diff --git a/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/bean/Certificate.java b/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/bean/Certificate.java index e3e55c330f..acf63daa07 100644 --- a/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/bean/Certificate.java +++ b/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/bean/Certificate.java @@ -25,6 +25,15 @@ public class Certificate { X509Certificate certificate; int tenantId; String tenantDomain; + String deviceIdentifier; + + public String getDeviceIdentifier() { + return deviceIdentifier; + } + + public void setDeviceIdentifier(String deviceIdentifier) { + this.deviceIdentifier = deviceIdentifier; + } public int getTenantId() { return tenantId; diff --git a/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/dao/CertificateDAO.java b/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/dao/CertificateDAO.java index de3be1856a..779251761e 100644 --- a/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/dao/CertificateDAO.java +++ b/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/dao/CertificateDAO.java @@ -41,6 +41,17 @@ public interface CertificateDAO { void addCertificate(List certificate) throws CertificateManagementDAOException; + /** + * This can be used to store a certificate in the database, where it will be stored against the serial number + * of the certificate. + * + * @param certificate Holds the certificate and relevant details. + * @throws CertificateManagementDAOException + * + */ + void addCertificate(Certificate certificate) + throws CertificateManagementDAOException; + /** * Usage is to obtain a certificate stored in the database by providing the common name. * @@ -51,6 +62,16 @@ public interface CertificateDAO { */ CertificateResponse retrieveCertificate(String serialNumber) throws CertificateManagementDAOException; + /** + * Obtain a certificated stored in the database by providing the common name and the tenant ID + * + * @param serialNumber Serial number (Common name) of the certificate + * @param tenantId ID of the certificate owning tenant + * @return representation of the certificate. + * @throws CertificateManagementDAOException if fails to read the certificate from the database + */ + CertificateResponse retrieveCertificate(String serialNumber, int tenantId) throws CertificateManagementDAOException; + /** * Get all the certificates in a paginated manner. * diff --git a/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/dao/impl/AbstractCertificateDAOImpl.java b/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/dao/impl/AbstractCertificateDAOImpl.java index bd46a00559..d2b5be4062 100644 --- a/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/dao/impl/AbstractCertificateDAOImpl.java +++ b/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/dao/impl/AbstractCertificateDAOImpl.java @@ -81,6 +81,40 @@ public abstract class AbstractCertificateDAOImpl implements CertificateDAO{ } } + @Override + public void addCertificate(Certificate certificate) + throws CertificateManagementDAOException { + Connection conn; + PreparedStatement stmt = null; + try { + conn = this.getConnection(); + stmt = conn.prepareStatement( + "INSERT INTO DM_DEVICE_CERTIFICATE (SERIAL_NUMBER, CERTIFICATE, TENANT_ID," + + " USERNAME, DEVICE_IDENTIFIER) VALUES (?,?,?,?,?)"); + PrivilegedCarbonContext threadLocalCarbonContext = PrivilegedCarbonContext. + getThreadLocalCarbonContext(); + String username = threadLocalCarbonContext.getUsername(); + // the serial number of the certificate used for its creation is set as its alias. + String serialNumber = certificate.getSerial(); + if (serialNumber == null || serialNumber.isEmpty()) { + serialNumber = String.valueOf(certificate.getCertificate().getSerialNumber()); + } + byte[] bytes = Serializer.serialize(certificate.getCertificate()); + + stmt.setString(1, serialNumber); + stmt.setBytes(2, bytes); + stmt.setInt(3, certificate.getTenantId()); + stmt.setString(4, username); + stmt.setString(5, certificate.getDeviceIdentifier()); + stmt.executeUpdate(); + } catch (SQLException | IOException e) { + throw new CertificateManagementDAOException("Error occurred while saving the " + + "certificate. ", e); + } finally { + CertificateManagementDAOUtil.cleanupResources(stmt, null); + } + } + @Override public CertificateResponse retrieveCertificate(String serialNumber) throws CertificateManagementDAOException { @@ -119,6 +153,42 @@ public abstract class AbstractCertificateDAOImpl implements CertificateDAO{ return certificateResponse; } + @Override + public CertificateResponse retrieveCertificate(String serialNumber, int tenantId) throws CertificateManagementDAOException { + Connection conn; + PreparedStatement stmt = null; + ResultSet resultSet = null; + CertificateResponse certificateResponse = null; + try { + conn = this.getConnection(); + String query = + "SELECT CERTIFICATE, SERIAL_NUMBER, TENANT_ID, USERNAME FROM" + + " DM_DEVICE_CERTIFICATE WHERE SERIAL_NUMBER = ? AND TENANT_ID = ? "; + stmt = conn.prepareStatement(query); + stmt.setString(1, serialNumber); + stmt.setInt(2, tenantId); + resultSet = stmt.executeQuery(); + + if (resultSet.next()) { + certificateResponse = new CertificateResponse(); + byte[] certificateBytes = resultSet.getBytes("CERTIFICATE"); + certificateResponse.setCertificate(certificateBytes); + certificateResponse.setSerialNumber(resultSet.getString("SERIAL_NUMBER")); + certificateResponse.setTenantId(resultSet.getInt("TENANT_ID")); + certificateResponse.setUsername(resultSet.getString("USERNAME")); + CertificateGenerator.extractCertificateDetails(certificateBytes, certificateResponse); + } + } catch (SQLException e) { + String errorMsg = + "Unable to get the read the certificate with serial" + serialNumber; + log.error(errorMsg, e); + throw new CertificateManagementDAOException(errorMsg, e); + } finally { + CertificateManagementDAOUtil.cleanupResources(stmt, resultSet); + } + return certificateResponse; + } + @Override public List searchCertificate(String serialNumber) throws CertificateManagementDAOException { diff --git a/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/impl/CertificateGenerator.java b/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/impl/CertificateGenerator.java index cffcec417d..328c2fcbfb 100755 --- a/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/impl/CertificateGenerator.java +++ b/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/impl/CertificateGenerator.java @@ -358,15 +358,31 @@ public class CertificateGenerator { CertificateResponse lookUpCertificate = null; KeyStoreReader keyStoreReader = new KeyStoreReader(); if (distinguishedName != null && !distinguishedName.isEmpty()) { - if (distinguishedName.contains("/CN=")) { - String[] dnSplits = distinguishedName.split("/"); - for (String dnPart : dnSplits) { - if (dnPart.contains("CN=")) { - String commonNameExtracted = dnPart.replace("CN=", ""); - lookUpCertificate = keyStoreReader.getCertificateBySerial(commonNameExtracted); - break; + if (distinguishedName.contains("CN=")) { + String[] dnSplits = null; + if (distinguishedName.contains("/")) { + dnSplits = distinguishedName.split("/"); + } else if (distinguishedName.contains(",")) { + //some older versions of nginx will forward the client certificate subject dn separated with commas + dnSplits = distinguishedName.split(","); + } + String commonNameExtracted = null; + int tenantId = 0; + if (dnSplits != null && dnSplits.length >= 1) { + for (String dnPart : dnSplits) { + if (dnPart.contains("CN=")) { + commonNameExtracted = dnPart.replace("CN=", ""); + } else if (dnPart.contains("OU=")) { + //the OU of the certificate will be like OU=tenant_ ex: OU=tenant_-1234 + //splitting by underscore to extract the tenant domain + String[] orgUnitSplits = dnPart.split("_"); + tenantId = Integer.parseInt(orgUnitSplits[1]); + } } } + + lookUpCertificate = keyStoreReader.getCertificateBySerial(commonNameExtracted, tenantId); + } else { LdapName ldapName; try { @@ -694,6 +710,30 @@ public class CertificateGenerator { } } + public void saveCertificate(io.entgra.device.mgt.core.certificate.mgt.core.bean.Certificate + certificate) throws KeystoreException { + + if (certificate == null) { + return; + } + + try { + CertificateDAO certificateDAO = CertificateManagementDAOFactory.getCertificateDAO(); + CertificateManagementDAOFactory.beginTransaction(); + certificateDAO.addCertificate(certificate); + CertificateManagementDAOFactory.commitTransaction(); + } catch (CertificateManagementDAOException e) { + String errorMsg = "Error occurred when saving the generated certificate in database"; + log.error(errorMsg); + CertificateManagementDAOFactory.rollbackTransaction(); + throw new KeystoreException(errorMsg, e); + } catch (TransactionManagementException e) { + String errorMsg = "Error occurred when saving the generated certificate in database"; + log.error(errorMsg); + throw new KeystoreException(errorMsg, e); + } + } + public void saveCertInKeyStore(List certificate) throws KeystoreException { diff --git a/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/impl/KeyStoreReader.java b/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/impl/KeyStoreReader.java index 8c8ed5e7fc..2103cc6021 100755 --- a/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/impl/KeyStoreReader.java +++ b/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/impl/KeyStoreReader.java @@ -275,6 +275,43 @@ public class KeyStoreReader { return raPrivateKey; } + public CertificateResponse getCertificateBySerial(String serialNumber, int tenantId) throws KeystoreException { + CertificateResponse certificateResponse = null; + try { + CertificateCacheManager cacheManager = CertificateCacheManagerImpl.getInstance(); + certificateResponse = cacheManager.getCertificateBySerial(serialNumber); + if (certificateResponse == null) { + try { + CertificateManagementDAOFactory.openConnection(); + certificateResponse = certDao.retrieveCertificate(serialNumber, tenantId); + } catch (SQLException e) { + String errorMsg = "Error when making a connection to the database."; + throw new KeystoreException(errorMsg, e); + } finally { + CertificateManagementDAOFactory.closeConnection(); + } + if (certificateResponse != null && certificateResponse.getCertificate() != null) { + Certificate certificate = (Certificate) Serializer.deserialize(certificateResponse.getCertificate()); + if (certificate instanceof X509Certificate) { + X509Certificate x509cert = (X509Certificate) certificate; + String commonName = CertificateGenerator.getCommonName(x509cert); + certificateResponse.setCommonName(commonName); + cacheManager.addCertificateBySerial(serialNumber, certificateResponse); + } + } + } + } catch (CertificateManagementDAOException e) { + String errorMsg = "Error when retrieving certificate from the the database for the serial number: " + + serialNumber; + throw new KeystoreException(errorMsg, e); + + } catch (ClassNotFoundException | IOException e) { + String errorMsg = "Error when de-serializing saved certificate."; + throw new KeystoreException(errorMsg, e); + } + return certificateResponse; + } + public CertificateResponse getCertificateBySerial(String serialNumber) throws KeystoreException { CertificateResponse certificateResponse = null; try { diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/DeviceManagementConstants.