cloudfoundry · duanemay · Jul 8, 2024 · Jul 5, 2024 · Jul 5, 2024
diff --git a/...oudfoundry/identity/uaa/provider/saml/ConfiguratorRelyingPartyRegistrationRepository.java b/...oudfoundry/identity/uaa/provider/saml/ConfiguratorRelyingPartyRegistrationRepository.java
@@ -3,6 +3,8 @@
 import lombok.extern.slf4j.Slf4j;
 import org.cloudfoundry.identity.uaa.provider.SamlIdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.util.KeyWithCert;
+import org.cloudfoundry.identity.uaa.zone.IdentityZone;
+import org.cloudfoundry.identity.uaa.zone.ZoneAware;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
@@ -11,7 +13,8 @@
 import java.util.List;
 
 @Slf4j
-public class ConfiguratorRelyingPartyRegistrationRepository implements RelyingPartyRegistrationRepository {
+public class ConfiguratorRelyingPartyRegistrationRepository
+        implements RelyingPartyRegistrationRepository, ZoneAware {
 
     private final SamlIdentityProviderConfigurator configurator;
     private final KeyWithCert keyWithCert;
@@ -46,6 +49,28 @@ public RelyingPartyRegistration findByRegistrationId(String registrationId) {
                         keyWithCert, identityProviderDefinition.getMetaDataLocation(), registrationId);
             }
         }
-        return null;
+        return buildDefaultRelyingPartyRegistration();
+    }
+
+    private RelyingPartyRegistration buildDefaultRelyingPartyRegistration() {
+        String samlEntityID, samlServiceUri;
+        IdentityZone zone = retrieveZone();
+        if (zone.isUaa()) {
+            samlEntityID = this.samlEntityID;
+            samlServiceUri = this.samlEntityID;
+        }
+        else if (zone.getConfig() != null && zone.getConfig().getSamlConfig() != null) {
+
+            samlEntityID = zone.getConfig().getSamlConfig().getEntityID();
+            samlServiceUri = zone.getSubdomain() + "." + this.samlEntityID;
+        }
+        else {
+            return null;
+        }
+
+        return RelyingPartyRegistrationBuilder.buildRelyingPartyRegistration(
+                samlEntityID, null, samlSignRequest,
+                keyWithCert, "dummy-saml-idp-metadata.xml", null,
+                samlServiceUri);
     }
 }
diff --git a/...cloudfoundry/identity/uaa/provider/saml/DelegatingRelyingPartyRegistrationRepository.java b/...cloudfoundry/identity/uaa/provider/saml/DelegatingRelyingPartyRegistrationRepository.java
@@ -1,5 +1,7 @@
 package org.cloudfoundry.identity.uaa.provider.saml;
 
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
+import org.cloudfoundry.identity.uaa.zone.ZoneAware;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.util.Assert;
@@ -34,9 +36,10 @@ public DelegatingRelyingPartyRegistrationRepository(RelyingPartyRegistrationRepo
      */
     @Override
     public RelyingPartyRegistration findByRegistrationId(String registrationId) {
+        boolean isDefaultZone = IdentityZoneHolder.isUaa();
         for (RelyingPartyRegistrationRepository repository : this.delegates) {
             RelyingPartyRegistration registration = repository.findByRegistrationId(registrationId);
-            if (registration != null) {
+            if (registration != null && (isDefaultZone || repository instanceof ZoneAware)) {
                 return registration;
             }
         }

diff --git a/...ain/java/org/cloudfoundry/identity/uaa/provider/saml/RelyingPartyRegistrationBuilder.java b/...ain/java/org/cloudfoundry/identity/uaa/provider/saml/RelyingPartyRegistrationBuilder.java
@@ -25,8 +25,18 @@ private RelyingPartyRegistrationBuilder() {
     }
 
     public static RelyingPartyRegistration buildRelyingPartyRegistration(
-            String samlEntityID, String samlSpNameId, boolean samlSignRequest, KeyWithCert keyWithCert,
+            String samlEntityID, String samlSpNameId, boolean samlSignRequest,
+            KeyWithCert keyWithCert,
             String metadataLocation, String rpRegstrationId) {
+        return buildRelyingPartyRegistration(samlEntityID, samlSpNameId,
+                samlSignRequest, keyWithCert, metadataLocation, rpRegstrationId,
+                samlEntityID);
+    }
+
+    public static RelyingPartyRegistration buildRelyingPartyRegistration(
+            String samlEntityID, String samlSpNameId, boolean samlSignRequest,
+            KeyWithCert keyWithCert, String metadataLocation,
+            String rpRegstrationId, String samlServiceUri) {
         SamlIdentityProviderDefinition.MetadataLocation type = SamlIdentityProviderDefinition.getType(metadataLocation);
 
