Skip to content

Commit

Permalink
Bump OpenSAML to 4.3.0
Browse files Browse the repository at this point in the history 
Manually backported PRs:
 - opensearch-project#2987
 - opensearch-project#2927

Signed-off-by: Andrey Pleskach <ples@aiven.io>
  • Loading branch information
@willyborankin
willyborankin committed Nov 8, 2023
1 parent 8607989 commit 79104bd
Show file tree
Hide file tree
Showing 5 changed files with 33 additions and 26 deletions.
4 changes: 2 additions & 2 deletions build.gradle
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ buildscript {
common_utils_version = System.getProperty("common_utils.version", '2.9.0.0-SNAPSHOT')
kafka_version = '3.5.1'
apache_cxf_version = '4.0.3'
open_saml_version = '3.4.5'
open_saml_version = '4.3.0'
one_login_java_saml = '2.9.0'
jjwt_version = '0.12.3'
guava_version = '32.1.3-jre'
Expand Down Expand Up @@ -604,7 +604,7 @@ dependencies {
testImplementation 'org.apache.camel:camel-xmlsecurity:3.21.2'

//OpenSAML
implementation 'net.shibboleth.utilities:java-support:7.5.1'
implementation 'net.shibboleth.utilities:java-support:8.4.0'
implementation "com.onelogin:java-saml:${one_login_java_saml}"
implementation "com.onelogin:java-saml-core:${one_login_java_saml}"
implementation "org.opensaml:opensaml-core:${open_saml_version}"
Expand Down
4 changes: 4 additions & 0 deletions plugin-security.policy
View file
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,10 @@ grant {

//Enable this permission to debug unauthorized de-serialization attempt
//permission java.io.SerializablePermission "enableSubstitution";

//SAML policy
permission java.util.PropertyPermission "*", "read,write";

};

grant codeBase "${codebase.netty-common}" {
Expand Down
6 changes: 3 additions & 3 deletions src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
import java.security.AccessController;
import java.security.PrivateKey;
import java.security.PrivilegedAction;
import java.time.Instant;
import java.util.AbstractMap;
import java.util.Collection;
import java.util.HashMap;
Expand All @@ -33,7 +34,6 @@
import com.onelogin.saml2.settings.SettingsBuilder;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.joda.time.DateTime;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.metadata.resolver.RefreshableMetadataResolver;
Expand All @@ -54,7 +54,7 @@ public class Saml2SettingsProvider {
private final String idpEntityId;
private final PrivateKey spSignaturePrivateKey;
private Saml2Settings cachedSaml2Settings;
private DateTime metadataUpdateTime;
private Instant metadataUpdateTime;

Saml2SettingsProvider(Settings opensearchSettings, MetadataResolver metadataResolver, PrivateKey spSignaturePrivateKey) {
this.opensearchSettings = opensearchSettings;
Expand Down Expand Up @@ -107,7 +107,7 @@ Saml2Settings get() throws SamlConfigException {
}

Saml2Settings getCached() throws SamlConfigException {
DateTime tempLastUpdate = null;
Instant tempLastUpdate = null;

if (this.metadataResolver instanceof RefreshableMetadataResolver && this.isUpdateRequired()) {
this.cachedSaml2Settings = null;
Expand Down
5 changes: 3 additions & 2 deletions src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.time.Duration;

import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
Expand All @@ -31,8 +32,8 @@ public class SamlHTTPMetadataResolver extends HTTPMetadataResolver {

SamlHTTPMetadataResolver(String idpMetadataUrl, Settings opensearchSettings, Path configPath) throws Exception {
super(createHttpClient(opensearchSettings, configPath), idpMetadataUrl);
setMinRefreshDelay(opensearchSettings.getAsLong("idp.min_refresh_delay", 60L * 1000L));
setMaxRefreshDelay(opensearchSettings.getAsLong("idp.max_refresh_delay", 14400000L));
setMinRefreshDelay(Duration.ofMillis(opensearchSettings.getAsLong("idp.min_refresh_delay", 60L * 1000L)));
setMaxRefreshDelay(Duration.ofMillis(opensearchSettings.getAsLong("idp.max_refresh_delay", 14400000L)));
setRefreshDelayFactor(opensearchSettings.getAsFloat("idp.refresh_delay_factor", 0.75f));
}

Expand Down
40 changes: 21 additions & 19 deletions src/test/java/com/amazon/dlic/auth/http/saml/MockSamlIdpServer.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
import java.net.URISyntaxException;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
Expand All @@ -33,6 +34,8 @@
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
Expand Down Expand Up @@ -89,8 +92,8 @@
import org.opensearch.security.test.helper.network.SocketUtils;

import net.shibboleth.utilities.java.support.codec.Base64Support;
import net.shibboleth.utilities.java.support.codec.EncodingException;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
Expand All @@ -100,7 +103,6 @@
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.messaging.context.SAMLProtocolContext;
Expand Down Expand Up @@ -350,11 +352,11 @@ public String handleSsoGetRequestBase(HttpRequest request) {

HTTPRedirectDeflateDecoder decoder = new HTTPRedirectDeflateDecoder();
decoder.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
decoder.setHttpServletRequest(httpServletRequest);
decoder.setHttpServletRequestSupplier(() -> httpServletRequest);
decoder.initialize();
decoder.decode();

MessageContext<SAMLObject> messageContext = decoder.getMessageContext();
MessageContext messageContext = decoder.getMessageContext();

if (!(messageContext.getMessage() instanceof AuthnRequest)) {
throw new RuntimeException("Expected AuthnRequest; received: " + messageContext.getMessage());
Expand Down Expand Up @@ -384,11 +386,11 @@ public void handleSloGetRequestBase(HttpRequest request) {

