#63: better error message + test for multiple SubjectConfirmation issues

Author: miszobi

core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

@@ -1,6 +1,5 @@
 package com.onelogin.saml2.authn;
 
-import java.io.IOException;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -9,13 +8,8 @@
 import java.util.Map;
 
 import javax.servlet.http.HttpServletRequest;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.xpath.XPath;
-import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;
-import javax.xml.xpath.XPathFactory;
 
-import org.apache.commons.lang3.StringUtils;
 import org.joda.time.DateTime;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -24,7 +18,6 @@
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
-import org.xml.sax.SAXException;
 
 import com.onelogin.saml2.settings.Saml2Settings;
 import com.onelogin.saml2.model.SamlResponseStatus;
@@ -289,7 +282,7 @@ public boolean isValid(String requestId) {
 
 	// Check SubjectConfirmation, at least one SubjectConfirmation must be valid
 	private void validateSubjectConfirmation(String responseInResponseTo) throws Exception {
-		final List<String> subjectConfirmationDataIssues = new ArrayList<>();
+		final List<SubjectConfirmationIssue> validationIssues = new ArrayList<>();
 		boolean validSubjectConfirmation = false;
 		NodeList subjectConfirmationNodes = this.queryAssertion("/saml:Subject/saml:SubjectConfirmation");
 		for (int i = 0; i < subjectConfirmationNodes.getLength(); i++) {
@@ -306,50 +299,49 @@ private void validateSubjectConfirmation(String responseInResponseTo) throws Exc
 
 					Node recipient = subjectConfirmationDataNodes.item(c).getAttributes().getNamedItem("Recipient");
 					if (recipient == null) {
-						subjectConfirmationDataIssues.add("SubjectConfirmationData doesn't contain a Recipient");
+						validationIssues.add(new SubjectConfirmationIssue(i, "SubjectConfirmationData doesn't contain a Recipient"));
 						continue;
 					}
 
 					if (!recipient.getNodeValue().equals(currentUrl)) {
-						subjectConfirmationDataIssues.add("SubjectConfirmationData doesn't match a valid Recipient");
+						validationIssues.add(new SubjectConfirmationIssue(i, "SubjectConfirmationData doesn't match a valid Recipient"));
 						continue;
 					}
 
 					Node inResponseTo = subjectConfirmationDataNodes.item(c).getAttributes().getNamedItem("InResponseTo");
 					if (inResponseTo != null && !inResponseTo.getNodeValue().equals(responseInResponseTo)) {
-						subjectConfirmationDataIssues.add("SubjectConfirmationData has an invalid InResponseTo value");
+						validationIssues.add(new SubjectConfirmationIssue(i, "SubjectConfirmationData has an invalid InResponseTo value"));
 						continue;
 					}
 
 
 					Node notOnOrAfter = subjectConfirmationDataNodes.item(c).getAttributes().getNamedItem("NotOnOrAfter");
 					if (notOnOrAfter == null) {
-						subjectConfirmationDataIssues.add("SubjectConfirmationData doesn't contain a NotOnOrAfter attribute");
+						validationIssues.add(new SubjectConfirmationIssue(i, "SubjectConfirmationData doesn't contain a NotOnOrAfter attribute"));
 						continue;
 					}
 
 					DateTime noa = Util.parseDateTime(notOnOrAfter.getNodeValue());
 					if (noa.isEqualNow() || noa.isBeforeNow()) {
-						subjectConfirmationDataIssues.add("SubjectConfirmationData is no longer valid");
+						validationIssues.add(new SubjectConfirmationIssue(i, "SubjectConfirmationData is no longer valid"));
 						continue;
 					}
 
 					Node notBefore = subjectConfirmationDataNodes.item(c).getAttributes().getNamedItem("NotBefore");
 					if (notBefore != null) {
 						DateTime nb = Util.parseDateTime(notBefore.getNodeValue());
 						if (nb.isAfterNow()) {
-							subjectConfirmationDataIssues.add("SubjectConfirmationData is not yet valid");
+							validationIssues.add(new SubjectConfirmationIssue(i, "SubjectConfirmationData is not yet valid"));
 							continue;
 						}
 					}
 					validSubjectConfirmation = true;
 				}
 			}
 		}
+
 		if (!validSubjectConfirmation) {
-			String subjectConfirmationDataIssuesMsg = subjectConfirmationDataIssues.isEmpty() ? "" :
-					" - " + StringUtils.join(subjectConfirmationDataIssues, ", ");
-			throw new Exception("A valid SubjectConfirmation was not found on this Response" + subjectConfirmationDataIssuesMsg);
+			throw new Exception(SubjectConfirmationIssue.prettyPrint(validationIssues));
 		}
 	}
 

