#62: check InResponseTo in Response more strictly

- reject Responses with no InResponseTo if one was provided as an
  argument to validate
- reject Responses with a InResponseTo if null was provided as an
  argument to validate (enabled by
  Saml2Settings.rejectUnsolicitedResponsesWithInResponseTo)
- reject SubjectConfirmationData without a InResponseTo, when the
  Response has one

Author: miszobi

core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

@@ -11,6 +11,7 @@
 import javax.xml.xpath.XPathExpressionException;
 
 import com.onelogin.saml2.model.SubjectConfirmationIssue;
+import org.apache.commons.lang3.ObjectUtils;
 import org.joda.time.DateTime;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -172,13 +173,16 @@ public boolean isValid(String requestId) {
 					}
 				}
 
-				String responseInResponseTo = rootElement.getAttribute("InResponseTo");
+				String responseInResponseTo = rootElement.hasAttribute("InResponseTo") ? rootElement.getAttribute("InResponseTo") : null;
+				if (requestId == null && responseInResponseTo != null && settings.isRejectUnsolicitedResponsesWithInResponseTo()) {
+					throw new Exception("The Response has an InResponseTo attribute: " + responseInResponseTo +
+							" while no InResponseTo was expected");
+				}
+
 				// Check if the InResponseTo of the Response matches the ID of the AuthNRequest (requestId) if provided
-				if (requestId != null && !requestId.isEmpty() && rootElement.hasAttribute("InResponseTo")) {
-					if (!responseInResponseTo.equals(requestId)) {
+				if (requestId != null && !ObjectUtils.equals(responseInResponseTo, requestId)) {
 						throw new Exception("The InResponseTo of the Response: " + responseInResponseTo
 								+ ", does not match the ID of the AuthNRequest sent by the SP: " + requestId);
-					}
 				}
 
 				if (!this.encrypted && settings.getWantAssertionsEncrypted()) {
@@ -310,8 +314,9 @@ private void validateSubjectConfirmation(String responseInResponseTo) throws Exc
 					}
 
 					Node inResponseTo = subjectConfirmationDataNodes.item(c).getAttributes().getNamedItem("InResponseTo");
-					if (inResponseTo != null && !inResponseTo.getNodeValue().equals(responseInResponseTo)) {
-						validationIssues.add(new SubjectConfirmationIssue(i, "SubjectConfirmationData has an invalid InResponseTo value"));
+					if (inResponseTo == null && responseInResponseTo != null ||
+							inResponseTo != null && !inResponseTo.getNodeValue().equals(responseInResponseTo)) {
+						validationIssues.add(new SubjectConfirmationIssue(i, "SubjectConfirmationData has an invalid InResponseTo value"));;
 						continue;
 					}
 

core/src/main/java/com/onelogin/saml2/settings/Saml2Settings.java

@@ -8,6 +8,8 @@
 import java.util.LinkedList;
 import java.util.List;
 
+import com.onelogin.saml2.authn.SamlResponse;
+import com.onelogin.saml2.logout.LogoutResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
@@ -70,6 +72,7 @@ public class Saml2Settings {
 	private String requestedAuthnContextComparison = "exact";
 	private Boolean wantXMLValidation = true;
 	private String signatureAlgorithm = Constants.RSA_SHA1;
+	private boolean rejectUnsolicitedResponsesWithInResponseTo = false;
 
 	// Misc
 	private List<Contact> contacts = new LinkedList<Contact>();
@@ -634,6 +637,28 @@ public void setSignatureAlgorithm(String signatureAlgorithm) {
 		this.signatureAlgorithm = signatureAlgorithm;
 	}
 
+	/**
+	 * Controls if unsolicited Responses are rejected if they contain an InResponseTo value.
+	 *
+	 * If false using a validate method {@link SamlResponse#isValid(String)} with a null argument will
+	 * accept messages with any (or none) InResponseTo value.
+	 *
+	 * If true using these methods with a null argument will only accept messages with no InRespoonseTo value,
+	 * and reject messages where the value is set.
+	 *
+	 * In all cases using validate with a specified request ID will only accept responses that have the same
+	 * InResponseTo id set.
+	 *
+	 * @param rejectUnsolicitedResponsesWithInResponseTo whether to strictly check the InResponseTo attribute
+	 */
+	public void setRejectUnsolicitedResponsesWithInResponseTo(boolean rejectUnsolicitedResponsesWithInResponseTo) {
+		this.rejectUnsolicitedResponsesWithInResponseTo = rejectUnsolicitedResponsesWithInResponseTo;
+	}
+
+	public boolean isRejectUnsolicitedResponsesWithInResponseTo() {
+		return rejectUnsolicitedResponsesWithInResponseTo;
+	}
+
 	/**
 	 * Set contacts info that will be listed on the Service Provider metadata
 	 * 

