Search in sources :

Example 11 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo.

the class AuthnRequestRequestedAttributesAttributeReleasePolicyTests method initialize.

@BeforeEach
public void initialize() throws Exception {
    val idpMetadata = new File("src/test/resources/metadata/idp-metadata.xml").getCanonicalPath();
    val keystorePath = new File(FileUtils.getTempDirectory(), "keystore").getCanonicalPath();
    val spMetadataPath = new File(FileUtils.getTempDirectory(), "sp-metadata.xml").getCanonicalPath();
    saml2Configuration = new SAML2Configuration(keystorePath, "changeit", "changeit", idpMetadata);
    saml2Configuration.setServiceProviderEntityId("cas:example:sp");
    saml2Configuration.setServiceProviderMetadataPath(spMetadataPath);
    saml2Configuration.init();
    val saml2Client = new SAML2Client(saml2Configuration);
    saml2Client.setCallbackUrl("http://callback.example.org");
    saml2Client.init();
    saml2MessageContext = new SAML2MessageContext();
    saml2MessageContext.setSaml2Configuration(saml2Configuration);
    saml2MessageContext.setWebContext(new JEEContext(new MockHttpServletRequest(), new MockHttpServletResponse()));
    val peer = saml2MessageContext.getMessageContext().getSubcontext(SAMLPeerEntityContext.class, true);
    assertNotNull(peer);
    peer.setEntityId("https://cas.example.org/idp");
    val md = peer.getSubcontext(SAMLMetadataContext.class, true);
    assertNotNull(md);
    val idpResolver = SamlIdPUtils.getRoleDescriptorResolver(casSamlIdPMetadataResolver, true);
    md.setRoleDescriptor(idpResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(Objects.requireNonNull(peer.getEntityId())), new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME))));
    val self = saml2MessageContext.getMessageContext().getSubcontext(SAMLSelfEntityContext.class, true);
    assertNotNull(self);
    self.setEntityId(saml2Configuration.getServiceProviderEntityId());
    val sp = self.getSubcontext(SAMLMetadataContext.class, true);
    assertNotNull(sp);
    val spRes = new InMemoryResourceMetadataResolver(new File(spMetadataPath), openSamlConfigBean);
    spRes.setId(getClass().getSimpleName());
    spRes.initialize();
    val spResolver = SamlIdPUtils.getRoleDescriptorResolver(spRes, true);
    sp.setRoleDescriptor(spResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(Objects.requireNonNull(self.getEntityId())), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME))));
}
Also used : lombok.val(lombok.val) SAML2MessageContext(org.pac4j.saml.context.SAML2MessageContext) SAML2Configuration(org.pac4j.saml.config.SAML2Configuration) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) JEEContext(org.pac4j.core.context.JEEContext) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) SAML2Client(org.pac4j.saml.client.SAML2Client) File(java.io.File) InMemoryResourceMetadataResolver(org.apereo.cas.support.saml.InMemoryResourceMetadataResolver) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) BeforeEach(org.junit.jupiter.api.BeforeEach)

Example 12 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo.

the class SamlIdPObjectEncrypter method configureKeyDecryptionCredential.

