summaryrefslogtreecommitdiff
path: root/eaaf_modules
diff options
context:
space:
mode:
authorThomas Lenz <thomas.lenz@egiz.gv.at>2021-01-25 21:32:01 +0100
committerThomas Lenz <thomas.lenz@egiz.gv.at>2021-01-25 21:32:01 +0100
commit09648a93840d3ced36c1f1d018abca3ae08bda12 (patch)
tree34fcfac0709ca46c4da7fcefa988fb20c997603d /eaaf_modules
parent0727e7447a08e63f500bcf0d4273c50c4b120f4e (diff)
parenta818e2f207ef8255d27e8c2201c013c009a0107a (diff)
downloadEAAF-Components-09648a93840d3ced36c1f1d018abca3ae08bda12.tar.gz
EAAF-Components-09648a93840d3ced36c1f1d018abca3ae08bda12.tar.bz2
EAAF-Components-09648a93840d3ced36c1f1d018abca3ae08bda12.zip
Merge branch 'feature/smal_changes' into 'nightlyBuild'
Feature/smal changes See merge request egiz/eaaf_components!14
Diffstat (limited to 'eaaf_modules')
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20ResponseUtils.java14
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java41
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java15
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java75
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java16
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java16
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml1
7 files changed, 112 insertions, 66 deletions
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20ResponseUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20ResponseUtils.java
index 4bb91634..c3826087 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20ResponseUtils.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/SL20ResponseUtils.java
@@ -11,17 +11,17 @@ import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import at.gv.egiz.eaaf.core.api.IRequest;
-import at.gv.egiz.eaaf.core.api.data.EaafConstants;
-import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
-import at.gv.egiz.eaaf.modules.auth.sl20.Constants;
-import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
-
import org.apache.commons.lang3.StringUtils;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.entity.ContentType;
import com.fasterxml.jackson.databind.node.ObjectNode;
+
+import at.gv.egiz.eaaf.core.api.IRequest;
+import at.gv.egiz.eaaf.core.api.data.EaafConstants;
+import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.modules.auth.sl20.Constants;
+import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception;
import lombok.extern.slf4j.Slf4j;
@Slf4j
@@ -134,7 +134,7 @@ public class SL20ResponseUtils {
} else {
log.info("SL2.0 DataURL communication needs http header: '" + SL20Constants.HTTP_HEADER_SL20_CLIENT_TYPE + "'");
- log.debug("Client request containts is no native client ... ");
+ log.debug("Client request is no a native client. SL2.0 anwser will be a http redirect ... ");
final URIBuilder clientRedirectUri = new URIBuilder(fullRedirectUrl);
response.setStatus(Integer.parseInt(authConfig.getBasicConfiguration(Constants.CONFIG_PROP_HTTP_REDIRECT_CODE,
Constants.CONFIG_PROP_HTTP_REDIRECT_CODE_DEFAULT_VALUE)));
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java
new file mode 100644
index 00000000..66393bb4
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java
@@ -0,0 +1,41 @@
+package at.gv.egiz.eaaf.modules.pvp2.impl.validation;
+
+import org.opensaml.security.SecurityException;
+import org.opensaml.security.credential.Credential;
+import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
+import org.opensaml.xmlsec.signature.Signature;
+import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
+
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
+
+@AllArgsConstructor
+public class SignatureTrustEngineDecorator implements SignatureTrustEngine {
+
+ private SignatureTrustEngine trustEngine;
+
+ @Getter
+ private IPvp2MetadataProvider metadataProvider;
+
+ @Override
+ public boolean validate(Signature token, CriteriaSet trustBasisCriteria) throws SecurityException {
+ return trustEngine.validate(token, trustBasisCriteria);
+
+ }
+
+ @Override
+ public boolean validate(byte[] signature, byte[] content, String algorithmUri,
+ CriteriaSet trustBasisCriteria, Credential candidateCredential) throws SecurityException {
+ return trustEngine.validate(signature, content, algorithmUri, trustBasisCriteria, candidateCredential);
+
+ }
+
+ @Override
+ public KeyInfoCredentialResolver getKeyInfoResolver() {
+ return trustEngine.getKeyInfoResolver();
+
+ }
+
+}
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java
index f0758706..fe941f74 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java
