Posted to commits@syncope.apache.org by il...@apache.org on 2017/08/14 15:12:43 UTC

[2/2] syncope git commit: SAML2SP improvements: allow to get SP metadata as authenticated user + validate URLs in SP metadata

SAML2SP improvements: allow to get SP metadata as authenticated user + validate URLs in SP metadata


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/f912d90c
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/f912d90c
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/f912d90c

Branch: refs/heads/master
Commit: f912d90c2aa23c055cfb2e143e865f02025154bd
Parents: fe826fc
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Mon Aug 14 17:12:20 2017 +0200
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Mon Aug 14 17:12:34 2017 +0200

----------------------------------------------------------------------
 common/lib/pom.xml                              |  9 ++++++
 .../syncope/ext/saml2lsp/agent/Metadata.java    | 14 ++++++---
 ext/saml2sp/logic/pom.xml                       |  7 ++++-
 .../apache/syncope/core/logic/SAML2SPLogic.java | 32 +++++++++++++++++---
 pom.xml                                         |  8 ++++-
 5 files changed, 59 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/f912d90c/common/lib/pom.xml
----------------------------------------------------------------------
diff --git a/common/lib/pom.xml b/common/lib/pom.xml
index 810f45f..f21bf35 100644
--- a/common/lib/pom.xml
+++ b/common/lib/pom.xml
@@ -93,6 +93,15 @@ under the License.
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-checkstyle-plugin</artifactId>
       </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>2.3.2</version>
+        <configuration>
+          <source>1.7</source>
+          <target>1.7</target>
+        </configuration>
+      </plugin>
     </plugins>
   </build>
 </project>
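Review bot: The compiler plugin is pinned inline to `<version>2.3.2</version>`, which bypasses whatever version the parent `pom.xml` manages in `pluginManagement` and ties this one module to a 2011-era plugin; the other modules in this diff inherit their plugin versions from the parent. If the goal is only to keep `common/lib` at source/target 1.7, drop the `<version>` element and keep just the `<configuration>` block so the version stays centrally managed. It is not visible here whether the parent already declares a `maven.compiler.source` property that would make the `<source>`/`<target>` override unnecessary; worth confirming.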

http://git-wip-us.apache.org/repos/asf/syncope/blob/f912d90c/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java b/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java
index 73229f7..c1fbaa8 100644
--- a/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java
+++ b/ext/saml2sp/agent/src/main/java/org/apache/syncope/ext/saml2lsp/agent/Metadata.java
@@ -46,11 +46,15 @@ public class Metadata extends HttpServlet {
                 getAttribute(Constants.SYNCOPE_ANONYMOUS_CLIENT);
         SAML2SPService service = anonymous.getService(SAML2SPService.class);
         WebClient.client(service).accept(MediaType.APPLICATION_XML_TYPE).type(MediaType.APPLICATION_XML_TYPE);
-        Response metadataResponse = service.getMetadata(
-                StringUtils.substringBefore(request.getRequestURL().toString(), "/saml2sp"), "saml2sp");
+        try {
+            Response metadataResponse = service.getMetadata(
+                    StringUtils.substringBefore(request.getRequestURL().toString(), "/saml2sp"), "saml2sp");
 
-        response.setContentType(metadataResponse.getMediaType().toString());
-        IOUtils.copy((InputStream) metadataResponse.getEntity(), response.getOutputStream());
-        ((InputStream) metadataResponse.getEntity()).close();
+            response.setContentType(metadataResponse.getMediaType().toString());
+            IOUtils.copy((InputStream) metadataResponse.getEntity(), response.getOutputStream());
+            ((InputStream) metadataResponse.getEntity()).close();
+        } catch (Exception e) {
+            throw new ServletException(e.getMessage());
+        }
     }
 }
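Review bot: The new `catch (Exception e)` drops the cause: `throw new ServletException(e.getMessage());` keeps only the message, so the stack trace of the underlying CXF/IO failure is lost from the container log, and `getMessage()` may be null. Additionally the entity `InputStream` is closed only on the success path; if `IOUtils.copy` fails the stream is never closed. Closing it via try-with-resources and passing the cause fixes both; note that exposing `e.getMessage()` as the servlet exception text may surface internal error detail on the container's error page, so a fixed message plus the cause is the safer choice. The enclosing servlet method starts outside this hunk, and the agent still calls the server with the anonymous client, so the `isAuthenticated()` rule in `SAML2SPLogic` presumably still admits that client — worth confirming.

```java
        try (InputStream in = (InputStream) metadataResponse.getEntity()) {
            response.setContentType(metadataResponse.getMediaType().toString());
            IOUtils.copy(in, response.getOutputStream());
        } catch (Exception e) {
            // keep the cause so the real failure reaches the container log
            throw new ServletException("Could not retrieve SAML 2.0 SP metadata", e);
        }
```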

http://git-wip-us.apache.org/repos/asf/syncope/blob/f912d90c/ext/saml2sp/logic/pom.xml
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/pom.xml b/ext/saml2sp/logic/pom.xml
index 3c6d7eb..4aa7b86 100644
--- a/ext/saml2sp/logic/pom.xml
+++ b/ext/saml2sp/logic/pom.xml
@@ -43,7 +43,7 @@ under the License.
       <artifactId>syncope-core-logic</artifactId>
       <version>${project.version}</version>
     </dependency>
-    
+      
     <dependency>
       <groupId>org.apache.syncope.ext.saml2sp</groupId>
       <artifactId>syncope-ext-saml2sp-provisioning-java</artifactId>
@@ -59,6 +59,11 @@ under the License.
       <groupId>org.opensaml</groupId>
       <artifactId>opensaml-saml-impl</artifactId>
     </dependency>
+
+    <dependency>
+      <groupId>commons-validator</groupId>
+      <artifactId>commons-validator</artifactId>
+    </dependency>
   </dependencies>
 
   <build>

http://git-wip-us.apache.org/repos/asf/syncope/blob/f912d90c/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
----------------------------------------------------------------------
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
index 07e8e19..0809020 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/SAML2SPLogic.java
@@ -35,6 +35,7 @@ import javax.annotation.Resource;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.tuple.Pair;
 import org.apache.commons.lang3.tuple.Triple;
+import org.apache.commons.validator.routines.UrlValidator;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.saml.sso.SSOValidatorResponse;
@@ -128,6 +129,8 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
 
     private static final Encryptor ENCRYPTOR = Encryptor.getInstance();
 
+    private static final UrlValidator URL_VALIDATOR = new UrlValidator(new String[] { "http", "https" });
+
     @Autowired
     private AccessTokenDataBinder accessTokenDataBinder;
 
@@ -152,11 +155,29 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
     @Resource(name = "syncopeJWTSSOProviderDelegate")
     private JwsSignatureVerifier jwsSignatureVerifier;
 
+    private void validateUrl(final String url) {
+        boolean isValid = true;
+        if (url.contains("..")) {
+            isValid = false;
+        }
+        if (isValid) {
+            isValid = URL_VALIDATOR.isValid(url);
+        }
+
+        if (!isValid) {
+            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
+            sce.getElements().add("Invalid URL: " + url);
+            throw sce;
+        }
+    }
+
     private String getAssertionConsumerURL(final String spEntityID, final String urlContext) {
-        return spEntityID + urlContext + "/assertion-consumer";
+        String assertionConsumerUrl = spEntityID + urlContext + "/assertion-consumer";
+        validateUrl(assertionConsumerUrl);
+        return assertionConsumerUrl;
     }
 
-    @PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")
+    @PreAuthorize("isAuthenticated()")
     public void getMetadata(final String spEntityID, final String urlContext, final OutputStream os) {
         check();
 
@@ -193,10 +214,13 @@ public class SAML2SPLogic extends AbstractSAML2Logic<AbstractBaseBean> {
                 spSSODescriptor.getAssertionConsumerServices().add(assertionConsumerService);
                 spEntityDescriptor.getRoleDescriptors().add(spSSODescriptor);
 
+                String sloUrl = spEntityID + urlContext + "/logout";
+                validateUrl(sloUrl);
+
                 SingleLogoutService singleLogoutService = new SingleLogoutServiceBuilder().buildObject();
                 singleLogoutService.setBinding(bindingType.getUri());
-                singleLogoutService.setLocation(spEntityID + urlContext + "/logout");
-                singleLogoutService.setResponseLocation(spEntityID + urlContext + "/logout");
+                singleLogoutService.setLocation(sloUrl);
+                singleLogoutService.setResponseLocation(sloUrl);
                 spSSODescriptor.getSingleLogoutServices().add(singleLogoutService);
             }
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/f912d90c/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 1df04b5..74a71f9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -402,6 +402,7 @@ under the License.
     <commons-lang.version>3.6</commons-lang.version>
     <commons-text.version>1.1</commons-text.version>
     <commons-collection.version>4.1</commons-collection.version>
+    <commons-validator.version>1.6</commons-validator.version>
     <commons-logging.version>1.1.3</commons-logging.version>
 
     <joda.version>2.9.9</joda.version>
@@ -975,7 +976,12 @@ under the License.
         <artifactId>commons-collections4</artifactId>
         <version>${commons-collection.version}</version>
       </dependency>
-            
+      <dependency>
+        <groupId>commons-validator</groupId>
+        <artifactId>commons-validator</artifactId>
+        <version>${commons-validator.version}</version>
+      </dependency>
+
       <dependency>
         <groupId>net.tirasa.connid</groupId>
         <artifactId>connector-framework</artifactId>