/**
 * Look up the {@link RoleDescriptor} of the peer that issued the given SAML 2 artifact.
 *
 * <p>The lookup is keyed on three things: the artifact itself, the SAML 2.0 protocol
 * namespace, and the configured peer entity role. Any failure inside the resolver is
 * surfaced as a {@link MessageDecodingException} so the decoder treats it as a
 * decoding failure rather than letting a resolver-specific exception escape.</p>
 *
 * @param artifact the decoded artifact whose issuer is wanted
 * @return whatever {@code resolveSingle} yields for the criteria; the resolver's contract,
 *         not this method, decides whether "no match" is reported as {@code null}
 * @throws MessageDecodingException if the underlying resolver throws
 */
private RoleDescriptor resolvePeerRoleDescriptor(SAML2Artifact artifact) throws MessageDecodingException {
    final ArtifactCriterion byArtifact = new ArtifactCriterion(artifact);
    final ProtocolCriterion saml2Only = new ProtocolCriterion(SAMLConstants.SAML20P_NS);
    final EntityRoleCriterion peerRole = new EntityRoleCriterion(getPeerEntityRole());
    final CriteriaSet lookup = new CriteriaSet(byArtifact, saml2Only, peerRole);
    try {
        // NOTE(review): a missing descriptor is not an error here; the caller must treat
        // a null/absent result as an unknown (untrusted) peer — confirm it does.
        return roleDescriptorResolver.resolveSingle(lookup);
    } catch (ResolverException e) {
        throw new MessageDecodingException("Error resolving peer entity RoleDescriptor", e);
    }
}
/**
 * Constructor.
 *
 * <p>Both the criterion and the protocol URI it carries are required; a null in either
 * position is a caller error and is rejected up front via {@link Constraint}, so the
 * stored {@code protocol} is never null.</p>
 *
 * @param criterion the protocol criterion supplying the protocol URI to evaluate against
 */
public EvaluableProtocolRoleDescriptorCriterion(@Nonnull final ProtocolCriterion criterion) {
    final ProtocolCriterion checked = Constraint.isNotNull(criterion, "ProtocolCriterion was null");
    protocol = Constraint.isNotNull(checked.getProtocol(), "Criterion protocol was null");
}
protocolCriterion = new ProtocolCriterion(protocolCtx.getProtocol()); log.info("{} No metadata returned for {} in role {} with protocol {}", new Object[]{getLogPrefix(), entityCtx.getEntityId(), entityCtx.getRole(), protocolCriterion.getProtocol(),}); } else { log.info("{} No metadata returned for {} in role {}",
new EntityRoleCriterion(role)); if (protocol != null) { criteria.add(new ProtocolCriterion(protocol));
if (protocolCriterion != null) { aggregate.add(entityDescriptor.getRoleDescriptors(roleCriterion.getRole(), protocolCriterion.getProtocol())); } else { aggregate.add(entityDescriptor.getRoleDescriptors(roleCriterion.getRole()));
/**
 * Create the set of criteria used to find a unique CAS service given a CAS service URL.
 *
 * <p>The query is phrased in metadata terms: an SP role, a login endpoint whose location
 * is the service URL, the CAS protocol URI, and a starts-with location criterion so the
 * registered location is matched as a prefix rather than byte-for-byte.</p>
 *
 * @param serviceURL CAS service URL.
 *
 * @return Metadata resolver criteria set.
 */
@Nonnull
protected CriteriaSet criteria(@Nonnull final String serviceURL) {
    final AssertionConsumerService endpoint = new AssertionConsumerServiceBuilder().buildObject();
    endpoint.setBinding(LOGIN_BINDING);
    endpoint.setLocation(serviceURL);

    final EntityRoleCriterion spRole = new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
    final EndpointCriterion<AssertionConsumerService> loginEndpoint = new EndpointCriterion<>(endpoint);
    final ProtocolCriterion casProtocol = new ProtocolCriterion(AbstractProtocolConfiguration.PROTOCOL_URI);

