Add MultiFactorAuthenticationProvider

Author: ynojima

config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/mfa/MultiFactorAuthenticationProviderConfigurer.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.authentication.configurers.mfa;
+
+import org.springframework.security.authentication.*;
+import org.springframework.security.config.annotation.SecurityBuilder;
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.authentication.ProviderManagerBuilder;
+
+/**
+ *
+ * @param <B> the type of the {@link SecurityBuilder}
+ */
+public class MultiFactorAuthenticationProviderConfigurer<B extends ProviderManagerBuilder<B>>
+        extends SecurityConfigurerAdapter<AuthenticationManager, B> {
+
+    //~ Instance fields
+    // ================================================================================================
+    private AuthenticationProvider authenticationProvider;
+    private MFATokenEvaluator mfaTokenEvaluator = new MFATokenEvaluatorImpl();
+
+    /**
+     * Constructor
+     * @param authenticationProvider {@link AuthenticationProvider} to be delegated
+     */
+    public MultiFactorAuthenticationProviderConfigurer(AuthenticationProvider authenticationProvider) {
+        this.authenticationProvider = authenticationProvider;
+    }
+
+
+	public static MultiFactorAuthenticationProviderConfigurer multiFactorAuthenticationProvider(AuthenticationProvider authenticationProvider){
+		return new MultiFactorAuthenticationProviderConfigurer(authenticationProvider);
+	}
+
+    @Override
+    public void configure(B builder) {
+        MultiFactorAuthenticationProvider multiFactorAuthenticationProvider = new MultiFactorAuthenticationProvider(authenticationProvider, mfaTokenEvaluator);
+        multiFactorAuthenticationProvider = postProcess(multiFactorAuthenticationProvider);
+        builder.authenticationProvider(multiFactorAuthenticationProvider);
+    }
+
+    public MultiFactorAuthenticationProviderConfigurer<B> mfaTokenEvaluator(MFATokenEvaluator mfaTokenEvaluator) {
+        this.mfaTokenEvaluator = mfaTokenEvaluator;
+        return this;
+    }
+}

config/src/test/java/org/springframework/security/config/annotation/authentication/configurers/mfa/MultiFactorAuthenticationProviderConfigurerTests.java

@@ -0,0 +1,33 @@
+package org.springframework.security.config.annotation.authentication.configurers.mfa;
+
+import org.junit.Test;
+import org.mockito.ArgumentCaptor;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.MFATokenEvaluator;
+import org.springframework.security.authentication.MultiFactorAuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.ProviderManagerBuilder;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.springframework.security.config.annotation.authentication.configurers.mfa.MultiFactorAuthenticationProviderConfigurer.multiFactorAuthenticationProvider;
+
+public class MultiFactorAuthenticationProviderConfigurerTests {
+
+	@Test
+	public void test(){
+		AuthenticationProvider delegatedAuthenticationProvider = mock(AuthenticationProvider.class);
+		MFATokenEvaluator mfaTokenEvaluator = mock(MFATokenEvaluator.class);
+		MultiFactorAuthenticationProviderConfigurer configurer
+				= multiFactorAuthenticationProvider(delegatedAuthenticationProvider);
+		configurer.mfaTokenEvaluator(mfaTokenEvaluator);
+		ProviderManagerBuilder providerManagerBuilder = mock(ProviderManagerBuilder.class);
+		configurer.configure(providerManagerBuilder);
+		ArgumentCaptor<AuthenticationProvider> argumentCaptor = ArgumentCaptor.forClass(AuthenticationProvider.class);
+		verify(providerManagerBuilder).authenticationProvider(argumentCaptor.capture());
+		MultiFactorAuthenticationProvider authenticationProvider = (MultiFactorAuthenticationProvider)argumentCaptor.getValue();
+
+		assertThat(authenticationProvider.getAuthenticationProvider()).isEqualTo(delegatedAuthenticationProvider);
+		assertThat(authenticationProvider.getMFATokenEvaluator()).isEqualTo(mfaTokenEvaluator);
+	}
+}

core/src/main/java/org/springframework/security/authentication/MFATokenEvaluator.java

