Search in sources :

Example 16 with XMLObject

use of org.opensaml.core.xml.XMLObject in project ddf by codice.

the class SimpleSignTest method testForceSign.

@Test
public void testForceSign() throws Exception {
    Document responseDoc = StaxUtils.read(new ByteArrayInputStream(cannedResponse.getBytes()));
    XMLObject responseXmlObject = OpenSAMLUtil.fromDom(responseDoc.getDocumentElement());
    org.opensaml.saml.saml2.core.Response response = (org.opensaml.saml.saml2.core.Response) responseXmlObject;
    response = simpleSign.forceSignSamlObject(response);
    simpleSign.validateSignature(response.getSignature(), response.getDOM().getOwnerDocument());
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) XMLObject(org.opensaml.core.xml.XMLObject) Document(org.w3c.dom.Document) Test(org.junit.Test)

Example 17 with XMLObject

use of org.opensaml.core.xml.XMLObject in project ddf by codice.

the class LogoutMessageImpl method sendSamlLogoutRequest.

@Override
public String sendSamlLogoutRequest(LogoutWrapper request, String targetUri, boolean isSoap, @Nullable Cookie cookie) throws IOException, LogoutSecurityException {
    XMLObject xmlObject = isSoap ? SamlProtocol.createSoapMessage((SignableSAMLObject) request.getMessage()) : (XMLObject) request;
    Element requestElement = getElementFromSaml(new LogoutWrapperImpl(xmlObject));
    String requestMessage = DOM2Writer.nodeToString(requestElement);
    try (CloseableHttpClient httpClient = HttpClients.createDefault()) {
        HttpPost post = new HttpPost(targetUri);
        post.addHeader("Cache-Control", "no-cache, no-store");
        post.addHeader("Pragma", "no-cache");
        post.addHeader("SOAPAction", SAML_SOAP_ACTION);
        post.addHeader("Content-Type", "application/soap+xml");
        post.setEntity(new StringEntity(requestMessage, "utf-8"));
        ResponseHandler<String> responseHandler = new BasicResponseHandler();
        BasicHttpContext context = new BasicHttpContext();
        if (cookie != null) {
            BasicClientCookie basicClientCookie = new BasicClientCookie(cookie.getName(), cookie.getValue());
            basicClientCookie.setDomain(cookie.getDomain());
            basicClientCookie.setPath(cookie.getPath());
            BasicCookieStore cookieStore = new BasicCookieStore();
            cookieStore.addCookie(basicClientCookie);
            context.setAttribute(HttpClientContext.COOKIE_STORE, cookieStore);
        }
        return httpClient.execute(post, responseHandler, context);
    }
}
Also used : CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) HttpPost(org.apache.http.client.methods.HttpPost) BasicHttpContext(org.apache.http.protocol.BasicHttpContext) Element(org.w3c.dom.Element) BasicResponseHandler(org.apache.http.impl.client.BasicResponseHandler) XMLObject(org.opensaml.core.xml.XMLObject) BasicClientCookie(org.apache.http.impl.cookie.BasicClientCookie) StringEntity(org.apache.http.entity.StringEntity) BasicCookieStore(org.apache.http.impl.client.BasicCookieStore) SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject)

Example 18 with XMLObject

use of org.opensaml.core.xml.XMLObject in project ddf by codice.

the class LogoutMessageImpl method extractXmlObject.

@Override
public LogoutWrapper<SignableSAMLObject> extractXmlObject(String samlLogoutResponse) throws LogoutSecurityException, XMLStreamException {
    try {
        Document responseDoc = StaxUtils.read(new ByteArrayInputStream(samlLogoutResponse.getBytes(StandardCharsets.UTF_8)));
        XMLObject xmlObject = OpenSAMLUtil.fromDom(responseDoc.getDocumentElement());
        if (xmlObject instanceof SignableSAMLObject) {
            return new LogoutWrapperImpl<>((SignableSAMLObject) xmlObject);
        }
        return null;
    } catch (WSSecurityException e) {
        throw new LogoutSecurityException(e);
    }
}
Also used : SignableSAMLObject(org.opensaml.saml.common.SignableSAMLObject) ByteArrayInputStream(java.io.ByteArrayInputStream) XMLObject(org.opensaml.core.xml.XMLObject) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Document(org.w3c.dom.Document) LogoutSecurityException(ddf.security.samlp.LogoutSecurityException)

Example 19 with XMLObject

use of org.opensaml.core.xml.XMLObject in project ddf by codice.

the class LogoutMessageImpl method extractResponse.

