View Javadoc
1   /*
2    * Copyright (c) 2002-2014, Mairie de Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.plugins.mylutece.modules.saml.authentication.checkers;
35  
36  import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.config.ConfigProperties;
37  import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.config.Constants;
38  import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.engine.BootStrap;
39  import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.engine.SAMLResponseManager;
40  import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.exceptions.SAMLCheckerException;
41  import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.exceptions.SAMLParsingException;
42  import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.exceptions.SAMLReponseCheckerException;
43  import fr.paris.lutece.portal.service.util.AppLogService;
44  
45  import org.joda.time.DateTime;
46  
47  
48  public class SAMLAssertionChecker implements SAMLChecker
49  {
50      public void check( SAMLResponseManager responseManager )
51          throws SAMLCheckerException, SAMLParsingException
52      {
53          // Verifier Assertion/Issuer
54          checkIssuer( responseManager );
55  
56          // Verifier Assertion/Subject
57          checkSubject( responseManager );
58  
59          // Verifier Assertion/Conditions
60          checkConditions( responseManager );
61  
62          // Verifier Assertion/AuthnStatement
63          // Rien?
64  
65          // Verifier Assertion/AttributeStatement
66          // cf RequiredAttributes
67      }
68  
69      /**
70       * Verifier Assertion/Issuer vs EntityDescriptor/@entityID sur IDP
71       * @param responseManager
72       * @throws SAMLReponseCheckerException
73       */
74      private void checkIssuer( SAMLResponseManager responseManager )
75          throws SAMLReponseCheckerException
76      {
77          String issuer = responseManager.getAssertion(  ).getIssuer(  ).getValue(  );
78          String entityID = BootStrap.getInstance(  ).getIdpMetaDataManager(  ).getMetaData(  ).getEntityID(  );
79  
80          if ( !issuer.equals( entityID ) )
81          {
82              String message = "L'Issuer de l'Assertion [" + issuer + "] n'est conforme aux m�tadonn�es [" +
83                  entityID + "]";
84              AppLogService.info( message );
85              throw new SAMLReponseCheckerException( message );
86          }
87      }
88  
89      /**
90       * Verifier Subject/SubjectConfirmation/SubjectConfirmationData/@Recipient vs /SPSSODescriptor/AssertionConsumerService/@Location
91       * Subject/SubjectConfirmation/SubjectConfirmationData/@Recipient vs /SPSSODescriptor/AssertionConsumerService/@Location
92       * Subject/SubjectConfirmation/SubjectConfirmationData/@NotOnOrAfter vs now + decalage
93       * @param responseManager
94       * @throws SAMLReponseCheckerException
95       */
96      private void checkSubject( SAMLResponseManager responseManager )
97          throws SAMLReponseCheckerException
98      {
99          String recipient = responseManager.getAssertion(  ).getSubject(  ).getSubjectConfirmations(  ).get( 0 )
100                                           .getSubjectConfirmationData(  ).getRecipient(  );
101         String location = BootStrap.getInstance(  ).getSpMetaDataManager(  ).getAssertionConsumerService(  )
102                                    .getLocation(  );
103 
104         if ( !recipient.equals( location ) )
105         {
106             String message = "Le Recipient de l'Assertion [" + recipient + "] n'est conforme aux m�tadonn�es [" +
107                 location + "]";
108             AppLogService.info( message );
109             throw new SAMLReponseCheckerException( message );
110         }
111     }
112 
113     /**
114      * Verifier Conditions/NotBefore vs time
115      * Verifier Conditions/NotOnOrAfter vs time
116      * Verifier Conditions/AudienceRestriction/Audience vs /EntityDescriptor/@entityID sur SP
117      * @param responseManager
118      * @throws SAMLReponseCheckerException
119      */
120     private void checkConditions( SAMLResponseManager responseManager )
121         throws SAMLReponseCheckerException
122     {
123         DateTime notAfter = responseManager.getAssertion(  ).getConditions(  ).getNotOnOrAfter(  );
124         DateTime notBefore = responseManager.getAssertion(  ).getConditions(  ).getNotBefore(  );
125         DateTime now = new DateTime(  );
126         long allowedTimeShiftInMillis = 1000 * new Integer( ConfigProperties.getInstance(  )
127                                                                             .getProperty( Constants.LUTECE_CLOCK_SKEW_PROP ) );
128 
129         if ( now.isAfter( notAfter.getMillis(  ) + allowedTimeShiftInMillis ) )
130         {
131             String message = "La dur�e de validit� de l'Assertion est expir�e";
132             AppLogService.info( message );
133             throw new SAMLReponseCheckerException( message );
134         }
135 
136         if ( now.isBefore( notBefore.getMillis(  ) - allowedTimeShiftInMillis ) )
137         {
138             String message = "L'Assertion n'est pas encore valide";
139             AppLogService.info( message );
140             throw new SAMLReponseCheckerException( message );
141         }
142 
143         String audience = responseManager.getAssertion(  ).getConditions(  ).getAudienceRestrictions(  ).get( 0 )
144                                          .getAudiences(  ).get( 0 ).getAudienceURI(  );
145         String entityID = BootStrap.getInstance(  ).getSpMetaDataManager(  ).getMetaData(  ).getEntityID(  );
146 
147         if ( !audience.equals( entityID ) )
148         {
149             String message = "L'Audience de l'Assertion [" + audience + "] n'est pas conforme aux m�tadonn�es [" +
150                 entityID + "]";
151             AppLogService.info( message );
152             throw new SAMLReponseCheckerException( message );
153         }
154     }
155 }