Add two login to ecp login method used by ldap facade

b927fda0 · ls1947 · ad376797 · b927fda0 · b927fda0
Commit b927fda0 authored Jul 08, 2020 by ls1947
--- a/bwreg-jpa/src/main/java/edu/kit/scc/webreg/entity/UserLoginInfoEntity.java
+++ b/bwreg-jpa/src/main/java/edu/kit/scc/webreg/entity/UserLoginInfoEntity.java
@@ -18,6 +18,9 @@ public class UserLoginInfoEntity extends AbstractBaseEntity {
 	@ManyToOne(targetEntity = UserEntity.class)
 	private UserEntity user;

+	@ManyToOne(targetEntity = RegistryEntity.class)
+	private RegistryEntity registry;
+
 	@Enumerated(EnumType.STRING)
 	private UserLoginInfoStatus loginStatus;

@@ -69,4 +72,12 @@ public class UserLoginInfoEntity extends AbstractBaseEntity {
 	public void setLoginMethod(UserLoginMethod loginMethod) {
 		this.loginMethod = loginMethod;
 	}
+
+	public RegistryEntity getRegistry() {
+		return registry;
+	}
+
+	public void setRegistry(RegistryEntity registry) {
+		this.registry = registry;
+	}
 }
--- a/bwreg-service/src/main/java/edu/kit/scc/webreg/service/impl/UserLoginServiceImpl.java
+++ b/bwreg-service/src/main/java/edu/kit/scc/webreg/service/impl/UserLoginServiceImpl.java
@@ -48,6 +48,7 @@ import edu.kit.scc.webreg.dao.SamlIdpMetadataDao;
 import edu.kit.scc.webreg.dao.SamlSpConfigurationDao;
 import edu.kit.scc.webreg.dao.SamlUserDao;
 import edu.kit.scc.webreg.dao.ServiceDao;
+import edu.kit.scc.webreg.dao.UserLoginInfoDao;
 import edu.kit.scc.webreg.drools.OverrideAccess;
 import edu.kit.scc.webreg.drools.UnauthorizedUser;
 import edu.kit.scc.webreg.drools.impl.KnowledgeSessionSingleton;
@@ -60,6 +61,9 @@ import edu.kit.scc.webreg.entity.SamlSpConfigurationEntity;
 import edu.kit.scc.webreg.entity.SamlUserEntity;
 import edu.kit.scc.webreg.entity.ServiceEntity;
 import edu.kit.scc.webreg.entity.UserEntity;
+import edu.kit.scc.webreg.entity.UserLoginInfoEntity;
+import edu.kit.scc.webreg.entity.UserLoginInfoStatus;
+import edu.kit.scc.webreg.entity.UserLoginMethod;
 import edu.kit.scc.webreg.exc.AssertionException;
 import edu.kit.scc.webreg.exc.GenericRestInterfaceException;
 import edu.kit.scc.webreg.exc.LoginFailedException;
@@ -88,6 +92,9 @@ import edu.kit.scc.webreg.service.saml.Saml2ResponseValidationService;
 import edu.kit.scc.webreg.service.saml.SamlHelper;
 import edu.kit.scc.webreg.service.saml.SsoHelper;
 import edu.kit.scc.webreg.service.saml.exc.SamlAuthenticationException;
+import edu.kit.scc.webreg.service.twofa.TwoFaException;
+import edu.kit.scc.webreg.service.twofa.TwoFaService;
+import edu.kit.scc.webreg.service.twofa.linotp.LinotpSimpleResponse;

 @Stateless
 public class UserLoginServiceImpl implements UserLoginService, Serializable {
@@ -142,6 +149,12 @@ public class UserLoginServiceImpl implements UserLoginService, Serializable {
 	@Inject
 	private Saml2ResponseValidationService saml2ResponseValidationService;

+	@Inject
+	private TwoFaService twoFaService;
+	
+	@Inject
+	private UserLoginInfoDao userLoginInfoDao;
+	
 	@Override
 	public Map<String, String> ecpLogin(String eppn,
 			String serviceShortName,
@@ -197,15 +210,72 @@ public class UserLoginServiceImpl implements UserLoginService, Serializable {
 		}
 	}

