src/edu/internet2/middleware/shibboleth/idp/IdPProtocolSupport.java

   1 /*
   2  * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
   3  * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
   4  * provided that the following conditions are met: Redistributions of source code must retain the above copyright
   5  * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above
   6  * copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials
   7  * provided with the distribution, if any, must include the following acknowledgment: "This product includes software
   8  * developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2 Project.
   9  * Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
  10  * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor
  11  * the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
  12  * products derived from this software without specific prior written permission. For written permission, please contact
  13  * shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the
  14  * University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name, without prior
  15  * written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS PROVIDED BY THE
  16  * COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  17  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE
  18  * DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO
  19  * EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC.
  20  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  21  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
  23  * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  24  */
  25
  26 package edu.internet2.middleware.shibboleth.idp;
  27
  28 import java.net.URI;
  29 import java.net.URL;
  30 import java.security.Principal;
  31 import java.util.ArrayList;
  32 import java.util.Arrays;
  33 import java.util.Iterator;
  34
  35 import javax.servlet.http.HttpServletRequest;
  36
  37 import org.apache.log4j.Logger;
  38 import org.apache.xml.security.signature.XMLSignature;
  39 import org.opensaml.InvalidCryptoException;
  40 import org.opensaml.SAMLAssertion;
  41 import org.opensaml.SAMLAttribute;
  42 import org.opensaml.SAMLException;
  43 import org.opensaml.SAMLResponse;
  44 import org.opensaml.artifact.Artifact;
  45 import org.w3c.dom.Element;
  46
  47 import edu.internet2.middleware.shibboleth.aa.AAAttribute;
  48 import edu.internet2.middleware.shibboleth.aa.AAAttributeSet;
  49 import edu.internet2.middleware.shibboleth.aa.AAException;
  50 import edu.internet2.middleware.shibboleth.aa.arp.ArpEngine;
  51 import edu.internet2.middleware.shibboleth.aa.arp.ArpProcessingException;
  52 import edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver;
  53 import edu.internet2.middleware.shibboleth.common.Credential;
  54 import edu.internet2.middleware.shibboleth.common.NameMapper;
  55 import edu.internet2.middleware.shibboleth.common.RelyingParty;
  56 import edu.internet2.middleware.shibboleth.common.ServiceProviderMapper;
  57 import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
  58 import edu.internet2.middleware.shibboleth.metadata.Metadata;
  59 import edu.internet2.middleware.shibboleth.metadata.MetadataException;
  60 import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
  61
  62 /**
  63  * @author Walter Hoehn
  64  */
  65 public class IdPProtocolSupport implements Metadata {
  66
  67         private static Logger                   log                     = Logger.getLogger(IdPProtocolSupport.class.getName());
  68         private Logger                                  transactionLog;
  69         private IdPConfig                               config;
  70         private ArrayList                               fedMetadata     = new ArrayList();
  71         private NameMapper                              nameMapper;
  72         private ServiceProviderMapper   spMapper;
  73         private ArpEngine                               arpEngine;
  74         private AttributeResolver               resolver;
  75
  76         IdPProtocolSupport(IdPConfig config, Logger transactionLog, NameMapper nameMapper, ServiceProviderMapper spMapper,
  77                         ArpEngine arpEngine, AttributeResolver resolver) {
  78
  79                 this.transactionLog = transactionLog;
  80                 this.config = config;
  81                 this.nameMapper = nameMapper;
  82                 this.spMapper = spMapper;
  83                 spMapper.setMetadata(this);
  84                 this.arpEngine = arpEngine;
  85                 this.resolver = resolver;
  86         }
  87
  88         public static void validateEngineData(HttpServletRequest req) throws InvalidClientDataException {
  89
  90                 //TODO this should be pulled out into handlers
  91
  92                 if ((req.getRemoteAddr() == null) || (req.getRemoteAddr().equals(""))) { throw new InvalidClientDataException(
  93                                 "Unable to obtain client address."); }
  94         }
  95
  96         public Logger getTransactionLog() {
  97
  98                 return transactionLog;
  99         }
 100
 101         public IdPConfig getIdPConfig() {
 102
 103                 return config;
 104         }
 105
 106         public NameMapper getNameMapper() {
 107
 108                 return nameMapper;
 109         }
 110
 111         public ServiceProviderMapper getServiceProviderMapper() {
 112
 113                 return spMapper;
 114         }
 115
 116         public static void addSignatures(SAMLResponse response, RelyingParty relyingParty, EntityDescriptor provider,
 117                         boolean signResponse) throws SAMLException {
 118
 119                 if (provider != null) {
 120                         boolean signAssertions = false;
 121
 122                         SPSSODescriptor sp = provider.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
 123                         if (sp == null) {
 124                                 log.info("Inappropriate metadata for provider: " + provider.getId() + ".  Expected SPSSODescriptor.");
 125                         }
 126                         if (sp.getWantAssertionsSigned()) {
 127                                 signAssertions = true;
 128                         }
 129
 130                         if (signAssertions && relyingParty.getIdentityProvider().getSigningCredential() != null
 131                                         && relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() != null) {
 132
 133                                 Iterator assertions = response.getAssertions();
 134
 135                                 while (assertions.hasNext()) {
 136                                         SAMLAssertion assertion = (SAMLAssertion) assertions.next();
 137                                         String assertionAlgorithm;
 138                                         if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
