From 321cad4cbe26fea1a394dfa5796ed7c8a9e367f8 Mon Sep 17 00:00:00 2001 
From: Danny Faught Date: Tue, 23 Jan 2024 16:15:05 -0800 Subject: [PATCH] remove: SAML extension library dependency Co-authored-by: Peter Chen Co-authored-by: Bruce Ricard Co-authored-by: Danny Faught --- dependencies.gradle | 2 +- server/build.gradle | 8 +- ...ibleTokenEndpointAuthenticationFilter.java | 28 +- .../RedirectSavingSamlContextProvider.java | 70 +- .../authentication/SamlAssertionBinding.java | 54 +- .../authentication/SamlAssertionDecoder.java | 140 +- .../SamlResponseLoggerBinding.java | 102 +- .../uaa/authentication/UaaAuthentication.java | 24 +- .../authentication/UaaSamlLogoutFilter.java | 66 +- .../identity/uaa/home/HomeController.java | 18 +- .../uaa/passcode/PasscodeInformation.java | 4 +- .../provider/IdentityProviderEndpoints.java | 22 +- .../uaa/provider/saml/ComparableProvider.java | 44 +- .../provider/saml/ConfigMetadataProvider.java | 34 +- .../saml/FilesystemMetadataProvider.java | 18 +- .../saml/FixedHttpMetaDataProvider.java | 8 +- .../saml/LoginSamlAuthenticationProvider.java | 554 +++---- .../saml/LoginSamlAuthenticationToken.java | 56 +- .../uaa/provider/saml/LoginSamlDiscovery.java | 94 +- .../provider/saml/LoginSamlEntryPoint.java | 134 +- .../MetadataProviderNotFoundException.java | 10 +- .../NonCachingMetadataCredentialResolver.java | 24 +- .../saml/NonSnarlMetadataManager.java | 1238 +++++++-------- .../provider/saml/SPWebSSOProfileImpl.java | 56 +- .../SamlBindingNotSupportedException.java | 10 +- .../provider/saml/SamlConfigurationBean.java | 36 +- .../SamlIdentityProviderConfigurator.java | 152 +- .../provider/saml/SamlKeyManagerFactory.java | 94 +- .../uaa/provider/saml/SamlRedirectUtils.java | 68 +- .../saml/SamlSessionStorageFactory.java | 26 +- .../provider/saml/ZoneAwareKeyManager.java | 78 +- .../saml/ZoneAwareMetadataDisplayFilter.java | 72 +- .../saml/ZoneAwareMetadataGenerator.java | 192 +-- .../identity/uaa/zone/IdentityZoneHolder.java | 40 +- server/src/main/resources/spring/login-ui.xml | 15 +- 
...TokenEndpointAuthenticationFilterTest.java | 47 +- .../SamlAssertionBindingTests.java | 26 +- .../SamlResponseLoggerBindingTest.java | 82 +- .../uaa/login/HomeControllerViewTests.java | 23 +- .../uaa/login/LoginInfoEndpointTests.java | 7 +- .../login/SamlLoginServerKeyManagerTests.java | 497 +++--- .../identity/uaa/oauth/TokenTestSupport.java | 2 +- .../oauth/token/Saml2TokenGranterTest.java | 124 +- .../uaa/passcode/PasscodeInformationTest.java | 53 +- .../IdentityProviderEndpointsTest.java | 14 +- .../provider/saml/ComparableProviderTest.java | 10 +- .../saml/ConfigMetadataProviderTest.java | 27 +- .../LoginSamlAuthenticationProviderTests.java | 1337 +++++++++-------- .../saml/SamlConfigurationBeanTest.java | 56 +- ...SamlIdentityProviderConfiguratorTests.java | 281 ++-- .../saml/SamlKeyManagerFactoryTests.java | 131 +- .../saml/SamlSessionStorageFactoryTests.java | 15 +- .../saml/ZoneAwareMetadataGeneratorTests.java | 250 +-- .../uaa/provider/saml/idp/SamlTestUtils.java | 492 +++--- .../uaa/zone/IdentityZoneHolderTest.java | 203 +-- uaa/build.gradle | 2 +- .../main/webapp/WEB-INF/spring-servlet.xml | 2 +- .../webapp/WEB-INF/spring/oauth-endpoints.xml | 2 +- .../webapp/WEB-INF/spring/saml-providers.xml | 610 ++++---- .../uaa/integration/feature/OIDCLoginIT.java | 174 ++- .../identity/uaa/login/BootstrapTests.java | 110 +- .../uaa/login/PasscodeMockMvcTests.java | 132 +- .../identity/uaa/login/TokenEndpointDocs.java | 356 ++--- .../token/Saml2BearerGrantMockMvcTests.java | 20 +- .../saml/SamlInitializationMockMvcTests.java | 65 +- 65 files changed, 4393 insertions(+), 4348 deletions(-) diff --git a/dependencies.gradle b/dependencies.gradle index 7bcaef3e28f..1a411199ae2 100644 --- a/dependencies.gradle +++ b/dependencies.gradle 
@@ -104,7 +104,7 @@ libraries.springSecurityConfig = "org.springframework.security:spring-security-c libraries.springSecurityCore = "org.springframework.security:spring-security-core:${versions.springSecurityVersion}" libraries.springSecurityLdap = "org.springframework.security:spring-security-ldap:${versions.springSecurityVersion}" libraries.springSecurityOauth = "org.springframework.security.oauth:spring-security-oauth2:${versions.springSecurityOAuthVersion}" -libraries.springSecuritySaml = "org.springframework.security.extensions:spring-security-saml2-core:${versions.springSecuritySamlVersion}" +//libraries.springSecuritySaml = "org.springframework.security.extensions:spring-security-saml2-core:${versions.springSecuritySamlVersion}" libraries.springSecurityTaglibs = "org.springframework.security:spring-security-taglibs:${versions.springSecurityVersion}" libraries.springSecurityTest = "org.springframework.security:spring-security-test:${versions.springSecurityVersion}" libraries.springSecurityWeb = "org.springframework.security:spring-security-web:${versions.springSecurityVersion}" diff --git a/server/build.gradle b/server/build.gradle index 0b9629f083a..e2559de4483 100644 --- a/server/build.gradle +++ b/server/build.gradle @@ -25,10 +25,10 @@ dependencies { implementation(libraries.owaspEsapi) { transitive = false } - implementation(libraries.springSecuritySaml) { - exclude(module: "bcprov-ext-jdk15on") - exclude(module: "xalan") - } +// implementation(libraries.springSecuritySaml) { +// exclude(module: "bcprov-ext-jdk15on") +// exclude(module: "xalan") +// } implementation(libraries.jodaTime) implementation(libraries.commonsHttpClient) implementation(libraries.xmlSecurity) 
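Review bot: The dependency is commented out rather than removed, and the same pattern runs through the whole patch: `server/build.gradle` keeps the `exclude(module: "bcprov-ext-jdk15on")` / `exclude(module: "xalan")` lines as comments, and `RedirectSavingSamlContextProvider`, `SamlAssertionBinding`, `SamlAssertionDecoder`, `SamlResponseLoggerBinding` and `UaaSamlLogoutFilter` are reduced to empty classes whose imports (`JsonUtils`, `StringUtils`, `HashMap`, `HttpServletRequest`, …) and Javadoc blocks (`/** {@inheritDoc} */` on methods that no longer override anything, `@param parserPool` on a constructor that no longer exists) are left orphaned. If this is a deliberate stepping stone toward a replacement SAML implementation, a one-line comment at the top of each stub saying so (e.g. `// Stub: SAML extension library removed; awaiting replacement implementation.`) would tell the next reader not to wire them; otherwise delete the classes and the dependency entries outright and rely on version control for the history. The `versions.springSecuritySamlVersion` entry the commented line refers to presumably still exists elsewhere in `dependencies.gradle`; if so it is now unused and should go with it.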
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/BackwardsCompatibleTokenEndpointAuthenticationFilter.java b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/BackwardsCompatibleTokenEndpointAuthenticationFilter.java index 92b11c32bd2..342a0f371e9 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/BackwardsCompatibleTokenEndpointAuthenticationFilter.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/BackwardsCompatibleTokenEndpointAuthenticationFilter.java @@ -32,7 +32,7 @@ import org.springframework.security.oauth2.provider.OAuth2Request; import org.springframework.security.oauth2.provider.OAuth2RequestFactory; import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint; -import org.springframework.security.saml.SAMLProcessingFilter; +//import org.springframework.security.saml.SAMLProcessingFilter; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; 
@@ -66,25 +66,25 @@ public class BackwardsCompatibleTokenEndpointAuthenticationFilter implements Fil private final OAuth2RequestFactory oAuth2RequestFactory; - private final SAMLProcessingFilter samlAuthenticationFilter; +// private final SAMLProcessingFilter samlAuthenticationFilter; private final ExternalOAuthAuthenticationManager externalOAuthAuthenticationManager; public BackwardsCompatibleTokenEndpointAuthenticationFilter(AuthenticationManager authenticationManager, OAuth2RequestFactory oAuth2RequestFactory) { - this(authenticationManager, oAuth2RequestFactory, null, null); + this(authenticationManager, oAuth2RequestFactory, null); } /** * @param authenticationManager an AuthenticationManager for the incoming request */ public BackwardsCompatibleTokenEndpointAuthenticationFilter(AuthenticationManager authenticationManager, OAuth2RequestFactory oAuth2RequestFactory, - SAMLProcessingFilter samlAuthenticationFilter, +// SAMLProcessingFilter samlAuthenticationFilter, ExternalOAuthAuthenticationManager externalOAuthAuthenticationManager) { super(); this.authenticationManager = authenticationManager; this.oAuth2RequestFactory = oAuth2RequestFactory; - this.samlAuthenticationFilter = samlAuthenticationFilter; +// this.samlAuthenticationFilter = samlAuthenticationFilter; this.externalOAuthAuthenticationManager = externalOAuthAuthenticationManager; } 
@@ -218,15 +218,15 @@ protected Authentication attemptTokenAuthentication(HttpServletRequest request, return authResult; } else if (GRANT_TYPE_SAML2_BEARER.equals(grantType)) { - logger.debug(GRANT_TYPE_SAML2_BEARER +" found. Attempting authentication with assertion"); - String assertion = request.getParameter("assertion"); - if (assertion != null && samlAuthenticationFilter != null) { - logger.debug("Attempting SAML authentication for token endpoint."); - authResult = samlAuthenticationFilter.attemptAuthentication(request, response); - } else { - logger.debug("No assertion or filter, not attempting SAML authentication for token endpoint."); - throw new InsufficientAuthenticationException("SAML Assertion is missing"); - } +// logger.debug(GRANT_TYPE_SAML2_BEARER +" found. Attempting authentication with assertion"); +// String assertion = request.getParameter("assertion"); +// if (assertion != null && samlAuthenticationFilter != null) { +// logger.debug("Attempting SAML authentication for token endpoint."); +// authResult = samlAuthenticationFilter.attemptAuthentication(request, response); +// } else { +// logger.debug("No assertion or filter, not attempting SAML authentication for token endpoint."); +// throw new InsufficientAuthenticationException("SAML Assertion is missing"); +// } } else if (GRANT_TYPE_JWT_BEARER.equals(grantType)) { logger.debug(GRANT_TYPE_JWT_BEARER +" found. Attempting authentication with assertion"); String assertion = request.getParameter("assertion"); diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/RedirectSavingSamlContextProvider.java b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/RedirectSavingSamlContextProvider.java index 6bb782f1664..9bc9f20faab 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/RedirectSavingSamlContextProvider.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/RedirectSavingSamlContextProvider.java 
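Review bot: The `GRANT_TYPE_SAML2_BEARER` branch is now an empty block, so a token request with that grant type no longer throws `InsufficientAuthenticationException` and instead falls through with `authResult` left at whatever it held before the branch; what happens next depends on code after the hunk (`attemptTokenAuthentication` continues outside it), but the grant is no longer explicitly rejected. Until a replacement SAML path exists the branch should fail closed rather than silently: `logger.debug(GRANT_TYPE_SAML2_BEARER + " found, but SAML authentication is not available");` followed by `throw new InsufficientAuthenticationException("SAML Assertion is missing");`. Keeping the dead `else if` with a comment also makes it harder to miss than an empty block that compiles and looks intentional.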
@@ -2,45 +2,45 @@ import org.cloudfoundry.identity.uaa.util.JsonUtils; import org.flywaydb.core.internal.util.StringUtils; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.springframework.security.saml.context.SAMLContextProvider; -import org.springframework.security.saml.context.SAMLMessageContext; +//import org.opensaml.saml2.metadata.provider.MetadataProviderException; +//import org.springframework.security.saml.context.SAMLContextProvider; +//import org.springframework.security.saml.context.SAMLMessageContext; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.util.HashMap; import java.util.Map; -public class RedirectSavingSamlContextProvider implements SAMLContextProvider { - - private final SAMLContextProvider contextProviderDelegate; - - public RedirectSavingSamlContextProvider(SAMLContextProvider contextProviderDelegate) { - this.contextProviderDelegate = contextProviderDelegate; - } - - @Override - public SAMLMessageContext getLocalEntity(HttpServletRequest request, HttpServletResponse response) throws MetadataProviderException { - SAMLMessageContext context = contextProviderDelegate.getLocalEntity(request, response); - return setRelayState(request, context); - } - - @Override - public SAMLMessageContext getLocalAndPeerEntity(HttpServletRequest request, HttpServletResponse response) throws MetadataProviderException { - SAMLMessageContext context = contextProviderDelegate.getLocalAndPeerEntity(request, response); - return setRelayState(request, context); - } - - private static SAMLMessageContext setRelayState(HttpServletRequest request, SAMLMessageContext context) { - Map params = new HashMap<>(); - - String redirectUri = request.getParameter("redirect"); - if(StringUtils.hasText(redirectUri)) { params.put("redirect", redirectUri); } - - String clientId = request.getParameter("client_id"); - if(StringUtils.hasText(clientId)) { params.put("client_id", clientId); } - - 
context.setRelayState(JsonUtils.writeValueAsString(params)); - return context; - } +public class RedirectSavingSamlContextProvider /* implements SAMLContextProvider */ { + +// private final SAMLContextProvider contextProviderDelegate; + +// public RedirectSavingSamlContextProvider(SAMLContextProvider contextProviderDelegate) { +// this.contextProviderDelegate = contextProviderDelegate; +// } + +// @Override +// public SAMLMessageContext getLocalEntity(HttpServletRequest request, HttpServletResponse response) throws MetadataProviderException { +// SAMLMessageContext context = contextProviderDelegate.getLocalEntity(request, response); +// return setRelayState(request, context); +// } + +// @Override +// public SAMLMessageContext getLocalAndPeerEntity(HttpServletRequest request, HttpServletResponse response) throws MetadataProviderException { +// SAMLMessageContext context = contextProviderDelegate.getLocalAndPeerEntity(request, response); +// return setRelayState(request, context); +// } + +// private static SAMLMessageContext setRelayState(HttpServletRequest request, SAMLMessageContext context) { +// Map params = new HashMap<>(); +// +// String redirectUri = request.getParameter("redirect"); +// if(StringUtils.hasText(redirectUri)) { params.put("redirect", redirectUri); } +// +// String clientId = request.getParameter("client_id"); +// if(StringUtils.hasText(clientId)) { params.put("client_id", clientId); } +// +// context.setRelayState(JsonUtils.writeValueAsString(params)); +// return context; +// } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlAssertionBinding.java b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlAssertionBinding.java index 5f11c0d3b1c..fc802bc60be 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlAssertionBinding.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlAssertionBinding.java 
@@ -15,24 +15,24 @@ package org.cloudfoundry.identity.uaa.authentication; -import org.opensaml.ws.message.decoder.MessageDecoder; -import org.opensaml.ws.message.encoder.MessageEncoder; -import org.opensaml.ws.transport.InTransport; -import org.opensaml.ws.transport.http.HTTPInTransport; -import org.opensaml.ws.transport.http.HTTPTransport; -import org.opensaml.xml.parse.ParserPool; -import org.springframework.security.saml.processor.HTTPPostBinding; +//import org.opensaml.ws.message.decoder.MessageDecoder; +//import org.opensaml.ws.message.encoder.MessageEncoder; +//import org.opensaml.ws.transport.InTransport; +//import org.opensaml.ws.transport.http.HTTPInTransport; +//import org.opensaml.ws.transport.http.HTTPTransport; +//import org.opensaml.xml.parse.ParserPool; +//import org.springframework.security.saml.processor.HTTPPostBinding; -public class SamlAssertionBinding extends HTTPPostBinding { +public class SamlAssertionBinding /* extends HTTPPostBinding */ { /** * Creates default implementation of the binding. * * @param parserPool parserPool for message deserialization */ - public SamlAssertionBinding(ParserPool parserPool) { - this(parserPool, new SamlAssertionDecoder(parserPool), null); - } +// public SamlAssertionBinding(ParserPool parserPool) { +// this(parserPool, new SamlAssertionDecoder(parserPool), null); +// } /** * Implementation of the binding with custom encoder and decoder. 
@@ -41,22 +41,22 @@ public SamlAssertionBinding(ParserPool parserPool) { * @param decoder custom decoder implementation * @param encoder custom encoder implementation */ - public SamlAssertionBinding(ParserPool parserPool, MessageDecoder decoder, MessageEncoder encoder) { - super(parserPool, decoder, encoder); - } +// public SamlAssertionBinding(ParserPool parserPool, MessageDecoder decoder, MessageEncoder encoder) { +// super(parserPool, decoder, encoder); +// } - @Override - public boolean supports(InTransport transport) { - if (transport instanceof HTTPInTransport) { - HTTPTransport t = (HTTPTransport) transport; - return "POST".equalsIgnoreCase(t.getHTTPMethod()) && t.getParameterValue("assertion") != null; - } else { - return false; - } - } +// @Override +// public boolean supports(InTransport transport) { +// if (transport instanceof HTTPInTransport) { +// HTTPTransport t = (HTTPTransport) transport; +// return "POST".equalsIgnoreCase(t.getHTTPMethod()) && t.getParameterValue("assertion") != null; +// } else { +// return false; +// } +// } - @Override - public String getBindingURI() { - return "urn:oasis:names:tc:SAML:2.0:bindings:URI"; - } +// @Override +// public String getBindingURI() { +// return "urn:oasis:names:tc:SAML:2.0:bindings:URI"; +// } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlAssertionDecoder.java b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlAssertionDecoder.java index ccfbf170d94..4feb84f4ae1 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlAssertionDecoder.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlAssertionDecoder.java 
@@ -16,15 +16,15 @@ package org.cloudfoundry.identity.uaa.authentication; import org.cloudfoundry.identity.uaa.provider.saml.SamlRedirectUtils; -import org.opensaml.common.binding.SAMLMessageContext; -import org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder; -import org.opensaml.saml2.core.Assertion; -import org.opensaml.saml2.core.Response; -import org.opensaml.ws.message.MessageContext; -import org.opensaml.ws.message.decoder.MessageDecodingException; -import org.opensaml.ws.transport.http.HTTPInTransport; -import org.opensaml.xml.parse.ParserPool; -import org.opensaml.xml.util.DatatypeHelper; +//import org.opensaml.common.binding.SAMLMessageContext; +//import org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder; +//import org.opensaml.saml2.core.Assertion; +//import org.opensaml.saml2.core.Response; +//import org.opensaml.ws.message.MessageContext; +//import org.opensaml.ws.message.decoder.MessageDecodingException; +//import org.opensaml.ws.transport.http.HTTPInTransport; +//import org.opensaml.xml.parse.ParserPool; +//import org.opensaml.xml.util.DatatypeHelper; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -39,7 +39,7 @@ * 2. The unmarshalling of the object gets wrapped in a SamlResponse object */ -public class SamlAssertionDecoder extends BaseSAML2MessageDecoder { +public class SamlAssertionDecoder /* extends BaseSAML2MessageDecoder */ { /** Class logger. */ private final Logger log = LoggerFactory.getLogger(SamlAssertionDecoder.class); @@ -54,9 +54,9 @@ public SamlAssertionDecoder() { * * @param pool parser pool used to deserialize messages */ - public SamlAssertionDecoder(ParserPool pool) { - super(pool); - } +// public SamlAssertionDecoder(ParserPool pool) { +// super(pool); +// } /** {@inheritDoc} */ public String getBindingURI() { 
@@ -64,44 +64,44 @@ public String getBindingURI() { } /** {@inheritDoc} */ - protected boolean isIntendedDestinationEndpointURIRequired(SAMLMessageContext samlMsgCtx) { - return isMessageSigned(samlMsgCtx); - } +// protected boolean isIntendedDestinationEndpointURIRequired(SAMLMessageContext samlMsgCtx) { +// return isMessageSigned(samlMsgCtx); +// } /** {@inheritDoc} */ - protected void doDecode(MessageContext messageContext) throws MessageDecodingException { - if (!(messageContext instanceof SAMLMessageContext)) { - log.error("Invalid message context type, this decoder only support SAMLMessageContext"); - throw new MessageDecodingException( - "Invalid message context type, this decoder only support SAMLMessageContext"); - } - - if (!(messageContext.getInboundMessageTransport() instanceof HTTPInTransport)) { - log.error("Invalid inbound message transport type, this decoder only support HTTPInTransport"); - throw new MessageDecodingException( - "Invalid inbound message transport type, this decoder only support HTTPInTransport"); - } - - SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext; - - HTTPInTransport inTransport = (HTTPInTransport) samlMsgCtx.getInboundMessageTransport(); - if (!inTransport.getHTTPMethod().equalsIgnoreCase("POST")) { - throw new MessageDecodingException("This message decoder only supports the HTTP POST method"); - } - - String relayState = inTransport.getParameterValue("RelayState"); - samlMsgCtx.setRelayState(relayState); - log.debug("Decoded SAML relay state of: {}", relayState); - - InputStream base64DecodedMessage = getBase64DecodedMessage(inTransport); - Assertion inboundMessage = (Assertion) unmarshallMessage(base64DecodedMessage); - Response response = SamlRedirectUtils.wrapAssertionIntoResponse(inboundMessage, inboundMessage.getIssuer().getValue()); - samlMsgCtx.setInboundMessage(response); - samlMsgCtx.setInboundSAMLMessage(response); - log.debug("Decoded SAML message"); - - populateMessageContext(samlMsgCtx); - } 
+// protected void doDecode(MessageContext messageContext) throws MessageDecodingException { +// if (!(messageContext instanceof SAMLMessageContext)) { +// log.error("Invalid message context type, this decoder only support SAMLMessageContext"); +// throw new MessageDecodingException( +// "Invalid message context type, this decoder only support SAMLMessageContext"); +// } +// +// if (!(messageContext.getInboundMessageTransport() instanceof HTTPInTransport)) { +// log.error("Invalid inbound message transport type, this decoder only support HTTPInTransport"); +// throw new MessageDecodingException( +// "Invalid inbound message transport type, this decoder only support HTTPInTransport"); +// } +// +// SAMLMessageContext samlMsgCtx = (SAMLMessageContext) messageContext; +// +// HTTPInTransport inTransport = (HTTPInTransport) samlMsgCtx.getInboundMessageTransport(); +// if (!inTransport.getHTTPMethod().equalsIgnoreCase("POST")) { +// throw new MessageDecodingException("This message decoder only supports the HTTP POST method"); +// } +// +// String relayState = inTransport.getParameterValue("RelayState"); +// samlMsgCtx.setRelayState(relayState); +// log.debug("Decoded SAML relay state of: {}", relayState); +// +// InputStream base64DecodedMessage = getBase64DecodedMessage(inTransport); +// Assertion inboundMessage = (Assertion) unmarshallMessage(base64DecodedMessage); +// Response response = SamlRedirectUtils.wrapAssertionIntoResponse(inboundMessage, inboundMessage.getIssuer().getValue()); +// samlMsgCtx.setInboundMessage(response); +// samlMsgCtx.setInboundSAMLMessage(response); +// log.debug("Decoded SAML message"); +// +// populateMessageContext(samlMsgCtx); +// } /** * Gets the Base64 encoded message from the request and decodes it. 
@@ -112,25 +112,25 @@ protected void doDecode(MessageContext messageContext) throws MessageDecodingExc * * @throws MessageDecodingException thrown if the message does not contain a base64 encoded SAML message */ - protected InputStream getBase64DecodedMessage(HTTPInTransport transport) throws MessageDecodingException { - log.debug("Getting Base64 encoded message from request"); - String encodedMessage = transport.getParameterValue("assertion"); - - - if (DatatypeHelper.isEmpty(encodedMessage)) { - log.error("Request did not contain either a SAMLRequest or " - + "SAMLResponse parameter. Invalid request for SAML 2 HTTP POST binding."); - throw new MessageDecodingException("No SAML message present in request"); - } - - log.trace("Base64 decoding SAML message:\n{}", encodedMessage); - byte[] decodedBytes = org.apache.commons.codec.binary.Base64.decodeBase64(encodedMessage.getBytes(StandardCharsets.UTF_8)); - if(decodedBytes == null){ - log.error("Unable to Base64 decode SAML message"); - throw new MessageDecodingException("Unable to Base64 decode SAML message"); - } - - log.trace("Decoded SAML message:\n{}", new String(decodedBytes)); - return new ByteArrayInputStream(decodedBytes); - } +// protected InputStream getBase64DecodedMessage(HTTPInTransport transport) throws MessageDecodingException { +// log.debug("Getting Base64 encoded message from request"); +// String encodedMessage = transport.getParameterValue("assertion"); +// +// +// if (DatatypeHelper.isEmpty(encodedMessage)) { +// log.error("Request did not contain either a SAMLRequest or " +// + "SAMLResponse parameter. 
Invalid request for SAML 2 HTTP POST binding."); +// throw new MessageDecodingException("No SAML message present in request"); +// } +// +// log.trace("Base64 decoding SAML message:\n{}", encodedMessage); +// byte[] decodedBytes = org.apache.commons.codec.binary.Base64.decodeBase64(encodedMessage.getBytes(StandardCharsets.UTF_8)); +// if(decodedBytes == null){ +// log.error("Unable to Base64 decode SAML message"); +// throw new MessageDecodingException("Unable to Base64 decode SAML message"); +// } +// +// log.trace("Decoded SAML message:\n{}", new String(decodedBytes)); +// return new ByteArrayInputStream(decodedBytes); +// } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlResponseLoggerBinding.java b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlResponseLoggerBinding.java index f9d5afa7f48..a971fc347b7 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlResponseLoggerBinding.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/SamlResponseLoggerBinding.java 
@@ -1,15 +1,15 @@ package org.cloudfoundry.identity.uaa.authentication; -import org.opensaml.ws.message.decoder.MessageDecoder; -import org.opensaml.ws.message.encoder.MessageEncoder; -import org.opensaml.ws.security.SecurityPolicyRule; -import org.opensaml.ws.transport.InTransport; -import org.opensaml.ws.transport.OutTransport; -import org.opensaml.ws.transport.http.HttpServletRequestAdapter; +//import org.opensaml.ws.message.decoder.MessageDecoder; +//import org.opensaml.ws.message.encoder.MessageEncoder; +//import org.opensaml.ws.security.SecurityPolicyRule; +//import org.opensaml.ws.transport.InTransport; +//import org.opensaml.ws.transport.OutTransport; +//import org.opensaml.ws.transport.http.HttpServletRequestAdapter; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.springframework.security.saml.context.SAMLMessageContext; -import org.springframework.security.saml.processor.SAMLBinding; +//import org.springframework.security.saml.context.SAMLMessageContext; +//import org.springframework.security.saml.processor.SAMLBinding; import org.springframework.stereotype.Component; import javax.servlet.http.HttpServletRequest; 
@@ -19,37 +19,37 @@ import java.util.stream.Collectors; @Component("samlResponseLoggerBinding") -public class SamlResponseLoggerBinding implements SAMLBinding { +public class SamlResponseLoggerBinding /* implements SAMLBinding */ { private static final Logger LOGGER = LoggerFactory.getLogger(SamlResponseLoggerBinding.class); public static final String X_VCAP_REQUEST_ID_HEADER = "X-Vcap-Request-Id"; - @Override - public boolean supports(InTransport transport) { - if (!(transport instanceof HttpServletRequestAdapter)) { - return false; - } - - HttpServletRequest httpServletRequest = ((HttpServletRequestAdapter) transport).getWrappedRequest(); - LOGGER.warn("Malformed SAML response. More details at log level DEBUG."); - - if (httpServletRequest == null) { - LOGGER.debug("HttpServletRequest is null - no information to log"); - return false; - } - - if (LOGGER.isDebugEnabled()) { - LOGGER.debug("Method: {}, Params (name/size): {}, Content-type: {}, Request-size: {}, {}: {}", - httpServletRequest.getMethod(), - describeParameters(httpServletRequest), - httpServletRequest.getContentType(), - httpServletRequest.getContentLength(), - X_VCAP_REQUEST_ID_HEADER, - httpServletRequest.getHeader(X_VCAP_REQUEST_ID_HEADER)); - } - return false; - } +// @Override +// public boolean supports(InTransport transport) { +// if (!(transport instanceof HttpServletRequestAdapter)) { +// return false; +// } +// +// HttpServletRequest httpServletRequest = ((HttpServletRequestAdapter) transport).getWrappedRequest(); +// LOGGER.warn("Malformed SAML response. 
More details at log level DEBUG."); +// +// if (httpServletRequest == null) { +// LOGGER.debug("HttpServletRequest is null - no information to log"); +// return false; +// } +// +// if (LOGGER.isDebugEnabled()) { +// LOGGER.debug("Method: {}, Params (name/size): {}, Content-type: {}, Request-size: {}, {}: {}", +// httpServletRequest.getMethod(), +// describeParameters(httpServletRequest), +// httpServletRequest.getContentType(), +// httpServletRequest.getContentLength(), +// X_VCAP_REQUEST_ID_HEADER, +// httpServletRequest.getHeader(X_VCAP_REQUEST_ID_HEADER)); +// } +// return false; +// } private static String describeParameters(HttpServletRequest t) { if (t == null || t.getParameterMap() == null) { @@ -82,28 +82,28 @@ private static String formatParam(Map.Entry p) { return String.join(" ", formattedParams); } - @Override - public boolean supports(OutTransport transport) { - return false; - } +// @Override +// public boolean supports(OutTransport transport) { +// return false; +// } - @Override - public MessageDecoder getMessageDecoder() { - return null; - } +// @Override +// public MessageDecoder getMessageDecoder() { +// return null; +// } - @Override - public MessageEncoder getMessageEncoder() { - return null; - } +// @Override +// public MessageEncoder getMessageEncoder() { +// return null; +// } - @Override +// @Override public String getBindingURI() { return "NON_NULL_BINDING_URI_UNUSED_SamlResponseLoggerBinding"; } - @Override - public void getSecurityPolicy(List securityPolicy, SAMLMessageContext samlContext) { - - } +// @Override +// public void getSecurityPolicy(List securityPolicy, SAMLMessageContext samlContext) { +// +// } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthentication.java b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthentication.java index bcc7837e1ad..91849376b61 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthentication.java 
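Review bot: `describeParameters` (and `formatParam`, which it uses) is left in place while its only visible caller, `supports(InTransport)`, is commented out, so the class now carries an unused private method plus the `List`/`Map` imports it needs; the `@Component("samlResponseLoggerBinding")` annotation also still registers a bean that no longer implements `SAMLBinding` or anything else. If the parameter-logging helper is meant to survive the migration, say so where it is defined, e.g. `// Kept for the replacement SAML binding; currently uncalled.`, otherwise comment it out with the rest. `getBindingURI()` in the second hunk loses its `@Override` but keeps its placeholder body; a comment noting it is no longer an interface method would stop a reader from looking for the contract it used to satisfy.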
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthentication.java @@ -24,7 +24,7 @@ import com.fasterxml.jackson.databind.annotation.JsonSerialize; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; -import org.springframework.security.saml.context.SAMLMessageContext; +//import org.springframework.security.saml.context.SAMLMessageContext; import org.springframework.util.LinkedMultiValueMap; import org.springframework.util.MultiValueMap; @@ -62,7 +62,7 @@ public UaaAuthentication setLastLoginSuccessTime(Long lastLoginSuccessTime) { //This is used when UAA acts as a SAML IdP @JsonIgnore - private transient SAMLMessageContext samlMessageContext; +// private transient SAMLMessageContext samlMessageContext; /** * Creates a token with the supplied array of authorities. @@ -213,16 +213,16 @@ public void setUserAttributes(MultiValueMap userAttributes) { this.userAttributes.put(entry.getKey(), entry.getValue()); } } - - @JsonIgnore - public SAMLMessageContext getSamlMessageContext() { - return samlMessageContext; - } - - @JsonIgnore - public void setSamlMessageContext(SAMLMessageContext samlMessageContext) { - this.samlMessageContext = samlMessageContext; - } +// +// @JsonIgnore +// public SAMLMessageContext getSamlMessageContext() { +// return samlMessageContext; +// } +// +// @JsonIgnore +// public void setSamlMessageContext(SAMLMessageContext samlMessageContext) { +// this.samlMessageContext = samlMessageContext; +// } public Set getAuthenticationMethods() { return authenticationMethods; diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaSamlLogoutFilter.java b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaSamlLogoutFilter.java index 75eea3fb59f..09cd4193af4 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaSamlLogoutFilter.java 
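Review bot: The `@JsonIgnore` above the commented-out `samlMessageContext` field is left in place, so it now annotates the next declaration in the file instead — judging by the Javadoc that follows ("Creates a token with the supplied array of authorities") that is a constructor, which sits outside the hunk. `@JsonIgnore` is permitted on constructors, so this compiles silently while potentially changing how Jackson treats that constructor on `UaaAuthentication`. Comment out or delete the annotation together with the field: `// @JsonIgnore`. The getter/setter pair commented out in the third hunk (`@@ -213`) has no such leftover.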
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaSamlLogoutFilter.java @@ -1,14 +1,14 @@ package org.cloudfoundry.identity.uaa.authentication; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.saml2.metadata.SingleLogoutService; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; +//import org.opensaml.saml2.metadata.IDPSSODescriptor; +//import org.opensaml.saml2.metadata.SingleLogoutService; +//import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.saml.SAMLConstants; -import org.springframework.security.saml.SAMLCredential; -import org.springframework.security.saml.SAMLLogoutFilter; -import org.springframework.security.saml.context.SAMLMessageContext; +//import org.springframework.security.saml.SAMLConstants; +//import org.springframework.security.saml.SAMLCredential; +//import org.springframework.security.saml.SAMLLogoutFilter; +//import org.springframework.security.saml.context.SAMLMessageContext; import org.springframework.security.web.authentication.logout.LogoutHandler; import org.springframework.security.web.authentication.logout.LogoutSuccessHandler; 
@@ -16,34 +16,34 @@ import javax.servlet.http.HttpServletResponse; import java.util.List; -public class UaaSamlLogoutFilter extends SAMLLogoutFilter { +public class UaaSamlLogoutFilter /* extends SAMLLogoutFilter */ { - public UaaSamlLogoutFilter(LogoutSuccessHandler logoutSuccessHandler, LogoutHandler... handlers) { - super(logoutSuccessHandler, handlers, handlers); - setFilterProcessesUrl("/logout.do"); - } +// public UaaSamlLogoutFilter(LogoutSuccessHandler logoutSuccessHandler, LogoutHandler... handlers) { +// super(logoutSuccessHandler, handlers, handlers); +// setFilterProcessesUrl("/logout.do"); +// } - @Override - protected boolean isGlobalLogout(HttpServletRequest request, Authentication auth) { - SAMLMessageContext context; - try { - SAMLCredential credential = (SAMLCredential) auth.getCredentials(); - request.setAttribute(SAMLConstants.LOCAL_ENTITY_ID, credential.getLocalEntityID()); - request.setAttribute(SAMLConstants.PEER_ENTITY_ID, credential.getRemoteEntityID()); - context = contextProvider.getLocalAndPeerEntity(request, null); - IDPSSODescriptor idp = (IDPSSODescriptor) context.getPeerEntityRoleMetadata(); - List singleLogoutServices = idp.getSingleLogoutServices(); - return singleLogoutServices.size() != 0; - } catch (MetadataProviderException e) { - logger.debug("Error processing metadata", e); - return false; - } - } +// @Override +// protected boolean isGlobalLogout(HttpServletRequest request, Authentication auth) { +// SAMLMessageContext context; +// try { +// SAMLCredential credential = (SAMLCredential) auth.getCredentials(); +// request.setAttribute(SAMLConstants.LOCAL_ENTITY_ID, credential.getLocalEntityID()); +// request.setAttribute(SAMLConstants.PEER_ENTITY_ID, credential.getRemoteEntityID()); +// context = contextProvider.getLocalAndPeerEntity(request, null); +// IDPSSODescriptor idp = (IDPSSODescriptor) context.getPeerEntityRoleMetadata(); +// List singleLogoutServices = idp.getSingleLogoutServices(); +// return 
singleLogoutServices.size() != 0; +// } catch (MetadataProviderException e) { +// logger.debug("Error processing metadata", e); +// return false; +// } +// } - @Override - protected boolean requiresLogout(HttpServletRequest request, HttpServletResponse response) { - Authentication auth = SecurityContextHolder.getContext().getAuthentication(); - return auth != null && auth.getCredentials() instanceof SAMLCredential && super.requiresLogout(request, response); - } +// @Override +// protected boolean requiresLogout(HttpServletRequest request, HttpServletResponse response) { +// Authentication auth = SecurityContextHolder.getContext().getAuthentication(); +// return auth != null && auth.getCredentials() instanceof SAMLCredential && super.requiresLogout(request, response); +// } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/home/HomeController.java b/server/src/main/java/org/cloudfoundry/identity/uaa/home/HomeController.java index cb78f6498d4..001540a875d 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/home/HomeController.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/home/HomeController.java @@ -23,8 +23,8 @@ import org.cloudfoundry.identity.uaa.zone.IdentityZoneConfiguration; import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder; import org.cloudfoundry.identity.uaa.zone.Links; -import org.opensaml.common.SAMLException; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; +//import org.opensaml.common.SAMLException; +//import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Qualifier; 
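Review bot: `UaaSamlLogoutFilter` is left as an empty class in the `@@ -16,34` hunk — no superclass, no constructor, no `requiresLogout`/`isGlobalLogout` — so SAML single logout on `/logout.do` is dropped with nothing in the source recording that, and the remaining `Authentication`, `SecurityContextHolder`, `LogoutHandler`, `LogoutSuccessHandler` and servlet imports are now unused. If anything still wires this bean as a servlet filter (not visible here) it no longer satisfies that contract. Replace the commented-out bodies with one explicit class-level marker, e.g. `// TODO(saml-migration): SAML single logout (IdP SingleLogoutService lookup on /logout.do) is disabled until the SAML stack is replaced`, and delete the dead code. The class declaration is in this hunk and its closing brace is the hunk's last context line.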
@@ -129,13 +129,13 @@ public String error500(Model model, HttpServletRequest request, HttpServletRespo
 logger.error("Internal error", genericException);
 // check for common SAML related exceptions and redirect these to bad_request
- if (nonNull(genericException) &&
- (genericException.getCause() instanceof SAMLException || genericException.getCause() instanceof MetadataProviderException)) {
- Exception samlException = (Exception) genericException.getCause();
- model.addAttribute("saml_error", samlException.getMessage());
- response.setStatus(400);
- return EXTERNAL_AUTH_ERROR;
- }
+// if (nonNull(genericException) &&
+// (genericException.getCause() instanceof SAMLException || genericException.getCause() instanceof MetadataProviderException)) {
+// Exception samlException = (Exception) genericException.getCause();
+// model.addAttribute("saml_error", samlException.getMessage());
+// response.setStatus(400);
+// return EXTERNAL_AUTH_ERROR;
+// }
 populateBuildAndLinkInfo(model);
 return ERROR;
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/passcode/PasscodeInformation.java b/server/src/main/java/org/cloudfoundry/identity/uaa/passcode/PasscodeInformation.java
index 1d2138faa8a..7651a1e4858 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/passcode/PasscodeInformation.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/passcode/PasscodeInformation.java
@@ -61,8 +61,8 @@ public PasscodeInformation(Principal principal, Map authorizatio
 uaaPrincipal = getUaaPrincipal(castUaaPrincipal);
 } else if (principal instanceof UaaAuthentication castUaaAuthentication) {
 uaaPrincipal = getUaaPrincipal(castUaaAuthentication.getPrincipal());
- } else if (principal instanceof final LoginSamlAuthenticationToken samlTokenPrincipal) {
- uaaPrincipal = getUaaPrincipal(samlTokenPrincipal.getUaaPrincipal());
+// } else if (principal instanceof final LoginSamlAuthenticationToken samlTokenPrincipal) {
+// uaaPrincipal = getUaaPrincipal(samlTokenPrincipal.getUaaPrincipal());
 } else if (
 principal instanceof Authentication castAuthentication &&
 castAuthentication.getPrincipal() instanceof UaaPrincipal castUaaPrincipal
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java
index c83d415dd4c..ed433d0154e 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java
@@ -49,7 +49,7 @@
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
 import org.cloudfoundry.identity.uaa.util.ObjectUtils;
 import org.cloudfoundry.identity.uaa.zone.beans.IdentityZoneManager;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+//import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Qualifier;
@@ -120,7 +120,7 @@ public IdentityProviderEndpoints(
 }
 @RequestMapping(method = POST)
- public ResponseEntity createIdentityProvider(@RequestBody IdentityProvider body, @RequestParam(required = false, defaultValue = "false") boolean rawConfig) throws MetadataProviderException{
+ public ResponseEntity createIdentityProvider(@RequestBody IdentityProvider body, @RequestParam(required = false, defaultValue = "false") boolean rawConfig) /* throws MetadataProviderException */ {
 body.setSerializeConfigRaw(rawConfig);
 String zoneId = identityZoneManager.getCurrentIdentityZoneId();
 body.setIdentityZoneId(zoneId);
@@ -220,7 +220,7 @@ public ResponseEntity deleteIdentityProvider(@PathVariable Str
 }
 @RequestMapping(value = "{id}", method = PUT)
- public ResponseEntity updateIdentityProvider(@PathVariable String id, @RequestBody IdentityProvider body, @RequestParam(required = false, defaultValue = "false") boolean rawConfig) throws MetadataProviderException {
+ public ResponseEntity updateIdentityProvider(@PathVariable String id, @RequestBody IdentityProvider body, @RequestParam(required = false, defaultValue = "false") boolean rawConfig) /* throws MetadataProviderException */ {
 body.setSerializeConfigRaw(rawConfig);
 String zoneId = identityZoneManager.getCurrentIdentityZoneId();
 IdentityProvider existing = identityProviderProvisioning.retrieve(id, zoneId);
@@ -364,14 +364,14 @@ public ResponseEntity testIdentityProvider(@RequestBody IdentityProvider
 return new ResponseEntity<>(JsonUtils.writeValueAsString(exception), status);
 }
- @ExceptionHandler(MetadataProviderException.class)
- public ResponseEntity handleMetadataProviderException(MetadataProviderException e) {
- if (e.getMessage().contains("Duplicate")) {
- return new ResponseEntity<>(e.getMessage(), CONFLICT);
- } else {
- return new ResponseEntity<>(e.getMessage(), HttpStatus.BAD_REQUEST);
- }
- }
+// @ExceptionHandler(MetadataProviderException.class)
+// public ResponseEntity handleMetadataProviderException(MetadataProviderException e) {
+// if (e.getMessage().contains("Duplicate")) {
+// return new ResponseEntity<>(e.getMessage(), CONFLICT);
+// } else {
+// return new ResponseEntity<>(e.getMessage(), HttpStatus.BAD_REQUEST);
+// }
+// }
 @ExceptionHandler(JsonUtils.JsonUtilException.class)
 public ResponseEntity handleMetadataProviderException() {
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ComparableProvider.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ComparableProvider.java
index 22d26fb17c6..ca942b629a5 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ComparableProvider.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ComparableProvider.java
@@ -13,36 +13,36 @@ */ package org.cloudfoundry.identity.uaa.provider.saml; -import org.opensaml.saml2.metadata.EntitiesDescriptor; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.opensaml.xml.XMLObject; +//import org.opensaml.saml2.metadata.EntitiesDescriptor; +//import org.opensaml.saml2.metadata.EntityDescriptor; +//import org.opensaml.saml2.metadata.provider.MetadataProviderException; +//import org.opensaml.xml.XMLObject; public interface ComparableProvider extends Comparable { String getAlias(); String getZoneId(); - XMLObject doGetMetadata() throws MetadataProviderException; +// XMLObject doGetMetadata() throws MetadataProviderException; byte[] fetchMetadata(); - default String getEntityID() throws MetadataProviderException { - fetchMetadata(); - XMLObject metadata = doGetMetadata(); - if (metadata instanceof EntityDescriptor) { - EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; - return entityDescriptor.getEntityID(); - } else if (metadata instanceof EntitiesDescriptor) { - EntitiesDescriptor desc = (EntitiesDescriptor)metadata; - if (desc.getEntityDescriptors().size()!=1) { - throw new MetadataProviderException("Invalid metadata. 
Number of descriptors must be 1, but is "+desc.getEntityDescriptors().size()); - } else { - return desc.getEntityDescriptors().get(0).getEntityID(); - } - } else { - throw new MetadataProviderException("Unknown descriptor class:"+metadata.getClass().getName()); - } - } +// default String getEntityID() /* throws MetadataProviderException */ { +// fetchMetadata(); +// XMLObject metadata = doGetMetadata(); +// if (metadata instanceof EntityDescriptor) { +// EntityDescriptor entityDescriptor = (EntityDescriptor) metadata; +// return entityDescriptor.getEntityID(); +// } else if (metadata instanceof EntitiesDescriptor) { +// EntitiesDescriptor desc = (EntitiesDescriptor)metadata; +// if (desc.getEntityDescriptors().size()!=1) { +// throw new MetadataProviderException("Invalid metadata. Number of descriptors must be 1, but is "+desc.getEntityDescriptors().size()); +// } else { +// return desc.getEntityDescriptors().get(0).getEntityID(); +// } +// } else { +// throw new MetadataProviderException("Unknown descriptor class:"+metadata.getClass().getName()); +// } +// } default int compareTo(ComparableProvider that) { int result = 0; diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ConfigMetadataProvider.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ConfigMetadataProvider.java index e1f31ba9314..450f62ff9cc 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ConfigMetadataProvider.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ConfigMetadataProvider.java 
@@ -1,9 +1,9 @@
 package org.cloudfoundry.identity.uaa.provider.saml;
-import org.opensaml.saml2.metadata.provider.AbstractMetadataProvider;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
-import org.opensaml.xml.XMLObject;
-import org.opensaml.xml.io.UnmarshallingException;
+//import org.opensaml.saml2.metadata.provider.AbstractMetadataProvider;
+//import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+//import org.opensaml.xml.XMLObject;
+//import org.opensaml.xml.io.UnmarshallingException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -11,7 +11,7 @@
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
-public class ConfigMetadataProvider extends AbstractMetadataProvider implements ComparableProvider {
+public class ConfigMetadataProvider /* extends AbstractMetadataProvider */ implements ComparableProvider {
 private final Logger log = LoggerFactory.getLogger(ConfigMetadataProvider.class);
@@ -30,19 +30,19 @@ public byte[] fetchMetadata() {
 }
 @Override
- public XMLObject doGetMetadata() throws MetadataProviderException {
+// public XMLObject doGetMetadata() throws MetadataProviderException {
+//
+// InputStream stream = new ByteArrayInputStream(metadata.getBytes(StandardCharsets.UTF_8));
+//
+// try {
+// return unmarshallMetadata(stream);
+// } catch (UnmarshallingException e) {
+// log.error("Unable to unmarshall metadata", e);
+// throw new MetadataProviderException(e);
+// }
+// }
- InputStream stream = new ByteArrayInputStream(metadata.getBytes(StandardCharsets.UTF_8));
-
- try {
- return unmarshallMetadata(stream);
- } catch (UnmarshallingException e) {
- log.error("Unable to unmarshall metadata", e);
- throw new MetadataProviderException(e);
- }
- }
-
- @Override
+// @Override
 public boolean equals(Object o) {
 if (this == o) return true;
 if (o == null || !(o instanceof ComparableProvider)) return false;
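Review bot: In the `@@ -30,19` hunk the wrong `@Override` was commented out: the annotation above the now-dead `doGetMetadata()` is kept as a context line, while the one directly above `public boolean equals(Object o)` becomes `// @Override`. It still compiles only because the surviving annotation falls through the comment block and attaches to `equals`, which does override `Object.equals`; to a reader it looks as if `equals` lost its override check while a dangling `@Override` floats over commented-out code. Swap them — comment out the annotation next to `doGetMetadata` and restore `@Override` on `equals` — or simply delete the commented-out method. The `equals` body continues outside the hunk.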
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/FilesystemMetadataProvider.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/FilesystemMetadataProvider.java
index bba0ecb3f2d..c95e21567e7 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/FilesystemMetadataProvider.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/FilesystemMetadataProvider.java
@@ -13,19 +13,19 @@
 package org.cloudfoundry.identity.uaa.provider.saml;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+//import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import java.io.File;
 import java.util.Timer;
-public class FilesystemMetadataProvider extends org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider {
+public class FilesystemMetadataProvider /* extends org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider */ {
- public FilesystemMetadataProvider(Timer backgroundTaskTimer, File metadata) throws MetadataProviderException {
- super(backgroundTaskTimer, metadata);
- }
+// public FilesystemMetadataProvider(Timer backgroundTaskTimer, File metadata) throws MetadataProviderException {
+// super(backgroundTaskTimer, metadata);
+// }
- @Override
- public byte[] fetchMetadata() throws MetadataProviderException {
- return super.fetchMetadata();
- }
+// @Override
+// public byte[] fetchMetadata() throws MetadataProviderException {
+// return super.fetchMetadata();
+// }
 }
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/FixedHttpMetaDataProvider.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/FixedHttpMetaDataProvider.java
index 77ca1a0a039..06f3db2fc03 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/FixedHttpMetaDataProvider.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/FixedHttpMetaDataProvider.java
@@ -1,7 +1,7 @@
 package org.cloudfoundry.identity.uaa.provider.saml;
 import org.cloudfoundry.identity.uaa.cache.UrlContentCache;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+//import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.springframework.web.client.RestTemplate;
 import java.net.URI;
@@ -22,7 +22,7 @@ public FixedHttpMetaDataProvider(
 this.cache = cache;
 }
- public byte[] fetchMetadata(String metadataURL, boolean isSkipSSLValidation) throws MetadataProviderException {
+ public byte[] fetchMetadata(String metadataURL, boolean isSkipSSLValidation) /* throws MetadataProviderException */ {
 validateMetadataURL(metadataURL);
 if (isSkipSSLValidation) {
@@ -31,11 +31,11 @@ public byte[] fetchMetadata(String metadataURL, boolean isSkipSSLValidation) thr
 return cache.getUrlContent(metadataURL, nonTrustingRestTemplate);
 }
- private void validateMetadataURL(String metadataURL) throws MetadataProviderException {
+ private void validateMetadataURL(String metadataURL) /* throws MetadataProviderException */ {
 try {
 new URI(metadataURL);
 } catch (URISyntaxException e) {
- throw new MetadataProviderException("Illegal URL syntax", e);
+// throw new MetadataProviderException("Illegal URL syntax", e);
 }
 }
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java
index 5092ee78d05..4422ccdb6bb 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java
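Review bot: `validateMetadataURL` in the `@@ -31,11` hunk is now a no-op: the only statement in `catch (URISyntaxException e)` is commented out, so a malformed `metadataURL` is swallowed and handed straight to `cache.getUrlContent(...)`, and since `fetchMetadata` no longer declares a checked exception callers get no signal either. The URL comes from identity-provider configuration, so the rejection should stay; replace the commented line with an unchecked exception that keeps the cause, `throw new IllegalArgumentException("Illegal URL syntax", e);`. An empty catch block is also exactly what static analysis will flag on this class. The `isSkipSSLValidation` branch between the two hunks is untouched by this change.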
@@ -23,17 +23,17 @@
 import org.cloudfoundry.identity.uaa.zone.IdentityZone;
 import org.cloudfoundry.identity.uaa.zone.beans.IdentityZoneManager;
 import org.joda.time.DateTime;
-import org.opensaml.saml2.core.AuthnStatement;
-import org.opensaml.xml.XMLObject;
-import org.opensaml.xml.schema.XSAny;
-import org.opensaml.xml.schema.XSBase64Binary;
-import org.opensaml.xml.schema.XSBoolean;
-import org.opensaml.xml.schema.XSBooleanValue;
-import org.opensaml.xml.schema.XSDateTime;
-import org.opensaml.xml.schema.XSInteger;
-import org.opensaml.xml.schema.XSQName;
-import org.opensaml.xml.schema.XSString;
-import org.opensaml.xml.schema.XSURI;
+//import org.opensaml.saml2.core.AuthnStatement;
+//import org.opensaml.xml.XMLObject;
+//import org.opensaml.xml.schema.XSAny;
+//import org.opensaml.xml.schema.XSBase64Binary;
+//import org.opensaml.xml.schema.XSBoolean;
+//import org.opensaml.xml.schema.XSBooleanValue;
+//import org.opensaml.xml.schema.XSDateTime;
+//import org.opensaml.xml.schema.XSInteger;
+//import org.opensaml.xml.schema.XSQName;
+//import org.opensaml.xml.schema.XSString;
+//import org.opensaml.xml.schema.XSURI;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.ApplicationEvent;
@@ -47,12 +47,12 @@
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
-import org.springframework.security.saml.SAMLAuthenticationProvider;
-import org.springframework.security.saml.SAMLAuthenticationToken;
-import org.springframework.security.saml.SAMLCredential;
-import org.springframework.security.saml.context.SAMLMessageContext;
-import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
+//import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
+//import org.springframework.security.saml.SAMLAuthenticationProvider;
+//import org.springframework.security.saml.SAMLAuthenticationToken;
+//import org.springframework.security.saml.SAMLCredential;
+//import org.springframework.security.saml.context.SAMLMessageContext;
+//import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
 import org.springframework.stereotype.Component;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
@@ -85,110 +85,110 @@ * SAML Authentication Provider responsible for validating of received SAML messages */ @Component("samlAuthenticationProvider") -public class LoginSamlAuthenticationProvider extends SAMLAuthenticationProvider implements ApplicationEventPublisherAware { +public class LoginSamlAuthenticationProvider /* extends SAMLAuthenticationProvider */ implements ApplicationEventPublisherAware { private final static Logger logger = LoggerFactory.getLogger(LoginSamlAuthenticationProvider.class); - private final IdentityZoneManager identityZoneManager; - private final UaaUserDatabase userDatabase; - private final IdentityProviderProvisioning identityProviderProvisioning; - private final ScimGroupExternalMembershipManager externalMembershipManager; +// private final IdentityZoneManager identityZoneManager; +// private final UaaUserDatabase userDatabase; +// private final IdentityProviderProvisioning identityProviderProvisioning; +// private final ScimGroupExternalMembershipManager externalMembershipManager; private ApplicationEventPublisher eventPublisher; - public LoginSamlAuthenticationProvider( - final IdentityZoneManager identityZoneManager, - final UaaUserDatabase userDatabase, - final JdbcIdentityProviderProvisioning identityProviderProvisioning, - final ScimGroupExternalMembershipManager externalMembershipManager) { - this.identityZoneManager = identityZoneManager; - this.userDatabase = userDatabase; - this.identityProviderProvisioning = identityProviderProvisioning; - this.externalMembershipManager = externalMembershipManager; - } - - @Override - public void setUserDetails(SAMLUserDetailsService userDetails) { - super.setUserDetails(userDetails); - } +// public LoginSamlAuthenticationProvider( +// final IdentityZoneManager identityZoneManager, +// final UaaUserDatabase userDatabase, +// final JdbcIdentityProviderProvisioning identityProviderProvisioning, +// final ScimGroupExternalMembershipManager externalMembershipManager) { +// 
this.identityZoneManager = identityZoneManager; +// this.userDatabase = userDatabase; +// this.identityProviderProvisioning = identityProviderProvisioning; +// this.externalMembershipManager = externalMembershipManager; +// } + +// @Override +// public void setUserDetails(SAMLUserDetailsService userDetails) { +// super.setUserDetails(userDetails); +// } @Override public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher) { this.eventPublisher = eventPublisher; } - @Override - public Authentication authenticate(Authentication authentication) throws AuthenticationException { - if (!supports(authentication.getClass())) { - throw new IllegalArgumentException("Only SAMLAuthenticationToken is supported, " + authentication.getClass() + " was attempted"); - } - - IdentityZone zone = identityZoneManager.getCurrentIdentityZone(); - logger.debug(String.format("Initiating SAML authentication in zone '%s' domain '%s'", zone.getId(), zone.getSubdomain())); - SAMLAuthenticationToken token = (SAMLAuthenticationToken) authentication; - SAMLMessageContext context = token.getCredentials(); - String alias = context.getPeerExtendedMetadata().getAlias(); - String relayState = context.getRelayState(); - boolean addNew; - IdentityProvider idp; - SamlIdentityProviderDefinition samlConfig; - try { - idp = identityProviderProvisioning.retrieveByOrigin(alias, identityZoneManager.getCurrentIdentityZoneId()); - samlConfig = idp.getConfig(); - addNew = samlConfig.isAddShadowUserOnLogin(); - if (!idp.isActive()) { - throw new ProviderNotFoundException("Identity Provider has been disabled by administrator for alias:" + alias); - } - } catch (EmptyResultDataAccessException x) { - throw new ProviderNotFoundException("No SAML identity provider found in zone for alias:" + alias); - } - - ExpiringUsernameAuthenticationToken result = getExpiringUsernameAuthenticationToken(authentication); - UaaPrincipal samlPrincipal = new UaaPrincipal(NotANumber, result.getName(), 
result.getName(), alias, result.getName(), zone.getId()); - logger.debug( - String.format( - "Mapped SAML authentication to IDP with origin '%s' and username '%s'", - idp.getOriginKey(), - samlPrincipal.getName() - ) - ); - - Collection samlAuthorities = retrieveSamlAuthorities(samlConfig, (SAMLCredential) result.getCredentials()); - - Collection authorities = null; - SamlIdentityProviderDefinition.ExternalGroupMappingMode groupMappingMode = idp.getConfig().getGroupMappingMode(); - switch (groupMappingMode) { - case EXPLICITLY_MAPPED: - authorities = mapAuthorities(idp.getOriginKey(), samlAuthorities); - break; - case AS_SCOPES: - authorities = new LinkedList<>(samlAuthorities); - break; - } - - Set filteredExternalGroups = filterSamlAuthorities(samlConfig, samlAuthorities); - MultiValueMap userAttributes = retrieveUserAttributes(samlConfig, (SAMLCredential) result.getCredentials()); - - if (samlConfig.getAuthnContext() != null) { - if (Collections.disjoint(userAttributes.get(AUTHENTICATION_CONTEXT_CLASS_REFERENCE), samlConfig.getAuthnContext())) { - throw new BadCredentialsException("Identity Provider did not authenticate with the requested AuthnContext."); - } - } - - UaaUser user = createIfMissing(samlPrincipal, addNew, authorities, userAttributes); - UaaPrincipal principal = new UaaPrincipal(user); - UaaAuthentication resultUaaAuthentication = new LoginSamlAuthenticationToken(principal, result).getUaaAuthentication(user.getAuthorities(), filteredExternalGroups, userAttributes); - publish(new IdentityProviderAuthenticationSuccessEvent(user, resultUaaAuthentication, OriginKeys.SAML, identityZoneManager.getCurrentIdentityZoneId())); - if (samlConfig.isStoreCustomAttributes()) { - userDatabase.storeUserInfo(user.getId(), - new UserInfo() - .setUserAttributes(resultUaaAuthentication.getUserAttributes()) - .setRoles(new LinkedList(resultUaaAuthentication.getExternalGroups())) - ); - } - configureRelayRedirect(relayState); - - return resultUaaAuthentication; - } +// 
@Override +// public Authentication authenticate(Authentication authentication) throws AuthenticationException { +// if (!supports(authentication.getClass())) { +// throw new IllegalArgumentException("Only SAMLAuthenticationToken is supported, " + authentication.getClass() + " was attempted"); +// } +// +// IdentityZone zone = identityZoneManager.getCurrentIdentityZone(); +// logger.debug(String.format("Initiating SAML authentication in zone '%s' domain '%s'", zone.getId(), zone.getSubdomain())); +// SAMLAuthenticationToken token = (SAMLAuthenticationToken) authentication; +// SAMLMessageContext context = token.getCredentials(); +// String alias = context.getPeerExtendedMetadata().getAlias(); +// String relayState = context.getRelayState(); +// boolean addNew; +// IdentityProvider idp; +// SamlIdentityProviderDefinition samlConfig; +// try { +// idp = identityProviderProvisioning.retrieveByOrigin(alias, identityZoneManager.getCurrentIdentityZoneId()); +// samlConfig = idp.getConfig(); +// addNew = samlConfig.isAddShadowUserOnLogin(); +// if (!idp.isActive()) { +// throw new ProviderNotFoundException("Identity Provider has been disabled by administrator for alias:" + alias); +// } +// } catch (EmptyResultDataAccessException x) { +// throw new ProviderNotFoundException("No SAML identity provider found in zone for alias:" + alias); +// } +// +// ExpiringUsernameAuthenticationToken result = getExpiringUsernameAuthenticationToken(authentication); +// UaaPrincipal samlPrincipal = new UaaPrincipal(NotANumber, result.getName(), result.getName(), alias, result.getName(), zone.getId()); +// logger.debug( +// String.format( +// "Mapped SAML authentication to IDP with origin '%s' and username '%s'", +// idp.getOriginKey(), +// samlPrincipal.getName() +// ) +// ); +// +// Collection samlAuthorities = retrieveSamlAuthorities(samlConfig, (SAMLCredential) result.getCredentials()); +// +// Collection authorities = null; +// SamlIdentityProviderDefinition.ExternalGroupMappingMode 
groupMappingMode = idp.getConfig().getGroupMappingMode(); +// switch (groupMappingMode) { +// case EXPLICITLY_MAPPED: +// authorities = mapAuthorities(idp.getOriginKey(), samlAuthorities); +// break; +// case AS_SCOPES: +// authorities = new LinkedList<>(samlAuthorities); +// break; +// } +// +// Set filteredExternalGroups = filterSamlAuthorities(samlConfig, samlAuthorities); +// MultiValueMap userAttributes = retrieveUserAttributes(samlConfig, (SAMLCredential) result.getCredentials()); +// +// if (samlConfig.getAuthnContext() != null) { +// if (Collections.disjoint(userAttributes.get(AUTHENTICATION_CONTEXT_CLASS_REFERENCE), samlConfig.getAuthnContext())) { +// throw new BadCredentialsException("Identity Provider did not authenticate with the requested AuthnContext."); +// } +// } +// +// UaaUser user = createIfMissing(samlPrincipal, addNew, authorities, userAttributes); +// UaaPrincipal principal = new UaaPrincipal(user); +// UaaAuthentication resultUaaAuthentication = new LoginSamlAuthenticationToken(principal, result).getUaaAuthentication(user.getAuthorities(), filteredExternalGroups, userAttributes); +// publish(new IdentityProviderAuthenticationSuccessEvent(user, resultUaaAuthentication, OriginKeys.SAML, identityZoneManager.getCurrentIdentityZoneId())); +// if (samlConfig.isStoreCustomAttributes()) { +// userDatabase.storeUserInfo(user.getId(), +// new UserInfo() +// .setUserAttributes(resultUaaAuthentication.getUserAttributes()) +// .setRoles(new LinkedList(resultUaaAuthentication.getExternalGroups())) +// ); +// } +// configureRelayRedirect(relayState); +// +// return resultUaaAuthentication; +// } public void configureRelayRedirect(String relayState) { //configure relay state 
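Review bot: With `authenticate(...)` commented out in the `@@ -85,110` hunk, two security checks disappear without any trace in the remaining source: the refusal of a disabled provider (`if (!idp.isActive()) throw new ProviderNotFoundException(...)`) and the AuthnContext enforcement (`Collections.disjoint(... AUTHENTICATION_CONTEXT_CLASS_REFERENCE ...)` leading to `BadCredentialsException`). The class also keeps `@Component("samlAuthenticationProvider")` and `ApplicationEventPublisherAware` while no longer implementing any `AuthenticationProvider`, and `configureRelayRedirect`, `filterSamlAuthorities` and `publish` survive as public/protected dead API with their injected collaborators (`identityZoneManager`, `userDatabase`, `identityProviderProvisioning`, `externalMembershipManager`) gone. Add a class-level marker so the checks are carried into the replacement, e.g. `// TODO(saml-migration): re-add disabled-IdP rejection and AuthnContext enforcement from the removed authenticate()`, and drop the commented-out bodies rather than keeping them. The class body continues past the hunk; `configureRelayRedirect` begins on its last context lines.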
@@ -202,9 +202,9 @@ public void configureRelayRedirect(String relayState) {
 }
 }
- protected ExpiringUsernameAuthenticationToken getExpiringUsernameAuthenticationToken(Authentication authentication) {
- return (ExpiringUsernameAuthenticationToken) super.authenticate(authentication);
- }
+// protected ExpiringUsernameAuthenticationToken getExpiringUsernameAuthenticationToken(Authentication authentication) {
+// return (ExpiringUsernameAuthenticationToken) super.authenticate(authentication);
+// }
 protected void publish(ApplicationEvent event) {
 if (eventPublisher != null) {
@@ -220,42 +220,42 @@ protected Set filterSamlAuthorities(SamlIdentityProviderDefinition defin return result; } - protected Collection mapAuthorities(String origin, Collection authorities) { - Collection result = new LinkedList<>(); - logger.debug("Mapping SAML authorities:" + authorities); - for (GrantedAuthority authority : authorities) { - String externalGroup = authority.getAuthority(); - logger.debug("Attempting to map external group: " + externalGroup); - for (ScimGroupExternalMember internalGroup : externalMembershipManager.getExternalGroupMapsByExternalGroup(externalGroup, origin, identityZoneManager.getCurrentIdentityZoneId())) { - String internalName = internalGroup.getDisplayName(); - logger.debug(String.format("Mapped external: '%s' to internal: '%s'", externalGroup, internalName)); - result.add(new SimpleGrantedAuthority(internalName)); - } - } - return result; - } - - private Collection retrieveSamlAuthorities(SamlIdentityProviderDefinition definition, SAMLCredential credential) { - if (definition.getAttributeMappings().get(GROUP_ATTRIBUTE_NAME) != null) { - List groupAttributeNames = getGroupAttributeNames(definition); - - Collection authorities = new ArrayList<>(); - credential.getAttributes().stream() - .filter(attribute -> groupAttributeNames.contains(attribute.getName()) || groupAttributeNames.contains(attribute.getFriendlyName())) - .filter(attribute -> attribute.getAttributeValues() != null) - .filter(attribute -> attribute.getAttributeValues().size() > 0) - .forEach(attribute -> { - for (XMLObject group : attribute.getAttributeValues()) { - authorities.add(new SamlUserAuthority(getStringValue(attribute.getName(), - definition, - group))); - } - }); - - return authorities; - } - return new ArrayList<>(); - } +// protected Collection mapAuthorities(String origin, Collection authorities) { +// Collection result = new LinkedList<>(); +// logger.debug("Mapping SAML authorities:" + authorities); +// for (GrantedAuthority authority : authorities) { 
+// String externalGroup = authority.getAuthority(); +// logger.debug("Attempting to map external group: " + externalGroup); +// for (ScimGroupExternalMember internalGroup : externalMembershipManager.getExternalGroupMapsByExternalGroup(externalGroup, origin, identityZoneManager.getCurrentIdentityZoneId())) { +// String internalName = internalGroup.getDisplayName(); +// logger.debug(String.format("Mapped external: '%s' to internal: '%s'", externalGroup, internalName)); +// result.add(new SimpleGrantedAuthority(internalName)); +// } +// } +// return result; +// } + +// private Collection retrieveSamlAuthorities(SamlIdentityProviderDefinition definition, SAMLCredential credential) { +// if (definition.getAttributeMappings().get(GROUP_ATTRIBUTE_NAME) != null) { +// List groupAttributeNames = getGroupAttributeNames(definition); +// +// Collection authorities = new ArrayList<>(); +// credential.getAttributes().stream() +// .filter(attribute -> groupAttributeNames.contains(attribute.getName()) || groupAttributeNames.contains(attribute.getFriendlyName())) +// .filter(attribute -> attribute.getAttributeValues() != null) +// .filter(attribute -> attribute.getAttributeValues().size() > 0) +// .forEach(attribute -> { +// for (XMLObject group : attribute.getAttributeValues()) { +// authorities.add(new SamlUserAuthority(getStringValue(attribute.getName(), +// definition, +// group))); +// } +// }); +// +// return authorities; +// } +// return new ArrayList<>(); +// } private List getGroupAttributeNames(SamlIdentityProviderDefinition definition) { List attributeNames = new LinkedList<>(); 
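Review bot: getGroupAttributeNames stays live at the end of this hunk while retrieveSamlAuthorities, its only caller visible in the diff, is commented out, so the helper appears to be unreachable now; the same seems true of filterSamlAuthorities at the top of the hunk, whose caller sat in the authenticate body commented out earlier in this file. If that is confirmed, remove or comment out the helpers together with their callers so the file does not keep half of a feature compiled and the other half in comments. Both helpers extend beyond the hunk boundaries.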
@@ -268,134 +268,134 @@ private List getGroupAttributeNames(SamlIdentityProviderDefinition defin return attributeNames; } - public MultiValueMap retrieveUserAttributes(SamlIdentityProviderDefinition definition, SAMLCredential credential) { - logger.debug(String.format("Retrieving SAML user attributes [zone:%s, origin:%s]", definition.getZoneId(), definition.getIdpEntityAlias())); - MultiValueMap userAttributes = new LinkedMultiValueMap<>(); - if (definition != null && definition.getAttributeMappings() != null) { - for (Entry attributeMapping : definition.getAttributeMappings().entrySet()) { - if (attributeMapping.getValue() instanceof String) { - if (credential.getAttribute((String) attributeMapping.getValue()) != null) { - String key = attributeMapping.getKey(); - for (XMLObject xmlObject : credential.getAttribute((String) attributeMapping.getValue()).getAttributeValues()) { - String value = getStringValue(key, definition, xmlObject); - if (value != null) { - userAttributes.add(key, value); - } - } - } - } - } - } - if (credential.getAuthenticationAssertion() != null && credential.getAuthenticationAssertion().getAuthnStatements() != null) { - for (AuthnStatement statement : credential.getAuthenticationAssertion().getAuthnStatements()) { - if (statement.getAuthnContext() != null && statement.getAuthnContext().getAuthnContextClassRef() != null) { - userAttributes.add(AUTHENTICATION_CONTEXT_CLASS_REFERENCE, statement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef()); - } - } - } - return userAttributes; - } - - protected String getStringValue(String key, SamlIdentityProviderDefinition definition, XMLObject xmlObject) { - String value = null; - if (xmlObject instanceof XSString) { - value = ((XSString) xmlObject).getValue(); - } else if (xmlObject instanceof XSAny) { - value = ((XSAny) xmlObject).getTextContent(); - } else if (xmlObject instanceof XSInteger) { - Integer i = ((XSInteger) xmlObject).getValue(); - value = i != null ? 
i.toString() : null; - } else if (xmlObject instanceof XSBoolean) { - XSBooleanValue b = ((XSBoolean) xmlObject).getValue(); - value = b != null && b.getValue() != null ? b.getValue().toString() : null; - } else if (xmlObject instanceof XSDateTime) { - DateTime d = ((XSDateTime) xmlObject).getValue(); - value = d != null ? d.toString() : null; - } else if (xmlObject instanceof XSQName) { - QName name = ((XSQName) xmlObject).getValue(); - value = name != null ? name.toString() : null; - } else if (xmlObject instanceof XSURI) { - value = ((XSURI) xmlObject).getValue(); - } else if (xmlObject instanceof XSBase64Binary) { - value = ((XSBase64Binary) xmlObject).getValue(); - } - - if (value != null) { - logger.debug(String.format("Found SAML user attribute %s of value %s [zone:%s, origin:%s]", key, value, definition.getZoneId(), definition.getIdpEntityAlias())); - return value; - } else if (xmlObject != null) { - logger.debug(String.format("SAML user attribute %s at is not of type XSString or other recognizable type, %s [zone:%s, origin:%s]", key, xmlObject.getClass().getName(), definition.getZoneId(), definition.getIdpEntityAlias())); - } - return null; - } - - protected UaaUser createIfMissing(UaaPrincipal samlPrincipal, boolean addNew, Collection authorities, MultiValueMap userAttributes) { - UaaUser user = null; - String invitedUserId = null; - boolean is_invitation_acceptance = isAcceptedInvitationAuthentication(); - if (is_invitation_acceptance) { - invitedUserId = (String) RequestContextHolder.currentRequestAttributes().getAttribute("user_id", RequestAttributes.SCOPE_SESSION); - user = userDatabase.retrieveUserById(invitedUserId); - if (userAttributes.getFirst(EMAIL_ATTRIBUTE_NAME) != null) { - if (!userAttributes.getFirst(EMAIL_ATTRIBUTE_NAME).equalsIgnoreCase(user.getEmail())) { - throw new BadCredentialsException("SAML User email mismatch. 
Authenticated email doesn't match invited email."); - } - } else { - userAttributes = new LinkedMultiValueMap<>(userAttributes); - userAttributes.add(EMAIL_ATTRIBUTE_NAME, user.getEmail()); - } - addNew = false; - if (user.getUsername().equals(user.getEmail()) && !user.getUsername().equals(samlPrincipal.getName())) { - user = user.modifyUsername(samlPrincipal.getName()); - } - publish(new InvitedUserAuthenticatedEvent(user)); - user = userDatabase.retrieveUserById(invitedUserId); - } - - boolean userModified = false; - UaaUser userWithSamlAttributes = getUser(samlPrincipal, userAttributes); - try { - if (user == null) { - user = userDatabase.retrieveUserByName(samlPrincipal.getName(), samlPrincipal.getOrigin()); - } - } catch (UsernameNotFoundException e) { - UaaUserPrototype uaaUser = userDatabase.retrieveUserPrototypeByEmail(userWithSamlAttributes.getEmail(), samlPrincipal.getOrigin()); - if (uaaUser != null) { - userModified = true; - user = new UaaUser(uaaUser.withUsername(samlPrincipal.getName())); - } else { - if (!addNew) { - throw new LoginSAMLException("SAML user does not exist. 
" - + "You can correct this by creating a shadow user for the SAML user.", e); - } - publish(new NewUserAuthenticatedEvent(userWithSamlAttributes)); - try { - user = new UaaUser(userDatabase.retrieveUserPrototypeByName(samlPrincipal.getName(), samlPrincipal.getOrigin())); - } catch (UsernameNotFoundException ex) { - throw new BadCredentialsException("Unable to establish shadow user for SAML user:" + samlPrincipal.getName()); - } - } - } - if (haveUserAttributesChanged(user, userWithSamlAttributes)) { - userModified = true; - user = user.modifyAttributes(userWithSamlAttributes.getEmail(), - userWithSamlAttributes.getGivenName(), - userWithSamlAttributes.getFamilyName(), - userWithSamlAttributes.getPhoneNumber(), - userWithSamlAttributes.getExternalId(), - user.isVerified() || userWithSamlAttributes.isVerified()); - } - publish( - new ExternalGroupAuthorizationEvent( - user, - userModified, - authorities, - true - ) - ); - user = userDatabase.retrieveUserById(user.getId()); - return user; - } +// public MultiValueMap retrieveUserAttributes(SamlIdentityProviderDefinition definition, SAMLCredential credential) { +// logger.debug(String.format("Retrieving SAML user attributes [zone:%s, origin:%s]", definition.getZoneId(), definition.getIdpEntityAlias())); +// MultiValueMap userAttributes = new LinkedMultiValueMap<>(); +// if (definition != null && definition.getAttributeMappings() != null) { +// for (Entry attributeMapping : definition.getAttributeMappings().entrySet()) { +// if (attributeMapping.getValue() instanceof String) { +// if (credential.getAttribute((String) attributeMapping.getValue()) != null) { +// String key = attributeMapping.getKey(); +// for (XMLObject xmlObject : credential.getAttribute((String) attributeMapping.getValue()).getAttributeValues()) { +// String value = getStringValue(key, definition, xmlObject); +// if (value != null) { +// userAttributes.add(key, value); +// } +// } +// } +// } +// } +// } +// if (credential.getAuthenticationAssertion() 
!= null && credential.getAuthenticationAssertion().getAuthnStatements() != null) { +// for (AuthnStatement statement : credential.getAuthenticationAssertion().getAuthnStatements()) { +// if (statement.getAuthnContext() != null && statement.getAuthnContext().getAuthnContextClassRef() != null) { +// userAttributes.add(AUTHENTICATION_CONTEXT_CLASS_REFERENCE, statement.getAuthnContext().getAuthnContextClassRef().getAuthnContextClassRef()); +// } +// } +// } +// return userAttributes; +// } + +// protected String getStringValue(String key, SamlIdentityProviderDefinition definition, XMLObject xmlObject) { +// String value = null; +// if (xmlObject instanceof XSString) { +// value = ((XSString) xmlObject).getValue(); +// } else if (xmlObject instanceof XSAny) { +// value = ((XSAny) xmlObject).getTextContent(); +// } else if (xmlObject instanceof XSInteger) { +// Integer i = ((XSInteger) xmlObject).getValue(); +// value = i != null ? i.toString() : null; +// } else if (xmlObject instanceof XSBoolean) { +// XSBooleanValue b = ((XSBoolean) xmlObject).getValue(); +// value = b != null && b.getValue() != null ? b.getValue().toString() : null; +// } else if (xmlObject instanceof XSDateTime) { +// DateTime d = ((XSDateTime) xmlObject).getValue(); +// value = d != null ? d.toString() : null; +// } else if (xmlObject instanceof XSQName) { +// QName name = ((XSQName) xmlObject).getValue(); +// value = name != null ? 
name.toString() : null; +// } else if (xmlObject instanceof XSURI) { +// value = ((XSURI) xmlObject).getValue(); +// } else if (xmlObject instanceof XSBase64Binary) { +// value = ((XSBase64Binary) xmlObject).getValue(); +// } +// +// if (value != null) { +// logger.debug(String.format("Found SAML user attribute %s of value %s [zone:%s, origin:%s]", key, value, definition.getZoneId(), definition.getIdpEntityAlias())); +// return value; +// } else if (xmlObject != null) { +// logger.debug(String.format("SAML user attribute %s at is not of type XSString or other recognizable type, %s [zone:%s, origin:%s]", key, xmlObject.getClass().getName(), definition.getZoneId(), definition.getIdpEntityAlias())); +// } +// return null; +// } + +// protected UaaUser createIfMissing(UaaPrincipal samlPrincipal, boolean addNew, Collection authorities, MultiValueMap userAttributes) { +// UaaUser user = null; +// String invitedUserId = null; +// boolean is_invitation_acceptance = isAcceptedInvitationAuthentication(); +// if (is_invitation_acceptance) { +// invitedUserId = (String) RequestContextHolder.currentRequestAttributes().getAttribute("user_id", RequestAttributes.SCOPE_SESSION); +// user = userDatabase.retrieveUserById(invitedUserId); +// if (userAttributes.getFirst(EMAIL_ATTRIBUTE_NAME) != null) { +// if (!userAttributes.getFirst(EMAIL_ATTRIBUTE_NAME).equalsIgnoreCase(user.getEmail())) { +// throw new BadCredentialsException("SAML User email mismatch. 
Authenticated email doesn't match invited email."); +// } +// } else { +// userAttributes = new LinkedMultiValueMap<>(userAttributes); +// userAttributes.add(EMAIL_ATTRIBUTE_NAME, user.getEmail()); +// } +// addNew = false; +// if (user.getUsername().equals(user.getEmail()) && !user.getUsername().equals(samlPrincipal.getName())) { +// user = user.modifyUsername(samlPrincipal.getName()); +// } +// publish(new InvitedUserAuthenticatedEvent(user)); +// user = userDatabase.retrieveUserById(invitedUserId); +// } +// +// boolean userModified = false; +// UaaUser userWithSamlAttributes = getUser(samlPrincipal, userAttributes); +// try { +// if (user == null) { +// user = userDatabase.retrieveUserByName(samlPrincipal.getName(), samlPrincipal.getOrigin()); +// } +// } catch (UsernameNotFoundException e) { +// UaaUserPrototype uaaUser = userDatabase.retrieveUserPrototypeByEmail(userWithSamlAttributes.getEmail(), samlPrincipal.getOrigin()); +// if (uaaUser != null) { +// userModified = true; +// user = new UaaUser(uaaUser.withUsername(samlPrincipal.getName())); +// } else { +// if (!addNew) { +// throw new LoginSAMLException("SAML user does not exist. 
" +// + "You can correct this by creating a shadow user for the SAML user.", e); +// } +// publish(new NewUserAuthenticatedEvent(userWithSamlAttributes)); +// try { +// user = new UaaUser(userDatabase.retrieveUserPrototypeByName(samlPrincipal.getName(), samlPrincipal.getOrigin())); +// } catch (UsernameNotFoundException ex) { +// throw new BadCredentialsException("Unable to establish shadow user for SAML user:" + samlPrincipal.getName()); +// } +// } +// } +// if (haveUserAttributesChanged(user, userWithSamlAttributes)) { +// userModified = true; +// user = user.modifyAttributes(userWithSamlAttributes.getEmail(), +// userWithSamlAttributes.getGivenName(), +// userWithSamlAttributes.getFamilyName(), +// userWithSamlAttributes.getPhoneNumber(), +// userWithSamlAttributes.getExternalId(), +// user.isVerified() || userWithSamlAttributes.isVerified()); +// } +// publish( +// new ExternalGroupAuthorizationEvent( +// user, +// userModified, +// authorities, +// true +// ) +// ); +// user = userDatabase.retrieveUserById(user.getId()); +// return user; +// } protected UaaUser getUser(UaaPrincipal principal, MultiValueMap userAttributes) { if (principal.getName() == null && userAttributes.getFirst(EMAIL_ATTRIBUTE_NAME) == null) { diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationToken.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationToken.java index 500f87661ea..64495c83963 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationToken.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationToken.java 
@@ -15,7 +15,7 @@ import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication; import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal; import org.springframework.security.core.GrantedAuthority; -import org.springframework.security.providers.ExpiringUsernameAuthenticationToken; +//import org.springframework.security.providers.ExpiringUsernameAuthenticationToken; import org.springframework.util.LinkedMultiValueMap; import org.springframework.util.MultiValueMap; 
@@ -28,37 +28,37 @@ import static org.cloudfoundry.identity.uaa.provider.ExternalIdentityProviderDefinition.USER_ATTRIBUTE_PREFIX; -public class LoginSamlAuthenticationToken extends ExpiringUsernameAuthenticationToken { +public class LoginSamlAuthenticationToken /* extends ExpiringUsernameAuthenticationToken */ { public static final String AUTHENTICATION_CONTEXT_CLASS_REFERENCE = "acr"; - private final UaaPrincipal uaaPrincipal; +// private final UaaPrincipal uaaPrincipal; - public LoginSamlAuthenticationToken(UaaPrincipal uaaPrincipal, ExpiringUsernameAuthenticationToken token) { - super(token.getTokenExpiration(), uaaPrincipal, token.getCredentials(), token.getAuthorities()); - this.uaaPrincipal = uaaPrincipal; +// public LoginSamlAuthenticationToken(UaaPrincipal uaaPrincipal, ExpiringUsernameAuthenticationToken token) { +// super(token.getTokenExpiration(), uaaPrincipal, token.getCredentials(), token.getAuthorities()); +// this.uaaPrincipal = uaaPrincipal; +// +// } - } +// public UaaPrincipal getUaaPrincipal() { +// return uaaPrincipal; +// } - public UaaPrincipal getUaaPrincipal() { - return uaaPrincipal; - } - - public UaaAuthentication getUaaAuthentication(List uaaAuthorityList, - Set externalGroups, - MultiValueMap userAttributes) { - LinkedMultiValueMap customAttributes = new LinkedMultiValueMap<>(); - for (Map.Entry> entry : userAttributes.entrySet()) { - if (entry.getKey().startsWith(USER_ATTRIBUTE_PREFIX)) { - customAttributes.put(entry.getKey().substring(USER_ATTRIBUTE_PREFIX.length()), entry.getValue()); - } - } - UaaAuthentication authentication = new UaaAuthentication(getUaaPrincipal(), getCredentials(), uaaAuthorityList, externalGroups, customAttributes, null, isAuthenticated(), System.currentTimeMillis(), getTokenExpiration()==null ? 
-1l : getTokenExpiration().getTime()); - authentication.setAuthenticationMethods(Collections.singleton("ext")); - List acrValues = userAttributes.get(AUTHENTICATION_CONTEXT_CLASS_REFERENCE); - if (acrValues !=null) { - authentication.setAuthContextClassRef(new HashSet<>(acrValues)); - } - return authentication; - } +// public UaaAuthentication getUaaAuthentication(List uaaAuthorityList, +// Set externalGroups, +// MultiValueMap userAttributes) { +// LinkedMultiValueMap customAttributes = new LinkedMultiValueMap<>(); +// for (Map.Entry> entry : userAttributes.entrySet()) { +// if (entry.getKey().startsWith(USER_ATTRIBUTE_PREFIX)) { +// customAttributes.put(entry.getKey().substring(USER_ATTRIBUTE_PREFIX.length()), entry.getValue()); +// } +// } +// UaaAuthentication authentication = new UaaAuthentication(getUaaPrincipal(), getCredentials(), uaaAuthorityList, externalGroups, customAttributes, null, isAuthenticated(), System.currentTimeMillis(), getTokenExpiration()==null ? -1l : getTokenExpiration().getTime()); +// authentication.setAuthenticationMethods(Collections.singleton("ext")); +// List acrValues = userAttributes.get(AUTHENTICATION_CONTEXT_CLASS_REFERENCE); +// if (acrValues !=null) { +// authentication.setAuthContextClassRef(new HashSet<>(acrValues)); +// } +// return authentication; +// } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlDiscovery.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlDiscovery.java index fbd35275528..875f7d274fb 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlDiscovery.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlDiscovery.java 
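Review bot: After this hunk LoginSamlAuthenticationToken has no superclass and no members except the `AUTHENTICATION_CONTEXT_CLASS_REFERENCE` constant, so it is a publicly instantiable empty class whose name still promises an authentication token. Callers that treated it as an Authentication (instanceof checks or casts) are not shown here, so whether any remain is inferred, but they would now either fail to compile or take a different branch. If only the constant is meant to survive, make that explicit with `public final class LoginSamlAuthenticationToken {` plus `private LoginSamlAuthenticationToken() {}`, or move the constant next to the code that reads it and delete the file.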
@@ -24,24 +24,24 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; +//import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.security.saml.SAMLDiscovery; -import org.springframework.security.saml.SAMLEntryPoint; -import org.springframework.security.saml.context.SAMLContextProvider; -import org.springframework.security.saml.metadata.ExtendedMetadata; -import org.springframework.security.saml.metadata.MetadataManager; +//import org.springframework.security.saml.SAMLDiscovery; +//import org.springframework.security.saml.SAMLEntryPoint; +//import org.springframework.security.saml.context.SAMLContextProvider; +//import org.springframework.security.saml.metadata.ExtendedMetadata; +//import org.springframework.security.saml.metadata.MetadataManager; -public class LoginSamlDiscovery extends SAMLDiscovery { +public class LoginSamlDiscovery /* extends SAMLDiscovery */ { private static final Logger logger = LoggerFactory.getLogger(LoginSamlDiscovery.class); - private MetadataManager metadata; +// private MetadataManager metadata; - @Override +// @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { try { - super.doFilter(request, response, chain); +// super.doFilter(request, response, chain); } catch (UnableToFindSamlIDPException x) { logger.warn("Unable to find SAML IDP", x); HttpServletResponse httpServletResponse = (HttpServletResponse)response; 
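Review bot: doFilter now has an empty try block — the `super.doFilter(request, response, chain)` call is commented out and nothing else invokes `chain.doFilter`, so if this class is still registered in the servlet filter chain every request that reaches it stops here with no response written, and the catch for UnableToFindSamlIDPException can never fire. Since `extends SAMLDiscovery` is also commented out the class no longer implements Filter, which suggests it is meant to be unwired, but the wiring (login-ui.xml appears in the diffstat) is outside this view, so that is inferred. Either delete the class and its bean definition together, or keep the chain intact with `chain.doFilter(request, response);` in the try body until the replacement lands. The rest of doFilter continues outside the hunk.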
@@ -59,48 +59,48 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha } - @Override - protected String getPassiveIDP(HttpServletRequest request) { - String paramName = request.getParameter(RETURN_ID_PARAM); +// @Override +// protected String getPassiveIDP(HttpServletRequest request) { +// String paramName = request.getParameter(RETURN_ID_PARAM); //we have received the alias in our request //so we need to translate that into an entityID - String idpAlias = request.getParameter(paramName==null?"idp":paramName); - if ( idpAlias!=null ) { - Set idps = metadata.getIDPEntityNames(); - for (String idp : idps) { - try { - ExtendedMetadata emd = metadata.getExtendedMetadata(idp); - if (emd!=null && idpAlias.equals(emd.getAlias())) { - return idp; - } - } catch (MetadataProviderException e) { - String message = "Unable to read extended metadata for alias["+idpAlias+"] IDP["+idp+"]"; - throw new UnableToFindSamlIDPException(message, e); - } - } - } - throw new UnableToFindSamlIDPException("Unable to locate IDP provider for alias:"+idpAlias); +// String idpAlias = request.getParameter(paramName==null?"idp":paramName); +// if ( idpAlias!=null ) { +// Set idps = metadata.getIDPEntityNames(); +// for (String idp : idps) { +// try { +// ExtendedMetadata emd = metadata.getExtendedMetadata(idp); +// if (emd!=null && idpAlias.equals(emd.getAlias())) { +// return idp; +// } +// } catch (MetadataProviderException e) { +// String message = "Unable to read extended metadata for alias["+idpAlias+"] IDP["+idp+"]"; +// throw new UnableToFindSamlIDPException(message, e); +// } +// } +// } +// throw new UnableToFindSamlIDPException("Unable to locate IDP provider for alias:"+idpAlias); //return super.getPassiveIDP(request); - } - - @Override - @Autowired - public void setMetadata(MetadataManager metadata) { - super.setMetadata(metadata); - this.metadata = metadata; - } +// } - @Override - @Autowired(required = false) - public void setSamlEntryPoint(SAMLEntryPoint 
samlEntryPoint) { - super.setSamlEntryPoint(samlEntryPoint); - } +// @Override +// @Autowired +// public void setMetadata(MetadataManager metadata) { +// super.setMetadata(metadata); +// this.metadata = metadata; +// } - @Override - @Autowired - public void setContextProvider(SAMLContextProvider contextProvider) { - super.setContextProvider(contextProvider); - } +// @Override +// @Autowired(required = false) +// public void setSamlEntryPoint(SAMLEntryPoint samlEntryPoint) { +// super.setSamlEntryPoint(samlEntryPoint); +// } +// +// @Override +// @Autowired +// public void setContextProvider(SAMLContextProvider contextProvider) { +// super.setContextProvider(contextProvider); +// } public static class UnableToFindSamlIDPException extends RuntimeException { public UnableToFindSamlIDPException(String message) { diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlEntryPoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlEntryPoint.java index 837392f19a8..1307233682b 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlEntryPoint.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlEntryPoint.java 
@@ -15,14 +15,14 @@ import org.cloudfoundry.identity.uaa.provider.SamlIdentityProviderDefinition; import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder; -import org.opensaml.common.SAMLException; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.opensaml.ws.message.encoder.MessageEncodingException; +//import org.opensaml.common.SAMLException; +//import org.opensaml.saml2.metadata.provider.MetadataProviderException; +//import org.opensaml.ws.message.encoder.MessageEncodingException; import org.springframework.security.core.AuthenticationException; -import org.springframework.security.saml.SAMLEntryPoint; -import org.springframework.security.saml.context.SAMLMessageContext; -import org.springframework.security.saml.metadata.ExtendedMetadata; -import org.springframework.security.saml.websso.WebSSOProfileOptions; +//import org.springframework.security.saml.SAMLEntryPoint; +//import org.springframework.security.saml.context.SAMLMessageContext; +//import org.springframework.security.saml.metadata.ExtendedMetadata; +//import org.springframework.security.saml.websso.WebSSOProfileOptions; import org.springframework.security.web.WebAttributes; import javax.servlet.ServletException; @@ -30,7 +30,7 @@ import javax.servlet.http.HttpServletResponse; import java.io.IOException; -public class LoginSamlEntryPoint extends SAMLEntryPoint { +public class LoginSamlEntryPoint /* extends SAMLEntryPoint */ { private SamlIdentityProviderConfigurator providerDefinitionList; 
@@ -43,66 +43,66 @@ public void setProviderDefinitionList(SamlIdentityProviderConfigurator providerD this.providerDefinitionList = providerDefinitionList; } - public WebSSOProfileOptions getDefaultProfileOptions() { - return defaultOptions; - } - - @Override - public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException { - try { +// public WebSSOProfileOptions getDefaultProfileOptions() { +// return defaultOptions; +// } - SAMLMessageContext context = contextProvider.getLocalAndPeerEntity(request, response); - - if (isECP(context)) { - initializeECP(context, e); - } else if (isDiscovery(context)) { - initializeDiscovery(context); - } else { - initializeSSO(context, e); - } - } catch (SamlBindingNotSupportedException e1) { - request.setAttribute("error_message_code", "error.sso.supported.binding"); - request.getSession(true).setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, e1); - response.setStatus(400); - request.getRequestDispatcher("/saml_error").include(request, response); - } catch (SAMLException | MessageEncodingException | MetadataProviderException e1) { - logger.debug("Error initializing entry point", e1); - throw new ServletException(e1); - } - } +// @Override +// public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException { +// try { +// +// SAMLMessageContext context = contextProvider.getLocalAndPeerEntity(request, response); +// +// if (isECP(context)) { +// initializeECP(context, e); +// } else if (isDiscovery(context)) { +// initializeDiscovery(context); +// } else { +// initializeSSO(context, e); +// } +// } catch (SamlBindingNotSupportedException e1) { +// request.setAttribute("error_message_code", "error.sso.supported.binding"); +// request.getSession(true).setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, e1); +// response.setStatus(400); +// 
request.getRequestDispatcher("/saml_error").include(request, response); +// } catch (SAMLException | MessageEncodingException | MetadataProviderException e1) { +// logger.debug("Error initializing entry point", e1); +// throw new ServletException(e1); +// } +// } - @Override - protected WebSSOProfileOptions getProfileOptions(SAMLMessageContext context, AuthenticationException exception) throws MetadataProviderException { - WebSSOProfileOptions options = super.getProfileOptions(context, exception); - String idpEntityId = context.getPeerEntityId(); - if (idpEntityId!=null) { - ExtendedMetadata extendedMetadata = this.metadata.getExtendedMetadata(idpEntityId); - if (extendedMetadata!=null) { - String alias = extendedMetadata.getAlias(); - SamlIdentityProviderDefinition def = getIDPDefinition(alias); - if (def.getNameID()!=null) { - options.setNameID(def.getNameID()); - } - if (def.getAssertionConsumerIndex()>=0) { - options.setAssertionConsumerIndex(def.getAssertionConsumerIndex()); - } +// @Override +// protected WebSSOProfileOptions getProfileOptions(SAMLMessageContext context, AuthenticationException exception) throws MetadataProviderException { +// WebSSOProfileOptions options = super.getProfileOptions(context, exception); +// String idpEntityId = context.getPeerEntityId(); +// if (idpEntityId!=null) { +// ExtendedMetadata extendedMetadata = this.metadata.getExtendedMetadata(idpEntityId); +// if (extendedMetadata!=null) { +// String alias = extendedMetadata.getAlias(); +// SamlIdentityProviderDefinition def = getIDPDefinition(alias); +// if (def.getNameID()!=null) { +// options.setNameID(def.getNameID()); +// } +// if (def.getAssertionConsumerIndex()>=0) { +// options.setAssertionConsumerIndex(def.getAssertionConsumerIndex()); +// } +// +// if (def.getAuthnContext() != null) { +// options.setAuthnContexts(def.getAuthnContext()); +// } +// } +// } +// return options; +// } - if (def.getAuthnContext() != null) { - options.setAuthnContexts(def.getAuthnContext()); - } 
- } - } - return options; - } - - private SamlIdentityProviderDefinition getIDPDefinition(String alias) throws MetadataProviderException { - if (alias!=null) { - for (SamlIdentityProviderDefinition def : getProviderDefinitionList().getIdentityProviderDefinitions()) { - if (alias.equals(def.getIdpEntityAlias()) && IdentityZoneHolder.get().getId().equals(def.getZoneId())) { - return def; - } - } - } - throw new MetadataProviderNotFoundException("Unable to find SAML provider for alias:"+alias); - } +// private SamlIdentityProviderDefinition getIDPDefinition(String alias) /* throws MetadataProviderException */ { +// if (alias!=null) { +// for (SamlIdentityProviderDefinition def : getProviderDefinitionList().getIdentityProviderDefinitions()) { +// if (alias.equals(def.getIdpEntityAlias()) && IdentityZoneHolder.get().getId().equals(def.getZoneId())) { +// return def; +// } +// } +// } +// throw new MetadataProviderNotFoundException("Unable to find SAML provider for alias:"+alias); +// } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/MetadataProviderNotFoundException.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/MetadataProviderNotFoundException.java index fd9f94c3636..38542a7aae3 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/MetadataProviderNotFoundException.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/MetadataProviderNotFoundException.java 
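Review bot: getIDPDefinition was the only place in this class that tied an IdP alias to the current zone (`IdentityZoneHolder.get().getId().equals(def.getZoneId())`), and it is commented out together with commence and getProfileOptions without any marker that the replacement has to keep that comparison. Without it an alias lookup would match on name alone across zones, which is a tenancy boundary rather than a cosmetic detail; where the replacement will live is not visible here, so this is a request for a recorded requirement rather than a defect in live code. In place of the dead block leave `// TODO(saml-migration): alias lookup in the replacement entry point must stay restricted to the current zone (see getIDPDefinition in history)`. The class closing brace is in the hunk; the remaining live members are above it.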
@@ -14,21 +14,21 @@ package org.cloudfoundry.identity.uaa.provider.saml; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; +//import org.opensaml.saml2.metadata.provider.MetadataProviderException; -public class MetadataProviderNotFoundException extends MetadataProviderException { +public class MetadataProviderNotFoundException /* extends MetadataProviderException */ { public MetadataProviderNotFoundException() { } public MetadataProviderNotFoundException(String message) { - super(message); +// super(message); } public MetadataProviderNotFoundException(String message, Exception wrappedException) { - super(message, wrappedException); +// super(message, wrappedException); } public MetadataProviderNotFoundException(Exception wrappedException) { - super(wrappedException); +// super(wrappedException); } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/NonCachingMetadataCredentialResolver.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/NonCachingMetadataCredentialResolver.java index 22ddbfd2ac7..29cecf5f474 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/NonCachingMetadataCredentialResolver.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/NonCachingMetadataCredentialResolver.java 
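Review bot: With `extends MetadataProviderException` commented out, `MetadataProviderNotFoundException` now extends nothing, so it is no longer a `Throwable`, and its three argument-taking constructors silently discard `message` and `wrappedException` because the matching `super(...)` calls are commented out as well. Any surviving `throw new MetadataProviderNotFoundException(...)` will not compile, and whoever reactivates this type later inherits an "exception" that drops its message and cause chain. While the replacement SAML stack is chosen, declare it against a JDK base instead — `public class MetadataProviderNotFoundException extends RuntimeException {` — and restore the `super(message)`, `super(message, wrappedException)` and `super(wrappedException)` calls so diagnostics are preserved. If the intent is to retire the type, delete the file rather than keeping a non-throwable stub with the word Exception in its name.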
@@ -15,22 +15,22 @@ package org.cloudfoundry.identity.uaa.provider.saml; -import org.opensaml.xml.security.credential.Credential; -import org.springframework.security.saml.key.KeyManager; -import org.springframework.security.saml.metadata.MetadataManager; -import org.springframework.security.saml.trust.MetadataCredentialResolver; +//import org.opensaml.xml.security.credential.Credential; +//import org.springframework.security.saml.key.KeyManager; +//import org.springframework.security.saml.metadata.MetadataManager; +//import org.springframework.security.saml.trust.MetadataCredentialResolver; import java.util.Collection; -public class NonCachingMetadataCredentialResolver extends MetadataCredentialResolver { +public class NonCachingMetadataCredentialResolver /* extends MetadataCredentialResolver */ { - public NonCachingMetadataCredentialResolver(MetadataManager metadataProvider, KeyManager keyManager) { - super(metadataProvider, keyManager); - } +// public NonCachingMetadataCredentialResolver(MetadataManager metadataProvider, KeyManager keyManager) { +// super(metadataProvider, keyManager); +// } - @Override - protected void cacheCredentials(MetadataCacheKey cacheKey, Collection credentials) { - //no op - } +// @Override +// protected void cacheCredentials(MetadataCacheKey cacheKey, Collection credentials) { +// //no op +// } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/NonSnarlMetadataManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/NonSnarlMetadataManager.java index bc1817c6b66..abd7528bbe9 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/NonSnarlMetadataManager.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/NonSnarlMetadataManager.java 
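Review bot: The new side leaves `NonCachingMetadataCredentialResolver` as an empty public class with its whole body in line comments and an `import java.util.Collection;` that nothing uses any more. The reason the class existed is security-relevant: the removed `cacheCredentials` override was an explicit `//no op`, presumably so that signing credentials resolved from IdP metadata were never cached and a rotated or revoked IdP certificate took effect without a restart. If the file is kept as a placeholder for the replacement SAML stack, record that requirement where the next implementer will see it, e.g. a class Javadoc along the lines of `/** Placeholder: the replacement resolver must not cache credentials resolved from IdP metadata, so certificate rotation in metadata is honoured immediately. */`. Otherwise delete the file and the dangling import instead of shipping an inert type under a name that promises behaviour it no longer has.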
@@ -19,51 +19,51 @@ import org.cloudfoundry.identity.uaa.zone.IdentityZone; import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder; import org.joda.time.DateTime; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.common.Extensions; -import org.opensaml.saml2.metadata.EntitiesDescriptor; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.saml2.metadata.RoleDescriptor; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.saml2.metadata.provider.MetadataFilterChain; -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.opensaml.saml2.metadata.provider.SignatureValidationFilter; -import org.opensaml.xml.Configuration; -import org.opensaml.xml.Namespace; -import org.opensaml.xml.NamespaceManager; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.schema.XSBooleanValue; -import org.opensaml.xml.security.x509.BasicPKIXValidationInformation; -import org.opensaml.xml.security.x509.BasicX509CredentialNameEvaluator; -import org.opensaml.xml.security.x509.CertPathPKIXValidationOptions; -import org.opensaml.xml.security.x509.PKIXValidationInformation; -import org.opensaml.xml.security.x509.PKIXValidationInformationResolver; -import org.opensaml.xml.security.x509.StaticPKIXValidationInformationResolver; -import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.SignatureTrustEngine; -import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine; -import org.opensaml.xml.util.IDIndex; -import org.opensaml.xml.util.LazySet; -import org.opensaml.xml.validation.ValidationException; -import org.opensaml.xml.validation.Validator; +//import org.opensaml.common.xml.SAMLConstants; +//import org.opensaml.saml2.common.Extensions; +//import 
org.opensaml.saml2.metadata.EntitiesDescriptor; +//import org.opensaml.saml2.metadata.EntityDescriptor; +//import org.opensaml.saml2.metadata.IDPSSODescriptor; +//import org.opensaml.saml2.metadata.RoleDescriptor; +//import org.opensaml.saml2.metadata.SPSSODescriptor; +//import org.opensaml.saml2.metadata.provider.MetadataFilter; +//import org.opensaml.saml2.metadata.provider.MetadataFilterChain; +//import org.opensaml.saml2.metadata.provider.MetadataProvider; +//import org.opensaml.saml2.metadata.provider.MetadataProviderException; +//import org.opensaml.saml2.metadata.provider.SignatureValidationFilter; +//import org.opensaml.xml.Configuration; +//import org.opensaml.xml.Namespace; +//import org.opensaml.xml.NamespaceManager; +//import org.opensaml.xml.XMLObject; +//import org.opensaml.xml.schema.XSBooleanValue; +//import org.opensaml.xml.security.x509.BasicPKIXValidationInformation; +//import org.opensaml.xml.security.x509.BasicX509CredentialNameEvaluator; +//import org.opensaml.xml.security.x509.CertPathPKIXValidationOptions; +//import org.opensaml.xml.security.x509.PKIXValidationInformation; +//import org.opensaml.xml.security.x509.PKIXValidationInformationResolver; +//import org.opensaml.xml.security.x509.StaticPKIXValidationInformationResolver; +//import org.opensaml.xml.signature.Signature; +//import org.opensaml.xml.signature.SignatureTrustEngine; +//import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine; +//import org.opensaml.xml.util.IDIndex; +//import org.opensaml.xml.util.LazySet; +//import org.opensaml.xml.validation.ValidationException; +//import org.opensaml.xml.validation.Validator; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.BeansException; import org.springframework.beans.factory.DisposableBean; import org.springframework.beans.factory.InitializingBean; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.security.saml.key.KeyManager; -import 
org.springframework.security.saml.metadata.ExtendedMetadata; -import org.springframework.security.saml.metadata.ExtendedMetadataDelegate; -import org.springframework.security.saml.metadata.ExtendedMetadataProvider; -import org.springframework.security.saml.metadata.MetadataManager; -import org.springframework.security.saml.metadata.MetadataMemoryProvider; -import org.springframework.security.saml.trust.AllowAllSignatureTrustEngine; -import org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer; -import org.springframework.security.saml.util.SAMLUtil; +//import org.springframework.security.saml.key.KeyManager; +//import org.springframework.security.saml.metadata.ExtendedMetadata; +//import org.springframework.security.saml.metadata.ExtendedMetadataDelegate; +//import org.springframework.security.saml.metadata.ExtendedMetadataProvider; +//import org.springframework.security.saml.metadata.MetadataManager; +//import org.springframework.security.saml.metadata.MetadataMemoryProvider; +//import org.springframework.security.saml.trust.AllowAllSignatureTrustEngine; +//import org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer; +//import org.springframework.security.saml.util.SAMLUtil; import org.springframework.util.StringUtils; import org.springframework.web.client.RestClientException; import org.w3c.dom.Element; 
@@ -79,294 +79,294 @@ import java.util.Set; -public class NonSnarlMetadataManager extends MetadataManager implements ExtendedMetadataProvider, InitializingBean, DisposableBean { +public class NonSnarlMetadataManager /* extends MetadataManager */ implements /* ExtendedMetadataProvider, InitializingBean, */ DisposableBean { // Class logger protected final Logger log = LoggerFactory.getLogger(NonSnarlMetadataManager.class); - private ExtendedMetadata defaultExtendedMetadata; +// private ExtendedMetadata defaultExtendedMetadata; // Storage for cryptographic data used to verify metadata signatures - protected KeyManager keyManager; +// protected KeyManager keyManager; - private final SamlIdentityProviderConfigurator configurator; +// private final SamlIdentityProviderConfigurator configurator; private ZoneAwareMetadataGenerator generator; - public NonSnarlMetadataManager(SamlIdentityProviderConfigurator configurator) throws MetadataProviderException { - super(Collections.EMPTY_LIST); - this.configurator = configurator; - this.defaultExtendedMetadata = new ExtendedMetadata(); - super.setRefreshCheckInterval(0); - } +// public NonSnarlMetadataManager(SamlIdentityProviderConfigurator configurator) throws MetadataProviderException { +// super(Collections.EMPTY_LIST); +// this.configurator = configurator; +// this.defaultExtendedMetadata = new ExtendedMetadata(); +// super.setRefreshCheckInterval(0); +// } @Override public void destroy() { } - @Override - public void setProviders(List newProviders) { - } +// @Override +// public void setProviders(List newProviders) { +// } - @Override +// @Override public void refreshMetadata() { } - public ExtendedMetadataDelegate getLocalServiceProvider() throws MetadataProviderException { - EntityDescriptor descriptor = generator.generateMetadata(); - ExtendedMetadata extendedMetadata = generator.generateExtendedMetadata(); - log.info("Initialized local service provider for entityID: " + descriptor.getEntityID()); - MetadataMemoryProvider 
memoryProvider = new MetadataMemoryProvider(descriptor); - memoryProvider.initialize(); - return new ExtendedMetadataDelegate(memoryProvider, extendedMetadata); - } - - @Override - public void addMetadataProvider(MetadataProvider newProvider) { - //no op - } - - @Override - public void removeMetadataProvider(MetadataProvider provider) { - //no op - } - - public List getProviders() { - return new ArrayList<>(getAvailableProviders()); - } - - public List getAvailableProviders() { - IdentityZone zone = IdentityZoneHolder.get(); - List result = new ArrayList<>(); - try { - result.add(getLocalServiceProvider()); - } catch (MetadataProviderException e) { - throw new IllegalStateException(e); - } - for (SamlIdentityProviderDefinition definition : configurator.getIdentityProviderDefinitions()) { - log.info("Adding SAML IDP zone[" + zone.getId() + "] alias[" + definition.getIdpEntityAlias() + "]"); - try { - ExtendedMetadataDelegate delegate = configurator.getExtendedMetadataDelegate(definition); - initializeProvider(delegate); - initializeProviderData(delegate); - initializeProviderFilters(delegate); - result.add(delegate); - } catch (RestClientException | MetadataProviderException e) { - log.error("Invalid SAML IDP zone[" + zone.getId() + "] alias[" + definition.getIdpEntityAlias() + "]", e); - } - } - return result; - } - - @Override - protected void initializeProvider(ExtendedMetadataDelegate provider) throws MetadataProviderException { - // Initialize provider and perform signature verification - log.debug("Initializing extendedMetadataDelegate {}", provider); - provider.initialize(); - - } - - protected String getProviderIdpAlias(ExtendedMetadataDelegate provider) throws MetadataProviderException { - List stringSet = parseProvider(provider); - for (String key : stringSet) { - RoleDescriptor idpRoleDescriptor = provider.getRole(key, IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS); - if (idpRoleDescriptor != null) { - return key; - } - } - return null; 
- } - - protected String getProviderSpAlias(ExtendedMetadataDelegate provider) throws MetadataProviderException { - List stringSet = parseProvider(provider); - for (String key : stringSet) { - RoleDescriptor spRoleDescriptor = provider.getRole(key, SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS); - if (spRoleDescriptor != null) { - return key; - } - } - return null; - } - - protected String getHostedSpName(ExtendedMetadataDelegate provider) throws MetadataProviderException { - List stringSet = parseProvider(provider); - for (String key : stringSet) { - RoleDescriptor spRoleDescriptor = provider.getRole(key, SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS); - if (spRoleDescriptor != null) { - ExtendedMetadata extendedMetadata = getExtendedMetadata(key, provider); - if (extendedMetadata != null) { - if (extendedMetadata.isLocal()) { - return key; - } - } - } - } - return null; - } - - protected String getProviderAlias(ExtendedMetadataDelegate provider) throws MetadataProviderException { - List stringSet = parseProvider(provider); - for (String key : stringSet) { - // Verify extended metadata - ExtendedMetadata extendedMetadata = getExtendedMetadata(key, provider); - if (extendedMetadata != null) { - if (extendedMetadata.isLocal()) { - // Parse alias - String alias = extendedMetadata.getAlias(); - if (alias != null) { - // Verify alias is valid - SAMLUtil.verifyAlias(alias, key); - return alias; - } else { - log.debug("Local entity {} doesn't have an alias", key); - - } - } else { - log.debug("Remote entity {} available", key); - } - } else { - log.debug("No extended metadata available for entity {}", key); - } - } - return null; - } +// public ExtendedMetadataDelegate getLocalServiceProvider() throws MetadataProviderException { +// EntityDescriptor descriptor = generator.generateMetadata(); +// ExtendedMetadata extendedMetadata = generator.generateExtendedMetadata(); +// log.info("Initialized local service provider for entityID: " + 
descriptor.getEntityID()); +// MetadataMemoryProvider memoryProvider = new MetadataMemoryProvider(descriptor); +// memoryProvider.initialize(); +// return new ExtendedMetadataDelegate(memoryProvider, extendedMetadata); +// } + +// @Override +// public void addMetadataProvider(MetadataProvider newProvider) { +// //no op +// } + +// @Override +// public void removeMetadataProvider(MetadataProvider provider) { +// //no op +// } + +// public List getProviders() { +// return new ArrayList<>(getAvailableProviders()); +// } + +// public List getAvailableProviders() { +// IdentityZone zone = IdentityZoneHolder.get(); +// List result = new ArrayList<>(); +// try { +// result.add(getLocalServiceProvider()); +// } catch (MetadataProviderException e) { +// throw new IllegalStateException(e); +// } +// for (SamlIdentityProviderDefinition definition : configurator.getIdentityProviderDefinitions()) { +// log.info("Adding SAML IDP zone[" + zone.getId() + "] alias[" + definition.getIdpEntityAlias() + "]"); +// try { +// ExtendedMetadataDelegate delegate = configurator.getExtendedMetadataDelegate(definition); +// initializeProvider(delegate); +// initializeProviderData(delegate); +// initializeProviderFilters(delegate); +// result.add(delegate); +// } catch (RestClientException | MetadataProviderException e) { +// log.error("Invalid SAML IDP zone[" + zone.getId() + "] alias[" + definition.getIdpEntityAlias() + "]", e); +// } +// } +// return result; +// } + +// @Override +// protected void initializeProvider(ExtendedMetadataDelegate provider) throws MetadataProviderException { +// // Initialize provider and perform signature verification +// log.debug("Initializing extendedMetadataDelegate {}", provider); +// provider.initialize(); +// +// } + +// protected String getProviderIdpAlias(ExtendedMetadataDelegate provider) throws MetadataProviderException { +// List stringSet = parseProvider(provider); +// for (String key : stringSet) { +// RoleDescriptor idpRoleDescriptor = 
provider.getRole(key, IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS); +// if (idpRoleDescriptor != null) { +// return key; +// } +// } +// return null; +// } + +// protected String getProviderSpAlias(ExtendedMetadataDelegate provider) throws MetadataProviderException { +// List stringSet = parseProvider(provider); +// for (String key : stringSet) { +// RoleDescriptor spRoleDescriptor = provider.getRole(key, SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS); +// if (spRoleDescriptor != null) { +// return key; +// } +// } +// return null; +// } + +// protected String getHostedSpName(ExtendedMetadataDelegate provider) throws MetadataProviderException { +// List stringSet = parseProvider(provider); +// for (String key : stringSet) { +// RoleDescriptor spRoleDescriptor = provider.getRole(key, SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS); +// if (spRoleDescriptor != null) { +// ExtendedMetadata extendedMetadata = getExtendedMetadata(key, provider); +// if (extendedMetadata != null) { +// if (extendedMetadata.isLocal()) { +// return key; +// } +// } +// } +// } +// return null; +// } + +// protected String getProviderAlias(ExtendedMetadataDelegate provider) throws MetadataProviderException { +// List stringSet = parseProvider(provider); +// for (String key : stringSet) { +// // Verify extended metadata +// ExtendedMetadata extendedMetadata = getExtendedMetadata(key, provider); +// if (extendedMetadata != null) { +// if (extendedMetadata.isLocal()) { +// // Parse alias +// String alias = extendedMetadata.getAlias(); +// if (alias != null) { +// // Verify alias is valid +// SAMLUtil.verifyAlias(alias, key); +// return alias; +// } else { +// log.debug("Local entity {} doesn't have an alias", key); +// +// } +// } else { +// log.debug("Remote entity {} available", key); +// } +// } else { +// log.debug("No extended metadata available for entity {}", key); +// } +// } +// return null; +// } /** * Method populates local 
storage of IDP and SP names and verifies any name conflicts which might arise. * * @param provider provider to initialize */ - protected void initializeProviderData(ExtendedMetadataDelegate provider) { - } - - @Override - protected void initializeProviderFilters(ExtendedMetadataDelegate provider) throws MetadataProviderException { - boolean requireSignature = provider.isMetadataRequireSignature(); - SignatureTrustEngine trustEngine = getTrustEngine(provider); - SignatureValidationFilter filter = new SignatureValidationFilter(trustEngine); - filter.setRequireSignature(requireSignature); - - log.debug("Created new trust manager for metadata provider {}", provider); - - // Combine any existing filters with the signature verification - MetadataFilter currentFilter = provider.getMetadataFilter(); - if (currentFilter != null) { - if (currentFilter instanceof MetadataFilterChain) { - log.debug("Adding signature filter into existing chain"); - MetadataFilterChain chain = (MetadataFilterChain) currentFilter; - chain.getFilters().add(filter); - } else { - log.debug("Combining signature filter with the existing in a new chain"); - MetadataFilterChain chain = new MetadataFilterChain(); - chain.getFilters().add(currentFilter); - chain.getFilters().add(filter); - } - } else { - log.debug("Adding signature filter"); - provider.setMetadataFilter(filter); - } - } - - @Override - protected SignatureTrustEngine getTrustEngine(MetadataProvider provider) { - - Set trustedKeys = null; - boolean verifyTrust = true; - boolean forceRevocationCheck = false; - - if (provider instanceof ExtendedMetadataDelegate) { - ExtendedMetadataDelegate metadata = (ExtendedMetadataDelegate) provider; - trustedKeys = metadata.getMetadataTrustedKeys(); - verifyTrust = metadata.isMetadataTrustCheck(); - forceRevocationCheck = metadata.isForceMetadataRevocationCheck(); - } - - if (verifyTrust) { - - log.debug("Setting trust verification for metadata provider {}", provider); - - CertPathPKIXValidationOptions 
pkixOptions = new CertPathPKIXValidationOptions(); - - if (forceRevocationCheck) { - log.debug("Revocation checking forced to true"); - pkixOptions.setForceRevocationEnabled(true); - } else { - log.debug("Revocation checking not forced"); - pkixOptions.setForceRevocationEnabled(false); - } - - return new PKIXSignatureTrustEngine( - getPKIXResolver(provider, trustedKeys, null), - Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(), - new org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator(pkixOptions), - new BasicX509CredentialNameEvaluator()); - - } else { - - log.debug("Trust verification skipped for metadata provider {}", provider); - return new AllowAllSignatureTrustEngine(Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver()); - - } - - } - - @Override - protected PKIXValidationInformationResolver getPKIXResolver(MetadataProvider provider, Set trustedKeys, Set trustedNames) { - - // Use all available keys - if (trustedKeys == null) { - trustedKeys = keyManager.getAvailableCredentials(); - } - - // Resolve allowed certificates to build the anchors - List certificates = new LinkedList(); - for (String key : trustedKeys) { - log.debug("Adding PKIX trust anchor {} for metadata verification of provider {}", key, provider); - X509Certificate certificate = keyManager.getCertificate(key); - if (certificate != null) { - certificates.add(certificate); - } else { - log.warn("Cannot construct PKIX trust anchor for key with alias {} for provider {}, key isn't included in the keystore", key, provider); - } - } - - List info = new LinkedList(); - info.add(new BasicPKIXValidationInformation(certificates, null, 4)); - return new StaticPKIXValidationInformationResolver(info, trustedNames); - - } - - @Override - protected List parseProvider(MetadataProvider provider) throws MetadataProviderException { - - List result = new LinkedList(); - - XMLObject object = provider.getMetadata(); - if (object 
instanceof EntityDescriptor) { - addDescriptor(result, (EntityDescriptor) object); - } else if (object instanceof EntitiesDescriptor) { - addDescriptors(result, (EntitiesDescriptor) object); - } - - return result; - - } - - private void addDescriptors(List result, EntitiesDescriptor descriptors) throws MetadataProviderException { - - log.debug("Found metadata EntitiesDescriptor with ID", descriptors.getID()); - - if (descriptors.getEntitiesDescriptors() != null) { - for (EntitiesDescriptor descriptor : descriptors.getEntitiesDescriptors()) { - addDescriptors(result, descriptor); - } - } - if (descriptors.getEntityDescriptors() != null) { - for (EntityDescriptor descriptor : descriptors.getEntityDescriptors()) { - addDescriptor(result, descriptor); - } - } - - } +// protected void initializeProviderData(ExtendedMetadataDelegate provider) { +// } + +// @Override +// protected void initializeProviderFilters(ExtendedMetadataDelegate provider) throws MetadataProviderException { +// boolean requireSignature = provider.isMetadataRequireSignature(); +// SignatureTrustEngine trustEngine = getTrustEngine(provider); +// SignatureValidationFilter filter = new SignatureValidationFilter(trustEngine); +// filter.setRequireSignature(requireSignature); +// +// log.debug("Created new trust manager for metadata provider {}", provider); +// +// // Combine any existing filters with the signature verification +// MetadataFilter currentFilter = provider.getMetadataFilter(); +// if (currentFilter != null) { +// if (currentFilter instanceof MetadataFilterChain) { +// log.debug("Adding signature filter into existing chain"); +// MetadataFilterChain chain = (MetadataFilterChain) currentFilter; +// chain.getFilters().add(filter); +// } else { +// log.debug("Combining signature filter with the existing in a new chain"); +// MetadataFilterChain chain = new MetadataFilterChain(); +// chain.getFilters().add(currentFilter); +// chain.getFilters().add(filter); +// } +// } else { +// 
log.debug("Adding signature filter"); +// provider.setMetadataFilter(filter); +// } +// } + +// @Override +// protected SignatureTrustEngine getTrustEngine(MetadataProvider provider) { +// +// Set trustedKeys = null; +// boolean verifyTrust = true; +// boolean forceRevocationCheck = false; +// +// if (provider instanceof ExtendedMetadataDelegate) { +// ExtendedMetadataDelegate metadata = (ExtendedMetadataDelegate) provider; +// trustedKeys = metadata.getMetadataTrustedKeys(); +// verifyTrust = metadata.isMetadataTrustCheck(); +// forceRevocationCheck = metadata.isForceMetadataRevocationCheck(); +// } +// +// if (verifyTrust) { +// +// log.debug("Setting trust verification for metadata provider {}", provider); +// +// CertPathPKIXValidationOptions pkixOptions = new CertPathPKIXValidationOptions(); +// +// if (forceRevocationCheck) { +// log.debug("Revocation checking forced to true"); +// pkixOptions.setForceRevocationEnabled(true); +// } else { +// log.debug("Revocation checking not forced"); +// pkixOptions.setForceRevocationEnabled(false); +// } +// +// return new PKIXSignatureTrustEngine( +// getPKIXResolver(provider, trustedKeys, null), +// Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver(), +// new org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator(pkixOptions), +// new BasicX509CredentialNameEvaluator()); +// +// } else { +// +// log.debug("Trust verification skipped for metadata provider {}", provider); +// return new AllowAllSignatureTrustEngine(Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver()); +// +// } +// +// } + +// @Override +// protected PKIXValidationInformationResolver getPKIXResolver(MetadataProvider provider, Set trustedKeys, Set trustedNames) { +// +// // Use all available keys +// if (trustedKeys == null) { +// trustedKeys = keyManager.getAvailableCredentials(); +// } +// +// // Resolve allowed certificates to build the anchors +// List certificates = new 
LinkedList(); +// for (String key : trustedKeys) { +// log.debug("Adding PKIX trust anchor {} for metadata verification of provider {}", key, provider); +// X509Certificate certificate = keyManager.getCertificate(key); +// if (certificate != null) { +// certificates.add(certificate); +// } else { +// log.warn("Cannot construct PKIX trust anchor for key with alias {} for provider {}, key isn't included in the keystore", key, provider); +// } +// } +// +// List info = new LinkedList(); +// info.add(new BasicPKIXValidationInformation(certificates, null, 4)); +// return new StaticPKIXValidationInformationResolver(info, trustedNames); +// +// } + +// @Override +// protected List parseProvider(MetadataProvider provider) throws MetadataProviderException { +// +// List result = new LinkedList(); +// +// XMLObject object = provider.getMetadata(); +// if (object instanceof EntityDescriptor) { +// addDescriptor(result, (EntityDescriptor) object); +// } else if (object instanceof EntitiesDescriptor) { +// addDescriptors(result, (EntitiesDescriptor) object); +// } +// +// return result; +// +// } + +// private void addDescriptors(List result, EntitiesDescriptor descriptors) throws MetadataProviderException { +// +// log.debug("Found metadata EntitiesDescriptor with ID", descriptors.getID()); +// +// if (descriptors.getEntitiesDescriptors() != null) { +// for (EntitiesDescriptor descriptor : descriptors.getEntitiesDescriptors()) { +// addDescriptors(result, descriptor); +// } +// } +// if (descriptors.getEntityDescriptors() != null) { +// for (EntityDescriptor descriptor : descriptors.getEntityDescriptors()) { +// addDescriptor(result, descriptor); +// } +// } +// +// } /** * Parses entityID from the descriptor and adds it to the result set. Signatures on all found entities 
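Review bot: This hunk comments out, rather than deletes, the entire metadata trust path of `NonSnarlMetadataManager` — `initializeProviderFilters` (which attached a `SignatureValidationFilter` honouring `isMetadataRequireSignature()`), `getTrustEngine` (PKIX verification with optional forced revocation checking, falling back to `AllowAllSignatureTrustEngine` only when `isMetadataTrustCheck()` was false) and `getPKIXResolver` (trust anchors from `metadataTrustedKeys`, or every key in the `KeyManager` when that set is null) — and leaves no marker saying the replacement must re-implement those checks. With `getAvailableProviders` gone, the `getIDPEntityNames`/`isIDPValid` methods kept in the following hunk appear to operate on an empty set, so the class currently validates nothing and a reader who re-enables it later has no statement of what it must enforce. Replace the roughly 250 lines of commented code (git history keeps them) with one class-level comment listing the three invariants to preserve: require a signature on IdP metadata when the provider definition demands it, verify it against configured trust anchors rather than an allow-all engine, and honour forced revocation checking. The retained field `private ZoneAwareMetadataGenerator generator;` is, as far as this hunk shows, no longer assigned or read once `getLocalServiceProvider` is gone; drop it or comment why it stays.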
@@ -375,132 +375,132 @@ private void addDescriptors(List result, EntitiesDescriptor descriptors) * @param result result set * @param descriptor descriptor to parse */ - private void addDescriptor(List result, EntityDescriptor descriptor) { - - String entityID = descriptor.getEntityID(); - log.debug("Found metadata EntityDescriptor with ID", entityID); - result.add(entityID); - - } - - @Override +// private void addDescriptor(List result, EntityDescriptor descriptor) { +// +// String entityID = descriptor.getEntityID(); +// log.debug("Found metadata EntityDescriptor with ID", entityID); +// result.add(entityID); +// +// } + +// @Override public Set getIDPEntityNames() { Set result = new HashSet<>(); - for (ExtendedMetadataDelegate delegate : getAvailableProviders()) { - try { - String idp = getProviderIdpAlias(delegate); - if (StringUtils.hasText(idp)) { - result.add(idp); - } - } catch (MetadataProviderException e) { - log.error("Unable to get IDP alias for:"+delegate, e); - } - } +// for (ExtendedMetadataDelegate delegate : getAvailableProviders()) { +// try { +// String idp = getProviderIdpAlias(delegate); +// if (StringUtils.hasText(idp)) { +// result.add(idp); +// } +// } catch (MetadataProviderException e) { +// log.error("Unable to get IDP alias for:"+delegate, e); +// } +// } return result; } - @Override +// @Override public Set getSPEntityNames() { Set result = new HashSet<>(); - for (ExtendedMetadataDelegate delegate : getAvailableProviders()) { - try { - String sp = getHostedSpName(delegate); - if (StringUtils.hasText(sp)) { - result.add(sp); - } - } catch (MetadataProviderException e) { - log.error("Unable to get IDP alias for:"+delegate, e); - } - } +// for (ExtendedMetadataDelegate delegate : getAvailableProviders()) { +// try { +// String sp = getHostedSpName(delegate); +// if (StringUtils.hasText(sp)) { +// result.add(sp); +// } +// } catch (MetadataProviderException e) { +// log.error("Unable to get IDP alias for:"+delegate, e); +// } +// } return 
result; } - @Override +// @Override public boolean isIDPValid(String idpID) { return getIDPEntityNames().contains(idpID); } - @Override +// @Override public boolean isSPValid(String spID) { return getIDPEntityNames().contains(spID); } - @Override +// @Override public String getHostedSPName() { - for (ExtendedMetadataDelegate delegate : getAvailableProviders()) { - try { - String spName = getHostedSpName(delegate); - if (StringUtils.hasText(spName)) { - return spName; - } - } catch (MetadataProviderException e) { - log.error("Unable to find hosted SP name:"+delegate, e); - } - } +// for (ExtendedMetadataDelegate delegate : getAvailableProviders()) { +// try { +// String spName = getHostedSpName(delegate); +// if (StringUtils.hasText(spName)) { +// return spName; +// } +// } catch (MetadataProviderException e) { +// log.error("Unable to find hosted SP name:"+delegate, e); +// } +// } return null; } - @Override +// @Override public void setHostedSPName(String hostedSPName) { } - @Override - public String getDefaultIDP() throws MetadataProviderException { - Iterator iterator = getIDPEntityNames().iterator(); - if (iterator.hasNext()) { - return iterator.next(); - } else { - throw new MetadataProviderException("No IDP was configured, please update included metadata with at least one IDP"); - } - } +// @Override +// public String getDefaultIDP() /* throws MetadataProviderException */ { +// Iterator iterator = getIDPEntityNames().iterator(); +// if (iterator.hasNext()) { +// return iterator.next(); +// } else { +// throw new MetadataProviderException("No IDP was configured, please update included metadata with at least one IDP"); +// } +// } - @Override +// @Override public void setDefaultIDP(String defaultIDP) { //no op } - @Override - public ExtendedMetadata getExtendedMetadata(String entityID) throws MetadataProviderException { - for (MetadataProvider provider : getProviders()) { - ExtendedMetadata extendedMetadata = getExtendedMetadata(entityID, provider); - if 
(extendedMetadata != null) { - return extendedMetadata; - } - } - return getDefaultExtendedMetadata().clone(); - } - - private ExtendedMetadata getExtendedMetadata(String entityID, MetadataProvider provider) throws MetadataProviderException { - if (provider instanceof ExtendedMetadataProvider) { - ExtendedMetadataProvider extendedProvider = (ExtendedMetadataProvider) provider; - ExtendedMetadata extendedMetadata = extendedProvider.getExtendedMetadata(entityID); - if (extendedMetadata != null) { - return extendedMetadata.clone(); - } - } - return null; - } - - @Override - public EntityDescriptor getEntityDescriptor(byte[] hash) throws MetadataProviderException { - for (String idp : getIDPEntityNames()) { - if (SAMLUtil.compare(hash, idp)) { - return getEntityDescriptor(idp); - } - } - - for (String sp : getSPEntityNames()) { - if (SAMLUtil.compare(hash, sp)) { - return getEntityDescriptor(sp); - } - } - - return null; - } - - @Override - public String getEntityIdForAlias(String entityAlias) throws MetadataProviderException { +// @Override +// public ExtendedMetadata getExtendedMetadata(String entityID) throws MetadataProviderException { +// for (MetadataProvider provider : getProviders()) { +// ExtendedMetadata extendedMetadata = getExtendedMetadata(entityID, provider); +// if (extendedMetadata != null) { +// return extendedMetadata; +// } +// } +// return getDefaultExtendedMetadata().clone(); +// } + +// private ExtendedMetadata getExtendedMetadata(String entityID, MetadataProvider provider) throws MetadataProviderException { +// if (provider instanceof ExtendedMetadataProvider) { +// ExtendedMetadataProvider extendedProvider = (ExtendedMetadataProvider) provider; +// ExtendedMetadata extendedMetadata = extendedProvider.getExtendedMetadata(entityID); +// if (extendedMetadata != null) { +// return extendedMetadata.clone(); +// } +// } +// return null; +// } + +// @Override +// public EntityDescriptor getEntityDescriptor(byte[] hash) throws MetadataProviderException 
{ +// for (String idp : getIDPEntityNames()) { +// if (SAMLUtil.compare(hash, idp)) { +// return getEntityDescriptor(idp); +// } +// } +// +// for (String sp : getSPEntityNames()) { +// if (SAMLUtil.compare(hash, sp)) { +// return getEntityDescriptor(sp); +// } +// } +// +// return null; +// } + +// @Override + public String getEntityIdForAlias(String entityAlias) /* throws MetadataProviderException */ { if (entityAlias == null) { return null; } 
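Review bot: With their loop bodies commented out, `getIDPEntityNames()` and `getSPEntityNames()` now always return an empty set and `getHostedSPName()` always returns null, yet the signatures still read as working lookups, so callers get a silent "no providers configured" answer instead of a failure they can diagnose. If these are intentionally inert while the SAML library is swapped, an explicit stub says so, e.g. `throw new UnsupportedOperationException("SAML metadata lookup disabled pending library migration"); // TODO`, or at least a class-level comment stating that the lookups are deliberately no-ops. The retained context line `return getIDPEntityNames().contains(spID);` in `isSPValid` consults the IdP names rather than `getSPEntityNames()`, which looks like a pre-existing copy/paste slip worth correcting while the method is being touched. `getEntityIdForAlias` starts at the end of this hunk and its body continues in the next one.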
@@ -508,191 +508,191 @@ public String getEntityIdForAlias(String entityAlias) throws MetadataProviderExc String entityId = null; for (String idp : getIDPEntityNames()) { - ExtendedMetadata extendedMetadata = getExtendedMetadata(idp); - if (extendedMetadata.isLocal() && entityAlias.equals(extendedMetadata.getAlias())) { - if (entityId != null && !entityId.equals(idp)) { - throw new MetadataProviderException("Alias " + entityAlias + " is used both for entity " + entityId + " and " + idp); - } else { - entityId = idp; - } - } +// ExtendedMetadata extendedMetadata = getExtendedMetadata(idp); +// if (extendedMetadata.isLocal() && entityAlias.equals(extendedMetadata.getAlias())) { +// if (entityId != null && !entityId.equals(idp)) { +// throw new MetadataProviderException("Alias " + entityAlias + " is used both for entity " + entityId + " and " + idp); +// } else { +// entityId = idp; +// } +// } } for (String sp : getSPEntityNames()) { - ExtendedMetadata extendedMetadata = getExtendedMetadata(sp); - if (extendedMetadata.isLocal() && entityAlias.equals(extendedMetadata.getAlias())) { - if (entityId != null && !entityId.equals(sp)) { - throw new MetadataProviderException("Alias " + entityAlias + " is used both for entity " + entityId + " and " + sp); - } else { - entityId = sp; - } - } +// ExtendedMetadata extendedMetadata = getExtendedMetadata(sp); +// if (extendedMetadata.isLocal() && entityAlias.equals(extendedMetadata.getAlias())) { +// if (entityId != null && !entityId.equals(sp)) { +// throw new MetadataProviderException("Alias " + entityAlias + " is used both for entity " + entityId + " and " + sp); +// } else { +// entityId = sp; +// } +// } } return entityId; } - @Override - public ExtendedMetadata getDefaultExtendedMetadata() { - return defaultExtendedMetadata; - } +// @Override +// public ExtendedMetadata getDefaultExtendedMetadata() { +// return defaultExtendedMetadata; +// } - @Override - public void setDefaultExtendedMetadata(ExtendedMetadata 
defaultExtendedMetadata) { - this.defaultExtendedMetadata = defaultExtendedMetadata; - } +// @Override +// public void setDefaultExtendedMetadata(ExtendedMetadata defaultExtendedMetadata) { +// this.defaultExtendedMetadata = defaultExtendedMetadata; +// } - @Override +// @Override public boolean isRefreshRequired() { return false; } - @Override +// @Override public void setRefreshRequired(boolean refreshRequired) { //no op } - @Override +// @Override public void setRefreshCheckInterval(long refreshCheckInterval) { - super.setRefreshCheckInterval(0); - } - - public void setKeyManager(KeyManager keyManager) { - this.keyManager = keyManager; - super.setKeyManager(keyManager); - } - - @Autowired(required = false) - public void setTLSConfigurer(TLSProtocolConfigurer configurer) { - // Only explicit dependency - } - - public EntitiesDescriptor getEntitiesDescriptor(String name) { - EntitiesDescriptor descriptor = null; - for (MetadataProvider provider : getProviders()) { - log.debug("Checking child metadata provider for entities descriptor with name: {}", name); - try { - descriptor = provider.getEntitiesDescriptor(name); - if (descriptor != null) { - break; - } - } catch (MetadataProviderException e) { - log.warn("Error retrieving metadata from provider of type {}, proceeding to next provider", - provider.getClass().getName(), e); - continue; - } - } - return descriptor; - } +// super.setRefreshCheckInterval(0); + } + +// public void setKeyManager(KeyManager keyManager) { +// this.keyManager = keyManager; +// super.setKeyManager(keyManager); +// } + +// @Autowired(required = false) +// public void setTLSConfigurer(TLSProtocolConfigurer configurer) { +// // Only explicit dependency +// } + +// public EntitiesDescriptor getEntitiesDescriptor(String name) { +// EntitiesDescriptor descriptor = null; +// for (MetadataProvider provider : getProviders()) { +// log.debug("Checking child metadata provider for entities descriptor with name: {}", name); +// try { +// descriptor = 
provider.getEntitiesDescriptor(name); +// if (descriptor != null) { +// break; +// } +// } catch (MetadataProviderException e) { +// log.warn("Error retrieving metadata from provider of type {}, proceeding to next provider", +// provider.getClass().getName(), e); +// continue; +// } +// } +// return descriptor; +// } /** {@inheritDoc} */ - public EntityDescriptor getEntityDescriptor(String entityID) { - EntityDescriptor descriptor = null; - for (MetadataProvider provider : getProviders()) { - log.debug("Checking child metadata provider for entity descriptor with entity ID: {}", entityID); - try { - descriptor = provider.getEntityDescriptor(entityID); - if (descriptor != null) { - break; - } - } catch (MetadataProviderException e) { - log.warn("Error retrieving metadata from provider of type {}, proceeding to next provider", - provider.getClass().getName(), e); - continue; - } - } - return descriptor; - } +// public EntityDescriptor getEntityDescriptor(String entityID) { +// EntityDescriptor descriptor = null; +// for (MetadataProvider provider : getProviders()) { +// log.debug("Checking child metadata provider for entity descriptor with entity ID: {}", entityID); +// try { +// descriptor = provider.getEntityDescriptor(entityID); +// if (descriptor != null) { +// break; +// } +// } catch (MetadataProviderException e) { +// log.warn("Error retrieving metadata from provider of type {}, proceeding to next provider", +// provider.getClass().getName(), e); +// continue; +// } +// } +// return descriptor; +// } /** {@inheritDoc} */ - public List getRole(String entityID, QName roleName) { - List roleDescriptors = null; - for (MetadataProvider provider : getProviders()) { - log.debug("Checking child metadata provider for entity descriptor with entity ID: {}", entityID); - try { - roleDescriptors = provider.getRole(entityID, roleName); - if (roleDescriptors != null && !roleDescriptors.isEmpty()) { - break; - } - } catch (MetadataProviderException e) { - log.warn("Error 
retrieving metadata from provider of type {}, proceeding to next provider", - provider.getClass().getName(), e); - continue; - } - } - return roleDescriptors; - } +// public List getRole(String entityID, QName roleName) { +// List roleDescriptors = null; +// for (MetadataProvider provider : getProviders()) { +// log.debug("Checking child metadata provider for entity descriptor with entity ID: {}", entityID); +// try { +// roleDescriptors = provider.getRole(entityID, roleName); +// if (roleDescriptors != null && !roleDescriptors.isEmpty()) { +// break; +// } +// } catch (MetadataProviderException e) { +// log.warn("Error retrieving metadata from provider of type {}, proceeding to next provider", +// provider.getClass().getName(), e); +// continue; +// } +// } +// return roleDescriptors; +// } /** {@inheritDoc} */ - public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol) { - RoleDescriptor roleDescriptor = null; - for (MetadataProvider provider : getProviders()) { - log.debug("Checking child metadata provider for entity descriptor with entity ID: {}", entityID); - try { - roleDescriptor = provider.getRole(entityID, roleName, supportedProtocol); - if (roleDescriptor != null) { - break; - } - } catch (MetadataProviderException e) { - log.warn("Error retrieving metadata from provider of type {}, proceeding to next provider", - provider.getClass().getName(), e); - continue; - } - } - return roleDescriptor; - } - - @Override - public XMLObject getMetadata() throws MetadataProviderException { - return new ChainingEntitiesDescriptor(); - } +// public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol) { +// RoleDescriptor roleDescriptor = null; +// for (MetadataProvider provider : getProviders()) { +// log.debug("Checking child metadata provider for entity descriptor with entity ID: {}", entityID); +// try { +// roleDescriptor = provider.getRole(entityID, roleName, supportedProtocol); +// if (roleDescriptor != 
null) { +// break; +// } +// } catch (MetadataProviderException e) { +// log.warn("Error retrieving metadata from provider of type {}, proceeding to next provider", +// provider.getClass().getName(), e); +// continue; +// } +// } +// return roleDescriptor; +// } + +// @Override +// public XMLObject getMetadata() throws MetadataProviderException { +// return new ChainingEntitiesDescriptor(); +// } public void setMetadataGenerator(ZoneAwareMetadataGenerator generator) throws BeansException { this.generator = generator; } - public class ChainingEntitiesDescriptor implements EntitiesDescriptor { + public class ChainingEntitiesDescriptor /* implements EntitiesDescriptor */ { /** Metadata from the child metadata providers. */ - private ArrayList childDescriptors; +// private ArrayList childDescriptors; /** Constructor. */ - public ChainingEntitiesDescriptor() throws MetadataProviderException { - childDescriptors = new ArrayList(); - for (MetadataProvider provider : getProviders()) { - childDescriptors.add(provider.getMetadata()); - } - } - - /** {@inheritDoc} */ - public List getEntitiesDescriptors() { - ArrayList descriptors = new ArrayList<>(); - for (XMLObject descriptor : childDescriptors) { - if (descriptor instanceof EntitiesDescriptor) { - descriptors.add((EntitiesDescriptor) descriptor); - } - } - - return descriptors; - } - - /** {@inheritDoc} */ - public List getEntityDescriptors() { - ArrayList descriptors = new ArrayList<>(); - for (XMLObject descriptor : childDescriptors) { - if (descriptor instanceof EntityDescriptor) { - descriptors.add((EntityDescriptor) descriptor); - } - } - - return descriptors; - } - - /** {@inheritDoc} */ - public Extensions getExtensions() { - return null; - } +// public ChainingEntitiesDescriptor() throws MetadataProviderException { +// childDescriptors = new ArrayList(); +// for (MetadataProvider provider : getProviders()) { +// childDescriptors.add(provider.getMetadata()); +// } +// } + + /** {@inheritDoc} */ +// public List 
getEntitiesDescriptors() { +// ArrayList descriptors = new ArrayList<>(); +// for (XMLObject descriptor : childDescriptors) { +// if (descriptor instanceof EntitiesDescriptor) { +// descriptors.add((EntitiesDescriptor) descriptor); +// } +// } +// +// return descriptors; +// } + + /** {@inheritDoc} */ +// public List getEntityDescriptors() { +// ArrayList descriptors = new ArrayList<>(); +// for (XMLObject descriptor : childDescriptors) { +// if (descriptor instanceof EntityDescriptor) { +// descriptors.add((EntityDescriptor) descriptor); +// } +// } +// +// return descriptors; +// } + + /** {@inheritDoc} */ +// public Extensions getExtensions() { +// return null; +// } /** {@inheritDoc} */ public String getID() { @@ -705,9 +705,9 @@ public String getName() { } /** {@inheritDoc} */ - public void setExtensions(Extensions extensions) { - - } +// public void setExtensions(Extensions extensions) { +// +// } /** {@inheritDoc} */ public void setID(String newID) { @@ -725,9 +725,9 @@ public String getSignatureReferenceID() { } /** {@inheritDoc} */ - public Signature getSignature() { - return null; - } +// public Signature getSignature() { +// return null; +// } /** {@inheritDoc} */ public boolean isSigned() { @@ -735,14 +735,14 @@ public boolean isSigned() { } /** {@inheritDoc} */ - public void setSignature(Signature newSignature) { - - } +// public void setSignature(Signature newSignature) { +// +// } /** {@inheritDoc} */ - public void addNamespace(Namespace namespace) { - - } +// public void addNamespace(Namespace namespace) { +// +// } /** {@inheritDoc} */ public void detach() { 
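Review bot: In `getEntityIdForAlias` both `for` loops now have fully commented-out bodies, so they iterate `getIDPEntityNames()` and `getSPEntityNames()` to no effect and the method unconditionally returns `null`; a reader has to scan about twenty commented lines to discover that. If alias resolution is intentionally disabled for now, `return null; // TODO: alias resolution pending SAML library migration` with the empty loops removed states it directly, and the same applies to the now-empty body of `setRefreshCheckInterval`. Further down, `ChainingEntitiesDescriptor /* implements EntitiesDescriptor */` leaves every surviving `/** {@inheritDoc} */` (on `getID`, `setID`, `isSigned`, `detach`, `hasParent`, `validate`, `setNil(Boolean)` and the rest) inheriting from nothing, and Javadoc blocks ahead of commented-out members, such as `/** Metadata from the child metadata providers. */`, now attach to whatever declaration follows them. The hunks at -705, -725, -735, -755, -780, -804, -834, -859, -869, -917 and -927 share this; replacing those `{@inheritDoc}` tags with a one-line description, or dropping them, would keep the Javadoc honest.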
@@ -755,24 +755,24 @@ public Element getDOM() { } /** {@inheritDoc} */ - public QName getElementQName() { - return EntitiesDescriptor.DEFAULT_ELEMENT_NAME; - } +// public QName getElementQName() { +// return EntitiesDescriptor.DEFAULT_ELEMENT_NAME; +// } /** {@inheritDoc} */ - public IDIndex getIDIndex() { - return null; - } +// public IDIndex getIDIndex() { +// return null; +// } /** {@inheritDoc} */ - public NamespaceManager getNamespaceManager() { - return null; - } +// public NamespaceManager getNamespaceManager() { +// return null; +// } /** {@inheritDoc} */ - public Set getNamespaces() { - return new LazySet<>(); - } +// public Set getNamespaces() { +// return new LazySet<>(); +// } /** {@inheritDoc} */ public String getNoNamespaceSchemaLocation() { @@ -780,23 +780,23 @@ public String getNoNamespaceSchemaLocation() { } /** {@inheritDoc} */ - public List getOrderedChildren() { - ArrayList descriptors = new ArrayList<>(); - try { - for (MetadataProvider provider : getProviders()) { - descriptors.add(provider.getMetadata()); - } - } catch (MetadataProviderException e) { - log.error("Unable to generate list of child descriptors", e); - } - - return descriptors; - } +// public List getOrderedChildren() { +// ArrayList descriptors = new ArrayList<>(); +// try { +// for (MetadataProvider provider : getProviders()) { +// descriptors.add(provider.getMetadata()); +// } +// } catch (MetadataProviderException e) { +// log.error("Unable to generate list of child descriptors", e); +// } +// +// return descriptors; +// } /** {@inheritDoc} */ - public XMLObject getParent() { - return null; - } +// public XMLObject getParent() { +// return null; +// } /** {@inheritDoc} */ public String getSchemaLocation() { 
@@ -804,14 +804,14 @@ public String getSchemaLocation() { } /** {@inheritDoc} */ - public QName getSchemaType() { - return EntitiesDescriptor.TYPE_NAME; - } +// public QName getSchemaType() { +// return EntitiesDescriptor.TYPE_NAME; +// } /** {@inheritDoc} */ - public boolean hasChildren() { - return !getOrderedChildren().isEmpty(); - } +// public boolean hasChildren() { +// return !getOrderedChildren().isEmpty(); +// } /** {@inheritDoc} */ public boolean hasParent() { @@ -834,19 +834,19 @@ public void releaseParentDOM(boolean propagateRelease) { } /** {@inheritDoc} */ - public void removeNamespace(Namespace namespace) { - - } +// public void removeNamespace(Namespace namespace) { +// +// } /** {@inheritDoc} */ - public XMLObject resolveID(String id) { - return null; - } +// public XMLObject resolveID(String id) { +// return null; +// } /** {@inheritDoc} */ - public XMLObject resolveIDFromRoot(String id) { - return null; - } +// public XMLObject resolveIDFromRoot(String id) { +// return null; +// } /** {@inheritDoc} */ public void setDOM(Element dom) { @@ -859,9 +859,9 @@ public void setNoNamespaceSchemaLocation(String location) { } /** {@inheritDoc} */ - public void setParent(XMLObject parent) { - - } +// public void setParent(XMLObject parent) { +// +// } /** {@inheritDoc} */ public void setSchemaLocation(String location) { @@ -869,18 +869,18 @@ public void setSchemaLocation(String location) { } /** {@inheritDoc} */ - public void deregisterValidator(Validator validator) { - - } +// public void deregisterValidator(Validator validator) { +// +// } /** {@inheritDoc} */ - public List getValidators() { - return new ArrayList(); - } +// public List getValidators() { +// return new ArrayList(); +// } /** {@inheritDoc} */ - public void registerValidator(Validator validator) { - } +// public void registerValidator(Validator validator) { +// } /** {@inheritDoc} */ public void validate(boolean validateDescendants) { 
@@ -917,9 +917,9 @@ public Boolean isNil() { } /** {@inheritDoc} */ - public XSBooleanValue isNilXSBoolean() { - return new XSBooleanValue(Boolean.FALSE, false); - } +// public XSBooleanValue isNilXSBoolean() { +// return new XSBooleanValue(Boolean.FALSE, false); +// } /** {@inheritDoc} */ public void setNil(Boolean arg0) { @@ -927,9 +927,9 @@ public void setNil(Boolean arg0) { } /** {@inheritDoc} */ - public void setNil(XSBooleanValue arg0) { - // do nothing - } +// public void setNil(XSBooleanValue arg0) { +// // do nothing +// } } } \ No newline at end of file diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SPWebSSOProfileImpl.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SPWebSSOProfileImpl.java index 678105b5a65..d974c3625b8 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SPWebSSOProfileImpl.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SPWebSSOProfileImpl.java 
@@ -12,24 +12,24 @@ *******************************************************************************/ package org.cloudfoundry.identity.uaa.provider.saml; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.SingleSignOnService; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.springframework.security.saml.metadata.MetadataManager; -import org.springframework.security.saml.processor.SAMLProcessor; -import org.springframework.security.saml.websso.WebSSOProfileImpl; -import org.springframework.security.saml.websso.WebSSOProfileOptions; +//import org.opensaml.saml2.metadata.IDPSSODescriptor; +//import org.opensaml.saml2.metadata.SPSSODescriptor; +//import org.opensaml.saml2.metadata.SingleSignOnService; +//import org.opensaml.saml2.metadata.provider.MetadataProviderException; +//import org.springframework.security.saml.metadata.MetadataManager; +//import org.springframework.security.saml.processor.SAMLProcessor; +//import org.springframework.security.saml.websso.WebSSOProfileImpl; +//import org.springframework.security.saml.websso.WebSSOProfileOptions; -import static org.opensaml.common.xml.SAMLConstants.SAML2_POST_BINDING_URI; -import static org.opensaml.common.xml.SAMLConstants.SAML2_REDIRECT_BINDING_URI; +//import static org.opensaml.common.xml.SAMLConstants.SAML2_POST_BINDING_URI; +//import static org.opensaml.common.xml.SAMLConstants.SAML2_REDIRECT_BINDING_URI; -public class SPWebSSOProfileImpl extends WebSSOProfileImpl { +public class SPWebSSOProfileImpl /* extends WebSSOProfileImpl */ { public SPWebSSOProfileImpl () {} - public SPWebSSOProfileImpl(SAMLProcessor processor, MetadataManager manager) { - super(processor, manager); - } +// public SPWebSSOProfileImpl(SAMLProcessor processor, MetadataManager manager) { +// super(processor, manager); +// } /** * Determines whether given SingleSignOn service can be used together with this profile. 
Bindings POST, Artifact @@ -38,19 +38,19 @@ public SPWebSSOProfileImpl(SAMLProcessor processor, MetadataManager manager) { * @param endpoint endpoint * @return true if endpoint is supported */ - @Override - protected boolean isEndpointSupported(SingleSignOnService endpoint) { - return - SAML2_POST_BINDING_URI.equals(endpoint.getBinding()) || - SAML2_REDIRECT_BINDING_URI.equals(endpoint.getBinding()); - } +// @Override +// protected boolean isEndpointSupported(SingleSignOnService endpoint) { +// return +// SAML2_POST_BINDING_URI.equals(endpoint.getBinding()) || +// SAML2_REDIRECT_BINDING_URI.equals(endpoint.getBinding()); +// } - @Override - protected SingleSignOnService getSingleSignOnService(WebSSOProfileOptions options, IDPSSODescriptor idpssoDescriptor, SPSSODescriptor spDescriptor) throws MetadataProviderException { - try { - return super.getSingleSignOnService(options, idpssoDescriptor, spDescriptor); - } catch (MetadataProviderException e) { - throw new SamlBindingNotSupportedException(e.getMessage(), e); - } - } +// @Override +// protected SingleSignOnService getSingleSignOnService(WebSSOProfileOptions options, IDPSSODescriptor idpssoDescriptor, SPSSODescriptor spDescriptor) throws MetadataProviderException { +// try { +// return super.getSingleSignOnService(options, idpssoDescriptor, spDescriptor); +// } catch (MetadataProviderException e) { +// throw new SamlBindingNotSupportedException(e.getMessage(), e); +// } +// } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlBindingNotSupportedException.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlBindingNotSupportedException.java index 91e03c24437..4122909832e 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlBindingNotSupportedException.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlBindingNotSupportedException.java 
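Review bot: `SPWebSSOProfileImpl` no longer has a supertype, so the commented-out `@Override` methods cannot simply be uncommented later, and the behaviour they carried — `isEndpointSupported` restricting SSO endpoints to the POST and Redirect bindings, and `getSingleSignOnService` translating a missing binding into `SamlBindingNotSupportedException` — now survives only in dead comments with no marker. The binding restriction is the security-relevant part of this class, so a class-level note would help whoever ports it: `// TODO(saml-migration): re-implement the POST/Redirect-only binding restriction from isEndpointSupported against the replacement library.` The Javadoc above it still documents `@param endpoint` and `@return` for a method that is now a comment (and already disagreed with the code by listing "POST, Artifact" where the code accepted POST and Redirect). If nothing is meant to be kept, deleting the file is cleaner than leaving an empty shell with a no-arg constructor.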
@@ -15,21 +15,21 @@ package org.cloudfoundry.identity.uaa.provider.saml; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; +//import org.opensaml.saml2.metadata.provider.MetadataProviderException; -public class SamlBindingNotSupportedException extends MetadataProviderException { +public class SamlBindingNotSupportedException /* extends MetadataProviderException */ { public SamlBindingNotSupportedException() { } public SamlBindingNotSupportedException(String message) { - super(message); +// super(message); } public SamlBindingNotSupportedException(Exception wrappedException) { - super(wrappedException); +// super(wrappedException); } public SamlBindingNotSupportedException(String message, Exception wrappedException) { - super(message, wrappedException); +// super(message, wrappedException); } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBean.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBean.java index 56bfd7679b2..54eafd9c30e 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBean.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBean.java @@ -14,9 +14,9 @@ */ package org.cloudfoundry.identity.uaa.provider.saml; -import org.opensaml.xml.Configuration; -import org.opensaml.xml.security.BasicSecurityConfiguration; -import org.opensaml.xml.signature.SignatureConstants; +//import org.opensaml.xml.Configuration; +//import org.opensaml.xml.security.BasicSecurityConfiguration; +//import org.opensaml.xml.signature.SignatureConstants; import org.springframework.beans.factory.InitializingBean; 
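Review bot: With `extends MetadataProviderException` commented out, `SamlBindingNotSupportedException` is no longer a `Throwable`, so it can be neither thrown nor caught, and its three constructors now silently discard the `message` and `wrappedException` they receive. If the type is to survive the migration it should keep a `Throwable` supertype and forward to it, e.g. `public class SamlBindingNotSupportedException extends Exception {` (matching the checked exception it replaced, or `RuntimeException` if that is the new stack's convention) with `super(message, wrappedException);` and the other two `super(...)` calls restored, so the original cause is preserved for diagnostics. As written, the class name and the `Exception`-typed constructor parameters promise behaviour the class no longer has.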
@@ -33,21 +33,21 @@ public SignatureAlgorithm getSignatureAlgorithm() { @Override public void afterPropertiesSet() { - BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration(); - switch (signatureAlgorithm) { - case SHA1: - config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1); - config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA1); - break; - case SHA256: - config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); - config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256); - break; - case SHA512: - config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512); - config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA512); - break; - } +// BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration(); +// switch (signatureAlgorithm) { +// case SHA1: +// config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1); +// config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA1); +// break; +// case SHA256: +// config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); +// config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256); +// break; +// case SHA512: +// config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512); +// config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA512); +// break; +// } } public enum SignatureAlgorithm { diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlIdentityProviderConfigurator.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlIdentityProviderConfigurator.java index 1cedd620cfc..758b0e49bde 100644 
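Review bot: `afterPropertiesSet()` is now an empty method, so the `signatureAlgorithm` this bean is configured with is exposed by `getSignatureAlgorithm()` but no longer applied anywhere: a deployment that selects SHA256 or SHA512 will silently run with whatever signing and digest defaults the replacement SAML stack provides, while the bean still looks like it enforces the choice. Until the algorithm is wired into the new library, consider failing loudly at startup rather than no-op'ing, e.g. `throw new UnsupportedOperationException("signature algorithm configuration not yet applied: " + signatureAlgorithm);`, or at minimum a warning log plus a `// TODO` naming where the registration is meant to move. The `SignatureAlgorithm` enum is unchanged, so configuration will keep accepting values that currently have no effect.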
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlIdentityProviderConfigurator.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlIdentityProviderConfigurator.java @@ -8,11 +8,11 @@ import org.cloudfoundry.identity.uaa.provider.SamlIdentityProviderDefinition; import org.cloudfoundry.identity.uaa.zone.IdentityZone; import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.opensaml.xml.parse.BasicParserPool; +//import org.opensaml.saml2.metadata.provider.MetadataProviderException; +//import org.opensaml.xml.parse.BasicParserPool; import org.springframework.beans.factory.annotation.Qualifier; -import org.springframework.security.saml.metadata.ExtendedMetadata; -import org.springframework.security.saml.metadata.ExtendedMetadataDelegate; +//import org.springframework.security.saml.metadata.ExtendedMetadata; +//import org.springframework.security.saml.metadata.ExtendedMetadataDelegate; import org.springframework.stereotype.Component; import org.springframework.util.StringUtils; 
@@ -26,17 +26,17 @@ @Component("metaDataProviders") public class SamlIdentityProviderConfigurator { - private final BasicParserPool parserPool; +// private final BasicParserPool parserPool; private final IdentityProviderProvisioning providerProvisioning; - private final FixedHttpMetaDataProvider fixedHttpMetaDataProvider; +// private final FixedHttpMetaDataProvider fixedHttpMetaDataProvider; public SamlIdentityProviderConfigurator( - final BasicParserPool parserPool, - final @Qualifier("identityProviderProvisioning") IdentityProviderProvisioning providerProvisioning, - final FixedHttpMetaDataProvider fixedHttpMetaDataProvider) { - this.parserPool = parserPool; +// final BasicParserPool parserPool, + final @Qualifier("identityProviderProvisioning") IdentityProviderProvisioning providerProvisioning + /* final FixedHttpMetaDataProvider fixedHttpMetaDataProvider*/) { +// this.parserPool = parserPool; this.providerProvisioning = providerProvisioning; - this.fixedHttpMetaDataProvider = fixedHttpMetaDataProvider; +// this.fixedHttpMetaDataProvider = fixedHttpMetaDataProvider; } public List getIdentityProviderDefinitions() { @@ -73,8 +73,8 @@ public List getIdentityProviderDefinitions(List< * @param providerDefinition - the provider to be added * @throws MetadataProviderException if the system fails to fetch meta data for this provider */ - public synchronized void validateSamlIdentityProviderDefinition(SamlIdentityProviderDefinition providerDefinition) throws MetadataProviderException { - ExtendedMetadataDelegate added, deleted = null; + public synchronized void validateSamlIdentityProviderDefinition(SamlIdentityProviderDefinition providerDefinition) /* throws MetadataProviderException */ { +// ExtendedMetadataDelegate added, deleted = null; if (providerDefinition == null) { throw new NullPointerException(); } 
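Review bot: The Javadoc on `validateSamlIdentityProviderDefinition` still says `@throws MetadataProviderException if the system fails to fetch meta data for this provider`, but the throws clause directly beneath it is now a comment, so the documented contract and the signature disagree. Either drop the `@throws` line or rewrite it to describe what the method now guarantees; the body continues in the following hunk, where the entity-ID and duplicate-entity-ID checks are commented out and `entityIDexists` is assigned but never read, so at present only the null and zone-id checks actually run. A `// TODO: restore entity-ID and duplicate-entity-ID validation` on the method would make that gap visible to the next reader rather than leaving a method named `validate…` that validates very little.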
@@ -85,61 +85,61 @@ public synchronized void validateSamlIdentityProviderDefinition(SamlIdentityProv throw new NullPointerException("IDP Zone Id must be set"); } SamlIdentityProviderDefinition clone = providerDefinition.clone(); - added = getExtendedMetadataDelegate(clone); - String entityIDToBeAdded = ((ConfigMetadataProvider) added.getDelegate()).getEntityID(); - if (!StringUtils.hasText(entityIDToBeAdded)) { - throw new MetadataProviderException("Emtpy entityID for SAML provider with zoneId:" + providerDefinition.getZoneId() + " and origin:" + providerDefinition.getIdpEntityAlias()); - } +// added = getExtendedMetadataDelegate(clone); +// String entityIDToBeAdded = ((ConfigMetadataProvider) added.getDelegate()).getEntityID(); +// if (!StringUtils.hasText(entityIDToBeAdded)) { +// throw new MetadataProviderException("Emtpy entityID for SAML provider with zoneId:" + providerDefinition.getZoneId() + " and origin:" + providerDefinition.getIdpEntityAlias()); +// } boolean entityIDexists = false; - for (SamlIdentityProviderDefinition existing : getIdentityProviderDefinitions()) { - ConfigMetadataProvider existingProvider = (ConfigMetadataProvider) getExtendedMetadataDelegate(existing).getDelegate(); - if (entityIDToBeAdded.equals(existingProvider.getEntityID()) && - !(existing.getUniqueAlias().equals(clone.getUniqueAlias()))) { - entityIDexists = true; - break; - } - } - - if (entityIDexists) { - throw new MetadataProviderException("Duplicate entity ID:" + entityIDToBeAdded); - } +// for (SamlIdentityProviderDefinition existing : getIdentityProviderDefinitions()) { +//// ConfigMetadataProvider existingProvider = (ConfigMetadataProvider) getExtendedMetadataDelegate(existing).getDelegate(); +//// if (entityIDToBeAdded.equals(existingProvider.getEntityID()) && +//// !(existing.getUniqueAlias().equals(clone.getUniqueAlias()))) { +//// entityIDexists = true; +//// break; +//// } +// } + +// if (entityIDexists) { +// throw new MetadataProviderException("Duplicate entity 
ID:" + entityIDToBeAdded); +// } } - public ExtendedMetadataDelegate getExtendedMetadataDelegateFromCache(SamlIdentityProviderDefinition def) throws MetadataProviderException { - return getExtendedMetadataDelegate(def); - } - - public ExtendedMetadataDelegate getExtendedMetadataDelegate(SamlIdentityProviderDefinition def) throws MetadataProviderException { - ExtendedMetadataDelegate metadata; - switch (def.getType()) { - case DATA: { - metadata = configureXMLMetadata(def); - break; - } - case URL: { - metadata = configureURLMetadata(def); - break; - } - default: { - throw new MetadataProviderException("Invalid metadata type for alias[" + def.getIdpEntityAlias() + "]:" + def.getMetaDataLocation()); - } - } - return metadata; - } - - protected ExtendedMetadataDelegate configureXMLMetadata(SamlIdentityProviderDefinition def) { - ConfigMetadataProvider configMetadataProvider = new ConfigMetadataProvider(def.getZoneId(), def.getIdpEntityAlias(), def.getMetaDataLocation()); - configMetadataProvider.setParserPool(parserPool); - ExtendedMetadata extendedMetadata = new ExtendedMetadata(); - extendedMetadata.setLocal(false); - extendedMetadata.setAlias(def.getIdpEntityAlias()); - ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(configMetadataProvider, extendedMetadata); - delegate.setMetadataTrustCheck(def.isMetadataTrustCheck()); - - return delegate; - } +// public ExtendedMetadataDelegate getExtendedMetadataDelegateFromCache(SamlIdentityProviderDefinition def) throws MetadataProviderException { +// return getExtendedMetadataDelegate(def); +// } + +// public ExtendedMetadataDelegate getExtendedMetadataDelegate(SamlIdentityProviderDefinition def) throws MetadataProviderException { +// ExtendedMetadataDelegate metadata; +// switch (def.getType()) { +// case DATA: { +// metadata = configureXMLMetadata(def); +// break; +// } +// case URL: { +// metadata = configureURLMetadata(def); +// break; +// } +// default: { +// throw new MetadataProviderException("Invalid 
metadata type for alias[" + def.getIdpEntityAlias() + "]:" + def.getMetaDataLocation()); +// } +// } +// return metadata; +// } + +// protected ExtendedMetadataDelegate configureXMLMetadata(SamlIdentityProviderDefinition def) { +// ConfigMetadataProvider configMetadataProvider = new ConfigMetadataProvider(def.getZoneId(), def.getIdpEntityAlias(), def.getMetaDataLocation()); +// configMetadataProvider.setParserPool(parserPool); +// ExtendedMetadata extendedMetadata = new ExtendedMetadata(); +// extendedMetadata.setLocal(false); +// extendedMetadata.setAlias(def.getIdpEntityAlias()); +// ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(configMetadataProvider, extendedMetadata); +// delegate.setMetadataTrustCheck(def.isMetadataTrustCheck()); +// +// return delegate; +// } protected String adjustURIForPort(String uri) throws URISyntaxException { 
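Review bot: `validateSamlIdentityProviderDefinition` now returns successfully for any non-null definition with a zone id: the empty-entityID check and the duplicate-entityID check against existing providers are both commented out, while the method keeps its name and (presumably, the IdentityProviderEndpoints change is in this same diff) is still called by provider-management code, so a definition with an empty or already-registered entityID is accepted silently instead of rejected. The local `boolean entityIDexists = false;` is left declared but never read. Until the replacement validation exists, failing closed is the safer interim, e.g. `throw new UnsupportedOperationException("SAML metadata validation is unavailable during the SAML library migration");`, or at minimum a class-level comment stating that duplicate-entityID detection is currently not enforced so operators are not relying on it.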
@@ -157,17 +157,17 @@ protected String adjustURIForPort(String uri) throws URISyntaxException { return uri; } - protected ExtendedMetadataDelegate configureURLMetadata(SamlIdentityProviderDefinition def) throws MetadataProviderException { - try { - def = def.clone(); - String adjustedMetatadataURIForPort = adjustURIForPort(def.getMetaDataLocation()); - - byte[] metadata = fixedHttpMetaDataProvider.fetchMetadata(adjustedMetatadataURIForPort, def.isSkipSslValidation()); - - def.setMetaDataLocation(new String(metadata, StandardCharsets.UTF_8)); - return configureXMLMetadata(def); - } catch (URISyntaxException e) { - throw new MetadataProviderException("Invalid socket factory(invalid URI):" + def.getMetaDataLocation(), e); - } - } +// protected ExtendedMetadataDelegate configureURLMetadata(SamlIdentityProviderDefinition def) throws MetadataProviderException { +// try { +// def = def.clone(); +// String adjustedMetatadataURIForPort = adjustURIForPort(def.getMetaDataLocation()); +// +// byte[] metadata = fixedHttpMetaDataProvider.fetchMetadata(adjustedMetatadataURIForPort, def.isSkipSslValidation()); +// +// def.setMetaDataLocation(new String(metadata, StandardCharsets.UTF_8)); +// return configureXMLMetadata(def); +// } catch (URISyntaxException e) { +// throw new MetadataProviderException("Invalid socket factory(invalid URI):" + def.getMetaDataLocation(), e); +// } +// } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactory.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactory.java index b6aa0247c7d..ea2bb83c159 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactory.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactory.java 
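Review bot: `adjustURIForPort` is left live but its only visible caller, `configureURLMetadata`, is now commented out, and the `fixedHttpMetaDataProvider` field, the component that carried `def.isSkipSslValidation()` into the remote fetch, is no longer referenced by any live code in the class. If URL-type definitions still pass `validateSamlIdentityProviderDefinition`, their metadata is now never fetched, so a definition pointing at an unreachable or malformed URL is accepted without error. A short comment above `adjustURIForPort`, `// retained for the replacement URL-metadata fetch path; currently has no caller`, would make the intent explicit.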
@@ -17,8 +17,8 @@
 import org.cloudfoundry.identity.uaa.zone.SamlConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.security.saml.key.JKSKeyManager;
-import org.springframework.security.saml.key.KeyManager;
+//import org.springframework.security.saml.key.JKSKeyManager;
+//import org.springframework.security.saml.key.KeyManager;
 import java.security.KeyStore;
 import java.security.PrivateKey;
@@ -37,49 +37,49 @@ public final class SamlKeyManagerFactory { public SamlKeyManagerFactory() { } - public KeyManager getKeyManager(SamlConfig config) { - return getKeyManager(config.getKeys(), config.getActiveKeyId()); - } - - private KeyManager getKeyManager(Map keys, String activeKeyId) { - SamlKey activeKey = keys.get(activeKeyId); - - if (activeKey == null) { - return null; - } - - try { - KeyStore keystore = KeyStore.getInstance("JKS"); - keystore.load(null); - Map aliasPasswordMap = new HashMap<>(); - for (Map.Entry entry : keys.entrySet()) { - Supplier passProvider = () -> ofNullable(entry.getValue().getPassphrase()).orElse(""); - KeyWithCert keyWithCert = entry.getValue().getKey() == null ? - new KeyWithCert(entry.getValue().getCertificate()) : - new KeyWithCert(entry.getValue().getKey(), passProvider.get(), entry.getValue().getCertificate()); - - X509Certificate certificate = keyWithCert.getCertificate(); - - String alias = entry.getKey(); - keystore.setCertificateEntry(alias, certificate); - - PrivateKey privateKey = keyWithCert.getPrivateKey(); - if (privateKey != null) { - keystore.setKeyEntry(alias, privateKey, passProvider.get().toCharArray(), new Certificate[]{certificate}); - aliasPasswordMap.put(alias, passProvider.get()); - } - } - - JKSKeyManager keyManager = new JKSKeyManager(keystore, aliasPasswordMap, activeKeyId); - - logger.info("Loaded service provider certificate " + keyManager.getDefaultCredentialName()); - - return keyManager; - } catch (Throwable t) { - logger.error("Could not load certificate", t); - throw new IllegalArgumentException( - "Could not load service provider certificate. 
Check serviceProviderKey and certificate parameters", - t); - } - } +// public KeyManager getKeyManager(SamlConfig config) { +// return getKeyManager(config.getKeys(), config.getActiveKeyId()); +// } + +// private KeyManager getKeyManager(Map keys, String activeKeyId) { +// SamlKey activeKey = keys.get(activeKeyId); +// +// if (activeKey == null) { +// return null; +// } +// +// try { +// KeyStore keystore = KeyStore.getInstance("JKS"); +// keystore.load(null); +// Map aliasPasswordMap = new HashMap<>(); +// for (Map.Entry entry : keys.entrySet()) { +// Supplier passProvider = () -> ofNullable(entry.getValue().getPassphrase()).orElse(""); +// KeyWithCert keyWithCert = entry.getValue().getKey() == null ? +// new KeyWithCert(entry.getValue().getCertificate()) : +// new KeyWithCert(entry.getValue().getKey(), passProvider.get(), entry.getValue().getCertificate()); +// +// X509Certificate certificate = keyWithCert.getCertificate(); +// +// String alias = entry.getKey(); +// keystore.setCertificateEntry(alias, certificate); +// +// PrivateKey privateKey = keyWithCert.getPrivateKey(); +// if (privateKey != null) { +// keystore.setKeyEntry(alias, privateKey, passProvider.get().toCharArray(), new Certificate[]{certificate}); +// aliasPasswordMap.put(alias, passProvider.get()); +// } +// } +// +// JKSKeyManager keyManager = new JKSKeyManager(keystore, aliasPasswordMap, activeKeyId); +// +// logger.info("Loaded service provider certificate " + keyManager.getDefaultCredentialName()); +// +// return keyManager; +// } catch (Throwable t) { +// logger.error("Could not load certificate", t); +// throw new IllegalArgumentException( +// "Could not load service provider certificate. Check serviceProviderKey and certificate parameters", +// t); +// } +// } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlRedirectUtils.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlRedirectUtils.java index b2f84de179f..8e07b56ccb4 100644 
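Review bot: With both `getKeyManager` overloads commented out, `SamlKeyManagerFactory` has no public API beyond its no-arg constructor, yet it is still imported and referenced by IdentityZoneHolder later in this diff, and `java.security.KeyStore` and `java.security.PrivateKey` remain imported unused. One contract of the removed code is worth recording before it is rebuilt: a `keys` map with no entry for `activeKeyId` yielded `null` rather than an exception, and `IdentityZoneHolder.getSamlSPKeyManager` relied on that `null` to fall back from the current zone's SamlConfig to the UAA zone's. A class comment such as `// TODO(saml-migration): replacement must return null when activeKeyId has no key so zone fallback keeps working` keeps that from being lost.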
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlRedirectUtils.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlRedirectUtils.java
@@ -18,18 +18,18 @@
 import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
 import org.cloudfoundry.identity.uaa.zone.IdentityZone;
 import org.joda.time.DateTime;
-import org.opensaml.common.SAMLVersion;
-import org.opensaml.saml2.core.Assertion;
-import org.opensaml.saml2.core.Issuer;
-import org.opensaml.saml2.core.Response;
-import org.opensaml.saml2.core.Status;
-import org.opensaml.saml2.core.StatusCode;
-import org.opensaml.saml2.core.StatusMessage;
-import org.opensaml.saml2.core.impl.IssuerBuilder;
-import org.opensaml.saml2.core.impl.ResponseBuilder;
-import org.opensaml.saml2.core.impl.StatusBuilder;
-import org.opensaml.saml2.core.impl.StatusCodeBuilder;
-import org.opensaml.saml2.core.impl.StatusMessageBuilder;
+//import org.opensaml.common.SAMLVersion;
+//import org.opensaml.saml2.core.Assertion;
+//import org.opensaml.saml2.core.Issuer;
+//import org.opensaml.saml2.core.Response;
+//import org.opensaml.saml2.core.Status;
+//import org.opensaml.saml2.core.StatusCode;
+//import org.opensaml.saml2.core.StatusMessage;
+//import org.opensaml.saml2.core.impl.IssuerBuilder;
+//import org.opensaml.saml2.core.impl.ResponseBuilder;
+//import org.opensaml.saml2.core.impl.StatusBuilder;
+//import org.opensaml.saml2.core.impl.StatusCodeBuilder;
+//import org.opensaml.saml2.core.impl.StatusMessageBuilder;
 import org.springframework.web.util.UriComponentsBuilder;
 public class SamlRedirectUtils {
@@ -60,27 +60,27 @@ public static String getZonifiedEntityId(String entityID, IdentityZone identityZ } } - public static Response wrapAssertionIntoResponse(Assertion assertion, String assertionIssuer) { - Response response = new ResponseBuilder().buildObject(); - Issuer issuer = new IssuerBuilder().buildObject(); - issuer.setValue(assertionIssuer); - response.setIssuer(issuer); - response.setID("id-" + System.currentTimeMillis()); - Status stat = new StatusBuilder().buildObject(); - // Set the status code - StatusCode statCode = new StatusCodeBuilder().buildObject(); - statCode.setValue("urn:oasis:names:tc:SAML:2.0:status:Success"); - stat.setStatusCode(statCode); - // Set the status Message - StatusMessage statMesssage = new StatusMessageBuilder().buildObject(); - statMesssage.setMessage(null); - stat.setStatusMessage(statMesssage); - response.setStatus(stat); - response.setVersion(SAMLVersion.VERSION_20); - response.setIssueInstant(new DateTime()); - response.getAssertions().add(assertion); - //XMLHelper.adoptElement(assertion.getDOM(), assertion.getDOM().getOwnerDocument()); - return response; - } +// public static Response wrapAssertionIntoResponse(Assertion assertion, String assertionIssuer) { +// Response response = new ResponseBuilder().buildObject(); +// Issuer issuer = new IssuerBuilder().buildObject(); +// issuer.setValue(assertionIssuer); +// response.setIssuer(issuer); +// response.setID("id-" + System.currentTimeMillis()); +// Status stat = new StatusBuilder().buildObject(); +// // Set the status code +// StatusCode statCode = new StatusCodeBuilder().buildObject(); +// statCode.setValue("urn:oasis:names:tc:SAML:2.0:status:Success"); +// stat.setStatusCode(statCode); +// // Set the status Message +// StatusMessage statMesssage = new StatusMessageBuilder().buildObject(); +// statMesssage.setMessage(null); +// stat.setStatusMessage(statMesssage); +// response.setStatus(stat); +// response.setVersion(SAMLVersion.VERSION_20); +// 
response.setIssueInstant(new DateTime()); +// response.getAssertions().add(assertion); +// //XMLHelper.adoptElement(assertion.getDOM(), assertion.getDOM().getOwnerDocument()); +// return response; +// } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlSessionStorageFactory.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlSessionStorageFactory.java index faac61fefad..03fe1cbf433 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlSessionStorageFactory.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlSessionStorageFactory.java 
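Review bot: When `wrapAssertionIntoResponse` is rebuilt on the replacement library, the response ID should not be derived from `System.currentTimeMillis()` as the commented-out version did: a SAML message ID must be an NCName that is unique per message, and a clock value both repeats for two responses built in the same millisecond and is trivially guessable. A `SecureRandom`-backed value such as `"_" + new BigInteger(128, secureRandom).toString(16)` satisfies both requirements. `org.joda.time.DateTime` stays imported but, in the visible hunks, no live code in this class still uses it.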
@@ -16,21 +16,21 @@
 package org.cloudfoundry.identity.uaa.provider.saml;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
-import org.springframework.security.saml.storage.HttpSessionStorage;
-import org.springframework.security.saml.storage.SAMLMessageStorage;
-import org.springframework.security.saml.storage.SAMLMessageStorageFactory;
+//import org.springframework.security.saml.storage.HttpSessionStorage;
+//import org.springframework.security.saml.storage.SAMLMessageStorage;
+//import org.springframework.security.saml.storage.SAMLMessageStorageFactory;
 import javax.servlet.http.HttpServletRequest;
-public class SamlSessionStorageFactory implements SAMLMessageStorageFactory {
+public class SamlSessionStorageFactory /* implements SAMLMessageStorageFactory */ {
- @Override
- public synchronized SAMLMessageStorage getMessageStorage(HttpServletRequest request) {
- if (IdentityZoneHolder.get().getConfig().getSamlConfig().isDisableInResponseToCheck()) {
- //add the ability to disable inResponseTo check
- //https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
- return null;
- }
- return new HttpSessionStorage(request);
- }
+// @Override
+// public synchronized SAMLMessageStorage getMessageStorage(HttpServletRequest request) {
+// if (IdentityZoneHolder.get().getConfig().getSamlConfig().isDisableInResponseToCheck()) {
+// //add the ability to disable inResponseTo check
+// //https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
+// return null;
+// }
+// return new HttpSessionStorage(request);
+// }
 }
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareKeyManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareKeyManager.java
index d11386c198f..e9ebf18f4bf 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareKeyManager.java
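Review bot: `SamlSessionStorageFactory` keeps its name but now has no members, and `javax.servlet.http.HttpServletRequest` is imported but unused. The removed `getMessageStorage` is where the zone-level `isDisableInResponseToCheck()` switch took effect by returning `null` storage, which per the inline comment disabled the InResponseTo check for that zone; the flag still exists in `SamlConfig`, and a reader of the now-empty class has no way to see that the replacement must honour it and must default to enforcing the check. A class Javadoc such as `/** Placeholder during the SAML library migration. The replacement must enforce InResponseTo validation unless the zone's SamlConfig#isDisableInResponseToCheck() is set. */` records that requirement where it will be seen.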
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareKeyManager.java
@@ -13,11 +13,11 @@
 package org.cloudfoundry.identity.uaa.provider.saml;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
-import org.opensaml.xml.security.CriteriaSet;
-import org.opensaml.xml.security.SecurityException;
-import org.opensaml.xml.security.credential.Credential;
+//import org.opensaml.xml.security.CriteriaSet;
+//import org.opensaml.xml.security.SecurityException;
+//import org.opensaml.xml.security.credential.Credential;
 import org.springframework.context.annotation.DependsOn;
-import org.springframework.security.saml.key.KeyManager;
+//import org.springframework.security.saml.key.KeyManager;
 import org.springframework.stereotype.Component;
 import java.security.cert.X509Certificate;
@@ -25,39 +25,39 @@ @Component("zoneAwareSamlSpKeyManager") @DependsOn("identityZoneHolderInitializer") -public class ZoneAwareKeyManager implements KeyManager { - @Override - public Credential getCredential(String keyName) { - return IdentityZoneHolder.getSamlSPKeyManager().getCredential(keyName); - } - - @Override - public Credential getDefaultCredential() { - return IdentityZoneHolder.getSamlSPKeyManager().getDefaultCredential(); - } - - @Override - public String getDefaultCredentialName() { - return IdentityZoneHolder.getSamlSPKeyManager().getDefaultCredentialName(); - } - - @Override - public Set getAvailableCredentials() { - return IdentityZoneHolder.getSamlSPKeyManager().getAvailableCredentials(); - } - - @Override - public X509Certificate getCertificate(String alias) { - return IdentityZoneHolder.getSamlSPKeyManager().getCertificate(alias); - } - - @Override - public Iterable resolve(CriteriaSet criteria) throws SecurityException { - return IdentityZoneHolder.getSamlSPKeyManager().resolve(criteria); - } - - @Override - public Credential resolveSingle(CriteriaSet criteria) throws SecurityException { - return IdentityZoneHolder.getSamlSPKeyManager().resolveSingle(criteria); - } +public class ZoneAwareKeyManager /* implements KeyManager */ { +// @Override +// public Credential getCredential(String keyName) { +// return IdentityZoneHolder.getSamlSPKeyManager().getCredential(keyName); +// } +// +// @Override +// public Credential getDefaultCredential() { +// return IdentityZoneHolder.getSamlSPKeyManager().getDefaultCredential(); +// } +// +// @Override +// public String getDefaultCredentialName() { +// return IdentityZoneHolder.getSamlSPKeyManager().getDefaultCredentialName(); +// } +// +// @Override +// public Set getAvailableCredentials() { +// return IdentityZoneHolder.getSamlSPKeyManager().getAvailableCredentials(); +// } +// +// @Override +// public X509Certificate getCertificate(String alias) { +// return 
IdentityZoneHolder.getSamlSPKeyManager().getCertificate(alias); +// } +// +// @Override +// public Iterable resolve(CriteriaSet criteria) throws SecurityException { +// return IdentityZoneHolder.getSamlSPKeyManager().resolve(criteria); +// } +// +// @Override +// public Credential resolveSingle(CriteriaSet criteria) throws SecurityException { +// return IdentityZoneHolder.getSamlSPKeyManager().resolveSingle(criteria); +// } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataDisplayFilter.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataDisplayFilter.java index 81cdc225236..6805e6a3b86 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataDisplayFilter.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataDisplayFilter.java @@ -15,10 +15,10 @@ package org.cloudfoundry.identity.uaa.provider.saml; import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.xml.io.MarshallingException; -import org.springframework.security.saml.metadata.MetadataDisplayFilter; -import org.springframework.security.saml.metadata.MetadataGenerator; +//import org.opensaml.saml2.metadata.EntityDescriptor; +//import org.opensaml.xml.io.MarshallingException; +//import org.springframework.security.saml.metadata.MetadataDisplayFilter; +//import org.springframework.security.saml.metadata.MetadataGenerator; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; 
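Review bot: `ZoneAwareKeyManager` is still registered as `@Component("zoneAwareSamlSpKeyManager")` with `@DependsOn("identityZoneHolderInitializer")` but no longer implements `KeyManager` and has no members, so the container now publishes an inert bean under the name the SP key manager used to have; anything that still wires it by name gets an object with no behaviour instead of a startup failure. Either drop the `@Component` until the replacement exists or add a class comment stating the bean is intentionally empty, and remove the now-unused `java.security.cert.X509Certificate` import. The per-call delegation to `IdentityZoneHolder.getSamlSPKeyManager()` that every removed method performed is what made the SP signing key zone-specific; the replacement needs the same per-request zone lookup rather than a single key resolved at wiring time.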
@@ -26,40 +26,40 @@ import java.io.IOException; import java.io.PrintWriter; -public class ZoneAwareMetadataDisplayFilter extends MetadataDisplayFilter { +public class ZoneAwareMetadataDisplayFilter /* extends MetadataDisplayFilter */ { - protected final MetadataGenerator generator; +// protected final MetadataGenerator generator; - public ZoneAwareMetadataDisplayFilter(MetadataGenerator generator) { - this.generator = generator; - } +// public ZoneAwareMetadataDisplayFilter(MetadataGenerator generator) { +// this.generator = generator; +// } +// +// public MetadataGenerator getGenerator() { +// return generator; +// } - public MetadataGenerator getGenerator() { - return generator; - } +// @Override +// protected void processMetadataDisplay(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { +// super.processMetadataDisplay(request, response); +// response.setHeader("Content-Disposition", String.format("attachment; filename=\"saml-%ssp.xml\"", +// !IdentityZoneHolder.isUaa() ? IdentityZoneHolder.get().getSubdomain() + "-" : "")); +// } - @Override - protected void processMetadataDisplay(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - super.processMetadataDisplay(request, response); - response.setHeader("Content-Disposition", String.format("attachment; filename=\"saml-%ssp.xml\"", - !IdentityZoneHolder.isUaa() ? 
IdentityZoneHolder.get().getSubdomain() + "-" : "")); - } - - @Override - protected void displayMetadata(String spEntityName, PrintWriter writer) throws ServletException { - try { - EntityDescriptor descriptor = getGenerator().generateMetadata(); - if (descriptor == null) { - throw new ServletException("Metadata entity with ID " + manager.getHostedSPName() + " wasn't found"); - } else { - writer.print(getMetadataAsString(descriptor)); - } - } catch (MarshallingException e) { - log.error("Error marshalling entity descriptor", e); - throw new ServletException(e); - } catch (Exception e) { - log.error("Error retrieving metadata", e); - throw new ServletException("Error retrieving metadata", e); - } - } +// @Override +// protected void displayMetadata(String spEntityName, PrintWriter writer) throws ServletException { +// try { +// EntityDescriptor descriptor = getGenerator().generateMetadata(); +// if (descriptor == null) { +// throw new ServletException("Metadata entity with ID " + manager.getHostedSPName() + " wasn't found"); +// } else { +// writer.print(getMetadataAsString(descriptor)); +// } +// } catch (MarshallingException e) { +// log.error("Error marshalling entity descriptor", e); +// throw new ServletException(e); +// } catch (Exception e) { +// log.error("Error retrieving metadata", e); +// throw new ServletException("Error retrieving metadata", e); +// } +// } } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGenerator.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGenerator.java index b27cc165470..b014e5dd696 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGenerator.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGenerator.java 
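Review bot: The only constructor was commented out, so `ZoneAwareMetadataDisplayFilter` now has an implicit no-arg constructor and no longer extends `MetadataDisplayFilter`, i.e. it is no longer a servlet filter at all; if login-ui.xml still declares this bean with a `constructor-arg` for the generator or places it in a filter chain, the context will fail to start. The login-ui.xml hunk at the end of this diff is not readable in this view, so please confirm it was updated. The `ServletException`, `HttpServletRequest`, `IOException` and `PrintWriter` imports kept in the hunk above are now unused.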
@@ -17,71 +17,71 @@ import org.cloudfoundry.identity.uaa.zone.IdentityZone; import org.cloudfoundry.identity.uaa.zone.IdentityZoneConfiguration; import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.xml.security.credential.UsageType; -import org.springframework.security.saml.key.KeyManager; -import org.springframework.security.saml.metadata.ExtendedMetadata; -import org.springframework.security.saml.metadata.MetadataGenerator; -import org.springframework.security.saml.util.SAMLUtil; +//import org.opensaml.saml2.metadata.EntityDescriptor; +//import org.opensaml.saml2.metadata.SPSSODescriptor; +//import org.opensaml.xml.security.credential.UsageType; +//import org.springframework.security.saml.key.KeyManager; +//import org.springframework.security.saml.metadata.ExtendedMetadata; +//import org.springframework.security.saml.metadata.MetadataGenerator; +//import org.springframework.security.saml.util.SAMLUtil; import java.util.Collection; import java.util.Collections; import java.util.HashSet; import java.util.Set; -public class ZoneAwareMetadataGenerator extends MetadataGenerator { - - @Override - public ExtendedMetadata generateExtendedMetadata() { - ExtendedMetadata metadata = super.generateExtendedMetadata(); - metadata.setAlias(UaaUrlUtils.getSubdomain(IdentityZoneHolder.get().getSubdomain())+metadata.getAlias()); - return metadata; - } - - @Override - public String getEntityId() { - if (!IdentityZoneHolder.isUaa()) { - String url = getZoneDefinition().getSamlConfig().getEntityID(); - if (url != null) { - return url; - } - } - - String entityId = super.getEntityId(); - - if (UaaUrlUtils.isUrl(entityId)) { - return UaaUrlUtils.addSubdomainToUrl(entityId, IdentityZoneHolder.get().getSubdomain()); - } else { - return UaaUrlUtils.getSubdomain(IdentityZoneHolder.get().getSubdomain()) + entityId; - } - } - - @Override - public String 
getEntityBaseURL() { - return UaaUrlUtils.addSubdomainToUrl(super.getEntityBaseURL(), IdentityZoneHolder.get().getSubdomain()); - } - - @Override - protected String getEntityAlias() { - return UaaUrlUtils.getSubdomain(IdentityZoneHolder.get().getSubdomain()) + super.getEntityAlias(); - } - - @Override - public boolean isRequestSigned() { - if (!IdentityZoneHolder.isUaa()) { - return getZoneDefinition().getSamlConfig().isRequestSigned(); - } - return super.isRequestSigned(); - } - - @Override - public boolean isWantAssertionSigned() { - if (!IdentityZoneHolder.isUaa()) { - return getZoneDefinition().getSamlConfig().isWantAssertionSigned(); - } - return super.isWantAssertionSigned(); - } +public class ZoneAwareMetadataGenerator /* extends MetadataGenerator */ { + +// @Override +// public ExtendedMetadata generateExtendedMetadata() { +// ExtendedMetadata metadata = super.generateExtendedMetadata(); +// metadata.setAlias(UaaUrlUtils.getSubdomain(IdentityZoneHolder.get().getSubdomain())+metadata.getAlias()); +// return metadata; +// } + +// @Override +// public String getEntityId() { +// if (!IdentityZoneHolder.isUaa()) { +// String url = getZoneDefinition().getSamlConfig().getEntityID(); +// if (url != null) { +// return url; +// } +// } +// +// String entityId = super.getEntityId(); +// +// if (UaaUrlUtils.isUrl(entityId)) { +// return UaaUrlUtils.addSubdomainToUrl(entityId, IdentityZoneHolder.get().getSubdomain()); +// } else { +// return UaaUrlUtils.getSubdomain(IdentityZoneHolder.get().getSubdomain()) + entityId; +// } +// } + +// @Override +// public String getEntityBaseURL() { +// return UaaUrlUtils.addSubdomainToUrl(super.getEntityBaseURL(), IdentityZoneHolder.get().getSubdomain()); +// } + +// @Override +// protected String getEntityAlias() { +// return UaaUrlUtils.getSubdomain(IdentityZoneHolder.get().getSubdomain()) + super.getEntityAlias(); +// } + +// @Override +// public boolean isRequestSigned() { +// if (!IdentityZoneHolder.isUaa()) { +// return 
getZoneDefinition().getSamlConfig().isRequestSigned(); +// } +// return super.isRequestSigned(); +// } + +// @Override +// public boolean isWantAssertionSigned() { +// if (!IdentityZoneHolder.isUaa()) { +// return getZoneDefinition().getSamlConfig().isWantAssertionSigned(); +// } +// return super.isWantAssertionSigned(); +// } protected IdentityZoneConfiguration getZoneDefinition() { IdentityZone zone = IdentityZoneHolder.get(); 
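Review bot: The overrides removed here are where the SP's signing posture was made per-zone: `isRequestSigned` and `isWantAssertionSigned` consulted the zone's `SamlConfig` for non-UAA zones, and `getEntityId` returned the zone's configured entityID before falling back to the subdomain-prefixed default. The surviving `getZoneDefinition()` (which continues past the hunk) appears to have no live caller in the visible code once those overrides are gone, and the `java.util.HashSet` and `java.util.Set` imports look unused now. A class comment, e.g. `// TODO(saml-migration): metadata generation must keep the per-zone lookup of entityID, requestSigned and wantAssertionSigned via getZoneDefinition()`, would stop that requirement from being lost when the class is rebuilt.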
@@ -89,43 +89,43 @@ protected IdentityZoneConfiguration getZoneDefinition() { return definition!=null ? definition : new IdentityZoneConfiguration(); } - @Override - public EntityDescriptor generateMetadata() { - EntityDescriptor result = super.generateMetadata(); - result.setID(SAMLUtil.getNCNameString(result.getEntityID())); - return result; - } - - @Override - protected SPSSODescriptor buildSPSSODescriptor(String entityBaseURL, String entityAlias, boolean requestSigned, boolean wantAssertionSigned, Collection includedNameID) { - SPSSODescriptor result = super.buildSPSSODescriptor(entityBaseURL, entityAlias, requestSigned, wantAssertionSigned, includedNameID); - - //metadata should not contain inactive keys - KeyManager samlSPKeyManager = IdentityZoneHolder.getSamlSPKeyManager(); - if (samlSPKeyManager != null && samlSPKeyManager.getAvailableCredentials()!=null) { - Set allKeyAliases = new HashSet(samlSPKeyManager.getAvailableCredentials()); - String activeKeyAlias = samlSPKeyManager.getDefaultCredentialName(); - allKeyAliases.remove(activeKeyAlias); - for (String keyAlias : allKeyAliases) { - result.getKeyDescriptors().add(getKeyDescriptor(UsageType.SIGNING, getServerKeyInfo(keyAlias))); - } - }//add inactive keys as signing verification keys - - int index = result.getAssertionConsumerServices().size(); - result.getAssertionConsumerServices() - .add( - getAssertionConsumerService( - getEntityBaseURL(), - getEntityAlias(), - false, - index, - "/oauth/token", - "urn:oasis:names:tc:SAML:2.0:bindings:URI" - )); - return result; - } - - @Override +// @Override +// public EntityDescriptor generateMetadata() { +// EntityDescriptor result = super.generateMetadata(); +// result.setID(SAMLUtil.getNCNameString(result.getEntityID())); +// return result; +// } + +// @Override +// protected SPSSODescriptor buildSPSSODescriptor(String entityBaseURL, String entityAlias, boolean requestSigned, boolean wantAssertionSigned, Collection includedNameID) { +// SPSSODescriptor result = 
super.buildSPSSODescriptor(entityBaseURL, entityAlias, requestSigned, wantAssertionSigned, includedNameID); +// +// //metadata should not contain inactive keys +// KeyManager samlSPKeyManager = IdentityZoneHolder.getSamlSPKeyManager(); +// if (samlSPKeyManager != null && samlSPKeyManager.getAvailableCredentials()!=null) { +// Set allKeyAliases = new HashSet(samlSPKeyManager.getAvailableCredentials()); +// String activeKeyAlias = samlSPKeyManager.getDefaultCredentialName(); +// allKeyAliases.remove(activeKeyAlias); +// for (String keyAlias : allKeyAliases) { +// result.getKeyDescriptors().add(getKeyDescriptor(UsageType.SIGNING, getServerKeyInfo(keyAlias))); +// } +// }//add inactive keys as signing verification keys +// +// int index = result.getAssertionConsumerServices().size(); +// result.getAssertionConsumerServices() +// .add( +// getAssertionConsumerService( +// getEntityBaseURL(), +// getEntityAlias(), +// false, +// index, +// "/oauth/token", +// "urn:oasis:names:tc:SAML:2.0:bindings:URI" +// )); +// return result; +// } + +// @Override public Collection getBindingsSSO() { return Collections.singleton("post"); } diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneHolder.java b/server/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneHolder.java index 5efed55ac6b..9c3536760c3 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneHolder.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneHolder.java @@ -1,7 +1,7 @@ package org.cloudfoundry.identity.uaa.zone; import org.cloudfoundry.identity.uaa.provider.saml.SamlKeyManagerFactory; -import org.springframework.security.saml.key.KeyManager; +//import org.springframework.security.saml.key.KeyManager; /** * @Deprecated Use {@link org.cloudfoundry.identity.uaa.zone.beans.IdentityZoneManager} instead 
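Review bot: `getBindingsSSO()` stays live but its `@Override` is commented out, and since the class no longer has a superclass it is now an ordinary public method that nothing in the visible code calls; either delete it with the rest or note why it is kept. The removed `buildSPSSODescriptor` carried two behaviours worth recording explicitly: it published every non-active key from the SP key manager as an extra SIGNING KeyDescriptor so IdPs keep validating UAA signatures across a key rotation (the inline comment `//metadata should not contain inactive keys` says the opposite of what the loop did), and it added the `/oauth/token` AssertionConsumerService with the `urn:oasis:names:tc:SAML:2.0:bindings:URI` binding. A note next to `getBindingsSSO`, such as `// TODO(saml-migration): re-publish inactive signing keys in SP metadata for key rotation and re-add the /oauth/token URI-binding ACS`, carries both forward.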
@@ -24,24 +24,22 @@ public static IdentityZone get() { return IDENTITY_ZONE_THREAD_LOCAL.get(); } - private static final ThreadLocal KEY_MANAGER_THREAD_LOCAL = InheritableThreadLocal.withInitial(() -> null); - - public static KeyManager getSamlSPKeyManager() { - KeyManager keyManager = KEY_MANAGER_THREAD_LOCAL.get(); - if (keyManager != null) { - return keyManager; - } - - keyManager = samlKeyManagerFactory.getKeyManager(IDENTITY_ZONE_THREAD_LOCAL.get().getConfig().getSamlConfig()); - if (keyManager != null) { - KEY_MANAGER_THREAD_LOCAL.set(keyManager); - return keyManager; - } - - keyManager = samlKeyManagerFactory.getKeyManager(getUaaZone(provisioning).getConfig().getSamlConfig()); - KEY_MANAGER_THREAD_LOCAL.set(keyManager); - return keyManager; - } +// public static KeyManager getSamlSPKeyManager() { +// KeyManager keyManager = KEY_MANAGER_THREAD_LOCAL.get(); +// if (keyManager != null) { +// return keyManager; +// } +// +// keyManager = samlKeyManagerFactory.getKeyManager(IDENTITY_ZONE_THREAD_LOCAL.get().getConfig().getSamlConfig()); +// if (keyManager != null) { +// KEY_MANAGER_THREAD_LOCAL.set(keyManager); +// return keyManager; +// } +// +// keyManager = samlKeyManagerFactory.getKeyManager(getUaaZone(provisioning).getConfig().getSamlConfig()); +// KEY_MANAGER_THREAD_LOCAL.set(keyManager); +// return keyManager; +// } public static IdentityZone getUaaZone() { return getUaaZone(provisioning); @@ -56,12 +54,12 @@ private static IdentityZone getUaaZone(IdentityZoneProvisioning provisioning) { public static void set(IdentityZone zone) { IDENTITY_ZONE_THREAD_LOCAL.set(zone); - KEY_MANAGER_THREAD_LOCAL.set(null); +// KEY_MANAGER_THREAD_LOCAL.set(null); } public static void clear() { IDENTITY_ZONE_THREAD_LOCAL.remove(); - KEY_MANAGER_THREAD_LOCAL.remove(); +// KEY_MANAGER_THREAD_LOCAL.remove(); } public static boolean isUaa() { 
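Review bot: `getSamlSPKeyManager()` is commented out in the `@@ -24` hunk, and its lookup order — the current zone's `SamlConfig` first, then the UAA zone's via `getUaaZone(provisioning)` — is a contract the zone-aware SAML code relied on, so it deserves a written note rather than dead code. `KEY_MANAGER_THREAD_LOCAL` itself is deleted outright, yet its `set(null)` and `remove()` calls in `set()` and `clear()` (the `@@ -56` hunk) are merely commented, which is inconsistent within one file. Suggest deleting those two comment lines and replacing the commented method with `// TODO(saml-migration): per-zone SP key lookup with fallback to the UAA zone's SamlConfig lived here`. The `SamlKeyManagerFactory` import kept in the `@@ -1` hunk is presumably still needed by the remaining `samlKeyManagerFactory` field, but that field is outside these hunks.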
diff --git a/server/src/main/resources/spring/login-ui.xml b/server/src/main/resources/spring/login-ui.xml index 744205f1c15..afae468cc00 100644 --- a/server/src/main/resources/spring/login-ui.xml +++ b/server/src/main/resources/spring/login-ui.xml @@ -143,7 +143,7 @@ - + @@ -224,9 +224,10 @@ + httpsHeaderFilter"/> + + + @@ -258,9 +259,9 @@ - + - + - + diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/BackwardsCompatibleTokenEndpointAuthenticationFilterTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/BackwardsCompatibleTokenEndpointAuthenticationFilterTest.java index 7937520f3a2..a3a48ec6fd4 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/BackwardsCompatibleTokenEndpointAuthenticationFilterTest.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/BackwardsCompatibleTokenEndpointAuthenticationFilterTest.java @@ -36,7 +36,7 @@ import org.springframework.security.oauth2.provider.OAuth2Authentication; import org.springframework.security.oauth2.provider.OAuth2Request; import org.springframework.security.oauth2.provider.OAuth2RequestFactory; -import org.springframework.security.saml.SAMLProcessingFilter; +//import org.springframework.security.saml.SAMLProcessingFilter; import org.springframework.security.web.AuthenticationEntryPoint; import javax.servlet.FilterChain; @@ -53,6 +53,7 @@ import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.anyMap; import static org.mockito.ArgumentMatchers.same; 
@@ -70,7 +71,7 @@ public class BackwardsCompatibleTokenEndpointAuthenticationFilterTest { private AuthenticationManager passwordAuthManager; private OAuth2RequestFactory requestFactory; - private SAMLProcessingFilter samlAuthFilter; +// private SAMLProcessingFilter samlAuthFilter; private ExternalOAuthAuthenticationManager externalOAuthAuthenticationManager; private BackwardsCompatibleTokenEndpointAuthenticationFilter filter; private MockHttpServletRequest request; @@ -84,14 +85,14 @@ public void setUp() { passwordAuthManager = mock(AuthenticationManager.class); requestFactory = mock(OAuth2RequestFactory.class); - samlAuthFilter = mock(SAMLProcessingFilter.class); +// samlAuthFilter = mock(SAMLProcessingFilter.class); externalOAuthAuthenticationManager = mock(ExternalOAuthAuthenticationManager.class); filter = spy( new BackwardsCompatibleTokenEndpointAuthenticationFilter( passwordAuthManager, requestFactory, - samlAuthFilter, +// samlAuthFilter, externalOAuthAuthenticationManager ) ); 
@@ -173,28 +174,30 @@ public void attempt_password_authentication_with_details() throws Exception { @Test public void attempt_saml_assertion_authentication() throws Exception { - request.addParameter(GRANT_TYPE, GRANT_TYPE_SAML2_BEARER); - request.addParameter("assertion", "saml-assertion-value-here"); - filter.doFilter(request, response, chain); - verify(filter, times(1)).attemptTokenAuthentication(same(request), same(response)); - verify(samlAuthFilter, times(1)).attemptAuthentication(same(request), same(response)); - verifyNoInteractions(passwordAuthManager); - verifyNoInteractions(externalOAuthAuthenticationManager); + fail(); +// request.addParameter(GRANT_TYPE, GRANT_TYPE_SAML2_BEARER); +// request.addParameter("assertion", "saml-assertion-value-here"); +// filter.doFilter(request, response, chain); +// verify(filter, times(1)).attemptTokenAuthentication(same(request), same(response)); +// verify(samlAuthFilter, times(1)).attemptAuthentication(same(request), same(response)); +// verifyNoInteractions(passwordAuthManager); +// verifyNoInteractions(externalOAuthAuthenticationManager); } @Test public void saml_assertion_missing() throws Exception { - request.addParameter(GRANT_TYPE, GRANT_TYPE_SAML2_BEARER); - filter.doFilter(request, response, chain); - verify(filter, times(1)).attemptTokenAuthentication(same(request), same(response)); - verifyNoInteractions(externalOAuthAuthenticationManager); - verifyNoInteractions(passwordAuthManager); - verifyNoInteractions(externalOAuthAuthenticationManager); - ArgumentCaptor exceptionArgumentCaptor = ArgumentCaptor.forClass(AuthenticationException.class); - verify(entryPoint, times(1)).commence(same(request), same(response), exceptionArgumentCaptor.capture()); - assertNotNull(exceptionArgumentCaptor.getValue()); - assertEquals("SAML Assertion is missing", exceptionArgumentCaptor.getValue().getMessage()); - assertTrue(exceptionArgumentCaptor.getValue() instanceof InsufficientAuthenticationException); + fail(); +// 
request.addParameter(GRANT_TYPE, GRANT_TYPE_SAML2_BEARER); +// filter.doFilter(request, response, chain); +// verify(filter, times(1)).attemptTokenAuthentication(same(request), same(response)); +// verifyNoInteractions(externalOAuthAuthenticationManager); +// verifyNoInteractions(passwordAuthManager); +// verifyNoInteractions(externalOAuthAuthenticationManager); +// ArgumentCaptor exceptionArgumentCaptor = ArgumentCaptor.forClass(AuthenticationException.class); +// verify(entryPoint, times(1)).commence(same(request), same(response), exceptionArgumentCaptor.capture()); +// assertNotNull(exceptionArgumentCaptor.getValue()); +// assertEquals("SAML Assertion is missing", exceptionArgumentCaptor.getValue().getMessage()); +// assertTrue(exceptionArgumentCaptor.getValue() instanceof InsufficientAuthenticationException); } @Test diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/SamlAssertionBindingTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/SamlAssertionBindingTests.java index d36f3a4ce60..cd4f5302e5b 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/SamlAssertionBindingTests.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/SamlAssertionBindingTests.java @@ -17,8 +17,8 @@ import org.junit.Before; import org.junit.Test; -import org.opensaml.ws.transport.http.HTTPInTransport; -import org.opensaml.xml.parse.BasicParserPool; +//import org.opensaml.ws.transport.http.HTTPInTransport; +//import org.opensaml.xml.parse.BasicParserPool; import static org.junit.Assert.*; import static org.mockito.Mockito.mock; 
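Review bot: `saml_assertion_missing` and `attempt_saml_assertion_authentication` are reduced to a bare `fail()`, which removes this file's only coverage of what `BackwardsCompatibleTokenEndpointAuthenticationFilter` does with a `GRANT_TYPE_SAML2_BEARER` request now that the `samlAuthFilter` collaborator is gone from its constructor (the `@@ -84` hunk). From a fail-closed standpoint it matters whether that grant type is now rejected through `entryPoint.commence(...)` with an `InsufficientAuthenticationException` or silently falls through to the next branch; the filter change itself is not in this hunk, so I cannot tell which. Suggest a stub that states the expectation until the replacement lands, e.g. `fail("saml2-bearer grant handling pending SAML extension replacement; must reject when no assertion is present");`, matching the descriptive messages used in HomeControllerViewTests rather than the bare `fail()` used here and in SamlAssertionBindingTests and SamlLoginServerKeyManagerTests.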
@@ -33,24 +33,26 @@ public class SamlAssertionBindingTests { @Before public void setUp() { - binding = new SamlAssertionBinding(new BasicParserPool()); +// binding = new SamlAssertionBinding(new BasicParserPool()); } @Test public void supports() { - HTTPInTransport transport = mock(HTTPInTransport.class); - assertFalse(binding.supports(transport)); - - when(transport.getHTTPMethod()).thenReturn("POST"); - assertFalse(binding.supports(transport)); - - when(transport.getParameterValue("assertion")).thenReturn("some assertion"); - assertTrue(binding.supports(transport)); + fail(); +// HTTPInTransport transport = mock(HTTPInTransport.class); +// assertFalse(binding.supports(transport)); +// +// when(transport.getHTTPMethod()).thenReturn("POST"); +// assertFalse(binding.supports(transport)); +// +// when(transport.getParameterValue("assertion")).thenReturn("some assertion"); +// assertTrue(binding.supports(transport)); } @Test public void getBindingURI() { - assertEquals("urn:oasis:names:tc:SAML:2.0:bindings:URI", binding.getBindingURI()); + fail(); +// assertEquals("urn:oasis:names:tc:SAML:2.0:bindings:URI", binding.getBindingURI()); } } \ No newline at end of file diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/SamlResponseLoggerBindingTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/SamlResponseLoggerBindingTest.java index 323f048ddc5..1a6305ab4d9 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/SamlResponseLoggerBindingTest.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/SamlResponseLoggerBindingTest.java 
@@ -7,8 +7,8 @@ import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; -import org.opensaml.ws.transport.InputStreamInTransportAdapter; -import org.opensaml.ws.transport.http.HttpServletRequestAdapter; +//import org.opensaml.ws.transport.InputStreamInTransportAdapter; +//import org.opensaml.ws.transport.http.HttpServletRequestAdapter; import org.slf4j.LoggerFactory; import javax.servlet.http.HttpServletRequest; @@ -20,6 +20,7 @@ import static org.apache.logging.log4j.Level.DEBUG; import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.core.Is.is; +import static org.junit.Assert.fail; import static org.junit.jupiter.api.Assertions.assertDoesNotThrow; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; 
@@ -50,44 +51,45 @@ void xVcapRequestId() { @Test void doesNotFailWithSomethingOtherThanHttpServletRequestAdapter() { - InputStreamInTransportAdapter inputStreamInTransportAdapter = new InputStreamInTransportAdapter(null); - - assertDoesNotThrow(() -> samlResponseLoggerBinding.supports(inputStreamInTransportAdapter)); - } - - @Test - void doesNotFailWithNullServletRequest() { - HttpServletRequestAdapter httpServletRequestAdapter = new HttpServletRequestAdapter(null); - - Configurator.setRootLevel(DEBUG); - - assertDoesNotThrow(() -> samlResponseLoggerBinding.supports(httpServletRequestAdapter)); + fail(); +// InputStreamInTransportAdapter inputStreamInTransportAdapter = new InputStreamInTransportAdapter(null); +// +// assertDoesNotThrow(() -> samlResponseLoggerBinding.supports(inputStreamInTransportAdapter)); } - @Test - void doesNotFailWithNullParameterMap() { - HttpServletRequest mockHttpServletRequest = mock(HttpServletRequest.class); - when(mockHttpServletRequest.getParameterMap()).thenReturn(null); - HttpServletRequestAdapter httpServletRequestAdapter = new HttpServletRequestAdapter(mockHttpServletRequest); - - Configurator.setRootLevel(DEBUG); - - assertDoesNotThrow(() -> samlResponseLoggerBinding.supports(httpServletRequestAdapter)); - } - - @Test - void doesNotFailWithNullParameter() { - HttpServletRequest mockHttpServletRequest = mock(HttpServletRequest.class); - Map parameters = new HashMap<>(); - parameters.put(null, null); - parameters.put("key1", null); - parameters.put("key2", new String[]{null}); - parameters.put("key3", new String[]{"value", null}); - when(mockHttpServletRequest.getParameterMap()).thenReturn(parameters); - HttpServletRequestAdapter httpServletRequestAdapter = new HttpServletRequestAdapter(mockHttpServletRequest); - - Configurator.setRootLevel(DEBUG); - - assertDoesNotThrow(() -> samlResponseLoggerBinding.supports(httpServletRequestAdapter)); - } +// @Test +// void doesNotFailWithNullServletRequest() { +// HttpServletRequestAdapter 
httpServletRequestAdapter = new HttpServletRequestAdapter(null); +// +// Configurator.setRootLevel(DEBUG); +// +// assertDoesNotThrow(() -> samlResponseLoggerBinding.supports(httpServletRequestAdapter)); +// } +// +// @Test +// void doesNotFailWithNullParameterMap() { +// HttpServletRequest mockHttpServletRequest = mock(HttpServletRequest.class); +// when(mockHttpServletRequest.getParameterMap()).thenReturn(null); +// HttpServletRequestAdapter httpServletRequestAdapter = new HttpServletRequestAdapter(mockHttpServletRequest); +// +// Configurator.setRootLevel(DEBUG); +// +// assertDoesNotThrow(() -> samlResponseLoggerBinding.supports(httpServletRequestAdapter)); +// } +// +// @Test +// void doesNotFailWithNullParameter() { +// HttpServletRequest mockHttpServletRequest = mock(HttpServletRequest.class); +// Map parameters = new HashMap<>(); +// parameters.put(null, null); +// parameters.put("key1", null); +// parameters.put("key2", new String[]{null}); +// parameters.put("key3", new String[]{"value", null}); +// when(mockHttpServletRequest.getParameterMap()).thenReturn(parameters); +// HttpServletRequestAdapter httpServletRequestAdapter = new HttpServletRequestAdapter(mockHttpServletRequest); +// +// Configurator.setRootLevel(DEBUG); +// +// assertDoesNotThrow(() -> samlResponseLoggerBinding.supports(httpServletRequestAdapter)); +// } } diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/login/HomeControllerViewTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/login/HomeControllerViewTests.java index 574a06577be..8d29cc50c34 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/login/HomeControllerViewTests.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/login/HomeControllerViewTests.java 
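Review bot: `doesNotFailWithNullServletRequest`, `doesNotFailWithNullParameterMap` and `doesNotFailWithNullParameter` are commented out wholesale, so unlike every other test touched in this diff they leave no failing stub; the regressions they guarded (a null request, a null parameter map, null keys and null array elements reaching the logger) will be invisible when SamlResponseLoggerBinding is reimplemented. Those are exactly the inputs a malformed SAML POST can produce, and the logger's robustness to them was evidently worth four tests before. Suggest keeping each `@Test` with a one-line body such as `fail("SamlResponseLoggerBinding null-handling pending SAML extension replacement");` so the gap stays visible, and deleting the commented bodies since git history keeps them.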
@@ -13,8 +13,8 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.ValueSource; -import org.opensaml.common.SAMLException; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; +//import org.opensaml.common.SAMLException; +//import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Import; @@ -42,6 +42,7 @@ import static org.hamcrest.CoreMatchers.containsString; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.fail; import static org.mockito.ArgumentMatchers.anyString; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; 
@@ -173,18 +174,20 @@ void error500WithGenericException() throws Exception { @Test void error500WithSAMLExceptionAsCause() throws Exception { - mockMvc.perform(get("/error500").requestAttr("javax.servlet.error.exception", new Exception(new SAMLException("bad")))) - .andExpect(status().isBadRequest()) - .andExpect(content().string(containsString(customFooterText))) - .andExpect(content().string(containsString(base64ProductLogo))); + fail("dependency on SAMLException"); +// mockMvc.perform(get("/error500").requestAttr("javax.servlet.error.exception", new Exception(new SAMLException("bad")))) +// .andExpect(status().isBadRequest()) +// .andExpect(content().string(containsString(customFooterText))) +// .andExpect(content().string(containsString(base64ProductLogo))); } @Test void error500WithMetadataProviderExceptionCause() throws Exception { - mockMvc.perform(get("/error500").requestAttr("javax.servlet.error.exception", new Exception(new MetadataProviderException("bad")))) - .andExpect(status().isBadRequest()) - .andExpect(content().string(containsString(customFooterText))) - .andExpect(content().string(containsString(base64ProductLogo))); + fail("dependency on MetadataProviderException"); +// mockMvc.perform(get("/error500").requestAttr("javax.servlet.error.exception", new Exception(new MetadataProviderException("bad")))) +// .andExpect(status().isBadRequest()) +// .andExpect(content().string(containsString(customFooterText))) +// .andExpect(content().string(containsString(base64ProductLogo))); } @ParameterizedTest diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java index 14c8887d9ee..665931cbd46 100755 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/login/LoginInfoEndpointTests.java 
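Review bot: The `fail("dependency on SAMLException")` and `fail("dependency on MetadataProviderException")` messages name the missing type but not the behaviour these tests pinned: a SAML processing failure surfaced through `javax.servlet.error.exception` on `/error500` was answered with `status().isBadRequest()`, i.e. classified as bad client input rather than a server fault. That 4xx-vs-5xx mapping presumably lives in HomeController, which is not in this hunk, and it is easy to lose when the exception types are swapped for the replacement stack's. Suggest extending the messages so the contract travels with the stub, e.g. `fail("dependency on SAMLException: /error500 must still answer 400 for SAML processing failures");`.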
@@ -77,12 +77,7 @@ import static org.hamcrest.Matchers.not; import static org.hamcrest.Matchers.notNullValue; import static org.hamcrest.Matchers.startsWith; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertNull; -import static org.junit.Assert.assertThat; -import static org.junit.Assert.assertTrue; +import static org.junit.Assert.*; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.anyBoolean; diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/login/SamlLoginServerKeyManagerTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/login/SamlLoginServerKeyManagerTests.java index fd1e6de73d8..9f9d6bcf70e 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/login/SamlLoginServerKeyManagerTests.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/login/SamlLoginServerKeyManagerTests.java @@ -17,14 +17,15 @@ import org.junit.Assert; import org.junit.BeforeClass; import org.junit.Test; -import org.opensaml.xml.security.credential.Credential; -import org.springframework.security.saml.key.KeyManager; +//import org.opensaml.xml.security.credential.Credential; +//import org.springframework.security.saml.key.KeyManager; import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.fail; public class SamlLoginServerKeyManagerTests { - private KeyManager keyManager = null; +// private KeyManager keyManager = null; public static final String KEY = "-----BEGIN RSA PRIVATE KEY-----\n" + "Proc-Type: 4,ENCRYPTED\n" + "DEK-Info: DES-EDE3-CBC,5771044F3450A262\n" + 
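Review bot: The six explicit `org.junit.Assert` static imports are collapsed into `import static org.junit.Assert.*;`, presumably only to bring `fail` into scope; an on-demand static import of JUnit 4's `Assert` next to the single import of `org.junit.jupiter.api.Assertions.assertThrows` leaves the file mixing two assertion APIs, and if the project is on JUnit 4.13+ the library's own `Assert.assertThrows` is hidden only by the rule that a single static import shadows an on-demand one. The other test files in this diff (BackwardsCompatibleTokenEndpointAuthenticationFilterTest, SamlResponseLoggerBindingTest, SamlLoginServerKeyManagerTests) add `import static org.junit.Assert.fail;` explicitly; do the same here and keep the six existing lines.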
@@ -64,269 +65,275 @@ public static void setUpBC() { @Test public void testWithWorkingCertificate() { + fail(); - SamlConfig config = new SamlConfig(); - config.setPrivateKey(KEY); - config.setPrivateKeyPassword(PASSWORD); - config.setCertificate(CERTIFICATE); - keyManager = new SamlKeyManagerFactory().getKeyManager(config); - Credential credential = keyManager.getDefaultCredential(); - assertNotNull(credential.getPrivateKey()); - assertNotNull(credential.getPublicKey()); - assertNotNull(credential); +// SamlConfig config = new SamlConfig(); +// config.setPrivateKey(KEY); +// config.setPrivateKeyPassword(PASSWORD); +// config.setCertificate(CERTIFICATE); +// keyManager = new SamlKeyManagerFactory().getKeyManager(config); +// Credential credential = keyManager.getDefaultCredential(); +// assertNotNull(credential.getPrivateKey()); +// assertNotNull(credential.getPublicKey()); +// assertNotNull(credential); } @Test(expected = IllegalArgumentException.class) - public void testWithWorkingCertificateInvalidPassword() { - String key = "-----BEGIN RSA PRIVATE KEY-----\n" + - "Proc-Type: 4,ENCRYPTED\n" + - "DEK-Info: DES-EDE3-CBC,5771044F3450A262\n" + - "\n" + - "VfRgIdzq/TUFdIwTOxochDs02sSQXA/Z6mRnffYTQMwXpQ5f5nRuqcY8zECGMaDe\n" + - "aLrndpWzGbxiePKgN5AxuIDYNnKMrDRgyCzaaPx66rb87oMwtuq1HM18qqs+yN5v\n" + - "CdsoS2uz57fCDI24BuJkIDSIeumLXc5MdN0HUeaxOVzmpbpsbBXjRYa24gW38mUh\n" + - "DzmOAsNDxfoSTox02Cj+GV024e+PiWR6AMA7RKhsKPf9F4ctWwozvEHrV8fzTy5B\n" + - "+KM361P7XwJYueiV/gMZW2DXSujNRBEVfC1CLaxDV3eVsFX5iIiUbc4JQYOM6oQ3\n" + - "KxGPImcRQPY0asKgEDIaWtysUuBoDSbfQ/FxGWeqwR6P/Vth4dXzVGheYLu1V1CU\n" + - "o6M+EXC/VUhERKwi13EgqXLKrDI352/HgEKG60EhM6xIJy9hLHy0UGjdHDcA+cF6\n" + - "NEl6E3CivddMHIPQWil5x4AMaevGa3v/gcZI0DN8t7L1g4fgjtSPYzvwmOxoxHGi\n" + - "7V7PdzaD4GWV75fv99sBlq2e0KK9crNUzs7vbFA/m6tgNA628SGhU1uAc/5xOskI\n" + - "0Ez6kjgHoh4U7t/fu7ey1MbFQt6byHY9lk27nW1ub/QMAaRJ+EDnrReB/NN6q5Vu\n" + - "h9eQNniNOeQfflzFyPB9omLNsVJkENn+lZNNrrlbn8OmJ0pT58Iaetfh79rDZPw9\n" + - 
"zmHVqmMynmecTWAcA9ATf7+lh+xV88JDjQkLcG/3WEXNH7HXKO00pUa8+JtyxbAb\n" + - "dAwGgrjJkbbk1qLLScOqY4mA5WXa5+80LMkCYO44vVTp2VKmnxj8Mw==\n" + - "-----END RSA PRIVATE KEY-----"; - String certificate = "-----BEGIN CERTIFICATE-----\n" + - "MIIB1TCCAT4CCQCpQCfJYT8ZJTANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDFCRz\n" + - "YW1sX2xvZ2luLE9VPXRlbXBlc3QsTz12bXdhcmUsTz1jb20wHhcNMTMwNzAyMDAw\n" + - "MzM3WhcNMTQwNzAyMDAwMzM3WjAvMS0wKwYDVQQDFCRzYW1sX2xvZ2luLE9VPXRl\n" + - "bXBlc3QsTz12bXdhcmUsTz1jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB\n" + - "ANK8mv+mUzhPH/8iTdMsZ6mY4r4At/GZIFS34L+/I0V2g6PkZ84VBgodqqV6Z6NY\n" + - "OSk0lcjrzU650zbES7yn4MjuvP0N5T9LydlvjOEzfA+uRETiy8d+DsS3rThRY+Ja\n" + - "dvmS0PswJ8cvHAksYmGNUWfTU+Roxcv0ZDqD+cUNi1+NAgMBAAEwDQYJKoZIhvcN\n" + - "AQEFBQADgYEAy54UVlZifk1PPdTg9OJuumdxgzZk3QEWZGjdJYEc134MeKKsIX50\n" + - "+6y5GDyXmxvJx33ySTZuRaaXClOuAtXRWpz0KlceujYuwboyUxhn46SUASD872nb\n" + - "cN0E1UrhDloFcftXEXudDL2S2cSQjsyxLNbBop63xq+U6MYG/uFe7GQ=\n" + - "-----END CERTIFICATE-----"; - String password = "vmware"; - - try { - SamlConfig config = new SamlConfig(); - config.setPrivateKey(key); - config.setPrivateKeyPassword(password); - config.setCertificate(certificate); - keyManager = new SamlKeyManagerFactory().getKeyManager(config); - Assert.fail("Password invalid. 
Should not reach this line."); - } catch (Exception x) { - if (x.getClass().getName().equals("org.bouncycastle.openssl.EncryptionException")) { - throw new IllegalArgumentException(x); - } else if (x.getClass().equals(IllegalArgumentException.class)) { - throw x; - } - } + public void tesotWithWorkingCertificateInvalidPassword() { + fail(); +// String key = "-----BEGIN RSA PRIVATE KEY-----\n" + +// "Proc-Type: 4,ENCRYPTED\n" + +// "DEK-Info: DES-EDE3-CBC,5771044F3450A262\n" + +// "\n" + +// "VfRgIdzq/TUFdIwTOxochDs02sSQXA/Z6mRnffYTQMwXpQ5f5nRuqcY8zECGMaDe\n" + +// "aLrndpWzGbxiePKgN5AxuIDYNnKMrDRgyCzaaPx66rb87oMwtuq1HM18qqs+yN5v\n" + +// "CdsoS2uz57fCDI24BuJkIDSIeumLXc5MdN0HUeaxOVzmpbpsbBXjRYa24gW38mUh\n" + +// "DzmOAsNDxfoSTox02Cj+GV024e+PiWR6AMA7RKhsKPf9F4ctWwozvEHrV8fzTy5B\n" + +// "+KM361P7XwJYueiV/gMZW2DXSujNRBEVfC1CLaxDV3eVsFX5iIiUbc4JQYOM6oQ3\n" + +// "KxGPImcRQPY0asKgEDIaWtysUuBoDSbfQ/FxGWeqwR6P/Vth4dXzVGheYLu1V1CU\n" + +// "o6M+EXC/VUhERKwi13EgqXLKrDI352/HgEKG60EhM6xIJy9hLHy0UGjdHDcA+cF6\n" + +// "NEl6E3CivddMHIPQWil5x4AMaevGa3v/gcZI0DN8t7L1g4fgjtSPYzvwmOxoxHGi\n" + +// "7V7PdzaD4GWV75fv99sBlq2e0KK9crNUzs7vbFA/m6tgNA628SGhU1uAc/5xOskI\n" + +// "0Ez6kjgHoh4U7t/fu7ey1MbFQt6byHY9lk27nW1ub/QMAaRJ+EDnrReB/NN6q5Vu\n" + +// "h9eQNniNOeQfflzFyPB9omLNsVJkENn+lZNNrrlbn8OmJ0pT58Iaetfh79rDZPw9\n" + +// "zmHVqmMynmecTWAcA9ATf7+lh+xV88JDjQkLcG/3WEXNH7HXKO00pUa8+JtyxbAb\n" + +// "dAwGgrjJkbbk1qLLScOqY4mA5WXa5+80LMkCYO44vVTp2VKmnxj8Mw==\n" + +// "-----END RSA PRIVATE KEY-----"; +// String certificate = "-----BEGIN CERTIFICATE-----\n" + +// "MIIB1TCCAT4CCQCpQCfJYT8ZJTANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDFCRz\n" + +// "YW1sX2xvZ2luLE9VPXRlbXBlc3QsTz12bXdhcmUsTz1jb20wHhcNMTMwNzAyMDAw\n" + +// "MzM3WhcNMTQwNzAyMDAwMzM3WjAvMS0wKwYDVQQDFCRzYW1sX2xvZ2luLE9VPXRl\n" + +// "bXBlc3QsTz12bXdhcmUsTz1jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB\n" + +// "ANK8mv+mUzhPH/8iTdMsZ6mY4r4At/GZIFS34L+/I0V2g6PkZ84VBgodqqV6Z6NY\n" + +// 
"OSk0lcjrzU650zbES7yn4MjuvP0N5T9LydlvjOEzfA+uRETiy8d+DsS3rThRY+Ja\n" + +// "dvmS0PswJ8cvHAksYmGNUWfTU+Roxcv0ZDqD+cUNi1+NAgMBAAEwDQYJKoZIhvcN\n" + +// "AQEFBQADgYEAy54UVlZifk1PPdTg9OJuumdxgzZk3QEWZGjdJYEc134MeKKsIX50\n" + +// "+6y5GDyXmxvJx33ySTZuRaaXClOuAtXRWpz0KlceujYuwboyUxhn46SUASD872nb\n" + +// "cN0E1UrhDloFcftXEXudDL2S2cSQjsyxLNbBop63xq+U6MYG/uFe7GQ=\n" + +// "-----END CERTIFICATE-----"; +// String password = "vmware"; +// +// try { +// SamlConfig config = new SamlConfig(); +// config.setPrivateKey(key); +// config.setPrivateKeyPassword(password); +// config.setCertificate(certificate); +// keyManager = new SamlKeyManagerFactory().getKeyManager(config); +// fail("Password invalid. Should not reach this line."); +// } catch (Exception x) { +// if (x.getClass().getName().equals("org.bouncycastle.openssl.EncryptionException")) { +// throw new IllegalArgumentException(x); +// } else if (x.getClass().equals(IllegalArgumentException.class)) { +// throw x; +// } +// } } @Test public void testWithWorkingCertificateNullPassword() { - String key = "-----BEGIN RSA PRIVATE KEY-----\n" + - "MIICXgIBAAKBgQDfTLadf6QgJeS2XXImEHMsa+1O7MmIt44xaL77N2K+J/JGpfV3\n" + - "AnkyB06wFZ02sBLB7hko42LIsVEOyTuUBird/3vlyHFKytG7UEt60Fl88SbAEfsU\n" + - "JN1i1aSUlunPS/NCz+BKwwKFP9Ss3rNImE9Uc2LMvGy153LHFVW2zrjhTwIDAQAB\n" + - "AoGBAJDh21LRcJITRBQ3CUs9PR1DYZPl+tUkE7RnPBMPWpf6ny3LnDp9dllJeHqz\n" + - "a3ACSgleDSEEeCGzOt6XHnrqjYCKa42Z+Opnjx/OOpjyX1NAaswRtnb039jwv4gb\n" + - "RlwT49Y17UAQpISOo7JFadCBoMG0ix8xr4ScY+zCSoG5v0BhAkEA8llNsiWBJF5r\n" + - "LWQ6uimfdU2y1IPlkcGAvjekYDkdkHiRie725Dn4qRiXyABeaqNm2bpnD620Okwr\n" + - "sf7LY+BMdwJBAOvgt/ZGwJrMOe/cHhbujtjBK/1CumJ4n2r5V1zPBFfLNXiKnpJ6\n" + - "J/sRwmjgg4u3Anu1ENF3YsxYabflBnvOP+kCQCQ8VBCp6OhOMcpErT8+j/gTGQUL\n" + - "f5zOiPhoC2zTvWbnkCNGlqXDQTnPUop1+6gILI2rgFNozoTU9MeVaEXTuLsCQQDC\n" + - "AGuNpReYucwVGYet+LuITyjs/krp3qfPhhByhtndk4cBA5H0i4ACodKyC6Zl7Tmf\n" + - "oYaZoYWi6DzbQQUaIsKxAkEA2rXQjQFsfnSm+w/9067ChWg46p4lq5Na2NpcpFgH\n" + - 
"waZKhM1W0oB8MX78M+0fG3xGUtywTx0D4N7pr1Tk2GTgNw==\n" + - "-----END RSA PRIVATE KEY-----"; - String certificate = "-----BEGIN CERTIFICATE-----\n" + - "MIIEJTCCA46gAwIBAgIJANIqfxWTfhpkMA0GCSqGSIb3DQEBBQUAMIG+MQswCQYD\n" + - "VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j\n" + - "aXNjbzEdMBsGA1UEChMUUGl2b3RhbCBTb2Z0d2FyZSBJbmMxJDAiBgNVBAsTG0Ns\n" + - "b3VkIEZvdW5kcnkgSWRlbnRpdHkgVGVhbTEcMBoGA1UEAxMTaWRlbnRpdHkuY2Yt\n" + - "YXBwLmNvbTEfMB0GCSqGSIb3DQEJARYQbWFyaXNzYUB0ZXN0Lm9yZzAeFw0xNTA1\n" + - "MTQxNzE5MTBaFw0yNTA1MTExNzE5MTBaMIG+MQswCQYDVQQGEwJVUzETMBEGA1UE\n" + - "CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEdMBsGA1UEChMU\n" + - "UGl2b3RhbCBTb2Z0d2FyZSBJbmMxJDAiBgNVBAsTG0Nsb3VkIEZvdW5kcnkgSWRl\n" + - "bnRpdHkgVGVhbTEcMBoGA1UEAxMTaWRlbnRpdHkuY2YtYXBwLmNvbTEfMB0GCSqG\n" + - "SIb3DQEJARYQbWFyaXNzYUB0ZXN0Lm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAw\n" + - "gYkCgYEA30y2nX+kICXktl1yJhBzLGvtTuzJiLeOMWi++zdivifyRqX1dwJ5MgdO\n" + - "sBWdNrASwe4ZKONiyLFRDsk7lAYq3f975chxSsrRu1BLetBZfPEmwBH7FCTdYtWk\n" + - "lJbpz0vzQs/gSsMChT/UrN6zSJhPVHNizLxstedyxxVVts644U8CAwEAAaOCAScw\n" + - "ggEjMB0GA1UdDgQWBBSvWY/TyHysYGxKvII95wD/CzE1AzCB8wYDVR0jBIHrMIHo\n" + - "gBSvWY/TyHysYGxKvII95wD/CzE1A6GBxKSBwTCBvjELMAkGA1UEBhMCVVMxEzAR\n" + - "BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xHTAbBgNV\n" + - "BAoTFFBpdm90YWwgU29mdHdhcmUgSW5jMSQwIgYDVQQLExtDbG91ZCBGb3VuZHJ5\n" + - "IElkZW50aXR5IFRlYW0xHDAaBgNVBAMTE2lkZW50aXR5LmNmLWFwcC5jb20xHzAd\n" + - "BgkqhkiG9w0BCQEWEG1hcmlzc2FAdGVzdC5vcmeCCQDSKn8Vk34aZDAMBgNVHRME\n" + - "BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAL5j1JCN5EoXMOOBSBUL8KeVZFQD3Nfy\n" + - "YkYKBatFEKdBFlAKLBdG+5KzE7sTYesn7EzBISHXFz3DhdK2tg+IF1DeSFVmFl2n\n" + - "iVxQ1sYjo4kCugHBsWo+MpFH9VBLFzsMlP3eIDuVKe8aPXFKYCGhctZEJdQTKlja\n" + - "lshe50nayKrT\n" + - "-----END CERTIFICATE-----"; - String password = null; - - SamlConfig config = new SamlConfig(); - config.setPrivateKey(key); - config.setPrivateKeyPassword(password); - config.setCertificate(certificate); - keyManager = 
new SamlKeyManagerFactory().getKeyManager(config); - Credential credential = keyManager.getDefaultCredential(); - assertNotNull(credential.getPrivateKey()); - assertNotNull(credential.getPublicKey()); - assertNotNull(credential); + fail(); +// String key = "-----BEGIN RSA PRIVATE KEY-----\n" + +// "MIICXgIBAAKBgQDfTLadf6QgJeS2XXImEHMsa+1O7MmIt44xaL77N2K+J/JGpfV3\n" + +// "AnkyB06wFZ02sBLB7hko42LIsVEOyTuUBird/3vlyHFKytG7UEt60Fl88SbAEfsU\n" + +// "JN1i1aSUlunPS/NCz+BKwwKFP9Ss3rNImE9Uc2LMvGy153LHFVW2zrjhTwIDAQAB\n" + +// "AoGBAJDh21LRcJITRBQ3CUs9PR1DYZPl+tUkE7RnPBMPWpf6ny3LnDp9dllJeHqz\n" + +// "a3ACSgleDSEEeCGzOt6XHnrqjYCKa42Z+Opnjx/OOpjyX1NAaswRtnb039jwv4gb\n" + +// "RlwT49Y17UAQpISOo7JFadCBoMG0ix8xr4ScY+zCSoG5v0BhAkEA8llNsiWBJF5r\n" + +// "LWQ6uimfdU2y1IPlkcGAvjekYDkdkHiRie725Dn4qRiXyABeaqNm2bpnD620Okwr\n" + +// "sf7LY+BMdwJBAOvgt/ZGwJrMOe/cHhbujtjBK/1CumJ4n2r5V1zPBFfLNXiKnpJ6\n" + +// "J/sRwmjgg4u3Anu1ENF3YsxYabflBnvOP+kCQCQ8VBCp6OhOMcpErT8+j/gTGQUL\n" + +// "f5zOiPhoC2zTvWbnkCNGlqXDQTnPUop1+6gILI2rgFNozoTU9MeVaEXTuLsCQQDC\n" + +// "AGuNpReYucwVGYet+LuITyjs/krp3qfPhhByhtndk4cBA5H0i4ACodKyC6Zl7Tmf\n" + +// "oYaZoYWi6DzbQQUaIsKxAkEA2rXQjQFsfnSm+w/9067ChWg46p4lq5Na2NpcpFgH\n" + +// "waZKhM1W0oB8MX78M+0fG3xGUtywTx0D4N7pr1Tk2GTgNw==\n" + +// "-----END RSA PRIVATE KEY-----"; +// String certificate = "-----BEGIN CERTIFICATE-----\n" + +// "MIIEJTCCA46gAwIBAgIJANIqfxWTfhpkMA0GCSqGSIb3DQEBBQUAMIG+MQswCQYD\n" + +// "VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j\n" + +// "aXNjbzEdMBsGA1UEChMUUGl2b3RhbCBTb2Z0d2FyZSBJbmMxJDAiBgNVBAsTG0Ns\n" + +// "b3VkIEZvdW5kcnkgSWRlbnRpdHkgVGVhbTEcMBoGA1UEAxMTaWRlbnRpdHkuY2Yt\n" + +// "YXBwLmNvbTEfMB0GCSqGSIb3DQEJARYQbWFyaXNzYUB0ZXN0Lm9yZzAeFw0xNTA1\n" + +// "MTQxNzE5MTBaFw0yNTA1MTExNzE5MTBaMIG+MQswCQYDVQQGEwJVUzETMBEGA1UE\n" + +// "CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEdMBsGA1UEChMU\n" + +// "UGl2b3RhbCBTb2Z0d2FyZSBJbmMxJDAiBgNVBAsTG0Nsb3VkIEZvdW5kcnkgSWRl\n" + +// 
"bnRpdHkgVGVhbTEcMBoGA1UEAxMTaWRlbnRpdHkuY2YtYXBwLmNvbTEfMB0GCSqG\n" + +// "SIb3DQEJARYQbWFyaXNzYUB0ZXN0Lm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAw\n" + +// "gYkCgYEA30y2nX+kICXktl1yJhBzLGvtTuzJiLeOMWi++zdivifyRqX1dwJ5MgdO\n" + +// "sBWdNrASwe4ZKONiyLFRDsk7lAYq3f975chxSsrRu1BLetBZfPEmwBH7FCTdYtWk\n" + +// "lJbpz0vzQs/gSsMChT/UrN6zSJhPVHNizLxstedyxxVVts644U8CAwEAAaOCAScw\n" + +// "ggEjMB0GA1UdDgQWBBSvWY/TyHysYGxKvII95wD/CzE1AzCB8wYDVR0jBIHrMIHo\n" + +// "gBSvWY/TyHysYGxKvII95wD/CzE1A6GBxKSBwTCBvjELMAkGA1UEBhMCVVMxEzAR\n" + +// "BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xHTAbBgNV\n" + +// "BAoTFFBpdm90YWwgU29mdHdhcmUgSW5jMSQwIgYDVQQLExtDbG91ZCBGb3VuZHJ5\n" + +// "IElkZW50aXR5IFRlYW0xHDAaBgNVBAMTE2lkZW50aXR5LmNmLWFwcC5jb20xHzAd\n" + +// "BgkqhkiG9w0BCQEWEG1hcmlzc2FAdGVzdC5vcmeCCQDSKn8Vk34aZDAMBgNVHRME\n" + +// "BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAL5j1JCN5EoXMOOBSBUL8KeVZFQD3Nfy\n" + +// "YkYKBatFEKdBFlAKLBdG+5KzE7sTYesn7EzBISHXFz3DhdK2tg+IF1DeSFVmFl2n\n" + +// "iVxQ1sYjo4kCugHBsWo+MpFH9VBLFzsMlP3eIDuVKe8aPXFKYCGhctZEJdQTKlja\n" + +// "lshe50nayKrT\n" + +// "-----END CERTIFICATE-----"; +// String password = null; +// +// SamlConfig config = new SamlConfig(); +// config.setPrivateKey(key); +// config.setPrivateKeyPassword(password); +// config.setCertificate(certificate); +// keyManager = new SamlKeyManagerFactory().getKeyManager(config); +// Credential credential = keyManager.getDefaultCredential(); +// assertNotNull(credential.getPrivateKey()); +// assertNotNull(credential.getPublicKey()); +// assertNotNull(credential); } @Test(expected = IllegalArgumentException.class) public void testWithWorkingCertificateIllegalKey() { - String key = "-----BEGIN RSA PRIVATE KEY-----\n" + - "Proc-Type: 4,ENCRYPTED\n" + - "DEK-Info: DES-EDE3-CBC,5771044F3450A262\n" + - "\n" + - "VfRgIdzq/TUFdIwTOxochDs02sSQXA/Z6mRnffYTQMwXpQ5f5nRuqcY8zECGMaDe\n" + - "aLrndpWzGbxiePKgN5AxuIDYNnKMrDRgyCzaaPx66rb87oMwtuq1HM18qqs+yN5v\n" + - 
"CdsoS2uz57fCDI24BuJkIDSIeumLXc5MdN0HUeaxOVzmpbpsbBXjRYa24gW38mUh\n" + - "DzmOAsNDxfoSTox02Cj+GV024e+PiWR6AMA7RKhsKPf9F4ctWwozvEHrV8fzTy5B\n" + - "+KM361P7XwJYueiV/gMZW2DXSujNRBEVfC1CLaxDV3eVsFX5iIiUbc4JQYOM6oQ3\n" + - "KxGPImcRQPY0asKgEDIaWtysUuBoDSbfQ/FxGWeqwR6P/Vth4dXzVGheYLu1V1CU\n" + - "o6M+EXC/VUhERKwi13EgqXLKrDI352/HgEKG60EhM6xIJy9hLHy0UGjdHDcA+cF6\n" + - "7V7PdzaD4GWV75fv99sBlq2e0KK9crNUzs7vbFA/m6tgNA628SGhU1uAc/5xOskI\n" + - "0Ez6kjgHoh4U7t/fu7ey1MbFQt6byHY9lk27nW1ub/QMAaRJ+EDnrReB/NN6q5Vu\n" + - "h9eQNniNOeQfflzFyPB9omLNsVJkENn+lZNNrrlbn8OmJ0pT58Iaetfh79rDZPw9\n" + - "zmHVqmMynmecTWAcA9ATf7+lh+xV88JDjQkLcG/3WEXNH7HXKO00pUa8+JtyxbAb\n" + - "dAwGgrjJkbbk1qLLScOqY4mA5WXa5+80LMkCYO44vVTp2VKmnxj8Mw==\n" + - "-----END RSA PRIVATE KEY-----"; - String certificate = "-----BEGIN CERTIFICATE-----\n" + - "MIIB1TCCAT4CCQCpQCfJYT8ZJTANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDFCRz\n" + - "YW1sX2xvZ2luLE9VPXRlbXBlc3QsTz12bXdhcmUsTz1jb20wHhcNMTMwNzAyMDAw\n" + - "MzM3WhcNMTQwNzAyMDAwMzM3WjAvMS0wKwYDVQQDFCRzYW1sX2xvZ2luLE9VPXRl\n" + - "bXBlc3QsTz12bXdhcmUsTz1jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB\n" + - "ANK8mv+mUzhPH/8iTdMsZ6mY4r4At/GZIFS34L+/I0V2g6PkZ84VBgodqqV6Z6NY\n" + - "OSk0lcjrzU650zbES7yn4MjuvP0N5T9LydlvjOEzfA+uRETiy8d+DsS3rThRY+Ja\n" + - "dvmS0PswJ8cvHAksYmGNUWfTU+Roxcv0ZDqD+cUNi1+NAgMBAAEwDQYJKoZIhvcN\n" + - "AQEFBQADgYEAy54UVlZifk1PPdTg9OJuumdxgzZk3QEWZGjdJYEc134MeKKsIX50\n" + - "+6y5GDyXmxvJx33ySTZuRaaXClOuAtXRWpz0KlceujYuwboyUxhn46SUASD872nb\n" + - "cN0E1UrhDloFcftXEXudDL2S2cSQjsyxLNbBop63xq+U6MYG/uFe7GQ=\n" + - "-----END CERTIFICATE-----"; - String password = "password"; - - SamlConfig config = new SamlConfig(); - config.setPrivateKey(key); - config.setPrivateKeyPassword(password); - config.setCertificate(certificate); - keyManager = new SamlKeyManagerFactory().getKeyManager(config); + fail(); +// String key = "-----BEGIN RSA PRIVATE KEY-----\n" + +// "Proc-Type: 4,ENCRYPTED\n" + +// "DEK-Info: DES-EDE3-CBC,5771044F3450A262\n" + +// "\n" + +// 
"VfRgIdzq/TUFdIwTOxochDs02sSQXA/Z6mRnffYTQMwXpQ5f5nRuqcY8zECGMaDe\n" + +// "aLrndpWzGbxiePKgN5AxuIDYNnKMrDRgyCzaaPx66rb87oMwtuq1HM18qqs+yN5v\n" + +// "CdsoS2uz57fCDI24BuJkIDSIeumLXc5MdN0HUeaxOVzmpbpsbBXjRYa24gW38mUh\n" + +// "DzmOAsNDxfoSTox02Cj+GV024e+PiWR6AMA7RKhsKPf9F4ctWwozvEHrV8fzTy5B\n" + +// "+KM361P7XwJYueiV/gMZW2DXSujNRBEVfC1CLaxDV3eVsFX5iIiUbc4JQYOM6oQ3\n" + +// "KxGPImcRQPY0asKgEDIaWtysUuBoDSbfQ/FxGWeqwR6P/Vth4dXzVGheYLu1V1CU\n" + +// "o6M+EXC/VUhERKwi13EgqXLKrDI352/HgEKG60EhM6xIJy9hLHy0UGjdHDcA+cF6\n" + +// "7V7PdzaD4GWV75fv99sBlq2e0KK9crNUzs7vbFA/m6tgNA628SGhU1uAc/5xOskI\n" + +// "0Ez6kjgHoh4U7t/fu7ey1MbFQt6byHY9lk27nW1ub/QMAaRJ+EDnrReB/NN6q5Vu\n" + +// "h9eQNniNOeQfflzFyPB9omLNsVJkENn+lZNNrrlbn8OmJ0pT58Iaetfh79rDZPw9\n" + +// "zmHVqmMynmecTWAcA9ATf7+lh+xV88JDjQkLcG/3WEXNH7HXKO00pUa8+JtyxbAb\n" + +// "dAwGgrjJkbbk1qLLScOqY4mA5WXa5+80LMkCYO44vVTp2VKmnxj8Mw==\n" + +// "-----END RSA PRIVATE KEY-----"; +// String certificate = "-----BEGIN CERTIFICATE-----\n" + +// "MIIB1TCCAT4CCQCpQCfJYT8ZJTANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDFCRz\n" + +// "YW1sX2xvZ2luLE9VPXRlbXBlc3QsTz12bXdhcmUsTz1jb20wHhcNMTMwNzAyMDAw\n" + +// "MzM3WhcNMTQwNzAyMDAwMzM3WjAvMS0wKwYDVQQDFCRzYW1sX2xvZ2luLE9VPXRl\n" + +// "bXBlc3QsTz12bXdhcmUsTz1jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB\n" + +// "ANK8mv+mUzhPH/8iTdMsZ6mY4r4At/GZIFS34L+/I0V2g6PkZ84VBgodqqV6Z6NY\n" + +// "OSk0lcjrzU650zbES7yn4MjuvP0N5T9LydlvjOEzfA+uRETiy8d+DsS3rThRY+Ja\n" + +// "dvmS0PswJ8cvHAksYmGNUWfTU+Roxcv0ZDqD+cUNi1+NAgMBAAEwDQYJKoZIhvcN\n" + +// "AQEFBQADgYEAy54UVlZifk1PPdTg9OJuumdxgzZk3QEWZGjdJYEc134MeKKsIX50\n" + +// "+6y5GDyXmxvJx33ySTZuRaaXClOuAtXRWpz0KlceujYuwboyUxhn46SUASD872nb\n" + +// "cN0E1UrhDloFcftXEXudDL2S2cSQjsyxLNbBop63xq+U6MYG/uFe7GQ=\n" + +// "-----END CERTIFICATE-----"; +// String password = "password"; +// +// SamlConfig config = new SamlConfig(); +// config.setPrivateKey(key); +// config.setPrivateKeyPassword(password); +// config.setCertificate(certificate); +// keyManager = new 
SamlKeyManagerFactory().getKeyManager(config); } @Test(expected = IllegalArgumentException.class) public void testWithNonWorkingCertificate() { - String key = "-----BEGIN RSA PRIVATE KEY-----\n" + - "Proc-Type: 4,ENCRYPTED\n" + - "DEK-Info: DES-EDE3-CBC,5771044F3450A262\n" + - "\n" + - "VfRgIdzq/TUFdIwTOxochDs02sSQXA/Z6mRnffYTQMwXpQ5f5nRuqcY8zECGMaDe\n" + - "aLrndpWzGbxiePKgN5AxuIDYNnKMrDRgyCzaaPx66rb87oMwtuq1HM18qqs+yN5v\n" + - "CdsoS2uz57fCDI24BuJkIDSIeumLXc5MdN0HUeaxOVzmpbpsbBXjRYa24gW38mUh\n" + - "DzmOAsNDxfoSTox02Cj+GV024e+PiWR6AMA7RKhsKPf9F4ctWwozvEHrV8fzTy5B\n" + - "+KM361P7XwJYueiV/gMZW2DXSujNRBEVfC1CLaxDV3eVsFX5iIiUbc4JQYOM6oQ3\n" + - "KxGPImcRQPY0asKgEDIaWtysUuBoDSbfQ/FxGWeqwR6P/Vth4dXzVGheYLu1V1CU\n" + - "o6M+EXC/VUhERKwi13EgqXLKrDI352/HgEKG60EhM6xIJy9hLHy0UGjdHDcA+cF6\n" + - "NEl6E3CivddMHIPQWil5x4AMaevGa3v/gcZI0DN8t7L1g4fgjtSPYzvwmOxoxHGi\n" + - "7V7PdzaD4GWV75fv99sBlq2e0KK9crNUzs7vbFA/m6tgNA628SGhU1uAc/5xOskI\n" + - "0Ez6kjgHoh4U7t/fu7ey1MbFQt6byHY9lk27nW1ub/QMAaRJ+EDnrReB/NN6q5Vu\n" + - "h9eQNniNOeQfflzFyPB9omLNsVJkENn+lZNNrrlbn8OmJ0pT58Iaetfh79rDZPw9\n" + - "zmHVqmMynmecTWAcA9ATf7+lh+xV88JDjQkLcG/3WEXNH7HXKO00pUa8+JtyxbAb\n" + - "dAwGgrjJkbbk1qLLScOqY4mA5WXa5+80LMkCYO44vVTp2VKmnxj8Mw==\n" + - "-----END RSA PRIVATE KEY-----"; - String certificate = "-----BEGIN CERTIFICATE-----\n" + - "MIIB1TCCAT4CCQCpQCfJYT8ZJTANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDFCRz\n" + - "YW1sX2xvZ2luLE9VPXRlbXBlc3QsTz12bXdhcmUsTz1jb20wHhcNMTMwNzAyMDAw\n" + - "MzM3WhcNMTQwNzAyMDAwMzM3WjAvMS0wKwYDVQQDFCRzYW1sX2xvZ2luLE9VPXRl\n" + - "bXBlc3QsTz12bXdhcmUsTz1jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB\n" + - "OSk0lcjrzU650zbES7yn4MjuvP0N5T9LydlvjOEzfA+uRETiy8d+DsS3rThRY+Ja\n" + - "dvmS0PswJ8cvHAksYmGNUWfTU+Roxcv0ZDqD+cUNi1+NAgMBAAEwDQYJKoZIhvcN\n" + - "AQEFBQADgYEAy54UVlZifk1PPdTg9OJuumdxgzZk3QEWZGjdJYEc134MeKKsIX50\n" + - "+6y5GDyXmxvJx33ySTZuRaaXClOuAtXRWpz0KlceujYuwboyUxhn46SUASD872nb\n" + - "cN0E1UrhDloFcftXEXudDL2S2cSQjsyxLNbBop63xq+U6MYG/uFe7GQ=\n" + - "-----END CERTIFICATE-----"; - 
String password = "password"; - - try { - SamlConfig config = new SamlConfig(); - config.setPrivateKey(key); - config.setPrivateKeyPassword(password); - config.setCertificate(certificate); - keyManager = new SamlKeyManagerFactory().getKeyManager(config); - Assert.fail("Key/Cert pair is invalid. Should not reach this line."); - } catch (Exception x) { - if (x.getClass().getName().equals("org.bouncycastle.openssl.PEMException")) { - throw new IllegalArgumentException(x); - } else if (x.getClass().getName().equals("org.bouncycastle.openssl.EncryptionException")) { - throw new IllegalArgumentException(x); - } else if (x.getClass().equals(IllegalArgumentException.class)) { - throw x; - } - } + fail(); +// String key = "-----BEGIN RSA PRIVATE KEY-----\n" + +// "Proc-Type: 4,ENCRYPTED\n" + +// "DEK-Info: DES-EDE3-CBC,5771044F3450A262\n" + +// "\n" + +// "VfRgIdzq/TUFdIwTOxochDs02sSQXA/Z6mRnffYTQMwXpQ5f5nRuqcY8zECGMaDe\n" + +// "aLrndpWzGbxiePKgN5AxuIDYNnKMrDRgyCzaaPx66rb87oMwtuq1HM18qqs+yN5v\n" + +// "CdsoS2uz57fCDI24BuJkIDSIeumLXc5MdN0HUeaxOVzmpbpsbBXjRYa24gW38mUh\n" + +// "DzmOAsNDxfoSTox02Cj+GV024e+PiWR6AMA7RKhsKPf9F4ctWwozvEHrV8fzTy5B\n" + +// "+KM361P7XwJYueiV/gMZW2DXSujNRBEVfC1CLaxDV3eVsFX5iIiUbc4JQYOM6oQ3\n" + +// "KxGPImcRQPY0asKgEDIaWtysUuBoDSbfQ/FxGWeqwR6P/Vth4dXzVGheYLu1V1CU\n" + +// "o6M+EXC/VUhERKwi13EgqXLKrDI352/HgEKG60EhM6xIJy9hLHy0UGjdHDcA+cF6\n" + +// "NEl6E3CivddMHIPQWil5x4AMaevGa3v/gcZI0DN8t7L1g4fgjtSPYzvwmOxoxHGi\n" + +// "7V7PdzaD4GWV75fv99sBlq2e0KK9crNUzs7vbFA/m6tgNA628SGhU1uAc/5xOskI\n" + +// "0Ez6kjgHoh4U7t/fu7ey1MbFQt6byHY9lk27nW1ub/QMAaRJ+EDnrReB/NN6q5Vu\n" + +// "h9eQNniNOeQfflzFyPB9omLNsVJkENn+lZNNrrlbn8OmJ0pT58Iaetfh79rDZPw9\n" + +// "zmHVqmMynmecTWAcA9ATf7+lh+xV88JDjQkLcG/3WEXNH7HXKO00pUa8+JtyxbAb\n" + +// "dAwGgrjJkbbk1qLLScOqY4mA5WXa5+80LMkCYO44vVTp2VKmnxj8Mw==\n" + +// "-----END RSA PRIVATE KEY-----"; +// String certificate = "-----BEGIN CERTIFICATE-----\n" + +// "MIIB1TCCAT4CCQCpQCfJYT8ZJTANBgkqhkiG9w0BAQUFADAvMS0wKwYDVQQDFCRz\n" + +// 
"YW1sX2xvZ2luLE9VPXRlbXBlc3QsTz12bXdhcmUsTz1jb20wHhcNMTMwNzAyMDAw\n" + +// "MzM3WhcNMTQwNzAyMDAwMzM3WjAvMS0wKwYDVQQDFCRzYW1sX2xvZ2luLE9VPXRl\n" + +// "bXBlc3QsTz12bXdhcmUsTz1jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB\n" + +// "OSk0lcjrzU650zbES7yn4MjuvP0N5T9LydlvjOEzfA+uRETiy8d+DsS3rThRY+Ja\n" + +// "dvmS0PswJ8cvHAksYmGNUWfTU+Roxcv0ZDqD+cUNi1+NAgMBAAEwDQYJKoZIhvcN\n" + +// "AQEFBQADgYEAy54UVlZifk1PPdTg9OJuumdxgzZk3QEWZGjdJYEc134MeKKsIX50\n" + +// "+6y5GDyXmxvJx33ySTZuRaaXClOuAtXRWpz0KlceujYuwboyUxhn46SUASD872nb\n" + +// "cN0E1UrhDloFcftXEXudDL2S2cSQjsyxLNbBop63xq+U6MYG/uFe7GQ=\n" + +// "-----END CERTIFICATE-----"; +// String password = "password"; +// +// try { +// SamlConfig config = new SamlConfig(); +// config.setPrivateKey(key); +// config.setPrivateKeyPassword(password); +// config.setCertificate(certificate); +// keyManager = new SamlKeyManagerFactory().getKeyManager(config); +// fail("Key/Cert pair is invalid. Should not reach this line."); +// } catch (Exception x) { +// if (x.getClass().getName().equals("org.bouncycastle.openssl.PEMException")) { +// throw new IllegalArgumentException(x); +// } else if (x.getClass().getName().equals("org.bouncycastle.openssl.EncryptionException")) { +// throw new IllegalArgumentException(x); +// } else if (x.getClass().equals(IllegalArgumentException.class)) { +// throw x; +// } +// } } @Test(expected = IllegalArgumentException.class) public void testKeyPairValidated() { - String key = "-----BEGIN RSA PRIVATE KEY-----\n" + - "Proc-Type: 4,ENCRYPTED\n" + - "DEK-Info: DES-EDE3-CBC,5771044F3450A262\n" + - "\n" + - "VfRgIdzq/TUFdIwTOxochDs02sSQXA/Z6mRnffYTQMwXpQ5f5nRuqcY8zECGMaDe\n" + - "aLrndpWzGbxiePKgN5AxuIDYNnKMrDRgyCzaaPx66rb87oMwtuq1HM18qqs+yN5v\n" + - "CdsoS2uz57fCDI24BuJkIDSIeumLXc5MdN0HUeaxOVzmpbpsbBXjRYa24gW38mUh\n" + - "DzmOAsNDxfoSTox02Cj+GV024e+PiWR6AMA7RKhsKPf9F4ctWwozvEHrV8fzTy5B\n" + - "+KM361P7XwJYueiV/gMZW2DXSujNRBEVfC1CLaxDV3eVsFX5iIiUbc4JQYOM6oQ3\n" + - 
"KxGPImcRQPY0asKgEDIaWtysUuBoDSbfQ/FxGWeqwR6P/Vth4dXzVGheYLu1V1CU\n" + - "o6M+EXC/VUhERKwi13EgqXLKrDI352/HgEKG60EhM6xIJy9hLHy0UGjdHDcA+cF6\n" + - "NEl6E3CivddMHIPQWil5x4AMaevGa3v/gcZI0DN8t7L1g4fgjtSPYzvwmOxoxHGi\n" + - "7V7PdzaD4GWV75fv99sBlq2e0KK9crNUzs7vbFA/m6tgNA628SGhU1uAc/5xOskI\n" + - "0Ez6kjgHoh4U7t/fu7ey1MbFQt6byHY9lk27nW1ub/QMAaRJ+EDnrReB/NN6q5Vu\n" + - "h9eQNniNOeQfflzFyPB9omLNsVJkENn+lZNNrrlbn8OmJ0pT58Iaetfh79rDZPw9\n" + - "zmHVqmMynmecTWAcA9ATf7+lh+xV88JDjQkLcG/3WEXNH7HXKO00pUa8+JtyxbAb\n" + - "dAwGgrjJkbbk1qLLScOqY4mA5WXa5+80LMkCYO44vVTp2VKmnxj8Mw==\n" + - "-----END RSA PRIVATE KEY-----\n"; - String certificate = "-----BEGIN CERTIFICATE-----\n" + - "MIIEbzCCA1egAwIBAgIQCTPRC15ZcpIxJwdwiMVDSjANBgkqhkiG9w0BAQUFADA2\n" + - "MQswCQYDVQQGEwJOTDEPMA0GA1UEChMGVEVSRU5BMRYwFAYDVQQDEw1URVJFTkEg\n" + - "U1NMIENBMB4XDTEzMDczMDAwMDAwMFoXDTE2MDcyOTIzNTk1OVowPzEhMB8GA1UE\n" + - "CxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRowGAYDVQQDExFlZHVyb2FtLmJi\n" + - "ay5hYy51azCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANrSBWTl56O2\n" + - "VJbahURgPznums43Nnn/smJ6cGywPu4mtJHUHSmONlBDTAWFS1fLkh8YHIQmdwYg\n" + - "FY4pHjZmKVtJ6ZOFhDNN1R2VMka4ZtREWn3XX8pUacol5KjEIh6U/FvMHyRv7sV5\n" + - "9J6JUK+n5R7ZsSu7XRi6TrT3xhfu0KoWo8RM/salKo2theIcyqLPHiFLEtA7ISLV\n" + - "q7I49uj9h9Hni/iCpBey+Gn5yDub4nrv81aDfD6zDoW/vXIOrcXFYRK3lXWOOFi4\n" + - "cfmu4SQQwMV1jBOer8JgfsQ3EQMgwauSMLUR31wPM83eMbOC72HhW9SJUtFDj42c\n" + - "PIEWd+rTA8ECAwEAAaOCAW4wggFqMB8GA1UdIwQYMBaAFAy9k2gM896ro0lrKzdX\n" + - "R+qQ47ntMB0GA1UdDgQWBBQgoU+Pbgk2MthczZt7TviUiIWyrjAOBgNVHQ8BAf8E\n" + - "BAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH\n" + - "AwIwIgYDVR0gBBswGTANBgsrBgEEAbIxAQICHTAIBgZngQwBAgEwOgYDVR0fBDMw\n" + - "MTAvoC2gK4YpaHR0cDovL2NybC50Y3MudGVyZW5hLm9yZy9URVJFTkFTU0xDQS5j\n" + - "cmwwbQYIKwYBBQUHAQEEYTBfMDUGCCsGAQUFBzAChilodHRwOi8vY3J0LnRjcy50\n" + - "ZXJlbmEub3JnL1RFUkVOQVNTTENBLmNydDAmBggrBgEFBQcwAYYaaHR0cDovL29j\n" + - "c3AudGNzLnRlcmVuYS5vcmcwHAYDVR0RBBUwE4IRZWR1cm9hbS5iYmsuYWMudWsw\n" + - 
"DQYJKoZIhvcNAQEFBQADggEBAHTw5b1lrTBqnx/QSO50Mww+OPYgV4b4NSu2rqxG\n" + - "I2hHLiD4l7Sk3WOdXPAQMmTlo6N10Lt6p8gLLxKsOAw+nK+z9aLcgKk9/kYoe4C8\n" + - "jHzwTy6eO+sCKnJfTqEX8p3b8l736lUWwPgMjjEN+d49ZegqCwH6SEz7h0+DwGmF\n" + - "LLfFM8J1SozgPVXgmfCv0XHpFyYQPhXligeWk39FouC2DfhXDTDOgc0n/UQjETNl\n" + - "r2Jawuw1VG6/+EFf4qjwr0/hIrxc/0XEd9+qLHKef1rMjb9pcZA7Dti+DoKHsxWi\n" + - "yl3DnNZlj0tFP0SBcwjg/66VAekmFtJxsLx3hKxtYpO3m8c=\n" + - "-----END CERTIFICATE-----\n"; - - String password = "password"; - - SamlConfig config = new SamlConfig(); - config.setPrivateKey(key); - config.setPrivateKeyPassword(password); - config.setCertificate(certificate); - keyManager = new SamlKeyManagerFactory().getKeyManager(config); + fail(); +// String key = "-----BEGIN RSA PRIVATE KEY-----\n" + +// "Proc-Type: 4,ENCRYPTED\n" + +// "DEK-Info: DES-EDE3-CBC,5771044F3450A262\n" + +// "\n" + +// "VfRgIdzq/TUFdIwTOxochDs02sSQXA/Z6mRnffYTQMwXpQ5f5nRuqcY8zECGMaDe\n" + +// "aLrndpWzGbxiePKgN5AxuIDYNnKMrDRgyCzaaPx66rb87oMwtuq1HM18qqs+yN5v\n" + +// "CdsoS2uz57fCDI24BuJkIDSIeumLXc5MdN0HUeaxOVzmpbpsbBXjRYa24gW38mUh\n" + +// "DzmOAsNDxfoSTox02Cj+GV024e+PiWR6AMA7RKhsKPf9F4ctWwozvEHrV8fzTy5B\n" + +// "+KM361P7XwJYueiV/gMZW2DXSujNRBEVfC1CLaxDV3eVsFX5iIiUbc4JQYOM6oQ3\n" + +// "KxGPImcRQPY0asKgEDIaWtysUuBoDSbfQ/FxGWeqwR6P/Vth4dXzVGheYLu1V1CU\n" + +// "o6M+EXC/VUhERKwi13EgqXLKrDI352/HgEKG60EhM6xIJy9hLHy0UGjdHDcA+cF6\n" + +// "NEl6E3CivddMHIPQWil5x4AMaevGa3v/gcZI0DN8t7L1g4fgjtSPYzvwmOxoxHGi\n" + +// "7V7PdzaD4GWV75fv99sBlq2e0KK9crNUzs7vbFA/m6tgNA628SGhU1uAc/5xOskI\n" + +// "0Ez6kjgHoh4U7t/fu7ey1MbFQt6byHY9lk27nW1ub/QMAaRJ+EDnrReB/NN6q5Vu\n" + +// "h9eQNniNOeQfflzFyPB9omLNsVJkENn+lZNNrrlbn8OmJ0pT58Iaetfh79rDZPw9\n" + +// "zmHVqmMynmecTWAcA9ATf7+lh+xV88JDjQkLcG/3WEXNH7HXKO00pUa8+JtyxbAb\n" + +// "dAwGgrjJkbbk1qLLScOqY4mA5WXa5+80LMkCYO44vVTp2VKmnxj8Mw==\n" + +// "-----END RSA PRIVATE KEY-----\n"; +// String certificate = "-----BEGIN CERTIFICATE-----\n" + +// 
"MIIEbzCCA1egAwIBAgIQCTPRC15ZcpIxJwdwiMVDSjANBgkqhkiG9w0BAQUFADA2\n" + +// "MQswCQYDVQQGEwJOTDEPMA0GA1UEChMGVEVSRU5BMRYwFAYDVQQDEw1URVJFTkEg\n" + +// "U1NMIENBMB4XDTEzMDczMDAwMDAwMFoXDTE2MDcyOTIzNTk1OVowPzEhMB8GA1UE\n" + +// "CxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRowGAYDVQQDExFlZHVyb2FtLmJi\n" + +// "ay5hYy51azCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANrSBWTl56O2\n" + +// "VJbahURgPznums43Nnn/smJ6cGywPu4mtJHUHSmONlBDTAWFS1fLkh8YHIQmdwYg\n" + +// "FY4pHjZmKVtJ6ZOFhDNN1R2VMka4ZtREWn3XX8pUacol5KjEIh6U/FvMHyRv7sV5\n" + +// "9J6JUK+n5R7ZsSu7XRi6TrT3xhfu0KoWo8RM/salKo2theIcyqLPHiFLEtA7ISLV\n" + +// "q7I49uj9h9Hni/iCpBey+Gn5yDub4nrv81aDfD6zDoW/vXIOrcXFYRK3lXWOOFi4\n" + +// "cfmu4SQQwMV1jBOer8JgfsQ3EQMgwauSMLUR31wPM83eMbOC72HhW9SJUtFDj42c\n" + +// "PIEWd+rTA8ECAwEAAaOCAW4wggFqMB8GA1UdIwQYMBaAFAy9k2gM896ro0lrKzdX\n" + +// "R+qQ47ntMB0GA1UdDgQWBBQgoU+Pbgk2MthczZt7TviUiIWyrjAOBgNVHQ8BAf8E\n" + +// "BAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH\n" + +// "AwIwIgYDVR0gBBswGTANBgsrBgEEAbIxAQICHTAIBgZngQwBAgEwOgYDVR0fBDMw\n" + +// "MTAvoC2gK4YpaHR0cDovL2NybC50Y3MudGVyZW5hLm9yZy9URVJFTkFTU0xDQS5j\n" + +// "cmwwbQYIKwYBBQUHAQEEYTBfMDUGCCsGAQUFBzAChilodHRwOi8vY3J0LnRjcy50\n" + +// "ZXJlbmEub3JnL1RFUkVOQVNTTENBLmNydDAmBggrBgEFBQcwAYYaaHR0cDovL29j\n" + +// "c3AudGNzLnRlcmVuYS5vcmcwHAYDVR0RBBUwE4IRZWR1cm9hbS5iYmsuYWMudWsw\n" + +// "DQYJKoZIhvcNAQEFBQADggEBAHTw5b1lrTBqnx/QSO50Mww+OPYgV4b4NSu2rqxG\n" + +// "I2hHLiD4l7Sk3WOdXPAQMmTlo6N10Lt6p8gLLxKsOAw+nK+z9aLcgKk9/kYoe4C8\n" + +// "jHzwTy6eO+sCKnJfTqEX8p3b8l736lUWwPgMjjEN+d49ZegqCwH6SEz7h0+DwGmF\n" + +// "LLfFM8J1SozgPVXgmfCv0XHpFyYQPhXligeWk39FouC2DfhXDTDOgc0n/UQjETNl\n" + +// "r2Jawuw1VG6/+EFf4qjwr0/hIrxc/0XEd9+qLHKef1rMjb9pcZA7Dti+DoKHsxWi\n" + +// "yl3DnNZlj0tFP0SBcwjg/66VAekmFtJxsLx3hKxtYpO3m8c=\n" + +// "-----END CERTIFICATE-----\n"; +// +// String password = "password"; +// +// SamlConfig config = new SamlConfig(); +// config.setPrivateKey(key); +// config.setPrivateKeyPassword(password); +// 
config.setCertificate(certificate);
+// keyManager = new SamlKeyManagerFactory().getKeyManager(config);
 }
 }
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/TokenTestSupport.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/TokenTestSupport.java
index 103da10555f..1a6a0c3e508 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/TokenTestSupport.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/TokenTestSupport.java
@@ -49,7 +49,7 @@ import org.cloudfoundry.identity.uaa.zone.TokenPolicy;
 import org.cloudfoundry.identity.uaa.zone.beans.IdentityZoneManager;
 import org.mockito.stubbing.Answer;
-import org.opensaml.saml2.core.AuthnContext;
+//import org.opensaml.saml2.core.AuthnContext;
 import org.springframework.dao.EmptyResultDataAccessException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/Saml2TokenGranterTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/Saml2TokenGranterTest.java
index 87225d39b82..c599d89f5ac 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/Saml2TokenGranterTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/token/Saml2TokenGranterTest.java
@@ -25,19 +25,19 @@ import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
-import org.opensaml.Configuration;
-import org.opensaml.DefaultBootstrap;
-import org.opensaml.saml2.core.Assertion;
-import org.opensaml.saml2.core.impl.AssertionMarshaller;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.xml.ConfigurationException;
-import org.opensaml.xml.XMLObject;
-import org.opensaml.xml.io.Unmarshaller;
-import org.opensaml.xml.io.UnmarshallerFactory;
-import org.opensaml.xml.io.UnmarshallingException;
-import org.opensaml.xml.parse.BasicParserPool;
-import org.opensaml.xml.parse.XMLParserException;
-import org.opensaml.xml.util.XMLHelper;
+//import org.opensaml.Configuration;
+//import org.opensaml.DefaultBootstrap;
+//import org.opensaml.saml2.core.Assertion;
+//import org.opensaml.saml2.core.impl.AssertionMarshaller;
+//import org.opensaml.saml2.metadata.EntityDescriptor;
+//import org.opensaml.xml.ConfigurationException;
+//import org.opensaml.xml.XMLObject;
+//import org.opensaml.xml.io.Unmarshaller;
+//import org.opensaml.xml.io.UnmarshallerFactory;
+//import org.opensaml.xml.io.UnmarshallingException;
+//import org.opensaml.xml.parse.BasicParserPool;
+//import org.opensaml.xml.parse.XMLParserException;
+//import org.opensaml.xml.util.XMLHelper;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.authentication.InsufficientAuthenticationException;
 import org.springframework.security.core.authority.AuthorityUtils;
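Review bot: The thirteen `org.opensaml` imports are commented out rather than deleted, which leaves the file carrying dead text the compiler never checks and that will drift from whatever replacement API arrives; git history already preserves the removed lines. The same pattern runs through the rest of this file (the `@@ -50`, `@@ -99`, `@@ -124` and `@@ -248` hunks, where whole helpers such as `unmarshallObject` survive only as `//` lines) and through the TokenTestSupport, PasscodeInformationTest, IdentityProviderEndpointsTest, ComparableProviderTest and ConfigMetadataProviderTest hunks. If the intent is to restore these once the replacement SAML library lands, a single marker at the top of each file such as `// TODO(saml-migration): restore the OpenSAML-based helpers, see <tracking issue>` carries that intent better than the commented-out bodies, and the import lines can simply be removed.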
@@ -50,8 +50,8 @@ import org.springframework.security.oauth2.provider.TokenRequest;
 import org.springframework.security.oauth2.provider.client.BaseClientDetails;
 import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
-import org.springframework.security.saml.SAMLAuthenticationToken;
-import org.springframework.security.saml.context.SAMLMessageContext;
+//import org.springframework.security.saml.SAMLAuthenticationToken;
+//import org.springframework.security.saml.context.SAMLMessageContext;
 import org.springframework.util.StringUtils;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -99,19 +99,19 @@ public class Saml2TokenGranterTest {
 private BaseClientDetails requestingClient;
 private BaseClientDetails receivingClient;
 private BaseClientDetails passwordClient;
- private SAMLAuthenticationToken samltoken;
- private SAMLMessageContext samlcontext;
+// private SAMLAuthenticationToken samltoken;
+// private SAMLMessageContext samlcontext;
 private UaaUserDatabase uaaUserDatabase = mock(UaaUserDatabase.class);
 @Before
 public void setup() {
- try { DefaultBootstrap.bootstrap();
- } catch (ConfigurationException ignored) { }
+// try { DefaultBootstrap.bootstrap();
+// } catch (ConfigurationException ignored) { }
 tokenServices = mock(AuthorizationServerTokenServices.class);
 clientDetailsService = mock(MultitenantClientServices.class);
 requestFactory = mock(OAuth2RequestFactory.class);
 authentication = mock(UaaOauth2Authentication.class);
- samlcontext = mock(SAMLMessageContext.class);
+// samlcontext = mock(SAMLMessageContext.class);
 mockSecurityAccessor = mock(DefaultSecurityContextAccessor.class);
 MockHttpServletRequest request = new MockHttpServletRequest();
 ServletRequestAttributes attrs = new ServletRequestAttributes(request);
@@ -124,7 +124,7 @@ public void setup() {
 clientDetailsService,
 requestFactory,
 mockSecurityAccessor);
- samltoken = new SAMLAuthenticationToken(samlcontext);
+// samltoken = new SAMLAuthenticationToken(samlcontext);
 SecurityContextHolder.getContext().setAuthentication(authentication);
 requestingClient = new BaseClientDetails("requestingId",null,"uaa.user",GRANT_TYPE_SAML2_BEARER, null);
@@ -248,52 +248,52 @@ public PublicTokenRequest() {
 }
 }
- EntityDescriptor getMetadata(String xml) {
- try {
- return (EntityDescriptor)unmarshallObject(xml);
- } catch(Exception ignored) {
- }
- return null;
- }
+// EntityDescriptor getMetadata(String xml) {
+// try {
+// return (EntityDescriptor)unmarshallObject(xml);
+// } catch(Exception ignored) {
+// }
+// return null;
+// }
- Assertion getAssertion(String xml) {
- try {
- return (Assertion)unmarshallObject(xml);
- } catch(Exception ignored) {
- }
- return null;
- }
+// Assertion getAssertion(String xml) {
+// try {
+// return (Assertion)unmarshallObject(xml);
+// } catch(Exception ignored) {
+// }
+// return null;
+// }
- String getAssertionXml(Assertion assertion) {
- try {
- AssertionMarshaller marshaller = new AssertionMarshaller();
- Element plaintextElement = marshaller.marshall(assertion);
- return XMLHelper.nodeToString(plaintextElement);
- } catch(Exception ignored) {
- }
- return null;
- }
+// String getAssertionXml(Assertion assertion) {
+// try {
+// AssertionMarshaller marshaller = new AssertionMarshaller();
+// Element plaintextElement = marshaller.marshall(assertion);
+// return XMLHelper.nodeToString(plaintextElement);
+// } catch(Exception ignored) {
+// }
+// return null;
+// }
 /*
 * Unmarshall XML string to OpenSAML XMLObject
 */
- private XMLObject unmarshallObject(String xmlString) throws UnmarshallingException, XMLParserException {
- BasicParserPool parser = new BasicParserPool();
- parser.setNamespaceAware(true);
- /* Base64URL encoded */
- byte[] bytes = xmlString.getBytes(UTF_8);
- if (bytes == null || bytes.length == 0)
- throw new InsufficientAuthenticationException("Invalid assertion encoding");
- Reader reader = new InputStreamReader(new ByteArrayInputStream(bytes));
- Document doc = parser.parse(reader);
- Element samlElement = doc.getDocumentElement();
-
- UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
- Unmarshaller unmarshaller = 
unmarshallerFactory.getUnmarshaller(samlElement);
- if (unmarshaller == null) {
- throw new InsufficientAuthenticationException("Unsuccessful to unmarshal assertion string");
- }
- return unmarshaller.unmarshall(samlElement);
- }
+// private XMLObject unmarshallObject(String xmlString) throws UnmarshallingException, XMLParserException {
+// BasicParserPool parser = new BasicParserPool();
+// parser.setNamespaceAware(true);
+// /* Base64URL encoded */
+// byte[] bytes = xmlString.getBytes(UTF_8);
+// if (bytes == null || bytes.length == 0)
+// throw new InsufficientAuthenticationException("Invalid assertion encoding");
+// Reader reader = new InputStreamReader(new ByteArrayInputStream(bytes));
+// Document doc = parser.parse(reader);
+// Element samlElement = doc.getDocumentElement();
+//
+// UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
+// Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(samlElement);
+// if (unmarshaller == null) {
+// throw new InsufficientAuthenticationException("Unsuccessful to unmarshal assertion string");
+// }
+// return unmarshaller.unmarshall(samlElement);
+// }
 }
\ No newline at end of file
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/passcode/PasscodeInformationTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/passcode/PasscodeInformationTest.java
index 43842a1b158..0dd4fa5ecc9 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/passcode/PasscodeInformationTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/passcode/PasscodeInformationTest.java
@@ -8,7 +8,7 @@ import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
+//import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
@@ -18,6 +18,7 @@ import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import static org.junit.Assert.fail;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
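Review bot: The new `import static org.junit.Assert.fail;` pulls JUnit 4's assertion class into a file whose other assertions all come from `org.junit.jupiter.api.Assertions`, so the class now mixes two assertion APIs and depends on both JUnit 4 and Jupiter being on the test classpath. Jupiter ships the same helper; `import static org.junit.jupiter.api.Assertions.fail;` keeps the file on one API and sorts naturally with the three static imports that follow it.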
@@ -81,35 +82,37 @@ void buildPasscodeInformationFromUaaAuthentication() {
 @Test
 void buildPasscodeFromExpiringToken() {
- ExpiringUsernameAuthenticationToken expiringUsernameAuthenticationToken =
- new ExpiringUsernameAuthenticationToken(uaaPrincipal, "");
-
- final PasscodeInformation passcodeInformation =
- new PasscodeInformation(expiringUsernameAuthenticationToken, authorizationParameters);
-
- assertNull(passcodeInformation.getPasscode());
- assertEquals(uaaPrincipal.getName(), passcodeInformation.getUsername());
- assertEquals(uaaPrincipal.getOrigin(), passcodeInformation.getOrigin());
- assertEquals(uaaPrincipal.getId(), passcodeInformation.getUserId());
+ fail("needs the SAML library");
+// ExpiringUsernameAuthenticationToken expiringUsernameAuthenticationToken =
+// new ExpiringUsernameAuthenticationToken(uaaPrincipal, "");
+//
+// final PasscodeInformation passcodeInformation =
+// new PasscodeInformation(expiringUsernameAuthenticationToken, authorizationParameters);
+//
+// assertNull(passcodeInformation.getPasscode());
+// assertEquals(uaaPrincipal.getName(), passcodeInformation.getUsername());
+// assertEquals(uaaPrincipal.getOrigin(), passcodeInformation.getOrigin());
+// assertEquals(uaaPrincipal.getId(), passcodeInformation.getUserId());
 }
 @Test
 void buildPasscodeInformationFromSamlToken() {
+ fail("needs the SAML library");
 Principal principal = mock(Principal.class);
- ExpiringUsernameAuthenticationToken expiringUsernameAuthenticationToken =
- new ExpiringUsernameAuthenticationToken(principal, "");
- LoginSamlAuthenticationToken samlAuthenticationToken = new LoginSamlAuthenticationToken(
- uaaPrincipal,
- expiringUsernameAuthenticationToken
- );
-
- final PasscodeInformation passcodeInformation =
- new PasscodeInformation(samlAuthenticationToken, authorizationParameters);
-
- assertNull(passcodeInformation.getPasscode());
- assertEquals(uaaPrincipal.getName(), passcodeInformation.getUsername());
- assertEquals(uaaPrincipal.getOrigin(), 
passcodeInformation.getOrigin());
- assertEquals(uaaPrincipal.getId(), passcodeInformation.getUserId());
+// ExpiringUsernameAuthenticationToken expiringUsernameAuthenticationToken =
+// new ExpiringUsernameAuthenticationToken(principal, "");
+// LoginSamlAuthenticationToken samlAuthenticationToken = new LoginSamlAuthenticationToken(
+// uaaPrincipal,
+// expiringUsernameAuthenticationToken
+// );
+//
+// final PasscodeInformation passcodeInformation =
+// new PasscodeInformation(samlAuthenticationToken, authorizationParameters);
+//
+// assertNull(passcodeInformation.getPasscode());
+// assertEquals(uaaPrincipal.getName(), passcodeInformation.getUsername());
+// assertEquals(uaaPrincipal.getOrigin(), passcodeInformation.getOrigin());
+// assertEquals(uaaPrincipal.getId(), passcodeInformation.getUserId());
 }
 @Test
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpointsTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpointsTest.java
index 9c7b20c0e3c..77c32292325 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpointsTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpointsTest.java
@@ -57,7 +57,7 @@ import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.junit.jupiter.MockitoExtension;
-import org.opensaml.saml2.metadata.provider.MetadataProviderException;
+//import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
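Review bot: `fail("needs the SAML library")` in `buildPasscodeFromExpiringToken` and `buildPasscodeInformationFromSamlToken` makes both tests fail on every run, giving the suite a permanent red that is indistinguishable from a real regression, and in the second method the `Principal principal = mock(Principal.class);` that follows it is never executed. Jupiter has a dedicated mechanism for parking a test: annotate both methods with `@Disabled("needs the SAML library")` from `org.junit.jupiter.api`, which reports them as skipped with the reason and needs no throwing placeholder. The coverage being parked here is the check that a passcode built from a SAML login carries the principal's name, origin and user id, so the disable reason should point at whatever tracks restoring it. The SamlKeyManagerFactoryTests hunk earlier in this patch uses the same `fail()` placeholder inside JUnit 4 `@Test(expected = IllegalArgumentException.class)` methods, where the `AssertionError` it throws is reported as an unexpected exception rather than the expected one; `@Ignore` is the JUnit 4 equivalent.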
@@ -382,7 +382,7 @@ private void arrangeCurrentIdentityZone(final String zoneId) {
 @Nested
 class Create {
 @Test
- void shouldReturnOriginalIdpWithAliasId_WhenAliasPropertiesAreValid() throws MetadataProviderException {
+ void shouldReturnOriginalIdpWithAliasId_WhenAliasPropertiesAreValid() /* throws MetadataProviderException */ {
 arrangeCurrentIdentityZone(UAA);
 final IdentityProvider requestBody = getExternalOAuthProvider();
@@ -417,7 +417,7 @@ void shouldReturnOriginalIdpWithAliasId_WhenAliasPropertiesAreValid() throws Met
 }
 @Test
- void shouldRespondWith422_WhenAliasPropertiesAreNotValid() throws MetadataProviderException {
+ void shouldRespondWith422_WhenAliasPropertiesAreNotValid() /* throws MetadataProviderException */ {
 arrangeCurrentIdentityZone(UAA);
 final IdentityProvider requestBody = getExternalOAuthProvider();
@@ -442,7 +442,7 @@ void shouldRespondWith422_WhenAliasPropertiesAreNotValid() throws MetadataProvid
 void shouldRespondWithErrorCode_WhenExceptionIsThrownDuringAliasCreation(
 final Exception thrownException,
 final HttpStatus expectedStatusCode
- ) throws MetadataProviderException {
+ ) /* throws MetadataProviderException */ {
 arrangeCurrentIdentityZone(UAA);
 final IdentityProvider requestBody = getExternalOAuthProvider();
@@ -484,7 +484,7 @@ private static Stream shouldRespondWithErrorCode_WhenExceptionIsThrow
 @Nested
 class Update {
 @Test
- void shouldReturnOriginalIdpWithAliasId_WhenAliasPropertiesAreValid() throws MetadataProviderException {
+ void shouldReturnOriginalIdpWithAliasId_WhenAliasPropertiesAreValid() /* throws MetadataProviderException */ {
 arrangeCurrentIdentityZone(UAA);
 final String originalIdpId = UUID.randomUUID().toString();
@@ -526,7 +526,7 @@ void shouldReturnOriginalIdpWithAliasId_WhenAliasPropertiesAreValid() throws Met
}
@Test
- void shouldRespondWith422_WhenAliasPropertiesAreNotValid() throws MetadataProviderException {
+ void shouldRespondWith422_WhenAliasPropertiesAreNotValid() /* throws MetadataProviderException */ {
arrangeCurrentIdentityZone(UAA);
final String originalIdpId = UUID.randomUUID().toString();
@@ -558,7 +558,7 @@ void shouldRespondWith422_WhenAliasPropertiesAreNotValid() throws MetadataProvid
void shouldRespondWithErrorCode_WhenExceptionIsThrownDuringAliasCreation(
final Exception thrownException,
final HttpStatus expectedException
- ) throws MetadataProviderException {
+ ) /* throws MetadataProviderException */ {
arrangeCurrentIdentityZone(UAA);
final String originalIdpId = UUID.randomUUID().toString();
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ComparableProviderTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ComparableProviderTest.java
index c15ba0e7f96..bbb80a473ad 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ComparableProviderTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ComparableProviderTest.java
@@ -12,7 +12,7 @@ *******************************************************************************/
import org.junit.Test;
-import org.opensaml.xml.XMLObject;
+//import org.opensaml.xml.XMLObject;
import static org.junit.Assert.*;
@@ -32,10 +32,10 @@ public String getZoneId() {
return zoneId;
}
- @Override
- public XMLObject doGetMetadata() {
- return null;
- }
+// @Override
+// public XMLObject doGetMetadata() {
+// return null;
+// }
@Override
public byte[] fetchMetadata() {
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ConfigMetadataProviderTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ConfigMetadataProviderTest.java
index 3710ce68033..19bab332027 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ConfigMetadataProviderTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ConfigMetadataProviderTest.java
@@ -2,10 +2,10 @@ import org.cloudfoundry.identity.uaa.zone.IdentityZone;
import org.junit.Test;
-import org.opensaml.DefaultBootstrap;
-import org.opensaml.saml2.metadata.impl.EntityDescriptorImpl;
-import org.opensaml.xml.XMLObject;
-import org.opensaml.xml.parse.BasicParserPool;
+//import org.opensaml.DefaultBootstrap;
+//import org.opensaml.saml2.metadata.impl.EntityDescriptorImpl;
+//import org.opensaml.xml.XMLObject;
+//import org.opensaml.xml.parse.BasicParserPool;
import java.io.File;
import java.util.Scanner;
@@ -15,14 +15,15 @@ public class ConfigMetadataProviderTest {
@Test
public void testDoGetMetadata() throws Exception {
- String metadataString = new Scanner(new File("../uaa/src/test/resources/idp.xml")).useDelimiter("\\Z").next();
- ConfigMetadataProvider provider = new ConfigMetadataProvider(IdentityZone.getUaaZoneId(), "testalias", metadataString);
- ConfigMetadataProvider provider2 = new ConfigMetadataProvider(IdentityZone.getUaaZoneId(), "testalias", metadataString);
- DefaultBootstrap.bootstrap();
- provider.setParserPool(new BasicParserPool());
- XMLObject xmlObject = provider.doGetMetadata();
- assertNotNull(xmlObject);
- assertEquals("http://openam.example.com:8181/openam", ((EntityDescriptorImpl) xmlObject).getEntityID());
- assertEquals(provider, provider2);
+ fail();
+// String metadataString = new Scanner(new File("../uaa/src/test/resources/idp.xml")).useDelimiter("\\Z").next();
+// ConfigMetadataProvider provider = new ConfigMetadataProvider(IdentityZone.getUaaZoneId(), "testalias", metadataString);
+// ConfigMetadataProvider provider2 = new ConfigMetadataProvider(IdentityZone.getUaaZoneId(), "testalias", metadataString);
+// DefaultBootstrap.bootstrap();
+// provider.setParserPool(new BasicParserPool());
+// XMLObject xmlObject = provider.doGetMetadata();
+// assertNotNull(xmlObject);
+// assertEquals("http://openam.example.com:8181/openam", ((EntityDescriptorImpl) xmlObject).getEntityID());
+// assertEquals(provider, provider2);
}
}
\ No newline at end of file
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProviderTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProviderTests.java
index c2ce3b1ddda..f634fcc4d90 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProviderTests.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProviderTests.java
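Review bot: `testDoGetMetadata` now fails unconditionally with a bare `fail();`, so the suite goes red with no recorded reason while the assertions it replaced (entityID extracted from `idp.xml`, equality of two providers built from the same metadata) survive only as a comment block. Prefer `@Disabled("SAML library removal: re-implement metadata parsing test against the replacement parser")` on the method, or at minimum `fail("...")` with a message if the red build is meant to gate the migration. IdP metadata parsing is the trust anchor for every SAML login in a zone, so this check needs to return, not just be remembered.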
@@ -39,29 +39,29 @@
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-import org.opensaml.common.SAMLException;
-import org.opensaml.saml2.core.Assertion;
-import org.opensaml.saml2.core.Attribute;
-import org.opensaml.saml2.core.AuthnContext;
-import org.opensaml.saml2.core.AuthnContextClassRef;
-import org.opensaml.saml2.core.AuthnStatement;
-import org.opensaml.saml2.core.NameID;
-import org.opensaml.ws.wsaddressing.impl.AttributedURIImpl;
-import org.opensaml.ws.wssecurity.impl.AttributedStringImpl;
-import org.opensaml.xml.XMLObject;
-import org.opensaml.xml.encryption.DecryptionException;
-import org.opensaml.xml.schema.XSBoolean;
-import org.opensaml.xml.schema.XSBooleanValue;
-import org.opensaml.xml.schema.impl.XSAnyImpl;
-import org.opensaml.xml.schema.impl.XSBase64BinaryImpl;
-import org.opensaml.xml.schema.impl.XSBooleanBuilder;
-import org.opensaml.xml.schema.impl.XSBooleanImpl;
-import org.opensaml.xml.schema.impl.XSDateTimeImpl;
-import org.opensaml.xml.schema.impl.XSIntegerImpl;
-import org.opensaml.xml.schema.impl.XSQNameImpl;
-import org.opensaml.xml.schema.impl.XSURIImpl;
-import org.opensaml.xml.security.SecurityException;
-import org.opensaml.xml.validation.ValidationException;
+//import org.opensaml.common.SAMLException;
+//import org.opensaml.saml2.core.Assertion;
+//import org.opensaml.saml2.core.Attribute;
+//import org.opensaml.saml2.core.AuthnContext;
+//import org.opensaml.saml2.core.AuthnContextClassRef;
+//import org.opensaml.saml2.core.AuthnStatement;
+//import org.opensaml.saml2.core.NameID;
+//import org.opensaml.ws.wsaddressing.impl.AttributedURIImpl;
+//import org.opensaml.ws.wssecurity.impl.AttributedStringImpl;
+//import org.opensaml.xml.XMLObject;
+//import org.opensaml.xml.encryption.DecryptionException;
+//import org.opensaml.xml.schema.XSBoolean;
+//import org.opensaml.xml.schema.XSBooleanValue;
+//import org.opensaml.xml.schema.impl.XSAnyImpl;
+//import 
org.opensaml.xml.schema.impl.XSBase64BinaryImpl;
+//import org.opensaml.xml.schema.impl.XSBooleanBuilder;
+//import org.opensaml.xml.schema.impl.XSBooleanImpl;
+//import org.opensaml.xml.schema.impl.XSDateTimeImpl;
+//import org.opensaml.xml.schema.impl.XSIntegerImpl;
+//import org.opensaml.xml.schema.impl.XSQNameImpl;
+//import org.opensaml.xml.schema.impl.XSURIImpl;
+//import org.opensaml.xml.security.SecurityException;
+//import org.opensaml.xml.validation.ValidationException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationEvent;
@@ -75,13 +75,13 @@
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.security.saml.SAMLAuthenticationToken;
-import org.springframework.security.saml.SAMLConstants;
-import org.springframework.security.saml.SAMLCredential;
-import org.springframework.security.saml.context.SAMLMessageContext;
-import org.springframework.security.saml.log.SAMLLogger;
-import org.springframework.security.saml.metadata.ExtendedMetadata;
-import org.springframework.security.saml.websso.WebSSOProfileConsumer;
+//import org.springframework.security.saml.SAMLAuthenticationToken;
+//import org.springframework.security.saml.SAMLConstants;
+//import org.springframework.security.saml.SAMLCredential;
+//import org.springframework.security.saml.context.SAMLMessageContext;
+//import org.springframework.security.saml.log.SAMLLogger;
+//import org.springframework.security.saml.metadata.ExtendedMetadata;
+//import org.springframework.security.saml.websso.WebSSOProfileConsumer;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
@@ -148,8 +148,8 @@ class LoginSamlAuthenticationProviderTests {
private CreateUserPublisher publisher;
private JdbcUaaUserDatabase userDatabase;
private LoginSamlAuthenticationProvider authprovider;
- private WebSSOProfileConsumer consumer;
- private SAMLLogger samlLogger = mock(SAMLLogger.class);
+// private WebSSOProfileConsumer consumer;
+// private SAMLLogger samlLogger = mock(SAMLLogger.class);
private SamlIdentityProviderDefinition providerDefinition;
private IdentityProvider provider;
private ScimUserProvisioning userProvisioning;
@@ -168,7 +168,7 @@ class LoginSamlAuthenticationProviderTests {
private PasswordEncoder passwordEncoder;
@BeforeEach
- void configureProvider() throws SAMLException, SecurityException, DecryptionException, ValidationException, SQLException {
+ void configureProvider() throws /*SAMLException*/ SecurityException, /*DecryptionException*/ /*ValidationException,*/ SQLException {
identityZoneManager = new IdentityZoneManagerImpl();
RequestContextHolder.resetRequestAttributes();
MockHttpServletRequest request = new MockHttpServletRequest(mock(ServletContext.class));
@@ -203,10 +203,10 @@ void configureProvider() throws SAMLException, SecurityException, DecryptionExce
externalManager.mapExternalGroup(uaaSamlAdmin.getId(), SAML_ADMIN, OriginKeys.SAML, identityZoneManager.getCurrentIdentityZone().getId());
externalManager.mapExternalGroup(uaaSamlTest.getId(), SAML_TEST, OriginKeys.SAML, identityZoneManager.getCurrentIdentityZone().getId());
- consumer = mock(WebSSOProfileConsumer.class);
- SAMLCredential credential = getUserCredential("marissa-saml", "Marissa", "Bloggs", "marissa.bloggs@test.com", "1234567890");
-
- when(consumer.processAuthenticationResponse(any())).thenReturn(credential);
+// consumer = mock(WebSSOProfileConsumer.class);
+// SAMLCredential credential = getUserCredential("marissa-saml", "Marissa", "Bloggs", "marissa.bloggs@test.com", "1234567890");
+//
+// when(consumer.processAuthenticationResponse(any())).thenReturn(credential);
TimeService timeService = mock(TimeService.class);
DatabaseUrlModifier databaseUrlModifier = mock(DatabaseUrlModifier.class);
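Review bot: The new `throws` clause on `configureProvider` keeps `SecurityException` while this same commit comments out the `org.opensaml.xml.security.SecurityException` import, so the simple name now appears to bind to `java.lang.SecurityException` (unchecked) — it compiles, but it no longer declares what the original line declared and will silently survive even once the OpenSAML type is gone for good. If no checked SAML exception remains, reduce the clause to what is actually thrown, `void configureProvider() throws SQLException {`, and drop the `/*SAMLException*/` / `/*DecryptionException*/` / `/*ValidationException,*/` remnants rather than leaving them inline. The body of `configureProvider` continues outside this hunk.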
@@ -216,14 +216,14 @@ void configureProvider() throws SAMLException, SecurityException, DecryptionExce
providerProvisioning = new JdbcIdentityProviderProvisioning(jdbcTemplate);
publisher = new CreateUserPublisher(bootstrap);
- authprovider = new LoginSamlAuthenticationProvider(
- identityZoneManager,
- userDatabase,
- providerProvisioning,
- externalManager);
- authprovider.setApplicationEventPublisher(publisher);
- authprovider.setConsumer(consumer);
- authprovider.setSamlLogger(samlLogger);
+// authprovider = new LoginSamlAuthenticationProvider(
+// identityZoneManager,
+// userDatabase,
+// providerProvisioning,
+// externalManager);
+// authprovider.setApplicationEventPublisher(publisher);
+// authprovider.setConsumer(consumer);
+// authprovider.setSamlLogger(samlLogger);
provider = new IdentityProvider();
provider.setIdentityZoneId(IdentityZone.getUaaZoneId());
@@ -243,16 +243,17 @@ void tearDown(@Autowired ApplicationContext applicationContext) throws SQLExcept
RequestContextHolder.resetRequestAttributes();
}
- @Test
- void testAuthenticateSimple() {
- authprovider.authenticate(mockSamlAuthentication());
- }
+// @Test
+// void testAuthenticateSimple() {
+// authprovider.authenticate(mockSamlAuthentication());
+// }
@Test
void testAuthenticationEvents() {
- authprovider.authenticate(mockSamlAuthentication());
- assertEquals(3, publisher.events.size());
- assertTrue(publisher.events.get(2) instanceof IdentityProviderAuthenticationSuccessEvent);
+ fail();
+// authprovider.authenticate(mockSamlAuthentication());
+// assertEquals(3, publisher.events.size());
+// assertTrue(publisher.events.get(2) instanceof IdentityProviderAuthenticationSuccessEvent);
}
@Test
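Review bot: After this hunk `authprovider` is declared (`private LoginSamlAuthenticationProvider authprovider;` in the earlier hunk) but never assigned — the constructor call and the `setApplicationEventPublisher`/`setConsumer`/`setSamlLogger` wiring are all commented out — so any test in this class not yet reduced to `fail()` that still calls `authprovider.authenticate(...)` or `getAuthentication(authprovider)` will die with a `NullPointerException` instead of a meaningful assertion. Either keep constructing the provider with whatever constructor survives the library removal, or mark the dependent tests `@Disabled("SAML library removal")` so the failure mode is explicit in the report. The commented-out setup should be deleted rather than kept; the history is in git.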
@@ -265,208 +266,212 @@ void relay_sets_attribute() { @Test void test_relay_state_when_url() { - String redirectUrl = "https://www.cloudfoundry.org"; - SAMLAuthenticationToken samlAuthenticationToken = mockSamlAuthentication(); - when(samlAuthenticationToken.getCredentials().getRelayState()).thenReturn(redirectUrl); - Authentication authentication = authprovider.authenticate(samlAuthenticationToken); - assertNotNull(authentication, "Authentication cannot be null"); - assertTrue(authentication instanceof UaaAuthentication, "Authentication should be of type:" + UaaAuthentication.class.getName()); - UaaAuthentication uaaAuthentication = (UaaAuthentication) authentication; - assertThat(uaaAuthentication.getAuthContextClassRef(), containsInAnyOrder(AuthnContext.PASSWORD_AUTHN_CTX)); - SAMLMessageContext context = samlAuthenticationToken.getCredentials(); - verify(context, times(1)).getRelayState(); - assertEquals(redirectUrl, RequestContextHolder.currentRequestAttributes().getAttribute(UaaSavedRequestAwareAuthenticationSuccessHandler.URI_OVERRIDE_ATTRIBUTE, RequestAttributes.SCOPE_REQUEST)); + fail(); +// String redirectUrl = "https://www.cloudfoundry.org"; +// SAMLAuthenticationToken samlAuthenticationToken = mockSamlAuthentication(); +// when(samlAuthenticationToken.getCredentials().getRelayState()).thenReturn(redirectUrl); +// Authentication authentication = authprovider.authenticate(samlAuthenticationToken); +// assertNotNull(authentication, "Authentication cannot be null"); +// assertTrue(authentication instanceof UaaAuthentication, "Authentication should be of type:" + UaaAuthentication.class.getName()); +// UaaAuthentication uaaAuthentication = (UaaAuthentication) authentication; +// assertThat(uaaAuthentication.getAuthContextClassRef(), containsInAnyOrder(AuthnContext.PASSWORD_AUTHN_CTX)); +// SAMLMessageContext context = samlAuthenticationToken.getCredentials(); +// verify(context, times(1)).getRelayState(); +// assertEquals(redirectUrl, 
RequestContextHolder.currentRequestAttributes().getAttribute(UaaSavedRequestAwareAuthenticationSuccessHandler.URI_OVERRIDE_ATTRIBUTE, RequestAttributes.SCOPE_REQUEST)); } @Test void saml_authentication_contains_acr() { - SAMLAuthenticationToken samlAuthenticationToken = mockSamlAuthentication(); - Authentication authentication = authprovider.authenticate(samlAuthenticationToken); - assertNotNull(authentication, "Authentication cannot be null"); - assertTrue(authentication instanceof UaaAuthentication, "Authentication should be of type:" + UaaAuthentication.class.getName()); - UaaAuthentication uaaAuthentication = (UaaAuthentication) authentication; - assertThat(uaaAuthentication.getAuthContextClassRef(), containsInAnyOrder(AuthnContext.PASSWORD_AUTHN_CTX)); - - SAMLMessageContext context = samlAuthenticationToken.getCredentials(); - verify(context, times(1)).getRelayState(); - assertNull(RequestContextHolder.currentRequestAttributes().getAttribute(UaaSavedRequestAwareAuthenticationSuccessHandler.URI_OVERRIDE_ATTRIBUTE, RequestAttributes.SCOPE_REQUEST)); - } - - @Test - void test_multiple_group_attributes() { - providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, Arrays.asList("2ndgroups", "groups")); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - UaaAuthentication authentication = getAuthentication(authprovider); - assertEquals(4, authentication.getAuthorities().size(), "Four authorities should have been granted!"); - assertThat(authentication.getAuthorities(), - containsInAnyOrder( - new SimpleGrantedAuthority(UAA_SAML_ADMIN), - new SimpleGrantedAuthority(UAA_SAML_USER), - new SimpleGrantedAuthority(UAA_SAML_TEST), - new SimpleGrantedAuthority(UaaAuthority.UAA_USER.getAuthority()) - ) - ); - } - - @Test - void authenticationContainsAmr() { - UaaAuthentication authentication = getAuthentication(authprovider); - assertThat(authentication.getAuthenticationMethods(), 
containsInAnyOrder("ext")); - } - - @Test - void test_external_groups_as_scopes() { - providerDefinition.setGroupMappingMode(SamlIdentityProviderDefinition.ExternalGroupMappingMode.AS_SCOPES); - providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, Arrays.asList("2ndgroups", "groups")); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - UaaAuthentication authentication = getAuthentication(authprovider); - assertThat(authentication.getAuthorities(), - containsInAnyOrder( - new SimpleGrantedAuthority(SAML_ADMIN), - new SimpleGrantedAuthority(SAML_USER), - new SimpleGrantedAuthority(SAML_TEST), - new SimpleGrantedAuthority(SAML_NOT_MAPPED), - new SimpleGrantedAuthority(UaaAuthority.UAA_USER.getAuthority()) - ) - ); - } - - @Test - void test_group_mapping() { - providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, "groups"); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - UaaAuthentication authentication = getAuthentication(authprovider); - assertEquals(3, authentication.getAuthorities().size(), "Three authorities should have been granted!"); - assertThat(authentication.getAuthorities(), - containsInAnyOrder( - new SimpleGrantedAuthority(UAA_SAML_ADMIN), - new SimpleGrantedAuthority(UAA_SAML_USER), - new SimpleGrantedAuthority(UaaAuthority.UAA_USER.getAuthority()) - ) - ); - } - - @Test - void test_non_string_attributes() { - providerDefinition.addAttributeMapping(USER_ATTRIBUTE_PREFIX + "XSURI", "XSURI"); - providerDefinition.addAttributeMapping(USER_ATTRIBUTE_PREFIX + "XSAny", "XSAny"); - providerDefinition.addAttributeMapping(USER_ATTRIBUTE_PREFIX + "XSQName", "XSQName"); - providerDefinition.addAttributeMapping(USER_ATTRIBUTE_PREFIX + "XSInteger", "XSInteger"); - providerDefinition.addAttributeMapping(USER_ATTRIBUTE_PREFIX + "XSBoolean", "XSBoolean"); - 
providerDefinition.addAttributeMapping(USER_ATTRIBUTE_PREFIX + "XSDateTime", "XSDateTime"); - providerDefinition.addAttributeMapping(USER_ATTRIBUTE_PREFIX + "XSBase64Binary", "XSBase64Binary"); - - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - UaaAuthentication authentication = getAuthentication(authprovider); - assertEquals("http://localhost:8080/someuri", authentication.getUserAttributes().getFirst("XSURI")); - assertEquals("XSAnyValue", authentication.getUserAttributes().getFirst("XSAny")); - assertEquals("XSQNameValue", authentication.getUserAttributes().getFirst("XSQName")); - assertEquals("3", authentication.getUserAttributes().getFirst("XSInteger")); - assertEquals("true", authentication.getUserAttributes().getFirst("XSBoolean")); - assertEquals(new DateTime(0).toString(), authentication.getUserAttributes().getFirst("XSDateTime")); - assertEquals("00001111", authentication.getUserAttributes().getFirst("XSBase64Binary")); - } - - @Test - void externalGroup_NotMapped_ToScope() { - try { - externalManager.unmapExternalGroup(uaaSamlUser.getId(), SAML_USER, OriginKeys.SAML, identityZoneManager.getCurrentIdentityZone().getId()); - externalManager.unmapExternalGroup(uaaSamlAdmin.getId(), SAML_ADMIN, OriginKeys.SAML, identityZoneManager.getCurrentIdentityZone().getId()); - providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, "groups"); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - UaaAuthentication authentication = getAuthentication(authprovider); - assertEquals(1, authentication.getAuthorities().size(), "Three authorities should have been granted!"); - assertThat(authentication.getAuthorities(), - not(containsInAnyOrder( - new SimpleGrantedAuthority(UAA_SAML_ADMIN), - new SimpleGrantedAuthority(UAA_SAML_USER) - )) - ); - } finally { - 
externalManager.mapExternalGroup(uaaSamlUser.getId(), SAML_USER, OriginKeys.SAML, identityZoneManager.getCurrentIdentityZone().getId()); - externalManager.mapExternalGroup(uaaSamlAdmin.getId(), SAML_ADMIN, OriginKeys.SAML, identityZoneManager.getCurrentIdentityZone().getId()); - } - } - - @Test - void test_group_attribute_not_set() { - UaaAuthentication uaaAuthentication = getAuthentication(authprovider); - assertEquals(1, uaaAuthentication.getAuthorities().size(), "Only uaa.user should have been granted"); - assertEquals(UaaAuthority.UAA_USER.getAuthority(), uaaAuthentication.getAuthorities().iterator().next().getAuthority()); - } - - @Test - void dontAdd_external_groups_to_authentication_without_whitelist() { - providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, "groups"); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - - UaaAuthentication authentication = getAuthentication(authprovider); - assertEquals(Collections.EMPTY_SET, authentication.getExternalGroups()); - } - - @Test - void add_external_groups_to_authentication_with_whitelist() { - providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, "groups"); - providerDefinition.addWhiteListedGroup(SAML_ADMIN); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - - UaaAuthentication authentication = getAuthentication(authprovider); - assertEquals(Collections.singleton(SAML_ADMIN), authentication.getExternalGroups()); - } - - @Test - void add_external_groups_to_authentication_with_wildcard_whitelist() { - providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, "groups"); - providerDefinition.addWhiteListedGroup("saml*"); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - UaaAuthentication authentication = getAuthentication(authprovider); 
- assertThat(authentication.getExternalGroups(), containsInAnyOrder(SAML_USER, SAML_ADMIN, SAML_NOT_MAPPED)); + fail(); +// SAMLAuthenticationToken samlAuthenticationToken = mockSamlAuthentication(); +// Authentication authentication = authprovider.authenticate(samlAuthenticationToken); +// assertNotNull(authentication, "Authentication cannot be null"); +// assertTrue(authentication instanceof UaaAuthentication, "Authentication should be of type:" + UaaAuthentication.class.getName()); +// UaaAuthentication uaaAuthentication = (UaaAuthentication) authentication; +// assertThat(uaaAuthentication.getAuthContextClassRef(), containsInAnyOrder(AuthnContext.PASSWORD_AUTHN_CTX)); +// +// SAMLMessageContext context = samlAuthenticationToken.getCredentials(); +// verify(context, times(1)).getRelayState(); +// assertNull(RequestContextHolder.currentRequestAttributes().getAttribute(UaaSavedRequestAwareAuthenticationSuccessHandler.URI_OVERRIDE_ATTRIBUTE, RequestAttributes.SCOPE_REQUEST)); } +// +// @Test +// void test_multiple_group_attributes() { +// providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, Arrays.asList("2ndgroups", "groups")); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// UaaAuthentication authentication = getAuthentication(authprovider); +// assertEquals(4, authentication.getAuthorities().size(), "Four authorities should have been granted!"); +// assertThat(authentication.getAuthorities(), +// containsInAnyOrder( +// new SimpleGrantedAuthority(UAA_SAML_ADMIN), +// new SimpleGrantedAuthority(UAA_SAML_USER), +// new SimpleGrantedAuthority(UAA_SAML_TEST), +// new SimpleGrantedAuthority(UaaAuthority.UAA_USER.getAuthority()) +// ) +// ); +// } +// +// @Test +// void authenticationContainsAmr() { +// UaaAuthentication authentication = getAuthentication(authprovider); +// assertThat(authentication.getAuthenticationMethods(), containsInAnyOrder("ext")); +// } +// 
+// @Test +// void test_external_groups_as_scopes() { +// providerDefinition.setGroupMappingMode(SamlIdentityProviderDefinition.ExternalGroupMappingMode.AS_SCOPES); +// providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, Arrays.asList("2ndgroups", "groups")); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// UaaAuthentication authentication = getAuthentication(authprovider); +// assertThat(authentication.getAuthorities(), +// containsInAnyOrder( +// new SimpleGrantedAuthority(SAML_ADMIN), +// new SimpleGrantedAuthority(SAML_USER), +// new SimpleGrantedAuthority(SAML_TEST), +// new SimpleGrantedAuthority(SAML_NOT_MAPPED), +// new SimpleGrantedAuthority(UaaAuthority.UAA_USER.getAuthority()) +// ) +// ); +// } +// +// @Test +// void test_group_mapping() { +// providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, "groups"); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// UaaAuthentication authentication = getAuthentication(authprovider); +// assertEquals(3, authentication.getAuthorities().size(), "Three authorities should have been granted!"); +// assertThat(authentication.getAuthorities(), +// containsInAnyOrder( +// new SimpleGrantedAuthority(UAA_SAML_ADMIN), +// new SimpleGrantedAuthority(UAA_SAML_USER), +// new SimpleGrantedAuthority(UaaAuthority.UAA_USER.getAuthority()) +// ) +// ); +// } +// +// @Test +// void test_non_string_attributes() { +// providerDefinition.addAttributeMapping(USER_ATTRIBUTE_PREFIX + "XSURI", "XSURI"); +// providerDefinition.addAttributeMapping(USER_ATTRIBUTE_PREFIX + "XSAny", "XSAny"); +// providerDefinition.addAttributeMapping(USER_ATTRIBUTE_PREFIX + "XSQName", "XSQName"); +// providerDefinition.addAttributeMapping(USER_ATTRIBUTE_PREFIX + "XSInteger", "XSInteger"); +// providerDefinition.addAttributeMapping(USER_ATTRIBUTE_PREFIX + 
"XSBoolean", "XSBoolean"); +// providerDefinition.addAttributeMapping(USER_ATTRIBUTE_PREFIX + "XSDateTime", "XSDateTime"); +// providerDefinition.addAttributeMapping(USER_ATTRIBUTE_PREFIX + "XSBase64Binary", "XSBase64Binary"); +// +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// UaaAuthentication authentication = getAuthentication(authprovider); +// assertEquals("http://localhost:8080/someuri", authentication.getUserAttributes().getFirst("XSURI")); +// assertEquals("XSAnyValue", authentication.getUserAttributes().getFirst("XSAny")); +// assertEquals("XSQNameValue", authentication.getUserAttributes().getFirst("XSQName")); +// assertEquals("3", authentication.getUserAttributes().getFirst("XSInteger")); +// assertEquals("true", authentication.getUserAttributes().getFirst("XSBoolean")); +// assertEquals(new DateTime(0).toString(), authentication.getUserAttributes().getFirst("XSDateTime")); +// assertEquals("00001111", authentication.getUserAttributes().getFirst("XSBase64Binary")); +// } +// +// @Test +// void externalGroup_NotMapped_ToScope() { +// try { +// externalManager.unmapExternalGroup(uaaSamlUser.getId(), SAML_USER, OriginKeys.SAML, identityZoneManager.getCurrentIdentityZone().getId()); +// externalManager.unmapExternalGroup(uaaSamlAdmin.getId(), SAML_ADMIN, OriginKeys.SAML, identityZoneManager.getCurrentIdentityZone().getId()); +// providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, "groups"); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// UaaAuthentication authentication = getAuthentication(authprovider); +// assertEquals(1, authentication.getAuthorities().size(), "Three authorities should have been granted!"); +// assertThat(authentication.getAuthorities(), +// not(containsInAnyOrder( +// new SimpleGrantedAuthority(UAA_SAML_ADMIN), +// new 
SimpleGrantedAuthority(UAA_SAML_USER) +// )) +// ); +// } finally { +// externalManager.mapExternalGroup(uaaSamlUser.getId(), SAML_USER, OriginKeys.SAML, identityZoneManager.getCurrentIdentityZone().getId()); +// externalManager.mapExternalGroup(uaaSamlAdmin.getId(), SAML_ADMIN, OriginKeys.SAML, identityZoneManager.getCurrentIdentityZone().getId()); +// } +// } +// +// @Test +// void test_group_attribute_not_set() { +// UaaAuthentication uaaAuthentication = getAuthentication(authprovider); +// assertEquals(1, uaaAuthentication.getAuthorities().size(), "Only uaa.user should have been granted"); +// assertEquals(UaaAuthority.UAA_USER.getAuthority(), uaaAuthentication.getAuthorities().iterator().next().getAuthority()); +// } +// +// @Test +// void dontAdd_external_groups_to_authentication_without_whitelist() { +// providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, "groups"); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// +// UaaAuthentication authentication = getAuthentication(authprovider); +// assertEquals(Collections.EMPTY_SET, authentication.getExternalGroups()); +// } +// +// @Test +// void add_external_groups_to_authentication_with_whitelist() { +// providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, "groups"); +// providerDefinition.addWhiteListedGroup(SAML_ADMIN); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// +// UaaAuthentication authentication = getAuthentication(authprovider); +// assertEquals(Collections.singleton(SAML_ADMIN), authentication.getExternalGroups()); +// } +// +// @Test +// void add_external_groups_to_authentication_with_wildcard_whitelist() { +// providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, "groups"); +// providerDefinition.addWhiteListedGroup("saml*"); +// provider.setConfig(providerDefinition); +// 
providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// UaaAuthentication authentication = getAuthentication(authprovider); +// assertThat(authentication.getExternalGroups(), containsInAnyOrder(SAML_USER, SAML_ADMIN, SAML_NOT_MAPPED)); +// } @Test void update_invitedUser_whose_username_is_notEmail() throws Exception { - ScimUser scimUser = getInvitedUser(); - - SAMLCredential credential = getUserCredential("marissa-invited", "Marissa-invited", null, "marissa.invited@test.org", null); - when(consumer.processAuthenticationResponse(any())).thenReturn(credential); - getAuthentication(authprovider); - - UaaUser user = userDatabase.retrieveUserById(scimUser.getId()); - assertFalse(user.isVerified()); - assertEquals("marissa-invited", user.getUsername()); - assertEquals("marissa.invited@test.org", user.getEmail()); - - RequestContextHolder.resetRequestAttributes(); + fail(); +// ScimUser scimUser = getInvitedUser(); +// +// SAMLCredential credential = getUserCredential("marissa-invited", "Marissa-invited", null, "marissa.invited@test.org", null); +// when(consumer.processAuthenticationResponse(any())).thenReturn(credential); +// getAuthentication(authprovider); +// +// UaaUser user = userDatabase.retrieveUserById(scimUser.getId()); +// assertFalse(user.isVerified()); +// assertEquals("marissa-invited", user.getUsername()); +// assertEquals("marissa.invited@test.org", user.getEmail()); +// +// RequestContextHolder.resetRequestAttributes(); } @Test void invitedUser_authentication_whenAuthenticatedEmailDoesNotMatchInvitedEmail() throws Exception { - Map attributeMappings = new HashMap<>(); - attributeMappings.put("email", "emailAddress"); - providerDefinition.setAttributeMappings(attributeMappings); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - - ScimUser scimUser = getInvitedUser(); - - SAMLCredential credential = 
getUserCredential("marissa-invited", "Marissa-invited", null, "different@test.org", null); - when(consumer.processAuthenticationResponse(any())).thenReturn(credential); - try { - getAuthentication(authprovider); - fail(); - } catch (BadCredentialsException e) { - UaaUser user = userDatabase.retrieveUserById(scimUser.getId()); - assertFalse(user.isVerified()); - } - RequestContextHolder.resetRequestAttributes(); + fail(); +// Map attributeMappings = new HashMap<>(); +// attributeMappings.put("email", "emailAddress"); +// providerDefinition.setAttributeMappings(attributeMappings); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// +// ScimUser scimUser = getInvitedUser(); +// +// SAMLCredential credential = getUserCredential("marissa-invited", "Marissa-invited", null, "different@test.org", null); +// when(consumer.processAuthenticationResponse(any())).thenReturn(credential); +// try { +// getAuthentication(authprovider); +// fail(); +// } catch (BadCredentialsException e) { +// UaaUser user = userDatabase.retrieveUserById(scimUser.getId()); +// assertFalse(user.isVerified()); +// } +// RequestContextHolder.resetRequestAttributes(); } private ScimUser getInvitedUser() { 
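Review bot: Several authorization-relevant regression tests are switched off here without a replacement: `invitedUser_authentication_whenAuthenticatedEmailDoesNotMatchInvitedEmail` (an assertion whose email differs from the invitation must be rejected with `BadCredentialsException` and leave the user unverified), the group-mapping and `addWhiteListedGroup` tests that bound which external groups reach `getAuthorities()` / `getExternalGroups()`, and `test_relay_state_when_url`, which pins how RelayState drives the post-login redirect via `URI_OVERRIDE_ATTRIBUTE`. The methods reduced to a bare `fail();` should carry `@Disabled("SAML library removal: re-implement against the replacement provider")` with their assertions kept readable, and the fully commented-out tests should either be deleted or disabled the same way so their names stay discoverable in the test report. Please track each of these by name so the replacement provider re-establishes them before this login path is exposed.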
@@ -486,284 +491,286 @@ private ScimUser getInvitedUser() {
 @Test
 void update_existingUser_if_attributes_different() throws Exception {
- try {
- userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML);
- fail("user should not exist");
- } catch (UsernameNotFoundException ignored) {
- }
- getAuthentication(authprovider);
- UaaUser user = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML);
- assertFalse(user.isVerified());
- Map attributeMappings = new HashMap<>();
- attributeMappings.put("given_name", "firstName");
- attributeMappings.put("email", "emailAddress");
- attributeMappings.put("email_verified", "emailVerified");
- providerDefinition.setAttributeMappings(attributeMappings);
- provider.setConfig(providerDefinition);
- providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId());
-
- SAMLCredential credential = getUserCredential("marissa-saml", "Marissa-changed", null, "marissa.bloggs@change.org", null);
- when(consumer.processAuthenticationResponse(any())).thenReturn(credential);
- getAuthentication(authprovider);
-
- user = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML);
- assertEquals("Marissa-changed", user.getGivenName());
- assertEquals("marissa.bloggs@change.org", user.getEmail());
- assertFalse(user.isVerified());
-
- credential = getUserCredential("marissa-saml", "Marissa-changed", null, "marissa.bloggs@change.org", null, true);
- when(consumer.processAuthenticationResponse(any())).thenReturn(credential);
- getAuthentication(authprovider);
-
- user = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML);
- assertEquals("Marissa-changed", user.getGivenName());
- assertEquals("marissa.bloggs@change.org", user.getEmail());
- assertTrue(user.isVerified());
+ fail();
+// try {
+// userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML);
+// fail("user should not exist");
+// } catch (UsernameNotFoundException ignored) {
+// }
+// getAuthentication(authprovider);
+// UaaUser user = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); +// assertFalse(user.isVerified()); +// Map attributeMappings = new HashMap<>(); +// attributeMappings.put("given_name", "firstName"); +// attributeMappings.put("email", "emailAddress"); +// attributeMappings.put("email_verified", "emailVerified"); +// providerDefinition.setAttributeMappings(attributeMappings); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// +// SAMLCredential credential = getUserCredential("marissa-saml", "Marissa-changed", null, "marissa.bloggs@change.org", null); +// when(consumer.processAuthenticationResponse(any())).thenReturn(credential); +// getAuthentication(authprovider); +// +// user = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); +// assertEquals("Marissa-changed", user.getGivenName()); +// assertEquals("marissa.bloggs@change.org", user.getEmail()); +// assertFalse(user.isVerified()); +// +// credential = getUserCredential("marissa-saml", "Marissa-changed", null, "marissa.bloggs@change.org", null, true); +// when(consumer.processAuthenticationResponse(any())).thenReturn(credential); +// getAuthentication(authprovider); +// +// user = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); +// assertEquals("Marissa-changed", user.getGivenName()); +// assertEquals("marissa.bloggs@change.org", user.getEmail()); +// assertTrue(user.isVerified()); } @Test void update_existingUser_if_username_different() { - Map attributeMappings = new HashMap<>(); - attributeMappings.put("given_name", "firstName"); - attributeMappings.put("family_name", "lastName"); - attributeMappings.put("email", "emailAddress"); - attributeMappings.put("phone_number", "phone"); - providerDefinition.setAttributeMappings(attributeMappings); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, 
identityZoneManager.getCurrentIdentityZone().getId()); - - getAuthentication(authprovider); - - UaaUser originalUser = userDatabase.retrieveUserByEmail("marissa.bloggs@test.com", OriginKeys.SAML); - assertNotNull(originalUser); - assertEquals("marissa-saml", originalUser.getUsername()); - - LinkedMultiValueMap attributes = new LinkedMultiValueMap<>(); - attributes.add(GIVEN_NAME_ATTRIBUTE_NAME, "Marissa"); - attributes.add(FAMILY_NAME_ATTRIBUTE_NAME, "Bloggs"); - attributes.add(EMAIL_ATTRIBUTE_NAME, "marissa.bloggs@test.com"); - attributes.add(PHONE_NUMBER_ATTRIBUTE_NAME, "1234567890"); - - UaaPrincipal samlPrincipal = new UaaPrincipal(OriginKeys.NotANumber, "marissa-saml-changed", "marissa.bloggs@test.com", OriginKeys.SAML, "marissa-saml-changed", identityZoneManager.getCurrentIdentityZone().getId()); - UaaUser user = authprovider.createIfMissing(samlPrincipal, false, new ArrayList(), attributes); - - assertNotNull(user); - assertEquals("marissa-saml-changed", user.getUsername()); - } - - @Test - void dont_update_existingUser_if_attributes_areTheSame() { - getAuthentication(authprovider); - UaaUser user = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); - - getAuthentication(authprovider); - UaaUser existingUser = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); - - assertEquals(existingUser.getModified(), user.getModified()); - } - - @Test - void have_attributes_changed() { - getAuthentication(authprovider); - UaaUser existing = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); - UaaUser modified = new UaaUser(new UaaUserPrototype(existing)); - assertFalse(authprovider.haveUserAttributesChanged(existing, modified), "Nothing modified"); - modified = new UaaUser(new UaaUserPrototype(existing).withEmail("other-email")); - assertTrue(authprovider.haveUserAttributesChanged(existing, modified), "Email modified"); - modified = new UaaUser(new UaaUserPrototype(existing).withPhoneNumber("other-phone")); - 
assertTrue(authprovider.haveUserAttributesChanged(existing, modified), "Phone number modified"); - modified = new UaaUser(new UaaUserPrototype(existing).withVerified(!existing.isVerified())); - assertTrue(authprovider.haveUserAttributesChanged(existing, modified), "Verified email modified"); - modified = new UaaUser(new UaaUserPrototype(existing).withGivenName("other-given")); - assertTrue(authprovider.haveUserAttributesChanged(existing, modified), "First name modified"); - modified = new UaaUser(new UaaUserPrototype(existing).withFamilyName("other-family")); - assertTrue(authprovider.haveUserAttributesChanged(existing, modified), "Last name modified"); + fail(); +// Map attributeMappings = new HashMap<>(); +// attributeMappings.put("given_name", "firstName"); +// attributeMappings.put("family_name", "lastName"); +// attributeMappings.put("email", "emailAddress"); +// attributeMappings.put("phone_number", "phone"); +// providerDefinition.setAttributeMappings(attributeMappings); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// +// getAuthentication(authprovider); +// +// UaaUser originalUser = userDatabase.retrieveUserByEmail("marissa.bloggs@test.com", OriginKeys.SAML); +// assertNotNull(originalUser); +// assertEquals("marissa-saml", originalUser.getUsername()); +// +// LinkedMultiValueMap attributes = new LinkedMultiValueMap<>(); +// attributes.add(GIVEN_NAME_ATTRIBUTE_NAME, "Marissa"); +// attributes.add(FAMILY_NAME_ATTRIBUTE_NAME, "Bloggs"); +// attributes.add(EMAIL_ATTRIBUTE_NAME, "marissa.bloggs@test.com"); +// attributes.add(PHONE_NUMBER_ATTRIBUTE_NAME, "1234567890"); +// +// UaaPrincipal samlPrincipal = new UaaPrincipal(OriginKeys.NotANumber, "marissa-saml-changed", "marissa.bloggs@test.com", OriginKeys.SAML, "marissa-saml-changed", identityZoneManager.getCurrentIdentityZone().getId()); +// UaaUser user = authprovider.createIfMissing(samlPrincipal, false, new 
ArrayList(), attributes); +// +// assertNotNull(user); +// assertEquals("marissa-saml-changed", user.getUsername()); } - @Test - void shadowAccount_createdWith_MappedUserAttributes() { - Map attributeMappings = new HashMap<>(); - attributeMappings.put("given_name", "firstName"); - attributeMappings.put("family_name", "lastName"); - attributeMappings.put("email", "emailAddress"); - attributeMappings.put("phone_number", "phone"); - providerDefinition.setAttributeMappings(attributeMappings); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - - getAuthentication(authprovider); - UaaUser user = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); - assertEquals("Marissa", user.getGivenName()); - assertEquals("Bloggs", user.getFamilyName()); - assertEquals("marissa.bloggs@test.com", user.getEmail()); - assertEquals("1234567890", user.getPhoneNumber()); - } - - @Test - void custom_user_attributes_stored_if_configured() { - Map attributeMappings = new HashMap<>(); - attributeMappings.put("given_name", "firstName"); - attributeMappings.put("family_name", "lastName"); - attributeMappings.put("email", "emailAddress"); - attributeMappings.put("phone_number", "phone"); - attributeMappings.put(USER_ATTRIBUTE_PREFIX + "secondary_email", "emailAddress"); - providerDefinition.setAttributeMappings(attributeMappings); - providerDefinition.setStoreCustomAttributes(false); - provider.setConfig(providerDefinition); - provider = providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - - UaaAuthentication authentication = getAuthentication(authprovider); - UaaUser user = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); - assertEquals("Marissa", user.getGivenName()); - assertEquals("Bloggs", user.getFamilyName()); - assertEquals("marissa.bloggs@test.com", user.getEmail()); - assertEquals("1234567890", user.getPhoneNumber()); - 
assertEquals("marissa.bloggs@test.com", authentication.getUserAttributes().getFirst("secondary_email")); - - UserInfo userInfo = userDatabase.getUserInfo(user.getId()); - assertNull(userInfo); - - providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, "groups"); - providerDefinition.addWhiteListedGroup(SAML_ADMIN); - providerDefinition.setStoreCustomAttributes(true); - provider.setConfig(providerDefinition); - provider = providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - authentication = getAuthentication(authprovider); - assertEquals("marissa.bloggs@test.com", authentication.getUserAttributes().getFirst("secondary_email")); - userInfo = userDatabase.getUserInfo(user.getId()); - assertNotNull(userInfo); - assertEquals("marissa.bloggs@test.com", userInfo.getUserAttributes().getFirst("secondary_email")); - assertNotNull(userInfo.getRoles()); - assertEquals(1, userInfo.getRoles().size()); - assertEquals(SAML_ADMIN, userInfo.getRoles().get(0)); - } - - @Test - void authnContext_isvalidated_fail() { - providerDefinition.setAuthnContext(Arrays.asList("some-context", "another-context")); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - - try { - getAuthentication(authprovider); - fail("Expected authentication to throw BadCredentialsException"); - } catch (BadCredentialsException ignored) { - - } - } - - @Test - void authnContext_isvalidated_good() { - providerDefinition.setAuthnContext(Collections.singletonList(AuthnContext.PASSWORD_AUTHN_CTX)); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - - try { - getAuthentication(authprovider); - } catch (BadCredentialsException ex) { - fail("Expected authentication to succeed"); - } - } - - @Test - void shadowAccountNotCreated_givenShadowAccountCreationDisabled() { - Map attributeMappings = new 
HashMap<>(); - attributeMappings.put("given_name", "firstName"); - attributeMappings.put("family_name", "lastName"); - attributeMappings.put("email", "emailAddress"); - attributeMappings.put("phone_number", "phone"); - providerDefinition.setAttributeMappings(attributeMappings); - providerDefinition.setAddShadowUserOnLogin(false); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - - try { - getAuthentication(authprovider); - fail("Expected authentication to throw LoginSAMLException"); - } catch (LoginSAMLException ignored) { - - } - - try { - userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); - fail("Expected user not to exist in database"); - } catch (UsernameNotFoundException ignored) { - - } - } - - @Test - void should_NotCreateShadowAccount_AndInstead_UpdateExistingUserUsername_if_userWithEmailExists() { - Map attributeMappings = new HashMap<>(); - attributeMappings.put("email", "emailAddress"); - providerDefinition.setAttributeMappings(attributeMappings); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - - ScimUser createdUser = createSamlUser("marissa.bloggs@test.com", identityZoneManager.getCurrentIdentityZone().getId(), userProvisioning); - - getAuthentication(authprovider); - - UaaUser uaaUser = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); - assertEquals(createdUser.getId(), uaaUser.getId()); - assertEquals("marissa-saml", uaaUser.getUsername()); - } - - @Test - void error_when_multipleUsers_with_sameEmail() { - Map attributeMappings = new HashMap<>(); - attributeMappings.put("email", "emailAddress"); - providerDefinition.setAttributeMappings(attributeMappings); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - - createSamlUser("marissa.bloggs@test.com", 
identityZoneManager.getCurrentIdentityZone().getId(), userProvisioning); - createSamlUser("marissa.bloggs", identityZoneManager.getCurrentIdentityZone().getId(), userProvisioning); - - assertThrows(IncorrectResultSizeDataAccessException.class, () -> getAuthentication(authprovider)); - } - - @Test - void shadowUser_GetsCreatedWithDefaultValues_IfAttributeNotMapped() { - Map attributeMappings = new HashMap<>(); - attributeMappings.put("surname", "lastName"); - attributeMappings.put("email", "emailAddress"); - providerDefinition.setAttributeMappings(attributeMappings); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - - UaaAuthentication authentication = getAuthentication(authprovider); - UaaUser user = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); - assertEquals("marissa.bloggs", user.getGivenName()); - assertEquals("test.com", user.getFamilyName()); - assertEquals("marissa.bloggs@test.com", user.getEmail()); - assertEquals(0, authentication.getUserAttributes().size(), "No custom attributes have been mapped"); - } - - @Test - void user_authentication_contains_custom_attributes() { - String COST_CENTERS = COST_CENTER + "s"; - String MANAGERS = MANAGER + "s"; - - Map attributeMappings = new HashMap<>(); - - attributeMappings.put(USER_ATTRIBUTE_PREFIX + COST_CENTERS, COST_CENTER); - attributeMappings.put(USER_ATTRIBUTE_PREFIX + MANAGERS, MANAGER); - - providerDefinition.setAttributeMappings(attributeMappings); - provider.setConfig(providerDefinition); - providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); - - UaaAuthentication authentication = getAuthentication(authprovider); - - assertEquals(2, authentication.getUserAttributes().size(), "Expected two user attributes"); - assertNotNull(authentication.getUserAttributes().get(COST_CENTERS), "Expected cost center attribute"); - assertEquals(DENVER_CO, 
authentication.getUserAttributes().getFirst(COST_CENTERS)); - - assertNotNull(authentication.getUserAttributes().get(MANAGERS), "Expected manager attribute"); - assertEquals(2, authentication.getUserAttributes().get(MANAGERS).size(), "Expected 2 manager attribute values"); - assertThat(authentication.getUserAttributes().get(MANAGERS), containsInAnyOrder(JOHN_THE_SLOTH, KARI_THE_ANT_EATER)); - } +// @Test +// void dont_update_existingUser_if_attributes_areTheSame() { +// getAuthentication(authprovider); +// UaaUser user = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); +// +// getAuthentication(authprovider); +// UaaUser existingUser = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); +// +// assertEquals(existingUser.getModified(), user.getModified()); +// } +// +// @Test +// void have_attributes_changed() { +// getAuthentication(authprovider); +// UaaUser existing = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); +// UaaUser modified = new UaaUser(new UaaUserPrototype(existing)); +// assertFalse(authprovider.haveUserAttributesChanged(existing, modified), "Nothing modified"); +// modified = new UaaUser(new UaaUserPrototype(existing).withEmail("other-email")); +// assertTrue(authprovider.haveUserAttributesChanged(existing, modified), "Email modified"); +// modified = new UaaUser(new UaaUserPrototype(existing).withPhoneNumber("other-phone")); +// assertTrue(authprovider.haveUserAttributesChanged(existing, modified), "Phone number modified"); +// modified = new UaaUser(new UaaUserPrototype(existing).withVerified(!existing.isVerified())); +// assertTrue(authprovider.haveUserAttributesChanged(existing, modified), "Verified email modified"); +// modified = new UaaUser(new UaaUserPrototype(existing).withGivenName("other-given")); +// assertTrue(authprovider.haveUserAttributesChanged(existing, modified), "First name modified"); +// modified = new UaaUser(new UaaUserPrototype(existing).withFamilyName("other-family")); +// 
assertTrue(authprovider.haveUserAttributesChanged(existing, modified), "Last name modified"); +// } +// +// @Test +// void shadowAccount_createdWith_MappedUserAttributes() { +// Map attributeMappings = new HashMap<>(); +// attributeMappings.put("given_name", "firstName"); +// attributeMappings.put("family_name", "lastName"); +// attributeMappings.put("email", "emailAddress"); +// attributeMappings.put("phone_number", "phone"); +// providerDefinition.setAttributeMappings(attributeMappings); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// +// getAuthentication(authprovider); +// UaaUser user = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); +// assertEquals("Marissa", user.getGivenName()); +// assertEquals("Bloggs", user.getFamilyName()); +// assertEquals("marissa.bloggs@test.com", user.getEmail()); +// assertEquals("1234567890", user.getPhoneNumber()); +// } +// +// @Test +// void custom_user_attributes_stored_if_configured() { +// Map attributeMappings = new HashMap<>(); +// attributeMappings.put("given_name", "firstName"); +// attributeMappings.put("family_name", "lastName"); +// attributeMappings.put("email", "emailAddress"); +// attributeMappings.put("phone_number", "phone"); +// attributeMappings.put(USER_ATTRIBUTE_PREFIX + "secondary_email", "emailAddress"); +// providerDefinition.setAttributeMappings(attributeMappings); +// providerDefinition.setStoreCustomAttributes(false); +// provider.setConfig(providerDefinition); +// provider = providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// +// UaaAuthentication authentication = getAuthentication(authprovider); +// UaaUser user = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); +// assertEquals("Marissa", user.getGivenName()); +// assertEquals("Bloggs", user.getFamilyName()); +// assertEquals("marissa.bloggs@test.com", user.getEmail()); +// 
assertEquals("1234567890", user.getPhoneNumber()); +// assertEquals("marissa.bloggs@test.com", authentication.getUserAttributes().getFirst("secondary_email")); +// +// UserInfo userInfo = userDatabase.getUserInfo(user.getId()); +// assertNull(userInfo); +// +// providerDefinition.addAttributeMapping(GROUP_ATTRIBUTE_NAME, "groups"); +// providerDefinition.addWhiteListedGroup(SAML_ADMIN); +// providerDefinition.setStoreCustomAttributes(true); +// provider.setConfig(providerDefinition); +// provider = providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// authentication = getAuthentication(authprovider); +// assertEquals("marissa.bloggs@test.com", authentication.getUserAttributes().getFirst("secondary_email")); +// userInfo = userDatabase.getUserInfo(user.getId()); +// assertNotNull(userInfo); +// assertEquals("marissa.bloggs@test.com", userInfo.getUserAttributes().getFirst("secondary_email")); +// assertNotNull(userInfo.getRoles()); +// assertEquals(1, userInfo.getRoles().size()); +// assertEquals(SAML_ADMIN, userInfo.getRoles().get(0)); +// } +// +// @Test +// void authnContext_isvalidated_fail() { +// providerDefinition.setAuthnContext(Arrays.asList("some-context", "another-context")); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// +// try { +// getAuthentication(authprovider); +// fail("Expected authentication to throw BadCredentialsException"); +// } catch (BadCredentialsException ignored) { +// +// } +// } +// +// @Test +// void authnContext_isvalidated_good() { +// providerDefinition.setAuthnContext(Collections.singletonList(AuthnContext.PASSWORD_AUTHN_CTX)); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// +// try { +// getAuthentication(authprovider); +// } catch (BadCredentialsException ex) { +// fail("Expected authentication 
to succeed"); +// } +// } +// +// @Test +// void shadowAccountNotCreated_givenShadowAccountCreationDisabled() { +// Map attributeMappings = new HashMap<>(); +// attributeMappings.put("given_name", "firstName"); +// attributeMappings.put("family_name", "lastName"); +// attributeMappings.put("email", "emailAddress"); +// attributeMappings.put("phone_number", "phone"); +// providerDefinition.setAttributeMappings(attributeMappings); +// providerDefinition.setAddShadowUserOnLogin(false); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// +// try { +// getAuthentication(authprovider); +// fail("Expected authentication to throw LoginSAMLException"); +// } catch (LoginSAMLException ignored) { +// +// } +// +// try { +// userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); +// fail("Expected user not to exist in database"); +// } catch (UsernameNotFoundException ignored) { +// +// } +// } +// +// @Test +// void should_NotCreateShadowAccount_AndInstead_UpdateExistingUserUsername_if_userWithEmailExists() { +// Map attributeMappings = new HashMap<>(); +// attributeMappings.put("email", "emailAddress"); +// providerDefinition.setAttributeMappings(attributeMappings); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// +// ScimUser createdUser = createSamlUser("marissa.bloggs@test.com", identityZoneManager.getCurrentIdentityZone().getId(), userProvisioning); +// +// getAuthentication(authprovider); +// +// UaaUser uaaUser = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); +// assertEquals(createdUser.getId(), uaaUser.getId()); +// assertEquals("marissa-saml", uaaUser.getUsername()); +// } +// +// @Test +// void error_when_multipleUsers_with_sameEmail() { +// Map attributeMappings = new HashMap<>(); +// attributeMappings.put("email", "emailAddress"); +// 
providerDefinition.setAttributeMappings(attributeMappings); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// +// createSamlUser("marissa.bloggs@test.com", identityZoneManager.getCurrentIdentityZone().getId(), userProvisioning); +// createSamlUser("marissa.bloggs", identityZoneManager.getCurrentIdentityZone().getId(), userProvisioning); +// +// assertThrows(IncorrectResultSizeDataAccessException.class, () -> getAuthentication(authprovider)); +// } +// +// @Test +// void shadowUser_GetsCreatedWithDefaultValues_IfAttributeNotMapped() { +// Map attributeMappings = new HashMap<>(); +// attributeMappings.put("surname", "lastName"); +// attributeMappings.put("email", "emailAddress"); +// providerDefinition.setAttributeMappings(attributeMappings); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// +// UaaAuthentication authentication = getAuthentication(authprovider); +// UaaUser user = userDatabase.retrieveUserByName("marissa-saml", OriginKeys.SAML); +// assertEquals("marissa.bloggs", user.getGivenName()); +// assertEquals("test.com", user.getFamilyName()); +// assertEquals("marissa.bloggs@test.com", user.getEmail()); +// assertEquals(0, authentication.getUserAttributes().size(), "No custom attributes have been mapped"); +// } +// +// @Test +// void user_authentication_contains_custom_attributes() { +// String COST_CENTERS = COST_CENTER + "s"; +// String MANAGERS = MANAGER + "s"; +// +// Map attributeMappings = new HashMap<>(); +// +// attributeMappings.put(USER_ATTRIBUTE_PREFIX + COST_CENTERS, COST_CENTER); +// attributeMappings.put(USER_ATTRIBUTE_PREFIX + MANAGERS, MANAGER); +// +// providerDefinition.setAttributeMappings(attributeMappings); +// provider.setConfig(providerDefinition); +// providerProvisioning.update(provider, identityZoneManager.getCurrentIdentityZone().getId()); +// 
+// UaaAuthentication authentication = getAuthentication(authprovider);
+//
+// assertEquals(2, authentication.getUserAttributes().size(), "Expected two user attributes");
+// assertNotNull(authentication.getUserAttributes().get(COST_CENTERS), "Expected cost center attribute");
+// assertEquals(DENVER_CO, authentication.getUserAttributes().getFirst(COST_CENTERS));
+//
+// assertNotNull(authentication.getUserAttributes().get(MANAGERS), "Expected manager attribute");
+// assertEquals(2, authentication.getUserAttributes().get(MANAGERS).size(), "Expected 2 manager attribute values");
+// assertThat(authentication.getUserAttributes().get(MANAGERS), containsInAnyOrder(JOHN_THE_SLOTH, KARI_THE_ANT_EATER));
+// }
 @Test
 void getUserByDefaultUsesTheAvailableData() {
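Review bot: `update_existingUser_if_attributes_different` and `update_existingUser_if_username_different` are reduced to a bare `fail();` with their bodies commented out, so they now fail unconditionally with no message saying why, and the tests commented out wholesale after them (`authnContext_isvalidated_fail`, `shadowAccountNotCreated_givenShadowAccountCreationDisabled`, `should_NotCreateShadowAccount_AndInstead_UpdateExistingUserUsername_if_userWithEmailExists`, `error_when_multipleUsers_with_sameEmail`) silently drop the only coverage of the provider's authn-context check, the shadow-user opt-out and the duplicate-email guard. JUnit 5 is already in use here (`assertThrows`, message-last `assertEquals`), so `@Disabled("SAML extension removed; re-enable once the provider is ported")` on each of these methods, with the original bodies kept compiling, would keep the lost coverage visible in test reports instead of hiding it behind `fail();` and `//` lines. If the intent is that these bodies never return, delete them rather than carry roughly 250 lines of commented-out code that will drift from the production API; git history preserves them. The same applies to the commented-out helpers `getAuthentication` and `mockSamlAuthentication` in the hunk at `@@ -858,23 +865,23 @@`, which the `fail();` stubs no longer reference.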
@@ -858,23 +865,23 @@ private static ScimUser createSamlUser(String username, String zoneId, ScimUserP
 return userProvisioning.createUser(user, "", zoneId);
 }
 
- private static UaaAuthentication getAuthentication(LoginSamlAuthenticationProvider authprovider) {
- SAMLAuthenticationToken authentication1 = mockSamlAuthentication();
- Authentication authentication = authprovider.authenticate(authentication1);
- assertNotNull(authentication, "Authentication should exist");
- assertTrue(authentication instanceof UaaAuthentication, "Authentication should be UaaAuthentication");
- return (UaaAuthentication) authentication;
- }
-
- private static SAMLAuthenticationToken mockSamlAuthentication() {
- ExtendedMetadata metadata = mock(ExtendedMetadata.class);
- when(metadata.getAlias()).thenReturn(OriginKeys.SAML);
- SAMLMessageContext contxt = mock(SAMLMessageContext.class);
-
- when(contxt.getPeerExtendedMetadata()).thenReturn(metadata);
- when(contxt.getCommunicationProfileId()).thenReturn(SAMLConstants.SAML2_WEBSSO_PROFILE_URI);
- return new SAMLAuthenticationToken(contxt);
- }
+// private static UaaAuthentication getAuthentication(LoginSamlAuthenticationProvider authprovider) {
+// SAMLAuthenticationToken authentication1 = mockSamlAuthentication();
+// Authentication authentication = authprovider.authenticate(authentication1);
+// assertNotNull(authentication, "Authentication should exist");
+// assertTrue(authentication instanceof UaaAuthentication, "Authentication should be UaaAuthentication");
+// return (UaaAuthentication) authentication;
+// }
+
+// private static SAMLAuthenticationToken mockSamlAuthentication() {
+// ExtendedMetadata metadata = mock(ExtendedMetadata.class);
+// when(metadata.getAlias()).thenReturn(OriginKeys.SAML);
+// SAMLMessageContext contxt = mock(SAMLMessageContext.class);
+//
+// when(contxt.getPeerExtendedMetadata()).thenReturn(metadata);
+// when(contxt.getCommunicationProfileId()).thenReturn(SAMLConstants.SAML2_WEBSSO_PROFILE_URI);
+// return new SAMLAuthenticationToken(contxt);
+// }
 
 public static class CreateUserPublisher implements ApplicationEventPublisher {
 final ScimUserBootstrap bootstrap;
@@ -901,138 +908,138 @@ public void publishEvent(Object event) { private static final String IDP_META_DATA = getResourceAsString(LoginSamlAuthenticationProviderTests.class, "IDP_META_DATA.xml"); - private static List getAttributes(Map values) { - List result = new LinkedList<>(); - for (Map.Entry entry : values.entrySet()) { - result.addAll(getAttributes(entry.getKey(), entry.getValue())); - } - return result; - } - - private static List getAttributes(final String name, Object value) { - Attribute attribute = mock(Attribute.class); - when(attribute.getName()).thenReturn(name); - when(attribute.getFriendlyName()).thenReturn(name); - - List xmlObjects = new LinkedList<>(); - if ("XSURI".equals(name)) { - XSURIImpl impl = new AttributedURIImpl("", "", ""); - impl.setValue((String) value); - xmlObjects.add(impl); - } else if ("XSAny".equals(name)) { - XSAnyImpl impl = new XSAnyImpl("", "", "") { - }; - impl.setTextContent((String) value); - xmlObjects.add(impl); - } else if ("XSQName".equals(name)) { - XSQNameImpl impl = new XSQNameImpl("", "", "") { - }; - impl.setValue(new QName("", (String) value)); - xmlObjects.add(impl); - } else if ("XSInteger".equals(name)) { - XSIntegerImpl impl = new XSIntegerImpl("", "", "") { - }; - impl.setValue((Integer) value); - xmlObjects.add(impl); - } else if ("XSBoolean".equals(name)) { - XSBooleanImpl impl = new XSBooleanImpl("", "", "") { - }; - impl.setValue(new XSBooleanValue((Boolean) value, false)); - xmlObjects.add(impl); - } else if ("XSDateTime".equals(name)) { - XSDateTimeImpl impl = new XSDateTimeImpl("", "", "") { - }; - impl.setValue((DateTime) value); - xmlObjects.add(impl); - } else if ("XSBase64Binary".equals(name)) { - XSBase64BinaryImpl impl = new XSBase64BinaryImpl("", "", "") { - }; - impl.setValue((String) value); - xmlObjects.add(impl); - } else if (value instanceof List) { - for (String s : (List) value) { - if (SAML_USER.equals(s)) { - XSAnyImpl impl = new XSAnyImpl("", "", "") { - }; - impl.setTextContent(s); 
- xmlObjects.add(impl); - } else { - AttributedStringImpl impl = new AttributedStringImpl("", "", ""); - impl.setValue(s); - xmlObjects.add(impl); - } - } - } else if (value instanceof Boolean) { - XSBoolean impl = new XSBooleanBuilder().buildObject("", "", ""); - impl.setValue(new XSBooleanValue((Boolean) value, false)); - xmlObjects.add(impl); - } else { - AttributedStringImpl impl = new AttributedStringImpl("", "", ""); - impl.setValue((String) value); - xmlObjects.add(impl); - } - when(attribute.getAttributeValues()).thenReturn(xmlObjects); - return Collections.singletonList(attribute); - } - - private static SAMLCredential getUserCredential(String username, String firstName, String lastName, String emailAddress, String phoneNumber) { - return getUserCredential(username, - firstName, - lastName, - emailAddress, - phoneNumber, - null); - } - - private static SAMLCredential getUserCredential(String username, - String firstName, - String lastName, - String emailAddress, - String phoneNumber, - Boolean emailVerified) { - NameID usernameID = mock(NameID.class); - when(usernameID.getValue()).thenReturn(username); - - Map attributes = new HashMap<>(); - attributes.put("firstName", firstName); - attributes.put("lastName", lastName); - attributes.put("emailAddress", emailAddress); - attributes.put("phone", phoneNumber); - attributes.put("groups", Arrays.asList(SAML_USER, SAML_ADMIN, SAML_NOT_MAPPED)); - attributes.put("2ndgroups", Collections.singletonList(SAML_TEST)); - attributes.put(COST_CENTER, Collections.singletonList(DENVER_CO)); - attributes.put(MANAGER, Arrays.asList(JOHN_THE_SLOTH, KARI_THE_ANT_EATER)); - if (emailVerified != null) { - attributes.put("emailVerified", emailVerified); - } - - //test different types - attributes.put("XSURI", "http://localhost:8080/someuri"); - attributes.put("XSAny", "XSAnyValue"); - attributes.put("XSQName", "XSQNameValue"); - attributes.put("XSInteger", 3); - attributes.put("XSBoolean", Boolean.TRUE); - 
attributes.put("XSDateTime", new DateTime(0)); - attributes.put("XSBase64Binary", "00001111"); - - - AuthnContextClassRef contextClassRef = mock(AuthnContextClassRef.class); - when(contextClassRef.getAuthnContextClassRef()).thenReturn(AuthnContext.PASSWORD_AUTHN_CTX); - - AuthnContext authenticationContext = mock(AuthnContext.class); - when(authenticationContext.getAuthnContextClassRef()).thenReturn(contextClassRef); - - AuthnStatement statement = mock(AuthnStatement.class); - when(statement.getAuthnContext()).thenReturn(authenticationContext); - - Assertion authenticationAssertion = mock(Assertion.class); - when(authenticationAssertion.getAuthnStatements()).thenReturn(Collections.singletonList(statement)); - - return new SAMLCredential( - usernameID, - authenticationAssertion, - "remoteEntityID", - getAttributes(attributes), - "localEntityID"); - } +// private static List getAttributes(Map values) { +// List result = new LinkedList<>(); +// for (Map.Entry entry : values.entrySet()) { +// result.addAll(getAttributes(entry.getKey(), entry.getValue())); +// } +// return result; +// } + +// private static List getAttributes(final String name, Object value) { +// Attribute attribute = mock(Attribute.class); +// when(attribute.getName()).thenReturn(name); +// when(attribute.getFriendlyName()).thenReturn(name); +// +// List xmlObjects = new LinkedList<>(); +// if ("XSURI".equals(name)) { +// XSURIImpl impl = new AttributedURIImpl("", "", ""); +// impl.setValue((String) value); +// xmlObjects.add(impl); +// } else if ("XSAny".equals(name)) { +// XSAnyImpl impl = new XSAnyImpl("", "", "") { +// }; +// impl.setTextContent((String) value); +// xmlObjects.add(impl); +// } else if ("XSQName".equals(name)) { +// XSQNameImpl impl = new XSQNameImpl("", "", "") { +// }; +// impl.setValue(new QName("", (String) value)); +// xmlObjects.add(impl); +// } else if ("XSInteger".equals(name)) { +// XSIntegerImpl impl = new XSIntegerImpl("", "", "") { +// }; +// impl.setValue((Integer) 
value); +// xmlObjects.add(impl); +// } else if ("XSBoolean".equals(name)) { +// XSBooleanImpl impl = new XSBooleanImpl("", "", "") { +// }; +// impl.setValue(new XSBooleanValue((Boolean) value, false)); +// xmlObjects.add(impl); +// } else if ("XSDateTime".equals(name)) { +// XSDateTimeImpl impl = new XSDateTimeImpl("", "", "") { +// }; +// impl.setValue((DateTime) value); +// xmlObjects.add(impl); +// } else if ("XSBase64Binary".equals(name)) { +// XSBase64BinaryImpl impl = new XSBase64BinaryImpl("", "", "") { +// }; +// impl.setValue((String) value); +// xmlObjects.add(impl); +// } else if (value instanceof List) { +// for (String s : (List) value) { +// if (SAML_USER.equals(s)) { +// XSAnyImpl impl = new XSAnyImpl("", "", "") { +// }; +// impl.setTextContent(s); +// xmlObjects.add(impl); +// } else { +// AttributedStringImpl impl = new AttributedStringImpl("", "", ""); +// impl.setValue(s); +// xmlObjects.add(impl); +// } +// } +// } else if (value instanceof Boolean) { +// XSBoolean impl = new XSBooleanBuilder().buildObject("", "", ""); +// impl.setValue(new XSBooleanValue((Boolean) value, false)); +// xmlObjects.add(impl); +// } else { +// AttributedStringImpl impl = new AttributedStringImpl("", "", ""); +// impl.setValue((String) value); +// xmlObjects.add(impl); +// } +// when(attribute.getAttributeValues()).thenReturn(xmlObjects); +// return Collections.singletonList(attribute); +// } + +// private static SAMLCredential getUserCredential(String username, String firstName, String lastName, String emailAddress, String phoneNumber) { +// return getUserCredential(username, +// firstName, +// lastName, +// emailAddress, +// phoneNumber, +// null); +// } + +// private static SAMLCredential getUserCredential(String username, +// String firstName, +// String lastName, +// String emailAddress, +// String phoneNumber, +// Boolean emailVerified) { +// NameID usernameID = mock(NameID.class); +// when(usernameID.getValue()).thenReturn(username); +// +// Map attributes 
= new HashMap<>(); +// attributes.put("firstName", firstName); +// attributes.put("lastName", lastName); +// attributes.put("emailAddress", emailAddress); +// attributes.put("phone", phoneNumber); +// attributes.put("groups", Arrays.asList(SAML_USER, SAML_ADMIN, SAML_NOT_MAPPED)); +// attributes.put("2ndgroups", Collections.singletonList(SAML_TEST)); +// attributes.put(COST_CENTER, Collections.singletonList(DENVER_CO)); +// attributes.put(MANAGER, Arrays.asList(JOHN_THE_SLOTH, KARI_THE_ANT_EATER)); +// if (emailVerified != null) { +// attributes.put("emailVerified", emailVerified); +// } +// +// //test different types +// attributes.put("XSURI", "http://localhost:8080/someuri"); +// attributes.put("XSAny", "XSAnyValue"); +// attributes.put("XSQName", "XSQNameValue"); +// attributes.put("XSInteger", 3); +// attributes.put("XSBoolean", Boolean.TRUE); +// attributes.put("XSDateTime", new DateTime(0)); +// attributes.put("XSBase64Binary", "00001111"); +// +// +// AuthnContextClassRef contextClassRef = mock(AuthnContextClassRef.class); +// when(contextClassRef.getAuthnContextClassRef()).thenReturn(AuthnContext.PASSWORD_AUTHN_CTX); +// +// AuthnContext authenticationContext = mock(AuthnContext.class); +// when(authenticationContext.getAuthnContextClassRef()).thenReturn(contextClassRef); +// +// AuthnStatement statement = mock(AuthnStatement.class); +// when(statement.getAuthnContext()).thenReturn(authenticationContext); +// +// Assertion authenticationAssertion = mock(Assertion.class); +// when(authenticationAssertion.getAuthnStatements()).thenReturn(Collections.singletonList(statement)); +// +// return new SAMLCredential( +// usernameID, +// authenticationAssertion, +// "remoteEntityID", +// getAttributes(attributes), +// "localEntityID"); +// } } 
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBeanTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBeanTest.java
index 0716eec6959..9645067f205 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBeanTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBeanTest.java
@@ -17,54 +17,58 @@ import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; import org.junit.BeforeClass; import org.junit.Test; -import org.opensaml.DefaultBootstrap; -import org.opensaml.xml.Configuration; -import org.opensaml.xml.security.BasicSecurityConfiguration; -import org.opensaml.xml.signature.SignatureConstants; +//import org.opensaml.DefaultBootstrap; +//import org.opensaml.xml.Configuration; +//import org.opensaml.xml.security.BasicSecurityConfiguration; +//import org.opensaml.xml.signature.SignatureConstants; import java.security.Security; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.fail; public class SamlConfigurationBeanTest { @BeforeClass public static void initVM() throws Exception { Security.addProvider(new BouncyCastleFipsProvider()); - DefaultBootstrap.bootstrap(); +// DefaultBootstrap.bootstrap(); } @Test public void testSHA1SignatureAlgorithm() { - SamlConfigurationBean samlConfigurationBean = new SamlConfigurationBean(); - samlConfigurationBean.setSignatureAlgorithm(SamlConfigurationBean.SignatureAlgorithm.SHA1); - samlConfigurationBean.afterPropertiesSet(); - - BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration(); - assertEquals(SignatureConstants.ALGO_ID_DIGEST_SHA1, config.getSignatureReferenceDigestMethod()); - assertEquals(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, config.getSignatureAlgorithmURI("RSA")); + fail(); +// SamlConfigurationBean samlConfigurationBean = new SamlConfigurationBean(); +// samlConfigurationBean.setSignatureAlgorithm(SamlConfigurationBean.SignatureAlgorithm.SHA1); +// samlConfigurationBean.afterPropertiesSet(); +// +// BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration(); +// assertEquals(SignatureConstants.ALGO_ID_DIGEST_SHA1, config.getSignatureReferenceDigestMethod()); +// assertEquals(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, 
config.getSignatureAlgorithmURI("RSA")); } @Test public void testSHA256SignatureAlgorithm() { - SamlConfigurationBean samlConfigurationBean = new SamlConfigurationBean(); - samlConfigurationBean.setSignatureAlgorithm(SamlConfigurationBean.SignatureAlgorithm.SHA256); - samlConfigurationBean.afterPropertiesSet(); - - BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration(); - assertEquals(SignatureConstants.ALGO_ID_DIGEST_SHA256, config.getSignatureReferenceDigestMethod()); - assertEquals(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256, config.getSignatureAlgorithmURI("RSA")); + fail(); +// SamlConfigurationBean samlConfigurationBean = new SamlConfigurationBean(); +// samlConfigurationBean.setSignatureAlgorithm(SamlConfigurationBean.SignatureAlgorithm.SHA256); +// samlConfigurationBean.afterPropertiesSet(); +// +// BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration(); +// assertEquals(SignatureConstants.ALGO_ID_DIGEST_SHA256, config.getSignatureReferenceDigestMethod()); +// assertEquals(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256, config.getSignatureAlgorithmURI("RSA")); } @Test public void testSHA512SignatureAlgorithm() { - SamlConfigurationBean samlConfigurationBean = new SamlConfigurationBean(); - samlConfigurationBean.setSignatureAlgorithm(SamlConfigurationBean.SignatureAlgorithm.SHA512); - samlConfigurationBean.afterPropertiesSet(); - - BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration(); - assertEquals(SignatureConstants.ALGO_ID_DIGEST_SHA512, config.getSignatureReferenceDigestMethod()); - assertEquals(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512, config.getSignatureAlgorithmURI("RSA")); + fail(); +// SamlConfigurationBean samlConfigurationBean = new SamlConfigurationBean(); +// samlConfigurationBean.setSignatureAlgorithm(SamlConfigurationBean.SignatureAlgorithm.SHA512); +// 
samlConfigurationBean.afterPropertiesSet(); +// +// BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration(); +// assertEquals(SignatureConstants.ALGO_ID_DIGEST_SHA512, config.getSignatureReferenceDigestMethod()); +// assertEquals(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512, config.getSignatureAlgorithmURI("RSA")); } } diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlIdentityProviderConfiguratorTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlIdentityProviderConfiguratorTests.java index 8311107a454..dc04b7d3f6b 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlIdentityProviderConfiguratorTests.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlIdentityProviderConfiguratorTests.java @@ -25,10 +25,10 @@ import org.junit.Rule; import org.junit.jupiter.api.*; import org.junit.rules.ExpectedException; -import org.opensaml.DefaultBootstrap; -import org.opensaml.xml.parse.BasicParserPool; +//import org.opensaml.DefaultBootstrap; +//import org.opensaml.xml.parse.BasicParserPool; import org.springframework.security.oauth2.common.util.RandomValueStringGenerator; -import org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory; +//import org.springframework.security.saml.trust.httpclient.TLSProtocolSocketFactory; import java.util.Arrays; import java.util.Collections; @@ -55,9 +55,9 @@ public class SamlIdentityProviderConfiguratorTests { @BeforeAll public static void initializeOpenSAML() throws Exception { - if (!org.apache.xml.security.Init.isInitialized()) { - DefaultBootstrap.bootstrap(); - } +// if (!org.apache.xml.security.Init.isInitialized()) { +// DefaultBootstrap.bootstrap(); +// } } public static final String xmlWithoutID = 
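Review bot: Each of the three signature-algorithm tests is reduced to a bare `fail()`, so the suite goes red with no message saying why, and the `//`-commented bodies will not compile against anything. This file is JUnit 4 (`org.junit.Test`, `@BeforeClass`), so the idiom is `@Ignore("pending SAML migration: SamlConfigurationBean signature algorithm")` on each test, or at least `fail("SamlConfigurationBean signature-algorithm check not yet ported")` if a red build is the intended tracker. Worth stating in the commit what is lost meanwhile: these were the only checks that `setSignatureAlgorithm(SHA1|SHA256|SHA512)` actually lands in the global security configuration (digest method and RSA signature URI), so a replacement bean that silently falls back to SHA-1 would go unnoticed until they are restored.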
@@ -143,145 +143,146 @@ public void setUp() { .setZoneId("uaa"); fixedHttpMetaDataProvider = mock(FixedHttpMetaDataProvider.class); - configurator = new SamlIdentityProviderConfigurator( - new BasicParserPool(), provisioning, fixedHttpMetaDataProvider); +// configurator = new SamlIdentityProviderConfigurator( +// new BasicParserPool(), provisioning, fixedHttpMetaDataProvider); } @Test public void testAddNullProvider() { - Assertions.assertThrows(NullPointerException.class, () -> configurator.validateSamlIdentityProviderDefinition(null)); + fail(); +// Assertions.assertThrows(NullPointerException.class, () -> configurator.validateSamlIdentityProviderDefinition(null)); } - @Test - public void testAddNullProviderAlias() { - singleAdd.setIdpEntityAlias(null); - - Assertions.assertThrows(NullPointerException.class, () -> { - configurator.validateSamlIdentityProviderDefinition(singleAdd); - }); - } - - @Test - public void testGetEntityID() throws Exception { - - Timer t = new Timer(); - bootstrap.setIdentityProviders(BootstrapSamlIdentityProviderDataTests.parseYaml(BootstrapSamlIdentityProviderDataTests.sampleYaml)); - bootstrap.afterPropertiesSet(); - for (SamlIdentityProviderDefinition def : bootstrap.getIdentityProviderDefinitions()) { - switch (def.getIdpEntityAlias()) { - case "okta-local": { - ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); - assertEquals("http://www.okta.com/k2lvtem0VAJDMINKEYJW", provider.getEntityID()); - break; - } - case "okta-local-3": { - ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); - assertEquals("http://www.okta.com/k2lvtem0VAJDMINKEYJX", provider.getEntityID()); - break; - } - case "okta-local-2": { - ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); - assertEquals("http://www.okta.com/k2lw4l5bPODCMIIDBRYZ", 
provider.getEntityID()); - break; - } - case "simplesamlphp-url": { - when(fixedHttpMetaDataProvider.fetchMetadata(any(), anyBoolean())).thenReturn(getSimpleSamlPhpMetadata("http://simplesamlphp.somewhere.com").getBytes()); - ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); - assertEquals("http://simplesamlphp.somewhere.com/saml2/idp/metadata.php", provider.getEntityID()); - break; - } - case "custom-authncontext": { - ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); - assertEquals("http://www.okta.com/k2lvtem0VAJDMINKEYJW", provider.getEntityID()); - break; - } - default: - fail(String.format("Unknown provider %s", def.getIdpEntityAlias())); - } - } - t.cancel(); - } - - - @Test - public void testIdentityProviderDefinitionSocketFactoryTest() { - singleAdd.setMetaDataLocation("http://www.test.org/saml/metadata"); - assertNull(singleAdd.getSocketFactoryClassName()); - singleAdd.setMetaDataLocation("https://www.test.org/saml/metadata"); - assertNull(singleAdd.getSocketFactoryClassName()); - singleAdd.setSocketFactoryClassName(TLSProtocolSocketFactory.class.getName()); - assertNull(singleAdd.getSocketFactoryClassName()); - } - - protected List getSamlIdentityProviderDefinitions(List clientIdpAliases) { - SamlIdentityProviderDefinition def1 = new SamlIdentityProviderDefinition() - .setMetaDataLocation(xml) - .setIdpEntityAlias("simplesamlphp-url") - .setNameID("sample-nameID") - .setAssertionConsumerIndex(1) - .setMetadataTrustCheck(true) - .setLinkText("sample-link-test") - .setIconUrl("sample-icon-url") - .setZoneId("other-zone-id"); - IdentityProvider idp1 = mock(IdentityProvider.class); - when(idp1.getType()).thenReturn(OriginKeys.SAML); - when(idp1.getConfig()).thenReturn(def1); - - IdentityProvider idp2 = mock(IdentityProvider.class); - when(idp2.getType()).thenReturn(OriginKeys.SAML); - 
when(idp2.getConfig()).thenReturn(def1.clone().setIdpEntityAlias("okta-local-2")); - - IdentityProvider idp3 = mock(IdentityProvider.class); - when(idp3.getType()).thenReturn(OriginKeys.SAML); - when(idp3.getConfig()).thenReturn(def1.clone().setIdpEntityAlias("okta-local-3")); - - when(provisioning.retrieveActive(anyString())).thenReturn(Arrays.asList(idp1, idp2)); - - return configurator.getIdentityProviderDefinitions(clientIdpAliases, IdentityZoneHolder.get()); - } - - @Test - public void testGetIdentityProviderDefinititonsForAllowedProviders() { - List clientIdpAliases = asList("simplesamlphp-url", "okta-local-2"); - List clientIdps = getSamlIdentityProviderDefinitions(clientIdpAliases); - assertEquals(2, clientIdps.size()); - assertTrue(clientIdpAliases.contains(clientIdps.get(0).getIdpEntityAlias())); - assertTrue(clientIdpAliases.contains(clientIdps.get(1).getIdpEntityAlias())); - } - - @Test - public void testReturnNoIdpsInZoneForClientWithNoAllowedProviders() { - List clientIdpAliases = Collections.singletonList("non-existent"); - List clientIdps = getSamlIdentityProviderDefinitions(clientIdpAliases); - assertEquals(0, clientIdps.size()); - } - - @Rule - public ExpectedException expectedException = ExpectedException.none(); - - @BeforeEach - public void setupHttp() { - slowHttpServer = new SlowHttpServer(); - } - - @AfterEach - public void stopHttp() { - slowHttpServer.stop(); - } - - @Test - public void shouldTimeoutWhenFetchingMetadataURL() { - slowHttpServer.run(); - - expectedException.expect(NullPointerException.class); - - SamlIdentityProviderDefinition def = new SamlIdentityProviderDefinition(); - def.setMetaDataLocation("https://localhost:23439"); - def.setSkipSslValidation(true); - - Assertions.assertTimeout(ofSeconds(1), () -> { - Assertions.assertThrows(NullPointerException.class, () -> configurator.configureURLMetadata(def)); - }); - } +// @Test +// public void testAddNullProviderAlias() { +// singleAdd.setIdpEntityAlias(null); +// +// 
Assertions.assertThrows(NullPointerException.class, () -> { +// configurator.validateSamlIdentityProviderDefinition(singleAdd); +// }); +// } +// +// @Test +// public void testGetEntityID() throws Exception { +// +// Timer t = new Timer(); +// bootstrap.setIdentityProviders(BootstrapSamlIdentityProviderDataTests.parseYaml(BootstrapSamlIdentityProviderDataTests.sampleYaml)); +// bootstrap.afterPropertiesSet(); +// for (SamlIdentityProviderDefinition def : bootstrap.getIdentityProviderDefinitions()) { +// switch (def.getIdpEntityAlias()) { +// case "okta-local": { +// ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); +// assertEquals("http://www.okta.com/k2lvtem0VAJDMINKEYJW", provider.getEntityID()); +// break; +// } +// case "okta-local-3": { +// ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); +// assertEquals("http://www.okta.com/k2lvtem0VAJDMINKEYJX", provider.getEntityID()); +// break; +// } +// case "okta-local-2": { +// ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); +// assertEquals("http://www.okta.com/k2lw4l5bPODCMIIDBRYZ", provider.getEntityID()); +// break; +// } +// case "simplesamlphp-url": { +// when(fixedHttpMetaDataProvider.fetchMetadata(any(), anyBoolean())).thenReturn(getSimpleSamlPhpMetadata("http://simplesamlphp.somewhere.com").getBytes()); +// ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); +// assertEquals("http://simplesamlphp.somewhere.com/saml2/idp/metadata.php", provider.getEntityID()); +// break; +// } +// case "custom-authncontext": { +// ComparableProvider provider = (ComparableProvider) configurator.getExtendedMetadataDelegateFromCache(def).getDelegate(); +// assertEquals("http://www.okta.com/k2lvtem0VAJDMINKEYJW", provider.getEntityID()); +// break; 
+// } +// default: +// fail(String.format("Unknown provider %s", def.getIdpEntityAlias())); +// } +// } +// t.cancel(); +// } +// +// +// @Test +// public void testIdentityProviderDefinitionSocketFactoryTest() { +// singleAdd.setMetaDataLocation("http://www.test.org/saml/metadata"); +// assertNull(singleAdd.getSocketFactoryClassName()); +// singleAdd.setMetaDataLocation("https://www.test.org/saml/metadata"); +// assertNull(singleAdd.getSocketFactoryClassName()); +// singleAdd.setSocketFactoryClassName(TLSProtocolSocketFactory.class.getName()); +// assertNull(singleAdd.getSocketFactoryClassName()); +// } +// +// protected List getSamlIdentityProviderDefinitions(List clientIdpAliases) { +// SamlIdentityProviderDefinition def1 = new SamlIdentityProviderDefinition() +// .setMetaDataLocation(xml) +// .setIdpEntityAlias("simplesamlphp-url") +// .setNameID("sample-nameID") +// .setAssertionConsumerIndex(1) +// .setMetadataTrustCheck(true) +// .setLinkText("sample-link-test") +// .setIconUrl("sample-icon-url") +// .setZoneId("other-zone-id"); +// IdentityProvider idp1 = mock(IdentityProvider.class); +// when(idp1.getType()).thenReturn(OriginKeys.SAML); +// when(idp1.getConfig()).thenReturn(def1); +// +// IdentityProvider idp2 = mock(IdentityProvider.class); +// when(idp2.getType()).thenReturn(OriginKeys.SAML); +// when(idp2.getConfig()).thenReturn(def1.clone().setIdpEntityAlias("okta-local-2")); +// +// IdentityProvider idp3 = mock(IdentityProvider.class); +// when(idp3.getType()).thenReturn(OriginKeys.SAML); +// when(idp3.getConfig()).thenReturn(def1.clone().setIdpEntityAlias("okta-local-3")); +// +// when(provisioning.retrieveActive(anyString())).thenReturn(Arrays.asList(idp1, idp2)); +// +// return configurator.getIdentityProviderDefinitions(clientIdpAliases, IdentityZoneHolder.get()); +// } +// +// @Test +// public void testGetIdentityProviderDefinititonsForAllowedProviders() { +// List clientIdpAliases = asList("simplesamlphp-url", "okta-local-2"); +// List clientIdps 
= getSamlIdentityProviderDefinitions(clientIdpAliases); +// assertEquals(2, clientIdps.size()); +// assertTrue(clientIdpAliases.contains(clientIdps.get(0).getIdpEntityAlias())); +// assertTrue(clientIdpAliases.contains(clientIdps.get(1).getIdpEntityAlias())); +// } +// +// @Test +// public void testReturnNoIdpsInZoneForClientWithNoAllowedProviders() { +// List clientIdpAliases = Collections.singletonList("non-existent"); +// List clientIdps = getSamlIdentityProviderDefinitions(clientIdpAliases); +// assertEquals(0, clientIdps.size()); +// } +// +// @Rule +// public ExpectedException expectedException = ExpectedException.none(); +// +// @BeforeEach +// public void setupHttp() { +// slowHttpServer = new SlowHttpServer(); +// } +// +// @AfterEach +// public void stopHttp() { +// slowHttpServer.stop(); +// } +// +// @Test +// public void shouldTimeoutWhenFetchingMetadataURL() { +// slowHttpServer.run(); +// +// expectedException.expect(NullPointerException.class); +// +// SamlIdentityProviderDefinition def = new SamlIdentityProviderDefinition(); +// def.setMetaDataLocation("https://localhost:23439"); +// def.setSkipSslValidation(true); +// +// Assertions.assertTimeout(ofSeconds(1), () -> { +// Assertions.assertThrows(NullPointerException.class, () -> configurator.configureURLMetadata(def)); +// }); +// } } \ No newline at end of file diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactoryTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactoryTests.java index cd994f10ce3..0c8000b74eb 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactoryTests.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlKeyManagerFactoryTests.java 
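Review bot: `setUp()` no longer assigns `configurator` (the constructor call is commented out), so the field stays null, and `testAddNullProvider` now ends in a bare `fail()` with its assertion commented beside it; any other test in this class that still touches `configurator` outside the hunk will NPE rather than fail for the intended reason. This file uses JUnit 5 (`org.junit.jupiter.api.*`), so `@Disabled("pending SAML migration")` on the affected tests is the idiomatic way to park them instead of `fail()` plus commented bodies. The removed block also drops `shouldTimeoutWhenFetchingMetadataURL` with its `slowHttpServer` setup/teardown, which was the only check here that fetching IdP metadata from an unresponsive URL is bounded (`assertTimeout(ofSeconds(1), ...)`) — that lost coverage should be named in the commit description until the replacement configurator has an equivalent test. With `@Rule`/`ExpectedException` commented out, the `org.junit.Rule` and `org.junit.rules.ExpectedException` imports kept in the earlier hunk appear to be unused now.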
@@ -9,7 +9,7 @@ import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; -import org.springframework.security.saml.key.JKSKeyManager; +//import org.springframework.security.saml.key.JKSKeyManager; import org.springframework.test.util.ReflectionTestUtils; import java.security.KeyStore; 
@@ -197,69 +197,70 @@ void clear() { @Test void multipleKeysLegacyIsActiveKey() { - String alias = SamlConfig.LEGACY_KEY_ID; - JKSKeyManager manager = (JKSKeyManager) samlKeyManagerFactory.getKeyManager(config); - assertEquals(alias, manager.getDefaultCredentialName()); - assertEquals(3, manager.getAvailableCredentials().size()); - assertThat(manager.getAvailableCredentials(), containsInAnyOrder(SamlConfig.LEGACY_KEY_ID, "key-1", "key-2")); - } - - @Test - void multipleKeysWithActiveKey() { - config.setActiveKeyId("key-1"); - String alias = "key-1"; - JKSKeyManager manager = (JKSKeyManager) samlKeyManagerFactory.getKeyManager(config); - assertEquals(alias, manager.getDefaultCredentialName()); - assertEquals(3, manager.getAvailableCredentials().size()); - assertThat(manager.getAvailableCredentials(), containsInAnyOrder(SamlConfig.LEGACY_KEY_ID + "", "key-1", "key-2")); - } - - @Test - void addActiveKey() { - config.addAndActivateKey("key-3", new SamlKey(key1, passphrase1, certificate1)); - String alias = "key-3"; - JKSKeyManager manager = (JKSKeyManager) samlKeyManagerFactory.getKeyManager(config); - assertEquals(alias, manager.getDefaultCredentialName()); - assertEquals(4, manager.getAvailableCredentials().size()); - assertThat(manager.getAvailableCredentials(), containsInAnyOrder(SamlConfig.LEGACY_KEY_ID, "key-1", "key-2", alias)); - } - - @Test - void multipleKeysWithActiveKeyInOtherZone() { - IdentityZoneHolder.set(MultitenancyFixture.identityZone("other-zone-id", "domain")); - config.setActiveKeyId("key-1"); - String alias = "key-1"; - JKSKeyManager manager = (JKSKeyManager) samlKeyManagerFactory.getKeyManager(config); - assertEquals(alias, manager.getDefaultCredentialName()); - assertEquals(3, manager.getAvailableCredentials().size()); - assertThat(manager.getAvailableCredentials(), containsInAnyOrder(SamlConfig.LEGACY_KEY_ID, "key-1", "key-2")); - } - - @Test - void keystoreImplsIsNotASingleton() throws KeyStoreException { - 
assertNotSame(KeyStore.getInstance("JKS"), KeyStore.getInstance("JKS")); - JKSKeyManager manager1 = (JKSKeyManager) samlKeyManagerFactory.getKeyManager(config); - config.setKeys(new HashMap<>()); - config.setPrivateKey(key1); - config.setPrivateKeyPassword("password"); - config.setCertificate(certificate1); - - JKSKeyManager manager2 = (JKSKeyManager) samlKeyManagerFactory.getKeyManager(config); - KeyStore ks1 = (KeyStore) ReflectionTestUtils.getField(manager1, JKSKeyManager.class, "keyStore"); - KeyStore ks2 = (KeyStore) ReflectionTestUtils.getField(manager2, JKSKeyManager.class, "keyStore"); - - String alias = SamlConfig.LEGACY_KEY_ID; - - assertNotEquals(ks1.getCertificate(alias), ks2.getCertificate(alias)); - assertEquals(ks1.getCertificate(alias), ks1.getCertificate(alias)); - } - - @Test - void testAddCertsKeysOnly() { - config.setKeys(new HashMap<>()); - config.addAndActivateKey("cert-only", new SamlKey(null, null, certificate1)); - JKSKeyManager manager1 = (JKSKeyManager) samlKeyManagerFactory.getKeyManager(config); - assertNotNull(manager1.getDefaultCredential().getPublicKey()); - assertNull(manager1.getDefaultCredential().getPrivateKey()); + fail(); +// String alias = SamlConfig.LEGACY_KEY_ID; +// JKSKeyManager manager = (JKSKeyManager) samlKeyManagerFactory.getKeyManager(config); +// assertEquals(alias, manager.getDefaultCredentialName()); +// assertEquals(3, manager.getAvailableCredentials().size()); +// assertThat(manager.getAvailableCredentials(), containsInAnyOrder(SamlConfig.LEGACY_KEY_ID, "key-1", "key-2")); } +// +// @Test +// void multipleKeysWithActiveKey() { +// config.setActiveKeyId("key-1"); +// String alias = "key-1"; +// JKSKeyManager manager = (JKSKeyManager) samlKeyManagerFactory.getKeyManager(config); +// assertEquals(alias, manager.getDefaultCredentialName()); +// assertEquals(3, manager.getAvailableCredentials().size()); +// assertThat(manager.getAvailableCredentials(), containsInAnyOrder(SamlConfig.LEGACY_KEY_ID + "", "key-1", 
"key-2")); +// } +// +// @Test +// void addActiveKey() { +// config.addAndActivateKey("key-3", new SamlKey(key1, passphrase1, certificate1)); +// String alias = "key-3"; +// JKSKeyManager manager = (JKSKeyManager) samlKeyManagerFactory.getKeyManager(config); +// assertEquals(alias, manager.getDefaultCredentialName()); +// assertEquals(4, manager.getAvailableCredentials().size()); +// assertThat(manager.getAvailableCredentials(), containsInAnyOrder(SamlConfig.LEGACY_KEY_ID, "key-1", "key-2", alias)); +// } +// +// @Test +// void multipleKeysWithActiveKeyInOtherZone() { +// IdentityZoneHolder.set(MultitenancyFixture.identityZone("other-zone-id", "domain")); +// config.setActiveKeyId("key-1"); +// String alias = "key-1"; +// JKSKeyManager manager = (JKSKeyManager) samlKeyManagerFactory.getKeyManager(config); +// assertEquals(alias, manager.getDefaultCredentialName()); +// assertEquals(3, manager.getAvailableCredentials().size()); +// assertThat(manager.getAvailableCredentials(), containsInAnyOrder(SamlConfig.LEGACY_KEY_ID, "key-1", "key-2")); +// } +// +// @Test +// void keystoreImplsIsNotASingleton() throws KeyStoreException { +// assertNotSame(KeyStore.getInstance("JKS"), KeyStore.getInstance("JKS")); +// JKSKeyManager manager1 = (JKSKeyManager) samlKeyManagerFactory.getKeyManager(config); +// config.setKeys(new HashMap<>()); +// config.setPrivateKey(key1); +// config.setPrivateKeyPassword("password"); +// config.setCertificate(certificate1); +// +// JKSKeyManager manager2 = (JKSKeyManager) samlKeyManagerFactory.getKeyManager(config); +// KeyStore ks1 = (KeyStore) ReflectionTestUtils.getField(manager1, JKSKeyManager.class, "keyStore"); +// KeyStore ks2 = (KeyStore) ReflectionTestUtils.getField(manager2, JKSKeyManager.class, "keyStore"); +// +// String alias = SamlConfig.LEGACY_KEY_ID; +// +// assertNotEquals(ks1.getCertificate(alias), ks2.getCertificate(alias)); +// assertEquals(ks1.getCertificate(alias), ks1.getCertificate(alias)); +// } +// +// @Test +// void 
testAddCertsKeysOnly() { +// config.setKeys(new HashMap<>()); +// config.addAndActivateKey("cert-only", new SamlKey(null, null, certificate1)); +// JKSKeyManager manager1 = (JKSKeyManager) samlKeyManagerFactory.getKeyManager(config); +// assertNotNull(manager1.getDefaultCredential().getPublicKey()); +// assertNull(manager1.getDefaultCredential().getPrivateKey()); +// } } diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlSessionStorageFactoryTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlSessionStorageFactoryTests.java index 1955cc9ce56..019c11b46e1 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlSessionStorageFactoryTests.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlSessionStorageFactoryTests.java @@ -7,8 +7,7 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.springframework.mock.web.MockHttpServletRequest; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertNull; +import static org.junit.Assert.*; @ExtendWith(PollutionPreventionExtension.class) class SamlSessionStorageFactoryTests { @@ -26,15 +25,17 @@ void setUp() { @Test void get_storage_creates_session() { - assertNull(request.getSession(false)); - factory.getMessageStorage(request); - assertNotNull(request.getSession(false)); + fail(); +// assertNull(request.getSession(false)); +// factory.getMessageStorage(request); +// assertNotNull(request.getSession(false)); } @Test void disable_message_storage() { - IdentityZoneHolder.get().getConfig().getSamlConfig().setDisableInResponseToCheck(true); - assertNull(factory.getMessageStorage(request)); + fail(); +// IdentityZoneHolder.get().getConfig().getSamlConfig().setDisableInResponseToCheck(true); +// assertNull(factory.getMessageStorage(request)); } } \ No newline at end of file 
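Review bot: `multipleKeysLegacyIsActiveKey` now consists of a bare `fail();` with its original body commented out, so the suite carries a test that can never pass instead of one that is visibly disabled; the same pattern is applied in SamlSessionStorageFactoryTests and ZoneAwareMetadataGeneratorTests further down. Mark this method and the other commented-out tests with `@Disabled("awaiting replacement for the removed Spring Security SAML extension")` and keep their `@Test` annotations, so the intent shows up in the test report rather than only in comments. The removed tests were the coverage for which key becomes the SAML signing credential (`setActiveKeyId`, `addAndActivateKey`, the per-zone case in `multipleKeysWithActiveKeyInOtherZone`) and for keystores not being shared between managers; whatever replaces JKSKeyManager should bring these assertions back before the commented blocks are deleted. The commented-out imports in the `@@ -9,7` hunk of this file and in the import hunks of the three following files should be removed rather than kept as comments, since git history already preserves them.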
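Review bot: `disable_message_storage` was the only check that `setDisableInResponseToCheck(true)` makes `getMessageStorage` return null, i.e. that the zone-level switch for SAML InResponseTo validation is honoured; replacing it with `fail();` leaves that behaviour untested while SamlSessionStorageFactory itself appears to remain in the tree per the diffstat. Until the replacement lands, `@Disabled` with a reason is preferable to a permanently red test, and the original assertions should stay in place as the specification for the new implementation. The `@@ -7,8` hunk also widens the static import to `import static org.junit.Assert.*;`, pulling JUnit 4 assertions into a Jupiter (`@ExtendWith`) test class via a wildcard; `import static org.junit.jupiter.api.Assertions.fail;` keeps the import explicit and consistent with the rest of the class.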
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGeneratorTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGeneratorTests.java
index 25ac5b0d0e2..af456d5c9f4 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGeneratorTests.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/ZoneAwareMetadataGeneratorTests.java
@@ -12,15 +12,15 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.opensaml.Configuration;
-import org.opensaml.DefaultBootstrap;
-import org.opensaml.xml.io.MarshallingException;
-import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
-import org.springframework.security.saml.SAMLConstants;
-import org.springframework.security.saml.key.KeyManager;
-import org.springframework.security.saml.metadata.ExtendedMetadata;
-import org.springframework.security.saml.metadata.MetadataManager;
-import org.springframework.security.saml.util.SAMLUtil;
+//import org.opensaml.Configuration;
+//import org.opensaml.DefaultBootstrap;
+//import org.opensaml.xml.io.MarshallingException;
+//import org.opensaml.xml.security.keyinfo.NamedKeyInfoGeneratorManager;
+//import org.springframework.security.saml.SAMLConstants;
+//import org.springframework.security.saml.key.KeyManager;
+//import org.springframework.security.saml.metadata.ExtendedMetadata;
+//import org.springframework.security.saml.metadata.MetadataManager;
+//import org.springframework.security.saml.util.SAMLUtil;
 
 import java.security.Security;
 import java.util.List;
@@ -38,8 +38,8 @@ public class ZoneAwareMetadataGeneratorTests {
 private ZoneAwareMetadataGenerator generator;
 private IdentityZone otherZone;
 private IdentityZoneConfiguration otherZoneDefinition;
- private KeyManager keyManager;
- private ExtendedMetadata extendedMetadata;
+// private KeyManager keyManager;
+// private ExtendedMetadata extendedMetadata;
 
 public static final SamlKey samlKey1 = new SamlKey(key1, passphrase1, certificate1);
 public static final SamlKey samlKey2 = new SamlKey(key2, passphrase2, certificate2);
@@ -50,9 +50,9 @@ public class ZoneAwareMetadataGeneratorTests {
 @BeforeAll
 static void bootstrap() throws Exception {
 Security.addProvider(new BouncyCastleFipsProvider());
- DefaultBootstrap.bootstrap();
- NamedKeyInfoGeneratorManager keyInfoGeneratorManager = Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager();
- keyInfoGeneratorManager.getManager(SAMLConstants.SAML_METADATA_KEY_INFO_GENERATOR);
+// DefaultBootstrap.bootstrap();
+// NamedKeyInfoGeneratorManager keyInfoGeneratorManager = Configuration.getGlobalSecurityConfiguration().getKeyInfoGeneratorManager();
+// keyInfoGeneratorManager.getManager(SAMLConstants.SAML_METADATA_KEY_INFO_GENERATOR);
 }
 
 @BeforeEach
@@ -70,17 +70,17 @@ void setUp() {
 otherZone.setConfig(otherZoneDefinition);
 
 generator = new ZoneAwareMetadataGenerator();
- generator.setEntityBaseURL("http://localhost:8080/uaa");
- generator.setEntityId("entityIdValue");
+// generator.setEntityBaseURL("http://localhost:8080/uaa");
+// generator.setEntityId("entityIdValue");
 
- extendedMetadata = new org.springframework.security.saml.metadata.ExtendedMetadata();
- extendedMetadata.setIdpDiscoveryEnabled(true);
- extendedMetadata.setAlias("entityAlias");
- extendedMetadata.setSignMetadata(true);
- generator.setExtendedMetadata(extendedMetadata);
+// extendedMetadata = new org.springframework.security.saml.metadata.ExtendedMetadata();
+// extendedMetadata.setIdpDiscoveryEnabled(true);
+// extendedMetadata.setAlias("entityAlias");
+// extendedMetadata.setSignMetadata(true);
+// generator.setExtendedMetadata(extendedMetadata);
 
- keyManager = new ZoneAwareKeyManager();
- generator.setKeyManager(keyManager);
+// keyManager = new ZoneAwareKeyManager();
+// generator.setKeyManager(keyManager);
 }
 
 @AfterEach
@@ -90,133 +90,141 @@ void tearDown() { @Test void testRequestAndWantAssertionSignedInAnotherZone() { - generator.setRequestSigned(true); - generator.setWantAssertionSigned(true); - assertTrue(generator.isRequestSigned()); - assertTrue(generator.isWantAssertionSigned()); - - generator.setRequestSigned(false); - generator.setWantAssertionSigned(false); - assertFalse(generator.isRequestSigned()); - assertFalse(generator.isWantAssertionSigned()); - - IdentityZoneHolder.set(otherZone); - - assertTrue(generator.isRequestSigned()); - assertTrue(generator.isWantAssertionSigned()); + fail(); +// generator.setRequestSigned(true); +// generator.setWantAssertionSigned(true); +// assertTrue(generator.isRequestSigned()); +// assertTrue(generator.isWantAssertionSigned()); +// +// generator.setRequestSigned(false); +// generator.setWantAssertionSigned(false); +// assertFalse(generator.isRequestSigned()); +// assertFalse(generator.isWantAssertionSigned()); +// +// IdentityZoneHolder.set(otherZone); +// +// assertTrue(generator.isRequestSigned()); +// assertTrue(generator.isWantAssertionSigned()); } @Test void testMetadataContainsSamlBearerGrantEndpoint() throws Exception { - String metadata = getMetadata(otherZone, keyManager, generator, extendedMetadata); - assertThat(metadata, containsString("md:AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:URI\" Location=\"http://zone-id.localhost:8080/uaa/oauth/token/alias/zone-id.entityAlias\" index=\"1\"/>")); + fail(); +// String metadata = getMetadata(otherZone, keyManager, generator, extendedMetadata); +// assertThat(metadata, containsString("md:AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:URI\" Location=\"http://zone-id.localhost:8080/uaa/oauth/token/alias/zone-id.entityAlias\" index=\"1\"/>")); } @Test void testZonifiedEntityID() { - generator.setEntityId("local-name"); - assertEquals("local-name", generator.getEntityId()); - assertEquals("local-name", 
SamlRedirectUtils.getZonifiedEntityId(generator.getEntityId(), IdentityZoneHolder.get())); - - generator.setEntityId(null); - assertNotNull(generator.getEntityId()); - assertNotNull(SamlRedirectUtils.getZonifiedEntityId(generator.getEntityId(), IdentityZoneHolder.get())); - - IdentityZoneHolder.set(otherZone); - - assertNotNull(generator.getEntityId()); - assertNotNull(SamlRedirectUtils.getZonifiedEntityId(generator.getEntityId(), IdentityZoneHolder.get())); + fail(); +// generator.setEntityId("local-name"); +// assertEquals("local-name", generator.getEntityId()); +// assertEquals("local-name", SamlRedirectUtils.getZonifiedEntityId(generator.getEntityId(), IdentityZoneHolder.get())); +// +// generator.setEntityId(null); +// assertNotNull(generator.getEntityId()); +// assertNotNull(SamlRedirectUtils.getZonifiedEntityId(generator.getEntityId(), IdentityZoneHolder.get())); +// +// IdentityZoneHolder.set(otherZone); +// +// assertNotNull(generator.getEntityId()); +// assertNotNull(SamlRedirectUtils.getZonifiedEntityId(generator.getEntityId(), IdentityZoneHolder.get())); } @Test void testZonifiedValidAndInvalidEntityID() { - IdentityZone newZone = new IdentityZone(); - newZone.setId("new-zone-id"); - newZone.setName("new-zone-id"); - newZone.setSubdomain("new-zone-id"); - newZone.getConfig().getSamlConfig().setEntityID("local-name"); - IdentityZoneHolder.set(newZone); - - // valid entityID from SamlConfig - assertEquals("local-name", generator.getEntityId()); - assertEquals("local-name", SamlRedirectUtils.getZonifiedEntityId("local-name", IdentityZoneHolder.get())); - assertNotNull(generator.getEntityId()); - - // remove SamlConfig - newZone.getConfig().setSamlConfig(null); - assertNotNull(SamlRedirectUtils.getZonifiedEntityId("local-idp", IdentityZoneHolder.get())); - // now the entityID is generated id as before this change - assertEquals("new-zone-id.local-name", SamlRedirectUtils.getZonifiedEntityId("local-name", IdentityZoneHolder.get())); + fail(); +// 
IdentityZone newZone = new IdentityZone(); +// newZone.setId("new-zone-id"); +// newZone.setName("new-zone-id"); +// newZone.setSubdomain("new-zone-id"); +// newZone.getConfig().getSamlConfig().setEntityID("local-name"); +// IdentityZoneHolder.set(newZone); +// +// // valid entityID from SamlConfig +// assertEquals("local-name", generator.getEntityId()); +// assertEquals("local-name", SamlRedirectUtils.getZonifiedEntityId("local-name", IdentityZoneHolder.get())); +// assertNotNull(generator.getEntityId()); +// +// // remove SamlConfig +// newZone.getConfig().setSamlConfig(null); +// assertNotNull(SamlRedirectUtils.getZonifiedEntityId("local-idp", IdentityZoneHolder.get())); +// // now the entityID is generated id as before this change +// assertEquals("new-zone-id.local-name", SamlRedirectUtils.getZonifiedEntityId("local-name", IdentityZoneHolder.get())); } @Test void defaultKeys() throws Exception { - String metadata = getMetadata(otherZone, keyManager, generator, extendedMetadata); - - List encryptionKeys = SamlTestUtils.getCertificates(metadata, "encryption"); - assertEquals(1, encryptionKeys.size()); - assertEquals(cert1Plain, encryptionKeys.get(0)); - - List signingVerificationCerts = SamlTestUtils.getCertificates(metadata, "signing"); - assertEquals(1, signingVerificationCerts.size()); - assertEquals(cert1Plain, signingVerificationCerts.get(0)); + fail(); +// String metadata = getMetadata(otherZone, keyManager, generator, extendedMetadata); +// +// List encryptionKeys = SamlTestUtils.getCertificates(metadata, "encryption"); +// assertEquals(1, encryptionKeys.size()); +// assertEquals(cert1Plain, encryptionKeys.get(0)); +// +// List signingVerificationCerts = SamlTestUtils.getCertificates(metadata, "signing"); +// assertEquals(1, signingVerificationCerts.size()); +// assertEquals(cert1Plain, signingVerificationCerts.get(0)); } @Test void multipleKeys() throws Exception { - otherZoneDefinition.getSamlConfig().addKey("key2", samlKey2); - String metadata = 
getMetadata(otherZone, keyManager, generator, extendedMetadata); - - List encryptionKeys = SamlTestUtils.getCertificates(metadata, "encryption"); - assertEquals(1, encryptionKeys.size()); - assertEquals(cert1Plain, encryptionKeys.get(0)); - - List signingVerificationCerts = SamlTestUtils.getCertificates(metadata, "signing"); - assertEquals(2, signingVerificationCerts.size()); - assertThat(signingVerificationCerts, contains(cert1Plain, cert2Plain)); + fail(); +// otherZoneDefinition.getSamlConfig().addKey("key2", samlKey2); +// String metadata = getMetadata(otherZone, keyManager, generator, extendedMetadata); +// +// List encryptionKeys = SamlTestUtils.getCertificates(metadata, "encryption"); +// assertEquals(1, encryptionKeys.size()); +// assertEquals(cert1Plain, encryptionKeys.get(0)); +// +// List signingVerificationCerts = SamlTestUtils.getCertificates(metadata, "signing"); +// assertEquals(2, signingVerificationCerts.size()); +// assertThat(signingVerificationCerts, contains(cert1Plain, cert2Plain)); } @Test void changeActiveKey() throws Exception { - multipleKeys(); - otherZoneDefinition.getSamlConfig().addAndActivateKey("key2", samlKey2); - String metadata = getMetadata(otherZone, keyManager, generator, extendedMetadata); - - List encryptionKeys = SamlTestUtils.getCertificates(metadata, "encryption"); - assertEquals(1, encryptionKeys.size()); - assertEquals(cert2Plain, encryptionKeys.get(0)); - - List signingVerificationCerts = SamlTestUtils.getCertificates(metadata, "signing"); - assertEquals(2, signingVerificationCerts.size()); - assertThat(signingVerificationCerts, contains(cert2Plain, cert1Plain)); + fail(); +// multipleKeys(); +// otherZoneDefinition.getSamlConfig().addAndActivateKey("key2", samlKey2); +// String metadata = getMetadata(otherZone, keyManager, generator, extendedMetadata); +// +// List encryptionKeys = SamlTestUtils.getCertificates(metadata, "encryption"); +// assertEquals(1, encryptionKeys.size()); +// assertEquals(cert2Plain, 
encryptionKeys.get(0)); +// +// List signingVerificationCerts = SamlTestUtils.getCertificates(metadata, "signing"); +// assertEquals(2, signingVerificationCerts.size()); +// assertThat(signingVerificationCerts, contains(cert2Plain, cert1Plain)); } @Test void removeKey() throws Exception { - changeActiveKey(); - otherZoneDefinition.getSamlConfig().removeKey("key-1"); - String metadata = getMetadata(otherZone, keyManager, generator, extendedMetadata); - - List encryptionKeys = SamlTestUtils.getCertificates(metadata, "encryption"); - assertEquals(1, encryptionKeys.size()); - assertEquals(cert2Plain, encryptionKeys.get(0)); - - List signingVerificationCerts = SamlTestUtils.getCertificates(metadata, "signing"); - assertEquals(1, signingVerificationCerts.size()); - assertThat(signingVerificationCerts, contains(cert2Plain)); + fail(); +// changeActiveKey(); +// otherZoneDefinition.getSamlConfig().removeKey("key-1"); +// String metadata = getMetadata(otherZone, keyManager, generator, extendedMetadata); +// +// List encryptionKeys = SamlTestUtils.getCertificates(metadata, "encryption"); +// assertEquals(1, encryptionKeys.size()); +// assertEquals(cert2Plain, encryptionKeys.get(0)); +// +// List signingVerificationCerts = SamlTestUtils.getCertificates(metadata, "signing"); +// assertEquals(1, signingVerificationCerts.size()); +// assertThat(signingVerificationCerts, contains(cert2Plain)); } - private static String getMetadata( - IdentityZone otherZone, - KeyManager keyManager, - ZoneAwareMetadataGenerator generator, - ExtendedMetadata extendedMetadata) throws MarshallingException { - IdentityZoneHolder.set(otherZone); - return SAMLUtil.getMetadataAsString( - mock(MetadataManager.class), - keyManager, - generator.generateMetadata(), - extendedMetadata); - } +// private static String getMetadata( +// IdentityZone otherZone, +// KeyManager keyManager, +// ZoneAwareMetadataGenerator generator, +// ExtendedMetadata extendedMetadata) throws MarshallingException { +// 
IdentityZoneHolder.set(otherZone);
+// return SAMLUtil.getMetadataAsString(
+// mock(MetadataManager.class),
+// keyManager,
+// generator.generateMetadata(),
+// extendedMetadata);
+// }
 }
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/idp/SamlTestUtils.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/idp/SamlTestUtils.java
index 43443eaa32c..bafb36bc582 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/idp/SamlTestUtils.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/idp/SamlTestUtils.java
@@ -20,13 +20,13 @@
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
-import org.springframework.security.saml.context.SAMLMessageContext;
-import org.springframework.security.saml.key.KeyManager;
-import org.springframework.security.saml.metadata.ExtendedMetadata;
-import org.springframework.security.saml.metadata.MetadataGenerator;
+//import org.springframework.security.saml.context.SAMLMessageContext;
+//import org.springframework.security.saml.key.KeyManager;
+//import org.springframework.security.saml.metadata.ExtendedMetadata;
+//import org.springframework.security.saml.metadata.MetadataGenerator;
 
 import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
 import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
 import org.cloudfoundry.identity.uaa.constants.OriginKeys;
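Review bot: Every test in this hunk is reduced to `fail();`, including `testRequestAndWantAssertionSignedInAnotherZone`, which checked that switching zones via `IdentityZoneHolder.set(otherZone)` re-enables the request-signed and want-assertion-signed flags, and `defaultKeys`/`multipleKeys`/`changeActiveKey`/`removeKey`, which pinned which certificates are published as signing and encryption keys in the SP metadata. Those are the properties a peer IdP relies on, so they should be carried over as acceptance criteria for the replacement metadata generator rather than left in comments. With `setUp` (hunk `@@ -70`) no longer setting an entity base URL, entity id or key manager, the fixture is only half built; if the class cannot run at all, a class-level `@Disabled("awaiting replacement for the removed Spring Security SAML extension")` states that in one place instead of nine red tests. The private `getMetadata` helper at the end of the hunk is now dead commented code and can be dropped.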
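Review bot: The switch from `org.apache.commons.lang.StringUtils` to `org.apache.commons.lang3.StringUtils` is a real code change sitting among the commented-out imports, and the call sites are outside this hunk; it is worth confirming in review that every `StringUtils` method this class uses exists in lang3 with the same null and empty-string handling, since the two libraries are not drop-in identical in every helper. A one-line note in the commit description naming this as the one behavioural import change in the test utilities would make it easier to spot later.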
@@ -38,36 +38,36 @@
 import org.cloudfoundry.identity.uaa.zone.IdentityZone;
 import org.cloudfoundry.identity.uaa.zone.SamlConfig;
 import org.joda.time.DateTime;
-import org.opensaml.Configuration;
-import org.opensaml.DefaultBootstrap;
-import org.opensaml.common.SAMLObject;
-import org.opensaml.common.SAMLObjectBuilder;
-import org.opensaml.common.SAMLVersion;
-import org.opensaml.saml2.core.Assertion;
-import org.opensaml.saml2.core.Audience;
-import org.opensaml.saml2.core.AudienceRestriction;
-import org.opensaml.saml2.core.AuthnContext;
-import org.opensaml.saml2.core.AuthnContextClassRef;
-import org.opensaml.saml2.core.AuthnRequest;
-import org.opensaml.saml2.core.AuthnStatement;
-import org.opensaml.saml2.core.Conditions;
-import org.opensaml.saml2.core.Issuer;
-import org.opensaml.saml2.core.NameID;
-import org.opensaml.saml2.core.Subject;
-import org.opensaml.saml2.core.SubjectConfirmation;
-import org.opensaml.saml2.core.SubjectConfirmationData;
-import org.opensaml.saml2.core.impl.AssertionMarshaller;
-import org.opensaml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml2.metadata.SPSSODescriptor;
-import org.opensaml.xml.ConfigurationException;
-import org.opensaml.xml.XMLObjectBuilderFactory;
-import org.opensaml.xml.io.Marshaller;
-import org.opensaml.xml.security.SecurityHelper;
-import org.opensaml.xml.security.credential.Credential;
-import org.opensaml.xml.signature.Signature;
-import org.opensaml.xml.signature.Signer;
-import org.opensaml.xml.signature.impl.SignatureBuilder;
-import org.opensaml.xml.util.XMLHelper;
+//import org.opensaml.Configuration;
+//import org.opensaml.DefaultBootstrap;
+//import org.opensaml.common.SAMLObject;
+//import org.opensaml.common.SAMLObjectBuilder;
+//import org.opensaml.common.SAMLVersion;
+//import org.opensaml.saml2.core.Assertion;
+//import org.opensaml.saml2.core.Audience;
+//import org.opensaml.saml2.core.AudienceRestriction;
+//import org.opensaml.saml2.core.AuthnContext;
+//import org.opensaml.saml2.core.AuthnContextClassRef;
+//import org.opensaml.saml2.core.AuthnRequest;
+//import org.opensaml.saml2.core.AuthnStatement;
+//import org.opensaml.saml2.core.Conditions;
+//import org.opensaml.saml2.core.Issuer;
+//import org.opensaml.saml2.core.NameID;
+//import org.opensaml.saml2.core.Subject;
+//import org.opensaml.saml2.core.SubjectConfirmation;
+//import org.opensaml.saml2.core.SubjectConfirmationData;
+//import org.opensaml.saml2.core.impl.AssertionMarshaller;
+//import org.opensaml.saml2.metadata.EntityDescriptor;
+//import org.opensaml.saml2.metadata.SPSSODescriptor;
+//import org.opensaml.xml.ConfigurationException;
+//import org.opensaml.xml.XMLObjectBuilderFactory;
+//import org.opensaml.xml.io.Marshaller;
+//import org.opensaml.xml.security.SecurityHelper;
+//import org.opensaml.xml.security.credential.Credential;
+//import org.opensaml.xml.signature.Signature;
+//import org.opensaml.xml.signature.Signer;
+//import org.opensaml.xml.signature.impl.SignatureBuilder;
+//import org.opensaml.xml.util.XMLHelper;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
@@ -78,7 +78,7 @@
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
-import static org.opensaml.common.xml.SAMLConstants.SAML20P_NS;
+//import static org.opensaml.common.xml.SAMLConstants.SAML20P_NS;
 // TODO this class seems to be used more broadly than what its location indicates (uaa as saml idp); need to move it
 // also remove unused code in here
@@ -268,19 +268,19 @@ public class SamlTestUtils {
 "" + "";
- private XMLObjectBuilderFactory builderFactory;
+// private XMLObjectBuilderFactory builderFactory;
- public void initializeSimple() {
- builderFactory = Configuration.getBuilderFactory();
- }
+// public void initializeSimple() {
+// builderFactory = Configuration.getBuilderFactory();
+// }
- public void initialize() throws ConfigurationException {
+ public void initialize() /* throws ConfigurationException */ {
 IdentityZone.getUaa().getConfig().getSamlConfig().setPrivateKey(PROVIDER_PRIVATE_KEY);
 IdentityZone.getUaa().getConfig().getSamlConfig().setPrivateKeyPassword(PROVIDER_PRIVATE_KEY_PASSWORD);
 IdentityZone.getUaa().getConfig().getSamlConfig().setCertificate(PROVIDER_CERTIFICATE);
 AddBcProvider.noop();
- DefaultBootstrap.bootstrap();
- initializeSimple();
+// DefaultBootstrap.bootstrap();
+// initializeSimple();
 }
 void setupZoneWithSamlConfig(IdentityZone zone) {
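Review bot: `public void initialize() /* throws ConfigurationException */ {` leaves a commented-out throws clause inside a method signature; since the `ConfigurationException` import is itself commented out in the `@@ -38` hunk, the clause cannot come back as written, so drop the comment and write `public void initialize() {`. The method still installs PROVIDER_PRIVATE_KEY, PROVIDER_PRIVATE_KEY_PASSWORD and PROVIDER_CERTIFICATE on the default zone's SamlConfig but no longer bootstraps OpenSAML or `builderFactory`, and the `buildSamlObject`-based helpers that depended on that are commented out further down; a one-line comment such as `// Installs the test provider key material on the default zone; OpenSAML bootstrap was removed with the SAML extension.` would tell callers what `initialize()` now guarantees. `initializeSimple()` and the `builderFactory` field are dead commented code and can be removed outright.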
@@ -308,215 +308,215 @@ public static SamlIdentityProviderDefinition createLocalSamlIdpDefinition(String return def; } - @SuppressWarnings("unchecked") - SAMLMessageContext mockSamlMessageContext() { - return mockSamlMessageContext(mockAuthnRequest()); - } - - @SuppressWarnings("unchecked") - SAMLMessageContext mockSamlMessageContext(AuthnRequest authnRequest) { - SAMLMessageContext context = new SAMLMessageContext(); - - context.setPeerEntityId(SP_ENTITY_ID); - context.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - EntityDescriptor spMetadata = mockSpMetadata(); - context.setPeerEntityMetadata(spMetadata); - SPSSODescriptor spDescriptor = spMetadata.getSPSSODescriptor(SAML20P_NS); - context.setPeerEntityRoleMetadata(spDescriptor); - context.setInboundSAMLMessage(authnRequest); - - SamlConfig config = new SamlConfig(); - config.setPrivateKey(PROVIDER_PRIVATE_KEY); - config.setPrivateKeyPassword(PROVIDER_PRIVATE_KEY_PASSWORD); - config.setCertificate(PROVIDER_CERTIFICATE); - KeyManager keyManager = new SamlKeyManagerFactory().getKeyManager(config); - context.setLocalSigningCredential(keyManager.getDefaultCredential()); - return context; - } - - private EntityDescriptor mockSpMetadata() { - ExtendedMetadata extendedMetadata = new ExtendedMetadata(); - - MetadataGenerator metadataGenerator = new MetadataGenerator(); - metadataGenerator.setExtendedMetadata(extendedMetadata); - metadataGenerator.setEntityId(SP_ENTITY_ID); - metadataGenerator.setEntityBaseURL("http://localhost:8080/uaa/saml"); - metadataGenerator.setWantAssertionSigned(false); - - KeyManager keyManager = mock(KeyManager.class); - when(keyManager.getDefaultCredentialName()).thenReturn(null); - metadataGenerator.setKeyManager(keyManager); - return metadataGenerator.generateMetadata(); - } - - private AuthnRequest mockAuthnRequest() { - return mockAuthnRequest(null); - } - - public String mockAssertionEncoded(Assertion assertion) throws Exception { - AssertionMarshaller marshaller = new 
AssertionMarshaller(); - Element plaintextElement = marshaller.marshall(assertion); - String serializedElement = XMLHelper.nodeToString(plaintextElement); - return Base64.encodeBase64URLSafeString(serializedElement.getBytes(StandardCharsets.UTF_8)); - } - - public String mockAssertionEncoded( - String issuerEntityId, - String format, - String username, - String spEndpoint, - String audienceEntityID) throws Exception { - final Assertion assertion = mockAssertion(issuerEntityId, format, username, spEndpoint, audienceEntityID); - signAssertion(assertion, PROVIDER_PRIVATE_KEY, PROVIDER_PRIVATE_KEY_PASSWORD, PROVIDER_CERTIFICATE); - return mockAssertionEncoded(assertion); - } - - private Assertion mockAssertion( - String issuerEntityId, - String format, - String username, - String spEndpoint, - String audienceEntityID) { - final DateTime now = new DateTime(); - final DateTime until = now.plusHours(1); - - Assertion assertion = (Assertion) buildSamlObject(Assertion.DEFAULT_ELEMENT_NAME); - - { - assertion.setIssueInstant(now); - } - - { - final Issuer issuer = (Issuer) buildSamlObject(Issuer.DEFAULT_ELEMENT_NAME); - issuer.setValue(issuerEntityId); - assertion.setIssuer(issuer); - } - - { - final NameID nameId = (NameID) buildSamlObject(NameID.DEFAULT_ELEMENT_NAME); - nameId.setValue(username); - nameId.setNameQualifier(NameID.UNSPECIFIED); - nameId.setFormat(format); - - final SubjectConfirmationData confirmationMethod = (SubjectConfirmationData) buildSamlObject(SubjectConfirmationData.DEFAULT_ELEMENT_NAME); - confirmationMethod.setNotOnOrAfter(until); - confirmationMethod.setRecipient(spEndpoint); - - final SubjectConfirmation subjectConfirmation = (SubjectConfirmation) buildSamlObject(SubjectConfirmation.DEFAULT_ELEMENT_NAME); - subjectConfirmation.setSubjectConfirmationData(confirmationMethod); - subjectConfirmation.setMethod("urn:oasis:names:tc:SAML:2.0:cm:bearer"); - - final Subject subject = (Subject) buildSamlObject(Subject.DEFAULT_ELEMENT_NAME); - 
subject.setNameID(nameId); - subject.getSubjectConfirmations().add(subjectConfirmation); - - subject.getSubjectConfirmations().get(0).getSubjectConfirmationData().setInResponseTo(null); - subject.getSubjectConfirmations().get(0).getSubjectConfirmationData().setNotOnOrAfter(until); - - assertion.setSubject(subject); - } - - { - final Audience audience = (Audience) buildSamlObject(Audience.DEFAULT_ELEMENT_NAME); - audience.setAudienceURI(audienceEntityID); - - final AudienceRestriction audienceRestriction = (AudienceRestriction) buildSamlObject(AudienceRestriction.DEFAULT_ELEMENT_NAME); - audienceRestriction.getAudiences().add(audience); - - final Conditions conditions = (Conditions) buildSamlObject(Conditions.DEFAULT_ELEMENT_NAME); - conditions.getAudienceRestrictions().add(audienceRestriction); - conditions.setNotBefore(new DateTime().minusSeconds(2)); - conditions.setNotOnOrAfter(until); - - assertion.setConditions(conditions); - } - - { - final AuthnContextClassRef authnContextClassRef = (AuthnContextClassRef) buildSamlObject(AuthnContextClassRef.DEFAULT_ELEMENT_NAME); - authnContextClassRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:Password"); - - final AuthnContext authnContext = (AuthnContext) buildSamlObject(AuthnContext.DEFAULT_ELEMENT_NAME); - authnContext.setAuthnContextClassRef(authnContextClassRef); - - final AuthnStatement authnStatement = (AuthnStatement) buildSamlObject(AuthnStatement.DEFAULT_ELEMENT_NAME); - authnStatement.setAuthnInstant(now); - authnStatement.setSessionIndex("a358a06c15ja8d7a1idjaj07jb52gdi"); - authnStatement.setSessionNotOnOrAfter(until); - authnStatement.setAuthnContext(authnContext); - - assertion.getAuthnStatements().add(authnStatement); - } - - return assertion; - } - - private SAMLObject buildSamlObject(QName elementName) { - SAMLObjectBuilder issuerBuilder = (SAMLObjectBuilder) builderFactory.getBuilder(elementName); - return issuerBuilder.buildObject(); - } - - public void signAssertion( - Assertion 
assertion, - String privateKey, - String keyPassword, - String certificate) - throws Exception { - - final Signature signature = generateSignature(privateKey, keyPassword, certificate); - assertion.setSignature(signature); - Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(assertion); - marshaller.marshall(assertion); - Signer.signObject(signature); - } - - private Signature generateSignature(String privateKey, String keyPassword, String certificate) - throws org.opensaml.xml.security.SecurityException { - SamlConfig config = new SamlConfig(); - config.addAndActivateKey("active-key", new SamlKey(privateKey, keyPassword, certificate)); - KeyManager keyManager = new SamlKeyManagerFactory().getKeyManager(config); - SignatureBuilder signatureBuilder = (SignatureBuilder) builderFactory.getBuilder(Signature.DEFAULT_ELEMENT_NAME); - Signature signature = signatureBuilder.buildObject(); - final Credential defaultCredential = keyManager.getDefaultCredential(); - signature.setSigningCredential(defaultCredential); - SecurityHelper.prepareSignatureParams(signature, defaultCredential, null, null); - return signature; - } - - AuthnRequest mockAuthnRequest(String nameIDFormat) { - @SuppressWarnings("unchecked") - SAMLObjectBuilder builder = (SAMLObjectBuilder) builderFactory - .getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME); - AuthnRequest request = builder.buildObject(); - request.setVersion(SAMLVersion.VERSION_20); - request.setID(generateID()); - request.setIssuer(getIssuer(SP_ENTITY_ID)); - request.setVersion(SAMLVersion.VERSION_20); - request.setIssueInstant(new DateTime()); - if (null != nameIDFormat) { - NameID nameID = ((SAMLObjectBuilder) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME)) - .buildObject(); - nameID.setFormat(nameIDFormat); - Subject subject = ((SAMLObjectBuilder) builderFactory.getBuilder(Subject.DEFAULT_ELEMENT_NAME)) - .buildObject(); - subject.setNameID(nameID); - request.setSubject(subject); - } - return request; - } +// 
@SuppressWarnings("unchecked") +// SAMLMessageContext mockSamlMessageContext() { +// return mockSamlMessageContext(mockAuthnRequest()); +// } + +// @SuppressWarnings("unchecked") +// SAMLMessageContext mockSamlMessageContext(AuthnRequest authnRequest) { +// SAMLMessageContext context = new SAMLMessageContext(); +// +// context.setPeerEntityId(SP_ENTITY_ID); +// context.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); +// EntityDescriptor spMetadata = mockSpMetadata(); +// context.setPeerEntityMetadata(spMetadata); +// SPSSODescriptor spDescriptor = spMetadata.getSPSSODescriptor(SAML20P_NS); +// context.setPeerEntityRoleMetadata(spDescriptor); +// context.setInboundSAMLMessage(authnRequest); +// +// SamlConfig config = new SamlConfig(); +// config.setPrivateKey(PROVIDER_PRIVATE_KEY); +// config.setPrivateKeyPassword(PROVIDER_PRIVATE_KEY_PASSWORD); +// config.setCertificate(PROVIDER_CERTIFICATE); +// KeyManager keyManager = new SamlKeyManagerFactory().getKeyManager(config); +// context.setLocalSigningCredential(keyManager.getDefaultCredential()); +// return context; +// } + +// private EntityDescriptor mockSpMetadata() { +// ExtendedMetadata extendedMetadata = new ExtendedMetadata(); +// +// MetadataGenerator metadataGenerator = new MetadataGenerator(); +// metadataGenerator.setExtendedMetadata(extendedMetadata); +// metadataGenerator.setEntityId(SP_ENTITY_ID); +// metadataGenerator.setEntityBaseURL("http://localhost:8080/uaa/saml"); +// metadataGenerator.setWantAssertionSigned(false); +// +// KeyManager keyManager = mock(KeyManager.class); +// when(keyManager.getDefaultCredentialName()).thenReturn(null); +// metadataGenerator.setKeyManager(keyManager); +// return metadataGenerator.generateMetadata(); +// } + +// private AuthnRequest mockAuthnRequest() { +// return mockAuthnRequest(null); +// } + +// public String mockAssertionEncoded(Assertion assertion) throws Exception { +// AssertionMarshaller marshaller = new AssertionMarshaller(); +// Element 
plaintextElement = marshaller.marshall(assertion); +// String serializedElement = XMLHelper.nodeToString(plaintextElement); +// return Base64.encodeBase64URLSafeString(serializedElement.getBytes(StandardCharsets.UTF_8)); +// } + +// public String mockAssertionEncoded( +// String issuerEntityId, +// String format, +// String username, +// String spEndpoint, +// String audienceEntityID) throws Exception { +// final Assertion assertion = mockAssertion(issuerEntityId, format, username, spEndpoint, audienceEntityID); +// signAssertion(assertion, PROVIDER_PRIVATE_KEY, PROVIDER_PRIVATE_KEY_PASSWORD, PROVIDER_CERTIFICATE); +// return mockAssertionEncoded(assertion); +// } + +// private Assertion mockAssertion( +// String issuerEntityId, +// String format, +// String username, +// String spEndpoint, +// String audienceEntityID) { +// final DateTime now = new DateTime(); +// final DateTime until = now.plusHours(1); +// +// Assertion assertion = (Assertion) buildSamlObject(Assertion.DEFAULT_ELEMENT_NAME); +// +// { +// assertion.setIssueInstant(now); +// } +// +// { +// final Issuer issuer = (Issuer) buildSamlObject(Issuer.DEFAULT_ELEMENT_NAME); +// issuer.setValue(issuerEntityId); +// assertion.setIssuer(issuer); +// } +// +// { +// final NameID nameId = (NameID) buildSamlObject(NameID.DEFAULT_ELEMENT_NAME); +// nameId.setValue(username); +// nameId.setNameQualifier(NameID.UNSPECIFIED); +// nameId.setFormat(format); +// +// final SubjectConfirmationData confirmationMethod = (SubjectConfirmationData) buildSamlObject(SubjectConfirmationData.DEFAULT_ELEMENT_NAME); +// confirmationMethod.setNotOnOrAfter(until); +// confirmationMethod.setRecipient(spEndpoint); +// +// final SubjectConfirmation subjectConfirmation = (SubjectConfirmation) buildSamlObject(SubjectConfirmation.DEFAULT_ELEMENT_NAME); +// subjectConfirmation.setSubjectConfirmationData(confirmationMethod); +// subjectConfirmation.setMethod("urn:oasis:names:tc:SAML:2.0:cm:bearer"); +// +// final Subject subject = 
(Subject) buildSamlObject(Subject.DEFAULT_ELEMENT_NAME); +// subject.setNameID(nameId); +// subject.getSubjectConfirmations().add(subjectConfirmation); +// +// subject.getSubjectConfirmations().get(0).getSubjectConfirmationData().setInResponseTo(null); +// subject.getSubjectConfirmations().get(0).getSubjectConfirmationData().setNotOnOrAfter(until); +// +// assertion.setSubject(subject); +// } +// +// { +// final Audience audience = (Audience) buildSamlObject(Audience.DEFAULT_ELEMENT_NAME); +// audience.setAudienceURI(audienceEntityID); +// +// final AudienceRestriction audienceRestriction = (AudienceRestriction) buildSamlObject(AudienceRestriction.DEFAULT_ELEMENT_NAME); +// audienceRestriction.getAudiences().add(audience); +// +// final Conditions conditions = (Conditions) buildSamlObject(Conditions.DEFAULT_ELEMENT_NAME); +// conditions.getAudienceRestrictions().add(audienceRestriction); +// conditions.setNotBefore(new DateTime().minusSeconds(2)); +// conditions.setNotOnOrAfter(until); +// +// assertion.setConditions(conditions); +// } +// +// { +// final AuthnContextClassRef authnContextClassRef = (AuthnContextClassRef) buildSamlObject(AuthnContextClassRef.DEFAULT_ELEMENT_NAME); +// authnContextClassRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:Password"); +// +// final AuthnContext authnContext = (AuthnContext) buildSamlObject(AuthnContext.DEFAULT_ELEMENT_NAME); +// authnContext.setAuthnContextClassRef(authnContextClassRef); +// +// final AuthnStatement authnStatement = (AuthnStatement) buildSamlObject(AuthnStatement.DEFAULT_ELEMENT_NAME); +// authnStatement.setAuthnInstant(now); +// authnStatement.setSessionIndex("a358a06c15ja8d7a1idjaj07jb52gdi"); +// authnStatement.setSessionNotOnOrAfter(until); +// authnStatement.setAuthnContext(authnContext); +// +// assertion.getAuthnStatements().add(authnStatement); +// } +// +// return assertion; +// } + +// private SAMLObject buildSamlObject(QName elementName) { +// SAMLObjectBuilder issuerBuilder = 
(SAMLObjectBuilder) builderFactory.getBuilder(elementName); +// return issuerBuilder.buildObject(); +// } + +// public void signAssertion( +// Assertion assertion, +// String privateKey, +// String keyPassword, +// String certificate) +// throws Exception { +// +// final Signature signature = generateSignature(privateKey, keyPassword, certificate); +// assertion.setSignature(signature); +// Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(assertion); +// marshaller.marshall(assertion); +// Signer.signObject(signature); +// } + +// private Signature generateSignature(String privateKey, String keyPassword, String certificate) +// throws org.opensaml.xml.security.SecurityException { +// SamlConfig config = new SamlConfig(); +// config.addAndActivateKey("active-key", new SamlKey(privateKey, keyPassword, certificate)); +// KeyManager keyManager = new SamlKeyManagerFactory().getKeyManager(config); +// SignatureBuilder signatureBuilder = (SignatureBuilder) builderFactory.getBuilder(Signature.DEFAULT_ELEMENT_NAME); +// Signature signature = signatureBuilder.buildObject(); +// final Credential defaultCredential = keyManager.getDefaultCredential(); +// signature.setSigningCredential(defaultCredential); +// SecurityHelper.prepareSignatureParams(signature, defaultCredential, null, null); +// return signature; +// } + +// AuthnRequest mockAuthnRequest(String nameIDFormat) { +// @SuppressWarnings("unchecked") +// SAMLObjectBuilder builder = (SAMLObjectBuilder) builderFactory +// .getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME); +// AuthnRequest request = builder.buildObject(); +// request.setVersion(SAMLVersion.VERSION_20); +// request.setID(generateID()); +// request.setIssuer(getIssuer(SP_ENTITY_ID)); +// request.setVersion(SAMLVersion.VERSION_20); +// request.setIssueInstant(new DateTime()); +// if (null != nameIDFormat) { +// NameID nameID = ((SAMLObjectBuilder) builderFactory.getBuilder(NameID.DEFAULT_ELEMENT_NAME)) +// .buildObject(); +// 
nameID.setFormat(nameIDFormat); +// Subject subject = ((SAMLObjectBuilder) builderFactory.getBuilder(Subject.DEFAULT_ELEMENT_NAME)) +// .buildObject(); +// subject.setNameID(nameID); +// request.setSubject(subject); +// } +// return request; +// } private String generateID() { Random r = new Random(); return 'a' + Long.toString(Math.abs(r.nextLong()), 20) + Long.toString(Math.abs(r.nextLong()), 20); } - public Issuer getIssuer(String localEntityId) { - @SuppressWarnings("unchecked") - SAMLObjectBuilder issuerBuilder = (SAMLObjectBuilder) builderFactory - .getBuilder(Issuer.DEFAULT_ELEMENT_NAME); - Issuer issuer = issuerBuilder.buildObject(); - issuer.setValue(localEntityId); - return issuer; - } +// public Issuer getIssuer(String localEntityId) { +// @SuppressWarnings("unchecked") +// SAMLObjectBuilder issuerBuilder = (SAMLObjectBuilder) builderFactory +// .getBuilder(Issuer.DEFAULT_ELEMENT_NAME); +// Issuer issuer = issuerBuilder.buildObject(); +// issuer.setValue(localEntityId); +// return issuer; +// } private UaaAuthentication mockUaaAuthentication() { return mockUaaAuthentication(UUID.randomUUID().toString()); diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneHolderTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneHolderTest.java index fb873546cf7..281c9edc4c5 100644 --- a/server/src/test/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneHolderTest.java +++ b/server/src/test/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneHolderTest.java @@ -19,7 +19,7 @@ import org.junit.jupiter.api.*; import org.junit.jupiter.api.extension.ExtendWith; import org.mockito.InOrder; -import org.springframework.security.saml.key.KeyManager; +//import org.springframework.security.saml.key.KeyManager; import org.springframework.test.util.ReflectionTestUtils; import java.util.UUID; 
@@ -27,6 +27,7 @@ import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.nullValue; +import static org.junit.Assert.fail; import static org.mockito.Mockito.*; @ExtendWith(PollutionPreventionExtension.class) @@ -37,23 +38,25 @@ class IdentityZoneHolderTest { @BeforeEach void setUp() { mockSamlKeyManagerFactory = mock(SamlKeyManagerFactory.class); - setSamlKeyManagerFactory(mockSamlKeyManagerFactory); +// setSamlKeyManagerFactory(mockSamlKeyManagerFactory); } - @AfterAll - static void tearDown() { - setSamlKeyManagerFactory(new SamlKeyManagerFactory()); - } +// @AfterAll +// static void tearDown() { +// setSamlKeyManagerFactory(new SamlKeyManagerFactory()); +// } + // IdentityZoneHolder has a lot of SAML functionality built-in + // Also, note that it's deprecated and we should migrate the code to use IdentityZoneManager @Test void set() { IdentityZone mockIdentityZone = mock(IdentityZone.class); - getKeyManagerThreadLocal().set(mock(KeyManager.class)); +// getKeyManagerThreadLocal().set(mock(KeyManager.class)); IdentityZoneHolder.set(mockIdentityZone); assertThat(IdentityZoneHolder.get(), is(mockIdentityZone)); - assertThat(getKeyManagerThreadLocal().get(), is(nullValue())); +// assertThat(getKeyManagerThreadLocal().get(), is(nullValue())); } @Test 
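Review bot: `set()` no longer checks that installing a new zone clears the cached SP key manager (the `getKeyManagerThreadLocal().get()` assertion is commented out), so if `IdentityZoneHolder` still keeps a per-thread `KEY_MANAGER_THREAD_LOCAL` after this commit — not visible here — a key manager cached for one zone could be reused on the same thread for another zone, which is exactly the cross-zone key reuse the removed assertion guarded against. Either assert the replacement behaviour in `set()` or record the gap next to the new comment, e.g. `// TODO(<TRACKING-REF>): re-assert that set() drops any zone-scoped SAML key material cached on the thread`. `setUp` still builds `mockSamlKeyManagerFactory`, but with the `setSamlKeyManagerFactory` call and `tearDown` commented out nothing installs it, so it is dead state until the commented tests return.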
@@ -117,29 +120,30 @@ void getUaaZone() { @Test void getSamlSPKeyManager_WhenSecondCallWorks() { - IdentityZone mockIdentityZone = mock(IdentityZone.class); - IdentityZoneHolder.set(mockIdentityZone); - - IdentityZoneConfiguration mockIdentityZoneConfiguration = mock(IdentityZoneConfiguration.class); - when(mockIdentityZone.getConfig()).thenReturn(mockIdentityZoneConfiguration); - - SamlConfig mockSamlConfig = mock(SamlConfig.class); - when(mockIdentityZoneConfiguration.getSamlConfig()).thenReturn(mockSamlConfig); - - KeyManager expectedKeyManager = mock(KeyManager.class); - when(mockSamlKeyManagerFactory.getKeyManager(any())) - .thenReturn(null) - .thenReturn(expectedKeyManager); - - // Call several times! The value is cached in KEY_MANAGER_THREAD_LOCAL - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - - verify(mockSamlKeyManagerFactory).getKeyManager(mockSamlConfig); - verify(mockSamlKeyManagerFactory, times(2)).getKeyManager(any()); + fail(); +// IdentityZone mockIdentityZone = mock(IdentityZone.class); +// IdentityZoneHolder.set(mockIdentityZone); +// +// IdentityZoneConfiguration mockIdentityZoneConfiguration = mock(IdentityZoneConfiguration.class); +// when(mockIdentityZone.getConfig()).thenReturn(mockIdentityZoneConfiguration); +// +// SamlConfig mockSamlConfig = mock(SamlConfig.class); +// when(mockIdentityZoneConfiguration.getSamlConfig()).thenReturn(mockSamlConfig); +// +// KeyManager expectedKeyManager = mock(KeyManager.class); +// when(mockSamlKeyManagerFactory.getKeyManager(any())) +// .thenReturn(null) +// .thenReturn(expectedKeyManager); +// +// // Call several times! 
The value is cached in KEY_MANAGER_THREAD_LOCAL +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// +// verify(mockSamlKeyManagerFactory).getKeyManager(mockSamlConfig); +// verify(mockSamlKeyManagerFactory, times(2)).getKeyManager(any()); } } 
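Review bot: `fail()` makes `getSamlSPKeyManager_WhenSecondCallWorks` fail unconditionally with no message, so the suite stays red and the report gives no reason; the same pattern appears in the `@@ -172,78 +176,81 @@` hunk, in `OIDCLoginIT` and in `BootstrapTests`. Since this class already imports `org.junit.jupiter.api.*`, annotate the test `@Disabled("<reason: SAML library removal, see TRACKING-REF>")` instead, which keeps the intent visible without breaking the build, and drop the JUnit 4 `org.junit.Assert.fail` import added in `@@ -27,6 +27,7 @@`, which mixes two assertion frameworks into a Jupiter class. These tests were the only coverage visible here for which SP key manager a zone resolves (cached value, zone config, fall-back to provisioning), so whatever replaces `getSamlSPKeyManager` needs equivalent tests before the commented bodies are deleted; a zone signing or decrypting with another zone's key would otherwise go unnoticed.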
@@ -172,78 +176,81 @@ void getUaaZone() { @Test void getSamlSPKeyManager_WhenSecondCallWorks() { - IdentityZoneConfiguration mockIdentityZoneConfigurationFromProvisioning = mock(IdentityZoneConfiguration.class); - when(mockIdentityZoneFromProvisioning.getConfig()).thenReturn(mockIdentityZoneConfigurationFromProvisioning); - - SamlConfig mockSamlConfigFromProvisioning = mock(SamlConfig.class); - when(mockIdentityZoneConfigurationFromProvisioning.getSamlConfig()).thenReturn(mockSamlConfigFromProvisioning); - - IdentityZone mockIdentityZone = mock(IdentityZone.class); - IdentityZoneConfiguration mockIdentityZoneConfiguration = mock(IdentityZoneConfiguration.class); - SamlConfig mockSamlConfig = mock(SamlConfig.class); - when(mockIdentityZone.getConfig()).thenReturn(mockIdentityZoneConfiguration); - when(mockIdentityZoneConfiguration.getSamlConfig()).thenReturn(mockSamlConfig); - when(mockSamlKeyManagerFactory.getKeyManager(mockSamlConfig)) - .thenReturn(null); - IdentityZoneHolder.set(mockIdentityZone); - - KeyManager expectedKeyManager = mock(KeyManager.class); - when(mockSamlKeyManagerFactory.getKeyManager(mockSamlConfigFromProvisioning)) - .thenReturn(expectedKeyManager); - - // Call several times! 
The value is cached in KEY_MANAGER_THREAD_LOCAL - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - - InOrder inOrder = inOrder(mockSamlKeyManagerFactory); - - inOrder.verify(mockSamlKeyManagerFactory).getKeyManager(mockSamlConfig); - inOrder.verify(mockSamlKeyManagerFactory).getKeyManager(mockSamlConfigFromProvisioning); - verify(mockSamlKeyManagerFactory, times(2)).getKeyManager(any()); + fail(); +// IdentityZoneConfiguration mockIdentityZoneConfigurationFromProvisioning = mock(IdentityZoneConfiguration.class); +// when(mockIdentityZoneFromProvisioning.getConfig()).thenReturn(mockIdentityZoneConfigurationFromProvisioning); +// +// SamlConfig mockSamlConfigFromProvisioning = mock(SamlConfig.class); +// when(mockIdentityZoneConfigurationFromProvisioning.getSamlConfig()).thenReturn(mockSamlConfigFromProvisioning); +// +// IdentityZone mockIdentityZone = mock(IdentityZone.class); +// IdentityZoneConfiguration mockIdentityZoneConfiguration = mock(IdentityZoneConfiguration.class); +// SamlConfig mockSamlConfig = mock(SamlConfig.class); +// when(mockIdentityZone.getConfig()).thenReturn(mockIdentityZoneConfiguration); +// when(mockIdentityZoneConfiguration.getSamlConfig()).thenReturn(mockSamlConfig); +// when(mockSamlKeyManagerFactory.getKeyManager(mockSamlConfig)) +// .thenReturn(null); +// IdentityZoneHolder.set(mockIdentityZone); +// +// KeyManager expectedKeyManager = mock(KeyManager.class); +// when(mockSamlKeyManagerFactory.getKeyManager(mockSamlConfigFromProvisioning)) +// .thenReturn(expectedKeyManager); +// +// // Call several times! 
The value is cached in KEY_MANAGER_THREAD_LOCAL +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// +// InOrder inOrder = inOrder(mockSamlKeyManagerFactory); +// +// inOrder.verify(mockSamlKeyManagerFactory).getKeyManager(mockSamlConfig); +// inOrder.verify(mockSamlKeyManagerFactory).getKeyManager(mockSamlConfigFromProvisioning); +// verify(mockSamlKeyManagerFactory, times(2)).getKeyManager(any()); } } @Test void getSamlSPKeyManager_WhenKeyManagerIsNotNull() { - KeyManager expectedKeyManager = mock(KeyManager.class); - getKeyManagerThreadLocal().set(expectedKeyManager); - - // Call several times! The value is cached in KEY_MANAGER_THREAD_LOCAL - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - - verify(mockSamlKeyManagerFactory, never()).getKeyManager(any()); + fail(); +// KeyManager expectedKeyManager = mock(KeyManager.class); +// getKeyManagerThreadLocal().set(expectedKeyManager); +// +// // Call several times! 
The value is cached in KEY_MANAGER_THREAD_LOCAL +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// +// verify(mockSamlKeyManagerFactory, never()).getKeyManager(any()); } @Test void getSamlSPKeyManager_WhenFirstCallWorks() { - IdentityZone mockIdentityZone = mock(IdentityZone.class); - IdentityZoneHolder.set(mockIdentityZone); - - IdentityZoneConfiguration mockIdentityZoneConfiguration = mock(IdentityZoneConfiguration.class); - when(mockIdentityZone.getConfig()).thenReturn(mockIdentityZoneConfiguration); - - SamlConfig mockSamlConfig = mock(SamlConfig.class); - when(mockIdentityZoneConfiguration.getSamlConfig()).thenReturn(mockSamlConfig); - - KeyManager expectedKeyManager = mock(KeyManager.class); - when(mockSamlKeyManagerFactory.getKeyManager(any())).thenReturn(expectedKeyManager); - - // Call several times! 
The value is cached in KEY_MANAGER_THREAD_LOCAL - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); - - verify(mockSamlKeyManagerFactory).getKeyManager(mockSamlConfig); - verify(mockSamlKeyManagerFactory, times(1)).getKeyManager(any()); + fail(); +// IdentityZone mockIdentityZone = mock(IdentityZone.class); +// IdentityZoneHolder.set(mockIdentityZone); +// +// IdentityZoneConfiguration mockIdentityZoneConfiguration = mock(IdentityZoneConfiguration.class); +// when(mockIdentityZone.getConfig()).thenReturn(mockIdentityZoneConfiguration); +// +// SamlConfig mockSamlConfig = mock(SamlConfig.class); +// when(mockIdentityZoneConfiguration.getSamlConfig()).thenReturn(mockSamlConfig); +// +// KeyManager expectedKeyManager = mock(KeyManager.class); +// when(mockSamlKeyManagerFactory.getKeyManager(any())).thenReturn(expectedKeyManager); +// +// // Call several times! The value is cached in KEY_MANAGER_THREAD_LOCAL +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// assertThat(IdentityZoneHolder.getSamlSPKeyManager(), is(expectedKeyManager)); +// +// verify(mockSamlKeyManagerFactory).getKeyManager(mockSamlConfig); +// verify(mockSamlKeyManagerFactory, times(1)).getKeyManager(any()); } @Test 
@@ -264,9 +271,9 @@ private static void setSamlKeyManagerFactory( samlKeyManagerFactory); } - private static ThreadLocal getKeyManagerThreadLocal() { - return (ThreadLocal) - ReflectionTestUtils.getField(IdentityZoneHolder.class, "KEY_MANAGER_THREAD_LOCAL"); - } +// private static ThreadLocal getKeyManagerThreadLocal() { +// return (ThreadLocal) +// ReflectionTestUtils.getField(IdentityZoneHolder.class, "KEY_MANAGER_THREAD_LOCAL"); +// } } diff --git a/uaa/build.gradle b/uaa/build.gradle index 7c6616f4e32..866bb695b5e 100644 --- a/uaa/build.gradle +++ b/uaa/build.gradle @@ -86,7 +86,7 @@ dependencies { testImplementation(libraries.springSessionJdbc) testImplementation(libraries.springTest) testImplementation(libraries.springSecurityLdap) - testImplementation(libraries.springSecuritySaml) +// testImplementation(libraries.springSecuritySaml) testImplementation(libraries.springSecurityTest) testImplementation(libraries.springBootStarterMail) testImplementation(libraries.mockito) diff --git a/uaa/src/main/webapp/WEB-INF/spring-servlet.xml b/uaa/src/main/webapp/WEB-INF/spring-servlet.xml index 80944484569..94c61c7635a 100755 --- a/uaa/src/main/webapp/WEB-INF/spring-servlet.xml +++ b/uaa/src/main/webapp/WEB-INF/spring-servlet.xml @@ -438,7 +438,7 @@ value="#{@config['disableInternalUserManagement'] == null ? false : @config['disableInternalUserManagement']}"/> - + diff --git a/uaa/src/main/webapp/WEB-INF/spring/oauth-endpoints.xml b/uaa/src/main/webapp/WEB-INF/spring/oauth-endpoints.xml index b27d4731fd2..a5ce63e6177 100755 --- a/uaa/src/main/webapp/WEB-INF/spring/oauth-endpoints.xml +++ b/uaa/src/main/webapp/WEB-INF/spring/oauth-endpoints.xml @@ -250,7 +250,7 @@ class="org.cloudfoundry.identity.uaa.authentication.BackwardsCompatibleTokenEndpointAuthenticationFilter"> - + diff --git a/uaa/src/main/webapp/WEB-INF/spring/saml-providers.xml b/uaa/src/main/webapp/WEB-INF/spring/saml-providers.xml index f51367ac44c..6e97956606e 100644 
--- a/uaa/src/main/webapp/WEB-INF/spring/saml-providers.xml +++ b/uaa/src/main/webapp/WEB-INF/spring/saml-providers.xml @@ -6,314 +6,314 @@ http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsddiff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/OIDCLoginIT.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/OIDCLoginIT.java index 149c5345072..20ad5541b82 100644 --- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/OIDCLoginIT.java +++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/OIDCLoginIT.java @@ -90,12 +90,7 @@ import static org.hamcrest.Matchers.endsWith; import static org.hamcrest.Matchers.not; import static org.hamcrest.Matchers.startsWith; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertNotEquals; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertNull; -import static org.junit.Assert.assertTrue; +import static org.junit.Assert.*; @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration(classes = DefaultIntegrationTestConfig.class) 
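Review bot: Replacing six explicit `org.junit.Assert` static imports with `import static org.junit.Assert.*;` departs from the explicit-import style the neighbouring `org.hamcrest.Matchers` lines keep, and a wildcard static import of `Assert` makes it easy to pick up JUnit 4 assertions unintentionally elsewhere in the file. Keep the six existing imports and add only the one the commit needs: `import static org.junit.Assert.fail;`.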
@@ -457,89 +452,90 @@ public void testShadowUserNameDefaultsToOIDCSubjectClaim() { @Test public void successfulLoginWithOIDC_and_SAML_Provider_PlusRefreshRotation() throws Exception { - SamlIdentityProviderDefinition saml = IntegrationTestUtils.createSimplePHPSamlIDP("simplesamlphp", OriginKeys.UAA); - saml.setLinkText("SAML Login"); - saml.setShowSamlLink(true); - IdentityProvider samlProvider = new IdentityProvider<>(); - samlProvider - .setName("SAML to default zone") - .setOriginKey(saml.getIdpEntityAlias()) - .setType(OriginKeys.SAML) - .setConfig(saml) - .setIdentityZoneId(saml.getZoneId()); - samlProvider = IntegrationTestUtils.createOrUpdateProvider(clientCredentialsToken, baseUrl, samlProvider); - try { - - /* - This test creates an OIDC provider. That provider in turn has a SAML provider. - The end user is authenticated using OIDC federating to SAML - */ - webDriver.get(zoneUrl + "/login"); - webDriver.findElement(By.linkText("My OIDC Provider")).click(); - Assert.assertThat(webDriver.getCurrentUrl(), containsString(baseUrl)); - - webDriver.findElement(By.linkText("SAML Login")).click(); - webDriver.findElement(By.xpath(SIMPLESAMLPHP_LOGIN_PROMPT_XPATH_EXPR)); - webDriver.findElement(By.name("username")).clear(); - webDriver.findElement(By.name("username")).sendKeys("marissa6"); - webDriver.findElement(By.name("password")).sendKeys("saml6"); - webDriver.findElement(By.id("submit_button")).click(); - - assertThat(webDriver.getCurrentUrl(), containsString(zoneUrl)); - assertThat(webDriver.findElement(By.cssSelector("h1")).getText(), containsString("Where to?")); - - Cookie cookie = webDriver.manage().getCookieNamed("JSESSIONID"); - - ServerRunning serverRunning = ServerRunning.isRunning(); - serverRunning.setHostName(zone.getSubdomain() + ".localhost"); - - Map authCodeTokenResponse = IntegrationTestUtils.getAuthorizationCodeTokenMap(serverRunning, - UaaTestAccounts.standard(serverRunning), - zoneClient.getClientId(), - "secret", - null, - null, - "token 
id_token", - cookie.getValue(), - null, - null, - false); - - //validate that we have an ID token, and that it contains costCenter and manager values - String idToken = authCodeTokenResponse.get("id_token"); - assertNotNull(idToken); - - Jwt idTokenClaims = JwtHelper.decode(idToken); - Map claims = JsonUtils.readValue(idTokenClaims.getClaims(), new TypeReference>() { - }); - - assertNotNull("id_token should contain ACR claim", claims.get(ClaimConstants.ACR)); - Map acr = (Map) claims.get(ClaimConstants.ACR); - assertNotNull("acr claim should contain values attribute", acr.get("values")); - assertThat((List) acr.get("values"), containsInAnyOrder(PASSWORD_AUTHN_CTX)); - - UserInfoResponse userInfo = IntegrationTestUtils.getUserInfo(zoneUrl, authCodeTokenResponse.get("access_token")); - - Map> userAttributeMap = userInfo.getUserAttributes(); - assertNotNull(userAttributeMap); - List clientIds = userAttributeMap.get("the_client_id"); - assertNotNull(clientIds); - assertEquals("identity", clientIds.get(0)); - setRefreshTokenRotate(false); - String refreshToken1 = getRefreshTokenResponse(serverRunning, authCodeTokenResponse.get("refresh_token")); - String refreshToken2 = getRefreshTokenResponse(serverRunning, refreshToken1); - assertEquals("New refresh token should be equal to the old one.", - refreshToken1, - refreshToken2); - setRefreshTokenRotate(true); - refreshToken1 = getRefreshTokenResponse(serverRunning, refreshToken2); - refreshToken2 = getRefreshTokenResponse(serverRunning, refreshToken1); - assertNotEquals("New access token should be different from the old one.", - refreshToken1, - refreshToken2); - } finally { - IntegrationTestUtils.deleteProvider(clientCredentialsToken, baseUrl, OriginKeys.UAA, samlProvider.getOriginKey()); - } + fail(); +// SamlIdentityProviderDefinition saml = IntegrationTestUtils.createSimplePHPSamlIDP("simplesamlphp", OriginKeys.UAA); +// saml.setLinkText("SAML Login"); +// saml.setShowSamlLink(true); +// IdentityProvider samlProvider = 
new IdentityProvider<>(); +// samlProvider +// .setName("SAML to default zone") +// .setOriginKey(saml.getIdpEntityAlias()) +// .setType(OriginKeys.SAML) +// .setConfig(saml) +// .setIdentityZoneId(saml.getZoneId()); +// samlProvider = IntegrationTestUtils.createOrUpdateProvider(clientCredentialsToken, baseUrl, samlProvider); +// try { +// +// /* +// This test creates an OIDC provider. That provider in turn has a SAML provider. +// The end user is authenticated using OIDC federating to SAML +// */ +// webDriver.get(zoneUrl + "/login"); +// webDriver.findElement(By.linkText("My OIDC Provider")).click(); +// Assert.assertThat(webDriver.getCurrentUrl(), containsString(baseUrl)); +// +// webDriver.findElement(By.linkText("SAML Login")).click(); +// webDriver.findElement(By.xpath(SIMPLESAMLPHP_LOGIN_PROMPT_XPATH_EXPR)); +// webDriver.findElement(By.name("username")).clear(); +// webDriver.findElement(By.name("username")).sendKeys("marissa6"); +// webDriver.findElement(By.name("password")).sendKeys("saml6"); +// webDriver.findElement(By.id("submit_button")).click(); +// +// assertThat(webDriver.getCurrentUrl(), containsString(zoneUrl)); +// assertThat(webDriver.findElement(By.cssSelector("h1")).getText(), containsString("Where to?")); +// +// Cookie cookie = webDriver.manage().getCookieNamed("JSESSIONID"); +// +// ServerRunning serverRunning = ServerRunning.isRunning(); +// serverRunning.setHostName(zone.getSubdomain() + ".localhost"); +// +// Map authCodeTokenResponse = IntegrationTestUtils.getAuthorizationCodeTokenMap(serverRunning, +// UaaTestAccounts.standard(serverRunning), +// zoneClient.getClientId(), +// "secret", +// null, +// null, +// "token id_token", +// cookie.getValue(), +// null, +// null, +// false); +// +// //validate that we have an ID token, and that it contains costCenter and manager values +// String idToken = authCodeTokenResponse.get("id_token"); +// assertNotNull(idToken); +// +// Jwt idTokenClaims = JwtHelper.decode(idToken); +// Map claims = 
JsonUtils.readValue(idTokenClaims.getClaims(), new TypeReference>() { +// }); +// +// assertNotNull("id_token should contain ACR claim", claims.get(ClaimConstants.ACR)); +// Map acr = (Map) claims.get(ClaimConstants.ACR); +// assertNotNull("acr claim should contain values attribute", acr.get("values")); +// assertThat((List) acr.get("values"), containsInAnyOrder(PASSWORD_AUTHN_CTX)); +// +// UserInfoResponse userInfo = IntegrationTestUtils.getUserInfo(zoneUrl, authCodeTokenResponse.get("access_token")); +// +// Map> userAttributeMap = userInfo.getUserAttributes(); +// assertNotNull(userAttributeMap); +// List clientIds = userAttributeMap.get("the_client_id"); +// assertNotNull(clientIds); +// assertEquals("identity", clientIds.get(0)); +// setRefreshTokenRotate(false); +// String refreshToken1 = getRefreshTokenResponse(serverRunning, authCodeTokenResponse.get("refresh_token")); +// String refreshToken2 = getRefreshTokenResponse(serverRunning, refreshToken1); +// assertEquals("New refresh token should be equal to the old one.", +// refreshToken1, +// refreshToken2); +// setRefreshTokenRotate(true); +// refreshToken1 = getRefreshTokenResponse(serverRunning, refreshToken2); +// refreshToken2 = getRefreshTokenResponse(serverRunning, refreshToken1); +// assertNotEquals("New access token should be different from the old one.", +// refreshToken1, +// refreshToken2); +// } finally { +// IntegrationTestUtils.deleteProvider(clientCredentialsToken, baseUrl, OriginKeys.UAA, samlProvider.getOriginKey()); +// } } @Test diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/BootstrapTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/BootstrapTests.java index 35f9fc5bd04..2ba347c35a1 100755 --- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/BootstrapTests.java +++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/BootstrapTests.java 
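Review bot: The `fail()` replacement drops the refresh-token rotation checks (`setRefreshTokenRotate(false)`/`(true)` and the equal/not-equal assertions on `refreshToken1`/`refreshToken2`) together with the SAML part, although rotation itself does not appear to depend on the SAML IdP — only the `simplesamlphp` login steps do. Consider moving the rotation assertions into an OIDC-only test so that coverage of refresh-token reuse versus rotation survives, and mark the SAML-dependent test `@Ignore("<reason: SAML library removal, see TRACKING-REF>")` (this class runs under `SpringJUnit4ClassRunner`) rather than failing it unconditionally. The `finally` block that deleted the provider is gone as well, so when the body is restored the cleanup must come back with it.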
@@ -35,7 +35,7 @@
 import org.springframework.mock.web.MockRequestDispatcher;
 import org.springframework.mock.web.MockServletConfig;
 import org.springframework.mock.web.MockServletContext;
-import org.springframework.security.saml.log.SAMLDefaultLogger;
+//import org.springframework.security.saml.log.SAMLDefaultLogger;
 import org.springframework.util.StringUtils;
 import org.springframework.web.context.support.AbstractRefreshableWebApplicationContext;
 import org.springframework.web.servlet.ViewResolver;
@@ -51,6 +51,7 @@
 import java.util.stream.Stream;
 
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.Assert.fail;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
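Review bot: The new `import static org.junit.Assert.fail;` brings the JUnit 4 assertion into a file whose other assertions come from `org.junit.jupiter.api.Assertions`, so the class now mixes JUnit 4 and Jupiter APIs. The Jupiter equivalent is one line, `import static org.junit.jupiter.api.Assertions.fail;`, and does not depend on the vintage API staying on the test classpath. The same JUnit 4 `fail` import is added to TokenEndpointDocs and Saml2BearerGrantMockMvcTests, which also use Jupiter's `@Test`.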
@@ -125,23 +126,24 @@ void xlegacyTestDeprecatedProperties() {
 
 @Test
 void legacySamlIdpAsTopLevelElement() {
- System.setProperty(LOGIN_SAML_METADATA_TRUST_CHECK, "false");
- System.setProperty(LOGIN_IDP_METADATA_URL, "http://simplesamlphp.uaa.com/saml2/idp/metadata.php");
- System.setProperty(LOGIN_IDP_ENTITY_ALIAS, "testIDPFile");
-
- context = getServletContext("default", "uaa.yml");
- assertNotNull(context.getBean("viewResolver", ViewResolver.class));
- assertNotNull(context.getBean("samlLogger", SAMLDefaultLogger.class));
- assertFalse(context.getBean(BootstrapSamlIdentityProviderData.class).isLegacyMetadataTrustCheck());
- List defs = context.getBean(BootstrapSamlIdentityProviderData.class).getIdentityProviderDefinitions();
- assertNotNull(findProvider(defs, "testIDPFile"));
- assertEquals(
- SamlIdentityProviderDefinition.MetadataLocation.URL,
- findProvider(defs, "testIDPFile").getType());
- assertEquals(
- SamlIdentityProviderDefinition.MetadataLocation.URL,
- defs.get(defs.size() - 1).getType()
- );
+ fail();
+// System.setProperty(LOGIN_SAML_METADATA_TRUST_CHECK, "false");
+// System.setProperty(LOGIN_IDP_METADATA_URL, "http://simplesamlphp.uaa.com/saml2/idp/metadata.php");
+// System.setProperty(LOGIN_IDP_ENTITY_ALIAS, "testIDPFile");
+//
+// context = getServletContext("default", "uaa.yml");
+// assertNotNull(context.getBean("viewResolver", ViewResolver.class));
+// assertNotNull(context.getBean("samlLogger", SAMLDefaultLogger.class));
+// assertFalse(context.getBean(BootstrapSamlIdentityProviderData.class).isLegacyMetadataTrustCheck());
+// List defs = context.getBean(BootstrapSamlIdentityProviderData.class).getIdentityProviderDefinitions();
+// assertNotNull(findProvider(defs, "testIDPFile"));
+// assertEquals(
+// SamlIdentityProviderDefinition.MetadataLocation.URL,
+// findProvider(defs, "testIDPFile").getType());
+// assertEquals(
+// SamlIdentityProviderDefinition.MetadataLocation.URL,
+// defs.get(defs.size() - 1).getType()
+// );
 }
 
 @Test
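Review bot: A bare `fail();` turns legacySamlIdpAsTopLevelElement into a permanently red test whose report gives no reason, while the real body survives only as a comment block that will drift from the code it references. The same pattern is applied to legacySamlMetadataAsUrl and legacySamlUrlWithoutPort below, to PasscodeMockMvcTests.testLoginUsingPasscodeWithSamlToken, and to getTokenUsingSaml2BearerGrant in both TokenEndpointDocs and Saml2BearerGrantMockMvcTests. Since the removed SAML types mean these bodies cannot compile yet, mark each method `@Disabled("SAML extension library removed; restore with the SAML provider migration")` and give `fail` the same message, so the gap is visible in the test report and greppable in the tree. These tests covered the metadata trust-check bootstrap, passcode issuance from a SAML-authenticated session and the saml2-bearer token grant, which are security-relevant paths whose missing coverage belongs in a tracked issue rather than in comments.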
@@ -158,22 +160,23 @@ void legacySamlMetadataAsXml() throws Exception {
 
 @Test
 void legacySamlMetadataAsUrl() {
- System.setProperty(LOGIN_SAML_METADATA_TRUST_CHECK, "false");
- System.setProperty(LOGIN_IDP_METADATA_URL, "http://simplesamlphp.uaa.com:80/saml2/idp/metadata.php");
- System.setProperty(LOGIN_IDP_ENTITY_ALIAS, "testIDPUrl");
-
- context = getServletContext("default", "uaa.yml");
- assertNotNull(context.getBean("viewResolver", ViewResolver.class));
- assertNotNull(context.getBean("samlLogger", SAMLDefaultLogger.class));
- assertFalse(context.getBean(BootstrapSamlIdentityProviderData.class).isLegacyMetadataTrustCheck());
- List defs = context.getBean(BootstrapSamlIdentityProviderData.class).getIdentityProviderDefinitions();
- assertNull(
- defs.get(defs.size() - 1).getSocketFactoryClassName()
- );
- assertEquals(
- SamlIdentityProviderDefinition.MetadataLocation.URL,
- defs.get(defs.size() - 1).getType()
- );
+ fail();
+// System.setProperty(LOGIN_SAML_METADATA_TRUST_CHECK, "false");
+// System.setProperty(LOGIN_IDP_METADATA_URL, "http://simplesamlphp.uaa.com:80/saml2/idp/metadata.php");
+// System.setProperty(LOGIN_IDP_ENTITY_ALIAS, "testIDPUrl");
+//
+// context = getServletContext("default", "uaa.yml");
+// assertNotNull(context.getBean("viewResolver", ViewResolver.class));
+// assertNotNull(context.getBean("samlLogger", SAMLDefaultLogger.class));
+// assertFalse(context.getBean(BootstrapSamlIdentityProviderData.class).isLegacyMetadataTrustCheck());
+// List defs = context.getBean(BootstrapSamlIdentityProviderData.class).getIdentityProviderDefinitions();
+// assertNull(
+// defs.get(defs.size() - 1).getSocketFactoryClassName()
+// );
+// assertEquals(
+// SamlIdentityProviderDefinition.MetadataLocation.URL,
+// defs.get(defs.size() - 1).getType()
+// );
 }
 
 @ParameterizedTest
@@ -200,25 +203,26 @@ static Stream samlSignatureParameterProvider() {
 
 @Test
 void legacySamlUrlWithoutPort() {
- System.setProperty(LOGIN_SAML_METADATA_TRUST_CHECK, "false");
- System.setProperty(LOGIN_IDP_METADATA_URL, "http://simplesamlphp.uaa.com/saml2/idp/metadata.php");
- System.setProperty(LOGIN_IDP_ENTITY_ALIAS, "testIDPUrl");
-
- context = getServletContext("default", "uaa.yml");
- assertNotNull(context.getBean("viewResolver", ViewResolver.class));
- assertNotNull(context.getBean("samlLogger", SAMLDefaultLogger.class));
- assertFalse(context.getBean(BootstrapSamlIdentityProviderData.class).isLegacyMetadataTrustCheck());
- List defs = context.getBean(BootstrapSamlIdentityProviderData.class).getIdentityProviderDefinitions();
- assertFalse(
- context.getBean(BootstrapSamlIdentityProviderData.class).getIdentityProviderDefinitions().isEmpty()
- );
- assertNull(
- defs.get(defs.size() - 1).getSocketFactoryClassName()
- );
- assertEquals(
- SamlIdentityProviderDefinition.MetadataLocation.URL,
- defs.get(defs.size() - 1).getType()
- );
+ fail();
+// System.setProperty(LOGIN_SAML_METADATA_TRUST_CHECK, "false");
+// System.setProperty(LOGIN_IDP_METADATA_URL, "http://simplesamlphp.uaa.com/saml2/idp/metadata.php");
+// System.setProperty(LOGIN_IDP_ENTITY_ALIAS, "testIDPUrl");
+//
+// context = getServletContext("default", "uaa.yml");
+// assertNotNull(context.getBean("viewResolver", ViewResolver.class));
+// assertNotNull(context.getBean("samlLogger", SAMLDefaultLogger.class));
+// assertFalse(context.getBean(BootstrapSamlIdentityProviderData.class).isLegacyMetadataTrustCheck());
+// List defs = context.getBean(BootstrapSamlIdentityProviderData.class).getIdentityProviderDefinitions();
+// assertFalse(
+// context.getBean(BootstrapSamlIdentityProviderData.class).getIdentityProviderDefinitions().isEmpty()
+// );
+// assertNull(
+// defs.get(defs.size() - 1).getSocketFactoryClassName()
+// );
+// assertEquals(
+// SamlIdentityProviderDefinition.MetadataLocation.URL,
+// defs.get(defs.size() - 1).getType()
+// );
 }
 
 private static SamlIdentityProviderDefinition findProvider(
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/PasscodeMockMvcTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/PasscodeMockMvcTests.java
index 93f36d6c9f3..55a8300a6a8 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/PasscodeMockMvcTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/PasscodeMockMvcTests.java
@@ -26,7 +26,7 @@
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
+//import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
@@ -49,10 +49,7 @@
 import java.util.Map;
 
 import static org.hamcrest.Matchers.containsInAnyOrder;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertThat;
-import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.*;
 import static org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED;
 import static org.springframework.http.MediaType.APPLICATION_JSON;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
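Review bot: The `@@ -49,10 +49,7 @@` hunk replaces four explicit static imports with `import static org.junit.Assert.*;`, a wildcard that hides which JUnit 4 assertions the class actually uses and makes the dependency on the vintage `Assert` class implicit. The other files in this commit (BootstrapTests, TokenEndpointDocs) add the single name they need, so `import static org.junit.Assert.fail;` alongside the four existing imports would be the smaller and consistent change. SamlInitializationMockMvcTests gets the same wildcard in its import hunk.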
@@ -102,68 +99,69 @@ void clearSecContext() { @Test void testLoginUsingPasscodeWithSamlToken() throws Exception { - ExpiringUsernameAuthenticationToken et = new ExpiringUsernameAuthenticationToken(USERNAME, null); - UaaAuthentication auth = new LoginSamlAuthenticationToken(marissa, et).getUaaAuthentication( - Collections.emptyList(), - Collections.emptySet(), - new LinkedMultiValueMap<>() - ); - final MockSecurityContext mockSecurityContext = new MockSecurityContext(auth); - - SecurityContextHolder.setContext(mockSecurityContext); - MockHttpSession session = new MockHttpSession(); - - session.setAttribute( - HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, - mockSecurityContext - ); - - - MockHttpServletRequestBuilder get = get("/passcode") - .accept(APPLICATION_JSON) - .session(session); - - String passcode = JsonUtils.readValue( - mockMvc.perform(get) - .andExpect(status().isOk()) - .andReturn().getResponse().getContentAsString(), - String.class); - - mockSecurityContext.setAuthentication(null); - session = new MockHttpSession(); - session.setAttribute( - HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, - mockSecurityContext - ); - - String basicDigestHeaderValue = "Basic " + new String(Base64.encodeBase64(("cf:").getBytes())); - MockHttpServletRequestBuilder post = post("/oauth/token") - .accept(APPLICATION_JSON) - .contentType(APPLICATION_FORM_URLENCODED) - .header("Authorization", basicDigestHeaderValue) - .param("grant_type", "password") - .param("passcode", passcode) - .param("response_type", "token"); - - - Map accessToken = - JsonUtils.readValue( - mockMvc.perform(post) - .andExpect(status().isOk()) - .andReturn().getResponse().getContentAsString(), - Map.class); - assertEquals("bearer", accessToken.get("token_type")); - assertNotNull(accessToken.get("access_token")); - assertNotNull(accessToken.get("refresh_token")); - String[] scopes = ((String) accessToken.get("scope")).split(" "); - assertThat(Arrays.asList(scopes), 
containsInAnyOrder("uaa.user", "scim.userids", "password.write", "cloud_controller.write", "openid", "cloud_controller.read")); - - Authentication authentication = captureSecurityContextFilter.getAuthentication(); - assertNotNull(authentication); - assertTrue(authentication instanceof OAuth2Authentication); - assertTrue(((OAuth2Authentication) authentication).getUserAuthentication() instanceof UsernamePasswordAuthenticationToken); - assertTrue(authentication.getPrincipal() instanceof UaaPrincipal); - assertEquals(marissa.getOrigin(), ((UaaPrincipal) authentication.getPrincipal()).getOrigin()); + fail(); +// ExpiringUsernameAuthenticationToken et = new ExpiringUsernameAuthenticationToken(USERNAME, null); +// UaaAuthentication auth = new LoginSamlAuthenticationToken(marissa, et).getUaaAuthentication( +// Collections.emptyList(), +// Collections.emptySet(), +// new LinkedMultiValueMap<>() +// ); +// final MockSecurityContext mockSecurityContext = new MockSecurityContext(auth); +// +// SecurityContextHolder.setContext(mockSecurityContext); +// MockHttpSession session = new MockHttpSession(); +// +// session.setAttribute( +// HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, +// mockSecurityContext +// ); +// +// +// MockHttpServletRequestBuilder get = get("/passcode") +// .accept(APPLICATION_JSON) +// .session(session); +// +// String passcode = JsonUtils.readValue( +// mockMvc.perform(get) +// .andExpect(status().isOk()) +// .andReturn().getResponse().getContentAsString(), +// String.class); +// +// mockSecurityContext.setAuthentication(null); +// session = new MockHttpSession(); +// session.setAttribute( +// HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, +// mockSecurityContext +// ); +// +// String basicDigestHeaderValue = "Basic " + new String(Base64.encodeBase64(("cf:").getBytes())); +// MockHttpServletRequestBuilder post = post("/oauth/token") +// .accept(APPLICATION_JSON) +// .contentType(APPLICATION_FORM_URLENCODED) +// 
.header("Authorization", basicDigestHeaderValue) +// .param("grant_type", "password") +// .param("passcode", passcode) +// .param("response_type", "token"); +// +// +// Map accessToken = +// JsonUtils.readValue( +// mockMvc.perform(post) +// .andExpect(status().isOk()) +// .andReturn().getResponse().getContentAsString(), +// Map.class); +// assertEquals("bearer", accessToken.get("token_type")); +// assertNotNull(accessToken.get("access_token")); +// assertNotNull(accessToken.get("refresh_token")); +// String[] scopes = ((String) accessToken.get("scope")).split(" "); +// assertThat(Arrays.asList(scopes), containsInAnyOrder("uaa.user", "scim.userids", "password.write", "cloud_controller.write", "openid", "cloud_controller.read")); +// +// Authentication authentication = captureSecurityContextFilter.getAuthentication(); +// assertNotNull(authentication); +// assertTrue(authentication instanceof OAuth2Authentication); +// assertTrue(((OAuth2Authentication) authentication).getUserAuthentication() instanceof UsernamePasswordAuthenticationToken); +// assertTrue(authentication.getPrincipal() instanceof UaaPrincipal); +// assertEquals(marissa.getOrigin(), ((UaaPrincipal) authentication.getPrincipal()).getOrigin()); } @Test diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java index 2989bc2ac54..77ed401b2c0 100644 --- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java +++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/TokenEndpointDocs.java 
@@ -50,7 +50,7 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import org.opensaml.saml2.core.NameID;
+//import org.opensaml.saml2.core.NameID;
 
 import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.MockSecurityContext;
 import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.getClientCredentialsOAuthAccessToken;
@@ -67,6 +67,7 @@
 import static org.cloudfoundry.identity.uaa.provider.saml.idp.SamlTestUtils.createLocalSamlIdpDefinition;
 import static org.cloudfoundry.identity.uaa.test.SnippetUtils.parameterWithName;
 import static org.hamcrest.Matchers.containsString;
+import static org.junit.Assert.fail;
 import static org.springframework.http.HttpHeaders.AUTHORIZATION;
 import static org.springframework.http.HttpHeaders.HOST;
 import static org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED;
@@ -396,182 +397,183 @@ void getTokenUsingUserTokenGrant() throws Exception { @Test void getTokenUsingSaml2BearerGrant() throws Exception { - SamlTestUtils samlTestUtils = new SamlTestUtils(); - samlTestUtils.initializeSimple(); - - final String subdomain = "68uexx"; - //all our SAML defaults use :8080/uaa/ so we have to use that here too - final String host = subdomain + ".localhost"; - final String fullPath = "/uaa/oauth/token/alias/" + subdomain + ".cloudfoundry-saml-login"; - final String origin = subdomain + ".cloudfoundry-saml-login"; - - MockMvcUtils.IdentityZoneCreationResult zone = MockMvcUtils.createOtherIdentityZoneAndReturnResult(subdomain, mockMvc, this.webApplicationContext, null, IdentityZoneHolder.getCurrentZoneId()); - - //Mock an IDP metadata - String idpMetadata = "\n" + - "\n" + - " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " MNO5mOgijKliauTLhxL1pqT15s4=\n" + - " \n" + - " \n" + - " \n" + - " CwxB189hOth7P4g+jswYiG1XHyy0a8Pci6LahimDi0sSuWF5ui1Dw8MSamNDfi2GC5QGArrupPdxgX5F8BFFuio3XkmcQqRhsC01R2u1/NhpabGTgczrk1LYMpCaIOitaXRM2cEkqrmf/s6S3zXDQkQJTcJefc/0NrYgFN6Pisc=\n" + - " \n" + - " \n" + - " \n" + - " MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\n" + - " YXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\n" + - " BgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\n" + - " MjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\n" + - " ChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\n" + - " HTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" + - " gQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\n" + - " 4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\n" + - " xhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\n" + - " 
GDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\n" + - " MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\n" + - " EwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\n" + - " MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\n" + - " 2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\n" + - " ePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n" + - " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\n" + - " YXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\n" + - " BgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\n" + - " MjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\n" + - " ChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\n" + - " HTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" + - " gQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\n" + - " 4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\n" + - " xhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\n" + - " GDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\n" + - " MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\n" + - " EwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\n" + - " MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\n" + - " 2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\n" + - " ePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n" + - " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " 
MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\n" + - " YXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\n" + - " BgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\n" + - " MjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\n" + - " ChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\n" + - " HTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" + - " gQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\n" + - " 4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\n" + - " xhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\n" + - " GDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\n" + - " MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\n" + - " EwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\n" + - " MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\n" + - " 2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\n" + - " ePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n" + - " \n" + - " \n" + - " \n" + - " \n" + - " urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\n" + - " urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\n" + - " urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\n" + - " \n" + - " \n" + - " \n" + - ""; - - //create an IDP in the default zone - SamlIdentityProviderDefinition idpDef = createLocalSamlIdpDefinition(origin, zone.getIdentityZone().getId(), idpMetadata); - IdentityProvider provider = new IdentityProvider(); - provider.setConfig(idpDef); - provider.setActive(true); - provider.setIdentityZoneId(zone.getIdentityZone().getId()); - provider.setName(origin); - provider.setOriginKey(origin); - - IdentityZoneHolder.set(zone.getIdentityZone()); - 
identityProviderProvisioning.create(provider, zone.getIdentityZone().getId()); - IdentityZoneHolder.clear(); - - String assertion = samlTestUtils.mockAssertionEncoded( - origin, - NameID.UNSPECIFIED, - "Saml2BearerIntegrationUser", - "http://" + host + ":8080/uaa/oauth/token/alias/" + origin, - origin); - - //create client in default zone - String clientId = "testclient" + generator.generate(); - setUpClients(clientId, "uaa.none", "uaa.user,openid", GRANT_TYPE_SAML2_BEARER + ",password,refresh_token", true, TEST_REDIRECT_URI, null, 600, zone.getIdentityZone()); - - MockHttpServletRequestBuilder post = MockMvcRequestBuilders.post(fullPath) - .with(request -> { - request.setServerPort(8080); - request.setRequestURI(fullPath); - request.setServerName(host); - return request; - }) - .contextPath("/uaa") - .accept(APPLICATION_JSON) - .header(HOST, host) - .contentType(APPLICATION_FORM_URLENCODED) - .param("grant_type", TokenConstants.GRANT_TYPE_SAML2_BEARER) - .param("client_id", clientId) - .param("client_secret", "secret") - .param("client_assertion", "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA") - .param("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer") - .param("assertion", assertion) - .param("scope", "openid"); - - final ParameterDescriptor assertionFormatParameter = parameterWithName("assertion").required().type(STRING).description("An XML based SAML 2.0 bearer assertion, 
which is Base64URl encoded."); - Snippet requestParameters = requestParameters( - clientIdParameter.description("The client ID of the receiving client, this client must have `urn:ietf:params:oauth:grant-type:saml2-bearer` grant type"), - clientSecretParameter, - clientAssertion, - clientAssertionType, - grantTypeParameter.description("The type of token grant requested, in this case `" + GRANT_TYPE_SAML2_BEARER + "`"), - assertionFormatParameter, - scopeParameter - ); - - Snippet responseFields = responseFields( - accessTokenFieldDescriptor, - fieldWithPath("token_type").description("The type of the access token issued, always `bearer`"), - fieldWithPath("expires_in").description("Number of seconds of lifetime for an access_token, when retrieved"), - scopeFieldDescriptorWhenUserToken, - refreshTokenFieldDescriptor, - jtiFieldDescriptor - ); - - mockMvc.perform(post) - .andDo(document("{ClassName}/{methodName}", preprocessResponse(prettyPrint()), requestParameters, responseFields)) - .andExpect(status().isOk()) - .andExpect(jsonPath("$.access_token").exists()) - .andExpect(jsonPath("$.scope").value("openid")); + fail(); +// SamlTestUtils samlTestUtils = new SamlTestUtils(); +// samlTestUtils.initializeSimple(); +// +// final String subdomain = "68uexx"; +// //all our SAML defaults use :8080/uaa/ so we have to use that here too +// final String host = subdomain + ".localhost"; +// final String fullPath = "/uaa/oauth/token/alias/" + subdomain + ".cloudfoundry-saml-login"; +// final String origin = subdomain + ".cloudfoundry-saml-login"; +// +// MockMvcUtils.IdentityZoneCreationResult zone = MockMvcUtils.createOtherIdentityZoneAndReturnResult(subdomain, mockMvc, this.webApplicationContext, null, IdentityZoneHolder.getCurrentZoneId()); +// +// //Mock an IDP metadata +// String idpMetadata = "\n" + +// "\n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " MNO5mOgijKliauTLhxL1pqT15s4=\n" + +// " 
\n" + +// " \n" + +// " \n" + +// " CwxB189hOth7P4g+jswYiG1XHyy0a8Pci6LahimDi0sSuWF5ui1Dw8MSamNDfi2GC5QGArrupPdxgX5F8BFFuio3XkmcQqRhsC01R2u1/NhpabGTgczrk1LYMpCaIOitaXRM2cEkqrmf/s6S3zXDQkQJTcJefc/0NrYgFN6Pisc=\n" + +// " \n" + +// " \n" + +// " \n" + +// " MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\n" + +// " YXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\n" + +// " BgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\n" + +// " MjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\n" + +// " ChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\n" + +// " HTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" + +// " gQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\n" + +// " 4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\n" + +// " xhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\n" + +// " GDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\n" + +// " MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\n" + +// " EwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\n" + +// " MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\n" + +// " 2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\n" + +// " ePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\n" + +// " YXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\n" + +// " BgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\n" + +// " 
MjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\n" + +// " ChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\n" + +// " HTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" + +// " gQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\n" + +// " 4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\n" + +// " xhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\n" + +// " GDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\n" + +// " MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\n" + +// " EwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\n" + +// " MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\n" + +// " 2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\n" + +// " ePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEOMAwGA1UECBMF\n" + +// " YXJ1YmExDjAMBgNVBAoTBWFydWJhMQ4wDAYDVQQHEwVhcnViYTEOMAwGA1UECxMFYXJ1YmExDjAM\n" + +// " BgNVBAMTBWFydWJhMR0wGwYJKoZIhvcNAQkBFg5hcnViYUBhcnViYS5hcjAeFw0xNTExMjAyMjI2\n" + +// " MjdaFw0xNjExMTkyMjI2MjdaMHwxCzAJBgNVBAYTAmF3MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UE\n" + +// " ChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQLEwVhcnViYTEOMAwGA1UEAxMFYXJ1YmEx\n" + +// " HTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" + +// " gQDHtC5gUXxBKpEqZTLkNvFwNGnNIkggNOwOQVNbpO0WVHIivig5L39WqS9u0hnA+O7MCA/KlrAR\n" + +// " 4bXaeVVhwfUPYBKIpaaTWFQR5cTR1UFZJL/OF9vAfpOwznoD66DDCnQVpbCjtDYWX+x6imxn8HCY\n" + +// " xhMol6ZnTbSsFW6VZjFMjQIDAQABo4HaMIHXMB0GA1UdDgQWBBTx0lDzjH/iOBnOSQaSEWQLx1sy\n" + +// " GDCBpwYDVR0jBIGfMIGcgBTx0lDzjH/iOBnOSQaSEWQLx1syGKGBgKR+MHwxCzAJBgNVBAYTAmF3\n" 
+ +// " MQ4wDAYDVQQIEwVhcnViYTEOMAwGA1UEChMFYXJ1YmExDjAMBgNVBAcTBWFydWJhMQ4wDAYDVQQL\n" + +// " EwVhcnViYTEOMAwGA1UEAxMFYXJ1YmExHTAbBgkqhkiG9w0BCQEWDmFydWJhQGFydWJhLmFyggEA\n" + +// " MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAYvBJ0HOZbbHClXmGUjGs+GS+xC1FO/am\n" + +// " 2suCSYqNB9dyMXfOWiJ1+TLJk+o/YZt8vuxCKdcZYgl4l/L6PxJ982SRhc83ZW2dkAZI4M0/Ud3o\n" + +// " ePe84k8jm3A7EvH5wi5hvCkKRpuRBwn3Ei+jCRouxTbzKPsuCVB+1sNyxMTXzf0=\n" + +// " \n" + +// " \n" + +// " \n" + +// " \n" + +// " urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\n" + +// " urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\n" + +// " urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\n" + +// " \n" + +// " \n" + +// " \n" + +// ""; +// +// //create an IDP in the default zone +// SamlIdentityProviderDefinition idpDef = createLocalSamlIdpDefinition(origin, zone.getIdentityZone().getId(), idpMetadata); +// IdentityProvider provider = new IdentityProvider(); +// provider.setConfig(idpDef); +// provider.setActive(true); +// provider.setIdentityZoneId(zone.getIdentityZone().getId()); +// provider.setName(origin); +// provider.setOriginKey(origin); +// +// IdentityZoneHolder.set(zone.getIdentityZone()); +// identityProviderProvisioning.create(provider, zone.getIdentityZone().getId()); +// IdentityZoneHolder.clear(); +// +// String assertion = samlTestUtils.mockAssertionEncoded( +// origin, +// NameID.UNSPECIFIED, +// "Saml2BearerIntegrationUser", +// "http://" + host + ":8080/uaa/oauth/token/alias/" + origin, +// origin); +// +// //create client in default zone +// String clientId = "testclient" + generator.generate(); +// setUpClients(clientId, "uaa.none", "uaa.user,openid", GRANT_TYPE_SAML2_BEARER + ",password,refresh_token", true, TEST_REDIRECT_URI, null, 600, zone.getIdentityZone()); +// +// MockHttpServletRequestBuilder post = MockMvcRequestBuilders.post(fullPath) +// .with(request -> { +// request.setServerPort(8080); +// request.setRequestURI(fullPath); +// request.setServerName(host); +// 
return request; +// }) +// .contextPath("/uaa") +// .accept(APPLICATION_JSON) +// .header(HOST, host) +// .contentType(APPLICATION_FORM_URLENCODED) +// .param("grant_type", TokenConstants.GRANT_TYPE_SAML2_BEARER) +// .param("client_id", clientId) +// .param("client_secret", "secret") +// .param("client_assertion", "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA") +// .param("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer") +// .param("assertion", assertion) +// .param("scope", "openid"); +// +// final ParameterDescriptor assertionFormatParameter = parameterWithName("assertion").required().type(STRING).description("An XML based SAML 2.0 bearer assertion, which is Base64URl encoded."); +// Snippet requestParameters = requestParameters( +// clientIdParameter.description("The client ID of the receiving client, this client must have `urn:ietf:params:oauth:grant-type:saml2-bearer` grant type"), +// clientSecretParameter, +// clientAssertion, +// clientAssertionType, +// grantTypeParameter.description("The type of token grant requested, in this case `" + GRANT_TYPE_SAML2_BEARER + "`"), +// assertionFormatParameter, +// scopeParameter +// ); +// +// Snippet responseFields = responseFields( +// accessTokenFieldDescriptor, +// fieldWithPath("token_type").description("The type of the access token issued, always `bearer`"), +// fieldWithPath("expires_in").description("Number of seconds of 
lifetime for an access_token, when retrieved"),
+// scopeFieldDescriptorWhenUserToken,
+// refreshTokenFieldDescriptor,
+// jtiFieldDescriptor
+// );
+//
+// mockMvc.perform(post)
+// .andDo(document("{ClassName}/{methodName}", preprocessResponse(prettyPrint()), requestParameters, responseFields))
+// .andExpect(status().isOk())
+// .andExpect(jsonPath("$.access_token").exists())
+// .andExpect(jsonPath("$.scope").value("openid"));
 }
 
 @Test
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/Saml2BearerGrantMockMvcTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/Saml2BearerGrantMockMvcTests.java
index 73d1a3357de..7dfd739dbfc 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/Saml2BearerGrantMockMvcTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/Saml2BearerGrantMockMvcTests.java
@@ -7,12 +7,13 @@
 import org.cloudfoundry.identity.uaa.provider.saml.idp.SamlTestUtils;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
 import org.junit.jupiter.api.Test;
-import org.opensaml.saml2.core.NameID;
+//import org.opensaml.saml2.core.NameID;
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
 import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_SAML2_BEARER;
 import static org.cloudfoundry.identity.uaa.provider.saml.idp.SamlTestUtils.createLocalSamlIdpDefinition;
+import static org.junit.Assert.fail;
 import static org.springframework.http.HttpHeaders.HOST;
 import static org.springframework.http.MediaType.APPLICATION_FORM_URLENCODED;
 import static org.springframework.http.MediaType.APPLICATION_JSON;
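Review bot: getTokenUsingSaml2BearerGrant in TokenEndpointDocs appears to be the test that produces the REST Docs snippet through `document("{ClassName}/{methodName}", ...)`, so replacing its body with `fail()` also drops the saml2-bearer grant section from the generated token endpoint documentation, not only the test coverage. If the grant type is still served while the SAML provider is migrated, the published docs lose a supported flow without notice to readers; if it is no longer served, the docs should state that instead of going silent. Recording that in the method's disable reason, e.g. `@Disabled("SAML extension library removed; saml2-bearer docs snippet not generated until the SAML provider is migrated")`, would make the state visible to whoever rebuilds the docs.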
@@ -22,8 +23,9 @@ public class Saml2BearerGrantMockMvcTests extends AbstractTokenMockMvcTests { @Test void getTokenUsingSaml2BearerGrant() throws Exception { + fail(); SamlTestUtils samlTestUtils = new SamlTestUtils(); - samlTestUtils.initializeSimple(); +// samlTestUtils.initializeSimple(); final String subdomain = "68uexx"; //all our SAML defaults use :8080/uaa/ so we have to use that here too @@ -149,12 +151,12 @@ void getTokenUsingSaml2BearerGrant() throws Exception { testZone.getIdentityZone().getId()); IdentityZoneHolder.clear(); - String assertion = samlTestUtils.mockAssertionEncoded( - origin, - NameID.UNSPECIFIED, - "Saml2BearerIntegrationUser", - "http://" + host + ":8080/uaa/oauth/token/alias/" + origin, - origin); +// String assertion = samlTestUtils.mockAssertionEncoded( +// origin, +// NameID.UNSPECIFIED, +// "Saml2BearerIntegrationUser", +// "http://" + host + ":8080/uaa/oauth/token/alias/" + origin, +// origin); //create client in test zone String clientId = "testclient" + generator.generate(); @@ -178,7 +180,7 @@ void getTokenUsingSaml2BearerGrant() throws Exception { .param("client_secret", "secret") .param("client_assertion", "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjU4ZDU1YzUwMGNjNmI1ODM3OTYxN2UwNmU3ZGVjNmNhIn0.eyJzdWIiOiJsb2dpbiIsImlzcyI6ImxvZ2luIiwianRpIjoiNThkNTVjNTAwY2M2YjU4Mzc5NjE3ZTA2ZTdhZmZlZSIsImV4cCI6MTIzNDU2NzgsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC91YWEvb2F1dGgvdG9rZW4ifQ.jwWw0OKZecd4ZjtwQ_ievqBVrh2SieqMF6vY74Oo5H6v-Ibcmumq96NLNtoUEwaAEQQOHb8MWcC8Gwi9dVQdCrtpomC86b_LKkihRBSKuqpw0udL9RMH5kgtC04ctsN0yZNifUWMP85VHn97Ual5eZ2miaBFob3H5jUe98CcBj1TSRehr64qBFYuwt9vD19q6U-ONhRt0RXBPB7ayHAOMYtb1LFIzGAiKvqWEy9f-TBPXSsETjKkAtSuM-WVWi4EhACMtSvI6iJN15f7qlverRSkGIdh1j2vPXpKKBJoRhoLw6YqbgcUC9vAr17wfa_POxaRHvh9JPty0ZXLA4XPtA") .param("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer") - .param("assertion", assertion) +// .param("assertion", assertion) .param("scope", "openid"); mockMvc.perform(post) 
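Review bot: The bare `fail();` inserted at the top of `getTokenUsingSaml2BearerGrant` gives CI no reason for the failure and turns everything after it into dead code; the method body continues past this hunk. Prefer `fail("SAML2 bearer grant test pending replacement of the removed SAML extension library");` or, better, `@Disabled("...")` on the test so the intent is explicit and the commented-out `samlTestUtils.initializeSimple();` line can simply be dropped. Since the commit also removes the server-side SAML classes, this test is the visible regression check for the `urn:ietf:params:oauth:grant-type:saml2-bearer` grant; until it is restored, a negative test asserting that such a request is rejected would keep a guard in place rather than leaving the suite red with nothing verifying the grant.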
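Review bot: With `.param("assertion", assertion)` commented out, the request built here is a saml2-bearer grant that still carries `client_secret`, `client_assertion` and `client_assertion_type` but no SAML assertion at all; if the `fail()` placeholder is later removed without restoring this line, the test could only pass if the server issued a token for an assertion-less saml2-bearer request, which is the opposite of what it should verify. Keep the parameter in the request with an obvious placeholder, e.g. `.param("assertion", "TODO: rebuild encoded SAML assertion without opensaml")`, rather than deleting it, so the missing piece is visible at the call site. The expectations that follow `mockMvc.perform(post)` lie outside this hunk and should be re-checked when the assertion is reinstated.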
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlInitializationMockMvcTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlInitializationMockMvcTests.java index 1d98dbb3fc3..9f738dd3929 100644 --- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlInitializationMockMvcTests.java +++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlInitializationMockMvcTests.java @@ -8,16 +8,14 @@ import org.cloudfoundry.identity.uaa.zone.IdentityZoneProvisioning; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; -import org.opensaml.saml2.metadata.provider.MetadataProvider; +//import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.oauth2.common.util.RandomValueStringGenerator; -import org.springframework.security.saml.metadata.ExtendedMetadataDelegate; -import org.springframework.security.saml.metadata.MetadataMemoryProvider; +//import org.springframework.security.saml.metadata.ExtendedMetadataDelegate; +//import org.springframework.security.saml.metadata.MetadataMemoryProvider; import org.springframework.web.context.WebApplicationContext; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertTrue; +import static org.junit.Assert.*; @DefaultTestContext class SamlInitializationMockMvcTests { 
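Review bot: Replacing the three explicit `org.junit.Assert` imports with `import static org.junit.Assert.*;` introduces a wildcard import and keeps JUnit 4's `Assert` in a class whose `@Test` is `org.junit.jupiter.api.Test` (same hunk); import the specific names from `org.junit.jupiter.api.Assertions` instead, e.g. `import static org.junit.jupiter.api.Assertions.fail;` alongside `assertEquals`, `assertNotNull` and `assertTrue`. The commented-out `MetadataProvider`, `ExtendedMetadataDelegate` and `MetadataMemoryProvider` imports are dead text and should be removed; the old types remain recoverable from history if the test is rebuilt later.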
@@ -36,35 +34,36 @@ void setUp(@Autowired WebApplicationContext webApplicationContext) { @Test void sp_initialized_in_non_snarl_metadata_manager() throws Exception { - ExtendedMetadataDelegate localServiceProvider = spManager.getLocalServiceProvider(); - assertNotNull(localServiceProvider); - MetadataProvider provider = localServiceProvider.getDelegate(); - assertNotNull(provider); - assertTrue(provider instanceof MetadataMemoryProvider); - String providerSpAlias = spManager.getProviderSpAlias(localServiceProvider); - assertEquals(entityAlias, providerSpAlias); - assertEquals(entityID, spManager.getEntityIdForAlias(providerSpAlias)); + fail(); +// ExtendedMetadataDelegate localServiceProvider = spManager.getLocalServiceProvider(); +// assertNotNull(localServiceProvider); +// MetadataProvider provider = localServiceProvider.getDelegate(); +// assertNotNull(provider); +// assertTrue(provider instanceof MetadataMemoryProvider); +// String providerSpAlias = spManager.getProviderSpAlias(localServiceProvider); +// assertEquals(entityAlias, providerSpAlias); +// assertEquals(entityID, spManager.getEntityIdForAlias(providerSpAlias)); } - @Test - void sp_initialization_in_non_snarl_metadata_manager() throws Exception { - String subdomain = new RandomValueStringGenerator().generate().toLowerCase(); - IdentityZone zone = new IdentityZone(); - zone.setConfig(new IdentityZoneConfiguration()); - zone.setSubdomain(subdomain); - zone.setId(subdomain); - zone.setName(subdomain); - zone = zoneProvisioning.create(zone); - IdentityZoneHolder.set(zone); - ExtendedMetadataDelegate localServiceProvider = spManager.getLocalServiceProvider(); - assertNotNull(localServiceProvider); - MetadataProvider provider = localServiceProvider.getDelegate(); - assertNotNull(provider); - assertTrue(provider instanceof MetadataMemoryProvider); - String providerSpAlias = spManager.getProviderSpAlias(localServiceProvider); - assertEquals(subdomain + "." 
+ entityAlias, providerSpAlias); - assertEquals(addSubdomainToEntityId(entityID, subdomain), spManager.getEntityIdForAlias(providerSpAlias)); - } +// @Test +// void sp_initialization_in_non_snarl_metadata_manager() throws Exception { +// String subdomain = new RandomValueStringGenerator().generate().toLowerCase(); +// IdentityZone zone = new IdentityZone(); +// zone.setConfig(new IdentityZoneConfiguration()); +// zone.setSubdomain(subdomain); +// zone.setId(subdomain); +// zone.setName(subdomain); +// zone = zoneProvisioning.create(zone); +// IdentityZoneHolder.set(zone); +// ExtendedMetadataDelegate localServiceProvider = spManager.getLocalServiceProvider(); +// assertNotNull(localServiceProvider); +// MetadataProvider provider = localServiceProvider.getDelegate(); +// assertNotNull(provider); +// assertTrue(provider instanceof MetadataMemoryProvider); +// String providerSpAlias = spManager.getProviderSpAlias(localServiceProvider); +// assertEquals(subdomain + "." + entityAlias, providerSpAlias); +// assertEquals(addSubdomainToEntityId(entityID, subdomain), spManager.getEntityIdForAlias(providerSpAlias)); +// } String addSubdomainToEntityId(String entityId, String subdomain) { if (UaaUrlUtils.isUrl(entityId)) {