java source code of VerifyServiceProviderFactory

verify-service-provider-master
- example-saml
  - example-saml-match-assertion.xml
  - example-saml-response.xml
- src
  - acceptance-test
    - java
      - uk
        gov
        ida
        verifyserviceprovider
        VersionNumberAcceptanceTest.java
        SuccessMatchAcceptanceTest.java
        services
        GenerateRequestService.java
        ComplianceToolService.java
        ComplianceToolModeAcceptanceTest.java
        builders
        ComplianceToolV1InitialisationRequestBuilder.java
        AssertionHelper.java
        VerifyServiceProviderAppRuleBuilder.java
        ComplianceToolV2InitialisationRequestBuilder.java
        UserAccountCreationResponseAcceptanceTest.java
        NoMatchAcceptanceTest.java
        AuthnFailedResponseAcceptanceTest.java
        NonMatchingEidasAcceptanceTest.java
        TranslateResponseMultiTenantedSetupAcceptanceTest.java
        Utils
        MdsValueChecker.java
        rules
        VerifyServiceProviderAppRule.java
        NonMatchingVerifyServiceProviderAppRule.java
        NoAuthnContextResponseAcceptanceTest.java
        ErrorResponseAcceptanceTest.java
        InvalidSamlAcceptanceTest.java
        NonMatchingAcceptanceTest.java
        SecondaryEncryptionKeyAcceptanceTest.java
        AuthnRequestAcceptanceTest.java
  - main
    - resources
      - default-test-identity-dataset.json
      - test-idp-truststore.ts
      - test-metadata-truststore.ts
      - prod-hub-truststore.ts
      - ida_metadata_truststore.ts
      - prod-metadata-truststore.ts
      - prod-idp-truststore.ts
      - test-hub-truststore.ts
      - banner.txt
    - java
      - uk
        gov
        ida
        verifyserviceprovider
        compliance
        dto
        MatchingAddress.java
        MatchingDataset.java
        MatchingAttribute.java
        ComplianceToolModeConfiguration.java
        RefreshDatasetResource.java
        KeysAndCert.java
        ComplianceToolClient.java
        ComplianceToolModeConfigurationFactory.java
        ComplianceToolMode.java
        IdentityDatasetArgumentResolver.java
        configuration
        ConfigurationConstants.java
        MsaMetadataConfiguration.java
        HubEnvironment.java
        PrivateKeyDeserializer.java
        HubMetadataConfiguration.java
        VerifyHubConfiguration.java
        VerifyServiceProviderConfiguration.java
        EuropeanIdentityConfiguration.java
        dto
        VerifiableAttribute.java
        Attributes.java
        RequestResponseBody.java
        Address.java
        MatchingScenario.java
        Scenario.java
        RequestGenerationBody.java
        TranslatedNonMatchingResponseBody.java
        LevelOfAssurance.java
        NonMatchingScenario.java
        TranslateSamlResponseBody.java
        TranslatedMatchingResponseBody.java
        TranslatedResponseBody.java
        TestTranslatedNonMatchingResponseBody.java
        utils
        ApplicationUrlsGenerator.java
        ConfigurationFileFinder.java
        DateTimeComparator.java
        StringTableFormatter.java
        DefaultObjectMapper.java
        HealthCheckTableFormatter.java
        UsefulApplicationUrlsTableFormatter.java
        services
        EidasUnsignedAssertionTranslator.java
        VerifyAssertionTranslator.java
        AssertionClassifier.java
        BaseEidasAssertionTranslator.java
        IdentityResponderCodeTranslator.java
        ClassifyingAssertionTranslator.java
        AssertionTranslator.java
        ResponseService.java
        IdentityAssertionTranslator.java
        MatchingResponderCodeTranslator.java
        EntityIdService.java
        EidasAssertionTranslator.java
        UnsignedAssertionsResponseHandler.java
        ResponderCodeTranslator.java
        MatchingAssertionTranslator.java
        AttributeTranslator.java
        resources
        GenerateAuthnRequestResource.java
        VersionNumberResource.java
        TranslateSamlResponseResource.java
        validators
        EidasAssertionTranslatorValidatorContainer.java
        InstantValidator.java
        ConditionsValidator.java
        SubjectValidator.java
        AssertionValidator.java
        LevelOfAssuranceValidator.java
        TimeRestrictionValidator.java
        ResponseSizeValidator.java
        EidasEncryptionAlgorithmValidatorHelper.java
        listeners
        VerifyServiceProviderServerListener.java
        VerifyServiceProviderApplication.java
        exceptions
        JsonProcessingExceptionMapper.java
        NoHashingEntityIdIsProvidedError.java
        JerseyViolationExceptionMapper.java
        AuthnContextMissingException.java
        FailedToRequestVerifiedException.java
        InvalidEntityIdExceptionMapper.java
        MissingUnsignedAssertionsHandlerException.java
        RequestedOnlyVerifiedException.java
        InvalidEntityIdException.java
        factories
        saml
        ResponseFactory.java
        AuthnRequestFactory.java
        SignatureValidatorFactory.java
        VerifyServiceProviderFactory.java
        EncrypterFactory.java
        logging
        AuthnRequestAttributesHelper.java
        healthcheck
        MetadataHealthCheck.java
  - test
    - resources
