diff options
Diffstat (limited to 'eaaf_modules')
38 files changed, 349 insertions, 306 deletions
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPvp2MetadataProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPvp2MetadataProvider.java index b213425d..ca3aa844 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPvp2MetadataProvider.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/metadata/IPvp2MetadataProvider.java @@ -22,12 +22,12 @@ package at.gv.egiz.eaaf.modules.pvp2.api.metadata; import javax.annotation.Nonnull; import javax.annotation.Nullable; -import org.opensaml.saml.metadata.resolver.ExtendedRefreshableMetadataResolver; +import org.opensaml.saml.metadata.resolver.RefreshableMetadataResolver; import org.opensaml.saml.saml2.metadata.EntityDescriptor; import net.shibboleth.utilities.java.support.resolver.ResolverException; -public interface IPvp2MetadataProvider extends ExtendedRefreshableMetadataResolver { +public interface IPvp2MetadataProvider extends RefreshableMetadataResolver { /** * Get a SAML2 EntityDescriptor with an EntityId from metadata provider. diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/AbstractBinding.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/AbstractBinding.java index 3543d85a..80697ee9 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/AbstractBinding.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/AbstractBinding.java @@ -2,29 +2,12 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.binding; import javax.xml.namespace.QName; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.message.InboundMessageInterface; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlBindingException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMessageValidationException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.verification.PvpSamlMessageHandlerChain; - import org.opensaml.core.config.ConfigurationService; import org.opensaml.messaging.context.BaseContext; import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.decoder.MessageDecodingException; import org.opensaml.messaging.decoder.servlet.HttpServletRequestMessageDecoder; import org.opensaml.messaging.handler.MessageHandlerException; -import org.opensaml.saml.common.SAMLObject; import org.opensaml.saml.common.SignableSAMLObject; import org.opensaml.saml.common.binding.SAMLBindingSupport; import org.opensaml.saml.common.binding.encoding.SAMLMessageEncoder; @@ -48,6 +31,22 @@ import com.google.common.base.Optional; import com.google.common.base.Predicates; import com.google.common.base.Throwables; import com.google.common.collect.FluentIterable; + +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.message.InboundMessageInterface; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlBindingException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMessageValidationException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.verification.PvpSamlMessageHandlerChain; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; @@ -65,8 +64,8 @@ public abstract class AbstractBinding { public abstract String getSaml2BindingName(); - protected MessageContext<SAMLObject> internalMessageDecode( - HttpServletRequestMessageDecoder<SAMLObject> decoder, + protected MessageContext internalMessageDecode( + HttpServletRequestMessageDecoder decoder, String binding) throws Pvp2Exception { try { decoder.initialize(); @@ -97,9 +96,9 @@ public abstract class AbstractBinding { } - protected MessageContext<SAMLObject> buildBasicMessageContext( + protected MessageContext buildBasicMessageContext( SAMLMessageEncoder encoder, SignableSAMLObject response) { - final MessageContext<SAMLObject> messageContext = new MessageContext<>(); + final MessageContext messageContext = new MessageContext(); messageContext.setMessage(response); encoder.setMessageContext(messageContext); return messageContext; @@ -139,7 +138,7 @@ public abstract class AbstractBinding { } - protected void injectInboundMessageContexts(MessageContext<SAMLObject> messageContext, + protected void injectInboundMessageContexts(MessageContext messageContext, IPvp2MetadataProvider metadataProvider, QName peerEntityRole) throws Pvp2InternalErrorException { final SAMLPeerEntityContext peerEntityContext = new SAMLPeerEntityContext(); peerEntityContext.setRole(peerEntityRole); @@ -164,7 +163,7 @@ public abstract class AbstractBinding { } protected void performMessageValidation(PvpSamlMessageHandlerChain messageValidatorChain, - MessageContext<SAMLObject> messageContext) throws Pvp2Exception { + MessageContext messageContext) throws Pvp2Exception { try { messageValidatorChain.initialize(); messageValidatorChain.invoke(messageContext); @@ -191,7 +190,7 @@ public abstract class AbstractBinding { } protected InboundMessageInterface performMessageDecodePostProcessing( - MessageContext<SAMLObject> messageContext, boolean isVerified) { + MessageContext messageContext, boolean isVerified) { InboundMessage msg = null; if (messageContext.getMessage() instanceof RequestAbstractType) { final RequestAbstractType inboundMessage = diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/PostBinding.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/PostBinding.java index c679de20..829f771a 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/PostBinding.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/PostBinding.java @@ -23,6 +23,17 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.xml.namespace.QName; +import org.opensaml.messaging.context.MessageContext; +import org.opensaml.saml.common.binding.SAMLBindingSupport; +import org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler; +import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler; +import org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler; +import org.opensaml.saml.common.messaging.SAMLMessageSecuritySupport; +import org.opensaml.saml.common.xml.SAMLConstants; +import org.opensaml.saml.saml2.core.RequestAbstractType; +import org.opensaml.saml.saml2.core.StatusResponseType; +import org.springframework.beans.factory.annotation.Autowired; + import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.gui.IGuiBuilderConfigurationFactory; import at.gv.egiz.eaaf.core.api.gui.IVelocityGuiBuilderConfiguration; @@ -41,19 +52,6 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpPostDecoder; import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.HttpPostEncoderWithOwnTemplate; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.EaafSamlProtocolMessageXmlSignatureSecurityHandler; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.PvpSamlMessageHandlerChain; - -import org.opensaml.messaging.context.MessageContext; -import org.opensaml.saml.common.SAMLObject; -import org.opensaml.saml.common.binding.SAMLBindingSupport; -import org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler; -import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler; -import org.opensaml.saml.common.binding.security.impl.ReceivedEndpointSecurityHandler; -import org.opensaml.saml.common.messaging.SAMLMessageSecuritySupport; -import org.opensaml.saml.common.xml.SAMLConstants; -import org.opensaml.saml.saml2.core.RequestAbstractType; -import org.opensaml.saml.saml2.core.StatusResponseType; -import org.springframework.beans.factory.annotation.Autowired; - import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.net.URIComparator; @@ -85,7 +83,7 @@ public class PostBinding extends AbstractBinding implements IDecoder, IEncoder { encoder.setHttpServletResponse(httpResp); // inject message context - final MessageContext<SAMLObject> messageContext = buildBasicMessageContext(encoder, request); + final MessageContext messageContext = buildBasicMessageContext(encoder, request); // inject signing context messageContext.addSubcontext(injectSigningInfos(credentials)); @@ -131,7 +129,7 @@ public class PostBinding extends AbstractBinding implements IDecoder, IEncoder { encoder.setHttpServletResponse(httpResp); // inject message context - final MessageContext<SAMLObject> messageContext = buildBasicMessageContext(encoder, response); + final MessageContext messageContext = buildBasicMessageContext(encoder, response); // inject signing context messageContext.addSubcontext(injectSigningInfos(credentials)); @@ -165,7 +163,7 @@ public class PostBinding extends AbstractBinding implements IDecoder, IEncoder { throws Pvp2Exception { final EaafHttpPostDecoder decode = new EaafHttpPostDecoder(req); - final MessageContext<SAMLObject> messageContext = internalMessageDecode(decode, PvpConstants.POST); + final MessageContext messageContext = internalMessageDecode(decode, PvpConstants.POST); // check if PVP2 AuthnRequest is signed if (!SAMLBindingSupport.isMessageSigned(messageContext)) { diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/RedirectBinding.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/RedirectBinding.java index f62f8a11..c66c773e 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/RedirectBinding.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/RedirectBinding.java @@ -23,6 +23,18 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.xml.namespace.QName; +import org.opensaml.messaging.context.MessageContext; +import org.opensaml.saml.common.binding.SAMLBindingSupport; +import org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler; +import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler; +import org.opensaml.saml.common.messaging.context.SAMLBindingContext; +import org.opensaml.saml.common.xml.SAMLConstants; +import org.opensaml.saml.saml2.binding.encoding.impl.HTTPRedirectDeflateEncoder; +import org.opensaml.saml.saml2.core.RequestAbstractType; +import org.opensaml.saml.saml2.core.StatusResponseType; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder; @@ -36,20 +48,6 @@ import at.gv.egiz.eaaf.modules.pvp2.exception.SamlBindingException; import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpRedirectDeflateDecoder; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.EaafSaml2HttpRedirectDeflateSignatureSecurityHandler; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.PvpSamlMessageHandlerChain; - -import org.opensaml.messaging.context.MessageContext; -import org.opensaml.saml.common.SAMLObject; -import org.opensaml.saml.common.binding.SAMLBindingSupport; -import org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler; -import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler; -import org.opensaml.saml.common.messaging.context.SAMLBindingContext; -import org.opensaml.saml.common.xml.SAMLConstants; -import org.opensaml.saml.saml2.binding.encoding.impl.HTTPRedirectDeflateEncoder; -import org.opensaml.saml.saml2.core.RequestAbstractType; -import