Validate XML based on SAML Schema, time validations and num assertions

Author: iguanajazz

src/main/java/com/onelogin/saml/Response.java

@@ -14,6 +14,8 @@
 import javax.xml.crypto.dsig.dom.DOMValidateContext;
 
 import org.apache.commons.codec.binary.Base64;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NamedNodeMap;
@@ -26,13 +28,20 @@
 
 public class Response {
 
-	private Document xmlDoc;
+	/**
+     * A DOMDocument class loaded from the SAML Response (Decrypted).
+     */
+	private Document document;
+	
 	private NodeList assertions;
 	private Element rootElement;
 	private final AccountSettings accountSettings;
 	private final Certificate certificate;
+	private String response;
 	private String currentUrl;
 	private StringBuffer error;
+	
+	private static final Logger log = LoggerFactory.getLogger(Response.class);
 
 	public Response(AccountSettings accountSettings) throws CertificateException {
 		error = new StringBuffer();
@@ -42,26 +51,29 @@ public Response(AccountSettings accountSettings) throws CertificateException {
 	}
 
 	public Response(AccountSettings accountSettings, String response) throws Exception {
-		this(accountSettings);
+		this(accountSettings);		
 		loadXmlFromBase64(response);
 	}
 
-	public void loadXmlFromBase64(String response) throws Exception {
+	public void loadXmlFromBase64(String responseStr) throws Exception {
 		Base64 base64 = new Base64();
-		byte[] decodedB = base64.decode(response);
-		String decodedS = new String(decodedB);
-		xmlDoc = Utils.loadXML(decodedS);
-		System.out.println("xmlDoc [ "+xmlDoc.getDocumentElement()+" ]");
+		byte[] decodedB = base64.decode(responseStr);
+		this.response = new String(decodedB);
+		this.document = Utils.loadXML(this.response);
+		if(this.document == null){
+			
+		}
 	}
 
 	// isValid() function should be called to make basic security checks to responses.
-	public boolean isValid(){
+	public boolean isValid(String... requestId){
 		try{
 
 			// Security Checks
-			rootElement = xmlDoc.getDocumentElement();		
-			assertions = xmlDoc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion");		
-			xmlDoc.getDocumentElement().normalize();
+			rootElement = document.getDocumentElement();
+			rootElement.normalize();
+			assertions = document.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion");		
+			
 
 			// Check SAML version			
 			if (!rootElement.getAttribute("Version").equals("2.0")) {
@@ -75,14 +87,41 @@ public boolean isValid(){
 
 			checkStatus();
 
-			if (assertions == null || assertions.getLength() != 1) {
+			if (!this.validateNumAssertions()) {
 				throw new Exception("SAML Response must contain 1 Assertion.");
 			}
 
-			NodeList nodes = xmlDoc.getElementsByTagNameNS("*", "Signature");
-			if (nodes == null || nodes.getLength() == 0) {
-				throw new Exception("Can't find signature in Document.");
+			NodeList nodes = document.getElementsByTagName("Signature");
+			ArrayList<String> signedElements = new ArrayList<String>();
+			for (int i = 0; i < nodes.getLength(); i++) {
+				signedElements.add(nodes.item(i).getParentNode().getLocalName());
+			}
+			if (!signedElements.isEmpty()) {
+				if(!this.validateSignedElements(signedElements)){
+					throw new Exception("Found an unexpected Signature Element. SAML Response rejected");
+				}
+			}
+			
+			Document res = Utils.validateXML(this.document, "saml-schema-protocol-2.0.xsd");
+			
+			if(!(res instanceof Document)){
+				throw new Exception("Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd");
 			}
+			
+			if (rootElement.hasAttribute("InResponseTo")) {
+				String responseInResponseTo = document.getDocumentElement().getAttribute("InResponseTo");
+				if(requestId.length > 0 && responseInResponseTo.compareTo(requestId[0]) != 0){
+					throw new Exception("The InResponseTo of the Response: "+ responseInResponseTo + ", does not match the ID of the AuthNRequest sent by the SP: "+ requestId[0]);
+				}
+            }
+			
+			// Validate Asserion timestamps
+            if (!this.validateTimestamps()) {
+                throw new Exception("Timing issues (please check your clock settings)");
+            }
+			
+			// ------------ working validations until here!
+            //TODO: more validations
 
