Merge pull request #8 from gayanch/master

MBSS Authenticator

mbss-athenticator/README.txt

@@ -0,0 +1,100 @@
+================================================================
+Patch ID     :  patch_mig00093
+Public Jira  :  https://jira.wso2telco.com/jira/browse/INTGW-233
+Description  :  MBSS Basic Authenticator for MIG 2.2.0
+================================================================
+
+DESCRIPTION
+------------
+MBSS basic authenticator has following functionalities,
+    * Session limiting feature
+    * Configurable Login time restrictions (Work time authenticator)
+    * Periodic password change feature
+    * Detects suspended/locked accounts and prevents those accounts from authorizing.
+
+Please perform below modifications to the current deployment to reflect the changes.
+
+PRE-REQUISITES
+--------------
+
+System Requirements
+
+a) Java SE Development Kit 1.8
+b) wso2telcoids-2.2.0
+
+
+DEPENDANT PATCHES
+-------------------------
+This patch depends on following patches
+    * patch_mig00087
+    * patch_mig00088
+    * patch_dep00096
+
+
+INSTALLATION INSTRUCTIONS
+-------------------------
+1) Copy following artifacts from resources/ directory into <IS_HOME>/repository/components/dropins (replace existing ones if needed)
+    * com.wso2telco.mbss.authenticator-1.0.0.jar
+    * org.wso2.carbon.identity.data.publisher.session-1.0.0.jar
+    * password_history/password-history-manager-1.0.0.jar
+
+2) Copy following configuration files (replace existing ones if needed),
+    * resources/mbss-authenticator-config.xml into <IS_HOME>/repository/conf directory
+    * resources/password_history/password-history-identity-mgt.properties into <IS_HOME>/repository/conf/identity
+
+3) Copy resources/pwd-reset.jsp into <IS_HOME>/repository/deployment/server/webapps/authenticationendpoint/ directory.
+
+4) Copy 'patch00093' directory into <IS_HOME>/repository/components/patches directory.
+
+5) To create required database tables, execute following scripts on WSO2IDENTITY_DB
+    * resources/db_setup.mysql.sql
+    * resources/password_history/mysql.sql
+
+
+Configuration
+-------------------------------------------------------
+
+1) Open identity.xml file located at <IS_HOME>/repository/conf/identity directory and find the <EventListeners> section and insert the following snippet at the end of the section if not already present,
+
+    <EventListener
+        type="org.wso2.carbon.identity.core.handler.AbstractIdentityMessageHandler"        
+        name="org.wso2.carbon.identity.data.publisher.session.impl.DbSessionDataPublisherImpl"
+        orderId="11" enable="true"
+    />
+
+2) Various configurations options of MBSS Authenticator is defined in <IS_HOME>/repository/conf/mbss-authenticator-config.xml file. Change those configurations as needed.
+
+2) Configuration options of Password history manager is defined in <IS_HOME>/repository/conf/identity/password-history-identity-mgt.properties file. Modify as needed.
+
+3) Create following claims in IS using management console, Skip if already exists and leave the other fields in deafult state.
+
+    i)  Dialect:                http://wso2.org/claims
+        Display Name:	        UTC Offset
+        Description:	        UTC Offset
+        Claim Uri:	            http://wso2.org/claims/utcOffset
+        Mapped Attribute (s):	utcOffset
+        Supported by Default:	true
+
+   ii)  Dialect:                http://wso2.org/claims
+        Display Name:	        Day light saving time offset
+        Description:        	Day light saving time offset
+        Claim Uri:          	http://wso2.org/claims/dstOffset
+        Mapped Attribute (s):	dstOffset
+        Supported by Default:	true
+
+  iii)  Dialect:                http://wso2.org/claims
+        Display Name:	        Intitial Password Changed
+        Description:        	Intitial Password Changed
+        Claim Uri:          	http://wso2.org/claims/identity/initialPasswordChanged
+        Mapped Attribute (s):	initialPasswordChanged
+        Supported by Default:	false
+
+3) Create the roles defined in mbss-authenticator-config.xml (inside workingTime sections) on IS using management console or remove unecessary definitions from configuration file.
+
+4) Assign newly created roles to users as needed.
+
+5) Restart IS
+
+6) Now there will be an authenticator named 'MBSSBasicAuthenticator' in Authenticator configuration section of service providers. Assign MBSSBasicAuthenticator to a service provider. (NOTE: Make sure that the MBSSBasicAuthenticator is the only authenticator assigned to a particular SP)
+
+

mbss-athenticator/components/com.wso2telco.mbss.authenticator/pom.xml

@@ -52,12 +52,6 @@
             <artifactId>org.wso2.carbon.identity.application.authentication.framework</artifactId>
             <version>5.2.2</version>
         </dependency>
-
-        <dependency>
-            <groupId>com.google.guava</groupId>
-            <artifactId>guava</artifactId>
-            <version>24.1.1-jre</version>
-        </dependency>
     </dependencies>
     <build>
         <plugins>
@@ -99,7 +93,6 @@
                         <Import-Package>
                             javax.servlet,
                             javax.servlet.http,
-                            com.google.common.cache.*;version="[19.0,24.1.1-jre)",
                             *;resolution:=optional
                         </Import-Package>
                         <Private-Package>

mbss-athenticator/components/com.wso2telco.mbss.authenticator/src/main/java/com/wso2telco/mbss/authenticator/MBSSAuthenticatorConstants.java

