Search in sources :

Example 1 with Conditions

use of com.sun.identity.saml.assertion.Conditions in project OpenAM by OpenRock.

the class FSAssertion method isTimeValid.

/**
     * Checks validity of time in the assertion.
     *
     * @return true if time is valid otherwise false.
     */
public boolean isTimeValid() {
    boolean isTimeValid = true;
    Conditions conditions = getConditions();
    if (conditions != null) {
        isTimeValid = conditions.checkDateValidity(System.currentTimeMillis());
    }
    return isTimeValid;
}
Also used : Conditions(com.sun.identity.saml.assertion.Conditions)

Example 2 with Conditions

use of com.sun.identity.saml.assertion.Conditions in project OpenAM by OpenRock.

the class FSAssertionManager method createFSAssertion.

/**
     * Creates an assertion artifact.
     * @param id session ID
     * @param artifact assertion artifact
     * @param realm the realm under which the entity resides.
     * @param spEntityID service provider's entity ID
     * @param spHandle service provider issued <code>NameIdentifier</code>
     * @param idpHandle identity provider issued <code>NameIdentifier</code>
     * @param inResponseTo value to InResponseTo attribute. It's the request ID.
     * @param assertionMinorVersion minor version the assertion should use
     * @exception FSException,SAMLException if error occurrs
     */
public FSAssertion createFSAssertion(String id, AssertionArtifact artifact, String realm, String spEntityID, NameIdentifier spHandle, NameIdentifier idpHandle, String inResponseTo, int assertionMinorVersion) throws FSException, SAMLException {
    FSUtils.debug.message("FSAssertionManager.createFSAssertion(id): Called");
    // check input
    if ((id == null) || (spEntityID == null)) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager: null input for" + " method createFSAssertion.");
        }
        throw new FSException("nullInput", null);
    }
    String destID = spEntityID;
    String authMethod = null;
    String authnContextStatementRef = null;
    String authnContextClassRef = null;
    Date authInstant = null;
    String securityDomain = null;
    Object token = null;
    String univId = null;
    SubjectLocality authLocality = null;
    FSSessionManager sessionManager = FSSessionManager.getInstance(metaAlias);
    IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
    Map attributes = new HashMap();
    if (metaManager != null) {
        BaseConfigType idpConfig = null;
        try {
            idpConfig = metaManager.getIDPDescriptorConfig(realm, hostEntityId);
        } catch (IDFFMetaException e) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager.createFSAssertion: exception while" + " obtaining idp extended meta:", e);
            }
            idpConfig = null;
        }
        if (idpConfig != null) {
            attributes = IDFFMetaUtils.getAttributes(idpConfig);
        }
    }
    try {
        SessionProvider sessionProvider = SessionManager.getProvider();
        token = sessionProvider.getSession(id);
        String[] strAuthInst = null;
        try {
            strAuthInst = sessionProvider.getProperty(token, SessionProvider.AUTH_INSTANT);
        } catch (UnsupportedOperationException ue) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
            }
        } catch (SessionException se) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
            }
        }
        if ((strAuthInst != null) && (strAuthInst.length >= 1)) {
            try {
                authInstant = DateUtils.stringToDate(strAuthInst[0]);
            } catch (ParseException ex) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAssertionManager." + "createFSAssertion(id): AuthInstant not found" + "in the Token");
                }
            }
        } else {
            authInstant = new java.util.Date();
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):AuthInstant = " + authInstant);
        }
        try {
            String[] strAuthMethod = sessionProvider.getProperty(token, SessionProvider.AUTH_METHOD);
            if ((strAuthMethod != null) && (strAuthMethod.length >= 1)) {
                authMethod = strAuthMethod[0];
            }
        } catch (UnsupportedOperationException ue) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", ue);
            }
        } catch (SessionException se) {
            if (FSUtils.debug.warningEnabled()) {
                FSUtils.debug.warning("FSAssertionManager.createFSAssertion(id):", se);
            }
        }
        String assertionIssuer = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_ISSUER);
        if (assertionIssuer == null) {
            assertionIssuer = SystemConfigurationUtil.getProperty("com.iplanet.am.server.host");
        }
        try {
            String ipAddress = InetAddress.getByName(assertionIssuer).getHostAddress();
            authLocality = new SubjectLocality(ipAddress, assertionIssuer);
        } catch (UnknownHostException uhe) {
            FSUtils.debug.error("FSAssertionManager.constructor: couldn't" + " obtain the localhost's ipaddress:", uhe);
        }
        try {
            FSSession session = sessionManager.getSession(token);
            authnContextClassRef = session.getAuthnContext();
            authnContextStatementRef = authnContextClassRef;
        } catch (Exception ex) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager.createFSAssertion" + "(id): AuthnContextStatement for the token is null" + " Assertion will not contain any " + " AuthenticationStatement");
            }
            authnContextStatementRef = null;
        }
        if (authnContextStatementRef != null) {
            if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
                authMethod = IFSConstants.AC_XML_NS;
