use of com.sun.identity.saml2.jaxb.metadata.XACMLAuthzDecisionQueryDescriptorElement in project OpenAM by OpenRock.
the class SAML2COTUtils method updateEntityConfig.
/**
* Updates the entity config to add the circle of turst name to the
* <code>cotlist</code> attribute. The Service Provider and Identity
* Provider Configuration are updated.
*
* @param realm the realm name where the entity configuration is.
* @param name the circle of trust name.
* @param entityId the name of the Entity identifier.
* @throws SAML2MetaException if there is a configuration error when
* updating the configuration.
* @throws JAXBException is there is an error updating the entity
* configuration.
*/
public void updateEntityConfig(String realm, String name, String entityId) throws SAML2MetaException, JAXBException {
String classMethod = "SAML2COTUtils.updateEntityConfig: ";
SAML2MetaManager metaManager = null;
if (callerSession == null) {
metaManager = new SAML2MetaManager();
} else {
metaManager = new SAML2MetaManager(callerSession);
}
ObjectFactory objFactory = new ObjectFactory();
// Check whether the entity id existed in the DS
EntityDescriptorElement edes = metaManager.getEntityDescriptor(realm, entityId);
if (edes == null) {
debug.error(classMethod + "No such entity: " + entityId);
String[] data = { realm, entityId };
throw new SAML2MetaException("entityid_invalid", data);
}
boolean isAffiliation = false;
if (metaManager.getAffiliationDescriptor(realm, entityId) != null) {
isAffiliation = true;
}
if (debug.messageEnabled()) {
debug.message(classMethod + "is " + entityId + " in realm " + realm + " an affiliation? " + isAffiliation);
}
EntityConfigElement eConfig = metaManager.getEntityConfig(realm, entityId);
if (eConfig == null) {
BaseConfigType bctype = null;
AttributeType atype = objFactory.createAttributeType();
atype.setName(SAML2Constants.COT_LIST);
atype.getValue().add(name);
// add to eConfig
EntityConfigElement ele = objFactory.createEntityConfigElement();
ele.setEntityID(entityId);
ele.setHosted(false);
if (isAffiliation) {
// handle affiliation case
bctype = objFactory.createAffiliationConfigElement();
bctype.getAttribute().add(atype);
ele.setAffiliationConfig(bctype);
} else {
List ll = ele.getIDPSSOConfigOrSPSSOConfigOrAuthnAuthorityConfig();
// Decide which role EntityDescriptorElement includes
List list = edes.getRoleDescriptorOrIDPSSODescriptorOrSPSSODescriptor();
for (Iterator iter = list.iterator(); iter.hasNext(); ) {
Object obj = iter.next();
if (obj instanceof SPSSODescriptorElement) {
bctype = objFactory.createSPSSOConfigElement();
bctype.getAttribute().add(atype);
ll.add(bctype);
} else if (obj instanceof IDPSSODescriptorElement) {
bctype = objFactory.createIDPSSOConfigElement();
bctype.getAttribute().add(atype);
ll.add(bctype);
} else if (obj instanceof XACMLPDPDescriptorElement) {
bctype = objFactory.createXACMLPDPConfigElement();
bctype.getAttribute().add(atype);
ll.add(bctype);
} else if (obj instanceof XACMLAuthzDecisionQueryDescriptorElement) {
bctype = objFactory.createXACMLAuthzDecisionQueryConfigElement();
bctype.getAttribute().add(atype);
ll.add(bctype);
} else if (obj instanceof AttributeAuthorityDescriptorElement) {
bctype = objFactory.createAttributeAuthorityConfigElement();
bctype.getAttribute().add(atype);
ll.add(bctype);
} else if (obj instanceof AttributeQueryDescriptorElement) {
bctype = objFactory.createAttributeQueryConfigElement();
bctype.getAttribute().add(atype);
ll.add(bctype);
} else if (obj instanceof AuthnAuthorityDescriptorElement) {
bctype = objFactory.createAuthnAuthorityConfigElement();
bctype.getAttribute().add(atype);
ll.add(bctype);
}
}
}
metaManager.setEntityConfig(realm, ele);
} else {
boolean needToSave = true;
List elist = null;
if (isAffiliation) {
AffiliationConfigElement affiliationCfgElm = metaManager.getAffiliationConfig(realm, entityId);
elist = new ArrayList();
elist.add(affiliationCfgElm);
} else {
elist = eConfig.getIDPSSOConfigOrSPSSOConfigOrAuthnAuthorityConfig();
}
