/**
 * Locate the {@link SPNEGOContext} that hangs off the {@link AuthenticationContext} of the tree.
 *
 * @param prc profile request context to search from
 *
 * @return the SPNEGO subcontext, or null when either the authentication context or its SPNEGO
 *         child is absent
 */
@Nullable private SPNEGOContext getSPNEGOContext(@Nonnull final ProfileRequestContext prc) {
    final AuthenticationContext ac = prc.getSubcontext(AuthenticationContext.class);
    if (ac == null) {
        // No authentication in progress, so there cannot be a SPNEGO child either.
        return null;
    }
    return ac.getSubcontext(SPNEGOContext.class);
}
/** {@inheritDoc} */
@Override protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    final boolean proceed = super.doPreExecute(profileRequestContext, authenticationContext);
    if (proceed) {
        // Cache the optional requested-principal child for later use; it may legitimately be null.
        requestedPrincipalCtx = authenticationContext.getSubcontext(RequestedPrincipalContext.class);
    }
    return proceed;
}
/**
 * Check a {@link PrincipalSupportingComponent} against the {@link RequestedPrincipalContext} child of
 * this context, when one exists.
 *
 * @param component component whose supported principals are evaluated
 *
 * @return true if no requirements have been imposed, or if the component satisfies the requirements
 *         recorded in the child context
 */
public boolean isAcceptable(@Nonnull final PrincipalSupportingComponent component) {
    final RequestedPrincipalContext requirements = getSubcontext(RequestedPrincipalContext.class);
    // With no requirements in place there is nothing to reject against.
    return requirements == null || requirements.isAcceptable(component);
}
/**
 * Record the registry of predicate factories used for custom principal evaluation.
 *
 * <p>The value is remembered for injection into contexts built by
 * {@link #addRequestedPrincipalContext(String, List, boolean)} and is also pushed into an already
 * existing {@link RequestedPrincipalContext} child, if there is one.</p>
 *
 * @param registry predicate factory registry, may be null to clear it
 *
 * @return this context, for chaining
 */
@Nonnull public AuthenticationContext setPrincipalEvalPredicateFactoryRegistry(
        @Nullable final PrincipalEvalPredicateFactoryRegistry registry) {
    evalRegistry = registry;
    final RequestedPrincipalContext existing = getSubcontext(RequestedPrincipalContext.class);
    if (existing == null) {
        return this;
    }
    // Keep an existing child in step with the new registry.
    existing.setPrincipalEvalPredicateFactoryRegistry(registry);
    return this;
}
/**
 * Check a single {@link Principal} against the {@link RequestedPrincipalContext} child of this context,
 * when one exists.
 *
 * @param <T> principal type
 * @param principal principal to evaluate
 *
 * @return true if no requirements have been imposed, or if the principal satisfies the requirements
 *         recorded in the child context
 */
public <T extends Principal> boolean isAcceptable(@Nonnull final T principal) {
    final RequestedPrincipalContext requirements = getSubcontext(RequestedPrincipalContext.class);
    // With no requirements in place there is nothing to reject against.
    return requirements == null || requirements.isAcceptable(principal);
}
/**
 * Check a collection of {@link Principal} objects against the {@link RequestedPrincipalContext} child of
 * this context, when one exists.
 *
 * @param principals principals to evaluate
 *
 * @return true if no requirements have been imposed, or if the principals satisfy the requirements
 *         recorded in the child context
 */
public boolean isAcceptable(@Nonnull @NonnullElements final Collection<Principal> principals) {
    final RequestedPrincipalContext requirements = getSubcontext(RequestedPrincipalContext.class);
    // With no requirements in place there is nothing to reject against.
    return requirements == null || requirements.isAcceptable(principals);
}
/** {@inheritDoc} */
@Override protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    final Assertion target = assertionLookupStrategy.apply(profileRequestContext);
    if (target == null) {
        // Nothing to attach the statement to; signal a broken message context.
        log.error("Unable to obtain Assertion to modify");
        ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX);
        return;
    }
    // The requested-principal child, if any, informs how the statement is built; it may be null.
    final RequestedPrincipalContext requested =
            authenticationContext.getSubcontext(RequestedPrincipalContext.class);
    target.getAuthenticationStatements().add(buildAuthenticationStatement(profileRequestContext, requested));
    log.debug("{} Added AuthenticationStatement to Assertion {}", getLogPrefix(), target.getID());
}
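/** {@inheritDoc} */
@Override protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    final Assertion assertion = assertionLookupStrategy.apply(profileRequestContext);
    if (assertion == null) {
        // Nothing to attach the statement to; signal a broken message context.
        log.error("Unable to obtain Assertion to modify");
        ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX);
        return;
    }
    // The requested-principal child, if any, informs how the statement is built; it may be null.
    final AuthnStatement statement = buildAuthnStatement(profileRequestContext,
            authenticationContext.getSubcontext(RequestedPrincipalContext.class));
    assertion.getAuthnStatements().add(statement);
    // Log message names the type actually added (AuthnStatement), so it is not confused with the
    // SAML 1 AuthenticationStatement variant of this action.
    log.debug("{} Added AuthnStatement to Assertion {}", getLogPrefix(), assertion.getID());
}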
/**
 * Record an exception raised by the action in an {@link AuthenticationErrorContext} beneath the
 * {@link AuthenticationContext}, creating that error context when it does not exist yet.
 *
 * <p>Classification of the failure is delegated to the {@code String}-based overload, which receives
 * the exception's message: a matched classification becomes the resulting event, otherwise
 * {@code eventId} is used.</p>
 *
 * @param profileRequestContext the current profile request context
 * @param authenticationContext the current authentication context
 * @param e the exception to record
 * @param eventId fallback event to signal via an {@link org.opensaml.profile.context.EventContext}
 *                when the message is not classified
 */
protected void handleError(
        @Nonnull final ProfileRequestContext<InboundMessageType, OutboundMessageType> profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext, @Nonnull final Exception e,
        @Nonnull @NotEmpty final String eventId) {
    // Create the error context on demand so the exception is always captured for later reporting.
    authenticationContext.getSubcontext(AuthenticationErrorContext.class, true).addException(e);
    // NOTE(review): e.getMessage() may be null; the String overload is assumed to tolerate that — confirm.
    handleError(profileRequestContext, authenticationContext, e.getMessage(), eventId);
}
/**
 * Resolve the registry of predicate factories used for custom principal evaluation.
 *
 * <p>A {@link RequestedPrincipalContext} child takes precedence; otherwise the locally injected
 * registry is returned, and as a last resort a fresh default registry is constructed on each call.
 * The local copy exists chiefly to feed
 * {@link #addRequestedPrincipalContext(String, List, boolean)}.</p>
 *
 * @return predicate factory registry
 */
@Nonnull public PrincipalEvalPredicateFactoryRegistry getPrincipalEvalPredicateFactoryRegistry() {
    final RequestedPrincipalContext child = getSubcontext(RequestedPrincipalContext.class);
    if (child != null) {
        return child.getPrincipalEvalPredicateFactoryRegistry();
    }
    // No child: fall back to the injected registry, or a new default one (not cached).
    return evalRegistry != null ? evalRegistry : new PrincipalEvalPredicateFactoryRegistry();
}
/** {@inheritDoc} */ // CheckStyle: ReturnCount OFF @Override protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext, @Nonnull final AuthenticationContext authenticationContext) { final HttpServletRequest request = getHttpServletRequest(); if (request == null) { log.debug("{} Profile action does not contain an HttpServletRequest", getLogPrefix()); ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS); return; } final String agent = request.getHeader(HttpHeaders.USER_AGENT); if (agent == null) { log.debug("{} User-Agent header not found in request", getLogPrefix()); ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS); return; } authenticationContext.getSubcontext(UserAgentContext.class, true).setIdentifier(applyTransforms(agent)); } // CheckStyle: ReturnCount ON
/** {@inheritDoc} */
@Override protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    final Pair<String, String> creds = extractUsernamePassword(inboundMessage);
    if (creds == null) {
        // Absent credentials are a normal outcome here, not an error; the event reflects that.
        log.debug("{} inbound message does not contain a username and password", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS);
        return;
    }
    // Copy both halves into the (possibly newly created) UsernamePasswordContext; the password is
    // never written to the log.
    final UsernamePasswordContext upCtx =
            authenticationContext.getSubcontext(UsernamePasswordContext.class, true);
    upCtx.setUsername(creds.getFirst()).setPassword(creds.getSecond());
}
/** {@inheritDoc} */
@Override protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
        return false;
    }
    final boolean flowKnown = authenticationContext.getAttemptedFlow() != null;
    if (!flowKnown) {
        // A missing attempted flow means the tree was not set up for this action; count it as a failure.
        log.debug("{} No attempted flow within authentication context", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
        recordFailure();
        return false;
    }
    extContext = authenticationContext.getSubcontext(ExternalAuthenticationContext.class);
    final boolean extAvailable = extContext != null;
    if (!extAvailable) {
        log.debug("{} No ExternalAuthenticationContext available within authentication context",
                getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_AUTHN_CTX);
        recordFailure();
        return false;
    }
    return true;
}
/** {@inheritDoc} */ // CheckStyle: ReturnCount OFF @Override protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext, @Nonnull final AuthenticationContext authenticationContext) { final HttpServletRequest request = getHttpServletRequest(); if (request == null) { log.debug("{} Profile action does not contain an HttpServletRequest", getLogPrefix()); ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS); return; } final String addressString = applyTransforms(request.getRemoteAddr()); if (addressString == null || !InetAddresses.isInetAddress(addressString)) { log.debug("{} User agent's address, {}, is not a valid IP address", getLogPrefix(), addressString); ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS); return; } authenticationContext.getSubcontext(UserAgentContext.class, true).setAddress( InetAddresses.forString(addressString)); } // CheckStyle: ReturnCount ON
/** {@inheritDoc} */
@Override protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {
    if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
        return false;
    }
    if (authenticationContext.getAttemptedFlow() == null) {
        // A missing attempted flow is a setup problem and is counted as a failure.
        log.debug("{} No attempted flow within authentication context", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
        recordFailure();
        return false;
    }
    usernameContext = authenticationContext.getSubcontext(UsernameContext.class);
    // A missing context or username is reported as "no credentials" and, unlike the case above,
    // is not recorded as a failure.
    final String reason;
    if (usernameContext == null) {
        reason = "No UsernameContext available within authentication context";
    } else if (usernameContext.getUsername() == null) {
        reason = "No username available within UsernameContext";
    } else {
        reason = null;
    }
    if (reason != null) {
        log.debug("{} " + reason, getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS);
        return false;
    }
    return true;
}
uaContext = authenticationContext.getSubcontext(UserAgentContext.class, false); if (uaContext == null) { log.debug("{} No UserAgentContext available within authentication context", getLogPrefix());
certContext = authenticationContext.getSubcontext(CertificateContext.class); if (certContext == null) { log.info("{} No CertificateContext available within authentication context", getLogPrefix());
/**
 * Attach a {@link RequestedPrincipalContext} child built from the supplied parameters and the
 * registry previously set via {@link #setPrincipalEvalPredicateFactoryRegistry}, optionally
 * replacing an existing child.
 *
 * @param operator matching operator to record
 * @param principals principals being requested
 * @param replace when true an existing child is overwritten; when false it is left alone and
 *                the method reports that nothing was added
 *
 * @return true iff a new context was attached
 */
public boolean addRequestedPrincipalContext(@Nonnull @NotEmpty final String operator,
        @Nonnull @NonnullElements final List<Principal> principals, final boolean replace) {
    final RequestedPrincipalContext existing = getSubcontext(RequestedPrincipalContext.class);
    final boolean keepExisting = existing != null && !replace;
    if (keepExisting) {
        return false;
    }
    final RequestedPrincipalContext fresh = new RequestedPrincipalContext();
    fresh.setOperator(operator);
    fresh.setPrincipalEvalPredicateFactoryRegistry(evalRegistry);
    fresh.setRequestedPrincipals(principals);
    // Second argument asks the parent to replace any child of the same type.
    addSubcontext(fresh, true);
    return true;
}
/**
 * Pick the identifier that names the authenticating party for the current request.
 *
 * <p>When a {@link UsernamePasswordContext} is present its username is returned (the password is
 * never surfaced); otherwise the principal name from the {@link SubjectContext} is used.</p>
 *
 * @param profileRequestContext the current profile request context
 *
 * @return the username or principal name, which may be null if the chosen context holds none
 *
 * @throws OIDCException if neither a username/password context nor a subject context is available
 */
private static Object getAuthenticationTokenCredentials(final ProfileRequestContext profileRequestContext) {
    final AuthenticationContext authnCtx = profileRequestContext.getSubcontext(AuthenticationContext.class);
    final boolean hasCredentials =
            authnCtx != null && authnCtx.containsSubcontext(UsernamePasswordContext.class);
    if (hasCredentials) {
        return authnCtx.getSubcontext(UsernamePasswordContext.class).getUsername();
    }
    final SubjectContext subjectCtx = profileRequestContext.getSubcontext(SubjectContext.class);
    if (subjectCtx != null) {
        return subjectCtx.getPrincipalName();
    }
    throw new OIDCException("Could not locate SubjectContext in the ProfileRequestContext");
}
@Nonnull final AuthenticationContext authenticationContext) { final UsernamePasswordContext upCtx = authenticationContext.getSubcontext(UsernamePasswordContext.class, true); upCtx.setUsername(null); upCtx.setPassword(null);