/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License") + you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ package org.apache.openmeetings.web.pages.auth; import static java.nio.charset.StandardCharsets.UTF_8; import static org.apache.openmeetings.util.OpenmeetingsVariables.CONFIG_IGNORE_BAD_SSL; import static org.apache.openmeetings.util.OpenmeetingsVariables.getBaseUrl; import static org.apache.openmeetings.util.OpenmeetingsVariables.isAllowRegisterFrontend; import static org.apache.openmeetings.web.app.Application.urlForPage; import java.io.DataOutputStream; import java.io.IOException; import java.io.UnsupportedEncodingException; import java.net.HttpURLConnection; import java.net.URL; import java.net.URLConnection; import java.net.URLEncoder; import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.HashMap; import java.util.Map; import java.util.Map.Entry; import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManager; import javax.net.ssl.X509TrustManager; import org.apache.commons.io.IOUtils; import org.apache.openmeetings.db.dao.basic.ConfigurationDao; import org.apache.openmeetings.db.dao.server.OAuth2Dao; import org.apache.openmeetings.db.dao.user.IUserManager; import org.apache.openmeetings.db.dto.user.OAuthUser; import org.apache.openmeetings.db.entity.server.OAuthServer; import org.apache.openmeetings.db.entity.server.OAuthServer.RequestInfoMethod; import org.apache.openmeetings.db.entity.user.User; import org.apache.openmeetings.db.entity.user.User.Type; import org.apache.openmeetings.util.OmException; import org.apache.openmeetings.web.app.Application; import org.apache.openmeetings.web.app.WebSession; import org.apache.openmeetings.web.common.OmModalCloseButton; import org.apache.openmeetings.web.pages.BaseInitedPage; import org.apache.openmeetings.web.room.IconTextModal; import org.apache.wicket.ajax.AjaxRequestTarget; import org.apache.wicket.core.request.handler.IPartialPageRequestHandler; import org.apache.wicket.markup.head.IHeaderResponse; import org.apache.wicket.markup.head.OnDomReadyHeaderItem; import org.apache.wicket.model.Model; import org.apache.wicket.model.ResourceModel; import org.apache.wicket.request.IRequestParameters; import org.apache.wicket.request.cycle.RequestCycle; import org.apache.wicket.request.flow.RedirectToUrlException; import org.apache.wicket.request.mapper.parameter.PageParameters; import org.apache.wicket.spring.injection.annot.SpringBean; import org.apache.wicket.util.string.StringValue; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.github.openjson.JSONException; import com.github.openjson.JSONObject; import de.agilecoders.wicket.core.markup.html.bootstrap.dialog.Modal; import de.agilecoders.wicket.core.markup.html.bootstrap.dialog.TextContentModal; public class SignInPage extends BaseInitedPage { private static final long serialVersionUID = 1L; private static final Logger log = LoggerFactory.getLogger(SignInPage.class); public static final String TOKEN_PARAM = "token"; private SignInDialog signin; private final Modal<String> kick = new IconTextModal("kick") { private static final long serialVersionUID = 1L; { withLabel(new ResourceModel("606")); withErrorIcon(); setCloseOnEscapeKey(false); show(true); setUseCloseHandler(true); addButton(OmModalCloseButton.of("54")); } @Override protected void onClose(IPartialPageRequestHandler target) { WebSession.setKickedByAdmin(false); Application.get().restartResponseAtSignInPage(); } }; private final Modal<String> forgetInfoDialog = new TextContentModal("forgetInfo", new ResourceModel("321")) { private static final long serialVersionUID = 1L; @Override protected void onClose(IPartialPageRequestHandler handler) { signin.show(handler); } }; private final ForgetPasswordDialog forget = new ForgetPasswordDialog("forget", forgetInfoDialog); private final Modal<String> registerInfoDialog = new TextContentModal("registerInfo", Model.of("")) { private static final long serialVersionUID = 1L; @Override protected void onInitialize() { super.onInitialize(); setModelObject(getString("warn.notverified")); get("content").setOutputMarkupId(true); } @Override public Modal<String> setModelObject(String obj) { super.setModelObject(obj); get("content").setDefaultModelObject(obj); return this; } @Override protected void onClose(IPartialPageRequestHandler handler) { signin.show(handler); } }; RegisterDialog