From 6bec69844d196e9b66fffa54f6998d8e45fc27e8 Mon Sep 17 00:00:00 2001
From: Rohit Yadav
Date: Wed, 14 Jan 2015 02:19:10 +0530
Subject: [PATCH] CLOUDSTACK-8037: Require signed AuthnRequest, adds more security
Signed-off-by: Rohit Yadav
---
 .../api/command/GetServiceProviderMetaDataCmd.java | 12 ++++++++++--
 .../org/apache/cloudstack/saml/SAML2AuthManager.java | 2 +-
 .../apache/cloudstack/saml/SAML2AuthManagerImpl.java | 5 ++++-
 .../org/apache/cloudstack/utils/auth/SAMLUtils.java | 8 ++++----
 4 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
index 194d94f9d29..995405dbdea 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
@@ -121,7 +121,7 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements APIAuthent
         SPSSODescriptor spSSODescriptor = new SPSSODescriptorBuilder().buildObject();
         spSSODescriptor.setWantAssertionsSigned(true);
-        spSSODescriptor.setAuthnRequestsSigned(false);
+        spSSODescriptor.setAuthnRequestsSigned(true);
         X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
         keyInfoGeneratorFactory.setEmitEntityCertificate(true);
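Review bot: Setting `setAuthnRequestsSigned(true)` only changes what the SP metadata promises to the IdP; it does not sign anything by itself, and the AuthnRequest builder touched later in this patch (the SAMLUtils hunk that enables `setRequestedAuthnContext`) still returns the request without any Signature being set. Unless signing is applied elsewhere in the request path, an IdP that honors this flag will reject CloudStack's unsigned requests, so the login flow breaks rather than becoming stricter. Either sign the request with the SP key pair (`getSpKeyPair()` is already on the SAML2AuthManager interface) before advertising this, or keep the flag false until that is done. A comment such as `// metadata asserts every AuthnRequest is signed; the request builder must sign with the SP key pair` on the new line would document the coupling. The enclosing method starts and ends outside the hunk.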
@@ -134,7 +134,7 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements APIAuthent
         signKeyDescriptor.setUse(UsageType.SIGNING);
         BasicX509Credential credential = new BasicX509Credential();
-        credential.setEntityCertificate(_samlAuthManager.getSpX509Key());
+        credential.setEntityCertificate(_samlAuthManager.getSpX509Certificate());
         try {
             encKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential));
             signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential));
@@ -148,6 +148,14 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements APIAuthent
         nameIDFormat.setFormat(NameIDType.PERSISTENT);
         spSSODescriptor.getNameIDFormats().add(nameIDFormat);
+        NameIDFormat emailNameIDFormat = new NameIDFormatBuilder().buildObject();
+        emailNameIDFormat.setFormat(NameIDType.EMAIL);
+        spSSODescriptor.getNameIDFormats().add(emailNameIDFormat);
+
+        NameIDFormat transientNameIDFormat = new NameIDFormatBuilder().buildObject();
+        transientNameIDFormat.setFormat(NameIDType.TRANSIENT);
+        spSSODescriptor.getNameIDFormats().add(transientNameIDFormat);
+
         AssertionConsumerService assertionConsumerService = new AssertionConsumerServiceBuilder().buildObject();
         assertionConsumerService.setIndex(0);
         assertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
index 3ee7522a9c6..9c0d4b42fc6 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
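Review bot: The new TRANSIENT NameIDFormat in the `@@ -148,6 +148,14` hunk advertises that the SP accepts one-time identifiers, but a transient NameID cannot be mapped back to a stable CloudStack account unless the response handler keys users on an attribute rather than on the NameID; that handler is outside this patch, so it should be confirmed before the format is advertised. Relative ordering may also matter, since some IdPs appear to honor the first listed format: PERSISTENT stays first here, which is the sensible preference, and a short comment such as `// order reflects SP preference; PERSISTENT must stay first` would make that intent explicit for the next edit. The enclosing method starts and ends outside the hunk.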
@@ -28,7 +28,7 @@ public interface SAML2AuthManager extends PluggableAPIAuthenticator {
     public X509Certificate getIdpSigningKey();
     public X509Certificate getIdpEncryptionKey();
-    public X509Certificate getSpX509Key();
+    public X509Certificate getSpX509Certificate();
     public KeyPair getSpKeyPair();
     public String getSpSingleSignOnUrl();
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
index f175081f60a..36c9da5e1e0 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
@@ -202,6 +202,9 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
             s_logger.error("SAML2 Authentication may be unavailable");
         } catch (ConfigurationException | FactoryConfigurationError e) {
             s_logger.error("OpenSAML bootstrapping failed: error: " + e.getMessage());
+        } catch (NullPointerException e) {
+            s_logger.error("Unable to setup SAML Auth Plugin due to NullPointerException" +
+                    " please check the SAML IDP metadata URL and entity ID in global settings: " + e.getMessage());
         }
         if (this.idpSingleLogOutUrl == null || this.idpSingleSignOnUrl == null) {
@@ -259,7 +262,7 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
         return Boolean.valueOf(_configDao.getValue(Config.SAMLIsPluginEnabled.key()));
     }
-    public X509Certificate getSpX509Key() {
+    public X509Certificate getSpX509Certificate() {
         return spX509Key;
     }
diff --git a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
index bb4af3a57d5..c75422f8774 100644
--- a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
+++ b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
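Review bot: The new `catch (NullPointerException e)` in the SAML2AuthManagerImpl `@@ -202,6 +202,9` hunk logs only `e.getMessage()`, which is null for most NPEs, and discards the stack trace, so an operator sees "null" with no indication of which value was missing; the message text also runs the two clauses together without punctuation. Preferably validate the IdP metadata URL and entity ID for null or blank before bootstrapping and report that directly; at minimum pass the exception to the logger so the trace is kept: `s_logger.error("Unable to setup SAML Auth Plugin, please check the SAML IDP metadata URL and entity ID in global settings", e);`. Treating NPE as a configuration signal also masks genuine bugs in the bootstrap code, so a comment marking it as a stopgap would help. The enclosing method starts and ends outside the hunk.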
@@ -148,7 +148,7 @@ public class SAMLUtils {
         RequestedAuthnContextBuilder requestedAuthnContextBuilder = new RequestedAuthnContextBuilder();
         RequestedAuthnContext requestedAuthnContext = requestedAuthnContextBuilder.buildObject();
         requestedAuthnContext
-                .setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
+                .setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
         requestedAuthnContext.getAuthnContextClassRefs().add(
                 authnContextClassRef);
@@ -166,7 +166,7 @@ public class SAMLUtils {
         authnRequest.setAssertionConsumerServiceURL(consumerUrl);
         authnRequest.setProviderName(spId);
         authnRequest.setNameIDPolicy(nameIdPolicy);
-        //authnRequest.setRequestedAuthnContext(requestedAuthnContext);
+        authnRequest.setRequestedAuthnContext(requestedAuthnContext);
         return authnRequest;
     }
@@ -315,8 +315,8 @@ public class SAMLUtils {
     public static X509Certificate generateRandomX509Certificate(KeyPair keyPair) throws NoSuchAlgorithmException, NoSuchProviderException, CertificateEncodingException, SignatureException, InvalidKeyException {
         Date validityBeginDate = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
-        Date validityEndDate = new Date(System.currentTimeMillis() + 365 * 24 * 60 * 60 * 1000);
-        X500Principal dnName = new X500Principal("CN=Apache CloudStack");
+        Date validityEndDate = new Date(System.currentTimeMillis() + 3 * 365 * 24 * 60 * 60 * 1000);
+        X500Principal dnName = new X500Principal("CN=ApacheCloudStack");
         X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
         certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
         certGen.setSubjectDN(dnName);
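Review bot: Changing the comparison to EXACT here and, in the `@@ -166,7 +166,7` hunk, actually attaching the RequestedAuthnContext to the request means the IdP must authenticate with precisely the `authnContextClassRef` built above this hunk (not visible here); an IdP configured for a different context class will now answer with a failure status instead of a successful login, whereas MINIMUM only set a floor. If the intent is to require at least that assurance level, MINIMUM is the right value; if EXACT is intended, the requirement should be stated where the class reference is chosen, e.g. `// EXACT: the IdP must report this AuthnContextClassRef verbatim or the login is refused`. The enclosing method of both hunks starts outside them.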
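Review bot: The new `validityEndDate` expression in the `@@ -315,8 +315,8` hunk overflows: `3 * 365 * 24 * 60 * 60 * 1000` is evaluated in 32-bit int arithmetic and wraps to 118719488 ms, about 33 hours, so the generated SP certificate expires little more than a day after creation instead of three years (the previous `365 * 24 * 60 * 60 * 1000` also wrapped, to roughly 17 days). Promote the arithmetic to long: `Date validityEndDate = new Date(System.currentTimeMillis() + 3L * 365 * 24 * 60 * 60 * 1000);`. A self-signed SP certificate that silently expires within a day will break signature validation at the IdP at an unpredictable moment, so a comment stating the intended lifetime would help the next reader catch a regression. The enclosing method continues past the end of the hunk.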