aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java182
1 files changed, 159 insertions, 23 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
index 50f42d928..e5c897aa6 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java
@@ -23,12 +23,16 @@
package at.gv.egovernment.moa.id.protocols.pvp2x.builder;
import java.security.NoSuchAlgorithmException;
+import java.util.LinkedHashMap;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
import org.joda.time.DateTime;
+import org.opensaml.Configuration;
import org.opensaml.common.SAMLObject;
import org.opensaml.common.binding.BasicSAMLMessageContext;
import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
@@ -43,22 +47,32 @@ import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.core.StatusMessage;
import org.opensaml.saml2.core.StatusResponseType;
import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.IDPSSODescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml2.metadata.SSODescriptor;
import org.opensaml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml2.metadata.impl.SingleLogoutServiceBuilder;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
+import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.opensaml.xml.signature.Signer;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+import org.w3c.dom.Document;
import at.gv.egovernment.moa.id.auth.exception.AuthenticationException;
-import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
+import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore;
+import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore;
+import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider;
+import at.gv.egovernment.moa.id.data.ISLOInformationContainer;
import at.gv.egovernment.moa.id.data.SLOInformationContainer;
import at.gv.egovernment.moa.id.data.SLOInformationImpl;
import at.gv.egovernment.moa.id.opemsaml.MOAStringRedirectDeflateEncoder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder;
import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
@@ -69,18 +83,20 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NOSLOServiceDescripto
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMetadataInformationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
-import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
-import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
import at.gv.egovernment.moa.logging.Logger;
/**
* @author tlenz
*
*/
+@Service("PVP_SingleLogOutBuilder")
public class SingleLogOutBuilder {
- public static void checkStatusCode(SLOInformationContainer sloContainer, LogoutResponse logOutResp) {
+ @Autowired private IDPCredentialProvider credentialProvider;
+
+ public void checkStatusCode(ISLOInformationContainer sloContainer, LogoutResponse logOutResp) {
Status status = logOutResp.getStatus();
if (!status.getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) {
String message = " Message: ";
@@ -106,12 +122,12 @@ public class SingleLogOutBuilder {
* @param relayState
* @return
*/
- public static String getFrontChannelSLOMessageURL(String serviceURL, String bindingType,
+ public String getFrontChannelSLOMessageURL(String serviceURL, String bindingType,
RequestAbstractType sloReq, HttpServletRequest httpReq,
HttpServletResponse httpResp, String relayState) throws MOAIDException {
try {
- X509Credential credentials = CredentialProvider
+ X509Credential credentials = credentialProvider
.getIDPAssertionSigningCredential();
Logger.debug("create SAML RedirectBinding response");
@@ -138,12 +154,12 @@ public class SingleLogOutBuilder {
}
}
- public static String getFrontChannelSLOMessageURL(SingleLogoutService service,
+ public String getFrontChannelSLOMessageURL(SingleLogoutService service,
StatusResponseType sloResp, HttpServletRequest httpReq,
HttpServletResponse httpResp, String relayState) throws MOAIDException {
try {
- X509Credential credentials = CredentialProvider
+ X509Credential credentials = credentialProvider
