/** * Resolve the EntityDescriptor from the criteria. * * @param criteria the input criteria * @return the input entity descriptor criterion, or null if could not be resolved */ private EntityDescriptor resolveEntityDescriptor(@Nonnull final CriteriaSet criteria) { final RoleDescriptor rd = resolveRoleDescriptor(criteria); if (rd != null && rd.getParent() != null && rd.getParent() instanceof EntityDescriptor) { return (EntityDescriptor)rd.getParent(); } return null; }
/** {@inheritDoc} */ public boolean apply(RoleDescriptor input) { if (input == null) { return false; } QName schemaType = input.getSchemaType(); if (schemaType != null && Objects.equals(role, schemaType)) { return true; } return Objects.equals(role, input.getElementQName()); }
/** {@inheritDoc} */ protected void processChildElement(XMLObject parentSAMLObject, XMLObject childSAMLObject) throws UnmarshallingException { RoleDescriptor roleDescriptor = (RoleDescriptor) parentSAMLObject; if (childSAMLObject instanceof Extensions) { roleDescriptor.setExtensions((Extensions) childSAMLObject); } else if (childSAMLObject instanceof Signature) { roleDescriptor.setSignature((Signature) childSAMLObject); } else if (childSAMLObject instanceof KeyDescriptor) { roleDescriptor.getKeyDescriptors().add((KeyDescriptor) childSAMLObject); } else if (childSAMLObject instanceof Organization) { roleDescriptor.setOrganization((Organization) childSAMLObject); } else if (childSAMLObject instanceof ContactPerson) { roleDescriptor.getContactPersons().add((ContactPerson) childSAMLObject); } else { super.processChildElement(parentSAMLObject, childSAMLObject); } }
/** {@inheritDoc} */ protected void processAttribute(XMLObject samlObject, Attr attribute) throws UnmarshallingException { RoleDescriptor roleDescriptor = (RoleDescriptor) samlObject; if (attribute.getLocalName().equals(RoleDescriptor.ID_ATTRIB_NAME)) { roleDescriptor.setID(attribute.getValue()); attribute.getOwnerElement().setIdAttributeNode(attribute, true); } else if (attribute.getLocalName().equals(TimeBoundSAMLObject.VALID_UNTIL_ATTRIB_NAME) && !Strings.isNullOrEmpty(attribute.getValue())) { roleDescriptor.setValidUntil(new DateTime(attribute.getValue(), ISOChronology.getInstanceUTC())); } else if (attribute.getLocalName().equals(CacheableSAMLObject.CACHE_DURATION_ATTRIB_NAME)) { roleDescriptor.setCacheDuration(DOMTypeSupport.durationToLong(attribute.getValue())); } else if (attribute.getLocalName().equals(RoleDescriptor.PROTOCOL_ENUMERATION_ATTRIB_NAME)) { StringTokenizer protocolTokenizer = new StringTokenizer(attribute.getValue(), " "); while (protocolTokenizer.hasMoreTokens()) { roleDescriptor.addSupportedProtocol(protocolTokenizer.nextToken()); } } else if (attribute.getLocalName().equals(RoleDescriptor.ERROR_URL_ATTRIB_NAME)) { roleDescriptor.setErrorURL(attribute.getValue()); } else { processUnknownAttribute(roleDescriptor, attribute); } } }
roleDescriptor.setCacheDuration(p.getCacheDuration().getTimeInMillis(new Date(now))); roleDescriptor.setValidUntil(p.getValidUntil()); roleDescriptor.addSupportedProtocol(NS_PROTOCOL); roleDescriptor.setID(ofNullable(p.getId()).orElse(UUID.randomUUID().toString())); roleDescriptor.getKeyDescriptors().add(getKeyDescriptor(key)); ExtensionsBuilder extensionsBuilder = (ExtensionsBuilder) getBuilderFactory().getBuilder (Extensions.DEFAULT_ELEMENT_NAME); roleDescriptor.setExtensions(extensionsBuilder.buildObject()); init.setLocation(requestInitiation.getLocation()); init.setResponseLocation(requestInitiation.getResponseLocation()); roleDescriptor.getExtensions().getUnknownXMLObjects().add(init); response.setIsDefault(discovery.isDefault()); response.setIndex(discovery.getIndex()); roleDescriptor.getExtensions().getUnknownXMLObjects().add(response);
Extensions extensions = roleDescriptor.getExtensions(); if (extensions != null) { List<XMLObject> children = extensions.getUnknownXMLObjects(SourceID.DEFAULT_ELEMENT_NAME); if (children != null && !children.isEmpty()) { QName role = descriptor.getSchemaType() != null ? roleDescriptor.getSchemaType() : roleDescriptor.getElementQName(); log.trace("Processing SourceID extensions for entityID '{}' with role '{}'", descriptor.getEntityID(), role);
