cameleer/cameleer-saas
2
0
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: expand MfaEnforcementFilter for vendor policy and passkey checks

Browse Source 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-27 08:48:09 +02:00
parent b3104dc410
commit 89c83ec7b8
1 changed files with 83 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
src/main/java/net/siegeln/cameleer/saas/config/MfaEnforcementFilter.java
View File

@@ -6,6 +6,7 @@ import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse; import jakarta.servlet.http.HttpServletResponse;
import net.siegeln.cameleer.saas.tenant.TenantService; import net.siegeln.cameleer.saas.tenant.TenantService;
import net.siegeln.cameleer.saas.vendor.VendorAuthPolicyRepository;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
@@ -23,26 +24,34 @@ import java.util.Set;
public class MfaEnforcementFilter extends OncePerRequestFilter { public class MfaEnforcementFilter extends OncePerRequestFilter {
private static final Logger log = LoggerFactory.getLogger(MfaEnforcementFilter.class); private static final Logger log = LoggerFactory.getLogger(MfaEnforcementFilter.class);
private static final String ERROR_CODE = "APP_MFA_REQUIRED";
private static final Set<String> EXEMPT_PREFIXES = Set.of( private static final Set<String> EXEMPT_PREFIXES = Set.of(
"/api/tenant/mfa/", "/api/tenant/mfa/",
"/api/config", "/api/config",
"/api/me", "/api/me",
"/api/onboarding" "/api/onboarding",
"/api/vendor/auth-policy",
"/api/tenant/auth-settings"
); );
private final TenantService tenantService; private final TenantService tenantService;
private final VendorAuthPolicyRepository vendorPolicyRepo;
private final ObjectMapper objectMapper; private final ObjectMapper objectMapper;
public MfaEnforcementFilter(TenantService tenantService, ObjectMapper objectMapper) { public MfaEnforcementFilter(TenantService tenantService,
VendorAuthPolicyRepository vendorPolicyRepo,
ObjectMapper objectMapper) {
this.tenantService = tenantService; this.tenantService = tenantService;
this.vendorPolicyRepo = vendorPolicyRepo;
this.objectMapper = objectMapper; this.objectMapper = objectMapper;
} }
@Override @Override
protected boolean shouldNotFilter(HttpServletRequest request) { protected boolean shouldNotFilter(HttpServletRequest request) {
String path = request.getServletPath(); String path = request.getServletPath();
if (!path.startsWith("/api/tenant/")) return true; boolean isProtected = path.startsWith("/api/tenant/")
|| path.startsWith("/api/vendor/")
|| path.startsWith("/api/portal/");
if (!isProtected) return true;
return EXEMPT_PREFIXES.stream().anyMatch(path::startsWith); return EXEMPT_PREFIXES.stream().anyMatch(path::startsWith);
} }
@@ -57,15 +66,46 @@ public class MfaEnforcementFilter extends OncePerRequestFilter {
} }
Jwt jwt = jwtAuth.getToken(); Jwt jwt = jwtAuth.getToken();
Boolean mfaEnrolled = jwt.getClaim("mfa_enrolled"); String path = request.getServletPath();
if (Boolean.TRUE.equals(mfaEnrolled)) { if (path.startsWith("/api/vendor/") || path.startsWith("/api/portal/")) {
enforceVendorPolicy(jwt, request, response, filterChain);
} else if (path.startsWith("/api/tenant/")) {
enforceTenantPolicy(jwt, request, response, filterChain);
} else {
filterChain.doFilter(request, response); filterChain.doFilter(request, response);
}
}
private void enforceVendorPolicy(Jwt jwt, HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
var policy = vendorPolicyRepo.getPolicy();
Boolean mfaEnrolled = jwt.getClaim("mfa_enrolled");
Boolean passkeyEnrolled = jwt.getClaim("passkey_enrolled");
if ("required".equals(policy.getMfaMode()) && !Boolean.TRUE.equals(mfaEnrolled)) {