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/DeviceManagementConstants.java index fb4c749b82..6fd2fedde9 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/DeviceManagementConstants.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/DeviceManagementConstants.java @@ -134,6 +134,8 @@ public final class DeviceManagementConstants { public static final String LAST_NAME = "last-name"; public static final String TENANT_ADMIN_USERNAME = "tenant-admin-username"; public static final String TENANT_ADMIN_PASSWORD = "tenant-admin-password"; + + public static final int OTP_DEFAULT_EXPIRY_SECONDS = 3600; } public static final class EventServices { diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/general/QREnrollmentDetails.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/general/QREnrollmentDetails.java index fede2e3780..4d6bb97df1 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/general/QREnrollmentDetails.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/general/QREnrollmentDetails.java @@ -25,6 +25,7 @@ public class QREnrollmentDetails { String username; String enrollmentMode; Map customValues; + int tokenExpiry; public Map getCustomValues() { return customValues; @@ -45,4 +46,12 @@ public class QREnrollmentDetails { public String getEnrollmentMode() { return enrollmentMode; } public void setEnrollmentMode(String enrollmentMode) { this.enrollmentMode = enrollmentMode; } + + public int getTokenExpiry() { + return tokenExpiry; + } + + public void setTokenExpiry(int tokenExpiry) { + this.tokenExpiry = tokenExpiry; + } } diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/otp/mgt/OTPEmailTypes.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/otp/mgt/OTPEmailTypes.java index afb1d6b0fa..53113c5b75 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/otp/mgt/OTPEmailTypes.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/otp/mgt/OTPEmailTypes.java @@ -19,5 +19,5 @@ package io.entgra.device.mgt.core.device.mgt.common.otp.mgt; public enum OTPEmailTypes { - USER_VERIFY, DEVICE_ENROLLMENT + USER_VERIFY, DEVICE_ENROLLMENT, USER_INVITE, REMOTE_SESSION } diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/spi/OTPManagementService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/spi/OTPManagementService.java index c89d311cda..e4cfa042b6 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/spi/OTPManagementService.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.common/src/main/java/io/entgra/device/mgt/core/device/mgt/common/spi/OTPManagementService.java @@ -35,7 +35,8 @@ public interface OTPManagementService { * @throws OTPManagementException if error occurred whle verifying validity of the OPT * @throws BadRequestException if found an null value for OTP */ - OneTimePinDTO isValidOTP(String oneTimeToken) throws OTPManagementException, BadRequestException; + OneTimePinDTO isValidOTP(String oneTimeToken, boolean requireRenewal) throws + OTPManagementException, BadRequestException; /** * Invalidate the OTP and send welcome mail @@ -59,8 +60,7 @@ public interface OTPManagementService { boolean hasEmailRegistered(String email, String emailDomain) throws OTPManagementException, DeviceManagementException; - OneTimePinDTO generateOneTimePin(String email, String emailType, String userName, Object metaDataObj, - int tenantId, boolean persistPin) throws OTPManagementException; + OneTimePinDTO generateOneTimePin(OneTimePinDTO oneTimePinData, boolean persistPin) throws OTPManagementException; OneTimePinDTO getRenewedOtpByEmailAndMailType(String email, String emailType) throws OTPManagementException; diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.config.api/src/main/java/io/entgra/device/mgt/core/device/mgt/config/api/service/DeviceManagementConfigService.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.config.api/src/main/java/io/entgra/device/mgt/core/device/mgt/config/api/service/DeviceManagementConfigService.java index f2fc9e436f..ad8b11b5a3 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.config.api/src/main/java/io/entgra/device/mgt/core/device/mgt/config/api/service/DeviceManagementConfigService.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.config.api/src/main/java/io/entgra/device/mgt/core/device/mgt/config/api/service/DeviceManagementConfigService.java @@ -156,7 +156,12 @@ public interface DeviceManagementConfigService { value = "The properties list using for query a device", required = true) @QueryParam("properties") - String properties); + String properties, + @ApiParam( + name = "withAccessToken", + value = "Whether to use access token or otp token for device configuration") + @QueryParam("withAccessToken") + boolean withAccessToken); @PUT @Path("/device/transfer") diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.config.api/src/main/java/io/entgra/device/mgt/core/device/mgt/config/api/service/impl/DeviceManagementConfigServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.config.api/src/main/java/io/entgra/device/mgt/core/device/mgt/config/api/service/impl/DeviceManagementConfigServiceImpl.java index 713c01e3d3..c7b191704e 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.config.api/src/main/java/io/entgra/device/mgt/core/device/mgt/config/api/service/impl/DeviceManagementConfigServiceImpl.