
fp oauth username injection

Jason Rivard 8 lat temu
rodzic
commit
d473783cab

+ 1 - 1
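--- a/src/main/java/password/pwm/AppProperty.java
+++ b/src/main/java/password/pwm/AppProperty.java
@@ -29,7 +29,7 @@ import java.util.ResourceBundle;
  * by an associated {@code AppProperty.properties} file.  Properties can be overridden by the application administrator in
  * the configuration using the setting {@link password.pwm.config.PwmSetting#APP_PROPERTY_OVERRIDES}.
  */
-public enum AppProperty {
+public enum     AppProperty {
 
     APPLICATION_FILELOCK_FILENAME                   ("application.fileLock.filename"),
     APPLICATION_FILELOCK_WAIT_SECONDS               ("application.fileLock.waitSeconds"),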

+ 2 - 0
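--- a/src/main/java/password/pwm/config/PwmSetting.java
+++ b/src/main/java/password/pwm/config/PwmSetting.java
@@ -746,6 +746,8 @@ public enum PwmSetting {
             "recovery.oauth.idserver.secret", PwmSettingSyntax.PASSWORD, PwmSettingCategory.RECOVERY_OAUTH),
     RECOVERY_OAUTH_ID_DN_ATTRIBUTE_NAME(
             "recovery.oauth.idserver.dnAttributeName", PwmSettingSyntax.STRING, PwmSettingCategory.RECOVERY_OAUTH),
+    RECOVERY_OAUTH_ID_USERNAME_SEND_VALUE(
+            "recovery.oauth.idserver.usernameSendValue", PwmSettingSyntax.STRING, PwmSettingCategory.RECOVERY_OAUTH),
 
 
     // forgotten username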

+ 1 - 1
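--- a/src/main/java/password/pwm/http/filter/AuthenticationFilter.java
+++ b/src/main/java/password/pwm/http/filter/AuthenticationFilter.java
@@ -555,7 +555,7 @@ public class AuthenticationFilter extends AbstractPwmFilter {
 
             final String originalURL = pwmRequest.getURLwithQueryString();
             final OAuthMachine oAuthMachine = new OAuthMachine(oauthSettings);
-            oAuthMachine.redirectUserToOAuthServer(pwmRequest, originalURL, null);
+            oAuthMachine.redirectUserToOAuthServer(pwmRequest, originalURL, null,null);
             redirected = true;
         }
 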

+ 3 - 2
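--- a/src/main/java/password/pwm/http/servlet/forgottenpw/ForgottenPasswordServlet.java
+++ b/src/main/java/password/pwm/http/servlet/forgottenpw/ForgottenPasswordServlet.java
@@ -63,7 +63,6 @@ import password.pwm.http.PwmSession;
 import password.pwm.http.bean.ForgottenPasswordBean;
 import password.pwm.http.filter.AuthenticationFilter;
 import password.pwm.http.servlet.AbstractPwmServlet;
-import password.pwm.util.CaptchaUtility;
 import password.pwm.http.servlet.PwmServletDefinition;
 import password.pwm.http.servlet.oauth.OAuthForgottenPasswordResults;
 import password.pwm.http.servlet.oauth.OAuthMachine;
@@ -85,6 +84,7 @@ import password.pwm.svc.stats.StatisticsManager;
 import password.pwm.svc.token.TokenPayload;
 import password.pwm.svc.token.TokenService;
 import password.pwm.svc.token.TokenType;
+import password.pwm.util.CaptchaUtility;
 import password.pwm.util.Helper;
 import password.pwm.util.JsonUtil;
 import password.pwm.util.PasswordData;
@@ -1680,7 +1680,8 @@ public class ForgottenPasswordServlet extends AbstractPwmServlet {
                 final OAuthSettings oAuthSettings = OAuthSettings.forForgottenPassword(forgottenPasswordProfile);
                 final OAuthMachine oAuthMachine = new OAuthMachine(oAuthSettings);
                 pwmRequest.getPwmApplication().getSessionStateService().saveSessionBeans(pwmRequest);
-                oAuthMachine.redirectUserToOAuthServer(pwmRequest, null, forgottenPasswordProfile.getIdentifier());
+                final UserIdentity userIdentity = forgottenPasswordBean.getUserIdentity();
+                oAuthMachine.redirectUserToOAuthServer(pwmRequest, null, userIdentity, forgottenPasswordProfile.getIdentifier());
                 break;
 
 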

+ 6 - 5
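--- a/src/main/java/password/pwm/http/servlet/oauth/OAuthConsumerServlet.java
+++ b/src/main/java/password/pwm/http/servlet/oauth/OAuthConsumerServlet.java
@@ -119,7 +119,7 @@ public class OAuthConsumerServlet extends AbstractPwmServlet {
         {
             final String oauthRequestError = pwmRequest.readParameterAsString("error");
             if (oauthRequestError != null && !oauthRequestError.isEmpty()) {
-                final String errorMsg = "error detected from oauth request parameter: " + oauthRequestError;
+                final String errorMsg = "incoming request from remote oauth server is indicating an error: " + oauthRequestError;
                 final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_OAUTH_ERROR, errorMsg, "Remote Error: " + oauthRequestError, null);
                 LOGGER.error(pwmSession, errorMsg);
                 pwmRequest.respondWithError(errorInformation);
@@ -163,29 +163,30 @@ public class OAuthConsumerServlet extends AbstractPwmServlet {
         final OAuthMachine oAuthMachine = new OAuthMachine(oAuthSettings);
 
         // make sure request was initiated in users current session
-        /*
         if (!oAuthRequestState.get().isSessionMatch()) {
             try{
                 switch (oAuthUseCaseCase) {
                     case Authentication:
                         LOGGER.debug(pwmSession, "oauth consumer reached but response is not for a request issued during the current session, will redirect back to oauth server for verification update");
                         final String nextURL = oauthState.getNextUrl();
-                        oAuthMachine.redirectUserToOAuthServer(pwmRequest, nextURL, null);
+                        oAuthMachine.redirectUserToOAuthServer(pwmRequest, nextURL, null, null);
                         return;
 
                     case ForgottenPassword:
                         LOGGER.debug(pwmSession, "oauth consumer reached but response is not for a request issued during the current session, will redirect back to forgotten password servlet");
                         pwmRequest.sendRedirect(PwmServletDefinition.ForgottenPassword);
                         return;
+
+                    default:
+                        Helper.unhandledSwitchStatement(oAuthUseCaseCase);
                 }
             } catch (PwmUnrecoverableException e) {
                 final String errorMsg = "unexpected error redirecting user to oauth page: " + e.toString();
-                ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_UNKNOWN, errorMsg);
+                final ErrorInformation errorInformation = new ErrorInformation(PwmError.ERROR_OAUTH_ERROR, errorMsg);
                 pwmRequest.setResponseError(errorInformation);
                 LOGGER.error(errorInformation.toDebugStr());
             }
         }
-        */
 
         final String requestCodeStr = pwmRequest.readParameterAsString(config.readAppProperty(AppProperty.HTTP_PARAM_OAUTH_CODE));
         LOGGER.trace(pwmSession,"received code from oauth server: " + requestCodeStr);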
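Review bot: With the session-match block re-enabled in the second hunk, the `catch (PwmUnrecoverableException e)` branch only calls `setResponseError` and logs, after which execution continues into the authorization-code handling below, so a response that was not issued for the current session still appears to be processed when the redirect fails. Adding `return;` after `LOGGER.error(errorInformation.toDebugStr());` would make the check fail closed; the same applies to the new `default:` arm unless `Helper.unhandledSwitchStatement` always throws, which is not visible here. In the first hunk the remote `error` request parameter is still concatenated unmodified into both the log line and the user-facing message; since that value comes from the incoming request, I would length-limit it and strip control characters before logging. The enclosing method starts and ends outside these hunks.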

+ 57 - 0
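--- a/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
+++ b/src/main/java/password/pwm/http/servlet/oauth/OAuthMachine.java
@@ -31,6 +31,7 @@ import org.apache.http.util.EntityUtils;
 import password.pwm.AppProperty;
 import password.pwm.PwmConstants;
 import password.pwm.bean.LoginInfoBean;
+import password.pwm.bean.UserIdentity;
 import password.pwm.config.Configuration;
 import password.pwm.config.PwmSetting;
 import password.pwm.error.ErrorInformation;
@@ -44,16 +45,20 @@ import password.pwm.http.client.PwmHttpClientConfiguration;
 import password.pwm.http.servlet.PwmServletDefinition;
 import password.pwm.util.BasicAuthInfo;
 import password.pwm.util.JsonUtil;
+import password.pwm.util.StringUtil;
 import password.pwm.util.TimeDuration;
 import password.pwm.util.logging.PwmLogger;
+import password.pwm.util.macro.MacroMachine;
 
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 
@@ -89,6 +94,7 @@ public class OAuthMachine {
     public void redirectUserToOAuthServer(
             final PwmRequest pwmRequest,
             final String nextUrl,
+            final UserIdentity userIdentity,
             final String forgottenPasswordProfile
     )
             throws PwmUnrecoverableException, IOException
@@ -108,6 +114,13 @@ public class OAuthMachine {
         urlParams.put(config.readAppProperty(AppProperty.HTTP_PARAM_OAUTH_STATE),state);
         urlParams.put(config.readAppProperty(AppProperty.HTTP_PARAM_OAUTH_REDIRECT_URI), redirectUri);
 
+        if (userIdentity != null) {
+            final String parametersValue = figureUsernameGrantParam(pwmRequest, userIdentity);
+            if (StringUtil.isEmpty(parametersValue)) {
+                urlParams.put("parameters", parametersValue);
+            }
+        }
+
         final String redirectUrl = PwmURL.appendAndEncodeUrlParameters(settings.getLoginURL(), urlParams);
 
         try{
@@ -402,4 +415,48 @@ public class OAuthMachine {
         final String jsonValue = JsonUtil.serialize(oAuthState);
         return pwmRequest.getPwmApplication().getSecureService().encryptToString(jsonValue);
     }
+
+    private String figureUsernameGrantParam(
+            final PwmRequest pwmRequest,
+            final UserIdentity userIdentity
+    )
+            throws IOException, PwmUnrecoverableException
+    {
+        if (userIdentity == null) {
+            return null;
+        }
+
+        final String macroText = settings.getUsernameSendValue();
+        if (StringUtil.isEmpty(macroText)) {
+            return null;
+        }
+
+        final MacroMachine macroMachine = MacroMachine.forUser(pwmRequest, userIdentity);
+        final String username = macroMachine.expandMacros(macroText);
+        LOGGER.debug(pwmRequest, "calculated username value for user as: " + username);
+
+        final String grantUrl = settings.getLoginURL();
+        final String signUrl = grantUrl.replace("/grant","/sign");
+
+        final Map<String, String> requestPayload;
+        {
+            final Map<String, String> dataPayload = new HashMap<>();
+            dataPayload.put("username", username);
+
+            final List<Map<String,String>> listWrapper = new ArrayList<>();
+            listWrapper.add(dataPayload);
+
+            requestPayload = new HashMap<>();
+            requestPayload.put("data",  JsonUtil.serializeCollection(listWrapper));
+        }
+
+        LOGGER.debug(pwmRequest, "preparing to send username to OAuth /sign endpoint for future injection to /grant redirect");
+        final RestResults restResults = makeHttpRequest(pwmRequest, "OAuth pre-inject username signing service",settings, signUrl, requestPayload);
+
+        final String resultBody = restResults.getResponseBody();
+        final Map<String,String> resultBodyMap = JsonUtil.deserializeStringMap(resultBody);
+        final String data = resultBodyMap.get("data");
+        LOGGER.debug(pwmRequest, "oauth /sign endpoint returned signed username data: " + data);
+        return data;
+    }
 }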
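Review bot: The guard added in `redirectUserToOAuthServer` is inverted: `if (StringUtil.isEmpty(parametersValue))` puts the `parameters` entry only when the signed value is null or empty (assuming `isEmpty` is null-safe, as its use on `macroText` suggests), so the signed username is never sent; it should read `if (!StringUtil.isEmpty(parametersValue)) {`. In `figureUsernameGrantParam`, `grantUrl.replace("/grant","/sign")` leaves the URL unchanged when the configured login URL has no `/grant` segment, which would post the username to the login URL itself, so a check that `signUrl` differs from `grantUrl` and fails with a configuration error otherwise would make that visible. The two debug lines write the expanded username and the blob returned by `/sign` to the log; since that blob is what the OAuth server will trust on the redirect, I would log only that a value was received. `resultBodyMap.get("data")` is also used without checking that the response parsed or contained the key.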

+ 8 - 0
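--- a/src/main/java/password/pwm/http/servlet/oauth/OAuthSettings.java
+++ b/src/main/java/password/pwm/http/servlet/oauth/OAuthSettings.java
@@ -39,6 +39,9 @@ public class OAuthSettings implements Serializable {
     private String dnAttributeName;
     private OAuthUseCase use;
     private X509Certificate[] certificates;
+    private String usernameSendValue;
+
+
 
     private OAuthSettings() {
     }
@@ -81,6 +84,10 @@ public class OAuthSettings implements Serializable {
         return certificates;
     }
 
+    public String getUsernameSendValue() {
+        return usernameSendValue;
+    }
+
     public boolean oAuthIsConfigured() {
         return (loginURL != null && !loginURL.isEmpty())
                 && (codeResolveUrl != null && !codeResolveUrl.isEmpty())
@@ -113,6 +120,7 @@ public class OAuthSettings implements Serializable {
         settings.dnAttributeName = config.readSettingAsString(PwmSetting.RECOVERY_OAUTH_ID_DN_ATTRIBUTE_NAME);
         settings.certificates = config.readSettingAsCertificate(PwmSetting.RECOVERY_OAUTH_ID_CERTIFICATE);
         settings.use = OAuthUseCase.ForgottenPassword;
+        settings.usernameSendValue = config.readSettingAsString(PwmSetting.RECOVERY_OAUTH_ID_USERNAME_SEND_VALUE);
         return settings;
     }
 }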

+ 5 - 0
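--- a/src/main/resources/password/pwm/config/PwmSetting.xml
+++ b/src/main/resources/password/pwm/config/PwmSetting.xml
@@ -2170,6 +2170,11 @@
     <setting hidden="false" key="recovery.oauth.idserver.dnAttributeName" level="2">
         <default/>
     </setting>
+    <setting hidden="false" key="recovery.oauth.idserver.usernameSendValue" level="2">
+        <flag>MacroSupport</flag>
+        <example>@LDAP:DN@</example>
+        <default/>
+    </setting>
     <setting hidden="false" key="recovery.enable" level="1">
         <default>
             <value>true</value>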

+ 2 - 0
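--- a/src/main/resources/password/pwm/i18n/PwmSetting.properties
+++ b/src/main/resources/password/pwm/i18n/PwmSetting.properties
@@ -593,6 +593,7 @@ Setting_Description_recovery.oauth.idserver.dnAttributeName=Attribute to request
 Setting_Description_recovery.oauth.idserver.loginUrl=OAuth server login URL.  This is the URL to redirect the user to for authentication.
 Setting_Description_recovery.oauth.idserver.secret=OAuth shared secret.  This value will be provided by the OAuth identity service provider.
 Setting_Description_recovery.oauth.idserver.serverCerts=Certificate for the OAuth web service server.
+Setting_Description_recovery.oauth.idserver.usernameSendValue=Username value to send as part of the /grant redirect request.  The remote OAuth server must support the /sign endpoint for this to work.   
 Setting_Description_recovery.postActions=Actions to execute after a user has successfully completed the forgotten password sequence and the user's password has been modified.  You can use macros.
 Setting_Description_recovery.profile.list=A list of forgotten password policies.  This list is evaluated in the order shown here.  The first profile in the list to match on the setting <code>@PwmSettingReference\:recovery.queryMatch@</code> will be applied to a user.<br/><br/>Unless you need to define different forgotten password behavior for different users, you do not need to change this list from the default.
 Setting_Description_recovery.queryMatch=This setting defines the set of users that this profile will be assigned to.
@@ -1066,6 +1067,7 @@ Setting_Label_recovery.oauth.idserver.dnAttributeName=OAuth User Name/DN Login A
 Setting_Label_recovery.oauth.idserver.loginUrl=OAuth Login URL
 Setting_Label_recovery.oauth.idserver.secret=OAuth Shared Secret
 Setting_Label_recovery.oauth.idserver.serverCerts=OAUTH Web Service Server Certificate
+Setting_Label_recovery.oauth.idserver.usernameSendValue=OAuth Inject Username Value
 Setting_Label_recovery.postActions=Forgotten Password Post Actions
 Setting_Label_recovery.profile.list=Forgotten Password Profile
 Setting_Label_recovery.queryMatch=Forgotten Password Profile Match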

+ 3 - 3
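--- a/src/main/webapp/public/resources/js/configeditor.js
+++ b/src/main/webapp/public/resources/js/configeditor.js
@@ -818,9 +818,9 @@ PWM_CFGEDIT.displaySettingsCategory = function(category) {
     }
     var htmlSettingBody = '';
 
-    if (category == 'LDAP_PROFILE') {
+    if (category == 'LDAP_BASE') {
         htmlSettingBody += '<div style="width: 100%; text-align: center">'
-            + '<button class="btn" id="button-test-LDAP_PROFILE"><span class="btn-icon pwm-icon pwm-icon-bolt"></span>Test LDAP Profile</button>'
+            + '<button class="btn" id="button-test-LDAP_BASE"><span class="btn-icon pwm-icon pwm-icon-bolt"></span>Test LDAP Profile</button>'
             + '</div>';
     } else if (category == 'DATABASE_SETTINGS') {
         htmlSettingBody += '<div style="width: 100%; text-align: center">'
@@ -853,7 +853,7 @@ PWM_CFGEDIT.displaySettingsCategory = function(category) {
         })(loopSetting);
     }
     if (category == 'LDAP_BASE') {
-        PWM_MAIN.addEventHandler('button-test-LDAP_PROFILE', 'click', function(){PWM_CFGEDIT.ldapHealthCheck();});
+        PWM_MAIN.addEventHandler('button-test-LDAP_BASE', 'click', function(){PWM_CFGEDIT.ldapHealthCheck();});
     } else if (category == 'DATABASE_SETTINGS') {
         PWM_MAIN.addEventHandler('button-test-DATABASE_SETTINGS', 'click', function(){PWM_CFGEDIT.databaseHealthCheck();});
     } else if (category == 'SMS_GATEWAY') {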

+ 3 - 3
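--- a/src/test/resources/password/pwm/manual/TestHelper.properties
+++ b/src/test/resources/password/pwm/manual/TestHelper.properties
@@ -23,6 +23,6 @@
 #applicationPath=/home/amb/dsk/t/test-appPath
 #localDBPath=/home/amb/dsk/t/test-appPath/LocalDB
 #configurationFile=/home/amb/dsk/t/test-appPath/PwmConfiguration.xml
-applicationPath=/home/amb/t/appPath
-localDBPath=/home/amb/t/appPath/LocalDB
-configurationFile=/home/amb/t/appPath/PwmConfiguration.xml
+applicationPath=/home/amb/t/appPath/edir
+localDBPath=/home/amb/t/appPath/edir/LocalDB
+configurationFile=/home/amb/t/appPath/edir/PwmConfiguration.xml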