 139                                                 assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
 140                                         } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
 141                                                 assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
 142                                         } else {
 143                                                 throw new InvalidCryptoException(SAMLException.RESPONDER,
 144                                                                 "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
 145                                         }
 146
 147                                         assertion.sign(assertionAlgorithm, relyingParty.getIdentityProvider().getSigningCredential()
 148                                                         .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential()
 149                                                         .getX509CertificateChain()));
 150                                 }
 151                         }
 152                 }
 153
 154                 // Sign the response, if appropriate
 155                 if (signResponse && relyingParty.getIdentityProvider().getSigningCredential() != null
 156                                 && relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() != null) {
 157
 158                         String responseAlgorithm;
 159                         if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
 160                                 responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
 161                         } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
 162                                 responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
 163                         } else {
 164                                 throw new InvalidCryptoException(SAMLException.RESPONDER,
 165                                                 "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
 166                         }
 167
 168                         response.sign(responseAlgorithm, relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey(),
 169                                         Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential().getX509CertificateChain()));
 170                 }
 171         }
 172
 173         protected void addFederationProvider(Element element) {
 174
 175                 log.debug("Found Federation Provider configuration element.");
 176                 if (!element.getTagName().equals("FederationProvider")) {
 177                         log.error("Error while attemtping to load Federation Provider.  Malformed provider specificaion.");
 178                         return;
 179                 }
 180
 181                 try {
 182                         fedMetadata.add(FederationProviderFactory.loadProvider(element));
 183                 } catch (MetadataException e) {
 184                         log.error("Unable to load Federation Provider.  Skipping...");
 185                 }
 186         }
 187
 188         public int providerCount() {
 189
 190                 return fedMetadata.size();
 191         }
 192
 193         public EntityDescriptor lookup(String providerId) {
 194
 195                 Iterator iterator = fedMetadata.iterator();
 196                 while (iterator.hasNext()) {
 197                         EntityDescriptor provider = ((Metadata) iterator.next()).lookup(providerId);
 198                         if (provider != null) { return provider; }
 199                 }
 200                 return null;
 201         }
 202
 203         public EntityDescriptor lookup(Artifact artifact) {
 204
 205                 Iterator iterator = fedMetadata.iterator();
 206                 while (iterator.hasNext()) {
 207                         EntityDescriptor provider = ((Metadata) iterator.next()).lookup(artifact);
 208                         if (provider != null) { return provider; }
 209                 }
 210                 return null;
 211         }
 212
 213         public SAMLAttribute[] getReleaseAttributes(Principal principal, String requester, URL resource) throws AAException {
 214
 215                 try {
 216                         URI[] potentialAttributes = arpEngine.listPossibleReleaseAttributes(principal, requester, resource);
 217                         return getReleaseAttributes(principal, requester, resource, potentialAttributes);
 218
 219                 } catch (ArpProcessingException e) {
 220                         log.error("An error occurred while processing the ARPs for principal (" + principal.getName() + ") :"
 221                                         + e.getMessage());
 222                         throw new AAException("Error retrieving data for principal.");
 223                 }
 224         }
 225
 226         public SAMLAttribute[] getReleaseAttributes(Principal principal, String requester, URL resource,
 227                         URI[] attributeNames) throws AAException {
 228
 229                 try {
 230                         AAAttributeSet attributeSet = new AAAttributeSet();
 231                         for (int i = 0; i < attributeNames.length; i++) {
 232                                 AAAttribute attribute = new AAAttribute(attributeNames[i].toString());
 233                                 attributeSet.add(attribute);
 234                         }
 235
 236                         return resolveAttributes(principal, requester, resource, attributeSet);
 237
 238                 } catch (SAMLException e) {
 239                         log.error("An error occurred while creating attributes for principal (" + principal.getName() + ") :"
 240                                         + e.getMessage());
 241                         throw new AAException("Error retrieving data for principal.");
 242
 243                 } catch (ArpProcessingException e) {
 244                         log.error("An error occurred while processing the ARPs for principal (" + principal.getName() + ") :"
 245                                         + e.getMessage());
 246                         throw new AAException("Error retrieving data for principal.");
 247                 }
 248         }
 249
 250         private SAMLAttribute[] resolveAttributes(Principal principal, String requester, URL resource,
 251                         AAAttributeSet attributeSet) throws ArpProcessingException {
 252
 253                 resolver.resolveAttributes(principal, requester, attributeSet);
 254                 arpEngine.filterAttributes(attributeSet, principal, requester, resource);
 255                 return attributeSet.getAttributes();
 256         }
 257
 258         /**
 259          * Cleanup resources that won't be released when this object is garbage-collected
 260          */
 261         public void destroy() {
 262
 263                 resolver.destroy();
 264                 arpEngine.destroy();
 265         }
 266 }