@ -21,13 +21,11 @@ package io.entgra.device.mgt.core.webapp.authenticator.framework.authenticator;
import io.entgra.device.mgt.core.certificate.mgt.core.dto.CertificateResponse ;
import io.entgra.device.mgt.core.certificate.mgt.core.dto.CertificateResponse ;
import io.entgra.device.mgt.core.certificate.mgt.core.exception.KeystoreException ;
import io.entgra.device.mgt.core.certificate.mgt.core.exception.KeystoreException ;
import io.entgra.device.mgt.core.certificate.mgt.core.scep.SCEPException ;
import io.entgra.device.mgt.core.certificate.mgt.core.scep.SCEPException ;
import io.entgra.device.mgt.core.certificate.mgt.core.scep.SCEPManager ;
import io.entgra.device.mgt.core.certificate.mgt.core.scep.TenantedDeviceWrapper ;
import io.entgra.device.mgt.core.device.mgt.common.DeviceIdentifier ;
import io.entgra.device.mgt.core.device.mgt.common.DeviceIdentifier ;
import io.entgra.device.mgt.core.device.mgt.common.DeviceManagementConstants ;
import io.entgra.device.mgt.core.device.mgt.common.DeviceManagementConstants ;
import io.entgra.device.mgt.core.device.mgt.common.EnrolmentInfo ;
import io.entgra.device.mgt.core.webapp.authenticator.framework.AuthenticationException ;
import io.entgra.device.mgt.core.webapp.authenticator.framework.AuthenticationException ;
import io.entgra.device.mgt.core.webapp.authenticator.framework.AuthenticationInfo ;
import io.entgra.device.mgt.core.webapp.authenticator.framework.AuthenticationInfo ;
import io.entgra.device.mgt.core.webapp.authenticator.framework.Constants ;
import io.entgra.device.mgt.core.webapp.authenticator.framework.Utils.Utils ;
import io.entgra.device.mgt.core.webapp.authenticator.framework.Utils.Utils ;
import io.entgra.device.mgt.core.webapp.authenticator.framework.internal.AuthenticatorFrameworkDataHolder ;
import io.entgra.device.mgt.core.webapp.authenticator.framework.internal.AuthenticatorFrameworkDataHolder ;
import org.apache.catalina.connector.Request ;
import org.apache.catalina.connector.Request ;
@ -45,9 +43,6 @@ public class CertificateAuthenticator implements WebappAuthenticator {
private static final Log log = LogFactory . getLog ( CertificateAuthenticator . class ) ;
private static final Log log = LogFactory . getLog ( CertificateAuthenticator . class ) ;
private static final String CERTIFICATE_AUTHENTICATOR = "CertificateAuth" ;
private static final String CERTIFICATE_AUTHENTICATOR = "CertificateAuth" ;
private static final String MUTUAL_AUTH_HEADER = "mutual-auth-header" ;
private static final String PROXY_MUTUAL_AUTH_HEADER = "proxy-mutual-auth-header" ;
private static final String CERTIFICATE_VERIFICATION_HEADER = "Mdm-Signature" ;
private static final String CLIENT_CERTIFICATE_ATTRIBUTE = "javax.servlet.request.X509Certificate" ;
private static final String CLIENT_CERTIFICATE_ATTRIBUTE = "javax.servlet.request.X509Certificate" ;
@Override
@Override
@ -57,8 +52,9 @@ public class CertificateAuthenticator implements WebappAuthenticator {
@Override
@Override
public boolean canHandle ( Request request ) {
public boolean canHandle ( Request request ) {
return request . getHeader ( CERTIFICATE_VERIFICATION_HEADER ) ! = null
return request . getHeader ( Constants . HTTPHeaders . CERTIFICATE_VERIFICATION_HEADER ) ! = null
| | request . getHeader ( MUTUAL_AUTH_HEADER ) ! = null | | request . getHeader ( PROXY_MUTUAL_AUTH_HEADER ) ! = null ;
| | request . getHeader ( Constants . HTTPHeaders . MUTUAL_AUTH_HEADER ) ! = null | |
request . getHeader ( Constants . HTTPHeaders . PROXY_MUTUAL_AUTH_HEADER ) ! = null ;
}
}
@Override
@Override
@ -73,12 +69,14 @@ public class CertificateAuthenticator implements WebappAuthenticator {
try {
try {
// When there is a load balancer terminating mutual SSL, it should pass this header along and
// When there is a load balancer terminating mutual SSL, it should pass this header along and
// as the value of this header, the client certificate subject dn should be passed.
