Merge branch 'master' into resp-sign-idp

wso2-extensions · Jul 28, 2023 · 391e341 · 391e341
2 parents 0ccb894 + 6826ee6
commit 391e341
Show file tree

Hide file tree

Showing 17 changed files with 165 additions and 36 deletions.
diff --git a/components/org.wso2.carbon.identity.query.saml/pom.xml b/components/org.wso2.carbon.identity.query.saml/pom.xml
@@ -21,7 +21,7 @@
  <groupId>org.wso2.carbon.identity.inbound.auth.saml2</groupId>
  <artifactId>identity-inbound-auth-saml</artifactId>
  <relativePath>../../pom.xml</relativePath>
- <version>5.11.17-SNAPSHOT</version>
+ <version>5.11.19-SNAPSHOT</version>
  </parent>
  <modelVersion>4.0.0</modelVersion>
  <artifactId>org.wso2.carbon.identity.query.saml</artifactId>

diff --git a/components/org.wso2.carbon.identity.sso.saml.common/pom.xml b/components/org.wso2.carbon.identity.sso.saml.common/pom.xml
@@ -22,7 +22,7 @@
  <groupId>org.wso2.carbon.identity.inbound.auth.saml2</groupId>
  <artifactId>identity-inbound-auth-saml</artifactId>
  <relativePath>../../pom.xml</relativePath>
- <version>5.11.17-SNAPSHOT</version>
+ <version>5.11.19-SNAPSHOT</version>
  </parent>
 
  <modelVersion>4.0.0</modelVersion>

diff --git a/components/org.wso2.carbon.identity.sso.saml.stub/pom.xml b/components/org.wso2.carbon.identity.sso.saml.stub/pom.xml
@@ -22,7 +22,7 @@
  <groupId>org.wso2.carbon.identity.inbound.auth.saml2</groupId>
  <artifactId>identity-inbound-auth-saml</artifactId>
  <relativePath>../../pom.xml</relativePath>
- <version>5.11.17-SNAPSHOT</version>
+ <version>5.11.19-SNAPSHOT</version>
  </parent>
 
  <modelVersion>4.0.0</modelVersion>

diff --git a/components/org.wso2.carbon.identity.sso.saml.ui/pom.xml b/components/org.wso2.carbon.identity.sso.saml.ui/pom.xml
@@ -22,7 +22,7 @@
  <groupId>org.wso2.carbon.identity.inbound.auth.saml2</groupId>
  <artifactId>identity-inbound-auth-saml</artifactId>
  <relativePath>../../pom.xml</relativePath>
- <version>5.11.17-SNAPSHOT</version>
+ <version>5.11.19-SNAPSHOT</version>
  </parent>
 
  <modelVersion>4.0.0</modelVersion>

diff --git a/components/org.wso2.carbon.identity.sso.saml/pom.xml b/components/org.wso2.carbon.identity.sso.saml/pom.xml
@@ -22,7 +22,7 @@
  <groupId>org.wso2.carbon.identity.inbound.auth.saml2</groupId>
  <artifactId>identity-inbound-auth-saml</artifactId>
  <relativePath>../../pom.xml</relativePath>
- <version>5.11.17-SNAPSHOT</version>
+ <version>5.11.19-SNAPSHOT</version>
  </parent>
 
  <modelVersion>4.0.0</modelVersion>
@@ -293,6 +293,11 @@
  <artifactId>slf4j-api</artifactId>
  <scope>test</scope>
  </dependency>
+ <dependency>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-databind</artifactId>
+ <scope>provided</scope>
+ </dependency>
  <dependency>
  <groupId>org.apache.felix</groupId>
  <artifactId>org.apache.felix.scr.ds-annotations</artifactId>

diff --git a/...src/main/java/org/wso2/carbon/identity/sso/saml/SAMLInboundSessionContextMgtListener.java b/...src/main/java/org/wso2/carbon/identity/sso/saml/SAMLInboundSessionContextMgtListener.java
@@ -23,11 +23,11 @@
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
 import org.wso2.carbon.identity.application.authentication.framework.listener.SessionContextMgtListener;
-import org.wso2.carbon.registry.core.utils.UUIDGenerator;
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 
 import java.util.HashMap;
 import java.util.Map;
+import java.util.UUID;
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
@@ -66,9 +66,9 @@ public Map<String, String> onPreCreateSession(String sessionId, HttpServletReque
  }
  if (IdentityTenantUtil.isTenantedSessionsEnabled()) {
  // Add suffix to the session id for identify saml sso token id cookies which has a tenanted path.
- sessionId = UUIDGenerator.generateUUID() + SAMLSSOConstants.TENANT_QUALIFIED_TOKEN_ID_COOKIE_SUFFIX;
+ sessionId = UUID.randomUUID() + SAMLSSOConstants.TENANT_QUALIFIED_TOKEN_ID_COOKIE_SUFFIX;
  } else {
- sessionId = UUIDGenerator.generateUUID();
+ sessionId = UUID.randomUUID().toString();
  }
  }
  Map<String, String> map = new HashMap<>();

diff --git a/...n.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java b/...n.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
@@ -201,6 +201,15 @@ private StatusCodes() {
  }
  }
 
