Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EPMRPP-88378 || Remove old saml implementation #345

Open
wants to merge 13 commits into
base: develop
Choose a base branch
from
3 changes: 2 additions & 1 deletion build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,8 @@ dependencies {
implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
implementation 'org.springframework.security:spring-security-ldap'
// TODO: consider migration to spring-security-saml2-service-provider
implementation 'org.springframework.security.extensions:spring-security-saml2-core:2.0.0.M31'
// implementation 'org.springframework.security.extensions:spring-security-saml2-core:2.0.0.M31'
implementation 'org.springframework.security:spring-security-saml2-service-provider:5.8.14'
implementation 'commons-collections:commons-collections:3.2.2'
//Temporary fix of https://nvd.nist.gov/vuln/detail/CVE-2019-12400
implementation 'org.apache.santuario:xmlsec:3.0.3'
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
/*
* Copyright 2024 EPAM Systems
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.epam.reportportal.auth.config.saml;

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.whitespace.EmptyLineSeparatorCheck> reported by reviewdog 🐶
'package' should be separated from previous line.



import com.epam.reportportal.auth.AuthFailureHandler;
import com.epam.reportportal.auth.integration.saml.ReportPortalSamlAuthenticationManager;
import com.epam.reportportal.auth.integration.saml.SamlAuthSuccessHandler;
import com.epam.reportportal.auth.integration.saml.SamlUserReplicator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.web.DefaultSecurityFilterChain;

/**

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.javadoc.SummaryJavadocCheck> reported by reviewdog 🐶
Summary javadoc is missing.

* @author <a href="mailto:andrei_piankouski@epam.com">Andrei Piankouski</a>
*/
public class Saml2AuthenticationConfigurer extends
SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {

private static final Logger LOGGER = LoggerFactory.getLogger(Saml2AuthenticationConfigurer.class);

private SamlAuthSuccessHandler successHandler;

private AuthFailureHandler failureHandler;

private SamlUserReplicator samlUserReplicator;

private RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;

public Saml2AuthenticationConfigurer(SamlAuthSuccessHandler successHandler,

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.javadoc.MissingJavadocMethodCheck> reported by reviewdog 🐶
Missing a Javadoc comment.

AuthFailureHandler failureHandler, SamlUserReplicator samlUserReplicator,
RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
this.successHandler = successHandler;
this.failureHandler = failureHandler;
this.samlUserReplicator = samlUserReplicator;
this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
}

@Override
public void configure(HttpSecurity http) {
LOGGER.error("Saml2AuthenticationConfigurer: " + http);
Saml2WebSsoAuthenticationFilter saml2Filter = new Saml2WebSsoAuthenticationFilter(relyingPartyRegistrationRepository);

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.sizes.LineLengthCheck> reported by reviewdog 🐶
Line is longer than 100 characters (found 122).

saml2Filter.setAuthenticationManager(new ReportPortalSamlAuthenticationManager(samlUserReplicator));

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.sizes.LineLengthCheck> reported by reviewdog 🐶
Line is longer than 100 characters (found 104).

saml2Filter.setAuthenticationSuccessHandler(successHandler);
saml2Filter.setAuthenticationFailureHandler(failureHandler);

http.addFilterAfter(saml2Filter, Saml2WebSsoAuthenticationFilter.class);
}
}
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2019 EPAM Systems
* Copyright 2024 EPAM Systems
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -13,36 +13,148 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package com.epam.reportportal.auth.config.saml;

import static org.springframework.security.saml.provider.service.config.SamlServiceProviderSecurityDsl.serviceProvider;
import static org.springframework.security.config.Customizer.withDefaults;

import com.epam.reportportal.auth.AuthFailureHandler;
import com.epam.reportportal.auth.integration.parameter.SamlParameter;
import com.epam.reportportal.auth.integration.saml.ReportPortalSamlAuthenticationManager;
import com.epam.reportportal.auth.integration.saml.SamlAuthSuccessHandler;
import com.epam.reportportal.auth.integration.saml.SamlUserReplicator;
import com.epam.reportportal.auth.util.CertificationUtil;
import com.epam.ta.reportportal.dao.IntegrationRepository;
import com.epam.ta.reportportal.dao.IntegrationTypeRepository;
import com.epam.ta.reportportal.entity.integration.Integration;
import com.epam.ta.reportportal.entity.integration.IntegrationType;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml.provider.SamlServerConfiguration;
import org.springframework.security.saml.provider.service.config.SamlServiceProviderSecurityConfiguration;
import org.springframework.security.saml.provider.service.config.SamlServiceProviderServerBeanConfiguration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;

/**
* @author <a href="mailto:ihar_kahadouski@epam.com">Ihar Kahadouski</a>
* @author <a href="mailto:andrei_piankouski@epam.com">Andrei Piankouski</a>
*/
@Configuration
@Order(4)
public class SamlSecurityConfiguration extends SamlServiceProviderSecurityConfiguration {
public class SamlSecurityConfiguration extends WebSecurityConfigurerAdapter {

private SamlServerConfiguration serverConfiguration;
@Value("${rp.auth.saml.base-path}")
private String basePath;

@Value("${rp.auth.saml.entity-id}")
private String entityId;

