| // Copyright 2014 Google Inc. All Rights Reserved. |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| |
| package com.google.enterprise.adaptor.sharepoint; |
| |
| import com.google.common.annotations.VisibleForTesting; |
| import com.google.common.base.Strings; |
| import com.google.enterprise.adaptor.sharepoint.SamlAuthenticationHandler.HttpPostClient; |
| import com.google.enterprise.adaptor.sharepoint.SamlAuthenticationHandler.HttpPostClientImpl; |
| import com.google.enterprise.adaptor.sharepoint.SamlAuthenticationHandler.PostResponseInfo; |
| import com.google.enterprise.adaptor.sharepoint.SamlAuthenticationHandler.SamlHandshakeManager; |
| |
| import java.io.IOException; |
| import java.io.StringReader; |
| import java.io.StringWriter; |
| import java.net.URL; |
| import java.net.URLEncoder; |
| import java.util.HashMap; |
| import java.util.Map; |
| import java.util.logging.Level; |
| import java.util.logging.Logger; |
| |
| import javax.xml.parsers.DocumentBuilder; |
| import javax.xml.parsers.DocumentBuilderFactory; |
| import javax.xml.parsers.ParserConfigurationException; |
| import javax.xml.transform.Transformer; |
| import javax.xml.transform.TransformerConfigurationException; |
| import javax.xml.transform.TransformerException; |
| import javax.xml.transform.TransformerFactory; |
| import javax.xml.transform.dom.DOMSource; |
| import javax.xml.transform.stream.StreamResult; |
| |
| import org.w3c.dom.Document; |
| import org.w3c.dom.Node; |
| import org.w3c.dom.NodeList; |
| import org.xml.sax.InputSource; |
| import org.xml.sax.SAXException; |
| |
| /** |
| * SamlHandshakeManager implementation to support ADFS 2.0 |
| * to request ADFS authentication token and extract authentication cookie. |
| */ |
| public class AdfsHandshakeManager implements SamlHandshakeManager { |
| private static final Logger log |
| = Logger.getLogger(AdfsHandshakeManager.class.getName()); |
| |
| private static final String DEFAULT_LOGIN = "/_layouts/Authenticate.aspx"; |
| private static final String DEFAULT_TRUST = "/_trust"; |
| |
| protected final String login; |
| protected final String username; |
| protected final String password; |
| protected final String sharePointUrl; |
| protected final String stsendpoint; |
| protected final String stsrealm; |
| protected final HttpPostClient httpClient; |
| protected final String trustLocation; |
| private static final String reqXML |
| = "<?xml version=\"1.0\" encoding=\"utf-8\" ?>" |
| + "<s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" " |
| + "xmlns:a=\"http://www.w3.org/2005/08/addressing\" " |
| + "xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/" |
| + "oasis-200401-wss-wssecurity-utility-1.0.xsd\"><s:Header>" |
| + "<a:Action s:mustUnderstand=\"1\">" |
| + "http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>" |
| + "<a:ReplyTo><a:Address>" |
| + "http://www.w3.org/2005/08/addressing/anonymous</a:Address>" |
| + "</a:ReplyTo><a:To s:mustUnderstand=\"1\">" |
| + "%s</a:To>" // stsendpont |
| + "<o:Security s:mustUnderstand=\"1\" " |
| + "xmlns:o=\"http://docs.oasis-open.org/wss/2004/01/" |
| + "oasis-200401-wss-wssecurity-secext-1.0.xsd\">" |
| + "<o:UsernameToken><o:Username>%s</o:Username>" //username |
| + "<o:Password>%s</o:Password></o:UsernameToken>" //password |
| + "</o:Security></s:Header><s:Body>" |
| + "<t:RequestSecurityToken " |
| + "xmlns:t=\"http://schemas.xmlsoap.org/ws/2005/02/trust\">" |
| + "<wsp:AppliesTo xmlns:wsp=\"" |
| + "http://schemas.xmlsoap.org/ws/2004/09/policy\">" |
| + "<a:EndpointReference><a:Address>%s</a:Address>" //stsrealm |
| + "</a:EndpointReference></wsp:AppliesTo>" |
| + "<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey" |
| + "</t:KeyType>" |
| + "<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue" |
| + "</t:RequestType>" |
| + "<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>" |
| + "</t:RequestSecurityToken></s:Body></s:Envelope>"; |
| |
| @VisibleForTesting |
| AdfsHandshakeManager(String sharePointUrl, String username, |
| String password, String stsendpoint, String stsrealm, String login, |
| String trustLocation, HttpPostClient httpClient) { |
| this.sharePointUrl = sharePointUrl; |
| this.username = username; |
| this.password = password; |
| this.stsendpoint = stsendpoint; |
| this.stsrealm = stsrealm; |
| this.login = login; |
| this.trustLocation = trustLocation; |
| this.httpClient = httpClient; |
| } |
| |
| public static class Builder { |
| private final String username; |
| private final String password; |
| private final String sharePointUrl; |
| private final String stsendpoint; |
| private final String stsrealm; |
| private final HttpPostClient httpClient; |
