Refine search
final DateTime now = new DateTime(); final DateTime issueInstant = response.getIssueInstant(); if (issueInstant == null) { throw new SamlException("failed to get IssueInstant attribute"); if (Math.abs(now.getMillis() - issueInstant.getMillis()) > MILLIS_IN_MINUTE) { final Issuer issuer = assertion.getIssuer(); if (issuer == null || issuer.getValue() == null) { throw new SamlException("failed to get an Issuer element from the assertion"); validateSignature(idp.signingCredential(), assertion); final List<AuthnStatement> authnStatements = assertion.getAuthnStatements(); if (authnStatements.isEmpty()) { continue; final Subject subject = assertion.getSubject(); if (subject == null) { continue; final Conditions conditions = assertion.getConditions(); if (conditions == null) { throw new SamlException("no condition found from the assertion"); conditions.getAudienceRestrictions().stream() .flatMap(r -> r.getAudiences().stream()) .filter(audience -> entityId.equals(audience.getAudienceURI()))
data.setNotOnOrAfter(DateTime.now().plusMinutes(1)); data.setRecipient(recipient); assertion.setSubject(subject); assertion.setIssuer(XMLObjectSupport.cloneXMLObject(issuer)); assertion.setIssueInstant(DateTime.now()); assertion.setID(requestIdManager.newId()); assertion.getAuthnStatements().add(authnStatement); conditions.setNotBefore(DateTime.now().minusMinutes(1)); conditions.setNotOnOrAfter(DateTime.now().plusMinutes(1)); conditions.getAudienceRestrictions().add(audienceRestriction); assertion.setConditions(conditions);
/** {@inheritDoc} */ @Override protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) { for (final Assertion assertion : assertions) { addDelegationRestriction(profileRequestContext, SAML2ActionSupport.addConditionsToAssertion(this, assertion)); log.debug("{} Added DelegationRestrictionType Condition to Assertion {}", getLogPrefix(), assertion.getID()); } }
/** * Get the subject to which the confirmation will be added. * * @param assertion the assertion being modified * * @return the subject to which the confirmation will be added */ @Nonnull private Subject getAssertionSubject(@Nonnull final Assertion assertion) { if (assertion.getSubject() != null) { return assertion.getSubject(); } final Subject subject = subjectBuilder.buildObject(); assertion.setSubject(subject); return subject; }
/** * Add Liberty SSOS service Endpoint Reference (EPR) attribute to Assertion's AttributeStatement. * * @param requestContext the current request context * @param assertion the delegated assertion being issued */ private void addLibertySSOSEPRAttribute(@Nonnull final ProfileRequestContext requestContext, @Nonnull final Assertion assertion) { final Attribute attribute = (Attribute) XMLObjectSupport.buildXMLObject(Attribute.DEFAULT_ELEMENT_NAME); attribute.setName(LibertyConstants.SERVICE_TYPE_SSOS); attribute.setNameFormat(Attribute.URI_REFERENCE); attribute.getAttributeValues().add(buildLibertSSOSEPRAttributeValue(requestContext, assertion)); final List<AttributeStatement> attributeStatements = assertion.getAttributeStatements(); AttributeStatement attributeStatement = null; if (attributeStatements.isEmpty()) { attributeStatement = (AttributeStatement) XMLObjectSupport.buildXMLObject(AttributeStatement.DEFAULT_ELEMENT_NAME); assertion.getAttributeStatements().add(attributeStatement); } else { attributeStatement = attributeStatements.get(0); } attributeStatement.getAttributes().add(attribute); }
/** * Apply function to an assertion. * * @param assertion assertion to operate on * * @return the format, or null */ @Nullable private String apply(@Nonnull final org.opensaml.saml.saml2.core.Assertion assertion) { if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) { return assertion.getSubject().getNameID().getFormat(); } return null; }
/** * Validates the <code>NotBefore</code> condition of the {@link SubjectConfirmationData}, if any is present. * * @param confirmation confirmation method, with {@link SubjectConfirmationData}, being validated * @param assertion assertion bearing the confirmation method * @param context current validation context * * @return the result of the validation evaluation * * @throws AssertionValidationException thrown if there is a problem determining the validity of the NotBefore */ @Nonnull protected ValidationResult validateNotBefore(@Nonnull final SubjectConfirmation confirmation, @Nonnull final Assertion assertion, @Nonnull final ValidationContext context) throws AssertionValidationException { DateTime skewedNow = new DateTime(ISOChronology.getInstanceUTC()).plus(SAML20AssertionValidator .getClockSkew(context)); DateTime notBefore = confirmation.getSubjectConfirmationData().getNotBefore(); log.debug("Evaluating SubjectConfirmationData NotBefore '{}' against 'skewed now' time '{}'", notBefore, skewedNow); if (notBefore != null && notBefore.isAfter(skewedNow)) { context.setValidationFailureMessage(String.format( "Subject confirmation, in assertion '%s', with NotBefore condition of '%s' is not yet valid", assertion.getID(), notBefore)); return ValidationResult.INVALID; } return ValidationResult.VALID; }
