From cca35bdd93514996c9434c0b652e4342d3aeb2ab Mon Sep 17 00:00:00 2001
From: Marcus Da Coregio
Date: Mon, 13 Dec 2021 16:33:23 -0300
Subject: [PATCH] Make Saml2AuthenticationRequests serializable

Closes gh-10550
---
 .../AbstractSaml2AuthenticationRequest.java | 8 ++-
 .../Saml2PostAuthenticationRequestTests.java | 56 +++++++++++++++++++
 ...ml2RedirectAuthenticationRequestTests.java | 56 +++++++++++++++++++
 3 files changed, 118 insertions(+), 2 deletions(-)
 create mode 100644 saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/Saml2PostAuthenticationRequestTests.java
 create mode 100644 saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/Saml2RedirectAuthenticationRequestTests.java

diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/AbstractSaml2AuthenticationRequest.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/AbstractSaml2AuthenticationRequest.java
index 028ecd6bae..cb2df00a8a 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/AbstractSaml2AuthenticationRequest.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/AbstractSaml2AuthenticationRequest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,8 +16,10 @@
 package org.springframework.security.saml2.provider.service.authentication;
+import java.io.Serializable;
 import java.nio.charset.Charset;
+import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 import org.springframework.util.Assert;
@@ -34,7 +36,9 @@ import org.springframework.util.Assert;
  * @see Saml2AuthenticationRequestFactory#createPostAuthenticationRequest(Saml2AuthenticationRequestContext)
  * @see Saml2AuthenticationRequestFactory#createRedirectAuthenticationRequest(Saml2AuthenticationRequestContext)
  */
-public abstract class AbstractSaml2AuthenticationRequest {
+public abstract class AbstractSaml2AuthenticationRequest implements Serializable {
+
+ private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 private final String samlRequest;
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/Saml2PostAuthenticationRequestTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/Saml2PostAuthenticationRequestTests.java
new file mode 100644
index 0000000000..748bfcdc66
--- /dev/null
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/Saml2PostAuthenticationRequestTests.java
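Review bot: The `serialVersionUID` added here protects only the abstract parent, while the diffstat shows the concrete `Saml2PostAuthenticationRequest` and `Saml2RedirectAuthenticationRequest` are not touched, so they become Serializable by inheritance with a stream UID the JVM computes from their own structure, and a later change to either class is likely to make authentication requests already persisted in a session store fail to deserialize after an upgrade. Each subclass should declare `private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;` exactly as this hunk does for the parent. Because the object now goes through JDK serialization into whatever session store the application configures, the class Javadoc (which ends just above the changed declaration) should say so, e.g. `* <p>Serializable so that it can be stored in an {@code HttpSession} that may be persisted or replicated.`, so that any field added later is kept to a serializable type. The class body continues beyond the end of this hunk.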
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.authentication;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.util.SerializationUtils;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class Saml2PostAuthenticationRequestTests {
+
+ private static final String IDP_SSO_URL = "https://sso-url.example.com/IDP/SSO";
+
+ @Test
+ void serializeWhenDeserializeThenSameFields() {
+ Saml2PostAuthenticationRequest authenticationRequest = getAuthenticationRequestBuilder().build();
+ byte[] bytes = SerializationUtils.serialize(authenticationRequest);
+ Saml2PostAuthenticationRequest deserializedAuthenticationRequest = (Saml2PostAuthenticationRequest) SerializationUtils
+ .deserialize(bytes);
+ assertThat(deserializedAuthenticationRequest).usingRecursiveComparison().isEqualTo(authenticationRequest);
+ }
+
+ @Test
+ void serializeWhenDeserializeAndCompareToOtherThenNotSame() {
+ Saml2PostAuthenticationRequest authenticationRequest = getAuthenticationRequestBuilder().build();
+ Saml2PostAuthenticationRequest otherAuthenticationRequest = getAuthenticationRequestBuilder()
+ .relayState("relay").build();
+ byte[] bytes = SerializationUtils.serialize(otherAuthenticationRequest);
+ Saml2PostAuthenticationRequest deserializedAuthenticationRequest = (Saml2PostAuthenticationRequest) SerializationUtils
+ .deserialize(bytes);
+ assertThat(deserializedAuthenticationRequest).usingRecursiveComparison().isNotEqualTo(authenticationRequest);
+ }
+
+ private Saml2PostAuthenticationRequest.Builder getAuthenticationRequestBuilder() {
+ return Saml2PostAuthenticationRequest
+ .withAuthenticationRequestContext(
+ TestSaml2AuthenticationRequestContexts.authenticationRequestContext().build())
+ .samlRequest("request").authenticationRequestUri(IDP_SSO_URL);
+ }
+
+}
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/Saml2RedirectAuthenticationRequestTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/Saml2RedirectAuthenticationRequestTests.java
new file mode 100644
index 0000000000..e2878455d8
--- /dev/null
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/Saml2RedirectAuthenticationRequestTests.java
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.authentication;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.util.SerializationUtils;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class Saml2RedirectAuthenticationRequestTests {
+
+ private static final String IDP_SSO_URL = "https://sso-url.example.com/IDP/SSO";
+
+ @Test
+ void serializeWhenDeserializeThenSameFields() {
+ Saml2RedirectAuthenticationRequest authenticationRequest = getAuthenticationRequestBuilder().build();
+ byte[] bytes = SerializationUtils.serialize(authenticationRequest);
+ Saml2RedirectAuthenticationRequest deserializedAuthenticationRequest = (Saml2RedirectAuthenticationRequest) SerializationUtils
+ .deserialize(bytes);
+ assertThat(deserializedAuthenticationRequest).usingRecursiveComparison().isEqualTo(authenticationRequest);
+ }
+
+ @Test
+ void serializeWhenDeserializeAndCompareToOtherThenNotSame() {
+ Saml2RedirectAuthenticationRequest authenticationRequest = getAuthenticationRequestBuilder().build();
+ Saml2RedirectAuthenticationRequest otherAuthenticationRequest = getAuthenticationRequestBuilder()
+ .relayState("relay").build();
+ byte[] bytes = SerializationUtils.serialize(otherAuthenticationRequest);
+ Saml2RedirectAuthenticationRequest deserializedAuthenticationRequest = (Saml2RedirectAuthenticationRequest) SerializationUtils
+ .deserialize(bytes);
+ assertThat(deserializedAuthenticationRequest).usingRecursiveComparison().isNotEqualTo(authenticationRequest);
+ }
+
+ private Saml2RedirectAuthenticationRequest.Builder getAuthenticationRequestBuilder() {
+ return Saml2RedirectAuthenticationRequest
+ .withAuthenticationRequestContext(
+ TestSaml2AuthenticationRequestContexts.authenticationRequestContext().build())
+ .samlRequest("request").authenticationRequestUri(IDP_SSO_URL);
+ }
+
+}
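Review bot: Neither test populates anything specific to the redirect binding — `getAuthenticationRequestBuilder()` sets only `samlRequest` and `authenticationRequestUri`, and the negative test adds `relayState` — so whatever fields make `Saml2RedirectAuthenticationRequest` differ from the POST variant round-trip as null on both sides, and the recursive comparison would not notice if one of them were lost (for example by a later `transient` marking on the subclass). If the builder exposes the detached-signature parameters used by the redirect binding (`sigAlg(...)` and `signature(...)`, as I recall — please confirm against the class, which is outside this patch), set them in the shared builder, e.g. `.samlRequest("request").sigAlg("rsa-sha256").signature("signature").authenticationRequestUri(IDP_SSO_URL)`, so the positive round-trip covers every field the type carries. As written this file is the POST test with the type name substituted, which is fine in itself, but that copy is exactly why the redirect-only fields are easy to leave untested.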