Search in sources :

Example 31 with Response

use of org.opensaml.saml.saml2.ecp.Response in project ddf by codice.

the class LogoutRequestServiceTest method testSendLogoutRequestNoSupportedBindings.

@Test
public void testSendLogoutRequestNoSupportedBindings() throws Exception {
    String encryptedNameIdWithTime = nameId + "\n" + time;
    when(encryptionService.decrypt(any(String.class))).thenReturn(nameId + "\n" + time);
    when(idpMetadata.getSingleLogoutBinding()).thenReturn("urn:oasis:names:tc:SAML:2.0:bindings:SOAP");
    Response response = logoutRequestService.sendLogoutRequest(encryptedNameIdWithTime);
    assertEquals(Response.Status.SEE_OTHER.getStatusCode(), response.getStatus());
    String msg = "The identity provider does not support either POST or Redirect bindings.".replaceAll(" ", "+");
    assertTrue("Expected message containing " + msg, response.getLocation().getQuery().contains(msg));
}
Also used : LogoutResponse(org.opensaml.saml.saml2.core.LogoutResponse) Response(javax.ws.rs.core.Response) Matchers.anyString(org.mockito.Matchers.anyString) Test(org.junit.Test)

Example 32 with Response

use of org.opensaml.saml.saml2.ecp.Response in project ddf by codice.

the class LoginFilter method createIssuer.

/**
     * Creates the issuer object for the response.
     *
     * @param issuerValue
     * @return Issuer
     */
private static Issuer createIssuer(String issuerValue) {
    if (issuerBuilder == null) {
        issuerBuilder = (SAMLObjectBuilder<Issuer>) builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
    }
    Issuer issuer = issuerBuilder.buildObject();
    issuer.setValue(issuerValue);
    return issuer;
}
Also used : Issuer(org.opensaml.saml.saml2.core.Issuer)

Example 33 with Response

use of org.opensaml.saml.saml2.ecp.Response in project ddf by codice.

the class PaosInInterceptor method getHttpResponse.