    // NOTE(review): prefix matching widens what a registered location accepts. Confirm the
    // resolver's starts-with rule cannot be satisfied by a caller-chosen suffix (extra path
    // segment, query string, userinfo) appended to a trusted URL.
    return new CriteriaSet(spRole, loginEndpoint, casProtocol, new StartsWithLocationCriterion());
}
/**
 * {@inheritDoc}
 *
 * <p>The returned set is the union of three sources: names pulled from metadata for the
 * entity/role/protocol/usage in the criteria, the entity ID itself, and any names the
 * caller supplied through a {@link TrustedNamesCriterion}. Protocol and usage are optional
 * inputs; an absent protocol is passed through as {@code null}, an absent usage becomes
 * {@link UsageType#UNSPECIFIED}.</p>
 */
@Override
@Nonnull
public Set<String> resolveTrustedNames(final CriteriaSet criteriaSet) throws ResolverException {
    ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);
    // Presumably enforces that EntityIdCriterion and EntityRoleCriterion are present; the
    // unconditional get() dereferences below rely on that.
    checkCriteriaRequirements(criteriaSet);

    final String entityID = criteriaSet.get(EntityIdCriterion.class).getEntityId();
    final QName role = criteriaSet.get(EntityRoleCriterion.class).getRole();

    final ProtocolCriterion protocolCriterion = criteriaSet.get(ProtocolCriterion.class);
    final String protocol = protocolCriterion == null ? null : protocolCriterion.getProtocol();

    final UsageCriterion usageCriterion = criteriaSet.get(UsageCriterion.class);
    final UsageType usage = usageCriterion == null ? UsageType.UNSPECIFIED : usageCriterion.getUsage();

    final Set<String> names = new HashSet<>();
    names.addAll(retrieveTrustedNamesFromMetadata(criteriaSet, entityID, role, protocol, usage));
    names.add(entityID);

    // NOTE(review): names supplied via TrustedNamesCriterion are trusted verbatim, with no
    // cross-check against metadata. Callers must never populate that criterion from
    // message-controlled input, or the name check it feeds becomes attacker-satisfiable.
    final TrustedNamesCriterion callerSupplied = criteriaSet.get(TrustedNamesCriterion.class);
    if (callerSupplied != null) {
        names.addAll(callerSupplied.getTrustedNames());
    }
    return names;
}
/**
 * {@inheritDoc}
 *
 * <p>Extends the superclass criteria with the peer's entity role and the SAML protocol,
 * both read from subcontexts of the message context. The subcontexts and the values they
 * carry are mandatory; a missing one is reported as a {@link MessageHandlerException}
 * wrapping the {@link ConstraintViolationException} rather than as a bare NPE later on.</p>
 */
@Override
@Nonnull
protected CriteriaSet buildCriteriaSet(@Nullable final String entityID,
        @Nonnull final MessageContext messageContext) throws MessageHandlerException {
    final CriteriaSet criteria = super.buildCriteriaSet(entityID, messageContext);
    try {
        log.trace("Attempting to build criteria based on contents of entity contxt class of type: {}",
                entityContextClass.getName());

        final AbstractAuthenticatableSAMLEntityContext authnEntityCtx =
                messageContext.getSubcontext(entityContextClass);
        Constraint.isNotNull(authnEntityCtx, "Required authenticatable SAML entity context was not present "
                + "in message context: " + entityContextClass.getName());
        // Constraint.isNotNull returns its argument, so the checked value feeds the criterion directly.
        criteria.add(new EntityRoleCriterion(
                Constraint.isNotNull(authnEntityCtx.getRole(), "SAML entity role was null")));

        final SAMLProtocolContext protocolCtx = messageContext.getSubcontext(SAMLProtocolContext.class);
        Constraint.isNotNull(protocolCtx, "SAMLProtocolContext was null");
        criteria.add(new ProtocolCriterion(
                Constraint.isNotNull(protocolCtx.getProtocol(), "SAML protocol was null")));
    } catch (final ConstraintViolationException e) {
        throw new MessageHandlerException(e);
    }
    return criteria;
}
protocolCriterion.getProtocol()); if (role != null) { return Collections.singletonList(role);
/**
 * Store the trust-engine criteria for a CAS service call on the HTTP client context.
 *
 * <p>The criteria identify the service as an SP (SPSSODescriptor role, CAS protocol URI),
 * ask for SIGNING-usage credentials, and pin the trusted name to the host of the request
 * URI. The method name indicates the set is consumed by a TLS trust engine wired in
 * elsewhere (presumably the socket factory); that consumer is not visible here.</p>
 *
 * <p>The entity ID is taken from the service's EntityDescriptor when one exists, and falls
 * back to the service name otherwise.</p>
 *
 * @param context the HTTP client context to annotate
 * @param requestUri the URI being requested; its host becomes the trusted name
 * @param service the CAS service the request is made to
 */
private static void setCASTLSTrustEngineCriteria(
        final HttpClientContext context, final URI requestUri, final Service service) {
    // NOTE(review): when no EntityDescriptor is registered the service *name* becomes the
    // entity ID the trust engine keys on. Confirm that name is operator-configured and not
    // derived from the incoming request.
    final String entityID = service.getEntityDescriptor() == null
            ? service.getName()
            : service.getEntityDescriptor().getEntityID();

