def prepareForStep(self, configurationAttributes, requestParameters, step): print "U2F. prepareForStep called for step %s" % step identity = CdiUtil.bean(Identity) if (step == 1): session_id = CdiUtil.bean( SessionIdService).getSessionIdFromCookie() if StringHelper.isEmpty(session_id): print "U2F. Prepare for step 1. Failed to determine session_id" return False authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if (user == None): print "U2F. Prepare for step 1. Failed to determine user name" return False u2f_application_id = configurationAttributes.get( "u2f_application_id").getValue2() # Check if user have registered devices deviceRegistrationService = CdiUtil.bean(DeviceRegistrationService) userInum = user.getAttribute("inum") registrationRequest = None authenticationRequest = None deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations( userInum, u2f_application_id) if (deviceRegistrations.size() > 0): print "U2F. Prepare for step 1. Call FIDO U2F in order to start authentication workflow" try: authenticationRequestService = FidoU2fClientFactory.instance( ).createAuthenticationRequestService( self.metaDataConfiguration) authenticationRequest = authenticationRequestService.startAuthentication( user.getUserId(), None, u2f_application_id, session_id) except ClientResponseFailure, ex: if (ex.getResponse().getResponseStatus() != Response.Status.NOT_FOUND): print "U2F. Prepare for step 1. Failed to start authentication workflow. Exception:", sys.exc_info( )[1] return False else: print "U2F. Prepare for step 1. Call FIDO U2F in order to start registration workflow" registrationRequestService = FidoU2fClientFactory.instance( ).createRegistrationRequestService(self.metaDataConfiguration) registrationRequest = registrationRequestService.startRegistration( user.getUserId(), u2f_application_id, session_id) identity.setWorkingParameter( "fido_u2f_authentication_request", ServerUtil.asJson(authenticationRequest)) identity.setWorkingParameter( "fido_u2f_registration_request", ServerUtil.asJson(registrationRequest)) return True
def prepareForStep(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) if (step == 1): return True elif (step == 2): print "U2F. Prepare for step 2" session_id = CdiUtil.bean(SessionIdService).getSessionIdFromCookie() if StringHelper.isEmpty(session_id): print "U2F. Prepare for step 2. Failed to determine session_id" return False authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if (user == None): print "U2F. Prepare for step 2. Failed to determine user name" return False u2f_application_id = configurationAttributes.get("u2f_application_id").getValue2() # Check if user have registered devices deviceRegistrationService = CdiUtil.bean(DeviceRegistrationService) userInum = user.getAttribute("inum") registrationRequest = None authenticationRequest = None deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, u2f_application_id) if (deviceRegistrations.size() > 0): print "U2F. Prepare for step 2. Call FIDO U2F in order to start authentication workflow" try: authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration) authenticationRequest = authenticationRequestService.startAuthentication(user.getUserId(), None, u2f_application_id, session_id) except ClientResponseFailure, ex: if (ex.getResponse().getResponseStatus() != Response.Status.NOT_FOUND): print "U2F. Prepare for step 2. Failed to start authentication workflow. Exception:", sys.exc_info()[1] return False else: print "U2F. Prepare for step 2. Call FIDO U2F in order to start registration workflow" registrationRequestService = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration) registrationRequest = registrationRequestService.startRegistration(user.getUserId(), u2f_application_id, session_id) identity.setWorkingParameter("fido_u2f_authentication_request", ServerUtil.asJson(authenticationRequest)) identity.setWorkingParameter("fido_u2f_registration_request", ServerUtil.asJson(registrationRequest)) return True
def validateRecaptcha(self, recaptcha_response): print "Cert. Validate recaptcha response" facesContext = CdiUtil.bean(FacesContext) request = facesContext.getExternalContext().getRequest() remoteip = ServerUtil.getIpAddress(request) print "Cert. Validate recaptcha response. remoteip: '%s'" % remoteip httpService = CdiUtil.bean(HttpService) http_client = httpService.getHttpsClient() http_client_params = http_client.getParams() http_client_params.setIntParameter( CoreConnectionPNames.CONNECTION_TIMEOUT, 15 * 1000) recaptcha_validation_url = "https://www.google.com/recaptcha/api/siteverify" recaptcha_validation_request = urllib.urlencode({ "secret": self.recaptcha_creds['secret_key'], "response": recaptcha_response, "remoteip": remoteip }) recaptcha_validation_headers = { "Content-type": "application/x-www-form-urlencoded", "Accept": "application/json" } try: http_service_response = httpService.executePost( http_client, recaptcha_validation_url, None, recaptcha_validation_headers, recaptcha_validation_request) http_response = http_service_response.getHttpResponse() except: print "Cert. Validate recaptcha response. Exception: ", sys.exc_info( )[1] return False try: if not httpService.isResponseStastusCodeOk(http_response): print "Cert. Validate recaptcha response. Get invalid response from validation server: ", str( http_response.getStatusLine().getStatusCode()) httpService.consume(http_response) return False response_bytes = httpService.getResponseContent(http_response) response_string = httpService.convertEntityToString(response_bytes) httpService.consume(http_response) finally: http_service_response.closeConnection() if response_string == None: print "Cert. Validate recaptcha response. Get empty response from validation server" return False response = json.loads(response_string) return response["success"]
def getUserValueFromAuth(self, remote_attr, requestParameters): try: toBeFeatched = "loginForm:" + remote_attr return ServerUtil.getFirstValue(requestParameters, toBeFeatched) except Exception, err: print("Registration: Exception inside getUserValueFromAuth " + str(err))
def authenticateRecoveryCode(self,requestParameters, username, identity): # Inject dependencies userService = CdiUtil.bean(UserService) authenticationProtectionService = CdiUtil.bean(AuthenticationProtectionService) facesMessages = CdiUtil.bean(FacesMessages) languageBean = CdiUtil.bean(LanguageBean) if (authenticationProtectionService.isEnabled()): authenticationProtectionService.doDelayIfNeeded(username) recoveryCode = ServerUtil.getFirstValue(requestParameters, "Recover:recoveryCode") user = userService.getUser(username, "secretAnswer") secretAnswers = userService.getCustomAttribute(user, "secretAnswer") if (secretAnswers is not None): for secretAnswer in secretAnswers.getValues(): code = self.decryptAES(self.aesKey, secretAnswer) if (StringHelper.equals(code, recoveryCode)): if (authenticationProtectionService.isEnabled()): authenticationProtectionService.storeAttempt(username, True) return True if (authenticationProtectionService.isEnabled()): authenticationProtectionService.storeAttempt(username, False) facesMessages.add( FacesMessage.SEVERITY_ERROR, languageBean.getMessage("mfa.invalidRecoveryCode")) return False
def prepareFidoAuthentication(self, username, identity): authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration) session = identity.getSessionId() identity.getSessionId().getSessionAttributes().put(Constants.AUTHENTICATED_USER, username) authenticationRequest = authenticationRequestService.startAuthentication(username, None, self.u2fApplicationId, session.getId()) identity.setWorkingParameter("fido_u2f_authentication_request", ServerUtil.asJson(authenticationRequest))
def authenticateFido2(self, userId, requestParameters): if REMOTE_DEBUG: pydevd.settrace('localhost', port=5678, stdoutToServer=True, stderrToServer=True) userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) session = identity.getSessionId() tokenResponse = ServerUtil.getFirstValue(requestParameters, "fido2Authentication") print("%s. Authenticate. Got fido2 authentication response: %s" % (self.name, tokenResponse)) metaDataConfiguration = self.getFidoMetaDataConfiguration() assertionService = Fido2ClientFactory.instance( ).createAssertionService(metaDataConfiguration) assertionStatus = assertionService.verify(tokenResponse) authenticationStatusEntity = assertionStatus.readEntity( java.lang.String) if assertionStatus.getStatus() != Response.Status.OK.getStatusCode(): print( "%s. Authenticate. Got invalid authentication status from Fido2 server" % self.name) return False return authenticationService.authenticate( identity.getWorkingParameter("userId"))
def authenticate(self, configuration_attributes, request_parameters, step): print "ThumbSignIn. Inside authenticate. Step %d" % step authentication_service = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) identity.setWorkingParameter("ts_host", ts_host) identity.setWorkingParameter("ts_statusPath", ts_statusPath) if step == 1 or step == 3: print "ThumbSignIn. Authenticate for Step %d" % step login_flow = ServerUtil.getFirstValue(request_parameters, "login_flow") print "ThumbSignIn. Value of login_flow parameter is %s" % login_flow # Logic for ThumbSignIn Authentication Flow (Either step 1 or step 3) if login_flow == THUMBSIGNIN_AUTHENTICATION or login_flow == THUMBSIGNIN_LOGIN_POST_REGISTRATION: identity.setWorkingParameter(USER_LOGIN_FLOW, login_flow) print "ThumbSignIn. Value of userLoginFlow is %s" % identity.getWorkingParameter( USER_LOGIN_FLOW) logged_in_status = authentication_service.authenticate( self.get_user_id_from_thumbsignin(request_parameters)) print "ThumbSignIn. logged_in status : %r" % logged_in_status return logged_in_status # Logic for traditional login flow (step 1) print "ThumbSignIn. User credentials login flow" identity.setWorkingParameter(USER_LOGIN_FLOW, THUMBSIGNIN_REGISTRATION) print "ThumbSignIn. Value of userLoginFlow is %s" % identity.getWorkingParameter( USER_LOGIN_FLOW) logged_in = self.authenticate_user_credentials( identity, authentication_service) print "ThumbSignIn. Status of User Credentials based Authentication : %r" % logged_in # When the traditional login fails, reinitialize the ThumbSignIn data before sending error response to UI if not logged_in: self.initialize_thumbsignin(identity, AUTHENTICATE) return False print "ThumbSignIn. Authenticate successful for step %d" % step return True elif step == 2: print "ThumbSignIn. Registration flow (step 2)" self.verify_user_login_flow(identity) user = self.get_authenticated_user_from_gluu( authentication_service) if user is None: print "ThumbSignIn. Registration flow (step 2). Failed to determine user name" return False user_name = user.getUserId() print "ThumbSignIn. Registration flow (step 2) successful. user_name: %s" % user_name return True else: return False
