Search in sources :

Example 21 with Conditions

use of org.opensaml.saml.saml1.core.Conditions in project identity-inbound-auth-oauth by wso2-extensions.

the class SAML1BearerGrantHandler method validateGrant.

/**
 * We're validating the SAML token that we receive from the request. Through the assertion parameter is the POST
 * request. A request format that we handle here looks like,
 * <p/>
 * POST /token.oauth2 HTTP/1.1
 * Host: as.example.com
 * Content-Type: application/x-www-form-urlencoded
 * <p/>
 * grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml1-bearer&
 * assertion=PHNhbWxwOl...[omitted for brevity]...ZT4
 *
 * @param tokReqMsgCtx Token message request context
 * @return true if validation is successful, false otherwise
 * @throws org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception
 */
@Override
public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
    boolean validGrant = super.validateGrant(tokReqMsgCtx);
    Assertion assertion;
    IdentityProvider identityProvider = null;
    String tokenEndpointAlias = null;
    String tenantDomain = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getTenantDomain();
    if (tenantDomain == null || "".equals(tenantDomain)) {
        tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
    }
    RequestParameter[] requestParameters = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters();
    for (RequestParameter requestParameter : requestParameters) {
        if (requestParameter.getKey().equals("assertion")) {
            String[] values = requestParameter.getValue();
            tokReqMsgCtx.getOauth2AccessTokenReqDTO().setAssertion(values[0]);
            break;
        }
    }
    if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.SAML_ASSERTION)) {
        log.debug("Received SAML assertion : " + new String(Base64.decodeBase64(tokReqMsgCtx.getOauth2AccessTokenReqDTO().getAssertion()), StandardCharsets.UTF_8));
    }
    try {
        XMLObject samlObject = UnmarshallUtils.unmarshall(new String(Base64.decodeBase64(tokReqMsgCtx.getOauth2AccessTokenReqDTO().getAssertion()), StandardCharsets.UTF_8));
        // Validating for multiple assertions
        NodeList assertionList = samlObject.getDOM().getElementsByTagNameNS(SAMLConstants.SAML1_NS, "Assertion");
        if (assertionList.getLength() > 0) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid schema for SAML Assertion. Nested assertions detected.");
            }
            return false;
        }
        if (samlObject instanceof Assertion) {
            assertion = (Assertion) samlObject;
        } else {
            if (log.isDebugEnabled()) {
                log.debug("Only Assertion objects are validated in SAML1Bearer Grant Type");
            }
            return false;
        }
    } catch (IdentityUnmarshallingException e) {
        if (log.isDebugEnabled()) {
            log.debug("Error occurred while unmarshalling SAML1.0 assertion", e);
        }
        return false;
    }
    /*
         * The Assertion MUST contain a <Subject> element.  The subject MAY identify the resource owner for whom
         * the access token is being requested.  For client authentication, the Subject MUST be the "client_id"
         * of the OAuth client.  When using an Assertion as an authorization grant, the Subject SHOULD identify
         * an authorized accessor for whom the access token is being requested (typically the resource owner, or
         * an authorized delegate).  Additional information identifying the subject/principal of the transaction
         * MAY be included in an <AttributeStatement>.
         */
    List<AuthenticationStatement> authenticationStatements = assertion.getAuthenticationStatements();
    Subject subject;
    if (authenticationStatements != null && authenticationStatements.size() > 0) {
        AuthenticationStatement authenticationStatement = authenticationStatements.get(0);
        subject = authenticationStatement.getSubject();
        if (subject != null) {
            String resourceOwnerUserName = subject.getNameIdentifier().getNameIdentifier();
            if (resourceOwnerUserName == null || resourceOwnerUserName.equals("")) {
                if (log.isDebugEnabled()) {
                    log.debug("NameID in Assertion cannot be empty");
                }
                return false;
            }
            AuthenticatedUser user = OAuth2Util.getUserFromUserName(resourceOwnerUserName);
            user.setAuthenticatedSubjectIdentifier(resourceOwnerUserName);
