Josh Cummings
5 years ago
3 changed files with 337 additions and 0 deletions
@ -0,0 +1,201 @@
@@ -0,0 +1,201 @@
|
||||
/* |
||||
* Copyright 2002-2020 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.saml2.provider.service.registration; |
||||
|
||||
import java.io.IOException; |
||||
import java.io.InputStream; |
||||
import java.security.cert.CertificateException; |
||||
import java.security.cert.X509Certificate; |
||||
import java.util.ArrayList; |
||||
import java.util.Arrays; |
||||
import java.util.List; |
||||
|
||||
import net.shibboleth.utilities.java.support.xml.ParserPool; |
||||
import org.opensaml.core.config.ConfigurationService; |
||||
import org.opensaml.core.xml.config.XMLObjectProviderRegistry; |
||||
import org.opensaml.saml.saml2.metadata.EntityDescriptor; |
||||
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor; |
||||
import org.opensaml.saml.saml2.metadata.KeyDescriptor; |
||||
import org.opensaml.saml.saml2.metadata.SingleSignOnService; |
||||
import org.opensaml.saml.saml2.metadata.impl.EntityDescriptorUnmarshaller; |
||||
import org.opensaml.security.credential.UsageType; |
||||
import org.opensaml.xmlsec.keyinfo.KeyInfoSupport; |
||||
import org.w3c.dom.Document; |
||||
import org.w3c.dom.Element; |
||||
|
||||
import org.springframework.http.HttpInputMessage; |
||||
import org.springframework.http.HttpOutputMessage; |
||||
import org.springframework.http.MediaType; |
||||
import org.springframework.http.converter.HttpMessageConverter; |
||||
import org.springframework.http.converter.HttpMessageNotReadableException; |
||||
import org.springframework.http.converter.HttpMessageNotWritableException; |
||||
import org.springframework.security.saml2.Saml2Exception; |
||||
import org.springframework.security.saml2.core.OpenSamlInitializationService; |
||||
import org.springframework.security.saml2.core.Saml2X509Credential; |
||||
|
||||
import static java.lang.Boolean.TRUE; |
||||
import static org.opensaml.saml.common.xml.SAMLConstants.SAML20P_NS; |
||||
import static org.springframework.security.saml2.core.Saml2X509Credential.encryption; |
||||
import static org.springframework.security.saml2.core.Saml2X509Credential.verification; |
||||
import static org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.withRegistrationId; |
||||
|
||||
/** |
||||
* An {@link HttpMessageConverter} that takes an {@code IDPSSODescriptor} in an HTTP response |
||||
* and converts it into a {@link RelyingPartyRegistration.Builder}. |
||||
* |
||||
* The primary use case for this is constructing a {@link RelyingPartyRegistration} for inclusion in a |
||||
* {@link RelyingPartyRegistrationRepository}. To do so, you can include an instance of this converter in a |
||||
* {@link org.springframework.web.client.RestOperations} like so: |
||||
* |
||||
* <pre> |
||||
* RestOperations rest = new RestTemplate(Collections.singletonList( |
||||
* new RelyingPartyRegistrationsBuilderHttpMessageConverter())); |
||||
* RelyingPartyRegistration.Builder builder = rest.getForObject |
||||
* ("https://idp.example.org/metadata", RelyingPartyRegistration.Builder.class); |
||||
* RelyingPartyRegistration registration = builder.registrationId("registration-id").build(); |
||||
* </pre> |
||||
* |
||||
* Note that this will only configure the asserting party (IDP) half of the {@link RelyingPartyRegistration}, |
||||
* meaning where and how to send AuthnRequests, how to verify Assertions, etc. |
||||
* |
||||
* To further configure the {@link RelyingPartyRegistration} with relying party (SP) information, you may |
||||
* invoke the appropriate methods on the builder. |
||||
* |
||||
* @author Josh Cummings |
||||
* @since 5.4 |
||||
*/ |
||||
