Search in sources :

Example 36 with AttributeStatement

use of org.opensaml.saml.saml1.core.AttributeStatement in project cas by apereo.

the class AbstractSaml20ObjectBuilder method newAttributeStatement.

/**
 * New attribute statement.
 *
 * @param attributes             the attributes
 * @param attributeFriendlyNames the attribute friendly names
 * @param configuredNameFormats  the configured name formats
 * @param defaultNameFormat      the default name format
 * @return the attribute statement
 */
public AttributeStatement newAttributeStatement(final Map<String, Object> attributes, final Map<String, String> attributeFriendlyNames, final Map<String, String> configuredNameFormats, final String defaultNameFormat) {
    final AttributeStatement attrStatement = newSamlObject(AttributeStatement.class);
    for (final Map.Entry<String, Object> e : attributes.entrySet()) {
        if (e.getValue() instanceof Collection<?> && ((Collection<?>) e.getValue()).isEmpty()) {
            LOGGER.info("Skipping attribute [{}] because it does not have any values.", e.getKey());
            continue;
        }
        final String friendlyName = attributeFriendlyNames.getOrDefault(e.getKey(), null);
        final Attribute attribute = newAttribute(friendlyName, e, configuredNameFormats, defaultNameFormat);
        attrStatement.getAttributes().add(attribute);
    }
    return attrStatement;
}
Also used : Attribute(org.opensaml.saml.saml2.core.Attribute) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) XMLObject(org.opensaml.core.xml.XMLObject) Map(java.util.Map)

Example 37 with AttributeStatement

use of org.opensaml.saml.saml1.core.AttributeStatement in project verify-hub by alphagov.

the class EidasAttributeStatementAssertionValidator method validateAttributes.

private void validateAttributes(Assertion assertion) {
    final List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
    if (attributeStatements.isEmpty()) {
        SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.mdsStatementMissing();
        throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }
    if (attributeStatements.size() > 1) {
        SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.mdsMultipleStatements();
        throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }
    final List<Attribute> attributes = attributeStatements.get(0).getAttributes();
    if (attributes.isEmpty()) {
        SamlValidationSpecificationFailure failure = attributeStatementEmpty(assertion.getID());
        throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }
    Set<String> attributeNames = attributes.stream().map(Attribute::getName).collect(Collectors.toSet());
    if (!attributeNames.containsAll(MANDATORY_ATTRIBUTES.keySet())) {
        throw new SamlTransformationErrorException(String.format("Mandatory attributes not provided. Expected %s but got %s", MANDATORY_ATTRIBUTES.values().stream().collect(Collectors.joining(",")), attributes.stream().map(Attribute::getFriendlyName).collect(Collectors.joining(","))), Level.ERROR);
    }
    for (Attribute attribute : attributes) {
        final String attributeName = attribute.getName();
        if (!VALID_EIDAS_ATTRIBUTE_NAMES.contains(attributeName)) {
            SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.mdsAttributeNotRecognised(attributeName);
            throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
        }
        if (attribute.getAttributeValues().isEmpty()) {
            SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.emptyAttribute(attributeName);
            throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
        }
        if (!VALID_TYPE_FOR_ATTRIBUTE.get(attributeName).equals(attribute.getAttributeValues().get(0).getSchemaType())) {
            final QName schemaType = attribute.getAttributeValues().get(0).getSchemaType();
            SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.attributeWithIncorrectType(attributeName, VALID_TYPE_FOR_ATTRIBUTE.get(attributeName), schemaType);
            throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
        }
        if (!VALID_ATTRIBUTE_NAME_FORMATS.contains(attribute.getNameFormat())) {
            SamlTransformationErrorManager.warn(invalidAttributeNameFormat(attribute.getNameFormat()));
        }
    }
}
Also used : SamlValidationSpecificationFailure(uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure) Attribute(org.opensaml.saml.saml2.core.Attribute) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) SamlTransformationErrorException(uk.gov.ida.saml.core.validation.SamlTransformationErrorException) QName(javax.xml.namespace.QName)

Example 38 with AttributeStatement

use of org.opensaml.saml.saml1.core.AttributeStatement in project pac4j by pac4j.

