import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
/**
 * New authn statement.
 *
 * @param contextClassRef the context class ref such as {@link AuthnContext#PASSWORD_AUTHN_CTX}
 * @param authnInstant    the authn instant
 * @param sessionIndex    the session index
 * @return the authn statement
 */
public AuthnStatement newAuthnStatement(final String contextClassRef, final ZonedDateTime authnInstant,
                                        final String sessionIndex) {
    LOGGER.debug("Building authentication statement with context class ref [{}] @ [{}] with index [{}]",
            contextClassRef, authnInstant, sessionIndex);

    final AuthnStatement stmt = newSamlObject(AuthnStatement.class);
    final AuthnContext ctx = newSamlObject(AuthnContext.class);

    final AuthnContextClassRef classRef = newSamlObject(AuthnContextClassRef.class);
    classRef.setAuthnContextClassRef(contextClassRef);

    ctx.setAuthnContextClassRef(classRef);
    stmt.setAuthnContext(ctx);
    stmt.setAuthnInstant(DateTimeUtils.dateTimeOf(authnInstant));
    stmt.setSessionIndex(sessionIndex);
    return stmt;
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
/**
 * Creates an authentication statement for the current request.
 *
 * @param assertion    the assertion
 * @param authnRequest the authn request
 * @param adaptor      the adaptor
 * @param service      the service
 * @return constructed authentication statement
 * @throws SamlException the saml exception
 */
private AuthnStatement buildAuthnStatement(final Assertion assertion, final AuthnRequest authnRequest,
                                           final SamlRegisteredServiceServiceProviderMetadataFacade adaptor,
                                           final SamlRegisteredService service) throws SamlException {

    final String authenticationMethod = this.authnContextClassRefBuilder.build(assertion, authnRequest, adaptor, service);
    final String id = '_' + String.valueOf(Math.abs(new SecureRandom().nextLong()));
    final AuthnStatement statement = newAuthnStatement(authenticationMethod, DateTimeUtils.zonedDateTimeOf(assertion.getAuthenticationDate()), id);
    if (assertion.getValidUntilDate() != null) {
        final ZonedDateTime dt = DateTimeUtils.zonedDateTimeOf(assertion.getValidUntilDate());
        statement.setSessionNotOnOrAfter(
                DateTimeUtils.dateTimeOf(dt.plusSeconds(casProperties.getAuthn().getSamlIdp().getResponse().getSkewAllowance())));
    }
    statement.setSubjectLocality(buildSubjectLocality(assertion, authnRequest, adaptor));
    return statement;
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
@Before
public void setUp() {
    instantValidator = mock(InstantValidator.class);
    subjectValidator = mock(SubjectValidator.class);
    conditionsValidator = mock(ConditionsValidator.class);
    assertion = mock(Assertion.class);
    AuthnStatement authnStatement = mock(AuthnStatement.class);

    validator = new AssertionValidator(
        instantValidator,
        subjectValidator,
        conditionsValidator
    );

    when(assertion.getAuthnStatements()).thenReturn(ImmutableList.of(authnStatement));

    IdaSamlBootstrap.bootstrap();
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
/**
 * Create a new SAML1 response object.
 *
 * @param authnStatement the authn statement
 * @param issuer the issuer
 * @param issuedAt the issued at
 * @param id the id
 * @return the assertion
 */
public Assertion newAssertion(final AuthnStatement authnStatement, final String issuer,
                              final DateTime issuedAt, final String id) {
    final Assertion assertion = newSamlObject(Assertion.class);
    assertion.setID(id);
    assertion.setIssueInstant(issuedAt);
    assertion.setIssuer(newIssuer(issuer));
    assertion.getAuthnStatements().add(authnStatement);
    return assertion;
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
/**
 * New authn statement.
 *
 * @param contextClassRef the context class ref such as {@link AuthnContext#PASSWORD_AUTHN_CTX}
 * @param authnInstant the authn instant
 * @return the authn statement
 */
public AuthnStatement newAuthnStatement(final String contextClassRef, final DateTime authnInstant) {
    final AuthnStatement stmt = newSamlObject(AuthnStatement.class);
    final AuthnContext ctx = newSamlObject(AuthnContext.class);

