use of org.opensaml.core.criterion.EntityIdCriterion in project cas by apereo.
the class AuthnRequestRequestedAttributesAttributeReleasePolicyTests method initialize.
@BeforeEach
public void initialize() throws Exception {
val idpMetadata = new File("src/test/resources/metadata/idp-metadata.xml").getCanonicalPath();
val keystorePath = new File(FileUtils.getTempDirectory(), "keystore").getCanonicalPath();
val spMetadataPath = new File(FileUtils.getTempDirectory(), "sp-metadata.xml").getCanonicalPath();
saml2Configuration = new SAML2Configuration(keystorePath, "changeit", "changeit", idpMetadata);
saml2Configuration.setServiceProviderEntityId("cas:example:sp");
saml2Configuration.setServiceProviderMetadataPath(spMetadataPath);
saml2Configuration.init();
val saml2Client = new SAML2Client(saml2Configuration);
saml2Client.setCallbackUrl("http://callback.example.org");
saml2Client.init();
saml2MessageContext = new SAML2MessageContext();
saml2MessageContext.setSaml2Configuration(saml2Configuration);
saml2MessageContext.setWebContext(new JEEContext(new MockHttpServletRequest(), new MockHttpServletResponse()));
val peer = saml2MessageContext.getMessageContext().getSubcontext(SAMLPeerEntityContext.class, true);
assertNotNull(peer);
peer.setEntityId("https://cas.example.org/idp");
val md = peer.getSubcontext(SAMLMetadataContext.class, true);
assertNotNull(md);
val idpResolver = SamlIdPUtils.getRoleDescriptorResolver(casSamlIdPMetadataResolver, true);
md.setRoleDescriptor(idpResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(Objects.requireNonNull(peer.getEntityId())), new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME))));
val self = saml2MessageContext.getMessageContext().getSubcontext(SAMLSelfEntityContext.class, true);
assertNotNull(self);
self.setEntityId(saml2Configuration.getServiceProviderEntityId());
val sp = self.getSubcontext(SAMLMetadataContext.class, true);
assertNotNull(sp);
val spRes = new InMemoryResourceMetadataResolver(new File(spMetadataPath), openSamlConfigBean);
spRes.setId(getClass().getSimpleName());
spRes.initialize();
val spResolver = SamlIdPUtils.getRoleDescriptorResolver(spRes, true);
sp.setRoleDescriptor(spResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(Objects.requireNonNull(self.getEntityId())), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME))));
}
use of org.opensaml.core.criterion.EntityIdCriterion in project cas by apereo.
the class SamlIdPObjectEncrypter method configureKeyDecryptionCredential.
/**
* Configure key decryption credential credential.
*
* @param peerEntityId the peer entity id
* @param adaptor the adaptor
* @param service the service
* @param decryptionConfiguration the decryption configuration
* @return the credential
* @throws Exception the exception
*/
protected Credential configureKeyDecryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service, final BasicDecryptionConfiguration decryptionConfiguration) throws Exception {
val mdCredentialResolver = new SamlIdPMetadataCredentialResolver();
val providers = new ArrayList<KeyInfoProvider>(5);
providers.add(new RSAKeyValueProvider());
providers.add(new DSAKeyValueProvider());
providers.add(new InlineX509DataProvider());
providers.add(new DEREncodedKeyValueProvider());
providers.add(new KeyInfoReferenceProvider());
val keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
mdCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
val roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(adaptor, samlIdPProperties.getMetadata().getCore().isRequireValidMetadata());
mdCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
mdCredentialResolver.initialize();
val criteriaSet = new CriteriaSet();
criteriaSet.add(new DecryptionConfigurationCriterion(decryptionConfiguration));
criteriaSet.add(new EntityIdCriterion(peerEntityId));
criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
