) value).entrySet()) {
+ Object deserializedObj = fromJsSerializableInternal(entry.getValue(), context);
+ tempMap.putMember(entry.getKey(), deserializedObj);
+ }
+ //remove from bindings
+ context.getBindings(POLYGLOT_LANGUAGE).removeMember("_tempMap");
+ return tempMap;
+ } else if (value instanceof List) {
+ Value deserializedValue = context.eval(POLYGLOT_LANGUAGE, "[]");
+ List valueList = (List) value;
+ int listSize = valueList.size();
+ for (int index = 0; index < listSize; index++) {
+ Object deserializedObject = fromJsSerializableInternal(valueList.get(index), context);
+ deserializedValue.setArrayElement(index, deserializedObject);
+ }
+ return deserializedValue;
+ }
+ return value;
+ }
+}
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/graaljs/JsGraalGraphBuilder.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/graaljs/JsGraalGraphBuilder.java
new file mode 100644
index 000000000000..3791f4529236
--- /dev/null
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/graaljs/JsGraalGraphBuilder.java
@@ -0,0 +1,787 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.application.authentication.framework.config.model.graph.graaljs;
+
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.graalvm.polyglot.Context;
+import org.graalvm.polyglot.HostAccess;
+import org.graalvm.polyglot.PolyglotException;
+import org.graalvm.polyglot.Source;
+import org.graalvm.polyglot.Value;
+import org.wso2.carbon.identity.application.authentication.framework.AsyncProcess;
+import org.wso2.carbon.identity.application.authentication.framework.AuthenticationDecisionEvaluator;
+import org.wso2.carbon.identity.application.authentication.framework.JsFunctionRegistry;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.AuthGraphNode;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.AuthenticationGraph;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.BaseSerializableJsFunction;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.DynamicDecisionNode;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.FailNode;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.GenericSerializableJsFunction;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.JSExecutionMonitorData;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.JSExecutionSupervisor;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.JsGraphBuilder;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.LongWaitNode;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.ShowPromptNode;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.StepConfigGraphNode;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.graaljs.JsGraalAuthenticationContext;
+import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
+import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceDataHolder;
+
+import java.io.IOException;
+import java.io.Serializable;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.UUID;
+import java.util.stream.Collectors;
+import java.util.stream.IntStream;
+
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.AdaptiveAuthentication.PROP_EXECUTION_SUPERVISOR_RESULT;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.AUTHENTICATION_OPTIONS;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.AUTHENTICATOR_PARAMS;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.JS_AUTH_FAILURE;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.JS_FUNC_EXECUTE_STEP;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.JS_FUNC_LOAD_FUNC_LIB;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.JS_FUNC_ON_LOGIN_REQUEST;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.JS_FUNC_SEND_ERROR;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.JS_FUNC_SHOW_PROMPT;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.POLYGLOT_LANGUAGE;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.POLYGLOT_SOURCE;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.PROP_CURRENT_NODE;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.STEP_OPTIONS;
+
+/**
+ * Translate the authentication graph config to runtime model.
+ * This is not thread safe. Should be discarded after each build.
+ *
+ * Since Nashorn is deprecated in JDK 11 and onwards. We are introducing GraalJS engine.
+ */
+public class JsGraalGraphBuilder extends JsGraphBuilder {
+
+ private static final Log log = LogFactory.getLog(JsGraalGraphBuilder.class);
+ protected Context context;
+
+ private static final String REMOVE_FUNCTIONS = "var quit=function(){Log.error('quit function is restricted.')};" +
+ "var exit=function(){Log.error('exit function is restricted.')};" +
+ "var print=function(){Log.error('print function is restricted.')};" +
+ "var echo=function(){Log.error('echo function is restricted.')};" +
+ "var readFully=function(){Log.error('readFully function is restricted.')};" +
+ "var readLine=function(){Log.error('readLine function is restricted.')};" +
+ "var load=function(){Log.error('load function is restricted.')};" +
+ "var loadWithNewGlobal=function(){Log.error('loadWithNewGlobal function is restricted.')};" +
+ "var $ARG=null;var $ENV=null;var $EXEC=null;" +
+ "var $OPTIONS=null;var $OUT=null;var $ERR=null;var $EXIT=null;" +
+ "Object.defineProperty(this, 'engine', {});";
+
+ /**
+ * Constructs the builder with the given authentication context.
+ *
+ * @param authenticationContext current authentication context.
+ * @param stepConfigMap The Step map from the service provider configuration.
+ * @param context Polyglot Context.
+ */
+ public JsGraalGraphBuilder(AuthenticationContext authenticationContext, Map stepConfigMap,
+ Context context) {
+
+ this.authenticationContext = authenticationContext;
+ this.context = context;
+ stepNamedMap = stepConfigMap.entrySet()
+ .stream()
+ .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
+ }
+
+ /**
+ * Constructs the builder with the given authentication context.
+ *
+ * @param authenticationContext current authentication context.
+ * @param stepConfigMap The Step map from the service provider configuration.
+ * @param context polyglot context.
+ * @param currentNode Current authentication graph node.
+ */
+ public JsGraalGraphBuilder(AuthenticationContext authenticationContext, Map stepConfigMap,
+ Context context, AuthGraphNode currentNode) {
+
+ this.authenticationContext = authenticationContext;
+ this.context = context;
+ this.currentNode = currentNode;
+ stepNamedMap = stepConfigMap.entrySet()
+ .stream()
+ .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
+ }
+
+ /**
+ * Creates the graph with the given Script and step map.
+ *
+ * @param script the Dynamic authentication script.
+ */
+ @Override
+ public JsGraalGraphBuilder createWith(String script) {
+
+ try {
+ currentBuilder.set(this);
+ Value bindings = context.getBindings(POLYGLOT_LANGUAGE);
+
+ bindings.putMember(JS_FUNC_EXECUTE_STEP, new JsGraalStepExecuter());
+ bindings.putMember(JS_FUNC_SEND_ERROR, new SendErrorAsyncFunctionImpl());
+ bindings.putMember(JS_FUNC_SHOW_PROMPT, new JsGraalPromptExecutorImpl());
+ bindings.putMember(JS_FUNC_LOAD_FUNC_LIB, new JsGraalLoadExecutorImpl());
+ JsFunctionRegistry jsFunctionRegistrar = FrameworkServiceDataHolder.getInstance().getJsFunctionRegistry();
+ if (jsFunctionRegistrar != null) {
+ Map functionMap =
+ jsFunctionRegistrar.getSubsystemFunctionsMap(JsFunctionRegistry.Subsystem.SEQUENCE_HANDLER);
+ functionMap.forEach(bindings::putMember);
+ }
+ currentBuilder.set(this);
+ context.eval(Source
+ .newBuilder(POLYGLOT_LANGUAGE,
+ FrameworkServiceDataHolder.getInstance().getCodeForRequireFunction(),
+ POLYGLOT_SOURCE)
+ .build());
+
+ String identifier = UUID.randomUUID().toString();
+ Optional optionalScriptExecutionData;
+
+ try {
+ startScriptExecutionMonitor(identifier, authenticationContext);
+ context.eval(Source.newBuilder(POLYGLOT_LANGUAGE, script, POLYGLOT_SOURCE).build());
+
+ Value onLoginRequestFn = bindings.getMember(JS_FUNC_ON_LOGIN_REQUEST);
+ if (onLoginRequestFn == null) {
+ log.error("Could not find the entry function " + JS_FUNC_ON_LOGIN_REQUEST + " \n" + script);
+ result.setBuildSuccessful(false);
+ result.setErrorReason("Error in executing the Javascript. " + JS_FUNC_ON_LOGIN_REQUEST +
+ " function is not defined.");
+ return this;
+ }
+ onLoginRequestFn.executeVoid(new JsGraalAuthenticationContext(authenticationContext));
+ } finally {
+ optionalScriptExecutionData = Optional.ofNullable(endScriptExecutionMonitor(identifier));
+ }
+ optionalScriptExecutionData.ifPresent(
+ scriptExecutionData -> storeAuthScriptExecutionMonitorData(authenticationContext,
+ scriptExecutionData));
+ JsGraalGraphBuilderFactory.persistCurrentContext(authenticationContext, context);
+ } catch (PolyglotException e) {
+ result.setBuildSuccessful(false);
+ result.setErrorReason(
+ "Error in executing the Javascript. " + JS_FUNC_ON_LOGIN_REQUEST + " reason, " + e.getMessage());
+ if (log.isDebugEnabled()) {
+ log.debug("Error in executing the Javascript.", e);
+ }
+ } catch (IOException e) {
+ result.setBuildSuccessful(false);
+ result.setErrorReason("Error in building the Javascript source" + e.getMessage());
+ if (log.isDebugEnabled()) {
+ log.debug("Error in building the Javascript source", e);
+ }
+ } finally {
+ clearCurrentBuilder(context);
+ }
+ return this;
+ }
+
+ @Override
+ public AuthenticationDecisionEvaluator getScriptEvaluator(BaseSerializableJsFunction fn) {
+
+ return null;
+ }
+
+ private static void attachEventListeners(Map eventsMap, AuthGraphNode currentNode) {
+
+ if (eventsMap == null) {
+ return;
+ }
+ DynamicDecisionNode decisionNode = new DynamicDecisionNode();
+ addEventListeners(decisionNode, eventsMap);
+ if (!decisionNode.getGenericFunctionMap().isEmpty()) {
+ attachToLeaf(currentNode, decisionNode);
+ }
+ }
+
+ private void attachEventListeners(Map eventsMap) {
+
+ if (eventsMap == null) {
+ return;
+ }
+ DynamicDecisionNode decisionNode = new DynamicDecisionNode();
+ addEventListeners(decisionNode, eventsMap);
+ if (!decisionNode.getGenericFunctionMap().isEmpty()) {
+ attachToLeaf(currentNode, decisionNode);
+ currentNode = decisionNode;
+ }
+ }
+
+ /**
+ * Adds all the event listeners to the decision node.
