From 7d655f2cfc5797d5a356f07dc6c3e4ef9ae96df0 Mon Sep 17 00:00:00 2001
From: Andrey Pleskach
Date: Thu, 26 Oct 2023 16:28:20 +0200
Subject: [PATCH] oooo
---
 build.gradle | 18 +-
 .../auth/http/saml/HTTPSamlAuthenticator.java | 15 +-
 .../auth/http/saml/Saml2SettingsProvider.java | 4 +-
 .../saml/SamlFilesystemMetadataResolver.java | 2 +-
 .../http/saml/SamlHTTPMetadataResolver.java | 30 +--
 .../util/SettingsBasedSSLConfiguratorV4.java | 4 +
 .../auth/http/saml/MockSamlIdpServer.java | 191 ++++++++++++++----
 7 files changed, 186 insertions(+), 78 deletions(-)
diff --git a/build.gradle b/build.gradle
index 2b2358d9cf..4652c2d4bd 100644
--- a/build.gradle
+++ b/build.gradle
@@ -27,7 +27,8 @@ buildscript {
 common_utils_version = System.getProperty("common_utils.version", '3.0.0.0-SNAPSHOT')
 kafka_version = '3.6.0'
 apache_cxf_version = '4.0.3'
- open_saml_version = '4.3.0'
+ open_saml_version = '5.0.0'
+ open_saml_shib_version = '9.0.0'
 one_login_java_saml = '2.9.0'
 jjwt_version = '0.11.5'
 guava_version = '32.1.3-jre'
@@ -598,14 +599,22 @@ dependencies {
 testImplementation 'org.apache.camel:camel-xmlsecurity:3.21.1'
 //OpenSAML
- implementation 'net.shibboleth.utilities:java-support:8.4.0'
 implementation "com.onelogin:java-saml:${one_login_java_saml}"
 implementation "com.onelogin:java-saml-core:${one_login_java_saml}"
- implementation "org.opensaml:opensaml-core:${open_saml_version}"
- implementation "org.opensaml:opensaml-security-impl:${open_saml_version}"
+
+ implementation "net.shibboleth:shib-support:${open_saml_shib_version}"
+ implementation "net.shibboleth:shib-security:${open_saml_shib_version}"
+ implementation "net.shibboleth:shib-networking:${open_saml_shib_version}"
+
+ implementation "org.opensaml:opensaml-core-api:${open_saml_version}"
+ implementation "org.opensaml:opensaml-core-impl:${open_saml_version}"
+ implementation "org.opensaml:opensaml-security-api:${open_saml_version}"
+ implementation "org.opensaml:opensaml-security-impl:${open_saml_version}"
+ implementation "org.opensaml:opensaml-xmlsec-api:${open_saml_version}"
 implementation "org.opensaml:opensaml-xmlsec-impl:${open_saml_version}"
+ implementation "org.opensaml:opensaml-saml-api:${open_saml_version}"
 implementation ("org.opensaml:opensaml-saml-impl:${open_saml_version}") {
 exclude(group: 'org.apache.velocity', module: 'velocity')
@@ -640,6 +649,7 @@ dependencies {
 testImplementation "org.opensaml:opensaml-messaging-impl:${open_saml_version}"
+ testImplementation "jakarta.servlet:jakarta.servlet-api:6.0.0"
 implementation "org.apache.commons:commons-lang3:${versions.commonslang}"
 testImplementation "org.opensearch:common-utils:${common_utils_version}"
 testImplementation "org.opensearch.plugin:reindex-client:${opensearch_version}"
diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
index 918e3be5ab..91ba4c8c08 100644
--- a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
+++ b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
@@ -33,9 +33,9 @@
 import com.onelogin.saml2.settings.Saml2Settings;
 import com.onelogin.saml2.util.Constants;
 import com.onelogin.saml2.util.Util;
-import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
-import net.shibboleth.utilities.java.support.component.DestructableComponent;
-import net.shibboleth.utilities.java.support.xml.BasicParserPool;
+import net.shibboleth.shared.component.ComponentInitializationException;
+import net.shibboleth.shared.component.DestructableComponent;
+import net.shibboleth.shared.xml.impl.BasicParserPool;
 import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.http.HttpStatus;
 import org.apache.logging.log4j.LogManager;
@@ -350,12 +350,9 @@ private MetadataResolver createMetadataResolver(final Settings settings, final P
 }
 try {
- AccessController.doPrivileged(new PrivilegedExceptionAction() {
- @Override
- public Void run() throws ComponentInitializationException {
- metadataResolver.initialize();
- return null;
- }
+ AccessController.doPrivileged((PrivilegedExceptionAction) () -> {
+ metadataResolver.initialize();
+ return null;
 });
 } catch (PrivilegedActionException e) {
 if (e.getCause() instanceof ComponentInitializationException) {
diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java b/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java
index 1b97242762..ade94a8c47 100644
--- a/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java
+++ b/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java
@@ -25,8 +25,8 @@
 import com.onelogin.saml2.settings.Saml2Settings;
 import com.onelogin.saml2.settings.SettingsBuilder;
-import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
-import net.shibboleth.utilities.java.support.resolver.ResolverException;
+import net.shibboleth.shared.resolver.CriteriaSet;
+import net.shibboleth.shared.resolver.ResolverException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.opensaml.core.criterion.EntityIdCriterion;
diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java b/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java
index 302b1f41ea..4b130fcf26 100644
--- a/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java
+++ b/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java
@@ -17,7 +17,7 @@
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
-import net.shibboleth.utilities.java.support.resolver.ResolverException;
+import net.shibboleth.shared.resolver.ResolverException;
 import org.opensaml.saml.metadata.resolver.impl.FilesystemMetadataResolver;
 import org.opensearch.common.settings.Settings;
diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver.java b/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver.java
index 2a380539e6..bf31a8137d 100644
--- a/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver.java
+++ b/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver.java
@@ -17,10 +17,12 @@
 import java.security.PrivilegedExceptionAction;
 import java.time.Duration;
-import net.shibboleth.utilities.java.support.resolver.ResolverException;
-import org.apache.http.client.HttpClient;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.apache.http.impl.client.HttpClients;
+import net.shibboleth.shared.resolver.ResolverException;
+import org.apache.hc.client5.http.classic.HttpClient;
+import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
+import org.apache.hc.client5.http.io.HttpClientConnectionManager;
 import org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver;
 import com.amazon.dlic.util.SettingsBasedSSLConfiguratorV4;
@@ -41,12 +43,7 @@ public class SamlHTTPMetadataResolver extends HTTPMetadataResolver {
 @SuppressWarnings("removal")
 protected byte[] fetchMetadata() throws ResolverException {
 try {
- return AccessController.doPrivileged(new PrivilegedExceptionAction() {
- @Override
- public byte[] run() throws ResolverException {
- return SamlHTTPMetadataResolver.super.fetchMetadata();
- }
- });
+ return AccessController.doPrivileged((PrivilegedExceptionAction) () -> SamlHTTPMetadataResolver.super.fetchMetadata());
 } catch (PrivilegedActionException e) {
 if (e.getCause() instanceof ResolverException) {
@@ -70,12 +67,7 @@ private static HttpClient createHttpClient(Settings settings, Path configPath) t
 sm.checkPermission(new SpecialPermission());
 }
- return AccessController.doPrivileged(new PrivilegedExceptionAction() {
- @Override
- public HttpClient run() throws Exception {
- return createHttpClient0(settings, configPath);
- }
- });
+ return AccessController.doPrivileged((PrivilegedExceptionAction) () -> createHttpClient0(settings, configPath));
 } catch (PrivilegedActionException e) {
 if (e.getCause() instanceof Exception) {
 throw (Exception) e.getCause();
@@ -86,15 +78,15 @@ public HttpClient run() throws Exception {
 }
 private static HttpClient createHttpClient0(Settings settings, Path configPath) throws Exception {
- HttpClientBuilder builder = HttpClients.custom();
- builder.useSystemProperties();
 SettingsBasedSSLConfiguratorV4.SSLConfig sslConfig = getSSLConfig(settings, configPath);
 if (sslConfig != null) {
- builder.setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory());
+ builder.setConnectionManager(PoolingHttpClientConnectionManagerBuilder.create()
+ .setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory5())
+ .build());
 }
 return builder.build();
diff --git a/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfiguratorV4.java b/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfiguratorV4.java
index c2de5d95a2..c46fc44523 100644
--- a/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfiguratorV4.java
+++ b/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfiguratorV4.java
@@ -479,6 +479,10 @@ public SSLConnectionSocketFactory toSSLConnectionSocketFactory() {
 return new SSLConnectionSocketFactory(sslContext, supportedProtocols, supportedCipherSuites, hostnameVerifier);
 }
+ public org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory toSSLConnectionSocketFactory5() {
+ return new org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory(sslContext, supportedProtocols, supportedCipherSuites, hostnameVerifier);
+ }
+
 public boolean isStartTlsEnabled() {
 return startTlsEnabled;
 }
diff --git a/src/test/java/com/amazon/dlic/auth/http/saml/MockSamlIdpServer.java b/src/test/java/com/amazon/dlic/auth/http/saml/MockSamlIdpServer.java
index c984b4f670..659e6e23c2 100644
--- a/src/test/java/com/amazon/dlic/auth/http/saml/MockSamlIdpServer.java
+++ b/src/test/java/com/amazon/dlic/auth/http/saml/MockSamlIdpServer.java
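Review bot: `createHttpClient0` as shown removes the `HttpClientBuilder builder = HttpClients.custom();` and `builder.useSystemProperties();` lines, yet the added `builder.setConnectionManager(...)` and the surviving `return builder.build();` still reference `builder`, so unless a declaration survives in lines not rendered here the method does not compile. Dropping `useSystemProperties()` is also a behaviour change: JVM proxy and TLS system properties would no longer apply to IdP metadata fetches, which deployments that reach the IdP through an egress proxy rely on; the hc5 form is `HttpClientBuilder builder = HttpClients.custom().useSystemProperties();` placed before the `getSSLConfig` call. The added import `HttpClientConnectionManager` is not referenced by any line shown for this file. The method's closing brace lies outside the hunk.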
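Review bot: `toSSLConnectionSocketFactory5()` has no Javadoc although it is now the only path that carries the configured protocol list, cipher suites and `hostnameVerifier` into the HttpClient 5 metadata client; add `/** HttpClient 5 counterpart of {@link #toSSLConnectionSocketFactory()}: same SSLContext, protocol and cipher restrictions and hostname verifier. */`. Because both factories receive the same `hostnameVerifier` instance, whatever verification setting produced it applies unchanged to the new path, which is worth stating so the migration is not assumed to have tightened or relaxed hostname checking. The fully-qualified return type suggests the hc4 `SSLConnectionSocketFactory` is still imported; once its last caller is migrated the old method and import can be retired together.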
@@ -36,8 +36,10 @@
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Enumeration;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
@@ -47,11 +49,6 @@
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.TrustManagerFactory;
-import javax.servlet.RequestDispatcher;
-import javax.servlet.ServletInputStream;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpSession;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -62,9 +59,25 @@
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
-import net.shibboleth.utilities.java.support.codec.Base64Support;
-import net.shibboleth.utilities.java.support.codec.EncodingException;
-import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
+import jakarta.servlet.AsyncContext;
+import jakarta.servlet.DispatcherType;
+import jakarta.servlet.ReadListener;
+import jakarta.servlet.RequestDispatcher;
+import jakarta.servlet.ServletConnection;
+import jakarta.servlet.ServletContext;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletInputStream;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpSession;
+import jakarta.servlet.http.HttpUpgradeHandler;
+import jakarta.servlet.http.Part;
+import net.shibboleth.shared.codec.Base64Support;
+import net.shibboleth.shared.codec.EncodingException;
+import net.shibboleth.shared.component.ComponentInitializationException;
 import org.apache.hc.core5.function.Callback;
 import org.apache.hc.core5.http.ClassicHttpRequest;
 import org.apache.hc.core5.http.ClassicHttpResponse;
@@ -742,16 +755,25 @@ public SSLTestHttpServerConnection(
 static class FakeHttpServletRequest implements HttpServletRequest {
 private final HttpRequest delegate;
- private final Map queryParams;
+ private final Map queryParams;
 private final URIBuilder uriBuilder;
 FakeHttpServletRequest(HttpRequest delegate) throws URISyntaxException {
 this.delegate = delegate;
 String uri = delegate.getRequestUri();
 this.uriBuilder = new URIBuilder(uri);
- this.queryParams = uriBuilder.getQueryParams()
- .stream()
- .collect(Collectors.toMap(NameValuePair::getName, NameValuePair::getValue));
+ this.queryParams = new HashMap<>();
+ uriBuilder.getQueryParams().forEach(nameValuePair -> {
+ final String[] params;
+ if (!queryParams.containsKey(nameValuePair.getName())) {
+ params = new String[] { nameValuePair.getValue() };
+ } else {
+ final String[] current = queryParams.get(nameValuePair.getName());
+ params = Arrays.copyOf(current, current.length + 1);
+ params[current.length] = nameValuePair.getValue();
+ }
+ queryParams.put(nameValuePair.getName(), params);
+ });
 }
 @Override
@@ -759,9 +781,8 @@ public Object getAttribute(String arg0) {
 return null;
 }
- @SuppressWarnings("rawtypes")
 @Override
- public Enumeration getAttributeNames() {
+ public Enumeration getAttributeNames() {
 return Collections.emptyEnumeration();
 }
@@ -783,6 +804,11 @@ public int getContentLength() {
 }
 }
+ @Override
+ public long getContentLengthLong() {
+ return getContentLength();
+ }
+
 @Override
 public String getContentType() {
 if (delegate instanceof ClassicHttpRequest) {
@@ -793,7 +819,7 @@ public String getContentType() {
 }
 @Override
- public ServletInputStream getInputStream() throws IOException {
+ public jakarta.servlet.ServletInputStream getInputStream() throws IOException {
 if (delegate instanceof ClassicHttpRequest) {
 final InputStream in = ((ClassicHttpRequest) delegate).getEntity().getContent();
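Review bot: The rewritten constructor of `FakeHttpServletRequest` only parses the query string, so parameters carried in an `application/x-www-form-urlencoded` body (the SAML HTTP-POST binding) are still invisible through `getParameter`/`getParameterValues`; that is unchanged from before, but now that the parsing was rewritten a comment such as `// query-string parameters only; form-body parameters are not parsed` would keep the next reader from assuming otherwise. If `URIBuilder.getQueryParams()` can yield a pair with a null value (a bare `?name` without `=`), it is stored as `new String[] { null }` and `getParameter` returns null for a present name — presumably acceptable for a test fake, but worth confirming against the tests that use it. The class continues well past this hunk.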
@@ -810,6 +836,21 @@ public int available() throws IOException {
 public void close() throws IOException {
 in.close();
 }
+
+ @Override
+ public boolean isFinished() {
+ return false;
+ }
+
+ @Override
+ public boolean isReady() {
+ return false;
+ }
+
+ @Override
+ public void setReadListener(ReadListener readListener) {
+
+ }
 };
 } else {
 return null;
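Review bot: The anonymous `ServletInputStream` returns `false` from both `isReady()` and `isFinished()`, which tells a caller that no data can be read without blocking and that the stream is not at its end; any consumer that polls `isReady()` before `read()` would never consume the SAML body. For a blocking fake that wraps an in-memory entity `return true;` from `isReady()` is the consistent answer, and `setReadListener` can stay a no-op since async reads are not supported here. `getInputStream`, which creates this stream, begins before the hunk.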
@@ -831,43 +872,84 @@ public int getLocalPort() {
 return 0;
 }
+ @Override
+ public ServletContext getServletContext() {
+ return null;
+ }
+
+ @Override
+ public AsyncContext startAsync() throws IllegalStateException {
+ return null;
+ }
+
+ @Override
+ public AsyncContext startAsync(ServletRequest servletRequest, ServletResponse servletResponse) throws IllegalStateException {
+ return null;
+ }
+
+ @Override
+ public boolean isAsyncStarted() {
+ return false;
+ }
+
+ @Override
+ public boolean isAsyncSupported() {
+ return false;
+ }
+
+ @Override
+ public AsyncContext getAsyncContext() {
+ return null;
+ }
+
+ @Override
+ public DispatcherType getDispatcherType() {
+ return null;
+ }
+
+ @Override
+ public String getRequestId() {
+ return null;
+ }
+
+ @Override
+ public String getProtocolRequestId() {
+ return null;
+ }
+
+ @Override
+ public ServletConnection getServletConnection() {
+ return null;
+ }
+
 @Override
 public Locale getLocale() {
 return null;
 }
- @SuppressWarnings("rawtypes")
 @Override
- public Enumeration getLocales() {
+ public Enumeration getLocales() {
 return null;
 }
 @Override
 public String getParameter(String name) {
- return this.queryParams.get(name);
+ return this.queryParams.containsKey(name) ? this.queryParams.get(name)[0] : null;
 }
- @SuppressWarnings("rawtypes")
 @Override
- public Map getParameterMap() {
- return Collections.unmodifiableMap(this.queryParams);
+ public Map getParameterMap() {
+ return Map.copyOf(this.queryParams);
 }
- @SuppressWarnings("rawtypes")
 @Override
- public Enumeration getParameterNames() {
+ public Enumeration getParameterNames() {
 return Collections.enumeration(this.queryParams.keySet());
 }
 @Override
 public String[] getParameterValues(String name) {
- String value = this.queryParams.get(name);
-
- if (value != null) {
- return new String[] { value };
- } else {
- return null;
- }
+ return this.queryParams.get(name);
 }
 @Override
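Review bot: `startAsync()` and `startAsync(ServletRequest, ServletResponse)` return `null` while `isAsyncSupported()` returns `false`; the declared `IllegalStateException` is the contract for that case, so `throw new IllegalStateException("async not supported by FakeHttpServletRequest");` in both overloads fails loudly instead of handing a null `AsyncContext` to a caller. `getDispatcherType()` returning `null` is similar — `DispatcherType.REQUEST` is what a plain request carries. Also, `getParameterMap()` now uses `Map.copyOf`, which is shallow: the `String[]` values are shared with the internal map, so a caller mutating them changes later `getParameter` results — fine for a test fake if a comment says so.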
@@ -886,11 +968,6 @@ public BufferedReader getReader() throws IOException {
 }
 }
- @Override
- public String getRealPath(String arg0) {
- return null;
- }
-
 @Override
 public String getRemoteAddr() {
 return null;
@@ -977,19 +1054,17 @@ public String getHeader(String name) {
 }
 }
- @SuppressWarnings("rawtypes")
 @Override
- public Enumeration getHeaderNames() {
+ public Enumeration getHeaderNames() {
 return Collections.enumeration(Arrays.asList(delegate.getHeaders()).stream().map(Header::getName).collect(Collectors.toSet()));
 }
- @SuppressWarnings("rawtypes")
 @Override
- public Enumeration getHeaders(String name) {
+ public Enumeration getHeaders(String name) {
 Header[] headers = delegate.getHeaders(name);
 if (headers != null) {
- return Collections.enumeration(Arrays.asList(headers).stream().map(Header::getName).collect(Collectors.toSet()));
+ return Collections.enumeration(Arrays.stream(headers).map(Header::getName).collect(Collectors.toSet()));
 } else {
 return null;
 }
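Review bot: `getHeaders(String name)` still maps `Header::getName`, so it returns an enumeration containing the header name (collapsed to a single element by `toSet()`) instead of the values of the matching headers; since the line is rewritten here it should read `return Collections.enumeration(Arrays.stream(headers).map(Header::getValue).collect(Collectors.toList()));`, keeping order and duplicates as a container would. `getHeaderNames()` in the same hunk is correct because it really wants names. Any test that inspects a multi-valued header through this fake currently sees the wrong data, though I cannot tell from this hunk whether one does.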
@@ -1077,19 +1152,49 @@ public boolean isRequestedSessionIdFromURL() {
 }
 @Override
- public boolean isRequestedSessionIdFromUrl() {
+ public boolean isRequestedSessionIdValid() {
 return false;
 }
 @Override
- public boolean isRequestedSessionIdValid() {
+ public boolean isUserInRole(String arg0) {
 return false;
 }
 @Override
- public boolean isUserInRole(String arg0) {
+ public String changeSessionId() {
+ return null;
+ }
+
+ @Override
+ public boolean authenticate(HttpServletResponse response) throws IOException, ServletException {
 return false;
 }
+
+ @Override
+ public void login(String username, String password) throws ServletException {
+
+ }
+
+ @Override
+ public void logout() throws ServletException {
+
+ }
+
+ @Override
+ public Collection getParts() throws IOException, ServletException {
+ return null;
+ }
+
+ @Override
+ public Part getPart(String name) throws IOException, ServletException {
+ return null;
+ }
+
+ @Override
+ public T upgrade(Class handlerClass) throws IOException, ServletException {
+ return null;
+ }
 }
 public String getIdpEntityId() {