Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-05-31 09:12:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '5.8.x' into 6.0.x

Browse Source 
Closes gh-14037
This commit is contained in:
Marcus Da Coregio 2023-10-19 10:03:33 -03:00
commit 9b2b7e58b5
2 changed files with 67 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolver.java
View File

@ -168,10 +168,12 @@ class OpenSamlAuthenticationRequestResolver {
.relayState(relayState)
.id(authnRequest.getID());
if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()) {
Map<String, String> parameters = OpenSamlSigningUtils.sign(registration)
.param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded)
.param(Saml2ParameterNames.RELAY_STATE, relayState)
.parameters();
OpenSamlSigningUtils.QueryParametersPartial parametersPartial = OpenSamlSigningUtils.sign(registration)
.param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded);
if (relayState != null) {
parametersPartial = parametersPartial.param(Saml2ParameterNames.RELAY_STATE, relayState);
}
Map<String, String> parameters = parametersPartial.parameters();
builder.sigAlg(parameters.get(Saml2ParameterNames.SIG_ALG))
.signature(parameters.get(Saml2ParameterNames.SIGNATURE));
}

61
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolverTests.java
View File

@ -18,10 +18,13 @@ package org.springframework.security.saml2.provider.service.web.authentication;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Answers;
import org.mockito.MockedStatic;
import org.opensaml.xmlsec.signature.support.SignatureConstants;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.Saml2ParameterNames;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.core.TestSaml2X509Credentials;
import org.springframework.security.saml2.provider.service.authentication.Saml2PostAuthenticationRequest;
@ -32,6 +35,12 @@ import org.springframework.security.saml2.provider.service.registration.TestRely
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.mockStatic;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.verify;
/**
* Tests for {@link OpenSamlAuthenticationRequestResolver}
@ -177,6 +186,58 @@ public class OpenSamlAuthenticationRequestResolverTests {
assertThat(result.getId()).isNotEmpty();
}
@Test
public void resolveAuthenticationRequestWhenSignedAndRelayStateIsNullThenSignsWithoutRelayState() {
try (MockedStatic<OpenSamlSigningUtils> openSamlSigningUtilsMockedStatic = mockStatic(
OpenSamlSigningUtils.class, Answers.CALLS_REAL_METHODS)) {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setPathInfo("/saml2/authenticate/registration-id");
RelyingPartyRegistration registration = this.relyingPartyRegistrationBuilder
.assertingPartyDetails((party) -> party.wantAuthnRequestsSigned(true))
.build();
OpenSamlSigningUtils.QueryParametersPartial queryParametersPartialSpy = spy(
new OpenSamlSigningUtils.QueryParametersPartial(registration));
openSamlSigningUtilsMockedStatic.when(() -> OpenSamlSigningUtils.sign(any()))
.thenReturn(queryParametersPartialSpy);
OpenSamlAuthenticationRequestResolver resolver = authenticationRequestResolver(registration);
resolver.setRelayStateResolver((source) -> null);
Saml2RedirectAuthenticationRequest result = resolver.resolve(request, (r, authnRequest) -> {
});
assertThat(result.getSamlRequest()).isNotEmpty();
assertThat(result.getRelayState()).isNull();
assertThat(result.getSigAlg()).isNotNull();
assertThat(result.getSignature()).isNotNull();
assertThat(result.getBinding()).isEqualTo(Saml2MessageBinding.REDIRECT);
verify(queryParametersPartialSpy, never()).param(eq(Saml2ParameterNames.RELAY_STATE), any());
}
}
@Test
public void resolveAuthenticationRequestWhenSignedAndRelayStateIsEmptyThenSignsWithEmptyRelayState() {
try (MockedStatic<OpenSamlSigningUtils> openSamlSigningUtilsMockedStatic = mockStatic(
OpenSamlSigningUtils.class, Answers.CALLS_REAL_METHODS)) {
MockHttpServletRequest request = new MockHttpServletRequest();
request.setPathInfo("/saml2/authenticate/registration-id");
RelyingPartyRegistration registration = this.relyingPartyRegistrationBuilder
.assertingPartyDetails((party) -> party.wantAuthnRequestsSigned(true))
.build();
OpenSamlSigningUtils.QueryParametersPartial queryParametersPartialSpy = spy(
new OpenSamlSigningUtils.QueryParametersPartial(registration));
openSamlSigningUtilsMockedStatic.when(() -> OpenSamlSigningUtils.sign(any()))
.thenReturn(queryParametersPartialSpy);
OpenSamlAuthenticationRequestResolver resolver = authenticationRequestResolver(registration);
resolver.setRelayStateResolver((source) -> "");
Saml2RedirectAuthenticationRequest result = resolver.resolve(request, (r, authnRequest) -> {
});
assertThat(result.getSamlRequest()).isNotEmpty();
assertThat(result.getRelayState()).isEmpty();
assertThat(result.getSigAlg()).isNotNull();
assertThat(result.getSignature()).isNotNull();
assertThat(result.getBinding()).isEqualTo(Saml2MessageBinding.REDIRECT);
verify(queryParametersPartialSpy).param(eq(Saml2ParameterNames.RELAY_STATE), eq(""));
}
}
private OpenSamlAuthenticationRequestResolver authenticationRequestResolver(RelyingPartyRegistration registration) {
return new OpenSamlAuthenticationRequestResolver((request, id) -> registration);
}