Skip to content

Commit

Permalink
fix(oxauth): update method to calculate user devices
Browse files Browse the repository at this point in the history
Signed-off-by: Yuriy Movchan <[email protected]>
  • Loading branch information
yurem committed Jul 2, 2024
1 parent a439df1 commit 39b98cc
Show file tree
Hide file tree
Showing 2 changed files with 36 additions and 72 deletions.
61 changes: 29 additions & 32 deletions Server/integrations/fido2/Fido2ExternalAuthenticator.py
Original file line number Diff line number Diff line change
Expand Up @@ -16,13 +16,13 @@
from org.gluu.util import StringHelper
from java.util import Arrays
from java.util.concurrent.locks import ReentrantLock
from javax.ws.rs import ClientErrorException
from javax.ws.rs.core import Response
from javax.faces.context import FacesContext

import java
import sys
try:
import json
except ImportError:
import simplejson as json
import json

class PersonAuthentication(PersonAuthenticationType):
def __init__(self, currentTimeMillis):
Expand All @@ -43,9 +43,9 @@ def init(self, customScript, configurationAttributes):

self.metaDataLoaderLock = ReentrantLock()
self.metaDataConfiguration = None

print "Fido2. Initialized successfully"
return True
return True

def destroy(self, configurationAttributes):
print "Fido2. Destroy"
Expand All @@ -54,10 +54,7 @@ def destroy(self, configurationAttributes):

def getApiVersion(self):
return 11

def getAuthenticationMethodClaims(self, requestParameters):
return None


def isValidAuthenticationMethod(self, usageType, configurationAttributes):
return True

Expand All @@ -74,9 +71,8 @@ def authenticate(self, configurationAttributes, requestParameters, step):

if step == 1:
print "Fido2. Authenticate for step 1"

identity.setWorkingParameter("platformAuthenticatorAvailable",ServerUtil.getFirstValue(requestParameters, "loginForm:platformAuthenticator"))

user_password = credentials.getPassword()
logged_in = False
if StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password):
Expand All @@ -89,7 +85,7 @@ def authenticate(self, configurationAttributes, requestParameters, step):
return True
elif step == 2:
print "Fido2. Authenticate for step 2"

token_response = ServerUtil.getFirstValue(requestParameters, "tokenResponse")
if token_response == None:
print "Fido2. Authenticate for step 2. tokenResponse is empty"
Expand Down Expand Up @@ -132,7 +128,7 @@ def authenticate(self, configurationAttributes, requestParameters, step):
return False

return False
else:
else:
return False

def prepareForStep(self, configurationAttributes, requestParameters, step):
Expand All @@ -157,14 +153,18 @@ def prepareForStep(self, configurationAttributes, requestParameters, step):
userName = user.getUserId()

metaDataConfiguration = self.getMetaDataConfiguration()

assertionResponse = None
attestationResponse = None

facesContext = CdiUtil.bean(FacesContext)
domain = facesContext.getExternalContext().getRequest().getServerName()


# Check if user have registered devices
userService = CdiUtil.bean(UserService)
countFido2Devices = userService.countFidoAndFido2Devices(userName, self.fido2_domain)
if countFido2Devices > 0:
count = CdiUtil.bean(UserService).countFido2RegisteredDevices(userName, domain)

if count > 0:
print "Fido2. Prepare for step 2. Call Fido2 endpoint in order to start assertion flow"

try:
Expand All @@ -176,6 +176,7 @@ def prepareForStep(self, configurationAttributes, requestParameters, step):
identity.setWorkingParameter("platformAuthenticatorAvailable", "true")
else:
identity.setWorkingParameter("platformAuthenticatorAvailable", "false")

except ClientErrorException, ex:
print "Fido2. Prepare for step 2. Failed to start assertion flow. Exception:", sys.exc_info()[1]
return False
Expand All @@ -184,18 +185,17 @@ def prepareForStep(self, configurationAttributes, requestParameters, step):

try:
attestationService = Fido2ClientFactory.instance().createAttestationService(metaDataConfiguration)

platformAuthenticatorAvailable = identity.getWorkingParameter("platformAuthenticatorAvailable") == "true"
basic_json = {'username': userName, 'displayName': userName, 'attestation' : 'direct'}
print "% s" % identity.getWorkingParameter("platformAuthenticatorAvailable")
if platformAuthenticatorAvailable is True:
# the reason behind userVerification = discouraged --> https://chromium.googlesource.com/chromium/src/+/master/content/browser/webauth/uv_preferred.md
# the reason behind userVerification = discouraged --> https://chromium.googlesource.com/chromium/src/+/master/content/browser/webauth/uv_preferred.md
platform_json = {"authenticatorSelection":{"authenticatorAttachment":"platform","requireResidentKey" : "false", "userVerification" : "discouraged" } }
basic_json.update(platform_json)

