mirrors
/
sonarqube
mirror da https://github.com/SonarSource/sonarqube.git
Segui 1
Vota 0
Forka 0
Codice Problemi 0 Rilasci 237 Wiki Attività
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
29002 Commit
59 Rami (Branch)
Albero (Tree): 69dd7210a6
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da '69dd7210a6'
${ noResults }
sonarqube/server/sonar-auth-saml/src/main/java/org/sonar/auth/saml/SamlIdentityProvider.java

SamlIdentityProvider.java 6.7KB
Originale Blame Cronologia

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2019 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.auth.saml;

  21. 

  22. import com.onelogin.saml2.Auth;

  23. import com.onelogin.saml2.exception.SettingsException;

  24. import com.onelogin.saml2.settings.Saml2Settings;

  25. import com.onelogin.saml2.settings.SettingsBuilder;

  26. import java.io.IOException;

  27. import java.util.Collection;

  28. import java.util.HashMap;

  29. import java.util.HashSet;

  30. import java.util.List;

  31. import java.util.Map;

  32. import java.util.Set;

  33. import javax.annotation.CheckForNull;

  34. import javax.annotation.Nullable;

  35. import javax.servlet.http.HttpServletRequest;

  36. import javax.servlet.http.HttpServletResponse;

  37. import org.sonar.api.server.ServerSide;

  38. import org.sonar.api.server.authentication.Display;

  39. import org.sonar.api.server.authentication.OAuth2IdentityProvider;

  40. import org.sonar.api.server.authentication.UnauthorizedException;

  41. import org.sonar.api.server.authentication.UserIdentity;

  42. import org.sonar.api.utils.log.Logger;

  43. import org.sonar.api.utils.log.Loggers;

  44. 

  45. import static java.util.Collections.emptySet;

  46. import static java.util.Objects.requireNonNull;

  47. 

  48. @ServerSide

  49. public class SamlIdentityProvider implements OAuth2IdentityProvider {

  50. 

  51.   private static final String KEY = "saml";

  52. 

  53.   private static final Logger LOGGER = Loggers.get(SamlIdentityProvider.class);

  54. 

  55.   private static final String ANY_URL = "http://anyurl";

  56.   private static final String STATE_REQUEST_PARAMETER = "RelayState";

  57. 

  58.   private final SamlSettings samlSettings;

  59. 

  60.   public SamlIdentityProvider(SamlSettings samlSettings) {

  61.     this.samlSettings = samlSettings;

  62.   }

  63. 

  64.   @Override

  65.   public String getKey() {

  66.     return KEY;

  67.   }

  68. 

  69.   @Override

  70.   public String getName() {

  71.     return samlSettings.getProviderName();

  72.   }

  73. 

  74.   @Override

  75.   public Display getDisplay() {

  76.     return Display.builder()

  77.       .setIconPath("/images/saml.png")

  78.       .setBackgroundColor("#444444")

  79.       .build();

  80.   }

  81. 

  82.   @Override

  83.   public boolean isEnabled() {

  84.     return samlSettings.isEnabled();

  85.   }

  86. 

  87.   @Override

  88.   public boolean allowsUsersToSignUp() {

  89.     return true;

  90.   }

  91. 

  92.   @Override

  93.   public void init(InitContext context) {

  94.     try {

  95.       Auth auth = newAuth(initSettings(context.getCallbackUrl()), context.getRequest(), context.getResponse());

  96.       auth.login(context.generateCsrfState());

  97.     } catch (IOException | SettingsException e) {

  98.       throw new IllegalStateException("Fail to intialize SAML authentication plugin", e);

  99.     }

  100.   }

  101. 

  102.   @Override

  103.   public void callback(CallbackContext context) {

  104.     Auth auth = newAuth(initSettings(null), context.getRequest(), context.getResponse());

  105.     processResponse(auth);

  106.     context.verifyCsrfState(STATE_REQUEST_PARAMETER);

  107. 

  108.     LOGGER.trace("Name ID : {}", auth.getNameId());

  109.     checkAuthentication(auth);

  110. 

