3 * Copyright (C) 2009-2024 SonarSource SA
4 * mailto:info AT sonarsource DOT com
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 3 of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public License
17 * along with this program; if not, write to the Free Software Foundation,
18 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 package org.sonar.server.authentication;
22 import com.google.common.io.Resources;
23 import java.io.IOException;
26 import java.nio.charset.StandardCharsets;
27 import javax.annotation.Nullable;
28 import org.apache.commons.lang3.StringUtils;
29 import org.sonar.api.internal.apachecommons.lang.StringEscapeUtils;
30 import org.sonar.api.platform.Server;
31 import org.sonar.api.server.http.HttpRequest;
32 import org.sonar.api.server.http.HttpResponse;
33 import org.sonar.api.web.FilterChain;
34 import org.sonar.api.web.HttpFilter;
35 import org.sonar.api.web.UrlPattern;
37 import static org.sonar.server.authentication.AuthenticationFilter.CALLBACK_PATH;
39 public class SamlValidationRedirectionFilter extends HttpFilter {
41 public static final String VALIDATION_RELAY_STATE = "validation-query";
42 public static final String SAML_VALIDATION_CONTROLLER_CONTEXT = "saml";
43 public static final String SAML_VALIDATION_KEY = "validation";
44 private static final String RELAY_STATE_PARAMETER = "RelayState";
45 private static final String SAML_RESPONSE_PARAMETER = "SAMLResponse";
46 private String redirectionPageTemplate;
47 private final Server server;
49 public SamlValidationRedirectionFilter(Server server) {
54 public UrlPattern doGetPattern() {
55 return UrlPattern.create(CALLBACK_PATH + "saml");
60 this.redirectionPageTemplate = extractTemplate("validation-redirection.html");
63 String extractTemplate(String templateLocation) {
65 URL url = Resources.getResource(templateLocation);
66 return Resources.toString(url, StandardCharsets.UTF_8);
67 } catch (IOException | IllegalArgumentException e) {
68 throw new IllegalStateException("Cannot read the template " + templateLocation, e);
73 public void doFilter(HttpRequest request, HttpResponse response, FilterChain chain) throws IOException {
74 String relayState = request.getParameter(RELAY_STATE_PARAMETER);
76 if (isSamlValidation(relayState)) {
78 URI redirectionEndpointUrl = URI.create(server.getContextPath() + "/")
79 .resolve(SAML_VALIDATION_CONTROLLER_CONTEXT + "/")
80 .resolve(SAML_VALIDATION_KEY);
81 String samlResponse = StringEscapeUtils.escapeHtml(request.getParameter(SAML_RESPONSE_PARAMETER));
82 String csrfToken = getCsrfTokenFromRelayState(relayState);
84 String nonce = SamlValidationCspHeaders.addCspHeadersWithNonceToResponse(response);
86 String template = StringUtils.replaceEachRepeatedly(redirectionPageTemplate,
87 new String[]{"%NONCE%", "%WEB_CONTEXT%", "%VALIDATION_URL%", "%SAML_RESPONSE%", "%CSRF_TOKEN%"},
88 new String[]{nonce, server.getContextPath(), redirectionEndpointUrl.toString(), samlResponse, csrfToken});
90 response.setContentType("text/html");
91 response.getWriter().print(template);
94 chain.doFilter(request, response);
97 private static boolean isSamlValidation(@Nullable String relayState) {
98 if (relayState != null) {
99 return VALIDATION_RELAY_STATE.equals(relayState.split("/")[0]) && !getCsrfTokenFromRelayState(relayState).isEmpty();
104 private static String getCsrfTokenFromRelayState(@Nullable String relayState) {
105 if (relayState != null && relayState.contains("/")) {
106 return StringEscapeUtils.escapeHtml(relayState.split("/")[1]);
projects / sonarqube.git / blob