Skip to content

Commit

Permalink
feat: support random generated relayState parameter (#299)
Browse files Browse the repository at this point in the history
  • Loading branch information
kuisathaverat authored Dec 12, 2022
1 parent 745feb1 commit 4dea915
Show file tree
Hide file tree
Showing 6 changed files with 50 additions and 3 deletions.
2 changes: 2 additions & 0 deletions doc/CONFIGURE.md
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,8 @@ you also could set the sessions on Jenkins to be shorter than those on your IdP.
rather than its default. Check with the IdP administrators to find out which authentication contexts are available
* **SP Entity ID** - If this field is not empty, it overrides the default Entity ID for this Service Provider.
Service Provider Entity IDs are usually a URL, like ***http://jenkins.example.org/securityRealm/finishLogin***.
* **Use cache for configuration files** - The SP metadata is written on every login, enable this setting change the behaviour to use cache, and save the file only if it has changes.
* **Use Random relayState value** - When you enable this option the value of the relayState parameter sent to the IdP is a random generated value. The default value of relayState is `JENKINS_URL/securityRealm/finishLogin`
* **Encryption** - If your provider requires encryption or signing, you can specify the keystore details here that should be used.
If you do not specify a keystore, the plugin would create one with a key that is valid for a year,
this key would be recreated when it expires, by default the key is not exposed in the SP metadata if you do not enable signing.
Expand Down
8 changes: 6 additions & 2 deletions src/main/java/org/jenkinsci/plugins/saml/OpenSAMLWrapper.java
Original file line number Diff line number Diff line change
Expand Up @@ -17,14 +17,14 @@

package org.jenkinsci.plugins.saml;

import java.io.IOException;
import java.util.Arrays;
import java.util.logging.Logger;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;
import org.pac4j.core.util.generator.RandomValueGenerator;
import org.pac4j.jee.context.JEEContext;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.exception.TechnicalException;
Expand Down Expand Up @@ -130,7 +130,8 @@ protected SAML2Client createSAML2Client() {
// tolerate missing SAML response Destination attribute https://github.com/pac4j/pac4j/pull/1871
config.setResponseDestinationAttributeMandatory(false);

if (samlPluginConfig.getAdvancedConfiguration() != null) {
SamlAdvancedConfiguration advancedConfiguration = samlPluginConfig.getAdvancedConfiguration();
if (advancedConfiguration != null) {

// request forced authentication at the IdP, if selected
config.setForceAuth(samlPluginConfig.getForceAuthn());
Expand Down Expand Up @@ -158,6 +159,9 @@ protected SAML2Client createSAML2Client() {
SAML2Client saml2Client = new SAML2Client(config);
saml2Client.setCallbackUrl(samlPluginConfig.getConsumerServiceUrl());
saml2Client.setCallbackUrlResolver(new NoParameterCallbackUrlResolver());
if(advancedConfiguration != null && advancedConfiguration.getRandomRelayState()){
saml2Client.setStateGenerator(new RandomValueGenerator());
}
saml2Client.init();

if (LOG.isLoggable(FINE)) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,8 @@ public class SamlAdvancedConfiguration extends AbstractDescribableImpl<SamlAdvan

private Boolean useDiskCache = false;

private Boolean randomRelayState = false;

@DataBoundConstructor
public SamlAdvancedConfiguration(Boolean forceAuthn,
String authnContextClassRef,
Expand Down Expand Up @@ -78,13 +80,23 @@ public void setUseDiskCache(Boolean useDiskCache) {
this.useDiskCache = useDiskCache;
}

public Boolean getRandomRelayState() {
return randomRelayState != null ? randomRelayState : false;
}

@DataBoundSetter
public void setRandomRelayState(Boolean randomRelayState) {
this.randomRelayState = randomRelayState;
}

@Override
public String toString() {
return "SamlAdvancedConfiguration{" + "forceAuthn=" + getForceAuthn() + ", authnContextClassRef='"
+ StringUtils.defaultIfBlank(getAuthnContextClassRef(), "none") + '\'' + ", spEntityId='"
+ StringUtils.defaultIfBlank(getSpEntityId(), "none") + '\'' + ", nameIdPolicyFormat='"
+ StringUtils.defaultIfBlank(getNameIdPolicyFormat(), "none") + '\''
+ "useDiskCache=" + getUseDiskCache() + '}';
+ ", useDiskCache=" + getUseDiskCache()
+ ", randomRelayState=" + getRandomRelayState() + '}';
}

@SuppressWarnings("unused")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,7 @@
<f:entry title="Use cache for configuration files" field="useDiskCache" help="/plugin/saml/help/useDiskCache.html">
<f:checkbox/>
</f:entry>
<f:entry title="Use Random relayState value" field="randomRelayState" help="/plugin/saml/help/randomRelayState.html">
<f:checkbox/>
</f:entry>
</j:jelly>
4 changes: 4 additions & 0 deletions src/main/webapp/help/randomRelayState.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
<div>
When you enable this option the value of the relayState parameter sent to the IdP is a random generated value.
The default value of relayState is <b>JENKINS_URL/securityRealm/finishLogin</b>
</div>
22 changes: 22 additions & 0 deletions src/test/java/org/jenkinsci/plugins/saml/LiveTest.java
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,28 @@ public void run(JenkinsRule r) throws Throwable {
}
}

@Test
public void authenticationRelayStateRandom() throws Throwable {
then(() -> new AuthenticationRelayStateRandom(readIdPMetadataFromURL()));
}
private static class AuthenticationRelayStateRandom implements RealJenkinsRule.Step {
private final String idpMetadata;
AuthenticationRelayStateRandom(String idpMetadata) {
this.idpMetadata = idpMetadata;
}
@Override
public void run(JenkinsRule r) throws Throwable {
IdpMetadataConfiguration idpMetadataConfiguration = new IdpMetadataConfiguration(idpMetadata);
SamlAdvancedConfiguration advancedConfiguration = new SamlAdvancedConfiguration(
false, null, SERVICE_PROVIDER_ID, null);
advancedConfiguration.setRandomRelayState(true);
SamlSecurityRealm realm = configureBasicSettings(idpMetadataConfiguration, advancedConfiguration, SAML2_REDIRECT_BINDING_URI);
r.jenkins.setSecurityRealm(realm);
configureAuthorization();
makeLoginWithUser1(r);
}
}

@Test
public void authenticationOKFromURL() throws Throwable {
then(() -> new AuthenticationOKFromURL(createIdPMetadataURL()));
Expand Down

0 comments on commit 4dea915

Please sign in to comment.