org.springframework.boot.autoconfigure.EnableAutoConfiguration=org.apereo.cas.custom.config.SelectiveDuoWebflowEventResolverConfiguration
package org.apereo.cas.custom.mfa;
import com.google.common.collect.ImmutableSet;import java.util.Map;import java.util.Optional;import java.util.Set;import org.apereo.cas.CentralAuthenticationService;import org.apereo.cas.authentication.Authentication;import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;import org.apereo.cas.authentication.AuthenticationSystemSupport;import org.apereo.cas.authentication.principal.Principal;import org.apereo.cas.services.MultifactorAuthenticationProvider;import org.apereo.cas.services.MultifactorAuthenticationProviderSelector;import org.apereo.cas.services.RegisteredService;import org.apereo.cas.services.ServicesManager;import org.apereo.cas.ticket.registry.TicketRegistrySupport;import org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver;import org.apereo.cas.web.support.WebUtils;import org.slf4j.Logger;import org.slf4j.LoggerFactory;import org.springframework.web.util.CookieGenerator;import org.springframework.webflow.execution.Event;import org.springframework.webflow.execution.RequestContext;
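public class SelectiveDuoWebflowEventResolver extends AbstractCasWebflowEventResolver {
    private static final Logger LOGGER = LoggerFactory.getLogger(SelectiveDuoWebflowEventResolver.class);

    /** Id of the Duo provider that must run regardless of any bypass rule. */
    private static final String FORCED_PROVIDER_ID = "mfa-duo-force";

    /** Id of the Duo provider whose bypass rules are allowed to apply. */
    private static final String BYPASSABLE_PROVIDER_ID = "mfa-duo";

    /**
     * Creates the resolver; every collaborator is handed straight to the CAS base class.
     *
     * @param authenticationSystemSupport       authentication system support
     * @param centralAuthenticationService      central authentication service
     * @param servicesManager                   services manager
     * @param ticketRegistrySupport             ticket registry support
     * @param warnCookieGenerator               warn cookie generator
     * @param authenticationSelectionStrategies service selection plan
     * @param selector                          multifactor provider selector
     */
    public SelectiveDuoWebflowEventResolver(final AuthenticationSystemSupport authenticationSystemSupport,
                                            final CentralAuthenticationService centralAuthenticationService,
                                            final ServicesManager servicesManager,
                                            final TicketRegistrySupport ticketRegistrySupport,
                                            final CookieGenerator warnCookieGenerator,
                                            final AuthenticationServiceSelectionPlan authenticationSelectionStrategies,
                                            final MultifactorAuthenticationProviderSelector selector) {
        super(authenticationSystemSupport, centralAuthenticationService, servicesManager,
            ticketRegistrySupport, warnCookieGenerator, authenticationSelectionStrategies, selector);
    }

    /**
     * Routes the current authentication to one of the two Duo providers and returns the
     * matching webflow event.
     *
     * <p>Attribute <em>values</em> are deliberately not logged: authentication and principal
     * attributes routinely carry personal data, and the previous {@code System.out} dumps
     * would have written them to stdout on every login. Only attribute names are logged,
     * and only at debug level.
     *
     * <p>NOTE(review): {@code userRequiresDUO()} is not defined in this listing; the branch
     * below assumes it answers whether bypass rules may be applied for this user — confirm.
     * The event id returned here must also match a transition defined on the current webflow
     * state, otherwise {@code validateEventIdForMatchingTransitionInContext} cannot resolve it.
     *
     * @param context the webflow request context
     * @return a single-element set holding the resolved event
     * @throws IllegalStateException if the selected Duo provider is not registered in the
     *                               application context
     */
    @Override
    public Set<Event> resolveInternal(final RequestContext context) {
        final RegisteredService service = WebUtils.getRegisteredService(context);
        final Authentication authentication = WebUtils.getAuthentication(context);
        final Principal principal = authentication.getPrincipal();

        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Authentication attribute names: {}", authentication.getAttributes().keySet());
            LOGGER.debug("Principal attribute names: {}", principal.getAttributes().keySet());
        }

        final String providerId;
        if (userRequiresDUO()) {
            LOGGER.debug("Forcing MFA via provider [{}]", FORCED_PROVIDER_ID);
            providerId = FORCED_PROVIDER_ID;
        } else {
            LOGGER.debug("Not forcing MFA; using provider [{}]", BYPASSABLE_PROVIDER_ID);
            providerId = BYPASSABLE_PROVIDER_ID;
        }
        return ImmutableSet.of(resolveEventForProvider(providerId, context, principal, service));
    }

    /**
     * Looks up the provider registered under {@code providerId} and builds the transition
     * event for it. Both branches of {@link #resolveInternal} share this logic.
     *
     * @param providerId id of the multifactor provider bean to select
     * @param context    the webflow request context
     * @param principal  the authenticated principal
     * @param service    the registered service, possibly {@code null}
     * @return the validated webflow event for the provider
     * @throws IllegalStateException if no provider with that id exists in the application context
     */
    private Event resolveEventForProvider(final String providerId, final RequestContext context,
                                          final Principal principal, final RegisteredService service) {
        // An unchecked Optional.get() would surface as a bare NoSuchElementException; name the missing bean instead.
        final MultifactorAuthenticationProvider provider =
            getMultifactorAuthenticationProviderFromApplicationContext(providerId)
                .orElseThrow(() -> new IllegalStateException(
                    "Multifactor provider [" + providerId + "] is not registered in the application context"));
        final Map<String, Object> eventAttributes = buildEventAttributeMap(principal, service, provider);
        return validateEventIdForMatchingTransitionInContext(provider.getId(), context, eventAttributes);
    }
}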
package org.apereo.cas.custom.config;
import javax.annotation.PostConstruct;import org.apereo.cas.CentralAuthenticationService;import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;import org.apereo.cas.authentication.AuthenticationSystemSupport;import org.apereo.cas.configuration.CasConfigurationProperties;import org.apereo.cas.custom.mfa.SelectiveDuoWebflowEventResolver;import org.apereo.cas.services.MultifactorAuthenticationProviderSelector;import org.apereo.cas.services.ServicesManager;import org.apereo.cas.ticket.registry.TicketRegistrySupport;import org.apereo.cas.web.flow.authentication.RankedMultifactorAuthenticationProviderSelector;import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventResolver;import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.beans.factory.annotation.Qualifier;import org.springframework.boot.context.properties.EnableConfigurationProperties;import org.springframework.cloud.context.config.annotation.RefreshScope;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import org.springframework.web.util.CookieGenerator;
@Configuration("selectiveDuoWebflowEventResolverConfiguration")
@EnableConfigurationProperties(CasConfigurationProperties.class)
public class SelectiveDuoWebflowEventResolverConfiguration {

    /** Delegating resolver that the selective Duo resolver is registered with. */
    @Autowired
    @Qualifier("initialAuthenticationAttemptWebflowEventResolver")
    private CasDelegatingWebflowEventResolver initialAttemptResolver;

    /** Falls back to the ranked selector when no selector bean is defined. */
    @Autowired(required = false)
    @Qualifier("multifactorAuthenticationProviderSelector")
    private final MultifactorAuthenticationProviderSelector providerSelector =
        new RankedMultifactorAuthenticationProviderSelector();

    @Autowired
    @Qualifier("defaultAuthenticationSystemSupport")
    private AuthenticationSystemSupport authenticationSystemSupport;

    @Autowired
    @Qualifier("centralAuthenticationService")
    private CentralAuthenticationService centralAuthenticationService;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    @Autowired
    @Qualifier("defaultTicketRegistrySupport")
    private TicketRegistrySupport ticketRegistrySupport;

    @Autowired
    @Qualifier("warnCookieGenerator")
    private CookieGenerator warnCookieGenerator;

    @Autowired
    @Qualifier("authenticationServiceSelectionPlan")
    private AuthenticationServiceSelectionPlan serviceSelectionPlan;

    /**
     * Builds the selective Duo webflow event resolver from the wired CAS collaborators.
     *
     * @return the resolver bean
     */
    @RefreshScope
    @Bean
    public CasWebflowEventResolver selectiveDuoWebflowEventResolver() {
        return new SelectiveDuoWebflowEventResolver(
            authenticationSystemSupport,
            centralAuthenticationService,
            servicesManager,
            ticketRegistrySupport,
            warnCookieGenerator,
            serviceSelectionPlan,
            providerSelector);
    }

    /**
     * Registers the resolver as a delegate of the initial authentication attempt resolver
     * once this configuration has been fully wired.
     */
    @PostConstruct
    public void initialize() {
        final CasWebflowEventResolver resolver = selectiveDuoWebflowEventResolver();
        initialAttemptResolver.addDelegate(resolver);
    }
}
2018-02-01 10:25:29,433 WARN [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Transition definition cannot be found for event [mfa-duo-force|mfa-duo]>
# Activate MFA globally based on authentication metadata attributes
# cas.authn.mfa.globalAuthenticationAttributeNameTriggers=memberOf,eduPersonPrimaryAffiliation
# cas.authn.mfa.globalAuthenticationAttributeValueRegex=faculty|staff
# Activate MFA globally based on principal attributes
# cas.authn.mfa.globalPrincipalAttributeNameTriggers=memberOf,eduPersonPrimaryAffiliation
# Specify the regular expression pattern to trigger multifactor when working with a single provider.
# Comment out the setting when working with multiple multifactor providers
# cas.authn.mfa.globalPrincipalAttributeValueRegex=faculty|staff
# Activate MFA globally based on principal attributes and a groovy-based predicate
# cas.authn.mfa.globalPrincipalAttributePredicate=file:/etc/cas/PredicateExample.groovy
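/**
 * Decides per principal whether the Duo provider should run for this authentication.
 *
 * Arguments arrive positionally: authentication, principal, service, provider, logger, httpRequest.
 * Returns false when the principal's 'uid' attribute contains "testuid", true otherwise.
 *
 * NOTE(review): the original declared the return type as String while returning booleans,
 * which Groovy coerces to the strings "true"/"false"; the declared type is now boolean.
 * This positional layout and boolean result are the shape of a per-provider bypass script;
 * if this file is the one wired through cas.authn.mfa.globalPrincipalAttributePredicate,
 * confirm that property expects the same contract.
 */
def boolean run(final Object... args) {
    def authentication = args[0]   // unused here; kept to document the positional contract
    def principal = args[1]
    def service = args[2]          // unused here
    def provider = args[3]         // unused here
    def logger = args[4]
    def httpRequest = args[5]      // unused here

    // Log attribute names only: attribute values may contain personal data.
    logger.info("Evaluating principal attributes ${principal.attributes?.keySet()}")

    // 'uid' may be missing, a single String or a List; ?. keeps a missing attribute from throwing.
    // contains() works for both shapes (substring for String, element for List).
    def uid = principal.attributes?.get('uid')
    if (uid?.contains("testuid")) {
        logger.info("Skipping bypass for principal ${principal.id}")
        return false
    }
    return true
}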
cas.authn.mfa.duo[0].rank=0
cas.authn.mfa.duo[0].duoApiHost=REMOVED
cas.authn.mfa.duo[0].duoIntegrationKey=REMOVED
cas.authn.mfa.duo[0].duoSecretKey=REMOVED
cas.authn.mfa.duo[0].duoApplicationKey=REMOVED
cas.authn.mfa.duo[0].id=mfa-duo
cas.authn.mfa.globalProviderId=mfa-duo
cas.authn.mfa.globalPrincipalAttributePredicate=file:///etc/cas/selectiveDuo.groovy
cas.authn.mfa.providerSelectorGroovyScript=file:/etc/cas/wathever.groovy