use of org.keycloak.dom.saml.v2.assertion.StatementAbstractType in project keycloak by keycloak.
the class StatementUtil method asMap.
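/**
 * Flattens the attributes of a set of SAML {@code AttributeStatement}s into one map.
 *
 * <p>Each attribute is keyed by its {@code FriendlyName} when one is present, otherwise by
 * its {@code Name}. An attribute with exactly one value maps to that value; any other value
 * count maps to the value {@code List} itself. A later attribute with the same key silently
 * overwrites an earlier one.
 *
 * <p>NOTE(review): keying on {@code FriendlyName} before {@code Name} means a mapping that
 * expects the formal SAML attribute name can be shadowed by whatever friendly name the IdP
 * chooses to send. Confirm this precedence is intended before using the result for
 * authorization decisions.
 *
 * @param attributeStatementTypes statements to flatten; {@code null} or empty yields an empty map
 * @return a mutable map from attribute name to value or value list; never {@code null}
 */
public static Map<String, Object> asMap(Set<AttributeStatementType> attributeStatementTypes) {
    Map<String, Object> attrMap = new HashMap<>();
    if (attributeStatementTypes == null || attributeStatementTypes.isEmpty()) {
        return attrMap;
    }
    for (AttributeStatementType attrStat : attributeStatementTypes) {
        // A null element in the set is skipped, as the original instanceof check did.
        if (attrStat == null) {
            continue;
        }
        List<ASTChoiceType> attrs = attrStat.getAttributes();
        if (attrs == null) {
            continue;
        }
        for (ASTChoiceType attrChoice : attrs) {
            AttributeType attr = attrChoice.getAttribute();
            // A choice with no plain attribute (presumably an encrypted one) has nothing
            // to map; skipping it avoids a NullPointerException — TODO confirm against ASTChoiceType.
            if (attr == null) {
                continue;
            }
            String attributeName = attr.getFriendlyName();
            if (attributeName == null) {
                attributeName = attr.getName();
            }
            List<Object> values = attr.getAttributeValue();
            if (values == null) {
                continue;
            }
            // Single-valued attributes are unwrapped; everything else keeps the list.
            attrMap.put(attributeName, values.size() == 1 ? values.get(0) : values);
        }
    }
    return attrMap;
}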
use of org.keycloak.dom.saml.v2.assertion.StatementAbstractType in project keycloak by keycloak.
the class SAMLAssertionWriter method write.
/**
 * Writes a SAML 2.0 {@code <saml:Assertion>} element for {@code assertion} to the underlying
 * StAX writer and flushes it.
 *
 * <p>Emitted, in document order: the ID, Version and IssueInstant attributes; the Issuer and
 * Subject when present; a Conditions element carrying NotBefore / NotOnOrAfter plus any
 * AudienceRestriction and OneTimeUse conditions; then each AuthnStatement or
 * AttributeStatement. This method writes no Signature element.
 *
 * <p>NOTE(review): condition types other than {@code AudienceRestrictionType} and
 * {@code OneTimeUseType} are silently omitted from the output, while an unknown statement type
 * is rejected with {@code writerUnknownTypeError}. Dropping a condition the caller attached
 * weakens the assertion without any error; confirm callers never supply other condition
 * types, or make this loop fail the same way the statement loop does.
 *
 * @param assertion the assertion to serialize; its issue instant is dereferenced
 *                  unconditionally and so must be non-null
 *
 * @throws org.keycloak.saml.common.exceptions.ProcessingException on a StAX write failure,
 *         when the assertion carries an Advice element (not implemented), or when a statement
 *         is of an unsupported type
 */
public void write(AssertionType assertion) throws ProcessingException {
StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.ASSERTION.get(), ASSERTION_NSURI.get());
// Declare the assertion namespace both under its prefix and as the default namespace.
StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, ASSERTION_NSURI.get());
StaxUtil.writeDefaultNameSpace(writer, ASSERTION_NSURI.get());
// Attributes
StaxUtil.writeAttribute(writer, JBossSAMLConstants.ID.get(), assertion.getID());
StaxUtil.writeAttribute(writer, JBossSAMLConstants.VERSION.get(), assertion.getVersion());
StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISSUE_INSTANT.get(), assertion.getIssueInstant().toString());
// Issuer and Subject are written only when set.
NameIDType issuer = assertion.getIssuer();
if (issuer != null)
write(issuer, new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.ISSUER.get(), ASSERTION_PREFIX));
SubjectType subject = assertion.getSubject();
if (subject != null) {
write(subject);
}
// Conditions: validity window as attributes, then the individual condition elements.
ConditionsType conditions = assertion.getConditions();
if (conditions != null) {
StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.CONDITIONS.get(), ASSERTION_NSURI.get());
if (conditions.getNotBefore() != null) {
StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_BEFORE.get(), conditions.getNotBefore().toString());
}
if (conditions.getNotOnOrAfter() != null) {
StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_ON_OR_AFTER.get(), conditions.getNotOnOrAfter().toString());
}
List<ConditionAbstractType> typeOfConditions = conditions.getConditions();
if (typeOfConditions != null) {
// Only AudienceRestriction and OneTimeUse are serialized; any other
// ConditionAbstractType falls through both checks and is dropped without error.
for (ConditionAbstractType typeCondition : typeOfConditions) {
if (typeCondition instanceof AudienceRestrictionType) {
AudienceRestrictionType art = (AudienceRestrictionType) typeCondition;
StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.AUDIENCE_RESTRICTION.get(), ASSERTION_NSURI.get());
List<URI> audiences = art.getAudience();
if (audiences != null) {
for (URI audience : audiences) {
StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.AUDIENCE.get(), ASSERTION_NSURI.get());
StaxUtil.writeCharacters(writer, audience.toString());
StaxUtil.writeEndElement(writer);
}
}
StaxUtil.writeEndElement(writer);
}
if (typeCondition instanceof OneTimeUseType) {
// OneTimeUse is an empty element.
StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.ONE_TIME_USE.get(), ASSERTION_NSURI.get());
StaxUtil.writeEndElement(writer);
}
}
}
StaxUtil.writeEndElement(writer);
}
// Advice is not supported by this writer; fail loudly rather than omit it.
AdviceType advice = assertion.getAdvice();
if (advice != null)
throw logger.notImplementedYet("Advice");
// Statements: each must be an AuthnStatement or an AttributeStatement; anything else is an error.
Set<StatementAbstractType> statements = assertion.getStatements();
if (statements != null) {
for (StatementAbstractType statement : statements) {
if (statement instanceof AuthnStatementType) {
// Second argument presumably selects a non-standalone rendering — confirm in the overload.
write((AuthnStatementType) statement, false);
} else if (statement instanceof AttributeStatementType) {
write((AttributeStatementType) statement);
} else
throw logger.writerUnknownTypeError(statement.getClass().getName());
}
}
// Close </saml:Assertion> and push everything to the underlying stream.
StaxUtil.writeEndElement(writer);
StaxUtil.flush(writer);
}
use of org.keycloak.dom.saml.v2.assertion.StatementAbstractType in project keycloak by keycloak.
the class SAMLAssertionFactory method createAssertion.
/**
 * Builds a SAML 2.0 {@code AssertionType} from its parts.
 *
 * <p>Only the ID and issue instant go through the {@code AssertionType} constructor. The
 * issuer is always set (even when {@code null}); conditions and subject are set only when
 * non-null; each element of {@code statements} is added in list order.
 *
 * <p>NOTE(review): nothing here requires {@code conditions}, so an assertion built without
 * them carries no validity window or audience restriction. Callers producing assertions for
 * relying parties should supply them.
 *
 * @param id the assertion ID
 * @param issuerID the assertion issuer; passed through as-is, may be {@code null}
 * @param issueInstant the assertion time of creation
 * @param conditions optional conditions under which the assertion is valid
 * @param subject optional authenticated principal
 * @param statements optional statements to attach, added in order
 *
 * @return the populated assertion
 */
public static AssertionType createAssertion(String id, NameIDType issuerID, XMLGregorianCalendar issueInstant, ConditionsType conditions, SubjectType subject, List<StatementAbstractType> statements) {
    AssertionType result = new AssertionType(id, issueInstant);
    result.setIssuer(issuerID);
    if (conditions != null) {
        result.setConditions(conditions);
    }
    if (subject != null) {
        result.setSubject(subject);
    }
    if (statements != null) {
        statements.forEach(result::addStatement);
    }
    return result;
}
use of org.keycloak.dom.saml.v2.assertion.StatementAbstractType in project keycloak by keycloak.
the class KcSamlBrokerSessionNotOnOrAfterTest method testConsumerIdpInitiatedLoginContainsSessionNotOnOrAfter.
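/**
 * An IdP-initiated login through the consumer realm, brokered to the producer IdP, must
 * yield an assertion whose {@code AuthnStatement} carries {@code SessionNotOnOrAfter} equal
 * to {@code AuthnInstant} plus the consumer realm's SSO session max lifespan.
 *
 * <p>The expected value uses {@code long} millisecond arithmetic so a large configured
 * lifespan cannot overflow {@code int}, matching the sibling check in
 * {@code SessionNotOnOrAfterTest#checkSessionNotOnOrAfter}.
 */
@Test
public void testConsumerIdpInitiatedLoginContainsSessionNotOnOrAfter() throws Exception {
    SAMLDocumentHolder samlResponse = new SamlClientBuilder()
            .idpInitiatedLogin(getConsumerSamlEndpoint(REALM_CONS_NAME), "sales-post").build()
            .login().idp(IDP_SAML_ALIAS).build()
            // AuthnRequest to producer IdP
            .processSamlResponse(SamlClient.Binding.POST).targetAttributeSamlRequest().build()
            .login().user(USER_LOGIN, USER_PASSWORD).build()
            .processSamlResponse(SamlClient.Binding.POST).build()
            .updateProfile().username(USER_LOGIN).email(USER_EMAIL).firstName("Firstname").lastName("Lastname").build()
            .followOneRedirect()
            .getSamlResponse(SamlClient.Binding.POST);
    assertThat(samlResponse.getSamlObject(), Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    ResponseType resp = (ResponseType) samlResponse.getSamlObject();
    // Only the first assertion is inspected; the response is expected to carry at least one.
    Set<StatementAbstractType> statements = resp.getAssertions().get(0).getAssertion().getStatements();
    AuthnStatementType authType = statements.stream()
            .filter(AuthnStatementType.class::isInstance)
            .map(AuthnStatementType.class::cast)
            .findFirst()
            .orElse(null);
    assertThat(authType, notNullValue());
    assertThat(authType.getSessionNotOnOrAfter(), notNullValue());
    // Lifespan is configured in seconds; multiply as long so int overflow cannot skew the expectation.
    long ssoMaxLifespanMillis = adminClient.realm(REALM_CONS_NAME).toRepresentation().getSsoSessionMaxLifespan() * 1000L;
    assertThat(authType.getSessionNotOnOrAfter(), is(XMLTimeUtil.add(authType.getAuthnInstant(), ssoMaxLifespanMillis)));
}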
use of org.keycloak.dom.saml.v2.assertion.StatementAbstractType in project keycloak by keycloak.
the class SessionNotOnOrAfterTest method checkSessionNotOnOrAfter.
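/**
 * Asserts the time-related fields of a successful SAML response against the realm's
 * configured lifespans: the {@code AuthnStatement}'s {@code SessionNotOnOrAfter} must be
 * {@code AuthnInstant + ssoMaxLifespan}, the Conditions' {@code NotOnOrAfter} must be
 * {@code NotBefore + accessCodeLifespan}, and the first SubjectConfirmationData's
 * {@code NotOnOrAfter} must be {@code NotBefore + accessTokenLifespan}.
 *
 * <p>All lifespans are seconds and are converted to milliseconds with {@code long}
 * arithmetic. Only the first assertion of the response is inspected.
 *
 * @param ob the SAML object under test; must be a successful {@code ResponseType}
 * @param ssoMaxLifespan SSO session max lifespan, seconds
 * @param accessCodeLifespan access code lifespan, seconds
 * @param accessTokenLifespan access token lifespan, seconds
 * @return always {@code null}; the method only performs assertions (the return type
 *         presumably lets it plug into a builder step — callers are not visible here)
 */
private SAML2Object checkSessionNotOnOrAfter(SAML2Object ob, int ssoMaxLifespan, int accessCodeLifespan, int accessTokenLifespan) {
    assertThat(ob, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    ResponseType resp = (ResponseType) ob;
    Assert.assertNotNull(resp);
    Assert.assertNotNull(resp.getAssertions());
    Assert.assertThat(resp.getAssertions().size(), greaterThan(0));
    Assert.assertNotNull(resp.getAssertions().get(0));
    Assert.assertNotNull(resp.getAssertions().get(0).getAssertion());
    // session lifespan
    Assert.assertNotNull(resp.getAssertions().get(0).getAssertion().getStatements());
    Set<StatementAbstractType> statements = resp.getAssertions().get(0).getAssertion().getStatements();
    AuthnStatementType authType = statements.stream()
            .filter(AuthnStatementType.class::isInstance)
            .map(AuthnStatementType.class::cast)
            .findFirst()
            .orElse(null);
    assertThat(authType, notNullValue());
    assertThat(authType.getSessionNotOnOrAfter(), notNullValue());
    assertThat(authType.getSessionNotOnOrAfter(), is(XMLTimeUtil.add(authType.getAuthnInstant(), ssoMaxLifespan * 1000L)));
    // Conditions (validity window of the assertion itself)
    Assert.assertNotNull(resp.getAssertions().get(0).getAssertion().getConditions());
    ConditionsType condition = resp.getAssertions().get(0).getAssertion().getConditions();
    Assert.assertEquals(XMLTimeUtil.add(condition.getNotBefore(), accessCodeLifespan * 1000L), condition.getNotOnOrAfter());
    // SubjectConfirmation (confirmationData has no NotBefore, using the previous one because it's the same)
    Assert.assertNotNull(resp.getAssertions().get(0).getAssertion().getSubject());
    Assert.assertNotNull(resp.getAssertions().get(0).getAssertion().getSubject().getConfirmation());
    List<SubjectConfirmationType> confirmations = resp.getAssertions().get(0).getAssertion().getSubject().getConfirmation();
    SubjectConfirmationDataType confirmationData = confirmations.stream()
            .map(SubjectConfirmationType::getSubjectConfirmationData)
            .filter(Objects::nonNull)
            .findFirst()
            .orElse(null);
    Assert.assertNotNull(confirmationData);
    Assert.assertEquals(XMLTimeUtil.add(condition.getNotBefore(), accessTokenLifespan * 1000L), confirmationData.getNotOnOrAfter());
    return null;
}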