Bump OpenSAML to 5.1.3

Signed-off-by: Andrey Pleskach <[email protected]>
willyborankin · Jan 17, 2025 · 6e787b2 · 6e787b2
1 parent 48be2af
commit 6e787b2
Show file tree

Hide file tree

Showing 10 changed files with 189 additions and 78 deletions.
diff --git a/build.gradle b/build.gradle
@@ -27,7 +27,8 @@ buildscript {
         common_utils_version = System.getProperty("common_utils.version", '3.0.0.0-SNAPSHOT')
 
         kafka_version  = '3.7.1'
-        open_saml_version = '4.3.2'
+        open_saml_version = '5.1.3'
+        open_saml_shib_version = "9.1.3"
         one_login_java_saml = '2.9.0'
         jjwt_version = '0.12.6'
         guava_version = '32.1.3-jre'
@@ -618,16 +619,21 @@ dependencies {
 
     testImplementation 'org.apache.camel:camel-xmlsecurity:3.22.3'
 
-    //OpenSAML
-    implementation 'net.shibboleth.utilities:java-support:8.4.2'
-    runtimeOnly "io.dropwizard.metrics:metrics-core:4.2.29"
+    //Onelogin OpenSaml
     implementation "com.onelogin:java-saml:${one_login_java_saml}"
     implementation "com.onelogin:java-saml-core:${one_login_java_saml}"
-    implementation "org.opensaml:opensaml-core:${open_saml_version}"
-    implementation "org.opensaml:opensaml-security-impl:${open_saml_version}"
+    //OpenSAML
+    runtimeOnly "io.dropwizard.metrics:metrics-core:4.2.29"
+    implementation "net.shibboleth:shib-support:${open_saml_shib_version}"
+    implementation "net.shibboleth:shib-security:${open_saml_shib_version}"
+    implementation "net.shibboleth:shib-networking:${open_saml_shib_version}"
+    implementation "org.opensaml:opensaml-core-api:${open_saml_version}"
+    implementation "org.opensaml:opensaml-core-impl:${open_saml_version}"
     implementation "org.opensaml:opensaml-security-api:${open_saml_version}"
+    implementation "org.opensaml:opensaml-security-impl:${open_saml_version}"
     implementation "org.opensaml:opensaml-xmlsec-api:${open_saml_version}"
     implementation "org.opensaml:opensaml-xmlsec-impl:${open_saml_version}"
+
     implementation "org.opensaml:opensaml-saml-api:${open_saml_version}"
     implementation ("org.opensaml:opensaml-saml-impl:${open_saml_version}") {
         exclude(group: 'org.apache.velocity', module: 'velocity')
@@ -638,6 +644,7 @@ dependencies {
     runtimeOnly "org.opensaml:opensaml-soap-impl:${open_saml_version}"
     implementation "org.opensaml:opensaml-storage-api:${open_saml_version}"
 
+
     implementation "com.nulab-inc:zxcvbn:1.9.0"
 
     runtimeOnly 'com.google.guava:failureaccess:1.0.2'
@@ -661,6 +668,7 @@ dependencies {
 
 
     testImplementation "org.opensaml:opensaml-messaging-impl:${open_saml_version}"
+    testImplementation "jakarta.servlet:jakarta.servlet-api:6.1.0"
     implementation "org.apache.commons:commons-lang3:${versions.commonslang}"
     testImplementation "org.opensearch:common-utils:${common_utils_version}"
     testImplementation "org.opensearch.plugin:reindex-client:${opensearch_version}"
@@ -671,11 +679,9 @@ dependencies {
     testImplementation "org.opensearch.plugin:aggs-matrix-stats-client:${opensearch_version}"
     testImplementation "org.opensearch.plugin:search-pipeline-common:${opensearch_version}"
     testImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
-    testImplementation 'javax.servlet:servlet-api:2.5'
     testImplementation 'com.unboundid:unboundid-ldapsdk:4.0.14'
     testImplementation 'com.github.stephenc.jcip:jcip-annotations:1.0-1'
     testImplementation 'com.unboundid:unboundid-ldapsdk:4.0.14'
-    testImplementation 'javax.servlet:servlet-api:2.5'
     testImplementation 'org.apache.httpcomponents:fluent-hc:4.5.14'
     testImplementation "org.apache.httpcomponents.client5:httpclient5-fluent:${versions.httpclient5}"
     testImplementation "org.apache.kafka:kafka_2.13:${kafka_version}"

diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java b/src/main/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticator.java
@@ -55,12 +55,13 @@
 import com.nimbusds.jose.jwk.JWK;
 import com.onelogin.saml2.authn.AuthnRequest;
 import com.onelogin.saml2.logout.LogoutRequest;
+import com.onelogin.saml2.logout.LogoutRequestParams;
 import com.onelogin.saml2.settings.Saml2Settings;
 import com.onelogin.saml2.util.Constants;
 import com.onelogin.saml2.util.Util;
-import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
-import net.shibboleth.utilities.java.support.component.DestructableComponent;
-import net.shibboleth.utilities.java.support.xml.BasicParserPool;
+import net.shibboleth.shared.component.ComponentInitializationException;
+import net.shibboleth.shared.component.DestructableComponent;
+import net.shibboleth.shared.xml.impl.BasicParserPool;
 import org.opensaml.core.config.InitializationException;
 import org.opensaml.core.config.InitializationService;
 import org.opensaml.core.config.Initializer;
@@ -409,7 +410,7 @@ String buildLogoutUrl(AuthCredentials authCredentials) {
             String nameIdFormat = SamlNameIdFormat.getByShortName(authCredentials.getAttributes().get("attr.jwt.saml_nif")).getUri();
             String sessionIndex = authCredentials.getAttributes().get("attr.jwt.saml_si");
 
-            LogoutRequest logoutRequest = new LogoutRequest(saml2Settings, null, nameId, sessionIndex, nameIdFormat);
+            LogoutRequest logoutRequest = new LogoutRequest(saml2Settings, new LogoutRequestParams(sessionIndex, nameId, nameIdFormat));
 
             return getSamlRequestRedirectBindingLocation(IdpEndpointType.SLO, saml2Settings, logoutRequest.getEncodedLogoutRequest(true));
 

diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java b/src/main/java/com/amazon/dlic/auth/http/saml/Saml2SettingsProvider.java
@@ -32,8 +32,8 @@
 import com.amazon.dlic.auth.http.jwt.keybyoidc.AuthenticatorUnavailableException;
 import com.onelogin.saml2.settings.Saml2Settings;
 import com.onelogin.saml2.settings.SettingsBuilder;
-import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
-import net.shibboleth.utilities.java.support.resolver.ResolverException;
+import net.shibboleth.shared.resolver.CriteriaSet;
+import net.shibboleth.shared.resolver.ResolverException;
 import org.opensaml.core.criterion.EntityIdCriterion;
 import org.opensaml.saml.metadata.resolver.MetadataResolver;
 import org.opensaml.saml.metadata.resolver.RefreshableMetadataResolver;

diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java b/src/main/java/com/amazon/dlic/auth/http/saml/SamlFilesystemMetadataResolver.java
@@ -20,7 +20,7 @@
 import org.opensearch.common.settings.Settings;
 import org.opensearch.env.Environment;
 
-import net.shibboleth.utilities.java.support.resolver.ResolverException;
+import net.shibboleth.shared.resolver.ResolverException;
 import org.opensaml.saml.metadata.resolver.impl.FilesystemMetadataResolver;
 
 public class SamlFilesystemMetadataResolver extends FilesystemMetadataResolver {
@@ -33,12 +33,7 @@ public class SamlFilesystemMetadataResolver extends FilesystemMetadataResolver {
     @SuppressWarnings("removal")
     protected byte[] fetchMetadata() throws ResolverException {
         try {
-            return AccessController.doPrivileged(new PrivilegedExceptionAction<byte[]>() {
-                @Override
-                public byte[] run() throws ResolverException {
-                    return SamlFilesystemMetadataResolver.super.fetchMetadata();
-                }
-            });
+            return AccessController.doPrivileged((PrivilegedExceptionAction<byte[]>) SamlFilesystemMetadataResolver.super::fetchMetadata);
         } catch (PrivilegedActionException e) {
 
             if (e.getCause() instanceof ResolverException) {

diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver.java b/src/main/java/com/amazon/dlic/auth/http/saml/SamlHTTPMetadataResolver.java
@@ -17,15 +17,16 @@
 import java.security.PrivilegedExceptionAction;
 import java.time.Duration;
 
