Logout Request Reads EntityId
Closes gh-12843 Closes gh-12845
This commit is contained in:
Josh Cummings
parent
46452c0cae
commit
3f2816f745
|
|
@ -130,9 +130,9 @@ To add other values, you can use delegation, like so:
|
|||
[source,java]
|
||||
----
|
||||
@Bean
|
||||
Saml2LogoutRequestResolver logoutRequestResolver(RelyingPartyRegistrationResolver registrationResolver) {
|
||||
OpenSaml4LogoutRequestResolver logoutRequestResolver
|
||||
new OpenSaml4LogoutRequestResolver(registrationResolver);
|
||||
Saml2LogoutRequestResolver logoutRequestResolver(RelyingPartyRegistrationRepository registrations) {
|
||||
OpenSaml4LogoutRequestResolver logoutRequestResolver =
|
||||
new OpenSaml4LogoutRequestResolver(registrations);
|
||||
logoutRequestResolver.setParametersConsumer((parameters) -> {
|
||||
String name = ((Saml2AuthenticatedPrincipal) parameters.getAuthentication().getPrincipal()).getFirstAttribute("CustomAttribute");
|
||||
String format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
|
||||
|
|
@ -173,9 +173,9 @@ To add other values, you can use delegation, like so:
|
|||
[source,java]
|
||||
----
|
||||
@Bean
|
||||
public Saml2LogoutResponseResolver logoutResponseResolver(RelyingPartyRegistrationResolver registrationResolver) {
|
||||
public Saml2LogoutResponseResolver logoutResponseResolver(RelyingPartyRegistrationRepository registrations) {
|
||||
OpenSaml4LogoutResponseResolver logoutRequestResolver =
|
||||
new OpenSaml3LogoutResponseResolver(relyingPartyRegistrationResolver);
|
||||
new OpenSaml4LogoutResponseResolver(registrations);
|
||||
logoutRequestResolver.setParametersConsumer((parameters) -> {
|
||||
if (checkOtherPrevailingConditions(parameters.getRequest())) {
|
||||
parameters.getLogoutRequest().getStatus().getStatusCode().setCode(StatusCode.PARTIAL_LOGOUT);
|
||||
|
|
|
|||
|
|
@ -27,6 +27,7 @@ import org.springframework.core.convert.converter.Converter;
|
|||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
|
|
@ -47,6 +48,15 @@ public final class OpenSaml4LogoutRequestResolver implements Saml2LogoutRequestR
|
|||
|
||||
private Clock clock = Clock.systemUTC();
|
||||
|
||||
public OpenSaml4LogoutRequestResolver(RelyingPartyRegistrationRepository registrations) {
|
||||
this((request, id) -> {
|
||||
if (id == null) {
|
||||
return null;
|
||||
}
|
||||
return registrations.findByRegistrationId(id);
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a {@link OpenSaml4LogoutRequestResolver}
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -26,6 +26,7 @@ import org.opensaml.saml.saml2.core.LogoutResponse;
|
|||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
|
|
@ -45,11 +46,20 @@ public final class OpenSaml4LogoutResponseResolver implements Saml2LogoutRespons
|
|||
|
||||
private Clock clock = Clock.systemUTC();
|
||||
|
||||
public OpenSaml4LogoutResponseResolver(RelyingPartyRegistrationRepository registrations) {
|
||||
this.logoutResponseResolver = new OpenSamlLogoutResponseResolver(registrations, (request, id) -> {
|
||||
if (id == null) {
|
||||
return null;
|
||||
}
|
||||
return registrations.findByRegistrationId(id);
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a {@link OpenSaml4LogoutResponseResolver}
|
||||
*/
|
||||
public OpenSaml4LogoutResponseResolver(RelyingPartyRegistrationResolver relyingPartyRegistrationResolver) {
|
||||
this.logoutResponseResolver = new OpenSamlLogoutResponseResolver(relyingPartyRegistrationResolver);
|
||||
this.logoutResponseResolver = new OpenSamlLogoutResponseResolver(null, relyingPartyRegistrationResolver);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -47,6 +47,8 @@ import org.springframework.security.saml2.provider.service.authentication.Saml2A
|
|||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers.UriResolver;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
|
||||
import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial;
|
||||
import org.springframework.util.Assert;
|
||||
|
|
@ -127,10 +129,12 @@ final class OpenSamlLogoutRequestResolver {
|
|||
if (registration.getAssertingPartyDetails().getSingleLogoutServiceLocation() == null) {
|
||||
return null;
|
||||
}
|
||||
UriResolver uriResolver = RelyingPartyRegistrationPlaceholderResolvers.uriResolver(request, registration);
|
||||
String entityId = uriResolver.resolve(registration.getEntityId());
|
||||
LogoutRequest logoutRequest = this.logoutRequestBuilder.buildObject();
|
||||
logoutRequest.setDestination(registration.getAssertingPartyDetails().getSingleLogoutServiceLocation());
|
||||
Issuer issuer = this.issuerBuilder.buildObject();
|
||||
issuer.setValue(registration.getEntityId());
|
||||
issuer.setValue(entityId);
|
||||
logoutRequest.setIssuer(issuer);
|
||||
NameID nameId = this.nameIdBuilder.buildObject();
|
||||
nameId.setValue(authentication.getName());
|
||||
|
|
|
|||
|
|
@ -0,0 +1,228 @@
|
|||
/*
|
||||
* Copyright 2002-2023 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.saml2.provider.service.web.authentication.logout;
