CLOUDSTACK-8037: Require signed AuthnRequest, adds more security

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Rohit Yadav 2015-01-14 02:19:10 +05:30
parent 2ed76b2a55
commit 6bec69844d
4 changed files with 19 additions and 8 deletions


@ -121,7 +121,7 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements APIAuthent
SPSSODescriptor spSSODescriptor = new SPSSODescriptorBuilder().buildObject();
spSSODescriptor.setWantAssertionsSigned(true);
spSSODescriptor.setAuthnRequestsSigned(false);
spSSODescriptor.setAuthnRequestsSigned(true);
X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
keyInfoGeneratorFactory.setEmitEntityCertificate(true);
@ -134,7 +134,7 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements APIAuthent
signKeyDescriptor.setUse(UsageType.SIGNING);
BasicX509Credential credential = new BasicX509Credential();
credential.setEntityCertificate(_samlAuthManager.getSpX509Key());
credential.setEntityCertificate(_samlAuthManager.getSpX509Certificate());
try {
encKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential));
signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential));
@ -148,6 +148,14 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements APIAuthent
nameIDFormat.setFormat(NameIDType.PERSISTENT);
spSSODescriptor.getNameIDFormats().add(nameIDFormat);
NameIDFormat emailNameIDFormat = new NameIDFormatBuilder().buildObject();
emailNameIDFormat.setFormat(NameIDType.EMAIL);
spSSODescriptor.getNameIDFormats().add(emailNameIDFormat);
NameIDFormat transientNameIDFormat = new NameIDFormatBuilder().buildObject();
transientNameIDFormat.setFormat(NameIDType.TRANSIENT);
spSSODescriptor.getNameIDFormats().add(transientNameIDFormat);
AssertionConsumerService assertionConsumerService = new AssertionConsumerServiceBuilder().buildObject();
assertionConsumerService.setIndex(0);
assertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
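Review bot: `spSSODescriptor.setAuthnRequestsSigned(true)` only changes what the SP metadata promises; as far as this diff shows, nothing signs the AuthnRequest (the SAMLUtils hunk that builds it attaches no Signature), so unless signing happens elsewhere, IdPs that enforce the metadata flag will start rejecting requests. Either sign the request before it is encoded or keep the flag false until that code exists. The same `credential` is also fed to both `encKeyDescriptor` and `signKeyDescriptor`, so one SP key pair serves both signing and decryption; if that is deliberate, a comment such as `// single SP key pair is advertised for both signing and encryption` would save the next reader from wondering. Separately, the AssertionConsumerService on the last line advertises the HTTP-Redirect binding, which is unusual for delivering assertions (HTTP-POST is the norm); worth confirming the target IdPs accept it.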


@ -28,7 +28,7 @@ public interface SAML2AuthManager extends PluggableAPIAuthenticator {
public X509Certificate getIdpSigningKey();
public X509Certificate getIdpEncryptionKey();
public X509Certificate getSpX509Key();
public X509Certificate getSpX509Certificate();
public KeyPair getSpKeyPair();
public String getSpSingleSignOnUrl();


@ -202,6 +202,9 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
s_logger.error("SAML2 Authentication may be unavailable");
} catch (ConfigurationException | FactoryConfigurationError e) {
s_logger.error("OpenSAML bootstrapping failed: error: " + e.getMessage());
} catch (NullPointerException e) {
s_logger.error("Unable to setup SAML Auth Plugin due to NullPointerException" +
" please check the SAML IDP metadata URL and entity ID in global settings: " + e.getMessage());
}
if (this.idpSingleLogOutUrl == null || this.idpSingleSignOnUrl == null) {
@ -259,7 +262,7 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
return Boolean.valueOf(_configDao.getValue(Config.SAMLIsPluginEnabled.key()));
}
public X509Certificate getSpX509Key() {
public X509Certificate getSpX509Certificate() {
return spX509Key;
}
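Review bot: Catching `NullPointerException` to report a missing IdP metadata URL or entity ID hides every other NPE thrown inside the try body (which begins outside this hunk) behind the same misleading configuration hint. Check the two settings explicitly before bootstrapping and let unexpected NPEs surface. The log line also uses `e.getMessage()`, which is normally null for an NPE, so it carries no detail; pass the exception instead: `s_logger.error("Unable to setup SAML Auth Plugin, please check the SAML IDP metadata URL and entity ID in global settings", e);`. The rename to `getSpX509Certificate()` is sensible, but the backing field is still `spX509Key` and the sibling `getIdpSigningKey()`/`getIdpEncryptionKey()` also return certificates, so the naming is now inconsistent within the same interface.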


@ -148,7 +148,7 @@ public class SAMLUtils {
RequestedAuthnContextBuilder requestedAuthnContextBuilder = new RequestedAuthnContextBuilder();
RequestedAuthnContext requestedAuthnContext = requestedAuthnContextBuilder.buildObject();
requestedAuthnContext
.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
requestedAuthnContext.getAuthnContextClassRefs().add(
authnContextClassRef);
@ -166,7 +166,7 @@ public class SAMLUtils {
authnRequest.setAssertionConsumerServiceURL(consumerUrl);
authnRequest.setProviderName(spId);
authnRequest.setNameIDPolicy(nameIdPolicy);
//authnRequest.setRequestedAuthnContext(requestedAuthnContext);
authnRequest.setRequestedAuthnContext(requestedAuthnContext);
return authnRequest;
}
@ -315,8 +315,8 @@ public class SAMLUtils {
public static X509Certificate generateRandomX509Certificate(KeyPair keyPair) throws NoSuchAlgorithmException, NoSuchProviderException, CertificateEncodingException, SignatureException, InvalidKeyException {
Date validityBeginDate = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
Date validityEndDate = new Date(System.currentTimeMillis() + 365 * 24 * 60 * 60 * 1000);
X500Principal dnName = new X500Principal("CN=Apache CloudStack");
Date validityEndDate = new Date(System.currentTimeMillis() + 3 * 365 * 24 * 60 * 60 * 1000);
X500Principal dnName = new X500Principal("CN=ApacheCloudStack");
X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
certGen.setSubjectDN(dnName);
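Review bot: `3 * 365 * 24 * 60 * 60 * 1000` in the new `validityEndDate` line is evaluated in int arithmetic and overflows: it wraps to 118719488 ms, about 33 hours, so the generated SP certificate expires in under two days rather than three years (the previous one-year expression already wrapped to roughly 17 days). Force long arithmetic, e.g. `Date validityEndDate = new Date(System.currentTimeMillis() + 3L * 365 * 24 * 60 * 60 * 1000);`, or use `TimeUnit.DAYS.toMillis(3 * 365)` if `java.util.concurrent.TimeUnit` is acceptable here. The method body continues past the end of this hunk. A one-line Javadoc on the method stating the intended validity window would make a regression of this kind visible at review time.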