From bhais...@apache.org
Subject [05/11] git commit: updated refs/heads/saml-production-grade to 89a290f
Date Fri, 29 May 2015 13:43:57 GMT
CLOUDSTACK-8461: Use unspecified x509 cert as a fallback encryption/signing key

In case an IDP's metadata does not clearly say whether its certificates are to be
used for signing or encryption and no such key is found, fall back to using the
unspecified key itself.

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/f2466e37
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/f2466e37
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/f2466e37

Branch: refs/heads/saml-production-grade
Commit: f2466e376a1ba366bebb4ae5d1c5dd9c00ce86bb
Parents: bea84a7
Author: Rohit Yadav <rohit.yadav@shapeblue.com>
Authored: Fri May 29 15:36:11 2015 +0200
Committer: Rohit Yadav <rohit.yadav@shapeblue.com>
Committed: Fri May 29 15:43:33 2015 +0200

----------------------------------------------------------------------
 .../apache/cloudstack/saml/SAML2AuthManager.java   |  3 +++
 .../cloudstack/saml/SAML2AuthManagerImpl.java      | 17 +++++++++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f2466e37/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
index 59b1607..468e9df 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
@@ -49,6 +49,9 @@ public interface SAML2AuthManager extends PluggableAPIAuthenticator {
     public static final ConfigKey<String> SAMLIdentityProviderMetadataURL = new ConfigKey<String>("Advanced",
String.class, "saml2.idp.metadata.url", "https://openidp.feide.no/simplesaml/saml2/idp/metadata.php",
             "SAML2 Identity Provider Metadata XML Url", true);
 
+    public static final ConfigKey<String> SAMLIdentityProviderId = new ConfigKey<String>("Advanced",
String.class, "saml2.idp.id", "https://openidp.feide.no",
+            "SAML2 Identity Provider Metadata XML Url", true);
+
     public static final ConfigKey<Integer> SAMLTimeout = new ConfigKey<Integer>("Advanced",
Integer.class, "saml2.timeout", "30000",
             "SAML2 IDP Metadata Downloading and parsing etc. activity timeout in milliseconds",
true);
 
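Review bot: The description of the new SAMLIdentityProviderId key is copied verbatim from the metadata-URL key above it ("SAML2 Identity Provider Metadata XML Url"), so the saml2.idp.id setting would be mislabelled wherever ConfigKey descriptions are surfaced to operators. A description matching the key's role, e.g. `"SAML2 Identity Provider ID (entity ID/issuer)", true);`, avoids that. The default "https://openidp.feide.no" appears to name a public test IdP (it mirrors the host of the metadata-URL default on the context line); on a production-grade branch it may be worth documenting in the description that this default must be replaced with the real IdP's entity ID, since the Impl reads it directly via `SAMLIdentityProviderId.value()`.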

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/f2466e37/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
index 0704971..6f5723e 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
@@ -148,7 +148,7 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
         }
 
         this.serviceProviderId = SAMLServiceProviderID.value();
-        this.identityProviderId = "https://openidp.feide.no"; // FIXME: SAMLIdentityProviderID.key();
+        this.identityProviderId = SAMLIdentityProviderId.value();
 
         this.spSingleSignOnUrl = SAMLServiceProviderSingleSignOnURL.value();
         this.spSingleLogOutUrl = SAMLServiceProviderSingleLogOutURL.value();
@@ -181,6 +181,7 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
                     }
                 }
 
+                X509Certificate unspecifiedKey = null;
                 for (KeyDescriptor kd: idpssoDescriptor.getKeyDescriptors()) {
                     if (kd.getUse() == UsageType.SIGNING) {
                         try {
@@ -194,6 +195,18 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
                         } catch (CertificateException ignored) {
                         }
                     }
+                    if (kd.getUse() == UsageType.UNSPECIFIED) {
+                        try {
+                            unspecifiedKey = KeyInfoHelper.getCertificates(kd.getKeyInfo()).get(0);
+                        } catch (CertificateException ignored) {
+                        }
+                    }
+                }
+                if (idpSigningKey == null && unspecifiedKey != null) {
+                    idpSigningKey = unspecifiedKey;
+                }
+                if (idpEncryptionKey == null && unspecifiedKey != null) {
+                    idpEncryptionKey = unspecifiedKey;
                 }
             } else {
                 s_logger.warn("Provided IDP XML Metadata does not contain IDPSSODescriptor,
SAML authentication may not work");
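Review bot: `KeyInfoHelper.getCertificates(kd.getKeyInfo()).get(0)` in the new UNSPECIFIED branch throws IndexOutOfBoundsException when a KeyDescriptor carries no X509 certificate (for example a bare KeyValue), and the surrounding `catch (CertificateException ignored)` does not cover that, so one such descriptor in otherwise valid IdP metadata aborts the whole metadata load instead of being skipped; guard the list first, `List<X509Certificate> certs = KeyInfoHelper.getCertificates(kd.getKeyInfo()); if (!certs.isEmpty()) { unspecifiedKey = certs.get(0); }`. The SIGNING branch that starts in the previous hunk is cut off, but if it indexes the same way it has the same exposure. The empty catch should also log, e.g. `s_logger.warn("Could not parse IDP certificate from unspecified KeyDescriptor", ignored);`, because a silently dropped certificate here surfaces later only as an unexplained signature/decryption failure. Note too that when the IdP publishes several `use`-less descriptors (common during key rollover) the loop keeps only the last one, so the fallback may pick a retired certificate; the enclosing for loop and method both start outside this hunk.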
@@ -281,6 +294,6 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
     public ConfigKey<?>[] getConfigKeys() {
         return new ConfigKey<?>[]{SAMLIsPluginEnabled, SAMLUserAttributeName, SAMLCloudStackRedirectionUrl,
                 SAMLServiceProviderSingleSignOnURL, SAMLServiceProviderSingleLogOutURL,
-                SAMLServiceProviderID, SAMLIdentityProviderMetadataURL, SAMLTimeout};
+                SAMLServiceProviderID, SAMLIdentityProviderMetadataURL, SAMLIdentityProviderId,
SAMLTimeout};
     }
 }

