SAML2AttributeHandler.java

/*
 * JBoss, Home of Professional Open Source
 *
 * Copyright 2013 Red Hat, Inc. and/or its affiliates.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.picketlink.identity.federation.web.handlers.saml2;

import org.picketlink.common.constants.GeneralConstants;
import org.picketlink.common.exceptions.ConfigurationException;
import org.picketlink.common.exceptions.ProcessingException;
import org.picketlink.common.util.StringUtil;
import org.picketlink.config.federation.IDPType;
import org.picketlink.identity.federation.core.impl.DelegatedAttributeManager;
import org.picketlink.identity.federation.core.impl.EmptyAttributeManager;
import org.picketlink.identity.federation.core.interfaces.AttributeManager;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2AttributeManager;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerChainConfig;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerConfig;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerRequest;
import org.picketlink.identity.federation.core.saml.v2.interfaces.SAML2HandlerResponse;
import org.picketlink.identity.federation.core.saml.v2.util.StatementUtil;
import org.picketlink.identity.federation.saml.v2.SAML2Object;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
import org.picketlink.identity.federation.saml.v2.assertion.StatementAbstractType;
import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
import org.picketlink.identity.federation.saml.v2.protocol.LogoutRequestType;
import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
import org.picketlink.identity.federation.web.core.HTTPContext;

import javax.servlet.http.HttpSession;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import static org.picketlink.common.constants.GeneralConstants.SESSION_ATTRIBUTE_MAP;

/**
 * <p>
 * Handler dealing with attributes for SAML2
 * </p>
 * <p>
 * <b>Configuration for handler:</b>
 * </p>
 * <p>
 * <ul>
 * <li>ATTRIBUTE_MANAGER: a fqn of the attribute manager class. This is an IDP setting.</li>
 * <li>ATTRIBUTE_KEYS: a comma separated list of string values representing attributes to be sent. IDP setting.</li>
 * <li>ATTRIBUTE_CHOOSE_FRIENDLY_NAME : set to true if you require attributes to be keyed by friendly name rather than
 * default
 * name. SP Setting.</li>
 * </ul>
 * </p>
 *
 * @author Anil.Saldhana@redhat.com
 * @since Oct 12, 2009
 */
public class SAML2AttributeHandler extends BaseSAML2Handler {

    protected SAML2AttributeManager attribManager = new DelegatedAttributeManager(new EmptyAttributeManager(), null);

    protected List<String> attributeKeys = new ArrayList<String>();

    protected boolean chooseFriendlyName = false;

    @Override
    public void initChainConfig(SAML2HandlerChainConfig handlerChainConfig) throws ConfigurationException {
        super.initChainConfig(handlerChainConfig);

        Object config = this.handlerChainConfig.getParameter(GeneralConstants.CONFIGURATION);

        // if the GeneralConstants.ATTIBUTE_MANAGER parameter is defined for this handler, ignore the PicketLinkIDP AttributeManager attribute.
        if (config instanceof IDPType && getAttributeManager() == null) {
            IDPType idpType = (IDPType) config;
            String attribStr = idpType.getAttributeManager();
            insantiateAttributeManager(attribStr);
        }
    }

    private Object getAttributeManager() {
        if (this.handlerConfig == null) {
            return null;
        }

        return this.handlerConfig.getParameter(GeneralConstants.ATTIBUTE_MANAGER);
    }

    @Override
    public void initHandlerConfig(SAML2HandlerConfig handlerConfig) throws ConfigurationException {
        super.initHandlerConfig(handlerConfig);

        String attribStr = (String) getAttributeManager();
        this.insantiateAttributeManager(attribStr);
        // Get a list of attributes we are interested in
        String attribList = (String) this.handlerConfig.getParameter(GeneralConstants.ATTRIBUTE_KEYS);
        if (StringUtil.isNotNull(attribList)) {
            this.attributeKeys.addAll(StringUtil.tokenize(attribList));
        }

