Search in sources :

Example 1 with ValidationContext

use of org.opensaml.saml.common.assertion.ValidationContext in project spring-security by spring-projects.

the class OpenSamlAuthenticationProviderTests method authenticateWhenDelegatingToDefaultAssertionValidatorThenUses.

@Test
public void authenticateWhenDelegatingToDefaultAssertionValidatorThenUses() {
    OpenSamlAuthenticationProvider provider = new OpenSamlAuthenticationProvider();
    // @formatter:off
    provider.setAssertionValidator((assertionToken) -> OpenSamlAuthenticationProvider.createDefaultAssertionValidator((token) -> new ValidationContext()).convert(assertionToken).concat(new Saml2Error("wrong error", "wrong error")));
    // @formatter:on
    Response response = response();
    Assertion assertion = assertion();
    OneTimeUse oneTimeUse = build(OneTimeUse.DEFAULT_ELEMENT_NAME);
    assertion.getConditions().getConditions().add(oneTimeUse);
    response.getAssertions().add(assertion);
    TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(), ASSERTING_PARTY_ENTITY_ID);
    Saml2AuthenticationToken token = token(response, verifying(registration()));
    // @formatter:off
    assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> provider.authenticate(token)).isInstanceOf(Saml2AuthenticationException.class).satisfies((error) -> assertThat(error.getSaml2Error().getErrorCode()).isEqualTo(Saml2ErrorCodes.INVALID_ASSERTION));
// @formatter:on
}
Also used : Arrays(java.util.Arrays) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) EncryptedDataBuilder(org.opensaml.xmlsec.encryption.impl.EncryptedDataBuilder) EncryptedID(org.opensaml.saml.saml2.core.EncryptedID) Assertions.assertThat(org.assertj.core.api.Assertions.assertThat) RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) Attribute(org.opensaml.saml.saml2.core.Attribute) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) BDDMockito.given(org.mockito.BDDMockito.given) Map(java.util.Map) SignatureConstants(org.opensaml.xmlsec.signature.support.SignatureConstants) Marshaller(org.opensaml.core.xml.io.Marshaller) XSDateTimeBuilder(org.opensaml.core.xml.schema.impl.XSDateTimeBuilder) Response(org.opensaml.saml.saml2.core.Response) Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult) EncryptedAssertionBuilder(org.opensaml.saml.saml2.core.impl.EncryptedAssertionBuilder) Mockito.atLeastOnce(org.mockito.Mockito.atLeastOnce) Instant(java.time.Instant) EncryptedIDBuilder(org.opensaml.saml.saml2.core.impl.EncryptedIDBuilder) AttributeBuilder(org.opensaml.saml.saml2.core.impl.AttributeBuilder) SubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData) Test(org.junit.jupiter.api.Test) List(java.util.List) XSDateTime(org.opensaml.core.xml.schema.XSDateTime) OneTimeUse(org.opensaml.saml.saml2.core.OneTimeUse) ValidationContext(org.opensaml.saml.common.assertion.ValidationContext) QName(javax.xml.namespace.QName) Authentication(org.springframework.security.core.Authentication) Mockito.mock(org.mockito.Mockito.mock) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) SubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation) ByteArrayOutputStream(java.io.ByteArrayOutputStream) Duration(org.joda.time.Duration) HashMap(java.util.HashMap) Conditions(org.opensaml.saml.saml2.core.Conditions) LinkedHashMap(java.util.LinkedHashMap) StatusCode(org.opensaml.saml.saml2.core.StatusCode) SerializeSupport(net.shibboleth.utilities.java.support.xml.SerializeSupport) SAML2AssertionValidationParameters(org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters) Assertion(org.opensaml.saml.saml2.core.Assertion) Assertions.assertThatExceptionOfType(org.assertj.core.api.Assertions.assertThatExceptionOfType) ObjectOutputStream(java.io.ObjectOutputStream) AttributeValue(org.opensaml.saml.saml2.core.AttributeValue) XMLObject(org.opensaml.core.xml.XMLObject) MarshallingException(org.opensaml.core.xml.io.MarshallingException) Converter(org.springframework.core.convert.converter.Converter) Saml2ErrorCodes(org.springframework.security.saml2.core.Saml2ErrorCodes) DateTime(org.joda.time.DateTime) Saml2Error(org.springframework.security.saml2.core.Saml2Error) EncryptedAttribute(org.opensaml.saml.saml2.core.EncryptedAttribute) Saml2Exception(org.springframework.security.saml2.Saml2Exception) IOException(java.io.IOException) TestSaml2X509Credentials(org.springframework.security.saml2.core.TestSaml2X509Credentials) XMLObjectProviderRegistrySupport(org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport) NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder) Mockito.verify(org.mockito.Mockito.verify) Consumer(java.util.function.Consumer) Element(org.w3c.dom.Element) ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.ResponseToken) Assertions.assertThatIllegalArgumentException(org.assertj.core.api.Assertions.assertThatIllegalArgumentException) Collections(java.util.Collections) TestRelyingPartyRegistrations(org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations) NameID(org.opensaml.saml.saml2.core.NameID) StringUtils(org.springframework.util.StringUtils) Saml2Error(org.springframework.security.saml2.core.Saml2Error) Response(org.opensaml.saml.saml2.core.Response) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) OneTimeUse(org.opensaml.saml.saml2.core.OneTimeUse) ValidationContext(org.opensaml.saml.common.assertion.ValidationContext) Test(org.junit.jupiter.api.Test)