def parsePlatformData(self, requestParameters): try: #Find device info passed in HTTP request params (see index.xhtml) platform = ServerUtil.getFirstValue(requestParameters, "loginForm:platform") deviceInf = json.loads(platform) except: print "Casa. parsePlatformData. Error parsing platform data" deviceInf = None return deviceInf
def parsePlatformData(self, requestParameters): try: #Find device info passed in HTTP request params (see index.xhtml) platform = ServerUtil.getFirstValue(requestParameters, "loginForm:platform") deviceInf = json.loads(platform) except: print "Casa. parsePlatformData. Error parsing platform data" deviceInf = None return deviceInf
def getCodeFromRequest(self, requestParameters): print "MFA Recovery. getCodeFromRequest called" try: toBeFetched1 = "loginForm:recoveryCode1" toBeFetched2 = "loginForm:recoveryCode2" toBeFetched3 = "loginForm:recoveryCode3" code1 = ServerUtil.getFirstValue(requestParameters, toBeFetched1) code2 = ServerUtil.getFirstValue(requestParameters, toBeFetched2) code3 = ServerUtil.getFirstValue(requestParameters, toBeFetched3) print "MFA Recovery. getCodeFromRequest: fetched loginForm:recoveryCode(s) '%s-%s-%s'" % ( code1, code2, code3) if StringHelper.isNotEmpty(code1) and StringHelper.isNotEmpty( code2) and StringHelper.isNotEmpty(code3): code = "%s-%s-%s" % (code1, code2, code3) return code return Null except Exception, err: print("MFA Recovery. getCodeFromRequest Exception: " + str(err))
def get_user_id_from_thumbsignin(self, request_parameters): transaction_id = ServerUtil.getFirstValue(request_parameters, TRANSACTION_ID) print "ThumbSignIn. Value of transaction_id is %s" % transaction_id get_user_request = "getUser/" + transaction_id print "ThumbSignIn. Value of get_user_request is %s" % get_user_request get_user_response = self.thumbsigninApiController.handleThumbSigninRequest(get_user_request, ts_api_key, ts_api_secret) print "ThumbSignIn. Value of get_user_response is %s" % get_user_response get_user_response_json = JSONObject(get_user_response) thumbsignin_user_id = get_user_response_json.get(USER_ID) print "ThumbSignIn. Value of thumbsignin_user_id is %s" % thumbsignin_user_id return thumbsignin_user_id
def authenticate(self, configurationAttributes, requestParameters, step): print "MFA Chooser. authenticate called for step '%s'" % step identity = CdiUtil.bean(Identity) # What option did they choose? choice = ServerUtil.getFirstValue(requestParameters, "loginForm:mfachoice") print "MFA Chooser. Authenticate: %s selected." % choice identity.setWorkingParameter("authenticatorType", choice) return False
def getNextStep(self, configurationAttributes, requestParameters, step): print "Casa. getNextStep called %s" % str(step) if step > 1: acr = ServerUtil.getFirstValue(requestParameters, "alternativeMethod") if acr != None: print "Casa. getNextStep. Use alternative method %s" % acr CdiUtil.bean(Identity).setWorkingParameter("ACR", acr) #retry step with different acr return 2 return -1
def get_user_id_from_thumbsignin(self, request_parameters): transaction_id = ServerUtil.getFirstValue(request_parameters, TRANSACTION_ID) print "ThumbSignIn. Value of transaction_id is %s" % transaction_id get_user_request = "getUser/" + transaction_id print "ThumbSignIn. Value of get_user_request is %s" % get_user_request get_user_response = self.thumbsigninApiController.handleThumbSigninRequest(get_user_request, ts_api_key, ts_api_secret) print "ThumbSignIn. Value of get_user_response is %s" % get_user_response get_user_response_json = JSONObject(get_user_response) thumbsignin_user_id = get_user_response_json.get(USER_ID) print "ThumbSignIn. Value of thumbsignin_user_id is %s" % thumbsignin_user_id return thumbsignin_user_id
def getNextStep(self, configurationAttributes, requestParameters, step): print "Casa. getNextStep called %s" % str(step) if step > 1: acr = ServerUtil.getFirstValue(requestParameters, "alternativeMethod") if acr != None: print "Casa. getNextStep. Use alternative method %s" % acr CdiUtil.bean(Identity).setWorkingParameter("ACR", acr) #retry step with different acr return 2 return -1
def authenticate(self, configuration_attributes, request_parameters, step): print "ThumbSignIn. Inside authenticate. Step %d" % step authentication_service = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) identity.setWorkingParameter("ts_host", ts_host) identity.setWorkingParameter("ts_statusPath", ts_statusPath) if step == 1 or step == 3: print "ThumbSignIn. Authenticate for Step %d" % step login_flow = ServerUtil.getFirstValue(request_parameters, "login_flow") print "ThumbSignIn. Value of login_flow parameter is %s" % login_flow # Logic for ThumbSignIn Authentication Flow (Either step 1 or step 3) if login_flow == THUMBSIGNIN_AUTHENTICATION or login_flow == THUMBSIGNIN_LOGIN_POST_REGISTRATION: identity.setWorkingParameter(USER_LOGIN_FLOW, login_flow) print "ThumbSignIn. Value of userLoginFlow is %s" % identity.getWorkingParameter(USER_LOGIN_FLOW) logged_in_status = authentication_service.authenticate(self.get_user_id_from_thumbsignin(request_parameters)) print "ThumbSignIn. logged_in status : %r" % logged_in_status return logged_in_status # Logic for traditional login flow (step 1) print "ThumbSignIn. User credentials login flow" identity.setWorkingParameter(USER_LOGIN_FLOW, THUMBSIGNIN_REGISTRATION) print "ThumbSignIn. Value of userLoginFlow is %s" % identity.getWorkingParameter(USER_LOGIN_FLOW) logged_in = self.authenticate_user_credentials(identity, authentication_service) print "ThumbSignIn. Status of User Credentials based Authentication : %r" % logged_in # When the traditional login fails, reinitialize the ThumbSignIn data before sending error response to UI if not logged_in: self.initialize_thumbsignin(identity, AUTHENTICATE) return False print "ThumbSignIn. Authenticate successful for step %d" % step return True elif step == 2: print "ThumbSignIn. Registration flow (step 2)" self.verify_user_login_flow(identity) user = self.get_authenticated_user_from_gluu(authentication_service) if user is None: print "ThumbSignIn. Registration flow (step 2). Failed to determine user name" return False user_name = user.getUserId() print "ThumbSignIn. Registration flow (step 2) successful. user_name: %s" % user_name return True else: return False
def getMfaValueFromAuth(self, requestParameters): print "MFA Chooser. getMfaValueFromAuth called" try: toBeFeatched = "loginForm:mfachoice" print "MFA Chooser. getMfaValueFromAuth: fetching '%s'" % toBeFeatched new_acr_value = ServerUtil.getFirstValue(requestParameters, toBeFeatched) print "MFA Chooser. getMfaValueFromAuth: fetched new_acr_value '%s'" % new_acr_value if StringHelper.isNotEmpty(new_acr_value): return new_acr_value return Null except Exception, err: print("MFA Chooser. getMfaValueFromAuth Exception: " + str(err))
def getAcrValueFromAuth(self, requestParameters): print "IDP Chooser. getAcrValueFromAuth called" try: toBeFeatched = "loginForm:acrname" print "IDP Chooser. getAcrValueFromAuth: fetching '%s'" % toBeFeatched new_acr_provider_value = ServerUtil.getFirstValue( requestParameters, toBeFeatched) print "IDP Chooser. getAcrValueFromAuth: fetched new_acr_provider_value '%s'" % new_acr_provider_value if StringHelper.isNotEmpty(new_acr_provider_value): return new_acr_provider_value return None except Exception, err: print("IDP Chooser. getAcrValueFromAuth Exception: " + str(err))
def getSwitchValueFromAuth(self, requestParameters): print "IDP Chooser. getSwitchValueFromAuth called" try: switchCredential = "loginForm:switchCredentialBox" print "IDP Chooser. getSwitchValueFromAuth: fetching '%s'" % switchCredential switch_credential_selected = ServerUtil.getFirstValue( requestParameters, switchCredential) print "IDP Chooser. getSwitchValueFromAuth: fetched switch_credential_selected = '%s'" % switch_credential_selected if switch_credential_selected == "on": return True return False except Exception, err: print("IDP Chooser. getSwitchValueFromAuth Exception: " + str(err))
def alternateActionRequested(self, requestParameters): print "MFA Enroll Recovery. alternateActionRequested called" try: toBeFetched = "loginForm:action" print "MFA Enroll Recovery. alternateActionRequested: fetching '%s'" % toBeFetched action_value = ServerUtil.getFirstValue(requestParameters, toBeFetched) print "MFA Enroll Recovery. alternateActionRequested: fetched action_value '%s'" % action_value if ( StringHelper.isNotEmpty(action_value) ): return action_value return None except Exception, err: print("MFA Enroll Recovery. alternateActionRequested Exception: " + str(err)) return None
def authenticateTOTP(self, requestParameters, username, identity): print "MFA. authenticateTOTP called" # Inject dependencies facesMessages = CdiUtil.bean(FacesMessages) languageBean = CdiUtil.bean(LanguageBean) userService = CdiUtil.bean(UserService) authenticationProtectionService = CdiUtil.bean(AuthenticationProtectionService) facesMessages.setKeepMessages() if (authenticationProtectionService.isEnabled()): authenticationProtectionService.doDelayIfNeeded(username) totpCode = ServerUtil.getFirstValue(requestParameters, "TOTPauthenticate:totpCode") # Do some basic input validation if (totpCode is None or len(totpCode) != 6 or not totpCode.isdigit()): facesMessages.add(FacesMessage.SEVERITY_ERROR, languageBean.getMessage("mfa.otpInvalid")) return False # Find the user, retrieve and decrypt their TOTP code user = userService.getUser(username, "oxExternalUid") if (user is None): print "MFA. authenticateTOTP. Failed to find user" identity.setWorkingParameter("nextStep", -1) # Error page return True externalUids = userService.getCustomAttribute(user, "oxExternalUid") if (externalUids is not None): for externalUid in externalUids.getValues(): if (externalUid.startswith("totp:")): secretKey = self.decryptAES(self.aesKey, externalUid[5:]) break if (secretKey is None): print "MFA. authenticateTOTP. Failed to find TOTP secret" identity.setWorkingParameter("nextStep", -1) # Error page return True # Authenticate the TOTP code if (not self.validateTotpKey(self.fromBase64Url(secretKey), totpCode)): facesMessages.add(FacesMessage.SEVERITY_ERROR, languageBean.getMessage("mfa.otpInvalid")) if (authenticationProtectionService.isEnabled()): authenticationProtectionService.storeAttempt(username, False) return False if (authenticationProtectionService.isEnabled()): authenticationProtectionService.storeAttempt(username, True) return True
