You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2020/08/13 13:33:12 UTC

[cxf-fediz] branch master updated: Actually validate the signature for SAML SSO even if signatures are not required

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git


The following commit(s) were added to refs/heads/master by this push:
     new 3c0a616  Actually validate the signature for SAML SSO even if signatures are not required
3c0a616 is described below

commit 3c0a616d4a2b5dabc351471ca2e49f4515039ebd
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Aug 13 13:06:22 2020 +0100

    Actually validate the signature for SAML SSO even if signatures are not required
---
 .../cxf/fediz/core/saml/SAMLTokenValidator.java    | 17 ++++----
 .../core/samlsso/SAMLEncryptedResponseTest.java    | 50 ++++++++++++++++++++++
 2 files changed, 59 insertions(+), 8 deletions(-)

diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
index b7f5b22..125011b 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
@@ -99,17 +99,18 @@ public class SAMLTokenValidator implements TokenValidator {
             // PasswordCallbackHandler(password));
 
             SamlAssertionWrapper assertion = new SamlAssertionWrapper(token);
-            
+
             boolean doNotEnforceAssertionsSigned = !request.isEnforceTokenSigned();
-            
+
             boolean trusted = doNotEnforceAssertionsSigned;
             String assertionIssuer = assertion.getIssuerString();
-            
-            if (!doNotEnforceAssertionsSigned) {
-                if (!assertion.isSigned()) {
-                    LOG.warn("Assertion is not signed");
-                    throw new ProcessingException(TYPE.TOKEN_NO_SIGNATURE);
-                }
+
+            if (!doNotEnforceAssertionsSigned && !assertion.isSigned()) {
+                LOG.warn("Assertion is not signed");
+                throw new ProcessingException(TYPE.TOKEN_NO_SIGNATURE);
+            }
+
+            if (assertion.isSigned()) {
                 // Verify the signature
                 Signature sig = assertion.getSignature();
                 KeyInfo keyInfo = sig.getKeyInfo();
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java
index 882df46..fb1e001 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java
@@ -200,6 +200,56 @@ public class SAMLEncryptedResponseTest {
     }
 
     @org.junit.Test
+    public void validateSignedButNotRequiredEncryptedSAMLResponse() throws Exception {
+        // Mock up a Request
+        FedizContext config =
+                getFederationConfigurator().getFedizContext("ROOT_DECRYPTION_ALLOW_UNSIGNED");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                TEST_IDP_ISSUER,
+                requestId,
+                TEST_REQUEST_URL,
+                (String)config.getProtocol().getIssuer(),
+                null,
+                relayState,
+                System.currentTimeMillis());
+
+        // Create SAML Response
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
+        callbackHandler.setSubjectName(TEST_USER);
+        String responseStr = createSamlResponseStr(callbackHandler, requestId, true);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
+        FedizRequest wfReq = new FedizRequest();
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+        wfReq.setRequestState(requestState);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
+        FedizResponse wfRes = wfProc.processRequest(wfReq, config);
+
+        Assert.assertEquals("Principal name wrong", TEST_USER,
+                wfRes.getUsername());
+        Assert.assertEquals("Issuer wrong", TEST_IDP_ISSUER, wfRes.getIssuer());
+        Assert.assertEquals("Two roles must be found", 2, wfRes.getRoles()
+                .size());
+        Assert.assertEquals("Audience wrong", TEST_REQUEST_URL, wfRes.getAudience());
+        assertClaims(wfRes.getClaims(), ClaimTypes.COUNTRY);
+    }
+
+    @org.junit.Test
     public void validateUnsignedEncryptedSAMLResponse() throws Exception {
         // Mock up a Request
         FedizContext config =