From c61cd953b268943350c90f30a05be7c0a528b666 Mon Sep 17 00:00:00 2001 From: ayyoob Date: Wed, 1 Feb 2017 00:08:51 +0530 Subject: [PATCH] few fixes after testing sso --- .../distribution/src/ues/designer.json | 4 +- .../distribution/identity_config_change.xml | 9 - modules/core/distribution/pom.xml | 2 +- .../core/distribution/src/assembly/bin.xml | 11 +- .../identity/service-providers/publisher.xml | 2 +- .../conf/identity/service-providers/store.xml | 2 +- .../jaggeryapps/portal/configs/designer.json | 8 +- .../modules/oauth/token-handler-utils.js | 567 ------------------ 8 files changed, 10 insertions(+), 595 deletions(-) delete mode 100644 modules/core/distribution/src/repository/jaggeryapps/portal/modules/oauth/token-handler-utils.js diff --git a/modules/analytics/distribution/src/ues/designer.json b/modules/analytics/distribution/src/ues/designer.json index 7b817a49..f530bd67 100644 --- a/modules/analytics/distribution/src/ues/designer.json +++ b/modules/analytics/distribution/src/ues/designer.json @@ -43,11 +43,11 @@ "password":"admin", "dynamicClientAppRegistrationServiceURL": "https://localhost:9443/dynamic-client-web/register", "apiManagerClientAppRegistrationServiceURL": "https://localhost:9443/api-application-registration/register/tenants", - "grantType": "password refresh_token urn:ietf:carbon:signed:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer", + "grantType": "password refresh_token urn:ietf:urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer", "tokenScope": "admin", "callbackUrl": "https://localhost:9445/portal", "saasApp":true, - "samlGrantTypeName":"urn:ietf:carbon:signed:grant-type:saml2-bearer" + "samlGrantTypeName":"urn:ietf:params:oauth:grant-type:saml2-bearer" }, "tokenServiceURL": "https://localhost:9443/oauth2/token" diff --git a/modules/core/distribution/identity_config_change.xml b/modules/core/distribution/identity_config_change.xml index 8e497d20..7bfd9df4 100644 --- a/modules/core/distribution/identity_config_change.xml +++ b/modules/core/distribution/identity_config_change.xml @@ -29,13 +29,4 @@ org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator ]]> - - //s:Server/s:OAuth/s:SupportedGrantTypes/s:SupportedGrantType[s:GrantTypeName='iwa:ntlm'] - - - urn:ietf:carbon:signed:grant-type:saml2-bearer - org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant.ExtendedSAML2BearerGrantHandler - org.wso2.carbon.identity.oauth.common.SAML2GrantValidator - ]]> - \ No newline at end of file diff --git a/modules/core/distribution/pom.xml b/modules/core/distribution/pom.xml index 6b74d4c3..910fa08b 100644 --- a/modules/core/distribution/pom.xml +++ b/modules/core/distribution/pom.xml @@ -128,7 +128,7 @@ /Server/OAuth/SupportedGrantTypes/SupportedGrantType (org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler) - org.wso2.carbon.apimgt.keymgt.handlers.ExtendedSAML2BearerGrantHandler + org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant.ExtendedSAML2BearerGrantHandler /Server/OAuth/SupportedGrantTypes/SupportedGrantType diff --git a/modules/core/distribution/src/assembly/bin.xml b/modules/core/distribution/src/assembly/bin.xml index 4410406d..0849ebbb 100644 --- a/modules/core/distribution/src/assembly/bin.xml +++ b/modules/core/distribution/src/assembly/bin.xml @@ -115,6 +115,7 @@ **/repository/conf/security/Owasp.CsrfGuard.Carbon.properties **/repository/components/plugins/httpclient_4.3.2.wso2v1.jar **/conf/tomcat/carbon/WEB-INF/web.xml + **/repository/components/plugins/org.wso2.carbon.hostobjects.sso_4.5.4.jar @@ -741,7 +742,6 @@ **/configs/designer.json - **/modules/oauth/token-handler-utils.js **/jaggery.conf @@ -798,15 +798,6 @@ 755 - - - - src/repository/jaggeryapps/portal/modules/oauth/token-handler-utils.js - - ${pom.artifactId}-${pom.version}/repository/deployment/server/jaggeryapps/portal/modules/oauth - - 755 - diff --git a/modules/core/distribution/src/repository/conf/identity/service-providers/publisher.xml b/modules/core/distribution/src/repository/conf/identity/service-providers/publisher.xml index 503833ce..33a4736d 100644 --- a/modules/core/distribution/src/repository/conf/identity/service-providers/publisher.xml +++ b/modules/core/distribution/src/repository/conf/identity/service-providers/publisher.xml @@ -44,7 +44,7 @@ true - false + true diff --git a/modules/core/distribution/src/repository/conf/identity/service-providers/store.xml b/modules/core/distribution/src/repository/conf/identity/service-providers/store.xml index 27bb258e..9503a87d 100644 --- a/modules/core/distribution/src/repository/conf/identity/service-providers/store.xml +++ b/modules/core/distribution/src/repository/conf/identity/service-providers/store.xml @@ -44,7 +44,7 @@ true - false + true diff --git a/modules/core/distribution/src/repository/jaggeryapps/portal/configs/designer.json b/modules/core/distribution/src/repository/jaggeryapps/portal/configs/designer.json index 440e21cc..2f049839 100644 --- a/modules/core/distribution/src/repository/jaggeryapps/portal/configs/designer.json +++ b/modules/core/distribution/src/repository/jaggeryapps/portal/configs/designer.json @@ -20,7 +20,7 @@ "acs": "%https.host%/portal/acs", "identityAlias": "wso2carbon", "defaultNameIDPolicy": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified", - "useTenantKey": false, + "useTenantKey": true, "isPassive": false } }, @@ -34,7 +34,7 @@ "methods": { "oauth": { "attributes": { - "apimgt-gateway": false, + "apimgt-gateway": true, "oauthProvider": { "appRegistration": { "appType": "webapp", @@ -43,11 +43,11 @@ "password":"admin", "dynamicClientAppRegistrationServiceURL": "https://localhost:9443/dynamic-client-web/register", "apiManagerClientAppRegistrationServiceURL": "%https.host%/api-application-registration/register/tenants", - "grantType": "password refresh_token urn:ietf:carbon:signed:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer", + "grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer urn:ietf:params:oauth:grant-type:jwt-bearer", "tokenScope": "admin", "callbackUrl": "%https.host%/portal", "saasApp":true, - "samlGrantTypeName":"urn:ietf:carbon:signed:grant-type:saml2-bearer" + "samlGrantTypeName":"urn:ietf:params:oauth:grant-type:saml2-bearer" }, "tokenServiceURL": "https://localhost:9443/oauth2/token" }, diff --git a/modules/core/distribution/src/repository/jaggeryapps/portal/modules/oauth/token-handler-utils.js b/modules/core/distribution/src/repository/jaggeryapps/portal/modules/oauth/token-handler-utils.js deleted file mode 100644 index 8998a19b..00000000 --- a/modules/core/distribution/src/repository/jaggeryapps/portal/modules/oauth/token-handler-utils.js +++ /dev/null @@ -1,567 +0,0 @@ -/* - * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. - * - * WSO2 Inc. licenses this file to you under the Apache License, - * Version 2.0 (the "License"); you may not use this file except - * in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, - * either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -var utils = function () { - var log = new Log("/modules/oauth/token-handler-utils.js"); - - var configs = require('/configs/portal.js').config(); - var constants = require("/modules/constants.js"); - var carbon = require("carbon"); - - //noinspection JSUnresolvedVariable - var Base64 = Packages.org.apache.commons.codec.binary.Base64; - //noinspection JSUnresolvedVariable - var String = Packages.java.lang.String; - - var publicMethods = {}; - var privateMethods = {}; - - publicMethods["encode"] = function (payload) { - return String(Base64.encodeBase64(String(payload).getBytes())); - }; - - publicMethods["decode"] = function (payload) { - return String(Base64.decodeBase64(String(payload).getBytes())); - }; - - /** - * Check whether this application is oauth enable or not - * @returns boolean if oauth enable - */ - publicMethods["checkOAuthEnabled"] = function () { - if (constants.AUTHORIZATION_TYPE_OAUTH === configs["authorization"]["activeMethod"]) { - return true; - } - return false; - }; - - /** - * Set access token into xml http request header - * @param xhr xml http request - * @returns {*} xhr which has access token it's header - */ - publicMethods["setAccessToken"] = function (xhr, callback) { - var accessToken; - if (publicMethods.checkOAuthEnabled()) { - try { - accessToken = parse(session.get(constants.ACCESS_TOKEN_PAIR_IDENTIFIER_FOR_PORTAL))["accessToken"]; - xhr.setRequestHeader(constants.AUTHORIZATION_HEADER, constants.BEARER_PREFIX + accessToken); - } catch (exception) { - log.error("Access token hasn't been set yet, " + exception); - } finally { - callback(xhr); - } - } - callback(xhr); - }; - - /** - * Get access token of current logged user - * @param callBack response with access token - */ - publicMethods["getAccessToken"] = function (callBack) { - var accessToken = null; - if (publicMethods.checkOAuthEnabled()) { - try { - accessToken = parse(session.get(constants.ACCESS_TOKEN_PAIR_IDENTIFIER_FOR_PORTAL))["accessToken"]; - } catch (exception) { - log.error("Access token hasn't been set yet, " + exception); - } finally { - callBack(accessToken); - } - } - callBack(accessToken); - }; - - /** - * Create error message which adhere to xml http response object - * @param statusCode response status code - * @param status response status - * @param responseText response message - * @returns {{statusCode: *, status: *, responseText: *}} - */ - publicMethods["createXHRObject"] = function (statusCode, status, responseText) { - return {"statusCode": statusCode, "status": status, "responseText": responseText}; - }; - - /** - * check whether user already logged to system before invoking any apis - * @param callBack - */ - publicMethods["isUserAuthorized"] = function (callBack) { - if (session.get("Loged") !== constants.LOGIN_MESSAGE) { - callBack(false); - } else { - callBack(true); - } - }; - - /** - * Get identity provider uir - * @returns {*} - */ - publicMethods["getIdPServerURL"] = function () { - return configs["authorization"]["methods"]["oauth"]["attributes"]["oauthProvider"]["tokenServiceURL"]; - }; - - /** - * Get an Access token pair based on client secret - * @param encodedClientKeys {{clientId:"", clientSecret:""}} - * @param scope eg: PRODUCTION - * @param idPServer identity provider url - * @returns {{accessToken: *, refreshToken: *}} - */ - publicMethods["getTokenWithClientSecretType"] = function (encodedClientKeys, scope, idPServer) { - var xhr = new XMLHttpRequest(); - var tokenEndpoint = idPServer; - xhr.open(constants.HTTP_POST, tokenEndpoint, false); - xhr.setRequestHeader(constants.CONTENT_TYPE_IDENTIFIER, constants.APPLICATION_X_WWW_FOR_URLENCODED); - xhr.setRequestHeader(constants.AUTHORIZATION_HEADER, constants.BASIC_PREFIX + encodedClientKeys); - xhr.send("grant_type=client_credentials&scope=" + scope); - var tokenPair = {}; - if (xhr.status == constants.HTTP_ACCEPTED) { - var data = parse(xhr.responseText); - tokenPair.refreshToken = data.refresh_token; - tokenPair.accessToken = data.access_token; - } else if (xhr.status == constants.HTTP_USER_NOT_AUTHENTICATED) { - log.error("Error in obtaining token with client secret grant type, You are not authenticated yet"); - return null; - } else { - log.error("Error in obtaining token with client secret grant type, This might be a problem with client meta " + - "data which required for client secret grant type"); - return null; - } - return