Add wildcard service providers to IdP (#54477)

This adds the ability for the IdP to define wildcard service
providers in a JSON file within the ES node's config directory.

If a request is made for a service provider that has not been
registered, then the set of wildcard services is consulted. If the
SP entity-id and ACS match one of the wildcard patterns, then a
dynamic service provider is defined from the associated mustache
template.

Backport of: #54148

Author: tvernum

x-pack/plugin/identity-provider/qa/idp-rest-tests/build.gradle

@@ -27,6 +27,7 @@ testClusters.integTest {
   extraConfigFile 'roles.yml', file('src/test/resources/roles.yml')
   extraConfigFile 'idp-sign.crt', file('src/test/resources/idp-sign.crt')
   extraConfigFile 'idp-sign.key', file('src/test/resources/idp-sign.key')
+  extraConfigFile 'wildcard_services.json', file('src/test/resources/wildcard_services.json')
 
   user username: "admin_user", password: "admin-password"
   user username: "idp_user", password: "idp-password", role: "idp_role"

x-pack/plugin/identity-provider/qa/idp-rest-tests/src/test/java/org/elasticsearch/xpack/idp/IdpRestTestCase.java

@@ -5,15 +5,34 @@
  */
 package org.elasticsearch.xpack.idp;
 
+import org.elasticsearch.client.RequestOptions;
+import org.elasticsearch.client.RestHighLevelClient;
+import org.elasticsearch.client.security.DeleteRoleRequest;
+import org.elasticsearch.client.security.DeleteUserRequest;
+import org.elasticsearch.client.security.PutRoleRequest;
+import org.elasticsearch.client.security.PutUserRequest;
+import org.elasticsearch.client.security.RefreshPolicy;
+import org.elasticsearch.client.security.user.User;
+import org.elasticsearch.client.security.user.privileges.ApplicationResourcePrivileges;
+import org.elasticsearch.client.security.user.privileges.IndicesPrivileges;
+import org.elasticsearch.client.security.user.privileges.Role;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.test.rest.ESRestTestCase;
 
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
+
+import static java.util.Arrays.asList;
+import static java.util.Collections.emptyMap;
 import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 
 public abstract class IdpRestTestCase extends ESRestTestCase {
 
+    private RestHighLevelClient highLevelAdminClient;
+
     @Override
     protected Settings restAdminSettings() {
         String token = basicAuthHeaderValue("admin_user", new SecureString("admin-password".toCharArray()));
@@ -29,4 +48,48 @@ protected Settings restClientSettings() {
             .put(ThreadContext.PREFIX + ".Authorization", token)
             .build();
     }
+
+    private RestHighLevelClient getHighLevelAdminClient() {
+        if (highLevelAdminClient == null) {
+            highLevelAdminClient = new RestHighLevelClient(
+                adminClient(),
+                ignore -> {
+                },
+                Collections.emptyList()) {
+            };
+        }
+        return highLevelAdminClient;
+    }
+
+    protected User createUser(String username, SecureString password, String... roles) throws IOException {
+        final RestHighLevelClient client = getHighLevelAdminClient();
+        final User user = new User(username, asList(roles), emptyMap(), username + " in " + getTestName(), username + "@test.example.com");
+        final PutUserRequest request = PutUserRequest.withPassword(user, password.getChars(), true, RefreshPolicy.WAIT_UNTIL);
+        client.security().putUser(request, RequestOptions.DEFAULT);
+        return user;
+    }
+
+    protected void deleteUser(String username) throws IOException {
+        final RestHighLevelClient client = getHighLevelAdminClient();
+        final DeleteUserRequest request = new DeleteUserRequest(username, RefreshPolicy.WAIT_UNTIL);
+        client.security().deleteUser(request, RequestOptions.DEFAULT);
+    }
+
+    protected void createRole(String name, Collection<String> clusterPrivileges, Collection<IndicesPrivileges> indicesPrivileges,
+                              Collection<ApplicationResourcePrivileges> applicationPrivileges) throws IOException {
+        final RestHighLevelClient client = getHighLevelAdminClient();
+        final Role role = Role.builder()
+            .name(name)
+            .clusterPrivileges(clusterPrivileges)
+            .indicesPrivileges(indicesPrivileges)
+            .applicationResourcePrivileges(applicationPrivileges)
+            .build();
+        client.security().putRole(new PutRoleRequest(role, null), RequestOptions.DEFAULT);
+    }
+
+    protected void deleteRole(String name) throws IOException {
+        final RestHighLevelClient client = getHighLevelAdminClient();
+        final DeleteRoleRequest request = new DeleteRoleRequest(name, RefreshPolicy.WAIT_UNTIL);
+        client.security().deleteRole(request, RequestOptions.DEFAULT);
+    }
 }

x-pack/plugin/identity-provider/qa/idp-rest-tests/src/test/java/org/elasticsearch/xpack/idp/WildcardServiceProviderRestIT.java

