private boolean readTokenCacheItems(String authority) throws JSONException {
final AuthenticationContext authContext;
try {
authContext = getOrCreateContext(authority);
} catch (Exception e) {
callbackContext.sendPluginResult(new PluginResult(PluginResult.Status.ERROR, e.getMessage()));
return true;
}
JSONArray result = new JSONArray();
ITokenCacheStore cache = authContext.getCache();
if (cache instanceof ITokenStoreQuery) {
Iterator<TokenCacheItem> cacheItems = ((ITokenStoreQuery) cache).getAll();
while (cacheItems.hasNext()) {
TokenCacheItem item = cacheItems.next();
result.put(tokenItemToJSON(item));
}
}
callbackContext.sendPluginResult(new PluginResult(PluginResult.Status.OK, result));
return true;
}
public @Nonnull List<String> get(@Nullable String bucket)
throws CloudException, InternalException {
AuthenticationContext context = provider.getAuthenticationContext();
String endpoint = context.getStorageUrl();
if (endpoint == null) {
throw new CloudException("No storage endpoint exists for " + context.getMyRegion());
}
String response =
getString(context.getAuthToken(), endpoint, bucket == null ? "/" : "/" + bucket);
ArrayList<String> entries = new ArrayList<String>();
if (response != null) {
response = response.trim();
if (response.length() > 0) {
String[] lines = response.split("\n");
if (lines.length < 1) {
entries.add(response);
} else {
for (String line : lines) {
entries.add(line.trim());
}
}
}
}
return entries;
}
public void delete(@Nonnull String bucket) throws CloudException, InternalException {
AuthenticationContext context = provider.getAuthenticationContext();
String endpoint = context.getStorageUrl();
if (endpoint == null) {
throw new CloudException("No storage endpoint exists for " + context.getMyRegion());
}
delete(context.getAuthToken(), endpoint, "/" + bucket);
}
public @Nullable InputStream get(@Nonnull String bucket, @Nonnull String object)
throws CloudException, InternalException {
AuthenticationContext context = provider.getAuthenticationContext();
String endpoint = context.getStorageUrl();
if (endpoint == null) {
throw new CloudException("No storage endpoint exists for " + context.getMyRegion());
}
return getStream(context.getAuthToken(), endpoint, "/" + bucket + "/" + object);
}
@SuppressWarnings("unused")
public @Nullable Map<String, String> head(@Nonnull String bucket)
throws CloudException, InternalException {
AuthenticationContext context = provider.getAuthenticationContext();
String endpoint = context.getStorageUrl();
if (endpoint == null) {
throw new CloudException("No storage endpoint exists for " + context.getMyRegion());
}
return head(context.getAuthToken(), endpoint, "/" + bucket);
}
private boolean clearTokenCache(String authority) {
final AuthenticationContext authContext;
try {
authContext = getOrCreateContext(authority);
} catch (Exception e) {
callbackContext.sendPluginResult(new PluginResult(PluginResult.Status.ERROR, e.getMessage()));
return true;
}
authContext.getCache().removeAll();
callbackContext.sendPluginResult(new PluginResult(PluginResult.Status.OK));
return true;
}
public void put(
@Nonnull String bucket,
@Nonnull String object,
@Nullable String md5Hash,
@Nonnull InputStream payload)
throws CloudException, InternalException {
AuthenticationContext context = provider.getAuthenticationContext();
String endpoint = context.getStorageUrl();
if (endpoint == null) {
throw new CloudException("No storage endpoint exists for " + context.getMyRegion());
}
putStream(context.getAuthToken(), endpoint, "/" + bucket + "/" + object, md5Hash, payload);
}
private boolean acquireTokenSilentAsync(
