@Override
public SignableXMLObject setSignature(
SignableXMLObject signableXMLObject,
String signatureAlgorithm,
String digestAlgorithm,
X509Credential cred)
throws IdentityException {
Signature signature = (Signature) buildXMLObject(Signature.DEFAULT_ELEMENT_NAME);
signature.setSigningCredential(cred);
signature.setSignatureAlgorithm(signatureAlgorithm);
signature.setCanonicalizationAlgorithm(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
KeyInfo keyInfo = (KeyInfo) buildXMLObject(KeyInfo.DEFAULT_ELEMENT_NAME);
X509Data data = (X509Data) buildXMLObject(X509Data.DEFAULT_ELEMENT_NAME);
X509Certificate cert = (X509Certificate) buildXMLObject(X509Certificate.DEFAULT_ELEMENT_NAME);
String value;
try {
value = org.apache.xml.security.utils.Base64.encode(cred.getEntityCertificate().getEncoded());
} catch (CertificateEncodingException e) {
throw IdentityException.error("Error occurred while retrieving encoded cert", e);
}
cert.setValue(value);
data.getX509Certificates().add(cert);
keyInfo.getX509Datas().add(data);
signature.setKeyInfo(keyInfo);
signableXMLObject.setSignature(signature);
((SAMLObjectContentReference) signature.getContentReferences().get(0))
.setDigestAlgorithm(digestAlgorithm);
List<Signature> signatureList = new ArrayList<Signature>();
signatureList.add(signature);
MarshallerFactory marshallerFactory = org.opensaml.xml.Configuration.getMarshallerFactory();
Marshaller marshaller = marshallerFactory.getMarshaller(signableXMLObject);
try {
marshaller.marshall(signableXMLObject);
} catch (MarshallingException e) {
throw IdentityException.error("Unable to marshall the request", e);
}
org.apache.xml.security.Init.init();
try {
Signer.signObjects(signatureList);
} catch (SignatureException e) {
throw IdentityException.error("Error occurred while signing request", e);
}
return signableXMLObject;
}
/**
* @param ppid
* @throws IdentityException
*/
public void registerOAuthConsumer(OAuthConsumerDO consumer) throws IdentityException {
Collection userResource = null;
if (log.isDebugEnabled()) {
log.debug("Creating or updating OAuth consumer value");
}
try {
boolean transactionStarted = Transaction.isStarted();
try {
if (!transactionStarted) {
registry.beginTransaction();
}
if (!registry.resourceExists(RegistryConstants.PROFILES_PATH + consumer.getConsumerKey())) {
userResource = registry.newCollection();
registry.put(RegistryConstants.PROFILES_PATH + consumer.getConsumerKey(), userResource);
} else {
userResource =
(Collection)
registry.get(RegistryConstants.PROFILES_PATH + consumer.getConsumerKey());
userResource.removeProperty(IdentityRegistryResources.OAUTH_CONSUMER_PATH);
}
userResource.addProperty(
IdentityRegistryResources.OAUTH_CONSUMER_PATH, consumer.getConsumerSecret());
registry.put(RegistryConstants.PROFILES_PATH + consumer.getConsumerKey(), userResource);
if (!transactionStarted) {
registry.commitTransaction();
}
} catch (Exception e) {
if (!transactionStarted) {
registry.rollbackTransaction();
}
if (e instanceof RegistryException) {
throw (RegistryException) e;
} else {
throw IdentityException.error("Error while creating or updating OAuth consumer", e);
}
}
} catch (RegistryException e) {
log.error("Error while creating or updating OAuth consumer", e);
throw IdentityException.error("Error while creating or updating OAuth consumer", e);
}
}
/**
* Builds SAML Elements
*
* @param objectQName
* @return
* @throws IdentityException
*/
private XMLObject buildXMLObject(QName objectQName) throws IdentityException {
XMLObjectBuilder builder =
org.opensaml.xml.Configuration.getBuilderFactory().getBuilder(objectQName);
if (builder == null) {
throw IdentityException.error("Unable to retrieve builder for object QName " + objectQName);
}
return builder.buildObject(
objectQName.getNamespaceURI(), objectQName.getLocalPart(), objectQName.getPrefix());
}
/**
* Validates the authentication request according to IdP Initiated SAML SSO Web Browser
* Specification
*
* @return SAMLSSOSignInResponseDTO
* @throws org.wso2.carbon.identity.base.IdentityException
*/
public SAMLSSOReqValidationResponseDTO validate() throws IdentityException {
SAMLSSOReqValidationResponseDTO validationResponse = new SAMLSSOReqValidationResponseDTO();
try {
// spEntityID MUST NOT be null
if (StringUtils.isNotBlank(spEntityID)) {
validationResponse.setIssuer(spEntityID);
} else {
String errorResp =
SAMLSSOUtil.buildErrorResponse(
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR,
"spEntityID parameter not found in request",
null);
if (log.isDebugEnabled()) {
log.debug("spEntityID parameter not found in request");
}
validationResponse.setResponse(errorResp);
validationResponse.setValid(false);
return validationResponse;
}
if (!SAMLSSOUtil.isSAMLIssuerExists(
spEntityID, SAMLSSOUtil.getTenantDomainFromThreadLocal())) {
String message =
"A Service Provider with the Issuer '"
+ spEntityID
+ "' is not registered. Service "
+ "Provider should be registered in advance";
log.error(message);
String errorResp =
SAMLSSOUtil.buildErrorResponse(
SAMLSSOConstants.StatusCodes.REQUESTOR_ERROR, message, null);
validationResponse.setResponse(errorResp);
validationResponse.setValid(false);
return validationResponse;
}
// If SP has multiple ACS
if (StringUtils.isNotBlank(acs)) {
validationResponse.setAssertionConsumerURL(acs);
}
if (StringUtils.isBlank(SAMLSSOUtil.getTenantDomainFromThreadLocal())) {
SAMLSSOUtil.setTenantDomainInThreadLocal(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);
}
validationResponse.setValid(true);
if (log.isDebugEnabled()) {
log.debug("IdP Initiated SSO request validation is successful");
}
return validationResponse;
} catch (Exception e) {
throw IdentityException.error("Error validating the IdP Initiated SSO request", e);
}
}
@Override
public boolean validateXMLSignature(
RequestAbstractType request, X509Credential cred, String alias) throws IdentityException {
boolean isSignatureValid = false;
if (request.getSignature() != null) {
try {
SignatureValidator validator = new SignatureValidator(cred);
validator.validate(request.getSignature());
isSignatureValid = true;
} catch (ValidationException e) {
throw IdentityException.error(
"Signature Validation Failed for the SAML Assertion : Signature is " + "invalid.", e);
}
}
return isSignatureValid;
}
/**
* @param ppid
* @return
* @throws IdentityException
*/
public String getOAuthConsumerSecret(String consumerKey) throws IdentityException {
String path = null;
Resource resource = null;
if (log.isDebugEnabled()) {
log.debug("Retreiving user for OAuth consumer key " + consumerKey);
}
try {
path = RegistryConstants.PROFILES_PATH + consumerKey;
if (registry.resourceExists(path)) {
resource = registry.get(path);
return resource.getProperty(IdentityRegistryResources.OAUTH_CONSUMER_PATH);
} else {
return null;
}
} catch (RegistryException e) {
log.error("Error while retreiving user for OAuth consumer key " + consumerKey, e);
throw IdentityException.error(
"Error while retreiving user for OAuth consumer key " + consumerKey, e);
}
}