deployment_type")):
saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")):
saml_map_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")):
saml_enroll_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")):
saml_enroll_all_user_attr = True
saml_allow_basic_login = False
if (configurationAttributes.containsKey("saml_allow_basic_login")):
saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False)
use_basic_auth = False
if (saml_allow_basic_login):
# Detect if user used basic authnetication method
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if (StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password)):
use_basic_auth = True
if ((step == 1) and saml_allow_basic_login and use_basic_auth):
print "Saml. Authenticate for step 1. Basic authentication"
context.set("saml_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
if (step == 1):
print "Saml. Authenticate for step 1"
currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
if (currentSamlConfiguration == None):
print "Saml. Prepare for step 1. Client saml configuration is invalid"
return False
saml_response_array = requestParameters.get("SAMLResponse")
if ArrayHelper.isEmpty(saml_response_array):
print "Saml. Authenticate for step 1. saml_response is empty"
return False
saml_response = saml_response_array[0]
print "Saml. Authenticate for step 1. saml_response:", saml_response
samlResponse = Response(currentSamlConfiguration)
samlResponse.loadXmlFromBase64(saml_response)
saml_validate_response = True
if (configurationAttributes.containsKey("saml_validate_response")):
saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False)
if (saml_validate_response):
if (not samlResponse.isValid()):
print "Saml. Authenticate for step 1. saml_response isn't valid"
saml_response_name_id = samlResponse.getNameId()
if (StringHelper.isEmpty(saml_response_name_id)):
print "Saml. Authenticate for step 1. saml_response_name_id is invalid"
return False
print "Saml. Authenticate for step 1. saml_response_name_id:", saml_response_name_id
saml_response_attributes = samlResponse.getAttributes()
print "Saml. Authenticate for step 1. attributes: ", saml_response_attributes
# Use persistent Id as saml_user_uid
saml_user_uid = saml_response_name_id
if (saml_map_user):
# Use mapping to local IDP user
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:", saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
print "Saml. Authenticate for step 1. Setting count steps to 2"
context.set("saml_count_login_steps", 2)
context.set("saml_user_uid", saml_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
elif (saml_enroll_user):
# Use auto enrollment to local IDP
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:", saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
# Auto user enrollemnt
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
# Convert saml result attributes keys to lover case
saml_response_normalized_attributes = HashMap()
for saml_response_attribute_entry in saml_response_attributes.entrySet():
saml_response_normalized_attributes.put(
StringHelper.toLowerCase(saml_response_attribute_entry.getKey()), saml_response_attribute_entry.getValue())
currentAttributesMapping = self.prepareCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
print "Saml. Authenticate for step 1. Using next attributes mapping", currentAttributesMapping
newUser = User()
for attributesMappingEntry in currentAttributesMapping.entrySet():
idpAttribute = attributesMappingEntry.getKey()
localAttribute = attributesMappingEntry.getValue()
localAttributeValue = saml_response_normalized_attributes.get(idpAttribute)
if (localAttribute != None):
newUser.setAttribute(localAttribute, localAttributeValue)
newUser.setAttribute("oxExternalUid", "saml:" + saml_user_uid)
print "Saml. Authenticate for step 1. Attempting to add user", saml_user_uid, " with next attributes", newUser.getCustomAttributes()
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID", find_user_by_uid.getUserId()
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
elif (saml_enroll_all_user_attr):
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:" + saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
user = User()
customAttributes = ArrayList()
for key in attributes.keySet():
ldapAttributes = attributeService.getAllAttributes()
for ldapAttribute in ldapAttributes:
saml2Uri = ldapAttribute.getSaml2Uri()
if(saml2Uri == None):
saml2Uri = attributeService.getDefaultSaml2Uri(ldapAttribute.getName())
if(saml2Uri == key):
attribute = CustomAttribute(ldapAttribute.getName())
attribute.setValues(attributes.get(key))
customAttributes.add(attribute)
attribute = CustomAttribute("oxExternalUid")
attribute.setValue("saml:" + saml_user_uid)
customAttributes.add(attribute)
user.setCustomAttributes(customAttributes)
if(user.getAttribute("sn") == None):
attribute = CustomAttribute("sn")
attribute.setValue(saml_user_uid)
customAttributes.add(attribute)
if(user.getAttribute("cn") == None):
attribute = CustomAttribute("cn")
attribute.setValue(saml_user_uid)
customAttributes.add(attribute)
find_user_by_uid = userService.addUser(user, True)
print "Saml. Authenticate for step 1. Added new user with UID", find_user_by_uid.getUserId()
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
else:
# Check if the is user with specified saml_user_uid
print "Saml. Authenticate for step 1. Attempting to find user by uid:", saml_user_uid
find_user_by_uid = userService.getUser(saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
elif (step == 2):
print "Saml. Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None) or not sessionAttributes.containsKey("saml_user_uid"):
print "Saml. Authenticate for step 2. saml_user_uid is empty"
return False
saml_user_uid = sessionAttributes.get("saml_user_uid")
passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has saml_user_uid
# Avoid mapping Saml account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
# Add saml_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 2. Failed to update current user"
return False
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result:", post_login_result
return post_login_result
else:
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 2. found_user_name:", found_user_name
if StringHelper.equals(user_name, found_user_name):
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result:", post_login_result
return post_login_result
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
httpService = HttpService.instance();
stringEncrypter = StringEncrypter.defaultInstance()
cas_host = configurationAttributes.get("cas_host").getValue2()
cas_extra_opts = configurationAttributes.get("cas_extra_opts").getValue2()
cas_map_user = StringHelper.toBoolean(configurationAttributes.get("cas_map_user").getValue2(), False)
cas_renew_opt = StringHelper.toBoolean(configurationAttributes.get("cas_renew_opt").getValue2(), False)
if (step == 1):
print "CAS2 authenticate for step 1"
ticket_array = requestParameters.get("ticket")
if ArrayHelper.isEmpty(ticket_array):
print "CAS2 authenticate for step 1. ticket is empty"
return False
ticket = ticket_array[0]
