[1/5] cxf-fediz git commit: Return the IdP metadata if no realm is specified.


[1/5] cxf-fediz git commit: Return the IdP metadata if no realm is specified.

coheigea
Administrator
Repository: cxf-fediz
Updated Branches:
  refs/heads/1.4.x-fixes 8ea7f5e73 -> f71e62006


Return the IdP metadata if no realm is specified.


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f50c1f69
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f50c1f69
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f50c1f69

Branch: refs/heads/1.4.x-fixes
Commit: f50c1f69304e3d79749caf2cc8a27565da791b58
Parents: 8ea7f5e
Author: Colm O hEigeartaigh <[hidden email]>
Authored: Wed Aug 9 10:26:38 2017 +0100
Committer: Colm O hEigeartaigh <[hidden email]>
Committed: Wed Aug 9 15:28:38 2017 +0100

----------------------------------------------------------------------
 .../cxf/fediz/service/idp/MetadataServlet.java  | 20 +++++++++---
 .../apache/cxf/fediz/systests/idp/IdpTest.java  | 33 ++++++++++++++++++++
 2 files changed, 48 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f50c1f69/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
index dca1b46..1077f8b 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
@@ -63,15 +63,25 @@ public class MetadataServlet extends HttpServlet {
         Idp idpConfig = cs.getIDP(realm);
         try {
             if (request.getServletPath() != null && request.getServletPath().startsWith("/metadata")) {
-                String serviceRealm =
+                String parsedRealm =
                     request.getRequestURI().substring(request.getRequestURI().indexOf("/metadata")
                                                       + "/metadata".length());
-                if (serviceRealm != null && serviceRealm.charAt(0) == '/') {
-                    serviceRealm = serviceRealm.substring(1);
+                if (parsedRealm != null && !parsedRealm.isEmpty() && parsedRealm.charAt(0) == '/') {
+                    parsedRealm = parsedRealm.substring(1);
                 }
-                TrustedIdp trustedIdp = idpConfig.findTrustedIdp(serviceRealm);
+
+                // Default to writing out the metadata for the IdP
+                if (idpConfig.getRealm().equals(parsedRealm) || parsedRealm == null || parsedRealm.isEmpty()) {
+                    IdpMetadataWriter mw = new IdpMetadataWriter();
+                    Document metadata = mw.getMetaData(idpConfig);
+                    out.write(DOM2Writer.nodeToString(metadata));
+                    return;
+                }
+
+                // Otherwise try to find the metadata for the trusted third party IdP
+                TrustedIdp trustedIdp = idpConfig.findTrustedIdp(parsedRealm);
                 if (trustedIdp == null) {
-                    LOG.error("No TrustedIdp found for desired realm: " + serviceRealm);
+                    LOG.error("No TrustedIdp found for desired realm: " + parsedRealm);
                     response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                     return;
                 }
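Review bot: The new default branch evaluates `idpConfig.getRealm().equals(parsedRealm)` before the null/empty tests on `parsedRealm`, so an IdP configured without a realm would throw a NullPointerException here instead of serving its own metadata; putting the cheap checks first and flipping the comparison avoids that: `if (parsedRealm == null || parsedRealm.isEmpty() || parsedRealm.equals(idpConfig.getRealm())) {`. `parsedRealm` comes from `substring`, so it can never be null and the `!= null` tests on both new lines are dead. The realm segment is taken straight from the request URI and is concatenated into `LOG.error`; a `{}` placeholder, `LOG.error("No TrustedIdp found for desired realm: {}", parsedRealm);`, is the logger's own way of handling caller-supplied values. doGet begins before this hunk and continues past it.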

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f50c1f69/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 47434f4..a133c9b 100644
--- a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -298,6 +298,39 @@ public class IdpTest {
     }
 
     @Test
+    public void testIdPMetadataDefault() throws Exception {
+        String url = "https://localhost:" + getIdpHttpsPort()
+            + "/fediz-idp/metadata";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getOptions().setSSLClientCertificate(
+            this.getClass().getClassLoader().getResource("client.jks"), "storepass", "jks");
+
+        final XmlPage rpPage = webClient.getPage(url);
+        final String xmlContent = rpPage.asXml();
+        Assert.assertTrue(xmlContent.startsWith("<md:EntityDescriptor"));
+
+        // Now validate the Signature
+        Document doc = rpPage.getXmlDocument();
+
+        doc.getDocumentElement().setIdAttributeNS(null, "ID", true);
+
+        Node signatureNode =
+            DOMUtils.getChild(doc.getDocumentElement(), "Signature");
+        Assert.assertNotNull(signatureNode);
+
+        XMLSignature signature = new XMLSignature((Element)signatureNode, "");
+        KeyInfo ki = signature.getKeyInfo();
+        Assert.assertNotNull(ki);
+        Assert.assertNotNull(ki.getX509Certificate());
+
+        Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate()));
+
+        webClient.close();
+    }
+
+    @Test
     public void testIdPServiceMetadata() throws Exception {
         String url = "https://localhost:" + getIdpHttpsPort()
             + "/fediz-idp/metadata/urn:org:apache:cxf:fediz:idp:realm-B";
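Review bot: `webClient.close()` at the end of testIdPMetadataDefault is only reached when every assertion passes, so a failing test leaks the client and its SSL configuration into the tests that follow; if `WebClient` is `AutoCloseable` in the HtmlUnit version used here (it is in the releases I know — confirm), `try (final WebClient webClient = new WebClient()) { … }` around the body removes the explicit `close()`. The same shape appears in testIdPMetadata added to the systests/samlsso IdpTest by the FEDIZ-205 commit in this series. The test checks that the document starts with `<md:EntityDescriptor` and that the signature verifies, but not that the default path actually returned the IdP's own descriptor; an `Assert.assertEquals` on the `entityID` attribute against the IdP URL would pin the behaviour this commit introduces. The IdpTest class continues outside the hunk.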


[2/5] cxf-fediz git commit: Switch the SAML issuer to be the IDP URL as opposed to the realm

coheigea
Administrator
Switch the SAML issuer to be the IDP URL as opposed to the realm


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f11cd174
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f11cd174
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f11cd174

Branch: refs/heads/1.4.x-fixes
Commit: f11cd17474d21761cefa52f95f9cc2f3700b0bf2
Parents: f50c1f6
Author: Colm O hEigeartaigh <[hidden email]>
Authored: Wed Aug 9 11:45:37 2017 +0100
Committer: Colm O hEigeartaigh <[hidden email]>
Committed: Wed Aug 9 15:28:46 2017 +0100

----------------------------------------------------------------------
 .../cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f11cd174/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
index dd0d65e..d5a13a2 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
@@ -100,7 +100,7 @@ public class SamlResponseCreator {
                                            String remoteAddr, String racs) throws Exception {
         // Create an AuthenticationAssertion
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
-        callbackHandler.setIssuer(idp.getRealm());
+        callbackHandler.setIssuer(idp.getIdpUrl().toString());
         callbackHandler.setSubject(receivedToken.getSaml2().getSubject());
 
         // Test Subject against received Subject (if applicable)
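Review bot: Both hunks in this commit (here and at the `createSAMLResponse` call below) switch the SAML `Issuer` from the realm to `idp.getIdpUrl().toString()`; service providers validate the Response and Assertion Issuer against the IdP entityID they have on file, so every SP that was configured with the realm string stops accepting responses after this change, which deserves a line in the commit message and a configuration switch for existing deployments. `idp.getIdpUrl()` is dereferenced without a null check in both places; if the IdP URL is optional in the configuration (not visible from the hunk) this becomes a NullPointerException where the old code could not fail. The expression is also duplicated verbatim, so a small private helper, `private String getIssuer(Idp idp) { return idp.getIdpUrl().toString(); }`, would keep the Assertion and Response Issuers from drifting apart. Both enclosing methods begin outside their hunks.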
@@ -154,7 +154,7 @@ public class SamlResponseCreator {
                 "urn:oasis:names:tc:SAML:2.0:status:Success", null
             );
         Response response =
-            SAML2PResponseComponentBuilder.createSAMLResponse(requestID, idp.getRealm(), status);
+            SAML2PResponseComponentBuilder.createSAMLResponse(requestID, idp.getIdpUrl().toString(), status);
 
         response.getAssertions().add(assertion);
 


[3/5] cxf-fediz git commit: Fixing tests

coheigea
Administrator
Fixing tests


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/ee592a79
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/ee592a79
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/ee592a79

Branch: refs/heads/1.4.x-fixes
Commit: ee592a79e0d701ba336e5918457d2ae492e86550
Parents: f11cd17
Author: Colm O hEigeartaigh <[hidden email]>
Authored: Wed Aug 9 12:39:19 2017 +0100
Committer: Colm O hEigeartaigh <[hidden email]>
Committed: Wed Aug 9 15:28:54 2017 +0100

----------------------------------------------------------------------
 .../idp/beans/samlsso/SamlResponseCreator.java       | 15 +++++++++++++--
 .../src/test/resources/realmb/idp-servlet.xml        |  4 ++++
 .../wsfed/src/test/resources/realmb/idp-servlet.xml  |  4 ++++
 3 files changed, 21 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ee592a79/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
index d5a13a2..6824202 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/SamlResponseCreator.java
@@ -66,6 +66,7 @@ public class SamlResponseCreator {
 
     private static final Logger LOG = LoggerFactory.getLogger(SamlResponseCreator.class);
     private boolean supportDeflateEncoding;
+    private boolean useRealmForIssuer;
 
     public String createSAMLResponse(RequestContext context, Idp idp, Element rpToken,
                                      String consumerURL, String requestId, String requestIssuer)
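Review bot: The new `useRealmForIssuer` field carries no comment saying why it exists, so a reader of the setter added at the bottom of this file will not know that it restores the previous behaviour of using the realm string as the SAML Issuer for relying parties that were configured against it. A one-line comment on the field, `// Use the realm as the SAML Issuer instead of the IdP URL, for RPs still configured against the realm string`, plus a matching Javadoc `@param` on `setUseRealmForIssuer`, would cover that. Since the default is false, every deployment that does not set the property now sends the IdP URL as Issuer; the default is worth stating explicitly in that documentation.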
@@ -100,7 +101,8 @@ public class SamlResponseCreator {
                                            String remoteAddr, String racs) throws Exception {
         // Create an AuthenticationAssertion
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
-        callbackHandler.setIssuer(idp.getIdpUrl().toString());
+        String issuer = useRealmForIssuer ? idp.getRealm() : idp.getIdpUrl().toString();
+        callbackHandler.setIssuer(issuer);
         callbackHandler.setSubject(receivedToken.getSaml2().getSubject());
 
         // Test Subject against received Subject (if applicable)
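Review bot: The issuer selection `useRealmForIssuer ? idp.getRealm() : idp.getIdpUrl().toString()` is written out twice, here and again in the hunk that builds the `Response`; if one is later edited without the other, the Assertion and the Response would carry different Issuers, which SPs reject. Factor it into one private method, `private String getIssuer(Idp idp) { return useRealmForIssuer ? idp.getRealm() : idp.getIdpUrl().toString(); }`, and call it from both places. Both enclosing methods begin outside their hunks.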
@@ -153,8 +155,9 @@ public class SamlResponseCreator {
             SAML2PResponseComponentBuilder.createStatus(
                 "urn:oasis:names:tc:SAML:2.0:status:Success", null
             );
+        String issuer = useRealmForIssuer ? idp.getRealm() : idp.getIdpUrl().toString();
         Response response =
-            SAML2PResponseComponentBuilder.createSAMLResponse(requestID, idp.getIdpUrl().toString(), status);
+            SAML2PResponseComponentBuilder.createSAMLResponse(requestID, issuer, status);
 
         response.getAssertions().add(assertion);
 
@@ -185,4 +188,12 @@ public class SamlResponseCreator {
     public void setSupportDeflateEncoding(boolean supportDeflateEncoding) {
         this.supportDeflateEncoding = supportDeflateEncoding;
     }
+
+    public boolean isUseRealmForIssuer() {
+        return useRealmForIssuer;
+    }
+
+    public void setUseRealmForIssuer(boolean useRealmForIssuer) {
+        this.useRealmForIssuer = useRealmForIssuer;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ee592a79/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml b/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
index c556808..479c493 100644
--- a/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
+++ b/systests/federation/samlsso/src/test/resources/realmb/idp-servlet.xml
@@ -36,5 +36,9 @@
         <property name="wsdlEndpoint" value="Transport_Port" />
         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
     </bean>
+    
+    <bean id="samlResponseCreator" class="org.apache.cxf.fediz.service.idp.beans.samlsso.SamlResponseCreator">
+        <property name="useRealmForIssuer" value="true"/>
+    </bean>
 
 </beans>
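Review bot: The line added immediately after the closing `</bean>` is whitespace-only (four trailing spaces) and will trip a trailing-whitespace check; a plain empty line matches the rest of the file and the equivalent wsfed hunk. The bean id `samlResponseCreator` presumably overrides a bean of the same id in the main IdP context; if so, a short XML comment, `<!-- realm B keeps the realm as SAML Issuer; see SamlResponseCreator.useRealmForIssuer -->`, would tell the next reader why only the realm-B configuration sets it.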

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ee592a79/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml
----------------------------------------------------------------------
diff --git a/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml b/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml
index c556808..8c44885 100644
--- a/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml
+++ b/systests/federation/wsfed/src/test/resources/realmb/idp-servlet.xml
@@ -37,4 +37,8 @@
         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
     </bean>
 
+    <bean id="samlResponseCreator" class="org.apache.cxf.fediz.service.idp.beans.samlsso.SamlResponseCreator">
+        <property name="useRealmForIssuer" value="true"/>
+    </bean>
+
 </beans>


[4/5] cxf-fediz git commit: FEDIZ-205 - Support creating IdP Metadata for SAML SSO

coheigea
Administrator
FEDIZ-205 - Support creating IdP Metadata for SAML SSO


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/ea3124e2
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/ea3124e2
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/ea3124e2

Branch: refs/heads/1.4.x-fixes
Commit: ea3124e252f649631507bfbfe187b41428e5fc99
Parents: ee592a7
Author: Colm O hEigeartaigh <[hidden email]>
Authored: Wed Aug 9 12:41:34 2017 +0100
Committer: Colm O hEigeartaigh <[hidden email]>
Committed: Wed Aug 9 15:29:02 2017 +0100

----------------------------------------------------------------------
 .../cxf/fediz/service/idp/MetadataServlet.java  |  9 +-
 .../service/idp/metadata/IdpMetadataWriter.java | 89 +++++++++++++++++---
 .../apache/cxf/fediz/systests/idp/IdpTest.java  | 38 +++++++++
 3 files changed, 121 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ea3124e2/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
index 1077f8b..f09bd08 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/MetadataServlet.java
@@ -52,7 +52,6 @@ public class MetadataServlet extends HttpServlet {
     private ApplicationContext applicationContext;
     private String realm;
 
-
     @Override
     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException,
         IOException {
@@ -62,6 +61,8 @@ public class MetadataServlet extends HttpServlet {
         ConfigService cs = (ConfigService)getApplicationContext().getBean("config");
         Idp idpConfig = cs.getIDP(realm);
         try {
+            boolean isSamlRequest = request.getQueryString() != null
+                && request.getQueryString().contains("protocol=saml");
             if (request.getServletPath() != null && request.getServletPath().startsWith("/metadata")) {
                 String parsedRealm =
                     request.getRequestURI().substring(request.getRequestURI().indexOf("/metadata")
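Review bot: `request.getQueryString().contains("protocol=saml")` is a substring match on the raw query string, so `?protocol=samlx`, `?myprotocol=saml`, or the text appearing inside another parameter's value all select the SAML branch, while a percent-encoded form of the same parameter does not. The servlet API already parses the query for you: `boolean isSamlRequest = "saml".equals(request.getParameter("protocol"));` is exact, handles decoding, and reads more clearly. doGet begins before this hunk and continues past it.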
@@ -73,7 +74,7 @@ public class MetadataServlet extends HttpServlet {
                 // Default to writing out the metadata for the IdP
                 if (idpConfig.getRealm().equals(parsedRealm) || parsedRealm == null || parsedRealm.isEmpty()) {
                     IdpMetadataWriter mw = new IdpMetadataWriter();
-                    Document metadata = mw.getMetaData(idpConfig);
+                    Document metadata = mw.getMetaData(idpConfig, isSamlRequest);
                     out.write(DOM2Writer.nodeToString(metadata));
                     return;
                 }
@@ -92,7 +93,7 @@ public class MetadataServlet extends HttpServlet {
                 // Otherwise return the Metadata for the Idp
                 LOG.debug(idpConfig.toString());
                 IdpMetadataWriter mw = new IdpMetadataWriter();
-                Document metadata = mw.getMetaData(idpConfig);
+                Document metadata = mw.getMetaData(idpConfig, isSamlRequest);
                 out.write(DOM2Writer.nodeToString(metadata));
             }
         } catch (Exception ex) {
@@ -118,4 +119,6 @@ public class MetadataServlet extends HttpServlet {
         return applicationContext;
     }
 
+
+
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ea3124e2/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
index 97bcfcb..44eb6cb 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/metadata/IdpMetadataWriter.java
@@ -46,8 +46,11 @@ public class IdpMetadataWriter {
 
     private static final Logger LOG = LoggerFactory.getLogger(IdpMetadataWriter.class);
 
-    //CHECKSTYLE:OFF
-    public Document getMetaData(Idp config) throws RuntimeException {
+    public Document getMetaData(Idp config) {
+        return getMetaData(config, false);
+    }
+
+    public Document getMetaData(Idp config, boolean saml) {
         try {
             //Return as text/xml
             Crypto crypto = CertsUtils.getCryptoFromFile(config.getCertificate());
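Review bot: The `//CHECKSTYLE:OFF` marker is removed here but the hunk shows no matching `//CHECKSTYLE:ON` being removed; if one remains later in the file it is now unpaired, which Checkstyle may either warn about or silently accept — worth confirming before merging. The new `getMetaData(Idp config, boolean saml)` has no Javadoc, and a bare boolean flag is opaque at call sites (the servlet's `mw.getMetaData(idpConfig, isSamlRequest)` reads only because of the local's name); at minimum document it: `/** Writes the signed IdP metadata document; when {@code saml} is true an IDPSSODescriptor is emitted instead of the WS-Federation RoleDescriptor. */`. Dropping the declaratory `throws RuntimeException` from the one-argument overload is fine. The method body continues past the hunk.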
@@ -63,12 +66,13 @@ public class IdpMetadataWriter {
             writer.writeAttribute("entityID", config.getIdpUrl().toString());
 
             writer.writeNamespace("md", SAML2_METADATA_NS);
-            writer.writeNamespace("fed", WS_FEDERATION_NS);
-            writer.writeNamespace("wsa", WS_ADDRESSING_NS);
-            writer.writeNamespace("auth", WS_FEDERATION_NS);
             writer.writeNamespace("xsi", SCHEMA_INSTANCE_NS);
 
-            writeFederationMetadata(writer, config, crypto);
+            if (saml) {
+                writeSAMLSSOMetadata(writer, config, crypto);
+            } else {
+                writeFederationMetadata(writer, config, crypto);
+            }
 
             writer.writeEndElement(); // EntityDescriptor
 
@@ -101,13 +105,17 @@ public class IdpMetadataWriter {
         XMLStreamWriter writer, Idp config, Crypto crypto
     ) throws XMLStreamException {
 
+        writer.writeNamespace("fed", WS_FEDERATION_NS);
+        writer.writeNamespace("wsa", WS_ADDRESSING_NS);
+        writer.writeNamespace("auth", WS_FEDERATION_NS);
+
         writer.writeStartElement("md", "RoleDescriptor", WS_FEDERATION_NS);
         writer.writeAttribute(SCHEMA_INSTANCE_NS, "type", "fed:SecurityTokenServiceType");
         writer.writeAttribute("protocolSupportEnumeration", WS_FEDERATION_NS);
-        if (config.getServiceDescription() != null && config.getServiceDescription().length() > 0 ) {
+        if (config.getServiceDescription() != null && config.getServiceDescription().length() > 0) {
             writer.writeAttribute("ServiceDescription", config.getServiceDescription());
         }
-        if (config.getServiceDisplayName() != null && config.getServiceDisplayName().length() > 0 ) {
+        if (config.getServiceDisplayName() != null && config.getServiceDisplayName().length() > 0) {
             writer.writeAttribute("ServiceDisplayName", config.getServiceDisplayName());
         }
 
@@ -115,11 +123,12 @@ public class IdpMetadataWriter {
         //missing organization, contactperson
 
         //KeyDescriptor
-        writer.writeStartElement("", "KeyDescriptor", SAML2_METADATA_NS);
+        writer.writeStartElement("md", "KeyDescriptor", SAML2_METADATA_NS);
         writer.writeAttribute("use", "signing");
-        writer.writeStartElement("", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
-        writer.writeStartElement("", "X509Data", "http://www.w3.org/2000/09/xmldsig#");
-        writer.writeStartElement("", "X509Certificate", "http://www.w3.org/2000/09/xmldsig#");
+        writer.writeStartElement("ds", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
+        writer.writeNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
+        writer.writeStartElement("ds", "X509Data", "http://www.w3.org/2000/09/xmldsig#");
+        writer.writeStartElement("ds", "X509Certificate", "http://www.w3.org/2000/09/xmldsig#");
 
         try {
             String keyAlias = crypto.getDefaultX509Identifier();
@@ -176,5 +185,61 @@ public class IdpMetadataWriter {
         writer.writeEndElement(); // RoleDescriptor
     }
 
+    private void writeSAMLSSOMetadata(
+        XMLStreamWriter writer, Idp config, Crypto crypto
+    ) throws XMLStreamException {
+
+        writer.writeStartElement("md", "IDPSSODescriptor", SAML2_METADATA_NS);
+        writer.writeAttribute("WantAuthnRequestsSigned", "true");
+        writer.writeAttribute("protocolSupportEnumeration", "urn:oasis:names:tc:SAML:2.0:protocol");
+
+        //KeyDescriptor
+        writer.writeStartElement("md", "KeyDescriptor", SAML2_METADATA_NS);
+        writer.writeAttribute("use", "signing");
+        writer.writeStartElement("ds", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
+        writer.writeNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
+        writer.writeStartElement("ds", "X509Data", "http://www.w3.org/2000/09/xmldsig#");
+        writer.writeStartElement("ds", "X509Certificate", "http://www.w3.org/2000/09/xmldsig#");
+
+        try {
+            String keyAlias = crypto.getDefaultX509Identifier();
+            X509Certificate cert = CertsUtils.getX509CertificateFromCrypto(crypto, keyAlias);
+            writer.writeCharacters(Base64.encode(cert.getEncoded()));
+        } catch (Exception ex) {
+            LOG.error("Failed to add certificate information to metadata. Metadata incomplete", ex);
+        }
+
+        writer.writeEndElement(); // X509Certificate
+        writer.writeEndElement(); // X509Data
+        writer.writeEndElement(); // KeyInfo
+        writer.writeEndElement(); // KeyDescriptor
+
+
+        writer.writeStartElement("md", "NameIDFormat", SAML2_METADATA_NS);
+        writer.writeCharacters("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
+        writer.writeEndElement(); // NameIDFormat
+
+        writer.writeStartElement("md", "NameIDFormat", SAML2_METADATA_NS);
+        writer.writeCharacters("urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified");
+        writer.writeEndElement(); // NameIDFormat
+
+        writer.writeStartElement("md", "NameIDFormat", SAML2_METADATA_NS);
+        writer.writeCharacters("urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress");
+        writer.writeEndElement(); // NameIDFormat
+
+        // SingleSignOnService
+        writer.writeStartElement("md", "SingleSignOnService", SAML2_METADATA_NS);
+        writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
+        writer.writeAttribute("Location", config.getIdpUrl().toString());
+        writer.writeEndElement(); // SingleSignOnService
+
+        // SingleSignOnService
+        writer.writeStartElement("md", "SingleSignOnService", SAML2_METADATA_NS);
+        writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+        writer.writeAttribute("Location", config.getIdpUrl().toString());
+        writer.writeEndElement(); // SingleSignOnService
+
+        writer.writeEndElement(); // IDPSSODescriptor
+    }
 
 }
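Review bot: The whole KeyDescriptor/KeyInfo/X509Data/X509Certificate block in the new writeSAMLSSOMetadata is a verbatim copy of the one in writeFederationMetadata, including the try/catch; a shared private helper keeps the two descriptors advertising the same signing key and gives one place to change the error handling. On that error handling: when the certificate cannot be read, an empty `ds:X509Certificate` element is still written and the document is still signed and served, so a relying party that imports this metadata ends up with no key to verify the IdP's signatures; returning an error response instead of "Metadata incomplete" would be the safer behaviour, and the same pre-existing pattern in the federation branch could follow. `WantAuthnRequestsSigned="true"` is hard-coded; if the IdP does not actually enforce signed AuthnRequests, the metadata overstates it — I cannot tell from this hunk. The double blank line before the first `NameIDFormat` is a small style nit.
```java
    private void writeSAMLSSOMetadata(
        XMLStreamWriter writer, Idp config, Crypto crypto
    ) throws XMLStreamException {

        writer.writeStartElement("md", "IDPSSODescriptor", SAML2_METADATA_NS);
        writer.writeAttribute("WantAuthnRequestsSigned", "true");
        writer.writeAttribute("protocolSupportEnumeration", "urn:oasis:names:tc:SAML:2.0:protocol");

        writeSigningKeyDescriptor(writer, crypto);

        // … unchanged: NameIDFormat and SingleSignOnService elements …

        writer.writeEndElement(); // IDPSSODescriptor
    }

    /**
     * Writes the md:KeyDescriptor[@use='signing'] holding the IdP's default certificate.
     * Shared by the WS-Federation and SAML SSO branches so both advertise the same key.
     */
    private void writeSigningKeyDescriptor(XMLStreamWriter writer, Crypto crypto) throws XMLStreamException {
        writer.writeStartElement("md", "KeyDescriptor", SAML2_METADATA_NS);
        writer.writeAttribute("use", "signing");
        writer.writeStartElement("ds", "KeyInfo", "http://www.w3.org/2000/09/xmldsig#");
        writer.writeNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
        writer.writeStartElement("ds", "X509Data", "http://www.w3.org/2000/09/xmldsig#");
        writer.writeStartElement("ds", "X509Certificate", "http://www.w3.org/2000/09/xmldsig#");

        try {
            String keyAlias = crypto.getDefaultX509Identifier();
            X509Certificate cert = CertsUtils.getX509CertificateFromCrypto(crypto, keyAlias);
            writer.writeCharacters(Base64.encode(cert.getEncoded()));
        } catch (Exception ex) {
            // TODO(review): an empty X509Certificate leaves RPs with no key to verify against;
            // consider failing the request rather than serving incomplete metadata.
            LOG.error("Failed to add certificate information to metadata. Metadata incomplete", ex);
        }

        writer.writeEndElement(); // X509Certificate
        writer.writeEndElement(); // X509Data
        writer.writeEndElement(); // KeyInfo
        writer.writeEndElement(); // KeyDescriptor
    }
```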

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/ea3124e2/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index 9e0a4f9..5358318 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -37,6 +37,7 @@ import javax.servlet.ServletException;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
+import org.w3c.dom.Node;
 
 import com.gargoylesoftware.htmlunit.CookieManager;
 import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
@@ -47,6 +48,7 @@ import com.gargoylesoftware.htmlunit.html.DomElement;
 import com.gargoylesoftware.htmlunit.html.DomNodeList;
 import com.gargoylesoftware.htmlunit.html.HtmlPage;
 import com.gargoylesoftware.htmlunit.util.NameValuePair;
+import com.gargoylesoftware.htmlunit.xml.XmlPage;
 
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.LifecycleState;
@@ -68,10 +70,12 @@ import org.apache.wss4j.common.crypto.CryptoType;
 import org.apache.wss4j.common.saml.OpenSAMLUtil;
 import org.apache.wss4j.common.util.DOM2Writer;
 import org.apache.wss4j.dom.engine.WSSConfig;
+import org.apache.xml.security.signature.XMLSignature;
 import org.apache.xml.security.utils.Base64;
 import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.BeforeClass;
+import org.junit.Test;
 import org.opensaml.core.xml.XMLObject;
 import org.opensaml.saml.common.SAMLVersion;
 import org.opensaml.saml.common.SignableSAMLObject;
@@ -225,6 +229,40 @@ public class IdpTest {
 
     }
     */
+
+    @Test
+    public void testIdPMetadata() throws Exception {
+        String url = "https://localhost:" + getIdpHttpsPort()
+            + "/fediz-idp/metadata?protocol=saml";
+
+        final WebClient webClient = new WebClient();
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getOptions().setSSLClientCertificate(
+            this.getClass().getClassLoader().getResource("client.jks"), "storepass", "jks");
+
+        final XmlPage rpPage = webClient.getPage(url);
+        final String xmlContent = rpPage.asXml();
+        Assert.assertTrue(xmlContent.startsWith("<md:EntityDescriptor"));
+
+        // Now validate the Signature
+        Document doc = rpPage.getXmlDocument();
+
+        doc.getDocumentElement().setIdAttributeNS(null, "ID", true);
+
+        Node signatureNode =
+            DOMUtils.getChild(doc.getDocumentElement(), "Signature");
+        Assert.assertNotNull(signatureNode);
+
+        XMLSignature signature = new XMLSignature((Element)signatureNode, "");
+        org.apache.xml.security.keys.KeyInfo ki = signature.getKeyInfo();
+        Assert.assertNotNull(ki);
+        Assert.assertNotNull(ki.getX509Certificate());
+
+        Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate()));
+
+        webClient.close();
+    }
+
     @org.junit.Test
     public void testSuccessfulInvokeOnIdP() throws Exception {
         OpenSAMLUtil.initSamlEngine();
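Review bot: `org.apache.xml.security.keys.KeyInfo` is written fully qualified on one line while this commit adds imports for the sibling `XMLSignature`, `XmlPage` and `Node` types; import it alongside them, `import org.apache.xml.security.keys.KeyInfo;`, and use `KeyInfo ki = signature.getKeyInfo();` as the wsfed IdpTest does. The new method uses `@Test` through the newly added `org.junit.Test` import while the existing `testSuccessfulInvokeOnIdP` in the context lines still uses `@org.junit.Test`, a harmless but visible inconsistency. The IdpTest class continues outside the hunk.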


[5/5] cxf-fediz git commit: Fix to default to taking the RACS URL from the application configuration.

coheigea
Administrator
Fix to default to taking the RACS URL from the application configuration.


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/f71e6200
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/f71e6200
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/f71e6200

Branch: refs/heads/1.4.x-fixes
Commit: f71e62006bda7f83f113a52e90a16e613d0837ba
Parents: ea3124e
Author: Colm O hEigeartaigh <[hidden email]>
Authored: Wed Aug 9 15:25:45 2017 +0100
Committer: Colm O hEigeartaigh <[hidden email]>
Committed: Wed Aug 9 15:29:10 2017 +0100

----------------------------------------------------------------------
 .../fediz/service/idp/beans/EndpointAddressValidator.java |  4 ++--
 .../service/idp/beans/samlsso/AuthnRequestParser.java     | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f71e6200/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java
index de193b8..6a19554 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/EndpointAddressValidator.java
@@ -46,7 +46,7 @@ public class EndpointAddressValidator {
         Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, "idpConfig");
         Application serviceConfig = idpConfig.findApplication(realm);
         if (serviceConfig == null) {
-            LOG.warn("No service config found for " + realm);
+            LOG.warn("No service config found for {}", realm);
             return false;
         }
 
@@ -66,7 +66,7 @@ public class EndpointAddressValidator {
 
         Application serviceConfig = idpConfig.findApplication(realm);
         if (serviceConfig == null) {
-            LOG.warn("No service config found for " + realm);
+            LOG.warn("No service config found for {}", realm);
             return false;
         }
 

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/f71e6200/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
----------------------------------------------------------------------
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
index 3110eb1..92d0d7a 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/beans/samlsso/AuthnRequestParser.java
@@ -131,6 +131,16 @@ public class AuthnRequestParser {
         }
 
         LOG.debug("No AuthnRequest available to be parsed");
+
+        Idp idpConfig = (Idp) WebUtils.getAttributeFromFlowScope(context, "idpConfig");
+        String realm = retrieveRealm(context);
+        Application serviceConfig = idpConfig.findApplication(realm);
+        if (serviceConfig != null) {
+            String racs = serviceConfig.getPassiveRequestorEndpoint();
+            LOG.debug("Attempting to use the configured passive requestor endpoint instead: {}", racs);
+            return racs;
+        }
+
         return null;
     }
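Review bot: `idpConfig` is cast out of flow scope and dereferenced at `idpConfig.findApplication(realm)` with no null check, and `retrieveRealm(context)` (defined outside the hunk) may also return null in the same no-AuthnRequest situation; either turns this new fallback into a NullPointerException where the method previously returned null cleanly. A guard such as `if (idpConfig != null && realm != null) {` around the lookup keeps the old null return for that case. Taking the RACS from the validated application configuration rather than from anything in the request is the right default — the redirect target then cannot be influenced by the caller — so the behaviour itself looks sound. The enclosing method begins outside the hunk.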
 
