
Example 46 with Attribute

use of org.opensaml.saml2.core.Attribute in project cas by apereo.

the class AbstractSaml20ObjectBuilder method newAttribute.

/**
 * Builds a SAML2 {@link Attribute} for one entry of the attribute map.
 *
 * <p>The attribute name is the entry key. The friendly name is {@code attributeFriendlyName}
 * when it is non-blank, otherwise the entry key is reused. Values are populated through
 * {@code addAttributeValuesToSaml2Attribute}. The name format is looked up by attribute name in
 * {@code configuredNameFormats} and falls back to {@code defaultNameFormat} when no entry exists.
 *
 * @param attributeFriendlyName the friendly name to assign; blank means "reuse the entry key"
 * @param e                     the attribute entry (key = attribute name, value = raw value(s))
 * @param configuredNameFormats name formats keyed by attribute name; a hit overrides the default
 * @param defaultNameFormat     the name format applied when the attribute has no configured one
 * @return the populated attribute
 */
protected Attribute newAttribute(final String attributeFriendlyName, final Map.Entry<String, Object> e, final Map<String, String> configuredNameFormats, final String defaultNameFormat) {
    final String name = e.getKey();
    final Attribute samlAttribute = newSamlObject(Attribute.class);
    samlAttribute.setName(name);
    // A blank friendly name is not a usable label, so the attribute name itself stands in.
    samlAttribute.setFriendlyName(StringUtils.isNotBlank(attributeFriendlyName) ? attributeFriendlyName : name);
    addAttributeValuesToSaml2Attribute(name, e.getValue(), samlAttribute.getAttributeValues());

    final boolean hasConfiguredFormat = !configuredNameFormats.isEmpty()
        && configuredNameFormats.containsKey(samlAttribute.getName());
    if (hasConfiguredFormat) {
        final String configuredFormat = configuredNameFormats.get(samlAttribute.getName());
        LOGGER.debug("Found name format [{}] for attribute [{}]", configuredFormat, samlAttribute.getName());
        configureAttributeNameFormat(samlAttribute, configuredFormat);
        LOGGER.debug("Attribute [{}] is assigned the name format of [{}]", samlAttribute.getName(), samlAttribute.getNameFormat());
    } else {
        LOGGER.debug("Skipped name format, as no name formats are defined or none is found for attribute [{}]", samlAttribute.getName());
        configureAttributeNameFormat(samlAttribute, defaultNameFormat);
    }
    LOGGER.debug("Attribute [{}] has [{}] value(s)", samlAttribute.getName(), samlAttribute.getAttributeValues().size());
    return samlAttribute;
}
Also used : Attribute(org.opensaml.saml.saml2.core.Attribute)

Example 47 with Attribute

use of org.opensaml.saml2.core.Attribute in project cas by apereo.

the class AbstractSaml20ObjectBuilder method newAttributeStatement.

/**
 * Builds an {@link AttributeStatement} holding one SAML2 attribute per entry of {@code attributes}.
 *
 * <p>Entries whose value is an empty {@link Collection} are skipped (logged at INFO); every other
 * entry, including one with a {@code null} value, is converted via {@code newAttribute}. Friendly
 * names are looked up by attribute name in {@code attributeFriendlyNames}; a missing entry yields
 * {@code null}, so {@code newAttribute} applies its own fallback.
 *
 * @param attributes             attribute name to raw value(s)
 * @param attributeFriendlyNames attribute name to friendly name; may omit names
 * @param configuredNameFormats  attribute name to name format, passed through to {@code newAttribute}
 * @param defaultNameFormat      name format used when none is configured for an attribute
 * @return the statement; it has no attributes when every entry was skipped
 */
public AttributeStatement newAttributeStatement(final Map<String, Object> attributes, final Map<String, String> attributeFriendlyNames, final Map<String, String> configuredNameFormats, final String defaultNameFormat) {
    final AttributeStatement statement = newSamlObject(AttributeStatement.class);
    for (final Map.Entry<String, Object> entry : attributes.entrySet()) {
        final Object rawValue = entry.getValue();
        // Only an empty Collection counts as "no values"; any other value is handed on as-is.
        if (rawValue instanceof Collection<?> && ((Collection<?>) rawValue).isEmpty()) {
            LOGGER.info("Skipping attribute [{}] because it does not have any values.", entry.getKey());
            continue;
        }
        final String friendlyName = attributeFriendlyNames.get(entry.getKey());
        statement.getAttributes().add(newAttribute(friendlyName, entry, configuredNameFormats, defaultNameFormat));
    }
    return statement;
}
Also used : Attribute(org.opensaml.saml.saml2.core.Attribute) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) XMLObject(org.opensaml.core.xml.XMLObject) Map(java.util.Map)

