From f220f54579f5975586b4dcd7634668815c208eda Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Wed, 8 Apr 2020 16:23:51 +0200
Subject: refactor to OpenSAML 4.x
---
 .../EaafMessageContextInitializationHandler.java | 12 +++----
 ...ttpRedirectDeflateSignatureSecurityHandler.java | 18 ++++++----
 .../verification/PvpSamlMessageHandlerChain.java | 17 +++++-----
 .../impl/verification/SamlVerificationEngine.java | 38 ++++++++++++----------
 4 files changed, 45 insertions(+), 40 deletions(-)
(limited to 'eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification')
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafMessageContextInitializationHandler.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafMessageContextInitializationHandler.java
index aba0a68b..ff587f1b 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafMessageContextInitializationHandler.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafMessageContextInitializationHandler.java
@@ -2,15 +2,10 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.verification; import javax.annotation.Nonnull; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; -import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; - import org.opensaml.core.config.ConfigurationService; import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.handler.AbstractMessageHandler; import org.opensaml.messaging.handler.MessageHandlerException; -import org.opensaml.saml.common.SAMLObject; import org.opensaml.saml.common.messaging.context.SAMLMessageInfoContext; import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext; import org.opensaml.xmlsec.SignatureValidationConfiguration;
@@ -18,11 +13,14 @@ import org.opensaml.xmlsec.SignatureValidationParameters; import org.opensaml.xmlsec.context.SecurityParametersContext; import org.opensaml.xmlsec.signature.support.SignatureTrustEngine; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2InternalErrorException; +import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; @Slf4j -public class EaafMessageContextInitializationHandler extends AbstractMessageHandler { +public class EaafMessageContextInitializationHandler extends AbstractMessageHandler { private final IPvp2MetadataProvider internalMetadataProvider; private SignatureTrustEngine trustEngine;
@@ -44,7 +42,7 @@ public class EaafMessageContextInitializationHandler extends AbstractMessageHand @Override - protected void doInvoke(MessageContext messageContext) throws MessageHandlerException { + protected void doInvoke(MessageContext messageContext) throws MessageHandlerException { log.trace("Injecting sub-context to SAML2 message ... "); messageContext.addSubcontext(new SAMLPeerEntityContext()); messageContext.addSubcontext(new SAMLMessageInfoContext());
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafSaml2HttpRedirectDeflateSignatureSecurityHandler.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafSaml2HttpRedirectDeflateSignatureSecurityHandler.java
index 204229ee..36c8a1ee 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafSaml2HttpRedirectDeflateSignatureSecurityHandler.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/EaafSaml2HttpRedirectDeflateSignatureSecurityHandler.java
@@ -3,19 +3,20 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.verification; import javax.annotation.Nonnull; import javax.annotation.Nullable; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils; - import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.handler.MessageHandlerException; import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext; import org.opensaml.saml.saml2.binding.security.impl.SAML2HTTPRedirectDeflateSignatureSecurityHandler; import com.google.common.base.Strings; + +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SamlHttpUtils; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.codec.Base64Support; +import net.shibboleth.utilities.java.support.codec.DecodingException; /** * Always extracts the last http parameter with a specific name from request, if
@@ -95,7 +96,12 @@ public class EaafSaml2HttpRedirectDeflateSignatureSecurityHandler extends return null; } - return Base64Support.decode(signature); + try { + return Base64Support.decode(signature); + + } catch (DecodingException e) { + throw new MessageHandlerException("Base64 decoding error", e); + } } @Override
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpSamlMessageHandlerChain.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpSamlMessageHandlerChain.java
index a1365023..44ed2013 100644
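Review bot: The new try/catch in the second hunk turns a malformed `Signature` parameter into a hard MessageHandlerException, while the `return null` just above it still means "no signature present" — presumably deferring to the base handler's decision on whether a signature is required, so the two outcomes must not be conflated. A one-line comment on the catch would protect that distinction from a later "simplification", e.g. `// malformed Base64 is a rejected message, not an unsigned one; never fall back to null here`. The exception text could also name what failed, `"Base64 decoding of 'Signature' parameter failed"`, which makes the log trail unambiguous. The enclosing method (presumably the `getSignature` override) starts outside the hunk.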
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpSamlMessageHandlerChain.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/PvpSamlMessageHandlerChain.java
@@ -7,25 +7,24 @@ import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.handler.MessageHandler; import org.opensaml.messaging.handler.MessageHandlerChain; import org.opensaml.messaging.handler.MessageHandlerException; -import org.opensaml.saml.common.SAMLObject; import lombok.extern.slf4j.Slf4j; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; @Slf4j -public class PvpSamlMessageHandlerChain implements MessageHandlerChain { - private final List> handlers = new ArrayList<>(); +public class PvpSamlMessageHandlerChain implements MessageHandlerChain { + private final List handlers = new ArrayList<>(); private boolean isInitialized = false; @Override - public void invoke(MessageContext messageContext) throws MessageHandlerException { + public void invoke(MessageContext messageContext) throws MessageHandlerException { if (!isInitialized) { throw new RuntimeException("Component: " + PvpSamlMessageHandlerChain.class.getName() + " not initialized"); } - for (final MessageHandler handler : getHandlers()) { + for (final MessageHandler handler : getHandlers()) { log.trace("Initializing SAML message handler: {}", handler.getClass().getName()); handler.invoke(messageContext);
@@ -41,7 +40,7 @@ public class PvpSamlMessageHandlerChain implements MessageHandlerChain handler : getHandlers()) { + for (final MessageHandler handler : getHandlers()) { log.trace("Initializing SAML message handler: {}", handler.getClass().getName()); handler.initialize();
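Review bot: The loop body under the rewritten `for (final MessageHandler handler : getHandlers())` in `invoke` still traces `"Initializing SAML message handler: {}"`, the same text as the loop in `initialize` in the next hunk, so a trace-level log reads as a fresh initialization pass on every inbound message. Suggest `log.trace("Invoking SAML message handler: {}", handler.getClass().getName());` for the `invoke` loop so the two phases can be told apart when reconstructing a request. Both `invoke` and `initialize` continue past their hunks.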
@@ -53,17 +52,17 @@ public class PvpSamlMessageHandlerChain implements MessageHandlerChain> getHandlers() { + public List getHandlers() { return handlers; } - public void addHandler(MessageHandler handler) { + public void addHandler(MessageHandler handler) { handlers.add(handler); } - public void addHandlers(List> handlerList) { + public void addHandlers(List handlerList) { handlers.addAll(handlerList); }
diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
index e0a3ab8e..9758ff83 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
+++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/impl/verification/SamlVerificationEngine.java
@@ -19,6 +19,8 @@ package at.gv.egiz.eaaf.modules.pvp2.impl.verification; +import java.time.Duration; +import java.time.Instant; import java.util.ArrayList; import java.util.List;
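Review bot: The rewritten `addHandler` and `addHandlers` still accept handlers after `initialize()` has run, and `isInitialized` stays true, so a late-added handler is driven by `invoke` without the per-handler `initialize()` call that the loop in the previous hunk performs for the others. A guard at the top of both methods, `if (isInitialized) { throw new IllegalStateException("Handler chain already initialized"); }`, or at least a Javadoc line stating that handlers must be registered before `initialize()`, would make the ordering explicit. `getHandlers()` likewise returns the internal list, so callers can alter the verification chain after the fact; `return Collections.unmodifiableList(handlers);` (java.util.Collections) keeps the chain's composition under the chain's own control.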
@@ -27,17 +29,6 @@ import javax.xml.transform.dom.DOMSource; import javax.xml.validation.Schema; import javax.xml.validation.Validator; -import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException; -import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; -import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; -import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; - import org.apache.commons.lang3.StringUtils; import org.joda.time.DateTime; import org.opensaml.core.criterion.EntityIdCriterion; 
@@ -74,9 +65,19 @@ import org.springframework.beans.factory.annotation.Autowired; import org.w3c.dom.Element; import org.xml.sax.SAXException; +import at.gv.egiz.eaaf.core.exceptions.EaafProtocolException; +import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; +import at.gv.egiz.eaaf.modules.pvp2.api.credential.EaafX509Credential; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IRefreshableMetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.exception.SchemaValidationException; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.InboundMessage; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.message.PvpSProfileResponse; import lombok.extern.slf4j.Slf4j; -import net.shibboleth.utilities.java.support.net.BasicURLComparator; import net.shibboleth.utilities.java.support.net.URIException; +import net.shibboleth.utilities.java.support.net.impl.BasicURLComparator; import net.shibboleth.utilities.java.support.resolver.CriteriaSet; @Slf4j
@@ -93,7 +94,7 @@ public class SamlVerificationEngine { private static final Object SIG_VAL_ERROR_MSG = "Signature verification return false"; /** - * 5 allow 3 minutes time jitter in before validation. + * allow 3 minutes time jitter in before validation. */ private static final int TIME_JITTER = 3;
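Review bot: The repaired Javadoc on `TIME_JITTER` in the second hunk still names neither the unit nor the direction of the tolerance; later in this patch the constant is applied as `Duration.ofMinutes(TIME_JITTER)` to reject a response whose IssueInstant lies in the future. Suggest `/** Allowed clock skew, in minutes, when checking that a response's IssueInstant is not in the future. */` so the value and its single use stay in step.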
@@ -286,10 +287,11 @@ public class SamlVerificationEngine { // validate DateTime conditions final Conditions conditions = saml2assertion.getConditions(); if (conditions != null) { - final DateTime notbefore = conditions.getNotBefore().minusMinutes(5); - final DateTime notafter = conditions.getNotOnOrAfter(); + final Instant notbefore = conditions.getNotBefore().minus(Duration.ofMinutes(5)); + final Instant notafter = conditions.getNotOnOrAfter(); + final Instant now = Instant.now(); if (validateDateTime - && (notbefore.isAfterNow() || notafter.isBeforeNow())) { + && (notbefore.isAfter(now) || notafter.isBefore(now))) { isAssertionValid = false; log.info("Assertion with ID:{} is out of Date. [ Current:{} NotBefore:{} NotAfter:{} ]", saml2assertion.getID(), new DateTime(), notbefore, notafter);
@@ -479,14 +481,14 @@ public class SamlVerificationEngine { throws SamlAssertionValidationExeption { if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS)) { // validate response issueInstant - final DateTime issueInstant = samlResp.getIssueInstant(); + final Instant issueInstant = samlResp.getIssueInstant(); if (issueInstant == null) { log.warn("PVP response does not include a 'IssueInstant' attribute"); throw new SamlAssertionValidationExeption(ERROR_14, new Object[] { loggerName, "'IssueInstant' attribute is not included" }); } - if (validateDateTime && issueInstant.minusMinutes(TIME_JITTER).isAfterNow()) { + if (validateDateTime && issueInstant.minus(Duration.ofMinutes(TIME_JITTER)).isAfter(Instant.now())) { log.warn("PVP response: IssueInstant DateTime is not valid anymore."); throw new SamlAssertionValidationExeption(ERROR_14, new Object[] { loggerName, "'IssueInstant' Time is not valid any more" });
--
cgit v1.2.3
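Review bot: The rewritten `conditions.getNotBefore().minus(Duration.ofMinutes(5))` dereferences NotBefore, and `notafter.isBefore(now)` dereferences NotOnOrAfter, without a null check; both attributes are optional on a SAML 2.0 Conditions element, so an assertion carrying only one of them ends the validation in a NullPointerException instead of a validation result. Treating an absent bound as imposing no restriction, as below, keeps the fail-closed outcome for out-of-window assertions while accepting the spec-conformant shapes. Two smaller points on the same lines: the log call still passes `new DateTime()` although `now` was just computed, so `saml2assertion.getID(), now, notbefore, notafter` removes the last joda-time use on this path, and the literal `5` sits beside `TIME_JITTER = 3` — if a separate 5-minute tolerance for NotBefore is intended, give it a named constant so the two skews are visibly distinct. The enclosing method starts and ends outside the hunk.
```java
final Conditions conditions = saml2assertion.getConditions();
if (conditions != null) {
  final Instant now = Instant.now();
  final Instant notbefore = conditions.getNotBefore();
  final Instant notafter = conditions.getNotOnOrAfter();
  // both bounds are optional in SAML 2.0 Conditions; an absent bound imposes no restriction
  final boolean notYetValid = notbefore != null
      && notbefore.minus(Duration.ofMinutes(5)).isAfter(now);
  final boolean expired = notafter != null && notafter.isBefore(now);
  if (validateDateTime && (notYetValid || expired)) {
    isAssertionValid = false;
    log.info("Assertion with ID:{} is out of Date. [ Current:{} NotBefore:{} NotAfter:{} ]",
        saml2assertion.getID(), now, notbefore, notafter);
    // … unchanged: remainder of the conditions check …
```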
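Review bot: The rewritten check `issueInstant.minus(Duration.ofMinutes(TIME_JITTER)).isAfter(Instant.now())` in the second hunk only rejects an IssueInstant more than TIME_JITTER minutes in the future; a response whose IssueInstant is hours or days old passes it, so unless age is bounded elsewhere (not visible in this hunk) there is no limit on how stale an accepted response may be. A symmetric lower bound with a named maximum age — `final Instant now = Instant.now();` followed by `|| issueInstant.plus(MAX_RESPONSE_AGE).isBefore(now)` with `MAX_RESPONSE_AGE` a constant still to be introduced — would close that, and the warn text `"PVP response: IssueInstant DateTime is not valid anymore."` should then say which side failed, since today it describes a future-dated instant as expired. Binding `Instant.now()` to a local also brings the line back under 100 columns and uses one clock reading for both comparisons. The enclosing method starts outside the hunk.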