            user.setFederatedUser(true);
            tokReqMsgCtx.setAuthorizedUser(user);
            if (log.isDebugEnabled()) {
                log.debug("Resource Owner User Name is set to " + resourceOwnerUserName);
            }
        } else {
            if (log.isDebugEnabled()) {
                log.debug("Subject element cannot be empty.");
            }
            return false;
        }
    } else {
        if (log.isDebugEnabled()) {
            log.debug("Authentication Statement cannot be empty");
        }
        return false;
    }
    if (assertion.getIssuer() == null || assertion.getIssuer().isEmpty()) {
        if (log.isDebugEnabled()) {
            log.debug("Issuer is empty in the SAML assertion");
        }
        return false;
    } else {
        try {
            if (log.isDebugEnabled()) {
                log.debug("Issuer is :" + assertion.getIssuer());
            }
            identityProvider = IdentityProviderManager.getInstance().getIdPByAuthenticatorPropertyValue("IdPEntityId", assertion.getIssuer(), tenantDomain, false);
            // resident IDP entitiID == issuer
            if (identityProvider != null) {
                if (IdentityApplicationConstants.RESIDENT_IDP_RESERVED_NAME.equals(identityProvider.getIdentityProviderName())) {
                    identityProvider = IdentityProviderManager.getInstance().getResidentIdP(tenantDomain);
                    FederatedAuthenticatorConfig[] fedAuthnConfigs = identityProvider.getFederatedAuthenticatorConfigs();
                    String idpEntityId = null;
                    // Get SAML authenticator
                    FederatedAuthenticatorConfig samlAuthenticatorConfig = IdentityApplicationManagementUtil.getFederatedAuthenticator(fedAuthnConfigs, IdentityApplicationConstants.Authenticator.SAML2SSO.NAME);
                    // Get Entity ID from SAML authenticator
                    Property samlProperty = IdentityApplicationManagementUtil.getProperty(samlAuthenticatorConfig.getProperties(), IdentityApplicationConstants.Authenticator.SAML2SSO.IDP_ENTITY_ID);
                    if (samlProperty != null) {
                        idpEntityId = samlProperty.getValue();
                    }
                    if (idpEntityId == null || !assertion.getIssuer().equals(idpEntityId)) {
                        if (log.isDebugEnabled()) {
                            log.debug("SAML Token Issuer verification failed or Issuer not registered");
                        }
                        return false;
                    }
                    // Get OpenIDConnect authenticator == OAuth
                    // authenticator
                    FederatedAuthenticatorConfig oauthAuthenticatorConfig = IdentityApplicationManagementUtil.getFederatedAuthenticator(fedAuthnConfigs, IdentityApplicationConstants.Authenticator.OIDC.NAME);
                    // Get OAuth token endpoint
                    Property oauthProperty = IdentityApplicationManagementUtil.getProperty(oauthAuthenticatorConfig.getProperties(), IdentityApplicationConstants.Authenticator.OIDC.OAUTH2_TOKEN_URL);
                    if (oauthProperty != null) {
                        tokenEndpointAlias = oauthProperty.getValue();
                    }
                } else {
                    // Get Alias from Federated IDP
                    tokenEndpointAlias = identityProvider.getAlias();
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("SAML Token Issuer verification failed or Issuer not registered");
                }
                return false;
            }
        } catch (IdentityProviderManagementException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error while getting Federated Identity Provider ", e);
            }
        }
    }
    if (audienceRestrictionValidationEnabled) {
        if (tokenEndpointAlias == null || tokenEndpointAlias.equals("")) {
            String errorMsg = "Token Endpoint alias of the local Identity Provider has not been " + "configured for " + identityProvider.getIdentityProviderName();
            if (log.isDebugEnabled()) {
                log.debug(errorMsg);
            }
            return false;
        }
        Conditions conditions = assertion.getConditions();
        if (conditions != null) {
            List<AudienceRestrictionCondition> audienceRestrictions = conditions.getAudienceRestrictionConditions();
            if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
                boolean audienceFound = false;