for (Iterator iter = elist.iterator(); iter.hasNext(); ) {
boolean foundCOT = false;
BaseConfigType bConfig = (BaseConfigType) iter.next();
List list = bConfig.getAttribute();
for (Iterator iter2 = list.iterator(); iter2.hasNext(); ) {
AttributeType avp = (AttributeType) iter2.next();
if (avp.getName().trim().equalsIgnoreCase(SAML2Constants.COT_LIST)) {
foundCOT = true;
List avpl = avp.getValue();
if (avpl.isEmpty() || !containsValue(avpl, name)) {
avpl.add(name);
needToSave = true;
break;
}
}
}
// no cot_list in the original entity config
if (!foundCOT) {
AttributeType atype = objFactory.createAttributeType();
atype.setName(SAML2Constants.COT_LIST);
atype.getValue().add(name);
list.add(atype);
needToSave = true;
}
}
if (needToSave) {
metaManager.setEntityConfig(realm, eConfig);
}
}
}
use of com.sun.identity.saml2.jaxb.metadata.XACMLAuthzDecisionQueryDescriptorElement in project OpenAM by OpenRock.
the class QueryHandlerServlet method processXACMLResponse.
/**
* Returns the received Response to the Requester.
* Validates the message signature if signed and invokes the
* Request Handler to pass the request for futher processing.
*
* @param realm realm of the entity.
* @param pdpEntityID entity identifier of Policy Decision Point (PDP).
* @param samlRequest the <code>RequestAbstract</code> object.
* @param request the <code>HttpServletRequest</code> object.
* @param soapMsg the <code>SOAPMessage</code> object.
* @exception <code>SAML2Exception</code> if there is an error processing
* the request and returning a response.
*/
Response processXACMLResponse(String realm, String pdpEntityID, RequestAbstract samlRequest, HttpServletRequest request, SOAPMessage soapMsg) throws SAML2Exception {
String classMethod = "QueryHandlerServlet:processXACMLResponse";
Response samlResponse = null;
String path = request.getPathInfo();
String key = path.substring(path.indexOf(METAALIAS_KEY) + 10);
String pepEntityID = samlRequest.getIssuer().getValue();
if (debug.messageEnabled()) {
debug.message(classMethod + "SOAPMessage KEY . :" + key);
debug.message(classMethod + "pepEntityID is :" + pepEntityID);
}
//Retreive metadata
boolean pdpWantAuthzQuerySigned = SAML2Utils.getWantXACMLAuthzDecisionQuerySigned(realm, pdpEntityID, SAML2Constants.PDP_ROLE);
if (debug.messageEnabled()) {
debug.message(classMethod + "PDP wantAuthzQuerySigned:" + pdpWantAuthzQuerySigned);
}
if (pdpWantAuthzQuerySigned) {
if (samlRequest.isSigned()) {
XACMLAuthzDecisionQueryDescriptorElement pep = SAML2Utils.getSAML2MetaManager().getPolicyEnforcementPointDescriptor(realm, pepEntityID);
Set<X509Certificate> verificationCerts = KeyUtil.getPEPVerificationCerts(pep, pepEntityID);
if (verificationCerts.isEmpty() || !samlRequest.isSignatureValid(verificationCerts)) {
// error
debug.error(classMethod + "Invalid signature in message");
throw new SAML2Exception("invalidQuerySignature");
} else {
debug.message(classMethod + "Valid signature found");
}
} else {
debug.error("Request not signed");
throw new SAML2Exception("nullSig");
}
}
//getRequestHandlerClass
RequestHandler handler = (RequestHandler) SOAPBindingService.handlers.get(key);
if (handler != null) {
if (debug.messageEnabled()) {
debug.message(classMethod + "Found handler");
}
samlResponse = handler.handleQuery(pdpEntityID, pepEntityID, samlRequest, soapMsg);
// set response attributes
samlResponse.setID(SAML2Utils.generateID());
samlResponse.setVersion(SAML2Constants.VERSION_2_0);
samlResponse.setIssueInstant(new Date());
Issuer issuer = AssertionFactory.getInstance().createIssuer();
issuer.setValue(pdpEntityID);
samlResponse.setIssuer(issuer);
// end set Response Attributes
//set Assertion attributes
List assertionList = samlResponse.getAssertion();
Assertion assertion = (Assertion) assertionList.get(0);
assertion.setID(SAML2Utils.generateID());
assertion.setVersion(SAML2Constants.VERSION_2_0);
assertion.setIssueInstant(new Date());
assertion.setIssuer(issuer);
// end assertion set attributes
// check if assertion needs to be encrypted,signed.
