def prepareForStep(self, configurationAttributes, requestParameters, step): print "Cert. Prepare for step %d" % step context = Contexts.getEventContext() if step == 1: if self.enabled_recaptcha: context.set("recaptcha_site_key", self.recaptcha_creds['site_key']) elif step == 2: # Store certificate in session externalContext = FacesContext.getCurrentInstance().getExternalContext() request = externalContext.getRequest() # Try to get certificate from header X-ClientCert clientCertificate = externalContext.getRequestHeaderMap().get("X-ClientCert") if clientCertificate != None: x509Certificate = self.certFromPemString(clientCertificate) context.set("cert_x509", self.certToString(x509Certificate)) print "Cert. Prepare for step 2. Storing user certificate obtained from 'X-ClientCert' header" return True # Try to get certificate from attribute javax.servlet.request.X509Certificate x509Certificates = request.getAttribute('javax.servlet.request.X509Certificate') if (x509Certificates != None) and (len(x509Certificates) > 0): context.set("cert_x509", self.certToString(x509Certificates[0])) print "Cert. Prepare for step 2. Storing user certificate obtained from 'javax.servlet.request.X509Certificate' attribute" return True if step < 4: return True else: return False
def prepareForStep(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() authenticationService = AuthenticationService.instance() if (step == 1): print "Saml. Prepare for step 1" httpService = HttpService.instance(); request = FacesContext.getCurrentInstance().getExternalContext().getRequest() assertionConsumerServiceUrl = httpService.constructServerUrl(request) + "/postlogin" print "Saml. Prepare for step 1. Prepared assertionConsumerServiceUrl:", assertionConsumerServiceUrl currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters) if (currentSamlConfiguration == None): print "Saml. Prepare for step 1. Client saml configuration is invalid" return False # Generate an AuthRequest and send it to the identity provider samlAuthRequest = AuthRequest(currentSamlConfiguration) external_auth_request_uri = currentSamlConfiguration.getIdpSsoTargetUrl() + "?SAMLRequest=" + samlAuthRequest.getRequest(True, assertionConsumerServiceUrl) print "Saml. Prepare for step 1. external_auth_request_uri:", external_auth_request_uri context.set("external_auth_request_uri", external_auth_request_uri) return True elif (step == 2): print "Saml. Prepare for step 2" return True else: return False
def prepareForStep(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() authenticationService = Component.getInstance(AuthenticationService) server_flag = configurationAttributes.get("oneid_server_flag").getValue2() callback_attrs = configurationAttributes.get("oneid_callback_attrs").getValue2() creds_file = configurationAttributes.get("oneid_creds_file").getValue2() # Create OneID authn = OneID(server_flag) # Set path to credentials file authn.creds_file = creds_file; if (step == 1): print "OneId. Prepare for step 1" request = FacesContext.getCurrentInstance().getExternalContext().getRequest() validation_page = request.getContextPath() + "/postlogin?" + "request_uri=&" + authenticationService.parametersAsString() print "OneId. Prepare for step 1. validation_page: " + validation_page oneid_login_button = authn.draw_signin_button(validation_page, callback_attrs, True) print "OneId. Prepare for step 1. oneid_login_button: " + oneid_login_button context.set("oneid_login_button", oneid_login_button) context.set("oneid_script_header", authn.script_header) context.set("oneid_form_script", authn.oneid_form_script) return True elif (step == 2): print "OneId. Prepare for step 2" return True else: return False
def prepareForStep(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() authenticationService = AuthenticationService.instance() if (step == 1): print "Saml. Prepare for step 1" httpService = HttpService.instance() request = FacesContext.getCurrentInstance().getExternalContext().getRequest() assertionConsumerServiceUrl = httpService.constructServerUrl(request) + "/postlogin" print "Saml. Prepare for step 1. Prepared assertionConsumerServiceUrl: '%s'" % assertionConsumerServiceUrl currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters) if (currentSamlConfiguration == None): print "Saml. Prepare for step 1. Client saml configuration is invalid" return False # Generate an AuthRequest and send it to the identity provider samlAuthRequest = AuthRequest(currentSamlConfiguration) external_auth_request_uri = currentSamlConfiguration.getIdpSsoTargetUrl() + "?SAMLRequest=" + samlAuthRequest.getRequest(True, assertionConsumerServiceUrl) print "Saml. Prepare for step 1. external_auth_request_uri: '%s'" % external_auth_request_uri context.set("external_auth_request_uri", external_auth_request_uri) return True elif (step == 2): print "Saml. Prepare for step 2" return True else: return False
def prepareForStep(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() authenticationService = AuthenticationService.instance() server_flag = configurationAttributes.get("oneid_server_flag").getValue2() callback_attrs = configurationAttributes.get("oneid_callback_attrs").getValue2() creds_file = configurationAttributes.get("oneid_creds_file").getValue2() # Create OneID authn = OneID(server_flag) # Set path to credentials file authn.creds_file = creds_file; if (step == 1): print "OneId. Prepare for step 1" request = FacesContext.getCurrentInstance().getExternalContext().getRequest() validation_page = request.getContextPath() + "/postlogin?" + "request_uri=&" + authenticationService.parametersAsString() print "OneId. Prepare for step 1. validation_page: " + validation_page oneid_login_button = authn.draw_signin_button(validation_page, callback_attrs, True) print "OneId. Prepare for step 1. oneid_login_button: " + oneid_login_button context.set("oneid_login_button", oneid_login_button) context.set("oneid_script_header", authn.script_header) context.set("oneid_form_script", authn.oneid_form_script) return True elif (step == 2): print "OneId. Prepare for step 2" return True else: return False
def authenticate(self, configurationAttributes, requestParameters, step): credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() if (step == 1): print "Tiqr authenticate for step 1" user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = UserService.instance() logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False return True elif (step == 2): print "Tiqr authenticate for step 2" passed_step1 = self.isPassedDefaultAuthentication if (not passed_step1): return False expected_user = credentials.getUser(); if (expected_user == None): print "Tiqr authenticate for step 2. expected user is empty" return False expected_user_name = expected_user.getUserId(); session = FacesContext.getCurrentInstance().getExternalContext().getSession(False) if (session == None): print "Tiqr authenticate for step 2. Session is not exist" return False authenticated_username = session.getValue("tiqr_user_uid") session.removeValue("tiqr_user_uid") print "Tiqr authenticate for step 2. authenticated_username: "******", expected user_name: " + expected_user_name if StringHelper.equals(expected_user_name, authenticated_username): return True return False else: return False
def validateRecaptcha(self, recaptcha_response): print "Cert. Validate recaptcha response" request = FacesContext.getCurrentInstance().getExternalContext().getRequest() remoteip = request.getHeader("X-FORWARDED-FOR") if remoteip == None: remoteip = request.getRemoteAddr() print "Cert. Validate recaptcha response. remoteip: '%s'" % remoteip httpService = Component.getInstance(HttpService); http_client = httpService.getHttpsClient(); http_client_params = http_client.getParams(); http_client_params.setIntParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, 15 * 1000); recaptcha_validation_url = "https://www.google.com/recaptcha/api/siteverify" recaptcha_validation_request = urllib.urlencode({ "secret" : self.recaptcha_creds['secret_key'], "response" : recaptcha_response, "remoteip" : remoteip }) recaptcha_validation_headers = { "Content-type" : "application/x-www-form-urlencoded", "Accept" : "application/json" } try: http_service_response = httpService.executePost(http_client, recaptcha_validation_url, None, recaptcha_validation_headers, recaptcha_validation_request) http_response = http_service_response.getHttpResponse() except: print "Cert. Validate recaptcha response. Exception: ", sys.exc_info()[1] return False try: if not httpService.isResponseStastusCodeOk(http_response): print "Cert. Validate recaptcha response. Get invalid response from validation server: ", str(http_response.getStatusLine().getStatusCode()) httpService.consume(http_response) return False response_bytes = httpService.getResponseContent(http_response) response_string = httpService.convertEntityToString(response_bytes) httpService.consume(http_response) finally: http_service_response.closeConnection() if response_string == None: print "Cert. Validate recaptcha response. Get empty response from validation server" return False response = json.loads(response_string) return response["success"]
