Merge branch 'master' of https://github.com/juazugas/java-saml into juazugas-master

Author: pitbulk

README.md

@@ -361,7 +361,7 @@ onelogin.saml2.contacts.support.email_address = support@example.com
 
 ##### KeyStores
 
-The Auth constructor supports the ability to read SP public cert/private key from a KeyStore. A KeyStoreSettings object must be provided with the KeyStore, the Alias and the storePass if any.
+The Auth constructor supports the ability to read SP public cert/private key from a KeyStore. A KeyStoreSettings object must be provided with the KeyStore, the Alias and the KeyEntry password.
 
 ```java
 import java.io.FileInputStream;
@@ -370,13 +370,14 @@ import com.onelogin.saml2.Auth
 import com.onelogin.saml2.model.KeyStoreSettings
 
 String keyStoreFile = "oneloginTestKeystore.jks";
-String alias = "onelogintest";
+String alias = "keywithpassword";
 String storePass = "changeit";
+String keyPassword = "keypassword";
 
 KeyStore ks = KeyStore.getInstance("JKS");
-ks.load(new FileInputStream(keyStoreFile), password.toCharArray());
+ks.load(new FileInputStream(keyStoreFile), storePass.toCharArray());
 
-KeyStoreSettings keyStoreSettings =  new keyStoreSettings(ks, alias, storePass);
+KeyStoreSettings keyStoreSettings =  new keyStoreSettings(ks, alias, keyPassword);
 Auth auth = new Auth(KeyStoreSettings keyStoreSetting);
 ```
 

core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

@@ -8,10 +8,8 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
-
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.xpath.XPathExpressionException;
-
 import org.joda.time.DateTime;
 import org.joda.time.Instant;
 import org.slf4j.Logger;
@@ -22,7 +20,8 @@
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
-
+import com.onelogin.saml2.exception.SettingsException;
+import com.onelogin.saml2.exception.ValidationError;
 import com.onelogin.saml2.http.HttpRequest;
 import com.onelogin.saml2.model.SamlResponseStatus;
 import com.onelogin.saml2.model.SubjectConfirmationIssue;
@@ -31,9 +30,6 @@
 import com.onelogin.saml2.util.SchemaFactory;
 import com.onelogin.saml2.util.Util;
 
-import com.onelogin.saml2.exception.SettingsException;
-import com.onelogin.saml2.exception.ValidationError;
-
 /**
  * SamlResponse class of OneLogin's Java Toolkit.
  *
@@ -553,18 +549,24 @@ public HashMap<String, List<String>> getAttributes() throws XPathExpressionExcep
 			for (int i = 0; i < nodes.getLength(); i++) {
 				NamedNodeMap attrName = nodes.item(i).getAttributes();
 				String attName = attrName.getNamedItem("Name").getNodeValue();
-				if (attributes.containsKey(attName)) {
+				if (attributes.containsKey(attName) && !settings.isSpAllowRepeatAttributeName()) {
 					throw new ValidationError("Found an Attribute element with duplicated Name", ValidationError.DUPLICATED_ATTRIBUTE_NAME_FOUND);
 				}
 
 				NodeList childrens = nodes.item(i).getChildNodes();
 
-				List<String> attrValues = new ArrayList<String>();
+				List<String> attrValues = null;
+				if (attributes.containsKey(attName) && settings.isSpAllowRepeatAttributeName()) {
+					attrValues = attributes.get(attName);
+				} else {
+					attrValues = new ArrayList<String>();
+				}
 				for (int j = 0; j < childrens.getLength(); j++) {
 					if ("AttributeValue".equals(childrens.item(j).getLocalName())) {
 						attrValues.add(childrens.item(j).getTextContent());
 					}
 				}
+
 				attributes.put(attName, attrValues);
 			}
 			LOGGER.debug("SAMLResponse has attributes: " + attributes.toString());

core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java

@@ -321,10 +321,15 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		if (nameIdFormat != null && nameIdFormat.equals(Constants.NAMEID_UNSPECIFIED)) {
 			nameIdFormat = null;
 		}
-		
+
 		X509Certificate cert = null;
 		if (settings.getNameIdEncrypted()) {
 			cert = settings.getIdpx509cert();
+			if (cert == null) {
+				List<X509Certificate> multipleCertList = settings.getIdpx509certMulti();
+				if (multipleCertList != null && !multipleCertList.isEmpty())
+				cert = multipleCertList.get(0);
+			}
 		}
 
 		String nameIdStr = Util.generateNameId(nameId, spNameQualifier, nameIdFormat, nameQualifier, cert);
@@ -429,19 +434,22 @@ public Boolean isValid() throws Exception {
 
 			if (signature != null && !signature.isEmpty()) {
 				X509Certificate cert = settings.getIdpx509cert();
-				if (cert == null) {
-					throw new SettingsException("In order to validate the sign on the Logout Request, the x509cert of the IdP is required", SettingsException.CERT_NOT_FOUND);
-				}
-
+				
 				List<X509Certificate> certList = new ArrayList<X509Certificate>();
 				List<X509Certificate> multipleCertList = settings.getIdpx509certMulti();
 
 				if (multipleCertList != null && multipleCertList.size() != 0) {
 					certList.addAll(multipleCertList);
 				}
 
