Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a post authenticaton handler to validate email domain during federated authentication #6177

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -229,6 +229,14 @@
<groupId>org.wso2.carbon.identity.organization.management.core</groupId>
<artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon.identity.organization.management</groupId>
<artifactId>org.wso2.carbon.identity.organization.discovery.service</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon.identity.organization.management</groupId>
<artifactId>org.wso2.carbon.identity.organization.config.service</artifactId>
</dependency>
<dependency>
<groupId>org.wso2.carbon.identity.framework</groupId>
<artifactId>org.wso2.carbon.identity.role.v2.mgt.core</artifactId>
Expand Down Expand Up @@ -303,6 +311,8 @@
version="${carbon.identity.package.import.version.range}",
org.wso2.carbon.identity.central.log.mgt.*; version="${carbon.identity.package.import.version.range}",
org.wso2.carbon.identity.organization.management.service; version="${org.wso2.carbon.identity.organization.management.core.version.range}",
org.wso2.carbon.identity.organization.discovery.service; version="${org.wso2.carbon.identity.organization.management.version.range}",
org.wso2.carbon.identity.organization.config.service; version="${org.wso2.carbon.identity.organization.management.version.range}",
org.wso2.carbon.identity.configuration.mgt.core; version="${carbon.identity.package.import.version.range}",
org.wso2.carbon.identity.configuration.mgt.core.exception; version="${carbon.identity.package.import.version.range}",
org.wso2.carbon.identity.configuration.mgt.core.model; version="${carbon.identity.package.import.version.range}",
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,232 @@
/*
* Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
Yasasr1 marked this conversation as resolved.
Show resolved Hide resolved
*
* WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package org.wso2.carbon.identity.application.authentication.framework.handler.request.impl;

import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.FederatedApplicationAuthenticator;
import org.wso2.carbon.identity.application.authentication.framework.config.model.AuthenticatorConfig;
import org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig;
import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.AbstractPostAuthnHandler;
import org.wso2.carbon.identity.application.authentication.framework.handler.request.PostAuthnHandlerFlowStatus;
import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceDataHolder;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.organization.config.service.exception.OrganizationConfigClientException;
import org.wso2.carbon.identity.organization.config.service.exception.OrganizationConfigException;
import org.wso2.carbon.identity.organization.config.service.model.ConfigProperty;
import org.wso2.carbon.identity.organization.config.service.model.DiscoveryConfig;
import org.wso2.carbon.identity.organization.discovery.service.model.OrgDiscoveryAttribute;
import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;

import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkErrorConstants.ErrorMessages.ERROR_WHILE_RETRIEVING_ORG_DISCOVERY_ATTRIBUTES;
import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkErrorConstants.ErrorMessages.INVALID_EMAIL_DOMAIN;
import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkErrorConstants.ErrorMessages.NO_EMAIL_ATTRIBUTE_FOUND;

/**
* This class is responsible for validating the email domain of the user during the authentication flow.
*/
Yasasr1 marked this conversation as resolved.
Show resolved Hide resolved
public class EmailDomainValidationHandler extends AbstractPostAuthnHandler {

private static final Log log = LogFactory.getLog(EmailDomainValidationHandler.class);
private static final String EMAIL_DOMAIN_ENABLE = "emailDomain.enable";
public static final String EMAIL_DOMAIN = "emailDomain";

private EmailDomainValidationHandler() {

}

private static class Holder {

private static final EmailDomainValidationHandler INSTANCE = new EmailDomainValidationHandler();
}

public static EmailDomainValidationHandler getInstance() {

return Holder.INSTANCE;
}

@Override
public boolean isEnabled() {

if (!super.isEnabled()) {
return false;
}

try {
OrganizationManager organizationManager = FrameworkServiceDataHolder.getInstance().getOrganizationManager();
String organizationId = organizationManager.resolveOrganizationId(CarbonContext
.getThreadLocalCarbonContext().getTenantDomain());

if (organizationManager.isPrimaryOrganization(organizationId)) {
// Skip email domain validation since email domains cannot be mapped to primary organizations.
return false;
} else {
organizationId = organizationManager.getPrimaryOrganizationId(organizationId);
}

return isEmailDomainDiscoveryEnabled(organizationId);
} catch (OrganizationConfigClientException e) {
if (log.isDebugEnabled()) {
log.debug("No organization discovery configurations found for organization: " + CarbonContext
.getThreadLocalCarbonContext().getTenantDomain());
}
return false;
} catch (OrganizationManagementException | OrganizationConfigException e) {
log.error("Error while retrieving organization discovery configuration.", e);
return false;
}
}

