Search in sources :

Example 1 with ConfigurationException

use of org.opensaml.xml.ConfigurationException in project cloudstack by apache.

the class SAML2LoginAPIAuthenticatorCmd method processSAMLResponse.

public Response processSAMLResponse(String responseMessage) {
    Response responseObject = null;
    try {
        DefaultBootstrap.bootstrap();
        responseObject = SAMLUtils.decodeSAMLResponse(responseMessage);
    } catch (ConfigurationException | FactoryConfigurationError | ParserConfigurationException | SAXException | IOException | UnmarshallingException e) {
        s_logger.error("SAMLResponse processing error: " + e.getMessage());
    }
    return responseObject;
}
Also used : LoginCmdResponse(org.apache.cloudstack.api.response.LoginCmdResponse) Response(org.opensaml.saml2.core.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) ConfigurationException(org.opensaml.xml.ConfigurationException) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) IOException(java.io.IOException) FactoryConfigurationError(javax.xml.stream.FactoryConfigurationError) UnmarshallingException(org.opensaml.xml.io.UnmarshallingException) SAXException(org.xml.sax.SAXException)

Example 2 with ConfigurationException

use of org.opensaml.xml.ConfigurationException in project cloudstack by apache.

the class SAML2AuthManagerImpl method setup.

private boolean setup() {
    if (!initSP()) {
        s_logger.error("SAML Plugin failed to initialize, please fix the configuration and restart management server");
        return false;
    }
    _timer = new Timer();
    final HttpClient client = new HttpClient();
    final String idpMetaDataUrl = getSAMLIdentityProviderMetadataURL();
    if (SAMLTimeout.value() != null && SAMLTimeout.value() > SAMLPluginConstants.SAML_REFRESH_INTERVAL) {
        _refreshInterval = SAMLTimeout.value();
    }
    try {
        DefaultBootstrap.bootstrap();
        if (idpMetaDataUrl.startsWith("http")) {
            _idpMetaDataProvider = new HTTPMetadataProvider(_timer, client, idpMetaDataUrl);
        } else {
            File metadataFile = PropertiesUtil.findConfigFile(idpMetaDataUrl);
            if (metadataFile == null) {
                s_logger.error("Provided Metadata is not a URL, Unable to locate metadata file from local path: " + idpMetaDataUrl);
                return false;
            } else {
                s_logger.debug("Provided Metadata is not a URL, trying to read metadata file from local path: " + metadataFile.getAbsolutePath());
                _idpMetaDataProvider = new FilesystemMetadataProvider(_timer, metadataFile);
            }
        }
        _idpMetaDataProvider.setRequireValidMetadata(true);
        _idpMetaDataProvider.setParserPool(new BasicParserPool());
        _idpMetaDataProvider.initialize();
        _timer.scheduleAtFixedRate(new MetadataRefreshTask(), 0, _refreshInterval * 1000);
    } catch (MetadataProviderException e) {
        s_logger.error("Unable to read SAML2 IDP MetaData URL, error:" + e.getMessage());
        s_logger.error("SAML2 Authentication may be unavailable");
        return false;
    } catch (ConfigurationException | FactoryConfigurationError e) {
        s_logger.error("OpenSAML bootstrapping failed: error: " + e.getMessage());
        return false;
    } catch (NullPointerException e) {
        s_logger.error("Unable to setup SAML Auth Plugin due to NullPointerException" + " please check the SAML global settings: " + e.getMessage());
        return false;
    }
    return true;
}
Also used : Timer(java.util.Timer) ConfigurationException(org.opensaml.xml.ConfigurationException) HttpClient(org.apache.commons.httpclient.HttpClient) BasicParserPool(org.opensaml.xml.parse.BasicParserPool) FilesystemMetadataProvider(org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider) HTTPMetadataProvider(org.opensaml.saml2.metadata.provider.HTTPMetadataProvider) File(java.io.File) MetadataProviderException(org.opensaml.saml2.metadata.provider.MetadataProviderException) FactoryConfigurationError(javax.xml.stream.FactoryConfigurationError)

Example 3 with ConfigurationException

use of org.opensaml.xml.ConfigurationException in project cloudstack by apache.

the class GetServiceProviderMetaDataCmd method authenticate.

