Merge branch 'moa-id-3.0.0-snapshot' into moa-id-3.2_(OPB)

Conflicts: id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
author: Thomas Lenz <tlenz@iaik.tugraz.at> 2016-02-22 14:31:15 +0100
committer: Thomas Lenz <tlenz@iaik.tugraz.at> 2016-02-22 14:31:15 +0100
commit: f0efa491345c6df32cc645ec7ff3141b62b43b4e (patch)
tree: 25ee57d8433a705e2b0d080ca26ccf703d5c3395 /id/server/idserverlib
parent: 2fc3b03239590d98ad776710f84444d1b4f65df3 (diff)
parent: dd2be368cdceab6b02bf9a73b6db08a05be53e69 (diff)
download: moa-id-spss-f0efa491345c6df32cc645ec7ff3141b62b43b4e.tar.gz
moa-id-spss-f0efa491345c6df32cc645ec7ff3141b62b43b4e.tar.bz2
moa-id-spss-f0efa491345c6df32cc645ec7ff3141b62b43b4e.zip
1 files changed, 129 insertions, 108 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
index cc7afa842..bf9a61fe4 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java
@@ -22,34 +22,55 @@
  *******************************************************************************/
 package at.gv.egovernment.moa.id.protocols.pvp2x.verification;
 
+import java.util.ArrayList;
+import java.util.List;
+
 import javax.xml.namespace.QName;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.validation.Schema;
 import javax.xml.validation.Validator;
 
+import org.joda.time.DateTime;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.common.xml.SAMLSchemaBuilder;
+import org.opensaml.saml2.core.Conditions;
+import org.opensaml.saml2.core.EncryptedAssertion;
 import org.opensaml.saml2.core.RequestAbstractType;
+import org.opensaml.saml2.core.Response;
+import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.core.StatusResponseType;
+import org.opensaml.saml2.encryption.Decrypter;
+import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
 import org.opensaml.saml2.metadata.IDPSSODescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.security.MetadataCriteria;
 import org.opensaml.security.SAMLSignatureProfileValidator;
+import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
+import org.opensaml.xml.encryption.DecryptionException;
+import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
+import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver;
 import org.opensaml.xml.security.CriteriaSet;
 import org.opensaml.xml.security.credential.UsageType;
 import org.opensaml.xml.security.criteria.EntityIDCriteria;
 import org.opensaml.xml.security.criteria.UsageCriteria;
+import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver;
+import org.opensaml.xml.security.x509.X509Credential;
 import org.opensaml.xml.signature.SignatureTrustEngine;
 import org.opensaml.xml.validation.ValidationException;
 import org.w3c.dom.Element;
 import org.xml.sax.SAXException;
 
 import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption;
 import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
@@ -158,114 +179,114 @@ public class SAMLVerificationEngine {
 		}
 	}
 	
