From fd6aecf8da0d0cf764a59972f0421e56467749db Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Mon, 20 Mar 2023 13:58:09 -0600
Subject: [PATCH] Polish AuthnRequestsSigned support

Issue gh-12604
---
 .../RelyingPartyRegistration.java | 34 +++++++++++++------
 ...OpenSamlAuthenticationRequestResolver.java | 6 ++--
 .../RelyingPartyRegistrationTests.java | 3 +-
 3 files changed, 29 insertions(+), 14 deletions(-)

diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java
index 74ba53c940..05632bf0ea 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistration.java
@@ -148,7 +148,7 @@ public class RelyingPartyRegistration {
 .singleLogoutServiceLocation(this.singleLogoutServiceLocation)
 .singleLogoutServiceResponseLocation(this.singleLogoutServiceResponseLocation)
 .singleLogoutServiceBindings((c) -> c.addAll(this.singleLogoutServiceBindings))
- .nameIdFormat(this.nameIdFormat)
+ .nameIdFormat(this.nameIdFormat).authnRequestsSigned(this.authnRequestsSigned)
 .assertingPartyDetails((assertingParty) -> assertingParty.entityId(party.getEntityId())
 .wantAuthnRequestsSigned(party.getWantAuthnRequestsSigned())
 .signingAlgorithms((algorithms) -> algorithms.addAll(party.getSigningAlgorithms()))
@@ -285,12 +285,20 @@ public class RelyingPartyRegistration {
 }
 
 /**
- * Get the WantAuthnRequestsSigned setting
- * @return the WantAuthnRequestsSigned setting
- * @since 6.0
+ * Get the
+ * AuthnRequestsSigned setting. If {@code true}, the relying party will sign all
+ * AuthnRequests, regardless of asserting party preference.
+ *
+ *

+ * Note that Spring Security will sign the request if either
+ * {@link #isAuthnRequestsSigned()} is {@code true} or
+ * {@link AssertingPartyDetails#getWantAuthnRequestsSigned()} is {@code true}.
+ * @return the relying-party preference
+ * @since 6.1
 */
 public boolean isAuthnRequestsSigned() {
- return authnRequestsSigned;
+ return this.authnRequestsSigned;
 }
 
 /**
@@ -368,8 +376,7 @@ public class RelyingPartyRegistration {
 .singleLogoutServiceLocation(registration.getSingleLogoutServiceLocation())
 .singleLogoutServiceResponseLocation(registration.getSingleLogoutServiceResponseLocation())
 .singleLogoutServiceBindings((c) -> c.addAll(registration.getSingleLogoutServiceBindings()))
- .nameIdFormat(registration.getNameIdFormat())
- .authnRequestsSigned(registration.isAuthnRequestsSigned())
+ .nameIdFormat(registration.getNameIdFormat()).authnRequestsSigned(registration.isAuthnRequestsSigned())
 .assertingPartyDetails((assertingParty) -> assertingParty
 .entityId(registration.getAssertingPartyDetails().getEntityId())
 .wantAuthnRequestsSigned(registration.getAssertingPartyDetails().getWantAuthnRequestsSigned())
@@ -990,10 +997,17 @@ public class RelyingPartyRegistration {
 }
 
 /**
- * Set the AuthnRequestsSigned setting
- * @param authnRequestsSigned
+ * Set the
+ * AuthnRequestsSigned setting. If {@code true}, the relying party will sign
+ * all AuthnRequests, 301 asserting party preference.
+ *
+ *
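Review bot: The `@return the relying-party preference` tag on `isAuthnRequestsSigned()` does not say what the boolean means, which is the one thing a caller reads the tag for. I would make it `@return {@code true} if this relying party signs every AuthnRequest it produces, irrespective of {@link AssertingPartyDetails#getWantAuthnRequestsSigned()}`. The sentence split across `Get the` / `AuthnRequestsSigned setting.` looks like a link element dropped in extraction rather than a defect in the source; if it is real, join the two lines so the summary sentence reads as one.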

+ * Note that Spring Security will sign the request if either
+ * {@link #isAuthnRequestsSigned()} is {@code true} or
+ * {@link AssertingPartyDetails#getWantAuthnRequestsSigned()} is {@code true}.
 * @return the {@link Builder} for further configuration
- * @since 6.0
+ * @since 6.1
 */
 public Builder authnRequestsSigned(Boolean authnRequestsSigned) {
 this.authnRequestsSigned = authnRequestsSigned;
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolver.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolver.java
index 0be80c5517..0df5002047 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolver.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/web/authentication/OpenSamlAuthenticationRequestResolver.java
@@ -142,7 +142,8 @@ class OpenSamlAuthenticationRequestResolver {
 String relayState = this.relayStateResolver.convert(request);
 Saml2MessageBinding binding = registration.getAssertingPartyDetails().getSingleSignOnServiceBinding();
 if (binding == Saml2MessageBinding.POST) {
- if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned() || registration.isAuthnRequestsSigned()) {
+ if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()
+ || registration.isAuthnRequestsSigned()) {
 OpenSamlSigningUtils.sign(authnRequest, registration);
 }
 String xml = serialize(authnRequest);
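Review bot: `Builder.authnRequestsSigned(Boolean authnRequestsSigned)` takes a boxed value while `isAuthnRequestsSigned()` returns a primitive `boolean`, so a `null` argument ends in a NullPointerException at whichever unboxing point comes first rather than a clear configuration error; where that is depends on the builder field's type, which is outside the hunk. Either change the parameter to `boolean authnRequestsSigned`, or keep the boxed parameter and reject null up front with a null check (Spring's `Assert.notNull`, if this file already imports it) and say so in the Javadoc with `@param authnRequestsSigned whether this relying party signs every AuthnRequest; must not be {@code null}`. The Javadoc line `all AuthnRequests, 301 asserting party preference.` reads as garbled next to the getter's `regardless of asserting party preference.`; if the `301` is really in the source and not an extraction artifact, make the two descriptions match. The method's closing brace is outside the hunk.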
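Review bot: The POST branch now signs whenever `isAuthnRequestsSigned()` is true even when the asserting party did not ask for it, so a registration configured with `authnRequestsSigned(true)` but without a signing credential reaches `OpenSamlSigningUtils.sign(authnRequest, registration)` with nothing to sign with. That helper is outside the hunk; it needs to fail with an explicit error rather than emit an unsigned request, because a silently unsigned AuthnRequest defeats exactly the policy the new flag expresses. A comment above the condition, `// authnRequestsSigned=true is relying-party policy: signing must not be skipped when credentials are missing`, would record that intent for whoever next touches the branch. If the relying party's published SP metadata advertises `AuthnRequestsSigned`, it should be derived from this same flag so the asserting party's expectation matches what is actually sent. The enclosing method starts before the hunk.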
@@ -156,7 +157,8 @@ class OpenSamlAuthenticationRequestResolver {
 Saml2RedirectAuthenticationRequest.Builder builder = Saml2RedirectAuthenticationRequest
 .withRelyingPartyRegistration(registration).samlRequest(deflatedAndEncoded).relayState(relayState)
 .id(authnRequest.getID());
- if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned() || registration.isAuthnRequestsSigned()) {
+ if (registration.getAssertingPartyDetails().getWantAuthnRequestsSigned()
+ || registration.isAuthnRequestsSigned()) {
 Map parameters = OpenSamlSigningUtils.sign(registration)
 .param(Saml2ParameterNames.SAML_REQUEST, deflatedAndEncoded)
 .param(Saml2ParameterNames.RELAY_STATE, relayState).parameters();
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistrationTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistrationTests.java
index 734e947e44..a526fda949 100644
--- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistrationTests.java
+++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistrationTests.java
@@ -29,8 +29,7 @@ public class RelyingPartyRegistrationTests {
 @Test
 public void withRelyingPartyRegistrationWorks() {
 RelyingPartyRegistration registration = TestRelyingPartyRegistrations.relyingPartyRegistration()
- .nameIdFormat("format")
- .authnRequestsSigned(true)
+ .nameIdFormat("format").authnRequestsSigned(true)
 .assertingPartyDetails((a) -> a.singleSignOnServiceBinding(Saml2MessageBinding.POST))
 .assertingPartyDetails((a) -> a.wantAuthnRequestsSigned(false))
 .assertingPartyDetails((a) -> a.signingAlgorithms((algs) -> algs.add("alg")))
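Review bot: The signing predicate `registration.getAssertingPartyDetails().getWantAuthnRequestsSigned() || registration.isAuthnRequestsSigned()` is now written out twice, once in the POST branch of the previous hunk and again here for the redirect binding, and the two copies must stay identical because they decide whether a request leaves unsigned. I would move it into one private helper and call `if (shouldSign(registration)) {` from both branches: `private boolean shouldSign(RelyingPartyRegistration registration) {` / `return registration.getAssertingPartyDetails().getWantAuthnRequestsSigned() || registration.isAuthnRequestsSigned();` / `}`. A one-line Javadoc on the helper, `Signs when either the asserting party requests it or this relying party's own policy requires it`, would then document the rule in one place instead of at each call site. The enclosing method starts before the previous hunk and ends after this one.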
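Review bot: The test configures `authnRequestsSigned(true)` together with `wantAuthnRequestsSigned(false)`, which is the right combination to prove the relying-party flag survives `withRelyingPartyRegistration`, but the assertion that reads the copied value lies outside the hunk and the patch adds no test for the resolver side of the change. Unless `OpenSamlAuthenticationRequestResolverTests` already covers it, add a case that builds a registration with `authnRequestsSigned(true)` and `wantAuthnRequestsSigned(false)` for both the POST and redirect bindings and asserts the resolved request carries a signature, since that is the behaviour the new `||` conditions introduce. The test method's body continues past the end of the hunk.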