.getIDPAssertionSigningCredential();
Logger.debug("create SAML RedirectBinding response");
@@ -166,7 +182,7 @@ public class SingleLogOutBuilder {
}
}
- public static void sendFrontChannelSLOMessage(SingleLogoutService consumerService,
+ public void sendFrontChannelSLOMessage(SingleLogoutService consumerService,
LogoutResponse sloResp, HttpServletRequest req, HttpServletResponse resp,
String relayState) throws MOAIDException {
IEncoder binding = null;
@@ -186,7 +202,8 @@ public class SingleLogOutBuilder {
try {
binding.encodeRespone(req, resp, sloResp,
- consumerService.getLocation(), relayState);
+ consumerService.getLocation(), relayState,
+ credentialProvider.getIDPAssertionSigningCredential());
} catch (MessageEncodingException e) {
Logger.error("Message Encoding exception", e);
@@ -200,7 +217,7 @@ public class SingleLogOutBuilder {
}
- public static LogoutRequest buildSLORequestMessage(SLOInformationImpl sloInfo) throws ConfigurationException, MOAIDException {
+ public LogoutRequest buildSLORequestMessage(SLOInformationImpl sloInfo) throws ConfigurationException, MOAIDException {
LogoutRequest sloReq = SAML2Utils.createSAMLObject(LogoutRequest.class);
SecureRandomIdentifierGenerator gen;
@@ -215,8 +232,8 @@ public class SingleLogOutBuilder {
}
DateTime now = new DateTime();
- Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
+ issuer.setValue(PVPConfiguration.getInstance().getIDPSSOMetadataService(sloInfo.getAuthURL()));
issuer.setFormat(NameID.ENTITY);
sloReq.setIssuer(issuer);
sloReq.setIssueInstant(now);
@@ -228,11 +245,39 @@ public class SingleLogOutBuilder {
nameID.setFormat(sloInfo.getUserNameIDFormat());
nameID.setValue(sloInfo.getUserNameIdentifier());
sloReq.setNameID(nameID );
-
+
+ //sign message
+ try {
+ X509Credential idpSigningCredential = credentialProvider.getIDPAssertionSigningCredential();
+
+ Signature signer = SAML2Utils.createSAMLObject(Signature.class);
+ signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+ signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+ signer.setSigningCredential(idpSigningCredential);
+ sloReq.setSignature(signer);
+
+ DocumentBuilder builder;
+ DocumentBuilderFactory factory = DocumentBuilderFactory
+ .newInstance();
+
+ builder = factory.newDocumentBuilder();
+ Document document = builder.newDocument();
+ Marshaller out = Configuration.getMarshallerFactory()
+ .getMarshaller(sloReq);
+ out.marshall(sloReq, document);
+
+ Signer.signObject(signer);
+
+ } catch (Exception e) {
+ Logger.error("Single LogOut request signing FAILED!", e);
+ throw new MOAIDException("pvp2.19", null);
+
+ }
+
return sloReq;
}
- public static LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest, String firstLevelStatusCode) throws ConfigurationException, MOAIDException {
+ public LogoutResponse buildSLOErrorResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest, String firstLevelStatusCode) throws ConfigurationException, MOAIDException {
LogoutResponse sloResp = buildBasicResponse(sloService, spRequest);
Status status = SAML2Utils.createSAMLObject(Status.class);
@@ -249,7 +294,7 @@ public class SingleLogOutBuilder {
return sloResp;
}
- public static LogoutResponse buildSLOResponseMessage(SingleLogoutService sloService, PVPTargetConfiguration spRequest, List<String> failedOAs) throws MOAIDException {
+ public LogoutResponse buildSLOResponseMessage(SingleLogoutService sloService, PVPTargetConfiguration spRequest, List<String> failedOAs) throws MOAIDException {
LogoutResponse sloResp = buildBasicResponse(sloService, spRequest);
Status status;
@@ -274,10 +319,11 @@ public class SingleLogOutBuilder {
}
- private static LogoutResponse buildBasicResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException {
+ private LogoutResponse buildBasicResponse(SingleLogoutService sloService, PVPTargetConfiguration spRequest) throws ConfigurationException, MOAIDException {
LogoutResponse sloResp = SAML2Utils.createSAMLObject(LogoutResponse.class);