-				if (certList.isEmpty() || !certList.contains(cert)) {
-					certList.add(0, cert);
+				if (cert != null) {
+					if (certList.isEmpty() || !certList.contains(cert)) {
+						certList.add(0, cert);
+					}
+				}
+
+				if (certList.isEmpty()) {
+					throw new SettingsException("In order to validate the sign on the Logout Request, the x509cert of the IdP is required", SettingsException.CERT_NOT_FOUND);
 				}
 
 				String signAlg = request.getParameter("SigAlg");

core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java

@@ -32,7 +32,7 @@
  * LogoutResponse class of OneLogin's Java Toolkit.
  *
  * A class that implements SAML 2 Logout Response builder/parser/validator
- */ 
+ */
 public class LogoutResponse {
 	/**
      * Private property to construct a logger for this class.
@@ -42,7 +42,7 @@ public class LogoutResponse {
 	/**
 	 * SAML LogoutResponse string
 	 */
-	private String logoutResponseString;	
+	private String logoutResponseString;
 
 	/**
 	 * A DOMDocument object loaded from the SAML Response.
@@ -81,7 +81,7 @@ public class LogoutResponse {
 
 	/**
 	 * After validation, if it fails this property has the cause of the problem
-	 */ 
+	 */
 	private String error;
 
 	/**
@@ -96,7 +96,7 @@ public class LogoutResponse {
 	public LogoutResponse(Saml2Settings settings, HttpRequest request) {
 		this.settings = settings;
 		this.request = request;
-		
+
 		String samlLogoutResponse = null;
 		if (request != null) {
 			currentUrl = request.getRequestURL();
@@ -112,10 +112,10 @@ public LogoutResponse(Saml2Settings settings, HttpRequest request) {
 	/**
 	 * @return the base64 encoded unsigned Logout Response (deflated or not)
 	 *
-	 * @param deflated 
+	 * @param deflated
      *				If deflated or not the encoded Logout Response
      *
-	 * @throws IOException 
+	 * @throws IOException
 	 */
 	public String getEncodedLogoutResponse(Boolean deflated) throws IOException {
 		String encodedLogoutResponse;
@@ -133,7 +133,7 @@ public String getEncodedLogoutResponse(Boolean deflated) throws IOException {
 	/**
 	 * @return the base64 encoded, unsigned Logout Response (deflated or not)
 	 *
-	 * @throws IOException 
+	 * @throws IOException
 	 */
 	public String getEncodedLogoutResponse() throws IOException {
 		return getEncodedLogoutResponse(null);
@@ -230,9 +230,6 @@ public Boolean isValid(String requestId) {
 
 			if (signature != null && !signature.isEmpty()) {
 				X509Certificate cert = settings.getIdpx509cert();
-				if (cert == null) {
-					throw new SettingsException("In order to validate the sign on the Logout Response, the x509cert of the IdP is required", SettingsException.CERT_NOT_FOUND);
-				}
 
 				List<X509Certificate> certList = new ArrayList<X509Certificate>();
 				List<X509Certificate> multipleCertList = settings.getIdpx509certMulti();
@@ -241,8 +238,14 @@ public Boolean isValid(String requestId) {
 					certList.addAll(multipleCertList);
 				}
 
-				if (certList.isEmpty() || !certList.contains(cert)) {
-					certList.add(0, cert);
+				if (cert != null) {
+					if (certList.isEmpty() || !certList.contains(cert)) {
+						certList.add(0, cert);
+					}
+				}
+
+				if (certList.isEmpty()) {
+					throw new SettingsException("In order to validate the sign on the Logout Response, the x509cert of the IdP is required", SettingsException.CERT_NOT_FOUND);
 				}
 
 				String signAlg = request.getParameter("SigAlg");
@@ -274,13 +277,13 @@ public Boolean isValid(String requestId) {
 		}
 	}
 
-	public Boolean isValid() {		
+	public Boolean isValid() {
 		return isValid(null);
 	}
 
 	/**
 	 * Gets the Issuer from Logout Response.
-	 * 
+	 *
 	 * @return the issuer of the logout response
 	 *
 	 * @throws XPathExpressionException
@@ -290,7 +293,7 @@ public String getIssuer() throws XPathExpressionException {
 		NodeList issuers = this.query("/samlp:LogoutResponse/saml:Issuer");
 		if (issuers.getLength() == 1) {
 			issuer = issuers.item(0).getTextContent();
-		}    	
+		}
         return issuer;
     }
 