r = new RegisterDialog("register", registerInfoDialog); @SpringBean private ConfigurationDao cfgDao; @SpringBean private IUserManager userManager; @SpringBean private OAuth2Dao oauthDao; public SignInPage() { this(new PageParameters()); } public SignInPage(PageParameters p) { super(); WebSession.get().checkToken(p.get(TOKEN_PARAM)); if (WebSession.get().isSignedIn()) { setResponsePage(Application.get().getHomePage()); } StringValue oauthid = p.get("oauthid"); if (!oauthid.isEmpty()) { // oauth2 login try { long serverId = oauthid.toLong(-1); OAuthServer server = oauthDao.get(serverId); log.debug("OAuthServer={}", server); if (server == null) { log.warn("OAuth server id={} not found", serverId); return; } if (!p.get("code").isNull()) { // got code String code = p.get("code").toString(); log.debug("OAuth response code={}", code); AuthInfo authInfo = getToken(code, server); if (authInfo == null) { return; } log.debug("OAuthInfo={}", authInfo); OAuthUser user = getAuthParams(authInfo, code, server); loginViaOAuth2(user, serverId); } else { // redirect to get code showAuth(server); } } catch (IOException|NoSuchAlgorithmException|JSONException e) { log.error("OAuth2 login error", e); } } //will try to login directly using parameters sent by POST IRequestParameters pp = RequestCycle.get().getRequest().getPostParameters(); StringValue login = pp.getParameterValue("login"), password = pp.getParameterValue("password"); if (!login.isEmpty() && !password.isEmpty()) { try { if (WebSession.get().signIn(login.toString(), password.toString(), Type.USER, null)) { setResponsePage(Application.get().getHomePage()); } else { log.error("Failed to login using POST parameters passed"); } } catch (OmException e) { log.error("Exception while login with POST parameters passed", e); } } } @Override protected void onInitialize() { super.onInitialize(); signin = new SignInDialog("signin"); signin.setRegisterDialog(r); signin.setForgetPasswordDialog(forget); r.setSignInDialog(signin); forget.setSignInDialog(signin); add(signin.setVisible(!WebSession.get().isKickedByAdmin()), r.setVisible(allowRegister()), forget, kick.setVisible(WebSession.get().isKickedByAdmin())); add(forgetInfoDialog .header(new ResourceModel("312")) .addButton(OmModalCloseButton.of("54")) .setUseCloseHandler(true) ); add(registerInfoDialog .header(new ResourceModel("235")) .addButton(OmModalCloseButton.of("54")) .setUseCloseHandler(true) ); } @Override public void renderHead(IHeaderResponse response) { super.renderHead(response); response.render(OnDomReadyHeaderItem.forScript("" + "$('#signin-dialog, #register-dialog, #forget-dialog').on('shown.bs.modal', function () {\n" + " $(this).find('.auto-focus').trigger('focus');\n" + "})" )); } boolean allowRegister() { return isAllowRegisterFrontend(); } boolean allowOAuthLogin() { return !oauthDao.getActive().isEmpty(); } @Override protected void onParameterArrival(IRequestParameters params, AjaxRequestTarget arg1) { WebSession.get().setArea(getUrlFragment(params)); } // ============= OAuth2 methods ============= private static Map<String, String> getInitParams(final OAuthServer s) { Map<String, String> params = new HashMap<>(); params.put("{$client_id}", s.getClientId()); params.put("{$redirect_uri}", getRedirectUri(s)); return params; } public static void showAuth(final OAuthServer s) { String authUrl = prepareUrl(s.getRequestKeyUrl(), getInitParams(s)); log.debug("redirectUrl={}", authUrl); throw new RedirectToUrlException(authUrl); } private static String prepareUrl(String urlTemplate, Map<String, String> params) { String result = urlTemplate; for (Entry<String, String> e : params.entrySet()) { if (e.getValue() != null) { try { result = result.replace(e.getKey(), URLEncoder.encode(e.getValue(), UTF_8.name())); } catch (UnsupportedEncodingException err) { log.error("Unexpected exception while encoding URI param {}", e, err); } } } return result; } public static String getRedirectUri(OAuthServer server) { String result = ""; if (server.getId() != null) { String base = getBaseUrl(); result = urlForPage(SignInPage.class, new PageParameters().add("oauthid", server.getId()), base); } return result; } private void prepareConnection(URLConnection _connection) { if (!