def validateTotpKey(self, secretKey, totpKey, user_name): localTotpKey = self.generateTotpKey(secretKey) cachedOTP = self.getCachedOTP(user_name) if StringHelper.equals(localTotpKey, totpKey) and not StringHelper.equals(localTotpKey, cachedOTP): userService = CdiUtil.bean(UserService) if cachedOTP is None: userService.addUserAttribute(user_name, "oxOTPCache",localTotpKey) else : userService.replaceUserAttribute(user_name, "oxOTPCache", cachedOTP, localTotpKey) print "OTP. Caching OTP: '%s'" % localTotpKey return { "result": True } return { "result": False }
def checkStatus(self, mode, request_id, timeout): try: curTime = java.lang.System.currentTimeMillis() endTime = curTime + timeout * 1000 while (endTime >= curTime): response_status = None if (StringHelper.equals("pair", mode)): response_status = self.oxPushClient.getPairingStatus(request_id) else: response_status = self.oxPushClient.getAuthenticationStatus(request_id) if (not response_status.result): print "oxPush. CheckStatus. Get false result from oxPushServer" return None status = response_status.status if ("declined" == status): print "oxPush. CheckStatus. The process has been cancelled" return None if ("expired" == status): print "oxPush. CheckStatus. The process has been expired" return None if ("approved" == status): print "oxPush. CheckStatus. The process was approved" return response_status java.lang.Thread.sleep(2000) curTime = java.lang.System.currentTimeMillis() except java.lang.Exception, err: print "oxPush. CheckStatus. Could not check process status: ", err return None
def lockUser(self, user_name): if StringHelper.isEmpty(user_name): return None userService = CdiUtil.bean(UserService) cacheService= CdiUtil.bean(CacheService) facesMessages = CdiUtil.bean(FacesMessages) facesMessages.setKeepMessages() find_user_by_uid = userService.getUser(user_name) if (find_user_by_uid == None): return None status_attribute_value = userService.getCustomAttribute(find_user_by_uid, "gluuStatus") if status_attribute_value != None: user_status = status_attribute_value.getValue() if StringHelper.equals(user_status, "inactive"): print "Basic (lock account). Lock user. User '%s' locked already" % user_name return userService.setCustomAttribute(find_user_by_uid, "gluuStatus", "inactive") updated_user = userService.updateUser(find_user_by_uid) object_to_store = json.dumps({'locked': True, 'created': LocalDateTime.now().toString()}, separators=(',',':')) cacheService.put(StringHelper.toString(self.lockExpirationTime), "lock_user_"+user_name, object_to_store); facesMessages.add(FacesMessage.SEVERITY_ERROR, "Your account is locked. Please try again after " + StringHelper.toString(self.lockExpirationTime) + " secs") print "Basic (lock account). Lock user. User '%s' locked" % user_name
def authenticate_user_credentials(self, identity, authentication_service): credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() print "AzureAD. user_name: %s" % user_name logged_in = False if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): # Special condition to allow for Gluu admin login if StringHelper.equals(user_name, ADMIN): return self.authenticate_user_in_gluu_ldap(authentication_service, user_name, user_password) # Authenticate user credentials with Azure AD non-interactively azure_auth_response = self.authenticate_user_in_azure(azure_tenant_id, user_name, user_password, azure_client_id, azure_client_secret) print "AzureAD. Value of azure_auth_response is %s" % azure_auth_response azure_auth_response_json = json.loads(azure_auth_response) if azure_user_uuid in azure_auth_response_json: # Azure authentication has succeeded. User needs to be enrolled in Gluu LDAP user = self.enroll_azure_user_in_gluu_ldap(azure_auth_response_json) if user is None: # User Enrollment in Gluu LDAP has failed logged_in = False else: # Authenticating the user within Gluu user_authenticated_in_gluu = authentication_service.authenticate(user.getUserId()) print "AzureAD: Authentication status of the user enrolled in Gluu LDAP %r " % user_authenticated_in_gluu return user_authenticated_in_gluu else: # Azure authentication has failed. logged_in = False return logged_in
def authenticate(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) saml_map_user = False saml_enroll_user = False saml_enroll_all_user_attr = False # Use saml_deployment_type only if there is no attributes mapping if configurationAttributes.containsKey("saml_deployment_type"): saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2()) if StringHelper.equalsIgnoreCase(saml_deployment_type, "map"): saml_map_user = True if StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll"): saml_enroll_user = True if StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr"): saml_enroll_all_user_attr = True saml_allow_basic_login = False if configurationAttributes.containsKey("saml_allow_basic_login"): saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False) use_basic_auth = False if saml_allow_basic_login: # Detect if user used basic