print "CAS2 authenticate for step 1. ticket: " + ticket
if (StringHelper.isEmptyString(ticket)):
print "CAS2 authenticate for step 1. ticket is invalid"
return False
# Validate ticket
request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
parametersMap = HashMap()
parametersMap.put("service", httpService.constructServerUrl(request) + "/postlogin")
if (cas_renew_opt):
parametersMap.put("renew", "true")
parametersMap.put("ticket", ticket)
cas_service_request_uri = authenticationService.parametersAsString(parametersMap)
cas_service_request_uri = cas_host + "/serviceValidate?" + cas_service_request_uri
if StringHelper.isNotEmpty(cas_extra_opts):
cas_service_request_uri = cas_service_request_uri + "&" + cas_extra_opts
print "CAS2 authenticate for step 1. cas_service_request_uri: " + cas_service_request_uri
http_client = httpService.getHttpsClientTrustAll();
http_response = httpService.executeGet(http_client, cas_service_request_uri)
validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_response))
print "CAS2 authenticate for step 1. validation_content: " + validation_content
if StringHelper.isEmpty(validation_content):
print "CAS2 authenticate for step 1. Ticket validation response is invalid"
return False
cas2_auth_failure = self.parse_tag(validation_content, "cas:authenticationFailure")
print "CAS2 authenticate for step 1. cas2_auth_failure: ", cas2_auth_failure
cas2_user_uid = self.parse_tag(validation_content, "cas:user")
print "CAS2 authenticate for step 1. cas2_user_uid: ", cas2_user_uid
if ((cas2_auth_failure != None) or (cas2_user_uid == None)):
print "CAS2 authenticate for step 1. Ticket is invalid"
return False
if (cas_map_user):
print "CAS2 authenticate for step 1. Attempting to find user by oxExternalUid: cas2:" + cas2_user_uid
# Check if the is user with specified cas2_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid)
if (find_user_by_uid == None):
print "CAS2 authenticate for step 1. Failed to find user"
print "CAS2 authenticate for step 1. Setting count steps to 2"
context.set("cas2_count_login_steps", 2)
context.set("cas2_user_uid", stringEncrypter.encrypt(cas2_user_uid))
return True
found_user_name = find_user_by_uid.getUserId()
print "CAS2 authenticate for step 1. found_user_name: " + found_user_name
credentials = Identity.instance().getCredentials()
credentials.setUsername(found_user_name)
credentials.setUser(find_user_by_uid)
print "CAS2 authenticate for step 1. Setting count steps to 1"
context.set("cas2_count_login_steps", 1)
return True
else:
print "CAS2 authenticate for step 1. Attempting to find user by uid:" + cas2_user_uid
# Check if the is user with specified cas2_user_uid
find_user_by_uid = userService.getUser(cas2_user_uid)
if (find_user_by_uid == None):
print "CAS2 authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "CAS2 authenticate for step 1. found_user_name: " + found_user_name
credentials = Identity.instance().getCredentials()
credentials.setUsername(found_user_name)
credentials.setUser(find_user_by_uid)
print "CAS2 authenticate for step 1. Setting count steps to 1"
context.set("cas2_count_login_steps", 1)
return True
elif (step == 2):
print "CAS2 authenticate for step 2"
cas2_user_uid_array = requestParameters.get("cas2_user_uid")
if ArrayHelper.isEmpty(cas2_user_uid_array):
print "CAS2 authenticate for step 2. cas2_user_uid is empty"
return False
cas2_user_uid = stringEncrypter.decrypt(cas2_user_uid_array[0])
passed_step1 = StringHelper.isNotEmptyString(cas2_user_uid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has cas2_user_uid
# Avoid mapping CAS2 account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid)
if (find_user_by_uid == None):
# Add cas2_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "cas2:" + cas2_user_uid)
if (find_user_by_uid == None):
print "CAS2 authenticate for step 2. Failed to update current user"
return False
return True
else:
found_user_name = find_user_by_uid.getUserId()
print "CAS2 authenticate for step 2. found_user_name: " + found_user_name
if StringHelper.equals(user_name, found_user_name):
return True
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
encryptionService = EncryptionService.instance()
mapUserDeployment = False
enrollUserDeployment = False
if (configurationAttributes.containsKey("gplus_deployment_type")):
deploymentType = StringHelper.toLowerCase(configurationAttributes.get("gplus_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(deploymentType, "map")):
mapUserDeployment = True
if (StringHelper.equalsIgnoreCase(deploymentType, "enroll")):
enrollUserDeployment = True
if (step == 1):
print "Google+ authenticate for step 1"
gplusAuthCodeArray = requestParameters.get("gplus_auth_code")
gplusAuthCode = gplusAuthCodeArray[0]
# Check if user uses basic method to log in
useBasicAuth = False
if (StringHelper.isEmptyString(gplusAuthCode)):
useBasicAuth = True
# Use basic method to log in
if (useBasicAuth):
print "Google+ authenticate for step 1. Basic authentication"
context.set("gplus_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
userName = credentials.getUsername()
userPassword = credentials.getPassword()
loggedIn = False
if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)):
userService = UserService.instance()
loggedIn = userService.authenticate(userName, userPassword)
if (not loggedIn):
return False
return True
# Use Google+ method to log in
print "Google+ authenticate for step 1. gplusAuthCode:", gplusAuthCode
currentClientSecrets = self.getCurrentClientSecrets(self.clientSecrets, configurationAttributes, requestParameters)
if (currentClientSecrets == None):
print "Google+ authenticate for step 1. Client secrets configuration is invalid"
return False
print "Google+ authenticate for step 1. Attempting to gets tokens"
tokenResponse = self.getTokensByCode(self.clientSecrets, configurationAttributes, gplusAuthCode);
if ((tokenResponse == None) or (tokenResponse.getIdToken() == None) or (tokenResponse.getAccessToken() == None)):
print "Google+ authenticate for step 1. Failed to get tokens"
return False
else:
print "Google+ authenticate for step 1. Successfully gets tokens"
jwt = Jwt.parse(tokenResponse.getIdToken())
# TODO: Validate ID Token Signature
gplusUserUid = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER);
print "Google+ authenticate for step 1. Found Google user ID in the ID token: ", gplusUserUid
if (mapUserDeployment):
# Use mapping to local IDP user
print "Google+ authenticate for step 1. Attempting to find user by oxExternalUid: gplus:", gplusUserUid
# Check if there is user with specified gplusUserUid
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
print "Google+ authenticate for step 1. Failed to find user"
print "Google+ authenticate for step 1. Setting count steps to 2"
context.set("gplus_count_login_steps", 2)
context.set("gplus_user_uid", encryptionService.encrypt(gplusUserUid))
return True
foundUserName = foundUser.getUserId()
print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user"
return False
print "Google+ authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
elif (enrollUserDeployment):