@@ -36,4 +36,16 @@ public interface MFATokenEvaluator {
 	 * in the middle of multi factor authentication process, <code>false</code> otherwise
 	 */
 	boolean isMultiFactorAuthentication(Authentication authentication);
+
+	/**
+	 * Indicates whether the principal associated with the <code>Authentication</code>
+	 * token is allowed to login with only single factor.
+	 *
+	 * @param authentication to test (may be <code>null</code> in which case the method
+	 * will always return <code>false</code>)
+	 *
+	 * @return <code>true</code> the principal associated with thepassed authentication
+	 * token is allowed to login with only single factor, <code>false</code> otherwise
+	 */
+	boolean isSingleFactorAuthenticationAllowed(Authentication authentication);
 }

core/src/main/java/org/springframework/security/authentication/MFATokenEvaluatorImpl.java

@@ -17,6 +17,7 @@
 package org.springframework.security.authentication;
 
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.userdetails.MFAUserDetails;
 
 /**
  * Basic implementation of {@link MFATokenEvaluator}.
@@ -32,8 +33,7 @@
 public class MFATokenEvaluatorImpl implements MFATokenEvaluator {
 
 	private Class<? extends Authentication> multiFactorClass = MultiFactorAuthenticationToken.class;
-
-	Class<? extends Authentication> getMultiFactorClass() { return multiFactorClass; }
+	private boolean singleFactorAuthenticationAllowed = true;
 
 	@Override
 	public boolean isMultiFactorAuthentication(Authentication authentication) {
@@ -44,6 +44,33 @@ public boolean isMultiFactorAuthentication(Authentication authentication) {
 		return multiFactorClass.isAssignableFrom(authentication.getClass());
 	}
 
+	@Override
+	public boolean isSingleFactorAuthenticationAllowed(Authentication authentication) {
+		if(singleFactorAuthenticationAllowed && authentication.getPrincipal() instanceof MFAUserDetails){
+			MFAUserDetails webAuthnUserDetails = (MFAUserDetails) authentication.getPrincipal();
+			return webAuthnUserDetails.isSingleFactorAuthenticationAllowed();
+		}
+		return false;
+	}
+
+	Class<? extends Authentication> getMultiFactorClass() { return multiFactorClass; }
+
 	public void setMultiFactorClass(Class<? extends Authentication> multiFactorClass) {this.multiFactorClass = multiFactorClass; }
 
+	/**
+	 * Check if single factor authentication is allowed
+	 * @return true if single factor authentication is allowed
+	 */
+	public boolean isSingleFactorAuthenticationAllowed() {
+		return singleFactorAuthenticationAllowed;
+	}
+
+	/**
+	 * Set single factor authentication is allowed
+	 * @param singleFactorAuthenticationAllowed true if single factor authentication is allowed
+	 */
+	public void setSingleFactorAuthenticationAllowed(boolean singleFactorAuthenticationAllowed) {
+		this.singleFactorAuthenticationAllowed = singleFactorAuthenticationAllowed;
+	}
+
 }

core/src/main/java/org/springframework/security/authentication/MultiFactorAuthenticationProvider.java

@@ -0,0 +1,94 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authentication;
+
+import org.springframework.context.support.MessageSourceAccessor;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.SpringSecurityMessageSource;
+import org.springframework.util.Assert;
+
+import java.util.Collections;
+
+/**
+ * An {@link AuthenticationProvider} implementation for the first factor(step) of multi factor authentication.
+ * Authentication itself is delegated to another {@link AuthenticationProvider}.
+ */
+public class MultiFactorAuthenticationProvider implements AuthenticationProvider {
+
+
+    // ~ Instance fields
+    // ================================================================================================
+    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
+
+    /**
+     * {@link AuthenticationProvider} to be delegated
+     */
+    private AuthenticationProvider authenticationProvider;
+    private MFATokenEvaluator mfaTokenEvaluator;
+
+    /**
+     * Constructor
+     * @param authenticationProvider {@link AuthenticationProvider} to be delegated
+     */
+    public MultiFactorAuthenticationProvider(AuthenticationProvider authenticationProvider, MFATokenEvaluator mfaTokenEvaluator) {
+        Assert.notNull(authenticationProvider, "authenticationProvider must be set");
+		Assert.notNull(mfaTokenEvaluator, "mfaTokenEvaluator must be set");
+        this.authenticationProvider = authenticationProvider;
+        this.mfaTokenEvaluator = mfaTokenEvaluator;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Authentication authenticate(Authentication authentication) {
+        if (!supports(authentication.getClass())) {
+            throw new IllegalArgumentException("Not supported AuthenticationToken " + authentication.getClass() + " was attempted");
+        }
+
+        Authentication result = authenticationProvider.authenticate(authentication);
+
+        if(mfaTokenEvaluator.isSingleFactorAuthenticationAllowed(result)){
+            return result;
+        }
+
+        return new MultiFactorAuthenticationToken(
+                result.getPrincipal(),
+                result.getCredentials(),
+                Collections.emptyList() // result.getAuthorities() is not used as not to inherit authorities from result
+        );
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return authenticationProvider.supports(authentication);
+    }
+
+	/**
+	 * {@link AuthenticationProvider} to be delegated
+	 */
+	public AuthenticationProvider getAuthenticationProvider() {
+		return authenticationProvider;
+	}
+
+	public MFATokenEvaluator getMFATokenEvaluator() {
+		return mfaTokenEvaluator;
+	}
+}