|
||||
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
|
||||
import jakarta.servlet.http.HttpServletRequest;
|
||||
import net.shibboleth.utilities.java.support.xml.ParserPool;
|
||||
import org.opensaml.core.config.ConfigurationService;
|
||||
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
|
||||
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
|
||||
import org.opensaml.saml.saml2.core.LogoutRequest;
|
||||
import org.opensaml.saml.saml2.core.impl.LogoutRequestUnmarshaller;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.core.OpenSamlInitializationService;
|
||||
import org.springframework.security.saml2.core.Saml2Error;
|
||||
import org.springframework.security.saml2.core.Saml2ErrorCodes;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutRequestValidator;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidatorParameters;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
|
||||
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.OrRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* An OpenSAML-based implementation of
|
||||
* {@link Saml2LogoutRequestValidatorParametersResolver}
|
||||
*/
|
||||
public final class OpenSamlLogoutRequestValidatorParametersResolver
|
||||
implements Saml2LogoutRequestValidatorParametersResolver {
|
||||
|
||||
static {
|
||||
OpenSamlInitializationService.initialize();
|
||||
}
|
||||
|
||||
private RequestMatcher requestMatcher = new OrRequestMatcher(
|
||||
new AntPathRequestMatcher("/logout/saml2/slo/{registrationId}"),
|
||||
new AntPathRequestMatcher("/logout/saml2/slo"));
|
||||
|
||||
private final RelyingPartyRegistrationRepository registrations;
|
||||
|
||||
private final ParserPool parserPool;
|
||||
|
||||
private final LogoutRequestUnmarshaller unmarshaller;
|
||||
|
||||
/**
|
||||
* Constructs a {@link OpenSamlLogoutRequestValidator}
|
||||
*/
|
||||
public OpenSamlLogoutRequestValidatorParametersResolver(RelyingPartyRegistrationRepository registrations) {
|
||||
Assert.notNull(registrations, "relyingPartyRegistrationRepository cannot be null");
|
||||
XMLObjectProviderRegistry registry = ConfigurationService.get(XMLObjectProviderRegistry.class);
|
||||
this.parserPool = registry.getParserPool();
|
||||
this.unmarshaller = (LogoutRequestUnmarshaller) XMLObjectProviderRegistrySupport.getUnmarshallerFactory()
|
||||
.getUnmarshaller(LogoutRequest.DEFAULT_ELEMENT_NAME);
|
||||
this.registrations = registrations;
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct the parameters necessary for validating an asserting party's
|
||||
* {@code <saml2:LogoutRequest>} based on the given {@link HttpServletRequest}
|
||||
*
|
||||
* <p>
|
||||
* Uses the configured {@link RequestMatcher} to identify the processing request,
|
||||
* including looking for any indicated {@code registrationId}.
|
||||
*
|
||||
* <p>
|
||||
* If a {@code registrationId} is found in the request, it will attempt to use that,
|
||||
* erroring if no {@link RelyingPartyRegistration} is found.
|
||||
*
|
||||
* <p>
|
||||
* If no {@code registrationId} is found in the request, it will look for a currently
|
||||
* logged-in user and use the associated {@code registrationId}.
|
||||
*
|
||||
* <p>
|
||||
* In the event that neither the URL nor any logged in user could determine a
|
||||
* {@code registrationId}, this code then will try and derive a
|
||||
* {@link RelyingPartyRegistration} given the {@code <saml2:LogoutRequest>}'s
|
||||
* {@code Issuer} value.
|
||||
* @param request the HTTP request
|
||||
* @return a {@link Saml2LogoutRequestValidatorParameters} instance, or {@code null}
|
||||
* if one could not be resolved
|
||||
* @throws Saml2AuthenticationException if the {@link RequestMatcher} specifies a
|
||||
* non-existent {@code registrationId}
|
||||
*/
|
||||
@Override
|
||||
public Saml2LogoutRequestValidatorParameters resolve(HttpServletRequest request, Authentication authentication) {
|
||||
if (request.getParameter(Saml2ParameterNames.SAML_REQUEST) == null) {
|
||||
return null;
|
||||
}
|
||||
RequestMatcher.MatchResult result = this.requestMatcher.matcher(request);
|
||||
if (!result.isMatch()) {
|
||||
return null;
|
||||
}
|
||||
String registrationId = getRegistrationId(result, authentication);
|
||||
if (registrationId == null) {
|
||||
return logoutRequestByEntityId(request, authentication);
|
||||
}
|
||||
return logoutRequestById(request, authentication, registrationId);
|
||||
}
|
||||
|
||||
/**
|
||||
* The request matcher to use to identify a request to process a
|
||||
* {@code <saml2:LogoutRequest>}. By default, checks for {@code /logout/saml2/slo} and
|
||||
* {@code /logout/saml2/slo/{registrationId}}.
|
||||
*
|
||||
* <p>
|
||||
* Generally speaking, the URL does not need to have a {@code registrationId} in it
|
||||
* since either it can be looked up from the active logged in user or it can be
|
||||
* derived through the {@code Issuer} in the {@code <saml2:LogoutRequest>}.
