Commit 55f56719 authored by michael.simon's avatar michael.simon
Browse files

AttributeQuery is working for now

parent 20d0ef74
...@@ -10,22 +10,38 @@ ...@@ -10,22 +10,38 @@
******************************************************************************/ ******************************************************************************/
package edu.kit.scc.webreg.service.saml; package edu.kit.scc.webreg.service.saml;
import java.io.IOException;
import java.io.Serializable; import java.io.Serializable;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List; import java.util.List;
import javax.enterprise.context.ApplicationScoped; import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject; import javax.inject.Inject;
import javax.inject.Named; import javax.inject.Named;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.http.client.HttpClient; import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClients; import org.apache.http.impl.client.HttpClients;
import org.joda.time.DateTime; import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObject; import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.messaging.context.InOutOperationContext; import org.opensaml.messaging.context.InOutOperationContext;
import org.opensaml.messaging.context.MessageContext; import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.pipeline.httpclient.BasicHttpClientMessagePipeline;
import org.opensaml.messaging.pipeline.httpclient.HttpClientMessagePipeline;
import org.opensaml.messaging.pipeline.httpclient.HttpClientMessagePipelineFactory;
import org.opensaml.saml.common.SAMLObject; import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SAMLVersion; import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.messaging.SAMLMessageSecuritySupport;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.common.messaging.context.SAMLEndpointContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.saml2.binding.decoding.impl.HttpClientResponseSOAP11Decoder;
import org.opensaml.saml.saml2.binding.encoding.impl.HttpClientRequestSOAP11Encoder;
import org.opensaml.saml.saml2.core.AttributeQuery; import org.opensaml.saml.saml2.core.AttributeQuery;
import org.opensaml.saml.saml2.core.Issuer; import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID; import org.opensaml.saml.saml2.core.NameID;
...@@ -33,15 +49,25 @@ import org.opensaml.saml.saml2.core.Response; ...@@ -33,15 +49,25 @@ import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject; import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.metadata.AttributeService; import org.opensaml.saml.saml2.metadata.AttributeService;
import org.opensaml.saml.saml2.metadata.EntityDescriptor; import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.soap.client.http.PipelineFactoryHttpSOAPClient;
import org.opensaml.soap.messaging.context.SOAP11Context; import org.opensaml.soap.messaging.context.SOAP11Context;
import org.opensaml.soap.soap11.Body; import org.opensaml.soap.soap11.Body;
import org.opensaml.soap.soap11.Envelope; import org.opensaml.soap.soap11.Envelope;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.config.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.opensaml.xmlsec.criterion.SignatureSigningConfigurationCriterion;
import org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration;
import org.slf4j.Logger; import org.slf4j.Logger;
import edu.kit.scc.webreg.entity.SamlMetadataEntity; import edu.kit.scc.webreg.entity.SamlMetadataEntity;
import edu.kit.scc.webreg.entity.SamlSpConfigurationEntity; import edu.kit.scc.webreg.entity.SamlSpConfigurationEntity;
import edu.kit.scc.webreg.entity.UserEntity; import edu.kit.scc.webreg.entity.UserEntity;
import edu.kit.scc.webreg.exc.MetadataException; import edu.kit.scc.webreg.exc.MetadataException;
import edu.kit.scc.webreg.exc.SamlAuthenticationException;
@Named("attributeQueryHelper") @Named("attributeQueryHelper")
@ApplicationScoped @ApplicationScoped