+ *
+ * @param eventsMap Map of events and event handler functions, which is handled by this execution.
+ * @return created Dynamic Decision node.
+ */
+ private static void addEventListeners(DynamicDecisionNode decisionNode, Map eventsMap) {
+
+ if (eventsMap == null) {
+ return;
+ }
+ eventsMap.forEach((key, value) -> {
+ if ((!(value instanceof GraalSerializableJsFunction))) {
+ GraalSerializableJsFunction jsFunction = GraalSerializableJsFunction.toSerializableForm(value);
+ if (jsFunction != null) {
+ decisionNode.addGenericFunction(key, jsFunction);
+ } else {
+ log.error("Event handler : " + key + " is not a function : " + value);
+ }
+ } else {
+ decisionNode.addGenericFunction(key, (GraalSerializableJsFunction) value);
+ }
+ });
+ }
+
+ private static void addHandlers(ShowPromptNode showPromptNode, Map handlersMap) {
+
+ if (handlersMap == null) {
+ return;
+ }
+ handlersMap.forEach((key, value) -> {
+ if (!(value instanceof GraalSerializableJsFunction)) {
+ GraalSerializableJsFunction jsFunction = GraalSerializableJsFunction.toSerializableForm(value);
+ if (jsFunction != null) {
+ showPromptNode.addGenericHandler(key, jsFunction);
+ } else {
+ log.error("Event handler : " + key + " is not a function : " + value);
+ }
+ } else {
+ showPromptNode.addGenericHandler(key, (GraalSerializableJsFunction) value);
+ }
+ });
+ }
+
+ /**
+ * Adds the step given by step ID tp the authentication graph.
+ *
+ * @param params params
+ */
+ @SuppressWarnings("unchecked")
+ @HostAccess.Export
+ public void executeStepInAsyncEvent(int stepId, Object... params) {
+
+ AuthenticationContext context = contextForJs.get();
+ AuthGraphNode currentNode = dynamicallyBuiltBaseNode.get();
+
+ if (log.isDebugEnabled()) {
+ log.debug("Execute Step on async event. Step ID : " + stepId);
+ }
+ AuthenticationGraph graph = context.getSequenceConfig().getAuthenticationGraph();
+ if (graph == null) {
+ log.error("The graph happens to be null on the sequence config. Can not execute step : " + stepId);
+ return;
+ }
+
+ StepConfig stepConfig = graph.getStepMap().get(stepId);
+ if (stepConfig == null) {
+ if (log.isDebugEnabled()) {
+ log.error("The stepConfig of the step ID : " + stepId + " is null");
+ }
+ return;
+ }
+ // Inorder to keep original stepConfig as a backup in AuthenticationGraph.
+ StepConfig clonedStepConfig = new StepConfig(stepConfig);
+ StepConfig stepConfigFromContext = null;
+ if (MapUtils.isNotEmpty(context.getSequenceConfig().getStepMap())) {
+ stepConfigFromContext = context.getSequenceConfig().getStepMap().values()
+ .stream()
+ .filter(contextStepConfig -> (stepConfig.getOrder() == contextStepConfig.getOrder()))
+ .findFirst()
+ .orElse(null);
+ }
+ clonedStepConfig.applyStateChangesToNewObjectFromContextStepMap(stepConfigFromContext);
+ if (log.isDebugEnabled()) {
+ log.debug("Found step for the Step ID : " + stepId + ", Step Config " + clonedStepConfig);
+ }
+ StepConfigGraphNode newNode = wrap(clonedStepConfig);
+ if (currentNode == null) {
+ if (log.isDebugEnabled()) {
+ log.debug("Setting a new node at the first time. Node : " + newNode.getName());
+ }
+ dynamicallyBuiltBaseNode.set(newNode);
+ } else {
+ attachToLeaf(currentNode, newNode);
+ }
+
+ if (params.length > 0) {
+ // if there is only one param, it is assumed to be the event listeners
+ if (params[params.length - 1] instanceof Map) {
+ attachEventListeners((Map) params[params.length - 1], newNode);
+ } else {
+ log.error("Invalid argument and hence ignored. Last argument should be a Map of event listeners.");
+ }
+ }
+
+ if (params.length == 2) {
+ // There is an argument with options present
+ if (params[0] instanceof Map) {
+ Map options = (Map) params[0];
+ handleOptionsAsyncEvent(options, clonedStepConfig, context.getSequenceConfig().getStepMap());
+ }
+ }
+ }
+
+
+ /**
+ * Executes the given script in an async event.
+ */
+ public class JsGraalStepExecuterInAsyncEvent implements StepExecutor {
+
+ @HostAccess.Export
+ public void executeStep(Integer stepId, Object... parameterMap) {
+
+ JsGraalGraphBuilder.this.executeStepInAsyncEvent(stepId, parameterMap);
+ }
+ }
+
+ @Override
+ public void addLongWaitProcessInternal(AsyncProcess asyncProcess, Map parameterMap) {
+
+ LongWaitNode newNode = new LongWaitNode(asyncProcess);
+
+ if (parameterMap != null) {
+ addEventListeners(newNode, parameterMap);
+ }
+ if (this.currentNode == null) {
+ this.result.setStartNode(newNode);
+ } else {
+ attachToLeaf(this.currentNode, newNode);
+ }
+
+ this.currentNode = newNode;
+ }
+
+ /**
+ * @param templateId Identifier of the template.
+ * @param parameters Parameters.
+ * @param handlers Handlers to run before and after the prompt.
+ * @param callbacks Callbacks to run after the prompt.
+ */
+ @SuppressWarnings("unchecked")
+ @Override
+ public void addPromptInternal(String templateId, Map parameters, Map handlers,
+ Map callbacks) {
+
+ ShowPromptNode newNode = new ShowPromptNode();
+ newNode.setTemplateId(templateId);
+ newNode.setParameters(parameters);
+
+ JsGraalGraphBuilder currentBuilder = getCurrentBuilder();
+ if (currentBuilder.currentNode == null) {
+ currentBuilder.result.setStartNode(newNode);
+ } else {
+ attachToLeaf(currentBuilder.currentNode, newNode);
+ }
+
+ currentBuilder.currentNode = newNode;
+ addEventListeners(newNode, callbacks);
+ addHandlers(newNode, handlers);
+ }
+
+ public AuthenticationDecisionEvaluator getScriptEvaluator(GenericSerializableJsFunction fn) {
+
+ return new JsBasedEvaluator((GraalSerializableJsFunction) fn);
+ }
+
+ public static void clearCurrentBuilder(Context context) {
+
+ context.close();
+ clearCurrentBuilder();
+ }
+
+ /**
+ * Adds the step given by step ID tp the authentication graph.
+ *
+ * @param stepId Step Id
+ * @param params params
+ */
+ @SuppressWarnings("unchecked")
+ @HostAccess.Export
+ public void executeStep(int stepId, Object... params) {
+
+ StepConfig stepConfig;
+ stepConfig = stepNamedMap.get(stepId);
+
+ if (stepConfig == null) {
+ log.error("Given Authentication Step :" + stepId + " is not in Environment");
+ return;
+ }
+ StepConfigGraphNode newNode = wrap(stepConfig);
+ if (currentNode == null) {
+ result.setStartNode(newNode);
+ } else {
+ attachToLeaf(currentNode, newNode);
+ }
+ currentNode = newNode;
+ if (params.length > 0) {
+ // if there are any params provided, last one is assumed to be the event listeners
+ if (params[params.length - 1] instanceof Map) {
+ attachEventListeners((Map) params[params.length - 1]);
+ } else {
+ log.error("Invalid argument and hence ignored. Last argument should be a Map of event listeners.");
+ }
+ }
+ if (params.length == 2) {
+ // There is an argument with options present
+ if (params[0] instanceof Map) {
+ Map options = (Map) params[0];
+ handleOptions(options, stepConfig);
+ }
+ }
+ }
+
+ /**
+ * Executes the given script.
+ */
+ public class JsGraalStepExecuter implements StepExecutor {
+
+ @HostAccess.Export
+ public void executeStep(Integer stepId, Object... parameterMap) {
+
+ JsGraalGraphBuilder.this.executeStep(stepId, parameterMap);
+ }
+ }
+
+ /**
+ * Handle options within executeStepInAsyncEvent function. This method will update step configs through context.
+ *
+ * @param options Map of authenticator options.
+ * @param stepConfig Current stepConfig.
+ * @param stepConfigMap Map of stepConfigs get from the context object.
+ */
+ @Override
+ @SuppressWarnings("unchecked")
+ protected void handleOptionsAsyncEvent(Map options, StepConfig stepConfig,
+ Map stepConfigMap) {
+
+ Object authenticationOptionsObj = options.get(AUTHENTICATION_OPTIONS);
+ if (authenticationOptionsObj instanceof List) {
+ List> authenticationOptionsList = (List>) authenticationOptionsObj;
+ authenticationOptionsObj = IntStream
+ .range(0, authenticationOptionsList.size())
+ .boxed()
+ .collect(Collectors.toMap(String::valueOf, authenticationOptionsList::get));
+ }
+
+ if (authenticationOptionsObj instanceof Map) {
+ filterOptions((Map>) authenticationOptionsObj, stepConfig);
+ } else {
+ log.debug("Authenticator options not provided or invalid, hence proceeding without filtering");
+ }
+
+ Object authenticatorParams = options.get(AUTHENTICATOR_PARAMS);
+ if (authenticatorParams instanceof Map) {
+ authenticatorParamsOptions((Map) authenticatorParams, stepConfig);
+ } else {
+ log.debug("Authenticator params not provided or invalid, hence proceeding without setting params");
+ }
+
+ Object stepOptions = options.get(STEP_OPTIONS);
+ if (stepOptions instanceof Map) {
+ handleStepOptions(stepConfig, (Map) stepOptions, stepConfigMap);
+ } else {
+ log.debug("Step options not provided or invalid, hence proceeding without handling");
+ }
+ }
+
+ @HostAccess.Export
+ public static void sendErrorAsync(String url, Map parameterMap) {
+
+ FailNode newNode = createFailNode(url, parameterMap, true);
+
+ AuthGraphNode currentNode = dynamicallyBuiltBaseNode.get();
+ if (currentNode == null) {
+ dynamicallyBuiltBaseNode.set(newNode);
+ } else {
+ attachToLeaf(currentNode, newNode);
+ }
+ }
+
+ /**
+ * Implementation of the SendErrorFunction interface as an adaptor for sendErrorAsync function.
