Use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo: class SamlUtils, method buildSignatureValidationFilterCriteria.
/**
 * Builds the criteria set handed to a signature validation filter, seeded from the
 * global signature validation configuration.
 * <p>
 * When no parameters can be resolved from that configuration the returned set is empty;
 * the filter is then presumably left on its library defaults — treat an empty set as
 * "nothing extra was configured", not as "validation is disabled".
 *
 * @return criteria set carrying the resolved signature validation parameters, possibly empty
 */
@SneakyThrows
private static CriteriaSet buildSignatureValidationFilterCriteria() {
    val result = new CriteriaSet();
    val configurations = new ArrayList<SignatureValidationConfiguration>();
    configurations.add(SecurityConfigurationSupport.getGlobalSignatureValidationConfiguration());
    val configurationCriterion = new SignatureValidationConfigurationCriterion(configurations);
    // resolveSingle declares ResolverException; @SneakyThrows lets it surface unchecked.
    val resolvedParams = new BasicSignatureValidationParametersResolver()
        .resolveSingle(new CriteriaSet(configurationCriterion));
    if (resolvedParams == null) {
        return result;
    }
    result.add(new SignatureValidationParametersCriterion(resolvedParams), true);
    return result;
}
Use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo: class WsFederationMetadataCertificateProvider, method getSigningCredentials.
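/**
 * Loads the identity provider's signing credentials from the configured metadata resource.
 * <p>
 * The metadata is parsed into an in-memory resolver, the IdP entity descriptor is located by
 * entity id and IDPSSODescriptor role, and every X.509 certificate found under key descriptors
 * marked for signing use is decoded into a credential. Collecting from all signing key
 * descriptors (rather than only the first) keeps validation working across IdP key rollover,
 * where old and new signing certificates are published side by side.
 * <p>
 * Missing entity, missing role and missing signing key are each reported with an explicit
 * exception instead of surfacing as a NullPointerException / IndexOutOfBoundsException.
 * <p>
 * NOTE(review): key descriptors without a {@code use} attribute ({@code UsageType.UNSPECIFIED})
 * are not considered here, so metadata that omits the attribute is rejected — confirm this
 * matches the identity providers being federated with.
 *
 * @return signing credentials parsed from the metadata, never empty
 * @throws Exception if the metadata cannot be read, the IdP entity or role is absent, or no
 *                   signing key descriptor is present
 */
@Override
public List<Credential> getSigningCredentials() throws Exception {
    try (val is = metadataResource.getInputStream()) {
        val resolver = new InMemoryResourceMetadataResolver(is, openSamlConfigBean);
        resolver.setId(UUID.randomUUID().toString());
        resolver.initialize();
        val idpEntityId = configuration.getIdentityProviderIdentifier();
        val criteria = new CriteriaSet(new EntityIdCriterion(idpEntityId), new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
        LOGGER.debug("Locating entity descriptor in the metadata for [{}]", idpEntityId);
        val entityDescriptor = resolver.resolveSingle(criteria);
        if (entityDescriptor == null) {
            throw new IllegalStateException("Unable to locate entity descriptor for [" + idpEntityId + "] in the metadata");
        }
        val roleDescriptors = entityDescriptor.getRoleDescriptors(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
        if (roleDescriptors.isEmpty()) {
            throw new IllegalStateException("Entity descriptor for [" + idpEntityId + "] declares no IDPSSODescriptor role");
        }
        val signingKeyDescriptors = roleDescriptors.get(0).getKeyDescriptors().stream()
            .filter(key -> key.getUse() == UsageType.SIGNING)
            .collect(Collectors.toList());
        if (signingKeyDescriptors.isEmpty()) {
            throw new IllegalStateException("Unable to find key descriptor marked for signing usage");
        }
        return signingKeyDescriptors.stream()
            .map(key -> key.getKeyInfo().getX509Datas())
            .flatMap(List::stream)
            .map(X509Data::getX509Certificates)
            .flatMap(List::stream)
            .map(Unchecked.function(cert -> {
                // Certificate values are public material; logging them at debug is acceptable.
                LOGGER.debug("Parsing signing certificate [{}]", cert.getValue());
                val decoded = EncodingUtils.decodeBase64(cert.getValue());
                try (val value = new ByteArrayInputStream(decoded)) {
                    return WsFederationCertificateProvider.readCredential(value);
                }
            }))
            .collect(Collectors.toList());
    }
}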
Use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo: class WsFederationHelper, method validateSignature.
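/**
 * validateSignature checks to see if the signature on an assertion is valid.
 * <p>
 * Order matters: the {@link SAMLSignatureProfileValidator} runs first so the signature
 * element is rejected on structural grounds before any key material is consulted, and only
 * then is the trust engine asked to verify it. The credential lookup is scoped to
 * signing-use keys of the configured identity provider's IDPSSODescriptor, so a signature
 * produced by some other entity's key should not be accepted even if it is cryptographically
 * sound.
 * <p>
 * Any failure — profile violation, resolver/engine exception, or a clean "no matching
 * credential" verdict — yields {@code false}; the offending assertion is logged in each of
 * those cases. An unsigned assertion is rejected outright. Note that this method checks
 * the signature only; conditions such as audience, validity window and replay are not
 * evaluated here.
 *
 * @param resultPair a provided assertion
 * @return true if the assertion's signature is valid, otherwise false
 */
public boolean validateSignature(final Pair<Assertion, WsFederationConfiguration> resultPair) {
    if (resultPair == null) {
        LOGGER.warn("No assertion or its configuration was provided to validate signatures");
        return false;
    }
    val configuration = resultPair.getValue();
    val assertion = resultPair.getKey();
    if (assertion == null || configuration == null) {
        LOGGER.warn("No signature or configuration was provided to validate signatures");
        return false;
    }
    val signature = assertion.getSignature();
    if (signature == null) {
        LOGGER.warn("No signature is attached to the assertion to validate");
        return false;
    }
    try {
        LOGGER.debug("Validating the signature...");
        // Structural/profile checks precede cryptographic verification.
        val validator = new SAMLSignatureProfileValidator();
        validator.validate(signature);
        val criteriaSet = new CriteriaSet();
        criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
        criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
        criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
        criteriaSet.add(new EntityIdCriterion(configuration.getIdentityProviderIdentifier()));
        val engine = buildSignatureTrustEngine(configuration);
        LOGGER.debug("Validating signature via trust engine for [{}]", configuration.getIdentityProviderIdentifier());
        if (engine.validate(signature, criteriaSet)) {
            return true;
        }
        // Fall through: a false verdict is diagnosed below, same as an exception.
    } catch (final Exception e) {
        LoggingUtils.error(LOGGER, "Failed to validate assertion signature", e);
    }
    SamlUtils.logSamlObject(this.openSamlConfigBean, assertion);
    LOGGER.error("Signature doesn't match any signing credential and cannot be validated.");
    return false;
}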
Use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo: class SamlRegisteredServiceMetadataExpirationPolicy, method getCacheDurationForServiceProvider.
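/**
 * Gets cache duration for service provider.
 * <p>
 * The duration is taken from the SP's metadata: first the {@code cacheDuration} declared on
 * the entity resolved as an SPSSODescriptor, then the one on the bare entity descriptor.
 * When neither is present, or resolution fails, {@code -1} is returned and the caller is
 * expected to fall back to its own default. Resolution failures are surfaced at WARN (with
 * the stack trace at DEBUG) because silently falling back changes how long possibly stale
 * metadata is trusted.
 *
 * @param service the service
 * @param chainingMetadataResolver the chaining metadata resolver
 * @return the cache duration for service provider in nanoseconds, or -1 if undetermined
 */
protected long getCacheDurationForServiceProvider(final SamlRegisteredService service, final MetadataResolver chainingMetadataResolver) {
    try {
        if (StringUtils.isBlank(service.getServiceId())) {
            LOGGER.warn("Unable to determine duration for SAML service [{}] with no entity id", service.getName());
            return -1;
        }
        val entityId = service.getServiceId();
        val spCriteria = new CriteriaSet();
        spCriteria.add(new EntityIdCriterion(entityId));
        spCriteria.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        val entitySp = chainingMetadataResolver.resolveSingle(spCriteria);
        if (entitySp != null && entitySp.getCacheDuration() != null) {
            LOGGER.debug("Located cache duration [{}] specified in SP metadata for [{}]", entitySp.getCacheDuration(), entitySp.getEntityID());
            // Millisecond precision is deliberately kept for parity with the entity-level path below.
            return TimeUnit.MILLISECONDS.toNanos(entitySp.getCacheDuration().toMillis());
        }
        val entityCriteria = new CriteriaSet();
        entityCriteria.add(new EntityIdCriterion(entityId));
        val entity = chainingMetadataResolver.resolveSingle(entityCriteria);
        if (entity != null && entity.getCacheDuration() != null) {
            LOGGER.debug("Located cache duration [{}] specified in entity metadata for [{}]", entity.getCacheDuration(), entity.getEntityID());
            return TimeUnit.MILLISECONDS.toNanos(entity.getCacheDuration().toMillis());
        }
    } catch (final Exception e) {
        LOGGER.warn("Unable to determine metadata cache duration from SAML metadata: [{}]", e.getMessage());
        LOGGER.debug(e.getMessage(), e);
    }
    return -1;
}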
Use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo: class SamlRegisteredServiceCachedMetadataEndpoint, method getCachedMetadataObject.
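/**
 * Gets cached metadata object.
 * <p>
 * Resolves the registered service by {@code serviceId}, then queries its caching metadata
 * resolver for SPSSODescriptor entities matching {@code entityId} (or the service's own
 * service id when {@code entityId} is blank) and returns them keyed by entity id with the
 * serialized XML as the value. If more than one descriptor carries the same entity id, the
 * first one seen is kept rather than failing the whole request with a duplicate-key error.
 * <p>
 * On any failure the response is a single {@code "error"} entry holding the exception
 * message; this is an actuator endpoint, so keep it behind the usual actuator access
 * controls since that message can describe internal resolver state.
 *
 * @param serviceId the service id
 * @param entityId the entity id
 * @return the cached metadata object
 */
@ReadOperation
@Operation(summary = "Get SAML2 cached metadata", parameters = { @Parameter(name = "serviceId", required = true), @Parameter(name = "entityId") })
public Map<String, Object> getCachedMetadataObject(final String serviceId, @Nullable final String entityId) {
    try {
        val registeredService = findRegisteredService(serviceId);
        val issuer = StringUtils.defaultIfBlank(entityId, registeredService.getServiceId());
        val criteriaSet = new CriteriaSet();
        criteriaSet.add(new EntityIdCriterion(issuer));
        criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        val metadataResolver = cachingMetadataResolver.resolve(registeredService, criteriaSet);
        val iteration = metadataResolver.resolve(criteriaSet).spliterator();
        return StreamSupport.stream(iteration, false)
            .map(entity -> Pair.of(entity.getEntityID(), SamlUtils.transformSamlObject(openSamlConfigBean, entity).toString()))
            // Merge function: tolerate duplicate entity ids instead of throwing IllegalStateException.
            .collect(Collectors.toMap(Pair::getLeft, Pair::getRight, (first, second) -> first));
    } catch (final Exception e) {
        LoggingUtils.error(LOGGER, e);
        return CollectionUtils.wrap("error", e.getMessage());
    }
}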