[6.8] Add SAML AuthN request signing tests (#48444) (#61586)

- Add a unit test for our signing code
- Change SAML IT to use signed authentication requests for Shibboleth to consume

Backport of #48444

Author: jkakavas

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthnRequestBuilderTests.java

@@ -16,8 +16,6 @@
 import org.opensaml.saml.saml2.core.AuthnRequest;
 import org.opensaml.saml.saml2.core.NameID;
 import org.opensaml.saml.saml2.metadata.EntityDescriptor;
-import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
-import org.opensaml.saml.saml2.metadata.SingleSignOnService;
 
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.greaterThan;
@@ -38,17 +36,7 @@ public class SamlAuthnRequestBuilderTests extends SamlTestCase {
     @Before
     public void init() throws Exception {
         SamlUtils.initialize(logger);
-
-        final SingleSignOnService sso = SamlUtils.buildObject(SingleSignOnService.class, SingleSignOnService.DEFAULT_ELEMENT_NAME);
-        sso.setLocation(IDP_URL);
-        sso.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
-
-        final IDPSSODescriptor idpRole = SamlUtils.buildObject(IDPSSODescriptor.class, IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
-        idpRole.getSingleSignOnServices().add(sso);
-
-        idpDescriptor = SamlUtils.buildObject(EntityDescriptor.class, EntityDescriptor.DEFAULT_ELEMENT_NAME);
-        idpDescriptor.setEntityID(IDP_ENTITY_ID);
-        idpDescriptor.getRoleDescriptors().add(idpRole);
+        idpDescriptor = buildIdPDescriptor(IDP_URL, IDP_ENTITY_ID);
     }
 
     public void testBuildRequestWithPersistentNameAndNoForceAuth() throws Exception {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRedirectTests.java

@@ -7,9 +7,11 @@
 
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
+import org.opensaml.saml.common.xml.SAMLConstants;
 import org.opensaml.saml.saml2.core.Issuer;
 import org.opensaml.saml.saml2.core.LogoutRequest;
 import org.opensaml.saml.saml2.core.NameID;
+import org.opensaml.saml.saml2.metadata.EntityDescriptor;
 import org.opensaml.security.x509.X509Credential;
 
 import java.io.UnsupportedEncodingException;
@@ -19,7 +21,9 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.Signature;
 import java.security.SignatureException;
+import java.time.Clock;
 import java.util.Base64;
+import java.util.Collections;
 
 import static java.util.Collections.emptySet;
 import static java.util.Collections.singleton;
@@ -29,6 +33,9 @@
 public class SamlRedirectTests extends SamlTestCase {
 
     private static final String IDP_ENTITY_ID = "https://idp.test/";
+    private static final String SP_ENTITY_ID = "https://sp.example.com/";
+    private static final String ACS_URL = "https://sp.example.com/saml/acs";
+    private static final String IDP_URL = "https://idp.test/saml/sso/redirect";
     private static final String LOGOUT_URL = "https://idp.test/saml/logout";
 
