Skip to content

Commit

Permalink
Update CXF version to 3.4.5 (#1544)
Browse files Browse the repository at this point in the history 
(cherry-picked from commit f5a884)

Signed-off-by: Palash Hedau <phhedau@amazon.com>

Co-authored-by: Palash Hedau <phhedau@amazon.com>
  • Loading branch information
@palashhedau
palashhedau and Palash Hedau committed Dec 23, 2021
1 parent 4569984 commit f2704cb
Show file tree
Hide file tree
Showing 4 changed files with 135 additions and 4 deletions.
2 changes: 1 addition & 1 deletion pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@
<jjwt.version>0.10.5</jjwt.version>
<ldaptive.version>1.2.3</ldaptive.version>
<http.commons.version>4.5.13</http.commons.version>
<cxf.version>3.4.4</cxf.version>
<cxf.version>3.4.5</cxf.version>
<kafka.version>2.5.0</kafka.version>
<java-saml.version>2.5.0</java-saml.version>
<opensaml.version>3.4.5</opensaml.version>
Expand Down
7 changes: 5 additions & 2 deletions src/main/java/com/amazon/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
import java.util.Map.Entry;
import java.util.regex.Pattern;

import com.google.common.annotations.VisibleForTesting;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.http.HttpHeaders;
Expand Down Expand Up @@ -163,7 +164,8 @@ protected String getJwtTokenString(RestRequest request) {
return jwtToken;
}

protected String extractSubject(JwtClaims claims) {
@VisibleForTesting
public String extractSubject(JwtClaims claims) {
String subject = claims.getSubject();

if (subjectKey != null) {
Expand All @@ -189,7 +191,8 @@ protected String extractSubject(JwtClaims claims) {
}

@SuppressWarnings("unchecked")
protected String[] extractRoles(JwtClaims claims) {
@VisibleForTesting
public String[] extractRoles(JwtClaims claims) {
if (rolesKey == null) {
return new String[0];
}
Expand Down
4 changes: 3 additions & 1 deletion src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

import com.google.common.annotations.VisibleForTesting;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
Expand Down Expand Up @@ -95,7 +96,8 @@ public class HTTPSamlAuthenticator implements HTTPAuthenticator, Destroyable {
private Saml2SettingsProvider saml2SettingsProvider;
private MetadataResolver metadataResolver;
private AuthTokenProcessorHandler authTokenProcessorHandler;
private HTTPJwtAuthenticator httpJwtAuthenticator;
@VisibleForTesting
protected HTTPJwtAuthenticator httpJwtAuthenticator;
private Settings jwtSettings;

private static int resolverIdCounter = 0;
Expand Down
126 changes: 126 additions & 0 deletions src/test/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticatorTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -193,6 +193,132 @@ public void decryptAssertionsTest() throws Exception {
Assert.assertEquals("horst", jwt.getClaim("sub"));
}

@Test
public void shouldUnescapeSamlEntitiesTest() throws Exception {
mockSamlIdpServer.setAuthenticateUser("ABC\\User1");
mockSamlIdpServer.setEndpointQueryString(null);
mockSamlIdpServer.setSpSignatureCertificate(spSigningCertificate);
mockSamlIdpServer.setEncryptAssertion(true);
mockSamlIdpServer.setAuthenticateUserRoles(Arrays.asList("ABC\\Admin"));

Settings settings = Settings.builder().put(IDP_METADATA_URL, mockSamlIdpServer.getMetadataUri())
.put("kibana_url", "http://wherever").put("idp.entity_id", mockSamlIdpServer.getIdpEntityId())
.put("sp.signature_private_key", "-BEGIN PRIVATE KEY-\n"
+ Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded()) + "-END PRIVATE KEY-")
.put("exchange_key", "abc").put("roles_key", "roles").put("path.home", ".").build();

HTTPSamlAuthenticator samlAuthenticator = new HTTPSamlAuthenticator(settings, null);

AuthenticateHeaders authenticateHeaders = getAutenticateHeaders(samlAuthenticator);

String encodedSamlResponse = mockSamlIdpServer.handleSsoGetRequestURI(authenticateHeaders.location);

RestRequest tokenRestRequest = buildTokenExchangeRestRequest(encodedSamlResponse, authenticateHeaders);
TestRestChannel tokenRestChannel = new TestRestChannel(tokenRestRequest);

samlAuthenticator.reRequestAuthentication(tokenRestChannel, null);

String responseJson = new String(BytesReference.toBytes(tokenRestChannel.response.content()));
HashMap<String, Object> response = DefaultObjectMapper.objectMapper.readValue(responseJson,
new TypeReference<HashMap<String, Object>>() {
});
String authorization = (String) response.get("authorization");

Assert.assertNotNull("Expected authorization attribute in JSON: " + responseJson, authorization);

JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(authorization.replaceAll("\\s*bearer\\s*", ""));
JwtToken jwt = jwtConsumer.getJwtToken();

Assert.assertEquals("ABC\\User1", jwt.getClaim("sub"));
Assert.assertEquals("ABC\\User1", samlAuthenticator.httpJwtAuthenticator.extractSubject(jwt.getClaims()));
Assert.assertEquals("[ABC\\Admin]", String.valueOf(jwt.getClaim("roles")));
Assert.assertEquals("ABC\\Admin", samlAuthenticator.httpJwtAuthenticator.extractRoles(jwt.getClaims())[0]);
}

