Fixed IDP keystore management

mujina-common/src/main/java/mujina/api/SharedConfiguration.java

@@ -35,6 +35,11 @@ public SharedConfiguration(JKSKeyManager keyManager) {
     this.keyManager = keyManager;
   }
 
+  public SharedConfiguration(JKSKeyManager keyManager, String password) {
+    this.keyManager = keyManager;
+    this.keystorePassword = password;
+  }
+
   public abstract void reset();
 
   public void setEntityId(String newEntityId, boolean addTokenToStore) {

mujina-idp/src/main/java/mujina/api/IdpConfiguration.java

@@ -34,8 +34,9 @@ public IdpConfiguration(JKSKeyManager keyManager,
                           @Value("${idp.entity_id}") String defaultEntityId,
                           @Value("${idp.private_key}") String idpPrivateKey,
                           @Value("${idp.certificate}") String idpCertificate,
+                          @Value("${idp.passphrase}") String keyStorePassword,
                           @Value("${idp.auth_method}") String authMethod) {
-    super(keyManager);
+    super(keyManager, keyStorePassword);
     this.defaultEntityId = defaultEntityId;
     this.idpPrivateKey = idpPrivateKey;
     this.idpCertificate = idpCertificate;
@@ -45,7 +46,8 @@ public IdpConfiguration(JKSKeyManager keyManager,
 
   @Override
   public void reset() {
-    setEntityId(defaultEntityId);
+    // addTokenToStore can be false as key store is reset shortly after anyway
+    setEntityId(defaultEntityId, false);
     resetAttributes();
     resetKeyStore(defaultEntityId, idpPrivateKey, idpCertificate);
     resetUsers();
@@ -74,6 +76,11 @@ private void resetAttributes() {
     putAttribute("urn:mace:dir:attribute-def:eduPersonPrincipalName", "[email protected]");
   }
 
+  @Override
+  public void setEntityId(String entityId) {
+    super.setEntityId(entityId, true);
+  }
+
   private void putAttribute(String key, String... values) {
     this.attributes.put(key, Arrays.asList(values));
   }

mujina-idp/src/main/java/mujina/idp/WebSecurityConfigurer.java

@@ -39,7 +39,11 @@
 import java.security.cert.CertificateException;
 import java.security.spec.InvalidKeySpecException;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
 
 @Configuration
 @EnableWebSecurity
@@ -94,7 +98,7 @@
                                   @Value("${idp.passphrase}") String idpPassphrase) throws InvalidKeySpecException, CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, XMLStreamException {
     KeyStore keyStore = KeyStoreLocator.createKeyStore(idpPassphrase);
     KeyStoreLocator.addPrivateKey(keyStore, idpEntityId, idpPrivateKey, idpCertificate, idpPassphrase);
-    return new JKSKeyManager(keyStore, Collections.singletonMap(idpEntityId, idpPassphrase), idpEntityId);
+    return new JKSKeyManager(keyStore, new FakePasswordMap(idpPassphrase), idpEntityId);
   }
 
   @Bean
@@ -156,4 +160,92 @@
     }
   }
 
+  static class FakePasswordMap implements Map<String, String> {
+
+    private final String value;
+
+    FakePasswordMap(String value) {
+      this.value = value;
+    }
+
+    @Override
+    public int size() {
+      return 1;
+    }
+
+    @Override
+    public boolean isEmpty() {
+      return false;
+    }
+
+    @Override
+    public boolean containsKey(Object o) {
+      return true;
+    }
+
+    @Override
+    public boolean containsValue(Object o) {
+      return Objects.equals(o, value);
+    }
+
+    @Override
+    public String get(Object o) {
+      return value;
+    }
+
+    @Override
+    public String put(String s, String s2) {
+      throw readOnly();
+    }
+
+    private IllegalStateException readOnly() {
+      return new IllegalStateException("Map is read-only");
+    }
+
+    @Override
+    public String remove(Object o) {
+      throw readOnly();
+    }
+
+    @Override
+    public void putAll(Map<? extends String, ? extends String> map) {
+      throw readOnly();
+    }
+
+    @Override
+    public void clear() {
+      throw readOnly();
+    }
+
+    @Override
+    public Set<String> keySet() {
+      return Collections.singleton("");
+    }
+
+    @Override
+    public Collection<String> values() {
+      return Collections.singleton(value);
+    }
+
+    @Override
+    public Set<Entry<String, String>> entrySet() {
+      return Collections.singleton(new Map.Entry<String, String>() {
+        @Override
+        public String getKey() {
+          return "";
+        }
+
+        @Override
+        public String getValue() {
+          return value;
+        }
+
+        @Override
+        public String setValue(String s) {
+          throw readOnly();
+        }
+      });
+    }
+  }
+
 }

