From b3caa532978b6337b6015b08c17ec0466d6f9670 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 25 Jan 2021 19:03:25 +0100 Subject: refactor PVP2 IDP module to support more than one IPvpMetadataProvider in one application --- .../validation/SignatureTrustEngineDecorator.java | 41 ++++++++++++ .../pvp2/impl/validation/TrustEngineFactory.java | 15 ++--- .../impl/verification/SamlVerificationEngine.java | 75 +++++++++++----------- .../pvp2/idp/impl/AbstractPvp2XProtocol.java | 16 +++-- .../pvp2/idp/impl/AuthenticationAction.java | 16 +++-- .../test/resources/spring/test_eaaf_pvp.beans.xml | 1 + 6 files changed, 105 insertions(+), 59 deletions(-) create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java new file mode 100644 index 00000000..66393bb4 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/SignatureTrustEngineDecorator.java @@ -0,0 +1,41 @@ +package at.gv.egiz.eaaf.modules.pvp2.impl.validation; + +import org.opensaml.security.SecurityException; +import org.opensaml.security.credential.Credential; +import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver; +import org.opensaml.xmlsec.signature.Signature; +import org.opensaml.xmlsec.signature.support.SignatureTrustEngine; + +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import lombok.AllArgsConstructor; +import lombok.Getter; +import net.shibboleth.utilities.java.support.resolver.CriteriaSet; + +@AllArgsConstructor +public class SignatureTrustEngineDecorator implements SignatureTrustEngine { + + private SignatureTrustEngine trustEngine; + + @Getter + private IPvp2MetadataProvider metadataProvider; + + @Override + public boolean validate(Signature token, CriteriaSet trustBasisCriteria) throws SecurityException { + return trustEngine.validate(token, trustBasisCriteria); + + } + + @Override + public boolean validate(byte[] signature, byte[] content, String algorithmUri, + CriteriaSet trustBasisCriteria, Credential candidateCredential) throws SecurityException { + return trustEngine.validate(signature, content, algorithmUri, trustBasisCriteria, candidateCredential); + + } + + @Override + public KeyInfoCredentialResolver getKeyInfoResolver() { + return trustEngine.getKeyInfoResolver(); + + } + +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java index f0758706..fe941f74 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/validation/TrustEngineFactory.java @@ -22,9 +22,6 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.validation; import java.util.ArrayList; import java.util.List; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; - import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver; import org.opensaml.saml.security.impl.MetadataCredentialResolver; import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver; @@ -33,9 +30,10 @@ import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider; import org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider; import org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider; import org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider; -import org.opensaml.xmlsec.signature.support.SignatureTrustEngine; import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; @@ -50,7 +48,7 @@ public class TrustEngineFactory { * @throws Pvp2InternalErrorException In case of a TrustEngine initialization * error */ - public static SignatureTrustEngine getSignatureKnownKeysTrustEngine( + public static SignatureTrustEngineDecorator getSignatureKnownKeysTrustEngine( final IPvp2MetadataProvider mdResolver) throws Pvp2InternalErrorException { try { final List keyInfoProvider = new ArrayList<>(); @@ -70,10 +68,9 @@ public class TrustEngineFactory { resolver.setKeyInfoCredentialResolver(keyInfoCredentialResolver); resolver.initialize(); - final ExplicitKeySignatureTrustEngine engine = - new ExplicitKeySignatureTrustEngine(resolver, keyInfoCredentialResolver); - - return engine; + return new SignatureTrustEngineDecorator( + new ExplicitKeySignatureTrustEngine(resolver, keyInfoCredentialResolver), + mdResolver); } catch (final ComponentInitializationException e) { log.warn("Initialization of SignatureTrustEngine FAILED.", e); diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java index e0a3ab8e..8bc770eb 100644 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java @@ -27,17 +27,6 @@ import javax.xml.transform.dom.DOMSource; import javax.xml.validation.Schema; import javax.xml.validation.Validator; -import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException; -import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; -import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; - import org.apache.commons.lang3.StringUtils; import org.joda.time.DateTime; import org.opensaml.core.criterion.EntityIdCriterion; @@ -70,10 +59,20 @@ import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyR import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver; import org.opensaml.xmlsec.signature.support.SignatureException; import org.opensaml.xmlsec.signature.support.SignatureTrustEngine; -import org.springframework.beans.factory.annotation.Autowired; import org.w3c.dom.Element; import org.xml.sax.SAXException; +import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException; +import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.SignatureTrustEngineDecorator; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.net.BasicURLComparator; import net.shibboleth.utilities.java.support.net.URIException; @@ -97,13 +96,7 @@ public class SamlVerificationEngine { */ private static final int TIME_JITTER = 3; - - - - - @Autowired(required = true) - IPvp2MetadataProvider metadataProvider; - + /** * Verify signature of a signed SAML2 object. * @@ -140,27 +133,36 @@ public class SamlVerificationEngine { log.debug("PVP2X message validation FAILED. Relead metadata for entityID: {}", msg.getEntityID()); - if (metadataProvider == null || !