Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ISSUE-11725] Add secondary statusCode messages on error #14743

Merged
merged 5 commits into from
Mar 22, 2024
+139 −17
Merged

[ISSUE-11725] Add secondary statusCode messages on error #14743

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
d0f762f
[ISSUE-11725] Add secondary statusCode messages on error
Mar 13, 2024
75b669b
Use Optional in case child status code is null
youngkih Mar 16, 2024
eedb377
Update copywrite to 2024
youngkih Mar 16, 2024
42e1843
Add test for status code returning parent and child status code
youngkih Mar 16, 2024
7877b38
Update to return List of StatusCodes and add Saml2Error to result obj…
Mar 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 47 additions & 16 deletions ...ework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -20,12 +20,15 @@
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;

import javax.annotation.Nonnull;
Expand Down Expand Up @@ -168,6 +171,9 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv

private Converter<ResponseToken, ? extends AbstractAuthenticationToken> responseAuthenticationConverter = createDefaultResponseAuthenticationConverter();

private static final Set<String> includeChildStatusCodes = new HashSet<>(
Arrays.asList(StatusCode.REQUESTER, StatusCode.RESPONDER, StatusCode.VERSION_MISMATCH));

/**
* Creates an {@link OpenSaml4AuthenticationProvider}
*/
Expand Down Expand Up @@ -371,11 +377,13 @@ public static Converter<ResponseToken, Saml2ResponseValidatorResult> createDefau
Response response = responseToken.getResponse();
Saml2AuthenticationToken token = responseToken.getToken();
Saml2ResponseValidatorResult result = Saml2ResponseValidatorResult.success();
String statusCode = getStatusCode(response);
if (!StatusCode.SUCCESS.equals(statusCode)) {
String message = String.format("Invalid status [%s] for SAML response [%s]", statusCode,
response.getID());
result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE, message));
List<String> statusCodes = getStatusCodes(response);
if (!isSuccess(statusCodes)) {
for (String statusCode : statusCodes) {
String message = String.format("Invalid status [%s] for SAML response [%s]", statusCode,
response.getID());
result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE, message));
}
}

String inResponseTo = response.getInResponseTo();
Expand Down Expand Up @@ -404,6 +412,39 @@ public static Converter<ResponseToken, Saml2ResponseValidatorResult> createDefau
};
}

private static List<String> getStatusCodes(Response response) {
if (response.getStatus() == null) {
return Arrays.asList(StatusCode.SUCCESS);
}
if (response.getStatus().getStatusCode() == null) {
return Arrays.asList(StatusCode.SUCCESS);
}

StatusCode parentStatusCode = response.getStatus().getStatusCode();
String parentStatusCodeValue = parentStatusCode.getValue();
if (includeChildStatusCodes.contains(parentStatusCodeValue)) {
jzheaux marked this conversation as resolved.
Show resolved Hide resolved
StatusCode statusCode = parentStatusCode.getStatusCode();
if (statusCode != null) {
String childStatusCodeValue = statusCode.getValue();
if (childStatusCodeValue != null) {
return Arrays.asList(parentStatusCodeValue, childStatusCodeValue);
}
}
return Arrays.asList(parentStatusCodeValue);
}

return Arrays.asList(parentStatusCodeValue);
}

private static boolean isSuccess(List<String> statusCodes) {
if (statusCodes.size() != 1) {
return false;
}

String statusCode = statusCodes.get(0);
return StatusCode.SUCCESS.equals(statusCode);
}

private static Saml2ResponseValidatorResult validateInResponseTo(AbstractSaml2AuthenticationRequest storedRequest,
String inResponseTo) {
if (!StringUtils.hasText(inResponseTo)) {
Expand Down Expand Up @@ -614,16 +655,6 @@ private Consumer<ResponseToken> createDefaultResponseElementsDecrypter() {
};
}

private static String getStatusCode(Response response) {
if (response.getStatus() == null) {
return StatusCode.SUCCESS;
}
if (response.getStatus().getStatusCode() == null) {
return StatusCode.SUCCESS;
}
return response.getStatus().getStatusCode().getValue();
}

private Converter<AssertionToken, Saml2ResponseValidatorResult> createDefaultAssertionSignatureValidator() {
return createAssertionValidator(Saml2ErrorCodes.INVALID_SIGNATURE, (assertionToken) -> {
RelyingPartyRegistration registration = assertionToken.getToken().getRelyingPartyRegistration();
Expand Down
93 changes: 92 additions & 1 deletion .../security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -51,16 +51,20 @@
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.EncryptedAttribute;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.Issuer;
jzheaux marked this conversation as resolved.
Show resolved Hide resolved
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.OneTimeUse;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml.saml2.core.impl.AttributeBuilder;
import org.opensaml.saml.saml2.core.impl.EncryptedAssertionBuilder;
import org.opensaml.saml.saml2.core.impl.EncryptedIDBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml.saml2.core.impl.StatusBuilder;
import org.opensaml.saml.saml2.core.impl.StatusCodeBuilder;
import org.opensaml.xmlsec.encryption.impl.EncryptedDataBuilder;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.w3c.dom.Element;
Expand Down Expand Up @@ -729,6 +733,93 @@ public void authenticateWhenCustomResponseValidatorThenUses() {
verify(validator).convert(any(OpenSaml4AuthenticationProvider.ResponseToken.class));
}