def validateRecaptcha(self, recaptcha_response): print "Cert. Validate recaptcha response" request = FacesContext.getCurrentInstance().getExternalContext().getRequest() remoteip = request.getHeader("X-FORWARDED-FOR") if remoteip == None: remoteip = request.getRemoteAddr() print "Cert. Validate recaptcha response. remoteip: '%s'" % remoteip httpService = HttpService.instance(); http_client = httpService.getHttpsClient(); http_client_params = http_client.getParams(); http_client_params.setIntParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, 15 * 1000); recaptcha_validation_url = "https://www.google.com/recaptcha/api/siteverify" recaptcha_validation_request = urllib.urlencode({ "secret" : self.recaptcha_creds['secret_key'], "response" : recaptcha_response, "remoteip" : remoteip }) recaptcha_validation_headers = { "Content-type" : "application/x-www-form-urlencoded", "Accept" : "application/json" } try: http_service_response = httpService.executePost(http_client, recaptcha_validation_url, None, recaptcha_validation_headers, recaptcha_validation_request) http_response = http_service_response.getHttpResponse() except: print "Cert. Validate recaptcha response. Exception: ", sys.exc_info()[1] return False try: if not httpService.isResponseStastusCodeOk(http_response): print "Cert. Validate recaptcha response. Get invalid response from validation server: ", str(http_response.getStatusLine().getStatusCode()) httpService.consume(http_response) return False response_bytes = httpService.getResponseContent(http_response) response_string = httpService.convertEntityToString(response_bytes) httpService.consume(http_response) finally: http_service_response.closeConnection() if response_string == None: print "Cert. Validate recaptcha response. Get empty response from validation server" return False response = json.loads(response_string) return response["success"]
def prepareForStep(self, configurationAttributes, requestParameters, step): print "Cert. Prepare for step %d" % step context = Contexts.getEventContext() if step == 1: if self.enabled_recaptcha: context.set("recaptcha_site_key", self.recaptcha_creds['site_key']) elif step == 2: # Store certificate in session request = FacesContext.getCurrentInstance().getExternalContext().getRequest() x509Certificates = request.getAttribute('javax.servlet.request.X509Certificate') if (x509Certificates != None) and (len(x509Certificates) > 0): context.set("cert_x509", self.certToString(x509Certificates)) print "Cert. Prepare for step 2. Storing user certificate" if step < 4: return True else: return False
def prepareForStep(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() authenticationService = AuthenticationService.instance() httpService = HttpService.instance() cas_host = configurationAttributes.get("cas_host").getValue2() cas_renew_opt = StringHelper.toBoolean( configurationAttributes.get("cas_renew_opt").getValue2(), False) cas_extra_opts = None if (configurationAttributes.containsKey("cas_extra_opts")): cas_extra_opts = configurationAttributes.get( "cas_extra_opts").getValue2() if (step == 1): print "CAS2. Prepare for step 1" request = FacesContext.getCurrentInstance().getExternalContext( ).getRequest() parametersMap = HashMap() parametersMap.put( "service", httpService.constructServerUrl(request) + "/postlogin") if (cas_renew_opt): parametersMap.put("renew", "true") cas_service_request_uri = authenticationService.parametersAsString( parametersMap) cas_service_request_uri = cas_host + "/login?" + cas_service_request_uri if cas_extra_opts != None: cas_service_request_uri = cas_service_request_uri + "&" + cas_extra_opts print "CAS2. Prepare for step 1. cas_service_request_uri: " + cas_service_request_uri context.set("cas_service_request_uri", cas_service_request_uri) return True elif (step == 2): print "CAS2. Prepare for step 2" return True else: return False
def prepareForStep(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() authenticationService = AuthenticationService.instance() httpService = HttpService.instance(); cas_host = configurationAttributes.get("cas_host").getValue2() cas_renew_opt = StringHelper.toBoolean(configurationAttributes.get("cas_renew_opt").getValue2(), False) cas_extra_opts = None if (configurationAttributes.containsKey("cas_extra_opts")): cas_extra_opts = configurationAttributes.get("cas_extra_opts").getValue2() if (step == 1): print "CAS2. Prepare for step 1" print "CAS2. Prepare for step 1. Store current request parameters in session because CAS don't pass them via service URI" authenticationService.storeRequestParametersInSession() request = FacesContext.getCurrentInstance().getExternalContext().getRequest() parametersMap = HashMap() parametersMap.put("service", httpService.constructServerUrl(request) + "/postlogin") if (cas_renew_opt): parametersMap.put("renew", "true") cas_service_request_uri = authenticationService.parametersAsString(parametersMap) cas_service_request_uri = cas_host + "/login?" + cas_service_request_uri if cas_extra_opts != None: cas_service_request_uri = cas_service_request_uri + "&" + cas_extra_opts print "CAS2. Prepare for step 1. cas_service_request_uri: " + cas_service_request_uri context.set("cas_service_request_uri", cas_service_request_uri) return True elif (step == 2): print "CAS2. Prepare for step 2" return True else: return False
def prepareForStep(self, configurationAttributes, requestParameters, step): print "Cert. Prepare for step %d" % step context = Contexts.getEventContext() if step == 1: if self.enabled_recaptcha: context.set("recaptcha_site_key", self.recaptcha_creds['site_key']) elif step == 2: # Store certificate in session request = FacesContext.getCurrentInstance().getExternalContext( ).getRequest() x509Certificates = request.getAttribute( 'javax.servlet.request.X509Certificate') if (x509Certificates != None) and (len(x509Certificates) > 0): context.set("cert_x509", self.certToString(x509Certificates)) print "Cert. Prepare for step 2. Storing user certificate" if step < 4: return True else: return False
def authenticate(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() authenticationService = AuthenticationService.instance() userService = UserService.instance() saml_map_user = False saml_enroll_user = False saml_enroll_all_user_attr = False # Use saml_deployment_type only if there is no attributes mapping if (configurationAttributes.containsKey("saml_deployment_type")): saml_deployment_type = StringHelper.toLowerCase( configurationAttributes.get( "saml_deployment_type").getValue2()) if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")): saml_map_user = True if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")): saml_enroll_user = True if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")): saml_enroll_all_user_attr = True saml_allow_basic_login = False if (configurationAttributes.containsKey("saml_allow_basic_login")): saml_allow_basic_login = StringHelper.toBoolean( configurationAttributes.get( "saml_allow_basic_login").getValue2(), False) use_basic_auth = False if (saml_allow_basic_login): # Detect if user used basic authnetication method credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() if (StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password)): use_basic_auth = True if ((step == 1) and saml_allow_basic_login and use_basic_auth): print "Saml. Authenticate for step 1. Basic authentication" context.set("saml_count_login_steps", 1) credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = UserService.instance() logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False return True if (step == 1): print "Saml. Authenticate for step 1" currentSamlConfiguration = self.getCurrentSamlConfiguration( self.samlConfiguration, configurationAttributes, requestParameters) if (currentSamlConfiguration == None): print "Saml. Prepare for step 1. Client saml configuration is invalid" return False saml_response_array = requestParameters.get("SAMLResponse") if ArrayHelper.isEmpty(saml_response_array): print "Saml. Authenticate for step 1. saml_response is empty" return False saml_response = saml_response_array[0] print "Saml. Authenticate for step 1. saml_response: '%s'" % saml_response samlResponse = Response(currentSamlConfiguration) samlResponse.loadXmlFromBase64(saml_response) saml_validate_response = True if (configurationAttributes.containsKey("saml_validate_response")): saml_validate_response = StringHelper.toBoolean( configurationAttributes.get( "saml_validate_response").getValue2(), False) if (saml_validate_response): if (not samlResponse.isValid()): print "Saml. Authenticate for step 1. saml_response isn't valid" saml_response_attributes = samlResponse.getAttributes() print "Saml. Authenticate for step 1. attributes: '%s'" % saml_response_attributes if (saml_map_user): saml_user_uid = self.getSamlNameId(samlResponse) if saml_user_uid == None: return False # Use mapping to local IDP user print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid # Check if the is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute( "oxExternalUid", "saml:%s" % saml_user_uid) if (find_user_by_uid == None): print "Saml. Authenticate for step 1. Failed to find user" print "Saml. Authenticate for step 1. Setting count steps to 2" context.set("saml_count_login_steps", 2) context.set("saml_user_uid", saml_user_uid) return True found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate( found_user_name) if (user_authenticated == False): print "Saml. Authenticate for step 1. Failed to authenticate user" return False print "Saml. Authenticate for step 1. Setting count steps to 1" context.set("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin( configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif (saml_enroll_user): # Convert SAML response to user entry newUser = self.getMappedUser(configurationAttributes, requestParameters, saml_response_attributes) saml_user_uid = self.getNameId(samlResponse, newUser) if saml_user_uid == None: return False self.setDefaultUid(newUser, saml_user_uid) newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid) # Use auto enrollment to local IDP print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid # Check if there is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute( "oxExternalUid", "saml:%s" % saml_user_uid) if find_user_by_uid == None: # Auto user enrollment print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP" print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % ( saml_user_uid, newUser.getCustomAttributes()) user_unique = self.checkUserUniqueness(newUser) if not user_unique: print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId( ) facesMessages = FacesMessages.instance() facesMessages.add( StatusMessage.Severity.ERROR, "Failed to enroll. User with same key attributes exist already" ) FacesContext.getCurrentInstance().getExternalContext( ).getFlash().setKeepMessages(True) return False find_user_by_uid = userService.addUser(newUser, True) print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId( ) else: if self.updateUser: print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % ( saml_user_uid, newUser.getCustomAttributes()) find_user_by_uid.setCustomAttributes( newUser.getCustomAttributes()) userService.updateUser(find_user_by_uid) print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate( found_user_name) if (user_authenticated == False): print "Saml. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name return False print "Saml. Authenticate for step 1. Setting count steps to 1" context.set("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin( configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif (saml_enroll_all_user_attr): # Convert SAML response to user entry newUser = self.getMappedAllAttributesUser( saml_response_attributes) saml_user_uid = self.getNameId(samlResponse, newUser) if saml_user_uid == None: return False self.setDefaultUid(newUser, saml_user_uid) newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid) print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:%s" % saml_user_uid # Check if there is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute( "oxExternalUid", "saml:%s" % saml_user_uid) if (find_user_by_uid == None): # Auto user enrollment print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP" print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % ( saml_user_uid, newUser.getCustomAttributes()) user_unique = self.checkUserUniqueness(newUser) if not user_unique: print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId( ) facesMessages = FacesMessages.instance() facesMessages.add( StatusMessage.Severity.ERROR, "Failed to enroll. User with same key attributes exist already" ) FacesContext.getCurrentInstance().getExternalContext( ).getFlash().setKeepMessages(True) return False find_user_by_uid = userService.addUser(newUser, True) print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId( ) else: if self.updateUser: print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % ( saml_user_uid, newUser.getCustomAttributes()) find_user_by_uid.setCustomAttributes( newUser.getCustomAttributes()) userService.updateUser(find_user_by_uid) print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate( found_user_name) if (user_authenticated == False): print "Saml. Authenticate for step 1. Failed to authenticate user" return False print "Saml. Authenticate for step 1. Setting count steps to 1" context.set("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin( configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result else: if saml_user_uid == None: return False # Check if the is user with specified saml_user_uid print "Saml. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid find_user_by_uid = userService.getUser(saml_user_uid) if (find_user_by_uid == None): print "Saml. Authenticate for step 1. Failed to find user" return False found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate( found_user_name) if (user_authenticated == False): print "Saml. Authenticate for step 1. Failed to authenticate user" return False print "Saml. Authenticate for step 1. Setting count steps to 1" context.set("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin( configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif (step == 2): print "Saml. Authenticate for step 2" sessionAttributes = context.get("sessionAttributes") if (sessionAttributes == None ) or not sessionAttributes.containsKey("saml_user_uid"): print "Saml. Authenticate for step 2. saml_user_uid is empty" return False saml_user_uid = sessionAttributes.get("saml_user_uid") passed_step1 = StringHelper.isNotEmptyString(saml_user_uid) if (not passed_step1): return False credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False # Check if there is user which has saml_user_uid # Avoid mapping Saml account to more than one IDP account find_user_by_uid = userService.getUserByAttribute( "oxExternalUid", "saml:%s" % saml_user_uid) if (find_user_by_uid == None): # Add saml_user_uid to user one id UIDs find_user_by_uid = userService.addUserAttribute( user_name, "oxExternalUid", "saml:%s" % saml_user_uid) if (find_user_by_uid == None): print "Saml. Authenticate for step 2. Failed to update current user" return False post_login_result = self.samlExtensionPostLogin( configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result return post_login_result else: found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 2. found_user_name: '%s'" % found_user_name if StringHelper.equals(user_name, found_user_name): post_login_result = self.samlExtensionPostLogin( configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result return post_login_result return False else: return False
authenticationService = AuthenticationService.instance() foundUser = userService.getUserByAttribute("oxExternalUid", self.getUserValueFromAuth("provider", requestParameters) + ":" + self.getUserValueFromAuth( self.getUidRemoteAttr(), requestParameters)) if (foundUser == None): newUser = User() try: UserEmail = self.getUserValueFromAuth("email", requestParameters) except Exception, err: print("Passport: Error in getting user email: " + str(err)) if (StringHelper.isEmptyString(UserEmail)): facesMessages = FacesMessages.instance() FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True) facesMessages.clear() facesMessages.add(StatusMessage.Severity.ERROR, "Please provide your email.") print "Passport: Email was not received so sent error" return False for attributesMappingEntry in self.attributesMapping.entrySet(): remoteAttribute = attributesMappingEntry.getKey() localAttribute = attributesMappingEntry.getValue() localAttributeValue = self.getUserValueFromAuth(remoteAttribute, requestParameters) if ((localAttribute != None) & (localAttributeValue != "undefined") & ( localAttribute != "provider")): newUser.setAttribute(localAttribute, localAttributeValue) newUser.setAttribute("oxExternalUid", self.getUserValueFromAuth("provider", requestParameters) + ":" + self.getUserValueFromAuth(