org.opensaml.saml.saml2.core.StatusResponseType; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - import net.shibboleth.utilities.java.support.net.URIComparator; public class RedirectBinding extends AbstractBinding implements IDecoder, IEncoder { @@ -67,7 +65,7 @@ public class RedirectBinding extends AbstractBinding implements IDecoder, IEncod final HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); encoder.setHttpServletResponse(resp); - final MessageContext<SAMLObject> messageContext = buildBasicMessageContext(encoder, request); + final MessageContext messageContext = buildBasicMessageContext(encoder, request); // set endpoint url messageContext.addSubcontext(injectEndpointInfos(request, targetLocation)); @@ -104,7 +102,7 @@ public class RedirectBinding extends AbstractBinding implements IDecoder, IEncod final HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); encoder.setHttpServletResponse(resp); - final MessageContext<SAMLObject> messageContext = buildBasicMessageContext(encoder, response); + final MessageContext messageContext = buildBasicMessageContext(encoder, response); // set endpoint url messageContext.addSubcontext(injectEndpointInfos(response, targetLocation)); @@ -136,7 +134,7 @@ public class RedirectBinding extends AbstractBinding implements IDecoder, IEncod throws Pvp2Exception { final EaafHttpRedirectDeflateDecoder decode = new EaafHttpRedirectDeflateDecoder(req); - final MessageContext<SAMLObject> messageContext = internalMessageDecode(decode, PvpConstants.REDIRECT); + final MessageContext messageContext = internalMessageDecode(decode, PvpConstants.REDIRECT); final SAMLBindingContext bindingContext = messageContext.getSubcontext(SAMLBindingContext.class, true); if (!bindingContext.hasBindingSignature()) { diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/SoapBinding.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/SoapBinding.java index 49e93f0a..cd651a1e 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/SoapBinding.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/binding/SoapBinding.java @@ -23,6 +23,20 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.xml.namespace.QName; +import org.opensaml.messaging.context.MessageContext; +import org.opensaml.saml.common.binding.SAMLBindingSupport; +import org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler; +import org.opensaml.saml.common.binding.impl.SAMLProtocolAndRoleHandler; +import org.opensaml.saml.common.binding.impl.SAMLSOAPDecoderBodyHandler; +import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler; +import org.opensaml.saml.common.messaging.SAMLMessageSecuritySupport; +import org.opensaml.saml.common.xml.SAMLConstants; +import org.opensaml.saml.saml2.binding.decoding.impl.HTTPSOAP11Decoder; +import org.opensaml.saml.saml2.binding.encoding.impl.HTTPSOAP11Encoder; +import org.opensaml.saml.saml2.core.RequestAbstractType; +import org.opensaml.saml.saml2.core.StatusResponseType; +import org.opensaml.soap.messaging.context.SOAP11Context; + import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; import at.gv.egiz.eaaf.modules.pvp2.api.binding.IDecoder; @@ -38,22 +52,6 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.EaafMessageContextInitializationHandler; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.EaafSamlProtocolMessageXmlSignatureSecurityHandler; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.PvpSamlMessageHandlerChain; - -import org.opensaml.messaging.context.MessageContext; -import org.opensaml.saml.common.SAMLObject; -import org.opensaml.saml.common.binding.SAMLBindingSupport; -import org.opensaml.saml.common.binding.impl.CheckMessageVersionHandler; -import org.opensaml.saml.common.binding.impl.SAMLProtocolAndRoleHandler; -import org.opensaml.saml.common.binding.impl.SAMLSOAPDecoderBodyHandler; -import org.opensaml.saml.common.binding.security.impl.MessageLifetimeSecurityHandler; -import org.opensaml.saml.common.messaging.SAMLMessageSecuritySupport; -import org.opensaml.saml.common.xml.SAMLConstants; -import org.opensaml.saml.saml2.binding.decoding.impl.HTTPSOAP11Decoder; -import org.opensaml.saml.saml2.binding.encoding.impl.HTTPSOAP11Encoder; -import org.opensaml.saml.saml2.core.RequestAbstractType; -import org.opensaml.saml.saml2.core.StatusResponseType; -import org.opensaml.soap.messaging.context.SOAP11Context; - import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; import net.shibboleth.utilities.java.support.net.URIComparator; @@ -72,7 +70,7 @@ public class SoapBinding extends AbstractBinding implements IDecoder, IEncoder { injectMessageHandlerChain(soapDecoder, metadataProvider, peerEntityRole); - final MessageContext<SAMLObject> messageContext = + final MessageContext messageContext = internalMessageDecode(soapDecoder, PvpConstants.SOAP); // check if PVP2 AuthnRequest is signed @@ -141,7 +139,7 @@ public class SoapBinding extends AbstractBinding implements IDecoder, IEncoder { encoder.setHttpServletResponse(resp); // inject message context - final MessageContext<SAMLObject> messageContext = buildBasicMessageContext(encoder, response); + final MessageContext messageContext = buildBasicMessageContext(encoder, response); //inject SOAP enveloped final SOAP11Context soap11Context = new SOAP11Context(); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PvpMetadataBuilder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PvpMetadataBuilder.java index 92922e09..05a7360b 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PvpMetadataBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PvpMetadataBuilder.java @@ -21,6 +21,8 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.builder; import java.io.IOException; import java.text.MessageFormat; +import java.time.Duration; +import java.time.Instant; import java.util.Collection; import java.util.List; @@ -29,15 +31,7 @@ import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerFactoryConfigurationError; -import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration; -import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; - import org.apache.commons.lang3.StringUtils; -import org.joda.time.DateTime; import org.opensaml.core.xml.io.MarshallingException; import org.opensaml.core.xml.util.XMLObjectSupport; import org.opensaml.saml.common.SignableSAMLObject; @@ -67,6 +61,12 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.w3c.dom.Element; +import at.gv.egiz.eaaf.core.exceptions.EaafBuilderException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; import net.shibboleth.utilities.java.support.xml.SerializeSupport; /** @@ -114,7 +114,7 @@ public class PvpMetadataBuilder { throws CredentialsNotAvailableException, EaafException, SecurityException, TransformerFactoryConfigurationError, MarshallingException, TransformerException, ParserConfigurationException, IOException, SignatureException { - final DateTime date = new DateTime(); + final Instant date = Instant.now(); final EntityDescriptor entityDescriptor = Saml2Utils.createSamlObject(EntityDescriptor.class); // set entityID @@ -161,19 +161,19 @@ public class PvpMetadataBuilder { } SignableSAMLObject metadataToSign; - + // build entities descriptor if (config.buildEntitiesDescriptorAsRootElement()) { final EntitiesDescriptor entitiesDescriptor = Saml2Utils.createSamlObject(EntitiesDescriptor.class); entitiesDescriptor.setName(config.getEntityFriendlyName()); entitiesDescriptor.setID(Saml2Utils.getSecureIdentifier()); - entitiesDescriptor.setValidUntil(date.plusHours(config.getMetadataValidUntil())); + entitiesDescriptor.setValidUntil(date.plus(Duration.ofHours(config.getMetadataValidUntil()))); entitiesDescriptor.getEntityDescriptors().add(entityDescriptor); metadataToSign = entitiesDescriptor; } else { - entityDescriptor.setValidUntil(date.plusHours(config.getMetadataValidUntil())); + entityDescriptor.setValidUntil(date.plus(Duration.ofHours(config.getMetadataValidUntil()))); entityDescriptor.setID(Saml2Utils.getSecureIdentifier()); metadataToSign = entityDescriptor; @@ -320,7 +320,7 @@ public class PvpMetadataBuilder { if (reqSpAttr != null && reqSpAttr.size() > 0) { log.debug("Add " + reqSpAttr.size() + " attributes to SP metadata"); - attributeService.getRequestAttributes().addAll(reqSpAttr); + attributeService.getRequestedAttributes().addAll(reqSpAttr); } else { log.debug("SP metadata contains NO requested attributes."); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java index 28f5d618..32e82ce4 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/AbstractChainingMetadataProvider.java @@ -21,6 +21,7 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.metadata; import java.io.IOException; import java.security.cert.CertificateException; +import java.time.Instant; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; @@ -34,7 +35,6 @@ import javax.annotation.Nullable; import javax.naming.ConfigurationException; import org.apache.commons.lang3.StringUtils; -import org.joda.time.DateTime; import org.opensaml.core.criterion.EntityIdCriterion; import org.opensaml.saml.metadata.resolver.ClearableMetadataResolver; import org.opensaml.saml.metadata.resolver.MetadataResolver; @@ -63,7 +63,7 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec @Nonnull @NonnullElements private final List<MetadataResolver> internalResolvers; - private DateTime lastRefeshTimestamp; + private Instant lastRefeshTimestamp; private boolean lastRefeshSuccessful; private static Object mutex = new Object(); @@ -110,10 +110,10 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec @Override public synchronized boolean refreshMetadataProvider(final String entityId) { try { - //if (resolveEntityDescriporForRefesh(entityId)) { - // return true; + // if (resolveEntityDescriporForRefesh(entityId)) { + // return true; // - //} + // } // reload metadata provider final String metadataUrl = getMetadataUrl(entityId); @@ -159,7 +159,6 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec } - @Override public final MetadataFilter getMetadataFilter() { log.warn("{} does NOT support {}", AbstractChainingMetadataProvider.class.getName(), @@ -274,17 +273,17 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec } } - this.lastRefeshTimestamp = DateTime.now(); + this.lastRefeshTimestamp = Instant.now(); this.lastRefeshSuccessful = true; } @Override @Nullable - public final DateTime getLastUpdate() { - DateTime ret = null; + public final Instant getLastUpdate() { + Instant ret = null; for (final MetadataResolver resolver : internalResolvers) { if (resolver instanceof RefreshableMetadataResolver) { - final DateTime lastUpdate = ((RefreshableMetadataResolver) resolver).getLastUpdate(); + final Instant lastUpdate = ((RefreshableMetadataResolver) resolver).getLastUpdate(); if (ret == null || ret.isBefore(lastUpdate)) { ret = lastUpdate; } @@ -296,11 +295,11 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec @Override @Nullable - public final DateTime getLastRefresh() { - DateTime ret = null; + public final Instant getLastRefresh() { + Instant ret = null; for (final MetadataResolver resolver : internalResolvers) { if (resolver instanceof RefreshableMetadataResolver) { - final DateTime lastRefresh = ((RefreshableMetadataResolver) resolver).getLastRefresh(); + final Instant lastRefresh = ((RefreshableMetadataResolver) resolver).getLastRefresh(); if (ret == null || ret.isBefore(lastRefresh)) { ret = lastRefresh; } @@ -311,7 +310,7 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec } @Override - public final DateTime getLastSuccessfulRefresh() { + public final Instant getLastSuccessfulRefresh() { return this.lastRefeshTimestamp; } @@ -346,6 +345,20 @@ public abstract class AbstractChainingMetadataProvider implements IGarbageCollec } + @Override + public final Throwable getLastFailureCause() { + for (final MetadataResolver resolver : internalResolvers) { + if (resolver instanceof RefreshableMetadataResolver) { + final RefreshableMetadataResolver refreshable = (RefreshableMetadataResolver) resolver; + if (refreshable.getLastFailureCause() != null) { + return refreshable.getLastFailureCause(); + } + } + } + + return null; + } + /** * Get the URL to metadata for a specific entityID. * diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverAdapter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverAdapter.java index 4115cc7c..f0291847 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverAdapter.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverAdapter.java @@ -1,8 +1,10 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.metadata; -import org.joda.time.DateTime; + +import java.time.Instant; + import org.opensaml.core.criterion.EntityIdCriterion; -import org.opensaml.saml.metadata.resolver.ExtendedRefreshableMetadataResolver; +import org.opensaml.saml.metadata.resolver.RefreshableMetadataResolver; import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; import org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver; import org.opensaml.saml.saml2.metadata.EntityDescriptor; @@ -16,9 +18,9 @@ import net.shibboleth.utilities.java.support.resolver.ResolverException; @Slf4j public class PvpMetadataResolverAdapter implements IPvp2MetadataProvider, IRefreshableMetadataProvider { - private final ExtendedRefreshableMetadataResolver internalProvider; + private final RefreshableMetadataResolver internalProvider; - public PvpMetadataResolverAdapter(ExtendedRefreshableMetadataResolver provider) { + public PvpMetadataResolverAdapter(RefreshableMetadataResolver provider) { this.internalProvider = provider; } @@ -29,13 +31,13 @@ public class PvpMetadataResolverAdapter implements IPvp2MetadataProvider, IRefre } @Override - public DateTime getLastRefresh() { + public Instant getLastRefresh() { return internalProvider.getLastRefresh(); } @Override - public DateTime getLastUpdate() { + public Instant getLastUpdate() { return internalProvider.getLastUpdate(); } @@ -88,7 +90,7 @@ public class PvpMetadataResolverAdapter implements IPvp2MetadataProvider, IRefre } @Override - public DateTime getLastSuccessfulRefresh() { + public Instant getLastSuccessfulRefresh() { return internalProvider.getLastSuccessfulRefresh(); } @@ -122,7 +124,11 @@ public class PvpMetadataResolverAdapter implements IPvp2MetadataProvider, IRefre internalProvider.getClass().getName()); } + } + public Throwable getLastFailureCause() { + return internalProvider.getLastFailureCause(); + } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java index d29f1a0e..bf541b67 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/metadata/PvpMetadataResolverFactory.java @@ -1,6 +1,7 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.metadata; import java.io.IOException; +import java.time.Duration; import java.util.Timer; import javax.annotation.Nonnull; @@ -10,7 +11,7 @@ import javax.net.ssl.SSLHandshakeException; import org.apache.http.client.HttpClient; import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; -import org.opensaml.saml.metadata.resolver.ExtendedRefreshableMetadataResolver; +import org.opensaml.saml.metadata.resolver.RefreshableMetadataResolver; import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; import org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver; import org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver; @@ -102,7 +103,7 @@ public class PvpMetadataResolverFactory implements IDestroyableObject { @Nullable final MetadataFilter filter, @Nonnull final String idForLogging, @Nullable final ParserPool pool, @Nullable final HttpClient httpClient) throws Pvp2MetadataException { - ExtendedRefreshableMetadataResolver internalProvider = null; + RefreshableMetadataResolver internalProvider = null; try { if (metadataLocation.startsWith(URI_PREFIX_HTTP) @@ -181,7 +182,7 @@ public class PvpMetadataResolverFactory implements IDestroyableObject { * @throws ComponentInitializationException In case of a metadata resolver * initialization error */ - private ExtendedRefreshableMetadataResolver createNewFileSystemMetaDataProvider(final Resource metadataFile, + private RefreshableMetadataResolver createNewFileSystemMetaDataProvider(final Resource metadataFile, final MetadataFilter filter, final String idForLogging, final Timer timer, final ParserPool pool) throws IOException, ComponentInitializationException { ResourceBackedMetadataResolver fileSystemResolver = null; @@ -212,7 +213,7 @@ public class PvpMetadataResolverFactory implements IDestroyableObject { * @throws ResolverException In case of an internal OpenSAML * resolver error */ - private ExtendedRefreshableMetadataResolver createNewHttpMetaDataProvider(final String metadataUrl, + private RefreshableMetadataResolver createNewHttpMetaDataProvider(final String metadataUrl, final MetadataFilter filter, final String idForLogging, final Timer timer, final ParserPool pool, final HttpClient httpClient) throws ComponentInitializationException, ResolverException { @@ -241,8 +242,8 @@ public class PvpMetadataResolverFactory implements IDestroyableObject { } resolver.setRequireValidMetadata(true); - resolver.setMinRefreshDelay(1000 * 60 * 15); // 15 minutes - resolver.setMaxRefreshDelay(1000 * 60 * 60 * 24); // 24 hours + resolver.setMinRefreshDelay(Duration.ofMinutes(15)); + resolver.setMaxRefreshDelay(Duration.ofHours(24)); resolver.setMetadataFilter(filter); } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpPostDecoder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpPostDecoder.java index fdd44b9a..f9860839 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpPostDecoder.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpPostDecoder.java @@ -6,16 +6,17 @@ import java.io.UnsupportedEncodingException; import javax.servlet.http.HttpServletRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils; - import org.opensaml.core.xml.XMLObject; import org.opensaml.messaging.decoder.MessageDecodingException; import org.opensaml.saml.saml2.binding.decoding.impl.HTTPPostDecoder; import com.google.common.base.Strings; + +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.codec.Base64Support; +import net.shibboleth.utilities.java.support.codec.DecodingException; /** * SAML2 Post-Binding decoder with same EAAF specific hardening regarding http @@ -51,18 +52,26 @@ public class EaafHttpPostDecoder extends HTTPPostDecoder { throw new MessageDecodingException("No SAML message present in request"); } - log.trace("Base64 decoding SAML message: {}", encodedMessage); - final byte[] decodedBytes = Base64Support.decode(encodedMessage); - try { - log.trace("Decoded SAML message: {}", new String(decodedBytes, "UTF-8")); + log.trace("Base64 decoding SAML message: {}", encodedMessage); + final byte[] decodedBytes = Base64Support.decode(encodedMessage); - } catch (final UnsupportedEncodingException e) { - log.warn("Logging of incomming message failed", e); + try { + log.trace("Decoded SAML message: {}", new String(decodedBytes, "UTF-8")); - } + } catch (final UnsupportedEncodingException e) { + log.warn("Logging of incomming message failed", e); + + } + + return new ByteArrayInputStream(decodedBytes); + + } catch (final DecodingException e) { + log.error("Unable to Base64 decode SAML message"); + throw new MessageDecodingException("Unable to Base64 decode SAML message",e); + } + - return new ByteArrayInputStream(decodedBytes); } /** diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpRedirectDeflateDecoder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpRedirectDeflateDecoder.java index c5174f02..28f98d30 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpRedirectDeflateDecoder.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/EaafHttpRedirectDeflateDecoder.java @@ -4,9 +4,6 @@ import java.io.InputStream; import javax.servlet.http.HttpServletRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils; - import org.opensaml.core.xml.XMLObject; import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.decoder.MessageDecodingException; @@ -16,6 +13,9 @@ import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.saml2.binding.decoding.impl.HTTPRedirectDeflateDecoder; import com.google.common.base.Strings; + +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.primitive.StringSupport; @@ -39,7 +39,7 @@ public class EaafHttpRedirectDeflateDecoder extends HTTPRedirectDeflateDecoder { @Override protected void doDecode() throws MessageDecodingException { - final MessageContext<SAMLObject> messageContext = new MessageContext<>(); + final MessageContext messageContext = new MessageContext(); final HttpServletRequest request = getHttpServletRequest(); if (!"GET".equalsIgnoreCase(request.getMethod())) { diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java index fa77b73c..396b513f 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/HttpPostEncoderWithOwnTemplate.java @@ -28,17 +28,15 @@ import java.io.Writer; import javax.servlet.http.HttpServletResponse; -import at.gv.egiz.eaaf.core.api.gui.IVelocityGuiBuilderConfiguration; -import at.gv.egiz.eaaf.core.api.gui.IVelocityGuiFormBuilder; -import at.gv.egiz.eaaf.core.impl.gui.velocity.VelocityProvider; - import org.apache.velocity.VelocityContext; import org.apache.velocity.app.Velocity; import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.encoder.MessageEncodingException; -import org.opensaml.saml.common.SAMLObject; import org.opensaml.saml.saml2.binding.encoding.impl.HTTPPostEncoder; +import at.gv.egiz.eaaf.core.api.gui.IVelocityGuiBuilderConfiguration; +import at.gv.egiz.eaaf.core.api.gui.IVelocityGuiFormBuilder; +import at.gv.egiz.eaaf.core.impl.gui.velocity.VelocityProvider; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.net.HttpServletSupport; @@ -80,7 +78,7 @@ public class HttpPostEncoderWithOwnTemplate extends HTTPPostEncoder { * message */ @Override - protected void postEncode(final MessageContext<SAMLObject> messageContext, final String endpointUrl) + protected void postEncode(final MessageContext messageContext, final String endpointUrl) throws MessageEncodingException { log.debug("Invoking Velocity template to create POST body"); InputStream is = null; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/StringRedirectDeflateEncoder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/StringRedirectDeflateEncoder.java index 38735fb8..e75be5de 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/StringRedirectDeflateEncoder.