OTP for enrollment with Mutual TLS

Fixes https://roadmap.entgra.net/issues/10093
1 year ago · 1aafd53d3e
parent 19ce7d6fac
commit 1aafd53d3e
9 changed files with 93 additions and 37 deletions
--- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/DeviceManagementConstants.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/DeviceManagementConstants.java
@ -134,6 +134,8 @@ public final class DeviceManagementConstants {
        public static final String LAST_NAME = "last-name";
        public static final String TENANT_ADMIN_USERNAME = "tenant-admin-username";
        public static final String TENANT_ADMIN_PASSWORD = "tenant-admin-password";
+
+        public static final int OTP_DEFAULT_EXPIRY_SECONDS = 3600;
    }

    public static final class EventServices {
--- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/general/QREnrollmentDetails.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/general/QREnrollmentDetails.java
@ -22,6 +22,7 @@ public class QREnrollmentDetails {
    String ownershipType;
    String username;
    String enrollmentMode;
+    int tokenExpiry;

    public String getOwnershipType() { return ownershipType; }

@ -34,4 +35,12 @@ public class QREnrollmentDetails {
    public String getEnrollmentMode() { return enrollmentMode; }

    public void setEnrollmentMode(String enrollmentMode) { this.enrollmentMode = enrollmentMode; }
+
+    public int getTokenExpiry() {
+        return tokenExpiry;
+    }
+
+    public void setTokenExpiry(int tokenExpiry) {
+        this.tokenExpiry = tokenExpiry;
+    }
 }
--- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/otp/mgt/OTPEmailTypes.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/otp/mgt/OTPEmailTypes.java
@ -18,5 +18,5 @@
 package org.wso2.carbon.device.mgt.common.otp.mgt;

 public enum OTPEmailTypes {
-    USER_VERIFY, DEVICE_ENROLLMENT
+    USER_VERIFY, DEVICE_ENROLLMENT, USER_INVITE
 }
--- a/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/spi/OTPManagementService.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/spi/OTPManagementService.java
@ -34,7 +34,8 @@ public interface OTPManagementService {
     * @throws OTPManagementException if error occurred whle verifying validity of the OPT
     * @throws BadRequestException if found an null value for OTP
     */
-    OneTimePinDTO isValidOTP(String oneTimeToken) throws OTPManagementException, BadRequestException;
+    OneTimePinDTO isValidOTP(String oneTimeToken, boolean requireRenewal) throws
+            OTPManagementException, BadRequestException;

    /**
     * Invalidate the OTP and send welcome mail
@ -58,8 +59,7 @@ public interface OTPManagementService {
    boolean hasEmailRegistered(String email, String emailDomain) throws OTPManagementException,
            DeviceManagementException;

-    OneTimePinDTO generateOneTimePin(String email, String emailType, String userName, Object metaDataObj,
-                                     int tenantId, boolean persistPin) throws OTPManagementException;
+    OneTimePinDTO generateOneTimePin(OneTimePinDTO oneTimePinData, boolean persistPin) throws OTPManagementException;

    OneTimePinDTO getRenewedOtpByEmailAndMailType(String email, String emailType) throws OTPManagementException;

--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/otp/mgt/dao/impl/GenericOTPManagementDAOImpl.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/otp/mgt/dao/impl/GenericOTPManagementDAOImpl.java
@ -19,6 +19,7 @@ package org.wso2.carbon.device.mgt.core.otp.mgt.dao.impl;

