
Example 26 with Attribute

use of org.opensaml.saml.saml1.core.Attribute in project verify-hub by alphagov.

In class EidasAttributeStatementAssertionValidator, method validateAttributes:

/**
 * Validates the attribute statement carried by an eIDAS assertion.
 * <p>
 * Exactly one {@code AttributeStatement} holding at least one attribute must be present, every
 * mandatory attribute (the keys of {@code MANDATORY_ATTRIBUTES}) must appear, and each attribute
 * must have a recognised name, at least one value, and a first value whose schema type matches
 * {@code VALID_TYPE_FOR_ATTRIBUTE}. An unexpected attribute name format is only logged as a warning.
 *
 * @param assertion the SAML 2 assertion whose attribute statements are checked
 * @throws SamlTransformationErrorException on the first rule that is violated
 */
private void validateAttributes(Assertion assertion) {
    final List<AttributeStatement> statements = assertion.getAttributeStatements();
    if (statements.isEmpty()) {
        throw toException(SamlTransformationErrorFactory.mdsStatementMissing());
    }
    if (statements.size() > 1) {
        throw toException(SamlTransformationErrorFactory.mdsMultipleStatements());
    }

    final List<Attribute> attributes = statements.get(0).getAttributes();
    if (attributes.isEmpty()) {
        throw toException(attributeStatementEmpty(assertion.getID()));
    }

    final Set<String> presentNames = attributes.stream()
            .map(Attribute::getName)
            .collect(Collectors.toSet());
    if (!presentNames.containsAll(MANDATORY_ATTRIBUTES.keySet())) {
        // Expected list comes from our own constants; the received list echoes friendly names
        // supplied in the assertion, so the message contains remote-controlled text.
        final String expected = MANDATORY_ATTRIBUTES.values().stream().collect(Collectors.joining(","));
        final String received = attributes.stream().map(Attribute::getFriendlyName).collect(Collectors.joining(","));
        throw new SamlTransformationErrorException(
                String.format("Mandatory attributes not provided. Expected %s but got %s", expected, received),
                Level.ERROR);
    }

    for (Attribute attribute : attributes) {
        validateSingleAttribute(attribute);
    }
}

/**
 * Applies the per-attribute rules: recognised name, non-empty value list, expected schema type
 * on the first value, and a warning (not a failure) for an unexpected name format.
 *
 * @param attribute one attribute of the single attribute statement
 * @throws SamlTransformationErrorException if the name, value list or schema type is invalid
 */
private void validateSingleAttribute(Attribute attribute) {
    final String name = attribute.getName();
    if (!VALID_EIDAS_ATTRIBUTE_NAMES.contains(name)) {
        throw toException(SamlTransformationErrorFactory.mdsAttributeNotRecognised(name));
    }
    if (attribute.getAttributeValues().isEmpty()) {
        throw toException(SamlTransformationErrorFactory.emptyAttribute(name));
    }

    // Only the first value's schema type is inspected; further values are not type-checked here.
    final QName actualType = attribute.getAttributeValues().get(0).getSchemaType();
    // NOTE(review): a name present in VALID_EIDAS_ATTRIBUTE_NAMES but absent from
    // VALID_TYPE_FOR_ATTRIBUTE would NPE on the lookup below — confirm both constants cover the same set.
    if (!VALID_TYPE_FOR_ATTRIBUTE.get(name).equals(actualType)) {
        throw toException(SamlTransformationErrorFactory.attributeWithIncorrectType(
                name, VALID_TYPE_FOR_ATTRIBUTE.get(name), actualType));
    }

    if (!VALID_ATTRIBUTE_NAME_FORMATS.contains(attribute.getNameFormat())) {
        SamlTransformationErrorManager.warn(invalidAttributeNameFormat(attribute.getNameFormat()));
    }
}

/**
 * Wraps a specification failure in the exception type thrown to callers, carrying its
 * message and log level unchanged.
 */
private static SamlTransformationErrorException toException(SamlValidationSpecificationFailure failure) {
    return new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
}
Also used : SamlValidationSpecificationFailure(uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure) Attribute(org.opensaml.saml.saml2.core.Attribute) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) SamlTransformationErrorException(uk.gov.ida.saml.core.validation.SamlTransformationErrorException) QName(javax.xml.namespace.QName)

Example 27 with Attribute

use of org.opensaml.saml.saml1.core.Attribute in project verify-hub by alphagov.

In class VerifiedAttributesLoggerTest, method shouldLogDateOfBirthHistory:

/**
 * A date-of-birth attribute carrying a verified value that expired yesterday followed by the
 * current (open-ended) value is logged as a verified "less than 180 days" entry followed by an
 * unverified entry with no age bucket.
 */
@Test
public void shouldLogDateOfBirthHistory() throws Exception {
    AttributeValue expiredYesterday = new DateAttributeValueBuilder()
            .withTo(DateTime.now().minusDays(1))
            .withVerified(true)
            .build();
    AttributeValue current = new DateAttributeValueBuilder().withTo(null).build();

    Attribute dateOfBirth = new AttributeBuilder().buildObject();
    dateOfBirth.setName(IdaConstants.Attributes_1_1.DateOfBirth.NAME);
    dateOfBirth.getAttributeValues().add(expiredYesterday);
    dateOfBirth.getAttributeValues().add(current);

    List<Attribute> attributes = aMatchingDatasetAttributeStatement_1_1()
            .withDateOfBirth(dateOfBirth)
            .build()
            .getAttributes();
    // Round-trip through the formatter and the JSON mapper to check what actually gets logged.
    AttributeStatementLogData logged = mapper.readValue(
            formatAttributes("any-issuer", LEVEL_2, attributes), AttributeStatementLogData.class);

    List<VerifiedAttributeLogData> history =
            logged.getAttributes().get(IdaConstants.Attributes_1_1.DateOfBirth.NAME);
    assertThat(history).isEqualTo(ImmutableList.of(
            new VerifiedAttributeLogData(true, "less than 180 days"),
            new VerifiedAttributeLogData(false, null)));
}
Also used : AttributeBuilder(org.opensaml.saml.saml2.core.impl.AttributeBuilder) AttributeValue(org.opensaml.saml.saml2.core.AttributeValue) Attribute(org.opensaml.saml.saml2.core.Attribute) AttributeStatementLogData(uk.gov.ida.hub.samlengine.logging.data.AttributeStatementLogData) List(java.util.List) ImmutableList(com.google.common.collect.ImmutableList) DateAttributeValueBuilder(uk.gov.ida.saml.core.test.builders.DateAttributeValueBuilder) VerifiedAttributeLogData(uk.gov.ida.hub.samlengine.logging.data.VerifiedAttributeLogData) Test(org.junit.Test)

Example 28 with Attribute

use of org.opensaml.saml.saml1.core.Attribute in project verify-hub by alphagov.

In class VerifiedAttributesLoggerTest, method shouldLogPreviousAddressHistory:

/**
 * An unverified previous-address value that ended a year ago is logged as a single unverified
 * "more than 180 days" entry under the previous-address attribute name.
 */
@Test
public void shouldLogPreviousAddressHistory() throws Exception {
    Attribute previousAddress = new AttributeBuilder().buildObject();
    previousAddress.setName(IdaConstants.Attributes_1_1.PreviousAddress.NAME);
    previousAddress.getAttributeValues().add(new AddressAttributeValueBuilder_1_1()
            .withFrom(DateTime.now().minusYears(10))
            .withTo(DateTime.now().minusYears(1))
            .withVerified(false)
            .build());

    List<Attribute> attributes = aMatchingDatasetAttributeStatement_1_1()
            .addPreviousAddress(previousAddress)
            .build()
            .getAttributes();
    // Round-trip through the formatter and the JSON mapper to check what actually gets logged.
    AttributeStatementLogData logged = mapper.readValue(
            formatAttributes("any-issuer", LEVEL_2, attributes), AttributeStatementLogData.class);

    List<VerifiedAttributeLogData> history =
            logged.getAttributes().get(IdaConstants.Attributes_1_1.PreviousAddress.NAME);
    assertThat(history).isEqualTo(ImmutableList.of(
            new VerifiedAttributeLogData(false, "more than 180 days")));
}
Also used : AttributeValue(org.opensaml.saml.saml2.core.AttributeValue) AddressAttributeValueBuilder_1_1(uk.gov.ida.saml.core.test.builders.AddressAttributeValueBuilder_1_1) AttributeBuilder(org.opensaml.saml.saml2.core.impl.AttributeBuilder) Attribute(org.opensaml.saml.saml2.core.Attribute) AttributeStatementLogData(uk.gov.ida.hub.samlengine.logging.data.AttributeStatementLogData) List(java.util.List) ImmutableList(com.google.common.collect.ImmutableList) VerifiedAttributeLogData(uk.gov.ida.hub.samlengine.logging.data.VerifiedAttributeLogData) Test(org.junit.Test)

Example 29 with Attribute

use of org.opensaml.saml.saml1.core.Attribute in project verify-hub by alphagov.

In class VerifiedAttributesLoggerTest, method shouldLogFirstNameHistory:

/**
 * A first-name attribute whose verified value ended 181 days ago, followed by the current value
 * starting today, is logged as a verified "more than 180 days" entry followed by an unverified
 * entry with no age bucket.
 */
@Test
public void shouldLogFirstNameHistory() throws Exception {
    Attribute firstName = new AttributeBuilder().buildObject();
    firstName.setName(IdaConstants.Attributes_1_1.Firstname.NAME);
    // 181 days sits just past the 180-day boundary the logger buckets on.
    firstName.getAttributeValues().add(new PersonNameAttributeValueBuilder()
            .withTo(DateTime.now().minusDays(181))
            .withVerified(true)
            .build());
    firstName.getAttributeValues().add(new PersonNameAttributeValueBuilder()
            .withFrom(DateTime.now())
            .withTo(null)
            .build());

    List<Attribute> attributes = aMatchingDatasetAttributeStatement_1_1()
            .withFirstname(firstName)
            .build()
            .getAttributes();
    // Round-trip through the formatter and the JSON mapper to check what actually gets logged.
    AttributeStatementLogData logged = mapper.readValue(
            formatAttributes("any-issuer", LEVEL_2, attributes), AttributeStatementLogData.class);

    List<VerifiedAttributeLogData> history =
            logged.getAttributes().get(IdaConstants.Attributes_1_1.Firstname.NAME);
    assertThat(history).isEqualTo(ImmutableList.of(
            new VerifiedAttributeLogData(true, "more than 180 days"),
            new VerifiedAttributeLogData(false, null)));
}
Also used : AttributeValue(org.opensaml.saml.saml2.core.AttributeValue) AttributeBuilder(org.opensaml.saml.saml2.core.impl.AttributeBuilder) Attribute(org.opensaml.saml.saml2.core.Attribute) AttributeStatementLogData(uk.gov.ida.hub.samlengine.logging.data.AttributeStatementLogData) PersonNameAttributeValueBuilder(uk.gov.ida.saml.core.test.builders.PersonNameAttributeValueBuilder) List(java.util.List) ImmutableList(com.google.common.collect.ImmutableList) VerifiedAttributeLogData(uk.gov.ida.hub.samlengine.logging.data.VerifiedAttributeLogData) Test(org.junit.Test)

Example 30 with Attribute

use of org.opensaml.saml.saml1.core.Attribute in project cxf by apache.

In class SAMLClaimsTest, method testSaml2StaticClaims:

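/**
 * Test the creation of a SAML2 Assertion with StaticClaimsHandler.
 * <p>
 * A single static claim ({@code CLAIM_STATIC_COMPANY}) is registered with the {@link ClaimsManager}
 * and requested as a primary claim; the issued bearer token must carry exactly that claim, with
 * its configured value, as the only attribute of its attribute statement.
 */
@org.junit.Test
public void testSaml2StaticClaims() throws Exception {
    TokenProvider samlTokenProvider = new SAMLTokenProvider();
    TokenProviderParameters providerParameters = createProviderParameters(
            WSS4JConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, null);

    // Global claims on the static handler — presumably served regardless of the principal.
    Map<String, String> staticClaimsMap = new HashMap<>();
    staticClaimsMap.put(CLAIM_STATIC_COMPANY.toString(), CLAIM_STATIC_COMPANY_VALUE);
    StaticClaimsHandler claimsHandler = new StaticClaimsHandler();
    claimsHandler.setGlobalClaims(staticClaimsMap);
    ClaimsManager claimsManager = new ClaimsManager();
    claimsManager.setClaimHandlers(Collections.singletonList((ClaimsHandler) claimsHandler));
    providerParameters.setClaimsManager(claimsManager);

    ClaimCollection requestedClaims = new ClaimCollection();
    Claim claim = new Claim();
    claim.setClaimType(CLAIM_STATIC_COMPANY);
    requestedClaims.add(claim);
    providerParameters.setRequestedPrimaryClaims(requestedClaims);

    assertTrue(samlTokenProvider.canHandleToken(WSS4JConstants.WSS_SAML2_TOKEN_TYPE));
    TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
    assertTrue(providerResponse != null);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);

    // Coarse checks on the serialised token before parsing it into a typed assertion.
    Element token = (Element) providerResponse.getToken();
    String tokenString = DOM2Writer.nodeToString(token);
    assertTrue(tokenString.contains(providerResponse.getTokenId()));
    assertTrue(tokenString.contains("AttributeStatement"));
    assertTrue(tokenString.contains("alice"));
    assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER));

    SamlAssertionWrapper assertion = new SamlAssertionWrapper(token);
    List<Attribute> attributes = assertion.getSaml2().getAttributeStatements().get(0).getAttributes();
    // assertEquals takes (expected, actual); the previous reversed order produced misleading failure output.
    assertEquals(1, attributes.size());
    assertEquals(CLAIM_STATIC_COMPANY.toString(), attributes.get(0).getName());
    XMLObject valueObj = attributes.get(0).getAttributeValues().get(0);
    assertEquals(CLAIM_STATIC_COMPANY_VALUE, valueObj.getDOM().getTextContent());
}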
Also used : StaticEndpointClaimsHandler(org.apache.cxf.sts.claims.StaticEndpointClaimsHandler) ClaimsHandler(org.apache.cxf.sts.claims.ClaimsHandler) StaticClaimsHandler(org.apache.cxf.sts.claims.StaticClaimsHandler) CustomClaimsHandler(org.apache.cxf.sts.common.CustomClaimsHandler) HashMap(java.util.HashMap) Attribute(org.opensaml.saml.saml2.core.Attribute) StaticClaimsHandler(org.apache.cxf.sts.claims.StaticClaimsHandler) Element(org.w3c.dom.Element) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) XMLObject(org.opensaml.core.xml.XMLObject) ClaimsManager(org.apache.cxf.sts.claims.ClaimsManager) ClaimCollection(org.apache.cxf.rt.security.claims.ClaimCollection) Claim(org.apache.cxf.rt.security.claims.Claim)
