diff options
| author | Thomas <> | 2022-01-08 19:50:42 +0100 |
|---|---|---|
| committer | Thomas <> | 2022-01-08 19:50:42 +0100 |
| commit | 5bdcf4b0298da05efb06eb84acdb188e4313df75 (patch) | |
| tree | a1c40aef7914f58950d3ecc06e0811131430ddd3 /eaaf_modules/eaaf_module_pvp2_core/src/main/java/at | |
| parent | d7f9aa156ad76e5ddaf797a16f1155c37594bd91 (diff) | |
| parent | f59462296cf6eb0401be025a64b1be9ec8afc541 (diff) | |
| download | EAAF-Components-5bdcf4b0298da05efb06eb84acdb188e4313df75.tar.gz EAAF-Components-5bdcf4b0298da05efb06eb84acdb188e4313df75.tar.bz2 EAAF-Components-5bdcf4b0298da05efb06eb84acdb188e4313df75.zip | |
Merge branch 'opensaml_4.x' into nightlyBuild
# Conflicts:
# eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverAdapter.java
# eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
# eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/SoapBindingTest.java
# eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyMetadataProvider.java
# eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java
# eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PvpAuthnRequestBuilder.java
# pom.xml
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at')
23 files changed, 247 insertions, 209 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPvp2MetadataProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPvp2MetadataProvider.java index b213425d..ca3aa844 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPvp2MetadataProvider.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPvp2MetadataProvider.java @@ -22,12 +22,12 @@ package at.gv.egiz.eaaf.modules.pvp2.api.metadata; import javax.annotation.Nonnull; import javax.annotation.Nullable; -import org.opensaml.saml.metadata.resolver.ExtendedRefreshableMetadataResolver; +import org.opensaml.saml.metadata.resolver.RefreshableMetadataResolver; import org.opensaml.saml.saml2.metadata.EntityDescriptor; import net.shibboleth.utilities.java.support.resolver.ResolverException; -public interface IPvp2MetadataProvider extends ExtendedRefreshableMetadataResolver { +public interface IPvp2MetadataProvider extends RefreshableMetadataResolver { /** * Get a SAML2 EntityDescriptor with an EntityId from metadata provider. diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/AbstractBinding.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/AbstractBinding.java index 3543d85a..80697ee9 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/AbstractBinding.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/AbstractBinding.java @@ -2,29 +2,12 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.binding; import javax.xml.namespace.QName; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.message.InboundMessageInterface; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlBindingException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMessageValidationException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.verification.PvpSamlMessageHandlerChain; - import org.opensaml.core.config.ConfigurationService; import org.opensaml.messaging.context.BaseContext; import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.decoder.MessageDecodingException; import org.opensaml.messaging.decoder.servlet.HttpServletRequestMessageDecoder; import org.opensaml.messaging.handler.MessageHandlerException; -import org.opensaml.saml.common.SAMLObject; import org.opensaml.saml.common.SignableSAMLObject; import org.opensaml.saml.common.binding.SAMLBindingSupport; import org.opensaml.saml.common.binding.encoding.SAMLMessageEncoder; @@ -48,6 +31,22 @@ import com.google.common.base.Optional; import com.google.common.base.Predicates; import com.google.common.base.Throwables; import com.google.common.collect.FluentIterable; + +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.message.InboundMessageInterface; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlBindingException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMessageValidationException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.verification.PvpSamlMessageHandlerChain; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; @@ -65,8 +64,8 @@ public abstract class AbstractBinding { public abstract String getSaml2BindingName(); - protected MessageContext<SAMLObject> internalMessageDecode( - HttpServletRequestMessageDecoder<SAMLObject> decoder, + protected MessageContext internalMessageDecode( + HttpServletRequestMessageDecoder decoder, String binding) throws Pvp2Exception { try { decoder.initialize(); @@ -97,9 +96,9 @@ public abstract class AbstractBinding { } - protected MessageContext<SAMLObject> buildBasicMessageContext( + protected MessageContext buildBasicMessageContext( SAMLMessageEncoder encoder, SignableSAMLObject response) { - final MessageContext<SAMLObject> messageContext = new MessageContext<>(); + final MessageContext messageContext = new MessageContext(); messageContext.setMessage(response); encoder.setMessageContext(messageContext); return messageContext; @@ -139,7 +138,7 @@ public abstract class AbstractBinding { } - protected void injectInboundMessageContexts(MessageContext<SAMLObject> messageContext, + protected void injectInboundMessageContexts(MessageContext messageContext, IPvp2MetadataProvider metadataProvider, QName peerEntityRole) throws Pvp2InternalErrorException { final SAMLPeerEntityContext peerEntityContext = new SAMLPeerEntityContext(); peerEntityContext.setRole(peerEntityRole); @@ -164,7 +163,7 @@ public abstract class AbstractBinding { } protected void performMessageValidation(PvpSamlMessageHandlerChain messageValidatorChain, - MessageContext<SAMLObject> messageContext) throws Pvp2Exception { + MessageContext messageContext) throws Pvp2Exception { try { messageValidatorChain.initialize(); messageValidatorChain.invoke(messageContext); @@ -191,7 +190,7 @@ public abstract class AbstractBinding { } protected InboundMessageInterface performMessageDecodePostProcessing( - MessageContext<SAMLObject> messageContext, boolean isVerified) { + MessageContext messageContext, boolean isVerified) { InboundMessage msg = null; if (messageContext.getMessage() instanceof RequestAbstractType) { final RequestAbstractType inboundMessage = diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/PostBinding.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/PostBinding.java index c679de20..829f771a 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/PostBinding.