From d3548f8029f24dbba76ef7d89ec2519bf1fa379e Mon Sep 17 00:00:00 2001
From: strehle
Date: Fri, 29 Nov 2024 16:31:08 +0100
Subject: [PATCH 1/3] Support SAML keypair without a password
---
 .../uaa/zone/GeneralIdentityZoneConfigurationValidator.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/zone/GeneralIdentityZoneConfigurationValidator.java b/server/src/main/java/org/cloudfoundry/identity/uaa/zone/GeneralIdentityZoneConfigurationValidator.java
index 69a03c3e8c3..7d078aee14c 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/zone/GeneralIdentityZoneConfigurationValidator.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/zone/GeneralIdentityZoneConfigurationValidator.java
@@ -98,9 +98,9 @@ private void validateRegexStrings(List uris, String fieldName) throws In
 private void failIfPartialCertKeyInfo(String samlSpCert, String samlSpKey, String samlSpkeyPassphrase) throws InvalidIdentityZoneConfigurationException {
 if ((samlSpCert == null && samlSpKey == null && samlSpkeyPassphrase == null) ||
- (samlSpCert != null && samlSpKey != null && samlSpkeyPassphrase != null)) {
+ (samlSpCert != null && samlSpKey != null && samlSpkeyPassphrase == null)) {
 return;
 }
- throw new InvalidIdentityZoneConfigurationException("Identity zone cannot be udpated with partial Saml CertKey config.", null);
+ throw new InvalidIdentityZoneConfigurationException("Identity zone cannot be updated with partial Saml CertKey config.", null);
 }
 }
From fb47e384b136619d0968e7daebd7d65c6a85757a Mon Sep 17 00:00:00 2001
From: strehle
Date: Sat, 30 Nov 2024 10:05:57 +0100
Subject: [PATCH 2/3] Fix check and add a test for it
---
 ...eneralIdentityZoneConfigurationValidator.java | 2 +-
 .../IdentityZoneConfigurationBootstrapTests.java | 16 ++++++++++++++++
 .../zones/IdentityZoneEndpointsMockMvcTests.java | 2 +-
 3 files changed, 18 insertions(+), 2 deletions(-)
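Review bot: The rewritten second disjunct, `samlSpCert != null && samlSpKey != null && samlSpkeyPassphrase == null`, rejects a zone whose certificate, key and passphrase are all set, which was the one combination the removed line accepted; as committed, a fully specified config with an encrypted key now falls through to the partial-config exception. The second patch in this series replaces the disjunct with `samlSpCert != null && samlSpKey != null`, so the series as a whole is fine, but this intermediate commit is broken on its own and will presumably fail any existing test that configures a passphrase, which hurts bisecting. Squashing the two validator changes, or using the passphrase-optional form already here, would avoid that. The class's closing brace is the last context line of the hunk, so failIfPartialCertKeyInfo is the final method of the class.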
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/zone/GeneralIdentityZoneConfigurationValidator.java b/server/src/main/java/org/cloudfoundry/identity/uaa/zone/GeneralIdentityZoneConfigurationValidator.java
index 7d078aee14c..6f0b026834f 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/zone/GeneralIdentityZoneConfigurationValidator.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/zone/GeneralIdentityZoneConfigurationValidator.java
@@ -98,7 +98,7 @@ private void validateRegexStrings(List uris, String fieldName) throws In
 private void failIfPartialCertKeyInfo(String samlSpCert, String samlSpKey, String samlSpkeyPassphrase) throws InvalidIdentityZoneConfigurationException {
 if ((samlSpCert == null && samlSpKey == null && samlSpkeyPassphrase == null) ||
- (samlSpCert != null && samlSpKey != null && samlSpkeyPassphrase == null)) {
+ (samlSpCert != null && samlSpKey != null)) {
 return;
 }
 throw new InvalidIdentityZoneConfigurationException("Identity zone cannot be updated with partial Saml CertKey config.", null);
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/config/IdentityZoneConfigurationBootstrapTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/config/IdentityZoneConfigurationBootstrapTests.java
index 42783edc4f1..5953a882be2 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/config/IdentityZoneConfigurationBootstrapTests.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/config/IdentityZoneConfigurationBootstrapTests.java
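Review bot: With the accept branch reduced to `samlSpCert != null && samlSpKey != null`, the passphrase parameter no longer influences acceptance, and nothing in the method says that a passphrase is now optional or that a passphrase supplied without key and certificate is still rejected by falling through to the throw. A Javadoc would make the contract explicit, e.g. `/** Accepts either no SAML SP key material at all, or a certificate plus private key; the passphrase is optional (unencrypted key) and never sufficient on its own. */`. Separately, the validator cannot tell whether a key supplied without a passphrase is really an unencrypted PEM, so if the key material is only parsed later an encrypted key with no passphrase will presumably fail at that later point instead of at configuration validation; either parsing the key here or documenting where that error surfaces would help operators. The method's closing brace lies outside the hunk.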
@@ -134,6 +134,22 @@ void keyIdNullException() {
 assertThatExceptionOfType(InvalidIdentityZoneDetailsException.class).isThrownBy(() -> bootstrap.afterPropertiesSet());
 }
+ @Test
+ void passphraseOnlyException() {
+ bootstrap.setSamlSpPrivateKey(key1());
+ bootstrap.setSamlSpCertificate(certificate1());
+ bootstrap.setSamlSpPrivateKeyPassphrase(passphrase1());
+ Map> keys = new HashMap<>();
+ Map key1 = new HashMap<>();
+ key1.put("passphrase", passphrase1());
+ keys.put("key1", key1);
+ bootstrap.setActiveKeyId(null);
+ bootstrap.setSamlKeys(keys);
+ assertThatExceptionOfType(InvalidIdentityZoneDetailsException.class)
+ .isThrownBy(() -> bootstrap.afterPropertiesSet())
+ .withMessage("The zone configuration is invalid. Identity zone cannot be updated with partial Saml CertKey config.");
+ }
+
 @Test
 void samlKeysAndSigningConfigs() throws Exception {
 bootstrap.setSamlSpPrivateKey(key1());
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/zones/IdentityZoneEndpointsMockMvcTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/zones/IdentityZoneEndpointsMockMvcTests.java
index c1215cde525..2185452cc65 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/zones/IdentityZoneEndpointsMockMvcTests.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/zones/IdentityZoneEndpointsMockMvcTests.java
@@ -781,7 +781,7 @@ void testUpdateWithPartialSamlKeyCertPair() throws Exception {
 samlConfig.setPrivateKey(serviceProviderKey);
 samlConfig.setPrivateKeyPassword(null);
 samlConfig.setCertificate(serviceProviderCertificate);
- updateZone(created, HttpStatus.UNPROCESSABLE_ENTITY, identityClientToken);
+ updateZone(created, HttpStatus.OK, identityClientToken);
 samlConfig = created.getConfig().getSamlConfig();
 samlConfig.setPrivateKey(null);
From d72326564845597dd35f37e382bc8a99d54dc8c0 Mon Sep 17 00:00:00 2001
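Review bot: passphraseOnlyException also sets the SP private key, certificate and passphrase on the bootstrap before building the keys map, so what it exercises is a samlKeys entry carrying only a passphrase while the SP-level triple is complete, which is not what the method name says. Either drop the three setSamlSp* calls or name the test for the keys-map case, e.g. `void samlKeyWithPassphraseOnlyIsRejected()`, and add the mirror case this series introduces, a key plus certificate with no passphrase that afterPropertiesSet accepts, since the only positive coverage in the series is the MockMvc update test. The expected message is asserted verbatim with withMessage, so any rewording of the validator text breaks this test; `withMessageContaining("partial Saml CertKey config")` would be less brittle. The type arguments on the two Map declarations look stripped by the rendering, so I have not treated them as raw types.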
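Review bot: After this change the first block of testUpdateWithPartialSamlKeyCertPair (private key and certificate set, password null) expects HttpStatus.OK, so it no longer tests a partial pair even though the method name and the combinations that follow (the last context line nulls the key) still describe rejection. A comment above the updated call, `// key + certificate with no passphrase is a complete pair and must be accepted`, or moving this block into its own positively named test, would keep the intent readable. It is also worth asserting that the accepted update actually persisted the key material rather than only that the endpoint returned 200; the next context line re-reads samlConfig from the local `created` object, which does not show what the server stored. The method continues past the hunk.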
From: Markus Strehle <11627201+strehle@users.noreply.github.com>
Date: Mon, 2 Dec 2024 19:51:17 +0100
Subject: [PATCH 3/3] Update uaa.yml
---
 scripts/cargo/uaa.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/scripts/cargo/uaa.yml b/scripts/cargo/uaa.yml
index 3f73eb91a3b..4a6ccbe2ad7 100644
--- a/scripts/cargo/uaa.yml
+++ b/scripts/cargo/uaa.yml
@@ -73,7 +73,6 @@ login:
 N+l4lnMda79eSp3OMmq9AkA0p79BvYsLshUJJnvbk76pCjR28PK4dV1gSDUEqQMB
 qy45ptdwJLqLJCeNoR0JUcDNIRhOCuOPND7pcMtX6hI/
 -----END RSA PRIVATE KEY-----
- passphrase: password
 certificate: |
 -----BEGIN CERTIFICATE-----
 MIIDSTCCArKgAwIBAgIBADANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJhdzEO
@@ -128,4 +127,4 @@ ratelimit:
 - name: EverythingElse
 global: 200r/s
 pathSelectors:
- - "other"
\ No newline at end of file
+ - "other"
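Review bot: Removing `passphrase: password` is only correct if the PEM block that ends at `-----END RSA PRIVATE KEY-----` in this hunk is an unencrypted key; its header lines are above the hunk, so confirm there is no `Proc-Type: 4,ENCRYPTED` header left, otherwise the zone bootstrap would presumably try to load an encrypted key with no passphrase and fail at startup rather than at configuration validation. A short comment next to the key, `# unencrypted local-run fixture key; passphrase intentionally omitted`, would record that the omission is deliberate and that this file is a dev/test fixture, not a template for production zones. The second hunk only restores the missing trailing newline after `- "other"`.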