diff options
Diffstat (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation')
8 files changed, 735 insertions, 572 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/EAAFURICompare.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/EAAFURICompare.java deleted file mode 100644 index 30b7dcf9..00000000 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/EAAFURICompare.java +++ /dev/null @@ -1,60 +0,0 @@ -/******************************************************************************* - * Copyright 2017 Graz University of Technology - * EAAF-Core Components has been developed in a cooperation between EGIZ, - * A-SIT Plus, A-SIT, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * https://joinup.ec.europa.eu/news/understanding-eupl-v12 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -/******************************************************************************* - *******************************************************************************/ -/******************************************************************************* - *******************************************************************************/ -package at.gv.egiz.eaaf.modules.pvp2.impl.validation; - -import org.opensaml.common.binding.decoding.URIComparator; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - - -public class EAAFURICompare implements URIComparator { - private static final Logger log = LoggerFactory.getLogger(EAAFURICompare.class); - - private String serviceURL = ""; - - /** - * - * - * @param serviceURL public URL of the PVP S-Profile endpoint - */ - public EAAFURICompare(String serviceURL) { - this.serviceURL = serviceURL; - } - - public boolean compare(String uri1, String uri2) { - if (this.serviceURL.equals(uri1)) - return true; - - else { - log.warn("PVP request destination-endpoint: " + uri1 - + " does not match to IDP endpoint:" + serviceURL); - return false; - - } - } - -} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/EaafUriCompare.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/EaafUriCompare.java new file mode 100644 index 00000000..9015c40b --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/EaafUriCompare.java @@ -0,0 +1,53 @@ +/* + * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a + * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text file for details on the + * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative + * works that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.gv.egiz.eaaf.modules.pvp2.impl.validation; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import net.shibboleth.utilities.java.support.net.URIComparator; + +public class EaafUriCompare implements URIComparator { + private static final Logger log = LoggerFactory.getLogger(EaafUriCompare.class); + + private String serviceUrl = ""; + + /** + * SAML2 URL comperator. + * + * @param serviceUrl public URL of the PVP S-Profile endpoint + */ + public EaafUriCompare(final String serviceUrl) { + this.serviceUrl = serviceUrl; + } + + @Override + public boolean compare(final String uri1, final String uri2) { + if (this.serviceUrl.equals(uri1)) { + return true; + } else { + log.warn("PVP request destination-endpoint: " + uri1 + " does not match to IDP endpoint:" + + serviceUrl); + return false; + + } + } + +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java index 18ee5797..f0758706 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java @@ -1,65 +1,86 @@ -/******************************************************************************* - * Copyright 2017 Graz University of Technology - * EAAF-Core Components has been developed in a cooperation between EGIZ, - * A-SIT Plus, A-SIT, and Graz University of Technology. +/* + * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a + * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. * - * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: * https://joinup.ec.europa.eu/news/understanding-eupl-v12 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -/******************************************************************************* - *******************************************************************************/ -/******************************************************************************* - *******************************************************************************/ + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text file for details on the + * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative + * works that you distribute must include a readable copy of the "NOTICE" text file. +*/ + package at.gv.egiz.eaaf.modules.pvp2.impl.validation; import java.util.ArrayList; import java.util.List; -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.security.MetadataCredentialResolver; -import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; -import org.opensaml.xml.security.keyinfo.KeyInfoProvider; -import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider; -import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider; -import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider; -import org.opensaml.xml.signature.SignatureTrustEngine; -import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; + +import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver; +import