HttpResponseWrapper getHttpResponse(String responseConsumerURL, String soapResponse, Message message) throws IOException {
    //This used to use the ApacheHttpTransport which appeared to not work with 2 way TLS auth but this one does
    HttpTransport httpTransport = new NetHttpTransport();
    HttpContent httpContent = new InputStreamContent(TEXT_XML, new ByteArrayInputStream(soapResponse.getBytes("UTF-8")));
    //this handles redirects for us
    ((InputStreamContent) httpContent).setRetrySupported(true);
    HttpRequest httpRequest = httpTransport.createRequestFactory().buildPostRequest(new GenericUrl(responseConsumerURL), httpContent);
    HttpUnsuccessfulResponseHandler httpUnsuccessfulResponseHandler = (request, response, supportsRetry) -> {
        String redirectLocation = response.getHeaders().getLocation();
        if (request.getFollowRedirects() && HttpStatusCodes.isRedirect(response.getStatusCode()) && redirectLocation != null) {
            String method = (String) message.get(Message.HTTP_REQUEST_METHOD);
            HttpContent content = null;
            if (!isRedirectable(method)) {
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                message.setContent(OutputStream.class, byteArrayOutputStream);
                BodyWriter bodyWriter = new BodyWriter();
                bodyWriter.handleMessage(message);
                content = new InputStreamContent((String) message.get(Message.CONTENT_TYPE), new ByteArrayInputStream(byteArrayOutputStream.toByteArray()));
            }
            // resolve the redirect location relative to the current location
            request.setUrl(new GenericUrl(request.getUrl().toURL(redirectLocation)));
            request.setRequestMethod(method);
            request.setContent(content);
            // remove Authorization and If-* headers
            request.getHeaders().setAuthorization((String) null);
            request.getHeaders().setIfMatch(null);
            request.getHeaders().setIfNoneMatch(null);
            request.getHeaders().setIfModifiedSince(null);
            request.getHeaders().setIfUnmodifiedSince(null);
            request.getHeaders().setIfRange(null);
            request.getHeaders().setCookie((String) ((List) response.getHeaders().get("set-cookie")).get(0));
            return true;
        }
        return false;
    };
    httpRequest.setUnsuccessfulResponseHandler(httpUnsuccessfulResponseHandler);
    httpRequest.getHeaders().put(SOAP_ACTION, HTTP_WWW_OASIS_OPEN_ORG_COMMITTEES_SECURITY);
    //has 20 second timeout by default
    HttpResponse httpResponse = httpRequest.execute();
    HttpResponseWrapper httpResponseWrapper = new HttpResponseWrapper();
    httpResponseWrapper.statusCode = httpResponse.getStatusCode();
    httpResponseWrapper.content = httpResponse.getContent();
    return httpResponseWrapper;
}
Also used : HttpRequest(com.google.api.client.http.HttpRequest) RestSecurity(org.codice.ddf.security.common.jaxrs.RestSecurity) StringUtils(org.apache.commons.lang.StringUtils) ByteArrayOutputStream(java.io.ByteArrayOutputStream) SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement) DOMUtils(org.apache.cxf.helpers.DOMUtils) ResponseBuilder(ddf.security.liberty.paos.impl.ResponseBuilder) SOAPException(javax.xml.soap.SOAPException) DOM2Writer(org.apache.wss4j.common.util.DOM2Writer) IDPList(org.opensaml.saml.saml2.core.IDPList) LoggerFactory(org.slf4j.LoggerFactory) AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest) AbstractPhaseInterceptor(org.apache.cxf.phase.AbstractPhaseInterceptor) HttpRequest(com.google.api.client.http.HttpRequest) SamlProtocol(ddf.security.samlp.SamlProtocol) HttpResponse(com.google.api.client.http.HttpResponse) IDPEntry(org.opensaml.saml.saml2.core.IDPEntry) ByteArrayInputStream(java.io.ByteArrayInputStream) Charset(java.nio.charset.Charset) Fault(org.apache.cxf.interceptor.Fault) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Document(org.w3c.dom.Document) Map(java.util.Map) XMLStreamException(javax.xml.stream.XMLStreamException) Node(org.w3c.dom.Node) HttpUnsuccessfulResponseHandler(com.google.api.client.http.HttpUnsuccessfulResponseHandler) GenericUrl(com.google.api.client.http.GenericUrl) OpenSAMLUtil(org.apache.wss4j.common.saml.OpenSAMLUtil) XMLObject(org.opensaml.core.xml.XMLObject) HttpContent(com.google.api.client.http.HttpContent) OutputStream(java.io.OutputStream) NetHttpTransport(com.google.api.client.http.javanet.NetHttpTransport) Response(ddf.security.liberty.paos.Response) Logger(org.slf4j.Logger) Iterator(java.util.Iterator) Message(org.apache.cxf.message.Message) HttpTransport(com.google.api.client.http.HttpTransport) IOException(java.io.IOException) AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException) StandardCharsets(java.nio.charset.StandardCharsets) Request(org.opensaml.saml.saml2.ecp.Request) IOUtils(org.apache.commons.io.IOUtils) Base64(java.util.Base64) List(java.util.List) SOAPPart(javax.xml.soap.SOAPPart) Element(org.w3c.dom.Element) HttpStatusCodes(com.google.api.client.http.HttpStatusCodes) InputStreamContent(com.google.api.client.http.InputStreamContent) InputStream(java.io.InputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream) OutputStream(java.io.OutputStream) HttpUnsuccessfulResponseHandler(com.google.api.client.http.HttpUnsuccessfulResponseHandler) HttpResponse(com.google.api.client.http.HttpResponse) GenericUrl(com.google.api.client.http.GenericUrl) ByteArrayOutputStream(java.io.ByteArrayOutputStream) NetHttpTransport(com.google.api.client.http.javanet.NetHttpTransport) HttpTransport(com.google.api.client.http.HttpTransport) ByteArrayInputStream(java.io.ByteArrayInputStream) NetHttpTransport(com.google.api.client.http.javanet.NetHttpTransport) InputStreamContent(com.google.api.client.http.InputStreamContent) HttpContent(com.google.api.client.http.HttpContent)

Example 34 with Response

use of org.opensaml.saml.saml2.ecp.Response in project ddf by codice.

the class PaosInInterceptor method handleMessage.

