
Example 6 with Conditions

use of com.sun.identity.saml.assertion.Conditions in project OpenAM by OpenRock.

Class FSAssertionArtifactHandler, method validateAssertions.

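/**
 * Validates the assertions returned for this handler's outstanding
 * <code>AuthnRequest</code> and extracts the authenticated subject.
 *
 * Every assertion must: answer the request this handler issued
 * (<code>InResponseTo</code>), carry a verifiable signature when signing is
 * on, not have been seen before (replay check against <code>idTimeMap</code>),
 * be issued by the expected identity provider (or, when none is pinned, by an
 * IDP configured in this realm), be inside its validity window, be addressed
 * to this site, and contain an authentication statement whose single
 * confirmation method is bearer or artifact.
 *
 * Side effects on success: the assertion ID is recorded in
 * <code>idTimeMap</code> and in <code>cGoThrough</code> or
 * <code>cPeriodic</code>; <code>reAuthnOnOrAfterDate</code>,
 * <code>idpSessionIndex</code>, <code>authnContextStmt</code>,
 * <code>securityAssertions</code>, <code>attrStatements</code> and (when no
 * IDP was pinned) the provider descriptor/entity ID are updated.
 *
 * @param assertions list of <code>FSAssertion</code> objects to validate
 * @return the subject of the last valid authentication statement, or
 *         <code>null</code> if any check fails (the reason is logged)
 */
protected Subject validateAssertions(List assertions) {
    FSUtils.debug.message("FSAssertionArtifactHandler.validateAssertions: Called");
    FSSubject subject = null;
    Iterator iter = assertions.iterator();
    while (iter.hasNext()) {
        FSAssertion assertion = (FSAssertion) iter.next();
        // the assertion must answer the AuthnRequest this handler sent
        if (!authnRequest.getRequestID().equals(assertion.getInResponseTo())) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " assertion does not correspond to any valid request");
            return null;
        }
        if (FSServiceUtils.isSigningOn() && !verifyAssertionSignature(assertion)) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " assertion signature verification failed");
            return null;
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Assertion signature verified");
        }
        String aIDString = assertion.getAssertionID();
        // replay protection: an assertion ID already recorded in idTimeMap is rejected
        if (idTimeMap.containsKey(aIDString)) {
            FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion: Assertion: " + aIDString + " is used");
            return null;
        }
        // check issuer of the assertion
        String issuer = assertion.getIssuer();
        try {
            if (idpEntityId != null) {
                // an IDP is pinned for this request: the issuer must be exactly that entity
                if (!idpEntityId.equals(issuer)) {
                    FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is not the entity where " + "AuthnRequest was sent originally.");
                    return null;
                }
            } else {
                // no IDP pinned: the issuer must at least be an IDP configured in this realm
                FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is: " + issuer);
                IDFFMetaManager metaManager = FSUtils.getIDFFMetaManager();
                IDPDescriptorType idpDesc = metaManager.getIDPDescriptor(realm, issuer);
                if (idpDesc == null) {
                    FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion:" + " Assertion issuer is not on the trust list");
                    return null;
                }
                setProviderDescriptor(idpDesc);
                setProviderEntityId(issuer);
            }
        } catch (Exception ex) {
            // log the cause too; the original dropped it
            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "Assertion issuer is not on the trust list", ex);
            return null;
        }
        // must be valid (timewise)
        if (!assertion.isTimeValid()) {
            FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion:" + " Assertion's time is not valid.");
            return null;
        }
        // TODO: IssuerInstant of the assertion is within a few minutes
        // This is a MAY in spec. Which number to use for the few minutes?
        // if present, target of the assertion must be this site
        Conditions conds = assertion.getConditions();
        if (!forThisServer(conds)) {
            FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "assertion is not issued for this site.");
            return null;
        }
        // for each assertion, loop to check each statement
        boolean authnStatementFound = false;
        if (assertion.getStatement() != null) {
            Iterator stmtIter = assertion.getStatement().iterator();
            while (stmtIter.hasNext()) {
                Statement statement = (Statement) stmtIter.next();
                int stmtType = statement.getStatementType();
                if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
                    FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
                    authnStatementFound = true;
                    try {
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "validating AuthenticationStatement:" + authStatement.toXMLString());
                        }
                    } catch (FSException e) {
                        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: Exception. " + "Invalid AuthenticationStatement: ", e);
                        return null;
                    }
                    // check ReauthenticateOnOrAfter
                    reAuthnOnOrAfterDate = authStatement.getReauthenticateOnOrAfter();
                    // process SessionIndex
                    idpSessionIndex = authStatement.getSessionIndex();
                    authnContextStmt = authStatement.getAuthnContext();
                    subject = (FSSubject) authStatement.getSubject();
                    if (subject == null) {
                        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: Subject is null");
                        return null;
                    }
                    try {
                        if (FSUtils.debug.messageEnabled()) {
                            FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "found Authentication Statement. " + "Subject = " + subject.toXMLString());
                        }
                    } catch (FSException e) {
                        // An unserializable subject is treated as fatal, like an invalid
                        // statement above. The original did 'continue' here, which kept
                        // authnStatementFound/subject set but skipped the confirmation
                        // method check below for this statement (and only when debug
                        // messages were enabled, since toXMLString is not called otherwise).
                        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + " Exception. Invalid subject: ", e);
                        return null;
                    }
                    // exactly one confirmation method, and it must be bearer or artifact
                    SubjectConfirmation subConf = subject.getSubjectConfirmation();
                    Set confMethods = (subConf == null) ? null : subConf.getConfirmationMethod();
                    if ((confMethods == null) || (confMethods.size() != 1)) {
                        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: " + "missing or extra ConfirmationMethod.");
                        return null;
                    }
                    String confMethod = (String) confMethods.iterator().next();
                    if ((confMethod == null) || !((confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER)) || (confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_ARTIFACT)) || (confMethod.equals(SAMLConstants.DEPRECATED_CONFIRMATION_METHOD_ARTIFACT)))) {
                        FSUtils.debug.error("FSAssertionArtifactHandler." + "validateAssertion: wrong " + "ConfirmationMethod");
                        return null;
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Confirmation method: " + confMethod);
                    }
                } else if (stmtType == Statement.ATTRIBUTE_STATEMENT) {
                    AttributeStatement attrStatement = (AttributeStatement) statement;
                    if (!checkForAttributeStatement(attrStatement)) {
                        attrStatements.add(attrStatement);
                    }
                }
            }
        }
        if (!authnStatementFound) {
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: " + "No Authentication statement found in the Assertion. " + "User is not authenticated by the IDP");
            }
            return null;
        }
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSAssertionArtifactHandler." + "validateAssertion: Adding " + aIDString + " to idTimeMap.");
        }
        // Record the assertion ID so it cannot be replayed. Assertions with a
        // NotOnOrAfter expire from the map at that time (cGoThrough); the
        // rest are cleaned up periodically (cPeriodic). Conditions may be
        // absent (forThisServer is left to decide whether that is acceptable),
        // so guard the dereference here.
        Date notOnOrAfter = (conds == null) ? null : conds.getNotOnorAfter();
        if (notOnOrAfter != null) {
            cGoThrough.addElement(aIDString);
            idTimeMap.put(aIDString, Long.valueOf(notOnOrAfter.getTime()));
        } else {
            cPeriodic.addElement(aIDString);
            // it doesn't matter what we store for the value.
            idTimeMap.put(aIDString, aIDString);
        }
        securityAssertions = assertion.getDiscoveryCredential();
    }
    if (subject == null) {
        FSUtils.debug.error("FSAssertionArtifactHandler.validateAssertion:" + " couldn't find Subject.");
        return null;
    }
    return subject;
}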

Example 7 with Conditions

use of com.sun.identity.saml.assertion.Conditions in project OpenAM by OpenRock.

Class SAMLUtils, method verifyAssertionAndGetSSMap.

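/**
 * Checks the assertions of a SAML <code>Response</code> and returns a Map of
 * the data needed to process it: the authenticated Subject, the SOAPEntry of
 * the partner site that issued the assertions, and the list of assertions.
 *
 * Each assertion must not have been seen before (replay check against
 * <code>idTimeMap</code>), come from a configured partner site, have a valid
 * signature and be inside its validity window. Every subject-bearing
 * statement must carry exactly one confirmation method, and it must be
 * bearer. The subject of the first authentication statement is returned.
 *
 * Side effect: every accepted assertion ID is recorded in
 * <code>idTimeMap</code> and in <code>cGoThrough</code> (has NotOnOrAfter)
 * or <code>cPeriodic</code> (no expiry; cleaned up periodically).
 *
 * @param response <code>Response</code> object
 * @return Map keyed by <code>SAMLConstants.SUBJECT</code>,
 *         <code>SAMLConstants.SOURCE_SITE_SOAP_ENTRY</code> and
 *         <code>SAMLConstants.POST_ASSERTION</code>, or <code>null</code>
 *         if any check fails (the reason is logged)
 */
public static Map verifyAssertionAndGetSSMap(Response response) {
    com.sun.identity.saml.assertion.Subject subject = null;
    SAMLServiceManager.SOAPEntry srcSite = null;
    List assertions = response.getAssertion();
    // NOTE(review): whether getAssertion() can return null is not visible here;
    // guard it rather than fail with a NullPointerException.
    if (assertions == null) {
        debug.error("verifyAssertionAndGetSSMap: response carries no assertions.");
        return null;
    }
    Iterator iter = assertions.iterator();
    while (iter.hasNext()) {
        Assertion assertion = (Assertion) iter.next();
        String aIDString = assertion.getAssertionID();
        // replay protection: an assertion ID already recorded is rejected
        if (idTimeMap.containsKey(aIDString)) {
            debug.error("verifyAssertion " + "AndGetSSMap: Assertion: " + aIDString + " is used.");
            return null;
        }
        // the issuer must be a configured partner site
        String issuer = assertion.getIssuer();
        if ((srcSite = SAMLUtils.getSourceSite(issuer)) == null) {
            debug.error("verifyAsserti " + "onAndGetSSMap: issuer is not on the Partner list.");
            return null;
        }
        if (!assertion.isSignatureValid()) {
            debug.error("verifyAssertion " + "AndGetSSMap: assertion's signature is not valid.");
            return null;
        }
        // must be valid (timewise)
        if (!assertion.isTimeValid()) {
            debug.error("verifyAssertion " + "AndGetSSMap: assertion's time is not valid.");
            return null;
        }
        // TODO: IssuerInstant of the assertion is within a few minutes
        // This is a MAY in spec. Which number to use for the few minutes?
        // TODO: check AudienceRestrictionCondition
        // for each assertion, loop to check each statement (the list may be
        // absent; the IDFF handler guards the same call)
        List statements = assertion.getStatement();
        if (statements != null) {
            Iterator stmtIter = statements.iterator();
            while (stmtIter.hasNext()) {
                Statement statement = (Statement) stmtIter.next();
                int stmtType = statement.getStatementType();
                if ((stmtType == Statement.AUTHENTICATION_STATEMENT) || (stmtType == Statement.ATTRIBUTE_STATEMENT) || (stmtType == Statement.AUTHORIZATION_DECISION_STATEMENT)) {
                    com.sun.identity.saml.assertion.Subject sub = ((SubjectStatement) statement).getSubject();
                    if (sub == null) {
                        debug.error("verifyAssertionAndGetSSMap: statement has no Subject.");
                        return null;
                    }
                    // ConfirmationMethod of each subject must be set to bearer
                    SubjectConfirmation subConf = sub.getSubjectConfirmation();
                    Set confMethods = (subConf == null) ? null : subConf.getConfirmationMethod();
                    if ((confMethods == null) || (confMethods.size() != 1)) {
                        debug.error("verify " + "AssertionAndGetSSMap: missing or extra " + "ConfirmationMethod.");
                        return null;
                    }
                    String confMethod = (String) confMethods.iterator().next();
                    if ((confMethod == null) || (!confMethod.equals(SAMLConstants.CONFIRMATION_METHOD_BEARER))) {
                        debug.error("verify " + "AssertionAndGetSSMap:wrong ConfirmationMethod.");
                        return null;
                    }
                    // keep the subject of the first authentication statement;
                    // later ones are ignored (the original also left a note
                    // about a MAY-level browser IP check that is not done here)
                    if ((stmtType == Statement.AUTHENTICATION_STATEMENT) && (subject == null)) {
                        subject = sub;
                    }
                }
            }
        }
        // add the assertion to idTimeMap
        if (debug.messageEnabled()) {
            debug.message("Adding " + aIDString + " to idTimeMap.");
        }
        Conditions conds = assertion.getConditions();
        Date notOnOrAfter = (conds == null) ? null : conds.getNotOnorAfter();
        if (notOnOrAfter != null) {
            cGoThrough.addElement(aIDString);
            idTimeMap.put(aIDString, Long.valueOf(notOnOrAfter.getTime()));
        } else {
            cPeriodic.addElement(aIDString);
            // it doesn't matter what we store for the value.
            idTimeMap.put(aIDString, aIDString);
        }
    }
    // must have at least one SSO assertion
    if ((subject == null) || (srcSite == null)) {
        debug.error("verifyAssertion AndGetSSMap: couldn't find Subject.");
        return null;
    }
    Map ssMap = new HashMap();
    ssMap.put(SAMLConstants.SUBJECT, subject);
    ssMap.put(SAMLConstants.SOURCE_SITE_SOAP_ENTRY, srcSite);
    ssMap.put(SAMLConstants.POST_ASSERTION, assertions);
    return ssMap;
}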

Example 8 with Conditions

use of com.sun.identity.saml.assertion.Conditions in project OpenAM by OpenRock.

Class LibSecurityTokenProvider, method getSAMLToken.

/**
 * Builds and signs the Security Assertion for <code>senderIdentity</code>.
 *
 * The assertion carries, in this order of decision: an authentication
 * statement when <code>includeAuthN</code> is set; a resource access
 * statement when <code>includeResourceAccessStatement</code> is set,
 * otherwise a session context statement when <code>invocatorSession</code>
 * is present; and an attribute statement when the configured attribute
 * plugin returns attributes. When <code>recipientProviderID</code> is given
 * it becomes the single audience of an AudienceRestrictionCondition. The
 * assertion is signed with <code>DEFAULT_TA_CERT_ALIAS_VALUE</code>.
 *
 * Side effect: refreshes the <code>attributePlugin</code> field.
 *
 * @param senderIdentity identity of the sender; must not be null
 * @param invocatorSession session context of the invoker, may be null
 * @param resourceID resource the token is requested for
 * @param includeAuthN whether to add an authentication statement
 * @param includeResourceAccessStatement whether to add a resource access statement
 * @param recipientProviderID intended audience, or null for no restriction
 * @param isBear whether the statements use bearer confirmation
 * @return the signed Security Assertion
 * @throws SecurityTokenException if the sender is null, no statement could
 *         be built, or building/signing the assertion fails
 */
private SecurityAssertion getSAMLToken(NameIdentifier senderIdentity, SessionContext invocatorSession, Object resourceID, boolean includeAuthN, boolean includeResourceAccessStatement, String recipientProviderID, boolean isBear) throws SecurityTokenException {
    if (debug.messageEnabled()) {
        debug.message("getSAMLToken: isBear = " + isBear);
    }
    if (senderIdentity == null) {
        debug.error("LibSecurityTokenProvider.getSAMLToken:senderIdentity is null");
        throw new SecurityTokenException(bundle.getString("nullSenderIdentity"));
    }
    Set statements = new HashSet();
    if (includeAuthN) {
        statements.add(createAuthenticationStatement(senderIdentity, isBear));
    }
    if (includeResourceAccessStatement) {
        statements.add(createResourceAccessStatement(senderIdentity, invocatorSession, resourceID, isBear));
    } else if (invocatorSession != null) {
        statements.add(createSessionContextStatement(senderIdentity, invocatorSession, isBear));
    }
    // an assertion without statements is useless; refuse to build one
    if (statements.isEmpty()) {
        debug.error("getSAMLAuthorizationToken: SAML statement should " + "not be null.");
        throw new SecurityTokenException(bundle.getString("nullStatement"));
    }
    String issuer = DiscoServiceManager.getDiscoProviderID();
    // attribute statement, only when a plugin is configured and yields attributes
    attributePlugin = getAttributePlugin();
    if (attributePlugin != null) {
        List attributes = attributePlugin.getAttributes(senderIdentity, resourceID, issuer);
        if (attributes != null && !attributes.isEmpty()) {
            AttributeStatement attributeStatement = createAttributeStatement(senderIdentity, attributes, isBear);
            if (attributeStatement != null) {
                statements.add(attributeStatement);
            }
        }
    }
    Date issueInstant = new Date();
    SecurityAssertion assertion;
    try {
        // NOTE(review): the assertion ID is passed as "" — presumably
        // SecurityAssertion generates one; confirm against its constructor.
        if (recipientProviderID == null) {
            assertion = new SecurityAssertion("", issuer, issueInstant, statements);
        } else {
            List audience = new ArrayList();
            audience.add(recipientProviderID);
            AudienceRestrictionCondition restriction = new AudienceRestrictionCondition(audience);
            Conditions conditions = new Conditions();
            conditions.addAudienceRestrictionCondition(restriction);
            assertion = new SecurityAssertion("", issuer, issueInstant, conditions, statements);
        }
        assertion.signXML(DEFAULT_TA_CERT_ALIAS_VALUE);
    } catch (Exception e) {
        debug.error("getSAMLToken.signXML", e);
        throw new SecurityTokenException(bundle.getString("nullAssertion"));
    }
    return assertion;
}
