opensearch-project · palashhedau · Dec 22, 2021 · Dec 20, 2021 · vrozov · Dec 21, 2021
@@ -80,7 +80,7 @@
         <jjwt.version>0.10.5</jjwt.version>
         <ldaptive.version>1.2.3</ldaptive.version>
         <http.commons.version>4.5.13</http.commons.version>
-        <cxf.version>3.4.4</cxf.version>
+        <cxf.version>3.4.5</cxf.version>
         <kafka.version>2.5.0</kafka.version>
         <java-saml.version>2.5.0</java-saml.version>
         <opensaml.version>3.4.5</opensaml.version>

@@ -22,6 +22,7 @@
 import java.util.Map.Entry;
 import java.util.regex.Pattern;
 
+import com.google.common.annotations.VisibleForTesting;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.http.HttpHeaders;
@@ -163,7 +164,8 @@ protected String getJwtTokenString(RestRequest request) {
         return jwtToken;
     }
 
-    protected String extractSubject(JwtClaims claims) {
+    @VisibleForTesting
+    public String extractSubject(JwtClaims claims) {
         String subject = claims.getSubject();
 
         if (subjectKey != null) {
@@ -189,7 +191,8 @@ protected String extractSubject(JwtClaims claims) {
     }
 
     @SuppressWarnings("unchecked")
-    protected String[] extractRoles(JwtClaims claims) {
+    @VisibleForTesting
+    public String[] extractRoles(JwtClaims claims) {
         if (rolesKey == null) {
             return new String[0];
         }

@@ -22,6 +22,7 @@
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 
+import com.google.common.annotations.VisibleForTesting;
 import net.shibboleth.utilities.java.support.xml.BasicParserPool;
 import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
@@ -95,7 +96,8 @@ public class HTTPSamlAuthenticator implements HTTPAuthenticator, Destroyable {
     private Saml2SettingsProvider saml2SettingsProvider;
     private MetadataResolver metadataResolver;
     private AuthTokenProcessorHandler authTokenProcessorHandler;
-    private HTTPJwtAuthenticator httpJwtAuthenticator;
+    @VisibleForTesting
+    protected HTTPJwtAuthenticator httpJwtAuthenticator;
     private Settings jwtSettings;
 
     private static int resolverIdCounter = 0;

@@ -193,6 +193,132 @@ public void decryptAssertionsTest() throws Exception {
         Assert.assertEquals("horst", jwt.getClaim("sub"));
     }
 
