/** {@inheritDoc} */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final SubjectCanonicalizationContext c14nContext) {

    // Relies on an earlier check that a NameIDPrincipal is present: iterator().next()
    // throws NoSuchElementException on an empty set.
    final NameIDPrincipal principal =
            c14nContext.getSubject().getPrincipals(NameIDPrincipal.class).iterator().next();

    try {
        c14nContext.setPrincipalName(decoder.decode(c14nContext, principal.getNameID()));
    } catch (final NameDecoderException e) {
        // Decoder failure: record the cause on the context and signal a c14n error,
        // which is distinct from the "no usable subject" outcome below.
        c14nContext.setException(e);
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.SUBJECT_C14N_ERROR);
        return;
    }

    // The decoder may yield no name at all; that is reported as an invalid subject
    // without any exception being attached to the context.
    if (c14nContext.getPrincipalName() == null) {
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT);
    }
}
subject.getPrincipals().add(new NameIDPrincipal(nameID)); final SubjectCanonicalizationContext c14n = new SubjectCanonicalizationContext(); c14n.setSubject(subject); c14n.setRequesterId(requesterEntityID); } else { log.warn("Unable to determine effective SAML requester for c14n, Subject c14n may fail, " c14n.setResponderId(responderLookupStrategy.apply(profileRequestContext));
/** {@inheritDoc} */
@Override
protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final SubjectCanonicalizationContext c14nContext) {

    // An attempted flow still recorded on the context is a leftover from an earlier, unfinished
    // run. Parking it under its ID in the intermediate set prevents the same (probably failed)
    // flow from being selected again.
    if (c14nContext.getAttemptedFlow() != null) {
        final String previousFlowId = c14nContext.getAttemptedFlow().getId();
        log.info("{} Moving incomplete flow {} to intermediate set, reselecting a different one",
                getLogPrefix(), previousFlowId);
        c14nContext.getIntermediateFlows().put(previousFlowId, c14nContext.getAttemptedFlow());
    }

    return super.doPreExecute(profileRequestContext, c14nContext);
}
/**
 * Performs this c14n action's pre-execute step. The default implementation only checks that a
 * Subject is available on the c14n context; subclasses may extend the check.
 *
 * <p>When no Subject is present, a {@link SubjectCanonicalizationException} is recorded on the
 * context and an {@code INVALID_SUBJECT} event is raised before returning {@code false}.</p>
 *
 * @param profileRequestContext the current IdP profile request context
 * @param c14nContext the current subject canonicalization context
 *
 * @return {@code true} iff execution should continue
 */
protected boolean doPreExecute(
        @Nonnull final ProfileRequestContext<InboundMessageType, OutboundMessageType> profileRequestContext,
        @Nonnull final SubjectCanonicalizationContext c14nContext) {

    if (c14nContext.getSubject() != null) {
        return true;
    }

    // Without a Subject there is nothing to canonicalize: record the reason on the context and
    // signal the failure so the flow can react.
    c14nContext.setException(new SubjectCanonicalizationException("No Subject found in context"));
    ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT);
    return false;
}
/** {@inheritDoc} */
@Override
protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {

    if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
        return false;
    }

    // Kept in a field rather than a local so it remains available after this step.
    sessionCtx = sessionContextLookupStrategy.apply(profileRequestContext);
    final boolean sessionPresent = sessionCtx != null && sessionCtx.getIdPSession() != null;
    if (!sessionPresent) {
        log.debug("{} No previous session found, nothing to do", getLogPrefix());
        return false;
    }

    final SubjectCanonicalizationContext c14n = c14nContextLookupStrategy.apply(profileRequestContext);
    final String canonicalName = c14n == null ? null : c14n.getPrincipalName();
    if (canonicalName == null) {
        // No new canonical name was produced, so the identity already in the session stands.
        log.debug("{} Reusing identity from session, nothing to do", getLogPrefix());
        return false;
    }

