src/edu/internet2/middleware/shibboleth/idp/profile/saml2/ArtifactResolution.java

   1 /*
   2  * Copyright [2006] [University Corporation for Advanced Internet Development, Inc.]
   3  *
   4  * Licensed under the Apache License, Version 2.0 (the "License");
   5  * you may not use this file except in compliance with the License.
   6  * You may obtain a copy of the License at
   7  *
   8  * http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  * Unless required by applicable law or agreed to in writing, software
  11  * distributed under the License is distributed on an "AS IS" BASIS,
  12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  * See the License for the specific language governing permissions and
  14  * limitations under the License.
  15  */
  16
  17 package edu.internet2.middleware.shibboleth.idp.profile.saml2;
  18
  19 import org.joda.time.DateTime;
  20 import org.opensaml.common.SAMLObject;
  21 import org.opensaml.common.SAMLObjectBuilder;
  22 import org.opensaml.common.binding.BasicEndpointSelector;
  23 import org.opensaml.common.binding.artifact.SAMLArtifactMap;
  24 import org.opensaml.common.binding.artifact.SAMLArtifactMap.SAMLArtifactMapEntry;
  25 import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
  26 import org.opensaml.common.xml.SAMLConstants;
  27 import org.opensaml.saml2.binding.SAML2ArtifactMessageContext;
  28 import org.opensaml.saml2.core.ArtifactResolve;
  29 import org.opensaml.saml2.core.ArtifactResponse;
  30 import org.opensaml.saml2.core.NameID;
  31 import org.opensaml.saml2.core.Status;
  32 import org.opensaml.saml2.core.StatusCode;
  33 import org.opensaml.saml2.metadata.AssertionConsumerService;
  34 import org.opensaml.saml2.metadata.AttributeAuthorityDescriptor;
  35 import org.opensaml.saml2.metadata.Endpoint;
  36 import org.opensaml.saml2.metadata.EntityDescriptor;
  37 import org.opensaml.saml2.metadata.SPSSODescriptor;
  38 import org.opensaml.saml2.metadata.provider.MetadataProvider;
  39 import org.opensaml.ws.message.decoder.MessageDecodingException;
  40 import org.opensaml.ws.transport.http.HTTPInTransport;
  41 import org.opensaml.ws.transport.http.HTTPOutTransport;
  42 import org.opensaml.xml.security.SecurityException;
  43 import org.slf4j.Logger;
  44 import org.slf4j.LoggerFactory;
  45
  46 import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
  47 import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
  48 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.ArtifactResolutionConfiguration;
  49
  50 /**
  51  * SAML 2.0 Artifact resolution profile handler.
  52  */
  53 public class ArtifactResolution extends AbstractSAML2ProfileHandler {
  54
  55     /** Class logger. */
  56     private final Logger log = LoggerFactory.getLogger(ArtifactResolution.class);
  57
  58     /** Map artifacts to SAML messages. */
  59     private SAMLArtifactMap artifactMap;
  60
  61     /** Artifact response object builder. */
  62     private SAMLObjectBuilder<ArtifactResponse> responseBuilder;
  63
  64     /** Builder of assertion consumer service endpoints. */
  65     private SAMLObjectBuilder<AssertionConsumerService> acsEndpointBuilder;
  66
  67     /**
  68      * Constructor.
  69      *
  70      * @param map ArtifactMap used to lookup artifacts to be resolved.
  71      */
  72     public ArtifactResolution(SAMLArtifactMap map) {
  73         super();
  74
  75         artifactMap = map;
  76
  77         responseBuilder = (SAMLObjectBuilder<ArtifactResponse>) getBuilderFactory().getBuilder(
  78                 ArtifactResponse.DEFAULT_ELEMENT_NAME);
  79         acsEndpointBuilder = (SAMLObjectBuilder<AssertionConsumerService>) getBuilderFactory().getBuilder(
  80                 AssertionConsumerService.DEFAULT_ELEMENT_NAME);
  81     }
  82
  83     /** {@inheritDoc} */
  84     public String getProfileId() {
  85         return ArtifactResolutionConfiguration.PROFILE_ID;
  86     }
  87
  88     /** {@inheritDoc} */
  89     public void processRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport) throws ProfileException {
  90         ArtifactResponse samlResponse;
  91
  92         ArtifactResolutionRequestContext requestContext = decodeRequest(inTransport, outTransport);
  93
  94         try {
  95             if (requestContext.getProfileConfiguration() == null) {
  96                 log.error("SAML 2 Artifact Resolve profile is not configured for relying party "
  97                         + requestContext.getInboundMessageIssuer());
  98                 requestContext.setFailureStatus(buildStatus(StatusCode.SUCCESS_URI, StatusCode.REQUEST_DENIED_URI,
  99                         "SAML 2 Artifact Resolve profile is not configured for relying party "
 100                                 + requestContext.getInboundMessageIssuer()));
 101                 throw new ProfileException("SAML 2 Artifact Resolve profile is not configured for relying party "
 102                         + requestContext.getInboundMessageIssuer());
 103             }
 104
 105             checkSamlVersion(requestContext);
 106
 107             SAMLArtifactMapEntry artifactEntry = artifactMap.get(requestContext.getArtifact());
 108             if (artifactEntry == null || artifactEntry.isExpired()) {
 109                 log.error("Unknown artifact.");
 110                 requestContext.setFailureStatus(buildStatus(StatusCode.SUCCESS_URI, StatusCode.REQUEST_DENIED_URI,
 111                         "Unknown artifact."));
 112             }
 113
 114             if (!artifactEntry.getIssuerId().equals(requestContext.getLocalEntityId())) {