+ /**
+ * Group the constants related to logs.
+ */
+ public static class LogConstants {
+
+ public static final String CREATE_SAML_APPLICATION = "CREATE SAML APPLICATION";
+ public static final String DELETE_SAML_APPLICATION = "DELETE SAML APPLICATION";
+ }
+
  public static class SingleLogoutCodes {
  public static final String LOGOUT_USER = "urn:oasis:names:tc:SAML:2.0:logout:user";
  public static final String LOGOUT_ADMIN = "urn:oasis:names:tc:SAML:2.0:logout:admin";

diff --git a/...ty.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/admin/SAMLSSOConfigAdmin.java b/...ty.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/admin/SAMLSSOConfigAdmin.java
@@ -18,20 +18,25 @@
 
 package org.wso2.carbon.identity.sso.saml.admin;
 
+import com.google.gson.Gson;
+import com.google.gson.reflect.TypeToken;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.opensaml.saml.saml1.core.NameIdentifier;
 import org.wso2.carbon.base.MultitenantConstants;
 import org.wso2.carbon.context.CarbonContext;
 import org.wso2.carbon.core.util.KeyStoreManager;
+import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
+import org.wso2.carbon.identity.application.mgt.ApplicationMgtUtil;
 import org.wso2.carbon.identity.base.IdentityException;
 import org.wso2.carbon.identity.core.model.SAMLSSOServiceProviderDO;
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.sp.metadata.saml2.exception.InvalidMetadataException;
 import org.wso2.carbon.identity.sp.metadata.saml2.util.Parser;
 import org.wso2.carbon.identity.sso.saml.Error;
+import org.wso2.carbon.identity.sso.saml.SAMLSSOConstants;
 import org.wso2.carbon.identity.sso.saml.SSOServiceProviderConfigManager;
 import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOServiceProviderDTO;
 import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOServiceProviderInfoDTO;
@@ -41,10 +46,18 @@
 import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
 import org.wso2.carbon.registry.core.Registry;
 import org.wso2.carbon.registry.core.session.UserRegistry;
+import org.wso2.carbon.user.core.util.UserCoreUtil;
+import org.wso2.carbon.utils.AuditLog;
 
 import java.security.KeyStore;
 import java.security.cert.CertificateException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
 
+import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.LogConstants.USER;
+import static org.wso2.carbon.identity.application.mgt.ApplicationConstants.LogConstants.TARGET_APPLICATION;
+import static org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils.triggerAuditLogEvent;
 import static org.wso2.carbon.identity.sso.saml.Error.CONFLICTING_SAML_ISSUER;
 import static org.wso2.carbon.identity.sso.saml.Error.INVALID_REQUEST;
 
@@ -86,8 +99,22 @@ public boolean addRelyingPartyServiceProvider(SAMLSSOServiceProviderDTO serviceP
  log.error(message);
  return false;
  }
- return IdentitySAMLSSOServiceComponentHolder.getInstance().getSAMLSSOServiceProviderManager()
+ boolean isSuccess = IdentitySAMLSSOServiceComponentHolder.getInstance().getSAMLSSOServiceProviderManager()
  .addServiceProvider(serviceProviderDO, tenantId);
+ if (isSuccess && ApplicationMgtUtil.isLegacyAuditLogsDisabledInAppMgt()) {
+ Optional<String> initiatorId = getInitiatorId();
+ if (initiatorId.isPresent()) {
+ AuditLog.AuditLogBuilder auditLogBuilder = new AuditLog.AuditLogBuilder(
+ initiatorId.get(), USER,
+ issuer, TARGET_APPLICATION,
+ SAMLSSOConstants.LogConstants.CREATE_SAML_APPLICATION)
+ .data(buildSPData(serviceProviderDO));
+ triggerAuditLogEvent(auditLogBuilder, true);
+ } else {
+ log.error("Error getting the logged in userId");
+ }
+ }
+ return isSuccess;
  } catch (IdentityException e) {
  String message = "Error obtaining a registry for adding a new service provider";
  throw new IdentityException(message, e);
@@ -140,7 +167,21 @@ public SAMLSSOServiceProviderDTO addSAMLServiceProvider(SAMLSSOServiceProviderDT
  String message = "A Service Provider with the name: " + issuer + " is already loaded from the file system.";
  throw buildClientException(CONFLICTING_SAML_ISSUER, message);
  }
- return persistSAMLServiceProvider(serviceProviderDO);
+ SAMLSSOServiceProviderDTO samlssoServiceProviderDTO = persistSAMLServiceProvider(serviceProviderDO);
+ if (ApplicationMgtUtil.isLegacyAuditLogsDisabledInAppMgt()) {
+ Optional<String> initiatorId = getInitiatorId();
+ if (initiatorId.isPresent()) {
+ AuditLog.AuditLogBuilder auditLogBuilder = new AuditLog.AuditLogBuilder(
+ initiatorId.get(), USER,
+ issuer, TARGET_APPLICATION,
+ SAMLSSOConstants.LogConstants.CREATE_SAML_APPLICATION)
+ .data(buildSPData(serviceProviderDO));
+ triggerAuditLogEvent(auditLogBuilder, true);
+ } else {
+ log.error("Error getting the logged in userId");
+ }
+ }
+ return samlssoServiceProviderDTO;
  } catch (IdentitySAML2ClientException e){
  throw e;
  } catch (IdentityException e) {
@@ -149,6 +190,47 @@ public SAMLSSOServiceProviderDTO addSAMLServiceProvider(SAMLSSOServiceProviderDT
  }
  }
 
