Merge pull request #27 from mlbiam/master

better tls support, better saml xml support
TremoloSecurity · Aug 21, 2020 · 77cbfe6 · 77cbfe6
2 parents 660744d + 724230d
commit 77cbfe6
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 7 deletions.
diff --git a/src/main/js/.deploy-upstream-k8s.js.swp b/src/main/js/.deploy-upstream-k8s.js.swp
diff --git a/src/main/js/deploy-upstream-k8s.js b/src/main/js/deploy-upstream-k8s.js
@@ -127,7 +127,7 @@ function create_k8s_deployment() {
                             "env": [
                                 {
                                     "name": "JAVA_OPTS",
-                                    "value": "-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom\n-DunisonEnvironmentFile=/etc/openunison/ou.env"
+                                    "value": "-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom -DunisonEnvironmentFile=/etc/openunison/ou.env -Djavax.net.ssl.trustStore=/etc/openunison/unisonKeyStore.p12"
                                 },
                                 {
                                     "name": "fortriggerupdates",

diff --git a/src/main/js/helpers.js b/src/main/js/helpers.js
@@ -409,6 +409,10 @@ function import_saml_idps() {
         if (remote_idp.source.url != null && remote_idp.source.url !== "") {
             print("Downloading metadata from : " + remote_idp.source.url + "'");
             xml_metadata = NetUtil.downloadFile(remote_idp.source.url);
+            print("XML Metadata :");
+            print("--------------");
+            print(xml_metadata);
+            print("--------------")
             print("Downloaded");
         } else {
             xml_metadata = remote_idp.source.xml;
@@ -419,13 +423,20 @@ function import_saml_idps() {
         }
 
         dbFactory = javax.xml.parsers.DocumentBuilderFactory.newInstance();
+        dbFactory.setNamespaceAware(true);
         dBuilder = dbFactory.newDocumentBuilder();
         doc = dBuilder.parse(new java.io.ByteArrayInputStream(xml_metadata.getBytes("UTF-8")));
 
+        xpath = javax.xml.xpath.XPathFactory.newInstance().newXPath();
+        node = xpath.compile("/*[local-name() = 'EntityDescriptor']").evaluate(doc,javax.xml.xpath.XPathConstants.NODE);
+
+
+
         //get entity id
-        entityId = doc.getElementsByTagName("EntityDescriptor").item(0).getAttribute("entityID");
+        entityId = node.getAttribute("entityID");
 
-        idp = doc.getElementsByTagName("IDPSSODescriptor").item(0);
+        xpathexpr = "//*[local-name() = 'IDPSSODescriptor']";
+        idp = xpath.compile(xpathexpr).evaluate(node,javax.xml.xpath.XPathConstants.NODE);
 
         singleLogoutURL = "";
         ssoGetURL = "";
@@ -437,7 +448,8 @@ function import_saml_idps() {
 
 
         //single logout
-        slos = idp.getElementsByTagName("SingleLogoutService");
+        xpathexpr = "//*[local-name() = 'SingleLogoutService']";
+        slos = xpath.compile(xpathexpr).evaluate(node,javax.xml.xpath.XPathConstants.NODESET);
 
         for (i = 0;i<slos.getLength();i++) {
             slo = slos.item(i);
@@ -447,7 +459,8 @@ function import_saml_idps() {
         }
 
         //single sign on
-        ssos = idp.getElementsByTagName("SingleSignOnService");
+        xpathexpr = "//*[local-name() = 'SingleSignOnService']";
+        ssos = xpath.compile(xpathexpr).evaluate(node,javax.xml.xpath.XPathConstants.NODESET);
 
         for (i = 0;i<ssos.getLength();i++) {
             sso = ssos.item(i);
@@ -458,13 +471,16 @@ function import_saml_idps() {
             }
         }
 
-        keys = idp.getElementsByTagName("KeyDescriptor");
+        xpathexpr = "//*[local-name() = 'KeyDescriptor']";
+        keys = xpath.compile(xpathexpr).evaluate(node,javax.xml.xpath.XPathConstants.NODESET);
 
         for (i=0;i<keys.getLength();i++) {
             key = keys.item(i);
 
             if (key.getAttribute("use").equalsIgnoreCase("signing")) {
-                sig_cert = key.getElementsByTagName("KeyInfo").item(0).getElementsByTagName("X509Data").item(0).getElementsByTagName("X509Certificate").item(0).getTextContent();
+                xpathexpr = "//*[local-name() = 'X509Certificate']";
+                cert_tag = xpath.compile(xpathexpr).evaluate(key,javax.xml.xpath.XPathConstants.NODE);
+                sig_cert = cert_tag.getTextContent();
                 sig_certs.push(sig_cert);
             }
         }
@@ -559,6 +575,9 @@ function generate_openunison_secret(event_json) {
 
     import_saml_idps();
 
+    print("Importing CACerts");
+    CertUtils.mergeCaCerts(ouKs);
+
 
     string_for_hash = java.util.Base64.getEncoder().encodeToString(k8s.json2yaml(JSON.stringify(cfg_obj.openunison_network_configuration) ).getBytes("UTF-8")  ) + k8s.encodeMap(inProp);
     bytes_for_hash = string_for_hash.getBytes("UTF-8");