src/edu/internet2/middleware/shibboleth/idp/profile/saml1/AttributeQueryProfileHandler.java

   1 /*
   2  * Copyright [2006] [University Corporation for Advanced Internet Development, Inc.]
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  * http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 package edu.internet2.middleware.shibboleth.idp.profile.saml1;
  18
  19 import java.util.ArrayList;
  20
  21 import javax.servlet.ServletRequest;
  22 import javax.servlet.ServletResponse;
  23
  24 import org.apache.log4j.Logger;
  25 import org.opensaml.common.binding.BindingException;
  26 import org.opensaml.common.binding.decoding.MessageDecoder;
  27 import org.opensaml.common.binding.encoding.MessageEncoder;
  28 import org.opensaml.common.binding.security.SAMLSecurityPolicy;
  29 import org.opensaml.common.xml.SAMLConstants;
  30 import org.opensaml.saml1.binding.decoding.HTTPSOAP11Decoder;
  31 import org.opensaml.saml1.binding.encoding.HTTPSOAP11Encoder;
  32 import org.opensaml.saml1.core.AttributeQuery;
  33 import org.opensaml.saml1.core.Response;
  34 import org.opensaml.saml1.core.Statement;
  35 import org.opensaml.saml1.core.StatusCode;
  36 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
  37 import org.opensaml.ws.security.SecurityPolicyException;
  38
  39 import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
  40 import edu.internet2.middleware.shibboleth.common.profile.ProfileRequest;
  41 import edu.internet2.middleware.shibboleth.common.profile.ProfileResponse;
  42 import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration;
  43 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml1.AttributeQueryConfiguration;
  44
  45 /**
  46  * SAML 1 Attribute Query profile handler.
  47  */
  48 public class AttributeQueryProfileHandler extends AbstractSAML1ProfileHandler {
  49
  50     /** Class logger. */
  51     private final Logger log = Logger.getLogger(AttributeQueryProfileHandler.class);
  52
  53     /** {@inheritDoc} */
  54     public String getProfileId() {
  55         return "urn:mace:shibboleth:2.0:idp:profiles:saml1:query:attribute";
  56     }
  57
  58     /** {@inheritDoc} */
  59     public void processRequest(ProfileRequest<ServletRequest> request, ProfileResponse<ServletResponse> response)
  60             throws ProfileException {
  61
  62         AttributeQueryContext requestContext = new AttributeQueryContext(request, response);
  63
  64         Response samlResponse;
  65         try {
  66             decodeRequest(requestContext);
  67
  68             resolvePrincipal(requestContext);
  69
  70             ArrayList<Statement> statements = new ArrayList<Statement>();
  71             statements.add(buildAttributeStatement(requestContext, "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"));
  72
  73             samlResponse = buildResponse(requestContext, statements);
  74         } catch (ProfileException e) {
  75             samlResponse = buildErrorResponse(requestContext);
  76         }
  77     }
  78
  79     /**
  80      * Decodes the message in the request and adds it to the request context.