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/PostBinding.java @@ -23,6 +23,17 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.xml.namespace.QName; +import org.opensaml.messaging.context.MessageContext; +import org.opensaml.saml.common.binding.SAMLBindingSupport; +import org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler; +import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler; +import org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler; +import org.opensaml.saml.common.messaging.SAMLMessageSecuritySupport; +import org.opensaml.saml.common.xml.SAMLConstants; +import org.opensaml.saml.saml2.core.RequestAbstractType; +import org.opensaml.saml.saml2.core.StatusResponseType; +import org.springframework.beans.factory.annotation.Autowired; + import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.gui.IGuiBuilderConfigurationFactory; import at.gv.egiz.eaaf.core.api.gui.IVelocityGuiBuilderConfiguration; @@ -41,19 +52,6 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpPostDecoder; import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.HttpPostEncoderWithOwnTemplate; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.EaafSamlProtocolMessageXmlSignatureSecurityHandler; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.PvpSamlMessageHandlerChain; - -import org.opensaml.messaging.context.MessageContext; -import org.opensaml.saml.common.SAMLObject; -import org.opensaml.saml.common.binding.SAMLBindingSupport; -import org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler; -import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler; -import org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler; -import org.opensaml.saml.common.messaging.SAMLMessageSecuritySupport; -import org.opensaml.saml.common.xml.SAMLConstants; -import org.opensaml.saml.saml2.core.RequestAbstractType; -import org.opensaml.saml.saml2.core.StatusResponseType; -import org.springframework.beans.factory.annotation.Autowired; - import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.net.URIComparator; @@ -85,7 +83,7 @@ public class PostBinding extends AbstractBinding implements IDecoder, IEncoder { encoder.setHttpServletResponse(httpResp); // inject message context - final MessageContext<SAMLObject> messageContext = buildBasicMessageContext(encoder, request); + final MessageContext messageContext = buildBasicMessageContext(encoder, request); // inject signing context messageContext.addSubcontext(injectSigningInfos(credentials)); @@ -131,7 +129,7 @@ public class PostBinding extends AbstractBinding implements IDecoder, IEncoder { encoder.setHttpServletResponse(httpResp); // inject message context - final MessageContext<SAMLObject> messageContext = buildBasicMessageContext(encoder, response); + final MessageContext messageContext = buildBasicMessageContext(encoder, response); // inject signing context messageContext.addSubcontext(injectSigningInfos(credentials)); @@ -165,7 +163,7 @@ public class PostBinding extends AbstractBinding implements IDecoder, IEncoder { throws Pvp2Exception { final EaafHttpPostDecoder decode = new EaafHttpPostDecoder(req); - final MessageContext<SAMLObject> messageContext = internalMessageDecode(decode, PvpConstants.POST); + final MessageContext messageContext = internalMessageDecode(decode, PvpConstants.POST); // check if PVP2 AuthnRequest is signed if (!SAMLBindingSupport.isMessageSigned(messageContext)) { diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/RedirectBinding.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/RedirectBinding.java index f62f8a11..c66c773e 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/RedirectBinding.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/RedirectBinding.java @@ -23,6 +23,18 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.xml.namespace.QName; +import org.opensaml.messaging.context.MessageContext; +import org.opensaml.saml.common.binding.SAMLBindingSupport; +import org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler; +import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler; +import org.opensaml.saml.common.messaging.context.SAMLBindingContext; +import org.opensaml.saml.common.xml.SAMLConstants; +import org.opensaml.saml.saml2.binding.encoding.impl.HTTPRedirectDeflateEncoder; +import org.opensaml.saml.saml2.core.RequestAbstractType; +import org.opensaml.saml.saml2.core.StatusResponseType; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder; @@ -36,20 +48,6 @@ import at.gv.egiz.eaaf.modules.pvp2.exception.SamlBindingException; import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpRedirectDeflateDecoder; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.EaafSaml2HttpRedirectDeflateSignatureSecurityHandler; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.PvpSamlMessageHandlerChain; - -import org.opensaml.messaging.context.MessageContext; -import org.opensaml.saml.common.SAMLObject; -import org.opensaml.saml.common.binding.SAMLBindingSupport; -import org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler; -import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler; -import org.opensaml.saml.common.messaging.context.SAMLBindingContext; -import org.opensaml.saml.common.xml.SAMLConstants; -import org.opensaml.saml.saml2.binding.encoding.impl.HTTPRedirectDeflateEncoder; -import org.opensaml.saml.saml2.core.RequestAbstractType; -import org.opensaml.saml.saml2.core.StatusResponseType; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - import net.shibboleth.utilities.java.support.net.URIComparator; public class RedirectBinding extends AbstractBinding implements IDecoder, IEncoder { @@ -67,7 +65,7 @@ public class RedirectBinding extends AbstractBinding implements IDecoder, IEncod final HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); encoder.setHttpServletResponse(resp); - final MessageContext<SAMLObject> messageContext = buildBasicMessageContext(encoder, request); + final MessageContext messageContext = buildBasicMessageContext(encoder, request); // set endpoint url messageContext.addSubcontext(injectEndpointInfos(request, targetLocation)); @@ -104,7 +102,7 @@ public class RedirectBinding extends AbstractBinding implements IDecoder, IEncod final HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); encoder.setHttpServletResponse(resp); - final MessageContext<SAMLObject> messageContext = buildBasicMessageContext(encoder, response); + final MessageContext messageContext = buildBasicMessageContext(encoder, response); // set endpoint url messageContext.addSubcontext(injectEndpointInfos(response, targetLocation)); @@ -136,7 +134,7 @@ public class RedirectBinding extends AbstractBinding implements IDecoder, IEncod throws Pvp2Exception { final EaafHttpRedirectDeflateDecoder decode = new EaafHttpRedirectDeflateDecoder(req); - final MessageContext<SAMLObject> messageContext = internalMessageDecode(decode, PvpConstants.REDIRECT); + final MessageContext messageContext = internalMessageDecode(decode, PvpConstants.REDIRECT); final SAMLBindingContext bindingContext = messageContext.getSubcontext(SAMLBindingContext.class, true); if (!bindingContext.hasBindingSignature()) { diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/SoapBinding.