Adding API for generating SAML SP metadata

Resolves elastic#49018

Author: BigPandaToo

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java

@@ -22,6 +22,7 @@
 import org.elasticsearch.xpack.core.ilm.action.StopILMAction;
 import org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationAction;
 import org.elasticsearch.xpack.core.security.action.GrantApiKeyAction;
+import org.elasticsearch.xpack.core.security.action.saml.SamlSpMetadataAction;
 import org.elasticsearch.xpack.core.security.action.token.InvalidateTokenAction;
 import org.elasticsearch.xpack.core.security.action.token.RefreshTokenAction;
 import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
@@ -45,7 +46,7 @@ public class ClusterPrivilegeResolver {
     // shared automatons
     private static final Set<String> ALL_SECURITY_PATTERN = Set.of("cluster:admin/xpack/security/*");
     private static final Set<String> MANAGE_SAML_PATTERN = Set.of("cluster:admin/xpack/security/saml/*",
-        InvalidateTokenAction.NAME, RefreshTokenAction.NAME);
+        InvalidateTokenAction.NAME, RefreshTokenAction.NAME, SamlSpMetadataAction.NAME);
     private static final Set<String> MANAGE_OIDC_PATTERN = Set.of("cluster:admin/xpack/security/oidc/*");
     private static final Set<String> MANAGE_TOKEN_PATTERN = Set.of("cluster:admin/xpack/security/token/*");
     private static final Set<String> MANAGE_API_KEY_PATTERN = Set.of("cluster:admin/xpack/security/api_key/*");

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommand.java

@@ -110,22 +110,22 @@ public SamlMetadataCommand(CheckedFunction<Environment, KeyStoreWrapper, Excepti
         attributeSpec = parser.accepts("attribute", "additional SAML attributes to request").withRequiredArg();
         orgNameSpec = parser.accepts("organisation-name", "the name of the organisation operating this service").withRequiredArg();
         orgDisplayNameSpec = parser.accepts("organisation-display-name", "the display-name of the organisation operating this service")
-            .availableIf(orgNameSpec).withRequiredArg();
+                .availableIf(orgNameSpec).withRequiredArg();
         orgUrlSpec = parser.accepts("organisation-url", "the URL of the organisation operating this service")
-            .requiredIf(orgNameSpec).withRequiredArg();
+                .requiredIf(orgNameSpec).withRequiredArg();
         contactsSpec = parser.accepts("contacts", "Include contact information in metadata").availableUnless(batchSpec);
         signingPkcs12PathSpec = parser.accepts("signing-bundle", "path to an existing key pair (in PKCS#12 format) to be used for " +
-            "signing ")
-            .withRequiredArg();
+                "signing ")
+                .withRequiredArg();
         signingCertPathSpec = parser.accepts("signing-cert", "path to an existing signing certificate")
-            .availableUnless(signingPkcs12PathSpec)
-            .withRequiredArg();
+                .availableUnless(signingPkcs12PathSpec)
+                .withRequiredArg();
         signingKeyPathSpec = parser.accepts("signing-key", "path to an existing signing private key")
-            .availableIf(signingCertPathSpec)
-            .requiredIf(signingCertPathSpec)
-            .withRequiredArg();
+                .availableIf(signingCertPathSpec)
+                .requiredIf(signingCertPathSpec)
+                .withRequiredArg();
         keyPasswordSpec = parser.accepts("signing-key-password", "password for an existing signing private key or keypair")
-            .withOptionalArg();
+                .withOptionalArg();
         this.keyStoreFunction = keyStoreFunction;
     }
 
@@ -159,19 +159,19 @@ EntityDescriptor buildEntityDescriptor(Terminal terminal, OptionSet options, Env
         final RealmConfig realm = findRealm(terminal, options, env);
         final Settings realmSettings = realm.settings().getByPrefix(RealmSettings.realmSettingPrefix(realm.identifier()));
         terminal.println(Terminal.Verbosity.VERBOSE,
-            "Using realm configuration\n=====\n" + realmSettings.toDelimitedString('\n') + "=====");
+                "Using realm configuration\n=====\n" + realmSettings.toDelimitedString('\n') + "=====");
         final Locale locale = findLocale(options);
         terminal.println(Terminal.Verbosity.VERBOSE, "Using locale: " + locale.toLanguageTag());
 