            } else {
                authMethod = IFSConstants.AC_12_XML_NS;
            }
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createFSAssertion(id):" + "AuthnContextStatement used for authenticating the user: " + authnContextStatementRef);
        }
        univId = sessionProvider.getPrincipalName(token);
        securityDomain = hostEntityId;
    } catch (Exception e) {
        FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + " exception retrieving info from the session: ", e);
        throw new FSException("alliance_manager_no_local_descriptor", null, e);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Creating Authentication Assertion for user with" + "opaqueHandle= " + spHandle.getName() + " And SecurityDomain= " + securityDomain);
    }
    SubjectConfirmation subConfirmation = null;
    String artString = null;
    if (artifact != null) {
        artString = artifact.getAssertionArtifact();
        if (assertionMinorVersion == IFSConstants.FF_11_ASSERTION_MINOR_VERSION) {
            subConfirmation = new SubjectConfirmation(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT);
        } else {
            subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT);
        }
        subConfirmation.setSubjectConfirmationData(artString);
    } else {
        // set to bearer for POST profile
        subConfirmation = new SubjectConfirmation(SAMLConstants.CONFIRMATION_METHOD_BEARER);
    }
    IDPProvidedNameIdentifier idpNi = null;
    if (assertionMinorVersion == IFSConstants.FF_12_POST_ASSERTION_MINOR_VERSION || assertionMinorVersion == IFSConstants.FF_12_ART_ASSERTION_MINOR_VERSION) {
        idpNi = new IDPProvidedNameIdentifier(idpHandle.getName(), idpHandle.getNameQualifier(), spHandle.getFormat());
        idpNi.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
    } else {
        idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
    }
    FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
    AuthnContext authnContext = new AuthnContext(authnContextClassRef, authnContextStatementRef);
    authnContext.setMinorVersion(assertionMinorVersion);
    FSAuthenticationStatement statement = new FSAuthenticationStatement(authMethod, authInstant, sub, authLocality, null, authnContext);
    FSSession session = sessionManager.getSession(univId, id);
    if (session == null) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createAssertion(id): " + "AssertionManager could not find a valid Session for" + "userId: " + univId + " SessionID: " + id);
        }
        return null;
    }
    String sessionIndex = session.getSessionIndex();
    if (sessionIndex == null) {
        sessionIndex = SAMLUtils.generateID();
        session.setSessionIndex(sessionIndex);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id): SessionIndex: " + sessionIndex);
    }
    statement.setSessionIndex(sessionIndex);
    //setReauthenticateOnOrAfter date
    Date issueInstant = new Date();
    // get this period from the config
    FSUtils.debug.message("here before date");
    Date notAfter;
    if (artifact != null) {
        notAfter = new Date(issueInstant.getTime() + artifactTimeout);
    } else {
        notAfter = new Date(issueInstant.getTime() + assertionTimeout);
    }
    FSUtils.debug.message("here after date");
    statement.setReauthenticateOnOrAfter(notAfter);
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
    }
    Conditions cond = new Conditions(null, notAfter);
    if ((destID != null) && (destID.length() != 0)) {
        List targets = new ArrayList();
        targets.add(destID);
        cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Authentication Statement: " + statement.toXMLString());
    }
    /**
         * This is added to create an attribute statement for the bootstrap
         * information.
         */
    AttributeStatement attribStatement = null;
    Advice advice = null;
    String generateBootstrapping = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.GENERATE_BOOTSTRAPPING);
    if (assertionMinorVersion != IFSConstants.FF_11_ASSERTION_MINOR_VERSION && (generateBootstrapping != null && generateBootstrapping.equals("true"))) {
        AuthnContext authContext = new AuthnContext(null, authnContextStatementRef);
        authContext.setMinorVersion(IFSConstants.FF_12_PROTOCOL_MINOR_VERSION);
        try {
            FSDiscoveryBootStrap bootStrap = new FSDiscoveryBootStrap(token, authContext, sub, univId, destID, realm);
            attribStatement = bootStrap.getBootStrapStatement();
            if (bootStrap.hasCredentials()) {
                advice = bootStrap.getCredentials();
            }
        } catch (Exception e) {
            FSUtils.debug.error("FSAssertionManager.createAssertion(id):" + "exception when generating bootstrapping resource " + "offering:", e);
        }
    }
    AssertionIDReference aID = new AssertionIDReference();
    Set statements = new HashSet();
    statements.add(statement);
    if (attribStatement != null) {
        statements.add(attribStatement);
    }
    String attributePluginImpl = IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ATTRIBUTE_PLUGIN);
    if ((attributePluginImpl != null) && (attributePluginImpl.length() != 0)) {
        try {
            Object pluginClass = Thread.currentThread().getContextClassLoader().loadClass(attributePluginImpl).newInstance();
            List attribStatements = null;
            if (pluginClass instanceof FSRealmAttributePlugin) {
                FSRealmAttributePlugin attributePlugin = (FSRealmAttributePlugin) pluginClass;
                attribStatements = attributePlugin.getAttributeStatements(realm, hostEntityId, destID, sub, token);
            } else if (pluginClass instanceof FSAttributePlugin) {
