Search in sources :

Example 1 with ValidatedResponse

use of uk.gov.ida.saml.security.validators.ValidatedResponse in project verify-hub by alphagov.

the class CountryAuthnResponseTranslatorServiceTest method setup.

@Before
public void setup() throws Exception {
    IdaSamlBootstrap.bootstrap();
    service = new CountryAuthnResponseTranslatorService(stringToOpenSamlResponseTransformer, responseFromCountryValidator, new IdpIdaStatusUnmarshaller(new IdpIdaStatus.IdpIdaStatusFactory(), new SamlStatusToIdpIdaStatusMappingsFactory()), responseAssertionsFromCountryValidator, validateSamlResponseIssuedByIdpDestination, assertionDecrypter, assertionBlobEncrypter, samlResponseSignatureValidator, samlAssertionsSignatureValidator, new PassthroughAssertionUnmarshaller(new XmlObjectToBase64EncodedStringTransformer<>(), new AuthnContextFactory()));
    Response eidasSAMLResponse = (Response) buildResponseFromFile();
    ValidatedResponse validateEIDASSAMLResponse = new ValidatedResponse(eidasSAMLResponse);
    List<Assertion> decryptedAssertions = eidasSAMLResponse.getAssertions();
    when(samlAuthnResponseTranslatorDto.getSamlResponse()).thenReturn("eidas");
    when(samlAuthnResponseTranslatorDto.getMatchingServiceEntityId()).thenReturn("mid");
    when(stringToOpenSamlResponseTransformer.apply("eidas")).thenReturn(eidasSAMLResponse);
    doNothing().when(responseFromCountryValidator).validate(eidasSAMLResponse);
    when(samlResponseSignatureValidator.validate(eidasSAMLResponse, IDPSSODescriptor.DEFAULT_ELEMENT_NAME)).thenReturn(validateEIDASSAMLResponse);
    when(assertionDecrypter.decryptAssertions(validateEIDASSAMLResponse)).thenReturn(decryptedAssertions);
    when(assertionBlobEncrypter.encryptAssertionBlob(eq("mid"), any(String.class))).thenReturn(identityUnderlyingAssertionBlob);
    when(samlAssertionsSignatureValidator.validate(decryptedAssertions, IDPSSODescriptor.DEFAULT_ELEMENT_NAME)).thenReturn(new ValidatedAssertions(decryptedAssertions));
}
Also used : IdpIdaStatus(uk.gov.ida.saml.hub.domain.IdpIdaStatus) Assertion(org.opensaml.saml.saml2.core.Assertion) ValidatedResponse(uk.gov.ida.saml.security.validators.ValidatedResponse) ValidatedResponse(uk.gov.ida.saml.security.validators.ValidatedResponse) Response(org.opensaml.saml.saml2.core.Response) PassthroughAssertionUnmarshaller(uk.gov.ida.saml.hub.transformers.inbound.PassthroughAssertionUnmarshaller) IdpIdaStatusUnmarshaller(uk.gov.ida.saml.hub.transformers.inbound.IdpIdaStatusUnmarshaller) ValidatedAssertions(uk.gov.ida.saml.security.validators.ValidatedAssertions) AuthnContextFactory(uk.gov.ida.saml.core.transformers.AuthnContextFactory) SamlStatusToIdpIdaStatusMappingsFactory(uk.gov.ida.saml.hub.transformers.inbound.SamlStatusToIdpIdaStatusMappingsFactory) Before(org.junit.Before)

Example 2 with ValidatedResponse

use of uk.gov.ida.saml.security.validators.ValidatedResponse in project verify-hub by alphagov.

the class CountryAuthnResponseTranslatorService method toModel.