the class SAML2DefaultResponseValidator method buildSAML2Credentials.

protected final SAML2Credentials buildSAML2Credentials(final SAML2MessageContext context) {
    final NameID nameId = context.getSAMLSubjectNameIdentifierContext().getSAML2SubjectNameID();
    final Assertion subjectAssertion = context.getSubjectAssertion();
    final String sessionIndex = getSessionIndex(subjectAssertion);
    final String issuerEntityId = subjectAssertion.getIssuer().getValue();
    List<AuthnStatement> authnStatements = subjectAssertion.getAuthnStatements();
    List<String> authnContexts = new ArrayList<String>();
    for (AuthnStatement authnStatement : authnStatements) {
        authnContexts.add(authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
    }
    final List<Attribute> attributes = new ArrayList<Attribute>();
    for (final AttributeStatement attributeStatement : subjectAssertion.getAttributeStatements()) {
        for (final Attribute attribute : attributeStatement.getAttributes()) {
            attributes.add(attribute);
        }
        if (!attributeStatement.getEncryptedAttributes().isEmpty()) {
            if (decrypter == null) {
                logger.warn("Encrypted attributes returned, but no keystore was provided.");
            } else {
                for (final EncryptedAttribute encryptedAttribute : attributeStatement.getEncryptedAttributes()) {
                    try {
                        attributes.add(decrypter.decrypt(encryptedAttribute));
                    } catch (final DecryptionException e) {
                        logger.warn("Decryption of attribute failed, continue with the next one", e);
                    }
                }
            }
        }
    }
    return new SAML2Credentials(nameId, issuerEntityId, attributes, subjectAssertion.getConditions(), sessionIndex, authnContexts);
}
Also used : EncryptedAttribute(org.opensaml.saml.saml2.core.EncryptedAttribute) NameID(org.opensaml.saml.saml2.core.NameID) Attribute(org.opensaml.saml.saml2.core.Attribute) EncryptedAttribute(org.opensaml.saml.saml2.core.EncryptedAttribute) SAML2Credentials(org.pac4j.saml.credentials.SAML2Credentials) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) ArrayList(java.util.ArrayList) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement) DecryptionException(org.opensaml.xmlsec.encryption.support.DecryptionException) SAMLNameIdDecryptionException(org.pac4j.saml.exceptions.SAMLNameIdDecryptionException)

Example 39 with AttributeStatement

use of org.opensaml.saml.saml1.core.AttributeStatement in project syncope by apache.

the class SAML2SPLogic method validateLoginResponse.

@PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")
public SAML2LoginResponseTO validateLoginResponse(final SAML2ReceivedResponseTO response) {
    check();
    // 1. first checks for the provided relay state
    if (response.getRelayState() == null) {
        throw new IllegalArgumentException("No Relay State was provided");
    }
    Boolean useDeflateEncoding = false;
    String requestId = null;
    if (!IDP_INITIATED_RELAY_STATE.equals(response.getRelayState())) {
        JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
        if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
            throw new IllegalArgumentException("Invalid signature found in Relay State");
        }
        useDeflateEncoding = Boolean.valueOf(relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString());
        requestId = relayState.getJwtClaims().getSubject();
        Long expiryTime = relayState.getJwtClaims().getExpiryTime();
        if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) {
            throw new IllegalArgumentException("Relay State is expired");
        }
    }
    // 2. parse the provided SAML response
    if (response.getSamlResponse() == null) {
        throw new IllegalArgumentException("No SAML Response was provided");
    }
    Response samlResponse;
    try {
        XMLObject responseObject = saml2rw.read(useDeflateEncoding, response.getSamlResponse());
        if (!(responseObject instanceof Response)) {
            throw new IllegalArgumentException("Expected " + Response.class.getName() + ", got " + responseObject.getClass().getName());
        }
        samlResponse = (Response) responseObject;
    } catch (Exception e) {
        LOG.error("While parsing AuthnResponse", e);
        SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
        sce.getElements().add(e.getMessage());
        throw sce;
    }
    // 3. validate the SAML response and, if needed, decrypt the provided assertion(s)
    if (samlResponse.getIssuer() == null || samlResponse.getIssuer().getValue() == null) {
        throw new IllegalArgumentException("The SAML Response must contain an Issuer");
    }
    final SAML2IdPEntity idp = getIdP(samlResponse.getIssuer().getValue());
    if (idp.getConnObjectKeyItem() == null) {
        throw new IllegalArgumentException("No mapping provided for SAML 2.0 IdP '" + idp.getId() + "'");
    }
    if (IDP_INITIATED_RELAY_STATE.equals(response.getRelayState()) && !idp.isSupportUnsolicited()) {
        throw new IllegalArgumentException("An unsolicited request is not allowed for idp: " + idp.getId());
    }
    SSOValidatorResponse validatorResponse = null;
    try {
        validatorResponse = saml2rw.validate(samlResponse, idp, getAssertionConsumerURL(response.getSpEntityID(), response.getUrlContext()), requestId, response.getSpEntityID());
    } catch (Exception e) {
        LOG.error("While validating AuthnResponse", e);
        SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
        sce.getElements().add(e.getMessage());
        throw sce;
    }
    // 4. prepare the result: find matching user (if any) and return the received attributes
    final SAML2LoginResponseTO responseTO = new SAML2LoginResponseTO();
    responseTO.setIdp(idp.getId());
    responseTO.setSloSupported(idp.getSLOLocation(idp.getBindingType()) != null);
    Assertion assertion = validatorResponse.getOpensamlAssertion();
    NameID nameID = assertion.getSubject().getNameID();
    if (nameID == null) {
        throw new IllegalArgumentException("NameID not found");
    }
    String keyValue = null;
    if (StringUtils.isNotBlank(nameID.getValue()) && idp.getConnObjectKeyItem().getExtAttrName().equals("NameID")) {
        keyValue = nameID.getValue();
    }
    if (assertion.getConditions().getNotOnOrAfter() != null) {
        responseTO.setNotOnOrAfter(assertion.getConditions().getNotOnOrAfter().toDate());
    }
    assertion.getAuthnStatements().forEach(authnStmt -> {
        responseTO.setSessionIndex(authnStmt.getSessionIndex());
        responseTO.setAuthInstant(authnStmt.getAuthnInstant().toDate());
        if (authnStmt.getSessionNotOnOrAfter() != null) {
            responseTO.setNotOnOrAfter(authnStmt.getSessionNotOnOrAfter().toDate());
        }
    });
    for (AttributeStatement attrStmt : assertion.getAttributeStatements()) {
        for (Attribute attr : attrStmt.getAttributes()) {
            if (!attr.getAttributeValues().isEmpty()) {
                String attrName = attr.getFriendlyName() == null ? attr.getName() : attr.getFriendlyName();
                if (attrName.equals(idp.getConnObjectKeyItem().getExtAttrName())) {
                    if (attr.getAttributeValues().get(0) instanceof XSString) {
                        keyValue = ((XSString) attr.getAttributeValues().get(0)).getValue();
                    } else if (attr.getAttributeValues().get(0) instanceof XSAny) {
                        keyValue = ((XSAny) attr.getAttributeValues().get(0)).getTextContent();