def registerFIDO(self, requestParameters, username, identity): print "MFA. registerFIDO called" registrationRequestService = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration) token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse") registrationStatus = registrationRequestService.finishRegistration(username, token_response) if (registrationStatus.getStatus() != Constants.RESULT_SUCCESS): print "MFA. Register FIDO. Failed to register U2F device" identity.setWorkingParameter("flow", "Error") # Trigger the error page return False self.deleteTOTP(username, identity) return True
def validateRecaptcha(self, recaptcha_response): print "Cert. Validate recaptcha response" facesContext = CdiUtil.bean(FacesContext) request = facesContext.getExternalContext().getRequest() remoteip = ServerUtil.getIpAddress(request) print "Cert. Validate recaptcha response. remoteip: '%s'" % remoteip httpService = CdiUtil.bean(HttpService) http_client = httpService.getHttpsClient() http_client_params = http_client.getParams() http_client_params.setIntParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, 15 * 1000) recaptcha_validation_url = "https://www.google.com/recaptcha/api/siteverify" recaptcha_validation_request = urllib.urlencode({ "secret" : self.recaptcha_creds['secret_key'], "response" : recaptcha_response, "remoteip" : remoteip }) recaptcha_validation_headers = { "Content-type" : "application/x-www-form-urlencoded", "Accept" : "application/json" } try: http_service_response = httpService.executePost(http_client, recaptcha_validation_url, None, recaptcha_validation_headers, recaptcha_validation_request) http_response = http_service_response.getHttpResponse() except: print "Cert. Validate recaptcha response. Exception: ", sys.exc_info()[1] return False try: if not httpService.isResponseStastusCodeOk(http_response): print "Cert. Validate recaptcha response. Get invalid response from validation server: ", str(http_response.getStatusLine().getStatusCode()) httpService.consume(http_response) return False response_bytes = httpService.getResponseContent(http_response) response_string = httpService.convertEntityToString(response_bytes) httpService.consume(http_response) finally: http_service_response.closeConnection() if response_string == None: print "Cert. Validate recaptcha response. Get empty response from validation server" return False response = json.loads(response_string) return response["success"]
def handleResponse(self, requestParameters): """Process an authentication response from passport. Returns a User object, or None in case of failure.""" jwt = None externalProfile = None try: # gets jwt parameter "user" sent after authentication by passport (if exists) jwt_param = ServerUtil.getFirstValue(requestParameters, "user") # Parse JWT and validate # TODO: Log a security event whenever JWT validation fails jwt = Jwt.parse(jwt_param) if not self.verifySignature(jwt): return None if self.jwtHasExpired(jwt): return None claims = jwt.getClaims() externalProfileJson = CdiUtil.bean(EncryptionService).decrypt( claims.getClaimAsString("data")) externalProfile = json.loads(externalProfileJson) providerId = externalProfile["provider"] providerConfig = self.registeredProviders.get(providerId) providerType = providerConfig["type"] sub = claims.getClaimAsString("sub") if providerType == "saml": # This is silly. It should be consistent. externalProfile["externalUid"] = "passport-saml:%s:%s" % ( providerId, sub) else: externalProfile["externalUid"] = "passport-%s:%s" % ( providerId, sub) except: print("Passport. handleResponse. Invalid JWT from passport") return None return externalProfile
def authenticate(self, configurationAttributes, requestParameters, step): print "MFA Enroll Recovery. authenticate called for step '%s'" % step # if it's the confirmation page then just get on with it and finish if (step == 2): return True identity = CdiUtil.bean(Identity) # For authentication then check if someone enrolling clicked CANCEL button alternateAction = self.alternateActionRequested(requestParameters) if ( alternateAction == 'cancel'): identity.getSessionId().getSessionAttributes().put("authenticationFlow", "RESTART_ENROLLMENT") CdiUtil.bean(SessionIdService).updateSessionId( identity.getSessionId() ) return True ######################################################################################## # 1. Make sure we have a session and a user with no existing codes in the profile session_id_validation = self.validateSessionId(identity) if not session_id_validation: print "MFA Enroll Recovery. prepareForStep for step %s. Failed to validate session state" % step return False authenticationService = CdiUtil.bean(AuthenticationService) authenticated_user = authenticationService.getAuthenticatedUser() if authenticated_user == None: print "MFA Enroll Recovery. prepareForStep. Failed to determine authenticated user from previous module" return False ######################################################################################## # 2. Get the confirmation checkbox value confirmCodeBox = None try: toBeFeatched = "loginForm:confirmCodeBox" print "MFA Enroll Recovery. authenticate: fetching '%s'" % toBeFeatched confirmCodeBox = ServerUtil.getFirstValue(requestParameters, toBeFeatched) except Exception, err: print("MFA Enroll Recovery. authenticate Exception getting form checkbox: " + str(err))
def authenticateFIDO(self, requestParameters, username, identity): facesMessages = CdiUtil.bean(FacesMessages) languageBean = CdiUtil.bean(LanguageBean) authenticationProtectionService = CdiUtil.bean(AuthenticationProtectionService) facesMessages.setKeepMessages() if (authenticationProtectionService.isEnabled()): authenticationProtectionService.doDelayIfNeeded(username) token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse") authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration) authenticationStatus = authenticationRequestService.finishAuthentication(username, token_response) if (authenticationStatus.getStatus() != Constants.RESULT_SUCCESS): print "MFA. Authenticate FIDO. Failed to authenticate U2F device" facesMessages.add(FacesMessage.SEVERITY_ERROR, languageBean.getMessage("mfa.FIDOInvalid")) if (authenticationProtectionService.isEnabled()): authenticationProtectionService.storeAttempt(username, False) return False if (authenticationProtectionService.isEnabled()): authenticationProtectionService.storeAttempt(username, True) return True
def authenticate(self, configurationAttributes, requestParameters, step): extensionResult = self.extensionAuthenticate(configurationAttributes, requestParameters, step) if extensionResult != None: return extensionResult print "Passport. authenticate for step %s called" % str(step) identity = CdiUtil.bean(Identity) if step == 1: # Get JWT token jwt_param = ServerUtil.getFirstValue(requestParameters, "user") if jwt_param != None: print "Passport. authenticate for step 1. JWT user profile token found" # Parse JWT and validate jwt = Jwt.parse(jwt_param) if not self.validSignature(jwt): return False (user_profile, json) = self.getUserProfile(jwt) if user_profile == None: return False return self.attemptAuthentication(identity, user_profile, json) #See passportlogin.xhtml provider = ServerUtil.getFirstValue(requestParameters, "loginForm:provider") if StringHelper.isEmpty(provider): #it's username + passw auth print "Passport. authenticate for step 1. Basic authentication detected" logged_in = False credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): authenticationService = CdiUtil.bean(AuthenticationService) logged_in = authenticationService.authenticate(user_name, user_password) print "Passport. authenticate for step 1. Basic authentication returned: %s" % logged_in return logged_in elif provider in self.registeredProviders: #it's a recognized external IDP identity.setWorkingParameter("selectedProvider", provider) print "Passport. authenticate for step 1. Retrying step 1" #see prepareForStep (step = 1) return True if step == 2: mail = ServerUtil.getFirstValue(requestParameters, "loginForm:email") json = identity.getWorkingParameter("passport_user_profile") if mail == None: self.setEmailMessageError() elif json != None: # Completion of profile takes place user_profile = self.getProfileFromJson(json) user_profile["mail"] = mail return self.attemptAuthentication(identity, user_profile, json) print "Passport. authenticate for step 2. Failed: expected mail value in HTTP request and json profile in session" return False
