Merge pull request 'Improve SAML Logout' (#28) from feature/saml into develop

Author: fmichielssen

.gitignore

@@ -1,3 +1,6 @@
 /target/
 application.yml
 logs
+
+.idea
+*.iml

pom.xml

@@ -252,8 +252,7 @@
 		<!-- UI frameworks -->
 		<dependency>
 			<groupId>org.thymeleaf.extras</groupId>
-			<artifactId>thymeleaf-extras-springsecurity4</artifactId>
-			<version>3.0.2.RELEASE</version>
+			<artifactId>thymeleaf-extras-springsecurity5</artifactId>
 		</dependency>
 		<dependency>
 			<groupId>org.webjars</groupId>

src/main/java/eu/openanalytics/containerproxy/auth/IAuthenticationBackend.java

@@ -59,7 +59,11 @@ public interface IAuthenticationBackend {
 	public default String getLogoutSuccessURL() {
 		return "/login";
 	}
-	
+
+	public default String getLogoutURL() {
+		return "/logout";
+	}
+
 	public default void customizeContainer(ContainerSpec spec) {
 		// Default: do nothing.
 	}

src/main/java/eu/openanalytics/containerproxy/auth/impl/SAMLAuthenticationBackend.java

@@ -42,6 +42,8 @@
 public class SAMLAuthenticationBackend implements IAuthenticationBackend {
 
 	public static final String NAME = "saml";
+
+	private static final String PROP_LOGOUT_URL = "proxy.saml.logout-url";
 
 	@Autowired(required = false)
 	private SAMLEntryPoint samlEntryPoint;
@@ -86,9 +88,17 @@ public void configureAuthenticationManagerBuilder(AuthenticationManagerBuilder a
         auth.authenticationProvider(samlAuthenticationProvider);
 	}
 
+	@Override
+	public String getLogoutURL() {
+		if (environment.getProperty(PROP_LOGOUT_URL) != null) {
+			return "/logout";
+		}
+		return "/saml/logout";
+	}
+
 	@Override
 	public String getLogoutSuccessURL() {
-		String logoutURL = environment.getProperty("proxy.saml.logout-url");
+		String logoutURL = environment.getProperty(PROP_LOGOUT_URL);
 		System.out.println("LogoutURL: " + logoutURL);
 		if (logoutURL == null || logoutURL.trim().isEmpty()) logoutURL = "/";
 		return logoutURL;

src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/AttributeUtils.java

@@ -0,0 +1,83 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2020 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.auth.impl.saml;
+
+import org.apache.logging.log4j.Logger;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.xml.XMLObject;
+import org.opensaml.xml.schema.XSAny;
+import org.opensaml.xml.schema.XSString;
+import org.springframework.security.saml.SAMLCredential;
+
+import java.util.List;
+
+public class AttributeUtils {
+
+    public static String getAttributeValue(Attribute attribute) {
+        // copied from Attribute class ...
+        List<XMLObject> attributeValues = attribute.getAttributeValues();
+        if (attributeValues == null || attributeValues.size() == 0) {
+            return null;
+        }
+        XMLObject xmlValue = attributeValues.iterator().next();
+        return getString(xmlValue);
+    }
+
+    public static String[] getAttributeAsStringArray(Attribute attribute) {
+        if (attribute == null) {
+            return null;
+        }
+        List<XMLObject> attributeValues = attribute.getAttributeValues();
+        if (attributeValues == null || attributeValues.size() == 0) {
+            return new String[0];
+        }
+        String[] result = new String[attributeValues.size()];
+        int i = 0;
+        for (XMLObject attributeValue : attributeValues) {
+            result[i++] = getString(attributeValue);
+        }
+        return result;
+    }
+
+    private static String getString(XMLObject xmlValue) {
+        if (xmlValue instanceof XSString) {
+            return ((XSString) xmlValue).getValue();
+        } else if (xmlValue instanceof XSAny) {
+            return ((XSAny) xmlValue).getTextContent();
+        } else {
+            return null;
+        }
+    }
+
+    public static void logAttributes(Logger logger, SAMLCredential credential) {
+        String userID = credential.getNameID().getValue();
+        List<Attribute> attributes = credential.getAttributes();
+        attributes.forEach((attribute) -> {
+            logger.info(String.format("[SAML] User: \"%s\" => attribute => name=\"%s\"(\"%s\") => value \"%s\" - \"%s\"",
+                    userID,
+                    attribute.getName(),
+                    attribute.getFriendlyName(),
+                    getAttributeValue(attribute),
+                    String.join(", ", getAttributeAsStringArray(attribute))));
+        });
+
+    }
+}