    final EntityIdCriterion byEntity = new EntityIdCriterion(entityID);
    final EntityRoleCriterion spRole = new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
    final ProtocolCriterion casProtocol = new ProtocolCriterion(AbstractProtocolConfiguration.PROTOCOL_URI);
    final UsageCriterion signing = new UsageCriterion(UsageType.SIGNING);
    // Only the host actually being contacted is a trusted name for this call.
    final TrustedNamesCriterion hostOnly =
            new TrustedNamesCriterion(Collections.singleton(requestUri.getHost()));

    context.setAttribute(CONTEXT_KEY_CRITERIA_SET,
            new CriteriaSet(byEntity, spRole, casProtocol, signing, hostOnly));
}
}
/**
 * {@inheritDoc}
 *
 * <p>Reads the entity ID and role from the criteria (both required), the protocol if one
 * was given, and delegates to {@code retrievePKIXInfoFromMetadata}. An absent protocol is
 * passed through as {@code null}.</p>
 */
@Override
public Iterable<PKIXValidationInformation> resolve(final CriteriaSet criteriaSet) throws ResolverException {
    ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);
    // Presumably guarantees the two unconditional get() calls below do not return null.
    checkCriteriaRequirements(criteriaSet);

    final String entityID = criteriaSet.get(EntityIdCriterion.class).getEntityId();
    final QName role = criteriaSet.get(EntityRoleCriterion.class).getRole();

    final ProtocolCriterion protocolCriterion = criteriaSet.get(ProtocolCriterion.class);
    final String protocol = protocolCriterion != null ? protocolCriterion.getProtocol() : null;

    return retrievePKIXInfoFromMetadata(criteriaSet, entityID, role, protocol);
}
criteriaSet.add(new UsageCriterion(UsageType.SIGNING)); criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME)); criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS)); criteriaSet.add(new EntityIdCriterion(configuration.getIdentityProviderIdentifier())); try {
final ProtocolCriterion protocolCriteria = criteriaSet.get(ProtocolCriterion.class); if (protocolCriteria != null) { protocol = protocolCriteria.getProtocol();
/**
 * {@inheritDoc}
 *
 * <p>Builds the trust-engine criteria for a candidate issuer: its entity ID (only when one
 * is known), the peer role and SAML protocol from the handler's contexts, SIGNING usage,
 * and — when a {@code SecurityParametersContext} carrying signature validation parameters
 * is present — a criterion exposing those parameters to the engine.</p>
 */
@Override
@Nonnull
protected CriteriaSet buildCriteriaSet(@Nullable final String entityID,
        @Nonnull final MessageContext messageContext) throws MessageHandlerException {
    final CriteriaSet criteria = new CriteriaSet();

    // An unknown issuer is allowed to reach the engine without an EntityIdCriterion; the
    // engine then has only role/protocol/usage to go on.
    if (!Strings.isNullOrEmpty(entityID)) {
        criteria.add(new EntityIdCriterion(entityID));
    }
    // NOTE(review): peerContext.getRole() / samlProtocolContext.getProtocol() are used as-is;
    // a null from either presumably fails inside the criterion constructor — confirm.
    criteria.add(new EntityRoleCriterion(peerContext.getRole()));
    criteria.add(new ProtocolCriterion(samlProtocolContext.getProtocol()));
    criteria.add(new UsageCriterion(UsageType.SIGNING));