        String chooseFriendlyNameStr = (String) handlerConfig.getParameter(GeneralConstants.ATTRIBUTE_CHOOSE_FRIENDLY_NAME);
        if (StringUtil.isNotNull(chooseFriendlyNameStr)) {
            chooseFriendlyName = Boolean.parseBoolean(chooseFriendlyNameStr);
        }
    }

    @SuppressWarnings("unchecked")
    public void handleRequestType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException {
        // Do not handle log out request interaction
        SAML2Object saml2Object = request.getSAML2Object();

        if (saml2Object instanceof LogoutRequestType)
            return;

        // only handle IDP side
        if (getType() == HANDLER_TYPE.SP)
            return;

        HTTPContext httpContext = (HTTPContext) request.getContext();
        HttpSession session = httpContext.getRequest().getSession(false);

        Principal userPrincipal = (Principal) session.getAttribute(GeneralConstants.PRINCIPAL_ID);
        AuthnRequestType authnRequestType = (AuthnRequestType) saml2Object;

        if (userPrincipal == null) {
            userPrincipal = httpContext.getRequest().getUserPrincipal();
        }

        Map<String, Object> sessionAttributes = (Map<String, Object>) session.getAttribute(GeneralConstants.ATTRIBUTES);

        if (sessionAttributes == null) {
            Set<AttributeStatementType> attributes = this.attribManager.getAttributes(authnRequestType, userPrincipal);

            request.addOption(GeneralConstants.ATTRIBUTES, attributes);

            session.setAttribute(GeneralConstants.ATTRIBUTES, StatementUtil.asMap(attributes));
        }
    }

    @Override
    public void handleStatusResponseType(SAML2HandlerRequest request, SAML2HandlerResponse response) throws ProcessingException {
        // only handle SP side
        if (getType() == HANDLER_TYPE.IDP)
            return;
        handleIDPResponse(request);
    }

    private void insantiateAttributeManager(String attribStr) throws ConfigurationException {
        if (attribStr != null && !"".equals(attribStr)) {
            try {
                attribManager = new DelegatedAttributeManager((AttributeManager) SecurityActions.loadClass(getClass(), attribStr).newInstance(), null);
                logger.trace("AttributeManager set to " + attribStr);
            } catch (Exception e) {
                logger.attributeProviderInstationError(e);
                throw logger.configurationError(e);
            }
        }
    }

    @SuppressWarnings("unchecked")
    protected void handleIDPResponse(SAML2HandlerRequest request) {
        if (!(request.getSAML2Object() instanceof ResponseType)) {
            return;
        }

        HTTPContext httpContext = (HTTPContext) request.getContext();
        HttpSession session = httpContext.getRequest().getSession(false);

        AssertionType assertion = (AssertionType) request.getOptions().get(GeneralConstants.ASSERTION);
        if (assertion == null)
            throw logger.samlHandlerAssertionNotFound();

        Set<StatementAbstractType> statements = assertion.getStatements();
        for (StatementAbstractType statement : statements) {
            if (statement instanceof AttributeStatementType) {
                AttributeStatementType attrStat = (AttributeStatementType) statement;
                List<ASTChoiceType> attrs = attrStat.getAttributes();
                for (ASTChoiceType attrChoice : attrs) {
                    Map<String, List<Object>> attrMap = (Map<String, List<Object>>) session.getAttribute(SESSION_ATTRIBUTE_MAP);

                    if (attrMap == null) {
                        attrMap = new HashMap<String, List<Object>>();
                        session.setAttribute(SESSION_ATTRIBUTE_MAP, attrMap);
                    }

                    AttributeType attr = attrChoice.getAttribute();
                    String attributeName;

                    if (chooseFriendlyName) {
                        attributeName = attr.getFriendlyName();
                    } else {
                        attributeName = attr.getName();
                    }

                    List<Object> values = attrMap.get(attributeName);

                    if (values == null) {
                        values = new ArrayList<Object>();
                        attrMap.put(attributeName, values);
                    }

                    values.addAll(attr.getAttributeValue());
                }
            }
        }
    }

}