/** {@inheritDoc} */ @Override public int hashCode() { return toString().hashCode(); }
/** * @param artifact * @return */ private RoleDescriptor resolvePeerRoleDescriptor(SAML2Artifact artifact) throws MessageDecodingException { CriteriaSet criteriaSet = new CriteriaSet( new ArtifactCriterion(artifact), new ProtocolCriterion(SAMLConstants.SAML20P_NS), new EntityRoleCriterion(getPeerEntityRole())); try { return roleDescriptorResolver.resolveSingle(criteriaSet); } catch (ResolverException e) { throw new MessageDecodingException("Error resolving peer entity RoleDescriptor", e); } }
/** * Create the set of criteria used to find a unique CAS service given a CAS service URL. * * @param serviceURL CAS service URL. * * @return Metadata resolver criteria set. */ @Nonnull protected CriteriaSet criteria(@Nonnull final String serviceURL) { final AssertionConsumerService loginACS = new AssertionConsumerServiceBuilder().buildObject(); loginACS.setBinding(LOGIN_BINDING); loginACS.setLocation(serviceURL); return new CriteriaSet( new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME), new EndpointCriterion<>(loginACS), new ProtocolCriterion(AbstractProtocolConfiguration.PROTOCOL_URI), new StartsWithLocationCriterion()); }
private static void setCASTLSTrustEngineCriteria( final HttpClientContext context, final URI requestUri, final Service service) { final String entityID; if (service.getEntityDescriptor() != null) { entityID = service.getEntityDescriptor().getEntityID(); } else { entityID = service.getName(); } final CriteriaSet criteria = new CriteriaSet( new EntityIdCriterion(entityID), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME), new ProtocolCriterion(AbstractProtocolConfiguration.PROTOCOL_URI), new UsageCriterion(UsageType.SIGNING), new TrustedNamesCriterion(Collections.singleton(requestUri.getHost()))); context.setAttribute(CONTEXT_KEY_CRITERIA_SET, criteria); } }
criteria.add(new EntityIdCriterion(peerCtx.getEntityId())); if (samlProtocol != null) { criteria.add(new ProtocolCriterion(samlProtocol)); criteria.add(new EntityRoleCriterion(peerRole)); if (metadataCtx != null && metadataCtx.getRoleDescriptor() != null) { log.debug("{} Adding role metadata to resolution criteria", getLogPrefix()); criteria.add(new RoleDescriptorCriterion(metadataCtx.getRoleDescriptor()));
/** * Build entity criteria for signing credential. * * @param profileRequest the profile request * @param criteriaSet the criteria set */ protected void buildEntityCriteriaForSigningCredential(final RequestAbstractType profileRequest, final CriteriaSet criteriaSet) { criteriaSet.add(new EntityIdCriterion(SamlIdPUtils.getIssuerFromSamlObject(profileRequest))); criteriaSet.add(new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME)); }
final RoleDescriptor roleDescriptor = criteriaSet.get(RoleDescriptorCriterion.class).getRole(); return resolveFromRoleDescriptor(criteriaSet, roleDescriptor, usage); } else if (criteriaSet.contains(EntityIdCriterion.class) && criteriaSet.contains(EntityRoleCriterion.class)) { final QName role = criteriaSet.get(EntityRoleCriterion.class).getRole(); protocol = protocolCriteria.getProtocol();
for (final EntityDescriptor entityDescriptor : entityDescriptors) { if (protocolCriterion != null) { aggregate.add(entityDescriptor.getRoleDescriptors(roleCriterion.getRole(), protocolCriterion.getProtocol())); } else { aggregate.add(entityDescriptor.getRoleDescriptors(roleCriterion.getRole()));
/** {@inheritDoc} */ @Nullable @NonnullElements @Unmodifiable @NotLive public Set<MetadataIndexKey> generateKeys(@Nonnull final CriteriaSet criteriaSet) { Constraint.isNotNull(criteriaSet, "CriteriaSet was null"); EntityRoleCriterion roleCrit = criteriaSet.get(EntityRoleCriterion.class); EndpointCriterion<Endpoint> endpointCrit = criteriaSet.get(EndpointCriterion.class); if (roleCrit != null && endpointCrit != null) { HashSet<MetadataIndexKey> result = new HashSet<>(); result.addAll(processCriteria(criteriaSet, roleCrit.getRole(), endpointCrit.getEndpoint())); return result; } else { return null; } }
/** * Resolve the RoleDescriptor from the criteria. * * @param criteria the input criteria * @return the input role descriptor criterion or null if could not be resolved */ private RoleDescriptor resolveRoleDescriptor(@Nonnull final CriteriaSet criteria) { if (criteria.contains(RoleDescriptorCriterion.class)) { return criteria.get(RoleDescriptorCriterion.class).getRole(); } return null; }
/** * Constructor. * * @param criterion the entity role criterion */ public EvaluableEntityRoleEntityDescriptorCriterion(EntityRoleCriterion criterion) { Constraint.isNotNull(criterion, "EntityRoleCriterion was null"); role = Constraint.isNotNull(criterion.getRole(), "Criterion role QName was null"); }
/** * Optimize the case of resolving a single endpoint if a populated endpoint is supplied via * criteria, and validation is unnecessary due to a signed request. Note that this endpoint may * turn out to be unusable by the caller, but that's immaterial because the requester must have * dictated the binding and location, so we're not allowed to ignore that. * * @param criteria input criteria set * * @return true iff the supplied endpoint via {@link EndpointCriterion} should be returned */ private boolean canUseRequestedEndpoint(@Nonnull final CriteriaSet criteria) { final EndpointCriterion epc = criteria.get(EndpointCriterion.class); if (epc.isTrusted()) { final EndpointType requestedEndpoint = (EndpointType) epc.getEndpoint(); if (requestedEndpoint.getBinding() != null && (requestedEndpoint.getLocation() != null || requestedEndpoint.getResponseLocation() != null)) { return true; } } return false; }
