chore: refactor cert authn project to support one-step authentication/enrollment (#13184)

* feat: add flows to support enrollment/authn scenarios #13183

Signed-off-by: jgomer2001 <bonustrack310@gmail.com>

* feat: add supporting UI templates #13183

Signed-off-by: jgomer2001 <bonustrack310@gmail.com>

* feat: implement cert handling logic #13183

Signed-off-by: jgomer2001 <bonustrack310@gmail.com>

* fix: fix compilation problems #13183

Signed-off-by: jgomer2001 <bonustrack310@gmail.com>

* chore: make rabbit happy #13183

Signed-off-by: jgomer2001 <bonustrack310@gmail.com>

* chore: fix compilation problem #13183

Signed-off-by: jgomer2001 <bonustrack310@gmail.com>

---------

Signed-off-by: jgomer2001 <bonustrack310@gmail.com>

Author: jgomer2001

jans-casa/plugins/cert-authn/agama/project/code/io.jans.casa.authn.cert.flow

@@ -1,20 +1,20 @@
 Flow io.jans.casa.authn.cert
     Basepath ""
-    Configs conf 
-    Inputs userData
+    Inputs userData withEscape
+
+obj = Trigger io.jans.casa.cert.promptAndValidate
+When obj.success is true
+    uid = Call io.jans.casa.certauthn.CertUtil#findOwner obj.data.cert.fingerPrint
 
-cah = Call io.jans.casa.certauthn.CertAuthnHelper#new userData.inum conf.certPickupUrl conf.roundTripMaxTime
-url = Call cah buildRedirectUrl
-//See template index.zul and class io.jans.casa.plugins.certauthn.vm.CertAuthnVM in casa plugin
-RFAC url
+    When uid is userData.uid
+        Finish uid
 
-outcome = Call cah retrieveOutcome
-When outcome is ""
-    Finish true
+    When uid is null
+        obj = { error: "NOT_RECOGNIZED" }
+    Otherwise
+        obj = { error: "CERT_ENROLLED_OTHER_USER" }
 
-When outcome is null        //the cache entry expired
-    Log "Cert Authentication failed."
-Otherwise
-    Log "Cert Authentication failed. Reason:" outcome
+    RRF "authn-error.ftlh" obj
 
+Log "Cert Authentication failed"    
 Finish false

jans-casa/plugins/cert-authn/agama/project/code/io.jans.casa.cert.enroll.flow

@@ -0,0 +1,18 @@
+Flow io.jans.casa.cert.enroll
+    Basepath ""
+    Inputs uidRef
+
+uid = Call io.jans.casa.certauthn.CertAuthnHelper#decryptValue uidRef
+obj = Trigger io.jans.casa.cert.promptAndValidate
+validated = obj.success
+
+When validated is true
+    c = obj.data.cert
+    status = Call io.jans.casa.certauthn.CertUtil#enroll uid c.x509 c.fingerPrint
+    
+    obj = { status: status }
+    //Show feedback to user before returning to Casa
+    RRF "enroll-feedback.ftlh" obj
+
+//Always terminate successfully (there was session already in Casa)
+Finish uid

jans-casa/plugins/cert-authn/agama/project/code/io.jans.casa.cert.oneStepAuthn.flow

@@ -0,0 +1,47 @@
+Flow io.jans.casa.cert.oneStepAuthn
+    Basepath ""
+    Configs conf
+
+When conf.useAcctLinking is true
+    obj = Trigger io.jans.casa.authn.acctlinking
+        Override templates "blb4x/acctlinking.ftlh" "login-acctlinking.ftlh"
+        
+    When obj.aborted is null    //User took usual Casa authentication, terminate as such
+        Finish obj
+    
+    When obj.data."_abort".length is 0
+        pid = obj.data.providerId
+        Log "User selected identity provider" pid
+        
+        //Launch the flow again, this time preselecting the given identity provider
+        obj = Trigger io.jans.casa.authn.acctlinking pid null
+        Finish obj
+
+Otherwise
+    obj = Trigger io.jans.casa.authn.main
+        Override templates "kz1vc3/main.ftlh" "login.ftlh"
+        
+    When obj.aborted is null    //User took usual Casa authentication, terminate as such
+        Finish obj
+    
+Log "Smart card/User cert option selected"
+obj = Trigger io.jans.casa.cert.promptAndValidate
+
+When obj.success is true
+    fingerPrint = obj.data.cert.fingerPrint
+    x509 = obj.data.cert.x509
+    uid = Call io.jans.casa.certauthn.CertUtil#findOwner fingerPrint
+    
+    When uid is not null
+        Finish uid
+
+    uid = Call io.jans.casa.certauthn.CertUtil#register x509 conf.mappingClassField
+    status = Call io.jans.casa.certauthn.CertUtil#enroll uid x509 fingerPrint
+    status = Call status toString
+    
+    When status is "SUCCESS"
+        Finish uid
+
+    obj = { success: false }
+    
+Finish obj

jans-casa/plugins/cert-authn/agama/project/code/io.jans.casa.cert.promptAndValidate.flow