@Test
public void authenticateWhenResponseStatusIsNotSuccessThenOnlyReturnParentStatusCodes() {
ResponseToken mockResponseToken = mock(ResponseToken.class);
Saml2AuthenticationToken mockSamlToken = mock(Saml2AuthenticationToken.class);
given(mockResponseToken.getToken()).willReturn(mockSamlToken);

RelyingPartyRegistration mockRelyingPartyRegistration = mock(RelyingPartyRegistration.class);
given(mockSamlToken.getRelyingPartyRegistration()).willReturn(mockRelyingPartyRegistration);

RelyingPartyRegistration.AssertingPartyDetails mockAssertingPartyDetails = mock(
RelyingPartyRegistration.AssertingPartyDetails.class);
given(mockRelyingPartyRegistration.getAssertingPartyDetails()).willReturn(mockAssertingPartyDetails);

Status parentStatus = new StatusBuilder().buildObject();
StatusCode parentStatusCode = new StatusCodeBuilder().buildObject();
parentStatusCode.setValue(StatusCode.AUTHN_FAILED);
StatusCode childStatusCode = new StatusCodeBuilder().buildObject();
childStatusCode.setValue(StatusCode.NO_PASSIVE);
parentStatusCode.setStatusCode(childStatusCode);
parentStatus.setStatusCode(parentStatusCode);

Response mockResponse = mock(Response.class);
given(mockResponse.getStatus()).willReturn(parentStatus);
Issuer mockIssuer = mock(Issuer.class);
given(mockIssuer.getValue()).willReturn("mockedIssuer");
given(mockResponse.getIssuer()).willReturn(mockIssuer);

given(mockResponseToken.getResponse()).willReturn(mockResponse);

Converter<ResponseToken, Saml2ResponseValidatorResult> validator = OpenSaml4AuthenticationProvider
.createDefaultResponseValidator();
Saml2ResponseValidatorResult result = validator.convert(mockResponseToken);

String expectedErrorMessage = String.format("Invalid status [%s] for SAML response",
parentStatusCode.getValue());
assertThat(
result.getErrors().stream().anyMatch((error) -> error.getDescription().contains(expectedErrorMessage)));
assertThat(result.getErrors()
.stream()
.noneMatch((error) -> error.getDescription().contains(childStatusCode.getValue())));
}

@Test
public void authenticateWhenResponseStatusIsNotSuccessThenReturnParentAndChildStatusCode() {
ResponseToken mockResponseToken = mock(ResponseToken.class);
Saml2AuthenticationToken mockSamlToken = mock(Saml2AuthenticationToken.class);
given(mockResponseToken.getToken()).willReturn(mockSamlToken);

RelyingPartyRegistration mockRelyingPartyRegistration = mock(RelyingPartyRegistration.class);
given(mockSamlToken.getRelyingPartyRegistration()).willReturn(mockRelyingPartyRegistration);

RelyingPartyRegistration.AssertingPartyDetails mockAssertingPartyDetails = mock(
RelyingPartyRegistration.AssertingPartyDetails.class);
given(mockRelyingPartyRegistration.getAssertingPartyDetails()).willReturn(mockAssertingPartyDetails);

Status parentStatus = new StatusBuilder().buildObject();
StatusCode parentStatusCode = new StatusCodeBuilder().buildObject();
parentStatusCode.setValue(StatusCode.REQUESTER);
StatusCode childStatusCode = new StatusCodeBuilder().buildObject();
childStatusCode.setValue(StatusCode.NO_PASSIVE);
parentStatusCode.setStatusCode(childStatusCode);
parentStatus.setStatusCode(parentStatusCode);

Response mockResponse = mock(Response.class);
given(mockResponse.getStatus()).willReturn(parentStatus);
Issuer mockIssuer = mock(Issuer.class);
given(mockIssuer.getValue()).willReturn("mockedIssuer");
given(mockResponse.getIssuer()).willReturn(mockIssuer);

given(mockResponseToken.getResponse()).willReturn(mockResponse);

Converter<ResponseToken, Saml2ResponseValidatorResult> validator = OpenSaml4AuthenticationProvider
.createDefaultResponseValidator();
Saml2ResponseValidatorResult result = validator.convert(mockResponseToken);

String expectedParentErrorMessage = String.format("Invalid status [%s] for SAML response",
parentStatusCode.getValue());
String expectedChildErrorMessage = String.format("Invalid status [%s] for SAML response",
childStatusCode.getValue());
assertThat(result.getErrors()
.stream()
.anyMatch((error) -> error.getDescription().contains(expectedParentErrorMessage)));
assertThat(result.getErrors()
.stream()
.anyMatch((error) -> error.getDescription().contains(expectedChildErrorMessage)));
}

@Test
public void authenticateWhenAssertionIssuerNotValidThenFailsWithInvalidIssuer() {
OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
Expand Down
Loading