Search in sources :

Example 1 with ExternalServiceEndpoint

use of com.epam.pipeline.security.ExternalServiceEndpoint in project cloud-pipeline by epam.

the class SAMLProxyFilter method doFilterInternal.

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
    if (!urlMatches(request)) {
        filterChain.doFilter(request, response);
        return;
    }
    List<ExternalServiceEndpoint> externalServices = preferenceManager.getPreference(SYSTEM_EXTERNAL_SERVICES_ENDPOINTS);
    if (CollectionUtils.isEmpty(externalServices)) {
        LOGGER.warn(messageHelper.getMessage(MessageConstants.ERROR_PROXY_SECURITY_CONFIG_MISSING));
    } else {
        String samlResponse = request.getParameter("SAMLResponse");
        if (StringUtils.isNotBlank(samlResponse)) {
            try {
                Response decoded = CustomSamlClient.decodeSamlResponse(samlResponse);
                String audience = ListUtils.emptyIfNull(decoded.getAssertions()).stream().findFirst().map(Assertion::getConditions).map(conditions -> ListUtils.emptyIfNull(conditions.getAudienceRestrictions()).stream().findFirst()).flatMap(Function.identity()).map(audienceRestriction -> ListUtils.emptyIfNull(audienceRestriction.getAudiences()).stream().findFirst()).flatMap(Function.identity()).map(Audience::getAudienceURI).orElse(StringUtils.EMPTY);
                LOGGER.debug("Received SAMLResponse for audience: {}", audience);
                Optional<ExternalServiceEndpoint> endpointOpt = externalServices.stream().filter(e -> !StringUtils.EMPTY.equals(audience) && e.getEndpointId().equals(audience)).findFirst();
                if (endpointOpt.isPresent()) {
                    authenticate(samlResponse, decoded, audience, endpointOpt.get());
                }
            } catch (SAMLException e) {
                LOGGER.warn(e.getMessage(), e);
            }
        }
    }
    filterChain.doFilter(request, response);
}
Also used : Response(org.opensaml.saml2.core.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) SamlResponse(com.coveo.saml.SamlResponse) FilterChain(javax.servlet.FilterChain) UsernameNotFoundException(org.springframework.security.core.userdetails.UsernameNotFoundException) ServletException(javax.servlet.ServletException) MessageConstants(com.epam.pipeline.common.MessageConstants) LoggerFactory(org.slf4j.LoggerFactory) SYSTEM_EXTERNAL_SERVICES_ENDPOINTS(com.epam.pipeline.manager.preference.SystemPreferences.SYSTEM_EXTERNAL_SERVICES_ENDPOINTS) Autowired(org.springframework.beans.factory.annotation.Autowired) OncePerRequestFilter(org.springframework.web.filter.OncePerRequestFilter) StringUtils(org.apache.commons.lang3.StringUtils) Function(java.util.function.Function) CollectionUtils(org.apache.commons.collections4.CollectionUtils) HttpServletRequest(javax.servlet.http.HttpServletRequest) UserContext(com.epam.pipeline.security.UserContext) MessageHelper(com.epam.pipeline.common.MessageHelper) Response(org.opensaml.saml2.core.Response) ListUtils(org.apache.commons.collections4.ListUtils) AntPathMatcher(org.springframework.util.AntPathMatcher) Assertion(org.opensaml.saml2.core.Assertion) SecurityContextHolder(org.springframework.security.core.context.SecurityContextHolder) PipelineUser(com.epam.pipeline.entity.user.PipelineUser) SAMLException(org.opensaml.common.SAMLException) Audience(org.opensaml.saml2.core.Audience) PreferenceManager(com.epam.pipeline.manager.preference.PreferenceManager) Logger(org.slf4j.Logger) HttpServletResponse(javax.servlet.http.HttpServletResponse) IOException(java.io.IOException) ExternalServiceEndpoint(com.epam.pipeline.security.ExternalServiceEndpoint) File(java.io.File) SamlResponse(com.coveo.saml.SamlResponse) List(java.util.List) UserManager(com.epam.pipeline.manager.user.UserManager) Optional(java.util.Optional) FileReader(java.io.FileReader) Assertion(org.opensaml.saml2.core.Assertion) SAMLException(org.opensaml.common.SAMLException) ExternalServiceEndpoint(com.epam.pipeline.security.ExternalServiceEndpoint)

Example 2 with ExternalServiceEndpoint

use of com.epam.pipeline.security.ExternalServiceEndpoint in project cloud-pipeline by epam.

the class SAMLProxyAuthenticationProvider method authenticate.

