def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) if (step == 1): print "Basic. Authenticate for step 1" identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name_array = StringHelper.split(credentials.getUsername(),"+") user_name = None if len(user_name_array) == 2: email_id_array = StringHelper.split(user_name_array[1],"@") user_name = user_name_array[0] + "@"+ email_id_array[1] else: user_name = user_name_array[0] print "Username for authentication is: %s " % user_name user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = authenticationService.authenticate(user_name, user_password,"mail","mail") if (not logged_in): return False return True else: return False
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) if step == 1: print "Basic (one session). Authenticate for step 1" identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if StringHelper.isNotEmptyString( user_name) and StringHelper.isNotEmptyString( user_password): logged_in = authenticationService.authenticate( user_name, user_password) if not logged_in: return False logged_in = self.isFirstSession(user_name) if not logged_in: facesMessages = CdiUtil.bean(FacesMessages) facesMessages.add(FacesMessage.SEVERITY_ERROR, "Please, end active session first!") return False return True else: return False
def authenticate_user_credentials(self, identity, authentication_service): credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() print "AzureAD. user_name: %s" % user_name logged_in = False if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): # Special condition to allow for Gluu admin login if StringHelper.equals(user_name, ADMIN): return self.authenticate_user_in_gluu_ldap(authentication_service, user_name, user_password) # Authenticate user credentials with Azure AD non-interactively azure_auth_response = self.authenticate_user_in_azure(azure_tenant_id, user_name, user_password, azure_client_id, azure_client_secret) print "AzureAD. Value of azure_auth_response is %s" % azure_auth_response azure_auth_response_json = json.loads(azure_auth_response) if azure_user_uuid in azure_auth_response_json: # Azure authentication has succeeded. User needs to be enrolled in Gluu LDAP user = self.enroll_azure_user_in_gluu_ldap(azure_auth_response_json) if user is None: # User Enrollment in Gluu LDAP has failed logged_in = False else: # Authenticating the user within Gluu user_authenticated_in_gluu = authentication_service.authenticate(user.getUserId()) print "AzureAD: Authentication status of the user enrolled in Gluu LDAP %r " % user_authenticated_in_gluu return user_authenticated_in_gluu else: # Azure authentication has failed. logged_in = False return logged_in
def processBasicAuthentication(self, credentials): userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) find_user_by_uid = authenticationService.getAuthenticatedUser() if find_user_by_uid != None: print "BioID. Process basic authentication. There is an authenticated user already" return find_user_by_uid user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): logged_in = authenticationService.authenticate(user_name, user_password) if not logged_in: print "OTP. Process basic authentication. Failed to find user '%s'" % user_name return None find_user_by_uid = authenticationService.getAuthenticatedUser() if find_user_by_uid == None: print "OTP. Process basic authentication. Failed to find user '%s'" % user_name return None return find_user_by_uid
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() if (step == 1): print "New Acr Link. Authenticate for step 1" identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = authenticationService.authenticate( user_name, user_password) if (not logged_in): return False return True else: return False
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) if 1 <= step <= 3: print "Basic (demo reset step). Authenticate for step '%s'" % step identity = CdiUtil.bean(Identity) identity.setWorkingParameter("pass_authentication", False) credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = CdiUtil.bean(UserService) logged_in = authenticationService.authenticate( user_name, user_password) if (not logged_in): return False identity.setWorkingParameter("pass_authentication", True) return True else: return False