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/SoapBinding.java index 49e93f0a..cd651a1e 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/SoapBinding.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/SoapBinding.java @@ -23,6 +23,20 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.xml.namespace.QName; +import org.opensaml.messaging.context.MessageContext; +import org.opensaml.saml.common.binding.SAMLBindingSupport; +import org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler; +import org.opensaml.saml.common.binding.impl.SAMLProtocolAndRoleHandler; +import org.opensaml.saml.common.binding.impl.SAMLSOAPDecoderBodyHandler; +import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler; +import org.opensaml.saml.common.messaging.SAMLMessageSecuritySupport; +import org.opensaml.saml.common.xml.SAMLConstants; +import org.opensaml.saml.saml2.binding.decoding.impl.HTTPSOAP11Decoder; +import org.opensaml.saml.saml2.binding.encoding.impl.HTTPSOAP11Encoder; +import org.opensaml.saml.saml2.core.RequestAbstractType; +import org.opensaml.saml.saml2.core.StatusResponseType; +import org.opensaml.soap.messaging.context.SOAP11Context; + import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder; @@ -38,22 +52,6 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.EaafMessageContextInitializationHandler; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.EaafSamlProtocolMessageXmlSignatureSecurityHandler; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.PvpSamlMessageHandlerChain; - -import org.opensaml.messaging.context.MessageContext; -import org.opensaml.saml.common.SAMLObject; -import org.opensaml.saml.common.binding.SAMLBindingSupport; -import org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler; -import org.opensaml.saml.common.binding.impl.SAMLProtocolAndRoleHandler; -import org.opensaml.saml.common.binding.impl.SAMLSOAPDecoderBodyHandler; -import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler; -import org.opensaml.saml.common.messaging.SAMLMessageSecuritySupport; -import org.opensaml.saml.common.xml.SAMLConstants; -import org.opensaml.saml.saml2.binding.decoding.impl.HTTPSOAP11Decoder; -import org.opensaml.saml.saml2.binding.encoding.impl.HTTPSOAP11Encoder; -import org.opensaml.saml.saml2.core.RequestAbstractType; -import org.opensaml.saml.saml2.core.StatusResponseType; -import org.opensaml.soap.messaging.context.SOAP11Context; - import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; import net.shibboleth.utilities.java.support.net.URIComparator; @@ -72,7 +70,7 @@ public class SoapBinding extends AbstractBinding implements IDecoder, IEncoder { injectMessageHandlerChain(soapDecoder, metadataProvider, peerEntityRole); - final MessageContext<SAMLObject> messageContext = + final MessageContext messageContext = internalMessageDecode(soapDecoder, PvpConstants.SOAP); // check if PVP2 AuthnRequest is signed @@ -141,7 +139,7 @@ public class SoapBinding extends AbstractBinding implements IDecoder, IEncoder { encoder.setHttpServletResponse(resp); // inject message context - final MessageContext<SAMLObject> messageContext = buildBasicMessageContext(encoder, response); + final MessageContext messageContext = buildBasicMessageContext(encoder, response); //inject SOAP enveloped final SOAP11Context soap11Context = new SOAP11Context(); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PvpMetadataBuilder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PvpMetadataBuilder.java index 92922e09..05a7360b 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PvpMetadataBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PvpMetadataBuilder.java @@ -21,6 +21,8 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.builder; import java.io.IOException; import java.text.MessageFormat; +import java.time.Duration; +import java.time.Instant; import java.util.Collection; import java.util.List; @@ -29,15 +31,7 @@ import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerFactoryConfigurationError; -import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration; -import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; - import org.apache.commons.lang3.StringUtils; -import org.joda.time.DateTime; import org.opensaml.core.xml.io.MarshallingException; import org.opensaml.core.xml.util.XMLObjectSupport; import org.opensaml.saml.common.SignableSAMLObject; @@ -67,6 +61,12 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.w3c.dom.Element; +import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; import net.shibboleth.utilities.java.support.xml.SerializeSupport; /** @@ -114,7 +114,7 @@ public class PvpMetadataBuilder { throws CredentialsNotAvailableException, EaafException, SecurityException, TransformerFactoryConfigurationError, MarshallingException, TransformerException, ParserConfigurationException, IOException, SignatureException { - final DateTime date = new DateTime(); + final Instant date = Instant.now(); final EntityDescriptor entityDescriptor = Saml2Utils.createSamlObject(EntityDescriptor.class); // set entityID @@ -161,19 +161,19 @@ public class PvpMetadataBuilder { } SignableSAMLObject metadataToSign; - + // build entities descriptor if (config.buildEntitiesDescriptorAsRootElement()) { final EntitiesDescriptor entitiesDescriptor = Saml2Utils.createSamlObject(EntitiesDescriptor.class); entitiesDescriptor.setName(config.getEntityFriendlyName()); entitiesDescriptor.setID(Saml2Utils.getSecureIdentifier()); - entitiesDescriptor.setValidUntil(date.plusHours(config.getMetadataValidUntil())); + entitiesDescriptor.setValidUntil(date.plus(Duration.ofHours(config.getMetadataValidUntil()))); entitiesDescriptor.getEntityDescriptors().add(entityDescriptor); metadataToSign = entitiesDescriptor; } else { - entityDescriptor.setValidUntil(date.plusHours(config.getMetadataValidUntil())); + entityDescriptor.setValidUntil(date.plus(Duration.ofHours(config.getMetadataValidUntil()))); entityDescriptor.setID(Saml2Utils.getSecureIdentifier()); metadataToSign = entityDescriptor; @@ -320,7 +320,7 @@ public class PvpMetadataBuilder { if (reqSpAttr != null && reqSpAttr.size() > 0) { log.debug("Add " + reqSpAttr.size() + " attributes to SP metadata"); - attributeService.getRequestAttributes().addAll(reqSpAttr); + attributeService.getRequestedAttributes().addAll(reqSpAttr); } else { log.debug("SP metadata contains NO requested attributes."); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java index 28f5d618..32e82ce4 