Return-Path: X-Original-To: apmail-cloudstack-commits-archive@www.apache.org Delivered-To: apmail-cloudstack-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id B661F11BB3 for ; Fri, 12 Sep 2014 15:16:35 +0000 (UTC) Received: (qmail 19378 invoked by uid 500); 12 Sep 2014 15:16:35 -0000 Delivered-To: apmail-cloudstack-commits-archive@cloudstack.apache.org Received: (qmail 19335 invoked by uid 500); 12 Sep 2014 15:16:35 -0000 Mailing-List: contact commits-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list commits@cloudstack.apache.org Received: (qmail 19313 invoked by uid 99); 12 Sep 2014 15:16:35 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 12 Sep 2014 15:16:35 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id 3A020A1176C; Fri, 12 Sep 2014 15:16:35 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: bhaisaab@apache.org To: commits@cloudstack.apache.org Date: Fri, 12 Sep 2014 15:16:35 -0000 Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: [01/10] git commit: updated refs/heads/master to d46e459 Repository: cloudstack Updated Branches: refs/heads/master aeec24b2c -> d46e45991 saml2: WIP X509 certificate auth stuff Signed-off-by: Rohit Yadav (cherry picked from commit f7d409e0f4d2b6f56ec82ae339eff5f477e4a832) 
Signed-off-by: Rohit Yadav Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/f1440819 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/f1440819 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/f1440819 Branch: refs/heads/master Commit: f1440819582ca4c30d337af53a17f31065405585 Parents: aeec24b Author: Rohit Yadav Authored: Sat Aug 30 21:38:59 2014 +0200 Committer: Rohit Yadav Committed: Fri Sep 12 14:31:21 2014 +0200
----------------------------------------------------------------------
.../command/SAML2LoginAPIAuthenticatorCmd.java | 14 +++++---
.../cloudstack/saml/SAML2AuthManagerImpl.java | 38 ++++++++++++++++++++
2 files changed, 48 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f1440819/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
index b279977..b204e72 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
@@ -55,7 +55,8 @@ import org.opensaml.xml.ConfigurationException;
 import org.opensaml.xml.io.MarshallingException;
 import org.opensaml.xml.io.UnmarshallingException;
 import org.opensaml.xml.security.x509.BasicX509Credential;
-import org.opensaml.xml.signature.Signature;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.opensaml.xml.signature.SignatureException;
 import org.opensaml.xml.signature.SignatureValidator;
 import org.opensaml.xml.validation.ValidationException;
 import org.xml.sax.SAXException;
@@ -68,6 +69,10 @@ import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.stream.FactoryConfigurationError;
 import java.io.IOException;
 import java.net.URLEncoder;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.Signature;
 import java.util.List;
 import java.util.Map;
@@ -134,8 +139,9 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
 try {
 DefaultBootstrap.bootstrap();
 AuthnRequest authnRequest = SAMLUtils.buildAuthnRequestObject(spId, identityProviderUrl, consumerUrl);
- redirectUrl = identityProviderUrl + "?SAMLRequest=" + SAMLUtils.encodeSAMLRequest(authnRequest);
- } catch (ConfigurationException | FactoryConfigurationError | MarshallingException | IOException e) {
+ redirectUrl = "SAMLRequest=" + SAMLUtils.encodeSAMLRequest(authnRequest);
+ redirectUrl = identityProviderUrl + "?" + SAMLUtils.generateSAMLRequestSignature(redirectUrl, privateKey);
+ } catch (ConfigurationException | FactoryConfigurationError | MarshallingException | IOException | SignatureException | NoSuchAlgorithmException | InvalidKeyException | java.security.SignatureException e) {
 s_logger.error("SAML AuthnRequest message building error: " + e.getMessage());
 }
 return redirectUrl;
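Review bot: In the third hunk (-134,8 +139,9) a failure inside `generateSAMLRequestSignature` is only logged by message and the method still returns `redirectUrl`, which at that point holds the bare `"SAMLRequest=..."` query fragment from the first assignment (or its pre-try value, which is outside the hunk), so a signing error surfaces to the caller as an ordinary, unsigned and malformed redirect target. Log the full exception and make the failure visible instead of falling through: `s_logger.error("SAML AuthnRequest message building error: " + e.getMessage(), e);` and return a value the caller can recognise as an error rather than the partial URL. The Redirect-binding signature has to cover the `SigAlg` parameter as well as `SAMLRequest` (and `RelayState` when present); whether `SAMLUtils.generateSAMLRequestSignature` appends `SigAlg` and `Signature` itself is not visible here and should be confirmed in `SAMLUtils`. `SignatureConstants` is imported in the first hunk but not used in any visible line; if nothing else in the file uses it, drop the import. The enclosing method, and the `privateKey` and `redirectUrl` it uses, start outside the hunk.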
@@ -176,7 +182,7 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
 }
 if (_samlAuthManager.getIdpSigningKey() != null) {
- Signature sig = processedSAMLResponse.getSignature();
+ org.opensaml.xml.signature.Signature sig = processedSAMLResponse.getSignature();
 BasicX509Credential credential = new BasicX509Credential();
 credential.setEntityCertificate(_samlAuthManager.getIdpSigningKey());
 SignatureValidator validator = new SignatureValidator(credential);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f1440819/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
index aa06320..fa4a695 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
@@ -23,6 +23,9 @@ import org.apache.cloudstack.api.command.GetServiceProviderMetaDataCmd;
 import org.apache.cloudstack.api.command.SAML2LoginAPIAuthenticatorCmd;
 import org.apache.cloudstack.api.command.SAML2LogoutAPIAuthenticatorCmd;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import org.apache.cloudstack.framework.security.keystore.KeystoreDao;
+import org.apache.cloudstack.framework.security.keystore.KeystoreVO;
+import org.apache.cloudstack.utils.auth.SAMLUtils;
 import org.apache.log4j.Logger;
 import org.opensaml.DefaultBootstrap;
 import org.opensaml.common.xml.SAMLConstants;
@@ -42,8 +45,17 @@ import org.springframework.stereotype.Component;
 import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.xml.stream.FactoryConfigurationError;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.SignatureException;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.spec.RSAPrivateKeySpec;
 import java.util.ArrayList;
 import java.util.List;
@@ -69,6 +81,9 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
 @Inject
 ConfigurationDao _configDao;
+ @Inject
+ private KeystoreDao _ksDao;
+
 @Override
 public boolean start() {
 if (isSAMLPluginEnabled()) {
@@ -80,6 +95,29 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
 private boolean setup() {
 // TODO: In future if need added logic to get SP X509 cert for Idps that need signed requests
+ KeystoreVO keyStoreVO = _ksDao.findByName(SAMLUtils.CERTIFICATE_NAME);
+ if (keyStoreVO == null) {
+ try {
+ KeyPair keyPair = SAMLUtils.generateRandomKeyPair();
+ _ksDao.save(SAMLUtils.CERTIFICATE_NAME, keyPair.getPrivate().getEncoded().toString(), keyPair.getPublic().getEncoded().toString(), "saml-sp");
+ keyStoreVO = _ksDao.findByName(SAMLUtils.CERTIFICATE_NAME);
+ } catch (NoSuchProviderException | NoSuchAlgorithmException e) {
+ s_logger.error("Unable to create and save SAML keypair");
+ }
+ }
+
+ if (keyStoreVO != null) {
+ PrivateKey privateKey = new RSAPrivateKeySpec();
+ KeyPair keyPair = new KeyPair();
+ }
+
+ try {
+
+ X509Certificate spCert = SAMLUtils.generateRandomX509Certificate();
+ } catch (NoSuchAlgorithmException | NoSuchProviderException | CertificateEncodingException | SignatureException | InvalidKeyException e) {
+ e.printStackTrace();
+ }
+
 this.serviceProviderId = _configDao.getValue(Config.SAMLServiceProviderID.key());
 this.identityProviderId = _configDao.getValue(Config.SAMLIdentityProviderID.key());
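Review bot: The persisted key material in `_ksDao.save(...)` is not the key: `getEncoded()` returns a `byte[]`, and `byte[].toString()` yields the JVM identity string (`[B@...`), so what is stored under `SAMLUtils.CERTIFICATE_NAME` can never be turned back into a `PrivateKey`, and the `keyStoreVO != null` branch that should do that reload (`new RSAPrivateKeySpec()`, `new KeyPair()`) does not compile as written, since neither class has a no-argument constructor and `RSAPrivateKeySpec` is not a `PrivateKey`. Store a textual encoding of the PKCS#8 bytes (for example Base64 of `keyPair.getPrivate().getEncoded()`, and likewise for the public key) and reload with `KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(decodedBytes))`; the argument order of `KeystoreDao.save` is not visible here and should be checked against the DAO. The certificate returned by `SAMLUtils.generateRandomX509Certificate()` is assigned to `spCert` and dropped, so the SP still ends up with no certificate to publish in its metadata, and that block's `e.printStackTrace()` plus the first catch's message-only `s_logger.error("Unable to create and save SAML keypair");` both discard the exception — use `s_logger.error("...", e)` in both places. The WIP tag covers this, but the private key of the service provider is what lets anyone forge signed AuthnRequests on its behalf, so the stored form, its access path through `KeystoreDao`, and the SecureRandom source behind `generateRandomKeyPair` (outside this hunk, in `SAMLUtils`) deserve a second look before the branch is finished; `setup()` continues past the end of the hunk.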