def authenticate(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() authenticationService = AuthenticationService.instance() userService = UserService.instance() httpService = HttpService.instance(); stringEncrypter = StringEncrypter.defaultInstance() cas_host = configurationAttributes.get("cas_host").getValue2() cas_extra_opts = configurationAttributes.get("cas_extra_opts").getValue2() cas_map_user = StringHelper.toBoolean(configurationAttributes.get("cas_map_user").getValue2(), False) cas_renew_opt = StringHelper.toBoolean(configurationAttributes.get("cas_renew_opt").getValue2(), False) if (step == 1): print "CAS2 authenticate for step 1" ticket_array = requestParameters.get("ticket") if ArrayHelper.isEmpty(ticket_array): print "CAS2 authenticate for step 1. ticket is empty" return False ticket = ticket_array[0] print "CAS2 authenticate for step 1. ticket: " + ticket if (StringHelper.isEmptyString(ticket)): print "CAS2 authenticate for step 1. ticket is invalid" return False # Validate ticket request = FacesContext.getCurrentInstance().getExternalContext().getRequest() parametersMap = HashMap() parametersMap.put("service", httpService.constructServerUrl(request) + "/postlogin") if (cas_renew_opt): parametersMap.put("renew", "true") parametersMap.put("ticket", ticket) cas_service_request_uri = authenticationService.parametersAsString(parametersMap) cas_service_request_uri = cas_host + "/serviceValidate?" + cas_service_request_uri if StringHelper.isNotEmpty(cas_extra_opts): cas_service_request_uri = cas_service_request_uri + "&" + cas_extra_opts print "CAS2 authenticate for step 1. cas_service_request_uri: " + cas_service_request_uri http_client = httpService.getHttpsClientTrustAll(); http_response = httpService.executeGet(http_client, cas_service_request_uri) validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_response)) print "CAS2 authenticate for step 1. validation_content: " + validation_content if StringHelper.isEmpty(validation_content): print "CAS2 authenticate for step 1. Ticket validation response is invalid" return False cas2_auth_failure = self.parse_tag(validation_content, "cas:authenticationFailure") print "CAS2 authenticate for step 1. cas2_auth_failure: ", cas2_auth_failure cas2_user_uid = self.parse_tag(validation_content, "cas:user") print "CAS2 authenticate for step 1. cas2_user_uid: ", cas2_user_uid if ((cas2_auth_failure != None) or (cas2_user_uid == None)): print "CAS2 authenticate for step 1. Ticket is invalid" return False if (cas_map_user): print "CAS2 authenticate for step 1. Attempting to find user by oxExternalUid: cas2:" + cas2_user_uid # Check if the is user with specified cas2_user_uid find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid) if (find_user_by_uid == None): print "CAS2 authenticate for step 1. Failed to find user" print "CAS2 authenticate for step 1. Setting count steps to 2" context.set("cas2_count_login_steps", 2) context.set("cas2_user_uid", stringEncrypter.encrypt(cas2_user_uid)) return True found_user_name = find_user_by_uid.getUserId() print "CAS2 authenticate for step 1. found_user_name: " + found_user_name credentials = Identity.instance().getCredentials() credentials.setUsername(found_user_name) credentials.setUser(find_user_by_uid) print "CAS2 authenticate for step 1. Setting count steps to 1" context.set("cas2_count_login_steps", 1) return True else: print "CAS2 authenticate for step 1. Attempting to find user by uid:" + cas2_user_uid # Check if the is user with specified cas2_user_uid find_user_by_uid = userService.getUser(cas2_user_uid) if (find_user_by_uid == None): print "CAS2 authenticate for step 1. Failed to find user" return False found_user_name = find_user_by_uid.getUserId() print "CAS2 authenticate for step 1. found_user_name: " + found_user_name credentials = Identity.instance().getCredentials() credentials.setUsername(found_user_name) credentials.setUser(find_user_by_uid) print "CAS2 authenticate for step 1. Setting count steps to 1" context.set("cas2_count_login_steps", 1) return True elif (step == 2): print "CAS2 authenticate for step 2" cas2_user_uid_array = requestParameters.get("cas2_user_uid") if ArrayHelper.isEmpty(cas2_user_uid_array): print "CAS2 authenticate for step 2. cas2_user_uid is empty" return False cas2_user_uid = stringEncrypter.decrypt(cas2_user_uid_array[0]) passed_step1 = StringHelper.isNotEmptyString(cas2_user_uid) if (not passed_step1): return False credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False # Check if there is user which has cas2_user_uid # Avoid mapping CAS2 account to more than one IDP account find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid) if (find_user_by_uid == None): # Add cas2_user_uid to user one id UIDs find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "cas2:" + cas2_user_uid) if (find_user_by_uid == None): print "CAS2 authenticate for step 2. Failed to update current user" return False return True else: found_user_name = find_user_by_uid.getUserId() print "CAS2 authenticate for step 2. found_user_name: " + found_user_name if StringHelper.equals(user_name, found_user_name): return True return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() authenticationService = AuthenticationService.instance() userService = UserService.instance() saml_map_user = False saml_enroll_user = False saml_enroll_all_user_attr = False # Use saml_deployment_type only if there is no attributes mapping if (configurationAttributes.containsKey("saml_deployment_type")): saml_deployment_type = StringHelper.toLowerCase( configurationAttributes.get( "saml_deployment_type").getValue2()) if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")): saml_map_user = True if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")): saml_enroll_user = True if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")): saml_enroll_all_user_attr = True saml_allow_basic_login = False if (configurationAttributes.containsKey("saml_allow_basic_login")): saml_allow_basic_login = StringHelper.toBoolean( configurationAttributes.get( "saml_allow_basic_login").getValue2(), False) use_basic_auth = False if (saml_allow_basic_login): # Detect if user used basic authnetication method credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() if (StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password)): use_basic_auth = True if ((step == 1) and saml_allow_basic_login and use_basic_auth): print "Saml. Authenticate for step 1. Basic authentication" context.set("saml_count_login_steps", 1) credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = UserService.instance() logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False return True if (step == 1): print "Saml. Authenticate for step 1" currentSamlConfiguration = self.getCurrentSamlConfiguration( self.samlConfiguration, configurationAttributes, requestParameters) if (currentSamlConfiguration == None): print "Saml. Prepare for step 1. Client saml configuration is invalid" return False saml_response_array = requestParameters.get("SAMLResponse") if ArrayHelper.isEmpty(saml_response_array): print "Saml. Authenticate for step 1. saml_response is empty" return False saml_response = saml_response_array[0] print "Saml. Authenticate for step 1. saml_response: '%s'" % saml_response samlResponse = Response(currentSamlConfiguration) samlResponse.loadXmlFromBase64(saml_response) saml_validate_response = True if (configurationAttributes.containsKey("saml_validate_response")): saml_validate_response = StringHelper.toBoolean( configurationAttributes.get( "saml_validate_response").getValue2(), False) if (saml_validate_response): if (not samlResponse.isValid()): print "Saml. Authenticate for step 1. saml_response isn't valid" saml_response_name_id = samlResponse.getNameId() if (StringHelper.isEmpty(saml_response_name_id)): print "Saml. Authenticate for step 1. saml_response_name_id is invalid" return False print "Saml. Authenticate for step 1. saml_response_name_id: '%s'" % saml_response_name_id saml_response_attributes = samlResponse.getAttributes() print "Saml. Authenticate for step 1. attributes: '%s'" % saml_response_attributes # Use persistent Id as saml_user_uid saml_user_uid = saml_response_name_id if (saml_map_user): # Use mapping to local IDP user print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid # Check if the is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute( "oxExternalUid", "saml:" + saml_user_uid) if (find_user_by_uid == None): print "Saml. Authenticate for step 1. Failed to find user" print "Saml. Authenticate for step 1. Setting count steps to 2" context.set("saml_count_login_steps", 2) context.set("saml_user_uid", saml_user_uid) return True found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate( found_user_name) if (user_authenticated == False): print "Saml. Authenticate for step 1. Failed to authenticate user" return False print "Saml. Authenticate for step 1. Setting count steps to 