Skip to content

Commit

Permalink
modifying of schema for saml authentication module
Browse files Browse the repository at this point in the history
  • Loading branch information
@skublik
skublik committed Sep 22, 2021
1 parent 15340e0 commit e6624b2
Show file tree
Hide file tree
Showing 8 changed files with 180 additions and 208 deletions.
4 changes: 2 additions & 2 deletions ...i/src/main/java/com/evolveum/midpoint/web/security/factory/module/Saml2ModuleFactory.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -97,10 +97,10 @@ public AuthModule createModuleFilter(AbstractAuthenticationModuleType moduleType
public ModuleAuthentication createEmptyModuleAuthentication(SamlModuleWebSecurityConfiguration configuration) {
Saml2ModuleAuthentication moduleAuthentication = new Saml2ModuleAuthentication();
List<IdentityProvider> providers = new ArrayList<>();
((Iterable<RelyingPartyRegistration>)configuration.getRelyingPartyRegistrationRepository()).forEach(
configuration.getRelyingPartyRegistrationRepository().forEach(
p -> {
String authRequestPrefixUrl = "/midpoint" + configuration.getPrefix() + SamlModuleWebSecurityConfiguration.REQUEST_PROCESSING_URL_SUFFIX;
SamlMidpointAdditionalConfiguration config = configuration.getAdditionalConfiguration().get(p.getAssertingPartyDetails().getEntityId());
SamlMidpointAdditionalConfiguration config = configuration.getAdditionalConfiguration().get(p.getRegistrationId());
IdentityProvider mp = new IdentityProvider()
.setLinkText(config.getLinkText())
.setRedirectLink(authRequestPrefixUrl.replace("{registrationId}", p.getRegistrationId()));
Expand Down
4 changes: 2 additions & 2 deletions .../src/main/java/com/evolveum/midpoint/web/security/module/SamlModuleWebSecurityConfig.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ protected Authentication createNewAuthentication(AnonymousAuthenticationToken an

MidpointSaml2LoginConfigurer configurer = new MidpointSaml2LoginConfigurer(auditProvider);
configurer.relyingPartyRegistrationRepository(relyingPartyRegistrations())
.loginProcessingUrl(getConfiguration().getPrefix() + SamlModuleWebSecurityConfiguration.RESPONSE_PROCESSING_URL_SUFFIX)
.loginProcessingUrl(getConfiguration().getPrefix() + SamlModuleWebSecurityConfiguration.SSO_LOCATION_URL_SUFFIX)
.successHandler(getObjectPostProcessor().postProcess(
new MidPointAuthenticationSuccessHandler().setPrefix(getConfiguration().getPrefix())))
.failureHandler(new MidpointAuthenticationFailureHandler());
Expand All @@ -116,7 +116,7 @@ protected Authentication createNewAuthentication(AnonymousAuthenticationToken an

Saml2MetadataFilter filter = new Saml2MetadataFilter(new MidpointMetadataRelyingPartyRegistrationResolver(relyingPartyRegistrations()),
new OpenSamlMetadataResolver());
filter.setRequestMatcher(new AntPathRequestMatcher( getConfiguration().getPrefix() + "/metadata"));
filter.setRequestMatcher(new AntPathRequestMatcher( getConfiguration().getPrefix() + "/metadata/*"));
http.addFilterAfter(filter, Saml2WebSsoAuthenticationFilter.class);
}

Expand Down
3 changes: 2 additions & 1 deletion ...a/com/evolveum/midpoint/web/security/module/authentication/Saml2ModuleAuthentication.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken;

import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
Expand All @@ -23,7 +24,7 @@
* @author skublik
*/

public class Saml2ModuleAuthentication extends ModuleAuthentication {
public class Saml2ModuleAuthentication extends ModuleAuthentication implements Serializable {

private List<IdentityProvider> providers = new ArrayList<IdentityProvider>();
private Map<String, SamlMidpointAdditionalConfiguration> additionalConfiguration;
Expand Down
248 changes: 126 additions & 122 deletions ...olveum/midpoint/web/security/module/configuration/SamlModuleWebSecurityConfiguration.java
View file

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/provider/Saml2Provider.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@ protected Authentication internalAuthentication(Authentication authentication, L
samlAuthenticationToken.setDetails(principal);
Map<String, List<Object>> attributes = principal.getAttributes();
String enteredUsername = "";
SamlMidpointAdditionalConfiguration config = samlModule.getAdditionalConfiguration().get(samlAuthenticationToken.getRelyingPartyRegistration().getAssertingPartyDetails().getEntityId());
SamlMidpointAdditionalConfiguration config = samlModule.getAdditionalConfiguration().get(samlAuthenticationToken.getRelyingPartyRegistration().getRegistrationId());
String nameOfSamlAttribute = config.getNameOfUsernameAttribute();
if (!attributes.containsKey(nameOfSamlAttribute)){
LOGGER.error("Couldn't find attribute for username in saml response");
Expand Down
73 changes: 8 additions & 65 deletions ...evolveum/midpoint/web/security/saml/MidpointMetadataRelyingPartyRegistrationResolver.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,91 +7,34 @@

