def sendPushNotification(self, user, oxpush2_request):
if not self.enabledPushNotifications:
return
user_name = user.getUserId()
print "oxPush2. Send push notification. Loading user '%s' devices" % user_name
send_notification = False
send_notification_result = True
userService = UserService.instance()
deviceRegistrationService = DeviceRegistrationService.instance()
user_inum = userService.getUserInum(user_name)
u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, self.application_id, "oxId", "oxDeviceData")
if u2f_devices_list.size() > 0:
for u2f_device in u2f_devices_list:
device_data = u2f_device.getDeviceData()
# Device data which oxPush2 gets during enrollment
if device_data == None:
continue
platform = device_data.getPlatform()
push_token = device_data.getPushToken()
debug = False
if StringHelper.equalsIgnoreCase(platform, "ios") and StringHelper.isNotEmpty(push_token):
# Sending notification to iOS user's device
if (self.pushAppleService == None):
print "oxPush2. Send push notification. Apple push notification service is not enabled"
else:
send_notification = True
title = "oxPush2"
message = "oxPush2 login request to: %s" % self.application_id
additional_fields = HashMap()
additional_fields.put("request", oxpush2_request)
send_notification_result = self.pushAppleService.sendPush(title, message, additional_fields, push_token)
if debug:
print "oxPush2. Send push notification. token: '%s', send_notification_result: '%s'" % (push_token, send_notification_result)
if StringHelper.equalsIgnoreCase(platform, "android") and StringHelper.isNotEmpty(push_token):
# Sending notification to Android user's device
if (self.pushAndroidService == None):
print "oxPush2. Send push notification. Android push notification service is not enabled"
else:
send_notification = True
send_notification_result= self.pushAndroidService.sendPush("oxPush2", oxpush2_request, push_token)
if debug:
print "oxPush2. Send push notification. token: '%s', send_notification_result: '%s'" % (push_token, send_notification_result)
print "oxPush2. Send push notification. send_notification: '%s', send_notification_result: '%s'" % (send_notification, send_notification_result)
def getTargetEndpointArn(self, deviceRegistrationService, pushSnsService, platform, user, u2fDevice):
targetEndpointArn = None
# Return endpoint ARN if it created already
notificationConf = u2fDevice.getDeviceNotificationConf()
if StringHelper.isNotEmpty(notificationConf):
notificationConfJson = json.loads(notificationConf)
targetEndpointArn = notificationConfJson['sns_endpoint_arn']
if StringHelper.isNotEmpty(targetEndpointArn):
print "Super-Gluu. Get target endpoint ARN. There is already created target endpoint ARN"
return targetEndpointArn
# Create endpoint ARN
pushClient = None
pushClientAuth = None
platformApplicationArn = None
if platform == PushPlatform.GCM:
pushClient = self.pushAndroidService
if self.pushSnsMode:
platformApplicationArn = self.pushAndroidPlatformArn
if self.pushGluuMode:
pushClientAuth = self.pushAndroidServiceAuth
elif platform == PushPlatform.APNS:
pushClient = self.pushAppleService
if self.pushSnsMode:
platformApplicationArn = self.pushApplePlatformArn
if self.pushGluuMode:
pushClientAuth = self.pushAppleServiceAuth
else:
return None
deviceData = u2fDevice.getDeviceData()
pushToken = deviceData.getPushToken()
print "Super-Gluu. Get target endpoint ARN. Attempting to create target endpoint ARN for user: '******'" % user.getUserId()
if self.pushSnsMode:
targetEndpointArn = pushSnsService.createPlatformArn(pushClient, platformApplicationArn, pushToken, user)
else:
customUserData = pushSnsService.getCustomUserData(user)
registerDeviceResponse = pushClient.registerDevice(pushClientAuth, pushToken, customUserData);
if registerDeviceResponse != None and registerDeviceResponse.getStatusCode() == 200:
targetEndpointArn = registerDeviceResponse.getEndpointArn()
if StringHelper.isEmpty(targetEndpointArn):
print "Super-Gluu. Failed to get endpoint ARN for user: '******'" % user.getUserId()
return None
print "Super-Gluu. Get target endpoint ARN. Create target endpoint ARN '%s' for user: '******'" % (targetEndpointArn, user.getUserId())
# Store created endpoint ARN in device entry
userInum = user.getAttribute("inum")
u2fDeviceUpdate = deviceRegistrationService.findUserDeviceRegistration(userInum, u2fDevice.getId())
u2fDeviceUpdate.setDeviceNotificationConf('{"sns_endpoint_arn" : "%s"}' % targetEndpointArn)
deviceRegistrationService.updateDeviceRegistration(userInum, u2fDeviceUpdate)
return targetEndpointArn
def processKeyStoreProperties(self, attrs):
file = attrs.get("key_store_file")
password = attrs.get("key_store_password")
if file != None and password != None:
file = file.getValue2()
password = password.getValue2()
if StringHelper.isNotEmpty(file) and StringHelper.isNotEmpty(password):
self.keyStoreFile = file
self.keyStorePassword = password
return True
print "Passport. readKeyStoreProperties. Properties key_store_file or key_store_password not found or empty"
return False
def getCurrentSamlConfiguration(self, currentSamlConfiguration, configurationAttributes, requestParameters):
saml_client_configuration = self.getClientConfiguration(configurationAttributes, requestParameters)
if (saml_client_configuration == None):
return currentSamlConfiguration
saml_client_configuration_value = json.loads(saml_client_configuration.getValue())
client_asimba_saml_certificate = None
client_asimba_saml_certificate_file = saml_client_configuration_value["asimba_saml_certificate_file"]
if (StringHelper.isNotEmpty(client_asimba_saml_certificate_file)):
client_asimba_saml_certificate = self.loadCeritificate(client_asimba_saml_certificate_file)
if (StringHelper.isEmpty(client_asimba_saml_certificate)):
print "Saml. BuildClientSamlConfiguration. File with x509 certificate should be not empty. Using default configuration"
return currentSamlConfiguration
clientSamlConfiguration = currentSamlConfiguration.clone()
if (client_asimba_saml_certificate != None):
clientSamlConfiguration.loadCertificateFromString(client_asimba_saml_certificate)
client_asimba_entity_id = saml_client_configuration_value["asimba_entity_id"]
clientSamlConfiguration.setIssuer(client_asimba_entity_id)
saml_use_authn_context = saml_client_configuration_value["saml_use_authn_context"]
client_use_saml_use_authn_context = StringHelper.toBoolean(saml_use_authn_context, True)
clientSamlConfiguration.setUseRequestedAuthnContext(client_use_saml_use_authn_context)
return clientSamlConfiguration
def getCurrentSamlConfiguration(self, currentSamlConfiguration, configurationAttributes, requestParameters):
saml_client_configuration = self.getClientConfiguration(configurationAttributes, requestParameters)
if (saml_client_configuration == None):
return currentSamlConfiguration
saml_client_configuration_value = json.loads(saml_client_configuration.getValue())
client_saml_certificate = None
client_saml_certificate_file = saml_client_configuration_value["saml_certificate_file"]
if (StringHelper.isNotEmpty(client_saml_certificate_file)):
client_saml_certificate = self.loadCeritificate(client_saml_certificate_file)
if (StringHelper.isEmpty(client_saml_certificate)):
print "Saml. BuildClientSamlConfiguration. File with x509 certificate should be not empty. Using default configuration"
return currentSamlConfiguration
clientSamlConfiguration = currentSamlConfiguration.clone()
if (client_saml_certificate != None):
clientSamlConfiguration.loadCertificateFromString(client_saml_certificate)
client_saml_issuer = saml_client_configuration_value["saml_issuer"]
clientSamlConfiguration.setIssuer(client_saml_issuer)
saml_use_authn_context = saml_client_configuration_value["saml_use_authn_context"]
client_use_saml_use_authn_context = StringHelper.toBoolean(saml_use_authn_context, True)
clientSamlConfiguration.setUseRequestedAuthnContext(client_use_saml_use_authn_context)
return clientSamlConfiguration
def getPreselectionIDPParams(self):
param = {"saml": None, "social": None}
acrs = [self.getAcrFor(True), self.getAcrFor(False)]
custScriptService = CdiUtil.bean(CustomScriptService)
scriptsList = custScriptService.findCustomScripts(
Collections.singletonList(CustomScriptType.PERSON_AUTHENTICATION),
"oxConfigurationProperty", "displayName", "gluuStatus")
for customScript in scriptsList:
if customScript.isEnabled() and customScript.getName() in acrs:
for prop in customScript.getConfigurationProperties():
if prop.getValue1(
) == "authz_req_param_provider" and StringHelper.isNotEmpty(
prop.getValue2()):
param["saml" if customScript.getName(
) == "passport_saml" else "social"] = prop.getValue2()
break
if param["saml"] != None:
print "Casa. getPreselectionIDPParams. Found oxAuth cust param for SAML IDPs authz requests '%s'" % param[
"saml"]
else:
print "Casa. getPreselectionIDPParams. oxAuth cust param for SAML IDPs authz requests not found. IDPs won't be available"
if param["social"] != None:
print "Casa. getPreselectionIDPParams. Found oxAuth cust param for OAuth/OIDC providers' authz requests '%s'" % param[
"social"]
else:
print "Casa. getPreselectionIDPParams. oxAuth cust param for for OAuth/OIDC providers' authz requests not found. OPs won't be available"
return param
def getTargetEndpointArn(self, deviceRegistrationService, pushSnsService,
platform, user, u2fDevice):
targetEndpointArn = None