    final AuthnContextClassRef classRef = newSamlObject(AuthnContextClassRef.class);
    classRef.setAuthnContextClassRef(contextClassRef);

    ctx.setAuthnContextClassRef(classRef);
    stmt.setAuthnContext(ctx);
    stmt.setAuthnInstant(authnInstant);

    return stmt;
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
/**
 * Construct SAML response.
 * <a href="http://bit.ly/1uI8Ggu">See this reference for more info.</a>
 * @return the SAML response
 */
private String constructSamlResponse() {
    final DateTime currentDateTime = DateTime.parse(new ISOStandardDateFormat().getCurrentDateAndTime());
    final DateTime notBeforeIssueInstant = DateTime.parse("2003-04-17T00:46:02Z");

    final RegisteredService svc = this.servicesManager.findServiceBy(this);
    final String userId = svc.getUsernameAttributeProvider().resolveUsername(getPrincipal(), this);

    final org.opensaml.saml.saml2.core.Response response = BUILDER.newResponse(
            BUILDER.generateSecureRandomId(),
            currentDateTime,
            getId(), this);
    response.setStatus(BUILDER.newStatus(StatusCode.SUCCESS, null));

    final AuthnStatement authnStatement = BUILDER.newAuthnStatement(
            AuthnContext.PASSWORD_AUTHN_CTX, currentDateTime);
    final Assertion assertion = BUILDER.newAssertion(authnStatement,
            "https://www.opensaml.org/IDP",
            notBeforeIssueInstant, BUILDER.generateSecureRandomId());

    final Conditions conditions = BUILDER.newConditions(notBeforeIssueInstant,
            currentDateTime, getId());
    assertion.setConditions(conditions);

    final Subject subject = BUILDER.newSubject(NameID.EMAIL, userId,
            getId(), currentDateTime, this.requestId);
    assertion.setSubject(subject);

    response.getAssertions().add(assertion);

    final StringWriter writer = new StringWriter();
    BUILDER.marshalSamlXmlObject(response, writer);

    final String result = writer.toString();
    logger.debug("Generated Google SAML response: {}", result);
    return result;
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
public SamlProfileSamlAssertionBuilder(final OpenSamlConfigBean configBean,
                                       final SamlProfileObjectBuilder<AuthnStatement> samlProfileSamlAuthNStatementBuilder,
                                       final SamlProfileObjectBuilder<AttributeStatement> samlProfileSamlAttributeStatementBuilder,
                                       final SamlProfileObjectBuilder<Subject> samlProfileSamlSubjectBuilder,
                                       final SamlProfileObjectBuilder<Conditions> samlProfileSamlConditionsBuilder,
                                       final BaseSamlObjectSigner samlObjectSigner) {
    super(configBean);
    this.samlProfileSamlAuthNStatementBuilder = samlProfileSamlAuthNStatementBuilder;
    this.samlProfileSamlAttributeStatementBuilder = samlProfileSamlAttributeStatementBuilder;
    this.samlProfileSamlSubjectBuilder = samlProfileSamlSubjectBuilder;
    this.samlProfileSamlConditionsBuilder = samlProfileSamlConditionsBuilder;
    this.samlObjectSigner = samlObjectSigner;
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
@Override
public AuthnStatement build(final AuthnRequest authnRequest, 
                            final HttpServletRequest request,
                            final HttpServletResponse response,
                            final Assertion assertion, 
                            final SamlRegisteredService service,
                            final SamlRegisteredServiceServiceProviderMetadataFacade adaptor,
                            final String binding) throws SamlException {
    return buildAuthnStatement(assertion, authnRequest, adaptor, service);
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
/**
 * Construct SAML response.
 * <a href="http://bit.ly/1uI8Ggu">See this reference for more info.</a>
 *
 * @param service the service
 * @return the SAML response
 */
protected String constructSamlResponse(final GoogleAccountsService service) {
    final ZonedDateTime currentDateTime = ZonedDateTime.now(ZoneOffset.UTC);
    final ZonedDateTime notBeforeIssueInstant = ZonedDateTime.parse("2003-04-17T00:46:02Z");
    final RegisteredService registeredService = servicesManager.findServiceBy(service);
    if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed()) {
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE);
    }
    final String userId = registeredService.getUsernameAttributeProvider().resolveUsername(service.getPrincipal(), service, registeredService);