String authority, String resourceUrl, String clientId, String userId) {
final AuthenticationContext authContext;
try {
authContext = getOrCreateContext(authority);
} catch (Exception e) {
callbackContext.sendPluginResult(new PluginResult(PluginResult.Status.ERROR, e.getMessage()));
return true;
}
authContext.acquireTokenSilent(
resourceUrl, clientId, userId, new DefaultAuthenticationCallback(callbackContext));
return true;
}
@Test
public void testAcquireTokenAuthCode_ClientCredential() throws Exception {
ctx =
PowerMock.createPartialMock(
AuthenticationContext.class,
new String[] {"acquireTokenCommon"},
TestConfiguration.AAD_TENANT_ENDPOINT,
true,
service);
PowerMock.expectPrivate(
ctx,
"acquireTokenCommon",
EasyMock.isA(AdalAuthorizatonGrant.class),
EasyMock.isA(ClientAuthentication.class),
EasyMock.isA(ClientDataHttpHeaders.class))
.andReturn(
new AuthenticationResult(
"bearer",
"accessToken",
"refreshToken",
new Date().getTime(),
"idToken",
null,
false));
PowerMock.replay(ctx);
Future<AuthenticationResult> result =
ctx.acquireTokenByAuthorizationCode(
"auth_code",
new URI(TestConfiguration.AAD_DEFAULT_REDIRECT_URI),
new ClientCredential("clientId", "clientSecret"),
null);
AuthenticationResult ar = result.get();
Assert.assertNotNull(ar);
PowerMock.verifyAll();
}
@Override
public void onActivityResult(int requestCode, int resultCode, Intent data) {
super.onActivityResult(requestCode, resultCode, data);
if (currentContext != null) {
currentContext.onActivityResult(requestCode, resultCode, data);
}
}
@Test(
expectedExceptions = IllegalArgumentException.class,
expectedExceptionsMessageRegExp = "credential is null")
public void testValidateInput_NullCredential() throws MalformedURLException {
ctx = new AuthenticationContext(TestConfiguration.AAD_TENANT_ENDPOINT, true, service);
ctx.acquireToken(TestConfiguration.AAD_RESOURCE_ID, (ClientAssertion) null, null);
}
@Test(
expectedExceptions = IllegalArgumentException.class,
expectedExceptionsMessageRegExp = "resource is null or empty")
public void testValidateInput_ValidateNullResource() throws MalformedURLException {
ctx = new AuthenticationContext(TestConfiguration.AAD_TENANT_ENDPOINT, true, service);
ctx.acquireToken(null, new ClientAssertion("invalid_assertion"), null);
}
@Test(
expectedExceptions = IllegalArgumentException.class,
expectedExceptionsMessageRegExp = "redirect uri is null")
public void testAcquireTokenAuthCode_RedirectUriNull() throws Exception {
ctx = new AuthenticationContext(TestConfiguration.AAD_TENANT_ENDPOINT, true, service);
ctx.acquireTokenByAuthorizationCode(
"auth_code", null, new ClientCredential("clientId", "clientSecret"), null);
}
@Test(
expectedExceptions = IllegalArgumentException.class,
expectedExceptionsMessageRegExp = "clientId is null or empty")
public void testValidateRefreshTokenRequestInput_NullClientId() throws MalformedURLException {
ctx = new AuthenticationContext(TestConfiguration.AAD_TENANT_ENDPOINT, true, service);
ctx.acquireTokenByRefreshToken(
"refresh_token", null, new ClientAssertion("invalid_assertion"), null);
}
@Test(
expectedExceptions = IllegalArgumentException.class,
expectedExceptionsMessageRegExp = "authorization code is null or empty")
public void testcAquireTokenAuthCode_AuthCodeNull() throws Exception {
ctx = new AuthenticationContext(TestConfiguration.AAD_TENANT_ENDPOINT, true, service);
ctx.acquireTokenByAuthorizationCode(
null,
new URI(TestConfiguration.AAD_DEFAULT_REDIRECT_URI),
new ClientCredential("clientId", "clientSecret"),
null);
}
private boolean acquireTokenAsync(
String authority,
