def validateSessionDeviceStatus(self, client_redirect_uri, session_device_status, user_name = None): userService = UserService.instance() deviceRegistrationService = DeviceRegistrationService.instance() u2f_device_id = session_device_status['device_id'] u2f_device = None if session_device_status['enroll'] and session_device_status['one_step']: u2f_device = deviceRegistrationService.findOneStepUserDeviceRegistration(u2f_device_id) if u2f_device == None: print "Super-Gluu. Validate session device status. There is no one step u2f_device '%s'" % u2f_device_id return False else: # Validate if user has specified device_id enrollment user_inum = userService.getUserInum(user_name) if session_device_status['one_step']: user_inum = session_device_status['user_inum'] u2f_device = deviceRegistrationService.findUserDeviceRegistration(user_inum, u2f_device_id) if u2f_device == None: print "Super-Gluu. Validate session device status. There is no u2f_device '%s' associated with user '%s'" % (u2f_device_id, user_inum) return False if not StringHelper.equalsIgnoreCase(client_redirect_uri, u2f_device.application): print "Super-Gluu. Validate session device status. u2f_device '%s' associated with other application '%s'" % (u2f_device_id, u2f_device.application) return False return True
def sendPushNotification(self, user, oxpush2_request): if not self.enabledPushNotifications: return user_name = user.getUserId() print "oxPush2. Send push notification. Loading user '%s' devices" % user_name send_notification = False send_notification_result = True userService = UserService.instance() deviceRegistrationService = DeviceRegistrationService.instance() user_inum = userService.getUserInum(user_name) u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, self.application_id, "oxId", "oxDeviceData") if u2f_devices_list.size() > 0: for u2f_device in u2f_devices_list: device_data = u2f_device.getDeviceData() # Device data which oxPush2 gets during enrollment if device_data == None: continue platform = device_data.getPlatform() push_token = device_data.getPushToken() debug = False if StringHelper.equalsIgnoreCase(platform, "ios") and StringHelper.isNotEmpty(push_token): # Sending notification to iOS user's device if (self.pushAppleService == None): print "oxPush2. Send push notification. Apple push notification service is not enabled" else: send_notification = True title = "oxPush2" message = "oxPush2 login request to: %s" % self.application_id additional_fields = HashMap() additional_fields.put("request", oxpush2_request) send_notification_result = self.pushAppleService.sendPush(title, message, additional_fields, push_token) if debug: print "oxPush2. Send push notification. token: '%s', send_notification_result: '%s'" % (push_token, send_notification_result) if StringHelper.equalsIgnoreCase(platform, "android") and StringHelper.isNotEmpty(push_token): # Sending notification to Android user's device if (self.pushAndroidService == None): print "oxPush2. Send push notification. Android push notification service is not enabled" else: send_notification = True send_notification_result= self.pushAndroidService.sendPush("oxPush2", oxpush2_request, push_token) if debug: print "oxPush2. Send push notification. token: '%s', send_notification_result: '%s'" % (push_token, send_notification_result) print "oxPush2. Send push notification. send_notification: '%s', send_notification_result: '%s'" % (send_notification, send_notification_result)
def prepareForStep(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() if (step == 1): return True elif (step == 2): print "U2F. Prepare for step 2" credentials = Identity.instance().getCredentials() user = credentials.getUser() if (user == None): print "U2F. Prepare for step 2. Failed to determine user name" return False u2f_application_id = configurationAttributes.get( "u2f_application_id").getValue2() # Check if user have registered devices deviceRegistrationService = DeviceRegistrationService.instance() userInum = user.getAttribute("inum") authenticationRequest = None deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations( userInum, u2f_application_id) if (deviceRegistrations.size() > 0): print "U2F. Prepare for step 2. Call FIDO U2F in order to start authentication workflow" try: authenticationRequestService = FidoU2fClientFactory.instance( ).createAuthenticationRequestService( self.metaDataConfiguration) authenticationRequest = authenticationRequestService.startAuthentication( user.getUserId(), u2f_application_id) except ClientResponseFailure, ex: if (ex.getResponse().getResponseStatus() != Response.Status.NOT_FOUND): print "U2F. Prepare for step 2. Failed to start authentication workflow. Exception:", sys.exc_info( )[1] return False print "U2F. Prepare for step 2. Call FIDO U2F in order to start registration workflow" registrationRequestService = FidoU2fClientFactory.instance( ).createRegistrationRequestService(self.metaDataConfiguration) registrationRequest = registrationRequestService.startRegistration( user.getUserId(), u2f_application_id) context.set("fido_u2f_authentication_request", ServerUtil.asJson(authenticationRequest)) context.set("fido_u2f_registration_request", ServerUtil.asJson(registrationRequest)) return True
def prepareForStep(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() if (step == 1): return True elif (step == 2): print "U2F. Prepare for step 2" session_state = SessionStateService.instance().getSessionStateFromCookie() if StringHelper.isEmpty(session_state): print "U2F. Prepare for step 2. Failed to determine session_state" return False credentials = Identity.instance().getCredentials() user = credentials.getUser() if (user == None): print "U2F. Prepare for step 2. Failed to determine user name" return False u2f_application_id = configurationAttributes.get("u2f_application_id").getValue2() # Check if user have registered devices deviceRegistrationService = DeviceRegistrationService.instance() userInum = user.getAttribute("inum") authenticationRequest = None deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, u2f_application_id) if (deviceRegistrations.size() > 0): print "U2F. Prepare for step 2. Call FIDO U2F in order to start authentication workflow" try: authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration) authenticationRequest = authenticationRequestService.startAuthentication(user.getUserId(), None, u2f_application_id, session_state) except ClientResponseFailure, ex: if (ex.getResponse().getResponseStatus() != Response.Status.NOT_FOUND): print "U2F. Prepare for step 2. Failed to start authentication workflow. Exception:", sys.exc_info()[1] return False print "U2F. Prepare for step 2. Call FIDO U2F in order to start registration workflow" registrationRequestService = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration) registrationRequest = registrationRequestService.startRegistration(user.getUserId(), u2f_application_id, session_state) context.set("fido_u2f_authentication_request", ServerUtil.asJson(authenticationRequest)) context.set("fido_u2f_registration_request", ServerUtil.asJson(registrationRequest)) return True
def authenticate(self, configurationAttributes, requestParameters, step): credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() context = Contexts.getEventContext() session_attributes = context.get("sessionAttributes") client_redirect_uri = self.getClientRedirecUri(session_attributes) if client_redirect_uri == None: print "Super-Gluu. Authenticate. redirect_uri is not set" return False self.setEventContextParameters(context) userService = UserService.instance() deviceRegistrationService = DeviceRegistrationService.instance() if step == 1: print "Super-Gluu. Authenticate for step 1" if self.oneStep: session_device_status = self.getSessionDeviceStatus(session_attributes, user_name) if session_device_status == None: return u2f_device_id = session_device_status['device_id'] validation_result = self.validateSessionDeviceStatus(client_redirect_uri, session_device_status) if validation_result: print "Super-Gluu. Authenticate for step 1. User successfully authenticated with u2f_device '%s'" % u2f_device_id else: return False if not session_device_status['one_step']: print "Super-Gluu. Authenticate for step 1. u2f_device '%s' is not one step device" % u2f_device_id return False # There are two steps only in enrollment mode if session_device_status['enroll']: return validation_result context.set("super_gluu_count_login_steps", 1) user_inum = session_device_status['user_inum'] u2f_device = deviceRegistrationService.findUserDeviceRegistration(user_inum, u2f_device_id, "oxId") if u2f_device == None: print "Super-Gluu. Authenticate for step 1. Failed to load u2f_device '%s'" % u2f_device_id return False logged_in = userService.authenticate(user_name) if not logged_in: print "Super-Gluu. Authenticate for step 1. Failed to authenticate user '%s'" % user_name return False print "Super-Gluu. Authenticate for step 1. User '%s' successfully authenticated with u2f_device '%s'" % (user_name, u2f_device_id) return True elif self.twoStep: authenticated_user = self.processBasicAuthentication(credentials) if authenticated_user == None: return False auth_method = 'authenticate' enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton") if StringHelper.isNotEmpty(enrollment_mode): auth_method = 'enroll' if auth_method == 'authenticate': user_inum = userService.getUserInum(authenticated_user) u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, client_redirect_uri, "oxId") if u2f_devices_list.size() == 0: auth_method = 'enroll' print "Super-Gluu. Authenticate for step 1. There is no U2F '%s' user devices associated with application '%s'. Changing auth_method to '%s'" % (user_name, client_redirect_uri, auth_method) print "Super-Gluu. Authenticate for step 1. auth_method: '%s'" % auth_method context.set("super_gluu_auth_method", auth_method) return True return False elif step == 2: print "Super-Gluu. Authenticate for step 2" session_attributes = context.get("sessionAttributes") session_device_status = self.getSessionDeviceStatus(session_attributes, user_name) if session_device_status == None: return False u2f_device_id = session_device_status['device_id'] # There are two steps only in enrollment mode if self.oneStep and session_device_status['enroll']: authenticated_user = self.processBasicAuthentication(credentials) if authenticated_user == None: return False user_inum = userService.getUserInum(authenticated_user) attach_result = deviceRegistrationService.attachUserDeviceRegistration(user_inum, u2f_device_id) print "Super-Gluu. Authenticate for step 2. Result after attaching u2f_device '%s' to user '%s': '%s'" % (u2f_device_id, user_name, attach_result) return attach_result elif self.twoStep: if user_name == None: print "Super-Gluu. Authenticate for step 2. Failed to determine user name" return False validation_result = self.validateSessionDeviceStatus(client_redirect_uri, session_device_status, user_name) if validation_result: print "Super-Gluu. Authenticate for step 2. User '%s' successfully authenticated with u2f_device '%s'" % (user_name, u2f_device_id) else: return False super_gluu_request = json.loads(session_device_status['super_gluu_request']) auth_method = super_gluu_request['method'] if auth_method in ['enroll', 'authenticate']: return validation_result print "Super-Gluu. Authenticate for step 2. U2F auth_method is invalid" return False else: return False
def sendPushNotification(self, client_redirect_uri, user, super_gluu_request): if not self.enabledPushNotifications: return user_name = user.getUserId() print "Super-Gluu. Send push notification. Loading user '%s' devices" % user_name send_notification = False send_notification_result = True userService = UserService.instance() deviceRegistrationService = DeviceRegistrationService.instance() user_inum = userService.getUserInum(user_name) u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, client_redirect_uri, "oxId", "oxDeviceData") if u2f_devices_list.size() > 0: for u2f_device in u2f_devices_list: device_data = u2f_device.getDeviceData() # Device data which Super-Gluu gets during enrollment if device_data == None: continue platform = device_data.getPlatform() push_token = device_data.getPushToken() debug = False if StringHelper.equalsIgnoreCase(platform, "ios") and StringHelper.isNotEmpty(push_token): # Sending notification to iOS user's device if self.pushAppleService == None: print "Super-Gluu. Send push notification. Apple push notification service is not enabled" else: send_notification = True title = "Super-Gluu" message = "Super-Gluu login request to: %s" % client_redirect_uri additional_fields = { "request" : super_gluu_request } msgBuilder = APNS.newPayload().alertBody(message).alertTitle(title).sound("default") msgBuilder.category('ACTIONABLE').badge(0) msgBuilder.forNewsstand() msgBuilder.customFields(additional_fields) push_message = msgBuilder.build() send_notification_result = self.pushAppleService.push(push_token, push_message) if debug: print "Super-Gluu. Send iOS push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result) if StringHelper.equalsIgnoreCase(platform, "android") and StringHelper.isNotEmpty(push_token): # Sending notification to Android user's device if self.pushAndroidService == None: print "Super-Gluu. Send push notification. Android push notification service is not enabled" else: send_notification = True title = "Super-Gluu" msgBuilder = Message.Builder().addData("message", super_gluu_request).addData("title", title).collapseKey("single").contentAvailable(True) push_message = msgBuilder.build() send_notification_result = self.pushAndroidService.send(push_message, push_token, 3) if debug: print "Super-Gluu. Send Android push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result) print "Super-Gluu. Send push notification. send_notification: '%s', send_notification_result: '%s'" % (send_notification, send_notification_result)
