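def lockUser(self, user_name):
        """Mark the account inactive and record a timed lock entry in the cache.

        Always returns None. Nothing is changed when ``user_name`` is empty,
        when no such user exists, or when the status attribute already reads
        "inactive".

        NOTE(review): the "Your account is locked" message is queued only
        when an existing account is newly locked; unknown user names return
        silently. If the caller shows nothing else in that case, the
        response tells a client whether the account exists. Confirm against
        the login page.
        """
        if StringHelper.isEmpty(user_name):
            return None

        # NOTE(review): this literal reads `.jans.tatus"` in the published
        # listing, which does not parse. "jansStatus" is the presumed
        # original; confirm against the directory schema in use.
        status_attribute = "jansStatus"

        userService = CdiUtil.bean(UserService)
        cacheService = CdiUtil.bean(CacheService)
        facesMessages = CdiUtil.bean(FacesMessages)
        facesMessages.setKeepMessages()

        find_user_by_uid = userService.getUser(user_name)
        if find_user_by_uid is None:
            return None

        status_attribute_value = userService.getCustomAttribute(find_user_by_uid, status_attribute)
        if status_attribute_value is not None:
            user_status = status_attribute_value.getValue()
            if StringHelper.equals(user_status, "inactive"):
                print("Basic (lock account). Lock user. User '%s' locked already" % user_name)
                return None

        userService.setCustomAttribute(find_user_by_uid, status_attribute, "inactive")
        userService.setCustomAttribute(find_user_by_uid, "oxTrustActive", "false")
        userService.updateUser(find_user_by_uid)

        object_to_store = json.dumps({'locked': True, 'created': LocalDateTime.now().toString()}, separators=(',', ':'))

        # NOTE(review): the directory entry is updated before the cache entry
        # is written. If the put below fails, the account stays inactive with
        # no lock record; presumably the record drives a later unlock, so
        # verify how that case is recovered.
        lock_seconds = StringHelper.toString(self.lockExpirationTime)
        cacheService.put(lock_seconds, "lock_user_" + user_name, object_to_store)
        facesMessages.add(FacesMessage.SEVERITY_ERROR, "Your account is locked. Please try again after " + lock_seconds + " secs")

        print("Basic (lock account). Lock user. User '%s' locked" % user_name)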
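    def validateTotpKey(self, secretKey, totpKey, user_name):
        """Check a submitted TOTP code and remember it so it cannot be reused.

        The code is accepted only when it equals the value generated from
        ``secretKey`` and differs from the last accepted value held in the
        user's "oxOTPCache" attribute. An accepted code is written to that
        attribute before returning.

        Returns ``{"result": True}`` on acceptance, ``{"result": False}``
        otherwise.

        NOTE(review): the replay check reads the cached value and writes the
        new one in separate calls, and no locking is visible here. Two
        concurrent requests carrying the same code may both pass; confirm
        whether the caller serialises them.
        """
        # An absent code must never validate, whatever the comparison helper
        # returns when both operands are null.
        if StringHelper.isEmpty(totpKey):
            return {"result": False}

        localTotpKey = self.generateTotpKey(secretKey)
        cachedOTP = self.getCachedOTP(user_name)

        code_matches = StringHelper.equals(localTotpKey, totpKey)
        already_used = StringHelper.equals(localTotpKey, cachedOTP)
        if not code_matches or already_used:
            return {"result": False}

        userService = CdiUtil.bean(UserService)
        if cachedOTP is None:
            userService.addUserAttribute(user_name, "oxOTPCache", localTotpKey)
        else:
            userService.replaceUserAttribute(user_name, "oxOTPCache", cachedOTP, localTotpKey)

        # The code value is kept out of the log; anyone who can read the log
        # has no need to see a one-time password.
        print("OTP. Caching OTP for user '%s'" % user_name)
        return {"result": True}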
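    def authenticate(self, configurationAttributes, requestParameters, step):
        """Run one step of the Duo login flow.

        Step 1 checks the user name and password, unless a user is already
        authenticated. When ``self.use_duo_group`` is set, it also stores
        "duo_count_login_steps" as a working parameter: 2 for members of the
        Duo group, 1 for everyone else.

        Step 2 verifies the "sig_response" request parameter with
        ``duo_web.verify_response`` and requires the user name it returns to
        equal the user authenticated in this session.

        Returns True when the step succeeds and False otherwise, including
        for any step other than 1 or 2.
        """
        # NOTE(review): the value is unused in this method. The lookup is
        # kept because dropping it would change what happens when "duo_host"
        # is not configured.
        duo_host = configurationAttributes.get("duo_host").getValue2()

        authenticationService = CdiUtil.bean(AuthenticationService)
        identity = CdiUtil.bean(Identity)

        if step == 1:
            print("Duo. Authenticate for step 1")

            # Another custom script may already have authenticated the user.
            user = authenticationService.getAuthenticatedUser()
            if user is None:
                credentials = identity.getCredentials()
                user_name = credentials.getUsername()
                user_password = credentials.getPassword()

                logged_in = False
                if (StringHelper.isNotEmptyString(user_name)
                        and StringHelper.isNotEmptyString(user_password)):
                    logged_in = authenticationService.authenticate(
                        user_name, user_password)

                if not logged_in:
                    return False

                user = authenticationService.getAuthenticatedUser()

            if self.use_duo_group:
                print("Duo. Authenticate for step 1. Checking if user belong to Duo group")
                is_member_duo_group = self.isUserMemberOfGroup(
                    user, self.audit_attribute, self.duo_group)
                if is_member_duo_group:
                    print("Duo. Authenticate for step 1. User '" + user.getUserId() + "' member of Duo group")
                    duo_count_login_steps = 2
                else:
                    self.processAuditGroup(user)
                    duo_count_login_steps = 1

                identity.setWorkingParameter("duo_count_login_steps",
                                             duo_count_login_steps)

            return True

        if step == 2:
            print("Duo. Authenticate for step 2")
            user = authenticationService.getAuthenticatedUser()
            if user is None:
                print("Duo. Authenticate for step 2. Failed to determine user name")
                return False

            user_name = user.getUserId()

            sig_response_array = requestParameters.get("sig_response")
            if ArrayHelper.isEmpty(sig_response_array):
                print("Duo. Authenticate for step 2. sig_response is empty")
                return False

            duo_sig_response = sig_response_array[0]

            # The signed response is deliberately not logged: it is the proof
            # of the second factor and has no place in log files.
            authenticated_username = duo_web.verify_response(
                self.ikey, self.skey, self.akey, duo_sig_response)

            # NOTE(review): this log line is masked (`"******"`) in the
            # published listing; the operand is restored from the message
            # label. %-formatting is used so that a None result from
            # verify_response is logged instead of raising on concatenation.
            print("Duo. Authenticate for step 2. authenticated_username: %s, expected user_name: %s"
                  % (authenticated_username, user_name))

            # The verified identity must be the user authenticated in step 1.
            # A valid response issued for a different account is rejected.
            if not StringHelper.equals(user_name, authenticated_username):
                return False

            self.processAuditGroup(user)

            return True

        return False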