String resourceUrl,
String clientId,
String redirectUrl,
String userId,
String extraQueryParams) {
final AuthenticationContext authContext;
try {
authContext = getOrCreateContext(authority);
} catch (Exception e) {
callbackContext.sendPluginResult(new PluginResult(PluginResult.Status.ERROR, e.getMessage()));
return true;
}
if (userId != null) {
ITokenCacheStore cache = authContext.getCache();
if (cache instanceof ITokenStoreQuery) {
ArrayList<TokenCacheItem> tokensForUserId =
((ITokenStoreQuery) cache).getTokensForUser(userId);
if (tokensForUserId.size() > 0) {
// Try to acquire alias for specified userId
userId = tokensForUserId.get(0).getUserInfo().getDisplayableId();
}
}
}
authContext.acquireToken(
this.cordova.getActivity(),
resourceUrl,
clientId,
redirectUrl,
userId,
SHOW_PROMPT_ALWAYS,
extraQueryParams,
new DefaultAuthenticationCallback(callbackContext));
return true;
}
private boolean deleteTokenCacheItem(
String authority,
String itemAuthority,
String resource,
String clientId,
String userId,
boolean isMultipleResourceRefreshToken) {
final AuthenticationContext authContext;
try {
authContext = getOrCreateContext(authority);
} catch (Exception e) {
callbackContext.sendPluginResult(new PluginResult(PluginResult.Status.ERROR, e.getMessage()));
return true;
}
String key =
CacheKey.createCacheKey(
itemAuthority, resource, clientId, isMultipleResourceRefreshToken, userId);
authContext.getCache().removeItem(key);
callbackContext.sendPluginResult(new PluginResult(PluginResult.Status.OK));
return true;
}
@Test
public void testFailedAcquireTokenRequest_ExecuteCallback() throws Throwable {
ctx = new AuthenticationContext(TestConfiguration.AAD_UNKNOWN_TENANT_ENDPOINT, true, service);
AuthenticationCallback ac = PowerMock.createMock(AuthenticationCallback.class);
ac.onFailure(EasyMock.isA(Throwable.class));
EasyMock.expectLastCall();
PowerMock.replay(ac);
Future<AuthenticationResult> result =
ctx.acquireTokenByRefreshToken(
"refresh", new ClientCredential("clientId", "clientSecret"), "resource", ac);
try {
result.get();
} catch (ExecutionException ee) {
throw ee.getCause();
}
}
@Test
public void testAcquireTokenAuthCode_KeyCredential() throws Exception {
ctx =
PowerMock.createPartialMock(
AuthenticationContext.class,
new String[] {"acquireTokenCommon"},
TestConfiguration.AAD_TENANT_ENDPOINT,
true,
service);
PowerMock.expectPrivate(
ctx,
"acquireTokenCommon",
EasyMock.isA(AdalAuthorizatonGrant.class),
EasyMock.isA(ClientAuthentication.class),
EasyMock.isA(ClientDataHttpHeaders.class))
.andReturn(
new AuthenticationResult(
"bearer",
"accessToken",
"refreshToken",
new Date().getTime(),
"idToken",
null,
false));
final KeyStore keystore = KeyStore.getInstance("PKCS12", "SunJSSE");
keystore.load(
new FileInputStream(
this.getClass().getResource(TestConfiguration.AAD_CERTIFICATE_PATH).getFile()),
TestConfiguration.AAD_CERTIFICATE_PASSWORD.toCharArray());
final String alias = keystore.aliases().nextElement();
final PrivateKey key =
(PrivateKey)
keystore.getKey(alias, TestConfiguration.AAD_CERTIFICATE_PASSWORD.toCharArray());
final X509Certificate cert = (X509Certificate) keystore.getCertificate(alias);
PowerMock.replay(ctx);
Future<AuthenticationResult> result =
ctx.acquireTokenByAuthorizationCode(
"auth_code",
new URI(TestConfiguration.AAD_DEFAULT_REDIRECT_URI),
AsymmetricKeyCredential.create(TestConfiguration.AAD_CLIENT_ID, key, cert),
null);
AuthenticationResult ar = result.get();
Assert.assertNotNull(ar);
PowerMock.verifyAll();
PowerMock.resetAll(ctx);
}
public void testAcquireToken_Username_Password() throws Exception {
ctx =