# Use auto enrollment to local IDP
print "Google+ authenticate for step 1. Attempting to find user by oxExternalUid: gplus:", gplusUserUid
# Check if there is user with specified gplusUserUid
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
# Auto user enrollemnt
print "Google+ authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Google+ authenticate for step 1. Attempting to gets user info"
userInfoResponse = self.getUserInfo(currentClientSecrets, configurationAttributes, tokenResponse.getAccessToken())
if ((userInfoResponse == None) or (userInfoResponse.getClaims().size() == 0)):
print "Google+ authenticate for step 1. Failed to get user info"
return False
else:
print "Google+ authenticate for step 1. Successfully gets user info"
gplusResponseAttributes = userInfoResponse.getClaims()
# Convert Google+ user claims to lover case
gplusResponseNormalizedAttributes = HashMap()
for gplusResponseAttributeEntry in gplusResponseAttributes.entrySet():
gplusResponseNormalizedAttributes.put(
StringHelper.toLowerCase(gplusResponseAttributeEntry.getKey()), gplusResponseAttributeEntry.getValue())
currentAttributesMapping = self.getCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
print "Google+ authenticate for step 1. Using next attributes mapping", currentAttributesMapping
newUser = User()
for attributesMappingEntry in currentAttributesMapping.entrySet():
idpAttribute = attributesMappingEntry.getKey()
localAttribute = attributesMappingEntry.getValue()
localAttributeValue = gplusResponseNormalizedAttributes.get(idpAttribute)
if (localAttribute != None):
newUser.setAttribute(localAttribute, localAttributeValue)
if (newUser.getAttribute("sn") == None):
newUser.setAttribute("sn", gplusUserUid)
if (newUser.getAttribute("cn") == None):
newUser.setAttribute("cn", gplusUserUid)
newUser.setAttribute("oxExternalUid", "gplus:" + gplusUserUid)
print "Google+ authenticate for step 1. Attempting to add user", gplusUserUid, " with next attributes", newUser.getCustomAttributes()
foundUser = userService.addUser(newUser)
print "Google+ authenticate for step 1. Added new user with UID", foundUser.getUserId()
foundUserName = foundUser.getUserId()
print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user"
return False
print "Google+ authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
else:
# Check if the is user with specified gplusUserUid
print "Google+ authenticate for step 1. Attempting to find user by uid:", gplusUserUid
foundUser = userService.getUser(gplusUserUid)
if (foundUser == None):
print "Google+ authenticate for step 1. Failed to find user"
return False
foundUserName = foundUser.getUserId()
print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user"
return False
print "Google+ authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
elif (step == 2):
print "Google+ authenticate for step 2"
gplusUserUidArray = requestParameters.get("gplus_user_uid")
if ArrayHelper.isEmpty(gplusUserUidArray):
print "Google+ authenticate for step 2. gplus_user_uid is empty"
return False
gplusUserUid = encryptionService.decrypt(gplusUserUidArray[0])
passedStep1 = StringHelper.isNotEmptyString(gplusUserUid)
if (not passedStep1):
return False
credentials = Identity.instance().getCredentials()
userName = credentials.getUsername()
userPassword = credentials.getPassword()
loggedIn = False
if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)):
loggedIn = userService.authenticate(userName, userPassword)
if (not loggedIn):
return False
# Check if there is user which has gplusUserUid
# Avoid mapping Google account to more than one IDP account
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
# Add gplusUserUid to user one id UIDs
foundUser = userService.addUserAttribute(userName, "oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
print "Google+ authenticate for step 2. Failed to update current user"
return False
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ authenticate for step 2. postLoginResult:", postLoginResult
return postLoginResult
else:
foundUserName = foundUser.getUserId()
print "Google+ authenticate for step 2. foundUserName:"******"Google+ authenticate for step 2. postLoginResult:", postLoginResult
return postLoginResult
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
saml_map_user = False
saml_enroll_user = False
saml_enroll_all_user_attr = False
# Use saml_deployment_type only if there is no attributes mapping
if configurationAttributes.containsKey("saml_deployment_type"):
saml_deployment_type = StringHelper.toLowerCase(
configurationAttributes.get(
"saml_deployment_type").getValue2())
if StringHelper.equalsIgnoreCase(saml_deployment_type, "map"):
saml_map_user = True
if StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll"):
saml_enroll_user = True
if StringHelper.equalsIgnoreCase(saml_deployment_type,
"enroll_all_attr"):
saml_enroll_all_user_attr = True
saml_allow_basic_login = False
if configurationAttributes.containsKey("saml_allow_basic_login"):
saml_allow_basic_login = StringHelper.toBoolean(
configurationAttributes.get(
"saml_allow_basic_login").getValue2(), False)
use_basic_auth = False
if saml_allow_basic_login:
# Detect if user used basic authnetication method
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(
user_password):
use_basic_auth = True
if (step == 1) and saml_allow_basic_login and use_basic_auth:
print "Asimba. Authenticate for step 1. Basic authentication"
identity.setWorkingParameter("saml_count_login_steps", 1)
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if StringHelper.isNotEmptyString(
user_name) and StringHelper.isNotEmptyString(
user_password):
logged_in = authenticationService.authenticate(
user_name, user_password)
if (not logged_in):
return False
return True
if (step == 1):
print "Asimba. Authenticate for step 1"
currentSamlConfiguration = self.getCurrentSamlConfiguration(
self.samlConfiguration, configurationAttributes,
requestParameters)
if (currentSamlConfiguration == None):
print "Asimba. Prepare for step 1. Client saml configuration is invalid"
return False
saml_response_array = requestParameters.get("SAMLResponse")
if ArrayHelper.isEmpty(saml_response_array):
print "Asimba. Authenticate for step 1. saml_response is empty"
return False
saml_response = saml_response_array[0]
print "Asimba. Authenticate for step 1. saml_response: '%s'" % saml_response
samlResponse = Response(currentSamlConfiguration)
samlResponse.loadXmlFromBase64(saml_response)
saml_validate_response = True
if configurationAttributes.containsKey("saml_validate_response"):
saml_validate_response = StringHelper.toBoolean(
configurationAttributes.get(
"saml_validate_response").getValue2(), False)
if saml_validate_response:
if not samlResponse.isValid():
print "Asimba. Authenticate for step 1. saml_response isn't valid"
saml_response_attributes = samlResponse.getAttributes()
print "Asimba. Authenticate for step 1. attributes: '%s'" % saml_response_attributes
if saml_map_user:
saml_user_uid = self.getSamlNameId(samlResponse)
if saml_user_uid == None:
return False
# Use mapping to local IDP user
print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
print "Asimba. Authenticate for step 1. Failed to find user"