         final SpConfiguration spConfig = SamlRealm.getSpConfiguration(realm);
         final SamlSpMetadataBuilder builder = new SamlSpMetadataBuilder(locale, spConfig.getEntityId())
-            .assertionConsumerServiceUrl(spConfig.getAscUrl())
-            .singleLogoutServiceUrl(spConfig.getLogoutUrl())
-            .encryptionCredentials(spConfig.getEncryptionCredentials())
-            .signingCredential(spConfig.getSigningConfiguration().getCredential())
-            .authnRequestsSigned(spConfig.getSigningConfiguration().shouldSign(AuthnRequest.DEFAULT_ELEMENT_LOCAL_NAME))
-            .nameIdFormat(realm.getSetting(SamlRealmSettings.NAMEID_FORMAT))
-            .serviceName(option(serviceNameSpec, options, env.settings().get("cluster.name")));
+                .assertionConsumerServiceUrl(spConfig.getAscUrl())
+                .singleLogoutServiceUrl(spConfig.getLogoutUrl())
+                .encryptionCredentials(spConfig.getEncryptionCredentials())
+                .signingCredential(spConfig.getSigningConfiguration().getCredential())
+                .authnRequestsSigned(spConfig.getSigningConfiguration().shouldSign(AuthnRequest.DEFAULT_ELEMENT_LOCAL_NAME))
+                .nameIdFormat(realm.getSetting(SamlRealmSettings.NAMEID_FORMAT))
+                .serviceName(option(serviceNameSpec, options, env.settings().get("cluster.name")));
 
         Map<String, String> attributes = getAttributeNames(options, realm);
         for (String attr : attributes.keySet()) {
@@ -185,22 +185,22 @@ EntityDescriptor buildEntityDescriptor(Terminal terminal, OptionSet options, Env
                     friendlyName = settingName;
                 } else {
                     friendlyName = terminal.readText("What is the friendly name for " +
-                        attributeSource
-                        + " attribute \"" + attr + "\" [default: " +
-                        (settingName == null ? "none" : settingName) +
-                        "] ");
+                            attributeSource
+                            + " attribute \"" + attr + "\" [default: " +
+                            (settingName == null ? "none" : settingName) +
+                            "] ");
                     if (Strings.isNullOrEmpty(friendlyName)) {
                         friendlyName = settingName;
                     }
                 }
             } else {
                 if (batch) {
                     throw new UserException(ExitCodes.CONFIG, "Option " + batchSpec.toString() + " is specified, but attribute "
-                        + attr + " appears to be a FriendlyName value");
+                            + attr + " appears to be a FriendlyName value");
                 }
                 friendlyName = attr;
                 name = requireText(terminal,
-                    "What is the standard (urn) name for " + attributeSource + " attribute \"" + attr + "\" (required): ");
+                        "What is the standard (urn) name for " + attributeSource + " attribute \"" + attr + "\" (required): ");
             }
             terminal.println(Terminal.Verbosity.VERBOSE, "Requesting attribute '" + name + "' (FriendlyName: '" + friendlyName + "')");
             builder.withAttribute(friendlyName, name);
@@ -225,7 +225,7 @@ EntityDescriptor buildEntityDescriptor(Terminal terminal, OptionSet options, Env
                         break;
                     } else {
                         terminal.errorPrintln("Type '" + type + "' is not valid. Valid values are "
-                            + Strings.collectionToCommaDelimitedString(ContactInfo.TYPES.keySet()));
+                                + Strings.collectionToCommaDelimitedString(ContactInfo.TYPES.keySet()));
                     }
                 }
                 builder.withContact(type, givenName, surName, email);
@@ -237,13 +237,13 @@ EntityDescriptor buildEntityDescriptor(Terminal terminal, OptionSet options, Env
 
     // package-protected for testing
     Element possiblySignDescriptor(Terminal terminal, OptionSet options, EntityDescriptor descriptor, Environment env)
-        throws UserException {
+            throws UserException {
         try {
             final EntityDescriptorMarshaller marshaller = new EntityDescriptorMarshaller();
             if (options.has(signingPkcs12PathSpec) || (options.has(signingCertPathSpec) && options.has(signingKeyPathSpec))) {
                 Signature signature = (Signature) XMLObjectProviderRegistrySupport.getBuilderFactory()
-                    .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
-                    .buildObject(Signature.DEFAULT_ELEMENT_NAME);
+                        .getBuilder(Signature.DEFAULT_ELEMENT_NAME)
+                        .buildObject(Signature.DEFAULT_ELEMENT_NAME);
                 signature.setSigningCredential(buildSigningCredential(terminal, options, env));
                 signature.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
                 signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
@@ -279,18 +279,18 @@ private Path writeOutput(Terminal terminal, OptionSet options, Element element)
     }
 
     private Credential buildSigningCredential(Terminal terminal, OptionSet options, Environment env) throws
-        Exception {
+            Exception {
         X509Certificate signingCertificate;
         PrivateKey signingKey;
         char[] password = getChars(keyPasswordSpec.value(options));
         if (options.has(signingPkcs12PathSpec)) {
             Path p12Path = resolvePath(signingPkcs12PathSpec.value(options));
             Map<Certificate, Key> keys = withPassword("certificate bundle (" + p12Path + ")", password,
-                terminal, keyPassword -> CertParsingUtils.readPkcs12KeyPairs(p12Path, keyPassword, a -> keyPassword));
+                    terminal, keyPassword -> CertParsingUtils.readPkcs12KeyPairs(p12Path, keyPassword, a -> keyPassword));
 
