Search in sources :

Example 61 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo.

the class SamlRegisteredServiceDefaultCachingMetadataResolverTests method getCriteriaFor.

private static CriteriaSet getCriteriaFor(final String entityId) {
    val criteriaSet1 = new CriteriaSet();
    criteriaSet1.add(new EntityIdCriterion(entityId));
    criteriaSet1.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    return criteriaSet1;
}
Also used : lombok.val(lombok.val) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)

Example 62 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo.

the class SamlIdPUtils method determineNameIdNameQualifier.

/**
 * Determine name id name qualifier string.
 *
 * @param samlRegisteredService   the saml registered service
 * @param samlIdPMetadataResolver the saml id p metadata resolver
 * @return the string
 */
public static String determineNameIdNameQualifier(final SamlRegisteredService samlRegisteredService, final MetadataResolver samlIdPMetadataResolver) {
    if (StringUtils.isNotBlank(samlRegisteredService.getNameIdQualifier())) {
        return samlRegisteredService.getNameIdQualifier();
    }
    val nameQualifier = FunctionUtils.doIf(StringUtils.isNotBlank(samlRegisteredService.getIssuerEntityId()), samlRegisteredService::getIssuerEntityId, Unchecked.supplier(() -> {
        val criteriaSet = new CriteriaSet(new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME), new SamlIdPSamlRegisteredServiceCriterion(samlRegisteredService));
        LOGGER.trace("Resolving entity id from SAML2 IdP metadata to determine issuer for [{}]", samlRegisteredService.getName());
        val entityDescriptor = Objects.requireNonNull(samlIdPMetadataResolver.resolveSingle(criteriaSet));
        return entityDescriptor.getEntityID();
    })).get();
    LOGGER.debug("Using name qualifier [{}] for the Name ID", nameQualifier);
    return nameQualifier;
}
Also used : lombok.val(lombok.val) EvaluableEntityRoleEntityDescriptorCriterion(org.opensaml.saml.metadata.criteria.entity.impl.EvaluableEntityRoleEntityDescriptorCriterion) SamlIdPSamlRegisteredServiceCriterion(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)

Example 63 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project verify-hub by alphagov.

the class IdpSingleSignOnServiceHelper method getSingleSignOn.

public URI getSingleSignOn(String entityId) {
    EntityDescriptor idpEntityDescriptor;
    try {
        CriteriaSet criteria = new CriteriaSet(new EntityIdCriterion(entityId));
        idpEntityDescriptor = metadataProvider.resolveSingle(criteria);
    } catch (ResolverException e) {
        LOG.log(Level.SEVERE, format("Exception when accessing metadata: {0}", e));
        throw new RuntimeException(e);
    }
    if (idpEntityDescriptor != null) {
        final IDPSSODescriptor idpssoDescriptor = idpEntityDescriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS);
        final List<SingleSignOnService> singleSignOnServices = idpssoDescriptor.getSingleSignOnServices();
        if (singleSignOnServices.isEmpty()) {
            LOG.log(Level.SEVERE, format("No singleSignOnServices present for IDP entityId: {0}", entityId));
        } else {
            if (singleSignOnServices.size() > 1) {
                LOG.log(Level.WARNING, format("More than one singleSignOnService present: {0} for {1}", singleSignOnServices.size(), entityId));
            }
            return URI.create(singleSignOnServices.get(0).getLocation());
        }
    }
    throw ApplicationException.createUnauditedException(ExceptionType.NOT_FOUND, UUID.randomUUID(), new RuntimeException(format("no entity descriptor for IDP: {0}", entityId)));
}
Also used : EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor) ResolverException(net.shibboleth.utilities.java.support.resolver.ResolverException) IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) SingleSignOnService(org.opensaml.saml.saml2.metadata.SingleSignOnService)

Example 64 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project verify-hub by alphagov.

the class HubAsIdpMetadataHandler method getMetadataAsAnIdentityProvider.

