/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
* Modifications Copyright OpenSearch Contributors. See
* GitHub history for details.
*/
package com.amazon.dlic.auth.http.saml;
import java.security.AccessController;
import java.security.PrivateKey;
import java.security.PrivilegedAction;
import java.util.AbstractMap;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import com.onelogin.saml2.settings.Saml2Settings;
import com.onelogin.saml2.settings.SettingsBuilder;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.joda.time.DateTime;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.metadata.resolver.RefreshableMetadataResolver;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.KeyDescriptor;
import org.opensaml.saml.saml2.metadata.SingleLogoutService;
import org.opensaml.saml.saml2.metadata.SingleSignOnService;
import org.opensaml.security.credential.UsageType;
import org.opensaml.xmlsec.signature.X509Certificate;
import org.opensaml.xmlsec.signature.X509Data;
import com.amazon.dlic.auth.http.jwt.keybyoidc.AuthenticatorUnavailableException;
import org.opensearch.SpecialPermission;
import org.opensearch.common.settings.Settings;
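/**
 * Builds the java-saml {@link Saml2Settings} for the SAML authenticator from two sources:
 * the IdP metadata obtained through a {@link MetadataResolver}, and the administrator-supplied
 * OpenSearch settings (SP entity id, dashboards URL, SP signing key and {@code validator.*} overrides).
 *
 * <p>Trust note: every SIGNING or use-less certificate found in the IdP descriptor is handed to
 * java-saml as an accepted signature verifier, so the integrity of the metadata the resolver
 * returns is the trust anchor of the whole SAML flow.
 *
 * <p>This class performs no synchronization; see {@link #getCached()}.
 */
public class Saml2SettingsProvider {
    protected final static Logger log = LogManager.getLogger(Saml2SettingsProvider.class);

    /** Protocol URI of the IdP role descriptor this provider consumes. */
    private static final String SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol";

    /** Binding requested for the IdP single sign-on and single logout endpoints. */
    private static final String HTTP_REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

    /** Binding advertised for the SP assertion consumer service. */
    private static final String HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    /** Path of the SP assertion consumer service, relative to the dashboards root URL. */
    private static final String ACS_PATH = "_opendistro/_security/saml/acs";

    private final Settings opensearchSettings;
    private final MetadataResolver metadataResolver;
    private final String idpEntityId;
    private final PrivateKey spSignaturePrivateKey;

    // Settings built from the most recent metadata snapshot; null until first use or after invalidation.
    private Saml2Settings cachedSaml2Settings;
    // Resolver timestamp the cached settings were built from; stays null for non-refreshable resolvers.
    private DateTime metadataUpdateTime;

    /**
     * @param opensearchSettings   authenticator configuration; {@code idp.entity_id}, {@code sp.entity_id},
     *                             {@code kibana_url} and {@code validator.*} are read from it
     * @param metadataResolver     source of the IdP metadata
     * @param spSignaturePrivateKey key used to sign SP requests; passed through to java-saml as-is
     */
    Saml2SettingsProvider(Settings opensearchSettings, MetadataResolver metadataResolver, PrivateKey spSignaturePrivateKey) {
        this.opensearchSettings = opensearchSettings;
        this.metadataResolver = metadataResolver;
        this.idpEntityId = opensearchSettings.get("idp.entity_id");
        this.spSignaturePrivateKey = spSignaturePrivateKey;
    }

    /**
     * Builds a fresh {@link Saml2Settings} from the current IdP metadata. No caching; see {@link #getCached()}.
     *
     * @return the assembled settings
     * @throws SamlConfigException            if {@code idp.entity_id} is unset, the entity or its SAML 2.0
     *                                        IDPSSODescriptor is missing, or a required endpoint/setting is absent
     * @throws AuthenticatorUnavailableException if the metadata resolver fails
     */
    @SuppressWarnings("removal")
    Saml2Settings get() throws SamlConfigException {
        // Fail with a configuration error instead of letting the criterion constructor reject a null id.
        if (this.idpEntityId == null) {
            throw new SamlConfigException("Setting idp.entity_id is required");
        }
        try {
            HashMap<String, Object> configProperties = new HashMap<>();

            EntityDescriptor entityDescriptor = this.metadataResolver
                .resolveSingle(new CriteriaSet(new EntityIdCriterion(this.idpEntityId)));
            if (entityDescriptor == null) {
                throw new SamlConfigException("Could not find entity descriptor for " + this.idpEntityId);
            }

            IDPSSODescriptor idpSsoDescriptor = entityDescriptor.getIDPSSODescriptor(SAML2_PROTOCOL);
            if (idpSsoDescriptor == null) {
                throw new SamlConfigException("Could not find IDPSSODescriptor supporting SAML 2.0 in "
                    + this.idpEntityId + "; role descriptors: " + entityDescriptor.getRoleDescriptors());
            }

            initIdpEndpoints(idpSsoDescriptor, configProperties);
            initIdpCerts(idpSsoDescriptor, configProperties);
            initSpEndpoints(configProperties);
            initMisc(configProperties);

            SettingsBuilder settingsBuilder = new SettingsBuilder();
            // TODO allow overriding of IdP metadata?
            settingsBuilder.fromValues(configProperties);
            // The validator.* settings are applied last, so they presumably win over the metadata-derived
            // values above, including the strict / reject-unsolicited defaults from initMisc — TODO confirm
            // against SettingsBuilder.fromValues semantics.
            settingsBuilder.fromValues(new SamlSettingsMap(this.opensearchSettings));

            // java-saml's build() needs privileges the plugin sandbox does not grant to callers.
            SpecialPermission.check();
            return AccessController.doPrivileged((PrivilegedAction<Saml2Settings>) settingsBuilder::build);
        } catch (ResolverException e) {
            throw new AuthenticatorUnavailableException(e);
        }
    }

    /**
     * Returns cached settings, rebuilding them when the resolver reports newer metadata.
     *
     * <p>Not synchronized: concurrent callers that observe a stale cache at the same time may each call
     * {@link #get()}; the cost is redundant work, not an error.
     *
     * @return the cached or freshly built settings
     * @throws SamlConfigException propagated from {@link #get()}
     */
    Saml2Settings getCached() throws SamlConfigException {
        DateTime snapshotTime = null;
        if (this.metadataResolver instanceof RefreshableMetadataResolver && this.isUpdateRequired()) {
            // Invalidate and remember which metadata version the rebuild will be based on.
            this.cachedSaml2Settings = null;
            snapshotTime = ((RefreshableMetadataResolver) this.metadataResolver).getLastUpdate();
        }
        if (this.cachedSaml2Settings == null) {
            this.cachedSaml2Settings = this.get();
            this.metadataUpdateTime = snapshotTime;
        }
        return this.cachedSaml2Settings;
    }

    /**
     * Decides whether the cache must be rebuilt. Only valid when the resolver is a
     * {@link RefreshableMetadataResolver}; the caller checks that first.
     *
     * @return true if nothing is cached, no timestamps are known, or the resolver refreshed since the last build
     */
    private boolean isUpdateRequired() {
        RefreshableMetadataResolver refreshable = (RefreshableMetadataResolver) this.metadataResolver;
        DateTime lastUpdate = refreshable.getLastUpdate();
        if (this.cachedSaml2Settings == null || this.metadataUpdateTime == null || lastUpdate == null) {
            return true;
        }
        return lastUpdate.isAfter(this.metadataUpdateTime);
    }

    /**
     * Sets the security-relevant defaults: strict mode, rejection of unsolicited responses that
     * carry an InResponseTo, and the SP signing key.
     */
    private void initMisc(HashMap<String, Object> configProperties) {
        configProperties.put(SettingsBuilder.STRICT_PROPERTY_KEY, true);
        configProperties.put(SettingsBuilder.SECURITY_REJECT_UNSOLICITED_RESPONSES_WITH_INRESPONSETO, true);
        configProperties.put(SettingsBuilder.SP_PRIVATEKEY_PROPERTY_KEY, this.spSignaturePrivateKey);
    }

    /**
     * Fills in the SP side: ACS URL derived from {@code kibana_url}, HTTP-POST binding, and {@code sp.entity_id}.
     *
     * @throws SamlConfigException if {@code kibana_url} is unset
     */
    private void initSpEndpoints(HashMap<String, Object> configProperties) throws SamlConfigException {
        configProperties.put(SettingsBuilder.SP_ASSERTION_CONSUMER_SERVICE_URL_PROPERTY_KEY,
            this.buildAssertionConsumerEndpoint(this.opensearchSettings.get("kibana_url")));
        configProperties.put(SettingsBuilder.SP_ASSERTION_CONSUMER_SERVICE_BINDING_PROPERTY_KEY, HTTP_POST_BINDING);
        configProperties.put(SettingsBuilder.SP_ENTITYID_PROPERTY_KEY, this.opensearchSettings.get("sp.entity_id"));
    }

    /**
     * Fills in the IdP endpoints from metadata. The SSO endpoint (HTTP-Redirect) is mandatory;
     * the SLO endpoint is optional and its absence is only logged.
     *
     * @throws SamlConfigException if no HTTP-Redirect SingleSignOnService is advertised
     */
    private void initIdpEndpoints(IDPSSODescriptor idpSsoDescriptor, HashMap<String, Object> configProperties)
        throws SamlConfigException {
        SingleSignOnService ssoService = this.findSingleSignOnService(idpSsoDescriptor, HTTP_REDIRECT_BINDING);
        configProperties.put(SettingsBuilder.IDP_SINGLE_SIGN_ON_SERVICE_URL_PROPERTY_KEY, ssoService.getLocation());
        configProperties.put(SettingsBuilder.IDP_SINGLE_SIGN_ON_SERVICE_BINDING_PROPERTY_KEY, ssoService.getBinding());
        configProperties.put(SettingsBuilder.IDP_ENTITYID_PROPERTY_KEY, this.opensearchSettings.get("idp.entity_id"));

        SingleLogoutService sloService = this.findSingleLogoutService(idpSsoDescriptor, HTTP_REDIRECT_BINDING);
        if (sloService == null) {
            log.warn(
                "The IdP does not provide a Single Logout Service. In order to ensure that users have to re-enter their password after logging out, OpenSearch Security will issue all SAML authentication requests with a mandatory password input (ForceAuthn=true)");
            return;
        }
        configProperties.put(SettingsBuilder.IDP_SINGLE_LOGOUT_SERVICE_URL_PROPERTY_KEY, sloService.getLocation());
        configProperties.put(SettingsBuilder.IDP_SINGLE_LOGOUT_SERVICE_BINDING_PROPERTY_KEY, sloService.getBinding());
    }

    /**
     * Collects the IdP certificates java-saml may use to verify signatures, numbered consecutively
     * under {@code IDP_X509CERTMULTI_PROPERTY_KEY}. Keys marked SIGNING or with no declared use are
     * taken (metadata without a {@code use} attribute may serve both purposes); ENCRYPTION-only keys are skipped.
     */
    private void initIdpCerts(IDPSSODescriptor idpSsoDescriptor, HashMap<String, Object> configProperties) {
        int certIndex = 0;
        for (KeyDescriptor keyDescriptor : idpSsoDescriptor.getKeyDescriptors()) {
            UsageType use = keyDescriptor.getUse();
            if (!UsageType.SIGNING.equals(use) && !UsageType.UNSPECIFIED.equals(use)) {
                continue;
            }
            // KeyInfo is mandatory in metadata, but the object model allows it to be absent; nothing to add then.
            if (keyDescriptor.getKeyInfo() == null) {
                continue;
            }
            for (X509Data x509Data : keyDescriptor.getKeyInfo().getX509Datas()) {
                for (X509Certificate certificate : x509Data.getX509Certificates()) {
                    configProperties.put(SettingsBuilder.IDP_X509CERTMULTI_PROPERTY_KEY + "." + certIndex,
                        certificate.getValue());
                    certIndex++;
                }
            }
        }
    }

    /**
     * @return the first SingleSignOnService with the given binding
     * @throws SamlConfigException if the IdP advertises none with that binding
     */
    private SingleSignOnService findSingleSignOnService(IDPSSODescriptor idpSsoDescriptor, String binding)
        throws SamlConfigException {
        return idpSsoDescriptor.getSingleSignOnServices().stream()
            .filter(service -> binding.equals(service.getBinding()))
            .findFirst()
            .orElseThrow(() -> new SamlConfigException("Could not find SingleSignOnService endpoint for binding "
                + binding + "; available services: " + idpSsoDescriptor.getSingleSignOnServices()));
    }

    /**
     * @return the first SingleLogoutService with the given binding, or null if none is advertised
     */
    private SingleLogoutService findSingleLogoutService(IDPSSODescriptor idpSsoDescriptor, String binding)
        throws SamlConfigException {
        return idpSsoDescriptor.getSingleLogoutServices().stream()
            .filter(service -> binding.equals(service.getBinding()))
            .findFirst()
            .orElse(null);
    }

    /**
     * Appends the ACS path to the dashboards root, tolerating a trailing slash.
     *
     * @param dashboardsRoot value of {@code kibana_url}
     * @throws SamlConfigException if the root is null (previously a NullPointerException)
     */
    private String buildAssertionConsumerEndpoint(String dashboardsRoot) throws SamlConfigException {
        if (dashboardsRoot == null) {
            throw new SamlConfigException("Setting kibana_url is required to build the SAML assertion consumer service URL");
        }
        String separator = dashboardsRoot.endsWith("/") ? "" : "/";
        return dashboardsRoot + separator + ACS_PATH;
    }

    /**
     * Read-only {@link Map} view over the {@code validator.*} settings that exposes each key as
     * {@code onelogin.saml2.<key>}, the form java-saml's {@link SettingsBuilder} expects.
     * Lookups accept both prefixed and unprefixed keys. Only {@code size}, {@code isEmpty},
     * {@code containsKey}, {@code get}, {@code keySet} and {@code entrySet} are supported; mutators,
     * {@code containsValue} and {@code values} throw {@link UnsupportedOperationException}.
     */
    static class SamlSettingsMap implements Map<String, Object> {
        private static final String KEY_PREFIX = "onelogin.saml2.";

        private final Settings settings;

        SamlSettingsMap(Settings settings) {
            this.settings = settings.getAsSettings("validator");
        }

        @Override
        public int size() {
            return this.settings.size();
        }

        @Override
        public boolean isEmpty() {
            return this.settings.isEmpty();
        }

        @Override
        public boolean containsKey(Object key) {
            return this.settings.hasValue(this.adaptKey(key));
        }

        @Override
        public boolean containsValue(Object value) {
            throw new UnsupportedOperationException();
        }

        @Override
        public Object get(Object key) {
            return this.settings.get(this.adaptKey(key));
        }

        @Override
        public Object put(String key, Object value) {
            throw new UnsupportedOperationException();
        }

        @Override
        public Object remove(Object key) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void putAll(Map<? extends String, ? extends Object> m) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void clear() {
            throw new UnsupportedOperationException();
        }

        @Override
        public Set<String> keySet() {
            return this.settings.keySet().stream().map(key -> KEY_PREFIX + key).collect(Collectors.toSet());
        }

        @Override
        public Collection<Object> values() {
            throw new UnsupportedOperationException();
        }

        @Override
        public Set<Entry<String, Object>> entrySet() {
            // SimpleEntry rather than Map.entry: a setting may be resolved to null and Map.entry rejects nulls.
            Set<Entry<String, Object>> entries = new HashSet<>();
            for (String key : this.settings.keySet()) {
                entries.add(new AbstractMap.SimpleEntry<String, Object>(KEY_PREFIX + key, this.settings.get(key)));
            }
            return entries;
        }

        /**
         * Strips the {@code onelogin.saml2.} prefix if present so both spellings of a key resolve to
         * the same setting.
         *
         * @return the unprefixed key, or null if {@code keyObject} is null
         */
        private String adaptKey(Object keyObject) {
            if (keyObject == null) {
                return null;
            }
            String key = String.valueOf(keyObject);
            return key.startsWith(KEY_PREFIX) ? key.substring(KEY_PREFIX.length()) : key;
        }
    }
}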