String wantAssertionEncrypted = SAML2Utils.getAttributeValueFromXACMLConfig(realm, SAML2Constants.PEP_ROLE, pepEntityID, SAML2Constants.WANT_ASSERTION_ENCRYPTED);
XACMLAuthzDecisionQueryDescriptorElement pepDescriptor = SAML2Utils.getSAML2MetaManager().getPolicyEnforcementPointDescriptor(realm, pepEntityID);
EncInfo encInfo = null;
boolean wantAssertionSigned = pepDescriptor.isWantAssertionsSigned();
if (debug.messageEnabled()) {
debug.message(classMethod + " wantAssertionSigned :" + wantAssertionSigned);
}
if (wantAssertionSigned) {
signAssertion(realm, pdpEntityID, assertion);
}
if (wantAssertionEncrypted != null && wantAssertionEncrypted.equalsIgnoreCase(SAML2Constants.TRUE)) {
encInfo = KeyUtil.getPEPEncInfo(pepDescriptor, pepEntityID);
// encrypt the Assertion
EncryptedAssertion encryptedAssertion = assertion.encrypt(encInfo.getWrappingKey(), encInfo.getDataEncAlgorithm(), encInfo.getDataEncStrength(), pepEntityID);
if (encryptedAssertion == null) {
debug.error(classMethod + "Assertion encryption failed.");
throw new SAML2Exception("FailedToEncryptAssertion");
}
assertionList = new ArrayList();
assertionList.add(encryptedAssertion);
samlResponse.setEncryptedAssertion(assertionList);
//reset Assertion list
samlResponse.setAssertion(new ArrayList());
if (debug.messageEnabled()) {
debug.message(classMethod + "Assertion encrypted.");
}
} else {
List assertionsList = new ArrayList();
assertionsList.add(assertion);
samlResponse.setAssertion(assertionsList);
}
signResponse(samlResponse, realm, pepEntityID, pdpEntityID);
} else {
// error - missing request handler.
debug.error(classMethod + "RequestHandler not found");
throw new SAML2Exception("missingRequestHandler");
}
return samlResponse;
}
use of com.sun.identity.saml2.jaxb.metadata.XACMLAuthzDecisionQueryDescriptorElement in project OpenAM by OpenRock.
the class SAMLv2ModelImpl method createExtendedObject.
/**
* Creates the extended config object when it does not exist.
* @param realm the realm to which the entity belongs.
* @param entityName is the entity id.
* @param location indicates whether hosted or remote
* @param role can be SP, IDP or SP/IDP.
* @throws SAML2MetaException, JAXBException,
* AMConsoleException if saving of attribute value fails.
