use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
the class InMemoryResourceMetadataResolverTests method verifyValidMetadataResource.
/**
 * Loads a known-good metadata file from the classpath and expects the resolver to
 * return at least one descriptor for the SP entity id it contains.
 */
@Test
public void verifyValidMetadataResource() throws Exception {
    val metadataResource = new ClassPathResource("metadata/metadata-valid.xml");
    val metadataResolver = new InMemoryResourceMetadataResolver(metadataResource, configBean);
    // Resolver ids must be unique per instance; a random UUID is sufficient in a test.
    metadataResolver.setId(UUID.randomUUID().toString());
    metadataResolver.initialize();

    val lookup = new CriteriaSet();
    lookup.add(new EntityIdCriterion("urn:app.e2ma.net"));
    lookup.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));

    val descriptors = metadataResolver.resolve(lookup);
    assertFalse(Iterables.isEmpty(descriptors));
}
use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
the class WsFederationHelper method validateSignature.
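/**
 * validateSignature checks to see if the signature on an assertion is valid.
 * <p>
 * Validation is two-staged. The signature is first checked against the SAML
 * signature profile, then verified by the trust engine built from the
 * configuration, constrained to the configured identity provider entity id in
 * the IdP SSO role with the SAML 2.0 protocol and a signing-usage credential.
 * Both a trust-engine rejection and an exception raised by either stage lead
 * to {@code false}; the method itself never throws.
 *
 * @param resultPair a provided assertion, paired with the WS-Federation configuration it was received under
 * @return true if the assertion's signature is valid, otherwise false
 */
public boolean validateSignature(final Pair<Assertion, WsFederationConfiguration> resultPair) {
    if (resultPair == null) {
        LOGGER.warn("No assertion or its configuration was provided to validate signatures");
        return false;
    }
    val configuration = resultPair.getValue();
    val assertion = resultPair.getKey();
    if (assertion == null || configuration == null) {
        LOGGER.warn("No signature or configuration was provided to validate signatures");
        return false;
    }
    val signature = assertion.getSignature();
    if (signature == null) {
        // An unsigned assertion is rejected outright; there is nothing to verify.
        LOGGER.warn("No signature is attached to the assertion to validate");
        return false;
    }
    try {
        LOGGER.debug("Validating the signature...");
        // Profile validation runs before any cryptographic check and reports a
        // malformed signature by throwing, which lands in the catch below.
        val validator = new SAMLSignatureProfileValidator();
        validator.validate(signature);

        val criteriaSet = new CriteriaSet();
        criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
        criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
        criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
        criteriaSet.add(new EntityIdCriterion(configuration.getIdentityProviderIdentifier()));

        val engine = buildSignatureTrustEngine(configuration);
        LOGGER.debug("Validating signature via trust engine for [{}]", configuration.getIdentityProviderIdentifier());
        if (engine.validate(signature, criteriaSet)) {
            return true;
        }
        // The trust engine rejects by returning false rather than throwing; previously this
        // path returned silently, so a rejected assertion left no error-level trace. Fall
        // through to the shared failure logging below.
    } catch (final Exception e) {
        LoggingUtils.error(LOGGER, "Failed to validate assertion signature", e);
    }
    // NOTE(review): logSamlObject dumps the full assertion, which may carry user
    // attributes; confirm the log destination is acceptable for that content.
    SamlUtils.logSamlObject(this.openSamlConfigBean, assertion);
    LOGGER.error("Signature doesn't match any signing credential and cannot be validated.");
    return false;
}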
use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
the class SamlRegisteredServiceMetadataExpirationPolicy method getCacheDurationForServiceProvider.
/**
 * Gets cache duration for service provider.
 * <p>
 * The service's entity id is looked up in the resolver, first constrained to the
 * SP SSO role and then, if that yields no {@code cacheDuration}, by entity id alone.
 * The first descriptor that declares a duration wins. Resolution failures are logged
 * at debug level only and reported as "unknown".
 *
 * @param service the service
 * @param chainingMetadataResolver the chaining metadata resolver
 * @return the cache duration for service provider in nanoseconds, or -1 when the service
 * has no entity id, no descriptor declares a duration, or resolution fails
 */
protected long getCacheDurationForServiceProvider(final SamlRegisteredService service, final MetadataResolver chainingMetadataResolver) {
    try {
        val entityId = service.getServiceId();
        if (StringUtils.isBlank(entityId)) {
            LOGGER.warn("Unable to determine duration for SAML service [{}] with no entity id", service.getName());
            return -1;
        }

        // First pass: the descriptor in its SP role.
        val spCriteria = new CriteriaSet();
        spCriteria.add(new EntityIdCriterion(entityId));
        spCriteria.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        val spDescriptor = chainingMetadataResolver.resolveSingle(spCriteria);
        if (spDescriptor != null && spDescriptor.getCacheDuration() != null) {
            LOGGER.debug("Located cache duration [{}] specified in SP metadata for [{}]", spDescriptor.getCacheDuration(), spDescriptor.getEntityID());
            return TimeUnit.MILLISECONDS.toNanos(spDescriptor.getCacheDuration().toMillis());
        }

        // Second pass: any descriptor for the entity id, regardless of role.
        val entityCriteria = new CriteriaSet();
        entityCriteria.add(new EntityIdCriterion(entityId));
        val descriptor = chainingMetadataResolver.resolveSingle(entityCriteria);
        if (descriptor != null && descriptor.getCacheDuration() != null) {
            LOGGER.debug("Located cache duration [{}] specified in entity metadata for [{}]", descriptor.getCacheDuration(), descriptor.getEntityID());
            return TimeUnit.MILLISECONDS.toNanos(descriptor.getCacheDuration().toMillis());
        }
    } catch (final Exception e) {
        // Best-effort lookup: a resolver failure degrades to "unknown" rather than failing the caller.
        LOGGER.debug(e.getMessage(), e);
    }
    return -1;
}
use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
the class SamlRegisteredServiceCachedMetadataEndpoint method getCachedMetadataObject.
/**
 * Gets cached metadata object.
 * <p>
 * Looks up the registered service for {@code serviceId}, resolves the SP entity
 * descriptor for {@code entityId} (falling back to the service's own entity id when
 * blank) through the caching resolver, and returns each matching entity's serialized
 * metadata XML keyed by entity id. Failures are reported in the body under the
 * {@code error} key instead of being thrown.
 * NOTE(review): the error body echoes the raw exception message and the success body
 * returns full metadata XML; this actuator endpoint should only be reachable by
 * administrators — confirm its access policy.
 *
 * @param serviceId the service id
 * @param entityId the entity id
 * @return the cached metadata object
 */
@ReadOperation
@Operation(summary = "Get SAML2 cached metadata", parameters = { @Parameter(name = "serviceId", required = true), @Parameter(name = "entityId") })
public Map<String, Object> getCachedMetadataObject(final String serviceId, @Nullable final String entityId) {
    try {
        val registeredService = findRegisteredService(serviceId);
        val issuer = StringUtils.defaultIfBlank(entityId, registeredService.getServiceId());

        val criteria = new CriteriaSet();
        criteria.add(new EntityIdCriterion(issuer));
        criteria.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));

        val resolver = cachingMetadataResolver.resolve(registeredService, criteria);
        val descriptors = StreamSupport.stream(resolver.resolve(criteria).spliterator(), false);
        // toMap rejects duplicate entity ids with an exception, which surfaces via the catch below.
        return descriptors.collect(Collectors.toMap(
            descriptor -> descriptor.getEntityID(),
            descriptor -> SamlUtils.transformSamlObject(openSamlConfigBean, descriptor).toString()));
    } catch (final Exception e) {
        LoggingUtils.error(LOGGER, e);
        return CollectionUtils.wrap("error", e.getMessage());
    }
}
use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
the class SamlRegisteredServiceCachedMetadataEndpoint method invalidate.
/**
 * Invalidate.
 * <p>
 * With a blank {@code serviceId} the entire metadata cache is dropped. Otherwise the
 * registered service is looked up and only the cache entry matching {@code serviceId}
 * as a SAML entity id in the SP SSO role is invalidated.
 * NOTE(review): the entity id criterion is built from the raw {@code serviceId}
 * argument, whereas getCachedMetadataObject derives the issuer from
 * {@code registeredService.getServiceId()}; if findRegisteredService also accepts a
 * numeric service id, a targeted invalidation by that id would match no cache entry —
 * confirm the expected input format.
 *
 * @param serviceId the service id
 */
@DeleteOperation
@Operation(summary = "Invalidate SAML2 metadata cache using an entity id.", parameters = { @Parameter(name = "serviceId") })
public void invalidate(@Nullable final String serviceId) {
    if (StringUtils.isNotBlank(serviceId)) {
        val registeredService = findRegisteredService(serviceId);
        val criteria = new CriteriaSet();
        criteria.add(new EntityIdCriterion(serviceId));
        criteria.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        cachingMetadataResolver.invalidate(registeredService, criteria);
        return;
    }
    // No target given: flush everything.
    cachingMetadataResolver.invalidate();
}