     private static final SigningConfiguration NO_SIGNING = new SigningConfiguration(emptySet(), null);
@@ -87,33 +94,58 @@ public void testLogoutRequestSigning() throws Exception {
         final SamlRedirect redirect = new SamlRedirect(buildLogoutRequest(LOGOUT_URL + "?"), spConfig);
         final String url = redirect.getRedirectUrl();
         final String queryParam = url.split("\\?")[1].split("&Signature")[0];
-        final String params[] = url.split("\\?")[1].split("&");
-        assert (params.length == 3);
-        String sigAlg = parseAndUrlDecodeParameter(params[1]);
-        // We currently only support signing with SHA256withRSA, this test should be updated if we add support for more
-        assertThat(sigAlg, equalTo("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
-        sigAlg = "SHA256withRSA";
-        final String signature = parseAndUrlDecodeParameter(params[2]);
-        assertThat(validateSignature(queryParam, sigAlg, signature, credential), equalTo(true));
-        assertThat(validateSignature(queryParam, sigAlg, signature, invalidCredential), equalTo(false));
-        assertThat(validateSignature(queryParam.substring(0, queryParam.length() - 5), sigAlg, signature, credential), equalTo(false));
+        final String signature = validateUrlAndGetSignature(redirect.getRedirectUrl());
+        assertThat(validateSignature(queryParam,  signature, credential), equalTo(true));
+        assertThat(validateSignature(queryParam,  signature, invalidCredential), equalTo(false));
+        assertThat(validateSignature(queryParam.substring(0, queryParam.length() - 5), signature, credential), equalTo(false));
+    }
+
+    public void testAuthnRequestSigning() throws Exception {
+        final X509Credential credential = (X509Credential) buildOpenSamlCredential(readRandomKeyPair()).get(0);
+        X509Credential invalidCredential = (X509Credential) buildOpenSamlCredential(readRandomKeyPair()).get(0);
+        while (invalidCredential.getEntityCertificate().getSerialNumber().equals(credential.getEntityCertificate().getSerialNumber())) {
+            invalidCredential = (X509Credential) buildOpenSamlCredential(readRandomKeyPair()).get(0);
+        }
+        final SigningConfiguration signingConfig = new SigningConfiguration(singleton("*"), credential);
+        SpConfiguration sp = new SpConfiguration(SP_ENTITY_ID, ACS_URL, LOGOUT_URL, signingConfig, null, Collections.emptyList());
+
+        EntityDescriptor idpDescriptor = buildIdPDescriptor(IDP_URL, IDP_ENTITY_ID);
+
+        final SamlRedirect redirect = new SamlRedirect(new SamlAuthnRequestBuilder(sp, SAMLConstants.SAML2_POST_BINDING_URI,
+            idpDescriptor, SAMLConstants.SAML2_REDIRECT_BINDING_URI, Clock.systemUTC()).build(), signingConfig);
+        final String url = redirect.getRedirectUrl();
+        final String queryParam = url.split("\\?")[1].split("&Signature")[0];
+        final String signature = validateUrlAndGetSignature(redirect.getRedirectUrl());
+        assertThat(validateSignature(queryParam, signature, credential), equalTo(true));
+        assertThat(validateSignature(queryParam, signature, invalidCredential), equalTo(false));
+        assertThat(validateSignature(queryParam.substring(0, queryParam.length() - 5), signature, credential),
+            equalTo(false));
     }
 
     private String parseAndUrlDecodeParameter(String parameter) throws UnsupportedEncodingException {
         final String value = parameter.split("=", 2)[1];
         return URLDecoder.decode(value, "UTF-8");
     }
 
-    private boolean validateSignature(String queryParam, String sigAlg, String signature, X509Credential credential) {
+    private String validateUrlAndGetSignature(String url) throws UnsupportedEncodingException {
+        final String params[] = url.split("\\?")[1].split("&");
+        assert (params.length == 3);
+        String sigAlg = parseAndUrlDecodeParameter(params[1]);
+        // We currently only support signing with SHA256withRSA, this test should be updated if we add support for more
+        assertThat(sigAlg, equalTo("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
+        return parseAndUrlDecodeParameter(params[2]);
+    }
+
+    private boolean validateSignature(String queryParam, String signature, X509Credential credential) {
         try {
-            Signature sig = Signature.getInstance(sigAlg);
+            // We currently only support signing with SHA256withRSA, this test should be updated if we add support for more
+            Signature sig = Signature.getInstance("SHA256withRSA");
             sig.initVerify(credential.getPublicKey());
             sig.update(queryParam.getBytes(StandardCharsets.UTF_8));
             return sig.verify(Base64.getDecoder().decode(signature));
         } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
             return false;
         }
-
     }
 
     private LogoutRequest buildLogoutRequest(String logoutUrl) {

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java

@@ -16,6 +16,10 @@
 import org.elasticsearch.xpack.core.ssl.PemUtils;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
+import org.opensaml.saml.common.xml.SAMLConstants;
+import org.opensaml.saml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
+import org.opensaml.saml.saml2.metadata.SingleSignOnService;
 import org.opensaml.security.credential.Credential;
 import org.opensaml.security.x509.impl.X509KeyManagerX509CredentialAdapter;
 
