Search in sources :

Example 26 with EntityRoleCriterion

use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.

the class InMemoryResourceMetadataResolverTests method verifyValidMetadataResource.

@Test
public void verifyValidMetadataResource() throws Exception {
    val resolver = new InMemoryResourceMetadataResolver(new ClassPathResource("metadata/metadata-valid.xml"), configBean);
    resolver.setId(UUID.randomUUID().toString());
    resolver.initialize();
    val criteriaSet = new CriteriaSet();
    criteriaSet.add(new EntityIdCriterion("urn:app.e2ma.net"));
    criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
    val resolved = resolver.resolve(criteriaSet);
    assertFalse(Iterables.isEmpty(resolved));
}
Also used : lombok.val(lombok.val) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) ClassPathResource(org.springframework.core.io.ClassPathResource) Test(org.junit.jupiter.api.Test) SpringBootTest(org.springframework.boot.test.context.SpringBootTest)

Example 27 with EntityRoleCriterion

use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.

the class WsFederationHelper method validateSignature.

/**
 * validateSignature checks to see if the signature on an assertion is valid.
 *
 * @param resultPair a provided assertion
 * @return true if the assertion's signature is valid, otherwise false
 */
public boolean validateSignature(final Pair<Assertion, WsFederationConfiguration> resultPair) {
    if (resultPair == null) {
        LOGGER.warn("No assertion or its configuration was provided to validate signatures");
        return false;
    }
    val configuration = resultPair.getValue();
    val assertion = resultPair.getKey();
    if (assertion == null || configuration == null) {
        LOGGER.warn("No signature or configuration was provided to validate signatures");
        return false;
    }
    val signature = assertion.getSignature();
    if (signature == null) {
        LOGGER.warn("No signature is attached to the assertion to validate");
        return false;
    }
    try {
        LOGGER.debug("Validating the signature...");
        val validator = new SAMLSignatureProfileValidator();
        validator.validate(signature);
        val criteriaSet = new CriteriaSet();
        criteriaSet.add(new UsageCriterion(UsageType.SIGNING));
        criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
        criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
        criteriaSet.add(new EntityIdCriterion(configuration.getIdentityProviderIdentifier()));
        val engine = buildSignatureTrustEngine(configuration);
        LOGGER.debug("Validating signature via trust engine for [{}]", configuration.getIdentityProviderIdentifier());
        return engine.validate(signature, criteriaSet);
    } catch (final Exception e) {
        LoggingUtils.error(LOGGER, "Failed to validate assertion signature", e);
    }
    SamlUtils.logSamlObject(this.openSamlConfigBean, assertion);
    LOGGER.error("Signature doesn't match any signing credential and cannot be validated.");
    return false;
}
Also used : lombok.val(lombok.val) UsageCriterion(org.opensaml.security.criteria.UsageCriterion) ProtocolCriterion(org.opensaml.saml.criterion.ProtocolCriterion) SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion)

Example 28 with EntityRoleCriterion

use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.

the class SamlRegisteredServiceMetadataExpirationPolicy method getCacheDurationForServiceProvider.

/**
 * Gets cache duration for service provider.
 *
 * @param service                  the service
 * @param chainingMetadataResolver the chaining metadata resolver
 * @return the cache duration for service provider
 */
protected long getCacheDurationForServiceProvider(final SamlRegisteredService service, final MetadataResolver chainingMetadataResolver) {
    try {
        if (StringUtils.isBlank(service.getServiceId())) {
            LOGGER.warn("Unable to determine duration for SAML service [{}] with no entity id", service.getName());
            return -1;
        }
        val set = new CriteriaSet();
        set.add(new EntityIdCriterion(service.getServiceId()));
        set.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        val entitySp = chainingMetadataResolver.resolveSingle(set);
        if (entitySp != null && entitySp.getCacheDuration() != null) {
            LOGGER.debug("Located cache duration [{}] specified in SP metadata for [{}]", entitySp.getCacheDuration(), entitySp.getEntityID());
            return TimeUnit.MILLISECONDS.toNanos(entitySp.getCacheDuration().toMillis());
        }
        set.clear();
        set.add(new EntityIdCriterion(service.getServiceId()));
        val entity = chainingMetadataResolver.resolveSingle(set);
        if (entity != null && entity.getCacheDuration() != null) {
            LOGGER.debug("Located cache duration [{}] specified in entity metadata for [{}]", entity.getCacheDuration(), entity.getEntityID());
            return TimeUnit.MILLISECONDS.toNanos(entity.getCacheDuration().toMillis());
        }
    } catch (final Exception e) {
        LOGGER.debug(e.getMessage(), e);
    }
    return -1;
}
Also used : lombok.val(lombok.val) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion)

Example 29 with EntityRoleCriterion

use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.

the class SamlRegisteredServiceCachedMetadataEndpoint method getCachedMetadataObject.

