
Example 36 with NodeList

use of org.wso2.ei.dashboard.core.rest.model.NodeList in project product-mi-tooling by wso2.

the class JDBCDatabaseManager method fetchArtifacts.

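/**
 * Fetches the artifacts of the given type that are deployed on the given nodes of a group.
 *
 * <p>One query collects the distinct artifact names; for every name a second query (run by
 * {@code getArtifactDetails}) collects the per-node details.
 *
 * @param artifactType artifact type, mapped to a table name by {@code getTableName}
 * @param groupId      group whose artifacts are requested
 * @param nodeList     ids of the nodes to search; a {@code null} or empty list yields an empty result
 * @return the matching artifacts, empty when nothing matches
 * @throws DashboardServerException if a database error occurs
 */
@Override
public Artifacts fetchArtifacts(String artifactType, String groupId, List<String> nodeList) {
    Artifacts artifacts = new Artifacts();
    // NOTE(review): tableName is concatenated into the SQL text below because identifiers cannot be bound
    // as parameters. This is only safe if getTableName returns values from a fixed set and never echoes
    // artifactType back - confirm against its implementation.
    String tableName = getTableName(artifactType);
    if (nodeList == null || nodeList.isEmpty()) {
        // Without any node the filter would be "AND ()", which is not valid SQL; no node means no artifact.
        return artifacts;
    }
    // One bound placeholder per node id. Node ids are never concatenated into the statement text.
    StringBuilder nodeFilter = new StringBuilder();
    for (int i = 0; i < nodeList.size(); i++) {
        if (i > 0) {
            nodeFilter.append(" OR ");
        }
        nodeFilter.append("NODE_ID=?");
    }
    String nodeSearch = nodeFilter.toString();
    String getDistinctNamesQuery = "SELECT DISTINCT NAME FROM " + tableName + " WHERE GROUP_ID=? " + "AND (" + nodeSearch + ");";
    String getDetailsQuery = "SELECT NODE_ID, DETAILS FROM " + tableName + " WHERE NAME=? AND GROUP_ID=? AND " + "(" + nodeSearch + ");";
    try (Connection con = getConnection();
        PreparedStatement statement = con.prepareStatement(getDistinctNamesQuery)) {
        statement.setString(1, groupId);
        // Parameter 1 is the group id, so the node ids start at index 2.
        for (int i = 0, j = 2; i < nodeList.size(); i++, j++) {
            statement.setString(j, nodeList.get(i));
        }
        try (ResultSet resultSet = statement.executeQuery()) {
            while (resultSet.next()) {
                ArtifactsInner artifactsInner = new ArtifactsInner();
                String artifactName = resultSet.getString("NAME");
                artifactsInner.setName(artifactName);
                List<ArtifactDetails> artifactDetails = getArtifactDetails(getDetailsQuery, artifactName, groupId, nodeList);
                artifactsInner.setNodes(artifactDetails);
                artifacts.add(artifactsInner);
            }
        }
        return artifacts;
    } catch (SQLException e) {
        throw new DashboardServerException("Error occurred fetching " + artifactType, e);
    }
}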
Also used : Artifacts(org.wso2.ei.dashboard.core.rest.model.Artifacts) SQLException(java.sql.SQLException) ArtifactsInner(org.wso2.ei.dashboard.core.rest.model.ArtifactsInner) Connection(java.sql.Connection) ResultSet(java.sql.ResultSet) ArtifactDetails(org.wso2.ei.dashboard.core.rest.model.ArtifactDetails) PreparedStatement(java.sql.PreparedStatement) DashboardServerException(org.wso2.ei.dashboard.core.exception.DashboardServerException)

Example 37 with NodeList

use of org.wso2.ei.dashboard.core.rest.model.NodeList in project identity-inbound-auth-oauth by wso2-extensions.

the class SAML1BearerGrantHandler method validateGrant.

/**
 * Validates the SAML token received in the request, which arrives through the assertion parameter of the POST
 * request. A request format that we handle here looks like,
 * <p/>
 * POST /token.oauth2 HTTP/1.1
 * Host: as.example.com
 * Content-Type: application/x-www-form-urlencoded
 * <p/>
 * grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml1-bearer&
 * assertion=PHNhbWxwOl...[omitted for brevity]...ZT4
 *
 * @param tokReqMsgCtx Token message request context
 * @return true if validation is successful, false otherwise
 * @throws org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception
 */
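@Override
public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
    // NOTE(review): the parent's verdict is only consulted at the final return, so everything below
    // (including setting the authorized user and invoking the callback) runs even when it is false.
    boolean validGrant = super.validateGrant(tokReqMsgCtx);
    Assertion assertion;
    IdentityProvider identityProvider = null;
    String tokenEndpointAlias = null;
    String tenantDomain = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getTenantDomain();
    if (tenantDomain == null || "".equals(tenantDomain)) {
        tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
    }
    RequestParameter[] requestParameters = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters();
    if (requestParameters != null) {
        for (RequestParameter requestParameter : requestParameters) {
            if ("assertion".equals(requestParameter.getKey())) {
                String[] values = requestParameter.getValue();
                // An "assertion" key without a value must not raise an index error on client-supplied input.
                if (values != null && values.length > 0) {
                    tokReqMsgCtx.getOauth2AccessTokenReqDTO().setAssertion(values[0]);
                }
                break;
            }
        }
    }
    // Reject a request that carries no assertion instead of failing later while decoding null.
    String encodedAssertion = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getAssertion();
    if (encodedAssertion == null || encodedAssertion.isEmpty()) {
        if (log.isDebugEnabled()) {
            log.debug("Assertion parameter is missing or empty in the token request");
        }
        return false;
    }
    String decodedAssertion = new String(Base64.decodeBase64(encodedAssertion), StandardCharsets.UTF_8);
    // The raw assertion is only written to the log when token logging is explicitly enabled for it.
    if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.SAML_ASSERTION)) {
        log.debug("Received SAML assertion : " + decodedAssertion);
    }
    try {
        // NOTE(review): this parses client-supplied XML; protection against DTDs and external entities
        // depends on how UnmarshallUtils configures its parser - confirm.
        XMLObject samlObject = UnmarshallUtils.unmarshall(decodedAssertion);
        // Validating for multiple assertions: any Assertion element below the root means the document
        // nests a second assertion, so the checks below could apply to a different assertion than the
        // signature does.
        NodeList assertionList = samlObject.getDOM().getElementsByTagNameNS(SAMLConstants.SAML1_NS, "Assertion");
        if (assertionList.getLength() > 0) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid schema for SAML Assertion. Nested assertions detected.");
            }
            return false;
        }
        if (samlObject instanceof Assertion) {
            assertion = (Assertion) samlObject;
        } else {
            if (log.isDebugEnabled()) {
                log.debug("Only Assertion objects are validated in SAML1Bearer Grant Type");
            }
            return false;
        }
    } catch (IdentityUnmarshallingException e) {
        if (log.isDebugEnabled()) {
            log.debug("Error occurred while unmarshalling SAML1.0 assertion", e);
        }
        return false;
    }
    /*
     * The Assertion MUST contain a <Subject> element.  The subject MAY identify the resource owner for whom
     * the access token is being requested.  For client authentication, the Subject MUST be the "client_id"
     * of the OAuth client.  When using an Assertion as an authorization grant, the Subject SHOULD identify
     * an authorized accessor for whom the access token is being requested (typically the resource owner, or
     * an authorized delegate).  Additional information identifying the subject/principal of the transaction
     * MAY be included in an <AttributeStatement>.
     */
    List<AuthenticationStatement> authenticationStatements = assertion.getAuthenticationStatements();
    Subject subject;
    if (authenticationStatements != null && !authenticationStatements.isEmpty()) {
        // Only the first authentication statement is consulted for the subject.
        AuthenticationStatement authenticationStatement = authenticationStatements.get(0);
        subject = authenticationStatement.getSubject();
        if (subject != null) {
            // A Subject without a NameIdentifier element is treated like an empty NameID.
            String resourceOwnerUserName = subject.getNameIdentifier() == null
                    ? null : subject.getNameIdentifier().getNameIdentifier();
            if (resourceOwnerUserName == null || resourceOwnerUserName.equals("")) {
                if (log.isDebugEnabled()) {
                    log.debug("NameID in Assertion cannot be empty");
                }
                return false;
            }
            // NOTE(review): the user is put on the context before the issuer, audience, expiry and signature
            // have been checked. Callers must not read the authorized user when this method returns false.
            AuthenticatedUser user = OAuth2Util.getUserFromUserName(resourceOwnerUserName);
            user.setAuthenticatedSubjectIdentifier(resourceOwnerUserName);
            user.setFederatedUser(true);
            tokReqMsgCtx.setAuthorizedUser(user);
            if (log.isDebugEnabled()) {
                log.debug("Resource Owner User Name is set to " + resourceOwnerUserName);
            }
        } else {
            if (log.isDebugEnabled()) {
                log.debug("Subject element cannot be empty.");
            }
            return false;
        }
    } else {
        if (log.isDebugEnabled()) {
            log.debug("Authentication Statement cannot be empty");
        }
        return false;
    }
    if (assertion.getIssuer() == null || assertion.getIssuer().isEmpty()) {
        if (log.isDebugEnabled()) {
            log.debug("Issuer is empty in the SAML assertion");
        }
        return false;
    } else {
        try {
            if (log.isDebugEnabled()) {
                log.debug("Issuer is :" + assertion.getIssuer());
            }
            identityProvider = IdentityProviderManager.getInstance().getIdPByAuthenticatorPropertyValue("IdPEntityId", assertion.getIssuer(), tenantDomain, false);
            // resident IdP entity ID == issuer
            if (identityProvider != null) {
                if (IdentityApplicationConstants.RESIDENT_IDP_RESERVED_NAME.equals(identityProvider.getIdentityProviderName())) {
                    identityProvider = IdentityProviderManager.getInstance().getResidentIdP(tenantDomain);
                    FederatedAuthenticatorConfig[] fedAuthnConfigs = identityProvider.getFederatedAuthenticatorConfigs();
                    String idpEntityId = null;
                    // Get SAML authenticator
                    FederatedAuthenticatorConfig samlAuthenticatorConfig = IdentityApplicationManagementUtil.getFederatedAuthenticator(fedAuthnConfigs, IdentityApplicationConstants.Authenticator.SAML2SSO.NAME);
                    // Get Entity ID from SAML authenticator. The lookup helper's contract is not visible
                    // here, so a missing authenticator is handled like a missing entity id (rejected below).
                    if (samlAuthenticatorConfig != null) {
                        Property samlProperty = IdentityApplicationManagementUtil.getProperty(samlAuthenticatorConfig.getProperties(), IdentityApplicationConstants.Authenticator.SAML2SSO.IDP_ENTITY_ID);
                        if (samlProperty != null) {
                            idpEntityId = samlProperty.getValue();
                        }
                    }
                    if (idpEntityId == null || !assertion.getIssuer().equals(idpEntityId)) {
                        if (log.isDebugEnabled()) {
                            log.debug("SAML Token Issuer verification failed or Issuer not registered");
                        }
                        return false;
                    }
                    // Get OpenIDConnect authenticator == OAuth
                    // authenticator
                    FederatedAuthenticatorConfig oauthAuthenticatorConfig = IdentityApplicationManagementUtil.getFederatedAuthenticator(fedAuthnConfigs, IdentityApplicationConstants.Authenticator.OIDC.NAME);
                    // Get OAuth token endpoint; a missing authenticator leaves the alias unset.
                    if (oauthAuthenticatorConfig != null) {
                        Property oauthProperty = IdentityApplicationManagementUtil.getProperty(oauthAuthenticatorConfig.getProperties(), IdentityApplicationConstants.Authenticator.OIDC.OAUTH2_TOKEN_URL);
                        if (oauthProperty != null) {
                            tokenEndpointAlias = oauthProperty.getValue();
                        }
                    }
                } else {
                    // Get Alias from Federated IDP
                    tokenEndpointAlias = identityProvider.getAlias();
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("SAML Token Issuer verification failed or Issuer not registered");
                }
                return false;
            }
        } catch (IdentityProviderManagementException e) {
            // Stop here: without a resolved identity provider the issuer is unverified and there is no
            // certificate to check the signature against. Continuing would dereference a null provider.
            throw new IdentityOAuth2Exception("Error while getting Federated Identity Provider for tenant domain " + tenantDomain, e);
        }
    }
    if (audienceRestrictionValidationEnabled) {
        if (tokenEndpointAlias == null || tokenEndpointAlias.equals("")) {
            String errorMsg = "Token Endpoint alias of the local Identity Provider has not been " + "configured for " + identityProvider.getIdentityProviderName();
            if (log.isDebugEnabled()) {
                log.debug(errorMsg);
            }
            return false;
        }
        Conditions conditions = assertion.getConditions();
        if (conditions != null) {
            List<AudienceRestrictionCondition> audienceRestrictions = conditions.getAudienceRestrictionConditions();
            if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
                boolean audienceFound = false;
                for (AudienceRestrictionCondition audienceRestriction : audienceRestrictions) {
                    if (audienceRestriction.getAudiences() != null && !audienceRestriction.getAudiences().isEmpty()) {
                        for (Audience audience : audienceRestriction.getAudiences()) {
                            // Compare from the known non-null side so an Audience without a URI cannot
                            // raise a NullPointerException.
                            if (tokenEndpointAlias.equals(audience.getUri())) {
                                audienceFound = true;
                                break;
                            }
                        }
                    }
                    if (audienceFound) {
                        break;
                    }
                }
                if (!audienceFound) {
                    if (log.isDebugEnabled()) {
                        log.debug("SAML Assertion Audience Restriction validation failed");
                    }
                    return false;
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("SAML Assertion doesn't contain AudienceRestrictions");
                }
                return false;
            }
        } else {
            if (log.isDebugEnabled()) {
                log.debug("SAML Assertion doesn't contain Conditions");
            }
            return false;
        }
    }
    /*
     * The Assertion MUST have an expiry that limits the time window during which it can be used.  The expiry
     * can be expressed either as the NotOnOrAfter attribute of the <Conditions> element or as the NotOnOrAfter
     * attribute of a suitable <SubjectConfirmationData> element.
     */
    /*
     * The <Subject> element MUST contain at least one <SubjectConfirmation> element that allows the
     * authorization server to confirm it as a Bearer Assertion.  Such a <SubjectConfirmation> element MUST
     * have a Method attribute with a value of "urn:oasis:names:tc:SAML:1.0:cm:bearer".  The
     * <SubjectConfirmation> element MUST contain a <SubjectConfirmationData> element, unless the Assertion
     * has a suitable NotOnOrAfter attribute on the <Conditions> element, in which case the
     * <SubjectConfirmationData> element MAY be omitted.
     * The <SubjectConfirmationData> element MUST have a NotOnOrAfter attribute that limits the window during
     * which the Assertion can be confirmed.  The <SubjectConfirmationData> element MAY also contain an Address
     * attribute limiting the client address from which the Assertion can be delivered.  Verification of the
     * Address is at the discretion of the authorization server.
     */
    DateTime notOnOrAfterFromConditions = null;
    // Nothing in this method adds to this set, so the loop over it further down never runs and an
    // assertion without a NotOnOrAfter on <Conditions> is always rejected.
    Set<DateTime> notOnOrAfterFromSubjectConfirmations = new HashSet<DateTime>();
    boolean bearerFound = false;
    if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null) {
        notOnOrAfterFromConditions = assertion.getConditions().getNotOnOrAfter();
    }
    SubjectConfirmation subjectConfirmation = subject.getSubjectConfirmation();
    // A Subject without any SubjectConfirmation cannot be a bearer assertion; reject it cleanly.
    List<ConfirmationMethod> confirmationMethods =
            subjectConfirmation == null ? null : subjectConfirmation.getConfirmationMethods();
    if (confirmationMethods != null) {
        for (ConfirmationMethod confirmationMethod : confirmationMethods) {
            if (OAuthConstants.OAUTH_SAML1_BEARER_METHOD.equals(confirmationMethod.getConfirmationMethod())) {
                bearerFound = true;
            }
        }
    }
    if (!bearerFound) {
        if (log.isDebugEnabled()) {
            log.debug("Cannot find a subject confirmation with method " + OAuthConstants.OAUTH_SAML1_BEARER_METHOD + " in subject confirmation " + subject.getSubjectConfirmation());
        }
        return false;
    }
    XMLObject confirmationData = subject.getSubjectConfirmation().getSubjectConfirmationData();
    if (confirmationData == null) {
        // Missing confirmation data is tolerated and only reported.
        log.warn("Subject confirmation data is missing.");
    }
    /*
     * The authorization server MUST verify that the NotOnOrAfter instant has not passed, subject to allowable
     * clock skew between systems.  An invalid NotOnOrAfter instant on the <Conditions> element invalidates
     * the entire Assertion.  An invalid NotOnOrAfter instant on a <SubjectConfirmationData> element only
     * invalidates the individual <SubjectConfirmation>.  The authorization server MAY reject Assertions with
     * a NotOnOrAfter instant that is unreasonably far in the future.  The authorization server MAY ensure
     * that Bearer Assertions are not replayed, by maintaining the set of used ID values for the length of
     * time for which the Assertion would be considered valid based on the applicable NotOnOrAfter instant.
     */
    // NOTE(review): no replay cache of assertion IDs is kept in this method; an assertion can be presented
    // again until its NotOnOrAfter (plus skew) has passed.
    long timestampSkewInMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
    if (notOnOrAfterFromConditions != null && notOnOrAfterFromConditions.plus(timestampSkewInMillis).isBeforeNow()) {
        // notOnOrAfter is an expired timestamp
        if (log.isDebugEnabled()) {
            log.debug("NotOnOrAfter is having an expired timestamp in Conditions element");
        }
        return false;
    }
    boolean validSubjectConfirmationDataExists = false;
    if (!notOnOrAfterFromSubjectConfirmations.isEmpty()) {
        for (DateTime entry : notOnOrAfterFromSubjectConfirmations) {
            if (entry.plus(timestampSkewInMillis).isAfterNow()) {
                validSubjectConfirmationDataExists = true;
            }
        }
    }
    if (notOnOrAfterFromConditions == null && !validSubjectConfirmationDataExists) {
        if (log.isDebugEnabled()) {
            log.debug("No valid NotOnOrAfter element found in SubjectConfirmations");
        }
        return false;
    }
    // An unsigned assertion must be rejected explicitly rather than left to whatever the validators do
    // when handed a null signature.
    if (assertion.getSignature() == null) {
        if (log.isDebugEnabled()) {
            log.debug("Signature element is missing in the SAML assertion");
        }
        return false;
    }
    try {
        profileValidator.validate(assertion.getSignature());
    } catch (SignatureException e) {
        // Indicates signature did not conform to SAML1.0 Signature profile
        if (log.isDebugEnabled()) {
            log.debug("Signature did not conform to SAML1.0 Signature profile", e);
        }
        return false;
    }
    X509Certificate x509Certificate = null;
    try {
        // The signature is verified against the certificate registered for the resolved identity
        // provider, not against any key material carried inside the assertion.
        x509Certificate = (X509Certificate) IdentityApplicationManagementUtil.decodeCertificate(identityProvider.getCertificate());
    } catch (CertificateException e) {
        String message = "Error occurred while decoding public certificate of Identity Provider " + identityProvider.getIdentityProviderName() + " for tenant domain " + tenantDomain;
        throw new IdentityOAuth2Exception(message, e);
    }
    try {
        X509Credential x509Credential = new X509CredentialImpl(x509Certificate);
        SignatureValidator.validate(assertion.getSignature(), x509Credential);
        if (log.isDebugEnabled()) {
            log.debug("Signature validation successful");
        }
    } catch (SignatureException e) {
        if (log.isDebugEnabled()) {
            log.debug("Signature validation failure:" + e.getMessage(), e);
        }
        return false;
    }
    tokReqMsgCtx.setScope(tokReqMsgCtx.getOauth2AccessTokenReqDTO().getScope());
    // Storing the Assertion. This will be used in OpenID Connect for example.
    // The SAML1 assertion is stored under the SAML2 property key and handed to the SAML2 callback handler.
    tokReqMsgCtx.addProperty(OAuthConstants.OAUTH_SAML2_ASSERTION, assertion);
    // Invoking extension
    SAML2TokenCallbackHandler callback = OAuthServerConfiguration.getInstance().getSAML2TokenCallbackHandler();
    if (callback != null) {
        if (log.isDebugEnabled()) {
            log.debug("Invoking the SAML2 Token callback handler");
        }
        callback.handleSAML2Token(tokReqMsgCtx);
    }
    return validGrant;
}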
Also used : FederatedAuthenticatorConfig(org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig) ConfirmationMethod(org.opensaml.saml.saml1.core.ConfirmationMethod) CertificateException(java.security.cert.CertificateException) IdentityUnmarshallingException(org.wso2.carbon.identity.saml.common.util.exception.IdentityUnmarshallingException) SignatureException(org.opensaml.xmlsec.signature.support.SignatureException) AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser) AuthenticationStatement(org.opensaml.saml.saml1.core.AuthenticationStatement) Conditions(org.opensaml.saml.saml1.core.Conditions) DateTime(org.joda.time.DateTime) SubjectConfirmation(org.opensaml.saml.saml1.core.SubjectConfirmation) IdentityOAuth2Exception(org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception) X509CredentialImpl(org.wso2.carbon.identity.oauth2.util.X509CredentialImpl) AudienceRestrictionCondition(org.opensaml.saml.saml1.core.AudienceRestrictionCondition) Property(org.wso2.carbon.identity.application.common.model.Property) HashSet(java.util.HashSet) Audience(org.opensaml.saml.saml1.core.Audience) RequestParameter(org.wso2.carbon.identity.oauth2.model.RequestParameter) NodeList(org.w3c.dom.NodeList) Assertion(org.opensaml.saml.saml1.core.Assertion) XMLObject(org.opensaml.core.xml.XMLObject) IdentityProvider(org.wso2.carbon.identity.application.common.model.IdentityProvider) Subject(org.opensaml.saml.saml1.core.Subject) X509Certificate(java.security.cert.X509Certificate) X509Credential(org.opensaml.security.x509.X509Credential) IdentityProviderManagementException(org.wso2.carbon.idp.mgt.IdentityProviderManagementException)
