.flatMap(r -> r.getAudiences().stream()) .filter(audience -> entityId.equals(audience.getAudienceURI())) .findAny()
audienceRestriction.getAudiences().add(audience); conditions.getAudienceRestrictions().add(audienceRestriction);
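/**
 * Checks whether {@code appliesTo} satisfies the SAML 2 AudienceRestrictions of an assertion.
 *
 * SAML 2.0 Core section 2.5.1.4 requires each {@code <AudienceRestriction>} to be evaluated
 * independently (logical AND across restrictions), while the {@code <Audience>} values inside
 * one restriction are alternatives (logical OR). A restriction is therefore not satisfied merely
 * because some other restriction in the same assertion names {@code appliesTo}; the earlier
 * "return on first hit" loop let a restriction scoped to another relying party go unenforced.
 *
 * @param appliesTo the relying party identifier the token is presented to
 * @param audienceRestrictions the restrictions from the assertion's Conditions; may be null
 * @return true if at least one restriction carries an audience list and every such restriction
 *         names {@code appliesTo}; false otherwise
 */
private boolean matchSaml2AudienceRestriction(
    String appliesTo, List<AudienceRestriction> audienceRestrictions
) {
    if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
        return false;
    }
    boolean anyRestrictionEvaluated = false;
    for (AudienceRestriction audienceRestriction : audienceRestrictions) {
        if (audienceRestriction.getAudiences() == null) {
            // Nothing to evaluate for this restriction.
            continue;
        }
        anyRestrictionEvaluated = true;
        boolean restrictionSatisfied = false;
        for (org.opensaml.saml.saml2.core.Audience audience : audienceRestriction.getAudiences()) {
            if (appliesTo.equals(audience.getAudienceURI())) {
                restrictionSatisfied = true;
                break;
            }
        }
        if (!restrictionSatisfied) {
            // Restrictions are AND-ed: one unsatisfied restriction rejects the token.
            return false;
        }
    }
    return anyRestrictionEvaluated;
}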
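/**
 * Checks whether {@code appliesTo} satisfies the SAML 2 AudienceRestrictions of an assertion.
 *
 * SAML 2.0 Core section 2.5.1.4 requires each {@code <AudienceRestriction>} to be evaluated
 * independently (logical AND across restrictions), while the {@code <Audience>} values inside
 * one restriction are alternatives (logical OR). A restriction is therefore not satisfied merely
 * because some other restriction in the same assertion names {@code appliesTo}; the earlier
 * "return on first hit" loop let a restriction scoped to another relying party go unenforced.
 *
 * @param appliesTo the relying party identifier the token is presented to
 * @param audienceRestrictions the restrictions from the assertion's Conditions; may be null
 * @return true if at least one restriction carries an audience list and every such restriction
 *         names {@code appliesTo}; false otherwise
 */
private boolean matchSaml2AudienceRestriction(
    String appliesTo, List<AudienceRestriction> audienceRestrictions
) {
    if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
        return false;
    }
    boolean anyRestrictionEvaluated = false;
    for (AudienceRestriction audienceRestriction : audienceRestrictions) {
        if (audienceRestriction.getAudiences() == null) {
            // Nothing to evaluate for this restriction.
            continue;
        }
        anyRestrictionEvaluated = true;
        boolean restrictionSatisfied = false;
        for (org.opensaml.saml.saml2.core.Audience audience : audienceRestriction.getAudiences()) {
            if (appliesTo.equals(audience.getAudienceURI())) {
                restrictionSatisfied = true;
                break;
            }
        }
        if (!restrictionSatisfied) {
            // Restrictions are AND-ed: one unsatisfied restriction rejects the token.
            return false;
        }
    }
    return anyRestrictionEvaluated;
}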
/**
 * {@inheritDoc}
 *
 * Attaches {@code Audience} children to the parent {@code AudienceRestriction}; every other
 * child is handed to the superclass unmarshaller. The parent is cast before the child is
 * inspected, so a parent of the wrong type fails regardless of the child.
 */
protected void processChildElement(XMLObject parentObject, XMLObject childObject) throws UnmarshallingException {
    final AudienceRestriction restriction = (AudienceRestriction) parentObject;
    if (childObject instanceof Audience) {
        restriction.getAudiences().add((Audience) childObject);
        return;
    }
    super.processChildElement(parentObject, childObject);
}
}
/**
 * Evaluates the SAML 2 AudienceRestrictions against {@code appliesTo}: every restriction that
 * carries an audience list must contain {@code appliesTo} (restrictions are AND-ed, the
 * audiences inside a single restriction are OR-ed). Restrictions without an audience list are
 * skipped.
 *
 * @param appliesTo the relying party identifier to look for
 * @param audienceRestrictions the restrictions to evaluate; may be null or empty
 * @return true if at least one restriction was evaluated and all evaluated restrictions named
 *         {@code appliesTo}; false if nothing was evaluated or some restriction did not name it
 */
private boolean matchSaml2AudienceRestriction(
    String appliesTo, List<AudienceRestriction> audienceRestrictions
) {
    if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
        return false;
    }
    boolean evaluatedAny = false;
    restrictions:
    for (AudienceRestriction restriction : audienceRestrictions) {
        if (restriction.getAudiences() == null) {
            continue;
        }
        for (org.opensaml.saml.saml2.core.Audience audience : restriction.getAudiences()) {
            if (appliesTo.equals(audience.getAudienceURI())) {
                evaluatedAny = true;
                continue restrictions;
            }
        }
        // This restriction had an audience list but none of its entries matched.
        return false;
    }
    return evaluatedAny;
}
/**
 * Converts OpenSAML conditions into the library's own {@code AssertionCondition} criteria.
 *
 * Only {@code AudienceRestriction} (carrying its audience URIs) and {@code OneTimeUse} are
 * translated; any other condition type is ignored, as is an AudienceRestriction whose audience
 * list is null.
 *
 * @param conditions the OpenSAML conditions to translate
 * @return the translated criteria, in the order the input conditions were encountered
 */
protected List<AssertionCondition> getCriteria(List<org.opensaml.saml.saml2.core.Condition> conditions) {
    List<AssertionCondition> criteria = new LinkedList<>();
    for (Condition condition : conditions) {
        if (condition instanceof org.opensaml.saml.saml2.core.AudienceRestriction) {
            List<org.opensaml.saml.saml2.core.Audience> audiences =
                ((org.opensaml.saml.saml2.core.AudienceRestriction) condition).getAudiences();
            if (audiences == null) {
                continue;
            }
            List<String> audienceUris = audiences.stream()
                .map(org.opensaml.saml.saml2.core.Audience::getAudienceURI)
                .collect(Collectors.toList());
            criteria.add(new AudienceRestriction().setAudiences(audienceUris));
        } else if (condition instanceof org.opensaml.saml.saml2.core.OneTimeUse) {
            criteria.add(new OneTimeUse());
        }
    }
    return criteria;
}
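/**
 * Validate audience by matching the SP entityId against every {@code AudienceRestriction}.
 *
 * SAML 2.0 Core section 2.5.1.4 requires each AudienceRestriction to be evaluated on its own
 * (AND across restrictions) while the Audience values inside one restriction are alternatives
 * (OR). Pooling every audience URI into a single set, as was done before, accepted the
 * assertion as soon as any one restriction named this SP, so a restriction that scoped the
 * assertion to a different party was never enforced.
 *
 * @param audienceRestrictions the audience restrictions
 * @param spEntityId the sp entity id
 * @throws SAMLAssertionAudienceException if there are no restrictions, or if any restriction
 *         does not name {@code spEntityId}
 */
protected final void validateAudienceRestrictions(final List<AudienceRestriction> audienceRestrictions, final String spEntityId) {
    if (audienceRestrictions == null || audienceRestrictions.isEmpty()) {
        throw new SAMLAssertionAudienceException("Audience restrictions cannot be null or empty");
    }
    for (final AudienceRestriction audienceRestriction : audienceRestrictions) {
        // URIs of this one restriction; they are alternatives for each other.
        final Set<String> audienceUris = new HashSet<>();
        if (audienceRestriction.getAudiences() != null) {
            for (final Audience audience : audienceRestriction.getAudiences()) {
                audienceUris.add(audience.getAudienceURI());
            }
        }
        // Restrictions are AND-ed: any one that omits the SP rejects the assertion.
        if (!audienceUris.contains(spEntityId)) {
            throw new SAMLAssertionAudienceException("Assertion audience " + audienceUris
                + " does not match SP configuration " + spEntityId);
        }
    }
}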
.stream() .filter(audienceRestriction -> (((audienceRestriction.getAudiences() != null) && (!audienceRestriction.getAudiences(). isEmpty()))) && (audienceRestriction.getAudiences() .stream() .filter(audience -> contextConfiguration.getIssuerId().equals(audience.
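/**
 * Rejects the request unless the assertion's Conditions permit this endpoint as an audience.
 *
 * SAML 2.0 Core section 2.5.1.4: each AudienceRestriction is evaluated independently (AND)
 * and the Audience values inside one restriction are alternatives (OR). The earlier loop
 * returned as soon as any single restriction listed this address, so a second restriction
 * scoping the assertion to a different party was never enforced. A null restriction list or a
 * restriction with a null audience list is treated as not permitting this endpoint instead of
 * failing with a NullPointerException.
 *
 * @param message the current message, used to derive this endpoint's absolute address
 * @param cs the assertion Conditions whose AudienceRestrictions are checked
 * @throws RuntimeException the exception produced by {@code ExceptionUtils.toNotAuthorizedException}
 *         if there are no restrictions or any restriction does not name this endpoint
 */
private void validateAudience(Message message, Conditions cs) {
    String absoluteAddress = getAbsoluteTargetAddress(message);
    List<AudienceRestriction> restrictions = cs.getAudienceRestrictions();
    if (restrictions == null || restrictions.isEmpty()) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    for (AudienceRestriction ar : restrictions) {
        boolean permitted = false;
        List<Audience> audiences = ar.getAudiences();
        if (audiences != null) {
            for (Audience a : audiences) {
                if (absoluteAddress.equals(a.getAudienceURI())) {
                    permitted = true;
                    break;
                }
            }
        }
        if (!permitted) {
            // Restrictions are AND-ed: one that omits this endpoint rejects the assertion.
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
}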
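/**
 * Rejects the request unless the assertion's Conditions permit this endpoint as an audience.
 *
 * SAML 2.0 Core section 2.5.1.4: each AudienceRestriction is evaluated independently (AND)
 * and the Audience values inside one restriction are alternatives (OR). The earlier loop
 * returned as soon as any single restriction listed this address, so a second restriction
 * scoping the assertion to a different party was never enforced. A null restriction list or a
 * restriction with a null audience list is treated as not permitting this endpoint instead of
 * failing with a NullPointerException.
 *
 * @param message the current message, used to derive this endpoint's absolute address
 * @param cs the assertion Conditions whose AudienceRestrictions are checked
 * @throws RuntimeException the exception produced by {@code ExceptionUtils.toNotAuthorizedException}
 *         if there are no restrictions or any restriction does not name this endpoint
 */
private void validateAudience(Message message, Conditions cs) {
    String absoluteAddress = getAbsoluteTargetAddress(message);
    List<AudienceRestriction> restrictions = cs.getAudienceRestrictions();
    if (restrictions == null || restrictions.isEmpty()) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    for (AudienceRestriction ar : restrictions) {
        boolean permitted = false;
        List<Audience> audiences = ar.getAudiences();
        if (audiences != null) {
            for (Audience a : audiences) {
                if (absoluteAddress.equals(a.getAudienceURI())) {
                    permitted = true;
                    break;
                }
            }
        }
        if (!permitted) {
            // Restrictions are AND-ed: one that omits this endpoint rejects the assertion.
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
}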
/**
 * Appends one {@code Audience} element per entry of the {@code audiences} field to the
 * {@link AudienceRestriction} of the given Conditions, obtaining (or, if absent, creating and
 * attaching) that restriction via {@code getAudienceRestriction}.
 *
 * The restriction is resolved before the builder is looked up, so the order of side effects
 * matches the previous implementation. {@code profileRequestContext} is part of the signature
 * but not read here.
 *
 * @param profileRequestContext current profile request context
 * @param conditions condition that has, or will receive the created, {@link AudienceRestriction}
 */
private void addAudienceRestriction(@Nonnull final ProfileRequestContext profileRequestContext,
        @Nonnull final org.opensaml.saml.saml2.core.Conditions conditions) {
    final AudienceRestriction restriction = getAudienceRestriction(conditions);
    final SAMLObjectBuilder<org.opensaml.saml.saml2.core.Audience> builder =
            (SAMLObjectBuilder<org.opensaml.saml.saml2.core.Audience>) XMLObjectProviderRegistrySupport
                    .getBuilderFactory()
                    .<org.opensaml.saml.saml2.core.Audience>getBuilderOrThrow(
                            org.opensaml.saml.saml2.core.Audience.DEFAULT_ELEMENT_NAME);
    for (final String audienceId : audiences) {
        log.debug("{} Adding {} as an Audience of the AudienceRestriction", getLogPrefix(), audienceId);
        final org.opensaml.saml.saml2.core.Audience element = builder.buildObject();
        element.setAudienceURI(audienceId);
        restriction.getAudiences().add(element);
    }
}
for (final Audience audience : audienceRestriction.getAudiences()) { if (Objects.equals(responderId, StringSupport.trimOrNull(audience.getAudienceURI()))) { log.debug("Local entity ID '{}' already present in assertion AudienceRestriction set, skipping", audienceRestriction.getAudiences().add(idpAudience);
/**
 * Translates one library {@code AssertionCondition} into its OpenSAML form and attaches it to
 * {@code conditions}: an {@code AudienceRestriction} becomes an OpenSAML AudienceRestriction
 * with one Audience per URI, a {@code OneTimeUse} becomes an OpenSAML OneTimeUse. Any other
 * condition type is ignored.
 *
 * @param conditions the OpenSAML Conditions element to extend
 * @param c the condition to translate
 */
protected void addCondition(org.opensaml.saml.saml2.core.Conditions conditions, AssertionCondition c) {
    if (c instanceof AudienceRestriction) {
        org.opensaml.saml.saml2.core.AudienceRestriction restriction =
            buildSAMLObject(org.opensaml.saml.saml2.core.AudienceRestriction.class);
        for (String uri : ((AudienceRestriction) c).getAudiences()) {
            Audience samlAudience = buildSAMLObject(Audience.class);
            samlAudience.setAudienceURI(uri);
            restriction.getAudiences().add(samlAudience);
        }
        conditions.getAudienceRestrictions().add(restriction);
        return;
    }
    if (c instanceof OneTimeUse) {
        org.opensaml.saml.saml2.core.OneTimeUse oneTimeUse =
            buildSAMLObject(org.opensaml.saml.saml2.core.OneTimeUse.class);
        conditions.getConditions().add(oneTimeUse);
    }
}
List<Audience> audiences = audienceRestriction.getAudiences(); if (audiences == null || audiences.isEmpty()) { context.setValidationFailureMessage(String.format(
/**
 * Builds a SAML {@code Conditions} element carrying the validity window and a single
 * {@code AudienceRestriction} that names {@code audienceUri}.
 *
 * @param notBefore start of the validity window
 * @param notOnOrAfter end of the validity window
 * @param audienceUri the service id placed in the sole Audience
 * @return the populated conditions
 */
public Conditions newConditions(final DateTime notBefore, final DateTime notOnOrAfter, final String audienceUri) {
    final Audience audience = newSamlObject(Audience.class);
    audience.setAudienceURI(audienceUri);

    final AudienceRestriction restriction = newSamlObject(AudienceRestriction.class);
    restriction.getAudiences().add(audience);

    final Conditions conditions = newSamlObject(Conditions.class);
    conditions.setNotBefore(notBefore);
    conditions.setNotOnOrAfter(notOnOrAfter);
    conditions.getAudienceRestrictions().add(restriction);
    return conditions;
}
/**
 * Reports whether the inbound AuthnRequest asks for a delegation token by naming this entity
 * ({@code responderId}) in one of its Conditions' AudienceRestriction/Audience values.
 * Audience values are trimmed (and empty ones treated as null) before comparison.
 *
 * @param requestContext the current request context
 * @return true if the AudienceRestrictions condition contained the local entity Id, false otherwise
 */
private boolean isDelegationRequestedByAudience(@Nonnull final ProfileRequestContext requestContext) {
    final Object inbound = requestContext.getInboundMessageContext().getMessage();
    if (!(inbound instanceof AuthnRequest)) {
        log.debug("Inbound SAML message was not an AuthnRequest: {}", inbound.getClass().getName());
        return false;
    }
    final Conditions conditions = ((AuthnRequest) inbound).getConditions();
    if (conditions == null) {
        return false;
    }
    for (final AudienceRestriction ar : conditions.getAudienceRestrictions()) {
        for (final Audience audience : ar.getAudiences()) {
            if (Objects.equals(StringSupport.trimOrNull(audience.getAudienceURI()), responderId)) {
                log.debug("Saw an AuthnRequest/Conditions/AudienceRestriction/Audience with value of '{}'", responderId);
                return true;
            }
        }
    }
    return false;
}
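/**
 * Collects the audience URIs from every AudienceRestriction of the wrapped assertion.
 *
 * Conditions is optional in both SAML 1.1 and SAML 2.0, so an assertion without one now yields
 * an empty list instead of the NullPointerException previously raised when dereferencing
 * {@code getConditions()}.
 *
 * @param assertion the SAML 1.1 or SAML 2.0 assertion
 * @return the audience URIs in the order encountered; empty if the assertion has no Conditions
 *         or no audience restrictions
 */
protected List<String> getAudienceRestrictions(SamlAssertionWrapper assertion) {
    List<String> addresses = new ArrayList<>();
    if (assertion.getSaml1() != null) {
        if (assertion.getSaml1().getConditions() != null) {
            for (AudienceRestrictionCondition restriction
                    : assertion.getSaml1().getConditions().getAudienceRestrictionConditions()) {
                for (org.opensaml.saml.saml1.core.Audience audience : restriction.getAudiences()) {
                    addresses.add(audience.getUri());
                }
            }
        }
    } else if (assertion.getSaml2() != null) {
        if (assertion.getSaml2().getConditions() != null) {
            for (org.opensaml.saml.saml2.core.AudienceRestriction restriction
                    : assertion.getSaml2().getConditions().getAudienceRestrictions()) {
                for (org.opensaml.saml.saml2.core.Audience audience : restriction.getAudiences()) {
                    addresses.add(audience.getAudienceURI());
                }
            }
        }
    }
    return addresses;
}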
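/**
 * Collects the audience URIs from every AudienceRestriction of the wrapped assertion.
 *
 * Conditions is optional in both SAML 1.1 and SAML 2.0, so an assertion without one now yields
 * an empty list instead of the NullPointerException previously raised when dereferencing
 * {@code getConditions()}.
 *
 * @param assertion the SAML 1.1 or SAML 2.0 assertion
 * @return the audience URIs in the order encountered; empty if the assertion has no Conditions
 *         or no audience restrictions
 */
protected List<String> getAudienceRestrictions(SamlAssertionWrapper assertion) {
    List<String> addresses = new ArrayList<>();
    if (assertion.getSaml1() != null) {
        if (assertion.getSaml1().getConditions() != null) {
            for (AudienceRestrictionCondition restriction
                    : assertion.getSaml1().getConditions().getAudienceRestrictionConditions()) {
                for (org.opensaml.saml.saml1.core.Audience audience : restriction.getAudiences()) {
                    addresses.add(audience.getUri());
                }
            }
        }
    } else if (assertion.getSaml2() != null) {
        if (assertion.getSaml2().getConditions() != null) {
            for (org.opensaml.saml.saml2.core.AudienceRestriction restriction
                    : assertion.getSaml2().getConditions().getAudienceRestrictions()) {
                for (org.opensaml.saml.saml2.core.Audience audience : restriction.getAudiences()) {
                    addresses.add(audience.getAudienceURI());
                }
            }
        }
    }
    return addresses;
}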
/**
 * Builds an OpenSAML {@code AudienceRestriction} holding one {@code Audience} per URI in the
 * bean.
 *
 * The two builders are looked up from {@code builderFactory} on first use and cached in the
 * (presumably static) fields {@code audienceRestrictionBuilder} / {@code audienceBuilder};
 * that lazy initialisation is not synchronised, so concurrent first calls may each perform the
 * lookup.
 *
 * @param audienceRestrictionBean of type AudienceRestrictionBean
 * @return an AudienceRestriction object
 */
@SuppressWarnings("unchecked")
public static AudienceRestriction createAudienceRestriction(
    AudienceRestrictionBean audienceRestrictionBean
) {
    if (audienceRestrictionBuilder == null) {
        audienceRestrictionBuilder = (SAMLObjectBuilder<AudienceRestriction>)
            builderFactory.getBuilder(AudienceRestriction.DEFAULT_ELEMENT_NAME);
    }
    if (audienceBuilder == null) {
        audienceBuilder = (SAMLObjectBuilder<Audience>)
            builderFactory.getBuilder(Audience.DEFAULT_ELEMENT_NAME);
    }
    AudienceRestriction restriction = audienceRestrictionBuilder.buildObject();
    for (String uri : audienceRestrictionBean.getAudienceURIs()) {
        Audience entry = audienceBuilder.buildObject();
        entry.setAudienceURI(uri);
        restriction.getAudiences().add(entry);
    }
    return restriction;
}