Example 51 with Assertion
use of org.opensaml.saml.saml1.core.Assertion in project verify-hub by alphagov.
the class CountryAuthnResponseTranslatorResourceTest method assertThatDecryptedAssertionsAreTheSame.
private void assertThatDecryptedAssertionsAreTheSame(InboundResponseFromCountry response, org.opensaml.saml.saml2.core.Response originalResponse) {
AssertionDecrypter hubDecrypter = new AssertionDecrypter(TestCertificateStrings.HUB_TEST_PRIVATE_ENCRYPTION_KEY, TestCertificateStrings.HUB_TEST_PUBLIC_ENCRYPTION_CERT);
List<Assertion> originalAssertions = hubDecrypter.decryptAssertions(originalResponse);
AssertionDecrypter rpDecrypter = new AssertionDecrypter(TestCertificateStrings.TEST_RP_MS_PRIVATE_ENCRYPTION_KEY, TestCertificateStrings.TEST_RP_PUBLIC_ENCRYPTION_CERT);
Assertion returnedAssertion = rpDecrypter.decryptAssertion(response.getEncryptedIdentityAssertionBlob().get());
assertThat(originalAssertions).hasSize(1);
Assertion originalAssertion = originalAssertions.get(0);
assertEquals(returnedAssertion, originalAssertion);
}
Also used :
AssertionDecrypter(uk.gov.ida.integrationtest.hub.samlengine.support.AssertionDecrypter)
Assertion(org.opensaml.saml.saml2.core.Assertion)
Example 52 with Assertion
use of org.opensaml.saml.saml1.core.Assertion in project verify-hub by alphagov.
the class CountryAuthnResponseTranslatorService method translate.
public InboundResponseFromCountry translate(SamlAuthnResponseTranslatorDto samlResponseDto) {
Response response = unmarshall(samlResponseDto);
ValidatedResponse validatedResponse = validateResponse(response);
List<Assertion> assertions = assertionDecrypter.decryptAssertions(validatedResponse);
Optional<Assertion> validatedIdentityAssertion = validateAssertion(validatedResponse, assertions);
return toModel(validatedResponse, validatedIdentityAssertion, samlResponseDto.getMatchingServiceEntityId());
}
Also used :
ValidatedResponse(uk.gov.ida.saml.security.validators.ValidatedResponse)
Response(org.opensaml.saml.saml2.core.Response)
Assertion(org.opensaml.saml.saml2.core.Assertion)
PassthroughAssertion(uk.gov.ida.saml.core.domain.PassthroughAssertion)
ValidatedResponse(uk.gov.ida.saml.security.validators.ValidatedResponse)
Example 53 with Assertion
use of org.opensaml.saml.saml1.core.Assertion in project cxf by apache.
the class SAMLTokenRenewer method validateAssertion.
private void validateAssertion(SamlAssertionWrapper assertion, ReceivedToken tokenToRenew, SecurityToken token, TokenRenewerParameters tokenParameters) throws WSSecurityException {
// Check the cached renewal properties
Map<String, Object> props = token.getProperties();
if (props == null) {
LOG.log(Level.WARNING, "Error in getting properties from cached token");
throw new STSException("Error in getting properties from cached token", STSException.REQUEST_FAILED);
}
String isAllowRenewal = (String) props.get(STSConstants.TOKEN_RENEWING_ALLOW);
String isAllowRenewalAfterExpiry = (String) props.get(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY);
if (isAllowRenewal == null || !Boolean.valueOf(isAllowRenewal)) {
LOG.log(Level.WARNING, "The token is not allowed to be renewed");
throw new STSException("The token is not allowed to be renewed", STSException.REQUEST_FAILED);
}
// Check to see whether the token has expired greater than the configured max expiry time
if (tokenToRenew.getState() == STATE.EXPIRED) {
if (!allowRenewalAfterExpiry || isAllowRenewalAfterExpiry == null || !Boolean.valueOf(isAllowRenewalAfterExpiry)) {
LOG.log(Level.WARNING, "Renewal after expiry is not allowed");
throw new STSException("Renewal after expiry is not allowed", STSException.REQUEST_FAILED);
}
DateTime expiryDate = getExpiryDate(assertion);
DateTime currentDate = new DateTime();
if ((currentDate.getMillis() - expiryDate.getMillis()) > (maxExpiry * 1000L)) {
LOG.log(Level.WARNING, "The token expired too long ago to be renewed");
throw new STSException("The token expired too long ago to be renewed", STSException.REQUEST_FAILED);
}
}
// Verify Proof of Possession
ProofOfPossessionValidator popValidator = new ProofOfPossessionValidator();
if (verifyProofOfPossession) {
STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
Crypto sigCrypto = stsProperties.getSignatureCrypto();
CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
RequestData requestData = new RequestData();
requestData.setSigVerCrypto(sigCrypto);
WSSConfig wssConfig = WSSConfig.getNewInstance();
requestData.setWssConfig(wssConfig);