|
||||
* @param requestMatcher the {@link RequestMatcher} to use
|
||||
*/
|
||||
public void setRequestMatcher(RequestMatcher requestMatcher) {
|
||||
Assert.notNull(requestMatcher, "requestMatcher cannot be null");
|
||||
this.requestMatcher = requestMatcher;
|
||||
}
|
||||
|
||||
private String getRegistrationId(RequestMatcher.MatchResult result, Authentication authentication) {
|
||||
String registrationId = result.getVariables().get("registrationId");
|
||||
if (registrationId != null) {
|
||||
return registrationId;
|
||||
}
|
||||
if (authentication == null) {
|
||||
return null;
|
||||
}
|
||||
if (authentication.getPrincipal() instanceof Saml2AuthenticatedPrincipal principal) {
|
||||
return principal.getRelyingPartyRegistrationId();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
private Saml2LogoutRequestValidatorParameters logoutRequestById(HttpServletRequest request,
|
||||
Authentication authentication, String registrationId) {
|
||||
RelyingPartyRegistration registration = this.registrations.findByRegistrationId(registrationId);
|
||||
if (registration == null) {
|
||||
throw new Saml2AuthenticationException(
|
||||
new Saml2Error(Saml2ErrorCodes.RELYING_PARTY_REGISTRATION_NOT_FOUND, "registration not found"),
|
||||
"registration not found");
|
||||
}
|
||||
return logoutRequestByRegistration(request, registration, authentication);
|
||||
}
|
||||
|
||||
private Saml2LogoutRequestValidatorParameters logoutRequestByEntityId(HttpServletRequest request,
|
||||
Authentication authentication) {
|
||||
String serialized = request.getParameter(Saml2ParameterNames.SAML_REQUEST);
|
||||
byte[] b = Saml2Utils.samlDecode(serialized);
|
||||
LogoutRequest logoutRequest = parse(inflateIfRequired(request, b));
|
||||
String issuer = logoutRequest.getIssuer().getValue();
|
||||
RelyingPartyRegistration registration = this.registrations.findUniqueByAssertingPartyEntityId(issuer);
|
||||
return logoutRequestByRegistration(request, registration, authentication);
|
||||
}
|
||||
|
||||
private Saml2LogoutRequestValidatorParameters logoutRequestByRegistration(HttpServletRequest request,
|
||||
RelyingPartyRegistration registration, Authentication authentication) {
|
||||
if (registration == null) {
|
||||
return null;
|
||||
}
|
||||
Saml2MessageBinding saml2MessageBinding = Saml2MessageBindingUtils.resolveBinding(request);
|
||||
registration = fromRequest(request, registration);
|
||||
String serialized = request.getParameter(Saml2ParameterNames.SAML_REQUEST);
|
||||
Saml2LogoutRequest logoutRequest = Saml2LogoutRequest.withRelyingPartyRegistration(registration)
|
||||
.samlRequest(serialized).relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE))
|
||||
.binding(saml2MessageBinding).location(registration.getSingleLogoutServiceLocation())
|
||||
.parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG,
|
||||
request.getParameter(Saml2ParameterNames.SIG_ALG)))
|
||||
.parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE,
|
||||
request.getParameter(Saml2ParameterNames.SIGNATURE)))
|
||||
.parametersQuery((params) -> request.getQueryString()).build();
|
||||
return new Saml2LogoutRequestValidatorParameters(logoutRequest, registration, authentication);
|
||||
}
|
||||
|
||||
private String inflateIfRequired(HttpServletRequest request, byte[] b) {
|
||||
if (HttpMethod.GET.equals(request.getMethod())) {
|
||||
return Saml2Utils.samlInflate(b);
|
||||
}
|
||||
return new String(b, StandardCharsets.UTF_8);
|
||||
}
|
||||
|
||||
private LogoutRequest parse(String request) throws Saml2Exception {
|
||||
try {
|
||||
Document document = this.parserPool
|
||||
.parse(new ByteArrayInputStream(request.getBytes(StandardCharsets.UTF_8)));
|
||||
Element element = document.getDocumentElement();
|
||||
return (LogoutRequest) this.unmarshaller.unmarshall(element);
|
||||
}
|
||||
catch (Exception ex) {
|
||||
throw new Saml2Exception("Failed to deserialize LogoutRequest", ex);
|
||||
}
|
||||
}
|
||||
|
||||
private RelyingPartyRegistration fromRequest(HttpServletRequest request, RelyingPartyRegistration registration) {
|
||||
RelyingPartyRegistrationPlaceholderResolvers.UriResolver uriResolver = RelyingPartyRegistrationPlaceholderResolvers
|
||||
.uriResolver(request, registration);
|
||||
String entityId = uriResolver.resolve(registration.getEntityId());
|
||||
String logoutLocation = uriResolver.resolve(registration.getSingleLogoutServiceLocation());
|
||||
String logoutResponseLocation = uriResolver.resolve(registration.getSingleLogoutServiceResponseLocation());
|
||||
return registration.mutate().entityId(entityId).singleLogoutServiceLocation(logoutLocation)
|
||||
.singleLogoutServiceResponseLocation(logoutResponseLocation).build();
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -51,7 +51,10 @@ import org.springframework.security.saml2.core.Saml2ParameterNames;
|
|||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponse;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
|
||||
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers.UriResolver;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
|
||||
import org.springframework.security.saml2.provider.service.web.authentication.logout.OpenSamlSigningUtils.QueryParametersPartial;
|
||||
import org.springframework.util.Assert;
|
||||
|
|