# Return endpoint ARN if it created already
notificationConf = u2fDevice.getDeviceNotificationConf()
if StringHelper.isNotEmpty(notificationConf):
notificationConfJson = json.loads(notificationConf)
targetEndpointArn = notificationConfJson['sns_endpoint_arn']
if StringHelper.isNotEmpty(targetEndpointArn):
print "Super-Gluu. Get target endpoint ARN. There is already created target endpoint ARN"
return targetEndpointArn
# Create endpoint ARN
snsClient = None
platformApplicationArn = None
if platform == PushPlatform.GCM:
snsClient = self.pushAndroidService
platformApplicationArn = self.pushAndroidPlatformArn
elif platform == PushPlatform.APNS:
snsClient = self.pushAppleService
platformApplicationArn = self.pushApplePlatformArn
else:
return None
deviceData = u2fDevice.getDeviceData()
pushToken = deviceData.getPushToken()
print "Super-Gluu. Get target endpoint ARN. Attempting to create target endpoint ARN for user: '******'" % user.getUserId(
)
targetEndpointArn = pushSnsService.createPlatformArn(
snsClient, platformApplicationArn, pushToken, user)
print "Super-Gluu. Get target endpoint ARN. Create target endpoint ARN '%s' for user: '******'" % (
targetEndpointArn, user.getUserId())
# Store created endpoint ARN in device entry
userInum = user.getAttribute("inum")
u2fDeviceUpdate = deviceRegistrationService.findUserDeviceRegistration(
userInum, u2fDevice.getId())
u2fDeviceUpdate.setDeviceNotificationConf(
'{"sns_endpoint_arn" : "%s"}' % targetEndpointArn)
deviceRegistrationService.updateDeviceRegistration(
userInum, u2fDeviceUpdate)
return targetEndpointArn
def getGeolocation(self, identity):
session_attributes = identity.getSessionId().getSessionAttributes()
if session_attributes.containsKey("remote_ip"):
remote_ip = session_attributes.get("remote_ip")
if StringHelper.isNotEmpty(remote_ip):
httpService = CdiUtil.bean(HttpService)
http_client = httpService.getHttpsClient()
http_client_params = http_client.getParams()
http_client_params.setIntParameter(
CoreConnectionPNames.CONNECTION_TIMEOUT, 4 * 1000)
geolocation_service_url = "http://ip-api.com/json/%s?fields=country,city,status,message" % remote_ip
geolocation_service_headers = {"Accept": "application/json"}
try:
http_service_response = httpService.executeGet(
http_client, geolocation_service_url,
geolocation_service_headers)
http_response = http_service_response.getHttpResponse()
except:
print "Casa. Determine remote location. Exception: ", sys.exc_info(
)[1]
return None
try:
if not httpService.isResponseStastusCodeOk(http_response):
print "Casa. Determine remote location. Get non 200 OK response from server:", str(
http_response.getStatusLine().getStatusCode())
httpService.consume(http_response)
return None
response_bytes = httpService.getResponseContent(
http_response)
response_string = httpService.convertEntityToString(
response_bytes, Charset.forName("UTF-8"))
httpService.consume(http_response)
finally:
http_service_response.closeConnection()
if response_string == None:
print "Casa. Determine remote location. Get empty response from location server"
return None
response = json.loads(response_string)
if not StringHelper.equalsIgnoreCase(response['status'],
"success"):
print "Casa. Determine remote location. Get response with status: '%s'" % response[
'status']
return None
return response
return None
def addGeolocationData(self, session_attributes, oxpush2_request_dictionary):
if session_attributes.containsKey("remote_ip"):
remote_ip = session_attributes.get("remote_ip")
if StringHelper.isNotEmpty(remote_ip):
print "oxPush2. Prepare for step 2. Adding req_ip and req_loc to oxpush2_request"
oxpush2_request_dictionary['req_ip'] = remote_ip
remote_loc_dic = self.determineGeolocationData(remote_ip)
if remote_loc_dic == None:
print "oxPush2. Prepare for step 2. Failed to determine remote location by remote IP '%s'" % remote_ip
remote_loc = "%s, %s, %s" % ( remote_loc_dic['country'], remote_loc_dic['regionName'], remote_loc_dic['city'] )
remote_loc_encoded = urllib.quote(remote_loc)
oxpush2_request_dictionary['req_loc'] = remote_loc_encoded
def addGeolocationData(self, session_attributes, super_gluu_request_dictionary):
if session_attributes.containsKey("remote_ip"):
remote_ip = session_attributes.get("remote_ip")
if StringHelper.isNotEmpty(remote_ip):
print "Super-Gluu. Prepare for step 2. Adding req_ip and req_loc to super_gluu_request"
super_gluu_request_dictionary['req_ip'] = remote_ip
remote_loc_dic = self.determineGeolocationData(remote_ip)
if remote_loc_dic == None:
print "Super-Gluu. Prepare for step 2. Failed to determine remote location by remote IP '%s'" % remote_ip
return
remote_loc = "%s, %s, %s" % ( remote_loc_dic['country'], remote_loc_dic['regionName'], remote_loc_dic['city'] )
remote_loc_encoded = urllib.quote(remote_loc)
super_gluu_request_dictionary['req_loc'] = remote_loc_encoded
def getCustomAuthzParameter(self, simpleCustProperty):
customAuthzParameter = None
if simpleCustProperty != None:
prop = simpleCustProperty.getValue2()
if StringHelper.isNotEmpty(prop):
customAuthzParameter = prop
if customAuthzParameter == None:
print "Passport. getCustomAuthzParameter. No custom param for OIDC authz request in script properties"
print "Passport. getCustomAuthzParameter. Passport flow cannot be initiated by doing an OpenID connect authorization request"
else:
print "Passport. getCustomAuthzParameter. Custom param for OIDC authz request in script properties: %s" % customAuthzParameter
return customAuthzParameter
def update(self, dynamicScopeContext, configurationAttributes):
print "Dynamic scope. Update method"
dynamicScopes = dynamicScopeContext.getDynamicScopes()
authorizationGrant = dynamicScopeContext.getAuthorizationGrant()
user = dynamicScopeContext.getUser()
jsonWebResponse = dynamicScopeContext.getJsonWebResponse()
claims = jsonWebResponse.getClaims()
# Add work phone if there is scope = work_phone
userService = UserService.instance()
workPhone = user.getAttribute("telephoneNumber")
if (StringHelper.isNotEmpty(workPhone)):
claims.setClaim("work_phone", workPhone)
return True
def updateUser(self, user, configurationAttributes):
attributes = user.getCustomAttributes()
# Add new attribute preferredLanguage
attrPrefferedLanguage = GluuCustomAttribute("preferredLanguage", "en-us")
attributes.add(attrPrefferedLanguage)
# Add new attribute userPassword
attrUserPassword = GluuCustomAttribute("userPassword", "test")
attributes.add(attrUserPassword)
# Update givenName attribute
for attribute in attributes:
attrName = attribute.getName()
if (("givenname" == StringHelper.toLowerCase(attrName)) and StringHelper.isNotEmpty(attribute.getValue())):
attribute.setValue(StringHelper.removeMultipleSpaces(attribute.getValue()) + " (updated)")
return True
def updateUser(self, user, configurationAttributes):
attributes = user.getCustomAttributes()
# Add new attribute preferredLanguage
attrPrefferedLanguage = GluuCustomAttribute("preferredLanguage",
"en-us")
attributes.add(attrPrefferedLanguage)
# Add new attribute userPassword
attrUserPassword = GluuCustomAttribute("userPassword", "test")
attributes.add(attrUserPassword)
# Update givenName attribute
for attribute in attributes:
attrName = attribute.getName()
if (("givenname" == StringHelper.toLowerCase(attrName))
and StringHelper.isNotEmpty(attribute.getValue())):
attribute.setValue(
StringHelper.removeMultipleSpaces(attribute.getValue()) +
" (updated)")
return True
def prepareForStep(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
httpService = HttpService.instance();
cas_host = configurationAttributes.get("cas_host").getValue2()
cas_extra_opts = configurationAttributes.get("cas_extra_opts").getValue2()
cas_renew_opt = StringHelper.toBoolean(configurationAttributes.get("cas_renew_opt").getValue2(), False)
if (step == 1):
print "CAS2 prepare for step 1"
print "CAS2 prepare for step 1. Store current request parameters in session because CAS don't pass them via service URI"
authenticationService.storeRequestParametersInSession()
request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
parametersMap = HashMap()
parametersMap.put("service", httpService.constructServerUrl(request) + "/postlogin")
if (cas_renew_opt):
parametersMap.put("renew", "true")
cas_service_request_uri = authenticationService.parametersAsString(parametersMap)
cas_service_request_uri = cas_host + "/login?" + cas_service_request_uri
if StringHelper.isNotEmpty(cas_extra_opts):
cas_service_request_uri = cas_service_request_uri + "&" + cas_extra_opts
print "CAS2 prepare for step 1. cas_service_request_uri: " + cas_service_request_uri
context.set("cas_service_request_uri", cas_service_request_uri)
return True
elif (step == 2):
print "CAS2 prepare for step 2"
return True
else:
return False
def update(self, dynamicScopeContext, configurationAttributes):
print "Dynamic scope. Update method"
dynamicScopes = dynamicScopeContext.getDynamicScopes()
user = dynamicScopeContext.getUser()
jsonToken = dynamicScopeContext.getJsonToken()
claims = jsonToken.getClaims()
# Iterate through list of dynamic scopes in order to add custom scopes if needed
print "Dynamic scope. Dynamic scopes:", dynamicScopes
for dynamicScope in dynamicScopes:
# Add organization name if there is scope = org_name
if (StringHelper.equalsIgnoreCase(dynamicScope, "org_name")):
claims.setClaim("org_name", "Gluu, Inc.")