@@ -135,4 +139,18 @@ protected ElasticsearchSecurityException expectSamlException(ThrowingRunnable ru
         assertThat("Exception " + exception + " should be a SAML exception", SamlUtils.isSamlException(exception), is(true));
         return exception;
     }
+
+    protected EntityDescriptor buildIdPDescriptor(String idpUrl, String idpEntityId) {
+        final SingleSignOnService sso = SamlUtils.buildObject(SingleSignOnService.class, SingleSignOnService.DEFAULT_ELEMENT_NAME);
+        sso.setLocation(idpUrl);
+        sso.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
+
+        final IDPSSODescriptor idpRole = SamlUtils.buildObject(IDPSSODescriptor.class, IDPSSODescriptor.DEFAULT_ELEMENT_NAME);
+        idpRole.getSingleSignOnServices().add(sso);
+
+        EntityDescriptor idpDescriptor = SamlUtils.buildObject(EntityDescriptor.class, EntityDescriptor.DEFAULT_ELEMENT_NAME);
+        idpDescriptor.setEntityID(idpEntityId);
+        idpDescriptor.getRoleDescriptors().add(idpRole);
+        return idpDescriptor;
+    }
 }

x-pack/qa/saml-idp-tests/build.gradle

@@ -17,7 +17,8 @@ testFixtures.useFixture ":x-pack:test:idp-fixture"
 
 String outputDir = "${project.buildDir}/generated-resources/${project.name}"
 task copyIdpFiles(type: Copy) {
-    from idpFixtureProject.files('idp/shibboleth-idp/credentials/idp-browser.pem', 'idp/shibboleth-idp/metadata/idp-metadata.xml');
+    from idpFixtureProject.files('idp/shibboleth-idp/credentials/idp-browser.pem', 'idp/shibboleth-idp/metadata/idp-metadata.xml',
+    'idp/shibboleth-idp/credentials/sp-signing.key', 'idp/shibboleth-idp/credentials/sp-signing.crt');
     into outputDir
 }
 project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpFiles)
@@ -62,22 +63,39 @@ integTestCluster {
   setting 'xpack.security.authc.realms.shibboleth.sp.acs', 'http://localhost:54321/saml/acs1'
   setting 'xpack.security.authc.realms.shibboleth.attributes.principal', 'uid'
   setting 'xpack.security.authc.realms.shibboleth.attributes.name', 'urn:oid:2.5.4.3'
+  setting 'xpack.security.authc.realms.shibboleth.signing.key', 'sp-signing.key'
+  setting 'xpack.security.authc.realms.shibboleth.signing.certificate', 'sp-signing.crt'
   // SAML realm 2 (uses authorization_realms)
-  setting 'xpack.security.authc.realms.shibboleth_native.type', 'saml'
   setting 'xpack.security.authc.realms.shibboleth_native.order', '2'
+  setting 'xpack.security.authc.realms.shibboleth_native.type', 'saml'
   setting 'xpack.security.authc.realms.shibboleth_native.idp.entity_id', 'https://test.shibboleth.elastic.local/'
   setting 'xpack.security.authc.realms.shibboleth_native.idp.metadata.path', 'idp-metadata.xml'
   setting 'xpack.security.authc.realms.shibboleth_native.sp.entity_id', 'http://mock2.http.elastic.local/'
   setting 'xpack.security.authc.realms.shibboleth_native.sp.acs', 'http://localhost:54321/saml/acs2'
   setting 'xpack.security.authc.realms.shibboleth_native.attributes.principal', 'uid'
   setting 'xpack.security.authc.realms.shibboleth_native.authorization_realms', 'native'
+  setting 'xpack.security.authc.realms.shibboleth_native.signing.key', 'sp-signing.key'
+  setting 'xpack.security.authc.realms.shibboleth_native.signing.certificate', 'sp-signing.crt'
+  // SAML realm 3 (used for negative tests with multiple realms)
+  setting 'xpack.security.authc.realms.shibboleth_negative.order', '3'
+  setting 'xpack.security.authc.realms.shibboleth_negative.type', 'saml'
+  setting 'xpack.security.authc.realms.shibboleth_negative.idp.entity_id', 'https://test.shibboleth.elastic.local/'
+  setting 'xpack.security.authc.realms.shibboleth_negative.idp.metadata.path', 'idp-metadata.xml'
+  setting 'xpack.security.authc.realms.shibboleth_negative.sp.entity_id', 'somethingwronghere'
+  setting 'xpack.security.authc.realms.shibboleth_negative.sp.acs', 'http://localhost:54321/saml/acs3'
+  setting 'xpack.security.authc.realms.shibboleth_negative.attributes.principal', 'uid'
+  setting 'xpack.security.authc.realms.shibboleth_negative.authorization_realms', 'native'
+  setting 'xpack.security.authc.realms.shibboleth_negative.signing.key', 'sp-signing.key'
+  setting 'xpack.security.authc.realms.shibboleth_negative.signing.certificate', 'sp-signing.crt'
+  setting 'xpack.security.authc.realms.native.order', '4'
   setting 'xpack.security.authc.realms.native.type', 'native'
-  setting 'xpack.security.authc.realms.native.order', '3'
 