| private String login; |
| private String trustLocation; |
| |
| public Builder(String sharePointUrl, String username, |
| String password, String stsendpoint, String stsrealm) { |
| this(sharePointUrl, username, password, stsendpoint, stsrealm, |
| new HttpPostClientImpl()); |
| } |
| |
| @VisibleForTesting |
| Builder(String sharePointUrl, String username, |
| String password, String stsendpoint, String stsrealm, |
| HttpPostClient httpClient) { |
| if (sharePointUrl == null || username == null || password == null |
| || stsendpoint == null || httpClient == null || stsrealm == null) { |
| throw new NullPointerException(); |
| } |
| this.sharePointUrl = sharePointUrl; |
| this.username = username; |
| this.password = password; |
| this.stsendpoint = stsendpoint; |
| this.stsrealm = stsrealm; |
| this.httpClient = httpClient; |
| this.login = sharePointUrl + DEFAULT_LOGIN; |
| this.trustLocation = sharePointUrl + DEFAULT_TRUST; |
| } |
| |
| public Builder setLoginUrl(String login) { |
| this.login = login; |
| return this; |
| } |
| |
| public Builder setTrustLocation(String trustLocation) { |
| this.trustLocation = trustLocation; |
| return this; |
| } |
| |
| public AdfsHandshakeManager build() { |
| if (Strings.isNullOrEmpty(trustLocation) |
| || Strings.isNullOrEmpty(login)) { |
| throw new NullPointerException(); |
| } |
| return new AdfsHandshakeManager(sharePointUrl, username, |
| password, stsendpoint, stsrealm, login, trustLocation, httpClient); |
| } |
| } |
| |
| @Override |
| public String requestToken() throws IOException { |
| String saml = generateSamlRequest(); |
| URL u = new URL(stsendpoint); |
| Map<String, String> requestHeaders = new HashMap<String, String>(); |
| requestHeaders.put("SOAPAction", stsendpoint); |
| requestHeaders.put("Content-Type", |
| "application/soap+xml; charset=utf-8"); |
| PostResponseInfo postResponse |
| = httpClient.issuePostRequest(u, requestHeaders, saml); |
| String result = postResponse.getPostContents(); |
| return extractToken(result); |
| } |
| |
| @Override |
| public String getAuthenticationCookie(String token) throws IOException { |
| URL u = new URL(trustLocation); |
| String param = "wa=wsignin1.0" |
| + "&wctx=" + URLEncoder.encode(login,"UTF-8") |
| + "&wresult=" + URLEncoder.encode(token, "UTF-8"); |
| |
| Map<String, String> requestHeaders = new HashMap<String, String>(); |
| requestHeaders.put("SOAPAction", stsendpoint); |
| PostResponseInfo postResponse |
| = httpClient.issuePostRequest(u, requestHeaders, param); |
| String cookie = postResponse.getPostResponseHeaderField("Set-Cookie"); |
| return cookie; |
| } |
| |
| private String generateSamlRequest() { |
| return String.format(reqXML, escapeCdata(stsendpoint), |
| escapeCdata(username), escapeCdata(password), escapeCdata(stsrealm)); |
| } |
| |
| @VisibleForTesting |
| String extractToken(String tokenResponse) throws IOException { |
| if (tokenResponse == null) { |
| throw new IOException("tokenResponse is null"); |
| } |
| try { |
| DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); |
| dbf.setNamespaceAware(true); |
| DocumentBuilder db = dbf.newDocumentBuilder(); |
| Document document |
| = db.parse(new InputSource(new StringReader(tokenResponse))); |
| NodeList nodes |
| = document.getElementsByTagNameNS( |
| "http://schemas.xmlsoap.org/ws/2005/02/trust", |
| "RequestSecurityTokenResponse"); |
| if (nodes.getLength() == 0) { |
| log.log(Level.WARNING, |
| "ADFS token not available in response {0}", tokenResponse); |
| throw new IOException("ADFS token not available in response"); |
| } |
| Node responseToken = nodes.item(0); |
| String token = getOuterXml(responseToken); |
| log.log(Level.FINER, "ADFS Authentication Token {0}", token); |
| return token; |
| } catch (ParserConfigurationException ex) { |
| throw new IOException("Error parsing result", ex); |
| } catch (SAXException ex) { |
| throw new IOException("Error parsing result", ex); |
| } |
| } |
| |
| private String getOuterXml(Node node) throws IOException { |
| try { |
| Transformer transformer |
| = TransformerFactory.newInstance().newTransformer(); |
| transformer.setOutputProperty("omit-xml-declaration", "yes"); |
| StringWriter writer = new StringWriter(); |
| transformer.transform(new DOMSource(node), new StreamResult(writer)); |
| return writer.toString(); |
| } catch (TransformerConfigurationException ex) { |
| throw new IOException(ex); |
| } catch (TransformerException ex) { |
| throw new IOException(ex); |
| } |
| } |
| |
| @VisibleForTesting |
| String escapeCdata(String input) { |
| if (Strings.isNullOrEmpty(input)) { |
| return ""; |
| } |
| return "<![CDATA[" + input.replace("]]>", "]]]]><![CDATA[>") + "]]>"; |
| } |
| } |