+ */
+ public static class SendErrorAsyncFunctionImpl implements SendErrorFunction {
+
+ @HostAccess.Export
+ public void sendError(String url, Map parameterMap) {
+ sendErrorAsync(url, parameterMap);
+ }
+ }
+
+ /**
+ * Implementation of the SendErrorFunction interface as an adaptor for sendError function.
+ */
+ public class SendErrorFunctionImpl implements SendErrorFunction {
+
+ @HostAccess.Export
+ public void sendError(String url, Map parameterMap) {
+ JsGraalGraphBuilder.this.sendError(url, parameterMap);
+ }
+ }
+ private static FailNode createFailNode(String url, Map parameterMap, boolean isShowErrorPage) {
+
+ FailNode failNode = new FailNode();
+ if (isShowErrorPage && StringUtils.isNotBlank(url)) {
+ failNode.setErrorPageUri(url);
+ }
+ // setShowErrorPage is set to true as sendError function redirects to a specific error page.
+ failNode.setShowErrorPage(isShowErrorPage);
+
+ parameterMap.forEach((key, value) -> failNode.getFailureData().put(key, String.valueOf(value)));
+ return failNode;
+ }
+
+ /**
+ * Javascript based Decision Evaluator implementation.
+ * This is used to create the Authentication Graph structure dynamically on the fly while the authentication flow
+ * is happening.
+ * The graph is re-organized based on last execution of the decision.
+ */
+ public class JsBasedEvaluator implements AuthenticationDecisionEvaluator {
+
+ private static final long serialVersionUID = 6853505881096840344L;
+ private final GraalSerializableJsFunction jsFunction;
+
+ public JsBasedEvaluator(GraalSerializableJsFunction jsFunction) {
+
+ this.jsFunction = jsFunction;
+ }
+
+ @Override
+ @HostAccess.Export
+ public Object evaluate(AuthenticationContext authenticationContext, Object... params) {
+
+ JsGraalGraphBuilder graphBuilder = JsGraalGraphBuilder.this;
+ Object result = null;
+ if (jsFunction == null) {
+ return null;
+ }
+ if (!jsFunction.isFunction()) {
+ return jsFunction.getSource();
+ }
+ try {
+ currentBuilder.set(graphBuilder);
+ JsGraalGraphBuilderFactory.restoreCurrentContext(authenticationContext, context);
+ Context context = getContext();
+ Value bindings = context.getBindings(POLYGLOT_LANGUAGE);
+
+ bindings.putMember(JS_FUNC_EXECUTE_STEP, new JsGraalStepExecuterInAsyncEvent());
+ bindings.putMember(JS_FUNC_SEND_ERROR, new SendErrorFunctionImpl());
+ bindings.putMember(JS_AUTH_FAILURE, new FailAuthenticationFunctionImpl());
+ bindings.putMember(JS_FUNC_SHOW_PROMPT, new JsGraalPromptExecutorImpl());
+ bindings.putMember(JS_FUNC_LOAD_FUNC_LIB, new JsGraalLoadExecutorImpl());
+ JsFunctionRegistry jsFunctionRegistrar =
+ FrameworkServiceDataHolder.getInstance().getJsFunctionRegistry();
+ if (jsFunctionRegistrar != null) {
+ Map functionMap =
+ jsFunctionRegistrar.getSubsystemFunctionsMap(JsFunctionRegistry.Subsystem.SEQUENCE_HANDLER);
+ functionMap.forEach(bindings::putMember);
+ }
+ removeDefaultFunctions(context);
+ JsGraalGraphBuilder.contextForJs.set(authenticationContext);
+
+ String identifier = UUID.randomUUID().toString();
+ Optional optionalScriptExecutionData =
+ Optional.ofNullable(retrieveAuthScriptExecutionMonitorData(authenticationContext));
+ try {
+ startScriptExecutionMonitor(identifier, authenticationContext,
+ optionalScriptExecutionData.orElse(null));
+ result = jsFunction.apply(context, params);
+ } finally {
+ optionalScriptExecutionData = Optional.ofNullable(endScriptExecutionMonitor(identifier));
+ }
+ optionalScriptExecutionData.ifPresent(
+ scriptExecutionData -> storeAuthScriptExecutionMonitorData(authenticationContext,
+ scriptExecutionData));
+
+ JsGraalGraphBuilderFactory.persistCurrentContext(authenticationContext, context);
+
+ AuthGraphNode executingNode = (AuthGraphNode) authenticationContext.getProperty(PROP_CURRENT_NODE);
+ if (canInfuse(executingNode)) {
+ infuse(executingNode, dynamicallyBuiltBaseNode.get());
+ }
+
+ } catch (Throwable e) {
+ //We need to catch all the javascript errors here, then log and handle.
+ log.error("Error in executing the javascript for service provider : " +
+ authenticationContext.getServiceProviderName() + ", Javascript Fragment : \n" +
+ jsFunction.getSource(), e);
+ AuthGraphNode executingNode = (AuthGraphNode) authenticationContext.getProperty(PROP_CURRENT_NODE);
+ FailNode failNode = new FailNode();
+ attachToLeaf(executingNode, failNode);
+ } finally {
+ contextForJs.remove();
+ dynamicallyBuiltBaseNode.remove();
+ clearCurrentBuilder(context);
+ }
+ return result;
+ }
+ }
+
+ private Context getContext() {
+
+ return this.context;
+ }
+
+ /**
+ * Adds a function to show a prompt in Javascript code.
+ *
+ * @param templateId Identifier of the template
+ * @param parameters parameters
+ */
+ @SuppressWarnings("unchecked")
+ @HostAccess.Export
+ public void addShowPrompt(String templateId, Object... parameters) {
+
+ ShowPromptNode newNode = new ShowPromptNode();
+ newNode.setTemplateId(templateId);
+
+ if (parameters.length == 2) {
+ newNode.setData((Map) GraalSerializer.getInstance().toJsSerializable(parameters[0]));
+ }
+ if (currentNode == null) {
+ result.setStartNode(newNode);
+ } else {
+ attachToLeaf(currentNode, newNode);
+ }
+
+ currentNode = newNode;
+ if (parameters.length > 0) {
+ if (parameters[parameters.length - 1] instanceof Map) {
+ addEventListeners(newNode, (Map) parameters[parameters.length - 1]);
+ } else {
+ log.error("Invalid argument and hence ignored. Last argument should be a Map of event listeners.");
+ }
+
+ }
+ }
+
+ /**
+ * GraalJS specific prompt implementation
+ */
+ public class JsGraalPromptExecutorImpl implements PromptExecutor {
+
+ @HostAccess.Export
+ public void prompt(String templateId, Object... parameters) {
+
+ JsGraalGraphBuilder.this.addShowPrompt(templateId, parameters);
+ }
+ }
+
+ private boolean canInfuse(AuthGraphNode executingNode) {
+
+ return executingNode instanceof DynamicDecisionNode && dynamicallyBuiltBaseNode.get() != null;
+ }
+
+ @HostAccess.Export
+ public static void failAsync(Object... parameters) {
+
+ Map parameterMap;
+
+ if (parameters.length == 1) {
+ parameterMap = (Map) parameters[0];
+ } else {
+ parameterMap = Collections.EMPTY_MAP;
+ }
+
+ FailNode newNode = createFailNode(StringUtils.EMPTY, parameterMap, false);
+
+ AuthGraphNode currentNode = dynamicallyBuiltBaseNode.get();
+ if (currentNode == null) {
+ dynamicallyBuiltBaseNode.set(newNode);
+ } else {
+ attachToLeaf(currentNode, newNode);
+ }
+ }
+
+ /**
+ * Fail function implementation for GraalJS.