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    SAMLProxyAuthentication auth = (SAMLProxyAuthentication) authentication;
    List<ExternalServiceEndpoint> externalServices = preferenceManager.getPreference(SYSTEM_EXTERNAL_SERVICES_ENDPOINTS);
    if (CollectionUtils.isEmpty(externalServices)) {
        throw new AuthenticationServiceException(messageHelper.getMessage(MessageConstants.ERROR_PROXY_SECURITY_CONFIG_MISSING));
    }
    if (StringUtils.isNotBlank(auth.getRawSamlResponse())) {
        try {
            Response decoded = CustomSamlClient.decodeSamlResponse(auth.getRawSamlResponse());
            String endpointId = // cut out SSO endpoint
            decoded.getDestination().substring(0, decoded.getDestination().length() - CustomSamlClient.SSO_ENDPOINT.length());
            Optional<ExternalServiceEndpoint> endpointOpt = externalServices.stream().filter(e -> e.getEndpointId().equals(endpointId)).findFirst();
            if (endpointOpt.isPresent()) {
                return validateAuthentication(auth, decoded, endpointId, endpointOpt.get());
            } else {
                throw new AuthenticationServiceException("Authentication error: unexpected external service");
            }
        } catch (SAMLException e) {
            throw new AuthenticationServiceException("Authentication error: ", e);
        }
    } else {
        throw new AuthenticationServiceException("Authentication error: missing SAML token");
    }
}
Also used : Response(org.opensaml.saml2.core.Response) PreferenceManager(com.epam.pipeline.manager.preference.PreferenceManager) MessageConstants(com.epam.pipeline.common.MessageConstants) AuthenticationServiceException(org.springframework.security.authentication.AuthenticationServiceException) SYSTEM_EXTERNAL_SERVICES_ENDPOINTS(com.epam.pipeline.manager.preference.SystemPreferences.SYSTEM_EXTERNAL_SERVICES_ENDPOINTS) Autowired(org.springframework.beans.factory.annotation.Autowired) AuthenticationProvider(org.springframework.security.authentication.AuthenticationProvider) IOException(java.io.IOException) ExternalServiceEndpoint(com.epam.pipeline.security.ExternalServiceEndpoint) StringUtils(org.apache.commons.lang3.StringUtils) File(java.io.File) CollectionUtils(org.apache.commons.collections4.CollectionUtils) List(java.util.List) MessageHelper(com.epam.pipeline.common.MessageHelper) Response(org.opensaml.saml2.core.Response) Optional(java.util.Optional) AuthenticationException(org.springframework.security.core.AuthenticationException) FileReader(java.io.FileReader) Authentication(org.springframework.security.core.Authentication) SAMLException(org.opensaml.common.SAMLException) SAMLException(org.opensaml.common.SAMLException) AuthenticationServiceException(org.springframework.security.authentication.AuthenticationServiceException) ExternalServiceEndpoint(com.epam.pipeline.security.ExternalServiceEndpoint)

Aggregations

MessageConstants (com.epam.pipeline.common.MessageConstants)2 MessageHelper (com.epam.pipeline.common.MessageHelper)2 PreferenceManager (com.epam.pipeline.manager.preference.PreferenceManager)2 SYSTEM_EXTERNAL_SERVICES_ENDPOINTS (com.epam.pipeline.manager.preference.SystemPreferences.SYSTEM_EXTERNAL_SERVICES_ENDPOINTS)2 ExternalServiceEndpoint (com.epam.pipeline.security.ExternalServiceEndpoint)2 File (java.io.File)2 FileReader (java.io.FileReader)2 IOException (java.io.IOException)2 List (java.util.List)2 Optional (java.util.Optional)2 CollectionUtils (org.apache.commons.collections4.CollectionUtils)2 StringUtils (org.apache.commons.lang3.StringUtils)2 SAMLException (org.opensaml.common.SAMLException)2 Response (org.opensaml.saml2.core.Response)2 Autowired (org.springframework.beans.factory.annotation.Autowired)2 SamlResponse (com.coveo.saml.SamlResponse)1 PipelineUser (com.epam.pipeline.entity.user.PipelineUser)1 UserManager (com.epam.pipeline.manager.user.UserManager)1 UserContext (com.epam.pipeline.security.UserContext)1 Function (java.util.function.Function)1