
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package org.apache.cxf.fediz.core;


import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import javax.security.auth.callback.CallbackHandler;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;

import org.apache.ws.security.WSConstants;
import org.apache.ws.security.message.WSSecEncryptedKey;
import org.apache.ws.security.saml.ext.SAMLCallback;
import org.apache.ws.security.saml.ext.bean.ActionBean;
import org.apache.ws.security.saml.ext.bean.AttributeBean;
import org.apache.ws.security.saml.ext.bean.AttributeStatementBean;
import org.apache.ws.security.saml.ext.bean.AuthDecisionStatementBean;
import org.apache.ws.security.saml.ext.bean.AuthenticationStatementBean;
import org.apache.ws.security.saml.ext.bean.ConditionsBean;
import org.apache.ws.security.saml.ext.bean.KeyInfoBean;
import org.apache.ws.security.saml.ext.bean.KeyInfoBean.CERT_IDENTIFIER;
import org.apache.ws.security.saml.ext.bean.SubjectBean;
import org.apache.ws.security.saml.ext.bean.SubjectConfirmationDataBean;
import org.apache.ws.security.saml.ext.bean.SubjectLocalityBean;



/**
* A base implementation of a Callback Handler for a SAML assertion. By default it creates an
* authentication assertion.
*/
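/**
 * A base implementation of a Callback Handler for a SAML assertion. By default it creates an
 * authentication assertion.
 * <p>
 * The kind of statement placed in the assertion is chosen with {@link #setStatement}; the other
 * setters populate the values that the chosen statement reads. Subclasses implement
 * {@link CallbackHandler#handle} and call {@link #createAndSetStatement} and
 * {@link #createKeyInfo} from there. The instance is not thread-safe: it is mutated by the setters
 * and by {@link #createKeyInfo}, which stores the generated key in {@link #ephemeralKey}.
 */
public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {

    /** The kind of statement that is added to the assertion. */
    public enum Statement {
        AUTHN, ATTR, AUTHZ
    }

    /** How the configured roles are encoded into SAML attributes (ATTR statements only). */
    public enum MultiValue {
        /** One "role" attribute holding one AttributeValue per role. */
        MULTI_VALUE,
        /** One "role" attribute per role, each holding a single AttributeValue. */
        MULTI_ATTR,
        /** One "role" attribute holding a single AttributeValue with all roles joined by {@link #roleSeperator}. */
        ENC_VALUE
    }

    protected String subjectName;
    protected String subjectQualifier;
    protected String confirmationMethod;
    // certs[0] is the certificate used for the KeyInfo (AUTHN) and as EncryptedKey recipient (ATTR)
    protected X509Certificate[] certs;
    protected Statement statement = Statement.AUTHN;
    protected CERT_IDENTIFIER certIdentifier = CERT_IDENTIFIER.X509_CERT;
    // set as a side effect of createKeyInfo() for ATTR statements; read back via getEphemeralKey()
    protected byte[] ephemeralKey;
    protected String issuer;
    protected String subjectNameIDFormat;
    protected String subjectLocalityIpAddress;
    protected String subjectLocalityDnsAddress;
    protected String resource;
    protected List<?> customAttributeValues;
    protected ConditionsBean conditions;
    protected SubjectConfirmationDataBean subjectConfirmationData;
    // null roles produce a single placeholder attribute instead of role attributes
    protected List<String> roles = Arrays.asList("User", "Admin");
    protected Map<String, String> claims;
    protected MultiValue multiValueType = MultiValue.MULTI_VALUE;
    // separator used between roles for MultiValue.ENC_VALUE (field name kept for compatibility)
    protected String roleSeperator = ",";

    /**
     * Sets the SubjectConfirmationData to use in the assertion.
     *
     * @param subjectConfirmationData the subject confirmation data, may be null
     */
    public void setSubjectConfirmationData(SubjectConfirmationDataBean subjectConfirmationData) {
        this.subjectConfirmationData = subjectConfirmationData;
    }

    /**
     * Sets the Conditions to use in the assertion.
     *
     * @param conditionsBean the conditions, may be null
     */
    public void setConditions(ConditionsBean conditionsBean) {
        this.conditions = conditionsBean;
    }

    /**
     * Sets the subject confirmation method.
     *
     * @param confMethod the confirmation method URI
     */
    public void setConfirmationMethod(String confMethod) {
        confirmationMethod = confMethod;
    }

    /**
     * Selects the kind of statement that {@link #createAndSetStatement} produces.
     *
     * @param statement the statement type
     */
    public void setStatement(Statement statement) {
        this.statement = statement;
    }

    /**
     * Sets how the certificate is referenced in the KeyInfo of an AUTHN statement.
     *
     * @param certIdentifier the certificate identifier type
     */
    public void setCertIdentifier(CERT_IDENTIFIER certIdentifier) {
        this.certIdentifier = certIdentifier;
    }

    /**
     * Sets the certificates; only the first entry is used by {@link #createKeyInfo}.
     *
     * @param certs the certificate chain, may be null
     */
    public void setCerts(X509Certificate[] certs) {
        // copy so that later changes to the caller's array do not affect this handler
        this.certs = certs == null ? null : certs.clone();
    }

    /**
     * Returns the key that {@link #createKeyInfo} generated for an ATTR statement.
     *
     * @return a copy of the ephemeral key, or null if none has been generated yet
     */
    public byte[] getEphemeralKey() {
        return ephemeralKey == null ? null : ephemeralKey.clone();
    }

    /**
     * Sets the issuer of the assertion.
     *
     * @param issuer the issuer name
     */
    public void setIssuer(String issuer) {
        this.issuer = issuer;
    }

    /**
     * Sets the NameID format of the subject.
     *
     * @param subjectNameIDFormat the NameID format URI
     */
    public void setSubjectNameIDFormat(String subjectNameIDFormat) {
        this.subjectNameIDFormat = subjectNameIDFormat;
    }

    /**
     * Sets the name of the subject.
     *
     * @param subjectName the subject name
     */
    public void setSubjectName(String subjectName) {
        this.subjectName = subjectName;
    }

    /**
     * Sets the SubjectLocality of an AUTHN statement. The element is only emitted when at least
     * one of the two values is non-null.
     *
     * @param ipAddress the IP address, may be null
     * @param dnsAddress the DNS address, may be null
     */
    public void setSubjectLocality(String ipAddress, String dnsAddress) {
        this.subjectLocalityIpAddress = ipAddress;
        this.subjectLocalityDnsAddress = dnsAddress;
    }

    /**
     * Sets the resource of an AUTHZ statement.
     *
     * @param resource the resource, used as-is (including null)
     */
    public void setResource(String resource) {
        this.resource = resource;
    }

    /**
     * Sets custom attribute values for subclasses to use.
     *
     * @param customAttributeValues the values, may be null
     */
    public void setCustomAttributeValues(List<?> customAttributeValues) {
        this.customAttributeValues = customAttributeValues;
    }

    /**
     * Sets the roles emitted in an ATTR statement.
     *
     * @param roles the roles; null yields a single placeholder attribute instead of role attributes
     */
    public void setRoles(List<String> roles) {
        this.roles = roles;
    }

    /**
     * Sets the claims for subclasses to use.
     *
     * @param claims the claims, may be null
     */
    public void setClaims(Map<String, String> claims) {
        this.claims = claims;
    }

    /**
     * Sets how roles are encoded into attributes in an ATTR statement.
     *
     * @param multiValueType the encoding; must not be null when roles are set
     */
    public void setMultiValueType(MultiValue multiValueType) {
        this.multiValueType = multiValueType;
    }

    /**
     * Creates the statement selected by {@link #statement} and stores it on the callback.
     * Note that the SubjectBean parameter should be null for SAML2.0
     *
     * @param subjectBean the subject embedded in the statement (SAML 1.1), or null for SAML 2.0
     * @param callback the callback that receives the statement data
     * @throws IllegalStateException if {@link #multiValueType} is null while roles are configured
     */
    protected void createAndSetStatement(SubjectBean subjectBean, SAMLCallback callback) {
        if (statement == Statement.AUTHN) {
            callback.setAuthenticationStatementData(
                Collections.singletonList(createAuthenticationStatement(subjectBean)));
        } else if (statement == Statement.ATTR) {
            callback.setAttributeStatementData(
                Collections.singletonList(createAttributeStatement(subjectBean)));
        } else {
            callback.setAuthDecisionStatementData(
                Collections.singletonList(createAuthDecisionStatement(subjectBean)));
        }
    }

    /** Builds an authentication statement with a fixed "Password" method and optional locality. */
    private AuthenticationStatementBean createAuthenticationStatement(SubjectBean subjectBean) {
        AuthenticationStatementBean authBean = new AuthenticationStatementBean();
        if (subjectBean != null) {
            authBean.setSubject(subjectBean);
        }
        // only emit a SubjectLocality when at least one of its values was configured
        if (subjectLocalityIpAddress != null || subjectLocalityDnsAddress != null) {
            SubjectLocalityBean subjectLocality = new SubjectLocalityBean();
            subjectLocality.setIpAddress(subjectLocalityIpAddress);
            subjectLocality.setDnsAddress(subjectLocalityDnsAddress);
            authBean.setSubjectLocality(subjectLocality);
        }
        authBean.setAuthenticationMethod("Password");
        return authBean;
    }

    /**
     * Builds an attribute statement. Without roles a single placeholder attribute is emitted;
     * otherwise the roles are encoded according to {@link #multiValueType}, e.g. for MULTI_VALUE
     * <pre>
     *   &lt;saml:Attribute AttributeNamespace="..." AttributeName="role"&gt;
     *     &lt;saml:AttributeValue&gt;Value1&lt;/saml:AttributeValue&gt;
     *     &lt;saml:AttributeValue&gt;Value2&lt;/saml:AttributeValue&gt;
     *   &lt;/saml:Attribute&gt;
     * </pre>
     * for ENC_VALUE a single AttributeValue "Value1,Value2", and for MULTI_ATTR one
     * saml:Attribute per role.
     */
    private AttributeStatementBean createAttributeStatement(SubjectBean subjectBean) {
        AttributeStatementBean attrStateBean = new AttributeStatementBean();
        if (subjectBean != null) {
            attrStateBean.setSubject(subjectBean);
        }
        if (roles == null) {
            // no roles configured: keep the statement non-empty with a placeholder attribute
            attrStateBean.setSamlAttributes(Collections.singletonList(
                newAttribute(subjectBean, "name", "dummy-ns", Collections.singletonList("myvalue"))));
            return attrStateBean;
        }
        if (multiValueType == null) {
            throw new IllegalStateException("multiValueType must not be null when roles are configured");
        }
        String roleUri = FederationConstants.DEFAULT_ROLE_URI.toString();
        switch (multiValueType) {
        case MULTI_VALUE: {
            attrStateBean.setSamlAttributes(Collections.singletonList(
                newAttribute(subjectBean, "role", roleUri, roles)));
            break;
        }
        case ENC_VALUE: {
            attrStateBean.setSamlAttributes(Collections.singletonList(
                newAttribute(subjectBean, "role", roleUri, Collections.singletonList(joinRoles()))));
            break;
        }
        case MULTI_ATTR: {
            List<AttributeBean> attrBeans = new ArrayList<AttributeBean>(roles.size());
            for (String role : roles) {
                attrBeans.add(newAttribute(subjectBean, "role", roleUri, Collections.singletonList(role)));
            }
            attrStateBean.setSamlAttributes(attrBeans);
            break;
        }
        default:
            throw new IllegalStateException("Unsupported multiValueType: " + multiValueType);
        }
        return attrStateBean;
    }

    /**
     * Creates one SAML attribute. The simple name is only set when a subject is present (the
     * SAML 1.1 case per the {@link #createAndSetStatement} contract); the qualified name is set
     * in both cases.
     */
    private AttributeBean newAttribute(SubjectBean subjectBean, String simpleName,
                                       String qualifiedName, List<String> values) {
        AttributeBean attributeBean = new AttributeBean();
        if (subjectBean != null) {
            attributeBean.setSimpleName(simpleName);
        }
        attributeBean.setQualifiedName(qualifiedName);
        attributeBean.setAttributeValues(values);
        return attributeBean;
    }

    /**
     * Joins {@link #roles} with {@link #roleSeperator}. An empty role list yields an empty
     * string rather than failing (the separator is only placed between elements).
     */
    private String joinRoles() {
        StringBuilder sb = new StringBuilder();
        boolean first = true;
        for (String role : roles) {
            if (!first) {
                sb.append(roleSeperator);
            }
            sb.append(role);
            first = false;
        }
        return sb.toString();
    }

    /** Builds an authorization decision statement permitting "Read" on {@link #resource}. */
    private AuthDecisionStatementBean createAuthDecisionStatement(SubjectBean subjectBean) {
        AuthDecisionStatementBean authzBean = new AuthDecisionStatementBean();
        if (subjectBean != null) {
            authzBean.setSubject(subjectBean);
        }
        ActionBean actionBean = new ActionBean();
        actionBean.setContents("Read");
        authzBean.setActions(Collections.singletonList(actionBean));
        authzBean.setDecision(AuthDecisionStatementBean.Decision.PERMIT);
        // the configured resource is used as-is; the old placeholder "endpoint" was always overwritten
        authzBean.setResource(resource);
        return authzBean;
    }

    /**
     * Creates the KeyInfo for the subject confirmation. For AUTHN the first configured
     * certificate is referenced directly using {@link #certIdentifier}. For ATTR an ephemeral
     * key is generated, encrypted for the first certificate and wrapped in a ds:KeyInfo holding
     * the xenc:EncryptedKey; the plain key is kept in {@link #ephemeralKey}. For any other
     * statement an empty KeyInfoBean is returned.
     *
     * @return the KeyInfoBean for the current statement type
     * @throws IllegalStateException if a certificate is required but none was configured
     * @throws Exception if the document or the EncryptedKey cannot be built
     */
    protected KeyInfoBean createKeyInfo() throws Exception {
        KeyInfoBean keyInfo = new KeyInfoBean();
        if (statement == Statement.AUTHN) {
            keyInfo.setCertificate(requireCert());
            keyInfo.setCertIdentifer(certIdentifier);
        } else if (statement == Statement.ATTR) {
            X509Certificate cert = requireCert();

            // The factory only creates an empty document here; nothing is parsed, so the
            // parser-hardening normally applied to DocumentBuilderFactory is not relevant.
            DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
            docBuilderFactory.setNamespaceAware(true);
            DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
            Document doc = docBuilder.newDocument();

            // Create an EncryptedKey for the certificate, identified by issuer name and serial
            WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
            encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
            encrKey.setUseThisCert(cert);
            encrKey.prepare(doc, null);
            ephemeralKey = encrKey.getEphemeralKey();
            Element encryptedKeyElement = encrKey.getEncryptedKeyElement();

            // Append the EncryptedKey to a KeyInfo element
            Element keyInfoElement = doc.createElementNS(
                WSConstants.SIG_NS, WSConstants.SIG_PREFIX + ":" + WSConstants.KEYINFO_LN);
            keyInfoElement.setAttributeNS(
                WSConstants.XMLNS_NS, "xmlns:" + WSConstants.SIG_PREFIX, WSConstants.SIG_NS);
            keyInfoElement.appendChild(encryptedKeyElement);

            keyInfo.setElement(keyInfoElement);
        }
        return keyInfo;
    }

    /**
     * Returns the first configured certificate.
     *
     * @throws IllegalStateException if {@link #certs} is null or empty, giving a clear message
     *         instead of the NullPointerException/ArrayIndexOutOfBoundsException of a bare certs[0]
     */
    private X509Certificate requireCert() {
        if (certs == null || certs.length == 0) {
            throw new IllegalStateException(
                "No certificate configured; call setCerts() before createKeyInfo()");
        }
        return certs[0];
    }
}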