From f220f54579f5975586b4dcd7634668815c208eda Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Wed, 8 Apr 2020 16:23:51 +0200
Subject: refactor to OpenSAML 4.x
---
 .../impl/verification/SamlVerificationEngine.java | 38 ++++++++++++----------
 1 file changed, 20 insertions(+), 18 deletions(-)
(limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java')
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
index e0a3ab8e..9758ff83 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
@@ -19,6 +19,8 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.verification;
+import java.time.Duration;
+import java.time.Instant;
 import java.util.ArrayList;
 import java.util.List;
@@ -27,17 +29,6 @@ import javax.xml.transform.dom.DOMSource;
 import javax.xml.validation.Schema;
 import javax.xml.validation.Validator;
-import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException;
-import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
-import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption;
-import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
-import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse;
-
 import org.apache.commons.lang3.StringUtils;
 import org.joda.time.DateTime;
 import org.opensaml.core.criterion.EntityIdCriterion;
@@ -74,9 +65,19 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.w3c.dom.Element;
 import org.xml.sax.SAXException;
+import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException;
+import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException;
+import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption;
+import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest;
+import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse;
 import lombok.extern.slf4j.Slf4j;
-import net.shibboleth.utilities.java.support.net.BasicURLComparator;
 import net.shibboleth.utilities.java.support.net.URIException;
+import net.shibboleth.utilities.java.support.net.impl.BasicURLComparator;
 import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
 @Slf4j
@@ -93,7 +94,7 @@ public class SamlVerificationEngine {
 private static final Object SIG_VAL_ERROR_MSG = "Signature verification return false";
 /**
- * 5 allow 3 minutes time jitter in before validation.
+ * allow 3 minutes time jitter in before validation.
 */
 private static final int TIME_JITTER = 3;
@@ -286,10 +287,11 @@ public class SamlVerificationEngine {
 // validate DateTime conditions
 final Conditions conditions = saml2assertion.getConditions();
 if (conditions != null) {
- final DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
- final DateTime notafter = conditions.getNotOnOrAfter();
+ final Instant notbefore = conditions.getNotBefore().minus(Duration.ofMinutes(5));
+ final Instant notafter = conditions.getNotOnOrAfter();
+ final Instant now = Instant.now();
 if (validateDateTime
- && (notbefore.isAfterNow() || notafter.isBeforeNow())) {
+ && (notbefore.isAfter(now) || notafter.isBefore(now))) {
 isAssertionValid = false;
 log.info("Assertion with ID:{} is out of Date. [ Current:{} NotBefore:{} NotAfter:{} ]", saml2assertion.getID(), new DateTime(), notbefore, notafter);
@@ -479,14 +481,14 @@ public class SamlVerificationEngine {
 throws SamlAssertionValidationExeption {
 if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS)) { // validate response issueInstant
- final DateTime issueInstant = samlResp.getIssueInstant();
+ final Instant issueInstant = samlResp.getIssueInstant();
 if (issueInstant == null) {
 log.warn("PVP response does not include a 'IssueInstant' attribute");
 throw new SamlAssertionValidationExeption(ERROR_14, new Object[] { loggerName, "'IssueInstant' attribute is not included" });
 }
- if (validateDateTime && issueInstant.minusMinutes(TIME_JITTER).isAfterNow()) {
+ if (validateDateTime && issueInstant.minus(Duration.ofMinutes(TIME_JITTER)).isAfter(Instant.now())) {
 log.warn("PVP response: IssueInstant DateTime is not valid anymore.");
 throw new SamlAssertionValidationExeption(ERROR_14, new Object[] { loggerName, "'IssueInstant' Time is not valid any more" });
-- cgit v1.2.3
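Review bot: The `log.info` line after the changed comparison still reports `Current:` through Joda `new DateTime()` although the decision two lines above is now taken against the `Instant now` this hunk introduces, so the logged timestamp is a second clock read from a second library rather than the value that produced the decision; pass the same value, `saml2assertion.getID(), now, notbefore, notafter);`, which also removes one of the `org.joda.time.DateTime` uses in a file otherwise moved to java.time. `conditions.getNotBefore()` and `conditions.getNotOnOrAfter()` are optional attributes and are returned as null by OpenSAML when absent, so `.minus(...)` and `.isBefore(now)` would fail with a NullPointerException from inside the validator instead of rejecting the assertion with a message; a null check before the arithmetic (either treating a missing bound as unconstrained or rejecting explicitly) was missing before this refactor as well. The tolerance in `minus(Duration.ofMinutes(5))` is hard-coded while the response check in the hunk at `@@ -479,14` uses `TIME_JITTER` (3); if both are meant to be the same clock-skew allowance, `Duration.ofMinutes(TIME_JITTER)` keeps it in one place. The enclosing method starts and ends outside this hunk.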
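Review bot: The warning on the context line following the changed check, `PVP response: IssueInstant DateTime is not valid anymore.`, states the opposite of what the condition detects: `issueInstant.minus(Duration.ofMinutes(TIME_JITTER)).isAfter(Instant.now())` is true only when IssueInstant lies more than TIME_JITTER minutes in the future, not when it has expired, and the error detail `'IssueInstant' Time is not valid any more` repeats the mismatch. Reword both to the checked condition, e.g. `log.warn("PVP response: IssueInstant is more than {} minutes in the future", TIME_JITTER);`. Within this hunk there is no lower bound on IssueInstant, so a response issued arbitrarily long ago passes this time check; if no other layer bounds the response age, an `issueInstant.plus(...).isBefore(now)` branch with its own message belongs next to this one. Unlike the conditions hunk, `Instant.now()` is read inline here rather than held in a local, so the comparison time cannot be included in the warning; the enclosing method starts before and ends after the hunk.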