EPMRPP-88378 || Remove old saml implementation

build.gradle

@@ -89,7 +89,8 @@ dependencies {
     implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
     implementation 'org.springframework.security:spring-security-ldap'
     // TODO: consider migration to spring-security-saml2-service-provider
-    implementation 'org.springframework.security.extensions:spring-security-saml2-core:2.0.0.M31'
+//    implementation 'org.springframework.security.extensions:spring-security-saml2-core:2.0.0.M31'
+    implementation 'org.springframework.security:spring-security-saml2-service-provider:5.8.14'
     implementation 'commons-collections:commons-collections:3.2.2'
     //Temporary fix of https://nvd.nist.gov/vuln/detail/CVE-2019-12400
     implementation 'org.apache.santuario:xmlsec:3.0.3'

src/main/java/com/epam/reportportal/auth/config/saml/Saml2AuthenticationConfigurer.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright 2024 EPAM Systems
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.epam.reportportal.auth.config.saml;
+
+
+import com.epam.reportportal.auth.AuthFailureHandler;
+import com.epam.reportportal.auth.integration.saml.ReportPortalSamlAuthenticationManager;
+import com.epam.reportportal.auth.integration.saml.SamlAuthSuccessHandler;
+import com.epam.reportportal.auth.integration.saml.SamlUserReplicator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.security.saml2.provider.service.web.authentication.Saml2WebSsoAuthenticationFilter;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+
+/**
+ * @author <a href="mailto:andrei_piankouski@epam.com">Andrei Piankouski</a>
+ */
+public class Saml2AuthenticationConfigurer extends
+    SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
+
+  private static final Logger LOGGER = LoggerFactory.getLogger(Saml2AuthenticationConfigurer.class);
+
+  private SamlAuthSuccessHandler successHandler;
+
+  private AuthFailureHandler failureHandler;
+
+  private SamlUserReplicator samlUserReplicator;
+
+  private RelyingPartyRegistrationRepository relyingPartyRegistrationRepository;
+
+  public Saml2AuthenticationConfigurer(SamlAuthSuccessHandler successHandler,
+      AuthFailureHandler failureHandler, SamlUserReplicator samlUserReplicator,
+      RelyingPartyRegistrationRepository relyingPartyRegistrationRepository) {
+    this.successHandler = successHandler;
+    this.failureHandler = failureHandler;
+    this.samlUserReplicator = samlUserReplicator;
+    this.relyingPartyRegistrationRepository = relyingPartyRegistrationRepository;
+  }
+
+  @Override
+  public void configure(HttpSecurity http) {
+    LOGGER.error("Saml2AuthenticationConfigurer: " + http);
+    Saml2WebSsoAuthenticationFilter saml2Filter = new Saml2WebSsoAuthenticationFilter(relyingPartyRegistrationRepository);
+    saml2Filter.setAuthenticationManager(new ReportPortalSamlAuthenticationManager(samlUserReplicator));
+    saml2Filter.setAuthenticationSuccessHandler(successHandler);
+    saml2Filter.setAuthenticationFailureHandler(failureHandler);
+
+    http.addFilterAfter(saml2Filter, Saml2WebSsoAuthenticationFilter.class);
+  }
+}

src/main/java/com/epam/reportportal/auth/config/saml/SamlSecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2019 EPAM Systems
+ * Copyright 2024 EPAM Systems
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -13,36 +13,149 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
 package com.epam.reportportal.auth.config.saml;
 
-import static org.springframework.security.saml.provider.service.config.SamlServiceProviderSecurityDsl.serviceProvider;
+import static org.springframework.security.config.Customizer.withDefaults;
 
+import com.epam.reportportal.auth.AuthFailureHandler;
+import com.epam.reportportal.auth.integration.AuthIntegrationType;
+import com.epam.reportportal.auth.integration.parameter.SamlParameter;
+import com.epam.reportportal.auth.integration.saml.ReportPortalSamlAuthenticationManager;
+import com.epam.reportportal.auth.integration.saml.SamlAuthSuccessHandler;
+import com.epam.reportportal.auth.integration.saml.SamlUserReplicator;
+import com.epam.reportportal.auth.util.CertificationUtil;
+import com.epam.ta.reportportal.dao.IntegrationRepository;
+import com.epam.ta.reportportal.dao.IntegrationTypeRepository;
+import com.epam.ta.reportportal.entity.integration.Integration;
+import com.epam.ta.reportportal.entity.integration.IntegrationType;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.stream.Collectors;
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
+import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.saml.provider.SamlServerConfiguration;
-import org.springframework.security.saml.provider.service.config.SamlServiceProviderSecurityConfiguration;
-import org.springframework.security.saml.provider.service.config.SamlServiceProviderServerBeanConfiguration;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.saml2.core.Saml2X509Credential;
+import org.springframework.security.saml2.provider.service.metadata.OpenSamlMetadataResolver;
+import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
+import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
+import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
+import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
+import org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter;
+import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
 