core/src/main/java/com/onelogin/saml2/settings/SettingsBuilder.java

@@ -82,6 +82,7 @@ public class SettingsBuilder {
 	public final static String SECURITY_REQUESTED_AUTHNCONTEXTCOMPARISON = "onelogin.saml2.security.requested_authncontextcomparison";
 	public final static String SECURITY_WANT_XML_VALIDATION = "onelogin.saml2.security.want_xml_validation";
 	public final static String SECURITY_SIGNATURE_ALGORITHM = "onelogin.saml2.security.signature_algorithm";
+	public final static String SECURITY_REJECT_UNSOLICITED_RESPONSES_WITH_INRESPONSETO = "onelogin.saml2.security.reject_unsolicited_responses_with_inresponseto";
 
 	// Misc
 	public final static String CONTACT_TECHNICAL_GIVEN_NAME = "onelogin.saml2.contacts.technical.given_name";
@@ -268,6 +269,11 @@ private void loadSecuritySetting() {
 		String signatureAlgorithm = loadStringProperty(SECURITY_SIGNATURE_ALGORITHM);
 		if (signatureAlgorithm != null && !signatureAlgorithm.isEmpty())
 			saml2Setting.setSignatureAlgorithm(signatureAlgorithm);
+
+		Boolean rejectUnsolicitedResponsesWithInResponseTo = loadBooleanProperty(SECURITY_REJECT_UNSOLICITED_RESPONSES_WITH_INRESPONSETO);
+		if (rejectUnsolicitedResponsesWithInResponseTo != null) {
+			saml2Setting.setRejectUnsolicitedResponsesWithInResponseTo(rejectUnsolicitedResponsesWithInResponseTo);
+		}
 	}
 
 	/**

core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java

@@ -1057,6 +1057,19 @@ public void testIsValidSubjectConfirmation_invalidInResponseTo() throws Exceptio
 		assertResponseValid(settings, samlResponseEncoded, true, false, "A valid SubjectConfirmation was not found on this Response: SubjectConfirmationData has an invalid InResponseTo value");
 	}
 
+	@Test
+	public void testIsValidSubjectConfirmation_unmatchedInResponseTo() throws Exception {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
+		settings.setWantAssertionsSigned(false);
+		settings.setWantMessagesSigned(true);
+
+		final String samlResponseEncoded = loadSignMessageAndEncode("data/responses/invalids/invalid_unpaired_inresponsesto.xml");
+
+		assertResponseValid(settings, samlResponseEncoded, true, false,
+				"A valid SubjectConfirmation was not found on this Response - SubjectConfirmationData has an invalid InResponseTo value");
+		assertResponseValid(settings, samlResponseEncoded, false, true, null);
+	}
+
 	@Test
 	public void testIsValidSubjectConfirmation_invalidRecipient() throws Exception {
 		final Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min.properties").build();
@@ -1177,6 +1190,34 @@ public void testIsInValidRequestId() throws Exception {
 		assertThat(samlResponse.getError(), containsString("The InResponseTo of the Response"));		
 	}
 
+	@Test
+	public void testUnexpectedRequestId() throws Exception {
+		Saml2Settings acceptingUnexpectedInResponseTo = new SettingsBuilder().fromFile("config/config.my.properties").build();
+		Saml2Settings rejectingUnexpectedInResponseTo = new SettingsBuilder().fromFile("config/config.my.properties").build();
+		rejectingUnexpectedInResponseTo.setRejectUnsolicitedResponsesWithInResponseTo(true);
+
+		final String samlResponseEncoded = Util.getFileAsString("data/responses/valid_response.xml.base64");
+
+		assertResponseValid(acceptingUnexpectedInResponseTo, samlResponseEncoded, true, true, null);
+		assertResponseValid(rejectingUnexpectedInResponseTo, samlResponseEncoded, true, false,
+				"The Response has an InResponseTo attribute: ONELOGIN_5fe9d6e499b2f0913206aab3f7191729049bb807 while no InResponseTo was expected");
+	}
+
+	@Test
+	public void testMissingExpectedRequestId() throws Exception {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
+		settings.setWantMessagesSigned(true);
+		settings.setWantAssertionsSigned(false);
+		settings.setStrict(true);
+
+		// message with no InResponseTo
+		final String samlResponseEncoded = loadSignMessageAndEncode("data/responses/valid_idp_initiated_response.xml");
+
+		final SamlResponse samlResponse = new SamlResponse(settings, mockRequestWithSamlResponse(samlResponseEncoded));
+		assertFalse(samlResponse.isValid("expected-id"));
+		assertEquals(samlResponse.getError(), "The InResponseTo of the Response: null, does not match the ID of the AuthNRequest sent by the SP: expected-id");
+	}
+
 	/**
 	 * Tests the isValid method of SamlResponse
 	 * Case: invalid signing issues