                FSAttributePlugin attributePlugin = (FSAttributePlugin) pluginClass;
                attribStatements = attributePlugin.getAttributeStatements(hostEntityId, destID, sub, token);
            }
            if ((attribStatements != null) && (attribStatements.size() != 0)) {
                Iterator iter = attribStatements.iterator();
                while (iter.hasNext()) {
                    statements.add((AttributeStatement) iter.next());
                }
            }
        } catch (Exception ex) {
            FSUtils.debug.error("FSAssertion.createAssertion(id):getAttributePlugin:", ex);
        }
    }
    if (IDFFMetaUtils.isAutoFedEnabled(attributes)) {
        AttributeStatement autoFedStatement = FSAttributeStatementHelper.getAutoFedAttributeStatement(realm, hostEntityId, sub, token);
        statements.add(autoFedStatement);
    }
    FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), hostEntityId, issueInstant, cond, advice, statements, inResponseTo);
    assertion.setMinorVersion(assertionMinorVersion);
    assertion.setID(aID.getAssertionIDReference());
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion created successfully: " + assertion.toXMLString());
    }
    String aIDString = assertion.getAssertionID();
    Entry entry = new Entry(assertion, destID, artString, token);
    Integer maxNumber = null;
    try {
        int temp = Integer.parseInt(IDFFMetaUtils.getFirstAttributeValue(attributes, IFSConstants.ASSERTION_LIMIT));
        maxNumber = new Integer(temp);
    } catch (Exception ex) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Assertion MAX number configuration not found in " + "FSConfig. Using Default");
        }
        maxNumber = null;
    }
    if (maxNumber == null) {
        maxNumber = new Integer(IFSConstants.ASSERTION_MAX_NUMBER_DEFAULT);
    }
    int maxValue = maxNumber.intValue();
    if ((maxValue != 0) && (idEntryMap.size() > maxValue)) {
        FSUtils.debug.error("FSAssertionManager.createAssertion: " + "reached maxNumber of assertions.");
        throw new FSException("errorCreateAssertion", null);
    }
    Object oldEntry = null;
    try {
        synchronized (idEntryMap) {
            oldEntry = idEntryMap.put(aIDString, entry);
        }
        if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
            idffSvc.setAssertions((long) idEntryMap.size());
        }
    } catch (Exception e) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionManager: couldn't add " + "to idEntryMap.", e);
        }
        throw new FSException("errorCreateAssertion", null);
    }
    if (LogUtil.isAccessLoggable(Level.FINER)) {
        String[] data = { assertion.toString() };
        LogUtil.access(Level.FINER, LogUtil.CREATE_ASSERTION, data, token);
    } else {
        String[] data = { assertion.getAssertionID() };
        LogUtil.access(Level.INFO, LogUtil.CREATE_ASSERTION, data, token);
    }
    if (artString != null) {
        try {
            synchronized (artIdMap) {
                oldEntry = artIdMap.put(artString, aIDString);
            }
            if ((agent != null) && agent.isRunning() && (idffSvc != null)) {
                idffSvc.setArtifacts((long) artIdMap.size());
            }
        } catch (Exception e) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionManager: couldn't add " + "artifact to the artIdMap.", e);
            }
            throw new FSException("errorCreateArtifact", null);
        }
        if (oldEntry != null) {
            artifactTimeoutRunnable.removeElement(aIDString);
        }
        artifactTimeoutRunnable.addElement(aIDString);
    } else {
        if (oldEntry != null) {
            assertionTimeoutRunnable.removeElement(aIDString);
        }
        assertionTimeoutRunnable.addElement(aIDString);
    }
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSAssertionManager.createAssertion(id):" + " Returning Assertion: " + assertion.toXMLString());
    }
    return assertion;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) HashMap(java.util.HashMap) FSSubject(com.sun.identity.federation.message.FSSubject) Date(java.util.Date) ArrayList(java.util.ArrayList) SessionException(com.sun.identity.plugin.session.SessionException) SubjectLocality(com.sun.identity.saml.assertion.SubjectLocality) Conditions(com.sun.identity.saml.assertion.Conditions) AuthnContext(com.sun.identity.federation.message.common.AuthnContext) BaseConfigType(com.sun.identity.federation.jaxb.entityconfig.BaseConfigType) SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation) FSAssertion(com.sun.identity.federation.message.FSAssertion) FSException(com.sun.identity.federation.common.FSException) Iterator(java.util.Iterator) List(java.util.List) ArrayList(java.util.ArrayList) AudienceRestrictionCondition(com.sun.identity.saml.assertion.AudienceRestrictionCondition) SessionProvider(com.sun.identity.plugin.session.SessionProvider) HashSet(java.util.HashSet) UnknownHostException(java.net.UnknownHostException) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) Date(java.util.Date) SessionException(com.sun.identity.plugin.session.SessionException) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) ParseException(java.text.ParseException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException) UnknownHostException(java.net.UnknownHostException) IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager) AttributeStatement(com.sun.identity.saml.assertion.AttributeStatement) ParseException(java.text.ParseException) Advice(com.sun.identity.saml.assertion.Advice) IDPProvidedNameIdentifier(com.sun.identity.federation.message.common.IDPProvidedNameIdentifier) AssertionIDReference(com.sun.identity.saml.assertion.AssertionIDReference) Map(java.util.Map) HashMap(java.util.HashMap)

