1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.wss4j.dom.processor;
21  
22  import java.util.Collections;
23  import java.util.LinkedList;
24  import java.util.List;
25  
26  import javax.xml.namespace.QName;
27  
28  import org.w3c.dom.Element;
29  import org.w3c.dom.Node;
30  import org.apache.wss4j.common.ext.WSSecurityException;
31  import org.apache.wss4j.common.util.XMLUtils;
32  import org.apache.wss4j.dom.WSConstants;
33  import org.apache.wss4j.dom.WSDataRef;
34  import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
35  import org.apache.wss4j.dom.handler.RequestData;
36  
37  /**
38   * This will process incoming <code>saml2:EncryptedAssertion</code> elements.
39   */
public class EncryptedAssertionProcessor implements Processor {

    private static final org.slf4j.Logger LOG =
        org.slf4j.LoggerFactory.getLogger(EncryptedAssertionProcessor.class);

    /**
     * Processes a {@code saml2:EncryptedAssertion} element.
     * <p>
     * The element is handled in three stages:
     * <ol>
     *   <li>Every direct {@code xenc:EncryptedKey} child is handed to the processor registered
     *       for it in the {@link org.apache.wss4j.dom.engine.WSSConfig}; those processors are
     *       expected to decrypt the referenced data (the assertion) as a side effect.</li>
     *   <li>If any EncryptedKey was processed, the data references of those results are searched
     *       for a SAML 1.1 / SAML 2.0 assertion; the first one with a registered processor is
     *       processed and its results are prepended to the EncryptedKey results.</li>
     *   <li>Otherwise the {@code xenc:EncryptedData} child is validated to be of Type
     *       {@code ...xmlenc#Element} and handed to the processor registered for it.</li>
     * </ol>
     *
     * @param elem the {@code saml2:EncryptedAssertion} element
     * @param request the request data; its {@code WSSConfig} supplies the delegate processors
     * @return the accumulated results, or an empty list if there is no EncryptedData child or
     *         no processor is registered for it
     * @throws WSSecurityException if the EncryptedData Type is not {@code ...xmlenc#Element},
     *         or if a delegate processor fails
     */
    public List<WSSecurityEngineResult> handleToken(
        Element elem,
        RequestData request
    ) throws WSSecurityException {
        LOG.debug("Found EncryptedAssertion element");

        Element encryptedDataElement =
            XMLUtils.getDirectChildElement(elem, WSConstants.ENC_DATA_LN, WSConstants.ENC_NS);
        if (encryptedDataElement == null) {
            // No EncryptedData child: nothing to decrypt (it may already have been decrypted).
            return Collections.emptyList();
        }

        // Stage 1: let the EncryptedKey processors decrypt the assertion.
        List<WSSecurityEngineResult> completeResults = processEncryptedKeys(elem, request);

        // Stage 2: if keys were processed, the assertion is now plain text; process it too.
        if (!completeResults.isEmpty() && prependDecryptedAssertionResults(completeResults, request)) {
            return completeResults;
        }

        // Stage 3: no EncryptedKey produced a decrypted assertion, so decrypt the element ourselves
        // by delegating to the processor registered for xenc:EncryptedData.
        requireElementType(encryptedDataElement);

        Processor proc = request.getWssConfig().getProcessor(qnameOf(encryptedDataElement));
        if (proc == null) {
            return Collections.emptyList();
        }
        LOG.debug("Processing decrypted element with: {}", proc.getClass().getName());
        return proc.handleToken(encryptedDataElement, request);
    }

    /**
     * Hands every direct {@code xenc:EncryptedKey} child of {@code elem} to its registered
     * processor and collects the results, in document order.
     *
     * @return a mutable list of results; empty if no EncryptedKey child had a processor
     */
    private static List<WSSecurityEngineResult> processEncryptedKeys(
        Element elem,
        RequestData request
    ) throws WSSecurityException {
        List<WSSecurityEngineResult> keyResults = new LinkedList<>();
        Node child = elem.getFirstChild();
        while (child != null) {
            if (isEncryptedKey(child)) {
                Element keyElem = (Element) child;
                Processor proc = request.getWssConfig().getProcessor(qnameOf(keyElem));
                if (proc != null) {
                    keyResults.addAll(proc.handleToken(keyElem, request));
                }
            }
            child = child.getNextSibling();
        }
        return keyResults;
    }

    /**
     * Searches the data references of the EncryptedKey results for a decrypted SAML assertion,
     * processes the first one that has a registered processor and prepends its results to
     * {@code completeResults}.
     * <p>
     * {@code completeResults} is modified while being iterated, but the method returns
     * immediately after the modification, so the iterator is never advanced afterwards.
     *
     * @return {@code true} if an assertion was processed and its results prepended
     */
    private static boolean prependDecryptedAssertionResults(
        List<WSSecurityEngineResult> completeResults,
        RequestData request
    ) throws WSSecurityException {
        for (WSSecurityEngineResult r : completeResults) {
            @SuppressWarnings("unchecked")
            List<WSDataRef> dataRefs =
                (List<WSDataRef>) r.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
            if (dataRefs == null) {
                continue;
            }
            for (WSDataRef dataRef : dataRefs) {
                if (!isSamlAssertionRef(dataRef)) {
                    continue;
                }
                // The decrypted (plain text) assertion element
                Element decryptedElem = dataRef.getProtectedElement();
                Processor proc = request.getWssConfig().getProcessor(qnameOf(decryptedElem));
                if (proc == null) {
                    continue;
                }
                LOG.debug("Processing decrypted element with: {}", proc.getClass().getName());
                List<WSSecurityEngineResult> results = proc.handleToken(decryptedElem, request);
                completeResults.addAll(0, results);
                return true;
            }
        }
        return false;
    }

    /**
     * Rejects an {@code xenc:EncryptedData} whose Type attribute is anything other than
     * {@code http://www.w3.org/2001/04/xmlenc#Element}, so that only whole-element encryption is
     * accepted here (Type "Content" would let encrypted text alter the surrounding structure).
     * <p>
     * NOTE(review): a spec-compliant DOM returns "" (not null) from getAttributeNS for an absent
     * attribute, so an unspecified Type is rejected by this check as well. That is the
     * fail-closed reading; confirm it is the intended one before relaxing it.
     *
     * @throws WSSecurityException with error "badElement" if the Type does not match
     */
    private static void requireElementType(Element encryptedData) throws WSSecurityException {
        String typeStr = encryptedData.getAttributeNS(null, "Type");
        boolean typeIsElement = (WSConstants.ENC_NS + "Element").equals(typeStr);
        if (typeStr != null && !typeIsElement) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.INVALID_SECURITY, "badElement",
                new Object[] {"Element", typeStr}
            );
        }
    }

    /** True if {@code node} is an element named {@code EncryptedKey} in the XML Encryption namespace. */
    private static boolean isEncryptedKey(Node node) {
        if (node.getNodeType() != Node.ELEMENT_NODE) {
            return false;
        }
        return "EncryptedKey".equals(node.getLocalName())
            && WSConstants.ENC_NS.equals(node.getNamespaceURI());
    }

    /** True if the data reference names a SAML 1.1 or SAML 2.0 assertion. */
    private static boolean isSamlAssertionRef(WSDataRef dataRef) {
        return WSConstants.SAML_TOKEN.equals(dataRef.getName())
            || WSConstants.SAML2_TOKEN.equals(dataRef.getName());
    }

    /** The qualified name (namespace URI + local name) used to look up a processor for {@code element}. */
    private static QName qnameOf(Element element) {
        return new QName(element.getNamespaceURI(), element.getLocalName());
    }

}