/*
- * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
- * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
- * provided that the following conditions are met: Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials
- * provided with the distribution, if any, must include the following acknowledgment: "This product includes software
- * developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2 Project.
- * Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor
- * the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
- * products derived from this software without specific prior written permission. For written permission, please contact
- * shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the
- * University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name, without prior
- * written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS PROVIDED BY THE
- * COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE
- * DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO
- * EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC.
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * Copyright [2005] [University Corporation for Advanced Internet Development, Inc.]
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
*/
package edu.internet2.middleware.shibboleth.idp;
import java.util.Arrays;
import java.util.Iterator;
-import javax.servlet.http.HttpServletRequest;
-
import org.apache.log4j.Logger;
import org.apache.xml.security.signature.XMLSignature;
import org.opensaml.InvalidCryptoException;
import edu.internet2.middleware.shibboleth.aa.arp.ArpEngine;
import edu.internet2.middleware.shibboleth.aa.arp.ArpProcessingException;
import edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver;
+import edu.internet2.middleware.shibboleth.artifact.ArtifactMapper;
import edu.internet2.middleware.shibboleth.common.Credential;
import edu.internet2.middleware.shibboleth.common.NameMapper;
import edu.internet2.middleware.shibboleth.common.RelyingParty;
import edu.internet2.middleware.shibboleth.common.ServiceProviderMapper;
+import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
+import edu.internet2.middleware.shibboleth.common.provider.ShibbolethTrust;
+import edu.internet2.middleware.shibboleth.common.Trust;
+import edu.internet2.middleware.shibboleth.metadata.EntitiesDescriptor;
import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
import edu.internet2.middleware.shibboleth.metadata.Metadata;
import edu.internet2.middleware.shibboleth.metadata.MetadataException;
-import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
/**
+ * Delivers core IdP functionality (Attribute resolution, ARP filtering, Metadata lookup, Signing, Mapping between local &
+ * SAML identifiers, etc.) to components that process protocol-specific requests.
+ *
* @author Walter Hoehn
*/
public class IdPProtocolSupport implements Metadata {
private static Logger log = Logger.getLogger(IdPProtocolSupport.class.getName());
private Logger transactionLog;
private IdPConfig config;
- private ArrayList fedMetadata = new ArrayList();
+ private ArrayList metadata = new ArrayList();
private NameMapper nameMapper;
private ServiceProviderMapper spMapper;
private ArpEngine arpEngine;
private AttributeResolver resolver;
+ private ArtifactMapper artifactMapper;
+ private Semaphore throttle;
+ private Trust trust = new ShibbolethTrust();
IdPProtocolSupport(IdPConfig config, Logger transactionLog, NameMapper nameMapper, ServiceProviderMapper spMapper,
- ArpEngine arpEngine, AttributeResolver resolver) {
+ ArpEngine arpEngine, AttributeResolver resolver, ArtifactMapper artifactMapper)
+ throws ShibbolethConfigurationException {
this.transactionLog = transactionLog;
this.config = config;
spMapper.setMetadata(this);
this.arpEngine = arpEngine;
this.resolver = resolver;
- }
+ this.artifactMapper = artifactMapper;
- public static void validateEngineData(HttpServletRequest req) throws InvalidClientDataException {
-
- if ((req.getRemoteUser() == null) || (req.getRemoteUser().equals(""))) { throw new InvalidClientDataException(
- "Unable to authenticate remote user"); }
- if ((req.getRemoteAddr() == null) || (req.getRemoteAddr().equals(""))) { throw new InvalidClientDataException(
- "Unable to obtain client address."); }
+ // Load a semaphore that throttles how many requests the IdP will handle at once
+ throttle = new Semaphore(config.getMaxThreads());
}
public Logger getTransactionLog() {
