spinnaker · mergify · May 8, 2024 · Nov 28, 2023 · Nov 28, 2023 · Dec 1, 2023
diff --git a/gate-core/src/main/java/com/netflix/spinnaker/gate/services/AuthenticationService.java b/gate-core/src/main/java/com/netflix/spinnaker/gate/services/AuthenticationService.java
@@ -0,0 +1,100 @@
+/*
+ * Copyright 2023 Apple, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package com.netflix.spinnaker.gate.services;
+
+import com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator;
+import com.netflix.spinnaker.fiat.shared.FiatService;
+import com.netflix.spinnaker.fiat.shared.FiatStatus;
+import com.netflix.spinnaker.security.AuthenticatedRequest;
+import io.micrometer.core.annotation.Counted;
+import java.util.Collection;
+import java.util.Set;
+import lombok.RequiredArgsConstructor;
+import lombok.Setter;
+import lombok.extern.log4j.Log4j2;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Service;
+
+/** Facade for logging in an authenticated user and obtaining Fiat authorities. */
+@Log4j2
+@Service
+@RequiredArgsConstructor
+public class AuthenticationService {
+  private final FiatStatus fiatStatus;
+  private final FiatService fiatService;
+  private final FiatPermissionEvaluator permissionEvaluator;
+
+  @Setter(
+      onParam_ = {@Qualifier("fiatLoginService")},
+      onMethod_ = {@Autowired(required = false)})
+  private FiatService fiatLoginService;
+
+  private FiatService getFiatServiceForLogin() {
+    return fiatLoginService != null ? fiatLoginService : fiatService;
+  }
+
+  @Counted("fiat.login")
+  public Collection<? extends GrantedAuthority> login(String userid) {
+    if (!fiatStatus.isEnabled()) {
+      return Set.of();
+    }
+
+    return AuthenticatedRequest.allowAnonymous(
+        () -> {
+          getFiatServiceForLogin().loginUser(userid, "");
+          return resolveAuthorities(userid);
+        });
+  }
+
+  @Counted("fiat.login")
+  public Collection<? extends GrantedAuthority> loginWithRoles(
+      String userid, Collection<String> roles) {
+    if (!fiatStatus.isEnabled()) {
+      return Set.of();
+    }
+
+    return AuthenticatedRequest.allowAnonymous(
+        () -> {
+          getFiatServiceForLogin().loginWithRoles(userid, roles);
+          return resolveAuthorities(userid);
+        });
+  }
+
+  @Counted("fiat.logout")
+  public void logout(String userid) {
+    if (!fiatStatus.isEnabled()) {
+      return;
+    }
+
+    getFiatServiceForLogin().logoutUser(userid);
+    permissionEvaluator.invalidatePermission(userid);
+  }
+
+  private Collection<? extends GrantedAuthority> resolveAuthorities(String userid) {
+    permissionEvaluator.invalidatePermission(userid);
+    var permission = permissionEvaluator.getPermission(userid);
+    if (permission == null) {
+      throw new UsernameNotFoundException(
+          String.format("No user found in Fiat named '%s'", userid));
+    }
+    return permission.toGrantedAuthorities();
+  }
+}
diff --git a/gate-saml/gate-saml.gradle b/gate-saml/gate-saml.gradle
@@ -1,13 +1,20 @@
-dependencies{
+dependencies {
+  constraints {
+    implementation 'org.opensaml:opensaml-core:4.1.0'
+    implementation 'org.opensaml:opensaml-saml-api:4.1.0'
+    implementation 'org.opensaml:opensaml-saml-impl:4.1.0'
+  }
+
   implementation project(':gate-core')
-  // RetrySupport is in kork-exceptions and not kork-core!
