Merge pull request #252 from robfletcher/master

SPIN-1817 verify required roles in SAML auth
spinnaker · Jun 28, 2016 · 9dc3125 · 9dc3125
2 parents afcb3d2 + d8bd2de
commit 9dc3125
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/saml/SamlSsoConfig.groovy b/gate-web/src/main/groovy/com/netflix/spinnaker/gate/security/saml/SamlSsoConfig.groovy
@@ -16,13 +16,13 @@
 
 package com.netflix.spinnaker.gate.security.saml
 
+import groovy.util.logging.Slf4j
 import com.netflix.spinnaker.gate.security.AuthConfig
 import com.netflix.spinnaker.gate.security.SpinnakerAuthConfig
 import com.netflix.spinnaker.gate.security.rolesprovider.UserRolesProvider
 import com.netflix.spinnaker.gate.services.CredentialsService
 import com.netflix.spinnaker.gate.services.internal.ClouddriverService
 import com.netflix.spinnaker.security.User
-import groovy.util.logging.Slf4j
 import org.opensaml.saml2.core.Assertion
 import org.opensaml.saml2.core.Attribute
 import org.opensaml.xml.schema.XSString
@@ -34,6 +34,7 @@ import org.springframework.boot.context.properties.ConfigurationProperties
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.context.annotation.Import
+import org.springframework.security.authentication.BadCredentialsException
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
 import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity
@@ -44,7 +45,6 @@ import org.springframework.security.saml.userdetails.SAMLUserDetailsService
 import org.springframework.security.web.authentication.RememberMeServices
 import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices
 import org.springframework.stereotype.Component
-
 import static org.springframework.security.extensions.saml2.config.SAMLConfigurer.saml
 
 @ConditionalOnExpression('${saml.enabled:false}')
@@ -74,6 +74,7 @@ class SamlSsoConfig extends WebSecurityConfigurerAdapter {
     // The application identifier given to the IdP for this app.
     String issuerId
 
+    List<String> requiredRoles
     UserAttributeMapping userAttributeMapping = new UserAttributeMapping()
   }
 
@@ -155,6 +156,12 @@ class SamlSsoConfig extends WebSecurityConfigurerAdapter {
         def email = assertion.getSubject().nameID.value
         def roles = extractRoles(email, attributes, userAttributeMapping)
 
+        if (samlSecurityConfigProperties.requiredRoles) {
+          if (!samlSecurityConfigProperties.requiredRoles.any { it in roles }) {
+            throw new BadCredentialsException("User $email does not have all roles $samlSecurityConfigProperties.requiredRoles")
+          }
+        }
+
         new User(email: email,
           firstName: attributes[userAttributeMapping.firstName]?.get(0),
           lastName: attributes[userAttributeMapping.lastName]?.get(0),