From 36a3ddc4e108efc7813b655b74e9919c00c9fd94 Mon Sep 17 00:00:00 2001 From: Andreas Fitzek Date: Thu, 2 May 2013 13:35:38 +0200 Subject: PVP2 basic authnrequest handling and assertion building --- .../moa/id/auth/AuthenticationServer.java | 14 +- .../auth/servlet/StartAuthenticationServlet.java | 4 +- .../moa/id/config/ConfigurationBuilder.java | 40 +-- .../moa/id/config/auth/OAAuthParameter.java | 32 +-- .../moa/id/entrypoints/DispatcherServlet.java | 44 ++- .../at/gv/egovernment/moa/id/moduls/IAction.java | 6 +- .../gv/egovernment/moa/id/moduls/IModulInfo.java | 5 +- .../id/protocols/pvp2x/AuthenticationAction.java | 10 +- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 67 ++++- .../id/protocols/pvp2x/PVPTargetConfiguration.java | 7 +- .../pvp2x/SAMLRequestNotSignedException.java | 17 ++ .../protocols/pvp2x/SAMLRequestNotSupported.java | 8 +- .../moa/id/protocols/pvp2x/binding/IDecoder.java | 4 +- .../moa/id/protocols/pvp2x/binding/IEncoder.java | 12 +- .../moa/id/protocols/pvp2x/binding/MOARequest.java | 40 +++ .../id/protocols/pvp2x/binding/MOAResponse.java | 38 +++ .../id/protocols/pvp2x/binding/PostBinding.java | 115 +++++++- .../protocols/pvp2x/binding/RedirectBinding.java | 176 ++++++++++-- .../pvp2x/metadata/MOAMetadataProvider.java | 76 ++++++ .../pvp2x/requestHandler/AuthnRequestHandler.java | 93 ++++++- .../pvp2x/requestHandler/IRequestHandler.java | 6 +- .../pvp2x/requestHandler/RequestManager.java | 9 +- .../moa/id/protocols/pvp2x/signer/SAMLSigner.java | 5 + .../id/protocols/pvp2x/utils/PrettyPrinter.java | 301 +++++++++++++++++++++ .../moa/id/protocols/pvp2x/utils/SAML2Utils.java | 44 +++ .../pvp2x/validation/ChainSAMLValidator.java | 28 ++ .../protocols/pvp2x/validation/ISAMLValidator.java | 9 + .../pvp2x/validation/SAMLSignatureValidator.java | 27 ++ .../pvp2x/verification/ChainSAMLVerifier.java | 28 ++ .../pvp2x/verification/ISAMLVerifier.java | 9 + .../pvp2x/verification/SAMLVerifierMOASP.java | 108 ++++++++ .../pvp2x/verification/TrustEngineFactory.java | 70 +++++ .../moa/id/protocols/saml1/GetArtifactAction.java | 4 + .../moa/id/protocols/saml1/SAML1Protocol.java | 5 + .../templates/pvp_postbinding_template.html | 51 ++++ 35 files changed, 1390 insertions(+), 122 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SAMLRequestNotSignedException.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAResponse.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/SAMLSigner.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ChainSAMLValidator.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ISAMLValidator.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/ChainSAMLVerifier.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/ISAMLVerifier.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java create mode 100644 id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html (limited to 'id/server/idserverlib/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 57c14b15e..afd25dcad 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -27,7 +27,6 @@ import iaik.pki.PKIException; import iaik.x509.X509Certificate; import java.io.ByteArrayInputStream; -import java.io.File; import java.io.IOException; import java.io.InputStream; import java.security.GeneralSecurityException; @@ -66,7 +65,6 @@ import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.ParseException; import at.gv.egovernment.moa.id.ServiceException; import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder; -import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.builder.CertInfoVerifyXMLSignatureRequestBuilder; import at.gv.egovernment.moa.id.auth.builder.CreateXMLSignatureRequestBuilder; @@ -75,7 +73,6 @@ import at.gv.egovernment.moa.id.auth.builder.GetIdentityLinkFormBuilder; import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilder; import at.gv.egovernment.moa.id.auth.builder.InfoboxValidatorParamsBuilder; import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder; -import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder; import at.gv.egovernment.moa.id.auth.builder.SelectBKUFormBuilder; import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; @@ -95,7 +92,6 @@ import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet; import at.gv.egovernment.moa.id.auth.stork.STORKAuthnRequestProcessor; -import at.gv.egovernment.moa.id.auth.stork.STORKException; import at.gv.egovernment.moa.id.auth.validator.CreateXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator; import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; @@ -2871,15 +2867,17 @@ public class AuthenticationServer implements MOAIDAuthConstants { String issuerValue = HTTPUtils.getBaseURL(req); Logger.debug("Issuer value: " + issuerValue); - QualityAuthenticationAssuranceLevel qaaLevel = STORKMessagesBuilder.buildQualityAuthenticationAssuranceLevel(oaParam.getQaaLevel().getValue()); + + QualityAuthenticationAssuranceLevel qaaLevel = null;//TODO UNCOMMENT AGAIN !! = STORKMessagesBuilder.buildQualityAuthenticationAssuranceLevel(oaParam.getQaaLevel().getValue()); Logger.debug("QAALevel: " + qaaLevel.getValue()); - RequestedAttributes requestedAttributes; + RequestedAttributes requestedAttributes = null; - requestedAttributes = oaParam.getRequestedAttributes(); + //TODO UNCOMMENT AGAIN !! requestedAttributes = oaParam.getRequestedAttributes(); requestedAttributes.detach(); List reqAttributeList = new ArrayList(); - List oaReqAttributeList = new ArrayList(oaParam.getRequestedAttributes().getRequestedAttributes()); + List oaReqAttributeList = null; + //TODO UNCOMMENT AGAIN !! oaReqAttributeList = new ArrayList(oaParam.getRequestedAttributes().getRequestedAttributes()); //check if country specific attributes must be additionally requested if (!cpeps.getCountrySpecificRequestedAttributes().isEmpty()) { //add country specific attributes to be requested (Hierarchy: default oa attributes > country specific attributes > oa specific attributes diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java index 2133d0455..54d96ee2e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/StartAuthenticationServlet.java @@ -116,7 +116,7 @@ public class StartAuthenticationServlet extends AuthServlet { String modul = request.requestedModule();//req.getParameter(PARAM_MODUL); String action = request.requestedAction();//req.getParameter(PARAM_ACTION); - + request.getOAURL(); // escape parameter strings //TODO: use URLEncoder.encode!! target = StringEscapeUtils.escapeHtml(target); @@ -130,6 +130,8 @@ public class StartAuthenticationServlet extends AuthServlet { modul = StringEscapeUtils.escapeHtml(modul); action = StringEscapeUtils.escapeHtml(action); + oaURL = request.getOAURL(); + setNoCachingHeadersInHttpRespone(req, resp); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java index 839de48bf..2f138fbfc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationBuilder.java @@ -704,28 +704,28 @@ public List getTrustedTemplateURLs() { } //add STORK Configuration specific to OA (RequestedAttributes, QAALevel) - QualityAuthenticationAssuranceLevel qaaLevel = buildOaSTORKQAALevel(authComponent); - if (qaaLevel != null) { - oap.setQaaLevel(qaaLevel); - Logger.debug("Using non-MOA-default STORK QAALevel for this OA " + "(" + oap.getPublicURLPrefix() + "): " + qaaLevel.getValue()); - } - - RequestedAttributes additionalRequestedAttributes = buildOaSTORKRequestedAttributes(authComponent); + //QualityAuthenticationAssuranceLevel qaaLevel = buildOaSTORKQAALevel(authComponent); + //if (qaaLevel != null) { + // oap.setQaaLevel(qaaLevel); + // Logger.debug("Using non-MOA-default STORK QAALevel for this OA " + "(" + oap.getPublicURLPrefix() + "): " + qaaLevel.getValue()); + //} - if(!additionalRequestedAttributes.getRequestedAttributes().isEmpty()) { - //we have additional STORK attributes to request for this OA - Logger.debug("Using non-MOA-default STORK RequestedAttributes for this OA " + "(" + oap.getPublicURLPrefix() + "): "); - for (RequestedAttribute addReqAttr : additionalRequestedAttributes.getRequestedAttributes()) { - if (!SAMLUtil.containsAttribute(oap.getRequestedAttributes().getRequestedAttributes(),addReqAttr.getName())) { - addReqAttr.detach(); - oap.getRequestedAttributes().getRequestedAttributes().add(addReqAttr); - Logger.debug("Requesting additional attribute: " + addReqAttr.getName() + ", isRequired: " + addReqAttr.isRequired()); - } - } + //RequestedAttributes additionalRequestedAttributes = buildOaSTORKRequestedAttributes(authComponent); + // + //if(!additionalRequestedAttributes.getRequestedAttributes().isEmpty()) { + // //we have additional STORK attributes to request for this OA + // Logger.debug("Using non-MOA-default STORK RequestedAttributes for this OA " + "(" + oap.getPublicURLPrefix() + "): "); + // for (RequestedAttribute addReqAttr : additionalRequestedAttributes.getRequestedAttributes()) { + // if (!SAMLUtil.containsAttribute(oap.getRequestedAttributes().getRequestedAttributes(),addReqAttr.getName())) { + /// addReqAttr.detach(); + // oap.getRequestedAttributes().getRequestedAttributes().add(addReqAttr); + // Logger.debug("Requesting additional attribute: " + addReqAttr.getName() + ", isRequired: " + addReqAttr.isRequired()); + // } + // } - } else { - //do nothing, only request default attributes - } + //} else { + // //do nothing, only request default attributes + //} } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 091a01bf7..10dd2cfea 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -133,17 +133,17 @@ public class OAAuthParameter extends OAParameter { /** * STORK QAA Level, Default = 4 */ - private QualityAuthenticationAssuranceLevel qaaLevel = STORKMessagesBuilder.buildQualityAuthenticationAssuranceLevel(4); + // private QualityAuthenticationAssuranceLevel qaaLevel = STORKMessagesBuilder.buildQualityAuthenticationAssuranceLevel(4); /** * STORK RequestedAttributes for Online Application * Default RequestedAttributes are: eIdentifier, givenName, surname, dateOfBirth */ - private RequestedAttributes requestedAttributes = STORKMessagesBuilder.buildRequestedAttributes( - STORKMessagesBuilder.buildRequestedAttribute(STORKConstants.STORK_ATTRIBUTE_EIDENTIFIER, true, null), - STORKMessagesBuilder.buildRequestedAttribute(STORKConstants.STORK_ATTRIBUTE_GIVENNAME, true, null), - STORKMessagesBuilder.buildRequestedAttribute(STORKConstants.STORK_ATTRIBUTE_SURNAME, true, null), - STORKMessagesBuilder.buildRequestedAttribute(STORKConstants.STORK_ATTRIBUTE_DATEOFBIRTH, false, null)); + //private RequestedAttributes requestedAttributes = STORKMessagesBuilder.buildRequestedAttributes( +// STORKMessagesBuilder.buildRequestedAttribute(STORKConstants.STORK_ATTRIBUTE_EIDENTIFIER, true, null), +// STORKMessagesBuilder.buildRequestedAttribute(STORKConstants.STORK_ATTRIBUTE_GIVENNAME, true, null), +// STORKMessagesBuilder.buildRequestedAttribute(STORKConstants.STORK_ATTRIBUTE_SURNAME, true, null), +// STORKMessagesBuilder.buildRequestedAttribute(STORKConstants.STORK_ATTRIBUTE_DATEOFBIRTH, false, null)); /** @@ -469,33 +469,33 @@ public class OAAuthParameter extends OAParameter { * Returns the defined STORK QAALevel * @return STORK QAALevel */ - public QualityAuthenticationAssuranceLevel getQaaLevel() { + /*public QualityAuthenticationAssuranceLevel getQaaLevel() { return qaaLevel; - } + }*/ /** * Sets the STORK QAALevel * @param qaaLevel */ - public void setQaaLevel(QualityAuthenticationAssuranceLevel qaaLevel) { + /*public void setQaaLevel(QualityAuthenticationAssuranceLevel qaaLevel) { this.qaaLevel = qaaLevel; - } + }*/ /** * Returns the desired STORK Requested Attributes * @return STORK Requested Attributes */ - public RequestedAttributes getRequestedAttributes() { - return requestedAttributes; - } + //public RequestedAttributes getRequestedAttributes() { + // return requestedAttributes; + //} /** * Sets the desired STORK Requested Attributes * @param requestedAttributes */ - public void setRequestedAttributes(RequestedAttributes requestedAttributes) { - this.requestedAttributes = requestedAttributes; - } + //public void setRequestedAttributes(RequestedAttributes requestedAttributes) { + // this.requestedAttributes = requestedAttributes; + //} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java index 72ade4f25..27cd2b5a5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/entrypoints/DispatcherServlet.java @@ -1,6 +1,7 @@ package at.gv.egovernment.moa.id.entrypoints; import java.io.IOException; +import java.util.Iterator; import javax.servlet.ServletConfig; import javax.servlet.ServletException; @@ -142,18 +143,39 @@ public class DispatcherServlet extends AuthServlet { IModulInfo info = ModulStorage.getModuleByPath(module); + IAction moduleAction = null; + if (info == null) { - resp.sendError(HttpServletResponse.SC_NOT_FOUND); - Logger.error("Protocol " + module + " has no module registered"); - return; - } - IAction moduleAction = info.getAction(action); + Iterator modules = ModulStorage.getAllModules() + .iterator(); + while (modules.hasNext()) { + info = modules.next(); + moduleAction = info.canHandleRequest(req, resp); + if (moduleAction != null) { + action = moduleAction.getDefaultActionName(); + module = info.getPath(); + break; + } + info = null; + } + + if (moduleAction == null) { + resp.sendError(HttpServletResponse.SC_NOT_FOUND); + Logger.error("Protocol " + module + + " has no module registered"); + return; + } + } if (moduleAction == null) { - resp.sendError(HttpServletResponse.SC_NOT_FOUND); - Logger.error("Action " + action + " is not available!"); - return; + moduleAction = info.getAction(action); + + if (moduleAction == null) { + resp.sendError(HttpServletResponse.SC_NOT_FOUND); + Logger.error("Action " + action + " is not available!"); + return; + } } HttpSession httpSession = req.getSession(); @@ -175,7 +197,7 @@ public class DispatcherServlet extends AuthServlet { if (protocolRequest == null) { protocolRequest = info.preProcess(req, resp, action); - if(protocolRequest != null) { + if (protocolRequest != null) { protocolRequest.setAction(action); protocolRequest.setModule(module); } @@ -188,7 +210,7 @@ public class DispatcherServlet extends AuthServlet { } RequestStorage.setPendingRequest(httpSession, protocolRequest); - + if (moduleAction.needAuthentication(protocolRequest, req, resp)) { if (protocolRequest.isPassiv() && protocolRequest.forceAuth()) { @@ -230,7 +252,7 @@ public class DispatcherServlet extends AuthServlet { moduleAction.processRequest(protocolRequest, req, resp); RequestStorage.removePendingRequest(httpSession); - + } catch (Throwable e) { // Try handle module specific, if not possible rethrow if (!info.generateErrorMessage(e, req, resp)) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java index 10f3ff696..6630693a6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IAction.java @@ -3,9 +3,13 @@ package at.gv.egovernment.moa.id.moduls; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; public interface IAction extends MOAIDAuthConstants { - public void processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp); + public void processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) + throws MOAIDException; public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp); + + public String getDefaultActionName(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IModulInfo.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IModulInfo.java index 0098ec5af..181955c2a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IModulInfo.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IModulInfo.java @@ -1,7 +1,5 @@ package at.gv.egovernment.moa.id.moduls; -import java.util.List; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -18,5 +16,8 @@ public interface IModulInfo { HttpServletResponse response, String action) throws MOAIDException; + public IAction canHandleRequest(HttpServletRequest request, + HttpServletResponse response); + public boolean generateErrorMessage(Throwable e,HttpServletRequest request, HttpServletResponse response); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java index efdfd9c47..17f1b631b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java @@ -3,14 +3,18 @@ package at.gv.egovernment.moa.id.protocols.pvp2x; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler.RequestManager; public class AuthenticationAction implements IAction { public void processRequest(IRequest req, HttpServletRequest httpReq, - HttpServletResponse httpResp) { + HttpServletResponse httpResp) throws MOAIDException { System.out.println("Process PVP2 auth request!"); + PVPTargetConfiguration pvpRequest = (PVPTargetConfiguration) req; + RequestManager.getInstance().handle(pvpRequest.request, httpReq, httpResp); } public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, @@ -18,4 +22,8 @@ public class AuthenticationAction implements IAction { return true; } + public String getDefaultActionName() { + return (PVP2XProtocol.REDIRECT); + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index