 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.device.mgt.common.DeviceManagementConstants;
 import org.wso2.carbon.device.mgt.common.exceptions.DBConnectionException;
 import org.wso2.carbon.device.mgt.common.otp.mgt.dto.OneTimePinDTO;
 import org.wso2.carbon.device.mgt.core.otp.mgt.dao.AbstractDAOImpl;
@ -55,7 +56,8 @@ public class GenericOTPManagementDAOImpl extends AbstractDAOImpl implements OTPM
                + "META_INFO, "
                + "CREATED_AT,"
                + "TENANT_ID,"
-                + "USERNAME) VALUES (?, ?, ?, ?, ?, ?, ?)";
+                + "USERNAME, "
+                + "EXPIRY_TIME) VALUES (?, ?, ?, ?, ?, ?, ?, ?)";
        try {
            Connection conn = this.getDBConnection();
            Calendar calendar = Calendar.getInstance();
@ -69,6 +71,8 @@ public class GenericOTPManagementDAOImpl extends AbstractDAOImpl implements OTPM
                    stmt.setTimestamp(5, timestamp);
                    stmt.setInt(6, oneTimePinDTO.getTenantId());
                    stmt.setString(7, oneTimePinDTO.getUsername());
+                    stmt.setInt(8, oneTimePinDTO.getExpiryTime() == 0
+                            ? DeviceManagementConstants.OTPProperties.OTP_DEFAULT_EXPIRY_SECONDS : oneTimePinDTO.getExpiryTime());
                    stmt.addBatch();
                }
                stmt.executeBatch();
--- a/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/otp/mgt/service/OTPManagementServiceImpl.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/otp/mgt/service/OTPManagementServiceImpl.java
@ -126,7 +126,8 @@ public class OTPManagementServiceImpl implements OTPManagementService {
    }

    @Override
-    public OneTimePinDTO isValidOTP(String oneTimeToken) throws OTPManagementException, BadRequestException {
+    public OneTimePinDTO isValidOTP(String oneTimeToken, boolean requireRenewal) throws OTPManagementException,
+            BadRequestException {
        if (StringUtils.isBlank(oneTimeToken)){
            String msg = "Received blank OTP to verify. OTP: " + oneTimeToken;
            log.error(msg);
@ -150,17 +151,19 @@ public class OTPManagementServiceImpl implements OTPManagementService {
                oneTimePinDTO.getCreatedAt().getTime() + oneTimePinDTO.getExpiryTime() * 1000L);

        if (currentTimestamp.after(expiredTimestamp)) {
-            String renewedOTP = UUID.randomUUID().toString();
-            renewOTP(oneTimePinDTO, renewedOTP);
-            Gson gson = new Gson();
-            Tenant tenant = gson.fromJson(oneTimePinDTO.getMetaInfo(), Tenant.class);
+            if (requireRenewal) {
+                String renewedOTP = UUID.randomUUID().toString();
+                renewOTP(oneTimePinDTO, renewedOTP);
+                Gson gson = new Gson();
+                Tenant tenant = gson.fromJson(oneTimePinDTO.getMetaInfo(), Tenant.class);

-            Properties props = new Properties();
-            props.setProperty("first-name", tenant.getAdminFirstName());
-            props.setProperty("otp-token", renewedOTP);
-            props.setProperty("email", oneTimePinDTO.getEmail());
-            props.setProperty("type", oneTimePinDTO.getEmailType());
-            sendMail(props, oneTimePinDTO.getEmail(), DeviceManagementConstants.EmailAttributes.USER_VERIFY_TEMPLATE);
+                Properties props = new Properties();
+                props.setProperty("first-name", tenant.getAdminFirstName());
+                props.setProperty("otp-token", renewedOTP);
+                props.setProperty("email", oneTimePinDTO.getEmail());
+                props.setProperty("type", oneTimePinDTO.getEmailType());
+                sendMail(props, oneTimePinDTO.getEmail(), DeviceManagementConstants.EmailAttributes.USER_VERIFY_TEMPLATE);
+            }
            return null;
        }
        return oneTimePinDTO;
@ -243,8 +246,14 @@ public class OTPManagementServiceImpl implements OTPManagementService {
            for (String username : deviceEnrollmentInvitation.getUsernames()) {
                String emailAddress = DeviceManagerUtil.getUserClaimValue(
                        username, DeviceManagementConstants.User.CLAIM_EMAIL_ADDRESS);
-                oneTimePinDTO = generateOneTimePin(emailAddress, OTPEmailTypes.DEVICE_ENROLLMENT.toString(), username,
-                        null, tenantId, false);
+
+                OneTimePinDTO oneTimePinData = new OneTimePinDTO();
+                oneTimePinData.setEmail(emailAddress);
+                oneTimePinData.setTenantId(tenantId);
+                oneTimePinData.setUsername(username);
+                oneTimePinData.setEmailType(OTPEmailTypes.USER_INVITE.toString());
+
+                oneTimePinDTO = generateOneTimePin(oneTimePinData, false);
                oneTimePinDTOList.add(oneTimePinDTO);
                props.setProperty("first-name", DeviceManagerUtil.
                        getUserClaimValue(username, DeviceManagementConstants.User.CLAIM_FIRST_NAME));
@ -278,27 +287,17 @@ public class OTPManagementServiceImpl implements OTPManagementService {