public class OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter |
||||
implements HttpMessageConverter<RelyingPartyRegistration.Builder> { |
||||
|
||||
static { |
||||
OpenSamlInitializationService.initialize(); |
||||
} |
||||
|
||||
private final EntityDescriptorUnmarshaller unmarshaller; |
||||
private final ParserPool parserPool; |
||||
|
||||
/** |
||||
* Creates a {@link OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter} |
||||
*/ |
||||
public OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter() { |
||||
XMLObjectProviderRegistry registry = ConfigurationService.get(XMLObjectProviderRegistry.class); |
||||
this.unmarshaller = (EntityDescriptorUnmarshaller) registry.getUnmarshallerFactory() |
||||
.getUnmarshaller(EntityDescriptor.DEFAULT_ELEMENT_NAME); |
||||
this.parserPool = registry.getParserPool(); |
||||
} |
||||
|
||||
/** |
||||
* {@inheritDoc} |
||||
*/ |
||||
@Override |
||||
public boolean canRead(Class<?> clazz, MediaType mediaType) { |
||||
return RelyingPartyRegistration.Builder.class.isAssignableFrom(clazz); |
||||
} |
||||
|
||||
/** |
||||
* {@inheritDoc} |
||||
*/ |
||||
@Override |
||||
public boolean canWrite(Class<?> clazz, MediaType mediaType) { |
||||
return false; |
||||
} |
||||
|
||||
/** |
||||
* {@inheritDoc} |
||||
*/ |
||||
@Override |
||||
public List<MediaType> getSupportedMediaTypes() { |
||||
return Arrays.asList(MediaType.APPLICATION_XML, MediaType.TEXT_XML); |
||||
} |
||||
|
||||
/** |
||||
* {@inheritDoc} |
||||
*/ |
||||
@Override |
||||
public RelyingPartyRegistration.Builder read(Class<? extends RelyingPartyRegistration.Builder> clazz, HttpInputMessage inputMessage) |
||||
throws IOException, HttpMessageNotReadableException { |
||||
|
||||
EntityDescriptor descriptor = entityDescriptor(inputMessage.getBody()); |
||||
IDPSSODescriptor idpssoDescriptor = descriptor.getIDPSSODescriptor(SAML20P_NS); |
||||
if (idpssoDescriptor == null) { |
||||
throw new Saml2Exception("Metadata response is missing the necessary IDPSSODescriptor element"); |
||||
} |
||||
List<Saml2X509Credential> verification = new ArrayList<>(); |
||||
List<Saml2X509Credential> encryption = new ArrayList<>(); |
||||
for (KeyDescriptor keyDescriptor : idpssoDescriptor.getKeyDescriptors()) { |
||||
if (keyDescriptor.getUse().equals(UsageType.SIGNING)) { |
||||
List<X509Certificate> certificates = certificates(keyDescriptor); |
||||
for (X509Certificate certificate : certificates) { |
||||
verification.add(verification(certificate)); |
||||
} |
||||
} |
||||
if (keyDescriptor.getUse().equals(UsageType.ENCRYPTION)) { |
||||
List<X509Certificate> certificates = certificates(keyDescriptor); |
||||
for (X509Certificate certificate : certificates) { |
||||
encryption.add(encryption(certificate)); |
||||
} |
||||
} |
||||
} |
||||
if (verification.isEmpty()) { |
||||
throw new Saml2Exception("Metadata response is missing verification certificates, necessary for verifying SAML assertions"); |
||||
} |
||||
RelyingPartyRegistration.Builder builder = withRegistrationId(descriptor.getEntityID()) |
||||
.assertingPartyDetails(party -> party |
||||
.entityId(descriptor.getEntityID()) |
||||
.wantAuthnRequestsSigned(TRUE.equals(idpssoDescriptor.getWantAuthnRequestsSigned())) |
||||
.verificationX509Credentials(c -> c.addAll(verification)) |
||||
.encryptionX509Credentials(c -> c.addAll(encryption))); |
||||
for (SingleSignOnService singleSignOnService : idpssoDescriptor.getSingleSignOnServices()) { |
||||
Saml2MessageBinding binding; |
||||
if (singleSignOnService.getBinding().equals(Saml2MessageBinding.POST.getUrn())) { |
||||
binding = Saml2MessageBinding.POST; |
||||
} else if (singleSignOnService.getBinding().equals(Saml2MessageBinding.REDIRECT.getUrn())) { |