@ -82,12 +85,16 @@ final class OpenSamlLogoutResponseResolver {
|
|||
|
||||
private final StatusCodeBuilder statusCodeBuilder;
|
||||
|
||||
private final RelyingPartyRegistrationRepository registrations;
|
||||
|
||||
private final RelyingPartyRegistrationResolver relyingPartyRegistrationResolver;
|
||||
|
||||
/**
|
||||
* Construct a {@link OpenSamlLogoutResponseResolver}
|
||||
*/
|
||||
OpenSamlLogoutResponseResolver(RelyingPartyRegistrationResolver relyingPartyRegistrationResolver) {
|
||||
OpenSamlLogoutResponseResolver(RelyingPartyRegistrationRepository registrations,
|
||||
RelyingPartyRegistrationResolver relyingPartyRegistrationResolver) {
|
||||
this.registrations = registrations;
|
||||
this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
|
||||
XMLObjectProviderRegistry registry = ConfigurationService.get(XMLObjectProviderRegistry.class);
|
||||
this.parserPool = registry.getParserPool();
|
||||
|
|
@ -126,19 +133,25 @@ final class OpenSamlLogoutResponseResolver {
|
|||
|
||||
Saml2LogoutResponse resolve(HttpServletRequest request, Authentication authentication,
|
||||
BiConsumer<RelyingPartyRegistration, LogoutResponse> logoutResponseConsumer) {
|
||||
LogoutRequest logoutRequest = parse(extractSamlRequest(request));
|
||||
String registrationId = getRegistrationId(authentication);
|
||||
RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request, registrationId);
|
||||
if (registration == null && this.registrations != null) {
|
||||
String issuer = logoutRequest.getIssuer().getValue();
|
||||
registration = this.registrations.findUniqueByAssertingPartyEntityId(issuer);
|
||||
}
|
||||
if (registration == null) {
|
||||
return null;
|
||||
}
|
||||
if (registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation() == null) {
|
||||
return null;
|
||||
}
|
||||
LogoutRequest logoutRequest = parse(extractSamlRequest(request));
|
||||
UriResolver uriResolver = RelyingPartyRegistrationPlaceholderResolvers.uriResolver(request, registration);
|
||||
String entityId = uriResolver.resolve(registration.getEntityId());
|
||||
LogoutResponse logoutResponse = this.logoutResponseBuilder.buildObject();
|
||||
logoutResponse.setDestination(registration.getAssertingPartyDetails().getSingleLogoutServiceResponseLocation());
|
||||
Issuer issuer = this.issuerBuilder.buildObject();
|
||||
issuer.setValue(registration.getEntityId());
|
||||
issuer.setValue(entityId);
|
||||
logoutResponse.setIssuer(issuer);
|
||||
StatusCode code = this.statusCodeBuilder.buildObject();
|
||||
code.setValue(StatusCode.SUCCESS);
|
||||
|
|
|
|||
|
|
@ -30,8 +30,11 @@ import org.springframework.http.MediaType;
|
|||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||
import org.springframework.security.saml2.core.Saml2Error;
|
||||
import org.springframework.security.saml2.core.Saml2ErrorCodes;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidatorParameters;
|
||||
|
|
@ -39,6 +42,8 @@ import org.springframework.security.saml2.provider.service.authentication.logout
|
|||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutValidatorResult;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers.UriResolver;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
|
||||
import org.springframework.security.web.DefaultRedirectStrategy;
|
||||
import org.springframework.security.web.RedirectStrategy;
|
||||
|
|
@ -67,9 +72,9 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
|
|||
private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
|
||||
.getContextHolderStrategy();
|
||||
|
||||
private final Saml2LogoutRequestValidator logoutRequestValidator;
|
||||
private final Saml2LogoutRequestValidatorParametersResolver logoutRequestResolver;
|
||||
|
||||
private final RelyingPartyRegistrationResolver relyingPartyRegistrationResolver;
|
||||
private final Saml2LogoutRequestValidator logoutRequestValidator;
|
||||
|
||||
private final Saml2LogoutResponseResolver logoutResponseResolver;
|
||||
|
||||
|
|
@ -77,7 +82,14 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
|
|||
|
||||
private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
|
||||
|
||||
private RequestMatcher logoutRequestMatcher = new AntPathRequestMatcher("/logout/saml2/slo");
|
||||
public Saml2LogoutRequestFilter(Saml2LogoutRequestValidatorParametersResolver logoutRequestResolver,
|
||||
Saml2LogoutRequestValidator logoutRequestValidator, Saml2LogoutResponseResolver logoutResponseResolver,
|
||||
LogoutHandler... handlers) {
|
||||
this.logoutRequestResolver = logoutRequestResolver;
|
||||
this.logoutRequestValidator = logoutRequestValidator;
|
||||
this.logoutResponseResolver = logoutResponseResolver;
|
||||
this.handler = new CompositeLogoutHandler(handlers);
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructs a {@link Saml2LogoutResponseFilter} for accepting SAML 2.0 Logout
|
||||
|
|
@ -91,7 +103,7 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
|
|||
public Saml2LogoutRequestFilter(RelyingPartyRegistrationResolver relyingPartyRegistrationResolver,
|
||||
Saml2LogoutRequestValidator logoutRequestValidator, Saml2LogoutResponseResolver logoutResponseResolver,
|
||||
LogoutHandler... handlers) {
|
||||
this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
|
||||
this.logoutRequestResolver = new Saml2AssertingPartyLogoutRequestResolver(relyingPartyRegistrationResolver);
|
||||