WSDocInfo docInfo = new WSDocInfo(((Element) tokenToRenew.getToken()).getOwnerDocument());
requestData.setWsDocInfo(docInfo);
// Parse the HOK subject if it exists
assertion.parseSubject(new WSSSAMLKeyInfoProcessor(requestData), sigCrypto, callbackHandler);
SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
if (keyInfo == null) {
keyInfo = new SAMLKeyInfo((byte[]) null);
}
if (!popValidator.checkProofOfPossession(tokenParameters, keyInfo)) {
throw new STSException("Failed to verify the proof of possession of the key associated with the " + "saml token. No matching key found in the request.", STSException.INVALID_REQUEST);
}
}
// Check the AppliesTo address
String appliesToAddress = tokenParameters.getAppliesToAddress();
if (appliesToAddress != null) {
if (assertion.getSaml1() != null) {
List<AudienceRestrictionCondition> restrConditions = assertion.getSaml1().getConditions().getAudienceRestrictionConditions();
if (!matchSaml1AudienceRestriction(appliesToAddress, restrConditions)) {
LOG.log(Level.WARNING, "The AppliesTo address does not match the Audience Restriction");
throw new STSException("The AppliesTo address does not match the Audience Restriction", STSException.INVALID_REQUEST);
}
} else {
List<AudienceRestriction> audienceRestrs = assertion.getSaml2().getConditions().getAudienceRestrictions();
if (!matchSaml2AudienceRestriction(appliesToAddress, audienceRestrs)) {
LOG.log(Level.WARNING, "The AppliesTo address does not match the Audience Restriction");
throw new STSException("The AppliesTo address does not match the Audience Restriction", STSException.INVALID_REQUEST);
}
}
}
}
Also used :
WSDocInfo(org.apache.wss4j.dom.WSDocInfo)
CallbackHandler(javax.security.auth.callback.CallbackHandler)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
DateTime(org.joda.time.DateTime)
Crypto(org.apache.wss4j.common.crypto.Crypto)
AudienceRestriction(org.opensaml.saml.saml2.core.AudienceRestriction)
SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo)
STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean)
WSSConfig(org.apache.wss4j.dom.engine.WSSConfig)
RequestData(org.apache.wss4j.dom.handler.RequestData)
AudienceRestrictionCondition(org.opensaml.saml.saml1.core.AudienceRestrictionCondition)
WSSSAMLKeyInfoProcessor(org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor)
Example 54 with Assertion
use of org.opensaml.saml.saml1.core.Assertion in project cxf by apache.
the class OnBehalfOfValidator method validate.
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
Credential validatedCredential = super.validate(credential, data);
SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
Assertion saml2Assertion = assertion.getSaml2();
if (saml2Assertion == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
if (attributeStatements == null || attributeStatements.isEmpty()) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
Subject subject = saml2Assertion.getSubject();
NameID nameID = subject.getNameID();
String subjectName = nameID.getValue();
if ("alice".equals(subjectName) || "bob".equals(subjectName)) {
return validatedCredential;
}
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
Also used :
Credential(org.apache.wss4j.dom.validate.Credential)
NameID(org.opensaml.saml.saml2.core.NameID)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
Assertion(org.opensaml.saml.saml2.core.Assertion)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Subject(org.opensaml.saml.saml2.core.Subject)
Aggregations
Assertion (org.opensaml.saml.saml2.core.Assertion)33
Test (org.junit.Test)16
Assertion (org.opensaml.saml.saml1.core.Assertion)13
AssertionBuilder.anAssertion (uk.gov.ida.saml.core.test.builders.AssertionBuilder.anAssertion)9
Response (org.opensaml.saml.saml2.core.Response)8
DateTime (org.joda.time.DateTime)6
Assertion (org.opensaml.saml2.core.Assertion)6
Element (org.w3c.dom.Element)6
PassthroughAssertion (uk.gov.ida.saml.core.domain.PassthroughAssertion)6
Subject (org.opensaml.saml.saml2.core.Subject)5
MetricRegistry (com.codahale.metrics.MetricRegistry)4
ZonedDateTime (java.time.ZonedDateTime)4
ArrayList (java.util.ArrayList)4
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)4
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)4
Credential (org.apache.wss4j.dom.validate.Credential)4
Service (org.apereo.cas.authentication.principal.Service)4
RegisteredService (org.apereo.cas.services.RegisteredService)4
WsFederationCredential (org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential)4
XMLObject (org.opensaml.core.xml.XMLObject)4
