Merge remote-tracking branch 'cxf-fediz/master' into FEDIZ-250
Conflicts:
	pom.xml
amarkevich committed Oct 8, 2020
2 parents 97da721 + cc9d860 commit 06478a3053e0fee20b63f98a14b6038c955723b8
Showing 32 changed files with 303 additions and 312 deletions.
@@ -1,4 +1,4 @@
[![Build Status](https://builds.apache.org/view/A-D/view/CXF/job/CXF-Fediz/badge/icon?subject=Build)](https://builds.apache.org/view/A-D/view/CXF/job/CXF-Fediz/)
[![Build Status](https://ci-builds.apache.org/job/CXF/job/CXF-Fediz/badge/icon?subject=Build)](https://ci-builds.apache.org/job/CXF/job/CXF-Fediz/)
[![Maven Central](https://maven-badges.herokuapp.com/maven-central/org.apache.cxf.fediz/fediz/badge.svg)](https://maven-badges.herokuapp.com/maven-central/org.apache.cxf.fediz/fediz)
[![Total alerts](https://img.shields.io/lgtm/alerts/g/apache/cxf-fediz)](https://lgtm.com/projects/g/apache/cxf-fediz/alerts/)

@@ -36,7 +36,6 @@ public class FederationProtocol extends Protocol {
private Object authenticationType;
private Object homeRealm;
private Object freshness;
private Object signInQuery;
private Object signOutQuery;

public FederationProtocol(ProtocolType protocolType) {
@@ -120,27 +119,6 @@ public void setFreshness(Object value) {
}
}

public Object getSignInQuery() {
if (this.signInQuery != null) {
return this.signInQuery;
}
CallbackType cbt = getFederationProtocol().getSignInQuery();
this.signInQuery = ConfigUtils.loadCallbackType(cbt, "SignInQuery", getClassloader());
return this.signInQuery;
}

public void setSignInQuery(Object value) {
final boolean isString = value instanceof String;
final boolean isCallbackHandler = value instanceof CallbackHandler;
if (isString || isCallbackHandler) {
this.signInQuery = value;
} else {
LOG.error("Unsupported 'SignInQuery' object");
throw new IllegalArgumentException("Unsupported 'SignInQuery' object. Type must be "
+ "java.lang.String or javax.security.auth.callback.CallbackHandler.");
}
}

public Object getSignOutQuery() {
if (this.signOutQuery != null) {
return this.signOutQuery;
@@ -43,6 +43,7 @@ public abstract class Protocol {
private Object realm;
private List<TokenValidator> validators = new ArrayList<>();
private Object reply;
private Object signInQuery;

public Protocol(ProtocolType protocolType) {
this.protocolType = protocolType;
@@ -209,4 +210,25 @@ public void setReply(Object value) {
}
}

public Object getSignInQuery() {
if (this.signInQuery != null) {
return this.signInQuery;
}
CallbackType cbt = getProtocolType().getSignInQuery();
this.signInQuery = ConfigUtils.loadCallbackType(cbt, "SignInQuery", getClassloader());
return this.signInQuery;
}

public void setSignInQuery(Object value) {
final boolean isString = value instanceof String;
final boolean isCallbackHandler = value instanceof CallbackHandler;
if (isString || isCallbackHandler) {
this.signInQuery = value;
} else {
LOG.error("Unsupported 'SignInQuery' object");
throw new IllegalArgumentException("Unsupported 'SignInQuery' object. Type must be java.lang.String or "
+ "javax.security.auth.callback.CallbackHandler.");
}
}

}
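Review bot: The new `getSignInQuery()` lazily initialises `this.signInQuery` with no synchronization, so two threads sharing one Protocol instance can both run `ConfigUtils.loadCallbackType` and the later assignment wins; that is presumably the same pattern the other getters in this class use, but it is worth a sentence of Javadoc on the getter. The Javadoc should also state that the returned object is either a `String` query fragment or a `CallbackHandler` that answers a `SignInQueryCallback`, so callers must check the runtime type before using it. `setSignInQuery(null)` falls into the error branch, since `null instanceof String` is false, which the `IllegalArgumentException` message does not say; `"Unsupported 'SignInQuery' object. Type must be java.lang.String or javax.security.auth.callback.CallbackHandler (null is not accepted)."` would make that explicit. The enclosing `Protocol` class starts outside the hunk.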
@@ -25,6 +25,7 @@
import java.time.Instant;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
@@ -38,10 +39,14 @@
import org.apache.cxf.fediz.core.spi.IDPCallback;
import org.apache.cxf.fediz.core.spi.RealmCallback;
import org.apache.cxf.fediz.core.spi.ReplyCallback;
import org.apache.cxf.fediz.core.spi.SignInQueryCallback;
import org.apache.cxf.fediz.core.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import static java.net.URLEncoder.encode;
import static java.nio.charset.StandardCharsets.UTF_8;

public abstract class AbstractFedizProcessor implements FedizProcessor {

private static final Logger LOG = LoggerFactory.getLogger(AbstractFedizProcessor.class);
@@ -180,4 +185,32 @@ protected void testForMandatoryClaims(String roleURI,
}
}
}

protected String resolveSignInQuery(HttpServletRequest request, FedizContext config) throws IOException,
UnsupportedCallbackException {
Object signInQueryObj = config.getProtocol().getSignInQuery();
String signInQuery = null;
if (signInQueryObj != null) {
if (signInQueryObj instanceof String) {
signInQuery = (String)signInQueryObj;
} else if (signInQueryObj instanceof CallbackHandler) {
CallbackHandler frCB = (CallbackHandler)signInQueryObj;
SignInQueryCallback callback = new SignInQueryCallback(request);
frCB.handle(new Callback[] {callback});
Map<String, String> signInQueryMap = callback.getSignInQueryParamMap();
if (signInQueryMap != null) {
StringBuilder sbQuery = new StringBuilder();
for (Map.Entry<String, String> entry : signInQueryMap.entrySet()) {
if (sbQuery.length() > 0) {
sbQuery.append('&');
}
sbQuery.append(entry.getKey()).append('=').append(encode(entry.getValue(), UTF_8.name()));
}
signInQuery = sbQuery.toString();
}

}
}
return signInQuery;
}
}
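Review bot: In `resolveSignInQuery` the parameter name is appended raw while only the value is URL-encoded, in `sbQuery.append(entry.getKey()).append('=').append(encode(entry.getValue(), UTF_8.name()));`, so a key containing `&` or `=` returned by the configured CallbackHandler would change the structure of the query that `createSignInRequest` later concatenates; now that the helper lives in the shared base class, the SAML processor inherits this as well. Encoding both halves is symmetric and cheap: `sbQuery.append(encode(entry.getKey(), UTF_8.name())).append('=').append(encode(entry.getValue(), UTF_8.name()));`. A null map value would make `encode` throw a `NullPointerException` rather than a descriptive error; skipping such an entry with a log line, or failing with `Objects.requireNonNull(entry.getValue(), entry.getKey())`, would be clearer, although that behaviour is carried over from the FederationProcessor version this commit removes. The method is the last member before the closing brace at the end of the hunk, so the rest of the class is outside it.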
@@ -21,7 +21,6 @@

import java.io.IOException;
import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.cert.Certificate;
@@ -61,7 +60,6 @@
import org.apache.cxf.fediz.core.spi.FreshnessCallback;
import org.apache.cxf.fediz.core.spi.HomeRealmCallback;
import org.apache.cxf.fediz.core.spi.ReplyConstraintCallback;
import org.apache.cxf.fediz.core.spi.SignInQueryCallback;
import org.apache.cxf.fediz.core.spi.SignOutQueryCallback;
import org.apache.cxf.fediz.core.spi.WAuthCallback;
import org.apache.cxf.fediz.core.spi.WReqCallback;
@@ -552,36 +550,6 @@ public RedirectionResponse createSignOutRequest(HttpServletRequest request, Saml
return response;
}

private String resolveSignInQuery(HttpServletRequest request, FedizContext config) throws IOException,
UnsupportedCallbackException, UnsupportedEncodingException {
Object signInQueryObj = ((FederationProtocol)config.getProtocol()).getSignInQuery();
String signInQuery = null;
if (signInQueryObj != null) {
if (signInQueryObj instanceof String) {
signInQuery = (String)signInQueryObj;
} else if (signInQueryObj instanceof CallbackHandler) {
CallbackHandler frCB = (CallbackHandler)signInQueryObj;
SignInQueryCallback callback = new SignInQueryCallback(request);
frCB.handle(new Callback[] {
callback
});
Map<String, String> signInQueryMap = callback.getSignInQueryParamMap();
if (signInQueryMap != null) {
StringBuilder sbQuery = new StringBuilder();
for (Entry<String, String> entry : signInQueryMap.entrySet()) {
if (sbQuery.length() > 0) {
sbQuery.append('&');
}
sbQuery.append(entry.getKey()).append('=').append(encode(entry.getValue(), UTF_8.name()));
}
signInQuery = sbQuery.toString();
}

}
}
return signInQuery;
}

private Pattern resolveLogoutRedirectToConstraint(HttpServletRequest request, FedizContext config)
throws IOException, UnsupportedCallbackException {
Object logoutConstraintObj = config.getLogoutRedirectToConstraint();
@@ -522,6 +522,8 @@ public RedirectionResponse createSignInRequest(HttpServletRequest request, Fediz
String urlEncodedRequest =
URLEncoder.encode(authnRequestEncoded, "UTF-8");

String signInQuery = resolveSignInQuery(request, config);

StringBuilder sb = new StringBuilder();
sb.append(SAMLSSOConstants.SAML_REQUEST).append('=').append(urlEncodedRequest);
sb.append('&').append(SAMLSSOConstants.RELAY_STATE).append('=').append(relayState);
@@ -531,6 +533,11 @@ public RedirectionResponse createSignInRequest(HttpServletRequest request, Fediz
sb.append('&').append(SAMLSSOConstants.SIGNATURE).append('=').append(signature);
}

// add signin query extensions
if (signInQuery != null && signInQuery.length() > 0) {
sb.append('&').append(signInQuery);
}

RedirectionResponse response = new RedirectionResponse();
response.addHeader("Cache-Control", "no-cache, no-store");
response.addHeader("Pragma", "no-cache");
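Review bot: The sign-in query is appended after the `Signature` parameter, so those extra parameters are outside whatever string the signature was computed over (the signing step itself is not in the hunk), and IdP-side code must not treat them as integrity-protected; a one-line comment makes that explicit: `// appended after Signature: these parameters are not covered by the redirect signature`. The guard `signInQuery != null && signInQuery.length() > 0` reads better as `signInQuery != null && !signInQuery.isEmpty()`. `resolveSignInQuery` is declared to throw `IOException` and `UnsupportedCallbackException`, and no catch was added here, so `createSignInRequest`'s existing throws clause presumably already covers both; worth confirming. `createSignInRequest` starts before the first hunk of this file and ends after this one.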
@@ -155,7 +155,6 @@
<xs:element ref="homeRealm" />
<xs:element ref="freshness" />
<xs:element ref="request" />
<xs:element ref="signInQuery" />
<xs:element ref="signOutQuery" />
</xs:sequence>
<xs:attribute name="version" use="required" type="xs:string" />
@@ -205,6 +204,7 @@
<xs:element ref="tokenValidators" />
<xs:element ref="metadataURI" />
<xs:element ref="reply" />
<xs:element ref="signInQuery" />
</xs:sequence>
</xs:complexType>
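Review bot: Moving `signInQuery` from the federation protocol sequence to the end of the base protocol sequence changes where the element must appear in a configuration file: if the federation protocol type extends the base type (not visible in these hunks), `<signInQuery>` now has to precede federation-specific elements such as `<homeRealm>` and `<request>` instead of sitting between `<request>` and `<signOutQuery>`, so existing configuration files that used the old position will fail schema validation. That may be intended, but it deserves an `xs:annotation` on the element, or a note in the release documentation, stating the new position and that it applies to the SAML protocol as well.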

@@ -174,13 +174,13 @@ private FedizConfig createConfigWithoutCB(boolean federation) throws JAXBExcepti
tokenRequest.setType(ArgumentType.STRING);
tokenRequest.setValue(TestCallbackHandler.TEST_WREQ);
((FederationProtocolType)protocol).setRequest(tokenRequest);

CallbackType signInQueryType = new CallbackType();
signInQueryType.setType(ArgumentType.STRING);
signInQueryType.setValue(TEST_SIGNIN_QUERY);
((FederationProtocolType)protocol).setSignInQuery(signInQueryType);
}

CallbackType signInQueryType = new CallbackType();
signInQueryType.setType(ArgumentType.STRING);
signInQueryType.setValue(TEST_SIGNIN_QUERY);
protocol.setSignInQuery(signInQueryType);

return config;
}

@@ -215,17 +215,17 @@ private FedizConfig createConfigCB(boolean federation) throws JAXBException {
tokenRequest.setValue(CALLBACKHANDLER_CLASS);
((FederationProtocolType)protocol).setRequest(tokenRequest);

CallbackType signInQueryType = new CallbackType();
signInQueryType.setType(ArgumentType.CLASS);
signInQueryType.setValue(CALLBACKHANDLER_CLASS);
((FederationProtocolType)protocol).setSignInQuery(signInQueryType);

CallbackType replyType = new CallbackType();
replyType.setType(ArgumentType.CLASS);
replyType.setValue(CALLBACKHANDLER_CLASS);
((FederationProtocolType)protocol).setReply(replyType);
}

CallbackType signInQueryType = new CallbackType();
signInQueryType.setType(ArgumentType.CLASS);
signInQueryType.setValue(CALLBACKHANDLER_CLASS);
protocol.setSignInQuery(signInQueryType);

return config;
}

@@ -328,6 +328,16 @@ public void testParamsWithCallbackHandlerSAML() throws Exception {
issuerCB.handle(new Callback[] {callbackIDP});
String issuerURL = callbackIDP.getIssuerUrl().toString();
Assert.assertEquals(TestCallbackHandler.TEST_IDP, issuerURL);

Object signInQueryObj = protocol.getSignInQuery();
Assert.assertTrue(signInQueryObj instanceof CallbackHandler);
CallbackHandler siqCB = (CallbackHandler)signInQueryObj;
SignInQueryCallback callbackSIQ = new SignInQueryCallback(null);
siqCB.handle(new Callback[] {callbackSIQ});
Map<String, String> signinQueryMap = callbackSIQ.getSignInQueryParamMap();
Assert.assertEquals(2, signinQueryMap.size());
Assert.assertEquals("myid", signinQueryMap.get("pubid"));
Assert.assertEquals("<=>", signinQueryMap.get("testenc"));
}

@org.junit.Test
@@ -392,6 +402,11 @@ public void testParamsWithoutCallbackHandlerSAML() throws Exception {
Assert.assertTrue(issuerObj instanceof String);
String issuerURL = (String)issuerObj;
Assert.assertEquals(TestCallbackHandler.TEST_IDP, issuerURL);

Object signInQueryObj = protocol.getSignInQuery();
Assert.assertTrue(signInQueryObj instanceof String);
String signInQuery = (String)signInQueryObj;
Assert.assertEquals(TestCallbackHandler.TEST_SIGNIN_QUERY, signInQuery);
}


@@ -371,38 +371,6 @@ private String createSamlResponseStr(AbstractSAMLCallbackHandler saml2CallbackHa
return encodeResponse(response);
}

private Element createSamlResponse(SamlAssertionWrapper assertion, String alias,
boolean sign, String requestID)
throws IOException, UnsupportedCallbackException, WSSecurityException, Exception {
WSPasswordCallback[] cb = {
new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE)
};
cbPasswordHandler.handle(cb);
String password = cb[0].getPassword();

if (sign) {
assertion.signAssertion(alias, password, crypto, false);
}

DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();

Status status =
SAML2PResponseComponentBuilder.createStatus(
"urn:oasis:names:tc:SAML:2.0:status:Success", null
);
Response response =
SAML2PResponseComponentBuilder.createSAMLResponse(requestID,
assertion.getIssuerString(),
status);
response.getAssertions().add(assertion.getSaml2());

Document doc = docBuilder.newDocument();
Element policyElement = OpenSAMLUtil.toDom(response, doc);
doc.appendChild(policyElement);

return policyElement;
}

private Element createEncryptedSamlResponse(SamlAssertionWrapper assertion, String alias,
boolean sign, String requestID)
throws IOException, UnsupportedCallbackException, WSSecurityException, Exception {
@@ -47,11 +47,11 @@
<cxf.build-utils.version>3.4.4</cxf.build-utils.version>
<easymock.version>4.0.2</easymock.version>
<ehcache.version>2.10.6</ehcache.version>
<ehcache3.version>3.0.3</ehcache3.version>
<ehcache3.version>3.8.1</ehcache3.version>
<jcache.version>1.0.0</jcache.version>
<hsqldb.version>2.5.1</hsqldb.version>
<htmlunit.version>2.43.0</htmlunit.version>
<jackson.version>2.10.4</jackson.version>
<jackson.version>2.10.5</jackson.version>
<jaxb.version>2.3.2</jaxb.version>
<jetty9.version>9.4.30.v20200611</jetty9.version>
<junit.version>4.13</junit.version>
@@ -64,7 +64,7 @@
<spring-ldap-core.version>2.3.3.RELEASE</spring-ldap-core.version>
<spring.security.version>5.3.4.RELEASE</spring.security.version>
<spring-webflow.version>2.5.1.RELEASE</spring-webflow.version>
<tomcat.version>9.0.37</tomcat.version>
<tomcat.version>9.0.38</tomcat.version>
<validation-api.version>2.0.2</validation-api.version>
<wss4j.version>2.2.5</wss4j.version>

@@ -87,7 +87,7 @@
<td>
<input type="checkbox"
<%
if (perm.isDefault() || authorizedScopes.contains(perm.getPermission())) {
if (perm.isDefaultPermission() || authorizedScopes.contains(perm.getPermission())) {
%>
disabled="disabled"
<%
@@ -98,7 +98,7 @@
value="allow"
><big><big><%= perm.getDescription() %></big></big></input>
<%
if (perm.isDefault()) {
if (perm.isDefaultPermission()) {
%>
<input type="hidden" name="<%= perm.getPermission()%>_status" value="allow" />
<%