authnetication method user_name = credentials.getUsername() user_password = credentials.getPassword() if StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password): use_basic_auth = True if (step == 1) and saml_allow_basic_login and use_basic_auth: print "Asimba. Authenticate for step 1. Basic authentication" identity.setWorkingParameter("saml_count_login_steps", 1) user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False return True if (step == 1): print "Asimba. Authenticate for step 1" currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters) if (currentSamlConfiguration == None): print "Asimba. Prepare for step 1. Client saml configuration is invalid" return False saml_response_array = requestParameters.get("SAMLResponse") if ArrayHelper.isEmpty(saml_response_array): print "Asimba. Authenticate for step 1. saml_response is empty" return False saml_response = saml_response_array[0] print "Asimba. Authenticate for step 1. saml_response: '%s'" % saml_response samlResponse = Response(currentSamlConfiguration) samlResponse.loadXmlFromBase64(saml_response) saml_validate_response = True if configurationAttributes.containsKey("saml_validate_response"): saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False) if saml_validate_response: if not samlResponse.isValid(): print "Asimba. Authenticate for step 1. saml_response isn't valid" return False if samlResponse.isAuthnFailed(): print "Asimba. Authenticate for step 1. saml_response AuthnFailed" return False saml_response_attributes = samlResponse.getAttributes() print "Asimba. Authenticate for step 1. attributes: '%s'" % saml_response_attributes if saml_map_user: saml_user_uid = self.getSamlNameId(samlResponse) if saml_user_uid == None: return False # Use mapping to local IDP user print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid # Check if the is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid) if find_user_by_uid == None: print "Asimba. Authenticate for step 1. Failed to find user" print "Asimba. Authenticate for step 1. Setting count steps to 2" identity.setWorkingParameter("saml_count_login_steps", 2) identity.setWorkingParameter("saml_user_uid", saml_user_uid) return True found_user_name = find_user_by_uid.getUserId() print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate(found_user_name) if user_authenticated == False: print "Asimba. Authenticate for step 1. Failed to authenticate user" return False print "Asimba. Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif saml_enroll_user: # Convert SAML response to user entry newUser = self.getMappedUser(configurationAttributes, requestParameters, saml_response_attributes) saml_user_uid = self.getNameId(samlResponse, newUser) if saml_user_uid == None: return False self.setDefaultUid(newUser, saml_user_uid) newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid) # Use auto enrollment to local IDP print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid # Check if there is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid) if find_user_by_uid == None: # Auto user enrollment print "Asimba. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP" print "Asimba. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes()) user_unique = self.checkUserUniqueness(newUser) if not user_unique: print "Asimba. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId() facesMessages = CdiUtil.bean(FacesMessages) facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to enroll. User with same key attributes exist already") facesMessages.setKeepMessages() return False find_user_by_uid = userService.addUser(newUser, True) print "Asimba. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId() else: if self.updateUser: print "Asimba. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes()) find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes()) userService.updateUser(find_user_by_uid) print "Asimba. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid found_user_name = find_user_by_uid.getUserId() print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate(found_user_name) if user_authenticated == False: print "Asimba. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name return False print "Asimba. Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif saml_enroll_all_user_attr: # Convert SAML response to user entry newUser = self.getMappedAllAttributesUser(saml_response_attributes) saml_user_uid = self.getNameId(samlResponse, newUser) if saml_user_uid == None: return False self.setDefaultUid(newUser, saml_user_uid) newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid) print "Asimba. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:%s" % saml_user_uid # Check if there is user with specified saml_user_uid find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid) if find_user_by_uid == None: # Auto user enrollment print "Asimba. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP" print "Asimba. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes()) user_unique = self.checkUserUniqueness(newUser) if not user_unique: print "Asimba. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId() facesMessages = CdiUtil.bean(FacesMessages) facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to enroll. User with same key attributes exist already") facesMessages.setKeepMessages() return False find_user_by_uid = userService.addUser(newUser, True) print "Asimba. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId() else: if self.updateUser: print "Asimba. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes()) find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes()) userService.updateUser(find_user_by_uid) print "Asimba. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid found_user_name = find_user_by_uid.getUserId() print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate(found_user_name) if user_authenticated == False: print "Asimba. Authenticate for step 1. Failed to authenticate user" return False print "Asimba. Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result else: if saml_user_uid == None: return False # Check if the is user with specified saml_user_uid print "Asimba. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid find_user_by_uid = userService.getUser(saml_user_uid) if find_user_by_uid == None: print "Asimba. Authenticate for step 1. Failed to find user" return False found_user_name = find_user_by_uid.getUserId() print "Asimba. Authenticate for step 1. found_user_name: '%s'" % found_user_name user_authenticated = authenticationService.authenticate(found_user_name) if user_authenticated == False: print "Asimba. Authenticate for step 1. Failed to authenticate user" return False print "Asimba. Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("saml_count_login_steps", 1) post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Asimba. Authenticate for step 1. post_login_result: '%s'" % post_login_result return post_login_result elif (step == 2): print "Asimba. Authenticate for step 2" sessionAttributes = identity.getSessionId().getSessionAttributes() if (sessionAttributes == None) or not sessionAttributes.containsKey("saml_user_uid"): print "Asimba. Authenticate for step 2. saml_user_uid is empty" return False saml_user_uid = sessionAttributes.get("saml_user_uid") passed_step1 = StringHelper.isNotEmptyString(saml_user_uid) if not passed_step1: return False user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): logged_in = authenticationService.authenticate(user_name, user_password) if not logged_in: return False # Check if there is user which has saml_user_uid # Avoid mapping Saml account to more than one IDP account find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid) if find_user_by_uid == None: # Add saml_user_uid to user one id UIDs find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:%s" % saml_user_uid) if find_user_by_uid == None: print "Asimba. Authenticate for step 2. Failed to update current user" return False post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Asimba. Authenticate for step 2. post_login_result: '%s'" % post_login_result return post_login_result else: found_user_name = find_user_by_uid.getUserId() print "Asimba. Authenticate for step 2. found_user_name: '%s'" % found_user_name if StringHelper.equals(user_name, found_user_name): post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid) print "Asimba. Authenticate for step 2. post_login_result: '%s'" % post_login_result return post_login_result return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) mapUserDeployment = False enrollUserDeployment = False if (configurationAttributes.containsKey("gplus_deployment_type")): deploymentType = StringHelper.toLowerCase(configurationAttributes.get("gplus_deployment_type").getValue2()) if (StringHelper.equalsIgnoreCase(deploymentType, "map")): mapUserDeployment = True if (StringHelper.equalsIgnoreCase(deploymentType, "enroll")): enrollUserDeployment = True if (step == 1): print "Google+ Authenticate for step 1" gplusAuthCodeArray = requestParameters.get("gplus_auth_code") gplusAuthCode = gplusAuthCodeArray[0] # Check if user uses basic method to log in useBasicAuth = False if (StringHelper.isEmptyString(gplusAuthCode)): useBasicAuth = True # Use basic method to log in if (useBasicAuth): print "Google+ Authenticate for step 1. Basic authentication" identity.setWorkingParameter("gplus_count_login_steps", 1) credentials = identity.getCredentials() userName = credentials.getUsername() userPassword = credentials.getPassword() loggedIn = False if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)): userService = CdiUtil.bean(UserService) loggedIn = authenticationService.authenticate(userName, userPassword) if (not loggedIn): return False return True # Use Google+ method to log in print "Google+ Authenticate for step 1. gplusAuthCode:", gplusAuthCode currentClientSecrets = self.getCurrentClientSecrets(self.clientSecrets, configurationAttributes, requestParameters) if (currentClientSecrets == None): print "Google+ Authenticate for step 1. Client secrets configuration is invalid" return False print "Google+ Authenticate for step 1. Attempting to gets tokens" tokenResponse = self.getTokensByCode(self.clientSecrets, configurationAttributes, gplusAuthCode) if ((tokenResponse == None) or (tokenResponse.getIdToken() == None) or (tokenResponse.getAccessToken() == None)): print "Google+ Authenticate for step 1. Failed to get tokens" return False else: print "Google+ Authenticate for step 1. Successfully gets tokens" jwt = Jwt.parse(tokenResponse.getIdToken()) # TODO: Validate ID Token Signature gplusUserUid = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER) print "Google+ Authenticate for step 1. Found Google user ID in the ID token: '%s'" % gplusUserUid if (mapUserDeployment): # Use mapping to local IDP user print "Google+ Authenticate for step 1. Attempting to find user by oxExternalUid: 'gplus:%s'" % gplusUserUid # Check if there is user with specified gplusUserUid foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid) if (foundUser == None): print "Google+ Authenticate for step 1. Failed to find user" print "Google+ Authenticate for step 1. Setting count steps to 2" identity.setWorkingParameter("gplus_count_login_steps", 2) identity.setWorkingParameter("gplus_user_uid", gplusUserUid) return True foundUserName = foundUser.getUserId() print "Google+ Authenticate for step 1. foundUserName: '******'" % foundUserName userAuthenticated = authenticationService.authenticate(foundUserName) if (userAuthenticated == False): print "Google+ Authenticate for step 1. Failed to authenticate user" return False print "Google+ Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("gplus_count_login_steps", 1) postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser) print "Google+ Authenticate for step 1. postLoginResult: '%s'" % postLoginResult return postLoginResult elif (enrollUserDeployment): # Use auto enrollment to local IDP print "Google+ Authenticate for step 1. Attempting to find user by oxExternalUid: 'gplus:%s'" % gplusUserUid # Check if there is user with specified gplusUserUid foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid) if (foundUser == None): # Auto user enrollemnt print "Google+ Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP" print "Google+ Authenticate for step 1. Attempting to gets user info" userInfoResponse = self.getUserInfo(currentClientSecrets, configurationAttributes, tokenResponse.getAccessToken()) if ((userInfoResponse == None) or (userInfoResponse.getClaims().size() == 0)): print "Google+ Authenticate for step 1. Failed to get user info" return False else: print "Google+ Authenticate for step 1. Successfully gets user info" gplusResponseAttributes = userInfoResponse.getClaims() # Convert Google+ user claims to lover case gplusResponseNormalizedAttributes = HashMap() for gplusResponseAttributeEntry in gplusResponseAttributes.entrySet(): gplusResponseNormalizedAttributes.put( StringHelper.toLowerCase(gplusResponseAttributeEntry.getKey()), gplusResponseAttributeEntry.getValue()) currentAttributesMapping = self.getCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters) print "Google+ Authenticate for step 1. Using next attributes mapping '%s'" % currentAttributesMapping newUser = User() for attributesMappingEntry in currentAttributesMapping.entrySet(): remoteAttribute = attributesMappingEntry.getKey() localAttribute = attributesMappingEntry.getValue() localAttributeValue = gplusResponseNormalizedAttributes.get(remoteAttribute) if (localAttribute != None): newUser.setAttribute(localAttribute, localAttributeValue) if (newUser.getAttribute("sn") == None): newUser.setAttribute("sn", gplusUserUid) if (newUser.getAttribute("cn") == None): newUser.setAttribute("cn", gplusUserUid) # Add mail to oxTrustEmail so that the user's # email is available through the SCIM interface # too. if (newUser.getAttribute("oxTrustEmail") is None and newUser.getAttribute("mail") is not None): oxTrustEmail = { "value": newUser.getAttribute("mail"), "display": newUser.getAttribute("mail"), "primary": True, "operation": None, "reference": None, "type": "other" } newUser.setAttribute("oxTrustEmail", json.dumps(oxTrustEmail)) newUser.setAttribute("oxExternalUid", "gplus:" + gplusUserUid) print "Google+ Authenticate for step 1. Attempting to add user '%s' with next attributes '%s'" % (gplusUserUid, newUser.getCustomAttributes()) foundUser = userService.addUser(newUser, True) print "Google+ Authenticate for step 1. Added new user with UID: '%s'" % foundUser.getUserId() foundUserName = foundUser.getUserId() print "Google+ Authenticate for step 1. foundUserName: '******'" % foundUserName userAuthenticated = authenticationService.authenticate(foundUserName) if (userAuthenticated == False): print "Google+ Authenticate for step 1. Failed to authenticate user" return False print "Google+ Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("gplus_count_login_steps", 1) print "Google+ Authenticate for step 1. Attempting