@Nonnull public static Assertion buildAssertion(@Nonnull final AbstractProfileAction action, @Nonnull final IdentifierGenerationStrategy idGenerator, @Nullable final String issuer) { assertion.setID(idGenerator.generateIdentifier()); assertion.setIssueInstant(new DateTime()); assertion.setVersion(SAMLVersion.VERSION_20); final Issuer issuerObject = issuerBuilder.buildObject(); issuerObject.setValue(issuer); assertion.setIssuer(issuerObject); assertion.getID());
/** {@inheritDoc} */ @Override protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext, @Nonnull final AuthenticationContext authenticationContext) { final Assertion assertion = assertionLookupStrategy.apply(profileRequestContext); if (assertion == null) { log.error("Unable to obtain Assertion to modify"); ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX); return; } final AuthnStatement statement = buildAuthnStatement(profileRequestContext, authenticationContext.getSubcontext(RequestedPrincipalContext.class)); assertion.getAuthnStatements().add(statement); log.debug("{} Added AuthenticationStatement to Assertion {}", getLogPrefix(), assertion.getID()); }
/** * Creates and adds a {@link Conditions} to a given {@link Assertion}. If the {@link Assertion} already contains an * {@link Conditions} this method just returns. * * @param action current action * @param assertion assertion to which the condition will be added * * @return the {@link Conditions} that already existed on, or the one that was added to, the {@link Assertion} */ @Nonnull public static Conditions addConditionsToAssertion(@Nonnull final AbstractProfileAction action, @Nonnull final Assertion assertion) { Conditions conditions = assertion.getConditions(); if (conditions == null) { final SAMLObjectBuilder<Conditions> conditionsBuilder = (SAMLObjectBuilder<Conditions>) XMLObjectProviderRegistrySupport.getBuilderFactory().<Conditions>getBuilderOrThrow( Conditions.DEFAULT_ELEMENT_NAME); conditions = conditionsBuilder.buildObject(); assertion.setConditions(conditions); getLogger().debug("Profile Action {}: Assertion {} did not already contain Conditions, one was added", action.getClass().getSimpleName(), assertion.getID()); } else { getLogger().debug("Profile Action {}: Assertion {} already contained Conditions, nothing was done", action.getClass().getSimpleName(), assertion.getID()); } return conditions; }
@Nonnull final ProfileRequestContext profileRequestContext) { if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) { for (final AuthnStatement statement : assertion.getAuthnStatements()) { if (statement.getSessionIndex() != null) { return new Pair<>(assertion, statement);
/** * Validates that the assertion is a {@link SAMLVersion#VERSION_20} assertion. * * @param assertion the assertion to validate * @param context current validation context * * @return result of the validation evaluation * * @throws AssertionValidationException thrown if there is a problem validating the version */ @Nonnull protected ValidationResult validateVersion(@Nonnull final Assertion assertion, @Nonnull final ValidationContext context) throws AssertionValidationException { if (assertion.getVersion() != SAMLVersion.VERSION_20) { context.setValidationFailureMessage(String.format( "Assertion '%s' is not a SAML 2.0 version Assertion", assertion.getID())); return ValidationResult.INVALID; } return ValidationResult.VALID; }
/** * Get the string value which will be tracked in the cache for purposes of one-time use detection. * * @param assertion the SAML 2 Assertion to evaluate * * @return the cache value * * @throws AssertionValidationException thrown if there is a problem calculating the cached value */ @Nonnull protected String getCacheValue(@Nonnull final Assertion assertion) throws AssertionValidationException { String issuer = null; if (assertion.getIssuer() != null && assertion.getIssuer().getValue() != null) { issuer = StringSupport.trimOrNull(assertion.getIssuer().getValue()); } if (issuer == null) { issuer = "NoIssuer"; } String id = StringSupport.trimOrNull(assertion.getID()); if (id == null) { id = "NoID"; } String value = String.format("%s--%s", issuer, id); log.debug("Generated one-time use cache value of: {}", value); return value; }