                    }
                }
                AttrTO attrTO = new AttrTO();
                attrTO.setSchema(attrName);
                attr.getAttributeValues().stream().filter(value -> value.getDOM() != null).forEachOrdered(value -> {
                    attrTO.getValues().add(value.getDOM().getTextContent());
                });
                responseTO.getAttrs().add(attrTO);
            }
        }
    }
    final List<String> matchingUsers = keyValue == null ? Collections.<String>emptyList() : userManager.findMatchingUser(keyValue, idp.getKey());
    LOG.debug("Found {} matching users for {}", matchingUsers.size(), keyValue);
    String username;
    if (matchingUsers.isEmpty()) {
        if (idp.isCreateUnmatching()) {
            LOG.debug("No user matching {}, about to create", keyValue);
            username = AuthContextUtils.execWithAuthContext(AuthContextUtils.getDomain(), () -> userManager.create(idp, responseTO, nameID.getValue()));
        } else if (idp.isSelfRegUnmatching()) {
            responseTO.setNameID(nameID.getValue());
            UserTO userTO = new UserTO();
            userManager.fill(idp.getKey(), responseTO, userTO);
            responseTO.getAttrs().clear();
            responseTO.getAttrs().addAll(userTO.getPlainAttrs());
            responseTO.getAttrs().addAll(userTO.getVirAttrs());
            if (StringUtils.isNotBlank(userTO.getUsername())) {
                responseTO.setUsername(userTO.getUsername());
            }
            responseTO.setSelfReg(true);
            return responseTO;
        } else {
            throw new NotFoundException("User matching the provided value " + keyValue);
        }
    } else if (matchingUsers.size() > 1) {
        throw new IllegalArgumentException("Several users match the provided value " + keyValue);
    } else {
        if (idp.isUpdateMatching()) {
            LOG.debug("About to update {} for {}", matchingUsers.get(0), keyValue);
            username = AuthContextUtils.execWithAuthContext(AuthContextUtils.getDomain(), () -> userManager.update(matchingUsers.get(0), idp, responseTO));
        } else {
            username = matchingUsers.get(0);
        }
    }
    responseTO.setUsername(username);
    responseTO.setNameID(nameID.getValue());
    // 5. generate JWT for further access
    Map<String, Object> claims = new HashMap<>();
    claims.put(JWT_CLAIM_IDP_ENTITYID, idp.getId());
    claims.put(JWT_CLAIM_NAMEID_FORMAT, nameID.getFormat());
    claims.put(JWT_CLAIM_NAMEID_VALUE, nameID.getValue());
    claims.put(JWT_CLAIM_SESSIONINDEX, responseTO.getSessionIndex());
    byte[] authorities = null;
    try {
        authorities = ENCRYPTOR.encode(POJOHelper.serialize(authDataAccessor.getAuthorities(responseTO.getUsername())), CipherAlgorithm.AES).getBytes();
    } catch (Exception e) {
        LOG.error("Could not fetch authorities", e);
    }
    Pair<String, Date> accessTokenInfo = accessTokenDataBinder.create(responseTO.getUsername(), claims, authorities, true);
    responseTO.setAccessToken(accessTokenInfo.getLeft());
    responseTO.setAccessTokenExpiryTime(accessTokenInfo.getRight());
    return responseTO;
}
Also used : SAMLVersion(org.opensaml.saml.common.SAMLVersion) XSAny(org.opensaml.core.xml.schema.XSAny) JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) Date(java.util.Date) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize) AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest) Autowired(org.springframework.beans.factory.annotation.Autowired) SAML2ReaderWriter(org.apache.syncope.core.logic.saml2.SAML2ReaderWriter) KeyDescriptor(org.opensaml.saml.saml2.metadata.KeyDescriptor) SAML2IdP(org.apache.syncope.core.persistence.api.entity.SAML2IdP) KeyInfoGenerator(org.opensaml.xmlsec.keyinfo.KeyInfoGenerator) StringUtils(org.apache.commons.lang3.StringUtils) AuthnRequestBuilder(org.opensaml.saml.saml2.core.impl.AuthnRequestBuilder) LogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest) Attribute(org.opensaml.saml.saml2.core.Attribute) AuthnContextComparisonTypeEnumeration(org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration) Pair(org.apache.commons.lang3.tuple.Pair) SAML2ReceivedResponseTO(org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) Map(java.util.Map) RequestedAuthnContext(org.opensaml.saml.saml2.core.RequestedAuthnContext) SAML2IdPDAO(org.apache.syncope.core.persistence.api.dao.SAML2IdPDAO) AuthContextUtils(org.apache.syncope.core.spring.security.AuthContextUtils) XSString(org.opensaml.core.xml.schema.XSString) Method(java.lang.reflect.Method) Triple(org.apache.commons.lang3.tuple.Triple) Response(org.opensaml.saml.saml2.core.Response) AssertionConsumerServiceBuilder(org.opensaml.saml.saml2.metadata.impl.AssertionConsumerServiceBuilder) RandomBasedGenerator(com.fasterxml.uuid.impl.RandomBasedGenerator) AssertionConsumerService(org.opensaml.saml.saml2.metadata.AssertionConsumerService) NameIDFormat(org.opensaml.saml.saml2.metadata.NameIDFormat) Resource(javax.annotation.Resource) AccessTokenDataBinder(org.apache.syncope.core.provisioning.api.data.AccessTokenDataBinder) AuthnContextClassRef(org.opensaml.saml.saml2.core.AuthnContextClassRef) SSOValidatorResponse(org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse) NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException) StandardCharsets(java.nio.charset.StandardCharsets) IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder) SPSSODescriptor(org.opensaml.saml.saml2.metadata.SPSSODescriptor) List(java.util.List) Issuer(org.opensaml.saml.saml2.core.Issuer) NameIDFormatBuilder(org.opensaml.saml.saml2.metadata.impl.NameIDFormatBuilder) EntityDescriptor(org.opensaml.saml.saml2.metadata.EntityDescriptor) AuthnContextClassRefBuilder(org.opensaml.saml.saml2.core.impl.AuthnContextClassRefBuilder) AbstractBaseBean(org.apache.syncope.common.lib.AbstractBaseBean) AuthnContext(org.opensaml.saml.saml2.core.AuthnContext) StandardEntitlement(org.apache.syncope.common.lib.types.StandardEntitlement) POJOHelper(org.apache.syncope.core.provisioning.api.serialization.POJOHelper) AttrTO(org.apache.syncope.common.lib.to.AttrTO) SAML2RequestTO(org.apache.syncope.common.lib.to.SAML2RequestTO) SAML2BindingType(org.apache.syncope.common.lib.types.SAML2BindingType) LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse) HashMap(java.util.HashMap) NameIDPolicyBuilder(org.opensaml.saml.saml2.core.impl.NameIDPolicyBuilder) StatusCode(org.opensaml.saml.saml2.core.StatusCode) SPSSODescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.SPSSODescriptorBuilder) EntityDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.EntityDescriptorBuilder) SingleLogoutServiceBuilder(org.opensaml.saml.saml2.metadata.impl.SingleLogoutServiceBuilder) SAML2LoginResponseTO(org.apache.syncope.common.lib.to.SAML2LoginResponseTO) Assertion(org.opensaml.saml.saml2.core.Assertion) OutputStreamWriter(java.io.OutputStreamWriter) ClientExceptionType(org.apache.syncope.common.lib.types.ClientExceptionType) SAML2IdPCache(org.apache.syncope.core.logic.saml2.SAML2IdPCache) XMLObject(org.opensaml.core.xml.XMLObject) SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants) CipherAlgorithm(org.apache.syncope.common.lib.types.CipherAlgorithm) OutputStream(java.io.OutputStream) KeyDescriptorBuilder(org.opensaml.saml.saml2.metadata.impl.KeyDescriptorBuilder) Encryptor(org.apache.syncope.core.spring.security.Encryptor) SingleLogoutService(org.opensaml.saml.saml2.metadata.SingleLogoutService) DateTime(org.joda.time.DateTime) SessionIndexBuilder(org.opensaml.saml.saml2.core.impl.SessionIndexBuilder) SAML2UserManager(org.apache.syncope.core.logic.saml2.SAML2UserManager) LogoutRequestBuilder(org.opensaml.saml.saml2.core.impl.LogoutRequestBuilder) AuthDataAccessor(org.apache.syncope.core.spring.security.AuthDataAccessor) AccessTokenDAO(org.apache.syncope.core.persistence.api.dao.AccessTokenDAO) JwsSignatureVerifier(org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier) NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder) ResourceUtils(org.springframework.util.ResourceUtils) SessionIndex(org.opensaml.saml.saml2.core.SessionIndex) URLEncoder(java.net.URLEncoder) Component(org.springframework.stereotype.Component) X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory) RequestedAuthnContextBuilder(org.opensaml.saml.saml2.core.impl.RequestedAuthnContextBuilder) NameIDType(org.opensaml.saml.saml2.core.NameIDType) Generators(com.fasterxml.uuid.Generators) NameIDPolicy(org.opensaml.saml.saml2.core.NameIDPolicy) UserTO(org.apache.syncope.common.lib.to.UserTO) Collections(java.util.Collections) NameID(org.opensaml.saml.saml2.core.NameID) SAML2IdPEntity(org.apache.syncope.core.logic.saml2.SAML2IdPEntity) Attribute(org.opensaml.saml.saml2.core.Attribute) HashMap(java.util.HashMap) AttrTO(org.apache.syncope.common.lib.to.AttrTO) NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException) XSString(org.opensaml.core.xml.schema.XSString) XSAny(org.opensaml.core.xml.schema.XSAny) JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer) SSOValidatorResponse(org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse) SAML2LoginResponseTO(org.apache.syncope.common.lib.to.SAML2LoginResponseTO) NameID(org.opensaml.saml.saml2.core.NameID) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) Assertion(org.opensaml.saml.saml2.core.Assertion) XMLObject(org.opensaml.core.xml.XMLObject) XSString(org.opensaml.core.xml.schema.XSString) Date(java.util.Date) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException) Response(org.opensaml.saml.saml2.core.Response) SSOValidatorResponse(org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse) LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse) SAML2IdPEntity(org.apache.syncope.core.logic.saml2.SAML2IdPEntity) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) UserTO(org.apache.syncope.common.lib.to.UserTO) XMLObject(org.opensaml.core.xml.XMLObject) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)