*/
private void createExtendedObject(String realm, String entityName, String location, String role) throws SAML2MetaException, JAXBException, AMConsoleException {
SAML2MetaManager samlManager = getSAML2MetaManager();
EntityDescriptorElement entityDescriptor = samlManager.getEntityDescriptor(realm, entityName);
ObjectFactory objFactory = new ObjectFactory();
EntityConfigElement entityConfigElement = objFactory.createEntityConfigElement();
entityConfigElement.setEntityID(entityName);
if (location.equals("remote")) {
entityConfigElement.setHosted(false);
} else {
entityConfigElement.setHosted(true);
}
List configList = entityConfigElement.getIDPSSOConfigOrSPSSOConfigOrAuthnAuthorityConfig();
BaseConfigType baseConfigIDP = null;
BaseConfigType baseConfigSP = null;
BaseConfigType baseConfigAuth = null;
AttributeAuthorityDescriptorElement attrauthDescriptor = samlManager.getAttributeAuthorityDescriptor(realm, entityName);
AuthnAuthorityDescriptorElement authnauthDescriptor = samlManager.getAuthnAuthorityDescriptor(realm, entityName);
AttributeQueryDescriptorElement attrQueryDescriptor = samlManager.getAttributeQueryDescriptor(realm, entityName);
IDPSSODescriptorElement idpssoDesc = samlManager.getIDPSSODescriptor(realm, entityName);
SPSSODescriptorElement spssoDesc = samlManager.getSPSSODescriptor(realm, entityName);
XACMLAuthzDecisionQueryDescriptorElement xacmlAuthzDescriptor = samlManager.getPolicyEnforcementPointDescriptor(realm, entityName);
XACMLPDPDescriptorElement xacmlPDPDescriptor = samlManager.getPolicyDecisionPointDescriptor(realm, entityName);
if (isDualRole(entityDescriptor)) {
baseConfigIDP = objFactory.createIDPSSOConfigElement();
baseConfigSP = objFactory.createSPSSOConfigElement();
baseConfigIDP = addAttributeType(extendedMetaIdpMap, baseConfigIDP);
baseConfigSP = addAttributeType(extendedMetaSpMap, baseConfigSP);
configList.add(baseConfigIDP);
configList.add(baseConfigSP);
} else if (role.equals(EntityModel.IDENTITY_PROVIDER) || (idpssoDesc != null)) {
baseConfigIDP = objFactory.createIDPSSOConfigElement();
baseConfigIDP = addAttributeType(extendedMetaIdpMap, baseConfigIDP);
configList.add(baseConfigIDP);
} else if (role.equals(EntityModel.SERVICE_PROVIDER) || (spssoDesc != null)) {
baseConfigSP = objFactory.createSPSSOConfigElement();
baseConfigSP = addAttributeType(extendedMetaSpMap, baseConfigSP);
configList.add(baseConfigSP);
}
if (role.equals(EntityModel.SAML_ATTRAUTHORITY) || (attrauthDescriptor != null)) {
baseConfigAuth = objFactory.createAttributeAuthorityConfigElement();
baseConfigAuth = addAttributeType(extAttrAuthMap, baseConfigAuth);
configList.add(baseConfigAuth);
}
if (role.equals(EntityModel.SAML_AUTHNAUTHORITY) || (authnauthDescriptor != null)) {
baseConfigAuth = objFactory.createAuthnAuthorityConfigElement();
baseConfigAuth = addAttributeType(extAuthnAuthMap, baseConfigAuth);
configList.add(baseConfigAuth);
}
if (role.equals(EntityModel.SAML_ATTRQUERY) || (attrQueryDescriptor != null)) {
baseConfigAuth = objFactory.createAttributeQueryConfigElement();
baseConfigAuth = addAttributeType(extattrQueryMap, baseConfigAuth);
configList.add(baseConfigAuth);
}
if (role.equals(EntityModel.POLICY_DECISION_POINT_DESCRIPTOR) || (xacmlPDPDescriptor != null)) {
baseConfigAuth = objFactory.createXACMLPDPConfigElement();
baseConfigAuth = addAttributeType(xacmlPDPExtendedMeta, baseConfigAuth);
configList.add(baseConfigAuth);
}
if (role.equals(EntityModel.POLICY_ENFORCEMENT_POINT_DESCRIPTOR) || (xacmlAuthzDescriptor != null)) {
baseConfigAuth = objFactory.createXACMLAuthzDecisionQueryConfigElement();
baseConfigAuth = addAttributeType(xacmlPEPExtendedMeta, baseConfigAuth);
configList.add(baseConfigAuth);
}
samlManager.setEntityConfig(realm, entityConfigElement);
}
use of com.sun.identity.saml2.jaxb.metadata.XACMLAuthzDecisionQueryDescriptorElement in project OpenAM by OpenRock.
the class SAMLv2ModelImpl method getPEPDescriptor.
/**
* Returns a Map of PEP descriptor data.(Standard Metadata)
*
* @param realm realm of Entity
* @param entityName entity name of Entity Descriptor.