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() if (step == 1): print "U2F. Authenticate for step 1" user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = CdiUtil.bean(UserService) logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False return True elif (step == 2): print "U2F. Authenticate for step 2" token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse") if token_response == None: print "U2F. Authenticate for step 2. tokenResponse is empty" return False auth_method = ServerUtil.getFirstValue(requestParameters, "authMethod") if auth_method == None: print "U2F. Authenticate for step 2. authMethod is empty" return False authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if (user == None): print "U2F. Prepare for step 2. Failed to determine user name" return False if (auth_method == 'authenticate'): print "U2F. Prepare for step 2. Call FIDO U2F in order to finish authentication workflow" authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration) authenticationStatus = authenticationRequestService.finishAuthentication(user.getUserId(), token_response) if (authenticationStatus.getStatus() != Constants.RESULT_SUCCESS): print "U2F. Authenticate for step 2. Get invalid authentication status from FIDO U2F server" return False return True elif (auth_method == 'enroll'): print "U2F. Prepare for step 2. Call FIDO U2F in order to finish registration workflow" registrationRequestService = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration) registrationStatus = registrationRequestService.finishRegistration(user.getUserId(), token_response) if (registrationStatus.getStatus() != Constants.RESULT_SUCCESS): print "U2F. Authenticate for step 2. Get invalid registration status from FIDO U2F server" return False return True else: print "U2F. Prepare for step 2. Authenticatiod method is invalid" return False return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() self.setRequestScopedParameters(identity) if step == 1: print "OTP. Authenticate for step 1" # Modified for Casa compliance authenticated_user = authenticationService.getAuthenticatedUser() if authenticated_user == None: authenticated_user = self.processBasicAuthentication( credentials) if authenticated_user == None: return False otp_auth_method = "authenticate" # Uncomment this block if you need to allow user second OTP registration #enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton") #if StringHelper.isNotEmpty(enrollment_mode): # otp_auth_method = "enroll" # Modified for Casa compliance if not self.hasEnrollments(configurationAttributes, authenticated_user): return False #if otp_auth_method == "authenticate": # user_enrollments = self.findEnrollments(authenticated_user.getUserId()) # if len(user_enrollments) == 0: # otp_auth_method = "enroll" # print "OTP. Authenticate for step 1. There is no OTP enrollment for user '%s'. Changing otp_auth_method to '%s'" % (authenticated_user.getUserId(), otp_auth_method) if otp_auth_method == "enroll": print "OTP. Authenticate for step 1. Setting count steps: '%s'" % 3 identity.setWorkingParameter("otp_count_login_steps", 3) print "OTP. Authenticate for step 1. otp_auth_method: '%s'" % otp_auth_method identity.setWorkingParameter("otp_auth_method", otp_auth_method) return True elif step == 2: print "OTP. Authenticate for step 2" authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if user == None: print "OTP. Authenticate for step 2. Failed to determine user name" return False session_id_validation = self.validateSessionId(identity) if not session_id_validation: return False # Restore state from session otp_auth_method = identity.getWorkingParameter("otp_auth_method") if otp_auth_method == 'enroll': auth_result = ServerUtil.getFirstValue(requestParameters, "auth_result") if not StringHelper.isEmpty(auth_result): print "OTP. Authenticate for step 2. User not enrolled OTP" return False print "OTP. Authenticate for step 2. Skipping this step during enrollment" return True otp_auth_result = self.processOtpAuthentication( requestParameters, user.getUserId(), identity, otp_auth_method) print "OTP. Authenticate for step 2. OTP authentication result: '%s'" % otp_auth_result return otp_auth_result elif step == 3: print "OTP. Authenticate for step 3" authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if user == None: print "OTP. Authenticate for step 2. Failed to determine user name" return False session_id_validation = self.validateSessionId(identity) if not session_id_validation: return False # Restore state from session otp_auth_method = identity.getWorkingParameter("otp_auth_method") if otp_auth_method != 'enroll': return False otp_auth_result = self.processOtpAuthentication( requestParameters, user.getUserId(), identity, otp_auth_method) print "OTP. Authenticate for step 3. OTP authentication result: '%s'" % otp_auth_result return otp_auth_result else: return False
def processOtpAuthentication(self, requestParameters, user_name, identity, otp_auth_method): facesMessages = CdiUtil.bean(FacesMessages) facesMessages.setKeepMessages() userService = CdiUtil.bean(UserService) otpCode = ServerUtil.getFirstValue(requestParameters, "loginForm:otpCode") if StringHelper.isEmpty(otpCode): facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to authenticate. OTP code is empty") print "OTP. Process OTP authentication. otpCode is empty" return False if otp_auth_method == "enroll": # Get key from session otp_secret_key_encoded = identity.getWorkingParameter( "otp_secret_key") if otp_secret_key_encoded == None: print "OTP. Process OTP authentication. OTP secret key is invalid" return False otp_secret_key = self.fromBase64Url(otp_secret_key_encoded) if self.otpType == "hotp": validation_result = self.validateHotpKey( otp_secret_key, 1, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process HOTP authentication during enrollment. otpCode is valid" # Store HOTP Secret Key and moving factor in user entry otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, validation_result["movingFactor"]) # Add otp_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute( user_name, "oxExternalUid", otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process HOTP authentication during enrollment. Failed to update user entry" elif self.otpType == "totp": validation_result = self.validateTotpKey( otp_secret_key, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process TOTP authentication during enrollment. otpCode is valid" # Store TOTP Secret Key and moving factor in user entry otp_user_external_uid = "totp:%s" % otp_secret_key_encoded # Add otp_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute( user_name, "oxExternalUid", otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process TOTP authentication during enrollment. Failed to update user entry" elif otp_auth_method == "authenticate": # Modified for Casa compliance user_enrollments = self.findEnrollments(user_name, "hotp") #if len(user_enrollments) == 0: # print "OTP. Process OTP authentication. There is no OTP enrollment for user '%s'" % user_name # facesMessages.add(FacesMessage.SEVERITY_ERROR, "There is no valid OTP user enrollments") # return False if len(user_enrollments) > 0: for user_enrollment in user_enrollments: user_enrollment_data = user_enrollment.split(";") otp_secret_key_encoded = user_enrollment_data[0] # Get current moving factor from user entry moving_factor = StringHelper.toInteger( user_enrollment_data[1]) otp_secret_key = self.fromBase64Url(otp_secret_key_encoded) # Validate TOTP validation_result = self.validateHotpKey( otp_secret_key, moving_factor, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process HOTP authentication during authentication. otpCode is valid" otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, moving_factor) new_otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, validation_result["movingFactor"]) # Update moving factor in user entry find_user_by_external_uid = userService.replaceUserAttribute( user_name, "oxExternalUid", otp_user_external_uid, new_otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process HOTP authentication during authentication. Failed to update user entry" user_enrollments = self.findEnrollments(user_name, "totp") if len(user_enrollments) > 0: for user_enrollment in user_enrollments: otp_secret_key = self.fromBase64Url(user_enrollment) # Validate TOTP validation_result = self.validateTotpKey( otp_secret_key, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process TOTP authentication during authentication. otpCode is valid" return True facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to authenticate. OTP code is invalid") print "OTP. Process OTP authentication. OTP code is invalid" return False
def authenticate(self, configurationAttributes, requestParameters, step): userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) facesMessages = CdiUtil.bean(FacesMessages) facesMessages.setKeepMessages() session_attributes = self.identity.getSessionId().getSessionAttributes() form_passcode = ServerUtil.getFirstValue(requestParameters, "passcode") form_name = ServerUtil.getFirstValue(requestParameters, "TwilioSmsloginForm") print "TwilioSMS. form_response_passcode: %s" % str(form_passcode) if step == 1: print "TwilioSMS. Step 1 Password Authentication" credentials = self.identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): logged_in = authenticationService.authenticate(user_name, user_password) if not logged_in: return False # Get the Person's number and generate a code foundUser = None try: foundUser = authenticationService.getAuthenticatedUser() except: print 'TwilioSMS, Error retrieving user %s from LDAP' % (user_name) return False try: isVerified = foundUser.getAttribute("phoneNumberVerified") if isVerified: self.mobile_number = foundUser.getAttribute("employeeNumber") if self.mobile_number == None: self.mobile_number = foundUser.getAttribute("mobile") if self.mobile_number == None: self.mobile_number = foundUser.getAttribute("telephoneNumber") if self.mobile_number == None: print "TwilioSMS, Error finding mobile number for user '%'" % user_name except: facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to determine mobile phone number") print 'TwilioSMS, Error finding mobile number for' % (user_name) return False # Generate Random six digit code and store it in array code = random.randint(100000, 999999) # Get code and save it in LDAP temporarily with special session entry self.identity.setWorkingParameter("code", code) try: Twilio.init(self.ACCOUNT_SID, self.AUTH_TOKEN); message = Message.creator(PhoneNumber(self.mobile_number), PhoneNumber(self.FROM_NUMBER), str(code)).create(); print "++++++++++++++++++++++++++++++++++++++++++++++" print 'TwilioSMs, Message Sid: %s' % (message.getSid()) print 'TwilioSMs, User phone: %s' % (self.mobile_number) print "++++++++++++++++++++++++++++++++++++++++++++++" self.identity.setWorkingParameter("mobile_number", self.mobile_number) self.identity.getSessionId().getSessionAttributes().put("mobile_number",self.mobile_number) self.identity.setWorkingParameter("mobile", self.mobile_number) self.identity.getSessionId().getSessionAttributes().put("mobile",self.mobile_number) print "++++++++++++++++++++++++++++++++++++++++++++++" print "Number: %s" % (self.identity.getWorkingParameter("mobile_number")) print "Mobile: %s" % (self.identity.getWorkingParameter("mobile")) print "++++++++++++++++++++++++++++++++++++++++++++++" return True except Exception, ex: facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to send message to mobile phone") print "TwilioSMS. Error sending message to Twilio" print "TwilioSMS. Unexpected error:", ex return False