print "Asimba. Authenticate for step 1. Setting count steps to 2"
identity.setWorkingParameter("saml_count_login_steps", 2)
identity.setWorkingParameter("saml_user_uid",
saml_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if user_authenticated == False:
print "Asimba. Authenticate for step 1. Failed to authenticate user"
return False
print "Asimba. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif saml_enroll_user:
# Convert SAML response to user entry
newUser = self.getMappedUser(configurationAttributes,
requestParameters,
saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid",
"saml:%s" % saml_user_uid)
# Use auto enrollment to local IDP
print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
# Auto user enrollment
print "Asimba. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Asimba. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Asimba. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId(
)
facesMessages = CdiUtil.bean(FacesMessages)
facesMessages.add(
FacesMessage.SEVERITY_ERROR,
"Failed to enroll. User with same key attributes exist already"
)
facesMessages.setKeepMessages()
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Asimba. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId(
)
else:
if self.updateUser:
print "Asimba. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(
newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Asimba. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if user_authenticated == False:
print "Asimba. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name
return False
print "Asimba. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif saml_enroll_all_user_attr:
# Convert SAML response to user entry
newUser = self.getMappedAllAttributesUser(
saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid",
"saml:%s" % saml_user_uid)
print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:%s" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
# Auto user enrollment
print "Asimba. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Asimba. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Asimba. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId(
)
facesMessages = CdiUtil.bean(FacesMessages)
facesMessages.add(
FacesMessage.SEVERITY_ERROR,
"Failed to enroll. User with same key attributes exist already"
)
facesMessages.setKeepMessages()
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Asimba. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId(
)
else:
if self.updateUser:
print "Asimba. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(
newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Asimba. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if user_authenticated == False:
print "Asimba. Authenticate for step 1. Failed to authenticate user"
return False
print "Asimba. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
else:
if saml_user_uid == None:
return False
# Check if the is user with specified saml_user_uid
print "Asimba. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid
find_user_by_uid = userService.getUser(saml_user_uid)
if find_user_by_uid == None:
print "Asimba. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if user_authenticated == False:
print "Asimba. Authenticate for step 1. Failed to authenticate user"
return False
print "Asimba. Authenticate for step 1. Setting count steps to 1"
identity.setWorkingParameter("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (step == 2):
print "Asimba. Authenticate for step 2"
sessionAttributes = identity.getSessionId().getSessionAttributes()
if (sessionAttributes == None
) or not sessionAttributes.containsKey("saml_user_uid"):
print "Asimba. Authenticate for step 2. saml_user_uid is empty"
return False
saml_user_uid = sessionAttributes.get("saml_user_uid")
passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
if not passed_step1:
return False
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if StringHelper.isNotEmptyString(
user_name) and StringHelper.isNotEmptyString(
user_password):
logged_in = authenticationService.authenticate(
user_name, user_password)
if not logged_in:
return False
# Check if there is user which has saml_user_uid
# Avoid mapping Saml account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
# Add saml_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(
user_name, "oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
print "Asimba. Authenticate for step 2. Failed to update current user"
return False
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
else:
found_user_name = find_user_by_uid.getUserId()
print "Asimba. Authenticate for step 2. found_user_name: '%s'" % found_user_name
if StringHelper.equals(user_name, found_user_name):
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Asimba. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
duo_host = configurationAttributes.get("duo_host").getValue2()
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "Duo. Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name)
and StringHelper.isNotEmptyString(user_password)):
userService = Component.getInstance(UserService)
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
authenticationService = Component.getInstance(
AuthenticationService)
user = authenticationService.getAuthenticatedUser()
if (self.use_duo_group):
print "Duo. Authenticate for step 1. Checking if user belong to Duo group"
is_member_duo_group = self.isUserMemberOfGroup(
user, self.audit_attribute, self.duo_group)
if (is_member_duo_group):
print "Duo. Authenticate for step 1. User '" + user.getUserId(
) + "' member of Duo group"
duo_count_login_steps = 2
else:
self.processAuditGroup(user)
duo_count_login_steps = 1
context = Contexts.getEventContext()
context.set("duo_count_login_steps", duo_count_login_steps)
return True
elif (step == 2):
print "Duo. Authenticate for step 2"
sig_response_array = requestParameters.get("sig_response")
if ArrayHelper.isEmpty(sig_response_array):
print "Duo. Authenticate for step 2. sig_response is empty"
return False
duo_sig_response = sig_response_array[0]
print "Duo. Authenticate for step 2. duo_sig_response: " + duo_sig_response
authenticated_username = duo_web.verify_response(
self.ikey, self.skey, self.akey, duo_sig_response)
print "Duo. Authenticate for step 2. authenticated_username: "******", expected user_name: " + user_name
if (not StringHelper.equals(user_name, authenticated_username)):
return False
authenticationService = Component.getInstance(
AuthenticationService)
user = authenticationService.getAuthenticatedUser()
self.processAuditGroup(user)
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "Basic (with password update). Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
elif (step == 2):
userService = UserService.instance()
find_user_by_uid = userService.getUser(user_name)
if (find_user_by_uid == None):
print "Basic (with password update). Authenticate for step 2. Failed to find user"
return False
user_expDate = find_user_by_uid.getAttribute("oxPasswordExpirationDate", False)
if (user_expDate == None):
print "Failed to get Date"
return False
print "Exp Date is : '" + user_expDate + "' ."