Example 3 with Conditions

use of com.sun.identity.saml.assertion.Conditions in project OpenAM by OpenRock.

the class CDCServlet method createAssertion.

private FSAssertion createAssertion(String destID, String sourceID, String tokenID, String authType, String strAuthInst, String userDN, String inResponseTo) throws FSException, SAMLException {
    debug.message("Entering CDCServlet.createAssertion Method");
    if ((destID == null) || (sourceID == null) || (tokenID == null) || (authType == null) || (userDN == null) || (inResponseTo == null)) {
        debug.message("CDCServlet,createAssertion: null input");
        throw new FSException(FSUtils.bundle.getString("nullInput"));
    }
    String securityDomain = sourceID;
    NameIdentifier idpHandle = new NameIdentifier(URLEncDec.encode(tokenID), sourceID);
    NameIdentifier spHandle = idpHandle;
    String authMethod = authType;
    Date authInstant = convertAuthInstanceToDate(strAuthInst);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion " + "Creating Authentication Assertion for user with opaqueHandle =" + spHandle.getName() + " and SecurityDomain = " + securityDomain);
    }
    SubjectConfirmation subConfirmation = new SubjectConfirmation(IFSConstants.CONFIRMATION_METHOD_BEARER);
    IDPProvidedNameIdentifier idpNi = new IDPProvidedNameIdentifier(idpHandle.getNameQualifier(), idpHandle.getName());
    FSSubject sub = new FSSubject(spHandle, subConfirmation, idpNi);
    SubjectLocality authLocality = new SubjectLocality(IPAddress, DNSAddress);
    AuthnContext authnContextStmt = new AuthnContext(null, null);
    FSAuthenticationStatement statement = new FSAuthenticationStatement(authMethod, authInstant, sub, authLocality, null, authnContextStmt);
    //setReauthenticateOnOrAfter date
    Date issueInstant = new Date();
    // get this period from the config
    Integer assertionTimeout = new Integer(IFSConstants.ASSERTION_TIMEOUT_DEFAULT);
    long period = (assertionTimeout.intValue()) * 1000;
    if (period < IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE) {
        period = IFSConstants.ASSERTION_TIMEOUT_ALLOWED_DIFFERENCE;
    }
    Date notAfter = new Date(issueInstant.getTime() + period);
    statement.setReauthenticateOnOrAfter(notAfter);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion: " + "Authentication Statement: " + statement.toXMLString());
    }
    Conditions cond = new Conditions(issueInstant, notAfter);
    if ((destID != null) && (destID.length() != 0)) {
        List targets = new ArrayList(1);
        targets.add(destID);
        cond.addAudienceRestrictionCondition(new AudienceRestrictionCondition(targets));
    }
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion: " + "Condition: " + cond.toString());
    }
    AssertionIDReference aID = new AssertionIDReference();
    Set statements = new HashSet(2);
    statements.add(statement);
    FSAssertion assertion = new FSAssertion(aID.getAssertionIDReference(), sourceID, issueInstant, cond, statements, inResponseTo);
    assertion.setID(aID.getAssertionIDReference());
    String[] params = { FSUtils.bundle.getString("assertionCreated") + ":" + assertion.toString() };
    LogUtil.access(Level.INFO, "CREATE_ASSERTION", params);
    if (debug.messageEnabled()) {
        debug.message("CDCServlet.createAssertion:" + " Returning Assertion: " + assertion.toXMLString());
    }
    return assertion;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier) IDPProvidedNameIdentifier(com.sun.identity.federation.message.common.IDPProvidedNameIdentifier) FSSubject(com.sun.identity.federation.message.FSSubject) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) ArrayList(java.util.ArrayList) Date(java.util.Date) SubjectLocality(com.sun.identity.saml.assertion.SubjectLocality) Conditions(com.sun.identity.saml.assertion.Conditions) AuthnContext(com.sun.identity.federation.message.common.AuthnContext) SubjectConfirmation(com.sun.identity.saml.assertion.SubjectConfirmation) FSAssertion(com.sun.identity.federation.message.FSAssertion) FSException(com.sun.identity.federation.common.FSException) List(java.util.List) ArrayList(java.util.ArrayList) AudienceRestrictionCondition(com.sun.identity.saml.assertion.AudienceRestrictionCondition) IDPProvidedNameIdentifier(com.sun.identity.federation.message.common.IDPProvidedNameIdentifier) AssertionIDReference(com.sun.identity.saml.assertion.AssertionIDReference) HashSet(java.util.HashSet)

