Move IdP toward using metadata to determine whether assertions should be signed.
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 1 Mar 2005 04:34:07 +0000 (04:34 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 1 Mar 2005 04:34:07 +0000 (04:34 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1250 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/common/IdentityProvider.java
src/edu/internet2/middleware/shibboleth/common/ServiceProviderMapper.java
src/edu/internet2/middleware/shibboleth/common/ShibBrowserProfile.java
src/edu/internet2/middleware/shibboleth/idp/IdPResponder.java
src/edu/internet2/middleware/shibboleth/metadata/SPProviderRole.java
src/edu/internet2/middleware/shibboleth/metadata/provider/XMLMetadata.java
src/schemas/origin.xsd
tests/edu/internet2/middleware/shibboleth/hs/provider/NameMapperTests.java

index 66c9fe1..7ff1d8b 100644 (file)
@@ -42,35 +42,11 @@ public interface IdentityProvider {
        public String getProviderId();
 
        /**
-        * Returns the credential that this provider uses to sign SAML authentication responses to requests, or
-        * <code>null</code> if responses should not be signed.
+        * Returns the credential that this provider uses to sign SAML responses and assertions, or <code>null</code> if
+        * responses should not be signed.
         * 
         * @return the credential or <code>null</code>
         */
-       public Credential getAuthNResponseSigningCredential();
+       public Credential getSigningCredential();
 
-       /**
-        * Returns the credential that this provider uses to sign SAML authentication assertions, or <code>null</code> if
-        * assertions should not be signed.
-        * 
-        * @return the credential or <code>null</code>
-        */
-       public Credential getAuthNAssertionSigningCredential();
-
-       /**
-        * Returns the credential that this provider uses to sign SAML attribute responses to requests, or <code>null</code>
-        * if responses should not be signed.
-        * 
-        * @return the credential or <code>null</code>
-        */
-       public Credential getAttributeResponseSigningCredential();
-
-       /**
-        * Returns the credential that this provider uses to sign SAML attribute assertions, or <code>null</code> if
-        * assertions should not be signed.
-        * 
-        * @return the credential or <code>null</code>
-        */
-       public Credential getAttributeAssertionSigningCredential();
-
-}
+}
\ No newline at end of file
index 554872e..7d354c2 100644 (file)
@@ -299,57 +299,12 @@ public class ServiceProviderMapper {
                                }
                        }
 
-                       // Load credentials for signing
-                       Credential authNCredential = null;
-                       Credential attrCredential = null;
-
-                       boolean signAuthResponses = new Boolean(((Element) partyConfig).getAttribute("signAuthResponses"))
-                                       .booleanValue();
-                       boolean signAuthAssertions = new Boolean(((Element) partyConfig).getAttribute("signAuthAssertions"))
-                                       .booleanValue();
-                       boolean signAttrResponses = new Boolean(((Element) partyConfig).getAttribute("signAttrResponses"))
-                                       .booleanValue();
-                       boolean signAttrAssertions = new Boolean(((Element) partyConfig).getAttribute("signAttrAssertions"))
-                                       .booleanValue();
-
+                       // Load the credential for signing
                        String credentialName = ((Element) partyConfig).getAttribute("signingCredential");
-
-                       // Load the credential for AuthN signing
-                       if (signAuthResponses || signAuthAssertions) {
-
-                               authNCredential = credentials.getCredential(credentialName);
-                               if (authNCredential == null) {
-                                       if (credentialName == null || credentialName.equals("")) {
-                                               log.error("Relying Party credential not set.  Add a (signingCredential) "
-                                                               + "attribute to <RelyingParty>.");
-                                               throw new ServiceProviderMapperException("Required configuration not specified.");
-                                       } else {
-                                               log.error("Relying Party credential invalid.  Fix the (signingCredential) attribute "
-                                                               + "on <RelyingParty>.");
-                                               throw new ServiceProviderMapperException("Required configuration is invalid.");
-                                       }
-                               }
-                       }
-
-                       // Load the credential for Attribute signing
-                       if (signAttrAssertions || signAttrResponses) {
-                               String aaCredentialName = ((Element) partyConfig).getAttribute("AASigningCredential");
-                               attrCredential = credentials.getCredential(aaCredentialName);
-                               if (aaCredentialName == null || aaCredentialName.equals("")) {
-                                       if (authNCredential != null) {
-                                               attrCredential = authNCredential;
-                                       } else {
-                                               aaCredentialName = ((Element) partyConfig).getAttribute("signingCredential");
-                                               attrCredential = credentials.getCredential(aaCredentialName);
-                                       }
-                               } else {
-                                       log.debug("Using (AASigningCredential) for AA signing.");
-                               }
-                       }
-
-                       if ((attrCredential == null) && (signAttrResponses || signAttrAssertions)) {
+                       Credential signingCredential = credentials.getCredential(credentialName);
+                       if (signingCredential == null) {
                                if (credentialName == null || credentialName.equals("")) {
-                                       log.error("Relying Party credential not set.  Add a (AASigningCredential) or (signingCredential) "
+                                       log.error("Relying Party credential not set.  Add a (signingCredential) "
                                                        + "attribute to <RelyingParty>.");
                                        throw new ServiceProviderMapperException("Required configuration not specified.");
                                } else {
@@ -357,14 +312,13 @@ public class ServiceProviderMapper {
                                                        + "on <RelyingParty>.");
                                        throw new ServiceProviderMapperException("Required configuration is invalid.");
                                }
+
                        }
 