    newPrincipalName = canonicalName;
    return true;
}
log.error("{} Error resolving PrincipalConnector: Invalid Attribute resolver configuration.", getLogPrefix()); c14nContext.setException(new SubjectCanonicalizationException( "Error resolving PrincipalConnectore: Invalid Attribute resolver configuration.")); ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT); if (!(attributeResolver instanceof LegacyPrincipalDecoder)) { log.info("{} Attribute Resolver did not implement LegacyPrincipalDecoder.", getLogPrefix()); c14nContext.setException(new SubjectCanonicalizationException( "Attribute Resolver did not implement LegacyPrincipalDecoder.")); ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT); if (null == decodedPrincipal) { log.info("{} Legacy Principal Decoding returned no value", getLogPrefix()); c14nContext.setException(new SubjectCanonicalizationException( "Legacy Principal Decoding returned no value")); ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT); c14nContext.setPrincipalName(decodedPrincipal); } catch (final ResolutionException e) { c14nContext.setException(e); ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.SUBJECT_C14N_ERROR); } finally {
/** {@inheritDoc} */
@Override
protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final SubjectCanonicalizationContext c14nContext) {

    // The embedded predicate decides whether this action applies; the trailing 'true' is
    // presumably its "evaluated during the action" flag — confirm against the predicate.
    if (!embeddedPredicate.apply(profileRequestContext, c14nContext, true)) {
        return false;
    }

    // With the predicate satisfied a UsernamePrincipal is expected to be present;
    // iterator().next() would throw NoSuchElementException otherwise.
    usernamePrincipal = c14nContext.getSubject().getPrincipals(UsernamePrincipal.class).iterator().next();
    return super.doPreExecute(profileRequestContext, c14nContext);
}
/** {@inheritDoc} */
@Override
protected void buildAuthenticationResult(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final AuthenticationContext authenticationContext) {

    super.buildAuthenticationResult(profileRequestContext, authenticationContext);

    // The username this action holds is already canonical, so c14n is short-circuited by
    // pre-populating the c14n subcontext (created on demand) with that name.
    final SubjectCanonicalizationContext c14nContext =
            profileRequestContext.getSubcontext(SubjectCanonicalizationContext.class, true);
    c14nContext.setPrincipalName(username);
}
/** {@inheritDoc} */
@Override
protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final SubjectCanonicalizationContext c14nContext) {

    attributeCtx = attributeContextLookupStrategy.apply(profileRequestContext);
    if (attributeCtx != null && !attributeCtx.getIdPAttributes().isEmpty()) {
        return super.doPreExecute(profileRequestContext, c14nContext);
    }

    // No resolved attributes means there is nothing to derive a principal name from.
    log.warn("{} No attributes found, canonicalization not possible", getLogPrefix());
    c14nContext.setException(new SubjectCanonicalizationException("No attributes were found"));
    ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT);
    return false;
}
@Nonnull final SubjectCanonicalizationContext c14nContext) { final SubjectCanonicalizationFlowDescriptor flowDescriptor = c14nContext.getAttemptedFlow();
@Nonnull final SubjectCanonicalizationContext c14nContext, final boolean duringAction) { if (c14nContext.getSubject() != null) { final Set<X509Certificate> certificates = c14nContext.getSubject().getPublicCredentials(X509Certificate.class); if (certificates != null && certificates.size() == 1) { return true; final Set<X500Principal> principals = c14nContext.getSubject().getPrincipals(X500Principal.class); if (principals != null && principals.size() == 1) { return true; c14nContext.setException(new SubjectCanonicalizationException( "Neither a single X509Certificate nor X500Principal were found")); ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT);
/** {@inheritDoc} */
@Override
public String apply(final ProfileRequestContext input) {
    if (input == null) {
        return null;
    }

    // A freshly canonicalized name takes precedence over whatever the existing session holds.
    final SubjectCanonicalizationContext c14nContext = input.getSubcontext(SubjectCanonicalizationContext.class);
    if (c14nContext != null && c14nContext.getPrincipalName() != null) {
        return c14nContext.getPrincipalName();
    }

    // Fall back to the principal name of an established IdP session, if any.
    final SessionContext sessionContext = input.getSubcontext(SessionContext.class);
    if (sessionContext == null || sessionContext.getIdPSession() == null) {
        return null;
    }
    return sessionContext.getIdPSession().getPrincipalName();
}
c14nContext.setPrincipalName(applyTransforms(((StringAttributeValue) val).getValue())); return; } else if (val instanceof ScopedStringAttributeValue) { log.debug("{} Using attribute {} scoped value {} as input to transforms", getLogPrefix(), id, withScope); c14nContext.setPrincipalName(applyTransforms(withScope)); return; } else { c14nContext.setException(new SubjectCanonicalizationException("No usable attribute values were found")); ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT);
if (c14nContext.getSubject() == null) { return null; c14nContext.getSubject().getPrincipals(NameIdentifierPrincipal.class); if (nameIdentifierPrincipals != null && !nameIdentifierPrincipals.isEmpty()) { if (nameIdentifierPrincipals.size() > 1) { final Set<NameIDPrincipal> nameIDPrincipals = c14nContext.getSubject().getPrincipals(NameIDPrincipal.class); if (nameIDPrincipals != null && !nameIDPrincipals.isEmpty()) { if (nameIDPrincipals.size() > 1) {
/** {@inheritDoc} */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final SubjectCanonicalizationContext c14nContext) {