Example 4 with Conditions

use of com.sun.identity.saml.assertion.Conditions in project OpenAM by OpenRock.

the class SAMLUtils method checkCondition.

/**
     * Checks if the Assertion is time valid and
     * if the Assertion is allowed by AudienceRestrictionCondition.
     *
     * @param assertion an Assertion object
     * @return true if the operation is successful otherwise, return false
     * @exception IOException IOException
     */
private static boolean checkCondition(Assertion assertion) throws IOException {
    if (assertion == null) {
        return false;
    }
    if (!assertion.isSignatureValid()) {
        debug.error(bundle.getString("assertionSignatureNotValid"));
        return false;
    }
    // check if the Assertion is time valid
    if (!(assertion.isTimeValid())) {
        debug.error(bundle.getString("assertionTimeNotValid"));
        return false;
    }
    // check the Assertion is allowed by AudienceRestrictionCondition
    Conditions cnds = assertion.getConditions();
    Set audienceCnd = new HashSet();
    audienceCnd = cnds.getAudienceRestrictionCondition();
    Iterator it = null;
    if (audienceCnd != null) {
        if (!audienceCnd.isEmpty()) {
            it = audienceCnd.iterator();
            while (it.hasNext()) {
                if ((((AudienceRestrictionCondition) it.next()).evaluate()) == Condition.INDETERMINATE) {
                    if (debug.messageEnabled()) {
                        debug.message("Audience " + "RestrictionConditions is indeterminate.");
                    }
                } else {
                    debug.error("Failed AudienceRestrictionCondition");
                    return false;
                }
            }
        }
    }
    return true;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) CharacterIterator(java.text.CharacterIterator) Iterator(java.util.Iterator) StringCharacterIterator(java.text.StringCharacterIterator) AudienceRestrictionCondition(com.sun.identity.saml.assertion.AudienceRestrictionCondition) Conditions(com.sun.identity.saml.assertion.Conditions) HashSet(java.util.HashSet)

Example 5 with Conditions

use of com.sun.identity.saml.assertion.Conditions in project OpenAM by OpenRock.

the class FSSSOBrowserArtifactProfileHandler method createSAMLResponse.