criteriaSet.add(new SamlIdPSamlRegisteredServiceCriterion(service));
LOGGER.debug("Attempting to resolve the decryption key for entity id [{}]", peerEntityId);
val credential = Objects.requireNonNull(mdCredentialResolver.resolveSingle(criteriaSet));
val encryptinKey = samlIdPMetadataLocator.resolveEncryptionKey(Optional.ofNullable(service));
val bean = new PrivateKeyFactoryBean();
bean.setSingleton(false);
bean.setLocation(encryptinKey);
val privateKey = Objects.requireNonNull(bean.getObject());
val basicCredential = new BasicCredential(Objects.requireNonNull(credential.getPublicKey()), privateKey);
decryptionConfiguration.setKEKKeyInfoCredentialResolver(new StaticKeyInfoCredentialResolver(basicCredential));
val list = new ArrayList<EncryptedKeyResolver>(3);
list.add(new InlineEncryptedKeyResolver());
list.add(new EncryptedElementTypeEncryptedKeyResolver());
list.add(new SimpleRetrievalMethodEncryptedKeyResolver());
val encryptedKeyResolver = new ChainingEncryptedKeyResolver(list);
decryptionConfiguration.setEncryptedKeyResolver(encryptedKeyResolver);
return credential;
}
use of org.opensaml.core.criterion.EntityIdCriterion in project cas by apereo.
the class SamlIdPObjectEncrypter method configureKeyEncryptionCredential.
/**
* Gets key encryption credential.
*
* @param peerEntityId the peer entity id
* @param adaptor the adaptor
* @param service the service
* @param encryptionConfiguration the encryption configuration
* @return the key encryption credential
* @throws Exception the exception
*/
protected Credential configureKeyEncryptionCredential(final String peerEntityId, final SamlRegisteredServiceServiceProviderMetadataFacade adaptor, final SamlRegisteredService service, final BasicEncryptionConfiguration encryptionConfiguration) throws Exception {
val mdCredentialResolver = new SamlIdPMetadataCredentialResolver();
val providers = new ArrayList<KeyInfoProvider>(5);
providers.add(new RSAKeyValueProvider());
providers.add(new DSAKeyValueProvider());
providers.add(new InlineX509DataProvider());
providers.add(new DEREncodedKeyValueProvider());
providers.add(new KeyInfoReferenceProvider());
val keyInfoResolver = new BasicProviderKeyInfoCredentialResolver(providers);
mdCredentialResolver.setKeyInfoCredentialResolver(keyInfoResolver);
val roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(adaptor, samlIdPProperties.getMetadata().getCore().isRequireValidMetadata());
mdCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
mdCredentialResolver.initialize();
val criteriaSet = new CriteriaSet();
criteriaSet.add(new EncryptionConfigurationCriterion(encryptionConfiguration));
criteriaSet.add(new EntityIdCriterion(peerEntityId));
criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
criteriaSet.add(new SamlIdPSamlRegisteredServiceCriterion(service));
LOGGER.debug("Attempting to resolve the encryption key for entity id [{}]", peerEntityId);
val credential = mdCredentialResolver.resolveSingle(criteriaSet);
if (credential == null || credential.getPublicKey() == null) {
if (service.isEncryptionOptional()) {
LOGGER.warn("Unable to resolve the encryption [public] key for entity id [{}]", peerEntityId);
return null;
}
throw new SamlException("Unable to resolve the encryption [public] key for entity id " + peerEntityId);
}
val encodedKey = EncodingUtils.encodeBase64(credential.getPublicKey().getEncoded());
LOGGER.debug("Found encryption public key: [{}]", encodedKey);
encryptionConfiguration.setKeyTransportEncryptionCredentials(CollectionUtils.wrapList(credential));
return credential;
}
use of org.opensaml.core.criterion.EntityIdCriterion in project cas by apereo.
the class DefaultSamlIdPObjectSigner method getSignatureSigningConfiguration.
/**
* Gets signature signing configuration.
* The resolved used is {@link SamlIdPMetadataCredentialResolver} that
* allows the entire criteria set to be passed to the role descriptor resolver.
