Search in sources :

Example 6 with EntityIdCriterion

use of org.opensaml.core.criterion.EntityIdCriterion in project pac4j by pac4j.

the class SAML2DefaultResponseValidator method validateSignature.

/**
 * Validate the given digital signature by checking its profile and value.
 *
 * @param signature   the signature
 * @param idpEntityId the idp entity id
 * @param trustEngine the trust engine
 */
protected final void validateSignature(final Signature signature, final String idpEntityId, final SignatureTrustEngine trustEngine) {
    final SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator();
    try {
        validator.validate(signature);
    } catch (final SignatureException e) {
        throw new SAMLSignatureValidationException("SAMLSignatureProfileValidator failed to validate signature", e);
    }
    final CriteriaSet criteriaSet = new CriteriaSet();
    criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
    criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
    criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
    criteriaSet.add(new EntityIdCriterion(idpEntityId));
    final boolean valid;
    try {
        valid = trustEngine.validate(signature, criteriaSet);
    } catch (final SecurityException e) {
        throw new SAMLSignatureValidationException("An error occurred during signature validation", e);
    }
    if (!valid) {
        throw new SAMLSignatureValidationException("Signature is not trusted");
    }
}
Also used : UsageCriterion(org.opensaml.security.criteria.UsageCriterion) ProtocolCriterion(org.opensaml.saml.criterion.ProtocolCriterion) SAMLSignatureValidationException(org.pac4j.saml.exceptions.SAMLSignatureValidationException) SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) SecurityException(org.opensaml.security.SecurityException) SignatureException(org.opensaml.xmlsec.signature.support.SignatureException)

Example 7 with EntityIdCriterion

use of org.opensaml.core.criterion.EntityIdCriterion in project pac4j by pac4j.

the class SAML2ContextProvider method addContext.

protected final void addContext(final SAML2MetadataResolver entityId, final BaseContext parentContext, final QName elementName) {
    final EntityDescriptor entityDescriptor;
    final RoleDescriptor roleDescriptor;
    try {
        final CriteriaSet set = new CriteriaSet();
        set.add(new EntityIdCriterion(entityId.getEntityId()));
        entityDescriptor = this.metadata.resolveSingle(set);
        if (entityDescriptor == null) {
            throw new SAMLException("Cannot find entity " + entityId + " in metadata provider");
        }
        final List<RoleDescriptor> list = entityDescriptor.getRoleDescriptors(elementName, SAMLConstants.SAML20P_NS);
        roleDescriptor = CommonHelper.isNotEmpty(list) ? list.get(0) : null;
        if (roleDescriptor == null) {
            throw new SAMLException("Cannot find entity " + entityId + " or role " + elementName + " in metadata provider");
        }
    } catch (final ResolverException e) {
        throw new SAMLException("An error occured while getting IDP descriptors", e);
    }
    final SAMLMetadataContext mdCtx = parentContext.getSubcontext(SAMLMetadataContext.class, true);
    mdCtx.setEntityDescriptor(entityDescriptor);
    mdCtx.setRoleDescriptor(roleDescriptor);
}
Also used : EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor) ResolverException(net.shibboleth.utilities.java.support.resolver.ResolverException) RoleDescriptor(org.opensaml.saml.saml2.metadata.RoleDescriptor) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) SAMLMetadataContext(org.opensaml.saml.common.messaging.context.SAMLMetadataContext) SAMLException(org.pac4j.saml.exceptions.SAMLException)

Example 8 with EntityIdCriterion

use of org.opensaml.core.criterion.EntityIdCriterion in project pac4j by pac4j.

the class KeyStoreCredentialProvider method getCredential.

@Override
public final Credential getCredential() {
    try {
        final CriteriaSet cs = new CriteriaSet();
        final EntityIdCriterion criteria = new EntityIdCriterion(this.privateKey);
        cs.add(criteria);
        final X509Credential creds = (X509Credential) this.credentialResolver.resolveSingle(cs);
        return creds;
    } catch (final ResolverException e) {
        throw new SAMLException("Can't obtain SP private key", e);
    }
}
Also used : X509Credential(org.opensaml.security.x509.X509Credential) ResolverException(net.shibboleth.utilities.java.support.resolver.ResolverException) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) SAMLException(org.pac4j.saml.exceptions.SAMLException)

Example 9 with EntityIdCriterion

use of org.opensaml.core.criterion.EntityIdCriterion in project cas by apereo.

the class SamlObjectSignatureValidatorTests method setupTestContextFor.

