[1/5] cxf-fediz git commit: Return the IdP metadata if no realm is specified.


[1/5] cxf-fediz git commit: Return the IdP metadata if no realm is specified.

coheigea
Administrator
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 947f73d11 -> 2db18ceff


Return the IdP metadata if no realm is specified.


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/cb4a0995
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/cb4a0995
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/cb4a0995

Branch: refs/heads/master
Commit: cb4a0995995126397c66a832eda972bb728b6592
Parents: 947f73d
Author: Colm O hEigeartaigh <[hidden email]>
Authored: Wed Aug 9 10:26:38 2017 +0100
Committer: Colm O hEigeartaigh <[hidden email]>
Committed: Wed Aug 9 10:26:38 2017 +0100

----------------------------------------------------------------------
 .../cxf/fediz/service/idp/MetadataServlet.java  | 20 +++++++++---
 .../apache/cxf/fediz/systests/idp/IdpTest.java  | 33 ++++++++++++++++++++
 2 files changed, 48 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cb4a0995/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
index dca1b46..1077f8b 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
@@ -63,15 +63,25 @@ public class MetadataServlet extends HttpServlet {
         Idp idpConfig = cs.getIDP(realm);
         try {
             if (request.getServletPath() != null && request.getServletPath().startsWith("/metadata")) {
-                String serviceRealm =
+                String parsedRealm =
                     request.getRequestURI().substring(request.getRequestURI().indexOf("/metadata")
                                                       + "/metadata".length());
-                if (serviceRealm != null && serviceRealm.charAt(0) == '/') {
-                    serviceRealm = serviceRealm.substring(1);
+                if (parsedRealm != null && !parsedRealm.isEmpty() && parsedRealm.charAt(0) == '/') {
+                    parsedRealm = parsedRealm.substring(1);
                 }
-                TrustedIdp trustedIdp = idpConfig.findTrustedIdp(serviceRealm);
+
+                // Default to writing out the metadata for the IdP
+                if (idpConfig.getRealm().equals(parsedRealm) || parsedRealm == null || parsedRealm.isEmpty()) {
+                    IdpMetadataWriter mw = new IdpMetadataWriter();
+                    Document metadata = mw.getMetaData(idpConfig);
+                    out.write(DOM2Writer.nodeToString(metadata));
+                    return;
+                }
+
+                // Otherwise try to find the metadata for the trusted third party IdP
+                TrustedIdp trustedIdp = idpConfig.findTrustedIdp(parsedRealm);
                 if (trustedIdp == null) {
-                    LOG.error("No TrustedIdp found for desired realm: " + serviceRealm);
+                    LOG.error("No TrustedIdp found for desired realm: " + parsedRealm);
                     response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                     return;
                 }
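Review bot: Both `parsedRealm == null` tests in the new default branch are dead, because `String.substring` never returns null, and the branch dereferences `idpConfig.getRealm()` on the left of `equals`, which throws if the IdP realm is unset and would only surface through the surrounding catch. A clearer condition is `if (parsedRealm.isEmpty() || parsedRealm.equals(idpConfig.getRealm()))`, keeping the added `!parsedRealm.isEmpty()` guard on the leading-slash check. Note also that the realm is lifted from `getRequestURI()`, which is not URL-decoded, so a realm value a client percent-encodes may not match `getRealm()` and will fall through to the trusted-IdP lookup and a 400 rather than the default branch. The enclosing doGet starts and ends outside this hunk.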

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cb4a0995/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index d01ea3f..70db9ee 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -290,6 +290,39 @@ public class IdpTest {
     }
 
     @Test
+    public void testIdPMetadataDefault() throws Exception {
+        String url = "https://localhost:" + getIdpHttpsPort()
+            + "/fediz-idp/metadata";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getOptions().setSSLClientCertificate(
+            this.getClass().getClassLoader().getResource("client.jks"), "storepass", "jks");
+
+        final XmlPage rpPage = webClient.getPage(url);
+        final String xmlContent = rpPage.asXml();
+        Assert.assertTrue(xmlContent.startsWith("<md:EntityDescriptor"));
+
+        // Now validate the Signature
+        Document doc = rpPage.getXmlDocument();
+
+        doc.getDocumentElement().setIdAttributeNS(null, "ID", true);
+
+        Node signatureNode =
+            DOMUtils.getChild(doc.getDocumentElement(), "Signature");
+        Assert.assertNotNull(signatureNode);
+
+        XMLSignature signature = new XMLSignature((Element)signatureNode, "");
+        KeyInfo ki = signature.getKeyInfo();
+        Assert.assertNotNull(ki);
+        Assert.assertNotNull(ki.getX509Certificate());
+
+        Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate()));
+
+        webClient.close();
+    }
+
+    @Test
     public void testIdPServiceMetadata() throws Exception {
         String url = "https://localhost:" + getIdpHttpsPort()
             + "/fediz-idp/metadata/urn:org:apache:cxf:fediz:idp:realm-B";
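Review bot: `webClient.close()` at the end of testIdPMetadataDefault is skipped whenever one of the preceding assertions fails, so a failing run leaks the client and its connections; `WebClient` is `AutoCloseable`, so `try (final WebClient webClient = new WebClient()) {` around the body, with the explicit close removed, covers both paths. The signature check verifies against the certificate embedded in the metadata's own KeyInfo, which proves the document is self-consistent rather than signed by the IdP's expected key; if the test resources carry the IdP signing certificate, comparing `ki.getX509Certificate()` against it would pin that. The test also never asserts that the realm-less URL produced the IdP's own metadata rather than a trusted-IdP document, for example by checking the `entityID` attribute of the root element.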


[2/5] cxf-fediz git commit: Switch the SAML issuer to be the IDP URL as opposed to the realm

coheigea
Administrator
Switch the SAML issuer to be the IDP URL as opposed to the realm


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/cd97daed
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/cd97daed
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/cd97daed

Branch: refs/heads/master
Commit: cd97daed2705105fb960bfbe8adccab3d5870be4
Parents: cb4a099
Author: Colm O hEigeartaigh <[hidden email]>
Authored: Wed Aug 9 11:45:37 2017 +0100
Committer: Colm O hEigeartaigh <[hidden email]>
Committed: Wed Aug 9 12:39:14 2017 +0100

----------------------------------------------------------------------
 .../cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/cd97daed/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
index dd0d65e..d5a13a2 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
@@ -100,7 +100,7 @@ public class SamlResponseCreator {
                                            String remoteAddr, String racs) throws Exception {
         // Create an AuthenticationAssertion
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
-        callbackHandler.setIssuer(idp.getRealm());
+        callbackHandler.setIssuer(idp.getIdpUrl().toString());
         callbackHandler.setSubject(receivedToken.getSaml2().getSubject());
 
         // Test Subject against received Subject (if applicable)
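Review bot: `idp.getIdpUrl().toString()` on the changed line dereferences the IdP URL without a null check, and the same expression is repeated in the second hunk at the `createSAMLResponse` call, so the assertion Issuer and the Response Issuer can drift apart if one site is edited later. A private `issuerFor(Idp idp)` helper used by both call sites keeps them consistent, and `Objects.requireNonNull(idp.getIdpUrl(), "idpUrl")` inside it turns a missing configuration value into a clear error instead of a NullPointerException from the middle of token creation; whether the configuration loader already guarantees a non-null idpUrl cannot be told from this hunk. Deployers should also be aware that relying parties which validated the Issuer against the realm string will reject assertions after this change until reconfigured.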
@@ -154,7 +154,7 @@ public class SamlResponseCreator {
                 "urn:oasis:names:tc:SAML:2.0:status:Success", null
             );
         Response response =
-            SAML2PResponseComponentBuilder.createSAMLResponse(requestID, idp.getRealm(), status);
+            SAML2PResponseComponentBuilder.createSAMLResponse(requestID, idp.getIdpUrl().toString(), status);
 
         response.getAssertions().add(assertion);
 


[3/5] cxf-fediz git commit: Fixing tests

coheigea
Administrator
Fixing tests


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/110cac03
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/110cac03
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/110cac03

Branch: refs/heads/master
Commit: 110cac03b7b57e6a1c6d2d50cacafe5e3470a5eb
Parents: cd97dae
Author: Colm O hEigeartaigh <[hidden email]>
Authored: Wed Aug 9 12:39:19 2017 +0100
Committer: Colm O hEigeartaigh <[hidden email]>
Committed: Wed Aug 9 12:39:19 2017 +0100

----------------------------------------------------------------------
 .../idp/beans/samlsso/SamlResponseCreator.java       | 15 +++++++++++++--
 .../src/test/resources/realmb/idp-servlet.xml        |  4 ++++
 .../wsfed/src/test/resources/realmb/idp-servlet.xml  |  4 ++++
 3 files changed, 21 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/110cac03/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
index d5a13a2..6824202 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
@@ -66,6 +66,7 @@ public class SamlResponseCreator {
 
     private static final Logger LOG = LoggerFactory.getLogger(SamlResponseCreator.class);
     private boolean supportDeflateEncoding;
+    private boolean useRealmForIssuer;
 
     public String createSAMLResponse(RequestContext context, Idp idp, Element rpToken,
                                      String consumerURL, String requestId, String requestIssuer)
@@ -100,7 +101,8 @@ public class SamlResponseCreator {
                                            String remoteAddr, String racs) throws Exception {
         // Create an AuthenticationAssertion
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
-        callbackHandler.setIssuer(idp.getIdpUrl().toString());
+        String issuer = useRealmForIssuer ? idp.getRealm() : idp.getIdpUrl().toString();
+        callbackHandler.setIssuer(issuer);
         callbackHandler.setSubject(receivedToken.getSaml2().getSubject());
 
         // Test Subject against received Subject (if applicable)
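Review bot: The expression `useRealmForIssuer ? idp.getRealm() : idp.getIdpUrl().toString()` is now written twice, here and again in the third hunk before `createSAMLResponse`; extracting it as `private String issuer(Idp idp) { return useRealmForIssuer ? idp.getRealm() : idp.getIdpUrl().toString(); }` guarantees the assertion Issuer and the Response Issuer agree, which SAML consumers commonly check. The new `setUseRealmForIssuer` in the last hunk has no Javadoc; a one-liner such as `/** When true the SAML Issuer is the IdP realm rather than the IdP URL, presumably for relying parties that validate the issuer against the realm. */` would record why the switch exists.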
@@ -153,8 +155,9 @@ public class SamlResponseCreator {
             SAML2PResponseComponentBuilder.createStatus(
                 "urn:oasis:names:tc:SAML:2.0:status:Success", null
             );
+        String issuer = useRealmForIssuer ? idp.getRealm() : idp.getIdpUrl().toString();
         Response response =
-            SAML2PResponseComponentBuilder.createSAMLResponse(requestID, idp.getIdpUrl().toString(), status);
+            SAML2PResponseComponentBuilder.createSAMLResponse(requestID, issuer, status);
 
         response.getAssertions().add(assertion);
 
@@ -185,4 +188,12 @@ public class SamlResponseCreator {
     public void setSupportDeflateEncoding(boolean supportDeflateEncoding) {
         this.supportDeflateEncoding = supportDeflateEncoding;
     }
+
+    public boolean isUseRealmForIssuer() {
+        return useRealmForIssuer;
+    }
+
+    public void setUseRealmForIssuer(boolean useRealmForIssuer) {
+        this.useRealmForIssuer = useRealmForIssuer;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/110cac03/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml b/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
index c556808..479c493 100644
--- a/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
+++ b/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
@@ -36,5 +36,9 @@
         <property name="wsdlEndpoint" value="Transport_Port" />
         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
     </bean>
+    
+    <bean id="samlResponseCreator" class="org.apache.cxf.fediz.service.idp.beans.samlsso.SamlResponseCreator">
+        <property name="useRealmForIssuer" value="true"/>
+    </bean>
 
 </beans>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/110cac03/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml b/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml
index c556808..8c44885 100644
--- a/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml
+++ b/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml
@@ -37,4 +37,8 @@
         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
     </bean>
 
+    <bean id="samlResponseCreator" class="org.apache.cxf.fediz.service.idp.beans.samlsso.SamlResponseCreator">
+        <property name="useRealmForIssuer" value="true"/>
+    </bean>
+
 </beans>


[4/5] cxf-fediz git commit: FEDIZ-205 - Support creating IdP Metadata for SAML SSO

coheigea
Administrator
FEDIZ-205 - Support creating IdP Metadata for SAML SSO


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/4808a7b4
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/4808a7b4
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/4808a7b4

Branch: refs/heads/master
Commit: 4808a7b49a7948e459c57d7ba1d228ea873cdcd7
Parents: 110cac0
Author: Colm O hEigeartaigh <[hidden email]>
Authored: Wed Aug 9 12:41:34 2017 +0100
Committer: Colm O hEigeartaigh <[hidden email]>
Committed: Wed Aug 9 12:41:34 2017 +0100

----------------------------------------------------------------------
 .../cxf/fediz/service/idp/MetadataServlet.java  |  9 +-
 .../service/idp/metadata/IdpMetadataWriter.java | 89 +++++++++++++++++---
 .../cxf/fediz/systests/samlsso/IdpTest.java     | 38 +++++++++
 3 files changed, 121 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4808a7b4/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
index 1077f8b..f09bd08 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
@@ -52,7 +52,6 @@ public class MetadataServlet extends HttpServlet {
     private ApplicationContext applicationContext;
     private String realm;
 
-
     @Override
     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException,
         IOException {
@@ -62,6 +61,8 @@ public class MetadataServlet extends HttpServlet {
         ConfigService cs = (ConfigService)getApplicationContext().getBean("config");
         Idp idpConfig = cs.getIDP(realm);
         try {
+            boolean isSamlRequest = request.getQueryString() != null
+                && request.getQueryString().contains("protocol=saml");
             if (request.getServletPath() != null && request.getServletPath().startsWith("/metadata")) {
                 String parsedRealm =
                     request.getRequestURI().substring(request.getRequestURI().indexOf("/metadata")
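Review bot: `request.getQueryString().contains("protocol=saml")` on the added lines is a substring test on the raw query string, so it also matches values like `xprotocol=saml` or `protocol=saml2` and bypasses the container's parameter decoding. The servlet API already parses the query: `boolean isSamlRequest = "saml".equals(request.getParameter("protocol"));` is shorter and exact. The enclosing doGet starts and ends outside this hunk.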
@@ -73,7 +74,7 @@ public class MetadataServlet extends HttpServlet {
                 // Default to writing out the metadata for the IdP
                 if (idpConfig.getRealm().equals(parsedRealm) || parsedRealm == null || parsedRealm.isEmpty()) {
                     IdpMetadataWriter mw = new IdpMetadataWriter();
-                    Document metadata = mw.getMetaData(idpConfig);
+                    Document metadata = mw.getMetaData(idpConfig, isSamlRequest);
                     out.write(DOM2Writer.nodeToString(metadata));
                     return;
                 }
@@ -92,7 +93,7 @@ public class MetadataServlet extends HttpServlet {
                 // Otherwise return the Metadata for the Idp
                 LOG.debug(idpConfig.toString());
                 IdpMetadataWriter mw = new IdpMetadataWriter();
-                Document metadata = mw.getMetaData(idpConfig);
+                Document metadata = mw.getMetaData(idpConfig, isSamlRequest);
                 out.write(DOM2Writer.nodeToString(metadata));
             }
         } catch (Exception ex) {
@@ -118,4 +119,6 @@ public class MetadataServlet extends HttpServlet {
         return applicationContext;
     }
 
+
+
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4808a7b4/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
index 97bcfcb..44eb6cb 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
@@ -46,8 +46,11 @@ public class IdpMetadataWriter {
 
     private static final Logger LOG = LoggerFactory.getLogger(IdpMetadataWriter.class);
 
-    //CHECKSTYLE:OFF
-    public Document getMetaData(Idp config) throws RuntimeException {
+    public Document getMetaData(Idp config) {
+        return getMetaData(config, false);
+    }
+
+    public Document getMetaData(Idp config, boolean saml) {
         try {
             //Return as text/xml
             Crypto crypto = CertsUtils.getCryptoFromFile(config.getCertificate());
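Review bot: The new `getMetaData(Idp config, boolean saml)` overload has no Javadoc, and the boolean flag is the only thing telling callers what they get back. A short Javadoc stating that `saml` selects a SAML 2.0 `IDPSSODescriptor` while `false` (and the one-argument overload) produces the WS-Federation `RoleDescriptor`, and that the result is the `md:EntityDescriptor` the tests expect to be signed, would document the contract; since `throws RuntimeException` was dropped from the signature, a note that failures surface as unchecked exceptions is worth keeping if that is still the behaviour. The rest of the method is outside this hunk.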
@@ -63,12 +66,13 @@ public class IdpMetadataWriter {
             writer.writeAttribute("entityID", config.getIdpUrl().toString());
 
             writer.writeNamespace("md", SAML2_METADATA_NS);
-            writer.writeNamespace("fed", WS_FEDERATION_NS);
-            writer.writeNamespace("wsa", WS_ADDRESSING_NS);
-            writer.writeNamespace("auth", WS_FEDERATION_NS);
             writer.writeNamespace("xsi", SCHEMA_INSTANCE_NS);
 
-            writeFederationMetadata(writer, config, crypto);
+            if (saml) {
+                writeSAMLSSOMetadata(writer, config, crypto);
+            } else {
+                writeFederationMetadata(writer, config, crypto);
+            }
 
             writer.writeEndElement(); // EntityDescriptor
 
@@ -101,13 +105,17 @@ public class IdpMetadataWriter {
         XMLStreamWriter writer, Idp config, Crypto crypto
     ) throws XMLStreamException {
 
+        writer.writeNamespace("fed", WS_FEDERATION_NS);
+        writer.writeNamespace("wsa", WS_ADDRESSING_NS);
+        writer.writeNamespace("auth", WS_FEDERATION_NS);
+
         writer.writeStartElement("md", "RoleDescriptor", WS_FEDERATION_NS);
         writer.writeAttribute(SCHEMA_INSTANCE_NS, "type", "fed:SecurityTokenServiceType");
         writer.writeAttribute("protocolSupportEnumeration", WS_FEDERATION_NS);
-        if (config.getServiceDescription() != null && config.getServiceDescription().length() > 0 ) {
+        if (config.getServiceDescription() != null && config.getServiceDescription().length() > 0) {
             writer.writeAttribute("ServiceDescription", config.getServiceDescription());
         }
-        if (config.getServiceDisplayName() != null && config.getServiceDisplayName().length() > 0 ) {
+        if (config.getServiceDisplayName() != null && config.getServiceDisplayName().length() > 0) {
             writer.writeAttribute("ServiceDisplayName", config.getServiceDisplayName());
         }
 
@@ -115,11 +123,12 @@ public class IdpMetadataWriter {
         //missing organization, contactperson
 
         //KeyDescriptor
-        writer.writeStartElement("", "KeyDescriptor", SAML2_METADATA_NS);
+        writer.writeStartElement("md", "KeyDescriptor", SAML2_METADATA_NS);
         writer.writeAttribute("use", "signing");
-        writer.writeStartElement("", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
-        writer.writeStartElement("", "X509Data", "http://www.w3.org/2000/09/xmldsig#");
-        writer.writeStartElement("", "X509Certificate", "http://www.w3.org/2000/09/xmldsig#");
+        writer.writeStartElement("ds", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
+        writer.writeNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
+        writer.writeStartElement("ds", "X509Data", "http://www.w3.org/2000/09/xmldsig#");
+        writer.writeStartElement("ds", "X509Certificate", "http://www.w3.org/2000/09/xmldsig#");
 
         try {
             String keyAlias = crypto.getDefaultX509Identifier();
@@ -176,5 +185,61 @@ public class IdpMetadataWriter {
         writer.writeEndElement(); // RoleDescriptor
     }
 
+    private void writeSAMLSSOMetadata(
+        XMLStreamWriter writer, Idp config, Crypto crypto
+    ) throws XMLStreamException {
+
+        writer.writeStartElement("md", "IDPSSODescriptor", SAML2_METADATA_NS);
+        writer.writeAttribute("WantAuthnRequestsSigned", "true");
+        writer.writeAttribute("protocolSupportEnumeration", "urn:oasis:names:tc:SAML:2.0:protocol");
+
+        //KeyDescriptor
+        writer.writeStartElement("md", "KeyDescriptor", SAML2_METADATA_NS);
+        writer.writeAttribute("use", "signing");
+        writer.writeStartElement("ds", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
+        writer.writeNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
+        writer.writeStartElement("ds", "X509Data", "http://www.w3.org/2000/09/xmldsig#");
+        writer.writeStartElement("ds", "X509Certificate", "http://www.w3.org/2000/09/xmldsig#");
+
+        try {
+            String keyAlias = crypto.getDefaultX509Identifier();
+            X509Certificate cert = CertsUtils.getX509CertificateFromCrypto(crypto, keyAlias);
+            writer.writeCharacters(Base64.encode(cert.getEncoded()));
+        } catch (Exception ex) {
+            LOG.error("Failed to add certificate information to metadata. Metadata incomplete", ex);
+        }
+
+        writer.writeEndElement(); // X509Certificate
+        writer.writeEndElement(); // X509Data
+        writer.writeEndElement(); // KeyInfo
+        writer.writeEndElement(); // KeyDescriptor
+
+
+        writer.writeStartElement("md", "NameIDFormat", SAML2_METADATA_NS);
+        writer.writeCharacters("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
+        writer.writeEndElement(); // NameIDFormat
+
+        writer.writeStartElement("md", "NameIDFormat", SAML2_METADATA_NS);
+        writer.writeCharacters("urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified");
+        writer.writeEndElement(); // NameIDFormat
+
+        writer.writeStartElement("md", "NameIDFormat", SAML2_METADATA_NS);
+        writer.writeCharacters("urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress");
+        writer.writeEndElement(); // NameIDFormat
+
+        // SingleSignOnService
+        writer.writeStartElement("md", "SingleSignOnService", SAML2_METADATA_NS);
+        writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
+        writer.writeAttribute("Location", config.getIdpUrl().toString());
+        writer.writeEndElement(); // SingleSignOnService
+
+        // SingleSignOnService
+        writer.writeStartElement("md", "SingleSignOnService", SAML2_METADATA_NS);
+        writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+        writer.writeAttribute("Location", config.getIdpUrl().toString());
+        writer.writeEndElement(); // SingleSignOnService
+
+        writer.writeEndElement(); // IDPSSODescriptor
+    }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4808a7b4/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/IdpTest.java b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/IdpTest.java
index 6542eed..d0fa7b9 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/IdpTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/IdpTest.java
@@ -37,6 +37,7 @@ import javax.servlet.ServletException;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
+import org.w3c.dom.Node;
 
 import com.gargoylesoftware.htmlunit.CookieManager;
 import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
@@ -47,6 +48,7 @@ import com.gargoylesoftware.htmlunit.html.DomElement;
 import com.gargoylesoftware.htmlunit.html.DomNodeList;
 import com.gargoylesoftware.htmlunit.html.HtmlPage;
 import com.gargoylesoftware.htmlunit.util.NameValuePair;
+import com.gargoylesoftware.htmlunit.xml.XmlPage;
 
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.LifecycleState;
@@ -68,10 +70,12 @@ import org.apache.wss4j.common.crypto.CryptoType;
 import org.apache.wss4j.common.saml.OpenSAMLUtil;
 import org.apache.wss4j.common.util.DOM2Writer;
 import org.apache.wss4j.dom.engine.WSSConfig;
+import org.apache.xml.security.signature.XMLSignature;
 import org.apache.xml.security.utils.Base64;
 import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.BeforeClass;
+import org.junit.Test;
 import org.opensaml.core.xml.XMLObject;
 import org.opensaml.saml.common.SAMLVersion;
 import org.opensaml.saml.common.SignableSAMLObject;
@@ -216,6 +220,40 @@ public class IdpTest {
 
     }
     */
+
+    @Test
+    public void testIdPMetadata() throws Exception {
+        String url = "https://localhost:" + getIdpHttpsPort()
+            + "/fediz-idp/metadata?protocol=saml";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getOptions().setSSLClientCertificate(
+            this.getClass().getClassLoader().getResource("client.jks"), "storepass", "jks");
+
+        final XmlPage rpPage = webClient.getPage(url);
+        final String xmlContent = rpPage.asXml();
+        Assert.assertTrue(xmlContent.startsWith("<md:EntityDescriptor"));
+
+        // Now validate the Signature
+        Document doc = rpPage.getXmlDocument();
+
+        doc.getDocumentElement().setIdAttributeNS(null, "ID", true);
+
+        Node signatureNode =
+            DOMUtils.getChild(doc.getDocumentElement(), "Signature");
+        Assert.assertNotNull(signatureNode);
+
+        XMLSignature signature = new XMLSignature((Element)signatureNode, "");
+        org.apache.xml.security.keys.KeyInfo ki = signature.getKeyInfo();
+        Assert.assertNotNull(ki);
+        Assert.assertNotNull(ki.getX509Certificate());
+
+        Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate()));
+
+        webClient.close();
+    }
+
     @org.junit.Test
     public void testSuccessfulInvokeOnIdP() throws Exception {
         OpenSAMLUtil.initSamlEngine();
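Review bot: testIdPMetadata requests `?protocol=saml` but only asserts the `<md:EntityDescriptor` prefix and a valid signature, both of which the WS-Federation metadata also satisfies, so the test still passes if the protocol switch is ignored; `Assert.assertNotNull(DOMUtils.getChild(doc.getDocumentElement(), "IDPSSODescriptor"));` pins the SAML branch. As in the new systests/idp test, `webClient.close()` runs only when every assertion passes, so `try (final WebClient webClient = new WebClient()) {` is the safer shape. The file now imports `org.junit.Test` and the new method uses `@Test`, while the method that follows keeps `@org.junit.Test` and `KeyInfo` is still fully qualified even though the earlier hunks add sibling imports; worth aligning one way or the other.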


[5/5] cxf-fediz git commit: Fix to default to taking the RACS URL from the application configuration.

coheigea
Administrator
Fix to default to taking the RACS URL from the application configuration.


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/2db18cef
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/2db18cef
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/2db18cef

Branch: refs/heads/master
Commit: 2db18ceffdd1c6547e6a589d7ce3bd798eda5ed5
Parents: 4808a7b
Author: Colm O hEigeartaigh <[hidden email]>
Authored: Wed Aug 9 15:25:45 2017 +0100
Committer: Colm O hEigeartaigh <[hidden email]>
Committed: Wed Aug 9 15:25:45 2017 +0100

----------------------------------------------------------------------
 .../fediz/service/idp/beans/EndpointAddressValidator.java |  4 ++--
 .../service/idp/beans/samlsso/AuthnRequestParser.java     | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2db18cef/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java
index de193b8..6a19554 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java
@@ -46,7 +46,7 @@ public class EndpointAddressValidator {
         Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, "idpConfig");
         Application serviceConfig = idpConfig.findApplication(realm);
         if (serviceConfig == null) {
-            LOG.warn("No service config found for " + realm);
+            LOG.warn("No service config found for {}", realm);
             return false;
         }
 
@@ -66,7 +66,7 @@ public class EndpointAddressValidator {
 
         Application serviceConfig = idpConfig.findApplication(realm);
         if (serviceConfig == null) {
-            LOG.warn("No service config found for " + realm);
+            LOG.warn("No service config found for {}", realm);
             return false;
         }
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/2db18cef/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
index 3110eb1..92d0d7a 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
@@ -131,6 +131,16 @@ public class AuthnRequestParser {
         }
 
         LOG.debug("No AuthnRequest available to be parsed");
+
+        Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, "idpConfig");
+        String realm = retrieveRealm(context);
+        Application serviceConfig = idpConfig.findApplication(realm);
+        if (serviceConfig != null) {
+            String racs = serviceConfig.getPassiveRequestorEndpoint();
+            LOG.debug("Attempting to use the configured passive requestor endpoint instead: {}", racs);
+            return racs;
+        }
+
         return null;
     }
 
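Review bot: When `findApplication(realm)` yields null the new fallback drops to `return null` silently, unlike the matching lookup in EndpointAddressValidator in the first file, which logs the missing application; a `LOG.debug("No application configuration found for realm {}, no RACS available", realm);` before the final return makes the failed lookup diagnosable. `idpConfig` is read from flow scope without a null check; if the flow guarantees it is set, a comment saying so avoids the question. Taking the RACS from configuration rather than from the request is the right default, since it keeps the response destination under the IdP administrator's control. The enclosing method starts outside this hunk.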