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) if (step == 1): print "Radius. Authenticate for step 1" identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() if StringHelper.isNotEmptyString(user_name ) and StringHelper.isNotEmptyString(user_password ): user_exists_in_gluu = authenticationService.authenticate(user_name ) if user_exists_in_gluu : client = RadiusClient(self.RADIUS_SERVER_IP,int (self.RADIUS_SERVER_AUTH_PORT), int(self.RADIUS_SERVER_ACCT_PORT), self.RADIUS_SERVER_SECRET) accessRequest = RadiusPacket(RadiusPacket.ACCESS_REQUEST) userNameAttribute = RadiusAttribute(RadiusAttributeValues.USER_NAME,user_name ) userPasswordAttribute = RadiusAttribute(RadiusAttributeValues.USER_PASSWORD,user_password ) accessRequest.setAttribute(userNameAttribute) accessRequest.setAttribute(userPasswordAttribute) accessResponse = client.authenticate(accessRequest) print "Packet type - %s " % accessResponse.getPacketType() if accessResponse.getPacketType() == RadiusPacket.ACCESS_ACCEPT: return True #elif accessResponse.getPacketType() == RadiusPacket.ACCESS_CHALLENGE: # return False return False
def generateInum(self, orgInum, prefix): if (StringHelper.isNotEmptyString(orgInum) and StringHelper.isNotEmptyString(prefix)): return orgInum + Configuration.inumDelimiter + prefix + Configuration.inumDelimiter + INumGenerator.generate( ) else: return ""
def authenticate_user_credentials(self, identity, authentication_service): credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() print "ThumbSignIn. user_name: " + user_name logged_in = False if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): logged_in = self.authenticate_user_in_gluu_ldap(authentication_service, user_name, user_password) return logged_in
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) if (step == 1): print "Basic (multi auth conf). Authenticate for step 1" identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() metricService = CdiUtil.bean(MetricService) timerContext = metricService.getTimer( MetricType.OXAUTH_USER_AUTHENTICATION_RATE).time() try: keyValue = credentials.getUsername() userPassword = credentials.getPassword() if (StringHelper.isNotEmptyString(keyValue) and StringHelper.isNotEmptyString(userPassword)): for ldapExtendedEntryManager in self.ldapExtendedEntryManagers: ldapConfiguration = ldapExtendedEntryManager[ "ldapConfiguration"] ldapEntryManager = ldapExtendedEntryManager[ "ldapEntryManager"] loginAttributes = ldapExtendedEntryManager[ "loginAttributes"] localLoginAttributes = ldapExtendedEntryManager[ "localLoginAttributes"] print "Basic (multi auth conf). Authenticate for step 1. Using configuration: " + ldapConfiguration.getConfigId( ) idx = 0 count = len(loginAttributes) while (idx < count): primaryKey = loginAttributes[idx] localPrimaryKey = localLoginAttributes[idx] loggedIn = authenticationService.authenticate( ldapConfiguration, ldapEntryManager, keyValue, userPassword, primaryKey, localPrimaryKey) if (loggedIn): metricService.incCounter( MetricType. OXAUTH_USER_AUTHENTICATION_SUCCESS) return True idx += 1 finally: timerContext.stop() metricService.incCounter( MetricType.OXAUTH_USER_AUTHENTICATION_FAILURES) return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() if (step == 1): print "Basic (with password update). Authenticate for step 1" user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = authenticationService.authenticate( user_name, user_password) if (not logged_in): return False return True elif (step == 2): print "Basic (with password update). Authenticate for step 2" user = authenticationService.getAuthenticatedUser() if user == None: print "Basic (with password update). Authenticate for step 2. Failed to determine user name" return False user_name = user.getUserId() find_user_by_uid = userService.getUser(user_name) update_button = requestParameters.get("loginForm:updateButton") if ArrayHelper.isEmpty(update_button): return True new_password_array = requestParameters.get("new_password") if ArrayHelper.isEmpty(new_password_array) or StringHelper.isEmpty( new_password_array[0]): print "Basic (with password update). Authenticate for step 2. New password is empty" return False new_password = new_password_array[0] find_user_by_uid.setAttribute("userPassword", new_password) print "Basic (with password update). Authenticate for step 2. Attempting to set new user '%s' password" % user_name userService.updateUser(find_user_by_uid) print "Basic (with password update). Authenticate for step 2. Password updated successfully" return True else: return False
def isPassedDefaultAuthentication(self): identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() passed_step1 = StringHelper.isNotEmptyString(user_name) return passed_step1
def processBasicAuthentication(self, credentials): userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return None find_user_by_uid = authenticationService.getAuthenticatedUser() if (find_user_by_uid == None): print "Cert. Process basic authentication. Failed to find user '%s'" % user_name return None return find_user_by_uid