continue
# Add work phone if there is scope = work_phone
if (StringHelper.equalsIgnoreCase(dynamicScope, "work_phone")):
workPhone = user.getAttribute("telephoneNumber");
if (StringHelper.isNotEmpty(workPhone)):
claims.setClaim("work_phone", workPhone)
continue
return True
def authenticate(self, configurationAttributes, requestParameters, step):
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
context = Contexts.getEventContext()
userService = UserService.instance()
deviceRegistrationService = DeviceRegistrationService.instance()
if (step == 1):
print "oxPush2. Authenticate for step 1"
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
auth_method = 'authenticate'
enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton")
if StringHelper.isNotEmpty(enrollment_mode):
auth_method = 'enroll'
if (auth_method == 'authenticate'):
find_user_by_uid = userService.getUser(user_name)
if (find_user_by_uid == None):
print "oxPush. Authenticate for step 1. Failed to find user"
return False
user_inum = userService.getUserInum(find_user_by_uid)
u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, self.u2f_application_id, "oxId")
if (u2f_devices_list.size() == 0):
auth_method = 'enroll'
print "oxPush2. There is no U2F '%s' user devices associated with application '%s'. Changing auth_method to '%s'" % (user_name, self.u2f_application_id, auth_method)
print "oxPush2. Authenticate for step 1. auth_method: '%s'" % auth_method
context.set("oxpush2_auth_method", auth_method)
return True
elif (step == 2):
print "oxPush2. Authenticate for step 2"
credentials = Identity.instance().getCredentials()
user = credentials.getUser()
if (user == None):
print "oxPush2. Authenticate for step 2. Failed to determine user name"
return False
# Find user by uid
userService = UserService.instance()
find_user_by_uid = userService.getUser(user_name)
if (find_user_by_uid == None):
print "oxPush. Authenticate for step 2. Failed to find user"
return False
session_attributes = context.get("sessionAttributes")
if (not session_attributes.containsKey("oxpush2_request")):
print "oxPush2. Authenticate for step 2. There is no oxPush2 request in session attributes"
return False
oxpush2_request_json = session_attributes.get("oxpush2_request")
oxpush2_request = json.loads(oxpush2_request_json)
auth_method = oxpush2_request['method']
if (auth_method in ['enroll', 'authenticate']):
print "oxPush2. Authenticate for step 2. Validation U2F user device. auth_method: '%s'" % auth_method
# Check session state extended
if (not session_attributes.containsKey("session_custom_state")):
print "oxPush2. Authenticate for step 2. There is no session_custom_state in session attributes"
return False
session_custom_state = session_attributes.get("session_custom_state")
if(not StringHelper.equalsIgnoreCase("approved", session_custom_state)):
print "oxPush2. Authenticate for step 2. User '%s' not approve or pass U2F authentication. session_custom_state: '%s'" % (user_name, session_custom_state)
return False
# Try to find device_id in session attribute
if (not session_attributes.containsKey("oxpush2_u2f_device_id")):
print "oxPush2. Authenticate for step 2. There is no u2f_device associated with this request"
return False
u2f_device_id = session_attributes.get("oxpush2_u2f_device_id")
# Validate if user has specified device_id enrollment
user_inum = userService.getUserInum(find_user_by_uid)
u2f_device = deviceRegistrationService.findUserDeviceRegistration(user_inum, u2f_device_id)
if (u2f_device == None):
print "oxPush2. Authenticate for step 2. There is no u2f_device '%s' associated with user '%s'" % (u2f_device_id, user_inum)
return False
if (not StringHelper.equalsIgnoreCase(self.u2f_application_id, u2f_device.application)):
print "oxPush2. Authenticate for step 2. U2F user's '%s' device associated with other application '%s'" % (user_name, u2f_device.application)
return False
print "oxPush2. Authenticate for step 2. U2F user's '%s' device authenticated successfully with U2F device '%s'" % (user_name, u2f_device_id)
return True
else:
print "oxPush2. Authenticate for step 2. U2F auth_method is invalid"
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
saml_map_user = False
saml_enroll_user = False
saml_enroll_all_user_attr = False
# Use saml_deployment_type only if there is no attributes mapping
if (configurationAttributes.containsKey("saml_deployment_type")):
saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")):
saml_map_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")):
saml_enroll_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")):
saml_enroll_all_user_attr = True
saml_allow_basic_login = False
if (configurationAttributes.containsKey("saml_allow_basic_login")):
saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False)
use_basic_auth = False
if (saml_allow_basic_login):
# Detect if user used basic authnetication method
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if (StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password)):
use_basic_auth = True
if ((step == 1) and saml_allow_basic_login and use_basic_auth):
print "Saml. Authenticate for step 1. Basic authentication"
context.set("saml_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
if (step == 1):
print "Saml. Authenticate for step 1"
currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
if (currentSamlConfiguration == None):
print "Saml. Prepare for step 1. Client saml configuration is invalid"
return False
saml_response_array = requestParameters.get("SAMLResponse")
if ArrayHelper.isEmpty(saml_response_array):
print "Saml. Authenticate for step 1. saml_response is empty"
return False
saml_response = saml_response_array[0]
print "Saml. Authenticate for step 1. saml_response:", saml_response
samlResponse = Response(currentSamlConfiguration)
samlResponse.loadXmlFromBase64(saml_response)
saml_validate_response = True
if (configurationAttributes.containsKey("saml_validate_response")):
saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False)
if (saml_validate_response):
if (not samlResponse.isValid()):
print "Saml. Authenticate for step 1. saml_response isn't valid"
saml_response_name_id = samlResponse.getNameId()
if (StringHelper.isEmpty(saml_response_name_id)):
print "Saml. Authenticate for step 1. saml_response_name_id is invalid"
return False
print "Saml. Authenticate for step 1. saml_response_name_id:", saml_response_name_id
saml_response_attributes = samlResponse.getAttributes()
print "Saml. Authenticate for step 1. attributes: ", saml_response_attributes
# Use persistent Id as saml_user_uid
saml_user_uid = saml_response_name_id
if (saml_map_user):
# Use mapping to local IDP user
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:", saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
print "Saml. Authenticate for step 1. Setting count steps to 2"
context.set("saml_count_login_steps", 2)
context.set("saml_user_uid", saml_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
elif (saml_enroll_user):
# Use auto enrollment to local IDP
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:", saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
# Auto user enrollemnt
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
# Convert saml result attributes keys to lover case
saml_response_normalized_attributes = HashMap()
for saml_response_attribute_entry in saml_response_attributes.entrySet():
saml_response_normalized_attributes.put(
StringHelper.toLowerCase(saml_response_attribute_entry.getKey()), saml_response_attribute_entry.getValue())
currentAttributesMapping = self.prepareCurrentAttributesMapping(self.attributesMapping, configurationAttributes, requestParameters)
print "Saml. Authenticate for step 1. Using next attributes mapping", currentAttributesMapping
newUser = User()
for attributesMappingEntry in currentAttributesMapping.entrySet():
idpAttribute = attributesMappingEntry.getKey()
localAttribute = attributesMappingEntry.getValue()
localAttributeValue = saml_response_normalized_attributes.get(idpAttribute)
if (localAttribute != None):
newUser.setAttribute(localAttribute, localAttributeValue)
newUser.setAttribute("oxExternalUid", "saml:" + saml_user_uid)
print "Saml. Authenticate for step 1. Attempting to add user", saml_user_uid, " with next attributes", newUser.getCustomAttributes()
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID", find_user_by_uid.getUserId()
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
elif (saml_enroll_all_user_attr):
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:" + saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
user = User()
customAttributes = ArrayList()
for key in attributes.keySet():
ldapAttributes = attributeService.getAllAttributes()
for ldapAttribute in ldapAttributes:
saml2Uri = ldapAttribute.getSaml2Uri()
if(saml2Uri == None):
saml2Uri = attributeService.getDefaultSaml2Uri(ldapAttribute.getName())
if(saml2Uri == key):
attribute = CustomAttribute(ldapAttribute.getName())
attribute.setValues(attributes.get(key))
customAttributes.add(attribute)
attribute = CustomAttribute("oxExternalUid")
attribute.setValue("saml:" + saml_user_uid)
customAttributes.add(attribute)
user.setCustomAttributes(customAttributes)
if(user.getAttribute("sn") == None):
attribute = CustomAttribute("sn")
attribute.setValue(saml_user_uid)
customAttributes.add(attribute)
if(user.getAttribute("cn") == None):
attribute = CustomAttribute("cn")
attribute.setValue(saml_user_uid)
customAttributes.add(attribute)
find_user_by_uid = userService.addUser(user, True)
print "Saml. Authenticate for step 1. Added new user with UID", find_user_by_uid.getUserId()
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
else:
# Check if the is user with specified saml_user_uid
print "Saml. Authenticate for step 1. Attempting to find user by uid:", saml_user_uid
find_user_by_uid = userService.getUser(saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name:", found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result:", post_login_result
return post_login_result
elif (step == 2):
print "Saml. Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None) or not sessionAttributes.containsKey("saml_user_uid"):
print "Saml. Authenticate for step 2. saml_user_uid is empty"
return False
saml_user_uid = sessionAttributes.get("saml_user_uid")
passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has saml_user_uid
# Avoid mapping Saml account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
# Add saml_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 2. Failed to update current user"
return False
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result:", post_login_result