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.config.api/src/main/java/io/entgra/device/mgt/core/device/mgt/config/api/service/impl/DeviceManagementConfigServiceImpl.java @@ -21,6 +21,10 @@ import com.fasterxml.jackson.core.JsonParseException; import com.fasterxml.jackson.core.type.TypeReference; import com.fasterxml.jackson.databind.JsonMappingException; import com.fasterxml.jackson.databind.ObjectMapper; +import io.entgra.device.mgt.core.device.mgt.common.exceptions.OTPManagementException; +import io.entgra.device.mgt.core.device.mgt.common.otp.mgt.OTPEmailTypes; +import io.entgra.device.mgt.core.device.mgt.common.otp.mgt.dto.OneTimePinDTO; +import io.entgra.device.mgt.core.device.mgt.common.spi.OTPManagementService; import io.entgra.device.mgt.core.device.mgt.config.api.beans.ErrorResponse; import io.entgra.device.mgt.core.device.mgt.config.api.service.DeviceManagementConfigService; import io.entgra.device.mgt.core.device.mgt.config.api.util.DeviceMgtAPIUtils; @@ -77,7 +81,8 @@ public class DeviceManagementConfigServiceImpl implements DeviceManagementConfig @Path("/configurations") @Produces(MediaType.APPLICATION_JSON) public Response getConfiguration(@HeaderParam("token") String token, - @QueryParam("properties") String properties) { + @QueryParam("properties") String properties, + @QueryParam("withAccessToken") boolean withAccessToken) { DeviceManagementProviderService dms = DeviceMgtAPIUtils.getDeviceManagementService(); try { if (token == null || token.isEmpty()) { @@ -102,7 +107,8 @@ public class DeviceManagementConfigServiceImpl implements DeviceManagementConfig deviceProps.put("token", token); DeviceConfiguration devicesConfiguration = dms.getDeviceConfiguration(deviceProps); - setAccessTokenToDeviceConfigurations(devicesConfiguration); + if (withAccessToken) setAccessTokenToDeviceConfigurations(devicesConfiguration); + else setOTPTokenToDeviceConfigurations(devicesConfiguration); return Response.status(Response.Status.OK).entity(devicesConfiguration).build(); } catch (DeviceManagementException e) { String msg = "Error occurred while retrieving configurations"; @@ -214,6 +220,33 @@ public class DeviceManagementConfigServiceImpl implements DeviceManagementConfig } } + private void setOTPTokenToDeviceConfigurations(DeviceConfiguration deviceConfiguration) + throws DeviceManagementException { + OneTimePinDTO oneTimePinData = new OneTimePinDTO(); + oneTimePinData.setEmail(OTPEmailTypes.DEVICE_ENROLLMENT.toString()); + oneTimePinData.setEmailType(OTPEmailTypes.DEVICE_ENROLLMENT.toString()); + oneTimePinData.setUsername(deviceConfiguration.getDeviceOwner()); + PrivilegedCarbonContext.startTenantFlow(); + PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain( + deviceConfiguration.getTenantDomain(), true); + oneTimePinData.setTenantId(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()); + PrivilegedCarbonContext.endTenantFlow(); + OTPManagementService otpManagementService = DeviceMgtAPIUtils.getOtpManagementService(); + try { + OneTimePinDTO oneTimePinDTO = otpManagementService.generateOneTimePin(oneTimePinData, true); + if (oneTimePinDTO == null) { + String msg = "Null value returned when generating OTP token for " + oneTimePinData.getOtpToken(); + log.error(msg); + throw new DeviceManagementException(msg); + } + deviceConfiguration.setAccessToken(oneTimePinDTO.getOtpToken()); + } catch (OTPManagementException ex) { + String msg = "Error occurred while generating one time pin: " + ex.getMessage(); + log.error(msg, ex); + throw new DeviceManagementException(msg, ex); + } + } + @Override @Path("/tenants") @GET diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.config.api/src/main/java/io/entgra/device/mgt/core/device/mgt/config/api/util/DeviceMgtAPIUtils.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.config.api/src/main/java/io/entgra/device/mgt/core/device/mgt/config/api/util/DeviceMgtAPIUtils.java index 53d8ee9a3e..c958b79e3d 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.config.api/src/main/java/io/entgra/device/mgt/core/device/mgt/config/api/util/DeviceMgtAPIUtils.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.config.api/src/main/java/io/entgra/device/mgt/core/device/mgt/config/api/util/DeviceMgtAPIUtils.java @@ -21,6 +21,7 @@ package io.entgra.device.mgt.core.device.mgt.config.api.util; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.wso2.carbon.context.PrivilegedCarbonContext; +import io.entgra.device.mgt.core.device.mgt.common.spi.OTPManagementService; import io.entgra.device.mgt.core.device.mgt.core.service.DeviceManagementProviderService; import org.wso2.carbon.user.core.service.RealmService; @@ -34,6 +35,8 @@ public class DeviceMgtAPIUtils { private static DeviceManagementProviderService deviceManagementProviderService = null; private static RealmService realmService = null; + private static OTPManagementService otpManagementService = null; + public static DeviceManagementProviderService getDeviceManagementService() { if (deviceManagementProviderService == null) { PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext(); @@ -48,6 +51,19 @@ public class DeviceMgtAPIUtils { return deviceManagementProviderService; } + public static OTPManagementService getOtpManagementService() { + if (otpManagementService == null) { + PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext(); + otpManagementService = (OTPManagementService) ctx.getOSGiService(OTPManagementService.class, null); + if (otpManagementService == null) { + String msg = "OTP Management Service has not initialized."; + log.error(msg); + throw new IllegalStateException(msg); + } + } + return otpManagementService; + } + public static RealmService getRealmService() { if (realmService == null) { PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext(); diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/otp/mgt/dao/impl/GenericOTPManagementDAOImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/otp/mgt/dao/impl/GenericOTPManagementDAOImpl.java index b755c2527b..e5755cd999 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/otp/mgt/dao/impl/GenericOTPManagementDAOImpl.