return spMapper;
}
- public static void addSignatures(SAMLResponse response, RelyingParty relyingParty, EntityDescriptor provider,
- boolean signResponse) throws SAMLException {
+ public void signAssertions(SAMLAssertion[] assertions, RelyingParty relyingParty) throws InvalidCryptoException,
+ SAMLException {
- if (provider != null) {
- boolean signAssertions = false;
+ if (relyingParty.getIdentityProvider().getSigningCredential() == null
+ || relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() == null) { throw new InvalidCryptoException(
+ SAMLException.RESPONDER, "Invalid signing credential."); }
- SPSSODescriptor sp = provider.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
- if (sp == null) {
- log.info("Inappropriate metadata for provider: " + provider.getId() + ". Expected SPSSODescriptor.");
- }
- if (sp.getWantAssertionsSigned()) {
- signAssertions = true;
- }
-
- if (signAssertions && relyingParty.getIdentityProvider().getSigningCredential() != null
- && relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() != null) {
-
- Iterator assertions = response.getAssertions();
-
- while (assertions.hasNext()) {
- SAMLAssertion assertion = (SAMLAssertion) assertions.next();
- String assertionAlgorithm;
- if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
- assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
- } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
- assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
- } else {
- throw new InvalidCryptoException(SAMLException.RESPONDER,
- "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
- }
-
- assertion.sign(assertionAlgorithm, relyingParty.getIdentityProvider().getSigningCredential()
- .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential()
- .getX509CertificateChain()));
- }
- }
- }
-
- // Sign the response, if appropriate
- if (signResponse && relyingParty.getIdentityProvider().getSigningCredential() != null
- && relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() != null) {
-
- String responseAlgorithm;
+ for (int i = 0; i < assertions.length; i++) {
+ String assertionAlgorithm;
if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
- responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
+ assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
} else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
- responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
+ assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
} else {
throw new InvalidCryptoException(SAMLException.RESPONDER,
"The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
}
+ try {
+ throttle.enter();
+ assertions[i].sign(assertionAlgorithm, relyingParty.getIdentityProvider().getSigningCredential()
+ .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential()
+ .getX509CertificateChain()));
+ } finally {
+ throttle.exit();
+ }
+ }
+ }
+
+ public void signResponse(SAMLResponse response, RelyingParty relyingParty) throws SAMLException {
+
+ // Make sure we have an appropriate credential
+ if (relyingParty.getIdentityProvider().getSigningCredential() == null
+ || relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() == null) { throw new InvalidCryptoException(
+ SAMLException.RESPONDER, "Invalid signing credential."); }
+
+ // Sign the response
+ String responseAlgorithm;
+ if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
+ responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
+ } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
+ responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
+ } else {
+ throw new InvalidCryptoException(SAMLException.RESPONDER,
+ "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
+ }
+ try {
+ throttle.enter();
response.sign(responseAlgorithm, relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey(),
Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential().getX509CertificateChain()));
+ } finally {
+ throttle.exit();
}
}
- protected void addFederationProvider(Element element) {
+ protected void addMetadataProvider(Element element) {
- log.debug("Found Federation Provider configuration element.");
- if (!element.getTagName().equals("FederationProvider")) {
- log.error("Error while attemtping to load Federation Provider. Malformed provider specificaion.");
+ log.debug("Found Metadata Provider configuration element.");
+ if (!element.getTagName().equals("MetadataProvider")) {
