Merge pull request #3122 from cloudfoundry/new-saml-0530-saml-session…

…-index Store saml session index in UaaSamlPrincipal
cloudfoundry · Nov 12, 2024 · acf805d · acf805d
2 parents 5faaeb4 + 2ca7bae
commit acf805d
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 5 deletions.
diff --git a/dependencies.gradle b/dependencies.gradle
@@ -14,7 +14,7 @@ versions.springBootVersion = "2.7.18"
 versions.springFrameworkVersion = "5.3.39"
 versions.springSecurityVersion = "5.8.15"
 versions.springSecuritySamlVersion = "1.0.10.RELEASE"
-versions.tomcatCargoVersion = "9.0.96"
+versions.tomcatCargoVersion = "9.0.97"
 versions.guavaVersion = "33.3.1-jre"
 versions.seleniumVersion = "4.26.0"
 versions.braveVersion = "6.0.3"

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaSamlPrincipal.java b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaSamlPrincipal.java
@@ -15,12 +15,14 @@
 
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import lombok.ToString;
 import org.cloudfoundry.identity.uaa.user.UaaUser;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
 
 import java.io.Serializable;
+import java.util.List;
 
 /**
  * UaaSamlPrincipal extends {@link UaaPrincipal} and adds the {@link Saml2AuthenticatedPrincipal} interface.
@@ -32,8 +34,13 @@
 @ToString(callSuper = true)
 @JsonIgnoreProperties({"relyingPartyRegistrationId", "sessionIndexes", "attributes"})
 public class UaaSamlPrincipal extends UaaPrincipal implements Saml2AuthenticatedPrincipal, Serializable {
-    public UaaSamlPrincipal(UaaUser user) {
+
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private final List<String>  sessionIndexes;
+
+    public UaaSamlPrincipal(UaaUser user, List<String> sessionIndexes) {
         super(user);
+        this.sessionIndexes = sessionIndexes;
     }
 
     @JsonCreator
@@ -42,13 +49,18 @@ public UaaSamlPrincipal(
             @JsonProperty("name") String username,
             @JsonProperty("email") String email,
             @JsonProperty("origin") String origin,
+            @JsonProperty("sessionIndexes") List<String> sessionIndexes,
             @JsonProperty("externalId") String externalId,
             @JsonProperty("zoneId") String zoneId) {
         super(id, username, email, origin, externalId, zoneId);
+        this.sessionIndexes = sessionIndexes;
     }
 
     @Override
     public String getRelyingPartyRegistrationId() {
         return getOrigin();
     }
+
+    @Override
+    public List<String> getSessionIndexes() { return sessionIndexes; }
 }
diff --git a/.../org/cloudfoundry/identity/uaa/provider/saml/Saml2BearerGrantAuthenticationConverter.java b/.../org/cloudfoundry/identity/uaa/provider/saml/Saml2BearerGrantAuthenticationConverter.java
@@ -222,7 +222,7 @@ public Authentication convert(HttpServletRequest request) throws AuthenticationE
 
         UaaUser user = userManager.createIfMissing(initialPrincipal, addNew, List.of(), userAttributes);
         UaaAuthentication authentication = new UaaAuthentication(
-                new UaaSamlPrincipal(user),
+                new UaaSamlPrincipal(user, null),
                 authenticationToken.getCredentials(),
                 user.getAuthorities(),
                 Set.of(),

diff --git a/...a/org/cloudfoundry/identity/uaa/provider/saml/SamlUaaResponseAuthenticationConverter.java b/...a/org/cloudfoundry/identity/uaa/provider/saml/SamlUaaResponseAuthenticationConverter.java
@@ -36,6 +36,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
+import java.util.Objects;
 import java.util.Set;
 
 import static org.cloudfoundry.identity.uaa.constants.OriginKeys.NotANumber;
@@ -114,8 +115,9 @@ public UaaAuthentication convert(OpenSaml4AuthenticationProvider.ResponseToken r
         UaaUser user = userManager.createIfMissing(initialPrincipal, addNew, getMappedAuthorities(
                 idp, samlAuthorities), userAttributes);
 
+        List<String> sessionIndexes = assertions.stream().flatMap(assertion -> assertion.getAuthnStatements().stream().filter(Objects::nonNull).map(s -> s.getSessionIndex()).filter(Objects::nonNull)).toList();
         UaaAuthentication authentication = new UaaAuthentication(
-                new UaaSamlPrincipal(user),
+                new UaaSamlPrincipal(user, sessionIndexes),
                 authenticationToken.getCredentials(),
                 user.getAuthorities(),
                 authoritiesConverter.filterSamlAuthorities(samlConfig, samlAuthorities),

diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/UaaSamlPrincipalTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/authentication/UaaSamlPrincipalTest.java
@@ -2,12 +2,14 @@
 
 import org.junit.jupiter.api.Test;
 
+import java.util.List;
+
 import static org.assertj.core.api.Assertions.assertThat;
 
 class UaaSamlPrincipalTest {
     @Test
     void testUaaSamlPrincipal() {
-        UaaSamlPrincipal uaaSamlPrincipal = new UaaSamlPrincipal("id", "name", "email", "origin", "externalId", "zoneId");
+        UaaSamlPrincipal uaaSamlPrincipal = new UaaSamlPrincipal("id", "name", "email", "origin", List.of("sessionIndexes"), "externalId", "zoneId");
         assertThat(uaaSamlPrincipal).returns("id", UaaSamlPrincipal::getId)
                 .returns("name", UaaSamlPrincipal::getName)
                 .returns("email", UaaSamlPrincipal::getEmail)