Repository: cloudstack Updated Branches: refs/heads/master 9f5541129 -> 185f7e015
CLOUDSTACK-8037: Require signed AuthnRequest, adds more security Signed-off-by: Rohit Yadav <[email protected]> (cherry picked from commit 6bec69844d196e9b66fffa54f6998d8e45fc27e8) Signed-off-by: Rohit Yadav <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/b7b3a4fb Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/b7b3a4fb Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/b7b3a4fb Branch: refs/heads/master Commit: b7b3a4fb3c270595adeb79c974b9759066f2418f Parents: 9f55411 Author: Rohit Yadav <[email protected]> Authored: Wed Jan 14 02:19:10 2015 +0530 Committer: Rohit Yadav <[email protected]> Committed: Wed Jan 14 02:43:48 2015 +0530 ---------------------------------------------------------------------- .../api/command/GetServiceProviderMetaDataCmd.java | 12 ++++++++++-- .../org/apache/cloudstack/saml/SAML2AuthManager.java | 2 +- .../apache/cloudstack/saml/SAML2AuthManagerImpl.java | 5 ++++- .../src/org/apache/cloudstack/utils/auth/SAMLUtils.java | 8 ++++---- 4 files changed, 19 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b7b3a4fb/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java ---------------------------------------------------------------------- diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java index 87c9431..6ab80a1 100644 --- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java +++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java 
@@ -122,7 +122,7 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements APIAuthent
 SPSSODescriptor spSSODescriptor = new SPSSODescriptorBuilder().buildObject();
 spSSODescriptor.setWantAssertionsSigned(true);
- spSSODescriptor.setAuthnRequestsSigned(false);
+ spSSODescriptor.setAuthnRequestsSigned(true);
 X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
 keyInfoGeneratorFactory.setEmitEntityCertificate(true);
@@ -135,7 +135,7 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements APIAuthent
 signKeyDescriptor.setUse(UsageType.SIGNING);
 BasicX509Credential credential = new BasicX509Credential();
- credential.setEntityCertificate(_samlAuthManager.getSpX509Key());
+ credential.setEntityCertificate(_samlAuthManager.getSpX509Certificate());
 try {
 encKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential));
 signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential));
@@ -149,6 +149,14 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements APIAuthent
 nameIDFormat.setFormat(NameIDType.PERSISTENT);
 spSSODescriptor.getNameIDFormats().add(nameIDFormat);
+ NameIDFormat emailNameIDFormat = new NameIDFormatBuilder().buildObject();
+ emailNameIDFormat.setFormat(NameIDType.EMAIL);
+ spSSODescriptor.getNameIDFormats().add(emailNameIDFormat);
+
+ NameIDFormat transientNameIDFormat = new NameIDFormatBuilder().buildObject();
+ transientNameIDFormat.setFormat(NameIDType.TRANSIENT);
+ spSSODescriptor.getNameIDFormats().add(transientNameIDFormat);
+
 AssertionConsumerService assertionConsumerService = new AssertionConsumerServiceBuilder().buildObject();
 assertionConsumerService.setIndex(0);
 assertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b7b3a4fb/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
----------------------------------------------------------------------
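Review bot: `spSSODescriptor.setAuthnRequestsSigned(true)` tells the IdP that every AuthnRequest from this SP carries a signature, but nothing in this commit adds one: the SAMLUtils hunk at `@@ -166` still returns the bare `authnRequest`, and the HTTP-Redirect binding advertised in the `@@ -149` hunk of this file would need the SigAlg and Signature query parameters to carry it. Unless signing happens on the send path outside this diff, an IdP that honours the flag will reject the SP's requests, and one that ignores it gains nothing from the flag alone. Either sign the request with the key from `_samlAuthManager.getSpKeyPair()` before redirecting, or keep the flag false until that is in place, and leave a comment on this line naming where the signing happens. The enclosing method starts and ends outside the hunk.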
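Review bot: Advertising `NameIDType.TRANSIENT` and `NameIDType.EMAIL` next to PERSISTENT in the `@@ -149` hunk lets the IdP pick a transient subject identifier that differs on every login; if the response handler (not in this diff) resolves the CloudStack user by NameID value alone, a transient subject will fail to match or, once values are reused, match a different account. The handler should read the NameID's Format attribute and only key account lookups on persistent or email subjects, which is inferred from the metadata change rather than visible here, so confirm against the login path. The added block deserves a comment stating that intent, e.g. `// Formats the login path can map to an account; TRANSIENT must not be used as a stable user key`.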
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
index 3ee7522..9c0d4b4 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
@@ -28,7 +28,7 @@ public interface SAML2AuthManager extends PluggableAPIAuthenticator {
 public X509Certificate getIdpSigningKey();
 public X509Certificate getIdpEncryptionKey();
- public X509Certificate getSpX509Key();
+ public X509Certificate getSpX509Certificate();
 public KeyPair getSpKeyPair();
 public String getSpSingleSignOnUrl();
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b7b3a4fb/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
index f175081..36c9da5 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
@@ -202,6 +202,9 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
 s_logger.error("SAML2 Authentication may be unavailable");
 } catch (ConfigurationException | FactoryConfigurationError e) {
 s_logger.error("OpenSAML bootstrapping failed: error: " + e.getMessage());
+ } catch (NullPointerException e) {
+ s_logger.error("Unable to setup SAML Auth Plugin due to NullPointerException"
+ + " please check the SAML IDP metadata URL and entity ID in global settings: " + e.getMessage());
 }
 if (this.idpSingleLogOutUrl == null || this.idpSingleSignOnUrl == null) {
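Review bot: The new `catch (NullPointerException e)` in the `@@ -202` hunk logs only `e.getMessage()`, which for an NPE is normally null, so the operator sees the message end in "null" and the stack trace that would show which metadata field was missing is discarded. Pass the exception to the logger instead, `s_logger.error("Unable to setup SAML Auth Plugin, check the SAML IDP metadata URL and entity ID in global settings", e);`. Catching NPE also stands in for validation: checking the metadata URL and entity ID for null before the bootstrap would give the same diagnostic without masking unrelated programming errors thrown inside the same try block, which begins outside the hunk.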
@@ -259,7 +262,7 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
 return Boolean.valueOf(_configDao.getValue(Config.SAMLIsPluginEnabled.key()));
 }
- public X509Certificate getSpX509Key() {
+ public X509Certificate getSpX509Certificate() {
 return spX509Key;
 }
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b7b3a4fb/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
index bb4af3a..c75422f 100644
--- a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
+++ b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
@@ -148,7 +148,7 @@ public class SAMLUtils {
 RequestedAuthnContextBuilder requestedAuthnContextBuilder = new RequestedAuthnContextBuilder();
 RequestedAuthnContext requestedAuthnContext = requestedAuthnContextBuilder.buildObject();
 requestedAuthnContext
- .setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
+ .setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
 requestedAuthnContext.getAuthnContextClassRefs().add(
 authnContextClassRef);
@@ -166,7 +166,7 @@ public class SAMLUtils {
 authnRequest.setAssertionConsumerServiceURL(consumerUrl);
 authnRequest.setProviderName(spId);
 authnRequest.setNameIDPolicy(nameIdPolicy);
- //authnRequest.setRequestedAuthnContext(requestedAuthnContext);
+ authnRequest.setRequestedAuthnContext(requestedAuthnContext);
 return authnRequest;
 }
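Review bot: Switching to `AuthnContextComparisonTypeEnumeration.EXACT` in the `@@ -148` hunk and attaching the context in the `@@ -166` hunk only constrains what is asked for; an IdP can still answer with a different AuthnContextClassRef, so the response handler (outside this diff) must compare the assertion's AuthnStatement class ref against `authnContextClassRef` before accepting the login, or the stricter request adds no assurance. The class ref being requested is assigned above the hunk and not visible here; with EXACT, an IdP that authenticates users by any other method will typically return a failure status instead of an assertion, so the choice deserves a comment such as `// EXACT: the IdP must authenticate with precisely this context class or refuse the request`. Both hunks sit inside a method whose signature is outside the hunks.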
@@ -315,8 +315,8 @@ public class SAMLUtils {
 public static X509Certificate generateRandomX509Certificate(KeyPair keyPair) throws NoSuchAlgorithmException, NoSuchProviderException, CertificateEncodingException, SignatureException, InvalidKeyException {
 Date validityBeginDate = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
- Date validityEndDate = new Date(System.currentTimeMillis() + 365 * 24 * 60 * 60 * 1000);
- X500Principal dnName = new X500Principal("CN=Apache CloudStack");
+ Date validityEndDate = new Date(System.currentTimeMillis() + 3 * 365 * 24 * 60 * 60 * 1000);
+ X500Principal dnName = new X500Principal("CN=ApacheCloudStack");
 X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
 certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
 certGen.setSubjectDN(dnName);
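Review bot: `3 * 365 * 24 * 60 * 60 * 1000` is evaluated in int arithmetic and overflows (one year in milliseconds already exceeds Integer.MAX_VALUE), so the generated SP certificate does not get a three-year validity; the wrapped value works out to roughly 1.4 days (the removed line's expression wrapped to roughly 17 days), after which an IdP that validates the signing certificate from the exchanged metadata will reject the SP's signatures. Widen the arithmetic to long, `Date validityEndDate = new Date(System.currentTimeMillis() + 3L * 365 * 24 * 60 * 60 * 1000);`, and consider the same `24L` prefix on the validityBeginDate line for consistency even though that one does not overflow. A comment such as `// validity window is computed in long to avoid int overflow` would stop the next edit from reintroducing it. The method body continues past the hunk.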