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/otp/mgt/dao/impl/GenericOTPManagementDAOImpl.java @@ -18,6 +18,7 @@ package io.entgra.device.mgt.core.device.mgt.core.otp.mgt.dao.impl; +import io.entgra.device.mgt.core.device.mgt.common.DeviceManagementConstants; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import io.entgra.device.mgt.core.device.mgt.common.exceptions.DBConnectionException; @@ -56,7 +57,8 @@ public class GenericOTPManagementDAOImpl extends AbstractDAOImpl implements OTPM + "META_INFO, " + "CREATED_AT," + "TENANT_ID," - + "USERNAME) VALUES (?, ?, ?, ?, ?, ?, ?)"; + + "USERNAME, " + + "EXPIRY_TIME) VALUES (?, ?, ?, ?, ?, ?, ?, ?)"; try { Connection conn = this.getDBConnection(); Calendar calendar = Calendar.getInstance(); @@ -70,6 +72,8 @@ public class GenericOTPManagementDAOImpl extends AbstractDAOImpl implements OTPM stmt.setTimestamp(5, timestamp); stmt.setInt(6, oneTimePinDTO.getTenantId()); stmt.setString(7, oneTimePinDTO.getUsername()); + stmt.setInt(8, oneTimePinDTO.getExpiryTime() == 0 + ? DeviceManagementConstants.OTPProperties.OTP_DEFAULT_EXPIRY_SECONDS : oneTimePinDTO.getExpiryTime()); stmt.addBatch(); } stmt.executeBatch(); diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/otp/mgt/service/OTPManagementServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/otp/mgt/service/OTPManagementServiceImpl.java index c34408b2cc..ebf75b841e 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/otp/mgt/service/OTPManagementServiceImpl.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/otp/mgt/service/OTPManagementServiceImpl.java @@ -127,7 +127,8 @@ public class OTPManagementServiceImpl implements OTPManagementService { } @Override - public OneTimePinDTO isValidOTP(String oneTimeToken) throws OTPManagementException, BadRequestException { + public OneTimePinDTO isValidOTP(String oneTimeToken, boolean requireRenewal) throws OTPManagementException, + BadRequestException { if (StringUtils.isBlank(oneTimeToken)){ String msg = "Received blank OTP to verify. OTP: " + oneTimeToken; log.error(msg); @@ -151,17 +152,19 @@ public class OTPManagementServiceImpl implements OTPManagementService { oneTimePinDTO.getCreatedAt().getTime() + oneTimePinDTO.getExpiryTime() * 1000L); if (currentTimestamp.after(expiredTimestamp)) { - String renewedOTP = UUID.randomUUID().toString(); - renewOTP(oneTimePinDTO, renewedOTP); - Gson gson = new Gson(); - Tenant tenant = gson.fromJson(oneTimePinDTO.getMetaInfo(), Tenant.class); + if (requireRenewal) { + String renewedOTP = UUID.randomUUID().toString(); + renewOTP(oneTimePinDTO, renewedOTP); + Gson gson = new Gson(); + Tenant tenant = gson.fromJson(oneTimePinDTO.getMetaInfo(), Tenant.class); - Properties props = new Properties(); - props.setProperty("first-name", tenant.getAdminFirstName()); - props.setProperty("otp-token", renewedOTP); - props.setProperty("email", oneTimePinDTO.getEmail()); - props.setProperty("type", oneTimePinDTO.getEmailType()); - sendMail(props, oneTimePinDTO.getEmail(), DeviceManagementConstants.EmailAttributes.USER_VERIFY_TEMPLATE); + Properties props = new Properties(); + props.setProperty("first-name", tenant.getAdminFirstName()); + props.setProperty("otp-token", renewedOTP); + props.setProperty("email", oneTimePinDTO.getEmail()); + props.setProperty("type", oneTimePinDTO.getEmailType()); + sendMail(props, oneTimePinDTO.getEmail(), DeviceManagementConstants.EmailAttributes.USER_VERIFY_TEMPLATE); + } return null; } return oneTimePinDTO; @@ -244,8 +247,14 @@ public class OTPManagementServiceImpl implements OTPManagementService { for (String username : deviceEnrollmentInvitation.getUsernames()) { String emailAddress = DeviceManagerUtil.getUserClaimValue( username, DeviceManagementConstants.User.CLAIM_EMAIL_ADDRESS); - oneTimePinDTO = generateOneTimePin(emailAddress, OTPEmailTypes.DEVICE_ENROLLMENT.toString(), username, - null, tenantId, false); + + OneTimePinDTO oneTimePinData = new OneTimePinDTO(); + oneTimePinData.setEmail(emailAddress); + oneTimePinData.setTenantId(tenantId); + oneTimePinData.setUsername(username); + oneTimePinData.setEmailType(OTPEmailTypes.USER_INVITE.toString()); + + oneTimePinDTO = generateOneTimePin(oneTimePinData, false); oneTimePinDTOList.add(oneTimePinDTO); props.setProperty("first-name", DeviceManagerUtil. getUserClaimValue(username, DeviceManagementConstants.User.CLAIM_FIRST_NAME)); @@ -279,27 +288,17 @@ public class OTPManagementServiceImpl implements OTPManagementService { /** * Create One Time Token - * @param email email - * @param emailType email type - * @param userName username - * @param metaDataObj meta data object - * @param tenantId tenant Id + * @param oneTimePinDTO Data related to the one time pin * @return {@link OneTimePinDTO} */ @Override - public OneTimePinDTO generateOneTimePin(String email, String emailType, String userName, Object metaDataObj, - int tenantId, boolean persistPin) throws OTPManagementException { + public OneTimePinDTO generateOneTimePin(OneTimePinDTO oneTimePinDTO, boolean persistPin) throws OTPManagementException { String otpValue = UUID.randomUUID().toString(); Gson gson = new Gson(); - String metaInfo = gson.toJson(metaDataObj); + String metaInfo = gson.toJson(oneTimePinDTO.getMetaInfo()); - OneTimePinDTO oneTimePinDTO = new OneTimePinDTO(); - oneTimePinDTO.setEmail(email); - oneTimePinDTO.setTenantId(tenantId); - oneTimePinDTO.setUsername(userName); - oneTimePinDTO.setEmailType(emailType); oneTimePinDTO.setMetaInfo(metaInfo); oneTimePinDTO.setOtpToken(otpValue); diff --git a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/service/DeviceManagementProviderServiceImpl.java b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/service/DeviceManagementProviderServiceImpl.java index 0d2a3fb42c..ffd74099e7 100644 --- a/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/service/DeviceManagementProviderServiceImpl.java +++ b/components/device-mgt/io.entgra.device.mgt.core.device.mgt.core/src/main/java/io/entgra/device/mgt/core/device/mgt/core/service/DeviceManagementProviderServiceImpl.java @@ -467,6 +467,8 @@ public class DeviceManagementProviderServiceImpl implements DeviceManagementProv if (log.isDebugEnabled()) { log.debug("Modifying enrollment for device: " + device.getId() + " of type '" + device.getType() + "'"); } + String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(); + String userName = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUsername(); DeviceManager deviceManager = this.getDeviceManager(device.getType()); DeviceIdentifier deviceIdentifier = new DeviceIdentifier(device.getDeviceIdentifier(), device.getType()); if (deviceManager == null) { @@ -495,6 +497,7 @@ public class DeviceManagementProviderServiceImpl implements DeviceManagementProv enrollmentDAO.updateEnrollment(device.getEnrolmentInfo(), tenantId); DeviceManagementDAOFactory.commitTransaction(); + log.info("Device enrolled successfully", deviceEnrolmentLogContextBuilder.setDeviceId(String.valueOf(currentDevice.getId())).setDeviceType(String.valueOf(currentDevice.getType())).setOwner(currentDevice.getEnrolmentInfo().getOwner()).setOwnership(String.valueOf(currentDevice.getEnrolmentInfo().getOwnership())).setTenantID(String.valueOf(tenantId)).setTenantDomain(tenantDomain).setUserName(userName).build()); this.removeDeviceFromCache(deviceIdentifier); } catch (DeviceManagementDAOException e) { DeviceManagementDAOFactory.rollbackTransaction(); diff --git a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/DefaultTokenHandler.java b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/DefaultTokenHandler.java index 56bb34a285..82ebb63ba0 100644 --- a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/DefaultTokenHandler.java +++ b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/DefaultTokenHandler.java @@ -19,7 +19,6 @@ package io.entgra.device.mgt.core.ui.request.interceptor; import com.google.gson.Gson; -import com.google.gson.JsonElement; import com.google.gson.JsonObject; import com.google.gson.JsonParser; import io.entgra.device.mgt.core.ui.request.interceptor.beans.AuthData; @@ -28,12 +27,17 @@ import io.entgra.device.mgt.core.ui.request.interceptor.util.HandlerUtil; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.apache.http.HttpHeaders; import org.apache.http.HttpStatus; -import org.apache.http.client.methods.HttpGet; import org.apache.http.client.utils.URIBuilder; -import org.apache.http.entity.ContentType; import io.entgra.device.mgt.core.ui.request.interceptor.beans.ProxyResponse; +import org.wso2.carbon.context.PrivilegedCarbonContext; +import io.entgra.device.mgt.core.device.mgt.common.DeviceManagementConstants; +import io.entgra.device.mgt.core.device.mgt.common.exceptions.OTPManagementException; +import io.entgra.device.mgt.core.device.mgt.common.otp.mgt.OTPEmailTypes; +import io.entgra.device.mgt.core.device.mgt.common.otp.mgt.dto.OneTimePinDTO; +import io.entgra.device.mgt.core.device.mgt.common.spi.OTPManagementService; +import org.wso2.carbon.user.api.UserStoreException; +import org.wso2.carbon.user.core.service.RealmService; import javax.servlet.annotation.MultipartConfig; import javax.servlet.annotation.WebServlet; @@ -55,71 +59,28 @@ public class DefaultTokenHandler extends HttpServlet { HttpSession httpSession = req.getSession(false); if (httpSession != null) { - AuthData authData = (AuthData) httpSession.getAttribute(HandlerConstants.SESSION_AUTH_DATA_KEY); - if (authData == null) { - HandlerUtil.sendUnAuthorizeResponse(resp); - return; + String userWithDomain = (String) httpSession.getAttribute(HandlerConstants.USERNAME_WITH_DOMAIN); + String[] userNameParts = userWithDomain.split("@"); + + OneTimePinDTO oneTimePinData = new OneTimePinDTO(); + oneTimePinData.setEmail(OTPEmailTypes.REMOTE_SESSION.toString()); + oneTimePinData.setEmailType(OTPEmailTypes.REMOTE_SESSION.toString()); + oneTimePinData.setUsername(userNameParts[0]); + PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext(); + RealmService realmService = (RealmService) ctx.getOSGiService(RealmService.class, null); + try { + oneTimePinData.setTenantId(realmService.getTenantManager().getTenantId(userNameParts[1])); + } catch (UserStoreException e) { + throw new RuntimeException(e); } - - AuthData defaultAuthData = (AuthData) httpSession - .getAttribute(HandlerConstants.SESSION_DEFAULT_AUTH_DATA_KEY); - if (defaultAuthData != null) { - HandlerUtil.handleSuccess(resp, constructSuccessProxyResponse(defaultAuthData.getAccessToken())); - return; - } - - String clientId = authData.getClientId(); - String clientSecret = authData.getClientSecret(); - - String queryString = req.getQueryString(); - String scopeString = ""; - if (StringUtils.isNotEmpty(queryString)) { - scopeString = req.getParameter("scopes"); - if (scopeString != null) { - scopeString = "?scopes=" + scopeString; - } - } - - String iotsCoreUrl = req.getScheme() + HandlerConstants.SCHEME_SEPARATOR - + System.getProperty(HandlerConstants.IOT_GW_HOST_ENV_VAR) - + HandlerConstants.COLON + HandlerUtil.getGatewayPort(req.getScheme()); - String