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java @@ -21,6 +21,7 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.metadata; import java.io.IOException; import java.security.cert.CertificateException; +import java.time.Instant; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; @@ -34,7 +35,6 @@ import javax.annotation.Nullable; import javax.naming.ConfigurationException; import org.apache.commons.lang3.StringUtils; -import org.joda.time.DateTime; import org.opensaml.core.criterion.EntityIdCriterion; import org.opensaml.saml.metadata.resolver.ClearableMetadataResolver; import org.opensaml.saml.metadata.resolver.MetadataResolver; @@ -63,7 +63,7 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec @Nonnull @NonnullElements private final List<MetadataResolver> internalResolvers; - private DateTime lastRefeshTimestamp; + private Instant lastRefeshTimestamp; private boolean lastRefeshSuccessful; private static Object mutex = new Object(); @@ -110,10 +110,10 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec @Override public synchronized boolean refreshMetadataProvider(final String entityId) { try { - //if (resolveEntityDescriporForRefesh(entityId)) { - // return true; + // if (resolveEntityDescriporForRefesh(entityId)) { + // return true; // - //} + // } // reload metadata provider final String metadataUrl = getMetadataUrl(entityId); @@ -159,7 +159,6 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec } - @Override public final MetadataFilter getMetadataFilter() { log.warn("{} does NOT support {}", AbstractChainingMetadataProvider.class.getName(), @@ -274,17 +273,17 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec } } - this.lastRefeshTimestamp = DateTime.now(); + this.lastRefeshTimestamp = Instant.now(); this.lastRefeshSuccessful = true; } @Override @Nullable - public final DateTime getLastUpdate() { - DateTime ret = null; + public final Instant getLastUpdate() { + Instant ret = null; for (final MetadataResolver resolver : internalResolvers) { if (resolver instanceof RefreshableMetadataResolver) { - final DateTime lastUpdate = ((RefreshableMetadataResolver) resolver).getLastUpdate(); + final Instant lastUpdate = ((RefreshableMetadataResolver) resolver).getLastUpdate(); if (ret == null || ret.isBefore(lastUpdate)) { ret = lastUpdate; } @@ -296,11 +295,11 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec @Override @Nullable - public final DateTime getLastRefresh() { - DateTime ret = null; + public final Instant getLastRefresh() { + Instant ret = null; for (final MetadataResolver resolver : internalResolvers) { if (resolver instanceof RefreshableMetadataResolver) { - final DateTime lastRefresh = ((RefreshableMetadataResolver) resolver).getLastRefresh(); + final Instant lastRefresh = ((RefreshableMetadataResolver) resolver).getLastRefresh(); if (ret == null || ret.isBefore(lastRefresh)) { ret = lastRefresh; } @@ -311,7 +310,7 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec } @Override - public final DateTime getLastSuccessfulRefresh() { + public final Instant getLastSuccessfulRefresh() { return this.lastRefeshTimestamp; } @@ -346,6 +345,20 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec } + @Override + public final Throwable getLastFailureCause() { + for (final MetadataResolver resolver : internalResolvers) { + if (resolver instanceof RefreshableMetadataResolver) { + final RefreshableMetadataResolver refreshable = (RefreshableMetadataResolver) resolver; + if (refreshable.getLastFailureCause() != null) { + return refreshable.getLastFailureCause(); + } + } + } + + return null; + } + /** * Get the URL to metadata for a specific entityID. * diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverAdapter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverAdapter.java index 4115cc7c..f0291847 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverAdapter.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverAdapter.java @@ -1,8 +1,10 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.metadata; -import org.joda.time.DateTime; + +import java.time.Instant; + import org.opensaml.core.criterion.EntityIdCriterion; -import org.opensaml.saml.metadata.resolver.ExtendedRefreshableMetadataResolver; +import org.opensaml.saml.metadata.resolver.RefreshableMetadataResolver; import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; import org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver; import org.opensaml.saml.saml2.metadata.EntityDescriptor; @@ -16,9 +18,9 @@ import net.shibboleth.utilities.java.support.resolver.ResolverException; @Slf4j public class PvpMetadataResolverAdapter implements IPvp2MetadataProvider, IRefreshableMetadataProvider { - private final ExtendedRefreshableMetadataResolver internalProvider; + private final RefreshableMetadataResolver internalProvider; - public PvpMetadataResolverAdapter(ExtendedRefreshableMetadataResolver provider) { + public PvpMetadataResolverAdapter(RefreshableMetadataResolver provider) { this.internalProvider = provider; } @@ -29,13 +31,13 @@ public class PvpMetadataResolverAdapter implements IPvp2MetadataProvider, IRefre } @Override - public DateTime getLastRefresh() { + public Instant getLastRefresh() { return internalProvider.getLastRefresh(); } @Override - public DateTime getLastUpdate() { + public Instant getLastUpdate() { return internalProvider.getLastUpdate(); } @@ -88,7 +90,7 @@ public class PvpMetadataResolverAdapter implements IPvp2MetadataProvider, IRefre } @Override - public DateTime getLastSuccessfulRefresh() { + public Instant getLastSuccessfulRefresh() { return internalProvider.getLastSuccessfulRefresh(); } @@ -122,7 +124,11 @@ public class PvpMetadataResolverAdapter implements IPvp2MetadataProvider, IRefre internalProvider.getClass().getName()); } + } + public Throwable getLastFailureCause() { + return internalProvider.getLastFailureCause(); + } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java index d29f1a0e..bf541b67 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java @@ -1,6 +1,7 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.metadata; import java.io.IOException; +import java.time.Duration; import java.util.Timer; import javax.annotation.Nonnull; @@ -10,7 +11,7 @@ import javax.net.ssl.SSLHandshakeException; import org.apache.http.client.HttpClient; import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; -import org.opensaml.saml.metadata.resolver.ExtendedRefreshableMetadataResolver; +import org.opensaml.saml.metadata.resolver.RefreshableMetadataResolver; import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; import org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver; import org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver; @@ -102,7 +103,7 @@ public class PvpMetadataResolverFactory implements IDestroyableObject { @Nullable final MetadataFilter filter, @Nonnull final String idForLogging, @Nullable final ParserPool pool, @Nullable final HttpClient httpClient) throws Pvp2MetadataException { - ExtendedRefreshableMetadataResolver internalProvider = null; + RefreshableMetadataResolver internalProvider = null; try { if (metadataLocation.startsWith(URI_PREFIX_HTTP) @@ -181,7 +182,7 @@ public class PvpMetadataResolverFactory implements IDestroyableObject { * @throws ComponentInitializationException In case of a metadata resolver * initialization error */ - private ExtendedRefreshableMetadataResolver createNewFileSystemMetaDataProvider(final Resource metadataFile, + private RefreshableMetadataResolver createNewFileSystemMetaDataProvider(final Resource metadataFile, final MetadataFilter filter, final String idForLogging, final Timer timer, final ParserPool pool) throws IOException, ComponentInitializationException { ResourceBackedMetadataResolver fileSystemResolver = null; @@ -212,7 +213,7 @@ public class PvpMetadataResolverFactory implements IDestroyableObject { * @throws ResolverException In case of an internal OpenSAML * resolver error */ - private ExtendedRefreshableMetadataResolver createNewHttpMetaDataProvider(final String metadataUrl, + private RefreshableMetadataResolver createNewHttpMetaDataProvider(final String metadataUrl, final MetadataFilter filter, final String idForLogging, final Timer timer, final ParserPool pool, final HttpClient httpClient) throws ComponentInitializationException, ResolverException { @@ -241,8 +242,8 @@ public class PvpMetadataResolverFactory implements IDestroyableObject { } resolver.setRequireValidMetadata(true); - resolver.setMinRefreshDelay(1000 * 60 * 15); // 15 minutes - resolver.setMaxRefreshDelay(1000 * 60 * 60 * 24); // 24 hours + resolver.setMinRefreshDelay(Duration.ofMinutes(15)); + resolver.setMaxRefreshDelay(Duration.ofHours(24)); resolver.setMetadataFilter(filter); } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpPostDecoder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpPostDecoder.java index fdd44b9a..f9860839 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpPostDecoder.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpPostDecoder.java @@ -6,16 +6,17 @@ import java.io.UnsupportedEncodingException; import javax.servlet.http.HttpServletRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils; - import org.opensaml.core.xml.XMLObject; import org.opensaml.messaging.decoder.MessageDecodingException; import org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder; import com.google.common.base.Strings; + +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.codec.Base64Support; +import net.shibboleth.utilities.java.support.codec.DecodingException; /** * SAML2 Post-Binding decoder with same EAAF specific hardening regarding http @@ -51,18 +52,26 @@ public class EaafHttpPostDecoder extends HTTPPostDecoder { throw new MessageDecodingException("No SAML message present in request"); } - log.trace("Base64 decoding SAML message: {}", encodedMessage); - final byte[] decodedBytes = Base64Support.decode(encodedMessage); - try { - log.trace("Decoded SAML message: {}", new String(decodedBytes, "UTF-8")); + log.trace("Base64 decoding SAML message: {}", encodedMessage); + final byte[] decodedBytes = Base64Support.decode(encodedMessage); - } catch (final UnsupportedEncodingException e) { - log.warn("Logging of incomming message failed", e); + try { + log.trace("Decoded SAML message: {}", new String(decodedBytes, "UTF-8")); - } + } catch (final UnsupportedEncodingException e) { + log.warn("Logging of incomming message failed", e); + + } + + return new ByteArrayInputStream(decodedBytes); + + } catch (final DecodingException e) { + log.error("Unable to Base64 decode SAML message"); + throw new MessageDecodingException("Unable to Base64 decode SAML message",e); + } + - return new ByteArrayInputStream(decodedBytes); } /** diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpRedirectDeflateDecoder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpRedirectDeflateDecoder.java index c5174f02..28f98d30 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpRedirectDeflateDecoder.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpRedirectDeflateDecoder.java @@ -4,9 +4,6 @@ import java.io.InputStream; import javax.servlet.http.HttpServletRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils; - import org.opensaml.core.xml.XMLObject; import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.decoder.MessageDecodingException; @@ -16,6 +13,9 @@ import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder; import com.google.common.base.Strings; + +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.primitive.StringSupport; @@ -39,7 +39,7 @@ public class EaafHttpRedirectDeflateDecoder extends HTTPRedirectDeflateDecoder { @Override protected void doDecode() throws MessageDecodingException { - final MessageContext<SAMLObject> messageContext = new MessageContext<>(); + final MessageContext messageContext = new MessageContext(); final HttpServletRequest request = getHttpServletRequest(); if (!"GET".equalsIgnoreCase(request.getMethod())) { diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java index fa77b73c..396b513f 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java @@ -28,17 +28,15 @@ import java.io.Writer; import javax.servlet.http.HttpServletResponse; -import at.gv.egiz.eaaf.core.api.gui.IVelocityGuiBuilderConfiguration; -import at.gv.egiz.eaaf.core.api.gui.IVelocityGuiFormBuilder; -import at.gv.egiz.eaaf.core.impl.gui.velocity.VelocityProvider; - import org.apache.velocity.VelocityContext; import org.apache.velocity.app.Velocity; import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.encoder.MessageEncodingException; -import org.opensaml.saml.common.SAMLObject; import org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder; +import at.gv.egiz.eaaf.core.api.gui.IVelocityGuiBuilderConfiguration; +import at.gv.egiz.eaaf.core.api.gui.IVelocityGuiFormBuilder; +import at.gv.egiz.eaaf.core.impl.gui.velocity.VelocityProvider; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.net.HttpServletSupport; @@ -80,7 +78,7 @@ public class HttpPostEncoderWithOwnTemplate extends HTTPPostEncoder { * message */ @Override - protected void postEncode(final MessageContext<SAMLObject> messageContext, final String endpointUrl) + protected void postEncode(final MessageContext messageContext, final String endpointUrl) throws MessageEncodingException { log.debug("Invoking Velocity template to create POST body"); InputStream is = null; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/StringRedirectDeflateEncoder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/StringRedirectDeflateEncoder.java index 38735fb8..e75be5de 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/StringRedirectDeflateEncoder.