From 4c9c9b5cbe97d67e5ddc59d535a09281848951b1 Mon Sep 17 00:00:00 2001 From: Dimitrios Kaitantzidis Date: Sat, 5 Oct 2024 20:52:09 +0300 Subject: [PATCH] WIP: trying to make it work --- .../software/SPDF/EE/LicenseKeyChecker.java | 1 - .../SPDF/config/security/saml/SamlConfig.java | 38 +++++++++++++++- .../SPDF/model/ApplicationProperties.java | 44 ++++++++++--------- .../software/SPDF/utils/GeneralUtils.java | 14 +++--- 4 files changed, 66 insertions(+), 31 deletions(-) diff --git a/src/main/java/stirling/software/SPDF/EE/LicenseKeyChecker.java b/src/main/java/stirling/software/SPDF/EE/LicenseKeyChecker.java index 1b1e8cf6b..ec1a51b96 100644 --- a/src/main/java/stirling/software/SPDF/EE/LicenseKeyChecker.java +++ b/src/main/java/stirling/software/SPDF/EE/LicenseKeyChecker.java @@ -46,7 +46,6 @@ public class LicenseKeyChecker { log.info("License key is invalid."); } } - } public void updateLicenseKey(String newKey) throws IOException { diff --git a/src/main/java/stirling/software/SPDF/config/security/saml/SamlConfig.java b/src/main/java/stirling/software/SPDF/config/security/saml/SamlConfig.java index 358c44886..4c40cce8b 100644 --- a/src/main/java/stirling/software/SPDF/config/security/saml/SamlConfig.java +++ b/src/main/java/stirling/software/SPDF/config/security/saml/SamlConfig.java @@ -1,11 +1,20 @@ package stirling.software.SPDF.config.security.saml; +import java.io.IOException; +import java.io.InputStream; import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.security.interfaces.RSAPrivateKey; +import org.opensaml.security.x509.X509Support; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.core.io.ClassPathResource; +import org.springframework.core.io.Resource; +import org.springframework.security.converter.RsaKeyConverters; +import org.springframework.security.saml2.core.Saml2X509Credential; import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository; import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration; import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository; @@ -20,14 +29,34 @@ public class SamlConfig { @Autowired ApplicationProperties applicationProperties; + + @Bean @ConditionalOnProperty( value = "security.saml.enabled", havingValue = "true", matchIfMissing = false) public RelyingPartyRegistrationRepository relyingPartyRegistrationRepository() - throws CertificateException { - RelyingPartyRegistration registration = + throws CertificateException, IOException { + + +// Resource signingCertResource = new ClassPathResource(this.rpSigningCertLocation); + Resource signingCertResource = new ClassPathResource(this.applicationProperties.getSecurity().getSaml().getCertificateLocation()); +// Resource signingKeyResource = new ClassPathResource(this.rpSigningKeyLocation); + Resource signingKeyResource = new ClassPathResource(this.applicationProperties.getSecurity().getSaml().getPrivateKeyLocation()); + try ( + InputStream is = signingKeyResource.getInputStream(); + InputStream certIS = signingCertResource.getInputStream(); + ) { + X509Certificate rpCertificate = X509Support.decodeCertificate(certIS.readAllBytes()); + RSAPrivateKey rpKey = RsaKeyConverters.pkcs8().convert(is); + final Saml2X509Credential rpSigningCredentials = Saml2X509Credential.signing(rpKey, rpCertificate); + + X509Certificate apCert = X509Support.decodeCertificate(rpCertificate.toString()); + Saml2X509Credential apCredential = Saml2X509Credential.verification(apCert); + + + RelyingPartyRegistration registration = RelyingPartyRegistrations.fromMetadataLocation( applicationProperties .getSecurity() @@ -36,6 +65,11 @@ public class SamlConfig { .entityId(applicationProperties.getSecurity().getSaml().getEntityId()) .registrationId( applicationProperties.getSecurity().getSaml().getRegistrationId()) + .signingX509Credentials(c -> c.add(rpSigningCredentials)) + .assertingPartyDetails(party -> party + .wantAuthnRequestsSigned(true) + .verificationX509Credentials(c -> c.add(apCredential)) + ) .build(); return new InMemoryRelyingPartyRegistrationRepository(registration); } diff --git a/src/main/java/stirling/software/SPDF/model/ApplicationProperties.java b/src/main/java/stirling/software/SPDF/model/ApplicationProperties.java index 758e6e8ce..0bd8dad31 100644 --- a/src/main/java/stirling/software/SPDF/model/ApplicationProperties.java +++ b/src/main/java/stirling/software/SPDF/model/ApplicationProperties.java @@ -13,9 +13,6 @@ import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.PropertySource; import org.springframework.core.Ordered; import org.springframework.core.annotation.Order; -import org.springframework.core.io.ClassPathResource; -import org.springframework.core.io.FileSystemResource; -import org.springframework.core.io.Resource; import lombok.Data; import lombok.ToString; @@ -81,25 +78,30 @@ public class ApplicationProperties { private String registrationId; private String spBaseUrl; private String idpMetadataLocation; - private KeyStore keystore; + // private KeyStore keystore; + private String privateKeyLocation; + private String certificateLocation; + private String singleLogoutBinding; + private String singleLogoutResponseUri; + private String signingCertificate; - @Data - public static class KeyStore { - private String keystoreLocation; - private String keystorePassword; - private String keyAlias; - private String keyPassword; - private String realmCertificateAlias; - - public Resource getKeystoreResource() { - if (keystoreLocation.startsWith("classpath:")) { - return new ClassPathResource( - keystoreLocation.substring("classpath:".length())); - } else { - return new FileSystemResource(keystoreLocation); - } - } - } + // @Data + // public static class KeyStore { + // private String keystoreLocation; + // private String keystorePassword; + // private String keyAlias; + // private String keyPassword; + // private String realmCertificateAlias; + // + // public Resource getKeystoreResource() { + // if (keystoreLocation.startsWith("classpath:")) { + // return new ClassPathResource( + // keystoreLocation.substring("classpath:".length())); + // } else { + // return new FileSystemResource(keystoreLocation); + // } + // } + // } } @Data diff --git a/src/main/java/stirling/software/SPDF/utils/GeneralUtils.java b/src/main/java/stirling/software/SPDF/utils/GeneralUtils.java index 85e1bb79c..8e56c8df6 100644 --- a/src/main/java/stirling/software/SPDF/utils/GeneralUtils.java +++ b/src/main/java/stirling/software/SPDF/utils/GeneralUtils.java @@ -5,16 +5,21 @@ import java.io.FileOutputStream; import java.io.IOException; import java.io.InputStream; import java.net.HttpURLConnection; +import java.net.InetAddress; import java.net.MalformedURLException; +import java.net.NetworkInterface; import java.net.URI; import java.net.URL; +import java.nio.charset.StandardCharsets; import java.nio.file.FileVisitResult; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; import java.nio.file.SimpleFileVisitor; import java.nio.file.attribute.BasicFileAttributes; +import java.security.MessageDigest; import java.util.ArrayList; +import java.util.Enumeration; import java.util.List; import java.util.UUID; @@ -30,11 +35,6 @@ import com.fathzer.soft.javaluator.DoubleEvaluator; import io.github.pixee.security.HostValidator; import io.github.pixee.security.Urls; -import java.net.InetAddress; -import java.net.NetworkInterface; -import java.nio.charset.StandardCharsets; -import java.security.MessageDigest; -import java.util.Enumeration; public class GeneralUtils { @@ -306,7 +306,7 @@ public class GeneralUtils { } settingsYml.save(); } - + public static String generateMachineFingerprint() { try { // Get the MAC address @@ -346,7 +346,7 @@ public class GeneralUtils { return fingerprint.toString(); } catch (Exception e) { - return "GenericID"; + return "GenericID"; } } }