Example 2 with ValidationContext

use of org.opensaml.saml.common.assertion.ValidationContext in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProvider method createDefaultAssertionSignatureValidator.

private Converter<AssertionToken, Saml2ResponseValidatorResult> createDefaultAssertionSignatureValidator() {
    return createAssertionValidator(Saml2ErrorCodes.INVALID_SIGNATURE, (assertionToken) -> {
        RelyingPartyRegistration registration = assertionToken.getToken().getRelyingPartyRegistration();
        SignatureTrustEngine engine = OpenSamlVerificationUtils.trustEngine(registration);
        return SAML20AssertionValidators.createSignatureValidator(engine);
    }, (assertionToken) -> new ValidationContext(Collections.singletonMap(SAML2AssertionValidationParameters.SIGNATURE_REQUIRED, false)));
}
Also used : RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) SignatureTrustEngine(org.opensaml.xmlsec.signature.support.SignatureTrustEngine) ValidationContext(org.opensaml.saml.common.assertion.ValidationContext)

Example 3 with ValidationContext

use of org.opensaml.saml.common.assertion.ValidationContext in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProvider method createValidationContext.

private static ValidationContext createValidationContext(AssertionToken assertionToken, Consumer<Map<String, Object>> paramsConsumer) {
    RelyingPartyRegistration relyingPartyRegistration = assertionToken.token.getRelyingPartyRegistration();
    String audience = relyingPartyRegistration.getEntityId();
    String recipient = relyingPartyRegistration.getAssertionConsumerServiceLocation();
    String assertingPartyEntityId = relyingPartyRegistration.getAssertingPartyDetails().getEntityId();
    Map<String, Object> params = new HashMap<>();
    params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES, Collections.singleton(audience));
    params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, Collections.singleton(recipient));
    params.put(SAML2AssertionValidationParameters.VALID_ISSUERS, Collections.singleton(assertingPartyEntityId));
    paramsConsumer.accept(params);
    return new ValidationContext(params);
}
Also used : RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) XMLObject(org.opensaml.core.xml.XMLObject) XSString(org.opensaml.core.xml.schema.XSString) ValidationContext(org.opensaml.saml.common.assertion.ValidationContext)

Example 4 with ValidationContext

use of org.opensaml.saml.common.assertion.ValidationContext in project spring-security by spring-projects.

the class OpenSaml4AuthenticationProviderTests method authenticateWhenDelegatingToDefaultAssertionValidatorThenUses.