src/main/java/eu/openanalytics/containerproxy/auth/impl/saml/SAMLConfiguration.java

@@ -20,6 +20,7 @@
  */
 package eu.openanalytics.containerproxy.auth.impl.saml;
 
+import eu.openanalytics.containerproxy.auth.UserLogoutHandler;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -31,13 +32,19 @@
 import javax.inject.Inject;
 
 import org.apache.commons.httpclient.HttpClient;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.apache.velocity.app.VelocityEngine;
+import org.opensaml.saml2.core.Attribute;
 import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
 import org.opensaml.saml2.metadata.provider.MetadataProvider;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.opensaml.util.resource.ResourceException;
+import org.opensaml.xml.XMLObject;
 import org.opensaml.xml.parse.StaticBasicParserPool;
 import org.opensaml.xml.parse.XMLParserException;
+import org.opensaml.xml.schema.XSAny;
+import org.opensaml.xml.schema.XSString;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
@@ -51,11 +58,7 @@
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import org.springframework.security.saml.SAMLAuthenticationProvider;
-import org.springframework.security.saml.SAMLBootstrap;
-import org.springframework.security.saml.SAMLCredential;
-import org.springframework.security.saml.SAMLEntryPoint;
-import org.springframework.security.saml.SAMLProcessingFilter;
+import org.springframework.security.saml.*;
 import org.springframework.security.saml.context.SAMLContextProvider;
 import org.springframework.security.saml.context.SAMLContextProviderImpl;
 import org.springframework.security.saml.key.EmptyKeyManager;
@@ -70,6 +73,8 @@
 import org.springframework.security.saml.processor.SAMLProcessorImpl;
 import org.springframework.security.saml.userdetails.SAMLUserDetailsService;
 import org.springframework.security.saml.util.VelocityFactory;
+import org.springframework.security.saml.websso.SingleLogoutProfile;
+import org.springframework.security.saml.websso.SingleLogoutProfileImpl;
 import org.springframework.security.saml.websso.WebSSOProfile;
 import org.springframework.security.saml.websso.WebSSOProfileConsumer;
 import org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl;
@@ -81,33 +86,86 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
+import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 @Configuration
 @ConditionalOnProperty(name="proxy.authentication", havingValue="saml")
 public class SAMLConfiguration {
 
 	private static final String DEFAULT_NAME_ATTRIBUTE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
-	
+
+	private static final String PROP_LOG_ATTRIBUTES = "proxy.saml.log-attributes";
+	private static final String PROP_FORCE_AUTHN = "proxy.saml.force-authn";
+	private static final String PROP_KEYSTORE = "proxy.saml.keystore";
+	private static final String PROP_ENCRYPTION_CERT_NAME = "proxy.saml.encryption-cert-name";
+	private static final String PROP_ENCRYPTION_CERT_PASSWORD = "proxy.saml.encryption-cert-password";
+	private static final String PROP_ENCRYPTION_KEYSTORE_PASSWORD = "proxy.saml.keystore-password";
+	private static final String PROP_APP_ENTITY_ID = "proxy.saml.app-entity-id";
+	private static final String PROP_BASE_URL = "proxy.saml.app-base-url";
+	private static final String PROP_METADATA_URL = "proxy.saml.idp-metadata-url";
+
 	@Inject
 	private Environment environment;
 