@Value("${rp.auth.saml.key-alias}")
private String keyAlias;

@Value("${rp.auth.saml.key-password}")
private String keyPassword;

@Value("${rp.auth.saml.key-store}")
private String keyStore;

@Value("${rp.auth.saml.key-store-password}")
private String keyStorePassword;

@Value("${rp.auth.saml.active-key-name}")
private String activeKeyName;

@Value("${rp.auth.saml.network-connection-timeout}")
private Integer networkConnectTimeout;

@Value("${rp.auth.saml.network-read-timeout}")
private Integer networkReadTimeout;

@Value("${rp.auth.saml.signed-requests}")
private Boolean signedRequests;

@Value("${rp.auth.saml.prefix}")
private String prefix;

@Autowired
private IntegrationTypeRepository integrationTypeRepository;

@Autowired
private IntegrationRepository integrationRepository;

@Autowired
private SamlAuthSuccessHandler successHandler;

@Autowired
private AuthFailureHandler failureHandler;

@Autowired
private SamlUserReplicator samlUserReplicator;

public SamlSecurityConfiguration(SamlServiceProviderServerBeanConfiguration configuration,
SamlServerConfiguration spConfiguration) {
super(configuration);
this.serverConfiguration = spConfiguration;
}

@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.apply(serviceProvider()).configure(serverConfiguration);

// add auto-generation of ServiceProvider Metadata
Converter<HttpServletRequest, RelyingPartyRegistration> relyingPartyRegistrationResolver = new DefaultRelyingPartyRegistrationResolver(relyingParty());

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.sizes.LineLengthCheck> reported by reviewdog 🐶
Line is longer than 100 characters (found 155).

Saml2MetadataFilter filter = new Saml2MetadataFilter(relyingPartyRegistrationResolver, new OpenSamlMetadataResolver());

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.sizes.LineLengthCheck> reported by reviewdog 🐶
Line is longer than 100 characters (found 123).


http
// Configure SAML 2.0 Login
.saml2Login(
samlLogin ->
samlLogin.loginPage("/saml/sp/discovery")
.successHandler(successHandler)
.failureHandler(failureHandler)
.authenticationManager(new ReportPortalSamlAuthenticationManager(samlUserReplicator))

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.sizes.LineLengthCheck> reported by reviewdog 🐶
Line is longer than 100 characters (found 105).


)
.addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class)
.build();

}

@Bean

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.javadoc.MissingJavadocMethodCheck> reported by reviewdog 🐶
Missing a Javadoc comment.

public RelyingPartyRegistrationRepository relyingParty() throws Exception {
IntegrationType samlIntegrationType = integrationTypeRepository.findByName("SAML")
.orElseThrow(() -> new RuntimeException("SAML Integration Type not found"));

List<Integration> providers = integrationRepository.findAllGlobalByType(samlIntegrationType);

X509Certificate certificate = CertificationUtil.getCertificateByName(keyAlias, keyStore,
keyStorePassword);
Saml2X509Credential credential = Saml2X509Credential.verification(certificate);

List<RelyingPartyRegistration> registrations = providers.stream().map(provider -> {
RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistrations
.fromMetadataLocation(SamlParameter.IDP_METADATA_URL.getParameter(provider).get())
.registrationId("report.portal.sp.id")
.entityId(entityId)
.assertionConsumerServiceLocation(SamlParameter.BASE_PATH.getParameter(provider).get())
.assertingPartyDetails(party -> party.entityId(SamlParameter.IDP_NAME.getParameter(provider).get())

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.sizes.LineLengthCheck> reported by reviewdog 🐶
Line is longer than 100 characters (found 109).

.wantAuthnRequestsSigned(false)
// .singleSignOnServiceLocation(samlProperties.getAssertingpParty().getServiceLocation())

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.sizes.LineLengthCheck> reported by reviewdog 🐶
Line is longer than 100 characters (found 102).

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.indentation.CommentsIndentationCheck> reported by reviewdog 🐶
Comment has incorrect indentation level 0, expected is 14, indentation should be the same level as line 152.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.indentation.CommentsIndentationCheck> reported by reviewdog 🐶
Comment has incorrect indentation level 0, expected is 14, indentation should be the same level as line 153.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.indentation.CommentsIndentationCheck> reported by reviewdog 🐶
Comment has incorrect indentation level 0, expected is 14, indentation should be the same level as line 150.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.indentation.CommentsIndentationCheck> reported by reviewdog 🐶
Comment has incorrect indentation level 0, expected is 14, indentation should be the same level as line 151.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.indentation.CommentsIndentationCheck> reported by reviewdog 🐶
Comment has incorrect indentation level 0, expected is 14, indentation should be the same level as line 156.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ [reviewdog] <com.puppycrawl.tools.checkstyle.checks.indentation.CommentsIndentationCheck> reported by reviewdog 🐶
Comment has incorrect indentation level 0, expected is 14, indentation should be the same level as line 157.

.singleSignOnServiceBinding(Saml2MessageBinding.POST))
.signingX509Credentials(c -> c.add(credential))
.build();
return relyingPartyRegistration;

}).collect(Collectors.toList());
return new InMemoryRelyingPartyRegistrationRepository(registrations);
}
}
Loading
Loading