+ */
+ public static class FailAuthenticationFunctionImpl implements FailAuthenticationFunction {
+
+ @HostAccess.Export
+ public void fail(Object... parameters) {
+
+ failAsync(parameters);
+ }
+ }
+
+ private void removeDefaultFunctions(Context context) throws IOException {
+
+ context.eval(Source.newBuilder(POLYGLOT_LANGUAGE, REMOVE_FUNCTIONS, POLYGLOT_SOURCE).build());
+ }
+
+ private JSExecutionSupervisor getJSExecutionSupervisor() {
+
+ return FrameworkServiceDataHolder.getInstance().getJsExecutionSupervisor();
+ }
+
+ private void storeAuthScriptExecutionMonitorData(AuthenticationContext context,
+ JSExecutionMonitorData jsExecutionMonitorData) {
+
+ context.setProperty(PROP_EXECUTION_SUPERVISOR_RESULT, jsExecutionMonitorData);
+ }
+
+ private JSExecutionMonitorData retrieveAuthScriptExecutionMonitorData(AuthenticationContext context) {
+
+ JSExecutionMonitorData jsExecutionMonitorData;
+ Object storedResult = context.getProperty(PROP_EXECUTION_SUPERVISOR_RESULT);
+ if (storedResult != null) {
+ jsExecutionMonitorData = (JSExecutionMonitorData) storedResult;
+ } else {
+ jsExecutionMonitorData = new JSExecutionMonitorData(0L, 0L);
+ }
+ return jsExecutionMonitorData;
+ }
+
+ private void startScriptExecutionMonitor(String identifier, AuthenticationContext context,
+ JSExecutionMonitorData previousExecutionResult) {
+
+ JSExecutionSupervisor jsExecutionSupervisor = getJSExecutionSupervisor();
+ if (jsExecutionSupervisor == null) {
+ return;
+ }
+ getJSExecutionSupervisor().monitor(identifier, context.getServiceProviderName(), context.getTenantDomain(),
+ previousExecutionResult.getElapsedTime(), previousExecutionResult.getConsumedMemory());
+ }
+
+ private void startScriptExecutionMonitor(String identifier, AuthenticationContext context) {
+
+ startScriptExecutionMonitor(identifier, context, new JSExecutionMonitorData(0L, 0L));
+ }
+
+ private JSExecutionMonitorData endScriptExecutionMonitor(String identifier) {
+
+ JSExecutionSupervisor executionSupervisor = getJSExecutionSupervisor();
+ if (executionSupervisor == null) {
+ return null;
+ }
+ return getJSExecutionSupervisor().completed(identifier);
+ }
+
+}
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/graaljs/JsGraalGraphBuilderFactory.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/graaljs/JsGraalGraphBuilderFactory.java
new file mode 100644
index 000000000000..922657b1dea1
--- /dev/null
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/graaljs/JsGraalGraphBuilderFactory.java
@@ -0,0 +1,193 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.application.authentication.framework.config.model.graph.graaljs;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.graalvm.polyglot.Context;
+import org.graalvm.polyglot.HostAccess;
+import org.graalvm.polyglot.ResourceLimits;
+import org.graalvm.polyglot.Value;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.AuthGraphNode;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.JsBaseGraphBuilder;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.JsGenericGraphBuilderFactory;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.JsGenericSerializer;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.AbstractJSObjectWrapper;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsAuthenticatedUser;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsAuthenticationContext;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsLogger;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsServletRequest;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsServletResponse;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.graaljs.JsGraalAuthenticatedUser;
+import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
+import org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException;
+import org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.GraalSelectAcrFromFunction;
+import org.wso2.carbon.identity.core.util.IdentityUtil;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.AdaptiveAuthentication.DEFAULT_GRAALJS_SCRIPT_STATEMENTS_LIMIT;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.AdaptiveAuthentication.GRAALJS_SCRIPT_STATEMENTS_LIMIT;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.JS_FUNC_SELECT_ACR_FROM;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.JS_LOG;
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.JSAttributes.POLYGLOT_LANGUAGE;
+
+/**
+ * Factory to create a Javascript based sequence builder.
+ * This factory is there to reuse of GraalJS Polyglot Context and any related expensive objects.
+ *
+ * Since Nashorn is deprecated in JDK 11 and onwards. We are introducing GraalJS engine.
+ */
+public class JsGraalGraphBuilderFactory implements JsGenericGraphBuilderFactory {
+
+ private static final Log LOG = LogFactory.getLog(JsGraalGraphBuilderFactory.class);
+ private static final String JS_BINDING_CURRENT_CONTEXT = "JS_BINDING_CURRENT_CONTEXT";
+ private int javascriptResourceLimit = 0;
+
+ public void init() {
+
+ setJavascriptResourceLimit();
+ }
+
+ @SuppressWarnings("unchecked")
+ public static void restoreCurrentContext(AuthenticationContext authContext, Context context)
+ throws FrameworkException {
+
+ Map map = (Map) authContext.getProperty(JS_BINDING_CURRENT_CONTEXT);
+ Value bindings = context.getBindings(POLYGLOT_LANGUAGE);
+ if (map != null) {
+ for (Map.Entry entry : map.entrySet()) {
+ Object deserializedValue = GraalSerializer.getInstance().fromJsSerializable(entry.getValue(), context);
+ if (deserializedValue instanceof AbstractJSObjectWrapper) {
+ ((AbstractJSObjectWrapper) deserializedValue).initializeContext(authContext);
+ }
+ bindings.putMember(entry.getKey(), deserializedValue);
+ }
+ }
+ }
+
+ public static void persistCurrentContext(AuthenticationContext authContext, Context context) {
+
+ Value engineBindings = context.getBindings(POLYGLOT_LANGUAGE);
+ Map persistableMap = new HashMap<>();
+ engineBindings.getMemberKeys().forEach((key) -> {
+ Value binding = engineBindings.getMember(key);
+ /*
+ * Since, we don't have a difference between global and engine scopes, we need to identify what are the
+ * custom functions and the logger object we added bindings to, and not persist them since we will anyways
+ * bind them again.
+ * The functions will be host objects and can be executed. The Logger object needs to be identified by name.
+ */
+ if (!((binding.isHostObject() && binding.canExecute()) || key.equals("Log"))) {
+ persistableMap.put(key, GraalSerializer.getInstance().toJsSerializable(binding));
+ }
+ });
+ authContext.setProperty(JS_BINDING_CURRENT_CONTEXT, persistableMap);
+ }
+
+ public Context createEngine(AuthenticationContext authenticationContext) {
+
+ Context context = Context.newBuilder(POLYGLOT_LANGUAGE)
+ .allowHostAccess(getHostAccess())
+ .resourceLimits(getResourceLimits())
+ .option("engine.WarnInterpreterOnly", "false")
+ .build();
+
+ Value bindings = context.getBindings(POLYGLOT_LANGUAGE);
+ bindings.putMember(JS_FUNC_SELECT_ACR_FROM, new GraalSelectAcrFromFunction());
+ bindings.putMember(JS_LOG, new JsLogger());
+ return context;
+ }
+
+ public ResourceLimits getResourceLimits() {
+
+ ResourceLimits.Builder resourceLimitsBuilder = ResourceLimits.newBuilder();
+ resourceLimitsBuilder.statementLimit(javascriptResourceLimit, null);
+ return resourceLimitsBuilder.build();
+ }
+
+ public HostAccess getHostAccess() {
+
+ /*
+ * We need to map the graaljs proxy objects be exposed as their abstract classes to be able to use the current
+ * functional interfaces we have for existing conditional authentication functions.
+ */
+ return HostAccess.newBuilder(HostAccess.EXPLICIT)
+ .targetTypeMapping(Value.class, JsAuthenticationContext.class,
+ (v) -> v.asProxyObject() instanceof JsAuthenticationContext,
+ (v) -> (JsAuthenticationContext) v.asProxyObject())
+ .targetTypeMapping(Value.class, JsAuthenticatedUser.class,
+ (v) -> v.asProxyObject() instanceof JsGraalAuthenticatedUser,
+ (v) -> (JsAuthenticatedUser) v.asProxyObject())
+ .targetTypeMapping(Value.class, JsServletRequest.class,
+ (v) -> v.asProxyObject() instanceof JsServletRequest,
+ (v) -> (JsServletRequest) v.asProxyObject())
+ .targetTypeMapping(Value.class, JsServletResponse.class,
+ (v) -> v.asProxyObject() instanceof JsServletResponse,
+ (v) -> (JsServletResponse) v.asProxyObject())
+ .build();
+ }
+
+ @Override
+ public JsGenericSerializer getJsUtil() {
+
+ return GraalSerializer.getInstance();
+ }
+
+ @Override
+ public JsBaseGraphBuilder getCurrentBuilder() {
+
+ return JsGraalGraphBuilder.getCurrentBuilder();
+ }
+
+ public JsGraalGraphBuilder createBuilder(AuthenticationContext authenticationContext,
+ Map stepConfigMap) {
+
+ return new JsGraalGraphBuilder(authenticationContext, stepConfigMap, createEngine(authenticationContext));
+ }
+
+ public JsGraalGraphBuilder createBuilder(AuthenticationContext authenticationContext,
+ Map stepConfigMap, AuthGraphNode currentNode) {
+
+ return new JsGraalGraphBuilder(authenticationContext, stepConfigMap, createEngine(authenticationContext),
+ currentNode);
+ }
+
+ private void setJavascriptResourceLimit() {
+
+ /*
+ * This sets the number of javascript statements that can be executed in a single execution.
+ * The default value is set to 0 which is equivalent to unlimited number of statement.
+ */
+ String statementLimit = IdentityUtil.getProperty(GRAALJS_SCRIPT_STATEMENTS_LIMIT);
+ if (statementLimit != null) {
+ try {
+ javascriptResourceLimit = Integer.parseInt(statementLimit);
+ } catch (NumberFormatException e) {
+ LOG.warn("Error while parsing the script statement limit. Defaulting to " +
+ DEFAULT_GRAALJS_SCRIPT_STATEMENTS_LIMIT, e);
+ javascriptResourceLimit = DEFAULT_GRAALJS_SCRIPT_STATEMENTS_LIMIT;
+ }
+ } else {
+ javascriptResourceLimit = DEFAULT_GRAALJS_SCRIPT_STATEMENTS_LIMIT;
+ }
+ }
+}
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/graaljs/JsGraalWrapperFactory.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/graaljs/JsGraalWrapperFactory.java
new file mode 100644
index 000000000000..7222f58f2261
--- /dev/null
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/graaljs/JsGraalWrapperFactory.java
@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.application.authentication.framework.config.model.graph.graaljs;
+
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.JsWrapperBaseFactory;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.graaljs.JsGraalAuthenticatedUser;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.graaljs.JsGraalAuthenticationContext;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.graaljs.JsGraalClaims;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.graaljs.JsGraalCookie;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.graaljs.JsGraalHeaders;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.graaljs.JsGraalParameters;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.graaljs.JsGraalRuntimeClaims;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.graaljs.JsGraalServletRequest;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.graaljs.JsGraalServletResponse;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.graaljs.JsGraalStep;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.graaljs.JsGraalSteps;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.graaljs.JsGraalWritableParameters;
+import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
+import org.wso2.carbon.identity.application.authentication.framework.context.TransientObjectWrapper;
+import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
+
+import java.util.Map;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Factory to create a Javascript Object Wrappers for GraalJS execution.
+ * Since Nashorn is deprecated in JDK 11 and onwards. We are introducing GraalJS engine.