def processBasicAuthentication(self, credentials): userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): logged_in = authenticationService.authenticate(user_name, user_password) if not logged_in: return None find_user_by_uid = authenticationService.getAuthenticatedUser() if find_user_by_uid == None: print "UAF. Process basic authentication. Failed to find user '%s'" % user_name return None return find_user_by_uid
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) if (step == 1): print "Basic. Authenticate for step 1" identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False return True else: return False
def authenticate(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) session_attributes = identity.getSessionId().getSessionAttributes() authenticationService = CdiUtil.bean(AuthenticationService) allowedCountriesListArray = StringHelper.split(self.allowedCountries, ",") if (len(allowedCountriesListArray) > 0 and session_attributes.containsKey("remote_ip")): remote_ip = session_attributes.get("remote_ip") remote_loc_dic = self.determineGeolocationData(remote_ip) if remote_loc_dic == None: print "Super-Gluu. Prepare for step 2. Failed to determine remote location by remote IP '%s'" % remote_ip return remote_loc = "%s" % (remote_loc_dic['countryCode']) print "Your remote location is " + remote_loc if remote_loc in allowedCountriesListArray: print "you are allowed to access" else: return False if (step == 1): print "Basic. Authenticate for step 1" identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = authenticationService.authenticate( user_name, user_password) if (not logged_in): return False return True else: return False
def processBasicAuthentication(self, credentials): authenticationService = CdiUtil.bean(AuthenticationService) user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): try: logged_in = authenticationService.authenticate( user_name, user_password) except AuthenticationException: print "OTP (with lockout). Authenticate. Failed to authenticate user '%s'" % user_name if not logged_in: return None find_user_by_uid = authenticationService.getAuthenticatedUser() if find_user_by_uid == None: print "OTP (with lockout). Process basic authentication. Failed to find user '%s'" % user_name return None return find_user_by_uid
def getClientConfiguration(self, configurationAttributes, requestParameters): # Get client configuration if (configurationAttributes.containsKey("gplus_client_configuration_attribute")): clientConfigurationAttribute = configurationAttributes.get("gplus_client_configuration_attribute").getValue2() print "Google+ GetClientConfiguration. Using client attribute: '%s'" % clientConfigurationAttribute if (requestParameters == None): return None clientId = None # Attempt to determine client_id from request clientIdArray = requestParameters.get("client_id") if (ArrayHelper.isNotEmpty(clientIdArray) and StringHelper.isNotEmptyString(clientIdArray[0])): clientId = clientIdArray[0] # Attempt to determine client_id from event context if (clientId == None): identity = CdiUtil.bean(Identity) if (identity.isSetWorkingParameter("sessionAttributes")): clientId = identity.getSessionId().getSessionAttributes().get("client_id") if (clientId == None): print "Google+ GetClientConfiguration. client_id is empty" return None clientService = CdiUtil.bean(ClientService) client = clientService.getClient(clientId) if (client == None): print "Google+ GetClientConfiguration. Failed to find client '%s' in local LDAP" % clientId return None clientConfiguration = clientService.getCustomAttribute(client, clientConfigurationAttribute) if ((clientConfiguration == None) or StringHelper.isEmpty(clientConfiguration.getValue())): print "Google+ GetClientConfiguration. Client '%s' attribute '%s' is empty" % (clientId, clientConfigurationAttribute) else: print "Google+ GetClientConfiguration. Client '%s' attribute '%s' is '%s'" % (clientId, clientConfigurationAttribute, clientConfiguration) return clientConfiguration return None
def bindWWPass(self, requestParameters, userService, authenticationService, identity, ticket): puid = identity.getWorkingParameter("puid") email = requestParameters.get( 'email')[0] if 'email' in requestParameters else None if not puid: identity.setWorkingParameter("errors", "WWPass login failed") return False if ticket: puid_new = self.getPuid(ticket) # Always use the latest PUID when retrying step 2 identity.setWorkingParameter("puid", puid_new) if puid == puid_new: # Registering via external web service if not self.registration_url: return False if self.tryFirstLogin(puid, userService, authenticationService): identity.setWorkingParameter("puid", None) return True else: if not self.allow_passkey_bind: return False # Binding with existing PassKey user = userService.getUserByAttribute("oxExternalUid", "wwpass:%s" % puid_new) if user: if authenticationService.authenticate(user.getUserId()): userService.addUserAttribute(user.getUserId(), "oxExternalUid", "wwpass:%s" % puid) identity.setWorkingParameter("puid", None) return True identity.setWorkingParameter("errors", "Invalid user") return False elif email: # Binding via email if not self.allow_email_bind: return False email = requestParameters.get( 'email')[0] if 'email' in requestParameters else None identity.setWorkingParameter("email", email) user = userService.getUserByAttribute('mail', email) if not user: print("User with email '%s' not found." % email) return True nonce = self.generateNonce(33) mailService = CdiUtil.bean(MailService) identity.setWorkingParameter("email_nonce", nonce) identity.setWorkingParameter( "email_nonce_exp", str(time() + self.EMAIL_NONCE_EXPIRATION)) subject = "Bind your WWPass Key" body = """ To bind your WWPass Key to your account, copy and paste the following code into "Email code" field in the login form: %s If you haven't requested this operation, you can safely disregard this email. """ mailService.sendMail(email, subject, body % nonce) return True else: # Binding via username/password if not self.allow_password_bind: return False puid = identity.getWorkingParameter("puid") if not puid: return False credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): try: logged_in = authenticationService.authenticate( user_name, user_password) except Exception as e: print(e) if not logged_in: identity.setWorkingParameter("errors", "Invalid username or password") return False user = authenticationService.getAuthenticatedUser() if not user: identity.setWorkingParameter("errors", "Invalid user") return False userService.addUserAttribute(user_name, "oxExternalUid", "wwpass:%s" % puid) identity.setWorkingParameter("puid", None) return True return False
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) if step == 1: print "Basic (lock account). Authenticate for step 1" facesMessages = CdiUtil.bean(FacesMessages) facesMessages.setKeepMessages() identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() cacheService = CdiUtil.bean(CacheService) userService = CdiUtil.bean(UserService) logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): try: logged_in = authenticationService.authenticate(user_name, user_password) except AuthenticationException: print "Basic (lock account). Authenticate. Failed to authenticate user '%s'" % user_name if logged_in: self.setUserAttributeValue(user_name, self.invalidLoginCountAttribute, StringHelper.toString(0)) else: countInvalidLoginArributeValue = self.getUserAttributeValue(user_name, self.invalidLoginCountAttribute) userSatus = self.getUserAttributeValue(user_name, "gluuStatus") print "Current user '%s' status is '%s'" % ( user_name, userSatus ) countInvalidLogin = StringHelper.toInteger(countInvalidLoginArributeValue, 0) if countInvalidLogin < self.maximumInvalidLoginAttemps: countInvalidLogin = countInvalidLogin + 1 remainingAttempts = self.maximumInvalidLoginAttemps - countInvalidLogin print "Remaining login count attempts '%s' for user '%s'" % ( remainingAttempts, user_name ) self.setUserAttributeValue(user_name, self.invalidLoginCountAttribute, StringHelper.toString(countInvalidLogin)) if remainingAttempts > 0 and userSatus == "active": facesMessages.add(FacesMessage.SEVERITY_INFO, StringHelper.toString(remainingAttempts)+" more attempt(s) before account is LOCKED!") if (countInvalidLogin >= self.maximumInvalidLoginAttemps) and ((userSatus == None) or (userSatus == "active")): print "Basic (lock account). Locking '%s' for '%s' seconds" % ( user_name, self.lockExpirationTime) self.lockUser(user_name) return False if (countInvalidLogin >= self.maximumInvalidLoginAttemps) and userSatus == "inactive": print "Basic (lock account). User '%s' is locked. Checking if we can unlock him" % user_name unlock_and_authenticate = False object_from_store = cacheService.get(None, "lock_user_" + user_name) if object_from_store == None: # Object in cache was expired. We need to unlock user print "Basic (lock account). User locking details for user '%s' not exists" % user_name unlock_and_authenticate = True else: # Analyze object from cache user_lock_details = json.loads(object_from_store) user_lock_details_locked = user_lock_details['locked'] user_lock_details_created = user_lock_details['created'] user_lock_details_created_date = LocalDateTime.parse(user_lock_details_created, DateTimeFormatter.ISO_LOCAL_DATE_TIME) user_lock_details_created_diff = Duration.between(user_lock_details_created_date, LocalDateTime.now()).getSeconds() print "Basic (lock account). Get user '%s' locking