Example 48 with Attribute

use of org.opensaml.saml2.core.Attribute in project verify-hub by alphagov.

the class EidasAttributeStatementAssertionValidator method validateAttributes.

/**
 * Validates the attribute statement of an eIDAS assertion.
 *
 * <p>Checks, in this order: exactly one attribute statement is present; it carries at least one
 * attribute; every key of {@code MANDATORY_ATTRIBUTES} appears among the attribute names; each
 * attribute has a recognised name, at least one value, and a first value whose schema type equals
 * the one in {@code VALID_TYPE_FOR_ATTRIBUTE}. An unexpected name format is only warned about.
 * Each failing check throws immediately, so only the first violation is reported.
 *
 * <p>NOTE(review): only the schema type of the first value is compared; further values of a
 * multi-valued attribute are not type-checked here.
 *
 * @param assertion the assertion whose attribute statements are inspected
 * @throws SamlTransformationErrorException on the first failed check
 */
private void validateAttributes(Assertion assertion) {
    final List<AttributeStatement> statements = assertion.getAttributeStatements();
    if (statements.isEmpty()) {
        final SamlValidationSpecificationFailure missing = SamlTransformationErrorFactory.mdsStatementMissing();
        throw new SamlTransformationErrorException(missing.getErrorMessage(), missing.getLogLevel());
    }
    if (statements.size() > 1) {
        final SamlValidationSpecificationFailure tooMany = SamlTransformationErrorFactory.mdsMultipleStatements();
        throw new SamlTransformationErrorException(tooMany.getErrorMessage(), tooMany.getLogLevel());
    }
    final List<Attribute> attributes = statements.get(0).getAttributes();
    if (attributes.isEmpty()) {
        final SamlValidationSpecificationFailure empty = attributeStatementEmpty(assertion.getID());
        throw new SamlTransformationErrorException(empty.getErrorMessage(), empty.getLogLevel());
    }
    final Set<String> presentNames = attributes.stream().map(Attribute::getName).collect(Collectors.toSet());
    if (!presentNames.containsAll(MANDATORY_ATTRIBUTES.keySet())) {
        final String expected = MANDATORY_ATTRIBUTES.values().stream().collect(Collectors.joining(","));
        final String received = attributes.stream().map(Attribute::getFriendlyName).collect(Collectors.joining(","));
        throw new SamlTransformationErrorException(String.format("Mandatory attributes not provided. Expected %s but got %s", expected, received), Level.ERROR);
    }
    for (final Attribute attribute : attributes) {
        final String name = attribute.getName();
        if (!VALID_EIDAS_ATTRIBUTE_NAMES.contains(name)) {
            final SamlValidationSpecificationFailure unknown = SamlTransformationErrorFactory.mdsAttributeNotRecognised(name);
            throw new SamlTransformationErrorException(unknown.getErrorMessage(), unknown.getLogLevel());
        }
        if (attribute.getAttributeValues().isEmpty()) {
            final SamlValidationSpecificationFailure noValues = SamlTransformationErrorFactory.emptyAttribute(name);
            throw new SamlTransformationErrorException(noValues.getErrorMessage(), noValues.getLogLevel());
        }
        // Only the first value's schema type is compared against the expected type.
        final QName actualType = attribute.getAttributeValues().get(0).getSchemaType();
        if (!VALID_TYPE_FOR_ATTRIBUTE.get(name).equals(actualType)) {
            final SamlValidationSpecificationFailure wrongType = SamlTransformationErrorFactory.attributeWithIncorrectType(name, VALID_TYPE_FOR_ATTRIBUTE.get(name), actualType);
            throw new SamlTransformationErrorException(wrongType.getErrorMessage(), wrongType.getLogLevel());
        }
        // An unexpected name format is not fatal: it is reported as a warning and processing continues.
        final String nameFormat = attribute.getNameFormat();
        if (!VALID_ATTRIBUTE_NAME_FORMATS.contains(nameFormat)) {
            SamlTransformationErrorManager.warn(invalidAttributeNameFormat(nameFormat));
        }
    }
}
Also used : SamlValidationSpecificationFailure(uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure) Attribute(org.opensaml.saml.saml2.core.Attribute) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) SamlTransformationErrorException(uk.gov.ida.saml.core.validation.SamlTransformationErrorException) QName(javax.xml.namespace.QName)