this.logoutRequestValidator = logoutRequestValidator;
|
||||
this.logoutResponseResolver = logoutResponseResolver;
|
||||
this.handler = new CompositeLogoutHandler(handlers);
|
||||
|
|
@ -100,26 +112,21 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
|
|||
@Override
|
||||
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
|
||||
throws ServletException, IOException {
|
||||
|
||||
if (!this.logoutRequestMatcher.matches(request)) {
|
||||
chain.doFilter(request, response);
|
||||
return;
|
||||
}
|
||||
|
||||
if (request.getParameter(Saml2ParameterNames.SAML_REQUEST) == null) {
|
||||
chain.doFilter(request, response);
|
||||
return;
|
||||
}
|
||||
|
||||
Authentication authentication = this.securityContextHolderStrategy.getContext().getAuthentication();
|
||||
RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request,
|
||||
getRegistrationId(authentication));
|
||||
if (registration == null) {
|
||||
this.logger
|
||||
.trace("Did not process logout request since failed to find associated RelyingPartyRegistration");
|
||||
Saml2LogoutRequestValidatorParameters parameters;
|
||||
try {
|
||||
parameters = this.logoutRequestResolver.resolve(request, authentication);
|
||||
}
|
||||
catch (Saml2AuthenticationException ex) {
|
||||
this.logger.trace("Did not process logout request since failed to find requested RelyingPartyRegistration");
|
||||
response.sendError(HttpServletResponse.SC_BAD_REQUEST);
|
||||
return;
|
||||
}
|
||||
if (parameters == null) {
|
||||
chain.doFilter(request, response);
|
||||
return;
|
||||
}
|
||||
RelyingPartyRegistration registration = parameters.getRelyingPartyRegistration();
|
||||
if (registration.getSingleLogoutServiceLocation() == null) {
|
||||
this.logger.trace(
|
||||
"Did not process logout request since RelyingPartyRegistration has not been configured with a logout request endpoint");
|
||||
|
|
@ -134,17 +141,6 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
|
|||
return;
|
||||
}
|
||||
|
||||
String serialized = request.getParameter(Saml2ParameterNames.SAML_REQUEST);
|
||||
Saml2LogoutRequest logoutRequest = Saml2LogoutRequest.withRelyingPartyRegistration(registration)
|
||||
.samlRequest(serialized).relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE))
|
||||
.binding(saml2MessageBinding).location(registration.getSingleLogoutServiceLocation())
|
||||
.parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG,
|
||||
request.getParameter(Saml2ParameterNames.SIG_ALG)))
|
||||
.parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE,
|
||||
request.getParameter(Saml2ParameterNames.SIGNATURE)))
|
||||
.parametersQuery((params) -> request.getQueryString()).build();
|
||||
Saml2LogoutRequestValidatorParameters parameters = new Saml2LogoutRequestValidatorParameters(logoutRequest,
|
||||
registration, authentication);
|
||||
Saml2LogoutValidatorResult result = this.logoutRequestValidator.validate(parameters);
|
||||
if (result.hasErrors()) {
|
||||
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, result.getErrors().iterator().next().toString());
|
||||
|
|
@ -168,7 +164,10 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
|
|||
|
||||
public void setLogoutRequestMatcher(RequestMatcher logoutRequestMatcher) {
|
||||
Assert.notNull(logoutRequestMatcher, "logoutRequestMatcher cannot be null");
|
||||
this.logoutRequestMatcher = logoutRequestMatcher;
|
||||
Assert.isInstanceOf(Saml2AssertingPartyLogoutRequestResolver.class, this.logoutRequestResolver,
|
||||
"saml2LogoutRequestResolver and logoutRequestMatcher cannot both be set. Please set the request matcher in the saml2LogoutRequestResolver itself.");
|
||||
((Saml2AssertingPartyLogoutRequestResolver) this.logoutRequestResolver)
|
||||
.setLogoutRequestMatcher(logoutRequestMatcher);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -182,17 +181,6 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
|
|||
this.securityContextHolderStrategy = securityContextHolderStrategy;
|
||||
}
|
||||
|
||||
private String getRegistrationId(Authentication authentication) {
|
||||
if (authentication == null) {
|
||||
return null;
|
||||
}
|
||||
Object principal = authentication.getPrincipal();
|
||||
if (principal instanceof Saml2AuthenticatedPrincipal) {
|
||||
return ((Saml2AuthenticatedPrincipal) principal).getRelyingPartyRegistrationId();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
private void doRedirect(HttpServletRequest request, HttpServletResponse response,
|
||||
Saml2LogoutResponse logoutResponse) throws IOException {
|
||||
String location = logoutResponse.getResponseLocation();
|
||||
|
|
@ -252,4 +240,73 @@ public final class Saml2LogoutRequestFilter extends OncePerRequestFilter {
|
|||
return html.toString();
|
||||
}
|
||||
|
||||
private static class Saml2AssertingPartyLogoutRequestResolver
|
||||
implements Saml2LogoutRequestValidatorParametersResolver {
|
||||
|
||||
private final RelyingPartyRegistrationResolver relyingPartyRegistrationResolver;
|
||||
|
||||
private RequestMatcher logoutRequestMatcher = new AntPathRequestMatcher("/logout/saml2/slo");
|
||||
|
||||
Saml2AssertingPartyLogoutRequestResolver(RelyingPartyRegistrationResolver relyingPartyRegistrationResolver) {
|
||||
this.relyingPartyRegistrationResolver = relyingPartyRegistrationResolver;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Saml2LogoutRequestValidatorParameters resolve(HttpServletRequest request,