fa5ff9ecf..847f1ae54 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -11,6 +11,8 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringEscapeUtils; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.AuthnRequest; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.Status; @@ -27,9 +29,15 @@ import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException; import at.gv.egovernment.moa.id.moduls.ServletInfo; import at.gv.egovernment.moa.id.moduls.ServletType; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.protocols.pvp2x.validation.ChainSAMLValidator; +import at.gv.egovernment.moa.id.protocols.pvp2x.validation.SAMLSignatureValidator; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.ChainSAMLVerifier; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerifierMOASP; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { @@ -46,6 +54,10 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { private static HashMap actions = new HashMap(); + private ChainSAMLVerifier samlVerifier = new ChainSAMLVerifier(); + + private ChainSAMLValidator samlValidator = new ChainSAMLValidator(); + static { servletList.add(new ServletInfo(PVPProcessor.class, REDIRECT, ServletType.AUTH)); @@ -94,6 +106,14 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { return null; } + public PVP2XProtocol() { + super(); + + samlVerifier.addVerifier(new SAMLVerifierMOASP()); + + samlValidator.addValidator(new SAMLSignatureValidator()); + } + public IRequest preProcess(HttpServletRequest request, HttpServletResponse response, String action) throws MOAIDException { @@ -104,15 +124,46 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { try { PVPTargetConfiguration config = new PVPTargetConfiguration(); - RequestAbstractType samlReq = decoder.decodeRequest(request, response); - - String oaURL = (String) request.getParameter(PARAM_OA); + MOARequest moaRequest = decoder.decodeRequest(request, response); + + RequestAbstractType samlReq = moaRequest.getSamlRequest(); + + //String xml = PrettyPrinter.prettyPrint(SAML2Utils.asDOMDocument(samlReq)); + + //Logger.info("SAML : " + xml); + + // TODO: verify samlReq + //samlValidator.validateRequest(samlReq); + + // TODO: validate samlReq for + //samlVerifier.verifyRequest(samlReq); + + // TODO: OAURL is AssertionConsumerService URL from entitydescriptor ... + + if(!(samlReq instanceof AuthnRequest)) { + throw new MOAIDException("Unsupported request", new Object[] {}); + } + + AuthnRequest authnRequest = (AuthnRequest)samlReq; + + Integer aIdx = authnRequest.getAssertionConsumerServiceIndex(); + int idx = 0; + + if(aIdx != null) { + idx = aIdx.intValue(); + } + + String oaURL = moaRequest.getEntityMetadata(). + getSPSSODescriptor(SAMLConstants.SAML20P_NS). + getAssertionConsumerServices().get(idx).getLocation(); + + //String oaURL = (String) request.getParameter(PARAM_OA); oaURL = StringEscapeUtils.escapeHtml(oaURL); if (!ParamValidatorUtils.isValidOA(oaURL)) throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); config.setOAURL(oaURL); - config.setRequest(samlReq); + config.setRequest(moaRequest); request.getSession().setAttribute(PARAM_OA, oaURL); return config; @@ -146,4 +197,12 @@ public class PVP2XProtocol implements IModulInfo, MOAIDAuthConstants { return actions.get(action); } + public IAction canHandleRequest(HttpServletRequest request, + HttpServletResponse response) { + if(request.getParameter("SAMLRequest") != null) { + return getAction(REDIRECT); + } + return null; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index 4f4dedc76..f19602c1e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -3,15 +3,16 @@ package at.gv.egovernment.moa.id.protocols.pvp2x; import org.opensaml.saml2.core.RequestAbstractType; import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; public class PVPTargetConfiguration extends RequestImpl { - RequestAbstractType request; + MOARequest request; - public RequestAbstractType getRequest() { + public MOARequest getRequest() { return request; } - public void setRequest(RequestAbstractType request) { + public void setRequest(MOARequest request) { this.request = request; } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SAMLRequestNotSignedException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SAMLRequestNotSignedException.java new file mode 100644 index 000000000..40f5685ad --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SAMLRequestNotSignedException.java @@ -0,0 +1,17 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x; + +import at.gv.egovernment.moa.id.MOAIDException; + +public class SAMLRequestNotSignedException extends MOAIDException { + + public SAMLRequestNotSignedException(String messageId, Object[] parameters) { + super(messageId, parameters); + // TODO Auto-generated constructor stub + } + + /** + * + */ + private static final long serialVersionUID = 1L; + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SAMLRequestNotSupported.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SAMLRequestNotSupported.java index 3a71495c1..16b388a09 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SAMLRequestNotSupported.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SAMLRequestNotSupported.java @@ -1,6 +1,12 @@ package at.gv.egovernment.moa.id.protocols.pvp2x; -public class SAMLRequestNotSupported extends Exception { +import at.gv.egovernment.moa.id.MOAIDException; + +public class SAMLRequestNotSupported extends MOAIDException { + + public SAMLRequestNotSupported(String messageId, Object[] parameters) { + super(messageId, parameters); + } /** * diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java index 0e7dd3377..8e27de7a5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java @@ -9,11 +9,11 @@ import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.xml.security.SecurityException; public interface IDecoder { - public RequestAbstractType decodeRequest(HttpServletRequest req, + public MOARequest decodeRequest(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException; - public Response decodeRespone(HttpServletRequest req, + public MOAResponse decodeRespone(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java index 8df44c270..f2c392a2a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java @@ -4,16 +4,16 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.Response; -import org.opensaml.ws.message.decoder.MessageDecodingException; +import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; public interface IEncoder { public void encodeRequest(HttpServletRequest req, - HttpServletResponse resp, RequestAbstractType request) - throws MessageDecodingException, SecurityException; + HttpServletResponse resp, RequestAbstractType request, String targetLocation) + throws MessageEncodingException, SecurityException; public void encodeRespone(HttpServletRequest req, - HttpServletResponse resp, Response response) - throws MessageDecodingException, SecurityException; + HttpServletResponse resp, StatusResponseType response, String targetLocation) + throws MessageEncodingException, SecurityException; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java new file mode 100644 index 000000000..946f62066 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOARequest.java @@ -0,0 +1,40 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.binding; + +import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.saml2.metadata.EntityDescriptor; + +public class MOARequest { + private RequestAbstractType samlRequest; + private EntityDescriptor entityMetadata; + private boolean verified = false; + + public MOARequest(RequestAbstractType request) { + samlRequest = request; + } + + public RequestAbstractType getSamlRequest() { + return samlRequest; + } + + public void setSamlRequest(RequestAbstractType request) { + this.samlRequest = request; + } + + public boolean isVerified() { + return verified; + } + + public void setVerified(boolean verified) { + this.verified = verified; + } + + public EntityDescriptor getEntityMetadata() { + return entityMetadata; + } + + public void setEntityMetadata(EntityDescriptor entityMetadata) { + this.entityMetadata = entityMetadata; + } + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAResponse.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAResponse.java new file mode 100644 index 000000000..47f935b0c --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/MOAResponse.java @@ -0,0 +1,38 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.binding; + +import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.metadata.EntityDescriptor; + +public class MOAResponse { + private Response samlResponse; + private EntityDescriptor entityMetadata; + private boolean verified = false; + + public MOAResponse(Response response) { + samlResponse = response; + } + + public Response getSamlResponse() { + return samlResponse; + } + + public void setSamlResponse(Response samlResponse) { + this.samlResponse = samlResponse; + } + + public boolean isVerified() { + return verified; + } + + public void setVerified(boolean verified) { + this.verified = verified; + } + + public EntityDescriptor getEntityMetadata() { + return entityMetadata; + } + + public void setEntityMetadata(EntityDescriptor entityMetadata) { + this.entityMetadata = entityMetadata; + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index cb0f0f8d8..06ce311cf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -1,40 +1,134 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; + import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.velocity.app.VelocityEngine; +import org.apache.velocity.runtime.RuntimeConstants; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; import org.opensaml.saml2.binding.decoding.HTTPPostDecoder; +import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; +import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.metadata.SingleSignOnService; +import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; import org.opensaml.ws.message.decoder.MessageDecodingException; +import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.ws.transport.http.HttpServletRequestAdapter; +import org.opensaml.ws.transport.http.HttpServletResponseAdapter; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.credential.BasicCredential; +import org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; public class PostBinding implements IDecoder, IEncoder { public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request) throws MessageDecodingException, + RequestAbstractType request, String targetLocation) throws MessageEncodingException, SecurityException{ // TODO Auto-generated method stub } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, - Response response) throws MessageDecodingException, + StatusResponseType response, String targetLocation) throws MessageEncodingException, SecurityException{ - // TODO Auto-generated method stub - + KeyStore keyStore; + + try { + keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); + + FileInputStream inputStream = new FileInputStream( + "/home/afitzek/server/moaid_conf/moaid/pvp.ks"); + keyStore.load(inputStream, "123456".toCharArray()); + inputStream.close(); + + BasicCredential credentials = new BasicCredential(); + PrivateKey key = (PrivateKey) keyStore.getKey("pvpIDP", + "123456".toCharArray()); + Certificate cert = keyStore.getCertificate("pvpIDP"); + credentials.setPublicKey(cert.getPublicKey()); + credentials.setPrivateKey(key); + credentials.setUsageType(UsageType.SIGNING); + + Signature signer = SAML2Utils.createSAMLObject(Signature.class); + signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1); + signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); + signer.setSigningCredential(credentials); + + response.setSignature(signer); + + VelocityEngine engine = new VelocityEngine(); + engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8"); + engine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8"); + engine.setProperty(RuntimeConstants.ENCODING_DEFAULT, "UTF-8"); + engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath"); + engine.setProperty("classpath.resource.loader.class", + "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader"); + engine.init(); + + HTTPPostEncoder encoder = new HTTPPostEncoder(engine, + "resources/templates/pvp_postbinding_template.html"); + HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( + resp, true); + BasicSAMLMessageContext context = new BasicSAMLMessageContext(); + SingleSignOnService service = new SingleSignOnServiceBuilder() + .buildObject(); + service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT"); + service.setLocation(targetLocation); + context.setOutboundSAMLMessageSigningCredential(credentials); + context.setPeerEntityEndpoint(service); + // context.setOutboundMessage(authReq); + context.setOutboundSAMLMessage(response); + context.setOutboundMessageTransport(responseAdapter); + + encoder.encode(context); + } catch (KeyStoreException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (FileNotFoundException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (NoSuchAlgorithmException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (CertificateException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (IOException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (UnrecoverableKeyException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } } - public RequestAbstractType decodeRequest(HttpServletRequest req, + public MOARequest decodeRequest(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException{ + + HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); @@ -45,11 +139,14 @@ public class PostBinding implements IDecoder, IEncoder { RequestAbstractType inboundMessage = (RequestAbstractType) messageContext .getInboundMessage(); - return inboundMessage; + + MOARequest request = new MOARequest(inboundMessage); + + return request; } - public Response decodeRespone(HttpServletRequest req, + public MOAResponse decodeRespone(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException{ @@ -63,7 +160,9 @@ public class PostBinding implements IDecoder, IEncoder { Response inboundMessage = (Response) messageContext .getInboundMessage(); - return inboundMessage; + + MOAResponse moaResponse = new MOAResponse(inboundMessage); + return moaResponse; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index d2951baf0..2cae67e97 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -1,73 +1,193 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; + import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder; +import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; +import org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.SingleSignOnService; +import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.opensaml.ws.message.decoder.MessageDecodingException; +import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.ws.security.SecurityPolicyResolver; +import org.opensaml.ws.security.provider.BasicSecurityPolicy; +import org.opensaml.ws.security.provider.StaticSecurityPolicyResolver; import org.opensaml.ws.transport.http.HttpServletRequestAdapter; +import org.opensaml.ws.transport.http.HttpServletResponseAdapter; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.credential.BasicCredential; +import org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; public class RedirectBinding implements IDecoder, IEncoder { public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request) throws MessageDecodingException, - SecurityException { - + RequestAbstractType request, String targetLocation) + throws MessageEncodingException, SecurityException { + } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, - Response response) throws MessageDecodingException, - SecurityException { - // TODO Auto-generated method stub - + StatusResponseType response, String targetLocation) + throws MessageEncodingException, SecurityException { + KeyStore keyStore; + + try { + keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); + + FileInputStream inputStream = new FileInputStream( + "/home/afitzek/server/moaid_conf/moaid/pvp.ks"); + keyStore.load(inputStream, "123456".toCharArray()); + inputStream.close(); + + BasicCredential credentials = new BasicCredential(); + PrivateKey key = (PrivateKey) keyStore.getKey("pvpIDP", + "123456".toCharArray()); + Certificate cert = keyStore.getCertificate("pvpIDP"); + credentials.setPublicKey(cert.getPublicKey()); + credentials.setPrivateKey(key); + credentials.setUsageType(UsageType.SIGNING); + + Signature signer = SAML2Utils.createSAMLObject(Signature.class); + signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1); + signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); + signer.setSigningCredential(credentials); + + response.setSignature(signer); + + HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder(); + HttpServletResponseAdapter responseAdapter = new HttpServletResponseAdapter( + resp, true); + BasicSAMLMessageContext