tokenPair; - }; - - - /** - * This will create client id and client secret for a given application - * @param properties "callbackUrl": "", - * "clientName": "", - * "owner": "", - * "applicationType": "", - * "grantType": "", - * "saasApp" :"", - * "dynamicClientRegistrationEndPoint" : "" - * - * @returns {{clientId:*, clientSecret:*}} - */ - publicMethods["getDynamicClientAppCredentials"] = function (username) { - // setting up dynamic client application properties - var dcAppProperties = { - "applicationType": configs["authorization"]["methods"]["oauth"]["attributes"]["oauthProvider"]["appRegistration"]["appType"], - "clientName": configs["authorization"]["methods"]["oauth"]["attributes"]["oauthProvider"]["appRegistration"]["clientName"], - "owner": configs["authorization"]["methods"]["oauth"]["attributes"]["oauthProvider"]["appRegistration"]["owner"], - "tokenScope": configs["authorization"]["methods"]["oauth"]["attributes"]["oauthProvider"]["appRegistration"]["tokenScope"], - "grantType": configs["authorization"]["methods"]["oauth"]["attributes"]["oauthProvider"]["appRegistration"]["grantType"], - "callbackUrl": configs["authorization"]["methods"]["oauth"]["attributes"]["oauthProvider"]["appRegistration"]["callbackUrl"], - "saasApp" : configs["authorization"]["methods"]["oauth"]["attributes"]["oauthProvider"]["appRegistration"]["saasApp"] - }; - - var tenantDomain = carbon.server.tenantDomain({username: username}); - if (!tenantDomain) { - log.error("{/modules/oauth/token-handler-utils.js} Error in retrieving tenant " + - "based client application credentials. Unable to obtain a valid tenant domain for provided username "+ - username +"- getDynamicClientAppCredentials(x)"); - return null; - } else { - var cachedTenantBasedClientAppCredentials = privateMethods. - getCachedTenantBasedClientAppCredentials(tenantDomain); - if (cachedTenantBasedClientAppCredentials) { - return cachedTenantBasedClientAppCredentials; - } else { - // calling dynamic client app registration service endpoint - var requestURL = configs["authorization"]["methods"]["oauth"]["attributes"]["oauthProvider"]["appRegistration"] - ["dynamicClientAppRegistrationServiceURL"]; - var requestPayload = dcAppProperties; - var token = publicMethods.encode(configs["authorization"]["methods"]["oauth"]["attributes"]["oauthProvider"] - ["appRegistration"]["owner"] + ":" + configs["authorization"]["methods"]["oauth"]["attributes"] - ["oauthProvider"]["appRegistration"]["password"]); - var xhr = new XMLHttpRequest(); - xhr.open("POST", requestURL, false); - xhr.setRequestHeader("Content-Type", "application/json"); - xhr.setRequestHeader("Authorization", "Basic "+ token); - xhr.send(stringify(requestPayload)); - var dynamicClientAppCredentials = {}; - if (xhr["status"] == 201 || xhr["status"] == 200 && xhr["responseText"]) { - var responsePayload = parse(xhr["responseText"]); - var clientId = responsePayload["client_id"]; - var clientSecret = responsePayload["client_secret"]; - if(typeof clientId == "undefined"){ - clientId = responsePayload["clientId"]; - } - if(typeof clientSecret == "undefined"){ - clientSecret = responsePayload["clientSecret"]; - } - dynamicClientAppCredentials["clientId"] = clientId; - dynamicClientAppCredentials["clientSecret"] = clientSecret; - privateMethods. - setCachedTenantBasedClientAppCredentials(tenantDomain, dynamicClientAppCredentials); - } else if (xhr["status"] == 400) { - log.error("{/modules/oauth/token-handler-utils.js - getDynamicClientAppCredentials()} " + - "Bad request. Invalid data provided as dynamic client application properties."); - dynamicClientAppCredentials = null; - } else { - log.error("{/modules/oauth/token-handler-utils.js - getDynamicClientAppCredentials()} " + - "Error in retrieving dynamic client