HTTPRedirectDeflateDecoder decoder = new HTTPRedirectDeflateDecoder();
decoder.setParserPool(XMLObjectProviderRegistrySupport.getParserPool());
decoder.setHttpServletRequest(httpServletRequest);
decoder.setHttpServletRequestSupplier(() -> httpServletRequest);
decoder.initialize();
decoder.decode();

MessageContext<SAMLObject> messageContext = decoder.getMessageContext();
MessageContext messageContext = decoder.getMessageContext();

if (!(messageContext.getMessage() instanceof LogoutRequest)) {
throw new RuntimeException("Expected LogoutRequest; received: " + messageContext.getMessage());
Expand All @@ -410,7 +412,7 @@ public void handleSloGetRequestBase(HttpRequest request) {

validationParams.setSignatureTrustEngine(buildSignatureTrustEngine(this.spSignatureCertificate));
securityParametersContext.setSignatureValidationParameters(validationParams);
signatureSecurityHandler.setHttpServletRequest(httpServletRequest);
signatureSecurityHandler.setHttpServletRequestSupplier(() -> httpServletRequest);
signatureSecurityHandler.initialize();
signatureSecurityHandler.invoke(messageContext);

Expand All @@ -434,18 +436,18 @@ private String createSamlAuthResponse(AuthnRequest authnRequest) {

response.setVersion(SAMLVersion.VERSION_20);
response.setStatus(createStatus(StatusCode.SUCCESS));
response.setIssueInstant(new DateTime());
response.setIssueInstant(Instant.now());

Assertion assertion = createSamlElement(Assertion.class);

assertion.setID(nextId());
assertion.setIssueInstant(new DateTime());
assertion.setIssueInstant(Instant.now());
assertion.setIssuer(createIssuer());

AuthnStatement authnStatement = createSamlElement(AuthnStatement.class);
assertion.getAuthnStatements().add(authnStatement);

authnStatement.setAuthnInstant(new DateTime());
authnStatement.setAuthnInstant(Instant.now());
authnStatement.setSessionIndex(nextId());
authnStatement.setAuthnContext(createAuthnCotext());

Expand All @@ -459,7 +461,7 @@ private String createSamlAuthResponse(AuthnRequest authnRequest) {
.add(
createSubjectConfirmation(
"urn:oasis:names:tc:SAML:2.0:cm:bearer",
new DateTime().plusMinutes(1),
Instant.now().plus(1, ChronoUnit.MINUTES),
authnRequest.getID(),
authnRequest.getAssertionConsumerServiceURL()
)
Expand All @@ -469,7 +471,7 @@ private String createSamlAuthResponse(AuthnRequest authnRequest) {
.add(
createSubjectConfirmation(
"urn:oasis:names:tc:SAML:2.0:cm:bearer",
new DateTime().plusMinutes(1),
Instant.now().plus(1, ChronoUnit.MINUTES),
null,
defaultAssertionConsumerService
)
Expand All @@ -479,8 +481,8 @@ private String createSamlAuthResponse(AuthnRequest authnRequest) {
Conditions conditions = createSamlElement(Conditions.class);
assertion.setConditions(conditions);

conditions.setNotBefore(new DateTime());
conditions.setNotOnOrAfter(new DateTime().plusMinutes(1));
conditions.setNotBefore(Instant.now());
conditions.setNotOnOrAfter(Instant.now().plus(1, ChronoUnit.MINUTES));

if (authenticateUserRoles != null) {
AttributeStatement attributeStatement = createSamlElement(AttributeStatement.class);
Expand Down Expand Up @@ -520,9 +522,9 @@ private String createSamlAuthResponse(AuthnRequest authnRequest) {

String marshalledXml = marshallSamlXml(response);

return Base64Support.encode(marshalledXml.getBytes("UTF-8"), Base64Support.UNCHUNKED);
return Base64Support.encode(marshalledXml.getBytes(StandardCharsets.UTF_8), Base64Support.UNCHUNKED);

} catch (MarshallingException | SignatureException | UnsupportedEncodingException | EncryptionException e) {
} catch (MarshallingException | SignatureException | EncryptionException | EncodingException e) {
throw new RuntimeException(e);
}
}
Expand Down Expand Up @@ -566,7 +568,7 @@ private NameIDFormat createNameIDFormat(String format) {

NameIDFormat nameIdFormat = createSamlElement(NameIDFormat.class);

nameIdFormat.setFormat("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
nameIdFormat.setURI("urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");

return nameIdFormat;
}
Expand All @@ -586,7 +588,7 @@ private NameID createNameID(String format, String value) {
return nameID;
}

private SubjectConfirmation createSubjectConfirmation(String method, DateTime notOnOrAfter, String inResponseTo, String recipient) {
private SubjectConfirmation createSubjectConfirmation(String method, Instant notOnOrAfter, String inResponseTo, String recipient) {
SubjectConfirmation result = createSamlElement(SubjectConfirmation.class);
result.setMethod(method);

Expand All @@ -610,7 +612,7 @@ private Issuer createIssuer() {
private AuthnContext createAuthnCotext() {
AuthnContext authnContext = createSamlElement(AuthnContext.class);
AuthnContextClassRef authnContextClassRef = createSamlElement(AuthnContextClassRef.class);
authnContextClassRef.setAuthnContextClassRef(AuthnContext.UNSPECIFIED_AUTHN_CTX);
authnContextClassRef.setURI(AuthnContext.UNSPECIFIED_AUTHN_CTX);
authnContext.setAuthnContextClassRef(authnContextClassRef);
return authnContext;
}
Expand Down

0 comments on commit 79104bd

Please sign in to comment.