+ private static Map<String, Object> buildSPData(SAMLSSOServiceProviderDO app) {
+
+ if (app == null) {
+ return new HashMap<>();
+ }
+
+ Gson gson = new Gson();
+ String json = gson.toJson(app);
+ return gson.fromJson(json, new TypeToken<Map<String, Object>>() {
+ }.getType());
+ }
+
+ /**
+ * This method is used to retrieve logged in tenant domain.
+ * @return logged in tenant domain.
+ */
+ private String getLoggedInTenantDomain() {
+
+ if (!IdentityTenantUtil.isTenantedSessionsEnabled()) {
+ return getTenantDomain();
+ }
+ return IdentityTenantUtil.getTenantDomainFromContext();
+ }
+
+ private Optional<AuthenticatedUser> getLoggedInUser(String tenantDomain) {
+
+ String tenantAwareLoggedInUsername = CarbonContext.getThreadLocalCarbonContext().getUsername();
+ return Optional.ofNullable(tenantAwareLoggedInUsername)
+ .filter(StringUtils::isNotEmpty)
+ .map(username -> buildAuthenticatedUser(username, tenantDomain));
+ }
+
+ private AuthenticatedUser buildAuthenticatedUser(String tenantAwareUser, String tenantDomain) {
+
+ AuthenticatedUser user = new AuthenticatedUser();
+ user.setUserName(UserCoreUtil.removeDomainFromName(tenantAwareUser));
+ user.setTenantDomain(tenantDomain);
+ user.setUserStoreDomain(IdentityUtil.extractDomainFromName(tenantAwareUser));
+ return user;
+ }
+
  /**
  * Update a service provider if it exists.
  *
@@ -283,8 +365,21 @@ public SAMLSSOServiceProviderDTO uploadRelyingPartyServiceProvider(String metada
  throw new IdentityException("Error occurred while setting certificate and alias", e);
  }
  }
-
- return persistSAMLServiceProvider(samlssoServiceProviderDO);
+ SAMLSSOServiceProviderDTO samlssoServiceProviderDTO = persistSAMLServiceProvider(samlssoServiceProviderDO);
+ if (ApplicationMgtUtil.isLegacyAuditLogsDisabledInAppMgt()) {
+ Optional<String> initiatorId = getInitiatorId();
+ if (initiatorId.isPresent()) {
+ AuditLog.AuditLogBuilder auditLogBuilder = new AuditLog.AuditLogBuilder(
+ initiatorId.get(), USER,
+ samlssoServiceProviderDO.getIssuer(), TARGET_APPLICATION,
+ SAMLSSOConstants.LogConstants.CREATE_SAML_APPLICATION)
+ .data(buildSPData(samlssoServiceProviderDO));
+ triggerAuditLogEvent(auditLogBuilder, true);
+ } else {
+ log.error("Error getting the logged in userId");
+ }
+ }
+ return samlssoServiceProviderDTO;
  }
 