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
+ issuer.setValue(PVPConfiguration.getInstance().getIDPSSOMetadataService(
+ spRequest.getAuthURLWithOutSlash()));
issuer.setFormat(NameID.ENTITY);
sloResp.setIssuer(issuer);
sloResp.setIssueInstant(new DateTime());
@@ -305,7 +351,7 @@ public class SingleLogOutBuilder {
}
- public static SingleLogoutService getRequestSLODescriptor(String entityID) throws NOSLOServiceDescriptorException {
+ public SingleLogoutService getRequestSLODescriptor(String entityID) throws NOSLOServiceDescriptorException {
try {
EntityDescriptor entity = MOAMetadataProvider.getInstance().getEntityDescriptor(entityID);
SSODescriptor spsso = entity.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
@@ -346,7 +392,7 @@ public class SingleLogOutBuilder {
}
- public static SingleLogoutService getResponseSLODescriptor(PVPTargetConfiguration spRequest) throws NoMetadataInformationException, NOSLOServiceDescriptorException {
+ public SingleLogoutService getResponseSLODescriptor(PVPTargetConfiguration spRequest) throws NoMetadataInformationException, NOSLOServiceDescriptorException {
MOARequest moaReq = (MOARequest) spRequest.getRequest();
EntityDescriptor metadata = moaReq.getEntityMetadata();
SSODescriptor ssodesc = metadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
@@ -382,4 +428,94 @@ public class SingleLogOutBuilder {
return sloService;
}
+ public void parseActiveOAs(SLOInformationContainer container,
+ List<OASessionStore> dbOAs, String removeOAID) {
+ if (container.getActiveBackChannelOAs() == null)
+ container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationImpl>());
+ if (container.getActiveFrontChannalOAs() == null)
+ container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationImpl>());
+
+
+ if (dbOAs != null) {
+ for (OASessionStore oa : dbOAs) {
+ if (!oa.getOaurlprefix().equals(removeOAID)) {
+
+ //Actually only PVP 2.1 support Single LogOut
+ if (PVP2XProtocol.NAME.equals(oa.getProtocolType())) {
+ SingleLogoutService sloDesc;
+ try {
+ sloDesc = getRequestSLODescriptor(oa.getOaurlprefix());
+
+ if (sloDesc.getBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI))
+ container.getActiveBackChannelOAs().put(oa.getOaurlprefix(),
+ new SLOInformationImpl(
+ oa.getAuthURL(),
+ oa.getOaurlprefix(),
+ oa.getAssertionSessionID(),
+ oa.getUserNameID(),
+ oa.getUserNameIDFormat(),
+ oa.getProtocolType(),
+ sloDesc));
+
+ else
+ container.getActiveFrontChannalOAs().put(oa.getOaurlprefix(),
+ new SLOInformationImpl(
+ oa.getAuthURL(),
+ oa.getOaurlprefix(),
+ oa.getAssertionSessionID(),
+ oa.getUserNameID(),
+ oa.getUserNameIDFormat(),
+ oa.getProtocolType(),
+ sloDesc));
+
+ } catch (NOSLOServiceDescriptorException e) {
+ container.putFailedOA(oa.getOaurlprefix());
+
+ }
+
+ } else
+ container.putFailedOA(oa.getOaurlprefix());
+ }
+ }
+ }
+ }
+
+ /**
+ * @param dbIDPs
+ * @param value
+ */
+ public void parseActiveIDPs(SLOInformationContainer container,
+ List<InterfederationSessionStore> dbIDPs, String removeIDP) {
+ if (container.getActiveBackChannelOAs() == null)
+ container.setActiveBackChannelOAs(new LinkedHashMap<String, SLOInformationImpl>());
+ if (container.getActiveFrontChannalOAs() == null)
+ container.setActiveFrontChannalOAs(new LinkedHashMap<String, SLOInformationImpl>());
+
+ if (dbIDPs != null) {
+ for (InterfederationSessionStore el : dbIDPs) {
+ if (!el.getIdpurlprefix().equals(removeIDP)) {
+
+ SingleLogoutService sloDesc;
+ try {
+ sloDesc = getRequestSLODescriptor(el.getIdpurlprefix());
+
+ container.getActiveFrontChannalOAs().put(el.getIdpurlprefix(),
+ new SLOInformationImpl(
+ el.getAuthURL(),
+ el.getIdpurlprefix(),
+ el.getSessionIndex(),
+ el.getUserNameID(),
+ NameID.TRANSIENT,
+ PVP2XProtocol.NAME,
+ sloDesc));
+
+ } catch (NOSLOServiceDescriptorException e) {
+ container.putFailedOA(el.getIdpurlprefix());
+
+ }
+ }
+ }
+ }
+ }
+
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-23 01:20:01 +0000