
Example 1 with XACMLAuthzDecisionQuery

use of com.sun.identity.xacml.saml2.XACMLAuthzDecisionQuery in project OpenAM by OpenRock.

the class XACMLAuthzDecisionQueryHandler method handleQuery.

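/**
 * Processes an XACMLAuthzDecisionQuery and returns a SAML2 Response.
 *
 * <p>The query's XACML subject, resource and action are mapped to native
 * OpenAM objects (an SSOToken, a resource/service name pair and an action
 * name) through the FM*Mapper implementations, the native PolicyEvaluator
 * is asked for a decision, and the outcome is wrapped in an
 * XACMLAuthzDecisionStatement inside a SAML2 Response. A mapping failure
 * produces an Indeterminate decision carrying the matching XACML status
 * code instead of an exception; the one exception is a query whose
 * resource does not map to a service name, which is rejected with a
 * SAML2Exception.
 *
 * @param pdpEntityId EntityID of PDP
 * @param pepEntityId EntityID of PEP
 * @param samlpRequest SAML2 Request, an XACMLAuthzDecisionQuery
 * @param soapMessage SOAPMessage that carried the SAML2 Request
 * @return SAML2 Response with an XACMLAuthzDecisionStatement
 * @exception SAML2Exception if the query can not be handled
 */
public com.sun.identity.saml2.protocol.Response handleQuery(String pdpEntityId, String pepEntityId, RequestAbstract samlpRequest, SOAPMessage soapMessage) throws SAML2Exception {
    //TODO: logging, i18n
    //TODO: long term, allow different mapper impls for different
    //combination of pdp, pep
    SubjectMapper subjectMapper = new FMSubjectMapper();
    subjectMapper.initialize(pdpEntityId, pepEntityId, null);
    ResourceMapper resourceMapper = new FMResourceMapper();
    resourceMapper.initialize(pdpEntityId, pepEntityId, null);
    ActionMapper actionMapper = new FMActionMapper();
    actionMapper.initialize(pdpEntityId, pepEntityId, null);
    EnvironmentMapper environmentMapper = new FMEnvironmentMapper();
    environmentMapper.initialize(pdpEntityId, pepEntityId, null);
    ResultMapper resultMapper = new FMResultMapper();
    resultMapper.initialize(pdpEntityId, pepEntityId, null);
    boolean evaluationFailed = false;
    String statusCodeValue = null;
    if (XACMLSDKUtils.debug.messageEnabled()) {
        // NOTE(review): this dumps the whole query and SOAP envelope. The
        // subject attributes that FMSubjectMapper turns into an SSOToken
        // below presumably carry session credentials, so this output must
        // stay at message (debug) level -- confirm against the mapper.
        XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery(), entering" + ":pdpEntityId=" + pdpEntityId + ":pepEntityId=" + pepEntityId + ":samlpRequest=\n" + samlpRequest.toXMLString(true, true) + ":soapMessage=\n" + soapMessage);
    }
    // Cast once; a non-XACML request still fails with ClassCastException
    // exactly as before.
    XACMLAuthzDecisionQuery authzQuery = (XACMLAuthzDecisionQuery) samlpRequest;
    Request xacmlRequest = authzQuery.getRequest();
    boolean returnContext = authzQuery.getReturnContext();
    SSOToken ssoToken = null;
    String resourceName = null;
    String serviceName = null;
    String actionName = null;
    Map environment = null;
    boolean booleanDecision = false;
    try {
        //get native sso token
        ssoToken = (SSOToken) subjectMapper.mapToNativeSubject(xacmlRequest.getSubjects());
        if (ssoToken == null) {
            //TODO: log message and fill missing attribute details
            statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
            evaluationFailed = true;
        } else {
            if (XACMLSDKUtils.debug.messageEnabled()) {
                XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery()," + "created ssoToken");
            }
        }
        if (ssoToken != null) {
            //get native service name, resource name
            List resources = xacmlRequest.getResources();
            Resource resource = null;
            if (!resources.isEmpty()) {
                //We deal with only one resource for now
                resource = (Resource) resources.get(0);
            }
            if (resource != null) {
                // Element 0 is the native resource name, element 1 the
                // policy service name; either may be absent.
                String[] resourceService = resourceMapper.mapToNativeResource(resource);
                if (resourceService != null) {
                    if (resourceService.length > 0) {
                        resourceName = resourceService[0];
                    }
                    if (resourceService.length > 1) {
                        serviceName = resourceService[1];
                    }
                }
            }
            if (resourceName == null) {
                //TODO: log message and fill missing attribute details
                statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
                evaluationFailed = true;
            }
            if (serviceName == null) {
                //TODO: log message and fill missing attribute details
                throw new SAML2Exception(XACMLSDKUtils.xacmlResourceBundle.getString("missing_attribute"));
            }
        }
        if (serviceName != null) {
            //get native action name (the service name is needed to
            //resolve the action vocabulary)
            actionName = actionMapper.mapToNativeAction(xacmlRequest.getAction(), serviceName);
            if (actionName == null) {
                //TODO: log message and fill missing attribute details
                statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
                evaluationFailed = true;
            }
        }
    //get environment map
    /*
            environment = environmentMapper.mapToNativeEnvironment(
                    xacmlRequest.getEnvironment(),
                    xacmlRequest.getSubjects());
            */
    } catch (XACMLException xe) {
        statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
        evaluationFailed = true;
        if (XACMLSDKUtils.debug.warningEnabled()) {
            XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", xe);
        }
    }
    //get native policy decision using native policy evaluator
    if (!evaluationFailed) {
        try {
            PolicyEvaluator pe = new PolicyEvaluator(serviceName);
            booleanDecision = pe.isAllowed(ssoToken, resourceName, actionName, environment);
        } catch (SSOException ssoe) {
            if (XACMLSDKUtils.debug.warningEnabled()) {
                XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", ssoe);
            }
            evaluationFailed = true;
        } catch (PolicyException pe) {
            if (XACMLSDKUtils.debug.warningEnabled()) {
                XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", pe);
            }
            evaluationFailed = true;
        }
    }
    //decision: Indeterminate, Deny, Permit, NotApplicable
    //status code: missing_attribute, syntax_error, processing_error, ok
    Decision decision = ContextFactory.getInstance().createDecision();
    Status status = ContextFactory.getInstance().createStatus();
    StatusCode code = ContextFactory.getInstance().createStatusCode();
    StatusMessage message = ContextFactory.getInstance().createStatusMessage();
    StatusDetail detail = ContextFactory.getInstance().createStatusDetail();
    // Kept as upstream: appends a clone of the StatusDetail element to
    // itself. Presumably this yields the expected StatusDetail child
    // layout -- confirm before changing.
    detail.getElement().insertBefore(detail.getElement().cloneNode(true), null);
    if (evaluationFailed) {
        // Any failure before or during evaluation is Indeterminate; the
        // status code defaults to processing_error unless a mapping step
        // already recorded missing_attribute.
        decision.setValue(XACMLConstants.INDETERMINATE);
        if (statusCodeValue == null) {
            statusCodeValue = XACMLConstants.STATUS_CODE_PROCESSING_ERROR;
        }
        code.setValue(statusCodeValue);
        //TODO: i18n
        message.setValue("processing_error");
    } else if (booleanDecision) {
        decision.setValue(XACMLConstants.PERMIT);
        code.setValue(XACMLConstants.STATUS_CODE_OK);
        //TODO: i18n
        message.setValue("ok");
    } else {
        decision.setValue(XACMLConstants.DENY);
        code.setValue(XACMLConstants.STATUS_CODE_OK);
        //TODO: i18n
        message.setValue("ok");
    }
    Result result = ContextFactory.getInstance().createResult();
    // Report the resource-id exactly as the requester spelled it, falling
    // back to the mapped native resource name when the attribute is absent.
    String resourceId = resourceName;
    List requestResources = xacmlRequest.getResources();
    if (!requestResources.isEmpty()) {
        //We deal with only one resource for now
        Resource firstResource = (Resource) requestResources.get(0);
        if (firstResource != null) {
            List attributes = firstResource.getAttributes();
            if (attributes != null) {
                for (int count = 0; count < attributes.size(); count++) {
                    Attribute attr = (Attribute) attributes.get(count);
                    if (attr == null) {
                        continue;
                    }
                    URI attrId = attr.getAttributeId();
                    if (attrId == null || !attrId.toString().equals(XACMLConstants.RESOURCE_ID)) {
                        continue;
                    }
                    List values = attr.getAttributeValues();
                    // A resource-id attribute without a value used to throw
                    // (NPE / IndexOutOfBounds); a malformed query now simply
                    // keeps the mapped resource name.
                    if (values != null && !values.isEmpty()) {
                        Element element = (Element) values.get(0);
                        resourceId = XMLUtils.getElementValue(element);
                    }
                    break;
                }
            }
        }
    }
    result.setResourceId(resourceId);
    result.setDecision(decision);
    status.setStatusCode(code);
    status.setStatusMessage(message);
    status.setStatusDetail(detail);
    result.setStatus(status);
    Response response = ContextFactory.getInstance().createResponse();
    response.addResult(result);
    XACMLAuthzDecisionStatement statement = ContextFactory.getInstance().createXACMLAuthzDecisionStatement();
    statement.setResponse(response);
    if (returnContext) {
        // The requester asked for its own request context to be echoed.
        statement.setRequest(xacmlRequest);
    }
    com.sun.identity.saml2.protocol.Response samlpResponse = createSamlpResponse(statement, status.getStatusCode().getValue());
    if (XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery(), returning" + ":samlResponse=\n" + samlpResponse.toXMLString(true, true));
    }
    return samlpResponse;
}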

Example 2 with XACMLAuthzDecisionQuery

use of com.sun.identity.xacml.saml2.XACMLAuthzDecisionQuery in project OpenAM by OpenRock.

the class QueryClient method processXACMLQuery.

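/**
 * Returns SAMLv2 <code>Response</code>.
 * SAMLv2 request is sent enclosed in the body of a SOAP Message
 * to a SOAP endpoint.
 * Prior to sending the request query, attributes required for completeness
 * of the SAMLv2 Request will be set (eg. Issuer) if not already set.
 * Message will be signed if signing is enabled.
 * SAMLv2 Query Request will be enclosed in the SOAP Body to create a SOAP
 * message to send to the server.
 *
 * <p>The reply's Issuer must be a trusted PDP for the PEP (see
 * {@code verifyResponseIssuer}) and the reply is then passed through
 * {@code verifyResponse}; an untrusted issuer is logged and rejected.
 *
 * @param request the SAMLv2 <code>RequestAbstract</code> object; must be
 *        an <code>XACMLAuthzDecisionQuery</code>. A <code>null</code>
 *        request yields a <code>null</code> return value.
 * @param pepEntityID entity identifier of the hosted query requester.
 * @param pdpEntityID entity identifier of the remote server.
 * @return SAMLv2 <code>Response</code> received from the
 *         Query Responder, or <code>null</code> when no request was given.
 * @throws SAML2Exception if there is an error processing the query,
 *         including an empty PEP/PDP identifier, an unparseable SOAP
 *         reply or an untrusted response issuer.
 */
public static Response processXACMLQuery(RequestAbstract request, String pepEntityID, String pdpEntityID) throws SAML2Exception {
    String classMethod = "QueryClient:processXACMLQuery";
    String realm = "/";
    Response response = null;
    // retrieve pepEntityID metadata
    if (pepEntityID == null || pepEntityID.length() == 0) {
        debug.error(classMethod + "PEP Identifier is null");
        String[] data = { pepEntityID };
        LogUtil.error(Level.INFO, LogUtil.INVALID_PEP_ID, data);
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullPEP"));
    }
    // retrieve pdpEntityID metadata
    if (pdpEntityID == null || pdpEntityID.length() == 0) {
        debug.error(classMethod + "PDP Identifier is null");
        String[] data = { pdpEntityID };
        LogUtil.error(Level.INFO, LogUtil.INVALID_PDP_ID, data);
        throw new SAML2Exception(SAML2SDKUtils.bundle.getString("nullPDP"));
    }
    if (request == null) {
        // Nothing to send; the caller is expected to handle a null reply.
        return null;
    }
    // set properties in the request.
    XACMLAuthzDecisionQuery xacmlQuery = (XACMLAuthzDecisionQuery) request;
    // set Issuer
    Issuer issuer = createIssuer(pepEntityID);
    xacmlQuery.setIssuer(issuer);
    //generate ID
    String requestID = SAML2SDKUtils.generateID();
    xacmlQuery.setID(requestID);
    xacmlQuery.setVersion(SAML2Constants.VERSION_2_0);
    xacmlQuery.setIssueInstant(new Date());
    XACMLPDPConfigElement pdpConfig = getPDPConfig(realm, pdpEntityID);
    if (pdpConfig != null) {
        // Sign only when the PDP's metadata asks for it.
        String wantQuerySigned = getAttributeValueFromPDPConfig(pdpConfig, "wantXACMLAuthzDecisionQuerySigned");
        if (wantQuerySigned != null && wantQuerySigned.equals("true")) {
            signAttributeQuery(xacmlQuery, realm, pepEntityID, false);
        }
    }
    String xmlString = xacmlQuery.toXMLString(true, true);
    if (debug.messageEnabled()) {
        debug.message(classMethod + "XACML Query XML String :" + xmlString);
    }
    // retrieve endpoint from meta data
    XACMLAuthzDecisionQueryConfigElement pepConfig = getPEPConfig(realm, pepEntityID);
    String endPoint = getPDPEndPoint(pdpEntityID);
    if (debug.messageEnabled()) {
        debug.message(classMethod + " ResponseLocation is :" + endPoint);
    }
    // create SOAP message
    try {
        String soapMessage = SAML2SDKUtils.createSOAPMessageString(xmlString);
        endPoint = SAML2SDKUtils.fillInBasicAuthInfo(pepConfig, endPoint);
        String[] urls = { endPoint };
        SOAPClient soapClient = new SOAPClient(urls);
        if (debug.messageEnabled()) {
            debug.message(classMethod + "soapMessage :" + soapMessage);
        }
        InputStream soapIn = soapClient.call(soapMessage, null, null);
        StringBuilder reply = new StringBuilder();
        BufferedReader reader = new BufferedReader(new InputStreamReader(soapIn, "UTF-8"));
        try {
            String line;
            while ((line = reader.readLine()) != null) {
                reply.append(line).append("\n");
            }
        } finally {
            // The reader (and the SOAP stream under it) was never closed
            // before; release it on every path.
            reader.close();
        }
        // check the SOAP message for any SOAP related errors
        // before passing control to SAML processor
        xmlString = reply.toString();
        if (debug.messageEnabled()) {
            debug.message("Response Message:\n" + xmlString);
        }
        // NOTE(review): the reply is parsed before its issuer is verified,
        // so getSAMLResponse must use a hardened XML parser (no DTD /
        // external entity expansion) -- confirm in SAML2SDKUtils.
        Response samlResponse = getSAMLResponse(xmlString);
        if (samlResponse == null) {
            // Previously an NPE here surfaced as a SAML2Exception with a
            // null message; report the condition explicitly instead.
            debug.error(classMethod + "no SAML response found in SOAP reply");
            throw new SAML2Exception(classMethod + "no SAML response found in SOAP reply");
        }
        Issuer responseIssuer = samlResponse.getIssuer();
        String issuerID = null;
        if (responseIssuer != null) {
            issuerID = responseIssuer.getValue().trim();
        }
        // Reject replies from anyone other than a PDP trusted by this PEP
        // before any further processing of the response.
        boolean isTrusted = verifyResponseIssuer(realm, pepEntityID, issuerID);
        if (!isTrusted) {
            if (debug.messageEnabled()) {
                debug.message(classMethod + "Issuer in Request is not valid.");
            }
            String[] args = { realm, pepEntityID, pdpEntityID };
            LogUtil.error(Level.INFO, LogUtil.INVALID_ISSUER_IN_PEP_REQUEST, args);
            throw new SAML2Exception("invalidIssuerInRequest");
        }
        xmlString = samlResponse.toXMLString(true, true);
        if (debug.messageEnabled()) {
            debug.message(classMethod + "Response: " + xmlString);
        }
        response = verifyResponse(realm, pepEntityID, samlResponse);
        if (debug.messageEnabled()) {
            debug.message(classMethod + "Response with decrypted Assertion: " + response.toXMLString(true, true));
        }
    } catch (SAML2Exception se) {
        // Re-wrapping as SAML2Exception(getMessage()) dropped the original
        // stack; the issuer-trust and verifyResponse failures now propagate
        // unchanged.
        if (debug.messageEnabled()) {
            debug.message(classMethod + "SAML2Exception ", se);
        }
        throw se;
    } catch (SOAPException soae) {
        if (debug.messageEnabled()) {
            debug.message(classMethod + "SOAPException :", soae);
        }
        throw new SAML2Exception(soae.getMessage());
    } catch (Exception e) {
        if (debug.messageEnabled()) {
            debug.message(classMethod + "Exception ", e);
        }
        throw new SAML2Exception(e.getMessage());
    }
    return response;
}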

Example 3 with XACMLAuthzDecisionQuery

use of com.sun.identity.xacml.saml2.XACMLAuthzDecisionQuery in project OpenAM by OpenRock.

the class XACMLRequestProcessor method createXACMLAuthzDecisionQuery.

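//TODO: clean up and fix
/**
 * Wraps an XACML context Request in a SAMLP XACMLAuthzDecisionQuery.
 *
 * <p>The ID, version, issue instant and Issuer set here are fixed
 * placeholder values. In the visible call path
 * ({@code processRequest} -> {@code QueryClient.processXACMLQuery}) the
 * query client replaces the ID, version, issue instant and Issuer before
 * sending, so only the destination and consent URIs reach the wire
 * unchanged; confirm before relying on any of them elsewhere.
 *
 * @param xacmlRequest XACML context Request to embed in the query
 * @return the populated XACMLAuthzDecisionQuery
 * @throws XACMLException if the query object cannot be created
 * @throws SAML2Exception if the SAML attributes cannot be set
 */
private XACMLAuthzDecisionQuery createXACMLAuthzDecisionQuery(Request xacmlRequest) throws XACMLException, SAML2Exception {
    XACMLAuthzDecisionQuery query = ContextFactory.getInstance().createXACMLAuthzDecisionQuery();
    query.setID("query-1");
    query.setVersion("2.0");
    query.setIssueInstant(new Date());
    query.setDestination("destination-uri");
    query.setConsent("consent-uri");
    Issuer issuer = AssertionFactory.getInstance().createIssuer();
    issuer.setValue("issuer-1");
    issuer.setNameQualifier("name-qualifier");
    //issuer.setSPProvidedID("sp-provided-id");
    // The original set SPNameQualifier twice with the same value.
    issuer.setSPNameQualifier("sp-name-qualifier");
    issuer.setFormat("format");
    query.setIssuer(issuer);
    query.setRequest(xacmlRequest);
    return query;
}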

Example 4 with XACMLAuthzDecisionQuery

use of com.sun.identity.xacml.saml2.XACMLAuthzDecisionQuery in project OpenAM by OpenRock.

the class XACMLRequestProcessor method processRequest.

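/**
 * Processes an XACML context Request and returns an XACML context
 * Response.
 *
 * <p>The request is wrapped in an XACMLAuthzDecisionQuery, sent to the
 * PDP through {@code QueryClient.processXACMLQuery}, and the XACML
 * Response is extracted from the XACMLAuthzDecisionStatement of the first
 * Assertion in the SAMLP reply.
 *
 * @param xacmlRequest XACML context Request. This describes the
 *        Resource(s), Subject(s), Action, Environment of the request
 *        and corresponds to XACML context schema element Request.
 *        One would construct this Request object using XACML client SDK.
 *
 * @param pdpEntityId EntityID of PDP
 * @param pepEntityId EntityID of PEP
 * @return XACML context Response. This corresponds to
 *               XACML context schema element Response; <code>null</code>
 *               when the reply carries no decision statement
 * @exception XACMLException if request could not be processed
 * @exception SAML2Exception if the SAMLP exchange with the PDP fails
 */
public Response processRequest(Request xacmlRequest, String pdpEntityId, String pepEntityId) throws XACMLException, SAML2Exception {
    if (XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message("XACMLRequestProcessor.processRequest(), entering" + ":pdpEntityId=" + pdpEntityId + ":pepEntityId=" + pepEntityId + ":xacmlRequest=\n" + xacmlRequest.toXMLString(true, true));
    }
    XACMLAuthzDecisionQuery samlpQuery = createXACMLAuthzDecisionQuery(xacmlRequest);
    //set InputContextOnly
    samlpQuery.setInputContextOnly(true);
    //set ReturnContext
    samlpQuery.setReturnContext(true);
    if (XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message("XACMLRequestProcessor.processRequest()," + "samlpQuery=\n" + samlpQuery.toXMLString(true, true));
    }
    com.sun.identity.saml2.protocol.Response samlpResponse = QueryClient.processXACMLQuery(samlpQuery, pepEntityId, pdpEntityId);
    if (samlpResponse == null) {
        // The query client can hand back null; treat it like a reply
        // without a decision statement instead of failing with an NPE.
        return null;
    }
    if (XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message("XACMLRequestProcessor.processRequest()," + ":samlpResponse=\n" + samlpResponse.toXMLString(true, true));
    }
    // NOTE(review): only the first assertion / first statement is
    // consulted and the SAML status of the reply is not examined here;
    // QueryClient.verifyResponse is relied on for signature and trust
    // checks -- confirm.
    List assertions = samlpResponse.getAssertion();
    if (assertions == null || assertions.isEmpty()) {
        return null;
    }
    Assertion assertion = (Assertion) assertions.get(0);
    if (assertion == null) {
        return null;
    }
    List statements = assertion.getStatements();
    if (statements == null || statements.isEmpty()) {
        return null;
    }
    String statementString = (String) statements.get(0);
    if (statementString == null) {
        return null;
    }
    XACMLAuthzDecisionStatement statement = ContextFactory.getInstance().createXACMLAuthzDecisionStatement(statementString);
    // Null-check before the debug dump; the original dereferenced the
    // statement first and tested it afterwards.
    if (statement == null) {
        return null;
    }
    if (XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message("XACMLRequestProcessor.processRequest()," + ":xacmlAuthzDecisionStatement=\n" + statement.toXMLString(true, true));
    }
    Response xacmlResponse = statement.getResponse();
    if (xacmlResponse != null && XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message("XACMLRequestProcessor.processRequest()" + ",returning :xacmlResponse=\n" + xacmlResponse.toXMLString(true, true));
    }
    return xacmlResponse;
}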
