oooo

willyborankin · Oct 26, 2023 · 7d655f2 · 7d655f2
1 parent 60c9a86
commit 7d655f2
Show file tree

Hide file tree

Showing 7 changed files with 186 additions and 78 deletions.
diff --git a/build.gradle b/build.gradle
@@ -27,7 +27,8 @@ buildscript {
         common_utils_version = System.getProperty("common_utils.version", '3.0.0.0-SNAPSHOT')
         kafka_version  = '3.6.0'
         apache_cxf_version = '4.0.3'
-        open_saml_version = '4.3.0'
+        open_saml_version = '5.0.0'
+        open_saml_shib_version = '9.0.0'
         one_login_java_saml = '2.9.0'
         jjwt_version = '0.11.5'
         guava_version = '32.1.3-jre'
@@ -598,14 +599,22 @@ dependencies {
     testImplementation 'org.apache.camel:camel-xmlsecurity:3.21.1'
 
     //OpenSAML
-    implementation 'net.shibboleth.utilities:java-support:8.4.0'
     implementation "com.onelogin:java-saml:${one_login_java_saml}"
     implementation "com.onelogin:java-saml-core:${one_login_java_saml}"
-    implementation "org.opensaml:opensaml-core:${open_saml_version}"
-    implementation "org.opensaml:opensaml-security-impl:${open_saml_version}"
+
+    implementation "net.shibboleth:shib-support:${open_saml_shib_version}"
+    implementation "net.shibboleth:shib-security:${open_saml_shib_version}"
+    implementation "net.shibboleth:shib-networking:${open_saml_shib_version}"
+
+    implementation "org.opensaml:opensaml-core-api:${open_saml_version}"
+    implementation "org.opensaml:opensaml-core-impl:${open_saml_version}"
+
     implementation "org.opensaml:opensaml-security-api:${open_saml_version}"
+    implementation "org.opensaml:opensaml-security-impl:${open_saml_version}"
+
     implementation "org.opensaml:opensaml-xmlsec-api:${open_saml_version}"
     implementation "org.opensaml:opensaml-xmlsec-impl:${open_saml_version}"
+
     implementation "org.opensaml:opensaml-saml-api:${open_saml_version}"
     implementation ("org.opensaml:opensaml-saml-impl:${open_saml_version}") {
         exclude(group: 'org.apache.velocity', module: 'velocity')
@@ -640,6 +649,7 @@ dependencies {
 
 
     testImplementation "org.opensaml:opensaml-messaging-impl:${open_saml_version}"
+    testImplementation "jakarta.servlet:jakarta.servlet-api:6.0.0"
     implementation "org.apache.commons:commons-lang3:${versions.commonslang}"
     testImplementation "org.opensearch:common-utils:${common_utils_version}"
     testImplementation "org.opensearch.plugin:reindex-client:${opensearch_version}"

diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
@@ -33,9 +33,9 @@
 import com.onelogin.saml2.settings.Saml2Settings;
 import com.onelogin.saml2.util.Constants;
 import com.onelogin.saml2.util.Util;
-import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
-import net.shibboleth.utilities.java.support.component.DestructableComponent;
-import net.shibboleth.utilities.java.support.xml.BasicParserPool;
+import net.shibboleth.shared.component.ComponentInitializationException;
+import net.shibboleth.shared.component.DestructableComponent;
+import net.shibboleth.shared.xml.impl.BasicParserPool;
 import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.http.HttpStatus;
 import org.apache.logging.log4j.LogManager;
@@ -350,12 +350,9 @@ private MetadataResolver createMetadataResolver(final Settings settings, final P
         }
 
         try {
-            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
-                @Override
-                public Void run() throws ComponentInitializationException {
-                    metadataResolver.initialize();
-                    return null;
-                }
+            AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
+                metadataResolver.initialize();
+                return null;
             });
         } catch (PrivilegedActionException e) {
             if (e.getCause() instanceof ComponentInitializationException) {

diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java b/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java
@@ -25,8 +25,8 @@
 