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/StringRedirectDeflateEncoder.java @@ -39,8 +39,8 @@ public class StringRedirectDeflateEncoder extends HTTPRedirectDeflateEncoder { @Override protected void doEncode() throws MessageEncodingException { - final MessageContext<SAMLObject> messageContext = getMessageContext(); - final SAMLObject outboundMessage = messageContext.getMessage(); + final MessageContext messageContext = getMessageContext(); + final SAMLObject outboundMessage = (SAMLObject) messageContext.getMessage(); final String endpointUrl = getEndpointURL(messageContext).toString(); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java index 5c6d861d..2c90bc57 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java @@ -25,15 +25,6 @@ import java.util.Map; import javax.annotation.Nonnull; import javax.xml.XMLConstants; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeMarshaller; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeUnmarshaller; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesMarshaller; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesUnmarshaller; - import org.opensaml.core.config.ConfigurationService; import org.opensaml.core.config.InitializationException; import org.opensaml.core.config.InitializationService; @@ -43,6 +34,14 @@ import org.opensaml.xmlsec.EncryptionConfiguration; import org.opensaml.xmlsec.SignatureSigningConfiguration; import org.opensaml.xmlsec.SignatureValidationConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeMarshaller; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeUnmarshaller; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesMarshaller; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesUnmarshaller; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; import net.shibboleth.utilities.java.support.xml.BasicParserPool; @@ -66,16 +65,16 @@ public class EaafOpenSaml3xInitializer extends InitializationService { */ public static synchronized void eaafInitialize() throws InitializationException, ComponentInitializationException { - log.debug("Initializing OpenSAML 3.x ... "); + log.debug("Initializing OpenSAML 4.x ... "); initialize(); - log.debug("Injecting EAAF-specific configuration into OpenSAML 3.x ... "); + log.debug("Injecting EAAF-specific configuration into OpenSAML 4.x ... "); injectEaafSecurityProperty(); injectEaafExtenstions(); XMLObjectProviderRegistrySupport.setParserPool(eaafSecuredBasicParserPool()); - log.info("OpenSAML3.x with EAAF extensions initialized"); + log.info("OpenSAML 4.x with EAAF extensions initialized"); } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributeImpl.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributeImpl.java index e391bb31..bde67205 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributeImpl.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributeImpl.java @@ -23,15 +23,15 @@ import java.util.ArrayList; import java.util.Collections; import java.util.List; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; - +import org.opensaml.core.xml.AbstractXMLObject; import org.opensaml.core.xml.XMLObject; import org.opensaml.core.xml.schema.XSBooleanValue; import org.opensaml.core.xml.util.AttributeMap; import org.opensaml.core.xml.util.XMLObjectChildrenList; -import org.opensaml.saml.common.AbstractSAMLObject; -public class EaafRequestedAttributeImpl extends AbstractSAMLObject +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; + +public class EaafRequestedAttributeImpl extends AbstractXMLObject implements EaafRequestedAttribute { private final XMLObjectChildrenList<XMLObject> attributeValues; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributesImpl.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributesImpl.java index 9c251233..a370b305 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributesImpl.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributesImpl.java @@ -23,14 +23,14 @@ import java.util.ArrayList; import java.util.Collections; import java.util.List; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; - +import org.opensaml.core.xml.AbstractXMLObject; import org.opensaml.core.xml.XMLObject; import org.opensaml.core.xml.util.IndexedXMLObjectChildrenList; -import org.opensaml.saml.common.AbstractSAMLObject; -public class EaafRequestedAttributesImpl extends AbstractSAMLObject +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; + +public class EaafRequestedAttributesImpl extends AbstractXMLObject implements EaafRequestedAttributes { private final IndexedXMLObjectChildrenList<XMLObject> indexedChildren; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/AbstractMetadataSignatureFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/AbstractMetadataSignatureFilter.java index c28dd7fb..fe619ef0 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/AbstractMetadataSignatureFilter.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/AbstractMetadataSignatureFilter.java @@ -23,24 +23,28 @@ import java.util.ArrayList; import java.util.Iterator; import java.util.List; +import javax.annotation.Nonnull; import javax.annotation.Nullable; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SignatureValidationException; - import org.opensaml.core.xml.XMLObject; +import org.opensaml.saml.metadata.resolver.filter.FilterException; import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilterContext; import org.opensaml.saml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml.saml2.metadata.EntityDescriptor; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SignatureValidationException; + public abstract class AbstractMetadataSignatureFilter implements MetadataFilter { private static final Logger log = LoggerFactory.getLogger(AbstractMetadataSignatureFilter.class); @Override - public XMLObject filter(@Nullable final XMLObject metadata) throws SignatureValidationException { + public XMLObject filter(@Nullable final XMLObject metadata, + @Nonnull final MetadataFilterContext context) throws FilterException { try { if (metadata instanceof EntitiesDescriptor) { final EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/PvpEntityCategoryFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/PvpEntityCategoryFilter.java index efbeb7e5..7317e7ba 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/PvpEntityCategoryFilter.