||||
binding = Saml2MessageBinding.REDIRECT; |
||||
} else { |
||||
continue; |
||||
} |
||||
builder.assertingPartyDetails(party -> party |
||||
.singleSignOnServiceLocation(singleSignOnService.getLocation()) |
||||
.singleSignOnServiceBinding(binding)); |
||||
return builder; |
||||
} |
||||
throw new Saml2Exception("Metadata response is missing a SingleSignOnService, necessary for sending AuthnRequests"); |
||||
} |
||||
|
||||
private List<X509Certificate> certificates(KeyDescriptor keyDescriptor) { |
||||
try { |
||||
return KeyInfoSupport.getCertificates(keyDescriptor.getKeyInfo()); |
||||
} catch (CertificateException e) { |
||||
throw new Saml2Exception(e); |
||||
} |
||||
} |
||||
|
||||
private EntityDescriptor entityDescriptor(InputStream inputStream) { |
||||
try { |
||||
Document document = this.parserPool.parse(inputStream); |
||||
Element element = document.getDocumentElement(); |
||||
return (EntityDescriptor) this.unmarshaller.unmarshall(element); |
||||
} catch (Exception e) { |
||||
throw new Saml2Exception(e); |
||||
} |
||||
} |
||||
|
||||
@Override |
||||
public void write(RelyingPartyRegistration.Builder builder, MediaType contentType, HttpOutputMessage outputMessage) throws HttpMessageNotWritableException { |
||||
throw new HttpMessageNotWritableException("This converter cannot write a RelyingPartyRegistration.Builder"); |
||||
} |
||||
} |
||||
@ -0,0 +1,135 @@
@@ -0,0 +1,135 @@
|
||||
/* |
||||
* Copyright 2002-2020 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.saml2.provider.service.registration; |
||||
|
||||
import java.io.ByteArrayInputStream; |
||||
import java.io.InputStream; |
||||
import java.security.cert.CertificateFactory; |
||||
import java.security.cert.X509Certificate; |
||||
import java.util.Base64; |
||||
|
||||
import org.junit.Before; |
||||
import org.junit.Test; |
||||
|
||||
import org.springframework.mock.http.client.MockClientHttpResponse; |
||||
import org.springframework.security.saml2.Saml2Exception; |
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat; |
||||
import static org.assertj.core.api.Assertions.assertThatCode; |
||||
import static org.springframework.http.HttpStatus.OK; |
||||
|
||||
public class OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverterTests { |
||||
private static final String CERTIFICATE = |
||||
"MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk"; |
||||
|
||||
private static final String ENTITY_DESCRIPTOR_TEMPLATE = |
||||
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" + |
||||
"<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" " + |
||||
"entityID=\"entity-id\" " + |
||||
"ID=\"_bf133aac099b99b3d81286e1a341f2d34188043a77fe15bf4bf1487dae9b2ea3\">\n%s" + |
||||
"</md:EntityDescriptor>"; |
||||
private static final String IDP_SSO_DESCRIPTOR_TEMPLATE = |
||||
"<md:IDPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n" + |
||||
"%s\n" + |
||||
"</md:IDPSSODescriptor>"; |
||||
private static final String KEY_DESCRIPTOR_TEMPLATE = |
||||
"<md:KeyDescriptor use=\"%s\">\n" + |
||||
"<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">\n" + |
||||
"<ds:X509Data>\n" + |
||||
"<ds:X509Certificate>" + CERTIFICATE + "</ds:X509Certificate>\n" + |
||||
"</ds:X509Data>\n" + |
||||
"</ds:KeyInfo>\n" + |
||||
"</md:KeyDescriptor>"; |
||||
private static final String SINGLE_SIGN_ON_SERVICE_TEMPLATE = |
||||
"<md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" " + |
||||
"Location=\"sso-location\"/>"; |
||||
|
||||
private OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter converter; |
||||
|
||||
@Before |
||||
public void setup() { |
||||
this.converter = new OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter(); |
