From 759ac5f42c6aff901dbeede4fbf1a1d2e08cad0f Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 4 Dec 2019 19:43:32 +0100 Subject: common EGIZ code-style refactoring --- .../pvp2/impl/builder/PvpMetadataBuilder.java | 458 +++++++++++++++++++++ 1 file changed, 458 insertions(+) create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PvpMetadataBuilder.java (limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PvpMetadataBuilder.java') diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PvpMetadataBuilder.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PvpMetadataBuilder.java new file mode 100644 index 00000000..1efa8745 --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/builder/PvpMetadataBuilder.java @@ -0,0 +1,458 @@ +/* + * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a + * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text file for details on the + * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative + * works that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.gv.egiz.eaaf.modules.pvp2.impl.builder; + +import java.io.IOException; +import java.io.StringWriter; +import java.util.Collection; +import java.util.List; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; +import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactory; +import javax.xml.transform.TransformerFactoryConfigurationError; +import javax.xml.transform.dom.DOMSource; +import javax.xml.transform.stream.StreamResult; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataBuilderConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafDefaultSaml2Bootstrap; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; +import org.apache.commons.httpclient.auth.CredentialsNotAvailableException; +import org.apache.commons.lang3.StringUtils; +import org.joda.time.DateTime; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.metadata.AssertionConsumerService; +import org.opensaml.saml2.metadata.AttributeConsumingService; +import org.opensaml.saml2.metadata.ContactPerson; +import org.opensaml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.IDPSSODescriptor; +import org.opensaml.saml2.metadata.KeyDescriptor; +import org.opensaml.saml2.metadata.LocalizedString; +import org.opensaml.saml2.metadata.NameIDFormat; +import org.opensaml.saml2.metadata.Organization; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.saml2.metadata.RoleDescriptor; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.ServiceName; +import org.opensaml.saml2.metadata.SingleLogoutService; +import org.opensaml.saml2.metadata.SingleSignOnService; +import org.opensaml.xml.io.Marshaller; +import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.SecurityHelper; +import org.opensaml.xml.security.credential.Credential; +import org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; +import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; +import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureException; +import org.opensaml.xml.signature.Signer; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.stereotype.Service; +import org.w3c.dom.Document; + +/** + * PVP metadata builder implementation. + * + * @author tlenz + * + */ + +@Service("PVPMetadataBuilder") +public class PvpMetadataBuilder { + + private static final Logger log = LoggerFactory.getLogger(PvpMetadataBuilder.class); + + X509KeyInfoGeneratorFactory keyInfoFactory = null; + + /** + * PVP metadata builder. + * + */ + public PvpMetadataBuilder() { + keyInfoFactory = new X509KeyInfoGeneratorFactory(); + keyInfoFactory.setEmitEntityIDAsKeyName(true); + keyInfoFactory.setEmitEntityCertificate(true); + + } + + + /** + * Build PVP 2.1 conform SAML2 metadata. + * + * @param config PVPMetadataBuilder configuration* + * @return PVP metadata as XML String + * @throws SecurityException In case of an error + * @throws ConfigurationException In case of an error + * @throws CredentialsNotAvailableException In case of an error + * @throws TransformerFactoryConfigurationError In case of an error + * @throws MarshallingException In case of an error + * @throws TransformerException In case of an error + * @throws ParserConfigurationException In case of an error + * @throws IOException In case of an error + * @throws SignatureException In case of an error + */ + public String buildPvpMetadata(final IPvpMetadataBuilderConfiguration