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/StringRedirectDeflateEncoder.java @@ -39,8 +39,8 @@ public class StringRedirectDeflateEncoder extends HTTPRedirectDeflateEncoder { @Override protected void doEncode() throws MessageEncodingException { - final MessageContext<SAMLObject> messageContext = getMessageContext(); - final SAMLObject outboundMessage = messageContext.getMessage(); + final MessageContext messageContext = getMessageContext(); + final SAMLObject outboundMessage = (SAMLObject) messageContext.getMessage(); final String endpointUrl = getEndpointURL(messageContext).toString(); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java index 5c6d861d..2c90bc57 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/opensaml/initialize/EaafOpenSaml3xInitializer.java @@ -25,15 +25,6 @@ import java.util.Map; import javax.annotation.Nonnull; import javax.xml.XMLConstants; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeMarshaller; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeUnmarshaller; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesMarshaller; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesUnmarshaller; - import org.opensaml.core.config.ConfigurationService; import org.opensaml.core.config.InitializationException; import org.opensaml.core.config.InitializationService; @@ -43,6 +34,14 @@ import org.opensaml.xmlsec.EncryptionConfiguration; import org.opensaml.xmlsec.SignatureSigningConfiguration; import org.opensaml.xmlsec.SignatureValidationConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeMarshaller; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributeUnmarshaller; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesMarshaller; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestedAttributesUnmarshaller; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; import net.shibboleth.utilities.java.support.xml.BasicParserPool; @@ -66,16 +65,16 @@ public class EaafOpenSaml3xInitializer extends InitializationService { */ public static synchronized void eaafInitialize() throws InitializationException, ComponentInitializationException { - log.debug("Initializing OpenSAML 3.x ... "); + log.debug("Initializing OpenSAML 4.x ... "); initialize(); - log.debug("Injecting EAAF-specific configuration into OpenSAML 3.x ... "); + log.debug("Injecting EAAF-specific configuration into OpenSAML 4.x ... "); injectEaafSecurityProperty(); injectEaafExtenstions(); XMLObjectProviderRegistrySupport.setParserPool(eaafSecuredBasicParserPool()); - log.info("OpenSAML3.x with EAAF extensions initialized"); + log.info("OpenSAML 4.x with EAAF extensions initialized"); } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributeImpl.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributeImpl.java index e391bb31..bde67205 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributeImpl.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributeImpl.java @@ -23,15 +23,15 @@ import java.util.ArrayList; import java.util.Collections; import java.util.List; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; - +import org.opensaml.core.xml.AbstractXMLObject; import org.opensaml.core.xml.XMLObject; import org.opensaml.core.xml.schema.XSBooleanValue; import org.opensaml.core.xml.util.AttributeMap; import org.opensaml.core.xml.util.XMLObjectChildrenList; -import org.opensaml.saml.common.AbstractSAMLObject; -public class EaafRequestedAttributeImpl extends AbstractSAMLObject +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; + +public class EaafRequestedAttributeImpl extends AbstractXMLObject implements EaafRequestedAttribute { private final XMLObjectChildrenList<XMLObject> attributeValues; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributesImpl.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributesImpl.java index 9c251233..a370b305 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributesImpl.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/reqattr/EaafRequestedAttributesImpl.java @@ -23,14 +23,14 @@ import java.util.ArrayList; import java.util.Collections; import java.util.List; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; -import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; - +import org.opensaml.core.xml.AbstractXMLObject; import org.opensaml.core.xml.XMLObject; import org.opensaml.core.xml.util.IndexedXMLObjectChildrenList; -import org.opensaml.saml.common.AbstractSAMLObject; -public class EaafRequestedAttributesImpl extends AbstractSAMLObject +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttribute; +import at.gv.egiz.eaaf.modules.pvp2.api.reqattr.EaafRequestedAttributes; + +public class EaafRequestedAttributesImpl extends AbstractXMLObject implements EaafRequestedAttributes { private final IndexedXMLObjectChildrenList<XMLObject> indexedChildren; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/AbstractMetadataSignatureFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/AbstractMetadataSignatureFilter.java index c28dd7fb..fe619ef0 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/AbstractMetadataSignatureFilter.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/AbstractMetadataSignatureFilter.java @@ -23,24 +23,28 @@ import java.util.ArrayList; import java.util.Iterator; import java.util.List; +import javax.annotation.Nonnull; import javax.annotation.Nullable; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SignatureValidationException; - import org.opensaml.core.xml.XMLObject; +import org.opensaml.saml.metadata.resolver.filter.FilterException; import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilterContext; import org.opensaml.saml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml.saml2.metadata.EntityDescriptor; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SignatureValidationException; + public abstract class AbstractMetadataSignatureFilter implements MetadataFilter { private static final Logger log = LoggerFactory.getLogger(AbstractMetadataSignatureFilter.class); @Override - public XMLObject filter(@Nullable final XMLObject metadata) throws SignatureValidationException { + public XMLObject filter(@Nullable final XMLObject metadata, + @Nonnull final MetadataFilterContext context) throws FilterException { try { if (metadata instanceof EntitiesDescriptor) { final EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/PvpEntityCategoryFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/PvpEntityCategoryFilter.java index efbeb7e5..7317e7ba 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/PvpEntityCategoryFilter.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/PvpEntityCategoryFilter.java @@ -22,17 +22,15 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata; import java.util.ArrayList; import java.util.List; -import at.gv.egiz.eaaf.core.impl.data.Triple; -import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import javax.annotation.Nonnull; +import javax.annotation.Nullable; import org.opensaml.core.xml.XMLObject; import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.ext.saml2mdattr.EntityAttributes; import org.opensaml.saml.metadata.resolver.filter.FilterException; import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilterContext; import org.opensaml.saml.saml2.core.Attribute; import org.opensaml.saml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml.saml2.metadata.EntitiesDescriptor; @@ -44,6 +42,12 @@ import org.opensaml.saml.saml2.metadata.ServiceName; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import at.gv.egiz.eaaf.core.impl.data.Triple; +import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; + /** * Metadata filter that inject requested attributes based on Metadata * EntityCategories. @@ -75,7 +79,8 @@ public class PvpEntityCategoryFilter implements MetadataFilter { * .XMLObject) */ @Override - public XMLObject filter(final XMLObject metadata) throws FilterException { + public XMLObject filter(@Nullable final XMLObject metadata, + @Nonnull final MetadataFilterContext context) throws FilterException { if (isUsed) { log.trace("Map PVP EntityCategory to single PVP Attributes ... "); @@ -197,7 +202,7 @@ public class PvpEntityCategoryFilter implements MetadataFilter { attributeService.getNames().add(serviceName); if (attrList != null && !attrList.isEmpty()) { - attributeService.getRequestAttributes().addAll(attrList); + attributeService.getRequestedAttributes().addAll(attrList); log.info("Add " + attrList.size() + " attributes for 'EntityAttribute': " + entityAttr); } @@ -211,14 +216,14 @@ public class PvpEntityCategoryFilter implements MetadataFilter { // load currently requested attributes final List<String> currentlyReqAttr = new ArrayList<>(); - for (final RequestedAttribute reqAttr : el.getRequestAttributes()) { + for (final RequestedAttribute reqAttr : el.getRequestedAttributes()) { currentlyReqAttr.add(reqAttr.getName()); } // check against EntityAttribute List for (final RequestedAttribute entityAttrListEl : attrList) { if (!currentlyReqAttr.contains(entityAttrListEl.getName())) { - el.getRequestAttributes().add(entityAttrListEl); + el.getRequestedAttributes().add(entityAttrListEl); } else { log.debug("'AttributeConsumingService' already contains attr: " diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SchemaValidationFilter.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SchemaValidationFilter.java index b9e0c37f..2c7892f9 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SchemaValidationFilter.