    /**
     * Create One Time Token
-     * @param email email
-     * @param emailType email type
-     * @param userName username
-     * @param metaDataObj meta data object
-     * @param tenantId tenant Id
+     * @param oneTimePinDTO Data related to the one time pin
     * @return {@link OneTimePinDTO}
     */
    @Override
-    public OneTimePinDTO generateOneTimePin(String email, String emailType, String userName, Object metaDataObj,
-                                            int tenantId, boolean persistPin) throws OTPManagementException {
+    public OneTimePinDTO generateOneTimePin(OneTimePinDTO oneTimePinDTO, boolean persistPin) throws OTPManagementException {

        String otpValue = UUID.randomUUID().toString();

        Gson gson = new Gson();
-        String metaInfo = gson.toJson(metaDataObj);
+        String metaInfo = gson.toJson(oneTimePinDTO.getMetaInfo());

-        OneTimePinDTO oneTimePinDTO = new OneTimePinDTO();
-        oneTimePinDTO.setEmail(email);
-        oneTimePinDTO.setTenantId(tenantId);
-        oneTimePinDTO.setUsername(userName);
-        oneTimePinDTO.setEmailType(emailType);
        oneTimePinDTO.setMetaInfo(metaInfo);
        oneTimePinDTO.setOtpToken(otpValue);

--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/BasicAuthAuthenticator.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/BasicAuthAuthenticator.java
@ -36,6 +36,7 @@ import org.wso2.carbon.webapp.authenticator.framework.Utils.Utils;
 import java.nio.charset.Charset;
 import java.util.Base64;
 import java.util.Properties;
+import java.util.StringTokenizer;

 public class BasicAuthAuthenticator implements WebappAuthenticator {

@ -51,15 +52,23 @@ public class BasicAuthAuthenticator implements WebappAuthenticator {
    @Override
    public boolean canHandle(Request request) {
        /*
-        This is done to avoid every endpoint being able to use basic auth. Add the following to
-        the required web.xml of the web app.
+        This is done to avoid every web app being able to use basic auth. Add the following to
+        the required web.xml of the web app. This is a global config for a web app to allow all
+        contexts of the web app to use basic auth
        <context-param>
            <param-name>basicAuth</param-name>
            <param-value>true</param-value>
 	    </context-param>
+
+	    Adding the basicAuthAllowList parameter allows to selectively allow some context paths in a
+	    web app to use basic auth while all the other context remain unavailable with basic auth.
+	    If this parameter is present, any context that requires basic auth must be specially
+	    added as comma separated list to the param-value of basicAuthAllowList.
         */
-        if (!isAuthenticationSupported(request)) {
-            return false;
+        if (!isAllowListedForBasicAuth(request)) {
+            if (!isAuthenticationSupported(request)) {
+                return false;
+            }
        }
        if (request.getCoyoteRequest() == null || request.getCoyoteRequest().getMimeHeaders() == null) {
            return false;
@ -76,6 +85,20 @@ public class BasicAuthAuthenticator implements WebappAuthenticator {
        return false;
    }