now = datetime.datetime.now()
myDate = self.parseDate(user_expDate)
prevExpDate = self.previousExpDate(myDate)
expDate = self.newExpirationDate(myDate)
temp = expDate.strftime("%y%m%d")
expDate = (expDate + temp + "195000Z")
if prevExpDate < now:
print "Basic (with password update). Authenticate for step 2"
find_user_by_uid.setAttribute("oxPasswordExpirationDate", expDate)
update_button = requestParameters.get("loginForm:updateButton")
if ArrayHelper.isEmpty(update_button):
return True
new_password_array = requestParameters.get("new_password")
if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
print "Basic (with password update). Authenticate for step 2. New password is empty"
return False
new_password = new_password_array[0]
print "Basic (with password update). Authenticate for step 2. Attempting to set new user '" + user_name + "' password"
userService.updateUser(find_user_by_uid)
print "Basic (with password update). Authenticate for step 2. Password updated successfully"
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
httpService = HttpService.instance();
server_flag = configurationAttributes.get("oneid_server_flag").getValue2()
callback_attrs = configurationAttributes.get("oneid_callback_attrs").getValue2()
creds_file = configurationAttributes.get("oneid_creds_file").getValue2()
# Create OneID
authn = OneID(server_flag)
# Set path to credentials file
authn.creds_file = creds_file;
if (step == 1):
print "OneId. Authenticate for step 1"
# Find OneID request
json_data_array = requestParameters.get("json_data")
if ArrayHelper.isEmpty(json_data_array):
print "OneId. Authenticate for step 1. json_data is empty"
return False
request = json_data_array[0]
print "OneId. Authenticate for step 1. request: " + request
if (StringHelper.isEmptyString(request)):
return False
authn.set_credentials()
# Validate request
http_client = httpService.getHttpsClientDefaulTrustStore();
auth_data = httpService.encodeBase64(authn.api_id + ":" + authn.api_key)
http_response = httpService.executePost(http_client, authn.helper_server + "/validate", auth_data, request, ContentType.APPLICATION_JSON)
validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_response))
print "OneId. Authenticate for step 1. validation_content: " + validation_content
if (StringHelper.isEmptyString(validation_content)):
return False
validation_resp = json.loads(validation_content)
print "OneId. Authenticate for step 1. validation_resp: " + str(validation_resp)
if (not authn.success(validation_resp)):
return False
response = json.loads(request)
for x in validation_resp:
response[x] = validation_resp[x]
oneid_user_uid = response['uid']
print "OneId. Authenticate for step 1. oneid_user_uid: " + oneid_user_uid
# Check if the is user with specified oneid_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "oneid:" + oneid_user_uid)
if (find_user_by_uid == None):
print "OneId. Authenticate for step 1. Failed to find user"
print "OneId. Authenticate for step 1. Setting count steps to 2"
context.set("oneid_count_login_steps", 2)
context.set("oneid_user_uid", oneid_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "OneId. Authenticate for step 1. found_user_name: " + found_user_name
credentials = Identity.instance().getCredentials()
credentials.setUsername(found_user_name)
credentials.setUser(find_user_by_uid)
print "OneId. Authenticate for step 1. Setting count steps to 1"
context.set("oneid_count_login_steps", 1)
return True
elif (step == 2):
print "OneId. Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None) or not sessionAttributes.containsKey("oneid_user_uid"):
print "OneId. Authenticate for step 2. oneid_user_uid is empty"
return False
oneid_user_uid = sessionAttributes.get("oneid_user_uid")
passed_step1 = StringHelper.isNotEmptyString(oneid_user_uid)
if (not passed_step1):
return False
#
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
passed_step1 = StringHelper.isNotEmptyString(user_name)
if (not passed_step1):
return False
#
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has oneid_user_uid
# Avoid mapping OneID account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "oneid:" + oneid_user_uid)
if (find_user_by_uid == None):
# Add oneid_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "oneid:" + oneid_user_uid)
if (find_user_by_uid == None):
print "OneId. Authenticate for step 2. Failed to update current user"
return False
return True
else:
found_user_name = find_user_by_uid.getUserId()
print "OneId. Authenticate for step 2. found_user_name: " + found_user_name
if StringHelper.equals(user_name, found_user_name):
return True
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
userService = UserService.instance()
stringEncrypter = StringEncrypter.defaultInstance()
oxpush_user_timeout = int(configurationAttributes.get("oxpush_user_timeout").getValue2())
oxpush_application_name = configurationAttributes.get("oxpush_application_name").getValue2()
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "oxPush authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Find user by uid
userService = UserService.instance()
find_user_by_uid = userService.getUser(user_name)
if (find_user_by_uid == None):
print "oxPush authenticate for step 1. Failed to find user"
return False
# Check if the user paired account to phone
user_external_uid_attr = userService.getCustomAttribute(find_user_by_uid, "oxExternalUid")
if ((user_external_uid_attr == None) or (user_external_uid_attr.getValues() == None)):
print "oxPush authenticate for step 1. There is no external UIDs for user: "******"oxPush authenticate for step 1. There is no oxPush UID for user: "******"oxPush authenticate for step 1. oxpush_user_uid: ", oxpush_user_uid
deployment_status = self.oxPushClient.getDeploymentStatus(oxpush_user_uid);
if (deployment_status.result):
print "oxPush authenticate for step 1. Deployment status is valid"
if ("enabled" == deployment_status.status):
print "oxPush authenticate for step 1. Deployment is enabled"
context.set("oxpush_user_uid", stringEncrypter.encrypt(oxpush_user_uid))
else:
print "oxPush authenticate for step 1. Deployment is disabled"
return False
else:
print "oxPush authenticate for step 1. Deployment status is invalid. Force user to pair again"
# Remove oxpush_user_uid from user entry
find_user_by_uid = userService.removeUserAttribute(user_name, "oxExternalUid", "oxpush:" + oxpush_user_uid)
if (find_user_by_uid == None):
print "oxPush authenticate for step 1. Failed to update current user"
return False
return True
elif (step == 2):
print "oxPush authenticate for step 2"
passed_step1 = self.isPassedDefaultAuthentication
if (not passed_step1):
return False
oxpush_user_uid_array = requestParameters.get("oxpush_user_uid")