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() if (step == 1): print "U2F. Authenticate for step 1" if authenticationService.getAuthenticatedUser() != None: return True user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = CdiUtil.bean(UserService) logged_in = authenticationService.authenticate( user_name, user_password) if (not logged_in): return False return True elif (step == 2): print "U2F. Authenticate for step 2" token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse") if token_response == None: print "U2F. Authenticate for step 2. tokenResponse is empty" return False auth_method = ServerUtil.getFirstValue(requestParameters, "authMethod") if auth_method == None: print "U2F. Authenticate for step 2. authMethod is empty" return False authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if (user == None): print "U2F. Prepare for step 2. Failed to determine user name" return False if (auth_method == 'authenticate'): print "U2F. Prepare for step 2. Call FIDO U2F in order to finish authentication workflow" authenticationRequestService = FidoU2fClientFactory.instance( ).createAuthenticationRequestService( self.metaDataConfiguration) authenticationStatus = authenticationRequestService.finishAuthentication( user.getUserId(), token_response) if (authenticationStatus.getStatus() != Constants.RESULT_SUCCESS): print "U2F. Authenticate for step 2. Get invalid authentication status from FIDO U2F server" return False return True elif (auth_method == 'enroll'): print "U2F. Prepare for step 2. Call FIDO U2F in order to finish registration workflow" registrationRequestService = FidoU2fClientFactory.instance( ).createRegistrationRequestService(self.metaDataConfiguration) registrationStatus = registrationRequestService.finishRegistration( user.getUserId(), token_response) if (registrationStatus.getStatus() != Constants.RESULT_SUCCESS): print "U2F. Authenticate for step 2. Get invalid registration status from FIDO U2F server" return False return True else: print "U2F. Prepare for step 2. Authenticatiod method is invalid" return False return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() session_attributes = identity.getSessionId().getSessionAttributes() self.setRequestScopedParameters(identity) if (step == 1): print "UAF. Authenticate for step 1" user_name = credentials.getUsername() authenticated_user = self.processBasicAuthentication(credentials) if authenticated_user == None: return False uaf_auth_method = "authenticate" # Uncomment this block if you need to allow user second device registration #enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton") #if StringHelper.isNotEmpty(enrollment_mode): # uaf_auth_method = "enroll" if uaf_auth_method == "authenticate": user_enrollments = self.findEnrollments(credentials) if len(user_enrollments) == 0: uaf_auth_method = "enroll" print "UAF. Authenticate for step 1. There is no UAF enrollment for user '%s'. Changing uaf_auth_method to '%s'" % (user_name, uaf_auth_method) print "UAF. Authenticate for step 1. uaf_auth_method: '%s'" % uaf_auth_method identity.setWorkingParameter("uaf_auth_method", uaf_auth_method) return True elif (step == 2): print "UAF. Authenticate for step 2" session_id = CdiUtil.bean(SessionIdService).getSessionIdFromCookie() if StringHelper.isEmpty(session_id): print "UAF. Prepare for step 2. Failed to determine session_id" return False user = authenticationService.getAuthenticatedUser() if (user == None): print "UAF. Authenticate for step 2. Failed to determine user name" return False user_name = user.getUserId() uaf_auth_result = ServerUtil.getFirstValue(requestParameters, "auth_result") if uaf_auth_result != "success": print "UAF. Authenticate for step 2. auth_result is '%s'" % uaf_auth_result return False # Restore state from session uaf_auth_method = session_attributes.get("uaf_auth_method") if not uaf_auth_method in ['enroll', 'authenticate']: print "UAF. Authenticate for step 2. Failed to authenticate user. uaf_auth_method: '%s'" % uaf_auth_method return False # Request STATUS_OBB if True: #TODO: Remove this condition # It's workaround becuase it's not possible to call STATUS_OBB 2 times. First time on browser and second ime on server uaf_user_device_handle = ServerUtil.getFirstValue(requestParameters, "auth_handle") else: uaf_obb_auth_method = session_attributes.get("uaf_obb_auth_method") uaf_obb_server_uri = session_attributes.get("uaf_obb_server_uri") uaf_obb_start_response = session_attributes.get("uaf_obb_start_response") # Prepare STATUS_OBB uaf_obb_start_response_json = json.loads(uaf_obb_start_response) uaf_obb_status_request_dictionary = { "operation": "STATUS_%s" % uaf_obb_auth_method, "userName": user_name, "needDetails": 1, "oobStatusHandle": uaf_obb_start_response_json["oobStatusHandle"], } uaf_obb_status_request = json.dumps(uaf_obb_status_request_dictionary, separators=(',',':')) print "UAF. Authenticate for step 2. Prepared STATUS request: '%s' to send to '%s'" % (uaf_obb_status_request, uaf_obb_server_uri) uaf_status_obb_response = self.executePost(uaf_obb_server_uri, uaf_obb_status_request) if uaf_status_obb_response == None: return False print "UAF. Authenticate for step 2. Get STATUS response: '%s'" % uaf_status_obb_response uaf_status_obb_response_json = json.loads(uaf_status_obb_response) if uaf_status_obb_response_json["statusCode"] != 4000: print "UAF. Authenticate for step 2. UAF operation status is invalid. statusCode: '%s'" % uaf_status_obb_response_json["statusCode"] return False uaf_user_device_handle = uaf_status_obb_response_json["additionalInfo"]["authenticatorsResult"]["handle"] if StringHelper.isEmpty(uaf_user_device_handle): print "UAF. Prepare for step 2. Failed to get UAF handle" return False uaf_user_external_uid = "uaf:%s" % uaf_user_device_handle print "UAF. Authenticate for step 2. UAF handle: '%s'" % uaf_user_external_uid if uaf_auth_method == "authenticate": # Validate if user used device with same keYHandle user_enrollments = self.findEnrollments(credentials) if len(user_enrollments) == 0: uaf_auth_method = "enroll" print "UAF. Authenticate for step 2. There is no UAF enrollment for user '%s'." % user_name return False for user_enrollment in user_enrollments: if StringHelper.equalsIgnoreCase(user_enrollment, uaf_user_device_handle): print "UAF. Authenticate for step 2. There is UAF enrollment for user '%s'. User authenticated successfully" % user_name return True else: userService = CdiUtil.bean(UserService) # Double check just to make sure. We did checking in previous step # Check if there is user which has uaf_user_external_uid # Avoid mapping user cert to more than one IDP account find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", uaf_user_external_uid) if find_user_by_external_uid == None: # Add uaf_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", uaf_user_external_uid) if find_user_by_external_uid == None: print "UAF. Authenticate for step 2. Failed to update current user" return False return True return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() if (step == 1): print "Fido2. Authenticate for step 1" user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = CdiUtil.bean(UserService) logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False return True elif (step == 2): print "Fido2. Authenticate for step 2" token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse") if token_response == None: print "Fido2. Authenticate for step 2. tokenResponse is empty" return False auth_method = ServerUtil.getFirstValue(requestParameters, "authMethod") if auth_method == None: print "Fido2. Authenticate for step 2. authMethod is empty" return False authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if (user == None): print "Fido2. Prepare for step 2. Failed to determine user name" return False if (auth_method == 'authenticate'): print "Fido2. Prepare for step 2. Call Fido2 in order to finish authentication flow" assertionService = Fido2ClientFactory.instance().createAssertionService(self.metaDataConfiguration) assertionStatus = assertionService.verify(token_response) authenticationStatusEntity = assertionStatus.readEntity(java.lang.String) if (assertionStatus.getStatus() != Response.Status.OK.getStatusCode()): print "Fido2. Authenticate for step 2. Get invalid authentication status from Fido2 server" return False return True elif (auth_method == 'enroll'): print "Fido2. Prepare for step 2. Call Fido2 in order to finish registration flow" attestationService = Fido2ClientFactory.instance().createAttestationService(self.metaDataConfiguration) attestationStatus = attestationService.verify(token_response) if (attestationStatus.getStatus() != Response.Status.OK.getStatusCode()): print "Fido2. Authenticate for step 2. Get invalid registration status from Fido2 server" return False return True else: print "Fido2. Prepare for step 2. Authentication method is invalid" return False return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) if step == 1: print "Cert. Authenticate for step 1" login_button = ServerUtil.getFirstValue(requestParameters, "loginForm:loginButton") if StringHelper.isEmpty(login_button): print "Cert. Authenticate for step 1. Form were submitted incorrectly" return False if self.enabled_recaptcha: print "Cert. Authenticate for step 1. Validating recaptcha response" recaptcha_response = ServerUtil.getFirstValue(requestParameters, "g-recaptcha-response") recaptcha_result = self.validateRecaptcha(recaptcha_response) print "Cert. Authenticate for step 1. recaptcha_result: '%s'" % recaptcha_result return recaptcha_result return True elif step == 2: print "Cert. Authenticate for step 2" # Validate if user selected certificate cert_x509 = self.getSessionAttribute("cert_x509") if cert_x509 == None: print "Cert. Authenticate for step 2. User not selected any certs" identity.setWorkingParameter("cert_selected", False) # Return True to inform user how to reset workflow return True else: identity.setWorkingParameter("cert_selected", True) x509Certificate = self.certFromString(cert_x509) subjectX500Principal = x509Certificate.getSubjectX500Principal() print "Cert. Authenticate for step 2. User selected certificate with DN '%s'" % subjectX500Principal # Validate certificates which user selected valid = self.validateCertificate(x509Certificate) if not valid: print "Cert. Authenticate for step 2. Certificate DN '%s' is not valid" % subjectX500Principal identity.setWorkingParameter("cert_valid", False) # Return True to inform user how to reset workflow return True identity.setWorkingParameter("cert_valid", True) # Calculate certificate fingerprint x509CertificateFingerprint = self.calculateCertificateFingerprint(x509Certificate) identity.setWorkingParameter("cert_x509_fingerprint", x509CertificateFingerprint) print "Cert. Authenticate for step 2. Fingerprint is '%s' of certificate with DN '%s'" % (x509CertificateFingerprint, subjectX500Principal) # Attempt to find user by certificate fingerprint cert_user_external_uid = "cert:%s" % x509CertificateFingerprint print "Cert. Authenticate for step 2. Attempting to find user by oxExternalUid attribute value %s" % cert_user_external_uid find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: print "Cert. Authenticate for step 2. Failed to find user" if self.map_user_cert: print "Cert. Authenticate for step 2. Storing cert_user_external_uid for step 3" identity.setWorkingParameter("cert_user_external_uid", cert_user_external_uid) return True else: print "Cert. Authenticate for step 2. Mapping cert to user account is not allowed" identity.setWorkingParameter("cert_count_login_steps", 2) return False foundUserName = find_user_by_external_uid.getUserId() print "Cert. Authenticate for step 2. foundUserName: "******"Cert. Authenticate for step 2. Setting count steps to 2" identity.setWorkingParameter("cert_count_login_steps", 2) return logged_in elif step == 3: print "Cert. Authenticate for step 3" cert_user_external_uid = self.getSessionAttribute("cert_user_external_uid") if cert_user_external_uid == None: print "Cert. Authenticate for step 3. cert_user_external_uid is empty" return False user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False # Double check just to make sure. We did checking in previous step # Check if there is user which has cert_user_external_uid # Avoid mapping user cert to more than one IDP account find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: # Add cert_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: print "Cert. Authenticate for step 3. Failed to update current user" return False return True return True else: return False
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() if (step == 1): print "Fido2. Authenticate for step 1" if authenticationService.getAuthenticatedUser() != None: return True user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = CdiUtil.bean(UserService) logged_in = authenticationService.authenticate( user_name, user_password) if (not logged_in): return False return True elif (step == 2): print "Fido2. Authenticate for step 2" token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse") if token_response == None: print "Fido2. Authenticate for step 2. tokenResponse is empty" return False auth_method = ServerUtil.getFirstValue(requestParameters, "authMethod") if auth_method == None: print "Fido2. Authenticate for step 2. authMethod is empty" return False authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if (user == None): print "Fido2. Prepare for step 2. Failed to determine user name" return False if (auth_method == 'authenticate'): print "Fido2. Prepare for step 2. Call Fido2 in order to finish authentication flow" assertionService = Fido2ClientFactory.instance( ).createAssertionService(self.metaDataConfiguration) assertionStatus = assertionService.verify(token_response) authenticationStatusEntity = assertionStatus.readEntity( java.lang.String) if (assertionStatus.getStatus() != Response.Status.OK.getStatusCode()): print "Fido2. Authenticate for step 2. Get invalid authentication status from Fido2 server" return False return True elif (auth_method == 'enroll'): print "Fido2. Prepare for step 2. Call Fido2 in order to finish registration flow" attestationService = Fido2ClientFactory.instance( ).createAttestationService(self.metaDataConfiguration) attestationStatus = attestationService.verify(token_response) if (attestationStatus.getStatus() != Response.Status.OK.getStatusCode()): print "Fido2. Authenticate for step 2. Get invalid registration status from Fido2 server" return False return True else: print "Fido2. Prepare for step 2. Authentication method is invalid" return False return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): extensionResult = self.extensionAuthenticate(configurationAttributes, requestParameters, step) if extensionResult != None: return extensionResult print "Passport. authenticate for step %s called" % str(step) identity = CdiUtil.bean(Identity) if step == 1: jwt_param = None if self.isInboundFlow(identity): # if is idp-initiated inbound flow print "Passport. authenticate for step 1. Detected idp-initiated inbound Saml flow" # get request from session attributes jwt_param = identity.getSessionId().getSessionAttributes().get(AuthorizeRequestParam.STATE) # now jwt_param != None if jwt_param == None: # gets jwt parameter "user" sent after authentication by passport (if exists) jwt_param = ServerUtil.getFirstValue(requestParameters, "user") if jwt_param != None: # and now that the jwt_param user exists... print "Passport. authenticate for step 1. JWT user profile token found" # Parse JWT and validate jwt = Jwt.parse(jwt_param) if not self.validSignature(jwt): return False if self.jwtHasExpired(jwt): return False # Gets user profile as string and json using the information on JWT (user_profile, jsonp) = self.getUserProfile(jwt) if user_profile == None: return False return self.attemptAuthentication(identity, user_profile, jsonp) #See passportlogin.xhtml provider = ServerUtil.getFirstValue(requestParameters, "loginForm:provider") if StringHelper.isEmpty(provider): #it's username + passw auth print "Passport. authenticate for step 1. Basic authentication detected" logged_in = False credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): authenticationService = CdiUtil.bean(AuthenticationService) logged_in = authenticationService.authenticate(user_name, user_password) print "Passport. authenticate for step 1. Basic authentication returned: %s" % logged_in return logged_in elif provider in self.registeredProviders: # user selected provider # it's a recognized external IDP identity.setWorkingParameter("selectedProvider", provider) print "Passport. authenticate for step 1. Retrying step 1" #see prepareForStep (step = 1) return True if step == 2: mail = ServerUtil.getFirstValue(requestParameters, "loginForm:email") jsonp = identity.getWorkingParameter("passport_user_profile") if mail == None: self.setMessageError(FacesMessage.SEVERITY_ERROR, "Email was missing in user profile") elif jsonp != None: # Completion of profile takes place user_profile = json.loads(jsonp) user_profile["mail"] = [ mail ] return self.attemptAuthentication(identity, user_profile, jsonp) print "Passport. authenticate for step 2. Failed: expected mail value in HTTP request and json profile in session" return False
def authenticate(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) if step == 1: print "Cert. Authenticate for step 1" login_button = ServerUtil.getFirstValue(requestParameters, "loginForm:loginButton") if StringHelper.isEmpty(login_button): print "Cert. Authenticate for step 1. Form were submitted incorrectly" return False if self.enabled_recaptcha: print "Cert. Authenticate for step 1. Validating recaptcha response" recaptcha_response = ServerUtil.getFirstValue( requestParameters, "g-recaptcha-response") recaptcha_result = self.validateRecaptcha(recaptcha_response) print "Cert. Authenticate for step 1. recaptcha_result: '%s'" % recaptcha_result return recaptcha_result return True elif step == 2: print "Cert. Authenticate for step 2" # Validate if user selected certificate cert_x509 = self.getSessionAttribute("cert_x509") if cert_x509 == None: print "Cert. Authenticate for step 2. User not selected any certs" identity.setWorkingParameter("cert_selected", False) # Return True to inform user how to reset workflow return True else: identity.setWorkingParameter("cert_selected", True) x509Certificate = self.certFromString(cert_x509) subjectX500Principal = x509Certificate.getSubjectX500Principal() print "Cert. Authenticate for step 2. User selected certificate with DN '%s'" % subjectX500Principal # Validate certificates which user selected valid = self.validateCertificate(x509Certificate) if not valid: print "Cert. Authenticate for step 2. Certificate DN '%s' is not valid" % subjectX500Principal identity.setWorkingParameter("cert_valid", False) # Return True to inform user how to reset workflow return True identity.setWorkingParameter("cert_valid", True) # Calculate certificate fingerprint x509CertificateFingerprint = self.calculateCertificateFingerprint( x509Certificate) identity.setWorkingParameter("cert_x509_fingerprint", x509CertificateFingerprint) print "Cert. Authenticate for step 2. Fingerprint is '%s' of certificate with DN '%s'" % ( x509CertificateFingerprint, subjectX500Principal) # Attempt to find user by certificate fingerprint cert_user_external_uid = "cert:%s" % x509CertificateFingerprint print "Cert. Authenticate for step 2. Attempting to find user by oxExternalUid attribute value %s" % cert_user_external_uid find_user_by_external_uid = userService.getUserByAttribute( "oxExternalUid", cert_user_external_uid, True) if find_user_by_external_uid == None: print "Cert. Authenticate for step 2. Failed to find user" if self.map_user_cert: print "Cert. Authenticate for step 2. Storing cert_user_external_uid for step 3" identity.setWorkingParameter("cert_user_external_uid", cert_user_external_uid) return True else: print "Cert. Authenticate for step 2. Mapping cert to user account is not allowed" identity.setWorkingParameter("cert_count_login_steps", 2) return False foundUserName = find_user_by_external_uid.getUserId() print "Cert. Authenticate for step 2. foundUserName: "******"Cert. Authenticate for step 2. Setting count steps to 2" identity.setWorkingParameter("cert_count_login_steps", 2) return logged_in elif step == 3: print "Cert. Authenticate for step 3" cert_user_external_uid = self.getSessionAttribute( "cert_user_external_uid") if cert_user_external_uid == None: print "Cert. Authenticate for step 3. cert_user_external_uid is empty" return False user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = authenticationService.authenticate( user_name, user_password) if (not logged_in): return False # Double check just to make sure. We did checking in previous step # Check if there is user which has cert_user_external_uid # Avoid mapping user cert to more than one IDP account find_user_by_external_uid = userService.getUserByAttribute( "oxExternalUid", cert_user_external_uid, True) if find_user_by_external_uid == None: # Add cert_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute( user_name, "oxExternalUid", cert_user_external_uid, True) if find_user_by_external_uid == None: print "Cert. Authenticate for step 3. Failed to update current user" return False return True return True else: return False