return post_login_result
else:
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 2. found_user_name:", found_user_name
if StringHelper.equals(user_name, found_user_name):
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result:", post_login_result
return post_login_result
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
saml_map_user = False
saml_enroll_user = False
saml_enroll_all_user_attr = False
# Use saml_deployment_type only if there is no attributes mapping
if (configurationAttributes.containsKey("saml_deployment_type")):
saml_deployment_type = StringHelper.toLowerCase(
configurationAttributes.get(
"saml_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")):
saml_map_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")):
saml_enroll_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type,
"enroll_all_attr")):
saml_enroll_all_user_attr = True
saml_allow_basic_login = False
if (configurationAttributes.containsKey("saml_allow_basic_login")):
saml_allow_basic_login = StringHelper.toBoolean(
configurationAttributes.get(
"saml_allow_basic_login").getValue2(), False)
use_basic_auth = False
if (saml_allow_basic_login):
# Detect if user used basic authnetication method
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if (StringHelper.isNotEmpty(user_name)
and StringHelper.isNotEmpty(user_password)):
use_basic_auth = True
if ((step == 1) and saml_allow_basic_login and use_basic_auth):
print "Saml. Authenticate for step 1. Basic authentication"
context.set("saml_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name)
and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
if (step == 1):
print "Saml. Authenticate for step 1"
currentSamlConfiguration = self.getCurrentSamlConfiguration(
self.samlConfiguration, configurationAttributes,
requestParameters)
if (currentSamlConfiguration == None):
print "Saml. Prepare for step 1. Client saml configuration is invalid"
return False
saml_response_array = requestParameters.get("SAMLResponse")
if ArrayHelper.isEmpty(saml_response_array):
print "Saml. Authenticate for step 1. saml_response is empty"
return False
saml_response = saml_response_array[0]
print "Saml. Authenticate for step 1. saml_response: '%s'" % saml_response
samlResponse = Response(currentSamlConfiguration)
samlResponse.loadXmlFromBase64(saml_response)
saml_validate_response = True
if (configurationAttributes.containsKey("saml_validate_response")):
saml_validate_response = StringHelper.toBoolean(
configurationAttributes.get(
"saml_validate_response").getValue2(), False)
if (saml_validate_response):
if (not samlResponse.isValid()):
print "Saml. Authenticate for step 1. saml_response isn't valid"
saml_response_attributes = samlResponse.getAttributes()
print "Saml. Authenticate for step 1. attributes: '%s'" % saml_response_attributes
if (saml_map_user):
saml_user_uid = self.getSamlNameId(samlResponse)
if saml_user_uid == None:
return False
# Use mapping to local IDP user
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
print "Saml. Authenticate for step 1. Setting count steps to 2"
context.set("saml_count_login_steps", 2)
context.set("saml_user_uid", saml_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (saml_enroll_user):
# Convert SAML response to user entry
newUser = self.getMappedUser(configurationAttributes,
requestParameters,
saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid",
"saml:%s" % saml_user_uid)
# Use auto enrollment to local IDP
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
# Auto user enrollment
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId(
)
facesMessages = FacesMessages.instance()
facesMessages.add(
StatusMessage.Severity.ERROR,
"Failed to enroll. User with same key attributes exist already"
)
FacesContext.getCurrentInstance().getExternalContext(
).getFlash().setKeepMessages(True)
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId(
)
else:
if self.updateUser:
print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(
newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (saml_enroll_all_user_attr):
# Convert SAML response to user entry
newUser = self.getMappedAllAttributesUser(
saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid",
"saml:%s" % saml_user_uid)
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:%s" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
# Auto user enrollment
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId(
)
facesMessages = FacesMessages.instance()
facesMessages.add(
StatusMessage.Severity.ERROR,
"Failed to enroll. User with same key attributes exist already"
)
FacesContext.getCurrentInstance().getExternalContext(
).getFlash().setKeepMessages(True)
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId(
)
else:
if self.updateUser:
print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(
newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
else:
if saml_user_uid == None:
return False
# Check if the is user with specified saml_user_uid
print "Saml. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid
find_user_by_uid = userService.getUser(saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (step == 2):
print "Saml. Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None
) or not sessionAttributes.containsKey("saml_user_uid"):
print "Saml. Authenticate for step 2. saml_user_uid is empty"
return False
saml_user_uid = sessionAttributes.get("saml_user_uid")
passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name)
and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has saml_user_uid
# Avoid mapping Saml account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
# Add saml_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(
user_name, "oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 2. Failed to update current user"
return False
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
else:
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 2. found_user_name: '%s'" % found_user_name
if StringHelper.equals(user_name, found_user_name):
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
httpService = HttpService.instance();
stringEncrypter = StringEncrypter.defaultInstance()
cas_host = configurationAttributes.get("cas_host").getValue2()
cas_extra_opts = configurationAttributes.get("cas_extra_opts").getValue2()
cas_map_user = StringHelper.toBoolean(configurationAttributes.get("cas_map_user").getValue2(), False)
cas_renew_opt = StringHelper.toBoolean(configurationAttributes.get("cas_renew_opt").getValue2(), False)
if (step == 1):
print "CAS2 authenticate for step 1"
ticket_array = requestParameters.get("ticket")
if ArrayHelper.isEmpty(ticket_array):
print "CAS2 authenticate for step 1. ticket is empty"
return False
ticket = ticket_array[0]
print "CAS2 authenticate for step 1. ticket: " + ticket
if (StringHelper.isEmptyString(ticket)):
print "CAS2 authenticate for step 1. ticket is invalid"
return False
# Validate ticket
request = FacesContext.getCurrentInstance().getExternalContext().getRequest()
parametersMap = HashMap()
parametersMap.put("service", httpService.constructServerUrl(request) + "/postlogin")
if (cas_renew_opt):
parametersMap.put("renew", "true")
parametersMap.put("ticket", ticket)
cas_service_request_uri = authenticationService.parametersAsString(parametersMap)
cas_service_request_uri = cas_host + "/serviceValidate?" + cas_service_request_uri
if StringHelper.isNotEmpty(cas_extra_opts):
cas_service_request_uri = cas_service_request_uri + "&" + cas_extra_opts
print "CAS2 authenticate for step 1. cas_service_request_uri: " + cas_service_request_uri
http_client = httpService.getHttpsClientTrustAll();
http_response = httpService.executeGet(http_client, cas_service_request_uri)
validation_content = httpService.convertEntityToString(httpService.getResponseContent(http_response))
print "CAS2 authenticate for step 1. validation_content: " + validation_content
if StringHelper.isEmpty(validation_content):
print "CAS2 authenticate for step 1. Ticket validation response is invalid"
return False
cas2_auth_failure = self.parse_tag(validation_content, "cas:authenticationFailure")
print "CAS2 authenticate for step 1. cas2_auth_failure: ", cas2_auth_failure
cas2_user_uid = self.parse_tag(validation_content, "cas:user")
print "CAS2 authenticate for step 1. cas2_user_uid: ", cas2_user_uid
if ((cas2_auth_failure != None) or (cas2_user_uid == None)):
print "CAS2 authenticate for step 1. Ticket is invalid"
return False
if (cas_map_user):
print "CAS2 authenticate for step 1. Attempting to find user by oxExternalUid: cas2:" + cas2_user_uid
# Check if the is user with specified cas2_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid)
if (find_user_by_uid == None):
print "CAS2 authenticate for step 1. Failed to find user"
print "CAS2 authenticate for step 1. Setting count steps to 2"
context.set("cas2_count_login_steps", 2)
context.set("cas2_user_uid", stringEncrypter.encrypt(cas2_user_uid))
return True
found_user_name = find_user_by_uid.getUserId()
print "CAS2 authenticate for step 1. found_user_name: " + found_user_name
credentials = Identity.instance().getCredentials()
credentials.setUsername(found_user_name)
credentials.setUser(find_user_by_uid)
print "CAS2 authenticate for step 1. Setting count steps to 1"
context.set("cas2_count_login_steps", 1)
return True
else:
print "CAS2 authenticate for step 1. Attempting to find user by uid:" + cas2_user_uid
# Check if the is user with specified cas2_user_uid
find_user_by_uid = userService.getUser(cas2_user_uid)
if (find_user_by_uid == None):
print "CAS2 authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "CAS2 authenticate for step 1. found_user_name: " + found_user_name
credentials = Identity.instance().getCredentials()
credentials.setUsername(found_user_name)
credentials.setUser(find_user_by_uid)
print "CAS2 authenticate for step 1. Setting count steps to 1"
context.set("cas2_count_login_steps", 1)
return True
elif (step == 2):
print "CAS2 authenticate for step 2"
cas2_user_uid_array = requestParameters.get("cas2_user_uid")
if ArrayHelper.isEmpty(cas2_user_uid_array):
print "CAS2 authenticate for step 2. cas2_user_uid is empty"
return False
cas2_user_uid = stringEncrypter.decrypt(cas2_user_uid_array[0])
passed_step1 = StringHelper.isNotEmptyString(cas2_user_uid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has cas2_user_uid
# Avoid mapping CAS2 account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "cas2:" + cas2_user_uid)
if (find_user_by_uid == None):
# Add cas2_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "cas2:" + cas2_user_uid)
if (find_user_by_uid == None):
print "CAS2 authenticate for step 2. Failed to update current user"