if (ArrayHelper.isEmpty(oxpush_user_uid_array) or StringHelper.isEmptyString(oxpush_user_uid_array[0])):
print "oxPush authenticate for step 2. oxpush_user_uid is empty"
oxpush_pairing_uid_array = requestParameters.get("oxpush_pairing_uid")
if (ArrayHelper.isEmpty(oxpush_pairing_uid_array) or StringHelper.isEmptyString(oxpush_pairing_uid_array[0])):
print "oxPush authenticate for step 2. oxpush_pairing_uid is empty"
return False
oxpush_pairing_uid = stringEncrypter.decrypt(oxpush_pairing_uid_array[0])
# Check pairing status
pairing_status = self.checkStatus("pair", oxpush_pairing_uid, oxpush_user_timeout)
if (pairing_status == None):
print "oxPush authenticate for step 2. The pairing has not been authorized by user"
return False
oxpush_user_uid = pairing_status.deploymentId
print "oxPush authenticate for step 2. Storing oxpush_user_uid in user entry", oxpush_user_uid
# Store oxpush_user_uid in user entry
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "oxpush:" + oxpush_user_uid)
if (find_user_by_uid == None):
print "oxPush authenticate for step 2. Failed to update current user"
return False
context.set("oxpush_count_login_steps", 2)
context.set("oxpush_user_uid", stringEncrypter.encrypt(oxpush_user_uid))
else:
print "oxPush authenticate for step 2. Deployment status is valid"
return True
elif (step == 3):
print "oxPush authenticate for step 3"
passed_step1 = self.isPassedDefaultAuthentication
if (not passed_step1):
return False
oxpush_user_uid_array = requestParameters.get("oxpush_user_uid")
if ArrayHelper.isEmpty(oxpush_user_uid_array):
print "oxPush authenticate for step 3. oxpush_user_uid is empty"
return False
oxpush_user_uid = stringEncrypter.decrypt(oxpush_user_uid_array[0])
# Initialize authentication process
authentication_request = None
try:
authentication_request = self.oxPushClient.authenticate(oxpush_user_uid, user_name);
except java.lang.Exception, err:
print "oxPush authenticate for step 3. Failed to initialize authentication process: ", err
return False
if (not authentication_request.result):
print "oxPush authenticate for step 3. Failed to initialize authentication process"
return False
# Check authentication status
authentication_status = self.checkStatus("authenticate", authentication_request.authenticationId, oxpush_user_timeout)
if (authentication_status == None):
print "oxPush authenticate for step 3. The authentication has not been authorized by user"
return False
print "oxPush authenticate for step 3. The request was granted"
return True
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
saml_map_user = False
saml_enroll_user = False
saml_enroll_all_user_attr = False
# Use saml_deployment_type only if there is no attributes mapping
if (configurationAttributes.containsKey("saml_deployment_type")):
saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")):
saml_map_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")):
saml_enroll_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")):
saml_enroll_all_user_attr = True
saml_allow_basic_login = False
if (configurationAttributes.containsKey("saml_allow_basic_login")):
saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False)
use_basic_auth = False
if (saml_allow_basic_login):
# Detect if user used basic authnetication method
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if (StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password)):
use_basic_auth = True
if ((step == 1) and saml_allow_basic_login and use_basic_auth):
print "Saml. Authenticate for step 1. Basic authentication"
context.set("saml_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
if (step == 1):
print "Saml. Authenticate for step 1"
currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
if (currentSamlConfiguration == None):
print "Saml. Prepare for step 1. Client saml configuration is invalid"
return False
saml_response_array = requestParameters.get("SAMLResponse")
if ArrayHelper.isEmpty(saml_response_array):
print "Saml. Authenticate for step 1. saml_response is empty"
return False
saml_response = saml_response_array[0]
print "Saml. Authenticate for step 1. saml_response: '%s'" % saml_response
samlResponse = Response(currentSamlConfiguration)
samlResponse.loadXmlFromBase64(saml_response)
saml_validate_response = True
if (configurationAttributes.containsKey("saml_validate_response")):
saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False)
if (saml_validate_response):
if (not samlResponse.isValid()):
print "Saml. Authenticate for step 1. saml_response isn't valid"
saml_response_attributes = samlResponse.getAttributes()
print "Saml. Authenticate for step 1. attributes: '%s'" % saml_response_attributes
if (saml_map_user):
saml_user_uid = self.getSamlNameId(samlResponse)
if saml_user_uid == None:
return False
# Use mapping to local IDP user
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
print "Saml. Authenticate for step 1. Setting count steps to 2"
context.set("saml_count_login_steps", 2)
context.set("saml_user_uid", saml_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (saml_enroll_user):
# Convert SAML response to user entry
newUser = self.getMappedUser(configurationAttributes, requestParameters, saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
# Use auto enrollment to local IDP
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
# Auto user enrollment
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId()
facesMessages = FacesMessages.instance()
facesMessages.add(StatusMessage.Severity.ERROR, "Failed to enroll. User with same key attributes exist already")
FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True)
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId()
else:
if self.updateUser:
print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (saml_enroll_all_user_attr):
# Convert SAML response to user entry
newUser = self.getMappedAllAttributesUser(saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:%s" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
# Auto user enrollment
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId()
facesMessages = FacesMessages.instance()
facesMessages.add(StatusMessage.Severity.ERROR, "Failed to enroll. User with same key attributes exist already")
FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True)
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId()
else:
if self.updateUser:
print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
else:
if saml_user_uid == None:
return False
# Check if the is user with specified saml_user_uid
print "Saml. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid
find_user_by_uid = userService.getUser(saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (step == 2):