@Override
public String authenticate(String command, Map<String, Object[]> params, HttpSession session, InetAddress remoteAddress, String responseType, StringBuilder auditTrailSb, final HttpServletRequest req, final HttpServletResponse resp) throws ServerApiException {
    SAMLMetaDataResponse response = new SAMLMetaDataResponse();
    response.setResponseName(getCommandName());
    try {
        DefaultBootstrap.bootstrap();
    } catch (ConfigurationException | FactoryConfigurationError e) {
        s_logger.error("OpenSAML Bootstrapping error: " + e.getMessage());
        throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "OpenSAML Bootstrapping error while creating SP MetaData", params, responseType));
    }
    final SAMLProviderMetadata spMetadata = _samlAuthManager.getSPMetadata();
    EntityDescriptor spEntityDescriptor = new EntityDescriptorBuilder().buildObject();
    spEntityDescriptor.setEntityID(spMetadata.getEntityId());
    SPSSODescriptor spSSODescriptor = new SPSSODescriptorBuilder().buildObject();
    spSSODescriptor.setWantAssertionsSigned(true);
    spSSODescriptor.setAuthnRequestsSigned(true);
    X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
    keyInfoGeneratorFactory.setEmitEntityCertificate(true);
    KeyInfoGenerator keyInfoGenerator = keyInfoGeneratorFactory.newInstance();
    KeyDescriptor signKeyDescriptor = new KeyDescriptorBuilder().buildObject();
    signKeyDescriptor.setUse(UsageType.SIGNING);
    KeyDescriptor encKeyDescriptor = new KeyDescriptorBuilder().buildObject();
    encKeyDescriptor.setUse(UsageType.ENCRYPTION);
    BasicX509Credential signingCredential = new BasicX509Credential();
    signingCredential.setEntityCertificate(spMetadata.getSigningCertificate());
    BasicX509Credential encryptionCredential = new BasicX509Credential();
    encryptionCredential.setEntityCertificate(spMetadata.getEncryptionCertificate());
    try {
        signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(signingCredential));
        encKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(encryptionCredential));
        spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor);
        spSSODescriptor.getKeyDescriptors().add(encKeyDescriptor);
    } catch (SecurityException e) {
        s_logger.warn("Unable to add SP X509 descriptors:" + e.getMessage());
    }
    NameIDFormat nameIDFormat = new NameIDFormatBuilder().buildObject();
    nameIDFormat.setFormat(NameIDType.PERSISTENT);
    spSSODescriptor.getNameIDFormats().add(nameIDFormat);
    NameIDFormat emailNameIDFormat = new NameIDFormatBuilder().buildObject();
    emailNameIDFormat.setFormat(NameIDType.EMAIL);
    spSSODescriptor.getNameIDFormats().add(emailNameIDFormat);
    NameIDFormat transientNameIDFormat = new NameIDFormatBuilder().buildObject();
    transientNameIDFormat.setFormat(NameIDType.TRANSIENT);
    spSSODescriptor.getNameIDFormats().add(transientNameIDFormat);
    AssertionConsumerService assertionConsumerService = new AssertionConsumerServiceBuilder().buildObject();
    assertionConsumerService.setIndex(1);
    assertionConsumerService.setIsDefault(true);
    assertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
    assertionConsumerService.setLocation(spMetadata.getSsoUrl());
    spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService);
    AssertionConsumerService assertionConsumerService2 = new AssertionConsumerServiceBuilder().buildObject();
    assertionConsumerService2.setIndex(2);
    assertionConsumerService2.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
    assertionConsumerService2.setLocation(spMetadata.getSsoUrl());
    spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService2);
    SingleLogoutService ssoService = new SingleLogoutServiceBuilder().buildObject();
    ssoService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
    ssoService.setLocation(spMetadata.getSloUrl());
    spSSODescriptor.getSingleLogoutServices().add(ssoService);
    SingleLogoutService ssoService2 = new SingleLogoutServiceBuilder().buildObject();
    ssoService2.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
    ssoService2.setLocation(spMetadata.getSloUrl());
    spSSODescriptor.getSingleLogoutServices().add(ssoService2);
    spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS);
    spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
    // Add technical contact
    GivenName givenName = new GivenNameBuilder().buildObject();
    givenName.setName(spMetadata.getContactPersonName());
    EmailAddress emailAddress = new EmailAddressBuilder().buildObject();
    emailAddress.setAddress(spMetadata.getContactPersonEmail());
    ContactPerson contactPerson = new ContactPersonBuilder().buildObject();
    contactPerson.setType(ContactPersonTypeEnumeration.TECHNICAL);
    contactPerson.setGivenName(givenName);
    contactPerson.getEmailAddresses().add(emailAddress);
    spEntityDescriptor.getContactPersons().add(contactPerson);
    // Add administrative/support contact
    GivenName givenNameAdmin = new GivenNameBuilder().buildObject();
    givenNameAdmin.setName(spMetadata.getContactPersonName());
    EmailAddress emailAddressAdmin = new EmailAddressBuilder().buildObject();
    emailAddressAdmin.setAddress(spMetadata.getContactPersonEmail());