private InboundResponseFromCountry toModel(ValidatedResponse response, Optional<Assertion> validatedIdentityAssertionOptional, String matchingServiceEntityId) {
    Optional<PassthroughAssertion> passthroughAssertion = validatedIdentityAssertionOptional.map(validatedIdentityAssertion -> passthroughAssertionUnmarshaller.fromAssertion(validatedIdentityAssertion, true));
    Optional<LevelOfAssurance> levelOfAssurance = passthroughAssertion.flatMap(assertion -> assertion.getAuthnContext()).map(AuthnContext::name).filter(string -> !isNullOrEmpty(string)).map(LevelOfAssurance::valueOf);
    IdpIdaStatus status = statusUnmarshaller.fromSaml(response.getStatus());
    return new InboundResponseFromCountry(response.getIssuer().getValue(), validatedIdentityAssertionOptional.map(Assertion::getSubject).map(Subject::getNameID).map(NameID::getValue), Optional.ofNullable(status).map(IdpIdaStatus::getStatusCode).map(IdpIdaStatus.Status::name), status.getMessage(), passthroughAssertion.map(assertion -> assertionBlobEncrypter.encryptAssertionBlob(matchingServiceEntityId, assertion.getUnderlyingAssertionBlob())), levelOfAssurance);
}
Also used : LevelOfAssurance(uk.gov.ida.hub.samlengine.domain.LevelOfAssurance) StringToOpenSamlObjectTransformer(uk.gov.ida.saml.deserializers.StringToOpenSamlObjectTransformer) Strings.isNullOrEmpty(com.google.common.base.Strings.isNullOrEmpty) Subject(org.opensaml.saml.saml2.core.Subject) IdpIdaStatusUnmarshaller(uk.gov.ida.saml.hub.transformers.inbound.IdpIdaStatusUnmarshaller) ValidatedResponse(uk.gov.ida.saml.security.validators.ValidatedResponse) MdcHelper(uk.gov.ida.hub.samlengine.logging.MdcHelper) ResponseFromCountryValidator(uk.gov.ida.hub.samlengine.validation.country.ResponseFromCountryValidator) SamlResponseSignatureValidator(uk.gov.ida.saml.security.validators.signature.SamlResponseSignatureValidator) Inject(javax.inject.Inject) Assertion(org.opensaml.saml.saml2.core.Assertion) AssertionBlobEncrypter(uk.gov.ida.saml.core.transformers.outbound.decorators.AssertionBlobEncrypter) IDPSSODescriptor(org.opensaml.saml.saml2.metadata.IDPSSODescriptor) AuthnContext(uk.gov.ida.saml.core.domain.AuthnContext) ResponseAssertionsFromCountryValidator(uk.gov.ida.hub.samlengine.validation.country.ResponseAssertionsFromCountryValidator) Response(org.opensaml.saml.saml2.core.Response) PassthroughAssertionUnmarshaller(uk.gov.ida.saml.hub.transformers.inbound.PassthroughAssertionUnmarshaller) AssertionDecrypter(uk.gov.ida.saml.security.AssertionDecrypter) SamlAuthnResponseTranslatorDto(uk.gov.ida.hub.samlengine.contracts.SamlAuthnResponseTranslatorDto) InboundResponseFromCountry(uk.gov.ida.hub.samlengine.domain.InboundResponseFromCountry) List(java.util.List) PassthroughAssertion(uk.gov.ida.saml.core.domain.PassthroughAssertion) LevelOfAssurance(uk.gov.ida.hub.samlengine.domain.LevelOfAssurance) DestinationValidator(uk.gov.ida.saml.core.validators.DestinationValidator) Optional(java.util.Optional) IdpIdaStatus(uk.gov.ida.saml.hub.domain.IdpIdaStatus) NameID(org.opensaml.saml.saml2.core.NameID) SamlAssertionsSignatureValidator(uk.gov.ida.saml.security.SamlAssertionsSignatureValidator) InboundResponseFromCountry(uk.gov.ida.hub.samlengine.domain.InboundResponseFromCountry) PassthroughAssertion(uk.gov.ida.saml.core.domain.PassthroughAssertion) IdpIdaStatus(uk.gov.ida.saml.hub.domain.IdpIdaStatus) Subject(org.opensaml.saml.saml2.core.Subject) AuthnContext(uk.gov.ida.saml.core.domain.AuthnContext)

Example 3 with ValidatedResponse

use of uk.gov.ida.saml.security.validators.ValidatedResponse in project verify-hub by alphagov.

the class AssertionDecrypter method decryptAssertions.