@Override
public void handleMessage(Message message) throws Fault {
    List authHeader = (List) ((Map) message.getExchange().getOutMessage().get(Message.PROTOCOL_HEADERS)).get("Authorization");
    String authorization = null;
    if (authHeader != null && authHeader.size() > 0) {
        authorization = (String) authHeader.get(0);
    }
    InputStream content = message.getContent(InputStream.class);
    String contentType = (String) message.get(Message.CONTENT_TYPE);
    if (contentType == null || !contentType.contains(APPLICATION_VND_PAOS_XML)) {
        return;
    }
    try {
        SOAPPart soapMessage = SamlProtocol.parseSoapMessage(IOUtils.toString(content, Charset.forName("UTF-8")));
        Iterator iterator = soapMessage.getEnvelope().getHeader().examineAllHeaderElements();
        IDPEntry idpEntry = null;
        String relayState = "";
        String responseConsumerURL = "";
        String messageId = "";
        while (iterator.hasNext()) {
            Element soapHeaderElement = (SOAPHeaderElement) iterator.next();
            if (RELAY_STATE.equals(soapHeaderElement.getLocalName())) {
                relayState = DOM2Writer.nodeToString(soapHeaderElement);
            } else if (REQUEST.equals(soapHeaderElement.getLocalName()) && soapHeaderElement.getNamespaceURI().equals(URN_OASIS_NAMES_TC_SAML_2_0_PROFILES_SSO_ECP)) {
                try {
                    soapHeaderElement = SamlProtocol.convertDomImplementation(soapHeaderElement);
                    Request ecpRequest = (Request) OpenSAMLUtil.fromDom(soapHeaderElement);
                    IDPList idpList = ecpRequest.getIDPList();
                    if (idpList == null) {
                        throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to determine IdP server."));
                    }
                    List<IDPEntry> idpEntrys = idpList.getIDPEntrys();
                    if (idpEntrys == null || idpEntrys.size() == 0) {
                        throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to determine IdP server."));
                    }
                    //choose the right entry, probably need to do something better than select the first one
                    //but the spec doesn't specify how this is supposed to be done
                    idpEntry = idpEntrys.get(0);
                } catch (WSSecurityException e) {
                    //TODO figure out IdP alternatively
                    LOGGER.info("Unable to determine IdP appropriately. ECP connection will fail. SP may be incorrectly configured. Contact the administrator for the remote system.");
                }
            } else if (REQUEST.equals(soapHeaderElement.getLocalName()) && soapHeaderElement.getNamespaceURI().equals(URN_LIBERTY_PAOS_2003_08)) {
                responseConsumerURL = soapHeaderElement.getAttribute(RESPONSE_CONSUMER_URL);
                messageId = soapHeaderElement.getAttribute(MESSAGE_ID);
            }
        }
        if (idpEntry == null) {
            throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to determine IdP server."));
        }
        String token = createToken(authorization);
        checkAuthnRequest(soapMessage);
        Element authnRequestElement = SamlProtocol.getDomElement(soapMessage.getEnvelope().getBody().getFirstChild());
        String loc = idpEntry.getLoc();
        String soapRequest = buildSoapMessage(token, relayState, authnRequestElement, null);
        HttpResponseWrapper httpResponse = getHttpResponse(loc, soapRequest, null);
        InputStream httpResponseContent = httpResponse.content;
        SOAPPart idpSoapResponse = SamlProtocol.parseSoapMessage(IOUtils.toString(httpResponseContent, Charset.forName("UTF-8")));
        Iterator responseHeaderElements = idpSoapResponse.getEnvelope().getHeader().examineAllHeaderElements();
        String newRelayState = "";
        while (responseHeaderElements.hasNext()) {
            SOAPHeaderElement soapHeaderElement = (SOAPHeaderElement) responseHeaderElements.next();
            if (RESPONSE.equals(soapHeaderElement.getLocalName())) {
                String assertionConsumerServiceURL = soapHeaderElement.getAttribute(ASSERTION_CONSUMER_SERVICE_URL);
                if (!responseConsumerURL.equals(assertionConsumerServiceURL)) {
                    String soapFault = buildSoapFault(ECP_RESPONSE, "The responseConsumerURL does not match the assertionConsumerServiceURL.");
                    httpResponse = getHttpResponse(responseConsumerURL, soapFault, null);
                    message.setContent(InputStream.class, httpResponse.content);
                    return;
                }
            } else if (RELAY_STATE.equals(soapHeaderElement.getLocalName())) {
                newRelayState = DOM2Writer.nodeToString(soapHeaderElement);
                if (StringUtils.isNotEmpty(relayState) && !relayState.equals(newRelayState)) {
                    LOGGER.debug("RelayState does not match between ECP request and response");
                }
                if (StringUtils.isNotEmpty(relayState)) {
                    newRelayState = relayState;
                }
            }
        }
        checkSamlpResponse(idpSoapResponse);
        Element samlpResponseElement = SamlProtocol.getDomElement(idpSoapResponse.getEnvelope().getBody().getFirstChild());
        Response paosResponse = null;
        if (StringUtils.isNotEmpty(messageId)) {
            paosResponse = getPaosResponse(messageId);
        }
        String soapResponse = buildSoapMessage(null, newRelayState, samlpResponseElement, paosResponse);
        httpResponse = getHttpResponse(responseConsumerURL, soapResponse, message.getExchange().getOutMessage());
        if (httpResponse.statusCode < 400) {
            httpResponseContent = httpResponse.content;
            message.setContent(InputStream.class, httpResponseContent);
        } else {
            throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection due to an error."));
        }
    } catch (IOException e) {
        LOGGER.debug("Error encountered while performing ECP handshake.", e);
    } catch (XMLStreamException | SOAPException e) {
        throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. The server's response was not in the correct format."));
    } catch (WSSecurityException e) {
        throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to send SOAP request messages."));
    }
}
Also used : SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement) AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement) Element(org.w3c.dom.Element) AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest) HttpRequest(com.google.api.client.http.HttpRequest) Request(org.opensaml.saml.saml2.ecp.Request) IDPList(org.opensaml.saml.saml2.core.IDPList) Fault(org.apache.cxf.interceptor.Fault) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) IOException(java.io.IOException) HttpResponse(com.google.api.client.http.HttpResponse) Response(ddf.security.liberty.paos.Response) XMLStreamException(javax.xml.stream.XMLStreamException) SOAPException(javax.xml.soap.SOAPException) SOAPPart(javax.xml.soap.SOAPPart) Iterator(java.util.Iterator) IDPList(org.opensaml.saml.saml2.core.IDPList) List(java.util.List) IDPEntry(org.opensaml.saml.saml2.core.IDPEntry)