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/metadata/SchemaValidationFilter.java @@ -19,20 +19,23 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata; +import javax.annotation.Nonnull; +import javax.annotation.Nullable; import javax.xml.transform.dom.DOMSource; import javax.xml.validation.Schema; import javax.xml.validation.Validator; -import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; - import org.opensaml.core.xml.XMLObject; import org.opensaml.saml.common.xml.SAMLSchemaBuilder; import org.opensaml.saml.common.xml.SAMLSchemaBuilder.SAML1Version; import org.opensaml.saml.metadata.resolver.filter.FilterException; import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilterContext; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; + public class SchemaValidationFilter implements MetadataFilter { private static final Logger log = LoggerFactory.getLogger(SchemaValidationFilter.class); private boolean isActive = true; @@ -64,13 +67,14 @@ public class SchemaValidationFilter implements MetadataFilter { * .XMLObject) */ @Override - public XMLObject filter(final XMLObject arg0) throws FilterException { + public XMLObject filter(@Nullable final XMLObject metadata, + @Nonnull final MetadataFilterContext context) throws FilterException { if (isActive) { try { final Schema test = schemaBuilder.getSAMLSchema(); final Validator val = test.newValidator(); - final DOMSource source = new DOMSource(arg0.getDOM()); + final DOMSource source = new DOMSource(metadata.getDOM()); val.validate(source); log.info("Metadata Schema validation check done OK"); @@ -90,7 +94,7 @@ public class SchemaValidationFilter implements MetadataFilter { } - return arg0; + return metadata; } } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafMessageContextInitializationHandler.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafMessageContextInitializationHandler.java index aba0a68b..ff587f1b 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafMessageContextInitializationHandler.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafMessageContextInitializationHandler.java @@ -2,15 +2,10 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.verification; import javax.annotation.Nonnull; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; - import org.opensaml.core.config.ConfigurationService; import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.handler.AbstractMessageHandler; import org.opensaml.messaging.handler.MessageHandlerException; -import org.opensaml.saml.common.SAMLObject; import org.opensaml.saml.common.messaging.context.SAMLMessageInfoContext; import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext; import org.opensaml.xmlsec.SignatureValidationConfiguration; @@ -18,11 +13,14 @@ import org.opensaml.xmlsec.SignatureValidationParameters; import org.opensaml.xmlsec.context.SecurityParametersContext; import org.opensaml.xmlsec.signature.support.SignatureTrustEngine; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; @Slf4j -public class EaafMessageContextInitializationHandler extends AbstractMessageHandler<SAMLObject> { +public class EaafMessageContextInitializationHandler extends AbstractMessageHandler { private final IPvp2MetadataProvider internalMetadataProvider; private SignatureTrustEngine trustEngine; @@ -44,7 +42,7 @@ public class EaafMessageContextInitializationHandler extends AbstractMessageHand @Override - protected void doInvoke(MessageContext<SAMLObject> messageContext) throws MessageHandlerException { + protected void doInvoke(MessageContext messageContext) throws MessageHandlerException { log.trace("Injecting sub-context to SAML2 message ... "); messageContext.addSubcontext(new SAMLPeerEntityContext()); messageContext.addSubcontext(new SAMLMessageInfoContext()); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafSaml2HttpRedirectDeflateSignatureSecurityHandler.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafSaml2HttpRedirectDeflateSignatureSecurityHandler.java index 204229ee..36c8a1ee 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafSaml2HttpRedirectDeflateSignatureSecurityHandler.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafSaml2HttpRedirectDeflateSignatureSecurityHandler.java @@ -3,19 +3,20 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.verification; import javax.annotation.Nonnull; import javax.annotation.Nullable; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils; - import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.handler.MessageHandlerException; import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext; import org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler; import com.google.common.base.Strings; + +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.codec.Base64Support; +import net.shibboleth.utilities.java.support.codec.DecodingException; /** * Always extracts the last http parameter with a specific name from request, if @@ -95,7 +96,12 @@ public class EaafSaml2HttpRedirectDeflateSignatureSecurityHandler extends return null; } - return Base64Support.decode(signature); + try { + return Base64Support.decode(signature); + + } catch (DecodingException e) { + throw new MessageHandlerException("Base64 decoding error", e); + } } @Override diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpSamlMessageHandlerChain.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpSamlMessageHandlerChain.java index a1365023..44ed2013 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpSamlMessageHandlerChain.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpSamlMessageHandlerChain.java @@ -7,25 +7,24 @@ import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.handler.MessageHandler; import org.opensaml.messaging.handler.MessageHandlerChain; import org.opensaml.messaging.handler.MessageHandlerException; -import org.opensaml.saml.common.SAMLObject; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; @Slf4j -public class PvpSamlMessageHandlerChain implements MessageHandlerChain<SAMLObject> { - private final List<MessageHandler<SAMLObject>> handlers = new ArrayList<>(); +public class PvpSamlMessageHandlerChain implements MessageHandlerChain { + private final List<MessageHandler> handlers = new ArrayList<>(); private boolean isInitialized = false; @Override - public void invoke(MessageContext<SAMLObject> messageContext) throws MessageHandlerException { + public void invoke(MessageContext messageContext) throws MessageHandlerException { if (!isInitialized) { throw new RuntimeException("Component: " + PvpSamlMessageHandlerChain.class.getName() + " not initialized"); } - for (final MessageHandler<SAMLObject> handler : getHandlers()) { + for (final MessageHandler handler : getHandlers()) { log.trace("Initializing SAML message handler: {}", handler.getClass().getName()); handler.invoke(messageContext); @@ -41,7 +40,7 @@ public class PvpSamlMessageHandlerChain implements MessageHandlerChain<SAMLObjec @Override public void initialize() throws ComponentInitializationException { if (!isInitialized) { - for (final MessageHandler<SAMLObject> handler : getHandlers()) { + for (final MessageHandler handler : getHandlers()) { log.trace("Initializing SAML message handler: {}", handler.getClass().getName()); handler.initialize(); @@ -53,17 +52,17 @@ public class PvpSamlMessageHandlerChain implements MessageHandlerChain<SAMLObjec } @Override - public List<MessageHandler<SAMLObject>> getHandlers() { + public List<MessageHandler> getHandlers() { return handlers; } - public void addHandler(MessageHandler<SAMLObject> handler) { + public void addHandler(MessageHandler handler) { handlers.add(handler); } - public void addHandlers(List<MessageHandler<SAMLObject>> handlerList) { + public void addHandlers(List<MessageHandler> handlerList) { handlers.addAll(handlerList); } diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java index a209a131..2257eba9 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java @@ -19,6 +19,8 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.verification; +import java.time.Duration; +import java.time.Instant; import java.util.ArrayList; import java.util.List; @@ -76,8 +78,8 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.SignatureTrustEngineDecorator; import lombok.extern.slf4j.Slf4j; -import net.shibboleth.utilities.java.support.net.BasicURLComparator; import net.shibboleth.utilities.java.support.net.URIException; +import net.shibboleth.utilities.java.support.net.impl.BasicURLComparator; import net.shibboleth.utilities.java.support.resolver.CriteriaSet; import net.shibboleth.utilities.java.support.xml.SerializeSupport; @@ -95,7 +97,7 @@ public class SamlVerificationEngine { private static final Object SIG_VAL_ERROR_MSG = "Signature verification return false"; /** - * 5 allow 3 minutes time jitter in before validation. + * allow 3 minutes time jitter in before validation. */ private static final int TIME_JITTER = 3; @@ -302,10 +304,11 @@ public class SamlVerificationEngine { // validate DateTime conditions final Conditions conditions = saml2assertion.getConditions(); if (conditions != null) { - final DateTime notbefore = conditions.getNotBefore().minusMinutes(5); - final DateTime notafter = conditions.getNotOnOrAfter(); + final Instant notbefore = conditions.getNotBefore().minus(Duration.ofMinutes(5)); + final Instant notafter = conditions.getNotOnOrAfter(); + final Instant now = Instant.now(); if (validateDateTime - && (notbefore.isAfterNow() || notafter.isBeforeNow())) { + && (notbefore.isAfter(now) || notafter.isBefore(now))) { isAssertionValid = false; log.info("Assertion with ID:{} is out of Date. [ Current:{} NotBefore:{} NotAfter:{} ]", saml2assertion.getID(), new DateTime(), notbefore, notafter); @@ -495,14 +498,14 @@ public class SamlVerificationEngine { throws SamlAssertionValidationExeption { if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS)) { // validate response issueInstant - final DateTime issueInstant = samlResp.getIssueInstant(); + final Instant issueInstant = samlResp.getIssueInstant(); if (issueInstant == null) { log.warn("PVP response does not include a 'IssueInstant' attribute"); throw new SamlAssertionValidationExeption(ERROR_14, new Object[] { loggerName, "'IssueInstant' attribute is not included" }); } - if (validateDateTime && issueInstant.minusMinutes(TIME_JITTER).isAfterNow()) { + if (validateDateTime && issueInstant.minus(Duration.ofMinutes(TIME_JITTER)).isAfter(Instant.now())) { log.warn("PVP response: IssueInstant DateTime is not valid anymore."); throw new SamlAssertionValidationExeption(ERROR_14, new Object[] { loggerName, "'IssueInstant' Time is not valid any more" }); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java index e593c1d4..abbfb1ea 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/AbstractSamlVerificationEngine.java @@ -1,10 +1,10 @@ package at.gv.egiz.eaaf.modules.pvp2.test; +import java.time.Instant; import java.util.ArrayList; import java.util.List; import