Merge branch 'feature/customizable_saml_dsig_algorithms_#127421237' i…

…nto develop [finishes #127421237] https://www.pivotaltracker.com/story/show/127421237 Signed-off-by: Jeremy Coffield <[email protected]>
sequenceiq · Oct 5, 2016 · edb84f8 · edb84f8
1 parent a2b00c8
commit edb84f8
Show file tree

Hide file tree

Showing 7 changed files with 114 additions and 5 deletions.
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBean.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBean.java
@@ -0,0 +1,41 @@
+// TODO: add legal boilerplate
+package org.cloudfoundry.identity.uaa.provider.saml;
+
+import org.opensaml.xml.Configuration;
+import org.opensaml.xml.security.BasicSecurityConfiguration;
+import org.opensaml.xml.signature.SignatureConstants;
+import org.springframework.beans.factory.InitializingBean;
+
+
+public class SamlConfigurationBean implements InitializingBean {
+  private SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.SHA1;
+
+  public void setSignatureAlgorithm(SignatureAlgorithm s) {
+    signatureAlgorithm = s;
+  }
+
+  @Override
+  public void afterPropertiesSet() throws Exception {
+    BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
+    switch (signatureAlgorithm) {
+      case SHA1:
+        config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
+        config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA1);
+        break;
+      case SHA256:
+        config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
+        config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA256);
+        break;
+      case SHA512:
+        config.registerSignatureAlgorithmURI("RSA", SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512);
+        config.setSignatureReferenceDigestMethod(SignatureConstants.ALGO_ID_DIGEST_SHA512);
+        break;
+    }
+  }
+
+  public enum SignatureAlgorithm {
+    SHA1,
+    SHA256,
+    SHA512
+  }
+}
diff --git a/uaa/src/main/resources/login.yml b/uaa/src/main/resources/login.yml
@@ -137,6 +137,8 @@ login:
     signRequest: true
     #Local/SP metadata - want incoming assertions signed
     #wantAssertionSigned: true
+    #Algorithm for SAML signatures. Defaults to SHA1.  Accepts SHA1, SHA256, SHA512
+    #signatureAlgorithm: SHA256
     socket:
       # URL metadata fetch - pool timeout
       connectionManagerTimeout: 10000

diff --git a/uaa/src/main/webapp/WEB-INF/spring/saml-idp.xml b/uaa/src/main/webapp/WEB-INF/spring/saml-idp.xml
@@ -133,4 +133,8 @@
         <constructor-arg name="zoneProvisioning" ref="identityZoneProvisioning"/>
         <property name="metadataManager" ref="idpMetadataManager" />
     </bean>
+
+    <bean id="defaultSamlConfig" class="org.cloudfoundry.identity.uaa.provider.saml.SamlConfigurationBean">
+        <property name="signatureAlgorithm" value="${login.saml.signatureAlgorithm:SHA1}" />
+    </bean>
 </beans>
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/BootstrapTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/login/BootstrapTests.java
@@ -35,6 +35,7 @@
 import org.cloudfoundry.identity.uaa.provider.SamlIdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.provider.UaaIdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.provider.saml.BootstrapSamlIdentityProviderConfigurator;
+import org.cloudfoundry.identity.uaa.provider.saml.SamlConfigurationBean;
 import org.cloudfoundry.identity.uaa.provider.saml.ZoneAwareMetadataGenerator;
 import org.cloudfoundry.identity.uaa.resources.jdbc.SimpleSearchQueryConverter;
 import org.cloudfoundry.identity.uaa.scim.ScimGroup;
@@ -57,7 +58,10 @@
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.opensaml.xml.Configuration;
+import org.opensaml.xml.signature.SignatureConstants;
 import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.support.DefaultListableBeanFactory;
 import org.springframework.beans.factory.xml.ResourceEntityResolver;
 import org.springframework.beans.factory.xml.XmlBeanDefinitionReader;
@@ -162,19 +166,17 @@ public void cleanup() throws Exception {
     public void testRootContextDefaults() throws Exception {
         String originalSmtpHost = System.getProperty("smtp.host");
         System.setProperty("smtp.host","");
-        context = getServletContext(activeProfiles, "login.yml","uaa.yml", "file:./src/main/webapp/WEB-INF/spring-servlet.xml");
+        context = getServletContext(activeProfiles, "login.yml", "uaa.yml", "file:./src/main/webapp/WEB-INF/spring-servlet.xml");
 
         JdbcUaaUserDatabase userDatabase = context.getBean(JdbcUaaUserDatabase.class);
-        if (activeProfiles!=null && activeProfiles.contains("mysql")) {
+        if (activeProfiles != null && activeProfiles.contains("mysql")) {
             assertTrue(userDatabase.isCaseInsensitive());
             assertEquals("marissa", userDatabase.retrieveUserByName("marissa", OriginKeys.UAA).getUsername());
             assertEquals("marissa", userDatabase.retrieveUserByName("MArissA", OriginKeys.UAA).getUsername());
         } else {
             assertFalse(userDatabase.isCaseInsensitive());
         }
 
-
-
         assertNotNull(context.getBean("identityZoneHolderInitializer"));
 
         assertEquals(300, context.getBean(CachingPasswordEncoder.class).getExpiryInSeconds());
@@ -274,7 +276,7 @@ public void testRootContextDefaults() throws Exception {
         passcode = prompts.get(1);
         assertEquals("Password",passcode.getDetails()[1]);
         passcode = prompts.get(2);
-        assertEquals("One Time Code ( Get one at http://localhost:8080/uaa/passcode )",passcode.getDetails()[1]);
+        assertEquals("One Time Code ( Get one at http://localhost:8080/uaa/passcode )", passcode.getDetails()[1]);
 
