def getNextStep(self, configurationAttributes, requestParameters, step):
# If user not pass current step change step to previous
context = Contexts.getEventContext()
retry_current_step = context.get("retry_current_step")
if retry_current_step:
print "Super-Gluu. Get next step. Retrying current step"
# Remove old QR code
context = Contexts.getEventContext()
context.set("super_gluu_request", "timeout")
resultStep = step
return resultStep
return -1
def authenticate(self, configurationAttributes, requestParameters, step):
duo_host = configurationAttributes.get("duo_host").getValue2()
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "Duo. Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
authenticationService = AuthenticationService.instance()
user = authenticationService.getAuthenticatedUser()
if (self.use_duo_group):
print "Duo. Authenticate for step 1. Checking if user belong to Duo group"
is_member_duo_group = self.isUserMemberOfGroup(user, self.audit_attribute, self.duo_group)
if (is_member_duo_group):
print "Duo. Authenticate for step 1. User '" + user.getUserId() + "' member of Duo group"
duo_count_login_steps = 2
else:
self.processAuditGroup(user)
duo_count_login_steps = 1
context = Contexts.getEventContext()
context.set("duo_count_login_steps", duo_count_login_steps)
return True
elif (step == 2):
print "Duo. Authenticate for step 2"
sig_response_array = requestParameters.get("sig_response")
if ArrayHelper.isEmpty(sig_response_array):
print "Duo. Authenticate for step 2. sig_response is empty"
return False
duo_sig_response = sig_response_array[0]
print "Duo. Authenticate for step 2. duo_sig_response: " + duo_sig_response
authenticated_username = duo_web.verify_response(self.ikey, self.skey, self.akey, duo_sig_response)
print "Duo. Authenticate for step 2. authenticated_username: "******", expected user_name: " + user_name
if (not StringHelper.equals(user_name, authenticated_username)):
return False
authenticationService = AuthenticationService.instance()
user = authenticationService.getAuthenticatedUser()
self.processAuditGroup(user)
return True
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
duo_host = configurationAttributes.get("duo_host").getValue2()
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "Duo. Prepare for step 1"
return True
elif (step == 2):
print "Duo. Prepare for step 2"
duo_sig_request = duo_web.sign_request(self.ikey, self.skey,
self.akey, user_name)
print "Duo. Prepare for step 2. duo_sig_request: " + duo_sig_request
context.set("duo_host", duo_host)
context.set("duo_sig_request", duo_sig_request)
return True
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
if (step == 1):
print "Saml. Prepare for step 1"
httpService = HttpService.instance()
request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
assertionConsumerServiceUrl = httpService.constructServerUrl(request) + "/postlogin"
print "Saml. Prepare for step 1. Prepared assertionConsumerServiceUrl: '%s'" % assertionConsumerServiceUrl
currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
if (currentSamlConfiguration == None):
print "Saml. Prepare for step 1. Client saml configuration is invalid"
return False
# Generate an AuthRequest and send it to the identity provider
samlAuthRequest = AuthRequest(currentSamlConfiguration)
external_auth_request_uri = currentSamlConfiguration.getIdpSsoTargetUrl() + "?SAMLRequest=" + samlAuthRequest.getRequest(True, assertionConsumerServiceUrl)
print "Saml. Prepare for step 1. external_auth_request_uri: '%s'" % external_auth_request_uri
context.set("external_auth_request_uri", external_auth_request_uri)
return True
elif (step == 2):
print "Saml. Prepare for step 2"
return True
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = Component.getInstance(AuthenticationService)
server_flag = configurationAttributes.get("oneid_server_flag").getValue2()
callback_attrs = configurationAttributes.get("oneid_callback_attrs").getValue2()
creds_file = configurationAttributes.get("oneid_creds_file").getValue2()
# Create OneID
authn = OneID(server_flag)
# Set path to credentials file
authn.creds_file = creds_file;
if (step == 1):
print "OneId. Prepare for step 1"
request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
validation_page = request.getContextPath() + "/postlogin?" + "request_uri=&" + authenticationService.parametersAsString()
print "OneId. Prepare for step 1. validation_page: " + validation_page
oneid_login_button = authn.draw_signin_button(validation_page, callback_attrs, True)
print "OneId. Prepare for step 1. oneid_login_button: " + oneid_login_button
context.set("oneid_login_button", oneid_login_button)
context.set("oneid_script_header", authn.script_header)
context.set("oneid_form_script", authn.oneid_form_script)
return True
elif (step == 2):
print "OneId. Prepare for step 2"
return True
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
server_flag = configurationAttributes.get("oneid_server_flag").getValue2()
callback_attrs = configurationAttributes.get("oneid_callback_attrs").getValue2()
creds_file = configurationAttributes.get("oneid_creds_file").getValue2()
# Create OneID
authn = OneID(server_flag)
# Set path to credentials file
authn.creds_file = creds_file;
if (step == 1):
print "OneId. Prepare for step 1"
request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
validation_page = request.getContextPath() + "/postlogin?" + "request_uri=&" + authenticationService.parametersAsString()
print "OneId. Prepare for step 1. validation_page: " + validation_page
oneid_login_button = authn.draw_signin_button(validation_page, callback_attrs, True)
print "OneId. Prepare for step 1. oneid_login_button: " + oneid_login_button
context.set("oneid_login_button", oneid_login_button)
context.set("oneid_script_header", authn.script_header)
context.set("oneid_form_script", authn.oneid_form_script)
return True
elif (step == 2):
print "OneId. Prepare for step 2"
return True
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
print "Cert. Prepare for step %d" % step
context = Contexts.getEventContext()
if step == 1:
if self.enabled_recaptcha:
context.set("recaptcha_site_key", self.recaptcha_creds['site_key'])
elif step == 2:
# Store certificate in session
externalContext = FacesContext.getCurrentInstance().getExternalContext()
request = externalContext.getRequest()
# Try to get certificate from header X-ClientCert
clientCertificate = externalContext.getRequestHeaderMap().get("X-ClientCert")
if clientCertificate != None:
x509Certificate = self.certFromPemString(clientCertificate)
context.set("cert_x509", self.certToString(x509Certificate))
print "Cert. Prepare for step 2. Storing user certificate obtained from 'X-ClientCert' header"
return True
# Try to get certificate from attribute javax.servlet.request.X509Certificate
x509Certificates = request.getAttribute('javax.servlet.request.X509Certificate')
if (x509Certificates != None) and (len(x509Certificates) > 0):
context.set("cert_x509", self.certToString(x509Certificates[0]))
print "Cert. Prepare for step 2. Storing user certificate obtained from 'javax.servlet.request.X509Certificate' attribute"
return True
if step < 4:
return True
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
duo_host = configurationAttributes.get("duo_host").getValue2()
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "Duo prepare for step 1"
return True
elif (step == 2):
print "Duo prepare for step 2"
passed_step1 = self.isPassedStep1
if (not passed_step1):
return False
duo_sig_request = duo_web.sign_request(self.ikey, self.skey, self.akey, user_name)
print "Duo prepare for step 2. duo_sig_request: " + duo_sig_request
context.set("duo_host", duo_host)
context.set("duo_sig_request", duo_sig_request)
return True
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
if (step == 1):
print "Saml. Prepare for step 1"
httpService = HttpService.instance();
request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
assertionConsumerServiceUrl = httpService.constructServerUrl(request) + "/postlogin"
print "Saml. Prepare for step 1. Prepared assertionConsumerServiceUrl:", assertionConsumerServiceUrl
currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
if (currentSamlConfiguration == None):
print "Saml. Prepare for step 1. Client saml configuration is invalid"
return False
# Generate an AuthRequest and send it to the identity provider
samlAuthRequest = AuthRequest(currentSamlConfiguration)
external_auth_request_uri = currentSamlConfiguration.getIdpSsoTargetUrl() + "?SAMLRequest=" + samlAuthRequest.getRequest(True, assertionConsumerServiceUrl)
print "Saml. Prepare for step 1. external_auth_request_uri:", external_auth_request_uri
context.set("external_auth_request_uri", external_auth_request_uri)
return True
elif (step == 2):
print "Saml. Prepare for step 2"
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
duo_host = configurationAttributes.get("duo_host").getValue2()
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "Duo. Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
authenticationService = AuthenticationService.instance()
user = authenticationService.getAuthenticatedUser()
if (self.use_duo_group):
print "Duo. Authenticate for step 1. Checking if user belong to Duo group"
is_member_duo_group = self.isUserMemberOfGroup(user, self.audit_attribute, self.duo_group)
if (is_member_duo_group):
print "Duo. Authenticate for step 1. User '" + user.getUserId() + "' member of Duo group"
duo_count_login_steps = 2
else:
self.processAuditGroup(user)
duo_count_login_steps = 1
context = Contexts.getEventContext()
context.set("duo_count_login_steps", duo_count_login_steps)
return True
elif (step == 2):
print "Duo. Authenticate for step 2"
sig_response_array = requestParameters.get("sig_response")
if ArrayHelper.isEmpty(sig_response_array):
print "Duo. Authenticate for step 2. sig_response is empty"
return False
duo_sig_response = sig_response_array[0]
print "Duo. Authenticate for step 2. duo_sig_response: " + duo_sig_response
authenticated_username = duo_web.verify_response(self.ikey, self.skey, self.akey, duo_sig_response)
print "Duo. Authenticate for step 2. authenticated_username: "******", expected user_name: " + user_name
if (not StringHelper.equals(user_name, authenticated_username)):
return False
authenticationService = AuthenticationService.instance()
user = authenticationService.getAuthenticatedUser()
self.processAuditGroup(user)
return True
else:
return False
def getCountAuthenticationSteps(self, configurationAttributes):
context = Contexts.getEventContext()
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes != None) and sessionAttributes.containsKey("wikid_count_login_steps"):
return java.lang.Integer.valueOf(sessionAttributes.get("wikid_count_login_steps"))
return 2
def getCountAuthenticationSteps(self, configurationAttributes):
context = Contexts.getEventContext()
session_attributes = context.get("sessionAttributes")
if session_attributes.containsKey("otp_count_login_steps"):
return StringHelper.toInteger(session_attributes.get("otp_count_login_steps"))
else:
return 2
def getCountAuthenticationSteps(self, configurationAttributes):
context = Contexts.getEventContext()
session_attributes = context.get("sessionAttributes")
if session_attributes.containsKey("otp_count_login_steps"):
return StringHelper.toInteger(session_attributes.get("otp_count_login_steps"))
else:
return 2
def getCountAuthenticationSteps(self, configurationAttributes):
context = Contexts.getEventContext()
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes != None) and sessionAttributes.containsKey("wikid_count_login_steps"):
return java.lang.Integer.valueOf(sessionAttributes.get("wikid_count_login_steps"))
return 2
def prepareForStep(self, configurationAttributes, requestParameters, step):
credentials = Identity.instance().getCredentials()
context = Contexts.getEventContext()
session_attributes = context.get("sessionAttributes")
self.setEventContextParameters(context)
if step == 1:
print "OTP. Prepare for step 1"
return True
elif step == 2:
print "OTP. Prepare for step 2"
session_state_validation = self.validateSessionState(session_attributes)
if not session_state_validation:
return False
otp_auth_method = session_attributes.get("otp_auth_method")
print "OTP. Prepare for step 2. otp_auth_method: '%s'" % otp_auth_method
if otp_auth_method == 'enroll':
authenticationService = Component.getInstance(AuthenticationService)
user = authenticationService.getAuthenticatedUser()
if user == None:
print "OTP. Prepare for step 2. Failed to load user enty"
return False