return False
return True
else:
found_user_name = find_user_by_uid.getUserId()
print "CAS2 authenticate for step 2. found_user_name: " + found_user_name
if StringHelper.equals(user_name, found_user_name):
return True
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
extensionResult = self.extensionAuthenticate(configurationAttributes, requestParameters, step)
if extensionResult != None:
return extensionResult
authenticationService = CdiUtil.bean(AuthenticationService)
userService = CdiUtil.bean(UserService)
identity = CdiUtil.bean(Identity)
try:
UserId = self.getUserValueFromAuth("username", requestParameters)
except Exception, err:
print "Passport-social: Error: " + str(err)
# Use basic method to log in
if StringHelper.isNotEmpty(UserId):
print "Passport-social: Basic Authentication"
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = authenticationService.authenticate(user_name, user_password)
print "Passport-social: Basic Authentication returning %s" % logged_in
return logged_in
else:
facesContext = CdiUtil.bean(FacesContext)
# Get JWT token if it's post back call
def sendSnsPushNotificationImpl(self, client_redirect_uri, user,
super_gluu_request):
if not self.enabledPushNotifications:
return
user_name = user.getUserId()
print "Super-Gluu. Send SNS push notification. Loading user '%s' devices" % user_name
send_notification = False
send_notification_result = True
pushSnsService = CdiUtil.bean(PushSnsService)
userService = CdiUtil.bean(UserService)
deviceRegistrationService = CdiUtil.bean(DeviceRegistrationService)
user_inum = userService.getUserInum(user_name)
u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(
user_inum, client_redirect_uri, "oxId", "oxDeviceData",
"oxDeviceNotificationConf")
if u2f_devices_list.size() > 0:
for u2f_device in u2f_devices_list:
device_data = u2f_device.getDeviceData()
# Device data which Super-Gluu gets during enrollment
if device_data == None:
continue
platform = device_data.getPlatform()
push_token = device_data.getPushToken()
debug = False
if StringHelper.equalsIgnoreCase(
platform,
"ios") and StringHelper.isNotEmpty(push_token):
# Sending notification to iOS user's device
if self.pushAppleService == None:
print "Super-Gluu. Send SNS push notification. Apple SNS push notification service is not enabled"
else:
targetEndpointArn = self.getTargetEndpointArn(
deviceRegistrationService, pushSnsService,
PushPlatform.APNS, user, u2f_device)
send_notification = True
title = "Super-Gluu"
message = {
"body":
"Super-Gluu login request to: %s" %
client_redirect_uri
}
sns_push_request_dictionary = {
"sound": 'default',
"aps": {
"badge": 9,
"title": title,
"alert": message
},
"category": "ACTIONABLE",
"content-available": "1",
"request": super_gluu_request
}
push_message = json.dumps(sns_push_request_dictionary,
separators=(',', ':'))
# msgBuilder.forNewsstand()
send_notification_result = pushSnsService.sendPushMessage(
self.pushAppleService, PushPlatform.APNS,
targetEndpointArn, push_message, None)
if debug:
print "Super-Gluu. Send iOS SNS push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (
push_token, push_message,
send_notification_result)
if StringHelper.equalsIgnoreCase(
platform,
"android") and StringHelper.isNotEmpty(push_token):
# Sending notification to Android user's device
if self.pushAndroidService == None:
print "Super-Gluu. Send SNS push notification. Android SNS push notification service is not enabled"
else:
targetEndpointArn = self.getTargetEndpointArn(
deviceRegistrationService, pushSnsService,
PushPlatform.GCM, user, u2f_device)
send_notification = True
title = "Super-Gluu"
sns_push_request_dictionary = {
"collapse_key": "single",
"content_available": True,
"time_to_live": 60,
"data": {
"message": super_gluu_request,
"title": title
}
}
push_message = json.dumps(sns_push_request_dictionary,
separators=(',', ':'))
send_notification_result = pushSnsService.sendPushMessage(
self.pushAndroidService, PushPlatform.GCM,
targetEndpointArn, push_message, None)
if debug:
print "Super-Gluu. Send Android SNS push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (
push_token, push_message,
send_notification_result)
print "Super-Gluu. Send SNS push notification. send_notification: '%s', send_notification_result: '%s'" % (
send_notification, send_notification_result)
def authenticate(self, configurationAttributes, requestParameters, step):
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
context = Contexts.getEventContext()
session_attributes = context.get("sessionAttributes")
client_redirect_uri = self.getClientRedirecUri(session_attributes)
if client_redirect_uri == None:
print "Super-Gluu. Authenticate. redirect_uri is not set"
return False
self.setEventContextParameters(context)
userService = UserService.instance()
deviceRegistrationService = DeviceRegistrationService.instance()
if step == 1:
print "Super-Gluu. Authenticate for step 1"
if self.oneStep:
session_device_status = self.getSessionDeviceStatus(session_attributes, user_name)
if session_device_status == None:
return
u2f_device_id = session_device_status['device_id']
validation_result = self.validateSessionDeviceStatus(client_redirect_uri, session_device_status)
if validation_result:
print "Super-Gluu. Authenticate for step 1. User successfully authenticated with u2f_device '%s'" % u2f_device_id
else:
return False
if not session_device_status['one_step']:
print "Super-Gluu. Authenticate for step 1. u2f_device '%s' is not one step device" % u2f_device_id
return False
# There are two steps only in enrollment mode
if session_device_status['enroll']:
return validation_result
context.set("super_gluu_count_login_steps", 1)
user_inum = session_device_status['user_inum']
u2f_device = deviceRegistrationService.findUserDeviceRegistration(user_inum, u2f_device_id, "oxId")
if u2f_device == None:
print "Super-Gluu. Authenticate for step 1. Failed to load u2f_device '%s'" % u2f_device_id
return False
logged_in = userService.authenticate(user_name)
if not logged_in:
print "Super-Gluu. Authenticate for step 1. Failed to authenticate user '%s'" % user_name
return False
print "Super-Gluu. Authenticate for step 1. User '%s' successfully authenticated with u2f_device '%s'" % (user_name, u2f_device_id)
return True
elif self.twoStep:
authenticated_user = self.processBasicAuthentication(credentials)
if authenticated_user == None:
return False
auth_method = 'authenticate'
enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton")
if StringHelper.isNotEmpty(enrollment_mode):
auth_method = 'enroll'
if auth_method == 'authenticate':
user_inum = userService.getUserInum(authenticated_user)
u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, client_redirect_uri, "oxId")
if u2f_devices_list.size() == 0:
auth_method = 'enroll'
print "Super-Gluu. Authenticate for step 1. There is no U2F '%s' user devices associated with application '%s'. Changing auth_method to '%s'" % (user_name, client_redirect_uri, auth_method)
print "Super-Gluu. Authenticate for step 1. auth_method: '%s'" % auth_method
context.set("super_gluu_auth_method", auth_method)
return True
return False
elif step == 2:
print "Super-Gluu. Authenticate for step 2"
session_attributes = context.get("sessionAttributes")
session_device_status = self.getSessionDeviceStatus(session_attributes, user_name)
if session_device_status == None:
return False
u2f_device_id = session_device_status['device_id']
# There are two steps only in enrollment mode
if self.oneStep and session_device_status['enroll']:
authenticated_user = self.processBasicAuthentication(credentials)
if authenticated_user == None:
return False
user_inum = userService.getUserInum(authenticated_user)
attach_result = deviceRegistrationService.attachUserDeviceRegistration(user_inum, u2f_device_id)
print "Super-Gluu. Authenticate for step 2. Result after attaching u2f_device '%s' to user '%s': '%s'" % (u2f_device_id, user_name, attach_result)
return attach_result
elif self.twoStep:
if user_name == None:
print "Super-Gluu. Authenticate for step 2. Failed to determine user name"
return False
validation_result = self.validateSessionDeviceStatus(client_redirect_uri, session_device_status, user_name)
if validation_result:
print "Super-Gluu. Authenticate for step 2. User '%s' successfully authenticated with u2f_device '%s'" % (user_name, u2f_device_id)
else:
return False
super_gluu_request = json.loads(session_device_status['super_gluu_request'])
auth_method = super_gluu_request['method']
if auth_method in ['enroll', 'authenticate']:
return validation_result
print "Super-Gluu. Authenticate for step 2. U2F auth_method is invalid"
return False
else:
return False
def sendPushNotification(self, client_redirect_uri, user, super_gluu_request):
if not self.enabledPushNotifications:
return
user_name = user.getUserId()
print "Super-Gluu. Send push notification. Loading user '%s' devices" % user_name
send_notification = False
send_notification_result = True
userService = UserService.instance()
deviceRegistrationService = DeviceRegistrationService.instance()
user_inum = userService.getUserInum(user_name)
u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, client_redirect_uri, "oxId", "oxDeviceData")
if u2f_devices_list.size() > 0:
for u2f_device in u2f_devices_list:
device_data = u2f_device.getDeviceData()
# Device data which Super-Gluu gets during enrollment
if device_data == None:
continue
platform = device_data.getPlatform()
push_token = device_data.getPushToken()
debug = False
if StringHelper.equalsIgnoreCase(platform, "ios") and StringHelper.isNotEmpty(push_token):
# Sending notification to iOS user's device
if self.pushAppleService == None:
print "Super-Gluu. Send push notification. Apple push notification service is not enabled"
else:
send_notification = True
title = "Super-Gluu"
message = "Super-Gluu login request to: %s" % client_redirect_uri
additional_fields = { "request" : super_gluu_request }
msgBuilder = APNS.newPayload().alertBody(message).alertTitle(title).sound("default")
msgBuilder.category('ACTIONABLE').badge(0)
msgBuilder.forNewsstand()
msgBuilder.customFields(additional_fields)
push_message = msgBuilder.build()
send_notification_result = self.pushAppleService.push(push_token, push_message)
if debug:
print "Super-Gluu. Send iOS push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result)
if StringHelper.equalsIgnoreCase(platform, "android") and StringHelper.isNotEmpty(push_token):
# Sending notification to Android user's device
if self.pushAndroidService == None:
print "Super-Gluu. Send push notification. Android push notification service is not enabled"
else:
send_notification = True
title = "Super-Gluu"
