
Use of org.opensaml.saml.criterion.EntityRoleCriterion in the project cas by apereo.

From the class SamlIdPObjectSignatureValidator, method buildEntityCriteriaForSigningCredential.

/**
 * Populates the lookup criteria for the signing credential: the entity id of the
 * IdP metadata resolver and the IdP SSO descriptor role. The incoming
 * {@code profileRequest} is not consulted here.
 *
 * @param profileRequest the profile request (unused in this override)
 * @param criteriaSet    the criteria set to populate
 */
@Override
protected void buildEntityCriteriaForSigningCredential(final RequestAbstractType profileRequest, final CriteriaSet criteriaSet) {
    final String idpEntityId = casSamlIdPMetadataResolver.getId();
    final EntityIdCriterion entityCriterion = new EntityIdCriterion(idpEntityId);
    final EntityRoleCriterion roleCriterion = new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
    criteriaSet.add(entityCriterion);
    criteriaSet.add(roleCriterion);
}
Use of org.opensaml.saml.criterion.EntityRoleCriterion in the project cas by apereo.

From the class SamlObjectSignatureValidator, method buildEntityCriteriaForSigningCredential.

/**
 * Populates the lookup criteria for the signing credential of the request issuer:
 * the issuer's entity id plus the SP SSO descriptor role.
 *
 * @param profileRequest the profile request whose issuer is looked up
 * @param criteriaSet    the criteria set to populate
 */
protected void buildEntityCriteriaForSigningCredential(final RequestAbstractType profileRequest, final CriteriaSet criteriaSet) {
    val issuerEntityId = SamlIdPUtils.getIssuerFromSamlObject(profileRequest);
    criteriaSet.add(new EntityIdCriterion(issuerEntityId));
    criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
}
Use of org.opensaml.saml.criterion.EntityRoleCriterion in the project cas by apereo.

From the class SamlObjectSignatureValidator, method validateSignatureOnAuthenticationRequest.

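/**
 * Validates the signature of an authentication request issued by a service provider.
 * <p>
 * The peer entity is taken from the request issuer and its SP role descriptor is looked up
 * through the supplied resolver. Each candidate signing credential returned by
 * {@code getSigningCredential} is then tried in turn with an explicit-key trust engine
 * until one verifies the signature; the request is rejected if none does.
 *
 * @param profileRequest         the inbound SAML request
 * @param request                the HTTP request handed to the signature security handler
 * @param context                the message context being validated
 * @param roleDescriptorResolver resolver used to find the peer's role descriptor
 * @throws SamlException if the peer role descriptor cannot be resolved, no signing
 *                       credentials are available, or no credential verifies the signature
 * @throws Exception     if context or handler setup fails
 */
private void validateSignatureOnAuthenticationRequest(final RequestAbstractType profileRequest, final HttpServletRequest request, final MessageContext context, final RoleDescriptorResolver roleDescriptorResolver) throws Exception {
    val peer = context.getSubcontext(SAMLPeerEntityContext.class, true);
    peer.setEntityId(SamlIdPUtils.getIssuerFromSamlObject(profileRequest));
    val peerEntityId = Objects.requireNonNull(peer.getEntityId());
    LOGGER.debug("Validating request signature for [{}]...", peerEntityId);

    val roleDescriptor = roleDescriptorResolver.resolveSingle(new CriteriaSet(new EntityIdCriterion(peerEntityId), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)));
    if (roleDescriptor == null) {
        // resolveSingle() may return null for an unknown entity/role; fail with a clear
        // error rather than a NullPointerException on getElementQName().
        throw new SamlException("Unable to resolve SP role descriptor for [" + peerEntityId + ']');
    }
    peer.setRole(roleDescriptor.getElementQName());

    val protocol = context.getSubcontext(SAMLProtocolContext.class, true);
    protocol.setProtocol(SAMLConstants.SAML20P_NS);

    LOGGER.debug("Building security parameters context for signature validation of [{}]", peerEntityId);
    val secCtx = context.getSubcontext(SecurityParametersContext.class, true);
    val validationParams = buildSignatureValidationParameters();

    LOGGER.debug("Resolving signing credentials for [{}]", peerEntityId);
    val credentials = getSigningCredential(roleDescriptorResolver, profileRequest);
    if (credentials.isEmpty()) {
        throw new SamlException("Signing credentials for validation could not be resolved");
    }

    var foundValidCredential = false;
    for (val credential : credentials) {
        // A fresh handler per attempt: initialize()/destroy() bracket each invocation.
        val handler = new SAML2HTTPRedirectDeflateSignatureSecurityHandler();
        try {
            val resolver = new StaticCredentialResolver(credential);
            val keyResolver = new StaticKeyInfoCredentialResolver(credential);
            // Explicit-key trust: only the candidate credential itself is trusted.
            val trustEngine = new ExplicitKeySignatureTrustEngine(resolver, keyResolver);
            validationParams.setSignatureTrustEngine(trustEngine);
            secCtx.setSignatureValidationParameters(validationParams);
            handler.setHttpServletRequest(request);
            LOGGER.debug("Initializing [{}] to execute signature validation for [{}]", handler.getClass().getSimpleName(), peerEntityId);
            handler.initialize();
            LOGGER.debug("Invoking [{}] to handle signature validation for [{}]", handler.getClass().getSimpleName(), peerEntityId);
            handler.invoke(context);
            LOGGER.debug("Successfully validated request signature for [{}].", profileRequest.getIssuer());
            foundValidCredential = true;
        } catch (final Exception e) {
            // A failure with one credential is expected while probing; keep trying the rest.
            LOGGER.debug(e.getMessage(), e);
        } finally {
            handler.destroy();
        }
        if (foundValidCredential) {
            break;
        }
    }
    if (!foundValidCredential) {
        LOGGER.error("No valid credentials could be found to verify the signature for [{}]", profileRequest.getIssuer());
        throw new SamlException("No valid signing credentials for validation could be resolved");
    }
}

/**
 * Builds the signature validation parameters, applying the configured blocked and
 * allowed algorithm overrides when present. The trust engine is set per credential
 * by the caller.
 *
 * @return freshly built validation parameters
 */
private SignatureValidationParameters buildSignatureValidationParameters() {
    val validationParams = new SignatureValidationParameters();
    if (overrideBlockedSignatureAlgorithms != null && !overrideBlockedSignatureAlgorithms.isEmpty()) {
        validationParams.setExcludedAlgorithms(this.overrideBlockedSignatureAlgorithms);
        // Log the blocked list that was actually applied (previously logged the allowed list).
        LOGGER.debug("Validation override blocked algorithms are [{}]", this.overrideBlockedSignatureAlgorithms);
    }
    if (overrideAllowedAlgorithms != null && !overrideAllowedAlgorithms.isEmpty()) {
        validationParams.setIncludedAlgorithms(this.overrideAllowedAlgorithms);
        LOGGER.debug("Validation override allowed algorithms are [{}]", this.overrideAllowedAlgorithms);
    }
    return validationParams;
}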
Use of org.opensaml.saml.criterion.EntityRoleCriterion in the project cas by apereo.

From the class SamlIdPUtilsTests, method verifyMetadataForAllServices.

/**
 * Resolves the aggregate metadata of all registered SAML services and checks that the
 * test service can be found by entity id, SP role and the SAML2 POST binding.
 */
@Test
public void verifyMetadataForAllServices() throws Exception {
    val registeredService = getSamlRegisteredServiceForTestShib();
    servicesManager.save(registeredService);
    val entityId = registeredService.getServiceId();

    val metadataResolver = SamlIdPUtils.getMetadataResolverForAllSamlServices(servicesManager, entityId, samlRegisteredServiceCachingMetadataResolver);
    assertNotNull(metadataResolver);

    val criteria = new CriteriaSet(
        new EntityIdCriterion(entityId),
        new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME),
        new BindingCriterion(CollectionUtils.wrap(SAMLConstants.SAML2_POST_BINDING_URI)));
    val resolved = metadataResolver.resolve(criteria).iterator();
    assertTrue(resolved.hasNext());
    assertEquals(entityId, resolved.next().getEntityID());
}
Use of org.opensaml.saml.criterion.EntityRoleCriterion in the project cas by apereo.

From the class DefaultDelegatedClientAuthenticationWebflowManagerTests, method setupTestContextFor.

/**
 * Builds a pac4j SAML2 client and message context for tests, wiring the peer (IdP) and
 * self (SP) entity contexts with role descriptors resolved from the test metadata.
 * The web context comes from the enclosing test class's {@code context} field.
 *
 * @param spMetadataPath where the generated SP metadata is written
 * @param spEntityId     the entity id of the service provider
 * @return the initialized client paired with its message context
 * @throws Exception if client or resolver initialization fails
 */
private Pair<SAML2Client, SAML2MessageContext> setupTestContextFor(final String spMetadataPath, final String spEntityId) throws Exception {
    val idpMetadataPath = new File("src/test/resources/idp-metadata.xml").getCanonicalPath();
    val keystore = new File(FileUtils.getTempDirectory(), "keystore").getCanonicalPath();

    // Test-only keystore and SP metadata, both regenerated on every run.
    val configuration = new SAML2Configuration(keystore, "changeit", "changeit", idpMetadataPath);
    configuration.setServiceProviderEntityId(spEntityId);
    configuration.setServiceProviderMetadataPath(spMetadataPath);
    configuration.setForceKeystoreGeneration(true);
    configuration.setForceServiceProviderMetadataGeneration(true);
    configuration.init();

    val client = new SAML2Client(configuration);
    client.setCallbackUrl("http://callback.example.org");
    client.init();

    val messageContext = new SAML2MessageContext();
    messageContext.setSaml2Configuration(configuration);
    messageContext.setWebContext(context);
    val samlContext = messageContext.getMessageContext();

    // Peer side: the IdP, resolved against the client's IdP metadata.
    val peerContext = samlContext.getSubcontext(SAMLPeerEntityContext.class, true);
    assertNotNull(peerContext);
    peerContext.setEntityId("https://cas.example.org/idp");
    val peerMetadata = peerContext.getSubcontext(SAMLMetadataContext.class, true);
    assertNotNull(peerMetadata);
    val idpRoleResolver = new PredicateRoleDescriptorResolver(client.getIdpMetadataResolver().resolve());
    idpRoleResolver.initialize();
    val idpCriteria = new CriteriaSet(
        new EntityIdCriterion(Objects.requireNonNull(peerContext.getEntityId())),
        new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
    peerMetadata.setRoleDescriptor(idpRoleResolver.resolveSingle(idpCriteria));

    // Self side: the SP, resolved against the client's own generated metadata.
    val selfContext = samlContext.getSubcontext(SAMLSelfEntityContext.class, true);
    assertNotNull(selfContext);
    selfContext.setEntityId(configuration.getServiceProviderEntityId());
    val selfMetadata = selfContext.getSubcontext(SAMLMetadataContext.class, true);
    assertNotNull(selfMetadata);
    val spRoleResolver = new PredicateRoleDescriptorResolver(client.getSpMetadataResolver().resolve());
    spRoleResolver.initialize();
    val spCriteria = new CriteriaSet(
        new EntityIdCriterion(Objects.requireNonNull(selfContext.getEntityId())),
        new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    selfMetadata.setRoleDescriptor(spRoleResolver.resolveSingle(spCriteria));

    return Pair.of(client, messageContext);
}