   setting 'xpack.ml.enabled', 'false'
   setting 'logger.org.elasticsearch.xpack.security', 'TRACE'
 
   extraConfigFile 'idp-metadata.xml', file(outputDir + "/idp-metadata.xml")
+  extraConfigFile 'sp-signing.key', file(outputDir + "/sp-signing.key")
+  extraConfigFile 'sp-signing.crt', file(outputDir + "/sp-signing.crt")
 
   setupCommand 'setupTestAdmin',
             'bin/elasticsearch-users', 'useradd', "test_admin", '-p', 'x-pack-test-password', '-r', "superuser"

x-pack/qa/saml-idp-tests/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticationIT.java

@@ -240,7 +240,6 @@ public void setupNativeUser() throws IOException {
      * <li>Uses that token to verify the user details</li>
      * </ol>
      */
-    @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/44410")
     public void testLoginUserWithSamlRoleMapping() throws Exception {
         // this ACS comes from the config in build.gradle
         final Tuple<String, String> authTokens = loginViaSaml("http://localhost:54321" + SP_ACS_PATH_1);
@@ -249,7 +248,6 @@ public void testLoginUserWithSamlRoleMapping() throws Exception {
         verifyElasticsearchAccessTokenForRoleMapping(accessToken);
     }
 
-    @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/44410")
     public void testLoginUserWithAuthorizingRealm() throws Exception {
         // this ACS comes from the config in build.gradle
         final Tuple<String, String> authTokens = loginViaSaml("http://localhost:54321" + SP_ACS_PATH_2);

x-pack/test/idp-fixture/docker-compose.yml

@@ -37,4 +37,5 @@ services:
     volumes:
       - ./idp/shibboleth-idp/conf:/opt/shibboleth-idp/conf
       - ./idp/shibboleth-idp/credentials:/opt/shibboleth-idp/credentials
+      - ./idp/shibboleth-idp/metadata:/opt/shibboleth-idp/metadata
       - ./idp/shib-jetty-base/start.d/ssl.ini:/opt/shib-jetty-base/start.d/ssl.ini

x-pack/test/idp-fixture/idp/shibboleth-idp/conf/idp.properties

@@ -57,6 +57,7 @@ idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
 #idp.encryption.key.2 = %{idp.home}/credentials/idp-encryption-old.key
 #idp.encryption.cert.2 = %{idp.home}/credentials/idp-encryption-old.crt
 
+
 # Sets the bean ID to use as a default security configuration set
 #idp.security.config = shibboleth.DefaultSecurityConfiguration
 
@@ -72,13 +73,13 @@ idp.encryption.cert=%{idp.home}/credentials/idp-encryption.crt
 #idp.trust.signatures = shibboleth.ChainingSignatureTrustEngine
 # To pick only one set to one of:
 #   shibboleth.ExplicitKeySignatureTrustEngine, shibboleth.PKIXSignatureTrustEngine
-#idp.trust.certificates = shibboleth.ChainingX509TrustEngine
+#idp.trust.certificates = shibboleth.ExplicitKeyX509TrustEngine
 # To pick only one set to one of:
 #   shibboleth.ExplicitKeyX509TrustEngine, shibboleth.PKIXX509TrustEngine
 
 # If true, encryption will happen whenever a key to use can be located, but
 # failure to encrypt won't result in request failure.
-#idp.encryption.optional = false
+idp.encryption.optional = true
 
 # Configuration of client- and server-side storage plugins
 #idp.storage.cleanupInterval = PT10M

x-pack/test/idp-fixture/idp/shibboleth-idp/conf/metadata-providers.xml

@@ -59,9 +59,11 @@
     responsibility to ensure that the contents on disk are trustworthy.
     -->
 
