def authenticate(self, configurationAttributes, requestParameters, step):
    """Step-1 password check tried against each configured login attribute.

    The username/password pair is read from the current Identity
    credentials.  Each entry of self.login_attributes_list_array is paired
    by position with self.local_login_attributes_list_array and handed to
    AuthenticationService.authenticate; the first accepted pair wins.

    Returns True on the first successful attempt, False when the
    credentials are empty, no attribute pair authenticates, or step != 1.
    """
    if step != 1:
        return False

    print "Basic (multi login) authenticate for step 1"

    credentials = Identity.instance().getCredentials()
    login_key = credentials.getUsername()
    secret = credentials.getPassword()

    # An empty username or password never reaches the backend.
    if not (StringHelper.isNotEmptyString(login_key) and StringHelper.isNotEmptyString(secret)):
        return False

    authenticationService = AuthenticationService.instance()
    for position, primary_key in enumerate(self.login_attributes_list_array):
        local_primary_key = self.local_login_attributes_list_array[position]
        if authenticationService.authenticate(login_key, secret, primary_key, local_primary_key):
            return True

    return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Two-step Duo login: local password in step 1, Duo sig_response in step 2.

    Step 1 authenticates the Identity credentials through UserService.  When
    self.use_duo_group is set, membership of self.duo_group decides whether
    a second step is required: "duo_count_login_steps" is set to 2 for
    members and 1 otherwise (non-members go through processAuditGroup).
    Step 2 reads the "sig_response" request parameter, verifies it with
    duo_web.verify_response and requires the returned username to equal the
    username from step 1.

    Returns True when the step succeeds, False otherwise (unknown step,
    empty credentials, rejected password, missing or mismatching response).
    """
    # Read but not used anywhere in this method.
    duo_host = configurationAttributes.get("duo_host").getValue2()

    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()

    if (step == 1):
        print "Duo. Authenticate for step 1"

        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        authenticationService = AuthenticationService.instance()
        user = authenticationService.getAuthenticatedUser()
        if (self.use_duo_group):
            print "Duo. Authenticate for step 1. Checking if user belong to Duo group"
            is_member_duo_group = self.isUserMemberOfGroup(user, self.audit_attribute, self.duo_group)
            if (is_member_duo_group):
                print "Duo. Authenticate for step 1. User '" + user.getUserId() + "' member of Duo group"
                duo_count_login_steps = 2
            else:
                self.processAuditGroup(user)
                duo_count_login_steps = 1

            # Only set when the group check ran; otherwise the step count is
            # left to whatever the caller uses as default.
            context = Contexts.getEventContext()
            context.set("duo_count_login_steps", duo_count_login_steps)

        return True
    elif (step == 2):
        print "Duo. Authenticate for step 2"

        sig_response_array = requestParameters.get("sig_response")
        if ArrayHelper.isEmpty(sig_response_array):
            print "Duo. Authenticate for step 2. sig_response is empty"
            return False

        duo_sig_response = sig_response_array[0]
        # NOTE(review): the full signed response is written to the log.
        print "Duo. Authenticate for step 2. duo_sig_response: " + duo_sig_response

        authenticated_username = duo_web.verify_response(self.ikey, self.skey, self.akey, duo_sig_response)
        # NOTE(review): the expression between the two string literals on the
        # next line is garbled in this copy of the file ("******"); restore it
        # from the upstream source before use.
        print "Duo. Authenticate for step 2. authenticated_username: "******", expected user_name: " + user_name

        # A None result from verify_response fails this comparison too.
        if (not StringHelper.equals(user_name, authenticated_username)):
            return False

        authenticationService = AuthenticationService.instance()
        user = authenticationService.getAuthenticatedUser()
        self.processAuditGroup(user)

        return True
    else:
        return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Step-1 password check that counts failed logins and locks the account.

    Every failed attempt for the submitted user name increments the user
    attribute named by self.invalidLoginCountAttribute up to
    self.maximumInvalidLoginAttemps; once that limit is reached
    self.lockUser is called.  A successful login resets the counter to 0.
    An AuthenticationException from UserService.authenticate is logged and
    counted as a failed attempt.

    Returns True on success, False for a failed attempt or any step != 1.
    """
    if step != 1:
        return False

    print "Basic (lock account). Authenticate for step 1"

    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()
    user_password = credentials.getPassword()

    logged_in = False
    if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
        try:
            logged_in = UserService.instance().authenticate(user_name, user_password)
        except AuthenticationException:
            print "Basic (lock account). Authenticate. Failed to authenticate user '%s'" % user_name

    if logged_in:
        # Success clears the failure counter.
        self.setUserAttributeValue(user_name, self.invalidLoginCountAttribute, StringHelper.toString(0))
        return True

    # Failure (empty credentials included): bump the counter, lock at the limit.
    stored_count = self.getUserAttributeValue(user_name, self.invalidLoginCountAttribute)
    failures = StringHelper.toInteger(stored_count, 0)
    if failures < self.maximumInvalidLoginAttemps:
        failures += 1
        self.setUserAttributeValue(user_name, self.invalidLoginCountAttribute, StringHelper.toString(failures))
    if failures >= self.maximumInvalidLoginAttemps:
        self.lockUser(user_name)
    return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Single-step username/password check through UserService.authenticate.

    Returns True when the credentials read from the current Identity are
    accepted; False for empty credentials, a rejected login, or step != 1.
    """
    if step != 1:
        return False

    print "Basic authenticate for step 1"

    credentials = Identity.instance().getCredentials()
    login = credentials.getUsername()
    secret = credentials.getPassword()

    if not (StringHelper.isNotEmptyString(login) and StringHelper.isNotEmptyString(secret)):
        return False

    # The local user lookup is left to the authenticate service (the
    # author's note says it already performs it), so nothing else is done
    # here once the password is accepted.
    if UserService.instance().authenticate(login, secret):
        return True
    return False
def generateInum(self, orgInum, prefix):
    """Build an inum as orgInum, prefix and a freshly generated part joined by Configuration.inumDelimiter.

    Returns "" when orgInum or prefix is empty.
    """
    if not (StringHelper.isNotEmptyString(orgInum) and StringHelper.isNotEmptyString(prefix)):
        return ""

    delimiter = Configuration.inumDelimiter
    generated = INumGenerator.generate()
    return orgInum + delimiter + prefix + delimiter + generated
def generateInum(self, orgInum, prefix):
    """Return orgInum + delimiter + prefix + delimiter + INumGenerator.generate(), or "" on empty input.

    Both orgInum and prefix must be non-empty (StringHelper.isNotEmptyString);
    otherwise the empty string is returned without generating anything.
    """
    if not StringHelper.isNotEmptyString(orgInum):
        return ""
    if not StringHelper.isNotEmptyString(prefix):
        return ""

    delimiter = Configuration.inumDelimiter
    head = orgInum + delimiter + prefix
    return head + delimiter + INumGenerator.generate()
def authenticate(self, configurationAttributes, requestParameters, step):
    """Step-1 password check across every configured LDAP entry manager.

    For each entry of self.ldapExtendedEntryManagers (a mapping with the
    keys "ldapConfiguration", "ldapEntryManager", "loginAttributes" and
    "localLoginAttributes") the login attributes are tried in order, paired
    by position with the local attributes, through
    AuthenticationService.authenticate.  The first success wins.

    Returns True on the first successful attempt, False otherwise
    (empty credentials, no match, or step != 1).
    """
    if step != 1:
        return False

    print "Basic (multi auth conf) authenticate for step 1"

    credentials = Identity.instance().getCredentials()
    keyValue = credentials.getUsername()
    userPassword = credentials.getPassword()

    if not (StringHelper.isNotEmptyString(keyValue) and StringHelper.isNotEmptyString(userPassword)):
        return False

    authenticationService = AuthenticationService.instance()
    for entry in self.ldapExtendedEntryManagers:
        ldapConfiguration = entry["ldapConfiguration"]
        ldapEntryManager = entry["ldapEntryManager"]
        loginAttributes = entry["loginAttributes"]
        localLoginAttributes = entry["localLoginAttributes"]

        print "Basic (multi auth conf) authenticate for step 1. Using configuration: " + ldapConfiguration.getConfigId()

        for position, primaryKey in enumerate(loginAttributes):
            localPrimaryKey = localLoginAttributes[position]
            accepted = authenticationService.authenticate(ldapConfiguration, ldapEntryManager, keyValue, userPassword, primaryKey, localPrimaryKey)
            if accepted:
                return True

    return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Step-1 password check across several LDAP configurations, with metrics.

    Each entry of self.ldapExtendedEntryManagers supplies a configuration,
    an entry manager and two attribute lists paired by position; every pair
    is tried through AuthenticationService.authenticate until one succeeds.
    The whole attempt is timed under MetricType.OXAUTH_USER_AUTHENTICATION_RATE
    and the outcome counted as OXAUTH_USER_AUTHENTICATION_SUCCESS or
    OXAUTH_USER_AUTHENTICATION_FAILURES.

    Returns True on the first success, False otherwise (empty credentials,
    no match, or step != 1).
    """
    authenticationService = CdiUtil.bean(AuthenticationService)

    if step != 1:
        return False

    print "Basic (multi auth conf). Authenticate for step 1"

    identity = CdiUtil.bean(Identity)
    credentials = identity.getCredentials()

    metricService = CdiUtil.bean(MetricService)
    timerContext = metricService.getTimer(MetricType.OXAUTH_USER_AUTHENTICATION_RATE).time()
    try:
        keyValue = credentials.getUsername()
        userPassword = credentials.getPassword()

        if StringHelper.isNotEmptyString(keyValue) and StringHelper.isNotEmptyString(userPassword):
            for entry in self.ldapExtendedEntryManagers:
                ldapConfiguration = entry["ldapConfiguration"]
                ldapEntryManager = entry["ldapEntryManager"]
                loginAttributes = entry["loginAttributes"]
                localLoginAttributes = entry["localLoginAttributes"]

                print "Basic (multi auth conf). Authenticate for step 1. Using configuration: " + ldapConfiguration.getConfigId()

                for position, primaryKey in enumerate(loginAttributes):
                    localPrimaryKey = localLoginAttributes[position]
                    accepted = authenticationService.authenticate(ldapConfiguration, ldapEntryManager, keyValue, userPassword, primaryKey, localPrimaryKey)
                    if accepted:
                        metricService.incCounter(MetricType.OXAUTH_USER_AUTHENTICATION_SUCCESS)
                        return True
    finally:
        # The timer covers the whole attempt, including the early successful return.
        timerContext.stop()

    metricService.incCounter(MetricType.OXAUTH_USER_AUTHENTICATION_FAILURES)
    return False
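def authenticate(self, configurationAttributes, requestParameters, step):
    """Password login (step 1) followed by an optional password change (step 2).

    Step 1 authenticates the Identity credentials through
    AuthenticationService.authenticate.  Step 2 resolves the already
    authenticated user; when the form carries "loginForm:updateButton" and a
    non-empty "new_password", that value is written to the user's
    userPassword attribute through UserService.updateUser.  Without the
    update button the step succeeds without changing anything.

    Returns True when the step succeeds, False otherwise (unknown step,
    empty credentials, no authenticated user, user not found, empty new
    password).
    """
    userService = CdiUtil.bean(UserService)
    authenticationService = CdiUtil.bean(AuthenticationService)

    identity = CdiUtil.bean(Identity)
    credentials = identity.getCredentials()
    user_name = credentials.getUsername()

    if (step == 1):
        print "Basic (with password update). Authenticate for step 1"

        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            logged_in = authenticationService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        return True
    elif (step == 2):
        print "Basic (with password update). Authenticate for step 2"

        user = authenticationService.getAuthenticatedUser()
        if user == None:
            print "Basic (with password update). Authenticate for step 2. Failed to determine user name"
            return False

        # The change applies to the authenticated session user, not to the
        # username typed in step 1.
        user_name = user.getUserId()

        update_button = requestParameters.get("loginForm:updateButton")
        if ArrayHelper.isEmpty(update_button):
            return True

        new_password_array = requestParameters.get("new_password")
        if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
            print "Basic (with password update). Authenticate for step 2. New password is empty"
            return False
        new_password = new_password_array[0]

        # getUser may return None; dereferencing it unguarded raised
        # AttributeError instead of failing the step cleanly.
        find_user_by_uid = userService.getUser(user_name)
        if find_user_by_uid == None:
            print "Basic (with password update). Authenticate for step 2. Failed to find user"
            return False

        # NOTE(review): no confirmation field or local policy check here; the
        # value is stored as submitted and any hashing/policy is left to
        # userService.updateUser — confirm that is the case.
        find_user_by_uid.setAttribute("userPassword", new_password)
        print "Basic (with password update). Authenticate for step 2. Attempting to set new user '%s' password" % user_name
        userService.updateUser(find_user_by_uid)
        print "Basic (with password update). Authenticate for step 2. Password updated successfully"

        return True
    else:
        return False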
def authenticate(self, configurationAttributes, requestParameters, step):
    """Password login (step 1) followed by an optional password change (step 2).

    Step 1 checks the Identity credentials with UserService.authenticate.
    Step 2 succeeds immediately when the form has no "loginForm:updateButton";
    otherwise it requires a non-empty "new_password" parameter, looks the
    user up by the step-1 username and stores the value in the userPassword
    attribute through UserService.updateUser.

    Returns True when the step succeeds, False otherwise.
    """
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()

    if step == 1:
        print "Basic (with password update). Authenticate for step 1"

        user_password = credentials.getPassword()
        if not (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            return False

        userService = UserService.instance()
        if userService.authenticate(user_name, user_password):
            return True
        return False

    if step == 2:
        print "Basic (with password update). Authenticate for step 2"

        userService = UserService.instance()

        # No update button means the user skipped the password change.
        if ArrayHelper.isEmpty(requestParameters.get("loginForm:updateButton")):
            return True

        new_password_array = requestParameters.get("new_password")
        if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
            print "Basic (with password update). Authenticate for step 2. New password is empty"
            return False
        new_password = new_password_array[0]

        print "Basic (with password update). Authenticate for step 2. Attemprin to set new user '" + user_name + "' password"
        target_user = userService.getUser(user_name)
        if target_user == None:
            print "Basic (with password update). Authenticate for step 2. Failed to find user"
            return False

        target_user.setAttribute("userPassword", new_password)
        userService.updateUser(target_user)
        print "Basic (with password update). Authenticate for step 2. Password updated successfully"
        return True

    return False
def updateUser(self, foundUser, profile, userService):
    """Merge mapped profile values into foundUser's attributes and persist it.

    For every remote attribute in self.attributesMapping (except "provider")
    whose profile value is non-empty, the value is appended to the local
    attribute's value list unless an equal value (case-insensitive) is
    already present.  The user is then saved through userService.updateUser.
    """
    # Keys of attributesMapping are expected to be lower-cased already.
    mapping = self.attributesMapping
    for remoteAttr in mapping:
        value = profile[remoteAttr]
        # "provider" is not a user attribute; empty values are not merged.
        if remoteAttr == "provider" or not StringHelper.isNotEmptyString(value):
            continue

        localAttr = mapping[remoteAttr]
        print "Remote (%s), Local (%s) = %s" % (remoteAttr, localAttr, value)

        # Copy into a fresh ArrayList so the list can be modified.
        existing = foundUser.getAttributeValues(localAttr)
        merged = ArrayList() if existing == None else ArrayList(existing)

        # Keeps multivalued attributes free of case-insensitive duplicates.
        already_present = any(StringHelper.equalsIgnoreCase(v, value) for v in merged)
        if not already_present:
            merged.add(value)

        foundUser.setAttribute(localAttr, merged)

    userService.updateUser(foundUser)
def authenticate(self, configurationAttributes, requestParameters, step):
    """Two-step Tiqr login: local password in step 1, Tiqr-confirmed user in step 2.

    Step 1 authenticates the Identity credentials through UserService.
    Step 2 requires self.isPassedDefaultAuthentication, the credentials'
    user, and an HTTP session holding "tiqr_user_uid"; that value is removed
    from the session once read and must equal the user id of the
    credentials' user.

    Returns True when the step succeeds, False otherwise.
    """
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()

    if (step == 1):
        print "Tiqr authenticate for step 1"

        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        return True
    elif (step == 2):
        print "Tiqr authenticate for step 2"

        # Read as an attribute, not called — presumably set elsewhere in the class.
        passed_step1 = self.isPassedDefaultAuthentication
        if (not passed_step1):
            return False

        expected_user = credentials.getUser();
        if (expected_user == None):
            print "Tiqr authenticate for step 2. expected user is empty"
            return False

        expected_user_name = expected_user.getUserId();

        # getSession(False) does not create a session; none means step 1 never ran here.
        session = FacesContext.getCurrentInstance().getExternalContext().getSession(False)
        if (session == None):
            print "Tiqr authenticate for step 2. Session is not exist"
            return False

        # One-shot value: removed right after it is read so it cannot be replayed.
        authenticated_username = session.getValue("tiqr_user_uid")
        session.removeValue("tiqr_user_uid")

        # NOTE(review): the expression between the two string literals on the
        # next line is garbled in this copy of the file ("******"); restore it
        # from the upstream source before use.
        print "Tiqr authenticate for step 2. authenticated_username: "******", expected user_name: " + expected_user_name

        if StringHelper.equals(expected_user_name, authenticated_username):
            return True

        return False
    else:
        return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Single-step username/password authentication through UserService.

    Returns True when UserService.authenticate accepts the credentials read
    from the current Identity; False for empty credentials, a rejected
    login, or any step other than 1.
    """
    if step != 1:
        return False

    print "Basic. Authenticate for step 1"

    credentials = Identity.instance().getCredentials()
    login = credentials.getUsername()
    secret = credentials.getPassword()

    # Empty username or password is rejected without contacting the backend.
    if not (StringHelper.isNotEmptyString(login) and StringHelper.isNotEmptyString(secret)):
        return False

    if UserService.instance().authenticate(login, secret):
        return True
    return False
def processBasicAuthentication(self, credentials):
    """Verify the username/password in credentials and return the matching User.

    Returns None for empty credentials, a rejected login, or when
    UserService.getUser cannot find the user after a successful login.
    """
    userService = UserService.instance()
    login = credentials.getUsername()
    secret = credentials.getPassword()

    if not (StringHelper.isNotEmptyString(login) and StringHelper.isNotEmptyString(secret)):
        return None
    if not userService.authenticate(login, secret):
        return None

    found = userService.getUser(login)
    if found == None:
        print "Super-Gluu. Process basic authentication. Failed to find user '%s'" % login
    return found
def authenticate(self, configurationAttributes, requestParameters, step):
    """Single-step authentication delegated to self.csbaseProxy.authenticate.

    Returns True when the proxy accepts the username/password read from the
    Identity bean; False for empty credentials, a rejected login, or step != 1.
    """
    if step != 1:
        return False

    print "CSBase. Authenticate for step 1"

    credentials = CdiUtil.bean(Identity).getCredentials()
    login = credentials.getUsername()
    secret = credentials.getPassword()

    if not (StringHelper.isNotEmptyString(login) and StringHelper.isNotEmptyString(secret)):
        return False

    if self.csbaseProxy.authenticate(login, secret):
        return True
    return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Step 1: verify credentials against the Shibboleth IdP, then ensure a local entry exists.

    The IdP base URI and protected resource URI come from the
    "idp_idp_base_uri" and "idp_protected_resource_uri" configuration
    entries and are passed with the credentials to self.sb.authenticate.
    A principal whose name starts with "@!" is looked up as a client and
    must already exist; any other principal is looked up as a user and
    created with UserService.addDefaultUser when missing, then stored on
    the credentials.

    Returns True on success, False for empty credentials, a rejected login,
    an unknown client, or step != 1.
    """
    if step != 1:
        return False

    print "Shibboleth authenticate for step 1"

    idp_idp_base_uri = configurationAttributes.get("idp_idp_base_uri").getValue2()
    idp_protected_resource_uri = configurationAttributes.get("idp_protected_resource_uri").getValue2()

    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()
    user_password = credentials.getPassword()

    logged_in = False
    if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
        logged_in = self.sb.authenticate(idp_idp_base_uri, idp_protected_resource_uri, user_name, user_password)

    if not logged_in:
        print "Shibboleth authenticate for step 1. Failed to authenticate user/client"
        return False

    # Names starting with "@!" denote clients rather than users.
    if String(user_name).startsWith("@!"):
        client = ClientService.instance().getClient(user_name)
        if client == None:
            print "Shibboleth authenticate for step 1. Failed to find client in local LDAP"
            return False
        # TODO: Add client
        return True

    userService = UserService.instance()
    user = userService.getUser(user_name)
    if user == None:
        print "Shibboleth authenticate for step 1. Adding new user in local LDAP"
        user = userService.addDefaultUser(user_name)

    # NOTE(review): confirm setUser is meant for existing users as well as newly added ones.
    credentials.setUser(user)
    return True
def authenticate(self, configurationAttributes, requestParameters, step):
    """Demo flow: steps 1 to 3 each re-check the password and record the outcome.

    "pass_authentication" in the event context is reset to False on entry
    and set to True only after UserService.authenticate accepts the
    Identity credentials.

    Returns True on success, False for empty credentials, a rejected
    login, or a step outside 1..3.
    """
    context = Contexts.getEventContext()
    context.set("pass_authentication", False)

    if step < 1 or step > 3:
        return False

    print "Basic (demo reset step). Authenticate for step '%s'" % step

    credentials = Identity.instance().getCredentials()
    login = credentials.getUsername()
    secret = credentials.getPassword()

    if not (StringHelper.isNotEmptyString(login) and StringHelper.isNotEmptyString(secret)):
        return False

    if not UserService.instance().authenticate(login, secret):
        return False

    context.set("pass_authentication", True)
    return True
def addUser(self, externalUid, profile, userService): newUser = User() #Fill user attrs newUser.setAttribute("oxExternalUid", externalUid) mapping = self.attributesMapping for remoteAttr in mapping: value = profile[remoteAttr] # "provider" is disregarded if part of mapping if remoteAttr != "provider" and StringHelper.isNotEmptyString( value): localAttr = mapping[remoteAttr] print "Remote (%s), Local (%s) = %s" % (remoteAttr, localAttr, value) newUser.setAttribute(mapping[remoteAttr], value) newUser = userService.addUser(newUser, True) return newUser
def getClientConfiguration(self, configurationAttributes, requestParameters):
    """Look up the per-client Google+ configuration attribute.

    The attribute name comes from the "gplus_client_configuration_attribute"
    configuration entry.  The client_id is taken from the request
    parameters first and, failing that, from "stored_request_parameters" in
    the event context.  The client's custom attribute is returned as-is;
    a None or empty value is only logged.

    Returns None when the configuration entry is missing, requestParameters
    is None, no client_id can be determined, or the client is unknown.
    """
    if not configurationAttributes.containsKey("gplus_client_configuration_attribute"):
        return None

    clientConfigurationAttribute = configurationAttributes.get("gplus_client_configuration_attribute").getValue2()
    print "Google+ GetClientConfiguration. Using client attribute:", clientConfigurationAttribute

    if requestParameters == None:
        return None

    clientId = None
    clientIdArray = requestParameters.get("client_id")
    if ArrayHelper.isNotEmpty(clientIdArray) and StringHelper.isNotEmptyString(clientIdArray[0]):
        clientId = clientIdArray[0]

    # Fall back to the request parameters stored earlier in the event context.
    if clientId == None:
        eventContext = Contexts.getEventContext()
        if eventContext.isSet("stored_request_parameters"):
            clientId = eventContext.get("stored_request_parameters").get("client_id")

    if clientId == None:
        print "Google+ GetClientConfiguration. client_id is empty"
        return None

    clientService = ClientService.instance()
    client = clientService.getClient(clientId)
    if client == None:
        print "Google+ GetClientConfiguration. Failed to find client", clientId, " in local LDAP"
        return None

    clientConfiguration = clientService.getCustomAttribute(client, clientConfigurationAttribute)
    has_value = clientConfiguration != None and not StringHelper.isEmpty(clientConfiguration.getValue())
    if has_value:
        print "Google+ GetClientConfiguration. Client", clientId, " attribute", clientConfigurationAttribute, " is", clientConfiguration
    else:
        print "Google+ GetClientConfiguration. Client", clientId, " attribute", clientConfigurationAttribute, " is empty"

    return clientConfiguration
def getClientConfiguration(self, configurationAttributes, requestParameters):
    """Look up the per-client SAML configuration attribute.

    The attribute name comes from the "saml_client_configuration_attribute"
    configuration entry.  The client_id is read from the request parameters
    or, when absent there, from "sessionAttributes" in the event context.
    The client's custom attribute is returned as-is; a None or empty value
    is only logged.

    Returns None when the configuration entry is missing, requestParameters
    is None, no client_id can be determined, or the client is unknown.
    """
    if not configurationAttributes.containsKey("saml_client_configuration_attribute"):
        return None

    saml_client_configuration_attribute = configurationAttributes.get("saml_client_configuration_attribute").getValue2()
    print "Saml. GetClientConfiguration. Using client attribute:", saml_client_configuration_attribute

    if requestParameters == None:
        return None

    client_id = None
    client_id_array = requestParameters.get("client_id")
    if ArrayHelper.isNotEmpty(client_id_array) and StringHelper.isNotEmptyString(client_id_array[0]):
        client_id = client_id_array[0]

    # Fall back to the session attributes kept in the event context.
    if client_id == None:
        eventContext = Contexts.getEventContext()
        if eventContext.isSet("sessionAttributes"):
            client_id = eventContext.get("sessionAttributes").get("client_id")

    if client_id == None:
        print "Saml. GetClientConfiguration. client_id is empty"
        return None

    clientService = ClientService.instance()
    client = clientService.getClient(client_id)
    if client == None:
        print "Saml. GetClientConfiguration. Failed to find client", client_id, " in local LDAP"
        return None

    saml_client_configuration = clientService.getCustomAttribute(client, saml_client_configuration_attribute)
    has_value = saml_client_configuration != None and not StringHelper.isEmpty(saml_client_configuration.getValue())
    if has_value:
        print "Saml. GetClientConfiguration. Client", client_id, " attribute", saml_client_configuration_attribute, " is", saml_client_configuration
    else:
        print "Saml. GetClientConfiguration. Client", client_id, " attribute", saml_client_configuration_attribute, " is empty"

    return saml_client_configuration
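def authenticate(self, configurationAttributes, requestParameters, step):
    """Two-step login: password (step 1), then a one-time SMS code (step 2).

    Step 1 verifies the Identity credentials with UserService.authenticate,
    looks the user up by uid, reads the phoneNumberVerified attribute,
    generates a six-digit code, stores it in the event context under
    "code" and sends it through the Twilio REST client.  Step 2 reads the
    code back from the "sessionAttributes" map and compares it with the
    "passcode" request parameter.

    Changes against the previous version: the code comes from
    random.SystemRandom (the default random module is a predictable PRNG
    and must not back a one-time code); the code is no longer written to
    the log; the "%s"-less format string in the phone-number error path
    raised TypeError instead of logging; a missing phone number and a
    missing session map fail the step instead of raising.

    Returns True when the step succeeds, False otherwise (including an
    unexpected step value).
    """
    context = Contexts.getEventContext()
    userService = UserService.instance()
    session_attributes = context.get("sessionAttributes")

    # Not echoed to the log: before verification it may be the valid code.
    form_passcode = ServerUtil.getFirstValue(requestParameters, "passcode")

    if step == 1:
        print "TwilioSMS. Step 1 Password Authentication"
        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            logged_in = userService.authenticate(user_name, user_password)
        if not logged_in:
            return False

        # Resolve the user and the verified phone number the code goes to.
        # The bare except clauses are kept on purpose: the services may raise
        # Java exceptions, which a Python "except Exception" is not
        # guaranteed to catch in this runtime.
        try:
            foundUser = userService.getUserByAttribute("uid", user_name)
        except:
            print 'TwilioSMS, Error retrieving user %s from LDAP' % (user_name)
            return False

        try:
            mobile_number = foundUser.getAttribute("phoneNumberVerified")
        except:
            print 'TwilioSMS, Error finding mobile number for %s' % (user_name)
            return False
        if StringHelper.isEmpty(mobile_number):
            print 'TwilioSMS, No verified mobile number for %s' % (user_name)
            return False

        # Six-digit one-time code from the OS entropy source.
        code = random.SystemRandom().randint(100000, 999999)

        # Kept in the event context so step 2 can read it back from the session.
        context.set("code", code)

        client = TwilioRestClient(self.ACCOUNT_SID, self.AUTH_TOKEN)
        params = ArrayList()
        params.add(BasicNameValuePair("Body", str(code)))
        params.add(BasicNameValuePair("To", mobile_number))
        params.add(BasicNameValuePair("From", self.FROM_NUMBER))

        try:
            messageFactory = client.getAccount().getMessageFactory()
            message = messageFactory.create(params)
            print 'TwilioSMs, Message Sid: %s' % (message.getSid())
            return True
        except:
            print "TwilioSMS. Error sending message to Twilio"
            return False

    elif step == 2:
        print "TwilioSMS. Step 2 SMS/OTP Authentication"

        code = None
        if session_attributes is not None:
            code = session_attributes.get("code")
        if code is None:
            print "TwilioSMS. Failed to find previously sent code"
            return False

        if form_passcode is None:
            print "TwilioSMS. Passcode is empty"
            return False
        if len(form_passcode) != 6:
            print "TwilioSMS. Passcode from response is not 6 digits: %s" % form_passcode
            return False

        # Compare as strings: the code is generated as an int but may come
        # back from the session attributes as a string.
        if str(form_passcode) == str(code):
            print "TiwlioSMS, SUCCESS! User entered the same code!"
            return True

        print "TwilioSMS. FAIL! User entered the wrong code!"
        return False

    print "TwilioSMS. ERROR: step param not found or != (1|2)"
    return False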
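def authenticate(self, configurationAttributes, requestParameters, step):
    """Authenticate from a SAML response (step 1) or map it to a local account (step 2).

    Configuration entries read: "saml_deployment_type" (map / enroll /
    enroll_all_attr, anything else means plain uid lookup),
    "saml_allow_basic_login" and "saml_validate_response".

    Step 1 with basic login allowed and a username/password present just
    checks the password.  Otherwise the "SAMLResponse" request parameter is
    parsed, validated (unless disabled by configuration), and its NameID is
    used as the SAML user id: "map" looks the user up by oxExternalUid and
    defers to step 2 when unknown; "enroll" and "enroll_all_attr" create the
    user when unknown; the default mode looks the user up by uid.  A found or
    created user is then authenticated and passed to samlExtensionPostLogin.
    Step 2 checks the local password and links the session's
    "saml_user_uid" to that account via oxExternalUid.

    Change against the previous version: a SAML response that fails
    samlResponse.isValid() now ends step 1 with False; before, the failure
    was only logged and the unverified NameID was used to log the user in.

    Returns True/False for steps 1 and 2 (the post-login hook's result where
    it is called), False for any other step.
    """
    context = Contexts.getEventContext()
    authenticationService = AuthenticationService.instance()
    userService = UserService.instance()

    def _finish_step1(found_user):
        # Shared tail of every step-1 branch once a local user is resolved:
        # authenticate it, set a single login step, run the post-login hook.
        found_user_name = found_user.getUserId()
        print "Saml. Authenticate for step 1. found_user_name:", found_user_name

        user_authenticated = authenticationService.authenticate(found_user_name)
        if (user_authenticated == False):
            print "Saml. Authenticate for step 1. Failed to authenticate user"
            return False

        print "Saml. Authenticate for step 1. Setting count steps to 1"
        context.set("saml_count_login_steps", 1)

        post_login_result = self.samlExtensionPostLogin(configurationAttributes, found_user)
        print "Saml. Authenticate for step 1. post_login_result:", post_login_result
        return post_login_result

    saml_map_user = False
    saml_enroll_user = False
    saml_enroll_all_user_attr = False
    # Use saml_deployment_type only if there is no attributes mapping
    if (configurationAttributes.containsKey("saml_deployment_type")):
        saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2())

        if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")):
            saml_map_user = True

        if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")):
            saml_enroll_user = True

        if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")):
            saml_enroll_all_user_attr = True

    saml_allow_basic_login = False
    if (configurationAttributes.containsKey("saml_allow_basic_login")):
        saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False)

    use_basic_auth = False
    if (saml_allow_basic_login):
        # Detect if user used basic authentication method
        credentials = Identity.instance().getCredentials()

        user_name = credentials.getUsername()
        user_password = credentials.getPassword()
        if (StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password)):
            use_basic_auth = True

    if ((step == 1) and saml_allow_basic_login and use_basic_auth):
        print "Saml. Authenticate for step 1. Basic authentication"

        context.set("saml_count_login_steps", 1)

        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        return True

    if (step == 1):
        print "Saml. Authenticate for step 1"

        currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
        if (currentSamlConfiguration == None):
            print "Saml. Prepare for step 1. Client saml configuration is invalid"
            return False

        saml_response_array = requestParameters.get("SAMLResponse")
        if ArrayHelper.isEmpty(saml_response_array):
            print "Saml. Authenticate for step 1. saml_response is empty"
            return False

        saml_response = saml_response_array[0]

        # NOTE(review): the complete base64 response (the assertion, with any
        # attributes it carries) is written to the log here.
        print "Saml. Authenticate for step 1. saml_response:", saml_response

        samlResponse = Response(currentSamlConfiguration)
        samlResponse.loadXmlFromBase64(saml_response)

        # Validation is on unless the configuration turns it off.
        # NOTE(review): a present but unparsable value falls back to False,
        # i.e. validation disabled — consider True as the fallback.
        saml_validate_response = True
        if (configurationAttributes.containsKey("saml_validate_response")):
            saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False)

        if (saml_validate_response):
            if (not samlResponse.isValid()):
                print "Saml. Authenticate for step 1. saml_response isn't valid"
                # An invalid response must not be used to identify the user.
                return False

        saml_response_name_id = samlResponse.getNameId()
        if (StringHelper.isEmpty(saml_response_name_id)):
            print "Saml. Authenticate for step 1. saml_response_name_id is invalid"
            return False

        print "Saml. Authenticate for step 1. saml_response_name_id:", saml_response_name_id

        saml_response_attributes = samlResponse.getAttributes()
        print "Saml. Authenticate for step 1. attributes: ", saml_response_attributes

        # Use persistent Id as saml_user_uid
        saml_user_uid = saml_response_name_id

        if (saml_map_user):
            # Use mapping to local IDP user
            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:", saml_user_uid

            # Check if the is user with specified saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)

            if (find_user_by_uid == None):
                # Unknown SAML id: step 2 will ask for local credentials to link it.
                print "Saml. Authenticate for step 1. Failed to find user"
                print "Saml. Authenticate for step 1. Setting count steps to 2"
                context.set("saml_count_login_steps", 2)
                context.set("saml_user_uid", saml_user_uid)
                return True

            return _finish_step1(find_user_by_uid)
        elif (saml_enroll_user):
            # Use auto enrollment to local IDP
            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:", saml_user_uid

            # Check if the is user with specified saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)

            if (find_user_by_uid == None):
                # Auto user enrollemnt
                print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"

                # Convert saml result attributes keys to lover case
                saml_response_normalized_attributes = HashMap()
                for saml_response_attribute_entry in saml_response_attributes.entrySet():
                    saml_response_normalized_attributes.put(StringHelper.toLowerCase(saml_response_attribute_entry.getKey()), saml_response_attribute_entry.getValue())

                currentAttributesMapping = self.prepareCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
                print "Saml. Authenticate for step 1. Using next attributes mapping", currentAttributesMapping

                newUser = User()
                for attributesMappingEntry in currentAttributesMapping.entrySet():
                    idpAttribute = attributesMappingEntry.getKey()
                    localAttribute = attributesMappingEntry.getValue()
                    localAttributeValue = saml_response_normalized_attributes.get(idpAttribute)
                    if (localAttribute != None):
                        newUser.setAttribute(localAttribute, localAttributeValue)

                newUser.setAttribute("oxExternalUid", "saml:" + saml_user_uid)
                print "Saml. Authenticate for step 1. Attempting to add user", saml_user_uid, " with next attributes", newUser.getCustomAttributes()

                find_user_by_uid = userService.addUser(newUser, True)
                print "Saml. Authenticate for step 1. Added new user with UID", find_user_by_uid.getUserId()

            return _finish_step1(find_user_by_uid)
        elif (saml_enroll_all_user_attr):
            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:" + saml_user_uid

            # Check if the is user with specified saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)

            if (find_user_by_uid == None):
                print "Saml. Authenticate for step 1. Failed to find user"
                user = User()

                # NOTE(review): "attributes" and "attributeService" are not
                # bound anywhere in this method, so this branch raises
                # NameError as written.  "attributes" looks like it was meant
                # to be saml_response_attributes; confirm both against the
                # upstream source.
                customAttributes = ArrayList()
                for key in attributes.keySet():
                    ldapAttributes = attributeService.getAllAttributes()
                    for ldapAttribute in ldapAttributes:
                        saml2Uri = ldapAttribute.getSaml2Uri()
                        if (saml2Uri == None):
                            saml2Uri = attributeService.getDefaultSaml2Uri(ldapAttribute.getName())
                        if (saml2Uri == key):
                            attribute = CustomAttribute(ldapAttribute.getName())
                            attribute.setValues(attributes.get(key))
                            customAttributes.add(attribute)

                attribute = CustomAttribute("oxExternalUid")
                attribute.setValue("saml:" + saml_user_uid)
                customAttributes.add(attribute)
                user.setCustomAttributes(customAttributes)

                # sn and cn are mandatory for the entry; default them to the SAML id.
                if (user.getAttribute("sn") == None):
                    attribute = CustomAttribute("sn")
                    attribute.setValue(saml_user_uid)
                    customAttributes.add(attribute)

                if (user.getAttribute("cn") == None):
                    attribute = CustomAttribute("cn")
                    attribute.setValue(saml_user_uid)
                    customAttributes.add(attribute)

                find_user_by_uid = userService.addUser(user, True)
                print "Saml. Authenticate for step 1. Added new user with UID", find_user_by_uid.getUserId()

            return _finish_step1(find_user_by_uid)
        else:
            # Check if the is user with specified saml_user_uid
            print "Saml. Authenticate for step 1. Attempting to find user by uid:", saml_user_uid
            find_user_by_uid = userService.getUser(saml_user_uid)
            if (find_user_by_uid == None):
                print "Saml. Authenticate for step 1. Failed to find user"
                return False

            return _finish_step1(find_user_by_uid)
    elif (step == 2):
        print "Saml. Authenticate for step 2"

        sessionAttributes = context.get("sessionAttributes")
        if (sessionAttributes == None) or not sessionAttributes.containsKey("saml_user_uid"):
            print "Saml. Authenticate for step 2. saml_user_uid is empty"
            return False

        saml_user_uid = sessionAttributes.get("saml_user_uid")
        passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
        if (not passed_step1):
            return False

        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            logged_in = userService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        # Check if there is user which has saml_user_uid
        # Avoid mapping Saml account to more than one IDP account
        find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
        if (find_user_by_uid == None):
            # Add saml_user_uid to user one id UIDs
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:" + saml_user_uid)
            if (find_user_by_uid == None):
                print "Saml. Authenticate for step 2. Failed to update current user"
                return False

            post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
            print "Saml. Authenticate for step 2. post_login_result:", post_login_result

            return post_login_result
        else:
            # The SAML id is already linked: only the same local account may use it.
            found_user_name = find_user_by_uid.getUserId()
            print "Saml. Authenticate for step 2. found_user_name:", found_user_name

            if StringHelper.equals(user_name, found_user_name):
                post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
                print "Saml. Authenticate for step 2. post_login_result:", post_login_result

                return post_login_result

        return False
    else:
        return False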
def isPassedStep1():
    """Return True when the ambient Identity credentials carry a non-empty username.

    Declared without ``self``: if it sits on the script class it cannot be
    invoked as ``self.isPassedStep1()`` without a TypeError, so callers must
    treat it as a plain function.
    """
    return StringHelper.isNotEmptyString(Identity.instance().getCredentials().getUsername())
def authenticate(self, configurationAttributes, requestParameters, step):
    """U2F login: step 1 is a username/password check, step 2 finishes a FIDO U2F
    ceremony for the user fixed by step 1.

    Step 2 reads the ``tokenResponse`` and ``authMethod`` request parameters.
    ``authMethod`` selects ``finishAuthentication`` ('authenticate') or
    ``finishRegistration`` ('enroll') on a request service created from
    ``self.metaDataConfiguration``; the ceremony is accepted only when the
    returned status is ``Constants.RESULT_SUCCESS``. Any other ``authMethod``
    and any step other than 1 or 2 fail closed.
    """
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()

    if (step == 1):
        print "U2F. Authenticate for step 1"
        user_password = credentials.getPassword()
        if not (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            return False
        if not UserService.instance().authenticate(user_name, user_password):
            return False
        return True

    if (step != 2):
        return False

    print "U2F. Authenticate for step 2"
    token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse")
    if token_response == None:
        print "U2F. Authenticate for step 2. tokenResponse is empty"
        return False

    auth_method = ServerUtil.getFirstValue(requestParameters, "authMethod")
    if auth_method == None:
        print "U2F. Authenticate for step 2. authMethod is empty"
        return False

    # The identity was established in step 1; the token response is bound to it.
    current_user = Identity.instance().getCredentials().getUser()
    if (current_user == None):
        print "U2F. Prepare for step 2. Failed to determine user name"
        return False

    if (auth_method == 'authenticate'):
        print "U2F. Prepare for step 2. Call FIDO U2F in order to finish authentication workflow"
        u2f_service = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration)
        ceremony_status = u2f_service.finishAuthentication(current_user.getUserId(), token_response)
        failure_message = "U2F. Authenticate for step 2. Get invalid authentication status from FIDO U2F server"
    elif (auth_method == 'enroll'):
        print "U2F. Prepare for step 2. Call FIDO U2F in order to finish registration workflow"
        u2f_service = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration)
        ceremony_status = u2f_service.finishRegistration(current_user.getUserId(), token_response)
        failure_message = "U2F. Authenticate for step 2. Get invalid registration status from FIDO U2F server"
    else:
        print "U2F. Prepare for step 2. Authenticatiod method is invalid"
        return False

    # Both ceremonies share the same acceptance rule.
    if (ceremony_status.getStatus() != Constants.RESULT_SUCCESS):
        print failure_message
        return False
    return True
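def authenticate(self, configurationAttributes, requestParameters, step):
    """Validate a CAS 2.0 service ticket (step 1) and, if needed, bind it to a local account (step 2).

    Step 1 expects a ``ticket`` request parameter. The ticket is checked by
    calling ``<cas_host>/serviceValidate`` with ``service`` (this server's
    ``/postlogin`` URL), ``renew=true`` when ``cas_renew_opt`` is set, the
    ticket, and any raw ``cas_extra_opts`` query text. The response is
    accepted only when it has no ``cas:authenticationFailure`` element and
    does carry a ``cas:user`` element.

    With ``cas_map_user`` enabled the CAS user id is looked up in the local
    ``oxExternalUid`` attribute as ``cas2:<uid>``; when nothing is bound yet
    the encrypted uid is stored in the event context and the flow is extended
    to two steps so the user can prove ownership of a local account with a
    password. Without ``cas_map_user`` the CAS uid must equal a local uid.

    Step 2 decrypts ``cas2_user_uid`` from the request, verifies the local
    username/password, and records ``cas2:<uid>`` on that account unless the
    uid is already bound, in which case it must be bound to that same account.

    Returns True when the step succeeded, False otherwise; unknown step
    numbers fail closed.
    """
    context = Contexts.getEventContext()
    authenticationService = AuthenticationService.instance()
    userService = UserService.instance()
    httpService = HttpService.instance()
    stringEncrypter = StringEncrypter.defaultInstance()

    cas_host = configurationAttributes.get("cas_host").getValue2()
    cas_extra_opts = configurationAttributes.get("cas_extra_opts").getValue2()
    cas_map_user = StringHelper.toBoolean(configurationAttributes.get("cas_map_user").getValue2(), False)
    cas_renew_opt = StringHelper.toBoolean(configurationAttributes.get("cas_renew_opt").getValue2(), False)

    def bind_local_user(found_user):
        # Shared tail of both step-1 branches: log in as the matched local
        # account and declare the flow complete after a single step.
        found_user_name = found_user.getUserId()
        print "CAS2 authenticate for step 1. found_user_name: " + found_user_name
        credentials = Identity.instance().getCredentials()
        credentials.setUsername(found_user_name)
        credentials.setUser(found_user)
        print "CAS2 authenticate for step 1. Setting count steps to 1"
        context.set("cas2_count_login_steps", 1)
        return True

    if (step == 1):
        print "CAS2 authenticate for step 1"

        ticket_array = requestParameters.get("ticket")
        if ArrayHelper.isEmpty(ticket_array):
            print "CAS2 authenticate for step 1. ticket is empty"
            return False

        ticket = ticket_array[0]
        # The raw ticket and, below, the full validation response go to the log;
        # treat the log as sensitive even though tickets are single-use.
        print "CAS2 authenticate for step 1. ticket: " + ticket
        if (StringHelper.isEmptyString(ticket)):
            print "CAS2 authenticate for step 1. ticket is invalid"
            return False

        # Validate ticket. "service" must be the URL the ticket was issued for.
        request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
        parametersMap = HashMap()
        parametersMap.put("service", httpService.constructServerUrl(request) + "/postlogin")
        if (cas_renew_opt):
            parametersMap.put("renew", "true")
        parametersMap.put("ticket", ticket)

        cas_service_request_uri = authenticationService.parametersAsString(parametersMap)
        cas_service_request_uri = cas_host + "/serviceValidate?" + cas_service_request_uri
        if StringHelper.isNotEmpty(cas_extra_opts):
            # Appended verbatim: this is operator configuration, not request input.
            cas_service_request_uri = cas_service_request_uri + "&" + cas_extra_opts
        print "CAS2 authenticate for step 1. cas_service_request_uri: " + cas_service_request_uri

        # The validation response is the trust anchor of this login, so the
        # HTTPS client must verify cas_host's certificate against the default
        # trust store. A trust-all client would let any party on the network
        # path answer in place of the CAS server.
        http_client = httpService.getHttpsClientDefaulTrustStore()
        http_response = httpService.executeGet(http_client, cas_service_request_uri)
        validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_response))
        print "CAS2 authenticate for step 1. validation_content: " + validation_content
        if StringHelper.isEmpty(validation_content):
            print "CAS2 authenticate for step 1. Ticket validation response is invalid"
            return False

        cas2_auth_failure = self.parse_tag(validation_content, "cas:authenticationFailure")
        print "CAS2 authenticate for step 1. cas2_auth_failure: ", cas2_auth_failure
        cas2_user_uid = self.parse_tag(validation_content, "cas:user")
        print "CAS2 authenticate for step 1. cas2_user_uid: ", cas2_user_uid
        if ((cas2_auth_failure != None) or (cas2_user_uid == None)):
            print "CAS2 authenticate for step 1. Ticket is invalid"
            return False

        if (cas_map_user):
            print "CAS2 authenticate for step 1. Attempting to find user by oxExternalUid: cas2:" + cas2_user_uid
            # Check if there is a user with the specified cas2_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid)
            if (find_user_by_uid == None):
                # Not bound yet: defer to step 2, where the user proves ownership
                # of a local account. The uid is encrypted because it round-trips
                # through the browser as a request parameter.
                print "CAS2 authenticate for step 1. Failed to find user"
                print "CAS2 authenticate for step 1. Setting count steps to 2"
                context.set("cas2_count_login_steps", 2)
                context.set("cas2_user_uid", stringEncrypter.encrypt(cas2_user_uid))
                return True
            return bind_local_user(find_user_by_uid)

        print "CAS2 authenticate for step 1. Attempting to find user by uid:" + cas2_user_uid
        # Check if there is a local user whose uid equals cas2_user_uid
        find_user_by_uid = userService.getUser(cas2_user_uid)
        if (find_user_by_uid == None):
            print "CAS2 authenticate for step 1. Failed to find user"
            return False
        return bind_local_user(find_user_by_uid)

    elif (step == 2):
        print "CAS2 authenticate for step 2"

        cas2_user_uid_array = requestParameters.get("cas2_user_uid")
        if ArrayHelper.isEmpty(cas2_user_uid_array):
            print "CAS2 authenticate for step 2. cas2_user_uid is empty"
            return False

        cas2_user_uid = stringEncrypter.decrypt(cas2_user_uid_array[0])
        passed_step1 = StringHelper.isNotEmptyString(cas2_user_uid)
        if (not passed_step1):
            return False

        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()
        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            logged_in = userService.authenticate(user_name, user_password)
        if (not logged_in):
            return False

        # Check if there is a user which already has cas2_user_uid.
        # Avoid mapping one CAS2 account to more than one IDP account.
        find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid)
        if (find_user_by_uid == None):
            # Add cas2_user_uid to the authenticated user's external UIDs
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "cas2:" + cas2_user_uid)
            if (find_user_by_uid == None):
                print "CAS2 authenticate for step 2. Failed to update current user"
                return False
            return True

        found_user_name = find_user_by_uid.getUserId()
        print "CAS2 authenticate for step 2. found_user_name: " + found_user_name
        # Already bound: succeed only if it is bound to the account that just authenticated
        if StringHelper.equals(user_name, found_user_name):
            return True
        return False

    else:
        return False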
UserId = self.getUserValueFromAuth("userid", requestParameters) except Exception, err: print("Passport: Error: " + str(err)) useBasicAuth = False if (StringHelper.isEmptyString(UserId)): useBasicAuth = True # Use basic method to log in if (useBasicAuth): print "Passport: Basic Authentication" credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = UserService.instance() logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False return True else: try: userService = UserService.instance() authenticationService = AuthenticationService.instance() foundUser = userService.getUserByAttribute("oxExternalUid", self.getUserValueFromAuth("provider", requestParameters) + ":" + self.getUserValueFromAuth( self.getUidRemoteAttr(), requestParameters))
# Wikid multi-step login. The Wikid client connection (self.wc) is checked
# first and an unconnected client fails closed. Step 1 verifies the local
# username/password via UserService and then decides whether a device
# registration step is needed: "wikid_count_login_steps" is set to 3 with
# "wikid_registration" True when the user has no associated device, else 2.
# Later steps are dispatched on the "wikid_registration" session flag rather
# than on the step number:
#   - registration: reads the "regcode" request parameter, calls
#     self.wc.registerUsername(user_name, regcode, wikid_server_code) and treats
#     result 0 as success, then stores "wikid:<regcode>" in the user's
#     oxExternalUid attribute and (apparently) clears the registration flag;
#   - passcode check: reads the "passcode" request parameter and returns
#     `is_valid`, whose computation lies in a redacted span.
# NOTE(review): several print statements on these lines were redacted
# ("******") by the source scrubber, so the exact log text and any code
# between the redactions cannot be verified here — confirm against the
# original script before changing this function.
def authenticate(self, configurationAttributes, requestParameters, step): print "Wikid. Authentication. Checking client" if (not self.wc.isConnected()): print "Wikid. Authentication. Wikid client state is invalid" return False context = Contexts.getEventContext() is_wikid_registration = False sessionAttributes = context.get("sessionAttributes") if (sessionAttributes != None) and sessionAttributes.containsKey("wikid_registration"): is_wikid_registration = java.lang.Boolean.valueOf(sessionAttributes.get("wikid_registration")) wikid_server_code = configurationAttributes.get("wikid_server_code").getValue2() credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() if (step == 1): print "Wikid. Authenticate for step 1" user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = UserService.instance() logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False print "Wikid. Authenticate for step 1. Attempting to find wikid_user: "******"Wikid. Authenticate for step 1. There is no associated devices for user: "******"Wikid. Authenticate for step 1. Setting count steps to 3" context.set("wikid_count_login_steps", 3) context.set("wikid_registration", True) else: context.set("wikid_count_login_steps", 2) return True elif (is_wikid_registration): print "Wikid. Authenticate for step wikid_register_device" userService = UserService.instance() wikid_regcode_array = requestParameters.get("regcode") if ArrayHelper.isEmpty(wikid_regcode_array): print "Wikid. Authenticate for step wikid_register_device. Regcode is empty" return False wikid_regcode = wikid_regcode_array[0] print "Wikid. Authenticate for step wikid_register_device. 
User: "******", regcode: " + wikid_regcode register_result = self.wc.registerUsername(user_name, wikid_regcode, wikid_server_code); is_valid = register_result == 0 if is_valid: print "Wikid. Authenticate for step wikid_register_device. User: "******" token registered successfully" # Add wikid_regcode to user UIDs find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "wikid:" + wikid_regcode) if (find_user_by_uid == None): print "Wikid. Authenticate for step wikid_register_device. Failed to update user: "******"wikid_registration", False) else: print "Wikid. Authenticate for step wikid_register_device. Failed to register user: "******" token:" + wikid_regcode + ". Registration result:", register_result return is_valid elif (not is_wikid_registration): print "Wikid. Authenticate for step wikid_check_passcode" wikid_passcode_array = requestParameters.get("passcode") if ArrayHelper.isEmpty(wikid_passcode_array): print "Wikid. Authenticate for step wikid_check_passcode. Passcode is empty" return False wikid_passcode = wikid_passcode_array[0] print "Wikid. Authenticate for step wikid_check_passcode. wikid_user: "******"Wikid. Authenticate for step wikid_check_passcode. wikid_user: "******" authenticated successfully" else: print "Wikid. Authenticate for step wikid_check_passcode. Failed to authenticate. wikid_user: " + user_name return is_valid else: return False
def containsAttributeString(self, dictionary, attribute):
    """Return True when *attribute* is a key of *dictionary* and its value is a
    non-empty string according to StringHelper; False otherwise."""
    if attribute not in dictionary:
        return False
    return StringHelper.isNotEmptyString(dictionary[attribute])
# Client-certificate login in three steps. Step 1 only checks that the login
# form was submitted ("loginForm:loginButton" present). Step 2 reads the
# client certificate chain from the servlet request attribute
# 'javax.servlet.request.X509Certificate', validates the first certificate
# with self.validateCertificate, records cert_selected / cert_valid /
# cert_x509 / cert_x509_fingerprint in the event context, and looks the
# fingerprint up as oxExternalUid "cert: <fingerprint>". When no account is
# bound and self.map_user_cert is set, the external uid is kept for step 3
# and True is returned; when mapping is not allowed the flow is capped at 2
# steps and False is returned. A missing or invalid certificate also returns
# True here by design (the inline comments say the UI uses the cert_* flags
# to tell the user how to reset the workflow), so a True from step 2 alone
# must not be read as a completed login. Step 3 re-reads
# cert_user_external_uid from the session, verifies username/password and
# binds the certificate to that account if no account holds it yet; unlike
# the CAS2/OneID step 2 on this page it does not compare an already-bound
# account with user_name — the password login still succeeds and the
# certificate is simply not re-bound.
# NOTE(review): the found-user branch of step 2 is partly redacted ("******")
# in this copy, so how `logged_in` is computed there cannot be verified.
def authenticate(self, configurationAttributes, requestParameters, step): credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() context = Contexts.getEventContext() userService = UserService.instance() if (step == 1): print "Cert. Authenticate for step 1" login_button = ServerUtil.getFirstValue(requestParameters, "loginForm:loginButton") if StringHelper.isEmpty(login_button): print "Cert. Authenticate for step 1. Form were submitted incorrectly" return False return True elif (step == 2): print "Cert. Authenticate for step 2" # Validate if user selected certificate request = FacesContext.getCurrentInstance().getExternalContext().getRequest() x509Certificates = request.getAttribute('javax.servlet.request.X509Certificate') if (x509Certificates == None) or (len(x509Certificates) == 0): print "Cert. Authenticate for step 2. User not selected any certs" context.set("cert_selected", False) # Return True to inform user how to reset workflow return True context.set("cert_selected", True) # Use only first certificate for validation x509Certificate = x509Certificates[0] print "Cert. Authenticate for step 2. User selected certificate with DN '%s'" % x509Certificate.getSubjectX500Principal() # Validate certificates which user selected valid = self.validateCertificate(x509Certificate) if not valid: print "Cert. Authenticate for step 2. Certificate DN '%s' is not valid" % x509Certificate.getSubjectX500Principal() context.set("cert_valid", False) # Return True to inform user how to reset workflow return True context.set("cert_valid", True) context.set("cert_x509", x509Certificate) # Calculate certificate fingerprint x509CertificateFingerprint = self.calculateCertificateFingerprint(x509Certificate) context.set("cert_x509_fingerprint", x509CertificateFingerprint) print "Cert. Authenticate for step 2. 
Fingerprint is '%s' of certificate with DN '%s'" % (x509CertificateFingerprint, x509Certificate.getSubjectX500Principal()) # Attempt to find user by certificate fingerprint cert_user_external_uid = "cert: %s" % x509CertificateFingerprint print "Cert. Authenticate for step 2. Attempting to find user by oxExternalUid attribute value %s" % cert_user_external_uid find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: print "Cert. Authenticate for step 2. Failed to find user" if self.map_user_cert: print "Cert. Authenticate for step 2. Storing cert_user_external_uid for step 3" context.set("cert_user_external_uid", cert_user_external_uid) return True else: print "Cert. Authenticate for step 2. Mapping cet to user account is not allowed" context.set("cert_count_login_steps", 2) return False foundUserName = find_user_by_external_uid.getUserId() print "Cert. Authenticate for step 2. foundUserName: "******"Cert. Authenticate for step 2. Setting count steps to 2" context.set("cert_count_login_steps", 2) return logged_in elif (step == 3): print "Cert. Authenticate for step 3" cert_user_external_uid = self.getSessionAttribute("cert_user_external_uid") if cert_user_external_uid == None: print "Cert. Authenticate for step 3. cert_user_external_uid is empty" return False credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False # Double check just to make sure. 
We did checking in previous step # Check if there is user which has cert_user_external_uid # Avoid mapping user cert to more than one IDP account find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: # Add cert_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: print "Cert. Authenticate for step 3. Failed to update current user" return False return True return True else: return False
# Google+ login. gplus_deployment_type selects "map" (bind the Google subject
# to an existing local account through oxExternalUid "gplus:<sub>", with a
# password step 2 when nothing is bound yet) or "enroll" (auto-create a local
# user from the userinfo claims via the configured attributes mapping, with sn
# and cn defaulting to the subject); any other value requires the subject to
# equal a local uid. An empty gplus_auth_code falls back to a plain
# username/password login with the step count set to 1.
# NOTE(review): `gplusAuthCodeArray[0]` is indexed without the
# ArrayHelper.isEmpty guard the other scripts on this page use, so a request
# that lacks the parameter entirely would raise instead of falling back.
# The subject is read from the ID token's claims while the existing
# "TODO: Validate ID Token Signature" still stands; the token comes from
# self.getTokensByCode (by its name, the authorization-code exchange), which
# limits but does not remove the need to validate signature, issuer and
# audience before trusting `sub`. Step 2 decrypts gplus_user_uid from the
# request, verifies the local password and binds "gplus:<sub>" unless it is
# already bound to some account. Several print statements in this copy are
# redacted ("******"), so the found-user paths (including how the user is
# authenticated after the lookup) cannot be verified here.
def authenticate(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() authenticationService = AuthenticationService.instance() userService = UserService.instance() encryptionService = EncryptionService.instance() mapUserDeployment = False enrollUserDeployment = False if (configurationAttributes.containsKey("gplus_deployment_type")): deploymentType = StringHelper.toLowerCase(configurationAttributes.get("gplus_deployment_type").getValue2()) if (StringHelper.equalsIgnoreCase(deploymentType, "map")): mapUserDeployment = True if (StringHelper.equalsIgnoreCase(deploymentType, "enroll")): enrollUserDeployment = True if (step == 1): print "Google+ authenticate for step 1" gplusAuthCodeArray = requestParameters.get("gplus_auth_code") gplusAuthCode = gplusAuthCodeArray[0] # Check if user uses basic method to log in useBasicAuth = False if (StringHelper.isEmptyString(gplusAuthCode)): useBasicAuth = True # Use basic method to log in if (useBasicAuth): print "Google+ authenticate for step 1. Basic authentication" context.set("gplus_count_login_steps", 1) credentials = Identity.instance().getCredentials() userName = credentials.getUsername() userPassword = credentials.getPassword() loggedIn = False if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)): userService = UserService.instance() loggedIn = userService.authenticate(userName, userPassword) if (not loggedIn): return False return True # Use Google+ method to log in print "Google+ authenticate for step 1. gplusAuthCode:", gplusAuthCode currentClientSecrets = self.getCurrentClientSecrets(self.clientSecrets, configurationAttributes, requestParameters) if (currentClientSecrets == None): print "Google+ authenticate for step 1. Client secrets configuration is invalid" return False print "Google+ authenticate for step 1. 
Attempting to gets tokens" tokenResponse = self.getTokensByCode(self.clientSecrets, configurationAttributes, gplusAuthCode); if ((tokenResponse == None) or (tokenResponse.getIdToken() == None) or (tokenResponse.getAccessToken() == None)): print "Google+ authenticate for step 1. Failed to get tokens" return False else: print "Google+ authenticate for step 1. Successfully gets tokens" jwt = Jwt.parse(tokenResponse.getIdToken()) # TODO: Validate ID Token Signature gplusUserUid = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER); print "Google+ authenticate for step 1. Found Google user ID in the ID token: ", gplusUserUid if (mapUserDeployment): # Use mapping to local IDP user print "Google+ authenticate for step 1. Attempting to find user by oxExternalUid: gplus:", gplusUserUid # Check if there is user with specified gplusUserUid foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid) if (foundUser == None): print "Google+ authenticate for step 1. Failed to find user" print "Google+ authenticate for step 1. Setting count steps to 2" context.set("gplus_count_login_steps", 2) context.set("gplus_user_uid", encryptionService.encrypt(gplusUserUid)) return True foundUserName = foundUser.getUserId() print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user" return False print "Google+ authenticate for step 1. Setting count steps to 1" context.set("gplus_count_login_steps", 1) postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser) print "Google+ authenticate for step 1. postLoginResult:", postLoginResult return postLoginResult elif (enrollUserDeployment): # Use auto enrollment to local IDP print "Google+ authenticate for step 1. 
Attempting to find user by oxExternalUid: gplus:", gplusUserUid # Check if there is user with specified gplusUserUid foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid) if (foundUser == None): # Auto user enrollemnt print "Google+ authenticate for step 1. There is no user in LDAP. Adding user to local LDAP" print "Google+ authenticate for step 1. Attempting to gets user info" userInfoResponse = self.getUserInfo(currentClientSecrets, configurationAttributes, tokenResponse.getAccessToken()) if ((userInfoResponse == None) or (userInfoResponse.getClaims().size() == 0)): print "Google+ authenticate for step 1. Failed to get user info" return False else: print "Google+ authenticate for step 1. Successfully gets user info" gplusResponseAttributes = userInfoResponse.getClaims() # Convert Google+ user claims to lover case gplusResponseNormalizedAttributes = HashMap() for gplusResponseAttributeEntry in gplusResponseAttributes.entrySet(): gplusResponseNormalizedAttributes.put( StringHelper.toLowerCase(gplusResponseAttributeEntry.getKey()), gplusResponseAttributeEntry.getValue()) currentAttributesMapping = self.getCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters) print "Google+ authenticate for step 1. Using next attributes mapping", currentAttributesMapping newUser = User() for attributesMappingEntry in currentAttributesMapping.entrySet(): idpAttribute = attributesMappingEntry.getKey() localAttribute = attributesMappingEntry.getValue() localAttributeValue = gplusResponseNormalizedAttributes.get(idpAttribute) if (localAttribute != None): newUser.setAttribute(localAttribute, localAttributeValue) if (newUser.getAttribute("sn") == None): newUser.setAttribute("sn", gplusUserUid) if (newUser.getAttribute("cn") == None): newUser.setAttribute("cn", gplusUserUid) newUser.setAttribute("oxExternalUid", "gplus:" + gplusUserUid) print "Google+ authenticate for step 1. 
Attempting to add user", gplusUserUid, " with next attributes", newUser.getCustomAttributes() foundUser = userService.addUser(newUser) print "Google+ authenticate for step 1. Added new user with UID", foundUser.getUserId() foundUserName = foundUser.getUserId() print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user" return False print "Google+ authenticate for step 1. Setting count steps to 1" context.set("gplus_count_login_steps", 1) postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser) print "Google+ authenticate for step 1. postLoginResult:", postLoginResult return postLoginResult else: # Check if the is user with specified gplusUserUid print "Google+ authenticate for step 1. Attempting to find user by uid:", gplusUserUid foundUser = userService.getUser(gplusUserUid) if (foundUser == None): print "Google+ authenticate for step 1. Failed to find user" return False foundUserName = foundUser.getUserId() print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user" return False print "Google+ authenticate for step 1. Setting count steps to 1" context.set("gplus_count_login_steps", 1) postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser) print "Google+ authenticate for step 1. postLoginResult:", postLoginResult return postLoginResult elif (step == 2): print "Google+ authenticate for step 2" gplusUserUidArray = requestParameters.get("gplus_user_uid") if ArrayHelper.isEmpty(gplusUserUidArray): print "Google+ authenticate for step 2. 
gplus_user_uid is empty" return False gplusUserUid = encryptionService.decrypt(gplusUserUidArray[0]) passedStep1 = StringHelper.isNotEmptyString(gplusUserUid) if (not passedStep1): return False credentials = Identity.instance().getCredentials() userName = credentials.getUsername() userPassword = credentials.getPassword() loggedIn = False if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)): loggedIn = userService.authenticate(userName, userPassword) if (not loggedIn): return False # Check if there is user which has gplusUserUid # Avoid mapping Google account to more than one IDP account foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid) if (foundUser == None): # Add gplusUserUid to user one id UIDs foundUser = userService.addUserAttribute(userName, "oxExternalUid", "gplus:" + gplusUserUid) if (foundUser == None): print "Google+ authenticate for step 2. Failed to update current user" return False postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser) print "Google+ authenticate for step 2. postLoginResult:", postLoginResult return postLoginResult else: foundUserName = foundUser.getUserId() print "Google+ authenticate for step 2. foundUserName:"******"Google+ authenticate for step 2. postLoginResult:", postLoginResult return postLoginResult return False else: return False
def isPassedDefaultAuthentication(self):
    """Return True when the current credentials already carry a non-empty username.

    Must be *called*: elsewhere on this page it is referenced as
    ``self.isPassedDefaultAuthentication`` without parentheses, which yields
    the bound method object and is therefore always truthy.
    """
    return StringHelper.isNotEmptyString(Identity.instance().getCredentials().getUsername())
# OneID login. Step 1 reads the "json_data" request parameter, POSTs it to
# <authn.helper_server>/validate with base64 "api_id:api_key" credentials
# (loaded from oneid_creds_file through authn.set_credentials()) over an
# HTTPS client that uses the default trust store, and accepts the result only
# when authn.success(validation_resp) holds. The validation response is then
# merged over the parsed request JSON and the user id is read from the merged
# dict's 'uid' key.
# NOTE(review): a key present only in the client-supplied json_data and
# absent from the validation response survives the merge, so confirm that the
# validate endpoint always returns 'uid' — otherwise the uid would originate
# from the browser rather than from OneID.
# The uid is looked up as oxExternalUid "oneid:<uid>"; when unbound it is
# stored in the event context (unencrypted; step 2 reads it back from the
# server-side sessionAttributes, not from the request, unlike the CAS2 and
# Google+ scripts on this page) and the flow is extended to two steps. Step 2
# verifies the local username/password and binds "oneid:<uid>" to that
# account unless it is already bound, in which case the bound account must be
# the one that just authenticated.
# NOTE(review): in this collapsed copy the step-2 text starting with
# "# credentials = Identity.instance()..." makes the comment/code boundary
# ambiguous; `credentials` is used immediately after, so presumably only a
# marker comment precedes the assignment in the original — confirm before
# editing.
def authenticate(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() authenticationService = AuthenticationService.instance() userService = UserService.instance() httpService = HttpService.instance(); server_flag = configurationAttributes.get("oneid_server_flag").getValue2() callback_attrs = configurationAttributes.get("oneid_callback_attrs").getValue2() creds_file = configurationAttributes.get("oneid_creds_file").getValue2() # Create OneID authn = OneID(server_flag) # Set path to credentials file authn.creds_file = creds_file; if (step == 1): print "OneId. Authenticate for step 1" # Find OneID request json_data_array = requestParameters.get("json_data") if ArrayHelper.isEmpty(json_data_array): print "OneId. Authenticate for step 1. json_data is empty" return False request = json_data_array[0] print "OneId. Authenticate for step 1. request: " + request if (StringHelper.isEmptyString(request)): return False authn.set_credentials() # Validate request http_client = httpService.getHttpsClientDefaulTrustStore(); auth_data = httpService.encodeBase64(authn.api_id + ":" + authn.api_key) http_response = httpService.executePost(http_client, authn.helper_server + "/validate", auth_data, request, ContentType.APPLICATION_JSON) validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_response)) print "OneId. Authenticate for step 1. validation_content: " + validation_content if (StringHelper.isEmptyString(validation_content)): return False validation_resp = json.loads(validation_content) print "OneId. Authenticate for step 1. validation_resp: " + str(validation_resp) if (not authn.success(validation_resp)): return False response = json.loads(request) for x in validation_resp: response[x] = validation_resp[x] oneid_user_uid = response['uid'] print "OneId. Authenticate for step 1. 
oneid_user_uid: " + oneid_user_uid # Check if the is user with specified oneid_user_uid find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "oneid:" + oneid_user_uid) if (find_user_by_uid == None): print "OneId. Authenticate for step 1. Failed to find user" print "OneId. Authenticate for step 1. Setting count steps to 2" context.set("oneid_count_login_steps", 2) context.set("oneid_user_uid", oneid_user_uid) return True found_user_name = find_user_by_uid.getUserId() print "OneId. Authenticate for step 1. found_user_name: " + found_user_name credentials = Identity.instance().getCredentials() credentials.setUsername(found_user_name) credentials.setUser(find_user_by_uid) print "OneId. Authenticate for step 1. Setting count steps to 1" context.set("oneid_count_login_steps", 1) return True elif (step == 2): print "OneId. Authenticate for step 2" sessionAttributes = context.get("sessionAttributes") if (sessionAttributes == None) or not sessionAttributes.containsKey("oneid_user_uid"): print "OneId. Authenticate for step 2. 
oneid_user_uid is empty" return False oneid_user_uid = sessionAttributes.get("oneid_user_uid") passed_step1 = StringHelper.isNotEmptyString(oneid_user_uid) if (not passed_step1): return False # credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() passed_step1 = StringHelper.isNotEmptyString(user_name) if (not passed_step1): return False # credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False # Check if there is user which has oneid_user_uid # Avoid mapping OneID account to more than one IDP account find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "oneid:" + oneid_user_uid) if (find_user_by_uid == None): # Add oneid_user_uid to user one id UIDs find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "oneid:" + oneid_user_uid) if (find_user_by_uid == None): print "OneId. Authenticate for step 2. Failed to update current user" return False return True else: found_user_name = find_user_by_uid.getUserId() print "OneId. Authenticate for step 2. found_user_name: " + found_user_name if StringHelper.equals(user_name, found_user_name): return True return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() if (step == 1): print "PhoneFactor. Authenticate for step 1" user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = UserService.instance() logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False return True elif (step == 2): print "PhoneFactor. Authenticate for step 2" passed_step1 = self.isPassedDefaultAuthentication if (not passed_step1): return False pf_phone_number_attr = configurationAttributes.get("pf_phone_number_attr").getValue2() # Get user entry from credentials credentials_user = credentials.getUser() userService = UserService.instance() phone_number_with_country_code_attr = userService.getCustomAttribute(credentials_user, pf_phone_number_attr) if (phone_number_with_country_code_attr == None): print "PhoneFactor. Authenticate for step 2. There is no phone number: ", user_name return False phone_number_with_country_code = phone_number_with_country_code_attr.getValue() if (phone_number_with_country_code == None): print "PhoneFactor. Authenticate for step 2. There is no phone number: ", user_name return False pf_country_delimiter = configurationAttributes.get("pf_country_delimiter").getValue2() phone_number_with_country_code_array = string.split(phone_number_with_country_code, pf_country_delimiter, 1) phone_number_with_country_code_array_len = len(phone_number_with_country_code_array) if (phone_number_with_country_code_array_len == 1): country_code = "" phone_number = phone_number_with_country_code_array[0] else: country_code = phone_number_with_country_code_array[0] phone_number = phone_number_with_country_code_array[1] print "PhoneFactor. Authenticate for step 2. 
user_name: ", user_name, ", country_code: ", country_code, ", phone_number: ", phone_number pf_auth_result = None try: pf_auth_result = self.pf.authenticate(user_name, country_code, phone_number, None, None, None) except SecurityException, err: print "PhoneFactor. Authenticate for step 2. BAD AUTH -- Security issue: ", err except TimeoutException, err: print "PhoneFactor. Authenticate for step 2. BAD AUTH -- Server timeout: ", err
def authenticate(self, configurationAttributes, requestParameters, step):
    """Run one step of the "Basic (with password update)" flow.

    Step 1 checks the username/password from the current credentials
    against UserService. Step 2 loads the user entry, reads its
    ``oxPasswordExpirationDate`` attribute and, when the previous
    expiration date is already in the past, computes a new expiration
    date and handles the optional password-update form submission.

    Returns True when a step succeeds and False when it fails.
    NOTE(review): block nesting was reconstructed from a collapsed listing;
    as formatted here, step 2 falls off the end (returns None) when the
    password has not expired -- confirm against the original indentation.
    """
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()
    if (step == 1):
        print "Basic (with password update). Authenticate for step 1"
        user_password = credentials.getPassword()
        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)
        if (not logged_in):
            return False
        return True
    elif (step == 2):
        userService = UserService.instance()
        find_user_by_uid = userService.getUser(user_name)
        if (find_user_by_uid == None):
            print "Basic (with password update). Authenticate for step 2. Failed to find user"
            return False
        # Second argument's meaning is not visible here -- see getAttribute's contract.
        user_expDate = find_user_by_uid.getAttribute("oxPasswordExpirationDate", False)
        if (user_expDate == None):
            print "Failed to get Date"
            return False
        print "Exp Date is : '" + user_expDate + "' ."
        # Naive local time; parseDate/previousExpDate/newExpirationDate are
        # defined elsewhere in this class -- presumably they return naive
        # datetimes too, otherwise the comparison below would fail. Confirm.
        now = datetime.datetime.now()
        myDate = self.parseDate(user_expDate)
        prevExpDate = self.previousExpDate(myDate)
        expDate = self.newExpirationDate(myDate)
        temp = expDate.strftime("%y%m%d")
        # NOTE(review): expDate supports strftime on the line above, so
        # concatenating strings onto it here looks like it would raise a
        # TypeError unless newExpirationDate returns a str-like value --
        # confirm its return type. The fixed "195000Z" suffix is the
        # generalized-time component of the stored attribute.
        expDate = (expDate + temp + "195000Z")
        if prevExpDate < now:
            print "Basic (with password update). Authenticate for step 2"
            # Expiration is advanced before any new password is checked; it is
            # only persisted if updateUser below is reached.
            find_user_by_uid.setAttribute("oxPasswordExpirationDate", expDate)
            update_button = requestParameters.get("loginForm:updateButton")
            if ArrayHelper.isEmpty(update_button):
                # Form submitted without the update button: accept the login as-is.
                return True
            new_password_array = requestParameters.get("new_password")
            if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
                print "Basic (with password update). Authenticate for step 2. New password is empty"
                return False
            new_password = new_password_array[0]
            print "Basic (with password update). Authenticate for step 2. Attempting to set new user '" + user_name + "' password"
            # NOTE(review): new_password is read but never written to
            # find_user_by_uid before updateUser, so only the expiration date
            # attribute is persisted here and the password itself is not
            # changed. No strength/policy check on new_password is visible
            # here either.
            userService.updateUser(find_user_by_uid)
            print "Basic (with password update). Authenticate for step 2. Password updated successfully"
            return True
    else:
        return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Run one step of the InWebo authentication flow.

    Reads ``iw_api_uri``, ``iw_service_id`` and ``iw_helium_enabled`` from
    the script configuration. With Helium enabled the flow is a single
    step: the login and password (InWebo token) come from the request
    parameters, the token is validated through ``self.validateInweboToken``
    and the user is then authenticated by name only. Otherwise step 1 is a
    normal username/password check and step 2 validates the ``iw_token``
    request parameter for the already-authenticated user.

    Returns True when a step succeeds and False when it fails.
    """
    context = Contexts.getEventContext()
    userService = UserService.instance()
    iw_api_uri = configurationAttributes.get("iw_api_uri").getValue2()
    iw_service_id = configurationAttributes.get("iw_service_id").getValue2()
    # Java Boolean parsing of the configuration string.
    iw_helium_enabled = Boolean(configurationAttributes.get("iw_helium_enabled").getValue2()).booleanValue()
    if (iw_helium_enabled):
        # Helium collapses the flow to one step.
        context.set("iw_count_login_steps", 1)
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()
    if (step == 1):
        print "InWebo. Authenticate for step 1"
        print "InWebo. Authenticate for step 1. iw_helium_enabled:", iw_helium_enabled
        user_password = credentials.getPassword()
        if (iw_helium_enabled):
            # In Helium mode the identity comes from the "login" request
            # parameter, not from the credentials object read above.
            login_array = requestParameters.get("login")
            if ArrayHelper.isEmpty(login_array):
                print "InWebo. Authenticate for step 1. login is empty"
                return False
            user_name = login_array[0]
            password_array = requestParameters.get("password")
            if ArrayHelper.isEmpty(password_array):
                print "InWebo. Authenticate for step 1. password is empty"
                return False
            user_password = password_array[0]
            # The "password" field carries the InWebo token here; its validation
            # is the only check binding this request to user_name, since the
            # directory authentication below takes no password.
            response_validation = self.validateInweboToken(iw_api_uri, iw_service_id, user_name, user_password)
            if (not response_validation):
                return False
            logged_in = False
            if (StringHelper.isNotEmptyString(user_name)):
                userService = UserService.instance()
                # Password-less authenticate: establishes the session for user_name.
                logged_in = userService.authenticate(user_name)
            return logged_in
        else:
            logged_in = False
            if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
                userService = UserService.instance()
                logged_in = userService.authenticate(user_name, user_password)
            return logged_in
        # Unreachable: both branches above return.
        return True
    elif (step == 2):
        print "InWebo. Authenticate for step 2"
        # Attribute read, not a call; presumably set by the step-1 flow
        # elsewhere in this class -- confirm.
        passed_step1 = self.isPassedDefaultAuthentication
        if (not passed_step1):
            return False
        iw_token_array = requestParameters.get("iw_token")
        if ArrayHelper.isEmpty(iw_token_array):
            print "InWebo. Authenticate for step 2. iw_token is empty"
            return False
        iw_token = iw_token_array[0]
        # Second factor: the token is checked against the name from credentials.
        response_validation = self.validateInweboToken(iw_api_uri, iw_service_id, user_name, iw_token)
        return response_validation
    else:
        return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Run one step of the oxPush authentication flow.

    Step 1 checks username/password, loads the user entry and looks at its
    ``oxExternalUid`` values to find the paired oxPush deployment, then
    asks ``self.oxPushClient`` for that deployment's status. Step 2 either
    confirms an existing ``oxpush_user_uid`` in the session attributes or
    completes a pending pairing and stores ``"oxpush:" + uid`` on the user
    entry. Step 3 starts an oxPush authentication request and waits for it
    to be authorized via ``self.checkStatus``.

    Returns True when a step succeeds and False when it fails.
    NOTE(review): part of the step-1 body (the extraction of the oxPush UID
    from the external UIDs) is redacted in this copy; see the marked line.
    """
    context = Contexts.getEventContext()
    userService = UserService.instance()
    # Poll timeout (passed to checkStatus) and application name from config.
    oxpush_user_timeout = int(configurationAttributes.get("oxpush_user_timeout").getValue2())
    oxpush_application_name = configurationAttributes.get("oxpush_application_name").getValue2()
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()
    if (step == 1):
        print "oxPush. Authenticate for step 1"
        user_password = credentials.getPassword()
        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)
        if (not logged_in):
            return False
        # Find user by uid
        userService = UserService.instance()
        find_user_by_uid = userService.getUser(user_name)
        if (find_user_by_uid == None):
            print "oxPush. Authenticate for step 1. Failed to find user"
            return False
        # Check if the user paired account to phone
        user_external_uid_attr = userService.getCustomAttribute(find_user_by_uid, "oxExternalUid")
        if ((user_external_uid_attr == None) or (user_external_uid_attr.getValues() == None)):
            # NOTE(review): the code between the three string literals below
            # (the lookup of the "oxpush:" entry that sets oxpush_user_uid) is
            # redacted as "******" in this copy; the line does not parse as
            # shown. Restore it from the original script before use.
            print "oxPush. Authenticate for step 1. There is no external UIDs for user: "******"oxPush. Authenticate for step 1. There is no oxPush UID for user: "******"oxPush. Authenticate for step 1. oxpush_user_uid: ", oxpush_user_uid
        deployment_status = self.oxPushClient.getDeploymentStatus(oxpush_user_uid);
        if (deployment_status.result):
            print "oxPush. Authenticate for step 1. Deployment status is valid"
            if ("enabled" == deployment_status.status):
                print "oxPush. Authenticate for step 1. Deployment is enabled"
                # Hand the paired deployment id to the later steps.
                context.set("oxpush_user_uid", oxpush_user_uid)
            else:
                print "oxPush. Authenticate for step 1. Deployment is disabled"
                return False
        else:
            print "oxPush. Authenticate for step 1. Deployment status is invalid. Force user to pair again"
            # Remove oxpush_user_uid from user entry
            find_user_by_uid = userService.removeUserAttribute(user_name, "oxExternalUid", "oxpush:" + oxpush_user_uid)
            if (find_user_by_uid == None):
                print "oxPush. Authenticate for step 1. Failed to update current user"
                return False
        return True
    elif (step == 2):
        print "oxPush. Authenticate for step 2"
        # Attribute read, not a call; presumably set by the step-1 flow
        # elsewhere in this class -- confirm.
        passed_step1 = self.isPassedDefaultAuthentication
        if (not passed_step1):
            return False
        sessionAttributes = context.get("sessionAttributes")
        if (sessionAttributes == None) or not sessionAttributes.containsKey("oxpush_user_uid"):
            print "oxPush. Authenticate for step 2. oxpush_user_uid is empty"
            # NOTE(review): when sessionAttributes is None the condition above
            # is true and the containsKey call below raises instead of
            # returning False.
            if (not sessionAttributes.containsKey("oxpush_pairing_uid")):
                print "oxPush. Authenticate for step 2. oxpush_pairing_uid is empty"
                return False
            oxpush_pairing_uid = sessionAttributes.get("oxpush_pairing_uid")
            # Check pairing status
            pairing_status = self.checkStatus("pair", oxpush_pairing_uid, oxpush_user_timeout)
            if (pairing_status == None):
                print "oxPush. Authenticate for step 2. The pairing has not been authorized by user"
                return False
            oxpush_user_uid = pairing_status.deploymentId
            print "oxPush. Authenticate for step 2. Storing oxpush_user_uid in user entry", oxpush_user_uid
            # Store oxpush_user_uid in user entry
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "oxpush:" + oxpush_user_uid)
            if (find_user_by_uid == None):
                print "oxPush. Authenticate for step 2. Failed to update current user"
                return False
            context.set("oxpush_count_login_steps", 2)
            context.set("oxpush_user_uid", oxpush_user_uid)
        else:
            print "oxPush. Authenticate for step 2. Deployment status is valid"
        return True
    elif (step == 3):
        print "oxPush. Authenticate for step 3"
        passed_step1 = self.isPassedDefaultAuthentication
        if (not passed_step1):
            return False
        # NOTE(review): step 2 reads context.get("sessionAttributes") and then
        # calls containsKey on it; here the key is "oxpush_user_uid", which
        # steps 1 and 2 set to the uid itself, so the containsKey/get calls
        # below look like they target the wrong object -- confirm which key
        # was intended.
        sessionAttributes = context.get("oxpush_user_uid")
        if (sessionAttributes == None) or not sessionAttributes.containsKey("oxpush_user_uid"):
            print "oxPush. Authenticate for step 3. oxpush_user_uid is empty"
            return False
        oxpush_user_uid = sessionAttributes.get("oxpush_user_uid")
        # Reuses the passed_step1 name for a different check (non-empty uid).
        passed_step1 = StringHelper.isNotEmptyString(oxpush_user_uid)
        if (not passed_step1):
            return False
        # Initialize authentication process
        authentication_request = None
        try:
            authentication_request = self.oxPushClient.authenticate(oxpush_user_uid, user_name);
        except java.lang.Exception, err:
            print "oxPush. Authenticate for step 3. Failed to initialize authentication process: ", err
            return False
        if (not authentication_request.result):
            print "oxPush. Authenticate for step 3. Failed to initialize authentication process"
            return False
        # Check authentication status
        authentication_status = self.checkStatus("authenticate", authentication_request.authenticationId, oxpush_user_timeout)
        if (authentication_status == None):
            print "oxPush. Authenticate for step 3. The authentication has not been authorized by user"
            return False
        print "oxPush. Authenticate for step 3. The request was granted"
        return True