From f220f54579f5975586b4dcd7634668815c208eda Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 8 Apr 2020 16:23:51 +0200 Subject: refactor to OpenSAML 4.x --- .../pvp2/idp/impl/AbstractPvp2XProtocol.java | 45 +++++++++--------- .../pvp2/idp/impl/AuthenticationAction.java | 5 +- .../pvp2/idp/impl/builder/AuthResponseBuilder.java | 17 ++++--- .../idp/impl/builder/Pvp2AssertionBuilder.java | 54 +++++++++++----------- .../pvp2/idp/test/AuthnResponseBuilderTest.java | 33 +++++++------ 5 files changed, 77 insertions(+), 77 deletions(-) (limited to 'eaaf_modules/eaaf_module_pvp2_idp/src') diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java index a56c8726..1e42ac9c 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java @@ -19,12 +19,32 @@ package at.gv.egiz.eaaf.modules.pvp2.idp.impl; +import java.time.Duration; +import java.time.Instant; import java.util.List; import javax.annotation.PostConstruct; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.StringEscapeUtils; +import org.apache.commons.lang3.StringUtils; +import org.opensaml.saml.common.xml.SAMLConstants; +import org.opensaml.saml.saml2.core.AuthnRequest; +import org.opensaml.saml.saml2.core.Issuer; +import org.opensaml.saml.saml2.core.NameIDType; +import org.opensaml.saml.saml2.core.Response; +import org.opensaml.saml.saml2.core.Status; +import org.opensaml.saml.saml2.core.StatusCode; +import org.opensaml.saml.saml2.core.StatusMessage; +import org.opensaml.saml.saml2.metadata.AssertionConsumerService; +import org.opensaml.saml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml.saml2.metadata.SPSSODescriptor; +import org.opensaml.xmlsec.signature.SignableXMLObject; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; + import at.gv.egiz.components.eventlog.api.EventConstants; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.data.EaafConstants; @@ -59,25 +79,6 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; -import org.apache.commons.lang.StringEscapeUtils; -import org.apache.commons.lang3.StringUtils; -import org.joda.time.DateTime; -import org.opensaml.saml.common.xml.SAMLConstants; -import org.opensaml.saml.saml2.core.AuthnRequest; -import org.opensaml.saml.saml2.core.Issuer; -import org.opensaml.saml.saml2.core.NameIDType; -import org.opensaml.saml.saml2.core.Response; -import org.opensaml.saml.saml2.core.Status; -import org.opensaml.saml.saml2.core.StatusCode; -import org.opensaml.saml.saml2.core.StatusMessage; -import org.opensaml.saml.saml2.metadata.AssertionConsumerService; -import org.opensaml.saml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml.saml2.metadata.SPSSODescriptor; -import org.opensaml.xmlsec.signature.SignableXMLObject; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; - public abstract class AbstractPvp2XProtocol extends AbstractController implements IModulInfo { private static final Logger log = LoggerFactory.getLogger(AbstractPvp2XProtocol.class); @@ -166,7 +167,7 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement final String remoteSessionID = Saml2Utils.getSecureIdentifier(); samlResponse.setID(remoteSessionID); - samlResponse.setIssueInstant(new DateTime()); + samlResponse.setIssueInstant(Instant.now()); final Issuer nissuer = Saml2Utils.createSamlObject(Issuer.class); nissuer.setValue(pvpBasicConfiguration.getIdpEntityId(pvpRequest.getAuthUrl())); nissuer.setFormat(NameIDType.ENTITY); @@ -457,8 +458,8 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement } - if (authnRequest.getIssueInstant().minusMinutes(EaafConstants.ALLOWED_TIME_JITTER) - .isAfterNow()) { + if (authnRequest.getIssueInstant().minus(Duration.ofMinutes(EaafConstants.ALLOWED_TIME_JITTER)) + .isAfter(Instant.now())) { log.warn("Unsupported request: No IssueInstant DateTime is not valid anymore."); throw new AuthnRequestValidatorException("pvp2.22", new Object[] { "Unsupported request: No IssueInstant DateTime is not valid anymore." }, diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java index f9d7767f..91e92d63 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AuthenticationAction.java @@ -19,11 +19,12 @@ package at.gv.egiz.eaaf.modules.pvp2.idp.impl; +import java.time.Instant; + import javax.annotation.PostConstruct; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.joda.time.DateTime; import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.saml2.core.Assertion; import org.opensaml.saml.saml2.core.AuthnRequest; @@ -102,7 +103,7 @@ public class AuthenticationAction implements IAction { consumerService.setBinding(pvpRequest.getBinding()); consumerService.setLocation(pvpRequest.getConsumerUrl()); - final DateTime date = new DateTime(); + final Instant date = Instant.now(); final SloInformationImpl sloInformation = new SloInformationImpl(); final String issuerEntityID = pvpBasicConfiguration.getIdpEntityId(pvpRequest.getAuthUrl()); diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java index 482a2a09..500482b2 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/AuthResponseBuilder.java @@ -19,17 +19,10 @@ package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder; +import java.time.Instant; import java.util.ArrayList; import