 	@Inject
 	@Lazy
 	private AuthenticationManager authenticationManager;
+
+	@Inject
+	private UserLogoutHandler userLogoutHandler;
 
 	@Bean
 	public SAMLEntryPoint samlEntryPoint() {
 		SAMLEntryPoint samlEntryPoint = new SAMLEntryPoint();
 		samlEntryPoint.setDefaultProfileOptions(defaultWebSSOProfileOptions());
 		return samlEntryPoint;
 	}
+
+	@Bean
+	public SingleLogoutProfile logoutProfile() {
+		return new SingleLogoutProfileImpl();
+	}
+
+	@Bean
+	public SAMLLogoutFilter samlLogoutFilter() {
+		return new SAMLLogoutFilter(successLogoutHandler(),
+				new LogoutHandler[]{userLogoutHandler, securityContextLogoutHandler()},
+				new LogoutHandler[]{userLogoutHandler, securityContextLogoutHandler()});
+	}
+
+	/**
+	 * Filter responsible for the `/saml/SingleLogout` endpoint. This makes it possible for users to logout in the IDP
+	 * or any other application and get automatically logged out in ShinyProxy as well.
+	 */
+	@Bean
+	public SAMLLogoutProcessingFilter samlLogoutProcessingFilter() {
+		return new SAMLLogoutProcessingFilter(successLogoutHandler(),
+				securityContextLogoutHandler());
+	}
+
+	@Bean
+	public SecurityContextLogoutHandler securityContextLogoutHandler() {
+		SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();
+		logoutHandler.setInvalidateHttpSession(true);
+		logoutHandler.setClearAuthentication(true);
+		return logoutHandler;
+	}
+
+	@Bean
+	public SimpleUrlLogoutSuccessHandler successLogoutHandler() {
+		SimpleUrlLogoutSuccessHandler successLogoutHandler = new SimpleUrlLogoutSuccessHandler();
+		successLogoutHandler.setDefaultTargetUrl("/");
+		return successLogoutHandler;
+	}
 
 	@Bean
 	public WebSSOProfileOptions defaultWebSSOProfileOptions() {
 		WebSSOProfileOptions webSSOProfileOptions = new WebSSOProfileOptions();
 		webSSOProfileOptions.setIncludeScoping(false);
-		webSSOProfileOptions.setForceAuthN(Boolean.valueOf(environment.getProperty("proxy.saml.force-authn", "false")));
+		webSSOProfileOptions.setForceAuthN(Boolean.valueOf(environment.getProperty(PROP_FORCE_AUTHN, "false")));
 		return webSSOProfileOptions;
 	}
 
@@ -123,13 +181,13 @@ public WebSSOProfile webSSOprofile() {
 
 	@Bean
 	public KeyManager keyManager() {
-		String keystore = environment.getProperty("proxy.saml.keystore");
+		String keystore = environment.getProperty(PROP_KEYSTORE);
 		if (keystore == null || keystore.isEmpty()) {
 			return new EmptyKeyManager();
 		} else {
-			String certName = environment.getProperty("proxy.saml.encryption-cert-name");
-			String certPW = environment.getProperty("proxy.saml.encryption-cert-password");
-			String keystorePW = environment.getProperty("proxy.saml.keystore-password", certPW);
+			String certName = environment.getProperty(PROP_ENCRYPTION_CERT_NAME);
+			String certPW = environment.getProperty(PROP_ENCRYPTION_CERT_PASSWORD);
+			String keystorePW = environment.getProperty(PROP_ENCRYPTION_KEYSTORE_PASSWORD, certPW);
 
 			Resource keystoreFile = new FileSystemResource(keystore);
 			Map<String, String> passwords = new HashMap<>();
@@ -193,8 +251,8 @@ public MetadataDisplayFilter metadataDisplayFilter() throws MetadataProviderExce
 