/**
 * Gets cached metadata object.
 *
 * @param serviceId the service id
 * @param entityId  the entity id
 * @return the cached metadata object
 */
@ReadOperation
@Operation(summary = "Get SAML2 cached metadata", parameters = { @Parameter(name = "serviceId", required = true), @Parameter(name = "entityId") })
public Map<String, Object> getCachedMetadataObject(final String serviceId, @Nullable final String entityId) {
    try {
        val registeredService = findRegisteredService(serviceId);
        val issuer = StringUtils.defaultIfBlank(entityId, registeredService.getServiceId());
        val criteriaSet = new CriteriaSet();
        criteriaSet.add(new EntityIdCriterion(issuer));
        criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        val metadataResolver = cachingMetadataResolver.resolve(registeredService, criteriaSet);
        val iteration = metadataResolver.resolve(criteriaSet).spliterator();
        return StreamSupport.stream(iteration, false).map(entity -> Pair.of(entity.getEntityID(), SamlUtils.transformSamlObject(openSamlConfigBean, entity).toString())).collect(Collectors.toMap(Pair::getLeft, Pair::getRight));
    } catch (final Exception e) {
        LoggingUtils.error(LOGGER, e);
        return CollectionUtils.wrap("error", e.getMessage());
    }
}
Also used : lombok.val(lombok.val) CasConfigurationProperties(org.apereo.cas.configuration.CasConfigurationProperties) ReadOperation(org.springframework.boot.actuate.endpoint.annotation.ReadOperation) SamlRegisteredServiceCachingMetadataResolver(org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceCachingMetadataResolver) StringUtils(org.apache.commons.lang3.StringUtils) DeleteOperation(org.springframework.boot.actuate.endpoint.annotation.DeleteOperation) SamlUtils(org.apereo.cas.support.saml.SamlUtils) LoggingUtils(org.apereo.cas.util.LoggingUtils) Operation(io.swagger.v3.oas.annotations.Operation) SamlRegisteredService(org.apereo.cas.support.saml.services.SamlRegisteredService) Pair(org.apache.commons.lang3.tuple.Pair) Map(java.util.Map) CollectionUtils(org.apereo.cas.util.CollectionUtils) Nullable(org.springframework.lang.Nullable) StreamSupport(java.util.stream.StreamSupport) ServicesManager(org.apereo.cas.services.ServicesManager) AuditableContext(org.apereo.cas.audit.AuditableContext) Endpoint(org.springframework.boot.actuate.endpoint.annotation.Endpoint) Collection(java.util.Collection) lombok.val(lombok.val) Collectors(java.util.stream.Collectors) RegisteredService(org.apereo.cas.services.RegisteredService) BaseCasActuatorEndpoint(org.apereo.cas.web.BaseCasActuatorEndpoint) SPSSODescriptor(org.opensaml.saml.saml2.metadata.SPSSODescriptor) OpenSamlConfigBean(org.apereo.cas.support.saml.OpenSamlConfigBean) Parameter(io.swagger.v3.oas.annotations.Parameter) Slf4j(lombok.extern.slf4j.Slf4j) AuditableExecution(org.apereo.cas.audit.AuditableExecution) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) NumberUtils(org.apache.commons.lang3.math.NumberUtils) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) ReadOperation(org.springframework.boot.actuate.endpoint.annotation.ReadOperation) ReadOperation(org.springframework.boot.actuate.endpoint.annotation.ReadOperation) DeleteOperation(org.springframework.boot.actuate.endpoint.annotation.DeleteOperation) Operation(io.swagger.v3.oas.annotations.Operation)

Example 30 with EntityRoleCriterion

use of org.opensaml.saml.criterion.EntityRoleCriterion in project cas by apereo.

the class SamlRegisteredServiceCachedMetadataEndpoint method invalidate.

/**
 * Invalidate.
 *
 * @param serviceId the service id
 */
@DeleteOperation
@Operation(summary = "Invalidate SAML2 metadata cache using an entity id.", parameters = { @Parameter(name = "serviceId") })
public void invalidate(@Nullable final String serviceId) {
    if (StringUtils.isBlank(serviceId)) {
        cachingMetadataResolver.invalidate();
    } else {
        val registeredService = findRegisteredService(serviceId);
        val criteriaSet = new CriteriaSet();
        criteriaSet.add(new EntityIdCriterion(serviceId));
        criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME));
        cachingMetadataResolver.invalidate(registeredService, criteriaSet);
    }
}
Also used : lombok.val(lombok.val) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) DeleteOperation(org.springframework.boot.actuate.endpoint.annotation.DeleteOperation) ReadOperation(org.springframework.boot.actuate.endpoint.annotation.ReadOperation) DeleteOperation(org.springframework.boot.actuate.endpoint.annotation.DeleteOperation) Operation(io.swagger.v3.oas.annotations.Operation)

Aggregations

EntityRoleCriterion (org.opensaml.saml.criterion.EntityRoleCriterion)32 EntityIdCriterion (org.opensaml.core.criterion.EntityIdCriterion)30 CriteriaSet (net.shibboleth.utilities.java.support.resolver.CriteriaSet)28 lombok.val (lombok.val)21 UsageCriterion (org.opensaml.security.criteria.UsageCriterion)9 SamlRegisteredService (org.apereo.cas.support.saml.services.SamlRegisteredService)8 Test (org.junit.jupiter.api.Test)8 ArrayList (java.util.ArrayList)6 SamlException (org.apereo.cas.support.saml.SamlException)4 ProtocolCriterion (org.opensaml.saml.criterion.ProtocolCriterion)4 SAMLSignatureProfileValidator (org.opensaml.saml.security.impl.SAMLSignatureProfileValidator)4 File (java.io.File)3 Slf4j (lombok.extern.slf4j.Slf4j)3 StringUtils (org.apache.commons.lang3.StringUtils)3 SamlIdPMetadataCredentialResolver (org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataCredentialResolver)3 SamlIdPSamlRegisteredServiceCriterion (org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion)3 BasicProviderKeyInfoCredentialResolver (org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver)3 DEREncodedKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.DEREncodedKeyValueProvider)3 DSAKeyValueProvider (org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider)3 InlineX509DataProvider (org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider)3