Example 35 with Response

use of org.opensaml.saml.saml2.ecp.Response in project ddf by codice.

the class AttributeQueryClaimsHandler method getAttributes.

/**
     * Gets the attributes for the supplied user from the external attribute store.
     * Returns null if the AttributeQueryClient is null.
     *
     * @param nameId used for the request.
     * @return The collection of attributes retrieved from the external attribute store.
     * @throws URISyntaxException
     */
protected ProcessedClaimCollection getAttributes(String nameId) throws URISyntaxException {
    ProcessedClaimCollection claimCollection = new ProcessedClaimCollection();
    LOGGER.debug("Sending AttributeQuery Request.");
    AttributeQueryClient attributeQueryClient;
    Assertion assertion;
    try {
        attributeQueryClient = createAttributeQueryClient(simpleSign, externalAttributeStoreUrl, issuer, destination);
        if (attributeQueryClient == null) {
            return null;
        }
        assertion = attributeQueryClient.query(nameId);
        if (assertion != null) {
            createClaims(claimCollection, assertion);
        }
    } catch (AttributeQueryException ex) {
        LOGGER.info("Error occurred in AttributeQueryClient, did not retrieve response. Set log level for \"org.codice.ddf.security.claims.attributequery.common\" to DEBUG for more information.");
        LOGGER.debug("Error occurred in AttributeQueryClient, did not retrieve response.", ex);
    }
    return claimCollection;
}
Also used : ProcessedClaimCollection(org.apache.cxf.sts.claims.ProcessedClaimCollection) Assertion(org.opensaml.saml.saml2.core.Assertion)

Aggregations

Response (org.opensaml.saml.saml2.core.Response)82 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)41 Test (org.junit.Test)41 Element (org.w3c.dom.Element)35 Document (org.w3c.dom.Document)31 DateTime (org.joda.time.DateTime)30 Status (org.opensaml.saml.saml2.core.Status)30 Response (javax.ws.rs.core.Response)29 ResponseBuilder.aResponse (uk.gov.ida.saml.core.test.builders.ResponseBuilder.aResponse)27 LogoutResponse (org.opensaml.saml.saml2.core.LogoutResponse)25 SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)23 SamlValidationResponse (uk.gov.ida.saml.core.validation.SamlValidationResponse)21 Matchers.anyString (org.mockito.Matchers.anyString)20 SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback)18 SubjectConfirmationDataBean (org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)18 Assertion (org.opensaml.saml.saml2.core.Assertion)18 AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)18 InputStream (java.io.InputStream)15 IOException (java.io.IOException)13 Crypto (org.apache.wss4j.common.crypto.Crypto)13