org.opensaml.saml.security.impl.MetadataCredentialResolver; +import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver; +import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver; +import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider; +import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider; +import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider; +import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider; +import org.opensaml.xmlsec.signature.support.SignatureTrustEngine; +import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine; +import lombok.extern.slf4j.Slf4j; +import net.shibboleth.utilities.java.support.component.ComponentInitializationException; + +@Slf4j public class TrustEngineFactory { - public static SignatureTrustEngine getSignatureKnownKeysTrustEngine(MetadataProvider provider) { - MetadataCredentialResolver resolver; + /** + * Get OpenSAML2 TrustEngine. + * + * @param mdResolver Metadata provider + * @return TrustEngine for SAML2 message validation + * @throws Pvp2InternalErrorException In case of a TrustEngine initialization + * error + */ + public static SignatureTrustEngine getSignatureKnownKeysTrustEngine( + final IPvp2MetadataProvider mdResolver) throws Pvp2InternalErrorException { + try { + final List<KeyInfoProvider> keyInfoProvider = new ArrayList<>(); + keyInfoProvider.add(new DSAKeyValueProvider()); + keyInfoProvider.add(new RSAKeyValueProvider()); + keyInfoProvider.add(new InlineX509DataProvider()); + final KeyInfoCredentialResolver keyInfoCredentialResolver = new BasicProviderKeyInfoCredentialResolver( + keyInfoProvider); + + final PredicateRoleDescriptorResolver roleDescriptorResolver = new PredicateRoleDescriptorResolver( + mdResolver); + roleDescriptorResolver.setRequireValidMetadata(true); + roleDescriptorResolver.initialize(); - resolver = new MetadataCredentialResolver(provider); + final MetadataCredentialResolver resolver = new MetadataCredentialResolver(); + resolver.setRoleDescriptorResolver(roleDescriptorResolver); + resolver.setKeyInfoCredentialResolver(keyInfoCredentialResolver); + resolver.initialize(); - List<KeyInfoProvider> keyInfoProvider = new ArrayList<KeyInfoProvider>(); - keyInfoProvider.add(new DSAKeyValueProvider()); - keyInfoProvider.add(new RSAKeyValueProvider()); - keyInfoProvider.add(new InlineX509DataProvider()); + final ExplicitKeySignatureTrustEngine engine = + new ExplicitKeySignatureTrustEngine(resolver, keyInfoCredentialResolver); - KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver( - keyInfoProvider); + return engine; - ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine( - resolver, keyInfoResolver); + } catch (final ComponentInitializationException e) { + log.warn("Initialization of SignatureTrustEngine FAILED.", e); + throw new Pvp2InternalErrorException(e); - return engine; + } - } + } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/AbstractMetadataSignatureFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/AbstractMetadataSignatureFilter.java index 424c4431..c28dd7fb 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/AbstractMetadataSignatureFilter.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/AbstractMetadataSignatureFilter.java @@ -1,154 +1,151 @@ -/******************************************************************************* - * Copyright 2017 Graz University of Technology - * EAAF-Core Components has been developed in a cooperation between EGIZ, - * A-SIT Plus, A-SIT, and Graz University of Technology. +/* + * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a + * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. * - * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: * https://joinup.ec.europa.eu/news/understanding-eupl-v12 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -/******************************************************************************* - *******************************************************************************/ -/******************************************************************************* - *******************************************************************************/ + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text file for details on the + * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative + * works that you distribute must include a readable copy of the "NOTICE" text file. +*/ + package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata; import java.util.ArrayList; import java.util.Iterator; import java.util.List; -import org.opensaml.saml2.metadata.EntitiesDescriptor; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.xml.XMLObject; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import javax.annotation.Nullable; -import at.gv.egiz.eaaf.core.exceptions.EAAFException; -import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2MetadataException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; import at.gv.egiz.eaaf.modules.pvp2.exception.SignatureValidationException; +import org.opensaml.core.xml.XMLObject; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; +import org.opensaml.saml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + public abstract class AbstractMetadataSignatureFilter implements MetadataFilter { - private static final Logger log = LoggerFactory.getLogger(AbstractMetadataSignatureFilter.class); - - public void doFilter(XMLObject metadata) throws SignatureValidationException { - try { - if (metadata instanceof EntitiesDescriptor) { - EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; - if(entitiesDescriptor.getSignature() == null) { - throw