details. locked: '%s', Created: '%s', Difference in seconds: '%s'" % ( user_name, user_lock_details_locked, user_lock_details_created, user_lock_details_created_diff ) if user_lock_details_locked and user_lock_details_created_diff >= self.lockExpirationTime: print "Basic (lock account). Unlocking user '%s' after lock expiration" % user_name unlock_and_authenticate = True if unlock_and_authenticate: self.unLockUser(user_name) self.setUserAttributeValue(user_name, self.invalidLoginCountAttribute, StringHelper.toString(0)) logged_in = authenticationService.authenticate(user_name, user_password) if not logged_in: # Update number of attempts self.setUserAttributeValue(user_name, self.invalidLoginCountAttribute, StringHelper.toString(1)) if self.maximumInvalidLoginAttemps == 1: # Lock user if maximum count login attempts is 1 self.lockUser(user_name) return False return logged_in else: return False
def authenticate(self, configurationAttributes, requestParameters, step): userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) facesMessages = CdiUtil.bean(FacesMessages) facesMessages.setKeepMessages() session_attributes = self.identity.getSessionId().getSessionAttributes() form_passcode = ServerUtil.getFirstValue(requestParameters, "passcode") form_name = ServerUtil.getFirstValue(requestParameters, "TwilioSmsloginForm") print "TwilioSMS. form_response_passcode: %s" % str(form_passcode) if step == 1: print "TwilioSMS. Step 1 Password Authentication" credentials = self.identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): logged_in = authenticationService.authenticate(user_name, user_password) if not logged_in: return False # Get the Person's number and generate a code foundUser = None try: foundUser = authenticationService.getAuthenticatedUser() except: print 'TwilioSMS, Error retrieving user %s from LDAP' % (user_name) return False try: isVerified = foundUser.getAttribute("phoneNumberVerified") if isVerified: self.mobile_number = foundUser.getAttribute("employeeNumber") if self.mobile_number == None: self.mobile_number = foundUser.getAttribute("mobile") if self.mobile_number == None: self.mobile_number = foundUser.getAttribute("telephoneNumber") if self.mobile_number == None: print "TwilioSMS, Error finding mobile number for user '%'" % user_name except: facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to determine mobile phone number") print 'TwilioSMS, Error finding mobile number for' % (user_name) return False # Generate Random six digit code and store it in array code = random.randint(100000, 999999) # Get code and save it in LDAP temporarily with special session entry self.identity.setWorkingParameter("code", code) try: Twilio.init(self.ACCOUNT_SID, self.AUTH_TOKEN); message = Message.creator(PhoneNumber(self.mobile_number), PhoneNumber(self.FROM_NUMBER), str(code)).create(); print "++++++++++++++++++++++++++++++++++++++++++++++" print 'TwilioSMs, Message Sid: %s' % (message.getSid()) print 'TwilioSMs, User phone: %s' % (self.mobile_number) print "++++++++++++++++++++++++++++++++++++++++++++++" self.identity.setWorkingParameter("mobile_number", self.mobile_number) self.identity.getSessionId().getSessionAttributes().put("mobile_number",self.mobile_number) self.identity.setWorkingParameter("mobile", self.mobile_number) self.identity.getSessionId().getSessionAttributes().put("mobile",self.mobile_number) print "++++++++++++++++++++++++++++++++++++++++++++++" print "Number: %s" % (self.identity.getWorkingParameter("mobile_number")) print "Mobile: %s" % (self.identity.getWorkingParameter("mobile")) print "++++++++++++++++++++++++++++++++++++++++++++++" return True except Exception, ex: facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to send message to mobile phone") print "TwilioSMS. Error sending message to Twilio" print "TwilioSMS. Unexpected error:", ex return False
def authenticate(self, configurationAttributes, requestParameters, step): extensionResult = self.extensionAuthenticate(configurationAttributes, requestParameters, step) if extensionResult != None: return extensionResult print "Passport. authenticate for step %s called" % str(step) identity = CdiUtil.bean(Identity) if step == 1: # Get JWT token jwt_param = ServerUtil.getFirstValue(requestParameters, "user") if jwt_param != None: print "Passport. authenticate for step 1. JWT user profile token found" # Parse JWT and validate jwt = Jwt.parse(jwt_param) if not self.validSignature(jwt): return False (user_profile, json) = self.getUserProfile(jwt) if user_profile == None: return False return self.attemptAuthentication(identity, user_profile, json) #See passportlogin.xhtml provider = ServerUtil.getFirstValue(requestParameters, "loginForm:provider") if