From a17cf9e814a38aa15f8d3d71e3016bfa544495ef Mon Sep 17 00:00:00 2001
From: Elias Lousseief
Date: Thu, 10 Mar 2022 08:08:05 +0100
Subject: [PATCH] Refactored OpenSaml4AuthenticationProviderTests

Factored out repeatedly used code for signing a request.
---
 .../OpenSaml4AuthenticationProviderTests.java | 100 ++++++------------
 1 file changed, 31 insertions(+), 69 deletions(-)

diff --git a/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java b/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
index ed3ad288f7..fdff0619bf 100644
--- a/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
+++ b/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
@@ -39,6 +39,7 @@ import org.opensaml.core.xml.io.Marshaller;
 import org.opensaml.core.xml.io.MarshallingException;
 import org.opensaml.core.xml.schema.XSDateTime;
 import org.opensaml.core.xml.schema.impl.XSDateTimeBuilder;
+import org.opensaml.saml.common.SignableSAMLObject;
 import org.opensaml.saml.common.assertion.ValidationContext;
 import org.opensaml.saml.saml2.assertion.SAML2AssertionValidationParameters;
 import org.opensaml.saml.saml2.core.Assertion;
@@ -144,9 +145,7 @@ public class OpenSaml4AuthenticationProviderTests {
 public void authenticateWhenInvalidDestinationThenThrowAuthenticationException() {
 Response response = response(DESTINATION + "invalid", ASSERTING_PARTY_ENTITY_ID);
 response.getAssertions().add(assertion());
- TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- Saml2AuthenticationToken token = token(response, verifying(registration()));
+ Saml2AuthenticationToken token = token(signed(response), verifying(registration()));
 assertThatExceptionOfType(Saml2AuthenticationException.class)
 .isThrownBy(() -> this.provider.authenticate(token))
 .satisfies(errorOf(Saml2ErrorCodes.INVALID_DESTINATION));
@@ -176,9 +175,7 @@ public class OpenSaml4AuthenticationProviderTests {
 Assertion assertion = assertion();
 assertion.getSubject().getSubjectConfirmations().get(0).getSubjectConfirmationData()
 .setNotOnOrAfter(Instant.now().minus(Duration.ofDays(3)));
- TestOpenSamlObjects.signed(assertion, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- response.getAssertions().add(assertion);
+ response.getAssertions().add(signed(assertion));
 Saml2AuthenticationToken token = token(response, verifying(registration()));
 assertThatExceptionOfType(Saml2AuthenticationException.class)
 .isThrownBy(() -> this.provider.authenticate(token))
@@ -190,9 +187,7 @@ public class OpenSaml4AuthenticationProviderTests {
 Response response = response();
 Assertion assertion = assertion();
 assertion.setSubject(null);
- TestOpenSamlObjects.signed(assertion, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- response.getAssertions().add(assertion);
+ response.getAssertions().add(signed(assertion));
 Saml2AuthenticationToken token = token(response, verifying(registration()));
 assertThatExceptionOfType(Saml2AuthenticationException.class)
 .isThrownBy(() -> this.provider.authenticate(token))
@@ -204,9 +199,7 @@ public class OpenSaml4AuthenticationProviderTests {
 Response response = response();
 Assertion assertion = assertion();
 assertion.getSubject().getNameID().setValue(null);
- TestOpenSamlObjects.signed(assertion, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- response.getAssertions().add(assertion);
+ response.getAssertions().add(signed(assertion));
 Saml2AuthenticationToken token = token(response, verifying(registration()));
 assertThatExceptionOfType(Saml2AuthenticationException.class)
 .isThrownBy(() -> this.provider.authenticate(token))
@@ -219,9 +212,7 @@ public class OpenSaml4AuthenticationProviderTests {
 Assertion assertion = assertion();
 assertion.getSubject().getSubjectConfirmations()
 .forEach((sc) -> sc.getSubjectConfirmationData().setAddress("10.10.10.10"));
- TestOpenSamlObjects.signed(assertion, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- response.getAssertions().add(assertion);
+ response.getAssertions().add(signed(assertion));
 Saml2AuthenticationToken token = token(response, verifying(registration()));
 this.provider.authenticate(token);
 }
@@ -232,9 +223,7 @@ public class OpenSaml4AuthenticationProviderTests {
 Assertion assertion = assertion();
 List attributes = attributeStatements();
 assertion.getAttributeStatements().addAll(attributes);
- TestOpenSamlObjects.signed(assertion, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- response.getAssertions().add(assertion);
+ response.getAssertions().add(signed(assertion));
 Saml2AuthenticationToken token = token(response, verifying(registration()));
 Authentication authentication = this.provider.authenticate(token);
 Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
@@ -258,9 +247,7 @@ public class OpenSaml4AuthenticationProviderTests {
 AttributeStatement attribute = TestOpenSamlObjects.customAttributeStatement("Address",
 TestCustomOpenSamlObjects.instance());
 assertion.getAttributeStatements().add(attribute);
- TestOpenSamlObjects.signed(assertion, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- response.getAssertions().add(assertion);
+ response.getAssertions().add(signed(assertion));
 Saml2AuthenticationToken token = token(response, verifying(registration()));
 Authentication authentication = this.provider.authenticate(token);
 Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
@@ -291,9 +278,7 @@ public class OpenSaml4AuthenticationProviderTests {
 EncryptedAssertion encryptedAssertion = TestOpenSamlObjects.encrypted(assertion,
 TestSaml2X509Credentials.assertingPartyEncryptingCredential());
 response.getEncryptedAssertions().add(encryptedAssertion);
- TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- Saml2AuthenticationToken token = token(response, decrypting(verifying(registration())));
+ Saml2AuthenticationToken token = token(signed(response), decrypting(verifying(registration())));
 this.provider.authenticate(token);
 }
 
@@ -303,9 +288,7 @@ public class OpenSaml4AuthenticationProviderTests {
 EncryptedAssertion encryptedAssertion = TestOpenSamlObjects.encrypted(assertion(),
 TestSaml2X509Credentials.assertingPartyEncryptingCredential());
 response.getEncryptedAssertions().add(encryptedAssertion);
- TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- Saml2AuthenticationToken token = token(response, decrypting(verifying(registration())));
+ Saml2AuthenticationToken token = token(signed(response), decrypting(verifying(registration())));
 this.provider.authenticate(token);
 }
 
@@ -318,9 +301,7 @@ public class OpenSaml4AuthenticationProviderTests {
 TestSaml2X509Credentials.assertingPartyEncryptingCredential());
 assertion.getSubject().setNameID(null);
 assertion.getSubject().setEncryptedID(encryptedID);
- response.getAssertions().add(assertion);
- TestOpenSamlObjects.signed(assertion, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
+ response.getAssertions().add(signed(assertion));
 Saml2AuthenticationToken token = token(response, decrypting(verifying(registration())));
 this.provider.authenticate(token);
 }
@@ -335,9 +316,7 @@ public class OpenSaml4AuthenticationProviderTests {
 statement.getEncryptedAttributes().add(attribute);
 assertion.getAttributeStatements().add(statement);
 response.getAssertions().add(assertion);
- TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- Saml2AuthenticationToken token = token(response, decrypting(verifying(registration())));
+ Saml2AuthenticationToken token = token(signed(response), decrypting(verifying(registration())));
 Saml2Authentication authentication = (Saml2Authentication) this.provider.authenticate(token);
 Saml2AuthenticatedPrincipal principal = (Saml2AuthenticatedPrincipal) authentication.getPrincipal();
 assertThat(principal.getAttribute("name")).containsExactly("value");
@@ -349,9 +328,7 @@ public class OpenSaml4AuthenticationProviderTests {
 EncryptedAssertion encryptedAssertion = TestOpenSamlObjects.encrypted(assertion(),
 TestSaml2X509Credentials.assertingPartyEncryptingCredential());
 response.getEncryptedAssertions().add(encryptedAssertion);
- TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- Saml2AuthenticationToken token = token(response, verifying(registration()));
+ Saml2AuthenticationToken token = token(signed(response), verifying(registration()));
 assertThatExceptionOfType(Saml2AuthenticationException.class)
 .isThrownBy(() -> this.provider.authenticate(token))
 .satisfies(errorOf(Saml2ErrorCodes.DECRYPTION_ERROR, "Failed to decrypt EncryptedData"));
@@ -363,9 +340,7 @@ public class OpenSaml4AuthenticationProviderTests {
 EncryptedAssertion encryptedAssertion = TestOpenSamlObjects.encrypted(assertion(),
 TestSaml2X509Credentials.assertingPartyEncryptingCredential());
 response.getEncryptedAssertions().add(encryptedAssertion);
- TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- Saml2AuthenticationToken token = token(response, registration()
+ Saml2AuthenticationToken token = token(signed(response), registration()
 .decryptionX509Credentials((c) -> c.add(TestSaml2X509Credentials.assertingPartyPrivateCredential())));
 assertThatExceptionOfType(Saml2AuthenticationException.class)
 .isThrownBy(() -> this.provider.authenticate(token))
@@ -378,9 +353,7 @@ public class OpenSaml4AuthenticationProviderTests {
 Assertion assertion = assertion();
 assertion.getSubject().getSubjectConfirmations()
 .forEach((sc) -> sc.getSubjectConfirmationData().setAddress("10.10.10.10"));
- TestOpenSamlObjects.signed(assertion, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- response.getAssertions().add(assertion);
+ response.getAssertions().add(signed(assertion));
 Saml2AuthenticationToken token = token(response, verifying(registration()));
 token.setDetails("some-details");
 Authentication authentication = this.provider.authenticate(token);
@@ -395,9 +368,7 @@ public class OpenSaml4AuthenticationProviderTests {
 EncryptedAssertion encryptedAssertion = TestOpenSamlObjects.encrypted(assertion,
 TestSaml2X509Credentials.assertingPartyEncryptingCredential());
 response.getEncryptedAssertions().add(encryptedAssertion);
- TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- Saml2AuthenticationToken token = token(response, decrypting(verifying(registration())));
+ Saml2AuthenticationToken token = token(signed(response), decrypting(verifying(registration())));
 Saml2Authentication authentication = (Saml2Authentication) this.provider.authenticate(token);
 // the following code will throw an exception if authentication isn't serializable
 ByteArrayOutputStream byteStream = new ByteArrayOutputStream(1024);
@@ -432,9 +403,7 @@ public class OpenSaml4AuthenticationProviderTests {
 OneTimeUse oneTimeUse = build(OneTimeUse.DEFAULT_ELEMENT_NAME);
 assertion.getConditions().getConditions().add(oneTimeUse);
 response.getAssertions().add(assertion);
- TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
- ASSERTING_PARTY_ENTITY_ID);
- Saml2AuthenticationToken token = token(response, verifying(registration()));
+ Saml2AuthenticationToken token = token(signed(response), verifying(registration()));
 // @formatter:off
 assertThatExceptionOfType(Saml2AuthenticationException.class)
 .isThrownBy(() -> provider.authenticate(token)).isInstanceOf(Saml2AuthenticationException.class)
@@ -456,9 +425,7 @@ public class OpenSaml4AuthenticationProviderTests {
 Response response = response();
 Assertion assertion = assertion();
 response.getAssertions().add(assertion);
- TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
- ASSERTING_PARTY_ENTITY_ID);
- Saml2AuthenticationToken token = token(response, verifying(registration()));
+ Saml2AuthenticationToken token = token(signed(response), verifying(registration()));
 given(validator.convert(any(OpenSaml4AuthenticationProvider.AssertionToken.class)))
 .willReturn(Saml2ResponseValidatorResult.success());
 provider.authenticate(token);
@@ -475,9 +442,7 @@ public class OpenSaml4AuthenticationProviderTests {
 RELYING_PARTY_ENTITY_ID); // broken
 // signature
 response.getAssertions().add(assertion);
- TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
- ASSERTING_PARTY_ENTITY_ID);
- Saml2AuthenticationToken token = token(response, verifying(registration()));
+ Saml2AuthenticationToken token = token(signed(response), verifying(registration()));
 // @formatter:off
 assertThatExceptionOfType(Saml2AuthenticationException.class)
 .isThrownBy(() -> provider.authenticate(token))
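Review bot: The replacements in the hunks at -432, -456 and -475 (and likewise at -496, -639 and -655) do more than remove duplication: the removed calls passed ASSERTING_PARTY_ENTITY_ID to TestOpenSamlObjects.signed, while the new `signed(...)` helper hard-codes RELYING_PARTY_ENTITY_ID, so the fixtures for these tests are silently signed under a different entity id than before. Whether that matters depends on what TestOpenSamlObjects.signed does with its third argument, which is not visible here; if it tags the credential or KeyInfo the verifier matches against, the signature-verification path these tests exercise has changed, and the broken-signature test at -475 in particular should be re-checked to confirm it still fails because of the assertion's broken signature and not for another reason. If the value is irrelevant to verification, a one-line comment on the helper saying so would settle it for future readers; otherwise add an overload `private <T extends SignableSAMLObject> T signed(T toSign, String entityId)` (assuming the helper's type bound is SignableSAMLObject, as the new import suggests) and keep the original argument at these call sites.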
@@ -496,9 +461,7 @@ public class OpenSaml4AuthenticationProviderTests {
 OpenSaml4AuthenticationProvider.createDefaultAssertionValidator((assertionToken) -> context));
 Response response = response();
 Assertion assertion = assertion();
- response.getAssertions().add(assertion);
- TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
- ASSERTING_PARTY_ENTITY_ID);
+ response.getAssertions().add(signed(assertion));
 Saml2AuthenticationToken token = token(response, verifying(registration()));
 // @formatter:off
 assertThatExceptionOfType(Saml2AuthenticationException.class)
@@ -570,13 +533,12 @@ public class OpenSaml4AuthenticationProviderTests {
 public void authenticateWhenCustomResponseElementsDecrypterThenDecryptsResponse() {
 Response response = response();
 Assertion assertion = assertion();
- TestOpenSamlObjects.signed(assertion, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
 response.getEncryptedAssertions().add(new EncryptedAssertionBuilder().buildObject());
 TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
 RELYING_PARTY_ENTITY_ID);
 Saml2AuthenticationToken token = token(response, verifying(registration()));
- this.provider.setResponseElementsDecrypter((tuple) -> tuple.getResponse().getAssertions().add(assertion));
+ this.provider
+ .setResponseElementsDecrypter((tuple) -> tuple.getResponse().getAssertions().add(signed(assertion)));
 Authentication authentication = this.provider.authenticate(token);
 assertThat(authentication.getName()).isEqualTo("test@saml.user");
 }
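Review bot: The hunk at -496 changes which object carries the signature, not just how it is produced: the removed lines added an unsigned assertion and signed the Response, while the new line signs the Assertion and leaves the Response unsigned. The rest of the suite uses both shapes, so the test probably still reaches the custom assertion-validator context it is checking, but a test that previously exercised the response-signature path now exercises the assertion-signature path, which is a different verification branch in the provider. If preserving the scenario was intended, `response.getAssertions().add(assertion);` followed by `Saml2AuthenticationToken token = token(signed(response), verifying(registration()));` keeps the signature on the Response. The enclosing test method starts before this hunk.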
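Review bot: In the hunk at -570 the Response is still signed inline with `TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(), RELYING_PARTY_ENTITY_ID);` although every other call with exactly these arguments was replaced by the helper; `Saml2AuthenticationToken token = token(signed(response), verifying(registration()));` would make this test read like the rest and drop the two-line call. Note also that the assertion is now signed inside the decrypter lambda, i.e. during authenticate() rather than during fixture setup; that is harmless here because the credential is the same, but a comment such as `// assertion is signed lazily, when the custom decrypter injects it` would keep the next reader from looking for a missing signature step.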
@@ -588,9 +550,7 @@ public class OpenSaml4AuthenticationProviderTests {
 EncryptedID id = new EncryptedIDBuilder().buildObject();
 id.setEncryptedData(new EncryptedDataBuilder().buildObject());
 assertion.getSubject().setEncryptedID(id);
- TestOpenSamlObjects.signed(assertion, TestSaml2X509Credentials.assertingPartySigningCredential(),
- RELYING_PARTY_ENTITY_ID);
- response.getAssertions().add(assertion);
+ response.getAssertions().add(signed(assertion));
 Saml2AuthenticationToken token = token(response, verifying(registration()));
 this.provider.setAssertionElementsDecrypter((tuple) -> {
 NameID name = new NameIDBuilder().buildObject();
@@ -639,9 +599,7 @@ public class OpenSaml4AuthenticationProviderTests {
 Response response = response();
 Assertion assertion = assertion();
 response.getAssertions().add(assertion);
- TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
- ASSERTING_PARTY_ENTITY_ID);
- Saml2AuthenticationToken token = token(response, verifying(registration()));
+ Saml2AuthenticationToken token = token(signed(response), verifying(registration()));
 given(validator.convert(any(OpenSaml4AuthenticationProvider.ResponseToken.class)))
 .willReturn(Saml2ResponseValidatorResult.success());
 provider.authenticate(token);
@@ -655,9 +613,7 @@ public class OpenSaml4AuthenticationProviderTests {
 Assertion assertion = assertion();
 assertion.setIssuer(TestOpenSamlObjects.issuer("https://invalid.idp.test/saml2/idp"));
 response.getAssertions().add(assertion);
- TestOpenSamlObjects.signed(response, TestSaml2X509Credentials.assertingPartySigningCredential(),
- ASSERTING_PARTY_ENTITY_ID);
- Saml2AuthenticationToken token = token(response, verifying(registration()));
+ Saml2AuthenticationToken token = token(signed(response), verifying(registration()));
 assertThatExceptionOfType(Saml2AuthenticationException.class).isThrownBy(() -> provider.authenticate(token))
 .withMessageContaining("did not match any valid issuers");
 }
@@ -716,6 +672,12 @@ public class OpenSaml4AuthenticationProviderTests {
 return assertion;
 }
 
+ private T signed(T toSign) {
+ TestOpenSamlObjects.signed(toSign, TestSaml2X509Credentials.assertingPartySigningCredential(),
+ RELYING_PARTY_ENTITY_ID);
+ return toSign;
+ }
+
 private List attributeStatements() {
 List attributeStatements = TestOpenSamlObjects.attributeStatements();
 AttributeBuilder attributeBuilder = new AttributeBuilder();
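Review bot: The new `signed` helper has no Javadoc, and because it fixes both the signing credential and the entity id, neither of which appears at the call sites any more, its contract is not obvious from `add(signed(assertion))`; suggest `/** Signs {@code toSign} in place with the asserting party's signing credential and {@code RELYING_PARTY_ENTITY_ID}; returns the same instance so it can be used inline. */`. It is worth stating "in place" explicitly, since every caller relies on the argument being mutated rather than copied. As rendered here the declaration reads `private T signed(T toSign)` with no type parameter, which would not compile; the added SignableSAMLObject import suggests a `<T extends SignableSAMLObject>` bound that the page rendering has probably stripped (the `List` declarations below lose their type arguments the same way), so this is likely a display artifact rather than a defect, but confirm it is present in the file.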