public HubIdentityProviderMetadataDto getMetadataAsAnIdentityProvider() {
    URI hubFrontend = samlProxyConfiguration.getFrontendExternalUri();
    SamlEndpointDto binding = new SamlEndpointDto(SamlEndpointDto.Binding.POST, URI.create(hubFrontend + SAML2_SSO_REQUEST_ENDPOINT));
    Iterable<EntityDescriptor> entityDescriptors;
    try {
        CriteriaSet criteria = new CriteriaSet(new EntitiesDescriptorNameCriterion(hubFederationId));
        entityDescriptors = metadataResolver.resolve(criteria);
        LOG.info("Retrieved metadata from " + samlProxyConfiguration.getMetadataConfiguration().getUri());
    } catch (ResolverException e) {
        throw ApplicationException.createUnauditedException(ExceptionType.METADATA_PROVIDER_EXCEPTION, e.getMessage(), e);
    }
    final Iterable<EntityDescriptor> idpEntityDescriptors = StreamSupport.stream(entityDescriptors.spliterator(), false).filter(input -> input.getIDPSSODescriptor(SAMLConstants.SAML20P_NS) != null).collect(Collectors.toList());
    final Iterable<EntityDescriptor> hubEntityDescriptors = StreamSupport.stream(entityDescriptors.spliterator(), false).filter(input -> input.getEntityID().equals(hubEntityId)).collect(Collectors.toList());
    final Iterable<List<Certificate>> idpSigningCertificates = StreamSupport.stream(idpEntityDescriptors.spliterator(), false).map(this::getIDPSigningCertificates).collect(Collectors.toList());
    final Iterable<Certificate> hubEncryptionCertificate = StreamSupport.stream(hubEntityDescriptors.spliterator(), false).map(this::getHubEncryptionCertificate).collect(Collectors.toList());
    final Iterable<List<Certificate>> hubSigningCertificates = StreamSupport.stream(hubEntityDescriptors.spliterator(), false).map(this::getHubSigningCertificates).collect(Collectors.toList());
    return new HubIdentityProviderMetadataDto(singletonList(binding), hubEntityId, organisationDto, Collections.emptySet(), ImmutableList.copyOf(Iterables.concat(idpSigningCertificates)), DateTime.now().plus(samlProxyConfiguration.getMetadataValidDuration().toMilliseconds()), ImmutableList.copyOf(Iterables.concat(hubSigningCertificates)), hubEncryptionCertificate.iterator().next());
}
Also used : Iterables(com.google.common.collect.Iterables) ExceptionType(uk.gov.ida.common.ExceptionType) KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor) Collections.singletonList(java.util.Collections.singletonList) Inject(javax.inject.Inject) HubIdentityProviderMetadataDto(uk.gov.ida.saml.metadata.domain.HubIdentityProviderMetadataDto) ImmutableList(com.google.common.collect.ImmutableList) StreamSupport(java.util.stream.StreamSupport) Named(javax.inject.Named) URI(java.net.URI) SamlEndpointDto(uk.gov.ida.saml.metadata.domain.SamlEndpointDto) SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants) ApplicationException(uk.gov.ida.exceptions.ApplicationException) ResolverException(net.shibboleth.utilities.java.support.resolver.ResolverException) UsageType(org.opensaml.security.credential.UsageType) DateTime(org.joda.time.DateTime) MetadataResolver(org.opensaml.saml.metadata.resolver.MetadataResolver) OrganisationDto(uk.gov.ida.saml.metadata.domain.OrganisationDto) Logger(java.util.logging.Logger) Collectors(java.util.stream.Collectors) List(java.util.List) X509Certificate(org.opensaml.xmlsec.signature.X509Certificate) X509Data(org.opensaml.xmlsec.signature.X509Data) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor) Collections(java.util.Collections) Certificate(uk.gov.ida.common.shared.security.Certificate) SamlProxyConfiguration(uk.gov.ida.hub.samlproxy.SamlProxyConfiguration) EntitiesDescriptorNameCriterion(uk.gov.ida.saml.metadata.EntitiesDescriptorNameCriterion) SAML2_SSO_REQUEST_ENDPOINT(uk.gov.ida.hub.samlproxy.Urls.FrontendUrls.SAML2_SSO_REQUEST_ENDPOINT) SamlEndpointDto(uk.gov.ida.saml.metadata.domain.SamlEndpointDto) ResolverException(net.shibboleth.utilities.java.support.resolver.ResolverException) EntitiesDescriptorNameCriterion(uk.gov.ida.saml.metadata.EntitiesDescriptorNameCriterion) URI(java.net.URI) EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor) HubIdentityProviderMetadataDto(uk.gov.ida.saml.metadata.domain.HubIdentityProviderMetadataDto) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) Collections.singletonList(java.util.Collections.singletonList) ImmutableList(com.google.common.collect.ImmutableList) List(java.util.List) X509Certificate(org.opensaml.xmlsec.signature.X509Certificate) Certificate(uk.gov.ida.common.shared.security.Certificate)

