feat: support random generated relayState parameter (#299)

doc/CONFIGURE.md

@@ -49,6 +49,8 @@ you also could set the sessions on Jenkins to be shorter than those on your IdP.
   rather than its default. Check with the IdP administrators to find out which authentication contexts are available
   * **SP Entity ID** - If this field is not empty, it overrides the default Entity ID for this Service Provider.
   Service Provider Entity IDs are usually a URL, like ***http://jenkins.example.org/securityRealm/finishLogin***.
+  * **Use cache for configuration files** - The SP metadata is written on every login, enable this setting change the behaviour to use cache, and save the file only if it has changes.
+  * **Use Random relayState value** - When you enable this option the value of the relayState parameter sent to the IdP is a random generated value. The default value of relayState is `JENKINS_URL/securityRealm/finishLogin`
 * **Encryption** - If your provider requires encryption or signing, you can specify the keystore details here that should be used.
 If you do not specify a keystore, the plugin would create one with a key that is valid for a year,
 this key would be recreated when it expires, by default the key is not exposed in the SP metadata if you do not enable signing.

src/main/java/org/jenkinsci/plugins/saml/OpenSAMLWrapper.java

@@ -17,14 +17,14 @@
 
 package org.jenkinsci.plugins.saml;
 
-import java.io.IOException;
 import java.util.Arrays;
 import java.util.logging.Logger;
 import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.StaplerRequest;
 import org.kohsuke.stapler.StaplerResponse;
 import org.opensaml.core.config.InitializationException;
 import org.opensaml.core.config.InitializationService;
+import org.pac4j.core.util.generator.RandomValueGenerator;
 import org.pac4j.jee.context.JEEContext;
 import org.pac4j.core.context.WebContext;
 import org.pac4j.core.exception.TechnicalException;
@@ -130,7 +130,8 @@ protected SAML2Client createSAML2Client() {
         // tolerate missing SAML response Destination attribute https://github.com/pac4j/pac4j/pull/1871
         config.setResponseDestinationAttributeMandatory(false);
 
-        if (samlPluginConfig.getAdvancedConfiguration() != null) {
+        SamlAdvancedConfiguration advancedConfiguration = samlPluginConfig.getAdvancedConfiguration();
+        if (advancedConfiguration != null) {
 
             // request forced authentication at the IdP, if selected
             config.setForceAuth(samlPluginConfig.getForceAuthn());
@@ -158,6 +159,9 @@ protected SAML2Client createSAML2Client() {
         SAML2Client saml2Client = new SAML2Client(config);
         saml2Client.setCallbackUrl(samlPluginConfig.getConsumerServiceUrl());
         saml2Client.setCallbackUrlResolver(new NoParameterCallbackUrlResolver());
+        if(advancedConfiguration != null && advancedConfiguration.getRandomRelayState()){
+            saml2Client.setStateGenerator(new RandomValueGenerator());
+        }
         saml2Client.init();
 
         if (LOG.isLoggable(FINE)) {

src/main/java/org/jenkinsci/plugins/saml/SamlAdvancedConfiguration.java

@@ -42,6 +42,8 @@ public class SamlAdvancedConfiguration extends AbstractDescribableImpl<SamlAdvan
 
     private Boolean useDiskCache = false;
 
+    private Boolean randomRelayState = false;
+
     @DataBoundConstructor
     public SamlAdvancedConfiguration(Boolean forceAuthn,
                                      String authnContextClassRef,
@@ -78,13 +80,23 @@ public void setUseDiskCache(Boolean useDiskCache) {
         this.useDiskCache = useDiskCache;
     }
 
+    public Boolean getRandomRelayState() {
+        return randomRelayState != null ? randomRelayState : false;
+    }
+
+    @DataBoundSetter
+    public void setRandomRelayState(Boolean randomRelayState) {
+        this.randomRelayState = randomRelayState;
+    }
+
     @Override
     public String toString() {
         return "SamlAdvancedConfiguration{" + "forceAuthn=" + getForceAuthn() + ", authnContextClassRef='"
                + StringUtils.defaultIfBlank(getAuthnContextClassRef(), "none") + '\'' + ", spEntityId='"
                + StringUtils.defaultIfBlank(getSpEntityId(), "none") + '\'' + ", nameIdPolicyFormat='"
                + StringUtils.defaultIfBlank(getNameIdPolicyFormat(), "none") + '\''
-               + "useDiskCache=" + getUseDiskCache() + '}';
+               + ", useDiskCache=" + getUseDiskCache()
+               + ", randomRelayState=" + getRandomRelayState() + '}';
     }
 
     @SuppressWarnings("unused")

src/main/resources/org/jenkinsci/plugins/saml/SamlAdvancedConfiguration/config.jelly

@@ -17,4 +17,7 @@
     <f:entry title="Use cache for configuration files" field="useDiskCache" help="/plugin/saml/help/useDiskCache.html">
         <f:checkbox/>
     </f:entry>
+    <f:entry title="Use Random relayState value" field="randomRelayState" help="/plugin/saml/help/randomRelayState.html">
+        <f:checkbox/>
+    </f:entry>
 </j:jelly>

src/main/webapp/help/randomRelayState.html

@@ -0,0 +1,4 @@
+<div>
+    When you enable this option the value of the relayState parameter sent to the IdP is a random generated value.
+    The default value of relayState is <b>JENKINS_URL/securityRealm/finishLogin</b>
+</div>

src/test/java/org/jenkinsci/plugins/saml/LiveTest.java

@@ -84,6 +84,28 @@ public void run(JenkinsRule r) throws Throwable {
         }
     }
 
+    @Test
+    public void authenticationRelayStateRandom() throws Throwable {
+        then(() -> new AuthenticationRelayStateRandom(readIdPMetadataFromURL()));
+    }
+    private static class AuthenticationRelayStateRandom implements RealJenkinsRule.Step {
+        private final String idpMetadata;
+        AuthenticationRelayStateRandom(String idpMetadata) {
+            this.idpMetadata = idpMetadata;
+        }
+        @Override
+        public void run(JenkinsRule r) throws Throwable {
+            IdpMetadataConfiguration idpMetadataConfiguration = new IdpMetadataConfiguration(idpMetadata);
+            SamlAdvancedConfiguration advancedConfiguration = new SamlAdvancedConfiguration(
+                false, null, SERVICE_PROVIDER_ID, null);
+            advancedConfiguration.setRandomRelayState(true);
+            SamlSecurityRealm realm = configureBasicSettings(idpMetadataConfiguration, advancedConfiguration, SAML2_REDIRECT_BINDING_URI);
+            r.jenkins.setSecurityRealm(realm);
+            configureAuthorization();
+            makeLoginWithUser1(r);
+        }
+    }
+
     @Test
     public void authenticationOKFromURL() throws Throwable {
         then(() -> new AuthenticationOKFromURL(createIdPMetadataURL()));