Example 6 with SamlValidationSpecificationFailure

Use of uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure in the project verify-hub by alphagov.

The method validateRoleDescriptor of the class SamlEntityDescriptorValidator.

// Checks that a metadata EntityDescriptor carries at least one role descriptor whose
// first KeyDescriptor contains KeyInfo with an X509Data element holding a non-empty
// X509Certificate. Each missing piece is reported through the SamlTransformationErrorFactory
// failure that names it. Note that only the first RoleDescriptor, KeyDescriptor, X509Data and
// X509Certificate are inspected; later ones are not validated here.
private void validateRoleDescriptor(EntityDescriptor descriptor) {
    if (descriptor.getRoleDescriptors().isEmpty()) {
        SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.missingRoleDescriptor();
        throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }
    RoleDescriptor roleDescriptor = descriptor.getRoleDescriptors().get(0);
    if (roleDescriptor.getKeyDescriptors().isEmpty()) {
        SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.missingKeyDescriptor();
        throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }
    KeyInfo keyInfo = roleDescriptor.getKeyDescriptors().get(0).getKeyInfo();
    if (keyInfo == null) {
        SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.missingKeyInfo();
        throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }
    if (keyInfo.getX509Datas().isEmpty()) {
        SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.missingX509Data();
        throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }
    X509Data x509Data = keyInfo.getX509Datas().get(0);
    if (x509Data.getX509Certificates().isEmpty()) {
        SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.missingX509Certificate();
        throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }
    X509Certificate x509Certificate = x509Data.getX509Certificates().get(0);
    // The certificate element must actually carry a (base64) value; an empty element is rejected.
    if (StringUtils.isEmpty(x509Certificate.getValue())) {
        SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.emptyX509Certificiate();
        throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }
}
Also used: SamlValidationSpecificationFailure (uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure), KeyInfo (org.opensaml.xmlsec.signature.KeyInfo), SamlTransformationErrorException (uk.gov.ida.saml.core.validation.SamlTransformationErrorException), RoleDescriptor (org.opensaml.saml.saml2.metadata.RoleDescriptor), X509Data (org.opensaml.xmlsec.signature.X509Data), X509Certificate (org.opensaml.xmlsec.signature.X509Certificate)

Example 7 with SamlValidationSpecificationFailure

Use of uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure in the project verify-hub by alphagov.

The method handleRequestPost of the class SamlMessageReceiverApi.

@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Timed
@ResponseMetered
public Response handleRequestPost(SamlRequestDto samlRequestDto) {
    // Reject malformed relay state before the SAML message itself is parsed.
    relayStateValidator.validate(samlRequestDto.getRelayState());
    AuthnRequest authnRequest = stringSamlAuthnRequestTransformer.apply(samlRequestDto.getSamlRequest());
    // Verify the AuthnRequest signature against the issuer's SP metadata (SPSSODescriptor).
    SamlValidationResponse signatureValidationResponse = authnRequestSignatureValidator.validate(authnRequest, SPSSODescriptor.DEFAULT_ELEMENT_NAME);
    // The per-issuer counter and the protective-monitoring log entry are recorded for every
    // request, including ones whose signature fails, so rejected requests remain auditable.
    authnRequestsFromEntities.labels(authnRequest.getIssuer().getValue()).inc();
    protectiveMonitoringLogger.logAuthnRequest(authnRequest, Direction.INBOUND, SignatureStatus.fromValidationResponse(signatureValidationResponse));
    if (!signatureValidationResponse.isOK()) {
        SamlValidationSpecificationFailure failure = signatureValidationResponse.getSamlValidationSpecificationFailure();
        throw new SamlTransformationErrorException(String.format("Invalid authn request from issuer \"%s\". %s", authnRequest.getIssuer().getValue(), failure.getErrorMessage()), signatureValidationResponse.getCause(), Level.ERROR);
    }
    // Only a request with a valid signature reaches session creation.
    SamlAuthnRequestContainerDto samlAuthnRequestContainerDto = new SamlAuthnRequestContainerDto(samlRequestDto.getSamlRequest(), Optional.ofNullable(samlRequestDto.getRelayState()), samlRequestDto.getPrincipalIpAsSeenByFrontend());
    SessionId sessionId = sessionProxy.createSession(samlAuthnRequestContainerDto);
    return Response.ok(sessionId).build();
}
Also used: SamlValidationResponse (uk.gov.ida.saml.core.validation.SamlValidationResponse), SamlValidationSpecificationFailure (uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure), SamlAuthnRequestContainerDto (uk.gov.ida.hub.samlproxy.domain.SamlAuthnRequestContainerDto), AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest), SamlTransformationErrorException (uk.gov.ida.saml.core.validation.SamlTransformationErrorException), SessionId (uk.gov.ida.common.SessionId), ResponseMetered (com.codahale.metrics.annotation.ResponseMetered), POST (javax.ws.rs.POST), Consumes (javax.ws.rs.Consumes), Produces (javax.ws.rs.Produces), Timed (com.codahale.metrics.annotation.Timed)

Example 8 with SamlValidationSpecificationFailure

Use of uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure in the project verify-hub by alphagov.