to run extension postLogin" postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser) print "Google+ Authenticate for step 1. postLoginResult: '%s'" % postLoginResult return postLoginResult else: # Check if there is user with specified gplusUserUid print "Google+ Authenticate for step 1. Attempting to find user by uid: '%s'" % gplusUserUid foundUser = userService.getUser(gplusUserUid) if (foundUser == None): print "Google+ Authenticate for step 1. Failed to find user" return False foundUserName = foundUser.getUserId() print "Google+ Authenticate for step 1. foundUserName: '******'" % foundUserName userAuthenticated = authenticationService.authenticate(foundUserName) if (userAuthenticated == False): print "Google+ Authenticate for step 1. Failed to authenticate user" return False print "Google+ Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("gplus_count_login_steps", 1) postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser) print "Google+ Authenticate for step 1. postLoginResult: '%s'" % postLoginResult return postLoginResult elif (step == 2): print "Google+ Authenticate for step 2" sessionAttributes = identity.getSessionId().getSessionAttributes() if (sessionAttributes == None) or not sessionAttributes.containsKey("gplus_user_uid"): print "Google+ Authenticate for step 2. gplus_user_uid is empty" return False gplusUserUid = sessionAttributes.get("gplus_user_uid") passed_step1 = StringHelper.isNotEmptyString(gplusUserUid) if (not passed_step1): return False identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() userName = credentials.getUsername() userPassword = credentials.getPassword() loggedIn = False if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)): loggedIn = authenticationService.authenticate(userName, userPassword) if (not loggedIn): return False # Check if there is user which has gplusUserUid # Avoid mapping Google account to more than one IDP account foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid) if (foundUser == None): # Add gplusUserUid to user one id UIDs foundUser = userService.addUserAttribute(userName, "oxExternalUid", "gplus:" + gplusUserUid) if (foundUser == None): print "Google+ Authenticate for step 2. Failed to update current user" return False postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser) print "Google+ Authenticate for step 2. postLoginResult: '%s'" % postLoginResult return postLoginResult else: foundUserName = foundUser.getUserId() print "Google+ Authenticate for step 2. foundUserName: '******'" % foundUserName if StringHelper.equals(userName, foundUserName): postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser) print "Google+ Authenticate for step 2. postLoginResult: '%s'" % postLoginResult return postLoginResult return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) httpService = CdiUtil.bean(HttpService) server_flag = configurationAttributes.get("oneid_server_flag").getValue2() callback_attrs = configurationAttributes.get("oneid_callback_attrs").getValue2() creds_file = configurationAttributes.get("oneid_creds_file").getValue2() # Create OneID authn = OneID(server_flag) # Set path to credentials file authn.creds_file = creds_file if (step == 1): print "OneId. Authenticate for step 1" # Find OneID request json_data_array = requestParameters.get("json_data") if ArrayHelper.isEmpty(json_data_array): print "OneId. Authenticate for step 1. json_data is empty" return False request = json_data_array[0] print "OneId. Authenticate for step 1. request: " + request if (StringHelper.isEmptyString(request)): return False authn.set_credentials() # Validate request http_client = httpService.getHttpsClientDefaulTrustStore() auth_data = httpService.encodeBase64(authn.api_id + ":" + authn.api_key) http_response = httpService.executePost(http_client, authn.helper_server + "/validate", auth_data, request, ContentType.APPLICATION_JSON) validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_response)) print "OneId. Authenticate for step 1. validation_content: " + validation_content if (StringHelper.isEmptyString(validation_content)): return False validation_resp = json.loads(validation_content) print "OneId. Authenticate for step 1. validation_resp: " + str(validation_resp) if (not authn.success(validation_resp)): return False response = json.loads(request) for x in validation_resp: response[x] = validation_resp[x] oneid_user_uid = response['uid'] print "OneId. Authenticate for step 1. oneid_user_uid: " + oneid_user_uid # Check if the is user with specified oneid_user_uid find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "oneid:" + oneid_user_uid) if (find_user_by_uid == None): print "OneId. Authenticate for step 1. Failed to find user" print "OneId. Authenticate for step 1. Setting count steps to 2" identity.setWorkingParameter("oneid_count_login_steps", 2) identity.setWorkingParameter("oneid_user_uid", oneid_user_uid) return True found_user_name = find_user_by_uid.getUserId() print "OneId. Authenticate for step 1. found_user_name: " + found_user_name identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() credentials.setUsername(found_user_name) credentials.setUser(find_user_by_uid) print "OneId. Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("oneid_count_login_steps", 1) return True elif (step == 2): print "OneId. Authenticate for step 2" sessionAttributes = identity.getSessionId().getSessionAttributes() if (sessionAttributes == None) or not sessionAttributes.containsKey("oneid_user_uid"): print "OneId. Authenticate for step 2. oneid_user_uid is empty" return False oneid_user_uid = sessionAttributes.get("oneid_user_uid") passed_step1 = StringHelper.isNotEmptyString(oneid_user_uid) if (not passed_step1): return False identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() passed_step1 = StringHelper.isNotEmptyString(user_name) if (not passed_step1): return False identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False # Check if there is user which has oneid_user_uid # Avoid mapping OneID account to more than one IDP account find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "oneid:" + oneid_user_uid) if (find_user_by_uid == None): # Add oneid_user_uid to user one id UIDs find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "oneid:" + oneid_user_uid) if (find_user_by_uid == None): print "OneId. Authenticate for step 2. Failed to update current user" return False return True else: found_user_name = find_user_by_uid.getUserId() print "OneId. Authenticate for step 2. found_user_name: " + found_user_name if StringHelper.equals(user_name, found_user_name): return True return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): duo_host = configurationAttributes.get("duo_host").getValue2() authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) if (step == 1): print "Duo. Authenticate for step 1" # Check if user authenticated already in another custom script user = authenticationService.getAuthenticatedUser() if user == None: credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = CdiUtil.bean(UserService) logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False user = authenticationService.getAuthenticatedUser() if (self.use_duo_group): print "Duo. Authenticate for step 1. Checking if user belong to Duo group" is_member_duo_group = self.isUserMemberOfGroup(user, self.audit_attribute, self.duo_group) if (is_member_duo_group): print "Duo. Authenticate for step 1. User '" + user.getUserId() + "' member of Duo group" duo_count_login_steps = 2 else: self.processAuditGroup(user) duo_count_login_steps = 1 identity.setWorkingParameter("duo_count_login_steps", duo_count_login_steps) return True elif (step == 2): print "Duo. Authenticate for step 2" user = authenticationService.getAuthenticatedUser() if user == None: print "Duo. Authenticate for step 2. Failed to determine user name" return False user_name = user.getUserId() sig_response_array = requestParameters.get("sig_response") if ArrayHelper.isEmpty(sig_response_array): print "Duo. Authenticate for step 2. sig_response is empty" return False duo_sig_response = sig_response_array[0] print "Duo. Authenticate for step 2. duo_sig_response: " + duo_sig_response authenticated_username = duo_web.verify_response(self.ikey, self.skey, self.akey, duo_sig_response) print "Duo. Authenticate for step 2. authenticated_username: "******", expected user_name: " + user_name if (not StringHelper.equals(user_name, authenticated_username)): return False self.processAuditGroup(user) return True else: return False
class PersonAuthentication(PersonAuthenticationType): def __init__(self, currentTimeMillis): self.currentTimeMillis = currentTimeMillis self.client = None def init(self, configurationAttributes): print "InWebo. Initialization" iw_cert_store_type = configurationAttributes.get("iw_cert_store_type").getValue2() iw_cert_path = configurationAttributes.get("iw_cert_path").getValue2() iw_creds_file = configurationAttributes.get("iw_creds_file").getValue2() # Load credentials from file f = open(iw_creds_file, 'r') try: creds = json.loads(f.read()) except: return False finally: f.close() iw_cert_password = creds["CERT_PASSWORD"] try: encryptionService = CdiUtil.bean(EncryptionService) iw_cert_password = encryptionService.decrypt(iw_cert_password) except: return False httpService = CdiUtil.bean(HttpService) self.client = httpService.getHttpsClient(None, None, None, iw_cert_store_type, iw_cert_path, iw_cert_password) print "InWebo. Initialized successfully" return True def destroy(self, configurationAttributes): print "InWebo. Destroy" print "InWebo. Destroyed successfully" return True def getApiVersion(self): return 1 def isValidAuthenticationMethod(self, usageType, configurationAttributes): return True def getAlternativeAuthenticationMethod(self, usageType, configurationAttributes): return None def authenticate(self, configurationAttributes, requestParameters, step): userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) iw_api_uri = configurationAttributes.get("iw_api_uri").getValue2() iw_service_id = configurationAttributes.get("iw_service_id").getValue2() iw_helium_enabled = Boolean(configurationAttributes.get("iw_helium_enabled").getValue2()).booleanValue() if (iw_helium_enabled): identity.setWorkingParameter("iw_count_login_steps", 1) credentials = identity.getCredentials() user_name = credentials.getUsername() if (step == 1): print "InWebo. Authenticate for step 1" print "InWebo. Authenticate for step 1. iw_helium_enabled:", iw_helium_enabled user_password = credentials.getPassword() if (iw_helium_enabled): login_array = requestParameters.get("login") if ArrayHelper.isEmpty(login_array): print "InWebo. Authenticate for step 1. login is empty" return False user_name = login_array[0] password_array = requestParameters.get("password") if ArrayHelper.isEmpty(password_array): print "InWebo. Authenticate for step 1. password is empty" return False user_password = password_array[0] response_validation = self.validateInweboToken(iw_api_uri, iw_service_id, user_name, user_password) if (not response_validation): return False logged_in = False if (StringHelper.isNotEmptyString(user_name)): userService = CdiUtil.bean(UserService) logged_in = authenticationService.authenticate(user_name) return logged_in else: logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = CdiUtil.bean(UserService) logged_in = authenticationService.authenticate(user_name, user_password) return logged_in return True elif (step == 2): print "InWebo. Authenticate for step 2" passed_step1 = self.isPassedDefaultAuthentication if (not passed_step1): return False iw_token_array = requestParameters.get("iw_token") if ArrayHelper.isEmpty(iw_token_array): print "InWebo. Authenticate for step 2. iw_token is empty" return False iw_token = iw_token_array[0] response_validation = self.validateInweboToken(iw_api_uri, iw_service_id, user_name, iw_token) return response_validation else: return False def prepareForStep(self, configurationAttributes, requestParameters, step): if (step == 1): print "InWebo. Prepare for step 1" identity = CdiUtil.bean(Identity) iw_helium_enabled = Boolean(configurationAttributes.get("iw_helium_enabled").getValue2()).booleanValue() identity.setWorkingParameter("helium_enabled", iw_helium_enabled) iw_helium_alias = None if (iw_helium_enabled): iw_helium_alias = configurationAttributes.get("iw_helium_alias").getValue2() identity.setWorkingParameter("helium_alias", iw_helium_alias) print "InWebo. Prepare for step 1. Helium status:", iw_helium_enabled return True def getExtraParametersForStep(self, configurationAttributes, step): return None def getCountAuthenticationSteps(self, configurationAttributes): identity = CdiUtil.bean(Identity) if (identity.isSetWorkingParameter("iw_count_login_steps")): return identity.getWorkingParameter("iw_count_login_steps") return 2 def getPageForStep(self, configurationAttributes, step): if (step == 1): return "/auth/inwebo/iwlogin.xhtml" if (step == 2): return "/auth/inwebo/iwauthenticate.xhtml" else: return "" def isPassedDefaultAuthentication(self): identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() passed_step1 = StringHelper.isNotEmptyString(user_name) return passed_step1 def validateInweboToken(self, iw_api_uri, iw_service_id, user_name, iw_token): httpService = CdiUtil.bean(HttpService) xmlService = CdiUtil.bean(XmlService) if StringHelper.isEmpty(iw_token): print "InWebo. Token verification. iw_token is empty" return False request_uri = iw_api_uri + "?action=authenticate" + "&serviceId=" + httpService.encodeUrl(iw_service_id) + "&userId=" + httpService.encodeUrl(user_name) + "&token=" + httpService.encodeUrl(iw_token) print "InWebo. Token verification. Attempting to send authentication request:", request_uri # Execute request http_response = httpService.executeGet(self.client, request_uri) # Validate response code response_validation = httpService.isResponseStastusCodeOk(http_response) if response_validation == False: print "InWebo. Token verification. Get unsuccessful response code" return False authentication_response_bytes = httpService.getResponseContent(http_response) print "InWebo. Token verification. Get response:", httpService.convertEntityToString(authentication_response_bytes) # Validate authentication response response_validation = httpService.isContentTypeXml(http_response) if response_validation == False: print "InWebo. Token verification. Get invalid response" return False # Parse XML response try: xmlDocument = xmlService.getXmlDocument(authentication_response_bytes) except Exception, err: print "InWebo. Token verification. Failed to parse XML response:", err return False result_code = xmlService.getNodeValue(xmlDocument, "/authenticate", None) print "InWebo. Token verification. Result after parsing XML response:", result_code response_validation = StringHelper.equals(result_code, "OK") print "InWebo. Token verification. Result validation:", response_validation return response_validation
