Example 26 with EntityRoleCriterion
use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
the class InMemoryResourceMetadataResolverTests method verifyValidMetadataResource.
@Test
public void verifyValidMetadataResource() throws Exception {
val resolver = new InMemoryResourceMetadataResolver(new ClassPathResource("metadata/metadata-valid.xml"), configBean);
resolver.setId(UUID.randomUUID().toString());
resolver.initialize();
val criteriaSet = new CriteriaSet();
criteriaSet.add(new EntityIdCriterion("urn:app.e2ma.net"));
criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
val resolved = resolver.resolve(criteriaSet);
assertFalse(Iterables.isEmpty(resolved));
}
Also used :
lombok.val(lombok.val)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)
ClassPathResource(org.springframework.core.io.ClassPathResource)
Test(org.junit.jupiter.api.Test)
SpringBootTest(org.springframework.boot.test.context.SpringBootTest)
Example 27 with EntityRoleCriterion
use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
the class WsFederationHelper method validateSignature.
/**
* validateSignature checks to see if the signature on an assertion is valid.
*
* @param resultPair a provided assertion
* @return true if the assertion's signature is valid, otherwise false
*/
public boolean validateSignature(final Pair<Assertion, WsFederationConfiguration> resultPair) {
if (resultPair == null) {
LOGGER.warn("No assertion or its configuration was provided to validate signatures");
return false;
}
val configuration = resultPair.getValue();
val assertion = resultPair.getKey();
if (assertion == null || configuration == null) {
LOGGER.warn("No signature or configuration was provided to validate signatures");
return false;
}
val signature = assertion.getSignature();
if (signature == null) {
LOGGER.warn("No signature is attached to the assertion to validate");
return false;
}
try {
LOGGER.debug("Validating the signature...");
val validator = new SAMLSignatureProfileValidator();
validator.validate(signature);
val criteriaSet = new CriteriaSet();
criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
criteriaSet.add(new EntityIdCriterion(configuration.getIdentityProviderIdentifier()));
val engine = buildSignatureTrustEngine(configuration);
LOGGER.debug("Validating signature via trust engine for [{}]", configuration.getIdentityProviderIdentifier());
return engine.validate(signature, criteriaSet);
} catch (final Exception e) {
LoggingUtils.error(LOGGER, "Failed to validate assertion signature", e);
}
SamlUtils.logSamlObject(this.openSamlConfigBean, assertion);
LOGGER.error("Signature doesn't match any signing credential and cannot be validated.");
return false;
}
Also used :
lombok.val(lombok.val)
UsageCriterion(org.opensaml.security.criteria.UsageCriterion)
ProtocolCriterion(org.opensaml.saml.criterion.ProtocolCriterion)
SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
Example 28 with EntityRoleCriterion
use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
the class SamlRegisteredServiceMetadataExpirationPolicy method getCacheDurationForServiceProvider.
/**
* Gets cache duration for service provider.
*
* @param service the service
* @param chainingMetadataResolver the chaining metadata resolver
* @return the cache duration for service provider
*/
protected long getCacheDurationForServiceProvider(final SamlRegisteredService service, final MetadataResolver chainingMetadataResolver) {
try {
if (StringUtils.isBlank(service.getServiceId())) {
LOGGER.warn("Unable to determine duration for SAML service [{}] with no entity id", service.getName());
return -1;
}
val set = new CriteriaSet();
set.add(new EntityIdCriterion(service.getServiceId()));
set.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
val entitySp = chainingMetadataResolver.resolveSingle(set);
if (entitySp != null && entitySp.getCacheDuration() != null) {
LOGGER.debug("Located cache duration [{}] specified in SP metadata for [{}]", entitySp.getCacheDuration(), entitySp.getEntityID());
return TimeUnit.MILLISECONDS.toNanos(entitySp.getCacheDuration().toMillis());
}
set.clear();
set.add(new EntityIdCriterion(service.getServiceId()));
val entity = chainingMetadataResolver.resolveSingle(set);
if (entity != null && entity.getCacheDuration() != null) {
LOGGER.debug("Located cache duration [{}] specified in entity metadata for [{}]", entity.getCacheDuration(), entity.getEntityID());
return TimeUnit.MILLISECONDS.toNanos(entity.getCacheDuration().toMillis());
}
} catch (final Exception e) {
LOGGER.debug(e.getMessage(), e);
}
return -1;
}
Also used :
lombok.val(lombok.val)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)
Example 29 with EntityRoleCriterion
use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
the class SamlRegisteredServiceCachedMetadataEndpoint method getCachedMetadataObject.
/**
* Gets cached metadata object.
