def prepareAttributesMapping(self, remoteAttributesList, localAttributesList):
    # Build the remote -> local attribute map from two comma-separated lists of
    # equal length. Both sides are lower-cased, and one local attribute must be
    # "uid" or the mapping is rejected. Returns an IdentityHashMap, or None
    # (after printing the reason) when the input is unusable.
    # NOTE(review): IdentityHashMap compares keys by reference, so lookups by a
    # freshly built string will miss; presumably callers only iterate entrySet().
    remoteNames = StringHelper.split(remoteAttributesList, ",")
    if ArrayHelper.isEmpty(remoteNames):
        print "Google+ PrepareAttributesMapping. There is no attributes specified in remoteAttributesList property"
        return None

    localNames = StringHelper.split(localAttributesList, ",")
    if ArrayHelper.isEmpty(localNames):
        print "Google+ PrepareAttributesMapping. There is no attributes specified in localAttributesList property"
        return None

    if len(remoteNames) != len(localNames):
        print "Google+ PrepareAttributesMapping. The number of attributes in remoteAttributesList and localAttributesList isn't equal"
        return None

    attributeMapping = IdentityHashMap()
    containsUid = False
    for remoteName, localName in zip(remoteNames, localNames):
        remoteAttribute = StringHelper.toLowerCase(remoteName)
        localAttribute = StringHelper.toLowerCase(localName)
        attributeMapping.put(remoteAttribute, localAttribute)
        if StringHelper.equalsIgnoreCase(localAttribute, "uid"):
            containsUid = True

    if not containsUid:
        print "Google+ PrepareAttributesMapping. There is no mapping to mandatory 'uid' attribute"
        return None

    return attributeMapping
def prepareAttributesMapping(self, saml_idp_attributes_list, saml_local_attributes_list):
    # Build the IdP -> local attribute map from two comma-separated lists of
    # equal length. Both sides are lower-cased, and one local attribute must be
    # "uid" or the mapping is rejected. Returns an IdentityHashMap, or None
    # (after printing the reason) when the input is unusable.
    # NOTE(review): IdentityHashMap compares keys by reference, so lookups by a
    # freshly built string will miss; callers should only iterate entrySet().
    idp_names = StringHelper.split(saml_idp_attributes_list, ",")
    if ArrayHelper.isEmpty(idp_names):
        print "Saml. PrepareAttributesMapping. There is no attributes specified in saml_idp_attributes_list property"
        return None

    local_names = StringHelper.split(saml_local_attributes_list, ",")
    if ArrayHelper.isEmpty(local_names):
        print "Saml. PrepareAttributesMapping. There is no attributes specified in saml_local_attributes_list property"
        return None

    if len(idp_names) != len(local_names):
        print "Saml. PrepareAttributesMapping. The number of attributes in saml_idp_attributes_list and saml_local_attributes_list isn't equal"
        return None

    attributeMapping = IdentityHashMap()
    containsUid = False
    for idp_name, local_name in zip(idp_names, local_names):
        idpAttribute = StringHelper.toLowerCase(idp_name)
        localAttribute = StringHelper.toLowerCase(local_name)
        attributeMapping.put(idpAttribute, localAttribute)
        if StringHelper.equalsIgnoreCase(localAttribute, "uid"):
            containsUid = True

    if not containsUid:
        print "Saml. PrepareAttributesMapping. There is no mapping to mandatory 'uid' attribute"
        return None

    return attributeMapping
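def authenticate(self, configurationAttributes, requestParameters, step):
    # Two-step flow. Step 1 checks the username/password pair held in the
    # current credentials. Step 2 replaces that user's password with the
    # "new_password" request parameter, but only when the
    # "loginForm:updateButton" was submitted; otherwise step 2 passes
    # without touching anything. Returns True when the step passed.
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()

    if step == 1:
        print "Basic (with password update). Authenticate for step 1"
        user_password = credentials.getPassword()

        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)

        if not logged_in:
            return False
        return True

    elif step == 2:
        print "Basic (with password update). Authenticate for step 2"
        userService = UserService.instance()

        # No update requested: nothing to do for this step.
        update_button = requestParameters.get("loginForm:updateButton")
        if ArrayHelper.isEmpty(update_button):
            return True

        # The password change applies to the identity that passed step 1;
        # fail closed if the credentials carry no username (the original
        # would have raised on the string concatenation below instead).
        if StringHelper.isEmptyString(user_name):
            print "Basic (with password update). Authenticate for step 2. User name is empty"
            return False

        new_password_array = requestParameters.get("new_password")
        if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
            print "Basic (with password update). Authenticate for step 2. New password is empty"
            return False
        new_password = new_password_array[0]

        print "Basic (with password update). Authenticate for step 2. Attempting to set new user '" + user_name + "' password"

        find_user_by_uid = userService.getUser(user_name)
        if find_user_by_uid is None:
            print "Basic (with password update). Authenticate for step 2. Failed to find user"
            return False

        # NOTE(review): the raw value goes straight into "userPassword"; no
        # password-policy check happens here -- presumably the directory
        # applies hashing and policy on update. Confirm.
        find_user_by_uid.setAttribute("userPassword", new_password)
        userService.updateUser(find_user_by_uid)
        print "Basic (with password update). Authenticate for step 2. Password updated successfully"
        return True

    else:
        return False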
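def updateClient(self, registerRequest, client, configurationAttributes):
    # Dynamic client registration hook. When one of the client's redirect URIs
    # is the hard-coded example URI, the "address" scope is appended to the
    # client's scopes. Returns True to let the registration proceed, False to
    # reject it.
    print "Client registration. UpdateClient method"

    redirectUris = client.getRedirectUris()
    print "Client registration. Redirect Uris:", redirectUris

    addAddressScope = False
    if redirectUris is not None:
        for redirectUri in redirectUris:
            if StringHelper.equalsIgnoreCase(redirectUri, "https://client.example.com/example1"):
                addAddressScope = True
                break
    print "Client registration. Is add address scope:", addAddressScope

    if not addAddressScope:
        return True

    currentScopes = client.getScopes()
    print "Client registration. Current scopes:", currentScopes

    # Fail closed when the scope lookup returns nothing; the original
    # dereferenced the result unconditionally and raised instead.
    addressScope = self.scopeService.getScopeByDisplayName("address")
    if addressScope is None:
        print "Client registration. Scope 'address' not found"
        return False

    newScopes = ArrayHelper.addItemToStringArray(currentScopes, addressScope.getDn())
    print "Client registration. Result scopes:", newScopes
    client.setScopes(newScopes)

    return True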
def authenticate(self, configurationAttributes, requestParameters, step):
    # Two-step Duo flow. Step 1 verifies the username/password in the current
    # credentials and, when group checks are enabled, decides whether a second
    # (Duo) step is required. Step 2 verifies Duo's signed "sig_response" and
    # requires the username it asserts to equal the step-1 username.
    # Returns True when the step passed, False otherwise.
    # NOTE: duo_host is read but not used in this method.
    duo_host = configurationAttributes.get("duo_host").getValue2()
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()
    if (step == 1):
        print "Duo. Authenticate for step 1"
        user_password = credentials.getPassword()
        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)
        if (not logged_in):
            return False
        authenticationService = AuthenticationService.instance()
        user = authenticationService.getAuthenticatedUser()
        if (self.use_duo_group):
            print "Duo. Authenticate for step 1. Checking if user belong to Duo group"
            is_member_duo_group = self.isUserMemberOfGroup(user, self.audit_attribute, self.duo_group)
            if (is_member_duo_group):
                # Members of the Duo group get the second factor; everyone else
                # only gets the audit-group handling and a single step.
                print "Duo. Authenticate for step 1. User '" + user.getUserId() + "' member of Duo group"
                duo_count_login_steps = 2
            else:
                self.processAuditGroup(user)
                duo_count_login_steps = 1
            context = Contexts.getEventContext()
            context.set("duo_count_login_steps", duo_count_login_steps)
        return True
    elif (step == 2):
        print "Duo. Authenticate for step 2"
        sig_response_array = requestParameters.get("sig_response")
        if ArrayHelper.isEmpty(sig_response_array):
            print "Duo. Authenticate for step 2. sig_response is empty"
            return False
        duo_sig_response = sig_response_array[0]
        # NOTE(review): this logs the raw signed response token; it is not
        # needed for troubleshooting the outcome and is better left out of logs.
        print "Duo. Authenticate for step 2. duo_sig_response: " + duo_sig_response
        authenticated_username = duo_web.verify_response(self.ikey, self.skey, self.akey, duo_sig_response)
        # NOTE(review): the "******" below is a redaction artifact in this copy,
        # not valid Jython; the original line presumably concatenated
        # authenticated_username into the message -- confirm against upstream.
        print "Duo. Authenticate for step 2. authenticated_username: "******", expected user_name: " + user_name
        # Binding check: the user Duo vouched for must be the user from step 1,
        # otherwise a valid response for another account would pass here.
        if (not StringHelper.equals(user_name, authenticated_username)):
            return False
        authenticationService = AuthenticationService.instance()
        user = authenticationService.getAuthenticatedUser()
        self.processAuditGroup(user)
        return True
    else:
        return False
def init(self, configurationAttributes):
    # Read the comma-separated "login_attributes_list" property and the
    # optional "local_login_attributes_list" property into two equal-length
    # arrays kept on self. When the local list is absent the login list is
    # reused for it. Returns False, after printing the reason, when the
    # configuration is unusable.
    print "Basic (multi login) initialization"

    login_property = configurationAttributes.get("login_attributes_list")
    if login_property is None:
        print "Basic (multi login) initialization. There is no property login_attributes_list"
        return False

    login_value = login_property.getValue2()
    if StringHelper.isEmpty(login_value):
        print "Basic (multi login) initialization. There is no attributes specified in login_attributes property"
        return False

    login_attrs = StringHelper.split(login_value, ",")
    if ArrayHelper.isEmpty(login_attrs):
        print "Basic (multi login) initialization. There is no attributes specified in login_attributes property"
        return False

    if configurationAttributes.containsKey("local_login_attributes_list"):
        local_value = configurationAttributes.get("local_login_attributes_list").getValue2()
        local_attrs = StringHelper.split(local_value, ",")
    else:
        print "Basic (multi login) initialization. There is no property local_login_attributes_list. Assuming that login attributes are equal to local login attributes."
        local_attrs = login_attrs

    if len(login_attrs) != len(local_attrs):
        print "Basic (multi login) initialization. The number of attributes in login_attributes_list and local_login_attributes_list isn't equal"
        return False

    self.login_attributes_list_array = login_attrs
    self.local_login_attributes_list_array = local_attrs

    print "Basic (multi login) initialized successfully"
    return True
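def prepareUserEnforceUniquenessAttributes(self, configurationAttributes):
    # Return the attribute names listed in the comma-separated
    # "enforce_uniqueness_attr_list" property, or None when the property is
    # missing or yields no names.
    if not configurationAttributes.containsKey("enforce_uniqueness_attr_list"):
        # Missing property: report "nothing configured" instead of raising on
        # the .getValue2() of a None lookup as the original did.
        return None

    enforce_uniqueness_attr_list = configurationAttributes.get("enforce_uniqueness_attr_list").getValue2()
    enforce_uniqueness_attr_list_array = StringHelper.split(enforce_uniqueness_attr_list, ",")
    if ArrayHelper.isEmpty(enforce_uniqueness_attr_list_array):
        return None

    return enforce_uniqueness_attr_list_array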
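def prepareUserObjectClasses(self, configurationAttributes):
    # Return the object class names listed in the comma-separated
    # "user_object_classes" property, or None when the property is missing or
    # yields no names.
    if not configurationAttributes.containsKey("user_object_classes"):
        # Missing property: report "nothing configured" instead of raising on
        # the .getValue2() of a None lookup as the original did.
        return None

    user_object_classes = configurationAttributes.get("user_object_classes").getValue2()
    user_object_classes_list_array = StringHelper.split(user_object_classes, ",")
    if ArrayHelper.isEmpty(user_object_classes_list_array):
        return None

    return user_object_classes_list_array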
def prepareForStep(self, configurationAttributes, requestParameters, step):
    # Step 1 exposes the Android download URL to the page. Step 2 starts an
    # oxPush pairing for the current user when no "oxpush_user_uid" was
    # submitted, and publishes the pairing id (encrypted), code and QR image
    # in the event context.
    # NOTE(review): as shown here the method has no return after the step-1
    # branch or at the end of step 2; this copy may be truncated -- confirm.
    stringEncrypter = StringEncrypter.defaultInstance()
    context = Contexts.getEventContext()
    oxpush_application_name = configurationAttributes.get("oxpush_application_name").getValue2()
    if (step == 1):
        print "oxPush prepare for step 1"
        oxpush_android_download_url = configurationAttributes.get("oxpush_android_download_url").getValue2()
        context.set("oxpush_android_download_url", oxpush_android_download_url)
    elif (step == 2):
        print "oxPush prepare for step 2"
        # NOTE(review): isPassedDefaultAuthentication is referenced, not called.
        # If it is a method, passed_step1 is always truthy and this guard never
        # fires, so pairing could start for a user who has not passed step 1.
        # Confirm whether it is an attribute or a method.
        passed_step1 = self.isPassedDefaultAuthentication
        if (not passed_step1):
            return False
        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        oxpush_user_uid_array = requestParameters.get("oxpush_user_uid")
        if (ArrayHelper.isEmpty(oxpush_user_uid_array) or StringHelper.isEmptyString(oxpush_user_uid_array[0])):
            print "oxPush prepare for step 2. oxpush_user_uid is empty"
            # Initialize pairing process
            pairing_process = None
            try:
                pairing_process = self.oxPushClient.pair(oxpush_application_name, user_name);
            except java.lang.Exception, err:
                print "oxPush prepare for step 2. Failed to initialize pairing process: ", err
                return False
            if (not pairing_process.result):
                print "oxPush prepare for step 2. Failed to initialize pairing process"
                return False
            pairing_id = pairing_process.pairingId
            print "oxPush prepare for step 2. Pairing Id: ", pairing_id
            # Only the pairing id is encrypted before it is handed to the page;
            # the code and QR image are published as-is.
            context.set("oxpush_pairing_uid", stringEncrypter.encrypt(pairing_id))
            context.set("oxpush_pairing_code", pairing_process.pairingCode)
            context.set("oxpush_pairing_qr_image", pairing_process.pairingQrImage)
def getClientConfiguration(self, configurationAttributes, requestParameters):
    # Resolve the per-client Google+ configuration: the client's custom
    # attribute named by the "gplus_client_configuration_attribute" property,
    # for the client identified by the "client_id" request parameter or,
    # failing that, by the "stored_request_parameters" kept in the event
    # context. Returns the custom attribute (its value may still be empty) or
    # None when it cannot be resolved.
    if not configurationAttributes.containsKey("gplus_client_configuration_attribute"):
        return None

    clientConfigurationAttribute = configurationAttributes.get("gplus_client_configuration_attribute").getValue2()
    print "Google+ GetClientConfiguration. Using client attribute:", clientConfigurationAttribute

    if requestParameters is None:
        return None

    # client_id from the request, else from the stored request parameters
    clientId = None
    clientIdArray = requestParameters.get("client_id")
    if ArrayHelper.isNotEmpty(clientIdArray) and StringHelper.isNotEmptyString(clientIdArray[0]):
        clientId = clientIdArray[0]
    else:
        eventContext = Contexts.getEventContext()
        if eventContext.isSet("stored_request_parameters"):
            clientId = eventContext.get("stored_request_parameters").get("client_id")

    if clientId is None:
        print "Google+ GetClientConfiguration. client_id is empty"
        return None

    # The client_id only selects which server-side client entry is read
    clientService = ClientService.instance()
    client = clientService.getClient(clientId)
    if client is None:
        print "Google+ GetClientConfiguration. Failed to find client", clientId, " in local LDAP"
        return None

    clientConfiguration = clientService.getCustomAttribute(client, clientConfigurationAttribute)
    if clientConfiguration is None or StringHelper.isEmpty(clientConfiguration.getValue()):
        print "Google+ GetClientConfiguration. Client", clientId, " attribute", clientConfigurationAttribute, " is empty"
    else:
        print "Google+ GetClientConfiguration. Client", clientId, " attribute", clientConfigurationAttribute, " is", clientConfiguration

    return clientConfiguration
def prepareForStep(self, configurationAttributes, requestParameters, step):
    # Step 1 renders the OneID sign-in button into the event context; the
    # button posts back to this server's /postlogin carrying the current
    # authentication parameters. Step 2 needs no preparation. Returns True
    # when the step was prepared, False otherwise.
    context = Contexts.getEventContext()
    authenticationService = AuthenticationService.instance()

    server_flag = configurationAttributes.get("oneid_server_flag").getValue2()
    callback_attrs = configurationAttributes.get("oneid_callback_attrs").getValue2()
    creds_file = configurationAttributes.get("oneid_creds_file").getValue2()

    # OneID client, pointed at its credentials file
    authn = OneID(server_flag)
    authn.creds_file = creds_file

    if step == 2:
        print "OneID prepare for step 2"
        return True

    if step != 1:
        return False

    print "OneID prepare for step 1"

    auth_mode_array = requestParameters.get("auth_mode")
    if ArrayHelper.isEmpty(auth_mode_array):
        print "OneID prepare for step 1. auth_mode is empty"
        return False

    request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
    validation_page = request.getContextPath() + "/postlogin?" + "request_uri=&" + authenticationService.parametersAsString()
    print "OneID prepare for step 1. validation_page: " + validation_page

    oneid_login_button = authn.draw_signin_button(validation_page, callback_attrs, True)
    print "OneID prepare for step 1. oneid_login_button: " + oneid_login_button

    context.set("oneid_login_button", oneid_login_button)
    context.set("oneid_script_header", authn.script_header)
    context.set("oneid_form_script", authn.oneid_form_script)
    return True
def getClientConfiguration(self, configurationAttributes, requestParameters):
    # Resolve the per-client SAML configuration: the client's custom attribute
    # named by the "saml_client_configuration_attribute" property, for the
    # client identified by the "client_id" request parameter or, failing that,
    # by the "sessionAttributes" kept in the event context. Returns the custom
    # attribute (its value may still be empty) or None when it cannot be
    # resolved.
    if not configurationAttributes.containsKey("saml_client_configuration_attribute"):
        return None

    saml_client_configuration_attribute = configurationAttributes.get("saml_client_configuration_attribute").getValue2()
    print "Saml. GetClientConfiguration. Using client attribute:", saml_client_configuration_attribute

    if requestParameters is None:
        return None

    # client_id from the request, else from the session attributes
    client_id = None
    client_id_array = requestParameters.get("client_id")
    if ArrayHelper.isNotEmpty(client_id_array) and StringHelper.isNotEmptyString(client_id_array[0]):
        client_id = client_id_array[0]
    else:
        eventContext = Contexts.getEventContext()
        if eventContext.isSet("sessionAttributes"):
            client_id = eventContext.get("sessionAttributes").get("client_id")

    if client_id is None:
        print "Saml. GetClientConfiguration. client_id is empty"
        return None

    # The client_id only selects which server-side client entry is read
    clientService = ClientService.instance()
    client = clientService.getClient(client_id)
    if client is None:
        print "Saml. GetClientConfiguration. Failed to find client", client_id, " in local LDAP"
        return None

    saml_client_configuration = clientService.getCustomAttribute(client, saml_client_configuration_attribute)
    if saml_client_configuration is None or StringHelper.isEmpty(saml_client_configuration.getValue()):
        print "Saml. GetClientConfiguration. Client", client_id, " attribute", saml_client_configuration_attribute, " is empty"
    else:
        print "Saml. GetClientConfiguration. Client", client_id, " attribute", saml_client_configuration_attribute, " is", saml_client_configuration

    return saml_client_configuration
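def authenticate(self, configurationAttributes, requestParameters, step):
    """Authenticate one step of the SAML flow.

    Step 1 consumes the "SAMLResponse" request parameter, validates it
    (unless "saml_validate_response" is set to false) and resolves a local
    user from its NameID according to "saml_deployment_type":
      map             - look the NameID up in oxExternalUid; when absent,
                        request a second step in which the user links an
                        existing account by password
      enroll          - same lookup, auto-creating the user from the
                        configured attribute mapping when absent
      enroll_all_attr - same lookup, auto-creating the user from every SAML
                        attribute whose SAML2 URI matches a known LDAP
                        attribute when absent
      (anything else) - treat the NameID as the local uid
    When "saml_allow_basic_login" is true and a username/password pair is
    present in the credentials, step 1 is a plain password login instead.

    Step 2 verifies the password of the account being linked and stores the
    NameID kept in the session attributes as that account's oxExternalUid,
    refusing a NameID that is already linked to a different account.

    Returns True on success, False otherwise. The post-login extension's
    result is returned where it is run.
    """
    context = Contexts.getEventContext()
    authenticationService = AuthenticationService.instance()
    userService = UserService.instance()

    saml_map_user = False
    saml_enroll_user = False
    saml_enroll_all_user_attr = False
    # Use saml_deployment_type only if there is no attributes mapping
    if configurationAttributes.containsKey("saml_deployment_type"):
        saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2())
        saml_map_user = StringHelper.equalsIgnoreCase(saml_deployment_type, "map")
        saml_enroll_user = StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")
        saml_enroll_all_user_attr = StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")

    saml_allow_basic_login = False
    if configurationAttributes.containsKey("saml_allow_basic_login"):
        saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False)

    # Detect if the user used the basic authentication method
    use_basic_auth = False
    if saml_allow_basic_login:
        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()
        if StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password):
            use_basic_auth = True

    if step == 1 and saml_allow_basic_login and use_basic_auth:
        print "Saml. Authenticate for step 1. Basic authentication"
        context.set("saml_count_login_steps", 1)

        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)

        if not logged_in:
            return False
        return True

    if step == 1:
        print "Saml. Authenticate for step 1"

        currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
        if currentSamlConfiguration is None:
            print "Saml. Prepare for step 1. Client saml configuration is invalid"
            return False

        saml_response_array = requestParameters.get("SAMLResponse")
        if ArrayHelper.isEmpty(saml_response_array):
            print "Saml. Authenticate for step 1. saml_response is empty"
            return False
        saml_response = saml_response_array[0]
        # NOTE(review): this logs the complete base64 assertion, which carries
        # the subject's attributes; keep it out of production logs.
        print "Saml. Authenticate for step 1. saml_response:", saml_response

        samlResponse = Response(currentSamlConfiguration)
        samlResponse.loadXmlFromBase64(saml_response)

        saml_validate_response = True
        if configurationAttributes.containsKey("saml_validate_response"):
            saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False)

        if saml_validate_response:
            # A response that fails validation must end the step. The original
            # only printed here and went on to log the user in from the
            # unverified NameID, which accepted any well-formed response.
            if not samlResponse.isValid():
                print "Saml. Authenticate for step 1. saml_response isn't valid"
                return False

        saml_response_name_id = samlResponse.getNameId()
        if StringHelper.isEmpty(saml_response_name_id):
            print "Saml. Authenticate for step 1. saml_response_name_id is invalid"
            return False
        print "Saml. Authenticate for step 1. saml_response_name_id:", saml_response_name_id

        saml_response_attributes = samlResponse.getAttributes()
        print "Saml. Authenticate for step 1. attributes: ", saml_response_attributes

        # Use persistent Id as saml_user_uid
        saml_user_uid = saml_response_name_id
        saml_external_uid = "saml:" + saml_user_uid

        if saml_map_user:
            # Use mapping to local IDP user
            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:", saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", saml_external_uid)
            if find_user_by_uid is None:
                # Unknown identity: ask for a second step to link an account
                print "Saml. Authenticate for step 1. Failed to find user"
                print "Saml. Authenticate for step 1. Setting count steps to 2"
                context.set("saml_count_login_steps", 2)
                # NOTE(review): kept in clear; step 2 reads it back from the
                # session attributes, so it must never be echoed to the client.
                context.set("saml_user_uid", saml_user_uid)
                return True

        elif saml_enroll_user:
            # Use auto enrollment to local IDP
            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:", saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", saml_external_uid)
            if find_user_by_uid is None:
                # Auto user enrollment
                print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"

                # Convert saml result attribute keys to lower case
                saml_response_normalized_attributes = HashMap()
                for saml_response_attribute_entry in saml_response_attributes.entrySet():
                    saml_response_normalized_attributes.put(
                        StringHelper.toLowerCase(saml_response_attribute_entry.getKey()),
                        saml_response_attribute_entry.getValue())

                currentAttributesMapping = self.prepareCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
                print "Saml. Authenticate for step 1. Using next attributes mapping", currentAttributesMapping

                newUser = User()
                for attributesMappingEntry in currentAttributesMapping.entrySet():
                    idpAttribute = attributesMappingEntry.getKey()
                    localAttribute = attributesMappingEntry.getValue()
                    localAttributeValue = saml_response_normalized_attributes.get(idpAttribute)
                    if localAttribute is not None:
                        newUser.setAttribute(localAttribute, localAttributeValue)
                newUser.setAttribute("oxExternalUid", saml_external_uid)

                print "Saml. Authenticate for step 1. Attempting to add user", saml_user_uid, " with next attributes", newUser.getCustomAttributes()
                find_user_by_uid = userService.addUser(newUser, True)
                print "Saml. Authenticate for step 1. Added new user with UID", find_user_by_uid.getUserId()

        elif saml_enroll_all_user_attr:
            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:" + saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", saml_external_uid)
            if find_user_by_uid is None:
                print "Saml. Authenticate for step 1. Failed to find user"

                # Build the user from every SAML attribute whose SAML2 URI
                # matches a known LDAP attribute. The original iterated an
                # unbound name `attributes` here; the response attributes map
                # read above is what it can only have meant.
                # NOTE(review): attributeService is not bound in this method as
                # shown; presumably a module- or instance-level service -- confirm.
                user = User()
                customAttributes = ArrayList()
                # Fetched once; the original re-fetched the list for every SAML attribute
                ldapAttributes = attributeService.getAllAttributes()
                for key in saml_response_attributes.keySet():
                    for ldapAttribute in ldapAttributes:
                        saml2Uri = ldapAttribute.getSaml2Uri()
                        if saml2Uri is None:
                            saml2Uri = attributeService.getDefaultSaml2Uri(ldapAttribute.getName())
                        if saml2Uri == key:
                            attribute = CustomAttribute(ldapAttribute.getName())
                            attribute.setValues(saml_response_attributes.get(key))
                            customAttributes.add(attribute)

                attribute = CustomAttribute("oxExternalUid")
                attribute.setValue(saml_external_uid)
                customAttributes.add(attribute)
                user.setCustomAttributes(customAttributes)

                # Default sn/cn to the NameID when the IdP did not supply them.
                # The list object is the one just set on the user, so these
                # additions are presumably visible to it -- confirm.
                if user.getAttribute("sn") is None:
                    attribute = CustomAttribute("sn")
                    attribute.setValue(saml_user_uid)
                    customAttributes.add(attribute)
                if user.getAttribute("cn") is None:
                    attribute = CustomAttribute("cn")
                    attribute.setValue(saml_user_uid)
                    customAttributes.add(attribute)

                find_user_by_uid = userService.addUser(user, True)
                print "Saml. Authenticate for step 1. Added new user with UID", find_user_by_uid.getUserId()

        else:
            # Treat the NameID as the local uid
            print "Saml. Authenticate for step 1. Attempting to find user by uid:", saml_user_uid
            find_user_by_uid = userService.getUser(saml_user_uid)
            if find_user_by_uid is None:
                print "Saml. Authenticate for step 1. Failed to find user"
                return False

        return self.samlCompleteStep1(configurationAttributes, context, authenticationService, find_user_by_uid)

    elif step == 2:
        print "Saml. Authenticate for step 2"

        sessionAttributes = context.get("sessionAttributes")
        if sessionAttributes is None or not sessionAttributes.containsKey("saml_user_uid"):
            print "Saml. Authenticate for step 2. saml_user_uid is empty"
            return False

        saml_user_uid = sessionAttributes.get("saml_user_uid")
        if not StringHelper.isNotEmptyString(saml_user_uid):
            return False

        # The account being linked must prove its password first
        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            logged_in = userService.authenticate(user_name, user_password)
        if not logged_in:
            return False

        # Avoid mapping a SAML identity to more than one local account
        find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
        if find_user_by_uid is None:
            # Add saml_user_uid to the user's external UIDs
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:" + saml_user_uid)
            if find_user_by_uid is None:
                print "Saml. Authenticate for step 2. Failed to update current user"
                return False
        else:
            found_user_name = find_user_by_uid.getUserId()
            print "Saml. Authenticate for step 2. found_user_name:", found_user_name
            if not StringHelper.equals(user_name, found_user_name):
                return False

        post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
        print "Saml. Authenticate for step 2. post_login_result:", post_login_result
        return post_login_result

    else:
        return False


def samlCompleteStep1(self, configurationAttributes, context, authenticationService, find_user_by_uid):
    # Log the resolved user in, mark the flow as single-step and run the
    # post-login extension. Returns the extension's result, or False when the
    # authentication itself failed.
    found_user_name = find_user_by_uid.getUserId()
    print "Saml. Authenticate for step 1. found_user_name:", found_user_name

    user_authenticated = authenticationService.authenticate(found_user_name)
    if not user_authenticated:
        print "Saml. Authenticate for step 1. Failed to authenticate user"
        return False

    print "Saml. Authenticate for step 1. Setting count steps to 1"
    context.set("saml_count_login_steps", 1)

    post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
    print "Saml. Authenticate for step 1. post_login_result:", post_login_result
    return post_login_result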
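def authenticate(self, configurationAttributes, requestParameters, step):
    """Authenticate one step of the CAS 2.0 flow.

    Step 1 validates the "ticket" request parameter against
    <cas_host>/serviceValidate and resolves the returned <cas:user> to a
    local account: by oxExternalUid "cas2:<uid>" when "cas_map_user" is
    true (an unknown uid requests a second step in which the user links an
    account by password), otherwise by local uid.

    Step 2 verifies the password in the credentials and stores the uid
    carried, encrypted, in the "cas2_user_uid" parameter as that account's
    oxExternalUid, refusing a uid already linked to a different account.

    Returns True when the step passed, False otherwise.
    """
    context = Contexts.getEventContext()
    authenticationService = AuthenticationService.instance()
    userService = UserService.instance()
    httpService = HttpService.instance()
    stringEncrypter = StringEncrypter.defaultInstance()

    cas_host = configurationAttributes.get("cas_host").getValue2()
    cas_extra_opts = configurationAttributes.get("cas_extra_opts").getValue2()
    cas_map_user = StringHelper.toBoolean(configurationAttributes.get("cas_map_user").getValue2(), False)
    cas_renew_opt = StringHelper.toBoolean(configurationAttributes.get("cas_renew_opt").getValue2(), False)

    if step == 1:
        print "CAS2 authenticate for step 1"

        ticket_array = requestParameters.get("ticket")
        if ArrayHelper.isEmpty(ticket_array):
            print "CAS2 authenticate for step 1. ticket is empty"
            return False
        ticket = ticket_array[0]
        print "CAS2 authenticate for step 1. ticket: " + ticket
        if StringHelper.isEmptyString(ticket):
            print "CAS2 authenticate for step 1. ticket is invalid"
            return False

        # Validate ticket. "service" must be the URL the ticket was issued
        # for, which is this server's /postlogin.
        request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
        parametersMap = HashMap()
        parametersMap.put("service", httpService.constructServerUrl(request) + "/postlogin")
        if cas_renew_opt:
            parametersMap.put("renew", "true")
        parametersMap.put("ticket", ticket)

        cas_service_request_uri = cas_host + "/serviceValidate?" + authenticationService.parametersAsString(parametersMap)
        if StringHelper.isNotEmpty(cas_extra_opts):
            cas_service_request_uri = cas_service_request_uri + "&" + cas_extra_opts
        print "CAS2 authenticate for step 1. cas_service_request_uri: " + cas_service_request_uri

        # The validation response decides who gets logged in, so the CAS
        # server's certificate must be verified. The original used
        # getHttpsClientTrustAll(), which let any party on the network path
        # answer for cas_host with a forged <cas:user>.
        http_client = httpService.getHttpsClient()
        http_response = httpService.executeGet(http_client, cas_service_request_uri)
        validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_response))
        # Checked before it is logged: the original concatenated it first and
        # would raise on a None body instead of reporting it.
        if StringHelper.isEmpty(validation_content):
            print "CAS2 authenticate for step 1. Ticket validation response is invalid"
            return False
        print "CAS2 authenticate for step 1. validation_content: " + validation_content

        cas2_auth_failure = self.parse_tag(validation_content, "cas:authenticationFailure")
        print "CAS2 authenticate for step 1. cas2_auth_failure: ", cas2_auth_failure
        cas2_user_uid = self.parse_tag(validation_content, "cas:user")
        print "CAS2 authenticate for step 1. cas2_user_uid: ", cas2_user_uid
        if cas2_auth_failure is not None or cas2_user_uid is None:
            print "CAS2 authenticate for step 1. Ticket is invalid"
            return False

        if cas_map_user:
            print "CAS2 authenticate for step 1. Attempting to find user by oxExternalUid: cas2:" + cas2_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid)
            if find_user_by_uid is None:
                # Unknown identity: ask for a second step to link an account
                print "CAS2 authenticate for step 1. Failed to find user"
                print "CAS2 authenticate for step 1. Setting count steps to 2"
                context.set("cas2_count_login_steps", 2)
                # Encrypted so the value that comes back in step 2 cannot be
                # replaced client-side with another uid
                context.set("cas2_user_uid", stringEncrypter.encrypt(cas2_user_uid))
                return True
        else:
            print "CAS2 authenticate for step 1. Attempting to find user by uid:" + cas2_user_uid
            find_user_by_uid = userService.getUser(cas2_user_uid)
            if find_user_by_uid is None:
                print "CAS2 authenticate for step 1. Failed to find user"
                return False

        return self.cas2CompleteStep1(context, find_user_by_uid)

    elif step == 2:
        print "CAS2 authenticate for step 2"

        cas2_user_uid_array = requestParameters.get("cas2_user_uid")
        if ArrayHelper.isEmpty(cas2_user_uid_array):
            print "CAS2 authenticate for step 2. cas2_user_uid is empty"
            return False

        # Only a value encrypted by this server in step 1 decrypts to a uid
        cas2_user_uid = stringEncrypter.decrypt(cas2_user_uid_array[0])
        if not StringHelper.isNotEmptyString(cas2_user_uid):
            return False

        # The account being linked must prove its password first
        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            logged_in = userService.authenticate(user_name, user_password)
        if not logged_in:
            return False

        # Avoid mapping a CAS2 identity to more than one local account
        find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid)
        if find_user_by_uid is None:
            # Add cas2_user_uid to the user's external UIDs
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "cas2:" + cas2_user_uid)
            if find_user_by_uid is None:
                print "CAS2 authenticate for step 2. Failed to update current user"
                return False
            return True

        found_user_name = find_user_by_uid.getUserId()
        print "CAS2 authenticate for step 2. found_user_name: " + found_user_name
        if StringHelper.equals(user_name, found_user_name):
            return True
        return False

    else:
        return False


def cas2CompleteStep1(self, context, find_user_by_uid):
    # Bind the resolved user to the current credentials and mark the flow as
    # single-step. Always returns True.
    found_user_name = find_user_by_uid.getUserId()
    print "CAS2 authenticate for step 1. found_user_name: " + found_user_name

    credentials = Identity.instance().getCredentials()
    credentials.setUsername(found_user_name)
    credentials.setUser(find_user_by_uid)

    print "CAS2 authenticate for step 1. Setting count steps to 1"
    context.set("cas2_count_login_steps", 1)
    return True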
def authenticate(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() authenticationService = AuthenticationService.instance() userService = UserService.instance() encryptionService = EncryptionService.instance() mapUserDeployment = False enrollUserDeployment = False if (configurationAttributes.containsKey("gplus_deployment_type")): deploymentType = StringHelper.toLowerCase(configurationAttributes.get("gplus_deployment_type").getValue2()) if (StringHelper.equalsIgnoreCase(deploymentType, "map")): mapUserDeployment = True if (StringHelper.equalsIgnoreCase(deploymentType, "enroll")): enrollUserDeployment = True if (step == 1): print "Google+ authenticate for step 1" gplusAuthCodeArray = requestParameters.get("gplus_auth_code") gplusAuthCode = gplusAuthCodeArray[0] # Check if user uses basic method to log in useBasicAuth = False if (StringHelper.isEmptyString(gplusAuthCode)): useBasicAuth = True # Use basic method to log in if (useBasicAuth): print "Google+ authenticate for step 1. Basic authentication" context.set("gplus_count_login_steps", 1) credentials = Identity.instance().getCredentials() userName = credentials.getUsername() userPassword = credentials.getPassword() loggedIn = False if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)): userService = UserService.instance() loggedIn = userService.authenticate(userName, userPassword) if (not loggedIn): return False return True # Use Google+ method to log in print "Google+ authenticate for step 1. gplusAuthCode:", gplusAuthCode currentClientSecrets = self.getCurrentClientSecrets(self.clientSecrets, configurationAttributes, requestParameters) if (currentClientSecrets == None): print "Google+ authenticate for step 1. Client secrets configuration is invalid" return False print "Google+ authenticate for step 1. 
Attempting to gets tokens" tokenResponse = self.getTokensByCode(self.clientSecrets, configurationAttributes, gplusAuthCode); if ((tokenResponse == None) or (tokenResponse.getIdToken() == None) or (tokenResponse.getAccessToken() == None)): print "Google+ authenticate for step 1. Failed to get tokens" return False else: print "Google+ authenticate for step 1. Successfully gets tokens" jwt = Jwt.parse(tokenResponse.getIdToken()) # TODO: Validate ID Token Signature gplusUserUid = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER); print "Google+ authenticate for step 1. Found Google user ID in the ID token: ", gplusUserUid if (mapUserDeployment): # Use mapping to local IDP user print "Google+ authenticate for step 1. Attempting to find user by oxExternalUid: gplus:", gplusUserUid # Check if there is user with specified gplusUserUid foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid) if (foundUser == None): print "Google+ authenticate for step 1. Failed to find user" print "Google+ authenticate for step 1. Setting count steps to 2" context.set("gplus_count_login_steps", 2) context.set("gplus_user_uid", encryptionService.encrypt(gplusUserUid)) return True foundUserName = foundUser.getUserId() print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user" return False print "Google+ authenticate for step 1. Setting count steps to 1" context.set("gplus_count_login_steps", 1) postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser) print "Google+ authenticate for step 1. postLoginResult:", postLoginResult return postLoginResult elif (enrollUserDeployment): # Use auto enrollment to local IDP print "Google+ authenticate for step 1. 
Attempting to find user by oxExternalUid: gplus:", gplusUserUid # Check if there is user with specified gplusUserUid foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid) if (foundUser == None): # Auto user enrollemnt print "Google+ authenticate for step 1. There is no user in LDAP. Adding user to local LDAP" print "Google+ authenticate for step 1. Attempting to gets user info" userInfoResponse = self.getUserInfo(currentClientSecrets, configurationAttributes, tokenResponse.getAccessToken()) if ((userInfoResponse == None) or (userInfoResponse.getClaims().size() == 0)): print "Google+ authenticate for step 1. Failed to get user info" return False else: print "Google+ authenticate for step 1. Successfully gets user info" gplusResponseAttributes = userInfoResponse.getClaims() # Convert Google+ user claims to lover case gplusResponseNormalizedAttributes = HashMap() for gplusResponseAttributeEntry in gplusResponseAttributes.entrySet(): gplusResponseNormalizedAttributes.put( StringHelper.toLowerCase(gplusResponseAttributeEntry.getKey()), gplusResponseAttributeEntry.getValue()) currentAttributesMapping = self.getCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters) print "Google+ authenticate for step 1. Using next attributes mapping", currentAttributesMapping newUser = User() for attributesMappingEntry in currentAttributesMapping.entrySet(): idpAttribute = attributesMappingEntry.getKey() localAttribute = attributesMappingEntry.getValue() localAttributeValue = gplusResponseNormalizedAttributes.get(idpAttribute) if (localAttribute != None): newUser.setAttribute(localAttribute, localAttributeValue) if (newUser.getAttribute("sn") == None): newUser.setAttribute("sn", gplusUserUid) if (newUser.getAttribute("cn") == None): newUser.setAttribute("cn", gplusUserUid) newUser.setAttribute("oxExternalUid", "gplus:" + gplusUserUid) print "Google+ authenticate for step 1. 
Attempting to add user", gplusUserUid, " with next attributes", newUser.getCustomAttributes() foundUser = userService.addUser(newUser) print "Google+ authenticate for step 1. Added new user with UID", foundUser.getUserId() foundUserName = foundUser.getUserId() print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user" return False print "Google+ authenticate for step 1. Setting count steps to 1" context.set("gplus_count_login_steps", 1) postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser) print "Google+ authenticate for step 1. postLoginResult:", postLoginResult return postLoginResult else: # Check if the is user with specified gplusUserUid print "Google+ authenticate for step 1. Attempting to find user by uid:", gplusUserUid foundUser = userService.getUser(gplusUserUid) if (foundUser == None): print "Google+ authenticate for step 1. Failed to find user" return False foundUserName = foundUser.getUserId() print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user" return False print "Google+ authenticate for step 1. Setting count steps to 1" context.set("gplus_count_login_steps", 1) postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser) print "Google+ authenticate for step 1. postLoginResult:", postLoginResult return postLoginResult elif (step == 2): print "Google+ authenticate for step 2" gplusUserUidArray = requestParameters.get("gplus_user_uid") if ArrayHelper.isEmpty(gplusUserUidArray): print "Google+ authenticate for step 2. 
gplus_user_uid is empty" return False gplusUserUid = encryptionService.decrypt(gplusUserUidArray[0]) passedStep1 = StringHelper.isNotEmptyString(gplusUserUid) if (not passedStep1): return False credentials = Identity.instance().getCredentials() userName = credentials.getUsername() userPassword = credentials.getPassword() loggedIn = False if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)): loggedIn = userService.authenticate(userName, userPassword) if (not loggedIn): return False # Check if there is user which has gplusUserUid # Avoid mapping Google account to more than one IDP account foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid) if (foundUser == None): # Add gplusUserUid to user one id UIDs foundUser = userService.addUserAttribute(userName, "oxExternalUid", "gplus:" + gplusUserUid) if (foundUser == None): print "Google+ authenticate for step 2. Failed to update current user" return False postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser) print "Google+ authenticate for step 2. postLoginResult:", postLoginResult return postLoginResult else: foundUserName = foundUser.getUserId() print "Google+ authenticate for step 2. foundUserName:"******"Google+ authenticate for step 2. postLoginResult:", postLoginResult return postLoginResult return False else: return False
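def authenticate(self, configurationAttributes, requestParameters, step):
    """Authenticate a user against the Asimba/SAML identity provider.

    Step 1 consumes the ``SAMLResponse`` posted back by the IdP (or, when
    ``saml_allow_basic_login`` is on and the login form carried a username and
    password, falls back to local password authentication).  Depending on
    ``saml_deployment_type`` the asserted identity is then mapped to an
    existing local account (``map``), auto-enrolled (``enroll`` /
    ``enroll_all_attr``), or looked up directly by uid (any other value).

    Step 2 is reached only in ``map`` mode when no local account is linked
    yet: the user proves ownership of a local account with a password and the
    SAML NameID is stored in that account's ``oxExternalUid``.

    Returns True when the step succeeded (for SAML branches, the result of
    samlExtensionPostLogin), False otherwise.  Side effects: writes the
    ``saml_count_login_steps`` / ``saml_user_uid`` working parameters and may
    create or update LDAP user entries.
    """
    identity = CdiUtil.bean(Identity)
    credentials = identity.getCredentials()
    userService = CdiUtil.bean(UserService)
    authenticationService = CdiUtil.bean(AuthenticationService)

    saml_map_user = False
    saml_enroll_user = False
    saml_enroll_all_user_attr = False
    # Use saml_deployment_type only if there is no attributes mapping
    if configurationAttributes.containsKey("saml_deployment_type"):
        saml_deployment_type = StringHelper.toLowerCase(
            configurationAttributes.get("saml_deployment_type").getValue2())
        saml_map_user = StringHelper.equalsIgnoreCase(saml_deployment_type, "map")
        saml_enroll_user = StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")
        saml_enroll_all_user_attr = StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")

    saml_allow_basic_login = False
    if configurationAttributes.containsKey("saml_allow_basic_login"):
        saml_allow_basic_login = StringHelper.toBoolean(
            configurationAttributes.get("saml_allow_basic_login").getValue2(), False)

    # Username/password login is honoured only when explicitly enabled and the
    # form actually carried both fields.
    use_basic_auth = False
    if saml_allow_basic_login:
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()
        if StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password):
            use_basic_auth = True

    if step == 1 and use_basic_auth:
        print "Asimba. Authenticate for step 1. Basic authentication"
        identity.setWorkingParameter("saml_count_login_steps", 1)
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()
        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            logged_in = authenticationService.authenticate(user_name, user_password)
        return bool(logged_in)

    if step == 1:
        print "Asimba. Authenticate for step 1"
        currentSamlConfiguration = self.getCurrentSamlConfiguration(
            self.samlConfiguration, configurationAttributes, requestParameters)
        if currentSamlConfiguration is None:
            print "Asimba. Prepare for step 1. Client saml configuration is invalid"
            return False

        saml_response_array = requestParameters.get("SAMLResponse")
        if ArrayHelper.isEmpty(saml_response_array):
            print "Asimba. Authenticate for step 1. saml_response is empty"
            return False
        saml_response = saml_response_array[0]
        # NOTE(review): this logs the complete base64 SAML response (the whole
        # assertion and every attribute in it) on every login.
        print "Asimba. Authenticate for step 1. saml_response: '%s'" % saml_response

        samlResponse = Response(currentSamlConfiguration)
        samlResponse.loadXmlFromBase64(saml_response)

        # Response validation (whatever Response.isValid checks) is on unless
        # the deployment explicitly turns it off.  Turning it off means any
        # browser can post a self-made assertion and be logged in as its NameID.
        saml_validate_response = True
        if configurationAttributes.containsKey("saml_validate_response"):
            saml_validate_response = StringHelper.toBoolean(
                configurationAttributes.get("saml_validate_response").getValue2(), False)
        if saml_validate_response and not samlResponse.isValid():
            print "Asimba. Authenticate for step 1. saml_response isn't valid"
            # Fail closed.  Previously this branch only logged and fell through
            # to trust the unverified NameID/attributes, so a forged or
            # tampered response could still complete the login.
            return False

        saml_response_attributes = samlResponse.getAttributes()
        print "Asimba. Authenticate for step 1. attributes: '%s'" % saml_response_attributes

        if saml_map_user:
            saml_user_uid = self.getSamlNameId(samlResponse)
            if saml_user_uid is None:
                return False
            # Use mapping to local IDP user
            print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
            if find_user_by_uid is None:
                # Nobody is linked to this NameID yet: park it in the session
                # and ask for a local password in step 2 to link the accounts.
                print "Asimba. Authenticate for step 1. Failed to find user"
                print "Asimba. Authenticate for step 1. Setting count steps to 2"
                identity.setWorkingParameter("saml_count_login_steps", 2)
                identity.setWorkingParameter("saml_user_uid", saml_user_uid)
                return True
            return self._completeStep1Login(identity, authenticationService, configurationAttributes, find_user_by_uid)

        elif saml_enroll_user or saml_enroll_all_user_attr:
            # Convert SAML response to user entry
            if saml_enroll_user:
                newUser = self.getMappedUser(configurationAttributes, requestParameters, saml_response_attributes)
            else:
                newUser = self.getMappedAllAttributesUser(saml_response_attributes)
            saml_user_uid = self.getNameId(samlResponse, newUser)
            if saml_user_uid is None:
                return False
            self.setDefaultUid(newUser, saml_user_uid)
            newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
            # Use auto enrollment to local IDP
            print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
            find_user_by_uid = self._enrollOrUpdateSamlUser(userService, find_user_by_uid, newUser, saml_user_uid)
            if find_user_by_uid is None:
                return False
            return self._completeStep1Login(identity, authenticationService, configurationAttributes, find_user_by_uid)

        else:
            # NameID is used directly as the local uid.  The original never
            # assigned saml_user_uid on this path (UnboundLocalError); it is
            # resolved here the same way the "map" branch does.
            saml_user_uid = self.getSamlNameId(samlResponse)
            if saml_user_uid is None:
                return False
            print "Asimba. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid
            find_user_by_uid = userService.getUser(saml_user_uid)
            if find_user_by_uid is None:
                print "Asimba. Authenticate for step 1. Failed to find user"
                return False
            return self._completeStep1Login(identity, authenticationService, configurationAttributes, find_user_by_uid)

    elif step == 2:
        print "Asimba. Authenticate for step 2"
        sessionAttributes = identity.getSessionId().getSessionAttributes()
        if sessionAttributes is None or not sessionAttributes.containsKey("saml_user_uid"):
            print "Asimba. Authenticate for step 2. saml_user_uid is empty"
            return False
        # The NameID comes from the server-side session written in step 1,
        # never from the request, so the client cannot choose which external
        # identity gets linked.
        saml_user_uid = sessionAttributes.get("saml_user_uid")
        if not StringHelper.isNotEmptyString(saml_user_uid):
            return False

        # Linking requires proof of the local account: a valid password.
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()
        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            logged_in = authenticationService.authenticate(user_name, user_password)
        if not logged_in:
            return False

        # Avoid mapping one Saml account to more than one IDP account
        find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
        if find_user_by_uid is None:
            # Add saml_user_uid to the authenticated user's external UIDs
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:%s" % saml_user_uid)
            if find_user_by_uid is None:
                print "Asimba. Authenticate for step 2. Failed to update current user"
                return False
        else:
            found_user_name = find_user_by_uid.getUserId()
            print "Asimba. Authenticate for step 2. found_user_name: '%s'" % found_user_name
            if not StringHelper.equals(user_name, found_user_name):
                # Already linked to a different local account.
                return False
        post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
        print "Asimba. Authenticate for step 2. post_login_result: '%s'" % post_login_result
        return post_login_result

    else:
        return False

def _completeStep1Login(self, identity, authenticationService, configurationAttributes, user):
    """Make ``user`` the authenticated principal and run the post-login hook.

    Shared tail of every SAML step-1 branch: marks the flow as single-step
    and returns the samlExtensionPostLogin result, or False when the local
    authentication did not return a truthy value (fail closed).
    """
    found_user_name = user.getUserId()
    print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name
    user_authenticated = authenticationService.authenticate(found_user_name)
    if not user_authenticated:
        print "Asimba. Authenticate for step 1. Failed to authenticate user"
        return False
    print "Asimba. Authenticate for step 1. Setting count steps to 1"
    identity.setWorkingParameter("saml_count_login_steps", 1)
    post_login_result = self.samlExtensionPostLogin(configurationAttributes, user)
    print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result
    return post_login_result

def _enrollOrUpdateSamlUser(self, userService, find_user_by_uid, newUser, saml_user_uid):
    """Create ``newUser`` in LDAP, or refresh the already-linked entry.

    ``find_user_by_uid`` is the entry currently linked to the NameID, or
    None.  Returns the persisted entry, or None when enrollment was refused
    because another entry already holds the same key attributes (the user is
    told so through FacesMessages).
    """
    if find_user_by_uid is None:
        # Auto user enrollment
        print "Asimba. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
        print "Asimba. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (
            saml_user_uid, newUser.getCustomAttributes())
        if not self.checkUserUniqueness(newUser):
            print "Asimba. Authenticate for step 1. Failed to add user: '%s'. User not unique" % newUser.getUserId()
            facesMessages = CdiUtil.bean(FacesMessages)
            facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to enroll. User with same key attributes exist already")
            facesMessages.setKeepMessages()
            return None
        added_user = userService.addUser(newUser, True)
        print "Asimba. Authenticate for step 1. Added new user with UID: '%s'" % added_user.getUserId()
        return added_user

    if self.updateUser:
        # Attribute values asserted by the IdP replace the local ones.
        print "Asimba. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (
            saml_user_uid, newUser.getCustomAttributes())
        find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes())
        userService.updateUser(find_user_by_uid)
        print "Asimba. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
    return find_user_by_uid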
def authenticate(self, configurationAttributes, requestParameters, step): duo_host = configurationAttributes.get("duo_host").getValue2() credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() if (step == 1): print "Duo. Authenticate for step 1" user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = Component.getInstance(UserService) logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False authenticationService = Component.getInstance( AuthenticationService) user = authenticationService.getAuthenticatedUser() if (self.use_duo_group): print "Duo. Authenticate for step 1. Checking if user belong to Duo group" is_member_duo_group = self.isUserMemberOfGroup( user, self.audit_attribute, self.duo_group) if (is_member_duo_group): print "Duo. Authenticate for step 1. User '" + user.getUserId( ) + "' member of Duo group" duo_count_login_steps = 2 else: self.processAuditGroup(user) duo_count_login_steps = 1 context = Contexts.getEventContext() context.set("duo_count_login_steps", duo_count_login_steps) return True elif (step == 2): print "Duo. Authenticate for step 2" sig_response_array = requestParameters.get("sig_response") if ArrayHelper.isEmpty(sig_response_array): print "Duo. Authenticate for step 2. sig_response is empty" return False duo_sig_response = sig_response_array[0] print "Duo. Authenticate for step 2. duo_sig_response: " + duo_sig_response authenticated_username = duo_web.verify_response( self.ikey, self.skey, self.akey, duo_sig_response) print "Duo. Authenticate for step 2. 
authenticated_username: "******", expected user_name: " + user_name if (not StringHelper.equals(user_name, authenticated_username)): return False authenticationService = Component.getInstance( AuthenticationService) user = authenticationService.getAuthenticatedUser() self.processAuditGroup(user) return True else: return False
def authenticate(self, configurationAttributes, requestParameters, step):
    # Two-step basic login with a password-expiry gate.
    # Step 1: username/password against UserService.
    # Step 2: reached when oxPasswordExpirationDate says the password is due;
    #         extends the expiration date and is meant to store the password
    #         entered in the "new_password" form field.
    #
    # NOTE(review): defects visible in this block, deliberately left as-is:
    #  * new_password is read from the form but never written to the user
    #    entry before userService.updateUser(), so only the new
    #    oxPasswordExpirationDate is persisted -- the rotation gate is reset
    #    without the password actually changing.
    #  * expDate is whatever self.newExpirationDate() returns; its .strftime()
    #    use suggests a datetime, in which case `expDate + temp + "195000Z"`
    #    raises TypeError (presumably `temp + "195000Z"` was intended), and
    #    "%y" gives a 2-digit year where an LDAP generalizedTime needs 4.
    #  * Returning True when "loginForm:updateButton" is absent lets the step
    #    be passed without any password change -- confirm that is the intended
    #    "skip" behaviour and not a bypass.
    #  * The original indentation was lost; the trailing `else` is attached to
    #    the step chain to match the sibling authenticate() scripts in this file.
    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()
    if (step == 1):
        print "Basic (with password update). Authenticate for step 1"
        user_password = credentials.getPassword()
        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)
        if (not logged_in):
            return False
        return True
    elif (step == 2):
        userService = UserService.instance()
        find_user_by_uid = userService.getUser(user_name)
        if (find_user_by_uid == None):
            print "Basic (with password update). Authenticate for step 2. Failed to find user"
            return False
        # Expiration date is stored on the user entry; without it step 2 fails.
        user_expDate = find_user_by_uid.getAttribute("oxPasswordExpirationDate", False)
        if (user_expDate == None):
            print "Failed to get Date"
            return False
        print "Exp Date is : '" + user_expDate + "' ."
        now = datetime.datetime.now()
        myDate = self.parseDate(user_expDate)
        prevExpDate = self.previousExpDate(myDate)
        expDate = self.newExpirationDate(myDate)
        temp = expDate.strftime("%y%m%d")
        expDate = (expDate + temp + "195000Z")
        if prevExpDate < now:
            print "Basic (with password update). Authenticate for step 2"
            # Only set in memory here; persisted by updateUser() further down.
            find_user_by_uid.setAttribute("oxPasswordExpirationDate", expDate)
            update_button = requestParameters.get("loginForm:updateButton")
            if ArrayHelper.isEmpty(update_button):
                return True
            new_password_array = requestParameters.get("new_password")
            if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
                print "Basic (with password update). Authenticate for step 2. New password is empty"
                return False
            # Read but never applied to find_user_by_uid (see NOTE above).
            new_password = new_password_array[0]
            print "Basic (with password update). Authenticate for step 2. Attempting to set new user '" + user_name + "' password"
            userService.updateUser(find_user_by_uid)
            print "Basic (with password update). Authenticate for step 2. Password updated successfully"
            return True
    else:
        return False
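def authenticate(self, configurationAttributes, requestParameters, step):
    """Authenticate a user through OneID.

    Step 1 takes the ``json_data`` blob posted by the OneID browser widget,
    has the OneID helper server validate it (HTTP Basic auth with the API
    id/key loaded from ``oneid_creds_file``) and resolves the OneID ``uid`` to
    a local account via ``oxExternalUid = oneid:<uid>``.  When no account is
    linked yet the uid is parked in the session and the flow is extended to
    two steps.

    Step 2 links the parked OneID uid to the local account whose
    username/password the user just supplied, refusing to link one OneID uid
    to a second local account.

    Returns True when the step succeeded, False otherwise.
    """
    context = Contexts.getEventContext()
    authenticationService = AuthenticationService.instance()
    userService = UserService.instance()
    httpService = HttpService.instance()

    server_flag = configurationAttributes.get("oneid_server_flag").getValue2()
    # Read so a missing property fails early; not otherwise used in this method.
    callback_attrs = configurationAttributes.get("oneid_callback_attrs").getValue2()
    creds_file = configurationAttributes.get("oneid_creds_file").getValue2()

    # Create the OneID client and point it at the credentials file
    authn = OneID(server_flag)
    authn.creds_file = creds_file

    if step == 1:
        print "OneId. Authenticate for step 1"
        # Find OneID request
        json_data_array = requestParameters.get("json_data")
        if ArrayHelper.isEmpty(json_data_array):
            print "OneId. Authenticate for step 1. json_data is empty"
            return False
        request = json_data_array[0]
        # NOTE(review): the raw client-posted payload is logged verbatim.
        print "OneId. Authenticate for step 1. request: " + request
        if StringHelper.isEmptyString(request):
            return False

        authn.set_credentials()

        # Validate the request with the OneID helper server.
        http_client = httpService.getHttpsClientDefaulTrustStore()
        auth_data = httpService.encodeBase64(authn.api_id + ":" + authn.api_key)
        http_response = httpService.executePost(
            http_client, authn.helper_server + "/validate", auth_data, request, ContentType.APPLICATION_JSON)
        validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_response))
        print "OneId. Authenticate for step 1. validation_content: " + validation_content
        if StringHelper.isEmptyString(validation_content):
            return False

        validation_resp = json.loads(validation_content)
        print "OneId. Authenticate for step 1. validation_resp: " + str(validation_resp)
        if not authn.success(validation_resp):
            return False

        # Overlay the helper's verdict on the posted request.  Any key the
        # helper does not return (possibly uid itself) keeps the client-posted
        # value, so this relies on /validate having checked the integrity of
        # the whole posted payload -- confirm against the OneID helper contract.
        response = json.loads(request)
        response.update(validation_resp)
        if 'uid' not in response:
            print "OneId. Authenticate for step 1. Validated response carries no uid"
            return False
        oneid_user_uid = response['uid']
        print "OneId. Authenticate for step 1. oneid_user_uid: " + oneid_user_uid

        # Check if there is a user with the specified oneid_user_uid
        find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "oneid:" + oneid_user_uid)
        if find_user_by_uid is None:
            # Nobody linked yet: park the uid server-side and ask for a local
            # password in step 2.
            print "OneId. Authenticate for step 1. Failed to find user"
            print "OneId. Authenticate for step 1. Setting count steps to 2"
            context.set("oneid_count_login_steps", 2)
            context.set("oneid_user_uid", oneid_user_uid)
            return True

        found_user_name = find_user_by_uid.getUserId()
        print "OneId. Authenticate for step 1. found_user_name: " + found_user_name
        # The validated OneID identity is trusted as-is for the linked account;
        # no local password is required on this path.
        credentials = Identity.instance().getCredentials()
        credentials.setUsername(found_user_name)
        credentials.setUser(find_user_by_uid)
        print "OneId. Authenticate for step 1. Setting count steps to 1"
        context.set("oneid_count_login_steps", 1)
        return True

    elif step == 2:
        print "OneId. Authenticate for step 2"
        sessionAttributes = context.get("sessionAttributes")
        if sessionAttributes is None or not sessionAttributes.containsKey("oneid_user_uid"):
            print "OneId. Authenticate for step 2. oneid_user_uid is empty"
            return False
        # uid comes from the server-side session written in step 1, not from
        # the request, so the client cannot choose which identity to link.
        oneid_user_uid = sessionAttributes.get("oneid_user_uid")
        if not StringHelper.isNotEmptyString(oneid_user_uid):
            return False

        # `credentials` was only ever assigned inside the step-1 branch (the
        # line below was commented out), so step 2 raised UnboundLocalError
        # before it could link anything.
        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()
        # Linking requires proof of the local account: a valid password.
        logged_in = False
        if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
            logged_in = userService.authenticate(user_name, user_password)
        if not logged_in:
            return False

        # Avoid mapping one OneID account to more than one IDP account
        find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "oneid:" + oneid_user_uid)
        if find_user_by_uid is None:
            # Add oneid_user_uid to the authenticated user's external UIDs
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "oneid:" + oneid_user_uid)
            if find_user_by_uid is None:
                print "OneId. Authenticate for step 2. Failed to update current user"
                return False
            return True

        found_user_name = find_user_by_uid.getUserId()
        print "OneId. Authenticate for step 2. found_user_name: " + found_user_name
        # Already linked: succeed only if it is linked to this very account.
        return StringHelper.equals(user_name, found_user_name)

    else:
        return False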
def authenticate(self, configurationAttributes, requestParameters, step): context = Contexts.getEventContext() userService = UserService.instance() stringEncrypter = StringEncrypter.defaultInstance() oxpush_user_timeout = int(configurationAttributes.get("oxpush_user_timeout").getValue2()) oxpush_application_name = configurationAttributes.get("oxpush_application_name").getValue2() credentials = Identity.instance().getCredentials() user_name = credentials.getUsername() if (step == 1): print "oxPush authenticate for step 1" user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = UserService.instance() logged_in = userService.authenticate(user_name, user_password) if (not logged_in): return False # Find user by uid userService = UserService.instance() find_user_by_uid = userService.getUser(user_name) if (find_user_by_uid == None): print "oxPush authenticate for step 1. Failed to find user" return False # Check if the user paired account to phone user_external_uid_attr = userService.getCustomAttribute(find_user_by_uid, "oxExternalUid") if ((user_external_uid_attr == None) or (user_external_uid_attr.getValues() == None)): print "oxPush authenticate for step 1. There is no external UIDs for user: "******"oxPush authenticate for step 1. There is no oxPush UID for user: "******"oxPush authenticate for step 1. oxpush_user_uid: ", oxpush_user_uid deployment_status = self.oxPushClient.getDeploymentStatus(oxpush_user_uid); if (deployment_status.result): print "oxPush authenticate for step 1. Deployment status is valid" if ("enabled" == deployment_status.status): print "oxPush authenticate for step 1. Deployment is enabled" context.set("oxpush_user_uid", stringEncrypter.encrypt(oxpush_user_uid)) else: print "oxPush authenticate for step 1. Deployment is disabled" return False else: print "oxPush authenticate for step 1. Deployment status is invalid. 
Force user to pair again" # Remove oxpush_user_uid from user entry find_user_by_uid = userService.removeUserAttribute(user_name, "oxExternalUid", "oxpush:" + oxpush_user_uid) if (find_user_by_uid == None): print "oxPush authenticate for step 1. Failed to update current user" return False return True elif (step == 2): print "oxPush authenticate for step 2" passed_step1 = self.isPassedDefaultAuthentication if (not passed_step1): return False oxpush_user_uid_array = requestParameters.get("oxpush_user_uid") if (ArrayHelper.isEmpty(oxpush_user_uid_array) or StringHelper.isEmptyString(oxpush_user_uid_array[0])): print "oxPush authenticate for step 2. oxpush_user_uid is empty" oxpush_pairing_uid_array = requestParameters.get("oxpush_pairing_uid") if (ArrayHelper.isEmpty(oxpush_pairing_uid_array) or StringHelper.isEmptyString(oxpush_pairing_uid_array[0])): print "oxPush authenticate for step 2. oxpush_pairing_uid is empty" return False oxpush_pairing_uid = stringEncrypter.decrypt(oxpush_pairing_uid_array[0]) # Check pairing status pairing_status = self.checkStatus("pair", oxpush_pairing_uid, oxpush_user_timeout) if (pairing_status == None): print "oxPush authenticate for step 2. The pairing has not been authorized by user" return False oxpush_user_uid = pairing_status.deploymentId print "oxPush authenticate for step 2. Storing oxpush_user_uid in user entry", oxpush_user_uid # Store oxpush_user_uid in user entry find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "oxpush:" + oxpush_user_uid) if (find_user_by_uid == None): print "oxPush authenticate for step 2. Failed to update current user" return False context.set("oxpush_count_login_steps", 2) context.set("oxpush_user_uid", stringEncrypter.encrypt(oxpush_user_uid)) else: print "oxPush authenticate for step 2. 
Deployment status is valid" return True elif (step == 3): print "oxPush authenticate for step 3" passed_step1 = self.isPassedDefaultAuthentication if (not passed_step1): return False oxpush_user_uid_array = requestParameters.get("oxpush_user_uid") if ArrayHelper.isEmpty(oxpush_user_uid_array): print "oxPush authenticate for step 3. oxpush_user_uid is empty" return False oxpush_user_uid = stringEncrypter.decrypt(oxpush_user_uid_array[0]) # Initialize authentication process authentication_request = None try: authentication_request = self.oxPushClient.authenticate(oxpush_user_uid, user_name); except java.lang.Exception, err: print "oxPush authenticate for step 3. Failed to initialize authentication process: ", err return False if (not authentication_request.result): print "oxPush authenticate for step 3. Failed to initialize authentication process" return False # Check authentication status authentication_status = self.checkStatus("authenticate", authentication_request.authenticationId, oxpush_user_timeout) if (authentication_status == None): print "oxPush authenticate for step 3. The authentication has not been authorized by user" return False print "oxPush authenticate for step 3. The request was granted" return True
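def authenticate(self, configurationAttributes, requestParameters, step):
    """Run one step of the SAML login flow and report whether it passed.

    Step 1 reads the ``SAMLResponse`` request parameter, parses it against the
    current SAML configuration and validates it unless
    ``saml_validate_response`` is configured false.  It then acts on
    ``saml_deployment_type``: ``map`` links the asserted NameID to an existing
    local account via ``oxExternalUid`` (``saml:<NameID>``), ``enroll`` and
    ``enroll_all_attr`` create or update a local account from the asserted
    attributes, and with no deployment type the NameID is looked up as a local
    uid.  When ``saml_allow_basic_login`` is set and the credentials carry a
    username and password, step 1 is a plain password login instead.
    Step 2 is reached only in ``map`` mode when no local account carried the
    NameID: the user logs in with a password and the NameID is attached to
    that account.

    Args:
        configurationAttributes: script configuration (``containsKey``/``get``).
        requestParameters: request parameter map; values are arrays.
        step: 1-based login step being processed.

    Returns:
        True when the step passed, False otherwise.  Where the post-login
        extension runs, its result is the step result.
    """
    context = Contexts.getEventContext()
    authenticationService = AuthenticationService.instance()
    userService = UserService.instance()

    saml_map_user = False
    saml_enroll_user = False
    saml_enroll_all_user_attr = False
    # Use saml_deployment_type only if there is no attributes mapping
    if (configurationAttributes.containsKey("saml_deployment_type")):
        saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2())
        if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")):
            saml_map_user = True
        if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")):
            saml_enroll_user = True
        if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")):
            saml_enroll_all_user_attr = True

    saml_allow_basic_login = False
    if (configurationAttributes.containsKey("saml_allow_basic_login")):
        saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False)

    use_basic_auth = False
    if (saml_allow_basic_login):
        # Detect if the user used the basic authentication method
        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()
        if (StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password)):
            use_basic_auth = True

    if ((step == 1) and saml_allow_basic_login and use_basic_auth):
        print "Saml. Authenticate for step 1. Basic authentication"
        context.set("saml_count_login_steps", 1)

        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)

        if (not logged_in):
            return False
        return True

    if (step == 1):
        print "Saml. Authenticate for step 1"

        currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
        if (currentSamlConfiguration == None):
            print "Saml. Prepare for step 1. Client saml configuration is invalid"
            return False

        saml_response_array = requestParameters.get("SAMLResponse")
        if ArrayHelper.isEmpty(saml_response_array):
            print "Saml. Authenticate for step 1. saml_response is empty"
            return False
        saml_response = saml_response_array[0]
        print "Saml. Authenticate for step 1. saml_response: '%s'" % saml_response

        samlResponse = Response(currentSamlConfiguration)
        samlResponse.loadXmlFromBase64(saml_response)

        saml_validate_response = True
        if (configurationAttributes.containsKey("saml_validate_response")):
            saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False)

        if (saml_validate_response):
            if (not samlResponse.isValid()):
                print "Saml. Authenticate for step 1. saml_response isn't valid"
                # A response that fails validation must end the step.  Previously
                # the failure was only logged and the unverified assertion was
                # still used to map or enroll the user.
                return False

        saml_response_attributes = samlResponse.getAttributes()
        print "Saml. Authenticate for step 1. attributes: '%s'" % saml_response_attributes

        if (saml_map_user):
            saml_user_uid = self.getSamlNameId(samlResponse)
            if saml_user_uid == None:
                return False

            # Use mapping to local IDP user
            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
            # Check if there is a user with the specified saml_user_uid
            find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
            if (find_user_by_uid == None):
                # No account carries this NameID yet: step 2 will ask for a
                # password and attach the NameID to that account.
                print "Saml. Authenticate for step 1. Failed to find user"
                print "Saml. Authenticate for step 1. Setting count steps to 2"
                context.set("saml_count_login_steps", 2)
                context.set("saml_user_uid", saml_user_uid)
                return True

            return self._samlFinishLogin(configurationAttributes, context, authenticationService, find_user_by_uid)
        elif (saml_enroll_user):
            # Convert SAML response to user entry
            newUser = self.getMappedUser(configurationAttributes, requestParameters, saml_response_attributes)
            saml_user_uid = self.getNameId(samlResponse, newUser)
            if saml_user_uid == None:
                return False

            self.setDefaultUid(newUser, saml_user_uid)
            newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid)

            # Use auto enrollment to local IDP
            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
            find_user_by_uid = self._samlEnrollOrUpdateUser(userService, newUser, saml_user_uid)
            if (find_user_by_uid == None):
                return False

            return self._samlFinishLogin(configurationAttributes, context, authenticationService, find_user_by_uid)
        elif (saml_enroll_all_user_attr):
            # Convert SAML response to user entry
            newUser = self.getMappedAllAttributesUser(saml_response_attributes)
            saml_user_uid = self.getNameId(samlResponse, newUser)
            if saml_user_uid == None:
                return False

            self.setDefaultUid(newUser, saml_user_uid)
            newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid)

            print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:%s" % saml_user_uid
            find_user_by_uid = self._samlEnrollOrUpdateUser(userService, newUser, saml_user_uid)
            if (find_user_by_uid == None):
                return False

            return self._samlFinishLogin(configurationAttributes, context, authenticationService, find_user_by_uid)
        else:
            # No deployment type: the asserted NameID is used as the local uid.
            # The NameID is resolved here the same way the "map" branch does;
            # the original read saml_user_uid in this branch without assigning it.
            saml_user_uid = self.getSamlNameId(samlResponse)
            if saml_user_uid == None:
                return False

            # Check if there is a user with the specified saml_user_uid
            print "Saml. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid
            find_user_by_uid = userService.getUser(saml_user_uid)
            if (find_user_by_uid == None):
                print "Saml. Authenticate for step 1. Failed to find user"
                return False

            return self._samlFinishLogin(configurationAttributes, context, authenticationService, find_user_by_uid)
    elif (step == 2):
        print "Saml. Authenticate for step 2"

        sessionAttributes = context.get("sessionAttributes")
        if (sessionAttributes == None) or not sessionAttributes.containsKey("saml_user_uid"):
            print "Saml. Authenticate for step 2. saml_user_uid is empty"
            return False

        # The NameID carried over from step 1; an empty value means step 1 did not run
        saml_user_uid = sessionAttributes.get("saml_user_uid")
        passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
        if (not passed_step1):
            return False

        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            logged_in = userService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        # Check if there is a user which already has saml_user_uid
        # Avoid mapping a Saml account to more than one IDP account
        find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
        if (find_user_by_uid == None):
            # Add saml_user_uid to the user's external UIDs
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:%s" % saml_user_uid)
            if (find_user_by_uid == None):
                print "Saml. Authenticate for step 2. Failed to update current user"
                return False

            post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
            print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
            return post_login_result
        else:
            # The NameID is already mapped: only the account that owns it may log in
            found_user_name = find_user_by_uid.getUserId()
            print "Saml. Authenticate for step 2. found_user_name: '%s'" % found_user_name

            if StringHelper.equals(user_name, found_user_name):
                post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
                print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
                return post_login_result

            return False
    else:
        return False

def _samlEnrollOrUpdateUser(self, userService, newUser, saml_user_uid):
    """Store or refresh the local account built from the SAML attributes.

    Looks the account up by ``oxExternalUid`` = ``saml:<NameID>``.  When none
    exists the entry is added after ``checkUserUniqueness``; when one exists
    and ``self.updateUser`` is set its custom attributes are replaced with the
    freshly mapped ones.

    Returns:
        The stored user entry, or None when enrollment was refused because the
        key attributes collide with an existing account (an error faces
        message is queued for the login page in that case).
    """
    # Check if there is a user with the specified saml_user_uid
    find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
    if (find_user_by_uid == None):
        # Auto user enrollment
        print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
        print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())

        user_unique = self.checkUserUniqueness(newUser)
        if not user_unique:
            # '%s' placeholder restored: the original literal had no directive
            # for its "%" operand and would have raised at run time.
            print "Saml. Authenticate for step 1. Failed to add user: '%s'. User not unique" % newUser.getUserId()
            facesMessages = FacesMessages.instance()
            facesMessages.add(StatusMessage.Severity.ERROR, "Failed to enroll. User with same key attributes exist already")
            FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True)
            return None

        find_user_by_uid = userService.addUser(newUser, True)
        print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId()
    elif self.updateUser:
        print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
        find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes())
        userService.updateUser(find_user_by_uid)
        print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid

    return find_user_by_uid

def _samlFinishLogin(self, configurationAttributes, context, authenticationService, find_user_by_uid):
    """Authenticate the resolved local account and complete step 1.

    Marks the login as a single-step flow and returns the result of the
    post-login extension; returns False when the session could not be
    authenticated for the account.
    """
    found_user_name = find_user_by_uid.getUserId()
    print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name

    user_authenticated = authenticationService.authenticate(found_user_name)
    if (user_authenticated == False):
        print "Saml. Authenticate for step 1. Failed to authenticate user"
        return False

    print "Saml. Authenticate for step 1. Setting count steps to 1"
    context.set("saml_count_login_steps", 1)

    post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
    print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
    return post_login_result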
def authenticate(self, configurationAttributes, requestParameters, step):
    """Run one step of the Toopher login flow.

    Step 1 checks the username/password from the credentials and then reads
    the user's ``oxExternalUid`` values to find an existing Toopher pairing.
    Step 2 either pairs a phone with the ``pairing_phrase`` request parameter
    and stores the pairing id as ``oxExternalUid`` ``toopher:<id>``, or, when an
    encrypted ``toopher_user_uid`` parameter is present, re-checks that
    pairing.  Any other step falls through and returns None.
    """
    context = Contexts.getEventContext()
    userService = UserService.instance()
    stringEncrypter = StringEncrypter.defaultInstance()
    # Wait limit handed to checkPairingStatus for a freshly created pairing
    toopher_user_timeout = int(configurationAttributes.get("toopher_user_timeout").getValue2())

    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()

    if (step == 1):
        print "Toopher authenticate for step 1"
        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        # Find user by uid
        userService = UserService.instance()
        find_user_by_uid = userService.getUser(user_name)
        if (find_user_by_uid == None):
            print "Toopher authenticate for step 1. Failed to find user"
            return False

        # Check if the user paired account to phone
        user_external_uid_attr = userService.getCustomAttribute(find_user_by_uid, "oxExternalUid")
        if ((user_external_uid_attr == None) or (user_external_uid_attr.getValues() == None)):
            # NOTE(review): the remainder of step 1 is redacted ("******") in this copy.
            # The visible fragments show it ends by storing the encrypted Toopher id in
            # the context and returning True.  Kept verbatim; its indentation is unknown.
            print "Toopher authenticate for step 1. There is no external UIDs for user: "******"Toopher authenticate for step 1. There is no Topher UID for user: "******"toopher_user_uid", stringEncrypter.encrypt(topher_user_uid)) return True
    elif (step == 2):
        print "Toopher authenticate for step 2"

        # Step 2 is only meaningful after the password step succeeded
        passed_step1 = self.isPassedDefaultAuthentication
        if (not passed_step1):
            return False

        toopher_user_uid_array = requestParameters.get("toopher_user_uid")
        if (ArrayHelper.isEmpty(toopher_user_uid_array) or StringHelper.isEmptyString(toopher_user_uid_array[0])):
            print "Toopher authenticate for step 2. toopher_user_uid is empty"

            # Pair with phone
            pairing_phrase_array = requestParameters.get("pairing_phrase")
            if ArrayHelper.isEmpty(pairing_phrase_array):
                print "Toopher authenticate for step 2. pairing_phrase is empty"
                return False

            pairing_phrase = pairing_phrase_array[0]
            try:
                pairing_status = self.tapi.pair(pairing_phrase, user_name);
                toopher_user_uid = pairing_status.id;
            except RequestError, err:
                print "Toopher authenticate for step 2. Failed pair with phone: ", err
                return False

            # The phone has to confirm the pairing within toopher_user_timeout
            pairing_result = self.checkPairingStatus(toopher_user_uid, toopher_user_timeout)
            if (not pairing_result):
                print "Toopher authenticate for step 2. The pairing has not been authorized by the phone yet"
                return False

            print "Toopher authenticate for step 2. Storing toopher_user_uid in user entry", toopher_user_uid

            # Store toopher_user_uid in user entry
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "toopher:" + toopher_user_uid)
            if (find_user_by_uid == None):
                print "Toopher authenticate for step 2. Failed to update current user"
                return False

            # Only the encrypted form of the id is exposed to the page
            context.set("toopher_user_uid", stringEncrypter.encrypt(toopher_user_uid))
        else:
            toopher_user_uid = stringEncrypter.decrypt(toopher_user_uid_array[0])

            # Check pairing status; an existing pairing is checked without waiting
            print "Toopher authenticate for step 2. toopher_user_uid: ", toopher_user_uid
            pairing_result = self.checkPairingStatus(toopher_user_uid, 0)
            if (not pairing_result):
                print "Toopher authenticate for step 2. The pairing has not been authorized by the phone yet"
                return False

        return True
def authenticate(self, configurationAttributes, requestParameters, step):
    """Run one step of the WiKID login flow.

    Step 1 checks the username/password from the credentials and decides,
    from the user's registered devices, whether a token registration step is
    needed.  Every later step is dispatched on the ``wikid_registration``
    session flag rather than on the step number: True runs the device
    registration with the ``regcode`` request parameter, False checks the
    ``passcode`` request parameter against the WiKID server.
    """
    print "Wikid. Authentication. Checking client"
    # self.wc is the WiKID client set up elsewhere in the script; without it nothing below can work
    if (not self.wc.isConnected()):
        print "Wikid. Authentication. Wikid client state is invalid"
        return False

    context = Contexts.getEventContext()

    # Session flag steering the post-step-1 flow: True -> register a token, False -> check passcode
    is_wikid_registration = False
    sessionAttributes = context.get("sessionAttributes")
    if (sessionAttributes != None) and sessionAttributes.containsKey("wikid_registration"):
        is_wikid_registration = java.lang.Boolean.valueOf(sessionAttributes.get("wikid_registration"))

    wikid_server_code = configurationAttributes.get("wikid_server_code").getValue2()

    credentials = Identity.instance().getCredentials()
    user_name = credentials.getUsername()

    if (step == 1):
        print "Wikid. Authenticate for step 1"
        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        # NOTE(review): the device lookup that follows is redacted ("******") in this copy.
        # The visible fragments show it sets wikid_count_login_steps to 3 and
        # wikid_registration to True when the user has no device, 2 otherwise, and then
        # returns True.  Kept verbatim; its indentation is unknown.
        print "Wikid. Authenticate for step 1. Attempting to find wikid_user: "******"Wikid. Authenticate for step 1. There is no associated devices for user: "******"Wikid. Authenticate for step 1. Setting count steps to 3" context.set("wikid_count_login_steps", 3) context.set("wikid_registration", True) else: context.set("wikid_count_login_steps", 2) return True
    elif (is_wikid_registration):
        print "Wikid. Authenticate for step wikid_register_device"
        userService = UserService.instance()

        wikid_regcode_array = requestParameters.get("regcode")
        if ArrayHelper.isEmpty(wikid_regcode_array):
            print "Wikid. Authenticate for step wikid_register_device. Regcode is empty"
            return False

        wikid_regcode = wikid_regcode_array[0]
        # NOTE(review): the user name part of this log line is redacted ("******") in this copy
        print "Wikid. Authenticate for step wikid_register_device. User: "******", regcode: " + wikid_regcode

        # registerUsername reports success as 0
        register_result = self.wc.registerUsername(user_name, wikid_regcode, wikid_server_code);
        is_valid = register_result == 0
        if is_valid:
            print "Wikid. Authenticate for step wikid_register_device. User: "******" token registered successfully"
            # Add wikid_regcode to user UIDs
            find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "wikid:" + wikid_regcode)
            if (find_user_by_uid == None):
                # NOTE(review): redacted ("******") in this copy; the visible tail shows
                # the wikid_registration flag being cleared.  Kept verbatim.
                print "Wikid. Authenticate for step wikid_register_device. Failed to update user: "******"wikid_registration", False)
        else:
            print "Wikid. Authenticate for step wikid_register_device. Failed to register user: "******" token:" + wikid_regcode + ". Registration result:", register_result

        return is_valid
    elif (not is_wikid_registration):
        print "Wikid. Authenticate for step wikid_check_passcode"

        wikid_passcode_array = requestParameters.get("passcode")
        if ArrayHelper.isEmpty(wikid_passcode_array):
            print "Wikid. Authenticate for step wikid_check_passcode. Passcode is empty"
            return False

        wikid_passcode = wikid_passcode_array[0]
        # NOTE(review): the passcode check itself is redacted ("******") in this copy;
        # is_valid is computed in the missing part.  Kept verbatim; indentation unknown.
        print "Wikid. Authenticate for step wikid_check_passcode. wikid_user: "******"Wikid. Authenticate for step wikid_check_passcode. wikid_user: "******" authenticated successfully" else: print "Wikid. Authenticate for step wikid_check_passcode. Failed to authenticate. wikid_user: " + user_name return is_valid
    else:
        return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Run one step of the WiKID login flow (application-scoped client variant).

    The WiKID client is kept in the application context under ``wClient`` and
    rebuilt from the ``wikid_*`` configuration attributes whenever it is
    missing or disconnected.  Step 1 checks the username/password from the
    credentials and passes when the client is connected.  Step 2 checks the
    ``username``/``passcode`` request parameters against the WiKID server.
    """
    context = Contexts.getApplicationContext()

    print "Wikid. Authentication. Cheking client"
    # Application context: the client is shared by every session on this server
    wc = context.get("wClient")
    if ((wc is None) or (not wc.isConnected())):
        print "Wikid. Authenticate for step 1. Creating new client."
        wikid_server_host = configurationAttributes.get("wikid_server_host").getValue2()
        wikid_server_port = int(configurationAttributes.get("wikid_server_port").getValue2())
        wikid_cert_path = configurationAttributes.get("wikid_cert_path").getValue2()
        wikid_cert_pass = configurationAttributes.get("wikid_cert_pass").getValue2()
        wikid_ca_store_path = configurationAttributes.get("wikid_ca_store_path").getValue2()
        wikid_ca_store_pass = configurationAttributes.get("wikid_ca_store_pass").getValue2()

        wc = wClient(wikid_server_host, wikid_server_port, wikid_cert_path, wikid_cert_pass, wikid_ca_store_path, wikid_ca_store_pass)
        context.set("wClient", wc)

    if (step == 1):
        print "Wikid. Authenticate for step 1"

        credentials = Identity.instance().getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            userService = UserService.instance()
            logged_in = userService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        # A disconnected client fails the step even after a good password
        return wc.isConnected()
    elif (step == 2):
        print "Wikid. Authenticate for step 2"

        wc = context.get("wClient")
        if (wc is None):
            print "Wikid. Authenticate. Client is invalid"
            return False

        # NOTE(review): the account checked here is the request's "username" parameter,
        # not the username authenticated in step 1; confirm the login form binds this
        # field to the step-1 user, otherwise the second factor is verified for a name
        # the client chose.
        wikid_user_array = requestParameters.get("username")
        wikid_passcode_array = requestParameters.get("passcode")
        if ArrayHelper.isEmpty(wikid_user_array) or ArrayHelper.isEmpty(wikid_passcode_array):
            print "Wikid. Authenticate. Username or passcode is empty"
            return False

        wikid_user = wikid_user_array[0]
        wikid_passcode = wikid_passcode_array[0]
        wikid_server_code = configurationAttributes.get("wikid_server_code").getValue2()

        # NOTE(review): the passcode check itself is redacted ("******") in this copy;
        # is_valid is computed in the missing part.  Kept verbatim; indentation unknown.
        print "Wikid. Authenticate for step 2 wikid_user: "******"Wikid. Authenticate for step 2. wikid_user: "******" authenticated successfully" else: print "Wikid. Authenticate for step 2. Failed to authenticate. wikid_user: " + wikid_user return is_valid
    else:
        return False
def authenticate(self, configurationAttributes, requestParameters, step):
    """Run one step of the InWebo login flow.

    Step 1 with Helium enabled: the ``login``/``password`` request parameters
    are validated through ``validateInweboToken`` and the user is then signed
    in by name only.  Step 1 without Helium: the username/password from the
    credentials are checked against the local directory.  Step 2: the
    ``iw_token`` request parameter is validated for the credentials' username,
    provided the default authentication step passed.  Any other step fails.

    Returns:
        True when the step passed, False otherwise.
    """
    event_context = Contexts.getEventContext()
    userService = UserService.instance()

    api_uri = configurationAttributes.get("iw_api_uri").getValue2()
    service_id = configurationAttributes.get("iw_service_id").getValue2()
    helium_enabled = Boolean(configurationAttributes.get("iw_helium_enabled").getValue2()).booleanValue()
    if helium_enabled:
        # Helium collapses the flow into a single login step
        event_context.set("iw_count_login_steps", 1)

    creds = Identity.instance().getCredentials()
    user_name = creds.getUsername()

    if step == 1:
        print "InWebo. Authenticate for step 1"
        print "InWebo. Authenticate for step 1. iw_helium_enabled:", helium_enabled
        user_password = creds.getPassword()

        if not helium_enabled:
            # Plain password check against the local directory
            if not (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
                return False
            userService = UserService.instance()
            return userService.authenticate(user_name, user_password)

        # Helium: the name and password come from the request, not the credentials
        login_values = requestParameters.get("login")
        if ArrayHelper.isEmpty(login_values):
            print "InWebo. Authenticate for step 1. login is empty"
            return False
        user_name = login_values[0]

        password_values = requestParameters.get("password")
        if ArrayHelper.isEmpty(password_values):
            print "InWebo. Authenticate for step 1. password is empty"
            return False
        user_password = password_values[0]

        if not self.validateInweboToken(api_uri, service_id, user_name, user_password):
            return False

        # InWebo vouched for the user; the local sign-in is by name only
        if not StringHelper.isNotEmptyString(user_name):
            return False
        userService = UserService.instance()
        return userService.authenticate(user_name)

    if step == 2:
        print "InWebo. Authenticate for step 2"

        if not self.isPassedDefaultAuthentication:
            return False

        token_values = requestParameters.get("iw_token")
        if ArrayHelper.isEmpty(token_values):
            print "InWebo. Authenticate for step 2. iw_token is empty"
            return False

        return self.validateInweboToken(api_uri, service_id, user_name, token_values[0])

    return False
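def authenticate(self, configurationAttributes, requestParameters, step):
    """Run one step of the compromised-password login flow.

    Step 1 checks the username/password from the credentials, reads the
    ``mail`` attribute of the authenticated user and asks
    ``self.is_compromised`` about the password.  A positive answer is recorded
    in the ``pwd_compromised`` and ``user_name`` working parameters for the
    later steps; the step itself passes either way.  Step 2 compares the
    ``loginForm:question`` answer with ``self.secretanswer``.  Step 3 stores
    the ``new_password`` request parameter as the authenticated user's
    ``userPassword`` and re-authenticates that user.

    Args:
        configurationAttributes: script configuration, forwarded to ``is_compromised``.
        requestParameters: request parameter map; values are arrays.
        step: 1-based login step being processed.

    Returns:
        True when the step passed, False otherwise.
    """
    identity = CdiUtil.bean(Identity)
    userService = CdiUtil.bean(UserService)
    authenticationService = CdiUtil.bean(AuthenticationService)

    if step == 1:
        credentials = identity.getCredentials()
        user_name = credentials.getUsername()
        user_password = credentials.getPassword()

        logged_in = False
        if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
            logged_in = authenticationService.authenticate(user_name, user_password)

        if (not logged_in):
            return False

        find_user_by_uid = authenticationService.getAuthenticatedUser()
        status_attribute_value = userService.getCustomAttribute(find_user_by_uid, "mail")
        self.setRequestScopedParameters(identity)

        if status_attribute_value == None:
            # Without a mail attribute the breach check cannot be made; the login
            # still passes, as it does for a password that is not compromised.
            print "compromised_password. Authenticate for step 1. User has no mail attribute, skipping compromised password check"
            return True
        user_mail = status_attribute_value.getValue()

        isCompromised = self.is_compromised(user_mail, user_password, configurationAttributes)
        if isCompromised:
            # Flag the session so the follow-up steps (question, password change) run
            identity.setWorkingParameter("pwd_compromised", isCompromised)
            identity.setWorkingParameter("user_name", user_name)

        return True
    elif step == 2:
        print "compromised_password. Authenticate for step 2"

        form_answer_array = requestParameters.get("loginForm:question")
        if ArrayHelper.isEmpty(form_answer_array):
            return False

        # self.secretanswer is set elsewhere in the script (not visible here)
        form_answer = form_answer_array[0]
        if (form_answer == self.secretanswer):
            return True

        return False
    elif step == 3:
        print "compromised_password (with password update). Authenticate for step 3"

        new_password_array = requestParameters.get("new_password")
        if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty(new_password_array[0]):
            print "compromised_password (with password update). Authenticate for step 3. New password is empty"
            return False
        new_password = new_password_array[0]

        # The account whose password changes is the one authenticated in step 1,
        # never one named by the request
        user = authenticationService.getAuthenticatedUser()
        if user == None:
            print "compromised_password (with password update). Authenticate for step 3. Failed to determine user name"
            return False
        user_name = user.getUserId()

        print "compromised_password (with password update). Authenticate for step 3. Attempting to set new user '" + user_name + "' password"

        find_user_by_uid = userService.getUser(user_name)
        if (find_user_by_uid == None):
            print "compromised_password (with password update). Authenticate for step 3. Failed to find user"
            return False

        find_user_by_uid.setAttribute("userPassword", new_password)
        userService.updateUser(find_user_by_uid)
        print "compromised_password (with password update). Authenticate for step 3. Password updated successfully"

        # Report the re-authentication result instead of returning True regardless
        logged_in = authenticationService.authenticate(user_name)
        return logged_in

    return False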