From de6c9d078c01652b269dc859e6f14895b583d804 Mon Sep 17 00:00:00 2001 From: navodzoysa Date: Tue, 20 Aug 2024 14:18:30 +0530 Subject: [PATCH] Add secure pending operations --- .../mgt/core/impl/CertificateGenerator.java | 25 ++++++++++++++++++- .../CertificateAuthenticator.java | 15 +++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/impl/CertificateGenerator.java b/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/impl/CertificateGenerator.java index a692a45ab2..9b5653ada4 100755 --- a/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/impl/CertificateGenerator.java +++ b/components/certificate-mgt/io.entgra.device.mgt.core.certificate.mgt.core/src/main/java/io/entgra/device/mgt/core/certificate/mgt/core/impl/CertificateGenerator.java @@ -120,6 +120,22 @@ public class CertificateGenerator { return null; } + public static String getOrganizationalUnit(X509Certificate requestCertificate) { + String distinguishedName = requestCertificate.getSubjectDN().getName(); + if (distinguishedName != null && !distinguishedName.isEmpty()) { + String[] dnSplits = distinguishedName.split(","); + for (String dnSplit : dnSplits) { + if (dnSplit.contains("O=")) { + String[] cnSplits = dnSplit.split("="); + if (cnSplits[1] != null) { + return cnSplits[1]; + } + } + } + } + return null; + } + public static void extractCertificateDetails(byte[] certificateBytes, CertificateResponse certificateResponse) throws CertificateManagementDAOException { try { 
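Review bot: getOrganizationalUnit's hand-rolled DN parsing (`distinguishedName.split(",")` then `dnSplit.split("=")`) is fragile for a value that the authenticator later uses as a device identifier: an RDN written as `O=` yields a one-element array so `cnSplits[1]` throws ArrayIndexOutOfBoundsException, `contains("O=")` also fires on any attribute whose value happens to contain `O=`, a value containing ',' or '=' is silently truncated, and `cnSplits[1] != null` can never be false. The class already uses BouncyCastle's X500Name/BCStyle in the issuance path (see the second hunk), so the same parser can read the attribute, and getSubjectX500Principal() should replace the denigrated getSubjectDN(). The method is named OrganizationalUnit but reads O (Organization), which matches the issued subject `O=<deviceId>, OU=tenant_<id>`; either rename it or add a Javadoc line such as `/** Returns the O attribute of the subject, which carries the device id for server-issued certificates (OU carries the tenant). */`.
```java
public static String getOrganizationalUnit(X509Certificate requestCertificate) {
    // Use BC's DN parser instead of splitting on ',' and '=': a value containing
    // either character would otherwise be truncated or attributed to the wrong RDN.
    X500Name subject = new X500Name(requestCertificate.getSubjectX500Principal().getName());
    if (subject.getRDNs(BCStyle.O).length == 0) {
        return null;
    }
    return subject.getRDNs(BCStyle.O)[0].getFirst().getValue().toString();
}
```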
@@ -845,8 +861,15 @@ public class CertificateGenerator { } String subjectDn = joiner.toString(); X500Name issuerName = new X500Name(subjectDn); + + String commonName = certificationRequest.getSubject().getRDNs(BCStyle.CN)[0].getFirst() - .getValue().toString(); + .getValue().toString(); + // CSR sent from a Windows device will have an '!' followed by the device ID in the CN + if (commonName.contains("!")) { + commonName = commonName.split("!")[1]; + } + int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId(); X500Name subjectName = new X500Name("O=" + commonName + " ,CN=" + serialNumber + ", OU=tenant_" + tenantId); diff --git a/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java b/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java index e4aad4b517..621300a4f3 100644 --- a/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java +++ b/components/webapp-authenticator-framework/io.entgra.device.mgt.core.webapp.authenticator.framework/src/main/java/io/entgra/device/mgt/core/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java @@ -18,6 +18,7 @@ package io.entgra.device.mgt.core.webapp.authenticator.framework.authenticator; +import io.entgra.device.mgt.core.certificate.mgt.core.impl.CertificateGenerator; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.commons.logging.Log; 
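Review bot: `commonName.split("!")[1]` throws ArrayIndexOutOfBoundsException when the CSR's CN ends with '!' (an empty device id), and since the CSR is supplied by the enrolling device a malformed request becomes an unhandled exception instead of a rejected enrollment; it also silently drops everything after a second '!'. Safer is `commonName = commonName.substring(commonName.indexOf('!') + 1);` followed by a check that the result is not empty before it is used. The following context line builds the subject as `"O=" + commonName + " ,CN=" + ...`, so a CN containing ',' or other RFC 4514 separators is parsed by X500Name as additional RDNs; that line is pre-existing, but the value is now what the authenticator looks devices up by, so escaping it (e.g. building the name with an RDN builder rather than string concatenation) is worth considering. The enclosing method continues outside the hunk.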
@@ -128,7 +129,21 @@ public class CertificateAuthenticator implements WebappAuthenticator { if (tenantedDeviceWrapper.getDevice() != null && tenantedDeviceWrapper.getDevice().getEnrolmentInfo() != null) { + EnrolmentInfo enrolmentInfo = tenantedDeviceWrapper.getDevice().getEnrolmentInfo(); + authenticationInfo.setUsername(enrolmentInfo.getOwner()); + } + authenticationInfo.setStatus(Status.CONTINUE); + } else { + SCEPManager scepManager = AuthenticatorFrameworkDataHolder.getInstance().getScepManager(); + DeviceIdentifier deviceIdentifier = new DeviceIdentifier(); + deviceIdentifier.setId(CertificateGenerator.getOrganizationalUnit(certificate)); + deviceIdentifier.setType(DeviceManagementConstants.MobileDeviceTypes.MOBILE_DEVICE_TYPE_WINDOWS); + TenantedDeviceWrapper tenantedDeviceWrapper = scepManager.getValidatedDevice(deviceIdentifier); + authenticationInfo.setTenantDomain(tenantedDeviceWrapper.getTenantDomain()); + authenticationInfo.setTenantId(-1); + if (tenantedDeviceWrapper.getDevice() != null && + tenantedDeviceWrapper.getDevice().getEnrolmentInfo() != null) { EnrolmentInfo enrolmentInfo = tenantedDeviceWrapper.getDevice().getEnrolmentInfo(); authenticationInfo.setUsername(enrolmentInfo.getOwner()); }
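Review bot: The new else branch dereferences two values that may be null: `CertificateGenerator.getOrganizationalUnit(certificate)` returns null when the subject has no O attribute, so the lookup runs with a null device id, and `tenantedDeviceWrapper.getTenantDomain()` is called without checking that `scepManager.getValidatedDevice(...)` returned a wrapper, so a client certificate with an unexpected subject ends in an exception inside the authenticator rather than a clean authentication failure. I would guard both, e.g. `String deviceId = CertificateGenerator.getOrganizationalUnit(certificate);` and return a failure status when it or the wrapper is null. The branch also hard-codes `authenticationInfo.setTenantId(-1)` next to a tenant domain taken from the wrapper, and treats every certificate that misses the first branch as a Windows device; whether that is intended depends on the condition above the hunk, which is not visible. Trusting the subject attribute presupposes that `certificate` was verified against the issuing CA earlier in the method, and the else branch does not set Status.CONTINUE within the hunk — both are outside the visible lines, so I could not confirm either.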