|
||||
Authentication authentication) {
|
||||
String serialized = request.getParameter(Saml2ParameterNames.SAML_REQUEST);
|
||||
if (serialized == null) {
|
||||
return null;
|
||||
}
|
||||
RequestMatcher.MatchResult result = this.logoutRequestMatcher.matcher(request);
|
||||
if (!result.isMatch()) {
|
||||
return null;
|
||||
}
|
||||
String registrationId = getRegistrationId(result, authentication);
|
||||
RelyingPartyRegistration registration = this.relyingPartyRegistrationResolver.resolve(request,
|
||||
registrationId);
|
||||
if (registration == null) {
|
||||
throw new Saml2AuthenticationException(
|
||||
new Saml2Error(Saml2ErrorCodes.RELYING_PARTY_REGISTRATION_NOT_FOUND, "registration not found"),
|
||||
"registration not found");
|
||||
}
|
||||
UriResolver uriResolver = RelyingPartyRegistrationPlaceholderResolvers.uriResolver(request, registration);
|
||||
String entityId = uriResolver.resolve(registration.getEntityId());
|
||||
String logoutLocation = uriResolver.resolve(registration.getSingleLogoutServiceLocation());
|
||||
String logoutResponseLocation = uriResolver.resolve(registration.getSingleLogoutServiceResponseLocation());
|
||||
registration = registration.mutate().entityId(entityId).singleLogoutServiceLocation(logoutLocation)
|
||||
.singleLogoutServiceResponseLocation(logoutResponseLocation).build();
|
||||
Saml2MessageBinding saml2MessageBinding = Saml2MessageBindingUtils.resolveBinding(request);
|
||||
Saml2LogoutRequest logoutRequest = Saml2LogoutRequest.withRelyingPartyRegistration(registration)
|
||||
.samlRequest(serialized).relayState(request.getParameter(Saml2ParameterNames.RELAY_STATE))
|
||||
.binding(saml2MessageBinding).location(registration.getSingleLogoutServiceLocation())
|
||||
.parameters((params) -> params.put(Saml2ParameterNames.SIG_ALG,
|
||||
request.getParameter(Saml2ParameterNames.SIG_ALG)))
|
||||
.parameters((params) -> params.put(Saml2ParameterNames.SIGNATURE,
|
||||
request.getParameter(Saml2ParameterNames.SIGNATURE)))
|
||||
.parametersQuery((params) -> request.getQueryString()).build();
|
||||
return new Saml2LogoutRequestValidatorParameters(logoutRequest, registration, authentication);
|
||||
}
|
||||
|
||||
void setLogoutRequestMatcher(RequestMatcher logoutRequestMatcher) {
|
||||
Assert.notNull(logoutRequestMatcher, "logoutRequestMatcher cannot be null");
|
||||
this.logoutRequestMatcher = logoutRequestMatcher;
|
||||
}
|
||||
|
||||
private String getRegistrationId(RequestMatcher.MatchResult result, Authentication authentication) {
|
||||
String registrationId = result.getVariables().get("registrationId");
|
||||
if (registrationId != null) {
|
||||
return registrationId;
|
||||
}
|
||||
if (authentication == null) {
|
||||
return null;
|
||||
}
|
||||
if (authentication.getPrincipal() instanceof Saml2AuthenticatedPrincipal principal) {
|
||||
return principal.getRelyingPartyRegistrationId();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,45 @@
|
|||
/*
|
||||
* Copyright 2002-2023 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.saml2.provider.service.web.authentication.logout;
|
||||
|
||||
import jakarta.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidatorParameters;
|
||||
|
||||
/**
|
||||
* Resolved a SAML 2.0 Logout Request and associated validation parameters from the given
|
||||
* {@link HttpServletRequest} and current {@link Authentication}.
|
||||
*
|
||||
* The returned logout request is suitable for validating, logging out the logged-in user,
|
||||
* and initiating the construction of a {@code LogoutResponse}.
|
||||
*
|
||||
* @author Josh Cummings
|
||||
* @since 6.1
|
||||
*/
|
||||
public interface Saml2LogoutRequestValidatorParametersResolver {
|
||||
|
||||
/**
|
||||
* Resolve any SAML 2.0 Logout Request and associated
|
||||
* {@link org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration}
|
||||
* @param request the HTTP request
|
||||
* @param authentication the current user, if any; may be null
|
||||
* @return a SAML 2.0 Logout Request, if any; may be null
|
||||
*/
|
||||
Saml2LogoutRequestValidatorParameters resolve(HttpServletRequest request, Authentication authentication);
|
||||
|
||||
}
|
||||
|
|
@ -35,7 +35,10 @@ import org.springframework.security.saml2.provider.service.authentication.logout
|
|||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponseValidatorParameters;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutValidatorResult;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
|
||||
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers.UriResolver;
|
||||
import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationResolver;
|
||||
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
|
|
@ -71,6 +74,18 @@ public final class Saml2LogoutResponseFilter extends OncePerRequestFilter {
|
|||
|
||||
private RequestMatcher logoutRequestMatcher = new AntPathRequestMatcher("/logout/saml2/slo");
|
||||
|
||||
public Saml2LogoutResponseFilter(RelyingPartyRegistrationRepository registrations,
|
||||
Saml2LogoutResponseValidator logoutResponseValidator, LogoutSuccessHandler logoutSuccessHandler) {
|
||||
this.relyingPartyRegistrationResolver = (request, id) -> {
|
||||
if (id == null) {
|
||||
return null;
|
||||
}
|
||||