org.apache.xml.security.algorithms.JCEMapper; -import org.joda.time.DateTime; import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.Test; @@ -264,7 +264,7 @@ public abstract class AbstractSamlVerificationEngine { final Response authnReq = (Response) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath)); - authnReq.setIssueInstant(DateTime.now()); + authnReq.setIssueInstant(Instant.now()); final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); issuer.setValue(spEntityId); authnReq.setIssuer(issuer); @@ -285,7 +285,7 @@ public abstract class AbstractSamlVerificationEngine { final AuthnRequest authnReq = (AuthnRequest) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath)); - authnReq.setIssueInstant(DateTime.now()); + authnReq.setIssueInstant(Instant.now()); final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); issuer.setValue(spEntityId); authnReq.setIssuer(issuer); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineEidasTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineEidasTest.java index 4785879e..4577b94b 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineEidasTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineEidasTest.java @@ -1,7 +1,8 @@ package at.gv.egiz.eaaf.modules.pvp2.test; +import java.time.Instant; + import org.apache.xml.security.algorithms.JCEMapper; -import org.joda.time.DateTime; import org.junit.AfterClass; import org.junit.BeforeClass; import org.junit.Ignore; @@ -102,7 +103,7 @@ public class SamlVerificationEngineEidasTest { final Response response = (Response) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), AbstractSamlVerificationEngine.class.getResourceAsStream(authnReqPath)); - response.setIssueInstant(DateTime.now()); + response.setIssueInstant(Instant.now()); final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); issuer.setValue(spEntityId); response.setIssuer(issuer); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java index 57c4b93a..1f010d06 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/SamlVerificationEngineTest.java @@ -1,6 +1,8 @@ package at.gv.egiz.eaaf.modules.pvp2.test; -import org.joda.time.DateTime; +import java.time.Duration; +import java.time.Instant; + import org.junit.Test; import org.junit.runner.RunWith; import org.opensaml.core.xml.io.UnmarshallingException; @@ -219,7 +221,7 @@ public class SamlVerificationEngineTest extends AbstractSamlVerificationEngine { credentialProvider.getMetaDataSigningCredential()); final Response response = inputMsg.getFirst(); - response.setIssueInstant(DateTime.now().plusMinutes(10)); + response.setIssueInstant(Instant.now().plus(Duration.ofMinutes(10))); try { verifyEngine.validateAssertion(response, credentialProvider.getMetaDataSigningCredential(), @@ -293,8 +295,8 @@ public class SamlVerificationEngineTest extends AbstractSamlVerificationEngine { credentialProvider.getMetaDataSigningCredential()); final Response response = inputMsg.getFirst(); - response.getAssertions().get(0).getConditions().setNotBefore(DateTime.now()); - response.getAssertions().get(0).getConditions().setNotOnOrAfter(DateTime.now().plusMinutes(15)); + response.getAssertions().get(0).getConditions().setNotBefore(Instant.now()); + response.getAssertions().get(0).getConditions().setNotOnOrAfter(Instant.now().plus(Duration.ofMinutes(15))); response.getAssertions().get(0).getConditions().getAudienceRestrictions().clear(); try { @@ -320,8 +322,8 @@ public class SamlVerificationEngineTest extends AbstractSamlVerificationEngine { credentialProvider.getMetaDataSigningCredential()); final Response response = inputMsg.getFirst(); - response.getAssertions().get(0).getConditions().setNotBefore(DateTime.now().plusMinutes(10)); - response.getAssertions().get(0).getConditions().setNotOnOrAfter(DateTime.now().plusMinutes(15)); + response.getAssertions().get(0).getConditions().setNotBefore(Instant.now().plus(Duration.ofMinutes(10))); + response.getAssertions().get(0).getConditions().setNotOnOrAfter(Instant.now().plus(Duration.ofMinutes(15))); try { verifyEngine.validateAssertion(response, credentialProvider.getMetaDataSigningCredential(), @@ -346,8 +348,8 @@ public class SamlVerificationEngineTest extends AbstractSamlVerificationEngine { credentialProvider.getMetaDataSigningCredential()); final Response response = inputMsg.getFirst(); - response.getAssertions().get(0).getConditions().setNotBefore(DateTime.now()); - response.getAssertions().get(0).getConditions().setNotOnOrAfter(DateTime.now().minusMinutes(5)); + response.getAssertions().get(0).getConditions().setNotBefore(Instant.now()); + response.getAssertions().get(0).getConditions().setNotOnOrAfter(Instant.now().minus(Duration.ofMinutes(5))); try { verifyEngine.validateAssertion(response, credentialProvider.getMetaDataSigningCredential(), @@ -372,8 +374,8 @@ public class SamlVerificationEngineTest extends AbstractSamlVerificationEngine { credentialProvider.getMetaDataSigningCredential()); final Response response = inputMsg.getFirst(); - response.getAssertions().get(0).getConditions().setNotBefore(DateTime.now()); - response.getAssertions().get(0).getConditions().setNotOnOrAfter(DateTime.now().plusMinutes(5)); + response.getAssertions().get(0).getConditions().setNotBefore(Instant.now()); + response.getAssertions().get(0).getConditions().setNotOnOrAfter(Instant.now().plus(Duration.ofMinutes(5))); verifyEngine.validateAssertion(response, credentialProvider.getMetaDataSigningCredential(), @@ -414,8 +416,8 @@ public class SamlVerificationEngineTest extends AbstractSamlVerificationEngine { credentialProvider.getMetaDataSigningCredential()); final Response response = inputMsg.getFirst(); - response.getAssertions().get(0).getConditions().setNotBefore(DateTime.now()); - response.getAssertions().get(0).getConditions().setNotOnOrAfter(DateTime.now().plusMinutes(5)); + response.getAssertions().get(0).getConditions().setNotBefore(Instant.now()); + response.getAssertions().get(0).getConditions().setNotOnOrAfter(Instant.now().plus(Duration.ofMinutes(5))); final Element secAssertionElement = XMLObjectSupport.marshall(response.getAssertions().get(0)); @@ -447,8 +449,8 @@ public class SamlVerificationEngineTest extends AbstractSamlVerificationEngine { credentialProvider.getMetaDataSigningCredential()); final Response response = inputMsg.getFirst(); - response.getAssertions().get(0).getConditions().setNotBefore(DateTime.now()); - response.getAssertions().get(0).getConditions().setNotOnOrAfter(DateTime.now().plusMinutes(5)); + response.getAssertions().get(0).getConditions().setNotBefore(Instant.now()); + response.getAssertions().get(0).getConditions().setNotOnOrAfter(Instant.now().plus(Duration.ofMinutes(5))); final Element secAssertionElement = XMLObjectSupport.marshall(response.getAssertions().get(0)); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/PostBindingTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/PostBindingTest.java index 7d700b43..e7c59459 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/PostBindingTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/PostBindingTest.java @@ -4,6 +4,7 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.io.UnsupportedEncodingException; +import java.time.Instant; import java.util.Base64; import java.util.Map; @@ -11,7 +12,6 @@ import javax.xml.parsers.ParserConfigurationException; import org.apache.commons.io.IOUtils; import org.apache.commons.lang3.RandomStringUtils; -import org.joda.time.DateTime; import org.junit.Assert; import org.junit.Before; import org.junit.BeforeClass; @@ -364,7 +364,7 @@ public class PostBindingTest { final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), PostBindingTest.class.getResourceAsStream("/data/eIDAS_connector_authn.xml")); - authnReq.setIssueInstant(DateTime.now()); + authnReq.setIssueInstant(Instant.now()); final Issuer issuer = Saml2Utils.createSamlObject(Issuer.class); issuer.setValue("https://demo.egiz.gv.at/demoportal_demologin/"); authnReq.setIssuer(issuer); @@ -736,7 +736,7 @@ public class PostBindingTest { final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), PostBindingTest.class.getResourceAsStream("/data/AuthRequest_without_sig_1.xml")); - authnReq.setIssueInstant(DateTime.now()); + authnReq.setIssueInstant(Instant.now()); bindingImpl.encodeRequest(intHttpReq, intHttpResp, authnReq, "http://testservice.org", null, credentials, pendingReq); @@ -758,7 +758,7 @@ public class PostBindingTest { final StatusResponseType response = (StatusResponseType) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), PostBindingTest.class.getResourceAsStream("/data/Response_without_sig_1.xml")); - response.setIssueInstant(DateTime.now()); + response.setIssueInstant(Instant.now()); bindingImpl.encodeResponse(intHttpReq, intHttpResp, response, "http://testservice.org", null, credentials, pendingReq); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/RedirectBindingTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/RedirectBindingTest.java index cbeca4c3..bfa4a072 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/RedirectBindingTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/RedirectBindingTest.java @@ -2,31 +2,12 @@ package at.gv.egiz.eaaf.modules.pvp2.test.binding; import java.io.IOException; import java.net.URLDecoder; +import java.time.Instant; import javax.xml.parsers.ParserConfigurationException; -import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; -import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; -import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.message.InboundMessageInterface; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMessageValidationException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; -import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; -import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare; -import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; -import at.gv.egiz.eaaf.modules.pvp2.test.metadata.MetadataResolverTest; - import org.apache.commons.io.IOUtils; import org.apache.commons.lang3.RandomStringUtils; -import org.joda.time.DateTime; import org.junit.Assert; import org.junit.Before; import org.junit.BeforeClass; @@ -48,6 +29,24 @@ import org.springframework.test.context.TestPropertySource; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import org.xml.sax.SAXException; +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; +import at.gv.egiz.eaaf.core.impl.idp.module.test.TestRequestImpl; +import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.message.InboundMessageInterface; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlMessageValidationException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare; +import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; +import