    final org.opensaml.saml.saml2.core.Response response = this.samlObjectBuilder.newResponse(
            this.samlObjectBuilder.generateSecureRandomId(), currentDateTime, null, service);
    response.setStatus(this.samlObjectBuilder.newStatus(StatusCode.SUCCESS, null));

    final String sessionIndex = '_' + String.valueOf(Math.abs(new SecureRandom().nextLong()));
    final AuthnStatement authnStatement = this.samlObjectBuilder.newAuthnStatement(AuthnContext.PASSWORD_AUTHN_CTX, currentDateTime, sessionIndex);
    final Assertion assertion = this.samlObjectBuilder.newAssertion(authnStatement, casServerPrefix,
            notBeforeIssueInstant, this.samlObjectBuilder.generateSecureRandomId());

    final Conditions conditions = this.samlObjectBuilder.newConditions(notBeforeIssueInstant,
            currentDateTime.plusSeconds(this.skewAllowance), service.getId());
    assertion.setConditions(conditions);

    final Subject subject = this.samlObjectBuilder.newSubject(NameID.EMAIL, userId,
            service.getId(), currentDateTime.plusSeconds(this.skewAllowance), service.getRequestId());
    assertion.setSubject(subject);

    response.getAssertions().add(assertion);

    final StringWriter writer = new StringWriter();
    this.samlObjectBuilder.marshalSamlXmlObject(response, writer);

    final String result = writer.toString();
    LOGGER.debug("Generated Google SAML response: [{}]", result);
    return result;
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
public TranslatedResponseBody translate(
    List<Assertion> assertions,
    String expectedInResponseTo,
    LevelOfAssurance expectedLevelOfAssurance,
    String entityId
) {
    validateAssertions(assertions);
    Assertion assertion = assertions.get(0);

    assertionValidator.validate(assertion, expectedInResponseTo, entityId);
    assertionsSignatureValidator.validate(assertions, IDPSSODescriptor.DEFAULT_ELEMENT_NAME);

    AuthnStatement authnStatement = assertion.getAuthnStatements().get(0);

    LevelOfAssurance levelOfAssurance = extractLevelOfAssurance(authnStatement);
    LevelOfAssuranceValidator levelOfAssuranceValidator = new LevelOfAssuranceValidator();
    levelOfAssuranceValidator.validate(levelOfAssurance, expectedLevelOfAssurance);

    String nameID = assertion.getSubject().getNameID().getValue();
    List<AttributeStatement> attributeStatements = assertion.getAttributeStatements();
    if (isUserAccountCreation(attributeStatements)) {
        return new TranslatedResponseBody(
            ACCOUNT_CREATION,
            nameID,
            levelOfAssurance,
            AttributeTranslationService.translateAttributes(attributeStatements.get(0))
        );

    }

    return new TranslatedResponseBody(SUCCESS_MATCH, nameID, levelOfAssurance, null);
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
private LevelOfAssurance extractLevelOfAssurance(AuthnStatement authnStatement) {
    String levelOfAssuranceString = ofNullable(authnStatement.getAuthnContext())
        .map(AuthnContext::getAuthnContextClassRef)
        .map(AuthnContextClassRef::getAuthnContextClassRef)
        .orElseThrow(() -> new SamlResponseValidationException("Expected a level of assurance."));

    try {
        return LevelOfAssurance.fromSamlValue(levelOfAssuranceString);
    } catch (Exception ex) {
        throw new SamlResponseValidationException(String.format("Level of assurance '%s' is not supported.", levelOfAssuranceString));
    }
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
@Test
public void shouldThrowExceptionWhenLevelOfAssuranceNotPresent() {
    expectedException.expect(SamlResponseValidationException.class);
    expectedException.expectMessage("Expected a level of assurance.");