Example 40 with AttributeStatement

use of org.opensaml.saml.saml1.core.AttributeStatement in project ddf by codice.

the class SamlAssertionValidatorImplTest method createAssertion.

private Assertion createAssertion(boolean sign, boolean validSignature, String issuerString, DateTime notOnOrAfter) throws Exception {
    Assertion assertion = new AssertionBuilder().buildObject();
    assertion.setID(UUID.randomUUID().toString());
    assertion.setIssueInstant(new DateTime());
    Issuer issuer = new IssuerBuilder().buildObject();
    issuer.setValue(issuerString);
    assertion.setIssuer(issuer);
    NameID nameID = new NameIDBuilder().buildObject();
    nameID.setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
    nameID.setNameQualifier("http://cxf.apache.org/sts");
    nameID.setValue("admin");
    SubjectConfirmation subjectConfirmation = new SubjectConfirmationBuilder().buildObject();
    subjectConfirmation.setMethod("urn:oasis:names:tc:SAML:2.0:cm:bearer");
    Subject subject = new SubjectBuilder().buildObject();
    subject.setNameID(nameID);
    subject.getSubjectConfirmations().add(subjectConfirmation);
    assertion.setSubject(subject);
    Conditions conditions = new ConditionsBuilder().buildObject();
    conditions.setNotBefore(new DateTime().minusDays(3));
    conditions.setNotOnOrAfter(notOnOrAfter);
    assertion.setConditions(conditions);
    AuthnStatement authnStatement = new AuthnStatementBuilder().buildObject();
    authnStatement.setAuthnInstant(new DateTime());
    AuthnContext authnContext = new AuthnContextBuilder().buildObject();
    AuthnContextClassRef authnContextClassRef = new AuthnContextClassRefBuilder().buildObject();
    authnContextClassRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");
    authnContext.setAuthnContextClassRef(authnContextClassRef);
    authnStatement.setAuthnContext(authnContext);
    assertion.getAuthnStatements().add(authnStatement);
    AttributeStatement attributeStatement = new AttributeStatementBuilder().buildObject();
    Attribute attribute = new AttributeBuilder().buildObject();
    AttributeValueType attributeValue = new AttributeValueTypeImplBuilder().buildObject();
    attributeValue.setValue("admin");
    attribute.setName("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
    attribute.setNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
    attribute.getAttributeValues().add(attributeValue);
    attributeStatement.getAttributes().add(attribute);
    assertion.getAttributeStatements().add(attributeStatement);
    if (sign) {
        Signature signature = OpenSAMLUtil.buildSignature();
        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
        signature.setSignatureAlgorithm(WSS4JConstants.RSA);
        BasicX509Credential signingCredential;
        if (validSignature) {
            signingCredential = new BasicX509Credential(certificate);
            signingCredential.setPrivateKey(privateKey);
            signature.setSigningCredential(signingCredential);
        } else {
            try (InputStream inputStream = getClass().getResourceAsStream("/localhost.crt")) {
                CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
                X509Certificate cert = (X509Certificate) certificateFactory.generateCertificate(inputStream);
                signingCredential = new BasicX509Credential(cert);
                signature.setSigningCredential(signingCredential);
            }
        }
        X509KeyInfoGeneratorFactory x509KeyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
        x509KeyInfoGeneratorFactory.setEmitEntityCertificate(true);
        KeyInfo keyInfo = x509KeyInfoGeneratorFactory.newInstance().generate(signingCredential);
        signature.setKeyInfo(keyInfo);
        assertion.setSignature(signature);
    }
    return assertion;
}
Also used : Issuer(org.opensaml.saml.saml2.core.Issuer) Attribute(org.opensaml.saml.saml2.core.Attribute) AuthnStatementBuilder(org.opensaml.saml.saml2.core.impl.AuthnStatementBuilder) AuthnContextClassRefBuilder(org.opensaml.saml.saml2.core.impl.AuthnContextClassRefBuilder) CertificateFactory(java.security.cert.CertificateFactory) DateTime(org.joda.time.DateTime) Conditions(org.opensaml.saml.saml2.core.Conditions) AuthnContext(org.opensaml.saml.saml2.core.AuthnContext) NameIDBuilder(org.opensaml.saml.saml2.core.impl.NameIDBuilder) SubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation) KeyInfo(org.opensaml.xmlsec.signature.KeyInfo) SubjectBuilder(org.opensaml.saml.saml2.core.impl.SubjectBuilder) SubjectConfirmationBuilder(org.opensaml.saml.saml2.core.impl.SubjectConfirmationBuilder) X509KeyInfoGeneratorFactory(org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory) AttributeStatementBuilder(org.opensaml.saml.saml2.core.impl.AttributeStatementBuilder) AttributeBuilder(org.opensaml.saml.saml2.core.impl.AttributeBuilder) NameID(org.opensaml.saml.saml2.core.NameID) AttributeValueType(org.opensaml.xacml.ctx.AttributeValueType) InputStream(java.io.InputStream) AuthnContextBuilder(org.opensaml.saml.saml2.core.impl.AuthnContextBuilder) Assertion(org.opensaml.saml.saml2.core.Assertion) AuthnContextClassRef(org.opensaml.saml.saml2.core.AuthnContextClassRef) AssertionBuilder(org.opensaml.saml.saml2.core.impl.AssertionBuilder) Subject(org.opensaml.saml.saml2.core.Subject) X509Certificate(java.security.cert.X509Certificate) ConditionsBuilder(org.opensaml.saml.saml2.core.impl.ConditionsBuilder) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) Signature(org.opensaml.xmlsec.signature.Signature) AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement) IssuerBuilder(org.opensaml.saml.saml2.core.impl.IssuerBuilder) AttributeValueTypeImplBuilder(org.opensaml.xacml.ctx.impl.AttributeValueTypeImplBuilder)