                for (AudienceRestrictionCondition audienceRestriction : audienceRestrictions) {
                    if (audienceRestriction.getAudiences() != null && audienceRestriction.getAudiences().size() > 0) {
                        for (Audience audience : audienceRestriction.getAudiences()) {
                            if (audience.getUri().equals(tokenEndpointAlias)) {
                                audienceFound = true;
                                break;
                            }
                        }
                    }
                    if (audienceFound) {
                        break;
                    }
                }
                if (!audienceFound) {
                    if (log.isDebugEnabled()) {
                        log.debug("SAML Assertion Audience Restriction validation failed");
                    }
                    return false;
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("SAML Assertion doesn't contain AudienceRestrictions");
                }
                return false;
            }
        } else {
            if (log.isDebugEnabled()) {
                log.debug("SAML Assertion doesn't contain Conditions");
            }
            return false;
        }
    }
    /*
         * The Assertion MUST have an expiry that limits the time window during which it can be used.  The expiry
         * can be expressed either as the NotOnOrAfter attribute of the <Conditions> element or as the NotOnOrAfter
         * attribute of a suitable <SubjectConfirmationData> element.
         */
    /*
         * The <Subject> element MUST contain at least one <SubjectConfirmation> element that allows the
         * authorization server to confirm it as a Bearer Assertion.  Such a <SubjectConfirmation> element MUST
         * have a Method attribute with a value of "urn:oasis:names:tc:SAML:1.0:cm:bearer".  The
         * <SubjectConfirmation> element MUST contain a <SubjectConfirmationData> element, unless the Assertion
         * has a suitable NotOnOrAfter attribute on the <Conditions> element, in which case the
         * <SubjectConfirmationData> element MAY be omitted.
         * The <SubjectConfirmationData> element MUST have a NotOnOrAfter attribute that limits the window during
         * which the Assertion can be confirmed.  The <SubjectConfirmationData> element MAY also contain an Address
         * attribute limiting the client address from which the Assertion can be delivered.  Verification of the
         * Address is at the discretion of the authorization server.
         */
    DateTime notOnOrAfterFromConditions = null;
    Set<DateTime> notOnOrAfterFromSubjectConfirmations = new HashSet<DateTime>();
    boolean bearerFound = false;
    if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null) {
        notOnOrAfterFromConditions = assertion.getConditions().getNotOnOrAfter();
    }
    SubjectConfirmation subjectConfirmation = subject.getSubjectConfirmation();
    List<ConfirmationMethod> confirmationMethods = subjectConfirmation.getConfirmationMethods();
    for (ConfirmationMethod confirmationMethod : confirmationMethods) {
        if (OAuthConstants.OAUTH_SAML1_BEARER_METHOD.equals(confirmationMethod.getConfirmationMethod())) {
            bearerFound = true;
        }
    }
    if (!bearerFound) {
        if (log.isDebugEnabled()) {
            log.debug("Cannot find a subject confirmation with method " + OAuthConstants.OAUTH_SAML1_BEARER_METHOD + " in subject confirmation " + subject.getSubjectConfirmation());
        }
        return false;
    }
    XMLObject confirmationData = subject.getSubjectConfirmation().getSubjectConfirmationData();
    if (confirmationData == null) {
        log.warn("Subject confirmation data is missing.");
    }
    /*
         * The authorization server MUST verify that the NotOnOrAfter instant has not passed, subject to allowable
         * clock skew between systems.  An invalid NotOnOrAfter instant on the <Conditions> element invalidates
         * the entire Assertion.  An invalid NotOnOrAfter instant on a <SubjectConfirmationData> element only
         * invalidates the individual <SubjectConfirmation>.  The authorization server MAY reject Assertions with
         * a NotOnOrAfter instant that is unreasonably far in the future.  The authorization server MAY ensure
         * that Bearer Assertions are not replayed, by maintaining the set of used ID values for the length of
         * time for which the Assertion would be considered valid based on the applicable NotOnOrAfter instant.