final HashSet<MetadataIndexKey> result = new HashSet<>(); for (final RoleDescriptor role : descriptor.getRoleDescriptors()) { QName roleType = role.getSchemaType(); if (roleType == null) { roleType = role.getElementQName(); for (final Endpoint endpoint : role.getEndpoints()) { QName endpointType = endpoint.getSchemaType(); if (endpointType == null) {
@Nonnull final QName extensionName) { List<XMLObject> result; Extensions extensions = roleDescriptor.getExtensions(); if (extensions != null) { result = extensions.getUnknownXMLObjects(extensionName); if (roleDescriptor.getParent() instanceof EntityDescriptor) { extensions = ((EntityDescriptor)roleDescriptor.getParent()).getExtensions(); if (extensions != null) { result = extensions.getUnknownXMLObjects(extensionName);
protected List<SimpleKey> getProviderKeys(RoleDescriptor descriptor) { List<SimpleKey> result = new LinkedList<>(); for (KeyDescriptor desc : ofNullable(descriptor.getKeyDescriptors()).orElse(emptyList())) { if (desc != null) { result.addAll(getKeyFromDescriptor(desc)); } } return result; }
/** * Get a string token for logging/debugging purposes that contains role information and containing entityID. * * @param entityID the containing entityID * @param role the role descriptor * * @return the constructed role ID token. */ protected String getRoleIDToken(@Nonnull @NotEmpty final String entityID, @Nonnull final RoleDescriptor role) { final String roleName = role.getElementQName().getLocalPart(); return "[Role: " + entityID + "::" + roleName + "]"; }
while (roleIter.hasNext()) { final RoleDescriptor roleChild = roleIter.next(); if (!roleChild.isSigned()) { log.trace("RoleDescriptor member '{}' was not signed, skipping signature processing...", roleChild.getElementQName()); continue; } else { log.trace("Processing signed RoleDescriptor member: {}", roleChild.getElementQName()); log.error("RoleDescriptor '{}' subordinate to entity '{}' failed signature verification, " + "removing from metadata provider", roleChild.getElementQName(), entityID);
protected Endpoint getRequestInitiation(RoleDescriptor desc) { if (desc.getExtensions() == null) { return null; } Endpoint result = null; for (XMLObject obj : desc.getExtensions().getUnknownXMLObjects()) { if (obj instanceof RequestInitiator) { RequestInitiator req = (RequestInitiator) obj; result = new Endpoint() .setIndex(0) .setDefault(false) .setBinding(Binding.fromUrn(req.getBinding())) .setLocation(req.getLocation()) .setResponseLocation(req.getResponseLocation()); } } return result; }
final List<Endpoint> endpoints = role.getRole().getEndpoints(endpointType); if (endpoints.isEmpty()) { log.debug("{} No endpoints in metadata of type {}", getLogPrefix(), endpointType);
/** * Process a RoleDescriptor by examing each of its KeyDescriptors. * * @param accumulator the set of credentials being accumulated for return to the caller * @param roleDescriptor the KeyDescriptor being processed * @param entityID the entity ID of the KeyDescriptor being processed * @param usage the credential usage type specified as resolve input * * @throws ResolverException if there is a problem resolving credentials from the KeyDescriptor's KeyInfo element */ protected void processRoleDescriptor(@Nonnull final HashSet<Credential> accumulator, @Nonnull final RoleDescriptor roleDescriptor, @Nullable final String entityID, @Nonnull final UsageType usage) throws ResolverException { final List<KeyDescriptor> keyDescriptors = roleDescriptor.getKeyDescriptors(); for (final KeyDescriptor keyDescriptor : keyDescriptors) { UsageType mdUsage = keyDescriptor.getUse(); if (mdUsage == null) { mdUsage = UsageType.UNSPECIFIED; } if (matchUsage(mdUsage, usage)) { if (keyDescriptor.getKeyInfo() != null) { extractCredentials(accumulator, keyDescriptor, entityID, mdUsage); } } } }