-//	public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption {
-//		try {
-//			if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
-//				List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
-//				
-//				List<String> allowedPublicURLPrefix = 
-//						AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
-//				boolean isValidDestination = false;
-//				for (String allowedPreFix : allowedPublicURLPrefix) {
-//					if (validateDestination && samlResp.getDestination().startsWith(
-//							allowedPreFix)) {
-//							isValidDestination = true;
-//							break;
-//					
-//					}
-//				}
-//				if (!isValidDestination) {
-//					Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
-//					throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);					
-//					
-//				}
-//				
-//				//check encrypted Assertion
-//				List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions();
-//				if (encryAssertionList != null && encryAssertionList.size() > 0) {
-//					//decrypt assertions
-//					
-//					Logger.debug("Found encryped assertion. Start decryption ...");
-//									
-//					X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential();
-//									
-//					StaticKeyInfoCredentialResolver skicr =
-//							  new StaticKeyInfoCredentialResolver(authDecCredential);
-//					
-//					ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
-//					encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
-//					encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
-//					encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
-//					
-//					Decrypter samlDecrypter =
-//							  new Decrypter(null, skicr, encryptedKeyResolver);
-//					
-//					for (EncryptedAssertion encAssertion : encryAssertionList) {							
-//						saml2assertions.add(samlDecrypter.decrypt(encAssertion));
-//	
-//					}
-//					
-//					Logger.debug("Assertion decryption finished. ");
-//					
-//				} else {
-//					saml2assertions.addAll(samlResp.getAssertions());
-//			
-//				}
-//				
-//				List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();				
-//				for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
-//					
-//					try {
-//						performSchemaValidation(saml2assertion.getDOM());
-//											
-//						Conditions conditions = saml2assertion.getConditions();
-//					DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
-//					DateTime notafter = conditions.getNotOnOrAfter();
-//					if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
-//						Logger.warn("PVP2 Assertion is out of Date. "
-//								+ "{ Current : " + new DateTime() 
-//								+ " NotBefore: " + notbefore 
-//								+ " NotAfter : " + notafter
-//								+ " }");;
-//											
-//						} else {
-//							validatedassertions.add(saml2assertion);
-//						
-//						}
-//						
-//					} catch (SchemaValidationException e) {
-//						
-//					}
-//				}
-//				
-//				if (validatedassertions.isEmpty()) {
-//					Logger.info("No valid PVP 2.1 assertion received.");
-//					throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null);
-//				}
-//					
-//				samlResp.getAssertions().clear();
-//				samlResp.getEncryptedAssertions().clear();
-//				samlResp.getAssertions().addAll(validatedassertions);
-//				
-//			} else {
-//				Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " 
-//						+ samlResp.getStatus().getStatusCode().getValue());
-//				throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode " 
-//						+ samlResp.getStatus().getStatusCode().getValue(), null);
-//			}
-//			
-//		} catch (CredentialsNotAvailableException e) {
-//			Logger.warn("Assertion decrypt FAILED - No Credentials", e);
-//			throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e);
-//			
-//		} catch (DecryptionException e) {
-//			Logger.warn("Assertion decrypt FAILED.", e);
-//			throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e);
-//			
-//		} catch (ConfigurationException e) {
-//			throw new AssertionValidationExeption("pvp.12", null, e);
-//		} 		
-//	}
+	public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption {
+		try {
+			if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
+				List<org.opensaml.saml2.core.Assertion> saml2assertions = new ArrayList<org.opensaml.saml2.core.Assertion>();
+				
+				List<String> allowedPublicURLPrefix = 
+						AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix();
+				boolean isValidDestination = false;
+				for (String allowedPreFix : allowedPublicURLPrefix) {
+					if (validateDestination && samlResp.getDestination().startsWith(
+							allowedPreFix)) {
+							isValidDestination = true;
+							break;
+					
+					}
+				}
+				if (!isValidDestination && validateDestination) {
+					Logger.warn("PVP 2.1 assertion destination does not match to IDP URL");
+					throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null);					
+					
+				}
+				
+				//check encrypted Assertion
+				List<EncryptedAssertion> encryAssertionList = samlResp.getEncryptedAssertions();
+				if (encryAssertionList != null && encryAssertionList.size() > 0) {
+					//decrypt assertions
+					
+					Logger.debug("Found encryped assertion. Start decryption ...");
+									
+					X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential();
+									
+					StaticKeyInfoCredentialResolver skicr =
+							  new StaticKeyInfoCredentialResolver(authDecCredential);
+					
+					ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver();
+					encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() );
+					encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() );
+					encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() );
+					
+					Decrypter samlDecrypter =
+							  new Decrypter(null, skicr, encryptedKeyResolver);
+					
+					for (EncryptedAssertion encAssertion : encryAssertionList) {							
+						saml2assertions.add(samlDecrypter.decrypt(encAssertion));
+	
+					}
+					
+					Logger.debug("Assertion decryption finished. ");
+					
+				} else {
+					saml2assertions.addAll(samlResp.getAssertions());
+			
+				}
+				
+				List<org.opensaml.saml2.core.Assertion> validatedassertions = new ArrayList<org.opensaml.saml2.core.Assertion>();				
+				for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) {
+					
+					try {
+						performSchemaValidation(saml2assertion.getDOM());
+											
+						Conditions conditions = saml2assertion.getConditions();
+					DateTime notbefore = conditions.getNotBefore().minusMinutes(5);
+					DateTime notafter = conditions.getNotOnOrAfter();
+					if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) {
+						Logger.warn("PVP2 Assertion is out of Date. "
+								+ "{ Current : " + new DateTime() 
+								+ " NotBefore: " + notbefore 
+								+ " NotAfter : " + notafter
+								+ " }");;
+											
+						} else {
+							validatedassertions.add(saml2assertion);
+						
+						}
+						
+					} catch (SchemaValidationException e) {
+						
+					}
+				}
+				
+				if (validatedassertions.isEmpty()) {
+					Logger.info("No valid PVP 2.1 assertion received.");
+					throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null);
+				}
+					
+				samlResp.getAssertions().clear();
+				samlResp.getEncryptedAssertions().clear();
+				samlResp.getAssertions().addAll(validatedassertions);
+				
+			} else {
+				Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " 
+						+ samlResp.getStatus().getStatusCode().getValue());
+				throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode " 
+						+ samlResp.getStatus().getStatusCode().getValue(), null);
+			}
+			
+		} catch (CredentialsNotAvailableException e) {
+			Logger.warn("Assertion decrypt FAILED - No Credentials", e);
+			throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e);
+			
+		} catch (DecryptionException e) {
+			Logger.warn("Assertion decrypt FAILED.", e);
+			throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e);
+			
+		} catch (ConfigurationException e) {
+			throw new AssertionValidationExeption("pvp.12", null, e);
+		} 		
+	}
 	
 	private static void performSchemaValidation(Element source) throws SchemaValidationException {
author	Thomas Lenz <tlenz@iaik.tugraz.at>	2016-02-22 14:31:15 +0100
committer	Thomas Lenz <tlenz@iaik.tugraz.at>	2016-02-22 14:31:15 +0100
commit	f0efa491345c6df32cc645ec7ff3141b62b43b4e (patch)
tree	25ee57d8433a705e2b0d080ca26ccf703d5c3395 /id/server/idserverlib
parent	2fc3b03239590d98ad776710f84444d1b4f65df3 (diff)
parent	dd2be368cdceab6b02bf9a73b6db08a05be53e69 (diff)
download	moa-id-spss-f0efa491345c6df32cc645ec7ff3141b62b43b4e.tar.gz moa-id-spss-f0efa491345c6df32cc645ec7ff3141b62b43b4e.tar.bz2 moa-id-spss-f0efa491345c6df32cc645ec7ff3141b62b43b4e.zip