Repository: syncope Updated Branches: refs/heads/2_0_X d31dc657c -> e99766a44 refs/heads/master fe826fc6b -> f912d90c2
SAML2SP improvements: allow to get SP metadata as authenticated user + validate URLs in SP metadata
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/e99766a4
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/e99766a4
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/e99766a4
Branch: refs/heads/2_0_X
Commit: e99766a441260bb47dbac13efe069682dd4a442d
Parents: d31dc65
Author: Francesco Chicchiriccò <ilgro...@apache.org>
Authored: Mon Aug 14 17:12:20 2017 +0200
Committer: Francesco Chicchiriccò <ilgro...@apache.org>
Committed: Mon Aug 14 17:12:20 2017 +0200
----------------------------------------------------------------------
common/lib/pom.xml | 9 ++++++
.../syncope/ext/saml2lsp/agent/Metadata.java | 14 ++++++---
ext/saml2sp/logic/pom.xml | 7 ++++-
.../apache/syncope/core/logic/SAML2SPLogic.java | 32 +++++++++++++++++---
pom.xml | 8 ++++-
5 files changed, 59 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/e99766a4/common/lib/pom.xml
----------------------------------------------------------------------
diff --git a/common/lib/pom.xml b/common/lib/pom.xml
index 279f03e..be9d35a 100644
--- a/common/lib/pom.xml
+++ b/common/lib/pom.xml
@@ -101,6 +101,15 @@ under the License.
 <groupId>org.apache.maven.plugins</groupId>
 <artifactId>maven-checkstyle-plugin</artifactId>
 </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <version>2.3.2</version>
+ <configuration>
+ <source>1.7</source>
+ <target>1.7</target>
+ </configuration>
+ </plugin>
 </plugins>
 </build>
 </project>
http://git-wip-us.apache.org/repos/asf/syncope/blob/e99766a4/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java
----------------------------------------------------------------------
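Review bot: The maven-compiler-plugin block pins `<version>2.3.2</version>` together with `<source>1.7</source>`/`<target>1.7</target>` directly in common/lib, and neither the pom nor the commit message says why this one module must compile at a different level than the rest of the build. An XML comment above the plugin, such as `<!-- common/lib must remain Java 7 compatible: [reason] -->`, would keep the next reader from removing it as a leftover. If the parent pom manages plugin versions, the explicit version here overrides that pin and would better be dropped so the module follows the shared setting.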
diff --git a/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java b/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java
index 73229f7..c1fbaa8 100644
--- a/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java
+++ b/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java
@@ -46,11 +46,15 @@ public class Metadata extends HttpServlet {
 getAttribute(Constants.SYNCOPE_ANONYMOUS_CLIENT);
 SAML2SPService service = anonymous.getService(SAML2SPService.class);
 WebClient.client(service).accept(MediaType.APPLICATION_XML_TYPE).type(MediaType.APPLICATION_XML_TYPE);
- Response metadataResponse = service.getMetadata(
- StringUtils.substringBefore(request.getRequestURL().toString(), "/saml2sp"), "saml2sp");
+ try {
+ Response metadataResponse = service.getMetadata(
+ StringUtils.substringBefore(request.getRequestURL().toString(), "/saml2sp"), "saml2sp");

- response.setContentType(metadataResponse.getMediaType().toString());
- IOUtils.copy((InputStream) metadataResponse.getEntity(), response.getOutputStream());
- ((InputStream) metadataResponse.getEntity()).close();
+ response.setContentType(metadataResponse.getMediaType().toString());
+ IOUtils.copy((InputStream) metadataResponse.getEntity(), response.getOutputStream());
+ ((InputStream) metadataResponse.getEntity()).close();
+ } catch (Exception e) {
+ throw new ServletException(e.getMessage());
+ }
 }
 }
http://git-wip-us.apache.org/repos/asf/syncope/blob/e99766a4/ext/saml2sp/logic/pom.xml
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/pom.xml b/ext/saml2sp/logic/pom.xml
index 8ac99cd..134b7c9 100644
--- a/ext/saml2sp/logic/pom.xml
+++ b/ext/saml2sp/logic/pom.xml
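Review bot: `throw new ServletException(e.getMessage());` in the new catch block discards the caught exception, so the stack trace of the failing getMetadata() call or of the copy is lost and only its message survives; pass it as the cause with `throw new ServletException(e.getMessage(), e);`. The entity stream is also still closed only on the success path: when IOUtils.copy throws, the InputStream obtained from metadataResponse.getEntity() is never closed, which the rewrite below addresses with try-with-resources (assuming the agent module compiles at Java 7 or later). Catching Exception at a servlet boundary is acceptable, but a one-line comment saying that it deliberately covers the client-side SyncopeClientException as well would help. The enclosing servlet method begins before this hunk.
```java
try {
    Response metadataResponse = service.getMetadata(
            StringUtils.substringBefore(request.getRequestURL().toString(), "/saml2sp"), "saml2sp");

    response.setContentType(metadataResponse.getMediaType().toString());
    // close the entity stream even when the copy fails part-way
    try (InputStream entity = (InputStream) metadataResponse.getEntity()) {
        IOUtils.copy(entity, response.getOutputStream());
    }
} catch (Exception e) {
    // keep the cause: the message alone hides where the failure happened
    throw new ServletException(e.getMessage(), e);
}
```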
@@ -43,7 +43,7 @@ under the License.
 <artifactId>syncope-core-logic</artifactId>
 <version>${project.version}</version>
 </dependency>
-
+
 <dependency>
 <groupId>org.apache.syncope.ext.saml2sp</groupId>
 <artifactId>syncope-ext-saml2sp-provisioning-java</artifactId>
@@ -64,6 +64,11 @@ under the License.
 <groupId>org.opensaml</groupId>
 <artifactId>opensaml-saml-impl</artifactId>
 </dependency>
+
+ <dependency>
+ <groupId>commons-validator</groupId>
+ <artifactId>commons-validator</artifactId>
+ </dependency>
 </dependencies>
 <build>
http://git-wip-us.apache.org/repos/asf/syncope/blob/e99766a4/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index 2264c64..d5e980a 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -37,6 +37,7 @@ import javax.annotation.Resource;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.tuple.Pair;
 import org.apache.commons.lang3.tuple.Triple;
+import org.apache.commons.validator.routines.UrlValidator;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.syncope.common.lib.AbstractBaseBean;
@@ -129,6 +130,8 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
 private static final Encryptor ENCRYPTOR = Encryptor.getInstance();

+ private static final UrlValidator URL_VALIDATOR = new UrlValidator(new String[] { "http", "https" });
+
 @Autowired
 private AccessTokenDataBinder accessTokenDataBinder;
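Review bot: `new UrlValidator(new String[] { "http", "https" })` runs with the library's default options, under which an authority whose host has no registered top-level domain (for example `localhost`) is reported as invalid; since the next hunks feed `spEntityID + urlContext` through this validator, a SP entity ID such as `http://localhost:9080` — the kind of value a development or test deployment is likely to use — would make getMetadata() fail with "Invalid URL". If local hosts are meant to be accepted, the flag for that is `UrlValidator.ALLOW_LOCAL_URLS`: `private static final UrlValidator URL_VALIDATOR = new UrlValidator(new String[] { "http", "https" }, UrlValidator.ALLOW_LOCAL_URLS);`. Either way a short comment on the field stating which URL shapes are intentionally rejected would document the decision.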
@@ -153,11 +156,29 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
 @Resource(name = "syncopeJWTSSOProviderDelegate")
 private JwsSignatureVerifier jwsSignatureVerifier;

+ private void validateUrl(final String url) {
+ boolean isValid = true;
+ if (url.contains("..")) {
+ isValid = false;
+ }
+ if (isValid) {
+ isValid = URL_VALIDATOR.isValid(url);
+ }
+
+ if (!isValid) {
+ SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
+ sce.getElements().add("Invalid URL: " + url);
+ throw sce;
+ }
+ }
+
 private String getAssertionConsumerURL(final String spEntityID, final String urlContext) {
- return spEntityID + urlContext + "/assertion-consumer";
+ String assertionConsumerUrl = spEntityID + urlContext + "/assertion-consumer";
+ validateUrl(assertionConsumerUrl);
+ return assertionConsumerUrl;
 }

- @PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")
+ @PreAuthorize("isAuthenticated()")
 public void getMetadata(final String spEntityID, final String urlContext, final OutputStream os) {
 check();

@@ -194,10 +215,13 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
 spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService);
 spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);

+ String sloUrl = spEntityID + urlContext + "/logout";
+ validateUrl(sloUrl);
+
 SingleLogoutService singleLogoutService = new SingleLogoutServiceBuilder().buildObject();
 singleLogoutService.setBinding(bindingType.getUri());
- singleLogoutService.setLocation(spEntityID + urlContext + "/logout");
- singleLogoutService.setResponseLocation(spEntityID + urlContext + "/logout");
+ singleLogoutService.setLocation(sloUrl);
+ singleLogoutService.setResponseLocation(sloUrl);
 spSSODescriptor.getSingleLogoutServices().add(singleLogoutService);
 }
http://git-wip-us.apache.org/repos/asf/syncope/blob/e99766a4/pom.xml
----------------------------------------------------------------------
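Review bot: validateUrl() rejects any URL containing `..` before consulting URL_VALIDATOR, but nothing says what that extra check is guarding against, and it is the kind of line that gets removed as redundant once someone notices the validator already inspects the path; a comment such as `// reject parent-directory segments in the caller-supplied entity ID / context, regardless of what UrlValidator accepts` is needed (if that is indeed the intent — it is inferred here). The two-step boolean dance can then collapse to `if (url.contains("..") || !URL_VALIDATOR.isValid(url)) {` with the exception-building block as its body, which reads the same as the guard it implements. A Javadoc on the method stating that it throws SyncopeClientException for an unacceptable URL would also help callers of getAssertionConsumerURL(), which now throws where it previously only concatenated; the same validation is applied to sloUrl in the second hunk. getMetadata() continues past the end of the first hunk and the loop body around SingleLogoutService starts before the second.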
diff --git a/pom.xml b/pom.xml
index ec7129e..4332731 100644
--- a/pom.xml
+++ b/pom.xml
@@ -403,6 +403,7 @@ under the License.
 <commons-lang.version>3.6</commons-lang.version>
 <commons-text.version>1.1</commons-text.version>
 <commons-collection.version>4.1</commons-collection.version>
+ <commons-validator.version>1.6</commons-validator.version>
 <commons-logging.version>1.1.3</commons-logging.version>
 <joda.version>2.9.9</joda.version>
@@ -1001,7 +1002,12 @@ under the License.
 <artifactId>commons-collections4</artifactId>
 <version>${commons-collection.version}</version>
 </dependency>
- <dependency>
+ <groupId>commons-validator</groupId>
+ <artifactId>commons-validator</artifactId>
+ <version>${commons-validator.version}</version>
+ </dependency>
+ <dependency>
 <groupId>net.tirasa.connid</groupId>
 <artifactId>connector-framework</artifactId>