@@ -341,16 +344,28 @@ private NodeList query (String query) throws XPathExpressionException {
      *
      * @param inResponseTo
      *				InResponseTo attribute value to bet set at the Logout Response. 
+	 * @param statusCode
+	 * 				String StatusCode to be set on the LogoutResponse
      */
-	public void build(String inResponseTo) {
+	public void build(String inResponseTo, String statusCode) {
 		id = Util.generateUniqueID(settings.getUniqueIDPrefix());
 		issueInstant = Calendar.getInstance();
 		this.inResponseTo = inResponseTo;
 
-		StrSubstitutor substitutor = generateSubstitutor(settings);
+		StrSubstitutor substitutor = generateSubstitutor(settings, statusCode);
 		this.logoutResponseString = substitutor.replace(getLogoutResponseTemplate());
 	}
 
+    /**
+     * Generates a Logout Response XML string.
+     *
+     * @param inResponseTo
+     *				InResponseTo attribute value to bet set at the Logout Response. 
+     */
+	public void build(String inResponseTo) {
+		build(inResponseTo, Constants.STATUS_SUCCESS);
+	}
+	
     /**
      * Generates a Logout Response XML string.
      *
@@ -364,13 +379,15 @@ public void build() {
 	 *
 	 * @param settings
 	 * 				Saml2Settings object. Setting data
-	 * 
-	 * @return the StrSubstitutor object of the LogoutResponse 
+	 * @param statusCode
+	 * 				String StatusCode to be set on the LogoutResponse
+	 *
+	 * @return the StrSubstitutor object of the LogoutResponse
 	 */
-	private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
+	private StrSubstitutor generateSubstitutor(Saml2Settings settings, String statusCode) {
 		Map<String, String> valueMap = new HashMap<String, String>();
 
-		valueMap.put("id", id);		
+		valueMap.put("id", id);
 
 		String issueInstantString = Util.formatDateTime(issueInstant.getTimeInMillis());
 		valueMap.put("issueInstant", issueInstantString);
@@ -388,11 +405,29 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		}
 		valueMap.put("inResponseStr", inResponseStr);		
 
+		String statusStr = "";
+		if (statusCode != null) {
+			statusStr = "Value=\"" + statusCode + "\"";
+		}
+		valueMap.put("statusStr", statusStr);
+
 		valueMap.put("issuer", settings.getSpEntityId());
 
 		return new StrSubstitutor(valueMap);
 	}
 
+	/**
+	 * Substitutes LogoutResponse variables within a string by values.
+	 *
+	 * @param settings
+	 * 				Saml2Settings object. Setting data
+	 *
+	 * @return the StrSubstitutor object of the LogoutResponse
+	 */
+	private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
+		return generateSubstitutor(settings, Constants.STATUS_SUCCESS);
+	}
+
 	/**
 	 * @return the LogoutResponse's template
 	 */
@@ -404,7 +439,7 @@ private static StringBuilder getLogoutResponseTemplate() {
 		template.append("IssueInstant=\"${issueInstant}\"${destinationStr}${inResponseStr} >");
 		template.append("<saml:Issuer>${issuer}</saml:Issuer>");
 		template.append("<samlp:Status>");
-		template.append("<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\" />");
+		template.append("<samlp:StatusCode ${statusStr} />");
 		template.append("</samlp:Status>");
 		template.append("</samlp:LogoutResponse>");
 		return template;
@@ -413,7 +448,7 @@ private static StringBuilder getLogoutResponseTemplate() {
 	/**
      * After execute a validation process, if fails this method returns the cause
      *
-     * @return the cause of the validation error 
+     * @return the cause of the validation error
      */
 	public String getError() {
 		return error;

core/src/main/java/com/onelogin/saml2/model/KeyStoreSettings.java

@@ -19,9 +19,9 @@ public class KeyStoreSettings {
     private final String spAlias;
 
     /**
-     * Password for KeyStore
+     * Password for KeyEntry in KeyStore
      */
-    private final String storePass;
+    private final String spKeyPass;
 
     /**
      * Constructor
@@ -32,13 +32,13 @@ public class KeyStoreSettings {
      * @param spAlias
      *            Alias for SP key entry
      *
-     * @param storePass
-     *            password to access KeyStore
+     * @param spKeyPass
+     *            password to access Private KeyEntry in KeyStore
      */
-    public KeyStoreSettings(KeyStore keyStore, String spAlias, String storePass) {
+    public KeyStoreSettings(KeyStore keyStore, String spAlias, String spKeyPass) {
         this.keyStore = keyStore;
         this.spAlias = spAlias;
-        this.storePass = storePass;
+        this.spKeyPass = spKeyPass;
     }
 
     /**
@@ -56,10 +56,10 @@ public final String getSpAlias() {
     }
 
     /**
-     * @return the storePass
+     * @return the spKeyPass
      */
-    public final String getStorePass() {
-        return storePass;
+    public final String getSpKeyPass() {
+        return spKeyPass;
     }
 
 }