org.jasig.cas.authentication.principal.Response Java Examples
The following examples show how to use
org.jasig.cas.authentication.principal.Response.
Example #1
Source File: OpenIdServiceTests.java From springboot-shiro-cas-mybatis with MIT License | 6 votes |
/**
 * Exercises {@code getResponse} with a ticket id and with {@code null}.
 *
 * <p>For the ticket id {@code "test"} the response attributes are expected to carry
 * that id as {@code openid.assoc_handle} plus the return-to and identity URLs; for a
 * {@code null} ticket id the response is expected to have {@code openid.mode=cancel}.
 */
@Test
public void verifyGetResponse() {
    openIdService = OpenIdService.createServiceFrom(request, null);
    final Response ticketResponse = openIdService.getResponse("test");

    // The test expects that building the response never validates the service ticket.
    try {
        verify(cas, never()).validateServiceTicket("test", openIdService);
    } catch (final Exception e) {
        // Only logged: an Exception raised here does not fail the test.
        LOGGER.debug("Exception during verification of service ticket", e);
    }

    assertNotNull(ticketResponse);
    assertEquals("test", ticketResponse.getAttributes().get("openid.assoc_handle"));
    assertEquals("http://www.ja-sig.org/?service=fa", ticketResponse.getAttributes().get("openid.return_to"));
    assertEquals("http://openid.ja-sig.org/battags", ticketResponse.getAttributes().get("openid.identity"));

    // No ticket id: the response must be a cancel.
    final Response cancelResponse = openIdService.getResponse(null);
    assertEquals("cancel", cancelResponse.getAttributes().get("openid.mode"));
}
Example #2
Source File: OpenIdServiceTests.java From springboot-shiro-cas-mybatis with MIT License | 6 votes |
/**
 * Checks that a request whose association handle resolves to an expired association
 * gets a response with the single attribute {@code openid.mode=cancel}.
 */
@Test
public void verifyExpiredAssociationGetResponse() {
    request.addParameter("openid.assoc_handle", "test");
    openIdService = OpenIdService.createServiceFrom(request, null);

    Association shortLived = null;
    try {
        // The last argument (2) is presumably the lifetime in seconds; the 3000 ms wait
        // below is meant to outlast it.
        shortLived = Association.generate(Association.TYPE_HMAC_SHA1, "test", 2);
    } catch (final Exception e) {
        fail("Could not generate association");
    }
    when(sharedAssociations.load("test")).thenReturn(shortLived);

    // Let the association run out before asking for the response.
    synchronized (this) {
        try {
            this.wait(3000);
        } catch (final InterruptedException ie) {
            fail("Could not wait long enough to check association expiry date");
        }
    }

    final Response expiredResponse = openIdService.getResponse("test");
    request.removeParameter("openid.assoc_handle");

    assertNotNull(expiredResponse);
    assertEquals(1, expiredResponse.getAttributes().size());
    assertEquals("cancel", expiredResponse.getAttributes().get("openid.mode"));
}
Example #3
Source File: OpenIdServiceTests.java From cas4.0.x-server-wechat with Apache License 2.0 | 6 votes |
/**
 * Exercises {@code getResponse} with a ticket id and with {@code null}.
 *
 * <p>The server manager and the central authentication service are served from the
 * mocked application context. For the ticket id {@code "test"} the attributes are
 * expected to carry that id as {@code openid.assoc_handle} plus the return-to and
 * identity URLs; for {@code null} the response is expected to be a cancel.
 */
@Test
public void testGetResponse() {
    openIdService = OpenIdService.createServiceFrom(request);
    when(context.getBean("serverManager")).thenReturn(manager);
    when(context.getBean("centralAuthenticationService")).thenReturn(cas);

    final Response ticketResponse = openIdService.getResponse("test");

    // The test expects that building the response never validates the service ticket.
    try {
        verify(cas, never()).validateServiceTicket("test", openIdService);
    } catch (final Exception e) {
        // Only logged: an Exception raised here does not fail the test.
        LOGGER.debug("Exception during verification of service ticket", e);
    }

    assertNotNull(ticketResponse);
    assertEquals("test", ticketResponse.getAttributes().get("openid.assoc_handle"));
    assertEquals("http://www.ja-sig.org/?service=fa", ticketResponse.getAttributes().get("openid.return_to"));
    assertEquals("http://openid.ja-sig.org/battags", ticketResponse.getAttributes().get("openid.identity"));

    // No ticket id: the response must be a cancel.
    final Response cancelResponse = openIdService.getResponse(null);
    assertEquals("cancel", cancelResponse.getAttributes().get("openid.mode"));
}
Example #4
Source File: GoogleAccountsService.java From springboot-shiro-cas-mybatis with MIT License | 5 votes |
/**
 * Builds the SAML response for this service and returns it marshalled to a string.
 * <a href="http://bit.ly/1uI8Ggu">See this reference for more info.</a>
 *
 * <p>The response holds one assertion with a password authentication statement,
 * conditions, and an e-mail NameID subject for the username resolved for the
 * principal. Nothing is signed in this method.
 *
 * @return the SAML response
 */
private String constructSamlResponse() {
    final DateTime now = DateTime.parse(new ISOStandardDateFormat().getCurrentDateAndTime());
    // NOTE(review): fixed 2003 timestamp, so this instant never moves with the clock;
    // confirm that is intended for the assertion and its conditions.
    final DateTime fixedInstant = DateTime.parse("2003-04-17T00:46:02Z");

    // NOTE(review): the lookup result is dereferenced without a null check; confirm
    // findServiceBy cannot return null for this service.
    final RegisteredService registered = this.servicesManager.findServiceBy(this);
    final String username = registered.getUsernameAttributeProvider().resolveUsername(getPrincipal(), this);

    final org.opensaml.saml.saml2.core.Response samlResponse = BUILDER.newResponse(
            BUILDER.generateSecureRandomId(), now, getId(), this);
    samlResponse.setStatus(BUILDER.newStatus(StatusCode.SUCCESS, null));

    final AuthnStatement passwordStatement = BUILDER.newAuthnStatement(
            AuthnContext.PASSWORD_AUTHN_CTX, now);
    final Assertion samlAssertion = BUILDER.newAssertion(passwordStatement,
            "https://www.opensaml.org/IDP",
            fixedInstant, BUILDER.generateSecureRandomId());

    // NOTE(review): the two bounds passed here are the fixed 2003 instant and the
    // current time; if the second one is the not-on-or-after bound, check how
    // getCurrentDateAndTime() is offset so the window is neither empty nor too wide.
    final Conditions validity = BUILDER.newConditions(fixedInstant, now, getId());
    samlAssertion.setConditions(validity);

    final Subject emailSubject = BUILDER.newSubject(NameID.EMAIL, username,
            getId(), now, this.requestId);
    samlAssertion.setSubject(emailSubject);

    samlResponse.getAssertions().add(samlAssertion);

    final StringWriter out = new StringWriter();
    BUILDER.marshalSamlXmlObject(samlResponse, out);

    final String xml = out.toString();
    // NOTE(review): the whole response, including the resolved username, is written
    // to the debug log.
    logger.debug("Generated Google SAML response: {}", xml);
    return xml;
}
Example #5
Source File: DefaultRegisteredServiceMfaRoleProcessorImplTest.java From cas-mfa with Apache License 2.0 | 5 votes |
/**
 * Creates a mocked service factory whose {@code create} call returns the service
 * from {@code getMfaService()} for any arguments.
 *
 * @param was not used by this helper
 * @return the mocked factory
 */
private static MultiFactorWebApplicationServiceFactory getMFWASF(final WebApplicationService was) {
    final MultiFactorWebApplicationServiceFactory mockFactory =
            mock(MultiFactorWebApplicationServiceFactory.class);

    // Any argument combination yields the same canned MFA service.
    when(mockFactory.create(
            anyString(),
            anyString(),
            anyString(),
            any(Response.ResponseType.class),
            anyString(),
            any(MultiFactorAuthenticationSupportingWebApplicationService.AuthenticationMethodSource.class)))
            .thenReturn(getMfaService());

    return mockFactory;
}
Example #6
Source File: RegexAuthenticationMethodTranslatorTests.java From cas-mfa with Apache License 2.0 | 5 votes |
/**
 * Expects {@code translate} to throw {@link UnrecognizedAuthenticationMethodException}
 * for the given distinguished-name value, which presumably matches no entry of the
 * lookup map.
 */
@Test(expected = UnrecognizedAuthenticationMethodException.class)
public void testTranslateException() {
    final DefaultMultiFactorAuthenticationSupportingWebApplicationService service =
            new DefaultMultiFactorAuthenticationSupportingWebApplicationService(
                    "https://www.github.com",
                    "https://www.github.com",
                    null,
                    Response.ResponseType.REDIRECT,
                    "test_authn_method");

    final Map<String, String> lookup = getLookupMap();
    final RegexAuthenticationMethodTranslator translator = new RegexAuthenticationMethodTranslator(lookup);

    translator.translate(service, "CN=sudoers,OU=AdminGroups,DC=example,DC=edu");
}
Example #7
Source File: RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractorTests.java From cas-mfa with Apache License 2.0 | 5 votes |
/**
 * Expects the extractor to return no service when the registered service carries
 * the MFA role attribute name (without values) and the MFA attribute pattern in
 * addition to the authentication-method property.
 */
@Test
public void testServiceWithMfaRole() {
    final List<ArgumentExtractor> extractors = new ArrayList<>();
    extractors.add(new CasArgumentExtractor());

    // Factory mock: any create(...) call yields the canned MFA service.
    final MultiFactorWebApplicationServiceFactory mockFactory =
            mock(MultiFactorWebApplicationServiceFactory.class);
    when(mockFactory.create(anyString(), anyString(), anyString(),
            any(Response.ResponseType.class), anyString(), any(AuthenticationMethodSource.class)))
            .thenReturn(getMfaService());

    final AuthenticationMethodVerifier mockVerifier = mock(AuthenticationMethodVerifier.class);

    final RegisteredService registered = TestUtils.getRegisteredService(CAS_SERVICE);

    final DefaultRegisteredServiceProperty methodProperty = new DefaultRegisteredServiceProperty();
    methodProperty.setValues(Collections.singleton(CAS_AUTHN_METHOD));
    registered.getProperties().put(
            MultiFactorAuthenticationSupportingWebApplicationService.CONST_PARAM_AUTHN_METHOD, methodProperty);

    // The role attribute name is registered with no values set.
    final DefaultRegisteredServiceProperty roleNameProperty = new DefaultRegisteredServiceProperty();
    registered.getProperties().put(RegisteredServiceMfaRoleProcessor.MFA_ATTRIBUTE_NAME, roleNameProperty);

    final DefaultRegisteredServiceProperty rolePatternProperty = new DefaultRegisteredServiceProperty();
    rolePatternProperty.setValues(Collections.singleton(CAS_AUTHN_METHOD));
    registered.getProperties().put(RegisteredServiceMfaRoleProcessor.MFA_ATTRIBUTE_PATTERN, rolePatternProperty);

    // Every lookup, by id or by service, resolves to the registered service above.
    final ServicesManager mockManager = mock(ServicesManager.class);
    when(mockManager.findServiceBy(anyInt())).thenReturn(registered);
    when(mockManager.findServiceBy(any(Service.class))).thenReturn(registered);

    final RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor extractor =
            new RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor(
                    extractors, mockFactory, mockManager, mockVerifier);

    final MultiFactorAuthenticationSupportingWebApplicationService extracted =
            (MultiFactorAuthenticationSupportingWebApplicationService) extractor.extractService(getRequest());
    assertNull(extracted);
}
Example #8
Source File: RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractorTests.java From cas-mfa with Apache License 2.0 | 5 votes |
/**
 * Expects the extractor to return a service with the registered authentication
 * method when the registered service carries only the authentication-method
 * property.
 */
@Test
public void testServiceWithDefaultMfaAttribute() {
    final List<ArgumentExtractor> extractors = new ArrayList<>();
    extractors.add(new CasArgumentExtractor());

    // Factory mock: any create(...) call yields the canned MFA service.
    final MultiFactorWebApplicationServiceFactory mockFactory =
            mock(MultiFactorWebApplicationServiceFactory.class);
    when(mockFactory.create(anyString(), anyString(), anyString(),
            any(Response.ResponseType.class), anyString(), any(AuthenticationMethodSource.class)))
            .thenReturn(getMfaService());

    final AuthenticationMethodVerifier mockVerifier = mock(AuthenticationMethodVerifier.class);

    final RegisteredService registered = TestUtils.getRegisteredService(CAS_SERVICE);
    final DefaultRegisteredServiceProperty methodProperty = new DefaultRegisteredServiceProperty();
    methodProperty.setValues(Collections.singleton(CAS_AUTHN_METHOD));
    registered.getProperties().put(
            MultiFactorAuthenticationSupportingWebApplicationService.CONST_PARAM_AUTHN_METHOD, methodProperty);

    // Every lookup, by id or by service, resolves to the registered service above.
    final ServicesManager mockManager = mock(ServicesManager.class);
    when(mockManager.findServiceBy(anyInt())).thenReturn(registered);
    when(mockManager.findServiceBy(any(Service.class))).thenReturn(registered);

    final RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor extractor =
            new RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractor(
                    extractors, mockFactory, mockManager, mockVerifier);

    final MultiFactorAuthenticationSupportingWebApplicationService extracted =
            (MultiFactorAuthenticationSupportingWebApplicationService) extractor.extractService(getRequest());
    assertNotNull(extracted);
    assertEquals(extracted.getAuthenticationMethod(), CAS_AUTHN_METHOD);
}
Example #9
Source File: DefaultMultiFactorAuthenticationSupportingWebApplicationServiceTests.java From cas-mfa with Apache License 2.0 | 5 votes |
/**
 * Checks that {@link DefaultMultiFactorAuthenticationSupportingWebApplicationService}
 * reports the authentication method it was built with, and that its response for a
 * ticket id is a redirect to the service URL with the ticket appended as the
 * {@code ticket} query parameter.
 */
@Test
public void testServiceness() {
    final DefaultMultiFactorAuthenticationSupportingWebApplicationService service =
            new DefaultMultiFactorAuthenticationSupportingWebApplicationService(
                    "https://www.github.com",
                    "https://www.github.com",
                    null,
                    Response.ResponseType.REDIRECT,
                    "test_authn_method");

    assertEquals(service.getAuthenticationMethod(), "test_authn_method");

    final Response redirect = service.getResponse("testTicketId");
    assertNotNull(redirect);
    assertEquals(redirect.getResponseType(), Response.ResponseType.REDIRECT);
    assertEquals(redirect.getUrl(), "https://www.github.com?ticket=testTicketId");
}
Example #10
Source File: DefaultMultiFactorAuthenticationSupportingWebApplicationService.java From cas-mfa with Apache License 2.0 | 5 votes |
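/**
 * Builds the response that sends the user back to the original URL.
 *
 * <p>The ticket id is added as the {@code ticket} parameter only when it has text.
 * A POST response is built when this service's response type is POST; in every
 * other case a redirect response is built.
 *
 * @param ticketId the ticket id to hand to the service; may be null or blank
 * @return the POST or redirect response for the original URL
 */
@Override
public Response getResponse(final String ticketId) {
    // Typed map rather than a raw HashMap, so only String keys and values can end up
    // in the response parameters and the call below compiles without unchecked warnings.
    final HashMap<String, String> parameters = new HashMap<String, String>();

    if (StringUtils.hasText(ticketId)) {
        parameters.put("ticket", ticketId);
    }

    // NOTE(review): the destination is the service's original URL as stored on this
    // object; presumably it was matched against the service registry before this
    // point - confirm with the caller.
    return ResponseType.POST == this.responseType
            ? DefaultResponse.getPostResponse(this.getOriginalUrl(), parameters)
            : DefaultResponse.getRedirectResponse(this.getOriginalUrl(), parameters);
}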
Example #11
Source File: OpenIdServiceTests.java From cas4.0.x-server-wechat with Apache License 2.0 | 5 votes |
/**
 * Checks that a request whose association handle resolves to an expired association
 * gets a response with the single attribute {@code openid.mode=cancel}.
 */
@Test
public void testExpiredAssociationGetResponse() {
    request.addParameter("openid.assoc_handle", "test");
    openIdService = OpenIdService.createServiceFrom(request);

    Association shortLived = null;
    try {
        // The last argument (2) is presumably the lifetime in seconds; the 3000 ms wait
        // below is meant to outlast it.
        shortLived = Association.generate(Association.TYPE_HMAC_SHA1, "test", 2);
    } catch (final Exception e) {
        fail("Could not generate association");
    }

    when(context.getBean("serverManager")).thenReturn(manager);
    when(context.getBean("centralAuthenticationService")).thenReturn(cas);
    when(sharedAssociations.load("test")).thenReturn(shortLived);

    // Let the association run out before asking for the response.
    synchronized (this) {
        try {
            this.wait(3000);
        } catch (final InterruptedException ie) {
            fail("Could not wait long enough to check association expiry date");
        }
    }

    final Response expiredResponse = openIdService.getResponse("test");
    request.removeParameter("openid.assoc_handle");

    assertNotNull(expiredResponse);
    assertEquals(1, expiredResponse.getAttributes().size());
    assertEquals("cancel", expiredResponse.getAttributes().get("openid.mode"));
}
Example #12
Source File: SamlServiceTests.java From cas4.0.x-server-wechat with Apache License 2.0 | 5 votes |
/**
 * Expects a redirect response whose URL has no {@code SAMLart=} parameter when the
 * ticket id is {@code null}.
 */
@Test
public void testResponseWithNoTicket() {
    final MockHttpServletRequest targetRequest = new MockHttpServletRequest();
    targetRequest.setParameter("TARGET", "service");

    final SamlService samlService = SamlService.createServiceFrom(targetRequest);
    final Response redirect = samlService.getResponse(null);

    assertNotNull(redirect);
    assertEquals(ResponseType.REDIRECT, redirect.getResponseType());
    // Without a ticket there must be no artifact in the redirect URL.
    assertFalse(redirect.getUrl().contains("SAMLart="));
}
Example #13
Source File: SamlServiceTests.java From cas4.0.x-server-wechat with Apache License 2.0 | 5 votes |
/**
 * Expects a redirect response whose URL carries a {@code SAMLart=} parameter when a
 * ticket id is given.
 */
@Test
public void testResponse() {
    final MockHttpServletRequest targetRequest = new MockHttpServletRequest();
    targetRequest.setParameter("TARGET", "service");

    final SamlService samlService = SamlService.createServiceFrom(targetRequest);
    final Response redirect = samlService.getResponse("ticketId");

    assertNotNull(redirect);
    assertEquals(ResponseType.REDIRECT, redirect.getResponseType());
    // The ticket is expected to travel as the SAML artifact.
    assertTrue(redirect.getUrl().contains("SAMLart="));
}
Example #14
Source File: SamlService.java From cas4.0.x-server-wechat with Apache License 2.0 | 5 votes |
/**
 * Builds a redirect response to the original URL carrying the ticket and the
 * service URL as parameters.
 *
 * @param ticketId the ticket id to pass to the service; stored as given, including
 *                 {@code null}
 * @return the redirect response
 */
@Override
public Response getResponse(final String ticketId) {
    final Map<String, String> redirectParams = new HashMap<String, String>();

    // The ticket is stored without a null check; how a null value is rendered is
    // left to getRedirectResponse.
    redirectParams.put(CONST_PARAM_TICKET, ticketId);
    redirectParams.put(CONST_PARAM_SERVICE, getOriginalUrl());

    return Response.getRedirectResponse(getOriginalUrl(), redirectParams);
}
Example #15
Source File: GoogleAccountsService.java From cas4.0.x-server-wechat with Apache License 2.0 | 5 votes |
/**
 * Builds a POST response to the original URL carrying the signed SAML response and
 * the relay state.
 *
 * @param ticketId not read by this implementation
 * @return the POST response with the {@code SAMLResponse} and {@code RelayState}
 *         parameters
 */
@Override
public Response getResponse(final String ticketId) {
    final Map<String, String> postParams = new HashMap<String, String>();

    // Build the response first, then sign it with this service's key pair.
    final String unsignedXml = constructSamlResponse();
    final String signedXml = SamlUtils.signSamlResponse(unsignedXml,
            this.privateKey, this.publicKey);
    postParams.put("SAMLResponse", signedXml);

    // NOTE(review): the relay state is echoed back exactly as stored; presumably it
    // came from the incoming request - confirm it is encoded where the POST form is
    // rendered.
    postParams.put("RelayState", this.relayState);

    return Response.getPostResponse(getOriginalUrl(), postParams);
}
Example #16
Source File: GoogleAccountsServiceTests.java From springboot-shiro-cas-mybatis with MIT License | 5 votes |
/**
 * Expects the Google Accounts service to answer with a POST response that carries
 * both the SAML response and the relay state parameters.
 */
@Test
public void verifyResponse() {
    final Response postResponse = googleAccountsService.getResponse("ticketId");

    assertEquals(postResponse.getResponseType(), DefaultResponse.ResponseType.POST);

    // Only the presence of the two parameters is checked, not their content.
    assertTrue(postResponse.getAttributes().containsKey(SamlProtocolConstants.PARAMETER_SAML_RESPONSE));
    assertTrue(postResponse.getAttributes().containsKey(SamlProtocolConstants.PARAMETER_SAML_RELAY_STATE));
}
Example #17
Source File: SamlServiceTests.java From springboot-shiro-cas-mybatis with MIT License | 5 votes |
/**
 * Expects a redirect response whose URL has no {@code SAMLart=} parameter when the
 * ticket id is {@code null}.
 */
@Test
public void verifyResponseWithNoTicket() {
    final MockHttpServletRequest targetRequest = new MockHttpServletRequest();
    targetRequest.setParameter("TARGET", "service");

    final SamlService samlService = SamlService.createServiceFrom(targetRequest);
    final Response redirect = samlService.getResponse(null);

    assertNotNull(redirect);
    assertEquals(Response.ResponseType.REDIRECT, redirect.getResponseType());
    // Without a ticket there must be no artifact in the redirect URL.
    assertFalse(redirect.getUrl().contains("SAMLart="));
}
Example #18
Source File: SamlServiceTests.java From springboot-shiro-cas-mybatis with MIT License | 5 votes |
/**
 * Expects a redirect response whose URL carries a {@code SAMLart=} parameter when a
 * ticket id is given.
 */
@Test
public void verifyResponse() {
    final MockHttpServletRequest targetRequest = new MockHttpServletRequest();
    targetRequest.setParameter("TARGET", "service");

    final SamlService samlService = SamlService.createServiceFrom(targetRequest);
    final Response redirect = samlService.getResponse("ticketId");

    assertNotNull(redirect);
    assertEquals(Response.ResponseType.REDIRECT, redirect.getResponseType());
    // The ticket is expected to travel as the SAML artifact.
    assertTrue(redirect.getUrl().contains("SAMLart="));
}
Example #19
Source File: GoogleAccountsService.java From springboot-shiro-cas-mybatis with MIT License | 5 votes |
/**
 * Builds a POST response to the original URL carrying the signed SAML response and
 * the relay state.
 *
 * @param ticketId not read by this implementation
 * @return the POST response with the SAML response and relay state parameters
 */
@Override
public Response getResponse(final String ticketId) {
    final Map<String, String> postParams = new HashMap<>();

    // Build the response first, then sign it with this service's key pair.
    final String unsignedXml = constructSamlResponse();
    final String signedXml = BUILDER.signSamlResponse(unsignedXml,
            this.privateKey, this.publicKey);
    postParams.put(SamlProtocolConstants.PARAMETER_SAML_RESPONSE, signedXml);

    // NOTE(review): the relay state is echoed back exactly as stored; presumably it
    // came from the incoming request - confirm it is encoded where the POST form is
    // rendered.
    postParams.put(SamlProtocolConstants.PARAMETER_SAML_RELAY_STATE, this.relayState);

    return DefaultResponse.getPostResponse(getOriginalUrl(), postParams);
}
Example #20
Source File: MockService.java From cas4.0.x-server-wechat with Apache License 2.0 | 4 votes |
/**
 * Stub implementation: no response is built.
 *
 * @param ticketId ignored
 * @return always {@code null}
 */
public Response getResponse(final String ticketId) {
    // Callers of this mock must be prepared for a null response.
    return null;
}
Example #21
Source File: OpenIdService.java From cas4.0.x-server-wechat with Apache License 2.0 | 4 votes |
/**
 * Generates an OpenID response.
 *
 * <p>If no ticket id is given, the response is negative ({@code openid.mode=cancel}).
 * If there is a ticket id, the request's association handle is looked up.
 * If an association exists, the service ticket is validated here (unless the
 * association has expired) and the OpenID server manager generates the answer
 * according to that association.
 * If there is none, the answer is sent back with the ticket id as association handle.
 * This will force the consumer to ask for a verification, which will validate the
 * service ticket.
 *
 * @param ticketId the service ticket to provide to the service.
 * @return the generated authentication answer, as a redirect to the original URL
 */
@Override
public Response getResponse(final String ticketId) {
    final Map<String, String> parameters = new HashMap<String, String>();
    if (ticketId != null) {
        // Both collaborators are looked up by bean name from the application context.
        ServerManager manager = (ServerManager) ApplicationContextProvider.getApplicationContext().getBean("serverManager");
        CentralAuthenticationService cas = (CentralAuthenticationService) ApplicationContextProvider.getApplicationContext()
                .getBean("centralAuthenticationService");
        boolean associated = false;
        boolean associationValid = true;
        try {
            // Re-parse the stored request parameters to find the association handle.
            AuthRequest authReq = AuthRequest.createAuthRequest(requestParameters, manager.getRealmVerifier());
            Map parameterMap = authReq.getParameterMap();
            if (parameterMap != null && parameterMap.size() > 0) {
                String assocHandle = (String) parameterMap.get("openid.assoc_handle");
                if (assocHandle != null) {
                    Association association = manager.getSharedAssociations().load(assocHandle);
                    if (association != null) {
                        associated = true;
                        if (association.hasExpired()) {
                            associationValid = false;
                        }
                    }
                }
            }
        } catch (final MessageException me) {
            // Logged only: the flow continues as if no association had been found.
            LOGGER.error("Message exception : {}", me.getMessage(), me);
        }
        // NOTE(review): this flag starts as true and is cleared only for an expired
        // association or a failed ticket validation. With no association (including
        // after a MessageException above) the ticket is not validated in this method
        // and the answer is still requested as successful; per the Javadoc the
        // consumer's verification request is what validates the ticket then. Confirm
        // that verification path cannot be skipped.
        boolean successFullAuthentication = true;
        try {
            if (associated) {
                if (associationValid) {
                    cas.validateServiceTicket(ticketId, this);
                    LOGGER.info("Validated openid ticket");
                } else {
                    successFullAuthentication = false;
                }
            }
        } catch (final TicketException te) {
            LOGGER.error("Could not validate ticket : {}", te.getMessage(), te);
            successFullAuthentication = false;
        }
        // We sign directly (final 'true') because we don't add extensions
        // response message can be either a DirectError or an AuthSuccess here.
        // Anyway, handling is the same : send the response message
        Message response = manager.authResponse(requestParameters, this.identity, this.identity, successFullAuthentication, true);
        parameters.putAll(response.getParameterMap());
        if (!associated) {
            // The service ticket id itself becomes the association handle, so it
            // travels in the redirect parameters.
            parameters.put("openid.assoc_handle", ticketId);
        }
    } else {
        parameters.put("openid.mode", "cancel");
    }
    return Response.getRedirectResponse(getOriginalUrl(), parameters);
}
Example #22
Source File: ValidateInitialMultiFactorAuthenticationRequestActionTests.java From cas-mfa with Apache License 2.0 | 4 votes |
/**
 * Stub implementation for the test: no response is built.
 *
 * @param ticketId ignored
 * @return always {@code null}
 */
@Override
public Response getResponse(final String ticketId) {
    // Nothing in this stub produces a response object.
    return null;
}
Example #23
Source File: OpenIdService.java From springboot-shiro-cas-mybatis with MIT License | 4 votes |
/**
 * Generates an OpenID response.
 *
 * <p>If no ticket id is given, the response is negative (cancel mode).
 * If there is a ticket id, the request's association handle is looked up.
 * If an association exists, the service ticket is validated here (unless the
 * association has expired) and the OpenID server manager generates the answer
 * according to that association.
 * If there is none, the answer is sent back with the ticket id as association handle.
 * This will force the consumer to ask for a verification, which will validate the
 * service ticket.
 *
 * @param ticketId the service ticket to provide to the service.
 * @return the generated authentication answer, as a redirect to the original URL
 */
@Override
public Response getResponse(final String ticketId) {
    final Map<String, String> parameters = new HashMap<>();
    if (ticketId != null) {
        // Both collaborators are looked up by bean name from the application context.
        final ServerManager manager = (ServerManager) ApplicationContextProvider.getApplicationContext().getBean("serverManager");
        final CentralAuthenticationService cas = ApplicationContextProvider.getApplicationContext()
                .getBean("centralAuthenticationService", CentralAuthenticationService.class);
        boolean associated = false;
        boolean associationValid = true;
        try {
            // Re-parse the stored request parameters to find the association handle.
            final AuthRequest authReq = AuthRequest.createAuthRequest(requestParameters, manager.getRealmVerifier());
            final Map parameterMap = authReq.getParameterMap();
            if (parameterMap != null && parameterMap.size() > 0) {
                final String assocHandle = (String) parameterMap.get(OpenIdConstants.OPENID_ASSOCHANDLE);
                if (assocHandle != null) {
                    final Association association = manager.getSharedAssociations().load(assocHandle);
                    if (association != null) {
                        associated = true;
                        if (association.hasExpired()) {
                            associationValid = false;
                        }
                    }
                }
            }
        } catch (final MessageException me) {
            // Logged only: the flow continues as if no association had been found.
            LOGGER.error("Message exception : {}", me.getMessage(), me);
        }
        // NOTE(review): this flag starts as true and is cleared only for an expired
        // association or a failed ticket validation. With no association (including
        // after a MessageException above) the ticket is not validated in this method
        // and the answer is still requested as successful; per the Javadoc the
        // consumer's verification request is what validates the ticket then. Confirm
        // that verification path cannot be skipped.
        boolean successFullAuthentication = true;
        // Stays null unless the ticket was validated in this call.
        Assertion assertion = null;
        try {
            if (associated) {
                if (associationValid) {
                    assertion = cas.validateServiceTicket(ticketId, this);
                    LOGGER.info("Validated openid ticket");
                } else {
                    successFullAuthentication = false;
                }
            }
        } catch (final TicketException te) {
            LOGGER.error("Could not validate ticket : {}", te.getMessage(), te);
            successFullAuthentication = false;
        }
        // The identifier is derived from the authenticated principal only when a
        // validated assertion exists and the request asked for identifier selection;
        // otherwise the identity stored on this service is used as is.
        final String id;
        if (assertion != null && OpenIdConstants.OPENID_IDENTIFIERSELECT.equals(this.identity)) {
            // NOTE(review): the principal id is concatenated into the identifier URL
            // without encoding; confirm ids cannot contain URL-significant characters.
            id = this.openIdPrefixUrl + '/' + assertion.getPrimaryAuthentication().getPrincipal().getId();
        } else {
            id = this.identity;
        }
        // We sign directly (final 'true') because we don't add extensions
        // response message can be either a DirectError or an AuthSuccess here.
        // Anyway, handling is the same : send the response message
        final Message response = manager.authResponse(requestParameters, id, id, successFullAuthentication, true);
        parameters.putAll(response.getParameterMap());
        if (!associated) {
            // The service ticket id itself becomes the association handle, so it
            // travels in the redirect parameters.
            parameters.put(OpenIdConstants.OPENID_ASSOCHANDLE, ticketId);
        }
    } else {
        parameters.put(OpenIdConstants.OPENID_MODE, OpenIdConstants.CANCEL);
    }
    return DefaultResponse.getRedirectResponse(getOriginalUrl(), parameters);
}
Example #24
Source File: RegisteredServiceAttributeMultiFactorAuthenticationArgumentExtractorTests.java From cas-mfa with Apache License 2.0 | 4 votes |
/**
 * Creates the MFA-aware service used by the tests: the CAS service URL as both
 * leading arguments, a {@code null} third argument, a redirect response type and
 * the test authentication method.
 *
 * @return the new service instance
 */
private static MultiFactorAuthenticationSupportingWebApplicationService getMfaService() {
    final MultiFactorAuthenticationSupportingWebApplicationService mfaService =
            new DefaultMultiFactorAuthenticationSupportingWebApplicationService(
                    CAS_SERVICE,
                    CAS_SERVICE,
                    null,
                    Response.ResponseType.REDIRECT,
                    CAS_AUTHN_METHOD);
    return mfaService;
}
Example #25
Source File: SamlService.java From springboot-shiro-cas-mybatis with MIT License | 4 votes |
/**
 * Builds a redirect response to the original URL carrying the ticket as the SAML
 * artifact parameter.
 *
 * @param ticketId the ticket id to pass to the service; stored as given, including
 *                 {@code null}
 * @return the redirect response
 */
@Override
public Response getResponse(final String ticketId) {
    final Map<String, String> redirectParams = new HashMap<>();

    // The ticket is stored without a null check; how a null value is rendered is
    // left to getRedirectResponse.
    redirectParams.put(SamlProtocolConstants.CONST_PARAM_ARTIFACT, ticketId);

    return DefaultResponse.getRedirectResponse(getOriginalUrl(), redirectParams);
}
Example #26
Source File: DefaultRegisteredServiceMfaRoleProcessorImplTest.java From cas-mfa with Apache License 2.0 | 4 votes |
/**
 * Creates the MFA-aware service used by the tests: the CAS service URL as both
 * leading arguments, a {@code null} third argument, a redirect response type and
 * the test authentication method.
 *
 * @return the new service instance
 */
private static MultiFactorAuthenticationSupportingWebApplicationService getMfaService() {
    final MultiFactorAuthenticationSupportingWebApplicationService mfaService =
            new DefaultMultiFactorAuthenticationSupportingWebApplicationService(
                    CAS_SERVICE,
                    CAS_SERVICE,
                    null,
                    Response.ResponseType.REDIRECT,
                    CAS_AUTHN_METHOD);
    return mfaService;
}