@Override
public int getPriority() {

int priority = super.getPriority();
if (priority == -1) {
priority = 15;
}
return priority;
}

@Override
public PostAuthnHandlerFlowStatus handle(HttpServletRequest request, HttpServletResponse response,
AuthenticationContext context) throws PostAuthenticationFailedException {

SequenceConfig sequenceConfig = context.getSequenceConfig();
for (Map.Entry<Integer, StepConfig> entry : sequenceConfig.getStepMap().entrySet()) {
StepConfig stepConfig = entry.getValue();
AuthenticatorConfig authenticatorConfig = stepConfig.getAuthenticatedAutenticator();
if (authenticatorConfig == null) {
continue;
}

ApplicationAuthenticator authenticator = authenticatorConfig.getApplicationAuthenticator();
if (authenticator instanceof FederatedApplicationAuthenticator) {
Yasasr1 marked this conversation as resolved.
Show resolved Hide resolved
Map<String, String> localClaimValues;
if (stepConfig.isSubjectAttributeStep()) {
localClaimValues =
(Map<String, String>) context.getProperty(FrameworkConstants.UNFILTERED_LOCAL_CLAIM_VALUES);
} else {
// Need to validate even if this is not the subject attribute step since
// jit provisioning will happen in both scenarios.
Yasasr1 marked this conversation as resolved.
Show resolved Hide resolved
localClaimValues =
FrameworkUtils.getLocalClaimValuesOfIDPInNonAttributeSelectionStep(context, stepConfig,
context.getExternalIdP());
}

String emailDomain = extractEmailDomain(localClaimValues.get(FrameworkConstants.EMAIL_ADDRESS_CLAIM));

if (emailDomain == null) {
Yasasr1 marked this conversation as resolved.
Show resolved Hide resolved
if (log.isDebugEnabled()) {
log.debug("Email address not found or is not in the correct format." +
" Email domain validation failed.");
Yasasr1 marked this conversation as resolved.
Show resolved Hide resolved
}
throw new PostAuthenticationFailedException(NO_EMAIL_ATTRIBUTE_FOUND.getCode(),
NO_EMAIL_ATTRIBUTE_FOUND.getMessage());
}

if (!isValidEmailDomain(context, emailDomain)) {
throw new PostAuthenticationFailedException(INVALID_EMAIL_DOMAIN.getCode(),
String.format(INVALID_EMAIL_DOMAIN.getMessage(), context.getTenantDomain()));
}
}
}
return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
}

private boolean isEmailDomainDiscoveryEnabled(String primaryOrganizationId)
throws OrganizationConfigException, OrganizationManagementException {

String tenantDomain = FrameworkServiceDataHolder.getInstance().getOrganizationManager()
.resolveTenantDomain(primaryOrganizationId);

DiscoveryConfig discoveryConfiguration =
FrameworkServiceDataHolder.getInstance().getOrganizationConfigManager()
.getDiscoveryConfigurationByTenantId(IdentityTenantUtil.getTenantId(tenantDomain));
List<ConfigProperty> configProperties = discoveryConfiguration.getConfigProperties();
for (ConfigProperty configProperty : configProperties) {
if (configProperty.getKey().equals(EMAIL_DOMAIN_ENABLE)) {
return Boolean.parseBoolean(configProperty.getValue());
}
}
return false;
}

private boolean isValidEmailDomain(AuthenticationContext context, String emaildomain)
throws PostAuthenticationFailedException {

try {
List<OrgDiscoveryAttribute> organizationDiscoveryAttributes =
FrameworkServiceDataHolder.getInstance().getOrganizationDiscoveryManager()
.getOrganizationDiscoveryAttributes(context.getTenantDomain(), false);

if (organizationDiscoveryAttributes.isEmpty()) {
log.debug("No email domains are mapped to the organization. Skipping email domain validation.");
return true;
}

for (OrgDiscoveryAttribute orgDiscoveryAttribute : organizationDiscoveryAttributes) {
if (!EMAIL_DOMAIN.equals(orgDiscoveryAttribute.getType())) {
continue;
}

List<String> mappedEmailDomains = orgDiscoveryAttribute.getValues();
if (mappedEmailDomains != null && !mappedEmailDomains.contains(emaildomain)) {
return false;
}
}

