org.xdi.oxauth.ws.rs.fido.u2f.U2fRegistrationWS 連携図

公開メンバ関数
Response	startRegistration (@QueryParam("username") String userName, @QueryParam("application") String appId, @QueryParam("session_id") String sessionId, @QueryParam("enrollment_code") String enrollmentCode)

Response	finishRegistration (@FormParam("username") String userName, @FormParam("tokenResponse") String registerResponseString)

非公開メンバ関数
boolean	isCurrentAuthenticationLevelCorrespondsToU2fLevel (String session)

詳解

The endpoint allows to start and finish U2F registration process

著者: Yuriy Movchan

バージョン: August 9, 2017

関数詳解

◆ finishRegistration()

Response org.xdi.oxauth.ws.rs.fido.u2f.U2fRegistrationWS.finishRegistration	(	@FormParam("username") String	userName,
		@FormParam("tokenResponse") String	registerResponseString
	)

inline

                                                                                                                                           {
         String sessionId = null;
         try {
             if (appConfiguration.getDisableU2fEndpoint()) {
                 return Response.status(Status.FORBIDDEN).build();
             }
 
             log.debug("Finishing registration for username '{}' with response '{}'", userName, registerResponseString);
 
             RegisterResponse registerResponse = ServerUtil.jsonMapperWithWrapRoot().readValue(registerResponseString, RegisterResponse.class);
 
             String requestId = registerResponse.getRequestId();
             RegisterRequestMessageLdap registerRequestMessageLdap = u2fRegistrationService.getRegisterRequestMessageByRequestId(requestId);
             if (registerRequestMessageLdap == null) {
                 throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
                         .entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SESSION_EXPIRED)).build());
             }
             u2fRegistrationService.removeRegisterRequestMessage(registerRequestMessageLdap);
 
             String foundUserInum = registerRequestMessageLdap.getUserInum();
 
             RegisterRequestMessage registerRequestMessage = registerRequestMessageLdap.getRegisterRequestMessage();
             DeviceRegistrationResult deviceRegistrationResult = u2fRegistrationService.finishRegistration(registerRequestMessage, registerResponse, foundUserInum);
 
             // If sessionId is not empty update session
             sessionId = registerRequestMessageLdap.getSessionId();
             if (StringHelper.isNotEmpty(sessionId)) {
                 log.debug("There is session id. Setting session id attributes");
 
                 boolean oneStep = StringHelper.isEmpty(foundUserInum);
                 userSessionIdService.updateUserSessionIdOnFinishRequest(sessionId, foundUserInum, deviceRegistrationResult, true, oneStep);
             }
 
             RegisterStatus registerStatus = new RegisterStatus(Constants.RESULT_SUCCESS, requestId);
 
             // Convert manually to avoid possible conflict between resteasy providers, e.g. jettison, jackson
             final String entity = ServerUtil.asJson(registerStatus);
 
             return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
         } catch (Exception ex) {
             log.error("Exception happened", ex);
 
             try {
                 // If sessionId is not empty update session
                 if (StringHelper.isNotEmpty(sessionId)) {
                     log.debug("There is session id. Setting session id status to 'declined'");
                     userSessionIdService.updateUserSessionIdOnError(sessionId);
                 }
             } catch (Exception ex2) {
                 log.error("Failed to update session id status", ex2);
             }
 
             if (ex instanceof WebApplicationException) {
                 throw (WebApplicationException) ex;
             }
 
             if (ex instanceof BadInputException) {
                 throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
                         .entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.INVALID_REQUEST)).build());
             }
 
             throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR)
                     .entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
         }
     }

◆ isCurrentAuthenticationLevelCorrespondsToU2fLevel()

boolean org.xdi.oxauth.ws.rs.fido.u2f.U2fRegistrationWS.isCurrentAuthenticationLevelCorrespondsToU2fLevel ( String session )

inlineprivate

                                                                                       {
         SessionId sessionId = sessionIdService.getSessionId(session);
         if (sessionId == null)
             return false;
 
         String acrValuesStr = sessionIdService.getAcr(sessionId);
         if (acrValuesStr == null)
             return false;
 
         CustomScriptConfiguration u2fScriptConfiguration = service.getCustomScriptConfigurationByName("u2f");
         if (u2fScriptConfiguration == null)
             return false;
 
         String[] acrValuesArray = acrValuesStr.split(" ");
         for (String acrValue : acrValuesArray) {
             CustomScriptConfiguration currentScriptConfiguration = service.getCustomScriptConfigurationByName(acrValue);
             if (currentScriptConfiguration == null)
                 continue;
 
             if (currentScriptConfiguration.getLevel() >= u2fScriptConfiguration.getLevel())
                 return true;
         }
 
         return false;
     }

◆ startRegistration()

Response org.xdi.oxauth.ws.rs.fido.u2f.U2fRegistrationWS.startRegistration	(	@QueryParam("username") String	userName,
		@QueryParam("application") String	appId,
		@QueryParam("session_id") String	sessionId,
		@QueryParam("enrollment_code") String	enrollmentCode
	)

inline

                                                                                                                                                                                                                           {
         // Parameter username is deprecated. We uses it only to determine is it's one or two step workflow
         try {
             if (appConfiguration.getDisableU2fEndpoint()) {
                 return Response.status(Status.FORBIDDEN).build();
             }
 
             log.debug("Startig registration with username '{}' for appId '{}'. session_id '{}', enrollment_code '{}'", userName, appId, sessionId, enrollmentCode);
 