             if (keys.size() != 1) {
                 throw new IllegalArgumentException("expected a single key in file [" + p12Path.toAbsolutePath() + "] but found [" +
-                    keys.size() + "]");
+                        keys.size() + "]");
             }
             final Map.Entry<Certificate, Key> pair = keys.entrySet().iterator().next();
             signingCertificate = (X509Certificate) pair.getKey();
@@ -302,7 +302,7 @@ private Credential buildSigningCredential(Terminal terminal, OptionSet options,
             Certificate[] certificates = CertParsingUtils.readCertificates(Collections.singletonList(resolvedSigningCertPath), env);
             if (certificates.length != 1) {
                 throw new IllegalArgumentException("expected a single certificate in file [" + resolvedSigningCertPath + "] but found [" +
-                    certificates.length + "]");
+                        certificates.length + "]");
             }
             signingCertificate = (X509Certificate) certificates[0];
             signingKey = readSigningKey(key, password, terminal);
@@ -329,7 +329,7 @@ private static char[] getChars(String password) {
     }
 
     private static PrivateKey readSigningKey(Path path, char[] password, Terminal terminal)
-        throws Exception {
+            throws Exception {
         AtomicReference<char[]> passwordReference = new AtomicReference<>(password);
         try {
             return PemUtils.readPrivateKey(path, () -> {
@@ -447,18 +447,18 @@ private RealmConfig findRealm(Terminal terminal, OptionSet options, Environment
             }
         } else {
             final List<Map.Entry<RealmConfig.RealmIdentifier, Settings>> saml = realms.entrySet().stream()
-                .filter(entry -> isSamlRealm(entry.getKey()))
-                .collect(Collectors.toList());
+                    .filter(entry -> isSamlRealm(entry.getKey()))
+                    .collect(Collectors.toList());
             if (saml.isEmpty()) {
                 throw new UserException(ExitCodes.CONFIG, "There is no SAML realm configured in " + env.configFile());
             }
             if (saml.size() > 1) {
                 terminal.errorPrintln("Using configuration in " + env.configFile());
                 terminal.errorPrintln("Found multiple SAML realms: "
-                    + saml.stream().map(Map.Entry::getKey).map(Object::toString).collect(Collectors.joining(", ")));
+                        + saml.stream().map(Map.Entry::getKey).map(Object::toString).collect(Collectors.joining(", ")));
                 terminal.errorPrintln("Use the -" + optionName(realmSpec) + " option to specify an explicit realm");
                 throw new UserException(ExitCodes.CONFIG,
-                    "Found multiple SAML realms, please specify one with '-" + optionName(realmSpec) + "'");
+                        "Found multiple SAML realms, please specify one with '-" + optionName(realmSpec) + "'");
             }
             final Map.Entry<RealmConfig.RealmIdentifier, Settings> entry = saml.get(0);
             terminal.println("Building metadata for SAML realm " + entry.getKey());

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlRealm.java

@@ -208,6 +208,10 @@ public static SamlRealm create(RealmConfig config, SSLService sslService, Resour
         return realm;
     }
 
+    public SpConfiguration getServiceProvider() {
+        return serviceProvider;
+    }
+
     // For testing
     SamlRealm(
         RealmConfig config,

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/saml/SamlSpMetadataBuilder.java

@@ -100,7 +100,7 @@ public SamlSpMetadataBuilder(Locale locale, String entityId) {
      * @param samlRealm   SamlRealm for which SP Metadata is built
      */
     public SamlSpMetadataBuilder(SamlRealm samlRealm) {
-        final SpConfiguration spConfig = samlRealm.getLogoutHandler().getSpConfiguration();
+        final SpConfiguration spConfig = samlRealm.getServiceProvider();
         this.locale = Locale.getDefault();
         this.entityId = spConfig.getEntityId();
         this.attributeNames = null;

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/saml/RestSamlSpMetadataAction.java

@@ -44,8 +44,8 @@ public String getName() {
 
     @Override
     public RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClient client) throws IOException {
-        final SamlSpMetadataRequest SamlSpRequest = new SamlSpMetadataRequest(request.param("realm"));
-        return channel -> client.execute(SamlSpMetadataAction.INSTANCE, SamlSpRequest,
+        final SamlSpMetadataRequest SamlSpMetadataRequest = new SamlSpMetadataRequest(request.param("realm"));
+        return channel -> client.execute(SamlSpMetadataAction.INSTANCE, SamlSpMetadataRequest,
             new RestBuilderListener<SamlSpMetadataResponse>(channel) {
             @Override
             public RestResponse buildResponse(SamlSpMetadataResponse response, XContentBuilder builder) throws Exception {