
Example 1 with SamlResponse

use of com.coveo.saml.SamlResponse in project cloud-pipeline by epam.

the class CustomSamlClient method decodeSamlResponse.

/**
 * Decode SAMLResponse with no validation
 * @param encodedResponse the encoded response returned by the identity provider.
 * @return An {@link Response} object containing information decoded from the SAML response.
 * @throws SAMLException if the base64 payload or the XML it contains cannot be decoded.
 */
public static Response decodeSamlResponse(String encodedResponse) throws SAMLException {
    String decodedResponse;
    try {
        decodedResponse = new String(Base64.decode(encodedResponse), "UTF-8");
    } catch (UnsupportedEncodingException ex) {
        throw new SAMLException("Cannot decode base64 encoded response", ex);
    }
    // Decoding only: signature, issue time, assertion and destination checks are done later by validate()
    logger.trace("Validating SAML response: " + decodedResponse);
    try {
        DOMParser parser = createDOMParser();
        parser.parse(new InputSource(new StringReader(decodedResponse)));
        return (Response) Configuration.getUnmarshallerFactory()
                .getUnmarshaller(parser.getDocument().getDocumentElement())
                .unmarshall(parser.getDocument().getDocumentElement());
    } catch (IOException | SAXException | UnmarshallingException ex) {
        throw new SAMLException("Cannot decode xml encoded response", ex);
    }
}
Also used : Response(org.opensaml.saml2.core.Response) SamlResponse(com.coveo.saml.SamlResponse) InputSource(org.xml.sax.InputSource) StringReader(java.io.StringReader) UnsupportedEncodingException(java.io.UnsupportedEncodingException) DOMParser(com.sun.org.apache.xerces.internal.parsers.DOMParser) IOException(java.io.IOException) SAMLException(org.opensaml.common.SAMLException) UnmarshallingException(org.opensaml.xml.io.UnmarshallingException) SAXException(org.xml.sax.SAXException)

Example 2 with SamlResponse

use of com.coveo.saml.SamlResponse in project cloud-pipeline by epam.

the class SAMLProxyFilter method authenticate.

private void authenticate(String samlResponse, Response decoded, String endpointId, ExternalServiceEndpoint endpoint) throws IOException, SAMLException {
    try (FileReader metadataReader = new FileReader(new File(endpoint.getMetadataPath()))) {
        CustomSamlClient client = CustomSamlClient.fromMetadata(endpointId, metadataReader, RESPONSE_SKEW);
        client.setMaxAuthenticationAge(MAX_AUTHENTICATION_AGE);
        SamlResponse parsedResponse = client.validate(decoded);
        String userName = parsedResponse.getNameID().toUpperCase();
        PipelineUser loadedUser = userManager.loadUserByName(userName);
        if (loadedUser == null) {
            throw new UsernameNotFoundException(messageHelper.getMessage(MessageConstants.ERROR_USER_NAME_NOT_FOUND, userName));
        }
        LOGGER.debug("Found user by name {}", userName);
        UserContext userContext = new UserContext(loadedUser);
        userContext.setExternal(endpoint.isExternal());
        SecurityContextHolder.getContext().setAuthentication(new SAMLProxyAuthentication(samlResponse, parsedResponse, userContext));
    }
}
Also used : UsernameNotFoundException(org.springframework.security.core.userdetails.UsernameNotFoundException) PipelineUser(com.epam.pipeline.entity.user.PipelineUser) UserContext(com.epam.pipeline.security.UserContext) FileReader(java.io.FileReader) SamlResponse(com.coveo.saml.SamlResponse) File(java.io.File)

Example 3 with SamlResponse

use of com.coveo.saml.SamlResponse in project cloud-pipeline by epam.

the class CustomSamlClient method validate.

/**
 * Validates SAML response
 * @param response a response to validate
 * @return An {@link SamlResponse} object containing information decoded from the SAML response.
 * @throws SAMLException if the signature is invalid, or if any other error occurs.
 */
public SamlResponse validate(Response response) throws SAMLException {
    validateResponse(response);
    validateSignature(response);
    validateIssueTime(response);
    validateAssertion(response);
    validateDestination(response);
    Assertion assertion = response.getAssertions().get(0);
    return new SamlResponse(assertion);
}
Also used : Assertion(org.opensaml.saml2.core.Assertion) SamlResponse(com.coveo.saml.SamlResponse)

Example 4 with SamlResponse

use of com.coveo.saml.SamlResponse in project cloud-pipeline by epam.

the class SAMLProxyFilter method doFilterInternal.

