ensure name identifier properly logged in audit log - SIDP-415
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 20 Sep 2010 14:11:05 +0000 (14:11 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 20 Sep 2010 14:11:05 +0000 (14:11 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/branches/REL_2@2952 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

doc/RELEASE-NOTES.txt
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/AbstractSAML1ProfileHandler.java
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/AbstractSAML2ProfileHandler.java

index b74325a..3d0c7df 100644 (file)
@@ -1,5 +1,6 @@
 Changes in Release 2.2.0
 =============================================
+[SIDP-415] - SAML name identifier value not logged in audit log
 [SIDP-411] - Check for loginContext != null at login.jsp
 [SIDP-409] - Pass IdP w/o authenticating
 [SIDP-407] - Shibboleth SSO profile handler sets incorrect protocol string in outbound message context
index a626398..3e7f0ea 100644 (file)
@@ -373,6 +373,7 @@ public abstract class AbstractSAML1ProfileHandler extends AbstractSAMLProfileHan
         }
 
         BaseAttribute<?> nameIdAttribute = nameIdAttributeAndEncoder.getFirst();
+        requestContext.setNameIdentifierAttribute(nameIdAttribute);
         SAML1NameIdentifierEncoder nameIdEncoder = nameIdAttributeAndEncoder.getSecond();
 
         try {
@@ -682,6 +683,13 @@ public abstract class AbstractSAML1ProfileHandler extends AbstractSAMLProfileHan
         if (context.getReleasedAttributes() != null) {
             auditLogEntry.getReleasedAttributes().addAll(context.getReleasedAttributes());
         }
+        
+        if (context.getNameIdentifierAttribute() != null) {
+            Object idValue = context.getNameIdentifierAttribute().getValues().iterator().next();
+            if(idValue != null){
+                auditLogEntry.setNameIdValue(idValue.toString());
+            }
+        }
 
         getAduitLog().info(auditLogEntry.toString());
     }
@@ -714,32 +722,17 @@ public abstract class AbstractSAML1ProfileHandler extends AbstractSAMLProfileHan
         public String toString() {
             StringBuilder entryString = new StringBuilder(super.toString());
 
-            NameIdentifier nameIdentifier = null;
             StringBuilder assertionIds = new StringBuilder();
             List<Assertion> assertions = samlResponse.getAssertions();
             if (assertions != null && !assertions.isEmpty()) {
                 for (Assertion assertion : assertions) {
                     assertionIds.append(assertion.getID());
                     assertionIds.append(",");
-
-                    if (nameIdentifier == null) {
-                        List<Statement> statements = assertion.getStatements();
-                        if (statements != null && !statements.isEmpty()) {
-                            for (Statement statement : statements) {
-                                if (statement instanceof SubjectStatement) {
-                                    if (((SubjectStatement) statement).getSubject() != null) {
-                                        nameIdentifier = ((SubjectStatement) statement).getSubject()
-                                                .getNameIdentifier();
-                                    }
-                                }
-                            }
-                        }
-                    }
                 }
             }
 
-            if (nameIdentifier != null) {
-                entryString.append(nameIdentifier.getNameIdentifier());
+            if (getNameIdValue() != null) {
+                entryString.append(getNameIdValue());
             }
             entryString.append("|");
 
index 1672171..672282e 100644 (file)
@@ -266,8 +266,8 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
             signAssertion(requestContext, assertion);
 
             if (isEncryptAssertion(requestContext)) {
-                log.debug("Attempting to encrypt assertion to relying party '{}'", requestContext
-                        .getInboundMessageIssuer());
+                log.debug("Attempting to encrypt assertion to relying party '{}'",
+                        requestContext.getInboundMessageIssuer());
                 try {
                     Encrypter encrypter = getEncrypter(requestContext.getInboundMessageIssuer());
                     samlResponse.getEncryptedAssertions().add(encrypter.encrypt(assertion));
@@ -311,8 +311,8 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
                     || (requestContext.getProfileConfiguration().getEncryptAssertion() == CryptoOperationRequirementLevel.conditional && !encoder
                             .providesMessageConfidentiality(requestContext));
         } catch (MessageEncodingException e) {
-            log.error("Unable to determine if outbound encoding '{}' can provide confidentiality", encoder
-                    .getBindingURI());
+            log.error("Unable to determine if outbound encoding '{}' can provide confidentiality",
+                    encoder.getBindingURI());
             throw new ProfileException("Unable to determine if assertions should be encrypted");
         }
     }
@@ -461,10 +461,9 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
 
             requestContext.setAttributes(principalAttributes);
         } catch (AttributeRequestException e) {
-            log
-                    .warn(
-                            "Error resolving attributes for principal '{}'.  No name identifier or attribute statement will be included in response",
-                            requestContext.getPrincipalName());
+            log.warn(
+                    "Error resolving attributes for principal '{}'.  No name identifier or attribute statement will be included in response",
+                    requestContext.getPrincipalName());
         }
     }
 
