OP-14834: invalidate session and throw SAMLAuthenticationException (s…

…pinnaker#209) (spinnaker#216)

* OP-14834: Check and update the token.

* OP-14834: Updated logs and packages.

* OP-14834: Only validates ExpiringUsernameAuthenticationToken.

* OP-14834: Only validates ExpiringUsernameAuthenticationToken.

* OP-14834: Added SamlAuthTokenUpdateFilter to the filter chain.

* OP-14834: Added SamlAuthTokenUpdateFilter to the filter chain after basic auth filter.

* OP-14834: redirect to logout

* OP-14834: throw AccessDeniedException

* OP-14834:redirect to /saml/login.

* OP-14834:redirect to /saml/sso.

* OP-14834: send html response

* OP-14834: clear context

* OP-14834: invalidate session

* OP-14834: and then logout

* OP-14834: clear context, invalidate session and redirect to log out url.

* OP-14834: invalidate session and throw SAMLAuthenticationException

* OP-14834: removed commented code.

* OP-14834: Updated the log message.

* OP-14834: Updated the certificate

gate-saml/src/main/groovy/com/netflix/spinnaker/gate/security/saml/SamlSsoConfig.groovy

@@ -24,6 +24,7 @@ import com.netflix.spinnaker.gate.security.SpinnakerAuthConfig
 import com.netflix.spinnaker.gate.services.PermissionService
 import com.netflix.spinnaker.kork.core.RetrySupport
 import com.netflix.spinnaker.security.User
+import com.opsmx.spinnaker.gate.security.saml.SamlAuthTokenUpdateFilter
 import groovy.util.logging.Slf4j
 import org.opensaml.saml2.core.Assertion
 import org.opensaml.saml2.core.Attribute
@@ -43,11 +44,12 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.core.userdetails.UsernameNotFoundException
 import org.springframework.security.extensions.saml2.config.SAMLConfigurer
-import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl
 import org.springframework.security.saml.SAMLCredential
 import org.springframework.security.saml.userdetails.SAMLUserDetailsService
+import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl
 import org.springframework.security.web.authentication.RememberMeServices
 import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter
 import org.springframework.session.web.http.DefaultCookieSerializer
 import org.springframework.stereotype.Component
 
@@ -168,7 +170,9 @@ class SamlSsoConfig extends WebSecurityConfigurerAdapter {
           .keyPassword(samlSecurityConfigProperties.keyStorePassword)
 
       saml.init(http)
-
+    SamlAuthTokenUpdateFilter authTokenUpdateFilter = new SamlAuthTokenUpdateFilter()
+    http.addFilterAfter(authTokenUpdateFilter,
+        BasicAuthenticationFilter.class)
     // @formatter:on
 
   }

gate-saml/src/main/java/com/opsmx/spinnaker/gate/security/saml/SAMLAuthenticationException.java

@@ -0,0 +1,13 @@
+package com.opsmx.spinnaker.gate.security.saml;
+
+import org.springframework.security.core.AuthenticationException;
+
+public class SAMLAuthenticationException extends AuthenticationException {
+  public SAMLAuthenticationException(String msg) {
+    super(msg);
+  }
+
+  public SAMLAuthenticationException(String msg, Throwable t) {
+    super(msg, t);
+  }
+}

gate-saml/src/main/java/com/opsmx/spinnaker/gate/security/saml/SamlAuthTokenUpdateFilter.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright 2022 OpsMx, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.opsmx.spinnaker.gate.security.saml;
+
+import java.io.IOException;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
+import org.springframework.web.filter.GenericFilterBean;
+
+public class SamlAuthTokenUpdateFilter extends GenericFilterBean {
+
+  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
+      throws IOException, ServletException {
+    logger.debug("SamlAuthTokenUpdateFilter doFilter started");
+    HttpServletRequest request = (HttpServletRequest) req;
+    HttpServletResponse response = (HttpServletResponse) res;
+    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+
+    logger.debug("Previously Authenticated is : " + authentication);
+    if (authentication instanceof ExpiringUsernameAuthenticationToken
+        && !authentication.isAuthenticated()) {
+      if (logger.isDebugEnabled()) {
+        logger.debug(
+            "Previously Authenticated token Expired; redirecting to authentication entry point.");
+      }
+
+      HttpSession session = request.getSession();
+      if (session != null) {
+        session.invalidate();
+      }
+      throw new SAMLAuthenticationException("Previously Authenticated token Expired");
+    }
+    logger.debug("SamlAuthTokenUpdateFilter doFilter ended");
+
+    chain.doFilter(request, response);
+  }
+}