                        // Initialize and Identity Provider object for this use by this relying party
                        identityProvider = new RelyingPartyIdentityProvider(overridenOriginProviderId != null
                                        ? overridenOriginProviderId
-                                       : configuration.getProviderId(), signAuthResponses ? authNCredential : null, signAuthAssertions
-                                       ? authNCredential
-                                       : null, signAttrResponses ? attrCredential : null, signAttrAssertions ? attrCredential : null);
+                                       : configuration.getProviderId(), signingCredential);
 
                }
 
@@ -428,47 +382,29 @@ public class ServiceProviderMapper {
                protected class RelyingPartyIdentityProvider implements IdentityProvider {
 
                        private String providerId;
-                       private Credential authNResponseSigningCredential;
-                       private Credential authNAssertionSigningCredential;
-                       private Credential attributeResponseSigningCredential;
-                       private Credential attributeAssertionSigningCredential;
+                       private Credential credential;
 
-                       public RelyingPartyIdentityProvider(String providerId, Credential authNResponseSigningCredential,
-                                       Credential authNAssertionSigningCredential, Credential attributeResponseSigningCredential,
-                                       Credential attributeAssertionSigningCredential) {
+                       public RelyingPartyIdentityProvider(String providerId, Credential credential) {
 
                                this.providerId = providerId;
-                               this.authNResponseSigningCredential = authNResponseSigningCredential;
-                               this.authNAssertionSigningCredential = authNAssertionSigningCredential;
-                               this.attributeResponseSigningCredential = attributeResponseSigningCredential;
-                               this.attributeAssertionSigningCredential = attributeAssertionSigningCredential;
+                               this.credential = credential;
                        }
 
+                       /*
+                        * @see edu.internet2.middleware.shibboleth.common.IdentityProvider#getProviderId()
+                        */
                        public String getProviderId() {
 
                                return providerId;
                        }
 
-                       public Credential getAuthNResponseSigningCredential() {
+                       /*
+                        * @see edu.internet2.middleware.shibboleth.common.IdentityProvider#getSigningCredential()
+                        */
+                       public Credential getSigningCredential() {
 
-                               return authNResponseSigningCredential;
+                               return credential;
                        }
-
-                       public Credential getAuthNAssertionSigningCredential() {
-
-                               return authNAssertionSigningCredential;
-                       }
-
-                       public Credential getAttributeResponseSigningCredential() {
-
-                               return attributeResponseSigningCredential;
-                       }
-
-                       public Credential getAttributeAssertionSigningCredential() {
-
-                               return attributeAssertionSigningCredential;
-                       }
-
                }
        }
 
@@ -646,4 +582,4 @@ public class ServiceProviderMapper {
                        return ((RelyingParty) wrapped).getDefaultAuthMethod();
                }
        }
-}
+}
\ No newline at end of file
index 3fc4031..fe176d0 100644 (file)
@@ -38,10 +38,6 @@ import java.security.cert.PKIXCertPathBuilderResult;
 import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
 import java.util.Iterator;
 import java.util.Vector;
 import java.util.regex.Matcher;
@@ -53,22 +49,13 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.log4j.Logger;
 import org.apache.log4j.NDC;
 import org.apache.xml.security.signature.XMLSignature;
-import org.opensaml.InvalidCryptoException;
 import org.opensaml.NoSuchProviderException;
 import org.opensaml.ReplayCache;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAudienceRestrictionCondition;
-import org.opensaml.SAMLAuthenticationStatement;
 import org.opensaml.SAMLBrowserProfile;
 import org.opensaml.SAMLBrowserProfileFactory;
-import org.opensaml.SAMLConfig;
 import org.opensaml.SAMLException;
-import org.opensaml.SAMLNameIdentifier;
-import org.opensaml.SAMLResponse;
 import org.opensaml.SAMLSignedObject;
-import org.opensaml.SAMLSubject;
 import org.opensaml.TrustException;
-import org.w3c.dom.Document;
 
 import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
 import edu.internet2.middleware.shibboleth.metadata.IDPProviderRole;
@@ -127,136 +114,6 @@ public class ShibBrowserProfile implements SAMLBrowserProfile {
     }
 