+    private boolean isAllowListedForBasicAuth(Request request) {
+        String param = request.getContext().findParameter("basicAuthAllowList");
+        if (param != null && !param.isEmpty()) {
+            //Add the nonSecured end-points to cache
+            String[] basicAuthAllowList = param.split(",");
+            for (String contexPath : basicAuthAllowList) {
+                if (request.getRequestURI().toString().endsWith(contexPath.trim())) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
    @Override
    public AuthenticationInfo authenticate(Request request, Response response) {
        AuthenticationInfo authenticationInfo = new AuthenticationInfo();
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java
@ -75,21 +75,30 @@ public class CertificateAuthenticator implements WebappAuthenticator {
            // When there is a load balancer terminating mutual SSL, it should pass this header along and
            // as the value of this header, the client certificate subject dn should be passed.
            if (request.getHeader(PROXY_MUTUAL_AUTH_HEADER) != null) {
+                log.info("PROXY_MUTUAL_AUTH_HEADER " + request.getHeader(PROXY_MUTUAL_AUTH_HEADER));
                CertificateResponse certificateResponse = AuthenticatorFrameworkDataHolder.getInstance().
                        getCertificateManagementService().verifySubjectDN(request.getHeader(PROXY_MUTUAL_AUTH_HEADER));
+                log.info("clientCertificate" + certificateResponse.getSerialNumber());
+                log.info("clientCertificate" + certificateResponse.getCommonName());
                authenticationInfo = checkCertificateResponse(certificateResponse);
+                log.info("username" + authenticationInfo.getUsername());
            }
            else if (request.getHeader(MUTUAL_AUTH_HEADER) != null) {
+                log.info("MUTUAL_AUTH_HEADER");
                Object object = request.getAttribute(CLIENT_CERTIFICATE_ATTRIBUTE);
                X509Certificate[] clientCertificate = null;
                if (object instanceof  X509Certificate[]) {
+                    log.info("clientCertificate");
                    clientCertificate = (X509Certificate[]) request.
                            getAttribute(CLIENT_CERTIFICATE_ATTRIBUTE);
                }
                if (clientCertificate != null && clientCertificate[0] != null) {
                    CertificateResponse certificateResponse = AuthenticatorFrameworkDataHolder.getInstance().
                            getCertificateManagementService().verifyPEMSignature(clientCertificate[0]);
+                    log.info("clientCertificate" + certificateResponse.getSerialNumber());
+                    log.info("clientCertificate" + certificateResponse.getCommonName());
                    authenticationInfo = checkCertificateResponse(certificateResponse);
+                    log.info("username" + authenticationInfo.getUsername());

                } else {
                    authenticationInfo.setStatus(Status.FAILURE);
--- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OneTimeTokenAuthenticator.java
+++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/OneTimeTokenAuthenticator.java
@ -49,8 +49,18 @@ public class OneTimeTokenAuthenticator implements WebappAuthenticator {
        try {
            OTPManagementService otpManagementService = AuthenticatorFrameworkDataHolder.getInstance()
                    .getOtpManagementService();
-            OneTimePinDTO validOTP = otpManagementService.isValidOTP(request.getHeader(Constants.HTTPHeaders
-                    .ONE_TIME_TOKEN_HEADER));
+            OneTimePinDTO validOTP;
+            if (request.getRequestURI().toString().endsWith("cloud/download-url")
+                    || request.getRequestURI().toString().endsWith("cloud/tenant")) {
+                validOTP = otpManagementService.isValidOTP(request.getHeader(Constants.HTTPHeaders
+                        .ONE_TIME_TOKEN_HEADER), true);
+            } else {
+                log.info("Validating OTP for enrollments PIN: " + request.getHeader(Constants
+                        .HTTPHeaders.ONE_TIME_TOKEN_HEADER));
+                validOTP = otpManagementService.isValidOTP(request.getHeader(Constants.HTTPHeaders
+                        .ONE_TIME_TOKEN_HEADER), false);
+            }
+
            if (validOTP != null) {
                authenticationInfo.setStatus(Status.CONTINUE);
                authenticationInfo.setTenantId(validOTP.getTenantId());