@@ -0,0 +1,122 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.idp;
+
+import org.elasticsearch.client.Request;
+import org.elasticsearch.client.Response;
+import org.elasticsearch.client.security.user.User;
+import org.elasticsearch.client.security.user.privileges.ApplicationResourcePrivileges;
+import org.elasticsearch.common.bytes.BytesReference;
+import org.elasticsearch.common.collect.MapBuilder;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.common.xcontent.XContentType;
+import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Map;
+
+import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.instanceOf;
+import static org.hamcrest.Matchers.notNullValue;
+
+public class WildcardServiceProviderRestIT extends IdpRestTestCase {
+
+    // From build.gradle
+    private final String IDP_ENTITY_ID = "https://idp.test.es.elasticsearch.org/";
+    // From SAMLConstants
+    private final String REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
+
+    public void testGetWildcardServiceProviderMetadata() throws Exception {
+        final String owner = randomAlphaOfLength(8);
+        final String service = randomAlphaOfLength(8);
+        // From "wildcard_services.json"
+        final String entityId = "service:" + owner + ":" + service;
+        final String acs = "https://" + service + ".services.example.com/saml/acs";
+        getMetaData(entityId, acs);
+    }
+
+    public void testInitSingleSignOnToWildcardServiceProvider() throws Exception {
+        final String owner = randomAlphaOfLength(8);
+        final String service = randomAlphaOfLength(8);
+        // From "wildcard_services.json"
+        final String entityId = "service:" + owner + ":" + service;
+        final String acs = "https://" + service + ".services.example.com/api/v1/saml";
+
+        final String username = randomAlphaOfLength(6);
+        final SecureString password = new SecureString((randomAlphaOfLength(6) + randomIntBetween(10, 99)).toCharArray());
+        final String roleName = username + "_role";
+        final User user = createUser(username, password, roleName);
+
+        final ApplicationResourcePrivileges applicationPrivilege = new ApplicationResourcePrivileges(
+            "elastic-cloud", Collections.singletonList("sso:admin"), Collections.singletonList("sso:" + entityId)
+        );
+        createRole(roleName, Collections.emptyList(), Collections.emptyList(), Collections.singletonList(applicationPrivilege));
+
+        final String samlResponse = initSso(entityId, acs, new UsernamePasswordToken(username, password));
+
+        for (String attr : Arrays.asList("principal", "email", "name", "roles")) {
+            assertThat(samlResponse, containsString("Name=\"saml:attribute:" + attr + "\""));
+            assertThat(samlResponse, containsString("FriendlyName=\"" + attr + "\""));
+        }
+
+        assertThat(samlResponse, containsString(user.getUsername()));
+        assertThat(samlResponse, containsString(user.getEmail()));
+        assertThat(samlResponse, containsString(user.getFullName()));
+        assertThat(samlResponse, containsString(">admin<"));
+
+        deleteUser(username);
+        deleteRole(roleName);
+    }
+
+    private void getMetaData(String entityId, String acs) throws IOException {
+        final Map<String, Object> map = getAsMap("/_idp/saml/metadata/" + encode(entityId) + "?acs=" + encode(acs));
+        assertThat(map, notNullValue());
+        assertThat(map.keySet(), containsInAnyOrder("metadata"));
+        final Object metadata = map.get("metadata");
+        assertThat(metadata, notNullValue());
+        assertThat(metadata, instanceOf(String.class));
+        assertThat((String) metadata, containsString(IDP_ENTITY_ID));
+        assertThat((String) metadata, containsString(REDIRECT_BINDING));
+    }
+
+    private String initSso(String entityId, String acs, UsernamePasswordToken secondaryAuth) throws IOException {
+        final Request request = new Request("POST", "/_idp/saml/init/");
+        request.setJsonEntity(toJson(MapBuilder.<String, Object>newMapBuilder().put("entity_id", entityId).put("acs", acs).map()));
+        request.setOptions(request.getOptions().toBuilder().addHeader("es-secondary-authorization",
+            UsernamePasswordToken.basicAuthHeaderValue(secondaryAuth.principal(), secondaryAuth.credentials())));
+        Response response = client().performRequest(request);
+
+        final Map<String, Object> map = entityAsMap(response);
+        assertThat(map, notNullValue());
+        assertThat(map.keySet(), containsInAnyOrder("post_url", "saml_response", "service_provider"));
+        assertThat(map.get("post_url"), equalTo(acs));
+        assertThat(map.get("saml_response"), instanceOf(String.class));
+
+        final String samlResponse = (String) map.get("saml_response");
+        assertThat(samlResponse, containsString(entityId));
+        assertThat(samlResponse, containsString(acs));
+
+        return samlResponse;
+    }
+
+    private String toJson(Map<String, Object> body) throws IOException {
+        try (XContentBuilder builder = XContentBuilder.builder(XContentType.JSON.xContent()).map(body)) {
+            return BytesReference.bytes(builder).utf8ToString();
+        }
+    }
+
+    private String encode(String param) throws UnsupportedEncodingException {
+        return URLEncoder.encode(param, "UTF-8");
+    }
+
+}