/**
 * Configure key decryption credential credential.
 *
 * @param peerEntityId            the peer entity id
 * @param adaptor                 the adaptor
 * @param service                 the service
 * @param decryptionConfiguration the decryption configuration
 * @return the credential
 * @throws Exception the exception
 */
protected Credential configureKeyDecryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service, final BasicDecryptionConfiguration decryptionConfiguration) throws Exception {
    val mdCredentialResolver = new SamlIdPMetadataCredentialResolver();
    val providers = new ArrayList<KeyInfoProvider>(5);
    providers.add(new RSAKeyValueProvider());
    providers.add(new DSAKeyValueProvider());
    providers.add(new InlineX509DataProvider());
    providers.add(new DEREncodedKeyValueProvider());
    providers.add(new KeyInfoReferenceProvider());
    val keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
    mdCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
    val roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(adaptor, samlIdPProperties.getMetadata().getCore().isRequireValidMetadata());
    mdCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
    mdCredentialResolver.initialize();
    val criteriaSet = new CriteriaSet();
    criteriaSet.add(new DecryptionConfigurationCriterion(decryptionConfiguration));
    criteriaSet.add(new EntityIdCriterion(peerEntityId));
    criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
    criteriaSet.add(new SamlIdPSamlRegisteredServiceCriterion(service));
    LOGGER.debug("Attempting to resolve the decryption key for entity id [{}]", peerEntityId);
    val credential = Objects.requireNonNull(mdCredentialResolver.resolveSingle(criteriaSet));
    val encryptinKey = samlIdPMetadataLocator.resolveEncryptionKey(Optional.ofNullable(service));
    val bean = new PrivateKeyFactoryBean();
    bean.setSingleton(false);
    bean.setLocation(encryptinKey);
    val privateKey = Objects.requireNonNull(bean.getObject());
    val basicCredential = new BasicCredential(Objects.requireNonNull(credential.getPublicKey()), privateKey);
    decryptionConfiguration.setKEKKeyInfoCredentialResolver(new StaticKeyInfoCredentialResolver(basicCredential));
    val list = new ArrayList<EncryptedKeyResolver>(3);
    list.add(new InlineEncryptedKeyResolver());
    list.add(new EncryptedElementTypeEncryptedKeyResolver());
    list.add(new SimpleRetrievalMethodEncryptedKeyResolver());
    val encryptedKeyResolver = new ChainingEncryptedKeyResolver(list);
    decryptionConfiguration.setEncryptedKeyResolver(encryptedKeyResolver);
    return credential;
}
Also used : lombok.val(lombok.val) UsageCriterion(org.opensaml.security.criteria.UsageCriterion) RSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider) SamlIdPSamlRegisteredServiceCriterion(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion) ArrayList(java.util.ArrayList) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) InlineX509DataProvider(org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider) KeyInfoReferenceProvider(org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider) DecryptionConfigurationCriterion(org.opensaml.xmlsec.criterion.DecryptionConfigurationCriterion) ChainingEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver) SamlIdPMetadataCredentialResolver(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver) BasicProviderKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver) SimpleRetrievalMethodEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) PrivateKeyFactoryBean(org.apereo.cas.util.crypto.PrivateKeyFactoryBean) EncryptedElementTypeEncryptedKeyResolver(org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) DSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider) DEREncodedKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider) InlineEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver) BasicCredential(org.opensaml.security.credential.BasicCredential)

Example 13 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo.

the class SamlIdPObjectEncrypter method configureKeyEncryptionCredential.

/**
 * Gets key encryption credential.
 *
 * @param peerEntityId            the peer entity id
 * @param adaptor                 the adaptor
 * @param service                 the service
 * @param encryptionConfiguration the encryption configuration
 * @return the key encryption credential
 * @throws Exception the exception
 */
protected Credential configureKeyEncryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service, final BasicEncryptionConfiguration encryptionConfiguration) throws Exception {
    val mdCredentialResolver = new SamlIdPMetadataCredentialResolver();
    val providers = new ArrayList<KeyInfoProvider>(5);
    providers.add(new RSAKeyValueProvider());
    providers.add(new DSAKeyValueProvider());
    providers.add(new InlineX509DataProvider());
    providers.add(new DEREncodedKeyValueProvider());
    providers.add(new KeyInfoReferenceProvider());
    val keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
    mdCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
    val roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(adaptor, samlIdPProperties.getMetadata().getCore().isRequireValidMetadata());
    mdCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
    mdCredentialResolver.initialize();
    val criteriaSet = new CriteriaSet();
    criteriaSet.add(new EncryptionConfigurationCriterion(encryptionConfiguration));
    criteriaSet.add(new EntityIdCriterion(peerEntityId));
    criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
    criteriaSet.add(new SamlIdPSamlRegisteredServiceCriterion(service));
    LOGGER.debug("Attempting to resolve the encryption key for entity id [{}]", peerEntityId);
    val credential = mdCredentialResolver.resolveSingle(criteriaSet);
    if (credential == null || credential.getPublicKey() == null) {
        if (service.isEncryptionOptional()) {
            LOGGER.warn("Unable to resolve the encryption [public] key for entity id [{}]", peerEntityId);
            return null;
        }
        throw new SamlException("Unable to resolve the encryption [public] key for entity id " + peerEntityId);
    }
    val encodedKey = EncodingUtils.encodeBase64(credential.getPublicKey().getEncoded());
    LOGGER.debug("Found encryption public key: [{}]", encodedKey);
    encryptionConfiguration.setKeyTransportEncryptionCredentials(CollectionUtils.wrapList(credential));
    return credential;
}
Also used : lombok.val(lombok.val) UsageCriterion(org.opensaml.security.criteria.UsageCriterion) RSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider) SamlIdPSamlRegisteredServiceCriterion(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion) EncryptionConfigurationCriterion(org.opensaml.xmlsec.criterion.EncryptionConfigurationCriterion) ArrayList(java.util.ArrayList) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) SamlException(org.apereo.cas.support.saml.SamlException) InlineX509DataProvider(org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider) KeyInfoReferenceProvider(org.opensaml.xmlsec.keyinfo.impl.provider.KeyInfoReferenceProvider) SamlIdPMetadataCredentialResolver(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver) BasicProviderKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) DSAKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider) DEREncodedKeyValueProvider(org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider)