private LogoutWrapper<LogoutResponse> extractResponse(String samlObject) throws LogoutSecurityException, XMLStreamException {
    try {
        Document responseDoc = StaxUtils.read(new ByteArrayInputStream(samlObject.getBytes(StandardCharsets.UTF_8)));
        XMLObject responseXmlObject = OpenSAMLUtil.fromDom(responseDoc.getDocumentElement());
        if (LogoutResponse.class.isAssignableFrom(responseXmlObject.getClass())) {
            return new LogoutWrapperImpl<>((LogoutResponse) responseXmlObject);
        }
        return null;
    } catch (WSSecurityException e) {
        throw new LogoutSecurityException(e);
    }
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) XMLObject(org.opensaml.core.xml.XMLObject) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Document(org.w3c.dom.Document) LogoutSecurityException(ddf.security.samlp.LogoutSecurityException)

Example 20 with XMLObject

use of org.opensaml.core.xml.XMLObject in project ddf by codice.

the class PaosInInterceptor method handleMessage.

@Override
public void handleMessage(Message message) throws Fault {
    List authHeader = (List) ((Map) message.getExchange().getOutMessage().get(Message.PROTOCOL_HEADERS)).get("Authorization");
    String authorization = null;
    if (authHeader != null && authHeader.size() > 0) {
        authorization = (String) authHeader.get(0);
    }
    InputStream content = message.getContent(InputStream.class);
    String contentType = (String) message.get(Message.CONTENT_TYPE);
    if (contentType == null || !contentType.contains(APPLICATION_VND_PAOS_XML)) {
        return;
    }
    try {
        SOAPPart soapMessage = SamlProtocol.parseSoapMessage(IOUtils.toString(content, StandardCharsets.UTF_8));
        Iterator iterator = soapMessage.getEnvelope().getHeader().examineAllHeaderElements();
        IDPEntry idpEntry = null;
        String relayState = "";
        String responseConsumerURL = "";
        String messageId = "";
        while (iterator.hasNext()) {
            Element soapHeaderElement = (SOAPHeaderElement) iterator.next();
            if (RELAY_STATE.equals(soapHeaderElement.getLocalName())) {
                relayState = DOM2Writer.nodeToString(soapHeaderElement);
            } else if (REQUEST.equals(soapHeaderElement.getLocalName()) && soapHeaderElement.getNamespaceURI().equals(URN_OASIS_NAMES_TC_SAML_2_0_PROFILES_SSO_ECP)) {
                try {
                    soapHeaderElement = SamlProtocol.convertDomImplementation(soapHeaderElement);
                    Request ecpRequest = (Request) OpenSAMLUtil.fromDom(soapHeaderElement);
                    IDPList idpList = ecpRequest.getIDPList();
                    if (idpList == null) {
                        throw new Fault(new AccessDeniedException(IDP_SERVER_FAILURE_MSG));
                    }
                    List<IDPEntry> idpEntrys = idpList.getIDPEntrys();
                    if (idpEntrys == null || idpEntrys.size() == 0) {
                        throw new Fault(new AccessDeniedException(IDP_SERVER_FAILURE_MSG));
                    }
                    // choose the right entry, probably need to do something better than select the first
                    // one
                    // but the spec doesn't specify how this is supposed to be done
                    idpEntry = idpEntrys.get(0);
                } catch (WSSecurityException e) {
                    // TODO figure out IdP alternatively
                    LOGGER.info("Unable to determine IdP appropriately. ECP connection will fail. SP may be incorrectly configured. Contact the administrator for the remote system.");
                }
            } else if (REQUEST.equals(soapHeaderElement.getLocalName()) && soapHeaderElement.getNamespaceURI().equals(URN_LIBERTY_PAOS_2003_08)) {
                responseConsumerURL = soapHeaderElement.getAttribute(RESPONSE_CONSUMER_URL);
                messageId = soapHeaderElement.getAttribute(MESSAGE_ID);
            }
        }
        if (idpEntry == null) {
            throw new Fault(new AccessDeniedException(IDP_SERVER_FAILURE_MSG));
        }
        String token = createToken(authorization);
        checkAuthnRequest(soapMessage);
        Element authnRequestElement = SamlProtocol.getDomElement(soapMessage.getEnvelope().getBody().getFirstChild());
        String loc = idpEntry.getLoc();
        String soapRequest = buildSoapMessage(token, relayState, authnRequestElement, null);
        HttpResponseWrapper httpResponse = getHttpResponse(loc, soapRequest, null);
        InputStream httpResponseContent = httpResponse.content;
        SOAPPart idpSoapResponse = SamlProtocol.parseSoapMessage(IOUtils.toString(httpResponseContent, StandardCharsets.UTF_8));
        Iterator responseHeaderElements = idpSoapResponse.getEnvelope().getHeader().examineAllHeaderElements();
        String newRelayState = "";
