From fd4541be0ce3a5a2c5c173edfe4b07d76c31c451 Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Mon, 20 Mar 2023 13:58:58 -0600
Subject: [PATCH] Add AuthnRequstsSigned to OpenSaml implementations

Issue gh-12841
---
 .../OpenSamlRelyingPartyRegistration.java | 11 +++++---
 ...amlAuthenticationRequestResolverTests.java | 26 ++++++++-----------
 2 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/OpenSamlRelyingPartyRegistration.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/OpenSamlRelyingPartyRegistration.java
index ceb63ddd9d..67bfae52fc 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/OpenSamlRelyingPartyRegistration.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/OpenSamlRelyingPartyRegistration.java
@@ -37,8 +37,8 @@ public final class OpenSamlRelyingPartyRegistration extends RelyingPartyRegistra
 registration.getAssertionConsumerServiceLocation(), registration.getAssertionConsumerServiceBinding(),
 registration.getSingleLogoutServiceLocation(), registration.getSingleLogoutServiceResponseLocation(),
 registration.getSingleLogoutServiceBindings(), registration.getAssertingPartyDetails(),
-registration.getNameIdFormat(), registration.getDecryptionX509Credentials(),
-registration.getSigningX509Credentials());
+registration.getNameIdFormat(), registration.isAuthnRequestsSigned(),
+registration.getDecryptionX509Credentials(), registration.getSigningX509Credentials());
 }
 
 /**
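Review bot: No test in this patch pins that the copy made here keeps `authnRequestsSigned` — the test-file hunks only move an import and rewrap existing tests — so a later reordering of these positional `super(...)` arguments could drop the flag again without any failure, which is the very bug this commit fixes. `registration.isAuthnRequestsSigned()` is slotted between `getNameIdFormat()` and the two credential collections, and the compiler will only object if the neighbouring parameter types differ. Because this flag is what the SP advertises to the IdP about signed AuthnRequests, a silent regression would fall back to the default rather than fail loudly. A one-assertion test that builds a registration with `.authnRequestsSigned(true)`, converts it to the OpenSaml variant and asserts `isAuthnRequestsSigned()` is still true would close that gap. The constructor this call belongs to starts before the hunk.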
@@ -55,7 +55,7 @@ public final class OpenSamlRelyingPartyRegistration extends RelyingPartyRegistra
 .singleLogoutServiceLocation(getSingleLogoutServiceLocation())
 .singleLogoutServiceResponseLocation(getSingleLogoutServiceResponseLocation())
 .singleLogoutServiceBindings((c) -> c.addAll(getSingleLogoutServiceBindings()))
-.nameIdFormat(getNameIdFormat())
+.nameIdFormat(getNameIdFormat()).authnRequestsSigned(isAuthnRequestsSigned())
 .assertingPartyDetails((assertingParty) -> ((OpenSamlAssertingPartyDetails.Builder) assertingParty)
 .entityId(party.getEntityId()).wantAuthnRequestsSigned(party.getWantAuthnRequestsSigned())
 .signingAlgorithms((algorithms) -> algorithms.addAll(party.getSigningAlgorithms()))
@@ -152,6 +152,11 @@ public final class OpenSamlRelyingPartyRegistration extends RelyingPartyRegistra
 return (Builder) super.nameIdFormat(nameIdFormat);
 }
 
+@Override
+public Builder authnRequestsSigned(Boolean authnRequestsSigned) {
+return (Builder) super.authnRequestsSigned(authnRequestsSigned);
+}
+
 @Override
 public Builder assertingPartyDetails(Consumer assertingPartyDetails) {
 return (Builder) super.assertingPartyDetails(assertingPartyDetails);
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolverTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolverTests.java
index e93f82df95..35c3692e69 100644
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolverTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolverTests.java
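Review bot: `.authnRequestsSigned(isAuthnRequestsSigned())` is appended to the `.nameIdFormat(getNameIdFormat())` line, while every other step of this builder chain sits on its own line; giving it its own line, `.nameIdFormat(getNameIdFormat())` followed by `.authnRequestsSigned(isAuthnRequestsSigned())`, keeps future diffs to the chain one-step-per-line like the rest. Note also that the setter invoked here takes a boxed `Boolean` (see the override added in the next hunk) while the getter is named `isAuthnRequestsSigned()`; if that getter returns a primitive, a registration whose flag was never set round-trips through this builder as an explicit `false` — presumably harmless, but worth confirming against RelyingPartyRegistration, which is not in this patch. The chain begins and ends outside the hunk.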
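Review bot: The new `authnRequestsSigned` override takes a boxed `Boolean`, so `null` is a legal argument, and nothing visible here says whether `null` leaves the inherited default or clears a previously set value — the method simply forwards to `super.authnRequestsSigned(...)` and narrows the return type to `Builder`. Like its sibling overrides it carries no Javadoc; a one-liner such as `/** Narrows the return type of {@code RelyingPartyRegistration.Builder#authnRequestsSigned}; see there for {@code null} handling. */` would make that explicit without asserting semantics this class does not own. Given that this flag drives what the SP declares about request signing, the `null` path is also worth a test once the superclass behavior is confirmed. The enclosing Builder class continues beyond the hunk.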
@@ -16,6 +16,8 @@
 
 package org.springframework.security.saml2.provider.service.web.authentication;
 
+import java.util.stream.Stream;
+
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -35,8 +37,6 @@ import org.springframework.security.saml2.provider.service.registration.TestRely
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers;
 import org.springframework.security.saml2.provider.service.web.RelyingPartyRegistrationPlaceholderResolvers.UriResolver;
 
-import java.util.stream.Stream;
-
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 
@@ -54,13 +54,13 @@ public class OpenSamlAuthenticationRequestResolverTests {
 
 @ParameterizedTest
 @MethodSource("provideSignRequestFlags")
-public void resolveAuthenticationRequestWhenSignedRedirectThenSignsAndRedirects(boolean wantAuthRequestsSigned, boolean authnRequestsSigned) {
+public void resolveAuthenticationRequestWhenSignedRedirectThenSignsAndRedirects(boolean wantAuthRequestsSigned,
+boolean authnRequestsSigned) {
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setPathInfo("/saml2/authenticate/registration-id");
 RelyingPartyRegistration registration = this.relyingPartyRegistrationBuilder
 .authnRequestsSigned(authnRequestsSigned)
-.assertingPartyDetails(party -> party.wantAuthnRequestsSigned(wantAuthRequestsSigned))
-.build();
+.assertingPartyDetails((party) -> party.wantAuthnRequestsSigned(wantAuthRequestsSigned)).build();
 OpenSamlAuthenticationRequestResolver resolver = authenticationRequestResolver(registration);
 Saml2RedirectAuthenticationRequest result = resolver.resolve(request, (r, authnRequest) -> {
 UriResolver uriResolver = RelyingPartyRegistrationPlaceholderResolvers.uriResolver(request, registration);
@@ -122,10 +122,9 @@ public class OpenSamlAuthenticationRequestResolverTests {
 public void resolveAuthenticationRequestWhenUnsignedPostThenOnlyPosts() {
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setPathInfo("/saml2/authenticate/registration-id");
-RelyingPartyRegistration registration = this.relyingPartyRegistrationBuilder
-.assertingPartyDetails((party) -> party.singleSignOnServiceBinding(Saml2MessageBinding.POST).wantAuthnRequestsSigned(false))
-.authnRequestsSigned(false)
-.build();
+RelyingPartyRegistration registration = this.relyingPartyRegistrationBuilder.assertingPartyDetails(
+(party) -> party.singleSignOnServiceBinding(Saml2MessageBinding.POST).wantAuthnRequestsSigned(false))
+.authnRequestsSigned(false).build();
 OpenSamlAuthenticationRequestResolver resolver = authenticationRequestResolver(registration);
 Saml2PostAuthenticationRequest result = resolver.resolve(request, (r, authnRequest) -> {
 UriResolver uriResolver = RelyingPartyRegistrationPlaceholderResolvers.uriResolver(request, registration);
@@ -146,7 +145,8 @@ public class OpenSamlAuthenticationRequestResolverTests {
 
 @ParameterizedTest
 @MethodSource("provideSignRequestFlags")
-public void resolveAuthenticationRequestWhenSignedPostThenSignsAndPosts(boolean wantAuthRequestsSigned, boolean authnRequestsSigned) {
+public void resolveAuthenticationRequestWhenSignedPostThenSignsAndPosts(boolean wantAuthRequestsSigned,
+boolean authnRequestsSigned) {
 MockHttpServletRequest request = new MockHttpServletRequest();
 request.setPathInfo("/saml2/authenticate/registration-id");
 RelyingPartyRegistration registration = this.relyingPartyRegistrationBuilder
@@ -195,11 +195,7 @@ public class OpenSamlAuthenticationRequestResolverTests {
 }
 
 private static Stream provideSignRequestFlags() {
-return Stream.of(
-Arguments.of(true, true),
-Arguments.of(true, false),
-Arguments.of(false, true)
-);
+return Stream.of(Arguments.of(true, true), Arguments.of(true, false), Arguments.of(false, true));
 }
 
 }