         */
    long timestampSkewInMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
    if (notOnOrAfterFromConditions != null && notOnOrAfterFromConditions.plus(timestampSkewInMillis).isBeforeNow()) {
        // notOnOrAfter is an expired timestamp
        if (log.isDebugEnabled()) {
            log.debug("NotOnOrAfter is having an expired timestamp in Conditions element");
        }
        return false;
    }
    boolean validSubjectConfirmationDataExists = false;
    if (!notOnOrAfterFromSubjectConfirmations.isEmpty()) {
        for (DateTime entry : notOnOrAfterFromSubjectConfirmations) {
            if (entry.plus(timestampSkewInMillis).isAfterNow()) {
                validSubjectConfirmationDataExists = true;
            }
        }
    }
    if (notOnOrAfterFromConditions == null && !validSubjectConfirmationDataExists) {
        if (log.isDebugEnabled()) {
            log.debug("No valid NotOnOrAfter element found in SubjectConfirmations");
        }
        return false;
    }
    try {
        profileValidator.validate(assertion.getSignature());
    } catch (SignatureException e) {
        // Indicates signature did not conform to SAML1.0 Signature profile
        if (log.isDebugEnabled()) {
            log.debug("Signature did not conform to SAML1.0 Signature profile", e);
        }
        return false;
    }
    X509Certificate x509Certificate = null;
    try {
        x509Certificate = (X509Certificate) IdentityApplicationManagementUtil.decodeCertificate(identityProvider.getCertificate());
    } catch (CertificateException e) {
        String message = "Error occurred while decoding public certificate of Identity Provider " + identityProvider.getIdentityProviderName() + " for tenant domain " + tenantDomain;
        throw new IdentityOAuth2Exception(message, e);
    }
    try {
        X509Credential x509Credential = new X509CredentialImpl(x509Certificate);
        SignatureValidator.validate(assertion.getSignature(), x509Credential);
        if (log.isDebugEnabled()) {
            log.debug("Signature validation successful");
        }
    } catch (SignatureException e) {
        if (log.isDebugEnabled()) {
            log.debug("Signature validation failure:" + e.getMessage(), e);
        }
        return false;
    }
    tokReqMsgCtx.setScope(tokReqMsgCtx.getOauth2AccessTokenReqDTO().getScope());
    // Storing the Assertion. This will be used in OpenID Connect for example
    tokReqMsgCtx.addProperty(OAuthConstants.OAUTH_SAML2_ASSERTION, assertion);
    // Invoking extension
    SAML2TokenCallbackHandler callback = OAuthServerConfiguration.getInstance().getSAML2TokenCallbackHandler();
    if (callback != null) {
        if (log.isDebugEnabled()) {
            log.debug("Invoking the SAML2 Token callback handler");
        }
        callback.handleSAML2Token(tokReqMsgCtx);
    }
    return validGrant;
}
Also used : FederatedAuthenticatorConfig(org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig) ConfirmationMethod(org.opensaml.saml.saml1.core.ConfirmationMethod) CertificateException(java.security.cert.CertificateException) IdentityUnmarshallingException(org.wso2.carbon.identity.saml.common.util.exception.IdentityUnmarshallingException) SignatureException(org.opensaml.xmlsec.signature.support.SignatureException) AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser) AuthenticationStatement(org.opensaml.saml.saml1.core.AuthenticationStatement) Conditions(org.opensaml.saml.saml1.core.Conditions) DateTime(org.joda.time.DateTime) SubjectConfirmation(org.opensaml.saml.saml1.core.SubjectConfirmation) IdentityOAuth2Exception(org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception) X509CredentialImpl(org.wso2.carbon.identity.oauth2.util.X509CredentialImpl) AudienceRestrictionCondition(org.opensaml.saml.saml1.core.AudienceRestrictionCondition) Property(org.wso2.carbon.identity.application.common.model.Property) HashSet(java.util.HashSet) Audience(org.opensaml.saml.saml1.core.Audience) RequestParameter(org.wso2.carbon.identity.oauth2.model.RequestParameter) NodeList(org.w3c.dom.NodeList) Assertion(org.opensaml.saml.saml1.core.Assertion) XMLObject(org.opensaml.core.xml.XMLObject) IdentityProvider(org.wso2.carbon.identity.application.common.model.IdentityProvider) Subject(org.opensaml.saml.saml1.core.Subject) X509Certificate(java.security.cert.X509Certificate) X509Credential(org.opensaml.security.x509.X509Credential) IdentityProviderManagementException(org.wso2.carbon.idp.mgt.IdentityProviderManagementException)