 115                 log.error("Artifact issuer mismatch.  Artifact issued by " + artifactEntry.getIssuerId()
 116                         + " but IdP has entity ID of " + requestContext.getLocalEntityId());
 117                 requestContext.setFailureStatus(buildStatus(StatusCode.SUCCESS_URI, StatusCode.REQUEST_DENIED_URI,
 118                         "Artifact issuer mismatch."));
 119             }
 120
 121             if (!artifactEntry.getRelyingPartyId().equals(requestContext.getInboundMessageIssuer())) {
 122                 log.error("Artifact requester mismatch.  Artifact was issued to " + artifactEntry.getRelyingPartyId()
 123                         + " but was resolve request came from " + requestContext.getInboundMessageIssuer());
 124                 requestContext.setFailureStatus(buildStatus(StatusCode.SUCCESS_URI, StatusCode.REQUEST_DENIED_URI,
 125                         "Artifact requester mismatch."));
 126             }
 127
 128             // create the SAML response
 129             requestContext.setReferencedMessage(artifactEntry.getSamlMessage());
 130             samlResponse = buildArtifactResponse(requestContext);
 131         } catch (ProfileException e) {
 132             samlResponse = buildArtifactErrorResponse(requestContext);
 133         }
 134
 135         requestContext.setOutboundSAMLMessage(samlResponse);
 136         requestContext.setOutboundSAMLMessageId(samlResponse.getID());
 137         requestContext.setOutboundSAMLMessageIssueInstant(samlResponse.getIssueInstant());
 138
 139         encodeResponse(requestContext);
 140         writeAuditLogEntry(requestContext);
 141     }
 142
 143     /**
 144      * Decodes an incoming request and populates a created request context with the resultant information.
 145      *
 146      * @param inTransport inbound message transport
 147      * @param outTransport outbound message transport
 148      *
 149      * @return the created request context
 150      *
 151      * @throws ProfileException throw if there is a problem decoding the request
 152      */
 153     protected ArtifactResolutionRequestContext decodeRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport)
 154             throws ProfileException {
 155         log.debug("Decoding message with decoder binding {}", getInboundBinding());
 156
 157         ArtifactResolutionRequestContext requestContext = new ArtifactResolutionRequestContext();
 158
 159         MetadataProvider metadataProvider = getMetadataProvider();
 160         requestContext.setMetadataProvider(metadataProvider);
 161
 162         requestContext.setInboundMessageTransport(inTransport);
 163         requestContext.setInboundSAMLProtocol(SAMLConstants.SAML20P_NS);
 164         requestContext.setSecurityPolicyResolver(getSecurityPolicyResolver());
 165         requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
 166
 167         requestContext.setOutboundMessageTransport(outTransport);
 168         requestContext.setOutboundSAMLProtocol(SAMLConstants.SAML20P_NS);
 169
 170         try {
 171             SAMLMessageDecoder decoder = getMessageDecoders().get(getInboundBinding());
 172             requestContext.setMessageDecoder(decoder);
 173             decoder.decode(requestContext);
 174             log.debug("Decoded request");
 175             return requestContext;
 176         } catch (MessageDecodingException e) {
 177             log.error("Error decoding artifact resolve message", e);
 178             requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null, "Error decoding message"));
 179             throw new ProfileException("Error decoding artifact resolve message");
 180         } catch (SecurityException e) {
 181             log.error("Message did not meet security requirements", e);
 182             requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.REQUEST_DENIED_URI,
 183                     "Message did not meet security requirements"));
 184             throw new ProfileException("Message did not meet security requirements", e);
 185         } finally {
 186             populateRequestContext(requestContext);
 187             populateSAMLMessageInformation(requestContext);
 188             populateProfileInformation(requestContext);
 189         }
 190     }
 191
 192     /** {@inheritDoc} */
 193     protected void populateRelyingPartyInformation(BaseSAMLProfileRequestContext requestContext)
 194             throws ProfileException {
 195         super.populateRelyingPartyInformation(requestContext);
 196
 197         EntityDescriptor relyingPartyMetadata = requestContext.getPeerEntityMetadata();
 198         if (relyingPartyMetadata != null) {
 199             requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
 200             requestContext.setPeerEntityRoleMetadata(relyingPartyMetadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS));
 201         }
 202     }
 203
 204     /** {@inheritDoc} */
 205     protected void populateAssertingPartyInformation(BaseSAMLProfileRequestContext requestContext)
 206             throws ProfileException {
 207         super.populateAssertingPartyInformation(requestContext);
 208
 209         EntityDescriptor localEntityDescriptor = requestContext.getLocalEntityMetadata();
 210         if (localEntityDescriptor != null) {
 211             requestContext.setLocalEntityRole(AttributeAuthorityDescriptor.DEFAULT_ELEMENT_NAME);
 212             requestContext.setLocalEntityRoleMetadata(localEntityDescriptor
 213                     .getAttributeAuthorityDescriptor(SAMLConstants.SAML20P_NS));
 214         }
 215     }
 216
 217     /**
 218      * Populates the request context with information from the inbound SAML message.