@@ -22,9 +22,6 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.validation;
import java.util.ArrayList;
import java.util.List;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException;
-
import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
@@ -33,9 +30,10 @@ import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider;
import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider;
-import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException;
import lombok.extern.slf4j.Slf4j;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
@@ -50,7 +48,7 @@ public class TrustEngineFactory {
* @throws Pvp2InternalErrorException In case of a TrustEngine initialization
* error
*/
- public static SignatureTrustEngine getSignatureKnownKeysTrustEngine(
+ public static SignatureTrustEngineDecorator getSignatureKnownKeysTrustEngine(
final IPvp2MetadataProvider mdResolver) throws Pvp2InternalErrorException {
try {
final List<KeyInfoProvider> keyInfoProvider = new ArrayList<>();
@@ -70,10 +68,9 @@ public class TrustEngineFactory {
resolver.setKeyInfoCredentialResolver(keyInfoCredentialResolver);
resolver.initialize();
- final ExplicitKeySignatureTrustEngine engine =
- new ExplicitKeySignatureTrustEngine(resolver, keyInfoCredentialResolver);
-
- return engine;
+ return new SignatureTrustEngineDecorator(
+ new ExplicitKeySignatureTrustEngine(resolver, keyInfoCredentialResolver),
+ mdResolver);
} catch (final ComponentInitializationException e) {
log.warn("Initialization of SignatureTrustEngine FAILED.", e);
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
index e0a3ab8e..8bc770eb 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
@@ -27,17 +27,6 @@ import javax.xml.transform.dom.DOMSource;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
-import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException;
-import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
-import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse;
-
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTime;
import org.opensaml.core.criterion.EntityIdCriterion;
@@ -70,10 +59,20 @@ import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyR
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
-import org.springframework.beans.factory.annotation.Autowired;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
+import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException;
+import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
+import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse;
+import at.gv.egiz.eaaf.modules.pvp2.impl.validation.SignatureTrustEngineDecorator;
import lombok.extern.slf4j.Slf4j;
import net.shibboleth.utilities.java.support.net.BasicURLComparator;
import net.shibboleth.utilities.java.support.net.URIException;
@@ -97,13 +96,7 @@ public class SamlVerificationEngine {
*/
private static final int TIME_JITTER = 3;
-
-
-
-
- @Autowired(required = true)
- IPvp2MetadataProvider metadataProvider;
-
+
/**
* Verify signature of a signed SAML2 object.
*
@@ -140,27 +133,36 @@ public class SamlVerificationEngine {
log.debug("PVP2X message validation FAILED. Relead metadata for entityID: {}",
msg.getEntityID());
- if (metadataProvider == null || !(metadataProvider instanceof IRefreshableMetadataProvider)
- || !((IRefreshableMetadataProvider) metadataProvider)
- .refreshMetadataProvider(msg.getEntityID())) {
- throw e;
-
- } else {
- log.trace("PVP2X metadata reload finished. Check validate message again.");
-
- if (msg instanceof PvpSProfileRequest
- && ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) {
- verifyRequest((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest(),
- sigTrustEngine);
+ if (sigTrustEngine instanceof SignatureTrustEngineDecorator) {
+ IPvp2MetadataProvider metadataProvider =
+ ((SignatureTrustEngineDecorator) sigTrustEngine).getMetadataProvider();
+ if (metadataProvider == null || !(metadataProvider instanceof IRefreshableMetadataProvider)
+ || !((IRefreshableMetadataProvider) metadataProvider).refreshMetadataProvider(msg.getEntityID())) {
+
+ throw e;
} else {
- verifyIdpResponse(((PvpSProfileResponse) msg).getResponse(), sigTrustEngine);
+ log.trace("PVP2X metadata reload finished. Check validate message again.");
- }
+ if (msg instanceof PvpSProfileRequest
+ && ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) {
+ verifyRequest((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest(),
+ sigTrustEngine);
- }
- log.trace("Second PVP2X message validation finished");
+ } else {
+ verifyIdpResponse(((PvpSProfileResponse) msg).getResponse(), sigTrustEngine);