         RelyingPartyRegistration.Builder builder;
@@ -41,14 +51,14 @@ public static RelyingPartyRegistration buildRelyingPartyRegistration(
             builder = RelyingPartyRegistrations.fromMetadataLocation(metadataLocation);
         }
 
+        builder.entityId(samlEntityID);
+        if (samlSpNameId != null) builder.nameIdFormat(samlSpNameId);
+        if (rpRegstrationId != null) builder.registrationId(rpRegstrationId);
         return builder
-                .entityId(samlEntityID)
-                .nameIdFormat(samlSpNameId)
-                .registrationId(rpRegstrationId)
-                .assertionConsumerServiceLocation(assertionConsumerServiceLocationFunction.apply(samlEntityID))
-                .singleLogoutServiceResponseLocation(singleLogoutServiceResponseLocationFunction.apply(samlEntityID))
-                .singleLogoutServiceLocation(singleLogoutServiceLocationFunction.apply(samlEntityID))
-                .singleLogoutServiceResponseLocation(singleLogoutServiceResponseLocationFunction.apply(samlEntityID))
+                .assertionConsumerServiceLocation(assertionConsumerServiceLocationFunction.apply(samlServiceUri))
+                .singleLogoutServiceResponseLocation(singleLogoutServiceResponseLocationFunction.apply(samlServiceUri))
+                .singleLogoutServiceLocation(singleLogoutServiceLocationFunction.apply(samlServiceUri))
+                .singleLogoutServiceResponseLocation(singleLogoutServiceResponseLocationFunction.apply(samlServiceUri))
                 // Accept both POST and REDIRECT bindings
                 .singleLogoutServiceBindings(c -> {
                     c.add(Saml2MessageBinding.REDIRECT);

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlMetadataEndpoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlMetadataEndpoint.java
@@ -1,5 +1,7 @@
 package org.cloudfoundry.identity.uaa.provider.saml;
 
+import org.cloudfoundry.identity.uaa.zone.IdentityZone;
+import org.cloudfoundry.identity.uaa.zone.ZoneAware;
 import org.opensaml.saml.common.xml.SAMLConstants;
 import org.opensaml.saml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
@@ -23,7 +25,7 @@
 import java.util.function.Consumer;
 
 @RestController
-public class SamlMetadataEndpoint {
+public class SamlMetadataEndpoint implements ZoneAware {
     public static final String DEFAULT_REGISTRATION_ID = "example";
     private static final String DEFAULT_FILE_NAME = "saml-sp.xml";
     private static final String APPLICATION_XML_CHARSET_UTF_8 = "application/xml; charset=UTF-8";
@@ -75,13 +77,30 @@ public ResponseEntity<String> metadataEndpoint(@PathVariable String registration
         String metadata = saml2MetadataResolver.resolve(relyingPartyRegistration);
 
         // @todo - fileName may need to be dynamic based on registrationID
+        String[] fileNames = retrieveZoneAwareFileNames();
         return ResponseEntity.ok()
-                .header(HttpHeaders.CONTENT_DISPOSITION, String.format(CONTENT_DISPOSITION_FORMAT, fileName, encodedFileName))
+                .header(HttpHeaders.CONTENT_DISPOSITION, String.format(
+                        CONTENT_DISPOSITION_FORMAT, fileNames[0], fileNames[1]))
                 .body(metadata);
     }
 