if self.otpType == "hotp":
otp_secret_key = self.generateSecretHotpKey()
otp_enrollment_request = self.generateHotpSecretKeyUri(otp_secret_key, self.otpIssuer, user.getAttribute("displayName"))
elif self.otpType == "totp":
otp_secret_key = self.generateSecretTotpKey()
otp_enrollment_request = self.generateTotpSecretKeyUri(otp_secret_key, self.otpIssuer, user.getAttribute("displayName"))
else:
print "OTP. Prepare for step 2. Unknown OTP type: '%s'" % self.otpType
return False
print "OTP. Prepare for step 2. Prepared enrollment request for user: '******'" % user.getUserId()
context.set("otp_secret_key", self.toBase64Url(otp_secret_key))
context.set("otp_enrollment_request", otp_enrollment_request)
return True
elif step == 3:
print "OTP. Prepare for step 3"
session_state_validation = self.validateSessionState(session_attributes)
if not session_state_validation:
return False
otp_auth_method = session_attributes.get("otp_auth_method")
print "OTP. Prepare for step 3. otp_auth_method: '%s'" % otp_auth_method
if otp_auth_method == 'enroll':
return True
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
credentials = Identity.instance().getCredentials()
context = Contexts.getEventContext()
session_attributes = context.get("sessionAttributes")
self.setEventContextParameters(context)
if step == 1:
print "OTP. Prepare for step 1"
return True
elif step == 2:
print "OTP. Prepare for step 2"
session_state_validation = self.validateSessionState(session_attributes)
if not session_state_validation:
return False
otp_auth_method = session_attributes.get("otp_auth_method")
print "OTP. Prepare for step 2. otp_auth_method: '%s'" % otp_auth_method
if otp_auth_method == 'enroll':
authenticationService = AuthenticationService.instance()
user = authenticationService.getAuthenticatedUser()
if user == None:
print "OTP. Prepare for step 2. Failed to load user enty"
return False
if self.otpType == "hotp":
otp_secret_key = self.generateSecretHotpKey()
otp_enrollment_request = self.generateHotpSecretKeyUri(otp_secret_key, self.otpIssuer, user.getAttribute("displayName"))
elif self.otpType == "totp":
otp_secret_key = self.generateSecretTotpKey()
otp_enrollment_request = self.generateTotpSecretKeyUri(otp_secret_key, self.otpIssuer, user.getAttribute("displayName"))
else:
print "OTP. Prepare for step 2. Unknown OTP type: '%s'" % self.otpType
return False
print "OTP. Prepare for step 2. Prepared enrollment request for user: '******'" % user.getUserId()
context.set("otp_secret_key", self.toBase64Url(otp_secret_key))
context.set("otp_enrollment_request", otp_enrollment_request)
return True
elif step == 3:
print "OTP. Prepare for step 3"
session_state_validation = self.validateSessionState(session_attributes)
if not session_state_validation:
return False
otp_auth_method = session_attributes.get("otp_auth_method")
print "OTP. Prepare for step 3. otp_auth_method: '%s'" % otp_auth_method
if otp_auth_method == 'enroll':
return True
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
if (step == 1):
return True
elif (step == 2):
print "U2F. Prepare for step 2"
credentials = Identity.instance().getCredentials()
user = credentials.getUser()
if (user == None):
print "U2F. Prepare for step 2. Failed to determine user name"
return False
u2f_application_id = configurationAttributes.get(
"u2f_application_id").getValue2()
# Check if user have registered devices
deviceRegistrationService = DeviceRegistrationService.instance()
userInum = user.getAttribute("inum")
authenticationRequest = None
deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(
userInum, u2f_application_id)
if (deviceRegistrations.size() > 0):
print "U2F. Prepare for step 2. Call FIDO U2F in order to start authentication workflow"
try:
authenticationRequestService = FidoU2fClientFactory.instance(
).createAuthenticationRequestService(
self.metaDataConfiguration)
authenticationRequest = authenticationRequestService.startAuthentication(
user.getUserId(), u2f_application_id)
except ClientResponseFailure, ex:
if (ex.getResponse().getResponseStatus() !=
Response.Status.NOT_FOUND):
print "U2F. Prepare for step 2. Failed to start authentication workflow. Exception:", sys.exc_info(
)[1]
return False
print "U2F. Prepare for step 2. Call FIDO U2F in order to start registration workflow"
registrationRequestService = FidoU2fClientFactory.instance(
).createRegistrationRequestService(self.metaDataConfiguration)
registrationRequest = registrationRequestService.startRegistration(
user.getUserId(), u2f_application_id)
context.set("fido_u2f_authentication_request",
ServerUtil.asJson(authenticationRequest))
context.set("fido_u2f_registration_request",
ServerUtil.asJson(registrationRequest))
return True
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
oxpush_application_name = configurationAttributes.get(
"oxpush_application_name").getValue2()
if (step == 1):
print
"oxPush. Prepare for step 1"
oxpush_android_download_url = configurationAttributes.get(
"oxpush_android_download_url").getValue2()
context.set("oxpush_android_download_url",
oxpush_android_download_url)
elif (step == 2):
print
"oxPush. Prepare for step 2"
passed_step1 = self.isPassedDefaultAuthentication
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None
) or not sessionAttributes.containsKey("oxpush_user_uid"):
print
"oxPush. Prepare for step 2. oxpush_user_uid is empty"
# Initialize pairing process
pairing_process = None
try:
pairing_process = self.oxPushClient.pair(
oxpush_application_name, user_name)
except java.lang.Exception, err:
print
"oxPush. Prepare for step 2. Failed to initialize pairing process: ", err
return False
if (not pairing_process.result):
print
"oxPush. Prepare for step 2. Failed to initialize pairing process"
return False
pairing_id = pairing_process.pairingId
print
"oxPush. Prepare for step 2. Pairing Id: ", pairing_id
context.set("oxpush_pairing_uid", pairing_id)
context.set("oxpush_pairing_code", pairing_process.pairingCode)
context.set("oxpush_pairing_qr_image",
pairing_process.pairingQrImage)
def getNextStep(self, configurationAttributes, requestParameters, step):
print "Basic (demo reset step). Get next step for step '%s'" % step
# If user not pass current step authenticaton change step to previous
context = Contexts.getEventContext()
pass_authentication = context.get("pass_authentication")
if not pass_authentication:
if step > 1:
resultStep = step - 1
print "Basic (demo reset step). Get next step. Changing step to '%s'" % resultStep
return resultStep
return -1
def getNextStep(self, configurationAttributes, requestParameters, step):
print "Basic (demo reset step). Get next step for step '%s'" % step
# If user not pass current step authenticaton change step to previous
context = Contexts.getEventContext()
pass_authentication = context.get("pass_authentication")
if not pass_authentication:
if step > 1:
resultStep = step - 1
print "Basic (demo reset step). Get next step. Changing step to '%s'" % resultStep
return resultStep
return -1
def getSessionAttribute(self, attribute_name):
context = Contexts.getEventContext()
# Try to get attribute value from Seam event context
if context.isSet(attribute_name):
return context.get(attribute_name)
# Try to get attribute from persistent session
session_attributes = context.get("sessionAttributes")
if session_attributes.containsKey(attribute_name):
return session_attributes.get(attribute_name)
return None
def getSessionAttribute(self, attribute_name):
context = Contexts.getEventContext()
# Try to get attribute value from Seam event context
if context.isSet(attribute_name):
return context.get(attribute_name)
# Try to get attribute from persistent session
session_attributes = context.get("sessionAttributes")
if session_attributes.containsKey(attribute_name):
return session_attributes.get(attribute_name)
return None
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
if (step == 1):
return True
elif (step == 2):
print "U2F. Prepare for step 2"
session_state = SessionStateService.instance().getSessionStateFromCookie()
if StringHelper.isEmpty(session_state):
print "U2F. Prepare for step 2. Failed to determine session_state"
return False
credentials = Identity.instance().getCredentials()
user = credentials.getUser()
if (user == None):
print "U2F. Prepare for step 2. Failed to determine user name"
return False
u2f_application_id = configurationAttributes.get("u2f_application_id").getValue2()
# Check if user have registered devices
deviceRegistrationService = DeviceRegistrationService.instance()
userInum = user.getAttribute("inum")
authenticationRequest = None
deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, u2f_application_id)
if (deviceRegistrations.size() > 0):
print "U2F. Prepare for step 2. Call FIDO U2F in order to start authentication workflow"
try:
authenticationRequestService = FidoU2fClientFactory.instance().createAuthenticationRequestService(self.metaDataConfiguration)
authenticationRequest = authenticationRequestService.startAuthentication(user.getUserId(), None, u2f_application_id, session_state)
except ClientResponseFailure, ex:
if (ex.getResponse().getResponseStatus() != Response.Status.NOT_FOUND):
print "U2F. Prepare for step 2. Failed to start authentication workflow. Exception:", sys.exc_info()[1]
return False
print "U2F. Prepare for step 2. Call FIDO U2F in order to start registration workflow"
registrationRequestService = FidoU2fClientFactory.instance().createRegistrationRequestService(self.metaDataConfiguration)
registrationRequest = registrationRequestService.startRegistration(user.getUserId(), u2f_application_id, session_state)
context.set("fido_u2f_authentication_request", ServerUtil.asJson(authenticationRequest))
context.set("fido_u2f_registration_request", ServerUtil.asJson(registrationRequest))
return True
def getPageForStep(self, configurationAttributes, step):
context = Contexts.getEventContext()
is_wikid_registration = False
if (context.isSet("wikid_registration")):
is_wikid_registration = context.get("wikid_registration")
if (step == 2):
if (is_wikid_registration):
return "/auth/wikid/wikidregister.xhtml"
else:
return "/auth/wikid/wikidlogin.xhtml"
if (step == 3):
return "/auth/wikid/wikidlogin.xhtml"
return ""
def getPageForStep(self, configurationAttributes, step):
context = Contexts.getEventContext()
is_wikid_registration = False
if (context.isSet("wikid_registration")):
is_wikid_registration = context.get("wikid_registration")
if (step == 2):
if (is_wikid_registration):
return "/auth/wikid/wikidregister.xhtml"
else:
return "/auth/wikid/wikidlogin.xhtml"
if (step == 3):
return "/auth/wikid/wikidlogin.xhtml"
return ""
def getPageForStep(self, configurationAttributes, step):
if step == 2:
context = Contexts.getEventContext()
session_attributes = context.get("sessionAttributes")
otp_auth_method = session_attributes.get("otp_auth_method")
print "OTP. Gep page for step 2. otp_auth_method: '%s'" % otp_auth_method
if otp_auth_method == 'enroll':
return "/auth/otp/enroll.xhtml"
else:
return "/auth/otp/otplogin.xhtml"
elif step == 3:
return "/auth/otp/otplogin.xhtml"
return ""
def getPageForStep(self, configurationAttributes, step):
if step == 2:
context = Contexts.getEventContext()
session_attributes = context.get("sessionAttributes")
otp_auth_method = session_attributes.get("otp_auth_method")
print "OTP. Gep page for step 2. otp_auth_method: '%s'" % otp_auth_method
if otp_auth_method == 'enroll':
return "/auth/otp/enroll.xhtml"
else:
return "/auth/otp/otplogin.xhtml"
elif step == 3:
return "/auth/otp/otplogin.xhtml"
return ""
def prepareForStep(self, configurationAttributes, requestParameters, step):
if (step == 1):
print "InWebo. Prepare for step 1"
context = Contexts.getEventContext()
iw_helium_enabled = Boolean(configurationAttributes.get("iw_helium_enabled").getValue2()).booleanValue()
context.set("helium_enabled", iw_helium_enabled)
iw_helium_alias = None
if (iw_helium_enabled):
iw_helium_alias = configurationAttributes.get("iw_helium_alias").getValue2()
context.set("helium_alias", iw_helium_alias)
print "InWebo. Prepare for step 1. Helium status:", iw_helium_enabled
return True
def getClientConfiguration(self, configurationAttributes,
requestParameters):
# Get client configuration
if (configurationAttributes.containsKey(
"saml_client_configuration_attribute")):
saml_client_configuration_attribute = configurationAttributes.get(
"saml_client_configuration_attribute").getValue2()
print "Saml. GetClientConfiguration. Using client attribute: '%s'" % saml_client_configuration_attribute
if (requestParameters == None):
return None