    ContactPerson contactPersonAdmin = new ContactPersonBuilder().buildObject();
    contactPersonAdmin.setType(ContactPersonTypeEnumeration.ADMINISTRATIVE);
    contactPersonAdmin.setGivenName(givenNameAdmin);
    contactPersonAdmin.getEmailAddresses().add(emailAddressAdmin);
    spEntityDescriptor.getContactPersons().add(contactPersonAdmin);
    Organization organization = new OrganizationBuilder().buildObject();
    OrganizationName organizationName = new OrganizationNameBuilder().buildObject();
    organizationName.setName(new LocalizedString(spMetadata.getOrganizationName(), Locale.getDefault().getLanguage()));
    OrganizationURL organizationURL = new OrganizationURLBuilder().buildObject();
    organizationURL.setURL(new LocalizedString(spMetadata.getOrganizationUrl(), Locale.getDefault().getLanguage()));
    organization.getOrganizationNames().add(organizationName);
    organization.getURLs().add(organizationURL);
    spEntityDescriptor.setOrganization(organization);
    StringWriter stringWriter = new StringWriter();
    try {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document document = builder.newDocument();
        Marshaller out = Configuration.getMarshallerFactory().getMarshaller(spEntityDescriptor);
        out.marshall(spEntityDescriptor, document);
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        StreamResult streamResult = new StreamResult(stringWriter);
        DOMSource source = new DOMSource(document);
        transformer.transform(source, streamResult);
        stringWriter.close();
        response.setMetadata(stringWriter.toString());
    } catch (ParserConfigurationException | IOException | MarshallingException | TransformerException e) {
        if (responseType.equals(HttpUtils.JSON_CONTENT_TYPE)) {
            response.setMetadata("Error creating Service Provider MetaData XML: " + e.getMessage());
        } else {
            return "Error creating Service Provider MetaData XML: " + e.getMessage();
        }
    }
    // For JSON type return serialized response object
    if (responseType.equals(HttpUtils.RESPONSE_TYPE_JSON)) {
        return ApiResponseSerializer.toSerializedString(response, responseType);
    }
    // For other response types return XML
    return stringWriter.toString();
}
Also used : OrganizationName(org.opensaml.saml2.metadata.OrganizationName) EmailAddressBuilder(org.opensaml.saml2.metadata.impl.EmailAddressBuilder) DOMSource(javax.xml.transform.dom.DOMSource) SAMLMetaDataResponse(org.apache.cloudstack.api.response.SAMLMetaDataResponse) Organization(org.opensaml.saml2.metadata.Organization) OrganizationNameBuilder(org.opensaml.saml2.metadata.impl.OrganizationNameBuilder) DocumentBuilderFactory(javax.xml.parsers.DocumentBuilderFactory) Transformer(javax.xml.transform.Transformer) SPSSODescriptorBuilder(org.opensaml.saml2.metadata.impl.SPSSODescriptorBuilder) KeyDescriptor(org.opensaml.saml2.metadata.KeyDescriptor) GivenName(org.opensaml.saml2.metadata.GivenName) NameIDFormatBuilder(org.opensaml.saml2.metadata.impl.NameIDFormatBuilder) LocalizedString(org.opensaml.saml2.metadata.LocalizedString) Document(org.w3c.dom.Document) EntityDescriptorBuilder(org.opensaml.saml2.metadata.impl.EntityDescriptorBuilder) ContactPerson(org.opensaml.saml2.metadata.ContactPerson) SPSSODescriptor(org.opensaml.saml2.metadata.SPSSODescriptor) KeyInfoGenerator(org.opensaml.xml.security.keyinfo.KeyInfoGenerator) ServerApiException(org.apache.cloudstack.api.ServerApiException) StringWriter(java.io.StringWriter) MarshallingException(org.opensaml.xml.io.MarshallingException) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) ConfigurationException(org.opensaml.xml.ConfigurationException) SingleLogoutServiceBuilder(org.opensaml.saml2.metadata.impl.SingleLogoutServiceBuilder) AssertionConsumerService(org.opensaml.saml2.metadata.AssertionConsumerService) OrganizationBuilder(org.opensaml.saml2.metadata.impl.OrganizationBuilder) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) SAMLProviderMetadata(org.apache.cloudstack.saml.SAMLProviderMetadata) FactoryConfigurationError(javax.xml.stream.FactoryConfigurationError) GivenNameBuilder(org.opensaml.saml2.metadata.impl.GivenNameBuilder) TransformerException(javax.xml.transform.TransformerException) X509KeyInfoGeneratorFactory(org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory) Marshaller(org.opensaml.xml.io.Marshaller) OrganizationURLBuilder(org.opensaml.saml2.metadata.impl.OrganizationURLBuilder) StreamResult(javax.xml.transform.stream.StreamResult) SingleLogoutService(org.opensaml.saml2.metadata.SingleLogoutService) AssertionConsumerServiceBuilder(org.opensaml.saml2.metadata.impl.AssertionConsumerServiceBuilder) SecurityException(org.opensaml.xml.security.SecurityException) IOException(java.io.IOException) EmailAddress(org.opensaml.saml2.metadata.EmailAddress) ContactPersonBuilder(org.opensaml.saml2.metadata.impl.ContactPersonBuilder) EntityDescriptor(org.opensaml.saml2.metadata.EntityDescriptor) NameIDFormat(org.opensaml.saml2.metadata.NameIDFormat) BasicX509Credential(org.opensaml.xml.security.x509.BasicX509Credential) DocumentBuilder(javax.xml.parsers.DocumentBuilder) KeyDescriptorBuilder(org.opensaml.saml2.metadata.impl.KeyDescriptorBuilder) OrganizationURL(org.opensaml.saml2.metadata.OrganizationURL)