@@ -521,8 +520,8 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
             throw new ProfileException(msg);
         }
         SAML2AttributeAuthority attributeAuthority = profileConfiguration.getAttributeAuthority();
-        log.debug("Resolving principal name for subject of SAML request '{}' from relying party '{}'", requestContext
-                .getInboundSAMLMessageId(), requestContext.getInboundMessageIssuer());
+        log.debug("Resolving principal name for subject of SAML request '{}' from relying party '{}'",
+                requestContext.getInboundSAMLMessageId(), requestContext.getInboundMessageIssuer());
 
         try {
             String principal = attributeAuthority.getPrincipal(requestContext);
@@ -550,8 +549,8 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
      */
     protected void signAssertion(BaseSAML2ProfileRequestContext<?, ?, ?> requestContext, Assertion assertion)
             throws ProfileException {
-        log.debug("Determining if SAML assertion to relying party '{}' should be signed", requestContext
-                .getInboundMessageIssuer());
+        log.debug("Determining if SAML assertion to relying party '{}' should be signed",
+                requestContext.getInboundMessageIssuer());
 
         boolean signAssertion = isSignAssertion(requestContext);
 
@@ -561,8 +560,8 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
 
         AbstractSAML2ProfileConfiguration profileConfig = requestContext.getProfileConfiguration();
 
-        log.debug("Determining signing credntial for assertion to relying party '{}'", requestContext
-                .getInboundMessageIssuer());
+        log.debug("Determining signing credntial for assertion to relying party '{}'",
+                requestContext.getInboundMessageIssuer());
         Credential signatureCredential = profileConfig.getSigningCredential();
         if (signatureCredential == null) {
             signatureCredential = requestContext.getRelyingPartyConfiguration().getDefaultSigningCredential();
@@ -630,15 +629,15 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
                 SPSSODescriptor ssoDescriptor = (SPSSODescriptor) requestContext.getPeerEntityRoleMetadata();
                 if (ssoDescriptor.getWantAssertionsSigned() != null) {
                     signAssertion = ssoDescriptor.getWantAssertionsSigned().booleanValue();
-                    log.debug("Entity metadata for relying party '{} 'indicates to sign assertions: {}", requestContext
-                            .getInboundMessageIssuer(), signAssertion);
+                    log.debug("Entity metadata for relying party '{} 'indicates to sign assertions: {}",
+                            requestContext.getInboundMessageIssuer(), signAssertion);
                 }
             }
 
             return signAssertion;
         } catch (MessageEncodingException e) {
-            log.error("Unable to determine if outbound encoding '{}' provides message integrity protection", encoder
-                    .getBindingURI());
+            log.error("Unable to determine if outbound encoding '{}' provides message integrity protection",
+                    encoder.getBindingURI());
             throw new ProfileException("Unable to determine if outbound assertion should be signed");
         }
     }
@@ -831,9 +830,11 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
         }
 
         BaseAttribute<?> nameIdAttribute = nameIdAttributeAndEncoder.getFirst();
+        requestContext.setNameIdentifierAttribute(nameIdAttribute);
         SAML2NameIDEncoder nameIdEncoder = nameIdAttributeAndEncoder.getSecond();
 
-        log.debug("Using attribute '{}' supporting NameID format '{}' to create the NameID for relying party '{}'",
+        log.debug(
+                "Using attribute '{}' supporting NameID format '{}' to create the NameID for relying party '{}'",
                 new Object[] { nameIdAttribute.getId(), nameIdEncoder.getNameFormat(),
                         requestContext.getInboundMessageIssuer(), });
         try {
@@ -937,6 +938,13 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
             auditLogEntry.getReleasedAttributes().addAll(context.getReleasedAttributes());
         }
 
+        if (context.getNameIdentifierAttribute() != null) {
+            Object idValue = context.getNameIdentifierAttribute().getValues().iterator().next();
+            if(idValue != null){
+                auditLogEntry.setNameIdValue(idValue.toString());
+            }
+        }
+
         getAduitLog().info(auditLogEntry.toString());
     }
 
@@ -946,9 +954,6 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
         /** The response to the SAML request. */
         private StatusResponseType samlResponse;
 
-        /** The unencrypted NameID for the SAML response. */
-        private NameID unencryptedNameId;
-
         /**
          * Gets the response to the SAML request.
          * 
@@ -967,24 +972,6 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
             samlResponse = response;
         }
 
-        /**
-         * Gets the unencrypted NameID for the SAML response.
-         * 
-         * @return unencrypted NameID for the SAML response
-         */
-        public NameID getUnencryptedNameId() {
-            return unencryptedNameId;
-        }
-
-        /**
-         * Sets the unencrypted NameID for the SAML response.
-         * 
-         * @param id unencrypted NameID for the SAML response
-         */
-        public void setUnencryptedNameId(NameID id) {
-            unencryptedNameId = id;
-        }
-
         /** {@inheritDoc} */
         public String toString() {
             StringBuilder entryString = new StringBuilder(super.toString());
@@ -1001,8 +988,8 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
                 }
             }
 
-            if (unencryptedNameId != null) {
-                entryString.append(unencryptedNameId.getValue());
+            if (getNameIdValue() != null) {
+                entryString.append(getNameIdValue());
             }
             entryString.append("|");