/** {@inheritDoc} */ @Override public boolean equals(Object obj) { if (this == obj) { return true; } if (obj == null) { return false; } if (obj instanceof EndpointCriterion) { final Endpoint endpoint2 = ((EndpointCriterion) obj).getEndpoint(); if (!Objects.equals(endpoint.getElementQName(), endpoint2.getElementQName())) { return false; } else if (!Objects.equals(endpoint.getBinding(), endpoint2.getBinding())) { return false; } else if (!Objects.equals(endpoint.getLocation(), endpoint2.getLocation())) { return false; } else if (!Objects.equals(endpoint.getResponseLocation(), endpoint2.getResponseLocation())) { return false; } return true; } return false; } }
/** * Constructor. * * @param criterion the protocol criterion */ public EvaluableProtocolRoleDescriptorCriterion(@Nonnull final ProtocolCriterion criterion) { Constraint.isNotNull(criterion, "ProtocolCriterion was null"); protocol = Constraint.isNotNull(criterion.getProtocol(), "Criterion protocol was null"); }
/** * Validate the given digital signature by checking its profile and value. * * @param signature the signature * @param idpEntityId the idp entity id * @param trustEngine the trust engine */ protected final void validateSignature(final Signature signature, final String idpEntityId, final SignatureTrustEngine trustEngine) { final SAMLSignatureProfileValidator validator = new SAMLSignatureProfileValidator(); try { validator.validate(signature); } catch (final SignatureException e) { throw new SAMLSignatureValidationException("SAMLSignatureProfileValidator failed to validate signature", e); } final CriteriaSet criteriaSet = new CriteriaSet(); criteriaSet.add(new UsageCriterion(UsageType.SIGNING)); criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME)); criteriaSet.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS)); criteriaSet.add(new EntityIdCriterion(idpEntityId)); final boolean valid; try { valid = trustEngine.validate(signature, criteriaSet); } catch (final SecurityException e) { throw new SAMLSignatureValidationException("An error occurred during signature validation", e); } if (!valid) { throw new SAMLSignatureValidationException("Signature is not trusted"); } }
@Override protected void buildEntityCriteriaForSigningCredential(final RequestAbstractType profileRequest, final CriteriaSet criteriaSet) { criteriaSet.add(new EntityIdCriterion(casSamlIdPMetadataResolver.getId())); criteriaSet.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME)); } }
/** {@inheritDoc} */ @Override public Iterable<PKIXValidationInformation> resolve(final CriteriaSet criteriaSet) throws ResolverException { ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this); checkCriteriaRequirements(criteriaSet); final String entityID = criteriaSet.get(EntityIdCriterion.class).getEntityId(); final EntityRoleCriterion roleCriteria = criteriaSet.get(EntityRoleCriterion.class); final QName role = roleCriteria.getRole(); String protocol = null; final ProtocolCriterion protocolCriteria = criteriaSet.get(ProtocolCriterion.class); if (protocolCriteria != null) { protocol = protocolCriteria.getProtocol(); } return retrievePKIXInfoFromMetadata(criteriaSet, entityID, role, protocol); }
/** * Constructor. * * @param criterion the entity role criterion */ public EvaluableEntityRoleDescriptorCriterion(@Nonnull final EntityRoleCriterion criterion) { Constraint.isNotNull(criterion, "EntityRoleCriterion was null"); role = Constraint.isNotNull(criterion.getRole(), "Criterion entity role was null"); }
/** {@inheritDoc} */ @Override @Nullable public EndpointType resolveSingle(@Nullable final CriteriaSet criteria) throws ResolverException { validateCriteria(criteria); if (canUseRequestedEndpoint(criteria)) { final EndpointType endpoint = (EndpointType) criteria.get(EndpointCriterion.class).getEndpoint(); if (doCheckEndpoint(criteria, endpoint)) { return endpoint; } else { log.debug("{} Requested endpoint was rejected by extended validation process", getLogPrefix()); return null; } } for (final EndpointType candidate : getCandidatesFromMetadata(criteria)) { if (doCheckEndpoint(criteria, candidate)) { return candidate; } } log.debug("{} No candidate endpoints met criteria", getLogPrefix()); return null; }
/** * Check that all necessary criteria are available. * * @param criteriaSet the criteria set to evaluate */ protected void checkCriteriaRequirements(final CriteriaSet criteriaSet) { final EntityIdCriterion entityCriteria = Constraint.isNotNull(criteriaSet.get(EntityIdCriterion.class), "EntityIdCriterion must be supplied"); Constraint.isNotNull(StringSupport.trimOrNull(entityCriteria.getEntityId()), "Credential owner entity ID criteria value must be supplied"); final EntityRoleCriterion roleCriteria = Constraint .isNotNull(criteriaSet.get(EntityRoleCriterion.class), "EntityRoleCriterion must be supplied"); Constraint.isNotNull(roleCriteria.getRole(), "Credential entity role criteria value must be supplied"); }