Example 4 with ConfigurationException

use of org.opensaml.xml.ConfigurationException in project cloudstack by apache.

the class SAMLUtils method buildAuthnRequestUrl.

public static String buildAuthnRequestUrl(final String authnId, final SAMLProviderMetadata spMetadata, final SAMLProviderMetadata idpMetadata, final String signatureAlgorithm) {
    String redirectUrl = "";
    try {
        DefaultBootstrap.bootstrap();
        AuthnRequest authnRequest = SAMLUtils.buildAuthnRequestObject(authnId, spMetadata.getEntityId(), idpMetadata.getSsoUrl(), spMetadata.getSsoUrl());
        PrivateKey privateKey = null;
        if (spMetadata.getKeyPair() != null) {
            privateKey = spMetadata.getKeyPair().getPrivate();
        }
        redirectUrl = idpMetadata.getSsoUrl() + "?" + SAMLUtils.generateSAMLRequestSignature("SAMLRequest=" + SAMLUtils.encodeSAMLRequest(authnRequest), privateKey, signatureAlgorithm);
    } catch (ConfigurationException | FactoryConfigurationError | MarshallingException | IOException | NoSuchAlgorithmException | InvalidKeyException | java.security.SignatureException e) {
        s_logger.error("SAML AuthnRequest message building error: " + e.getMessage());
    }
    return redirectUrl;
}
Also used : PrivateKey(java.security.PrivateKey) AuthnRequest(org.opensaml.saml2.core.AuthnRequest) MarshallingException(org.opensaml.xml.io.MarshallingException) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) ConfigurationException(org.opensaml.xml.ConfigurationException) IOException(java.io.IOException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) SignatureException(java.security.SignatureException) InvalidKeyException(java.security.InvalidKeyException) FactoryConfigurationError(javax.xml.stream.FactoryConfigurationError)

Example 5 with ConfigurationException

use of org.opensaml.xml.ConfigurationException in project cloudstack by apache.

the class SAML2LogoutAPIAuthenticatorCmd method authenticate.