Aggregations

AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement)61 Attribute (org.opensaml.saml.saml2.core.Attribute)38 Assertion (org.opensaml.saml.saml2.core.Assertion)36 Test (org.junit.jupiter.api.Test)24 AssertionBuilder.anAssertion (uk.gov.ida.saml.core.test.builders.AssertionBuilder.anAssertion)17 XMLObject (org.opensaml.core.xml.XMLObject)15 EncryptedAttribute (org.opensaml.saml.saml2.core.EncryptedAttribute)10 SimpleStringAttributeBuilder.aSimpleStringAttribute (uk.gov.ida.saml.core.test.builders.SimpleStringAttributeBuilder.aSimpleStringAttribute)9 ArrayList (java.util.ArrayList)8 SamlTransformationErrorFactory.emptyAttribute (uk.gov.ida.saml.core.errors.SamlTransformationErrorFactory.emptyAttribute)8 XSString (org.opensaml.core.xml.schema.XSString)7 NameID (org.opensaml.saml.saml2.core.NameID)7 Response (org.opensaml.saml.saml2.core.Response)7 Subject (org.opensaml.saml.saml2.core.Subject)7 EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)6 AttributeBuilder (org.opensaml.saml.saml2.core.impl.AttributeBuilder)6 AttributeStatement (org.opensaml.saml2.core.AttributeStatement)6 HashMap (java.util.HashMap)5 List (java.util.List)5 Map (java.util.Map)5