Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ISSUE-11725] Add secondary statusCode messages on error #14743

Merged
merged 5 commits into from
Mar 22, 2024
Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 the original author or authors.
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -26,6 +26,10 @@
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.HashSet;
import java.util.Arrays;
import java.util.Optional;
import java.util.function.Consumer;

import javax.annotation.Nonnull;
Expand Down Expand Up @@ -94,6 +98,8 @@
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;

import static org.opensaml.saml.saml2.core.StatusCode.*;

/**
* Implementation of {@link AuthenticationProvider} for SAML authentications when
* receiving a {@code Response} object containing an {@code Assertion}. This
Expand Down Expand Up @@ -168,6 +174,8 @@ public final class OpenSaml4AuthenticationProvider implements AuthenticationProv

private Converter<ResponseToken, ? extends AbstractAuthenticationToken> responseAuthenticationConverter = createDefaultResponseAuthenticationConverter();

private static final Set<String> includeChildStatusCodes = new HashSet<>(Arrays.asList(REQUESTER, RESPONDER, VERSION_MISMATCH));

/**
* Creates an {@link OpenSaml4AuthenticationProvider}
*/
Expand Down Expand Up @@ -404,6 +412,26 @@ public static Converter<ResponseToken, Saml2ResponseValidatorResult> createDefau
};
}

private static String getStatusCode(Response response) {
if (response.getStatus() == null) {
return StatusCode.SUCCESS;
}
if (response.getStatus().getStatusCode() == null) {
return StatusCode.SUCCESS;
}

StatusCode parentStatusCode = response.getStatus().getStatusCode();
String parentStatusCodeValue = parentStatusCode.getValue();
if (includeChildStatusCodes.contains(parentStatusCodeValue)) {
jzheaux marked this conversation as resolved.
Show resolved Hide resolved
return Optional.ofNullable(parentStatusCode.getStatusCode())
jzheaux marked this conversation as resolved.
Show resolved Hide resolved
.map(StatusCode::getValue)
.map(childStatusCodeValue -> parentStatusCodeValue + childStatusCodeValue)
jzheaux marked this conversation as resolved.
Show resolved Hide resolved
.orElse(parentStatusCodeValue);
}

return parentStatusCodeValue;
}

private static Saml2ResponseValidatorResult validateInResponseTo(AbstractSaml2AuthenticationRequest storedRequest,
String inResponseTo) {
if (!StringUtils.hasText(inResponseTo)) {
Expand Down Expand Up @@ -614,16 +642,6 @@ private Consumer<ResponseToken> createDefaultResponseElementsDecrypter() {
};
}

private static String getStatusCode(Response response) {
if (response.getStatus() == null) {
return StatusCode.SUCCESS;
}
if (response.getStatus().getStatusCode() == null) {
return StatusCode.SUCCESS;
}
return response.getStatus().getStatusCode().getValue();
}

private Converter<AssertionToken, Saml2ResponseValidatorResult> createDefaultAssertionSignatureValidator() {
return createAssertionValidator(Saml2ErrorCodes.INVALID_SIGNATURE, (assertionToken) -> {
RelyingPartyRegistration registration = assertionToken.getToken().getRelyingPartyRegistration();
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -51,16 +51,20 @@
import org.opensaml.saml.saml2.core.EncryptedAssertion;
import org.opensaml.saml.saml2.core.EncryptedAttribute;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.Issuer;
jzheaux marked this conversation as resolved.
Show resolved Hide resolved
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.OneTimeUse;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Status;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import org.opensaml.saml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml.saml2.core.impl.AttributeBuilder;
import org.opensaml.saml.saml2.core.impl.EncryptedAssertionBuilder;
import org.opensaml.saml.saml2.core.impl.EncryptedIDBuilder;
import org.opensaml.saml.saml2.core.impl.NameIDBuilder;
import org.opensaml.saml.saml2.core.impl.StatusBuilder;
import org.opensaml.saml.saml2.core.impl.StatusCodeBuilder;
import org.opensaml.xmlsec.encryption.impl.EncryptedDataBuilder;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.w3c.dom.Element;
Expand All @@ -82,6 +86,8 @@
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.atLeastOnce;
Expand Down Expand Up @@ -729,6 +735,77 @@ public void authenticateWhenCustomResponseValidatorThenUses() {
verify(validator).convert(any(OpenSaml4AuthenticationProvider.ResponseToken.class));
}

