WIP: Try to add saml2 logout with defaults (SamlConfig)

src/main/java/stirling/software/SPDF/EE/LicenseKeyChecker.java

@@ -46,7 +46,6 @@ public class LicenseKeyChecker {
                 log.info("License key is invalid.");
             }
         }
-        
     }
 
     public void updateLicenseKey(String newKey) throws IOException {

src/main/java/stirling/software/SPDF/config/security/SecurityConfiguration.java

@@ -1,5 +1,7 @@
 package stirling.software.SPDF.config.security;
 
+import static org.springframework.security.config.Customizer.withDefaults;
+
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.Bean;
@@ -204,8 +206,7 @@ public class SecurityConfiguration {
                             .equalsIgnoreCase("normal")) {
                 http.saml2Login(
                                 saml2 -> {
-                                    saml2.loginPage("/saml2")
+                                    saml2.relyingPartyRegistrationRepository(
-                                            .relyingPartyRegistrationRepository(
                                                     relyingPartyRegistrationRepository)
                                             .successHandler(
                                                     new CustomSAMLAuthenticationSuccessHandler(
@@ -215,6 +216,7 @@ public class SecurityConfiguration {
                                             .failureHandler(
                                                     new CustomSAMLAuthenticationFailureHandler());
                                 })
+                        .saml2Logout(withDefaults())
                         .addFilterBefore(
                                 userAuthenticationFilter, Saml2WebSsoAuthenticationFilter.class);
             }

src/main/java/stirling/software/SPDF/config/security/saml/ConvertResponseToAuthentication.java

@@ -1,10 +1,6 @@
 package stirling.software.SPDF.config.security.saml;
 
-import java.util.ArrayList;
+import java.util.*;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
 import java.util.stream.Collectors;
 
 import org.opensaml.saml.saml2.core.Assertion;
@@ -57,7 +53,12 @@ public class ConvertResponseToAuthentication
             return Collections.emptySet();
         }
 
-        final List<Object> groups = new ArrayList<>(attributes.get(authoritiesAttributeName));
+        List<Object> groups = new ArrayList<>();
+
+        if (attributes.get(authoritiesAttributeName) != null) {
+            groups = new ArrayList<>(attributes.get(authoritiesAttributeName));
+        }
+
         return groups.stream()
                 .filter(String.class::isInstance)
                 .map(String.class::cast)

src/main/java/stirling/software/SPDF/config/security/saml/SamlConfig.java

@@ -1,15 +1,21 @@
 package stirling.software.SPDF.config.security.saml;
 
+import java.io.IOException;
+import java.io.InputStream;
 import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateKey;
 
+import org.opensaml.security.x509.X509Support;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
+import org.springframework.core.io.Resource;
-import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.core.io.ResourceLoader;
-import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.security.converter.RsaKeyConverters;
-import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
+import org.springframework.security.saml2.core.Saml2X509Credential;
+import org.springframework.security.saml2.provider.service.registration.*;
 
 import lombok.extern.slf4j.Slf4j;
 import stirling.software.SPDF.model.ApplicationProperties;
@@ -20,13 +26,39 @@ public class SamlConfig {
 
     @Autowired ApplicationProperties applicationProperties;
 