1" context.set("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin( configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif (saml_enroll_user): # Use auto enrollment to local IDP print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid # Check if the is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute( "oxExternalUid", "saml:" + saml_user_uid) if (find_user_by_uid == None): # Auto user enrollemnt print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP" # Convert saml result attributes keys to lover case saml_response_normalized_attributes = HashMap() for saml_response_attribute_entry in saml_response_attributes.entrySet( ): saml_response_normalized_attributes.put( StringHelper.toLowerCase( saml_response_attribute_entry.getKey()), saml_response_attribute_entry.getValue()) currentAttributesMapping = self.prepareCurrentAttributesMapping( self.attributesMapping, configurationAttributes, requestParameters) print "Saml. Authenticate for step 1. Using next attributes mapping '%s'" % currentAttributesMapping newUser = User() # Set custom object classes if self.userObjectClasses != None: print "Saml. Authenticate for step 1. User custom objectClasses to add persons: '%s'" % Util.array2ArrayList( self.userObjectClasses) newUser.setCustomObjectClasses(self.userObjectClasses) for attributesMappingEntry in currentAttributesMapping.entrySet( ): idpAttribute = attributesMappingEntry.getKey() localAttribute = attributesMappingEntry.getValue() if self.debugEnrollment: print "Saml. Authenticate for step 1. Trying to map '%s' into '%s'" % ( idpAttribute, localAttribute) localAttributeValue = saml_response_normalized_attributes.get( idpAttribute) if (localAttributeValue != None): if self.debugEnrollment: print "Saml. Authenticate for step 1. Setting attribute '%s' value '%s'" % ( localAttribute, localAttributeValue) newUser.setAttribute(localAttribute, localAttributeValue) newUser.setAttribute("oxExternalUid", "saml:" + saml_user_uid) print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % ( saml_user_uid, newUser.getCustomAttributes()) user_unique = self.checkUserUniqueness(newUser) if not user_unique: print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getAttribute( "uid") facesMessages = FacesMessages.instance() facesMessages.add( StatusMessage.Severity.ERROR, "Failed to enroll. User with same key attributes exist already" ) FacesContext.getCurrentInstance().getExternalContext( ).getFlash().setKeepMessages(True) return False find_user_by_uid = userService.addUser(newUser, True) print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId( ) found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate( found_user_name) if (user_authenticated == False): print "Saml. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name return False print "Saml. Authenticate for step 1. Setting count steps to 1" context.set("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin( configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif (saml_enroll_all_user_attr): print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:" + saml_user_uid # Check if the is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute( "oxExternalUid", "saml:" + saml_user_uid) if (find_user_by_uid == None): print "Saml. Authenticate for step 1. Failed to find user" user = User() # Set custom object classes if self.userObjectClasses != None: print "Saml. Authenticate for step 1. User custom objectClasses to add persons: '%s'" % Util.array2ArrayList( self.userObjectClasses) user.setCustomObjectClasses(self.userObjectClasses) customAttributes = ArrayList() for key in saml_response_attributes.keySet(): ldapAttributes = attributeService.getAllAttributes() for ldapAttribute in ldapAttributes: saml2Uri = ldapAttribute.getSaml2Uri() if (saml2Uri == None): saml2Uri = attributeService.getDefaultSaml2Uri( ldapAttribute.getName()) if (saml2Uri == key): attribute = CustomAttribute( ldapAttribute.getName()) attribute.setValues(attributes.get(key)) customAttributes.add(attribute) attribute = CustomAttribute("oxExternalUid") attribute.setValue("saml:" + saml_user_uid) customAttributes.add(attribute) user.setCustomAttributes(customAttributes) if (user.getAttribute("sn") == None): attribute = CustomAttribute("sn") attribute.setValue(saml_user_uid) customAttributes.add(attribute) if (user.getAttribute("cn") == None): attribute = CustomAttribute("cn") attribute.setValue(saml_user_uid) customAttributes.add(attribute) user_unique = self.checkUserUniqueness(user) if not user_unique: print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getAttribute( "uid") facesMessages = FacesMessages.instance() facesMessages.add( StatusMessage.Severity.ERROR, "Failed to enroll. User with same key attributes exist already" ) FacesContext.getCurrentInstance().getExternalContext( ).getFlash().setKeepMessages(True) return False find_user_by_uid = userService.addUser(user, True) print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId( ) found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate( found_user_name) if (user_authenticated == False): print "Saml. Authenticate for step 1. Failed to authenticate user" return False print "Saml. Authenticate for step 1. Setting count steps to 1" context.set("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin( configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result else: # Check if the is user with specified saml_user_uid print "Saml. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid find_user_by_uid = userService.getUser(saml_user_uid) if (find_user_by_uid == None): print "Saml. Authenticate for step 1. Failed to find user" return False found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate( found_user_name) if (user_authenticated == False): print "Saml. Authenticate for step 1. Failed to authenticate user" return False print "Saml. Authenticate for step 1. Setting count steps to 1" context.set("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin( configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif (step == 2): print "Saml. Authenticate for step 2" sessionAttributes = context.get("sessionAttributes") if (sessionAttributes == None ) or not sessionAttributes.containsKey("saml_user_uid"): print "Saml. Authenticate for step 2. saml_user_uid is empty" return False saml_user_uid = sessionAttributes.get("saml_user_uid") passed_step1 = StringHelper.isNotEmptyString(saml_user_uid) if (not passed_step1): return False credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False # Check if there is user which has saml_user_uid # Avoid mapping Saml account to more than one IDP account find_user_by_uid = userService.getUserByAttribute( "oxExternalUid", "saml:" + saml_user_uid) if (find_user_by_uid == None): # Add saml_user_uid to user one id UIDs find_user_by_uid = userService.addUserAttribute( user_name, "oxExternalUid", "saml:" + saml_user_uid) if (find_user_by_uid == None): print "Saml. Authenticate for step 2. Failed to update current user" return False post_login_result = self.samlExtensionPostLogin( configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result return post_login_result else: found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 2. found_user_name: '%s'" % found_user_name if StringHelper.equals(user_name, found_user_name): post_login_result = self.samlExtensionPostLogin( configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result return post_login_result return False else: return False