msgBuilder = Message.Builder().addData("message", super_gluu_request).addData("title", title).collapseKey("single").contentAvailable(True)
push_message = msgBuilder.build()
send_notification_result = self.pushAndroidService.send(push_message, push_token, 3)
if debug:
print "Super-Gluu. Send Android push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result)
print "Super-Gluu. Send push notification. send_notification: '%s', send_notification_result: '%s'" % (send_notification, send_notification_result)
def authenticate(self, configurationAttributes, requestParameters, step):
authenticationService = CdiUtil.bean(AuthenticationService)
identity = CdiUtil.bean(Identity)
credentials = identity.getCredentials()
session_attributes = identity.getSessionId().getSessionAttributes()
client_redirect_uri = self.getClientRedirecUri(session_attributes)
if client_redirect_uri == None:
print "Super-Gluu. Authenticate. redirect_uri is not set"
return False
self.setRequestScopedParameters(identity, step)
# Validate form result code and initialize QR code regeneration if needed (retry_current_step = True)
identity.setWorkingParameter("retry_current_step", False)
form_auth_result = ServerUtil.getFirstValue(requestParameters, "auth_result")
if StringHelper.isNotEmpty(form_auth_result):
print "Super-Gluu. Authenticate for step %s. Get auth_result: '%s'" % (step, form_auth_result)
if form_auth_result in ['error']:
return False
if form_auth_result in ['timeout']:
if ((step == 1) and self.oneStep) or ((step == 2) and self.twoStep):
print "Super-Gluu. Authenticate for step %s. Reinitializing current step" % step
identity.setWorkingParameter("retry_current_step", True)
return False
userService = CdiUtil.bean(UserService)
deviceRegistrationService = CdiUtil.bean(DeviceRegistrationService)
if step == 1:
print "Super-Gluu. Authenticate for step 1"
user_name = credentials.getUsername()
if self.oneStep:
session_device_status = self.getSessionDeviceStatus(session_attributes, user_name)
if session_device_status == None:
return False
u2f_device_id = session_device_status['device_id']
validation_result = self.validateSessionDeviceStatus(client_redirect_uri, session_device_status)
if validation_result:
print "Super-Gluu. Authenticate for step 1. User successfully authenticated with u2f_device '%s'" % u2f_device_id
else:
return False
if not session_device_status['one_step']:
print "Super-Gluu. Authenticate for step 1. u2f_device '%s' is not one step device" % u2f_device_id
return False
# There are two steps only in enrollment mode
if session_device_status['enroll']:
return validation_result
identity.setWorkingParameter("super_gluu_count_login_steps", 1)
user_inum = session_device_status['user_inum']
u2f_device = deviceRegistrationService.findUserDeviceRegistration(user_inum, u2f_device_id, "oxId")
if u2f_device == None:
print "Super-Gluu. Authenticate for step 1. Failed to load u2f_device '%s'" % u2f_device_id
return False
logged_in = authenticationService.authenticate(user_name)
if not logged_in:
print "Super-Gluu. Authenticate for step 1. Failed to authenticate user '%s'" % user_name
return False
print "Super-Gluu. Authenticate for step 1. User '%s' successfully authenticated with u2f_device '%s'" % (user_name, u2f_device_id)
return True
elif self.twoStep:
authenticated_user = self.processBasicAuthentication(credentials)
if authenticated_user == None:
return False
if (self.use_super_gluu_group):
print "Super-Gluu. Authenticate for step 1. Checking if user belong to super_gluu group"
is_member_super_gluu_group = self.isUserMemberOfGroup(authenticated_user, self.audit_attribute, self.super_gluu_group)
if (is_member_super_gluu_group):
print "Super-Gluu. Authenticate for step 1. User '%s' member of super_gluu group" % authenticated_user.getUserId()
super_gluu_count_login_steps = 2
else:
if self.use_audit_group:
self.processAuditGroup(authenticated_user, self.audit_attribute, self.audit_group)
super_gluu_count_login_steps = 1
identity.setWorkingParameter("super_gluu_count_login_steps", super_gluu_count_login_steps)
if super_gluu_count_login_steps == 1:
return True
auth_method = 'authenticate'
enrollment_mode = ServerUtil.getFirstValue(requestParameters, "loginForm:registerButton")
if StringHelper.isNotEmpty(enrollment_mode):
auth_method = 'enroll'
if auth_method == 'authenticate':
user_inum = userService.getUserInum(authenticated_user)
u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, client_redirect_uri, "oxId")
if u2f_devices_list.size() == 0:
auth_method = 'enroll'
print "Super-Gluu. Authenticate for step 1. There is no U2F '%s' user devices associated with application '%s'. Changing auth_method to '%s'" % (user_name, client_redirect_uri, auth_method)
print "Super-Gluu. Authenticate for step 1. auth_method: '%s'" % auth_method
identity.setWorkingParameter("super_gluu_auth_method", auth_method)
return True
return False
elif step == 2:
print "Super-Gluu. Authenticate for step 2"
user = authenticationService.getAuthenticatedUser()
if (user == None):
print "Super-Gluu. Authenticate for step 2. Failed to determine user name"
return False
user_name = user.getUserId()
session_attributes = identity.getSessionId().getSessionAttributes()
session_device_status = self.getSessionDeviceStatus(session_attributes, user_name)
if session_device_status == None:
return False
u2f_device_id = session_device_status['device_id']
# There are two steps only in enrollment mode
if self.oneStep and session_device_status['enroll']:
authenticated_user = self.processBasicAuthentication(credentials)
if authenticated_user == None:
return False
user_inum = userService.getUserInum(authenticated_user)
attach_result = deviceRegistrationService.attachUserDeviceRegistration(user_inum, u2f_device_id)
print "Super-Gluu. Authenticate for step 2. Result after attaching u2f_device '%s' to user '%s': '%s'" % (u2f_device_id, user_name, attach_result)
return attach_result
elif self.twoStep:
if user_name == None:
print "Super-Gluu. Authenticate for step 2. Failed to determine user name"
return False
validation_result = self.validateSessionDeviceStatus(client_redirect_uri, session_device_status, user_name)
if validation_result:
print "Super-Gluu. Authenticate for step 2. User '%s' successfully authenticated with u2f_device '%s'" % (user_name, u2f_device_id)
else:
return False
super_gluu_request = json.loads(session_device_status['super_gluu_request'])
auth_method = super_gluu_request['method']
if auth_method in ['enroll', 'authenticate']:
if validation_result and self.use_audit_group:
user = authenticationService.getAuthenticatedUser()
self.processAuditGroup(user, self.audit_attribute, self.audit_group)
return validation_result
print "Super-Gluu. Authenticate for step 2. U2F auth_method is invalid"
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
print "Casa. authenticate %s" % str(step)
userService = CdiUtil.bean(UserService)
authenticationService = CdiUtil.bean(AuthenticationService)
identity = CdiUtil.bean(Identity)
if step == 1:
# Determine if external provider must be used
provider = ServerUtil.getFirstValue(requestParameters,
"loginForm:provider")
if StringHelper.isNotEmpty(provider):
url = self.getAuthzRequestUrl(provider)
if url != None:
CdiUtil.bean(FacesService).redirectToExternalURL(url)
return url != None
credentials = identity.getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if StringHelper.isNotEmptyString(
user_name) and StringHelper.isNotEmptyString(
user_password):
foundUser = userService.getUserByAttribute(
self.uid_attr, user_name)
#foundUser = userService.getUser(user_name)
if foundUser == None:
print "Casa. authenticate for step 1. Unknown username"
else:
acr = foundUser.getAttribute("oxPreferredMethod")
logged_in = False
if acr == None:
logged_in = authenticationService.authenticate(
user_name, user_password)
elif acr in self.authenticators:
module = self.authenticators[acr]
logged_in = module.authenticate(
module.configAttrs, requestParameters, step)
if logged_in:
foundUser = authenticationService.getAuthenticatedUser(
)
if foundUser == None:
print "Casa. authenticate for step 1. Cannot retrieve logged user"
else:
if acr == None:
identity.setWorkingParameter("skip2FA", True)
else:
#Determine whether to skip 2FA based on policy defined (global or user custom)
skip2FA = self.determineSkip2FA(
userService, identity, foundUser,
ServerUtil.getFirstValue(
requestParameters,
"loginForm:platform"))
identity.setWorkingParameter(
"skip2FA", skip2FA)
identity.setWorkingParameter("ACR", acr)
return True
else:
print "Casa. authenticate for step 1 was not successful"
return False
else:
user = authenticationService.getAuthenticatedUser()
if user == None:
print "Casa. authenticate for step 2. Cannot retrieve logged user"
return False
#see casa.xhtml
alter = ServerUtil.getFirstValue(requestParameters,
"alternativeMethod")
if alter != None:
#bypass the rest of this step if an alternative method was provided. Current step will be retried (see getNextStep)
self.simulateFirstStep(requestParameters, alter)
return True
session_attributes = identity.getSessionId().getSessionAttributes()
acr = session_attributes.get("ACR")
#this working parameter is used in casa.xhtml
identity.setWorkingParameter("methods",
self.getAvailMethodsUser(user, acr))
success = False
if acr in self.authenticators:
module = self.authenticators[acr]
success = module.authenticate(module.configAttrs,
requestParameters, step)
#Update the list of trusted devices if 2fa passed
if success:
print "Casa. authenticate. 2FA authentication was successful"
tdi = session_attributes.get("trustedDevicesInfo")
if tdi == None:
print "Casa. authenticate. List of user's trusted devices was not updated"
else:
user.setAttribute("oxTrustedDevicesInfo", tdi)
userService.updateUser(user)
else:
print "Casa. authenticate. 2FA authentication failed"
return success
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
saml_map_user = False
saml_enroll_user = False
saml_enroll_all_user_attr = False
# Use saml_deployment_type only if there is no attributes mapping
if (configurationAttributes.containsKey("saml_deployment_type")):
saml_deployment_type = StringHelper.toLowerCase(
configurationAttributes.get(
"saml_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")):
saml_map_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")):
saml_enroll_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type,
"enroll_all_attr")):
saml_enroll_all_user_attr = True
saml_allow_basic_login = False
if (configurationAttributes.containsKey("saml_allow_basic_login")):
saml_allow_basic_login = StringHelper.toBoolean(
configurationAttributes.get(
"saml_allow_basic_login").getValue2(), False)
use_basic_auth = False
