From 3041d419bd4affe524a0813ca2de2fd1e64a8826 Mon Sep 17 00:00:00 2001
From: Misagh Moayyed
Date: Wed, 17 Jun 2015 12:54:31 -0700
Subject: [PATCH] added support for clearpass caching and MFA
---
 .../authentication/duo/DuoCredentials.groovy | 34 +++++++++++-
 .../duo/DuoMultiFactorWebflowConfigurer.java | 55 +++++++++++++++++++
 ...hainingCredentialsToPrincipalResolver.java | 42 ++++++++++++++
 .../WEB-INF/cas-servlet-override-context.xml | 9 +++
 4 files changed, 138 insertions(+), 2 deletions(-)
 create mode 100644 cas-mfa-duo/src/main/groovy/net/unicon/cas/mfa/authentication/duo/DuoMultiFactorWebflowConfigurer.java
 create mode 100644 cas-mfa-java/src/main/java/net/unicon/cas/mfa/authentication/principal/ChainingCredentialsToPrincipalResolver.java
diff --git a/cas-mfa-duo/src/main/groovy/net/unicon/cas/mfa/authentication/duo/DuoCredentials.groovy b/cas-mfa-duo/src/main/groovy/net/unicon/cas/mfa/authentication/duo/DuoCredentials.groovy
index 9930a34..7d9d4b1 100644
--- a/cas-mfa-duo/src/main/groovy/net/unicon/cas/mfa/authentication/duo/DuoCredentials.groovy
+++ b/cas-mfa-duo/src/main/groovy/net/unicon/cas/mfa/authentication/duo/DuoCredentials.groovy
@@ -1,7 +1,37 @@ package net.unicon.cas.mfa.authentication.duo -import org.jasig.cas.authentication.principal.UsernamePasswordCredentials +import org.jasig.cas.authentication.principal.Credentials -class DuoCredentials extends UsernamePasswordCredentials { +class DuoCredentials implements Credentials { + + String username String signedDuoResponse + + @Override + String toString() { + return "[username: " + this.username + "]" + } + + @Override + public boolean equals(final Object o) { + if (this == o) { + return true + } + if (o == null || getClass() != o.getClass()) { + return false + } + + final DuoCredentials that = (DuoCredentials) o; + if (username != null ? !username.equals(that.username) : that.username != null) { + return false + } + + return true + } + + @Override + int hashCode() { + username != null ? username.hashCode() : 0; + } + }
diff --git a/cas-mfa-duo/src/main/groovy/net/unicon/cas/mfa/authentication/duo/DuoMultiFactorWebflowConfigurer.java b/cas-mfa-duo/src/main/groovy/net/unicon/cas/mfa/authentication/duo/DuoMultiFactorWebflowConfigurer.java
new file mode 100644
index 0000000..2cb6526
--- /dev/null
+++ b/cas-mfa-duo/src/main/groovy/net/unicon/cas/mfa/authentication/duo/DuoMultiFactorWebflowConfigurer.java
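Review bot: `equals` and `hashCode` consider only `username`, so two DuoCredentials carrying different `signedDuoResponse` values compare equal and collide in any hash-keyed cache; if that is the intended identity, state it above the `equals` override with `// identity is the username only; signedDuoResponse is deliberately excluded from equals/hashCode (and from toString)`. Switching from extending UsernamePasswordCredentials to implementing Credentials also drops the password field, which the class should document with a one-line comment saying this credential represents the second factor only and carries no password. Minor style: the body mixes Groovy statements with and without semicolons (`final DuoCredentials that = (DuoCredentials) o;` and the `hashCode` expression versus the rest), pick one convention.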
@@ -0,0 +1,55 @@
+package net.unicon.cas.mfa.authentication.duo;
+
+import org.jasig.cas.authentication.principal.AbstractPersonDirectoryCredentialsToPrincipalResolver;
+import org.jasig.cas.authentication.principal.Credentials;
+import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
+import org.jasig.cas.authentication.principal.Principal;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.stereotype.Component;
+import org.springframework.web.context.WebApplicationContext;
+
+import javax.annotation.PostConstruct;
+import java.util.List;
+
+/**
+ * Initialize the application context with the needed webflow mfa configuration
+ * as much as possible to simplify adding mfa into an existing overlay.
+ *
+ * @author Misagh Moayyed
+ */
+@Component
+public class DuoMultiFactorWebflowConfigurer implements InitializingBean {
+ private static final Logger LOGGER = LoggerFactory.getLogger(DuoMultiFactorWebflowConfigurer.class);
+
+ @Autowired
+ private WebApplicationContext context;
+
+
+ @PostConstruct
+ public void afterPropertiesSet() throws Exception {
+ try {
+ final List resolvers = this.context.getBean("mfaCredentialsToPrincipalResolvers", List.class);
+ resolvers.add(new DuoCredentialsToPrincipalResolver());
+ } catch (final Exception e) {
+ LOGGER.error(e.getMessage(), e);
+ }
+ }
+
+ private class DuoCredentialsToPrincipalResolver extends AbstractPersonDirectoryCredentialsToPrincipalResolver {
+
+ @Override
+ protected String extractPrincipalId(final Credentials credentials) {
+ final DuoCredentials duoCredentials = (DuoCredentials) credentials;
+ return duoCredentials.getUsername();
+ }
+
+ @Override
+ public boolean supports(final Credentials credentials) {
+ return credentials != null && credentials instanceof
DuoCredentials;
+ }
+ }
+}
diff --git a/cas-mfa-java/src/main/java/net/unicon/cas/mfa/authentication/principal/ChainingCredentialsToPrincipalResolver.java b/cas-mfa-java/src/main/java/net/unicon/cas/mfa/authentication/principal/ChainingCredentialsToPrincipalResolver.java
new file mode 100644
index 0000000..1a2f2bb
--- /dev/null
+++ b/cas-mfa-java/src/main/java/net/unicon/cas/mfa/authentication/principal/ChainingCredentialsToPrincipalResolver.java
@@ -0,0 +1,42 @@
+package net.unicon.cas.mfa.authentication.principal;
+
+import org.jasig.cas.authentication.principal.Credentials;
+import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
+import org.jasig.cas.authentication.principal.Principal;
+
+import java.util.Iterator;
+import java.util.List;
+
+/**
+ * This is {@link ChainingCredentialsToPrincipalResolver} that chains a number of
+ * principal resolvers together.
+ *
+ * @author Misagh Moayyed
+ */
+public final class ChainingCredentialsToPrincipalResolver implements CredentialsToPrincipalResolver {
+ private List chain;
+
+ @Override
+ public Principal resolvePrincipal(final Credentials credentials) {
+ final Iterator it = this.chain.iterator();
+ while (it.hasNext()) {
+ final CredentialsToPrincipalResolver resolver = it.next();
+ if (resolver.supports(credentials)) {
+ final Principal p = resolver.resolvePrincipal(credentials);
+ if (p != null) {
+ return p;
+ }
+ }
+ }
+ return null;
+ }
+
+ @Override
+ public boolean supports(final Credentials credentials) {
+ return true;
+ }
+
+ public void setChain(final List chain) {
+ this.chain = chain;
+ }
+}
diff --git a/cas-mfa-web/src/main/webapp/WEB-INF/cas-servlet-override-context.xml b/cas-mfa-web/src/main/webapp/WEB-INF/cas-servlet-override-context.xml
index 756c82c..8673f96 100644
--- a/cas-mfa-web/src/main/webapp/WEB-INF/cas-servlet-override-context.xml
+++ b/cas-mfa-web/src/main/webapp/WEB-INF/cas-servlet-override-context.xml
@@ -71,8 +71,17 @@ + + + + + + + +
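Review bot: `afterPropertiesSet` is both annotated `@PostConstruct` and the `InitializingBean` callback, so Spring invokes it twice and a second `DuoCredentialsToPrincipalResolver` is appended to the `mfaCredentialsToPrincipalResolvers` list; drop the `@PostConstruct` line, the interface method already runs once after properties are set. The surrounding catch logs any failure and continues, so a missing or unmodifiable list bean silently leaves Duo credentials with no principal resolver while the context starts normally — for an MFA wiring step the failure should propagate (remove the try/catch or `throw e;`) so misconfiguration is caught at startup. `extractPrincipalId` returns `duoCredentials.getUsername()` without qualification; presumably the flow populates that field from the already-authenticated first-factor principal rather than from request input, and that precondition deserves a comment on the resolver (`// username must come from the first-factor principal, never from the client`) because the principal established here is what the second factor gets bound to. Also `credentials instanceof DuoCredentials` already rejects null, and the `Qualifier`, `CredentialsToPrincipalResolver` and `Principal` imports are unused.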
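Review bot: `chain` and `it` are raw types, so `it.next()` is assigned to `CredentialsToPrincipalResolver` via an unchecked conversion that only fails at runtime; declare `private List<CredentialsToPrincipalResolver> chain;`, take `final List<CredentialsToPrincipalResolver> chain` in `setChain`, and replace the iterator loop with `for (final CredentialsToPrincipalResolver resolver : this.chain) {`. `resolvePrincipal` dereferences `chain` with no null guard, so a bean whose `setChain` was never called throws NullPointerException on first use; an `Objects.requireNonNull` in the setter or an empty-list default makes that failure explicit at wiring time. `supports` unconditionally returns true while `resolvePrincipal` may still return null when no delegate accepted the credentials, so the class Javadoc should state that contract (null means no resolver in the chain matched) rather than letting callers read the true `supports` as a guarantee.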