From a2ee5133c2593b8f0e4e1a8e929d83bbd26c60ca Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 12 Dec 2019 14:34:01 +0100 Subject: refactor PVP2 IDP to allow generic post-processing of SAML2 AuthnRequests --- .../api/validation/IAuthnRequestPostProcessor.java | 55 ++++++++++++++++++++++ .../api/validation/IAuthnRequestValidator.java | 35 -------------- .../pvp2/idp/impl/AbstractPvp2XProtocol.java | 21 +++++++-- 3 files changed, 71 insertions(+), 40 deletions(-) create mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/validation/IAuthnRequestPostProcessor.java delete mode 100644 eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/validation/IAuthnRequestValidator.java (limited to 'eaaf_modules') diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/validation/IAuthnRequestPostProcessor.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/validation/IAuthnRequestPostProcessor.java new file mode 100644 index 00000000..b23c230e --- /dev/null +++ b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/validation/IAuthnRequestPostProcessor.java @@ -0,0 +1,55 @@ +/* + * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a + * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text file for details on the + * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative + * works that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.gv.egiz.eaaf.modules.pvp2.api.validation; + +import javax.servlet.http.HttpServletRequest; + +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; + +import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml2.metadata.SPSSODescriptor; + +/** + * SAML2 Authn. request post-processor. + * + *

+ * Implementations of this interface are executed before user authentication starts. + *

+ * + * @author tlenz + * + */ +public interface IAuthnRequestPostProcessor { + + /** + * Authn. request post-processor + * + * @param httpReq http request + * @param pendingReq current pending request + * @param authReq received SAML2 authentication request + * @param spSsoDescriptor Metadata descriptor of the requested SP + * @throws AuthnRequestValidatorException In case of a validation error, + * if post processor implements additional validation + */ + void process(HttpServletRequest httpReq, IRequest pendingReq, AuthnRequest authReq, + SPSSODescriptor spSsoDescriptor) throws AuthnRequestValidatorException; + +} diff --git a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/validation/IAuthnRequestValidator.java b/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/validation/IAuthnRequestValidator.java deleted file mode 100644 index 90195f1d..00000000 --- a/eaaf_modules/eaaf_module_pvp2_core/src/main/java/at/gv/egiz/eaaf/modules/pvp2/api/validation/IAuthnRequestValidator.java +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a - * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European - * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in - * compliance with the Licence. You may obtain a copy of the Licence at: - * https://joinup.ec.europa.eu/news/understanding-eupl-v12 - * - * Unless required by applicable law or agreed to in writing, software distributed under the Licence - * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express - * or implied. See the Licence for the specific language governing permissions and limitations under - * the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text file for details on the - * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative - * works that you distribute must include a readable copy of the "NOTICE" text file. -*/ - -package at.gv.egiz.eaaf.modules.pvp2.api.validation; - -import javax.servlet.http.HttpServletRequest; - -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.metadata.SPSSODescriptor; - -import at.gv.egiz.eaaf.core.api.IRequest; -import at.gv.egiz.eaaf.core.exceptions.AuthnRequestValidatorException; - -public interface IAuthnRequestValidator { - - void validate(HttpServletRequest httpReq, IRequest pendingReq, AuthnRequest authReq, - SPSSODescriptor spSsoDescriptor) throws AuthnRequestValidatorException; - -} diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java index f38ed43b..f8a39b61 100644 --- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java +++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/AbstractPvp2XProtocol.java @@ -20,9 +20,11 @@ package at.gv.egiz.eaaf.modules.pvp2.idp.impl; import java.util.List; + import javax.annotation.PostConstruct; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; + import at.gv.egiz.components.eventlog.api.EventConstants; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.data.EaafConstants; @@ -38,7 +40,7 @@ import at.gv.egiz.eaaf.modules.pvp2.PvpEventConstants; import at.gv.egiz.eaaf.modules.pvp2.api.IPvp2BasicConfiguration; import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPvpMetadataProvider; -import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestValidator; +import at.gv.egiz.eaaf.modules.pvp2.api.validation.IAuthnRequestPostProcessor; import at.gv.egiz.eaaf.modules.pvp2.exception.InvalidPvpRequestException; import at.gv.egiz.eaaf.modules.pvp2.exception.NameIdFormatNotSupportedException; import at.gv.egiz.eaaf.modules.pvp2.exception.NoMetadataInformationException; @@ -54,6 +56,7 @@ import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.EaafUriCompare; import at.gv.egiz.eaaf.modules.pvp2.impl.validation.TrustEngineFactory; import at.gv.egiz.eaaf.modules.pvp2.impl.verification.SamlVerificationEngine; + import org.apache.commons.lang.StringEscapeUtils; import org.apache.commons.lang3.StringUtils; import org.joda.time.DateTime; @@ -84,8 +87,8 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement protected IPvpMetadataProvider metadataProvider; @Autowired(required = true) protected SamlVerificationEngine samlVerificationEngine; - @Autowired(required = true) - protected IAuthnRequestValidator authRequestValidator; + @Autowired(required = false) + protected List authRequestPostProcessors; private AbstractCredentialProvider pvpIdpCredentials; @@ -433,7 +436,7 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement * @param pendingReq current pending request * @throws Throwable in case of an error */ - private void preProcessAuthRequest(final HttpServletRequest request, + protected void preProcessAuthRequest(final HttpServletRequest request, final PvpSProfilePendingRequest pendingReq) throws Throwable { @@ -538,8 +541,16 @@ public abstract class AbstractPvp2XProtocol extends AbstractController implement // set protocol action, which should be executed after authentication pendingReq.setAction(AuthenticationAction.class.getName()); + // do post-processing if required log.trace("Starting extended AuthnRequest validation and processing ... "); - authRequestValidator.validate(request, pendingReq, authReq, spSsoDescriptor); + if (authRequestPostProcessors != null) { + for (final IAuthnRequestPostProcessor processor : authRequestPostProcessors) { + log.trace("Post-process AuthnRequest with module: {}", processor.getClass().getSimpleName()); + processor.process(request, pendingReq, authReq, spSsoDescriptor); + + } + } + log.debug("Extended AuthnRequest validation and processing finished"); // write revisionslog entry -- cgit v1.2.3