
Example 6 with AudienceRestriction

use of com.sun.identity.saml2.assertion.AudienceRestriction in project OpenAM by OpenRock.

the class ConditionsImpl method makeImmutable.

/**
 * Makes the object immutable.
 *
 * <p>Every contained Condition, AudienceRestriction, OneTimeUse and
 * ProxyRestriction is made immutable first; each backing list is then
 * replaced by an unmodifiable view and the mutable flag is cleared.
 * Calling this on an already immutable instance is a no-op.
 */
public void makeImmutable() {
    if (!isMutable) {
        return;
    }
    if (conditions != null) {
        for (Object element : conditions) {
            ((Condition) element).makeImmutable();
        }
        conditions = Collections.unmodifiableList(conditions);
    }
    if (audienceRestrictions != null) {
        for (Object element : audienceRestrictions) {
            ((AudienceRestriction) element).makeImmutable();
        }
        audienceRestrictions = Collections.unmodifiableList(audienceRestrictions);
    }
    if (oneTimeUses != null) {
        for (Object element : oneTimeUses) {
            ((OneTimeUse) element).makeImmutable();
        }
        oneTimeUses = Collections.unmodifiableList(oneTimeUses);
    }
    if (proxyRestrictions != null) {
        for (Object element : proxyRestrictions) {
            ((ProxyRestriction) element).makeImmutable();
        }
        proxyRestrictions = Collections.unmodifiableList(proxyRestrictions);
    }
    // Only flip the flag once every nested element and list is locked down.
    isMutable = false;
}

Example 7 with AudienceRestriction

use of com.sun.identity.saml2.assertion.AudienceRestriction in project OpenAM by OpenRock.

the class SAML2Utils method checkAudience.

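/**
 * Verifies that this service provider is an intended audience of an assertion.
 *
 * <p>The Conditions element must be present and must carry at least one
 * AudienceRestriction whose Audience list contains {@code hostEntityId}
 * (exact, case-sensitive string match). Each failure is logged via
 * {@code LogUtil} with the assertion ID before the exception is thrown.
 * An AudienceRestriction whose Audience list is {@code null} is skipped
 * rather than dereferenced.
 *
 * @param conds        the Conditions element of the assertion, may be {@code null}
 * @param hostEntityId the SAML entity ID of this service provider
 * @param assertionID  the assertion ID, used only for logging
 * @throws SAML2Exception if Conditions is missing, if no AudienceRestriction is
 *         present, or if none of the listed audiences equals {@code hostEntityId}
 */
private static void checkAudience(final Conditions conds, final String hostEntityId, final String assertionID) throws SAML2Exception {
    final String method = "SAML2Utils.checkAudience:";
    if (conds == null) {
        if (debug.messageEnabled()) {
            debug.message(method + "Conditions is missing from Assertion.");
        }
        String[] data = { assertionID };
        LogUtil.error(Level.INFO, LogUtil.MISSING_CONDITIONS, data, null);
        throw new SAML2Exception(bundle.getString("missingConditions"));
    }
    List restrictions = conds.getAudienceRestrictions();
    if (restrictions == null) {
        if (debug.messageEnabled()) {
            debug.message(method + "missing AudienceRestriction.");
        }
        String[] data = { assertionID };
        LogUtil.error(Level.INFO, LogUtil.MISSING_AUDIENCE_RESTRICTION, data, null);
        throw new SAML2Exception(bundle.getString("missingAudienceRestriction"));
    }
    boolean found = false;
    for (Object restriction : restrictions) {
        List audienceList = ((AudienceRestriction) restriction).getAudience();
        // A restriction with no Audience entries cannot name this SP; skipping it
        // avoids an NPE that would otherwise escape as an unlogged failure.
        if (audienceList != null && audienceList.contains(hostEntityId)) {
            found = true;
            break;
        }
    }
    if (!found) {
        if (debug.messageEnabled()) {
            debug.message(method + "This SP is not the intended audience.");
        }
        String[] data = { assertionID };
        LogUtil.error(Level.INFO, LogUtil.WRONG_AUDIENCE, data, null);
        throw new SAML2Exception(bundle.getString("audienceNotMatch"));
    }
}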

Example 8 with AudienceRestriction

use of com.sun.identity.saml2.assertion.AudienceRestriction in project OpenAM by OpenRock.

the class Saml2GrantTypeHandler method validAssertion.

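/**
 * Validates a SAML 2.0 assertion presented as an OAuth2 bearer grant.
 *
 * <p>All of the following must hold, otherwise the failure is logged and
 * {@code false} is returned: the Issuer is present; the assertion is signed
 * and the signature verifies against that issuer; Conditions names this
 * authorization server as an intended audience; the Subject carries a NameID
 * and at least one SubjectConfirmation; the Conditions time window is valid;
 * and at least one bearer SubjectConfirmation confirms the assertion for this
 * server (see {@link #hasValidBearerConfirmation}).
 *
 * <p>The signature is checked before any content is inspected so that nothing
 * below acts on unauthenticated data. Audience and Recipient values are
 * compared ignoring case and a single trailing '/'.
 *
 * @param assertion     the parsed assertion
 * @param deploymentURL the URL of this authorization server
 * @return {@code true} only when every check passes
 * @throws SAML2Exception if the assertion cannot be serialised for signature verification
 */
private boolean validAssertion(Assertion assertion, String deploymentURL) throws SAML2Exception {
    // must contain issuer: the signature is verified against it
    final Issuer issuer = assertion.getIssuer();
    if (issuer == null) {
        logger.error("Issuer does not exist");
        return false;
    }
    // Verify the signature first; until this passes no other element of the
    // assertion is trustworthy.
    if (!assertion.isSigned()) {
        logger.error("Assertion must be signed");
        return false;
    }
    if (!SAMLUtils.checkSignatureValid(assertion.toXMLString(), "ID", issuer.getValue())) {
        logger.error("Assertion signature verification failed");
        return false;
    }
    /*
     * The Assertion MUST contain <Conditions> element with an
     * <AudienceRestriction> element with an <Audience> element
     * containing a URI reference that identifies the authorization
     * server, or the service provider SAML entity of its controlling
     * domain, as an intended audience.  The token endpoint URL of the
     * authorization server MAY be used as an acceptable value for an
     * <Audience> element.  The authorization server MUST verify that it
     * is an intended audience for the Assertion.
     */
    final Conditions conditions = assertion.getConditions();
    if (conditions == null) {
        logger.error("Saml2BearerServerResource.validAssertion(): Conditions does not exist");
        return false;
    }
    final List<AudienceRestriction> audienceRestriction = conditions.getAudienceRestrictions();
    if (audienceRestriction == null || audienceRestriction.isEmpty()) {
        logger.error("Saml2BearerServerResource.validAssertion(): Audience Restriction does not exist");
        return false;
    }
    logger.trace("Saml2BearerServerResource.validAssertion(): URL of authorization server: " + deploymentURL);
    if (!audienceMatches(audienceRestriction, deploymentURL)) {
        logger.error("Didn't find the oauth2 provider in audience restrictions");
        return false;
    }
    /*
     * The Assertion MUST contain a <Subject> element.  The subject MAY
     * identify the resource owner for whom the access token is being
     * requested.  For client authentication, the Subject MUST be the
     * "client_id" of the OAuth client.  When using an Assertion as an
     * authorization grant, the Subject SHOULD identify an authorized
     * accessor for whom the access token is being requested (typically
     * the resource owner, or an authorized delegate).  Additional
     * information identifying the subject/principal of the transaction
     * MAY be included in an <AttributeStatement>.
     */
    final Subject subject = assertion.getSubject();
    if (subject == null) {
        logger.error("Subject does not exist");
        return false;
    }
    // The NameID identifies the resource owner; reject explicitly instead of
    // failing with an NPE when it is absent.
    if (subject.getNameID() == null) {
        logger.error("Subject NameID does not exist");
        return false;
    }
    /*
     * The Assertion MUST have an expiry that limits the time window
     * during which it can be used.  The expiry can be expressed either
     * as the NotOnOrAfter attribute of the <Conditions> element or as
     * the NotOnOrAfter attribute of a suitable <SubjectConfirmationData>
     * element.
     */
    /*
     * The <Subject> element MUST contain at least one
     * <SubjectConfirmation> element that allows the authorization server
     * to confirm it as a Bearer Assertion.  Such a <SubjectConfirmation>
     * element MUST have a Method attribute with a value of
     * "urn:oasis:names:tc:SAML:2.0:cm:bearer".  The
     * <SubjectConfirmation> element MUST contain a
     * <SubjectConfirmationData> element, unless the Assertion has a
     * suitable NotOnOrAfter attribute on the <Conditions> element, in
     * which case the <SubjectConfirmationData> element MAY be omitted.
     * When present, the <SubjectConfirmationData> element MUST have a
     * Recipient attribute with a value indicating the token endpoint URL
     * of the authorization server (or an acceptable alias).  The
     * authorization server MUST verify that the value of the Recipient
     * attribute matches the token endpoint URL (or an acceptable alias)
     * to which the Assertion was delivered.  The
     * <SubjectConfirmationData> element MUST have a NotOnOrAfter
     * attribute that limits the window during which the Assertion can be
     * confirmed.  The <SubjectConfirmationData> element MAY also contain
     * an Address attribute limiting the client address from which the
     * Assertion can be delivered.  Verification of the Address is at the
     * discretion of the authorization server.
     */
    final List<SubjectConfirmation> subjectConfirmations = subject.getSubjectConfirmation();
    if (subjectConfirmations == null || subjectConfirmations.isEmpty()) {
        logger.error("Subject Confirmations does not exist");
        return false;
    }
    // if conditions is expired assertion is expired
    if (!assertion.isTimeValid()) {
        logger.error("Assertion expired");
        return false;
    }
    // A Conditions-level NotOnOrAfter is what permits a bearer confirmation to
    // omit SubjectConfirmationData (see the quoted requirement above).
    final boolean conditionsHaveExpiry = conditions.getNotOnOrAfter() != null;
    if (!hasValidBearerConfirmation(subjectConfirmations, deploymentURL, conditionsHaveExpiry)) {
        logger.error("Assertion expired or subject expired");
        return false;
    }
    return true;
}

/**
 * Returns whether any Audience in {@code audienceRestrictions} names
 * {@code deploymentURL}, ignoring case and a single trailing '/'.
 * Restrictions without audiences and {@code null} audience entries are skipped.
 */
private static boolean audienceMatches(List<AudienceRestriction> audienceRestrictions, String deploymentURL) {
    final String expected = stripTrailingSlash(deploymentURL);
    for (final AudienceRestriction restriction : audienceRestrictions) {
        final List<String> audiences = restriction.getAudience();
        if (audiences == null) {
            continue;
        }
        for (final String audience : audiences) {
            // check for the url with and without trailing /
            if (audience != null && stripTrailingSlash(audience).equalsIgnoreCase(expected)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Returns whether at least one bearer SubjectConfirmation confirms the
 * assertion for this authorization server.
 *
 * <p>A bearer confirmation that carries no SubjectConfirmationData is accepted
 * only when {@code conditionsHaveExpiry} is {@code true} (the caller has already
 * checked that window). When SubjectConfirmationData is present it must have a
 * NotOnOrAfter that is still in the future and a Recipient matching
 * {@code deploymentURL} (case-insensitive, trailing '/' ignored). NotOnOrAfter
 * is an exclusive bound: the confirmation is usable only while now is strictly
 * before it. The Address attribute is not checked.
 */
private static boolean hasValidBearerConfirmation(List<SubjectConfirmation> subjectConfirmations,
        String deploymentURL, boolean conditionsHaveExpiry) {
    final Date now = new Date();
    final String expectedRecipient = stripTrailingSlash(deploymentURL);
    for (final SubjectConfirmation subjectConfirmation : subjectConfirmations) {
        final String confirmationMethod = subjectConfirmation.getMethod();
        if (confirmationMethod == null
                || !confirmationMethod.equalsIgnoreCase(OAuth2Constants.SAML20.SUBJECT_CONFIRMATION_METHOD)) {
            continue;
        }
        final SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();
        if (subjectConfirmationData == null) {
            if (conditionsHaveExpiry) {
                return true;
            }
            continue;
        }
        final Date notOnOrAfter = subjectConfirmationData.getNotOnOrAfter();
        final String recipient = subjectConfirmationData.getRecipient();
        if (notOnOrAfter != null && now.before(notOnOrAfter)
                && recipient != null && stripTrailingSlash(recipient).equalsIgnoreCase(expectedRecipient)) {
            return true;
        }
        // TODO check Client Address
    }
    return false;
}

/**
 * Removes a single trailing '/' from {@code url}; {@code null} is returned unchanged.
 */
private static String stripTrailingSlash(String url) {
    if (url != null && url.endsWith("/")) {
        return url.substring(0, url.length() - 1);
    }
    return url;
}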

Example 9 with AudienceRestriction

use of com.sun.identity.saml2.assertion.AudienceRestriction in project OpenAM by OpenRock.

the class DefaultConditionsProvider method get.

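/**
 * Builds the Conditions element for a generated SAML2 assertion.
 *
 * <p>NotBefore is set to {@code issueInstant} and NotOnOrAfter to
 * {@code issueInstant} plus the configured token lifetime. When the config
 * names an SP entity ID, a single AudienceRestriction carrying that ID is
 * added; for BEARER subject confirmation the entity ID is mandatory.
 *
 * @see org.forgerock.openam.sts.tokengeneration.saml2.statements.ConditionsProvider#get(
 * org.forgerock.openam.sts.config.user.SAML2Config, java.util.Date,
 * org.forgerock.openam.sts.token.SAML2SubjectConfirmation)
 * @param saml2Config              source of the token lifetime and SP entity ID
 * @param issueInstant             the assertion issue instant
 * @param saml2SubjectConfirmation the subject confirmation method of the assertion
 * @return the populated Conditions
 * @throws TokenCreationException with BAD_REQUEST when BEARER is requested without an
 *         SP entity ID, or INTERNAL_ERROR wrapping a {@link SAML2Exception} from the
 *         assertion API
 */
public Conditions get(SAML2Config saml2Config, Date issueInstant, SAML2SubjectConfirmation saml2SubjectConfirmation) throws TokenCreationException {
    Conditions conditions = AssertionFactory.getInstance().createConditions();
    try {
        conditions.setNotBefore(issueInstant);
        // 1000L forces long arithmetic so a large lifetime cannot overflow an int
        // before being added to the epoch millis.
        conditions.setNotOnOrAfter(new Date(issueInstant.getTime() + (saml2Config.getTokenLifetimeInSeconds() * 1000L)));
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught setting token lifetime state in SAML2TokenGenerationImpl: " + e, e);
    }
    String audience = saml2Config.getSpEntityId();
    /*
     * Section 4.1.4.2 of http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf specifies that
     * Audiences specifying the entity ids of SPs, must be contained in the AudienceRestriction for bearer tokens.
     */
    final boolean audienceMissing = (audience == null) || audience.isEmpty();
    if (audienceMissing && SAML2SubjectConfirmation.BEARER.equals(saml2SubjectConfirmation)) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "The audiences field in the SAML2Config is empty, " + "but the BEARER SubjectConfirmation is required. BEARER tokens must include Conditions with " + "AudienceRestrictions specifying the SP entity ids.");
    }
    if (!audienceMissing) {
        try {
            AudienceRestriction audienceRestriction = AssertionFactory.getInstance().createAudienceRestriction();
            List<String> audienceList = new ArrayList<String>(1);
            audienceList.add(audience);
            audienceRestriction.setAudience(audienceList);
            List<AudienceRestriction> audienceRestrictionList = new ArrayList<AudienceRestriction>(1);
            audienceRestrictionList.add(audienceRestriction);
            conditions.setAudienceRestrictions(audienceRestrictionList);
        } catch (SAML2Exception e) {
            throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught setting audience restriction state in SAML2TokenGenerationImpl: " + e, e);
        }
    }
    return conditions;
}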

Example 10 with AudienceRestriction

use of com.sun.identity.saml2.assertion.AudienceRestriction in project OpenAM by OpenRock.

the class DefaultConditionsProviderTest method testBearerWithAudiences.

/**
 * A BEARER request with an SP audience configured must yield Conditions whose
 * window starts at the issue instant, lasts TOKEN_LIFETIME_SECONDS, and whose
 * first AudienceRestriction names AM_SP_AUDIENCE.
 */
@Test
public void testBearerWithAudiences() throws TokenCreationException, UnsupportedEncodingException {
    final Date issueInstant = new Date();
    final ConditionsProvider provider = new DefaultConditionsProvider();
    final Conditions conditions = provider.get(createSAML2Config(), issueInstant, SAML2SubjectConfirmation.BEARER);
    final long expectedNotOnOrAfter = issueInstant.getTime() + (TOKEN_LIFETIME_SECONDS * 1000);
    assertTrue(issueInstant.equals(conditions.getNotBefore()));
    assertTrue(expectedNotOnOrAfter == conditions.getNotOnOrAfter().getTime());
    final AudienceRestriction firstRestriction = (AudienceRestriction) conditions.getAudienceRestrictions().get(0);
    assertTrue(firstRestriction.getAudience().contains(AM_SP_AUDIENCE));
}