class PersonAuthentication(PersonAuthenticationType): def __init__(self, currentTimeMillis): self.currentTimeMillis = currentTimeMillis def init(self, customScript, configurationAttributes): print "Fido2. Initialization" if not configurationAttributes.containsKey("fido2_server_uri"): print "fido2_server_uri. Initialization. Property fido2_server_uri is not specified" return False self.fido2_server_uri = configurationAttributes.get( "fido2_server_uri").getValue2() #self.fido2_domain = None #if configurationAttributes.containsKey("fido2_domain"): # self.fido2_domain = configurationAttributes.get("fido2_domain").getValue2() self.metaDataLoaderLock = ReentrantLock() self.metaDataConfiguration = None print "Fido2. Initialized successfully" return True def destroy(self, configurationAttributes): print "Fido2. Destroy" print "Fido2. Destroyed successfully" return True def getApiVersion(self): return 11 def isValidAuthenticationMethod(self, usageType, configurationAttributes): return True def getAlternativeAuthenticationMethod(self, usageType, configurationAttributes): return None def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() if (step == 1): print "Fido2. Authenticate for step 1" if authenticationService.getAuthenticatedUser() != None: return True user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = CdiUtil.bean(UserService) logged_in = authenticationService.authenticate( user_name, user_password) if (not logged_in): return False return True elif (step == 2): print "Fido2. Authenticate for step 2" token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse") if token_response == None: print "Fido2. Authenticate for step 2. tokenResponse is empty" return False auth_method = ServerUtil.getFirstValue(requestParameters, "authMethod") if auth_method == None: print "Fido2. Authenticate for step 2. authMethod is empty" return False authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if (user == None): print "Fido2. Prepare for step 2. Failed to determine user name" return False if (auth_method == 'authenticate'): print "Fido2. Prepare for step 2. Call Fido2 in order to finish authentication flow" assertionService = Fido2ClientFactory.instance( ).createAssertionService(self.metaDataConfiguration) assertionStatus = assertionService.verify(token_response) authenticationStatusEntity = assertionStatus.readEntity( java.lang.String) if (assertionStatus.getStatus() != Response.Status.OK.getStatusCode()): print "Fido2. Authenticate for step 2. Get invalid authentication status from Fido2 server" return False return True elif (auth_method == 'enroll'): print "Fido2. Prepare for step 2. Call Fido2 in order to finish registration flow" attestationService = Fido2ClientFactory.instance( ).createAttestationService(self.metaDataConfiguration) attestationStatus = attestationService.verify(token_response) if (attestationStatus.getStatus() != Response.Status.OK.getStatusCode()): print "Fido2. Authenticate for step 2. Get invalid registration status from Fido2 server" return False return True else: print "Fido2. Prepare for step 2. Authentication method is invalid" return False return False else: return False def prepareForStep(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) if (step == 1): return True elif (step == 2): print "Fido2. Prepare for step 2" session_id = CdiUtil.bean( SessionIdService).getSessionIdFromCookie() if StringHelper.isEmpty(session_id): print "Fido2. Prepare for step 2. Failed to determine session_id" return False authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if (user == None): print "Fido2. Prepare for step 2. Failed to determine user name" return False userName = user.getUserId() metaDataConfiguration = self.getMetaDataConfiguration() # Check if user have registered devices registrationPersistenceService = CdiUtil.bean( RegistrationPersistenceService) assertionResponse = None attestationResponse = None userFido2Devices = registrationPersistenceService.findAllRegisteredByUsername( userName) if (userFido2Devices.size() > 0): print "Fido2. Prepare for step 2. Call Fido2 endpoint in order to start assertion flow" try: assertionService = Fido2ClientFactory.instance( ).createAssertionService(metaDataConfiguration) assertionRequest = json.dumps({'username': userName}, separators=(',', ':')) assertionResponse = assertionService.authenticate( assertionRequest).readEntity(java.lang.String) except ClientResponseFailure, ex: print "Fido2. Prepare for step 2. Failed to start assertion flow. Exception:", sys.exc_info( )[1] return False else: print "Fido2. Prepare for step 2. Call Fido2 endpoint in order to start attestation flow" try: attestationService = Fido2ClientFactory.instance( ).createAttestationService(metaDataConfiguration) attestationRequest = json.dumps( { 'username': userName, 'displayName': userName }, separators=(',', ':')) attestationResponse = attestationService.register( attestationRequest).readEntity(java.lang.String) except ClientResponseFailure, ex: print "Fido2. Prepare for step 2. Failed to start attestation flow. Exception:", sys.exc_info( )[1] return False identity.setWorkingParameter("fido2_assertion_request", ServerUtil.asJson(assertionResponse)) identity.setWorkingParameter( "fido2_attestation_request", ServerUtil.asJson(attestationResponse)) print "Fido2. Prepare for step 2. Successfully start flow with next requests.\nfido2_assertion_request: '%s'\nfido2_attestation_request: '%s'" % ( assertionResponse, attestationResponse) return True
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() self.setRequestScopedParameters(identity) if step == 1: print "OTP. Authenticate for step 1" authenticated_user = self.processBasicAuthentication(credentials) if authenticated_user == None: return False otp_auth_method = "authenticate" # Uncomment this block if you need to allow user second OTP registration #enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton") #if StringHelper.isNotEmpty(enrollment_mode): # otp_auth_method = "enroll" if otp_auth_method == "authenticate": user_enrollments = self.findEnrollments(authenticated_user.getUserId()) if len(user_enrollments) == 0: otp_auth_method = "enroll" print "OTP. Authenticate for step 1. There is no OTP enrollment for user '%s'. Changing otp_auth_method to '%s'" % (authenticated_user.getUserId(), otp_auth_method) if otp_auth_method == "enroll": print "OTP. Authenticate for step 1. Setting count steps: '%s'" % 3 identity.setWorkingParameter("otp_count_login_steps", 3) print "OTP. Authenticate for step 1. otp_auth_method: '%s'" % otp_auth_method identity.setWorkingParameter("otp_auth_method", otp_auth_method) return True elif step == 2: print "OTP. Authenticate for step 2" authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if user == None: print "OTP. Authenticate for step 2. Failed to determine user name" return False session_id_validation = self.validateSessionId(identity) if not session_id_validation: return False # Restore state from session otp_auth_method = identity.getWorkingParameter("otp_auth_method") if otp_auth_method == 'enroll': auth_result = ServerUtil.getFirstValue(requestParameters, "auth_result") if not StringHelper.isEmpty(auth_result): print "OTP. Authenticate for step 2. User not enrolled OTP" return False print "OTP. Authenticate for step 2. Skipping this step during enrollment" return True otp_auth_result = self.processOtpAuthentication(requestParameters, user.getUserId(), identity, otp_auth_method) print "OTP. Authenticate for step 2. OTP authentication result: '%s'" % otp_auth_result return otp_auth_result elif step == 3: print "OTP. Authenticate for step 3" authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if user == None: print "OTP. Authenticate for step 2. Failed to determine user name" return False session_id_validation = self.validateSessionId(identity) if not session_id_validation: return False # Restore state from session otp_auth_method = identity.getWorkingParameter("otp_auth_method") if otp_auth_method != 'enroll': return False otp_auth_result = self.processOtpAuthentication(requestParameters, user.getUserId(), identity, otp_auth_method) print "OTP. Authenticate for step 3. OTP authentication result: '%s'" % otp_auth_result return otp_auth_result else: return False