        while (responseHeaderElements.hasNext()) {
            SOAPHeaderElement soapHeaderElement = (SOAPHeaderElement) responseHeaderElements.next();
            if (RESPONSE.equals(soapHeaderElement.getLocalName())) {
                String assertionConsumerServiceURL = soapHeaderElement.getAttribute(ASSERTION_CONSUMER_SERVICE_URL);
                if (!responseConsumerURL.equals(assertionConsumerServiceURL)) {
                    String soapFault = buildSoapFault(ECP_RESPONSE, "The responseConsumerURL does not match the assertionConsumerServiceURL.");
                    httpResponse = getHttpResponse(responseConsumerURL, soapFault, null);
                    message.setContent(InputStream.class, httpResponse.content);
                    return;
                }
            } else if (RELAY_STATE.equals(soapHeaderElement.getLocalName())) {
                newRelayState = DOM2Writer.nodeToString(soapHeaderElement);
                if (StringUtils.isNotEmpty(relayState) && !relayState.equals(newRelayState)) {
                    LOGGER.debug("RelayState does not match between ECP request and response");
                }
                if (StringUtils.isNotEmpty(relayState)) {
                    newRelayState = relayState;
                }
            }
        }
        checkSamlpResponse(idpSoapResponse);
        Element samlpResponseElement = SamlProtocol.getDomElement(idpSoapResponse.getEnvelope().getBody().getFirstChild());
        XMLObject paosResponse = null;
        if (StringUtils.isNotEmpty(messageId)) {
            paosResponse = getPaosResponse(messageId);
        }
        String soapResponse = buildSoapMessage(null, newRelayState, samlpResponseElement, paosResponse);
        httpResponse = getHttpResponse(responseConsumerURL, soapResponse, message.getExchange().getOutMessage());
        if (httpResponse.statusCode < 400) {
            httpResponseContent = httpResponse.content;
            message.setContent(InputStream.class, httpResponseContent);
            Map<String, List<String>> headers = new HashMap<>();
            message.put(Message.PROTOCOL_HEADERS, headers);
            httpResponse.headers.forEach((entry) -> headers.put(entry.getKey(), // CXF Expects pairs of <String, List<String>>
            entry.getValue() instanceof List ? ((List<Object>) entry.getValue()).stream().map(String::valueOf).collect(Collectors.toList()) : Lists.newArrayList(String.valueOf(entry.getValue()))));
        } else {
            throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection due to an error."));
        }
    } catch (IOException e) {
        LOGGER.debug("Error encountered while performing ECP handshake.", e);
    } catch (XMLStreamException | SOAPException e) {
        throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. The server's response was not in the correct format."));
    } catch (WSSecurityException e) {
        throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to send SOAP request messages."));
    }
}
Also used : SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement) AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException) HashMap(java.util.HashMap) InputStream(java.io.InputStream) SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement) Element(org.w3c.dom.Element) AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest) Request(org.opensaml.saml.saml2.ecp.Request) HttpRequest(com.google.api.client.http.HttpRequest) IDPList(org.opensaml.saml.saml2.core.IDPList) XMLObject(org.opensaml.core.xml.XMLObject) Fault(org.apache.cxf.interceptor.Fault) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) IOException(java.io.IOException) XMLStreamException(javax.xml.stream.XMLStreamException) SOAPException(javax.xml.soap.SOAPException) SOAPPart(javax.xml.soap.SOAPPart) Iterator(java.util.Iterator) IDPList(org.opensaml.saml.saml2.core.IDPList) List(java.util.List) XMLObject(org.opensaml.core.xml.XMLObject) IDPEntry(org.opensaml.saml.saml2.core.IDPEntry)

Aggregations

XMLObject (org.opensaml.core.xml.XMLObject)68 Element (org.w3c.dom.Element)27 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)21 Document (org.w3c.dom.Document)21 ByteArrayInputStream (java.io.ByteArrayInputStream)19 Attribute (org.opensaml.saml.saml2.core.Attribute)14 AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement)10 IOException (java.io.IOException)9 SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)9 ArrayList (java.util.ArrayList)8 Test (org.junit.Test)8 XSString (org.opensaml.core.xml.schema.XSString)7 Assertion (org.opensaml.saml.saml2.core.Assertion)7 AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)7 HashMap (java.util.HashMap)6 List (java.util.List)6 XMLStreamException (javax.xml.stream.XMLStreamException)6 InputStream (java.io.InputStream)5 InputStreamReader (java.io.InputStreamReader)5 LogoutSecurityException (ddf.security.samlp.LogoutSecurityException)4