/** * Build signature signing parameters signature signing parameters. * * @param descriptor the descriptor * @param service the service * @return the signature signing parameters */ @SneakyThrows protected SignatureSigningParameters buildSignatureSigningParameters(final RoleDescriptor descriptor, final SamlRegisteredService service) { val criteria = new CriteriaSet(); val signatureSigningConfiguration = getSignatureSigningConfiguration(descriptor, service); criteria.add(new SignatureSigningConfigurationCriterion(signatureSigningConfiguration)); criteria.add(new RoleDescriptorCriterion(descriptor)); val resolver = new SAMLMetadataSignatureSigningParametersResolver(); LOGGER.trace("Resolving signature signing parameters for [{}]", descriptor.getElementQName().getLocalPart()); @NonNull val params = resolver.resolveSingle(criteria); LOGGER.trace("Created signature signing parameters." + "\nSignature algorithm: [{}]" + "\nSignature canonicalization algorithm: [{}]" + "\nSignature reference digest methods: [{}]", params.getSignatureAlgorithm(), params.getSignatureCanonicalizationAlgorithm(), params.getSignatureReferenceDigestMethod()); return params; }
protected Endpoint getDiscovery(RoleDescriptor desc) { if (desc.getExtensions() == null) { return null; } Endpoint result = null; for (XMLObject obj : desc.getExtensions().getUnknownXMLObjects()) { if (obj instanceof DiscoveryResponse) { DiscoveryResponse resp = (DiscoveryResponse) obj; result = new Endpoint() .setDefault(resp.isDefault()) .setIndex(resp.getIndex()) .setBinding(Binding.fromUrn(resp.getBinding())) .setLocation(resp.getLocation()) .setResponseLocation(resp.getResponseLocation()); } } return result; }
/** * Gets the effective name for the role. This is either the element QName for roles defined within the SAML metadata * specification or the element schema type QName for those that are not. * * @param role role to get the effective name for * * @return effective name of the role * * @throws FilterException thrown if the effective role name can not be determined */ protected QName getRoleName(@Nonnull final RoleDescriptor role) throws FilterException { QName roleName = role.getElementQName(); if (extRoleDescriptor.equals(roleName)) { roleName = role.getSchemaType(); if (roleName == null) { throw new FilterException("Role descriptor element was " + extRoleDescriptor + " but did not contain a schema type. This is illegal."); } } return roleName; }
/** * Resolves credentials using a supplied instance of {@link RoleDescriptor}. * * @param criteriaSet the criteria set being processed * @param roleDescriptor the role descriptor being processed * @param usage intended usage of resolved credentials * * @return the resolved credentials or null * * @throws ResolverException thrown if the key, certificate, or CRL information is represented in an unsupported * format */ @Nonnull protected Collection<Credential> resolveFromRoleDescriptor(@Nonnull final CriteriaSet criteriaSet, @Nonnull final RoleDescriptor roleDescriptor, @Nonnull final UsageType usage) throws ResolverException { // EntityID here is optional. Not used in resolution, just info stored on the resolved credential(s). String entityID = null; if (roleDescriptor.getParent() instanceof EntityDescriptor) { entityID = ((EntityDescriptor)roleDescriptor.getParent()).getEntityID(); } log.debug("Resolving credentials from supplied RoleDescriptor using usage: {}. Effective entityID was: {}", usage, entityID); final HashSet<Credential> credentials = new HashSet<>(3); processRoleDescriptor(credentials, roleDescriptor, entityID, usage); return credentials; }
final List<KeyDescriptor> keyDescriptors = roleDescriptor.getKeyDescriptors(); for (final KeyDescriptor keyDescriptor : keyDescriptors) { UsageType mdUsage = keyDescriptor.getUse();
new CriteriaSet(new EntityIdCriterion(peerEntityId), new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME))); peer.setRole(roleDescriptor.getElementQName()); val protocol = context.getSubcontext(SAMLProtocolContext.class, true); protocol.setProtocol(SAMLConstants.SAML20P_NS);