+ */
+public class JsGraalWrapperFactory implements JsWrapperBaseFactory {
+
+ @Override
+ public JsGraalAuthenticatedUser createJsAuthenticatedUser(AuthenticatedUser authenticatedUser) {
+
+ return new JsGraalAuthenticatedUser(authenticatedUser);
+ }
+
+ @Override
+ public JsGraalAuthenticatedUser createJsAuthenticatedUser(AuthenticationContext authenticationContext,
+ AuthenticatedUser authenticatedUser) {
+
+ return new JsGraalAuthenticatedUser(authenticationContext, authenticatedUser);
+ }
+
+ @Override
+ public JsGraalAuthenticatedUser createJsAuthenticatedUser(AuthenticationContext context,
+ AuthenticatedUser wrappedUser, int step, String idp) {
+
+ return new JsGraalAuthenticatedUser(context, wrappedUser, step, idp);
+ }
+
+ @Override
+ public JsGraalAuthenticationContext createJsAuthenticationContext
+ (AuthenticationContext authenticationContext) {
+
+ return new JsGraalAuthenticationContext(authenticationContext);
+ }
+
+ @Override
+ public JsGraalCookie createJsCookie(Cookie cookie) {
+
+ return new JsGraalCookie(cookie);
+ }
+
+ @Override
+ public JsGraalParameters createJsParameters(Map parameters) {
+
+ return new JsGraalParameters(parameters);
+ }
+
+ @Override
+ public JsGraalWritableParameters createJsWritableParameters(Map data) {
+
+ return new JsGraalWritableParameters(data);
+ }
+
+ @Override
+ public JsGraalServletRequest createJsServletRequest(TransientObjectWrapper wrapped) {
+
+ return new JsGraalServletRequest(wrapped);
+ }
+
+ @Override
+ public JsGraalServletResponse createJsServletResponse(TransientObjectWrapper wrapped) {
+
+ return new JsGraalServletResponse(wrapped);
+ }
+
+ @Override
+ public JsGraalClaims createJsClaims(AuthenticationContext context, int step, String idp,
+ boolean isRemoteClaimRequest) {
+
+ return new JsGraalClaims(context, step, idp, isRemoteClaimRequest);
+ }
+
+ @Override
+ public JsGraalClaims createJsClaims(AuthenticationContext context, AuthenticatedUser user,
+ boolean isRemoteClaimRequest) {
+
+ return new JsGraalClaims(context, user, isRemoteClaimRequest);
+ }
+
+ @Override
+ public JsGraalRuntimeClaims createJsRuntimeClaims(AuthenticationContext context, int step, String idp) {
+
+ return new JsGraalRuntimeClaims(context, step, idp);
+ }
+
+ @Override
+ public JsGraalRuntimeClaims createJsRuntimeClaims(AuthenticationContext context, AuthenticatedUser user) {
+
+ return new JsGraalRuntimeClaims(context, user);
+ }
+
+ @Override
+ public JsGraalStep createJsStep(AuthenticationContext context, int step, String authenticatedIdp,
+ String authenticatedAuthenticator) {
+
+ return new JsGraalStep(context, step, authenticatedIdp, authenticatedAuthenticator);
+ }
+
+ @Override
+ public JsGraalHeaders createJsHeaders(Map wrapped, HttpServletResponse response) {
+
+ return new JsGraalHeaders(wrapped, response);
+ }
+
+ @Override
+ public JsGraalSteps createJsSteps(AuthenticationContext context) {
+
+ return new JsGraalSteps(context);
+ }
+
+}
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/AbstractJSContextMemberObject.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/AbstractJSContextMemberObject.java
index 0f918d307e8d..7247bf0dacdc 100644
--- a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/AbstractJSContextMemberObject.java
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/AbstractJSContextMemberObject.java
@@ -1,7 +1,7 @@
/*
- * Copyright (c) 2018, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2018-2024, WSO2 LLC. (http://www.wso2.org) All Rights Reserved.
*
- * WSO2 Inc. licenses this file to you under the Apache License,
+ * WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
@@ -21,6 +21,7 @@
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import java.io.Serializable;
+import java.util.Objects;
/**
* Represents the abstract class for all context objects
@@ -48,4 +49,10 @@ public AuthenticationContext getContext() {
return context;
}
+
+ public boolean hasMember (String name) {
+
+ Objects.requireNonNull(name);
+ return false;
+ }
}
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/CommonJsHeaders.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/CommonJsHeaders.java
new file mode 100644
index 000000000000..aaca0d5e5a01
--- /dev/null
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/CommonJsHeaders.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js;
+
+import java.util.Map;
+
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Javascript wrapper for Java level HashMap of HTTP headers.
+ * This provides controlled access to HTTPServletResponse object's headers via provided javascript native syntax.
+ * Also it prevents writing an arbitrary values to the respective fields, keeping consistency on runtime.
+ */
+public class CommonJsHeaders {
+
+ private final Map wrapped;
+ private final HttpServletResponse response;
+
+ public CommonJsHeaders(Map wrapped, HttpServletResponse response) {
+
+ this.wrapped = wrapped;
+ this.response = response;
+ }
+
+ public Object getMember(String name) {
+
+ if (wrapped == null) {
+ return null;
+ }
+ return wrapped.get(name);
+ }
+
+ public Object getMemberKeys() {
+
+ return wrapped.keySet().toArray();
+ }
+
+ public boolean hasMember(String name) {
+
+ if (wrapped == null) {
+ return false;
+ }
+ return wrapped.get(name) != null;
+ }
+
+ public boolean removeMemberObject(String name) {
+
+ if (wrapped != null) {
+ wrapped.remove(name);
+ return true;
+ }
+ return false;
+ }
+
+ public boolean setMemberObject(String name, Object value) {
+
+ if (wrapped != null) {
+ wrapped.put(name, value);
+ // Adds a new header to the response.
+ response.addHeader(name, String.valueOf(value));
+ return true;
+ }
+ return false;
+ }
+}
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsAuthenticatedUser.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsAuthenticatedUser.java
index d31a9b51ae22..c543da0d4bfd 100644
--- a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsAuthenticatedUser.java
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsAuthenticatedUser.java
@@ -19,8 +19,10 @@
package org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js;
import org.apache.commons.lang.ArrayUtils;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.JsWrapperFactoryProvider;
import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.base.JsBaseAuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
@@ -101,6 +103,71 @@ public JsAuthenticatedUser(AuthenticationContext context, AuthenticatedUser wrap
initializeContext(context);
}
+ public Object getMember(String name) {
+
+ switch (name) {
+ case FrameworkConstants.JSAttributes.JS_AUTHENTICATED_SUBJECT_IDENTIFIER:
+ return getWrapped().getAuthenticatedSubjectIdentifier();
+ case FrameworkConstants.JSAttributes.JS_USERNAME:
+ return getWrapped().getUserName();
+ case FrameworkConstants.JSAttributes.JS_UNIQUE_ID:
+ Object userId = null;
+ try {
+ userId = getWrapped().getUserId();
+ } catch (UserIdNotFoundException e) {
+ LOG.error("Error while retrieving user Id of user : " + getWrapped().getLoggableUserId(), e);
+ }
+ return userId;
+ case FrameworkConstants.JSAttributes.JS_USER_STORE_DOMAIN:
+ return getWrapped().getUserStoreDomain();
+ case FrameworkConstants.JSAttributes.JS_TENANT_DOMAIN:
+ return getWrapped().getTenantDomain();
+ case FrameworkConstants.JSAttributes.JS_LOCAL_CLAIMS:
+ if (StringUtils.isNotBlank(idp)) {
+ return JsWrapperFactoryProvider.getInstance().getWrapperFactory()
+ .createJsClaims(getContext(), step, idp, false);
+ }
+ // Represent step independent user
+ return JsWrapperFactoryProvider.getInstance().getWrapperFactory()
+ .createJsClaims(getContext(), getWrapped(), false);
+ case FrameworkConstants.JSAttributes.JS_REMOTE_CLAIMS:
+ if (StringUtils.isNotBlank(idp)) {
+ return JsWrapperFactoryProvider.getInstance().getWrapperFactory()
+ .createJsClaims(getContext(), step, idp, true);
+ }
+ // Represent step independent user
+ return JsWrapperFactoryProvider.getInstance().getWrapperFactory()
+ .createJsClaims(getContext(), getWrapped(), true);
+
+ case FrameworkConstants.JSAttributes.JS_LOCAL_ROLES:
+ return getLocalRoles();
+ case FrameworkConstants.JSAttributes.JS_CLAIMS:
+ if (StringUtils.isNotBlank(idp)) {
+ return JsWrapperFactoryProvider.getInstance().getWrapperFactory()
+ .createJsRuntimeClaims(getContext(), step, idp);
+ }
+ // Represent step independent user
+ return JsWrapperFactoryProvider.getInstance().getWrapperFactory()
+ .createJsRuntimeClaims(getContext(), getWrapped());
+ default:
+ return super.getMember(name);
+ }
+ }
+
+ public Object getMemberKeys() {
+
+ return new String[]{
+ FrameworkConstants.JSAttributes.JS_AUTHENTICATED_SUBJECT_IDENTIFIER,
+ FrameworkConstants.JSAttributes.JS_USERNAME,
+ FrameworkConstants.JSAttributes.JS_USER_STORE_DOMAIN,
+ FrameworkConstants.JSAttributes.JS_TENANT_DOMAIN,
+ FrameworkConstants.JSAttributes.JS_LOCAL_CLAIMS,
+ FrameworkConstants.JSAttributes.JS_REMOTE_CLAIMS,
+ FrameworkConstants.JSAttributes.JS_LOCAL_ROLES,
+ FrameworkConstants.JSAttributes.JS_CLAIMS
+ };
+ }
+
public void setMember(String name, Object value) {
switch (name) {
@@ -126,10 +193,10 @@ public boolean hasMember(String name) {
return getWrapped().getUserStoreDomain() != null;
case FrameworkConstants.JSAttributes.JS_TENANT_DOMAIN:
return getWrapped().getTenantDomain() != null;
+ case FrameworkConstants.JSAttributes.JS_CLAIMS:
case FrameworkConstants.JSAttributes.JS_LOCAL_CLAIMS:
- return idp != null;
case FrameworkConstants.JSAttributes.JS_REMOTE_CLAIMS:
- return idp != null && !FrameworkConstants.LOCAL.equals(idp);
+ return true;
default:
return super.hasMember(name);
}
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsAuthenticationContext.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsAuthenticationContext.java
index ca88bee0e9cc..e988d7508798 100644
--- a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsAuthenticationContext.java
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsAuthenticationContext.java
@@ -19,9 +19,12 @@
package org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js;
import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.JsWrapperFactoryProvider;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.base.JsBaseAuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.base.JsBaseAuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.context.TransientObjectWrapper;
+import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
import java.util.Map;
@@ -70,21 +73,91 @@ public boolean hasMember(String name) {
return !getWrapped().getSequenceConfig().getStepMap().isEmpty();
case FrameworkConstants.JSAttributes.JS_ENDPOINT_PARAMS:
return getWrapped().getEndpointParams() != null;
+ case FrameworkConstants.JSAttributes.JS_CURRENT_STEP:
+ case FrameworkConstants.JSAttributes.JS_RETRY_STEP:
+ return true;
+ case FrameworkConstants.JSAttributes.JS_CURRENT_KNOWN_SUBJECT:
+ return getCurrentSubjectIdentifierStep() != null;
default:
return super.hasMember(name);
}
}
- @Override
- public void setMember(String name, Object value) {
+ public Object getMember(String name) {
switch (name) {
- case FrameworkConstants.JSAttributes.JS_SELECTED_ACR:
- getWrapped().setSelectedAcr(String.valueOf(value));
- break;
+ case FrameworkConstants.JSAttributes.JS_REQUESTED_ACR:
+ return getWrapped().getRequestedAcr();
+ case FrameworkConstants.JSAttributes.JS_TENANT_DOMAIN:
+ return getWrapped().getTenantDomain();
+ case FrameworkConstants.JSAttributes.JS_SERVICE_PROVIDER_NAME:
+ return getWrapped().getServiceProviderName();
+ case FrameworkConstants.JSAttributes.JS_LAST_LOGIN_FAILED_USER:
+ return getLastLoginFailedUserFromWrappedContext();
+ case FrameworkConstants.JSAttributes.JS_REQUEST:
+ return JsWrapperFactoryProvider.getInstance().getWrapperFactory()
+ .createJsServletRequest((TransientObjectWrapper) getWrapped()
+ .getParameter(FrameworkConstants.RequestAttribute.HTTP_REQUEST));
+ case FrameworkConstants.JSAttributes.JS_RESPONSE:
+ return JsWrapperFactoryProvider.getInstance().getWrapperFactory()
+ .createJsServletResponse((TransientObjectWrapper) getWrapped()
+ .getParameter(FrameworkConstants.RequestAttribute.HTTP_RESPONSE));
+ case FrameworkConstants.JSAttributes.JS_STEPS:
+ return JsWrapperFactoryProvider.getInstance().getWrapperFactory().createJsSteps(getWrapped());
+ case FrameworkConstants.JSAttributes.JS_CURRENT_STEP:
+ return JsWrapperFactoryProvider.getInstance().getWrapperFactory()
+ .createJsStep(getContext(), getContext().getCurrentStep(), getAuthenticatedIdPOfCurrentStep(),
+ getAuthenticatedAuthenticatorOfCurrentStep());
+ case FrameworkConstants.JSAttributes.JS_CURRENT_KNOWN_SUBJECT:
+ StepConfig stepConfig = getCurrentSubjectIdentifierStep();
+ if (stepConfig != null) {
+ return JsWrapperFactoryProvider.getInstance().getWrapperFactory()
+ .createJsAuthenticatedUser(this.getContext(), stepConfig.getAuthenticatedUser(),
+ stepConfig.getOrder(), stepConfig.getAuthenticatedIdP());
+ }
+ return null;
+ case FrameworkConstants.JSAttributes.JS_RETRY_STEP:
+ return getWrapped().isRetrying();
+ case FrameworkConstants.JSAttributes.JS_ENDPOINT_PARAMS:
+ return JsWrapperFactoryProvider.getInstance().getWrapperFactory()
+ .createJsWritableParameters(getContext().getEndpointParams());
default:
- super.setMember(name, value);
+ return super.getMember(name);
+ }
+ }
+
+ public Object getMemberKeys() {
+
+ return new String[]{
+ FrameworkConstants.JSAttributes.JS_REQUESTED_ACR,
+ FrameworkConstants.JSAttributes.JS_TENANT_DOMAIN,
+ FrameworkConstants.JSAttributes.JS_SERVICE_PROVIDER_NAME,
+ FrameworkConstants.JSAttributes.JS_LAST_LOGIN_FAILED_USER,
+ FrameworkConstants.JSAttributes.JS_REQUEST,
+ FrameworkConstants.JSAttributes.JS_RESPONSE,
+ FrameworkConstants.JSAttributes.JS_STEPS,
+ FrameworkConstants.JSAttributes.JS_CURRENT_STEP,
+ FrameworkConstants.JSAttributes.JS_CURRENT_KNOWN_SUBJECT,
+ FrameworkConstants.JSAttributes.JS_RETRY_STEP};
+ }
+
+ public boolean setMemberObject(String name, Object value) {
+
+ if (name.equals(FrameworkConstants.JSAttributes.JS_SELECTED_ACR)) {
+ getWrapped().setSelectedAcr(String.valueOf(value));
+ } else {
+ super.setMember(name, value);
+ }
+ return true;
+ }
+
+ public boolean removeMemberObject(String name) {
+
+ if (name.equals(FrameworkConstants.JSAttributes.JS_SELECTED_ACR)) {
+ getWrapped().setSelectedAcr(null);
+ return true;
}
+ return false;
}
private boolean hasTransientValueInParameters(String key) {
@@ -93,18 +166,6 @@ private boolean hasTransientValueInParameters(String key) {
return transientObjectWrapper != null && transientObjectWrapper.getWrapped() != null;
}
-// protected JsAbstractAuthenticatedUser getLastLoginFailedUserFromWrappedContext() {
-//
-// Object lastLoginFailedUser
-// = getWrapped().getProperty(FrameworkConstants.JSAttributes.JS_LAST_LOGIN_FAILED_USER);
-// if (lastLoginFailedUser instanceof AuthenticatedUser) {
-// return new JsAbstractAuthenticatedUser(getWrapped(), (AuthenticatedUser) lastLoginFailedUser);
-// } else {
-// return null;
-// }
-// }
-
-
protected String getAuthenticatedIdPOfCurrentStep() {
if (getContext().getSequenceConfig() == null) {
@@ -121,6 +182,19 @@ protected String getAuthenticatedIdPOfCurrentStep() {
}
+ protected String getAuthenticatedAuthenticatorOfCurrentStep() {
+
+ if (getContext().getSequenceConfig() == null) {
+ // Sequence config is not yet initialized.
+ return null;
+ }
+
+ StepConfig stepConfig = getContext().getSequenceConfig().getStepMap()
+ .get(getContext().getCurrentStep());
+
+ return stepConfig != null ? stepConfig.getAuthenticatedAutenticator().getName() : null;
+ }
+
protected StepConfig getCurrentSubjectIdentifierStep() {
if (getContext().getSequenceConfig() == null) {
@@ -136,8 +210,18 @@ protected StepConfig getCurrentSubjectIdentifierStep() {
return subjectIdentifierStep.get();
} else if (getContext().getCurrentStep() > 0) {
return stepConfigs.get(getContext().getCurrentStep());
- } else {
- return null;
}
+ return null;
+ }
+
+ protected JsBaseAuthenticatedUser getLastLoginFailedUserFromWrappedContext() {
+
+ Object lastLoginFailedUser
+ = getWrapped().getProperty(FrameworkConstants.JSAttributes.JS_LAST_LOGIN_FAILED_USER);
+ if (lastLoginFailedUser instanceof AuthenticatedUser) {
+ return JsWrapperFactoryProvider.getInstance().getWrapperFactory()
+ .createJsAuthenticatedUser(getWrapped(), (AuthenticatedUser) lastLoginFailedUser);
+ }
+ return null;
}
}
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsClaims.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsClaims.java
new file mode 100644
index 000000000000..99b82ba49fa0
--- /dev/null
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsClaims.java
@@ -0,0 +1,474 @@
+/*
+ * Copyright (c) 2024, WSO2 LLC. (http://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator;
+import org.wso2.carbon.identity.application.authentication.framework.config.ConfigurationFacade;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.ExternalIdPConfig;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.base.JsBaseClaims;
+import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
+import org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException;
+import org.wso2.carbon.identity.application.authentication.framework.internal.FrameworkServiceDataHolder;
+import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
+import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
+import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
+import org.wso2.carbon.identity.application.common.model.ClaimMapping;
+import org.wso2.carbon.identity.application.mgt.ApplicationConstants;
+import org.wso2.carbon.identity.base.IdentityException;
+import org.wso2.carbon.identity.claim.metadata.mgt.ClaimMetadataHandler;
+import org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException;
+import org.wso2.carbon.identity.core.IdentityClaimManager;
+import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
+import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
+import org.wso2.carbon.idp.mgt.IdentityProviderManager;
+import org.wso2.carbon.user.api.UserRealm;
+import org.wso2.carbon.user.api.UserStoreException;
+import org.wso2.carbon.user.core.UserStoreClientException;
+import org.wso2.carbon.user.core.claim.Claim;
+import org.wso2.carbon.user.core.common.AbstractUserStoreManager;
+import org.wso2.carbon.user.core.service.RealmService;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+
+/**
+ * Represent the user's claim for Javascript Execution. This contains the common methods for all script engines.