        /**
-        * Used by HS to generate a signed SAML response conforming to the POST profile
-        * <P>
-        * 
-        * @param recipient
-        *            URL of the assertion consumer
-        * @param relyingParty
-        *            the intended recipient of the response
-        * @param nameId
-        *            Name Identifier for the response
-        * @param subjectIP
-        *            Client address of subject (optional)
-        * @param authMethod
-        *            URI of authentication method being asserted
-        * @param authInstant
-        *            Date and time of authentication being asserted
-        * @param bindings
-        *            Set of SAML authorities the relying party may contact (optional)
-        * @return SAML response to send to accepting site
-        * @exception SAMLException
-        *                Base class of exceptions that may be thrown during processing
-        */
-       public SAMLResponse prepare(String recipient, RelyingParty relyingParty, SAMLNameIdentifier nameId,
-                       String subjectIP, String authMethod, Date authInstant, Collection bindings) throws SAMLException {
-
-               Document doc = org.opensaml.XML.parserPool.newDocument();
-
-               ArrayList audiences = new ArrayList();
-               if (relyingParty.getProviderId() != null) {
-                       audiences.add(relyingParty.getProviderId());
-               }
-               if (relyingParty.getName() != null && !relyingParty.getName().equals(relyingParty.getProviderId())) {
-                       audiences.add(relyingParty.getName());
-               }
-
-               String issuer = null;
-               if (relyingParty.isLegacyProvider()) {
-                       
-                       log.debug("Service Provider is running Shibboleth <= 1.1.  Using old style issuer.");
-                       if (relyingParty.getIdentityProvider().getAuthNResponseSigningCredential() == null
-                                       || relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getX509Certificate() == null) {
-                               throw new SAMLException("Cannot serve legacy style assertions without an X509 certificate");
-                       }
-                       issuer = getHostNameFromDN(relyingParty.getIdentityProvider().getAuthNResponseSigningCredential()
-                                       .getX509Certificate().getSubjectX500Principal());
-                       if (issuer == null || issuer.equals("")) {
-                               throw new SAMLException("Error parsing certificate DN while determining legacy issuer name.");
-                       }
-
-               } else {
-                       issuer = relyingParty.getIdentityProvider().getProviderId();
-               }
-
-        // XXX: Inlined the old prepare method, this whole method should probably be pulled out into the IdP package.
-        // At a minimum, artifact should be integrated in.
-        SAMLResponse r = new SAMLResponse(
-                null,
-                recipient,
-                Collections.singleton(
-                        new SAMLAssertion(
-                                issuer,
-                                new Date(),
-                                new Date(System.currentTimeMillis() + 1000 * SAMLConfig.instance().getIntProperty("org.opensaml.clock-skew")),
-                                Collections.singleton(
-                                        new SAMLAudienceRestrictionCondition(audiences)
-                                        ),
-                                null,
-                                Collections.singleton(
-                                        new SAMLAuthenticationStatement(
-                                                new SAMLSubject(
-                                                        nameId,
-                                                        Collections.singleton(SAMLSubject.CONF_BEARER),
-                                                        null,
-                                                        null
-                                                        ),
-                                                authMethod,
-                                                authInstant,
-                                                subjectIP,
-                                                null,
-                                                bindings
-                                                )
-                                        )
-                                )
-                        ),
-                null
-                );
-               r.toDOM(doc);
-
-               //Sign the assertions, if appropriate
-               if (relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential() != null
-                               && relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential().getPrivateKey() != null) {
-
-                       String assertionAlgorithm;
-                       if (relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential().getCredentialType() == Credential.RSA) {
-                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
-                       } else if (relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential().getCredentialType() == Credential.DSA) {
-                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
-                       } else {
-                               throw new InvalidCryptoException(SAMLException.RESPONDER,
-                                               "ShibPOSTProfile.prepare() currently only supports signing with RSA and DSA keys.");
-                       }
-
-                       ((SAMLAssertion) r.getAssertions().next()).sign(assertionAlgorithm, relyingParty.getIdentityProvider()
-                                       .getAuthNAssertionSigningCredential().getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider()
-                                       .getAuthNAssertionSigningCredential().getX509CertificateChain()));
-               }
-
-               //Sign the response, if appropriate
-               if (relyingParty.getIdentityProvider().getAuthNResponseSigningCredential() != null
-                               && relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getPrivateKey() != null) {
-
-                       String responseAlgorithm;
-                       if (relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getCredentialType() == Credential.RSA) {
-                               responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
-                       } else if (relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getCredentialType() == Credential.DSA) {
-                               responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
-                       } else {
-                               throw new InvalidCryptoException(SAMLException.RESPONDER,
-                                               "ShibPOSTProfile.prepare() currently only supports signing with RSA and DSA keys.");
-                       }
-
-                       r.sign(responseAlgorithm,
-                                       relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getPrivateKey(), Arrays
-                                                       .asList(relyingParty.getIdentityProvider().getAuthNResponseSigningCredential()
-                                                                       .getX509CertificateChain()));
-               }
-
-               return r;
-       }
-
-    /**
      * Given a key from Trust associated with a HS Role from a Metadata Entity Descriptor,
      * verify the SAML Signature.
      * 
index 857e4e1..e85732c 100644 (file)
@@ -115,7 +115,6 @@ public class IdPResponder extends TargetFederationComponent {
 
