/******************************************************************************* * Copyright 2017 Graz University of Technology * EAAF-Core Components has been developed in a cooperation between EGIZ, * A-SIT Plus, A-SIT, and Graz University of Technology. * * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * https://joinup.ec.europa.eu/news/understanding-eupl-v12 * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. *******************************************************************************/ /******************************************************************************* *******************************************************************************/ /******************************************************************************* *******************************************************************************/ package at.gv.egiz.eaaf.modules.pvp2.idp.impl; import javax.annotation.PostConstruct; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.AuthnRequest; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.metadata.AssertionConsumerService; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.IAction; import at.gv.egiz.eaaf.core.api.idp.IAuthData; import at.gv.egiz.eaaf.core.api.idp.IConfiguration; import at.gv.egiz.eaaf.core.api.idp.slo.SLOInformationInterface; import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger; import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.data.SLOInformationImpl; import at.gv.egiz.eaaf.modules.pvp2.api.IPVP2BasicConfiguration; import at.gv.egiz.eaaf.modules.pvp2.api.binding.IEncoder; import at.gv.egiz.eaaf.modules.pvp2.api.metadata.IPVPMetadataProvider; import at.gv.egiz.eaaf.modules.pvp2.exception.BindingNotSupportedException; import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException; import at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.AuthResponseBuilder; import at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.PVP2AssertionBuilder; import at.gv.egiz.eaaf.modules.pvp2.impl.binding.PostBinding; import at.gv.egiz.eaaf.modules.pvp2.impl.binding.RedirectBinding; import at.gv.egiz.eaaf.modules.pvp2.impl.message.PVPSProfileRequest; import at.gv.egiz.eaaf.modules.pvp2.impl.utils.AbstractCredentialProvider; import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils; @Service("PVPAuthenticationRequestAction") public class AuthenticationAction implements IAction { private static final Logger log = LoggerFactory.getLogger(AuthenticationAction.class); private static final String CONFIG_PROPERTY_PVP2_ENABLE_ENCRYPTION = "protocols.pvp2.assertion.encryption.active"; @Autowired(required=true) private IPVPMetadataProvider metadataProvider; @Autowired(required=true) ApplicationContext springContext; @Autowired(required=true) IConfiguration authConfig; @Autowired(required=true) PVP2AssertionBuilder assertionBuilder; @Autowired(required=true) IPVP2BasicConfiguration pvpBasicConfiguration; @Autowired(required=true) IRevisionLogger revisionsLogger; private AbstractCredentialProvider pvpIDPCredentials; /** * Sets a specific credential provider for PVP S-Profile IDP component. * @param pvpIDPCredentials credential provider */ public void setPvpIDPCredentials(AbstractCredentialProvider pvpIDPCredentials) { this.pvpIDPCredentials = pvpIDPCredentials; } public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws ResponderErrorException { PVPSProfilePendingRequest pvpRequest = (PVPSProfilePendingRequest) req; try { //get basic information PVPSProfileRequest moaRequest = (PVPSProfileRequest) pvpRequest.getRequest(); AuthnRequest authnRequest = (AuthnRequest) moaRequest.getSamlRequest(); EntityDescriptor peerEntity = moaRequest.getEntityMetadata(metadataProvider); AssertionConsumerService consumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class); consumerService.setBinding(pvpRequest.getBinding()); consumerService.setLocation(pvpRequest.getConsumerURL()); DateTime date = new DateTime(); SLOInformationImpl sloInformation = new SLOInformationImpl(); String issuerEntityID = pvpBasicConfiguration.getIDPEntityId(pvpRequest.getAuthURL()); //build Assertion Assertion assertion = assertionBuilder.buildAssertion(issuerEntityID, pvpRequest, authnRequest, authData, peerEntity, date, consumerService, sloInformation); Response authResponse = AuthResponseBuilder.buildResponse( metadataProvider, issuerEntityID, authnRequest, date, assertion, authConfig.getBasicMOAIDConfigurationBoolean( CONFIG_PROPERTY_PVP2_ENABLE_ENCRYPTION, true)); IEncoder binding = null; if (consumerService.getBinding().equals( SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { binding = springContext.getBean("PVPRedirectBinding", RedirectBinding.class); } else if (consumerService.getBinding().equals( SAMLConstants.SAML2_POST_BINDING_URI)) { binding = springContext.getBean("PVPPOSTBinding", PostBinding.class); } if (binding == null) { throw new BindingNotSupportedException(consumerService.getBinding()); } binding.encodeRespone(httpReq, httpResp, authResponse, consumerService.getLocation(), moaRequest.getRelayState(), pvpIDPCredentials.getIDPAssertionSigningCredential(), req); revisionsLogger.logEvent(req, 3105, authResponse.getID()); //set protocol type sloInformation.setProtocolType(req.requestedModule()); sloInformation.setSpEntityID(req.getServiceProviderConfiguration().getUniqueIdentifier()); return sloInformation; } catch (MessageEncodingException | SecurityException e) { log.warn("Message Encoding exception", e); throw new ResponderErrorException("pvp2.01", null, e); } catch (EAAFException e) { log.info("Response generation error: Msg: ", e.getMessage()); throw new ResponderErrorException(e.getErrorId(), e.getParams(), e); } catch (Exception e) { log.warn("Response generation error", e); throw new ResponderErrorException("pvp2.01", null, e); } } public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) { return true; } public String getDefaultActionName() { return "PVPAuthenticationRequestAction"; } @PostConstruct private void verifyInitialization() { if (pvpIDPCredentials == null) { log.error("No SAML2 credentialProvider injected!"); throw new RuntimeException("No SAML2 credentialProvider injected!"); } } }