PowerMock.createPartialMock(
AuthenticationContext.class,
new String[] {"acquireTokenCommon"},
TestConfiguration.AAD_TENANT_ENDPOINT,
true,
service);
PowerMock.expectPrivate(
ctx,
"acquireTokenCommon",
EasyMock.isA(AdalAuthorizatonGrant.class),
EasyMock.isA(ClientAuthentication.class),
EasyMock.isA(ClientDataHttpHeaders.class))
.andReturn(
new AuthenticationResult(
"bearer", "accessToken", "refreshToken", new Date().getTime(), null, null, false));
UserDiscoveryResponse response = EasyMock.createMock(UserDiscoveryResponse.class);
EasyMock.expect(response.isAccountFederated()).andReturn(false);
PowerMock.mockStatic(UserDiscoveryRequest.class);
EasyMock.expect(
UserDiscoveryRequest.execute(
EasyMock.isA(String.class),
EasyMock.isNull(Proxy.class),
EasyMock.isNull(SSLSocketFactory.class)))
.andReturn(response);
PowerMock.replay(ctx, response, UserDiscoveryRequest.class);
Future<AuthenticationResult> result =
ctx.acquireToken("resource", "clientId", "username", "password", null);
AuthenticationResult ar = result.get();
Assert.assertNotNull(ar);
PowerMock.verifyAll();
PowerMock.resetAll(ctx);
}
public static void signRequest(HttpRequestBase request, AuthenticationContext context) {
request.setHeader("Authorization", "Bearer " + context.getAccessToken());
}
@Test
public void testCorrelationId() throws MalformedURLException {
ctx = new AuthenticationContext(TestConfiguration.AAD_TENANT_ENDPOINT, true, service);
ctx.setCorrelationId("correlationId");
Assert.assertEquals(ctx.getCorrelationId(), "correlationId");
}
private boolean handleRequestToACSEndpoint(MessageContext messageContext, Session session) {
String fullResourceURL =
(String) messageContext.getProperty(RESTConstants.REST_FULL_REQUEST_PATH);
// Build the incoming message.
GatewayUtils.buildIncomingMessage(messageContext);
IDPMessage idpMessage = null;
try {
idpMessage = SAMLUtils.processIDPMessage(messageContext);
if (idpMessage.getSAMLResponse() == null && idpMessage.getSAMLRequest() == null) {
String errorMessage =
String.format(
"A SAML request or response was not there in the request to the ACS URL ('%s')",
fullResourceURL);
GatewayUtils.logAndThrowException(log, errorMessage, null);
}
if (idpMessage.getRawSAMLResponse() != null) {
// pass saml response and request for an authorized cookie to access admin services
String authorizedAdminCookie =
getAuthenticatedCookieFromIdP(idpMessage.getRawSAMLResponse());
if (authorizedAdminCookie == null) {
String errorMessage =
"Error while requesting the authorized cookie to access IDP admin services via "
+ "SAML2SSOAuthenticationService";
GatewayUtils.logAndThrowException(log, errorMessage, null);
}
// add to session
if (session.getAttribute(AppMConstants.IDP_AUTHENTICATED_COOKIE) == null) {
session.addAttribute(AppMConstants.IDP_AUTHENTICATED_COOKIE, authorizedAdminCookie);
SessionStore.getInstance().updateSession(session);
}
}
} catch (SAMLException e) {
String errorMessage =
String.format(
"Error while processing the IDP call back request to the ACS URL ('%s')",
fullResourceURL);
log.error(errorMessage);
if (log.isDebugEnabled()) { // Do not log the stack trace without checking isDebugEnabled,
// because log can be filled by SAML Response XSW attacks.
log.debug(errorMessage, e);
}
GatewayUtils.send401(messageContext, "Unauthorized SAML Response");
return false;
}
GatewayUtils.logWithRequestInfo(
log,
messageContext,
String.format(
"%s is available in request.",
idpMessage.getSAMLRequest() != null ? "SAMLRequest" : "SAMLResponse"));
// If not configured, the SLO request URL and the SLO response URL is the ACS URL by default.
