Example 21 with Assertion

use of org.opensaml.saml.saml2.core.Assertion in project ddf by codice.

the class AttributeQueryClaimsHandler method getAttributes.

/**
 * Gets the attributes for the supplied user from the external attribute store.
 * Returns null if the AttributeQueryClient is null.
 *
 * @param nameId used for the request.
 * @return The collection of attributes retrieved from the external attribute store.
 * @throws URISyntaxException
 */
protected ProcessedClaimCollection getAttributes(String nameId) throws URISyntaxException {
    ProcessedClaimCollection claimCollection = new ProcessedClaimCollection();
    LOGGER.debug("Sending AttributeQuery Request.");
    AttributeQueryClient attributeQueryClient;
    Assertion assertion;
    try {
        attributeQueryClient = createAttributeQueryClient(simpleSign, externalAttributeStoreUrl, issuer, destination);
        if (attributeQueryClient == null) {
            return null;
        }
        assertion = attributeQueryClient.query(nameId);
        if (assertion != null) {
            createClaims(claimCollection, assertion);
        }
    } catch (AttributeQueryException ex) {
        LOGGER.info("Error occurred in AttributeQueryClient, did not retrieve response. Set log level for \"org.codice.ddf.security.claims.attributequery.common\" to DEBUG for more information.");
        LOGGER.debug("Error occurred in AttributeQueryClient, did not retrieve response.", ex);
    }
    return claimCollection;
}
Also used : ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection) Assertion(org.opensaml.saml.saml2.core.Assertion)

Example 22 with Assertion

use of org.opensaml.saml.saml2.core.Assertion in project ddf by codice.

the class AbstractAuthorizingRealm method doGetAuthorizationInfo.

/**
 * Takes the security attributes about the subject of the incoming security token and builds
 * sets of permissions and roles for use in further checking.
 *
 * @param principalCollection holds the security assertions for the primary principal of this request
 * @return a new collection of permissions and roles corresponding to the security assertions
 * @throws AuthorizationException if there are no security assertions associated with this principal collection or
 *                                if the token cannot be processed successfully.
 */
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
    LOGGER.debug("Retrieving authorization info for {}", principalCollection.getPrimaryPrincipal());
    SecurityAssertion assertion = principalCollection.oneByType(SecurityAssertion.class);
    if (assertion == null) {
        String msg = "No assertion found, cannot retrieve authorization info.";
        throw new AuthorizationException(msg);
    }
    List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
    Set<Permission> permissions = new HashSet<>();
    Set<String> roles = new HashSet<>();
    Map<String, Set<String>> permissionsMap = new HashMap<>();
    Collection<Expansion> expansionServices = getUserExpansionServices();
    for (AttributeStatement curStatement : attributeStatements) {
        addAttributesToMap(curStatement.getAttributes(), permissionsMap, expansionServices);
    }
    for (Map.Entry<String, Set<String>> entry : permissionsMap.entrySet()) {
        permissions.add(new KeyValuePermission(entry.getKey(), entry.getValue()));
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Adding permission: {} : {}", entry.getKey(), StringUtils.join(entry.getValue(), ","));
        }
    }
    if (permissionsMap.containsKey(SAML_ROLE)) {
        roles.addAll(permissionsMap.get(SAML_ROLE));
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Adding roles to authorization info: {}", StringUtils.join(roles, ","));
        }
    }
    info.setObjectPermissions(permissions);
    info.setRoles(roles);
    return info;
}
Also used : SimpleAuthorizationInfo(org.apache.shiro.authz.SimpleAuthorizationInfo) HashSet(java.util.HashSet) Set(java.util.Set) AuthorizationException(org.apache.shiro.authz.AuthorizationException) HashMap(java.util.HashMap) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) XSString(org.opensaml.core.xml.schema.XSString) SecurityAssertion(ddf.security.assertion.SecurityAssertion) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) KeyValuePermission(ddf.security.permission.KeyValuePermission) Permission(org.apache.shiro.authz.Permission) KeyValueCollectionPermission(ddf.security.permission.KeyValueCollectionPermission) Expansion(ddf.security.expansion.Expansion) HashMap(java.util.HashMap) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) KeyValuePermission(ddf.security.permission.KeyValuePermission) HashSet(java.util.HashSet)

Example 23 with Assertion

use of org.opensaml.saml.saml1.core.Assertion in project cas by apereo.

the class Saml10ObjectBuilder method newAssertion.

/**
 * Create a new SAML 1.1 assertion object carrying the given authentication statement.
 *
 * @param authnStatement the authn statement
 * @param issuer the issuer
 * @param issuedAt the issued at
 * @param id the id
 * @return the assertion
 */
public Assertion newAssertion(final AuthenticationStatement authnStatement, final String issuer, final ZonedDateTime issuedAt, final String id) {
    final Assertion assertion = newSamlObject(Assertion.class);
    assertion.setID(id);
    assertion.setIssueInstant(DateTimeUtils.dateTimeOf(issuedAt));
    assertion.setIssuer(issuer);
    assertion.getAuthenticationStatements().add(authnStatement);
    return assertion;
}
Also used : Assertion(org.opensaml.saml.saml1.core.Assertion)

Example 24 with Assertion

use of org.opensaml.saml.saml1.core.Assertion in project cas by apereo.

the class Saml10SuccessResponseView method prepareResponse.

@Override
protected void prepareResponse(final Response response, final Map<String, Object> model) {
    final ZonedDateTime issuedAt = DateTimeUtils.zonedDateTimeOf(response.getIssueInstant());
    final Service service = getAssertionFrom(model).getService();
    LOGGER.debug("Preparing SAML response for service [{}]", service);
    final Authentication authentication = getPrimaryAuthenticationFrom(model);
    final Collection<Object> authnMethods = CollectionUtils.toCollection(authentication.getAttributes().get(SamlAuthenticationMetaDataPopulator.ATTRIBUTE_AUTHENTICATION_METHOD));
    LOGGER.debug("Authentication methods found are [{}]", authnMethods);
    final Principal principal = getPrincipal(model);
    final AuthenticationStatement authnStatement = this.samlObjectBuilder.newAuthenticationStatement(authentication.getAuthenticationDate(), authnMethods, principal.getId());
    LOGGER.debug("Built authentication statement for [{}] dated at [{}]", principal, authentication.getAuthenticationDate());
    final Assertion assertion = this.samlObjectBuilder.newAssertion(authnStatement, this.issuer, issuedAt, this.samlObjectBuilder.generateSecureRandomId());
    LOGGER.debug("Built assertion for issuer [{}] dated at [{}]", this.issuer, issuedAt);
    final Conditions conditions = this.samlObjectBuilder.newConditions(issuedAt, service.getId(), this.skewAllowance);
    assertion.setConditions(conditions);
    LOGGER.debug("Built assertion conditions for issuer [{}] and service [{}] ", this.issuer, service.getId());
    final Subject subject = this.samlObjectBuilder.newSubject(principal.getId());
    LOGGER.debug("Built subject for principal [{}]", principal);
    final Map<String, Object> attributesToSend = prepareSamlAttributes(model, service);
    LOGGER.debug("Authentication statement shall include these attributes [{}]", attributesToSend);
    if (!attributesToSend.isEmpty()) {
        assertion.getAttributeStatements().add(this.samlObjectBuilder.newAttributeStatement(subject, attributesToSend, this.defaultAttributeNamespace));
    }
    response.setStatus(this.samlObjectBuilder.newStatus(StatusCode.SUCCESS, null));
    LOGGER.debug("Set response status code to [{}]", response.getStatus());
    response.getAssertions().add(assertion);
}
Also used : ZonedDateTime(java.time.ZonedDateTime) Authentication(org.apereo.cas.authentication.Authentication) Assertion(org.opensaml.saml.saml1.core.Assertion) RegisteredService(org.apereo.cas.services.RegisteredService) Service(org.apereo.cas.authentication.principal.Service) Principal(org.apereo.cas.authentication.principal.Principal) AuthenticationStatement(org.opensaml.saml.saml1.core.AuthenticationStatement) Conditions(org.opensaml.saml.saml1.core.Conditions) Subject(org.opensaml.saml.saml1.core.Subject)

Example 25 with Assertion

use of org.opensaml.saml.saml1.core.Assertion in project cas by apereo.

the class WsFederationHelper method createCredentialFromToken.

/**
 * createCredentialFromToken converts a SAML 1.1 assertion to a WSFederationCredential.
 *
 * @param assertion the provided assertion
 * @return an equivalent credential.
 */
public WsFederationCredential createCredentialFromToken(final Assertion assertion) {
    final ZonedDateTime retrievedOn = ZonedDateTime.now();
    LOGGER.debug("Retrieved on [{}]", retrievedOn);
    final WsFederationCredential credential = new WsFederationCredential();
    credential.setRetrievedOn(retrievedOn);
    credential.setId(assertion.getID());
    credential.setIssuer(assertion.getIssuer());
    credential.setIssuedOn(ZonedDateTime.parse(assertion.getIssueInstant().toDateTimeISO().toString()));
    final Conditions conditions = assertion.getConditions();
    if (conditions != null) {
        credential.setNotBefore(ZonedDateTime.parse(conditions.getNotBefore().toDateTimeISO().toString()));
        credential.setNotOnOrAfter(ZonedDateTime.parse(conditions.getNotOnOrAfter().toDateTimeISO().toString()));
        if (!conditions.getAudienceRestrictionConditions().isEmpty()) {
            credential.setAudience(conditions.getAudienceRestrictionConditions().get(0).getAudiences().get(0).getUri());
        }
    }
    if (!assertion.getAuthenticationStatements().isEmpty()) {
        credential.setAuthenticationMethod(assertion.getAuthenticationStatements().get(0).getAuthenticationMethod());
    }
    // retrieve the attributes from the assertion's AttributeStatements
    final HashMap<String, List<Object>> attributes = new HashMap<>();
    assertion.getAttributeStatements().stream().flatMap(attributeStatement -> attributeStatement.getAttributes().stream()).forEach(item -> {
        LOGGER.debug("Processed attribute: [{}]", item.getAttributeName());
        final List<Object> itemList = IntStream.range(0, item.getAttributeValues().size()).mapToObj(i -> ((XSAny) item.getAttributeValues().get(i)).getTextContent()).collect(Collectors.toList());
        if (!itemList.isEmpty()) {
            attributes.put(item.getAttributeName(), itemList);
        }
    });
    credential.setAttributes(attributes);
    LOGGER.debug("Credential: [{}]", credential);
    return credential;
}
Also used : XSAny(org.opensaml.core.xml.schema.XSAny) ChainingEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver) KeyPair(java.security.KeyPair) ExplicitKeySignatureTrustEngine(org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine) Assertion(org.opensaml.saml.saml1.core.Assertion) ZonedDateTime(java.time.ZonedDateTime) StaticCredentialResolver(org.opensaml.security.credential.impl.StaticCredentialResolver) LoggerFactory(org.slf4j.LoggerFactory) Security(java.security.Security) SamlUtils(org.apereo.cas.support.saml.SamlUtils) Conditions(org.opensaml.saml.saml1.core.Conditions) StaticKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver) ByteArrayInputStream(java.io.ByteArrayInputStream) SignatureException(org.opensaml.xmlsec.signature.support.SignatureException) Document(org.w3c.dom.Document) PEMEncryptedKeyPair(org.bouncycastle.openssl.PEMEncryptedKeyPair) WsFederationCredential(org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential) UsageType(org.opensaml.security.credential.UsageType) SecurityException(org.opensaml.security.SecurityException) PEMParser(org.bouncycastle.openssl.PEMParser) PEMDecryptorProvider(org.bouncycastle.openssl.PEMDecryptorProvider) ProtocolCriterion(org.opensaml.saml.criterion.ProtocolCriterion) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) Collectors(java.util.stream.Collectors) StandardCharsets(java.nio.charset.StandardCharsets) OpenSamlConfigBean(org.apereo.cas.support.saml.OpenSamlConfigBean) List(java.util.List) KeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver) EntityRoleCriterion(org.opensaml.saml.criterion.EntityRoleCriterion) CriteriaSet(net.shibboleth.utilities.java.support.resolver.CriteriaSet) RequestedSecurityToken(org.opensaml.soap.wsfed.RequestedSecurityToken) UnmarshallerFactory(org.opensaml.core.xml.io.UnmarshallerFactory) EncryptedData(org.opensaml.xmlsec.encryption.EncryptedData) EncryptedElementTypeEncryptedKeyResolver(org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver) IntStream(java.util.stream.IntStream) EncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver) JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter) UsageCriterion(org.opensaml.security.criteria.UsageCriterion) HashMap(java.util.HashMap) SignaturePrevalidator(org.opensaml.xmlsec.signature.support.SignaturePrevalidator) ArrayList(java.util.ArrayList) Decrypter(org.opensaml.saml.saml2.encryption.Decrypter) JcePEMDecryptorProviderBuilder(org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder) X509CertParser(org.bouncycastle.jce.provider.X509CertParser) SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator) IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) XMLObject(org.opensaml.core.xml.XMLObject) X509CertificateObject(org.bouncycastle.jce.provider.X509CertificateObject) SAMLConstants(org.opensaml.saml.common.xml.SAMLConstants) CredentialResolver(org.opensaml.security.credential.CredentialResolver) SignatureTrustEngine(org.opensaml.xmlsec.signature.support.SignatureTrustEngine) InlineEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver) RequestSecurityTokenResponse(org.opensaml.soap.wsfed.RequestSecurityTokenResponse) Logger(org.slf4j.Logger) Credential(org.opensaml.security.credential.Credential) Unmarshaller(org.opensaml.core.xml.io.Unmarshaller) Throwables(com.google.common.base.Throwables) InputStreamReader(java.io.InputStreamReader) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) Element(org.w3c.dom.Element) EntityIdCriterion(org.opensaml.core.criterion.EntityIdCriterion) PEMKeyPair(org.bouncycastle.openssl.PEMKeyPair) BufferedReader(java.io.BufferedReader) SimpleRetrievalMethodEncryptedKeyResolver(org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver) InputStream(java.io.InputStream) ZonedDateTime(java.time.ZonedDateTime) HashMap(java.util.HashMap) List(java.util.List) ArrayList(java.util.ArrayList) XMLObject(org.opensaml.core.xml.XMLObject) X509CertificateObject(org.bouncycastle.jce.provider.X509CertificateObject) Conditions(org.opensaml.saml.saml1.core.Conditions) WsFederationCredential(org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential) XSAny(org.opensaml.core.xml.schema.XSAny)

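Two things a relying party needs that Example 25 does not show in this method: createCredentialFromToken copies NotBefore, NotOnOrAfter and the first Audience into the credential but enforces none of them here (the issuing side in Example 24 sets them via newConditions with a skewAllowance, so they are meant to be checked), and the unconditional cast to XSAny throws ClassCastException as soon as an attribute value is typed xs:string. The class below is an added example, not CAS or DDF code; it uses only the OpenSAML 3 SAML 1.1 accessors that appear on this page, assumes the assertion's signature has already been verified (the signature-validation types in the class's import list above indicate that step lives elsewhere in WsFederationHelper), and takes the expected audience URI and skew allowance as constructor arguments that the caller is assumed to configure.

```java
import java.util.List;
import java.util.stream.Collectors;

import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.schema.XSAny;
import org.opensaml.core.xml.schema.XSString;
import org.opensaml.saml.saml1.core.Assertion;
import org.opensaml.saml.saml1.core.Audience;
import org.opensaml.saml.saml1.core.AudienceRestrictionCondition;
import org.opensaml.saml.saml1.core.Conditions;

/**
 * Added example (not project code). Enforces the SAML 1.1 Conditions that
 * createCredentialFromToken only copies, then reads attribute values without
 * assuming every value is an XSAny. Assumption: the caller has already verified
 * the assertion signature against the IdP's key; nothing here checks it.
 */
public final class Saml1AssertionChecks {

    private final String expectedAudience; // assumption: this SP's audience URI, supplied by the caller
    private final long skewSeconds;        // assumption: tolerated clock skew, same role as skewAllowance in Example 24

    public Saml1AssertionChecks(final String expectedAudience, final long skewSeconds) {
        this.expectedAudience = expectedAudience;
        this.skewSeconds = skewSeconds;
    }

    /**
     * Throws java.lang.SecurityException (not OpenSAML's) unless the assertion is
     * currently valid and addressed to this audience. Call before mapping attributes
     * to roles or permissions as Example 22 does.
     */
    public void enforceConditions(final Assertion assertion, final DateTime now) {
        final String id = assertion.getID();
        final Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            // A bearer assertion with no validity window and no audience can be replayed anywhere.
            throw new SecurityException("Assertion " + id + " carries no Conditions");
        }
        final DateTime notBefore = conditions.getNotBefore();
        if (notBefore != null && now.isBefore(notBefore.minusSeconds((int) skewSeconds))) {
            throw new SecurityException("Assertion " + id + " is not yet valid (NotBefore=" + notBefore + ")");
        }
        final DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (notOnOrAfter == null) {
            throw new SecurityException("Assertion " + id + " has no NotOnOrAfter; refusing an open-ended assertion");
        }
        if (!now.isBefore(notOnOrAfter.plusSeconds((int) skewSeconds))) {
            throw new SecurityException("Assertion " + id + " has expired (NotOnOrAfter=" + notOnOrAfter + ")");
        }
        final List<AudienceRestrictionCondition> restrictions = conditions.getAudienceRestrictionConditions();
        if (restrictions.isEmpty()) {
            throw new SecurityException("Assertion " + id + " has no AudienceRestrictionCondition");
        }
        // SAML 1.1 semantics: every AudienceRestrictionCondition must be satisfied, and one is
        // satisfied when any of its Audience values names this service provider.
        for (final AudienceRestrictionCondition restriction : restrictions) {
            final boolean matched = restriction.getAudiences().stream()
                    .map(Audience::getUri)
                    .anyMatch(expectedAudience::equals);
            if (!matched) {
                throw new SecurityException("Assertion " + id + " is not addressed to " + expectedAudience);
            }
        }
    }

    /**
     * Text of every value of the named attribute across all AttributeStatements.
     * Handles xs:anyType (XSAny) and xs:string (XSString); other value types are
     * skipped instead of being cast blindly.
     */
    public List<String> attributeValues(final Assertion assertion, final String attributeName) {
        return assertion.getAttributeStatements().stream()
                .flatMap(statement -> statement.getAttributes().stream())
                .filter(attribute -> attributeName.equals(attribute.getAttributeName()))
                .flatMap(attribute -> attribute.getAttributeValues().stream())
                .map(Saml1AssertionChecks::textOf)
                .filter(text -> text != null)
                .collect(Collectors.toList());
    }

    private static String textOf(final XMLObject value) {
        if (value instanceof XSString) {
            return ((XSString) value).getValue();
        }
        if (value instanceof XSAny) {
            return ((XSAny) value).getTextContent();
        }
        return null;
    }
}
```

Call enforceConditions(assertion, DateTime.now()) first and only then read attributes; rejecting assertions that lack Conditions or NotOnOrAfter is deliberate, since an unbounded bearer assertion from a federation partner is a replay token, and a relying party that wants to accept them should make that an explicit configuration choice rather than the default.
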
Aggregations

Assertion (org.opensaml.saml.saml1.core.Assertion)11 Assertion (org.opensaml.saml.saml2.core.Assertion)10 Element (org.w3c.dom.Element)8 Test (org.junit.Test)7 ZonedDateTime (java.time.ZonedDateTime)6 Assertion (org.opensaml.saml2.core.Assertion)6 AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement)5 SecurityAssertion (ddf.security.assertion.SecurityAssertion)4 SecureRandom (java.security.SecureRandom)4 HttpServletResponse (javax.servlet.http.HttpServletResponse)4 WsFederationCredential (org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential)4 Response (org.opensaml.saml.saml2.core.Response)4 ByteArrayInputStream (java.io.ByteArrayInputStream)3 DateTime (org.joda.time.DateTime)3 EncryptedAssertion (org.opensaml.saml.saml2.core.EncryptedAssertion)3 Document (org.w3c.dom.Document)3 SecurityServiceException (ddf.security.service.SecurityServiceException)2 IOException (java.io.IOException)2 X509Certificate (java.security.cert.X509Certificate)2 ArrayList (java.util.ArrayList)2