1   /*
2    * Copyright (c) 2002-2014, Mairie de Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.plugins.mylutece.modules.saml.authentication.metadata;
35  
36  import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.config.ConfigProperties;
37  import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.config.Constants;
38  import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.exceptions.CertificateValidationException;
39  import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.exceptions.SAMLParsingException;
40  import fr.paris.lutece.plugins.mylutece.modules.saml.authentication.util.X509CertificateHelper;
41  import fr.paris.lutece.portal.service.util.AppLogService;
42  
43  import org.opensaml.common.xml.SAMLConstants;
44  
45  import org.opensaml.saml2.metadata.IDPSSODescriptor;
46  import org.opensaml.saml2.metadata.KeyDescriptor;
47  
48  import org.opensaml.xml.signature.KeyInfo;
49  import org.opensaml.xml.signature.X509Data;
50  
51  import java.io.IOException;
52  import java.io.InputStream;
53  
54  import java.security.cert.CertificateException;
55  import java.security.cert.X509Certificate;
56  
57  import java.util.ArrayList;
58  import java.util.List;
59  
60  
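public class IDPMetadataManager extends MetadataManager
{
    /**
     * Creates the manager and triggers {@link #loadIDPCertificateChain()}.
     * The metadata itself is only loaded by a later call to {@link #loadMetadata(String)}.
     */
    public IDPMetadataManager(  )
    {
        loadIDPCertificateChain(  );
    }

    /**
     * Placeholder for loading the certificate chain of the IDP.
     * Not implemented: this class performs no chain validation, so the certificate
     * returned by {@link #getCertificateWhiteList()} is trusted exactly as it appears
     * in the metadata file. The trust therefore rests on the provenance of that file.
     */
    private void loadIDPCertificateChain(  )
    {
        // TODO not yet implemented
    }

    /**
     * Loads the IDP metadata from a classpath resource and delegates the parsing to
     * {@code loadMetadata(InputStream)} of the parent class.
     *
     * @param inFilePath classpath resource path of the IDP metadata file; when {@code null}
     *        the path is read from the {@code Constants.IDP_METADATA_FILE_PROP} property
     */
    @Override
    public void loadMetadata( String inFilePath )
    {
        String path = inFilePath;

        // Default to the IDP metadata file path declared in the plugin configuration
        if ( path == null )
        {
            path = ConfigProperties.getInstance(  ).getProperty( Constants.IDP_METADATA_FILE_PROP );
        }

        InputStream stream = this.getClass(  ).getResourceAsStream( path );

        // getResourceAsStream yields null for a missing resource : name the path that was
        // tried so the failure is diagnosable instead of surfacing as a bare NPE downstream
        if ( stream == null )
        {
            AppLogService.error( "IDP metadata resource not found : " + path );
        }

        loadMetadata( stream );
    }

    /**
     * Checks that the loaded metadata designates exactly one IDP certificate :
     * one IDPSSODescriptor, holding one KeyDescriptor, whose KeyInfo holds one X509Data,
     * which holds one X509Certificate. {@link #getCertificateWhiteList()} relies on this
     * check having passed before it dereferences those elements.
     *
     * @throws SAMLParsingException when one of those elements is missing or not unique
     */
    @Override
    protected void validateContent(  ) throws SAMLParsingException
    {
        // The metadata must contain an IDPSSODescriptor
        IDPSSODescriptor idpSSODescriptor = metaData.getIDPSSODescriptor( SAMLConstants.SAML20P_NS );

        if ( idpSSODescriptor == null )
        {
            throw parsingError( "Les metadonn�es devraient contenir un IDPSSODescriptor" );
        }

        // The IDPSSODescriptor must contain exactly one KeyDescriptor
        List<KeyDescriptor> keyDescriptors = idpSSODescriptor.getKeyDescriptors(  );

        if ( keyDescriptors.size(  ) != 1 )
        {
            throw parsingError( "L'IDPSSODescriptor devrait contenir un et un seul KeyDescriptor. Il en contient " +
                keyDescriptors.size(  ) );
        }

        // The KeyDescriptor must carry a KeyInfo ; an absent one is a parsing error, not an NPE
        KeyInfo keyInfo = keyDescriptors.get( 0 ).getKeyInfo(  );

        if ( keyInfo == null )
        {
            throw parsingError( "Le KeyDescriptor devrait contenir un KeyInfo" );
        }

        // The KeyInfo must contain exactly one X509Data
        List<X509Data> x509Datas = keyInfo.getX509Datas(  );

        if ( x509Datas.size(  ) != 1 )
        {
            throw parsingError( "Le KeyInfo devrait contenir un et un seul X509Data. Il en contient " + x509Datas.size(  ) );
        }

        // The X509Data must contain exactly one X509Certificate
        List<org.opensaml.xml.signature.X509Certificate> x509Certificates = x509Datas.get( 0 ).getX509Certificates(  );

        if ( x509Certificates.size(  ) != 1 )
        {
            throw parsingError( "Le X509Data devrait contenir un et un seul X509Certificate" );
        }
    }

    /**
     * Logs a metadata validation failure and builds the exception to throw for it.
     *
     * @param message description of the failure
     * @return the exception carrying {@code message}
     */
    private static SAMLParsingException parsingError( String message )
    {
        AppLogService.info( message );

        return new SAMLParsingException( message );
    }

    /**
     * Extracts the IDP certificate from the loaded metadata.
     * <p>
     * Expects {@link #validateContent()} to have succeeded : the descriptor, key and
     * certificate elements are dereferenced without further checks. The certificate is
     * returned as found in the metadata ; no chain or validity check is performed here
     * (see {@link #loadIDPCertificateChain()}).
     *
     * @return a list normally reduced to the single certificate declared in the metadata
     * @throws CertificateValidationException when the base64 value cannot be turned into
     *         an {@link X509Certificate}
     */
    public List<X509Certificate> getCertificateWhiteList(  )
        throws CertificateValidationException
    {
        List<X509Certificate> whiteList = new ArrayList<X509Certificate>(  );

        try
        {
            IDPSSODescriptor idpSSODescriptor = metaData.getIDPSSODescriptor( SAMLConstants.SAML20P_NS );
            KeyInfo keyInfo = idpSSODescriptor.getKeyDescriptors(  ).get( 0 ).getKeyInfo(  );
            X509Data x509Data = keyInfo.getX509Datas(  ).get( 0 );
            String b64MetadataCert = x509Data.getX509Certificates(  ).get( 0 ).getValue(  );

            whiteList.add( X509CertificateHelper.buildX509Cert( b64MetadataCert ) );
        }
        catch ( CertificateException e )
        {
            throw certificateError( e );
        }
        catch ( IOException e )
        {
            throw certificateError( e );
        }

        return whiteList;
    }

    /**
     * Logs a certificate extraction failure together with its cause and builds the
     * exception to throw. The cause is kept in the log because it is not carried by
     * the returned exception.
     *
     * @param e the underlying decoding or parsing error
     * @return the exception carrying the failure message
     */
    private static CertificateValidationException certificateError( Exception e )
    {
        String message = "Erreur lors de la recuperation du certificat des Metadonn�es : " + e.getLocalizedMessage(  );
        AppLogService.error( message, e );

        return new CertificateValidationException( message );
    }
}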
171 }