// SLOResponse is handled in this method. But the SLORequest is handled generically in the rest
// of the handler code.
if (idpMessage.isSLOResponse()) {
GatewayUtils.logWithRequestInfo(log, messageContext, "SAMLResponse in an SLO response.");
GatewayUtils.redirectToURL(messageContext, GatewayUtils.getAppRootURL(messageContext));
return false;
} else if (idpMessage.isSLORequest()) {
GatewayUtils.logWithRequestInfo(log, messageContext, "SAMLRequest in an SLO request.");
OMElement response =
handleSLORequest(messageContext, (LogoutRequest) idpMessage.getSAMLRequest());
GatewayUtils.send200(messageContext, response);
return false;
} else {
// Validate SAML response validity period
if (!idpMessage.validateAssertionValidityPeriod()) {
requestAuthentication(messageContext);
return false;
}
// Validate SAML response signature, assertion signature and audience restrictions
if (!idpMessage.validateSignatureAndAudienceRestriction(
idpMessage.getSAMLResponse(), webApp, configuration)) {
GatewayUtils.send401(messageContext, "Unauthorized SAML Response");
return false;
}
AuthenticationContext authenticationContext =
getAuthenticationContextFromIDPCallback(idpMessage);
if (authenticationContext.isAuthenticated()) {;
if (log.isDebugEnabled()) {
GatewayUtils.logWithRequestInfo(
log,
messageContext,
String.format(
"SAML response is authenticated. Subject = '%s'",
authenticationContext.getSubject()));
}
session.setAuthenticationContext(authenticationContext);
if (shouldSendSAMLResponseToBackend()) {
Map<String, String> samlResponses =
(Map<String, String>)
session.getAttribute(SAMLUtils.SESSION_ATTRIBUTE_RAW_SAML_RESPONSES);
if (samlResponses == null) {
samlResponses = new HashMap<String, String>();
session.addAttribute(SAMLUtils.SESSION_ATTRIBUTE_RAW_SAML_RESPONSES, samlResponses);
}
samlResponses.put(webApp.getUUID(), idpMessage.getRawSAMLResponse());
}
// Get the SAML session index.
String sessionIndex =
(String) SAMLUtils.getSessionIndex((ResponseImpl) idpMessage.getSAMLResponse());
session.addAttribute(SAMLUtils.SESSION_ATTRIBUTE_SAML_SESSION_INDEX, sessionIndex);
GatewayUtils.logWithRequestInfo(
log, messageContext, String.format("Session index : %s", sessionIndex));
// Add Session Index -> Session ID to a cache.
CacheManager.getInstance()
.getSessionIndexMappingCache()
.put(sessionIndex, session.getUuid());
// Mark this web app as an access web app in this session.
session.addAccessedWebAppUUID(webApp.getUUID());
Map<String, Object> userAttributes =
getUserAttributes((ResponseImpl) idpMessage.getSAMLResponse());
session.getAuthenticationContext().setAttributes(userAttributes);
String roleAttributeValue = (String) userAttributes.get("http://wso2.org/claims/role");
if (roleAttributeValue != null) {
String[] roles = roleAttributeValue.split(",");
for (String role : roles) {
session.getAuthenticationContext().addRole(role);
}
}
// Generate the JWT and store in the session.
if (isJWTEnabled()) {
try {
// Generate and store the JWT against the app.
Map<String, String> generatedJWTs =
(Map<String, String>) session.getAttribute(SESSION_ATTRIBUTE_JWTS);
if (generatedJWTs == null) {
generatedJWTs = new HashMap<String, String>();
session.addAttribute(SESSION_ATTRIBUTE_JWTS, generatedJWTs);
}
generatedJWTs.put(
webApp.getUUID(),
getJWTGenerator().generateToken(userAttributes, webApp, messageContext));
} catch (AppManagementException e) {
String errorMessage =
String.format(
"Can't generate JWT for the subject : '%s'",
authenticationContext.getSubject());
GatewayUtils.logAndThrowException(log, errorMessage, e);
}
}
SessionStore.getInstance().updateSession(session);
if (session.getRequestedURL() != null) {
GatewayUtils.redirectToURL(messageContext, session.getRequestedURL());
} else {
log.warn(
String.format(
"Original requested URL in the session is null. Redirecting to the app root URL."));
GatewayUtils.redirectToURL(messageContext, GatewayUtils.getAppRootURL(messageContext));
}
return false;
} else {
if (log.isDebugEnabled()) {
GatewayUtils.logWithRequestInfo(
log, messageContext, "SAML response is not authenticated.");
}
requestAuthentication(messageContext);
return false;
}
}
}
/**
* Parses the SecurityToken by wrapping within an AssertionWrapper.
