001/*
002 * (C) Copyright 2014-2018 Nuxeo (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Nelson Silva <nelson.silva@inevo.pt>
018 */
019package org.nuxeo.ecm.platform.auth.saml.sso;
020
021import java.io.Serializable;
022import java.util.ArrayList;
023import java.util.LinkedList;
024import java.util.List;
025
026import javax.servlet.http.HttpServletRequest;
027
028import org.apache.commons.lang3.StringUtils;
029import org.joda.time.DateTime;
030import org.nuxeo.ecm.platform.auth.saml.AbstractSAMLProfile;
031import org.nuxeo.ecm.platform.auth.saml.SAMLConfiguration;
032import org.nuxeo.ecm.platform.auth.saml.SAMLCredential;
033import org.opensaml.common.SAMLException;
034import org.opensaml.common.SAMLObject;
035import org.opensaml.common.SAMLVersion;
036import org.opensaml.common.binding.SAMLMessageContext;
037import org.opensaml.saml2.core.Assertion;
038import org.opensaml.saml2.core.Attribute;
039import org.opensaml.saml2.core.AttributeStatement;
040import org.opensaml.saml2.core.AuthnContextClassRef;
041import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
042import org.opensaml.saml2.core.AuthnRequest;
043import org.opensaml.saml2.core.AuthnStatement;
044import org.opensaml.saml2.core.EncryptedAssertion;
045import org.opensaml.saml2.core.EncryptedAttribute;
046import org.opensaml.saml2.core.Issuer;
047import org.opensaml.saml2.core.NameID;
048import org.opensaml.saml2.core.NameIDPolicy;
049import org.opensaml.saml2.core.NameIDType;
050import org.opensaml.saml2.core.RequestedAuthnContext;
051import org.opensaml.saml2.core.Response;
052import org.opensaml.saml2.core.StatusCode;
053import org.opensaml.saml2.core.Subject;
054import org.opensaml.saml2.metadata.SPSSODescriptor;
055import org.opensaml.saml2.metadata.SingleSignOnService;
056import org.opensaml.xml.encryption.DecryptionException;
057import org.opensaml.xml.signature.Signature;
058
059/**
060 * WebSSO (Single Sign On) profile implementation.
061 *
062 * @since 6.0
063 */
064public class WebSSOProfileImpl extends AbstractSAMLProfile implements WebSSOProfile {
065
066    public WebSSOProfileImpl(SingleSignOnService sso) {
067        super(sso);
068    }
069
070    @Override
071    public String getProfileIdentifier() {
072        return PROFILE_URI;
073    }
074
075    @Override
076    public SAMLCredential processAuthenticationResponse(SAMLMessageContext context) throws SAMLException {
077        SAMLObject message = context.getInboundSAMLMessage();
078
079        // Validate type
080        if (!(message instanceof Response)) {
081            log.debug("Received response is not of a Response object type");
082            throw new SAMLException("Received response is not of a Response object type");
083        }
084        Response response = (Response) message;
085
086        // Validate status
087        String statusCode = response.getStatus().getStatusCode().getValue();
088        if (!StringUtils.equals(statusCode, StatusCode.SUCCESS_URI)) {
089            log.debug("StatusCode was not a success: " + statusCode);
090            throw new SAMLException("StatusCode was not a success: " + statusCode);
091        }
092
093        // Validate signature of the response if present
094        if (response.getSignature() != null) {
095            log.debug("Verifying message signature");
096            validateSignature(response.getSignature(), context.getPeerEntityId());
097            context.setInboundSAMLMessageAuthenticated(true);
098        }
099
100        // TODO(nfgs) - Verify issue time ?!