StringHelper.isEmpty(provider): #it's username + passw auth print "Passport. authenticate for step 1. Basic authentication detected" logged_in = False credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): authenticationService = CdiUtil.bean(AuthenticationService) logged_in = authenticationService.authenticate(user_name, user_password) print "Passport. authenticate for step 1. Basic authentication returned: %s" % logged_in return logged_in elif provider in self.registeredProviders: #it's a recognized external IDP identity.setWorkingParameter("selectedProvider", provider) print "Passport. authenticate for step 1. Retrying step 1" #see prepareForStep (step = 1) return True if step == 2: mail = ServerUtil.getFirstValue(requestParameters, "loginForm:email") json = identity.getWorkingParameter("passport_user_profile") if mail == None: self.setEmailMessageError() elif json != None: # Completion of profile takes place user_profile = self.getProfileFromJson(json) user_profile["mail"] = mail return self.attemptAuthentication(identity, user_profile, json) print "Passport. authenticate for step 2. Failed: expected mail value in HTTP request and json profile in session" return False
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() if (step == 1): print "U2F. Authenticate for step 1" user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = CdiUtil.bean(UserService) logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False return True elif (step == 2): print "U2F. Authenticate for step 2" token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse") if token_response == None: print "U2F. Authenticate for step 2. tokenResponse is empty" return False auth_method = ServerUtil.getFirstValue(requestParameters, "authMethod") if auth_method == None: print "U2F. Authenticate for step 2. authMethod is empty" return False authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if (user == None): print "U2F. Prepare for step 2. Failed to determine user name" return False if (auth_method == 'authenticate'): print "U2F. Prepare for step 2. Call FIDO U2F in order to finish authentication workflow" authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration) authenticationStatus = authenticationRequestService.finishAuthentication(user.getUserId(), token_response) if (authenticationStatus.getStatus() != Constants.RESULT_SUCCESS): print "U2F. Authenticate for step 2. Get invalid authentication status from FIDO U2F server" return False return True elif (auth_method == 'enroll'): print "U2F. Prepare for step 2. Call FIDO U2F in order to finish registration workflow" registrationRequestService = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration) registrationStatus = registrationRequestService.finishRegistration(user.getUserId(), token_response) if (registrationStatus.getStatus() != Constants.RESULT_SUCCESS): print "U2F. Authenticate for step 2. Get invalid registration status from FIDO U2F server" return False return True else: print "U2F. Prepare for step 2. Authenticatiod method is invalid" return False return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() if (step == 1): print "Fido2. Authenticate for step 1" user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = CdiUtil.bean(UserService) logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False return True elif (step == 2): print "Fido2. Authenticate for step 2" token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse") if token_response == None: print "Fido2. Authenticate for step 2. tokenResponse is empty" return False auth_method = ServerUtil.getFirstValue(requestParameters, "authMethod") if auth_method == None: print "Fido2. Authenticate for step 2. authMethod is empty" return False authenticationService = CdiUtil.bean(AuthenticationService) user = authenticationService.getAuthenticatedUser() if (user == None): print "Fido2. Prepare for step 2. Failed to determine user name" return False if (auth_method == 'authenticate'): print "Fido2. Prepare for step 2. Call Fido2 in order to finish authentication flow" assertionService = Fido2ClientFactory.instance().createAssertionService(self.metaDataConfiguration) assertionStatus = assertionService.verify(token_response) authenticationStatusEntity = assertionStatus.readEntity(java.lang.String) if (assertionStatus.getStatus() != Response.Status.OK.getStatusCode()): print "Fido2. Authenticate for step 2. Get invalid authentication status from Fido2 server" return False return True elif (auth_method == 'enroll'): print "Fido2. Prepare for step 2. Call Fido2 in order to finish registration flow" attestationService = Fido2ClientFactory.instance().createAttestationService(self.metaDataConfiguration) attestationStatus = attestationService.verify(token_response) if (attestationStatus.getStatus() != Response.Status.OK.getStatusCode()): print "Fido2. Authenticate for step 2. Get invalid registration status from Fido2 server" return False return True else: print "Fido2. Prepare for step 2. Authentication method is invalid" return False return False else: return False