package com.evolveum.midpoint.web.security.saml;

import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/**
* @author skublik
*/
public class MidpointMetadataRelyingPartyRegistrationResolver implements RelyingPartyRegistrationResolver {

private static final char PATH_DELIMITER = '/';

private final InMemoryRelyingPartyRegistrationRepository relyingPartyRegistrationRepository;
private final DefaultRelyingPartyRegistrationResolver defaultResolver;

public MidpointMetadataRelyingPartyRegistrationResolver(
InMemoryRelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
Assert.notNull(relyingPartyRegistrationRepository, "relyingPartyRegistrationRepository cannot be null");
this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
}

protected Function<String, String> templateResolver(String applicationUri, RelyingPartyRegistration relyingParty) {
return (template) -> resolveUrlTemplate(template, applicationUri, relyingParty);
}

private static String resolveUrlTemplate(String template, String baseUrl, RelyingPartyRegistration relyingParty) {
String entityId = relyingParty.getAssertingPartyDetails().getEntityId();
String registrationId = relyingParty.getRegistrationId();
Map<String, String> uriVariables = new HashMap<>();
UriComponents uriComponents = UriComponentsBuilder.fromHttpUrl(baseUrl).replaceQuery(null).fragment(null)
.build();
String scheme = uriComponents.getScheme();
uriVariables.put("baseScheme", (scheme != null) ? scheme : "");
String host = uriComponents.getHost();
uriVariables.put("baseHost", (host != null) ? host : "");
// following logic is based on HierarchicalUriComponents#toUriString()
int port = uriComponents.getPort();
uriVariables.put("basePort", (port == -1) ? "" : ":" + port);
String path = uriComponents.getPath();
if (StringUtils.hasLength(path) && path.charAt(0) != PATH_DELIMITER) {
path = PATH_DELIMITER + path;
}
uriVariables.put("basePath", (path != null) ? path : "");
uriVariables.put("baseUrl", uriComponents.toUriString());
uriVariables.put("entityId", StringUtils.hasText(entityId) ? entityId : "");
uriVariables.put("registrationId", StringUtils.hasText(registrationId) ? registrationId : "");
return UriComponentsBuilder.fromUriString(template).buildAndExpand(uriVariables).toUriString();
}

protected static String getApplicationUri(HttpServletRequest request) {
UriComponents uriComponents = UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
.replacePath(request.getContextPath()).replaceQuery(null).fragment(null).build();
return uriComponents.toUriString();
this.defaultResolver = new DefaultRelyingPartyRegistrationResolver(relyingPartyRegistrationRepository);
}

@Override
public RelyingPartyRegistration resolve(HttpServletRequest request, String relyingPartyRegistrationId) {
if (!this.relyingPartyRegistrationRepository.iterator().hasNext()) {
return null;
}
RelyingPartyRegistration relyingPartyRegistration = this.relyingPartyRegistrationRepository.iterator().next();
if (relyingPartyRegistration == null) {
return null;
}
String applicationUri = getApplicationUri(request);
Function<String, String> templateResolver = templateResolver(applicationUri, relyingPartyRegistration);
String relyingPartyEntityId = templateResolver.apply(relyingPartyRegistration.getEntityId());
String assertionConsumerServiceLocation = templateResolver
.apply(relyingPartyRegistration.getAssertionConsumerServiceLocation());
String singleLogoutServiceLocation = templateResolver
.apply(relyingPartyRegistration.getSingleLogoutServiceLocation());
RelyingPartyRegistration relyingPartyRegistration = defaultResolver.resolve(request, relyingPartyRegistrationId);