The method validateAttributes of the class EidasAttributeStatementAssertionValidator.

// Validates the attribute statement of an eIDAS assertion: exactly one AttributeStatement,
// at least one attribute, all mandatory attributes present, every attribute recognised,
// non-empty and of the expected schema type. Only the attribute NameFormat check is
// non-fatal; it logs a warning instead of rejecting the assertion.
private void validateAttributes(Assertion assertion) {
    final List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
    if (attributeStatements.isEmpty()) {
        SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.mdsStatementMissing();
        throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }
    if (attributeStatements.size() > 1) {
        SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.mdsMultipleStatements();
        throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }
    final List<Attribute> attributes = attributeStatements.get(0).getAttributes();
    if (attributes.isEmpty()) {
        SamlValidationSpecificationFailure failure = attributeStatementEmpty(assertion.getID());
        throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
    }
    // Presence check for the mandatory attributes, matched on the attribute Name (not FriendlyName).
    Set<String> attributeNames = attributes.stream().map(Attribute::getName).collect(Collectors.toSet());
    if (!attributeNames.containsAll(MANDATORY_ATTRIBUTES.keySet())) {
        throw new SamlTransformationErrorException(String.format("Mandatory attributes not provided. Expected %s but got %s", MANDATORY_ATTRIBUTES.values().stream().collect(Collectors.joining(",")), attributes.stream().map(Attribute::getFriendlyName).collect(Collectors.joining(","))), Level.ERROR);
    }
    for (Attribute attribute : attributes) {
        final String attributeName = attribute.getName();
        // Unknown attribute names are rejected outright rather than ignored.
        if (!VALID_EIDAS_ATTRIBUTE_NAMES.contains(attributeName)) {
            SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.mdsAttributeNotRecognised(attributeName);
            throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
        }
        if (attribute.getAttributeValues().isEmpty()) {
            SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.emptyAttribute(attributeName);
            throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
        }
        // The xsi:type of the first value must match the type registered for this attribute name.
        if (!VALID_TYPE_FOR_ATTRIBUTE.get(attributeName).equals(attribute.getAttributeValues().get(0).getSchemaType())) {
            final QName schemaType = attribute.getAttributeValues().get(0).getSchemaType();
            SamlValidationSpecificationFailure failure = SamlTransformationErrorFactory.attributeWithIncorrectType(attributeName, VALID_TYPE_FOR_ATTRIBUTE.get(attributeName), schemaType);
            throw new SamlTransformationErrorException(failure.getErrorMessage(), failure.getLogLevel());
        }
        if (!VALID_ATTRIBUTE_NAME_FORMATS.contains(attribute.getNameFormat())) {
            SamlTransformationErrorManager.warn(invalidAttributeNameFormat(attribute.getNameFormat()));
        }
    }
}
Also used: SamlValidationSpecificationFailure (uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure), Attribute (org.opensaml.saml.saml2.core.Attribute), AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement), SamlTransformationErrorException (uk.gov.ida.saml.core.validation.SamlTransformationErrorException), QName (javax.xml.namespace.QName)

Example 9 with SamlValidationSpecificationFailure

Use of uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure in the project verify-hub by alphagov.

The method handleEidasResponsePost of the class SamlMessageReceiverApi.