      - logback-test.xml
      - verify-service-provider-with-msa-and-eidas.yml
      - verify-service-provider-with-msa.yml
    - java
      - common
        uk
        gov
        ida
        verifyserviceprovider
        utils
        SamlResponseHelper.java
        EnvironmentHelper.java
        servers
        MockMetadataAggregatorServer.java
        MockTrustAnchorServer.java
        MockMsaServer.java
        MockVerifyHubServer.java
      - feature
        uk
        gov
        ida
        verifyserviceprovider
        configuration
        VerifyHubConfigurationFeatureTests.java
        ApplicationConfigurationFeatureTests.java
        MsaMetadataFeatureTest.java
        HubMetadataFeatureTest.java
      - uk
        gov
        ida
        verifyserviceprovider
        compliance
        dto
        MatchingDatasetBuilder.java
        ComplianceToolModeTest.java
        RefreshDatasetResourceTest.java
        configuration
        EuropeanIdentityConfigurationTest.java
        services
        MatchingResponderCodeTranslatorTest.java
        IdentityResponderCodeTranslatorTest.java
      - unit
        uk
        gov
        ida
        verifyserviceprovider
        configuration
        MsaMetadataConfigurationTest.java
        HubEnvironmentTest.java
        utils
        DateTimeComparatorTest.java
        StringTableFormatterTest.java
        services
        UnsignedAssertionResponseHandlerTest.java
        EntityIdServiceTest.java
        EidasUnsignedAssertionTranslatorTest.java
        MatchingAssertionTranslatorTest.java
        VerifyAssertionTranslatorTest.java
        ResponseServiceTest.java
        EidasAssertionTranslatorTest.java
        AssertionClassifierTests.java
        AttributeTranslatorTests.java
        ClassifyingAssertionTranslatorTest.java
        BaseEidasAssertionTranslatorTestBase.java
        resources
        TranslateSamlResponseResourceTest.java
        GenerateAuthnRequestResourceTest.java
        VersionNumberResourceTest.java
        validators
        InstantValidatorTest.java
        SubjectValidatorTest.java
        LevelOfAssuranceValidatorTest.java
        ConditionsValidatorTest.java
        AssertionValidatorTest.java
        TimeRestrictionValidatorTest.java
        saml
        ResponseFactoryTest.java
        factories
        saml
        AuthnRequestFactoryTest.java
        VerifyServiceProviderConfigurationTest.java
- configuration
  - vsp-with-matching.yml
  - vsp-no-eidas.yml
  - vsp-eidas-without-matching.yml
  - vsp-with-matching-custom.yml
- gradle
  - wrapper
    - gradle-wrapper.properties
- gradlew.bat
- LICENSE
- gradlew
- Dockerfile.internal
- startup.sh
- CONTRIBUTING.md
- local-running
  - local-vsp-only.env
  - local-config.yml
- stub-msa-metadata
  - manifest.yml
  - metadata.xml
- build.gradle
- architecture-decisions
  - verify-service-provider-api.swagger.yml
- .adr-dir
- .travis.yml
- README.md
- pre-commit.sh
- integration-deployment.sh
- scripts
  - init-compliance-tool-for-environment.sh
  - genKey.sh
- ci
  - production-manifest.yml
  - dev-manifest-with-msa.yml
  - staging-manifest.yml
  - dev-manifest-multi-tenant.yml
  - dev-manifest.yml
  - integration-manifest.yml
- verify-service-provider.yml
- RELEASE_NOTES.md
- dev-deployment.sh
- settings.gradle
- .gitignore
- docs
  - development
    - Advanced_Configuration.md
    - Using_Local_Compliance_Tool.md
  - diagrams
    - service_architecture.graffle
    - request_flow.graffle
    - response_flow.graffle
    - stub_service_architecture.graffle
  - api
    - verify-service-provider-with-matching-api.swagger.yml
    - verify-service-provider-api.swagger.yml
  - adr
    - 0003-use-files-to-store-private-keys.md
    - 0015-we-will-depend-on-a-minimal-set-of-verify-saml-libs.md
    - 0025-we-will-only-release-one-configuration-file.md
    - 0017-we-will-pass-the-request-id-to-the-client.md
    - 0005-sp-will-generate-request-id.md
    - .keep
    - 0002-how-do-we-secure-the-api.md
    - 0021-we-will-use-http-200-for-valid-saml.md
    - 0019-we-will-validate-assertion-details.md
    - 0004-users-will-be-able-to-provide-relay-state.md
    - 0018-we-will-have-hubssolocation-as-a-configuration.md
    - 0009-we-will-not-use-a-dependency-injection-framework.md
    - 0024-release-process-for-verify-service-provider.md
    - 0012-we-will-use-the-full-profile.md
    - 0007-we-will-document-a-strawman-api.md
    - 0020-we-will-put-verified-status-inside-json-object.md
    - 0006-we-will-build-a-js-client.md
    - 0011-we-will-use-a-secure-token-to-validate-inresponseto.md
    - 0013-we-will-write-acceptance-tests-against-compliance-tool.md
    - 0010-we-will-keep-the-config-as-simple-as-possible.md
    - 0023-we-will-report-the-version-in-a-saml-extension.md
    - 0022-we-will-not-validate-the-recipient.md
    - 0001-record-architecture-decisions.md
    - 0026-development-mode-for-the-verify-service-provider.md
    - 0016-we-will-have-a-healthcheck-endpoint.md
    - 0014-html-will-not-be-generated-by-the-verify-service-provider.md
    - 0008-provide-an-end-to-end-stub.md
- .dockerignore
- test-keys-and-certs
  - vsp-signing.crt
  - vsp-encryption.pk8
  - msa-signing.pk8
  - msa-signing.crt
  - vsp-signing.pk8
  - vsp-encryption.crt