+  implementation 'io.spinnaker.kork:kork-core'
+  implementation 'io.spinnaker.kork:kork-crypto'
+  implementation 'io.spinnaker.kork:kork-exceptions'
+  implementation 'io.spinnaker.kork:kork-security'
   implementation "io.spinnaker.fiat:fiat-api:$fiatVersion"
-  implementation "io.spinnaker.kork:kork-exceptions"
-  implementation "io.spinnaker.kork:kork-security"
-  implementation 'org.springframework:spring-context'
+  implementation 'org.springframework.boot:spring-boot-starter-security'
+  implementation 'org.springframework.boot:spring-boot-starter-validation'
+  implementation 'org.springframework.security:spring-security-saml2-service-provider'
   implementation 'org.springframework.session:spring-session-core'
-  implementation 'org.springframework.boot:spring-boot-autoconfigure'
 
-  implementation "org.springframework.security.extensions:spring-security-saml2-core"
-  implementation "org.springframework.security.extensions:spring-security-saml-dsl-core"
+  testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }
diff --git a/...rc/main/java/com/netflix/spinnaker/gate/security/saml/DefaultUserIdentifierExtractor.java b/...rc/main/java/com/netflix/spinnaker/gate/security/saml/DefaultUserIdentifierExtractor.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright 2023 Apple, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package com.netflix.spinnaker.gate.security.saml;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
+
+/**
+ * Default implementation for extracting the user id from an authenticated SAML user. This uses the
+ * settings in {@link SecuritySamlProperties.UserAttributeMapping#getUsername()}
+ */
+@RequiredArgsConstructor
+public class DefaultUserIdentifierExtractor implements UserIdentifierExtractor {
+  private final SecuritySamlProperties properties;
+
+  @Override
+  public String fromPrincipal(Saml2AuthenticatedPrincipal principal) {
+    String userid = principal.getFirstAttribute(properties.getUserAttributeMapping().getUsername());
+    return userid != null ? userid : principal.getName();
+  }
+}
diff --git a/...aml/src/main/java/com/netflix/spinnaker/gate/security/saml/DefaultUserRolesExtractor.java b/...aml/src/main/java/com/netflix/spinnaker/gate/security/saml/DefaultUserRolesExtractor.java
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2023 Apple, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package com.netflix.spinnaker.gate.security.saml;
+
+import com.netflix.spinnaker.kork.exceptions.ConfigurationException;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Locale;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
+
+/**
+ * Default implementation for extracting roles from an authenticated SAML user. This uses the
+ * settings in {@link SecuritySamlProperties} related to roles. If role names appear to be
+ * distinguished names (i.e., they contain the substring {@code CN=}), then they will be parsed as
+ * DNs to extract the common name (CN) attribute.
+ */
+@RequiredArgsConstructor
+public class DefaultUserRolesExtractor implements UserRolesExtractor {
+  private final SecuritySamlProperties properties;
+
+  @Override
+  public Set<String> getRoles(Saml2AuthenticatedPrincipal principal) {
+    var userAttributeMapping = properties.getUserAttributeMapping();
+    List<String> roles = principal.getAttribute(userAttributeMapping.getRoles());
+    Stream<String> roleStream = roles != null ? roles.stream() : Stream.empty();
+    String delimiter = userAttributeMapping.getRolesDelimiter();
+    roleStream =
+        delimiter != null
+            ? roleStream.flatMap(role -> Stream.of(role.split(delimiter)))
+            : roleStream;
+    roleStream = roleStream.map(DefaultUserRolesExtractor::parseRole);
+    if (properties.isForceLowercaseRoles()) {
+      roleStream = roleStream.map(role -> role.toLowerCase(Locale.ROOT));
+    }
+    if (properties.isSortRoles()) {
+      roleStream = roleStream.sorted();
+    }
+    return roleStream.collect(Collectors.toCollection(LinkedHashSet::new));
+  }
+
+  private static String parseRole(String role) {
+    if (!role.contains("CN=")) {
+      return role;
+    }
+    try {
+      return new LdapName(role)
+          .getRdns().stream()
+              .filter(rdn -> rdn.getType().equals("CN"))
+              .map(rdn -> (String) rdn.getValue())