// as the value of this header, the client certificate subject dn should be passed.
if ( request . getHeader ( PROXY_MUTUAL_AUTH_HEADER) ! = null ) {
if ( request . getHeader ( Constants. HTTPHeaders . PROXY_MUTUAL_AUTH_HEADER) ! = null ) {
if ( log . isDebugEnabled ( ) ) {
if ( log . isDebugEnabled ( ) ) {
log . debug ( "PROXY_MUTUAL_AUTH_HEADER " + request . getHeader ( PROXY_MUTUAL_AUTH_HEADER ) ) ;
log . debug ( "PROXY_MUTUAL_AUTH_HEADER " +
request . getHeader ( Constants . HTTPHeaders . PROXY_MUTUAL_AUTH_HEADER ) ) ;
}
}
CertificateResponse certificateResponse = AuthenticatorFrameworkDataHolder . getInstance ( ) .
CertificateResponse certificateResponse = AuthenticatorFrameworkDataHolder . getInstance ( ) .
getCertificateManagementService ( ) . verifySubjectDN ( request . getHeader ( PROXY_MUTUAL_AUTH_HEADER ) ) ;
getCertificateManagementService ( ) . verifySubjectDN ( request . getHeader (
Constants . HTTPHeaders . PROXY_MUTUAL_AUTH_HEADER ) ) ;
authenticationInfo = checkCertificateResponse ( certificateResponse ) ;
authenticationInfo = checkCertificateResponse ( certificateResponse ) ;
if ( log . isDebugEnabled ( ) ) {
if ( log . isDebugEnabled ( ) ) {
log . debug ( "Certificate Serial : " + certificateResponse . getSerialNumber ( )
log . debug ( "Certificate Serial : " + certificateResponse . getSerialNumber ( )
@ -86,7 +84,7 @@ public class CertificateAuthenticator implements WebappAuthenticator {
+ " , username" + authenticationInfo . getUsername ( ) ) ;
+ " , username" + authenticationInfo . getUsername ( ) ) ;
}
}
}
}
else if ( request . getHeader ( MUTUAL_AUTH_HEADER) ! = null ) {
else if ( request . getHeader ( Constants. HTTPHeaders . MUTUAL_AUTH_HEADER) ! = null ) {
Object object = request . getAttribute ( CLIENT_CERTIFICATE_ATTRIBUTE ) ;
Object object = request . getAttribute ( CLIENT_CERTIFICATE_ATTRIBUTE ) ;
X509Certificate [ ] clientCertificate = null ;
X509Certificate [ ] clientCertificate = null ;
if ( object instanceof X509Certificate [ ] ) {
if ( object instanceof X509Certificate [ ] ) {
@ -101,13 +99,11 @@ public class CertificateAuthenticator implements WebappAuthenticator {
authenticationInfo . setStatus ( Status . FAILURE ) ;
authenticationInfo . setStatus ( Status . FAILURE ) ;
authenticationInfo . setMessage ( "No client certificate is present" ) ;
authenticationInfo . setMessage ( "No client certificate is present" ) ;
}
}
} else if ( request . getHeader ( C ERTIFICATE_VERIFICATION_HEADER) ! = null ) {
} else if ( request . getHeader ( C onstants. HTTPHeaders . C ERTIFICATE_VERIFICATION_HEADER) ! = null ) {
String certHeader = request . getHeader ( C ERTIFICATE_VERIFICATION_HEADER) ;
String certHeader = request . getHeader ( C onstants. HTTPHeaders . C ERTIFICATE_VERIFICATION_HEADER) ;
if ( certHeader ! = null & &
if ( certHeader ! = null & &
AuthenticatorFrameworkDataHolder . getInstance ( ) . getCertificateManagementService ( ) .