private void setupTestContextFor(final String spMetadataPath, final String spEntityId) throws Exception {
    val idpMetadata = new File("src/test/resources/metadata/idp-metadata.xml").getCanonicalPath();
    val keystorePath = new File(FileUtils.getTempDirectory(), "keystore").getCanonicalPath();
    saml2ClientConfiguration = new SAML2Configuration(keystorePath, "changeit", "changeit", idpMetadata);
    saml2ClientConfiguration.setServiceProviderEntityId(spEntityId);
    saml2ClientConfiguration.setServiceProviderMetadataPath(spMetadataPath);
    saml2ClientConfiguration.init();
    val saml2Client = new SAML2Client(saml2ClientConfiguration);
    saml2Client.setCallbackUrl("http://callback.example.org");
    saml2Client.init();
    samlContext = new MessageContext();
    saml2MessageContext = new SAML2MessageContext();
    saml2MessageContext.setSaml2Configuration(saml2ClientConfiguration);
    saml2MessageContext.setWebContext(new JEEContext(new MockHttpServletRequest(), new MockHttpServletResponse()));
    val peer = saml2MessageContext.getMessageContext().getSubcontext(SAMLPeerEntityContext.class, true);
    assertNotNull(peer);
    peer.setEntityId("https://cas.example.org/idp");
    val md = peer.getSubcontext(SAMLMetadataContext.class, true);
    assertNotNull(md);
    val idpResolver = SamlIdPUtils.getRoleDescriptorResolver(casSamlIdPMetadataResolver, true);
    md.setRoleDescriptor(idpResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(Objects.requireNonNull(peer.getEntityId())), new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME))));
    val self = saml2MessageContext.getMessageContext().getSubcontext(SAMLSelfEntityContext.class, true);
    assertNotNull(self);
    self.setEntityId(saml2ClientConfiguration.getServiceProviderEntityId());
    val sp = self.getSubcontext(SAMLMetadataContext.class, true);
    assertNotNull(sp);
    val spRes = new InMemoryResourceMetadataResolver(saml2ClientConfiguration.getServiceProviderMetadataResource(), openSamlConfigBean);
    spRes.setId(getClass().getSimpleName());
    spRes.initialize();
    val spResolver = SamlIdPUtils.getRoleDescriptorResolver(spRes, true);
    sp.setRoleDescriptor(spResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(Objects.requireNonNull(self.getEntityId())), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME))));
    val service = new SamlRegisteredService();
    service.setName("Sample");
    service.setServiceId(saml2ClientConfiguration.getServiceProviderEntityId());
    service.setId(100);
    service.setDescription("SAML Service");
    service.setMetadataLocation(spMetadataPath);
    val facade = SamlRegisteredServiceServiceProviderMetadataFacade.get(samlRegisteredServiceCachingMetadataResolver, service, service.getServiceId());
    this.adaptor = facade.get();
}
Also used : lombok.val(lombok.val) SAML2Configuration(org.pac4j.saml.config.SAML2Configuration) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) JEEContext(org.pac4j.core.context.JEEContext) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) SAML2MessageContext(org.pac4j.saml.context.SAML2MessageContext) SamlRegisteredService(org.apereo.cas.support.saml.services.SamlRegisteredService) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) SAML2Client(org.pac4j.saml.client.SAML2Client) MessageContext(org.opensaml.messaging.context.MessageContext) SAML2MessageContext(org.pac4j.saml.context.SAML2MessageContext) File(java.io.File) InMemoryResourceMetadataResolver(org.apereo.cas.support.saml.InMemoryResourceMetadataResolver) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse)

Example 10 with EntityIdCriterion

use of org.opensaml.core.criterion.EntityIdCriterion in project cas by apereo.

the class SamlIdPMetadataResolverTests method verifyOperationWithService.

@Test
public void verifyOperationWithService() throws Exception {
    val criteria = new CriteriaSet(new SamlIdPSamlRegisteredServiceCriterion(getSamlRegisteredServiceFor(UUID.randomUUID().toString())), new EntityIdCriterion(casProperties.getAuthn().getSamlIdp().getCore().getEntityId()));
    var locator = mock(SamlIdPMetadataLocator.class);
    when(locator.shouldGenerateMetadataFor(any())).thenReturn(true);
    when(locator.exists(any())).thenReturn(false);
    when(locator.resolveMetadata(any())).thenReturn(new ByteArrayResource(ArrayUtils.EMPTY_BYTE_ARRAY));
    val resolver = new SamlIdPMetadataResolver(locator, mock(SamlIdPMetadataGenerator.class), openSamlConfigBean, casProperties);
    val result1 = resolver.resolve(criteria);
    assertTrue(Iterables.isEmpty(result1));
}
Also used : lombok.val(lombok.val) SamlIdPMetadataGenerator(org.apereo.cas.support.saml.idp.metadata.generator.SamlIdPMetadataGenerator) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) ByteArrayResource(org.springframework.core.io.ByteArrayResource) RepeatedTest(org.junit.jupiter.api.RepeatedTest) Test(org.junit.jupiter.api.Test)

Aggregations

EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)44 CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)39 EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)30 lombok.val (lombok.val)25 Test (org.junit.jupiter.api.Test)9 UsageCriterion (org.opensaml.security.criteria.UsageCriterion)9 SamlRegisteredService (org.apereo.cas.support.saml.services.SamlRegisteredService)7 EntityDescriptor (org.opensaml.saml.saml2.metadata.EntityDescriptor)7 ArrayList (java.util.ArrayList)5 File (java.io.File)4 SamlException (org.apereo.cas.support.saml.SamlException)4 ProtocolCriterion (org.opensaml.saml.criterion.ProtocolCriterion)4 IDPSSODescriptor (org.opensaml.saml.saml2.metadata.IDPSSODescriptor)4 SAMLSignatureProfileValidator (org.opensaml.saml.security.impl.SAMLSignatureProfileValidator)4 ResolverException (net.shibboleth.utilities.java.support.resolver.ResolverException)3 SamlIdPMetadataCredentialResolver (org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver)3 SamlIdPSamlRegisteredServiceCriterion (org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion)3 BasicProviderKeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver)3 DEREncodedKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider)3 DSAKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider)3