# also need to add this --> excludeCredentials : [//registered ids]
print " basic_json %s" % basic_json

attestationRequest = json.dumps(basic_json)
#, separators=(',', ':'))

Expand Down Expand Up @@ -241,28 +241,26 @@ def logout(self, configurationAttributes, requestParameters):

def getAuthenticationMethodClaims(self, requestParameters):
return None

def getLogoutExternalUrl(self, configurationAttributes, requestParameters):
print "Get external logout URL call"
return None


return None

def getMetaDataConfiguration(self):
if self.metaDataConfiguration != None:
return self.metaDataConfiguration

self.metaDataLoaderLock.lock()
# Make sure that another thread not loaded configuration already
# Make sure that another thread not loaded configuration already
if self.metaDataConfiguration != None:
return self.metaDataConfiguration

try:
print "Fido2. Initialization. Downloading Fido2 metadata"
self.fido2_server_metadata_uri = self.fido2_server_uri + "/.well-known/fido2-configuration"
#self.fido2_server_metadata_uri = self.fido2_server_uri + "/fido2/restv1/fido2/configuration"

metaDataConfigurationService = Fido2ClientFactory.instance().createMetaDataConfigurationService(self.fido2_server_metadata_uri)

max_attempts = 10
for attempt in range(1, max_attempts + 1):
try:
Expand All @@ -272,9 +270,8 @@ def getMetaDataConfiguration(self):
# Detect if last try or we still get Service Unavailable HTTP error
if (attempt == max_attempts) or (ex.getResponse().getResponseStatus() != Response.Status.SERVICE_UNAVAILABLE):
raise ex

java.lang.Thread.sleep(3000)
print "Attempting to load metadata: %d" % attempt
finally:
self.metaDataLoaderLock.unlock()

47 changes: 7 additions & 40 deletions Server/src/main/java/org/gluu/oxauth/service/UserService.java
Original file line number Diff line number Diff line change
Expand Up @@ -53,61 +53,28 @@ protected String getPeopleBaseDn() {
return staticConfiguration.getBaseDn().getPeople();
}

public long countFido2RegisteredDevices(String username) {

public long countFido2RegisteredDevices(String username, String domain) {
String userInum = getUserInum(username);
if (userInum == null) {
return 0;
}

String baseDn = getBaseDnForFido2RegistrationEntries(userInum);
if (persistenceEntryManager.hasBranchesSupport(baseDn)) {
if (!persistenceEntryManager.contains(baseDn, SimpleBranch.class)) {
if (!persistenceEntryManager.contains(baseDn, SimpleBranch.class)) {
return 0;
}
}
}

Filter userInumFilter = Filter.createEqualityFilter("personInum", userInum);
Filter registeredFilter = Filter.createEqualityFilter("oxStatus", "registered");
Filter filter = Filter.createANDFilter(userInumFilter, registeredFilter);

long countEntries = persistenceEntryManager.countEntries(baseDn, Fido2RegistrationEntry.class, filter);
Filter domainFilter = Filter.createEqualityFilter("oxApplication", domain);
Filter filter = Filter.createANDFilter(userInumFilter, registeredFilter, domainFilter);

return countEntries;
return persistenceEntryManager.countEntries(baseDn, Fido2RegistrationEntry.class, filter);
}

public long countFidoRegisteredDevices(String username, String domain) {
String userInum = getUserInum(username);
if (userInum == null) {
return 0;
}

String baseDn = getBaseDnForFidoDevices(userInum);
if (persistenceEntryManager.hasBranchesSupport(baseDn)) {
if (!persistenceEntryManager.contains(baseDn, SimpleBranch.class)) {
return 0;
}
}

Filter userInumFilter = Filter.createEqualityFilter("personInum", userInum);
Filter activeFilter = Filter.createEqualityFilter("oxStatus", DeviceRegistrationStatus.ACTIVE.getValue());
Filter filter = Filter.createANDFilter(userInumFilter, activeFilter);

List<DeviceRegistration> fidoRegistrations = persistenceEntryManager.findEntries(baseDn, DeviceRegistration.class, filter);
if (StringUtils.isEmpty(domain)) {
return fidoRegistrations.size();
}

long deviceCount = fidoRegistrations.parallelStream()
.filter(f -> StringHelper.equals(domain, networkService.getHost(f.getApplication()))).count();

return deviceCount;
}

public long countFidoAndFido2Devices(String username, String domain) {
return countFidoRegisteredDevices(username, domain) + countFido2RegisteredDevices(username);
}


public String getBaseDnForFido2RegistrationEntries(String userInum) {
final String userBaseDn = getDnForUser(userInum); // "ou=fido2_register,inum=1234,ou=people,o=gluu"

Expand Down

0 comments on commit 39b98cc

Please sign in to comment.