Initial logging
fhanik committed Dec 16, 2016
1 parent 8da1a30 commit adc11e1
Showing 2 changed files with 36 additions and 8 deletions.
Expand Up @@ -109,6 +109,7 @@ public UaaUserDatabase getUserDatabase() {

@Override
public Authentication authenticate(Authentication request) throws AuthenticationException {
logger.debug("Starting external authentication for:"+request);
ExternalAuthenticationDetails authenticationData = getExternalAuthenticationDetails(request);
UaaUser userFromRequest = getUser(request, authenticationData);
if (userFromRequest == null) {
Expand All @@ -118,8 +119,10 @@ public Authentication authenticate(Authentication request) throws Authentication
UaaUser userFromDb;

try {
logger.debug(String.format("Searching for user by (username:%s , origin:%s)", userFromRequest.getUsername(), getOrigin()));
userFromDb = userDatabase.retrieveUserByName(userFromRequest.getUsername(), getOrigin());
} catch (UsernameNotFoundException e) {
logger.debug(String.format("Searching for user by (email:%s , origin:%s)", userFromRequest.getEmail(), getOrigin()));
userFromDb = userDatabase.retrieveUserByEmail(userFromRequest.getEmail(), getOrigin());
}

Expand Down Expand Up @@ -165,6 +168,7 @@ protected void populateAuthenticationAttributes(UaaAuthentication authentication
if (authentication.getUserAttributes()!=null && authentication.getUserAttributes().size()>0 && getProviderProvisioning()!=null) {
IdentityProvider<ExternalIdentityProviderDefinition> provider = getProviderProvisioning().retrieveByOrigin(getOrigin(), IdentityZoneHolder.get().getId());
if (provider.getConfig()!=null && provider.getConfig().areCustomAttributesStored()) {
logger.debug("Storing custom attributes for user_id:"+authentication.getPrincipal().getId());
getUserDatabase().storeUserInfo(authentication.getPrincipal().getId(), new UserInfo(authentication.getUserAttributes()));
}
}
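Review bot: The debug line added at the top of `authenticate` concatenates the whole `request` object into the message, so what reaches the log depends entirely on that Authentication implementation's `toString()`; for a token type whose credentials are an authorization code or an id_token this can write the secret out at debug level, which is at odds with the masking this same commit adds around `code` in the other file. Log an identifying field rather than the object, e.g. `logger.debug("Starting external authentication for type:" + request.getClass().getSimpleName() + " name:" + request.getName());`. The same concern applies, more mildly, to the later `Searching for user by (email:...)` lines, which put user e-mail addresses into the log. The body of `authenticate` continues outside the hunk.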
Expand Up @@ -15,6 +15,8 @@

import com.fasterxml.jackson.core.type.TypeReference;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.manager.ExternalGroupAuthorizationEvent;
import org.cloudfoundry.identity.uaa.authentication.manager.ExternalLoginAuthenticationManager;
Expand All @@ -34,6 +36,7 @@
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserPrototype;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.util.LinkedMaskingMultiValueMap;
import org.cloudfoundry.identity.uaa.util.TokenValidation;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.core.ParameterizedTypeReference;
Expand Down Expand Up @@ -84,6 +87,7 @@

public class XOAuthAuthenticationManager extends ExternalLoginAuthenticationManager<XOAuthAuthenticationManager.AuthenticationData> {

public static Log logger = LogFactory.getLog(XOAuthAuthenticationManager.class);

public XOAuthAuthenticationManager(IdentityProviderProvisioning providerProvisioning) {
super(providerProvisioning);
Expand Down Expand Up @@ -113,8 +117,11 @@ protected AuthenticationData getExternalAuthenticationDetails(Authentication aut
String username;
if (StringUtils.hasText(userNameAttributePrefix)) {
username = (String) claims.get(userNameAttributePrefix);
logger.debug(String.format("Extracted username for claim: %s and username is: %s", userNameAttributePrefix, username));
} else {
username = (String) claims.get("preferred_username");
String preferredUsername = "preferred_username";
username = (String) claims.get(preferredUsername);
logger.debug(String.format("Extracted username for claim: %s and username is: %s", preferredUsername, username));
}

authenticationData.setUsername(username);
Expand All @@ -123,7 +130,7 @@ protected AuthenticationData getExternalAuthenticationDetails(Authentication aut
Optional.ofNullable(attributeMappings).ifPresent(map -> authenticationData.setAttributeMappings(new HashMap<>(map)));
return authenticationData;
}

logger.debug("No identity provider found for origin:"+getOrigin()+" and zone:"+IdentityZoneHolder.get().getId());
return null;
}

Expand Down Expand Up @@ -158,11 +165,13 @@ protected void populateAuthenticationAttributes(UaaAuthentication authentication
}
}
MultiValueMap<String, String> userAttributes = new LinkedMultiValueMap<>();
logger.debug("Mapping XOauth custom attributes");
for (Map.Entry<String, Object> entry : authenticationData.getAttributeMappings().entrySet()) {
if (entry.getKey().startsWith(USER_ATTRIBUTE_PREFIX) && entry.getValue() != null) {
String key = entry.getKey().substring(USER_ATTRIBUTE_PREFIX.length());
Object values = claims.get(entry.getValue());
if (values != null) {
logger.debug(String.format("Mapped XOauth attribute %s to %s", key, values));
if (values instanceof List) {
List list = (List)values;
List<String> strings = (List<String>) list.stream()
Expand Down Expand Up @@ -193,7 +202,7 @@ protected UaaUser getUser(Authentication request, AuthenticationData authenticat
if (email == null) {
email = generateEmailIfNull(username);
}

logger.debug(String.format("Returning user data for username:%s, email:%s", username, email));
return new UaaUser(
new UaaUserPrototype()
.withEmail(email)
Expand All @@ -212,6 +221,7 @@ protected UaaUser getUser(Authentication request, AuthenticationData authenticat
.withSalt(null)
.withPasswordLastModified(null));
}
logger.debug("Authenticate data is missing, unable to return user");
return null;
}

Expand All @@ -222,6 +232,7 @@ private List<? extends GrantedAuthority> extractXOAuthUserAuthorities(Map<String
} else if (attributeMappings.get(GROUP_ATTRIBUTE_NAME) instanceof Collection) {
groupNames.addAll((Collection) attributeMappings.get(GROUP_ATTRIBUTE_NAME));
}
logger.debug("Extracting XOauth group names:"+groupNames);

Set<String> scopes = new HashSet<>();
for (String g : groupNames) {
Expand All @@ -232,6 +243,7 @@ private List<? extends GrantedAuthority> extractXOAuthUserAuthorities(Map<String
scopes.addAll((Collection<? extends String>) roles);
}
}
logger.debug("Extracting XOauth scopes:"+scopes);

List<XOAuthUserAuthority> authorities = new ArrayList<>();
for (String scope : scopes) {
Expand All @@ -246,9 +258,10 @@ protected UaaUser userAuthenticated(Authentication request, UaaUser userFromRequ
boolean userModified = false;
boolean is_invitation_acceptance = isAcceptedInvitationAuthentication();
String email = userFromRequest.getEmail();

logger.debug("XOAUTH user authenticated:"+email);
if (is_invitation_acceptance) {
String invitedUserId = (String) RequestContextHolder.currentRequestAttributes().getAttribute("user_id", RequestAttributes.SCOPE_SESSION);
logger.debug("XOAUTH user accepted invitation, user_id:"+invitedUserId);
userFromDb = getUserDatabase().retrieveUserById(invitedUserId);
if (email != null) {
if (!email.equalsIgnoreCase(userFromDb.getEmail())) {
Expand All @@ -262,6 +275,7 @@ protected UaaUser userAuthenticated(Authentication request, UaaUser userFromRequ
//we must check and see if the email address has changed between authentications
if (request.getPrincipal() != null) {
if (haveUserAttributesChanged(userFromDb, userFromRequest)) {
logger.debug("User attributed have changed, updating them.");
userFromDb = userFromDb.modifyAttributes(email, userFromRequest.getGivenName(), userFromRequest.getFamilyName(), userFromRequest.getPhoneNumber()).modifyUsername(userFromRequest.getUsername());
userModified = true;
}
Expand Down Expand Up @@ -332,22 +346,25 @@ protected Map<String, Object> getClaimsFromToken(XOAuthCodeToken codeToken, Abst
}

protected Map<String, Object> getClaimsFromToken(String idToken, AbstractXOAuthIdentityProviderDefinition config) {
logger.debug("Extracting claims from id_token");
if (idToken == null) {
logger.debug("id_token is null, no claims returned.");
return null;
}

JsonWebKeySet tokenKey = getTokenKeyFromOAuth(config);

logger.debug("Validating id_token");
TokenValidation validation = validate(idToken)
.checkSignature(new ChainedSignatureVerifier(tokenKey))
.checkIssuer((StringUtils.isEmpty(config.getIssuer()) ? config.getTokenUrl().toString() : config.getIssuer()))
.checkAudience(config.getRelyingPartyId())
.checkExpiry()
.throwIfInvalid();
logger.debug("Decoding id_token");
Jwt decodeIdToken = validation.getJwt();

return JsonUtils.readValue(decodeIdToken.getClaims(), new TypeReference<Map<String, Object>>() {
});
logger.debug("Deserializing id_token claims");
return JsonUtils.readValue(decodeIdToken.getClaims(), new TypeReference<Map<String, Object>>() {});
}

private JsonWebKeySet<JsonWebKey> getTokenKeyFromOAuth(AbstractXOAuthIdentityProviderDefinition config) {
Expand All @@ -356,6 +373,7 @@ private JsonWebKeySet<JsonWebKey> getTokenKeyFromOAuth(AbstractXOAuthIdentityPro
Map<String, Object> p = new HashMap<>();
p.put("value", tokenKey);
p.put("kty", KeyInfo.isAssymetricKey(tokenKey) ? RSA.name() : MAC.name());
logger.debug("Key configured, returning.");
return new JsonWebKeySet<>(Arrays.asList(new JsonWebKey(p)));
}
URL tokenKeyUrl = config.getTokenKeyUrl();
Expand All @@ -367,7 +385,9 @@ private JsonWebKeySet<JsonWebKey> getTokenKeyFromOAuth(AbstractXOAuthIdentityPro
headers.add("Authorization", getClientAuthHeader(config));
headers.add("Accept", "application/json");
HttpEntity tokenKeyRequest = new HttpEntity<>(null, headers);
logger.debug("Fetching token keys from:"+tokenKeyUrl);
ResponseEntity<String> responseEntity = getRestTemplate(config).exchange(tokenKeyUrl.toString(), HttpMethod.GET, tokenKeyRequest, String.class);
logger.debug("Token key response:"+responseEntity.getStatusCode());
if (responseEntity.getStatusCode() == HttpStatus.OK) {
return JsonWebKeyHelper.deserialize(responseEntity.getBody());
} else {
Expand All @@ -377,9 +397,10 @@ private JsonWebKeySet<JsonWebKey> getTokenKeyFromOAuth(AbstractXOAuthIdentityPro

private String getTokenFromCode(XOAuthCodeToken codeToken, AbstractXOAuthIdentityProviderDefinition config) {
if (StringUtils.hasText(codeToken.getIdToken()) && "id_token".equals(getResponseType(config))) {
logger.debug("XOauthCodeToken contains id_token, not exchanging code.");
return codeToken.getIdToken();
}
MultiValueMap<String, String> body = new LinkedMultiValueMap<>();
MultiValueMap<String, String> body = new LinkedMaskingMultiValueMap<>("code");
body.add("grant_type", "authorization_code");
body.add("response_type", getResponseType(config));
body.add("code", codeToken.getCode());
Expand All @@ -395,10 +416,12 @@ private String getTokenFromCode(XOAuthCodeToken codeToken, AbstractXOAuthIdentit
try {
requestUri = config.getTokenUrl().toURI();
} catch (URISyntaxException e) {
logger.error("Invalid URI configured:"+config.getTokenUrl(), e);
return null;
}

try {
logger.debug(String.format("Performing token exchange with url:%s and request:%s", requestUri, body));
// A configuration that skips SSL/TLS validation requires clobbering the rest template request factory
// setup by the bean initializer.
ResponseEntity<Map<String, String>> responseEntity =
Expand All @@ -409,6 +432,7 @@ private String getTokenFromCode(XOAuthCodeToken codeToken, AbstractXOAuthIdentit
new ParameterizedTypeReference<Map<String, String>>() {
}
);
logger.debug(String.format("Request completed with status:%s", responseEntity.getStatusCode()));
return responseEntity.getBody().get(ID_TOKEN);
} catch (HttpServerErrorException | HttpClientErrorException ex) {
throw ex;
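Review bot: The logger introduced in the class header hunk is declared `public static Log logger`, i.e. non-final and publicly writable, so any code in the process can replace it, and it also shadows whatever `logger` the parent `ExternalLoginAuthenticationManager` uses (the first file in this commit appears to be that parent, and it logs through a field of the same name). Declare it `private static final Log logger = LogFactory.getLog(XOAuthAuthenticationManager.class);`. Separately, the token-exchange debug line in `getTokenFromCode` formats the entire request `body`; `LinkedMaskingMultiValueMap<>("code")` masks only the `code` key, so any other sensitive parameter added to the body in the collapsed part of that hunk would be written out verbatim — worth confirming the masked key list covers everything the body carries, and that the `Authorization` header built from `getClientAuthHeader(config)` never ends up in a similar message. Minor: the message `"User attributed have changed, updating them."` should read `"User attributes have changed, updating them."`.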