-import org.apache.http.client.HttpClient;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.apache.http.impl.client.HttpClients;
+import org.apache.hc.client5.http.classic.HttpClient;
+import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
 
 import org.opensearch.SpecialPermission;
 import org.opensearch.common.settings.Settings;
 
 import com.amazon.dlic.util.SettingsBasedSSLConfiguratorV4;
-import net.shibboleth.utilities.java.support.resolver.ResolverException;
+import net.shibboleth.shared.resolver.ResolverException;
 import org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver;
 
 public class SamlHTTPMetadataResolver extends HTTPMetadataResolver {
@@ -41,7 +42,7 @@ public class SamlHTTPMetadataResolver extends HTTPMetadataResolver {
     @SuppressWarnings("removal")
     protected byte[] fetchMetadata() throws ResolverException {
         try {
-            return AccessController.doPrivileged((PrivilegedExceptionAction<byte[]>) () -> SamlHTTPMetadataResolver.super.fetchMetadata());
+            return AccessController.doPrivileged((PrivilegedExceptionAction<byte[]>) SamlHTTPMetadataResolver.super::fetchMetadata);
         } catch (PrivilegedActionException e) {
 
             if (e.getCause() instanceof ResolverException) {
@@ -65,12 +66,7 @@ private static HttpClient createHttpClient(Settings settings, Path configPath) t
                 sm.checkPermission(new SpecialPermission());
             }
 
-            return AccessController.doPrivileged(new PrivilegedExceptionAction<HttpClient>() {
-                @Override
-                public HttpClient run() throws Exception {
-                    return createHttpClient0(settings, configPath);
-                }
-            });
+            return AccessController.doPrivileged((PrivilegedExceptionAction<HttpClient>) () -> createHttpClient0(settings, configPath));
         } catch (PrivilegedActionException e) {
             if (e.getCause() instanceof Exception) {
                 throw (Exception) e.getCause();
@@ -81,15 +77,15 @@ public HttpClient run() throws Exception {
     }
 
     private static HttpClient createHttpClient0(Settings settings, Path configPath) throws Exception {
-
         HttpClientBuilder builder = HttpClients.custom();
-
         builder.useSystemProperties();
 
         SettingsBasedSSLConfiguratorV4.SSLConfig sslConfig = getSSLConfig(settings, configPath);
 
         if (sslConfig != null) {
-            builder.setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory());
+            builder.setConnectionManager(
+                PoolingHttpClientConnectionManagerBuilder.create().setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory5()).build()
+            );
         }
 
         return builder.build();

diff --git a/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfiguratorV4.java b/src/main/java/com/amazon/dlic/util/SettingsBasedSSLConfiguratorV4.java
@@ -478,6 +478,15 @@ public SSLConnectionSocketFactory toSSLConnectionSocketFactory() {
             return new SSLConnectionSocketFactory(sslContext, supportedProtocols, supportedCipherSuites, hostnameVerifier);
         }
 
+        public org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory toSSLConnectionSocketFactory5() {
+            return new org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory(
+                sslContext,
+                supportedProtocols,
+                supportedCipherSuites,
+                hostnameVerifier
+            );
+        }
+
         public boolean isStartTlsEnabled() {
             return startTlsEnabled;
         }

diff --git a/src/main/java/org/opensearch/security/opensaml/integration/SecurityX509CRLImpl.java b/src/main/java/org/opensearch/security/opensaml/integration/SecurityX509CRLImpl.java
@@ -17,7 +17,7 @@
 import java.util.Objects;
 import javax.annotation.Nonnull;
 
-import net.shibboleth.utilities.java.support.collection.IndexingObjectStore;
+import net.shibboleth.shared.collection.IndexingObjectStore;
 import org.opensaml.core.xml.AbstractXMLObject;
 import org.opensaml.core.xml.XMLObject;
 import org.opensaml.xmlsec.signature.X509CRL;

diff --git a/src/main/java/org/opensearch/security/opensaml/integration/SecurityX509CertificateImpl.java b/src/main/java/org/opensearch/security/opensaml/integration/SecurityX509CertificateImpl.java
@@ -17,7 +17,7 @@
 import java.util.Objects;
 import javax.annotation.Nonnull;
 
-import net.shibboleth.utilities.java.support.collection.IndexingObjectStore;
+import net.shibboleth.shared.collection.IndexingObjectStore;
 import org.opensaml.core.xml.AbstractXMLObject;
 import org.opensaml.core.xml.XMLObject;
 import org.opensaml.xmlsec.signature.X509Certificate;

diff --git a/...va/org/opensearch/security/opensaml/integration/SecurityXMLObjectProviderInitializer.java b/...va/org/opensearch/security/opensaml/integration/SecurityXMLObjectProviderInitializer.java
@@ -17,7 +17,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import net.shibboleth.utilities.java.support.primitive.StringSupport;
+import net.shibboleth.shared.primitive.StringSupport;
 import org.opensaml.core.config.InitializationException;
 import org.opensaml.core.xml.config.XMLConfigurationException;
 import org.opensaml.core.xml.config.XMLConfigurator;