@Override
public String authenticate(String command, Map<String, Object[]> params, HttpSession session, InetAddress remoteAddress, String responseType, StringBuilder auditTrailSb, final HttpServletRequest req, final HttpServletResponse resp) throws ServerApiException {
    auditTrailSb.append("=== SAML SLO Logging out ===");
    LogoutCmdResponse response = new LogoutCmdResponse();
    response.setDescription("success");
    response.setResponseName(getCommandName());
    String responseString = ApiResponseSerializer.toSerializedString(response, responseType);
    if (session == null) {
        try {
            resp.sendRedirect(SAML2AuthManager.SAMLCloudStackRedirectionUrl.value());
        } catch (IOException ignored) {
            s_logger.info("[ignored] sending redirected failed.", ignored);
        }
        return responseString;
    }
    try {
        DefaultBootstrap.bootstrap();
    } catch (ConfigurationException | FactoryConfigurationError e) {
        s_logger.error("OpenSAML Bootstrapping error: " + e.getMessage());
        throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "OpenSAML Bootstrapping error while creating SP MetaData", params, responseType));
    }
    if (params != null && params.containsKey("SAMLResponse")) {
        try {
            final String samlResponse = ((String[]) params.get(SAMLPluginConstants.SAML_RESPONSE))[0];
            Response processedSAMLResponse = SAMLUtils.decodeSAMLResponse(samlResponse);
            String statusCode = processedSAMLResponse.getStatus().getStatusCode().getValue();
            if (!statusCode.equals(StatusCode.SUCCESS_URI)) {
                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.INTERNAL_ERROR.getHttpCode(), "SAML SLO LogoutResponse status is not Success", params, responseType));
            }
        } catch (ConfigurationException | FactoryConfigurationError | ParserConfigurationException | SAXException | IOException | UnmarshallingException e) {
            s_logger.error("SAMLResponse processing error: " + e.getMessage());
        }
        try {
            resp.sendRedirect(SAML2AuthManager.SAMLCloudStackRedirectionUrl.value());
        } catch (IOException ignored) {
            s_logger.info("[ignored] second redirected sending failed.", ignored);
        }
        return responseString;
    }
    String idpId = (String) session.getAttribute(SAMLPluginConstants.SAML_IDPID);
    SAMLProviderMetadata idpMetadata = _samlAuthManager.getIdPMetadata(idpId);
    String nameId = (String) session.getAttribute(SAMLPluginConstants.SAML_NAMEID);
    if (idpMetadata == null || nameId == null || nameId.isEmpty()) {
        try {
            resp.sendRedirect(SAML2AuthManager.SAMLCloudStackRedirectionUrl.value());
        } catch (IOException ignored) {
            s_logger.info("[ignored] final redirected failed.", ignored);
        }
        return responseString;
    }
    LogoutRequest logoutRequest = SAMLUtils.buildLogoutRequest(idpMetadata.getSloUrl(), _samlAuthManager.getSPMetadata().getEntityId(), nameId);
    try {
        String redirectUrl = idpMetadata.getSloUrl() + "?SAMLRequest=" + SAMLUtils.encodeSAMLRequest(logoutRequest);
        resp.sendRedirect(redirectUrl);
    } catch (MarshallingException | IOException e) {
        s_logger.error("SAML SLO error: " + e.getMessage());
        throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, _apiServer.getSerializedApiError(ApiErrorCode.ACCOUNT_ERROR.getHttpCode(), "SAML Single Logout Error", params, responseType));
    }
    return responseString;
}
Also used : IOException(java.io.IOException) SAXException(org.xml.sax.SAXException) Response(org.opensaml.saml2.core.Response) LogoutCmdResponse(org.apache.cloudstack.api.response.LogoutCmdResponse) HttpServletResponse(javax.servlet.http.HttpServletResponse) ServerApiException(org.apache.cloudstack.api.ServerApiException) MarshallingException(org.opensaml.xml.io.MarshallingException) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) ConfigurationException(org.opensaml.xml.ConfigurationException) LogoutRequest(org.opensaml.saml2.core.LogoutRequest) ParserConfigurationException(javax.xml.parsers.ParserConfigurationException) SAMLProviderMetadata(org.apache.cloudstack.saml.SAMLProviderMetadata) LogoutCmdResponse(org.apache.cloudstack.api.response.LogoutCmdResponse) FactoryConfigurationError(javax.xml.stream.FactoryConfigurationError) UnmarshallingException(org.opensaml.xml.io.UnmarshallingException)

Aggregations

FactoryConfigurationError (javax.xml.stream.FactoryConfigurationError)5 ConfigurationException (org.opensaml.xml.ConfigurationException)5 IOException (java.io.IOException)4 ParserConfigurationException (javax.xml.parsers.ParserConfigurationException)4 MarshallingException (org.opensaml.xml.io.MarshallingException)3 HttpServletResponse (javax.servlet.http.HttpServletResponse)2 ServerApiException (org.apache.cloudstack.api.ServerApiException)2 SAMLProviderMetadata (org.apache.cloudstack.saml.SAMLProviderMetadata)2 Response (org.opensaml.saml2.core.Response)2 File (java.io.File)1 StringWriter (java.io.StringWriter)1 InvalidKeyException (java.security.InvalidKeyException)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 PrivateKey (java.security.PrivateKey)1 SignatureException (java.security.SignatureException)1 Timer (java.util.Timer)1 DocumentBuilder (javax.xml.parsers.DocumentBuilder)1 DocumentBuilderFactory (javax.xml.parsers.DocumentBuilderFactory)1 Transformer (javax.xml.transform.Transformer)1 TransformerException (javax.xml.transform.TransformerException)1