fix auditing for authentication evaluators
katkav committed Feb 27, 2023
1 parent c537499 commit fec1781
Showing 3 changed files with 55 additions and 26 deletions.
Expand Up @@ -12,6 +12,10 @@

import com.evolveum.midpoint.authentication.api.util.AuthUtil;

import com.evolveum.midpoint.prism.impl.query.ObjectQueryImpl;

import com.evolveum.midpoint.schema.util.ObjectQueryUtil;

import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.MessageSource;
Expand Down Expand Up @@ -96,8 +100,7 @@ public UsernamePasswordAuthenticationToken authenticate(ConnectionEnvironment co

checkEnteredCredentials(connEnv, authnCtx);

MidPointPrincipal principal = getAndCheckPrincipal(connEnv, authnCtx.createFocusQuery(),
authnCtx.getPrincipalType(), authnCtx.isSupportActivationByChannel());
MidPointPrincipal principal = getAndCheckPrincipal(connEnv, authnCtx, authnCtx.isSupportActivationByChannel());

FocusType focusType = principal.getFocus();
CredentialsType credentials = focusType.getCredentials();
Expand Down Expand Up @@ -129,7 +132,7 @@ public FocusType checkCredentials(ConnectionEnvironment connEnv, T authnCtx)

checkEnteredCredentials(connEnv, authnCtx);

MidPointPrincipal principal = getAndCheckPrincipal(connEnv, authnCtx.createFocusQuery(), authnCtx.getPrincipalType(), false);
MidPointPrincipal principal = getAndCheckPrincipal(connEnv, authnCtx, false);

FocusType focusType = principal.getFocus();
CredentialsType credentials = focusType.getCredentials();
Expand Down Expand Up @@ -208,7 +211,7 @@ public String getAndCheckUserPassword(ConnectionEnvironment connEnv, String user
CredentialsExpiredException, AuthenticationServiceException, AccessDeniedException, UsernameNotFoundException {

PreAuthenticationContext preAuthenticationContext = new PreAuthenticationContext(username, FocusType.class, null);
MidPointPrincipal principal = getAndCheckPrincipal(connEnv, preAuthenticationContext.createFocusQuery(), FocusType.class, true);
MidPointPrincipal principal = getAndCheckPrincipal(connEnv, (T) preAuthenticationContext, true);

FocusType focusType = principal.getFocus();
CredentialsType credentials = focusType.getCredentials();
Expand Down Expand Up @@ -243,8 +246,7 @@ public String getAndCheckUserPassword(ConnectionEnvironment connEnv, String user
@Override
public <AC extends AbstractAuthenticationContext> PreAuthenticatedAuthenticationToken authenticateUserPreAuthenticated(ConnectionEnvironment connEnv, AC authnCtx) {

MidPointPrincipal principal = getAndCheckPrincipal(connEnv, authnCtx.createFocusQuery(),
authnCtx.getPrincipalType(), authnCtx.isSupportActivationByChannel());
MidPointPrincipal principal = getAndCheckPrincipal(connEnv, authnCtx, authnCtx.isSupportActivationByChannel());

// Authorizations
if (hasNoneAuthorization(principal)) {
Expand All @@ -263,49 +265,50 @@ public <AC extends AbstractAuthenticationContext> PreAuthenticatedAuthentication
}

@NotNull
protected MidPointPrincipal getAndCheckPrincipal(ConnectionEnvironment connEnv, ObjectQuery query, Class<? extends FocusType> clazz,
boolean supportsActivationCheck) {

// if (StringUtils.isBlank(query)) {
// recordAuthenticationFailure(query, connEnv, "no username");
// throw new UsernameNotFoundException("web.security.provider.invalid.credentials");
// }
protected <C extends AbstractAuthenticationContext> MidPointPrincipal getAndCheckPrincipal(ConnectionEnvironment connEnv, C authCtx, boolean supportActivationCheck) {
ObjectQuery query = authCtx.createFocusQuery();
String username = authCtx.getUsername();
if (query == null) {
recordAuthenticationFailure(username, connEnv, "no username");
throw new UsernameNotFoundException("web.security.provider.invalid.credentials");
}

if (query == null) {
recordAuthenticationFailure(query.debugDump(), connEnv, "no username");
recordAuthenticationFailure(username, connEnv, "no username");
throw new UsernameNotFoundException("web.security.provider.invalid.credentials");
}

Class<? extends FocusType> clazz = authCtx.getPrincipalType();
MidPointPrincipal principal;
try {
principal = focusProfileService.getPrincipal(query, clazz);
} catch (ObjectNotFoundException e) {
recordAuthenticationFailure(query.debugDump(), connEnv, "no focus");
recordAuthenticationFailure(username, connEnv, "no focus");
throw new UsernameNotFoundException("web.security.provider.invalid.credentials");
} catch (SchemaException e) {
recordAuthenticationFailure(query.debugDump(), connEnv, "schema error");
recordAuthenticationFailure(username, connEnv, "schema error");
throw new InternalAuthenticationServiceException("web.security.provider.invalid");
} catch (CommunicationException e) {
recordAuthenticationFailure(query.debugDump(), connEnv, "communication error");
recordAuthenticationFailure(username, connEnv, "communication error");
throw new InternalAuthenticationServiceException("web.security.provider.invalid");
} catch (ConfigurationException e) {
recordAuthenticationFailure(query.debugDump(), connEnv, "configuration error");
recordAuthenticationFailure(username, connEnv, "configuration error");
throw new InternalAuthenticationServiceException("web.security.provider.invalid");
} catch (SecurityViolationException e) {
recordAuthenticationFailure(query.debugDump(), connEnv, "security violation");
recordAuthenticationFailure(username, connEnv, "security violation");
throw new InternalAuthenticationServiceException("web.security.provider.invalid");
} catch (ExpressionEvaluationException e) {
recordAuthenticationFailure(query.debugDump(), connEnv, "expression error");
recordAuthenticationFailure(username, connEnv, "expression error");
throw new InternalAuthenticationServiceException("web.security.provider.invalid");
}

if (principal == null) {
recordAuthenticationBehavior(query.debugDump(), null, connEnv, "no focus", clazz, false);
recordAuthenticationBehavior(username, null, connEnv, "no focus", clazz, false);
throw new UsernameNotFoundException("web.security.provider.invalid.credentials");
}

if (supportsActivationCheck && !principal.isEnabled()) {
recordAuthenticationBehavior(query.debugDump(), principal, connEnv, "focus disabled", clazz, false);
if (supportActivationCheck && !principal.isEnabled()) {
recordAuthenticationBehavior(username, principal, connEnv, "focus disabled", clazz, false);
throw new DisabledException("web.security.provider.disabled");
}
return principal;
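Review bot: The null check on `query` in getAndCheckPrincipal is duplicated — the block right after `String username = authCtx.getUsername();` already records the failure and throws, so the second `if (query == null)` block a few lines below it is unreachable and should be deleted. The `(T) preAuthenticationContext` cast in getAndCheckUserPassword is an unchecked cast that the new signature makes unnecessary, since getAndCheckPrincipal is now generic over `C extends AbstractAuthenticationContext`; `MidPointPrincipal principal = getAndCheckPrincipal(connEnv, preAuthenticationContext, true);` compiles without it. For the audit trail, note that `username` can be null on the "no username" path (AbstractAuthenticationContext.createFocusQuery returns null exactly when the username is blank), so recordAuthenticationFailure is handed a null subject there — confirm it tolerates that or pass an explicit marker so the failure record stays attributable. The methods named in the `@@` headers start outside the shown hunks.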
Expand Up @@ -13,6 +13,8 @@
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;

import org.apache.commons.lang3.StringUtils;

import java.util.List;

public abstract class AbstractAuthenticationContext {
Expand Down Expand Up @@ -57,11 +59,11 @@ public List<ObjectReferenceType> getRequireAssignments() {
public abstract Object getEnteredCredential();

public ObjectQuery createFocusQuery() {
if (username != null) {
if (StringUtils.isNotBlank(username)) {
PolyString usernamePoly = new PolyString(username);
return ObjectQueryUtil.createNormNameQuery(usernamePoly, PrismContext.get());
}
throw new UnsupportedOperationException("Username not specified, probably more concrete context should override this method");
return null;
}

}
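Review bot: `createFocusQuery` now returns null as a signal value instead of throwing, but nothing documents that contract, and every caller must now null-check; add a Javadoc above it such as `/** @return a query matching the focus by normalized name, or {@code null} when no non-blank username is available — callers must handle null. */`. The change from `username != null` to `StringUtils.isNotBlank(username)` also means a whitespace-only username is now treated as absent, which is a deliberate tightening worth one sentence in the same Javadoc. The class body is cut at the hunk edge, so other overrides of this method are not visible here.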
Expand Up @@ -17,11 +17,14 @@
import com.evolveum.midpoint.prism.query.OrFilter;
import com.evolveum.midpoint.prism.query.builder.S_FilterExit;
import com.evolveum.midpoint.prism.query.builder.S_MatchingRuleEntry;
import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ModuleItemConfigurationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;

import org.apache.commons.lang3.StringUtils;

/**
* @author skublik
*/
Expand All @@ -31,6 +34,8 @@ public class FocusIdentificationAuthenticationContext extends AbstractAuthentica
private Map<ItemPath, String> values;
private List<ModuleItemConfigurationType> config;

private String username;

public FocusIdentificationAuthenticationContext(
Map<ItemPath, String> values, Class<? extends FocusType> principalType, List<ModuleItemConfigurationType> config, List<ObjectReferenceType> requireAssignment) {
super(null, principalType, requireAssignment);
Expand Down Expand Up @@ -64,7 +69,12 @@ public ObjectQuery createFocusQuery() {

ObjectQuery query = PrismContext.get().queryFor(getPrincipalType()).build();
query.addFilter(orFilter);
return query;

ObjectQuery simplified = ObjectQueryUtil.simplifyQuery(query);
if (ObjectQueryUtil.isNoneQuery(simplified)) {
return null;
}
return simplified;
}

private ModuleItemConfigurationType findConfigFor(ItemPath path) {
Expand All @@ -85,4 +95,18 @@ private ModuleItemConfigurationType findConfigFor(ItemPath path) {
}
return null;
}

@Override
public String getUsername() {
if (StringUtils.isNotBlank(username)) {
return username;
}
for (String username : values.values()) {
if (StringUtils.isNotBlank(username)) {
this.username = username;
break;
}
}
return username;
}
}
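Review bot: `getUsername()` returns whichever non-blank entry of `values` is iterated first, so the audited subject may be an email, a personal number or any other configured identifier rather than the account name, and if `values` is a HashMap the pick is not deterministic across runs, meaning the same login attempt could be audited under different identifiers. Consider deriving the value from the configured items in `config` order, or joining all non-blank values, and document in a Javadoc that the result is the identifier used for auditing and not necessarily a username. The loop variable in `for (String username : values.values())` also shadows the field declared at the top of the class; renaming it, e.g. `for (String candidate : values.values()) { if (StringUtils.isNotBlank(candidate)) { this.username = candidate; break; } }`, makes the `return username;` after the loop easier to read. The new `private String username` field further shares its name with the superclass field that `super(null, principalType, requireAssignment)` initializes, which invites confusion about which one is observed where.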