    AuthnStatement authnStatement = anAuthnStatement().withAuthnContext(
        anAuthnContext().withAuthnContextClassRef(null).build())
        .build();
    Assertion assertion = aSignedAssertion()
        .addAuthnStatement(authnStatement
        ).buildUnencrypted();

    translator.translate(ImmutableList.of(assertion), IN_RESPONSE_TO, LEVEL_2, VERIFY_SERVICE_PROVIDER_ENTITY_ID);
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
/**
 * Searches the sessionIndex in the assertion
 * 
 * @param subjectAssertion assertion from the response
 * @return the sessionIndex if found in the assertion
 */
private final String getSessionIndex(Assertion subjectAssertion) {
    List<AuthnStatement> authnStatements = subjectAssertion.getAuthnStatements();
    if(authnStatements != null && authnStatements.size() > 0) {
    	AuthnStatement statement = authnStatements.get(0);
    	if(statement != null) {
    		return statement.getSessionIndex();
    	}
    }
    return null;
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
/**
 * Validate the given authnStatements:
 *  - authnInstant
 *  - sessionNotOnOrAfter
 *
 * @param authnStatements the authn statements
 * @param context the context
 */
protected final void validateAuthenticationStatements(final List<AuthnStatement> authnStatements,
                                                      final SAML2MessageContext context) {

    for (final AuthnStatement statement : authnStatements) {
        if (!isAuthnInstantValid(statement.getAuthnInstant())) {
            throw new SAMLException("Authentication issue instant is too old or in the future");
        }
        if (statement.getSessionNotOnOrAfter() != null && statement.getSessionNotOnOrAfter().isBeforeNow()) {
            throw new SAMLException("Authentication session between IDP and subject has ended");
        }
        // TODO implement authnContext validation
    }
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
public AuthnStatement transform(MatchingServiceAuthnStatement idaAuthnStatement) {
    AuthnStatement authnStatement = openSamlXmlObjectFactory.createAuthnStatement();
    AuthnContext authnContext = openSamlXmlObjectFactory.createAuthnContext();
    authnContext.setAuthnContextClassRef(openSamlXmlObjectFactory.createAuthnContextClassReference(idaAuthnStatement.getAuthnContext().getUri()));
    authnStatement.setAuthnContext(authnContext);
    authnStatement.setAuthnInstant(DateTime.now());
    return authnStatement;
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
public AuthnStatementValidator(Function<T, AuthnStatement> valueProvider, DateTimeComparator dateTimeComparator) {
    super(
        true,
        valueProvider,
        new RequiredValidator<>(AUTHN_STATEMENT_NOT_PRESENT),
        TimeRestrictionValidators.notInFutureValidator(dateTimeComparator, AuthnStatement::getAuthnInstant, AUTHN_INSTANT_IN_FUTURE),
        TimeRestrictionValidators.notInPastValidator(dateTimeComparator, as -> as.getAuthnInstant().plusMinutes(AUTHN_INSTANT_VALIDITY_DURATION_IN_MINUTES), AUTHN_INSTANT_TOO_OLD)
    );
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
private void verifyLevel(AuthnContext requestedLevel, String expectedLevel) {
    MatchingServiceAuthnStatement matchingServiceAuthnStatement = MatchingServiceAuthnStatement.createIdaAuthnStatement(requestedLevel);

    AuthnStatement authnStatement = transformer.transform(matchingServiceAuthnStatement);

    assertThat(authnStatement.getAuthnInstant()).isEqualTo(DateTime.now());
    Assertions.assertThat(authnStatement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef()).isEqualTo(expectedLevel);
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
/**
 * Construct SAML response.
 * <a href="http://bit.ly/1uI8Ggu">See this reference for more info.</a>
 * @return the SAML response
 */
private String constructSamlResponse() {
    final DateTime currentDateTime = new DateTime();
    final DateTime notBeforeIssueInstant = DateTime.parse("2003-04-17T00:46:02Z");

    final ApplicationContext context = ApplicationContextProvider.getApplicationContext();
    final ServicesManager servicesManager = context.getBean("servicesManager", ServicesManager.class);
    final RegisteredService svc = servicesManager.findServiceBy(this);
    final String userId = svc.getUsernameAttributeProvider().resolveUsername(getPrincipal(), this);