x-pack/plugin/identity-provider/qa/idp-rest-tests/src/test/resources/wildcard_services.json

@@ -0,0 +1,45 @@
+{
+  "services": {
+    "wildcard-app1": {
+      "entity_id": "service:(?<owner>\\w+):(?<service>\\w+)",
+      "acs": "https://(?<service>\\w+).services.example.com/saml/acs",
+      "tokens": [ "service" ],
+      "template": {
+        "name": "Application 1 ({{service}})",
+        "privileges": {
+          "resource": "sso:{{entity_id}}",
+          "roles": {
+            "admin": "sso:admin"
+          }
+        },
+        "attributes": {
+          "principal": "saml:attribute:principal",
+          "name": "saml:attribute:name",
+          "email": "saml:attribute:email",
+          "roles": "saml:attribute:roles"
+        }
+      }
+    },
+    "wildcard-app2": {
+      "entity_id": "service:(?<owner>\\w+):(?<service>\\w+)",
+      "acs": "https://(?<service>\\w+).services.example.com/api/v1/saml",
+      "tokens": [ "service" ],
+      "template": {
+        "name": "Application 2 ({{service}})",
+        "privileges": {
+          "resource": "sso:{{entity_id}}",
+          "roles": {
+            "admin": "sso:admin"
+          }
+        },
+        "attributes": {
+          "principal": "saml:attribute:principal",
+          "name": "saml:attribute:name",
+          "email": "saml:attribute:email",
+          "roles": "saml:attribute:roles"
+        }
+      }
+    }
+  }
+}
+

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/IdentityProviderPlugin.java

@@ -45,18 +45,21 @@
 import org.elasticsearch.xpack.idp.action.TransportSamlMetadataAction;
 import org.elasticsearch.xpack.idp.action.TransportSamlValidateAuthnRequestAction;
 import org.elasticsearch.xpack.idp.privileges.UserPrivilegeResolver;
-import org.elasticsearch.xpack.idp.saml.rest.action.RestDeleteSamlServiceProviderAction;
 import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProvider;
-import org.elasticsearch.xpack.idp.saml.sp.ServiceProviderDefaults;
 import org.elasticsearch.xpack.idp.saml.idp.SamlIdentityProviderBuilder;
-import org.elasticsearch.xpack.idp.saml.rest.action.RestSamlMetadataAction;
+import org.elasticsearch.xpack.idp.saml.rest.action.RestDeleteSamlServiceProviderAction;
+import org.elasticsearch.xpack.idp.saml.rest.action.RestPutSamlServiceProviderAction;
 import org.elasticsearch.xpack.idp.saml.rest.action.RestSamlInitiateSingleSignOnAction;
+import org.elasticsearch.xpack.idp.saml.rest.action.RestSamlMetadataAction;
 import org.elasticsearch.xpack.idp.saml.rest.action.RestSamlValidateAuthenticationRequestAction;
-import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
-import org.elasticsearch.xpack.idp.saml.support.SamlInit;
-import org.elasticsearch.xpack.idp.saml.rest.action.RestPutSamlServiceProviderAction;
+import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderFactory;
 import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderIndex;
 import org.elasticsearch.xpack.idp.saml.sp.SamlServiceProviderResolver;
+import org.elasticsearch.xpack.idp.saml.sp.ServiceProviderCacheSettings;
+import org.elasticsearch.xpack.idp.saml.sp.ServiceProviderDefaults;
+import org.elasticsearch.xpack.idp.saml.sp.WildcardServiceProviderResolver;
+import org.elasticsearch.xpack.idp.saml.support.SamlFactory;
+import org.elasticsearch.xpack.idp.saml.support.SamlInit;
 