+	private void createLoginInfo(UserEntity user, RegistryEntity registry, UserLoginMethod method, UserLoginInfoStatus status) {
+		UserLoginInfoEntity loginInfo = userLoginInfoDao.createNew();
+		loginInfo.setUser(user);
+		loginInfo.setRegistry(registry);
+		loginInfo.setLoginDate(new Date());
+		loginInfo.setLoginMethod(method);
+		loginInfo.setLoginStatus(status);
+		userLoginInfoDao.persist(loginInfo);
+	}
+	
 	private Map<String, String> ecp(SamlUserEntity user, ServiceEntity service, RegistryEntity registry,
 			String password, String localHostName) throws RestInterfaceException {

+		/**
+		 * TODO Check for second factor here. Configurable per service. Then the ldap-facade doesn't
+		 * have to be changed
+		 */
+		if (password == null || password.equals("")) {
+			createLoginInfo(user, registry, UserLoginMethod.LOCAL, UserLoginInfoStatus.FAILED);
+			throw new LoginFailedException("Password blank");
+		}
+		
+		if (service.getServiceProps().containsKey("twofa") && 
+				service.getServiceProps().get("twofa").equalsIgnoreCase("enabled")) {
+			
+			String separator = ",";
+			if (service.getServiceProps().containsKey("twofa_separator")) {
+				separator = service.getServiceProps().get("twofa_separator");
+			}
+			
+			int index = password.lastIndexOf(separator);
+			
+			if (index < 2) {
+				createLoginInfo(user, registry, UserLoginMethod.TWOFA, UserLoginInfoStatus.FAILED);
+				throw new LoginFailedException("Password must contain separator char");
+			}
+			
+			String twoFa = password.substring(index + 1);
+			password = password.substring(0, index);
+			
+			try {
+				LinotpSimpleResponse response = twoFaService.checkToken(user.getId(), twoFa);
+				if (!(response.getResult() != null && response.getResult().isStatus() && 
+						response.getResult().isValue())) {
+					logger.info("User {} ({}) failed 2fa authentication", user.getEppn(), user.getId()); 
+					createLoginInfo(user, registry, UserLoginMethod.TWOFA, UserLoginInfoStatus.FAILED);
+					throw new LoginFailedException("2fa wrong");
+				}
+				else {
+					logger.info("User {} ({}) 2fa authentication success", user.getEppn(), user.getId()); 
+					createLoginInfo(user, registry, UserLoginMethod.TWOFA, UserLoginInfoStatus.SUCCESS);
+				}
+			} catch (TwoFaException e) {
+				logger.info("Problems with 2fa authentication", e); 
+				throw new LoginFailedException("Problems with 2fa authentication");
+			}			
+		}
+
 		if (registry.getRegistryValues().containsKey("userPassword")) {
 			logger.debug("userPassword is set on registry. Comparing with given password");
 			Boolean match = passwordUtil.comparePassword(password, registry.getRegistryValues().get("userPassword"));
 			logger.debug("Passwords match: {}", match);
 			
 			if (match) {
+				createLoginInfo(user, registry, UserLoginMethod.LOCAL, UserLoginInfoStatus.SUCCESS);
+
 				updateUser(user, service, "login-with-service-password");

 				List<Object> objectList = checkRules(user, service, registry);
@@ -226,6 +296,12 @@ public class UserLoginServiceImpl implements UserLoginService, Serializable {
 			}
 		}
 		
+		if (service.getServiceProps().containsKey("ecp") && 
+				service.getServiceProps().get("ecp").equalsIgnoreCase("disabled")) {
+			createLoginInfo(user, registry, UserLoginMethod.LOCAL, UserLoginInfoStatus.FAILED);
+			throw new LoginFailedException("Local authentication failed and ecp is disabled");
+		}
+		
 		logger.debug("Attempting ECP Authentication for {} and service {} (regId {})", user.getEppn(), service.getShortName(), registry.getId());

 		String[] splits = user.getEppn().split("@");
@@ -313,9 +389,11 @@ public class UserLoginServiceImpl implements UserLoginService, Serializable {
 				logger.debug("SoapException: {}", se.getMessage());
 				if (se.getCause() != null)
 					logger.debug("Inner Exception: {}", se.getCause().getMessage());
+				createLoginInfo(user, registry, UserLoginMethod.HOME_ORG, UserLoginInfoStatus.FAILED);
 				throw new LoginFailedException(se.getMessage());
 			}
 			Response response = (Response) inOutContext.getInboundMessageContext().getMessage();
+			createLoginInfo(user, registry, UserLoginMethod.HOME_ORG, UserLoginInfoStatus.SUCCESS);

 			return processResponse(response, idpEntityDesc, service, idp, sp, "ecp");