return registrations.findByRegistrationId(id);
|
||||
};
|
||||
this.logoutResponseValidator = logoutResponseValidator;
|
||||
this.logoutSuccessHandler = logoutSuccessHandler;
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructs a {@link Saml2LogoutResponseFilter} for accepting SAML 2.0 Logout
|
||||
* Responses from the asserting party
|
||||
|
|
@ -125,7 +140,12 @@ public final class Saml2LogoutResponseFilter extends OncePerRequestFilter {
|
|||
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
|
||||
return;
|
||||
}
|
||||
|
||||
UriResolver uriResolver = RelyingPartyRegistrationPlaceholderResolvers.uriResolver(request, registration);
|
||||
String entityId = uriResolver.resolve(registration.getEntityId());
|
||||
String logoutLocation = uriResolver.resolve(registration.getSingleLogoutServiceLocation());
|
||||
String logoutResponseLocation = uriResolver.resolve(registration.getSingleLogoutServiceResponseLocation());
|
||||
registration = registration.mutate().entityId(entityId).singleLogoutServiceLocation(logoutLocation)
|
||||
.singleLogoutServiceResponseLocation(logoutResponseLocation).build();
|
||||
Saml2MessageBinding saml2MessageBinding = Saml2MessageBindingUtils.resolveBinding(request);
|
||||
if (!registration.getSingleLogoutServiceBindings().contains(saml2MessageBinding)) {
|
||||
this.logger.trace("Did not process logout response since used incorrect binding");
|
||||
|
|
|
|||
|
|
@ -101,6 +101,8 @@ public final class TestOpenSamlObjects {
|
|||
|
||||
private static String DESTINATION = "https://localhost/login/saml2/sso/idp-alias";
|
||||
|
||||
private static String LOGOUT_DESTINATION = "http://localhost/logout/saml2/slo";
|
||||
|
||||
public static String RELYING_PARTY_ENTITY_ID = "https://localhost/saml2/service-provider-metadata/idp-alias";
|
||||
|
||||
private static String ASSERTING_PARTY_ENTITY_ID = "https://some.idp.test/saml2/idp";
|
||||
|
|
@ -204,6 +206,18 @@ public final class TestOpenSamlObjects {
|
|||
return authnRequest;
|
||||
}
|
||||
|
||||
public static LogoutRequest logoutRequest() {
|
||||
Issuer issuer = build(Issuer.DEFAULT_ELEMENT_NAME);
|
||||
issuer.setValue(ASSERTING_PARTY_ENTITY_ID);
|
||||
NameID nameId = build(NameID.DEFAULT_ELEMENT_NAME);
|
||||
nameId.setValue("user");
|
||||
LogoutRequest logoutRequest = build(LogoutRequest.DEFAULT_ELEMENT_NAME);
|
||||
logoutRequest.setIssuer(issuer);
|
||||
logoutRequest.setDestination(LOGOUT_DESTINATION);
|
||||
logoutRequest.setNameID(nameId);
|
||||
return logoutRequest;
|
||||
}
|
||||
|
||||
static Credential getSigningCredential(Saml2X509Credential credential, String entityId) {
|
||||
BasicCredential cred = getBasicCredential(credential);
|
||||
cred.setEntityId(entityId);
|
||||
|
|
|
|||
|
|
@ -0,0 +1,40 @@
|
|||
/*
|
||||
* Copyright 2002-2023 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.saml2.provider.service.authentication;
|
||||
|
||||
import java.util.Collections;
|
||||
|
||||
import org.springframework.security.core.authority.AuthorityUtils;
|
||||
|
||||
/**
|
||||
* Tests instances for {@link Saml2Authentication}
|
||||
*
|
||||
* @author Josh Cummings
|
||||
*/
|
||||
public final class TestSaml2Authentications {
|
||||
|
||||
private TestSaml2Authentications() {
|
||||
}
|
||||
|
||||
public static Saml2Authentication authentication() {
|
||||
DefaultSaml2AuthenticatedPrincipal principal = new DefaultSaml2AuthenticatedPrincipal("user",
|
||||
Collections.emptyMap());
|
||||
principal.setRelyingPartyRegistrationId("simplesamlphp");
|
||||
return new Saml2Authentication(principal, "response", AuthorityUtils.createAuthorityList("ROLE_USER"));
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -0,0 +1,143 @@
|
|||
/*
|
||||
* Copyright 2002-2023 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.saml2.provider.service.web.authentication.logout;
|
||||
|
||||
import java.nio.charset.StandardCharsets;
|
||||
|
||||
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.ExtendWith;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.junit.jupiter.MockitoExtension;
|
||||
import org.opensaml.core.xml.XMLObject;
|
||||
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
|
||||
import org.opensaml.core.xml.io.Marshaller;
|
||||
import org.opensaml.core.xml.io.MarshallingException;
|
||||
import org.w3c.dom.Element;
|
||||
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.saml2.Saml2Exception;
|
||||
import org.springframework.security.saml2.core.Saml2ParameterNames;
|
||||
import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException;
|
||||
import org.springframework.security.saml2.provider.service.authentication.TestOpenSamlObjects;
|
||||
import org.springframework.security.saml2.provider.service.authentication.TestSaml2Authentications;
|
||||
import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidatorParameters;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
|
||||
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
|
||||
import org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
|
||||
@ExtendWith(MockitoExtension.class)
|
||||
public final class OpenSamlLogoutRequestValidatorParametersResolverTests {
|
||||
|
||||
@Mock
|
||||
RelyingPartyRegistrationRepository registrations;
|
||||
|
||||
private RelyingPartyRegistration registration = TestRelyingPartyRegistrations.relyingPartyRegistration().build();