} catch (OrganizationManagementException e) {
log.error(
"Error while retrieving organization discovery attributes for tenant: " + context.getTenantDomain(),
e);
throw new PostAuthenticationFailedException(ERROR_WHILE_RETRIEVING_ORG_DISCOVERY_ATTRIBUTES.getCode(),
String.format(ERROR_WHILE_RETRIEVING_ORG_DISCOVERY_ATTRIBUTES.getMessage(),
context.getTenantDomain()), e);
}
return true;
}

private String extractEmailDomain(String email) {

if (StringUtils.isBlank(email)) {
return null;
}

String[] emailSplit = email.split("@");
if (emailSplit.length == 2) {
return emailSplit[1];
}
return null;
Yasasr1 marked this conversation as resolved.
Show resolved Hide resolved
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -304,8 +304,9 @@ private PostAuthnHandlerFlowStatus handleRequestFlow(HttpServletRequest request,
localClaimValues = (Map<String, String>) context
.getProperty(FrameworkConstants.UNFILTERED_LOCAL_CLAIM_VALUES);
} else {
localClaimValues = getLocalClaimValuesOfIDPInNonAttributeSelectionStep(context, stepConfig,
externalIdPConfig);
localClaimValues =
FrameworkUtils.getLocalClaimValuesOfIDPInNonAttributeSelectionStep(context, stepConfig,
externalIdPConfig);
}
if (localClaimValues == null || localClaimValues.size() == 0) {
Map<ClaimMapping, String> userAttributes = stepConfig.getAuthenticatedUser().getUserAttributes();
Expand Down Expand Up @@ -1083,59 +1084,6 @@ private String getUserIdClaimUriInLocalDialect(ExternalIdPConfig idPConfig) {
return null;
}

/**
* Uses to get local claim values of an authenticated user from an IDP in non attribute selection steps.
*
* @param context Authentication Context.
* @param stepConfig Current step configuration.
* @param externalIdPConfig Identity providers config.
* @return Mapped federated user values to local claims.
* @throws PostAuthenticationFailedException Post Authentication failed exception.
*/
private Map<String, String> getLocalClaimValuesOfIDPInNonAttributeSelectionStep(AuthenticationContext context,
StepConfig stepConfig,
ExternalIdPConfig externalIdPConfig)
throws PostAuthenticationFailedException {

boolean useDefaultIdpDialect = externalIdPConfig.useDefaultLocalIdpDialect();
ApplicationAuthenticator authenticator =
stepConfig.getAuthenticatedAutenticator().getApplicationAuthenticator();
String idPStandardDialect = authenticator.getClaimDialectURI();
Map<ClaimMapping, String> extAttrs = stepConfig.getAuthenticatedUser().getUserAttributes();
Map<String, String> originalExternalAttributeValueMap = FrameworkUtils.getClaimMappings(extAttrs, false);
Map<String, String> claimMapping = new HashMap<>();
Map<String, String> localClaimValues = new HashMap<>();
if (useDefaultIdpDialect && StringUtils.isNotBlank(idPStandardDialect)) {
try {
claimMapping = ClaimMetadataHandler.getInstance()
.getMappingsMapFromOtherDialectToCarbon(idPStandardDialect,
originalExternalAttributeValueMap.keySet(), context.getTenantDomain(),
true);
} catch (ClaimMetadataException e) {
throw new PostAuthenticationFailedException(ErrorMessages.ERROR_WHILE_HANDLING_CLAIM_MAPPINGS.getCode(),
ErrorMessages.ERROR_WHILE_HANDLING_CLAIM_MAPPINGS.getMessage(), e);
}
} else {
ClaimMapping[] customClaimMapping = context.getExternalIdP().getClaimMappings();
for (ClaimMapping externalClaim : customClaimMapping) {
if (originalExternalAttributeValueMap.containsKey(externalClaim.getRemoteClaim().getClaimUri())) {
claimMapping.put(externalClaim.getLocalClaim().getClaimUri(),
externalClaim.getRemoteClaim().getClaimUri());
}
}
}

if (claimMapping != null && claimMapping.size() > 0) {
for (Map.Entry<String, String> entry : claimMapping.entrySet()) {
if (originalExternalAttributeValueMap.containsKey(entry.getValue()) &&
originalExternalAttributeValueMap.get(entry.getValue()) != null) {
localClaimValues.put(entry.getKey(), originalExternalAttributeValueMap.get(entry.getValue()));
}
}
}
return localClaimValues;
}

private UserRealm getUserRealm(String tenantDomain) throws UserStoreException {

RealmService realmService = FrameworkServiceComponent.getRealmService();
Expand Down
Loading
Loading