if (saml_allow_basic_login):
# Detect if user used basic authnetication method
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if (StringHelper.isNotEmpty(user_name)
and StringHelper.isNotEmpty(user_password)):
use_basic_auth = True
if ((step == 1) and saml_allow_basic_login and use_basic_auth):
print "Saml. Authenticate for step 1. Basic authentication"
context.set("saml_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name)
and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
if (step == 1):
print "Saml. Authenticate for step 1"
currentSamlConfiguration = self.getCurrentSamlConfiguration(
self.samlConfiguration, configurationAttributes,
requestParameters)
if (currentSamlConfiguration == None):
print "Saml. Prepare for step 1. Client saml configuration is invalid"
return False
saml_response_array = requestParameters.get("SAMLResponse")
if ArrayHelper.isEmpty(saml_response_array):
print "Saml. Authenticate for step 1. saml_response is empty"
return False
saml_response = saml_response_array[0]
print "Saml. Authenticate for step 1. saml_response: '%s'" % saml_response
samlResponse = Response(currentSamlConfiguration)
samlResponse.loadXmlFromBase64(saml_response)
saml_validate_response = True
if (configurationAttributes.containsKey("saml_validate_response")):
saml_validate_response = StringHelper.toBoolean(
configurationAttributes.get(
"saml_validate_response").getValue2(), False)
if (saml_validate_response):
if (not samlResponse.isValid()):
print "Saml. Authenticate for step 1. saml_response isn't valid"
saml_response_name_id = samlResponse.getNameId()
if (StringHelper.isEmpty(saml_response_name_id)):
print "Saml. Authenticate for step 1. saml_response_name_id is invalid"
return False
print "Saml. Authenticate for step 1. saml_response_name_id: '%s'" % saml_response_name_id
saml_response_attributes = samlResponse.getAttributes()
print "Saml. Authenticate for step 1. attributes: '%s'" % saml_response_attributes
# Use persistent Id as saml_user_uid
saml_user_uid = saml_response_name_id
if (saml_map_user):
# Use mapping to local IDP user
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
print "Saml. Authenticate for step 1. Setting count steps to 2"
context.set("saml_count_login_steps", 2)
context.set("saml_user_uid", saml_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (saml_enroll_user):
# Use auto enrollment to local IDP
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
# Auto user enrollemnt
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
# Convert saml result attributes keys to lover case
saml_response_normalized_attributes = HashMap()
for saml_response_attribute_entry in saml_response_attributes.entrySet(
):
saml_response_normalized_attributes.put(
StringHelper.toLowerCase(
saml_response_attribute_entry.getKey()),
saml_response_attribute_entry.getValue())
currentAttributesMapping = self.prepareCurrentAttributesMapping(
self.attributesMapping, configurationAttributes,
requestParameters)
print "Saml. Authenticate for step 1. Using next attributes mapping '%s'" % currentAttributesMapping
newUser = User()
# Set custom object classes
if self.userObjectClasses != None:
print "Saml. Authenticate for step 1. User custom objectClasses to add persons: '%s'" % Util.array2ArrayList(
self.userObjectClasses)
newUser.setCustomObjectClasses(self.userObjectClasses)
for attributesMappingEntry in currentAttributesMapping.entrySet(
):
idpAttribute = attributesMappingEntry.getKey()
localAttribute = attributesMappingEntry.getValue()
if self.debugEnrollment:
print "Saml. Authenticate for step 1. Trying to map '%s' into '%s'" % (
idpAttribute, localAttribute)
localAttributeValue = saml_response_normalized_attributes.get(
idpAttribute)
if (localAttributeValue != None):
if self.debugEnrollment:
print "Saml. Authenticate for step 1. Setting attribute '%s' value '%s'" % (
localAttribute, localAttributeValue)
newUser.setAttribute(localAttribute,
localAttributeValue)
newUser.setAttribute("oxExternalUid",
"saml:" + saml_user_uid)
print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (
saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getAttribute(
"uid")
facesMessages = FacesMessages.instance()
facesMessages.add(
StatusMessage.Severity.ERROR,
"Failed to enroll. User with same key attributes exist already"
)
FacesContext.getCurrentInstance().getExternalContext(
).getFlash().setKeepMessages(True)
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId(
)
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (saml_enroll_all_user_attr):
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:" + saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
user = User()
# Set custom object classes
if self.userObjectClasses != None:
print "Saml. Authenticate for step 1. User custom objectClasses to add persons: '%s'" % Util.array2ArrayList(
self.userObjectClasses)
user.setCustomObjectClasses(self.userObjectClasses)
customAttributes = ArrayList()
for key in saml_response_attributes.keySet():
ldapAttributes = attributeService.getAllAttributes()
for ldapAttribute in ldapAttributes:
saml2Uri = ldapAttribute.getSaml2Uri()
if (saml2Uri == None):
saml2Uri = attributeService.getDefaultSaml2Uri(
ldapAttribute.getName())
if (saml2Uri == key):
attribute = CustomAttribute(
ldapAttribute.getName())
attribute.setValues(attributes.get(key))
customAttributes.add(attribute)
attribute = CustomAttribute("oxExternalUid")
attribute.setValue("saml:" + saml_user_uid)
customAttributes.add(attribute)
user.setCustomAttributes(customAttributes)
if (user.getAttribute("sn") == None):
attribute = CustomAttribute("sn")
attribute.setValue(saml_user_uid)
customAttributes.add(attribute)
if (user.getAttribute("cn") == None):
attribute = CustomAttribute("cn")
attribute.setValue(saml_user_uid)
customAttributes.add(attribute)
user_unique = self.checkUserUniqueness(user)
if not user_unique:
print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getAttribute(
"uid")
facesMessages = FacesMessages.instance()
facesMessages.add(
StatusMessage.Severity.ERROR,
"Failed to enroll. User with same key attributes exist already"
)
FacesContext.getCurrentInstance().getExternalContext(
).getFlash().setKeepMessages(True)
return False
find_user_by_uid = userService.addUser(user, True)
print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId(
)
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
else:
# Check if the is user with specified saml_user_uid
print "Saml. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid
find_user_by_uid = userService.getUser(saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(
found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (step == 2):
print "Saml. Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None
) or not sessionAttributes.containsKey("saml_user_uid"):
print "Saml. Authenticate for step 2. saml_user_uid is empty"
return False
saml_user_uid = sessionAttributes.get("saml_user_uid")
passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name)
and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has saml_user_uid
# Avoid mapping Saml account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute(
"oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
# Add saml_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(
user_name, "oxExternalUid", "saml:" + saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 2. Failed to update current user"
return False
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
else:
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 2. found_user_name: '%s'" % found_user_name
if StringHelper.equals(user_name, found_user_name):
post_login_result = self.samlExtensionPostLogin(
configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
return False
else:
return False
def authenticate(self, configurationAttributes, requestParameters, step):
context = Contexts.getEventContext()
authenticationService = AuthenticationService.instance()
userService = UserService.instance()
saml_map_user = False
saml_enroll_user = False
saml_enroll_all_user_attr = False
# Use saml_deployment_type only if there is no attributes mapping
if (configurationAttributes.containsKey("saml_deployment_type")):
saml_deployment_type = StringHelper.toLowerCase(configurationAttributes.get("saml_deployment_type").getValue2())
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "map")):
saml_map_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll")):
saml_enroll_user = True
if (StringHelper.equalsIgnoreCase(saml_deployment_type, "enroll_all_attr")):
saml_enroll_all_user_attr = True
saml_allow_basic_login = False
if (configurationAttributes.containsKey("saml_allow_basic_login")):
saml_allow_basic_login = StringHelper.toBoolean(configurationAttributes.get("saml_allow_basic_login").getValue2(), False)
use_basic_auth = False
if (saml_allow_basic_login):
# Detect if user used basic authnetication method
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
if (StringHelper.isNotEmpty(user_name) and StringHelper.isNotEmpty(user_password)):
use_basic_auth = True
if ((step == 1) and saml_allow_basic_login and use_basic_auth):
print "Saml. Authenticate for step 1. Basic authentication"
context.set("saml_count_login_steps", 1)
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
userService = UserService.instance()
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
return True
if (step == 1):
print "Saml. Authenticate for step 1"
currentSamlConfiguration = self.getCurrentSamlConfiguration(self.samlConfiguration, configurationAttributes, requestParameters)
if (currentSamlConfiguration == None):
print "Saml. Prepare for step 1. Client saml configuration is invalid"
return False
saml_response_array = requestParameters.get("SAMLResponse")
if ArrayHelper.isEmpty(saml_response_array):
print "Saml. Authenticate for step 1. saml_response is empty"
return False
saml_response = saml_response_array[0]
print "Saml. Authenticate for step 1. saml_response: '%s'" % saml_response
samlResponse = Response(currentSamlConfiguration)
samlResponse.loadXmlFromBase64(saml_response)
saml_validate_response = True
if (configurationAttributes.containsKey("saml_validate_response")):
saml_validate_response = StringHelper.toBoolean(configurationAttributes.get("saml_validate_response").getValue2(), False)
if (saml_validate_response):
if (not samlResponse.isValid()):
print "Saml. Authenticate for step 1. saml_response isn't valid"
saml_response_attributes = samlResponse.getAttributes()
print "Saml. Authenticate for step 1. attributes: '%s'" % saml_response_attributes
if (saml_map_user):
saml_user_uid = self.getSamlNameId(samlResponse)
if saml_user_uid == None:
return False