* @return key-value pair Map of PEP descriptor data.
* @throws AMConsoleException if unable to retrieve the PEP
* standard metadata attributes
*/
public Map getPEPDescriptor(String realm, String entityName) throws AMConsoleException {
String[] params = { realm, entityName, "SAMLv2", "XACML PEP" };
logEvent("ATTEMPT_GET_ENTITY_DESCRIPTOR_ATTR_VALUES", params);
Map data = null;
try {
SAML2MetaManager saml2Manager = getSAML2MetaManager();
XACMLAuthzDecisionQueryDescriptorElement xacmlAuthzDescriptor = saml2Manager.getPolicyEnforcementPointDescriptor(realm, entityName);
if (xacmlAuthzDescriptor != null) {
data = new HashMap(10);
//ProtocolSupportEnum
data.put(ATTR_TXT_PROTOCOL_SUPPORT_ENUM, returnEmptySetIfValueIsNull(xacmlAuthzDescriptor.getProtocolSupportEnumeration()));
if (xacmlAuthzDescriptor.isWantAssertionsSigned()) {
data.put(ATTR_WANT_ASSERTION_SIGNED, "true");
} else {
data.put(ATTR_WANT_ASSERTION_SIGNED, "false");
}
}
logEvent("SUCCEED_GET_ENTITY_DESCRIPTOR_ATTR_VALUES", params);
} catch (SAML2MetaException e) {
String strError = getErrorString(e);
String[] paramsEx = { realm, entityName, "SAMLv2", "XACML PEP", strError };
logEvent("FEDERATION_EXCEPTION_GET_ENTITY_DESCRIPTOR_ATTR_VALUES", paramsEx);
throw new AMConsoleException(strError);
}
return (data != null) ? data : Collections.EMPTY_MAP;
}
use of com.sun.identity.saml2.jaxb.metadata.XACMLAuthzDecisionQueryDescriptorElement in project OpenAM by OpenRock.
the class SAML2Test method importEntity.
@Test(groups = { "samlv2", "samlv2op" }, dependsOnMethods = { "createMetaTemplate" })
public void importEntity() throws CLIException, SAML2MetaException {
entering("importEntity", null);
String[] args = { "import-entity", CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.ARGUMENT_METADATA, "meta", CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.ARGUMENT_EXTENDED_DATA, "extended", CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.ARGUMENT_COT, NAME_COT, CLIConstants.PREFIX_ARGUMENT_LONG + FedCLIConstants.SPECIFICATION_VERSION, FedCLIConstants.SAML2_SPECIFICATION };
CLIRequest req = new CLIRequest(null, args, getAdminSSOToken());
cmdManager.addToRequestQueue(req);
cmdManager.serviceRequestQueue();
SAML2MetaManager mgr = new SAML2MetaManager();
EntityDescriptorElement entity = mgr.getEntityDescriptor("/", NAME_IDP);
assert (entity != null);
SPSSODescriptorElement spElt = mgr.getSPSSODescriptor("/", NAME_IDP);
assert (spElt != null);
IDPSSODescriptorElement idpElt = mgr.getIDPSSODescriptor("/", NAME_IDP);
assert (idpElt != null);
XACMLPDPDescriptorElement pdpElt = mgr.getPolicyDecisionPointDescriptor("/", NAME_IDP);
assert (pdpElt != null);
XACMLAuthzDecisionQueryDescriptorElement pepElt = mgr.getPolicyEnforcementPointDescriptor("/", NAME_IDP);
assert (pepElt != null);
IDPSSOConfigElement idpConfig = mgr.getIDPSSOConfig("/", NAME_IDP);
assert (idpConfig != null);
SPSSOConfigElement spConfig = mgr.getSPSSOConfig("/", NAME_IDP);
assert (spConfig != null);
XACMLPDPConfigElement pdpConfig = mgr.getPolicyDecisionPointConfig("/", NAME_IDP);
assert (pdpConfig != null);
XACMLAuthzDecisionQueryConfigElement pepConfig = mgr.getPolicyEnforcementPointConfig("/", NAME_IDP);
assert (pepConfig != null);
exiting("importEntity");
}
Aggregations