@@ -0,0 +1,21 @@
+Flow io.jans.casa.cert.promptAndValidate
+    Basepath ""
+    Configs conf
+    
+cah = Call io.jans.casa.certauthn.CertAuthnHelper#new conf.certPickupUrl conf.roundTripMaxTime
+url = Call cah buildRedirectUrl
+//See template index.zul and class io.jans.casa.plugins.certauthn.vm.CertAuthnVM in casa plugin
+RFAC url
+
+validationResult = Call io.jans.casa.certauthn.CertUtil#validate cah.certPEM conf.certChainPEM
+status = Call validationResult.first toString
+
+When status is "VALID"
+    x509Cert = validationResult.second
+    fp = Call io.jans.casa.certauthn.CertUtil#getFingerPrint x509Cert
+    obj = { success: true, data: { cert: { x509: x509Cert, fingerPrint: fp } } }
+    Finish obj
+
+obj = { error: status }
+RRF "validation-error.ftlh" obj
+Finish false

jans-casa/plugins/cert-authn/agama/project/lib/io/jans/casa/certauthn/AttributeMappings.java

@@ -0,0 +1,36 @@
+package io.jans.casa.certauthn;
+
+import java.util.function.UnaryOperator;
+import java.util.*;
+
+/**
+ * Fields of this class can be referenced in the config properties of flow 
+ * io.jans.casa.cert.oneStepAuthn, see mappingClassField
+ */
+public final class AttributeMappings {
+
+    //Maps some "incoming attributes" in the certificate to build a user profile  
+    public static final UnaryOperator<Map<String, String>> STRAIGHT = 
+
+        attributes -> {
+            String[] attrNames = new String[] {                
+                "o",      //Organization Name
+                "cn",     //Common Name
+                "l",      //City
+                "mail"    //e-mail
+            };
+            String attrForUid = "mail";
+            
+            Map<String, String> profile = new HashMap<>();            
+            profile.put("uid", attributes.get(attrForUid));
+                
+            //Straight (one-to-one) copy of attributes from source to destination map
+            List.of(attrNames).forEach(attr -> 
+                profile.put(attr, attributes.get(attr))); 
+
+            return profile;
+        };
+        
+    private AttributeMappings() { }
+
+}

jans-casa/plugins/cert-authn/agama/project/lib/io/jans/casa/certauthn/CertAuthnHelper.java

@@ -4,21 +4,24 @@
 import io.jans.service.cdi.util.CdiUtil;
 import io.jans.util.security.StringEncrypter;
 
-import org.json.JSONObject;
-
 import java.net.URLEncoder;
 import java.security.SecureRandom;
 import java.util.Optional;
 
+import org.slf4j.*;
+
 import static java.nio.charset.StandardCharsets.UTF_8;
 
 public class CertAuthnHelper {
 
     private static final String RND_KEY = "ref";
-    private static final SecureRandom RND = new SecureRandom();
+    private static final int DEFAULT_ROUND_TRIP_MAX_TIME = 45;
 
+    private static SecureRandom RND = new SecureRandom();
+    private static Logger logger = LoggerFactory.getLogger(CertAuthnHelper.class); 
     private static CacheService cs = CdiUtil.bean(CacheService.class);
-    private String userId;
+    private static StringEncrypter encrypter = CdiUtil.bean(StringEncrypter.class);
+
     private String certPickupUrl;
     private String key;
 
@@ -28,39 +31,47 @@ public class CertAuthnHelper {
 
     public CertAuthnHelper() {}
 
-    public CertAuthnHelper(String inum, String certPickupUrl, int roundTripMaxTime) {
+    public CertAuthnHelper(String certPickupUrl, Integer rtmt) {
+
+        if (rtmt == null || rtmt < 10) {
+            logger.warn("roundTripMaxTime provided is of no practical use. Setting a default value...");
+            this.roundTripMaxTime =  DEFAULT_ROUND_TRIP_MAX_TIME;
+        } else {
+            this.roundTripMaxTime =  rtmt;
+        }
 
-        this.userId = inum;
         this.certPickupUrl = certPickupUrl;
-        this.roundTripMaxTime = roundTripMaxTime;
         this.key = ("" + RND.nextDouble()).substring(2);
 
     }
 
     public String buildRedirectUrl() throws StringEncrypter.EncryptionException {
-        
-        String encKey = CdiUtil.bean(StringEncrypter.class).encrypt(key);
+
+        String encKey = encrypter.encrypt(key);
         encKey = URLEncoder.encode(encKey, UTF_8);
-        
-        //See plugin's class io.jans.casa.plugins.certauthn.model.Reference
-        JSONObject job = new JSONObject();
-        job.put("userId", userId);
-        job.put("enroll", false);
-        job.put("expiresAt", System.currentTimeMillis() + 1000L*roundTripMaxTime);
 
-        cs.put(roundTripMaxTime, key, job.toString());
+        cs.put(roundTripMaxTime, key, System.currentTimeMillis() + 1000L*roundTripMaxTime);
         return certPickupUrl + "?" + RND_KEY + "=" + encKey;
 
     }
-    
-    public String retrieveOutcome() {
-        
-        String val = Optional.ofNullable(cs.get(key)).map(Object::toString).orElse(null);        
-        if (val != null) {
+
+    public String getCertPEM() {
+
+        //See class io.jans.casa.plugins.certauthn.vm.CertAuthnVM
+        String cert = Optional.ofNullable(cs.get(key)).map(Object::toString).orElse(null);        
+        if (cert != null) {
             cs.remove(key);
+            
+            if (cert.equals("(null)")) {    //Apache server may send '(null)'
+                cert = null;
+            }
         }
-        return val;
+        return cert;
 
     }
 
+    public static String decryptValue(String val) throws StringEncrypter.EncryptionException {
+        return encrypter.decrypt(val);
+    }
+    
 }