org.opensaml.saml.common.profile.impl.SignAssertions Maven / Gradle / Ivy
/*
* Licensed to the University Corporation for Advanced Internet Development,
* Inc. (UCAID) under one or more contributor license agreements. See the
* NOTICE file distributed with this work for additional information regarding
* copyright ownership. The UCAID licenses this file to You under the Apache
* License, Version 2.0 (the "License"); you may not use this file except in
* compliance with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.opensaml.saml.common.profile.impl;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.context.navigate.MessageLookup;
import org.opensaml.profile.action.AbstractProfileAction;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.OutboundMessageContextLookup;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.core.ArtifactResponse;
import org.opensaml.security.SecurityException;
import org.opensaml.xmlsec.SignatureSigningParameters;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureSupport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;
import com.google.common.base.Function;
import com.google.common.base.Functions;
/**
* Action that signs assertions in a SAML 1/2 Response returned by a lookup strategy,
* by default the message returned by {@link ProfileRequestContext#getOutboundMessageContext()}.
*
* The {@link SecurityParametersContext} governing the signing process is located by a lookup
* strategy, by default a child of the profile request context.
*
* @event {@link EventIds#PROCEED_EVENT_ID}
* @event {@link EventIds#INVALID_MSG_CTX}
*/
public class SignAssertions extends AbstractProfileAction {
/** Class logger. */
@Nonnull private final Logger log = LoggerFactory.getLogger(SignAssertions.class);
/** Strategy used to locate the response to operate on. */
@Nonnull private Function responseLookupStrategy;
/** Strategy used to locate the {@link SecurityParametersContext} to use for signing. */
@Nonnull private Function securityParametersLookupStrategy;
/** The signature signing parameters. */
@Nullable private SignatureSigningParameters signatureSigningParameters;
/** The response containing the assertions to be signed. */
@Nullable private SAMLObject response;
/** Constructor. */
public SignAssertions() {
responseLookupStrategy =
Functions.compose(new MessageLookup<>(SAMLObject.class), new OutboundMessageContextLookup());
securityParametersLookupStrategy = new ChildContextLookup<>(SecurityParametersContext.class);
}
/**
* Set the strategy used to locate the response to operate on.
*
* @param strategy lookup strategy
*/
public void setResponseLookupStrategy(@Nonnull final Function strategy) {
ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
responseLookupStrategy = Constraint.isNotNull(strategy, "Response lookup strategy cannot be null");
}
/**
* Set the strategy used to locate the {@link SecurityParametersContext} to use.
*
* @param strategy lookup strategy
*/
public void setSecurityParametersLookupStrategy(
@Nonnull final Function strategy) {
ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
securityParametersLookupStrategy = Constraint.isNotNull(strategy,
"SecurityParameterContext lookup strategy cannot be null");
}
/** {@inheritDoc} */
@Override
protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
response = responseLookupStrategy.apply(profileRequestContext);
if (response == null) {
log.debug("{} No SAML Response located in current profile request context", getLogPrefix());
ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX);
return false;
}
// Step down into ArtifactResponses.
if (response instanceof ArtifactResponse) {
response = ((ArtifactResponse) response).getMessage();
}
if (response instanceof org.opensaml.saml.saml1.core.Response) {
if (((org.opensaml.saml.saml1.core.Response) response).getAssertions().isEmpty()) {
log.debug("{} No assertions available, nothing to do", getLogPrefix());
return false;
}
} else if (response instanceof org.opensaml.saml.saml2.core.Response) {
if (((org.opensaml.saml.saml2.core.Response) response).getAssertions().isEmpty()) {
log.debug("{} No assertions available, nothing to do", getLogPrefix());
return false;
}
} else {
log.debug("{} Message returned by lookup strategy was not a SAML Response", getLogPrefix());
ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX);
return false;
}
final SecurityParametersContext secParamCtx = securityParametersLookupStrategy.apply(profileRequestContext);
if (secParamCtx == null) {
log.debug("{} Will not sign assertions because no security parameters context is available",
getLogPrefix());
return false;
}
signatureSigningParameters = secParamCtx.getSignatureSigningParameters();
if (signatureSigningParameters == null) {
log.debug("{} Will not sign assertions because no signature signing parameters available", getLogPrefix());
return false;
}
return super.doPreExecute(profileRequestContext);
}
/** {@inheritDoc} */
@Override
protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
try {
// TODO Maybe the response should not be logged ?
if (log.isTraceEnabled()) {
logResponse("Response before signing:");
}
if (response instanceof org.opensaml.saml.saml1.core.Response) {
for (final org.opensaml.saml.saml1.core.Assertion assertion :
((org.opensaml.saml.saml1.core.Response) response).getAssertions()) {
SignatureSupport.signObject(assertion, signatureSigningParameters);
}
} else if (response instanceof org.opensaml.saml.saml2.core.Response) {
for (final org.opensaml.saml.saml2.core.Assertion assertion :
((org.opensaml.saml.saml2.core.Response) response).getAssertions()) {
SignatureSupport.signObject(assertion, signatureSigningParameters);
}
}
// TODO Maybe the response should not be logged ?
if (log.isTraceEnabled()) {
logResponse("Response after signing:");
}
} catch (final SecurityException | MarshallingException | SignatureException e) {
log.warn("{} Error encountered while signing assertions", getLogPrefix(), e);
ActionSupport.buildEvent(profileRequestContext, EventIds.UNABLE_TO_SIGN);
}
}
/**
* Log the Response with the given message at trace level.
*
* @param message the log message
*/
private void logResponse(@Nonnull final String message) {
if (message != null && response != null) {
try {
final Element dom = XMLObjectSupport.marshall(response);
log.trace(message + "\n" + SerializeSupport.prettyPrintXML(dom));
} catch (final MarshallingException e) {
log.warn("Unable to marshall message for logging purposes", e);
}
}
}
}