return RelyingPartyRegistration
.withRelyingPartyRegistration(relyingPartyRegistration)
.entityId(relyingPartyEntityId)
.assertionConsumerServiceLocation(assertionConsumerServiceLocation)
.singleLogoutServiceLocation(singleLogoutServiceLocation)
.entityId(relyingPartyRegistration.getEntityId())
.assertionConsumerServiceLocation(relyingPartyRegistration.getAssertionConsumerServiceLocation())
.singleLogoutServiceLocation(relyingPartyRegistration.getSingleLogoutServiceLocation())
.singleLogoutServiceResponseLocation("")
.build();
}
Expand Down
46 changes: 35 additions & 11 deletions infra/schema/src/main/resources/xml/ns/public/common/common-security-3.xsd
View file
Original file line number Diff line number Diff line change
Expand Up @@ -491,10 +491,11 @@
<xsd:annotation>
<xsd:appinfo>
<a:deprecated>true</a:deprecated>
<a:plannedRemoval>4.5</a:plannedRemoval>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element name="serviceProvider" type="tns:Saml2ServiceProviderAuthenticationModuleType" minOccurs="1" maxOccurs="1"/>
<xsd:element name="serviceProvider" type="tns:Saml2ServiceProviderAuthenticationModuleType" minOccurs="1" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
Expand Down Expand Up @@ -539,9 +540,13 @@
<xsd:documentation>
Unique alias used to identify the selected local service provider based on used URL.
</xsd:documentation>
<xsd:appinfo>
<a:deprecated>true</a:deprecated>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element name="aliasForPath" type="xsd:string" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>
Alias used for AssertionConsumerServiceURL.
</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="defaultSigningAlgorithm" type="tns:Saml2SigningAlgorithmAuthenticationModuleType" minOccurs="0" maxOccurs="1">
Expand All @@ -558,6 +563,7 @@
</xsd:documentation>
<xsd:appinfo>
<a:deprecated>true</a:deprecated>
<a:plannedRemoval>4.5</a:plannedRemoval>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
Expand All @@ -575,6 +581,7 @@
</xsd:documentation>
<xsd:appinfo>
<a:deprecated>true</a:deprecated>
<a:plannedRemoval>4.5</a:plannedRemoval>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
Expand All @@ -585,6 +592,7 @@
</xsd:documentation>
<xsd:appinfo>
<a:deprecated>true</a:deprecated>
<a:plannedRemoval>4.5</a:plannedRemoval>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
Expand All @@ -598,6 +606,7 @@
</xsd:documentation>
<xsd:appinfo>
<a:deprecated>true</a:deprecated>
<a:plannedRemoval>4.5</a:plannedRemoval>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
Expand All @@ -609,6 +618,17 @@
</xsd:annotation>
</xsd:element>
<xsd:element name="provider" type="tns:Saml2ProviderAuthenticationModuleType" minOccurs="1" maxOccurs="unbounded">
<xsd:annotation>
<xsd:documentation>
Possible identity providers for this service provider.
</xsd:documentation>
<xsd:appinfo>
<a:deprecated>true</a:deprecated>
<a:plannedRemoval>4.5</a:plannedRemoval>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element name="identityProvider" type="tns:Saml2ProviderAuthenticationModuleType" minOccurs="1" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>
Possible identity providers for this service provider.
Expand All @@ -622,6 +642,7 @@
</xsd:documentation>
<xsd:appinfo>
<a:deprecated>true</a:deprecated>
<a:plannedRemoval>4.5</a:plannedRemoval>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
Expand All @@ -634,6 +655,8 @@
Possible NameId.
</xsd:documentation>
<xsd:appinfo>
<a:deprecated>true</a:deprecated>
<a:plannedRemoval>4.5</a:plannedRemoval>
<jaxb:typesafeEnumClass/>
</xsd:appinfo>
</xsd:annotation>
Expand Down Expand Up @@ -682,6 +705,8 @@
Possible digest method.
</xsd:documentation>
<xsd:appinfo>
<a:deprecated>true</a:deprecated>
<a:plannedRemoval>4.5</a:plannedRemoval>
<jaxb:typesafeEnumClass/>
</xsd:appinfo>
</xsd:annotation>
Expand Down Expand Up @@ -920,13 +945,10 @@
<xsd:documentation>
Unique alias used to identify the selected local service provider based on used URL.
</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="aliasForPath" type="xsd:string" minOccurs="0" maxOccurs="1">
<xsd:annotation>
<xsd:documentation>
Alias used for AssertionConsumerServiceURL.
</xsd:documentation>
<xsd:appinfo>
<a:deprecated>true</a:deprecated>
<a:plannedRemoval>4.5</a:plannedRemoval>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element name="metadata" type="tns:Saml2ProviderMetadataAuthenticationModuleType" minOccurs="1" maxOccurs="1">
Expand All @@ -940,6 +962,7 @@
<xsd:annotation>
<xsd:appinfo>
<a:deprecated>true</a:deprecated>
<a:plannedRemoval>4.5</a:plannedRemoval>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
Expand All @@ -950,6 +973,7 @@
</xsd:documentation>
<xsd:appinfo>
<a:deprecated>true</a:deprecated>
<a:plannedRemoval>4.5</a:plannedRemoval>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
Expand Down
8 changes: 4 additions & 4 deletions pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -188,7 +188,7 @@
<selenium.version>3.141.59</selenium.version>
<slf4j.version>1.7.30</slf4j.version>
<logback.version>1.2.3e1</logback.version>
<spring-security.version>5.6.0-SNAPSHOT</spring-security.version>
<spring-security.version>5.6.0-M3</spring-security.version>
<opensaml.version>4.1.1</opensaml.version>
<cache2k.version>2.0.0.Final</cache2k.version>
<testng.version>7.4.0</testng.version>
Expand Down Expand Up @@ -1554,9 +1554,9 @@
<url>https://nexus.evolveum.com/nexus/content/repositories/snapshots/</url>
</repository>
<repository>
<id>spring-snapshots</id>
<name>Spring Snapshots Repository</name>
<url>https://repo.spring.io/snapshot</url>
<id>spring-milestone</id>
<name>Spring Milestone Repository</name>
<url>https://repo.spring.io/milestone</url>
</repository>

<!--
Expand Down

0 comments on commit e6624b2

Please sign in to comment.