 			// Check destination
 			String destinationUrl = rootElement.getAttribute("Destination");
@@ -93,7 +132,7 @@ public boolean isValid(){
 			}
 
 			// Check Audience 
-			NodeList nodeAudience = xmlDoc.getElementsByTagNameNS("*", "Audience");
+			NodeList nodeAudience = document.getElementsByTagNameNS("*", "Audience");
 			String audienceUrl = nodeAudience.item(0).getChildNodes().item(0).getNodeValue();
 			if (audienceUrl != null) {
 				if(!audienceUrl.equals(currentUrl)){
@@ -102,7 +141,7 @@ public boolean isValid(){
 			}
 
 			// Check SubjectConfirmation, at least one SubjectConfirmation must be valid
-			NodeList nodeSubConf = xmlDoc.getElementsByTagNameNS("*", "SubjectConfirmation");
+			NodeList nodeSubConf = document.getElementsByTagNameNS("*", "SubjectConfirmation");
 			boolean validSubjectConfirmation = true;
 			for(int i = 0; i < nodeSubConf.getLength(); i++){
 				Node method = nodeSubConf.item(i).getAttributes().getNamedItem("Method");			
@@ -112,30 +151,12 @@ public boolean isValid(){
 				NodeList childs = nodeSubConf.item(i).getChildNodes();			
 				for(int c = 0; c < childs.getLength(); c++){				
 					if(childs.item(c).getLocalName().equals("SubjectConfirmationData")){
-						Node inResponseTo = childs.item(c).getAttributes().getNamedItem("InResponseTo");					
-	//					if(inResponseTo != null && !inResponseTo.getNodeValue().equals("ID of the AuthNRequest")){
-	//						validSubjectConfirmation = false;
-	//					}
+						
 						Node recipient = childs.item(c).getAttributes().getNamedItem("Recipient");					
 						if(recipient != null && !recipient.getNodeValue().equals(currentUrl)){
 							validSubjectConfirmation = false;
 						}
-						Node notOnOrAfter = childs.item(c).getAttributes().getNamedItem("NotOnOrAfter");
-						if(notOnOrAfter != null){						
-							final Calendar notOnOrAfterDate = javax.xml.bind.DatatypeConverter.parseDateTime(notOnOrAfter.getNodeValue());
-							Calendar now = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
-							if(notOnOrAfterDate.before(now)){
-								validSubjectConfirmation = false;
-							}
-						}
-						Node notBefore = childs.item(c).getAttributes().getNamedItem("NotBefore");
-						if(notBefore != null){						
-							final Calendar notBeforeDate = javax.xml.bind.DatatypeConverter.parseDateTime(notBefore.getNodeValue());
-							Calendar now = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
-							if(notBeforeDate.before(now)){
-								validSubjectConfirmation = false;
-							}
-						}
+						
 					}
 				}
 			}
@@ -165,7 +186,7 @@ public boolean isValid(){
 	}
 
 	public String getNameId() throws Exception {
-		NodeList nodes = xmlDoc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "NameID");
+		NodeList nodes = document.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "NameID");
 		if (nodes.getLength() == 0) {
 			throw new Exception("No name id found in Document.");
 		}
@@ -182,7 +203,7 @@ public String getAttribute(String name) {
 
 	public HashMap getAttributes() {
 		HashMap<String, ArrayList> attributes = new HashMap<String, ArrayList>();
-		NodeList nodes = xmlDoc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Attribute");
+		NodeList nodes = document.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Attribute");
 
 		if (nodes.getLength() != 0) {
 			for (int i = 0; i < nodes.getLength(); i++) {
@@ -208,7 +229,7 @@ public HashMap getAttributes() {
 	 * @throws $statusExceptionMsg If status is not success
      */
 	public Map<String, String>  checkStatus() throws Exception{
-		Map<String, String> status = Utils.getStatus(xmlDoc);
+		Map<String, String> status = Utils.getStatus(document);
 		if(status.containsKey("code") && !status.get("code").equals(Constants.STATUS_SUCCESS) ){
 			String statusExceptionMsg = "The status code of the Response was not Success, was " + 
 					status.get("code").substring(status.get("code").lastIndexOf(':') + 1);
@@ -221,6 +242,83 @@ public Map<String, String>  checkStatus() throws Exception{
 		return status;
 
