Adding API for generating SAML SP metadata

Resolves elastic#49018

Author: BigPandaToo

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/saml/TransportSamlSpMetadataAction.java

@@ -20,6 +20,8 @@
 import org.elasticsearch.xpack.security.authc.saml.SamlRealm;
 import org.elasticsearch.xpack.security.authc.saml.SamlSpMetadataBuilder;
 import org.elasticsearch.xpack.security.authc.saml.SamlUtils;
+import org.elasticsearch.xpack.security.authc.saml.SpConfiguration;
+import org.opensaml.saml.saml2.core.AuthnRequest;
 import org.opensaml.saml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml.saml2.metadata.impl.EntityDescriptorMarshaller;
 import org.w3c.dom.Element;
@@ -29,6 +31,7 @@
 import javax.xml.transform.stream.StreamResult;
 import java.io.StringWriter;
 import java.util.List;
+import java.util.Locale;
 
 import static org.elasticsearch.xpack.security.authc.saml.SamlRealm.findSamlRealms;
 
@@ -63,7 +66,13 @@ protected void doExecute(Task task, SamlSpMetadataRequest request,
     private void prepareMetadata(SamlRealm realm, ActionListener<SamlSpMetadataResponse> listener) {
         try {
             final EntityDescriptorMarshaller marshaller = new EntityDescriptorMarshaller();
-            final SamlSpMetadataBuilder builder = new SamlSpMetadataBuilder(realm);
+            final SpConfiguration spConfig = realm.getServiceProvider();
+            final SamlSpMetadataBuilder builder = new SamlSpMetadataBuilder(Locale.getDefault(), spConfig.getEntityId())
+                .assertionConsumerServiceUrl(spConfig.getAscUrl())
+                .singleLogoutServiceUrl(spConfig.getLogoutUrl())
+                .encryptionCredentials(spConfig.getEncryptionCredentials())
+                .signingCredential(spConfig.getSigningConfiguration().getCredential())
+                .authnRequestsSigned(spConfig.getSigningConfiguration().shouldSign(AuthnRequest.DEFAULT_ELEMENT_LOCAL_NAME));
             final EntityDescriptor descriptor = builder.build();
             final Element element = marshaller.marshall(descriptor);
             final StringWriter writer = new StringWriter();

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlSpMetadataBuilder.java

@@ -96,30 +96,6 @@ public SamlSpMetadataBuilder(Locale locale, String entityId) {
         this.authnRequestsSigned = Boolean.FALSE;
     }
 
-    /**
-     * @param samlRealm   SamlRealm for which SP Metadata is built
-     */
-    public SamlSpMetadataBuilder(SamlRealm samlRealm) {
-        final SpConfiguration spConfig = samlRealm.getServiceProvider();
-        this.locale = Locale.getDefault();
-        this.entityId = spConfig.getEntityId();
-        this.attributeNames = null;
-        this.contacts = null;
-        this.serviceName = "Elasticsearch";
-        this.nameIdFormat = null;
-        this.authnRequestsSigned = Boolean.FALSE;
-        this.assertionConsumerServiceUrl = spConfig.getAscUrl();
-        this.singleLogoutServiceUrl = spConfig.getLogoutUrl();
-        if (spConfig.getEncryptionCredentials() != null) {
-            this.encryptionCertificates.addAll(spConfig.getEncryptionCredentials()
-                .stream().map(credential -> credential.getEntityCertificate()).collect(Collectors.toList()));
-        }
-        if(spConfig.getSigningConfiguration() != null && spConfig.getSigningConfiguration().getCredential() != null) {
-            this.signingCertificate = spConfig.getSigningConfiguration().getCredential().getEntityCertificate();
-        }
-        this.authnRequestsSigned = spConfig.getSigningConfiguration().shouldSign(AuthnRequest.DEFAULT_ELEMENT_LOCAL_NAME);
-    }
-
     /**
      * The format that the service provider expects for incoming NameID element.
      */

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SigningConfiguration.java

@@ -16,7 +16,7 @@
 /**
  * Encapsulates the rules and credentials for how and when Elasticsearch should sign outgoing SAML messages.
  */
-class SigningConfiguration {
+public class SigningConfiguration {
 
     private final Set<String> messageTypes;
     private final X509Credential credential;
@@ -30,7 +30,7 @@ boolean shouldSign(SAMLObject object) {
         return shouldSign(object.getElementQName().getLocalPart());
     }
 
-    boolean shouldSign(String elementName) {
+    public boolean shouldSign(String elementName) {
         if (credential == null) {
             return false;
         }
@@ -45,7 +45,7 @@ byte[] sign(byte[] content, String algo) throws SecurityException {
         return XMLSigningUtil.signWithURI(this.credential, algo, content);
     }
 
-    X509Credential getCredential() {
+    public X509Credential getCredential() {
         return credential;
     }
 }

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SpConfiguration.java

@@ -41,23 +41,23 @@ public SpConfiguration(final String entityId, final String ascUrl, final String
     /**
      * The SAML identifier (as a URI) for the Sp
      */
-    String getEntityId() {
+    public String getEntityId() {
         return entityId;
     }
 
-    String getAscUrl() {
+    public String getAscUrl() {
         return ascUrl;
     }
 
-    String getLogoutUrl() {
+    public String getLogoutUrl() {
         return logoutUrl;
     }
 
-    List<X509Credential> getEncryptionCredentials() {
+    public List<X509Credential> getEncryptionCredentials() {
         return encryptionCredentials;
     }
 
-    SigningConfiguration getSigningConfiguration() {
+    public SigningConfiguration getSigningConfiguration() {
         return signingConfiguration;
     }