Example 26 with Credential

Use of org.opensaml.security.credential.Credential in project verify-hub by alphagov.

The class MatchingServiceRequestSenderTest, method socketTimeoutRetryWithBackoffTests_thirdCallFailsAndThrowsException.

@Test
public void socketTimeoutRetryWithBackoffTests_thirdCallFailsAndThrowsException() {
    final String firstCallState = "Call 1 Complete";
    final String secondCallState = "Call 2 Complete";
    final String thirdCallState = "Call 3 Complete";
    final String scenarioName = "socket timeout scenario";
    // All three stubbed responses are delayed by 2000 ms, so every attempt exceeds the client's socket timeout.
    errorSimulationServer.stubFor(post(urlEqualTo(attibute_query_resource))
            .inScenario(scenarioName).whenScenarioStateIs(Scenario.STARTED)
            .willReturn(WireMock.aResponse().withFixedDelay(2000).withStatus(Response.Status.OK.getStatusCode())
                    .withHeader("Content-Type", MediaType.TEXT_XML_TYPE.toString()).withBody(soapResponse))
            .willSetStateTo(firstCallState));
    errorSimulationServer.stubFor(post(urlEqualTo(attibute_query_resource))
            .inScenario(scenarioName).whenScenarioStateIs(firstCallState)
            .willReturn(WireMock.aResponse().withFixedDelay(2000).withStatus(Response.Status.OK.getStatusCode())
                    .withHeader("Content-Type", MediaType.TEXT_XML_TYPE.toString()).withBody(soapResponse))
            .willSetStateTo(secondCallState));
    errorSimulationServer.stubFor(post(urlEqualTo(attibute_query_resource))
            .inScenario(scenarioName).whenScenarioStateIs(secondCallState)
            .willReturn(WireMock.aResponse().withStatus(Response.Status.OK.getStatusCode()).withFixedDelay(2000)
                    .withHeader("Content-Type", MediaType.TEXT_XML_TYPE.toString()).withBody(soapResponse))
            .willSetStateTo(thirdCallState));
    // The attribute query is signed with the hub's signing credential and issued under the hub entity ID.
    Credential signingCredential = hubSigningCredential;
    AttributeQueryContainerDto attributeQueryContainerDto = AttributeQueryContainerDtoBuilder.anAttributeQueryContainerDto(
            AttributeQueryBuilder.anAttributeQuery()
                    .withSignature(SignatureBuilder.aSignature().withSigningCredential(signingCredential).build())
                    .withIssuer(IssuerBuilder.anIssuer().withIssuerId(HUB_ENTITY_ID).build()).build())
            .withIssuerId(HUB_ENTITY_ID).withMatchingServiceUri(msaStub.getAttributeQueryRequestUri()).build();
    long start = System.currentTimeMillis();
    SoapMessageManager soapMessageManager = new SoapMessageManager();
    Document requestDocument = soapMessageManager.wrapWithSoapEnvelope(convertToElementAndValidate(attributeQueryContainerDto));
    Entity entity = Entity.xml(requestDocument);
    try {
        backOffClient.target(URI.create(format("http://localhost:%d%s", errorSimulationServer.port(), attibute_query_resource)))
                .request(MediaType.TEXT_XML_TYPE).post(entity);
        // Without this the test would pass silently if the client never threw.
        fail("expected the request to fail with a socket timeout after the last retry");
    } catch (Exception ex) {
        assertThat(ex).isInstanceOf(ProcessingException.class);
        assertThat(ex.getCause()).isInstanceOf(SocketTimeoutException.class);
    }
    long end = System.currentTimeMillis();
    // All three scenario states must have been visited, and the elapsed time must cover two backoff intervals.
    assertThat(getScenario(scenarioName).getState()).isEqualTo(thirdCallState);
    assertThat((end - start)).isGreaterThanOrEqualTo(getTotalBackoffPeriod(2, Duration.milliseconds(1000)));
}

Example 27 with Credential

Use of org.opensaml.security.credential.Credential in project verify-hub by alphagov.

