def init(self, customScript, configurationAttributes):
print "Basic (lock account). Initialization"
self.invalidLoginCountAttribute = "oxCountInvalidLogin"
if configurationAttributes.containsKey("invalid_login_count_attribute"):
self.invalidLoginCountAttribute = configurationAttributes.get("invalid_login_count_attribute").getValue2()
else:
print "Basic (lock account). Initialization. Using default attribute"
self.maximumInvalidLoginAttemps = 3
if configurationAttributes.containsKey("maximum_invalid_login_attemps"):
self.maximumInvalidLoginAttemps = StringHelper.toInteger(configurationAttributes.get("maximum_invalid_login_attemps").getValue2())
else:
print "Basic (lock account). Initialization. Using default number attempts"
self.lockExpirationTime = 180
if configurationAttributes.containsKey("lock_expiration_time"):
self.lockExpirationTime = StringHelper.toInteger(configurationAttributes.get("lock_expiration_time").getValue2())
else:
print "Basic (lock account). Initialization. Using default lock expiration time"
print "Basic (lock account). Initialized successfully. invalid_login_count_attribute: '%s', maximum_invalid_login_attemps: '%s', lock_expiration_time: '%s'" % (self.invalidLoginCountAttribute, self.maximumInvalidLoginAttemps, self.lockExpirationTime)
return True
def getCountAuthenticationSteps(self, configurationAttributes):
identity = CdiUtil.bean(Identity)
if identity.isSetWorkingParameter("otp_count_login_steps"):
return StringHelper.toInteger("%s" % identity.getWorkingParameter("otp_count_login_steps"))
else:
return 2
def init(self, customScript, configurationAttributes):
print "Cert. Initialization"
if not (configurationAttributes.containsKey("chain_cert_file_path")):
print "Cert. Initialization. Property chain_cert_file_path is mandatory"
return False
if not (configurationAttributes.containsKey("map_user_cert")):
print "Cert. Initialization. Property map_user_cert is mandatory"
return False
chain_cert_file_path = configurationAttributes.get("chain_cert_file_path").getValue2()
self.chain_certs = CertUtil.loadX509CertificateFromFile(chain_cert_file_path)
if self.chain_certs == None:
print "Cert. Initialization. Failed to load chain certificates from '%s'" % chain_cert_file_path
return False
print "Cert. Initialization. Loaded '%d' chain certificates" % self.chain_certs.size()
crl_max_response_size = 5 * 1024 * 1024 # 10Mb
if configurationAttributes.containsKey("crl_max_response_size"):
crl_max_response_size = StringHelper.toInteger(configurationAttributes.get("crl_max_response_size").getValue2(), crl_max_response_size)
print "Cert. Initialization. CRL max response size is '%d'" % crl_max_response_size
# Define array to order methods correctly
self.validator_types = [ 'generic', 'path', 'ocsp', 'crl']
self.validators = { 'generic' : [GenericCertificateVerifier(), False],
'path' : [PathCertificateVerifier(False), False],
'ocsp' : [OCSPCertificateVerifier(), False],
'crl' : [CRLCertificateVerifier(crl_max_response_size), False] }
for type in self.validator_types:
validator_param_name = "use_%s_validator" % type
if configurationAttributes.containsKey(validator_param_name):
validator_status = StringHelper.toBoolean(configurationAttributes.get(validator_param_name).getValue2(), False)
self.validators[type][1] = validator_status
print "Cert. Initialization. Validation method '%s' status: '%s'" % (type, self.validators[type][1])
self.map_user_cert = StringHelper.toBoolean(configurationAttributes.get("map_user_cert").getValue2(), False)
print "Cert. Initialization. map_user_cert: '%s'" % self.map_user_cert
self.enabled_recaptcha = self.initRecaptcha(configurationAttributes)
print "Cert. Initialization. enabled_recaptcha: '%s'" % self.enabled_recaptcha
print "Cert. Initialized successfully"
return True
def processOtpAuthentication(self, requestParameters, user_name, identity, otp_auth_method):
facesMessages = CdiUtil.bean(FacesMessages)
facesMessages.setKeepMessages()
userService = CdiUtil.bean(UserService)
otpCode = ServerUtil.getFirstValue(requestParameters, "loginForm:otpCode")
if StringHelper.isEmpty(otpCode):
facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to authenticate. OTP code is empty")
print "OTP. Process OTP authentication. otpCode is empty"
return False
if otp_auth_method == "enroll":
# Get key from session
otp_secret_key_encoded = identity.getWorkingParameter("otp_secret_key")
if otp_secret_key_encoded == None:
print "OTP. Process OTP authentication. OTP secret key is invalid"
return False
otp_secret_key = self.fromBase64Url(otp_secret_key_encoded)
if self.otpType == "hotp":
validation_result = self.validateHotpKey(otp_secret_key, 1, otpCode)
if (validation_result != None) and validation_result["result"]:
print "OTP. Process HOTP authentication during enrollment. otpCode is valid"
# Store HOTP Secret Key and moving factor in user entry
otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, validation_result["movingFactor"] )
# Add otp_user_external_uid to user's external GUID list
find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", otp_user_external_uid)
if find_user_by_external_uid != None:
return True
print "OTP. Process HOTP authentication during enrollment. Failed to update user entry"
elif self.otpType == "totp":
validation_result = self.validateTotpKey(otp_secret_key, otpCode,user_name)
if (validation_result != None) and validation_result["result"]:
print "OTP. Process TOTP authentication during enrollment. otpCode is valid"
# Store TOTP Secret Key and moving factor in user entry
otp_user_external_uid = "totp:%s" % otp_secret_key_encoded
# Add otp_user_external_uid to user's external GUID list
find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", otp_user_external_uid)
if find_user_by_external_uid != None:
return True
print "OTP. Process TOTP authentication during enrollment. Failed to update user entry"
elif otp_auth_method == "authenticate":
user_enrollments = self.findEnrollments(user_name)
if len(user_enrollments) == 0:
print "OTP. Process OTP authentication. There is no OTP enrollment for user '%s'" % user_name
facesMessages.add(FacesMessage.SEVERITY_ERROR, "There is no valid OTP user enrollments")
return False
if self.otpType == "hotp":
for user_enrollment in user_enrollments:
user_enrollment_data = user_enrollment.split(";")
otp_secret_key_encoded = user_enrollment_data[0]
# Get current moving factor from user entry
moving_factor = StringHelper.toInteger(user_enrollment_data[1])
otp_secret_key = self.fromBase64Url(otp_secret_key_encoded)
# Validate TOTP
validation_result = self.validateHotpKey(otp_secret_key, moving_factor, otpCode)
if (validation_result != None) and validation_result["result"]:
print "OTP. Process HOTP authentication during authentication. otpCode is valid"
otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, moving_factor )
new_otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, validation_result["movingFactor"] )
# Update moving factor in user entry
find_user_by_external_uid = userService.replaceUserAttribute(user_name, "oxExternalUid", otp_user_external_uid, new_otp_user_external_uid)
if find_user_by_external_uid != None:
return True
print "OTP. Process HOTP authentication during authentication. Failed to update user entry"
elif self.otpType == "totp":
for user_enrollment in user_enrollments:
otp_secret_key = self.fromBase64Url(user_enrollment)
# Validate TOTP
validation_result = self.validateTotpKey(otp_secret_key, otpCode, user_name)
if (validation_result != None) and validation_result["result"]:
print "OTP. Process TOTP authentication during authentication. otpCode is valid"
return True
facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to authenticate. OTP code is invalid")
print "OTP. Process OTP authentication. OTP code is invalid"
return False
def authenticate(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
if step == 1:
print "Basic (lock account). Authenticate for step 1"
facesMessages = CdiUtil.bean(FacesMessages)
facesMessages.setKeepMessages()
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
cacheService = CdiUtil.bean(CacheService)
userService = CdiUtil.bean(UserService)
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
try:
logged_in = authenticationService.authenticate(user_name, user_password)
except AuthenticationException:
print "Basic (lock account). Authenticate. Failed to authenticate user '%s'" % user_name
if logged_in:
self.setUserAttributeValue(user_name, self.invalidLoginCountAttribute, StringHelper.toString(0))
else:
countInvalidLoginArributeValue = self.getUserAttributeValue(user_name, self.invalidLoginCountAttribute)
userSatus = self.getUserAttributeValue(user_name, "gluuStatus")
print "Current user '%s' status is '%s'" % ( user_name, userSatus )
countInvalidLogin = StringHelper.toInteger(countInvalidLoginArributeValue, 0)
if countInvalidLogin < self.maximumInvalidLoginAttemps:
countInvalidLogin = countInvalidLogin + 1
remainingAttempts = self.maximumInvalidLoginAttemps - countInvalidLogin
print "Remaining login count attempts '%s' for user '%s'" % ( remainingAttempts, user_name )
self.setUserAttributeValue(user_name, self.invalidLoginCountAttribute, StringHelper.toString(countInvalidLogin))
if remainingAttempts > 0 and userSatus == "active":
facesMessages.add(FacesMessage.SEVERITY_INFO, StringHelper.toString(remainingAttempts)+" more attempt(s) before account is LOCKED!")
if (countInvalidLogin >= self.maximumInvalidLoginAttemps) and ((userSatus == None) or (userSatus == "active")):
print "Basic (lock account). Locking '%s' for '%s' seconds" % ( user_name, self.lockExpirationTime)
self.lockUser(user_name)
return False
if (countInvalidLogin >= self.maximumInvalidLoginAttemps) and userSatus == "inactive":
print "Basic (lock account). User '%s' is locked. Checking if we can unlock him" % user_name
unlock_and_authenticate = False
object_from_store = cacheService.get(None, "lock_user_" + user_name)
if object_from_store == None:
# Object in cache was expired. We need to unlock user
print "Basic (lock account). User locking details for user '%s' not exists" % user_name
unlock_and_authenticate = True
else:
# Analyze object from cache
user_lock_details = json.loads(object_from_store)
user_lock_details_locked = user_lock_details['locked']
user_lock_details_created = user_lock_details['created']
user_lock_details_created_date = LocalDateTime.parse(user_lock_details_created, DateTimeFormatter.ISO_LOCAL_DATE_TIME)
user_lock_details_created_diff = Duration.between(user_lock_details_created_date, LocalDateTime.now()).getSeconds()
print "Basic (lock account). Get user '%s' locking details. locked: '%s', Created: '%s', Difference in seconds: '%s'" % ( user_name, user_lock_details_locked, user_lock_details_created, user_lock_details_created_diff )
if user_lock_details_locked and user_lock_details_created_diff >= self.lockExpirationTime:
print "Basic (lock account). Unlocking user '%s' after lock expiration" % user_name
unlock_and_authenticate = True
if unlock_and_authenticate:
self.unLockUser(user_name)
self.setUserAttributeValue(user_name, self.invalidLoginCountAttribute, StringHelper.toString(0))
logged_in = authenticationService.authenticate(user_name, user_password)
if not logged_in:
# Update number of attempts
self.setUserAttributeValue(user_name, self.invalidLoginCountAttribute, StringHelper.toString(1))
if self.maximumInvalidLoginAttemps == 1:
# Lock user if maximum count login attempts is 1
self.lockUser(user_name)
return False
return logged_in
else:
return False
