001/* 002 * (C) Copyright 2014-2018 Nuxeo (http://nuxeo.com/) and others. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 * 016 * Contributors: 017 * Nelson Silva <[email protected]> 018 */ 019package org.nuxeo.ecm.platform.auth.saml.sso; 020 021import java.io.Serializable; 022import java.util.ArrayList; 023import java.util.LinkedList; 024import java.util.List; 025 026import javax.servlet.http.HttpServletRequest; 027 028import org.apache.commons.lang3.StringUtils; 029import org.joda.time.DateTime; 030import org.nuxeo.ecm.platform.auth.saml.AbstractSAMLProfile; 031import org.nuxeo.ecm.platform.auth.saml.SAMLConfiguration; 032import org.nuxeo.ecm.platform.auth.saml.SAMLCredential; 033import org.opensaml.common.SAMLException; 034import org.opensaml.common.SAMLObject; 035import org.opensaml.common.SAMLVersion; 036import org.opensaml.common.binding.SAMLMessageContext; 037import org.opensaml.saml2.core.Assertion; 038import org.opensaml.saml2.core.Attribute; 039import org.opensaml.saml2.core.AttributeStatement; 040import org.opensaml.saml2.core.AuthnContextClassRef; 041import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; 042import org.opensaml.saml2.core.AuthnRequest; 043import org.opensaml.saml2.core.AuthnStatement; 044import org.opensaml.saml2.core.EncryptedAssertion; 045import org.opensaml.saml2.core.EncryptedAttribute; 046import org.opensaml.saml2.core.Issuer; 047import org.opensaml.saml2.core.NameID; 048import org.opensaml.saml2.core.NameIDPolicy; 049import org.opensaml.saml2.core.NameIDType; 050import org.opensaml.saml2.core.RequestedAuthnContext; 051import org.opensaml.saml2.core.Response; 052import org.opensaml.saml2.core.StatusCode; 053import org.opensaml.saml2.core.Subject; 054import org.opensaml.saml2.metadata.SPSSODescriptor; 055import org.opensaml.saml2.metadata.SingleSignOnService; 056import org.opensaml.xml.encryption.DecryptionException; 057import org.opensaml.xml.security.SecurityException; 058import org.opensaml.xml.signature.Signature; 059import org.opensaml.xml.validation.ValidationException; 060 061/** 062 * WebSSO (Single Sign On) profile implementation. 063 * 064 * @since 6.0 065 */ 066public class WebSSOProfileImpl extends AbstractSAMLProfile implements WebSSOProfile { 067 068 public WebSSOProfileImpl(SingleSignOnService sso) { 069 super(sso); 070 } 071 072 @Override 073 public String getProfileIdentifier() { 074 return PROFILE_URI; 075 } 076 077 @Override 078 public SAMLCredential processAuthenticationResponse(SAMLMessageContext context) throws SAMLException { 079 SAMLObject message = context.getInboundSAMLMessage(); 080 081 // Validate type 082 if (!(message instanceof Response)) { 083 log.debug("Received response is not of a Response object type"); 084 throw new SAMLException("Received response is not of a Response object type"); 085 } 086 Response response = (Response) message; 087 088 // Validate status 089 String statusCode = response.getStatus().getStatusCode().getValue(); 090 if (!StringUtils.equals(statusCode, StatusCode.SUCCESS_URI)) { 091 log.debug("StatusCode was not a success: " + statusCode); 092 throw new SAMLException("StatusCode was not a success: " + statusCode); 093 } 094 095 // Validate signature of the response if present 096 if (response.getSignature() != null) { 097 log.debug("Verifying message signature"); 098 validateSignature(response.getSignature(), context.getPeerEntityId()); 099 context.setInboundSAMLMessageAuthenticated(true); 100 } 101 102 // TODO(nfgs) - Verify issue time ?! 103 104 // TODO(nfgs) - Verify endpoint requested 105 // Endpoint endpoint = context.getLocalEntityEndpoint(); 106 // validateEndpoint(response, ssoService); 107 108 // Verify issuer 109 if (response.getIssuer() != null) { 110 log.debug("Verifying issuer of the message"); 111 Issuer issuer = response.getIssuer(); 112 validateIssuer(issuer, context); 113 } 114 115 List<Attribute> attributes = new LinkedList<>(); 116 List<Assertion> assertions = response.getAssertions(); 117 118 // Decrypt encrypted assertions 119 List<EncryptedAssertion> encryptedAssertionList = response.getEncryptedAssertions(); 120 for (EncryptedAssertion ea : encryptedAssertionList) { 121 try { 122 log.debug("Decrypting assertion"); 123 assertions.add(getDecrypter().decrypt(ea)); 124 } catch (DecryptionException e) { 125 log.debug("Decryption of received assertion failed, assertion will be skipped", e); 126 } 127 } 128 129 Subject subject = null; 130 List<String> sessionIndexes = new ArrayList<>(); 131 132 // Find the assertion to be used for