def processOtpAuthentication(self, requestParameters, user_name, session_attributes, otp_auth_method): facesMessages = FacesMessages.instance() FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True) userService = Component.getInstance(UserService) otpCode = ServerUtil.getFirstValue(requestParameters, "loginForm:otpCode") if StringHelper.isEmpty(otpCode): facesMessages.add(StatusMessage.Severity.ERROR, "Failed to authenticate. OTP code is empty") print "OTP. Process OTP authentication. otpCode is empty" return False if otp_auth_method == "enroll": # Get key from session otp_secret_key_encoded = session_attributes.get("otp_secret_key") if otp_secret_key_encoded == None: print "OTP. Process OTP authentication. OTP secret key is invalid" return False otp_secret_key = self.fromBase64Url(otp_secret_key_encoded) if self.otpType == "hotp": validation_result = self.validateHotpKey(otp_secret_key, 1, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process HOTP authentication during enrollment. otpCode is valid" # Store HOTP Secret Key and moving factor in user entry otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, validation_result["movingFactor"] ) # Add otp_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process HOTP authentication during enrollment. Failed to update user entry" elif self.otpType == "totp": validation_result = self.validateTotpKey(otp_secret_key, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process TOTP authentication during enrollment. otpCode is valid" # Store TOTP Secret Key and moving factor in user entry otp_user_external_uid = "totp:%s" % otp_secret_key_encoded # Add otp_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process TOTP authentication during enrollment. Failed to update user entry" elif otp_auth_method == "authenticate": user_enrollments = self.findEnrollments(user_name) if len(user_enrollments) == 0: print "OTP. Process OTP authentication. There is no OTP enrollment for user '%s'" % user_name facesMessages.add(StatusMessage.Severity.ERROR, "There is no valid OTP user enrollments") return False if self.otpType == "hotp": for user_enrollment in user_enrollments: user_enrollment_data = user_enrollment.split(";") otp_secret_key_encoded = user_enrollment_data[0] # Get current moving factor from user entry moving_factor = StringHelper.toInteger(user_enrollment_data[1]) otp_secret_key = self.fromBase64Url(otp_secret_key_encoded) # Validate TOTP validation_result = self.validateHotpKey(otp_secret_key, moving_factor, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process HOTP authentication during authentication. otpCode is valid" otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, moving_factor ) new_otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, validation_result["movingFactor"] ) # Update moving factor in user entry find_user_by_external_uid = userService.replaceUserAttribute(user_name, "oxExternalUid", otp_user_external_uid, new_otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process HOTP authentication during authentication. Failed to update user entry" elif self.otpType == "totp": for user_enrollment in user_enrollments: otp_secret_key = self.fromBase64Url(user_enrollment) # Validate TOTP validation_result = self.validateTotpKey(otp_secret_key, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process TOTP authentication during authentication. otpCode is valid" return True facesMessages.add(StatusMessage.Severity.ERROR, "Failed to authenticate. OTP code is invalid") print "OTP. Process OTP authentication. OTP code is invalid" return False
def processOtpAuthentication(self, requestParameters, user_name, session_attributes, otp_auth_method): facesMessages = FacesMessages.instance() FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True) userService = UserService.instance() otpCode = ServerUtil.getFirstValue(requestParameters, "loginForm:otpCode") if StringHelper.isEmpty(otpCode): facesMessages.add(StatusMessage.Severity.ERROR, "Failed to authenticate. OTP code is empty") print "OTP. Process OTP authentication. otpCode is empty" return False if otp_auth_method == "enroll": # Get key from session otp_secret_key_encoded = session_attributes.get("otp_secret_key") if otp_secret_key_encoded == None: print "OTP. Process OTP authentication. OTP secret key is invalid" return False otp_secret_key = self.fromBase64Url(otp_secret_key_encoded) if self.otpType == "hotp": validation_result = self.validateHotpKey(otp_secret_key, 1, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process HOTP authentication during enrollment. otpCode is valid" # Store HOTP Secret Key and moving factor in user entry otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, validation_result["movingFactor"] ) # Add otp_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process HOTP authentication during enrollment. Failed to update user entry" elif self.otpType == "totp": validation_result = self.validateTotpKey(otp_secret_key, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process TOTP authentication during enrollment. otpCode is valid" # Store TOTP Secret Key and moving factor in user entry otp_user_external_uid = "totp:%s" % otp_secret_key_encoded # Add otp_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process TOTP authentication during enrollment. Failed to update user entry" elif otp_auth_method == "authenticate": user_enrollments = self.findEnrollments(user_name) if len(user_enrollments) == 0: print "OTP. Process OTP authentication. There is no OTP enrollment for user '%s'" % user_name facesMessages.add(StatusMessage.Severity.ERROR, "There is no valid OTP user enrollments") return False if self.otpType == "hotp": for user_enrollment in user_enrollments: user_enrollment_data = user_enrollment.split(";") otp_secret_key_encoded = user_enrollment_data[0] # Get current moving factor from user entry moving_factor = StringHelper.toInteger(user_enrollment_data[1]) otp_secret_key = self.fromBase64Url(otp_secret_key_encoded) # Validate TOTP validation_result = self.validateHotpKey(otp_secret_key, moving_factor, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process HOTP authentication during authentication. otpCode is valid" otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, moving_factor ) new_otp_user_external_uid = "hotp:%s;%s" % ( otp_secret_key_encoded, validation_result["movingFactor"] ) # Update moving factor in user entry find_user_by_external_uid = userService.replaceUserAttribute(user_name, "oxExternalUid", otp_user_external_uid, new_otp_user_external_uid) if find_user_by_external_uid != None: return True print "OTP. Process HOTP authentication during authentication. Failed to update user entry" elif self.otpType == "totp": for user_enrollment in user_enrollments: otp_secret_key = self.fromBase64Url(user_enrollment) # Validate TOTP validation_result = self.validateTotpKey(otp_secret_key, otpCode) if (validation_result != None) and validation_result["result"]: print "OTP. Process TOTP authentication during authentication. otpCode is valid" return True facesMessages.add(StatusMessage.Severity.ERROR, "Failed to authenticate. OTP code is invalid") print "OTP. Process OTP authentication. OTP code is invalid" return False
def authenticate(self, configurationAttributes, requestParameters, step): credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() context = Contexts.getEventContext() userService = UserService.instance() if (step == 1): print "Cert. Authenticate for step 1" login_button = ServerUtil.getFirstValue(requestParameters, "loginForm:loginButton") if StringHelper.isEmpty(login_button): print "Cert. Authenticate for step 1. Form were submitted incorrectly" return False return True elif (step == 2): print "Cert. Authenticate for step 2" # Validate if user selected certificate request = FacesContext.getCurrentInstance().getExternalContext().getRequest() x509Certificates = request.getAttribute('javax.servlet.request.X509Certificate') if (x509Certificates == None) or (len(x509Certificates) == 0): print "Cert. Authenticate for step 2. User not selected any certs" context.set("cert_selected", False) # Return True to inform user how to reset workflow return True context.set("cert_selected", True) # Use only first certificate for validation x509Certificate = x509Certificates[0] print "Cert. Authenticate for step 2. User selected certificate with DN '%s'" % x509Certificate.getSubjectX500Principal() # Validate certificates which user selected valid = self.validateCertificate(x509Certificate) if not valid: print "Cert. Authenticate for step 2. Certificate DN '%s' is not valid" % x509Certificate.getSubjectX500Principal() context.set("cert_valid", False) # Return True to inform user how to reset workflow return True context.set("cert_valid", True) context.set("cert_x509", x509Certificate) # Calculate certificate fingerprint x509CertificateFingerprint = self.calculateCertificateFingerprint(x509Certificate) context.set("cert_x509_fingerprint", x509CertificateFingerprint) print "Cert. Authenticate for step 2. Fingerprint is '%s' of certificate with DN '%s'" % (x509CertificateFingerprint, x509Certificate.getSubjectX500Principal()) # Attempt to find user by certificate fingerprint cert_user_external_uid = "cert: %s" % x509CertificateFingerprint print "Cert. Authenticate for step 2. Attempting to find user by oxExternalUid attribute value %s" % cert_user_external_uid find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: print "Cert. Authenticate for step 2. Failed to find user" if self.map_user_cert: print "Cert. Authenticate for step 2. Storing cert_user_external_uid for step 3" context.set("cert_user_external_uid", cert_user_external_uid) return True else: print "Cert. Authenticate for step 2. Mapping cet to user account is not allowed" context.set("cert_count_login_steps", 2) return False foundUserName = find_user_by_external_uid.getUserId() print "Cert. Authenticate for step 2. foundUserName: "******"Cert. Authenticate for step 2. Setting count steps to 2" context.set("cert_count_login_steps", 2) return logged_in elif (step == 3): print "Cert. Authenticate for step 3" cert_user_external_uid = self.getSessionAttribute("cert_user_external_uid") if cert_user_external_uid == None: print "Cert. Authenticate for step 3. cert_user_external_uid is empty" return False credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False # Double check just to make sure. We did checking in previous step # Check if there is user which has cert_user_external_uid # Avoid mapping user cert to more than one IDP account find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: # Add cert_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: print "Cert. Authenticate for step 3. Failed to update current user" return False return True return True else: return False
