opendistro-for-elasticsearch · jcleezer · Aug 2, 2019 · Aug 2, 2019 · Jan 29, 2020
diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
@@ -69,7 +69,6 @@ public class HTTPSamlAuthenticator implements HTTPAuthenticator, Destroyable {
     private String idpMetadataFile;
     private String spSignatureAlgorithm;
     private Boolean useForceAuthn;
-    private PrivateKey spSignaturePrivateKey;
     private Saml2SettingsProvider saml2SettingsProvider;
     private MetadataResolver metadataResolver;
     private AuthTokenProcessorHandler authTokenProcessorHandler;
@@ -86,7 +85,6 @@ public HTTPSamlAuthenticator(final Settings settings, final Path configPath) {
             idpMetadataUrl = settings.get("idp.metadata_url");
             idpMetadataFile = settings.get("idp.metadata_file");
             spSignatureAlgorithm = settings.get("sp.signature_algorithm", Constants.RSA_SHA256);
-            spSignaturePrivateKey = getSpSignaturePrivateKey(settings, configPath);
             useForceAuthn = settings.getAsBoolean("sp.forceAuthn", null);
 
             if (rolesKey == null || rolesKey.length() == 0) {
@@ -110,7 +108,7 @@ public HTTPSamlAuthenticator(final Settings settings, final Path configPath) {
 
             this.metadataResolver = createMetadataResolver(settings, configPath);
 
-            this.saml2SettingsProvider = new Saml2SettingsProvider(settings, this.metadataResolver);
+            this.saml2SettingsProvider = new Saml2SettingsProvider(settings, this.metadataResolver, configPath);
 
             try {
                 this.saml2SettingsProvider.getCached();
@@ -199,22 +197,6 @@ private AuthnRequest buildAuthnRequest(Saml2Settings saml2Settings) {
         return new AuthnRequest(saml2Settings, forceAuthn, false, true);
     }
 
-    private PrivateKey getSpSignaturePrivateKey(Settings settings, Path configPath) throws Exception {
-        try {
-            PrivateKey result = PemKeyReader.loadKeyFromStream(settings.get("sp.signature_private_key_password"),
-                    PemKeyReader.resolveStream("sp.signature_private_key", settings));
-
-            if (result == null) {
-                result = PemKeyReader.loadKeyFromFile(settings.get("sp.signature_private_key_password"),
-                        PemKeyReader.resolve("sp.signature_private_key_filepath", settings, configPath, false));
-            }
-
-            return result;
-        } catch (Exception e) {
-            throw new Exception("Invalid value for sp.signature_private_key", e);
-        }
-    }
-
     private URL getIdpUrl(IdpEndpointType endpointType, Saml2Settings saml2Settings) {
         if (endpointType == IdpEndpointType.SSO) {
             return saml2Settings.getIdpSingleSignOnServiceUrl();
@@ -377,24 +359,25 @@ private String getSamlRequestRedirectBindingLocation(IdpEndpointType idpEndpoint
 
     private String getSamlRequestQueryString(String samlRequest) throws Exception {
 
-        if (this.spSignaturePrivateKey == null) {
+        Saml2Settings saml2Settings = this.saml2SettingsProvider.getCached();
+        if (saml2Settings.getSPkey() == null) {
             return "SAMLRequest=" + Util.urlEncoder(samlRequest);
         }
 
         String queryString = "SAMLRequest=" + Util.urlEncoder(samlRequest) + "&SigAlg="
                 + Util.urlEncoder(this.spSignatureAlgorithm);
 
-        String signature = getSamlRequestQueryStringSignature(queryString);
+        String signature = getSamlRequestQueryStringSignature(queryString,saml2Settings.getSPkey());
 
         queryString += "&Signature=" + Util.urlEncoder(signature);
 
         return queryString;
     }
 
-    private String getSamlRequestQueryStringSignature(String samlRequestQueryString) throws Exception {
+    private String getSamlRequestQueryStringSignature(String samlRequestQueryString, PrivateKey spKey) throws Exception {
         try {
             return Util.base64encoder(
-                    Util.sign(samlRequestQueryString, this.spSignaturePrivateKey, this.spSignatureAlgorithm));
+                    Util.sign(samlRequestQueryString, spKey, this.spSignatureAlgorithm));
         } catch (Exception e) {
             throw new Exception("Error while signing SAML request", e);
         }

diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java b/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java
@@ -15,6 +15,8 @@
 
 package com.amazon.dlic.auth.http.saml;
 
+import java.nio.file.Path;
+import java.security.PrivateKey;
 import java.util.AbstractMap;
 import java.util.Collection;
 import java.util.HashMap;
@@ -23,6 +25,7 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 
+import com.amazon.opendistroforelasticsearch.security.support.PemKeyReader;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.common.settings.Settings;
@@ -54,11 +57,13 @@ public class Saml2SettingsProvider {
     private String idpEntityId;
     private Saml2Settings cachedSaml2Settings;
     private DateTime metadataUpdateTime;
+    private Path configPath;
 
-    Saml2SettingsProvider(Settings esSettings, MetadataResolver metadataResolver) {
+    Saml2SettingsProvider(Settings esSettings, MetadataResolver metadataResolver, Path configPath) {
         this.esSettings = esSettings;
         this.metadataResolver = metadataResolver;
         this.idpEntityId = esSettings.get("idp.entity_id");
+        this.configPath = configPath;
     }
 
     Saml2Settings get() throws SamlConfigException {
@@ -86,6 +91,7 @@ Saml2Settings get() throws SamlConfigException {
             initSpEndpoints(configProperties);
 
             initMisc(configProperties);
+            initSpSignaturePrivateKey(esSettings,configProperties);
 
             SettingsBuilder settingsBuilder = new SettingsBuilder();
 
@@ -143,6 +149,23 @@ private void initSpEndpoints(HashMap<String, Object> configProperties) {
         configProperties.put(SettingsBuilder.SP_ENTITYID_PROPERTY_KEY, this.esSettings.get("sp.entity_id"));
     }
 
+    private void initSpSignaturePrivateKey(Settings settings, HashMap<String, Object> configProperties) throws SamlConfigException {
+        try {
+            PrivateKey result = PemKeyReader.loadKeyFromStream(settings.get("sp.signature_private_key_password"),
+                    PemKeyReader.resolveStream("sp.signature_private_key", settings));
+
+            if (result == null) {
+                result = PemKeyReader.loadKeyFromFile(settings.get("sp.signature_private_key_password"),
+                        PemKeyReader.resolve("sp.signature_private_key_filepath", settings, configPath, false));
+            }
+
+            configProperties.put(SettingsBuilder.SP_PRIVATEKEY_PROPERTY_KEY,result);
+
+        } catch (Exception e) {
+            throw new SamlConfigException("Invalid value for sp.signature_private_key", e);
+        }
+    }
+
     private void initIdpEndpoints(IDPSSODescriptor idpSsoDescriptor, HashMap<String, Object> configProperties)
             throws SamlConfigException {
         SingleSignOnService singleSignOnService = this.findSingleSignOnService(idpSsoDescriptor,