private FSResponse createSAMLResponse(FSSAMLRequest samlRequest) throws FSException {
    FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler.createSAMLResponse: Called");
    FSResponse retResponse = null;
    String respID = FSUtils.generateID();
    String inResponseTo = samlRequest.getRequestID();
    List contents = new ArrayList();
    String message = null;
    int length;
    Status status;
    String remoteAddr = ClientUtils.getClientIPAddress(request);
    String respPrefix = FSUtils.bundle.getString("responseLogMessage") + " " + remoteAddr;
    int reqType = samlRequest.getContentType();
    if (reqType == Request.NOT_SUPPORTED) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "Found element in the request which are not supported");
        }
        message = FSUtils.bundle.getString("unsupportedElement");
        try {
            status = new Status(new StatusCode("samlp:Responder"), message, null);
            retResponse = new FSResponse(respID, inResponseTo, status, contents);
            retResponse.setMinorVersion(samlRequest.getMinorVersion());
        } catch (SAMLException se) {
            FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "Fatal error, cannot create status or response: ", se);
        }
        if (LogUtil.isAccessLoggable(Level.FINER)) {
            String[] data = { respPrefix, retResponse.toString() };
            LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
        } else {
            String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
            LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
        }
        return retResponse;
    }
    FSAssertionManager am = null;
    try {
        am = FSAssertionManager.getInstance(metaAlias);
    } catch (FSException se) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Cannot instantiate " + "FSAssertionManager");
        }
        message = se.getMessage();
        try {
            status = new Status(new StatusCode("samlp:Responder"), message, null);
            retResponse = new FSResponse(respID, inResponseTo, status, contents);
            retResponse.setMinorVersion(samlRequest.getMinorVersion());
        } catch (SAMLException sse) {
            FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "Fatal error, cannot create status or response: ", sse);
        }
        if (LogUtil.isAccessLoggable(Level.FINER)) {
            String[] data = { respPrefix, retResponse.toString() };
            LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
        } else {
            String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
            LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
        }
        return retResponse;
    }
    List artifacts = null;
    List assertions = new ArrayList();
    if (reqType == Request.ASSERTION_ARTIFACT) {
        artifacts = samlRequest.getAssertionArtifact();
        length = artifacts.size();
        // ensure that all the artifacts have the same sourceID
        String sourceID = null;
        String providerID = null;
        AssertionArtifact art = null;
        for (int j = 0; j < length; j++) {
            art = (AssertionArtifact) artifacts.get(j);
            if (sourceID != null) {
                if (!sourceID.equals(art.getSourceID())) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Artifacts not from " + "the same source");
                    }
                    message = FSUtils.bundle.getString("mismatchSourceID");
                    try {
                        /**
                            * Need a second level status for the federation
                            * does not exist. 
                            */
                        status = new Status(new StatusCode("samlp:Requester", new StatusCode(IFSConstants.FEDERATION_NOT_EXISTS_STATUS, null)), message, null);
                        retResponse = new FSResponse(respID, inResponseTo, status, contents);
                        retResponse.setMinorVersion(samlRequest.getMinorVersion());
                    } catch (SAMLException ex) {
                        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Fatal error, " + "cannot create status or response: ", ex);
                    }
                    if (LogUtil.isAccessLoggable(Level.FINER)) {
                        String[] data = { respPrefix, retResponse.toString() };
                        LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
                    } else {
                        String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
                        LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
                    }
                    return retResponse;
                } else {
                    //sourceids are equal
                    continue;
                }
            } else {
                // sourceID == null
                sourceID = art.getSourceID();
            }
        }
        // while loop to go through artifacts to check for sourceID
        if (art != null) {
            try {
                providerID = am.getDestIdForArtifact(art);
            } catch (FSException ex) {
                FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: FSException Occured while " + "retrieving sp's providerID for the artifact: ", ex);
                providerID = null;
            }
            if (providerID == null) {
                FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "artifact received does not correspond to any SP");
                message = FSUtils.bundle.getString("invalidSource");
                try {
                    /**
                         * Need a second level status for the federation
                         * does not exist. 
                         */
                    /**
                         * First, let's check we haven't recorded a status
                         * beforehand (by another call) related to this
                         * artifact. If so, use it.
                         */
                    Status sorig = am.getErrorStatus(art);
                    if (sorig != null) {
                        status = sorig;
                    } else {
                        status = new Status(new StatusCode("samlp:Requester", new StatusCode(IFSConstants.FEDERATION_NOT_EXISTS_STATUS, null)), message, null);
                    }
                    retResponse = new FSResponse(respID, inResponseTo, status, contents);
                    retResponse.setMinorVersion(samlRequest.getMinorVersion());
                    return retResponse;
                } catch (SAMLException sse) {
                    FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse:Fatal error, " + "cannot create status or response: ", sse);
                    return null;
                }
            //return error response
            } else {
                try {
                    if (!metaManager.isTrustedProvider(realm, hostedEntityId, providerID)) {
                        FSUtils.debug.error("FSSSOAndFedHandler.processAuthnRequest: " + "RemoteProvider is not trusted");
                        message = FSUtils.bundle.getString("AuthnRequestProcessingFailed");
                        status = new Status(new StatusCode("samlp:Requester"), message, null);
                        retResponse = new FSResponse(respID, inResponseTo, status, contents);
                        retResponse.setMinorVersion(samlRequest.getMinorVersion());
                        return retResponse;
                    }
                    spDescriptor = metaManager.getSPDescriptor(realm, providerID);
                    spEntityId = providerID;
                    remoteAddr = providerID;
                } catch (Exception ae) {
                    FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "FSAllianceManagementException " + "Occured while getting", ae);
                    message = ae.getMessage();
                    try {
                        status = new Status(new StatusCode("samlp:Requester"), message, null);
                        retResponse = new FSResponse(respID, inResponseTo, status, contents);
                        retResponse.setMinorVersion(samlRequest.getMinorVersion());
                        return retResponse;
                    } catch (SAMLException sse) {
                        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse:Fatal error, " + "cannot create status or response: ", sse);
                        return null;
                    }
                }
            }
            //Verify signature
            if (FSServiceUtils.isSigningOn()) {
                if (!verifySAMLRequestSignature(samlRequestElement, soapMsg)) {
                    FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: " + "SAMLRequest signature verification failed");
                    message = FSUtils.bundle.getString("signatureVerificationFailed");
                    try {
                        status = new Status(new StatusCode("samlp:Requester"), message, null);
                        retResponse = new FSResponse(respID, inResponseTo, status, contents);