java.util.List; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; -import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionEncryptionException; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; - -import org.joda.time.DateTime; import org.opensaml.core.criterion.EntityIdCriterion; import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; import org.opensaml.core.xml.io.MarshallingException; @@ -67,6 +60,12 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.w3c.dom.Element; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlSigningException; +import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionEncryptionException; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; import net.shibboleth.utilities.java.support.component.ComponentInitializationException; import net.shibboleth.utilities.java.support.resolver.CriteriaSet; import net.shibboleth.utilities.java.support.resolver.ResolverException; @@ -94,7 +93,7 @@ public class AuthResponseBuilder { * @throws InvalidAssertionEncryptionException In case of an error */ public static Response buildResponse(final IPvp2MetadataProvider metadataProvider, - final String issuerEntityID, final RequestAbstractType req, final DateTime date, + final String issuerEntityID, final RequestAbstractType req, final Instant date, final Assertion assertion, IConfiguration authConfig) throws InvalidAssertionEncryptionException { final Response authResponse = Saml2Utils.createSamlObject(Response.class); diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java index b7b18f0f..21912592 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java @@ -20,34 +20,14 @@ package at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder; import java.security.MessageDigest; +import java.time.Instant; import java.util.ArrayList; import java.util.Iterator; import java.util.List; import javax.naming.ConfigurationException; -import at.gv.egiz.eaaf.core.api.data.EaafConstants; -import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper; -import at.gv.egiz.eaaf.core.api.idp.IAuthData; -import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; -import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface; -import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; -import at.gv.egiz.eaaf.core.impl.data.Pair; -import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; -import at.gv.egiz.eaaf.core.impl.utils.Random; -import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; -import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotSupportedException; -import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator; -import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException; -import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException; -import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest; -import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QaaLevelVerifier; -import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; - import org.apache.commons.lang3.StringUtils; -import org.joda.time.DateTime; import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.saml2.core.Assertion; import org.opensaml.saml.saml2.core.Attribute; @@ -79,6 +59,26 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import org.springframework.util.Base64Utils; +import at.gv.egiz.eaaf.core.api.data.EaafConstants; +import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper; +import at.gv.egiz.eaaf.core.api.idp.IAuthData; +import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration; +import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface; +import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; +import at.gv.egiz.eaaf.core.impl.utils.Random; +import at.gv.egiz.eaaf.modules.pvp2.PvpConstants; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception; +import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotSupportedException; +import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator; +import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException; +import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException; +import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest; +import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QaaLevelVerifier; +import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; + @Service("PVP2AssertionBuilder") public class Pvp2AssertionBuilder implements PvpConstants { @@ -102,7 +102,7 @@ public class Pvp2AssertionBuilder implements PvpConstants { * @throws Pvp2Exception In case of an error */ public Assertion buildAssertion(final String issuerEntityID, final AttributeQuery attrQuery, - final List attrList, final DateTime now, final DateTime validTo, + final List attrList, final Instant now, final Instant validTo, final String qaaLevel, final String sessionIndex) throws Pvp2Exception { final AuthnContextClassRef authnContextClassRef = @@ -140,7 +140,7 @@ public class Pvp2AssertionBuilder implements PvpConstants { */ public Assertion buildAssertion(final String issuerEntityID, final PvpSProfilePendingRequest pendingReq, final AuthnRequest authnRequest, - final IAuthData authData, final EntityDescriptor peerEntity, final DateTime date, + final IAuthData authData, final EntityDescriptor peerEntity, final Instant date, final AssertionConsumerService assertionConsumerService, final