Example 22 with Conditions

use of org.opensaml.saml.saml1.core.Conditions in project identity-inbound-auth-oauth by wso2-extensions.

the class SAML2BearerGrantHandler method validateIdpEntityIdAliasFromSAMLSP.

/**
 * If the token issuer validation fails against the resident identity provider's IdP Entity ID, checks whether the
 * token issuer has been overriden by an "Idp Entity ID Alias" specified in a SAML SSO configuration. The check
 * is done against IdP Entity ID Alias values of SAML SSO configurations in the registry. The SAML SSO
 * configurations that needs to be checked are identified from the audience restrictions in the SAML assertion as
 * it contains the "issuer" of the SAML SSO configuration with respective to the SAML SP.
 *
 * @param assertion
 * @param tenantDomain
 * @return
 * @throws IdentityOAuth2Exception
 */
private Boolean validateIdpEntityIdAliasFromSAMLSP(Assertion assertion, String tenantDomain) throws IdentityOAuth2Exception {
    Conditions conditions = assertion.getConditions();
    List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
    validateAudienceRestriction(audienceRestrictions);
    for (AudienceRestriction audienceRestriction : audienceRestrictions) {
        if (CollectionUtils.isNotEmpty(audienceRestriction.getAudiences())) {
            for (Audience audience : audienceRestriction.getAudiences()) {
                SAMLSSOServiceProviderDO samlssoServiceProviderDO = getSAMLSSOServiceProvider(audience.getAudienceURI(), tenantDomain);
                if (samlssoServiceProviderDO != null) {
                    if (samlssoServiceProviderDO.getIdpEntityIDAlias() != null && samlssoServiceProviderDO.getIdpEntityIDAlias().equals(assertion.getIssuer().getValue())) {
                        if (log.isDebugEnabled()) {
                            log.debug("Token Issuer verified against IdP Entity ID Alias : " + samlssoServiceProviderDO.getIdpEntityIDAlias() + " of SAML Service Provider " + samlssoServiceProviderDO.getIssuer() + " in tenant : " + tenantDomain + ".");
                        }
                        return true;
                    }
                }
            }
        }
    }
    if (log.isDebugEnabled()) {
        log.debug("No SAML Service Provider configuration with IdP Entity ID Alias " + "similar to token issuer found.");
    }
    return false;
}
Also used : AudienceRestriction(org.opensaml.saml.saml2.core.AudienceRestriction) SAMLSSOServiceProviderDO(org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO) Audience(org.opensaml.saml.saml2.core.Audience) Conditions(org.opensaml.saml.saml2.core.Conditions)

Aggregations

Conditions (org.opensaml.saml.saml2.core.Conditions)16 DateTime (org.joda.time.DateTime)8 Assertion (org.opensaml.saml.saml2.core.Assertion)8 Subject (org.opensaml.saml.saml2.core.Subject)7 ArrayList (java.util.ArrayList)5 Attribute (org.opensaml.saml.saml2.core.Attribute)5 AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement)5 AuthnStatement (org.opensaml.saml.saml2.core.AuthnStatement)5 SubjectConfirmation (org.opensaml.saml.saml2.core.SubjectConfirmation)5 EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)4 Issuer (org.opensaml.saml.saml2.core.Issuer)4 NameID (org.opensaml.saml.saml2.core.NameID)4 ZonedDateTime (java.time.ZonedDateTime)3 XMLObject (org.opensaml.core.xml.XMLObject)3 AudienceRestriction (org.opensaml.saml.saml2.core.AudienceRestriction)3 AuthnContext (org.opensaml.saml.saml2.core.AuthnContext)3 AuthnContextClassRef (org.opensaml.saml.saml2.core.AuthnContextClassRef)3 SubjectConfirmationData (org.opensaml.saml.saml2.core.SubjectConfirmationData)3 AssertionBuilder (org.opensaml.saml.saml2.core.impl.AssertionBuilder)3 AttributeBuilder (org.opensaml.saml.saml2.core.impl.AttributeBuilder)3