...@@ -69,81 +95,77 @@ public class AttributeQueryHelper implements Serializable { ...@@ -69,81 +95,77 @@ public class AttributeQueryHelper implements Serializable {
AttributeQuery attrQuery = buildAttributeQuery( AttributeQuery attrQuery = buildAttributeQuery(
persistentId, spEntity.getEntityId()); persistentId, spEntity.getEntityId());
Envelope envelope = buildSOAP11Envelope(attrQuery);
MessageContext<SAMLObject> inbound = new MessageContext<SAMLObject>(); MessageContext<SAMLObject> inbound = new MessageContext<SAMLObject>();
MessageContext<Envelope> outbound = new MessageContext<Envelope>(); MessageContext<SAMLObject> outbound = new MessageContext<SAMLObject>();
outbound.setMessage(envelope); outbound.setMessage(attrQuery);
SAMLPeerEntityContext entityContext = new SAMLPeerEntityContext();
entityContext.setEntityId(idpEntity.getEntityId());
SAMLEndpointContext endpointContext = new SAMLEndpointContext();
endpointContext.setEndpoint(attributeService);
entityContext.addSubcontext(endpointContext);
outbound.addSubcontext(entityContext);
SAMLBindingContext bindingContext = new SAMLBindingContext();
bindingContext.setHasBindingSignature(true);
outbound.addSubcontext(bindingContext);
SOAP11Context soapContext = new SOAP11Context(); SOAP11Context soapContext = new SOAP11Context();
soapContext.setEnvelope(envelope);
outbound.addSubcontext(soapContext); outbound.addSubcontext(soapContext);
InOutOperationContext<SAMLObject, Envelope> inOutContext =
new InOutOperationContext<SAMLObject, Envelope>(inbound, outbound);
// BasicSOAPMessageContext soapContext = new BasicSOAPMessageContext();
// soapContext.setOutboundMessage(envelope);
/*
BasicX509Credential signingCredential;
X509Certificate x509Cert;
PrivateKey privateKey; PrivateKey privateKey;
X509Certificate publicKey;
try { try {
x509Cert = cryptoHelper.getCertificate(spEntity.getCertificate());
privateKey = cryptoHelper.getPrivateKey(spEntity.getPrivateKey()); privateKey = cryptoHelper.getPrivateKey(spEntity.getPrivateKey());
signingCredential = SecurityHelper.getSimpleCredential(x509Cert, privateKey); publicKey = cryptoHelper.getCertificate(spEntity.getCertificate());
} catch (IOException e1) { } catch (IOException e) {
throw new MetadataException("No signing credential for SP " + spEntity.getEntityId(), e1); throw new SamlAuthenticationException("Private key is not set up properly", e);
}
*/
// HttpClientBuilder clientBuilder = new HttpClientBuilder();
/*
try {
clientBuilder.setHttpsProtocolSocketFactory(new CustomSecureProtocolSocketFactory(x509Cert, privateKey));
} catch (KeyManagementException e) {
logger.info("Cannot spawn CustomSecureProtocolSocketFactory: {}", e.getMessage());
} catch (NoSuchAlgorithmException e) {
logger.info("Cannot spawn CustomSecureProtocolSocketFactory: {}", e.getMessage());
} }
*/
/* BasicX509Credential credential = new BasicX509Credential(publicKey, privateKey);
Signature signature = (Signature) samlHelper.getBuilderFactory() List<Credential> credentialList = new ArrayList<Credential>();
.getBuilder(Signature.DEFAULT_ELEMENT_NAME) credentialList.add(credential);
.buildObject(Signature.DEFAULT_ELEMENT_NAME);
SignatureSigningConfiguration ssc = ConfigurationService.get(SignatureSigningConfiguration.class); BasicSignatureSigningConfiguration ssConfig = DefaultSecurityConfigurationBootstrap.buildDefaultSignatureSigningConfiguration();
ssConfig.setSigningCredentials(credentialList);
CriteriaSet criteriaSet = new CriteriaSet();
criteriaSet.add(new SignatureSigningConfigurationCriterion(ssConfig));
criteriaSet.add(new RoleDescriptorCriterion(idpEntityDescriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS)));
SAMLMetadataSignatureSigningParametersResolver smsspr = new SAMLMetadataSignatureSigningParametersResolver();
SignatureSigningParameters ssp = smsspr.resolveSingle(criteriaSet);
SecurityParametersContext securityContext = new SecurityParametersContext();
securityContext.setSignatureSigningParameters(ssp);
outbound.addSubcontext(securityContext);
InOutOperationContext<SAMLObject, SAMLObject> inOutContext =
