Saml2RelyingPartyRegistrationConfiguration

最新推荐文章于 2022-11-15 23:17:17 发布

sunshinebo

最新推荐文章于 2022-11-15 23:17:17 发布

阅读量480

点赞数

分类专栏：笔记

本文链接：https://blog.csdn.net/sunshinebo/article/details/115273691

版权

笔记专栏收录该内容

47 篇文章 0 订阅

订阅专栏

/**
 * {@link Configuration @Configuration} used to map {@link Saml2RelyingPartyProperties} to
 * relying party registrations in a {@link RelyingPartyRegistrationRepository}.
 *
 * @author Madhura Bhave
 * @author Phillip Webb
 */
@Configuration(proxyBeanMethods = false)
@Conditional(RegistrationConfiguredCondition.class)
@ConditionalOnMissingBean(RelyingPartyRegistrationRepository.class)
class Saml2RelyingPartyRegistrationConfiguration {

	@Bean
	RelyingPartyRegistrationRepository relyingPartyRegistrationRepository(Saml2RelyingPartyProperties properties) {
		List<RelyingPartyRegistration> registrations = properties.getRegistration().entrySet().stream()
				.map(this::asRegistration).collect(Collectors.toList());
		return new InMemoryRelyingPartyRegistrationRepository(registrations);
	}

	private RelyingPartyRegistration asRegistration(Map.Entry<String, Registration> entry) {
		return asRegistration(entry.getKey(), entry.getValue());
	}

	private RelyingPartyRegistration asRegistration(String id, Registration properties) {
		boolean usingMetadata = StringUtils.hasText(properties.getIdentityprovider().getMetadataUri());
		Builder builder = (usingMetadata) ? RelyingPartyRegistrations
				.fromMetadataLocation(properties.getIdentityprovider().getMetadataUri()).registrationId(id)
				: RelyingPartyRegistration.withRegistrationId(id);
		builder.assertionConsumerServiceLocation(properties.getAcs().getLocation());
		builder.assertionConsumerServiceBinding(properties.getAcs().getBinding());
		builder.assertingPartyDetails(mapIdentityProvider(properties, usingMetadata));
		builder.signingX509Credentials((credentials) -> properties.getSigning().getCredentials().stream()
				.map(this::asSigningCredential).forEach(credentials::add));
		builder.decryptionX509Credentials((credentials) -> properties.getDecryption().getCredentials().stream()
				.map(this::asDecryptionCredential).forEach(credentials::add));
		builder.assertingPartyDetails((details) -> details
				.verificationX509Credentials((credentials) -> properties.getIdentityprovider().getVerification()
						.getCredentials().stream().map(this::asVerificationCredential).forEach(credentials::add)));
		builder.entityId(properties.getEntityId());
		RelyingPartyRegistration registration = builder.build();
		boolean signRequest = registration.getAssertingPartyDetails().getWantAuthnRequestsSigned();
		validateSigningCredentials(properties, signRequest);
		return registration;
	}

	private Consumer<AssertingPartyDetails.Builder> mapIdentityProvider(Registration properties,
			boolean usingMetadata) {
		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
		Saml2RelyingPartyProperties.Identityprovider identityprovider = properties.getIdentityprovider();
		return (details) -> {
			map.from(identityprovider::getEntityId).to(details::entityId);
			map.from(identityprovider.getSinglesignon()::getBinding).to(details::singleSignOnServiceBinding);
			map.from(identityprovider.getSinglesignon()::getUrl).to(details::singleSignOnServiceLocation);
			map.from(identityprovider.getSinglesignon()::isSignRequest).when((signRequest) -> !usingMetadata)
					.to(details::wantAuthnRequestsSigned);
		};
	}

	private void validateSigningCredentials(Registration properties, boolean signRequest) {
		if (signRequest) {
			Assert.state(!properties.getSigning().getCredentials().isEmpty(),
					"Signing credentials must not be empty when authentication requests require signing.");
		}
	}

	private Saml2X509Credential asSigningCredential(Signing.Credential properties) {
		RSAPrivateKey privateKey = readPrivateKey(properties.getPrivateKeyLocation());
		X509Certificate certificate = readCertificate(properties.getCertificateLocation());
		return new Saml2X509Credential(privateKey, certificate, Saml2X509CredentialType.SIGNING);
	}

	private Saml2X509Credential asDecryptionCredential(Decryption.Credential properties) {
		RSAPrivateKey privateKey = readPrivateKey(properties.getPrivateKeyLocation());
		X509Certificate certificate = readCertificate(properties.getCertificateLocation());
		return new Saml2X509Credential(privateKey, certificate, Saml2X509CredentialType.DECRYPTION);
	}

	private Saml2X509Credential asVerificationCredential(Verification.Credential properties) {
		X509Certificate certificate = readCertificate(properties.getCertificateLocation());
		return new Saml2X509Credential(certificate, Saml2X509Credential.Saml2X509CredentialType.ENCRYPTION,
				Saml2X509Credential.Saml2X509CredentialType.VERIFICATION);
	}

	private RSAPrivateKey readPrivateKey(Resource location) {
		Assert.state(location != null, "No private key location specified");
		Assert.state(location.exists(), () -> "Private key location '" + location + "' does not exist");
		try (InputStream inputStream = location.getInputStream()) {
			return RsaKeyConverters.pkcs8().convert(inputStream);
		}
		catch (Exception ex) {
			throw new IllegalArgumentException(ex);
		}
	}

	private X509Certificate readCertificate(Resource location) {
		Assert.state(location != null, "No certificate location specified");
		Assert.state(location.exists(), () -> "Certificate  location '" + location + "' does not exist");
		try (InputStream inputStream = location.getInputStream()) {
			return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(inputStream);
		}
		catch (Exception ex) {
			throw new IllegalArgumentException(ex);
		}
	}

}