at.gv.egiz.eaaf.modules.pvp2.test.metadata.MetadataResolverTest; import net.shibboleth.utilities.java.support.net.URIComparator; import net.shibboleth.utilities.java.support.net.URISupport; import net.shibboleth.utilities.java.support.xml.XMLParserException; @@ -818,7 +817,7 @@ public class RedirectBindingTest { final RequestAbstractType authnReq = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), RedirectBindingTest.class.getResourceAsStream("/data/AuthRequest_without_sig_1.xml")); - authnReq.setIssueInstant(DateTime.now()); + authnReq.setIssueInstant(Instant.now()); bindingImpl.encodeRequest(intHttpReq, intHttpResp, authnReq, "http://testservice.org", null, credential, pendingReq); @@ -839,7 +838,7 @@ public class RedirectBindingTest { final StatusResponseType authnReq = (StatusResponseType) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), RedirectBindingTest.class.getResourceAsStream("/data/Response_without_sig_1.xml")); - authnReq.setIssueInstant(DateTime.now()); + authnReq.setIssueInstant(Instant.now()); bindingImpl.encodeResponse(intHttpReq, intHttpResp, authnReq, "http://testservice.org", null, credential, pendingReq); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/SoapBindingTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/SoapBindingTest.java index 5393179d..97a896f5 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/SoapBindingTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/binding/SoapBindingTest.java @@ -2,8 +2,8 @@ package at.gv.egiz.eaaf.modules.pvp2.test.binding; import java.io.ByteArrayOutputStream; import java.io.UnsupportedEncodingException; +import java.time.Instant; -import org.joda.time.DateTime; import org.junit.Assert; import org.junit.Before; import org.junit.BeforeClass; @@ -92,7 +92,7 @@ public class SoapBindingTest { final RequestAbstractType payload = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), PostBindingTest.class.getResourceAsStream("/data/AuthRequest_without_sig_1.xml")); - payload.setIssueInstant(DateTime.now()); + payload.setIssueInstant(Instant.now()); final Envelope enveloped = Saml2Utils.buildSoap11Envelope(payload); final Marshaller marshaller = Constraint.isNotNull( XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(enveloped), @@ -126,7 +126,7 @@ public class SoapBindingTest { final RequestAbstractType payload = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), PostBindingTest.class.getResourceAsStream("/data/AuthRequest_with_sig_1.xml")); - payload.setIssueInstant(DateTime.now()); + payload.setIssueInstant(Instant.now()); final Envelope enveloped = Saml2Utils.buildSoap11Envelope(payload); final Marshaller marshaller = Constraint.isNotNull( XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(enveloped), @@ -161,7 +161,7 @@ public class SoapBindingTest { final RequestAbstractType payload = (RequestAbstractType) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), PostBindingTest.class.getResourceAsStream("/data/AuthRequest_with_sig_1.xml")); - payload.setIssueInstant(DateTime.now()); + payload.setIssueInstant(Instant.now()); final RequestAbstractType signedPayload = Saml2Utils.signSamlObject( payload, credentialProvider.getMetaDataSigningCredential(), true); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyMetadataProvider.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyMetadataProvider.java index 7ac1d4c5..91da692c 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyMetadataProvider.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/dummy/DummyMetadataProvider.java @@ -5,17 +5,17 @@ import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.List; +import org.opensaml.saml.metadata.resolver.MetadataResolver; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; +import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain; +import org.springframework.beans.factory.annotation.Autowired; + import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; import at.gv.egiz.eaaf.core.impl.http.IHttpClientFactory; import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.AbstractChainingMetadataProvider; import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; -import org.opensaml.saml.metadata.resolver.MetadataResolver; -import org.opensaml.saml.metadata.resolver.filter.MetadataFilter; -import org.opensaml.saml.metadata.resolver.filter.MetadataFilterChain; -import org.springframework.beans.factory.annotation.Autowired; - public class DummyMetadataProvider extends AbstractChainingMetadataProvider { private final List<String> configuredMetadataUrls = new ArrayList<>(); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataResolverTest.java b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataResolverTest.java index 72d6ebb8..8af53e23 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataResolverTest.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/test/java/at/gv/egiz/eaaf/modules/pvp2/test/metadata/MetadataResolverTest.java @@ -8,6 +8,8 @@ import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; +import java.time.Duration; +import java.time.Instant; import java.util.ArrayList; import java.util.List; @@ -15,7 +17,6 @@ import javax.xml.transform.TransformerException; import org.apache.commons.io.IOUtils; import org.apache.commons.lang3.RandomStringUtils; -import org.joda.time.DateTime; import org.junit.Assert; import org.junit.Before; import org.junit.BeforeClass; @@ -295,7 +296,7 @@ public class MetadataResolverTest { final EntityDescriptor metadata = (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), MetadataResolverTest.class.getResourceAsStream("/data/pvp_metadata_moaid_test.xml")); - metadata.setValidUntil(DateTime.now().plusDays(1)); + metadata.setValidUntil(Instant.now().plus(Duration.ofDays(1))); metadata.setSignature(null); metadata.setEntityID(RandomStringUtils.randomAlphabetic(10)); final EntityDescriptor signedMatadata = @@ -344,7 +345,7 @@ public class MetadataResolverTest { final EntityDescriptor metadata = (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), MetadataResolverTest.class.getResourceAsStream("/data/pvp_metadata_valid_with_entityCategory.xml")); - metadata.setValidUntil(DateTime.now().plusDays(1)); + metadata.setValidUntil(Instant.now().plus(Duration.ofDays(1))); metadata.setSignature(null); metadata.setEntityID(RandomStringUtils.randomAlphabetic(10)); final EntityDescriptor signedMatadata = @@ -382,7 +383,7 @@ public class MetadataResolverTest { Assert.assertNotNull("No EntityDescripter", descr); final List<RequestedAttribute> reqAttr = descr.getSPSSODescriptor(SAMLConstants.SAML20P_NS) - .getAttributeConsumingServices().get(0).getRequestAttributes(); + .getAttributeConsumingServices().get(0).getRequestedAttributes(); Assert.assertNotNull("Req. attributes are null", reqAttr); Assert.assertEquals("# of req. attributes", 20, reqAttr.size()); @@ -398,7 +399,7 @@ public class MetadataResolverTest { XMLObjectProviderRegistrySupport.getParserPool(), MetadataResolverTest.class.getResourceAsStream( "/data/pvp_metadata_valid_with_entityCategory_egov.xml")); - metadata.setValidUntil(DateTime.now().plusDays(1)); + metadata.setValidUntil(Instant.now().plus(Duration.ofDays(1))); metadata.setSignature(null); metadata.setEntityID(RandomStringUtils.randomAlphabetic(10)); final EntityDescriptor signedMatadata = @@ -436,7 +437,7 @@ public class MetadataResolverTest { Assert.assertNotNull("No EntityDescripter", descr); final List<RequestedAttribute> reqAttr = descr.getSPSSODescriptor(SAMLConstants.SAML20P_NS) - .getAttributeConsumingServices().get(0).getRequestAttributes(); + .getAttributeConsumingServices().get(0).getRequestedAttributes(); Assert.assertNotNull("Req. attributes are null", reqAttr); Assert.assertEquals("# of req. attributes", 9, reqAttr.size()); @@ -451,7 +452,7 @@ public class MetadataResolverTest { final EntityDescriptor metadata = (EntityDescriptor) XMLObjectSupport.unmarshallFromInputStream( XMLObjectProviderRegistrySupport.getParserPool(), MetadataResolverTest.class.getResourceAsStream("/data/pvp_metadata_valid.xml")); - metadata.setValidUntil(DateTime.now().minusDays(2)); + metadata.setValidUntil(Instant.now().minus(Duration.ofDays(2))); metadata.setSignature(null); Saml2Utils.signSamlObject(metadata, credentialProvider.getMetaDataSigningCredential(), true); final Element metadataElement = XMLObjectSupport.marshall(metadata); @@ -607,7 +608,7 @@ public class MetadataResolverTest { final EntityDescriptor entityId = mdResolver.getEntityDescriptor(entityIdToResolve); Assert.assertNotNull("No EntityDescripter", entityId); - final DateTime lastRefreshSucess = mdResolver.getLastSuccessfulRefresh(); + final Instant lastRefreshSucess = mdResolver.getLastSuccessfulRefresh(); try { mdResolver.refresh(); diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java index 85977193..2e30dcd9 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java @@ -19,6 +19,8 @@ package at.gv.egiz.eaaf.modules.pvp2.idp.impl; +import java.time.Duration; +import java.time.Instant; import java.util.List; import javax.annotation.PostConstruct; @@ -27,7 +29,6 @@ import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringEscapeUtils; import org.apache.commons.lang3.StringUtils; -import org.joda.time.DateTime; import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.saml2.core.AuthnRequest; import org.opensaml.saml.saml2.core.Issuer; @@ -173,12 +174,13 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement //set status-message if availabe if (statusMessage.getMessage() != null) { status.setStatusMessage(statusMessage); + } - status.setStatusCode(statusCode); - + status.setStatusCode(statusCode); samlResponse.setStatus(status); samlResponse.setID(Saml2Utils.getSecureIdentifier()); - samlResponse.setIssueInstant(new DateTime()); + samlResponse.setIssueInstant(Instant.now()); + final Issuer nissuer = Saml2Utils.createSamlObject(Issuer.class); nissuer.setValue(pvpBasicConfiguration.getIdpEntityId(pvpRequest.getAuthUrl())); nissuer.setFormat(NameIDType.ENTITY); @@ -469,8 +471,8 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement } - if (authnRequest.getIssueInstant().minusMinutes(EaafConstants.ALLOWED_TIME_JITTER) - .isAfterNow()) { + if (authnRequest.getIssueInstant().minus(Duration.ofMinutes(EaafConstants.ALLOWED_TIME_JITTER)) + .isAfter(Instant.now())) { log.warn("Unsupported request: No IssueInstant DateTime is not valid anymore."); throw new AuthnRequestValidatorException("pvp2.22", new Object[] { "Unsupported request: No IssueInstant DateTime is not valid anymore." }, diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java index 68ba39a3..a3c6cb5d 