def validateTotpKey(self, secretKey, totpKey): localTotpKey = self.generateTotpKey(secretKey) if StringHelper.equals(localTotpKey, totpKey): return { "result": True } return { "result": False }
def authenticate(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() userService = CdiUtil.bean(UserService) requestParameterService = CdiUtil.bean(RequestParameterService) authenticationService = CdiUtil.bean(AuthenticationService) httpService = CdiUtil.bean(HttpService) if step == 1: print "CAS2. Authenticate for step 1" ticket_array = requestParameters.get("ticket") if ArrayHelper.isEmpty(ticket_array): print "CAS2. Authenticate for step 1. ticket is empty" return False ticket = ticket_array[0] print "CAS2. Authenticate for step 1. ticket: " + ticket if StringHelper.isEmptyString(ticket): print "CAS2. Authenticate for step 1. ticket is invalid" return False # Validate ticket facesContext = CdiUtil.bean(FacesContext) request = facesContext.getExternalContext().getRequest() parametersMap = HashMap() parametersMap.put("service", httpService.constructServerUrl(request) + "/postlogin.htm") if self.cas_renew_opt: parametersMap.put("renew", "true") parametersMap.put("ticket", ticket) cas_service_request_uri = requestParameterService.parametersAsString(parametersMap) cas_service_request_uri = self.cas_host + "/serviceValidate?" + cas_service_request_uri if self.cas_extra_opts != None: cas_service_request_uri = cas_service_request_uri + "&" + self.cas_extra_opts print "CAS2. Authenticate for step 1. cas_service_request_uri: " + cas_service_request_uri http_client = httpService.getHttpsClient() http_service_response = httpService.executeGet(http_client, cas_service_request_uri) try: validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_service_response.getHttpResponse())) finally: http_service_response.closeConnection() print "CAS2. Authenticate for step 1. validation_content: " + validation_content if StringHelper.isEmpty(validation_content): print "CAS2. Authenticate for step 1. Ticket validation response is invalid" return False cas2_auth_failure = self.parse_tag(validation_content, "cas:authenticationFailure") print "CAS2. Authenticate for step 1. cas2_auth_failure: ", cas2_auth_failure cas2_user_uid = self.parse_tag(validation_content, "cas:user") print "CAS2. Authenticate for step 1. cas2_user_uid: ", cas2_user_uid if (cas2_auth_failure != None) or (cas2_user_uid == None): print "CAS2. Authenticate for step 1. Ticket is invalid" return False if self.cas_map_user: print "CAS2. Authenticate for step 1. Attempting to find user by oxExternalUid: cas2:" + cas2_user_uid # Check if the is user with specified cas2_user_uid find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid) if find_user_by_uid == None: print "CAS2. Authenticate for step 1. Failed to find user" print "CAS2. Authenticate for step 1. Setting count steps to 2" identity.setWorkingParameter("cas2_count_login_steps", 2) identity.setWorkingParameter("cas2_user_uid", cas2_user_uid) return True found_user_name = find_user_by_uid.getUserId() print "CAS2. Authenticate for step 1. found_user_name: " + found_user_name authenticationService.authenticate(found_user_name) print "CAS2. Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("cas2_count_login_steps", 1) return True else: print "CAS2. Authenticate for step 1. Attempting to find user by uid:" + cas2_user_uid # Check if there is user with specified cas2_user_uid find_user_by_uid = userService.getUser(cas2_user_uid) if find_user_by_uid == None: print "CAS2. Authenticate for step 1. Failed to find user" return False found_user_name = find_user_by_uid.getUserId() print "CAS2. Authenticate for step 1. found_user_name: " + found_user_name authenticationService.authenticate(found_user_name) print "CAS2. Authenticate for step 1. Setting count steps to 1" identity.setWorkingParameter("cas2_count_login_steps", 1) return True elif step == 2: print "CAS2. Authenticate for step 2" if identity.isSetWorkingParameter("cas2_user_uid"): print "CAS2. Authenticate for step 2. cas2_user_uid is empty" return False cas2_user_uid = identity.getWorkingParameter("cas2_user_uid") passed_step1 = StringHelper.isNotEmptyString(cas2_user_uid) if not passed_step1: return False user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): logged_in = authenticationService.authenticate(user_name, user_password) if not logged_in: return False # Check if there is user which has cas2_user_uid # Avoid mapping CAS2 account to more than one IDP account find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid) if find_user_by_uid == None: # Add cas2_user_uid to user one id UIDs find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "cas2:" + cas2_user_uid) if find_user_by_uid == None: print "CAS2. Authenticate for step 2. Failed to update current user" return False return True else: found_user_name = find_user_by_uid.getUserId() print "CAS2. Authenticate for step 2. found_user_name: " + found_user_name if StringHelper.equals(user_name, found_user_name): return True return False else: return False