+ */
+public abstract class JsClaims extends AbstractJSContextMemberObject implements JsBaseClaims {
+
+ private static final Log LOG = LogFactory.getLog(JsClaims.class);
+ private String idp;
+ private boolean isRemoteClaimRequest;
+ private int step;
+ protected transient AuthenticatedUser authenticatedUser;
+
+ /**
+ * Constructor to get the user authenticated in step 'n'.
+ *
+ * @param step The authentication step
+ * @param idp The authenticated IdP
+ * @param isRemoteClaimRequest Whether the request is for remote claim (false for local claim request)
+ */
+ public JsClaims(AuthenticationContext context, int step, String idp, boolean isRemoteClaimRequest) {
+
+ this(step, idp, isRemoteClaimRequest);
+ initializeContext(context);
+ }
+
+ public JsClaims(int step, String idp, boolean isRemoteClaimRequest) {
+
+ this.isRemoteClaimRequest = isRemoteClaimRequest;
+ this.idp = idp;
+ this.step = step;
+ }
+
+ public JsClaims() {
+
+ }
+
+ @Override
+ public void initializeContext(AuthenticationContext context) {
+
+ super.initializeContext(context);
+ if (StringUtils.isNotBlank(idp) && getContext().getCurrentAuthenticatedIdPs().containsKey(idp)) {
+ this.authenticatedUser = getContext().getCurrentAuthenticatedIdPs().get(idp).getUser();
+ } else {
+ this.authenticatedUser = getAuthenticatedUserFromSubjectIdentifierStep();
+ }
+ }
+
+ /**
+ * Get authenticated user from step config of current subject identifier.
+ *
+ * @return AuthenticatedUser.
+ */
+ private AuthenticatedUser getAuthenticatedUserFromSubjectIdentifierStep() {
+
+ AuthenticatedUser authenticatedUser = null;
+ StepConfig stepConfig = getCurrentSubjectIdentifierStep();
+ if (stepConfig != null) {
+ authenticatedUser = getCurrentSubjectIdentifierStep().getAuthenticatedUser();
+ }
+ return authenticatedUser;
+ }
+
+ /**
+ * Retrieve step config of current subject identifier.
+ *
+ * @return StepConfig.
+ */
+ private StepConfig getCurrentSubjectIdentifierStep() {
+
+ if (getContext().getSequenceConfig() == null) {
+ // Sequence config is not yet initialized.
+ return null;
+ }
+ Map stepConfigs = getContext().getSequenceConfig().getStepMap();
+ Optional subjectIdentifierStep = stepConfigs.values().stream()
+ .filter(stepConfig -> (stepConfig.isCompleted() && stepConfig.isSubjectIdentifierStep())).findFirst();
+ if (subjectIdentifierStep.isPresent()) {
+ return subjectIdentifierStep.get();
+ } else if (getContext().getCurrentStep() > 0) {
+ return stepConfigs.get(getContext().getCurrentStep());
+ }
+ return null;
+ }
+
+ /**
+ * Constructor to get user who is not directly from an authentication step. E.g. Associated user of authenticated
+ * federated user in an authentication step.
+ *
+ * @param authenticatedUser Authenticated user
+ * @param isRemoteClaimRequest Whether the request is for remote claim (false for local claim request)
+ */
+ public JsClaims(AuthenticatedUser authenticatedUser, boolean isRemoteClaimRequest) {
+
+ this.isRemoteClaimRequest = isRemoteClaimRequest;
+ this.authenticatedUser = authenticatedUser;
+ }
+
+ public JsClaims(AuthenticationContext context, AuthenticatedUser authenticatedUser, boolean isRemoteClaimRequest) {
+
+ this(authenticatedUser, isRemoteClaimRequest);
+ initializeContext(context);
+ }
+
+ public Object getMember(String claimUri) {
+
+ if (authenticatedUser != null) {
+ if (isRemoteClaimRequest) {
+ return getFederatedClaim(claimUri);
+ } else {
+ return getLocalClaim(claimUri);
+ }
+ }
+ return null;
+ }
+
+ public boolean hasMember(String claimUri) {
+
+ if (authenticatedUser != null) {
+ if (isRemoteClaimRequest) {
+ return hasFederatedClaim(claimUri);
+ } else {
+ return hasLocalClaim(claimUri);
+ }
+ }
+ return false;
+ }
+
+ public boolean setMemberObject(String claimUri, Object claimValue) {
+
+ if (authenticatedUser != null) {
+ if (isRemoteClaimRequest) {
+ setFederatedClaim(claimUri, String.valueOf(claimValue));
+ } else {
+ setLocalClaim(claimUri, String.valueOf(claimValue));
+ }
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * Get the claim by local claim URI.
+ *
+ * @param claimUri Local claim URI
+ * @param claimValue Claim Value
+ */
+ private void setLocalClaim(String claimUri, String claimValue) {
+
+ if (isFederatedIdP()) {
+ setLocalMappedClaim(claimUri, claimValue);
+ } else {
+ /* This covers step with a local authenticator, and the scenarios where step/idp is not set
+ if the step/idp is not set, user is assumed to be a local user. */
+ setLocalUserClaim(claimUri, claimValue);
+ }
+ }
+
+ /**
+ * Sets the remote claim value that is mapped to the give local claim.
+ *
+ * @param localClaimURI Local claim URI
+ * @param claimValue Value to be set
+ */
+ private void setLocalMappedClaim(String localClaimURI, String claimValue) {
+
+ Map idpAttributesMap = authenticatedUser.getUserAttributes();
+ Map remoteMapping = FrameworkUtils.getClaimMappings(idpAttributesMap, false);
+ String mappedRemoteClaim = getRemoteClaimMappedToLocalClaim(localClaimURI, remoteMapping);
+ if (mappedRemoteClaim != null) {
+ setFederatedClaim(mappedRemoteClaim, claimValue);
+ }
+ }
+
+ /**
+ * Sets a local claim directly at the userstore for the given user by given claim uri.
+ *
+ * @param claimUri Local claim URI
+ * @param claimValue Claim value
+ */
+ private void setLocalUserClaim(String claimUri, Object claimValue) {
+
+ int usersTenantId = IdentityTenantUtil.getTenantId(authenticatedUser.getTenantDomain());
+ RealmService realmService = FrameworkServiceDataHolder.getInstance().getRealmService();
+ try {
+ UserRealm userRealm = realmService.getTenantUserRealm(usersTenantId);
+ Map claimUriMap = new HashMap<>();
+ claimUriMap.put(claimUri, String.valueOf(claimValue));
+ ((AbstractUserStoreManager) userRealm.getUserStoreManager())
+ .setUserClaimValuesWithID(authenticatedUser.getUserId(), claimUriMap, null);
+ } catch (UserStoreClientException e) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(String.format("Error when setting claim : %s of user: %s to value: %s. Error Message: %s",
+ claimUri, authenticatedUser, claimValue, e.getMessage()));
+ }
+ } catch (UserStoreException e) {
+ LOG.error(String.format("Error when setting claim : %s of user: %s to value: %s", claimUri,
+ authenticatedUser, claimValue), e);
+ } catch (UserIdNotFoundException e) {
+ LOG.error("User id is not available for the user: " + authenticatedUser.getLoggableMaskedUserId(), e);
+ }
+ }
+
+ /**
+ * Gets the remote claim that is mapped to the given local claim.
+ *
+ * @param localClaim local claim URI
+ * @param remoteClaimsMap Remote claim URI - value map
+ * @return Mapped remote claim URI if present. null otherwise
+ */
+ private String getRemoteClaimMappedToLocalClaim(String localClaim, Map remoteClaimsMap) {
+
+ String authenticatorDialect = null;
+ Map localToIdpClaimMapping;
+ String tenantDomain = getContext().getTenantDomain();
+ try {
+ /* Check if the IDP use a standard dialect (like oidc), If it does, dialect claim mapping are
+ prioritized over IdP claim mapping. */
+ ApplicationAuthenticator authenticator =
+ getContext().getSequenceConfig().getStepMap().get(step).getAuthenticatedAutenticator()
+ .getApplicationAuthenticator();
+ authenticatorDialect = authenticator.getClaimDialectURI();
+ ExternalIdPConfig idPConfig = ConfigurationFacade.getInstance().getIdPConfigByName(idp, tenantDomain);
+ boolean useDefaultIdpDialect = idPConfig.useDefaultLocalIdpDialect();
+
+ if (authenticatorDialect != null || useDefaultIdpDialect) {
+ if (authenticatorDialect == null) {
+ authenticatorDialect = ApplicationConstants.LOCAL_IDP_DEFAULT_CLAIM_DIALECT;
+ }
+ localToIdpClaimMapping = ClaimMetadataHandler.getInstance()
+ .getMappingsMapFromOtherDialectToCarbon(authenticatorDialect, remoteClaimsMap.keySet(),
+ tenantDomain, true);
+ } else {
+ localToIdpClaimMapping = IdentityProviderManager.getInstance()
+ .getMappedIdPClaimsMap(idp, tenantDomain, Collections.singletonList(localClaim));
+ }
+ if (localToIdpClaimMapping != null) {
+ return localToIdpClaimMapping.get(localClaim);
+ }
+ } catch (IdentityProviderManagementException e) {
+ LOG.error(String.format("Error when getting claim : %s of user: %s", localClaim, authenticatedUser), e);
+ } catch (ClaimMetadataException e) {
+ LOG.error("Error when getting claim mappings from " + authenticatorDialect + " for tenant domain: " +
+ tenantDomain);
+ }
+ return null;
+ }
+
+ protected boolean hasLocalClaim(String claimUri) {
+
+ int usersTenantId = IdentityTenantUtil.getTenantId(authenticatedUser.getTenantDomain());
+ RealmService realmService = FrameworkServiceDataHolder.getInstance().getRealmService();
+ try {
+ UserRealm userRealm = realmService.getTenantUserRealm(usersTenantId);
+ Claim[] supportedClaims = IdentityClaimManager.getInstance()
+ .getAllSupportedClaims((org.wso2.carbon.user.core.UserRealm) userRealm);
+ for (Claim claim : supportedClaims) {
+ if (claim.getClaimUri().equals(claimUri)) {
+ return true;
+ }
+ }
+ } catch (UserStoreException e) {
+ LOG.error("Error when retrieving user realm for tenant : " + usersTenantId, e);
+ } catch (IdentityException e) {
+ LOG.error("Error when initializing identity claim manager.", e);
+ }
+ return false;
+ }
+
+ /**
+ * Check if the user has a federated claim with given name.