+              .findFirst()
+              .orElseThrow(
+                  () ->
+                      new ConfigurationException(
+                          String.format(
+                              "SAML role '%s' contains 'CN=' but cannot be parsed as a DN", role)));
+    } catch (InvalidNameException e) {
+      throw new ConfigurationException(
+          String.format("Unable to parse SAML role name '%s'", role), e);
+    }
+  }
+}
diff --git a/...c/main/java/com/netflix/spinnaker/gate/security/saml/ResponseAuthenticationConverter.java b/...c/main/java/com/netflix/spinnaker/gate/security/saml/ResponseAuthenticationConverter.java
@@ -0,0 +1,95 @@
+/*
+ * Copyright 2023 Apple, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package com.netflix.spinnaker.gate.security.saml;
+
+import com.netflix.spinnaker.gate.services.AuthenticationService;
+import com.netflix.spinnaker.security.User;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Set;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.log4j.Log4j2;
+import org.springframework.beans.factory.ObjectFactory;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
+import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken;
+import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
+import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.springframework.util.CollectionUtils;
+
+/** Handles conversion of an authenticated SAML user into a Spinnaker user and populating Fiat. */
+@Log4j2
+@RequiredArgsConstructor
+public class ResponseAuthenticationConverter
+    implements Converter<ResponseToken, PreAuthenticatedAuthenticationToken> {
+  private final SecuritySamlProperties properties;
+  private final ObjectFactory<UserIdentifierExtractor> userIdentifierExtractorFactory;
+  private final ObjectFactory<UserRolesExtractor> userRolesExtractorFactory;
+  private final ObjectFactory<AuthenticationService> authenticationServiceFactory;
+
+  @Override
+  public PreAuthenticatedAuthenticationToken convert(ResponseToken source) {
+    UserIdentifierExtractor userIdentifierExtractor = userIdentifierExtractorFactory.getObject();
+    UserRolesExtractor userRolesExtractor = userRolesExtractorFactory.getObject();
+    AuthenticationService loginService = authenticationServiceFactory.getObject();
+    log.debug("Decoding SAML response: {}", source.getToken());
+
+    Saml2Authentication authentication = convertToken(source);
+    @SuppressWarnings("deprecation")
+    var user = new User();
+    Saml2AuthenticatedPrincipal principal =
+        (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
+    String principalName = principal.getName();
+    var userAttributeMapping = properties.getUserAttributeMapping();
+    String email = principal.getFirstAttribute(userAttributeMapping.getEmail());
+    user.setEmail(email != null ? email : principalName);
+    String userid = userIdentifierExtractor.fromPrincipal(principal);
+    user.setUsername(userid);
+    user.setFirstName(principal.getFirstAttribute(userAttributeMapping.getFirstName()));
+    user.setLastName(principal.getFirstAttribute(userAttributeMapping.getLastName()));
+
+    Set<String> roles = userRolesExtractor.getRoles(principal);
+    user.setRoles(roles);
+
+    if (!CollectionUtils.isEmpty(properties.getRequiredRoles())) {
+      var requiredRoles = Set.copyOf(properties.getRequiredRoles());
+      // check for at least one common role in both sets
+      if (Collections.disjoint(roles, requiredRoles)) {
+        throw new BadCredentialsException(
+            String.format("User %s is not in any required role from %s", email, requiredRoles));
+      }
+    }
+
+    Collection<? extends GrantedAuthority> authorities = loginService.loginWithRoles(userid, roles);
+    return new PreAuthenticatedAuthenticationToken(user, principal, authorities);
+  }
+
+  private static final Converter<ResponseToken, Saml2Authentication> DEFAULT_CONVERTER =
+      OpenSaml4AuthenticationProvider.createDefaultResponseAuthenticationConverter();
+
+  private static Saml2Authentication convertToken(ResponseToken token) {
+    Saml2Authentication authentication = DEFAULT_CONVERTER.convert(token);
+    if (authentication == null) {
+      throw new IllegalArgumentException("Response token could not be converted");
+    }
+    return authentication;
+  }
+}