mujina-idp/src/main/resources/application.yml

@@ -24,7 +24,7 @@ idp:
   # Public certificate to verify the signature of the SAML response
   certificate: MIIDEzCCAfugAwIBAgIJAKoK/heBjcOYMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNVBAoMFU9yZ2FuaXphdGlvbiwgQ049T0lEQzAeFw0xNTExMTExMDEyMTVaFw0yNTExMTAxMDEyMTVaMCAxHjAcBgNVBAoMFU9yZ2FuaXphdGlvbiwgQ049T0lEQzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANBGwJ/qpTQNiSgUglSE2UzEkUow+wS8r67etxoEhlzJZfgK/k5TfG1wICDqapHAxEVgUM10aBHRctNocA5wmlHtxdidhzRZroqHwpKy2BmsKX5Z2oK25RLpsyusB1KroemgA/CjUnI6rIL1xxFn3KyOFh1ZBLUQtKNQeMS7HFGgSDAp+sXuTFujz12LFDugX0T0KB5a1+0l8y0PEa0yGa1oi6seONx849ZHxM0PRvUunWkuTM+foZ0jZpFapXe02yWMqhc/2iYMieE/3GvOguJchJt6R+cut8VBb6ubKUIGK7pmoq/TB6DVXpvsHqsDJXechxcicu4pdKVDHSec850CAwEAAaNQME4wHQYDVR0OBBYEFK7RqjoodSYVXGTVEdLf3kJflP/sMB8GA1UdIwQYMBaAFK7RqjoodSYVXGTVEdLf3kJflP/sMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADNZkxlFXh4F45muCbnQd+WmaXlGvb9tkUyAIxVL8AIu8J18F420vpnGpoUAE+Hy3evBmp2nkrFAgmr055fAjpHeZFgDZBAPCwYd3TNMDeSyMta3Ka+oS7GRFDePkMEm+kH4/rITNKUF1sOvWBTSowk9TudEDyFqgGntcdu/l/zRxvx33y3LMG5USD0x4X4IKjRrRN1BbcKgi8dq10C3jdqNancTuPoqT3WWzRvVtB/q34B7F74/6JzgEoOCEHufBMp4ZFu54P0yEGtWfTwTzuoZobrChVVBt4w/XZagrRtUCDNwRpHNbpjxYudbqLqpi1MQpV9oht/BpTHVJG2i0ro=
   # Passphrase of the keystore
-  passphrase: secret
+  passphrase: changeIt
   # The number of seconds before a lower time bound, or after an upper time bound, to consider still acceptable
   clock_skew: 300
   # Number of seconds after a message issue instant after which the message is considered expired

mujina-idp/src/test/java/mujina/idp/MetadataControllerTest.java

@@ -1,6 +1,7 @@
 package mujina.idp;
 
 import mujina.AbstractIntegrationTest;
+import org.junit.AfterClass;
 import org.junit.Test;
 import org.springframework.beans.factory.annotation.Value;
 
@@ -16,7 +17,22 @@ public class MetadataControllerTest extends AbstractIntegrationTest {
   private String idpBaseUrl;
 
   @Test
-  public void metadata() throws Exception {
+  public void metadata() {
+
+    checkMetadata();
+
+    given()
+      .header("content-type", "application/json")
+      .body("x")
+      .put("/api/entityid")
+      .then()
+      .statusCode(SC_OK);
+
+    checkMetadata();
+
+  }
+
+  private void checkMetadata() {
     given()
       .config(newConfig()
         .xmlConfig(xmlConfig().declareNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")))
@@ -29,6 +45,16 @@ public void metadata() throws Exception {
         equalTo(idpBaseUrl + "/SingleSignOnService"));
   }
 
+  @AfterClass
+  public static void reset() {
+    given()
+      .header("Content-type", "application/json")
+      .post("/api/reset")
+      .then()
+      .statusCode(SC_OK);
+  }
+
+
 }