config) + throws CredentialsNotAvailableException, EaafException, SecurityException, + TransformerFactoryConfigurationError, MarshallingException, TransformerException, + ParserConfigurationException, IOException, SignatureException { + final DateTime date = new DateTime(); + final EntityDescriptor entityDescriptor = Saml2Utils.createSamlObject(EntityDescriptor.class); + + // set entityID + entityDescriptor.setEntityID(config.getEntityID()); + + // set contact and organisation information + final List contactPersons = config.getContactPersonInformation(); + if (contactPersons != null) { + entityDescriptor.getContactPersons().addAll(contactPersons); + } + + final Organization organisation = config.getOrgansiationInformation(); + if (organisation != null) { + entityDescriptor.setOrganization(organisation); + } + + // set IDP metadata + if (config.buildIdpSsoDescriptor()) { + final RoleDescriptor idpSsoDesc = generateIdpMetadata(config); + if (idpSsoDesc != null) { + entityDescriptor.getRoleDescriptors().add(idpSsoDesc); + } + + } + + // set SP metadata for interfederation + if (config.buildSpSsoDescriptor()) { + final RoleDescriptor spSsoDesc = generateSpMetadata(config); + if (spSsoDesc != null) { + entityDescriptor.getRoleDescriptors().add(spSsoDesc); + } + + } + + // set metadata signature parameters + final Credential metadataSignCred = config.getMetadataSigningCredentials(); + final Signature signature = AbstractCredentialProvider.getIdpSignature(metadataSignCred); + SecurityHelper.prepareSignatureParams(signature, metadataSignCred, null, null); + + // initialize XML document builder + DocumentBuilder builder; + final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + + builder = factory.newDocumentBuilder(); + final Document document = builder.newDocument(); + + + // build entities descriptor + if (config.buildEntitiesDescriptorAsRootElement()) { + final EntitiesDescriptor entitiesDescriptor = + Saml2Utils.createSamlObject(EntitiesDescriptor.class); + entitiesDescriptor.setName(config.getEntityFriendlyName()); + entitiesDescriptor.setID(Saml2Utils.getSecureIdentifier()); + entitiesDescriptor.setValidUntil(date.plusHours(config.getMetadataValidUntil())); + entitiesDescriptor.getEntityDescriptors().add(entityDescriptor); + + // load default PVP security configurations + EaafDefaultSaml2Bootstrap.initializeDefaultPvpConfiguration(); + entitiesDescriptor.setSignature(signature); + + + // marshall document + final Marshaller out = + org.opensaml.xml.Configuration.getMarshallerFactory().getMarshaller(entitiesDescriptor); + out.marshall(entitiesDescriptor, document); + + } else { + entityDescriptor.setValidUntil(date.plusHours(config.getMetadataValidUntil())); + entityDescriptor.setID(Saml2Utils.getSecureIdentifier()); + + entityDescriptor.setSignature(signature); + + + + // marshall document + final Marshaller out = + org.opensaml.xml.Configuration.getMarshallerFactory().getMarshaller(entityDescriptor); + out.marshall(entityDescriptor, document); + + } + + // sign metadata + Signer.signObject(signature); + + // transform metadata object to XML string + final Transformer transformer = TransformerFactory.newInstance().newTransformer(); + + final StringWriter sw = new StringWriter(); + final StreamResult sr = new StreamResult(sw); + final DOMSource source = new DOMSource(document); + transformer.transform(source, sr); + sw.close(); + + return sw.toString(); + } + + + private RoleDescriptor generateSpMetadata(final IPvpMetadataBuilderConfiguration config) + throws CredentialsNotAvailableException, SecurityException, EaafException { + final SPSSODescriptor spSsoDescriptor = Saml2Utils.createSamlObject(SPSSODescriptor.class); + spSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); + spSsoDescriptor.setAuthnRequestsSigned(config.wantAuthnRequestSigned()); + spSsoDescriptor.setWantAssertionsSigned(config.wantAssertionSigned()); + + final KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); + + // Set AuthRequest Signing certificate + final Credential authcredential = config.getRequestorResponseSigningCredentials(); + if (authcredential == null) { + log.warn("SP Metadata generation FAILED! --> Builder has NO request signing-credential. "); + return null; + + } else { + final KeyDescriptor signKeyDescriptor = Saml2Utils.createSamlObject(KeyDescriptor.class); + signKeyDescriptor.setUse(UsageType.SIGNING); + signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential)); + spSsoDescriptor.getKeyDescriptors().add(signKeyDescriptor); + + } + + // Set assertion encryption credentials + final Credential authEncCredential = config.getEncryptionCredentials(); + + if (authEncCredential != null) { + final KeyDescriptor encryKeyDescriptor = Saml2Utils.createSamlObject(KeyDescriptor.class); + encryKeyDescriptor.setUse(UsageType.ENCRYPTION); + encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential)); + spSsoDescriptor.getKeyDescriptors().add(encryKeyDescriptor); + + } else { + log.warn("No Assertion Encryption-Key defined. This setting is not recommended!"); + + } + + // check nameID formates + if (config.getSpAllowedNameIdTypes() == null || config.getSpAllowedNameIdTypes().size() == 0) { + log.warn( + "SP Metadata generation FAILED! --> Builder has NO provideable SAML2 nameIDFormats. "); + return null; + + } else { + for (final String format : config.getSpAllowedNameIdTypes()) { + final NameIDFormat nameIdFormat = Saml2Utils.createSamlObject(NameIDFormat.class); + nameIdFormat.setFormat(format); + spSsoDescriptor.getNameIDFormats().add(nameIdFormat); + + } + } + + + // add POST-Binding assertion consumer services + if (StringUtils.isNotEmpty(config.getSpAssertionConsumerServicePostBindingUrl())) { + final AssertionConsumerService postassertionConsumerService = + Saml2Utils.createSamlObject(AssertionConsumerService.class); + postassertionConsumerService.setIndex(0); + postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + postassertionConsumerService + .setLocation(config.getSpAssertionConsumerServicePostBindingUrl()); + postassertionConsumerService.setIsDefault(true); + spSsoDescriptor.getAssertionConsumerServices().add(postassertionConsumerService); + + } + + // add POST-Binding assertion consumer services + if (StringUtils.isNotEmpty(config.getSpAssertionConsumerServiceRedirectBindingUrl())) { + final AssertionConsumerService redirectassertionConsumerService = + Saml2Utils.createSamlObject(AssertionConsumerService.class); + redirectassertionConsumerService.setIndex(1); + redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + redirectassertionConsumerService + .setLocation(config.getSpAssertionConsumerServiceRedirectBindingUrl()); + spSsoDescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService); + + } + + // validate WebSSO endpoints + if (spSsoDescriptor.getAssertionConsumerServices().size() == 0) { + log.warn( + "SP Metadata generation FAILED! --> NO SAML2 AssertionConsumerService endpoint found. "); + return null; + + } + + // add POST-Binding SLO descriptor + if (StringUtils.isNotEmpty(config.getSpSloPostBindingUrl())) { + final SingleLogoutService postSloService = + Saml2Utils.createSamlObject(SingleLogoutService.class); + postSloService.setLocation(config.getSpSloPostBindingUrl()); + postSloService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + spSsoDescriptor.getSingleLogoutServices().add(postSloService); + + } + + // add POST-Binding SLO descriptor + if (StringUtils.isNotEmpty(config.getSpSloRedirectBindingUrl())) { + final SingleLogoutService redirectSloService = + Saml2Utils.createSamlObject(SingleLogoutService.class); + redirectSloService.setLocation(config.getSpSloRedirectBindingUrl()); + redirectSloService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + spSsoDescriptor.getSingleLogoutServices().add(redirectSloService); + + } + + // add POST-Binding SLO descriptor + if (StringUtils.isNotEmpty(config.getSpSloSoapBindingUrl())) { + final SingleLogoutService soapSloService = + Saml2Utils.createSamlObject(SingleLogoutService.class); + soapSloService.setLocation(config.getSpSloSoapBindingUrl()); + soapSloService.