client_id = None
client_id_array = requestParameters.get("client_id")
if (ArrayHelper.isNotEmpty(client_id_array)
and StringHelper.isNotEmptyString(client_id_array[0])):
client_id = client_id_array[0]
if (client_id == None):
eventContext = Contexts.getEventContext()
if (eventContext.isSet("sessionAttributes")):
client_id = eventContext.get("sessionAttributes").get(
"client_id")
if (client_id == None):
print "Saml. GetClientConfiguration. client_id is empty"
return None
clientService = ClientService.instance()
client = clientService.getClient(client_id)
if (client == None):
print "Saml. GetClientConfiguration. Failed to find client '%s' in local LDAP" % client_id
return None
saml_client_configuration = clientService.getCustomAttribute(
client, saml_client_configuration_attribute)
if ((saml_client_configuration == None) or StringHelper.isEmpty(
saml_client_configuration.getValue())):
print "Saml. GetClientConfiguration. Client '%s' attribute '%s' is empty" % (
client_id, saml_client_configuration_attribute)
else:
print "Saml. GetClientConfiguration. Client '%s' attribute '%s' is '%s'" % (
client_id, saml_client_configuration_attribute,
saml_client_configuration)
return saml_client_configuration
return None
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
if (step == 1):
context.set("display_register_action", True)
return True
elif (step == 2):
print "oxPush2. Prepare for step 2"
credentials = Identity.instance().getCredentials()
user = credentials.getUser()
if (user == None):
print "oxPush2. Prepare for step 2. Failed to determine user name"
return False
session_attributes = context.get("sessionAttributes")
if session_attributes.containsKey("oxpush2_request"):
print "oxPush2. Prepare for step 2. Request was generated already"
return True
session_state = SessionStateService.instance().getSessionStateFromCookie()
if StringHelper.isEmpty(session_state):
print "oxPush2. Prepare for step 2. Failed to determine session_state"
return False
auth_method = session_attributes.get("oxpush2_auth_method")
if StringHelper.isEmpty(auth_method):
print "oxPush2. Prepare for step 2. Failed to determine auth_method"
return False
print "oxPush2. Prepare for step 2. auth_method: '%s'" % auth_method
issuer = ConfigurationFactory.instance().getConfiguration().getIssuer()
oxpush2_request = json.dumps({'username': user.getUserId(),
'app': self.u2f_application_id,
'issuer': issuer,
'method': auth_method,
'state': session_state}, separators=(',',':'))
print "oxPush2. Prepare for step 2. Prepared oxpush2_request:", oxpush2_request
context.set("oxpush2_request", oxpush2_request)
return True
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
stringEncrypter = StringEncrypter.defaultInstance()
context = Contexts.getEventContext()
oxpush_application_name = configurationAttributes.get("oxpush_application_name").getValue2()
if (step == 1):
print "oxPush prepare for step 1"
oxpush_android_download_url = configurationAttributes.get("oxpush_android_download_url").getValue2()
context.set("oxpush_android_download_url", oxpush_android_download_url)
elif (step == 2):
print "oxPush prepare for step 2"
passed_step1 = self.isPassedDefaultAuthentication
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
oxpush_user_uid_array = requestParameters.get("oxpush_user_uid")
if (ArrayHelper.isEmpty(oxpush_user_uid_array) or StringHelper.isEmptyString(oxpush_user_uid_array[0])):
print "oxPush prepare for step 2. oxpush_user_uid is empty"
# Initialize pairing process
pairing_process = None
try:
pairing_process = self.oxPushClient.pair(oxpush_application_name, user_name);
except java.lang.Exception, err:
print "oxPush prepare for step 2. Failed to initialize pairing process: ", err
return False
if (not pairing_process.result):
print "oxPush prepare for step 2. Failed to initialize pairing process"
return False
pairing_id = pairing_process.pairingId
print "oxPush prepare for step 2. Pairing Id: ", pairing_id
context.set("oxpush_pairing_uid", stringEncrypter.encrypt(pairing_id))
context.set("oxpush_pairing_code", pairing_process.pairingCode)
context.set("oxpush_pairing_qr_image", pairing_process.pairingQrImage)
def prepareForStep(self, configurationAttributes, requestParameters, step):
print "Cert. Prepare for step %d" % step
context = Contexts.getEventContext()
if step == 1:
if self.enabled_recaptcha:
context.set("recaptcha_site_key", self.recaptcha_creds['site_key'])
elif step == 2:
# Store certificate in session
request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
x509Certificates = request.getAttribute('javax.servlet.request.X509Certificate')
if (x509Certificates != None) and (len(x509Certificates) > 0):
context.set("cert_x509", self.certToString(x509Certificates))
print "Cert. Prepare for step 2. Storing user certificate"
if step < 4:
return True
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
if (step == 1):
print "InWebo. Prepare for step 1"
context = Contexts.getEventContext()
iw_helium_enabled = Boolean(
configurationAttributes.get(
"iw_helium_enabled").getValue2()).booleanValue()
context.set("helium_enabled", iw_helium_enabled)
iw_helium_alias = None
if (iw_helium_enabled):
iw_helium_alias = configurationAttributes.get(
"iw_helium_alias").getValue2()
context.set("helium_alias", iw_helium_alias)
print "InWebo. Prepare for step 1. Helium status:", iw_helium_enabled
return True
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
httpService = HttpService.instance()
cas_host = configurationAttributes.get("cas_host").getValue2()
cas_renew_opt = StringHelper.toBoolean(
configurationAttributes.get("cas_renew_opt").getValue2(), False)
cas_extra_opts = None
if (configurationAttributes.containsKey("cas_extra_opts")):
cas_extra_opts = configurationAttributes.get(
"cas_extra_opts").getValue2()
if (step == 1):
print "CAS2. Prepare for step 1"
request = FacesContext.getCurrentInstance().getExternalContext(
).getRequest()
parametersMap = HashMap()
parametersMap.put(
"service",
httpService.constructServerUrl(request) + "/postlogin")
if (cas_renew_opt):
parametersMap.put("renew", "true")
cas_service_request_uri = authenticationService.parametersAsString(
parametersMap)
cas_service_request_uri = cas_host + "/login?" + cas_service_request_uri
if cas_extra_opts != None:
cas_service_request_uri = cas_service_request_uri + "&" + cas_extra_opts
print "CAS2. Prepare for step 1. cas_service_request_uri: " + cas_service_request_uri
context.set("cas_service_request_uri", cas_service_request_uri)
return True
elif (step == 2):
print "CAS2. Prepare for step 2"
return True
else:
return False
def getClientConfiguration(self, configurationAttributes, requestParameters):
# Get client configuration
if (configurationAttributes.containsKey("gplus_client_configuration_attribute")):
clientConfigurationAttribute = configurationAttributes.get("gplus_client_configuration_attribute").getValue2()
print "Google+ GetClientConfiguration. Using client attribute:", clientConfigurationAttribute
if (requestParameters == None):
return None
clientId = None
# Attempt to determine client_id from request
clientIdArray = requestParameters.get("client_id")
if (ArrayHelper.isNotEmpty(clientIdArray) and StringHelper.isNotEmptyString(clientIdArray[0])):
clientId = clientIdArray[0]
# Attempt to determine client_id from event context
if (clientId == None):
eventContext = Contexts.getEventContext()
if (eventContext.isSet("stored_request_parameters")):
clientId = eventContext.get("stored_request_parameters").get("client_id")
if (clientId == None):
print "Google+ GetClientConfiguration. client_id is empty"
return None
clientService = ClientService.instance()
client = clientService.getClient(clientId)
if (client == None):
print "Google+ GetClientConfiguration. Failed to find client", clientId, " in local LDAP"
return None
clientConfiguration = clientService.getCustomAttribute(client, clientConfigurationAttribute)
if ((clientConfiguration == None) or StringHelper.isEmpty(clientConfiguration.getValue())):
print "Google+ GetClientConfiguration. Client", clientId, " attribute", clientConfigurationAttribute, " is empty"
else:
print "Google+ GetClientConfiguration. Client", clientId, " attribute", clientConfigurationAttribute, " is", clientConfiguration
return clientConfiguration
return None
def getClientConfiguration(self, configurationAttributes, requestParameters):
# Get client configuration
if (configurationAttributes.containsKey("gplus_client_configuration_attribute")):
clientConfigurationAttribute = configurationAttributes.get("gplus_client_configuration_attribute").getValue2()
print "Google+ GetClientConfiguration. Using client attribute:", clientConfigurationAttribute
if (requestParameters == None):
return None
clientId = None
# Attempt to determine client_id from request
clientIdArray = requestParameters.get("client_id")
if (ArrayHelper.isNotEmpty(clientIdArray) and StringHelper.isNotEmptyString(clientIdArray[0])):
clientId = clientIdArray[0]
# Attempt to determine client_id from event context
if (clientId == None):
eventContext = Contexts.getEventContext()
if (eventContext.isSet("sessionAttributes")):
clientId = eventContext.get("sessionAttributes").get("client_id")
if (clientId == None):
print "Google+ GetClientConfiguration. client_id is empty"
return None
clientService = Component.getInstance(ClientService)
client = clientService.getClient(clientId)
if (client == None):
print "Google+ GetClientConfiguration. Failed to find client", clientId, " in local LDAP"
return None
clientConfiguration = clientService.getCustomAttribute(client, clientConfigurationAttribute)
if ((clientConfiguration == None) or StringHelper.isEmpty(clientConfiguration.getValue())):
print "Google+ GetClientConfiguration. Client", clientId, " attribute", clientConfigurationAttribute, " is empty"
else:
print "Google+ GetClientConfiguration. Client", clientId, " attribute", clientConfigurationAttribute, " is", clientConfiguration
return clientConfiguration
return None
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
httpService = HttpService.instance();
cas_host = configurationAttributes.get("cas_host").getValue2()
cas_renew_opt = StringHelper.toBoolean(configurationAttributes.get("cas_renew_opt").getValue2(), False)
cas_extra_opts = None
if (configurationAttributes.containsKey("cas_extra_opts")):
cas_extra_opts = configurationAttributes.get("cas_extra_opts").getValue2()
if (step == 1):
print "CAS2. Prepare for step 1"
print "CAS2. Prepare for step 1. Store current request parameters in session because CAS don't pass them via service URI"
authenticationService.storeRequestParametersInSession()
request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
parametersMap = HashMap()
parametersMap.put("service", httpService.constructServerUrl(request) + "/postlogin")
if (cas_renew_opt):
parametersMap.put("renew", "true")
cas_service_request_uri = authenticationService.parametersAsString(parametersMap)
cas_service_request_uri = cas_host + "/login?" + cas_service_request_uri
if cas_extra_opts != None:
cas_service_request_uri = cas_service_request_uri + "&" + cas_extra_opts
print "CAS2. Prepare for step 1. cas_service_request_uri: " + cas_service_request_uri
context.set("cas_service_request_uri", cas_service_request_uri)
return True
elif (step == 2):
print "CAS2. Prepare for step 2"
return True
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
if (step == 1):
print "Google+ prepare for step 1"
currentClientSecrets = self.getCurrentClientSecrets(self.clientSecrets, configurationAttributes, requestParameters)
if (currentClientSecrets == None):
print "Google+ prepare for step 1. Google+ client configuration is invalid"
return False
context.set("gplus_client_id", currentClientSecrets["web"]["client_id"])
context.set("gplus_client_secret", currentClientSecrets["web"]["client_secret"])
return True
elif (step == 2):
print "Google+ prepare for step 2"
return True
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = Component.getInstance(AuthenticationService)
if (step == 1):
print "Google+ Prepare for step 1"
currentClientSecrets = self.getCurrentClientSecrets(self.clientSecrets, configurationAttributes, requestParameters)
if (currentClientSecrets == None):
print "Google+ Prepare for step 1. Google+ client configuration is invalid"
return False
context.set("gplus_client_id", currentClientSecrets["web"]["client_id"])
context.set("gplus_client_secret", currentClientSecrets["web"]["client_secret"])
return True
elif (step == 2):
print "Google+ Prepare for step 2"
return True
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
