From bhais...@apache.org
Subject [2/2] git commit: updated refs/heads/4.5 to 921ad05
Date Tue, 13 Jan 2015 21:12:50 GMT
CLOUDSTACK-8037: Require signed AuthnRequest, adds more security

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6bec6984
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6bec6984
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6bec6984

Branch: refs/heads/4.5
Commit: 6bec69844d196e9b66fffa54f6998d8e45fc27e8
Parents: 2ed76b2
Author: Rohit Yadav <rohit.yadav@shapeblue.com>
Authored: Wed Jan 14 02:19:10 2015 +0530
Committer: Rohit Yadav <rohit.yadav@shapeblue.com>
Committed: Wed Jan 14 02:40:00 2015 +0530

----------------------------------------------------------------------
 .../api/command/GetServiceProviderMetaDataCmd.java      | 12 ++++++++++--
 .../org/apache/cloudstack/saml/SAML2AuthManager.java    |  2 +-
 .../apache/cloudstack/saml/SAML2AuthManagerImpl.java    |  5 ++++-
 .../src/org/apache/cloudstack/utils/auth/SAMLUtils.java |  8 ++++----
 4 files changed, 19 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6bec6984/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
index 194d94f..995405d 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/GetServiceProviderMetaDataCmd.java
@@ -121,7 +121,7 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements
APIAuthent
 
         SPSSODescriptor spSSODescriptor = new SPSSODescriptorBuilder().buildObject();
         spSSODescriptor.setWantAssertionsSigned(true);
-        spSSODescriptor.setAuthnRequestsSigned(false);
+        spSSODescriptor.setAuthnRequestsSigned(true);
 
         X509KeyInfoGeneratorFactory keyInfoGeneratorFactory = new X509KeyInfoGeneratorFactory();
         keyInfoGeneratorFactory.setEmitEntityCertificate(true);
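Review bot: Flipping `setAuthnRequestsSigned(true)` only advertises in the SP metadata that AuthnRequests will be signed; nothing in this commit shows the AuthnRequest built in SAMLUtils actually being signed with the SP key pair. An IdP that enforces the metadata flag will reject an unsigned redirect-binding request, so the signing step (or where it already happens) should be confirmed before this ships. A comment above the line would help the next reader, e.g. `// advertised to the IdP: the AuthnRequest must be signed with the SP key pair before it is sent`. The enclosing method continues outside the hunk.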
@@ -134,7 +134,7 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements
APIAuthent
         signKeyDescriptor.setUse(UsageType.SIGNING);
 
         BasicX509Credential credential = new BasicX509Credential();
-        credential.setEntityCertificate(_samlAuthManager.getSpX509Key());
+        credential.setEntityCertificate(_samlAuthManager.getSpX509Certificate());
         try {
             encKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential));
             signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(credential));
@@ -148,6 +148,14 @@ public class GetServiceProviderMetaDataCmd extends BaseCmd implements
APIAuthent
         nameIDFormat.setFormat(NameIDType.PERSISTENT);
         spSSODescriptor.getNameIDFormats().add(nameIDFormat);
 
+        NameIDFormat emailNameIDFormat = new NameIDFormatBuilder().buildObject();
+        emailNameIDFormat.setFormat(NameIDType.EMAIL);
+        spSSODescriptor.getNameIDFormats().add(emailNameIDFormat);
+
+        NameIDFormat transientNameIDFormat = new NameIDFormatBuilder().buildObject();
+        transientNameIDFormat.setFormat(NameIDType.TRANSIENT);
+        spSSODescriptor.getNameIDFormats().add(transientNameIDFormat);
+
         AssertionConsumerService assertionConsumerService = new AssertionConsumerServiceBuilder().buildObject();
         assertionConsumerService.setIndex(0);
         assertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
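Review bot: The three NameIDFormat stanzas (persistent, email, transient) repeat the same build/set/add sequence; a small private helper such as `addNameIdFormat(spSSODescriptor, NameIDType.EMAIL)` would keep this section readable. Advertising TRANSIENT also means the IdP may return a per-session identifier, so whatever maps the assertion subject to a CloudStack user presumably cannot rely on NameID alone for that format; a comment on the transient entry, e.g. `// transient IDs change per session; user lookup must use another attribute`, would record that. The enclosing method continues outside the hunk.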

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6bec6984/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
index 3ee7522..9c0d4b4 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
@@ -28,7 +28,7 @@ public interface SAML2AuthManager extends PluggableAPIAuthenticator {
 
     public X509Certificate getIdpSigningKey();
     public X509Certificate getIdpEncryptionKey();
-    public X509Certificate getSpX509Key();
+    public X509Certificate getSpX509Certificate();
     public KeyPair getSpKeyPair();
 
     public String getSpSingleSignOnUrl();

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6bec6984/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
index f175081..36c9da5 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
@@ -202,6 +202,9 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
             s_logger.error("SAML2 Authentication may be unavailable");
         } catch (ConfigurationException | FactoryConfigurationError e) {
             s_logger.error("OpenSAML bootstrapping failed: error: " + e.getMessage());
+        } catch (NullPointerException e) {
+            s_logger.error("Unable to setup SAML Auth Plugin due to NullPointerException"
+
+                    " please check the SAML IDP metadata URL and entity ID in global settings:
" + e.getMessage());
         }
 
         if (this.idpSingleLogOutUrl == null || this.idpSingleSignOnUrl == null) {
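Review bot: The new catch block logs only `e.getMessage()`, which for a NullPointerException is normally null, so the operator sees a message ending in "null" and no stack trace pointing at the missing setting. Pass the exception to the logger instead: `s_logger.error("Unable to setup SAML Auth Plugin, please check the SAML IDP metadata URL and entity ID in global settings", e);`. Catching NullPointerException as a configuration signal is also fragile; a null check on the metadata URL and entity ID before bootstrapping would report the problem directly. The enclosing method starts and ends outside the hunk.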
@@ -259,7 +262,7 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
         return Boolean.valueOf(_configDao.getValue(Config.SAMLIsPluginEnabled.key()));
     }
 
-    public X509Certificate getSpX509Key() {
+    public X509Certificate getSpX509Certificate() {
         return spX509Key;
     }
 

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6bec6984/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
index bb4af3a..c75422f 100644
--- a/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
+++ b/utils/src/org/apache/cloudstack/utils/auth/SAMLUtils.java
@@ -148,7 +148,7 @@ public class SAMLUtils {
         RequestedAuthnContextBuilder requestedAuthnContextBuilder = new RequestedAuthnContextBuilder();
         RequestedAuthnContext requestedAuthnContext = requestedAuthnContextBuilder.buildObject();
         requestedAuthnContext
-                .setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
+                .setComparison(AuthnContextComparisonTypeEnumeration.EXACT);
         requestedAuthnContext.getAuthnContextClassRefs().add(
                 authnContextClassRef);
 
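Review bot: Switching the comparison to EXACT, together with enabling `setRequestedAuthnContext` in the next hunk (L146), means the IdP must satisfy precisely the class in `authnContextClassRef` (assigned outside this hunk); an IdP that authenticates with a different or stronger method will refuse the request rather than upgrade it, which MINIMUM allowed. If that strictness is intended it deserves a comment here, e.g. `// EXACT: the IdP must use exactly this authn context class; stronger methods are rejected unless listed`; otherwise consider making the comparison configurable. The enclosing method starts outside the hunk.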
@@ -166,7 +166,7 @@ public class SAMLUtils {
         authnRequest.setAssertionConsumerServiceURL(consumerUrl);
         authnRequest.setProviderName(spId);
         authnRequest.setNameIDPolicy(nameIdPolicy);
-        //authnRequest.setRequestedAuthnContext(requestedAuthnContext);
+        authnRequest.setRequestedAuthnContext(requestedAuthnContext);
 
         return authnRequest;
     }
@@ -315,8 +315,8 @@ public class SAMLUtils {
 
     public static X509Certificate generateRandomX509Certificate(KeyPair keyPair) throws NoSuchAlgorithmException,
NoSuchProviderException, CertificateEncodingException, SignatureException, InvalidKeyException
{
         Date validityBeginDate = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000);
-        Date validityEndDate = new Date(System.currentTimeMillis() + 365 * 24 * 60 * 60 *
1000);
-        X500Principal dnName = new X500Principal("CN=Apache CloudStack");
+        Date validityEndDate = new Date(System.currentTimeMillis() + 3 * 365 * 24 * 60 *
60 * 1000);
+        X500Principal dnName = new X500Principal("CN=ApacheCloudStack");
         X509V1CertificateGenerator certGen = new X509V1CertificateGenerator();
         certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
         certGen.setSubjectDN(dnName);
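Review bot: `3 * 365 * 24 * 60 * 60 * 1000` is evaluated in int arithmetic and overflows (94,608,000,000 ms exceeds Integer.MAX_VALUE), so the validity end lands roughly 33 hours after generation rather than three years; the original one-year expression overflowed as well. Use a long operand, `Date validityEndDate = new Date(System.currentTimeMillis() + 3L * 365 * 24 * 60 * 60 * 1000);`, or `TimeUnit.DAYS.toMillis(3 * 365)`. Once the SP certificate expires, signature checks against it at the IdP fail with no warning from this code. The enclosing method continues outside the hunk.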