-    <!--
-    <MetadataProvider id="LocalMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="PATH_TO_YOUR_METADATA"/>
-    -->
+    <!-- One metadada file per realm that we use in our elasticsearch/x-pack/qa/saml-idp-tests/build.gradle -->
+    <MetadataProvider id="LocalMetadata"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/sp-metadata.xml"/>
+    <MetadataProvider id="LocalMetadata2"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/sp-metadata2.xml"/>
+    <MetadataProvider id="LocalMetadata3"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/sp-metadata3.xml"/>
+
 
 
     <!--

x-pack/test/idp-fixture/idp/shibboleth-idp/credentials/sp-signing.crt

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIULAHFP2QmBv0Nwq85ggfJa3p1EjMwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTEwMTUxMzI0MzBaFw0xOTEx
+MTQxMzI0MzBaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCeNmv5oV+QsORglGd62oSAklrevH8sbiMW6wym42c5
+E6Fctq/jLJrY1oLdwOUMynSkaPmh9fAcZHtLUsjx6x4QcMEq/ODqBGvoJNZwomt+
+uyVbpKDGjtrXZowGnUXPz7hsM2yofRiDUIjTsujrvFp/HqCRw/9K4Uw2x8EYL5FU
+vaxxd36mjwbsZCXIjkOsi+jW/bM9RWQd3KF38Ar0vIP/wYK/5s9U+KSuOP3KsSOU
+HSH/pnBFiXciU6bVHcZA3IRYnxzaTT2EQZEXyryfQuk3TWe9YvVusXs6kd9uW4x+
+Lx/wovx4zy2iUpXhO/MVB1IG1SNM4w5ZE94mrLDtG+yOkGXqReesodPZYBC4OOaG
+rZi4rH05FouU6p7QA+iqBCFNNLTrg0f62M/UcAVsANJqQUfFqe7pr1gewF6jlhBw
+HEds19XDPmUHredOjDeGJMeJaH3GS8/M6s+MQpckffdmvF4WHwGAJvRf4AXW+G3a
+9CTjq+E5I29+dWSvuMIIY/howKxQ9Q+IQhZYGhTH/Y9vpdfOdwVZYBB18zAI2VqJ
+18iOCpmd0n/E6ZPyugCSlVZzSjSP+i/xz3c9rJnLkZ5dsOVwloNlw9jaVc/InCUN
+KYyRhoxwkPRa9dzuogdDo41lz95xwikxDunTSUEU9yNjfofmWpuQMz5kYHWPsFbS
+PQIDAQABo1MwUTAdBgNVHQ4EFgQUgowa3NlK8Dtl5KW1vL44+m0LnMAwHwYDVR0j
+BBgwFoAUgowa3NlK8Dtl5KW1vL44+m0LnMAwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAgEAZLIRn3HnTkiP6wp0gSbKqWdThM47atKqeU5l0iBcyBte
+rNmkxnFD6z+6x6YkKtA1ttFTY4kzQ/lr0m+jRlWpMzNkBXU7bNvcbTA5LfrMq99l
+QJpPuJ8eFM/B2PbYm5o0SEiTKVyYyjNXHze/alkflUTtNYQMJtSKYjFPvhx8/mVx
+CHBC66K+oYydbuUgzR+WGrEhIkTOREeGmtVZ1M8zru8lbD1+I8T0eqcpBqPcRdmM
+zSJjJopr+fM0v9LIpi22c50yZtHCLj9iAv8bQRaYnm6aV3kCb1Qv/Wadqk/7oeie
+J16bv6VBSFLKyvez26HlYNNmsauz9cWN/h/LosURqmS6g+28bM+uH/UOp6CTgODp
+OYqRpKW6/rmVPVejx7RBp63nNa/NMhbEngsR3QsBT5qcaMv7NZbK8v/tZDik3z7T
+M4ld5hyUQw8WawopqhNAmTdu0ShBMQhWItQpZ3n12VNDFXXTbhdWxU/VY1hbesVu
+C9pRcZXpVgC+tgxjfiRrruETbQyRM73evfnaBCgIaWXcTcyBuHHKneL4dhyOuBkz
+4wgyJjVe88Cld/4VhPj2JqJasunfhgmknB6PmRdOQbFiIcYRIrdlk5ZblJzB+mnK
+BOe4cVwR3qN0Hi7WqK8loakPVNnnpu7kGUvBKOeiKrXCBMgslffMbTw2ViTtEJo=
+-----END CERTIFICATE-----