@Test
public void shouldUnescapeSamlEntitiesTest2() throws Exception {
mockSamlIdpServer.setAuthenticateUser("ABC\"User1");
mockSamlIdpServer.setEndpointQueryString(null);
mockSamlIdpServer.setSpSignatureCertificate(spSigningCertificate);
mockSamlIdpServer.setEncryptAssertion(true);
mockSamlIdpServer.setAuthenticateUserRoles(Arrays.asList("ABC\"Admin"));

Settings settings = Settings.builder().put(IDP_METADATA_URL, mockSamlIdpServer.getMetadataUri())
.put("kibana_url", "http://wherever").put("idp.entity_id", mockSamlIdpServer.getIdpEntityId())
.put("sp.signature_private_key", "-BEGIN PRIVATE KEY-\n"
+ Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded()) + "-END PRIVATE KEY-")
.put("exchange_key", "abc").put("roles_key", "roles").put("path.home", ".").build();

HTTPSamlAuthenticator samlAuthenticator = new HTTPSamlAuthenticator(settings, null);

AuthenticateHeaders authenticateHeaders = getAutenticateHeaders(samlAuthenticator);

String encodedSamlResponse = mockSamlIdpServer.handleSsoGetRequestURI(authenticateHeaders.location);

RestRequest tokenRestRequest = buildTokenExchangeRestRequest(encodedSamlResponse, authenticateHeaders);
TestRestChannel tokenRestChannel = new TestRestChannel(tokenRestRequest);

samlAuthenticator.reRequestAuthentication(tokenRestChannel, null);

String responseJson = new String(BytesReference.toBytes(tokenRestChannel.response.content()));
HashMap<String, Object> response = DefaultObjectMapper.objectMapper.readValue(responseJson,
new TypeReference<HashMap<String, Object>>() {
});
String authorization = (String) response.get("authorization");

Assert.assertNotNull("Expected authorization attribute in JSON: " + responseJson, authorization);

JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(authorization.replaceAll("\\s*bearer\\s*", ""));
JwtToken jwt = jwtConsumer.getJwtToken();

Assert.assertEquals("ABC\"User1", jwt.getClaim("sub"));
Assert.assertEquals("ABC\"User1", samlAuthenticator.httpJwtAuthenticator.extractSubject(jwt.getClaims()));
Assert.assertEquals("[ABC\"Admin]", String.valueOf(jwt.getClaim("roles")));
Assert.assertEquals("ABC\"Admin", samlAuthenticator.httpJwtAuthenticator.extractRoles(jwt.getClaims())[0]);
}

@Test
public void shouldNotEscapeSamlEntities() throws Exception {
mockSamlIdpServer.setAuthenticateUser("ABC/User1");
mockSamlIdpServer.setEndpointQueryString(null);
mockSamlIdpServer.setSpSignatureCertificate(spSigningCertificate);
mockSamlIdpServer.setEncryptAssertion(true);
mockSamlIdpServer.setAuthenticateUserRoles(Arrays.asList("ABC/Admin"));

Settings settings = Settings.builder().put(IDP_METADATA_URL, mockSamlIdpServer.getMetadataUri())
.put("kibana_url", "http://wherever").put("idp.entity_id", mockSamlIdpServer.getIdpEntityId())
.put("sp.signature_private_key", "-BEGIN PRIVATE KEY-\n"
+ Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded()) + "-END PRIVATE KEY-")
.put("exchange_key", "abc").put("roles_key", "roles").put("path.home", ".").build();

HTTPSamlAuthenticator samlAuthenticator = new HTTPSamlAuthenticator(settings, null);

AuthenticateHeaders authenticateHeaders = getAutenticateHeaders(samlAuthenticator);

String encodedSamlResponse = mockSamlIdpServer.handleSsoGetRequestURI(authenticateHeaders.location);

RestRequest tokenRestRequest = buildTokenExchangeRestRequest(encodedSamlResponse, authenticateHeaders);
TestRestChannel tokenRestChannel = new TestRestChannel(tokenRestRequest);

samlAuthenticator.reRequestAuthentication(tokenRestChannel, null);

String responseJson = new String(BytesReference.toBytes(tokenRestChannel.response.content()));
HashMap<String, Object> response = DefaultObjectMapper.objectMapper.readValue(responseJson,
new TypeReference<HashMap<String, Object>>() {
});
String authorization = (String) response.get("authorization");

Assert.assertNotNull("Expected authorization attribute in JSON: " + responseJson, authorization);

JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(authorization.replaceAll("\\s*bearer\\s*", ""));
JwtToken jwt = jwtConsumer.getJwtToken();

Assert.assertEquals("ABC/User1", jwt.getClaim("sub"));
Assert.assertEquals("ABC/User1", samlAuthenticator.httpJwtAuthenticator.extractSubject(jwt.getClaims()));
Assert.assertEquals("[ABC/Admin]", String.valueOf(jwt.getClaim("roles")));
Assert.assertEquals("ABC/Admin", samlAuthenticator.httpJwtAuthenticator.extractRoles(jwt.getClaims())[0]);
}

@Test
public void testMetadataBody() throws Exception {
mockSamlIdpServer.setSignResponses(true);
Expand Down

0 comments on commit f2704cb

Please sign in to comment.