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
    if (!urlMatches(request)) {
        filterChain.doFilter(request, response);
        return;
    }
    List<ExternalServiceEndpoint> externalServices = preferenceManager.getPreference(SYSTEM_EXTERNAL_SERVICES_ENDPOINTS);
    if (CollectionUtils.isEmpty(externalServices)) {
        LOGGER.warn(messageHelper.getMessage(MessageConstants.ERROR_PROXY_SECURITY_CONFIG_MISSING));
    } else {
        String samlResponse = request.getParameter("SAMLResponse");
        if (StringUtils.isNotBlank(samlResponse)) {
            try {
                Response decoded = CustomSamlClient.decodeSamlResponse(samlResponse);
                String audience = ListUtils.emptyIfNull(decoded.getAssertions()).stream()
                        .findFirst()
                        .map(Assertion::getConditions)
                        .map(conditions -> ListUtils.emptyIfNull(conditions.getAudienceRestrictions()).stream().findFirst())
                        .flatMap(Function.identity())
                        .map(audienceRestriction -> ListUtils.emptyIfNull(audienceRestriction.getAudiences()).stream().findFirst())
                        .flatMap(Function.identity())
                        .map(Audience::getAudienceURI)
                        .orElse(StringUtils.EMPTY);
                LOGGER.debug("Received SAMLResponse for audience: {}", audience);
                Optional<ExternalServiceEndpoint> endpointOpt = externalServices.stream()
                        .filter(e -> !StringUtils.EMPTY.equals(audience) && e.getEndpointId().equals(audience))
                        .findFirst();
                if (endpointOpt.isPresent()) {
                    authenticate(samlResponse, decoded, audience, endpointOpt.get());
                }
            } catch (SAMLException e) {
                LOGGER.warn(e.getMessage(), e);
            }
        }
    }
    filterChain.doFilter(request, response);
}
Also used : Response(org.opensaml.saml2.core.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) SamlResponse(com.coveo.saml.SamlResponse) FilterChain(javax.servlet.FilterChain) UsernameNotFoundException(org.springframework.security.core.userdetails.UsernameNotFoundException) ServletException(javax.servlet.ServletException) MessageConstants(com.epam.pipeline.common.MessageConstants) LoggerFactory(org.slf4j.LoggerFactory) SYSTEM_EXTERNAL_SERVICES_ENDPOINTS(com.epam.pipeline.manager.preference.SystemPreferences.SYSTEM_EXTERNAL_SERVICES_ENDPOINTS) Autowired(org.springframework.beans.factory.annotation.Autowired) OncePerRequestFilter(org.springframework.web.filter.OncePerRequestFilter) StringUtils(org.apache.commons.lang3.StringUtils) Function(java.util.function.Function) CollectionUtils(org.apache.commons.collections4.CollectionUtils) HttpServletRequest(javax.servlet.http.HttpServletRequest) UserContext(com.epam.pipeline.security.UserContext) MessageHelper(com.epam.pipeline.common.MessageHelper) ListUtils(org.apache.commons.collections4.ListUtils) AntPathMatcher(org.springframework.util.AntPathMatcher) Assertion(org.opensaml.saml2.core.Assertion) SecurityContextHolder(org.springframework.security.core.context.SecurityContextHolder) PipelineUser(com.epam.pipeline.entity.user.PipelineUser) SAMLException(org.opensaml.common.SAMLException) Audience(org.opensaml.saml2.core.Audience) PreferenceManager(com.epam.pipeline.manager.preference.PreferenceManager) Logger(org.slf4j.Logger) IOException(java.io.IOException) ExternalServiceEndpoint(com.epam.pipeline.security.ExternalServiceEndpoint) File(java.io.File) List(java.util.List) UserManager(com.epam.pipeline.manager.user.UserManager) Optional(java.util.Optional) FileReader(java.io.FileReader)
