diff options
author | Thomas <thomas.lenz@egiz.gv.at> | 2020-02-02 19:32:21 +0100 |
---|---|---|
committer | Thomas <thomas.lenz@egiz.gv.at> | 2020-02-02 19:32:21 +0100 |
commit | 41ea2fdf782cd64d7d29f73c2e83f9c255810818 (patch) | |
tree | 9710ca3937ae82391c6a2a0e5176923e0a49a5af /eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/AbstractRequestSignedSecurityPolicyRule.java | |
parent | d41afe91ee59daf6b5f5037cecac52900fe2ccb2 (diff) | |
download | EAAF-Components-41ea2fdf782cd64d7d29f73c2e83f9c255810818.tar.gz EAAF-Components-41ea2fdf782cd64d7d29f73c2e83f9c255810818.tar.bz2 EAAF-Components-41ea2fdf782cd64d7d29f73c2e83f9c255810818.zip |
some more OpenSAML3 refactoring stuff
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/AbstractRequestSignedSecurityPolicyRule.java')
-rw-r--r-- | eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/AbstractRequestSignedSecurityPolicyRule.java | 196 |
1 files changed, 0 insertions, 196 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/AbstractRequestSignedSecurityPolicyRule.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/AbstractRequestSignedSecurityPolicyRule.java deleted file mode 100644 index 380e735c..00000000 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/AbstractRequestSignedSecurityPolicyRule.java +++ /dev/null @@ -1,196 +0,0 @@ -/* - * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a - * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European - * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in - * compliance with the Licence. You may obtain a copy of the Licence at: - * https://joinup.ec.europa.eu/news/understanding-eupl-v12 - * - * Unless required by applicable law or agreed to in writing, software distributed under the Licence - * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express - * or implied. See the Licence for the specific language governing permissions and limitations under - * the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text file for details on the - * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative - * works that you distribute must include a readable copy of the "NOTICE" text file. -*/ - -package at.gv.egiz.eaaf.modules.pvp2.impl.verification; - -import javax.xml.namespace.QName; -import javax.xml.transform.dom.DOMSource; -import javax.xml.validation.Schema; -import javax.xml.validation.Validator; - -import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; - -import org.apache.commons.lang3.StringUtils; -import org.opensaml.core.criterion.EntityIdCriterion; -import org.opensaml.saml.common.SignableSAMLObject; -import org.opensaml.saml.common.xml.SAMLConstants; -import org.opensaml.saml.common.xml.SAMLSchemaBuilder; -import org.opensaml.saml.common.xml.SAMLSchemaBuilder.SAML1Version; -import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator; -import org.opensaml.security.MetadataCriteria; -import org.opensaml.security.credential.UsageType; -import org.opensaml.security.criteria.UsageCriterion; -import org.opensaml.ws.security.SecurityPolicyException; -import org.opensaml.ws.security.SecurityPolicyRule; -import org.opensaml.xmlsec.signature.support.SignatureTrustEngine; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.w3c.dom.Element; -import org.xml.sax.SAXException; - -import net.shibboleth.utilities.java.support.resolver.CriteriaSet; - -/** - * Signature Policy for SAML2 redirect-binding. - * - * @author tlenz - * - */ -public abstract class AbstractRequestSignedSecurityPolicyRule implements SecurityPolicyRule { - - private static final Logger log = - LoggerFactory.getLogger(AbstractRequestSignedSecurityPolicyRule.class); - - private static SAMLSchemaBuilder schemaBuilder = new SAMLSchemaBuilder(SAML1Version.SAML_11); - - private SignatureTrustEngine trustEngine = null; - private QName peerEntityRole = null; - - /** - * Role initializer. - * - * @param peerEntityRole - * - */ - public AbstractRequestSignedSecurityPolicyRule(final SignatureTrustEngine trustEngine, - final QName peerEntityRole) { - this.trustEngine = trustEngine; - this.peerEntityRole = peerEntityRole; - - } - - /** - * Reload the PVP metadata for a given entity. - * - * @param entityID for which the metadata should be refreshed. - * @return true if the refresh was successful, otherwise false - */ - protected abstract boolean refreshMetadataProvider(String entityID); - - protected abstract SignableSAMLObject getSignedSamlObject(XMLObject inboundData); - - /* - * (non-Javadoc) - * - * @see - * org.opensaml.ws.security.SecurityPolicyRule#evaluate(org.opensaml.ws.message. - * MessageContext) - */ - @Override - public void evaluate(final MessageContext context) throws SecurityPolicyException { - try { - verifySignature(context); - - } catch (final SecurityPolicyException e) { - if (StringUtils.isEmpty(context.getInboundMessageIssuer())) { - throw e; - - } - log.debug("PVP2X message validation FAILED. Reload metadata for entityID: " - + context.getInboundMessageIssuer()); - if (!refreshMetadataProvider(context.getInboundMessageIssuer())) { - throw e; - } else { - log.trace("PVP2X metadata reload finished. Check validate message again."); - verifySignature(context); - - } - log.trace("Second PVP2X message validation finished"); - - } - - } - - private void verifySignature(final MessageContext context) throws SecurityPolicyException { - final SignableSAMLObject samlObj = getSignedSamlObject(context.getInboundMessage()); - if (samlObj != null && samlObj.getSignature() != null) { - - final SAMLSignatureProfileValidator profileValidator = new SAMLSignatureProfileValidator(); - try { - profileValidator.validate(samlObj.getSignature()); - performSchemaValidation(samlObj.getDOM()); - - } catch (final ValidationException e) { - log.warn("Signature is not conform to SAML signature profile", e); - throw new SecurityPolicyException("Signature is not conform to SAML signature profile"); - - } catch (final SchemaValidationException e) { - log.warn("Signature is not conform to SAML signature profile", e); - throw new SecurityPolicyException("Signature is not conform to SAML signature profile"); - - } - - final CriteriaSet criteriaSet = new CriteriaSet(); - criteriaSet.add(new EntityIdCriterion(context.getInboundMessageIssuer())); - criteriaSet.add(new MetadataCriteria(peerEntityRole, SAMLConstants.SAML20P_NS)); - criteriaSet.add(new UsageCriterion(UsageType.SIGNING)); - - try { - if (!trustEngine.validate(samlObj.getSignature(), criteriaSet)) { - throw new SecurityPolicyException("Signature validation FAILED."); - - } - log.debug("PVP message signature valid."); - - } catch (final org.opensaml.xml.security.SecurityException e) { - log.info("PVP2x message signature validation FAILED. Message:" + e.getMessage()); - throw new SecurityPolicyException("Signature validation FAILED."); - - } - - } else { - throw new SecurityPolicyException("PVP Message is not signed."); - - } - - } - - private void performSchemaValidation(final Element source) throws SchemaValidationException { - - String err = null; - try { - final Schema test = schemaBuilder.getSAMLSchema(); - final Validator val = test.newValidator(); - val.validate(new DOMSource(source)); - log.debug("Schema validation check done OK"); - return; - - } catch (final SAXException e) { - err = e.getMessage(); - if (log.isDebugEnabled() || log.isTraceEnabled()) { - log.warn("Schema validation FAILED with exception:", e); - } else { - log.warn("Schema validation FAILED with message: " + e.getMessage()); - } - - } catch (final Exception e) { - err = e.getMessage(); - if (log.isDebugEnabled() || log.isTraceEnabled()) { - log.warn("Schema validation FAILED with exception:", e); - } else { - log.warn("Schema validation FAILED with message: " + e.getMessage()); - } - - } - - throw new SchemaValidationException("pvp2.22", new Object[] { err }); - - } - -} |