/******************************************************************************* * Copyright 2017 Graz University of Technology * EAAF-Core Components has been developed in a cooperation between EGIZ, * A-SIT+, A-SIT, and Graz University of Technology. * * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * https://joinup.ec.europa.eu/news/understanding-eupl-v12 * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. *******************************************************************************/ /******************************************************************************* *******************************************************************************/ /******************************************************************************* *******************************************************************************/ package at.gv.egiz.eaaf.modules.pvp2.impl.validation.metadata; import java.util.ArrayList; import java.util.Iterator; import java.util.List; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.xml.XMLObject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2MetadataException; import at.gv.egiz.eaaf.modules.pvp2.exception.SignatureValidationException; public abstract class AbstractMetadataSignatureFilter implements MetadataFilter { private static final Logger log = LoggerFactory.getLogger(AbstractMetadataSignatureFilter.class); public void doFilter(XMLObject metadata) throws SignatureValidationException { try { if (metadata instanceof EntitiesDescriptor) { EntitiesDescriptor entitiesDescriptor = (EntitiesDescriptor) metadata; if(entitiesDescriptor.getSignature() == null) { throw new PVP2MetadataException("Root element of metadata file has to be signed", null); } processEntitiesDescriptor(entitiesDescriptor); if (entitiesDescriptor.getEntityDescriptors().size() == 0) { throw new PVP2MetadataException("No valid entity in metadata " + entitiesDescriptor.getName() + ". Metadata is not loaded.", null); } } else if (metadata instanceof EntityDescriptor) { EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; processEntityDescriptorr(entityDescriptor); } else { throw new PVP2MetadataException("Invalid Metadata file Root element is no EntitiesDescriptor", null); } log.info("Metadata signature policy check done OK"); } catch (EAAFException e) { log.warn("Metadata signature policy check FAILED.", e); throw new SignatureValidationException(e); } } /** * Signature verification of a SAML2 EntityDescriptor element * * @param desc * @throws PVP2MetadataException if the signature is not valid or can not verified */ protected abstract void verify(EntityDescriptor desc) throws PVP2MetadataException; /** * Signature verification of a SAML2 EntitiesDescriptor element * * @param desc * @throws PVP2MetadataException if the signature is not valid or can not verified */ protected abstract void verify(EntitiesDescriptor desc) throws PVP2MetadataException; /** * Verify a EntityDescriptor element of an EntitiesDescriptor * * @param entity EntityDescriptor to verify * @param desc Full EntitiesDescriptor that contains the EntityDescriptor * @throws PVP2MetadataException */ protected abstract void verify(EntityDescriptor entity, EntitiesDescriptor desc) throws PVP2MetadataException; private void processEntityDescriptorr(EntityDescriptor desc) throws EAAFException { verify(desc); } private void processEntitiesDescriptor(EntitiesDescriptor desc) throws EAAFException { Iterator entID = desc.getEntitiesDescriptors().iterator(); if(desc.getSignature() != null) { verify(desc); } while(entID.hasNext()) { processEntitiesDescriptor(entID.next()); } Iterator entIT = desc.getEntityDescriptors().iterator(); List verifiedEntIT = new ArrayList(); //check every Entity while(entIT.hasNext()) { EntityDescriptor entity = entIT.next(); log.debug("Validate metadata for entityID: " + entity.getEntityID() + " ..... "); try { verify(entity, desc); //add entity to verified entity-list verifiedEntIT.add(entity); log.debug("Metadata for entityID: " + entity.getEntityID() + " valid"); } catch (Exception e) { //remove entity of signature can not be verified. log.info("Entity " + entity.getEntityID() + " is removed from metadata " + desc.getName() + ". Entity verification error: " + e.getMessage()); } } //set only verified entity elements desc.getEntityDescriptors().clear(); desc.getEntityDescriptors().addAll(verifiedEntIT); } }