
Example 1 with ApplicationType

use of com.tremolosecurity.config.xml.ApplicationType in project OpenUnison by TremoloSecurity.

Class LoadApplicationsFromK8s, method addObject.

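/**
 * Adds an application delivered as a Kubernetes object to the running configuration.
 *
 * <p>The object is re-serialised so that includes can be resolved, parsed back into JSON,
 * and the application is then created and its URLs initialised while holding the config
 * manager's monitor. Failures while creating or initialising the application are logged
 * rather than rethrown.
 *
 * @param cfg  the OpenUnison configuration being populated (not used by this method)
 * @param item the Kubernetes object describing the application
 * @throws ProvisioningException if the resolved JSON cannot be parsed, or it has no
 *     {@code metadata} object or no non-empty {@code metadata.name}
 */
@Override
public void addObject(TremoloType cfg, JSONObject item) throws ProvisioningException {
    String rawJson = item.toJSONString();
    // integrateIncludes writes the include-resolved document into the buffer.
    StringBuffer b = new StringBuffer();
    OpenUnisonConfigLoader.integrateIncludes(b, rawJson);
    JSONObject newRoot;
    try {
        newRoot = (JSONObject) new JSONParser().parse(b.toString());
    } catch (ParseException e) {
        throw new ProvisioningException("Could not parse application", e);
    }
    Object metadataObj = newRoot.get("metadata");
    if (!(metadataObj instanceof JSONObject)) {
        throw new ProvisioningException("No metadata");
    }
    JSONObject metadata = (JSONObject) metadataObj;
    Object nameObj = metadata.get("name");
    if (!(nameObj instanceof String) || ((String) nameObj).isEmpty()) {
        throw new ProvisioningException("No metadata name");
    }
    String name = (String) nameObj;
    logger.info("Adding application " + name);
    try {
        // Creation and URL initialisation happen under the config manager's monitor.
        synchronized (GlobalEntries.getGlobalEntries().getConfigManager()) {
            ApplicationType app = this.createApplication(item, name);
            GlobalEntries.getGlobalEntries().getConfigManager().initializeUrls(GlobalEntries.getGlobalEntries().getConfigManager().addApplication(app));
        }
    } catch (Exception e) {
        // Best effort: the problem is logged and loading continues.
        logger.warn("Could not initialize application " + name, e);
    }
}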

Example 2 with ApplicationType

use of com.tremolosecurity.config.xml.ApplicationType in project OpenUnison by TremoloSecurity.

Class OpenShiftTarget, method initRemoteOidc.

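/**
 * Loads the remote OpenID Connect settings for this target from its options and from the
 * named internal IdP application.
 *
 * <p>The application whose name equals the {@code oidcIdp} option supplies the signing-key
 * alias (its IdP parameter {@code jwtSigningKey}), the issuer host (first host of its first
 * URL, unless {@code oidcIssuerHost} is set) and the issuer URL
 * ({@code "https://" + host + uri}). If no application matches, these fields are left as
 * they were.
 *
 * @param cfg    target options keyed by name
 * @param cfgMgr configuration manager holding the loaded applications
 * @param name   the target's name (not used by this method)
 * @throws ProvisioningException if the matching application has no URL, or its first URL
 *     is not an identity provider
 */
private void initRemoteOidc(Map<String, Attribute> cfg, ConfigManager cfgMgr, String name) throws ProvisioningException {
    this.oidcIdp = this.loadOption("oidcIdp", cfg, false);
    this.oidcIssuerHost = this.loadOptionalAttributeValue("oidcIssuerHost", "oidcIssuerHost", cfg, null);
    this.oidcSub = this.loadOption("oidcSub", cfg, false);
    this.oidcAudience = this.loadOption("oidcAudience", cfg, false);
    for (ApplicationType at : cfgMgr.getCfg().getApplications().getApplication()) {
        if (!at.getName().equals(this.oidcIdp)) {
            continue;
        }
        // Fail with context instead of an IndexOutOfBounds/NPE on a mis-configured IdP.
        if (at.getUrls() == null || at.getUrls().getUrl().isEmpty()) {
            throw new ProvisioningException("OIDC IdP application '" + this.oidcIdp + "' has no URLs");
        }
        if (at.getUrls().getUrl().get(0).getIdp() == null) {
            throw new ProvisioningException("First URL of application '" + this.oidcIdp + "' is not an identity provider");
        }
        for (ParamType pt : at.getUrls().getUrl().get(0).getIdp().getParams()) {
            if ("jwtSigningKey".equals(pt.getName())) {
                this.oidcCertName = pt.getValue();
            }
        }
        // An explicit oidcIssuerHost option wins over the IdP URL's first host.
        if (this.oidcIssuerHost == null) {
            this.oidcIssuerHost = at.getUrls().getUrl().get(0).getHost().get(0);
        }
        this.oidcIssuer = "https://" + this.oidcIssuerHost + at.getUrls().getUrl().get(0).getUri();
    }
}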

Example 3 with ApplicationType

use of com.tremolosecurity.config.xml.ApplicationType in project OpenUnison by TremoloSecurity.

Class OpenUnisonUtils, method importIdpMetadata.

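/**
 * Imports a SAML service provider's metadata into an OpenUnison identity provider as a trust.
 *
 * <p>The SP metadata file named by the {@code pathToMetaData} option is parsed and a
 * {@link TrustType} is built from it: the SP descriptor's ID (or, failing that, the entity
 * ID) becomes the trust name; HTTP-POST assertion consumer services become
 * {@code httpPostRespURL} parameters; NameID formats become {@code defaultNameId} (first
 * format) and {@code nameIdMap} parameters; the SP's signing and encryption certificates are
 * stored in the keystore under aliases referenced by {@code spSigKey}/{@code spEncKey}.
 * Any existing trust with the same name on the IdP's first URL is replaced, then the
 * configuration and keystore are written back.
 *
 * @param options       CLI option definitions used to resolve option values
 * @param cmd           the parsed command line
 * @param unisonXMLFile path of the unison XML configuration to write
 * @param ttRead        configuration as read (not used by this method)
 * @param ttWrite       configuration that receives the trust and is persisted
 * @param ksPath        path of the keystore to persist
 * @param ks            keystore that receives the SP certificates
 * @throws Exception if the named IdP does not exist in {@code ttWrite} or the metadata has
 *     no SAML 2.0 SP descriptor
 */
private static void importIdpMetadata(Options options, CommandLine cmd, String unisonXMLFile, TremoloType ttRead, TremoloType ttWrite, String ksPath, KeyStore ks) throws ParserConfigurationException, SAXException, IOException, FileNotFoundException, UnmarshallingException, Exception, Base64DecodingException, CertificateException, KeyStoreException, NoSuchAlgorithmException, JAXBException, PropertyException {
    logger.info("Import SP Metadata into the IdP");
    logger.info("Loading Metadata...");
    String metadataFile = loadOption(cmd, "pathToMetaData", options);
    InitializationService.initialize();
    EntityDescriptor ed = loadEntityDescriptor(metadataFile);
    logger.info("Loading IdP...");
    String idpName = loadOption(cmd, "idpName", options);
    ApplicationType idp = null;
    for (ApplicationType app : ttWrite.getApplications().getApplication()) {
        if (app.getName().equalsIgnoreCase(idpName)) {
            idp = app;
        }
    }
    if (idp == null) {
        throw new Exception("IdP '" + idpName + "' not found");
    }
    SPSSODescriptor sp = ed.getSPSSODescriptor("urn:oasis:names:tc:SAML:2.0:protocol");
    if (sp == null) {
        throw new Exception("Metadata for '" + ed.getEntityID() + "' has no SAML 2.0 SPSSODescriptor");
    }
    TrustType trust = new TrustType();
    // The SP descriptor's own ID names the trust when present; otherwise the entity ID does.
    trust.setName(sp.getID() == null ? ed.getEntityID() : sp.getID());
    for (AssertionConsumerService svc : sp.getAssertionConsumerServices()) {
        if (svc.getBinding().equalsIgnoreCase("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")) {
            addTrustParam(trust, "httpPostRespURL", svc.getLocation());
        }
    }
    // WantAssertionsSigned is optional in metadata; absent means not requested.
    boolean wantAssertionsSigned = Boolean.TRUE.equals(sp.getWantAssertionsSigned());
    addTrustParam(trust, "signAssertion", Boolean.toString(wantAssertionsSigned));
    // The response is signed exactly when the assertion is not.
    addTrustParam(trust, "signResponse", Boolean.toString(!wantAssertionsSigned));
    boolean first = true;
    for (NameIDFormat nameid : sp.getNameIDFormats()) {
        if (first) {
            addTrustParam(trust, "defaultNameId", nameid.getFormat());
            first = false;
        }
        // The attribute side of the "format=attribute" mapping is left empty here.
        addTrustParam(trust, "nameIdMap", nameid.getFormat() + "=");
    }
    boolean encryptAssertion = false;
    boolean signAssertion = false;
    for (KeyDescriptor kd : sp.getKeyDescriptors()) {
        UsageType use = kd.getUse();
        // A key descriptor without an explicit use applies to both signing and encryption.
        boolean unspecified = use == null || use == UsageType.UNSPECIFIED;
        if (unspecified || use == UsageType.SIGNING) {
            String alias = "verify-" + ed.getEntityID() + "-sp-sig";
            storeSpCertificates(ks, alias, kd);
            addTrustParam(trust, "spSigKey", alias);
            signAssertion = true;
        }
        if (unspecified || use == UsageType.ENCRYPTION) {
            String alias = "verify-" + ed.getEntityID() + "-sp-enc";
            storeSpCertificates(ks, alias, kd);
            addTrustParam(trust, "spEncKey", alias);
            encryptAssertion = true;
        }
    }
    addTrustParam(trust, "encAssertion", Boolean.toString(encryptAssertion));
    // Keep every expected parameter present even when the SP published no key for it.
    if (!signAssertion) {
        addTrustParam(trust, "spSigKey", "");
    }
    if (!encryptAssertion) {
        addTrustParam(trust, "spEncKey", "");
    }
    addTrustParam(trust, "defaultAuthCtx", "");
    // Replace any existing trust of the same name on the IdP's first URL.
    java.util.List<TrustType> trusts = idp.getUrls().getUrl().get(0).getIdp().getTrusts().getTrust();
    TrustType cur = null;
    for (TrustType trustType : trusts) {
        if (trustType.getName().equals(trust.getName())) {
            cur = trustType;
            break;
        }
    }
    if (cur != null) {
        trusts.remove(cur);
    }
    trusts.add(trust);
    OpenUnisonUtils.storeMethod(unisonXMLFile, ttWrite, ksPath, ks);
}

/**
 * Parses the SP metadata document at {@code metadataFile} into an OpenSAML entity descriptor.
 *
 * <p>DTDs and external entity expansion are disabled so a crafted metadata file cannot
 * trigger XXE, and the file is handed to the parser as bytes so the document's own encoding
 * declaration is honoured.
 *
 * @param metadataFile path of the metadata XML file
 * @return the unmarshalled entity descriptor
 * @throws ParserConfigurationException if the parser does not support the hardening features
 * @throws SAXException if the document is not well-formed
 * @throws IOException if the file cannot be read
 * @throws UnmarshallingException if the DOM cannot be unmarshalled into an OpenSAML object
 */
private static EntityDescriptor loadEntityDescriptor(String metadataFile) throws ParserConfigurationException, SAXException, IOException, UnmarshallingException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    DocumentBuilder builder = factory.newDocumentBuilder();
    Element root;
    try (FileInputStream in = new FileInputStream(metadataFile)) {
        root = builder.parse(new InputSource(in)).getDocumentElement();
    }
    return (EntityDescriptor) XMLObjectSupport.getUnmarshaller(root).unmarshall(root);
}

/**
 * Stores the X.509 certificate(s) carried by a key descriptor in the keystore.
 *
 * <p>A single certificate is stored under {@code alias}; a chain is stored under
 * {@code alias-0}, {@code alias-1}, ... so that no entry overwrites another.
 *
 * @param ks    keystore to update
 * @param alias base alias for the entries
 * @param kd    key descriptor whose first X509Data/X509Certificate value is decoded
 * @throws CertificateException if the value holds no parseable certificate
 * @throws KeyStoreException if the keystore rejects the entry
 * @throws Base64DecodingException if the certificate value is not valid base64
 */
private static void storeSpCertificates(KeyStore ks, String alias, KeyDescriptor kd) throws Base64DecodingException, CertificateException, KeyStoreException {
    String base64 = kd.getKeyInfo().getX509Datas().get(0).getX509Certificates().get(0).getValue();
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    Collection<? extends Certificate> certs = cf.generateCertificates(new ByteArrayInputStream(Base64.decode(base64)));
    if (certs.isEmpty()) {
        throw new CertificateException("No certificate found in key descriptor for '" + alias + "'");
    }
    if (certs.size() == 1) {
        ks.setCertificateEntry(alias, certs.iterator().next());
        return;
    }
    int j = 0;
    for (Certificate certificate : certs) {
        ks.setCertificateEntry(alias + "-" + j, certificate);
        j++;
    }
}

/**
 * Appends a name/value parameter to the trust.
 *
 * @param trust trust to extend
 * @param name  parameter name
 * @param value parameter value
 */
private static void addTrustParam(TrustType trust, String name, String value) {
    ParamType pt = new ParamType();
    pt.setName(name);
    pt.setValue(value);
    trust.getParam().add(pt);
}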

Example 4 with ApplicationType

use of com.tremolosecurity.config.xml.ApplicationType in project OpenUnison by TremoloSecurity.

Class UnisonConfigManagerImpl, method deleteApp.

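/**
 * Removes an application from the running configuration.
 *
 * <p>The application's URL holders are dropped from the per-application and per-host
 * indexes, the application is removed from the configuration and from the app registry,
 * and, if it is an identity provider rather than an application, it is unregistered from the
 * IdP registry. An unknown name only clears the app registry entry.
 *
 * @param name name of the application to delete
 */
@Override
public void deleteApp(String name) {
    ApplicationType appToDel = null;
    for (ApplicationType app : this.cfg.getApplications().getApplication()) {
        if (!app.getName().equals(name)) {
            continue;
        }
        appToDel = app;
        List<UrlHolder> appURLs = this.appUrls.remove(app.getName());
        if (appURLs == null) {
            continue;
        }
        // Group the application's URL holders by host so each host list is touched once.
        Map<String, List<UrlHolder>> urlsByHost = new HashMap<String, List<UrlHolder>>();
        for (UrlHolder url : appURLs) {
            for (String host : url.getUrl().getHost()) {
                List<UrlHolder> urlsForHost = urlsByHost.get(host);
                if (urlsForHost == null) {
                    urlsForHost = new ArrayList<UrlHolder>();
                    urlsByHost.put(host, urlsForHost);
                }
                urlsForHost.add(url);
            }
        }
        for (Map.Entry<String, List<UrlHolder>> byHostEntry : urlsByHost.entrySet()) {
            List<UrlHolder> urls = this.byHost.get(byHostEntry.getKey());
            if (urls != null) {
                urls.removeAll(byHostEntry.getValue());
            }
        }
    }
    this.apps.remove(name);
    if (appToDel == null) {
        // Nothing matched, so there is no configuration entry or IdP registration to drop.
        return;
    }
    this.cfg.getApplications().getApplication().remove(appToDel);
    if (!appToDel.isIsApp()) {
        IDP.getIdp().removeIdP(name);
    }
}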

Example 5 with ApplicationType

use of com.tremolosecurity.config.xml.ApplicationType in project OpenUnison by TremoloSecurity.

Class PreAuthFilter, method initFilter.

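/**
 * Reads the filter's configuration and resolves where pre-authenticated requests are sent.
 *
 * <p>When {@code postSAML} is {@code true}, the target is the first trust of the IdP
 * application named by {@code idpName}: signing flags, the assertion consumer URL, NameID
 * settings and the authentication context come from that trust's parameters, the IdP's
 * {@code sigKey} parameter becomes the signing key alias, and the issuer is built as
 * {@code http[s]://issuerHost[:issuerPort]/auth/idp/idpName}. Otherwise the target is the
 * {@code url} attribute. In both cases the LastMile filter configured on the target URL
 * supplies the encryption key alias, header name and login attribute.
 *
 * @param config filter configuration supplied by the proxy
 * @throws Exception if a required attribute is missing, the IdP application or the target
 *     URL is not configured, or the target URL is malformed
 */
@Override
public void initFilter(HttpFilterConfig config) throws Exception {
    this.postSAML = "true".equalsIgnoreCase(optionalAttribute(config, "postSAML"));
    if (this.postSAML) {
        String idpName = requiredAttribute(config, "idpName");
        ApplicationType app = config.getConfigManager().getApp(idpName);
        if (app == null) {
            throw new Exception("IdP application '" + idpName + "' not found");
        }
        IdpType idp = app.getUrls().getUrl().get(0).getIdp();
        for (ParamType pt : idp.getParams()) {
            if (pt.getName().equalsIgnoreCase("sigKey")) {
                this.keyAlias = pt.getValue();
            }
        }
        // Only the IdP's first trust is consulted.
        TrustType tt = idp.getTrusts().getTrust().get(0);
        for (ParamType pt : tt.getParam()) {
            String paramName = pt.getName();
            if (paramName.equalsIgnoreCase("signResponse")) {
                this.signResponse = pt.getValue().equalsIgnoreCase("true");
            } else if (paramName.equalsIgnoreCase("signAssertion")) {
                this.signAssertion = pt.getValue().equalsIgnoreCase("true");
            } else if (paramName.equalsIgnoreCase("httpPostRespURL")) {
                this.assertionConsumerURL = pt.getValue();
            } else if (paramName.equalsIgnoreCase("defaultNameId")) {
                this.nameIDType = pt.getValue();
            } else if (paramName.equalsIgnoreCase("nameIdMap")) {
                // Value has the form "format=attribute"; keep the attribute side.
                this.nameIDAttribute = pt.getValue().substring(pt.getValue().indexOf('=') + 1);
            } else if (paramName.equalsIgnoreCase("defaultAuthCtx")) {
                this.authnCtxClassRef = pt.getValue();
            }
        }
        String issuerHost = requiredAttribute(config, "issuerHost");
        String issuerPort = requiredAttribute(config, "issuerPort");
        boolean issuerSSL = requiredAttribute(config, "issuerSSL").equalsIgnoreCase("true");
        this.issuer = buildIssuer(issuerHost, issuerPort, issuerSSL, idpName);
        this.audience = tt.getName();
        this.relayState = requiredAttribute(config, "relayState");
        InitializationService.initialize();
        this.url = this.assertionConsumerURL;
    } else {
        this.url = requiredAttribute(config, "url");
    }
    URL nurl = new URL(this.url);
    this.uri = nurl.getPath();
    if (config.getConfigManager().findURL(this.url) == null) {
        throw new Exception("No URL configuration found for '" + this.url + "'");
    }
    UrlType urlCfg = config.getConfigManager().findURL(this.url).getUrl();
    for (FilterConfigType filterCfg : urlCfg.getFilterChain().getFilter()) {
        if (!filterCfg.getClazz().equalsIgnoreCase("com.tremolosecurity.proxy.filters.LastMile")) {
            continue;
        }
        for (ParamWithValueType pt : filterCfg.getParam()) {
            if (pt.getName().equalsIgnoreCase("encKeyAlias")) {
                this.lastMileKeyAlias = pt.getValue();
            } else if (pt.getName().equalsIgnoreCase("headerName")) {
                this.headerName = pt.getValue();
            } else if (pt.getName().equalsIgnoreCase("userAttribute")) {
                this.loginAttribute = pt.getValue();
            }
        }
        // Second pass: "attribs" entries of the form fromUser=toApp rename the header,
        // which is only possible once headerName is known from the first pass.
        for (ParamWithValueType pt : filterCfg.getParam()) {
            if (!pt.getName().equalsIgnoreCase("attribs")) {
                continue;
            }
            String param = pt.getValue();
            int eq = param.indexOf('=');
            if (eq < 0) {
                logger.warn("Ignoring malformed LastMile attribs mapping '" + param + "'");
                continue;
            }
            String fromUser = param.substring(0, eq);
            String toApp = param.substring(eq + 1);
            if (fromUser.equalsIgnoreCase(this.headerName)) {
                this.headerName = toApp;
            }
        }
    }
    logger.info("URL : '" + this.url + "'");
    logger.info("Key Alias : '" + this.lastMileKeyAlias + "'");
    logger.info("Login ID Attribute : '" + this.loginAttribute + "'");
    logger.info("Header Attribute : '" + this.headerName + "'");
    if (this.postSAML) {
        logger.info("Saml : true");
        logger.info("Issuer : " + this.issuer);
    }
}

/**
 * Returns the first value of a filter attribute, or {@code null} when the attribute is
 * absent or has no values.
 *
 * @param config filter configuration
 * @param name   attribute name
 * @return the first value, or {@code null}
 */
private static String optionalAttribute(HttpFilterConfig config, String name) {
    if (config.getAttribute(name) == null) {
        return null;
    }
    java.util.List<String> values = config.getAttribute(name).getValues();
    if (values == null || values.isEmpty()) {
        return null;
    }
    return values.get(0);
}

/**
 * Returns the first value of a filter attribute, failing with the attribute's name instead
 * of a bare NullPointerException when it is missing.
 *
 * @param config filter configuration
 * @param name   attribute name
 * @return the first value
 * @throws IllegalArgumentException if the attribute is absent or has no values
 */
private static String requiredAttribute(HttpFilterConfig config, String name) {
    String value = optionalAttribute(config, name);
    if (value == null) {
        throw new IllegalArgumentException("Missing required filter attribute '" + name + "'");
    }
    return value;
}

/**
 * Builds the SAML issuer URL {@code http[s]://issuerHost[:issuerPort]/auth/idp/idpName}.
 *
 * @param issuerHost host name of the issuer
 * @param issuerPort port, or empty to omit it
 * @param issuerSSL  whether to use the https scheme
 * @param idpName    name of the IdP application
 * @return the issuer URL
 */
private static String buildIssuer(String issuerHost, String issuerPort, boolean issuerSSL, String idpName) {
    StringBuilder b = new StringBuilder(issuerSSL ? "https://" : "http://");
    b.append(issuerHost);
    if (!issuerPort.isEmpty()) {
        b.append(':').append(issuerPort);
    }
    b.append("/auth/idp/").append(idpName);
    return b.toString();
}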