  81      *
  82      * @param requestContext request context contianing the request to decode
  83      *
  84      * @throws ProfileException throw if there is a problem decoding the request
  85      */
  86     protected void decodeRequest(AttributeQueryContext requestContext) throws ProfileException {
  87         if (log.isDebugEnabled()) {
  88             log.debug("Decoding incomming request");
  89         }
  90         MessageDecoder<ServletRequest> decoder = getMessageDecoderFactory().getMessageDecoder(
  91                 HTTPSOAP11Decoder.BINDING_URI);
  92         if (decoder == null) {
  93             throw new ProfileException("No request decoder was registered for binding type: "
  94                     + HTTPSOAP11Decoder.BINDING_URI);
  95         }
  96         super.populateMessageDecoder(decoder);
  97
  98         decoder.setRequest(requestContext.getProfileRequest().getRawRequest());
  99         requestContext.setMessageDecoder(decoder);
 100
 101         try {
 102             decoder.decode();
 103             if (log.isDebugEnabled()) {
 104                 log.debug("Decoded request");
 105             }
 106         } catch (BindingException e) {
 107             log.error("Error decoding attribute query message", e);
 108             requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, null, "Error decoding message"));
 109             throw new ProfileException("Error decoding attribute query message");
 110         } catch (SecurityPolicyException e) {
 111             log.error("Message did not meet security policy requirements", e);
 112             requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, StatusCode.REQUEST_DENIED,
 113                     "Message did not meet security policy requirements"));
 114             throw new ProfileException("Message did not meet security policy requirements", e);
 115         } finally {
 116             // Set as much information as can be retrieved from the decoded message
 117             SAMLSecurityPolicy securityPolicy = requestContext.getMessageDecoder().getSecurityPolicy();
 118             requestContext.setRelyingPartyId(securityPolicy.getIssuer());
 119
 120             try {
 121                 requestContext.setRelyingPartyMetadata(getMetadataProvider().getEntityDescriptor(
 122                         requestContext.getRelyingPartyId()));
 123
 124                 requestContext.setRelyingPartyRoleMetadata(requestContext.getRelyingPartyMetadata().getSPSSODescriptor(
 125                         SAMLConstants.SAML1P_NS));
 126
 127                 RelyingPartyConfiguration rpConfig = getRelyingPartyConfiguration(requestContext.getRelyingPartyId());
 128                 requestContext.setRelyingPartyConfiguration(rpConfig);
 129
 130                 requestContext.setAssertingPartyId(requestContext.getRelyingPartyConfiguration().getProviderId());
 131
 132                 requestContext.setAssertingPartyMetadata(getMetadataProvider().getEntityDescriptor(
 133                         requestContext.getAssertingPartyId()));
 134
 135                 requestContext.setAssertingPartyRoleMetadata(requestContext.getAssertingPartyMetadata()
 136                         .getAttributeAuthorityDescriptor(SAMLConstants.SAML1P_NS));
 137
 138                 requestContext.setProfileConfiguration((AttributeQueryConfiguration) rpConfig
 139                         .getProfileConfiguration(AttributeQueryConfiguration.PROFILE_ID));
 140
 141                 requestContext.setSamlRequest((AttributeQuery) requestContext.getMessageDecoder().getSAMLMessage());
 142             } catch (MetadataProviderException e) {
 143                 log.error("Unable to locate metadata for asserting or relying party");
 144                 requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER, null,
 145                         "Error locating party metadata"));
 146                 throw new ProfileException("Error locating party metadata");
 147             }
 148         }
 149     }
 150
 151     /**
 152      * Encodes the request's SAML response and writes it to the servlet response.
 153      *
 154      * @param requestContext current request context
 155      *
 156      * @throws ProfileException thrown if no message encoder is registered for this profiles binding
 157      */
 158     protected void encodeResponse(AttributeQueryContext requestContext) throws ProfileException {
 159         if (log.isDebugEnabled()) {
 160             log.debug("Encoding response to SAML request from relying party " + requestContext.getRelyingPartyId());
 161         }
 162         MessageEncoder<ServletResponse> encoder = getMessageEncoderFactory().getMessageEncoder(
 163                 HTTPSOAP11Encoder.BINDING_URI);
 164         if (encoder == null) {
 165             throw new ProfileException("No response encoder was registered for binding type: "
 166                     + HTTPSOAP11Encoder.BINDING_URI);
 167         }
 168
 169         super.populateMessageEncoder(encoder);
 170         encoder.setResponse(requestContext.getProfileResponse().getRawResponse());
 171         encoder.setSamlMessage(requestContext.getSamlResponse());
 172         requestContext.setMessageEncoder(encoder);
 173
 174         try {
 175             encoder.encode();
 176         } catch (BindingException e) {
 177             throw new ProfileException("Unable to encode response to relying party: "
 178                     + requestContext.getRelyingPartyId(), e);
 179         }
 180     }
 181
 182     /** Basic data structure used to accumulate information as a request is being processed. */
 183     protected class AttributeQueryContext extends
 184             SAML1ProfileRequestContext<AttributeQuery, Response, AttributeQueryConfiguration> {
 185
 186         /**
 187          * Constructor.
 188          *
 189          * @param request current profile request
 190          * @param response current profile response
 191          */
 192         public AttributeQueryContext(ProfileRequest<ServletRequest> request, ProfileResponse<ServletResponse> response) {
 193             super(request, response);
 194         }
 195     }
 196 }