+ log.error("Error while attemtping to load Metadata Provider. Malformed provider specificaion.");
return;
}
try {
- fedMetadata.add(FederationProviderFactory.loadProvider(element));
+ metadata.add(MetadataProviderFactory.loadProvider(element));
} catch (MetadataException e) {
- log.error("Unable to load Federation Provider. Skipping...");
+ log.error("Unable to load Metadata Provider. Skipping...");
}
}
public int providerCount() {
- return fedMetadata.size();
+ return metadata.size();
}
- public EntityDescriptor lookup(String providerId) {
+ public EntityDescriptor lookup(String providerId, boolean strict) {
- Iterator iterator = fedMetadata.iterator();
+ Iterator iterator = metadata.iterator();
while (iterator.hasNext()) {
EntityDescriptor provider = ((Metadata) iterator.next()).lookup(providerId);
if (provider != null) { return provider; }
return null;
}
- public EntityDescriptor lookup(Artifact artifact) {
+ public EntityDescriptor lookup(Artifact artifact, boolean strict) {
- Iterator iterator = fedMetadata.iterator();
+ Iterator iterator = metadata.iterator();
while (iterator.hasNext()) {
EntityDescriptor provider = ((Metadata) iterator.next()).lookup(artifact);
if (provider != null) { return provider; }
return null;
}
- public SAMLAttribute[] getReleaseAttributes(Principal principal, String requester, URL resource) throws AAException {
+ public EntityDescriptor lookup(String id) {
+ return lookup(id,true);
+ }
+
+ public EntityDescriptor lookup(Artifact artifact) {
+ return lookup(artifact,true);
+ }
+
+ public EntityDescriptor getRootEntity() {
+ return null;
+ }
+
+ public EntitiesDescriptor getRootEntities() {
+ return null;
+ }
+
+ public SAMLAttribute[] getReleaseAttributes(Principal principal, RelyingParty relyingParty, String requester,
+ URL resource) throws AAException {
try {
URI[] potentialAttributes = arpEngine.listPossibleReleaseAttributes(principal, requester, resource);
- return getReleaseAttributes(principal, requester, resource, potentialAttributes);
+ return getReleaseAttributes(principal, relyingParty, requester, resource, potentialAttributes);
} catch (ArpProcessingException e) {
log.error("An error occurred while processing the ARPs for principal (" + principal.getName() + ") :"
}
}
- public SAMLAttribute[] getReleaseAttributes(Principal principal, String requester, URL resource,
- URI[] attributeNames) throws AAException {
+ public SAMLAttribute[] getReleaseAttributes(Principal principal, RelyingParty relyingParty, String requester,
+ URL resource, URI[] attributeNames) throws AAException {
try {
AAAttributeSet attributeSet = new AAAttributeSet();
for (int i = 0; i < attributeNames.length; i++) {
- AAAttribute attribute = new AAAttribute(attributeNames[i].toString());
+
+ AAAttribute attribute = null;
+ if (relyingParty.wantsSchemaHack()) {
+ attribute = new AAAttribute(attributeNames[i].toString(), true);
+ } else {
+ attribute = new AAAttribute(attributeNames[i].toString(), false);
+ }
+
attributeSet.add(attribute);
}
- return resolveAttributes(principal, requester, resource, attributeSet);
+ return resolveAttributes(principal, requester, relyingParty.getIdentityProvider().getProviderId(),
+ resource, attributeSet);
} catch (SAMLException e) {
log.error("An error occurred while creating attributes for principal (" + principal.getName() + ") :"
}
}
- private SAMLAttribute[] resolveAttributes(Principal principal, String requester, URL resource,
+ private SAMLAttribute[] resolveAttributes(Principal principal, String requester, String responder, URL resource,
AAAttributeSet attributeSet) throws ArpProcessingException {
- resolver.resolveAttributes(principal, requester, attributeSet);
+ resolver.resolveAttributes(principal, requester, responder, attributeSet);
arpEngine.filterAttributes(attributeSet, principal, requester, resource);
return attributeSet.getAttributes();
}
resolver.destroy();
arpEngine.destroy();
}
-}
+
+ public ArtifactMapper getArtifactMapper() {
+
+ return artifactMapper;
+ }
+
+ public Trust getTrust() {
+
+ return trust;
+ }
+
+ private class Semaphore {
+
+ private int value;
+
+ public Semaphore(int value) {
+
+ this.value = value;
+ }
+
+ public synchronized void enter() {
+
+ --value;
+ if (value < 0) {
+ try {
+ wait();
+ } catch (InterruptedException e) {
+ // squelch and continue
+ }
+ }
+ }
+
+ public synchronized void exit() {
+
+ ++value;
+ notify();
+ }
+ }
+}
\ No newline at end of file
projects / java-idp.git / blobdiff