Example 49 with Attribute

use of org.opensaml.saml2.core.Attribute in project pac4j by pac4j.

the class SAML2DefaultResponseValidator method buildSAML2Credentials.

/**
 * Assembles {@link SAML2Credentials} from the subject assertion held by {@code context}.
 *
 * <p>Collected from the assertion: the subject NameID, the issuer entity id, the session index
 * (via {@code getSessionIndex}), the AuthnContextClassRef of every AuthnStatement, the conditions,
 * and the attributes of all AttributeStatements. Encrypted attributes are decrypted with
 * {@code decrypter} and appended after the plain attributes of the same statement. When no
 * decrypter is configured they are dropped with a warning; an attribute whose decryption fails is
 * skipped with a warning rather than failing the whole credential.
 *
 * @param context the message context holding the subject assertion and its NameID
 * @return the credentials built from the assertion
 */
protected final SAML2Credentials buildSAML2Credentials(final SAML2MessageContext context) {
    final NameID nameId = context.getSAMLSubjectNameIdentifierContext().getSAML2SubjectNameID();
    final Assertion assertion = context.getSubjectAssertion();
    final String sessionIndex = getSessionIndex(assertion);
    final String issuerEntityId = assertion.getIssuer().getValue();

    final List<String> authnContexts = new ArrayList<>();
    for (final AuthnStatement authnStatement : assertion.getAuthnStatements()) {
        authnContexts.add(authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef());
    }

    final List<Attribute> attributes = new ArrayList<>();
    for (final AttributeStatement statement : assertion.getAttributeStatements()) {
        attributes.addAll(statement.getAttributes());
        final List<EncryptedAttribute> encrypted = statement.getEncryptedAttributes();
        if (encrypted.isEmpty()) {
            continue;
        }
        if (decrypter == null) {
            // Without a decrypter the encrypted attributes cannot be read; they are left out.
            logger.warn("Encrypted attributes returned, but no keystore was provided.");
            continue;
        }
        for (final EncryptedAttribute encryptedAttribute : encrypted) {
            try {
                attributes.add(decrypter.decrypt(encryptedAttribute));
            } catch (final DecryptionException e) {
                // Best effort: one undecryptable attribute does not discard the others.
                logger.warn("Decryption of attribute failed, continue with the next one", e);
            }
        }
    }
    return new SAML2Credentials(nameId, issuerEntityId, attributes, assertion.getConditions(), sessionIndex, authnContexts);
}
Also used : EncryptedAttribute(org.opensaml.saml.saml2.core.EncryptedAttribute) NameID(org.opensaml.saml.saml2.core.NameID) Attribute(org.opensaml.saml.saml2.core.Attribute) EncryptedAttribute(org.opensaml.saml.saml2.core.EncryptedAttribute) SAML2Credentials(org.pac4j.saml.credentials.SAML2Credentials) EncryptedAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion) Assertion(org.opensaml.saml.saml2.core.Assertion) ArrayList(java.util.ArrayList) AttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement) AuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement) DecryptionException(org.opensaml.xmlsec.encryption.support.DecryptionException) SAMLNameIdDecryptionException(org.pac4j.saml.exceptions.SAMLNameIdDecryptionException)

Example 50 with Attribute

use of org.opensaml.saml2.core.Attribute in project pac4j by pac4j.

the class SAML2Authenticator method validate.

