Use of `org.opensaml.core.criterion.EntityIdCriterion` in project cas by apereo: class SamlRegisteredServiceCachedMetadataEndpoint, method getCachedMetadataObject.
/**
 * Returns the cached SAML2 metadata of a registered service, keyed by entity id.
 *
 * <p>The registered service is looked up by {@code serviceId}; the SP role
 * metadata for {@code entityId} (or, when that is blank, for the service's own
 * service id) is then resolved through the caching metadata resolver and each
 * matching entity descriptor is serialized to its XML text. Any failure is
 * logged and reported to the caller as a single {@code "error"} entry holding
 * the exception message, so this endpoint should remain access-controlled.
 *
 * @param serviceId the registered service id (required)
 * @param entityId  the entity id to resolve; optional, defaults to the service id
 * @return entity id to serialized metadata, or {@code {"error": message}} on failure
 */
@ReadOperation
@Operation(summary = "Get SAML2 cached metadata", parameters = { @Parameter(name = "serviceId", required = true), @Parameter(name = "entityId") })
public Map<String, Object> getCachedMetadataObject(final String serviceId, @Nullable final String entityId) {
    try {
        val registeredService = findRegisteredService(serviceId);
        // Blank entityId: fall back to the service id registered for the SP.
        val issuer = StringUtils.defaultIfBlank(entityId, registeredService.getServiceId());

        val criteria = new CriteriaSet();
        criteria.add(new EntityIdCriterion(issuer));
        criteria.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));

        val resolver = cachingMetadataResolver.resolve(registeredService, criteria);
        val descriptors = resolver.resolve(criteria);
        return StreamSupport.stream(descriptors.spliterator(), false)
            .map(descriptor -> Pair.of(descriptor.getEntityID(),
                SamlUtils.transformSamlObject(openSamlConfigBean, descriptor).toString()))
            .collect(Collectors.toMap(Pair::getLeft, Pair::getRight));
    } catch (final Exception e) {
        LoggingUtils.error(LOGGER, e);
        return CollectionUtils.wrap("error", e.getMessage());
    }
}
Use of `org.opensaml.core.criterion.EntityIdCriterion` in project cas by apereo: class SamlRegisteredServiceCachedMetadataEndpoint, method invalidate.
/**
 * Evicts SAML2 metadata from the cache.
 *
 * <p>A blank {@code serviceId} clears the entire cache. Otherwise the registered
 * service is looked up and only the SP role entry whose entity id equals the
 * given service id is evicted; unlike the read operation, no separate entity id
 * is accepted here.
 *
 * @param serviceId the registered service id, or blank to invalidate everything
 */
@DeleteOperation
@Operation(summary = "Invalidate SAML2 metadata cache using an entity id.", parameters = { @Parameter(name = "serviceId") })
public void invalidate(@Nullable final String serviceId) {
    if (StringUtils.isNotBlank(serviceId)) {
        val registeredService = findRegisteredService(serviceId);
        val criteria = new CriteriaSet();
        criteria.add(new EntityIdCriterion(serviceId));
        criteria.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        cachingMetadataResolver.invalidate(registeredService, criteria);
        return;
    }
    // No service given: drop every cached resolver.
    cachingMetadataResolver.invalidate();
}
Use of `org.opensaml.core.criterion.EntityIdCriterion` in project cas by apereo: class SamlRegisteredServiceServiceProviderMetadataFacade, method get.
/**
 * Locates the SP SSO descriptor for {@code entityID} and wraps it in a facade.
 *
 * <p>The entity id criterion is added to {@code criterions} (replacing any
 * existing one), the metadata chain for the registered service is resolved and
 * a single entity descriptor is requested from it. A missing descriptor, a
 * descriptor whose {@code validUntil} lies in the past, or any exception
 * (which is logged) all yield an empty result.
 *
 * @param resolver          the caching metadata resolver
 * @param registeredService the SAML registered service owning the metadata
 * @param entityID          the entity id to look up
 * @param criterions        the criteria to search with; mutated by this method
 * @return the facade, or empty when no usable descriptor was found
 */
@SneakyThrows
private static Optional<SamlRegisteredServiceServiceProviderMetadataFacade> get(final SamlRegisteredServiceCachingMetadataResolver resolver, final SamlRegisteredService registeredService, final String entityID, final CriteriaSet criterions) {
    try {
        LOGGER.trace("Adapting SAML metadata for CAS service [{}] issued by [{}]", registeredService.getName(), entityID);
        // Replace any pre-existing entity id criterion so the lookup targets this entity.
        criterions.add(new EntityIdCriterion(entityID), true);
        LOGGER.debug("Locating metadata for entityID [{}] by attempting to run through the metadata chain...", entityID);
        val chain = resolver.resolve(registeredService, criterions);
        LOGGER.debug("Resolved metadata chain from [{}] using [{}]. Filtering the chain by entity ID [{}]", registeredService.getMetadataLocation(), chain.getId(), entityID);

        val descriptor = chain.resolveSingle(criterions);
        if (descriptor == null) {
            LOGGER.warn("Cannot find entity [{}] in metadata provider for criteria [{}]", entityID, criterions);
            return Optional.empty();
        }
        LOGGER.trace("Located entity descriptor in metadata for [{}]", entityID);

        // Reject descriptors whose validity window has already closed.
        val validUntil = descriptor.getValidUntil();
        if (validUntil != null && validUntil.isBefore(ZonedDateTime.now(ZoneOffset.UTC).toInstant())) {
            LOGGER.warn("Entity descriptor in the metadata has expired at [{}]", validUntil);
            return Optional.empty();
        }
        return getServiceProviderSsoDescriptor(entityID, chain, descriptor);
    } catch (final Exception e) {
        LoggingUtils.error(LOGGER, e);
        return Optional.empty();
    }
}
Use of `org.opensaml.core.criterion.EntityIdCriterion` in project cas by apereo: class WsFederationMetadataCertificateProvider, method getSigningCredentials.
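/**
 * Loads the identity provider's signing credentials from the configured WS-Federation metadata.
 *
 * <p>The metadata resource is parsed into a fresh in-memory resolver, the IdP
 * entity descriptor matching {@code configuration.getIdentityProviderIdentifier()}
 * is located, and every X.509 certificate in the first IdP role's signing key
 * descriptor is base64-decoded and turned into a credential.
 *
 * @return the signing credentials, in metadata order
 * @throws IllegalStateException if the IdP entity or its IdP role is absent from the metadata
 * @throws RuntimeException      if no key descriptor in the IdP role is marked for signing use
 * @throws Exception             on metadata or certificate parsing failures
 */
@Override
public List<Credential> getSigningCredentials() throws Exception {
    try (val is = metadataResource.getInputStream()) {
        val resolver = new InMemoryResourceMetadataResolver(is, openSamlConfigBean);
        resolver.setId(UUID.randomUUID().toString());
        resolver.initialize();

        val idpIdentifier = configuration.getIdentityProviderIdentifier();
        val criteria = new CriteriaSet(
            new EntityIdCriterion(idpIdentifier),
            new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
        LOGGER.debug("Locating entity descriptor in the metadata for [{}]", idpIdentifier);

        // resolveSingle() returns null when nothing matches; fail with a clear
        // message rather than an NPE on the role lookup below.
        val entityDescriptor = resolver.resolveSingle(criteria);
        if (entityDescriptor == null) {
            throw new IllegalStateException("Unable to locate entity descriptor in metadata for " + idpIdentifier);
        }
        val roleDescriptors = entityDescriptor.getRoleDescriptors(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
        if (roleDescriptors.isEmpty()) {
            throw new IllegalStateException("Entity descriptor for " + idpIdentifier + " has no IDPSSODescriptor role");
        }

        // Only key descriptors explicitly marked use="signing" are accepted.
        // NOTE(review): descriptors without a use attribute (UsageType.UNSPECIFIED)
        // are skipped here — confirm that is the intended trust policy.
        val keyDescriptors = roleDescriptors.get(0).getKeyDescriptors();
        val keyDescriptor = keyDescriptors.stream()
            .filter(key -> key.getUse() == UsageType.SIGNING)
            .findFirst()
            .orElseThrow(() -> new RuntimeException("Unable to find key descriptor marked for signing usage"));

        return keyDescriptor.getKeyInfo().getX509Datas().stream()
            .map(X509Data::getX509Certificates)
            .flatMap(List::stream)
            .map(Unchecked.function(cert -> {
                LOGGER.debug("Parsing signing certificate [{}]", cert.getValue());
                val decoded = EncodingUtils.decodeBase64(cert.getValue());
                try (val certificateStream = new ByteArrayInputStream(decoded)) {
                    return WsFederationCertificateProvider.readCredential(certificateStream);
                }
            }))
            .collect(Collectors.toList());
    }
}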
Use of `org.opensaml.core.criterion.EntityIdCriterion` in project cas by apereo: class WsFederationHelper, method validateSignature.
/**
 * Verifies the XML signature of a WS-Federation assertion against the identity
 * provider's signing credentials.
 *
 * <p>The signature is first checked against the SAML signature profile and then
 * evaluated by the signature trust engine built for the configuration, using
 * criteria that select signing keys of the configured identity provider's IdP
 * role for the SAML 2.0 protocol. Missing input, a missing signature, or an
 * exception during validation all result in {@code false}.
 *
 * @param resultPair the assertion paired with the WS-Federation configuration it was issued under
 * @return {@code true} if the trust engine accepts the signature, otherwise {@code false}
 */
public boolean validateSignature(final Pair<Assertion, WsFederationConfiguration> resultPair) {
    if (resultPair == null) {
        LOGGER.warn("No assertion or its configuration was provided to validate signatures");
        return false;
    }
    val assertion = resultPair.getKey();
    val configuration = resultPair.getValue();
    if (assertion == null || configuration == null) {
        LOGGER.warn("No signature or configuration was provided to validate signatures");
        return false;
    }
    val signature = assertion.getSignature();
    if (signature == null) {
        LOGGER.warn("No signature is attached to the assertion to validate");
        return false;
    }

    try {
        LOGGER.debug("Validating the signature...");
        // SAML signature profile check runs before any trust evaluation.
        new SAMLSignatureProfileValidator().validate(signature);

        val idpIdentifier = configuration.getIdentityProviderIdentifier();
        val criteria = new CriteriaSet();
        criteria.add(new UsageCriterion(UsageType.SIGNING));
        criteria.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
        criteria.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
        criteria.add(new EntityIdCriterion(idpIdentifier));

        val trustEngine = buildSignatureTrustEngine(configuration);
        LOGGER.debug("Validating signature via trust engine for [{}]", idpIdentifier);
        // A plain false from the trust engine is returned as-is; only an exception
        // falls through to the diagnostic logging below.
        return trustEngine.validate(signature, criteria);
    } catch (final Exception e) {
        LoggingUtils.error(LOGGER, "Failed to validate assertion signature", e);
    }
    SamlUtils.logSamlObject(this.openSamlConfigBean, assertion);
    LOGGER.error("Signature doesn't match any signing credential and cannot be validated.");
    return false;
}