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -96,8 +99,12 @@ public Collection<Object> createComponents(Client client, ClusterService cluster
 
 
         final ServiceProviderDefaults serviceProviderDefaults = ServiceProviderDefaults.forSettings(settings);
-        final SamlServiceProviderResolver resolver = new SamlServiceProviderResolver(settings, index, serviceProviderDefaults);
-        final SamlIdentityProvider idp = SamlIdentityProvider.builder(resolver)
+        final SamlServiceProviderFactory serviceProviderFactory = new SamlServiceProviderFactory(serviceProviderDefaults);
+        final SamlServiceProviderResolver registeredServiceProviderResolver
+            = new SamlServiceProviderResolver(settings, index, serviceProviderFactory);
+        final WildcardServiceProviderResolver wildcardServiceProviderResolver
+            = WildcardServiceProviderResolver.create(environment, resourceWatcherService, scriptService, serviceProviderFactory);
+        final SamlIdentityProvider idp = SamlIdentityProvider.builder(registeredServiceProviderResolver, wildcardServiceProviderResolver)
             .fromSettings(environment)
             .serviceProviderDefaults(serviceProviderDefaults)
             .build();
@@ -148,7 +155,9 @@ public List<Setting<?>> getSettings() {
         List<Setting<?>> settings = new ArrayList<>();
         settings.add(ENABLED_SETTING);
         settings.addAll(SamlIdentityProviderBuilder.getSettings());
+        settings.addAll(ServiceProviderCacheSettings.getSettings());
         settings.addAll(ServiceProviderDefaults.getSettings());
+        settings.addAll(WildcardServiceProviderResolver.getSettings());
         settings.addAll(X509KeyPairSettings.withPrefix("xpack.idp.signing.", false).getAllSettings());
         settings.addAll(X509KeyPairSettings.withPrefix("xpack.idp.metadata_signing.", false).getAllSettings());
         return Collections.unmodifiableList(settings);

x-pack/plugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/action/SamlInitiateSingleSignOnRequest.java

@@ -13,18 +13,20 @@
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.xpack.idp.saml.support.SamlAuthenticationState;
 
-import static org.elasticsearch.action.ValidateActions.addValidationError;
-
 import java.io.IOException;
 
+import static org.elasticsearch.action.ValidateActions.addValidationError;
+
 public class SamlInitiateSingleSignOnRequest extends ActionRequest {
 
     private String spEntityId;
+    private String assertionConsumerService;
     private SamlAuthenticationState samlAuthenticationState;
 
     public SamlInitiateSingleSignOnRequest(StreamInput in) throws IOException {
         super(in);
         spEntityId = in.readString();
+        assertionConsumerService = in.readString();
         samlAuthenticationState = in.readOptionalWriteable(SamlAuthenticationState::new);
     }
 
@@ -37,12 +39,16 @@ public ActionRequestValidationException validate() {
         if (Strings.isNullOrEmpty(spEntityId)) {
             validationException = addValidationError("entity_id is missing", validationException);
         }
+        if (Strings.isNullOrEmpty(assertionConsumerService)) {
+            validationException = addValidationError("acs is missing", validationException);
+        }
         if (samlAuthenticationState != null) {
             final ValidationException authnStateException = samlAuthenticationState.validate();
-            if (validationException != null) {
-                ActionRequestValidationException actionRequestValidationException = new ActionRequestValidationException();
-                actionRequestValidationException.addValidationErrors(authnStateException.validationErrors());
-                validationException = addValidationError("entity_id is missing", actionRequestValidationException);
+            if (authnStateException != null && authnStateException.validationErrors().isEmpty() == false) {
+                if (validationException == null) {
+                    validationException = new ActionRequestValidationException();
+                }
+                validationException.addValidationErrors(authnStateException.validationErrors());
             }
         }
         return validationException;
@@ -56,6 +62,14 @@ public void setSpEntityId(String spEntityId) {
         this.spEntityId = spEntityId;
     }
 
+    public String getAssertionConsumerService() {
+        return assertionConsumerService;
+    }
+
+    public void setAssertionConsumerService(String assertionConsumerService) {
+        this.assertionConsumerService = assertionConsumerService;
+    }
+
     public SamlAuthenticationState getSamlAuthenticationState() {
         return samlAuthenticationState;
     }
@@ -68,11 +82,13 @@ public void setSamlAuthenticationState(SamlAuthenticationState samlAuthenticatio
     public void writeTo(StreamOutput out) throws IOException {
         super.writeTo(out);
         out.writeString(spEntityId);
+        out.writeString(assertionConsumerService);
         out.writeOptionalWriteable(samlAuthenticationState);
     }
 
     @Override
     public String toString() {
-        return getClass().getSimpleName() + "{spEntityId='" + spEntityId + "'}";
+        return getClass().getSimpleName() + "{spEntityId='" + spEntityId + "', acs='" + assertionConsumerService + "'}";
     }
+
 }