print "Cert. Prepare for step %d" % step
context = Contexts.getEventContext()
if step == 1:
if self.enabled_recaptcha:
context.set("recaptcha_site_key",
self.recaptcha_creds['site_key'])
elif step == 2:
# Store certificate in session
request = FacesContext.getCurrentInstance().getExternalContext(
).getRequest()
x509Certificates = request.getAttribute(
'javax.servlet.request.X509Certificate')
if (x509Certificates != None) and (len(x509Certificates) > 0):
context.set("cert_x509", self.certToString(x509Certificates))
print "Cert. Prepare for step 2. Storing user certificate"
if step < 4:
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
context.set("pass_authentication", False)
if 1 <= step <= 3:
print "Basic (demo reset step). Authenticate for step '%s'" % step
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = Component.getInstance(UserService)
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
context.set("pass_authentication", True)
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
context.set("pass_authentication", False)
if 1 <= step <= 3:
print "Basic (demo reset step). Authenticate for step '%s'" % step
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
context.set("pass_authentication", True)
return True
else:
return False
def getClientConfiguration(self, configurationAttributes, requestParameters):
# Get client configuration
if (configurationAttributes.containsKey("saml_client_configuration_attribute")):
saml_client_configuration_attribute = configurationAttributes.get("saml_client_configuration_attribute").getValue2()
print "Saml. GetClientConfiguration. Using client attribute:", saml_client_configuration_attribute
if (requestParameters == None):
return None
client_id = None
client_id_array = requestParameters.get("client_id")
if (ArrayHelper.isNotEmpty(client_id_array) and StringHelper.isNotEmptyString(client_id_array[0])):
client_id = client_id_array[0]
if (client_id == None):
eventContext = Contexts.getEventContext()
if (eventContext.isSet("sessionAttributes")):
client_id = eventContext.get("sessionAttributes").get("client_id")
if (client_id == None):
print "Saml. GetClientConfiguration. client_id is empty"
return None
clientService = ClientService.instance()
client = clientService.getClient(client_id)
if (client == None):
print "Saml. GetClientConfiguration. Failed to find client", client_id, " in local LDAP"
return None
saml_client_configuration = clientService.getCustomAttribute(client, saml_client_configuration_attribute)
if ((saml_client_configuration == None) or StringHelper.isEmpty(saml_client_configuration.getValue())):
print "Saml. GetClientConfiguration. Client", client_id, " attribute", saml_client_configuration_attribute, " is empty"
else:
print "Saml. GetClientConfiguration. Client", client_id, " attribute", saml_client_configuration_attribute, " is", saml_client_configuration
return saml_client_configuration
return None
def getCountAuthenticationSteps(self, configurationAttributes):
context = Contexts.getEventContext()
if (context.isSet("iw_count_login_steps")):
return context.get("iw_count_login_steps")
return 2
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
encryptionService = EncryptionService.instance()
mapUserDeployment = False
enrollUserDeployment = False
if (configurationAttributes.containsKey("gplus_deployment_type")):
deploymentType = StringHelper.toLowerCase(configurationAttributes.get("gplus_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(deploymentType, "map")):
mapUserDeployment = True
if (StringHelper.equalsIgnoreCase(deploymentType, "enroll")):
enrollUserDeployment = True
if (step == 1):
print "Google+ authenticate for step 1"
gplusAuthCodeArray = requestParameters.get("gplus_auth_code")
gplusAuthCode = gplusAuthCodeArray[0]
# Check if user uses basic method to log in
useBasicAuth = False
if (StringHelper.isEmptyString(gplusAuthCode)):
useBasicAuth = True
# Use basic method to log in
if (useBasicAuth):
print "Google+ authenticate for step 1. Basic authentication"
context.set("gplus_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
userName = credentials.getUsername()
userPassword = credentials.getPassword()
loggedIn = False
if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)):
userService = UserService.instance()
loggedIn = userService.authenticate(userName, userPassword)
if (not loggedIn):
return False
return True
# Use Google+ method to log in
print "Google+ authenticate for step 1. gplusAuthCode:", gplusAuthCode
currentClientSecrets = self.getCurrentClientSecrets(self.clientSecrets, configurationAttributes, requestParameters)
if (currentClientSecrets == None):
print "Google+ authenticate for step 1. Client secrets configuration is invalid"
return False
print "Google+ authenticate for step 1. Attempting to gets tokens"
tokenResponse = self.getTokensByCode(self.clientSecrets, configurationAttributes, gplusAuthCode);
if ((tokenResponse == None) or (tokenResponse.getIdToken() == None) or (tokenResponse.getAccessToken() == None)):
print "Google+ authenticate for step 1. Failed to get tokens"
return False
else:
print "Google+ authenticate for step 1. Successfully gets tokens"
jwt = Jwt.parse(tokenResponse.getIdToken())
# TODO: Validate ID Token Signature
gplusUserUid = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER);
print "Google+ authenticate for step 1. Found Google user ID in the ID token: ", gplusUserUid
if (mapUserDeployment):
# Use mapping to local IDP user
print "Google+ authenticate for step 1. Attempting to find user by oxExternalUid: gplus:", gplusUserUid
# Check if there is user with specified gplusUserUid
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
print "Google+ authenticate for step 1. Failed to find user"
print "Google+ authenticate for step 1. Setting count steps to 2"
context.set("gplus_count_login_steps", 2)
context.set("gplus_user_uid", encryptionService.encrypt(gplusUserUid))
return True
foundUserName = foundUser.getUserId()
print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user"
return False
print "Google+ authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
elif (enrollUserDeployment):
# Use auto enrollment to local IDP
print "Google+ authenticate for step 1. Attempting to find user by oxExternalUid: gplus:", gplusUserUid
# Check if there is user with specified gplusUserUid
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
# Auto user enrollemnt
print "Google+ authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Google+ authenticate for step 1. Attempting to gets user info"
userInfoResponse = self.getUserInfo(currentClientSecrets, configurationAttributes, tokenResponse.getAccessToken())
if ((userInfoResponse == None) or (userInfoResponse.getClaims().size() == 0)):
print "Google+ authenticate for step 1. Failed to get user info"
return False
else:
print "Google+ authenticate for step 1. Successfully gets user info"
gplusResponseAttributes = userInfoResponse.getClaims()
# Convert Google+ user claims to lover case
gplusResponseNormalizedAttributes = HashMap()
for gplusResponseAttributeEntry in gplusResponseAttributes.entrySet():
gplusResponseNormalizedAttributes.put(
StringHelper.toLowerCase(gplusResponseAttributeEntry.getKey()), gplusResponseAttributeEntry.getValue())
currentAttributesMapping = self.getCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
print "Google+ authenticate for step 1. Using next attributes mapping", currentAttributesMapping
newUser = User()
for attributesMappingEntry in currentAttributesMapping.entrySet():
idpAttribute = attributesMappingEntry.getKey()
localAttribute = attributesMappingEntry.getValue()
localAttributeValue = gplusResponseNormalizedAttributes.get(idpAttribute)
if (localAttribute != None):
newUser.setAttribute(localAttribute, localAttributeValue)
if (newUser.getAttribute("sn") == None):
newUser.setAttribute("sn", gplusUserUid)
if (newUser.getAttribute("cn") == None):
newUser.setAttribute("cn", gplusUserUid)
newUser.setAttribute("oxExternalUid", "gplus:" + gplusUserUid)
print "Google+ authenticate for step 1. Attempting to add user", gplusUserUid, " with next attributes", newUser.getCustomAttributes()
foundUser = userService.addUser(newUser)
print "Google+ authenticate for step 1. Added new user with UID", foundUser.getUserId()
foundUserName = foundUser.getUserId()
print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user"
return False
print "Google+ authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
else:
# Check if the is user with specified gplusUserUid
print "Google+ authenticate for step 1. Attempting to find user by uid:", gplusUserUid
foundUser = userService.getUser(gplusUserUid)
if (foundUser == None):
print "Google+ authenticate for step 1. Failed to find user"
return False
foundUserName = foundUser.getUserId()
print "Google+ authenticate for step 1. foundUserName:"******"Google+ authenticate for step 1. Failed to authenticate user"
return False
print "Google+ authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
elif (step == 2):
print "Google+ authenticate for step 2"
gplusUserUidArray = requestParameters.get("gplus_user_uid")
if ArrayHelper.isEmpty(gplusUserUidArray):
print "Google+ authenticate for step 2. gplus_user_uid is empty"
return False
gplusUserUid = encryptionService.decrypt(gplusUserUidArray[0])
passedStep1 = StringHelper.isNotEmptyString(gplusUserUid)
if (not passedStep1):
return False
credentials = Identity.instance().getCredentials()
userName = credentials.getUsername()
userPassword = credentials.getPassword()
loggedIn = False
if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)):
loggedIn = userService.authenticate(userName, userPassword)
if (not loggedIn):
return False
# Check if there is user which has gplusUserUid
# Avoid mapping Google account to more than one IDP account
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
# Add gplusUserUid to user one id UIDs
foundUser = userService.addUserAttribute(userName, "oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
print "Google+ authenticate for step 2. Failed to update current user"
return False
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ authenticate for step 2. postLoginResult:", postLoginResult
return postLoginResult
else:
foundUserName = foundUser.getUserId()
print "Google+ authenticate for step 2. foundUserName:"******"Google+ authenticate for step 2. postLoginResult:", postLoginResult
return postLoginResult
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
saml_map_user = False
saml_enroll_user = False
saml_enroll_all_user_attr = False
# Use saml_deployment_type only if there is no attributes mapping
if (configurationAttributes.containsKey("saml_deployment_type")):
saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")):
saml_map_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")):
saml_enroll_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")):
saml_enroll_all_user_attr = True
saml_allow_basic_login = False
if (configurationAttributes.containsKey("saml_allow_basic_login")):
saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False)
use_basic_auth = False
if (saml_allow_basic_login):
# Detect if user used basic authnetication method
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if (StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password)):
use_basic_auth = True
if ((step == 1) and saml_allow_basic_login and use_basic_auth):
print "Saml. Authenticate for step 1. Basic authentication"
context.set("saml_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
if (step == 1):
print "Saml. Authenticate for step 1"
currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
if (currentSamlConfiguration == None):
print "Saml. Prepare for step 1. Client saml configuration is invalid"
return False
saml_response_array = requestParameters.get("SAMLResponse")
if ArrayHelper.isEmpty(saml_response_array):
print "Saml. Authenticate for step 1. saml_response is empty"
return False
saml_response = saml_response_array[0]
print "Saml. Authenticate for step 1. saml_response:", saml_response
samlResponse = Response(currentSamlConfiguration)
samlResponse.loadXmlFromBase64(saml_response)
saml_validate_response = True
if (configurationAttributes.containsKey("saml_validate_response")):
saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False)
if (saml_validate_response):
if (not samlResponse.isValid()):
print "Saml. Authenticate for step 1. saml_response isn't valid"
saml_response_name_id = samlResponse.getNameId()
if (StringHelper.isEmpty(saml_response_name_id)):
print "Saml. Authenticate for step 1. saml_response_name_id is invalid"
