Certificate authenticator changes

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml

@@ -92,7 +92,9 @@
                             javax.servlet.http,
                             javax.xml,
                             org.apache.axis2.transport.http,
-                            org.wso2.carbon.apimgt.impl
+                            org.wso2.carbon.apimgt.impl,
+                            org.wso2.carbon.certificate.mgt.core.service,
+                            org.wso2.carbon.certificate.mgt.core.exception
                         </Import-Package>
                         <!--<Fragment-Host>tomcat</Fragment-Host>-->
                     </instructions>
@@ -146,6 +148,10 @@
             <groupId>org.wso2.orbit.com.nimbusds</groupId>
             <artifactId>nimbus-jose-jwt</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.devicemgt</groupId>
+            <artifactId>org.wso2.carbon.certificate.mgt.core</artifactId>
+        </dependency>
     </dependencies>
 
 </project>

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/DataHolder.java

@@ -18,12 +18,14 @@
  */
 package org.wso2.carbon.webapp.authenticator.framework;
 
+import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService;
 import org.wso2.carbon.user.core.service.RealmService;
 
 public class DataHolder {
 
     private WebappAuthenticatorRepository repository;
     private RealmService realmService;
+    private CertificateManagementService certificateManagementService;
 
     private DataHolder() {}
 
@@ -48,4 +50,12 @@ public class DataHolder {
     public void setRealmService(RealmService realmService) {
         this.realmService = realmService;
     }
+
+    public CertificateManagementService getCertificateManagementService() {
+        return certificateManagementService;
+    }
+
+    public void setCertificateManagementService(CertificateManagementService certificateManagementService) {
+        this.certificateManagementService = certificateManagementService;
+    }
 }

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/CertificateAuthenticator.java

@@ -0,0 +1,78 @@
+package org.wso2.carbon.webapp.authenticator.framework.authenticator;
+
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.certificate.mgt.core.exception.KeystoreException;
+import org.wso2.carbon.webapp.authenticator.framework.DataHolder;
+
+/**
+ * This authenticator authenticates HTTP requests using certificates.
+ */
+public class CertificateAuthenticator implements WebappAuthenticator {
+
+    private static final Log log = LogFactory.getLog(CertificateAuthenticator.class);
+    private static final String CERTIFICATE_AUTHENTICATOR = "CertificateAuth";
+    private static final String HEADER_MDM_SIGNATURE = "Mdm-Signature";
+    private String[] skippedURIs;
+
+    public CertificateAuthenticator() {
+        skippedURIs = new String[]{
+                "/ios-enrollment/ca",
+                "/ios-enrollment/authenticate",
+                "/ios-enrollment/profile",
+                "/ios-enrollment/scep",
+                "/ios-enrollment/enroll",
+                "/ios-enrollment/enrolled"};
+    }
+
+    @Override
+    public boolean canHandle(Request request) {
+        return true;
+    }
+
+    @Override
+    public Status authenticate(Request request, Response response) {
+
+        String requestUri = request.getRequestURI();
+        if (requestUri == null || requestUri.isEmpty()) {
+            return Status.CONTINUE;
+        }
+
+        if(isURISkipped(requestUri)) {
+            return Status.CONTINUE;
+        }
+
+        String headerMDMSignature = request.getHeader(HEADER_MDM_SIGNATURE);
+
+        try {
+            if (headerMDMSignature != null && !headerMDMSignature.isEmpty() &&
+                    DataHolder.getInstance().getCertificateManagementService().verifySignature(headerMDMSignature)) {
+                return Status.SUCCESS;
+            }
+        } catch (KeystoreException e) {
+            log.error("KeystoreException occurred ", e);
+            return Status.FAILURE;
+        }
+
+        return Status.FAILURE;
+    }
+
+    @Override
+    public String getName() {
+        return CERTIFICATE_AUTHENTICATOR;
+    }
+
+    private boolean isURISkipped(String requestUri) {
+
+        for (String element : skippedURIs) {
+            if (element.equals(requestUri)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+}

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/internal/WebappAuthenticatorFrameworkServiceComponent.java

@@ -21,14 +21,14 @@ package org.wso2.carbon.webapp.authenticator.framework.internal;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.osgi.service.component.ComponentContext;
+import org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService;
 import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve;
 import org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer;
 import org.wso2.carbon.user.core.service.RealmService;
 import org.wso2.carbon.webapp.authenticator.framework.DataHolder;
 import org.wso2.carbon.webapp.authenticator.framework.WebappAuthenticationHandler;
-import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
-import org.wso2.carbon.webapp.authenticator.framework.WebappAuthenticatorFrameworkValve;
 import org.wso2.carbon.webapp.authenticator.framework.WebappAuthenticatorRepository;
+import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
 import org.wso2.carbon.webapp.authenticator.framework.config.AuthenticatorConfig;
 import org.wso2.carbon.webapp.authenticator.framework.config.WebappAuthenticatorConfig;
 
@@ -44,6 +44,12 @@ import java.util.List;
  * policy="dynamic"
  * bind="setRealmService"
  * unbind="unsetRealmService"
+ * @scr.reference name="org.wso2.carbon.certificate.mgt"
+ * interface="org.wso2.carbon.certificate.mgt.core.service.CertificateManagementService"
+ * policy="dynamic"
+ * cardinality="1..n"
+ * bind="setCertificateManagementService"
+ * unbind="unsetCertificateManagementService"
  */
 public class WebappAuthenticatorFrameworkServiceComponent {
 
@@ -91,4 +97,19 @@ public class WebappAuthenticatorFrameworkServiceComponent {
     protected void unsetRealmService(RealmService realmService) {
         DataHolder.getInstance().setRealmService(null);
     }
+
+    protected void setCertificateManagementService(CertificateManagementService certificateManagementService) {
+        if (log.isDebugEnabled()) {
+            log.debug("Setting certificate management service");
+        }
+        DataHolder.getInstance().setCertificateManagementService(certificateManagementService);
+    }
+
+    protected void unsetCertificateManagementService(CertificateManagementService certificateManagementService) {
+        if (log.isDebugEnabled()) {
+            log.debug("Removing certificate management service");
+        }
+
+        DataHolder.getInstance().setCertificateManagementService(null);
+    }
 }

features/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework.server.feature/src/main/resources/conf/webapp-authenticator-config.xml

@@ -12,5 +12,9 @@
             <Name>JWT</Name>
             <ClassName>org.wso2.carbon.webapp.authenticator.framework.authenticator.JWTAuthenticator</ClassName>
         </Authenticator>
+        <Authenticator>
+            <Name>CertificateAuth</Name>
+            <ClassName>org.wso2.carbon.webapp.authenticator.framework.authenticator.CertificateAuthenticator</ClassName>
+        </Authenticator>
 	</Authenticators>
 </WebappAuthenticatorConfig>