build(deps): bump opensaml2 from 2.6.6 to 4.0.1 #2908
Conversation
Tallicia
added
in progress
DO NOT MERGE
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/187710947 The labels on this github issue will be updated when the story is started. |
Tallicia
changed the title
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
...ava/org/cloudfoundry/identity/uaa/provider/saml/SamlLegacyAliasResponseForwardingFilter.java
Fixed
Show fixed
Hide fixed
duanemay
force-pushed
the
new-saml-0530
branch
5 times, most recently
from
65b0d64
to
e67a40a
Compare
duanemay
force-pushed
the
new-saml-0530
branch
9 times, most recently
from
a761b67
to
7de27a1
Compare
duanemay
force-pushed
the
new-saml-0530
branch
2 times, most recently
from
0d3a595
to
f199f50
Compare
peterhaochen47
force-pushed
the
new-saml-0530
branch
from
46248b9
to
290f89c
Compare
duanemay
force-pushed
the
new-saml-0530
branch
2 times, most recently
from
46248b9
to
b6cb65b
Compare
peterhaochen47
force-pushed
the
new-saml-0530
branch
2 times, most recently
from
a97457f
to
745fff3
Compare
needed later for SLO
in case of decryption issue (wrong key) do not show class internals
Found in manual test with SAML SLO , POST Binding
…0-saml-session-index
…-index Store saml session index in UaaSamlPrincipal
strehle
added
scheduled
in_review
strehle
changed the title
* Cleanup libraries not needed anymore bound to old opensaml * Remove ESAPI finally this dependency is only there because of old saml * fix rebase
# Conflicts: # dependencies.gradle
Will add more coverage in Saml2Utils
Signed-off-by: Duane May <[email protected]>
| } | ||
|
|
||
| if (!identityProviderDefinitions.isEmpty()) { | ||
| SamlIdentityProviderDefinition identityProviderDefinition = identityProviderDefinitions.get(0); |
There was a problem hiding this comment.
This is an unexpected behavior, because we use then first found trust material to verify the incoming SAML message.
|
|
||
| for (SamlIdentityProviderDefinition identityProviderDefinition : identityProviderDefinitions) { | ||
| if (identityProviderDefinition.getIdpEntityAlias().equals(registrationId)) { | ||
| return createRelyingPartyRegistration(registrationId, identityProviderDefinition, currentZone); |
There was a problem hiding this comment.
This is a search by origin only. In case of SAML bearer we dont have the origin key in the token (SAML assertion) but only the issuer.
A loop is something I would like to omit because we now have an alternative , see #2825
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | ||
| <ds:X509Data> | ||
| <ds:X509Certificate> | ||
| MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk |
There was a problem hiding this comment.
Can we omit the key (default key) in the production ?
I found identitfied this xml as part of test package... if the template is needed isnt a constant string (without key) a better approach ?
|
|
||
| @Override | ||
| public Authentication convert(HttpServletRequest request) throws AuthenticationException { | ||
| RelyingPartyRegistration relyingPartyRegistration = relyingPartyRegistrationResolver.resolve(request, null); |
There was a problem hiding this comment.
This returns the dummy IdP registration.
| boolean addNew; | ||
| IdentityProvider<SamlIdentityProviderDefinition> idp; | ||
| SamlIdentityProviderDefinition samlConfig; | ||
| try { |
There was a problem hiding this comment.
a 2nd lookup in DB. right now dont have a better idea, but I would do it earlier, before signature validation
|
|
||
| Assertion assertion = parseAssertion(assertionXml); | ||
| Saml2AuthenticationToken authenticationToken = new Saml2AuthenticationToken(relyingPartyRegistration, assertionXml); | ||
| process(authenticationToken, assertion); |
There was a problem hiding this comment.
here we validate signature, but we are not confident that we have the correct IdP
Did not found a security problem, but the error messages are misleading because then you see always signature error message
| return Base64.getEncoder().encodeToString(b); | ||
| } | ||
|
|
||
| public static byte[] samlDecode(String s) { |
There was a problem hiding this comment.
missing methods for SAML bearer which needs UrlDecoder for Base64.
|
SAML2 bearer and IdP initated flows are similar and the IdP initiated flow still is not working. The resolver needs to be forked / implemented on Uaa side, I assume then we can resolve from issuer to idP . SAML2 bearer works now independent from amount of SAML2 trusts, #3132 |
Replacing the other feature branch #2862 for new SAML library replacement effort.
Sonar
https://sonarcloud.io/summary/new_code?id=cloudfoundry-identity-parent&pullRequest=2908