core/src/main/java/com/onelogin/saml2/authn/SubjectConfirmationIssue.java

@@ -0,0 +1,34 @@
+package com.onelogin.saml2.authn;
+
+import java.util.List;
+
+class SubjectConfirmationIssue {
+    private final int subjectConfirmationIndex;
+    private final String message;
+
+    SubjectConfirmationIssue(int subjectConfirmationIndex, String message) {
+        this.subjectConfirmationIndex = subjectConfirmationIndex;
+        this.message = message;
+    }
+
+    static String prettyPrint(List<SubjectConfirmationIssue> subjectConfirmationDataIssues) {
+        StringBuilder subjectConfirmationDataIssuesMsg = new StringBuilder("A valid SubjectConfirmation was not found on this Response");
+        if (subjectConfirmationDataIssues.size() > 0) {
+            subjectConfirmationDataIssuesMsg.append(" - ");
+        }
+        for (int i = 0; i < subjectConfirmationDataIssues.size(); i++) {
+            final SubjectConfirmationIssue issue = subjectConfirmationDataIssues.get(i);
+            subjectConfirmationDataIssuesMsg.append(issue.message);
+            if (subjectConfirmationDataIssues.size() > 1) {
+                subjectConfirmationDataIssuesMsg.append(" [")
+                        .append(issue.subjectConfirmationIndex)
+                        .append("]");
+            }
+            if (i != subjectConfirmationDataIssues.size() - 1) {
+                subjectConfirmationDataIssuesMsg.append(", ");
+            }
+        }
+
+        return subjectConfirmationDataIssuesMsg.toString();
+    }
+}

core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java

@@ -1086,7 +1086,6 @@ public void testIsValidSubjectConfirmation_notYetValid() throws Exception {
 
 	@Test
 	public void testIsValidSubjectConfirmation_missingRecipient() throws Exception {
-		// having
 		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
 		settings.setWantAssertionsSigned(false);
 		settings.setWantMessagesSigned(true);
@@ -1105,13 +1104,27 @@ public void testIsValidSubjectConfirmation_missingNotOnOrAfter() throws Exceptio
 		settings.setWantMessagesSigned(true);
 
 		final String samlResponseEncoded = loadSignMessageAndEncode("data/responses/invalids/invalid_subjectconfirmation_no_notonorafter.xml");
-		HttpServletRequest request = mockRequestWithSamlResponse(samlResponseEncoded);
 
 		assertResponseValid(settings, samlResponseEncoded, false, true, null);
 		assertResponseValid(settings, samlResponseEncoded, true, false,
 				"A valid SubjectConfirmation was not found on this Response - SubjectConfirmationData doesn't contain a NotOnOrAfter attribute");
 	}
 
+	@Test
+	public void testIsValidSubjectConfirmation_multipleIssues() throws Exception {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
+		settings.setWantAssertionsSigned(false);
+		settings.setWantMessagesSigned(true);
+
+		final String samlResponseEncoded = loadSignMessageAndEncode("data/responses/invalids/invalid_subjectconfirmation_multiple_issues.xml");
+
+		assertResponseValid(settings, samlResponseEncoded, false, true, null);
+		assertResponseValid(settings, samlResponseEncoded, true, false,
+				"A valid SubjectConfirmation was not found on this Response - SubjectConfirmationData doesn't contain a NotOnOrAfter attribute [0], " +
+						"SubjectConfirmationData doesn't contain a Recipient [1], " +
+						"SubjectConfirmationData is no longer valid [2]");
+	}
+
 	/**
 	 * Tests the isValid method of SamlResponse
 	 * Case: Datetime with Miliseconds

core/src/test/resources/data/responses/invalids/invalid_subjectconfirmation_multiple_issues.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxc32aed67-820f-4296-0c20-205a10dd5787" Version="2.0" IssueInstant="2011-06-17T14:54:14Z" Destination="http://localhost:8080/java-saml-jspsample/acs.jsp" InResponseTo="_57bcbf70-7b1f-012e-c821-782bcb13bb38">
+    <saml:Issuer>https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
+    <samlp:Status>
+        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+    </samlp:Status>
+    <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfx7841991c-c73f-4035-e2ee-c170c0e1d3e4" Version="2.0" IssueInstant="2011-06-17T14:54:14Z">
+        <saml:Issuer>https://pitbulk.no-ip.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
+        <saml:Subject>
+            <saml:NameID SPNameQualifier="hello.com" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">someone@example.com</saml:NameID>
+            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+                <saml:SubjectConfirmationData Recipient="http://localhost:8080/java-saml-jspsample/acs.jsp"/>
+            </saml:SubjectConfirmation>
+            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+                <saml:SubjectConfirmationData NotOnOrAfter="2120-06-17T14:53:44Z"/>
+            </saml:SubjectConfirmation>
+            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+                <saml:SubjectConfirmationData NotOnOrAfter="2010-06-17T14:53:44Z" Recipient="http://localhost:8080/java-saml-jspsample/acs.jsp"/>
+            </saml:SubjectConfirmation>
+        </saml:Subject>
+        <saml:Conditions NotBefore="2010-06-17T14:53:44Z" NotOnOrAfter="2121-06-17T14:59:14Z">
+            <saml:AudienceRestriction>
+                <saml:Audience>http://localhost:8080/java-saml-jspsample/metadata.jsp</saml:Audience>
+            </saml:AudienceRestriction>
+        </saml:Conditions>
+        <saml:AuthnStatement AuthnInstant="2011-06-17T14:54:07Z" SessionNotOnOrAfter="2121-06-17T22:54:14Z" SessionIndex="_51be37965feb5579d803141076936dc2e9d1d98ebf">
+            <saml:AuthnContext>
+                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
+            </saml:AuthnContext>
+        </saml:AuthnStatement>
+        <saml:AttributeStatement>
+            <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+                <saml:AttributeValue xsi:type="xs:string">someone@example.com</saml:AttributeValue>
+            </saml:Attribute>
+        </saml:AttributeStatement>
+    </saml:Assertion>
+</samlp:Response>