
Example 1 with LogoutRequest

use of org.opensaml.saml2.core.LogoutRequest in project cloudstack by apache.

the class SAMLUtilsTest method testBuildLogoutRequest.

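/**
 * Verifies that {@code SAMLUtils.buildLogoutRequest} carries the destination
 * URL and the SP entity id through into the built {@link LogoutRequest}.
 *
 * <p>The {@code nameId} argument is passed to the builder but is not asserted
 * on here, so this test does not cover the NameID element.
 */
@Test
public void testBuildLogoutRequest() throws Exception {
    final String logoutUrl = "http://logoutUrl";
    final String spId = "cloudstack";
    final String nameId = "_12345";

    LogoutRequest req = SAMLUtils.buildLogoutRequest(logoutUrl, spId, nameId);

    // JUnit's assertEquals takes (expected, actual); the original had them
    // reversed, which makes the failure message report the wrong "expected" value.
    assertEquals(logoutUrl, req.getDestination());
    assertEquals(spId, req.getIssuer().getValue());
}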

Example 2 with LogoutRequest

use of org.opensaml.saml2.core.LogoutRequest in project ddf by codice.

the class IdpEndpoint method processPostLogout.

/**
 * Entry point for the HTTP-POST single-logout binding.
 *
 * <p>Exactly one of the two SAML form parameters is expected. A {@code SAMLRequest}
 * takes precedence when both are present; a {@code SAMLResponse} is only looked at
 * when no request was posted. Each message is base64-inflated, parsed, run through
 * {@code validatePost} and only then handed to the corresponding handler. When
 * neither parameter is present the method falls through to a generic failure.
 *
 * @param samlRequest  base64/deflated LogoutRequest posted by an SP, may be {@code null}
 * @param samlResponse base64/deflated LogoutResponse posted by an SP, may be {@code null}
 * @param relayState   opaque relay state forwarded with a logout request
 * @param request      the servlet request; used to recover the logout state and cookie
 * @return the response produced by {@code handleLogoutRequest} or {@code handleLogoutResponse}
 * @throws IdpException when the payload cannot be inflated or parsed, fails validation,
 *         or when neither SAML parameter was supplied
 * @throws WSSecurityException propagated from the handlers
 */
@Override
@POST
@Path("/logout")
public Response processPostLogout(@FormParam(SAML_REQ) final String samlRequest, @FormParam(SAML_RESPONSE) final String samlResponse, @FormParam(RELAY_STATE) final String relayState, @Context final HttpServletRequest request) throws WSSecurityException, IdpException {
    final LogoutState logoutState = getLogoutState(request);
    final Cookie cookie = getCookie(request);
    final boolean hasRequest = samlRequest != null;
    final boolean hasResponse = samlResponse != null;
    try {
        if (hasRequest) {
            final String inflatedRequest = RestSecurity.inflateBase64(samlRequest);
            final LogoutRequest logoutRequest = logoutMessage.extractSamlLogoutRequest(inflatedRequest);
            // Validation must succeed before the request can affect any session.
            validatePost(request, logoutRequest);
            return handleLogoutRequest(cookie, logoutState, logoutRequest, SamlProtocol.Binding.HTTP_POST, relayState);
        }
        if (hasResponse) {
            final String inflatedResponse = RestSecurity.inflateBase64(samlResponse);
            final LogoutResponse logoutResponse = logoutMessage.extractSamlLogoutResponse(inflatedResponse);
            // Without a tracked logout there is no outstanding request id to match against.
            final String expectedRequestId = (logoutState == null) ? null : logoutState.getCurrentRequestId();
            validatePost(request, logoutResponse, expectedRequestId);
            return handleLogoutResponse(cookie, logoutState, logoutResponse, SamlProtocol.Binding.HTTP_POST);
        }
    } catch (IOException | XMLStreamException e) {
        // Inflate/parse failures are reported separately from validation failures.
        throw new IdpException("Unable to inflate Saml Object", e);
    } catch (ValidationException e) {
        throw new IdpException("Unable to validate Saml Object", e);
    }
    throw new IdpException("Unable to process logout");
}

Example 3 with LogoutRequest

use of org.opensaml.saml2.core.LogoutRequest in project ddf by codice.

the class IdpEndpoint method continueLogout.

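/**
 * Advances an in-progress single logout by one step.
 *
 * <p>While {@code logoutState} still has targets, a LogoutRequest is built for the
 * next one (the original issuer is skipped, as it is answered last) and its id is
 * recorded so the SP's LogoutResponse can be matched later. When no targets remain
 * a LogoutResponse is sent back to the original issuer with either SUCCESS or
 * PARTIAL_LOGOUT status. Targets that have no resolvable logout service, or one on
 * an unsupported binding, are skipped by recursing to the next target.
 *
 * @param logoutState     the tracked logout; must not be {@code null}
 * @param cookie          session cookie under which the logout is tracked
 * @param incomingBinding binding used to look up the target's logout service
 * @return a redirect or POST response carrying the next SAML message
 * @throws IdpException if {@code logoutState} is {@code null}, or if signing, I/O or
 *         security processing fails (the underlying exception is attached as cause)
 */
private Response continueLogout(LogoutState logoutState, Cookie cookie, SamlProtocol.Binding incomingBinding) throws IdpException {
    if (logoutState == null) {
        throw new IdpException("Cannot continue a Logout that doesn't exist!");
    }
    try {
        final SignableSAMLObject logoutObject;
        final String relay;
        final String entityId;
        final SamlProtocol.Type samlType;
        Optional<String> nextTarget = logoutState.getNextTarget();
        if (nextTarget.isPresent()) {
            // Another target exists, log them out
            entityId = nextTarget.get();
            if (logoutState.getOriginalIssuer().equals(entityId)) {
                // The original issuer receives the final LogoutResponse, not a LogoutRequest.
                return continueLogout(logoutState, cookie, incomingBinding);
            }
            LogoutRequest logoutRequest = logoutMessage.buildLogoutRequest(logoutState.getNameId(), SystemBaseUrl.constructUrl("/idp/logout", true));
            // Remembered so the SP's LogoutResponse can be checked against it on the way back.
            logoutState.setCurrentRequestId(logoutRequest.getID());
            logoutObject = logoutRequest;
            samlType = SamlProtocol.Type.REQUEST;
            relay = "";
        } else {
            // No more targets, respond to original issuer
            entityId = logoutState.getOriginalIssuer();
            String status = logoutState.isPartialLogout() ? StatusCode.PARTIAL_LOGOUT : StatusCode.SUCCESS;
            logoutObject = logoutMessage.buildLogoutResponse(SystemBaseUrl.constructUrl("/idp/logout", true), status, logoutState.getOriginalRequestId());
            relay = logoutState.getInitialRelayState();
            // The original code assigned this result to an unused local. The call is kept
            // for any side effect decode(..., true) may have — NOTE(review): confirm whether
            // it is still needed; if not, it can be dropped.
            logoutStates.decode(cookie.getValue(), true);
            samlType = SamlProtocol.Type.RESPONSE;
        }
        LOGGER.debug("Responding to [{}] with a [{}] and relay state [{}]", entityId, samlType, relay);
        // An entity id that is not a known service provider previously dereferenced null
        // and escaped as an uncaught NullPointerException; treat it like a missing service.
        EntityInformation.ServiceInfo entityServiceInfo = Optional.ofNullable(serviceProviders.get(entityId))
                .map(provider -> provider.getLogoutService(incomingBinding))
                .orElse(null);
        if (entityServiceInfo == null) {
            LOGGER.info("Could not find entity service info for {}", entityId);
            return continueLogout(logoutState, cookie, incomingBinding);
        }
        switch(entityServiceInfo.getBinding()) {
            case HTTP_REDIRECT:
                return getSamlRedirectResponse(logoutObject, entityServiceInfo.getUrl(), relay, samlType);
            case HTTP_POST:
                return getSamlPostResponse(logoutObject, entityServiceInfo.getUrl(), relay, samlType);
            default:
                LOGGER.debug("No supported binding available for SP [{}].", entityId);
                // Mark the logout as incomplete so the final response reports PARTIAL_LOGOUT.
                logoutState.setPartialLogout(true);
                return continueLogout(logoutState, cookie, incomingBinding);
        }
    } catch (WSSecurityException | SimpleSign.SignatureException | IOException e) {
        LOGGER.debug("Error while processing logout", e);
        // Keep the cause attached instead of throwing a bare message after the catch.
        throw new IdpException("Server error while processing logout", e);
    }
}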

Example 4 with LogoutRequest

use of org.opensaml.saml2.core.LogoutRequest in project ddf by codice.

the class LogoutRequestServiceTest method testGetLogoutRequestInvalidSignature.

/**
 * A GET logout request whose signature does not verify must not be acted on:
 * the service redirects (303) and the redirect location carries an
 * "Unable to validate" message in its query string.
 */
@Test
public void testGetLogoutRequestInvalidSignature() throws Exception {
    final String relayState = UUID.randomUUID().toString();
    final String rawSamlRequest = "deflatedSamlRequest";
    final String deflatedSamlRequest = RestSecurity.deflateAndBase64Encode(rawSamlRequest);

    // The parsed request is a plain mock; only the signature check is under test here.
    LogoutRequest logoutRequest = mock(LogoutRequest.class);
    when(logoutMessage.extractSamlLogoutRequest(eq(rawSamlRequest))).thenReturn(logoutRequest);

    LogoutRequestService lrs = new LogoutRequestService(simpleSign, idpMetadata, relayStates);
    lrs.setEncryptionService(encryptionService);
    lrs.setLogOutPageTimeOut(LOGOUT_PAGE_TIMEOUT);
    lrs.setLogoutMessage(logoutMessage);
    lrs.setRequest(request);
    lrs.setSessionFactory(sessionFactory);
    lrs.init();

    // "signature" is not a valid signature over the request; "sha1" names the algorithm.
    final String signatureAlgorithm = "sha1";
    final String signature = "signature";
    Response response = lrs.getLogoutRequest(deflatedSamlRequest, null, relayState, signatureAlgorithm, signature);

    assertEquals(Response.Status.SEE_OTHER.getStatusCode(), response.getStatus());
    // The message is expected URL-encoded in the query, with spaces as '+'.
    final String expectedMessage = "Unable to validate".replace(" ", "+");
    assertTrue("Expected message containing " + expectedMessage, response.getLocation().getQuery().contains(expectedMessage));
}

Example 5 with LogoutRequest

use of org.opensaml.saml2.core.LogoutRequest in project ddf by codice.

the class LogoutRequestServiceTest method testSendLogoutRequestGetPostRequest.

/**
 * When the IdP metadata advertises the POST binding for single logout, sending a
 * logout request yields a 200 whose entity (the auto-submitting form page)
 * references the IdP's POST logout URL.
 */
@Test
public void testSendLogoutRequestGetPostRequest() throws Exception {
    final String encryptedNameIdWithTime = nameId + "\n" + time;

    // Decryption is stubbed to hand back the same "nameId\ntime" payload it was given.
    when(encryptionService.decrypt(any(String.class))).thenReturn(encryptedNameIdWithTime);
    when(idpMetadata.getSingleLogoutBinding()).thenReturn(SamlProtocol.POST_BINDING);
    when(idpMetadata.getSingleLogoutLocation()).thenReturn(postLogoutUrl);

    final LogoutRequest stubbedRequest = new LogoutRequestBuilder().buildObject();
    when(logoutMessage.buildLogoutRequest(eq(nameId), anyString())).thenReturn(stubbedRequest);

    Response response = logoutRequestService.sendLogoutRequest(encryptedNameIdWithTime);

    assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
    final String body = response.getEntity().toString();
    assertTrue("Expected logout url of " + postLogoutUrl, body.contains(postLogoutUrl));
}