*
* @param securityToken SecurityToken
*/
private void parseToken(SecurityToken securityToken) {
XMLStreamReader xmlStreamReader = StaxUtils.createXMLStreamReader(securityToken.getToken());
try {
AttrStatement attributeStatement = null;
AuthenticationStatement authenticationStatement = null;
Attr attribute = null;
int attrs = 0;
while (xmlStreamReader.hasNext()) {
int event = xmlStreamReader.next();
switch (event) {
case XMLStreamConstants.START_ELEMENT:
{
String localName = xmlStreamReader.getLocalName();
switch (localName) {
case NameID.DEFAULT_ELEMENT_LOCAL_NAME:
name = xmlStreamReader.getElementText();
for (int i = 0; i < xmlStreamReader.getAttributeCount(); i++) {
if (xmlStreamReader
.getAttributeLocalName(i)
.equals(NameID.FORMAT_ATTRIB_NAME)) {
nameIDFormat = xmlStreamReader.getAttributeValue(i);
break;
}
}
break;
case AttributeStatement.DEFAULT_ELEMENT_LOCAL_NAME:
attributeStatement = new AttrStatement();
attributeStatements.add(attributeStatement);
break;
case AuthnStatement.DEFAULT_ELEMENT_LOCAL_NAME:
authenticationStatement = new AuthenticationStatement();
authenticationStatements.add(authenticationStatement);
attrs = xmlStreamReader.getAttributeCount();
for (int i = 0; i < attrs; i++) {
String name = xmlStreamReader.getAttributeLocalName(i);
String value = xmlStreamReader.getAttributeValue(i);
if (AuthnStatement.AUTHN_INSTANT_ATTRIB_NAME.equals(name)) {
authenticationStatement.setAuthnInstant(DateTime.parse(value));
}
}
break;
case AuthnContextClassRef.DEFAULT_ELEMENT_LOCAL_NAME:
if (authenticationStatement != null) {
String classValue = xmlStreamReader.getText();
classValue = classValue.trim();
AuthenticationContextClassRef authenticationContextClassRef =
new AuthenticationContextClassRef();
authenticationContextClassRef.setAuthnContextClassRef(classValue);
AuthenticationContext authenticationContext = new AuthenticationContext();
authenticationContext.setAuthnContextClassRef(authenticationContextClassRef);
authenticationStatement.setAuthnContext(authenticationContext);
}
break;
case Attribute.DEFAULT_ELEMENT_LOCAL_NAME:
attribute = new Attr();
if (attributeStatement != null) {
attributeStatement.addAttribute(attribute);
}
attrs = xmlStreamReader.getAttributeCount();
for (int i = 0; i < attrs; i++) {
String name = xmlStreamReader.getAttributeLocalName(i);
String value = xmlStreamReader.getAttributeValue(i);
if (Attribute.NAME_ATTTRIB_NAME.equals(name)) {
attribute.setName(value);
} else if (Attribute.NAME_FORMAT_ATTRIB_NAME.equals(name)) {
attribute.setNameFormat(value);
}
}
break;
case AttributeValue.DEFAULT_ELEMENT_LOCAL_NAME:
XSString xsString = new XMLString();
xsString.setValue(xmlStreamReader.getElementText());
if (attribute != null) {
attribute.addAttributeValue(xsString);
}
break;
case Issuer.DEFAULT_ELEMENT_LOCAL_NAME:
issuer = xmlStreamReader.getElementText();
break;
case Conditions.DEFAULT_ELEMENT_LOCAL_NAME:
attrs = xmlStreamReader.getAttributeCount();
for (int i = 0; i < attrs; i++) {
String name = xmlStreamReader.getAttributeLocalName(i);
String value = xmlStreamReader.getAttributeValue(i);
if (Conditions.NOT_BEFORE_ATTRIB_NAME.equals(name)) {