    final SecurityParametersContext securityParams =
            messageContext.getSubcontext(SecurityParametersContext.class);
    if (securityParams == null) {
        return criteria;
    }
    final SignatureValidationParameters sigParams = securityParams.getSignatureValidationParameters();
    if (sigParams != null) {
        criteria.add(new SignatureValidationParametersCriterion(sigParams));
    }
    return criteria;
}
/**
 * Build a criteria set suitable for input to the trust engine.
 *
 * <p>The set always carries the peer role, the SAML protocol and SIGNING usage. The
 * candidate issuer's entity ID is added only when non-empty, so an unidentified issuer
 * still produces a usable (if weaker) set. Signature validation parameters are forwarded
 * when a {@code SecurityParametersContext} supplies them.</p>
 *
 * @param entityID the candidate issuer entity ID which is being evaluated
 * @param messageContext the message context which is being evaluated
 * @return a newly constructed set of criteria suitable for the configured trust engine
 * @throws MessageHandlerException thrown if criteria set can not be constructed
 */
@Nonnull
protected CriteriaSet buildCriteriaSet(@Nullable final String entityID,
        @Nonnull final MessageContext messageContext) throws MessageHandlerException {
    final CriteriaSet criteria = new CriteriaSet();

    final boolean issuerKnown = !Strings.isNullOrEmpty(entityID);
    if (issuerKnown) {
        criteria.add(new EntityIdCriterion(entityID));
    }

    // NOTE(review): role and protocol come straight from the handler's contexts with no
    // null guard here; confirm the criterion constructors reject null rather than storing it.
    criteria.add(new EntityRoleCriterion(peerContext.getRole()));
    criteria.add(new ProtocolCriterion(samlProtocolContext.getProtocol()));
    criteria.add(new UsageCriterion(UsageType.SIGNING));

    final SecurityParametersContext securityParams =
            messageContext.getSubcontext(SecurityParametersContext.class);
    final boolean haveSigParams =
            securityParams != null && securityParams.getSignatureValidationParameters() != null;
    if (haveSigParams) {
        criteria.add(new SignatureValidationParametersCriterion(
                securityParams.getSignatureValidationParameters()));
    }
    return criteria;
}
final String protocol = sessionTypeProtocolMap.get(spSession.getClass()); if (protocol != null) { protocolCriterion = new ProtocolCriterion(protocol);
criteria.add(new EntityIdCriterion(peerCtx.getEntityId())); if (samlProtocol != null) { criteria.add(new ProtocolCriterion(samlProtocol));
criteriaSet.add(new UsageCriterion(UsageType.SIGNING)); criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME)); criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS)); criteriaSet.add(new EntityIdCriterion(wsFederationConfiguration.getIdentityProviderIdentifier()));
/**
 * Validate the given digital signature by checking its profile and value.
 *
 * <p>Two checks run in order. First the SAML signature profile check, which rejects
 * structurally unacceptable signatures before any key lookup or cryptography happens.
 * Then the trust engine evaluates the signature against SIGNING credentials for the
 * named IdP (IDPSSODescriptor role, SAML 2.0 protocol); what the engine considers
 * trusted for that entity is the engine's concern, not this method's.</p>
 *
 * <p>Every failure path — profile violation, an engine error, or a clean "not trusted"
 * verdict — ends in a {@link SAMLSignatureValidationException}, so callers cannot
 * accidentally proceed on a signature that was never positively validated.</p>
 *
 * @param signature the signature
 * @param idpEntityId the idp entity id
 * @param trustEngine the trust engine
 * @throws SAMLSignatureValidationException if the profile check fails, the engine throws,
 *         or the engine does not trust the signature
 */
protected final void validateSignature(final Signature signature, final String idpEntityId,
        final SignatureTrustEngine trustEngine) {
    // Profile check first; failing here short-circuits before any credential resolution.
    try {
        new SAMLSignatureProfileValidator().validate(signature);
    } catch (final SignatureException e) {
        throw new SAMLSignatureValidationException(
                "SAMLSignatureProfileValidator failed to validate signature", e);
    }

    final CriteriaSet idpSigningKeys = new CriteriaSet(
            new UsageCriterion(UsageType.SIGNING),
            new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME),
            new ProtocolCriterion(SAMLConstants.SAML20P_NS),
            new EntityIdCriterion(idpEntityId));

    final boolean trusted;
    try {
        trusted = trustEngine.validate(signature, idpSigningKeys);
    } catch (final SecurityException e) {
        throw new SAMLSignatureValidationException("An error occurred during signature validation", e);
    }
    // A false verdict is a hard failure, not a soft warning.
    if (!trusted) {
        throw new SAMLSignatureValidationException("Signature is not trusted");
    }
}