 	}
+	
+	/**
+     * Verifies that the document only contains a single Assertion (encrypted or not).
+     *
+     * @return true if the document passes.
+     */
+	public boolean validateNumAssertions(){
+		NodeList assertionNodes = this.document.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Assertion");
+		if(assertionNodes != null && assertionNodes.getLength() == 1)
+			return true;
+		return false;
+	}
+	
+	/**
+     * Verifies that the document has the expected signed nodes.
+     *
+     * @return true if is valid
+     */
+	public boolean validateSignedElements(ArrayList<String> signedElements){
+		if(signedElements.size() > 2){
+			return false;
+		}
+		Map<String, Integer> occurrences = new HashMap<String, Integer>();
+		for(String e:signedElements){
+			if(occurrences.containsKey(e)){
+				occurrences.put(e, occurrences.get(e).intValue() + 1);
+			}else{
+				occurrences.put(e, 1);
+			}
+		}
+		
+		if((occurrences.containsKey("Response") && occurrences.get("Response") > 1) ||
+		  (occurrences.containsKey("Assertion") && occurrences.get("Assertion") > 1) ||
+          !occurrences.containsKey("Response") && !occurrences.containsKey("Assertion")
+      ) {
+          return false;
+      }
+      return true;
+	}
+	
+	/**
+     * Verifies that the document is still valid according Conditions Element.
+     *
+     * @return true if still valid
+     */
+    public boolean validateTimestamps()
+    {
+    	NodeList timestampNodes = document.getElementsByTagNameNS("*", "Conditions");
+    	if (timestampNodes.getLength() != 0) {
+			for (int i = 0; i < timestampNodes.getLength(); i++) {
+				NamedNodeMap attrName = timestampNodes.item(i).getAttributes();
+				Node nbAttribute = attrName.getNamedItem("NotBefore");
+				Node naAttribute = attrName.getNamedItem("NotOnOrAfter");
+				Calendar now = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
+				log.debug("now :"+ now.get(Calendar.HOUR_OF_DAY) + ":" + now.get(Calendar.MINUTE)+ ":" + now.get(Calendar.SECOND));
+				// validate NotOnOrAfter using UTC
+				if(naAttribute != null){						
+					final Calendar notOnOrAfterDate = javax.xml.bind.DatatypeConverter.parseDateTime(naAttribute.getNodeValue());
+					log.debug("notOnOrAfterDate :"+ notOnOrAfterDate.get(Calendar.HOUR_OF_DAY) + ":" + notOnOrAfterDate.get(Calendar.MINUTE)+ ":" + notOnOrAfterDate.get(Calendar.SECOND));
+					if(now.equals(notOnOrAfterDate) || now.after(notOnOrAfterDate)){
+						return false;
+					}
+				}
+				// validate NotBefore using UTC
+				if(nbAttribute != null){						
+					final Calendar notBeforeDate = javax.xml.bind.DatatypeConverter.parseDateTime(nbAttribute.getNodeValue());
+					log.debug("notBeforeDate :"+ notBeforeDate.get(Calendar.HOUR_OF_DAY) + ":" + notBeforeDate.get(Calendar.MINUTE)+ ":" + notBeforeDate.get(Calendar.SECOND));
+					if(now.before(notBeforeDate)){
+						return false;
+					}
+				}
+			}
+		}
+        return true;
+    }
+
+	
 
 	private boolean setIdAttributeExists() {
 		for (Method method : Element.class.getDeclaredMethods()) {
@@ -244,6 +342,6 @@ public String getError() {
 			return error.toString();
 		return "";
 	}
-
+	
 
 }