new PVP2MetadataException("pvp2.26", - new Object[] {"Root element of metadata file has to be signed"}); - } - processEntitiesDescriptor(entitiesDescriptor); - - - if (entitiesDescriptor.getEntityDescriptors().size() == 0) { - throw new PVP2MetadataException("pvp2.26", - new Object[] {"No valid entity in metadata " + entitiesDescriptor.getName()}); - } - - - } else if (metadata instanceof EntityDescriptor) { - EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; - processEntityDescriptorr(entityDescriptor); - - } else - throw new PVP2MetadataException("pvp2.26", - new Object[] {"Invalid Metadata file Root element is unknown"}); - - - - log.info("Metadata signature policy check done OK"); - } catch (EAAFException e) { - log.warn("Metadata signature policy check FAILED.", e); - throw new SignatureValidationException(e); - - } - } - - /** - * Signature verification of a SAML2 EntityDescriptor element - * - * @param desc - * @throws PVP2MetadataException if the signature is not valid or can not verified - */ - protected abstract void verify(EntityDescriptor desc) throws PVP2MetadataException; - - /** - * Signature verification of a SAML2 EntitiesDescriptor element - * - * @param desc - * @throws PVP2MetadataException if the signature is not valid or can not verified - */ - protected abstract void verify(EntitiesDescriptor desc) throws PVP2MetadataException; - - /** - * Verify a EntityDescriptor element of an EntitiesDescriptor - * - * @param entity EntityDescriptor to verify - * @param desc Full EntitiesDescriptor that contains the EntityDescriptor - * @throws PVP2MetadataException - */ - protected abstract void verify(EntityDescriptor entity, EntitiesDescriptor desc) throws PVP2MetadataException; - - - private void processEntityDescriptorr(EntityDescriptor desc) throws EAAFException { - verify(desc); - - } - - private void processEntitiesDescriptor(EntitiesDescriptor desc) throws EAAFException { - Iterator<EntitiesDescriptor> entID = desc.getEntitiesDescriptors().iterator(); - - if(desc.getSignature() != null) { - verify(desc); - - } - - while(entID.hasNext()) { - processEntitiesDescriptor(entID.next()); - } - - Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator(); - List<EntityDescriptor> verifiedEntIT = new ArrayList<EntityDescriptor>(); - - //check every Entity - while(entIT.hasNext()) { - EntityDescriptor entity = entIT.next(); - log.debug("Validate metadata for entityID: " + entity.getEntityID() + " ..... "); - try { - verify(entity, desc); - - //add entity to verified entity-list - verifiedEntIT.add(entity); - log.debug("Metadata for entityID: " + entity.getEntityID() + " valid"); - - - } catch (Exception e) { - //remove entity of signature can not be verified. - log.info("Entity " + entity.getEntityID() + " is removed from metadata " - + desc.getName() + ". Entity verification error: " + e.getMessage()); - - } - - } - - //set only verified entity elements - desc.getEntityDescriptors().clear(); - desc.getEntityDescriptors().addAll(verifiedEntIT); - } + private static final Logger log = LoggerFactory.getLogger(AbstractMetadataSignatureFilter.class); + + @Override + public XMLObject filter(@Nullable final XMLObject metadata) throws SignatureValidationException { + try { + if (metadata instanceof EntitiesDescriptor) { + final EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; + if (entitiesDescriptor.getSignature() == null) { + throw new Pvp2MetadataException("pvp2.26", + new Object[] { "Root element of metadata file has to be signed" }); + } + processEntitiesDescriptor(entitiesDescriptor); + + if (entitiesDescriptor.getEntityDescriptors().size() == 0) { + throw new Pvp2MetadataException("pvp2.26", + new Object[] { "No valid entity in metadata " + entitiesDescriptor.getName() }); + } + + } else if (metadata instanceof EntityDescriptor) { + final EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; + processEntityDescriptorr(entityDescriptor); + + } else { + throw new Pvp2MetadataException("pvp2.26", + new Object[] { "Invalid Metadata file Root element is unknown" }); + } + + log.info("Metadata signature policy check done OK"); + } catch (final EaafException e) { + log.warn("Metadata signature policy check FAILED.", e); + throw new SignatureValidationException(e); + + } + + return metadata; + + } + + /** + * Signature verification of a SAML2 EntityDescriptor element. + * + * @param desc EntityDescriptor + * @throws Pvp2MetadataException if the signature is not valid or can not + * verified + */ + protected abstract void verify(EntityDescriptor desc) throws Pvp2MetadataException; + + /** + * Signature verification of a SAML2 EntitiesDescriptor element. + * + * @param desc EntitiesDescriptor + * @throws Pvp2MetadataException if the signature is not valid or can not + * verified + */ + protected abstract void verify(EntitiesDescriptor desc) throws Pvp2MetadataException; + + /** + * Verify a EntityDescriptor element of an EntitiesDescriptor. + * + * @param entity EntityDescriptor to verify + * @param desc Full EntitiesDescriptor that contains the EntityDescriptor + * @throws Pvp2MetadataException In case of an verification error + */ + protected abstract void verify(EntityDescriptor entity, EntitiesDescriptor desc) + throws Pvp2MetadataException; + + private void processEntityDescriptorr(final EntityDescriptor desc) throws EaafException { + verify(desc); + + } + + private void