-
Notifications
You must be signed in to change notification settings - Fork 188
/
SecurityQuestionAuthneticationEvaluatorImpl.java
114 lines (94 loc) · 4.53 KB
/
SecurityQuestionAuthneticationEvaluatorImpl.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
package com.evolveum.midpoint.model.impl.security;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.stereotype.Component;
import com.evolveum.midpoint.model.api.context.SecurityQuestionsAuthenticationContext;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.SecurityUtil;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionAnswerType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionsCredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionsCredentialsType;
@Component("securityQuestionsAuthenticationEvaluator")
public class SecurityQuestionAuthneticationEvaluatorImpl extends AuthenticationEvaluatorImpl<SecurityQuestionsCredentialsType, SecurityQuestionsAuthenticationContext>{
@Override
protected void checkEnteredCredentials(ConnectionEnvironment connEnv,
SecurityQuestionsAuthenticationContext authCtx) {
if (MapUtils.isEmpty(authCtx.getQuestionAnswerMap())) {
recordAuthenticationFailure(authCtx.getUsername(), connEnv, "empty password provided");
throw new BadCredentialsException("web.security.provider.password.encoding");
}
Map<String, String> enteredQuestionAnswer = authCtx.getQuestionAnswerMap();
boolean allBlank = false;
for (String enteredAnswers : enteredQuestionAnswer.values()) {
if (StringUtils.isBlank(enteredAnswers)){
allBlank = true;
}
}
if (allBlank) {
recordAuthenticationFailure(authCtx.getUsername(), connEnv, "empty password provided");
throw new BadCredentialsException("web.security.provider.password.encoding");
}
}
@Override
protected boolean suportsAuthzCheck() {
return true;
}
@Override
protected SecurityQuestionsCredentialsType getCredential(CredentialsType credentials) {
return credentials.getSecurityQuestions();
}
@Override
protected void validateCredentialNotNull(ConnectionEnvironment connEnv, MidPointPrincipal principal,
SecurityQuestionsCredentialsType credential) {
List<SecurityQuestionAnswerType> securityQuestionsAnswers = credential.getQuestionAnswer();
if (securityQuestionsAnswers == null || securityQuestionsAnswers.isEmpty()) {
recordAuthenticationFailure(principal, connEnv, "no stored security questions");
throw new AuthenticationCredentialsNotFoundException("web.security.provider.password.bad");
}
}
@Override
protected boolean passwordMatches(ConnectionEnvironment connEnv, MidPointPrincipal principal,
SecurityQuestionsCredentialsType passwordType, SecurityQuestionsAuthenticationContext authCtx) {
SecurityQuestionsCredentialsPolicyType policy = authCtx.getPolicy();
Integer iNumberOfQuestions = policy.getQuestionNumber();
int numberOfQuestions = 0;
if (iNumberOfQuestions != null){
numberOfQuestions = iNumberOfQuestions.intValue();
}
Map<String, String> enteredQuestionsAnswers = authCtx.getQuestionAnswerMap();
if (numberOfQuestions > enteredQuestionsAnswers.size()){
return false;
}
List<SecurityQuestionAnswerType> quetionsAnswers = passwordType.getQuestionAnswer();
int matched = 0;
for (SecurityQuestionAnswerType questionAnswer : quetionsAnswers){
String enteredAnswer = enteredQuestionsAnswers.get(questionAnswer.getQuestionIdentifier());
if (StringUtils.isNotBlank(enteredAnswer)) {
if (decryptAndMatch(connEnv, principal, questionAnswer.getQuestionAnswer(), enteredAnswer)) {
matched++;
}
}
}
return matched > 0 && matched >= numberOfQuestions;
}
@Override
protected CredentialPolicyType getEffectiveCredentialPolicy(SecurityPolicyType securityPolicy,
SecurityQuestionsAuthenticationContext authnCtx) throws SchemaException {
SecurityQuestionsCredentialsPolicyType policy = authnCtx.getPolicy();
if (policy == null){
policy = SecurityUtil.getEffectiveSecurityQuestionsCredentialsPolicy(securityPolicy);
}
authnCtx.setPolicy(policy);
return policy;
}
}