Example 14 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo.

the class SamlProfileSaml2ResponseBuilder method buildResponse.

@Override
public Response buildResponse(final Assertion assertion, final SamlProfileBuilderContext context) throws Exception {
    val id = '_' + String.valueOf(RandomUtils.nextLong());
    val samlResponse = newResponse(id, ZonedDateTime.now(ZoneOffset.UTC), context.getSamlRequest().getID(), null);
    samlResponse.setVersion(SAMLVersion.VERSION_20);
    val issuerId = FunctionUtils.doIf(StringUtils.isNotBlank(context.getRegisteredService().getIssuerEntityId()), context.getRegisteredService()::getIssuerEntityId, Unchecked.supplier(() -> {
        val criteriaSet = new CriteriaSet(new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME), new SamlIdPSamlRegisteredServiceCriterion(context.getRegisteredService()));
        LOGGER.trace("Resolving entity id from SAML2 IdP metadata to determine issuer for [{}]", context.getRegisteredService().getName());
        val entityDescriptor = Objects.requireNonNull(getConfigurationContext().getSamlIdPMetadataResolver().resolveSingle(criteriaSet));
        return entityDescriptor.getEntityID();
    })).get();
    samlResponse.setIssuer(buildSamlResponseIssuer(issuerId));
    val acs = SamlIdPUtils.determineEndpointForRequest(Pair.of(context.getSamlRequest(), context.getMessageContext()), context.getAdaptor(), context.getBinding());
    val location = StringUtils.isBlank(acs.getResponseLocation()) ? acs.getLocation() : acs.getResponseLocation();
    samlResponse.setDestination(location);
    if (getConfigurationContext().getCasProperties().getAuthn().getSamlIdp().getCore().isAttributeQueryProfileEnabled()) {
        storeAttributeQueryTicketInRegistry(assertion, context);
    }
    val finalAssertion = encryptAssertion(assertion, context);
    if (finalAssertion instanceof EncryptedAssertion) {
        LOGGER.trace("Built assertion is encrypted, so the response will add it to the encrypted assertions collection");
        samlResponse.getEncryptedAssertions().add(EncryptedAssertion.class.cast(finalAssertion));
    } else {
        LOGGER.trace("Built assertion is not encrypted, so the response will add it to the assertions collection");
        samlResponse.getAssertions().add(Assertion.class.cast(finalAssertion));
    }
    val status = newStatus(StatusCode.SUCCESS, null);
    samlResponse.setStatus(status);
    SamlUtils.logSamlObject(this.openSamlConfigBean, samlResponse);
    if (context.getRegisteredService().isSignResponses()) {
        LOGGER.debug("SAML entity id [{}] indicates that SAML responses should be signed", context.getAdaptor().getEntityId());
        val samlResponseSigned = getConfigurationContext().getSamlObjectSigner().encode(samlResponse, context.getRegisteredService(), context.getAdaptor(), context.getHttpResponse(), context.getHttpRequest(), context.getBinding(), context.getSamlRequest(), context.getMessageContext());
        SamlUtils.logSamlObject(openSamlConfigBean, samlResponseSigned);
        return samlResponseSigned;
    }
    return samlResponse;
}
Also used : lombok.val(lombok.val) EvaluableEntityRoleEntityDescriptorCriterion(org.opensaml.saml.metadata.criteria.entity.impl.EvaluableEntityRoleEntityDescriptorCriterion) SamlIdPSamlRegisteredServiceCriterion(org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion)

Example 15 with CriteriaSet

use of net.shibboleth.utilities.java.support.resolver.CriteriaSet in project cas by apereo.

the class GitSamlRegisteredServiceMetadataResolver method resolve.