  111.     LOGGER.trace("Attributes received : {}", auth.getAttributes());

  112.     String login = getNonNullFirstAttribute(auth, samlSettings.getUserLogin());

  113.     UserIdentity.Builder userIdentityBuilder = UserIdentity.builder()

  114.       .setLogin(login)

  115.       .setProviderLogin(login)

  116.       .setName(getNonNullFirstAttribute(auth, samlSettings.getUserName()));

  117.     samlSettings.getUserEmail().ifPresent(

  118.       email -> userIdentityBuilder.setEmail(getFirstAttribute(auth, email)));

  119.     samlSettings.getGroupName().ifPresent(

  120.       group -> userIdentityBuilder.setGroups(getGroups(auth, group)));

  121.     context.authenticate(userIdentityBuilder.build());

  122.     context.redirectToRequestedPage();

  123.   }

  124. 

  125.   private static Auth newAuth(Saml2Settings saml2Settings, HttpServletRequest request, HttpServletResponse response) {

  126.     try {

  127.       return new Auth(saml2Settings, request, response);

  128.     } catch (SettingsException e) {

  129.       throw new IllegalStateException("Fail to create Auth", e);

  130.     }

  131.   }

  132. 

  133.   private static void processResponse(Auth auth) {

  134.     try {

  135.       auth.processResponse();

  136.     } catch (Exception e) {

  137.       throw new IllegalStateException("Fail to process response", e);

  138.     }

  139.   }

  140. 

  141.   private static void checkAuthentication(Auth auth) {

  142.     List<String> errors = auth.getErrors();

  143.     if (auth.isAuthenticated() && errors.isEmpty()) {

  144.       return;

  145.     }

  146.     String errorReason = auth.getLastErrorReason();

  147.     throw new UnauthorizedException(errorReason != null && !errorReason.isEmpty() ? errorReason : "Unknown error reason");

  148.   }

  149. 

  150.   private static String getNonNullFirstAttribute(Auth auth, String key) {

  151.     String attribute = getFirstAttribute(auth, key);

  152.     requireNonNull(attribute, String.format("%s is missing", key));

  153.     return attribute;

  154.   }

  155. 

  156.   @CheckForNull

  157.   private static String getFirstAttribute(Auth auth, String key) {

  158.     Collection<String> attribute = auth.getAttribute(key);

  159.     if (attribute == null || attribute.isEmpty()) {

  160.       return null;

  161.     }

  162.     return attribute.iterator().next();

  163.   }

  164. 

  165.   private static Set<String> getGroups(Auth auth, String groupAttribute) {

  166.     Collection<String> attribute = auth.getAttribute(groupAttribute);

  167.     if (attribute == null || attribute.isEmpty()) {

  168.       return emptySet();

  169.     }

  170.     return new HashSet<>(attribute);

  171.   }

  172. 

  173.   private Saml2Settings initSettings(@Nullable String callbackUrl) {

  174.     Map<String, Object> samlData = new HashMap<>();

  175.     // TODO strict mode is unfortunately not compatible with HTTPS configuration on reverse proxy =>

  176.     // https://jira.sonarsource.com/browse/SQAUTHSAML-8

  177.     samlData.put("onelogin.saml2.strict", false);

  178. 

  179.     samlData.put("onelogin.saml2.idp.entityid", samlSettings.getProviderId());

  180.     samlData.put("onelogin.saml2.idp.single_sign_on_service.url", samlSettings.getLoginUrl());

  181.     samlData.put("onelogin.saml2.idp.x509cert", samlSettings.getCertificate());

  182. 

  183.     samlData.put("onelogin.saml2.sp.entityid", samlSettings.getApplicationId());

  184.     // During callback, the callback URL is by definition not needed, but the Saml2Settings does never allow this setting to be empty...

  185.     samlData.put("onelogin.saml2.sp.assertion_consumer_service.url", callbackUrl != null ? callbackUrl : ANY_URL);

  186.     SettingsBuilder builder = new SettingsBuilder();

  187.     return builder

  188.       .fromValues(samlData)

  189.       .build();

  190.   }

  191. }