log.info("MFA enforcement (vendor): blocking user {} — vendor policy requires MFA", jwt.getSubject());
writeError(response, "APP_MFA_REQUIRED", "mfa_enrollment_required",
"Platform authentication policy requires multi-factor authentication");
return; return;
} }
// TenantIsolationInterceptor runs after filters, so TenantContext is not populated yet. if (policy.isPasskeyEnabled() && "required".equals(policy.getPasskeyMode())
// Resolve the tenant directly from the JWT organization_id claim. && !Boolean.TRUE.equals(passkeyEnrolled)) {
log.info("Passkey enforcement (vendor): blocking user {} — vendor policy requires passkey", jwt.getSubject());
writeError(response, "APP_PASSKEY_REQUIRED", "passkey_enrollment_required",
"Platform authentication policy requires a passkey");
return;
}
filterChain.doFilter(request, response);
}
private void enforceTenantPolicy(Jwt jwt, HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
Boolean mfaEnrolled = jwt.getClaim("mfa_enrolled");
Boolean passkeyEnrolled = jwt.getClaim("passkey_enrolled");
String orgId = jwt.getClaimAsString("organization_id"); String orgId = jwt.getClaimAsString("organization_id");
if (orgId == null) { if (orgId == null) {
filterChain.doFilter(request, response); filterChain.doFilter(request, response);
@@ -73,19 +113,48 @@ public class MfaEnforcementFilter extends OncePerRequestFilter {
} }
var tenant = tenantService.getByLogtoOrgId(orgId).orElse(null); var tenant = tenantService.getByLogtoOrgId(orgId).orElse(null);
if (tenant == null || !Boolean.TRUE.equals(tenant.getSettings().get("mfaRequired"))) { if (tenant == null) {
filterChain.doFilter(request, response); filterChain.doFilter(request, response);
return; return;
} }
Map<String, Object> settings = tenant.getSettings() != null ? tenant.getSettings() : Map.of();
String mfaMode = settings.containsKey("mfaMode")
? String.valueOf(settings.get("mfaMode"))
: (Boolean.TRUE.equals(settings.get("mfaRequired")) ? "required" : "off");
if ("required".equals(mfaMode) && !Boolean.TRUE.equals(mfaEnrolled)) {
log.info("MFA enforcement: blocking user {} — tenant {} requires MFA", jwt.getSubject(), tenant.getSlug()); log.info("MFA enforcement: blocking user {} — tenant {} requires MFA", jwt.getSubject(), tenant.getSlug());
writeError(response, "APP_MFA_REQUIRED", "mfa_enrollment_required",
"Your organization requires multi-factor authentication");
return;
}
boolean passkeyEnabled = Boolean.TRUE.equals(settings.get("passkeyEnabled"));
String passkeyMode = settings.containsKey("passkeyMode")
? String.valueOf(settings.get("passkeyMode"))
: "optional";
if (passkeyEnabled && "required".equals(passkeyMode) && !Boolean.TRUE.equals(passkeyEnrolled)) {
log.info("Passkey enforcement: blocking user {} — tenant {} requires passkey", jwt.getSubject(), tenant.getSlug());
writeError(response, "APP_PASSKEY_REQUIRED", "passkey_enrollment_required",
"Your organization requires a passkey");
return;
}
filterChain.doFilter(request, response);
}
private void writeError(HttpServletResponse response, String errorCode, String code, String message)
throws IOException {
response.setStatus(HttpServletResponse.SC_FORBIDDEN); response.setStatus(HttpServletResponse.SC_FORBIDDEN);
response.setContentType(MediaType.APPLICATION_JSON_VALUE); response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.setHeader("X-Cameleer-Error", ERROR_CODE); response.setHeader("X-Cameleer-Error", errorCode);
objectMapper.writeValue(response.getOutputStream(), Map.of( objectMapper.writeValue(response.getOutputStream(), Map.of(
"error", ERROR_CODE, "error", errorCode,
"code", "mfa_enrollment_required", "code", code,
"message", "Your organization requires multi-factor authentication" "message", message
)); ));
} }
} }