         ZoneAwareMetadataGenerator zoneAwareMetadataGenerator = context.getBean(ZoneAwareMetadataGenerator.class);
         assertTrue(zoneAwareMetadataGenerator.isRequestSigned());
@@ -310,6 +312,9 @@ public void testRootContextDefaults() throws Exception {
             System.clearProperty("smtp.host");
         }
 
+        assertEquals(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, Configuration.getGlobalSecurityConfiguration().getSignatureAlgorithmURI("RSA"));
+        assertEquals(SignatureConstants.ALGO_ID_DIGEST_SHA1, Configuration.getGlobalSecurityConfiguration().getSignatureReferenceDigestMethod());
+
     }
 
     @Test
@@ -469,6 +474,9 @@ public void testPropertyValuesWhenSetInYaml() throws Exception {
         assertEquals("Your Secret", passcode.getDetails()[1]);
         passcode = prompts.get(2);
         assertEquals("One Time Code ( Get one at https://login.some.test.domain.com:555/uaa/passcode )", passcode.getDetails()[1]);
+
+        assertEquals(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256, Configuration.getGlobalSecurityConfiguration().getSignatureAlgorithmURI("RSA"));
+        assertEquals(SignatureConstants.ALGO_ID_DIGEST_SHA256, Configuration.getGlobalSecurityConfiguration().getSignatureReferenceDigestMethod());
     }
 
     @Test
@@ -545,6 +553,11 @@ public void bootstrap_scim_groups_asMap_from_yaml() throws Exception {
         assertThat(scimGroups, PredicateMatcher.<ScimGroup>has(g -> g.getDisplayName().equals("cat") && "The cat".equals(g.getDescription())));
     }
 
+    @Test(expected = BeanCreationException.class)
+    public void invalid_saml_signature_algorithm() throws Exception {
+        context = getServletContext(null, "login.yml", "test/bootstrap/config_with_invalid_saml_signature_algorithm.yml", "file:./src/main/webapp/WEB-INF/spring-servlet.xml");
+    }
+
     @Test
     public void bootstrap_idpDiscoveryEnabled_from_yml() throws Exception {
         context = getServletContext(null, "login.yml", "test/bootstrap/bootstrap-test.yml", "file:./src/main/webapp/WEB-INF/spring-servlet.xml");

diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBeanTest.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/provider/saml/SamlConfigurationBeanTest.java
@@ -0,0 +1,46 @@
+// TODO: add legal boilerplate
+package org.cloudfoundry.identity.uaa.provider.saml;
+
+import org.cloudfoundry.identity.uaa.mock.InjectedMockContextTest;
+import org.junit.Test;
+import org.opensaml.xml.Configuration;
+import org.opensaml.xml.security.BasicSecurityConfiguration;
+import org.opensaml.xml.signature.SignatureConstants;
+
+import static org.junit.Assert.assertEquals;
+
+public class SamlConfigurationBeanTest extends InjectedMockContextTest {
+  @Test
+  public void testSHA1SignatureAlgorithm() throws Exception {
+    SamlConfigurationBean samlConfigurationBean = new SamlConfigurationBean();
+    samlConfigurationBean.setSignatureAlgorithm(SamlConfigurationBean.SignatureAlgorithm.SHA1);
+    samlConfigurationBean.afterPropertiesSet();
+
+    BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
+    assertEquals(SignatureConstants.ALGO_ID_DIGEST_SHA1, config.getSignatureReferenceDigestMethod());
+    assertEquals(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, config.getSignatureAlgorithmURI("RSA"));
+  }
+
+  @Test
+  public void testSHA256SignatureAlgorithm() throws Exception {
+    SamlConfigurationBean samlConfigurationBean = new SamlConfigurationBean();
+    samlConfigurationBean.setSignatureAlgorithm(SamlConfigurationBean.SignatureAlgorithm.SHA256 );
+    samlConfigurationBean.afterPropertiesSet();
+
+    BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
+    assertEquals(SignatureConstants.ALGO_ID_DIGEST_SHA256, config.getSignatureReferenceDigestMethod());
+    assertEquals(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256, config.getSignatureAlgorithmURI("RSA"));
+  }
+
+  @Test
+  public void testSHA512SignatureAlgorithm() throws Exception {
+    SamlConfigurationBean samlConfigurationBean = new SamlConfigurationBean();
+    samlConfigurationBean.setSignatureAlgorithm(SamlConfigurationBean.SignatureAlgorithm.SHA512 );
+    samlConfigurationBean.afterPropertiesSet();
+
+    BasicSecurityConfiguration config = (BasicSecurityConfiguration) Configuration.getGlobalSecurityConfiguration();
+    assertEquals(SignatureConstants.ALGO_ID_DIGEST_SHA512, config.getSignatureReferenceDigestMethod());
+    assertEquals(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512, config.getSignatureAlgorithmURI("RSA"));
+  }
+
+}
diff --git a/uaa/src/test/resources/test/bootstrap/bootstrap-test.yml b/uaa/src/test/resources/test/bootstrap/bootstrap-test.yml
@@ -15,6 +15,8 @@ zones:
       - test4.localhost
 
 login:
+  saml:
+    signatureAlgorithm: SHA256
   branding:
     companyName: test-company-branding-name
     squareLogo: |

diff --git a/uaa/src/test/resources/test/bootstrap/config_with_invalid_saml_signature_algorithm.yml b/uaa/src/test/resources/test/bootstrap/config_with_invalid_saml_signature_algorithm.yml
@@ -0,0 +1 @@
+login.saml.signatureAlgorithm: bunk