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/PvpEntityCategoryFilter.java @@ -22,17 +22,15 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata; import java.util.ArrayList; import java.util.List; -import at.gv.egiz.eaaf.core.impl.data.Triple; -import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import javax.annotation.Nonnull; +import javax.annotation.Nullable; import org.opensaml.core.xml.XMLObject; import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.ext.saml2mdattr.EntityAttributes; import org.opensaml.saml.metadata.resolver.filter.FilterException; import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilterContext; import org.opensaml.saml.saml2.core.Attribute; import org.opensaml.saml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml.saml2.metadata.EntitiesDescriptor; @@ -44,6 +42,12 @@ import org.opensaml.saml.saml2.metadata.ServiceName; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import at.gv.egiz.eaaf.core.impl.data.Triple; +import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; + /** * Metadata filter that inject requested attributes based on Metadata * EntityCategories. @@ -75,7 +79,8 @@ public class PvpEntityCategoryFilter implements MetadataFilter { * .XMLObject) */ @Override - public XMLObject filter(final XMLObject metadata) throws FilterException { + public XMLObject filter(@Nullable final XMLObject metadata, + @Nonnull final MetadataFilterContext context) throws FilterException { if (isUsed) { log.trace("Map PVP EntityCategory to single PVP Attributes ... "); @@ -197,7 +202,7 @@ public class PvpEntityCategoryFilter implements MetadataFilter { attributeService.getNames().add(serviceName); if (attrList != null && !attrList.isEmpty()) { - attributeService.getRequestAttributes().addAll(attrList); + attributeService.getRequestedAttributes().addAll(attrList); log.info("Add " + attrList.size() + " attributes for 'EntityAttribute': " + entityAttr); } @@ -211,14 +216,14 @@ public class PvpEntityCategoryFilter implements MetadataFilter { // load currently requested attributes final List<String> currentlyReqAttr = new ArrayList<>(); - for (final RequestedAttribute reqAttr : el.getRequestAttributes()) { + for (final RequestedAttribute reqAttr : el.getRequestedAttributes()) { currentlyReqAttr.add(reqAttr.getName()); } // check against EntityAttribute List for (final RequestedAttribute entityAttrListEl : attrList) { if (!currentlyReqAttr.contains(entityAttrListEl.getName())) { - el.getRequestAttributes().add(entityAttrListEl); + el.getRequestedAttributes().add(entityAttrListEl); } else { log.debug("'AttributeConsumingService' already contains attr: " diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SchemaValidationFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SchemaValidationFilter.java index b9e0c37f..2c7892f9 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SchemaValidationFilter.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SchemaValidationFilter.java @@ -19,20 +19,23 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata; +import javax.annotation.Nonnull; +import javax.annotation.Nullable; import javax.xml.transform.dom.DOMSource; import javax.xml.validation.Schema; import javax.xml.validation.Validator; -import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; - import org.opensaml.core.xml.XMLObject; import org.opensaml.saml.common.xml.SAMLSchemaBuilder; import org.opensaml.saml.common.xml.SAMLSchemaBuilder.SAML1Version; import org.opensaml.saml.metadata.resolver.filter.FilterException; import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilterContext; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; + public class SchemaValidationFilter implements MetadataFilter { private static final Logger log = LoggerFactory.getLogger(SchemaValidationFilter.class); private boolean isActive = true; @@ -64,13 +67,14 @@ public class SchemaValidationFilter implements MetadataFilter { * .XMLObject) */ @Override - public XMLObject filter(final XMLObject arg0) throws FilterException { + public XMLObject filter(@Nullable final XMLObject metadata, + @Nonnull final MetadataFilterContext context) throws FilterException { if (isActive) { try { final Schema test = schemaBuilder.getSAMLSchema(); final Validator val = test.newValidator(); - final DOMSource source = new DOMSource(arg0.getDOM()); + final DOMSource source = new DOMSource(metadata.getDOM()); val.validate(source); log.info("Metadata Schema validation check done OK"); @@ -90,7 +94,7 @@ public class SchemaValidationFilter implements MetadataFilter { } - return arg0; + return metadata; } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafMessageContextInitializationHandler.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafMessageContextInitializationHandler.java index aba0a68b..ff587f1b 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafMessageContextInitializationHandler.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafMessageContextInitializationHandler.java @@ -2,15 +2,10 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.verification; import javax.annotation.Nonnull; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; - import org.opensaml.core.config.ConfigurationService; import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.handler.AbstractMessageHandler; import org.opensaml.messaging.handler.MessageHandlerException; -import org.opensaml.saml.common.SAMLObject; import org.opensaml.saml.common.messaging.context.SAMLMessageInfoContext; import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext; import org.opensaml.xmlsec.SignatureValidationConfiguration; @@ -18,11 +13,14 @@ import org.opensaml.xmlsec.SignatureValidationParameters; import org.opensaml.xmlsec.context.SecurityParametersContext; import org.opensaml.xmlsec.signature.support.SignatureTrustEngine; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; @Slf4j -public class EaafMessageContextInitializationHandler extends AbstractMessageHandler<SAMLObject> { +public class EaafMessageContextInitializationHandler extends AbstractMessageHandler { private final IPvp2MetadataProvider internalMetadataProvider; private SignatureTrustEngine trustEngine; @@ -44,7 +42,7 @@ public class EaafMessageContextInitializationHandler extends AbstractMessageHand @Override - protected void doInvoke(MessageContext<SAMLObject> messageContext) throws MessageHandlerException { + protected void doInvoke(MessageContext messageContext) throws MessageHandlerException { log.trace("Injecting sub-context to SAML2 message ... "); messageContext.addSubcontext(new SAMLPeerEntityContext()); messageContext.addSubcontext(new SAMLMessageInfoContext()); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafSaml2HttpRedirectDeflateSignatureSecurityHandler.