        // TODO Maybe should rethink the inheritance here, since there is only one
        // servlet
-       // TODO signing is broken... it doesn't distinguish between authn and attr signing
 
        private static Logger transactionLog = Logger.getLogger("Shibboleth-TRANSACTION");
        private static Logger log = Logger.getLogger(IdPResponder.class.getName());
@@ -263,7 +262,8 @@ public class IdPResponder extends TargetFederationComponent {
                        }
 
                        // If we have DEBUGing turned on, dump out the request to the log
-                       if (log.isDebugEnabled()) { // This takes some processing, so only do it if we need to
+                       // This takes some processing, so only do it if we need to
+                       if (log.isDebugEnabled()) {
                                try {
                                        log.debug("Dumping generated SAML Request:"
                                                        + System.getProperty("line.separator")
@@ -613,6 +613,8 @@ public class IdPResponder extends TargetFederationComponent {
                        SAMLAssertion[] assertions = activeHandler.processHook(request, relyingParty, provider, nameId,
                                        authenticationMethod, new Date(System.currentTimeMillis()));
 
+                       //TODO do assertion signing here
+
                        // SAML Artifact profile
                        if (useArtifactProfile(provider, acceptanceURL)) {
                                log.debug("Responding with Artifact profile.");
@@ -651,7 +653,7 @@ public class IdPResponder extends TargetFederationComponent {
                                request.setAttribute("target", activeHandler.getSAMLTargetParameter(request, relyingParty, provider));
 
                                SAMLResponse samlResponse = new SAMLResponse(null, acceptanceURL, Arrays.asList(assertions), null);
-                               addSignatures(samlResponse, relyingParty);
+                               addSignatures(samlResponse, relyingParty, provider, true);
                                createPOSTForm(request, response, samlResponse.toBase64());
 
                                // Make transaction log entry
@@ -910,7 +912,7 @@ public class IdPResponder extends TargetFederationComponent {
                                                then, Collections.singleton(condition), null, Collections.singleton(statement));
 
                                samlResponse = new SAMLResponse(samlRequest.getId(), null, Collections.singleton(sAssertion), exception);
-                               addSignatures(samlResponse, relyingParty);
+                               addSignatures(samlResponse, relyingParty, lookup(relyingParty.getProviderId()), false);
                        }
                } catch (SAMLException se) {
                        ourSE = se;
@@ -942,48 +944,64 @@ public class IdPResponder extends TargetFederationComponent {
                }
        }
 
-       private static void addSignatures(SAMLResponse reponse, RelyingParty relyingParty) throws SAMLException {
+       private static void addSignatures(SAMLResponse response, RelyingParty relyingParty, Provider provider,
+                       boolean signResponse) throws SAMLException {
 
-               // TODO make sure this signing optionally happens according to origin.xml params
-               // TODO this has to be made to work for both AuthN and Attr assertion types
+               if (provider != null) {
+                       boolean signAssertions = false;
 
