GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Enabled SAML LogoutRequests with EncryptedID 

The OpenSamlLogoutRequestValidator validates the subject to be logged out.
Formerly this was done only using the NameID from the OpenSamlLogoutRequest.
Now the EncryptedID is also supported, Since the SAML2 Standard also allows
the EncryptedID as subject identifiers,

- added EncryptedID as valid subject in OpenSamlLogoutRequestValidator
- added test

Closes gh-10663
pull/10760/head
Robert Stoiber 4 years ago committed by Josh Cummings
parent
b2fe9149cf
commit
c1bea329ba
4 changed files with 150 additions and 7 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 81
      saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/LogoutRequestEncryptedIDUtils.java
  2. 37
      saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutRequestValidator.java
  3. 18
      saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/TestOpenSamlObjects.java
  4. 21
      saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutRequestValidatorTests.java

81
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/LogoutRequestEncryptedIDUtils.java
Unescape View File

@ -0,0 +1,81 @@ @@ -0,0 +1,81 @@
/*
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.saml2.provider.service.authentication.logout;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.encryption.Decrypter;
import org.opensaml.saml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialSupport;
import org.opensaml.xmlsec.encryption.support.ChainingEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.EncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.InlineEncryptedKeyResolver;
import org.opensaml.xmlsec.encryption.support.SimpleRetrievalMethodEncryptedKeyResolver;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.CollectionKeyInfoCredentialResolver;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
/**
* Utility methods for decrypting EncryptedID from SAML logout request with OpenSAML
*
* For internal use only.
*
* this is mainly a adapted copy of OpenSamlDecryptionUtils
*
* @author Robert Stoiber
*/
final class LogoutRequestEncryptedIDUtils {
private static final EncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(
Arrays.asList(new InlineEncryptedKeyResolver(), new EncryptedElementTypeEncryptedKeyResolver(),
new SimpleRetrievalMethodEncryptedKeyResolver()));
static SAMLObject decryptEncryptedID(EncryptedID encryptedID, RelyingPartyRegistration registration) {
Decrypter decrypter = decrypter(registration);
try {
return decrypter.decrypt(encryptedID);
}
catch (Exception ex) {
throw new Saml2Exception(ex);
}
}
private static Decrypter decrypter(RelyingPartyRegistration registration) {
Collection<Credential> credentials = new ArrayList<>();
for (Saml2X509Credential key : registration.getDecryptionX509Credentials()) {
Credential cred = CredentialSupport.getSimpleCredential(key.getCertificate(), key.getPrivateKey());
credentials.add(cred);
}
KeyInfoCredentialResolver resolver = new CollectionKeyInfoCredentialResolver(credentials);
Decrypter decrypter = new Decrypter(null, resolver, encryptedKeyResolver);
decrypter.setRootInNewDocument(true);
return decrypter;
}
private LogoutRequestEncryptedIDUtils() {
}
}

37
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutRequestValidator.java
Unescape View File

@ -25,6 +25,8 @@ import net.shibboleth.utilities.java.support.xml.ParserPool; @@ -25,6 +25,8 @@ import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.core.EncryptedID;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.impl.LogoutRequestUnmarshaller;
@ -118,7 +120,7 @@ public final class OpenSamlLogoutRequestValidator implements Saml2LogoutRequestV @@ -118,7 +120,7 @@ public final class OpenSamlLogoutRequestValidator implements Saml2LogoutRequestV
return (errors) -> {
validateIssuer(request, registration).accept(errors);
validateDestination(request, registration).accept(errors);
validateName(request, authentication).accept(errors);
validateSubject(request, registration, authentication).accept(errors);
};
}
@ -153,23 +155,44 @@ public final class OpenSamlLogoutRequestValidator implements Saml2LogoutRequestV @@ -153,23 +155,44 @@ public final class OpenSamlLogoutRequestValidator implements Saml2LogoutRequestV
};
}
private Consumer<Collection<Saml2Error>> validateName(LogoutRequest request, Authentication authentication) {
private Consumer<Collection<Saml2Error>> validateSubject(LogoutRequest request,
RelyingPartyRegistration registration, Authentication authentication) {
return (errors) -> {
if (authentication == null) {
return;
}
NameID nameId = request.getNameID();
if (nameId == null) {
EncryptedID encryptedID = request.getEncryptedID();
if (nameId == null && encryptedID == null) {
errors.add(
new Saml2Error(Saml2ErrorCodes.SUBJECT_NOT_FOUND, "Failed to find subject in LogoutRequest"));
return;
}
String name = nameId.getValue();
if (!name.equals(authentication.getName())) {
errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_REQUEST,
"Failed to match subject in LogoutRequest with currently logged in user"));
if (nameId != null) {
validateNameID(nameId, authentication, errors);
}
else {
final NameID nameIDFromEncryptedID = decryptNameID(encryptedID, registration);
validateNameID(nameIDFromEncryptedID, authentication, errors);
}
};
}
private void validateNameID(NameID nameId, Authentication authentication, Collection<Saml2Error> errors) {
String name = nameId.getValue();
if (!name.equals(authentication.getName())) {
errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_REQUEST,
"Failed to match subject in LogoutRequest with currently logged in user"));
}
}
private NameID decryptNameID(EncryptedID encryptedID, RelyingPartyRegistration registration) {
final SAMLObject decryptedId = LogoutRequestEncryptedIDUtils.decryptEncryptedID(encryptedID, registration);
if (decryptedId instanceof NameID) {
return ((NameID) decryptedId);
}
return null;
}
}