def authenticate(self, configurationAttributes, requestParameters, step): extensionResult = self.extensionAuthenticate(configurationAttributes, requestParameters, step) if extensionResult != None: return extensionResult print "Passport. authenticate for step %s called" % str(step) identity = CdiUtil.bean(Identity) if step == 1: # Get JWT token jwt_param = ServerUtil.getFirstValue(requestParameters, "user") if jwt_param != None: print "Passport. authenticate for step 1. JWT user profile token found" # Parse JWT and validate jwt = Jwt.parse(jwt_param) if not self.validSignature(jwt): return False (user_profile, json) = self.getUserProfile(jwt) if user_profile == None: return False return self.attemptAuthentication(identity, user_profile, json) #See passportlogin.xhtml provider = ServerUtil.getFirstValue(requestParameters, "loginForm:provider") if StringHelper.isEmpty(provider): #it's username + passw auth print "Passport. authenticate for step 1. Basic authentication detected" logged_in = False credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() if StringHelper.isNotEmptyString( user_name) and StringHelper.isNotEmptyString( user_password): authenticationService = CdiUtil.bean(AuthenticationService) logged_in = authenticationService.authenticate( user_name, user_password) print "Passport. authenticate for step 1. Basic authentication returned: %s" % logged_in return logged_in elif provider in self.registeredProviders: #it's a recognized external IDP identity.setWorkingParameter("selectedProvider", provider) print "Passport. authenticate for step 1. Retrying step 1" #see prepareForStep (step = 1) return True if step == 2: mail = ServerUtil.getFirstValue(requestParameters, "loginForm:email") json = identity.getWorkingParameter("passport_user_profile") if mail == None: self.setMessageError(FacesMessage.SEVERITY_ERROR, "Email was missing in user profile") elif json != None: # Completion of profile takes place user_profile = self.getProfileFromJson(json) user_profile["mail"] = mail return self.attemptAuthentication(identity, user_profile, json) print "Passport. authenticate for step 2. Failed: expected mail value in HTTP request and json profile in session" return False
def authenticate(self, configurationAttributes, requestParameters, step): print "Casa. authenticate %s" % str(step) userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) if step == 1: credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): foundUser = userService.getUserByAttribute(self.uid_attr, user_name) #foundUser = userService.getUser(user_name) if foundUser == None: print "Casa. authenticate for step 1. Unknown username" else: platform_data = self.parsePlatformData(requestParameters) mfaOff = foundUser.getAttribute("oxPreferredMethod") == None logged_in = False if mfaOff: logged_in = authenticationService.authenticate(user_name, user_password) else: acr = self.getSuitableAcr(foundUser, platform_data['isMobile']) if acr != None: module = self.authenticators[acr] logged_in = module.authenticate(module.configAttrs, requestParameters, step) if logged_in: foundUser = authenticationService.getAuthenticatedUser() if foundUser == None: print "Casa. authenticate for step 1. Cannot retrieve logged user" else: if mfaOff: identity.setWorkingParameter("skip2FA", True) else: #Determine whether to skip 2FA based on policy defined (global or user custom) skip2FA = self.determineSkip2FA(userService, identity, foundUser, platform_data) identity.setWorkingParameter("skip2FA", skip2FA) identity.setWorkingParameter("ACR", acr) return True else: print "Casa. authenticate for step 1 was not successful" return False else: user = authenticationService.getAuthenticatedUser() if user == None: print "Casa. authenticate for step 2. Cannot retrieve logged user" return False #see casa.xhtml alter = ServerUtil.getFirstValue(requestParameters, "alternativeMethod") if alter != None: #bypass the rest of this step if an alternative method was provided. Current step will be retried (see getNextStep) self.simulateFirstStep(requestParameters, alter) return True session_attributes = identity.getSessionId().getSessionAttributes() acr = session_attributes.get("ACR") #this working parameter is used in casa.xhtml identity.setWorkingParameter("methods", ArrayList(self.getAvailMethodsUser(user, acr))) success = False if acr in self.authenticators: module = self.authenticators[acr] success = module.authenticate(module.configAttrs, requestParameters, step) #Update the list of trusted devices if 2fa passed if success: print "Casa. authenticate. 2FA authentication was successful" tdi = session_attributes.get("trustedDevicesInfo") if tdi == None: print "Casa. authenticate. List of user's trusted devices was not updated" else: user.setAttribute("oxTrustedDevicesInfo", tdi) userService.updateUser(user) else: print "Casa. authenticate. 2FA authentication failed" return success return False
def authenticate(self, configurationAttributes, requestParameters, step): print "Casa. authenticate for step %s" % str(step) userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) if step == 1: credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() if StringHelper.isNotEmptyString( user_name) and StringHelper.isNotEmptyString( user_password): foundUser = userService.getUserByAttribute( self.uid_attr, user_name) #foundUser = userService.getUser(user_name) if foundUser == None: print "Casa. authenticate for step 1. Unknown username" else: platform_data = self.parsePlatformData(requestParameters) mfaOff = foundUser.getAttribute( "oxPreferredMethod") == None logged_in = False if mfaOff: logged_in = authenticationService.authenticate( user_name, user_password) else: acr = self.getSuitableAcr(foundUser, platform_data) if acr != None: module = self.authenticators[acr] logged_in = module.authenticate( module.configAttrs, requestParameters, step) if logged_in: foundUser = authenticationService.getAuthenticatedUser( ) if foundUser == None: print "Casa. authenticate for step 1. Cannot retrieve logged user" else: if mfaOff: identity.setWorkingParameter("skip2FA", True) else: #Determine whether to skip 2FA based on policy defined (global or user custom) skip2FA = self.determineSkip2FA( userService, identity, foundUser, platform_data) identity.setWorkingParameter( "skip2FA", skip2FA) identity.setWorkingParameter("ACR", acr) return True else: print "Casa. authenticate for step 1 was not successful" return False else: user = authenticationService.getAuthenticatedUser() if user == None: print "Casa. authenticate for step 2. Cannot retrieve logged user" return False #see casa.xhtml alter = ServerUtil.getFirstValue(requestParameters, "alternativeMethod") if alter != None: #bypass the rest of this step if an alternative method was provided. Current step will be retried (see getNextStep) self.simulateFirstStep(requestParameters, alter) return True session_attributes = identity.getSessionId().getSessionAttributes() acr = session_attributes.get("ACR") #this working parameter is used in casa.xhtml identity.setWorkingParameter( "methods", ArrayList(self.getAvailMethodsUser(user, acr))) success = False if acr in self.authenticators: module = self.authenticators[acr] success = module.authenticate(module.configAttrs, requestParameters, step) #Update the list of trusted devices if 2fa passed if success: print "Casa. authenticate. 2FA authentication was successful" tdi = session_attributes.get("trustedDevicesInfo") if tdi == None: print "Casa. authenticate. List of user's trusted devices was not updated" else: user.setAttribute("oxTrustedDevicesInfo", tdi) userService.updateUser(user) else: print "Casa. authenticate. 2FA authentication failed" return success return False
def processOtpAuthentication(self, requestParameters, user_name, identity, otp_auth_method): facesMessages = CdiUtil.bean(FacesMessages) facesMessages.setKeepMessages() userService = CdiUtil.bean(UserService) otpCode = ServerUtil.getFirstValue(requestParameters, "loginForm:otpCode") if StringHelper.isEmpty(otpCode): facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to authenticate. OTP code is empty") print "OTP. Process OTP authentication. otpCode is empty" return False if otp_auth_method == "enroll": # Get key from session otp_secret_key_encoded = identity.getWorkingParameter("otp_secret_key") if otp_secret_key_encoded == None: print "OTP. Process OTP authentication. OTP secret key is invalid" return False otp_secret_key = self.fromBase64Url(otp_secret_key_encoded) if self.otpType == "hotp": validation_result = self.validateHotpKey(otp_secret_key, 1, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process HOTP authentication during enrollment. otpCode is valid" # Store HOTP Secret Key and moving factor in user entry otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, validation_result["movingFactor"] ) # Add otp_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process HOTP authentication during enrollment. Failed to update user entry" elif self.otpType == "totp": validation_result = self.validateTotpKey(otp_secret_key, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process TOTP authentication during enrollment. otpCode is valid" # Store TOTP Secret Key and moving factor in user entry otp_user_external_uid = "totp:%s" % otp_secret_key_encoded # Add otp_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process TOTP authentication during enrollment. Failed to update user entry" elif otp_auth_method == "authenticate": user_enrollments = self.findEnrollments(user_name) if len(user_enrollments) == 0: print "OTP. Process OTP authentication. There is no OTP enrollment for user '%s'" % user_name facesMessages.add(FacesMessage.SEVERITY_ERROR, "There is no valid OTP user enrollments") return False if self.otpType == "hotp": for user_enrollment in user_enrollments: user_enrollment_data = user_enrollment.split(";") otp_secret_key_encoded = user_enrollment_data[0] # Get current moving factor from user entry moving_factor = StringHelper.toInteger(user_enrollment_data[1]) otp_secret_key = self.fromBase64Url(otp_secret_key_encoded) # Validate TOTP validation_result = self.validateHotpKey(otp_secret_key, moving_factor, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process HOTP authentication during authentication. otpCode is valid" otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, moving_factor ) new_otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, validation_result["movingFactor"] ) # Update moving factor in user entry find_user_by_external_uid = userService.replaceUserAttribute(user_name, "oxExternalUid", otp_user_external_uid, new_otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process HOTP authentication during authentication. Failed to update user entry" elif self.otpType == "totp": for user_enrollment in user_enrollments: otp_secret_key = self.fromBase64Url(user_enrollment) # Validate TOTP validation_result = self.validateTotpKey(otp_secret_key, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process TOTP authentication during authentication. otpCode is valid" return True facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to authenticate. OTP code is invalid") print "OTP. Process OTP authentication. OTP code is invalid" return False