             String userInum = null;
 
             boolean sessionBasedEnrollment = false;
             boolean twoStep = StringHelper.isNotEmpty(userName);
             if (twoStep) {
                 boolean removeEnrollment = false;
                 if (StringHelper.isNotEmpty(sessionId)) {
                     boolean valid = u2fValidationService.isValidSessionId(userName, sessionId);
                     if (!valid) {
                         throw new BadInputException(String.format("session_id '%s' is invalid", sessionId));
                     }
                     sessionBasedEnrollment = true;
                 } else if (StringHelper.isNotEmpty(enrollmentCode)) {
                     boolean valid = u2fValidationService.isValidEnrollmentCode(userName, enrollmentCode);
                     if (!valid) {
                         throw new BadInputException(String.format("enrollment_code '%s' is invalid", enrollmentCode));
                     }
                     removeEnrollment = true;
                 } else {
                     throw new BadInputException("session_id or enrollment_code is mandatory");
                 }
 
                 User user = userService.getUser(userName);
                 userInum = userService.getUserInum(user);
                 if (StringHelper.isEmpty(userInum)) {
                     throw new BadInputException(String.format("Failed to find user '%s' in LDAP", userName));
                 }
 
                 if (removeEnrollment) {
                     // We allow to use enrollment code only one time
                     user.setAttribute(U2fConstants.U2F_ENROLLMENT_CODE_ATTRIBUTE, (String) null);
                     userService.updateUser(user);
                 }
             }
 
             if (sessionBasedEnrollment) {
                 List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, appId);
                 if (deviceRegistrations.size() > 0 && !isCurrentAuthenticationLevelCorrespondsToU2fLevel(sessionId)) {
                     throw new RegistrationNotAllowed(String.format("It's not possible to start registration with user_name and session_id because user '%s' has already enrolled device", userName));
                 }
             }
 
             RegisterRequestMessage registerRequestMessage = u2fRegistrationService.builRegisterRequestMessage(appId, userInum);
             u2fRegistrationService.storeRegisterRequestMessage(registerRequestMessage, userInum, sessionId);
 
             // Convert manually to avoid possible conflict between resteasy providers, e.g. jettison, jackson
             final String entity = ServerUtil.asJson(registerRequestMessage);
 
             return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
         } catch (Exception ex) {
             log.error("Exception happened", ex);
             if (ex instanceof WebApplicationException) {
                 throw (WebApplicationException) ex;
             }
 
             if (ex instanceof RegistrationNotAllowed) {
                 throw new WebApplicationException(Response.status(Response.Status.NOT_ACCEPTABLE)
                         .entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.REGISTRATION_NOT_ALLOWED)).build());
             }
 
             throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR)
                     .entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
         }
     }

メンバ詳解

◆ appConfiguration

AppConfiguration org.xdi.oxauth.ws.rs.fido.u2f.U2fRegistrationWS.appConfiguration

private

◆ deviceRegistrationService

DeviceRegistrationService org.xdi.oxauth.ws.rs.fido.u2f.U2fRegistrationWS.deviceRegistrationService

private

◆ errorResponseFactory

ErrorResponseFactory org.xdi.oxauth.ws.rs.fido.u2f.U2fRegistrationWS.errorResponseFactory

private

◆ log

Logger org.xdi.oxauth.ws.rs.fido.u2f.U2fRegistrationWS.log

private

◆ service

ExternalAuthenticationService org.xdi.oxauth.ws.rs.fido.u2f.U2fRegistrationWS.service

private

◆ sessionIdService

SessionIdService org.xdi.oxauth.ws.rs.fido.u2f.U2fRegistrationWS.sessionIdService

private

◆ u2fRegistrationService

RegistrationService org.xdi.oxauth.ws.rs.fido.u2f.U2fRegistrationWS.u2fRegistrationService

private

◆ u2fValidationService

ValidationService org.xdi.oxauth.ws.rs.fido.u2f.U2fRegistrationWS.u2fValidationService

private

◆ userService

UserService org.xdi.oxauth.ws.rs.fido.u2f.U2fRegistrationWS.userService

private

◆ userSessionIdService

UserSessionIdService org.xdi.oxauth.ws.rs.fido.u2f.U2fRegistrationWS.userSessionIdService

private

このクラス詳解は次のファイルから抽出されました:

D:/AppData/OpenId/gluu/src/oxAuth/Server/src/main/java/org/xdi/oxauth/ws/rs/fido/u2f/U2fRegistrationWS.java

非公開変数類
Logger	log

AppConfiguration	appConfiguration

UserService	userService

ErrorResponseFactory	errorResponseFactory

RegistrationService	u2fRegistrationService

DeviceRegistrationService	deviceRegistrationService

SessionIdService	sessionIdService

UserSessionIdService	userSessionIdService

ValidationService	u2fValidationService

ExternalAuthenticationService	service

公開メンバ関数

非公開メンバ関数

非公開変数類

詳解

関数詳解

◆ finishRegistration()

◆ isCurrentAuthenticationLevelCorrespondsToU2fLevel()

◆ startRegistration()

メンバ詳解

◆ appConfiguration

◆ deviceRegistrationService

◆ errorResponseFactory

◆ log

◆ service

◆ sessionIdService

◆ u2fRegistrationService

◆ u2fValidationService

◆ userService

◆ userSessionIdService