The class MatchingServiceRequestSenderTest, method sendHubMatchingServiceRequest_shouldAcceptAValidRequest.

@Test
public void sendHubMatchingServiceRequest_shouldAcceptAValidRequest() {
    // The attribute query is signed with the hub's signing credential and issued under the hub entity ID.
    Credential signingCredential = hubSigningCredential;
    AttributeQueryContainerDto attributeQueryContainerDto = AttributeQueryContainerDtoBuilder.anAttributeQueryContainerDto(
            AttributeQueryBuilder.anAttributeQuery()
                    .withSignature(SignatureBuilder.aSignature().withSigningCredential(signingCredential).build())
                    .withIssuer(IssuerBuilder.anIssuer().withIssuerId(HUB_ENTITY_ID).build()).build())
            .withIssuerId(HUB_ENTITY_ID).withMatchingServiceUri(msaStub.getAttributeQueryRequestUri()).build();
    SessionId sessionId = SessionId.createNewSessionId();
    final URI uri = UriBuilder.fromPath(Urls.SamlSoapProxyUrls.MATCHING_SERVICE_REQUEST_SENDER_RESOURCE).queryParam(Urls.SharedUrls.SESSION_ID_PARAM, sessionId).build();
    String path = UriBuilder.fromPath(ATTRIBUTE_QUERY_RESPONSE_RESOURCE).build(sessionId).getPath();
    policyStub.register(path, 200);
    Response response = makepost(attributeQueryContainerDto, uri);
    assertThat(response.getStatus()).isEqualTo(Response.Status.ACCEPTED.getStatusCode());
    andPolicyShouldReceiveASuccess(sessionId);
}

Example 28 with Credential

Use of org.opensaml.security.credential.Credential in project verify-hub by alphagov.

The class MatchingServiceRequestSenderTest, method socketTimeoutRetryWithBackoffTests_thirdCallSucceeds.

@Test
public void socketTimeoutRetryWithBackoffTests_thirdCallSucceeds() {
    final String firstCallState = "Call 1 Complete";
    final String secondCallState = "Call 2 Complete";
    final String thirdCallState = "Call 3 Complete";
    final String scenarioName = "socket timeout scenario";
    // The first two responses are delayed by 2000 ms and time out; the third has no delay, so the last retry succeeds.
    errorSimulationServer.stubFor(post(urlEqualTo(attibute_query_resource))
            .inScenario(scenarioName).whenScenarioStateIs(Scenario.STARTED)
            .willReturn(WireMock.aResponse().withFixedDelay(2000).withStatus(Response.Status.OK.getStatusCode())
                    .withHeader("Content-Type", MediaType.TEXT_XML_TYPE.toString()).withBody(soapResponse))
            .willSetStateTo(firstCallState));
    errorSimulationServer.stubFor(post(urlEqualTo(attibute_query_resource))
            .inScenario(scenarioName).whenScenarioStateIs(firstCallState)
            .willReturn(WireMock.aResponse().withFixedDelay(2000).withStatus(Response.Status.OK.getStatusCode())
                    .withHeader("Content-Type", MediaType.TEXT_XML_TYPE.toString()).withBody(soapResponse))
            .willSetStateTo(secondCallState));
    errorSimulationServer.stubFor(post(urlEqualTo(attibute_query_resource))
            .inScenario(scenarioName).whenScenarioStateIs(secondCallState)
            .willReturn(WireMock.aResponse().withStatus(Response.Status.OK.getStatusCode())
                    .withHeader("Content-Type", MediaType.TEXT_XML_TYPE.toString()).withBody(soapResponse))
            .willSetStateTo(thirdCallState));
    // The attribute query is signed with the hub's signing credential and issued under the hub entity ID.
    Credential signingCredential = hubSigningCredential;
    AttributeQueryContainerDto attributeQueryContainerDto = AttributeQueryContainerDtoBuilder.anAttributeQueryContainerDto(
            AttributeQueryBuilder.anAttributeQuery()
                    .withSignature(SignatureBuilder.aSignature().withSigningCredential(signingCredential).build())
                    .withIssuer(IssuerBuilder.anIssuer().withIssuerId(HUB_ENTITY_ID).build()).build())
            .withIssuerId(HUB_ENTITY_ID).withMatchingServiceUri(msaStub.getAttributeQueryRequestUri()).build();
    long start = System.currentTimeMillis();
    SoapMessageManager soapMessageManager = new SoapMessageManager();
    Document requestDocument = soapMessageManager.wrapWithSoapEnvelope(convertToElementAndValidate(attributeQueryContainerDto));
    Entity entity = Entity.xml(requestDocument);
    Response response = backOffClient.target(URI.create(format("http://localhost:%d%s", errorSimulationServer.port(), attibute_query_resource)))
            .request(MediaType.TEXT_XML_TYPE).post(entity);
    long end = System.currentTimeMillis();
    // The retried request succeeds, all three scenario states were visited, and the elapsed time covers two backoff intervals.
    assertThat(response.getStatus()).isEqualTo(Response.Status.OK.getStatusCode());
    assertThat(getScenario(scenarioName).getState()).isEqualTo(thirdCallState);
    assertThat((end - start)).isGreaterThanOrEqualTo(getTotalBackoffPeriod(2, Duration.milliseconds(1000)));
}