(metadataProvider instanceof IRefreshableMetadataProvider) - || !((IRefreshableMetadataProvider) metadataProvider) - .refreshMetadataProvider(msg.getEntityID())) { - throw e; - - } else { - log.trace("PVP2X metadata reload finished. Check validate message again."); - - if (msg instanceof PvpSProfileRequest - && ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) { - verifyRequest((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest(), - sigTrustEngine); + if (sigTrustEngine instanceof SignatureTrustEngineDecorator) { + IPvp2MetadataProvider metadataProvider = + ((SignatureTrustEngineDecorator) sigTrustEngine).getMetadataProvider(); + if (metadataProvider == null || !(metadataProvider instanceof IRefreshableMetadataProvider) + || !((IRefreshableMetadataProvider) metadataProvider).refreshMetadataProvider(msg.getEntityID())) { + + throw e; } else { - verifyIdpResponse(((PvpSProfileResponse) msg).getResponse(), sigTrustEngine); + log.trace("PVP2X metadata reload finished. Check validate message again."); - } + if (msg instanceof PvpSProfileRequest + && ((PvpSProfileRequest) msg).getSamlRequest() instanceof RequestAbstractType) { + verifyRequest((RequestAbstractType) ((PvpSProfileRequest) msg).getSamlRequest(), + sigTrustEngine); - } - log.trace("Second PVP2X message validation finished"); + } else { + verifyIdpResponse(((PvpSProfileResponse) msg).getResponse(), sigTrustEngine); + } + + } + log.trace("Second PVP2X message validation finished"); + + } else { + log.debug("TrustEninge is not of type: {} Dynamic SAML2 metadata refresh not possibile.", + SignatureTrustEngineDecorator.class); + throw e; + + } } } @@ -270,9 +272,6 @@ public class SamlVerificationEngine { throw new SamlAssertionValidationExeption(ERROR_16, new Object[] { e.getMessage() }, e); -// } catch (final ConfigurationException e) { -// throw new AssertionValidationExeption("pvp.12", -// new Object[]{loggerName, e.getMessage()}, e); } } diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java index 8da76265..50fd0f44 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java @@ -43,6 +43,7 @@ import org.opensaml.xmlsec.signature.SignableXMLObject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.util.Assert; import at.gv.egiz.components.eventlog.api.EventConstants; import at.gv.egiz.eaaf.core.api.IRequest; @@ -77,6 +78,7 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; +import lombok.Setter; public abstract class AbstractPvp2XProtocol extends AbstractController implements IModulInfo { private static final Logger log = LoggerFactory.getLogger(AbstractPvp2XProtocol.class); @@ -87,12 +89,16 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement @Autowired(required = true) protected IPvp2BasicConfiguration pvpBasicConfiguration; @Autowired(required = true) - protected IPvp2MetadataProvider metadataProvider; - @Autowired(required = true) protected SamlVerificationEngine samlVerificationEngine; @Autowired(required = false) protected List authRequestPostProcessors; + /** + * SAML2 metadata provider that should be used in this component. + */ + @Setter + protected IPvp2MetadataProvider metadataProvider; + private IPvp2CredentialProvider pvpIdpCredentials; /** @@ -554,11 +560,9 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement @PostConstruct private void verifyInitialization() { - if (pvpIdpCredentials == null) { - log.error("No SAML2 credentialProvider injected!"); - throw new RuntimeException("No SAML2 credentialProvider injected!"); + Assert.notNull(metadataProvider, "No SAML2 MetadataProvider injected!"); + Assert.notNull(pvpIdpCredentials, "No SAML2 credentialProvider injected!"); - } } } diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java index f9d7767f..68ba39a3 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java @@ -35,6 +35,7 @@ import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; +import org.springframework.util.Assert; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.IAction; @@ -56,13 +57,12 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import lombok.Setter; @Service("PVPAuthenticationRequestAction") public class AuthenticationAction implements IAction { private static final Logger log = LoggerFactory.getLogger(AuthenticationAction.class); - @Autowired(required = true) - private IPvp2MetadataProvider metadataProvider; @Autowired(required = true) ApplicationContext springContext; @Autowired(required = true) @@ -74,6 +74,12 @@ public class AuthenticationAction implements IAction { @Autowired(required = true) IRevisionLogger revisionsLogger; + /** + * SAML2 metadata provider that should be used in this component. + */ + @Setter + protected IPvp2MetadataProvider metadataProvider; + private IPvp2CredentialProvider pvpIdpCredentials; /** @@ -168,11 +174,9 @@ public class AuthenticationAction implements IAction { @PostConstruct private void verifyInitialization() { - if (pvpIdpCredentials == null) { - log.error("No SAML2 credentialProvider injected!"); - throw new RuntimeException("No SAML2 credentialProvider injected!"); + Assert.notNull(metadataProvider, "No SAML2 MetadataProvider injected!"); + Assert.notNull(pvpIdpCredentials, "No SAML2 credentialProvider injected!"); - } } } diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml index 2bddd629..760f290e 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/test/resources/spring/test_eaaf_pvp.beans.xml @@ -38,6 +38,7 @@ +