    final org.opensaml.saml.saml2.core.Response response = BUILDER.newResponse(
            BUILDER.generateSecureRandomId(),
            currentDateTime,
            getId(), this);
    response.setStatus(BUILDER.newStatus(StatusCode.SUCCESS, null));

    final AuthnStatement authnStatement = BUILDER.newAuthnStatement(
            AuthnContext.PASSWORD_AUTHN_CTX, currentDateTime);
    final Assertion assertion = BUILDER.newAssertion(authnStatement,
            "https://www.opensaml.org/IDP",
            notBeforeIssueInstant, BUILDER.generateSecureRandomId());

    final Conditions conditions = BUILDER.newConditions(notBeforeIssueInstant,
            currentDateTime.plusSeconds(this.skewAllowance), getId());
    assertion.setConditions(conditions);

    final Subject subject = BUILDER.newSubject(NameID.EMAIL, userId,
            getId(), currentDateTime.plusSeconds(this.skewAllowance), this.requestId);
    assertion.setSubject(subject);

    response.getAssertions().add(assertion);

    final StringWriter writer = new StringWriter();
    BUILDER.marshalSamlXmlObject(response, writer);

    final String result = writer.toString();
    logger.debug("Generated Google SAML response: {}", result);
    return result;
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
/**
 * Construct SAML response.
 * <a href="http://bit.ly/1uI8Ggu">See this reference for more info.</a>
 * @param service the service
 * @return the SAML response
 */
protected String constructSamlResponse(final GoogleAccountsService service) {
    final DateTime currentDateTime = new DateTime();
    final DateTime notBeforeIssueInstant = DateTime.parse("2003-04-17T00:46:02Z");

    /*
     * Must be looked up directly from the context
     * because the services manager is not serializable
     * and cannot be class field.
     */
    final ApplicationContext context = ApplicationContextProvider.getApplicationContext();
    final ServicesManager servicesManager = context.getBean("servicesManager", ServicesManager.class);
    final RegisteredService registeredService = servicesManager.findServiceBy(service);
    if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed()) {
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE);
    }
    final String userId = registeredService.getUsernameAttributeProvider()
                .resolveUsername(service.getPrincipal(), service);

    final org.opensaml.saml.saml2.core.Response response = samlObjectBuilder.newResponse(
        samlObjectBuilder.generateSecureRandomId(), currentDateTime, service.getId(), service);
    response.setStatus(samlObjectBuilder.newStatus(StatusCode.SUCCESS, null));

    final AuthnStatement authnStatement = samlObjectBuilder.newAuthnStatement(
        AuthnContext.PASSWORD_AUTHN_CTX, currentDateTime);
    final Assertion assertion = samlObjectBuilder.newAssertion(authnStatement,
        "https://www.opensaml.org/IDP",
        notBeforeIssueInstant, samlObjectBuilder.generateSecureRandomId());

    final Conditions conditions = samlObjectBuilder.newConditions(notBeforeIssueInstant,
            currentDateTime.plusSeconds(this.skewAllowance), service.getId());
    assertion.setConditions(conditions);

    final Subject subject = samlObjectBuilder.newSubject(NameID.EMAIL, userId,
        service.getId(), currentDateTime.plusSeconds(this.skewAllowance), service.getRequestId());
    assertion.setSubject(subject);

    response.getAssertions().add(assertion);

    final StringWriter writer = new StringWriter();
    samlObjectBuilder.marshalSamlXmlObject(response, writer);

    final String result = writer.toString();
    LOGGER.debug("Generated Google SAML response: {}", result);
    return result;
}
 

import org.opensaml.saml.saml2.core.AuthnStatement; //导入依赖的package包/类
@ConditionalOnMissingBean(name = "samlProfileSamlAuthNStatementBuilder")
@Bean
@RefreshScope
public SamlProfileObjectBuilder<AuthnStatement> samlProfileSamlAuthNStatementBuilder() {
    return new SamlProfileSamlAuthNStatementBuilder(openSamlConfigBean, defaultAuthnContextClassRefBuilder());
}