From dcc2194add8d0eab3a60d408b4e8fb3e380f2e07 Mon Sep 17 00:00:00 2001
From: Dario Ghunney Ware
Date: Sun, 2 Feb 2025 12:14:43 +0000
Subject: [PATCH] wip configuring saml2

---
 ...stomSaml2AuthenticationFailureHandler.java | 2 +-
 .../security/saml2/SAML2Configuration.java | 8 ++++----
 .../controller/web/AccountWebController.java | 4 ++--
 .../SPDF/model/ApplicationProperties.java | 2 +-
 src/main/resources/settings.yml.template | 20 +++++++++----------
 src/main/resources/templates/login.html | 2 +-
 6 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/src/main/java/stirling/software/SPDF/config/security/saml2/CustomSaml2AuthenticationFailureHandler.java b/src/main/java/stirling/software/SPDF/config/security/saml2/CustomSaml2AuthenticationFailureHandler.java
index b6c2deae..2c5363db 100644
--- a/src/main/java/stirling/software/SPDF/config/security/saml2/CustomSaml2AuthenticationFailureHandler.java
+++ b/src/main/java/stirling/software/SPDF/config/security/saml2/CustomSaml2AuthenticationFailureHandler.java
@@ -32,6 +32,6 @@ public class CustomSaml2AuthenticationFailureHandler extends SimpleUrlAuthentica
 response, "/login?errorOAuth=not_authentication_provider_found");
 }
- log.error("AuthenticationException: " + exception);
+ log.error("Authentication error", exception);
 }
 }
diff --git a/src/main/java/stirling/software/SPDF/config/security/saml2/SAML2Configuration.java b/src/main/java/stirling/software/SPDF/config/security/saml2/SAML2Configuration.java
index c58bd974..ef55ea71 100644
--- a/src/main/java/stirling/software/SPDF/config/security/saml2/SAML2Configuration.java
+++ b/src/main/java/stirling/software/SPDF/config/security/saml2/SAML2Configuration.java
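Review bot: The new `log.error("Authentication error", exception)` emits a full stack trace at ERROR for every failed SAML login, and since a failure handler is reached by unauthenticated clients, anyone who can post a malformed response to the assertion consumer endpoint can presumably fill the error log at will. A rejected login is an expected condition rather than an application fault, so I would keep it at WARN with the message and leave the trace to DEBUG: `log.warn("SAML2 authentication failed: {}", exception.getMessage());` followed by `log.debug("SAML2 authentication failure details", exception);`. The new message also drops the word SAML, which matters because the redirect just above still reports the failure under an `errorOAuth` parameter. The enclosing handler method starts outside the hunk.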
@@ -2,8 +2,8 @@ package stirling.software.SPDF.config.security.saml2;
 import java.security.cert.X509Certificate;
 import java.util.Collections;
-import java.util.UUID;
+import java.util.UUID;
 import org.opensaml.saml.saml2.core.AuthnRequest;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
@@ -37,7 +37,7 @@ public class SAML2Configuration {
 @ConditionalOnProperty(name = "security.saml2.enabled", havingValue = "true")
 public RelyingPartyRegistrationRepository relyingPartyRegistrations() throws Exception {
 SAML2 samlConf = applicationProperties.getSecurity().getSaml2();
- X509Certificate idpCert = CertificateUtils.readCertificate(samlConf.getidpCert());
+ X509Certificate idpCert = CertificateUtils.readCertificate(samlConf.getIdpCert());
 Saml2X509Credential verificationCredential = Saml2X509Credential.verification(idpCert);
 Resource privateKeyResource = samlConf.getPrivateKey();
 Resource certificateResource = samlConf.getSpCert();
@@ -73,9 +73,9 @@ public class SAML2Configuration {
 customizer -> {
 log.debug("Customizing SAML Authentication request");
 AuthnRequest authnRequest = customizer.getAuthnRequest();
- log.debug("AuthnRequest ID: {}", authnRequest.getID());
+ log.debug("AuthnRequest ID: {}", authnRequest.getID());
 if (authnRequest.getID() == null) {
- authnRequest.setID("ARQ" + UUID.randomUUID().toString());
+ authnRequest.setID("ARQ" + UUID.randomUUID()); // fixme: SubjectConfirmationData@InResponseTo
 }
 log.debug("AuthnRequest new ID after set: {}", authnRequest.getID());
 log.debug("AuthnRequest IssueInstant: {}", authnRequest.getIssueInstant());
diff --git a/src/main/java/stirling/software/SPDF/controller/web/AccountWebController.java b/src/main/java/stirling/software/SPDF/controller/web/AccountWebController.java
index faa2597f..d6b36ecd 100644
--- a/src/main/java/stirling/software/SPDF/controller/web/AccountWebController.java
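Review bot: The `// fixme: SubjectConfirmationData@InResponseTo` attached to the new `setID` line points at the one check that must not be weakened: the response validator compares the assertion's InResponseTo with the ID of the AuthnRequest the SP persisted, and that comparison is what rejects unsolicited or replayed responses. If mismatches are what prompted the fixme, the likely causes are that the ID assigned here is not the one saved in the authentication-request repository, or that the resolver has already assigned an ID before this customizer runs so the `== null` branch never executes; the debug line above it should settle that, and the fix belongs on the persistence side, never in disabling InResponseTo validation. I would replace the fixme with a comment stating the contract, e.g. `// ID must match the persisted AuthnRequest: the IdP echoes it in SubjectConfirmationData@InResponseTo and the response validator rejects any mismatch`. The customizer lambda and the bean it belongs to continue outside the hunk.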
+++ b/src/main/java/stirling/software/SPDF/controller/web/AccountWebController.java
@@ -111,11 +111,11 @@ public class AccountWebController {
 }
 // Remove any null keys/values from the providerList
+ // providerList might be empty on browser side? Button not showing up
 providerList
 .entrySet()
 .removeIf(entry -> entry.getKey() == null || entry.getValue() == null);
- model.addAttribute(
- "providerList", providerList); // todo: might need to change back to 'providerlist'
+ model.addAttribute("providerList", providerList);
 model.addAttribute("loginMethod", securityProps.getLoginMethod());
 boolean altLogin = !providerList.isEmpty() ? securityProps.isAltLogin() : false;
diff --git a/src/main/java/stirling/software/SPDF/model/ApplicationProperties.java b/src/main/java/stirling/software/SPDF/model/ApplicationProperties.java
index badc676a..945ac043 100644
--- a/src/main/java/stirling/software/SPDF/model/ApplicationProperties.java
+++ b/src/main/java/stirling/software/SPDF/model/ApplicationProperties.java
@@ -197,7 +197,7 @@ public class ApplicationProperties {
 }
 }
- public Resource getidpCert() {
+ public Resource getIdpCert() {
 if (idpCert == null) return null;
 if (idpCert.startsWith("classpath:")) {
 return new ClassPathResource(idpCert.substring("classpath:".length()));
diff --git a/src/main/resources/settings.yml.template b/src/main/resources/settings.yml.template
index 42cb937d..54bfc7b2 100644
--- a/src/main/resources/settings.yml.template
+++ b/src/main/resources/settings.yml.template
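Review bot: The added `// providerList might be empty on browser side? Button not showing up` is a debugging question rather than documentation, and a later reader cannot tell whether it was ever resolved or what the null-filter below has to do with it. If the issue is still open, make it actionable: `// TODO: SSO button is missing when providerList renders empty; confirm entries survive the null-filter below`; if this commit resolved it, drop the comment. Because `altLogin` on the last line is forced to false whenever the list is empty, an empty list after filtering is presumably worth a `log.warn` naming the configured loginMethod rather than a silent fall-through — worth confirming against how altLogin is consumed further down. The method continues outside the hunk.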
@@ -17,7 +17,7 @@ security:
 loginAttemptCount: 5 # lock user account after 5 tries; when using e.g. Fail2Ban you can deactivate the function with -1
 loginResetTimeMinutes: 120 # lock account for 2 hours after x attempts
 loginMethod: saml2 # Accepts values like 'all' and 'normal'(only Login with Username/Password), 'oauth2'(only Login with OAuth2) or 'saml2'(only Login with SAML2)
- customGlobalAPIKey: 3R3T-WFPY-UNRW-LJFA-MMXM-YVJK-WCKY-PCRT # todo: this is in ApplicationProperties but not here. Should we add it
+ customGlobalAPIKey: 3R3T-WFPY-UNRW-LJFA-MMXM-YVJK-WCKY-PCRT # todo: this is in ApplicationProperties but not here. Should we add it?
 initialLogin:
 username: '' # initial username for the first login
 password: '' # initial password for the first login
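Review bot: The changed line still ships a concrete-looking `customGlobalAPIKey: 3R3T-WFPY-UNRW-LJFA-MMXM-YVJK-WCKY-PCRT` in settings.yml.template; only the trailing `?` of the todo changed, but since the line is being touched this is the moment to fix it. If this is a real key it is now in commit history and must be rotated; if it is meant as a placeholder it should be unmistakably one, because users copy templates verbatim and a global API key that is identical on every installation that keeps the default is a credential anyone can read from the repository. I would change it to `customGlobalAPIKey: '' # set a random, per-installation value before exposing the API` and note in the same comment that the empty-means-unset semantics still need to be confirmed against ApplicationProperties, which the todo already says is out of sync with this file.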
@@ -52,14 +52,14 @@ security:
 enabled: false # Only enabled for paid enterprise clients (enterpriseEdition.enabled must be true)
 autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users
 blockRegistration: false # set to 'true' to deny login with SSO without prior registration by an admin
- registrationId: stirling
- idpMetadataUri: https://dev-XXXXXXXX.okta.com/app/externalKey/sso/saml/metadata
- idpSingleLogoutUrl: https://dev-XXXXXXXX.okta.com/app/dev-XXXXXXXX_stirlingpdf_1/externalKey/slo/saml
- idpSingleLoginUrl: https://dev-XXXXXXXX.okta.com/app/dev-XXXXXXXX_stirlingpdf_1/externalKey/sso/saml
- idpIssuer: http://www.okta.com/externalKey
- idpCert: classpath:okta.crt
- privateKey: classpath:saml-private-key.key
- spCert: classpath:saml-public-cert.crt
+ registrationId: stirlingpdf-dario-saml
+ idpMetadataUri: https://authentik.dev.stirlingpdf.com/api/v3/providers/saml/5/metadata/?download
+ idpSingleLoginUrl: https://authentik.dev.stirlingpdf.com/application/saml/stirlingpdf-dario-saml/sso/binding/post/
+ idpSingleLogoutUrl: https://authentik.dev.stirlingpdf.com/application/saml/stirlingpdf-dario-saml/slo/binding/post/
+ idpIssuer: authentik
+ idpCert: classpath:authentik-Self-signed_Certificate_certificate.pem
+ privateKey: classpath:private_key.key
+ spCert: classpath:certificate.crt
 enterpriseEdition:
 enabled: false # set to 'true' to enable enterprise edition
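Review bot: The new side replaces the obviously-placeholder Okta values with one developer's live configuration: `registrationId: stirlingpdf-dario-saml`, metadata, SSO and SLO URLs under `authentik.dev.stirlingpdf.com`, and `idpIssuer: authentik`. This file is the template users copy, so anyone who copies it and flips `enabled: true` will trust assertions from that dev IdP, and with `autoCreateUser: true` three lines above every identity it asserts gets a local account; `idpIssuer: authentik` is also generic enough to match any default Authentik deployment rather than one specific tenant. The `privateKey: classpath:private_key.key` and `spCert: classpath:certificate.crt` entries imply the SP's private key lives in `src/main/resources` and would be packaged into the jar, a pattern the old Okta lines shared and that should become a deploy-time filesystem path if the property getter supports one. Keep the personal values in an untracked local settings file and restore placeholders such as `registrationId: stirling`, `idpMetadataUri: https://<idp-host>/<path>/metadata` and `privateKey: file:/path/to/saml-private-key.key`, with a comment that the IdP URLs and issuer must be replaced before enabling.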
@@ -81,7 +81,7 @@ legal:
 system:
 defaultLocale: en-US # set the default language (e.g. 'de-DE', 'fr-FR', etc)
 googlevisibility: false # 'true' to allow Google visibility (via robots.txt), 'false' to disallow
- enableAlphaFunctionality: false # set to enable functionality which might need more testing before it fully goes live (this feature might make no changes)
+ enableAlphaFunctionality: true # set to enable functionality which might need more testing before it fully goes live (this feature might make no changes)
 showUpdate: false # see when a new update is available
 showUpdateOnlyAdmin: false # only admins can see when a new update is available, depending on showUpdate it must be set to 'true'
 customHTMLFiles: false # enable to have files placed in /customFiles/templates override the existing template HTML files
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index dfd44822..912389bc 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -98,7 +98,7 @@ favicon
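Review bot: `enableAlphaFunctionality` flips from `false` to `true` in the shipped template, and the inline comment itself describes the gated code as functionality that "might need more testing before it fully goes live". Nothing else in this commit ("wip configuring saml2") touches alpha features, so this reads as a local debugging toggle that should go back to `enableAlphaFunctionality: false` before merge; otherwise every new install that copies the template opts into untested code paths by default. If SAML2 really is gated behind this flag, say so in the comment rather than changing the default for everyone.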

Stirling-PDF

-
+
Login Via SSO