def authenticate(self, configurationAttributes, requestParameters, step): duo_host = configurationAttributes.get("duo_host").getValue2() authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) if (step == 1): print "Duo. Authenticate for step 1" # Check if user authenticated alreadyin another custom script user = authenticationService.getAuthenticatedUser() if user == None: credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = CdiUtil.bean(UserService) logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False user = authenticationService.getAuthenticatedUser() if (self.use_duo_group): print "Duo. Authenticate for step 1. Checking if user belong to Duo group" is_member_duo_group = self.isUserMemberOfGroup(user, self.audit_attribute, self.duo_group) if (is_member_duo_group): print "Duo. Authenticate for step 1. User '" + user.getUserId() + "' member of Duo group" duo_count_login_steps = 2 else: self.processAuditGroup(user) duo_count_login_steps = 1 identity.setWorkingParameter("duo_count_login_steps", duo_count_login_steps) return True elif (step == 2): print "Duo. Authenticate for step 2" user = authenticationService.getAuthenticatedUser() if user == None: print "Duo. Authenticate for step 2. Failed to determine user name" return False user_name = user.getUserId() sig_response_array = requestParameters.get("sig_response") if ArrayHelper.isEmpty(sig_response_array): print "Duo. Authenticate for step 2. sig_response is empty" return False duo_sig_response = sig_response_array[0] print "Duo. Authenticate for step 2. duo_sig_response: " + duo_sig_response authenticated_username = duo_web.verify_response(self.ikey, self.skey, self.akey, duo_sig_response) print "Duo. Authenticate for step 2. authenticated_username: "******", expected user_name: " + user_name if (not StringHelper.equals(user_name, authenticated_username)): return False self.processAuditGroup(user) return True else: return False
def authenticate(self, configurationAttributes, requestParameters, step): print "Casa. authenticate %s" % str(step) userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) identity = CdiUtil.bean(Identity) if step == 1: credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password): foundUser = userService.getUserByAttribute(self.uid_attr, user_name) #foundUser = userService.getUser(user_name) if foundUser == None: print "Casa. authenticate for step 1. Unknown username" else: platform_data = self.parsePlatformData(requestParameters) mfaOff = foundUser.getAttribute("oxPreferredMethod") == None logged_in = False if mfaOff: logged_in = authenticationService.authenticate(user_name, user_password) else: acr = self.getSuitableAcr(foundUser, platform_data['isMobile']) if acr != None: module = self.authenticators[acr] logged_in = module.authenticate(module.configAttrs, requestParameters, step) if logged_in: foundUser = authenticationService.getAuthenticatedUser() if foundUser == None: print "Casa. authenticate for step 1. Cannot retrieve logged user" else: if mfaOff: identity.setWorkingParameter("skip2FA", True) else: #Determine whether to skip 2FA based on policy defined (global or user custom) skip2FA = self.determineSkip2FA(userService, identity, foundUser, platform_data) identity.setWorkingParameter("skip2FA", skip2FA) identity.setWorkingParameter("ACR", acr) return True else: print "Casa. authenticate for step 1 was not successful" return False else: user = authenticationService.getAuthenticatedUser() if user == None: print "Casa. authenticate for step 2. Cannot retrieve logged user" return False #see casa.xhtml alter = ServerUtil.getFirstValue(requestParameters, "alternativeMethod") if alter != None: #bypass the rest of this step if an alternative method was provided. Current step will be retried (see getNextStep) self.simulateFirstStep(requestParameters, alter) return True session_attributes = identity.getSessionId().getSessionAttributes() acr = session_attributes.get("ACR") #this working parameter is used in casa.xhtml identity.setWorkingParameter("methods", ArrayList(self.getAvailMethodsUser(user, acr))) success = False if acr in self.authenticators: module = self.authenticators[acr] success = module.authenticate(module.configAttrs, requestParameters, step) #Update the list of trusted devices if 2fa passed if success: print "Casa. authenticate. 2FA authentication was successful" tdi = session_attributes.get("trustedDevicesInfo") if tdi == None: print "Casa. authenticate. List of user's trusted devices was not updated" else: user.setAttribute("oxTrustedDevicesInfo", tdi) userService.updateUser(user) else: print "Casa. authenticate. 2FA authentication failed" return success return False