*
* @param serviceId the service id
* @param entityId the entity id
* @return the cached metadata object
*/
@ReadOperation
@Operation(summary = "Get SAML2 cached metadata", parameters = { @Parameter(name = "serviceId", required = true), @Parameter(name = "entityId") })
public Map<String, Object> getCachedMetadataObject(final String serviceId, @Nullable final String entityId) {
try {
val registeredService = findRegisteredService(serviceId);
val issuer = StringUtils.defaultIfBlank(entityId, registeredService.getServiceId());
val criteriaSet = new CriteriaSet();
criteriaSet.add(new EntityIdCriterion(issuer));
criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
val metadataResolver = cachingMetadataResolver.resolve(registeredService, criteriaSet);
val iteration = metadataResolver.resolve(criteriaSet).spliterator();
return StreamSupport.stream(iteration, false).map(entity -> Pair.of(entity.getEntityID(), SamlUtils.transformSamlObject(openSamlConfigBean, entity).toString())).collect(Collectors.toMap(Pair::getLeft, Pair::getRight));
} catch (final Exception e) {
LoggingUtils.error(LOGGER, e);
return CollectionUtils.wrap("error", e.getMessage());
}
}
Also used :
lombok.val(lombok.val)
CasConfigurationProperties(org.apereo.cas.configuration.CasConfigurationProperties)
ReadOperation(org.springframework.boot.actuate.endpoint.annotation.ReadOperation)
SamlRegisteredServiceCachingMetadataResolver(org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceCachingMetadataResolver)
StringUtils(org.apache.commons.lang3.StringUtils)
DeleteOperation(org.springframework.boot.actuate.endpoint.annotation.DeleteOperation)
SamlUtils(org.apereo.cas.support.saml.SamlUtils)
LoggingUtils(org.apereo.cas.util.LoggingUtils)
Operation(io.swagger.v3.oas.annotations.Operation)
SamlRegisteredService(org.apereo.cas.support.saml.services.SamlRegisteredService)
Pair(org.apache.commons.lang3.tuple.Pair)
Map(java.util.Map)
CollectionUtils(org.apereo.cas.util.CollectionUtils)
Nullable(org.springframework.lang.Nullable)
StreamSupport(java.util.stream.StreamSupport)
ServicesManager(org.apereo.cas.services.ServicesManager)
AuditableContext(org.apereo.cas.audit.AuditableContext)
Endpoint(org.springframework.boot.actuate.endpoint.annotation.Endpoint)
Collection(java.util.Collection)
lombok.val(lombok.val)
Collectors(java.util.stream.Collectors)
RegisteredService(org.apereo.cas.services.RegisteredService)
BaseCasActuatorEndpoint(org.apereo.cas.web.BaseCasActuatorEndpoint)
SPSSODescriptor(org.opensaml.saml.saml2.metadata.SPSSODescriptor)
OpenSamlConfigBean(org.apereo.cas.support.saml.OpenSamlConfigBean)
Parameter(io.swagger.v3.oas.annotations.Parameter)
Slf4j(lombok.extern.slf4j.Slf4j)
AuditableExecution(org.apereo.cas.audit.AuditableExecution)
EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)
NumberUtils(org.apache.commons.lang3.math.NumberUtils)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)
ReadOperation(org.springframework.boot.actuate.endpoint.annotation.ReadOperation)
ReadOperation(org.springframework.boot.actuate.endpoint.annotation.ReadOperation)
DeleteOperation(org.springframework.boot.actuate.endpoint.annotation.DeleteOperation)
Operation(io.swagger.v3.oas.annotations.Operation)
Example 30 with EntityRoleCriterion
use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.
the class SamlRegisteredServiceCachedMetadataEndpoint method invalidate.
/**
* Invalidate.
*
* @param serviceId the service id
*/
@DeleteOperation
@Operation(summary = "Invalidate SAML2 metadata cache using an entity id.", parameters = { @Parameter(name = "serviceId") })
public void invalidate(@Nullable final String serviceId) {
if (StringUtils.isBlank(serviceId)) {
cachingMetadataResolver.invalidate();
} else {
val registeredService = findRegisteredService(serviceId);
val criteriaSet = new CriteriaSet();
criteriaSet.add(new EntityIdCriterion(serviceId));
criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
cachingMetadataResolver.invalidate(registeredService, criteriaSet);
}
}
Also used :
lombok.val(lombok.val)
CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet)
EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)
EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)
DeleteOperation(org.springframework.boot.actuate.endpoint.annotation.DeleteOperation)
ReadOperation(org.springframework.boot.actuate.endpoint.annotation.ReadOperation)
DeleteOperation(org.springframework.boot.actuate.endpoint.annotation.DeleteOperation)
Operation(io.swagger.v3.oas.annotations.Operation)
Aggregations
EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)32
EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)30
CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)28
lombok.val (lombok.val)21
UsageCriterion (org.opensaml.security.criteria.UsageCriterion)9
SamlRegisteredService (org.apereo.cas.support.saml.services.SamlRegisteredService)8
Test (org.junit.jupiter.api.Test)8
ArrayList (java.util.ArrayList)6
SamlException (org.apereo.cas.support.saml.SamlException)4
ProtocolCriterion (org.opensaml.saml.criterion.ProtocolCriterion)4
SAMLSignatureProfileValidator (org.opensaml.saml.security.impl.SAMLSignatureProfileValidator)4
File (java.io.File)3
Slf4j (lombok.extern.slf4j.Slf4j)3
StringUtils (org.apache.commons.lang3.StringUtils)3
SamlIdPMetadataCredentialResolver (org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver)3
SamlIdPSamlRegisteredServiceCriterion (org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion)3
BasicProviderKeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver)3
DEREncodedKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider)3
DSAKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider)3
InlineX509DataProvider (org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider)3