* This behavior allows the passing of {@link SamlIdPSamlRegisteredServiceCriterion}
* so signing configuration, etc can be fetched for a specific service as an override,
* if on is in fact defined for the service.
*
* @param service the service
* @return the signature signing configuration
* @throws Exception the exception
*/
protected SignatureSigningConfiguration getSignatureSigningConfiguration(final SamlRegisteredService service) throws Exception {
val config = configureSignatureSigningSecurityConfiguration(service);
val samlIdp = casProperties.getAuthn().getSamlIdp();
val privateKey = getSigningPrivateKey(service);
val mdCredentialResolver = new SamlIdPMetadataCredentialResolver();
val roleDescriptorResolver = SamlIdPUtils.getRoleDescriptorResolver(samlIdPMetadataResolver, samlIdp.getMetadata().getCore().isRequireValidMetadata());
mdCredentialResolver.setRoleDescriptorResolver(roleDescriptorResolver);
mdCredentialResolver.setKeyInfoCredentialResolver(DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
mdCredentialResolver.initialize();
val criteriaSet = new CriteriaSet();
criteriaSet.add(new SignatureSigningConfigurationCriterion(config));
criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
val entityIdCriteriaSet = new CriteriaSet(new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME), new SamlIdPSamlRegisteredServiceCriterion(service));
LOGGER.trace("Resolving entity id from SAML2 IdP metadata for signature signing configuration is [{}]", service.getName());
val entityId = Objects.requireNonNull(samlIdPMetadataResolver.resolveSingle(entityIdCriteriaSet)).getEntityID();
LOGGER.trace("Resolved entity id from SAML2 IdP metadata is [{}]", entityId);
criteriaSet.add(new EntityIdCriterion(entityId));
criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
criteriaSet.add(new SamlIdPSamlRegisteredServiceCriterion(service));
LOGGER.trace("Resolved signing credentials based on criteria [{}]", criteriaSet);
val credentials = Sets.newLinkedHashSet(mdCredentialResolver.resolve(criteriaSet));
LOGGER.trace("Resolved [{}] signing credentials", credentials.size());
val finalCredentials = new ArrayList<Credential>();
credentials.stream().map(c -> getResolvedSigningCredential(c, privateKey, service)).filter(Objects::nonNull).filter(c -> doesCredentialFingerprintMatch(c, service)).forEach(finalCredentials::add);
if (finalCredentials.isEmpty()) {
LOGGER.error("Unable to locate any signing credentials for service [{}]", service.getName());
throw new IllegalArgumentException("Unable to locate signing credentials");
}
config.setSigningCredentials(finalCredentials);
LOGGER.trace("Signature signing credentials configured with [{}] credentials", finalCredentials.size());
return config;
}
use of org.opensaml.core.criterion.EntityIdCriterion in project cas by apereo.
the class JsonResourceMetadataResolverTests method verifyResolverResolves.
@Test
public void verifyResolverResolves() throws Exception {
val props = new SamlIdPProperties();
val dir = new FileSystemResource(FileUtils.getTempDirectory());
props.getMetadata().getFileSystem().setLocation(dir.getFile().getCanonicalPath());
FileUtils.copyFile(new ClassPathResource("saml-sp-metadata.json").getFile(), new File(FileUtils.getTempDirectory(), "saml-sp-metadata.json"));
val service = new SamlRegisteredService();
val resolver = new JsonResourceMetadataResolver(props, openSamlConfigBean);
service.setName("Example");
service.setId(1000);
service.setServiceId("https://example.org/saml");
service.setMetadataLocation("json://");
assertTrue(resolver.isAvailable(service));
assertTrue(resolver.supports(service));
val results = resolver.resolve(service);
assertFalse(results.isEmpty());
val metadataResolver = results.iterator().next();
val resolved = metadataResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion("https://example.org/saml")));
assertNotNull(resolved);
resolver.destroy();
}
Aggregations