(_connection instanceof HttpsURLConnection)) { return; } if (!cfgDao.getBool(CONFIG_IGNORE_BAD_SSL, false)) { return; } TrustManager[] trustAllCerts = new TrustManager[] {new X509TrustManager() { @Override public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException { //no-op } @Override public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException { //no-op } @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[] {}; } }}; try { HttpsURLConnection connection = (HttpsURLConnection)_connection; SSLContext sslContext = SSLContext.getInstance("SSL"); sslContext.init(null, trustAllCerts, new java.security.SecureRandom()); SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory(); connection.setSSLSocketFactory(sslSocketFactory); connection.setHostnameVerifier((arg0, arg1) -> true); } catch (Exception e) { log.error("[prepareConnection]", e); } } private static Map<String, String> getParams(final OAuthServer s, String code, AuthInfo authInfo) { Map<String, String> params = getInitParams(s); params.put("{$client_id}", s.getClientId()); params.put("{$client_secret}", s.getClientSecret()); if (authInfo != null) { params.put("{$access_token}", authInfo.accessToken); params.put("{$user_id}", authInfo.userId); } if (code != null) { params.put("{$code}", code); } return params; } private AuthInfo getToken(String code, OAuthServer server) throws IOException { String requestTokenBaseUrl = server.getRequestTokenUrl(); // build url params to request auth token String requestTokenParams = server.getRequestTokenAttributes(); requestTokenParams = prepareUrl(requestTokenParams, getParams(server, code, null)); // request auth token HttpURLConnection connection = (HttpURLConnection) new URL(requestTokenBaseUrl).openConnection(); prepareConnection(connection); connection.setRequestMethod(server.getRequestTokenMethod().name()); connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded"); connection.setRequestProperty("charset", UTF_8.name()); connection.setRequestProperty("Content-Length", String.valueOf(requestTokenParams.length())); connection.setDoInput(true); connection.setDoOutput(true); connection.setUseCaches(false); DataOutputStream paramsOutputStream = new DataOutputStream(connection.getOutputStream()); paramsOutputStream.writeBytes(requestTokenParams); paramsOutputStream.flush(); String sourceResponse = IOUtils.toString(connection.getInputStream(), UTF_8); // parse json result AuthInfo result = new AuthInfo(sourceResponse); // access token must be specified if (result.accessToken == null) { log.error("Response doesn't contain access_token field:\n {}", sourceResponse); return null; } return result; } private OAuthUser getAuthParams(AuthInfo authInfo, String code, OAuthServer server) throws IOException { // prepare url String requestInfoUrl = server.getRequestInfoUrl(); requestInfoUrl = prepareUrl(requestInfoUrl, getParams(server, code, authInfo)); // send request HttpURLConnection connection = (HttpURLConnection) new URL(requestInfoUrl).openConnection(); if (server.getRequestInfoMethod() == RequestInfoMethod.HEADER) { connection.setRequestProperty("Authorization", String.format("Bearer %s", authInfo.accessToken)); } else { connection.setRequestMethod(server.getRequestInfoMethod().name()); } prepareConnection(connection); String json = IOUtils.toString(connection.getInputStream(), UTF_8); log.debug("User info={}", json); // parse json result return new OAuthUser(json, server); } private void loginViaOAuth2(OAuthUser user, long serverId) throws IOException, NoSuchAlgorithmException { User u = userManager.loginOAuth(user, serverId); if (u != null && WebSession.get().signIn(u)) { setResponsePage(Application.get().getHomePage()); } else { log.error("Failed to login via OAuth2!"); } } private static class AuthInfo { final String accessToken; final String refreshToken; final String tokenType; final String userId; final long expiresIn; AuthInfo(String jsonStr) { log.debug("AuthInfo={}", jsonStr); JSONObject json = new JSONObject(jsonStr); accessToken = json.optString("access_token"); refreshToken = json.optString("refresh_token"); tokenType = json.optString("token_type"); userId = json.optString("user_id"); expiresIn = json.optLong("expires_in"); } @Override public String toString() { return new StringBuilder() .append("AuthInfo [accessToken=").append(accessToken) .append(", refreshToken=").append(refreshToken) .append(", tokenType=").append(tokenType) .append(", userId=").append(userId) .append(", expiresIn=").append(expiresIn) .append("]").toString(); } } }