From 5d5fa04c8ba848b57511f07139f968ba253f5167 Mon Sep 17 00:00:00 2001 From: Marcus Sorensen Date: Mon, 3 Apr 2023 03:46:03 -0600 Subject: [PATCH] saml: Add EncryptedElementType key resolver to SAML plugin (#7268) There are multiple ways in which a SAML response can be formatted, especially when encryption is enabled. This PR removes the hardcoding of EncryptedKeyResolver= InlineEncryptedKeyResolver in favor of using a ChainingEncryptedKeyResolver which will try multiple resolvers. It preserves the InlineEncryptedKeyResolver as the first option but adds EncryptedElementTypeEncryptedKeyResolver to the chain of resolvers to try. ChainingEncryptedKeyResolver is a bit finicky in that you can't provide it a list of resolvers, you can only fetch its internal list and add to it. Theoretically we could add all of the resolver types to the chain, but for now just preserving the ones known to be in use. Co-authored-by: Marcus Sorensen --- .../api/command/SAML2LoginAPIAuthenticatorCmd.java | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
index 4dd9fdf278e..6bb3e788a95 100644
--- a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
+++ b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java 
@@ -55,9 +55,10 @@ import org.opensaml.saml2.core.Issuer;
 import org.opensaml.saml2.core.Response;
 import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.encryption.Decrypter;
+import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
 import org.opensaml.xml.ConfigurationException;
+import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver;
 import org.opensaml.xml.encryption.DecryptionException;
-import org.opensaml.xml.encryption.EncryptedKeyResolver;
 import org.opensaml.xml.encryption.InlineEncryptedKeyResolver;
 import org.opensaml.xml.io.UnmarshallingException;
 import org.opensaml.xml.security.SecurityHelper;
@@ -253,7 +254,9 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
 Credential credential = SecurityHelper.getSimpleCredential(idpMetadata.getEncryptionCertificate().getPublicKey(), spMetadata.getKeyPair().getPrivate());
 StaticKeyInfoCredentialResolver keyInfoResolver = new StaticKeyInfoCredentialResolver(credential);
- EncryptedKeyResolver keyResolver = new InlineEncryptedKeyResolver();
+ ChainingEncryptedKeyResolver keyResolver = new ChainingEncryptedKeyResolver();
+ keyResolver.getResolverChain().add(new InlineEncryptedKeyResolver());
+ keyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver());
 Decrypter decrypter = new Decrypter(null, keyInfoResolver, keyResolver);
 decrypter.setRootInNewDocument(true);
 List encryptedAssertions = processedSAMLResponse.getEncryptedAssertions();
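Review bot: Neither resolver added to the chain is given a recipient constraint, so every EncryptedKey the IdP response carries — inline in KeyInfo, or now also a sibling of EncryptedData under EncryptedAssertion — will be tried against the SP private key whatever its Recipient attribute says (as far as I recall OpenSAML 2's Decrypter iterates all resolved keys). That is only safe because the key-encryption key stays pinned through StaticKeyInfoCredentialResolver and the response's own KeyInfo never selects the unwrapping key; the chain widens the attacker-reachable unwrap surface, so that invariant deserves a comment above the `new ChainingEncryptedKeyResolver()` line, e.g. `// Resolvers only locate EncryptedKey elements; the unwrapping key is always the SP private key from keyInfoResolver — never replace it with a resolver that trusts the response's KeyInfo.` If the SP entityID is reachable here, consider also registering it via `getRecipients().add(...)` on each resolver (AbstractEncryptedKeyResolver in OpenSAML 2, if memory serves) so EncryptedKey elements addressed to other recipients are skipped rather than unwrapped. The enclosing method starts and ends outside this hunk.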