def authenticate(self, configurationAttributes, requestParameters, step): identity = CdiUtil.bean(Identity) credentials = identity.getCredentials() user_name = credentials.getUsername() userService = CdiUtil.bean(UserService) authenticationService = CdiUtil.bean(AuthenticationService) if step == 1: print "Cert. Authenticate for step 1" login_button = ServerUtil.getFirstValue(requestParameters, "loginForm:loginButton") if StringHelper.isEmpty(login_button): print "Cert. Authenticate for step 1. Form were submitted incorrectly" return False if self.enabled_recaptcha: print "Cert. Authenticate for step 1. Validating recaptcha response" recaptcha_response = ServerUtil.getFirstValue(requestParameters, "g-recaptcha-response") recaptcha_result = self.validateRecaptcha(recaptcha_response) print "Cert. Authenticate for step 1. recaptcha_result: '%s'" % recaptcha_result return recaptcha_result return True elif step == 2: print "Cert. Authenticate for step 2" # Validate if user selected certificate cert_x509 = self.getSessionAttribute("cert_x509") if cert_x509 == None: print "Cert. Authenticate for step 2. User not selected any certs" identity.setWorkingParameter("cert_selected", False) # Return True to inform user how to reset workflow return True else: identity.setWorkingParameter("cert_selected", True) x509Certificate = self.certFromString(cert_x509) subjectX500Principal = x509Certificate.getSubjectX500Principal() print "Cert. Authenticate for step 2. User selected certificate with DN '%s'" % subjectX500Principal # Validate certificates which user selected valid = self.validateCertificate(x509Certificate) if not valid: print "Cert. Authenticate for step 2. Certificate DN '%s' is not valid" % subjectX500Principal identity.setWorkingParameter("cert_valid", False) # Return True to inform user how to reset workflow return True identity.setWorkingParameter("cert_valid", True) # Calculate certificate fingerprint x509CertificateFingerprint = self.calculateCertificateFingerprint(x509Certificate) identity.setWorkingParameter("cert_x509_fingerprint", x509CertificateFingerprint) print "Cert. Authenticate for step 2. Fingerprint is '%s' of certificate with DN '%s'" % (x509CertificateFingerprint, subjectX500Principal) # Attempt to find user by certificate fingerprint cert_user_external_uid = "cert:%s" % x509CertificateFingerprint print "Cert. Authenticate for step 2. Attempting to find user by oxExternalUid attribute value %s" % cert_user_external_uid find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: print "Cert. Authenticate for step 2. Failed to find user" if self.map_user_cert: print "Cert. Authenticate for step 2. Storing cert_user_external_uid for step 3" identity.setWorkingParameter("cert_user_external_uid", cert_user_external_uid) return True else: print "Cert. Authenticate for step 2. Mapping cert to user account is not allowed" identity.setWorkingParameter("cert_count_login_steps", 2) return False foundUserName = find_user_by_external_uid.getUserId() print "Cert. Authenticate for step 2. foundUserName: "******"Cert. Authenticate for step 2. Setting count steps to 2" identity.setWorkingParameter("cert_count_login_steps", 2) return logged_in elif step == 3: print "Cert. Authenticate for step 3" cert_user_external_uid = self.getSessionAttribute("cert_user_external_uid") if cert_user_external_uid == None: print "Cert. Authenticate for step 3. cert_user_external_uid is empty" return False user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False # Double check just to make sure. We did checking in previous step # Check if there is user which has cert_user_external_uid # Avoid mapping user cert to more than one IDP account find_user_by_external_uid = userService.getUserByAttribute("oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: # Add cert_user_external_uid to user's external GUID list find_user_by_external_uid = userService.addUserAttribute(user_name, "oxExternalUid", cert_user_external_uid) if find_user_by_external_uid == None: print "Cert. Authenticate for step 3. Failed to update current user" return False return True return True else: return False
def generateInum(self,orgInum,prefix): if(StringHelper.isNotEmptyString(orgInum) and StringHelper.isNotEmptyString(prefix)): return orgInum + Configuration.inumDelimiter + prefix + Configuration.inumDelimiter + INumGenerator.generate() else: return ""