Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Support event ordering for multi factor authentication
[#153527760] https://www.pivotaltracker.com/story/show/153527760 Breaking Change: UserAuthenticationSuccessEvent only happens after all auth steps have been completed - All providers publish a IdentityProviderAuthenticationSuccessEvent upon successful authentication - UserAuthenticationSuccessEvent happens after MFA if MFA is enabled, or at the same time as IdentityProviderAuthenticationSuccessEvent if MFA is disabled
- Loading branch information
Showing
24 changed files
with
514 additions
and
319 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
40 changes: 40 additions & 0 deletions
40
...foundry/identity/uaa/authentication/event/IdentityProviderAuthenticationSuccessEvent.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
/* | ||
* Cloud Foundry | ||
* Copyright (c) [2009-2018] Pivotal Software, Inc. All Rights Reserved. | ||
* <p/> | ||
* This product is licensed to you under the Apache License, Version 2.0 (the "License"). | ||
* You may not use this product except in compliance with the License. | ||
* <p/> | ||
* This product includes a number of subcomponents with | ||
* separate copyright notices and license terms. Your use of these | ||
* subcomponents is subject to the terms and conditions of the | ||
* subcomponent's license, as noted in the LICENSE file | ||
*/ | ||
|
||
package org.cloudfoundry.identity.uaa.authentication.event; | ||
|
||
import org.cloudfoundry.identity.uaa.audit.AuditEvent; | ||
import org.cloudfoundry.identity.uaa.audit.AuditEventType; | ||
import org.cloudfoundry.identity.uaa.user.UaaUser; | ||
import org.springframework.security.core.Authentication; | ||
import org.springframework.util.Assert; | ||
|
||
public class IdentityProviderAuthenticationSuccessEvent extends AbstractUaaAuthenticationEvent { | ||
private final UaaUser user; | ||
|
||
public IdentityProviderAuthenticationSuccessEvent(UaaUser user, Authentication authentication) { | ||
super(authentication); | ||
this.user = user; | ||
} | ||
|
||
@Override | ||
public AuditEvent getAuditEvent() { | ||
Assert.notNull(user, "UaaUser cannot be null"); | ||
return createAuditRecord(user.getId(), AuditEventType.IdentityProviderAuthenticationSuccess, | ||
getOrigin(getAuthenticationDetails()), user.getUsername()); | ||
} | ||
|
||
public UaaUser getUser() { | ||
return user; | ||
} | ||
} |
27 changes: 0 additions & 27 deletions
27
...rg/cloudfoundry/identity/uaa/authentication/event/PasswordAuthenticationSuccessEvent.java
This file was deleted.
Oops, something went wrong.
88 changes: 88 additions & 0 deletions
88
.../org/cloudfoundry/identity/uaa/authentication/listener/AuthenticationSuccessListener.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
/* | ||
* Cloud Foundry | ||
* Copyright (c) [2009-2018] Pivotal Software, Inc. All Rights Reserved. | ||
* <p/> | ||
* This product is licensed to you under the Apache License, Version 2.0 (the "License"). | ||
* You may not use this product except in compliance with the License. | ||
* <p/> | ||
* This product includes a number of subcomponents with | ||
* separate copyright notices and license terms. Your use of these | ||
* subcomponents is subject to the terms and conditions of the | ||
* subcomponent's license, as noted in the LICENSE file | ||
*/ | ||
|
||
package org.cloudfoundry.identity.uaa.authentication.listener; | ||
|
||
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication; | ||
import org.cloudfoundry.identity.uaa.authentication.event.AbstractUaaAuthenticationEvent; | ||
import org.cloudfoundry.identity.uaa.authentication.event.IdentityProviderAuthenticationSuccessEvent; | ||
import org.cloudfoundry.identity.uaa.authentication.event.MfaAuthenticationSuccessEvent; | ||
import org.cloudfoundry.identity.uaa.authentication.event.UserAuthenticationSuccessEvent; | ||
import org.cloudfoundry.identity.uaa.mfa.MfaChecker; | ||
import org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning; | ||
import org.cloudfoundry.identity.uaa.user.UaaUser; | ||
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder; | ||
|
||
import org.springframework.context.ApplicationEvent; | ||
import org.springframework.context.ApplicationEventPublisher; | ||
import org.springframework.context.ApplicationEventPublisherAware; | ||
import org.springframework.context.ApplicationListener; | ||
import org.springframework.security.core.Authentication; | ||
|
||
public class AuthenticationSuccessListener implements ApplicationListener<AbstractUaaAuthenticationEvent>, ApplicationEventPublisherAware { | ||
|
||
private final ScimUserProvisioning scimUserProvisioning; | ||
private final MfaChecker checker; | ||
private ApplicationEventPublisher publisher; | ||
|
||
public AuthenticationSuccessListener(ScimUserProvisioning scimUserProvisioning, | ||
MfaChecker checker) { | ||
this.scimUserProvisioning = scimUserProvisioning; | ||
this.checker = checker; | ||
} | ||
|
||
@Override | ||
public void onApplicationEvent(AbstractUaaAuthenticationEvent event) { | ||
if (event instanceof UserAuthenticationSuccessEvent) { | ||
onApplicationEvent((UserAuthenticationSuccessEvent) event); | ||
} else if (event instanceof IdentityProviderAuthenticationSuccessEvent) { | ||
IdentityProviderAuthenticationSuccessEvent passwordAuthEvent = (IdentityProviderAuthenticationSuccessEvent) event; | ||
UserAuthenticationSuccessEvent userEvent = new UserAuthenticationSuccessEvent( | ||
passwordAuthEvent.getUser(), | ||
(Authentication) passwordAuthEvent.getSource() | ||
); | ||
if (!checker.isMfaEnabled(userEvent.getIdentityZone(), userEvent.getUser().getOrigin())) { | ||
publisher.publishEvent(userEvent); | ||
} | ||
} else if (event instanceof MfaAuthenticationSuccessEvent) { | ||
MfaAuthenticationSuccessEvent mfaEvent = (MfaAuthenticationSuccessEvent) event; | ||
UserAuthenticationSuccessEvent userEvent = new UserAuthenticationSuccessEvent( | ||
mfaEvent.getUser(), | ||
(Authentication) mfaEvent.getSource() | ||
); | ||
publisher.publishEvent(userEvent); | ||
} | ||
} | ||
|
||
protected void onApplicationEvent(UserAuthenticationSuccessEvent event) { | ||
UaaUser user = event.getUser(); | ||
if (user.isLegacyVerificationBehavior() && !user.isVerified()) { | ||
scimUserProvisioning.verifyUser(user.getId(), -1, IdentityZoneHolder.get().getId()); | ||
} | ||
UaaAuthentication authentication = (UaaAuthentication) event.getAuthentication(); | ||
authentication.setLastLoginSuccessTime(user.getLastLogonTime()); | ||
scimUserProvisioning.updateLastLogonTime(user.getId(), IdentityZoneHolder.get().getId()); | ||
} | ||
|
||
|
||
@Override | ||
public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) { | ||
this.publisher = applicationEventPublisher; | ||
} | ||
|
||
public void publish(ApplicationEvent event) { | ||
if (publisher != null) { | ||
publisher.publishEvent(event); | ||
} | ||
} | ||
} |
40 changes: 0 additions & 40 deletions
40
.../cloudfoundry/identity/uaa/authentication/listener/UserAuthenticationSuccessListener.java
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.