You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by bh...@apache.org on 2015/06/04 16:14:10 UTC
git commit: updated refs/heads/saml-production-grade to de9407e
Repository: cloudstack
Updated Branches:
refs/heads/saml-production-grade b8b21aa99 -> de9407e13
CLOUDSTACK-8538: Add new global config for SAML request sig algorithm
Signed-off-by: Rohit Yadav <ro...@shapeblue.com>
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/de9407e1
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/de9407e1
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/de9407e1
Branch: refs/heads/saml-production-grade
Commit: de9407e13e6b41ea21532e6082bdadee2078d91a
Parents: b8b21aa
Author: Rohit Yadav <ro...@shapeblue.com>
Authored: Thu Jun 4 16:07:27 2015 +0200
Committer: Rohit Yadav <ro...@shapeblue.com>
Committed: Thu Jun 4 16:07:27 2015 +0200
----------------------------------------------------------------------
.../command/SAML2LoginAPIAuthenticatorCmd.java | 2 +-
.../cloudstack/saml/SAML2AuthManager.java | 3 +++
.../cloudstack/saml/SAML2AuthManagerImpl.java | 2 +-
.../org/apache/cloudstack/saml/SAMLUtils.java | 25 ++++++++++++++++----
4 files changed, 25 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/de9407e1/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
index ee7bfc9..43b4da2 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
@@ -154,7 +154,7 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
"IdP ID (" + idpId + ") is not found in our list of supported IdPs, cannot proceed.",
params, responseType));
}
- String redirectUrl = SAMLUtils.buildAuthnRequestUrl(spMetadata, idpMetadata);
+ String redirectUrl = SAMLUtils.buildAuthnRequestUrl(spMetadata, idpMetadata, SAML2AuthManager.SAMLSignatureAlgorithm.value());
resp.sendRedirect(redirectUrl);
return "";
} if (params.containsKey("SAMLart")) {
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/de9407e1/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
index 6c856d5..3b0998b 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManager.java
@@ -63,6 +63,9 @@ public interface SAML2AuthManager extends PluggableAPIAuthenticator {
public static final ConfigKey<String> SAMLDefaultIdentityProviderId = new ConfigKey<String>("Advanced", String.class, "saml2.default.idpid", "https://openidp.feide.no",
"The default IdP entity ID to use only in case of multiple IdPs", true);
+ public static final ConfigKey<String> SAMLSignatureAlgorithm = new ConfigKey<String>("Advanced", String.class, "saml2.sigalg", "SHA1",
+ "The algorithm to use to when signing a SAML request. Default is SHA1, allowed algorithms: SHA1, SHA256, SHA384, SHA512", true);
+
public static final ConfigKey<Integer> SAMLTimeout = new ConfigKey<Integer>("Advanced", Integer.class, "saml2.timeout", "30000",
"SAML2 IDP Metadata Downloading and parsing etc. activity timeout in milliseconds", true);
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/de9407e1/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
index 6797bed..fdbf089 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java
@@ -384,6 +384,6 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
SAMLCloudStackRedirectionUrl, SAMLUserAttributeName,
SAMLDefaultDomain,
SAMLIdentityProviderMetadataURL, SAMLDefaultIdentityProviderId,
- SAMLTimeout};
+ SAMLSignatureAlgorithm, SAMLTimeout};
}
}
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/de9407e1/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAMLUtils.java b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAMLUtils.java
index e2a9dbc..fde57fc 100644
--- a/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAMLUtils.java
+++ b/plugins/user-authenticators/saml2/src/org/apache/cloudstack/saml/SAMLUtils.java
@@ -133,7 +133,7 @@ public class SAMLUtils {
return null;
}
- public static String buildAuthnRequestUrl(SAMLProviderMetadata spMetadata, SAMLProviderMetadata idpMetadata) {
+ public static String buildAuthnRequestUrl(final SAMLProviderMetadata spMetadata, final SAMLProviderMetadata idpMetadata, final String signatureAlgorithm) {
String redirectUrl = "";
try {
DefaultBootstrap.bootstrap();
@@ -142,7 +142,7 @@ public class SAMLUtils {
if (spMetadata.getKeyPair() != null) {
privateKey = spMetadata.getKeyPair().getPrivate();
}
- redirectUrl = idpMetadata.getSsoUrl() + "?" + SAMLUtils.generateSAMLRequestSignature("SAMLRequest=" + SAMLUtils.encodeSAMLRequest(authnRequest), privateKey);
+ redirectUrl = idpMetadata.getSsoUrl() + "?" + SAMLUtils.generateSAMLRequestSignature("SAMLRequest=" + SAMLUtils.encodeSAMLRequest(authnRequest), privateKey, signatureAlgorithm);
} catch (ConfigurationException | FactoryConfigurationError | MarshallingException | IOException | NoSuchAlgorithmException | InvalidKeyException | java.security.SignatureException e) {
s_logger.error("SAML AuthnRequest message building error: " + e.getMessage());
}
@@ -233,13 +233,28 @@ public class SAMLUtils {
return (Response) unmarshaller.unmarshall(element);
}
- public static String generateSAMLRequestSignature(String urlEncodedString, PrivateKey signingKey)
+ public static String generateSAMLRequestSignature(final String urlEncodedString, final PrivateKey signingKey, final String sigAlgorithmName)
throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, UnsupportedEncodingException {
if (signingKey == null) {
return urlEncodedString;
}
- String url = urlEncodedString + "&SigAlg=" + URLEncoder.encode(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1, HttpUtils.UTF_8);
- Signature signature = Signature.getInstance("SHA1withRSA");
+
+ String opensamlAlgoIdSignature = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
+ String javaSignatureAlgorithmName = "SHA1withRSA";
+
+ if (sigAlgorithmName.equalsIgnoreCase("SHA256")) {
+ opensamlAlgoIdSignature = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256;
+ javaSignatureAlgorithmName = "SHA256withRSA";
+ } else if (sigAlgorithmName.equalsIgnoreCase("SHA384")) {
+ opensamlAlgoIdSignature = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA384;
+ javaSignatureAlgorithmName = "SHA384withRSA";
+ } else if (sigAlgorithmName.equalsIgnoreCase("SHA512")) {
+ opensamlAlgoIdSignature = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA512;
+ javaSignatureAlgorithmName = "SHA512withRSA";
+ }
+
+ String url = urlEncodedString + "&SigAlg=" + URLEncoder.encode(opensamlAlgoIdSignature, HttpUtils.UTF_8);
+ Signature signature = Signature.getInstance(javaSignatureAlgorithmName);
signature.initSign(signingKey);
signature.update(url.getBytes());
String signatureString = Base64.encodeBytes(signature.sign(), Base64.DONT_BREAK_LINES);