tokenUrl = iotsCoreUrl + "/api/device-mgt/v1.0/devices/" + clientId - + "/" + clientSecret + "/default-token" + scopeString; - - HttpGet defaultTokenRequest = new HttpGet(tokenUrl); - defaultTokenRequest - .setHeader(HttpHeaders.AUTHORIZATION, HandlerConstants.BEARER + authData.getAccessToken()); - defaultTokenRequest - .setHeader(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_FORM_URLENCODED.toString()); - ProxyResponse tokenResultResponse = HandlerUtil.execute(defaultTokenRequest); - - if (tokenResultResponse.getExecutorResponse().contains(HandlerConstants.EXECUTOR_EXCEPTION_PREFIX)) { - log.error("Error occurred while invoking the API to get default token data."); - HandlerUtil.handleError(resp, tokenResultResponse); - return; - } - String tokenResult = tokenResultResponse.getData(); - if (tokenResult == null) { - log.error("Invalid default token response is received."); - HandlerUtil.handleError(resp, tokenResultResponse); - return; - } - - JsonParser jsonParser = new JsonParser(); - JsonElement jTokenResult = jsonParser.parse(tokenResult); - if (jTokenResult.isJsonObject()) { - JsonObject jTokenResultAsJsonObject = jTokenResult.getAsJsonObject(); - AuthData newDefaultAuthData = new AuthData(); - newDefaultAuthData.setClientId(clientId); - newDefaultAuthData.setClientSecret(clientSecret); - - String defaultToken = jTokenResultAsJsonObject.get("accessToken").getAsString(); - newDefaultAuthData.setAccessToken(defaultToken); - newDefaultAuthData.setRefreshToken(jTokenResultAsJsonObject.get("refreshToken").getAsString()); - newDefaultAuthData.setScope(jTokenResultAsJsonObject.get("scopes").getAsString()); - httpSession.setAttribute(HandlerConstants.SESSION_DEFAULT_AUTH_DATA_KEY, newDefaultAuthData); - - HandlerUtil.handleSuccess(resp, constructSuccessProxyResponse(defaultToken)); + oneTimePinData.setExpiryTime(DeviceManagementConstants.OTPProperties.OTP_DEFAULT_EXPIRY_SECONDS); + OTPManagementService otpManagementService = HandlerUtil.getOTPManagementService(); + try { + oneTimePinData = otpManagementService.generateOneTimePin(oneTimePinData, true); + HandlerUtil.handleSuccess(resp, constructSuccessProxyResponse(oneTimePinData.getOtpToken())); + } catch (OTPManagementException e) { + log.error("Failed while generating remote session OTP for user " + userWithDomain, e); + HandlerUtil.handleError(resp, HttpStatus.SC_INTERNAL_SERVER_ERROR); } } else { HandlerUtil.sendUnAuthorizeResponse(resp); diff --git a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/UserHandler.java b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/UserHandler.java index f4ed2e0323..5c60a16558 100644 --- a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/UserHandler.java +++ b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/UserHandler.java @@ -120,6 +120,7 @@ public class UserHandler extends HttpServlet { proxyResponse.setData( jTokenResultAsJsonObject.get("username").getAsString().replaceAll("@carbon.super", "")); HandlerUtil.handleSuccess(resp, proxyResponse); + httpSession.setAttribute(HandlerConstants.USERNAME_WITH_DOMAIN, jTokenResultAsJsonObject.get("username").getAsString()); log.info("Customer login", userLogContextBuilder.setUserName(proxyResponse.getData()).setUserRegistered(true).build()); } } catch (IOException e) { diff --git a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerConstants.java b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerConstants.java index 239cf1c944..9aa9cb9fe6 100644 --- a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerConstants.java +++ b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerConstants.java @@ -106,4 +106,5 @@ public class HandlerConstants { public static final String IOT_REPORTING_WEBAPP_HOST_ENV_VAR = "iot.reporting.webapp.host"; public static final String USER_SCOPES = "userScopes"; public static final String HUBSPOT_CHAT_URL = "api.hubapi.com"; + public static final String USERNAME_WITH_DOMAIN = "usernameWithDomain"; } diff --git a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerUtil.java b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerUtil.java index 68aae89ee6..75b1643598 100644 --- a/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerUtil.java +++ b/components/ui-request-interceptor/io.entgra.device.mgt.core.ui.request.interceptor/src/main/java/io/entgra/device/mgt/core/ui/request/interceptor/util/HandlerUtil.java @@ -55,6 +55,8 @@ import org.json.JSONException; import org.json.JSONObject; import org.w3c.dom.Document; import io.entgra.device.mgt.core.ui.request.interceptor.beans.ProxyResponse; +import org.wso2.carbon.context.PrivilegedCarbonContext; +import io.entgra.device.mgt.core.device.mgt.common.spi.OTPManagementService; import org.xml.sax.SAXException; import javax.servlet.http.HttpServletRequest; @@ -79,6 +81,8 @@ public class HandlerUtil { private static boolean isLoginCacheInitialized = false; private static AuthData authData; + private static OTPManagementService otpManagementService; + /*** * * @param httpRequest - httpMethod e.g:- HttpPost, HttpGet @@ -751,4 +755,12 @@ public class HandlerUtil { public static boolean isPropertyDefined(String property) { return StringUtils.isEmpty(System.getProperty(property)); } + + public static OTPManagementService getOTPManagementService() { + if (otpManagementService == null) { + otpManagementService = (OTPManagementService) PrivilegedCarbonContext + .getThreadLocalCarbonContext().getOSGiService(OTPManagementService.class, null); + } + return otpManagementService; + } } diff --git a/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/BasicAuthAuthenticator.java