diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java
index 02556b687fb..cba64ea5852 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderEndpoints.java
@@ -112,7 +112,7 @@ public ResponseEntity createIdentityProvider(@RequestBody Iden
 SamlIdentityProviderDefinition definition = ObjectUtils.castInstance(body.getConfig(), SamlIdentityProviderDefinition.class);
 definition.setZoneId(zoneId);
 definition.setIdpEntityAlias(body.getOriginKey());
- samlConfigurator.addSamlIdentityProviderDefinition(definition);
+ samlConfigurator.validateSamlIdentityProviderDefinition(definition);
 body.setConfig(definition);
 }
 try {
@@ -161,7 +161,7 @@ public ResponseEntity updateIdentityProvider(@PathVariable Str
 SamlIdentityProviderDefinition definition = ObjectUtils.castInstance(body.getConfig(), SamlIdentityProviderDefinition.class);
 definition.setZoneId(zoneId);
 definition.setIdpEntityAlias(body.getOriginKey());
- samlConfigurator.addSamlIdentityProviderDefinition(definition);
+ samlConfigurator.validateSamlIdentityProviderDefinition(definition);
 body.setConfig(definition);
 }
 IdentityProvider updatedIdp = identityProviderProvisioning.update(body);
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/SamlServiceProviderEndpoints.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/SamlServiceProviderEndpoints.java
index d74f8bae1b6..3f257c379ff 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/SamlServiceProviderEndpoints.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/SamlServiceProviderEndpoints.java
@@ -62,7 +62,7 @@ public ResponseEntity createServiceProvider(@RequestBody Sa String zoneId = IdentityZoneHolder.get().getId(); body.setIdentityZoneId(zoneId); - samlConfigurator.addSamlServiceProvider(body); + samlConfigurator.validateSamlServiceProvider(body); SamlServiceProvider createdSp = serviceProviderProvisioning.create(body); return new ResponseEntity<>(createdSp, HttpStatus.CREATED); @@ -80,7 +80,7 @@ public ResponseEntity updateServiceProvider(@PathVariable S } body.setEntityId(existing.getEntityId()); - samlConfigurator.addSamlServiceProvider(body); + samlConfigurator.validateSamlServiceProvider(body); SamlServiceProvider updatedSp = serviceProviderProvisioning.update(body); return new ResponseEntity<>(updatedSp, OK); diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlIdentityProviderConfigurator.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlIdentityProviderConfigurator.java index 0f1703f79dd..ad05097dd21 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlIdentityProviderConfigurator.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlIdentityProviderConfigurator.java 
@@ -105,10 +105,9 @@ public List getIdentityProviderDefinitions(List<
 /**
 * adds or replaces a SAML identity proviider
 * @param providerDefinition - the provider to be added
- * @return an array consisting of {provider-added, provider-deleted} where provider-deleted may be null
 * @throws MetadataProviderException if the system fails to fetch meta data for this provider
 */
- public synchronized ExtendedMetadataDelegate[] addSamlIdentityProviderDefinition(SamlIdentityProviderDefinition providerDefinition) throws MetadataProviderException {
+ public synchronized void validateSamlIdentityProviderDefinition(SamlIdentityProviderDefinition providerDefinition) throws MetadataProviderException {
 ExtendedMetadataDelegate added, deleted=null;
 if (providerDefinition==null) {
 throw new NullPointerException();
@@ -140,8 +139,6 @@ public synchronized ExtendedMetadataDelegate[] addSamlIdentityProviderDefinition
 if (entityIDexists) {
 throw new MetadataProviderException("Duplicate entity ID:"+entityIDToBeAdded);
 }
-
- return new ExtendedMetadataDelegate[] {added, deleted};
 }
 
 public synchronized ExtendedMetadataDelegate removeIdentityProviderDefinition(SamlIdentityProviderDefinition providerDefinition) {
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/idp/NonSnarlIdpMetadataManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/idp/NonSnarlIdpMetadataManager.java
new file mode 100644
index 00000000000..5456dae5733
--- /dev/null
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/idp/NonSnarlIdpMetadataManager.java
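Review bot: The Javadoc kept above the renamed method still reads `adds or replaces a SAML identity proviider` and `@param providerDefinition - the provider to be added`, which no longer describes `validateSamlIdentityProviderDefinition`; suggest ` * Validates a SAML identity provider definition by resolving its metadata without registering it` and ` * @param providerDefinition - the provider definition to validate`. The locals `ExtendedMetadataDelegate added, deleted=null;` remain although their only visible consumer, the removed `return new ExtendedMetadataDelegate[] {added, deleted};`, is gone; if the body between the two hunks (outside this view) still stores `added` in the configurator's state, the name `validate` overstates the method's freedom from side effects, otherwise the now-unused locals should be dropped. The method body runs past the first hunk.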
@@ -0,0 +1,438 @@ +package org.cloudfoundry.identity.uaa.provider.saml.idp; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.cloudfoundry.identity.uaa.provider.saml.ComparableProvider; +import org.cloudfoundry.identity.uaa.util.JsonUtils; +import org.cloudfoundry.identity.uaa.zone.IdentityZone; +import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder; +import org.cloudfoundry.identity.uaa.zone.IdentityZoneProvisioning; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.metadata.*; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.saml2.metadata.provider.MetadataProvider; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.security.x509.PKIXValidationInformationResolver; +import org.opensaml.xml.signature.SignatureTrustEngine; +import org.springframework.beans.factory.BeanNameAware; +import org.springframework.beans.factory.DisposableBean; +import org.springframework.beans.factory.InitializingBean; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.security.saml.key.KeyManager; +import org.springframework.security.saml.metadata.ExtendedMetadata; +import org.springframework.security.saml.metadata.ExtendedMetadataDelegate; +import org.springframework.security.saml.metadata.ExtendedMetadataProvider; +import org.springframework.security.saml.metadata.MetadataMemoryProvider; +import org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer; +import org.springframework.security.saml.util.SAMLUtil; +import org.springframework.util.StringUtils; + +import javax.xml.namespace.QName; +import java.util.*; +import java.util.concurrent.ConcurrentHashMap; + + +public class NonSnarlIdpMetadataManager extends IdpMetadataManager implements ExtendedMetadataProvider, 
InitializingBean, DisposableBean, BeanNameAware { + private static final Log logger = LogFactory.getLog(NonSnarlIdpMetadataManager.class); + + private SamlServiceProviderConfigurator configurator; + + + private IdpMetadataGenerator generator; + private Map zoneHostedIdpNames; + private ExtendedMetadata defaultExtendedMetadata; + private String beanName = NonSnarlIdpMetadataManager.class.getName()+"-"+System.identityHashCode(this); + + public NonSnarlIdpMetadataManager(SamlServiceProviderConfigurator configurator) throws MetadataProviderException { + super(Collections.emptyList()); + this.configurator = configurator; + + super.setKeyManager(IdentityZoneHolder.getSamlSPKeyManager()); + //disable internal timer + super.setRefreshCheckInterval(0); + logger.info("-----> Internal Timer is disabled"); + this.defaultExtendedMetadata = new ExtendedMetadata(); + if (zoneHostedIdpNames==null) { + zoneHostedIdpNames = new ConcurrentHashMap<>(); + } + } + + @Override + public void setBeanName(String name) { + this.beanName = name; + } + + @Override + public void setProviders(List newProviders) throws MetadataProviderException { + } + + @Override + public void refreshMetadata() { + } + + @Override + public void addMetadataProvider(MetadataProvider newProvider) throws MetadataProviderException { + } + + @Override + public void removeMetadataProvider(MetadataProvider provider) { + } + + @Override + public List getProviders() { + List result = new ArrayList<>(); + for (ExtendedMetadataDelegate delegate : getAvailableProviders()) { + result.add(delegate); + } + return result; + } + + @Override + public List getAvailableProviders() { + IdentityZone zone = IdentityZoneHolder.get(); + List result = new ArrayList<>(); + try { + result.add(getLocalIdp()); + } catch (MetadataProviderException e) { + throw new IllegalStateException(e); + } + for (SamlServiceProviderHolder holder : configurator.getSamlServiceProviders()) { + log.info("Adding SAML SP zone[" + zone.getId() + "] alias[" + 
holder.getSamlServiceProvider().getEntityId() + "]"); + try { + ExtendedMetadataDelegate delegate = holder.getExtendedMetadataDelegate(); + initializeProvider(delegate); + initializeProviderData(delegate); + initializeProviderFilters(delegate); + result.add(delegate); + } catch (MetadataProviderException e) { + log.error("Invalid SAML IDP zone[" + zone.getId() + "] alias[" + holder.getSamlServiceProvider().getEntityId() + "]", e); + } + } + return result; + + } + + public ExtendedMetadataDelegate getLocalIdp() throws MetadataProviderException { + EntityDescriptor descriptor = generator.generateMetadata(); + ExtendedMetadata extendedMetadata = generator.generateExtendedMetadata(); + log.info("Initialized local identity provider for entityID: " + descriptor.getEntityID()); + MetadataMemoryProvider memoryProvider = new MetadataMemoryProvider(descriptor); + memoryProvider.initialize(); + return new ExtendedMetadataDelegate(memoryProvider, extendedMetadata); + } + + @Override + protected void initializeProvider(ExtendedMetadataDelegate provider) throws MetadataProviderException { + log.debug("Initializing extendedMetadataDelegate {}", provider); + provider.initialize(); + } + + @Override + protected void initializeProviderData(ExtendedMetadataDelegate provider) throws MetadataProviderException { + + } + +/* @Override + protected void initializeProviderFilters(ExtendedMetadataDelegate provider) throws MetadataProviderException { + getManager().initializeProviderFilters(provider); + + + }*/ + + @Override + public Set getIDPEntityNames() { + Set result = new HashSet<>(); + ExtendedMetadataDelegate delegate = null; + try{ + delegate = getLocalIdp(); + String idp = getProviderIdpAlias(delegate); + if (StringUtils.hasText(idp)) { + result.add(idp); + } + } catch (MetadataProviderException e) { + log.error("Unable to get IDP alias for:"+delegate, e); + } + return result; + } + + + protected String getProviderIdpAlias(ExtendedMetadataDelegate provider) throws 
MetadataProviderException { + List stringSet = parseProvider(provider); + for (String key : stringSet) { + RoleDescriptor idpRoleDescriptor = provider.getRole(key, IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS); + if (idpRoleDescriptor != null) { + return key; + } + } + return null; + } + + @Override + public Set getSPEntityNames() { + Set result = new HashSet<>(); + for (ExtendedMetadataDelegate delegate : getAvailableProviders()) { + try { + String sp = getSpName(delegate); + if (StringUtils.hasText(sp)) { + result.add(sp); + } + } catch (MetadataProviderException e) { + log.error("Unable to get IDP alias for:"+delegate, e); + } + } + return result; + } + + protected String getSpName(ExtendedMetadataDelegate provider) throws MetadataProviderException { + List stringSet = parseProvider(provider); + for (String key : stringSet) { + RoleDescriptor spRoleDescriptor = provider.getRole(key, SPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS); + if (spRoleDescriptor != null) { + ExtendedMetadata extendedMetadata = getExtendedMetadata(key, provider); + if (extendedMetadata != null) { + return key; + } + } + } + return null; + } + + protected String getHostedSpName(ExtendedMetadataDelegate provider) throws MetadataProviderException { + String key = getSpName(provider); + ExtendedMetadata extendedMetadata = getExtendedMetadata(key, provider); + if (extendedMetadata.isLocal()) { + return key; + } else { + return null; + } + } + + + /** {@inheritDoc} */ + public List getRole(String entityID, QName roleName) throws MetadataProviderException { + List roleDescriptors = null; + for (MetadataProvider provider : getProviders()) { + log.debug("Checking child metadata provider for entity descriptor with entity ID: {}", entityID); + try { + roleDescriptors = provider.getRole(entityID, roleName); + if (roleDescriptors != null && !roleDescriptors.isEmpty()) { + break; + } + } catch (MetadataProviderException e) { + log.warn("Error retrieving metadata from 
provider of type {}, proceeding to next provider", + provider.getClass().getName(), e); + continue; + } + } + return roleDescriptors; + } + + /** {@inheritDoc} */ + @Override + public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol) + throws MetadataProviderException { + RoleDescriptor roleDescriptor = null; + for (MetadataProvider provider : getProviders()) { + log.debug("Checking child metadata provider for entity descriptor with entity ID: {}", entityID); + try { + roleDescriptor = provider.getRole(entityID, roleName, supportedProtocol); + if (roleDescriptor != null) { + break; + } + } catch (MetadataProviderException e) { + log.warn("Error retrieving metadata from provider of type {}, proceeding to next provider", + provider.getClass().getName(), e); + continue; + } + } + return roleDescriptor; + } + + @Override + public boolean isIDPValid(String idpID) { + return getIDPEntityNames().contains(idpID); + } + + @Override + public boolean isSPValid(String spID) { + return getSPEntityNames().contains(spID); + } + + @Override + public String getHostedIdpName() { + return zoneHostedIdpNames.get(IdentityZoneHolder.get().getId()); + } + + @Override + public void setHostedIdpName(String hostedIdpName) { + String zoneId = IdentityZoneHolder.get().getId(); + zoneHostedIdpNames.put(zoneId, hostedIdpName); + + } + + @Override + public String getHostedSPName() { + for (ExtendedMetadataDelegate delegate : getAvailableProviders()) { + try { + String spName = getHostedSpName(delegate); + if (StringUtils.hasText(spName)) { + return spName; + } + } catch (MetadataProviderException e) { + log.error("Unable to find hosted SP name:"+delegate, e); + } + } + return null; + } + + @Override + public void setHostedSPName(String hostedSPName) { + + } + + @Override + public String getDefaultIDP() throws MetadataProviderException { + Iterator iterator = getIDPEntityNames().iterator(); + if (iterator.hasNext()) { + return iterator.next(); + } else { + throw 
new MetadataProviderException("No IDP was configured, please update included metadata with at least one IDP"); + } + } + + @Override + public EntityDescriptor getEntityDescriptor(String entityID) throws MetadataProviderException { + EntityDescriptor descriptor = null; + for (MetadataProvider provider : getProviders()) { + log.debug("Checking child metadata provider for entity descriptor with entity ID: {}", entityID); + try { + descriptor = provider.getEntityDescriptor(entityID); + if (descriptor != null) { + break; + } + } catch (MetadataProviderException e) { + log.warn("Error retrieving metadata from provider of type {}, proceeding to next provider", + provider.getClass().getName(), e); + continue; + } + } + return descriptor; + } + + @Override + public EntityDescriptor getEntityDescriptor(byte[] hash) throws MetadataProviderException { + + for (String sp : getSPEntityNames()) { + if (SAMLUtil.compare(hash, sp)) { + return getEntityDescriptor(sp); + } + } + + for (String idp : getIDPEntityNames()) { + if (SAMLUtil.compare(hash, idp)) { + return getEntityDescriptor(idp); + } + } + + return null; + } + + @Override + public String getEntityIdForAlias(String entityAlias) throws MetadataProviderException { + if (entityAlias == null) { + return null; + } + String entityId = null; + + for (String sp : getSPEntityNames()) { + ExtendedMetadata extendedMetadata = getExtendedMetadata(sp); + if (entityAlias.equals(extendedMetadata.getAlias())) { + if (entityId != null && !entityId.equals(sp)) { + throw new MetadataProviderException("Alias " + entityAlias + " is used both for entity " + entityId + " and " + sp); + } else { + entityId = sp; + } + } + } + + for (String idp : getIDPEntityNames()) { + ExtendedMetadata extendedMetadata = getExtendedMetadata(idp); + if (entityAlias.equals(extendedMetadata.getAlias())) { + if (entityId != null && !entityId.equals(idp)) { + throw new MetadataProviderException("Alias " + entityAlias + " is used both for entity " + entityId + " and " 
+ idp); + } else { + entityId = idp; + } + } + } + return entityId; + } + + @Override + public ExtendedMetadata getDefaultExtendedMetadata() { + return defaultExtendedMetadata; + } + + @Override + public void setDefaultExtendedMetadata(ExtendedMetadata defaultExtendedMetadata) { + this.defaultExtendedMetadata = defaultExtendedMetadata; + } + + @Override + public boolean isRefreshRequired() { + return false; + } + + @Override + public void setRefreshRequired(boolean refreshRequired) { + //no op + } + + @Override + public void setKeyManager(KeyManager keyManager) { + this.keyManager = keyManager; + super.setKeyManager(keyManager); + } + + @Autowired(required = false) + public void setTLSConfigurer(TLSProtocolConfigurer configurer) { + // Only explicit dependency + } + + @Override + public void destroy() { + + } + + @Override + public ExtendedMetadata getExtendedMetadata(String entityID) throws MetadataProviderException { + for (MetadataProvider provider : getAvailableProviders()) { + ExtendedMetadata extendedMetadata = getExtendedMetadata(entityID, provider); + if (extendedMetadata != null) { + return extendedMetadata; + } + } + return getDefaultExtendedMetadata().clone(); + } + + private ExtendedMetadata getExtendedMetadata(String entityID, MetadataProvider provider) throws MetadataProviderException { + if (provider instanceof ExtendedMetadataProvider) { + ExtendedMetadataProvider extendedProvider = (ExtendedMetadataProvider) provider; + ExtendedMetadata extendedMetadata = extendedProvider.getExtendedMetadata(entityID); + if (extendedMetadata != null) { + return extendedMetadata.clone(); + } + } + return null; + } + + public IdpMetadataGenerator getGenerator() { + return generator; + } + + public void setGenerator(IdpMetadataGenerator generator) { + this.generator = generator; + } +} 
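Review bot: `getHostedSpName` dereferences `extendedMetadata.isLocal()` without a null check, yet `getSpName(provider)` returns null for a delegate without an SPSSODescriptor, so `getExtendedMetadata(null, provider)` can return null and `getHostedSPName`, which only catches `MetadataProviderException`, lets a NullPointerException escape the metadata lookup; add `if (key == null) { return null; }` after the `getSpName` call and end with `return extendedMetadata != null && extendedMetadata.isLocal() ? key : null;`. `getAvailableProviders()` regenerates the local IdP metadata and re-runs `initializeProvider`/`initializeProviderData`/`initializeProviderFilters` on every SP delegate per call, and `getEntityIdForAlias` reaches it once through `getSPEntityNames` and again through `getExtendedMetadata(String)` for each SP, so a single alias lookup re-initializes all SP metadata a quadratic number of times; either cache the delegates per zone or document the cost on the method. The error messages in the SP loop of `getAvailableProviders` (`"Invalid SAML IDP zone["`) and in `getSPEntityNames` (`"Unable to get IDP alias for:"`) say IDP while handling SPs, which will mislead whoever triages the logs. The commented-out `initializeProviderFilters` override and the `if (zoneHostedIdpNames==null)` guard in the constructor (the field is never assigned anywhere else, so the branch is always taken) are dead code.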
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/idp/SamlServiceProviderChangedListener.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/idp/SamlServiceProviderChangedListener.java deleted file mode 100644 index a38cdc16017..00000000000 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/idp/SamlServiceProviderChangedListener.java +++ /dev/null 
@@ -1,76 +0,0 @@ -/* - * ***************************************************************************** - * Cloud Foundry - * Copyright (c) [2009-2016] Pivotal Software, Inc. All Rights Reserved. - * This product is licensed to you under the Apache License, Version 2.0 (the "License"). - * You may not use this product except in compliance with the License. - * - * This product includes a number of subcomponents with - * separate copyright notices and license terms. Your use of these - * subcomponents is subject to the terms and conditions of the - * subcomponent's license, as noted in the LICENSE file. - * ***************************************************************************** - */ -package org.cloudfoundry.identity.uaa.provider.saml.idp; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.cloudfoundry.identity.uaa.zone.IdentityZone; -import org.cloudfoundry.identity.uaa.zone.IdentityZoneProvisioning; -import org.cloudfoundry.identity.uaa.zone.event.ServiceProviderModifiedEvent; -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.springframework.context.ApplicationListener; -import org.springframework.security.saml.metadata.ExtendedMetadataDelegate; - -/** - * Listens to SAML service provider modified events from the RESTful service controller and updates the internal state and data persistence as necessary. 
- */ -public class SamlServiceProviderChangedListener implements ApplicationListener { - - private static final Log logger = LogFactory.getLog(SamlServiceProviderChangedListener.class); - private ZoneAwareIdpMetadataManager metadataManager = null; - private final SamlServiceProviderConfigurator configurator; - private final IdentityZoneProvisioning zoneProvisioning; - - public SamlServiceProviderChangedListener(SamlServiceProviderConfigurator configurator, - IdentityZoneProvisioning zoneProvisioning) { - this.configurator = configurator; - this.zoneProvisioning = zoneProvisioning; - } - - @Override - public void onApplicationEvent(ServiceProviderModifiedEvent event) { - if (metadataManager == null) { - return; - } - SamlServiceProvider changedSamlServiceProvider = (SamlServiceProvider) event.getSource(); - IdentityZone zone = zoneProvisioning.retrieve(changedSamlServiceProvider.getIdentityZoneId()); - ZoneAwareIdpMetadataManager.ExtensionMetadataManager manager = metadataManager.getManager(zone); - try { - if (changedSamlServiceProvider.isActive()) { - ExtendedMetadataDelegate[] delegates = configurator.addSamlServiceProvider(changedSamlServiceProvider); - if (delegates[1] != null) { - manager.removeMetadataProvider(delegates[1]); - } - manager.addMetadataProvider(delegates[0]); - } else { - ExtendedMetadataDelegate delegate = configurator.removeSamlServiceProvider(changedSamlServiceProvider.getEntityId()); - if (delegate != null) { - manager.removeMetadataProvider(delegate); - } - } - for (MetadataProvider provider : manager.getProviders()) { - provider.getMetadata(); - } - manager.refreshMetadata(); - metadataManager.getManager(zone).refreshMetadata(); - } catch (MetadataProviderException e) { - logger.error("Unable to add new SAML service provider: " + changedSamlServiceProvider, e); - } - } - - public void setMetadataManager(ZoneAwareIdpMetadataManager metadataManager) { - this.metadataManager = metadataManager; - } -} 
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/idp/SamlServiceProviderConfigurator.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/idp/SamlServiceProviderConfigurator.java index 2fea7144ef5..59be9f6e38b 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/idp/SamlServiceProviderConfigurator.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/idp/SamlServiceProviderConfigurator.java @@ -16,6 +16,8 @@ import org.apache.commons.httpclient.params.HttpClientParams; import org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory; import org.apache.commons.httpclient.protocol.ProtocolSocketFactory; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; import org.apache.http.client.utils.URIBuilder; import org.cloudfoundry.identity.uaa.cache.UrlContentCache; import org.cloudfoundry.identity.uaa.provider.saml.ConfigMetadataProvider; 
@@ -38,26 +40,20 @@ import java.net.URISyntaxException; import java.nio.charset.StandardCharsets; import java.security.GeneralSecurityException; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collections; -import java.util.Date; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Set; -import java.util.Timer; -import java.util.TimerTask; +import java.util.*; /** * Holds internal state of available SAML Service Providers. */ public class SamlServiceProviderConfigurator { + private static final Log logger = LogFactory.getLog(SamlServiceProviderConfigurator.class); - private final Map> zoneServiceProviders = new HashMap<>(); private HttpClientParams clientParams; private BasicParserPool parserPool; + + + private SamlServiceProviderProvisioning providerProvisioning; + private Set supportedNameIDs = new HashSet<>(Arrays.asList(NameIDType.EMAIL, NameIDType.PERSISTENT, NameIDType.UNSPECIFIED)); private UrlContentCache contentCache; 
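Review bot: The eleven explicit `java.util` imports are collapsed into `import java.util.*;`, which hides which types the class depends on and invites name ambiguity with other wildcard imports; keep the explicit list and add `java.util.LinkedList` for the new code instead. The new `providerProvisioning` field has no default and is only assigned through the setter added further down, so `getSamlServiceProvidersForZone` throws NullPointerException if the bean is wired without it; a constructor parameter or `Objects.requireNonNull(providerProvisioning, "providerProvisioning")` before use would fail with a clear message at startup.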
@@ -119,33 +115,21 @@ public SamlServiceProviderConfigurator() { } public List getSamlServiceProviders() { - Map serviceProviders = getOrCreateSamlServiceProviderMapForZone( - IdentityZoneHolder.get()); - return Collections.unmodifiableList(new ArrayList<>(serviceProviders.values())); + return getSamlServiceProvidersForZone(IdentityZoneHolder.get()); } public List getSamlServiceProvidersForZone(IdentityZone zone) { - Map serviceProviders = getOrCreateSamlServiceProviderMapForZone(zone); - return Collections.unmodifiableList(new ArrayList<>(serviceProviders.values())); - } - - public Map getSamlServiceProviderMapForZone(IdentityZone zone) { - Map serviceProviders = getOrCreateSamlServiceProviderMapForZone(zone); - return Collections.unmodifiableMap(serviceProviders); - } - - private Map getOrCreateSamlServiceProviderMapForZone(IdentityZone zone) { - Map serviceProviders = zoneServiceProviders.get(zone); - if (serviceProviders == null) { - synchronized (zoneServiceProviders) { - serviceProviders = zoneServiceProviders.get(zone); - if (serviceProviders == null) { - serviceProviders = new HashMap<>(); - zoneServiceProviders.put(zone, serviceProviders); - } + List result = new LinkedList<>(); + for (SamlServiceProvider provider: providerProvisioning.retrieveActive(zone.getId())) { + try { + SamlServiceProviderHolder samlServiceProviderHolder = + new SamlServiceProviderHolder(getExtendedMetadataDelegate(provider), provider); + result.add(samlServiceProviderHolder); + }catch(MetadataProviderException e) { + logger.error("Unable to configure SAML SP Metadata for ServiceProvider:" + provider.getEntityId(), e); } } - return serviceProviders; + return Collections.unmodifiableList(result); } /** 
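Review bot: `getSamlServiceProvidersForZone` now issues `providerProvisioning.retrieveActive(zone.getId())` and builds an `ExtendedMetadataDelegate` for every active SP on each call, and it is what `NonSnarlIdpMetadataManager.getAvailableProviders()` in this same commit reads on every metadata lookup, so the per-request cost includes whatever `getExtendedMetadataDelegate` does to resolve metadata (its body is outside this hunk). A provider whose metadata fails is logged and silently omitted, so a misconfigured or unreachable SP vanishes from the metadata set instead of surfacing as an error; document this on the method, e.g. `/** Returns the active SPs of the zone whose metadata could be resolved; providers whose metadata fails to load are logged and omitted. */`. `new LinkedList<>()` should be `new ArrayList<>()` for a list that is only appended to and then wrapped.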
@@ -153,16 +137,14 @@ private Map getOrCreateSamlServiceProviderMap * * @param provider * - the provider to be added - * @return an array consisting of {provider-added, provider-deleted} where - * provider-deleted may be null * @throws MetadataProviderException * if the system fails to fetch meta data for this provider */ - public ExtendedMetadataDelegate[] addSamlServiceProvider(SamlServiceProvider provider) throws MetadataProviderException { - return addSamlServiceProvider(provider, IdentityZoneHolder.get()); + public void validateSamlServiceProvider(SamlServiceProvider provider) throws MetadataProviderException { + validateSamlServiceProvider(provider, IdentityZoneHolder.get()); } - synchronized ExtendedMetadataDelegate[] addSamlServiceProvider(SamlServiceProvider provider, IdentityZone zone) + synchronized void validateSamlServiceProvider(SamlServiceProvider provider, IdentityZone zone) throws MetadataProviderException { if (provider == null) { 
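Review bot: The Javadoc kept in this hunk still says `@param provider - the provider to be added` for a method now named `validateSamlServiceProvider` that registers nothing; change it to `@param provider - the service provider whose metadata is validated`, and the summary sentence above the hunk presumably needs the same update. The package-private overload `validateSamlServiceProvider(SamlServiceProvider, IdentityZone)` keeps `synchronized` although the zone map it used to guard is removed in this commit and no shared state is touched on the visible lines; if nothing else in the class requires it, drop the modifier or document what it protects. The method body continues past the hunk.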
@@ -201,33 +183,7 @@ else if (!metadataEntityId.equals(provider.getEntityId())) { + provider.getEntityId()); } } - Map serviceProviders = getOrCreateSamlServiceProviderMapForZone(zone); - - ExtendedMetadataDelegate deleted = null; - if (serviceProviders.containsKey(provider.getEntityId())) { - deleted = serviceProviders.remove(provider.getEntityId()).getExtendedMetadataDelegate(); - } - - SamlServiceProviderHolder holder = new SamlServiceProviderHolder(added, provider); - serviceProviders.put(provider.getEntityId(), holder); - return new ExtendedMetadataDelegate[] { added, deleted }; - } - - public synchronized ExtendedMetadataDelegate removeSamlServiceProvider(String entityId) { - Map serviceProviders = getOrCreateSamlServiceProviderMapForZone( - IdentityZoneHolder.get()); - - SamlServiceProviderHolder samlServiceProviderHolder = serviceProviders.remove(entityId); - return samlServiceProviderHolder == null ? null : samlServiceProviderHolder.getExtendedMetadataDelegate(); - } - - public ExtendedMetadataDelegate getExtendedMetadataDelegateFromCache(String entityId) - throws MetadataProviderException { - Map serviceProviders = getOrCreateSamlServiceProviderMapForZone( - IdentityZoneHolder.get()); - - SamlServiceProviderHolder samlServiceProviderHolder = serviceProviders.get(entityId); - return samlServiceProviderHolder == null ? null : samlServiceProviderHolder.getExtendedMetadataDelegate(); + List serviceProviders = getSamlServiceProvidersForZone(zone); } @@ -312,6 +268,10 @@ protected String adjustURIForPort(String uri) throws URISyntaxException { return uri; } + public SamlServiceProviderProvisioning getProviderProvisioning() { return providerProvisioning; } + + public void setProviderProvisioning(SamlServiceProviderProvisioning providerProvisioning) { this.providerProvisioning = providerProvisioning; } + public HttpClientParams getClientParams() { return clientParams; } 
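Review bot: The final statement of `validateSamlServiceProvider(provider, zone)`, `List serviceProviders = getSamlServiceProvidersForZone(zone);`, assigns a local that is never read, yet it performs a database retrieval and metadata-delegate construction for every active SP of the zone on each create/update request; delete the line, or if the intent is to reject an entity-id clash with an existing SP, compare `provider.getEntityId()` against the returned holders and throw `MetadataProviderException`. `added`, assigned above this hunk presumably from the earlier metadata resolution, also appears unused now that `return new ExtendedMetadataDelegate[] { added, deleted };` is removed. The enclosing method starts before this hunk.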
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/idp/ZoneAwareIdpMetadataManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/idp/ZoneAwareIdpMetadataManager.java deleted file mode 100644 index 1f2951b6121..00000000000 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/idp/ZoneAwareIdpMetadataManager.java +++ /dev/null 
@@ -1,735 +0,0 @@ -/* - * ***************************************************************************** - * Cloud Foundry - * Copyright (c) [2009-2016] Pivotal Software, Inc. All Rights Reserved. - * This product is licensed to you under the Apache License, Version 2.0 (the "License"). - * You may not use this product except in compliance with the License. - * - * This product includes a number of subcomponents with - * separate copyright notices and license terms. Your use of these - * subcomponents is subject to the terms and conditions of the - * subcomponent's license, as noted in the LICENSE file. - * ***************************************************************************** - */ - -package org.cloudfoundry.identity.uaa.provider.saml.idp; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; -import org.cloudfoundry.identity.uaa.provider.saml.ComparableProvider; -import org.cloudfoundry.identity.uaa.util.JsonUtils; -import org.cloudfoundry.identity.uaa.zone.IdentityZone; -import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder; -import org.cloudfoundry.identity.uaa.zone.IdentityZoneProvisioning; -import org.opensaml.saml2.metadata.EntitiesDescriptor; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.RoleDescriptor; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.saml2.metadata.provider.MetadataProvider; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.security.x509.PKIXValidationInformationResolver; -import org.opensaml.xml.signature.SignatureTrustEngine; -import org.springframework.beans.factory.BeanNameAware; -import org.springframework.beans.factory.DisposableBean; -import org.springframework.beans.factory.InitializingBean; -import org.springframework.security.saml.key.KeyManager; -import 
org.springframework.security.saml.metadata.CachingMetadataManager; -import org.springframework.security.saml.metadata.ExtendedMetadata; -import org.springframework.security.saml.metadata.ExtendedMetadataDelegate; -import org.springframework.security.saml.metadata.ExtendedMetadataProvider; -import org.springframework.security.saml.trust.httpclient.TLSProtocolConfigurer; - -import javax.annotation.PostConstruct; -import javax.xml.namespace.QName; -import java.util.Collections; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Set; -import java.util.Timer; -import java.util.TimerTask; -import java.util.concurrent.ConcurrentHashMap; - -public class ZoneAwareIdpMetadataManager extends IdpMetadataManager implements ExtendedMetadataProvider, InitializingBean, DisposableBean, BeanNameAware { - - private static final Log logger = LogFactory.getLog(ZoneAwareIdpMetadataManager.class); - private SamlServiceProviderProvisioning providerDao; - private IdentityZoneProvisioning zoneDao; - private SamlServiceProviderConfigurator configurator; - private Map metadataManagers; - private long refreshInterval = 30000l; - private long lastRefresh = 0; - private Timer timer; - private String beanName = ZoneAwareIdpMetadataManager.class.getName()+"-"+System.identityHashCode(this); - - public ZoneAwareIdpMetadataManager(SamlServiceProviderProvisioning providerDao, - IdentityZoneProvisioning zoneDao, - SamlServiceProviderConfigurator configurator) throws MetadataProviderException { - super(Collections.emptyList()); - this.providerDao = providerDao; - this.zoneDao = zoneDao; - this.configurator = configurator; - - - super.setKeyManager(IdentityZoneHolder.getSamlSPKeyManager()); - //disable internal timer - super.setRefreshCheckInterval(0); - if (metadataManagers==null) { - metadataManagers = new ConcurrentHashMap<>(); - } - } - - private class RefreshTask extends TimerTask { - @Override - public void run() { - try { - 
refreshAllProviders(false); - }catch (Exception x) { - log.error("Unable to run SAML provider refresh task:", x); - } - } - } - - @Override - public void setBeanName(String name) { - this.beanName = name; - } - - @PostConstruct - public void checkAllProviders() throws MetadataProviderException { - for (Map.Entry entry : metadataManagers.entrySet()) { - entry.getValue().setKeyManager(keyManager); - } - refreshAllProviders(); - timer = new Timer("ZoneAwareMetadataManager.Refresh["+beanName+"]", true); - timer.schedule(new RefreshTask(),refreshInterval , refreshInterval); - } - - public void refreshAllProviders() throws MetadataProviderException { - refreshAllProviders(true); - } - - protected String getThreadNameAndId() { - return Thread.currentThread().getName()+"-"+System.identityHashCode(Thread.currentThread()); - } - - protected void refreshAllProviders(boolean ignoreTimestamp) throws MetadataProviderException { - logger.debug("Running SAML SP refresh[" + getThreadNameAndId() + "] - ignoreTimestamp=" + ignoreTimestamp); - for (IdentityZone zone : zoneDao.retrieveAll()) { - ExtensionMetadataManager manager = getManager(zone); - boolean hasChanges = false; - Map zoneProviderMap = - new HashMap(configurator.getSamlServiceProviderMapForZone(zone)); - for (SamlServiceProvider provider : providerDao.retrieveAll(false, zone.getId())) { - zoneProviderMap.remove(provider.getEntityId()); - if (ignoreTimestamp || lastRefresh < provider.getLastModified().getTime()) { - try { - try { - if (provider.isActive()) { - log.info("Adding SAML SP zone[" + zone.getId() + "] entityId[" - + provider.getEntityId() + "]"); - ExtendedMetadataDelegate[] delegates = configurator - .addSamlServiceProvider(provider, zone); - if (delegates[1] != null) { - manager.removeMetadataProvider(delegates[1]); - } - manager.addMetadataProvider(delegates[0]); - } else { - removeSamlServiceProvider(zone, manager, provider); - } - hasChanges = true; - } catch (MetadataProviderException e) { - 
logger.error("Unable to refresh SAML Service Provider: " + provider, e); - } - } catch (JsonUtils.JsonUtilException x) { - logger.error("Unable to load SAML Service Provider:" + provider, x); - } - } - } - // Remove anything that we did not find in persistent storage. - for (SamlServiceProviderHolder holder : zoneProviderMap.values()) { - removeSamlServiceProvider(zone, manager, holder.getSamlServiceProvider()); - hasChanges = true; - } - if (hasChanges) { - refreshZoneManager(manager); - } - } - lastRefresh = System.currentTimeMillis(); - } - - protected void removeSamlServiceProvider(IdentityZone zone, ExtensionMetadataManager manager, - SamlServiceProvider provider) { - log.info("Removing SAML SP zone[" + zone.getId() + "] entityId[" + provider.getEntityId() + "]"); - ExtendedMetadataDelegate delegate = configurator.removeSamlServiceProvider(provider.getEntityId()); - if (delegate != null) { - manager.removeMetadataProvider(delegate); - } - } - - @SuppressWarnings({ "unchecked", "rawtypes" }) - public ExtensionMetadataManager getManager(IdentityZone zone) { - if (metadataManagers==null) { //called during super constructor - metadataManagers = new ConcurrentHashMap<>(); - } - ExtensionMetadataManager manager = metadataManagers.get(zone); - if (manager==null) { - try { - manager = new ExtensionMetadataManager(Collections.emptyList()); - } catch (MetadataProviderException e) { - throw new IllegalStateException(e); - } - manager.setKeyManager(keyManager); - ((ConcurrentHashMap)metadataManagers).putIfAbsent(zone, manager); - } - return metadataManagers.get(zone); - } - public ExtensionMetadataManager getManager() { - return getManager(IdentityZoneHolder.get()); - } - - @Override - public void setProviders(List newProviders) throws MetadataProviderException { - getManager().setProviders(newProviders); - } - - @Override - public void refreshMetadata() { - getManager().refreshMetadata(); - } - - @Override - public void addMetadataProvider(MetadataProvider newProvider) 
throws MetadataProviderException { - getManager().addMetadataProvider(newProvider); - } - - @Override - public void removeMetadataProvider(MetadataProvider provider) { - getManager().removeMetadataProvider(provider); - } - - @Override - public List getProviders() { - return getManager().getProviders(); - } - - @Override - public List getAvailableProviders() { - return getManager().getAvailableProviders(); - } - - @Override - protected void initializeProvider(ExtendedMetadataDelegate provider) throws MetadataProviderException { - getManager().initializeProvider(provider); - } - - @Override - protected void initializeProviderData(ExtendedMetadataDelegate provider) throws MetadataProviderException { - getManager().initializeProviderData(provider); - } - - @Override - protected void initializeProviderFilters(ExtendedMetadataDelegate provider) throws MetadataProviderException { - getManager().initializeProviderFilters(provider); - } - - @Override - protected SignatureTrustEngine getTrustEngine(MetadataProvider provider) { - return getManager().getTrustEngine(provider); - } - - @Override - protected PKIXValidationInformationResolver getPKIXResolver(MetadataProvider provider, Set trustedKeys, Set trustedNames) { - return getManager().getPKIXResolver(provider, trustedKeys, trustedNames); - } - - @Override - protected List parseProvider(MetadataProvider provider) throws MetadataProviderException { - return getManager().parseProvider(provider); - } - - @Override - public Set getIDPEntityNames() { - return getManager().getIDPEntityNames(); - } - - @Override - public Set getSPEntityNames() { - return getManager().getSPEntityNames(); - } - - @Override - public boolean isIDPValid(String idpID) { - return getManager().isIDPValid(idpID); - } - - @Override - public boolean isSPValid(String spID) { - return getManager().isSPValid(spID); - } - - @Override - public String getHostedIdpName() { - return getManager().getHostedIdpName(); - } - - @Override - public void 
setHostedIdpName(String hostedIdpName) { - getManager().setHostedIdpName(hostedIdpName); - } - - @Override - public String getHostedSPName() { - return getManager().getHostedSPName(); - } - - @Override - public void setHostedSPName(String hostedSPName) { - getManager().setHostedSPName(hostedSPName); - } - - @Override - public String getDefaultIDP() throws MetadataProviderException { - return getManager().getDefaultIDP(); - } - - @Override - public void setDefaultIDP(String defaultIDP) { - getManager().setDefaultIDP(defaultIDP); - } - - @Override - public EntityDescriptor getEntityDescriptor(byte[] hash) throws MetadataProviderException { - return getManager().getEntityDescriptor(hash); - } - - @Override - public String getEntityIdForAlias(String entityAlias) throws MetadataProviderException { - return getManager().getEntityIdForAlias(entityAlias); - } - - @Override - public ExtendedMetadata getDefaultExtendedMetadata() { - return getManager().getDefaultExtendedMetadata(); - } - - @Override - public void setDefaultExtendedMetadata(ExtendedMetadata defaultExtendedMetadata) { - getManager().setDefaultExtendedMetadata(defaultExtendedMetadata); - } - - @Override - public boolean isRefreshRequired() { - return getManager().isRefreshRequired(); - } - - @Override - public void setRefreshRequired(boolean refreshRequired) { - getManager().setRefreshRequired(refreshRequired); - } - - @Override - public void setRefreshCheckInterval(long refreshCheckInterval) { - this.refreshInterval = refreshCheckInterval; - } - - @Override - public void setKeyManager(KeyManager keyManager) { - getManager().setKeyManager(keyManager); - } - - @Override - public void setTLSConfigurer(TLSProtocolConfigurer configurer) { - getManager().setTLSConfigurer(configurer); - } - - @Override - protected void doAddMetadataProvider(MetadataProvider provider, List providerList) { - getManager().doAddMetadataProvider(provider, providerList); - } - - @Override - public void setRequireValidMetadata(boolean 
requireValidMetadata) { - getManager().setRequireValidMetadata(requireValidMetadata); - } - - @Override - public MetadataFilter getMetadataFilter() { - return getManager().getMetadataFilter(); - } - - @Override - public void setMetadataFilter(MetadataFilter newFilter) throws MetadataProviderException { - getManager().setMetadataFilter(newFilter); - } - - @Override - public XMLObject getMetadata() throws MetadataProviderException { - return getManager().getMetadata(); - } - - @Override - public EntitiesDescriptor getEntitiesDescriptor(String name) throws MetadataProviderException { - return getManager().getEntitiesDescriptor(name); - } - - @Override - public EntityDescriptor getEntityDescriptor(String entityID) throws MetadataProviderException { - return getManager().getEntityDescriptor(entityID); - } - - @Override - public List getRole(String entityID, QName roleName) throws MetadataProviderException { - return getManager().getRole(entityID, roleName); - } - - @Override - public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol) throws MetadataProviderException { - return getManager().getRole(entityID, roleName, supportedProtocol); - } - - @Override - public List getObservers() { - return getManager().getObservers(); - } - - @Override - protected void emitChangeEvent() { - getManager().emitChangeEvent(); - } - - @Override - public boolean requireValidMetadata() { - return getManager().requireValidMetadata(); - } - - @Override - public void destroy() { - if (timer != null) { - timer.cancel(); - timer.purge(); - timer = null; - } - for (Map.Entry manager : metadataManagers.entrySet()) { - //manager.getValue().destroy(); - } - metadataManagers.clear(); - super.destroy(); - } - - @Override - public ExtendedMetadata getExtendedMetadata(String entityID) throws MetadataProviderException { - return super.getExtendedMetadata(entityID); - } - - protected Set refreshZoneManager(ExtensionMetadataManager manager) { - Set result = new HashSet<>(); 
- try { - - log.trace("Executing metadata refresh task"); - - // Invoking getMetadata performs a refresh in case it's needed - // Potentially expensive operation, but other threads can still load existing cached data - for (MetadataProvider provider : manager.getProviders()) { - provider.getMetadata(); - } - - // Refresh the metadataManager if needed - if (manager.isRefreshRequired()) { - manager.refreshMetadata(); - } - - - for (MetadataProvider provider : manager.getProviders()) { - if (provider instanceof ComparableProvider) { - result.add((ComparableProvider)provider); - } else if (provider instanceof ExtendedMetadataDelegate && - ((ExtendedMetadataDelegate)provider).getDelegate() instanceof ComparableProvider) { - result.add((ComparableProvider)((ExtendedMetadataDelegate)provider).getDelegate()); - } - } - - } catch (Throwable e) { - log.warn("Metadata refreshing has failed", e); - } - return result; - } - - //just so that we can override protected methods - public static class ExtensionMetadataManager extends CachingMetadataManager { - private String hostedIdpName; - - public ExtensionMetadataManager(List providers) throws MetadataProviderException { - super(providers); - //disable internal timers (they only get created when afterPropertiesSet) - setRefreshCheckInterval(0); - } - - @Override - public EntityDescriptor getEntityDescriptor(String entityID) throws MetadataProviderException { - return super.getEntityDescriptor(entityID); - } - - @Override - public EntityDescriptor getEntityDescriptor(byte[] hash) throws MetadataProviderException { - return super.getEntityDescriptor(hash); - } - - @Override - public String getEntityIdForAlias(String entityAlias) throws MetadataProviderException { - return super.getEntityIdForAlias(entityAlias); - } - - @Override - public ExtendedMetadata getExtendedMetadata(String entityID) throws MetadataProviderException { - return super.getExtendedMetadata(entityID); - } - - @Override - public void refreshMetadata() { - 
super.refreshMetadata(); - } - - @Override - public void addMetadataProvider(MetadataProvider newProvider) throws MetadataProviderException { - ComparableProvider cp = null; - if (newProvider instanceof ExtendedMetadataDelegate && ((ExtendedMetadataDelegate)newProvider).getDelegate() instanceof ComparableProvider) { - cp = (ComparableProvider) ((ExtendedMetadataDelegate)newProvider).getDelegate(); - } else { - logger.warn("Adding Unknown SAML Provider type:"+(newProvider!=null?newProvider.getClass():null)+":"+newProvider); - } - - for (MetadataProvider provider : getAvailableProviders()) { - if (newProvider.equals(provider)) { - removeMetadataProvider(provider); - if (cp!=null) { - logger.debug("Found duplicate SAML provider, removing before readding zone["+cp.getZoneId()+"] alias["+cp.getAlias()+"]"); - } - } - } - super.addMetadataProvider(newProvider); - if (cp!=null) { - logger.debug("Added Metadata for SAML provider zone[" + cp.getZoneId() + "] alias[" + cp.getAlias() + "]"); - } - - } - - @Override - public void destroy() { - super.destroy(); - } - - @Override - public List getAvailableProviders() { - return super.getAvailableProviders(); - } - - @Override - public ExtendedMetadata getDefaultExtendedMetadata() { - return super.getDefaultExtendedMetadata(); - } - - @Override - public String getDefaultIDP() throws MetadataProviderException { - return super.getDefaultIDP(); - } - - public String getHostedIdpName() { - return hostedIdpName; - } - - @Override - public String getHostedSPName() { - return super.getHostedSPName(); - } - - @Override - public Set getIDPEntityNames() { - return super.getIDPEntityNames(); - } - - @Override - public PKIXValidationInformationResolver getPKIXResolver(MetadataProvider provider, Set trustedKeys, Set trustedNames) { - return super.getPKIXResolver(provider, trustedKeys, trustedNames); - } - - @Override - public List getProviders() { - return super.getProviders(); - } - - @Override - public Set getSPEntityNames() { - return 
super.getSPEntityNames(); - } - - @Override - public SignatureTrustEngine getTrustEngine(MetadataProvider provider) { - return super.getTrustEngine(provider); - } - - @Override - public void initializeProvider(ExtendedMetadataDelegate provider) throws MetadataProviderException { - super.initializeProvider(provider); - } - - @Override - public void initializeProviderData(ExtendedMetadataDelegate provider) throws MetadataProviderException { - super.initializeProviderData(provider); - } - - @Override - public void initializeProviderFilters(ExtendedMetadataDelegate provider) throws MetadataProviderException { - super.initializeProviderFilters(provider); - } - - @Override - public boolean isIDPValid(String idpID) { - return super.isIDPValid(idpID); - } - - @Override - public boolean isRefreshRequired() { - return super.isRefreshRequired(); - } - - @Override - public boolean isSPValid(String spID) { - return super.isSPValid(spID); - } - - @Override - public List parseProvider(MetadataProvider provider) throws MetadataProviderException { - return super.parseProvider(provider); - } - - @Override - public void removeMetadataProvider(MetadataProvider provider) { - - ComparableProvider cp = null; - if (provider instanceof ExtendedMetadataDelegate && ((ExtendedMetadataDelegate)provider).getDelegate() instanceof ComparableProvider) { - cp = (ComparableProvider) ((ExtendedMetadataDelegate)provider).getDelegate(); - } else { - logger.warn("Removing Unknown SAML Provider type:"+(provider!=null?provider.getClass():null)+":"+provider); - } - super.removeMetadataProvider(provider); - if (cp!=null) { - logger.debug("Removed Metadata for SAML provider zone[" + cp.getZoneId() + "] alias[" + cp.getAlias() + "]"); - } - } - - @Override - public void setDefaultExtendedMetadata(ExtendedMetadata defaultExtendedMetadata) { - super.setDefaultExtendedMetadata(defaultExtendedMetadata); - } - - @Override - public void setDefaultIDP(String defaultIDP) { - super.setDefaultIDP(defaultIDP); - } - - 
public void setHostedIdpName(String hostedIdpName) { - this.hostedIdpName = hostedIdpName; - } - - @Override - public void setHostedSPName(String hostedSPName) { - super.setHostedSPName(hostedSPName); - } - - @Override - public void setKeyManager(KeyManager keyManager) { - super.setKeyManager(keyManager); - } - - @Override - public void setProviders(List newProviders) throws MetadataProviderException { - super.setProviders(newProviders); - } - - @Override - public void setRefreshCheckInterval(long refreshCheckInterval) { - super.setRefreshCheckInterval(refreshCheckInterval); - } - - @Override - public void setRefreshRequired(boolean refreshRequired) { - super.setRefreshRequired(refreshRequired); - } - - @Override - public void setTLSConfigurer(TLSProtocolConfigurer configurer) { - super.setTLSConfigurer(configurer); - } - - @Override - public void doAddMetadataProvider(MetadataProvider provider, List providerList) { - super.doAddMetadataProvider(provider, providerList); - } - - @Override - public void emitChangeEvent() { - super.emitChangeEvent(); - } - - @Override - public EntitiesDescriptor getEntitiesDescriptor(String name) throws MetadataProviderException { - return super.getEntitiesDescriptor(name); - } - - @Override - public XMLObject getMetadata() throws MetadataProviderException { - return super.getMetadata(); - } - - @Override - public MetadataFilter getMetadataFilter() { - return super.getMetadataFilter(); - } - - @Override - public List getObservers() { - return super.getObservers(); - } - - @Override - public List getRole(String entityID, QName roleName) throws MetadataProviderException { - return super.getRole(entityID, roleName); - } - - @Override - public RoleDescriptor getRole(String entityID, QName roleName, String supportedProtocol) throws MetadataProviderException { - return super.getRole(entityID, roleName, supportedProtocol); - } - - @Override - public void setMetadataFilter(MetadataFilter newFilter) throws MetadataProviderException { - 
super.setMetadataFilter(newFilter);
- }
-
- @Override
- public void setRequireValidMetadata(boolean requireValidMetadata) {
- super.setRequireValidMetadata(requireValidMetadata);
- }
-
- @Override
- public boolean requireValidMetadata() {
- return super.requireValidMetadata();
- }
- }
-
- public static class MetadataProviderObserver implements ObservableMetadataProvider.Observer {
- private ExtensionMetadataManager manager;
-
- public MetadataProviderObserver(ExtensionMetadataManager manager) {
- this.manager = manager;
- }
-
- public void onEvent(MetadataProvider provider) {
- manager.setRefreshRequired(true);
- }
- }
-}
diff --git a/server/src/main/resources/log4j.properties b/server/src/main/resources/log4j.properties
index 50c85810bde..56d70e0baf9 100644
--- a/server/src/main/resources/log4j.properties
+++ b/server/src/main/resources/log4j.properties
@@ -54,3 +54,4 @@ log4j.category.org.springframework.beans.factory.support.DefaultListableBeanFact
log4j.category.org.springframework.jmx.exportMBeanExporter=WARN
log4j.category.org.springframework.security.oauth2.client.test.OAuth2ContextSetup=WARN
log4j.category.org.springframework.web.servlet.mvc.method.annotation.HttpEntityMethodProcessor=INFO
+log4j.category.org.springframework.security.saml.metadata=DEBUG
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/idp/NonSnarlIdpMetadataManagerTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/idp/NonSnarlIdpMetadataManagerTest.java
index a016631d105..0645a2d1278 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/idp/NonSnarlIdpMetadataManagerTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/idp/NonSnarlIdpMetadataManagerTest.java
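Review bot: `+log4j.category.org.springframework.security.saml.metadata=DEBUG` lands in `server/src/main/resources/log4j.properties`, the configuration shipped with the server rather than a test-only file, while every neighbouring category in the hunk is pinned at WARN or INFO. Debug output from the Spring SAML metadata package is likely to be emitted on every metadata refresh for every configured provider, which inflates production log volume and is apt to put federation configuration (entity ids, endpoints) into logs that are often shipped to third-party aggregators. If the line was added to trace the new NonSnarlIdpMetadataManager wiring, move it to a test-resources log4j file or drop it before merge; otherwise set it to `INFO` like the `HttpEntityMethodProcessor` entry above it.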
@@ -1,11 +1,9 @@ package org.cloudfoundry.identity.uaa.provider.saml.idp; -import org.cloudfoundry.identity.uaa.provider.saml.SamlKeyManagerFactory; import org.cloudfoundry.identity.uaa.provider.saml.ZoneAwareKeyManager; import org.cloudfoundry.identity.uaa.zone.IdentityZone; import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder; import org.cloudfoundry.identity.uaa.zone.IdentityZoneProvisioning; -import org.cloudfoundry.identity.uaa.zone.SamlConfig; import org.junit.After; import org.junit.Before; import org.junit.Ignore; @@ -13,7 +11,6 @@ import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.xml.parse.BasicParserPool; -import org.springframework.security.saml.metadata.ExtendedMetadata; import org.springframework.security.saml.metadata.ExtendedMetadataDelegate; import java.util.List; diff --git a/uaa/src/main/webapp/WEB-INF/spring/multitenant-endpoints.xml b/uaa/src/main/webapp/WEB-INF/spring/multitenant-endpoints.xml index 6005560b545..a649c87598b 100644 --- a/uaa/src/main/webapp/WEB-INF/spring/multitenant-endpoints.xml +++ b/uaa/src/main/webapp/WEB-INF/spring/multitenant-endpoints.xml @@ -224,21 +224,6 @@ - - - - - - - - - - - diff --git a/uaa/src/main/webapp/WEB-INF/spring/saml-idp.xml b/uaa/src/main/webapp/WEB-INF/spring/saml-idp.xml index f99f738f3ff..34422859824 100644 --- a/uaa/src/main/webapp/WEB-INF/spring/saml-idp.xml +++ b/uaa/src/main/webapp/WEB-INF/spring/saml-idp.xml @@ -48,12 +48,12 @@ - - + class="org.cloudfoundry.identity.uaa.provider.saml.idp.NonSnarlIdpMetadataManager" + depends-on="spMetaDataProviders" destroy-method="destroy"> - + + + - + - - - - diff --git a/uaa/src/main/webapp/WEB-INF/spring/saml-providers.xml b/uaa/src/main/webapp/WEB-INF/spring/saml-providers.xml index 870a28ee385..c9b53e2f8aa 100644 --- a/uaa/src/main/webapp/WEB-INF/spring/saml-providers.xml +++ b/uaa/src/main/webapp/WEB-INF/spring/saml-providers.xml 
@@ -118,7 +118,7 @@ depends-on="idpBootstrap, metaDataProviders, identityZoneHolderInitializer" destroy-method="destroy"> - +