@@ -18,8 +18,8 @@ public abstract class MBSSAuthenticatorConstants {
 
     public static final String ACCOUNT_SUSPENDED_CLAIM = "http://wso2.org/claims/identity/accountSuspended";
     public static final String LAST_PASSWORD_CHANGE_CLAIM = "http://wso2.org/claims/identity/lastPasswordUpdateTime";
-    public static final String UTC_OFFSET_CLAIM = "http://wso2.org/claims/identity/utcOffset";
-    public static final String DST_OFFSET_CLAIM = "http://wso2.org/claims/identity/dstOffset";
+    public static final String UTC_OFFSET_CLAIM = "http://wso2.org/claims/utcOffset";
+    public static final String DST_OFFSET_CLAIM = "http://wso2.org/claims/dstOffset";
     public static final String INITIAL_PASSWORD_CHANGED_CLAIM = "http://wso2.org/claims/identity/initialPasswordChanged";
 
     public static final String FAILED_REASON = "authorizationFailedReason";

mbss-athenticator/components/com.wso2telco.mbss.authenticator/src/main/java/com/wso2telco/mbss/authenticator/MBSSBasicAuthenticator.java

@@ -368,13 +368,15 @@ private boolean isNewSessionAllowed(HttpServletRequest request, HttpServletRespo
 
         final int maximumSessionCount = ConfigLoader.getInstance().getMbssAuthenticatorConfig().getFeatureConfig()
                 .getMaximumSessionLimit();
+        final long sessionTimeout  = ConfigLoader.getInstance().getMbssAuthenticatorConfig().getFeatureConfig()
+                .getSessionTimeout();
 
         String username = request.getParameter(MBSSAuthenticatorConstants.USER_NAME);
         String serviceProviderName = context.getServiceProviderName();
         boolean allowed = false;
         try {
             int cachedActiveSessions = MBSSAuthenticatorDbUtil.getActiveSessionCount(username + ":"
-                    + serviceProviderName);
+                    + serviceProviderName, sessionTimeout);
             if (cachedActiveSessions < maximumSessionCount) {
                 allowed = true;
             } else {

mbss-athenticator/components/com.wso2telco.mbss.authenticator/src/main/java/com/wso2telco/mbss/authenticator/model/MBSSAuthenticatorConfig.java

@@ -79,6 +79,7 @@ public static class FeatureConfig {
         private boolean loginTimeRestrictionEnabled;
         private boolean periodicPasswordChangeEnabled;
         private int maximumSessionLimit;
+        private long sessionTimeout;
 
         @XmlElement(name = "accountSuspensionFeature")
         public boolean isAccountSuspensionEnabled() {
@@ -124,6 +125,15 @@ public int getMaximumSessionLimit() {
         public void setMaximumSessionLimit(int maximumSessionLimit) {
             this.maximumSessionLimit = maximumSessionLimit;
         }
+
+        @XmlElement(name = "sessionTimeout")
+        public long getSessionTimeout() {
+            return sessionTimeout;
+        }
+
+        public void setSessionTimeout(long sessionTimeout) {
+            this.sessionTimeout = sessionTimeout;
+        }
     }
 
     public static class ErrorMessagesConfig {

mbss-athenticator/components/com.wso2telco.mbss.authenticator/src/main/java/com/wso2telco/mbss/authenticator/util/MBSSAuthenticatorDbUtil.java

@@ -52,18 +52,22 @@ private static void closeResources (Connection con, PreparedStatement prep, Resu
         }
     }
 
-    public static int getActiveSessionCount(String key) throws SQLException {
+    public static int getActiveSessionCount(String key, long sessionTimeout) throws SQLException {
         String keys[] = key.split(":");
         String username = keys[0];
         String serviceProviderName = keys[1];
 
+        long currentTime = System.currentTimeMillis();
+
         String sql = "SELECT COUNT(SESSION_ID) FROM IDN_AUTH_SESSION_INFO WHERE USERNAME = ? AND " +
                 "SERVICE_PROVIDER = ? AND " +
-                "floor(TERMINATION_TIME/1000) > unix_timestamp()";
+                "(START_TIME + ?) > ?";
         Connection con = getIdentityDbConnection();
         PreparedStatement prep = con.prepareStatement(sql);
         prep.setString(1, username);
         prep.setString(2, serviceProviderName);
+        prep.setLong(3, sessionTimeout * 1000); //converting session timeout to milliseconds
+        prep.setLong(4, currentTime);
         ResultSet res = prep.executeQuery();
 
         int activeSessionCount = -1;

mbss-athenticator/components/com.wso2telco.mbss.authenticator/src/main/java/com/wso2telco/mbss/authenticator/util/TimeZoneUtils.java