package uk.gov.ida.verifyserviceprovider.factories;

import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.security.crypto.KeySupport;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
import uk.gov.ida.saml.metadata.EidasMetadataConfiguration;
import uk.gov.ida.saml.metadata.EidasMetadataResolverRepository;
import uk.gov.ida.saml.metadata.EidasTrustAnchorResolver;
import uk.gov.ida.saml.metadata.MetadataResolverConfigBuilder;
import uk.gov.ida.saml.metadata.bundle.MetadataResolverBundle;
import uk.gov.ida.saml.metadata.factories.DropwizardMetadataResolverFactory;
import uk.gov.ida.saml.metadata.factories.MetadataSignatureTrustEngineFactory;
import uk.gov.ida.saml.security.EidasValidatorFactory;
import uk.gov.ida.saml.security.IdaKeyStore;
import uk.gov.ida.saml.security.IdaKeyStoreCredentialRetriever;
import uk.gov.ida.saml.security.MetadataBackedEncryptionCredentialResolver;
import uk.gov.ida.saml.security.SamlAssertionsSignatureValidator;
import uk.gov.ida.saml.security.SecretKeyDecryptorFactory;
import uk.gov.ida.shared.utils.manifest.ManifestReader;
import uk.gov.ida.verifyserviceprovider.configuration.EuropeanIdentityConfiguration;
import uk.gov.ida.verifyserviceprovider.configuration.VerifyServiceProviderConfiguration;
import uk.gov.ida.verifyserviceprovider.factories.saml.AuthnRequestFactory;
import uk.gov.ida.verifyserviceprovider.factories.saml.ResponseFactory;
import uk.gov.ida.verifyserviceprovider.factories.saml.SignatureValidatorFactory;
import uk.gov.ida.verifyserviceprovider.resources.GenerateAuthnRequestResource;
import uk.gov.ida.verifyserviceprovider.resources.TranslateSamlResponseResource;
import uk.gov.ida.verifyserviceprovider.resources.VersionNumberResource;
import uk.gov.ida.verifyserviceprovider.services.AssertionTranslator;
import uk.gov.ida.verifyserviceprovider.services.ClassifyingAssertionTranslator;
import uk.gov.ida.verifyserviceprovider.services.EidasAssertionTranslator;
import uk.gov.ida.verifyserviceprovider.services.EidasUnsignedAssertionTranslator;
import uk.gov.ida.verifyserviceprovider.services.EntityIdService;
import uk.gov.ida.verifyserviceprovider.services.ResponseService;
import uk.gov.ida.verifyserviceprovider.services.UnsignedAssertionsResponseHandler;
import uk.gov.ida.verifyserviceprovider.services.VerifyAssertionTranslator;
import uk.gov.ida.verifyserviceprovider.utils.DateTimeComparator;
import uk.gov.ida.verifyserviceprovider.validators.InstantValidator;

