WIP: Try to add saml2 logout with defaults (SamlConfig)

WIP: Try to add saml2 logout with defaults
WIP: login process works properly
2024-10-07 23:21:36 +03:00 · 2024-10-07 23:20:54 +03:00 · 2024-10-07 19:12:56 +03:00 · 2024-10-07 18:46:19 +03:00 · 2024-10-05 20:52:09 +03:00
6 changed files with 100 additions and 53 deletions
--- a/src/main/java/stirling/software/SPDF/EE/LicenseKeyChecker.java
+++ b/src/main/java/stirling/software/SPDF/EE/LicenseKeyChecker.java
@@ -46,7 +46,6 @@ public class LicenseKeyChecker {
                log.info("License key is invalid.");
            }
        }
-        
    }

    public void updateLicenseKey(String newKey) throws IOException {
--- a/src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java
+++ b/src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java
@@ -1,5 +1,7 @@
 package stirling.software.SPDF.config.security;

+import static org.springframework.security.config.Customizer.withDefaults;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.Bean;
@@ -204,8 +206,7 @@ public class SecurityConfiguration {
                            .equalsIgnoreCase("normal")) {
                http.saml2Login(
                                saml2 -> {
-                                    saml2.loginPage("/saml2")
-                                            .relyingPartyRegistrationRepository(
+                                    saml2.relyingPartyRegistrationRepository(
                                                    relyingPartyRegistrationRepository)
                                            .successHandler(
                                                    new CustomSAMLAuthenticationSuccessHandler(
@@ -215,6 +216,7 @@ public class SecurityConfiguration {
                                            .failureHandler(
                                                    new CustomSAMLAuthenticationFailureHandler());
                                })
+                        .saml2Logout(withDefaults())
                        .addFilterBefore(
                                userAuthenticationFilter, Saml2WebSsoAuthenticationFilter.class);
            }
--- a/src/main/java/stirling/software/SPDF/config/security/saml/ConvertResponseToAuthentication.java
+++ b/src/main/java/stirling/software/SPDF/config/security/saml/ConvertResponseToAuthentication.java
@@ -1,10 +1,6 @@
 package stirling.software.SPDF.config.security.saml;

-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 import java.util.stream.Collectors;

 import org.opensaml.saml.saml2.core.Assertion;
@@ -57,7 +53,12 @@ public class ConvertResponseToAuthentication
            return Collections.emptySet();
        }

-        final List<Object> groups = new ArrayList<>(attributes.get(authoritiesAttributeName));
+        List<Object> groups = new ArrayList<>();
+
+        if (attributes.get(authoritiesAttributeName) != null) {
+            groups = new ArrayList<>(attributes.get(authoritiesAttributeName));
+        }
+
        return groups.stream()
                .filter(String.class::isInstance)
                .map(String.class::cast)
--- a/src/main/java/stirling/software/SPDF/config/security/saml/SamlConfig.java
+++ b/src/main/java/stirling/software/SPDF/config/security/saml/SamlConfig.java
@@ -1,15 +1,21 @@
 package stirling.software.SPDF.config.security.saml;

+import java.io.IOException;
+import java.io.InputStream;
 import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateKey;

+import org.opensaml.security.x509.X509Support;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
-import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
-import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
-import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+import org.springframework.security.converter.RsaKeyConverters;
+import org.springframework.security.saml2.core.Saml2X509Credential;
+import org.springframework.security.saml2.provider.service.registration.*;

 import lombok.extern.slf4j.Slf4j;
 import stirling.software.SPDF.model.ApplicationProperties;
@@ -20,23 +26,60 @@ public class SamlConfig {

    @Autowired ApplicationProperties applicationProperties;

+    @Autowired ResourceLoader resourceLoader;
+
    @Bean
    @ConditionalOnProperty(
            value = "security.saml.enabled",
            havingValue = "true",
            matchIfMissing = false)
    public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository()
-            throws CertificateException {
-        RelyingPartyRegistration registration =
-                RelyingPartyRegistrations.fromMetadataLocation(
-                                applicationProperties
-                                        .getSecurity()
-                                        .getSaml()
-                                        .getIdpMetadataLocation())
-                        .entityId(applicationProperties.getSecurity().getSaml().getEntityId())
-                        .registrationId(
-                                applicationProperties.getSecurity().getSaml().getRegistrationId())
-                        .build();
-        return new InMemoryRelyingPartyRegistrationRepository(registration);
+            throws CertificateException, IOException {
+
+        //        Resource signingCertResource = new ClassPathResource(this.rpSigningCertLocation);
+        Resource signingCertResource =
+                resourceLoader.getResource(
+                        this.applicationProperties
+                                .getSecurity()
+                                .getSaml()
+                                .getCertificateLocation());
+        //        Resource signingKeyResource = new ClassPathResource(this.rpSigningKeyLocation);
+        Resource signingKeyResource =
+                resourceLoader.getResource(
+                        this.applicationProperties.getSecurity().getSaml().getPrivateKeyLocation());
+        try (InputStream is = signingKeyResource.getInputStream();
+                InputStream certIS = signingCertResource.getInputStream(); ) {
+            X509Certificate rpCertificate = X509Support.decodeCertificate(certIS.readAllBytes());
+            RSAPrivateKey rpKey = RsaKeyConverters.pkcs8().convert(is);
+            final Saml2X509Credential rpSigningCredentials =
+                    Saml2X509Credential.signing(rpKey, rpCertificate);
+
+            X509Certificate apCert =
+                    X509Support.decodeCertificate(
+                            applicationProperties.getSecurity().getSaml().getSigningCertificate());
+            Saml2X509Credential apCredential = Saml2X509Credential.verification(apCert);
+
+            RelyingPartyRegistration registration =
+                    RelyingPartyRegistrations.fromMetadataLocation(
+                                    applicationProperties
+                                            .getSecurity()
+                                            .getSaml()
+                                            .getIdpMetadataLocation())
+                            .entityId(applicationProperties.getSecurity().getSaml().getEntityId())
+                            .registrationId(
+                                    applicationProperties
+                                            .getSecurity()
+                                            .getSaml()
+                                            .getRegistrationId())
+                            .signingX509Credentials(c -> c.add(rpSigningCredentials))
+                            .assertingPartyDetails(
+                                    party ->
+                                            party.wantAuthnRequestsSigned(true)
+                                                    .verificationX509Credentials(
+                                                            c -> c.add(apCredential)))
+                            .singleLogoutServiceLocation("http://localhost:8090/logout/saml2/slo")
+                            .build();
+            return new InMemoryRelyingPartyRegistrationRepository(registration);
+        }
    }
 }
--- a/src/main/java/stirling/software/SPDF/model/ApplicationProperties.java
+++ b/src/main/java/stirling/software/SPDF/model/ApplicationProperties.java
@@ -13,9 +13,6 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.PropertySource;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
-import org.springframework.core.io.ClassPathResource;
-import org.springframework.core.io.FileSystemResource;
-import org.springframework.core.io.Resource;