new InOutOperationContext<SAMLObject, SAMLObject>(inbound, outbound);
SAMLMessageSecuritySupport.signMessage(outbound);
X509KeyInfoGeneratorFactory keyInfoFac = (X509KeyInfoGeneratorFactory) ssc
.getKeyInfoGeneratorManager().getDefaultManager()
.getFactory(signingCredential);
keyInfoFac.setEmitEntityCertificate(false);
keyInfoFac.setEmitEntityCertificateChain(false);
KeyInfoGenerator keyInfoGen = keyInfoFac.newInstance();
KeyInfo keyInfo;
try {
keyInfo = keyInfoGen.generate(signingCredential);
} catch (SecurityException e1) {
throw new MetadataException("Cannot generate keyInfo for SP " + spEntity.getEntityId(), e1);
}
signature.setSigningCredential(signingCredential);
signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
signature.setCanonicalizationAlgorithm(SignatureConstants.TRANSFORM_C14N_EXCL_WITH_COMMENTS);
signature.setKeyInfo(keyInfo);
attrQuery.setSignature(signature);
*/
HttpClient client = HttpClients.custom().build(); HttpClient client = HttpClients.custom().build();
HttpSignableSoapClient soapClient = new HttpSignableSoapClient( PipelineFactoryHttpSOAPClient<SAMLObject, SAMLObject> pf = new PipelineFactoryHttpSOAPClient<SAMLObject, SAMLObject>();
client, samlHelper.getBasicParserPool()); pf.setHttpClient(client);
pf.setPipelineFactory(new HttpClientMessagePipelineFactory<SAMLObject, SAMLObject>() {
soapClient.send(attributeService.getLocation(), inOutContext);
@Override
public HttpClientMessagePipeline<SAMLObject, SAMLObject> newInstance(
String pipelineName) {
return new BasicHttpClientMessagePipeline<SAMLObject, SAMLObject>(new HttpClientRequestSOAP11Encoder(), new HttpClientResponseSOAP11Decoder());
}
@Override
public HttpClientMessagePipeline<SAMLObject, SAMLObject> newInstance() {
return new BasicHttpClientMessagePipeline<SAMLObject, SAMLObject>(new HttpClientRequestSOAP11Encoder(), new HttpClientResponseSOAP11Decoder());
}
});
pf.send(attributeService.getLocation(), inOutContext);
Envelope returnEnvelope = (Envelope) inOutContext.getInboundMessageContext().getMessage(); Response returnResponse = (Response) inOutContext.getInboundMessageContext().getMessage();
return getResponseFromEnvelope(returnEnvelope); return returnResponse;
} }
public Response query(UserEntity entity, SamlMetadataEntity idpEntity, public Response query(UserEntity entity, SamlMetadataEntity idpEntity,
...@@ -173,20 +195,6 @@ public class AttributeQueryHelper implements Serializable { ...@@ -173,20 +195,6 @@ public class AttributeQueryHelper implements Serializable {
return attrQuery; return attrQuery;
} }
public Envelope buildSOAP11Envelope(XMLObject payload) {
XMLObjectBuilderFactory bf = samlHelper.getBuilderFactory();
Envelope envelope = (Envelope) bf.getBuilder(
Envelope.DEFAULT_ELEMENT_NAME).buildObject(
Envelope.DEFAULT_ELEMENT_NAME);
Body body = (Body) bf.getBuilder(Body.DEFAULT_ELEMENT_NAME)
.buildObject(Body.DEFAULT_ELEMENT_NAME);
body.getUnknownXMLObjects().add(payload);
envelope.setBody(body);
return envelope;
}
public Subject createSubject(String persistentId) { public Subject createSubject(String persistentId) {
NameID nameID = samlHelper.create(NameID.class, NameID.DEFAULT_ELEMENT_NAME); NameID nameID = samlHelper.create(NameID.class, NameID.DEFAULT_ELEMENT_NAME);
nameID.setValue(persistentId); nameID.setValue(persistentId);
......
...@@ -44,12 +44,12 @@ ...@@ -44,12 +44,12 @@
<dependency> <dependency>
<groupId>org.opensaml</groupId> <groupId>org.opensaml</groupId>
<artifactId>opensaml-saml-api</artifactId> <artifactId>opensaml-saml-api</artifactId>
<version>3.1.1</version> <version>3.2.0</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.opensaml</groupId> <groupId>org.opensaml</groupId>
<artifactId>opensaml-saml-impl</artifactId> <artifactId>opensaml-saml-impl</artifactId>
<version>3.1.1</version> <version>3.2.0</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.apache.velocity</groupId> <groupId>org.apache.velocity</groupId>
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment