MID-11049 implementation for otp, not working yet, no otp setup

Author: 1azyman

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/login/module/PageOtpCode.html

@@ -24,7 +24,5 @@
 
         <div wicket:id="csrfField"/>
     </form>
-
 </wicket:extend>
-
 </html>

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/login/module/PageOtpCode.java

@@ -8,10 +8,10 @@
 
 import java.io.Serial;
 
-import com.evolveum.midpoint.authentication.api.util.AuthenticationModuleNameConstants;
-
+import org.apache.wicket.markup.html.form.NumberTextField;
 import org.apache.wicket.markup.html.form.TextField;
 import org.apache.wicket.model.IModel;
+import org.apache.wicket.validation.ValidatorAdapter;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 
@@ -20,6 +20,7 @@
 import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
 import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication;
 import com.evolveum.midpoint.authentication.api.util.AuthUtil;
+import com.evolveum.midpoint.authentication.api.util.AuthenticationModuleNameConstants;
 import com.evolveum.midpoint.web.component.form.MidpointForm;
 import com.evolveum.midpoint.web.component.util.EnableBehaviour;
 
@@ -29,38 +30,43 @@
         },
         permitAll = true,
         loginPage = true,
-authModule = AuthenticationModuleNameConstants.OTP)
-//TODO ModuleAuthentication because it might be either credentials or ldap module authentication
+        authModule = AuthenticationModuleNameConstants.OTP)
+@SuppressWarnings("unused")
 public class PageOtpCode extends PageAbstractAuthenticationModule<ModuleAuthentication> {
 
     @Serial private static final long serialVersionUID = 1L;
 
-    private static final String ID_CODE = "code";
+    private static final String DEFAULT_FORM_URL = "./spring_security_login";
+    private static final String OTP_FORM_URL = "/otp_verify";
 
-    public PageOtpCode() {
-        super(null);
-    }
+    private static final String ID_CODE = "code";
 
     @Override
     protected void initModuleLayout(MidpointForm form) {
         TextField<String> code = new TextField<>(ID_CODE);
         code.add(new EnableBehaviour(() -> searchUser() != null));
+        // todo range validator
         form.add(code);
     }
 
     protected String getUrlProcessingLogin() {
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
         if (!(authentication instanceof MidpointAuthentication mpa)) {
-            return "./spring_security_login";
+            return DEFAULT_FORM_URL;
         }
 
         ModuleAuthentication moduleAuthentication = mpa.getProcessingModuleAuthentication();
         if (isModuleApplicable(moduleAuthentication)) {
             String prefix = moduleAuthentication.getPrefix();
-            return AuthUtil.stripSlashes(prefix) + "/spring_security_login";
+            return AuthUtil.stripSlashes(prefix) + OTP_FORM_URL;
         }
 
-        return "./spring_security_login";
+        return DEFAULT_FORM_URL;
+    }
+
+    @Override
+    protected boolean isModuleApplicable(ModuleAuthentication moduleAuthentication) {
+        return AuthenticationModuleNameConstants.OTP.equals(moduleAuthentication.getModuleTypeName());
     }
 
     @Override
@@ -77,14 +83,14 @@ protected IModel<String> getDefaultLoginPanelDescriptionModel() {
 
     private boolean severalLoginFormModulesExist() {
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-        if (authentication instanceof MidpointAuthentication mpAuthentication) {
-            int loginFormModulesCount = (int) mpAuthentication.getAuthModules()
-                    .stream()
-                    .filter(module -> module != null && isModuleApplicable(module.getBaseModuleAuthentication()))
-                    .count();
-            return loginFormModulesCount > 1;
+        if (!(authentication instanceof MidpointAuthentication ma)) {
+            return false;
         }
-        return false;
+
+        int loginFormModulesCount = (int) ma.getAuthModules().stream()
+                .filter(module -> module != null && isModuleApplicable(module.getBaseModuleAuthentication()))
+                .count();
+        return loginFormModulesCount > 1;
     }
 
     private String getProcessingModuleName() {

infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd

@@ -2460,20 +2460,20 @@
                 </xsd:annotation>
             </xsd:element>
             <xsd:element name="attributeVerification" type="tns:AttributeVerificationCredentialsType" minOccurs="0" />
-            <xsd:element name="otp" type="tns:OtpCredentialsType" minOccurs="0" maxOccurs="unbounded"/>
+            <xsd:element name="otps" type="tns:OtpCredentialsType" minOccurs="0"/>
             <!-- More credential types may be here, such as OTP seeds, X.509 credentials, etc. -->
         </xsd:sequence>
         <xsd:attribute name="id" type="xsd:long"/>
     </xsd:complexType>
     <xsd:element name="credentials" type="tns:CredentialsType"/>
 
-    <xsd:complexType name="OtpCredentialsType">
+    <xsd:complexType name="OtpCredentialType">
         <xsd:annotation>
             <xsd:documentation>
                 <!-- todo -->
             </xsd:documentation>
             <xsd:appinfo>
-                <a:since>4.10</a:since>
+                <a:since>4.11</a:since>
                 <a:container/>
             </xsd:appinfo>
         </xsd:annotation>
@@ -2508,6 +2508,25 @@
         </xsd:complexContent>
     </xsd:complexType>
 
+    <xsd:complexType name="OtpCredentialsType">
+        <xsd:annotation>
+            <xsd:documentation>
+                <!-- todo -->
+            </xsd:documentation>
+            <xsd:appinfo>
+                <a:since>4.11</a:since>
+                <a:container/>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:complexContent>
+            <xsd:extension base="tns:AbstractCredentialType">
+                <xsd:sequence>
+                    <xsd:element name="otp" type="tns:OtpCredentialType" minOccurs="0" maxOccurs="unbounded"/>
+                </xsd:sequence>
+            </xsd:extension>
+        </xsd:complexContent>
+    </xsd:complexType>
+
     <xsd:complexType name="BehaviorType">
         <xsd:annotation>
             <xsd:documentation>

infra/schema/src/main/resources/xml/ns/public/common/common-security-3.xsd

@@ -2373,6 +2373,7 @@
                 </xsd:annotation>
             </xsd:element>
             <xsd:element name="attributeVerification" type="tns:AttributeVerificationCredentialsPolicyType" minOccurs="0"/>
+            <xsd:element name="otp" type="tns:OtpCredentialsPolicyType" minOccurs="0"/>
             <!-- More credential types may come here in the future. -->
         </xsd:sequence>
         <xsd:attribute name="id" type="xsd:long"/>

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/otp/OtpAuthenticationContext.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2010-2026 Evolveum and contributors
+ *
+ * Licensed under the EUPL-1.2 or later.
+ */
+
+package com.evolveum.midpoint.authentication.impl.otp;
+
+import java.util.List;
+
+import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
+import com.evolveum.midpoint.authentication.api.evaluator.context.AbstractAuthenticationContext;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.OtpCredentialsPolicyType;
+
+public class OtpAuthenticationContext extends AbstractAuthenticationContext {
+
+    private final Integer code;
+
+    private OtpCredentialsPolicyType policy;
+
+    public OtpAuthenticationContext(
+            String username,
+            Class<? extends FocusType> principalType,
+            Integer code,
+            List<ObjectReferenceType> requireAssignment,
+            AuthenticationChannel channel) {
+
+        super(username, principalType, requireAssignment, channel);
+
+        this.code = code;
+    }
+
+    @Override
+    public Integer getEnteredCredential() {
+        return getCode();
+    }
+
+    public Integer getCode() {
+        return code;
+    }
+
+    public OtpCredentialsPolicyType getPolicy() {
+        return policy;
+    }
+
+    public void setPolicy(OtpCredentialsPolicyType policy) {
+        this.policy = policy;
+    }
+}

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/otp/OtpAuthenticationEvaluator.java

@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 2010-2026 Evolveum and contributors
+ *
+ * Licensed under the EUPL-1.2 or later.
+ */
+
+package com.evolveum.midpoint.authentication.impl.otp;
+
+import java.util.List;
+
+import org.jetbrains.annotations.NotNull;
+import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+
+import com.evolveum.midpoint.authentication.api.util.AuthUtil;
+import com.evolveum.midpoint.authentication.impl.evaluator.CredentialsAuthenticationEvaluatorImpl;
+import com.evolveum.midpoint.security.api.ConnectionEnvironment;
+import com.evolveum.midpoint.security.api.MidPointPrincipal;
+import com.evolveum.midpoint.security.api.SecurityUtil;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
+
+@Component
+public class OtpAuthenticationEvaluator
+        extends CredentialsAuthenticationEvaluatorImpl<OtpCredentialsType, OtpAuthenticationContext> {
+
+    @Override
+    protected void checkEnteredCredentials(ConnectionEnvironment env, OtpAuthenticationContext ctx) {
+        if (ctx.getEnteredCredential() == null) {
+            recordModuleAuthenticationFailure(ctx.getUsername(), null, env, null, "empty otp code provided");
+            throw new BadCredentialsException(AuthUtil.generateBadCredentialsMessageKey(SecurityContextHolder.getContext().getAuthentication()));
+        }
+    }
+
+    @Override
+    protected boolean supportsAuthzCheck() {
+        return true;
+    }
+
+    @Override
+    protected OtpCredentialsType getCredential(CredentialsType credentials) {
+        return credentials.getOtps();
+    }
+
+    @Override
+    protected void validateCredentialNotNull(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal, OtpCredentialsType credentials) {
+        List<OtpCredentialType> securityQuestionsAnswers = credentials.getOtp();
+
+        if (securityQuestionsAnswers == null || securityQuestionsAnswers.isEmpty()) {
+            recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "no stored security questions");
+            throw new AuthenticationCredentialsNotFoundException("web.security.provider.securityQuestion.bad");
+        }
+    }
+
+    @Override
+    protected boolean passwordMatches(
+            ConnectionEnvironment env,
+            @NotNull MidPointPrincipal principal,
+            OtpCredentialsType otpCredentials,
+            OtpAuthenticationContext ctx) {
+
+        if (otpCredentials == null) {
+            return false;
+        }
+
+        final Integer code = ctx.getEnteredCredential();
+        if (code == null) {
+            return false;
+        }
+
+        OtpService service; // todo initialize service
+
+        for (OtpCredentialType otp : otpCredentials.getOtp()) {
+            ProtectedStringType secret = otp.getSecret();
+            if (secret == null) {
+                return false;
+            }
+
+//            service.verifyCode(secret, )
+        }
+
+        return false;
+    }
+
+    @Override
+    protected CredentialPolicyType getEffectiveCredentialPolicy(SecurityPolicyType securityPolicy, OtpAuthenticationContext ctx) {
+        OtpCredentialsPolicyType policy = ctx.getPolicy();
+        if (policy == null) {
+            policy = SecurityUtil.getEffectiveOtpCredentialsPolicy(securityPolicy);
+        }
+        ctx.setPolicy(policy);
+        return policy;
+    }
+
+    @Override
+    protected boolean supportsActivation() {
+        return true;
+    }
+}