@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Path(Urls.SamlProxyUrls.EIDAS_RESPONSE_POST_PATH)
@Timed
public Response handleEidasResponsePost(SamlRequestDto samlRequestDto) {
    // The endpoint only exists when an eIDAS response signature validator is configured;
    // otherwise it answers 404.
    if (eidasAuthnResponseSignatureValidator.isPresent()) {
        // For eIDAS responses the relay state carries the hub session id.
        final SessionId sessionId = new SessionId(samlRequestDto.getRelayState());
        MDC.put("SessionId", sessionId);
        relayStateValidator.validate(samlRequestDto.getRelayState());
        org.opensaml.saml.saml2.core.Response samlResponse = stringSamlResponseTransformer.apply(samlRequestDto.getSamlRequest());
        // Verify the Response signature against the country's IdP metadata (IDPSSODescriptor).
        SamlValidationResponse signatureValidationResponse = eidasAuthnResponseSignatureValidator.get().validate(samlResponse, IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
        // Logged before the failure decision, so rejected responses are still recorded.
        protectiveMonitoringLogger.logAuthnResponse(samlResponse, Direction.INBOUND, signatureValidationResponse.isOK());
        if (!signatureValidationResponse.isOK()) {
            SamlValidationSpecificationFailure failure = signatureValidationResponse.getSamlValidationSpecificationFailure();
            throw new SamlTransformationErrorException(failure.getErrorMessage(), signatureValidationResponse.getCause(), Level.ERROR);
        }
        final SamlAuthnResponseContainerDto authnResponseDto = new SamlAuthnResponseContainerDto(samlRequestDto.getSamlRequest(), sessionId, samlRequestDto.getPrincipalIpAsSeenByFrontend());
        return Response.ok(sessionProxy.receiveAuthnResponseFromCountry(authnResponseDto, sessionId)).build();
    }
    return Response.status(Response.Status.NOT_FOUND).build();
}
Also used: SamlValidationResponse (uk.gov.ida.saml.core.validation.SamlValidationResponse), SamlValidationSpecificationFailure (uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure), SamlTransformationErrorException (uk.gov.ida.saml.core.validation.SamlTransformationErrorException), SamlAuthnResponseContainerDto (uk.gov.ida.hub.samlproxy.domain.SamlAuthnResponseContainerDto), SessionId (uk.gov.ida.common.SessionId), Path (javax.ws.rs.Path), POST (javax.ws.rs.POST), Consumes (javax.ws.rs.Consumes), Produces (javax.ws.rs.Produces), Timed (com.codahale.metrics.annotation.Timed)

Example 10 with SamlValidationSpecificationFailure

Use of uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure in the project verify-hub by alphagov.

The method validateRequestSignature of the class MatchingServiceHealthChecker.

// Health-check helper: parses the outbound matching-service AttributeQuery and verifies that
// its signature validates against the SP metadata (SPSSODescriptor) before it is sent.
private void validateRequestSignature(Element matchingServiceRequest) {
    AttributeQuery attributeQuery = elementToAttributeQueryTransformer.apply(matchingServiceRequest);
    SamlValidationResponse signatureValidationResponse = matchingRequestSignatureValidator.validate(attributeQuery, SPSSODescriptor.DEFAULT_ELEMENT_NAME);
    if (!signatureValidationResponse.isOK()) {
        SamlValidationSpecificationFailure failure = signatureValidationResponse.getSamlValidationSpecificationFailure();
        throw new SamlTransformationErrorException(failure.getErrorMessage(), signatureValidationResponse.getCause(), Level.ERROR);
    }
}
Also used: SamlValidationResponse (uk.gov.ida.saml.core.validation.SamlValidationResponse), SamlValidationSpecificationFailure (uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure), AttributeQuery (org.opensaml.saml.saml2.core.AttributeQuery), SamlTransformationErrorException (uk.gov.ida.saml.core.validation.SamlTransformationErrorException)

Aggregations (type, package, number of usages across all examples)

SamlValidationSpecificationFailure (uk.gov.ida.saml.core.validation.SamlValidationSpecificationFailure): 15
SamlTransformationErrorException (uk.gov.ida.saml.core.validation.SamlTransformationErrorException): 13
SamlValidationResponse (uk.gov.ida.saml.core.validation.SamlValidationResponse): 8
Timed (com.codahale.metrics.annotation.Timed): 3
Consumes (javax.ws.rs.Consumes): 3
POST (javax.ws.rs.POST): 3
Produces (javax.ws.rs.Produces): 3
AttributeQuery (org.opensaml.saml.saml2.core.AttributeQuery): 3
SessionId (uk.gov.ida.common.SessionId): 3
ResponseMetered (com.codahale.metrics.annotation.ResponseMetered): 2
Path (javax.ws.rs.Path): 2
Attribute (org.opensaml.saml.saml2.core.Attribute): 2
AttributeStatement (org.opensaml.saml.saml2.core.AttributeStatement): 2
AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest): 2
SamlAuthnResponseContainerDto (uk.gov.ida.hub.samlproxy.domain.SamlAuthnResponseContainerDto): 2
QName (javax.xml.namespace.QName): 1
DateTime (org.joda.time.DateTime): 1
Test (org.junit.jupiter.api.Test): 1
Response (org.opensaml.saml.saml2.core.Response): 1
StatusCode (org.opensaml.saml.saml2.core.StatusCode): 1