@Test
public void setsOnlyParentStatusCodeOnResultDescription() {
jzheaux marked this conversation as resolved.
Show resolved Hide resolved
ResponseToken mockResponseToken = mock(ResponseToken.class);
Saml2AuthenticationToken mockSamlToken = mock(Saml2AuthenticationToken.class);
given(mockResponseToken.getToken()).willReturn(mockSamlToken);

RelyingPartyRegistration mockRelyingPartyRegistration = mock(RelyingPartyRegistration.class);
given(mockSamlToken.getRelyingPartyRegistration()).willReturn(mockRelyingPartyRegistration);

RelyingPartyRegistration.AssertingPartyDetails mockAssertingPartyDetails = mock(RelyingPartyRegistration.AssertingPartyDetails.class);
given(mockRelyingPartyRegistration.getAssertingPartyDetails()).willReturn(mockAssertingPartyDetails);

Status parentStatus = new StatusBuilder().buildObject();
StatusCode parentStatusCode = new StatusCodeBuilder().buildObject();
parentStatusCode.setValue(StatusCode.AUTHN_FAILED);
StatusCode childStatusCode = new StatusCodeBuilder().buildObject();
childStatusCode.setValue(StatusCode.NO_PASSIVE);
parentStatusCode.setStatusCode(childStatusCode);
parentStatus.setStatusCode(parentStatusCode);

Response mockResponse = mock(Response.class);
given(mockResponse.getStatus()).willReturn(parentStatus);
Issuer mockIssuer = mock(Issuer.class);
given(mockIssuer.getValue()).willReturn("mockedIssuer");
given(mockResponse.getIssuer()).willReturn(mockIssuer);

given(mockResponseToken.getResponse()).willReturn(mockResponse);

Converter<ResponseToken, Saml2ResponseValidatorResult> validator = OpenSaml4AuthenticationProvider.createDefaultResponseValidator();
Saml2ResponseValidatorResult result = validator.convert(mockResponseToken);

String expectedErrorMessage = String.format("Invalid status [%s] for SAML response", parentStatusCode.getValue());
assertTrue(result.getErrors().stream().anyMatch(error -> error.getDescription().contains(expectedErrorMessage)));
assertFalse(result.getErrors().stream().anyMatch(error -> error.getDescription().contains(childStatusCode.getValue())));
}

@Test
public void setsParentAndChildStatusCodeOnResultDescription() {
ResponseToken mockResponseToken = mock(ResponseToken.class);
Saml2AuthenticationToken mockSamlToken = mock(Saml2AuthenticationToken.class);
given(mockResponseToken.getToken()).willReturn(mockSamlToken);

RelyingPartyRegistration mockRelyingPartyRegistration = mock(RelyingPartyRegistration.class);
given(mockSamlToken.getRelyingPartyRegistration()).willReturn(mockRelyingPartyRegistration);

RelyingPartyRegistration.AssertingPartyDetails mockAssertingPartyDetails = mock(RelyingPartyRegistration.AssertingPartyDetails.class);
given(mockRelyingPartyRegistration.getAssertingPartyDetails()).willReturn(mockAssertingPartyDetails);

Status parentStatus = new StatusBuilder().buildObject();
StatusCode parentStatusCode = new StatusCodeBuilder().buildObject();
parentStatusCode.setValue(StatusCode.REQUESTER);
StatusCode childStatusCode = new StatusCodeBuilder().buildObject();
childStatusCode.setValue(StatusCode.NO_PASSIVE);
parentStatusCode.setStatusCode(childStatusCode);
parentStatus.setStatusCode(parentStatusCode);

Response mockResponse = mock(Response.class);
given(mockResponse.getStatus()).willReturn(parentStatus);
Issuer mockIssuer = mock(Issuer.class);
given(mockIssuer.getValue()).willReturn("mockedIssuer");
given(mockResponse.getIssuer()).willReturn(mockIssuer);

given(mockResponseToken.getResponse()).willReturn(mockResponse);

Converter<ResponseToken, Saml2ResponseValidatorResult> validator = OpenSaml4AuthenticationProvider.createDefaultResponseValidator();
Saml2ResponseValidatorResult result = validator.convert(mockResponseToken);

String expectedErrorMessage = String.format("Invalid status [%s] for SAML response", parentStatusCode.getValue() + childStatusCode.getValue());
assertTrue(result.getErrors().stream().anyMatch(error -> error.getDescription().contains(expectedErrorMessage)));
}

@Test
public void authenticateWhenAssertionIssuerNotValidThenFailsWithInvalidIssuer() {
OpenSaml4AuthenticationProvider provider = new OpenSaml4AuthenticationProvider();
Expand Down