                        retResponse.setMinorVersion(samlRequest.getMinorVersion());
                        return retResponse;
                    } catch (SAMLException sse) {
                        FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse:Fatal error, " + "cannot create status or response: " + sse.getMessage());
                    }
                } else {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOBrowserArtProfileHandler.createSAMLResp:" + " SAMLRequest signature verified");
                    }
                }
            }
        //end signature verification
        } else {
            FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: No artifact found in samlRequest");
            message = FSUtils.bundle.getString("missingArtifact");
            try {
                status = new Status(new StatusCode("samlp:Requester"), message, null);
                retResponse = new FSResponse(respID, inResponseTo, status, contents);
                retResponse.setMinorVersion(samlRequest.getMinorVersion());
                return retResponse;
            } catch (SAMLException sse) {
                FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse:Fatal error, " + "cannot create status or response: ", sse);
                return null;
            }
        }
        for (int i = 0; i < length; i++) {
            AssertionArtifact artifact = (AssertionArtifact) artifacts.get(i);
            Assertion assertion = null;
            try {
                assertion = am.getAssertion(artifact, spEntityId);
            } catch (FSException e) {
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler.createSAML" + "Response:could not find matching assertion:", e);
                }
                message = e.getMessage();
                try {
                    status = new Status(new StatusCode("samlp:Success"), message, null);
                    retResponse = new FSResponse(respID, inResponseTo, status, contents);
                    retResponse.setMinorVersion(samlRequest.getMinorVersion());
                } catch (SAMLException sse) {
                    FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse:Fatal error, " + "cannot create status or response: ", sse);
                }
                if (LogUtil.isAccessLoggable(Level.FINER)) {
                    String[] data = { respPrefix, retResponse.toString() };
                    LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
                } else {
                    String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
                    LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
                }
                return retResponse;
            }
            if (assertion != null) {
                assertions.add(i, assertion);
            }
        }
    }
    int assertionSize = assertions.size();
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: found " + assertionSize + "assertions.");
    }
    // inside the assertion has the calling host's address in it.
    for (int i = 0; i < assertionSize; i++) {
        Assertion assn = (Assertion) assertions.get(i);
        Conditions conds = assn.getConditions();
        Set trcs = conds.getAudienceRestrictionCondition();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: checking to see if assertions" + " are for host:" + remoteAddr);
        }
        if (trcs != null && !trcs.isEmpty()) {
            Iterator trcsIterator = trcs.iterator();
            while (trcsIterator.hasNext()) {
                if (!((AudienceRestrictionCondition) trcsIterator.next()).containsAudience(remoteAddr)) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: removing TRC not" + "meant for this host");
                    }
                    assertions.remove(assn);
                }
            }
        }
    }
    assertionSize = assertions.size();
    if (assertionSize == 0) {
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Matching Assertions(s) not " + "created for this host");
        }
        message = FSUtils.bundle.getString("mismatchDest");
        try {
            status = new Status(new StatusCode("samlp:Success"), message, null);
            retResponse = new FSResponse(respID, inResponseTo, status, contents);
            retResponse.setMinorVersion(samlRequest.getMinorVersion());
        } catch (SAMLException se) {
            FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Fatal error, " + "cannot create status or response:", se);
        }
        if (LogUtil.isAccessLoggable(Level.FINER)) {
            String[] data = { respPrefix, retResponse.toString() };
            LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
        } else {
            String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
            LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
        }
        return retResponse;
    }
    if (reqType == Request.ASSERTION_ARTIFACT) {
        if (assertions.size() == artifacts.size()) {
            message = null;
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Matching Assertion found");
            }
            try {
                status = new Status(new StatusCode("samlp:Success"), message, null);
                retResponse = new FSResponse(respID, inResponseTo, status, assertions);
                retResponse.setMinorVersion(samlRequest.getMinorVersion());
            } catch (SAMLException se) {
                FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Fatal error, " + "cannot create status or response:", se);
                return null;
            } catch (Exception e) {
                FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Fatal error, " + "cannot create status or response:", e);
                return null;
            }
            if (LogUtil.isAccessLoggable(Level.FINER)) {
                String[] data = { respPrefix, retResponse.toString() };
                LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
            } else {
                String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
                LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
            }
            return retResponse;
        } else {
            message = FSUtils.bundle.getString("unequalMatch");
            try {
                status = new Status(new StatusCode("samlp:Success"), message, null);
                retResponse = new FSResponse(respID, inResponseTo, status, assertions);
                retResponse.setMinorVersion(samlRequest.getMinorVersion());
            } catch (SAMLException se) {
                FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Fatal error, " + "cannot create status or response:", se);
            }
            if (LogUtil.isAccessLoggable(Level.FINER)) {
                String[] data = { respPrefix, retResponse.toString() };
                LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
            } else {
                String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
                LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
            }
            return retResponse;
        }
    } else {
        // build response for all the other type of request
        try {
            message = null;
            status = new Status(new StatusCode("samlp:Success"), message, null);
            retResponse = new FSResponse(respID, inResponseTo, status, assertions);
            retResponse.setMinorVersion(samlRequest.getMinorVersion());
        } catch (SAMLException se) {
            FSUtils.debug.error("FSSSOBrowserArtifactProfileHandler." + "createSAMLResponse: Fatal error, " + "cannot create status or response:", se);
        }
    }
    if (LogUtil.isAccessLoggable(Level.FINER)) {
        String[] data = { respPrefix, retResponse.toString() };
        LogUtil.access(Level.FINER, LogUtil.CREATE_SAML_RESPONSE, data);
    } else {
        String[] data = { respPrefix, FSUtils.bundle.getString("responseID") + "=" + retResponse.getResponseID() + "," + FSUtils.bundle.getString("inResponseTo") + "=" + retResponse.getInResponseTo() };
        LogUtil.access(Level.INFO, LogUtil.CREATE_SAML_RESPONSE, data);
    }
    return retResponse;
}
Also used : Status(com.sun.identity.saml.protocol.Status) Set(java.util.Set) ArrayList(java.util.ArrayList) Assertion(com.sun.identity.saml.assertion.Assertion) StatusCode(com.sun.identity.saml.protocol.StatusCode) SAMLException(com.sun.identity.saml.common.SAMLException) AssertionArtifact(com.sun.identity.saml.protocol.AssertionArtifact) FSAssertionArtifact(com.sun.identity.federation.message.FSAssertionArtifact) SAMLResponderException(com.sun.identity.saml.common.SAMLResponderException) SessionException(com.sun.identity.plugin.session.SessionException) SAMLException(com.sun.identity.saml.common.SAMLException) FSException(com.sun.identity.federation.common.FSException) Conditions(com.sun.identity.saml.assertion.Conditions) FSAssertionManager(com.sun.identity.federation.services.FSAssertionManager) FSResponse(com.sun.identity.federation.message.FSResponse) FSException(com.sun.identity.federation.common.FSException) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) List(java.util.List)