def authenticate(self, configurationAttributes, requestParameters, step): credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() context = Contexts.getEventContext() userService = UserService.instance() deviceRegistrationService = DeviceRegistrationService.instance() if (step == 1): print "oxPush2. Authenticate for step 1" user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False auth_method = 'authenticate' enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton") if StringHelper.isNotEmpty(enrollment_mode): auth_method = 'enroll' if (auth_method == 'authenticate'): find_user_by_uid = userService.getUser(user_name) if (find_user_by_uid == None): print "oxPush. Authenticate for step 1. Failed to find user" return False user_inum = userService.getUserInum(find_user_by_uid) u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, self.u2f_application_id, "oxId") if (u2f_devices_list.size() == 0): auth_method = 'enroll' print "oxPush2. There is no U2F '%s' user devices associated with application '%s'. Changing auth_method to '%s'" % (user_name, self.u2f_application_id, auth_method) print "oxPush2. Authenticate for step 1. auth_method: '%s'" % auth_method context.set("oxpush2_auth_method", auth_method) return True elif (step == 2): print "oxPush2. Authenticate for step 2" credentials = Identity.instance().getCredentials() user = credentials.getUser() if (user == None): print "oxPush2. Authenticate for step 2. Failed to determine user name" return False # Find user by uid userService = UserService.instance() find_user_by_uid = userService.getUser(user_name) if (find_user_by_uid == None): print "oxPush. Authenticate for step 2. Failed to find user" return False session_attributes = context.get("sessionAttributes") if (not session_attributes.containsKey("oxpush2_request")): print "oxPush2. Authenticate for step 2. There is no oxPush2 request in session attributes" return False oxpush2_request_json = session_attributes.get("oxpush2_request") oxpush2_request = json.loads(oxpush2_request_json) auth_method = oxpush2_request['method'] if (auth_method in ['enroll', 'authenticate']): print "oxPush2. Authenticate for step 2. Validation U2F user device. auth_method: '%s'" % auth_method # Check session state extended if (not session_attributes.containsKey("session_custom_state")): print "oxPush2. Authenticate for step 2. There is no session_custom_state in session attributes" return False session_custom_state = session_attributes.get("session_custom_state") if(not StringHelper.equalsIgnoreCase("approved", session_custom_state)): print "oxPush2. Authenticate for step 2. User '%s' not approve or pass U2F authentication. session_custom_state: '%s'" % (user_name, session_custom_state) return False # Try to find device_id in session attribute if (not session_attributes.containsKey("oxpush2_u2f_device_id")): print "oxPush2. Authenticate for step 2. There is no u2f_device associated with this request" return False u2f_device_id = session_attributes.get("oxpush2_u2f_device_id") # Validate if user has specified device_id enrollment user_inum = userService.getUserInum(find_user_by_uid) u2f_device = deviceRegistrationService.findUserDeviceRegistration(user_inum, u2f_device_id) if (u2f_device == None): print "oxPush2. Authenticate for step 2. There is no u2f_device '%s' associated with user '%s'" % (u2f_device_id, user_inum) return False if (not StringHelper.equalsIgnoreCase(self.u2f_application_id, u2f_device.application)): print "oxPush2. Authenticate for step 2. U2F user's '%s' device associated with other application '%s'" % (user_name, u2f_device.application) return False print "oxPush2. Authenticate for step 2. U2F user's '%s' device authenticated successfully with U2F device '%s'" % (user_name, u2f_device_id) return True else: print "oxPush2. Authenticate for step 2. U2F auth_method is invalid" return False else: return False