/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.cxf.rt.security.saml.utils;
import java.net.URI;
import java.security.Principal;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.w3c.dom.Element;
import org.apache.cxf.common.security.SimpleGroup;
import org.apache.cxf.rt.security.claims.Claim;
import org.apache.cxf.rt.security.claims.ClaimCollection;
import org.apache.cxf.rt.security.saml.claims.SAMLClaim;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
public final class SAMLUtils {
private SAMLUtils() {
}
/**
* Extract Claims from a SAML Assertion
*/
public static ClaimCollection getClaims(SamlAssertionWrapper assertion) {
ClaimCollection claims = new ClaimCollection();
if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
List<AttributeStatement> statements = assertion.getSaml2().getAttributeStatements();
for (AttributeStatement as : statements) {
for (Attribute atr : as.getAttributes()) {
SAMLClaim claim = new SAMLClaim();
claim.setClaimType(URI.create(atr.getName()));
claim.setName(atr.getName());
claim.setNameFormat(atr.getNameFormat());
claim.setFriendlyName(atr.getFriendlyName());
for (XMLObject o : atr.getAttributeValues()) {
String attrValue = o.getDOM().getTextContent();
claim.getValues().add(attrValue);
}
claims.add(claim);
}
}
} else {
List<org.opensaml.saml.saml1.core.AttributeStatement> attributeStatements =
assertion.getSaml1().getAttributeStatements();
for (org.opensaml.saml.saml1.core.AttributeStatement statement : attributeStatements) {
for (org.opensaml.saml.saml1.core.Attribute atr : statement.getAttributes()) {
SAMLClaim claim = new SAMLClaim();
String claimType = atr.getAttributeName();
if (atr.getAttributeNamespace() != null) {
claimType = atr.getAttributeNamespace() + "/" + claimType;
}
claim.setClaimType(URI.create(claimType));
claim.setName(atr.getAttributeName());
claim.setNameFormat(atr.getAttributeNamespace());
for (XMLObject o : atr.getAttributeValues()) {
String attrValue = o.getDOM().getTextContent();
claim.getValues().add(attrValue);
}
claims.add(claim);
}
}
}
return claims;
}
/**
* Extract roles from the given Claims
*/
public static Set<Principal> parseRolesFromClaims(
ClaimCollection claims,
String name,
String nameFormat
) {
String roleAttributeName = name;
if (roleAttributeName == null) {
roleAttributeName = SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
}
Set<Principal> roles = new HashSet<>();
for (Claim claim : claims) {
if (claim instanceof SAMLClaim && ((SAMLClaim)claim).getName().equals(name)
&& (nameFormat == null
|| nameFormat.equals(((SAMLClaim)claim).getNameFormat()))) {
for (Object claimValue : claim.getValues()) {
if (claimValue instanceof String) {
roles.add(new SimpleGroup((String)claimValue));
}
}
if (claim.getValues().size() > 1) {
// Don't search for other attributes with the same name if > 1 claim value
break;
}
}
}
return roles;
}
public static String getIssuer(Object assertion) {
return ((SamlAssertionWrapper)assertion).getIssuerString();
}
public static Element getAssertionElement(Object assertion) {
return ((SamlAssertionWrapper)assertion).getElement();
}
}