# Use mapping to local IDP user
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if the is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
print "Saml. Authenticate for step 1. Setting count steps to 2"
context.set("saml_count_login_steps", 2)
context.set("saml_user_uid", saml_user_uid)
return True
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (saml_enroll_user):
# Convert SAML response to user entry
newUser = self.getMappedUser(configurationAttributes, requestParameters, saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
# Use auto enrollment to local IDP
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml: '%s'" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if find_user_by_uid == None:
# Auto user enrollment
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId()
facesMessages = FacesMessages.instance()
facesMessages.add(StatusMessage.Severity.ERROR, "Failed to enroll. User with same key attributes exist already")
FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True)
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId()
else:
if self.updateUser:
print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user: '******'" % found_user_name
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (saml_enroll_all_user_attr):
# Convert SAML response to user entry
newUser = self.getMappedAllAttributesUser(saml_response_attributes)
saml_user_uid = self.getNameId(samlResponse, newUser)
if saml_user_uid == None:
return False
self.setDefaultUid(newUser, saml_user_uid)
newUser.setAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
print "Saml. Authenticate for step 1. Attempting to find user by oxExternalUid: saml:%s" % saml_user_uid
# Check if there is user with specified saml_user_uid
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
# Auto user enrollment
print "Saml. Authenticate for step 1. There is no user in LDAP. Adding user to local LDAP"
print "Saml. Authenticate for step 1. Attempting to add user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
user_unique = self.checkUserUniqueness(newUser)
if not user_unique:
print "Saml. Authenticate for step 1. Failed to add user: '******'. User not unique" % newUser.getUserId()
facesMessages = FacesMessages.instance()
facesMessages.add(StatusMessage.Severity.ERROR, "Failed to enroll. User with same key attributes exist already")
FacesContext.getCurrentInstance().getExternalContext().getFlash().setKeepMessages(True)
return False
find_user_by_uid = userService.addUser(newUser, True)
print "Saml. Authenticate for step 1. Added new user with UID: '%s'" % find_user_by_uid.getUserId()
else:
if self.updateUser:
print "Saml. Authenticate for step 1. Attempting to update user '%s' with next attributes: '%s'" % (saml_user_uid, newUser.getCustomAttributes())
find_user_by_uid.setCustomAttributes(newUser.getCustomAttributes())
userService.updateUser(find_user_by_uid)
print "Saml. Authenticate for step 1. Updated user with UID: '%s'" % saml_user_uid
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
else:
if saml_user_uid == None:
return False
# Check if the is user with specified saml_user_uid
print "Saml. Authenticate for step 1. Attempting to find user by uid: '%s'" % saml_user_uid
find_user_by_uid = userService.getUser(saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 1. Failed to find user"
return False
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 1. found_user_name: '%s'" % found_user_name
user_authenticated = authenticationService.authenticate(found_user_name)
if (user_authenticated == False):
print "Saml. Authenticate for step 1. Failed to authenticate user"
return False
print "Saml. Authenticate for step 1. Setting count steps to 1"
context.set("saml_count_login_steps", 1)
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 1. post_login_result: '%s'" % post_login_result
return post_login_result
elif (step == 2):
print "Saml. Authenticate for step 2"
sessionAttributes = context.get("sessionAttributes")
if (sessionAttributes == None) or not sessionAttributes.containsKey("saml_user_uid"):
print "Saml. Authenticate for step 2. saml_user_uid is empty"
return False
saml_user_uid = sessionAttributes.get("saml_user_uid")
passed_step1 = StringHelper.isNotEmptyString(saml_user_uid)
if (not passed_step1):
return False
credentials = Identity.instance().getCredentials()
user_name = credentials.getUsername()
user_password = credentials.getPassword()
logged_in = False
if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)):
logged_in = userService.authenticate(user_name, user_password)
if (not logged_in):
return False
# Check if there is user which has saml_user_uid
# Avoid mapping Saml account to more than one IDP account
find_user_by_uid = userService.getUserByAttribute("oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
# Add saml_user_uid to user one id UIDs
find_user_by_uid = userService.addUserAttribute(user_name, "oxExternalUid", "saml:%s" % saml_user_uid)
if (find_user_by_uid == None):
print "Saml. Authenticate for step 2. Failed to update current user"
return False
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
else:
found_user_name = find_user_by_uid.getUserId()
print "Saml. Authenticate for step 2. found_user_name: '%s'" % found_user_name
if StringHelper.equals(user_name, found_user_name):
post_login_result = self.samlExtensionPostLogin(configurationAttributes, find_user_by_uid)
print "Saml. Authenticate for step 2. post_login_result: '%s'" % post_login_result
return post_login_result
return False
else:
return False
def sendPushNotificationImpl(self, client_redirect_uri, user, super_gluu_request):
if not self.enabledPushNotifications:
return
user_name = user.getUserId()
print "Super-Gluu. Send push notification. Loading user '%s' devices" % user_name
send_notification = False
send_notification_result = True
userService = CdiUtil.bean(UserService)
deviceRegistrationService = CdiUtil.bean(DeviceRegistrationService)
user_inum = userService.getUserInum(user_name)
send_android = 0
send_ios = 0
u2f_devices_list = deviceRegistrationService.findUserDeviceRegistrations(user_inum, client_redirect_uri, "oxId", "oxDeviceData", "oxDeviceNotificationConf")
if u2f_devices_list.size() > 0:
for u2f_device in u2f_devices_list:
device_data = u2f_device.getDeviceData()
# Device data which Super-Gluu gets during enrollment
if device_data == None:
continue
platform = device_data.getPlatform()
push_token = device_data.getPushToken()
debug = False
if StringHelper.equalsIgnoreCase(platform, "ios") and StringHelper.isNotEmpty(push_token):
# Sending notification to iOS user's device
if self.pushAppleService == None:
print "Super-Gluu. Send push notification. Apple native push notification service is not enabled"
else:
send_notification = True
title = "Super-Gluu"
message = "Super-Gluu login request to: %s" % client_redirect_uri
if self.pushSnsMode or self.pushGluuMode:
pushSnsService = CdiUtil.bean(PushSnsService)
targetEndpointArn = self.getTargetEndpointArn(deviceRegistrationService, pushSnsService, PushPlatform.APNS, user, u2f_device)
if targetEndpointArn == None:
return
send_notification = True
sns_push_request_dictionary = { "aps":
{ "badge": 0,
"alert" : {"body": message, "title" : title},
"category": "ACTIONABLE",
"content-available": "1",
"sound": 'default'
},
"request" : super_gluu_request
}
push_message = json.dumps(sns_push_request_dictionary, separators=(',',':'))
if self.pushSnsMode:
apple_push_platform = PushPlatform.APNS
if not self.pushAppleServiceProduction:
apple_push_platform = PushPlatform.APNS_SANDBOX
send_notification_result = pushSnsService.sendPushMessage(self.pushAppleService, apple_push_platform, targetEndpointArn, push_message, None)
if debug:
print "Super-Gluu. Send iOS SNS push notification. token: '%s', message: '%s', send_notification_result: '%s', apple_push_platform: '%s'" % (push_token, push_message, send_notification_result, apple_push_platform)
elif self.pushGluuMode:
send_notification_result = self.pushAppleService.sendNotification(self.pushAppleServiceAuth, targetEndpointArn, push_message)
if debug:
print "Super-Gluu. Send iOS Gluu push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result)
else:
additional_fields = { "request" : super_gluu_request }
msgBuilder = APNS.newPayload().alertBody(message).alertTitle(title).sound("default")
msgBuilder.category('ACTIONABLE').badge(0)
msgBuilder.forNewsstand()
msgBuilder.customFields(additional_fields)
push_message = msgBuilder.build()
send_notification_result = self.pushAppleService.push(push_token, push_message)
if debug:
print "Super-Gluu. Send iOS Native push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result)
send_ios = send_ios + 1
if StringHelper.equalsIgnoreCase(platform, "android") and StringHelper.isNotEmpty(push_token):
# Sending notification to Android user's device
if self.pushAndroidService == None:
print "Super-Gluu. Send native push notification. Android native push notification service is not enabled"
else:
send_notification = True
title = "Super-Gluu"
if self.pushSnsMode or self.pushGluuMode:
pushSnsService = CdiUtil.bean(PushSnsService)
targetEndpointArn = self.getTargetEndpointArn(deviceRegistrationService, pushSnsService, PushPlatform.GCM, user, u2f_device)
if targetEndpointArn == None:
return
send_notification = True
sns_push_request_dictionary = { "collapse_key": "single",
"content_available": True,
"time_to_live": 60,
"data":
{ "message" : super_gluu_request,
"title" : title }
}
push_message = json.dumps(sns_push_request_dictionary, separators=(',',':'))
if self.pushSnsMode:
send_notification_result = pushSnsService.sendPushMessage(self.pushAndroidService, PushPlatform.GCM, targetEndpointArn, push_message, None)
if debug:
print "Super-Gluu. Send Android SNS push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result)
elif self.pushGluuMode:
send_notification_result = self.pushAndroidService.sendNotification(self.pushAndroidServiceAuth, targetEndpointArn, push_message)
if debug:
print "Super-Gluu. Send Android Gluu push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result)
else:
msgBuilder = Message.Builder().addData("message", super_gluu_request).addData("title", title).collapseKey("single").contentAvailable(True)
push_message = msgBuilder.build()
send_notification_result = self.pushAndroidService.send(push_message, push_token, 3)
if debug:
print "Super-Gluu. Send Android Native push notification. token: '%s', message: '%s', send_notification_result: '%s'" % (push_token, push_message, send_notification_result)
send_android = send_android + 1
print "Super-Gluu. Send push notification. send_android: '%s', send_ios: '%s'" % (send_android, send_ios)