     public void setFileName(String fileName) {
         encodedFileName = URLEncoder.encode(fileName, StandardCharsets.UTF_8);
         this.fileName = fileName;
     }
+
+    private String[] retrieveZoneAwareFileNames() {
+        IdentityZone zone = retrieveZone();
+        String[] fileNames = new String[2];
+        if (zone.isUaa()) {
+            fileNames[0] = fileName;
+            fileNames[1] = encodedFileName;
+        }
+        else {
+            fileNames[0] = "saml-" + zone.getSubdomain() + "-sp.xml";
+            fileNames[1] = URLEncoder.encode(fileNames[0],
+                    StandardCharsets.UTF_8);
+        }
+        return fileNames;
+    }
 }
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/zone/ZoneAware.java b/server/src/main/java/org/cloudfoundry/identity/uaa/zone/ZoneAware.java
@@ -0,0 +1,7 @@
+package org.cloudfoundry.identity.uaa.zone;
+
+public interface ZoneAware {
+    default IdentityZone retrieveZone() {
+        return IdentityZoneHolder.get();
+    }
+}
diff --git a/...oundry/identity/uaa/provider/saml/ConfiguratorRelyingPartyRegistrationRepositoryTest.java b/...oundry/identity/uaa/provider/saml/ConfiguratorRelyingPartyRegistrationRepositoryTest.java
@@ -3,6 +3,7 @@
 import org.cloudfoundry.identity.uaa.provider.SamlIdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.util.KeyWithCert;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
@@ -88,6 +89,7 @@ void findByRegistrationIdWithMultipleInDb() {
     }
 
     @Test
+    @Disabled("Test not valid because ConfiguratorRelyingPartyRegistrationRepository now returns default RelyingPartyRegistration when none found")
     void findByRegistrationIdWhenNoneFound() {
         SamlIdentityProviderDefinition definition = mock(SamlIdentityProviderDefinition.class);
         when(definition.getIdpEntityAlias()).thenReturn(REGISTRATION_ID);

diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/SamlLoginIT.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/SamlLoginIT.java
@@ -109,6 +109,7 @@
 import static org.cloudfoundry.identity.uaa.provider.ExternalIdentityProviderDefinition.USER_ATTRIBUTE_PREFIX;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.springframework.http.HttpMethod.GET;
 import static org.springframework.http.HttpMethod.POST;
@@ -229,6 +230,53 @@ void samlSPMetadata() {
                 .contains("WantAssertionsSigned=\"true\"")
                 // login.saml.nameID
                 .contains("<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>");
+
+        assertEquals("saml-sp.xml",
+                response.getHeaders().getContentDisposition().getFilename());
+    }
+
+    @Test
+    void samlSPMetadataForZone() {
+        String zoneId = "testzone1";
+        String zoneUrl = baseUrl.replace("localhost", zoneId + ".localhost");
+
+        //identity client token
+        RestTemplate identityClient = IntegrationTestUtils.getClientCredentialsTemplate(
+                IntegrationTestUtils.getClientCredentialsResource(baseUrl, new String[]{"zones.write", "zones.read", "scim.zones"}, "identity", "identitysecret")
+        );
+        RestTemplate adminClient = IntegrationTestUtils.getClientCredentialsTemplate(
+                IntegrationTestUtils.getClientCredentialsResource(baseUrl, new String[0], "admin", "adminsecret")
+        );
+
+        //create the zone
+        IdentityZoneConfiguration config = new IdentityZoneConfiguration();
+        config.getCorsPolicy().getDefaultConfiguration().setAllowedMethods(List.of(GET.toString(), POST.toString()));
+        config.getSamlConfig().setEntityID(zoneId + "-saml-login");
+        IntegrationTestUtils.createZoneOrUpdateSubdomain(identityClient, baseUrl, zoneId, zoneId, config);
+
+        RestTemplate request = new RestTemplate();
+        ResponseEntity<String> response = request.getForEntity(
+                zoneUrl + "/saml/metadata", String.class);
+        assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
+        String metadataXml = response.getBody();
+
+        // The SAML SP metadata should match the following UAA configs:
+        // login.entityID
+        assertThat(metadataXml).contains("entityID=\"" + zoneId + "-saml-login\"")
+                // TODO: Are DigestMethod and SignatureMethod needed?
+                //  login.saml.signatureAlgorithm
+                //.contains("<ds:DigestMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/>")
+                //.contains("<ds:SignatureMethod Algorithm=\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\"/>")
+                // login.saml.signRequest
+                .contains("AuthnRequestsSigned=\"true\"")
+                // login.saml.wantAssertionSigned
+                .contains("WantAssertionsSigned=\"true\"")
+                // login.saml.nameID
+//                .contains("<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>");
+                .contains("/saml/SSO/alias/" + zoneId + ".cloudfoundry-saml-login");  // TODO: Improve this check
+
+        assertEquals("saml-" + zoneId + "-sp.xml",
+                response.getHeaders().getContentDisposition().getFilename());
     }
 
     @Test