import javax.ws.rs.client.Client;
import java.security.KeyException;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.util.List;
import java.util.Optional;
import java.util.Timer;

import static java.util.Arrays.asList;
import static java.util.Collections.singletonList;
import static uk.gov.ida.verifyserviceprovider.factories.saml.ResponseFactory.createStringToResponseTransformer;
import static uk.gov.ida.verifyserviceprovider.validators.EidasEncryptionAlgorithmValidatorHelper.anEidasEncryptionAlgorithmValidator;

public class VerifyServiceProviderFactory {

    private final VerifyServiceProviderConfiguration configuration;
    private final ResponseFactory responseFactory;

    private final DateTimeComparator dateTimeComparator;
    private final EntityIdService entityIdService;
    private final MetadataResolverBundle<VerifyServiceProviderConfiguration> verifyMetadataBundler;
    private final MetadataResolverBundle<VerifyServiceProviderConfiguration> msaMetadataBundle;
    private final ManifestReader manifestReader;
    private final Client client;
    private final IdaKeyStore keyStore;
    private final SamlAssertionsSignatureValidator hubSignatureValidator;

    public VerifyServiceProviderFactory(
            VerifyServiceProviderConfiguration configuration,
            MetadataResolverBundle<VerifyServiceProviderConfiguration> verifyMetadataBundler,
            MetadataResolverBundle<VerifyServiceProviderConfiguration> msaMetadataBundle,
            Client client) throws KeyException {
        this.configuration = configuration;
        List<KeyPair> decryptionKeyPairs = getDecryptionKeyPairs(
                configuration.getSamlPrimaryEncryptionKey(),
                configuration.getSamlSecondaryEncryptionKey()
        );
        this.keyStore = new IdaKeyStore(null, decryptionKeyPairs);
        this.responseFactory = new ResponseFactory(decryptionKeyPairs);
        this.dateTimeComparator = new DateTimeComparator(configuration.getClockSkew());
        this.entityIdService = new EntityIdService(configuration.getServiceEntityIds());
        this.verifyMetadataBundler = verifyMetadataBundler;
        this.msaMetadataBundle = msaMetadataBundle;
        this.manifestReader = new ManifestReader();
        this.client = client;
        this.hubSignatureValidator = new SignatureValidatorFactory().getSignatureValidator(getHubSignatureTrustEngine());
    }

    private List<KeyPair> getDecryptionKeyPairs(PrivateKey primary, PrivateKey secondary) throws KeyException {
        if (secondary == null) {
            return singletonList(createKeyPair(primary));
        } else {
            return asList(createKeyPair(primary), createKeyPair(secondary));
        }
    }

    private KeyPair createKeyPair(PrivateKey key) throws KeyException {
        return new KeyPair(KeySupport.derivePublicKey(key), key);
    }

    public GenerateAuthnRequestResource getGenerateAuthnRequestResource() throws Exception {
        MetadataCredentialResolver metadataCredentialResolver = getHubMetadataCredentialResolver();
        MetadataBackedEncryptionCredentialResolver encryptionCredentialResolver = new MetadataBackedEncryptionCredentialResolver(metadataCredentialResolver, SPSSODescriptor.DEFAULT_ELEMENT_NAME);
        EncrypterFactory encrypterFactory = new EncrypterFactory(encryptionCredentialResolver, configuration.getVerifyHubMetadata().getExpectedEntityId());

        PrivateKey signingKey = configuration.getSamlSigningKey();

        AuthnRequestFactory authnRequestFactory = new AuthnRequestFactory(
                configuration.getHubSsoLocation(),
                createKeyPair(signingKey),
                manifestReader, encrypterFactory
        );

        return new GenerateAuthnRequestResource(
            authnRequestFactory,
            configuration.getHubSsoLocation(),
            entityIdService
        );
    }

    public TranslateSamlResponseResource getTranslateSamlResponseResource() {
        if (configuration.getMsaMetadata().isPresent()) {
            return getTranslateMatchingSamlResponseResource();
        } else if (isEidasEnabled()){
            return getEidasEnabledTranslateNonMatchingSamlResponseResource();
        } else {
            return getTranslateNonMatchingSamlResponseResource();
        }
    }

    private TranslateSamlResponseResource getTranslateMatchingSamlResponseResource() {
        ResponseService matchingResponseService = responseFactory.createMatchingResponseService(
                getHubSignatureTrustEngine(),
                responseFactory.createMsaAssertionTranslator(getMsaSignatureTrustEngine(), new SignatureValidatorFactory(), dateTimeComparator),
                dateTimeComparator
        );
        return new TranslateSamlResponseResource(matchingResponseService, entityIdService);
    }

    private TranslateSamlResponseResource getEidasEnabledTranslateNonMatchingSamlResponseResource() {
        VerifyAssertionTranslator verifyAssertionTranslator = responseFactory.createVerifyIdpAssertionTranslator(
                hubSignatureValidator,
                dateTimeComparator,
                configuration.getHashingEntityId()
        );