    // usernamePrincipal is presumably populated by the pre-execute step; the configured
    // transforms are applied to its raw name before it becomes the canonical principal name.
    final String rawName = usernamePrincipal.getName();
    c14nContext.setPrincipalName(applyTransforms(rawName));
}
@Nonnull final SubjectCanonicalizationContext c14nContext) { final SubjectCanonicalizationFlowDescriptor flowDescriptor = c14nContext.getAttemptedFlow();
final SubjectCanonicalizationContext c14n = new SubjectCanonicalizationContext(); c14n.setSubject(result.getSubject()); if (requesterLookupStrategy != null) { c14n.setRequesterId(requesterLookupStrategy.apply(profileRequestContext)); c14n.setResponderId(responderLookupStrategy.apply(profileRequestContext));
/** {@inheritDoc} */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final SubjectCanonicalizationContext c14nContext) {

    // Relies on an earlier check that a NameIdentifierPrincipal is present: iterator().next()
    // throws NoSuchElementException on an empty set.
    final NameIdentifierPrincipal principal =
            c14nContext.getSubject().getPrincipals(NameIdentifierPrincipal.class).iterator().next();

    try {
        c14nContext.setPrincipalName(decoder.decode(c14nContext, principal.getNameIdentifier()));
    } catch (final NameDecoderException e) {
        // Decoder failure: record the cause on the context and signal a c14n error,
        // which is distinct from the "no usable subject" outcome below.
        c14nContext.setException(e);
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.SUBJECT_C14N_ERROR);
        return;
    }

    // The decoder may yield no name at all; that is reported as an invalid subject
    // without any exception being attached to the context.
    if (c14nContext.getPrincipalName() == null) {
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT);
    }
}
/** {@inheritDoc} */
@Override
protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final SubjectCanonicalizationContext c14nContext) {

    // Prefer a single X.509 certificate among the public credentials; its subject DN supplies
    // the X500Principal. Otherwise accept a single X500Principal carried directly on the Subject.
    final Set<X509Certificate> certificates =
            c14nContext.getSubject().getPublicCredentials(X509Certificate.class);
    final boolean singleCertificate = certificates != null && certificates.size() == 1;
    if (singleCertificate) {
        certificate = certificates.iterator().next();
        x500Principal = certificate.getSubjectX500Principal();
    } else {
        final Set<X500Principal> principals = c14nContext.getSubject().getPrincipals(X500Principal.class);
        if (principals != null && principals.size() == 1) {
            x500Principal = principals.iterator().next();
        }
    }

    // Ambiguous input (zero or several candidates) is rejected rather than guessed at.
    if (x500Principal == null) {
        c14nContext.setException(new SubjectCanonicalizationException(
                "Neither a single X509Certificate nor X500Principal were found"));
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT);
        return false;
    }

    return super.doPreExecute(profileRequestContext, c14nContext);
}
/** {@inheritDoc} */
@Override
protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {

    final SubjectCanonicalizationContext c14nCtx =
            profileRequestContext.getSubcontext(SubjectCanonicalizationContext.class);
    if (c14nCtx == null) {
        log.debug("{} No SubjectCanonicalizationContext available", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT_C14N_CTX);
        return false;
    }

    // Capture the name, then remove the c14n context regardless of outcome — presumably so a
    // stale context is not left in the tree for later steps to pick up.
    canonicalPrincipalName = c14nCtx.getPrincipalName();
    profileRequestContext.removeSubcontext(c14nCtx);

    if (canonicalPrincipalName != null) {
        return super.doPreExecute(profileRequestContext);
    }

    log.debug("{} No principal name in SubjectCanonicalizationContext", getLogPrefix());
    ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT_C14N_CTX);
    return false;
}