|
||||
|
||||
private OpenSamlLogoutRequestValidatorParametersResolver resolver;
|
||||
|
||||
@BeforeEach
|
||||
void setup() {
|
||||
this.resolver = new OpenSamlLogoutRequestValidatorParametersResolver(this.registrations);
|
||||
}
|
||||
|
||||
@Test
|
||||
void saml2LogoutRegistrationIdResolveWhenMatchesThenParameters() {
|
||||
String registrationId = this.registration.getRegistrationId();
|
||||
MockHttpServletRequest request = post("/logout/saml2/slo/" + registrationId);
|
||||
Authentication authentication = new TestingAuthenticationToken("user", "pass");
|
||||
request.setParameter(Saml2ParameterNames.SAML_REQUEST, "request");
|
||||
given(this.registrations.findByRegistrationId(registrationId)).willReturn(this.registration);
|
||||
Saml2LogoutRequestValidatorParameters parameters = this.resolver.resolve(request, authentication);
|
||||
assertThat(parameters.getAuthentication()).isEqualTo(authentication);
|
||||
assertThat(parameters.getRelyingPartyRegistration().getRegistrationId()).isEqualTo(registrationId);
|
||||
assertThat(parameters.getLogoutRequest().getSamlRequest()).isEqualTo("request");
|
||||
}
|
||||
|
||||
@Test
|
||||
void saml2LogoutRegistrationIdWhenUnauthenticatedThenParameters() {
|
||||
String registrationId = this.registration.getRegistrationId();
|
||||
MockHttpServletRequest request = post("/logout/saml2/slo/" + registrationId);
|
||||
request.setParameter(Saml2ParameterNames.SAML_REQUEST, "request");
|
||||
given(this.registrations.findByRegistrationId(registrationId)).willReturn(this.registration);
|
||||
Saml2LogoutRequestValidatorParameters parameters = this.resolver.resolve(request, null);
|
||||
assertThat(parameters.getAuthentication()).isNull();
|
||||
assertThat(parameters.getRelyingPartyRegistration().getRegistrationId()).isEqualTo(registrationId);
|
||||
assertThat(parameters.getLogoutRequest().getSamlRequest()).isEqualTo("request");
|
||||
}
|
||||
|
||||
@Test
|
||||
void saml2LogoutResolveWhenAuthenticatedThenParameters() {
|
||||
String registrationId = this.registration.getRegistrationId();
|
||||
MockHttpServletRequest request = post("/logout/saml2/slo");
|
||||
Authentication authentication = TestSaml2Authentications.authentication();
|
||||
request.setParameter(Saml2ParameterNames.SAML_REQUEST, "request");
|
||||
given(this.registrations.findByRegistrationId(registrationId)).willReturn(this.registration);
|
||||
Saml2LogoutRequestValidatorParameters parameters = this.resolver.resolve(request, authentication);
|
||||
assertThat(parameters.getAuthentication()).isEqualTo(authentication);
|
||||
assertThat(parameters.getRelyingPartyRegistration().getRegistrationId()).isEqualTo(registrationId);
|
||||
assertThat(parameters.getLogoutRequest().getSamlRequest()).isEqualTo("request");
|
||||
}
|
||||
|
||||
@Test
|
||||
void saml2LogoutResolveWhenUnauthenticatedThenParameters() {
|
||||
String registrationId = this.registration.getRegistrationId();
|
||||
MockHttpServletRequest request = post("/logout/saml2/slo");
|
||||
String logoutRequest = serialize(TestOpenSamlObjects.logoutRequest());
|
||||
String encoded = Saml2Utils.samlEncode(logoutRequest.getBytes(StandardCharsets.UTF_8));
|
||||
request.setParameter(Saml2ParameterNames.SAML_REQUEST, encoded);
|
||||
given(this.registrations.findUniqueByAssertingPartyEntityId(TestOpenSamlObjects.ASSERTING_PARTY_ENTITY_ID))
|
||||
.willReturn(this.registration);
|
||||
Saml2LogoutRequestValidatorParameters parameters = this.resolver.resolve(request, null);
|
||||
assertThat(parameters.getAuthentication()).isNull();
|
||||
assertThat(parameters.getRelyingPartyRegistration().getRegistrationId()).isEqualTo(registrationId);
|
||||
assertThat(parameters.getLogoutRequest().getSamlRequest()).isEqualTo(encoded);
|
||||
}
|
||||
|
||||
@Test
|
||||
void saml2LogoutRegistrationIdResolveWhenNoMatchingRegistrationIdThenSaml2Exception() {
|
||||
MockHttpServletRequest request = post("/logout/saml2/slo/id");
|
||||
request.setParameter(Saml2ParameterNames.SAML_REQUEST, "request");
|
||||
assertThatExceptionOfType(Saml2AuthenticationException.class)
|
||||
.isThrownBy(() -> this.resolver.resolve(request, null));
|
||||
}
|
||||
|
||||
private MockHttpServletRequest post(String uri) {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("POST", uri);
|
||||
request.setServletPath(uri);
|
||||
return request;
|
||||
}
|
||||
|
||||
private String serialize(XMLObject object) {
|
||||
try {
|
||||
Marshaller marshaller = XMLObjectProviderRegistrySupport.getMarshallerFactory().getMarshaller(object);
|
||||
Element element = marshaller.marshall(object);
|
||||
return SerializeSupport.nodeToString(element);
|
||||
}
|
||||
catch (MarshallingException ex) {
|
||||
throw new Saml2Exception(ex);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -56,7 +56,7 @@ public class OpenSamlLogoutResponseResolverTests {
|
|||
|
||||
RelyingPartyRegistrationResolver relyingPartyRegistrationResolver = mock(RelyingPartyRegistrationResolver.class);
|
||||
|
||||
OpenSamlLogoutResponseResolver logoutResponseResolver = new OpenSamlLogoutResponseResolver(
|
||||
OpenSamlLogoutResponseResolver logoutResponseResolver = new OpenSamlLogoutResponseResolver(null,
|
||||
this.relyingPartyRegistrationResolver);
|
||||
|
||||
@Test
|
||||
|
|
|
|||
Loading…
Reference in New Issue