        EidasMetadataResolverRepository eidasMetadataResolverRepository = getEidasMetadataResolverRepository();
        IdaKeyStoreCredentialRetriever idaKeyStoreCredentialRetriever = new IdaKeyStoreCredentialRetriever(keyStore);
        UnsignedAssertionsResponseHandler unsignedAssertionsResponseHandler = new UnsignedAssertionsResponseHandler(
                new EidasValidatorFactory(eidasMetadataResolverRepository),
                createStringToResponseTransformer(),
                new InstantValidator(dateTimeComparator),
                new SecretKeyDecryptorFactory(idaKeyStoreCredentialRetriever),
                anEidasEncryptionAlgorithmValidator(),
                hubSignatureValidator
        );

        EidasAssertionTranslator eidasAssertionTranslator = responseFactory.createEidasAssertionTranslator(
                dateTimeComparator,
                eidasMetadataResolverRepository,
                configuration.getEuropeanIdentity().get(),
                configuration.getHashingEntityId()
        );

        EidasUnsignedAssertionTranslator eidasUnsignedAssertionTranslator = responseFactory.createEidasUnsignedAssertionTranslator(
                dateTimeComparator,
                eidasMetadataResolverRepository,
                configuration.getEuropeanIdentity().get(),
                configuration.getHashingEntityId()
        );

        AssertionTranslator assertionTranslator = new ClassifyingAssertionTranslator(
                verifyAssertionTranslator,
                eidasAssertionTranslator,
                eidasUnsignedAssertionTranslator);

        return new TranslateSamlResponseResource(
                responseFactory.createNonMatchingResponseService(
                        getHubSignatureTrustEngine(),
                        assertionTranslator,
                        dateTimeComparator,
                        unsignedAssertionsResponseHandler
                ),
                entityIdService);
    }

    private TranslateSamlResponseResource getTranslateNonMatchingSamlResponseResource() {
        VerifyAssertionTranslator assertionTranslator = responseFactory.createVerifyIdpAssertionTranslator(
                hubSignatureValidator,
                dateTimeComparator,
                configuration.getHashingEntityId()
        );

        return new TranslateSamlResponseResource(
                responseFactory.createNonMatchingResponseService(
                        getHubSignatureTrustEngine(),
                        assertionTranslator,
                        dateTimeComparator,
                        null
                ),
                entityIdService);
    }

    public VersionNumberResource getVersionNumberResource() {
        return new VersionNumberResource(manifestReader);
    }

    private ExplicitKeySignatureTrustEngine getHubSignatureTrustEngine() {
        return verifyMetadataBundler.getSignatureTrustEngine();
    }

    private MetadataCredentialResolver getHubMetadataCredentialResolver() {
        return verifyMetadataBundler.getMetadataCredentialResolver();
    }

    private ExplicitKeySignatureTrustEngine getMsaSignatureTrustEngine() {
        return msaMetadataBundle.getSignatureTrustEngine();
    }

    private EidasMetadataResolverRepository getEidasMetadataResolverRepository() {
        return new EidasMetadataResolverRepository(
                getEidasTrustAnchorResolver(),
                configuration.getEuropeanIdentity().get(),
                new DropwizardMetadataResolverFactory(),
                new Timer(),
                new MetadataSignatureTrustEngineFactory(),
                new MetadataResolverConfigBuilder(),
                client
            );
    }

    private EidasTrustAnchorResolver getEidasTrustAnchorResolver() {
        EidasMetadataConfiguration metadataConfiguration = configuration.getEuropeanIdentity().get();
        return new EidasTrustAnchorResolver(metadataConfiguration.getTrustAnchorUri(), client, metadataConfiguration.getTrustStore());
    }

    private boolean isEidasEnabled() {
        Optional<EuropeanIdentityConfiguration> eidasConfig = configuration.getEuropeanIdentity();
        return eidasConfig.map(EuropeanIdentityConfiguration::isEnabled).orElse(false);
    }
}