fix for security issue on the self registration page
Kateryna Honchar
committed
May 25, 2023
1 parent
d225fe8
commit c90cf73
Showing
15 changed files
with
399 additions
and
95 deletions.
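--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/PageInvitation.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/login/PageInvitation.java
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2010-2023 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.web.page.login;
+
+import com.evolveum.midpoint.web.application.AuthorizationAction;
+import com.evolveum.midpoint.web.application.PageDescriptor;
+import com.evolveum.midpoint.web.application.Url;
+
+import com.evolveum.midpoint.prism.delta.ObjectDelta;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.SecurityPolicyUtil;
+import com.evolveum.midpoint.security.api.AuthorizationConstants;
+import com.evolveum.midpoint.security.api.SecurityUtil;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.util.exception.*;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+
+@PageDescriptor(urls = { @Url(mountUrl = "/invitation", matchUrlForSecurity = "/invitation") },
+action = {
+@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_UI_INVITATION_URL) })
+public class PageInvitation extends PageSelfRegistration {
+
+private static final long serialVersionUID = 1L;
+
+private static final Trace LOGGER = TraceManager.getTrace(PageInvitation.class);
+
+private static final String DOT_CLASS = PageInvitation.class.getName() + ".";
+
+public PageInvitation() {
+super();
+}
+
+@Override
+protected UserType instantiateUser() {
+return (UserType) getPrincipalFocus();
+}
+
+@Override
+protected ObjectDelta<UserType> prepareUserDelta(Task task, OperationResult result) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException {
+LOGGER.trace("Preparing user MODIFY delta (preregistered user registration)");
+ObjectDelta<UserType> delta;
+if (!isCustomFormDefined()) {
+delta = getPrismContext().deltaFactory().object().createEmptyModifyDelta(UserType.class,
+userModel.getObject().getOid());
+if (getSelfRegistrationConfiguration().getInitialLifecycleState() != null) {
+delta.addModificationReplaceProperty(UserType.F_LIFECYCLE_STATE,
+getSelfRegistrationConfiguration().getInitialLifecycleState());
+}
+delta.addModificationReplaceProperty(SchemaConstants.PATH_PASSWORD_VALUE, createPassword().getValue());
+} else {
+delta = getDynamicFormPanel().getObjectDelta();
+}
+
+delta.addModificationReplaceContainer(SchemaConstants.PATH_NONCE,
+createNonce(getNonceCredentialsPolicy(), task, result).asPrismContainerValue());
+LOGGER.trace("Going to register user with modifications {}", delta);
+return delta;
+}
+
+private NonceCredentialsPolicyType getNonceCredentialsPolicy() {
+SecurityPolicyType securityPolicy = resolveSecurityPolicy();
+if (securityPolicy == null) {
+return null;
+}
+String invitationSequenceIdentifier = SecurityUtil.getInvitationSequenceName(securityPolicy);
+AuthenticationSequenceType invitationSequence = SecurityPolicyUtil.findSequenceByName(securityPolicy, invitationSequenceIdentifier);
+if (invitationSequence == null || invitationSequence.getModule().isEmpty()) {
+return null;
+}
+String moduleIdentifier = invitationSequence.getModule().get(0).getName();
+if (moduleIdentifier == null) {
+return null;
+}
+MailNonceAuthenticationModuleType nonceModule = securityPolicy
+.getAuthentication()
+.getModules()
+.getMailNonce()
+.stream()
+.filter(m -> moduleIdentifier.equals(m.getName()))
+.findFirst()
+.orElse(null);
+if (nonceModule == null) {
+return null;
+}
+String credentialName = nonceModule.getCredentialName();
+if (credentialName == null) {
+return null;
+}
+return securityPolicy
+.getCredentials()
+.getNonce()
+.stream()
+.filter(n -> credentialName.equals(n.getName()))
+.findFirst()
+.orElse(null);
+}
+
+}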
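Review bot: `getNonceCredentialsPolicy()` null-checks the policy, the sequence, the module name and the credential name, but then dereferences `securityPolicy.getAuthentication().getModules().getMailNonce()` and `securityPolicy.getCredentials().getNonce()` unguarded, so a policy that lacks an authentication or credentials container (if the schema allows either to be absent, which the surrounding checks suggest) ends in a NullPointerException instead of the null return the rest of the method uses. Guarding them in the same style, e.g. `if (securityPolicy.getAuthentication() == null || securityPolicy.getAuthentication().getModules() == null) { return null; }` and the equivalent before `getCredentials()`, keeps the method's "null means no nonce policy" contract. `instantiateUser()` casts `getPrincipalFocus()` to `UserType` without a type check, so a non-user principal reaching this page would fail with a ClassCastException; a one-line comment stating that the invitation channel is expected to authenticate users only would at least document that assumption. `DOT_CLASS` is declared but not used anywhere in this file.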
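--- a/...main/java/com/evolveum/midpoint/web/security/channel/InvitationAuthenticationChannel.java
+++ b/...main/java/com/evolveum/midpoint/web/security/channel/InvitationAuthenticationChannel.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2010-2023 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.web.security.channel;
+
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.security.api.Authorization;
+import com.evolveum.midpoint.security.api.AuthorizationConstants;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceChannelType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationType;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+/**
+ * @author skublik
+ */
+
+public class InvitationAuthenticationChannel extends AuthenticationChannelImpl {
+
+public InvitationAuthenticationChannel(AuthenticationSequenceChannelType channel) {
+super(channel);
+}
+
+public String getChannelId() {
+return SchemaConstants.CHANNEL_INVITATION_URI;
+}
+
+public String getPathAfterSuccessfulAuthentication() {
+return "/invitation";
+}
+
+public String getPathAfterUnsuccessfulAuthentication() {
+return "/";
+}
+
+@Override
+public String getSpecificLoginUrl() {
+return "/invitation";
+}
+
+@Override
+public boolean isSupportActivationByChannel() {
+return false;
+}
+
+@Override
+public Collection<Authorization> resolveAuthorities(Collection<Authorization> authorities) {
+ArrayList<Authorization> newAuthorities = new ArrayList<>();
+AuthorizationType authorizationBean = new AuthorizationType();
+authorizationBean.getAction().add(AuthorizationConstants.AUTZ_UI_INVITATION_URL);
+Authorization selfServiceCredentialsAuthz = new Authorization(authorizationBean);
+newAuthorities.add(selfServiceCredentialsAuthz);
+authorities.addAll(newAuthorities);
+return authorities;
+}
+}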
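Review bot: `getChannelId()`, `getPathAfterSuccessfulAuthentication()` and `getPathAfterUnsuccessfulAuthentication()` carry no `@Override` while the three methods below them do; if they are meant to override `AuthenticationChannelImpl` (outside this hunk), the annotation protects against a silent signature mismatch, so add `@Override` above each. In `resolveAuthorities` the intermediate `newAuthorities` list does nothing that `authorities.add(new Authorization(authorizationBean));` would not, and the local name `selfServiceCredentialsAuthz` reads as copied from another channel — `invitationAuthz` names what it holds. The method also mutates and returns the caller's `authorities` collection in place, which only works for a mutable collection; a one-line comment on the method stating that contract would help callers. The class Javadoc has only `@author`; a sentence such as `Authentication channel for the invitation flow; grants the invitation-page UI authorization to every subject authenticated on this channel.` states its purpose.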
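--- a/...ain/java/com/evolveum/midpoint/web/security/factory/channel/InvitationChannelFactory.java
+++ b/...ain/java/com/evolveum/midpoint/web/security/factory/channel/InvitationChannelFactory.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2010-2023 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+package com.evolveum.midpoint.web.security.factory.channel;
+
+import com.evolveum.midpoint.model.api.authentication.AuthenticationChannel;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.web.security.channel.InvitationAuthenticationChannel;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceChannelType;
+
+import org.springframework.stereotype.Component;
+
+@Component
+public class InvitationChannelFactory extends AbstractChannelFactory {
+@Override
+public boolean match(String channelId) {
+return SchemaConstants.CHANNEL_INVITATION_URI.equals(channelId);
+}
+
+@Override
+public AuthenticationChannel createAuthChannel(AuthenticationSequenceChannelType channel) {
+return new InvitationAuthenticationChannel(channel);
+}
+
+@Override
+protected Integer getOrder() {
+return 10;
+}
+}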
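Review bot: `getOrder()` returns the bare literal `10` with nothing saying what it is ordered against; `AbstractChannelFactory` and the sibling factories are outside this hunk, so a reader cannot tell whether the value must be unique or merely relative, and a comment such as `// position among channel factories; keep distinct from the other factories' order values` (or a named constant) would make the choice reviewable. The class has no Javadoc either; `/** Creates the {@link InvitationAuthenticationChannel} for sequences whose channel id is {@code CHANNEL_INVITATION_URI}. */` states what `match` and `createAuthChannel` show.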