return False
print "Saml. Authenticate for step 1. saml_response_name_id:", saml_response_name_id
saml_response_attributes = samlResponse.getAttributes()
print "Saml. Authenticate for step 1. attributes: ", saml_response_attributes
# Use persistent Id as saml_user_uid
saml_user_uid = saml_response_name_id
if (saml_map_user):
# Use mapping to local IDP user
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:", saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
print "Saml. Authenticate for step 1. Setting count steps to 2"
context.set("saml_count_login_steps", 2)
context.set("saml_user_uid", saml_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
elif (saml_enroll_user):
# Use auto enrollment to local IDP
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:", saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
# Auto user enrollemnt
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
# Convert saml result attributes keys to lover case
saml_response_normalized_attributes = HashMap()
for saml_response_attribute_entry in saml_response_attributes.entrySet():
saml_response_normalized_attributes.put(
StringHelper.toLowerCase(saml_response_attribute_entry.getKey()), saml_response_attribute_entry.getValue())
currentAttributesMapping = self.prepareCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
print "Saml. Authenticate for step 1. Using next attributes mapping", currentAttributesMapping
newUser = User()
for attributesMappingEntry in currentAttributesMapping.entrySet():
idpAttribute = attributesMappingEntry.getKey()
localAttribute = attributesMappingEntry.getValue()
localAttributeValue = saml_response_normalized_attributes.get(idpAttribute)
if (localAttribute != None):
newUser.setAttribute(localAttribute, localAttributeValue)
newUser.setAttribute("oxExternalUid", "saml:" + saml_user_uid)
print "Saml. Authenticate for step 1. Attempting to add user", saml_user_uid, " with next attributes", newUser.getCustomAttributes()
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID", find_user_by_uid.getUserId()
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
elif (saml_enroll_all_user_attr):
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:" + saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
user = User()
customAttributes = ArrayList()
for key in attributes.keySet():
ldapAttributes = attributeService.getAllAttributes()
for ldapAttribute in ldapAttributes:
saml2Uri = ldapAttribute.getSaml2Uri()
if(saml2Uri == None):
saml2Uri = attributeService.getDefaultSaml2Uri(ldapAttribute.getName())
if(saml2Uri == key):
attribute = CustomAttribute(ldapAttribute.getName())
attribute.setValues(attributes.get(key))
customAttributes.add(attribute)
attribute = CustomAttribute("oxExternalUid")
attribute.setValue("saml:" + saml_user_uid)
customAttributes.add(attribute)
user.setCustomAttributes(customAttributes)
if(user.getAttribute("sn") == None):
attribute = CustomAttribute("sn")
attribute.setValue(saml_user_uid)
customAttributes.add(attribute)
if(user.getAttribute("cn") == None):
attribute = CustomAttribute("cn")
attribute.setValue(saml_user_uid)
customAttributes.add(attribute)
find_user_by_uid = userService.addUser(user, True)
print "Saml. Authenticate for step 1. Added new user with UID", find_user_by_uid.getUserId()
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
else:
# Check if the is user with specified saml_user_uid
print "Saml. Authenticate for step 1. Attempting to find user by uid:", saml_user_uid
find_user_by_uid = userService.getUser(saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
elif (step == 2):
print "Saml. Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None) or not sessionAttributes.containsKey("saml_user_uid"):
print "Saml. Authenticate for step 2. saml_user_uid is empty"
return False
saml_user_uid = sessionAttributes.get("saml_user_uid")
passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has saml_user_uid
# Avoid mapping Saml account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
# Add saml_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 2. Failed to update current user"
return False
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result:", post_login_result
return post_login_result
else:
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 2. found_user_name:", found_user_name
if StringHelper.equals(user_name, found_user_name):
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result:", post_login_result
return post_login_result
return False
else:
return False
def getCountAuthenticationSteps(self, configurationAttributes):
context = Contexts.getEventContext()
if context.isSet("super_gluu_count_login_steps"):
return context.get("super_gluu_count_login_steps")
else:
return 2
def getCountAuthenticationSteps(self, configurationAttributes):
context = Contexts.getEventContext()
if (context.isSet("saml_count_login_steps")):
return context.get("saml_count_login_steps")
return 2
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
saml_map_user = False
saml_enroll_user = False
saml_enroll_all_user_attr = False
# Use saml_deployment_type only if there is no attributes mapping
if (configurationAttributes.containsKey("saml_deployment_type")):
saml_deployment_type = StringHelper.toLowerCase(
configurationAttributes.get(
"saml_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")):
saml_map_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")):
saml_enroll_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type,
"enroll_all_attr")):
saml_enroll_all_user_attr = True
saml_allow_basic_login = False
if (configurationAttributes.containsKey("saml_allow_basic_login")):
saml_allow_basic_login = StringHelper.toBoolean(
configurationAttributes.get(
"saml_allow_basic_login").getValue2(), False)
use_basic_auth = False
if (saml_allow_basic_login):
# Detect if user used basic authnetication method
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if (StringHelper.isNotEmpty(user_name)
and StringHelper.isNotEmpty(user_password)):
use_basic_auth = True
if ((step == 1) and saml_allow_basic_login and use_basic_auth):
print "Saml. Authenticate for step 1. Basic authentication"
context.set("saml_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name)
and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
if (step == 1):
print "Saml. Authenticate for step 1"
currentSamlConfiguration = self.getCurrentSamlConfiguration(
self.samlConfiguration, configurationAttributes,
requestParameters)
if (currentSamlConfiguration == None):
print "Saml. Prepare for step 1. Client saml configuration is invalid"
return False
saml_response_array = requestParameters.get("SAMLResponse")
if ArrayHelper.isEmpty(saml_response_array):
print "Saml. Authenticate for step 1. saml_response is empty"
return False
saml_response = saml_response_array[0]
print "Saml. Authenticate for step 1. saml_response: '%s'" % saml_response
samlResponse = Response(currentSamlConfiguration)
samlResponse.loadXmlFromBase64(saml_response)
saml_validate_response = True
if (configurationAttributes.containsKey("saml_validate_response")):
saml_validate_response = StringHelper.toBoolean(
configurationAttributes.get(
"saml_validate_response").getValue2(), False)
if (saml_validate_response):
if (not samlResponse.isValid()):
print "Saml. Authenticate for step 1. saml_response isn't valid"
saml_response_attributes = samlResponse.getAttributes()
print "Saml. Authenticate for step 1. attributes: '%s'" % saml_response_attributes
if (saml_map_user):
saml_user_uid = self.getSamlNameId(samlResponse)
if saml_user_uid == None:
return False
# Use mapping to local IDP user
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
print "Saml. Authenticate for step 1. Setting count steps to 2"
context.set("saml_count_login_steps", 2)
context.set("saml_user_uid", saml_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (saml_enroll_user):
# Convert SAML response to user entry
newUser = self.getMappedUser(configurationAttributes,
requestParameters,
saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid",
"saml:%s" % saml_user_uid)
# Use auto enrollment to local IDP
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
# Auto user enrollment
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId(
)
facesMessages = FacesMessages.instance()
facesMessages.add(
StatusMessage.Severity.ERROR,
"Failed to enroll. User with same key attributes exist already"
)
FacesContext.getCurrentInstance().getExternalContext(
).getFlash().setKeepMessages(True)
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId(
)
else:
if self.updateUser:
print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(
newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (saml_enroll_all_user_attr):
# Convert SAML response to user entry
newUser = self.getMappedAllAttributesUser(
saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid",
"saml:%s" % saml_user_uid)
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:%s" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
# Auto user enrollment
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId(
)
facesMessages = FacesMessages.instance()
facesMessages.add(
StatusMessage.Severity.ERROR,
"Failed to enroll. User with same key attributes exist already"
)
FacesContext.getCurrentInstance().getExternalContext(
).getFlash().setKeepMessages(True)
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId(
)
else:
if self.updateUser:
print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(
newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
else:
if saml_user_uid == None:
return False
# Check if the is user with specified saml_user_uid
print "Saml. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid
find_user_by_uid = userService.getUser(saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (step == 2):
print "Saml. Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None
) or not sessionAttributes.containsKey("saml_user_uid"):
print "Saml. Authenticate for step 2. saml_user_uid is empty"
return False
saml_user_uid = sessionAttributes.get("saml_user_uid")
passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name)
and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has saml_user_uid
# Avoid mapping Saml account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
# Add saml_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(
user_name, "oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 2. Failed to update current user"
return False
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
else:
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 2. found_user_name: '%s'" % found_user_name
if StringHelper.equals(user_name, found_user_name):
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = Component.getInstance(AuthenticationService)
userService = Component.getInstance(UserService)
mapUserDeployment = False
enrollUserDeployment = False
if (configurationAttributes.containsKey("gplus_deployment_type")):
deploymentType = StringHelper.toLowerCase(configurationAttributes.get("gplus_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(deploymentType, "map")):
mapUserDeployment = True
if (StringHelper.equalsIgnoreCase(deploymentType, "enroll")):
enrollUserDeployment = True
if (step == 1):
print "Google+ Authenticate for step 1"
gplusAuthCodeArray = requestParameters.get("gplus_auth_code")
gplusAuthCode = gplusAuthCodeArray[0]
# Check if user uses basic method to log in
useBasicAuth = False
if (StringHelper.isEmptyString(gplusAuthCode)):
useBasicAuth = True
# Use basic method to log in
if (useBasicAuth):
print "Google+ Authenticate for step 1. Basic authentication"
context.set("gplus_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
userName = credentials.getUsername()
userPassword = credentials.getPassword()
loggedIn = False
if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)):
userService = Component.getInstance(UserService)
loggedIn = userService.authenticate(userName, userPassword)
if (not loggedIn):
return False
return True
# Use Google+ method to log in
print "Google+ Authenticate for step 1. gplusAuthCode:", gplusAuthCode
currentClientSecrets = self.getCurrentClientSecrets(self.clientSecrets, configurationAttributes, requestParameters)
if (currentClientSecrets == None):
print "Google+ Authenticate for step 1. Client secrets configuration is invalid"
return False
print "Google+ Authenticate for step 1. Attempting to gets tokens"
tokenResponse = self.getTokensByCode(self.clientSecrets, configurationAttributes, gplusAuthCode);