@Test
public void authenticateWhenDelegatingToDefaultAssertionValidatorThenUses() {
    OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
    // @formatter:off
    provider.setAssertionValidator((assertionToken) -> OpenSaml4AuthenticationProvider.createDefaultAssertionValidator((token) -> new ValidationContext()).convert(assertionToken).concat(new Saml2Error("wrong error", "wrong error")));
    // @formatter:on
    Response response = response();
    Assertion assertion = assertion();
    OneTimeUse oneTimeUse = build(OneTimeUse.DEFAULT_ELEMENT_NAME);
    assertion.getConditions().getConditions().add(oneTimeUse);
    response.getAssertions().add(assertion);
    TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(), ASSERTING_PARTY_ENTITY_ID);
    Saml2AuthenticationToken token = token(response, verifying(registration()));
    // @formatter:off
    assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> provider.authenticate(token)).isInstanceOf(Saml2AuthenticationException.class).satisfies((error) -> assertThat(error.getSaml2Error().getErrorCode()).isEqualTo(Saml2ErrorCodes.INVALID_ASSERTION));
// @formatter:on
}
Also used : Arrays(java.util.Arrays) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) EncryptedDataBuilder(org.opensaml.xmlsec.encryption.impl.EncryptedDataBuilder) ResponseToken(org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken) EncryptedID(org.opensaml.saml.saml2.core.EncryptedID) Assertions.assertThat(org.assertj.core.api.Assertions.assertThat) RelyingPartyRegistration(org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration) Attribute(org.opensaml.saml.saml2.core.Attribute) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) BDDMockito.given(org.mockito.BDDMockito.given) Duration(java.time.Duration) Map(java.util.Map) SignatureConstants(org.opensaml.xmlsec.signature.support.SignatureConstants) Marshaller(org.opensaml.core.xml.io.Marshaller) XSDateTimeBuilder(org.opensaml.core.xml.schema.impl.XSDateTimeBuilder) Response(org.opensaml.saml.saml2.core.Response) Saml2ResponseValidatorResult(org.springframework.security.saml2.core.Saml2ResponseValidatorResult) EncryptedAssertionBuilder(org.opensaml.saml.saml2.core.impl.EncryptedAssertionBuilder) Mockito.atLeastOnce(org.mockito.Mockito.atLeastOnce) Instant(java.time.Instant) EncryptedIDBuilder(org.opensaml.saml.saml2.core.impl.EncryptedIDBuilder) AttributeBuilder(org.opensaml.saml.saml2.core.impl.AttributeBuilder) SubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData) Test(org.junit.jupiter.api.Test) List(java.util.List) XSDateTime(org.opensaml.core.xml.schema.XSDateTime) OneTimeUse(org.opensaml.saml.saml2.core.OneTimeUse) ValidationContext(org.opensaml.saml.common.assertion.ValidationContext) QName(javax.xml.namespace.QName) Authentication(org.springframework.security.core.Authentication) Mockito.mock(org.mockito.Mockito.mock) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) SubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation) ByteArrayOutputStream(java.io.ByteArrayOutputStream) HashMap(java.util.HashMap) Conditions(org.opensaml.saml.saml2.core.Conditions) LinkedHashMap(java.util.LinkedHashMap) StatusCode(org.opensaml.saml.saml2.core.StatusCode) SerializeSupport(net.shibboleth.utilities.java.support.xml.SerializeSupport) SAML2AssertionValidationParameters(org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters) Assertion(org.opensaml.saml.saml2.core.Assertion) Assertions.assertThatExceptionOfType(org.assertj.core.api.Assertions.assertThatExceptionOfType) ObjectOutputStream(java.io.ObjectOutputStream) AttributeValue(org.opensaml.saml.saml2.core.AttributeValue) XMLObject(org.opensaml.core.xml.XMLObject) MarshallingException(org.opensaml.core.xml.io.MarshallingException) Converter(org.springframework.core.convert.converter.Converter) Saml2ErrorCodes(org.springframework.security.saml2.core.Saml2ErrorCodes) CustomOpenSamlObject(org.springframework.security.saml2.provider.service.authentication.TestCustomOpenSamlObjects.CustomOpenSamlObject) Saml2Error(org.springframework.security.saml2.core.Saml2Error) EncryptedAttribute(org.opensaml.saml.saml2.core.EncryptedAttribute) Saml2Exception(org.springframework.security.saml2.Saml2Exception) IOException(java.io.IOException) TestSaml2X509Credentials(org.springframework.security.saml2.core.TestSaml2X509Credentials) XMLObjectProviderRegistrySupport(org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport) NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder) Mockito.verify(org.mockito.Mockito.verify) Consumer(java.util.function.Consumer) Element(org.w3c.dom.Element) Assertions.assertThatIllegalArgumentException(org.assertj.core.api.Assertions.assertThatIllegalArgumentException) Collections(java.util.Collections) TestRelyingPartyRegistrations(org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations) NameID(org.opensaml.saml.saml2.core.NameID) StringUtils(org.springframework.util.StringUtils) Saml2Error(org.springframework.security.saml2.core.Saml2Error) Response(org.opensaml.saml.saml2.core.Response) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) OneTimeUse(org.opensaml.saml.saml2.core.OneTimeUse) ValidationContext(org.opensaml.saml.common.assertion.ValidationContext) Test(org.junit.jupiter.api.Test)

Example 5 with ValidationContext

use of org.opensaml.saml.common.assertion.ValidationContext in project spring-security by spring-projects.

the class OpenSamlAuthenticationProvider method createValidationContext.

private static ValidationContext createValidationContext(AssertionToken assertionToken, Consumer<Map<String, Object>> paramsConsumer) {
    String audience = assertionToken.token.getRelyingPartyRegistration().getEntityId();
    String recipient = assertionToken.token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation();
    Map<String, Object> params = new HashMap<>();
    params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES, Collections.singleton(audience));
    params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, Collections.singleton(recipient));
    paramsConsumer.accept(params);
    return new ValidationContext(params);
}
Also used : HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) XMLObject(org.opensaml.core.xml.XMLObject) XSString(org.opensaml.core.xml.schema.XSString) ValidationContext(org.opensaml.saml.common.assertion.ValidationContext)

Aggregations

ValidationContext (org.opensaml.saml.common.assertion.ValidationContext)8 RelyingPartyRegistration (org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration)7 HashMap (java.util.HashMap)6 LinkedHashMap (java.util.LinkedHashMap)6 XMLObject (org.opensaml.core.xml.XMLObject)6 ByteArrayOutputStream (java.io.ByteArrayOutputStream)4 IOException (java.io.IOException)4 ObjectOutputStream (java.io.ObjectOutputStream)4 Instant (java.time.Instant)4 Arrays (java.util.Arrays)4 Collections (java.util.Collections)4 List (java.util.List)4 Map (java.util.Map)4 Consumer (java.util.function.Consumer)4 QName (javax.xml.namespace.QName)4 SerializeSupport (net.shibboleth.utilities.java.support.xml.SerializeSupport)4 Assertions.assertThat (org.assertj.core.api.Assertions.assertThat)4 Assertions.assertThatExceptionOfType (org.assertj.core.api.Assertions.assertThatExceptionOfType)4 Assertions.assertThatIllegalArgumentException (org.assertj.core.api.Assertions.assertThatIllegalArgumentException)4 Test (org.junit.jupiter.api.Test)4