.filter(audience -> entityId.equals(audience.getAudienceURI())) .findAny() .orElseThrow(() -> new SamlException("no audience found from the assertion"));
final Audience audience = build(Audience.DEFAULT_ELEMENT_NAME); audience.setAudienceURI(spEntityId); audienceRestriction.getAudiences().add(audience); conditions.getAudienceRestrictions().add(audienceRestriction);
if (Objects.equals(responderId, StringSupport.trimOrNull(audience.getAudienceURI()))) { log.debug("Local entity ID '{}' already present in assertion AudienceRestriction set, skipping", responderId); idpAudience.setAudienceURI(responderId); audienceRestriction.getAudiences().add(idpAudience);
/** {@inheritDoc} */
protected void marshallElementContent(XMLObject samlObject, Element domElement) throws MarshallingException {
    // An Audience carries its URI as the element's text content, so that is what gets written.
    final Audience source = (Audience) samlObject;
    ElementSupport.appendTextContent(domElement, source.getAudienceURI());
}
}
/** {@inheritDoc} */
protected void processElementContent(XMLObject samlObject, String elementContent) {
    // The element's text content is the AudienceURI; nothing else is read here.
    final Audience target = (Audience) samlObject;
    target.setAudienceURI(elementContent);
}
}
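/**
 * Checks whether {@code appliesTo} is an acceptable audience for the assertion's
 * {@link AudienceRestriction} conditions.
 *
 * <p>SAML 2.0 Core section 2.5.1.4: the audiences inside one AudienceRestriction form a
 * disjunction, but multiple AudienceRestriction elements are evaluated independently and form a
 * conjunction. A match in a single restriction is therefore not sufficient; every restriction
 * that carries an audience list must name {@code appliesTo}.
 *
 * @param appliesTo the audience URI this service expects to be named
 * @param audienceRestrictions the restrictions from the assertion's Conditions; may be null
 * @return true if at least one restriction was evaluated and every evaluated restriction names
 *     {@code appliesTo}; false otherwise
 */
private boolean matchSaml2AudienceRestriction(
    String appliesTo, List<AudienceRestriction> audienceRestrictions
) {
    if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
        return false;
    }
    boolean evaluatedAny = false;
    for (AudienceRestriction audienceRestriction : audienceRestrictions) {
        if (audienceRestriction.getAudiences() == null) {
            continue; // no audience list to evaluate for this restriction
        }
        boolean restrictionSatisfied = false;
        for (org.opensaml.saml.saml2.core.Audience audience : audienceRestriction.getAudiences()) {
            if (appliesTo.equals(audience.getAudienceURI())) {
                restrictionSatisfied = true;
                break;
            }
        }
        if (!restrictionSatisfied) {
            return false; // one unsatisfied restriction invalidates the whole assertion
        }
        evaluatedAny = true;
    }
    return evaluatedAny;
}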
/**
 * Adds every configured audience to the {@link AudienceRestriction} of {@code conditions}. If
 * the conditions carry no {@link AudienceRestriction} yet, one is created and added first.
 *
 * @param profileRequestContext current profile request context
 * @param conditions condition that has, or will receive the created, {@link AudienceRestriction}
 */
private void addAudienceRestriction(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final org.opensaml.saml.saml2.core.Conditions conditions) {
    final AudienceRestriction restriction = getAudienceRestriction(conditions);
    // One builder instance serves every Audience element created below.
    final SAMLObjectBuilder<org.opensaml.saml.saml2.core.Audience> builder =
            (SAMLObjectBuilder<org.opensaml.saml.saml2.core.Audience>) XMLObjectProviderRegistrySupport
                    .getBuilderFactory()
                    .<org.opensaml.saml.saml2.core.Audience>getBuilderOrThrow(
                            org.opensaml.saml.saml2.core.Audience.DEFAULT_ELEMENT_NAME);
    for (final String audienceId : audiences) {
        log.debug("{} Adding {} as an Audience of the AudienceRestriction", getLogPrefix(), audienceId);
        restriction.getAudiences().add(buildAudience(builder, audienceId));
    }
}

/** Builds one Audience element carrying {@code audienceId} as its URI. */
private static org.opensaml.saml.saml2.core.Audience buildAudience(
        final SAMLObjectBuilder<org.opensaml.saml.saml2.core.Audience> builder, final String audienceId) {
    final org.opensaml.saml.saml2.core.Audience audience = builder.buildObject();
    audience.setAudienceURI(audienceId);
    return audience;
}
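/**
 * Checks whether {@code appliesTo} is an acceptable audience for the assertion's
 * {@link AudienceRestriction} conditions.
 *
 * <p>SAML 2.0 Core section 2.5.1.4: the audiences inside one AudienceRestriction form a
 * disjunction, but multiple AudienceRestriction elements are evaluated independently and form a
 * conjunction. A match in a single restriction is therefore not sufficient; every restriction
 * that carries an audience list must name {@code appliesTo}.
 *
 * @param appliesTo the audience URI this service expects to be named
 * @param audienceRestrictions the restrictions from the assertion's Conditions; may be null
 * @return true if at least one restriction was evaluated and every evaluated restriction names
 *     {@code appliesTo}; false otherwise
 */
private boolean matchSaml2AudienceRestriction(
    String appliesTo, List<AudienceRestriction> audienceRestrictions
) {
    if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
        return false;
    }
    boolean evaluatedAny = false;
    for (AudienceRestriction audienceRestriction : audienceRestrictions) {
        if (audienceRestriction.getAudiences() == null) {
            continue; // no audience list to evaluate for this restriction
        }
        boolean restrictionSatisfied = false;
        for (org.opensaml.saml.saml2.core.Audience audience : audienceRestriction.getAudiences()) {
            if (appliesTo.equals(audience.getAudienceURI())) {
                restrictionSatisfied = true;
                break;
            }
        }
        if (!restrictionSatisfied) {
            return false; // one unsatisfied restriction invalidates the whole assertion
        }
        evaluatedAny = true;
    }
    return evaluatedAny;
}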
/**
 * Fills the {@link ProxyRestriction} of {@code conditions} with the configured audiences and
 * sets its proxy count from {@code proxyCountLookupStrategy}. If the conditions carry no
 * {@link ProxyRestriction} yet, one is created and added first.
 *
 * @param profileRequestContext current profile request context, handed to the count lookup
 * @param conditions condition that has, or will receive the created, {@link ProxyRestriction}
 */
private void addProxyRestriction(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final Conditions conditions) {
    final ProxyRestriction restriction = getProxyRestriction(conditions);
    final SAMLObjectBuilder<Audience> builder = (SAMLObjectBuilder<Audience>)
            XMLObjectProviderRegistrySupport.getBuilderFactory()
                    .<Audience>getBuilderOrThrow(Audience.DEFAULT_ELEMENT_NAME);
    for (final String audienceId : audiences) {
        log.debug("{} Adding {} as an Audience of the ProxyRestriction", getLogPrefix(), audienceId);
        final Audience entry = builder.buildObject();
        entry.setAudienceURI(audienceId);
        restriction.getAudiences().add(entry);
    }
    // A null lookup result is mapped to a ProxyCount of 0.
    final Long lookedUp = proxyCountLookupStrategy.apply(profileRequestContext);
    final int proxyCount;
    if (lookedUp == null) {
        proxyCount = 0;
    } else {
        proxyCount = lookedUp.intValue();
    }
    restriction.setProxyCount(proxyCount);
}
/**
 * Evaluates the assertion's AudienceRestriction conditions against {@code appliesTo}. Every
 * restriction that carries an audience list must name {@code appliesTo}; a match inside one
 * restriction does not compensate for another restriction without one.
 *
 * @param appliesTo the audience URI this service expects
 * @param audienceRestrictions restrictions from the assertion's Conditions; may be null or empty
 * @return true when at least one restriction was evaluated and all evaluated restrictions name
 *     {@code appliesTo}; false otherwise
 */
private boolean matchSaml2AudienceRestriction(
    String appliesTo, List<AudienceRestriction> audienceRestrictions
) {
    if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
        return false;
    }
    boolean evaluatedAny = false;
    for (AudienceRestriction restriction : audienceRestrictions) {
        if (restriction.getAudiences() == null) {
            continue; // no audience list here: nothing to evaluate, nothing to fail
        }
        if (!namesAudience(restriction, appliesTo)) {
            return false;
        }
        evaluatedAny = true;
    }
    return evaluatedAny;
}

/** Returns true if any Audience inside {@code restriction} equals {@code appliesTo}. */
private static boolean namesAudience(AudienceRestriction restriction, String appliesTo) {
    for (org.opensaml.saml.saml2.core.Audience audience : restriction.getAudiences()) {
        if (appliesTo.equals(audience.getAudienceURI())) {
            return true;
        }
    }
    return false;
}
/**
 * Appends the SAML 2.0 equivalent of {@code c} to {@code conditions}: an
 * {@link AudienceRestriction} becomes a SAML AudienceRestriction holding one Audience per URI,
 * a {@link OneTimeUse} becomes a SAML OneTimeUse condition. Other condition types are ignored.
 *
 * @param conditions the SAML Conditions element receiving the translated condition
 * @param c the condition to translate
 */
protected void addCondition(org.opensaml.saml.saml2.core.Conditions conditions, AssertionCondition c) {
    if (c instanceof AudienceRestriction) {
        conditions.getAudienceRestrictions().add(toSamlAudienceRestriction((AudienceRestriction) c));
    } else if (c instanceof OneTimeUse) {
        org.opensaml.saml.saml2.core.OneTimeUse oneTimeUse =
            buildSAMLObject(org.opensaml.saml.saml2.core.OneTimeUse.class);
        conditions.getConditions().add(oneTimeUse);
    }
}

/** Builds a SAML AudienceRestriction with one Audience element per URI in {@code restriction}. */
private org.opensaml.saml.saml2.core.AudienceRestriction toSamlAudienceRestriction(AudienceRestriction restriction) {
    org.opensaml.saml.saml2.core.AudienceRestriction samlRestriction =
        buildSAMLObject(org.opensaml.saml.saml2.core.AudienceRestriction.class);
    for (String uri : restriction.getAudiences()) {
        Audience samlAudience = buildSAMLObject(Audience.class);
        samlAudience.setAudienceURI(uri);
        samlRestriction.getAudiences().add(samlAudience);
    }
    return samlRestriction;
}
/**
 * Translates SAML 2.0 conditions back into the local {@link AssertionCondition} model. An
 * AudienceRestriction with a non-null audience list becomes an {@link AudienceRestriction}
 * holding the audience URIs; a OneTimeUse becomes a {@link OneTimeUse}. Anything else is dropped.
 *
 * @param conditions the SAML conditions to translate
 * @return the translated conditions, in input order
 */
protected List<AssertionCondition> getCriteria(List<org.opensaml.saml.saml2.core.Condition> conditions) {
    List<AssertionCondition> criteria = new LinkedList<>();
    for (Condition samlCondition : conditions) {
        if (samlCondition instanceof org.opensaml.saml.saml2.core.AudienceRestriction) {
            org.opensaml.saml.saml2.core.AudienceRestriction samlRestriction =
                (org.opensaml.saml.saml2.core.AudienceRestriction) samlCondition;
            if (samlRestriction.getAudiences() == null) {
                continue;
            }
            List<String> uris = samlRestriction.getAudiences().stream()
                .map(samlAudience -> samlAudience.getAudienceURI())
                .collect(Collectors.toList());
            criteria.add(new AudienceRestriction().setAudiences(uris));
        } else if (samlCondition instanceof org.opensaml.saml.saml2.core.OneTimeUse) {
            criteria.add(new OneTimeUse());
        }
    }
    return criteria;
}
/**
 * Builds a SAML Conditions element bounded by the given validity window and restricted to a
 * single audience.
 *
 * @param notBefore the not before
 * @param notOnOrAfter the not on or after
 * @param audienceUri the service id
 * @return the conditions
 */
public Conditions newConditions(final DateTime notBefore, final DateTime notOnOrAfter, final String audienceUri) {
    final Audience audience = newSamlObject(Audience.class);
    audience.setAudienceURI(audienceUri);

    final AudienceRestriction restriction = newSamlObject(AudienceRestriction.class);
    restriction.getAudiences().add(audience);

    final Conditions result = newSamlObject(Conditions.class);
    result.setNotBefore(notBefore);
    result.setNotOnOrAfter(notOnOrAfter);
    result.getAudienceRestrictions().add(restriction);
    return result;
}
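/**
 * Rejects the request unless every AudienceRestriction of the assertion names the absolute
 * address this message is targeted at.
 *
 * <p>SAML 2.0 Core section 2.5.1.4: audiences inside one {@link AudienceRestriction} are
 * alternatives, but multiple restrictions are evaluated independently and must all be satisfied.
 * An assertion with no restrictions, or with a restriction whose audience list is null or
 * lacks the target address, is rejected with the not-authorized exception built by
 * {@code ExceptionUtils.toNotAuthorizedException}.
 *
 * @param message the inbound message, used to derive the absolute target address
 * @param cs the assertion's Conditions element
 */
private void validateAudience(Message message, Conditions cs) {
    String absoluteAddress = getAbsoluteTargetAddress(message);
    List<AudienceRestriction> restrictions = cs.getAudienceRestrictions();
    if (restrictions == null || restrictions.isEmpty()) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    for (AudienceRestriction ar : restrictions) {
        List<Audience> audiences = ar.getAudiences();
        boolean satisfied = false;
        if (audiences != null) {
            for (Audience a : audiences) {
                if (absoluteAddress.equals(a.getAudienceURI())) {
                    satisfied = true;
                    break;
                }
            }
        }
        if (!satisfied) {
            // One unsatisfied restriction invalidates the assertion (fail closed).
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
}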
/**
 * Create an AudienceRestriction object holding one Audience element per URI in the bean. The
 * SAML object builders are looked up on first use and cached in the static fields.
 *
 * @param audienceRestrictionBean of type AudienceRestrictionBean
 * @return an AudienceRestriction object
 */
@SuppressWarnings("unchecked")
public static AudienceRestriction createAudienceRestriction(
    AudienceRestrictionBean audienceRestrictionBean
) {
    if (audienceRestrictionBuilder == null) {
        audienceRestrictionBuilder = (SAMLObjectBuilder<AudienceRestriction>)
            builderFactory.getBuilder(AudienceRestriction.DEFAULT_ELEMENT_NAME);
    }
    if (audienceBuilder == null) {
        audienceBuilder = (SAMLObjectBuilder<Audience>)
            builderFactory.getBuilder(Audience.DEFAULT_ELEMENT_NAME);
    }
    AudienceRestriction restriction = audienceRestrictionBuilder.buildObject();
    for (String uri : audienceRestrictionBean.getAudienceURIs()) {
        restriction.getAudiences().add(audienceFor(uri));
    }
    return restriction;
}

/** Builds one Audience element for {@code audienceURI} using the cached audience builder. */
private static Audience audienceFor(String audienceURI) {
    Audience audience = audienceBuilder.buildObject();
    audience.setAudienceURI(audienceURI);
    return audience;
}
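/**
 * Rejects the request unless every AudienceRestriction of the assertion names the absolute
 * address this message is targeted at.
 *
 * <p>SAML 2.0 Core section 2.5.1.4: audiences inside one {@link AudienceRestriction} are
 * alternatives, but multiple restrictions are evaluated independently and must all be satisfied.
 * An assertion with no restrictions, or with a restriction whose audience list is null or
 * lacks the target address, is rejected with the not-authorized exception built by
 * {@code ExceptionUtils.toNotAuthorizedException}.
 *
 * @param message the inbound message, used to derive the absolute target address
 * @param cs the assertion's Conditions element
 */
private void validateAudience(Message message, Conditions cs) {
    String absoluteAddress = getAbsoluteTargetAddress(message);
    List<AudienceRestriction> restrictions = cs.getAudienceRestrictions();
    if (restrictions == null || restrictions.isEmpty()) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    for (AudienceRestriction ar : restrictions) {
        List<Audience> audiences = ar.getAudiences();
        boolean satisfied = false;
        if (audiences != null) {
            for (Audience a : audiences) {
                if (absoluteAddress.equals(a.getAudienceURI())) {
                    satisfied = true;
                    break;
                }
            }
        }
        if (!satisfied) {
            // One unsatisfied restriction invalidates the assertion (fail closed).
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
}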
/**
 * Create a ProxyRestriction object from the bean: the proxy count is copied only when it is
 * positive, and one Audience element is added per URI in the bean. Builders are looked up on
 * first use and cached in the static fields.
 *
 * @param proxyRestrictionBean source of the proxy count and audience URIs
 * @return a ProxyRestriction object
 */
@SuppressWarnings("unchecked")
public static ProxyRestriction createProxyRestriction(ProxyRestrictionBean proxyRestrictionBean) {
    if (proxyRestrictionBuilder == null) {
        proxyRestrictionBuilder = (SAMLObjectBuilder<ProxyRestriction>)
            builderFactory.getBuilder(ProxyRestriction.DEFAULT_ELEMENT_NAME);
    }
    ProxyRestriction restriction = proxyRestrictionBuilder.buildObject();

    if (proxyRestrictionBean.getCount() > 0) {
        restriction.setProxyCount(proxyRestrictionBean.getCount());
    }

    if (proxyRestrictionBean.getAudienceURIs().isEmpty()) {
        return restriction;
    }
    if (audienceBuilder == null) {
        audienceBuilder = (SAMLObjectBuilder<Audience>)
            builderFactory.getBuilder(Audience.DEFAULT_ELEMENT_NAME);
    }
    for (String uri : proxyRestrictionBean.getAudienceURIs()) {
        Audience entry = audienceBuilder.buildObject();
        entry.setAudienceURI(uri);
        restriction.getAudiences().add(entry);
    }
    return restriction;
}
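/**
 * Validates that the assertion's audience restrictions admit the SP entityId.
 *
 * <p>SAML 2.0 Core section 2.5.1.4: audiences within one {@link AudienceRestriction} are
 * alternatives, but each restriction is evaluated independently and all of them must be
 * satisfied. The check therefore requires {@code spEntityId} in every restriction, not merely in
 * the union of all audiences across restrictions. A restriction with a null or empty audience
 * list names nothing and is treated as unsatisfied.
 *
 * @param audienceRestrictions the audience restrictions
 * @param spEntityId the sp entity id
 * @throws SAMLAssertionAudienceException if the restrictions are null or empty, or any
 *     restriction does not name {@code spEntityId}
 */
protected final void validateAudienceRestrictions(final List<AudienceRestriction> audienceRestrictions, final String spEntityId) {
    if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
        throw new SAMLAssertionAudienceException("Audience restrictions cannot be null or empty");
    }
    for (final AudienceRestriction audienceRestriction : audienceRestrictions) {
        final Set<String> audienceUris = new HashSet<>();
        if (audienceRestriction.getAudiences() != null) {
            for (final Audience audience : audienceRestriction.getAudiences()) {
                audienceUris.add(audience.getAudienceURI());
            }
        }
        if (!audienceUris.contains(spEntityId)) {
            // Message lists only this restriction's audiences, the ones that failed to match.
            throw new SAMLAssertionAudienceException("Assertion audience " + audienceUris + " does not match SP configuration " + spEntityId);
        }
    }
}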
issuerAudience.setAudienceURI(ssoIdPConfigs.getIssuer()); audienceRestriction.getAudiences().add(issuerAudience); if (ssoIdPConfigs.getRequestedAudiences() != null) { for (String requestedAudience : ssoIdPConfigs.getRequestedAudiences()) { Audience audience = new AudienceBuilder().buildObject(); audience.setAudienceURI(requestedAudience); audienceRestriction.getAudiences().add(audience);
.stream() .filter(audience -> contextConfiguration.getIssuerId().equals(audience. getAudienceURI()))) .count() > 0);