 import com.onelogin.saml2.settings.Saml2Settings;
 import com.onelogin.saml2.settings.SettingsBuilder;
-import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
-import net.shibboleth.utilities.java.support.resolver.ResolverException;
+import net.shibboleth.shared.resolver.CriteriaSet;
+import net.shibboleth.shared.resolver.ResolverException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensaml.core.criterion.EntityIdCriterion;

diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java b/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java
@@ -17,7 +17,7 @@
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 
-import net.shibboleth.utilities.java.support.resolver.ResolverException;
+import net.shibboleth.shared.resolver.ResolverException;
 import org.opensaml.saml.metadata.resolver.impl.FilesystemMetadataResolver;
 
 import org.opensearch.common.settings.Settings;

diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver.java b/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver.java
@@ -17,10 +17,12 @@
 import java.security.PrivilegedExceptionAction;
 import java.time.Duration;
 
-import net.shibboleth.utilities.java.support.resolver.ResolverException;
-import org.apache.http.client.HttpClient;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.apache.http.impl.client.HttpClients;
+import net.shibboleth.shared.resolver.ResolverException;
+import org.apache.hc.client5.http.classic.HttpClient;
+import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
+import org.apache.hc.client5.http.io.HttpClientConnectionManager;
 import org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver;
 
 import com.amazon.dlic.util.SettingsBasedSSLConfiguratorV4;
@@ -41,12 +43,7 @@ public class SamlHTTPMetadataResolver extends HTTPMetadataResolver {
     @SuppressWarnings("removal")
     protected byte[] fetchMetadata() throws ResolverException {
         try {
-            return AccessController.doPrivileged(new PrivilegedExceptionAction<byte[]>() {
-                @Override
-                public byte[] run() throws ResolverException {
-                    return SamlHTTPMetadataResolver.super.fetchMetadata();
-                }
-            });
+            return AccessController.doPrivileged((PrivilegedExceptionAction<byte[]>) () -> SamlHTTPMetadataResolver.super.fetchMetadata());
         } catch (PrivilegedActionException e) {
 
             if (e.getCause() instanceof ResolverException) {
@@ -70,12 +67,7 @@ private static HttpClient createHttpClient(Settings settings, Path configPath) t
                 sm.checkPermission(new SpecialPermission());
             }
 
-            return AccessController.doPrivileged(new PrivilegedExceptionAction<HttpClient>() {
-                @Override
-                public HttpClient run() throws Exception {
-                    return createHttpClient0(settings, configPath);
-                }
-            });
+            return AccessController.doPrivileged((PrivilegedExceptionAction<HttpClient>) () -> createHttpClient0(settings, configPath));
         } catch (PrivilegedActionException e) {
             if (e.getCause() instanceof Exception) {
                 throw (Exception) e.getCause();
@@ -86,15 +78,15 @@ public HttpClient run() throws Exception {
     }
 
     private static HttpClient createHttpClient0(Settings settings, Path configPath) throws Exception {
-
         HttpClientBuilder builder = HttpClients.custom();
-
         builder.useSystemProperties();
 
         SettingsBasedSSLConfiguratorV4.SSLConfig sslConfig = getSSLConfig(settings, configPath);
 
         if (sslConfig != null) {
-            builder.setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory());
+            builder.setConnectionManager(PoolingHttpClientConnectionManagerBuilder.create()
+                    .setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory5())
+                    .build());
         }
 
         return builder.build();

diff --git a/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfiguratorV4.java b/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfiguratorV4.java
@@ -479,6 +479,10 @@ public SSLConnectionSocketFactory toSSLConnectionSocketFactory() {
             return new SSLConnectionSocketFactory(sslContext, supportedProtocols, supportedCipherSuites, hostnameVerifier);
         }
 
+        public org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory toSSLConnectionSocketFactory5() {
+            return new org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory(sslContext, supportedProtocols, supportedCipherSuites, hostnameVerifier);
+        }
+
         public boolean isStartTlsEnabled() {
             return startTlsEnabled;
         }