101
102        // TODO(nfgs) - Verify endpoint requested
103        // Endpoint endpoint = context.getLocalEntityEndpoint();
104        // validateEndpoint(response, ssoService);
105
106        // Verify issuer
107        if (response.getIssuer() != null) {
108            log.debug("Verifying issuer of the message");
109            Issuer issuer = response.getIssuer();
110            validateIssuer(issuer, context);
111        }
112
113        List<Attribute> attributes = new LinkedList<>();
114        List<Assertion> assertions = response.getAssertions();
115
116        // Decrypt encrypted assertions
117        List<EncryptedAssertion> encryptedAssertionList = response.getEncryptedAssertions();
118        for (EncryptedAssertion ea : encryptedAssertionList) {
119            try {
120                log.debug("Decrypting assertion");
121                assertions.add(getDecrypter().decrypt(ea));
122            } catch (DecryptionException e) {
123                log.debug("Decryption of received assertion failed, assertion will be skipped", e);
124            }
125        }
126
127        Subject subject = null;
128        List<String> sessionIndexes = new ArrayList<>();
129
130        // Find the assertion to be used for session creation, other assertions are ignored
131        for (Assertion a : assertions) {
132
133            // We're only interested in assertions with AuthnStatement
134            if (a.getAuthnStatements().size() > 0) {
135                try {
136                    // Verify that the assertion is valid
137                    validateAssertion(a, context);
138
139                    // Store session indexes for logout
140                    for (AuthnStatement statement : a.getAuthnStatements()) {
141                        sessionIndexes.add(statement.getSessionIndex());
142                    }
143
144                } catch (SAMLException e) {
145                    log.debug("Validation of received assertion failed, assertion will be skipped", e);
146                    continue;
147                }
148            }
149
150            subject = a.getSubject();
151
152            // Process all attributes
153            for (AttributeStatement attStatement : a.getAttributeStatements()) {
154                for (Attribute att : attStatement.getAttributes()) {
155                    attributes.add(att);
156                }
157                // Decrypt attributes
158                for (EncryptedAttribute att : attStatement.getEncryptedAttributes()) {
159                    try {
160                        attributes.add(getDecrypter().decrypt(att));
161                    } catch (DecryptionException e) {
162                        log.error("Failed to decrypt assertion");
163                    }
164                }
165            }
166
167            break;
168        }
169
170        // Make sure that at least one storage contains authentication statement and subject with bearer confirmation
171        if (subject == null) {
172            log.debug("Response doesn't have any valid assertion which would pass subject validation");
173            throw new SAMLException("Error validating SAML response");
174        }
175
176        // Was the subject confirmed by this confirmation data? If so let's store the subject in the context.
177        NameID nameID = null;
178        if (subject.getEncryptedID() != null) {
179            // TODO(nfgs) - Decrypt NameID
180        } else {
181            nameID = subject.getNameID();
182        }
183
184        if (nameID == null) {
185            log.debug("NameID element must be present as part of the Subject in "
186                    + "the Response message, please enable it in the IDP configuration");
187            throw new SAMLException("NameID element must be present as part of the Subject "
188                    + "in the Response message, please enable it in the IDP configuration");
189        }
190
191        // Populate custom data, if any
192        Serializable additionalData = null; // processAdditionalData(context);
193
194        // Create the credential
195        return new SAMLCredential(nameID, sessionIndexes, context.getPeerEntityMetadata().getEntityID(),
196                context.getRelayState(), attributes, context.getLocalEntityId(), additionalData);
197
198    }
199
200    @Override
201    public AuthnRequest buildAuthRequest(HttpServletRequest httpRequest, String... authnContexts) throws SAMLException {
202
203        AuthnRequest request = build(AuthnRequest.DEFAULT_ELEMENT_NAME);
204        request.setID(newUUID());
205        request.setVersion(SAMLVersion.VERSION_20);
206        request.setIssueInstant(new DateTime());
207        // Let the IdP pick a protocol binding
208        // request.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);
209
210        // Fill the assertion consumer URL
211        request.setAssertionConsumerServiceURL(getStartPageURL(httpRequest));
212
213        Issuer issuer = build(Issuer.DEFAULT_ELEMENT_NAME);
214        issuer.setValue(SAMLConfiguration.getEntityId());
215        request.setIssuer(issuer);
216
217        NameIDPolicy nameIDPolicy = build(NameIDPolicy.DEFAULT_ELEMENT_NAME);
218        nameIDPolicy.setFormat(NameIDType.UNSPECIFIED);
219        request.setNameIDPolicy(nameIDPolicy);
220
221        // fill the AuthNContext
222        if (authnContexts.length > 0) {
223            RequestedAuthnContext requestedAuthnContext = build(RequestedAuthnContext.DEFAULT_ELEMENT_NAME);
224            requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
225            request.setRequestedAuthnContext(requestedAuthnContext);
226            for (String context : authnContexts) {
227                AuthnContextClassRef authnContextClassRef = build(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
228                authnContextClassRef.setAuthnContextClassRef(context);
229                requestedAuthnContext.getAuthnContextClassRefs().add(authnContextClassRef);
230            }
231        }
232
233        return request;
234    }
235
236    @Override
237    protected void validateAssertion(Assertion assertion, SAMLMessageContext context) throws SAMLException {
238        super.validateAssertion(assertion, context);
239        Signature signature = assertion.getSignature();
240        if (signature == null) {
241            SPSSODescriptor roleMetadata = (SPSSODescriptor) context.getLocalEntityRoleMetadata();
242
243            if (roleMetadata != null && roleMetadata.getWantAssertionsSigned()) {
244                if (!context.isInboundSAMLMessageAuthenticated()) {
245                    throw new SAMLException("Metadata includes wantAssertionSigned, "
246                            + "but neither Response nor included Assertion is signed");
247                }
248            }
249        }
250    }
251}