2 * Copyright [2006] [University Corporation for Advanced Internet Development, Inc.]
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 package edu.internet2.middleware.shibboleth.idp.profile.saml2;
19 import java.util.ArrayList;
21 import org.opensaml.common.SAMLObjectBuilder;
22 import org.opensaml.common.binding.BasicEndpointSelector;
23 import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
24 import org.opensaml.common.xml.SAMLConstants;
25 import org.opensaml.saml2.core.AttributeQuery;
26 import org.opensaml.saml2.core.AttributeStatement;
27 import org.opensaml.saml2.core.Response;
28 import org.opensaml.saml2.core.Statement;
29 import org.opensaml.saml2.core.StatusCode;
30 import org.opensaml.saml2.core.Subject;
31 import org.opensaml.saml2.metadata.AssertionConsumerService;
32 import org.opensaml.saml2.metadata.AttributeAuthorityDescriptor;
33 import org.opensaml.saml2.metadata.Endpoint;
34 import org.opensaml.saml2.metadata.EntityDescriptor;
35 import org.opensaml.saml2.metadata.SPSSODescriptor;
36 import org.opensaml.saml2.metadata.provider.MetadataProvider;
37 import org.opensaml.ws.message.decoder.MessageDecodingException;
38 import org.opensaml.ws.transport.http.HTTPInTransport;
39 import org.opensaml.ws.transport.http.HTTPOutTransport;
40 import org.opensaml.xml.security.SecurityException;
41 import org.slf4j.Logger;
42 import org.slf4j.LoggerFactory;
44 import edu.internet2.middleware.shibboleth.common.profile.ProfileException;
45 import edu.internet2.middleware.shibboleth.common.profile.provider.BaseSAMLProfileRequestContext;
46 import edu.internet2.middleware.shibboleth.common.relyingparty.provider.saml2.AttributeQueryConfiguration;
47 import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
48 import edu.internet2.middleware.shibboleth.idp.session.Session;
50 /** SAML 2.0 Attribute Query profile handler. */
51 public class AttributeQueryProfileHandler extends AbstractSAML2ProfileHandler {
54 private static Logger log = LoggerFactory.getLogger(AttributeQueryProfileHandler.class);
56 /** Builder of assertion consumer service endpoints. */
57 private SAMLObjectBuilder<AssertionConsumerService> acsEndpointBuilder;
60 public AttributeQueryProfileHandler() {
63 acsEndpointBuilder = (SAMLObjectBuilder<AssertionConsumerService>) getBuilderFactory().getBuilder(
64 AssertionConsumerService.DEFAULT_ELEMENT_NAME);
68 public String getProfileId() {
69 return AttributeQueryConfiguration.PROFILE_ID;
73 public void processRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport) throws ProfileException {
74 Response samlResponse;
76 AttributeQueryContext requestContext = decodeRequest(inTransport, outTransport);
79 if (requestContext.getProfileConfiguration() == null) {
80 log.error("SAML 2 Attribute Query profile is not configured for relying party "
81 + requestContext.getInboundMessageIssuer());
82 requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.REQUEST_DENIED_URI,
83 "SAML 2 Attribute Query profile is not configured for relying party "
84 + requestContext.getInboundMessageIssuer()));
85 samlResponse = buildErrorResponse(requestContext);
87 checkSamlVersion(requestContext);
89 // Resolve attribute query name id to principal name and place in context
90 resolvePrincipal(requestContext);
92 Session idpSession = getSessionManager().getSession(requestContext.getPrincipalName());
93 if (idpSession != null) {
94 AuthenticationMethodInformation authnInfo = idpSession.getAuthenticationMethods().get(
95 requestContext.getInboundMessageIssuer());
96 if (authnInfo != null) {
97 requestContext.setPrincipalAuthenticationMethod(authnInfo.getAuthenticationMethod());
101 resolveAttributes(requestContext);
102 requestContext.setReleasedAttributes(requestContext.getAttributes().keySet());
104 // Lookup principal name and attributes, create attribute statement from information
105 ArrayList<Statement> statements = new ArrayList<Statement>();
106 AttributeStatement attributeStatement = buildAttributeStatement(requestContext);
107 if (attributeStatement != null) {
108 statements.add(attributeStatement);
111 // create the SAML response
112 samlResponse = buildResponse(requestContext, "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches",
115 } catch (ProfileException e) {
116 samlResponse = buildErrorResponse(requestContext);
119 requestContext.setOutboundSAMLMessage(samlResponse);
120 requestContext.setOutboundSAMLMessageId(samlResponse.getID());
121 requestContext.setOutboundSAMLMessageIssueInstant(samlResponse.getIssueInstant());
123 encodeResponse(requestContext);
124 writeAuditLogEntry(requestContext);
128 * Decodes an incoming request and populates a created request context with the resultant information.
