Example 81 with Assertion
use of org.opensaml.saml.saml1.core.Assertion in project carbon-apimgt by wso2.
the class SAMLGroupIDExtractorImpl method getGroupingIdentifiers.
public String getGroupingIdentifiers(String loginResponse) {
if (log.isDebugEnabled()) {
log.debug("Login response " + loginResponse);
}
ByteArrayInputStream samlResponseStream = null;
DocumentBuilder docBuilder;
String username = "";
String organization = "";
try {
APIManagerConfiguration config = ServiceReferenceHolder.getInstance().getAPIManagerConfigurationService().getAPIManagerConfiguration();
String claim = config.getFirstProperty(APIConstants.API_STORE_GROUP_EXTRACTOR_CLAIM_URI);
if (StringUtils.isBlank(claim)) {
claim = "http://wso2.org/claims/organization";
}
samlResponseStream = getByteArrayInputStream(loginResponse);
DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
builderFactory.setNamespaceAware(true);
docBuilder = builderFactory.newDocumentBuilder();
Document document = docBuilder.parse(samlResponseStream);
Element element = document.getDocumentElement();
UnmarshallerFactory unmarshallerFactory = XMLObjectProviderRegistrySupport.getUnmarshallerFactory();
Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(element);
Response response = (Response) unmarshaller.unmarshall(element);
List<Assertion> assertions = response.getAssertions();
if (assertions != null && assertions.size() > 0) {
Subject subject = assertions.get(0).getSubject();
if (subject != null) {
if (subject.getNameID() != null) {
username = subject.getNameID().getValue();
}
}
}
RealmService realmService = ServiceReferenceHolder.getInstance().getRealmService();
String tenantDomain = MultitenantUtils.getTenantDomain(username);
int tenantId = ServiceReferenceHolder.getInstance().getRealmService().getTenantManager().getTenantId(tenantDomain);
UserRealm realm = (UserRealm) realmService.getTenantUserRealm(tenantId);
UserStoreManager manager = realm.getUserStoreManager();
organization = manager.getUserClaimValue(MultitenantUtils.getTenantAwareUsername(username), claim, null);
if (log.isDebugEnabled()) {
log.debug("User organization " + organization);
}
if (organization != null) {
organization = tenantDomain + "/" + organization.trim();
}
} catch (ParserConfigurationException e) {
String msg = "Error while parsing SAML Assertion";
log.error(msg, e);
} catch (UnmarshallingException e) {
String msg = "Error while unmarshalling the SAML Assertion";
log.error(msg, e);
} catch (SAXException e) {
String msg = "Parsing exception occur while unmarshalling the SAML Assertion";
log.error(msg, e);
} catch (IOException e) {
String msg = "IO exception happen while unmarshalling the SAML Assertion";
log.error(msg, e);
} catch (UserStoreException e) {
log.error("User store exception occurred for user" + username, e);
} catch (org.wso2.carbon.user.api.UserStoreException e) {
log.error("Error while checking user existence for " + username, e);
} finally {
if (samlResponseStream != null) {
try {
samlResponseStream.close();
} catch (IOException e) {
// Ignore
log.error("ERROR_CLOSING_STREAM");
}
}
}
return organization;
}
Also used :
DocumentBuilderFactory(javax.xml.parsers.DocumentBuilderFactory)
Element(org.w3c.dom.Element)
XSString(org.opensaml.core.xml.schema.XSString)
Document(org.w3c.dom.Document)
SAXException(org.xml.sax.SAXException)
UserRealm(org.wso2.carbon.user.core.UserRealm)
UserStoreException(org.wso2.carbon.user.core.UserStoreException)
ParserConfigurationException(javax.xml.parsers.ParserConfigurationException)
Unmarshaller(org.opensaml.core.xml.io.Unmarshaller)
UnmarshallingException(org.opensaml.core.xml.io.UnmarshallingException)
Assertion(org.opensaml.saml.saml2.core.Assertion)
UnmarshallerFactory(org.opensaml.core.xml.io.UnmarshallerFactory)
UserStoreManager(org.wso2.carbon.user.core.UserStoreManager)
IOException(java.io.IOException)
Subject(org.opensaml.saml.saml2.core.Subject)
Response(org.opensaml.saml.saml2.core.Response)
ByteArrayInputStream(java.io.ByteArrayInputStream)
DocumentBuilder(javax.xml.parsers.DocumentBuilder)
RealmService(org.wso2.carbon.user.core.service.RealmService)
Example 82 with Assertion
use of org.opensaml.saml.saml1.core.Assertion in project carbon-apimgt by wso2.
the class SAMLGroupIDExtractorImplTest method getGroupingIdentifierListTestCase.