if ((tokenResponse == None) or (tokenResponse.getIdToken() == None) or (tokenResponse.getAccessToken() == None)):
print "Google+ Authenticate for step 1. Failed to get tokens"
return False
else:
print "Google+ Authenticate for step 1. Successfully gets tokens"
jwt = Jwt.parse(tokenResponse.getIdToken())
# TODO: Validate ID Token Signature
gplusUserUid = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER);
print "Google+ Authenticate for step 1. Found Google user ID in the ID token: ", gplusUserUid
if (mapUserDeployment):
# Use mapping to local IDP user
print "Google+ Authenticate for step 1. Attempting to find user by oxExternalUid: gplus:", gplusUserUid
# Check if there is user with specified gplusUserUid
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
print "Google+ Authenticate for step 1. Failed to find user"
print "Google+ Authenticate for step 1. Setting count steps to 2"
context.set("gplus_count_login_steps", 2)
context.set("gplus_user_uid", gplusUserUid)
return True
foundUserName = foundUser.getUserId()
print "Google+ Authenticate for step 1. foundUserName:"******"Google+ Authenticate for step 1. Failed to authenticate user"
return False
print "Google+ Authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ Authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
elif (enrollUserDeployment):
# Use auto enrollment to local IDP
print "Google+ Authenticate for step 1. Attempting to find user by oxExternalUid: gplus:", gplusUserUid
# Check if there is user with specified gplusUserUid
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
# Auto user enrollemnt
print "Google+ Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Google+ Authenticate for step 1. Attempting to gets user info"
userInfoResponse = self.getUserInfo(currentClientSecrets, configurationAttributes, tokenResponse.getAccessToken())
if ((userInfoResponse == None) or (userInfoResponse.getClaims().size() == 0)):
print "Google+ Authenticate for step 1. Failed to get user info"
return False
else:
print "Google+ Authenticate for step 1. Successfully gets user info"
gplusResponseAttributes = userInfoResponse.getClaims()
# Convert Google+ user claims to lover case
gplusResponseNormalizedAttributes = HashMap()
for gplusResponseAttributeEntry in gplusResponseAttributes.entrySet():
gplusResponseNormalizedAttributes.put(
StringHelper.toLowerCase(gplusResponseAttributeEntry.getKey()), gplusResponseAttributeEntry.getValue())
currentAttributesMapping = self.getCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
print "Google+ Authenticate for step 1. Using next attributes mapping", currentAttributesMapping
newUser = User()
for attributesMappingEntry in currentAttributesMapping.entrySet():
remoteAttribute = attributesMappingEntry.getKey()
localAttribute = attributesMappingEntry.getValue()
localAttributeValue = gplusResponseNormalizedAttributes.get(remoteAttribute)
if (localAttribute != None):
newUser.setAttribute(localAttribute, localAttributeValue)
if (newUser.getAttribute("sn") == None):
newUser.setAttribute("sn", gplusUserUid)
if (newUser.getAttribute("cn") == None):
newUser.setAttribute("cn", gplusUserUid)
newUser.setAttribute("oxExternalUid", "gplus:" + gplusUserUid)
print "Google+ Authenticate for step 1. Attempting to add user", gplusUserUid, " with next attributes", newUser.getCustomAttributes()
foundUser = userService.addUser(newUser, True)
print "Google+ Authenticate for step 1. Added new user with UID", foundUser.getUserId()
foundUserName = foundUser.getUserId()
print "Google+ Authenticate for step 1. foundUserName:"******"Google+ Authenticate for step 1. Failed to authenticate user"
return False
print "Google+ Authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ Authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
else:
# Check if there is user with specified gplusUserUid
print "Google+ Authenticate for step 1. Attempting to find user by uid:", gplusUserUid
foundUser = userService.getUser(gplusUserUid)
if (foundUser == None):
print "Google+ Authenticate for step 1. Failed to find user"
return False
foundUserName = foundUser.getUserId()
print "Google+ Authenticate for step 1. foundUserName:"******"Google+ Authenticate for step 1. Failed to authenticate user"
return False
print "Google+ Authenticate for step 1. Setting count steps to 1"
context.set("gplus_count_login_steps", 1)
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ Authenticate for step 1. postLoginResult:", postLoginResult
return postLoginResult
elif (step == 2):
print "Google+ Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None) or not sessionAttributes.containsKey("gplus_user_uid"):
print "Google+ Authenticate for step 2. gplus_user_uid is empty"
return False
gplusUserUid = sessionAttributes.get("gplus_user_uid")
passed_step1 = StringHelper.isNotEmptyString(gplusUserUid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
userName = credentials.getUsername()
userPassword = credentials.getPassword()
loggedIn = False
if (StringHelper.isNotEmptyString(userName) and StringHelper.isNotEmptyString(userPassword)):
loggedIn = userService.authenticate(userName, userPassword)
if (not loggedIn):
return False
# Check if there is user which has gplusUserUid
# Avoid mapping Google account to more than one IDP account
foundUser = userService.getUserByAttribute("oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
# Add gplusUserUid to user one id UIDs
foundUser = userService.addUserAttribute(userName, "oxExternalUid", "gplus:" + gplusUserUid)
if (foundUser == None):
print "Google+ Authenticate for step 2. Failed to update current user"
return False
postLoginResult = self.extensionPostLogin(configurationAttributes, foundUser)
print "Google+ Authenticate for step 2. postLoginResult:", postLoginResult
return postLoginResult
else:
foundUserName = foundUser.getUserId()
print "Google+ Authenticate for step 2. foundUserName:"******"Google+ Authenticate for step 2. postLoginResult:", postLoginResult
return postLoginResult
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
context = Contexts.getEventContext()
session_attributes = context.get("sessionAttributes")
client_redirect_uri = self.getClientRedirecUri(session_attributes)
if client_redirect_uri == None:
print "Super-Gluu. Authenticate. redirect_uri is not set"
return False
self.setEventContextParameters(context)
userService = UserService.instance()
deviceRegistrationService = DeviceRegistrationService.instance()
if step == 1:
print "Super-Gluu. Authenticate for step 1"
if self.oneStep:
session_device_status = self.getSessionDeviceStatus(session_attributes, user_name)
if session_device_status == None:
return
u2f_device_id = session_device_status['device_id']
validation_result = self.validateSessionDeviceStatus(client_redirect_uri, session_device_status)
if validation_result:
print "Super-Gluu. Authenticate for step 1. User successfully authenticated with u2f_device '%s'" % u2f_device_id
else:
return False
if not session_device_status['one_step']:
print "Super-Gluu. Authenticate for step 1. u2f_device '%s' is not one step device" % u2f_device_id
return False
# There are two steps only in enrollment mode
if session_device_status['enroll']:
return validation_result
context.set("super_gluu_count_login_steps", 1)
user_inum = session_device_status['user_inum']
u2f_device = deviceRegistrationService.findUserDeviceRegistration(user_inum, u2f_device_id, "oxId")
if u2f_device == None:
print "Super-Gluu. Authenticate for step 1. Failed to load u2f_device '%s'" % u2f_device_id
return False
logged_in = userService.authenticate(user_name)
if not logged_in:
print "Super-Gluu. Authenticate for step 1. Failed to authenticate user '%s'" % user_name
return False
print "Super-Gluu. Authenticate for step 1. User '%s' successfully authenticated with u2f_device '%s'" % (user_name, u2f_device_id)
return True
elif self.twoStep:
authenticated_user = self.processBasicAuthentication(credentials)
if authenticated_user == None:
return False
auth_method = 'authenticate'
enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton")
if StringHelper.isNotEmpty(enrollment_mode):
auth_method = 'enroll'
if auth_method == 'authenticate':
user_inum = userService.getUserInum(authenticated_user)
u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, client_redirect_uri, "oxId")
if u2f_devices_list.size() == 0:
auth_method = 'enroll'
print "Super-Gluu. Authenticate for step 1. There is no U2F '%s' user devices associated with application '%s'. Changing auth_method to '%s'" % (user_name, client_redirect_uri, auth_method)
print "Super-Gluu. Authenticate for step 1. auth_method: '%s'" % auth_method
context.set("super_gluu_auth_method", auth_method)
return True
return False
elif step == 2:
print "Super-Gluu. Authenticate for step 2"
session_attributes = context.get("sessionAttributes")
session_device_status = self.getSessionDeviceStatus(session_attributes, user_name)
if session_device_status == None:
return False
u2f_device_id = session_device_status['device_id']
# There are two steps only in enrollment mode
if self.oneStep and session_device_status['enroll']:
authenticated_user = self.processBasicAuthentication(credentials)
if authenticated_user == None:
return False
user_inum = userService.getUserInum(authenticated_user)
attach_result = deviceRegistrationService.attachUserDeviceRegistration(user_inum, u2f_device_id)
print "Super-Gluu. Authenticate for step 2. Result after attaching u2f_device '%s' to user '%s': '%s'" % (u2f_device_id, user_name, attach_result)
return attach_result
elif self.twoStep:
if user_name == None:
print "Super-Gluu. Authenticate for step 2. Failed to determine user name"
return False
validation_result = self.validateSessionDeviceStatus(client_redirect_uri, session_device_status, user_name)
if validation_result:
print "Super-Gluu. Authenticate for step 2. User '%s' successfully authenticated with u2f_device '%s'" % (user_name, u2f_device_id)
else:
return False
super_gluu_request = json.loads(session_device_status['super_gluu_request'])
auth_method = super_gluu_request['method']
if auth_method in ['enroll', 'authenticate']:
return validation_result
print "Super-Gluu. Authenticate for step 2. U2F auth_method is invalid"
return False
else:
return False
def prepareForStep(self, configurationAttributes, requestParameters, step):
credentials = Identity.instance().getCredentials()
context = Contexts.getEventContext()
session_attributes = context.get("sessionAttributes")
self.setEventContextParameters(context)
if (step == 1):
return True
elif (step == 2):
print "UAF. Prepare for step 2"
session_state = SessionStateService.instance(
).getSessionStateFromCookie()
if StringHelper.isEmpty(session_state):
print "UAF. Prepare for step 2. Failed to determine session_state"
return False
user = credentials.getUser()
if (user == None):
print "UAF. Prepare for step 2. Failed to determine user name"
return False
uaf_auth_method = session_attributes.get("uaf_auth_method")
if StringHelper.isEmpty(uaf_auth_method):
print "UAF. Prepare for step 2. Failed to determine auth_method"
return False
print "UAF. Prepare for step 2. uaf_auth_method: '%s'" % uaf_auth_method
uaf_obb_auth_method = "OOB_REG"
uaf_obb_server_uri = self.uaf_server_uri + "/nnl/v2/reg"
if StringHelper.equalsIgnoreCase(uaf_auth_method, "authenticate"):
uaf_obb_auth_method = "OOB_AUTH"
uaf_obb_server_uri = self.uaf_server_uri + "/nnl/v2/auth"
# Prepare START_OBB
uaf_obb_start_request_dictionary = {
"operation": "START_%s" % uaf_obb_auth_method,
"userName": user.getUserId(),
"policyName": "default",
"oobMode": {
"qr": "true",
"rawData": "false",
"push": "false"
}
}
uaf_obb_start_request = json.dumps(
uaf_obb_start_request_dictionary, separators=(',', ':'))
print "UAF. Prepare for step 2. Prepared START request: '%s' to send to '%s'" % (
uaf_obb_start_request, uaf_obb_server_uri)
# Request START_OBB
uaf_obb_start_response = self.executePost(uaf_obb_server_uri,
uaf_obb_start_request)
if uaf_obb_start_response == None:
return False
print "UAF. Prepare for step 2. Get START response: '%s'" % uaf_obb_start_response
uaf_obb_start_response_json = json.loads(uaf_obb_start_response)
# Prepare STATUS_OBB
#TODO: Remove needDetails parameter
uaf_obb_status_request_dictionary = {
"operation": "STATUS_%s" % uaf_obb_auth_method,
"userName": user.getUserId(),
"needDetails": 1,
"oobStatusHandle":
uaf_obb_start_response_json["oobStatusHandle"],
}
uaf_obb_status_request = json.dumps(
uaf_obb_status_request_dictionary, separators=(',', ':'))
print "UAF. Prepare for step 2. Prepared STATUS request: '%s' to send to '%s'" % (