context = new BasicSAMLMessageContext(); + SingleSignOnService service = new SingleSignOnServiceBuilder() + .buildObject(); + service.setBinding("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-REDIRECT"); + service.setLocation(targetLocation); + context.setOutboundSAMLMessageSigningCredential(credentials); + context.setPeerEntityEndpoint(service); + // context.setOutboundMessage(authReq); + context.setOutboundSAMLMessage(response); + context.setOutboundMessageTransport(responseAdapter); + + encoder.encode(context); + } catch (KeyStoreException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (FileNotFoundException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (NoSuchAlgorithmException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (CertificateException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (IOException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (UnrecoverableKeyException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + } - public RequestAbstractType decodeRequest(HttpServletRequest req, + public MOARequest decodeRequest(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException { - + HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( new BasicParserPool()); - BasicSAMLMessageContext messageContext = - new BasicSAMLMessageContext(); + BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter( - req)); - + .setInboundMessageTransport(new HttpServletRequestAdapter(req)); + + try { + messageContext.setMetadataProvider(new MOAMetadataProvider()); + } catch (MetadataProviderException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + + SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( + TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + + BasicSecurityPolicy policy = new BasicSecurityPolicy(); + policy.getPolicyRules().add(signatureRule); + SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( + policy); + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + messageContext.setSecurityPolicyResolver(resolver); decode.decode(messageContext); - RequestAbstractType inboundMessage = (RequestAbstractType)messageContext.getInboundMessage(); - - return inboundMessage; + signatureRule.evaluate(messageContext); + + RequestAbstractType inboundMessage = (RequestAbstractType) messageContext + .getInboundMessage(); + MOARequest request = new MOARequest(inboundMessage); + request.setVerified(true); + request.setEntityMetadata(messageContext.getPeerEntityMetadata()); + return request; } - public Response decodeRespone(HttpServletRequest req, + public MOAResponse decodeRespone(HttpServletRequest req, HttpServletResponse resp) throws MessageDecodingException, SecurityException { - + HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( new BasicParserPool()); - BasicSAMLMessageContext messageContext = - new BasicSAMLMessageContext(); + BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); messageContext - .setInboundMessageTransport(new HttpServletRequestAdapter( - req)); - + .setInboundMessageTransport(new HttpServletRequestAdapter(req)); + + // TODO: used to verify signature! + SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( + TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + + // signatureRule.evaluate(messageContext); + BasicSecurityPolicy policy = new BasicSecurityPolicy(); + policy.getPolicyRules().add(signatureRule); + SecurityPolicyResolver resolver = new StaticSecurityPolicyResolver( + policy); + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + messageContext.setSecurityPolicyResolver(resolver); + decode.decode(messageContext); - Response inboundMessage = (Response)messageContext.getInboundMessage(); - - return inboundMessage; + Response inboundMessage = (Response) messageContext.getInboundMessage(); + + MOAResponse moaResponse = new MOAResponse(inboundMessage); + moaResponse.setVerified(true); + moaResponse.setEntityMetadata(messageContext.getPeerEntityMetadata()); + return moaResponse; } - + public boolean handleDecode(String action) { return (action.equals(PVP2XProtocol.REDIRECT)); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java new file mode 100644 index 000000000..8dad932e2 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -0,0 +1,76 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.metadata; + +import java.io.File; +import java.util.List; + +import javax.xml.namespace.QName; + +import org.opensaml.DefaultBootstrap; +import org.opensaml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.RoleDescriptor; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.saml2.metadata.provider.MetadataProvider; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider; +import org.opensaml.xml.ConfigurationException; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.parse.BasicParserPool; + +public class MOAMetadataProvider implements MetadataProvider { + + MetadataProvider internalProvider; + + private static final String MD_FILE = "/home/afitzek/server/moaid_conf/moaid/metadata/samplePVP_MD.xml"; + //private static final String MD_FILE = "/home/afitzek/server/moaid_conf/moaid/metadata/md_provider.xml"; + + public MOAMetadataProvider() throws MetadataProviderException { + FilesystemMetadataProvider fsProvider = new FilesystemMetadataProvider( + new File(MD_FILE)); + fsProvider.setParserPool(new BasicParserPool()); + internalProvider = fsProvider; + fsProvider.initialize(); + } + + public boolean requireValidMetadata() { + return internalProvider.requireValidMetadata(); + } + + public void setRequireValidMetadata(boolean requireValidMetadata) { + internalProvider.setRequireValidMetadata(requireValidMetadata); + } + + public MetadataFilter getMetadataFilter() { + return internalProvider.getMetadataFilter(); + } + + public void setMetadataFilter(MetadataFilter newFilter) + throws MetadataProviderException { + internalProvider.setMetadataFilter(newFilter); + } + + public XMLObject getMetadata() throws MetadataProviderException { + return internalProvider.getMetadata(); + } + + public EntitiesDescriptor getEntitiesDescriptor(String name) + throws MetadataProviderException { + return internalProvider.getEntitiesDescriptor(name); + } + + public EntityDescriptor getEntityDescriptor(String entityID) + throws MetadataProviderException { + return internalProvider.getEntityDescriptor(entityID); + } + + public List getRole(String entityID, QName roleName) + throws MetadataProviderException { + return internalProvider.getRole(entityID, roleName); + } + + public RoleDescriptor getRole(String entityID, QName roleName, + String supportedProtocol) throws MetadataProviderException { + return internalProvider.getRole(entityID, roleName, supportedProtocol); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java index cdc0a9914..4af35e325 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/AuthnRequestHandler.java @@ -3,22 +3,109 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.requestHandler; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.joda.time.DateTime; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.ArtifactResponse; +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.AuthnContext; +import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml2.core.AuthnStatement; +import org.opensaml.saml2.core.BaseID; +import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.saml2.core.Subject; +import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.xml.security.SecurityException; + +import edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.StoredIDStore.PersistentIdEntry; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.moduls.AuthenticationManager; +import at.gv.egovernment.moa.id.moduls.AuthenticationSessionStore; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.util.HTTPUtils; public class AuthnRequestHandler implements IRequestHandler { - public boolean handleObject(RequestAbstractType obj) { - return (obj instanceof AuthnRequest); + public boolean handleObject(MOARequest obj) { + return (obj.getSamlRequest() instanceof AuthnRequest); } - public void process(RequestAbstractType obj, HttpServletRequest req, + public void process(MOARequest obj, HttpServletRequest req, HttpServletResponse resp) { if(!handleObject(obj)) { // TODO: throw exception return; } + AuthnRequest authnRequest = (AuthnRequest)obj.getSamlRequest(); + + Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class); + + AuthnContextClassRef authnContextClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class); + authnContextClassRef.setAuthnContextClassRef(AuthnContext.SMARTCARD_PKI_AUTHN_CTX); + + AuthnContext authnContext = SAML2Utils.createSAMLObject(AuthnContext.class); + authnContext.setAuthnContextClassRef(authnContextClassRef); + + AuthnStatement authnStatement = SAML2Utils.createSAMLObject(AuthnStatement.class); + + authnStatement.setAuthnInstant(new DateTime()); + authnStatement.setAuthnContext(authnContext); + + assertion.getAuthnStatements().add(authnStatement); + + AuthenticationSession authSession = + AuthenticationManager.getAuthenticationSession(req.getSession()); + + Subject subject = SAML2Utils.createSAMLObject(Subject.class); + NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); + subjectNameID.setFormat(NameID.PERSISTENT); + subjectNameID.setValue(authSession.getAuthData().getIdentificationValue()); + subject.setNameID(subjectNameID); + + Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); + issuer.setValue("pvpIDP"); + assertion.setIssuer(issuer); + assertion.setSubject(subject); + + ArtifactResponse authResponse = SAML2Utils.createSAMLObject(ArtifactResponse.class); + + Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); + nissuer.setValue("pvpIDP"); + authResponse.setIssuer(nissuer); + authResponse.setInResponseTo(authnRequest.getID()); + authResponse.setMessage(assertion); + authResponse.setStatus(SAML2Utils.getSuccessStatus()); + + Integer aIdx = authnRequest.getAssertionConsumerServiceIndex(); + int idx = 0; + + if(aIdx != null) { + idx = aIdx.intValue(); + } + + String oaURL = obj.getEntityMetadata(). + getSPSSODescriptor(SAMLConstants.SAML20P_NS). + getAssertionConsumerServices().get(idx).getLocation(); + + IEncoder binding = new PostBinding(); + try { + binding.encodeRespone(req, resp, authResponse, oaURL); + } catch (MessageEncodingException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (SecurityException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + System.out.println("AuthnRequest"); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java index a73737f15..74e8d8d4b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/IRequestHandler.java @@ -5,9 +5,11 @@ import javax.servlet.http.HttpServletResponse; import org.opensaml.saml2.core.RequestAbstractType; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; + public interface IRequestHandler { - public boolean handleObject(RequestAbstractType obj); + public boolean handleObject(MOARequest obj); - public void process(RequestAbstractType obj, HttpServletRequest req, + public void process(MOARequest obj, HttpServletRequest req, HttpServletResponse resp); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java index 2fe24b707..3f1049482 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/requestHandler/RequestManager.java @@ -7,9 +7,8 @@ import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.opensaml.saml2.core.RequestAbstractType; - import at.gv.egovernment.moa.id.protocols.pvp2x.SAMLRequestNotSupported; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOARequest; public class RequestManager { @@ -26,10 +25,10 @@ public class RequestManager { private RequestManager() { handler = new ArrayList(); - + handler.add(new AuthnRequestHandler()); } - public void handle(RequestAbstractType obj, HttpServletRequest req, HttpServletResponse resp) + public void handle(MOARequest obj, HttpServletRequest req, HttpServletResponse resp) throws SAMLRequestNotSupported { Iterator it = handler.iterator(); while(it.hasNext()) { @@ -41,6 +40,6 @@ public class RequestManager { } // not handled - throw new SAMLRequestNotSupported(); + throw new SAMLRequestNotSupported("NOTSUPPORTED", null); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/SAMLSigner.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/SAMLSigner.java new file mode 100644 index 000000000..b88998cd1 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/SAMLSigner.java @@ -0,0 +1,5 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.signer; + +public class SAMLSigner { + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java new file mode 100644 index 000000000..807da0ebe --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/PrettyPrinter.java @@ -0,0 +1,301 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.utils; + +import java.io.*; +import javax.xml.parsers.*; +import javax.xml.transform.*; +import javax.xml.transform.dom.*; +import javax.xml.transform.stream.*; + +import org.w3c.dom.Document; + +import org.xml.sax.*; +import org.xml.sax.helpers.*; + + +/** +This class "pretty prints" an XML stream to something more human-readable. +It duplicates the character content with some modifications to whitespace, +restoring line breaks and a simple pattern of indenting child elements. + +This version of the class acts as a SAX 2.0 DefaultHandler, +so to provide the unformatted XML just pass a new instance to a SAX parser. +Its output is via the {@link #toString toString} method. + +One major limitation: we gather character data for elements in a single +buffer, so mixed-content documents will lose a lot of data! This works +best with data-centric documents where elements either have single values +or child elements, but not both. + +@author Will Provost +*/ +/* +Copyright 2002-2003 by Will Provost. +All rights reserved. +*/ +public class PrettyPrinter + extends DefaultHandler +{ + /** + Convenience method to wrap pretty-printing SAX pass over existing content. + */ + public static String prettyPrint (byte[] content) + { + try + { + PrettyPrinter pretty = new PrettyPrinter (); + SAXParserFactory factory = SAXParserFactory.newInstance (); + factory.setFeature + ("http://xml.org/sax/features/namespace-prefixes", true); + factory.newSAXParser ().parse + (new ByteArrayInputStream (content), pretty); + return pretty.toString (); + } + catch (Exception ex) + { + ex.printStackTrace (); + return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" + + ex.getMessage () + "\""; + } + } + + /** + Convenience method to wrap pretty-printing SAX pass over existing content. + */ + public static String prettyPrint (String content) + { + try + { + PrettyPrinter pretty = new PrettyPrinter (); + SAXParserFactory factory = SAXParserFactory.newInstance (); + factory.setFeature + ("http://xml.org/sax/features/namespace-prefixes", true); + factory.newSAXParser ().parse (content, pretty); + return pretty.toString (); + } + catch (Exception ex) + { + ex.printStackTrace (); + return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" + + ex.getMessage () + "\""; + } + } + + /** + Convenience method to wrap pretty-printing SAX pass over existing content. + */ + public static String prettyPrint (InputStream content) + { + try + { + PrettyPrinter pretty = new PrettyPrinter (); + SAXParserFactory factory = SAXParserFactory.newInstance (); + factory.setFeature + ("http://xml.org/sax/features/namespace-prefixes", true); + factory.newSAXParser ().parse (content, pretty); + return pretty.toString (); + } + catch (Exception ex) + { + ex.printStackTrace (); + return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" + + ex.getMessage () + "\""; + } + } + + /** + Convenience method to wrap pretty-printing SAX pass over existing content. + */ + public static String prettyPrint (Document doc) + throws TransformerException + { + try + { + ByteArrayOutputStream buffer = new ByteArrayOutputStream (); + TransformerFactory.newInstance ().newTransformer() + .transform (new DOMSource (doc), new StreamResult (buffer)); + byte[] rawResult = buffer.toByteArray (); + buffer.close (); + + return prettyPrint (rawResult); + } + catch (Exception ex) + { + ex.printStackTrace (); + return "EXCEPTION: " + ex.getClass ().getName () + " saying \"" + + ex.getMessage () + "\""; + } + } + + public static class StreamAdapter + extends OutputStream + { + public StreamAdapter (Writer finalDestination) + { + this.finalDestination = finalDestination; + } + + public void write (int b) + { + out.write (b); + } + + public void flushPretty () + throws IOException + { + PrintWriter finalPrinter = new PrintWriter (finalDestination); + finalPrinter.println + (PrettyPrinter.prettyPrint (out.toByteArray ())); + finalPrinter.close (); + out.close (); + } + + private ByteArrayOutputStream out = new ByteArrayOutputStream (); + Writer finalDestination; + } + + /** + Call this to get the formatted XML post-parsing. + */ + public String toString () + { + return output.toString (); + } + + /** + Prints the XML declaration. + */ + public