@Test
public void getGroupingIdentifierListTestCase() throws ParserConfigurationException, IOException, SAXException, UnmarshallingException, UserStoreException {
String claim = "http://wso2.org/claims/organization";
String organizationValue = "organization";
SAMLGroupIDExtractorImpl samlGroupIDExtractor = new SAMLGroupIDExtractorImplWrapper();
Mockito.when(DocumentBuilderFactory.newInstance()).thenReturn(documentBuilderFactory);
Mockito.when(documentBuilderFactory.newDocumentBuilder()).thenReturn(documentBuilder);
Mockito.when(documentBuilder.parse(samlGroupIDExtractor.getByteArrayInputStream("test"))).thenReturn(document);
Mockito.when(document.getDocumentElement()).thenReturn(element);
ServiceReferenceHolder serviceReferenceHolder = Mockito.mock(ServiceReferenceHolder.class);
PowerMockito.mockStatic(ServiceReferenceHolder.class);
PowerMockito.mockStatic(XMLObjectProviderRegistrySupport.class);
Response response = Mockito.mock(Response.class);
List<Assertion> assertion = new ArrayList();
Subject subject = Mockito.mock(Subject.class);
NameID nameID = Mockito.mock(NameID.class);
Assertion assertion1 = Mockito.mock(Assertion.class);
assertion.add(assertion1);
Mockito.when(XMLObjectProviderRegistrySupport.getUnmarshallerFactory()).thenReturn(unmarshallerFactory);
Mockito.when(unmarshallerFactory.getUnmarshaller(element)).thenReturn(unmarshaller);
Mockito.when(unmarshaller.unmarshall(element)).thenReturn(response);
Mockito.when(response.getAssertions()).thenReturn(assertion);
Mockito.when(assertion.get(0).getSubject()).thenReturn(subject);
Mockito.when(subject.getNameID()).thenReturn(nameID);
Mockito.when(nameID.getValue()).thenReturn("user");
System.setProperty(APIConstants.READ_ORGANIZATION_FROM_SAML_ASSERTION, "true");
APIManagerConfigurationService apiManagerConfigService = Mockito.mock(APIManagerConfigurationService.class);
Mockito.when(ServiceReferenceHolder.getInstance()).thenReturn(serviceReferenceHolder);
Mockito.when(serviceReferenceHolder.getAPIManagerConfigurationService()).thenReturn(apiManagerConfigService);
APIManagerConfiguration apiManagerConfig = Mockito.mock(APIManagerConfiguration.class);
Mockito.when(apiManagerConfigService.getAPIManagerConfiguration()).thenReturn(apiManagerConfig);
Mockito.when(apiManagerConfig.getFirstProperty(APIConstants.API_STORE_GROUP_EXTRACTOR_CLAIM_URI)).thenReturn("http://wso2.org/claims/organization");
System.setProperty("carbon.home", "");
PrivilegedCarbonContext carbonContext;
carbonContext = Mockito.mock(PrivilegedCarbonContext.class);
PowerMockito.mockStatic(PrivilegedCarbonContext.class);
PowerMockito.when(PrivilegedCarbonContext.getThreadLocalCarbonContext()).thenReturn(carbonContext);
PowerMockito.when(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()).thenReturn(-1234);
PowerMockito.doNothing().when(carbonContext).setTenantDomain("carbon.super", true);
AttributeStatement mockAttributeStatement = PowerMockito.mock(AttributeStatement.class);
List<AttributeStatement> attributeStatementList = Collections.singletonList(mockAttributeStatement);
PowerMockito.when(assertion1.getAttributeStatements()).thenReturn(attributeStatementList);
Attribute mockAttribute = PowerMockito.mock(Attribute.class);
List<Attribute> attributesList = Collections.singletonList(mockAttribute);
PowerMockito.when(mockAttributeStatement.getAttributes()).thenReturn(attributesList);
XMLObject rawAttribute = PowerMockito.mock(XMLObject.class);
PowerMockito.when(rawAttribute.toString()).thenReturn(organizationValue);
List<XMLObject> mockedAttributeValues = Collections.singletonList(rawAttribute);
AttributedStringImpl mockedAttributedStringImpl = new AttributedStringImpl("nameSpaceURI", "elementLocalName", "namespacePrefix");
String sampleAttrValue = "MockedAuthParamSampleAttribute";
mockedAttributedStringImpl.setValue(sampleAttrValue);