 /**
- * @author <a href="mailto:ihar_kahadouski@epam.com">Ihar Kahadouski</a>
+ * @author <a href="mailto:andrei_piankouski@epam.com">Andrei Piankouski</a>
  */
 @Configuration
 @Order(4)
-public class SamlSecurityConfiguration extends SamlServiceProviderSecurityConfiguration {
+public class SamlSecurityConfiguration extends WebSecurityConfigurerAdapter {
 
-  private SamlServerConfiguration serverConfiguration;
+  @Value("${rp.auth.saml.base-path}")
+  private String basePath;
+
+  @Value("${rp.auth.saml.entity-id}")
+  private String entityId;
+
+  @Value("${rp.auth.saml.key-alias}")
+  private String keyAlias;
+
+  @Value("${rp.auth.saml.key-password}")
+  private String keyPassword;
+
+  @Value("${rp.auth.saml.key-store}")
+  private String keyStore;
+
+  @Value("${rp.auth.saml.key-store-password}")
+  private String keyStorePassword;
+
+  @Value("${rp.auth.saml.active-key-name}")
+  private String activeKeyName;
+
+  @Value("${rp.auth.saml.network-connection-timeout}")
+  private Integer networkConnectTimeout;
+
+  @Value("${rp.auth.saml.network-read-timeout}")
+  private Integer networkReadTimeout;
+
+  @Value("${rp.auth.saml.signed-requests}")
+  private Boolean signedRequests;
+
+  @Value("${rp.auth.saml.prefix}")
+  private String prefix;
+
+  @Autowired
+  private IntegrationTypeRepository integrationTypeRepository;
+
+  @Autowired
+  private IntegrationRepository integrationRepository;
+
+  @Autowired
+  private SamlAuthSuccessHandler successHandler;
+
+  @Autowired
+  private AuthFailureHandler failureHandler;
+
+  @Autowired
+  private SamlUserReplicator samlUserReplicator;
 
-  public SamlSecurityConfiguration(SamlServiceProviderServerBeanConfiguration configuration,
-      SamlServerConfiguration spConfiguration) {
-    super(configuration);
-    this.serverConfiguration = spConfiguration;
-  }
 
   @Override
   protected void configure(HttpSecurity http) throws Exception {
-    super.configure(http);
-    http.apply(serviceProvider()).configure(serverConfiguration);
+
+    // add auto-generation of ServiceProvider Metadata
+    Converter<HttpServletRequest, RelyingPartyRegistration> relyingPartyRegistrationResolver = new DefaultRelyingPartyRegistrationResolver(relyingParty());
+    Saml2MetadataFilter filter = new Saml2MetadataFilter(relyingPartyRegistrationResolver, new OpenSamlMetadataResolver());
+
+    http
+        // Configure SAML 2.0 Login
+        .saml2Login(
+            samlLogin ->
+                samlLogin.loginPage("/saml/sp/discovery")
+                    .successHandler(successHandler)
+                    .failureHandler(failureHandler)
+                    .authenticationManager(new ReportPortalSamlAuthenticationManager(samlUserReplicator))
+
+        )
+        .addFilterBefore(filter, Saml2WebSsoAuthenticationFilter.class)
+        .build();
+
+  }
+
+  @Bean
+  public RelyingPartyRegistrationRepository relyingParty() throws Exception {
+    IntegrationType samlIntegrationType = integrationTypeRepository.findByName(AuthIntegrationType.SAML.getName())
+        .orElseThrow(() -> new RuntimeException("SAML Integration Type not found"));
+
+    List<Integration> providers = integrationRepository.findAllGlobalByType(samlIntegrationType);
+
+    X509Certificate certificate = CertificationUtil.getCertificateByName(keyAlias, keyStore,
+        keyStorePassword);
+    Saml2X509Credential credential = Saml2X509Credential.verification(certificate);
+
+    List<RelyingPartyRegistration> registrations = providers.stream().map(provider -> {
+      RelyingPartyRegistration relyingPartyRegistration = RelyingPartyRegistrations
+          .fromMetadataLocation(SamlParameter.IDP_METADATA_URL.getParameter(provider).get())
+          .registrationId("report.portal.sp.id")
+          .entityId(entityId)
+          .assertionConsumerServiceLocation(SamlParameter.BASE_PATH.getParameter(provider).get())
+          .assertingPartyDetails(party -> party.entityId(SamlParameter.IDP_NAME.getParameter(provider).get())
+              .wantAuthnRequestsSigned(false)
+//              .singleSignOnServiceLocation(samlProperties.getAssertingpParty().getServiceLocation())
+              .singleSignOnServiceBinding(Saml2MessageBinding.POST))
+          .signingX509Credentials(c -> c.add(credential))
+          .build();
+      return relyingPartyRegistration;
+
+    }).collect(Collectors.toList());
+    return new InMemoryRelyingPartyRegistrationRepository(registrations);
   }
 }