 219      *
 220      * This method requires the the following request context properties to be populated: inbound saml message
 221      *
 222      * This methods populates the following request context properties: subject name identifier
 223      *
 224      * @param requestContext current request context
 225      *
 226      * @throws ProfileException thrown if the inbound SAML message or subject identifier is null
 227      */
 228     protected void populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
 229         ArtifactResolve samlMessage = (ArtifactResolve) requestContext.getInboundSAMLMessage();
 230         ((ArtifactResolutionRequestContext) requestContext).setArtifact(samlMessage.getArtifact().getArtifact());
 231     }
 232
 233     /**
 234      * Selects the appropriate endpoint for the relying party and stores it in the request context.
 235      *
 236      * @param requestContext current request context
 237      *
 238      * @return Endpoint selected from the information provided in the request context
 239      */
 240     protected Endpoint selectEndpoint(BaseSAMLProfileRequestContext requestContext) {
 241         Endpoint endpoint;
 242
 243         if (getInboundBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) {
 244             endpoint = acsEndpointBuilder.buildObject();
 245             endpoint.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
 246         } else {
 247             BasicEndpointSelector endpointSelector = new BasicEndpointSelector();
 248             endpointSelector.setEndpointType(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
 249             endpointSelector.setMetadataProvider(getMetadataProvider());
 250             endpointSelector.setEntityMetadata(requestContext.getPeerEntityMetadata());
 251             endpointSelector.setEntityRoleMetadata(requestContext.getPeerEntityRoleMetadata());
 252             endpointSelector.setSamlRequest(requestContext.getInboundSAMLMessage());
 253             endpointSelector.getSupportedIssuerBindings().addAll(getSupportedOutboundBindings());
 254             endpoint = endpointSelector.selectEndpoint();
 255         }
 256
 257         return endpoint;
 258     }
 259
 260     /**
 261      * Constructs a artifact resolution response with the derferenced SAML message inside.
 262      *
 263      * @param requestContext current request context
 264      *
 265      * @return constructed response
 266      */
 267     protected ArtifactResponse buildArtifactResponse(ArtifactResolutionRequestContext requestContext) {
 268         DateTime issueInstant = new DateTime();
 269
 270         // create the SAML response and add the assertion
 271         ArtifactResponse samlResponse = responseBuilder.buildObject();
 272         samlResponse.setIssueInstant(issueInstant);
 273         populateStatusResponse(requestContext, samlResponse);
 274
 275         if (requestContext.getFailureStatus() == null) {
 276             Status status = buildStatus(StatusCode.SUCCESS_URI, null, null);
 277             samlResponse.setStatus(status);
 278             samlResponse.setMessage(requestContext.getReferencedMessage());
 279         } else {
 280             samlResponse.setStatus(requestContext.getFailureStatus());
 281         }
 282
 283         return samlResponse;
 284     }
 285
 286     /**
 287      * Constructs an artifact resolution response with an error status as content.
 288      *
 289      * @param requestContext current request context
 290      *
 291      * @return constructed response
 292      */
 293     protected ArtifactResponse buildArtifactErrorResponse(ArtifactResolutionRequestContext requestContext) {
 294         ArtifactResponse samlResponse = responseBuilder.buildObject();
 295         samlResponse.setIssueInstant(new DateTime());
 296         populateStatusResponse(requestContext, samlResponse);
 297
 298         samlResponse.setStatus(requestContext.getFailureStatus());
 299
 300         return samlResponse;
 301     }
 302
 303     /** Represents the internal state of a SAML 2.0 Artiface resolver request while it's being processed by the IdP. */
 304     public class ArtifactResolutionRequestContext extends
 305             BaseSAML2ProfileRequestContext<ArtifactResolve, ArtifactResponse, ArtifactResolutionConfiguration>
 306             implements SAML2ArtifactMessageContext<ArtifactResolve, ArtifactResponse, NameID> {
 307
 308         /** Artifact to be resolved. */
 309         private String artifact;
 310
 311         /** Message referenced by the SAML artifact. */
 312         private SAMLObject referencedMessage;
 313
 314         /** {@inheritDoc} */
 315         public String getArtifact() {
 316             return artifact;
 317         }
 318
 319         /** {@inheritDoc} */
 320         public void setArtifact(String saml2Artifact) {
 321             this.artifact = saml2Artifact;
 322         }
 323
 324         /** {@inheritDoc} */
 325         public SAMLObject getReferencedMessage() {
 326             return referencedMessage;
 327         }
 328
 329         /** {@inheritDoc} */
 330         public void setReferencedMessage(SAMLObject message) {
 331             referencedMessage = message;
 332         }
 333     }
 334 }