Aggregations

Conditions (com.sun.identity.saml.assertion.Conditions)8 Set (java.util.Set)7 HashSet (java.util.HashSet)6 ArrayList (java.util.ArrayList)5 Date (java.util.Date)5 Iterator (java.util.Iterator)5 List (java.util.List)5 FSException (com.sun.identity.federation.common.FSException)4 SessionException (com.sun.identity.plugin.session.SessionException)4 AttributeStatement (com.sun.identity.saml.assertion.AttributeStatement)4 AudienceRestrictionCondition (com.sun.identity.saml.assertion.AudienceRestrictionCondition)4 SubjectConfirmation (com.sun.identity.saml.assertion.SubjectConfirmation)4 SAMLException (com.sun.identity.saml.common.SAMLException)4 FSAssertion (com.sun.identity.federation.message.FSAssertion)3 FSAuthenticationStatement (com.sun.identity.federation.message.FSAuthenticationStatement)3 FSSubject (com.sun.identity.federation.message.FSSubject)3 AuthnContext (com.sun.identity.federation.message.common.AuthnContext)2 IDPProvidedNameIdentifier (com.sun.identity.federation.message.common.IDPProvidedNameIdentifier)2 IDFFMetaException (com.sun.identity.federation.meta.IDFFMetaException)2 IDFFMetaManager (com.sun.identity.federation.meta.IDFFMetaManager)2