processEntitiesDescriptor(final EntitiesDescriptor desc) throws EaafException { + final Iterator<EntitiesDescriptor> entID = desc.getEntitiesDescriptors().iterator(); + + if (desc.getSignature() != null) { + verify(desc); + + } + + while (entID.hasNext()) { + processEntitiesDescriptor(entID.next()); + } + + final Iterator<EntityDescriptor> entIT = desc.getEntityDescriptors().iterator(); + final List<EntityDescriptor> verifiedEntIT = new ArrayList<>(); + + // check every Entity + while (entIT.hasNext()) { + final EntityDescriptor entity = entIT.next(); + log.debug("Validate metadata for entityID: " + entity.getEntityID() + " ..... "); + try { + verify(entity, desc); + + // add entity to verified entity-list + verifiedEntIT.add(entity); + log.debug("Metadata for entityID: " + entity.getEntityID() + " valid"); + + } catch (final Exception e) { + // remove entity of signature can not be verified. + log.info("Entity " + entity.getEntityID() + " is removed from metadata " + desc.getName() + + ". Entity verification error: " + e.getMessage()); + + } + + } + + // set only verified entity elements + desc.getEntityDescriptors().clear(); + desc.getEntityDescriptors().addAll(verifiedEntIT); + } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/PVPEntityCategoryFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/PVPEntityCategoryFilter.java deleted file mode 100644 index 87ab31fb..00000000 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/PVPEntityCategoryFilter.java +++ /dev/null @@ -1,236 +0,0 @@ -/******************************************************************************* - * Copyright 2017 Graz University of Technology - * EAAF-Core Components has been developed in a cooperation between EGIZ, - * A-SIT Plus, A-SIT, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * https://joinup.ec.europa.eu/news/understanding-eupl-v12 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -/******************************************************************************* - *******************************************************************************/ -/******************************************************************************* - *******************************************************************************/ -package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata; - -import java.util.ArrayList; -import java.util.List; - -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.common.Extensions; -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.metadata.AttributeConsumingService; -import org.opensaml.saml2.metadata.EntitiesDescriptor; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.LocalizedString; -import org.opensaml.saml2.metadata.RequestedAttribute; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.ServiceName; -import org.opensaml.saml2.metadata.provider.FilterException; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.samlext.saml2mdattr.EntityAttributes; -import org.opensaml.xml.XMLObject; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import at.gv.egiz.eaaf.core.impl.data.Trible; -import at.gv.egiz.eaaf.modules.pvp2.PVPConstants; -import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; - -/** - * @author tlenz - * - */ -public class PVPEntityCategoryFilter implements MetadataFilter { - private static final Logger log = LoggerFactory.getLogger(PVPEntityCategoryFilter.class); - - private boolean isUsed = false; - - /** - * Filter to map PVP EntityCategories into a set of single PVP attributes - * - * @param isUsed if true PVP EntityCategories are mapped, otherwise they are ignored - * - */ - public PVPEntityCategoryFilter(boolean isUsed) { - this.isUsed = isUsed; - } - - - /* (non-Javadoc) - * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) - */ - @Override - public void doFilter(XMLObject metadata) throws FilterException { - - if (isUsed) { - log.trace("Map PVP EntityCategory to single PVP Attributes ... "); - String entityId = null; - try { - if (metadata instanceof EntitiesDescriptor) { - log.trace("Find EnitiesDescriptor ... "); - EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; - if (entitiesDesc.getEntityDescriptors() != null) { - for (EntityDescriptor el : entitiesDesc.getEntityDescriptors()) - resolveEntityCategoriesToAttributes(el); - - } - - } else if (metadata instanceof EntityDescriptor) { - log.trace("Find EntityDescriptor"); - resolveEntityCategoriesToAttributes((EntityDescriptor)metadata); - - - } else - throw new PVP2MetadataException("pvp2.26", - new Object[] {"Invalid Metadata file Root element is no Entities- or EntityDescriptor"}); - - - - } catch (Exception e) { - log.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + entityId, e); - - } - - } else - log.trace("Filter to map PVP EntityCategory to single PVP Attributes is deactivated"); - - } - - private void resolveEntityCategoriesToAttributes(EntityDescriptor metadata) { - log.debug("Resolving EntityCategorie for Entity: " + metadata.getEntityID() + " ..."); - Extensions extensions = metadata.getExtensions(); - if (extensions != null) { - List<XMLObject> listOfExt = extensions.getUnknownXMLObjects(); - if (listOfExt != null && !listOfExt.isEmpty()) { - log.trace("Find #" + listOfExt.size() + " 'Extension' elements "); - for (XMLObject el : listOfExt) { - log.trace("Find ExtensionElement: " + el.getElementQName().toString()); - if (el instanceof EntityAttributes) { - EntityAttributes entityAttrElem = (EntityAttributes)el; - if (entityAttrElem.getAttributes() != null) { - log.trace("Find EntityAttributes. Start attribute processing ..."); - for (Attribute entityAttr : entityAttrElem.getAttributes()) { - if (entityAttr.getName().equals(PVPConstants.ENTITY_CATEGORY_ATTRIBITE)) { - if (!entityAttr.getAttributeValues().isEmpty()) { - String entityAttrValue = entityAttr.getAttributeValues().get(0).getDOM().getTextContent(); - if (PVPConstants.EGOVTOKEN.equals(entityAttrValue)) { - log.debug("Find 'EGOVTOKEN' EntityAttribute. Adding single pvp attributes ... "); - addAttributesToEntityDescriptor(metadata, - buildAttributeList(PVPConstants.EGOVTOKEN_PVP_ATTRIBUTES), - entityAttrValue); - - - } else if (PVPConstants.CITIZENTOKEN.equals(entityAttrValue)) { - log.debug("Find 'CITIZENTOKEN' EntityAttribute. Adding single pvp attributes ... "); - addAttributesToEntityDescriptor(metadata, - buildAttributeList(PVPConstants.CITIZENTOKEN_PVP_ATTRIBUTES), - entityAttrValue); - - } else - log.info("EntityAttributeValue: " + entityAttrValue + " is UNKNOWN!"); - - } else - log.info("EntityAttribute: No attribute value"); - - } else - log.info("EntityAttribute: " + entityAttr.getName() + " is NOT supported"); - - } - - } else - log.info("Can NOT resolve EntityAttributes! Reason: Only EntityAttributes are supported!"); - - } - } - - } else - log.trace("'Extension' element is 'null' or empty"); - - } else - log.trace("No 'Extension' element found"); - - } - - /** - * @param metadata - * @param attrList - */ - private void addAttributesToEntityDescriptor(EntityDescriptor metadata, List<RequestedAttribute> attrList, String entityAttr) { - SPSSODescriptor spSSODesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); - if (spSSODesc != null) { - if (spSSODesc.getAttributeConsumingServices() == null || - spSSODesc.getAttributeConsumingServices().isEmpty()) { - log.trace("No 'AttributeConsumingServices' found. Added it ..."); - - AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class); - attributeService.setIndex(0); - attributeService.setIsDefault(true); - ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class); - serviceName.setName(new LocalizedString("Default Service", "en")); - attributeService.getNames().add(serviceName); - - if (attrList != null && !attrList.isEmpty()) { - attributeService.getRequestAttributes().addAll(attrList); - log.info("Add " + attrList.size() + " attributes for 'EntityAttribute': " + entityAttr); - - } - - spSSODesc.getAttributeConsumingServices().add(attributeService); - - } else { - log.debug("Find 'AttributeConsumingServices'. Starting updating process ... "); - for (AttributeConsumingService el : spSSODesc.getAttributeConsumingServices()) { - log.debug("Update 'AttributeConsumingService' with Index: " + el.getIndex()); - - //load currently requested attributes - List<String> currentlyReqAttr = new ArrayList<String>(); - for (RequestedAttribute reqAttr : el.getRequestAttributes()) - currentlyReqAttr.add(reqAttr.getName()); - - - //check against EntityAttribute List - for (RequestedAttribute entityAttrListEl : attrList) { - if (!currentlyReqAttr.contains(entityAttrListEl.getName())) { - el.getRequestAttributes().add(entityAttrListEl); - - } else - log.debug("'AttributeConsumingService' already contains attr: " + entityAttrListEl.getName()); - - } - - } - - } - - } else - log.info("Can ONLY add 'EntityAttributes' to 'SPSSODescriptor'"); - - } - - private List<RequestedAttribute> buildAttributeList(List<Trible<String, String, Boolean>> attrSet) { - List<RequestedAttribute> requestedAttributes = new ArrayList<RequestedAttribute>(); - for (Trible<String, String, Boolean> el : attrSet) - requestedAttributes.add(PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird())); - - return requestedAttributes; - - - } - -} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/PvpEntityCategoryFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/PvpEntityCategoryFilter.java new file mode 100644 index 00000000..efbeb7e5 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/PvpEntityCategoryFilter.java @@ -0,0 +1,252 @@ +/* + * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a + * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text file for details on the + * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative + * works that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata; + +import java.util.ArrayList; +import java.util.List; + +import at.gv.egiz.eaaf.core.impl.data.Triple; +import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; + +import org.opensaml.core.xml.XMLObject; +import org.opensaml.saml.common.xml.SAMLConstants; +import org.opensaml.saml.ext.saml2mdattr.EntityAttributes; +import org.opensaml.saml.metadata.resolver.filter.FilterException; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; +import org.opensaml.saml.saml2.core.Attribute; +import org.opensaml.saml.saml2.metadata.AttributeConsumingService; +import org.opensaml.saml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml.saml2.metadata.Extensions; +import org.opensaml.saml.saml2.metadata.RequestedAttribute; +import org.opensaml.saml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml.saml2.metadata.ServiceName; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * Metadata filter that inject requested attributes based on Metadata + * EntityCategories. + * + * @author tlenz + * + */ +public class PvpEntityCategoryFilter implements