SloInformationInterface sloInformation) throws Pvp2Exception { @@ -249,7 +249,7 @@ public class Pvp2AssertionBuilder implements PvpConstants { if (attributeConsumingService != null) { final Iterator it = - attributeConsumingService.getRequestAttributes().iterator(); + attributeConsumingService.getRequestedAttributes().iterator(); while (it.hasNext()) { final RequestedAttribute reqAttribut = it.next(); try { @@ -364,7 +364,7 @@ public class Pvp2AssertionBuilder implements PvpConstants { Saml2Utils.createSamlObject(SubjectConfirmationData.class); subjectConfirmationData.setInResponseTo(authnRequest.getID()); subjectConfirmationData - .setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime())); + .setNotOnOrAfter(Instant.ofEpochMilli(authData.getSsoSessionValidTo().getTime())); // set 'recipient' attribute in subjectConformationData subjectConfirmationData.setRecipient(assertionConsumerService.getLocation()); @@ -403,10 +403,10 @@ public class Pvp2AssertionBuilder implements PvpConstants { * @throws ConfigurationException In case on an error */ - public Assertion buildGenericAssertion(String issuer, final String entityID, final DateTime date, + public Assertion buildGenericAssertion(String issuer, final String entityID, final Instant date, final AuthnContextClassRef authnContextClassRef, final List attrList, final NameID subjectNameID, final SubjectConfirmationData subjectConfirmationData, - final String sessionIndex, final DateTime isValidTo) throws ResponderErrorException { + final String sessionIndex, final Instant isValidTo) throws ResponderErrorException { final Assertion assertion = Saml2Utils.createSamlObject(Assertion.class); final AuthnContext authnContext = Saml2Utils.createSamlObject(AuthnContext.class); diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthnResponseBuilderTest.java b/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthnResponseBuilderTest.java index b2e528c4..799002ed 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthnResponseBuilderTest.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/test/java/at/gv/egiz/eaaf/modules/pvp2/idp/test/AuthnResponseBuilderTest.java @@ -1,25 +1,11 @@ package at.gv.egiz.eaaf.modules.pvp2.idp.test; import java.io.IOException; +import java.time.Instant; import javax.xml.transform.TransformerException; -import at.gv.egiz.eaaf.core.impl.idp.module.test.DummyAuthConfig; -import at.gv.egiz.eaaf.core.impl.utils.DomUtils; -import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; -import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; -import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; -import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionEncryptionException; -import at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.AuthResponseBuilder; -import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; -import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; -import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; -import at.gv.egiz.eaaf.modules.pvp2.test.binding.PostBindingTest; -import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; - import org.apache.commons.lang3.RandomStringUtils; -import org.joda.time.DateTime; import org.junit.Assert; import org.junit.BeforeClass; import org.junit.Test; @@ -37,6 +23,19 @@ import org.springframework.test.context.TestPropertySource; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import org.w3c.dom.Element; +import at.gv.egiz.eaaf.core.impl.idp.module.test.DummyAuthConfig; +import at.gv.egiz.eaaf.core.impl.utils.DomUtils; +import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvp2MetadataProvider; +import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException; +import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2MetadataException; +import at.gv.egiz.eaaf.modules.pvp2.exception.SamlAssertionValidationExeption; +import at.gv.egiz.eaaf.modules.pvp2.idp.exception.InvalidAssertionEncryptionException; +import at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.AuthResponseBuilder; +import at.gv.egiz.eaaf.modules.pvp2.impl.metadata.PvpMetadataResolverFactory; +import at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.initialize.EaafOpenSaml3xInitializer; +import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; +import at.gv.egiz.eaaf.modules.pvp2.test.binding.PostBindingTest; +import at.gv.egiz.eaaf.modules.pvp2.test.dummy.DummyCredentialProvider; import net.shibboleth.utilities.java.support.xml.XMLParserException; @RunWith(SpringJUnit4ClassRunner.class) @@ -80,7 +79,7 @@ public class AuthnResponseBuilderTest { PostBindingTest.class.getResourceAsStream("/data/Assertion_1.xml")); //build response - final DateTime now = DateTime.now(); + final Instant now = Instant.now(); final Response response = AuthResponseBuilder.buildResponse( metadataProvider, issuerEntityID, authnReq, now, assertion, authConfig); @@ -125,7 +124,7 @@ public class AuthnResponseBuilderTest { PostBindingTest.class.getResourceAsStream("/data/Assertion_1.xml")); //build response - final DateTime now = DateTime.now(); + final Instant now = Instant.now(); final Response response = AuthResponseBuilder.buildResponse( metadataProvider, issuerEntityID, authnReq, now, assertion, authConfig); -- cgit v1.2.3