List<XMLObject> mockedXSSAttributeValues = Collections.singletonList((XMLObject) mockedAttributedStringImpl);
XSAnyImpl mockedXSAnyImpl = Mockito.mock(XSAnyImpl.class);
PowerMockito.when(mockedXSAnyImpl.getTextContent()).thenReturn(sampleAttrValue);
List<XMLObject> mockedXSAnyImplAttributeValues = Collections.singletonList((XMLObject) mockedXSAnyImpl);
List<XMLObject> multiMockedAttributeValues = Arrays.asList(rawAttribute, PowerMockito.mock(XMLObject.class));
AuthenticatorsConfiguration.AuthenticatorConfig mockedAuthenticatorConfig = Mockito.mock(AuthenticatorsConfiguration.AuthenticatorConfig.class);
PowerMockito.when(mockAttribute.getAttributeValues()).thenReturn(mockedAttributeValues, multiMockedAttributeValues, mockedXSSAttributeValues, mockedXSAnyImplAttributeValues);
PowerMockito.mockStatic(AuthenticatorsConfiguration.class);
AuthenticatorsConfiguration mockedAuthenticatorsConfiguration = PowerMockito.mock(AuthenticatorsConfiguration.class);
PowerMockito.when(AuthenticatorsConfiguration.getInstance()).thenReturn(mockedAuthenticatorsConfiguration);
Map<String, String> mockedConfigParameters = new HashMap<String, String>();
mockedConfigParameters.put(APIConstants.ORGANIZATION_CLAIM_ATTRIBUTE, claim);
PowerMockito.when(mockedAuthenticatorConfig.getParameters()).thenReturn(mockedConfigParameters);
PowerMockito.when(mockedAuthenticatorsConfiguration.getAuthenticatorConfig(APIConstants.SAML2_SSO_AUTHENTICATOR_NAME)).thenReturn(mockedAuthenticatorConfig);
PowerMockito.when(mockAttribute.getName()).thenReturn(claim);
String[] organizations = samlGroupIDExtractor.getGroupingIdentifierList("test");
Assert.assertEquals(organizationValue, organizations[0]);
}
Also used :
ServiceReferenceHolder(org.wso2.carbon.apimgt.impl.internal.ServiceReferenceHolder)
Attribute(org.opensaml.saml.saml2.core.Attribute)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
XSAnyImpl(org.opensaml.core.xml.schema.impl.XSAnyImpl)
AttributedStringImpl(org.opensaml.soap.wssecurity.impl.AttributedStringImpl)
NameID(org.opensaml.saml.saml2.core.NameID)
AuthenticatorsConfiguration(org.wso2.carbon.core.security.AuthenticatorsConfiguration)
Assertion(org.opensaml.saml.saml2.core.Assertion)
XMLObject(org.opensaml.core.xml.XMLObject)
PrivilegedCarbonContext(org.wso2.carbon.context.PrivilegedCarbonContext)
Subject(org.opensaml.saml.saml2.core.Subject)
Response(org.opensaml.saml.saml2.core.Response)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest)
Test(org.junit.Test)
Example 83 with Assertion
use of org.opensaml.saml.saml1.core.Assertion in project carbon-apimgt by wso2.
the class SystemScopesIssuer method getScopes.
/**
* This method is used to retrieve the authorized scopes with respect to a token.
*
* @param tokReqMsgCtx token message context
* @return authorized scopes list
*/
public List<String> getScopes(OAuthTokenReqMessageContext tokReqMsgCtx) {
List<String> authorizedScopes = null;
List<String> requestedScopes = new ArrayList<>(Arrays.asList(tokReqMsgCtx.getScope()));
String clientId = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getClientId();
AuthenticatedUser authenticatedUser = tokReqMsgCtx.getAuthorizedUser();
Map<String, String> appScopes = getAppScopes(clientId, authenticatedUser, requestedScopes);
if (appScopes != null) {
// If no scopes can be found in the context of the application
if (isAppScopesEmpty(appScopes, clientId)) {
return getAllowedScopes(requestedScopes);
}
String grantType = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getGrantType();
String[] userRoles = null;
// If GrantType is SAML20_BEARER and CHECK_ROLES_FROM_SAML_ASSERTION is true, or if GrantType is
// JWT_BEARER and retrieveRolesFromUserStoreForScopeValidation system property is true,
// use user roles from assertion or jwt otherwise use roles from userstore.