 	@Bean
 	public MetadataGenerator metadataGenerator() {
-		String appEntityId = environment.getProperty("proxy.saml.app-entity-id");
-		String appBaseURL = environment.getProperty("proxy.saml.app-base-url");
+		String appEntityId = environment.getProperty(PROP_APP_ENTITY_ID);
+		String appBaseURL = environment.getProperty(PROP_BASE_URL);
 
 		MetadataGenerator metadataGenerator = new MetadataGenerator();
 		metadataGenerator.setEntityId(appEntityId);
@@ -215,7 +273,7 @@ public ExtendedMetadata extendedMetadata() {
 
 	@Bean
 	public ExtendedMetadataDelegate idpMetadata() throws MetadataProviderException, ResourceException {
-		String metadataURL = environment.getProperty("proxy.saml.idp-metadata-url");
+		String metadataURL = environment.getProperty(PROP_METADATA_URL);
 
 		Timer backgroundTaskTimer = new Timer(true);
 		HTTPMetadataProvider httpMetadataProvider = new HTTPMetadataProvider(backgroundTaskTimer, new HttpClient(), metadataURL);   httpMetadataProvider.setParserPool(parserPool());
@@ -281,21 +339,32 @@ public WebSSOProfileConsumerHoKImpl hokWebSSOprofileConsumer() {
 	public SAMLFilterSet samlFilter() throws Exception {
 		List<SecurityFilterChain> chains = new ArrayList<SecurityFilterChain>();
 		chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/login/**"), samlEntryPoint()));
+		chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/logout/**"), samlLogoutFilter()));
+		chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SingleLogout/**"), samlLogoutProcessingFilter()));
 		chains.add(new DefaultSecurityFilterChain(new AntPathRequestMatcher("/saml/SSO/**"), samlWebSSOProcessingFilter()));
 		return new SAMLFilterSet(chains);
 	}
 
+	private final Logger log = LogManager.getLogger(getClass());
+
+
+
 	@Bean
 	public SAMLAuthenticationProvider samlAuthenticationProvider() {
 		SAMLAuthenticationProvider samlAuthenticationProvider = new SAMLAuthenticationProvider();
 	    samlAuthenticationProvider.setUserDetails(new SAMLUserDetailsService() {
 	    	@Override
 	    	public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
-	    		String nameAttribute = environment.getProperty("proxy.saml.name-attribute", DEFAULT_NAME_ATTRIBUTE);
-	    		String nameValue = credential.getAttributeAsString(nameAttribute);
-	    		if (nameValue == null) throw new UsernameNotFoundException("Name attribute missing from SAML assertion: " + nameAttribute);
-	    		
-	    		List<GrantedAuthority> auth = new ArrayList<>();
+
+				if (Boolean.parseBoolean(environment.getProperty(PROP_LOG_ATTRIBUTES, "false"))) {
+                    AttributeUtils.logAttributes(log, credential);
+				}
+
+				String nameAttribute = environment.getProperty("proxy.saml.name-attribute", DEFAULT_NAME_ATTRIBUTE);
+				String nameValue = credential.getAttributeAsString(nameAttribute);
+				if (nameValue == null) throw new UsernameNotFoundException("Name attribute missing from SAML assertion: " + nameAttribute);
+
+				List<GrantedAuthority> auth = new ArrayList<>();
 	    		String rolesAttribute = environment.getProperty("proxy.saml.roles-attribute");
 	    		if (rolesAttribute != null  && !rolesAttribute.trim().isEmpty()) {
 	    			String[] roles = credential.getAttributeAsStringArray(rolesAttribute);

src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java

@@ -135,6 +135,8 @@ protected void configure(HttpSecurity http) throws Exception {
 					.loginPage("/login")
 					.and()
 				.logout()
+					.logoutUrl(auth.getLogoutURL())
+					// important: set the next option after logoutUrl because it would otherwise get overwritten
 					.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
 					.addLogoutHandler(logoutHandler)
 					.logoutSuccessUrl(auth.getLogoutSuccessURL());