uaf_obb_status_request, uaf_obb_server_uri)
context.set("uaf_obb_auth_method", uaf_obb_auth_method)
context.set("uaf_obb_server_uri", uaf_obb_server_uri)
context.set("uaf_obb_start_response", uaf_obb_start_response)
context.set(
"qr_image",
uaf_obb_start_response_json["modeResult"]["qrCode"]["qrImage"])
context.set("uaf_obb_status_request", uaf_obb_status_request)
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
userService = UserService.instance()
iw_api_uri = configurationAttributes.get("iw_api_uri").getValue2()
iw_service_id = configurationAttributes.get("iw_service_id").getValue2()
iw_helium_enabled = Boolean(configurationAttributes.get("iw_helium_enabled").getValue2()).booleanValue()
if (iw_helium_enabled):
context.set("iw_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "InWebo. Authenticate for step 1"
print "InWebo. Authenticate for step 1. iw_helium_enabled:", iw_helium_enabled
user_password = credentials.getPassword()
if (iw_helium_enabled):
login_array = requestParameters.get("login")
if ArrayHelper.isEmpty(login_array):
print "InWebo. Authenticate for step 1. login is empty"
return False
user_name = login_array[0]
password_array = requestParameters.get("password")
if ArrayHelper.isEmpty(password_array):
print "InWebo. Authenticate for step 1. password is empty"
return False
user_password = password_array[0]
response_validation = self.validateInweboToken(iw_api_uri, iw_service_id, user_name, user_password)
if (not response_validation):
return False
logged_in = False
if (StringHelper.isNotEmptyString(user_name)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name)
return logged_in
else:
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
return logged_in
return True
elif (step == 2):
print "InWebo. Authenticate for step 2"
passed_step1 = self.isPassedDefaultAuthentication
if (not passed_step1):
return False
iw_token_array = requestParameters.get("iw_token")
if ArrayHelper.isEmpty(iw_token_array):
print "InWebo. Authenticate for step 2. iw_token is empty"
return False
iw_token = iw_token_array[0]
response_validation = self.validateInweboToken(iw_api_uri, iw_service_id, user_name, iw_token)
return response_validation
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
context = Contexts.getEventContext()
session_attributes = context.get("sessionAttributes")
self.setEventContextParameters(context)
if (step == 1):
print "UAF. Authenticate for step 1"
authenticated_user = self.processBasicAuthentication(credentials)
if authenticated_user == None:
return False
uaf_auth_method = "authenticate"
# Uncomment this block if you need to allow user second device registration
#enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton")
#if StringHelper.isNotEmpty(enrollment_mode):
# uaf_auth_method = "enroll"
if uaf_auth_method == "authenticate":
user_enrollments = self.findEnrollments(credentials)
if len(user_enrollments) == 0:
uaf_auth_method = "enroll"
print "UAF. Authenticate for step 1. There is no UAF enrollment for user '%s'. Changing uaf_auth_method to '%s'" % (
user_name, uaf_auth_method)
print "UAF. Authenticate for step 1. uaf_auth_method: '%s'" % uaf_auth_method
context.set("uaf_auth_method", uaf_auth_method)
return True
elif (step == 2):
print "UAF. Authenticate for step 2"
session_state = SessionStateService.instance(
).getSessionStateFromCookie()
if StringHelper.isEmpty(session_state):
print "UAF. Prepare for step 2. Failed to determine session_state"
return False
if user_name == None:
print "UAF. Authenticate for step 2. Failed to determine user name"
return False
uaf_auth_result = ServerUtil.getFirstValue(requestParameters,
"auth_result")
if uaf_auth_result != "success":
print "UAF. Authenticate for step 2. auth_result is '%s'" % uaf_auth_result
return False
# Restore state from session
uaf_auth_method = session_attributes.get("uaf_auth_method")
if not uaf_auth_method in ['enroll', 'authenticate']:
print "UAF. Authenticate for step 2. Failed to authenticate user. uaf_auth_method: '%s'" % uaf_auth_method
return False
# Request STATUS_OBB
if True:
#TODO: Remove this condition
# It's workaround becuase it's not possible to call STATUS_OBB 2 times. First time on browser and second ime on server
uaf_user_device_handle = ServerUtil.getFirstValue(
requestParameters, "auth_handle")
else:
uaf_obb_auth_method = session_attributes.get(
"uaf_obb_auth_method")
uaf_obb_server_uri = session_attributes.get(
"uaf_obb_server_uri")
uaf_obb_start_response = session_attributes.get(
"uaf_obb_start_response")
# Prepare STATUS_OBB
uaf_obb_start_response_json = json.loads(
uaf_obb_start_response)
uaf_obb_status_request_dictionary = {
"operation":
"STATUS_%s" % uaf_obb_auth_method,
"userName":
user_name,
"needDetails":
1,
"oobStatusHandle":
uaf_obb_start_response_json["oobStatusHandle"],
}
uaf_obb_status_request = json.dumps(
uaf_obb_status_request_dictionary, separators=(',', ':'))
print "UAF. Authenticate for step 2. Prepared STATUS request: '%s' to send to '%s'" % (
uaf_obb_status_request, uaf_obb_server_uri)
uaf_status_obb_response = self.executePost(
uaf_obb_server_uri, uaf_obb_status_request)
if uaf_status_obb_response == None:
return False
print "UAF. Authenticate for step 2. Get STATUS response: '%s'" % uaf_status_obb_response
uaf_status_obb_response_json = json.loads(
uaf_status_obb_response)
if uaf_status_obb_response_json["statusCode"] != 4000:
print "UAF. Authenticate for step 2. UAF operation status is invalid. statusCode: '%s'" % uaf_status_obb_response_json[
"statusCode"]
return False
uaf_user_device_handle = uaf_status_obb_response_json[
"additionalInfo"]["authenticatorsResult"]["handle"]
if StringHelper.isEmpty(uaf_user_device_handle):
print "UAF. Prepare for step 2. Failed to get UAF handle"
return False
uaf_user_external_uid = "uaf: %s" % uaf_user_device_handle
print "UAF. Authenticate for step 2. UAF handle: '%s'" % uaf_user_external_uid
if uaf_auth_method == "authenticate":
# Validate if user used device with same keYHandle
user_enrollments = self.findEnrollments(credentials)
if len(user_enrollments) == 0:
uaf_auth_method = "enroll"
print "UAF. Authenticate for step 2. There is no UAF enrollment for user '%s'." % user_name
return False
for user_enrollment in user_enrollments:
if StringHelper.equalsIgnoreCase(user_enrollment,
uaf_user_device_handle):
print "UAF. Authenticate for step 2. There is UAF enrollment for user '%s'. User authenticated successfully" % user_name
return True
else:
userService = UserService.instance()
# Double check just to make sure. We did checking in previous step
# Check if there is user which has uaf_user_external_uid
# Avoid mapping user cert to more than one IDP account
find_user_by_external_uid = userService.getUserByAttribute(
"oxExternalUid", uaf_user_external_uid)
if find_user_by_external_uid == None:
# Add uaf_user_external_uid to user's external GUID list
find_user_by_external_uid = userService.addUserAttribute(
user_name, "oxExternalUid", uaf_user_external_uid)
if find_user_by_external_uid == None:
print "UAF. Authenticate for step 2. Failed to update current user"
return False
return True
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
httpService = HttpService.instance();
stringEncrypter = StringEncrypter.defaultInstance()
cas_host = configurationAttributes.get("cas_host").getValue2()
cas_extra_opts = configurationAttributes.get("cas_extra_opts").getValue2()
cas_map_user = StringHelper.toBoolean(configurationAttributes.get("cas_map_user").getValue2(), False)
cas_renew_opt = StringHelper.toBoolean(configurationAttributes.get("cas_renew_opt").getValue2(), False)
if (step == 1):
print "CAS2 authenticate for step 1"
ticket_array = requestParameters.get("ticket")
if ArrayHelper.isEmpty(ticket_array):
print "CAS2 authenticate for step 1. ticket is empty"
return False
ticket = ticket_array[0]
print "CAS2 authenticate for step 1. ticket: " + ticket
if (StringHelper.isEmptyString(ticket)):
print "CAS2 authenticate for step 1. ticket is invalid"
return False
# Validate ticket
request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
parametersMap = HashMap()
parametersMap.put("service", httpService.constructServerUrl(request) + "/postlogin")
if (cas_renew_opt):
parametersMap.put("renew", "true")
parametersMap.put("ticket", ticket)
cas_service_request_uri = authenticationService.parametersAsString(parametersMap)
cas_service_request_uri = cas_host + "/serviceValidate?" + cas_service_request_uri
if StringHelper.isNotEmpty(cas_extra_opts):
cas_service_request_uri = cas_service_request_uri + "&" + cas_extra_opts
print "CAS2 authenticate for step 1. cas_service_request_uri: " + cas_service_request_uri
http_client = httpService.getHttpsClientTrustAll();
http_response = httpService.executeGet(http_client, cas_service_request_uri)
validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_response))
print "CAS2 authenticate for step 1. validation_content: " + validation_content
if StringHelper.isEmpty(validation_content):
print "CAS2 authenticate for step 1. Ticket validation response is invalid"
return False
cas2_auth_failure = self.parse_tag(validation_content, "cas:authenticationFailure")
print "CAS2 authenticate for step 1. cas2_auth_failure: ", cas2_auth_failure
cas2_user_uid = self.parse_tag(validation_content, "cas:user")
print "CAS2 authenticate for step 1. cas2_user_uid: ", cas2_user_uid
if ((cas2_auth_failure != None) or (cas2_user_uid == None)):
print "CAS2 authenticate for step 1. Ticket is invalid"
return False
if (cas_map_user):
print "CAS2 authenticate for step 1. Attempting to find user by oxExternalUid: cas2:" + cas2_user_uid
# Check if the is user with specified cas2_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid)
if (find_user_by_uid == None):
print "CAS2 authenticate for step 1. Failed to find user"
print "CAS2 authenticate for step 1. Setting count steps to 2"
context.set("cas2_count_login_steps", 2)
context.set("cas2_user_uid", stringEncrypter.encrypt(cas2_user_uid))
return True
found_user_name = find_user_by_uid.getUserId()
print "CAS2 authenticate for step 1. found_user_name: " + found_user_name
credentials = Identity.instance().getCredentials()
credentials.setUsername(found_user_name)
credentials.setUser(find_user_by_uid)
print "CAS2 authenticate for step 1. Setting count steps to 1"
context.set("cas2_count_login_steps", 1)
return True
else:
print "CAS2 authenticate for step 1. Attempting to find user by uid:" + cas2_user_uid
# Check if the is user with specified cas2_user_uid
find_user_by_uid = userService.getUser(cas2_user_uid)
if (find_user_by_uid == None):
print "CAS2 authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "CAS2 authenticate for step 1. found_user_name: " + found_user_name
credentials = Identity.instance().getCredentials()
credentials.setUsername(found_user_name)
credentials.setUser(find_user_by_uid)
print "CAS2 authenticate for step 1. Setting count steps to 1"
context.set("cas2_count_login_steps", 1)
return True
elif (step == 2):
print "CAS2 authenticate for step 2"
cas2_user_uid_array = requestParameters.get("cas2_user_uid")
if ArrayHelper.isEmpty(cas2_user_uid_array):
print "CAS2 authenticate for step 2. cas2_user_uid is empty"
return False
cas2_user_uid = stringEncrypter.decrypt(cas2_user_uid_array[0])
passed_step1 = StringHelper.isNotEmptyString(cas2_user_uid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has cas2_user_uid
# Avoid mapping CAS2 account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid)
if (find_user_by_uid == None):
# Add cas2_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "cas2:" + cas2_user_uid)
if (find_user_by_uid == None):
print "CAS2 authenticate for step 2. Failed to update current user"
return False
return True
else:
found_user_name = find_user_by_uid.getUserId()
print "CAS2 authenticate for step 2. found_user_name: " + found_user_name
if StringHelper.equals(user_name, found_user_name):
return True
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
context = Contexts.getEventContext()
userService = UserService.instance()
if step == 1:
print "Cert. Authenticate for step 1"
login_button = ServerUtil.getFirstValue(requestParameters,
"loginForm:loginButton")
if StringHelper.isEmpty(login_button):
print "Cert. Authenticate for step 1. Form were submitted incorrectly"
return False
if self.enabled_recaptcha:
print "Cert. Authenticate for step 1. Validating recaptcha response"
recaptcha_response = ServerUtil.getFirstValue(
requestParameters, "g-recaptcha-response")
recaptcha_result = self.validateRecaptcha(recaptcha_response)