core/src/main/java/org/springframework/security/core/userdetails/MFAUserDetails.java

@@ -0,0 +1,7 @@
+package org.springframework.security.core.userdetails;
+
+public interface MFAUserDetails extends UserDetails {
+
+	boolean isSingleFactorAuthenticationAllowed();
+
+}

core/src/test/java/org/springframework/security/authentication/MultiFactorAuthenticationProviderTests.java

@@ -0,0 +1,70 @@
+package org.springframework.security.authentication;
+
+
+import org.junit.Test;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.MFAUserDetails;
+
+import java.util.Collections;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class MultiFactorAuthenticationProviderTests {
+
+	@Test
+	public void authenticate_with_singleFactorAuthenticationAllowedOption_false_test(){
+		AuthenticationProvider delegatedAuthenticationProvider = mock(AuthenticationProvider.class);
+		MFAUserDetails userDetails = mock(MFAUserDetails.class);
+		when(userDetails.isSingleFactorAuthenticationAllowed()).thenReturn(true);
+		UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(userDetails, null, Collections.emptyList());
+		authenticationToken.setDetails(userDetails);
+		when(delegatedAuthenticationProvider.supports(any())).thenReturn(true);
+		when(delegatedAuthenticationProvider.authenticate(any()))
+				.thenReturn(new UsernamePasswordAuthenticationToken(
+						"principal",
+						"credentials",
+						Collections.singletonList(new SimpleGrantedAuthority("ROLE_DUMMY"))
+				));
+
+		MultiFactorAuthenticationProvider provider = new MultiFactorAuthenticationProvider(delegatedAuthenticationProvider, new MFATokenEvaluatorImpl());
+		Authentication result = provider.authenticate(new UsernamePasswordAuthenticationToken("dummy", "dummy"));
+
+		assertThat(result).isInstanceOf(MultiFactorAuthenticationToken.class);
+		assertThat(result.getPrincipal()).isEqualTo("principal");
+		assertThat(result.getCredentials()).isEqualTo("credentials");
+		assertThat(result.getAuthorities()).isEmpty();
+
+	}
+
+	@Test
+	public void authenticate_with_singleFactorAuthenticationAllowedOption_true_test(){
+		AuthenticationProvider delegatedAuthenticationProvider = mock(AuthenticationProvider.class);
+		MFAUserDetails userDetails = mock(MFAUserDetails.class);
+		when(userDetails.isSingleFactorAuthenticationAllowed()).thenReturn(true);
+		UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(userDetails, null, Collections.emptyList());
+		authenticationToken.setDetails(userDetails);
+		when(delegatedAuthenticationProvider.supports(any())).thenReturn(true);
+		when(delegatedAuthenticationProvider.authenticate(any()))
+				.thenReturn(authenticationToken);
+
+		MultiFactorAuthenticationProvider provider = new MultiFactorAuthenticationProvider(delegatedAuthenticationProvider, new MFATokenEvaluatorImpl());
+		Authentication result = provider.authenticate(new UsernamePasswordAuthenticationToken("dummy", "dummy"));
+
+		assertThat(result).isInstanceOf(UsernamePasswordAuthenticationToken.class);
+		assertThat(result).isEqualTo(result);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void authenticate_with_invalid_AuthenticationToken_test(){
+		AuthenticationProvider delegatedAuthenticationProvider = mock(AuthenticationProvider.class);
+		when(delegatedAuthenticationProvider.supports(any())).thenReturn(false);
+
+		MultiFactorAuthenticationProvider provider = new MultiFactorAuthenticationProvider(delegatedAuthenticationProvider, new MFATokenEvaluatorImpl());
+		provider.authenticate(new TestingAuthenticationToken("dummy", "dummy"));
+	}
+
+}