-               // Sign the assertions, if appropriate
-               if (relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential() != null
-                               && relyingParty.getIdentityProvider().getAttributeAssertionSigningCredential().getPrivateKey() != null) {
-
-                       String assertionAlgorithm;
-                       if (relyingParty.getIdentityProvider().getAttributeAssertionSigningCredential().getCredentialType() == Credential.RSA) {
-                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
-                       } else if (relyingParty.getIdentityProvider().getAttributeAssertionSigningCredential().getCredentialType() == Credential.DSA) {
-                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
-                       } else {
-                               throw new InvalidCryptoException(SAMLException.RESPONDER,
-                                               "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
+                       ProviderRole[] roles = provider.getRoles();
+                       if (roles.length == 0) {
+                               log.info("Inappropriate metadata for provider: " + provider.getId() + ".  Expected SPSSODescriptor.");
                        }
+                       for (int i = 0; roles.length > i; i++) {
+                               if (roles[i] instanceof SPProviderRole) {
+                                       if (((SPProviderRole) roles[i]).wantAssertionsSigned()) {
+                                               signAssertions = true;
+                                       }
+                               }
+                       }
+
+                       if (signAssertions && relyingParty.getIdentityProvider().getSigningCredential() != null
+                                       && relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() != null) {
+
+                               Iterator assertions = response.getAssertions();
+
+                               while (assertions.hasNext()) {
+                                       SAMLAssertion assertion = (SAMLAssertion) assertions.next();
+                                       String assertionAlgorithm;
+                                       if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
+                                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
+                                       } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
+                                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
+                                       } else {
+                                               throw new InvalidCryptoException(SAMLException.RESPONDER,
+                                                               "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
+                                       }
 
-                       ((SAMLAssertion) reponse.getAssertions().next()).sign(assertionAlgorithm, relyingParty
-                                       .getIdentityProvider().getAttributeAssertionSigningCredential().getPrivateKey(), Arrays
-                                       .asList(relyingParty.getIdentityProvider().getAttributeAssertionSigningCredential()
+                                       assertion.sign(assertionAlgorithm, relyingParty.getIdentityProvider().getSigningCredential()
+                                                       .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential()
                                                        .getX509CertificateChain()));
+                               }
+                       }
                }
 
                // Sign the response, if appropriate
-               if (relyingParty.getIdentityProvider().getAttributeResponseSigningCredential() != null
-                               && relyingParty.getIdentityProvider().getAttributeResponseSigningCredential().getPrivateKey() != null) {
+               if (signResponse && relyingParty.getIdentityProvider().getSigningCredential() != null
+                               && relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() != null) {
 
                        String responseAlgorithm;
-                       if (relyingParty.getIdentityProvider().getAttributeResponseSigningCredential().getCredentialType() == Credential.RSA) {
+                       if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
                                responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
-                       } else if (relyingParty.getIdentityProvider().getAttributeResponseSigningCredential().getCredentialType() == Credential.DSA) {
+                       } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
                                responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
                        } else {
                                throw new InvalidCryptoException(SAMLException.RESPONDER,
                                                "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
                        }
 
-                       reponse.sign(responseAlgorithm, relyingParty.getIdentityProvider().getAttributeResponseSigningCredential()
-                                       .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider()
-                                       .getAttributeResponseSigningCredential().getX509CertificateChain()));
+                       response.sign(responseAlgorithm, relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey(),
+                                       Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential().getX509CertificateChain()));
                }
        }
 
index 4679998..ab32a53 100644 (file)
@@ -2,26 +2,25 @@
  * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
  * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
  * provided that the following conditions are met: Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the
- * above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other
- * materials provided with the distribution, if any, must include the following acknowledgment: "This product includes
- * software developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu>Internet2
- * Project. Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2,
- * nor the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
- * products derived from this software without specific prior written permission. For written permission, please
- * contact shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name,
- * without prior written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS
- * PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
- * NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS
- * WITH LICENSEE. IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED
- * INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
- * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
+ * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials
+ * provided with the distribution, if any, must include the following acknowledgment: "This product includes software
+ * developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu>Internet2 Project.
+ * Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
+ * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor
+ * the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
+ * products derived from this software without specific prior written permission. For written permission, please contact
+ * shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the
+ * University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name, without prior
+ * written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS PROVIDED BY THE
+ * COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE
+ * DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO
+ * EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC.
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 package edu.internet2.middleware.shibboleth.metadata;
@@ -35,5 +34,7 @@ public interface SPProviderRole extends ProviderRole {
 
        public boolean getAuthnRequestsSigned();
 
+       public boolean wantAssertionsSigned();
+
        public Endpoint[] getAssertionConsumerServiceURLs();
-}
+}
\ No newline at end of file
index 3a83392..81563e7 100644 (file)
@@ -245,6 +245,10 @@ public class XMLMetadata implements Metadata {
                public KeyDescriptor[] getKeyDescriptors() {
                        return (KeyDescriptor[]) keyDescriptors.toArray(new KeyDescriptor[0]);
                }
+               
+               public boolean wantAssertionsSigned() {
+                       return false;
+               }
 
                class ShibEndpoint implements Endpoint {
 
@@ -296,7 +300,6 @@ public class XMLMetadata implements Metadata {
                                return new KeyInfo[]{keyInfo};
                        }
                }
-
        }
 