notBefore = DatatypeConverter.parseDateTime(value).getTime();
} else if (Conditions.NOT_ON_OR_AFTER_ATTRIB_NAME.equals(name)) {
notOnOrAfter = DatatypeConverter.parseDateTime(value).getTime();
}
}
break;
}
break;
}
case XMLStreamConstants.END_ELEMENT:
{
String localName = xmlStreamReader.getLocalName();
switch (localName) {
case AttributeStatement.DEFAULT_ELEMENT_LOCAL_NAME:
attributeStatement = null;
break;
case Attribute.DEFAULT_ELEMENT_LOCAL_NAME:
attribute = null;
break;
}
break;
}
}
}
} catch (XMLStreamException e) {
LOGGER.error("Unable to parse security token.", e);
} finally {
try {
xmlStreamReader.close();
} catch (XMLStreamException ignore) {
// ignore
}
}
}
@Override
public boolean handleRequest(MessageContext messageContext) {
Session session = getSession(messageContext);
// Get and set relevant message context properties.
org.apache.axis2.context.MessageContext axis2MessageContext =
((Axis2MessageContext) messageContext).getAxis2MessageContext();
String webAppContext = (String) messageContext.getProperty(RESTConstants.REST_API_CONTEXT);
String webAppVersion =
(String) messageContext.getProperty(RESTConstants.SYNAPSE_REST_API_VERSION);
String fullResourceURL =
(String) messageContext.getProperty(RESTConstants.REST_FULL_REQUEST_PATH);
// If the request has come through the default App (the Synapse API without a version),
// remove the version from the request URL when doing a redirection.
String redirectionFriendlyFullRequestPath = getRedirectionReadyFullRequestPath(messageContext);
messageContext.setProperty(
AppMConstants.MESSAGE_CONTEXT_PROPERTY_REDIRECTION_FRIENDLY_FULL_REQUEST_PATH,
redirectionFriendlyFullRequestPath);
String baseURL = String.format("%s/%s/", webAppContext, webAppVersion);
String relativeResourceURL = StringUtils.substringAfter(fullResourceURL, baseURL);
String httpVerb = (String) axis2MessageContext.getProperty(Constants.Configuration.HTTP_METHOD);
// Fetch the web app for the requested context and version.
try {
if (webApp == null) {
int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
webApp =
new DefaultAppRepository(null)
.getWebAppByContextAndVersion(webAppContext, webAppVersion, tenantId);
}
} catch (AppManagementException e) {
String errorMessage =
String.format("Can't fetch the web for '%s' from the repository.", fullResourceURL);
GatewayUtils.logAndThrowException(log, errorMessage, e);
}
messageContext.setProperty(
AppMConstants.MESSAGE_CONTEXT_PROPERTY_APP_ID, webApp.getDatabaseId());
// Find a matched URI template.
URITemplate matchedTemplate =
GatewayUtils.findMatchedURITemplate(webApp, httpVerb, relativeResourceURL);
messageContext.setProperty(
AppMConstants.MESSAGE_CONTEXT_PROPERTY_MATCHED_URI_TEMPLATE, matchedTemplate);
// If the request comes to the ACS URL, then it should be a SAML response or a request from the
// IDP.
if (isACSURL(relativeResourceURL)) {
handleRequestToACSEndpoint(messageContext, session);
// All requests to the ACS URL should be redirected to somewhere. e.g. IDP, app root URL
return false;
}
// Handle logout requests. These requests don't need to be authenticated.