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); + spSsoDescriptor.getSingleLogoutServices().add(soapSloService); + + } + + + // add required attributes + final Collection reqSpAttr = config.getSpRequiredAttributes(); + final AttributeConsumingService attributeService = + Saml2Utils.createSamlObject(AttributeConsumingService.class); + + attributeService.setIndex(0); + attributeService.setIsDefault(true); + final ServiceName serviceName = Saml2Utils.createSamlObject(ServiceName.class); + serviceName.setName(new LocalizedString("Default Service", "en")); + attributeService.getNames().add(serviceName); + + if (reqSpAttr != null && reqSpAttr.size() > 0) { + log.debug("Add " + reqSpAttr.size() + " attributes to SP metadata"); + attributeService.getRequestAttributes().addAll(reqSpAttr); + + } else { + log.debug("SP metadata contains NO requested attributes."); + + } + + spSsoDescriptor.getAttributeConsumingServices().add(attributeService); + + return spSsoDescriptor; + } + + private IDPSSODescriptor generateIdpMetadata(final IPvpMetadataBuilderConfiguration config) + throws EaafException, CredentialsNotAvailableException, SecurityException { + // check response signing credential + final Credential responseSignCred = config.getRequestorResponseSigningCredentials(); + if (responseSignCred == null) { + log.warn("IDP Metadata generation FAILED! --> Builder has NO Response signing credential. "); + return null; + + } + + // check nameID formates + if (config.getIdpPossibleNameIdTypes() == null + || config.getIdpPossibleNameIdTypes().size() == 0) { + log.warn( + "IDP Metadata generation FAILED! --> Builder has NO provideable SAML2 nameIDFormats. "); + return null; + + } + + // build SAML2 IDP-SSO descriptor element + final IDPSSODescriptor idpSsoDescriptor = Saml2Utils.createSamlObject(IDPSSODescriptor.class); + + idpSsoDescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); + + // set ass default value, because PVP 2.x specification defines this feature as MUST + idpSsoDescriptor.setWantAuthnRequestsSigned(config.wantAuthnRequestSigned()); + + // add WebSSO descriptor for POST-Binding + if (StringUtils.isNotEmpty(config.getIdpWebSsoPostBindingUrl())) { + final SingleSignOnService postSingleSignOnService = + Saml2Utils.createSamlObject(SingleSignOnService.class); + postSingleSignOnService.setLocation(config.getIdpWebSsoPostBindingUrl()); + postSingleSignOnService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + idpSsoDescriptor.getSingleSignOnServices().add(postSingleSignOnService); + + } + + // add WebSSO descriptor for Redirect-Binding + if (StringUtils.isNotEmpty(config.getIdpWebSsoRedirectBindingUrl())) { + final SingleSignOnService postSingleSignOnService = + Saml2Utils.createSamlObject(SingleSignOnService.class); + postSingleSignOnService.setLocation(config.getIdpWebSsoRedirectBindingUrl()); + postSingleSignOnService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + idpSsoDescriptor.getSingleSignOnServices().add(postSingleSignOnService); + + } + + // add Single LogOut POST-Binding endpoing + if (StringUtils.isNotEmpty(config.getIdpSloPostBindingUrl())) { + final SingleLogoutService postSloService = + Saml2Utils.createSamlObject(SingleLogoutService.class); + postSloService.setLocation(config.getIdpSloPostBindingUrl()); + postSloService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + idpSsoDescriptor.getSingleLogoutServices().add(postSloService); + + } + + // add Single LogOut Redirect-Binding endpoing + if (StringUtils.isNotEmpty(config.getIdpSloRedirectBindingUrl())) { + final SingleLogoutService redirectSloService = + Saml2Utils.createSamlObject(SingleLogoutService.class); + redirectSloService.setLocation(config.getIdpSloRedirectBindingUrl()); + redirectSloService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + idpSsoDescriptor.getSingleLogoutServices().add(redirectSloService); + + } + + // validate WebSSO endpoints + if (idpSsoDescriptor.getSingleSignOnServices().size() == 0) { + log.warn("IDP Metadata generation FAILED! --> NO SAML2 SingleSignOnService endpoint found. "); + return null; + + } + + // set assertion signing key + final KeyDescriptor signKeyDescriptor = Saml2Utils.createSamlObject(KeyDescriptor.class); + signKeyDescriptor.setUse(UsageType.SIGNING); + final KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); + signKeyDescriptor + .setKeyInfo(keyInfoGenerator.generate(config.getRequestorResponseSigningCredentials())); + idpSsoDescriptor.getKeyDescriptors().add(signKeyDescriptor); + + // set IDP attribute set + idpSsoDescriptor.getAttributes().addAll(config.getIdpPossibleAttributes()); + + // set providable nameID formats + for (final String format : config.getIdpPossibleNameIdTypes()) { + final NameIDFormat nameIdFormat = Saml2Utils.createSamlObject(NameIDFormat.class); + nameIdFormat.setFormat(format); + idpSsoDescriptor.getNameIDFormats().add(nameIdFormat); + + } + + return idpSsoDescriptor; + + } + +} -- cgit v1.2.3