Example 29 with Credential

Use of org.opensaml.security.credential.Credential in project spring-security by spring-projects.

The class OpenSamlSigningUtils, method resolveSigningCredentials.

private static List<Credential> resolveSigningCredentials(RelyingPartyRegistration relyingPartyRegistration) {
    List<Credential> credentials = new ArrayList<>();
    // Wrap each of the relying party's X.509 signing key pairs as an OpenSAML credential,
    // bound to the relying party's entity ID and restricted to the SIGNING usage type.
    for (Saml2X509Credential x509Credential : relyingPartyRegistration.getSigningX509Credentials()) {
        X509Certificate certificate = x509Credential.getCertificate();
        PrivateKey privateKey = x509Credential.getPrivateKey();
        BasicCredential credential = CredentialSupport.getSimpleCredential(certificate, privateKey);
        credential.setEntityId(relyingPartyRegistration.getEntityId());
        credential.setUsageType(UsageType.SIGNING);
        credentials.add(credential);
    }
    return credentials;
}

Example 30 with Credential

Use of org.opensaml.security.credential.Credential in project spring-security by spring-projects.

The class OpenSamlSigningUtils, method resolveSigningParameters.

private static SignatureSigningParameters resolveSigningParameters(RelyingPartyRegistration relyingPartyRegistration) {
    List<Credential> credentials = resolveSigningCredentials(relyingPartyRegistration);
    // Signature algorithms come from the asserting party's configuration; the digest is fixed to SHA-256
    // and canonicalization to exclusive C14N without comments.
    List<String> algorithms = relyingPartyRegistration.getAssertingPartyDetails().getSigningAlgorithms();
    List<String> digests = Collections.singletonList(SignatureConstants.ALGO_ID_DIGEST_SHA256);
    String canonicalization = SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS;
    SignatureSigningParametersResolver resolver = new SAMLMetadataSignatureSigningParametersResolver();
    CriteriaSet criteria = new CriteriaSet();
    BasicSignatureSigningConfiguration signingConfiguration = new BasicSignatureSigningConfiguration();
    signingConfiguration.setSigningCredentials(credentials);
    signingConfiguration.setSignatureAlgorithms(algorithms);
    signingConfiguration.setSignatureReferenceDigestMethods(digests);
    signingConfiguration.setSignatureCanonicalizationAlgorithm(canonicalization);
    signingConfiguration.setKeyInfoGeneratorManager(buildSignatureKeyInfoGeneratorManager());
    criteria.add(new SignatureSigningConfigurationCriterion(signingConfiguration));
    try {
        // The resolver picks the first credential/algorithm pair that satisfies the configuration.
        SignatureSigningParameters parameters = resolver.resolveSingle(criteria);
        Assert.notNull(parameters, "Failed to resolve any signing credential");
        return parameters;
    } catch (Exception ex) {
        throw new Saml2Exception(ex);
    }
}
