package fr.paris.lutece.plugins.mylutece.modules.saml.authentication.checkers;

import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.config.ConfigProperties;
import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.config.Constants;
import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.engine.BootStrap;
import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.engine.SAMLResponseManager;
import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.exceptions.SAMLCheckerException;
import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.exceptions.SAMLParsingException;
import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.exceptions.SAMLReponseCheckerException;
import fr.paris.lutece.portal.service.util.AppLogService;

import org.joda.time.DateTime;

import java.util.Objects;
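/**
 * Checks a SAML assertion against the IdP and SP metadata loaded by {@link BootStrap}:
 * Issuer, Recipient of the SubjectConfirmation, validity window (with the configured clock
 * skew) and AudienceRestrictions. Every failed check is logged and reported as a
 * {@link SAMLReponseCheckerException}; a structurally incomplete assertion (missing Issuer,
 * Subject, SubjectConfirmation, Conditions, validity bounds or AudienceRestriction) is
 * rejected the same way instead of surfacing as a {@code NullPointerException} or an
 * {@code IndexOutOfBoundsException}.
 */
public class SAMLAssertionChecker implements SAMLChecker
{
    /** The clock-skew property is expressed in seconds; comparisons below use milliseconds. */
    private static final long MILLIS_PER_SECOND = 1000L;

    /**
     * Runs all assertion checks in order: issuer, subject, conditions.
     *
     * @param responseManager the parsed SAML response holding the assertion; must not be {@code null}
     * @throws SAMLCheckerException if the assertion is absent or any check fails
     * @throws SAMLParsingException declared for the checker contract; nothing in this class
     *         raises it (presumably other {@code SAMLChecker} implementations do)
     */
    public void check( SAMLResponseManager responseManager )
        throws SAMLCheckerException, SAMLParsingException
    {
        Objects.requireNonNull( responseManager, "responseManager" );

        if ( responseManager.getAssertion( ) == null )
        {
            throw rejection( "L'Assertion est absente de la réponse SAML" );
        }

        checkIssuer( responseManager );
        checkSubject( responseManager );
        checkConditions( responseManager );
    }

    /**
     * Rejects the assertion unless its Issuer value equals the entityID of the IdP metadata.
     * A missing Issuer element or value counts as a mismatch.
     */
    private void checkIssuer( SAMLResponseManager responseManager )
        throws SAMLReponseCheckerException
    {
        String issuer = null;

        if ( responseManager.getAssertion( ).getIssuer( ) != null )
        {
            issuer = responseManager.getAssertion( ).getIssuer( ).getValue( );
        }

        String entityID = BootStrap.getInstance( ).getIdpMetaDataManager( ).getMetaData( ).getEntityID( );

        // Comparing from the metadata side keeps a null issuer from throwing and still rejects it.
        if ( entityID == null || !entityID.equals( issuer ) )
        {
            throw rejection( "L'Issuer de l'Assertion [" + issuer + "] n'est conforme aux métadonnées [" +
                entityID + "]" );
        }
    }

    /**
     * Rejects the assertion unless the Recipient of its first SubjectConfirmationData equals the
     * location of the SP assertion consumer service. Only the first SubjectConfirmation is
     * evaluated, as in the original implementation.
     */
    private void checkSubject( SAMLResponseManager responseManager )
        throws SAMLReponseCheckerException
    {
        if ( responseManager.getAssertion( ).getSubject( ) == null ||
            responseManager.getAssertion( ).getSubject( ).getSubjectConfirmations( ) == null ||
            responseManager.getAssertion( ).getSubject( ).getSubjectConfirmations( ).isEmpty( ) ||
            responseManager.getAssertion( ).getSubject( ).getSubjectConfirmations( ).get( 0 )
                .getSubjectConfirmationData( ) == null )
        {
            throw rejection( "Le Subject de l'Assertion ne contient aucune SubjectConfirmation exploitable" );
        }

        String recipient = responseManager.getAssertion( ).getSubject( ).getSubjectConfirmations( ).get( 0 )
            .getSubjectConfirmationData( ).getRecipient( );
        String location = BootStrap.getInstance( ).getSpMetaDataManager( ).getAssertionConsumerService( )
            .getLocation( );

        // A missing Recipient attribute is rejected like any other mismatch.
        if ( location == null || !location.equals( recipient ) )
        {
            throw rejection( "Le Recipient de l'Assertion [" + recipient + "] n'est conforme aux métadonnées [" +
                location + "]" );
        }
    }

    /**
     * Rejects the assertion when it has no Conditions element, when its validity window does not
     * contain the current time (allowing for the configured clock skew), or when its
     * AudienceRestrictions do not name this SP.
     */
    private void checkConditions( SAMLResponseManager responseManager )
        throws SAMLReponseCheckerException
    {
        if ( responseManager.getAssertion( ).getConditions( ) == null )
        {
            throw rejection( "L'Assertion ne contient pas d'élément Conditions" );
        }

        checkValidityWindow( responseManager.getAssertion( ).getConditions( ).getNotBefore( ),
            responseManager.getAssertion( ).getConditions( ).getNotOnOrAfter( ) );
        checkAudience( responseManager );
    }

    /**
     * Checks that the current time lies within [notBefore - skew, notOnOrAfter + skew).
     * Both bounds are optional in SAML, but the original code dereferenced them unconditionally,
     * so an assertion without a bounded validity window was never accepted; that outcome is kept
     * here as an explicit rejection.
     */
    private static void checkValidityWindow( DateTime notBefore, DateTime notAfter )
        throws SAMLReponseCheckerException
    {
        if ( notBefore == null || notAfter == null )
        {
            throw rejection( "Les Conditions de l'Assertion ne définissent pas de période de validité (NotBefore / NotOnOrAfter)" );
        }

        DateTime now = new DateTime( );
        long allowedTimeShiftInMillis = allowedClockSkewMillis( );

        // NotOnOrAfter is an exclusive upper bound: the assertion is expired once now >= bound + skew.
        if ( !now.isBefore( notAfter.getMillis( ) + allowedTimeShiftInMillis ) )
        {
            throw rejection( "La durée de validité de l'Assertion est expirée" );
        }

        if ( now.isBefore( notBefore.getMillis( ) - allowedTimeShiftInMillis ) )
        {
            throw rejection( "L'Assertion n'est pas encore valide" );
        }
    }

    /**
     * Reads the clock skew configured under {@code Constants.LUTECE_CLOCK_SKEW_PROP} (seconds) and
     * converts it to milliseconds. The multiplication is done in {@code long} so a large value
     * cannot overflow {@code int}; a missing or malformed property still surfaces as a
     * {@code NumberFormatException}, as with the former {@code new Integer( String )}.
     */
    private static long allowedClockSkewMillis( )
    {
        String configured = ConfigProperties.getInstance( ).getProperty( Constants.LUTECE_CLOCK_SKEW_PROP );

        return MILLIS_PER_SECOND * Integer.parseInt( configured );
    }

    /**
     * Checks the AudienceRestrictions against the SP entityID. Per SAML 2.0 Core 2.5.1.4 every
     * AudienceRestriction must be satisfied, and one is satisfied when any of its Audience values
     * names this SP; the original code only looked at the first Audience of the first restriction,
     * which both rejected valid multi-audience assertions and ignored later restrictions.
     */
    private static void checkAudience( SAMLResponseManager responseManager )
        throws SAMLReponseCheckerException
    {
        String entityID = BootStrap.getInstance( ).getSpMetaDataManager( ).getMetaData( ).getEntityID( );
        int restrictionCount = restrictionCount( responseManager );

        if ( restrictionCount == 0 )
        {
            throw rejection( "L'Assertion ne contient aucune AudienceRestriction" );
        }

        for ( int i = 0; i < restrictionCount; i++ )
        {
            StringBuilder listed = new StringBuilder( );
            boolean namesThisSp = false;
            int audienceCount = audienceCount( responseManager, i );

            for ( int j = 0; j < audienceCount; j++ )
            {
                String audience = audienceURI( responseManager, i, j );

                if ( j > 0 )
                {
                    listed.append( ", " );
                }

                listed.append( audience );

                if ( entityID != null && entityID.equals( audience ) )
                {
                    namesThisSp = true;
                }
            }

            if ( !namesThisSp )
            {
                throw rejection( "L'Audience de l'Assertion [" + listed + "] n'est pas conforme aux métadonnées [" +
                    entityID + "]" );
            }
        }
    }

    /** Number of AudienceRestriction elements in the Conditions, 0 when the list is absent. */
    private static int restrictionCount( SAMLResponseManager responseManager )
    {
        if ( responseManager.getAssertion( ).getConditions( ).getAudienceRestrictions( ) == null )
        {
            return 0;
        }

        return responseManager.getAssertion( ).getConditions( ).getAudienceRestrictions( ).size( );
    }

    /** Number of Audience elements in the given AudienceRestriction, 0 when the list is absent. */
    private static int audienceCount( SAMLResponseManager responseManager, int restrictionIndex )
    {
        if ( responseManager.getAssertion( ).getConditions( ).getAudienceRestrictions( ).get( restrictionIndex )
            .getAudiences( ) == null )
        {
            return 0;
        }

        return responseManager.getAssertion( ).getConditions( ).getAudienceRestrictions( ).get( restrictionIndex )
            .getAudiences( ).size( );
    }

    /** URI of the given Audience element (may be null when the element carries no value). */
    private static String audienceURI( SAMLResponseManager responseManager, int restrictionIndex, int audienceIndex )
    {
        return responseManager.getAssertion( ).getConditions( ).getAudienceRestrictions( ).get( restrictionIndex )
            .getAudiences( ).get( audienceIndex ).getAudienceURI( );
    }

    /**
     * Logs the failure reason at info level, as the original checks did, and builds the exception
     * the caller throws. Returning it (rather than throwing here) keeps the compiler's flow
     * analysis aware that the calling branch terminates.
     */
    private static SAMLReponseCheckerException rejection( String message )
    {
        AppLogService.info( message );

        return new SAMLReponseCheckerException( message );
    }
}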