From ee27708ffba3398c2cfa1c9dd5e54510604c790a Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Wed, 30 Mar 2022 04:59:44 +0200
Subject: [PATCH] SAML: replace first number with random alphabet if request ID starts with a number (#6165)

---
 .../java/org/apache/cloudstack/saml/SAMLUtils.java | 5 ++++-
 .../test/java/org/apache/cloudstack/SAMLUtilsTest.java | 10 ++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
index 6110cc52288..2a190f3e08f 100644
--- a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
+++ b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java
@@ -100,8 +100,11 @@ import com.cloud.utils.HttpUtils;
 public class SAMLUtils {
 public static final Logger s_logger = Logger.getLogger(SAMLUtils.class);
 
+ static final String charset = "abcdefghijklmnopqrstuvwxyz";
+
 public static String generateSecureRandomId() {
- return new BigInteger(160, new SecureRandom()).toString(32);
+ return new BigInteger(160, new SecureRandom()).toString(32).replaceFirst("^[0-9]",
+ String.valueOf(charset.charAt(new SecureRandom().nextInt(charset.length()))));
 }
 
 public static String getValueFromAttributeStatements(final List attributeStatements, final String attributeKey) {
diff --git a/plugins/user-authenticators/saml2/src/test/java/org/apache/cloudstack/SAMLUtilsTest.java b/plugins/user-authenticators/saml2/src/test/java/org/apache/cloudstack/SAMLUtilsTest.java
index 47841347d67..433fdf3224a 100644
--- a/plugins/user-authenticators/saml2/src/test/java/org/apache/cloudstack/SAMLUtilsTest.java
+++ b/plugins/user-authenticators/saml2/src/test/java/org/apache/cloudstack/SAMLUtilsTest.java
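Review bot: The new `generateSecureRandomId` body constructs two `SecureRandom` instances on every call, one for the `BigInteger` and a second one inside the `replaceFirst` argument; that is needless allocation on a per-request path, and since `SecureRandom` is thread-safe one shared instance suffices. Add `private static final SecureRandom RANDOM = new SecureRandom();` next to `s_logger` and use it in both places, `new BigInteger(160, RANDOM)` and `RANDOM.nextInt(charset.length())`. The new `charset` field should follow the constant convention and be private, `private static final String CHARSET = "abcdefghijklmnopqrstuvwxyz";`, and the `replaceFirst` call deserves a one-line why-comment such as `// SAML request IDs are xs:ID values, which may not begin with a digit`. Note also that `toString(32)` drops leading zeros, so the returned id is not fixed-width; harmless here, but worth stating in a Javadoc if anything downstream assumes a fixed length.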
@@ -22,6 +22,7 @@ package org.apache.cloudstack;
 import java.security.KeyPair;
 import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.util.regex.Pattern;
 
 import org.apache.cloudstack.saml.SAMLUtils;
 import org.apache.cloudstack.utils.security.CertUtils;
@@ -38,6 +39,15 @@ public class SAMLUtilsTest extends TestCase {
 assertTrue(SAMLUtils.generateSecureRandomId().length() > 0);
 }
 
+ @Test
+ public void testGenerateSecureRandomId2() throws Exception {
+ for (int i = 0; i < 20; i++) {
+ String randomId = SAMLUtils.generateSecureRandomId();
+ System.out.println("randomId is " + randomId);
+ assertTrue(Pattern.compile("^[a-z]").matcher(randomId).find());
+ }
+ }
+
 @Test
 public void testBuildAuthnRequestObject() throws Exception {
 String consumerUrl = "http://someurl.com";
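Review bot: `testGenerateSecureRandomId2` prints every generated id with `System.out.println`, which is noise in CI output and adds nothing to the assertion; drop that line. The regex only inspects the first character, so the test would still pass if the rest of the id ever contained something outside the base-32 alphabet; asserting the full shape, `assertTrue(Pattern.matches("[a-z][0-9a-z]*", randomId));`, pins both the leading-letter rule and the body of the id, and the `Pattern` can be compiled once as a `static final` rather than on each loop iteration. Twenty draws make it likely but not certain that a raw id with a leading digit was actually produced and rewritten, so the test is probabilistic; that is acceptable for a smoke test but worth a comment such as `// roughly a third of raw base-32 ids start with a digit, so 20 draws almost always exercise the replacement`.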