130 * @param inTransport inbound message transport
131 * @param outTransport outbound message transport
133 * @return the created request context
135 * @throws ProfileException throw if there is a problem decoding the request
137 protected AttributeQueryContext decodeRequest(HTTPInTransport inTransport, HTTPOutTransport outTransport)
138 throws ProfileException {
139 log.debug("Decoding message with decoder binding {}", getInboundBinding());
141 AttributeQueryContext requestContext = new AttributeQueryContext();
143 MetadataProvider metadataProvider = getMetadataProvider();
144 requestContext.setMetadataProvider(metadataProvider);
146 requestContext.setInboundMessageTransport(inTransport);
147 requestContext.setInboundSAMLProtocol(SAMLConstants.SAML20P_NS);
148 requestContext.setSecurityPolicyResolver(getSecurityPolicyResolver());
149 requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
151 requestContext.setOutboundMessageTransport(outTransport);
152 requestContext.setOutboundSAMLProtocol(SAMLConstants.SAML20P_NS);
155 SAMLMessageDecoder decoder = getMessageDecoders().get(getInboundBinding());
156 requestContext.setMessageDecoder(decoder);
157 decoder.decode(requestContext);
158 log.debug("Decoded request");
160 if (!(requestContext.getInboundSAMLMessage() instanceof AttributeQuery)) {
161 log.error("Incoming message was not a AttributeQuery, it was a {}", requestContext
162 .getInboundSAMLMessage().getClass().getName());
163 requestContext.setFailureStatus(buildStatus(StatusCode.REQUESTER_URI, null,
164 "Invalid SAML AttributeQuery message."));
165 throw new ProfileException("Invalid SAML AttributeQuery message.");
168 return requestContext;
169 } catch (MessageDecodingException e) {
170 log.error("Error decoding attribute query message", e);
171 requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null, "Error decoding message"));
172 throw new ProfileException("Error decoding attribute query message");
173 } catch (SecurityException e) {
174 log.error("Message did not meet security requirements", e);
175 requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.REQUEST_DENIED_URI,
176 "Message did not meet security requirements"));
177 throw new ProfileException("Message did not meet security requirements", e);
179 // Set as much information as can be retrieved from the decoded message
180 populateRequestContext(requestContext);
181 populateSAMLMessageInformation(requestContext);
182 populateProfileInformation(requestContext);
187 protected void populateRelyingPartyInformation(BaseSAMLProfileRequestContext requestContext)
188 throws ProfileException {
189 super.populateRelyingPartyInformation(requestContext);
191 EntityDescriptor relyingPartyMetadata = requestContext.getPeerEntityMetadata();
192 if (relyingPartyMetadata != null) {
193 requestContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME);
194 requestContext.setPeerEntityRoleMetadata(relyingPartyMetadata.getSPSSODescriptor(SAMLConstants.SAML20P_NS));
199 protected void populateAssertingPartyInformation(BaseSAMLProfileRequestContext requestContext)
200 throws ProfileException {
201 super.populateAssertingPartyInformation(requestContext);
203 EntityDescriptor localEntityDescriptor = requestContext.getLocalEntityMetadata();
204 if (localEntityDescriptor != null) {
205 requestContext.setLocalEntityRole(AttributeAuthorityDescriptor.DEFAULT_ELEMENT_NAME);
206 requestContext.setLocalEntityRoleMetadata(localEntityDescriptor
207 .getAttributeAuthorityDescriptor(SAMLConstants.SAML20P_NS));
212 * Populates the request context with information from the inbound SAML message.
214 * This method requires the the following request context properties to be populated: inbound saml message
216 * This methods populates the following request context properties: subject name identifier
218 * @param requestContext current request context
220 * @throws ProfileException thrown if the inbound SAML message or subject identifier is null
222 protected void populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
223 AttributeQuery query = (AttributeQuery) requestContext.getInboundSAMLMessage();
225 Subject subject = query.getSubject();
226 if (subject == null) {
227 log.error("Attribute query did not contain a proper subject");
228 ((AttributeQueryContext) requestContext).setFailureStatus(buildStatus(StatusCode.REQUESTER_URI, null,
229 "Attribute query did not contain a proper subject"));
230 throw new ProfileException("Attribute query did not contain a proper subject");
232 requestContext.setSubjectNameIdentifier(subject.getNameID());
237 * Selects the appropriate endpoint for the relying party and stores it in the request context.
239 * @param requestContext current request context
241 * @return Endpoint selected from the information provided in the request context
243 protected Endpoint selectEndpoint(BaseSAMLProfileRequestContext requestContext) {
246 if (getInboundBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) {
247 endpoint = acsEndpointBuilder.buildObject();
248 endpoint.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
250 BasicEndpointSelector endpointSelector = new BasicEndpointSelector();
251 endpointSelector.setEndpointType(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
252 endpointSelector.setMetadataProvider(getMetadataProvider());
253 endpointSelector.setEntityMetadata(requestContext.getPeerEntityMetadata());
254 endpointSelector.setEntityRoleMetadata(requestContext.getPeerEntityRoleMetadata());
255 endpointSelector.setSamlRequest(requestContext.getInboundSAMLMessage());
256 endpointSelector.getSupportedIssuerBindings().addAll(getSupportedOutboundBindings());
257 endpoint = endpointSelector.selectEndpoint();
263 /** Basic data structure used to accumulate information as a request is being processed. */
264 protected class AttributeQueryContext extends
265 BaseSAML2ProfileRequestContext<AttributeQuery, Response, AttributeQueryConfiguration> {