+    @Test
+    public void shouldUnescapeSamlEntitiesTest() throws Exception {
+        mockSamlIdpServer.setAuthenticateUser("ABC\\User1");
+        mockSamlIdpServer.setEndpointQueryString(null);
+        mockSamlIdpServer.setSpSignatureCertificate(spSigningCertificate);
+        mockSamlIdpServer.setEncryptAssertion(true);
+        mockSamlIdpServer.setAuthenticateUserRoles(Arrays.asList("ABC\\Admin"));
+
+        Settings settings = Settings.builder().put(IDP_METADATA_URL, mockSamlIdpServer.getMetadataUri())
+                .put("kibana_url", "http://wherever").put("idp.entity_id", mockSamlIdpServer.getIdpEntityId())
+                .put("sp.signature_private_key", "-BEGIN PRIVATE KEY-\n"
+                        + Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded()) + "-END PRIVATE KEY-")
+                .put("exchange_key", "abc").put("roles_key", "roles").put("path.home", ".").build();
+
+        HTTPSamlAuthenticator samlAuthenticator = new HTTPSamlAuthenticator(settings, null);
+
+        AuthenticateHeaders authenticateHeaders = getAutenticateHeaders(samlAuthenticator);
+
+        String encodedSamlResponse = mockSamlIdpServer.handleSsoGetRequestURI(authenticateHeaders.location);
+
+        RestRequest tokenRestRequest = buildTokenExchangeRestRequest(encodedSamlResponse, authenticateHeaders);
+        TestRestChannel tokenRestChannel = new TestRestChannel(tokenRestRequest);
+
+        samlAuthenticator.reRequestAuthentication(tokenRestChannel, null);
+
+        String responseJson = new String(BytesReference.toBytes(tokenRestChannel.response.content()));
+        HashMap<String, Object> response = DefaultObjectMapper.objectMapper.readValue(responseJson,
+                new TypeReference<HashMap<String, Object>>() {
+                });
+        String authorization = (String) response.get("authorization");
+
+        Assert.assertNotNull("Expected authorization attribute in JSON: " + responseJson, authorization);
+
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(authorization.replaceAll("\\s*bearer\\s*", ""));
+        JwtToken jwt = jwtConsumer.getJwtToken();
+
+        Assert.assertEquals("ABC\\User1", jwt.getClaim("sub"));
+        Assert.assertEquals("ABC\\User1",  samlAuthenticator.httpJwtAuthenticator.extractSubject(jwt.getClaims()));
+        Assert.assertEquals("[ABC\\Admin]", String.valueOf(jwt.getClaim("roles")));
+        Assert.assertEquals("ABC\\Admin", samlAuthenticator.httpJwtAuthenticator.extractRoles(jwt.getClaims())[0]);
+    }
+
+    @Test
+    public void shouldUnescapeSamlEntitiesTest2() throws Exception {
+        mockSamlIdpServer.setAuthenticateUser("ABC\"User1");
+        mockSamlIdpServer.setEndpointQueryString(null);
+        mockSamlIdpServer.setSpSignatureCertificate(spSigningCertificate);
+        mockSamlIdpServer.setEncryptAssertion(true);
+        mockSamlIdpServer.setAuthenticateUserRoles(Arrays.asList("ABC\"Admin"));
+
+        Settings settings = Settings.builder().put(IDP_METADATA_URL, mockSamlIdpServer.getMetadataUri())
+                .put("kibana_url", "http://wherever").put("idp.entity_id", mockSamlIdpServer.getIdpEntityId())
+                .put("sp.signature_private_key", "-BEGIN PRIVATE KEY-\n"
+                        + Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded()) + "-END PRIVATE KEY-")
+                .put("exchange_key", "abc").put("roles_key", "roles").put("path.home", ".").build();
+
+        HTTPSamlAuthenticator samlAuthenticator = new HTTPSamlAuthenticator(settings, null);
+
+        AuthenticateHeaders authenticateHeaders = getAutenticateHeaders(samlAuthenticator);
+
+        String encodedSamlResponse = mockSamlIdpServer.handleSsoGetRequestURI(authenticateHeaders.location);
+
+        RestRequest tokenRestRequest = buildTokenExchangeRestRequest(encodedSamlResponse, authenticateHeaders);
+        TestRestChannel tokenRestChannel = new TestRestChannel(tokenRestRequest);
+
+        samlAuthenticator.reRequestAuthentication(tokenRestChannel, null);
+
+        String responseJson = new String(BytesReference.toBytes(tokenRestChannel.response.content()));
+        HashMap<String, Object> response = DefaultObjectMapper.objectMapper.readValue(responseJson,
+                new TypeReference<HashMap<String, Object>>() {
+                });
+        String authorization = (String) response.get("authorization");
+
+        Assert.assertNotNull("Expected authorization attribute in JSON: " + responseJson, authorization);
+
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(authorization.replaceAll("\\s*bearer\\s*", ""));
+        JwtToken jwt = jwtConsumer.getJwtToken();
+
+        Assert.assertEquals("ABC\"User1", jwt.getClaim("sub"));
+        Assert.assertEquals("ABC\"User1",  samlAuthenticator.httpJwtAuthenticator.extractSubject(jwt.getClaims()));
+        Assert.assertEquals("[ABC\"Admin]", String.valueOf(jwt.getClaim("roles")));
+        Assert.assertEquals("ABC\"Admin", samlAuthenticator.httpJwtAuthenticator.extractRoles(jwt.getClaims())[0]);
+    }
+
+    @Test
+    public void shouldNotEscapeSamlEntities() throws Exception {
+        mockSamlIdpServer.setAuthenticateUser("ABC/User1");
+        mockSamlIdpServer.setEndpointQueryString(null);
+        mockSamlIdpServer.setSpSignatureCertificate(spSigningCertificate);
+        mockSamlIdpServer.setEncryptAssertion(true);
+        mockSamlIdpServer.setAuthenticateUserRoles(Arrays.asList("ABC/Admin"));
+
+        Settings settings = Settings.builder().put(IDP_METADATA_URL, mockSamlIdpServer.getMetadataUri())
+                .put("kibana_url", "http://wherever").put("idp.entity_id", mockSamlIdpServer.getIdpEntityId())
+                .put("sp.signature_private_key", "-BEGIN PRIVATE KEY-\n"
+                        + Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded()) + "-END PRIVATE KEY-")
+                .put("exchange_key", "abc").put("roles_key", "roles").put("path.home", ".").build();
+
+        HTTPSamlAuthenticator samlAuthenticator = new HTTPSamlAuthenticator(settings, null);
+
+        AuthenticateHeaders authenticateHeaders = getAutenticateHeaders(samlAuthenticator);
+
+        String encodedSamlResponse = mockSamlIdpServer.handleSsoGetRequestURI(authenticateHeaders.location);
+
+        RestRequest tokenRestRequest = buildTokenExchangeRestRequest(encodedSamlResponse, authenticateHeaders);
+        TestRestChannel tokenRestChannel = new TestRestChannel(tokenRestRequest);
+
+        samlAuthenticator.reRequestAuthentication(tokenRestChannel, null);
+
+        String responseJson = new String(BytesReference.toBytes(tokenRestChannel.response.content()));
+        HashMap<String, Object> response = DefaultObjectMapper.objectMapper.readValue(responseJson,
+                new TypeReference<HashMap<String, Object>>() {
+                });
+        String authorization = (String) response.get("authorization");
+
+        Assert.assertNotNull("Expected authorization attribute in JSON: " + responseJson, authorization);
+
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(authorization.replaceAll("\\s*bearer\\s*", ""));
+        JwtToken jwt = jwtConsumer.getJwtToken();
+
+        Assert.assertEquals("ABC/User1", jwt.getClaim("sub"));
+        Assert.assertEquals("ABC/User1",  samlAuthenticator.httpJwtAuthenticator.extractSubject(jwt.getClaims()));
+        Assert.assertEquals("[ABC/Admin]", String.valueOf(jwt.getClaim("roles")));
+        Assert.assertEquals("ABC/Admin", samlAuthenticator.httpJwtAuthenticator.extractRoles(jwt.getClaims())[0]);
+    }
+
     @Test
     public void testMetadataBody() throws Exception {
         mockSamlIdpServer.setSignResponses(true);