+    @Autowired ResourceLoader resourceLoader;
+
     @Bean
     @ConditionalOnProperty(
             value = "security.saml.enabled",
             havingValue = "true",
             matchIfMissing = false)
     public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository()
-            throws CertificateException {
+            throws CertificateException, IOException {
+
+        //        Resource signingCertResource = new ClassPathResource(this.rpSigningCertLocation);
+        Resource signingCertResource =
+                resourceLoader.getResource(
+                        this.applicationProperties
+                                .getSecurity()
+                                .getSaml()
+                                .getCertificateLocation());
+        //        Resource signingKeyResource = new ClassPathResource(this.rpSigningKeyLocation);
+        Resource signingKeyResource =
+                resourceLoader.getResource(
+                        this.applicationProperties.getSecurity().getSaml().getPrivateKeyLocation());
+        try (InputStream is = signingKeyResource.getInputStream();
+                InputStream certIS = signingCertResource.getInputStream(); ) {
+            X509Certificate rpCertificate = X509Support.decodeCertificate(certIS.readAllBytes());
+            RSAPrivateKey rpKey = RsaKeyConverters.pkcs8().convert(is);
+            final Saml2X509Credential rpSigningCredentials =
+                    Saml2X509Credential.signing(rpKey, rpCertificate);
+
+            X509Certificate apCert =
+                    X509Support.decodeCertificate(
+                            applicationProperties.getSecurity().getSaml().getSigningCertificate());
+            Saml2X509Credential apCredential = Saml2X509Credential.verification(apCert);
+
             RelyingPartyRegistration registration =
                     RelyingPartyRegistrations.fromMetadataLocation(
                                     applicationProperties
@@ -35,8 +67,19 @@ public class SamlConfig {
                                             .getIdpMetadataLocation())
                             .entityId(applicationProperties.getSecurity().getSaml().getEntityId())
                             .registrationId(
-                                applicationProperties.getSecurity().getSaml().getRegistrationId())
+                                    applicationProperties
+                                            .getSecurity()
+                                            .getSaml()
+                                            .getRegistrationId())
+                            .signingX509Credentials(c -> c.add(rpSigningCredentials))
+                            .assertingPartyDetails(
+                                    party ->
+                                            party.wantAuthnRequestsSigned(true)
+                                                    .verificationX509Credentials(
+                                                            c -> c.add(apCredential)))
+                            .singleLogoutServiceLocation("http://localhost:8090/logout/saml2/slo")
                             .build();
             return new InMemoryRelyingPartyRegistrationRepository(registration);
         }
     }
+}

src/main/java/stirling/software/SPDF/model/ApplicationProperties.java

@@ -13,9 +13,6 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.PropertySource;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
-import org.springframework.core.io.ClassPathResource;
-import org.springframework.core.io.FileSystemResource;
-import org.springframework.core.io.Resource;
 
 import lombok.Data;
 import lombok.ToString;
@@ -81,25 +78,30 @@ public class ApplicationProperties {
             private String registrationId;
             private String spBaseUrl;
             private String idpMetadataLocation;
-            private KeyStore keystore;
+            //            private KeyStore keystore;
+            private String privateKeyLocation;
+            private String certificateLocation;
+            private String singleLogoutBinding;
+            private String singleLogoutResponseUri;
+            private String signingCertificate;
 
-            @Data
+            //            @Data
-            public static class KeyStore {
+            //            public static class KeyStore {
-                private String keystoreLocation;
+            //                private String keystoreLocation;
-                private String keystorePassword;
+            //                private String keystorePassword;
-                private String keyAlias;
+            //                private String keyAlias;
-                private String keyPassword;
+            //                private String keyPassword;
-                private String realmCertificateAlias;
+            //                private String realmCertificateAlias;
-
+            //
-                public Resource getKeystoreResource() {
+            //                public Resource getKeystoreResource() {
-                    if (keystoreLocation.startsWith("classpath:")) {
+            //                    if (keystoreLocation.startsWith("classpath:")) {
-                        return new ClassPathResource(
+            //                        return new ClassPathResource(
-                                keystoreLocation.substring("classpath:".length()));
+            //                                keystoreLocation.substring("classpath:".length()));
-                    } else {
+            //                    } else {
-                        return new FileSystemResource(keystoreLocation);
+            //                        return new FileSystemResource(keystoreLocation);
-                    }
+            //                    }
-                }
+            //                }
-            }
+            //            }
         }
 
         @Data

src/main/java/stirling/software/SPDF/utils/GeneralUtils.java

@@ -5,16 +5,21 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.HttpURLConnection;
+import java.net.InetAddress;
 import java.net.MalformedURLException;
+import java.net.NetworkInterface;
 import java.net.URI;
 import java.net.URL;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.FileVisitResult;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.nio.file.SimpleFileVisitor;
 import java.nio.file.attribute.BasicFileAttributes;
+import java.security.MessageDigest;
 import java.util.ArrayList;
+import java.util.Enumeration;
 import java.util.List;
 import java.util.UUID;
 
@@ -30,11 +35,6 @@ import com.fathzer.soft.javaluator.DoubleEvaluator;
 
 import io.github.pixee.security.HostValidator;
 import io.github.pixee.security.Urls;
-import java.net.InetAddress;
-import java.net.NetworkInterface;
-import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
-import java.util.Enumeration;
 
 public class GeneralUtils {