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java @@ -19,11 +19,12 @@ package at.gv.egiz.eaaf.modules.pvp2.idp.impl; +import java.time.Instant; + import javax.annotation.PostConstruct; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.joda.time.DateTime; import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.saml2.core.Assertion; import org.opensaml.saml.saml2.core.AuthnRequest; @@ -108,7 +109,7 @@ public class AuthenticationAction implements IAction { consumerService.setBinding(pvpRequest.getBinding()); consumerService.setLocation(pvpRequest.getConsumerUrl()); - final DateTime date = new DateTime(); + final Instant date = Instant.now(); final SloInformationImpl sloInformation = new SloInformationImpl(); final String issuerEntityID = pvpBasicConfiguration.getIdpEntityId(pvpRequest.getAuthUrl()); diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java index 482a2a09..500482b2 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java @@ -19,17 +19,10 @@ package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder; +import java.time.Instant; import java.util.ArrayList; import java.util.List; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; -import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionEncryptionException; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; - -import org.joda.time.DateTime; import org.opensaml.core.criterion.EntityIdCriterion; import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; import org.opensaml.core.xml.io.MarshallingException; @@ -67,6 +60,12 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.w3c.dom.Element; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionEncryptionException; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; import net.shibboleth.utilities.java.support.resolver.CriteriaSet; import net.shibboleth.utilities.java.support.resolver.ResolverException; @@ -94,7 +93,7 @@ public class AuthResponseBuilder { * @throws InvalidAssertionEncryptionException In case of an error */ public static Response buildResponse(final IPvp2MetadataProvider metadataProvider, - final String issuerEntityID, final RequestAbstractType req, final DateTime date, + final String issuerEntityID, final RequestAbstractType req, final Instant date, final Assertion assertion, IConfiguration authConfig) throws InvalidAssertionEncryptionException { final Response authResponse = Saml2Utils.createSamlObject(Response.class); diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java index d2ed2c11..21912592 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java @@ -20,6 +20,7 @@ package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder; import java.security.MessageDigest; +import java.time.Instant; import java.util.ArrayList; import java.util.Iterator; import java.util.List; @@ -27,7 +28,6 @@ import java.util.List; import javax.naming.ConfigurationException; import org.apache.commons.lang3.StringUtils; -import org.joda.time.DateTime; import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.saml2.core.Assertion; import org.opensaml.saml.saml2.core.Attribute; @@ -102,7 +102,7 @@ public class Pvp2AssertionBuilder implements PvpConstants { * @throws Pvp2Exception In case of an error */ public Assertion buildAssertion(final String issuerEntityID, final AttributeQuery attrQuery, - final List<Attribute> attrList, final DateTime now, final DateTime validTo, + final List<Attribute> attrList, final Instant now, final Instant validTo, final String qaaLevel, final String sessionIndex) throws Pvp2Exception { final AuthnContextClassRef authnContextClassRef = @@ -140,7 +140,7 @@ public class Pvp2AssertionBuilder implements PvpConstants { */ public Assertion buildAssertion(final String issuerEntityID, final PvpSProfilePendingRequest pendingReq, final AuthnRequest authnRequest, - final IAuthData authData, final EntityDescriptor peerEntity, final DateTime date, + final IAuthData authData, final EntityDescriptor peerEntity, final Instant date, final AssertionConsumerService assertionConsumerService, final SloInformationInterface sloInformation) throws Pvp2Exception { @@ -249,7 +249,7 @@ public class Pvp2AssertionBuilder implements PvpConstants { if (attributeConsumingService != null) { final Iterator<RequestedAttribute> it = - attributeConsumingService.getRequestAttributes().iterator(); + attributeConsumingService.getRequestedAttributes().iterator(); while (it.hasNext()) { final RequestedAttribute reqAttribut = it.next(); try { @@ -364,7 +364,7 @@ public class Pvp2AssertionBuilder implements PvpConstants { Saml2Utils.createSamlObject(SubjectConfirmationData.class); subjectConfirmationData.setInResponseTo(authnRequest.getID()); subjectConfirmationData - .setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime())); + .setNotOnOrAfter(Instant.ofEpochMilli(authData.getSsoSessionValidTo().getTime())); // set 'recipient' attribute in subjectConformationData subjectConfirmationData.setRecipient(assertionConsumerService.getLocation()); @@ -403,10 +403,10 @@ public class Pvp2AssertionBuilder implements PvpConstants { * @throws ConfigurationException In case on an error */ - public Assertion buildGenericAssertion(String issuer, final String entityID, final DateTime date, + public Assertion buildGenericAssertion(String issuer, final String entityID, final Instant date, final AuthnContextClassRef authnContextClassRef, final List<Attribute> attrList, final NameID subjectNameID, final SubjectConfirmationData subjectConfirmationData, - final String sessionIndex, final DateTime isValidTo) throws ResponderErrorException { + final String sessionIndex, final Instant isValidTo) throws ResponderErrorException { final Assertion assertion = Saml2Utils.createSamlObject(Assertion.class); final AuthnContext authnContext = Saml2Utils.createSamlObject(AuthnContext.class); diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthnResponseBuilderTest.java b/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthnResponseBuilderTest.java index f2c843da..f2df5e8d 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthnResponseBuilderTest.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthnResponseBuilderTest.java @@ -1,11 +1,11 @@ package at.gv.egiz.eaaf.modules.pvp2.idp.test; import java.io.IOException; +import java.time.Instant; import javax.xml.transform.TransformerException; import org.apache.commons.lang3.RandomStringUtils; -import org.joda.time.DateTime; import org.junit.Assert; import org.junit.BeforeClass; import org.junit.Test; @@ -79,7 +79,7 @@ public class AuthnResponseBuilderTest { PostBindingTest.class.getResourceAsStream("/data/Assertion_1.xml")); //build response - final DateTime now = DateTime.now(); + final Instant now = Instant.now(); final Response response = AuthResponseBuilder.buildResponse( metadataProvider, issuerEntityID, authnReq, now, assertion, authConfig); @@ -124,7 +124,7 @@ public class AuthnResponseBuilderTest { PostBindingTest.class.getResourceAsStream("/data/Assertion_1.xml")); //build response - final DateTime now = DateTime.now(); + final Instant now = Instant.now(); final Response response = AuthResponseBuilder.buildResponse( metadataProvider, issuerEntityID, authnReq, now, assertion, authConfig); @@ -169,7 +169,7 @@ public class AuthnResponseBuilderTest { PostBindingTest.class.getResourceAsStream("/data/Assertion_1.xml")); //build response - final DateTime now = DateTime.now(); + final Instant now = Instant.now(); final Response response = AuthResponseBuilder.buildResponse( metadataProvider, issuerEntityID, authnReq, now, assertion, authConfig); diff --git a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PvpAuthnRequestBuilder.java b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PvpAuthnRequestBuilder.java index c6ca8d04..c48a0fd4 100644 --- a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PvpAuthnRequestBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/PvpAuthnRequestBuilder.java @@ -20,12 +20,12 @@ package at.gv.egiz.eaaf.modules.pvp2.sp.impl; import java.security.NoSuchAlgorithmException; +import java.time.Instant; import java.util.List; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang3.StringUtils; -import org.joda.time.DateTime; import org.opensaml.messaging.encoder.MessageEncodingException; import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.saml2.core.AuthnContextClassRef; @@ -60,7 +60,7 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.builder.reqattr.EaafRequestExtensionBui import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; import at.gv.egiz.eaaf.modules.pvp2.sp.api.IPvpAuthnRequestBuilderConfiguruation; import at.gv.egiz.eaaf.modules.pvp2.sp.exception.AuthnRequestBuildException; -import net.shibboleth.utilities.java.support.security.SecureRandomIdentifierGenerationStrategy; +import net.shibboleth.utilities.java.support.security.impl.SecureRandomIdentifierGenerationStrategy; /** * PVP2 S-Profil Authentication-Request builder-implementation. @@ -150,7 +150,7 @@ public class PvpAuthnRequestBuilder { } - authReq.setIssueInstant(new DateTime()); + authReq.setIssueInstant(Instant.now()); // set isPassive flag if (config.isPassivRequest() == null) { diff --git a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/utils/AssertionAttributeExtractor.java b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/utils/AssertionAttributeExtractor.java index cfa4c3d3..d59012a5 100644 --- a/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/utils/AssertionAttributeExtractor.java +++ b/eaaf_modules/eaaf_module_pvp2_sp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/sp/impl/utils/AssertionAttributeExtractor.java @@ -295,13 +295,13 @@ public class AssertionAttributeExtractor { && getFullAssertion().getAuthnStatements().size() > 0) { for (final AuthnStatement el : getFullAssertion().getAuthnStatements()) { if (el.getSessionNotOnOrAfter() != null) { - return el.getSessionNotOnOrAfter().toDate(); + return Date.from(el.getSessionNotOnOrAfter()); } } } - return getFullAssertion().getConditions().getNotOnOrAfter().toDate(); + return Date.from(getFullAssertion().getConditions().getNotOnOrAfter()); } @@ -316,7 +316,7 @@ public class AssertionAttributeExtractor { */ public Date getAssertionIssuingDate() { try { - return getFullAssertion().getIssueInstant().toDate(); + return Date.from(getFullAssertion().getIssueInstant()); } catch (final NullPointerException e) { return null; @@ -335,7 +335,7 @@ public class AssertionAttributeExtractor { */ public Date getAssertionNotBefore() { try { - return getFullAssertion().getConditions().getNotBefore().toDate(); + return Date.from(getFullAssertion().getConditions().getNotBefore()); } catch (final NullPointerException e) { return null; |