net.shibboleth.idp.saml.saml2.profile.delegation.impl

Class EvaluateDelegationPolicy

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>

org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.saml.saml2.profile.delegation.impl.EvaluateDelegationPolicy

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, org.opensaml.profile.action.ProfileAction, org.springframework.beans.factory.Aware, org.springframework.context.MessageSource, org.springframework.context.MessageSourceAware, org.springframework.webflow.execution.Action

@Prototype
public class EvaluateDelegationPolicy
extends AbstractProfileAction

Action which implements policy controls to decide whether an SSO request based on a delegated Assertion token is allowed to proceed.

Two policy checks are performed:

1. The active SSOSProfileConfiguration is resolved and the predicate SSOSProfileConfiguration.getDelegationPredicate() is applied. If the predicate evaluates to false, the request is not allowed. An example predicate commonly used here is AllowedSAMLPresentersPredicate.
2. The length of the delegation chain as indicated in the inbound assertion token's DelegationRestrictionType condition is evaluated against a policy maximum resolved via the strategy set by setPolicyMaxChainLengthStrategy(Function), or from DEFAULT_POLICY_MAX_CHAIN_LENGTH if no value can otherwise be resolved. If the chain of Delegate child elements is greater than or equal to the resolved policy max chain length, the request is not allowed. The default policy resolution strategy is to look at the first DelegationPolicy contained within the inbound assertion token's Advice.

Event:

AuthnEventIds.NO_CREDENTIALS, EventIds.INVALID_PROFILE_CTX, EventIds.INVALID_SEC_CFG

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
class	EvaluateDelegationPolicy.PolicyMaxChainLengthStrategy Default strategy used to resolve the policy maximum token delegation chain length.

Field Summary

Fields

Modifier and Type	Field and Description
private org.opensaml.saml.saml2.core.Assertion	assertionToken The inbound delegated assertion token being evaluated.
private Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.saml2.core.Assertion>	assertionTokenStrategy Function used to resolve the assertion token to process.
static Long	DEFAULT_POLICY_MAX_CHAIN_LENGTH Default policy max chain length, when can't otherwise be derived.
private Predicate<org.opensaml.profile.context.ProfileRequestContext>	delegationPredicate The predicate used to determine whether the request is allowed to proceed.
private org.slf4j.Logger	log Logger.
private Long	policyMaxChainLength The policy maximum token delegation chain length.
private Function<org.opensaml.profile.context.ProfileRequestContext,Long>	policyMaxChainLengthStrategy Function used to resolve the policy maximum delegation chain length.
private Function<org.opensaml.profile.context.ProfileRequestContext,RelyingPartyContext>	relyingPartyContextLookupStrategy Strategy used to lookup the RelyingPartyContext.
private Long	tokenChainLength The actual token delegation chain length.

Constructor Summary

Constructors

Constructor and Description
EvaluateDelegationPolicy() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected boolean	checkAllowedDelegate(org.opensaml.profile.context.ProfileRequestContext profileRequestContext) Apply policy control SSOSProfileConfiguration.getDelegationPredicate().
protected boolean	checkTokenDelegationChainLength(org.opensaml.profile.context.ProfileRequestContext profileRequestContext) Apply policy control which checks the actual token chain length against the policy maximum chain length.
protected void	doExecute(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
protected boolean	doPreExecute(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
protected boolean	doPreExecuteInbound(org.opensaml.profile.context.ProfileRequestContext profileRequestContext) Pre-execute actions on the inbound message.
protected boolean	doPreExecuteRelyingParty(org.opensaml.profile.context.ProfileRequestContext profileRequestContext) Pre-execute actions on the relying party context info.
protected org.opensaml.saml.ext.saml2delrestrict.DelegationRestrictionType	getDelegationRestrictionCondition(org.opensaml.saml.saml2.core.Conditions conditions) Get the DelegationRestrictionType Condition from the supplied Conditions, if present.
protected Long	getPolicyMaxDelegationChainLength(org.opensaml.profile.context.ProfileRequestContext profileRequestContext) Get the effective maximum delegation chain length allowed by policy.
protected Long	getTokenDelegationChainLength(org.opensaml.saml.saml2.core.Assertion token) Get the length of the delegation chain in the presented token.
void	setAssertionTokenStrategy(Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.saml2.core.Assertion> strategy) Set the strategy used to locate the inbound assertion token to process.
void	setPolicyMaxChainLengthStrategy(Function<org.opensaml.profile.context.ProfileRequestContext,Long> strategy) Set the strategy used to resolve the policy maximum delegation chain length.
void	setRelyingPartyContextLookupStrategy(Function<org.opensaml.profile.context.ProfileRequestContext,RelyingPartyContext> strategy) Set the strategy used to locate the current RelyingPartyContext.