Example 65 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project spring-security by spring-projects.

the class OpenSamlSigningUtils method resolveSigningParameters.

private static SignatureSigningParameters resolveSigningParameters(RelyingPartyRegistration relyingPartyRegistration) {
    List<Credential> credentials = resolveSigningCredentials(relyingPartyRegistration);
    List<String> algorithms = relyingPartyRegistration.getAssertingPartyDetails().getSigningAlgorithms();
    List<String> digests = Collections.singletonList(SignatureConstants.ALGO_ID_DIGEST_SHA256);
    String canonicalization = SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS;
    SignatureSigningParametersResolver resolver = new SAMLMetadataSignatureSigningParametersResolver();
    CriteriaSet criteria = new CriteriaSet();
    BasicSignatureSigningConfiguration signingConfiguration = new BasicSignatureSigningConfiguration();
    signingConfiguration.setSigningCredentials(credentials);
    signingConfiguration.setSignatureAlgorithms(algorithms);
    signingConfiguration.setSignatureReferenceDigestMethods(digests);
    signingConfiguration.setSignatureCanonicalizationAlgorithm(canonicalization);
    signingConfiguration.setKeyInfoGeneratorManager(buildSignatureKeyInfoGeneratorManager());
    criteria.add(new SignatureSigningConfigurationCriterion(signingConfiguration));
    try {
        SignatureSigningParameters parameters = resolver.resolveSingle(criteria);
        Assert.notNull(parameters, "Failed to resolve any signing credential");
        return parameters;
    } catch (Exception ex) {
        throw new Saml2Exception(ex);
    }
}
Also used : BasicCredential(org.opensaml.security.credential.BasicCredential) Credential(org.opensaml.security.credential.Credential) Saml2X509Credential(org.springframework.security.saml2.core.Saml2X509Credential) SAMLMetadataSignatureSigningParametersResolver(org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver) SignatureSigningParametersResolver(org.opensaml.xmlsec.SignatureSigningParametersResolver) SignatureSigningParameters(org.opensaml.xmlsec.SignatureSigningParameters) SAMLMetadataSignatureSigningParametersResolver(org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) SignatureSigningConfigurationCriterion(org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion) Saml2Exception(org.springframework.security.saml2.Saml2Exception) BasicSignatureSigningConfiguration(org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration) MarshallingException(org.opensaml.core.xml.io.MarshallingException) SecurityException(org.opensaml.security.SecurityException) Saml2Exception(org.springframework.security.saml2.Saml2Exception)

Aggregations

CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)68 lombok.val (lombok.val)44 EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)40 EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)28 SamlRegisteredService (org.apereo.cas.support.saml.services.SamlRegisteredService)18 Test (org.junit.jupiter.api.Test)16 UsageCriterion (org.opensaml.security.criteria.UsageCriterion)11 SamlIdPProperties (org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties)10 EntityDescriptor (org.opensaml.saml.saml2.metadata.EntityDescriptor)10 ArrayList (java.util.ArrayList)9 SignatureSigningConfigurationCriterion (org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion)9 MetadataResolver (org.opensaml.saml.metadata.resolver.MetadataResolver)8 SAMLMetadataSignatureSigningParametersResolver (org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver)8 SneakyThrows (lombok.SneakyThrows)7 StringUtils (org.apache.commons.lang3.StringUtils)7 SignatureSigningParameters (org.opensaml.xmlsec.SignatureSigningParameters)7 FileSystemResource (org.springframework.core.io.FileSystemResource)7 SamlException (org.apereo.cas.support.saml.SamlException)6 EvaluableEntityRoleEntityDescriptorCriterion (org.opensaml.saml.metadata.criteria.entity.impl.EvaluableEntityRoleEntityDescriptorCriterion)6 Credential (org.opensaml.security.credential.Credential)6