void startDocument () + throws SAXException + { + output.append ("") + .append (endLine); + } + + /** + Prints a blank line at the end of the reformatted document. + */ + public void endDocument () throws SAXException + { + output.append (endLine); + } + + /** + Writes the start tag for the element. + Attributes are written out, one to a text line. Starts gathering + character data for the element. + */ + public void startElement + (String URI, String name, String qName, Attributes attributes) + throws SAXException + { + if (justHitStartTag) + output.append ('>'); + + output.append (endLine) + .append (indent) + .append ('<') + .append (qName); + + int length = attributes.getLength (); + for (int a = 0; a < length; ++a) + output.append (endLine) + .append (indent) + .append (standardIndent) + .append (attributes.getQName (a)) + .append ("=\"") + .append (attributes.getValue (a)) + .append ('\"'); + + if (length > 0) + output.append (endLine) + .append (indent); + + indent += standardIndent; + currentValue = new StringBuffer (); + justHitStartTag = true; + } + + /** + Checks the {@link #currentValue} buffer to gather element content. + Writes this out if it is available. Writes the element end tag. + */ + public void endElement (String URI, String name, String qName) + throws SAXException + { + indent = indent.substring + (0, indent.length () - standardIndent.length ()); + + if (currentValue == null) + output.append (endLine) + .append (indent) + .append ("'); + else if (currentValue.length () != 0) + output.append ('>') + .append (currentValue.toString ()) + .append ("'); + else + output.append ("/>"); + + currentValue = null; + justHitStartTag = false; + } + + /** + When the {@link #currentValue} buffer is enabled, appends character + data into it, to be gathered when the element end tag is encountered. + */ + public void characters (char[] chars, int start, int length) + throws SAXException + { + if (currentValue != null) + currentValue.append (escape (chars, start, length)); + } + + /** + Filter to pass strings to output, escaping < and & + characters to &lt; and &amp; respectively. + */ + private static String escape (char[] chars, int start, int length) + { + StringBuffer result = new StringBuffer (); + for (int c = start; c < start + length; ++c) + if (chars[c] == '<') + result.append ("<"); + else if (chars[c] == '&') + result.append ("&"); + else + result.append (chars[c]); + + return result.toString (); + } + + /** + This whitespace string is expanded and collapsed to manage the output + indenting. + */ + private String indent = ""; + + /** + A buffer for character data. It is "enabled" in + {@link #startElement startElement} by being initialized to a + new StringBuffer, and then read and reset to + null in {@link #endElement endElement}. + */ + private StringBuffer currentValue = null; + + /** + The primary buffer for accumulating the formatted XML. + */ + private StringBuffer output = new StringBuffer (); + + private boolean justHitStartTag; + + private static final String standardIndent = " "; + private static final String endLine = + System.getProperty ("line.separator"); +} + diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java index 203d743be..fa2ce4f79 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/SAML2Utils.java @@ -1,9 +1,24 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.utils; +import java.io.IOException; + import javax.xml.namespace.QName; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; +import javax.xml.transform.TransformerException; import org.opensaml.Configuration; +import org.opensaml.saml2.core.Status; +import org.opensaml.saml2.core.StatusCode; +import org.opensaml.saml2.core.StatusMessage; +import org.opensaml.xml.XMLObject; import org.opensaml.xml.XMLObjectBuilderFactory; +import org.opensaml.xml.io.Marshaller; +import org.opensaml.xml.io.MarshallingException; +import org.w3c.dom.Document; + +import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException; public class SAML2Utils { @@ -22,4 +37,33 @@ public class SAML2Utils { return null; } } + + private static DocumentBuilder builder; + static { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setNamespaceAware(true); + try { + builder = factory.newDocumentBuilder(); + } catch (ParserConfigurationException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + } + + public static Document asDOMDocument(XMLObject object) throws IOException, + MarshallingException, TransformerException { + Document document = builder.newDocument(); + Marshaller out = Configuration.getMarshallerFactory().getMarshaller( + object); + out.marshall(object, document); + return document; + } + + public static Status getSuccessStatus() { + Status status = SAML2Utils.createSAMLObject(Status.class); + StatusCode statusCode = SAML2Utils.createSAMLObject(StatusCode.class); + statusCode.setValue(StatusCode.SUCCESS_URI); + status.setStatusCode(statusCode); + return status; + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ChainSAMLValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ChainSAMLValidator.java new file mode 100644 index 000000000..bf30c72cb --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ChainSAMLValidator.java @@ -0,0 +1,28 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.validation; + +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; + +import org.opensaml.saml2.core.RequestAbstractType; + +import at.gv.egovernment.moa.id.MOAIDException; + +public class ChainSAMLValidator implements ISAMLValidator { + +private List validator = new ArrayList(); + + public void addValidator(ISAMLValidator validator) { + this.validator.add(validator); + } + + public void validateRequest(RequestAbstractType request) + throws MOAIDException { + Iterator validatorIterator = validator.iterator(); + while(validatorIterator.hasNext()) { + ISAMLValidator validator = validatorIterator.next(); + validator.validateRequest(request); + } + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ISAMLValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ISAMLValidator.java new file mode 100644 index 000000000..525a0870e --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/ISAMLValidator.java @@ -0,0 +1,9 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.validation; + +import org.opensaml.saml2.core.RequestAbstractType; + +import at.gv.egovernment.moa.id.MOAIDException; + +public interface ISAMLValidator { + public void validateRequest(RequestAbstractType request) throws MOAIDException; +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java new file mode 100644 index 000000000..95c548389 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/SAMLSignatureValidator.java @@ -0,0 +1,27 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.validation; + +import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.security.SAMLSignatureProfileValidator; +import org.opensaml.xml.validation.ValidationException; + +import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.id.protocols.pvp2x.SAMLRequestNotSignedException; + +public class SAMLSignatureValidator implements ISAMLValidator { + + public void validateRequest(RequestAbstractType request) + throws MOAIDException { + if(request.getSignature() == null) { + throw new SAMLRequestNotSignedException("NOT SIGNED", new Object[] {}); + } + + try { + SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); + sigValidator.validate(request.getSignature()); + } catch (ValidationException e) { + e.printStackTrace(); + throw new MOAIDException("SIGNATURE VALIDATOR", new Object[] {}); + } + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/ChainSAMLVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/ChainSAMLVerifier.java new file mode 100644 index 000000000..5cea607bc --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/ChainSAMLVerifier.java @@ -0,0 +1,28 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification; + +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; + +import org.opensaml.saml2.core.RequestAbstractType; + +import at.gv.egovernment.moa.id.MOAIDException; + +public class ChainSAMLVerifier implements ISAMLVerifier { + + private List verifier = new ArrayList(); + + public void addVerifier(ISAMLVerifier verifier) { + this.verifier.add(verifier); + } + + public void verifyRequest(RequestAbstractType request) + throws MOAIDException { + Iterator verifyIterator = verifier.iterator(); + while(verifyIterator.hasNext()) { + ISAMLVerifier verifier = verifyIterator.next(); + verifier.verifyRequest(request); + } + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/ISAMLVerifier.