session creation, other assertions are ignored 133 for (Assertion a : assertions) { 134 135 // We're only interested in assertions with AuthnStatement 136 if (a.getAuthnStatements().size() > 0) { 137 try { 138 // Verify that the assertion is valid 139 validateAssertion(a, context); 140 141 // Store session indexes for logout 142 for (AuthnStatement statement : a.getAuthnStatements()) { 143 sessionIndexes.add(statement.getSessionIndex()); 144 } 145 146 } catch (SAMLException e) { 147 log.debug("Validation of received assertion failed, assertion will be skipped", e); 148 continue; 149 } 150 } 151 152 subject = a.getSubject(); 153 154 // Process all attributes 155 for (AttributeStatement attStatement : a.getAttributeStatements()) { 156 for (Attribute att : attStatement.getAttributes()) { 157 attributes.add(att); 158 } 159 // Decrypt attributes 160 for (EncryptedAttribute att : attStatement.getEncryptedAttributes()) { 161 try { 162 attributes.add(getDecrypter().decrypt(att)); 163 } catch (DecryptionException e) { 164 log.error("Failed to decrypt assertion"); 165 } 166 } 167 } 168 169 break; 170 } 171 172 // Make sure that at least one storage contains authentication statement and subject with bearer confirmation 173 if (subject == null) { 174 log.debug("Response doesn't have any valid assertion which would pass subject validation"); 175 throw new SAMLException("Error validating SAML response"); 176 } 177 178 // Was the subject confirmed by this confirmation data? If so let's store the subject in the context. 179 NameID nameID = null; 180 if (subject.getEncryptedID() != null) { 181 // TODO(nfgs) - Decrypt NameID 182 } else { 183 nameID = subject.getNameID(); 184 } 185 186 if (nameID == null) { 187 log.debug("NameID element must be present as part of the Subject in " 188 + "the Response message, please enable it in the IDP configuration"); 189 throw new SAMLException("NameID element must be present as part of the Subject " 190 + "in the Response message, please enable it in the IDP configuration"); 191 } 192 193 // Populate custom data, if any 194 Serializable additionalData = null; // processAdditionalData(context); 195 196 // Create the credential 197 return new SAMLCredential(nameID, sessionIndexes, context.getPeerEntityMetadata().getEntityID(), 198 context.getRelayState(), attributes, context.getLocalEntityId(), additionalData); 199 200 } 201 202 @Override 203 public AuthnRequest buildAuthRequest(HttpServletRequest httpRequest, String... authnContexts) throws SAMLException { 204 205 AuthnRequest request = build(AuthnRequest.DEFAULT_ELEMENT_NAME); 206 request.setID(newUUID()); 207 request.setVersion(SAMLVersion.VERSION_20); 208 request.setIssueInstant(new DateTime()); 209 // Let the IdP pick a protocol binding 210 // request.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI); 211 212 // Fill the assertion consumer URL 213 request.setAssertionConsumerServiceURL(getStartPageURL(httpRequest)); 214 215 Issuer issuer = build(Issuer.DEFAULT_ELEMENT_NAME); 216 issuer.setValue(SAMLConfiguration.getEntityId()); 217 request.setIssuer(issuer); 218 219 NameIDPolicy nameIDPolicy = build(NameIDPolicy.DEFAULT_ELEMENT_NAME); 220 nameIDPolicy.setFormat(NameIDType.UNSPECIFIED); 221 request.setNameIDPolicy(nameIDPolicy); 222 223 // fill the AuthNContext 224 if (authnContexts.length > 0) { 225 RequestedAuthnContext requestedAuthnContext = build(RequestedAuthnContext.DEFAULT_ELEMENT_NAME); 226 requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT); 227 request.setRequestedAuthnContext(requestedAuthnContext); 228 for (String context : authnContexts) { 229 AuthnContextClassRef authnContextClassRef = build(AuthnContextClassRef.DEFAULT_ELEMENT_NAME); 230 authnContextClassRef.setAuthnContextClassRef(context); 231 requestedAuthnContext.getAuthnContextClassRefs().add(authnContextClassRef); 232 } 233 } 234 235 return request; 236 } 237 238 @Override 239 protected void validateAssertion(Assertion assertion, SAMLMessageContext context) throws SAMLException { 240 super.validateAssertion(assertion, context); 241 Signature signature = assertion.getSignature(); 242 if (signature == null) { 243 SPSSODescriptor roleMetadata = (SPSSODescriptor) context.getLocalEntityRoleMetadata(); 244 245 if (roleMetadata != null && roleMetadata.getWantAssertionsSigned()) { 246 if (!context.isInboundSAMLMessageAuthenticated()) { 247 throw new SAMLException("Metadata includes wantAssertionSigned, " 248 + "but neither Response nor included Assertion is signed"); 249 } 250 } 251 } 252 } 253}