        class XMLContactPerson implements ContactPerson {
index 3e9498f..428ef63 100644 (file)
                                                        <xs:attribute name="name" type="xs:string" use="required"/>
                                                        <xs:attribute name="providerId" type="xs:anyURI" use="optional"/>
                                                        <xs:attribute name="signingCredential" type="xs:string" use="optional"/>
-                                                       <xs:attribute name="AASigningCredential" type="xs:string" use="optional"/>
-                                                       <xs:attribute name="signAuthResponses" type="xs:boolean" use="optional" default="true"/>
-                                                       <xs:attribute name="signAuthAssertions" type="xs:boolean" use="optional" default="false"/>
-                                                       <xs:attribute name="signAttrAssertions" type="xs:boolean" use="optional" default="false"/>
-                                                       <xs:attribute name="signAttrResponses" type="xs:boolean" use="optional" default="false"/>
                                                        <xs:attribute name="AAUrl" type="xs:anyURI" use="optional"/>
                                                        <xs:attribute name="passThruErrors" type="xs:boolean" use="optional"/>
                                                        <xs:attribute name="defaultAuthMethod" type="xs:string" use="optional"/>
index d993874..1eb6da7 100644 (file)
@@ -46,8 +46,6 @@ import edu.internet2.middleware.shibboleth.common.NameMapper;
 import edu.internet2.middleware.shibboleth.common.ServiceProvider;
 import edu.internet2.middleware.shibboleth.xml.Parser;
 
-
-
 /**
  * Validation suite for the <code>NameMapper</code>.
  * 
@@ -92,12 +90,10 @@ public class NameMapperTests extends TestCase {
                                        + "             xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
                                        + "             xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
                                        + "                     id=\"cryptotest\" format=\"urn:mace:shibboleth:1.0:nameIdentifier\" "
-                                       + "                     type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" 
-                                       + "             <KeyStorePath>" + file.toURL().toString() + "</KeyStorePath>" 
-                                       + "             <KeyStorePassword>shibhs</KeyStorePassword>"
+                                       + "                     type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" + "         <KeyStorePath>"
+                                       + file.toURL().toString() + "</KeyStorePath>" + "               <KeyStorePassword>shibhs</KeyStorePassword>"
                                        + "             <KeyStoreKeyAlias>handlekey</KeyStoreKeyAlias>"
-                                       + "             <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" 
-                                       + "     </NameMapping>";
+                                       + "             <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" + "  </NameMapping>";
 
                        parser.parse(new InputSource(new StringReader(rawConfig)));
                        nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
@@ -132,15 +128,12 @@ public class NameMapperTests extends TestCase {
                                        + "             xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
                                        + "             xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
                                        + "                     id=\"cryptotest\" format=\"urn:mace:shibboleth:1.0:nameIdentifier\" "
-                                       + "                     type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" 
-                                       + "             <KeyStorePath>"+ file.toURL().toString() + "</KeyStorePath>" 
-                                       + "             <KeyStorePassword>shibhs</KeyStorePassword>"
+                                       + "                     type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" + "         <KeyStorePath>"
+                                       + file.toURL().toString() + "</KeyStorePath>" + "               <KeyStorePassword>shibhs</KeyStorePassword>"
                                        + "             <KeyStoreKeyAlias>handlekey</KeyStoreKeyAlias>"
                                        + "             <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>"
-                                       + "             <Cipher>DESede/CBC/PKCS5Padding</Cipher>" 
-                                       + "             <MAC>HmacSHA1</MAC>"
-                                       + "             <KeyStoreType>JCEKS</KeyStoreType>" 
-                                       + "     </NameMapping>";
+                                       + "             <Cipher>DESede/CBC/PKCS5Padding</Cipher>" + "           <MAC>HmacSHA1</MAC>"
+                                       + "             <KeyStoreType>JCEKS</KeyStoreType>" + " </NameMapping>";
 
                        parser.parse(new InputSource(new StringReader(rawConfig)));
                        nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
@@ -161,7 +154,7 @@ public class NameMapperTests extends TestCase {
                }
 
        }
-       
+
        public void testCryptoMappingBadQualifier() {
 
                try {
@@ -175,12 +168,10 @@ public class NameMapperTests extends TestCase {
                                        + "             xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
                                        + "             xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
                                        + "                     id=\"cryptotest\" format=\"urn:mace:shibboleth:1.0:nameIdentifier\" "
-                                       + "                     type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" 
-                                       + "             <KeyStorePath>" + file.toURL().toString() + "</KeyStorePath>" 
-                                       + "             <KeyStorePassword>shibhs</KeyStorePassword>"
+                                       + "                     type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" + "         <KeyStorePath>"
+                                       + file.toURL().toString() + "</KeyStorePath>" + "               <KeyStorePassword>shibhs</KeyStorePassword>"
                                        + "             <KeyStoreKeyAlias>handlekey</KeyStoreKeyAlias>"
-                                       + "             <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" 
-                                       + "     </NameMapping>";
+                                       + "             <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" + "  </NameMapping>";
 