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/ISAMLVerifier.java new file mode 100644 index 000000000..a577f3f46 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/ISAMLVerifier.java @@ -0,0 +1,9 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification; + +import org.opensaml.saml2.core.RequestAbstractType; + +import at.gv.egovernment.moa.id.MOAIDException; + +public interface ISAMLVerifier { + public void verifyRequest(RequestAbstractType request) throws MOAIDException; +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java new file mode 100644 index 000000000..af77213df --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerifierMOASP.java @@ -0,0 +1,108 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification; + +import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.security.SAMLSignatureProfileValidator; +import org.opensaml.xml.validation.ValidationException; +import org.w3c.dom.Element; + +import eu.stork.vidp.messages.util.SAMLUtil; +import eu.stork.vidp.messages.util.XMLUtil; + +import at.gv.egovernment.moa.id.BuildException; +import at.gv.egovernment.moa.id.MOAIDException; +import at.gv.egovernment.moa.id.ParseException; +import at.gv.egovernment.moa.id.ServiceException; +import at.gv.egovernment.moa.id.auth.builder.VerifyXMLSignatureRequestBuilder; +import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.invoke.SignatureVerificationInvoker; +import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.logging.Logger; + +public class SAMLVerifierMOASP implements ISAMLVerifier { + + public void verifyRequest(RequestAbstractType request) + throws MOAIDException { + // validate Signature + try { + if (request.isSigned()) { + + String trustProfileID = AuthConfigurationProvider.getInstance() + .getStorkConfig().getSignatureVerificationParameter() + .getTrustProfileID(); + + Logger.trace("Starting validation of Signature references"); + try { + SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); + sigValidator.validate(request.getSignature()); + } catch (ValidationException e) { + Logger.error("Validation of XML Signature refrences failed: " + + e.getMessage()); + throw new SecurityException(e); + } + Logger.debug("XML Signature references are OK."); + + Logger.debug("Invoking MOA-SP with TrustProfileID: " + + trustProfileID); + + // builds a for a call of MOA-SP + Element domVerifyXMLSignatureRequest = new VerifyXMLSignatureRequestBuilder() + .build(XMLUtil.printXML(request.getDOM()).getBytes(), + trustProfileID); + + Logger.trace("VerifyXMLSignatureRequest for MOA-SP succesfully built"); + + Logger.trace("Calling MOA-SP"); + // invokes the call + Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker() + .verifyXMLSignature(domVerifyXMLSignatureRequest); + + // parses the + VerifyXMLSignatureResponse verifyXMLSignatureResponse = new VerifyXMLSignatureResponseParser( + domVerifyXMLSignatureResponse).parseData(); + + Logger.trace("Received VerifyXMLSignatureResponse from MOA-SP"); + + if (verifyXMLSignatureResponse.getSignatureCheckCode() != 0) { + String msg = "Signature of SAMLResponse not valid"; + Logger.error(msg); + throw new SecurityException(msg); + } + + Logger.debug("Signature of SAML response successfully verified"); + + if (verifyXMLSignatureResponse.getCertificateCheckCode() != 0) { + String msg = "Certificate of SAMLResponse not valid"; + Logger.error(msg); + throw new SecurityException(msg); + } + + Logger.debug("Signing certificate of SAML response succesfully verified"); + + } else { + String msg = "SAML Response is not signed."; + throw new SecurityException(msg); + } + + } catch (ConfigurationException e) { + String msg = "Unable to load STORK configuration for STORK SAML Response signature verification."; + Logger.error(msg, e); + throw new SecurityException(msg, e); + } catch (ParseException e) { + String msg = "Unable to parse VerifyXMLSignature Request or Response."; + Logger.error(msg, e); + throw new SecurityException(msg, e); + } catch (BuildException e) { + String msg = "Unable to parse VerifyXMLSignature Request or Response."; + Logger.error(msg, e); + throw new SecurityException(msg, e); + } catch (ServiceException e) { + String msg = "Unable to invoke MOA-SP."; + Logger.error(msg, e); + throw new SecurityException(msg, e); + } + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java new file mode 100644 index 000000000..8e4e88031 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java @@ -0,0 +1,70 @@ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification; + +import java.util.ArrayList; +import java.util.List; + +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.security.MetadataCredentialResolver; +import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver; +import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; +import org.opensaml.xml.security.keyinfo.KeyInfoProvider; +import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider; +import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider; +import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider; +import org.opensaml.xml.signature.SignatureTrustEngine; +import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine; +import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine; + +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; +import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver; + +public class TrustEngineFactory { + + public static SignatureTrustEngine getSignatureTrustEngine() { + try { + MetadataPKIXValidationInformationResolver mdResolver = new MetadataPKIXValidationInformationResolver( + new MOAMetadataProvider()); + + List keyInfoProvider = new ArrayList(); + keyInfoProvider.add(new DSAKeyValueProvider()); + keyInfoProvider.add(new RSAKeyValueProvider()); + keyInfoProvider.add(new InlineX509DataProvider()); + + KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver( + keyInfoProvider); + + PKIXSignatureTrustEngine engine = new PKIXSignatureTrustEngine( + mdResolver, keyInfoResolver); + + return engine; + + } catch (Exception e) { + e.printStackTrace(); + return null; + } + } + + public static SignatureTrustEngine getSignatureKnownKeysTrustEngine() { + MetadataCredentialResolver resolver; + try { + resolver = new MetadataCredentialResolver(new MOAMetadataProvider()); + + List keyInfoProvider = new ArrayList(); + keyInfoProvider.add(new DSAKeyValueProvider()); + keyInfoProvider.add(new RSAKeyValueProvider()); + keyInfoProvider.add(new InlineX509DataProvider()); + + KeyInfoCredentialResolver keyInfoResolver = new BasicProviderKeyInfoCredentialResolver( + keyInfoProvider); + + ExplicitKeySignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine( + resolver, keyInfoResolver); + + return engine; + } catch (MetadataProviderException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + return null; + } + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index d4ee5f46c..5649e5260 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -124,4 +124,8 @@ public class GetArtifactAction implements IAction { return true; } + public String getDefaultActionName() { + return SAML1Protocol.GETARTIFACT; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index fbb296a9e..d184643c4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -85,4 +85,9 @@ public class SAML1Protocol implements IModulInfo, MOAIDAuthConstants { return actions.get(action); } + public IAction canHandleRequest(HttpServletRequest request, + HttpServletResponse response) { + return null; + } + } diff --git a/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html b/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html new file mode 100644 index 000000000..1215c2b58 --- /dev/null +++ b/id/server/idserverlib/src/main/resources/resources/templates/pvp_postbinding_template.html @@ -0,0 +1,51 @@ +## +## Velocity Template for SAML 2 HTTP-POST binding +## +## Velocity context may contain the following properties +## action - String - the action URL for the form +## RelayState - String - the relay state for the message +## SAMLRequest - String - the Base64 encoded SAML Request +## SAMLResponse - String - the Base64 encoded SAML Response + + + + + + + +
Your login is being processed. Thank you for waiting.
+ + + +
+
+ #if($RelayState)#end + + #if($SAMLRequest)#end + + #if($SAMLResponse)#end + +
+ +
+ + + \ No newline at end of file -- cgit v1.2.3