print "Cert. Authenticate for step 1. recaptcha_result: '%s'" % recaptcha_result
return recaptcha_result
return True
elif step == 2:
print "Cert. Authenticate for step 2"
# Validate if user selected certificate
cert_x509 = self.getSessionAttribute("cert_x509")
if cert_x509 == None:
print "Cert. Authenticate for step 2. User not selected any certs"
context.set("cert_selected", False)
# Return True to inform user how to reset workflow
return True
else:
context.set("cert_selected", True)
x509Certificate = self.certFromString(cert_x509)
subjectX500Principal = x509Certificate.getSubjectX500Principal()
print "Cert. Authenticate for step 2. User selected certificate with DN '%s'" % subjectX500Principal
# Validate certificates which user selected
valid = self.validateCertificate(x509Certificate)
if not valid:
print "Cert. Authenticate for step 2. Certificate DN '%s' is not valid" % subjectX500Principal
context.set("cert_valid", False)
# Return True to inform user how to reset workflow
return True
context.set("cert_valid", True)
# Calculate certificate fingerprint
x509CertificateFingerprint = self.calculateCertificateFingerprint(
x509Certificate)
context.set("cert_x509_fingerprint", x509CertificateFingerprint)
print "Cert. Authenticate for step 2. Fingerprint is '%s' of certificate with DN '%s'" % (
x509CertificateFingerprint, subjectX500Principal)
# Attempt to find user by certificate fingerprint
cert_user_external_uid = "cert: %s" % x509CertificateFingerprint
print "Cert. Authenticate for step 2. Attempting to find user by oxExternalUid attribute value %s" % cert_user_external_uid
find_user_by_external_uid = userService.getUserByAttribute(
"oxExternalUid", cert_user_external_uid)
if find_user_by_external_uid == None:
print "Cert. Authenticate for step 2. Failed to find user"
if self.map_user_cert:
print "Cert. Authenticate for step 2. Storing cert_user_external_uid for step 3"
context.set("cert_user_external_uid",
cert_user_external_uid)
return True
else:
print "Cert. Authenticate for step 2. Mapping cert to user account is not allowed"
context.set("cert_count_login_steps", 2)
return False
foundUserName = find_user_by_external_uid.getUserId()
print "Cert. Authenticate for step 2. foundUserName: "******"Cert. Authenticate for step 2. Setting count steps to 2"
context.set("cert_count_login_steps", 2)
return logged_in
elif step == 3:
print "Cert. Authenticate for step 3"
cert_user_external_uid = self.getSessionAttribute(
"cert_user_external_uid")
if cert_user_external_uid == None:
print "Cert. Authenticate for step 3. cert_user_external_uid is empty"
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name)
and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Double check just to make sure. We did checking in previous step
# Check if there is user which has cert_user_external_uid
# Avoid mapping user cert to more than one IDP account
find_user_by_external_uid = userService.getUserByAttribute(
"oxExternalUid", cert_user_external_uid)
if find_user_by_external_uid == None:
# Add cert_user_external_uid to user's external GUID list
find_user_by_external_uid = userService.addUserAttribute(
user_name, "oxExternalUid", cert_user_external_uid)
if find_user_by_external_uid == None:
print "Cert. Authenticate for step 3. Failed to update current user"
return False
return True
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
userService = UserService.instance()
toopher_user_timeout = int(
configurationAttributes.get("toopher_user_timeout").getValue2())
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
if (step == 1):
print "Toopher. Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name)
and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Find user by uid
userService = UserService.instance()
find_user_by_uid = userService.getUser(user_name)
if (find_user_by_uid == None):
print "Toopher. Authenticate for step 1. Failed to find user"
return False
# Check if the user paired account to phone
user_external_uid_attr = userService.getCustomAttribute(
find_user_by_uid, "oxExternalUid")
if ((user_external_uid_attr == None)
or (user_external_uid_attr.getValues() == None)):
print "Toopher. Authenticate for step 1. There is no external UIDs for user: "******"Toopher. Authenticate for step 1. There is no Topher UID for user: "******"toopher_user_uid", topher_user_uid)
return True
elif (step == 2):
print "Toopher. Authenticate for step 2"
passed_step1 = self.isPassedDefaultAuthentication
if (not passed_step1):
return False
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None
) or not sessionAttributes.containsKey("toopher_user_uid"):
print "Toopher. Authenticate for step 2. toopher_user_uid is empty"
# Pair with phone
pairing_phrase_array = requestParameters.get("pairing_phrase")
if ArrayHelper.isEmpty(pairing_phrase_array):
print "Toopher. Authenticate for step 2. pairing_phrase is empty"
return False
pairing_phrase = pairing_phrase_array[0]
try:
pairing_status = self.tapi.pair(pairing_phrase, user_name)
toopher_user_uid = pairing_status.id
except RequestError, err:
print "Toopher. Authenticate for step 2. Failed pair with phone: ", err
return False
pairing_result = self.checkPairingStatus(
toopher_user_uid, toopher_user_timeout)
if (not pairing_result):
print "Toopher. Authenticate for step 2. The pairing has not been authorized by the phone yet"
return False
print "Toopher. Authenticate for step 2. Storing toopher_user_uid in user entry", toopher_user_uid
# Store toopher_user_uid in user entry
find_user_by_uid = userService.addUserAttribute(
user_name, "oxExternalUid", "toopher:" + toopher_user_uid)
if (find_user_by_uid == None):
print "Toopher. Authenticate for step 2. Failed to update current user"
return False
context.set("toopher_user_uid", toopher_user_uid)
else:
toopher_user_uid = sessionAttributes.get("toopher_user_uid")
# Check pairing stastus
print "Toopher. Authenticate for step 2. toopher_user_uid: ", toopher_user_uid
pairing_result = self.checkPairingStatus(toopher_user_uid, 0)
if (not pairing_result):
print "Toopher. Authenticate for step 2. The pairing has not been authorized by the phone yet"
return False
return True
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
session_attributes = context.get("sessionAttributes")
client_redirect_uri = self.getClientRedirecUri(session_attributes)
if client_redirect_uri == None:
print "Super-Gluu. Prepare for step. redirect_uri is not set"
return False
self.setEventContextParameters(context)
if step == 1:
print "Super-Gluu. Prepare for step 1"
if self.oneStep:
session_state = SessionStateService.instance().getSessionStateFromCookie()
if StringHelper.isEmpty(session_state):
print "Super-Gluu. Prepare for step 2. Failed to determine session_state"
return False
issuer = ConfigurationFactory.instance().getConfiguration().getIssuer()
super_gluu_request_dictionary = {'app': client_redirect_uri,
'issuer': issuer,
'state': session_state,
'created': datetime.datetime.now().isoformat()}
self.addGeolocationData(session_attributes, super_gluu_request_dictionary)
super_gluu_request = json.dumps(super_gluu_request_dictionary, separators=(',',':'))
print "Super-Gluu. Prepare for step 1. Prepared super_gluu_request:", super_gluu_request
context.set("super_gluu_request", super_gluu_request)
# elif self.twoStep:
# context.set("display_register_action", True)
return True
elif step == 2:
print "Super-Gluu. Prepare for step 2"
if self.oneStep:
return True
authenticationService = AuthenticationService.instance()
user = authenticationService.getAuthenticatedUser()
if user == None:
print "Super-Gluu. Prepare for step 2. Failed to determine user name"
return False
if session_attributes.containsKey("super_gluu_request"):
print "Super-Gluu. Prepare for step 2. Request was generated already"
return True
session_state = SessionStateService.instance().getSessionStateFromCookie()
if StringHelper.isEmpty(session_state):
print "Super-Gluu. Prepare for step 2. Failed to determine session_state"
return False
auth_method = session_attributes.get("super_gluu_auth_method")
if StringHelper.isEmpty(auth_method):
print "Super-Gluu. Prepare for step 2. Failed to determine auth_method"
return False
print "Super-Gluu. Prepare for step 2. auth_method: '%s'" % auth_method
issuer = ConfigurationFactory.instance().getConfiguration().getIssuer()
super_gluu_request_dictionary = {'username': user.getUserId(),
'app': client_redirect_uri,
'issuer': issuer,
'method': auth_method,
'state': session_state,
'created': datetime.datetime.now().isoformat()}
self.addGeolocationData(session_attributes, super_gluu_request_dictionary)
super_gluu_request = json.dumps(super_gluu_request_dictionary, separators=(',',':'))
print "Super-Gluu. Prepare for step 2. Prepared super_gluu_request:", super_gluu_request
context.set("super_gluu_request", super_gluu_request)
if auth_method in ['authenticate']:
self.sendPushNotification(client_redirect_uri, user, super_gluu_request)
return True
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
httpService = HttpService.instance();
server_flag = configurationAttributes.get("oneid_server_flag").getValue2()
callback_attrs = configurationAttributes.get("oneid_callback_attrs").getValue2()
creds_file = configurationAttributes.get("oneid_creds_file").getValue2()
# Create OneID
authn = OneID(server_flag)
# Set path to credentials file
authn.creds_file = creds_file;
if (step == 1):
print "OneId. Authenticate for step 1"
# Find OneID request
json_data_array = requestParameters.get("json_data")
if ArrayHelper.isEmpty(json_data_array):
print "OneId. Authenticate for step 1. json_data is empty"
return False
request = json_data_array[0]
print "OneId. Authenticate for step 1. request: " + request
if (StringHelper.isEmptyString(request)):
return False
authn.set_credentials()
# Validate request
http_client = httpService.getHttpsClientDefaulTrustStore();
auth_data = httpService.encodeBase64(authn.api_id + ":" + authn.api_key)
http_response = httpService.executePost(http_client, authn.helper_server + "/validate", auth_data, request, ContentType.APPLICATION_JSON)
validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_response))
print "OneId. Authenticate for step 1. validation_content: " + validation_content
if (StringHelper.isEmptyString(validation_content)):
return False
validation_resp = json.loads(validation_content)
print "OneId. Authenticate for step 1. validation_resp: " + str(validation_resp)
if (not authn.success(validation_resp)):
return False
response = json.loads(request)
for x in validation_resp:
response[x] = validation_resp[x]
oneid_user_uid = response['uid']
print "OneId. Authenticate for step 1. oneid_user_uid: " + oneid_user_uid
# Check if the is user with specified oneid_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "oneid:" + oneid_user_uid)
if (find_user_by_uid == None):
print "OneId. Authenticate for step 1. Failed to find user"
print "OneId. Authenticate for step 1. Setting count steps to 2"
context.set("oneid_count_login_steps", 2)
context.set("oneid_user_uid", oneid_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "OneId. Authenticate for step 1. found_user_name: " + found_user_name
credentials = Identity.instance().getCredentials()
credentials.setUsername(found_user_name)
credentials.setUser(find_user_by_uid)
print "OneId. Authenticate for step 1. Setting count steps to 1"
context.set("oneid_count_login_steps", 1)
return True
elif (step == 2):
print "OneId. Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None) or not sessionAttributes.containsKey("oneid_user_uid"):
print "OneId. Authenticate for step 2. oneid_user_uid is empty"
return False
oneid_user_uid = sessionAttributes.get("oneid_user_uid")
passed_step1 = StringHelper.isNotEmptyString(oneid_user_uid)
if (not passed_step1):
return False
#
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
passed_step1 = StringHelper.isNotEmptyString(user_name)
if (not passed_step1):
return False
#
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has oneid_user_uid
# Avoid mapping OneID account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "oneid:" + oneid_user_uid)
if (find_user_by_uid == None):
# Add oneid_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "oneid:" + oneid_user_uid)
if (find_user_by_uid == None):
print "OneId. Authenticate for step 2. Failed to update current user"
return False
return True
else:
found_user_name = find_user_by_uid.getUserId()
print "OneId. Authenticate for step 2. found_user_name: " + found_user_name
if StringHelper.equals(user_name, found_user_name):
return True
return False
else:
return False