b/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/BasicAuthAuthenticator.java index 9c7de39b5b..3478dd2dba 100644 --- a/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/BasicAuthAuthenticator.java +++ b/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/BasicAuthAuthenticator.java @@ -35,6 +35,7 @@ import io.entgra.device.mgt.core.webapp.authenticator.framework.Utils.Utils; import java.nio.charset.Charset; import java.util.Base64; import java.util.Properties; +import java.util.StringTokenizer; public class BasicAuthAuthenticator implements WebappAuthenticator { @@ -50,15 +51,23 @@ public class BasicAuthAuthenticator implements WebappAuthenticator { @Override public boolean canHandle(Request request) { /* - This is done to avoid every endpoint being able to use basic auth. Add the following to - the required web.xml of the web app. + This is done to avoid every web app being able to use basic auth. Add the following to + the required web.xml of the web app. This is a global config for a web app to allow all + contexts of the web app to use basic auth basicAuth true + + Adding the basicAuthAllowList parameter allows to selectively allow some context paths in a + web app to use basic auth while all the other context remain unavailable with basic auth. + If this parameter is present, any context that requires basic auth must be specially + added as comma separated list to the param-value of basicAuthAllowList. */ - if (!isAuthenticationSupported(request)) { - return false; + if (!isAllowListedForBasicAuth(request)) { + if (!isAuthenticationSupported(request)) { + return false; + } } if (request.getCoyoteRequest() == null || request.getCoyoteRequest().getMimeHeaders() == null) { return false; @@ -75,6 +84,20 @@ public class BasicAuthAuthenticator implements WebappAuthenticator { return false; } + private boolean isAllowListedForBasicAuth(Request request) { + String param = request.getContext().findParameter("basicAuthAllowList"); + if (param != null && !param.isEmpty()) { + //Add the nonSecured end-points to cache + String[] basicAuthAllowList = param.split(","); + for (String contexPath : basicAuthAllowList) { + if (request.getRequestURI().toString().endsWith(contexPath.trim())) { + return true; + } + } + } + return false; + } + @Override public AuthenticationInfo authenticate(Request request, Response response) { AuthenticationInfo authenticationInfo = new AuthenticationInfo(); diff --git a/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java b/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java index 06e879e37a..e4aad4b517 100644 --- a/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java +++ b/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java @@ -74,9 +74,17 @@ public class CertificateAuthenticator implements WebappAuthenticator { // When there is a load balancer terminating mutual SSL, it should pass this header along and // as the value of this header, the client certificate subject dn should be passed. if (request.getHeader(PROXY_MUTUAL_AUTH_HEADER) != null) { + if (log.isDebugEnabled()) { + log.debug("PROXY_MUTUAL_AUTH_HEADER " + request.getHeader(PROXY_MUTUAL_AUTH_HEADER)); + } CertificateResponse certificateResponse = AuthenticatorFrameworkDataHolder.getInstance(). getCertificateManagementService().verifySubjectDN(request.getHeader(PROXY_MUTUAL_AUTH_HEADER)); authenticationInfo = checkCertificateResponse(certificateResponse); + if (log.isDebugEnabled()) { + log.debug("Certificate Serial : " + certificateResponse.getSerialNumber() + + ", CN : " + certificateResponse.getCommonName() + + " , username" + authenticationInfo.getUsername()); + } } else if (request.getHeader(MUTUAL_AUTH_HEADER) != null) { Object object = request.getAttribute(CLIENT_CERTIFICATE_ATTRIBUTE); @@ -89,7 +97,6 @@ public class CertificateAuthenticator implements WebappAuthenticator { CertificateResponse certificateResponse = AuthenticatorFrameworkDataHolder.getInstance(). getCertificateManagementService().verifyPEMSignature(clientCertificate[0]); authenticationInfo = checkCertificateResponse(certificateResponse); - } else { authenticationInfo.setStatus(Status.FAILURE); authenticationInfo.setMessage("No client certificate is present"); diff --git a/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/OneTimeTokenAuthenticator.java b/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/OneTimeTokenAuthenticator.java index ca7684c651..6021f2ad1d 100644 --- a/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/OneTimeTokenAuthenticator.java +++ b/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/OneTimeTokenAuthenticator.java @@ -49,8 +49,18 @@ public class OneTimeTokenAuthenticator implements WebappAuthenticator { try { OTPManagementService otpManagementService = AuthenticatorFrameworkDataHolder.getInstance() .getOtpManagementService(); - OneTimePinDTO validOTP = otpManagementService.isValidOTP(request.getHeader(Constants.HTTPHeaders - .ONE_TIME_TOKEN_HEADER)); + OneTimePinDTO validOTP; + if (request.getRequestURI().toString().endsWith("cloud/download-url") + || request.getRequestURI().toString().endsWith("cloud/tenant")) { + validOTP = otpManagementService.isValidOTP(request.getHeader(Constants.HTTPHeaders + .ONE_TIME_TOKEN_HEADER), true); + } else { + log.info("Validating OTP for enrollments PIN: " + request.getHeader(Constants + .HTTPHeaders.ONE_TIME_TOKEN_HEADER)); + validOTP = otpManagementService.isValidOTP(request.getHeader(Constants.HTTPHeaders + .ONE_TIME_TOKEN_HEADER), false); + } + if (validOTP != null) { authenticationInfo.setStatus(Status.CONTINUE); authenticationInfo.setTenantId(validOTP.getTenantId());