

use of org.opensaml.saml.saml1.core.AttributeStatement in project cas by apereo.

the class WsFederationHelper method createCredentialFromToken.

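/**
 * createCredentialFromToken converts a SAML 1.1 assertion to a WSFederationCredential.
 * <p>
 * The conversion copies what the credential carries: identifier, issuer and issue
 * instant, the validity window and the first audience from the conditions element,
 * the first authentication method, and every attribute that has at least one value.
 * Nothing is verified here (signature, audience, time window); the caller is
 * expected to validate the token separately — confirm against the calling code.
 *
 * @param assertion the provided assertion
 * @return an equivalent credential.
 */
public WsFederationCredential createCredentialFromToken(final Assertion assertion) {
    val retrievedOn = ZonedDateTime.now(clock);
    LOGGER.trace("Retrieved on [{}]", retrievedOn);
    val credential = new WsFederationCredential();
    credential.setRetrievedOn(retrievedOn);
    credential.setId(assertion.getID());
    credential.setIssuer(assertion.getIssuer());
    credential.setIssuedOn(DateTimeUtils.zonedDateTimeOf(assertion.getIssueInstant()));

    val conditions = assertion.getConditions();
    if (conditions != null) {
        credential.setNotBefore(DateTimeUtils.zonedDateTimeOf(conditions.getNotBefore()));
        credential.setNotOnOrAfter(DateTimeUtils.zonedDateTimeOf(conditions.getNotOnOrAfter()));
        val restrictions = conditions.getAudienceRestrictionConditions();
        if (!restrictions.isEmpty()) {
            // An AudienceRestrictionCondition may carry no Audience child. Guard the
            // second get(0) too, so a token without an audience leaves the credential's
            // audience unset instead of failing here with IndexOutOfBoundsException.
            val audiences = restrictions.get(0).getAudiences();
            if (!audiences.isEmpty()) {
                credential.setAudience(audiences.get(0).getURI());
            }
        }
    }

    val authenticationStatements = assertion.getAuthenticationStatements();
    if (!authenticationStatements.isEmpty()) {
        // Only the first authentication statement is represented on the credential.
        credential.setAuthenticationMethod(authenticationStatements.get(0).getAuthenticationMethod());
    }

    // Attribute name -> text content of each value. Values are read as untyped XSAny;
    // NOTE(review): any other XMLObject value type fails the cast with
    // ClassCastException — confirm that is the intended outcome for such tokens.
    val attributes = new HashMap<String, List<Object>>();
    for (val attributeStatement : assertion.getAttributeStatements()) {
        for (val item : attributeStatement.getAttributes()) {
            LOGGER.trace("Processed attribute: [{}]", item.getAttributeName());
            final List<Object> itemList = item.getAttributeValues()
                .stream()
                .map(xmlObject -> ((XSAny) xmlObject).getTextContent())
                .collect(Collectors.toList());
            // Attributes without values are dropped rather than stored as empty lists.
            if (!itemList.isEmpty()) {
                attributes.put(item.getAttributeName(), itemList);
            }
        }
    }
    credential.setAttributes(attributes);
    LOGGER.debug("WsFederation Credential retrieved as: [{}]", credential);
    return credential;
}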


use of org.opensaml.saml.saml1.core.AttributeStatement in project carbon-apimgt by wso2.

the class SystemScopeUtils method getRolesFromAssertion.

/**
 * Get the role list from the SAML2 Assertion
 * <p>
 * Only attributes whose name equals the configured role claim are considered.
 * An attribute with exactly one value is split on the configured separator;
 * an attribute with several values contributes each value as one role, unsplit.
 * Attributes with no values are ignored.
 *
 * @param assertion SAML2 assertion
 * @return Role list from the assertion
 */
public static String[] getRolesFromAssertion(Assertion assertion) {
    List<String> roles = new ArrayList<String>();
    String roleClaim = getRoleClaim();
    List<AttributeStatement> statements = assertion.getAttributeStatements();
    if (statements != null) {
        for (AttributeStatement statement : statements) {
            for (Attribute attribute : statement.getAttributes()) {
                String attributeName = attribute.getName();
                if (attributeName == null || !roleClaim.equals(attributeName)) {
                    continue;
                }
                List<XMLObject> values = attribute.getAttributeValues();
                if (values == null || values.isEmpty()) {
                    continue;
                }
                if (values.size() == 1) {
                    // Single value: roles are packed into one string, separated by the configured separator.
                    String packed = getAttributeValue(values.get(0));
                    String separator = getAttributeSeparator();
                    String[] unpacked = packed.split(separator);
                    if (log.isDebugEnabled()) {
                        log.debug("Adding attributes for Assertion: " + assertion + " AttributeName : " + attributeName + ", AttributeValue : " + Arrays.toString(unpacked));
                    }
                    roles.addAll(Arrays.asList(unpacked));
                } else {
                    // Multi-valued attribute: one role per value, taken verbatim.
                    for (XMLObject value : values) {
                        String role = getAttributeValue(value);
                        if (log.isDebugEnabled()) {
                            log.debug("Adding attributes for Assertion: " + assertion + " AttributeName : " + attributeName + ", AttributeValue : " + value);
                        }
                        roles.add(role);
                    }
                }
            }
        }
    }
    if (log.isDebugEnabled()) {
        log.debug("Role list found for assertion: " + assertion + ", roles: " + roles);
    }
    return roles.toArray(new String[0]);
}


use of org.opensaml.saml.saml1.core.AttributeStatement in project cxf by apache.

the class SAMLUtils method getSaml1Subject.

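/**
 * Returns the first non-null subject carried by any statement of the wrapped SAML 1.1 assertion.
 * <p>
 * Attribute, authentication and authorization-decision statements are inspected in
 * document order; statements of any other type are skipped.
 *
 * @param assertionW wrapper whose SAML 1.1 assertion is searched
 * @return the first subject found, or {@code null} when no statement carries one
 */
private static org.opensaml.saml.saml1.core.Subject getSaml1Subject(SamlAssertionWrapper assertionW) {
    for (Statement stmt : assertionW.getSaml1().getStatements()) {
        final org.opensaml.saml.saml1.core.Subject samlSubject;
        if (stmt instanceof AttributeStatement) {
            samlSubject = ((AttributeStatement) stmt).getSubject();
        } else if (stmt instanceof AuthenticationStatement) {
            samlSubject = ((AuthenticationStatement) stmt).getSubject();
        } else if (stmt instanceof AuthorizationDecisionStatement) {
            samlSubject = ((AuthorizationDecisionStatement) stmt).getSubject();
        } else {
            // A statement of any other type carries no subject this method knows how to
            // read. Skip it instead of casting it to AuthorizationDecisionStatement
            // unconditionally, which raised ClassCastException for such statements.
            continue;
        }
        if (samlSubject != null) {
            return samlSubject;
        }
    }
    return null;
}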


use of org.opensaml.saml.saml1.core.AttributeStatement in project cxf by apache.

the class CustomSaml2Validator method validate.

/**
 * Validates the credential with the superclass, then requires the assertion to be
 * issued by {@code "sts"}, to be a SAML 2.0 assertion, and to carry at least one
 * attribute statement. Every rejection raises the same failure.
 *
 * @param credential the credential holding the SAML assertion
 * @param data request data passed through to the superclass validation
 * @return the credential returned by the superclass when all checks pass
 * @throws WSSecurityException when the superclass rejects the credential or any check fails
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential validatedCredential = super.validate(credential, data);
    SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
    // Checks run in this order: issuer, SAML version, attribute statements.
    if (!"sts".equals(assertion.getIssuerString())) {
        throw invalidSamlSecurity();
    }
    Assertion saml2Assertion = assertion.getSaml2();
    if (saml2Assertion == null) {
        throw invalidSamlSecurity();
    }
    List<AttributeStatement> statements = saml2Assertion.getAttributeStatements();
    if (statements == null || statements.isEmpty()) {
        throw invalidSamlSecurity();
    }
    return validatedCredential;
}

/** Builds the single failure raised for every rejected assertion. */
private static WSSecurityException invalidSamlSecurity() {
    return new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}


use of org.opensaml.saml.saml1.core.AttributeStatement in project cxf by apache.

the class OnBehalfOfValidator method validate.

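/**
 * Validates the credential with the superclass, then requires a SAML 2.0 assertion
 * that carries at least one attribute statement and whose subject NameID is one of
 * the hard-coded allowed names.
 *
 * @param credential the credential holding the SAML assertion
 * @param data request data passed through to the superclass validation
 * @return the credential returned by the superclass when all checks pass
 * @throws WSSecurityException when the superclass rejects the credential or any check fails
 */
@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential validatedCredential = super.validate(credential, data);
    SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
    Assertion saml2Assertion = assertion.getSaml2();
    if (saml2Assertion == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
    if (attributeStatements == null || attributeStatements.isEmpty()) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    // A missing Subject or NameID used to surface as a NullPointerException; reject it
    // with the same security failure as every other malformed assertion.
    Subject subject = saml2Assertion.getSubject();
    NameID nameID = subject == null ? null : subject.getNameID();
    if (nameID == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }
    String subjectName = nameID.getValue();
    if ("alice".equals(subjectName) || "bob".equals(subjectName)) {
        return validatedCredential;
    }
    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
}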
