Better names for method to record success and failure of authenticati…
…on module..
katkav committed Mar 5, 2023
1 parent 39635d0 commit bdc924d
Showing 5 changed files with 35 additions and 49 deletions.
Expand Up @@ -34,12 +34,8 @@
import com.evolveum.midpoint.model.api.context.AbstractAuthenticationContext;
import com.evolveum.midpoint.model.api.context.PreAuthenticationContext;
import com.evolveum.midpoint.model.api.util.AuthenticationEvaluatorUtil;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.equivalence.ParameterizedEquivalenceStrategy;
import com.evolveum.midpoint.prism.query.ObjectQuery;
import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
Expand Down Expand Up @@ -103,16 +99,16 @@ public UsernamePasswordAuthenticationToken authenticate(ConnectionEnvironment co

if (checkCredentials(principal, authnCtx, connEnv)) {
if (!AuthenticationEvaluatorUtil.checkRequiredAssignmentTargets(focusType, authnCtx.getRequireAssignments())) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, credentialsPolicy, "does not contain required assignment");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, credentialsPolicy, "does not contain required assignment");
throw new InternalAuthenticationServiceException("web.security.flexAuth.invalid.required.assignment");
}
} else {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, credentialsPolicy, "password mismatch");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, credentialsPolicy, "password mismatch");
throw new BadCredentialsException("web.security.provider.invalid.credentials");
}

checkAuthorizations(principal, connEnv, authnCtx);
recordPasswordAuthenticationSuccess(principal, connEnv, false);
recordModuleAuthenticationSuccess(principal, connEnv, false);
return new UsernamePasswordAuthenticationToken(principal, authnCtx.getEnteredCredential(), principal.getAuthorities());
}

Expand All @@ -130,19 +126,19 @@ public FocusType checkCredentials(ConnectionEnvironment connEnv, T authnCtx)
CredentialPolicyType credentialsPolicy = getCredentialsPolicy(principal, authnCtx);

if (!checkCredentials(principal, authnCtx, connEnv)) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, credentialsPolicy, "password mismatch");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, credentialsPolicy, "password mismatch");
throw new BadCredentialsException("web.security.provider.invalid.credentials");
}
checkAuthorizations(principal, connEnv, authnCtx);
recordPasswordAuthenticationSuccess(principal, connEnv, false);
recordModuleAuthenticationSuccess(principal, connEnv, false);
return focusType;
}

private void checkAuthorizations(MidPointPrincipal principal, @NotNull ConnectionEnvironment connEnv, T authnCtx) {
if (supportsAuthzCheck()) {
// Authorizations
if (hasNoneAuthorization(principal)) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, getCredentialsPolicy(principal, authnCtx), "no authorizations");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, getCredentialsPolicy(principal, authnCtx), "no authorizations");
throw new DisabledException("web.security.provider.access.denied");
}
}
Expand All @@ -153,7 +149,7 @@ private boolean checkCredentials(MidPointPrincipal principal, T authnCtx, Connec
FocusType focusType = principal.getFocus();
CredentialsType credentials = focusType.getCredentials();
if (credentials == null || getCredential(credentials) == null) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, getCredentialsPolicy(principal, authnCtx), "no credentials in user");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, getCredentialsPolicy(principal, authnCtx), "no credentials in user");
throw new AuthenticationCredentialsNotFoundException("web.security.provider.invalid.credentials");
}

Expand All @@ -165,7 +161,7 @@ private boolean checkCredentials(MidPointPrincipal principal, T authnCtx, Connec
if (auth instanceof MidpointAuthentication) {
((MidpointAuthentication) auth).setOverLockoutMaxAttempts(true);
}
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, getCredentialsPolicy(principal, authnCtx), "password locked-out");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, getCredentialsPolicy(principal, authnCtx), "password locked-out");
throw new LockedException("web.security.provider.locked");
}

Expand Down Expand Up @@ -207,7 +203,7 @@ public String getAndCheckUserPassword(ConnectionEnvironment connEnv, String user
SecurityPolicyType securityPolicy = principal.getApplicableSecurityPolicy();
PasswordCredentialsPolicyType passwordCredentialsPolicy = SecurityUtil.getEffectivePasswordCredentialsPolicy(securityPolicy);
if (credentials == null) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, passwordCredentialsPolicy, "no credentials in user");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, passwordCredentialsPolicy, "no credentials in user");
throw new AuthenticationCredentialsNotFoundException("web.security.provider.invalid.credentials");
}
PasswordType passwordType = credentials.getPassword();
Expand All @@ -216,7 +212,7 @@ public String getAndCheckUserPassword(ConnectionEnvironment connEnv, String user
AuthenticationAttemptDataType authenticationAttemptData = getAuthenticationData(principal, connEnv);
// Lockout
if (isLockedOut(authenticationAttemptData, passwordCredentialsPolicy)) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, passwordCredentialsPolicy, "password locked-out");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, passwordCredentialsPolicy, "password locked-out");
throw new LockedException("web.security.provider.locked");
}

Expand All @@ -227,7 +223,7 @@ public String getAndCheckUserPassword(ConnectionEnvironment connEnv, String user

// Authorizations
if (hasNoneAuthorization(principal)) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, passwordCredentialsPolicy, "no authorizations");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, passwordCredentialsPolicy, "no authorizations");
throw new InternalAuthenticationServiceException("web.security.provider.access.denied");
}

Expand All @@ -241,16 +237,16 @@ public <AC extends AbstractAuthenticationContext> PreAuthenticatedAuthentication

// Authorizations
if (hasNoneAuthorization(principal)) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "no authorizations");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "no authorizations");
throw new InternalAuthenticationServiceException("web.security.provider.access.denied");
}

if (AuthenticationEvaluatorUtil.checkRequiredAssignmentTargets(principal.getFocus(), authnCtx.getRequireAssignments())) {
PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(principal, null, principal.getAuthorities());
recordPasswordAuthenticationSuccess(principal, connEnv, true);
recordModuleAuthenticationSuccess(principal, connEnv, true);
return token;
} else {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "not contains required assignment");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "not contains required assignment");
throw new InternalAuthenticationServiceException("web.security.flexAuth.invalid.required.assignment");
}
}
Expand All @@ -260,7 +256,7 @@ protected <C extends AbstractAuthenticationContext> MidPointPrincipal getAndChec
ObjectQuery query = authCtx.createFocusQuery();
String username = authCtx.getUsername();
if (query == null) {
recordPasswordAuthenticationFailure(username, null, connEnv, null,"no username");
recordModuleAuthenticationFailure(username, null, connEnv, null,"no username");
throw new UsernameNotFoundException("web.security.provider.invalid.credentials");
}

Expand All @@ -269,32 +265,32 @@ protected <C extends AbstractAuthenticationContext> MidPointPrincipal getAndChec
try {
principal = focusProfileService.getPrincipal(query, clazz);
} catch (ObjectNotFoundException e) {
recordPasswordAuthenticationFailure(username, null, connEnv, null, "no focus");
recordModuleAuthenticationFailure(username, null, connEnv, null, "no focus");
throw new UsernameNotFoundException("web.security.provider.invalid.credentials");
} catch (SchemaException e) {
recordPasswordAuthenticationFailure(username, null, connEnv, null, "schema error");
recordModuleAuthenticationFailure(username, null, connEnv, null, "schema error");
throw new InternalAuthenticationServiceException("web.security.provider.invalid");
} catch (CommunicationException e) {
recordPasswordAuthenticationFailure(username, null, connEnv, null, "communication error");
recordModuleAuthenticationFailure(username, null, connEnv, null, "communication error");
throw new InternalAuthenticationServiceException("web.security.provider.invalid");
} catch (ConfigurationException e) {
recordPasswordAuthenticationFailure(username, null, connEnv, null, "configuration error");
recordModuleAuthenticationFailure(username, null, connEnv, null, "configuration error");
throw new InternalAuthenticationServiceException("web.security.provider.invalid");
} catch (SecurityViolationException e) {
recordPasswordAuthenticationFailure(username, null, connEnv, null, "security violation");
recordModuleAuthenticationFailure(username, null, connEnv, null, "security violation");
throw new InternalAuthenticationServiceException("web.security.provider.invalid");
} catch (ExpressionEvaluationException e) {
recordPasswordAuthenticationFailure(username, null, connEnv, null, "expression error");
recordModuleAuthenticationFailure(username, null, connEnv, null, "expression error");
throw new InternalAuthenticationServiceException("web.security.provider.invalid");
}

if (principal == null) {
recordPasswordAuthenticationFailure(username, null, connEnv, null, "no focus");
recordModuleAuthenticationFailure(username, null, connEnv, null, "no focus");
throw new UsernameNotFoundException("web.security.provider.invalid.credentials");
}

if (supportActivationCheck && !principal.isEnabled()) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "focus disabled");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "focus disabled");
throw new DisabledException("web.security.provider.disabled");
}
return principal;
Expand All @@ -317,7 +313,7 @@ protected boolean hasNoneAuthorization(MidPointPrincipal principal) {
private <P extends CredentialPolicyType> void checkPasswordValidityAndAge(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal, C credentials,
P passwordCredentialsPolicy) {
if (credentials == null) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, passwordCredentialsPolicy, "no stored credential value");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, passwordCredentialsPolicy, "no stored credential value");
throw new AuthenticationCredentialsNotFoundException("web.security.provider.credential.bad");
}

Expand All @@ -334,7 +330,7 @@ private <P extends CredentialPolicyType> void checkPasswordValidityAndAge(Connec
if (changeTimestamp != null) {
XMLGregorianCalendar passwordValidUntil = XmlTypeConverter.addDuration(changeTimestamp, maxAge);
if (clock.isPast(passwordValidUntil)) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, passwordCredentialsPolicy, "password expired");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, passwordCredentialsPolicy, "password expired");
throw new CredentialsExpiredException("web.security.provider.credential.expired");
}
}
Expand All @@ -354,7 +350,7 @@ protected boolean decryptAndMatch(ConnectionEnvironment connEnv, @NotNull MidPoi
// But that would be too hard for system administrator to figure out what is going on - especially
// if the administrator himself cannot log in. Therefore explicitly log those errors here.
LOGGER.error("Error dealing with credentials of user \"{}\" credentials: {}", principal.getUsername(), e.getMessage());
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "error decrypting password: ");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "error decrypting password: ");
throw new AuthenticationServiceException("web.security.provider.unavailable", e);
}
}
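Review bot: The failure reason recorded on the renamed call in this hunk, `"error decrypting password: "`, ends in a colon with nothing appended, so the stored reason is an unfinished sentence while the actual cause is only visible in the LOGGER.error line above it. Either complete the string or drop the trailing colon and space, e.g. `recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "error decrypting password");`. The same dangling reason string appears in the next hunk (the `getPassword` catch block) and should be changed in the same way. The enclosing `decryptAndMatch` method starts before this hunk.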
Expand All @@ -365,7 +361,7 @@ private String getPassword(ConnectionEnvironment connEnv, @NotNull MidPointPrinc
try {
decryptedPassword = protector.decryptString(protectedString);
} catch (EncryptionException e) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "error decrypting password: ");
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "error decrypting password: ");
throw new AuthenticationServiceException("web.security.provider.unavailable", e);
}
} else {
Expand Down Expand Up @@ -411,12 +407,12 @@ private LoginEventType getLastFailedLogin(AuthenticationAttemptDataType authenti
return authenticationAttemptData.getLastFailedAuthentication();
}

protected void recordPasswordAuthenticationSuccess(@NotNull MidPointPrincipal principal, @NotNull ConnectionEnvironment connEnv,
protected void recordModuleAuthenticationSuccess(@NotNull MidPointPrincipal principal, @NotNull ConnectionEnvironment connEnv,
boolean audit) {
authenticationRecorder.recordModuleAuthenticationAttemptSuccess(principal, connEnv);
}

protected void recordPasswordAuthenticationFailure(String username, MidPointPrincipal principal, @NotNull ConnectionEnvironment connEnv,
protected void recordModuleAuthenticationFailure(String username, MidPointPrincipal principal, @NotNull ConnectionEnvironment connEnv,
CredentialPolicyType credentialsPolicy, String reason) {
if (principal != null) {
authenticationRecorder.recordModuleAuthenticationAttemptFailure(principal, credentialsPolicy, connEnv);
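Review bot: The renamed `recordModuleAuthenticationSuccess` at the top of this hunk still takes a `boolean audit` parameter that its body never reads; it calls `authenticationRecorder.recordModuleAuthenticationAttemptSuccess(principal, connEnv)` unconditionally, so the `true` passed by the pre-authenticated path and the `false` passed by the password paths earlier in this file have no effect. If the flag is meant to decide whether a successful login is audited, that intent is silently lost; if it is dead, it should be removed from the signature and its call sites so readers do not assume an audit distinction exists. Since the signature is already being edited here, a Javadoc line stating what `audit` is supposed to control (or its removal) would make the contract explicit. The body of `recordModuleAuthenticationFailure` continues past the end of this hunk.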
Expand Down
Expand Up @@ -7,7 +7,6 @@
package com.evolveum.midpoint.authentication.impl.evaluator;

import com.evolveum.midpoint.model.api.context.PasswordAuthenticationContext;
import com.evolveum.midpoint.model.api.context.PreAuthenticationContext;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.api.SecurityUtil;
Expand All @@ -22,7 +21,6 @@
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.stereotype.Component;

@Component("focusIdentificationEvaluator")
Expand Down Expand Up @@ -59,8 +57,7 @@ protected void validateCredentialNotNull(ConnectionEnvironment connEnv,
ProtectedStringType protectedString = credential.getValue();

if (protectedString == null) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "no stored password value");
// recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, "no stored password value", principal.getFocus().getClass(), false);
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "no stored password value");
throw new AuthenticationCredentialsNotFoundException("web.security.provider.password.bad");
}

Expand Down
Expand Up @@ -51,8 +51,7 @@ protected NonceType getCredential(CredentialsType credentials) {
protected void validateCredentialNotNull(ConnectionEnvironment connEnv,
@NotNull MidPointPrincipal principal, NonceType credential) {
if (credential.getValue() == null) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "no stored nonce value");
// recordAuthenticationBehavior(principal.getUsername(), principal, connEnv,"no stored password value", principal.getFocus().getClass(), false);
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "no stored nonce value");
throw new AuthenticationCredentialsNotFoundException("web.security.provider.nonce.bad");
}
}
Expand Down
Expand Up @@ -57,8 +57,7 @@ protected void validateCredentialNotNull(ConnectionEnvironment connEnv,
ProtectedStringType protectedString = credential.getValue();

if (protectedString == null) {
recordPasswordAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "no stored password value");
// recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, "no stored password value", principal.getFocus().getClass(), false);
recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "no stored password value");
throw new AuthenticationCredentialsNotFoundException("web.security.provider.password.bad");
}

Expand Down