@Nonnull protected ValidationResult performSignatureValidation(@Nonnull final Assertion token, @Nonnull final ValidationContext context) throws AssertionValidationException { Signature signature = token.getSignature(); if (token.getIssuer() != null) { tokenIssuer = token.getIssuer().getValue(); token.getID(), tokenIssuer); if (trustEngine.validate(signature, criteriaSet)) { log.debug("Validation of signature of Assertion '{}' from Issuer '{}' was successful", token.getID(), tokenIssuer); return ValidationResult.VALID; } else { String msg = String.format( "Signature of Assertion '%s' from Issuer '%s' was not valid", token.getID(), tokenIssuer); log.warn(msg); context.setValidationFailureMessage(msg); String msg = String.format( "A problem was encountered evaluating the signature over Assertion with ID '%s': %s", token.getID(), e.getMessage()); log.warn(msg); context.setValidationFailureMessage(msg);
/** {@inheritDoc} */ @Override protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) { try { final AttributeStatement statement = buildAttributeStatement(profileRequestContext, getAttributeContext().getIdPAttributes().values()); if (statement == null) { log.debug("{} No AttributeStatement was built, nothing to do", getLogPrefix()); return; } final Assertion assertion = assertionLookupStrategy.apply(profileRequestContext); if (assertion == null) { log.error("Unable to obtain Assertion to modify"); ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX); return; } assertion.getAttributeStatements().add(statement); log.debug("{} Adding constructed AttributeStatement to Assertion {} ", getLogPrefix(), assertion.getID()); } catch (final AttributeEncodingException e) { ActionSupport.buildEvent(profileRequestContext, IdPEventIds.UNABLE_ENCODE_ATTRIBUTE); } } //CheckStyle: ReturnCount ON
/** * Constructs and adds a {@link Assertion} to the given {@link Response}. The {@link Assertion} is constructed * using the parameters supplied, and its issue instant is set to the issue instant of the given {@link Response}. * * @param action the current action * @param response the response to which the assertion will be added * @param idGenerator source of assertion ID * @param issuer value for assertion * * @return the assertion that was added to the response */ @Nonnull public static Assertion addAssertionToResponse(@Nonnull final AbstractProfileAction action, @Nonnull final Response response, @Nonnull final IdentifierGenerationStrategy idGenerator, @Nullable final String issuer) { final Assertion assertion = buildAssertion(action, idGenerator, issuer); assertion.setIssueInstant(response.getIssueInstant()); getLogger().debug("Profile Action {}: Added Assertion {} to Response {}", new Object[] {action.getClass().getSimpleName(), assertion.getID(), response.getID(),}); response.getAssertions().add(assertion); return assertion; }
/** * Get the length of the delegation chain in the presented token. * * @param token the token to evaluate * @return the token delegation chain length */ protected Long getTokenDelegationChainLength(@Nonnull final Assertion token) { final DelegationRestrictionType delRestrict = getDelegationRestrictionCondition(token.getConditions()); if (delRestrict != null && delRestrict.getDelegates() != null) { return (long) delRestrict.getDelegates().size(); } return null; }
/** {@inheritDoc} */ @Override protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) { final SAMLObjectBuilder<OneTimeUse> conditionBuilder = (SAMLObjectBuilder<OneTimeUse>) XMLObjectProviderRegistrySupport.getBuilderFactory().<OneTimeUse>getBuilderOrThrow( OneTimeUse.DEFAULT_ELEMENT_NAME); for (final Assertion assertion : response.getAssertions()) { final Conditions conditions = SAML2ActionSupport.addConditionsToAssertion(this, assertion); if (conditions.getOneTimeUse() == null) { conditions.getConditions().add(conditionBuilder.buildObject()); log.debug("{} Added OneTimeUse condition to Assertion {}", getLogPrefix(), assertion.getID()); } else { log.debug("{} Assertion {} already contained OneTimeUse condition, another was not added", getLogPrefix(), assertion.getID()); } } }
throws IdentitySAML2QueryException { DateTime currentTime = new DateTime(); DateTime notOnOrAfter = new DateTime(currentTime.getMillis() + (long) SAMLSSOUtil.getSAMLResponseValidityPeriod() * 60 * 1000); Assertion samlAssertion = new AssertionBuilder().buildObject(); samlAssertion.setID(SAMLSSOUtil.createID()); samlAssertion.setVersion(SAMLVersion.VERSION_20); samlAssertion.setIssuer(OpenSAML3Util.getIssuer("carbon.super")); samlAssertion.setIssueInstant(currentTime); Subject subject = new SubjectBuilder().buildObject(); NameID nameId = new NameIDBuilder().buildObject(); samlAssertion.setSubject(subject); authContext.setAuthnContextClassRef(authCtxClassRef); authStmt.setAuthnContext(authContext); samlAssertion.getAuthnStatements().add(authStmt); conditions.setNotBefore(currentTime); conditions.setNotOnOrAfter(notOnOrAfter); conditions.getAudienceRestrictions().add(audienceRestriction); samlAssertion.setConditions(conditions); samlAssertion.getAuthzDecisionStatements().add(authzDecisionStatement);