author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2021-01-25 21:32:01 +0100 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2021-01-25 21:32:01 +0100 |
commit | 09648a93840d3ced36c1f1d018abca3ae08bda12 (patch) | |
tree | 34fcfac0709ca46c4da7fcefa988fb20c997603d /eaaf_modules | |
parent | 0727e7447a08e63f500bcf0d4273c50c4b120f4e (diff) | |
parent | a818e2f207ef8255d27e8c2201c013c009a0107a (diff) | |
Merge branch 'feature/smal_changes' into 'nightlyBuild'
Feature/smal changes
See merge request egiz/eaaf_components!14
Diffstat (limited to 'eaaf_modules')
7 files changed, 112 insertions, 66 deletions
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20ResponseUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20ResponseUtils.java index 4bb91634..c3826087 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20ResponseUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20ResponseUtils.java @@ -11,17 +11,17 @@ import java.util.UUID; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.api.data.EaafConstants; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.modules.auth.sl20.Constants; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception; - import org.apache.commons.lang3.StringUtils; import org.apache.http.client.utils.URIBuilder; import org.apache.http.entity.ContentType; import com.fasterxml.jackson.databind.node.ObjectNode; + +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.modules.auth.sl20.Constants; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception; import lombok.extern.slf4j.Slf4j; @Slf4j @@ -134,7 +134,7 @@ public class SL20ResponseUtils { } else { log.info("SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'"); - log.debug("Client request containts is no native client ... "); + log.debug("Client request is no a native client. SL2.0 anwser will be a http redirect ... "); final URIBuilder clientRedirectUri = new URIBuilder(fullRedirectUrl); response.setStatus(Integer.parseInt(authConfig.getBasicConfiguration(Constants.CONFIG_PROP_HTTP_REDIRECT_CODE, Constants.CONFIG_PROP_HTTP_REDIRECT_CODE_DEFAULT_VALUE))); 
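Review bot: The rewritten message on the `+log.debug` line still carries two typos that will land in production logs: `no a native client` and `anwser`. Suggest `log.debug("Client request is not a native client. SL2.0 answer will be a http redirect ... ");`. Unrelated to this change but visible on the following context line, the redirect status is taken from configuration via `Integer.parseInt` with no range check, so a non-numeric or non-3xx value is only discovered at request time as an exception or an odd response — validating it once at startup would be safer. The enclosing `else` branch and its method start and end outside the hunk.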
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java
new file mode 100644
index 00000000..66393bb4
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java
@@ -0,0 +1,41 @@
+package at.gv.egiz.eaaf.modules.pvp2.impl.validation;
+
+import org.opensaml.security.SecurityException;
+import org.opensaml.security.credential.Credential;
+import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
+import org.opensaml.xmlsec.signature.Signature;
+import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
+
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
+
+@AllArgsConstructor
+public class SignatureTrustEngineDecorator implements SignatureTrustEngine {
+
+ private SignatureTrustEngine trustEngine;
+
+ @Getter
+ private IPvp2MetadataProvider metadataProvider;
+
+ @Override
+ public boolean validate(Signature token, CriteriaSet trustBasisCriteria) throws SecurityException {
+ return trustEngine.validate(token, trustBasisCriteria);
+
+ }
+
+ @Override
+ public boolean validate(byte[] signature, byte[] content, String algorithmUri,
+ CriteriaSet trustBasisCriteria, Credential candidateCredential) throws SecurityException {
+ return trustEngine.validate(signature, content, algorithmUri, trustBasisCriteria, candidateCredential);
+
+ }
+
+ @Override
+ public KeyInfoCredentialResolver getKeyInfoResolver() {
+ return trustEngine.getKeyInfoResolver();
+
+ }
+
+}
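Review bot: The two fields of `SignatureTrustEngineDecorator` are neither `final` nor null-checked, so a `null` `trustEngine` handed to the Lombok all-args constructor is only noticed as a NullPointerException inside `validate(...)` on the first signature check instead of at construction. Since this object sits in front of every PVP2 signature validation, make it immutable and fail fast: `private final @NonNull SignatureTrustEngine trustEngine;` and `@Getter private final IPvp2MetadataProvider metadataProvider;` (Lombok emits the null check in the generated constructor; `metadataProvider` stays nullable because `SamlVerificationEngine` explicitly handles that case). The class also has no Javadoc; a header such as `/** SignatureTrustEngine that delegates all checks to a wrapped engine and additionally carries the IPvp2MetadataProvider it was built from, so callers can refresh metadata and retry after a failed validation. */` would explain why the wrapper exists.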
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java index f0758706..fe941f74 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java @@ -22,9 +22,6 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.validation; import java.util.ArrayList; import java.util.List; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; - import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver; import org.opensaml.saml.security.impl.MetadataCredentialResolver; import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver; @@ -33,9 +30,10 @@ import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider; import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider; import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider; import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider; -import org.opensaml.xmlsec.signature.support.SignatureTrustEngine; import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; 
@@ -50,7 +48,7 @@ public class TrustEngineFactory { * @throws Pvp2InternalErrorException In case of a TrustEngine initialization * error */ - public static SignatureTrustEngine getSignatureKnownKeysTrustEngine( + public static SignatureTrustEngineDecorator getSignatureKnownKeysTrustEngine( final IPvp2MetadataProvider mdResolver) throws Pvp2InternalErrorException { try { final List<KeyInfoProvider> keyInfoProvider = new ArrayList<>(); @@ -70,10 +68,9 @@ public class TrustEngineFactory { resolver.setKeyInfoCredentialResolver(keyInfoCredentialResolver); resolver.initialize(); - final ExplicitKeySignatureTrustEngine engine = - new ExplicitKeySignatureTrustEngine(resolver, keyInfoCredentialResolver); - - return engine; + return new SignatureTrustEngineDecorator( + new ExplicitKeySignatureTrustEngine(resolver, keyInfoCredentialResolver), + mdResolver); } catch (final ComponentInitializationException e) { log.warn("Initialization of SignatureTrustEngine FAILED.", e); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java index e0a3ab8e..8bc770eb 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java 
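Review bot: Narrowing the return type of the public static `getSignatureKnownKeysTrustEngine` from the `SignatureTrustEngine` interface to the concrete `SignatureTrustEngineDecorator` is source-compatible but changes the JVM method descriptor, so any module compiled against the old signature fails with a NoSuchMethodError until it is rebuilt — worth a changelog line, or a `SignatureTrustEngine`-typed overload if external callers exist (I cannot see them from here). The Javadoc above the signature (it starts outside the hunk) should also describe the new contract, e.g. `@return a decorator around an ExplicitKeySignatureTrustEngine that keeps a reference to {@code mdResolver} so SamlVerificationEngine can trigger a metadata refresh after a failed validation`.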
@@ -27,17 +27,6 @@ import javax.xml.transform.dom.DOMSource; import javax.xml.validation.Schema; import javax.xml.validation.Validator; -import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException; -import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; -import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; - import org.apache.commons.lang3.StringUtils; import org.joda.time.DateTime; import org.opensaml.core.criterion.EntityIdCriterion; 
@@ -70,10 +59,20 @@ import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyR import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver; import org.opensaml.xmlsec.signature.support.SignatureException; import org.opensaml.xmlsec.signature.support.SignatureTrustEngine; -import org.springframework.beans.factory.annotation.Autowired; import org.w3c.dom.Element; import org.xml.sax.SAXException; +import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException; +import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.SignatureTrustEngineDecorator; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.net.BasicURLComparator; import net.shibboleth.utilities.java.support.net.URIException; @@ -97,13 +96,7 @@ public class SamlVerificationEngine { */ private static final int TIME_JITTER = 3; - - - - - @Autowired(required = true) - IPvp2MetadataProvider metadataProvider; - + /** * Verify signature of a signed SAML2 object. * 
@@ -140,27 +133,36 @@ public class SamlVerificationEngine { log.debug("PVP2X message validation FAILED. Relead metadata for entityID: {}", msg.getEntityID()); - if (metadataProvider == null || !(metadataProvider instanceof IRefreshableMetadataProvider) - || !((IRefreshableMetadataProvider) metadataProvider) - .refreshMetadataProvider(msg.getEntityID())) { - throw e; - - } else { - log.trace("PVP2X metadata reload finished. Check validate message again."); - - if (msg instanceof PvpSProfileRequest - && ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) { - verifyRequest((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest(), - sigTrustEngine); + if (sigTrustEngine instanceof SignatureTrustEngineDecorator) { + IPvp2MetadataProvider metadataProvider = + ((SignatureTrustEngineDecorator) sigTrustEngine).getMetadataProvider(); + if (metadataProvider == null || !(metadataProvider instanceof IRefreshableMetadataProvider) + || !((IRefreshableMetadataProvider) metadataProvider).refreshMetadataProvider(msg.getEntityID())) { + + throw e; } else { - verifyIdpResponse(((PvpSProfileResponse) msg).getResponse(), sigTrustEngine); + log.trace("PVP2X metadata reload finished. Check validate message again."); - } + if (msg instanceof PvpSProfileRequest + && ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) { + verifyRequest((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest(), + sigTrustEngine); - } - log.trace("Second PVP2X message validation finished"); + } else { + verifyIdpResponse(((PvpSProfileResponse) msg).getResponse(), sigTrustEngine); + } + + } + log.trace("Second PVP2X message validation finished"); + + } else { + log.debug("TrustEninge is not of type: {} Dynamic SAML2 metadata refresh not possibile.", + SignatureTrustEngineDecorator.class); + throw e; + + } } } 
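Review bot: In the retry branch, the `else` after `msg instanceof PvpSProfileRequest && ... instanceof RequestAbstractType` casts `msg` to `PvpSProfileResponse` unconditionally, so a `PvpSProfileRequest` whose payload is not a `RequestAbstractType` ends in a ClassCastException rather than the original validation error; guard it with `} else if (msg instanceof PvpSProfileResponse) { verifyIdpResponse(...); } else { throw e; }`. The refresh-and-retry is now taken only when `sigTrustEngine instanceof SignatureTrustEngineDecorator`, so a caller that builds a plain `ExplicitKeySignatureTrustEngine` itself loses the reload the previously autowired `metadataProvider` gave it, with only a debug-level trace — the method's Javadoc (the method and the enclosing `catch` start outside the hunk) should state that dynamic metadata reload requires an engine from `TrustEngineFactory`, and that debug message has typos (`TrustEninge` → `TrustEngine`, `possibile` → `possible`). Finally, the reload is keyed on `msg.getEntityID()` taken from a message whose signature has just failed to validate, so an unauthenticated sender can trigger metadata fetches at will; presumably the `IRefreshableMetadataProvider` implementation throttles this, but it is worth confirming.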
@@ -270,9 +272,6 @@ public class SamlVerificationEngine { throw new SamlAssertionValidationExeption(ERROR_16, new Object[] { e.getMessage() }, e); -// } catch (final ConfigurationException e) { -// throw new AssertionValidationExeption("pvp.12", -// new Object[]{loggerName, e.getMessage()}, e); } } diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java index 8da76265..50fd0f44 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java @@ -43,6 +43,7 @@ import org.opensaml.xmlsec.signature.SignableXMLObject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.util.Assert; import at.gv.egiz.components.eventlog.api.EventConstants; import at.gv.egiz.eaaf.core.api.IRequest; @@ -77,6 +78,7 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; +import lombok.Setter; public abstract class AbstractPvp2XProtocol extends AbstractController implements IModulInfo { private static final Logger log = LoggerFactory.getLogger(AbstractPvp2XProtocol.class); 
@@ -87,12 +89,16 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement @Autowired(required = true) protected IPvp2BasicConfiguration pvpBasicConfiguration; @Autowired(required = true) - protected IPvp2MetadataProvider metadataProvider; - @Autowired(required = true) protected SamlVerificationEngine samlVerificationEngine; @Autowired(required = false) protected List<IAuthnRequestPostProcessor> authRequestPostProcessors; + /** + * SAML2 metadata provider that should be used in this component. + */ + @Setter + protected IPvp2MetadataProvider metadataProvider; + private IPvp2CredentialProvider pvpIdpCredentials; /** @@ -554,11 +560,9 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement @PostConstruct private void verifyInitialization() { - if (pvpIdpCredentials == null) { - log.error("No SAML2 credentialProvider injected!"); - throw new RuntimeException("No SAML2 credentialProvider injected!"); + Assert.notNull(metadataProvider, "No SAML2 MetadataProvider injected!"); + Assert.notNull(pvpIdpCredentials, "No SAML2 credentialProvider injected!"); - } } } diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java index f9d7767f..68ba39a3 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java @@ -35,6 +35,7 @@ import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; +import org.springframework.util.Assert; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.IAction; 
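Review bot: `metadataProvider` is no longer autowired but is exposed through the Lombok-generated public `setMetadataProvider`, which makes the source of the SP credentials used for signature validation replaceable at any time after `verifyInitialization` has run, not only during bean wiring. If late replacement is not intended, consider setter injection guarded against re-assignment, or at least say in the field Javadoc that the property is mandatory and set once: `/** SAML2 metadata provider for this component. Mandatory; must be wired explicitly in the bean definition (no autowiring) and is checked in verifyInitialization(). */`. Every concrete subclass bean of `AbstractPvp2XProtocol` now needs this property or its `@PostConstruct` check fails at startup; this merge wires it only for `PVPAuthenticationRequestAction` in the test config, so other Spring contexts that define a protocol bean should be checked (I cannot see them from here). The class body continues outside the hunk.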
@@ -56,14 +57,13 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import lombok.Setter; @Service("PVPAuthenticationRequestAction") public class AuthenticationAction implements IAction { private static final Logger log = LoggerFactory.getLogger(AuthenticationAction.class); @Autowired(required = true) - private IPvp2MetadataProvider metadataProvider; - @Autowired(required = true) ApplicationContext springContext; @Autowired(required = true) IConfiguration authConfig; @@ -74,6 +74,12 @@ public class AuthenticationAction implements IAction { @Autowired(required = true) IRevisionLogger revisionsLogger; + /** + * SAML2 metadata provider that should be used in this component. + */ + @Setter + protected IPvp2MetadataProvider metadataProvider; + private IPvp2CredentialProvider pvpIdpCredentials; /** @@ -168,11 +174,9 @@ public class AuthenticationAction implements IAction { @PostConstruct private void verifyInitialization() { - if (pvpIdpCredentials == null) { - log.error("No SAML2 credentialProvider injected!"); - throw new RuntimeException("No SAML2 credentialProvider injected!"); + Assert.notNull(metadataProvider, "No SAML2 MetadataProvider injected!"); + Assert.notNull(pvpIdpCredentials, "No SAML2 credentialProvider injected!"); - } } } diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml index 2bddd629..760f290e 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml 
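Review bot: The new `metadataProvider` field in `AuthenticationAction` is `protected` although the class is a concrete `@Service` with no subclass visible here and the field is only reachable through the generated setter; `private` keeps accessibility minimal and matches `pvpIdpCredentials` in the same class. The field Javadoc should also say that the dependency is mandatory now that `@Autowired` was removed, e.g. `/** SAML2 metadata provider for this component. Mandatory; set via setMetadataProvider() in the bean definition and verified in verifyInitialization(). */`. The class body continues outside the hunk.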
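Review bot: `Assert.notNull` throws `IllegalArgumentException`, but a dependency missing at `@PostConstruct` time is an invalid object state rather than a bad argument; `Assert.state(metadataProvider != null, "No SAML2 MetadataProvider injected!");` (and likewise for `pvpIdpCredentials`) names the failure more accurately. The explicit `log.error` that preceded the old `RuntimeException` was dropped; Spring will wrap the exception during context startup, which is fine as long as those startup failures are logged in deployment — if that is not guaranteed, keep an error log line before the assert.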
@@ -38,6 +38,7 @@ <bean id="PVPAuthenticationRequestAction" class="at.gv.egiz.eaaf.modules.pvp2.idp.impl.AuthenticationAction"> <property name="pvpIdpCredentials" ref="dummyCredentialProvider" /> + <property name="metadataProvider" ref="dummyChainingMetadataResolver" /> </bean> <bean id="pvpMetadataService" |