print "Saml. Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None) or not sessionAttributes.containsKey("saml_user_uid"):
print "Saml. Authenticate for step 2. saml_user_uid is empty"
return False
saml_user_uid = sessionAttributes.get("saml_user_uid")
passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has saml_user_uid
# Avoid mapping Saml account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
# Add saml_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 2. Failed to update current user"
return False
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
else:
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 2. found_user_name: '%s'" % found_user_name
if StringHelper.equals(user_name, found_user_name):
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
userService = UserService.instance()
stringEncrypter = StringEncrypter.defaultInstance()
toopher_user_timeout = int(configurationAttributes.get("toopher_user_timeout").getValue2())
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "Toopher authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Find user by uid
userService = UserService.instance()
find_user_by_uid = userService.getUser(user_name)
if (find_user_by_uid == None):
print "Toopher authenticate for step 1. Failed to find user"
return False
# Check if the user paired account to phone
user_external_uid_attr = userService.getCustomAttribute(find_user_by_uid, "oxExternalUid")
if ((user_external_uid_attr == None) or (user_external_uid_attr.getValues() == None)):
print "Toopher authenticate for step 1. There is no external UIDs for user: "******"Toopher authenticate for step 1. There is no Topher UID for user: "******"toopher_user_uid", stringEncrypter.encrypt(topher_user_uid))
return True
elif (step == 2):
print "Toopher authenticate for step 2"
passed_step1 = self.isPassedDefaultAuthentication
if (not passed_step1):
return False
toopher_user_uid_array = requestParameters.get("toopher_user_uid")
if (ArrayHelper.isEmpty(toopher_user_uid_array) or StringHelper.isEmptyString(toopher_user_uid_array[0])):
print "Toopher authenticate for step 2. toopher_user_uid is empty"
# Pair with phone
pairing_phrase_array = requestParameters.get("pairing_phrase")
if ArrayHelper.isEmpty(pairing_phrase_array):
print "Toopher authenticate for step 2. pairing_phrase is empty"
return False
pairing_phrase = pairing_phrase_array[0]
try:
pairing_status = self.tapi.pair(pairing_phrase, user_name);
toopher_user_uid = pairing_status.id;
except RequestError, err:
print "Toopher authenticate for step 2. Failed pair with phone: ", err
return False
pairing_result = self.checkPairingStatus(toopher_user_uid, toopher_user_timeout)
if (not pairing_result):
print "Toopher authenticate for step 2. The pairing has not been authorized by the phone yet"
return False
print "Toopher authenticate for step 2. Storing toopher_user_uid in user entry", toopher_user_uid
# Store toopher_user_uid in user entry
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "toopher:" + toopher_user_uid)
if (find_user_by_uid == None):
print "Toopher authenticate for step 2. Failed to update current user"
return False
context.set("toopher_user_uid", stringEncrypter.encrypt(toopher_user_uid))
else:
toopher_user_uid = stringEncrypter.decrypt(toopher_user_uid_array[0])
# Check pairing stastus
print "Toopher authenticate for step 2. toopher_user_uid: ", toopher_user_uid
pairing_result = self.checkPairingStatus(toopher_user_uid, 0)
if (not pairing_result):
print "Toopher authenticate for step 2. The pairing has not been authorized by the phone yet"
return False
return True
def authenticate(self, configurationAttributes, requestParameters, step):
print "Wikid. Authentication. Checking client"
if (not self.wc.isConnected()):
print "Wikid. Authentication. Wikid client state is invalid"
return False
context = Contexts.getEventContext()
is_wikid_registration = False
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes != None) and sessionAttributes.containsKey("wikid_registration"):
is_wikid_registration = java.lang.Boolean.valueOf(sessionAttributes.get("wikid_registration"))
wikid_server_code = configurationAttributes.get("wikid_server_code").getValue2()
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "Wikid. Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
print "Wikid. Authenticate for step 1. Attempting to find wikid_user: "******"Wikid. Authenticate for step 1. There is no associated devices for user: "******"Wikid. Authenticate for step 1. Setting count steps to 3"
context.set("wikid_count_login_steps", 3)
context.set("wikid_registration", True)
else:
context.set("wikid_count_login_steps", 2)
return True
elif (is_wikid_registration):
print "Wikid. Authenticate for step wikid_register_device"
userService = UserService.instance()
wikid_regcode_array = requestParameters.get("regcode")
if ArrayHelper.isEmpty(wikid_regcode_array):
print "Wikid. Authenticate for step wikid_register_device. Regcode is empty"
return False
wikid_regcode = wikid_regcode_array[0]
print "Wikid. Authenticate for step wikid_register_device. User: "******", regcode: " + wikid_regcode
register_result = self.wc.registerUsername(user_name, wikid_regcode, wikid_server_code);
is_valid = register_result == 0
if is_valid:
print "Wikid. Authenticate for step wikid_register_device. User: "******" token registered successfully"
# Add wikid_regcode to user UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "wikid:" + wikid_regcode)
if (find_user_by_uid == None):
print "Wikid. Authenticate for step wikid_register_device. Failed to update user: "******"wikid_registration", False)
else:
print "Wikid. Authenticate for step wikid_register_device. Failed to register user: "******" token:" + wikid_regcode + ". Registration result:", register_result
return is_valid
elif (not is_wikid_registration):
print "Wikid. Authenticate for step wikid_check_passcode"
wikid_passcode_array = requestParameters.get("passcode")
if ArrayHelper.isEmpty(wikid_passcode_array):
print "Wikid. Authenticate for step wikid_check_passcode. Passcode is empty"
return False
wikid_passcode = wikid_passcode_array[0]
print "Wikid. Authenticate for step wikid_check_passcode. wikid_user: "******"Wikid. Authenticate for step wikid_check_passcode. wikid_user: "******" authenticated successfully"
else:
print "Wikid. Authenticate for step wikid_check_passcode. Failed to authenticate. wikid_user: " + user_name
return is_valid
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getApplicationContext()
print "Wikid. Authentication. Cheking client"
wc = context.get("wClient")
if ((wc is None) or (not wc.isConnected())):
print "Wikid. Authenticate for step 1. Creating new client."