public List<Assertion> decryptAssertions(Response response) {
    KeyPair encryptionKeyPair = new KeyPair(publicKey, privateKey);
    KeyPair signingKeyPair = new KeyPair(publicKey, privateKey);
    IdaKeyStore keyStore = new IdaKeyStore(signingKeyPair, Collections.singletonList(encryptionKeyPair));
    IdaKeyStoreCredentialRetriever idaKeyStoreCredentialRetriever = new IdaKeyStoreCredentialRetriever(keyStore);
    Decrypter decrypter = new DecrypterFactory().createDecrypter(idaKeyStoreCredentialRetriever.getDecryptingCredentials());
    uk.gov.ida.saml.security.AssertionDecrypter assertionDecrypter = new uk.gov.ida.saml.security.AssertionDecrypter(new EncryptionAlgorithmValidator(ImmutableSet.of(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES256_GCM)), decrypter);
    return assertionDecrypter.decryptAssertions(new ValidatedResponse(response));
}
Also used : KeyPair(java.security.KeyPair) EncryptionAlgorithmValidator(uk.gov.ida.saml.security.validators.encryptedelementtype.EncryptionAlgorithmValidator) Decrypter(org.opensaml.saml.saml2.encryption.Decrypter) ValidatedResponse(uk.gov.ida.saml.security.validators.ValidatedResponse) IdaKeyStore(uk.gov.ida.saml.security.IdaKeyStore) IdaKeyStoreCredentialRetriever(uk.gov.ida.saml.security.IdaKeyStoreCredentialRetriever) DecrypterFactory(uk.gov.ida.saml.security.DecrypterFactory)

Example 4 with ValidatedResponse

use of uk.gov.ida.saml.security.validators.ValidatedResponse in project verify-hub by alphagov.

the class CountryAuthnResponseTranslatorService method translate.

public InboundResponseFromCountry translate(SamlAuthnResponseTranslatorDto samlResponseDto) {
    Response response = unmarshall(samlResponseDto);
    ValidatedResponse validatedResponse = validateResponse(response);
    List<Assertion> assertions = assertionDecrypter.decryptAssertions(validatedResponse);
    Optional<Assertion> validatedIdentityAssertion = validateAssertion(validatedResponse, assertions);
    return toModel(validatedResponse, validatedIdentityAssertion, samlResponseDto.getMatchingServiceEntityId());
}
Also used : ValidatedResponse(uk.gov.ida.saml.security.validators.ValidatedResponse) Response(org.opensaml.saml.saml2.core.Response) Assertion(org.opensaml.saml.saml2.core.Assertion) PassthroughAssertion(uk.gov.ida.saml.core.domain.PassthroughAssertion) ValidatedResponse(uk.gov.ida.saml.security.validators.ValidatedResponse)

Aggregations

ValidatedResponse (uk.gov.ida.saml.security.validators.ValidatedResponse)4 Assertion (org.opensaml.saml.saml2.core.Assertion)3 Response (org.opensaml.saml.saml2.core.Response)3 PassthroughAssertion (uk.gov.ida.saml.core.domain.PassthroughAssertion)2 IdpIdaStatus (uk.gov.ida.saml.hub.domain.IdpIdaStatus)2 IdpIdaStatusUnmarshaller (uk.gov.ida.saml.hub.transformers.inbound.IdpIdaStatusUnmarshaller)2 PassthroughAssertionUnmarshaller (uk.gov.ida.saml.hub.transformers.inbound.PassthroughAssertionUnmarshaller)2 Strings.isNullOrEmpty (com.google.common.base.Strings.isNullOrEmpty)1 KeyPair (java.security.KeyPair)1 List (java.util.List)1 Optional (java.util.Optional)1 Inject (javax.inject.Inject)1 Before (org.junit.Before)1 NameID (org.opensaml.saml.saml2.core.NameID)1 Subject (org.opensaml.saml.saml2.core.Subject)1 Decrypter (org.opensaml.saml.saml2.encryption.Decrypter)1 IDPSSODescriptor (org.opensaml.saml.saml2.metadata.IDPSSODescriptor)1 SamlAuthnResponseTranslatorDto (uk.gov.ida.hub.samlengine.contracts.SamlAuthnResponseTranslatorDto)1 InboundResponseFromCountry (uk.gov.ida.hub.samlengine.domain.InboundResponseFromCountry)1 LevelOfAssurance (uk.gov.ida.hub.samlengine.domain.LevelOfAssurance)1