                        parser.parse(new InputSource(new StringReader(rawConfig)));
                        nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
@@ -190,15 +181,15 @@ public class NameMapperTests extends TestCase {
 
                        AuthNPrincipal principal = nameMapper.getPrincipal(nameId, new BasicServiceProvider(),
                                        new BasicIdentityProvider("urn-x:bad"));
-               
+
                        fail("Expected failure for bad name qualifier.");
-                       
+
                } catch (NameIdentifierMappingException e) {
                        //This exception should be generated by this test
-                       
+
                } catch (MalformedURLException e) {
                        fail("Error in test specification: " + e.getMessage());
-               
+
                } catch (Exception e) {
                        fail("Error exercising NameMaper: " + e.getMessage());
                }
@@ -239,12 +230,10 @@ public class NameMapperTests extends TestCase {
                                        + "             xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
                                        + "             xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
                                        + "                     format=\"urn:mace:shibboleth:1.0:nameIdentifier\""
-                                       + "             type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" 
-                                       + "             <KeyStorePath>" + file.toURL().toString() + "</KeyStorePath>" 
-                                       + "             <KeyStorePassword>shibhs</KeyStorePassword>"
+                                       + "             type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" + "         <KeyStorePath>"
+                                       + file.toURL().toString() + "</KeyStorePath>" + "               <KeyStorePassword>shibhs</KeyStorePassword>"
                                        + "             <KeyStoreKeyAlias>handlekey</KeyStoreKeyAlias>"
-                                       + "             <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" 
-                                       + "     </NameMapping>";
+                                       + "             <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" + "  </NameMapping>";
 
                        parser.parse(new InputSource(new StringReader(rawConfig)));
                        nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
@@ -282,12 +271,10 @@ public class NameMapperTests extends TestCase {
                                        + "             xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
                                        + "             xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
                                        + "                     format=\"urn:mace:shibboleth:1.0:nameIdentifier\""
-                                       + "             type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" 
-                                       + "             <KeyStorePath>" + file.toURL().toString() + "</KeyStorePath>" 
-                                       + "             <KeyStorePassword>shibhs</KeyStorePassword>"
+                                       + "             type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" + "         <KeyStorePath>"
+                                       + file.toURL().toString() + "</KeyStorePath>" + "               <KeyStorePassword>shibhs</KeyStorePassword>"
                                        + "             <KeyStoreKeyAlias>handlekey</KeyStoreKeyAlias>"
-                                       + "             <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" 
-                                       + "     </NameMapping>";
+                                       + "             <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" + "  </NameMapping>";
 
                        parser.parse(new InputSource(new StringReader(rawConfig)));
                        nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
@@ -296,13 +283,11 @@ public class NameMapperTests extends TestCase {
                                        + "<NameMapping xmlns=\"urn:mace:shibboleth:namemapper:1.0\""
                                        + "             xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
                                        + "             xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
-                                       + "                     format=\"urn-x:testNameIdentifier\"" 
-                                       + "             type=\"CryptoHandleGenerator\" handleTTL=\"1800\">"
+                                       + "                     format=\"urn-x:testNameIdentifier\"" + "                type=\"CryptoHandleGenerator\" handleTTL=\"1800\">"
                                        + "             <KeyStorePath>" + file.toURL().toString() + "</KeyStorePath>"
                                        + "             <KeyStorePassword>shibhs</KeyStorePassword>"
                                        + "             <KeyStoreKeyAlias>handlekey</KeyStoreKeyAlias>"
-                                       + "             <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" 
-                                       + "     </NameMapping>";
+                                       + "             <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" + "  </NameMapping>";
 
                        parser.parse(new InputSource(new StringReader(rawConfig2)));
 
@@ -332,8 +317,7 @@ public class NameMapperTests extends TestCase {
                                        + "<NameMapping xmlns=\"urn:mace:shibboleth:namemapper:1.0\""
                                        + "             xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
                                        + "             xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
-                                       + "                     id=\"memorytest\" " 
-                                       + "             format=\"urn:mace:shibboleth:1.0:nameIdentifier\""
+                                       + "                     id=\"memorytest\" " + "         format=\"urn:mace:shibboleth:1.0:nameIdentifier\""
                                        + "             type=\"SharedMemoryShibHandle\" handleTTL=\"1800\"/>";
 