def authenticate(self, configurationAttributes, requestParameters, step): if (step == 1): print("Basic (multi auth conf & lock account). Authenticate for step 1") credentials = Identity.instance().getCredentials() keyValue = credentials.getUsername() userPassword = credentials.getPassword() if not StringHelper.isNotEmptyString(keyValue) or not StringHelper.isNotEmptyString(userPassword): print("Basic (multi auth conf & lock account). Missing fields ") faces_messages = FacesMessages.instance() faces_messages.clear() FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True) faces_messages.addFromResourceBundle( FacesMessage.SEVERITY_ERROR, "login.missingField") return False keyValue = keyValue.strip() user_status = self.getUserAttributeValue(keyValue, "gluuStatus") if user_status is not None and user_status != "active": print("Basic (multi auth conf & lock account). Account locked for user '%s'" % keyValue) faces_messages = FacesMessages.instance() faces_messages.clear() FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True) faces_messages.addFromResourceBundle( FacesMessage.SEVERITY_ERROR, "login.accountLocked") return False if (StringHelper.isNotEmptyString(keyValue) and StringHelper.isNotEmptyString(userPassword)): authenticationService = Component.getInstance( AuthenticationService) logged_in = False for ldapExtendedEntryManager in self.ldapExtendedEntryManagers: if logged_in: break ldapConfiguration = ldapExtendedEntryManager["ldapConfiguration"] ldapEntryManager = ldapExtendedEntryManager["ldapEntryManager"] loginAttributes = ldapExtendedEntryManager["loginAttributes"] localLoginAttributes = ldapExtendedEntryManager["localLoginAttributes"] print("Basic (multi auth conf & lock account). Authenticate for step 1. Using configuration: " + ldapConfiguration.getConfigId()) idx = 0 count = len(loginAttributes) while (idx < count): primaryKey = loginAttributes[idx] localPrimaryKey = localLoginAttributes[idx] loggedIn = authenticationService.authenticate( ldapConfiguration, ldapEntryManager, keyValue, userPassword, primaryKey, localPrimaryKey) if (loggedIn): logged_in = True break idx += 1 if logged_in: self.setUserAttributeValue( keyValue, self.invalidLoginCountAttribute, StringHelper.toString(0)) return True countInvalidLoginArributeValue = self.getUserAttributeValue( keyValue, self.invalidLoginCountAttribute) countInvalidLogin = StringHelper.toInteger( countInvalidLoginArributeValue, 0) if countInvalidLogin < self.maximumInvalidLoginAttemps: countInvalidLogin = countInvalidLogin + 1 self.setUserAttributeValue( keyValue, self.invalidLoginCountAttribute, StringHelper.toString(countInvalidLogin)) if countInvalidLogin >= self.maximumInvalidLoginAttemps: self.lockUser(keyValue) self.setUserAttributeValue( keyValue, self.invalidLoginCountAttribute, StringHelper.toString(0)) return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() authenticationService = AuthenticationService.instance() userService = UserService.instance() httpService = HttpService.instance() cas_host = configurationAttributes.get("cas_host").getValue2() cas_map_user = StringHelper.toBoolean( configurationAttributes.get("cas_map_user").getValue2(), False) cas_renew_opt = StringHelper.toBoolean( configurationAttributes.get("cas_renew_opt").getValue2(), False) cas_extra_opts = None if (configurationAttributes.containsKey("cas_extra_opts")): cas_extra_opts = configurationAttributes.get( "cas_extra_opts").getValue2() if (step == 1): print "CAS2. Authenticate for step 1" ticket_array = requestParameters.get("ticket") if ArrayHelper.isEmpty(ticket_array): print "CAS2. Authenticate for step 1. ticket is empty" return False ticket = ticket_array[0] print "CAS2. Authenticate for step 1. ticket: " + ticket if (StringHelper.isEmptyString(ticket)): print "CAS2. Authenticate for step 1. ticket is invalid" return False # Validate ticket request = FacesContext.getCurrentInstance().getExternalContext( ).getRequest() parametersMap = HashMap() parametersMap.put( "service", httpService.constructServerUrl(request) + "/postlogin") if (cas_renew_opt): parametersMap.put("renew", "true") parametersMap.put("ticket", ticket) cas_service_request_uri = authenticationService.parametersAsString( parametersMap) cas_service_request_uri = cas_host + "/serviceValidate?" + cas_service_request_uri if (cas_extra_opts != None): cas_service_request_uri = cas_service_request_uri + "&" + cas_extra_opts print "CAS2. Authenticate for step 1. cas_service_request_uri: " + cas_service_request_uri http_client = httpService.getHttpsClient() http_service_response = httpService.executeGet( http_client, cas_service_request_uri) try: validation_content = httpService.convertEntityToString( httpService.getResponseContent( http_service_response.getHttpResponse())) finally: http_service_response.closeConnection() print "CAS2. Authenticate for step 1. validation_content: " + validation_content if StringHelper.isEmpty(validation_content): print "CAS2. Authenticate for step 1. Ticket validation response is invalid" return False cas2_auth_failure = self.parse_tag(validation_content, "cas:authenticationFailure") print "CAS2. Authenticate for step 1. cas2_auth_failure: ", cas2_auth_failure cas2_user_uid = self.parse_tag(validation_content, "cas:user") print "CAS2. Authenticate for step 1. cas2_user_uid: ", cas2_user_uid if ((cas2_auth_failure != None) or (cas2_user_uid == None)): print "CAS2. Authenticate for step 1. Ticket is invalid" return False if (cas_map_user): print "CAS2. Authenticate for step 1. Attempting to find user by oxExternalUid: cas2:" + cas2_user_uid # Check if the is user with specified cas2_user_uid find_user_by_uid = userService.getUserByAttribute( "oxExternalUid", "cas2:" + cas2_user_uid) if (find_user_by_uid == None): print "CAS2. Authenticate for step 1. Failed to find user" print "CAS2. Authenticate for step 1. Setting count steps to 2" context.set("cas2_count_login_steps", 2) context.set("cas2_user_uid", cas2_user_uid) return True found_user_name = find_user_by_uid.getUserId() print "CAS2. Authenticate for step 1. found_user_name: " + found_user_name credentials = Identity.instance().getCredentials() credentials.setUsername(found_user_name) credentials.setUser(find_user_by_uid) print "CAS2. Authenticate for step 1. Setting count steps to 1" context.set("cas2_count_login_steps", 1) return True else: print "CAS2. Authenticate for step 1. Attempting to find user by uid:" + cas2_user_uid # Check if the is user with specified cas2_user_uid find_user_by_uid = userService.getUser(cas2_user_uid) if (find_user_by_uid == None): print "CAS2. Authenticate for step 1. Failed to find user" return False found_user_name = find_user_by_uid.getUserId() print "CAS2. Authenticate for step 1. found_user_name: " + found_user_name credentials = Identity.instance().getCredentials() credentials.setUsername(found_user_name) credentials.setUser(find_user_by_uid) print "CAS2. Authenticate for step 1. Setting count steps to 1" context.set("cas2_count_login_steps", 1) return True elif (step == 2): print "CAS2. Authenticate for step 2" sessionAttributes = context.get("sessionAttributes") if (sessionAttributes == None ) or not sessionAttributes.containsKey("cas2_user_uid"): print "CAS2. Authenticate for step 2. cas2_user_uid is empty" return False cas2_user_uid = sessionAttributes.get("cas2_user_uid") passed_step1 = StringHelper.isNotEmptyString(cas2_user_uid) if (not passed_step1): return False credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False # Check if there is user which has cas2_user_uid # Avoid mapping CAS2 account to more than one IDP account find_user_by_uid = userService.getUserByAttribute( "oxExternalUid", "cas2:" + cas2_user_uid) if (find_user_by_uid == None): # Add cas2_user_uid to user one id UIDs find_user_by_uid = userService.addUserAttribute( user_name, "oxExternalUid", "cas2:" + cas2_user_uid) if (find_user_by_uid == None): print "CAS2. Authenticate for step 2. Failed to update current user" return False return True else: found_user_name = find_user_by_uid.getUserId() print "CAS2. Authenticate for step 2. found_user_name: " + found_user_name if StringHelper.equals(user_name, found_user_name): return True return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() authenticationService = AuthenticationService.instance() userService = UserService.instance() saml_map_user = False saml_enroll_user = False saml_enroll_all_user_attr = False # Use saml_deployment_type only if there is no attributes mapping if (configurationAttributes.containsKey("saml_deployment_type")): saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2()) if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")): saml_map_user = True if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")): saml_enroll_user = True if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")): saml_enroll_all_user_attr = True saml_allow_basic_login = False if (configurationAttributes.containsKey("saml_allow_basic_login")): saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False) use_basic_auth = False if (saml_allow_basic_login): # Detect if user used basic authnetication method credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() if (StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password)): use_basic_auth = True if ((step == 1) and saml_allow_basic_login and use_basic_auth): print "Saml. Authenticate for step 1. Basic authentication" context.set("saml_count_login_steps", 1) credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = UserService.instance() logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False return True if (step == 1): print "Saml. Authenticate for step 1" currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters) if (currentSamlConfiguration == None): print "Saml. Prepare for step 1. Client saml configuration is invalid" return False saml_response_array = requestParameters.get("SAMLResponse") if ArrayHelper.isEmpty(saml_response_array): print "Saml. Authenticate for step 1. saml_response is empty" return False saml_response = saml_response_array[0] print "Saml. Authenticate for step 1. saml_response: '%s'" % saml_response samlResponse = Response(currentSamlConfiguration) samlResponse.loadXmlFromBase64(saml_response) saml_validate_response = True if (configurationAttributes.containsKey("saml_validate_response")): saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False) if (saml_validate_response): if (not samlResponse.isValid()): print "Saml. Authenticate for step 1. saml_response isn't valid" saml_response_attributes = samlResponse.getAttributes() print "Saml. Authenticate for step 1. attributes: '%s'" % saml_response_attributes if (saml_map_user): saml_user_uid = self.getSamlNameId(samlResponse) if saml_user_uid == None: return False # Use mapping to local IDP user print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid # Check if the is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid) if (find_user_by_uid == None): print "Saml. Authenticate for step 1. Failed to find user" print "Saml. Authenticate for step 1. Setting count steps to 2" context.set("saml_count_login_steps", 2) context.set("saml_user_uid", saml_user_uid) return True found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate(found_user_name) if (user_authenticated == False): print "Saml. Authenticate for step 1. Failed to authenticate user" return False print "Saml. Authenticate for step 1. Setting count steps to 1" context.set("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif (saml_enroll_user): # Convert SAML response to user entry newUser = self.getMappedUser(configurationAttributes, requestParameters, saml_response_attributes) saml_user_uid = self.getNameId(samlResponse, newUser) if saml_user_uid == None: return False self.setDefaultUid(newUser, saml_user_uid) newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid) # Use auto enrollment to local IDP print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid # Check if there is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid) if find_user_by_uid == None: # Auto user enrollment print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP" print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes()) user_unique = self.checkUserUniqueness(newUser) if not user_unique: print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId() facesMessages = FacesMessages.instance() facesMessages.add(StatusMessage.Severity.ERROR, "Failed to enroll. User with same key attributes exist already") FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True) return False find_user_by_uid = userService.addUser(newUser, True) print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId() else: if self.updateUser: print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes()) find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes()) userService.updateUser(find_user_by_uid) print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate(found_user_name) if (user_authenticated == False): print "Saml. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name return False print "Saml. Authenticate for step 1. Setting count steps to 1" context.set("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif (saml_enroll_all_user_attr): # Convert SAML response to user entry newUser = self.getMappedAllAttributesUser(saml_response_attributes) saml_user_uid = self.getNameId(samlResponse, newUser) if saml_user_uid == None: return False self.setDefaultUid(newUser, saml_user_uid) newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid) print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:%s" % saml_user_uid # Check if there is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid) if (find_user_by_uid == None): # Auto user enrollment print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP" print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes()) user_unique = self.checkUserUniqueness(newUser) if not user_unique: print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId() facesMessages = FacesMessages.instance() facesMessages.add(StatusMessage.Severity.ERROR, "Failed to enroll. User with same key attributes exist already") FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True) return False find_user_by_uid = userService.addUser(newUser, True) print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId() else: if self.updateUser: print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes()) find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes()) userService.updateUser(find_user_by_uid) print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate(found_user_name) if (user_authenticated == False): print "Saml. Authenticate for step 1. Failed to authenticate user" return False print "Saml. Authenticate for step 1. Setting count steps to 1" context.set("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result else: if saml_user_uid == None: return False # Check if the is user with specified saml_user_uid print "Saml. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid find_user_by_uid = userService.getUser(saml_user_uid) if (find_user_by_uid == None): print "Saml. Authenticate for step 1. Failed to find user" return False found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate(found_user_name) if (user_authenticated == False): print "Saml. Authenticate for step 1. Failed to authenticate user" return False print "Saml. Authenticate for step 1. Setting count steps to 1" context.set("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif (step == 2): print "Saml. Authenticate for step 2" sessionAttributes = context.get("sessionAttributes") if (sessionAttributes == None) or not sessionAttributes.containsKey("saml_user_uid"): print "Saml. Authenticate for step 2. saml_user_uid is empty" return False saml_user_uid = sessionAttributes.get("saml_user_uid") passed_step1 = StringHelper.isNotEmptyString(saml_user_uid) if (not passed_step1): return False credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False # Check if there is user which has saml_user_uid # Avoid mapping Saml account to more than one IDP account find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid) if (find_user_by_uid == None): # Add saml_user_uid to user one id UIDs find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:%s" % saml_user_uid) if (find_user_by_uid == None): print "Saml. Authenticate for step 2. Failed to update current user" return False post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result return post_login_result else: found_user_name = find_user_by_uid.getUserId() print "Saml. Authenticate for step 2. found_user_name: '%s'" % found_user_name if StringHelper.equals(user_name, found_user_name): post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result return post_login_result return False else: return False