wikid_server_host = configurationAttributes.get("wikid_server_host").getValue2()
wikid_server_port = int(configurationAttributes.get("wikid_server_port").getValue2())
wikid_cert_path = configurationAttributes.get("wikid_cert_path").getValue2()
wikid_cert_pass = configurationAttributes.get("wikid_cert_pass").getValue2()
wikid_ca_store_path = configurationAttributes.get("wikid_ca_store_path").getValue2()
wikid_ca_store_pass = configurationAttributes.get("wikid_ca_store_pass").getValue2()
wc = wClient(wikid_server_host, wikid_server_port, wikid_cert_path, wikid_cert_pass, wikid_ca_store_path, wikid_ca_store_pass)
context.set("wClient", wc)
if (step == 1):
print "Wikid. Authenticate for step 1"
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
return wc.isConnected()
elif (step == 2):
print "Wikid. Authenticate for step 2"
wc = context.get("wClient")
if (wc is None):
print "Wikid. Authenticate. Client is invalid"
return False
wikid_user_array = requestParameters.get("username")
wikid_passcode_array = requestParameters.get("passcode")
if ArrayHelper.isEmpty(wikid_user_array) or ArrayHelper.isEmpty(wikid_passcode_array):
print "Wikid. Authenticate. Username or passcode is empty"
return False
wikid_user = wikid_user_array[0]
wikid_passcode = wikid_passcode_array[0]
wikid_server_code = configurationAttributes.get("wikid_server_code").getValue2()
print "Wikid. Authenticate for step 2 wikid_user: "******"Wikid. Authenticate for step 2. wikid_user: "******" authenticated successfully"
else:
print "Wikid. Authenticate for step 2. Failed to authenticate. wikid_user: " + wikid_user
return is_valid
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
userService = UserService.instance()
iw_api_uri = configurationAttributes.get("iw_api_uri").getValue2()
iw_service_id = configurationAttributes.get("iw_service_id").getValue2()
iw_helium_enabled = Boolean(configurationAttributes.get("iw_helium_enabled").getValue2()).booleanValue()
if (iw_helium_enabled):
context.set("iw_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "InWebo. Authenticate for step 1"
print "InWebo. Authenticate for step 1. iw_helium_enabled:", iw_helium_enabled
user_password = credentials.getPassword()
if (iw_helium_enabled):
login_array = requestParameters.get("login")
if ArrayHelper.isEmpty(login_array):
print "InWebo. Authenticate for step 1. login is empty"
return False
user_name = login_array[0]
password_array = requestParameters.get("password")
if ArrayHelper.isEmpty(password_array):
print "InWebo. Authenticate for step 1. password is empty"
return False
user_password = password_array[0]
response_validation = self.validateInweboToken(iw_api_uri, iw_service_id, user_name, user_password)
if (not response_validation):
return False
logged_in = False
if (StringHelper.isNotEmptyString(user_name)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name)
return logged_in
else:
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
return logged_in
return True
elif (step == 2):
print "InWebo. Authenticate for step 2"
passed_step1 = self.isPassedDefaultAuthentication
if (not passed_step1):
return False
iw_token_array = requestParameters.get("iw_token")
if ArrayHelper.isEmpty(iw_token_array):
print "InWebo. Authenticate for step 2. iw_token is empty"
return False
iw_token = iw_token_array[0]
response_validation = self.validateInweboToken(iw_api_uri, iw_service_id, user_name, iw_token)
return response_validation
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
identity = CdiUtil.bean(Identity)
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
if step == 1:
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = CdiUtil.bean(UserService)
logged_in = authenticationService.authenticate(user_name, user_password)
if (not logged_in):
return False
else:
find_user_by_uid = authenticationService.getAuthenticatedUser()
status_attribute_value = userService.getCustomAttribute(find_user_by_uid, "mail")
user_mail = status_attribute_value.getValue()
self.setRequestScopedParameters(identity)
isCompromised = False
isCompromised = self.is_compromised(user_mail,user_password,configurationAttributes)
if(isCompromised):
identity.setWorkingParameter("pwd_compromised", isCompromised)
identity.setWorkingParameter("user_name", user_name)
return True
else:
return True
elif step == 2:
print "compromised_password. Authenticate for step 2"
form_answer_array = requestParameters.get("loginForm:question")
if ArrayHelper.isEmpty(form_answer_array):
return False
form_answer = form_answer_array[0]
if (form_answer == self.secretanswer):
return True
return False
elif step == 3:
authenticationService = CdiUtil.bean(AuthenticationService)
print "compromised_password (with password update). Authenticate for step 3"
userService = CdiUtil.bean(UserService)
update_button = requestParameters.get("loginForm:updateButton")
new_password_array = requestParameters.get("new_password")
if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
print "compromised_password (with password update). Authenticate for step 3. New password is empty"
return False
new_password = new_password_array[0]
user = authenticationService.getAuthenticatedUser()
if user == None:
print "compromised_password (with password update). Authenticate for step 3. Failed to determine user name"
return False
user_name = user.getUserId()
print "compromised_password (with password update). Authenticate for step 3. Attempting to set new user '" + user_name + "' password"
find_user_by_uid = userService.getUser(user_name)
if (find_user_by_uid == None):
print "compromised_password (with password update). Authenticate for step 3. Failed to find user"
return False
find_user_by_uid.setAttribute("userPassword", new_password)
userService.updateUser(find_user_by_uid)
print "compromised_password (with password update). Authenticate for step 3. Password updated successfully"
logged_in = authenticationService.authenticate(user_name)
return True