if (GatewayUtils.isLogoutURL(webApp, relativeResourceURL)) {
doLogout(session);
redirectToIDPWithLogoutRequest(messageContext, session);
return false;
}
if (GatewayUtils.isAnonymousAccessAllowed(webApp, matchedTemplate)) {
if (log.isDebugEnabled()) {
GatewayUtils.logWithRequestInfo(
log,
messageContext,
String.format("Request to '%s' is allowed for anonymous access", fullResourceURL));
}
messageContext.setProperty(
AppMConstants.MESSAGE_CONTEXT_PROPERTY_GATEWAY_SKIP_SECURITY, true);
return true;
}
AuthenticationContext authenticationContext = session.getAuthenticationContext();
if (!authenticationContext.isAuthenticated()) {
if (log.isDebugEnabled()) {
GatewayUtils.logWithRequestInfo(
log,
messageContext,
String.format("Request to '%s' is not authenticated", fullResourceURL));
}
session.setRequestedURL(redirectionFriendlyFullRequestPath);
SessionStore.getInstance().updateSession(session);
setSessionCookie(messageContext, session.getUuid());
requestAuthentication(messageContext);
return false;
} else {
if (log.isDebugEnabled()) {
GatewayUtils.logWithRequestInfo(
log,
messageContext,
String.format(
"Request to '%s' is authenticated. Subject = '%s'",
fullResourceURL, authenticationContext.getSubject()));
}
// If this web app has not been access before in this session, redirect to the IDP.
// This is done to make sure SLO works.
if (!session.hasAppBeenAccessedBefore(webApp.getUUID())) {
GatewayUtils.logWithRequestInfo(
log,
messageContext,
"This web app has not been accessed before in the current session. Doing SSO through IDP since it is needed to make SLO work.");
session.setRequestedURL(redirectionFriendlyFullRequestPath);
SessionStore.getInstance().updateSession(session);
requestAuthentication(messageContext);
return false;
}
// Set the session as a message context property.
messageContext.setProperty(AppMConstants.APPM_SAML2_COOKIE, session.getUuid());
if (shouldSendSAMLResponseToBackend()) {
Map<String, String> samlResponses =
(Map<String, String>)
session.getAttribute(SAMLUtils.SESSION_ATTRIBUTE_RAW_SAML_RESPONSES);
String samlResponseForApp = null;
if (samlResponses != null
&& (samlResponseForApp = samlResponses.get(webApp.getUUID())) != null) {
addTransportHeader(messageContext, HTTP_HEADER_SAML_RESPONSE, samlResponseForApp);
if (log.isDebugEnabled()) {
GatewayUtils.logWithRequestInfo(
log, messageContext, "SAML response has been set in the request to the backend.");
}
} else {
if (log.isDebugEnabled()) {
GatewayUtils.logWithRequestInfo(
log, messageContext, "Couldn't find the SAML response for the app in the session.");
}
}
}
if (isJWTEnabled()) {
String jwtHeaderName =
configuration.getFirstProperty(APISecurityConstants.API_SECURITY_CONTEXT_HEADER);
Map<String, String> generatedJWTs =
(Map<String, String>) session.getAttribute(SESSION_ATTRIBUTE_JWTS);
String jwtForApp = null;
if (generatedJWTs != null && (jwtForApp = generatedJWTs.get(webApp.getUUID())) != null) {
addTransportHeader(messageContext, jwtHeaderName, jwtForApp);
if (log.isDebugEnabled()) {
GatewayUtils.logWithRequestInfo(
log, messageContext, "JWT has been set in the request to the backend.");
}
} else {
if (log.isDebugEnabled()) {
GatewayUtils.logWithRequestInfo(
log, messageContext, "Couldn't find the generated JWT for the app in the session.");
}
}
}
return true;
}
}
@Test(expectedExceptions = AuthenticationException.class)
public void testInvalidClientAssertion() throws MalformedURLException {
ctx = new AuthenticationContext(TestConfiguration.AAD_TENANT_ENDPOINT, true, service);
ctx.acquireToken(
TestConfiguration.AAD_RESOURCE_ID, new ClientAssertion("invalid_assertion"), null);
}
