From 1a8d620c33a739a5d7e3a7e83f4d48163ce577b6 Mon Sep 17 00:00:00 2001
From: Jason Leezer
Date: Fri, 2 Aug 2019 10:01:42 -0500
Subject: [PATCH] Set spKey in Saml2Settings

---
 .../auth/http/saml/HTTPSamlAuthenticator.java | 30 +++++--------------
 .../auth/http/saml/Saml2SettingsProvider.java | 25 +++++++++++++++-
 2 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
index de08053..9534a74 100644
--- a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
+++ b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
@@ -69,7 +69,6 @@ public class HTTPSamlAuthenticator implements HTTPAuthenticator, Destroyable {
 private String idpMetadataFile;
 private String spSignatureAlgorithm;
 private Boolean useForceAuthn;
- private PrivateKey spSignaturePrivateKey;
 private Saml2SettingsProvider saml2SettingsProvider;
 private MetadataResolver metadataResolver;
 private AuthTokenProcessorHandler authTokenProcessorHandler;
@@ -86,7 +85,6 @@ public HTTPSamlAuthenticator(final Settings settings, final Path configPath) {
 idpMetadataUrl = settings.get("idp.metadata_url");
 idpMetadataFile = settings.get("idp.metadata_file");
 spSignatureAlgorithm = settings.get("sp.signature_algorithm", Constants.RSA_SHA256);
- spSignaturePrivateKey = getSpSignaturePrivateKey(settings, configPath);
 useForceAuthn = settings.getAsBoolean("sp.forceAuthn", null);
 
 if (rolesKey == null || rolesKey.length() == 0) {
@@ -110,7 +108,8 @@ public HTTPSamlAuthenticator(final Settings settings, final Path configPath) { this.metadataResolver = createMetadataResolver(settings, configPath); - this.saml2SettingsProvider = new Saml2SettingsProvider(settings, this.metadataResolver); + this.saml2SettingsProvider = new Saml2SettingsProvider(settings, this.metadataResolver, configPath); + this.saml2SettingsProvider.getCached(); this.jwtSettings = this.createJwtAuthenticatorSettings(settings); @@ -194,22 +193,6 @@ private AuthnRequest buildAuthnRequest(Saml2Settings saml2Settings) { return new AuthnRequest(saml2Settings, forceAuthn, false, true); } - private PrivateKey getSpSignaturePrivateKey(Settings settings, Path configPath) throws Exception { - try { - PrivateKey result = PemKeyReader.loadKeyFromStream(settings.get("sp.signature_private_key_password"), - PemKeyReader.resolveStream("sp.signature_private_key", settings)); - - if (result == null) { - result = PemKeyReader.loadKeyFromFile(settings.get("sp.signature_private_key_password"), - PemKeyReader.resolve("sp.signature_private_key_filepath", settings, configPath, false)); - } - - return result; - } catch (Exception e) { - throw new Exception("Invalid value for sp.signature_private_key", e); - } - } - private URL getIdpUrl(IdpEndpointType endpointType, Saml2Settings saml2Settings) { if (endpointType == IdpEndpointType.SSO) { return saml2Settings.getIdpSingleSignOnServiceUrl(); 
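Review bot: `this.saml2SettingsProvider.getCached();` on the constructor's new line discards its return value and carries no comment, so it reads as a stray call; presumably it is there to build and cache the settings eagerly so that a bad `sp.signature_private_key` (now loaded inside the provider rather than by the removed `getSpSignaturePrivateKey`) fails at startup instead of on the first SAML redirect. Say so on the line: `// eagerly build the settings so a bad sp.signature_private_key surfaces at startup, not on the first login`. The removed constructor code threw a plain `Exception` for that misconfiguration; whatever `getCached()` throws now has to be covered by the constructor's `throws` clause or handled here, and the constructor starts and ends outside the hunk so that cannot be confirmed from the patch.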
@@ -372,24 +355,25 @@ private String getSamlRequestRedirectBindingLocation(IdpEndpointType idpEndpoint private String getSamlRequestQueryString(String samlRequest) throws Exception { - if (this.spSignaturePrivateKey == null) { + Saml2Settings saml2Settings = this.saml2SettingsProvider.getCached(); + if (saml2Settings.getSPkey() == null) { return "SAMLRequest=" + Util.urlEncoder(samlRequest); } String queryString = "SAMLRequest=" + Util.urlEncoder(samlRequest) + "&SigAlg=" + Util.urlEncoder(this.spSignatureAlgorithm); - String signature = getSamlRequestQueryStringSignature(queryString); + String signature = getSamlRequestQueryStringSignature(queryString,saml2Settings.getSPkey()); queryString += "&Signature=" + Util.urlEncoder(signature); return queryString; } - private String getSamlRequestQueryStringSignature(String samlRequestQueryString) throws Exception { + private String getSamlRequestQueryStringSignature(String samlRequestQueryString, PrivateKey spKey) throws Exception { try { return Util.base64encoder( - Util.sign(samlRequestQueryString, this.spSignaturePrivateKey, this.spSignatureAlgorithm)); + Util.sign(samlRequestQueryString, spKey, this.spSignatureAlgorithm)); } catch (Exception e) { throw new Exception("Error while signing SAML request", e); } diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java b/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java index 0daf02b..4140e47 100644 --- a/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java +++ b/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java @@ -15,6 +15,8 @@ package com.amazon.dlic.auth.http.saml; +import java.nio.file.Path; +import java.security.PrivateKey; import java.util.AbstractMap; import java.util.Collection; import java.util.HashMap; 
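Review bot: The new call `getSamlRequestQueryStringSignature(queryString,saml2Settings.getSPkey())` is missing the space after the comma, and the key is fetched twice from the settings object (once for the null check, once for the call); the same missing space appears in the `Saml2SettingsProvider` hunks (`initSpSignaturePrivateKey(esSettings,configProperties)` and the `configProperties.put(SettingsBuilder.SP_PRIVATEKEY_PROPERTY_KEY,result)` line). Read the key once into a local and use it for both: `PrivateKey spKey = saml2Settings.getSPkey();`, `if (spKey == null) {`, `String signature = getSamlRequestQueryStringSignature(queryString, spKey);`. The unsigned-request branch now depends on `Saml2Settings.getSPkey()` being null when no key is configured, which in turn depends on how the provider populates `SP_PRIVATEKEY_PROPERTY_KEY`, so a test covering both the signed and the unsigned redirect would pin that behaviour.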
@@ -23,6 +25,7 @@ import java.util.Set; import java.util.stream.Collectors; +import com.amazon.opendistroforelasticsearch.security.support.PemKeyReader; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.elasticsearch.common.settings.Settings; @@ -54,11 +57,13 @@ public class Saml2SettingsProvider { private String idpEntityId; private Saml2Settings cachedSaml2Settings; private DateTime metadataUpdateTime; + private Path configPath; - Saml2SettingsProvider(Settings esSettings, MetadataResolver metadataResolver) { + Saml2SettingsProvider(Settings esSettings, MetadataResolver metadataResolver, Path configPath) { this.esSettings = esSettings; this.metadataResolver = metadataResolver; this.idpEntityId = esSettings.get("idp.entity_id"); + this.configPath = configPath; } Saml2Settings get() throws SamlConfigException { @@ -86,6 +91,7 @@ Saml2Settings get() throws SamlConfigException { initSpEndpoints(configProperties); initMisc(configProperties); + initSpSignaturePrivateKey(esSettings,configProperties); SettingsBuilder settingsBuilder = new SettingsBuilder(); 
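Review bot: In the `@@ -86,6 +91,7` hunk, `initSpSignaturePrivateKey(esSettings,configProperties);` passes the `esSettings` field as an argument, while the sibling initializers on the two lines above (`initSpEndpoints`, `initMisc`) take only `configProperties` and read `this.esSettings` themselves; the new helper (in the `@@ -143` hunk) also reads the `configPath` field directly, so the extra parameter is just a second route to the same settings. Drop it: call `initSpSignaturePrivateKey(configProperties);` and use `this.esSettings` inside the helper. Separately, that helper stores `result` under `SP_PRIVATEKEY_PROPERTY_KEY` even when both lookups return null (no key configured); whether `SettingsBuilder` tolerates a null value there is not visible in this patch. If it does not, the unsigned-request branch in `HTTPSamlAuthenticator.getSamlRequestQueryString` (`getSPkey() == null`) can never be taken, so guarding the put with `if (result != null)` is the safer shape. `get()` starts and ends outside the hunk.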
@@ -143,6 +149,23 @@ private void initSpEndpoints(HashMap configProperties) { configProperties.put(SettingsBuilder.SP_ENTITYID_PROPERTY_KEY, this.esSettings.get("sp.entity_id")); } + private void initSpSignaturePrivateKey(Settings settings, HashMap configProperties) throws SamlConfigException { + try { + PrivateKey result = PemKeyReader.loadKeyFromStream(settings.get("sp.signature_private_key_password"), + PemKeyReader.resolveStream("sp.signature_private_key", settings)); + + if (result == null) { + result = PemKeyReader.loadKeyFromFile(settings.get("sp.signature_private_key_password"), + PemKeyReader.resolve("sp.signature_private_key_filepath", settings, configPath, false)); + } + + configProperties.put(SettingsBuilder.SP_PRIVATEKEY_PROPERTY_KEY,result); + + } catch (Exception e) { + throw new SamlConfigException("Invalid value for sp.signature_private_key", e); + } + } + private void initIdpEndpoints(IDPSSODescriptor idpSsoDescriptor, HashMap configProperties) throws SamlConfigException { SingleSignOnService singleSignOnService = this.findSingleSignOnService(idpSsoDescriptor,