[7.x] Refactor SamlAuthenticatorTests (#51089) (#57105)

- Use opensaml to sign and encrypt responses/assertions/attributes
instead of doing this manually
- Use opensaml to build response and assertion objects instead of
parsing xml strings
- Always use different keys for signing and encryption. Due to FIPS
140 requirements, BouncyCastle FIPS provider will block
RSA keys that have been used for signing from being used for
encryption and vice versa. This change adds new encryption-specific
keys to be used throughout the tests.
This commit is contained in:
Ioannis Kakavas 2020-05-25 14:09:42 +03:00 committed by GitHub
parent 6c832fe4e3
commit 174af2bb1a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 659 additions and 1539 deletions


@ -230,7 +230,7 @@ class SamlAuthenticator extends SamlRequestHandler {
private List<Attribute> processAssertion(Assertion assertion, boolean requireSignature, Collection<String> allowedSamlRequestIds) {
if (logger.isTraceEnabled()) {
logger.trace("(Possibly decrypted) Assertion: {}", SamlUtils.getXmlContent(assertion));
logger.trace("(Possibly decrypted) Assertion: {}", SamlUtils.getXmlContent(assertion, true));
logger.trace(SamlUtils.describeSamlObject(assertion));
}
// Do not further process unsigned Assertions
@ -253,7 +253,7 @@ class SamlAuthenticator extends SamlRequestHandler {
for (EncryptedAttribute enc : statement.getEncryptedAttributes()) {
final Attribute attribute = decrypt(enc);
if (attribute != null) {
logger.trace("Successfully decrypted attribute: {}" + SamlUtils.getXmlContent(attribute));
logger.trace("Successfully decrypted attribute: {}" + SamlUtils.getXmlContent(attribute, true));
attributes.add(attribute);
}
}
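Review bot: The trace call on the new line `logger.trace("Successfully decrypted attribute: {}" + SamlUtils.getXmlContent(attribute, true));` concatenates the XML onto the format string instead of passing it as an argument, so the `{}` placeholder is printed literally and, unlike the assertion trace earlier in this section, the just-decrypted attribute is marshalled on every request even when trace logging is off. The commit touched this line but kept the defect. Suggested replacement: `if (logger.isTraceEnabled()) { logger.trace("Successfully decrypted attribute: {}", SamlUtils.getXmlContent(attribute, true)); }`. The enclosing `processAssertion` method starts in the first hunk and continues past the end of this section.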


@ -656,7 +656,7 @@ public final class SamlRealm extends Realm implements Releasable {
.forceAuthn(forceAuthn)
.build();
if (logger.isTraceEnabled()) {
logger.trace("Constructed SAML Authentication Request: {}", SamlUtils.getXmlContent(authnRequest));
logger.trace("Constructed SAML Authentication Request: {}", SamlUtils.getXmlContent(authnRequest, true));
}
return authnRequest;
}
@ -672,7 +672,7 @@ public final class SamlRealm extends Realm implements Releasable {
final LogoutRequest logoutRequest = new SamlLogoutRequestMessageBuilder(
Clock.systemUTC(), serviceProvider, idpDescriptor.get(), nameId, session).build();
if (logoutRequest != null && logger.isTraceEnabled()) {
logger.trace("Constructed SAML Logout Request: {}", SamlUtils.getXmlContent(logoutRequest));
logger.trace("Constructed SAML Logout Request: {}", SamlUtils.getXmlContent(logoutRequest, true));
}
return logoutRequest;
} else {
@ -688,7 +688,7 @@ public final class SamlRealm extends Realm implements Releasable {
final LogoutResponse logoutResponse = new SamlLogoutResponseBuilder(
Clock.systemUTC(), serviceProvider, idpDescriptor.get(), inResponseTo, StatusCode.SUCCESS).build();
if (logoutResponse != null && logger.isTraceEnabled()) {
logger.trace("Constructed SAML Logout Response: {}", SamlUtils.getXmlContent(logoutResponse));
logger.trace("Constructed SAML Logout Response: {}", SamlUtils.getXmlContent(logoutResponse, true));
}
return logoutResponse;
}
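Review bot: Every call site in this section now passes the bare literal `true` as the second argument, e.g. `SamlUtils.getXmlContent(authnRequest, true)`, which tells a reader nothing about what the flag controls; a named constant such as `private static final boolean PRETTY_PRINT = true;` or a one-argument convenience overload would keep the trace statements self-describing. The three statements are all trace-level logs of outbound SAML messages, and the logout request is built from `nameId` and `session`, so keeping them behind the existing `isTraceEnabled()` guards is the right choice. The enclosing methods start and end outside the hunks shown.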


@ -162,9 +162,9 @@ public class SamlUtils {
serializer.transform(new DOMSource(element), new StreamResult(writer));
}
static String getXmlContent(SAMLObject object) {
static String getXmlContent(SAMLObject object, boolean pretty) {
try {
return toString(XMLObjectSupport.marshall(object), false);
return toString(XMLObjectSupport.marshall(object), pretty);
} catch (MarshallingException e) {
LOGGER.info("Error marshalling SAMLObject ", e);
return SAML_MARSHALLING_ERROR_STRING;
@ -202,7 +202,7 @@ public class SamlUtils {
sb.append("]");
return sb.toString();
}
return getXmlContent(object);
return getXmlContent(object, true);
}
@SuppressForbidden(reason = "This is the only allowed way to construct a Transformer")
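Review bot: `getXmlContent(SAMLObject object, boolean pretty)` gains a parameter but still has no Javadoc, and the contract worth recording is that it never throws: a `MarshallingException` is logged at INFO and `SAML_MARSHALLING_ERROR_STRING` is returned, so a caller can only tell a serialisation failure from real content by comparing against that sentinel. Suggested Javadoc: `/** Serialises a SAML object for diagnostic logging. With pretty=true the output is indented, which inserts whitespace that is not in the original document, so the result is for logging only and must not be re-parsed for signature validation. Never throws: on MarshallingException the error is logged at INFO and SAML_MARSHALLING_ERROR_STRING is returned. */`. The `describeSamlObject` fallback in the second hunk inherits the same behaviour and would benefit from a one-line pointer to it. Both methods continue outside the hunks shown.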


@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----


@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDKBjyGdzvQOfph
FyM2YwNbgaBXC6qig8o+b+A1sEUgtL1pjMDE2RdZL5lsC/h5AVg30KBSqnVMAIb0
TazSF8Ql9LultHTpbkSR9F4Jik9UTpa4tUSCk1POjfnN8qhDV1ntldb3emoqY0Bi
8ziw6XInL1VxiIaqRG91aeWceHdxOCcZbBwNrOKtm7v7YSnK/TePHHF75o7/j4NF
b+YoMek2Vkxjc2CQAu+iLdZuP/mwkuB7UYB6viY6Jx90pjYQv46hqbP/o//DF/xB
NCkl65FTMZLQWf80xIdBXzqoQF2VHo8iC2ajPorTVLVPNg70k/WkxZK3s3hnBHXV
V4Z1YmLiE70BP4jCxD7cxtGzx1H+INi4R9tfrC6DsQvYJXYQr3hsXrpPIxTrmV9J
uRvrvEJZMKs9p5bAb+hSrAQPgSY9aj1jHcAY0nVDdsySEfWZG4dm89+Lb02olzqu
s9ZXte0pp4rH55kWcU97gH+NGptPacE8HC7x6mU87jwh8imopJwNDUJJJvrkhF5o
xvKr1UYcL/rIS9tnlInPutFSK0wzxBZCtlAHReME6veKpVJCnEoPc6rI3m805oEj
tJ8wnPpqlPW2nvd91SBuxqVqMduEqvsPzjS55aAg+rQyAAJJ54/0BL/K2CwCEc8M
Wh9GuCk5+TvPTXQY6qsttErXJCso3QIDAQABAoICAHTzZUhmb+7cEXDxRwYuDXyE
rwCVFWPdLVA1zbLm5y3G07vtqo6KKjUMFCHzUBUkzSAKmzUfzqV/zKBS8w/wiDF8
2sBTljaoCfQAZgvZ0JC6qhAlh5KbnTF/CTTLG9NYFwwt6PL9H8aIDHb73D619cpv
YWRHJ8YbtfZfpneNWX/mhOP3rMnR4quj8w/UMLB9JBOp4JxcXT3eo5yn6bItKpe1
H6WW3jigKn9VT8QlLvOkI2XgSaNEvrZ9fX021yec7QHzTutX0jDrirFoc8Wq+EcT
9Ky+3Ll8Z9xVN4y9Li+sMCoCNZmdFBrA9/DyF3hIyzRm18eWksX4VAp8D6+WlCzK
6lv8WB+awof30by7//yPAjuIbaYuzNZnlXHLxHwuKKVc2aLaoGRi2hsrhadnqJH0
MUN36tzv0Eq/IowBuPg29yZfa2aVKlb1Vm+8EHhRHVzeP4ZMG+P1ibXBYWQ78nXL
/BClerYRXd491eJlsNUcvxMaWN9KW7Y9Cf7yxKwLm1eGcggfOd29XHWJ3S03wlTb
uNbJw2EzauXo3ksDd9t/PMKSpJD7Cz6Dm0ABi8gjw8hIykr8Al7eujlGiDEyNWF+
+uRMCOvU2rmKp/fthenDEV/YCL9IbwM7IPa4AeVLt6mFkuk4cEAv4pQ1i+NcnkKv
b+wAecw2cGHIY+vtLqIBAoIBAQDoILukVgXl7oMcGeUOtFnY8WW5V9xay4Oe6BRL
+VJpjF0UP1jgoht8JYiLoVbkj86AH2Gf7hK7TtmI+WUcut1L/Ck0mPB3pPRNfpEl
9LtUnGPE4TKz54ic/EZGApi1MWOwgEjPDXqIo2de5ydONYLvhaqe2OMQKpXfqO9m
AlPbfjKajFFd4Aqq//ZoSHT0lLzsrBTIH82oQ6l52CN+NhO2EfUT3aBiCKmPBWua
JfOj4FQIHYxVL4MRJ2uRZ5k75LmNx7Sqq82hnmJcWuC8KY5CaW90+xRC/N7tcr9k
G8DZDqfHhDfPYLidICr1kJt9UxjuGA8JGjf2CbaxA+Ci2CxdAoIBAQDezPa6WfnQ
bthHIY2l+whSaUCFv0zLLp3gOK/gAO43vxU9MbRW+uE0Uc9WNzoESwBWQRWE1S/q
4gwhz8VcY84UJqv9ZcM1xP4XGMjB81Px8X8/uaGhLtWB3hU5C7vxol66tgLmuZBQ
21CjvlvGNV88R/HPTpxsgVLcc6HFXqZertU7y2NQk/jRw1GDX8l28IooU1VcN6Fo
UNsUXPYCwXnTPip0yorl9Osv1MIMb7MaJuOqh9VGQWjNe2dV+FH6CYAeVBAJg/+f
cmCypJ1NJIk+psEBKEUFWPK5pNeKd5aMQUfwd9959MYvhWNrbP+jytTYFSjcKV8u
xzW7CCdG0yaBAoIBAQCXvXYL+jPG18CbKQ5EK38kQsEFhLrGG42B3iIOe//0gU4D
Q1m9Fhszb3GwHRqpNJx/woPVwRI7oVKwqJ8BReINntvsxyFChPEyi08k6bNfnw/V
DoVPd0YloP/rGh1rLMsHAQUXXK9CDNcxAZf/Fxntq4oaZpsf4Uaxu0QrgdABhqBb
yOgTnrY6jDIuf1b83xIVAHRhUfDlUr3BqZmiEoWWGm0DvHfwPcthc+CgFrkK4kTs
PSyULwfVudgmZ/uSXHUzil2+x6oXQWr5BmssdVnKbhPu+4aGN7kerUkRjtbkzSC+
Wt8E0Cw+gl2ywwHxzdVZJx8FCz+TtUvYsTkyGm/9AoIBAQCGvYnQ9S0hIoflrKMP
aBuGS2Tb/e8hSZXszht+6tEmIYdktLSNjbe4fmlXiJqrkfgoMcAjzxHliMMxh4eh
8jHk+eY1nt9Jm1LXAQQYV2HDBfugvFDFO5+fpIFNOI12+m0zmXNzuXFPlPLVs/+o
hQqNWC0i5DWxYRyNedixliYjSLRoLv5m8rYdlXOscbdTGPFUpeEPng0dGxkC3Z1h
2UQlvojKjNsnatD44kBgaQT1oeM5dGBE1rXc3u6FjWF2R1yV+tygBJYJBZD5OJhw
2NGvdAVw/7uOGlbgcpJviRcgxzIMeVJLXP6mKpMPmqGXmsjRzSoiy1pm3c7ex3WJ
XZUBAoIBAQCuQ7d9JPJiQRuoGFxkiPNQCYaFVwBo7O/dy2dOIDTOWxPjB2+Rpac/
A95kMWSqGsih15aHRoEwl3wnHHRWz1lhNy9dEDy9hd7FbDF6MSYJ6epLSJfNHw0Y
tfkvQEcy96vWxKlTsreU+F8hTmBIaJ+3QhNNavchiLxVtyM2g2f6K0ECZ05dzZaR
bLrxJeUwM86OBKyQf1aLzYPbal8JA1v/FsN4Lf8VfgSh0bXNfWqxRwea9viU8quL
23TK97v5w1/I3bbqG8F9Pjq0WBTaQ+cFUqdhHhBIAkrrO6KLpjupglAKncV6ny00
XYUhZdqN6Rr3NDMwUU4j8V4PZgR4JNOL
-----END PRIVATE KEY-----
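Review bot: This unencrypted PKCS#8 private key is now permanently part of the repository history, so it must be treated as public and used only by the test fixtures the commit description refers to; nothing in the file marks it as test-only. PEM has no comment syntax, so the cue belongs in the test class that loads it or a README beside it, e.g. `// Test-only keypair: committed in clear text, never reuse outside SamlAuthenticatorTests`. Since the stated reason for adding it is that BC-FIPS rejects a signing key reused for encryption, the test that loads it would presumably also benefit from asserting that this key differs from the signing key.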