+ *
+ * @param claimUri Federated claim URI
+ * @return true if the IdP is federated, and it has a claim for user with given URI.
+ * false otherwise
+ */
+ protected boolean hasFederatedClaim(String claimUri) {
+
+ if (isFederatedIdP()) {
+ Map attributesMap = authenticatedUser.getUserAttributes();
+ Map remoteMapping = FrameworkUtils.getClaimMappings(attributesMap, false);
+ return remoteMapping.containsKey(claimUri);
+ }
+ // Can be a case where step is not set (e.g. associated local user)
+ return false;
+ }
+
+ /**
+ * Get the claim by federated claim URI.
+ *
+ * @param claimUri Federated claim URI
+ * @return Claim value if the Idp is a federated Idp, and has a claim by given url for the user.
+ * null otherwise.
+ */
+ protected String getFederatedClaim(String claimUri) {
+
+ // If the idp is local, return null
+ if (isFederatedIdP()) {
+ Map attributesMap = authenticatedUser.getUserAttributes();
+ Map remoteMapping = FrameworkUtils.getClaimMappings(attributesMap, false);
+ return remoteMapping.get(claimUri);
+ }
+ // Can be a case where step is not set (e.g. associated local user)
+ return null;
+ }
+
+ /**
+ * Get the claim by local claim URI.
+ *
+ * @param claimUri Local claim URI
+ * @return Local user's claim value if the Idp is local, Mapped remote claim if the Idp is federated.
+ */
+ protected String getLocalClaim(String claimUri) {
+
+ if (isFederatedIdP()) {
+ return getLocalMappedClaim(claimUri);
+ }
+ /* This covers step with a local authenticator, and the scenarios where step/idp is not set
+ if the step/idp is not set, user is assumed to be a local user. */
+ return getLocalUserClaim(claimUri);
+ }
+
+ /**
+ * Check if step's IdP is a federated IDP.
+ *
+ * @return true if the idp is federated
+ */
+ protected boolean isFederatedIdP() {
+
+ return StringUtils.isNotBlank(idp) && !FrameworkConstants.LOCAL.equals(idp);
+ }
+
+ /**
+ * Sets a custom remote claim to the user.
+ *
+ * @param claimUri Remote claim uri
+ * @param claimValue Claim value
+ */
+ private void setFederatedClaim(String claimUri, String claimValue) {
+
+ if (claimValue == null) {
+ claimValue = StringUtils.EMPTY;
+ }
+ ClaimMapping newClaimMapping = ClaimMapping.build(claimUri, claimUri, null, false);
+ authenticatedUser.getUserAttributes().put(newClaimMapping, claimValue);
+ }
+
+ /**
+ * Gets the mapped remote claim value for the given local claim URI.
+ *
+ * @param claimUri Local claim URI
+ * @return Mapped remote claim value from IdP
+ */
+ private String getLocalMappedClaim(String claimUri) {
+
+ Map idpAttributesMap = authenticatedUser.getUserAttributes();
+ Map remoteMapping = FrameworkUtils.getClaimMappings(idpAttributesMap, false);
+
+ String remoteMappedClaim = getRemoteClaimMappedToLocalClaim(claimUri, remoteMapping);
+ if (remoteMappedClaim != null) {
+ return remoteMapping.get(remoteMappedClaim);
+ }
+ return null;
+ }
+
+ /**
+ * Get the local user claim value specified by the Claim URI.
+ *
+ * @param claimUri Local claim URI
+ * @return Claim value of the given claim URI for the local user if available. Null Otherwise.
+ */
+ private String getLocalUserClaim(String claimUri) {
+
+ int usersTenantId = IdentityTenantUtil.getTenantId(authenticatedUser.getTenantDomain());
+ RealmService realmService = FrameworkServiceDataHolder.getInstance().getRealmService();
+ try {
+ UserRealm userRealm = realmService.getTenantUserRealm(usersTenantId);
+ Map claimValues =
+ ((AbstractUserStoreManager) userRealm.getUserStoreManager())
+ .getUserClaimValuesWithID(authenticatedUser.getUserId(), new String[] {claimUri}, null);
+ return claimValues.get(claimUri);
+ } catch (UserStoreException e) {
+ LOG.error(String.format("Error when getting claim : %s of user: %s", claimUri, authenticatedUser), e);
+ } catch (UserIdNotFoundException e) {
+ LOG.error("User id is not available for the user: " + authenticatedUser.getLoggableMaskedUserId(), e);
+ }
+ return null;
+ }
+
+ protected Object getRuntimeClaim(String claimUri) {
+
+ String runtimeClaimValue = getContext().getRuntimeClaim(claimUri);
+ if (runtimeClaimValue != null) {
+ return runtimeClaimValue;
+ }
+ if (isFederatedIdP()) {
+ return getFederatedClaim(claimUri);
+ }
+ return getLocalClaim(claimUri);
+ }
+
+ protected boolean hasRuntimeClaim(String claimUri) {
+
+ String claim = getContext().getRuntimeClaim(claimUri);
+ if (claim != null) {
+ return true;
+ }
+ if (isFederatedIdP()) {
+ return hasFederatedClaim(claimUri);
+ }
+ return hasLocalClaim(claimUri);
+ }
+
+ protected void setRuntimeClaim(String claimUri, Object claimValue) {
+
+ if (claimValue == null) {
+ claimValue = StringUtils.EMPTY;
+ }
+ getContext().addRuntimeClaim(claimUri, String.valueOf(claimValue));
+ }
+}
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsCookie.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsCookie.java
index 487ce4404b5d..0f145a960e5f 100644
--- a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsCookie.java
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsCookie.java
@@ -18,9 +18,13 @@
package org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.base.JsBaseCookie;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
+import java.util.Arrays;
+
import javax.servlet.http.Cookie;
/**
@@ -32,6 +36,8 @@
*/
public abstract class JsCookie extends AbstractJSObjectWrapper implements JsBaseCookie {
+ protected static final Log LOG = LogFactory.getLog(JsCookie.class);
+
public JsCookie(Cookie cookie) {
super(cookie);
}
@@ -63,6 +69,17 @@ public Object getMember(String name) {
}
}
+ public Object getMemberKeys() {
+
+ String[] cookieProperties = new String[]{
+ FrameworkConstants.JSAttributes.JS_COOKIE_NAME, FrameworkConstants.JSAttributes.JS_COOKIE_VALUE,
+ FrameworkConstants.JSAttributes.JS_COOKIE_COMMENT, FrameworkConstants.JSAttributes.JS_COOKIE_DOMAIN,
+ FrameworkConstants.JSAttributes.JS_COOKIE_MAX_AGE, FrameworkConstants.JSAttributes.JS_COOKIE_PATH,
+ FrameworkConstants.JSAttributes.JS_COOKIE_SECURE, FrameworkConstants.JSAttributes.JS_COOKIE_VERSION,
+ FrameworkConstants.JSAttributes.JS_COOKIE_HTTP_ONLY};
+ return Arrays.stream(cookieProperties).filter(this::hasMember).toArray();
+ }
+
@Override
public boolean hasMember(String name) {
@@ -81,8 +98,16 @@ public boolean hasMember(String name) {
return getWrapped().getPath() != null;
case FrameworkConstants.JSAttributes.JS_COOKIE_VERSION:
return getWrapped().getVersion() != 0;
+ case FrameworkConstants.JSAttributes.JS_COOKIE_SECURE:
+ case FrameworkConstants.JSAttributes.JS_COOKIE_HTTP_ONLY:
+ return true;
default:
return super.hasMember(name);
}
}
+
+ public void setMember(String name, Object value) {
+
+ LOG.warn("Unsupported operation. Cookie is read only. Can't remove parameter " + name);
+ }
}
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsLogger.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsLogger.java
index 5b121e9848fc..609cb0f96b38 100644
--- a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsLogger.java
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsLogger.java
@@ -20,6 +20,7 @@
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.graalvm.polyglot.HostAccess;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.utils.DiagnosticLog;
@@ -49,6 +50,7 @@ public static JsLogger getInstance() {
*
* @param values
*/
+ @HostAccess.Export
public void log(Object... values) {
if (values != null) {
@@ -78,6 +80,7 @@ public void log(Object... values) {
}
}
+ @HostAccess.Export
public void debug(String value) {
logger.debug(value);
@@ -91,6 +94,7 @@ public void debug(String value) {
}
}
+ @HostAccess.Export
public void info(String value) {
logger.info(value);
@@ -104,6 +108,7 @@ public void info(String value) {
}
}
+ @HostAccess.Export
public void error(String value) {
logger.error(value);
@@ -117,6 +122,7 @@ public void error(String value) {
}
}
+ @HostAccess.Export
public void log(String message, Object... values) {
}
diff --git a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsParameters.java b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsParameters.java
index 872e71ebf9d2..0a6fdc9fcab1 100644
--- a/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsParameters.java
+++ b/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/config/model/graph/js/JsParameters.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2022, WSO2 LLC. (http://www.wso2.com).
+ * Copyright (c) 2022-2024, WSO2 LLC. (http://www.wso2.com).
*
* WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
@@ -20,6 +20,7 @@
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.JsWrapperFactoryProvider;
import org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.base.JsBaseParameters;
import java.util.Map;
@@ -32,7 +33,7 @@
*/
public abstract class JsParameters extends AbstractJSObjectWrapper