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

DEFAULT_POLICY_MAX_CHAIN_LENGTH

public static final Long DEFAULT_POLICY_MAX_CHAIN_LENGTH

Default policy max chain length, when can't otherwise be derived.

log

private org.slf4j.Logger log

Logger.

relyingPartyContextLookupStrategy

@Nonnull
private Function<org.opensaml.profile.context.ProfileRequestContext,RelyingPartyContext> relyingPartyContextLookupStrategy

Strategy used to lookup the RelyingPartyContext.

assertionTokenStrategy

@Nonnull
private Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.saml2.core.Assertion> assertionTokenStrategy

Function used to resolve the assertion token to process.

policyMaxChainLengthStrategy

@Nonnull
private Function<org.opensaml.profile.context.ProfileRequestContext,Long> policyMaxChainLengthStrategy

Function used to resolve the policy maximum delegation chain length.

assertionToken

private org.opensaml.saml.saml2.core.Assertion assertionToken

The inbound delegated assertion token being evaluated.

policyMaxChainLength

private Long policyMaxChainLength

The policy maximum token delegation chain length.

tokenChainLength

private Long tokenChainLength

The actual token delegation chain length.

delegationPredicate

private Predicate<org.opensaml.profile.context.ProfileRequestContext> delegationPredicate

The predicate used to determine whether the request is allowed to proceed.

Constructor Detail

EvaluateDelegationPolicy

public EvaluateDelegationPolicy()

Constructor.

Method Detail

setPolicyMaxChainLengthStrategy

public void setPolicyMaxChainLengthStrategy(@Nonnull
                                   Function<org.opensaml.profile.context.ProfileRequestContext,Long> strategy)

Set the strategy used to resolve the policy maximum delegation chain length.

Parameters:

strategy - the strategy

setAssertionTokenStrategy

public void setAssertionTokenStrategy(@Nonnull
                             Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.saml2.core.Assertion> strategy)

Set the strategy used to locate the inbound assertion token to process.

Parameters:

strategy - lookup strategy

setRelyingPartyContextLookupStrategy

public void setRelyingPartyContextLookupStrategy(@Nonnull
                                        Function<org.opensaml.profile.context.ProfileRequestContext,RelyingPartyContext> strategy)

Set the strategy used to locate the current RelyingPartyContext.

Parameters:

strategy - strategy used to locate the current RelyingPartyContext

doPreExecute

protected boolean doPreExecute(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Overrides:

doPreExecute in class org.opensaml.profile.action.AbstractConditionalProfileAction

doPreExecuteInbound

protected boolean doPreExecuteInbound(@Nonnull
                          org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Pre-execute actions on the inbound message.

Parameters:

profileRequestContext - the current profile request context

Returns:

true iff doExecute(ProfileRequestContext) should proceed

doPreExecuteRelyingParty

protected boolean doPreExecuteRelyingParty(@Nonnull
                               org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Pre-execute actions on the relying party context info.

Parameters:

profileRequestContext - the current profile request context

Returns:

true iff doExecute(ProfileRequestContext) should proceed

doExecute

protected void doExecute(@Nonnull
             org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Overrides:

doExecute in class org.opensaml.profile.action.AbstractProfileAction

checkAllowedDelegate

protected boolean checkAllowedDelegate(@Nonnull
                           org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Apply policy control SSOSProfileConfiguration.getDelegationPredicate().

Parameters:

profileRequestContext - the current request context

Returns:

true if check passes, false if not

checkTokenDelegationChainLength

protected boolean checkTokenDelegationChainLength(@Nonnull
                                      org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Apply policy control which checks the actual token chain length against the policy maximum chain length.

Parameters:

profileRequestContext - the current request context

Returns:

true if check passes, false if not

getTokenDelegationChainLength

protected Long getTokenDelegationChainLength(@Nonnull
                                 org.opensaml.saml.saml2.core.Assertion token)

Get the length of the delegation chain in the presented token.

Parameters:

token - the token to evaluate

Returns:

the token delegation chain length

getDelegationRestrictionCondition

protected org.opensaml.saml.ext.saml2delrestrict.DelegationRestrictionType getDelegationRestrictionCondition(@Nullable
                                                                                                 org.opensaml.saml.saml2.core.Conditions conditions)

Get the DelegationRestrictionType Condition from the supplied Conditions, if present.

Parameters:

conditions - the Assertion Conditions to process

Returns:

the DelegationRestrictionType Condition object, or null if not present

getPolicyMaxDelegationChainLength

@Nonnull
protected Long getPolicyMaxDelegationChainLength(@Nonnull
                                             org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Get the effective maximum delegation chain length allowed by policy.

Parameters:

profileRequestContext - the current request context

Returns:

the policy max delegation chain policy length