  /**
@@ -599,13 +694,36 @@ public SAMLSSOServiceProviderInfoDTO getServiceProviders() throws IdentityExcept
  */
  public boolean removeServiceProvider(String issuer) throws IdentityException {
  try {
- return IdentitySAMLSSOServiceComponentHolder.getInstance()
+ boolean isSuccess = IdentitySAMLSSOServiceComponentHolder.getInstance()
  .getSAMLSSOServiceProviderManager().removeServiceProvider(issuer, tenantId);
+ if (isSuccess) {
+ if (ApplicationMgtUtil.isLegacyAuditLogsDisabledInAppMgt()) {
+ Optional<String> initiatorId = getInitiatorId();
+ if (initiatorId.isPresent()) {
+ AuditLog.AuditLogBuilder auditLogBuilder = new AuditLog.AuditLogBuilder(initiatorId.get(),
+ USER, issuer, TARGET_APPLICATION,
+ SAMLSSOConstants.LogConstants.DELETE_SAML_APPLICATION);
+ triggerAuditLogEvent(auditLogBuilder, true);
+ } else {
+ log.error("Error getting the logged in userId");
+ }
+ }
+ }
+ return isSuccess;
  } catch (IdentityException e) {
  throw new IdentityException("Error removing a Service Provider with issuer: " + issuer, e);
  }
  }
 
+ private Optional<String> getInitiatorId() {
+
+ return Optional.ofNullable(CarbonContext.getThreadLocalCarbonContext().getUserId())
+ .filter(StringUtils::isNotBlank)
+ .or(() -> getLoggedInUser(getLoggedInTenantDomain())
+ .map(loggedInUser -> IdentityUtil.getInitiatorId(loggedInUser.getUserName(),
+ getLoggedInTenantDomain())));
+ }
+
  protected String getTenantDomain() {
 
  return CarbonContext.getThreadLocalCarbonContext().getTenantDomain();

diff --git a/.../src/main/java/org/wso2/carbon/identity/sso/saml/internal/SAMLApplicationMgtListener.java b/.../src/main/java/org/wso2/carbon/identity/sso/saml/internal/SAMLApplicationMgtListener.java
@@ -21,8 +21,6 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.wso2.carbon.context.PrivilegedCarbonContext;
-import org.wso2.carbon.context.RegistryType;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.StandardInboundProtocols;
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
 import org.wso2.carbon.identity.application.common.IdentityApplicationManagementValidationException;
@@ -34,7 +32,6 @@
 import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOServiceProviderDTO;
 import org.wso2.carbon.identity.sso.saml.dto.SAMLSSOServiceProviderInfoDTO;
 import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
-import org.wso2.carbon.registry.core.Registry;
 
 import java.io.ByteArrayInputStream;
 import java.io.StringWriter;
@@ -284,12 +281,6 @@ public void doExportServiceProvider(ServiceProvider serviceProvider, Boolean exp
  }
  }
 
- private Registry getConfigSystemRegistry() {
-
- return (Registry) PrivilegedCarbonContext.getThreadLocalCarbonContext().getRegistry(RegistryType
- .SYSTEM_CONFIGURATION);
- }
-
  /**
  * Validate inbound auth SAML configurations.
  *

diff --git a/...in/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java b/...in/java/org/wso2/carbon/identity/sso/saml/processors/IdPInitSSOAuthnRequestProcessor.java
@@ -34,10 +34,10 @@
 import org.wso2.carbon.identity.sso.saml.internal.IdentitySAMLSSOServiceComponentHolder;
 import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
 import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
-import org.wso2.carbon.registry.core.utils.UUIDGenerator;
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.UUID;
 
 public class IdPInitSSOAuthnRequestProcessor implements SSOAuthnRequestProcessor {
 
@@ -116,7 +116,7 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
  sessionIndexId = sessionPersistenceManager.getSessionIndexFromTokenId(sessionId,
  authnReqDTO.getLoggedInTenantDomain());
  } else {
- sessionIndexId = UUIDGenerator.generateUUID();
+ sessionIndexId = UUID.randomUUID().toString();
  sessionPersistenceManager.persistSession(sessionId, sessionIndexId,
  authnReqDTO.getLoggedInTenantDomain());
  }

diff --git a/...ain/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java b/...ain/java/org/wso2/carbon/identity/sso/saml/processors/SPInitSSOAuthnRequestProcessor.java
@@ -37,10 +37,10 @@
 import org.wso2.carbon.identity.sso.saml.internal.IdentitySAMLSSOServiceComponentHolder;
 import org.wso2.carbon.identity.sso.saml.session.SSOSessionPersistenceManager;
 import org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil;
-import org.wso2.carbon.registry.core.utils.UUIDGenerator;
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.UUID;
 
 public class SPInitSSOAuthnRequestProcessor implements SSOAuthnRequestProcessor{
 
@@ -103,7 +103,7 @@ public SAMLSSORespDTO process(SAMLSSOAuthnReqDTO authnReqDTO, String sessionId,
  sessionIndexId = sessionPersistenceManager.getSessionIndexFromTokenId(sessionId,
  authnReqDTO.getLoggedInTenantDomain());
  } else {
- sessionIndexId = UUIDGenerator.generateUUID();
+ sessionIndexId = UUID.randomUUID().toString();
  sessionPersistenceManager.persistSession(sessionId, sessionIndexId,
  authnReqDTO.getLoggedInTenantDomain());
  }