use of com.tremolosecurity.config.xml.ParamWithValueType in project OpenUnison by TremoloSecurity.
the class PreAuthFilter method initFilter.
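/**
 * Loads this filter's configuration.
 * <p>
 * When the {@code postSAML} attribute is {@code true}, the target URL and the
 * SAML settings (signing key alias, sign-response / sign-assertion flags,
 * assertion consumer URL, NameID type and attribute, authentication context,
 * issuer, audience and relay state) are derived from the IdP application named
 * by {@code idpName}; otherwise the target is simply the {@code url} attribute.
 * In both cases the proxy's URL configuration for the target is scanned for a
 * LastMile filter, whose parameters supply the last-mile key alias, the header
 * name and the login attribute.
 *
 * @param config the filter configuration
 * @throws Exception if a required attribute is missing, the IdP application or
 *                   its assertion consumer URL is not configured, an
 *                   {@code attribs} mapping is malformed, or the target URL
 *                   cannot be parsed
 */
@Override
public void initFilter(HttpFilterConfig config) throws Exception {
    this.postSAML = "true".equalsIgnoreCase(firstValueOrNull(config, "postSAML"));

    if (this.postSAML) {
        String idpName = firstValueOrFail(config, "idpName");
        ApplicationType app = config.getConfigManager().getApp(idpName);
        if (app == null) {
            throw new Exception("idpName '" + idpName + "' does not exist");
        }
        IdpType idp = app.getUrls().getUrl().get(0).getIdp();

        // The signing key alias is a parameter of the IdP itself.
        for (ParamType pt : idp.getParams()) {
            if (pt.getName().equalsIgnoreCase("sigKey")) {
                this.keyAlias = pt.getValue();
            }
        }

        // The remaining SAML settings come from the IdP's first trust.
        TrustType tt = idp.getTrusts().getTrust().get(0);
        for (ParamType pt : tt.getParam()) {
            String name = pt.getName();
            String value = pt.getValue();
            if (name.equalsIgnoreCase("signResponse")) {
                this.signResponse = value.equalsIgnoreCase("true");
            } else if (name.equalsIgnoreCase("signAssertion")) {
                this.signAssertion = value.equalsIgnoreCase("true");
            } else if (name.equalsIgnoreCase("httpPostRespURL")) {
                this.assertionConsumerURL = value;
            } else if (name.equalsIgnoreCase("defaultNameId")) {
                this.nameIDType = value;
            } else if (name.equalsIgnoreCase("nameIdMap")) {
                // Only the text after the first '=' is kept as the NameID attribute.
                this.nameIDAttribute = value.substring(value.indexOf('=') + 1);
            } else if (name.equalsIgnoreCase("defaultAuthCtx")) {
                this.authnCtxClassRef = value;
            }
        }

        // The issuer is this server's own IdP endpoint for idpName.
        String issuerHost = firstValueOrFail(config, "issuerHost");
        String issuerPort = firstValueOrFail(config, "issuerPort");
        boolean issuerSSL = firstValueOrFail(config, "issuerSSL").equalsIgnoreCase("true");
        StringBuilder issuerUrl = new StringBuilder(issuerSSL ? "https://" : "http://");
        issuerUrl.append(issuerHost);
        if (!issuerPort.isEmpty()) {
            issuerUrl.append(':').append(issuerPort);
        }
        issuerUrl.append("/auth/idp/").append(idpName);
        this.issuer = issuerUrl.toString();

        this.audience = tt.getName();
        this.relayState = firstValueOrFail(config, "relayState");
        InitializationService.initialize();

        if (this.assertionConsumerURL == null) {
            throw new Exception("httpPostRespURL not set on trust '" + tt.getName() + "'");
        }
        this.url = this.assertionConsumerURL;
    } else {
        this.url = firstValueOrFail(config, "url");
    }

    this.uri = new URL(this.url).getPath();

    // Pull the last-mile settings from the LastMile filter configured on the target URL.
    UrlType urlCfg = config.getConfigManager().findURL(this.url).getUrl();
    for (FilterConfigType filterCfg : urlCfg.getFilterChain().getFilter()) {
        if (!filterCfg.getClazz().equalsIgnoreCase("com.tremolosecurity.proxy.filters.LastMile")) {
            continue;
        }

        // First pass: the last-mile parameters themselves.
        for (ParamWithValueType pt : filterCfg.getParam()) {
            if (pt.getName().equalsIgnoreCase("encKeyAlias")) {
                this.lastMileKeyAlias = pt.getValue();
            } else if (pt.getName().equalsIgnoreCase("headerName")) {
                this.headerName = pt.getValue();
            } else if (pt.getName().equalsIgnoreCase("userAttribute")) {
                this.loginAttribute = pt.getValue();
            }
        }

        // Second pass (must run after the first so headerName is known):
        // an 'attribs' entry of the form fromUser=toApp renames the header.
        for (ParamWithValueType pt : filterCfg.getParam()) {
            if (!pt.getName().equalsIgnoreCase("attribs")) {
                continue;
            }
            String mapping = pt.getValue();
            int eq = mapping.indexOf('=');
            if (eq < 0) {
                throw new Exception("attribs entry '" + mapping + "' must be of the form fromUser=toApp");
            }
            String fromUser = mapping.substring(0, eq);
            String toApp = mapping.substring(eq + 1);
            if (fromUser.equalsIgnoreCase(this.headerName)) {
                this.headerName = toApp;
            }
        }
    }

    // Only aliases and attribute names are logged, never key material.
    logger.info("URL : '" + this.url + "'");
    logger.info("Key Alias : '" + this.lastMileKeyAlias + "'");
    logger.info("Login ID Attribute : '" + this.loginAttribute + "'");
    logger.info("Header Attribute : '" + this.headerName + "'");
    if (this.postSAML) {
        logger.info("Saml : true");
        logger.info("Issuer : " + this.issuer);
    }
}

/**
 * Returns the first value of the attribute {@code name}, or {@code null} when
 * the attribute is absent or has no values.
 */
private static String firstValueOrNull(HttpFilterConfig config, String name) {
    if (config.getAttribute(name) == null) {
        return null;
    }
    java.util.List<String> values = config.getAttribute(name).getValues();
    return values.isEmpty() ? null : values.get(0);
}

/**
 * Returns the first value of the required attribute {@code name}.
 *
 * @throws Exception if the attribute is absent or has no values
 */
private static String firstValueOrFail(HttpFilterConfig config, String name) throws Exception {
    String value = firstValueOrNull(config, name);
    if (value == null) {
        throw new Exception(name + " not set");
    }
    return value;
}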
use of com.tremolosecurity.config.xml.ParamWithValueType in project OpenUnison by TremoloSecurity.
the class ScaleJSOperator method initFilter.
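/**
 * Builds the operator configuration from the filter attributes.
 * <p>
 * {@code bases}, {@code searchableAttributes} and {@code resultAttributes}
 * are multi-valued, each value of the form {@code name=label}. The ScaleJS
 * main URL is located by application name ({@code scaleMainAppName}) and URI
 * ({@code scaleMainURI}); its ScaleMain filter supplies the optional UI
 * decision helper ({@code uiHelperClassName}) and that helper's parameters
 * ({@code uihelper.params}, again {@code name=value}).
 *
 * @param config the filter configuration
 * @throws Exception if a required attribute is missing or malformed, the
 *                   application or URL cannot be found, or the helper class
 *                   cannot be loaded or instantiated
 */
@Override
public void initFilter(HttpFilterConfig config) throws Exception {
    this.config = new OperatorsConfig();

    Attribute bases = config.getAttribute("bases");
    if (bases == null) {
        throw new Exception("bases not set");
    }
    for (String base : bases.getValues()) {
        String[] labelAndDn = splitLabelPair(base, "bases");
        this.config.getBaseLabelToDN().put(labelAndDn[0], labelAndDn[1]);
        this.config.getSearchBases().add(labelAndDn[0]);
    }

    Attribute attr = config.getAttribute("searchableAttributes");
    if (attr == null) {
        throw new Exception("searchableAttributes not found");
    }
    for (String searchable : attr.getValues()) {
        String[] nameAndLabel = splitLabelPair(searchable, "searchableAttributes");
        this.config.getSearchableAttributes().add(new AttributeConfig(nameAndLabel[0], nameAndLabel[1], ""));
    }

    attr = config.getAttribute("resultAttributes");
    if (attr == null) {
        throw new Exception("resultAttributes not found");
    }
    for (String resultAttr : attr.getValues()) {
        String[] nameAndLabel = splitLabelPair(resultAttr, "resultAttributes");
        this.config.getResultsAttributes().add(new AttributeConfig(nameAndLabel[0], nameAndLabel[1], ""));
    }

    this.config.setScaleJsMainUri(this.loadAttributeValue("scaleMainURI", "Scale Main URI", config));
    this.config.setHomeUrl(this.loadAttributeValue("homeUrl", "Home URL", config));
    this.scalejsAppName = this.loadAttributeValue("scaleMainAppName", "Scale Main Application", config);

    // Locate the application hosting ScaleJS (the last name match wins).
    ApplicationType app = null;
    for (ApplicationType at : config.getConfigManager().getCfg().getApplications().getApplication()) {
        if (at.getName().equalsIgnoreCase(scalejsAppName)) {
            app = at;
        }
    }
    if (app == null) {
        throw new Exception(scalejsAppName + " does not exist");
    }

    // ... and its ScaleJS main URL (again, the last URI match wins).
    for (UrlType url : app.getUrls().getUrl()) {
        if (url.getUri().equalsIgnoreCase(this.config.getScaleJsMainUri())) {
            this.scaleJsUrl = url;
        }
    }
    if (this.scaleJsUrl == null) {
        throw new Exception("Could not find url for ScaleJS Main");
    }
    this.scaleMainURL = "https://" + this.scaleJsUrl.getHost().get(0) + this.scaleJsUrl.getUri();

    // The ScaleMain filter on that URL carries the UI decision helper and its parameters.
    HashMap<String, Attribute> decCfg = new HashMap<String, Attribute>();
    for (FilterConfigType filter : this.scaleJsUrl.getFilterChain().getFilter()) {
        if (!filter.getClazz().equalsIgnoreCase("com.tremolosecurity.scalejs.ws.ScaleMain")) {
            continue;
        }
        for (ParamWithValueType pt : filter.getParam()) {
            if (pt.getName().equalsIgnoreCase("uiHelperClassName")) {
                // The class name comes from the deployment configuration and is
                // instantiated through its public no-arg constructor.
                this.dec = (UiDecisions) Class.forName(pt.getValue()).getDeclaredConstructor().newInstance();
            } else if (pt.getName().equalsIgnoreCase("uihelper.params")) {
                String[] nameAndValue = splitLabelPair(pt.getValue(), "uihelper.params");
                Attribute param = decCfg.get(nameAndValue[0]);
                if (param == null) {
                    param = new Attribute(nameAndValue[0]);
                    decCfg.put(nameAndValue[0], param);
                }
                param.getValues().add(nameAndValue[1]);
            }
        }
    }

    if (this.dec != null) {
        this.dec.init(decCfg);
    }
}

/**
 * Splits {@code raw} at its first {@code '='} into {@code {before, after}}.
 *
 * @param raw           the configured value
 * @param attributeName the attribute the value came from, for the error message
 * @throws Exception if {@code raw} contains no {@code '='}
 */
private static String[] splitLabelPair(String raw, String attributeName) throws Exception {
    int eq = raw.indexOf('=');
    if (eq < 0) {
        throw new Exception(attributeName + " value '" + raw + "' must be of the form name=value");
    }
    return new String[] { raw.substring(0, eq), raw.substring(eq + 1) };
}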
use of com.tremolosecurity.config.xml.ParamWithValueType in project OpenUnison by TremoloSecurity.
the class AuthManagerImpl method buildMechList.
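/**
 * Flattens a chain's mechanism list: every mechanism whose class is
 * {@code com.tremolosecurity.proxy.auth.IncludeChain} is replaced by the
 * (recursively flattened) mechanisms of the chain named by its first
 * parameter; all other mechanisms are kept as-is. A chain that cannot be
 * found is replaced by the configured fail chain.
 *
 * @param origMechs the mechanisms as configured
 * @param cfg       configuration used to resolve mechanisms and chains
 * @return a new list with all includes expanded
 */
private static List<AuthMechType> buildMechList(List<AuthMechType> origMechs, ConfigManager cfg) {
    return buildMechList(origMechs, cfg, new ArrayList<String>());
}

/**
 * Recursive worker for {@link #buildMechList(List, ConfigManager)}.
 *
 * @param includePath names of the chains currently being expanded, innermost
 *                    last; an include naming one of them is a cycle and is
 *                    skipped instead of recursing forever
 */
private static List<AuthMechType> buildMechList(List<AuthMechType> origMechs, ConfigManager cfg, List<String> includePath) {
    List<AuthMechType> flattened = new ArrayList<AuthMechType>();
    for (AuthMechType amt : origMechs) {
        MechanismType mt = cfg.getAuthMechs().get(amt.getName());
        boolean isInclude = mt != null
                && mt.getClassName().trim().equalsIgnoreCase("com.tremolosecurity.proxy.auth.IncludeChain");
        if (!isInclude) {
            flattened.add(amt);
            continue;
        }

        // The first parameter names the chain to include; element text takes
        // precedence over the value attribute when both are set.
        String chainName = null;
        if (amt.getParams() != null && !amt.getParams().getParam().isEmpty()) {
            ParamWithValueType pt = amt.getParams().getParam().get(0);
            chainName = (pt.getValue() != null && !pt.getValue().isBlank()) ? pt.getValue() : pt.getValueAttribute();
        }

        if (includePath.contains(chainName)) {
            logger.warn("Include cycle detected for chain '" + chainName + "' via " + includePath + ", skipping include");
            continue;
        }

        AuthChainType toInclude = chainName == null ? null : cfg.getAuthChains().get(chainName);
        if (toInclude == null) {
            logger.warn(new StringBuilder().append("Could not load chain '").append(chainName).append("', forcing to fail").toString());
            toInclude = cfg.getAuthFailChain();
        }

        includePath.add(chainName);
        try {
            flattened.addAll(buildMechList(toInclude.getAuthMech(), cfg, includePath));
        } finally {
            includePath.remove(includePath.size() - 1);
        }
    }
    return flattened;
}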
use of com.tremolosecurity.config.xml.ParamWithValueType in project OpenUnison by TremoloSecurity.
the class SAML2Auth method procLogoutResp.
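/**
 * Handles a SAML 2.0 {@code LogoutResponse} received over the HTTP-Redirect binding.
 * <p>
 * The response's issuer is matched against the {@code entityID} parameter of the
 * configured authentication mechanisms to find the IdP's signing keys
 * ({@code idpSigKeyName}), signature algorithm ({@code sigAlg}) and post-logout
 * target ({@code logoutURL}). If the request carries a {@code Signature}
 * parameter, the algorithm named in {@code SigAlg} must be the configured one and
 * the signature is verified over the raw {@code SAMLResponse}, {@code RelayState}
 * (when present) and {@code SigAlg} query parameters against each configured key
 * until one verifies. The user is then redirected to the logout URL.
 *
 * @param request    the incoming request; its raw query string is the signed data
 * @param response   the response the redirect is written to
 * @param factory    XML parser factory used to parse {@code saml}
 * @param saml       the decoded LogoutResponse XML
 * @param relayState unused
 * @param url        unused
 * @return the logout URL the user was redirected to
 * @throws ServletException if no mechanism is configured for the issuer, or no
 *                          logout URL is configured for it
 * @throws Exception if {@code SigAlg} is missing or not the configured algorithm,
 *                   or the signature verifies against none of the configured keys
 */
private String procLogoutResp(HttpServletRequest request, HttpServletResponse response, DocumentBuilderFactory factory, String saml, String relayState, String url) throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, Exception, UnsupportedEncodingException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, ServletException {
    LogoutResponseUnmarshaller unmarshaller = new LogoutResponseUnmarshaller();
    DocumentBuilder builder = factory.newDocumentBuilder();
    Element root = builder.parse(new InputSource(new StringReader(saml))).getDocumentElement();
    LogoutResponse logout = (LogoutResponse) unmarshaller.unmarshall(root);
    String issuer = logout.getIssuer().getValue();

    boolean found = false;
    String algType = null;
    String logoutURL = null;
    List<String> sigKeys = new ArrayList<String>();

    // Search for the mechanism whose entityID matches the response issuer.
    // A parameter's element text takes precedence over its value attribute.
    chains:
    for (String chainname : cfgMgr.getAuthChains().keySet()) {
        AuthChainType act = cfgMgr.getAuthChains().get(chainname);
        for (AuthMechType amt : act.getAuthMech()) {
            for (ParamWithValueType pt : amt.getParams().getParam()) {
                String value = pt.getValue();
                if (value == null || value.isBlank()) {
                    value = pt.getValueAttribute();
                }
                if (!pt.getName().equalsIgnoreCase("entityID") || value == null || !value.equalsIgnoreCase(issuer)) {
                    continue;
                }

                // found the correct mechanism: collect its signing settings
                found = true;
                for (ParamWithValueType ptx : amt.getParams().getParam()) {
                    String valuex = ptx.getValue();
                    if (valuex == null || valuex.isBlank()) {
                        valuex = ptx.getValueAttribute();
                    }
                    if (ptx.getName().equalsIgnoreCase("sigAlg")) {
                        algType = valuex;
                    } else if (ptx.getName().equalsIgnoreCase("logoutURL")) {
                        logoutURL = valuex;
                    } else if (ptx.getName().equalsIgnoreCase("idpSigKeyName")) {
                        sigKeys.add(valuex);
                    }
                }
                break chains;
            }
        }
    }
    if (!found) {
        throw new ServletException("Entity ID '" + issuer + "' not found");
    }

    // NOTE(review): when the IdP sends no Signature parameter, no signature
    // check happens at all and the redirect below still proceeds; this method
    // does not require the response to be signed — confirm that against the
    // trust configuration of the deployment.
    String authnSig = request.getParameter("Signature");
    if (authnSig != null) {
        String sigAlg = request.getParameter("SigAlg");
        if (sigAlg == null) {
            throw new Exception("Missing SigAlg parameter");
        }
        // The algorithm the IdP claims must be the one configured for it, so the
        // peer cannot pick the algorithm the signature is checked with.
        String xmlAlg = SAML2Auth.xmlDigSigAlgs.get(algType);
        if (!sigAlg.equalsIgnoreCase(xmlAlg)) {
            throw new Exception("Invalid signature algorithm : '" + sigAlg + "'");
        }

        // Rebuild the signed data from the raw, still-encoded query parameters in
        // binding order; RelayState only takes part when the IdP sent one.
        String qs = request.getQueryString();
        StringBuilder query = new StringBuilder();
        query.append(OpenSAMLUtils.getRawQueryStringParameter(qs, "SAMLResponse"));
        query.append('&');
        if (request.getParameter("RelayState") != null) {
            query.append(OpenSAMLUtils.getRawQueryStringParameter(qs, "RelayState"));
            query.append('&');
        }
        query.append(OpenSAMLUtils.getRawQueryStringParameter(qs, "SigAlg"));
        byte[] signedData = query.toString().getBytes("UTF-8");
        byte[] signature = Base64.decodeBase64(authnSig.getBytes("UTF-8"));

        // NOTE(review): the original carried a disabled check of logout.getDestination()
        // against request.getRequestURL(); it remains disabled here.
        /*if (! logout.getDestination().equals(request.getRequestURL().toString())) {
        throw new Exception("Invalid destination");
        }*/

        boolean validated = false;
        for (String sigKeyName : sigKeys) {
            java.security.cert.X509Certificate cert = this.cfgMgr.getCertificate(sigKeyName);
            if (cert == null) {
                continue;
            }
            java.security.Signature sigv = java.security.Signature.getInstance(SAML2Auth.javaDigSigAlgs.get(algType));
            sigv.initVerify(cert.getPublicKey());
            sigv.update(signedData);
            if (sigv.verify(signature)) {
                validated = true;
                break;
            }
        }
        if (!validated) {
            throw new Exception("Signature verification failed");
        }
    }

    if (logoutURL == null) {
        throw new ServletException("No logoutURL configured for entity ID '" + issuer + "'");
    }
    response.sendRedirect(logoutURL);
    return logoutURL;
}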
use of com.tremolosecurity.config.xml.ParamWithValueType in project OpenUnison by TremoloSecurity.
the class SAML2Auth method procLogoutReq.
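/**
 * Handles an IdP-initiated SAML 2.0 {@code LogoutRequest} received over the
 * HTTP-Redirect binding.
 * <p>
 * The request's issuer is matched against the {@code entityID} parameter of the
 * configured authentication mechanisms to find the IdP's signing keys
 * ({@code idpSigKeyName}), signature algorithm ({@code sigAlg}) and the URL that
 * triggers the local logout ({@code triggerLogoutURL}). If the request carries a
 * {@code Signature} parameter, the algorithm named in {@code SigAlg} must be the
 * configured one and the signature is verified over the raw {@code SAMLRequest},
 * {@code RelayState} (when present) and {@code SigAlg} query parameters against
 * each configured key until one verifies. The user is then redirected to the
 * trigger URL with the request ID passed as {@code logoutreq}.
 *
 * @param request    the incoming request; its raw query string is the signed data
 * @param response   the response the redirect is written to
 * @param factory    XML parser factory used to parse {@code saml}
 * @param saml       the decoded LogoutRequest XML
 * @param relayState unused
 * @param url        unused
 * @return always {@code null}
 * @throws ServletException if no mechanism is configured for the issuer, or no
 *                          trigger URL is configured for it
 * @throws Exception if {@code SigAlg} is missing or not the configured algorithm,
 *                   or the signature verifies against none of the configured keys
 */
private String procLogoutReq(HttpServletRequest request, HttpServletResponse response, DocumentBuilderFactory factory, String saml, String relayState, String url) throws ParserConfigurationException, SAXException, IOException, UnmarshallingException, Exception, UnsupportedEncodingException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, ServletException {
    LogoutRequestUnmarshaller unmarshaller = new LogoutRequestUnmarshaller();
    DocumentBuilder builder = factory.newDocumentBuilder();
    Element root = builder.parse(new InputSource(new StringReader(saml))).getDocumentElement();
    org.opensaml.saml.saml2.core.impl.LogoutRequestImpl logout = (org.opensaml.saml.saml2.core.impl.LogoutRequestImpl) unmarshaller.unmarshall(root);
    String issuer = logout.getIssuer().getValue();

    boolean found = false;
    String algType = null;
    String logoutURL = null;
    List<String> sigKeys = new ArrayList<String>();

    // Search for the mechanism whose entityID matches the request issuer.
    // A parameter's element text takes precedence over its value attribute.
    chains:
    for (String chainname : cfgMgr.getAuthChains().keySet()) {
        AuthChainType act = cfgMgr.getAuthChains().get(chainname);
        for (AuthMechType amt : act.getAuthMech()) {
            for (ParamWithValueType pt : amt.getParams().getParam()) {
                String value = pt.getValue();
                if (value == null || value.isBlank()) {
                    value = pt.getValueAttribute();
                }
                if (!pt.getName().equalsIgnoreCase("entityID") || value == null || !value.equalsIgnoreCase(issuer)) {
                    continue;
                }

                // found the correct mechanism: collect its signing settings
                found = true;
                for (ParamWithValueType ptx : amt.getParams().getParam()) {
                    String valuex = ptx.getValue();
                    if (valuex == null || valuex.isBlank()) {
                        valuex = ptx.getValueAttribute();
                    }
                    if (ptx.getName().equalsIgnoreCase("sigAlg")) {
                        algType = valuex;
                    } else if (ptx.getName().equalsIgnoreCase("triggerLogoutURL")) {
                        logoutURL = valuex;
                    } else if (ptx.getName().equalsIgnoreCase("idpSigKeyName")) {
                        sigKeys.add(valuex);
                    }
                }
                break chains;
            }
        }
    }
    if (!found) {
        throw new ServletException("Entity ID '" + issuer + "' not found");
    }

    // NOTE(review): when the IdP sends no Signature parameter, no signature
    // check happens at all and the redirect below still proceeds; this method
    // does not require the request to be signed — confirm that against the
    // trust configuration of the deployment.
    String authnSig = request.getParameter("Signature");
    if (authnSig != null) {
        String sigAlg = request.getParameter("SigAlg");
        if (sigAlg == null) {
            throw new Exception("Missing SigAlg parameter");
        }
        // The algorithm the IdP claims must be the one configured for it, so the
        // peer cannot pick the algorithm the signature is checked with.
        String xmlAlg = SAML2Auth.xmlDigSigAlgs.get(algType);
        if (!sigAlg.equalsIgnoreCase(xmlAlg)) {
            throw new Exception("Invalid signature algorithm : '" + sigAlg + "'");
        }

        // Rebuild the signed data from the raw, still-encoded query parameters in
        // binding order; RelayState only takes part when the IdP sent one.
        String qs = request.getQueryString();
        StringBuilder query = new StringBuilder();
        query.append(OpenSAMLUtils.getRawQueryStringParameter(qs, "SAMLRequest"));
        query.append('&');
        if (request.getParameter("RelayState") != null) {
            query.append(OpenSAMLUtils.getRawQueryStringParameter(qs, "RelayState"));
            query.append('&');
        }
        query.append(OpenSAMLUtils.getRawQueryStringParameter(qs, "SigAlg"));
        byte[] signedData = query.toString().getBytes("UTF-8");
        byte[] signature = Base64.decodeBase64(authnSig.getBytes("UTF-8"));

        // NOTE(review): the original carried a disabled check of logout.getDestination()
        // against request.getRequestURL(); it remains disabled here.
        /*if (! logout.getDestination().equals(request.getRequestURL().toString())) {
        throw new Exception("Invalid destination");
        }*/

        boolean validated = false;
        for (String sigKeyName : sigKeys) {
            java.security.cert.X509Certificate cert = this.cfgMgr.getCertificate(sigKeyName);
            if (cert == null) {
                continue;
            }
            java.security.Signature sigv = java.security.Signature.getInstance(SAML2Auth.javaDigSigAlgs.get(algType));
            sigv.initVerify(cert.getPublicKey());
            sigv.update(signedData);
            if (sigv.verify(signature)) {
                validated = true;
                break;
            }
        }
        if (!validated) {
            throw new Exception("Signature verification failed");
        }
    }

    if (logoutURL == null) {
        throw new ServletException("No triggerLogoutURL configured for entity ID '" + issuer + "'");
    }
    // The request ID is URL-encoded before being placed in the query string.
    response.sendRedirect(logoutURL + "?logoutreq=" + URLEncoder.encode(logout.getID(), "UTF-8"));
    return null;
}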