/**
 * Populates a {@link SAML2Profile} from the given credentials and attaches it to them.
 *
 * <p>The profile id is the NameID value. NameID format and qualifiers, issuer id and authn
 * contexts are stored as authentication attributes; the session index as a regular attribute.
 * Each SAML attribute contributes the text content of its values' DOM elements (a value without
 * a DOM element is skipped with a warning); a non-empty value list is added under the attribute
 * name and, when the friendly name is non-blank, again under the friendly name. Condition bounds
 * are stored as both regular and authentication attributes.
 *
 * <p>NOTE(review): name and friendly name are both supplied by the IdP and both feed the same
 * {@code PROFILE_ATTRIBUTE} conversion; if one attribute's friendly name equals another
 * attribute's name they target the same profile key — confirm how {@code convertAndAdd} handles
 * that.
 *
 * @param credentials the validated SAML2 credentials; receives the built profile
 * @param context     the web context; not read by this method
 */
@Override
public void validate(final SAML2Credentials credentials, final WebContext context) {
    init();
    final SAML2Profile profile = getProfileDefinition().newProfile();
    final NameID nameId = credentials.getNameId();
    profile.setId(nameId.getValue());
    profile.addAttribute(SESSION_INDEX, credentials.getSessionIndex());
    profile.addAuthenticationAttribute(SAML_NAME_ID_FORMAT, nameId.getFormat());
    profile.addAuthenticationAttribute(SAML_NAME_ID_NAME_QUALIFIER, nameId.getNameQualifier());
    profile.addAuthenticationAttribute(SAML_NAME_ID_SP_NAME_QUALIFIER, nameId.getSPNameQualifier());
    profile.addAuthenticationAttribute(SAML_NAME_ID_SP_PROVIDED_ID, nameId.getSPProvidedID());

    for (final Attribute attribute : credentials.getAttributes()) {
        logger.debug("Processing profile attribute {}", attribute);
        final String name = attribute.getName();
        final String friendlyName = attribute.getFriendlyName();
        final List<String> values = new ArrayList<>();
        for (final XMLObject attributeValue : attribute.getAttributeValues()) {
            final Element dom = attributeValue.getDOM();
            if (dom == null) {
                logger.warn("Attribute value DOM element is null for {}", attribute);
                continue;
            }
            // The raw text content of the value element is what ends up in the profile.
            final String text = dom.getTextContent();
            logger.debug("Adding attribute value {} for attribute {} / {}", text, name, friendlyName);
            values.add(text);
        }
        if (values.isEmpty()) {
            logger.debug("No attribute values found for {}", name);
            continue;
        }
        getProfileDefinition().convertAndAdd(profile, PROFILE_ATTRIBUTE, name, values);
        if (CommonHelper.isNotBlank(friendlyName)) {
            getProfileDefinition().convertAndAdd(profile, PROFILE_ATTRIBUTE, friendlyName, values);
        }
    }

    profile.addAuthenticationAttribute(ISSUER_ID, credentials.getIssuerId());
    profile.addAuthenticationAttribute(AUTHN_CONTEXT, credentials.getAuthnContexts());

    // Condition bounds are exposed twice on purpose (regular and authentication attributes)
    // so that existing consumers of either view keep working.
    final Conditions conditions = credentials.getConditions();
    if (conditions != null) {
        profile.addAttribute(SAML_CONDITION_NOT_BEFORE_ATTRIBUTE, conditions.getNotBefore());
        profile.addAuthenticationAttribute(SAML_CONDITION_NOT_BEFORE_ATTRIBUTE, conditions.getNotBefore());
        profile.addAttribute(SAML_CONDITION_NOT_ON_OR_AFTER_ATTRIBUTE, conditions.getNotOnOrAfter());
        profile.addAuthenticationAttribute(SAML_CONDITION_NOT_ON_OR_AFTER_ATTRIBUTE, conditions.getNotOnOrAfter());
    }
    credentials.setUserProfile(profile);
}
Also used : NameID(org.opensaml.saml.saml2.core.NameID) Attribute(org.opensaml.saml.saml2.core.Attribute) SAML2Profile(org.pac4j.saml.profile.SAML2Profile) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) XMLObject(org.opensaml.core.xml.XMLObject) Conditions(org.opensaml.saml.saml2.core.Conditions)
