Recognize Attribute Push
[java-idp.git] / src / edu / internet2 / middleware / shibboleth / serviceprovider / AssertionConsumerServlet.java
index a928f3d..750de42 100644 (file)
@@ -60,11 +60,16 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.log4j.Logger;
+import org.opensaml.SAMLAssertion;
+import org.opensaml.SAMLAttributeStatement;
 import org.opensaml.SAMLAudienceRestrictionCondition;
 import org.opensaml.SAMLCondition;
 import org.opensaml.SAMLException;
 import org.opensaml.SAMLResponse;
+import org.opensaml.SAMLStatement;
 import org.opensaml.SAMLBrowserProfile.BrowserProfileResponse;
+
+import x0.maceShibbolethTargetConfig1.ApplicationDocument.Application;
 import x0.maceShibbolethTargetConfig1.SessionsDocument.Sessions;
 import edu.internet2.middleware.shibboleth.common.ShibBrowserProfile;
 import edu.internet2.middleware.shibboleth.metadata.MetadataException;
@@ -217,17 +222,24 @@ public class AssertionConsumerServlet extends HttpServlet {
         String sessionid=null;
         StringBuffer pproviderId = // Get back IdP Entity name from SAML
             new StringBuffer();
+        ServiceProviderConfig config = context.getServiceProviderConfig();
+        ApplicationInfo application = config.getApplication(applicationId);
+        Application applicationConfig = application.getApplicationConfig();
         
         ShibBrowserProfile profile = new ShibBrowserProfile(applicationId);
+        SPArtifactMapper mapper = new SPArtifactMapper(application,config);
         BrowserProfileResponse samldata = profile.receive(
                 pproviderId,
                 req,
                 shireURL,   // My URL (Why??) To prevent attackers from redirecting messages. 
                 context.getReplayCache(),
-                null,
+                mapper,
                 1
         );
         
+        String[] audienceArray = applicationConfig.getAudienceArray();
+        
+        
         Iterator conditions = samldata.assertion.getConditions();
         while (conditions.hasNext()) {
             SAMLCondition cond =
@@ -240,15 +252,36 @@ public class AssertionConsumerServlet extends HttpServlet {
                 if (audiences==null)
                     continue; // probably invalid
                 boolean matched = false;
-                while (audiences.hasNext()) {
+                StringBuffer audienceTests = new StringBuffer();
+                while (!matched && audiences.hasNext()) {
                     String audienceString = (String) audiences.next();
+                    audienceTests.append(audienceString);
+                    audienceTests.append(' ');
                     if (audienceString.equals(providerId)) {
                         matched=true;
-                        break;
+                    }
+                    if (audienceArray!=null) {
+                        for (int i=0;i<audienceArray.length;i++) {
+                            if (audienceString.equals(audienceArray[i])) {
+                                matched=true;
+                                break;
+                            }
+                        }
                     }
                 }
                 if (!matched) {
-                    throw new SAMLException("Assertion restricted to other audiences.");
+                    log.error("Assertion restricted to "+audienceTests.toString());
+                    StringBuffer audienceBuffer = new StringBuffer("Did not match ");
+                    audienceBuffer.append(providerId);
+                    if (audienceArray!=null && audienceArray.length>0) {
+                        audienceBuffer.append(" or ");
+                        for (int i=0;i<audienceArray.length;i++) {
+                            audienceBuffer.append(audienceArray[i]);
+                            audienceBuffer.append(' ');
+                        }
+                    }
+                    log.error(audienceBuffer.toString());
+                    throw new SAMLException("Assertion failed audience restriction test.");
                 }
             }
         }
@@ -269,16 +302,50 @@ public class AssertionConsumerServlet extends HttpServlet {
         // Very agressive attribute fetch rule 
         // Get the Attributes immediately! [good for debugging]
         Session session = sessionManager.findSession(sessionid, applicationId);
+        
+        checkForAttributePush(samldata, session);
+        
         AttributeRequestor.fetchAttributes(session);
 
         return sessionid;
     }
 
 
+    /**
+     * Scan the POST data for Attribute Assertions. If any are found,
+     * then attributes have been pushed and we don't need to go to 
+     * the AA to get them. 
+     * @param samldata The BrowserProfileResponse containing the SAMLResponse
+     * @param session The Session just created
+     */
+    private static void checkForAttributePush(BrowserProfileResponse samldata, Session session) {
+        SAMLResponse samlresponse = samldata.response;
+        Iterator assertions = samlresponse.getAssertions();
+        while (assertions.hasNext()) {
+            SAMLAssertion assertion = (SAMLAssertion) assertions.next();
+            Iterator statements = assertion.getStatements();
+            while (statements.hasNext()) {
+                SAMLStatement statement = (SAMLStatement) statements.next();
+                if (statement instanceof SAMLAttributeStatement) {
+                    log.info("Found Attributes with Authenticaiton data (Attribute Push).");
+                    session.setAttributeResponse(samlresponse);
+                    // Note, the Attribute Statements have not been checked for 
+                    // AAP or Signatures. AttributeRequestor will bypass calling
+                    // the AA and will reprocess the POST Response for Attributes.
+                    return;
+                }
+            }
+        }
+    }
+
 
+    /**
+     * Artifact comes as a GET
+     */
     protected void doGet(HttpServletRequest arg0, HttpServletResponse arg1)
        throws ServletException, IOException {
-       // Currently the Assertion Consumer does not receive a GET
+        log.debug("Received GET: "+ arg0.getQueryString());
+       doPost(arg0,arg1);
     }