core/src/test/resources/data/responses/invalids/invalid_subjectconfirmation_no_notonorafter.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxc32aed67-820f-4296-0c20-205a10dd5787" Version="2.0" IssueInstant="2011-06-17T14:54:14Z" Destination="http://localhost:8080/java-saml-jspsample/acs.jsp" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38">
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxc32aed67-820f-4296-0c20-205a10dd5787" Version="2.0" IssueInstant="2011-06-17T14:54:14Z" Destination="http://localhost:8080/java-saml-jspsample/acs.jsp">
     <saml:Issuer>https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
     <samlp:Status>
         <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

core/src/test/resources/data/responses/invalids/invalid_unpaired_inresponsesto.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxc32aed67-820f-4296-0c20-205a10dd5787" Version="2.0" IssueInstant="2011-06-17T14:54:14Z" InResponseTo="unpaired" Destination="http://localhost:8080/java-saml-jspsample/acs.jsp">
+    <saml:Issuer>https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
+    <samlp:Status>
+        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+    </samlp:Status>
+    <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfx7841991c-c73f-4035-e2ee-c170c0e1d3e4" Version="2.0" IssueInstant="2011-06-17T14:54:14Z">
+        <saml:Issuer>https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
+        <saml:Subject>
+            <saml:NameID SPNameQualifier="hello.com" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">someone@example.com</saml:NameID>
+            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+                <saml:SubjectConfirmationData NotOnOrAfter="2020-06-17T14:59:14Z" Recipient="http://localhost:8080/java-saml-jspsample/acs.jsp"/>
+            </saml:SubjectConfirmation>
+        </saml:Subject>
+        <saml:Conditions NotBefore="2010-06-17T14:53:44Z" NotOnOrAfter="2021-06-17T14:59:14Z">
+            <saml:AudienceRestriction>
+                <saml:Audience>http://localhost:8080/java-saml-jspsample/metadata.jsp</saml:Audience>
+            </saml:AudienceRestriction>
+        </saml:Conditions>
+        <saml:AuthnStatement AuthnInstant="2011-06-17T14:54:07Z" SessionNotOnOrAfter="2021-06-17T22:54:14Z" SessionIndex="_51be37965feb5579d803141076936dc2e9d1d98ebf">
+            <saml:AuthnContext>
+                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
+            </saml:AuthnContext>
+        </saml:AuthnStatement>
+        <saml:AttributeStatement>
+            <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+                <saml:AttributeValue xsi:type="xs:string">someone@example.com</saml:AttributeValue>
+            </saml:Attribute>
+        </saml:AttributeStatement>
+    </saml:Assertion>
+</samlp:Response>

core/src/test/resources/data/responses/valid_idp_initiated_response.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxc32aed67-820f-4296-0c20-205a10dd5787" Version="2.0" IssueInstant="2011-06-17T14:54:14Z" Destination="http://localhost:8080/java-saml-jspsample/acs.jsp">
+    <saml:Issuer>https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
+    <samlp:Status>
+        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+    </samlp:Status>
+    <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfx7841991c-c73f-4035-e2ee-c170c0e1d3e4" Version="2.0" IssueInstant="2011-06-17T14:54:14Z">
+        <saml:Issuer>https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
+        <saml:Subject>
+            <saml:NameID SPNameQualifier="hello.com" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">someone@example.com</saml:NameID>
+            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+                <saml:SubjectConfirmationData NotOnOrAfter="2020-06-17T14:59:14Z" Recipient="http://localhost:8080/java-saml-jspsample/acs.jsp"/>
+            </saml:SubjectConfirmation>
+        </saml:Subject>
+        <saml:Conditions NotBefore="2010-06-17T14:53:44Z" NotOnOrAfter="2021-06-17T14:59:14Z">
+            <saml:AudienceRestriction>
+                <saml:Audience>http://localhost:8080/java-saml-jspsample/metadata.jsp</saml:Audience>
+            </saml:AudienceRestriction>
+        </saml:Conditions>
+        <saml:AuthnStatement AuthnInstant="2011-06-17T14:54:07Z" SessionNotOnOrAfter="2021-06-17T22:54:14Z" SessionIndex="_51be37965feb5579d803141076936dc2e9d1d98ebf">
+            <saml:AuthnContext>
+                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
+            </saml:AuthnContext>
+        </saml:AuthnStatement>
+        <saml:AttributeStatement>
+            <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+                <saml:AttributeValue xsi:type="xs:string">someone@example.com</saml:AttributeValue>
+            </saml:Attribute>
+        </saml:AttributeStatement>
+    </saml:Assertion>
+</samlp:Response>