@Nullable
@Override
public Credential apply(String keyName) {
    // The key name is used verbatim as the entity-ID criterion the resolver is indexed by.
    final CriteriaSet lookup = new CriteriaSet();
    lookup.add(new EntityIdCriterion(keyName));
    try {
        return resolver.resolveSingle(lookup);
    } catch (Throwable t) {
        // Hands the (possibly checked) ResolverException to Exceptions.throwUnsafely so this
        // Function-shaped method can surface it without declaring it; nothing is swallowed.
        return Exceptions.throwUnsafely(t);
    }
}
}
/**
 * Assemble the {@link CriteriaSet} handed to TLS trust evaluation for this request.
 *
 * <p>Criteria produced by the configured TLS criteria strategy (if any) are copied in first.
 * A {@link UsageCriterion} of {@link UsageType#SIGNING} is then supplied unless the
 * {@code contains} check below reports that a usage criterion is already present.
 *
 * @param request the HTTP client request (not consulted by this implementation)
 * @param operationContext the operation context passed to the criteria strategy
 * @return a freshly built criteria set
 */
@Nonnull
protected CriteriaSet buildTLSCriteriaSet(@Nonnull final HttpUriRequest request,
        @Nonnull final InOutOperationContext operationContext) {
    final CriteriaSet result = new CriteriaSet();

    if (getTLSCriteriaSetStrategy() != null) {
        final CriteriaSet fromStrategy = getTLSCriteriaSetStrategy().apply(operationContext);
        if (fromStrategy != null) {
            result.addAll(fromStrategy);
        }
    }

    // NOTE(review): CriteriaSet is indexed by criterion class; this test is against
    // UsageType.class rather than UsageCriterion.class, so it may never report "present".
    // If the strategy already contributed a UsageCriterion, confirm that add() tolerates
    // the duplicate instead of throwing.
    final boolean usageAlreadySet = result.contains(UsageType.class);
    if (!usageAlreadySet) {
        result.add(new UsageCriterion(UsageType.SIGNING));
    }
    return result;
}
/**
 * Add the entity criteria used to locate the signing credential of the service provider
 * that issued {@code profileRequest}: its entity ID (read from the request's issuer) and
 * the SP SSO role.
 *
 * @param profileRequest the inbound SAML request whose issuer identifies the SP
 * @param criteriaSet the criteria set to populate (mutated in place)
 */
protected void buildEntityCriteriaForSigningCredential(final RequestAbstractType profileRequest,
                                                       final CriteriaSet criteriaSet) {
    final String issuerEntityId = SamlIdPUtils.getIssuerFromSamlObject(profileRequest);
    final EntityIdCriterion byEntityId = new EntityIdCriterion(issuerEntityId);
    final EntityRoleCriterion bySpRole = new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
    criteriaSet.add(byEntityId);
    criteriaSet.add(bySpRole);
}
@Override
protected void buildEntityCriteriaForSigningCredential(final RequestAbstractType profileRequest,
                                                       final CriteriaSet criteriaSet) {
    // The request's issuer is deliberately not consulted here: the credential is always
    // looked up under the IdP's own metadata entity ID and the IdP SSO role.
    final String idpEntityId = casSamlIdPMetadataResolver.getId();
    criteriaSet.add(new EntityIdCriterion(idpEntityId));
    criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
}
}
/**
 * Resolve the credentials that may be used to confirm the subject for the current relying party.
 *
 * <p>Lookup is by role descriptor plus SIGNING usage. An entity-ID criterion is added as well so
 * that resolvers which are not metadata-backed (e.g. a collection resolver keyed by entity ID)
 * can still answer the same query.
 *
 * @param requestContext the current profile request context (not consulted by the lookup itself)
 * @return the resolved credentials with null entries dropped; {@code null} if resolution threw
 */
private List<Credential> resolveConfirmationCredentials(@Nonnull final ProfileRequestContext requestContext) {
    final CriteriaSet lookup = new CriteriaSet();
    lookup.add(new RoleDescriptorCriterion(roleDescriptor));
    lookup.add(new UsageCriterion(UsageType.SIGNING));
    lookup.add(new EntityIdCriterion(relyingPartyId));

    try {
        final Iterable<Credential> resolved = credentialResolver.resolve(lookup);
        final List<Credential> result = new ArrayList<>();
        for (final Credential candidate : resolved) {
            if (candidate == null) {
                continue;
            }
            result.add(candidate);
        }
        return result;
    } catch (final ResolverException e) {
        // Best-effort: a resolver failure is logged and reported to the caller as null.
        log.warn("Error resolving subject confirmation credentials for relying party: {}", relyingPartyId, e);
        return null;
    }
}
/** {@inheritDoc} */
@Override
@Nonnull
protected CriteriaSet buildCriteriaSet(@Nullable final String entityID,
        @Nonnull final MessageContext messageContext) throws MessageHandlerException {
    final CriteriaSet criteria = new CriteriaSet();

    // The issuer is optional: with no entity ID the trust engine evaluates on role, protocol
    // and usage alone, so the signer is not pinned to a specific entity in that case.
    final boolean issuerKnown = !Strings.isNullOrEmpty(entityID);
    if (issuerKnown) {
        criteria.add(new EntityIdCriterion(entityID));
    }
    criteria.add(new EntityRoleCriterion(peerContext.getRole()));
    criteria.add(new ProtocolCriterion(samlProtocolContext.getProtocol()));
    criteria.add(new UsageCriterion(UsageType.SIGNING));

    // Carry any configured signature-validation parameters (algorithm whitelist etc.) along.
    final SecurityParametersContext securityParams =
            messageContext.getSubcontext(SecurityParametersContext.class);
    if (securityParams != null) {
        if (securityParams.getSignatureValidationParameters() != null) {
            criteria.add(new SignatureValidationParametersCriterion(
                    securityParams.getSignatureValidationParameters()));
        }
    }
    return criteria;
}
@Nullable
@Override
public Credential apply(String keyName) {
    final CriteriaSet byName = new CriteriaSet();
    // keyName doubles as the entity ID under which the resolver indexes credentials.
    byName.add(new EntityIdCriterion(keyName));
    try {
        return resolver.resolveSingle(byName);
    } catch (Throwable failure) {
        // Rethrow through Exceptions.throwUnsafely: the checked ResolverException cannot be
        // declared on this Function-style signature, and nothing should be silently dropped.
        return Exceptions.throwUnsafely(failure);
    }
}
}
/**
 * Build the criteria set that the configured trust engine evaluates a candidate issuer against.
 *
 * <p>Always includes the peer role, the SAML protocol in use and SIGNING usage; the entity ID
 * is added only when one is known, and signature validation parameters only when a
 * {@link SecurityParametersContext} carrying them is present on the message context.
 *
 * @param entityID the candidate issuer entity ID being evaluated, possibly null or empty
 * @param messageContext the message context being evaluated
 * @return a newly constructed criteria set
 * @throws MessageHandlerException if the criteria set cannot be constructed
 */
@Nonnull
protected CriteriaSet buildCriteriaSet(@Nullable final String entityID,
        @Nonnull final MessageContext messageContext) throws MessageHandlerException {
    final CriteriaSet criteria = new CriteriaSet();

    if (!Strings.isNullOrEmpty(entityID)) {
        criteria.add(new EntityIdCriterion(entityID));
    }
    // Without an entity ID above, trust is evaluated against any entity matching role/protocol/usage.
    criteria.add(new EntityRoleCriterion(peerContext.getRole()));
    criteria.add(new ProtocolCriterion(samlProtocolContext.getProtocol()));
    criteria.add(new UsageCriterion(UsageType.SIGNING));

    final SecurityParametersContext securityParams =
            messageContext.getSubcontext(SecurityParametersContext.class);
    final boolean haveValidationParams =
            securityParams != null && securityParams.getSignatureValidationParameters() != null;
    if (haveValidationParams) {
        criteria.add(new SignatureValidationParametersCriterion(
                securityParams.getSignatureValidationParameters()));
    }
    return criteria;
}
/**
 * Locate the SP metadata for {@code entityID} via the registered service's metadata resolver
 * chain and adapt it to a {@link SamlRegisteredServiceServiceProviderMetadataFacade}.
 *
 * <p>{@code criterions} is mutated: an {@link EntityIdCriterion} for {@code entityID} is added,
 * replacing any entity-ID criterion already present. An entity descriptor whose
 * {@code validUntil} has already passed is rejected rather than adapted.
 *
 * @param resolver the caching metadata resolver that yields the chain for the service
 * @param registeredService the CAS registered service being adapted
 * @param entityID the SP entity ID to look up
 * @param criterions the criteria the metadata chain is filtered with
 * @return the facade, or empty if the entity is absent from metadata or its descriptor has expired
 */
@SneakyThrows
private static Optional<SamlRegisteredServiceServiceProviderMetadataFacade> get(
        final SamlRegisteredServiceCachingMetadataResolver resolver,
        final SamlRegisteredService registeredService,
        final String entityID,
        final CriteriaSet criterions) {
    LOGGER.debug("Adapting SAML metadata for CAS service [{}] issued by [{}]", registeredService.getName(), entityID);
    criterions.add(new EntityIdCriterion(entityID), true);

    LOGGER.debug("Locating metadata for entityID [{}] by attempting to run through the metadata chain...", entityID);
    val chain = resolver.resolve(registeredService);
    LOGGER.info("Resolved metadata chain for service [{}]. Filtering the chain by entity ID [{}]",
        registeredService.getServiceId(), entityID);

    val descriptor = chain.resolveSingle(criterions);
    if (descriptor == null) {
        LOGGER.warn("Cannot find entity [{}] in metadata provider Ensure the metadata is valid and has not expired.", entityID);
        return Optional.empty();
    }
    LOGGER.trace("Located entity descriptor in metadata for [{}]", entityID);

    // Enforce validUntil: stale metadata must not be used to trust an SP.
    val validUntil = descriptor.getValidUntil();
    val expired = validUntil != null && validUntil.isBeforeNow();
    if (expired) {
        LOGGER.warn("Entity descriptor in the metadata has expired at [{}]", validUntil);
        return Optional.empty();
    }
    return getServiceProviderSsoDescriptor(entityID, chain, descriptor);
}
/**
 * Resolve the SP's own credential from the credential resolver.
 *
 * @return the credential resolved for {@code this.privateKey}, cast to {@link X509Credential}
 * @throws SAMLException if the resolver fails
 */
@Override
public final Credential getCredential() {
    // NOTE(review): this.privateKey is passed as the EntityIdCriterion value, i.e. it is
    // treated as the alias the resolver is indexed by rather than as key material — confirm
    // against the field's definition.
    final CriteriaSet lookup = new CriteriaSet();
    lookup.add(new EntityIdCriterion(this.privateKey));
    try {
        // Unchecked cast: a non-X509 credential under this alias surfaces as ClassCastException.
        return (X509Credential) this.credentialResolver.resolveSingle(lookup);
    } catch (final ResolverException e) {
        throw new SAMLException("Can't obtain SP private key", e);
    }
}
/**
 * Validate a SAML signature in two steps: the SAML signature profile check, then trust
 * evaluation against the IdP (SIGNING usage, IdP SSO role, SAML 2.0 protocol, entity ID).
 *
 * @param signature the signature to validate
 * @param idpEntityId the entity ID of the IdP expected to have produced it
 * @param trustEngine the trust engine deciding whether the signing key is trusted
 * @throws SAMLSignatureValidationException if the profile check fails, the trust engine
 *         errors, or the engine reports the signature as untrusted
 */
protected final void validateSignature(final Signature signature, final String idpEntityId,
                                       final SignatureTrustEngine trustEngine) {
    // Profile check first, before the trust engine is consulted.
    try {
        new SAMLSignatureProfileValidator().validate(signature);
    } catch (final SignatureException e) {
        throw new SAMLSignatureValidationException("SAMLSignatureProfileValidator failed to validate signature", e);
    }

    // Pin trust evaluation to the expected IdP entity, role and protocol.
    final CriteriaSet trustCriteria = new CriteriaSet();
    trustCriteria.add(new EntityIdCriterion(idpEntityId));
    trustCriteria.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
    trustCriteria.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
    trustCriteria.add(new UsageCriterion(UsageType.SIGNING));

    final boolean trusted;
    try {
        trusted = trustEngine.validate(signature, trustCriteria);
    } catch (final SecurityException e) {
        throw new SAMLSignatureValidationException("An error occurred during signature validation", e);
    }
    if (!trusted) {
        throw new SAMLSignatureValidationException("Signature is not trusted");
    }
}
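/**
 * Resolve the signature signing parameters for a role descriptor and registered service.
 *
 * <p>The signing configuration for the pair is combined with the descriptor's metadata via
 * {@link SAMLMetadataSignatureSigningParametersResolver}.
 *
 * @param descriptor the role descriptor whose metadata drives algorithm selection
 * @param service the registered service supplying the signing configuration
 * @return the resolved signing parameters, never null
 * @throws IllegalStateException if the resolver yields no parameters
 */
@SneakyThrows
protected SignatureSigningParameters buildSignatureSigningParameters(final RoleDescriptor descriptor,
                                                                     final SamlRegisteredService service) {
    val criteria = new CriteriaSet();
    val signatureSigningConfiguration = getSignatureSigningConfiguration(descriptor, service);
    criteria.add(new SignatureSigningConfigurationCriterion(signatureSigningConfiguration));
    criteria.add(new RoleDescriptorCriterion(descriptor));

    val resolver = new SAMLMetadataSignatureSigningParametersResolver();
    LOGGER.trace("Resolving signature signing parameters for [{}]", descriptor.getElementQName().getLocalPart());
    val params = resolver.resolveSingle(criteria);
    // resolveSingle() can return null. An @NonNull annotation on a local variable generates no
    // runtime check, so the original code would have failed with a bare NPE on the trace call
    // below; report the condition explicitly instead.
    if (params == null) {
        throw new IllegalStateException("Unable to resolve signature signing parameters for ["
            + descriptor.getElementQName().getLocalPart() + "]");
    }
    LOGGER.trace("Created signature signing parameters."
            + "\nSignature algorithm: [{}]"
            + "\nSignature canonicalization algorithm: [{}]"
            + "\nSignature reference digest methods: [{}]",
        params.getSignatureAlgorithm(),
        params.getSignatureCanonicalizationAlgorithm(),
        params.getSignatureReferenceDigestMethod());
    return params;
}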
/**
 * Resolve the signing credential(s) for the entity that issued {@code profileRequest}
 * from SAML metadata.
 *
 * <p>A fresh {@link MetadataCredentialResolver} is built per call on top of the supplied role
 * descriptor resolver, with inline KeyInfo resolution, and queried with the signature validation
 * configuration, SIGNING usage and the entity criteria contributed by
 * {@code buildEntityCriteriaForSigningCredential}.
 *
 * @param resolver the role descriptor resolver backing the credential lookup
 * @param profileRequest the inbound SAML request
 * @return the resolved credentials in resolution order
 */
@SneakyThrows
private Set<Credential> getSigningCredential(final RoleDescriptorResolver resolver,
                                             final RequestAbstractType profileRequest) {
    val credentialResolver = new MetadataCredentialResolver();
    val validationConfig = getSignatureValidationConfiguration();
    credentialResolver.setRoleDescriptorResolver(resolver);
    credentialResolver.setKeyInfoCredentialResolver(
        DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
    credentialResolver.initialize();

    val lookup = new CriteriaSet();
    lookup.add(new SignatureValidationConfigurationCriterion(validationConfig));
    lookup.add(new UsageCriterion(UsageType.SIGNING));
    buildEntityCriteriaForSigningCredential(profileRequest, lookup);

    val resolved = credentialResolver.resolve(lookup);
    return Sets.newLinkedHashSet(resolved);
}
/**
 * {@inheritDoc}
 *
 * <p>Extends the base criteria with the role taken from the authenticatable SAML entity
 * context of type {@code entityContextClass} and the protocol from the
 * {@link SAMLProtocolContext}; a missing context, role or protocol is reported as a
 * {@link MessageHandlerException}.
 */
@Override
@Nonnull
protected CriteriaSet buildCriteriaSet(@Nullable final String entityID,
        @Nonnull final MessageContext messageContext) throws MessageHandlerException {
    final CriteriaSet criteria = super.buildCriteriaSet(entityID, messageContext);
    try {
        log.trace("Attempting to build criteria based on contents of entity contxt class of type: {}",
                entityContextClass.getName());
        final AbstractAuthenticatableSAMLEntityContext samlEntity =
                messageContext.getSubcontext(entityContextClass);
        Constraint.isNotNull(samlEntity, "Required authenticatable SAML entity context was not present "
                + "in message context: " + entityContextClass.getName());
        Constraint.isNotNull(samlEntity.getRole(), "SAML entity role was null");
        // NOTE(review): if the superclass already contributed an EntityRoleCriterion or
        // ProtocolCriterion, confirm what CriteriaSet.add() does with the second one of the same class.
        criteria.add(new EntityRoleCriterion(samlEntity.getRole()));

        final SAMLProtocolContext protocol = messageContext.getSubcontext(SAMLProtocolContext.class);
        Constraint.isNotNull(protocol, "SAMLProtocolContext was null");
        Constraint.isNotNull(protocol.getProtocol(), "SAML protocol was null");
        criteria.add(new ProtocolCriterion(protocol.getProtocol()));
    } catch (final ConstraintViolationException e) {
        throw new MessageHandlerException(e);
    }
    return criteria;
}
/**
 * Resolve the credential stored under {@code key}'s name from a keystore-backed resolver.
 *
 * @param key the key whose name is the alias to look up
 * @param resolver the keystore credential resolver
 * @return the resolved credential (may be null if the resolver finds nothing)
 * @throws SamlKeyException if resolution fails
 */
public Credential getCredential(SimpleKey key, KeyStoreCredentialResolver resolver) {
    // The key name is used as the entity-ID criterion, i.e. the keystore alias.
    final CriteriaSet byAlias = new CriteriaSet();
    byAlias.add(new EntityIdCriterion(key.getName()));
    try {
        return resolver.resolveSingle(byAlias);
    } catch (ResolverException e) {
        throw new SamlKeyException("Can't obtain SP private key", e);
    }
}
try { val set = new CriteriaSet(); set.add(new EntityIdCriterion(service.getServiceId())); set.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)); val entitySp = chainingMetadataResolver.resolveSingle(set); if (entitySp != null && entitySp.getCacheDuration() != null) { set.add(new EntityIdCriterion(service.getServiceId())); val entity = chainingMetadataResolver.resolveSingle(set); if (entity != null && entity.getCacheDuration() != null) {
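/**
 * Resolve the signature signing parameters for {@code descriptor} from the configured signing
 * configuration and the descriptor's metadata, then let subclasses augment them.
 *
 * @param descriptor the SSO descriptor whose metadata drives algorithm selection
 * @return the resolved and augmented signing parameters, never null
 * @throws SAMLException if no parameters could be resolved or resolution failed
 */
@Override
public SignatureSigningParameters build(final SSODescriptor descriptor) {
    try {
        final CriteriaSet criteria = new CriteriaSet();
        criteria.add(new SignatureSigningConfigurationCriterion(getSignatureSigningConfiguration()));
        criteria.add(new RoleDescriptorCriterion(descriptor));
        final SAMLMetadataSignatureSigningParametersResolver resolver =
                new SAMLMetadataSignatureSigningParametersResolver();
        final SignatureSigningParameters params = resolver.resolveSingle(criteria);
        // Reject a missing result BEFORE handing it to augmentSignatureSigningParameters(): the
        // previous order let a null reach the augment hook, so the intended error could be
        // replaced by a wrapped NullPointerException.
        if (params == null) {
            throw new SAMLException("Could not determine the signature parameters");
        }
        augmentSignatureSigningParameters(params);
        logger.info("Created signature signing parameters."
                + "\nSignature algorithm: {}"
                + "\nSignature canonicalization algorithm: {}"
                + "\nSignature reference digest methods: {}",
            params.getSignatureAlgorithm(),
            params.getSignatureCanonicalizationAlgorithm(),
            params.getSignatureReferenceDigestMethod());
        return params;
    } catch (final SAMLException e) {
        // Already the caller-facing type; don't wrap it in another SAMLException.
        throw e;
    } catch (final Exception e) {
        throw new SAMLException(e);
    }
}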
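/**
 * Look up the entity and role descriptors for {@code entityId} in metadata and attach them to
 * {@code parentContext} as a {@link SAMLMetadataContext}.
 *
 * @param entityId the metadata resolver naming the entity to look up
 * @param parentContext the context under which the metadata subcontext is created
 * @param elementName the role element required (e.g. an IDPSSODescriptor), SAML 2.0 protocol only
 * @throws SAMLException if the entity or the requested role is missing, or metadata resolution fails
 */
protected final void addContext(final SAML2MetadataResolver entityId, final BaseContext parentContext,
                                final QName elementName) {
    final EntityDescriptor entityDescriptor;
    final RoleDescriptor roleDescriptor;
    try {
        final String id = entityId.getEntityId();
        final CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIdCriterion(id));
        entityDescriptor = this.metadata.resolveSingle(criteria);
        if (entityDescriptor == null) {
            throw new SAMLException("Cannot find entity " + id + " in metadata provider");
        }
        // Only roles declared for the SAML 2.0 protocol are accepted; the first match is used.
        final List<RoleDescriptor> roles = entityDescriptor.getRoleDescriptors(elementName, SAMLConstants.SAML20P_NS);
        roleDescriptor = CommonHelper.isNotEmpty(roles) ? roles.get(0) : null;
        if (roleDescriptor == null) {
            // Fixed: report the entity ID here as well, not the resolver object's toString().
            throw new SAMLException("Cannot find entity " + id + " or role " + elementName + " in metadata provider");
        }
    } catch (final ResolverException e) {
        throw new SAMLException("An error occured while getting IDP descriptors", e);
    }
    final SAMLMetadataContext mdCtx = parentContext.getSubcontext(SAMLMetadataContext.class, true);
    mdCtx.setEntityDescriptor(entityDescriptor);
    mdCtx.setRoleDescriptor(roleDescriptor);
}
}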