attribute verification module structure

model/authentication-api/src/main/java/com/evolveum/midpoint/authentication/api/util/AuthenticationModuleNameConstants.java

@@ -22,4 +22,5 @@ public class AuthenticationModuleNameConstants {
     public static final String MAIL_NONCE = "MailNonce";
     public static final String OIDC = "OIDC";
     public static final String OTHER = "Other";
+    public static final String ATTRIBUTE_VERIFICATION = "AttrVerification";
 }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/factory/module/AttributeVerificationModuleFactory.java

@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2022 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.authentication.impl.factory.module;
+
+import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
+import com.evolveum.midpoint.authentication.impl.module.authentication.AttributeVerificationModuleAuthentication;
+import com.evolveum.midpoint.authentication.impl.module.authentication.ModuleAuthenticationImpl;
+import com.evolveum.midpoint.authentication.impl.module.configuration.LoginFormModuleWebSecurityConfiguration;
+import com.evolveum.midpoint.authentication.impl.module.configurer.AttributeVerificationModuleWebSecurityConfigurer;
+import com.evolveum.midpoint.authentication.impl.provider.AttributeVerificationProvider;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.stereotype.Component;
+
+@Component
+public class AttributeVerificationModuleFactory extends AbstractCredentialModuleFactory
+        <LoginFormModuleWebSecurityConfiguration, AttributeVerificationModuleWebSecurityConfigurer<LoginFormModuleWebSecurityConfiguration>> {
+
+    @Override
+    public boolean match(AbstractAuthenticationModuleType moduleType, AuthenticationChannel authenticationChannel) {
+        return moduleType instanceof AttributeVerificationAuthenticationModuleType;
+    }
+
+    @Override
+    protected LoginFormModuleWebSecurityConfiguration createConfiguration(
+            AbstractAuthenticationModuleType moduleType, String prefixOfSequence, AuthenticationChannel authenticationChannel) {
+        LoginFormModuleWebSecurityConfiguration configuration = LoginFormModuleWebSecurityConfiguration.build(moduleType,prefixOfSequence);
+        configuration.setSequenceSuffix(prefixOfSequence);
+        return configuration;
+    }
+
+    @Override
+    protected AttributeVerificationModuleWebSecurityConfigurer<LoginFormModuleWebSecurityConfiguration> createModule(
+            LoginFormModuleWebSecurityConfiguration configuration) {
+        return  getObjectObjectPostProcessor().postProcess(new AttributeVerificationModuleWebSecurityConfigurer<>(configuration));
+    }
+
+    @Override
+    protected AuthenticationProvider createProvider(CredentialPolicyType usedPolicy) {
+        return new AttributeVerificationProvider();
+    }
+
+    @Override
+    protected Class<? extends CredentialPolicyType> supportedClass() {
+        return AttributeVerificationCredentialsPolicyType.class;
+    }
+
+    @Override
+    protected ModuleAuthenticationImpl createEmptyModuleAuthentication(AbstractAuthenticationModuleType moduleType,
+            LoginFormModuleWebSecurityConfiguration configuration, AuthenticationSequenceModuleType sequenceModule) {
+        AttributeVerificationModuleAuthentication moduleAuthentication = new AttributeVerificationModuleAuthentication(sequenceModule);
+        moduleAuthentication.setPrefix(configuration.getPrefixOfModule());
+        moduleAuthentication.setCredentialName(((AbstractCredentialAuthenticationModuleType)moduleType).getCredentialName());
+        moduleAuthentication.setCredentialType(supportedClass());
+        moduleAuthentication.setNameOfModule(configuration.getModuleIdentifier());
+        return moduleAuthentication;
+    }
+
+}

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/authentication/AttributeVerificationModuleAuthentication.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2022 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.authentication.impl.module.authentication;
+
+import com.evolveum.midpoint.authentication.api.util.AuthenticationModuleNameConstants;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceModuleType;
+
+public class AttributeVerificationModuleAuthentication extends CredentialModuleAuthenticationImpl {
+
+    public AttributeVerificationModuleAuthentication(AuthenticationSequenceModuleType sequenceModule) {
+        super(AuthenticationModuleNameConstants.ATTRIBUTE_VERIFICATION, sequenceModule);
+    }
+
+    public ModuleAuthenticationImpl clone() {
+        AttributeVerificationModuleAuthentication module = new AttributeVerificationModuleAuthentication(this.getSequenceModule());
+        module.setAuthentication(this.getAuthentication());
+        super.clone(module);
+        return module;
+    }
+}

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/authentication/token/AttributeVerificationToken.java

@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2022 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.authentication.impl.module.authentication.token;
+
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+
+public class AttributeVerificationToken extends UsernamePasswordAuthenticationToken {
+
+    public AttributeVerificationToken(Object principal, Object credentials) {
+        super(principal, credentials);
+    }
+}