+ }
+
+ }
+ log.trace("Second PVP2X message validation finished");
+
+ } else {
+ log.debug("TrustEninge is not of type: {} Dynamic SAML2 metadata refresh not possibile.",
+ SignatureTrustEngineDecorator.class);
+ throw e;
+
+ }
}
}
@@ -270,9 +272,6 @@ public class SamlVerificationEngine {
throw new SamlAssertionValidationExeption(ERROR_16,
new Object[] { e.getMessage() }, e);
-// } catch (final ConfigurationException e) {
-// throw new AssertionValidationExeption("pvp.12",
-// new Object[]{loggerName, e.getMessage()}, e);
}
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java
index 8da76265..50fd0f44 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java
@@ -43,6 +43,7 @@ import org.opensaml.xmlsec.signature.SignableXMLObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.util.Assert;
import at.gv.egiz.components.eventlog.api.EventConstants;
import at.gv.egiz.eaaf.core.api.IRequest;
@@ -77,6 +78,7 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare;
import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory;
import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine;
+import lombok.Setter;
public abstract class AbstractPvp2XProtocol extends AbstractController implements IModulInfo {
private static final Logger log = LoggerFactory.getLogger(AbstractPvp2XProtocol.class);
@@ -87,12 +89,16 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement
@Autowired(required = true)
protected IPvp2BasicConfiguration pvpBasicConfiguration;
@Autowired(required = true)
- protected IPvp2MetadataProvider metadataProvider;
- @Autowired(required = true)
protected SamlVerificationEngine samlVerificationEngine;
@Autowired(required = false)
protected List<IAuthnRequestPostProcessor> authRequestPostProcessors;
+ /**
+ * SAML2 metadata provider that should be used in this component.
+ */
+ @Setter
+ protected IPvp2MetadataProvider metadataProvider;
+
private IPvp2CredentialProvider pvpIdpCredentials;
/**
@@ -554,11 +560,9 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement
@PostConstruct
private void verifyInitialization() {
- if (pvpIdpCredentials == null) {
- log.error("No SAML2 credentialProvider injected!");
- throw new RuntimeException("No SAML2 credentialProvider injected!");
+ Assert.notNull(metadataProvider, "No SAML2 MetadataProvider injected!");
+ Assert.notNull(pvpIdpCredentials, "No SAML2 credentialProvider injected!");
- }
}
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java
index f9d7767f..68ba39a3 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java
@@ -35,6 +35,7 @@ import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Service;
+import org.springframework.util.Assert;
import at.gv.egiz.eaaf.core.api.IRequest;
import at.gv.egiz.eaaf.core.api.idp.IAction;
@@ -56,14 +57,13 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding;
import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+import lombok.Setter;
@Service("PVPAuthenticationRequestAction")
public class AuthenticationAction implements IAction {
private static final Logger log = LoggerFactory.getLogger(AuthenticationAction.class);
@Autowired(required = true)
- private IPvp2MetadataProvider metadataProvider;
- @Autowired(required = true)
ApplicationContext springContext;
@Autowired(required = true)
IConfiguration authConfig;
@@ -74,6 +74,12 @@ public class AuthenticationAction implements IAction {
@Autowired(required = true)
IRevisionLogger revisionsLogger;
+ /**
+ * SAML2 metadata provider that should be used in this component.
+ */
+ @Setter
+ protected IPvp2MetadataProvider metadataProvider;
+
private IPvp2CredentialProvider pvpIdpCredentials;
/**
@@ -168,11 +174,9 @@ public class AuthenticationAction implements IAction {
@PostConstruct
private void verifyInitialization() {
- if (pvpIdpCredentials == null) {
- log.error("No SAML2 credentialProvider injected!");
- throw new RuntimeException("No SAML2 credentialProvider injected!");
+ Assert.notNull(metadataProvider, "No SAML2 MetadataProvider injected!");
+ Assert.notNull(pvpIdpCredentials, "No SAML2 credentialProvider injected!");
- }
}
}
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml
index 2bddd629..760f290e 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml
@@ -38,6 +38,7 @@
<bean id="PVPAuthenticationRequestAction"
class="at.gv.egiz.eaaf.modules.pvp2.idp.impl.AuthenticationAction">
<property name="pvpIdpCredentials" ref="dummyCredentialProvider" />
+ <property name="metadataProvider" ref="dummyChainingMetadataResolver" />
</bean>
<bean id="pvpMetadataService"