 import lombok.Data;
 import lombok.ToString;
@@ -81,25 +78,30 @@ public class ApplicationProperties {
            private String registrationId;
            private String spBaseUrl;
            private String idpMetadataLocation;
-            private KeyStore keystore;
+            //            private KeyStore keystore;
+            private String privateKeyLocation;
+            private String certificateLocation;
+            private String singleLogoutBinding;
+            private String singleLogoutResponseUri;
+            private String signingCertificate;

-            @Data
-            public static class KeyStore {
-                private String keystoreLocation;
-                private String keystorePassword;
-                private String keyAlias;
-                private String keyPassword;
-                private String realmCertificateAlias;
-
-                public Resource getKeystoreResource() {
-                    if (keystoreLocation.startsWith("classpath:")) {
-                        return new ClassPathResource(
-                                keystoreLocation.substring("classpath:".length()));
-                    } else {
-                        return new FileSystemResource(keystoreLocation);
-                    }
-                }
-            }
+            //            @Data
+            //            public static class KeyStore {
+            //                private String keystoreLocation;
+            //                private String keystorePassword;
+            //                private String keyAlias;
+            //                private String keyPassword;
+            //                private String realmCertificateAlias;
+            //
+            //                public Resource getKeystoreResource() {
+            //                    if (keystoreLocation.startsWith("classpath:")) {
+            //                        return new ClassPathResource(
+            //                                keystoreLocation.substring("classpath:".length()));
+            //                    } else {
+            //                        return new FileSystemResource(keystoreLocation);
+            //                    }
+            //                }
+            //            }
        }

        @Data
--- a/src/main/java/stirling/software/SPDF/utils/GeneralUtils.java
+++ b/src/main/java/stirling/software/SPDF/utils/GeneralUtils.java
@@ -5,16 +5,21 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.HttpURLConnection;
+import java.net.InetAddress;
 import java.net.MalformedURLException;
+import java.net.NetworkInterface;
 import java.net.URI;
 import java.net.URL;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.FileVisitResult;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.nio.file.SimpleFileVisitor;
 import java.nio.file.attribute.BasicFileAttributes;
+import java.security.MessageDigest;
 import java.util.ArrayList;
+import java.util.Enumeration;
 import java.util.List;
 import java.util.UUID;

@@ -30,11 +35,6 @@ import com.fathzer.soft.javaluator.DoubleEvaluator;

 import io.github.pixee.security.HostValidator;
 import io.github.pixee.security.Urls;
-import java.net.InetAddress;
-import java.net.NetworkInterface;
-import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
-import java.util.Enumeration;

 public class GeneralUtils {

@@ -306,7 +306,7 @@ public class GeneralUtils {
        }
        settingsYml.save();
    }
-    
+
    public static String generateMachineFingerprint() {
        try {
            // Get the MAC address
@@ -346,7 +346,7 @@ public class GeneralUtils {
            return fingerprint.toString();

        } catch (Exception e) {
-        	return "GenericID";
+            return "GenericID";
        }
    }
 }
Author	SHA1	Message	Date
Dimitrios Kaitantzidis	92c0ddf63b	WIP: Try to add saml2 logout with defaults (SamlConfig)	2024-10-07 23:21:36 +03:00
Dimitrios Kaitantzidis	7297e9e62d	WIP: Try to add saml2 logout with defaults	2024-10-07 23:20:54 +03:00
Dimitrios Kaitantzidis	f8944fd2a9	WIP: login process works properly	2024-10-07 19:12:56 +03:00
Dimitrios Kaitantzidis	3fd44fe7af	WIP: adds certificate properties	2024-10-07 18:46:19 +03:00
Dimitrios Kaitantzidis	4c9c9b5cbe	WIP: trying to make it work	2024-10-05 20:52:09 +03:00