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafSaml2HttpRedirectDeflateSignatureSecurityHandler.java index 204229ee..36c8a1ee 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafSaml2HttpRedirectDeflateSignatureSecurityHandler.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafSaml2HttpRedirectDeflateSignatureSecurityHandler.java @@ -3,19 +3,20 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.verification; import javax.annotation.Nonnull; import javax.annotation.Nullable; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils; - import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.handler.MessageHandlerException; import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext; import org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler; import com.google.common.base.Strings; + +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.codec.Base64Support; +import net.shibboleth.utilities.java.support.codec.DecodingException; /** * Always extracts the last http parameter with a specific name from request, if @@ -95,7 +96,12 @@ public class EaafSaml2HttpRedirectDeflateSignatureSecurityHandler extends return null; } - return Base64Support.decode(signature); + try { + return Base64Support.decode(signature); + + } catch (DecodingException e) { + throw new MessageHandlerException("Base64 decoding error", e); + } } @Override diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpSamlMessageHandlerChain.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpSamlMessageHandlerChain.java index a1365023..44ed2013 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpSamlMessageHandlerChain.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpSamlMessageHandlerChain.java @@ -7,25 +7,24 @@ import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.handler.MessageHandler; import org.opensaml.messaging.handler.MessageHandlerChain; import org.opensaml.messaging.handler.MessageHandlerException; -import org.opensaml.saml.common.SAMLObject; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; @Slf4j -public class PvpSamlMessageHandlerChain implements MessageHandlerChain<SAMLObject> { - private final List<MessageHandler<SAMLObject>> handlers = new ArrayList<>(); +public class PvpSamlMessageHandlerChain implements MessageHandlerChain { + private final List<MessageHandler> handlers = new ArrayList<>(); private boolean isInitialized = false; @Override - public void invoke(MessageContext<SAMLObject> messageContext) throws MessageHandlerException { + public void invoke(MessageContext messageContext) throws MessageHandlerException { if (!isInitialized) { throw new RuntimeException("Component: " + PvpSamlMessageHandlerChain.class.getName() + " not initialized"); } - for (final MessageHandler<SAMLObject> handler : getHandlers()) { + for (final MessageHandler handler : getHandlers()) { log.trace("Initializing SAML message handler: {}", handler.getClass().getName()); handler.invoke(messageContext); @@ -41,7 +40,7 @@ public class PvpSamlMessageHandlerChain implements MessageHandlerChain<SAMLObjec @Override public void initialize() throws ComponentInitializationException { if (!isInitialized) { - for (final MessageHandler<SAMLObject> handler : getHandlers()) { + for (final MessageHandler handler : getHandlers()) { log.trace("Initializing SAML message handler: {}", handler.getClass().getName()); handler.initialize(); @@ -53,17 +52,17 @@ public class PvpSamlMessageHandlerChain implements MessageHandlerChain<SAMLObjec } @Override - public List<MessageHandler<SAMLObject>> getHandlers() { + public List<MessageHandler> getHandlers() { return handlers; } - public void addHandler(MessageHandler<SAMLObject> handler) { + public void addHandler(MessageHandler handler) { handlers.add(handler); } - public void addHandlers(List<MessageHandler<SAMLObject>> handlerList) { + public void addHandlers(List<MessageHandler> handlerList) { handlers.addAll(handlerList); } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java index a209a131..2257eba9 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java @@ -19,6 +19,8 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.verification; +import java.time.Duration; +import java.time.Instant; import java.util.ArrayList; import java.util.List; @@ -76,8 +78,8 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.SignatureTrustEngineDecorator; import lombok.extern.slf4j.Slf4j; -import net.shibboleth.utilities.java.support.net.BasicURLComparator; import net.shibboleth.utilities.java.support.net.URIException; +import net.shibboleth.utilities.java.support.net.impl.BasicURLComparator; import net.shibboleth.utilities.java.support.resolver.CriteriaSet; import net.shibboleth.utilities.java.support.xml.SerializeSupport; @@ -95,7 +97,7 @@ public class SamlVerificationEngine { private static final Object SIG_VAL_ERROR_MSG = "Signature verification return false"; /** - * 5 allow 3 minutes time jitter in before validation. + * allow 3 minutes time jitter in before validation. */ private static final int TIME_JITTER = 3; @@ -302,10 +304,11 @@ public class SamlVerificationEngine { // validate DateTime conditions final Conditions conditions = saml2assertion.getConditions(); if (conditions != null) { - final DateTime notbefore = conditions.getNotBefore().minusMinutes(5); - final DateTime notafter = conditions.getNotOnOrAfter(); + final Instant notbefore = conditions.getNotBefore().minus(Duration.ofMinutes(5)); + final Instant notafter = conditions.getNotOnOrAfter(); + final Instant now = Instant.now(); if (validateDateTime - && (notbefore.isAfterNow() || notafter.isBeforeNow())) { + && (notbefore.isAfter(now) || notafter.isBefore(now))) { isAssertionValid = false; log.info("Assertion with ID:{} is out of Date. [ Current:{} NotBefore:{} NotAfter:{} ]", saml2assertion.getID(), new DateTime(), notbefore, notafter); @@ -495,14 +498,14 @@ public class SamlVerificationEngine { throws SamlAssertionValidationExeption { if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS)) { // validate response issueInstant - final DateTime issueInstant = samlResp.getIssueInstant(); + final Instant issueInstant = samlResp.getIssueInstant(); if (issueInstant == null) { log.warn("PVP response does not include a 'IssueInstant' attribute"); throw new SamlAssertionValidationExeption(ERROR_14, new Object[] { loggerName, "'IssueInstant' attribute is not included" }); } - if (validateDateTime && issueInstant.minusMinutes(TIME_JITTER).isAfterNow()) { + if (validateDateTime && issueInstant.minus(Duration.ofMinutes(TIME_JITTER)).isAfter(Instant.now())) { log.warn("PVP response: IssueInstant DateTime is not valid anymore."); throw new SamlAssertionValidationExeption(ERROR_14, new Object[] { loggerName, "'IssueInstant' Time is not valid any more" }); |