AuthenticatorFrameworkDataHolder . getInstance ( ) . getCertificateManagementService ( ) .
verifySignature ( certHeader ) ) {
verifySignature ( certHeader ) ) {
AuthenticatorFrameworkDataHolder . getInstance ( ) . getCertificateManagementService ( ) .
extractCertificateFromSignature ( certHeader ) ;
X509Certificate certificate =
X509Certificate certificate =
AuthenticatorFrameworkDataHolder . getInstance ( ) . getCertificateManagementService ( ) .
AuthenticatorFrameworkDataHolder . getInstance ( ) . getCertificateManagementService ( ) .
extractCertificateFromSignature ( certHeader ) ;
extractCertificateFromSignature ( certHeader ) ;
@ -116,30 +112,37 @@ public class CertificateAuthenticator implements WebappAuthenticator {
if ( challengeToken ! = null ) {
if ( challengeToken ! = null ) {
challengeToken = challengeToken . substring ( challengeToken . indexOf ( "(" ) + 1 ) . trim ( ) ;
challengeToken = challengeToken . substring ( challengeToken . indexOf ( "(" ) + 1 ) . trim ( ) ;
SCEPManager scepManager = AuthenticatorFrameworkDataHolder . getInstance ( ) . getScepManager ( ) ;
DeviceIdentifier deviceIdentifier = new DeviceIdentifier ( ) ;
DeviceIdentifier deviceIdentifier = new DeviceIdentifier ( ) ;
deviceIdentifier . setId ( challengeToken ) ;
deviceIdentifier . setId ( challengeToken ) ;
deviceIdentifier . setType ( DeviceManagementConstants . MobileDeviceTypes . MOBILE_DEVICE_TYPE_IOS ) ;
deviceIdentifier . setType ( DeviceManagementConstants . MobileDeviceTypes . MOBILE_DEVICE_TYPE_IOS ) ;
TenantedDeviceWrapper tenantedDeviceWrapper = scepManager . getValidatedDevice ( deviceIdentifier ) ;
Utils . validateScepDevice ( deviceIdentifier , authenticationInfo ) ;
authenticationInfo . setTenantDomain ( tenantedDeviceWrapper . getTenantDomain ( ) ) ;
// To make sure the tenant flow is not initiated in the valve as the
// tenant flows are initiated at the API level on iOS
authenticationInfo . setTenantId ( - 1 ) ;
if ( tenantedDeviceWrapper . getDevice ( ) ! = null & &
tenantedDeviceWrapper . getDevice ( ) . getEnrolmentInfo ( ) ! = null ) {
EnrolmentInfo enrolmentInfo = tenantedDeviceWrapper . getDevice ( ) . getEnrolmentInfo ( ) ;
authenticationInfo . setUsername ( enrolmentInfo . getOwner ( ) ) ;
}
authenticationInfo . setStatus ( Status . CONTINUE ) ;
authenticationInfo . setStatus ( Status . CONTINUE ) ;
} else {
DeviceIdentifier deviceIdentifier = new DeviceIdentifier ( ) ;
String deviceId = Utils . getSubjectDnAttribute ( certificate ,
Constants . Certificate . ORGANIZATION_ATTRIBUTE ) ;
if ( deviceId = = null ) {
authenticationInfo . setStatus ( Status . FAILURE ) ;
return authenticationInfo ;
}
deviceIdentifier . setId ( deviceId ) ;
deviceIdentifier . setType (
DeviceManagementConstants . MobileDeviceTypes . MOBILE_DEVICE_TYPE_WINDOWS ) ;
Utils . validateScepDevice ( deviceIdentifier , authenticationInfo ) ;
authenticationInfo . setStatus ( Status . SUCCESS ) ;
}
}
}
}
}
}
} catch ( KeystoreException e ) {
} catch ( KeystoreException e ) {
log . error ( "KeystoreException occurred " , e ) ;
String msg = "Error occurred while validating device client certificate." ;
log . error ( msg , e ) ;
authenticationInfo . setStatus ( Status . FAILURE ) ;
authenticationInfo . setMessage ( msg ) ;
} catch ( SCEPException e ) {
} catch ( SCEPException e ) {
log . error ( "SCEPException occurred " , e ) ;
String msg = "Error occurred while validating device identification." ;
log . error ( msg , e ) ;
authenticationInfo . setStatus ( Status . FAILURE ) ;
authenticationInfo . setMessage ( msg ) ;
}
}
return authenticationInfo ;
return authenticationInfo ;
}
}