||||
} |
||||
|
||||
@Test |
||||
public void readWhenMissingIDPSSODescriptorThenException() { |
||||
MockClientHttpResponse response = new MockClientHttpResponse |
||||
((String.format(ENTITY_DESCRIPTOR_TEMPLATE, "")).getBytes(), OK); |
||||
assertThatCode(() -> this.converter.read(RelyingPartyRegistration.Builder.class, response)) |
||||
.isInstanceOf(Saml2Exception.class) |
||||
.hasMessageContaining("Metadata response is missing the necessary IDPSSODescriptor element"); |
||||
} |
||||
|
||||
@Test |
||||
public void readWhenMissingVerificationKeyThenException() { |
||||
String payload = String.format(ENTITY_DESCRIPTOR_TEMPLATE, |
||||
String.format(IDP_SSO_DESCRIPTOR_TEMPLATE, "")); |
||||
MockClientHttpResponse response = new MockClientHttpResponse(payload.getBytes(), OK); |
||||
assertThatCode(() -> this.converter.read(RelyingPartyRegistration.Builder.class, response)) |
||||
.isInstanceOf(Saml2Exception.class) |
||||
.hasMessageContaining("Metadata response is missing verification certificates, necessary for verifying SAML assertions"); |
||||
} |
||||
|
||||
@Test |
||||
public void readWhenMissingSingleSignOnServiceThenException() { |
||||
String payload = String.format(ENTITY_DESCRIPTOR_TEMPLATE, |
||||
String.format(IDP_SSO_DESCRIPTOR_TEMPLATE, |
||||
String.format(KEY_DESCRIPTOR_TEMPLATE, "signing") |
||||
)); |
||||
MockClientHttpResponse response = new MockClientHttpResponse(payload.getBytes(), OK); |
||||
assertThatCode(() -> this.converter.read(RelyingPartyRegistration.Builder.class, response)) |
||||
.isInstanceOf(Saml2Exception.class) |
||||
.hasMessageContaining("Metadata response is missing a SingleSignOnService, necessary for sending AuthnRequests"); |
||||
} |
||||
|
||||
@Test |
||||
public void readWhenDescriptorFullySpecifiedThenConfigures() throws Exception { |
||||
String payload = String.format(ENTITY_DESCRIPTOR_TEMPLATE, |
||||
String.format(IDP_SSO_DESCRIPTOR_TEMPLATE, |
||||
String.format(KEY_DESCRIPTOR_TEMPLATE, "signing") + |
||||
String.format(KEY_DESCRIPTOR_TEMPLATE, "encryption") + |
||||
String.format(SINGLE_SIGN_ON_SERVICE_TEMPLATE) |
||||
)); |
||||
MockClientHttpResponse response = new MockClientHttpResponse(payload.getBytes(), OK); |
||||
RelyingPartyRegistration registration = |
||||
this.converter.read(RelyingPartyRegistration.Builder.class, response) |
||||
.registrationId("one") |
||||
.build(); |
||||
RelyingPartyRegistration.AssertingPartyDetails details = |
||||
registration.getAssertingPartyDetails(); |
||||
assertThat(details.getWantAuthnRequestsSigned()).isFalse(); |
||||
assertThat(details.getSingleSignOnServiceLocation()).isEqualTo("sso-location"); |
||||
assertThat(details.getSingleSignOnServiceBinding()).isEqualTo(Saml2MessageBinding.REDIRECT); |
||||
assertThat(details.getEntityId()).isEqualTo("entity-id"); |
||||
assertThat(details.getVerificationX509Credentials()).hasSize(1); |
||||
assertThat(details.getVerificationX509Credentials().iterator().next().getCertificate()) |
||||
.isEqualTo(x509Certificate(CERTIFICATE)); |
||||
assertThat(details.getEncryptionX509Credentials()).hasSize(1); |
||||
assertThat(details.getEncryptionX509Credentials().iterator().next().getCertificate()) |
||||
.isEqualTo(x509Certificate(CERTIFICATE)); |
||||
} |
||||
|
||||
X509Certificate x509Certificate(String data) { |
||||
try { |
||||
InputStream certificate = new ByteArrayInputStream(Base64.getDecoder().decode(data.getBytes())); |
||||
return (X509Certificate) CertificateFactory.getInstance("X.509") |
||||
.generateCertificate(certificate); |
||||
} catch (Exception e) { |
||||
throw new IllegalArgumentException(e); |
||||
} |
||||
} |
||||
} |
||||
Loading…
Reference in new issue