18
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/TestOpenSamlObjects.java
Unescape View File

@ -365,6 +365,24 @@ public final class TestOpenSamlObjects { @@ -365,6 +365,24 @@ public final class TestOpenSamlObjects {
return logoutRequest;
}
public static LogoutRequest assertingPartyLogoutRequestNameIdInEncryptedId(RelyingPartyRegistration registration) {
LogoutRequestBuilder logoutRequestBuilder = new LogoutRequestBuilder();
LogoutRequest logoutRequest = logoutRequestBuilder.buildObject();
logoutRequest.setID("id");
NameIDBuilder nameIdBuilder = new NameIDBuilder();
NameID nameId = nameIdBuilder.buildObject();
nameId.setValue("user");
logoutRequest.setNameID(null);
logoutRequest.setEncryptedID(encrypted(nameId,
registration.getAssertingPartyDetails().getEncryptionX509Credentials().stream().findFirst().get()));
IssuerBuilder issuerBuilder = new IssuerBuilder();
Issuer issuer = issuerBuilder.buildObject();
issuer.setValue(registration.getAssertingPartyDetails().getEntityId());
logoutRequest.setIssuer(issuer);
logoutRequest.setDestination(registration.getSingleLogoutServiceLocation());
return logoutRequest;
}
public static LogoutResponse assertingPartyLogoutResponse(RelyingPartyRegistration registration) {
LogoutResponseBuilder logoutResponseBuilder = new LogoutResponseBuilder();
LogoutResponse logoutResponse = logoutResponseBuilder.buildObject();

21
saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/authentication/logout/OpenSamlLogoutRequestValidatorTests.java
Unescape View File

@ -60,6 +60,21 @@ public class OpenSamlLogoutRequestValidatorTests { @@ -60,6 +60,21 @@ public class OpenSamlLogoutRequestValidatorTests {
assertThat(result.hasErrors()).isFalse();
}
@Test
public void handleWhenNameIdInEncryptedIdPostThenValidates() {
RelyingPartyRegistration registration = registrationWithEncryption()
.assertingPartyDetails((party) -> party.singleLogoutServiceBinding(Saml2MessageBinding.POST)).build();
LogoutRequest logoutRequest = TestOpenSamlObjects.assertingPartyLogoutRequestNameIdInEncryptedId(registration);
sign(logoutRequest, registration);
Saml2LogoutRequest request = post(logoutRequest, registration);
Saml2LogoutRequestValidatorParameters parameters = new Saml2LogoutRequestValidatorParameters(request,
registration, authentication(registration));
Saml2LogoutValidatorResult result = this.manager.validate(parameters);
assertThat(result.hasErrors()).withFailMessage(() -> result.getErrors().toString()).isFalse().isFalse();
}
@Test
public void handleWhenRedirectBindingThenValidatesSignatureParameter() {
RelyingPartyRegistration registration = registration()
@ -134,6 +149,12 @@ public class OpenSamlLogoutRequestValidatorTests { @@ -134,6 +149,12 @@ public class OpenSamlLogoutRequestValidatorTests {
.assertingPartyDetails((party) -> party.singleLogoutServiceBinding(Saml2MessageBinding.POST));
}
private RelyingPartyRegistration.Builder registrationWithEncryption() {
return signing(verifying(TestRelyingPartyRegistrations.full()))
.assertingPartyDetails((party) -> party.encryptionX509Credentials(
(c) -> c.add(TestSaml2X509Credentials.assertingPartyEncryptingCredential())));
}
private RelyingPartyRegistration.Builder verifying(RelyingPartyRegistration.Builder builder) {
return builder.assertingPartyDetails((party) -> party
.verificationX509Credentials((c) -> c.add(TestSaml2X509Credentials.relyingPartyVerifyingCredential())));

Write Preview
Loading…
Cancel
Save