                        parser.parse(new InputSource(new StringReader(rawConfig)));
@@ -355,7 +339,7 @@ public class NameMapperTests extends TestCase {
                        fail("Error exercising NameMaper: " + e.getMessage());
                }
        }
-       
+
        public void testMemoryMappingBadQualifier() {
 
                try {
@@ -366,27 +350,26 @@ public class NameMapperTests extends TestCase {
                                        + "<NameMapping xmlns=\"urn:mace:shibboleth:namemapper:1.0\""
                                        + "             xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
                                        + "             xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
-                                       + "                     id=\"memorytest\" " 
-                                       + "             format=\"urn:mace:shibboleth:1.0:nameIdentifier\""
+                                       + "                     id=\"memorytest\" " + "         format=\"urn:mace:shibboleth:1.0:nameIdentifier\""
                                        + "             type=\"SharedMemoryShibHandle\" handleTTL=\"1800\"/>";
 
                        parser.parse(new InputSource(new StringReader(rawConfig)));
                        nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
 
-                       SAMLNameIdentifier nameId = nameMapper.getNameIdentifierName("memory", new AuthNPrincipal(
-                                       "testprincipal"), new BasicServiceProvider(), new BasicIdentityProvider("urn-x:good"));
+                       SAMLNameIdentifier nameId = nameMapper.getNameIdentifierName("memory", new AuthNPrincipal("testprincipal"),
+                                       new BasicServiceProvider(), new BasicIdentityProvider("urn-x:good"));
 
                        AuthNPrincipal principal = nameMapper.getPrincipal(nameId, new BasicServiceProvider(),
                                        new BasicIdentityProvider("urn-x:bad"));
-               
+
                        fail("Expected failure for bad name qualifier.");
-                       
+
                } catch (NameIdentifierMappingException e) {
                        //This exception should be generated by this test
-                       
+
                } catch (MalformedURLException e) {
                        fail("Error in test specification: " + e.getMessage());
-               
+
                } catch (Exception e) {
                        fail("Error exercising NameMaper: " + e.getMessage());
                }
@@ -402,8 +385,8 @@ public class NameMapperTests extends TestCase {
                        String rawConfig = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                                        + "<NameMapping xmlns=\"urn:mace:shibboleth:namemapper:1.0\""
                                        + "             xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
-                                       + "             xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" " 
-                                       + "                     format=\"" + format + "\"" + "          type=\"Principal\"/>";
+                                       + "             xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" " + "                  format=\""
+                                       + format + "\"" + "             type=\"Principal\"/>";
 
                        parser.parse(new InputSource(new StringReader(rawConfig)));
                        nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
@@ -423,7 +406,7 @@ public class NameMapperTests extends TestCase {
                }
 
        }
-       
+
        public void testPrincipalMappingBadQualifier() {
 
                try {
@@ -434,8 +417,8 @@ public class NameMapperTests extends TestCase {
                        String rawConfig = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                                        + "<NameMapping xmlns=\"urn:mace:shibboleth:namemapper:1.0\""
                                        + "             xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
-                                       + "             xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" " 
-                                       + "                     format=\"" + format + "\"" + "          type=\"Principal\"/>";
+                                       + "             xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" " + "                  format=\""
+                                       + format + "\"" + "             type=\"Principal\"/>";
                        parser.parse(new InputSource(new StringReader(rawConfig)));
                        nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
 
@@ -443,15 +426,15 @@ public class NameMapperTests extends TestCase {
 
                        AuthNPrincipal principal = nameMapper.getPrincipal(nameId, new BasicServiceProvider(),
                                        new BasicIdentityProvider("urn-x:bad"));
-               
+
                        fail("Expected failure for bad name qualifier.");
-                       
+
                } catch (NameIdentifierMappingException e) {
                        //This exception should be generated by this test
-                       
+
                } catch (MalformedURLException e) {
                        fail("Error in test specification: " + e.getMessage());
-               
+
                } catch (Exception e) {
                        fail("Error exercising NameMaper: " + e.getMessage());
                }
@@ -473,25 +456,29 @@ class BasicIdentityProvider implements IdentityProvider {
                return id;
        }
 
-
-       public Credential getAuthNResponseSigningCredential() {
+       public Credential getSigningCredential() {
 
                return null;
        }
 
-       public Credential getAuthNAssertionSigningCredential() {
+       public boolean signAuthNAssertions() {
 
-               return null;
+               return false;
        }
 
-       public Credential getAttributeResponseSigningCredential() {
+       public boolean signAuthNResponses() {
 
-               return null;
+               return false;
        }
 
-       public Credential getAttributeAssertionSigningCredential() {
+       public boolean signAttributeAssertions() {
 
-               return null;
+               return false;
+       }
+
+       public boolean signAttributeResponses() {
+
+               return false;
        }
 
 }