
Example 1 with ConditionsType

use of org.keycloak.dom.saml.v2.assertion.ConditionsType in project keycloak by keycloak.

the class SAMLConditionsParser method instantiateElement.

/**
 * Creates the {@link ConditionsType} for a {@code <Conditions>} start tag.
 *
 * Only the two optional time-bound attributes ({@code NotBefore} and
 * {@code NotOnOrAfter}) are read here; child condition elements are attached
 * later by {@code processSubElement}.
 *
 * @param xmlEventReader the STAX reader positioned at the start element (not consumed here)
 * @param element        the {@code <Conditions>} start element whose attributes are read
 * @return a new conditions object carrying the parsed time bounds (either may be null if absent)
 * @throws ParsingException if an attribute value cannot be parsed
 */
@Override
protected ConditionsType instantiateElement(XMLEventReader xmlEventReader, StartElement element) throws ParsingException {
    ConditionsType result = new ConditionsType();
    // Attribute order on the tag is irrelevant; both are independent reads.
    result.setNotOnOrAfter(StaxParserUtil.getXmlTimeAttributeValue(element, SAMLAssertionQNames.ATTR_NOT_ON_OR_AFTER));
    result.setNotBefore(StaxParserUtil.getXmlTimeAttributeValue(element, SAMLAssertionQNames.ATTR_NOT_BEFORE));
    return result;
}

Example 2 with ConditionsType

use of org.keycloak.dom.saml.v2.assertion.ConditionsType in project keycloak by keycloak.

the class SAMLConditionsParser method processSubElement.

/**
 * Attaches one child element of {@code <Conditions>} to the target.
 *
 * Recognised children are {@code AudienceRestriction}, {@code OneTimeUse} and
 * {@code ProxyRestriction}; each becomes one entry added via
 * {@link ConditionsType#addCondition}. Any other child tag is rejected with a
 * parser exception rather than silently skipped.
 *
 * @param xmlEventReader the STAX reader, handed to the sub-parsers for the
 *                       children that carry content
 * @param target         the conditions object being populated
 * @param element        the qualified name of the child element
 * @param elementDetail  the child's start element, used for error reporting
 * @throws ParsingException if the child is not one of the known condition tags,
 *                          or a sub-parser fails
 */
@Override
protected void processSubElement(XMLEventReader xmlEventReader, ConditionsType target, SAMLAssertionQNames element, StartElement elementDetail) throws ParsingException {
    switch (element) {
        case AUDIENCE_RESTRICTION:
            target.addCondition(SAMLAudienceRestrictionParser.getInstance().parse(xmlEventReader));
            break;
        case PROXY_RESTRICTION:
            target.addCondition(SAMLProxyRestrictionParser.getInstance().parse(xmlEventReader));
            break;
        case ONE_TIME_USE:
            // OneTimeUse carries no content, so no sub-parser is needed.
            target.addCondition(new OneTimeUseType());
            break;
        default:
            // Unknown condition: fail loudly so an unexpected element is never dropped.
            throw LOGGER.parserUnknownTag(StaxParserUtil.getElementName(elementDetail), elementDetail.getLocation());
    }
}

Example 3 with ConditionsType

use of org.keycloak.dom.saml.v2.assertion.ConditionsType in project keycloak by keycloak.

the class AssertionUtil method createTimedConditions.

/**
 * Adds validity conditions to a SAML2 assertion.
 *
 * <p>The window runs from the assertion's {@code IssueInstant} to
 * {@code IssueInstant + durationInMilis}. No clock skew is added; see the
 * three-argument overload for that.</p>
 *
 * @param assertion       the assertion to update; must already carry an issue instant
 * @param durationInMilis validity length in milliseconds, added to the issue instant
 *
 * @throws ConfigurationException       propagated from the time arithmetic
 * @throws IssueInstantMissingException if the assertion has no {@code IssueInstant}
 * @see #createTimedConditions(AssertionType, long, long)
 */
public static void createTimedConditions(AssertionType assertion, long durationInMilis) throws ConfigurationException, IssueInstantMissingException {
    XMLGregorianCalendar notBefore = assertion.getIssueInstant();
    if (notBefore == null) {
        throw new IssueInstantMissingException(ErrorCodes.NULL_ISSUE_INSTANT);
    }
    // NotOnOrAfter is the issue instant pushed forward by the requested duration.
    XMLGregorianCalendar notOnOrAfter = XMLTimeUtil.add(notBefore, durationInMilis);
    ConditionsType conditions = new ConditionsType();
    conditions.setNotBefore(notBefore);
    conditions.setNotOnOrAfter(notOnOrAfter);
    assertion.setConditions(conditions);
}

Example 4 with ConditionsType

use of org.keycloak.dom.saml.v2.assertion.ConditionsType in project keycloak by keycloak.

the class AssertionUtil method hasExpired.

/**
 * Checks whether the assertion's validity window has been exceeded.
 *
 * <p>Processing rules defined in Section 2.5.1.2 of saml-core-2.0-os.pdf. Only
 * the {@code NotBefore} / {@code NotOnOrAfter} bounds are evaluated; other
 * conditions (audience restriction, one-time use) are not examined here.
 * Either bound may be absent and is then passed as null to
 * {@link XMLTimeUtil#isValid}.</p>
 *
 * <p>An assertion with no {@code Conditions} element at all is reported as
 * <em>not</em> expired (see the TODO below).</p>
 *
 * @param assertion the assertion to check
 *
 * @return true if the current time falls outside the assertion's validity window;
 *         false otherwise, including when no conditions are present
 *
 * @throws ConfigurationException propagated from the time utilities
 */
public static boolean hasExpired(AssertionType assertion) throws ConfigurationException {
    ConditionsType conditions = assertion.getConditions();
    if (conditions == null) {
        // TODO: if conditions do not exist, assume the assertion to be everlasting?
        return false;
    }
    // NOTE(review): getIssueInstant() is presumably "now" on this host's clock — confirm.
    XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
    XMLGregorianCalendar notBefore = conditions.getNotBefore();
    XMLGregorianCalendar notOnOrAfter = conditions.getNotOnOrAfter();
    if (notBefore != null) {
        logger.trace("Assertion: " + assertion.getID() + " ::Now=" + now.toXMLFormat() + " ::notBefore=" + notBefore.toXMLFormat());
    }
    if (notOnOrAfter != null) {
        logger.trace("Assertion: " + assertion.getID() + " ::Now=" + now.toXMLFormat() + " ::notOnOrAfter=" + notOnOrAfter);
    }
    boolean expired = !XMLTimeUtil.isValid(now, notBefore, notOnOrAfter);
    if (expired) {
        logger.samlAssertionExpired(assertion.getID());
    }
    return expired;
}

Example 5 with ConditionsType

use of org.keycloak.dom.saml.v2.assertion.ConditionsType in project keycloak by keycloak.

the class AssertionUtil method hasExpired.

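/**
 * Checks whether the assertion's validity window has been exceeded, widening
 * the window by a clock skew to tolerate IDP and SP clocks being out of sync.
 *
 * <p>{@code NotBefore} is moved earlier and {@code NotOnOrAfter} later by
 * {@code clockSkewInMilis} before the comparison. Only these two bounds are
 * evaluated; other conditions (audience restriction, one-time use) are not
 * examined here. Either bound may be absent: an absent bound stays null and is
 * passed through to {@link XMLTimeUtil#isValid}, matching the single-argument
 * overload. (The previous version dereferenced {@code notBefore} in the trace
 * log unconditionally and failed with a NullPointerException on assertions
 * that omit {@code NotBefore}.)</p>
 *
 * <p>An assertion with no {@code Conditions} element at all is reported as
 * <em>not</em> expired (see the TODO below).</p>
 *
 * @param assertion        the assertion to check
 * @param clockSkewInMilis tolerance in milliseconds applied to both bounds
 *
 * @return true if the current time falls outside the skew-adjusted validity
 *         window; false otherwise, including when no conditions are present
 *
 * @throws ConfigurationException propagated from the time utilities
 */
public static boolean hasExpired(AssertionType assertion, long clockSkewInMilis) throws ConfigurationException {
    boolean expiry = false;
    // Check for validity of assertion
    ConditionsType conditionsType = assertion.getConditions();
    if (conditionsType != null) {
        // NOTE(review): getIssueInstant() is presumably "now" on this host's clock — confirm.
        XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
        XMLGregorianCalendar notBefore = conditionsType.getNotBefore();
        XMLGregorianCalendar notOnOrAfter = conditionsType.getNotOnOrAfter();
        // Both bounds are optional in SAML; only adjust the ones that are present so a
        // missing bound stays null instead of being dereferenced.
        XMLGregorianCalendar updatedNotBefore = notBefore == null ? null : XMLTimeUtil.subtract(notBefore, clockSkewInMilis);
        XMLGregorianCalendar updatedOnOrAfter = notOnOrAfter == null ? null : XMLTimeUtil.add(notOnOrAfter, clockSkewInMilis);
        logger.trace("Now=" + now.toXMLFormat()
                + " ::notBefore=" + (notBefore == null ? null : notBefore.toXMLFormat())
                + " ::notOnOrAfter=" + notOnOrAfter);
        expiry = !XMLTimeUtil.isValid(now, updatedNotBefore, updatedOnOrAfter);
        if (expiry) {
            logger.samlAssertionExpired(assertion.getID());
        }
    }
    // TODO: if conditions do not exist, assume the assertion to be everlasting?
    return expiry;
}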