String isSAML2Enabled = System.getProperty(APIConstants.SystemScopeConstants.CHECK_ROLES_FROM_SAML_ASSERTION);
String isRetrieveRolesFromUserStoreForScopeValidation = System.getProperty(APIConstants.SystemScopeConstants.RETRIEVE_ROLES_FROM_USERSTORE_FOR_SCOPE_VALIDATION);
if (GrantType.SAML20_BEARER.toString().equals(grantType) && Boolean.parseBoolean(isSAML2Enabled)) {
authenticatedUser.setUserStoreDomain("FEDERATED");
tokReqMsgCtx.setAuthorizedUser(authenticatedUser);
Assertion assertion = (Assertion) tokReqMsgCtx.getProperty(APIConstants.SystemScopeConstants.SAML2_ASSERTION);
userRoles = getRolesFromAssertion(assertion);
} else if (APIConstants.SystemScopeConstants.OAUTH_JWT_BEARER_GRANT_TYPE.equals(grantType) && !(Boolean.parseBoolean(isRetrieveRolesFromUserStoreForScopeValidation))) {
configureForJWTGrant(tokReqMsgCtx);
Map<ClaimMapping, String> userAttributes = authenticatedUser.getUserAttributes();
if (tokReqMsgCtx.getProperty(APIConstants.SystemScopeConstants.ROLE_CLAIM) != null) {
userRoles = getRolesFromUserAttribute(userAttributes, tokReqMsgCtx.getProperty(APIConstants.SystemScopeConstants.ROLE_CLAIM).toString());
}
} else {
userRoles = getUserRoles(authenticatedUser);
}
authorizedScopes = getAuthorizedScopes(userRoles, requestedScopes, appScopes);
}
return authorizedScopes;
}
Also used :
Assertion(org.opensaml.saml.saml2.core.Assertion)
AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)
Example 84 with Assertion
use of org.opensaml.saml.saml1.core.Assertion in project cxf by apache.
the class ActAsValidator method validate.
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
Credential validatedCredential = super.validate(credential, data);
SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
Assertion saml2Assertion = assertion.getSaml2();
if (saml2Assertion == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
// The technical user should be in the Subject
Subject subject = saml2Assertion.getSubject();
if (subject == null || subject.getNameID() == null || !subject.getNameID().getValue().contains("www.client.com")) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
if (attributeStatements == null || attributeStatements.isEmpty()) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
for (AttributeStatement statement : attributeStatements) {
List<Attribute> attributes = statement.getAttributes();
for (Attribute attribute : attributes) {
if (!"CustomActAs".equals(attribute.getName()) && !"ActAs".equals(attribute.getName())) {
continue;
}
for (XMLObject attributeValue : attribute.getAttributeValues()) {
Element attributeValueElement = attributeValue.getDOM();
String text = attributeValueElement.getTextContent();
if (text.contains("alice") || text.contains("bob")) {
return validatedCredential;
}
}
}
}
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}
Also used :
Credential(org.apache.wss4j.dom.validate.Credential)
Attribute(org.opensaml.saml.saml2.core.Attribute)
AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement)
Element(org.w3c.dom.Element)
Assertion(org.opensaml.saml.saml2.core.Assertion)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
XMLObject(org.opensaml.core.xml.XMLObject)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Subject(org.opensaml.saml.saml2.core.Subject)
Example 85 with Assertion
use of org.opensaml.saml.saml1.core.Assertion in project cxf by apache.
the class DifferentRealmValidator method validate.
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
Credential validatedCredential = super.validate(credential, data);
SamlAssertionWrapper transformedToken = validatedCredential.getTransformedToken();
if (transformedToken == null || transformedToken.getSaml2() == null || !"B-Issuer".equals(transformedToken.getIssuerString())) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
}
Assertion assertion = transformedToken.getSaml2();
if (!"B-Principal".equals(assertion.getSubject().getNameID().getValue())) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
}
return validatedCredential;
}
Also used :
Credential(org.apache.wss4j.dom.validate.Credential)
Assertion(org.opensaml.saml.saml2.core.Assertion)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Aggregations
Assertion (org.opensaml.saml.saml2.core.Assertion)175
Test (org.junit.jupiter.api.Test)118
Response (org.opensaml.saml.saml2.core.Response)62
AssertionBuilder.anAssertion (uk.gov.ida.saml.core.test.builders.AssertionBuilder.anAssertion)61
EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)58
AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement)43
Attribute (org.opensaml.saml.saml2.core.Attribute)25
DateTime (org.joda.time.DateTime)23
Element (org.w3c.dom.Element)22
NameID (org.opensaml.saml.saml2.core.NameID)20
XMLObject (org.opensaml.core.xml.XMLObject)19
PassthroughAssertion (uk.gov.ida.saml.core.domain.PassthroughAssertion)17
ValidatedResponse (uk.gov.ida.saml.security.validators.ValidatedResponse)15
Authentication (org.springframework.security.core.Authentication)14
SubjectConfirmation (org.opensaml.saml.saml2.core.SubjectConfirmation)13
Test (org.junit.Test)12
AuthnStatement (org.opensaml.saml.saml2.core.AuthnStatement)12
Conditions (org.opensaml.saml.saml2.core.Conditions)12
NameIDBuilder (org.opensaml.saml.saml2.core.impl.NameIDBuilder)11
Saml2ResponseValidatorResult (org.springframework.security.saml2.core.Saml2ResponseValidatorResult)11