@@ -26,7 +26,17 @@ public static TimeOffset decodeOffsetString(String offset) {
 
         int minutes = 0;
         if (hoursAndMinutes.length == 2 && isNumeric(hoursAndMinutes[1])) {
-            minutes = hours < 0 ? Integer.parseInt(hoursAndMinutes[1]) * -1 : Integer.parseInt(hoursAndMinutes[1]);
+            char sign = offset.charAt(0);
+            switch (sign) {
+                case '-':
+                    minutes = Integer.parseInt(hoursAndMinutes[1]) * -1;
+                    break;
+
+                case '+':
+                default:
+                    minutes = Integer.parseInt(hoursAndMinutes[1]);
+                    break;
+            }
         }
 
         timeOffset.setHours(hours);

mbss-athenticator/components/com.wso2telco.mbss.authenticator/src/main/resources/mbss-authenticator-config.xml

@@ -4,8 +4,8 @@
         <!--The following wotkingTime definitions are samples. Feel free to change according to your requirements.-->
         <workingTime>
             <role>engineerRole</role> <!--Create this role first from management console UI-->
-            <start>0800</start> <!--Start of work time in 24H format-->
-            <end>1600</end> <!--End of work time in 24H format-->
+            <start>0300</start> <!--Start of work time in 24H format-->
+            <end>0430</end> <!--End of work time in 24H format-->
         </workingTime>
 
         <workingTime>
@@ -24,7 +24,7 @@
     <!--Error message contents-->
     <errorMessages>
         <accountSuspendedMessage>User account is suspended for inactivity. Please contact administrator.</accountSuspendedMessage>
-        <sessionLimitExceededMessage>Login failed because there are other active sessions. End other sessions before trying agaiin.</sessionLimitExceededMessage>
+        <sessionLimitExceededMessage>Login failed because there are other active sessions. End other sessions before trying again.</sessionLimitExceededMessage>
         <invalidCredentialsMessage>Unauthorized use of Celcoms applications is prohibited.</invalidCredentialsMessage>
         <accountLockedMessage>User account is locked. Please contact administrator.</accountLockedMessage>
         <loginTimeRestrictedMessage>Login failed due to login time restrictions. Contact administrator for more details.</loginTimeRestrictedMessage>
@@ -41,9 +41,10 @@
     <featureConfig>
         <accountSuspensionFeature>true</accountSuspensionFeature>        
         <loginTimeRestrictionFeature>true</loginTimeRestrictionFeature>
-        <periodicPasswordChangeFeature>false</periodicPasswordChangeFeature>
+        <periodicPasswordChangeFeature>true</periodicPasswordChangeFeature>
         <sessionLimitingFeature>true</sessionLimitingFeature>
         <maximumSessionLimit>1</maximumSessionLimit>
+        <sessionTimeout>1800</sessionTimeout> <!--In seconds-->
     </featureConfig>
 
     <periodicPasswordChangeConfig>

mbss-athenticator/components/org.wso2.carbon.identity.data.publisher.session/src/main/java/org/wso2/carbon/identity/data/publisher/session/AbstractAuthenticationDataPublisher.java

@@ -1,21 +1,3 @@
-/*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
- *
- * WSO2 Inc. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
 package org.wso2.carbon.identity.data.publisher.session;
 
 import org.apache.commons.lang.StringUtils;

mbss-athenticator/components/org.wso2.carbon.identity.data.publisher.session/src/main/java/org/wso2/carbon/identity/data/publisher/session/AuthPublisherConstants.java

@@ -1,21 +1,3 @@
-/*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
- *
- * WSO2 Inc. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
 package org.wso2.carbon.identity.data.publisher.session;
 
 public class AuthPublisherConstants {

mbss-athenticator/components/org.wso2.carbon.identity.data.publisher.session/src/main/java/org/wso2/carbon/identity/data/publisher/session/AuthnDataPublisherProxy.java

@@ -1,21 +1,3 @@
-/*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
- *
- * WSO2 Inc. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
 package org.wso2.carbon.identity.data.publisher.session;
 
 import org.wso2.carbon.identity.application.authentication.framework.AuthenticationDataPublisher;

mbss-athenticator/components/org.wso2.carbon.identity.data.publisher.session/src/main/java/org/wso2/carbon/identity/data/publisher/session/AuthnDataPublisherUtils.java

@@ -1,21 +1,3 @@
-/*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
- *
- * WSO2 Inc. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
 package org.wso2.carbon.identity.data.publisher.session;
 
 import org.apache.axiom.om.util.Base64;

mbss-athenticator/components/org.wso2.carbon.identity.data.publisher.session/src/main/java/org/wso2/carbon/identity/data/publisher/session/impl/DbLoginDataPublisherImpl.java

@@ -1,21 +1,3 @@
-/*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
- *
- * WSO2 Inc. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
 package org.wso2.carbon.identity.data.publisher.session.impl;
 
 import org.apache.commons.lang.StringUtils;