@Override
public Collection<? extends MetadataResolver> resolve(final SamlRegisteredService service, final CriteriaSet criteriaSet) throws Exception {
    if (gitRepository.pull()) {
        LOGGER.debug("Successfully pulled metadata changes from the remote repository");
    } else {
        LOGGER.warn("Unable to pull changes from the remote repository. Metadata files may be stale.");
    }
    val metadataFiles = gitRepository.getObjectsInRepository(new PathRegexPatternTreeFilter(PATTERN_METADATA_FILES));
    val signatureFiles = gitRepository.getObjectsInRepository(new PathRegexPatternTreeFilter(PATTERN_SIGNATURE_FILES));
    return metadataFiles.stream().filter(Objects::nonNull).map(object -> parseGitObjectContentIntoSamlMetadataDocument(object, signatureFiles)).map(doc -> buildMetadataResolverFrom(service, doc)).filter(Objects::nonNull).collect(Collectors.toCollection(ArrayList::new));
}
Also used : lombok.val(lombok.val) BooleanUtils(org.apache.commons.lang3.BooleanUtils) StringUtils(org.apache.commons.lang3.StringUtils) ArrayList(java.util.ArrayList) LoggingUtils(org.apereo.cas.util.LoggingUtils) SamlRegisteredService(org.apereo.cas.support.saml.services.SamlRegisteredService) BaseSamlRegisteredServiceMetadataResolver(org.apereo.cas.support.saml.services.idp.metadata.cache.resolver.BaseSamlRegisteredServiceMetadataResolver) GitRepository(org.apereo.cas.git.GitRepository) SamlMetadataDocument(org.apereo.cas.support.saml.services.idp.metadata.SamlMetadataDocument) PathRegexPatternTreeFilter(org.apereo.cas.git.PathRegexPatternTreeFilter) Collection(java.util.Collection) SamlIdPProperties(org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties) lombok.val(lombok.val) FileUtils(org.apache.commons.io.FileUtils) IOException(java.io.IOException) MetadataResolver(org.opensaml.saml.metadata.resolver.MetadataResolver) Collectors(java.util.stream.Collectors) File(java.io.File) StandardCharsets(java.nio.charset.StandardCharsets) RegexUtils(org.apereo.cas.util.RegexUtils) OpenSamlConfigBean(org.apereo.cas.support.saml.OpenSamlConfigBean) Objects(java.util.Objects) Slf4j(lombok.extern.slf4j.Slf4j) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) Pattern(java.util.regex.Pattern) FilenameUtils(org.apache.commons.io.FilenameUtils) PathRegexPatternTreeFilter(org.apereo.cas.git.PathRegexPatternTreeFilter) Objects(java.util.Objects)

Aggregations

CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)68 lombok.val (lombok.val)44 EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)40 EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)28 SamlRegisteredService (org.apereo.cas.support.saml.services.SamlRegisteredService)18 Test (org.junit.jupiter.api.Test)16 UsageCriterion (org.opensaml.security.criteria.UsageCriterion)11 SamlIdPProperties (org.apereo.cas.configuration.model.support.saml.idp.SamlIdPProperties)10 EntityDescriptor (org.opensaml.saml.saml2.metadata.EntityDescriptor)10 ArrayList (java.util.ArrayList)9 SignatureSigningConfigurationCriterion (org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion)9 MetadataResolver (org.opensaml.saml.metadata.resolver.MetadataResolver)8 SAMLMetadataSignatureSigningParametersResolver (org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver)8 SneakyThrows (lombok.SneakyThrows)7 StringUtils (org.apache.commons.lang3.StringUtils)7 SignatureSigningParameters (org.opensaml.xmlsec.SignatureSigningParameters)7 FileSystemResource (org.springframework.core.io.FileSystemResource)7 SamlException (org.apereo.cas.support.saml.SamlException)6 EvaluableEntityRoleEntityDescriptorCriterion (org.opensaml.saml.metadata.criteria.entity.impl.EvaluableEntityRoleEntityDescriptorCriterion)6 Credential (org.opensaml.security.credential.Credential)6