credentials."); - dynamicClientAppCredentials = null; - } - // returning dynamic client credentials - return dynamicClientAppCredentials; - } - } - }; - - /** - * If gateway is enable, apiManagerClientAppRegistrationServiceURL is used to create oauth application - * @param username username of current logged user - * @returns {{clientId:*, clientSecret:*}} - */ - publicMethods["getTenantBasedClientAppCredentials"] = function (username) { - if (!username) { - log.error("{/modules/oauth/token-handler-utils.js} Error in retrieving tenant " + - "based client app credentials. No username " + - "as input - getTenantBasedClientAppCredentials(x)"); - return null; - } else { - //noinspection JSUnresolvedFunction, JSUnresolvedVariable - var tenantDomain = carbon.server.tenantDomain({username: username}); - - if (!tenantDomain) { - log.error("{/modules/oauth/token-handler-utils.js} Error in retrieving tenant " + - "based client application credentials. Unable to obtain a valid tenant domain for provided " + - "username - getTenantBasedClientAppCredentials(x, y)"); - return null; - } else { - var cachedTenantBasedClientAppCredentials = privateMethods. - getCachedTenantBasedClientAppCredentials(tenantDomain); - if (cachedTenantBasedClientAppCredentials) { - return cachedTenantBasedClientAppCredentials; - } else { - var adminUsername = configs["authorization"]["methods"]["oauth"]["attributes"]["adminUser"]; - var adminUserTenantId = configs["authorization"]["methods"]["oauth"]["attributes"] - ["adminUserTenantId"]; - //claims required for jwtAuthenticator. - var claims = {"http://wso2.org/claims/enduserTenantId": adminUserTenantId, - "http://wso2.org/claims/enduser": adminUsername}; - var jwtToken = publicMethods.getJwtToken(adminUsername, claims); - // register a tenant based client app at API Manager - var applicationName = configs["authorization"]["methods"]["oauth"]["attributes"]["oauthProvider"] - ["appRegistration"]["clientName"] + "_" + tenantDomain; - var requestURL = configs["authorization"]["methods"]["oauth"]["attributes"]["oauthProvider"] - ["appRegistration"]["apiManagerClientAppRegistrationServiceURL"] + - "?tenantDomain=" + tenantDomain + "&applicationName=" + applicationName; - var xhr = new XMLHttpRequest(); - xhr.open("POST", requestURL, false); - xhr.setRequestHeader("Content-Type", "application/json"); - xhr.setRequestHeader("X-JWT-Assertion", "" + jwtToken); - xhr.send(); - if ((xhr["status"] == 201 || xhr["status"] == 200) && xhr["responseText"]) { - var responsePayload = parse(xhr["responseText"]); - var tenantBasedClientAppCredentials = {}; - var clientId = responsePayload["client_id"]; - var clientSecret = responsePayload["client_secret"]; - if(typeof clientId == "undefined"){ - clientId = responsePayload["clientId"]; - } - if(typeof clientSecret == "undefined"){ - clientSecret = responsePayload["clientSecret"]; - } - tenantBasedClientAppCredentials["clientId"] = clientId; - tenantBasedClientAppCredentials["clientSecret"] = clientSecret; - privateMethods. - setCachedTenantBasedClientAppCredentials(tenantDomain, tenantBasedClientAppCredentials); - return tenantBasedClientAppCredentials; - } else { - log.error("{/modules/oauth/token-handler-utils.js} Error in retrieving tenant " + - "based client application credentials from API " + - "Manager - getTenantBasedClientAppCredentials(x, y)"); - return null; - } - } - } - } - }; - - /** - * Caching oauth application credentials - * @param tenantDomain tenant domain where application is been created - * @param clientAppCredentials {{clientId:*, clientSecret:*}} - */ - privateMethods["setCachedTenantBasedClientAppCredentials"] = function (tenantDomain, clientAppCredentials) { - var cachedTenantBasedClientAppCredentialsMap = application.get(constants["CACHED_CREDENTIALS_PORTAL_APP"]); - if (!cachedTenantBasedClientAppCredentialsMap) { - cachedTenantBasedClientAppCredentialsMap = {}; - cachedTenantBasedClientAppCredentialsMap[tenantDomain] = clientAppCredentials; - application.put(constants["CACHED_CREDENTIALS_PORTAL_APP"], cachedTenantBasedClientAppCredentialsMap); - } else if (!cachedTenantBasedClientAppCredentialsMap[tenantDomain]) { - cachedTenantBasedClientAppCredentialsMap[tenantDomain] = clientAppCredentials; - } - }; - - /** - * Get oauth application credentials from cache - * @param tenantDomain tenant domain where application is been created - * @returns {{clientId:*, clientSecret:*}} - */ - privateMethods["getCachedTenantBasedClientAppCredentials"] = function (tenantDomain) { - var cachedTenantBasedClientAppCredentialsMap = application.get(constants["CACHED_CREDENTIALS_PORTAL_APP"]); - if (!cachedTenantBasedClientAppCredentialsMap || - !cachedTenantBasedClientAppCredentialsMap[tenantDomain]) { - return null; - } else { - return cachedTenantBasedClientAppCredentialsMap[tenantDomain]; - } - }; - - /** - * Get access token and refresh token using password grant type - * @param username username of the logged user - * @param password password of the logged user - * @param encodedClientAppCredentials {{clientId:*, clientSecret:*}} - * @param scopes scopes list - * @returns {{accessToken: *, refreshToken: *}} - */ - publicMethods["getTokenPairAndScopesByPasswordGrantType"] = function (username, password - , encodedClientAppCredentials, scopes) { - if (!username || !password || !encodedClientAppCredentials || !scopes) { - log.error("{/modules/oauth/token-handler-utils.js} Error in retrieving access token by password " + - "grant type. No username, password, encoded client app credentials or scopes are " + - "found - getTokenPairAndScopesByPasswordGrantType(a, b, c, d)"); - return null; - } else { - // calling oauth provider token service endpoint - var requestURL = configs["authorization"]["methods"]["oauth"]["attributes"]["oauthProvider"] - ["tokenServiceURL"]; - var requestPayload = "grant_type=password&username=" + - username + "&password=" + password + "&scope=" + scopes; - - var xhr = new XMLHttpRequest(); - xhr.open("POST", requestURL, false); - xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); - xhr.setRequestHeader("Authorization", "Basic " + encodedClientAppCredentials); - xhr.send(requestPayload); - - if (xhr["status"] == 200 && xhr["responseText"]) { - var responsePayload = parse(xhr["responseText"]); - var tokenData = {}; - tokenData["accessToken"] = responsePayload["access_token"]; - tokenData["refreshToken"] = responsePayload["refresh_token"]; - tokenData["scopes"] = responsePayload["scope"]; - return tokenData; - } else { - log.error("{/modules/oauth/token-handler-utils.js} Error in retrieving access token " + - "by password grant type - getTokenPairAndScopesByPasswordGrantType(a, b, c, d)"); - return null; - } - } - }; - - /** - * Get access token and refresh token using SAML grant type - * @param assertion - * @param encodedClientAppCredentials - * @param scopes - * @returns {{accessToken: *, refreshToken: *}} - */ - publicMethods["getTokenPairAndScopesBySAMLGrantType"] = function (assertion, encodedClientAppCredentials, scopes) { - if (!assertion || !encodedClientAppCredentials || !scopes) { - log.error("{/modules/oauth/token-handler-utils.js} Error in retrieving access token by saml " + - "grant type. No assertion, encoded client app credentials or scopes are " + - "found - getTokenPairAndScopesBySAMLGrantType(x, y, z)"); - return null; - } else { - - var assertionXML = publicMethods.decode(assertion); - /* - TODO: make assertion extraction with proper parsing. - Since Jaggery XML parser seem to add formatting which causes signature verification to fail. - */ - var assertionStartMarker = "