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/module/configurer/AttributeVerificationModuleWebSecurityConfigurer.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2022 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.authentication.impl.module.configurer;
+
+import com.evolveum.midpoint.authentication.api.util.AuthUtil;
+import com.evolveum.midpoint.authentication.impl.entry.point.WicketLoginUrlAuthenticationEntryPoint;
+import com.evolveum.midpoint.authentication.impl.filter.SecurityQuestionsAuthenticationFilter;
+import com.evolveum.midpoint.authentication.impl.filter.configurers.MidpointExceptionHandlingConfigurer;
+import com.evolveum.midpoint.authentication.impl.filter.configurers.MidpointFormLoginConfigurer;
+import com.evolveum.midpoint.authentication.impl.handler.MidPointAuthenticationSuccessHandler;
+import com.evolveum.midpoint.authentication.impl.handler.MidpointAuthenticationFailureHandler;
+import com.evolveum.midpoint.authentication.impl.module.configuration.LoginFormModuleWebSecurityConfiguration;
+
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+
+public class AttributeVerificationModuleWebSecurityConfigurer<C extends LoginFormModuleWebSecurityConfiguration> extends ModuleWebSecurityConfigurer<C> {
+
+    public AttributeVerificationModuleWebSecurityConfigurer(C configuration) {
+        super(configuration);
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        super.configure(http);
+        http.antMatcher(AuthUtil.stripEndingSlashes(getPrefix()) + "/**");
+        getOrApply(http, new MidpointFormLoginConfigurer<>(new SecurityQuestionsAuthenticationFilter()))
+                .loginPage("/verification/attribute")
+                .loginProcessingUrl(AuthUtil.stripEndingSlashes(getPrefix()) + "/spring_security_login")
+                .failureHandler(new MidpointAuthenticationFailureHandler())
+                .successHandler(getObjectPostProcessor().postProcess(
+                        new MidPointAuthenticationSuccessHandler())).permitAll();
+        getOrApply(http, new MidpointExceptionHandlingConfigurer<>())
+                .authenticationEntryPoint(new WicketLoginUrlAuthenticationEntryPoint("/verification/attribute"));
+
+        http.logout().clearAuthentication(true)
+                .logoutRequestMatcher(getLogoutMatcher(http, getPrefix() +"/logout"))
+                .invalidateHttpSession(true)
+                .deleteCookies("JSESSIONID")
+                .logoutSuccessHandler(createLogoutHandler());
+    }
+}

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/provider/AttributeVerificationProvider.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2022 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.authentication.impl.provider;
+
+import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
+import com.evolveum.midpoint.authentication.api.config.AuthenticationEvaluator;
+import com.evolveum.midpoint.authentication.impl.module.authentication.token.AttributeVerificationToken;
+import com.evolveum.midpoint.model.api.authentication.GuiProfiledPrincipal;
+import com.evolveum.midpoint.model.api.context.AttributeVerificationAuthenticationContext;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.Collection;
+import java.util.List;
+
+public class AttributeVerificationProvider extends AbstractCredentialProvider<AttributeVerificationAuthenticationContext> {
+
+    private static final Trace LOGGER = TraceManager.getTrace(AttributeVerificationProvider.class);
+
+    @Autowired
+    private AuthenticationEvaluator<AttributeVerificationAuthenticationContext> authenticationEvaluator;
+
+    @Override
+    protected AuthenticationEvaluator<AttributeVerificationAuthenticationContext> getEvaluator() {
+        return authenticationEvaluator;
+    }
+
+    @Override
+    protected Authentication internalAuthentication(Authentication authentication, List<ObjectReferenceType> requireAssignment,
+            AuthenticationChannel channel, Class<? extends FocusType> focusType) throws AuthenticationException {
+        if (authentication.isAuthenticated() && authentication.getPrincipal() instanceof GuiProfiledPrincipal) {
+            return authentication;
+        }
+        //todo implement
+        return null;
+    }
+
+    @Override
+    protected Authentication createNewAuthenticationToken(Authentication actualAuthentication, Collection<? extends GrantedAuthority> newAuthorities) {
+        if (actualAuthentication instanceof UsernamePasswordAuthenticationToken) {
+            return new UsernamePasswordAuthenticationToken(actualAuthentication.getPrincipal(), actualAuthentication.getCredentials(), newAuthorities);
+        } else {
+            return actualAuthentication;
+        }
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return AttributeVerificationToken.class.equals(authentication);
+    }
+
+    @Override
+    public Class<? extends CredentialPolicyType> getTypeOfCredential() {
+        return AttributeVerificationCredentialsPolicyType.class;
+    }
+
+}

model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/AttributeVerificationAuthenticationContext.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2022 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.model.api.context;
+
+import com.evolveum.midpoint.prism.path.ItemPath;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AttributeVerificationCredentialsPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
+
+import java.util.List;
+import java.util.Map;
+
+public class AttributeVerificationAuthenticationContext  extends AbstractAuthenticationContext{
+
+    private Map<ItemPath, String> attributeValuesMap;
+    private AttributeVerificationCredentialsPolicyType policy;
+
+    public AttributeVerificationAuthenticationContext(String username, Class<? extends FocusType> principalType, Map<ItemPath, String> attributeValuesMap) {
+        this(username, principalType, attributeValuesMap, null);
+    }
+
+    public AttributeVerificationAuthenticationContext(String username, Class<? extends FocusType> principalType, Map<ItemPath, String> attributeValuesMap, List<ObjectReferenceType> requireAssignment) {
+        super(username, principalType, requireAssignment);
+        this.attributeValuesMap = attributeValuesMap;
+    }
+
+
+    public Map<ItemPath, String> getAttributeValuesMap() {
+        return attributeValuesMap;
+    }
+
+    @Override
+    public Object getEnteredCredential() {
+        return getAttributeValuesMap();
+    }
+
+    public AttributeVerificationCredentialsPolicyType getPolicy() {
+        return policy;
+    }
+
+    public void setPolicy(AttributeVerificationCredentialsPolicyType policy) {
+        this.policy = policy;
+    }
+
+
+}