MetadataFilter { + private static final Logger log = LoggerFactory.getLogger(PvpEntityCategoryFilter.class); + + private boolean isUsed = false; + + /** + * Filter to map PVP EntityCategories into a set of single PVP attributes. + * + * @param isUsed if true PVP EntityCategories are mapped, otherwise they are + * ignored + * + */ + public PvpEntityCategoryFilter(final boolean isUsed) { + this.isUsed = isUsed; + } + + /* + * (non-Javadoc) + * + * @see + * org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml + * .XMLObject) + */ + @Override + public XMLObject filter(final XMLObject metadata) throws FilterException { + + if (isUsed) { + log.trace("Map PVP EntityCategory to single PVP Attributes ... "); + final String entityId = null; + try { + if (metadata instanceof EntitiesDescriptor) { + log.trace("Find EnitiesDescriptor ... "); + final EntitiesDescriptor entitiesDesc = (EntitiesDescriptor) metadata; + if (entitiesDesc.getEntityDescriptors() != null) { + for (final EntityDescriptor el : entitiesDesc.getEntityDescriptors()) { + resolveEntityCategoriesToAttributes(el); + } + + } + + } else if (metadata instanceof EntityDescriptor) { + log.trace("Find EntityDescriptor"); + resolveEntityCategoriesToAttributes((EntityDescriptor) metadata); + + } else { + throw new Pvp2MetadataException("pvp2.26", new Object[] { + "Invalid Metadata file Root element is no Entities- or EntityDescriptor" }); + } + + } catch (final Exception e) { + log.warn("SAML2 Metadata processing FAILED: Can not resolve EntityCategories for metadata: " + + entityId, e); + + } + + } else { + log.trace("Filter to map PVP EntityCategory to single PVP Attributes is deactivated"); + + } + + return metadata; + + } + + private void resolveEntityCategoriesToAttributes(final EntityDescriptor metadata) { + log.debug("Resolving EntityCategorie for Entity: " + metadata.getEntityID() + " ..."); + final Extensions extensions = metadata.getExtensions(); + if (extensions != null) { + final List<XMLObject> listOfExt = extensions.getUnknownXMLObjects(); + if (listOfExt != null && !listOfExt.isEmpty()) { + log.trace("Find #" + listOfExt.size() + " 'Extension' elements "); + for (final XMLObject el : listOfExt) { + log.trace("Find ExtensionElement: " + el.getElementQName().toString()); + if (el instanceof EntityAttributes) { + final EntityAttributes entityAttrElem = (EntityAttributes) el; + if (entityAttrElem.getAttributes() != null) { + log.trace("Find EntityAttributes. Start attribute processing ..."); + for (final Attribute entityAttr : entityAttrElem.getAttributes()) { + if (entityAttr.getName().equals(PvpConstants.ENTITY_CATEGORY_ATTRIBITE)) { + if (!entityAttr.getAttributeValues().isEmpty()) { + final String entityAttrValue = + entityAttr.getAttributeValues().get(0).getDOM().getTextContent(); + if (PvpConstants.EGOVTOKEN.equals(entityAttrValue)) { + log.debug( + "Find 'EGOVTOKEN' EntityAttribute. Adding single pvp attributes ... "); + addAttributesToEntityDescriptor(metadata, + buildAttributeList(PvpConstants.EGOVTOKEN_PVP_ATTRIBUTES), + entityAttrValue); + + } else if (PvpConstants.CITIZENTOKEN.equals(entityAttrValue)) { + log.debug( + "Find 'CITIZENTOKEN' EntityAttribute. Adding single pvp attributes ... "); + addAttributesToEntityDescriptor(metadata, + buildAttributeList(PvpConstants.CITIZENTOKEN_PVP_ATTRIBUTES), + entityAttrValue); + + } else { + log.info("EntityAttributeValue: " + entityAttrValue + " is UNKNOWN!"); + } + + } else { + log.info("EntityAttribute: No attribute value"); + } + + } else { + log.info("EntityAttribute: " + entityAttr.getName() + " is NOT supported"); + } + + } + + } else { + log.info( + "Can NOT resolve EntityAttributes! Reason: Only EntityAttributes are supported!"); + } + + } + } + + } else { + log.trace("'Extension' element is 'null' or empty"); + } + + } else { + log.trace("No 'Extension' element found"); + } + + } + + private void addAttributesToEntityDescriptor(final EntityDescriptor metadata, + final List<RequestedAttribute> attrList, final String entityAttr) { + final SPSSODescriptor spSsoDesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS); + if (spSsoDesc != null) { + if (spSsoDesc.getAttributeConsumingServices() == null + || spSsoDesc.getAttributeConsumingServices().isEmpty()) { + log.trace("No 'AttributeConsumingServices' found. Added it ..."); + + final AttributeConsumingService attributeService = + Saml2Utils.createSamlObject(AttributeConsumingService.class); + attributeService.setIndex(0); + attributeService.setIsDefault(true); + final ServiceName serviceName = Saml2Utils.createSamlObject(ServiceName.class); + serviceName.setValue("Default Service"); + serviceName.setXMLLang("en"); + attributeService.getNames().add(serviceName); + + if (attrList != null && !attrList.isEmpty()) { + attributeService.getRequestAttributes().addAll(attrList); + log.info("Add " + attrList.size() + " attributes for 'EntityAttribute': " + entityAttr); + + } + + spSsoDesc.getAttributeConsumingServices().add(attributeService); + + } else { + log.debug("Find 'AttributeConsumingServices'. Starting updating process ... "); + for (final AttributeConsumingService el : spSsoDesc.getAttributeConsumingServices()) { + log.debug("Update 'AttributeConsumingService' with Index: " + el.getIndex()); + + // load currently requested attributes + final List<String> currentlyReqAttr = new ArrayList<>(); + for (final RequestedAttribute reqAttr : el.getRequestAttributes()) { + currentlyReqAttr.add(reqAttr.getName()); + } + + // check against EntityAttribute List + for (final RequestedAttribute entityAttrListEl : attrList) { + if (!currentlyReqAttr.contains(entityAttrListEl.getName())) { + el.getRequestAttributes().add(entityAttrListEl); + + } else { + log.debug("'AttributeConsumingService' already contains attr: " + + entityAttrListEl.getName()); + } + + } + + } + + } + + } else { + log.info("Can ONLY add 'EntityAttributes' to 'SPSSODescriptor'"); + } + + } + + private List<RequestedAttribute> buildAttributeList( + final List<Triple<String, String, Boolean>> attrSet) { + final List<RequestedAttribute> requestedAttributes = new ArrayList<>(); + for (final Triple<String, String, Boolean> el : attrSet) { + requestedAttributes + .add(PvpAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird())); + } + + return requestedAttributes; + + } + +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SchemaValidationFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SchemaValidationFilter.java index b5de4b21..b9e0c37f 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SchemaValidationFilter.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SchemaValidationFilter.java @@ -1,106 +1,96 @@ -/******************************************************************************* - * Copyright 2017 Graz University of Technology - * EAAF-Core Components has been developed in a cooperation between EGIZ, - * A-SIT Plus, A-SIT, and Graz University of Technology. +/* + * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a + * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. * - * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: * https://joinup.ec.europa.eu/news/understanding-eupl-v12 * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ -/******************************************************************************* - *******************************************************************************/ -/******************************************************************************* - *******************************************************************************/ + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text file for details on the + * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative + * works that you distribute must include a readable copy of the "NOTICE" text file. +*/ + package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata; import javax.xml.transform.dom.DOMSource; import javax.xml.validation.Schema; import javax.xml.validation.Validator; -import org.opensaml.common.xml.SAMLSchemaBuilder; -import org.opensaml.saml2.metadata.provider.FilterException; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.xml.XMLObject; +import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; + +import org.opensaml.core.xml.XMLObject; +import org.opensaml.saml.common.xml.SAMLSchemaBuilder; +import org.opensaml.saml.common.xml.SAMLSchemaBuilder.SAML1Version; +import org.opensaml.saml.metadata.resolver.filter.FilterException; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.xml.sax.SAXException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; - -/** - * @author tlenz - * - */ public class SchemaValidationFilter implements MetadataFilter { - private static final Logger log = LoggerFactory.getLogger(SchemaValidationFilter.class); - private boolean isActive = true; - - public SchemaValidationFilter() { - } - - /** - * - */ - public SchemaValidationFilter(boolean useSchemaValidation) { - this.isActive = useSchemaValidation; - } - - - /* (non-Javadoc) - * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) - */ - @Override - public void doFilter(XMLObject arg0) throws FilterException { - - String errString = null; - - if (isActive) { - try { - Schema test = SAMLSchemaBuilder.getSAML11Schema(); - Validator val = test.newValidator(); - DOMSource source = new DOMSource(arg0.getDOM()); - val.validate(source); - log.info("Metadata Schema validation check done OK"); - return; - - } catch (SAXException e) { - if (log.isDebugEnabled() || log.isTraceEnabled()) - log.warn("Metadata Schema validation FAILED with exception:", e); - else - log.warn("Metadata Schema validation FAILED with message: "+ e.getMessage()); - - errString = e.getMessage(); - - } catch (Exception e) { - if (log.isDebugEnabled() || log.isTraceEnabled()) - log.warn("Metadata Schema validation FAILED with exception:", e); - else - log.warn("Metadata Schema validation FAILED with message: "+ e.getMessage()); - - errString = e.getMessage(); - - } - - throw new FilterException( - new SchemaValidationException("pvp2.26", - new Object[] {"Metadata Schema validation FAILED with message: " + errString})); - - } else - log.info("Metadata Schema validation check is DEACTIVATED!"); - - } + private static final Logger log = LoggerFactory.getLogger(SchemaValidationFilter.class); + private boolean isActive = true; + + private static SAMLSchemaBuilder schemaBuilder = new SAMLSchemaBuilder(SAML1Version.SAML_11); + + /** + * XML Schema validation filter for SAML2 metadata. + * <p>Schemavalidation is active by default</p> + */ + public SchemaValidationFilter() { + + } + + /** + * XML Schema validation filter for SAML2 metadata. + * + * @param useSchemaValidation <code>true</code> XML schema validation is active, otherwise <code>false</code> + */ + public SchemaValidationFilter(final boolean useSchemaValidation) { + this.isActive = useSchemaValidation; + } + + /* + * (non-Javadoc) + * + * @see + * org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml + * .XMLObject) + */ + @Override + public XMLObject filter(final XMLObject arg0) throws FilterException { + + if (isActive) { + try { + final Schema test = schemaBuilder.getSAMLSchema(); + final Validator val = test.newValidator(); + final DOMSource source = new DOMSource(arg0.getDOM()); + val.validate(source); + log.info("Metadata Schema validation check done OK"); + + } catch (final Exception e) { + if (log.isDebugEnabled() || log.isTraceEnabled()) { + log.warn("Metadata Schema validation FAILED with exception:", e); + } else { + log.warn("Metadata Schema validation FAILED with message: " + e.getMessage()); + } + + throw new FilterException(new SchemaValidationException("internal.pvp.03", + new Object[] { e.getMessage() }, e)); + } + + } else { + log.info("Metadata Schema validation check is DEACTIVATED!"); + + } + + return arg0; + } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java new file mode 100644 index 00000000..ef09e5c4 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SimpleMetadataSignatureVerificationFilter.java @@ -0,0 +1,146 @@ +/* + * Copyright 2018 A-SIT Plus GmbH + * AT-specific eIDAS Connector has been developed in a cooperation between EGIZ, + * A-SIT Plus GmbH, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "License"); + * You may not use this work except in compliance with the License. + * You may obtain a copy of the License at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata; + +import java.util.ArrayList; +import java.util.List; + +import javax.annotation.Nonnull; + +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMetadataSignatureException; + +import org.opensaml.saml.common.SignableSAMLObject; +import org.opensaml.saml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator; +import org.opensaml.security.x509.BasicX509Credential; +import org.opensaml.xmlsec.signature.support.SignatureException; +import org.opensaml.xmlsec.signature.support.SignatureValidator; + +import lombok.extern.slf4j.Slf4j; + +@Slf4j +public class SimpleMetadataSignatureVerificationFilter extends AbstractMetadataSignatureFilter { + + private final String metadataUrl; + private final List<BasicX509Credential> trustedCredential = new ArrayList<>(); + + private static final String ERROR_07 = "internal.pvp.07"; + private static final String ERROR_12 = "internal.pvp.12"; + private static final String ERROR_MSG_ENTITIESDESC = "EntitiesDescritors are NOT supported"; + private static final String ERROR_MSG_SIGNOTVALID = "Signature not valid or no trusted certificate found"; + + /** + * SAML2 metadata-signature verification-filter that uses a simple {@link List} + * of trusted {@link BasicX509Credential} as truststore. <br> + * <p> + * This filter only validates {@link EntityDescriptor} elements.<br> + * SAML2 metadata with {@link EntitiesDescriptor} <b>are not supported.</b> + * </p> + * + * @param credentials Trust X509 certificates + * @param metadataUrl Metadata URL for logging purposes + */ + public SimpleMetadataSignatureVerificationFilter(@Nonnull List<BasicX509Credential> credentials, + @Nonnull String metadataUrl) { + this.metadataUrl = metadataUrl; + this.trustedCredential.addAll(credentials); + + } + + @Override + protected void verify(EntityDescriptor desc) throws Pvp2MetadataException { + try { + internalVerify(desc); + + } catch (final EaafException e) { + log.info("Metadata verification FAILED for: {} Reason: {}", metadataUrl, e.getMessage()); + throw new Pvp2MetadataException(ERROR_07, + new Object[] { metadataUrl, e.getMessage() }, e); + + } + } + + @Override + protected void verify(EntitiesDescriptor desc) throws Pvp2MetadataException { + throw new Pvp2MetadataException(ERROR_07, + new Object[] { metadataUrl, ERROR_MSG_ENTITIESDESC }); + + } + + @Override + protected void verify(EntityDescriptor entity, EntitiesDescriptor desc) throws Pvp2MetadataException { + throw new Pvp2MetadataException(ERROR_07, + new Object[] { metadataUrl, ERROR_MSG_ENTITIESDESC }); + + } + + private void internalVerify(SignableSAMLObject signedElement) + throws EaafException { + // check if signature exists + if (signedElement.getSignature() == null) { + throw new Pvp2MetadataException(ERROR_12, + new Object[] { metadataUrl }); + + } + + // perform general signature validation + try { + final SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); + sigValidator.validate(signedElement.getSignature()); + + } catch (final SignatureException e) { + log.error("Failed to validate Signature", e); + throw new Pvp2MetadataException(ERROR_07, + new Object[] { metadataUrl, e.getMessage() }, e); + + } + + // perform cryptographic signature verification + boolean isTrusted = false; + for (final BasicX509Credential cred : trustedCredential) { + log.trace("Validating signature with credential: {} ... ", + cred.getEntityCertificate().getSubjectDN()); + try { + SignatureValidator.validate(signedElement.getSignature(), cred); + isTrusted = true; + + } catch (final SignatureException e) { + log.debug("Failed to verfiy Signature with cert: {} Reason: {}", + cred.getEntityCertificate().getSubjectDN(), e.getMessage()); + + } + } + + if (!isTrusted) { + log.info("PVP2 metadata: " + metadataUrl + " are NOT trusted!"); + throw new SamlMetadataSignatureException(metadataUrl, ERROR_MSG_SIGNOTVALID); + + } + + } + +} |