From bhais...@apache.org
Subject [1/2] git commit: updated refs/heads/master to 185f7e0
Date Tue, 13 Jan 2015 21:14:09 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/master 9f5541129 -> 185f7e015


CLOUDSTACK-8037: Require signed AuthnRequest, adds more security

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 6bec69844d196e9b66fffa54f6998d8e45fc27e8)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/b7b3a4fb
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/b7b3a4fb
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/b7b3a4fb

Branch: refs/heads/master
Commit: b7b3a4fb3c270595adeb79c974b9759066f2418f
Parents: 9f55411
Author: Rohit Yadav <rohit.yadav@shapeblue.com>
Authored: Wed Jan 14 02:19:10 2015 +0530
Committer: Rohit Yadav <rohit.yadav@shapeblue.com>
Committed: Wed Jan 14 02:43:48 2015 +0530

----------------------------------------------------------------------
 .../api/command/GetServiceProviderMetaDataCmd.java      | 12 ++++++++++--
 .../org/apache/cloudstack/saml/SAML2AuthManager.java    |  2 +-
 .../apache/cloudstack/saml/SAML2AuthManagerImpl.java    |  5 ++++-
 .../src/org/apache/cloudstack/utils/auth/SAMLUtils.java |  8 ++++----
 4 files changed, 19 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b7b3a4fb/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
index 87c9431..6ab80a1 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
@@ -122,7 +122,7 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements
APIAuthent
 
         SPSSODescriptor spSSODescriptor = new SPSSODescriptorBuilder().buildObject();
         spSSODescriptor.setWantAssertionsSigned(true);
-        spSSODescriptor.setAuthnRequestsSigned(false);
+        spSSODescriptor.setAuthnRequestsSigned(true);
 
         X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
         keyInfoGeneratorFactory.setEmitEntityCertificate(true);
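Review bot: `spSSODescriptor.setAuthnRequestsSigned(true)` publishes a promise in the SP metadata that every outgoing AuthnRequest carries a signature, but nothing in this commit shows the request being signed — the builder in SAMLUtils (the hunk ending at `return authnRequest;`) sets the NameIDPolicy and RequestedAuthnContext and returns the object with no signing call visible. If the signature is applied elsewhere (for instance when the redirect binding is encoded, using `getSpKeyPair()`), a comment here should tie the two together, e.g. `// Metadata advertises signed AuthnRequests; the request is signed in <location of the signing code>` with the location filled in; if it is not applied anywhere, an IdP that enforces this flag will reject the SP's requests. The method containing this hunk starts before it.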
@@ -135,7 +135,7 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements
APIAuthent
         signKeyDescriptor.setUse(UsageType.SIGNING);
 
         BasicX509Credential credential = new BasicX509Credential();
-        credential.setEntityCertificate(_samlAuthManager.getSpX509Key());
+        credential.setEntityCertificate(_samlAuthManager.getSpX509Certificate());
         try {
             encKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential));
             signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential));
@@ -149,6 +149,14 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements
APIAuthent
         nameIDFormat.setFormat(NameIDType.PERSISTENT);
         spSSODescriptor.getNameIDFormats().add(nameIDFormat);
 
+        NameIDFormat emailNameIDFormat = new NameIDFormatBuilder().buildObject();
+        emailNameIDFormat.setFormat(NameIDType.EMAIL);
+        spSSODescriptor.getNameIDFormats().add(emailNameIDFormat);
+
+        NameIDFormat transientNameIDFormat = new NameIDFormatBuilder().buildObject();
+        transientNameIDFormat.setFormat(NameIDType.TRANSIENT);
+        spSSODescriptor.getNameIDFormats().add(transientNameIDFormat);
+
         AssertionConsumerService assertionConsumerService = new AssertionConsumerServiceBuilder().buildObject();
         assertionConsumerService.setIndex(0);
         assertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
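Review bot: The NameIDFormat entries are now appended in the order PERSISTENT, EMAIL, TRANSIENT without a comment on why; IdPs commonly treat the first listed format as the SP's preference, so the order is significant and worth recording, e.g. `// Advertised in preference order; the IdP typically honours the first format it supports`. If the plugin maps the authenticated user by NameID value (not visible here), note that a TRANSIENT identifier changes per session and cannot serve as a stable account key, so advertising it widens what an IdP may legitimately send back. The NameIDPolicy set on the AuthnRequest in SAMLUtils (`authnRequest.setNameIDPolicy(nameIdPolicy)`) is built outside these hunks and should name one of the formats advertised here. The enclosing method starts before this hunk.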

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b7b3a4fb/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
index 3ee7522..9c0d4b4 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
@@ -28,7 +28,7 @@ public interface SAML2AuthManager extends PluggableAPIAuthenticator {
 
     public X509Certificate getIdpSigningKey();
     public X509Certificate getIdpEncryptionKey();
-    public X509Certificate getSpX509Key();
+    public X509Certificate getSpX509Certificate();
     public KeyPair getSpKeyPair();
 
     public String getSpSingleSignOnUrl();

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b7b3a4fb/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
index f175081..36c9da5 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
@@ -202,6 +202,9 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
             s_logger.error("SAML2 Authentication may be unavailable");
         } catch (ConfigurationException | FactoryConfigurationError e) {
             s_logger.error("OpenSAML bootstrapping failed: error: " + e.getMessage());
+        } catch (NullPointerException e) {
+            s_logger.error("Unable to setup SAML Auth Plugin due to NullPointerException"
+
+                    " please check the SAML IDP metadata URL and entity ID in global settings:
" + e.getMessage());
         }
 
         if (this.idpSingleLogOutUrl == null || this.idpSingleSignOnUrl == null) {
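Review bot: The new `catch (NullPointerException e)` logs only `e.getMessage()`, which for a NullPointerException is usually null, so the line will read "...in global settings: null" and the stack trace that would show which metadata field was missing is lost; pass the throwable as the second argument, `s_logger.error("Unable to setup SAML Auth Plugin due to NullPointerException, please check the SAML IDP metadata URL and entity ID in global settings", e);`. Catching NullPointerException to detect missing configuration also masks genuine programming errors in the bootstrap code; an explicit null check on the IdP metadata URL and entity ID before the OpenSAML setup would report the misconfiguration directly and let real NPEs surface. The line break inside the string concatenation here appears to be mail wrapping rather than a code defect. The enclosing method starts before this hunk.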
@@ -259,7 +262,7 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
         return Boolean.valueOf(_configDao.getValue(Config.SAMLIsPluginEnabled.key()));
     }
 
-    public X509Certificate getSpX509Key() {
+    public X509Certificate getSpX509Certificate() {
         return spX509Key;
     }
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/b7b3a4fb/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
index bb4af3a..c75422f 100644
--- a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
+++ b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
@@ -148,7 +148,7 @@ public class SAMLUtils {
         RequestedAuthnContextBuilder requestedAuthnContextBuilder = new RequestedAuthnContextBuilder();
         RequestedAuthnContext requestedAuthnContext = requestedAuthnContextBuilder.buildObject();
         requestedAuthnContext
-                .setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
+                .setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
         requestedAuthnContext.getAuthnContextClassRefs().add(
                 authnContextClassRef);
 
@@ -166,7 +166,7 @@ public class SAMLUtils {
         authnRequest.setAssertionConsumerServiceURL(consumerUrl);
         authnRequest.setProviderName(spId);
         authnRequest.setNameIDPolicy(nameIdPolicy);
-        //authnRequest.setRequestedAuthnContext(requestedAuthnContext);
+        authnRequest.setRequestedAuthnContext(requestedAuthnContext);
 
         return authnRequest;
     }
@@ -315,8 +315,8 @@ public class SAMLUtils {
 
     public static X509Certificate generateRandomX509Certificate(KeyPair keyPair) throws NoSuchAlgorithmException,
NoSuchProviderException, CertificateEncodingException, SignatureException, InvalidKeyException
{
         Date validityBeginDate = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
-        Date validityEndDate = new Date(System.currentTimeMillis() + 365 * 24 * 60 * 60 *
1000);
-        X500Principal dnName = new X500Principal("CN=Apache CloudStack");
+        Date validityEndDate = new Date(System.currentTimeMillis() + 3 * 365 * 24 * 60 *
60 * 1000);
+        X500Principal dnName = new X500Principal("CN=ApacheCloudStack");
         X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
         certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
         certGen.setSubjectDN(dnName);
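Review bot: `3 * 365 * 24 * 60 * 60 * 1000` is evaluated in int arithmetic and overflows (the product is about 9.46e10, far beyond Integer.MAX_VALUE) before it is added to the long from `System.currentTimeMillis()`, so the certificate's notAfter is not three years out — the wrapped value comes to roughly 33 hours, and the replaced `365 * 24 * 60 * 60 * 1000` already overflowed to about 17 days. Promote the expression to long, `Date validityEndDate = new Date(System.currentTimeMillis() + 3L * 365 * 24 * 60 * 60 * 1000);`, or use `TimeUnit.DAYS.toMillis(3 * 365)` if adding the import is acceptable. On the context line below, a serial number taken from `System.currentTimeMillis()` is predictable; a `SecureRandom`-derived serial is the usual choice, though that predates this change. generateRandomX509Certificate continues past the end of the hunk.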

