saml: purge token after first response and improve setting description (#9377)

* saml: purge token after first response and improve setting description

This improves the description of a saml signature checking global
setting, and purges the SAML token upon handling the first SAML
response.

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

* fix failing unit test

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

---------

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Rohit Yadav 2024-07-15 09:45:28 +05:30 committed by GitHub
parent 50586a9481
commit 2cfb541a1d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 20 additions and 11 deletions


@ -228,6 +228,7 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
"Received SAML response for a SSO request that we may not have made or has expired, please try logging in again", "Received SAML response for a SSO request that we may not have made or has expired, please try logging in again",
params, responseType)); params, responseType));
} }
samlAuthManager.purgeToken(token);
// Set IdpId for this session // Set IdpId for this session
session.setAttribute(SAMLPluginConstants.SAML_IDPID, issuer.getValue()); session.setAttribute(SAMLPluginConstants.SAML_IDPID, issuer.getValue());
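Review bot: The added `samlAuthManager.purgeToken(token);` runs before the signature and assertion checks that come later in this method (the method continues outside the hunk), so once any response arrives for a pending request id, a later validation failure sends the user back through a fresh login rather than letting them retry; that one-shot intent is not stated anywhere at the call site. A comment would make it explicit for the next maintainer: `// One-time use: drop the pending authn request record now so a replayed response for the same request id fails the lookup above`. It is also worth confirming that `token` is the record resolved from the response's InResponseTo value rather than from session state, since the replay protection only holds if the purge is tied to the response being processed.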


@ -71,16 +71,17 @@ public interface SAML2AuthManager extends PluggableAPIAuthenticator, PluggableSe
"SAML2 IDP Metadata refresh interval in seconds, minimum value is set to 300", true); "SAML2 IDP Metadata refresh interval in seconds, minimum value is set to 300", true);
ConfigKey<Boolean> SAMLCheckSignature = new ConfigKey<Boolean>("Advanced", Boolean.class, "saml2.check.signature", "true", ConfigKey<Boolean> SAMLCheckSignature = new ConfigKey<Boolean>("Advanced", Boolean.class, "saml2.check.signature", "true",
"Whether SAML2 signature must be checked, when enforced and when the SAML response does not have a signature would lead to login exception", true); "When enabled (default and recommended), SAML2 signature checks are enforced and lack of signature in the SAML SSO response will cause login exception. Disabling this is not advisable but provided for backward compatibility for users who are able to accept the risks.", false);
public SAMLProviderMetadata getSPMetadata(); SAMLProviderMetadata getSPMetadata();
public SAMLProviderMetadata getIdPMetadata(String entityId); SAMLProviderMetadata getIdPMetadata(String entityId);
public Collection<SAMLProviderMetadata> getAllIdPMetadata(); Collection<SAMLProviderMetadata> getAllIdPMetadata();
public boolean isUserAuthorized(Long userId, String entityId); boolean isUserAuthorized(Long userId, String entityId);
public boolean authorizeUser(Long userId, String entityId, boolean enable); boolean authorizeUser(Long userId, String entityId, boolean enable);
public void saveToken(String authnId, String domain, String entity); void saveToken(String authnId, String domain, String entity);
public SAMLTokenVO getToken(String authnId); SAMLTokenVO getToken(String authnId);
public void expireTokens(); void purgeToken(SAMLTokenVO token);
void expireTokens();
} }
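Review bot: The last constructor argument of `SAMLCheckSignature` on the changed line goes from `true` to `false` together with the description rewrite, but neither the description nor the commit message says what that flag change means for operators. If that argument is ConfigKey's dynamic flag, the setting now takes effect only after a management-server restart, which belongs in the description (e.g. append `Requires a management server restart to take effect.`) and is consistent with the test change in the other file from `_defaultValue` to `_value`. The new `purgeToken(SAMLTokenVO token)` is also added without a Javadoc; a one-liner such as `/** Removes the pending SAML authn request record so its response is accepted only once; a null token is ignored. */` would document the contract the login command now relies on.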


@ -487,6 +487,13 @@ public class SAML2AuthManagerImpl extends AdapterBase implements SAML2AuthManage
return _samlTokenDao.findByUuid(authnId); return _samlTokenDao.findByUuid(authnId);
} }
@Override
public void purgeToken(SAMLTokenVO token) {
if (token != null) {
_samlTokenDao.remove(token.getId());
}
}
@Override @Override
public void expireTokens() { public void expireTokens() {
_samlTokenDao.expireTokens(); _samlTokenDao.expireTokens();
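Review bot: `purgeToken` discards whatever `_samlTokenDao.remove(token.getId())` reports, so a token that could not be deleted (already gone, or a DAO failure signalled by a return value rather than an exception) leaves no trace, even though the caller depends on this removal for one-time use of the SAML response. If `remove` returns a boolean, as the generic DAO methods in this project appear to, log a warning on `false` that includes the token id but no assertion contents; that also gives incident responders a record of when pending requests were consumed. A Javadoc line like `/** Deletes the pending authn request record; a null token is a no-op. */` would complete it. `expireTokens` continues outside the hunk.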


@ -279,7 +279,7 @@ public class SAML2LoginAPIAuthenticatorCmdTest {
@Test @Test
public void testFailOnSAMLSignatureCheckWhenFalse() throws NoSuchFieldException, IllegalAccessException { public void testFailOnSAMLSignatureCheckWhenFalse() throws NoSuchFieldException, IllegalAccessException {
overrideDefaultConfigValue(SAML2AuthManager.SAMLCheckSignature, "_defaultValue", "false"); overrideDefaultConfigValue(SAML2AuthManager.SAMLCheckSignature, "_value", false);
SAML2LoginAPIAuthenticatorCmd cmd = new SAML2LoginAPIAuthenticatorCmd(); SAML2LoginAPIAuthenticatorCmd cmd = new SAML2LoginAPIAuthenticatorCmd();
try { try {
cmd.checkAndFailOnMissingSAMLSignature(null); cmd.checkAndFailOnMissingSAMLSignature(null);
@ -290,7 +290,7 @@ public class SAML2LoginAPIAuthenticatorCmdTest {
@Test(expected = ServerApiException.class) @Test(expected = ServerApiException.class)
public void testFailOnSAMLSignatureCheckWhenTrue() throws NoSuchFieldException, IllegalAccessException { public void testFailOnSAMLSignatureCheckWhenTrue() throws NoSuchFieldException, IllegalAccessException {
overrideDefaultConfigValue(SAML2AuthManager.SAMLCheckSignature, "_defaultValue", "true"); overrideDefaultConfigValue(SAML2AuthManager.SAMLCheckSignature, "_value", true);
SAML2LoginAPIAuthenticatorCmd cmd = new SAML2LoginAPIAuthenticatorCmd(); SAML2LoginAPIAuthenticatorCmd cmd = new SAML2LoginAPIAuthenticatorCmd();
cmd.checkAndFailOnMissingSAMLSignature(null); cmd.checkAndFailOnMissingSAMLSignature(null);
} }
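Review bot: Both tests now write `_value` on the shared static `SAML2AuthManager.SAMLCheckSignature` through reflection, but nothing in these hunks restores it, so the last test to run leaves the key overridden for any other test in the same JVM that reads it; resetting it to the previous value in an `@After` method, or in a `finally` inside each test, would keep them order-independent. The helper's name `overrideDefaultConfigValue` also no longer describes what it does now that it targets `_value` rather than `_defaultValue`; `overrideConfigValue` would be accurate. The helper is defined outside the hunk, so whether it already snapshots the old value cannot be seen here.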