Merge branch 'pelaxa-master'

pitbulk · pitbulk · commit baec1c7e4e02 · 2020-10-05T18:31:02.000+02:00
diff --git a/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java b/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java
@@ -81,6 +81,11 @@ public class SamlResponse {
 	 */ 
 	private Exception validationException;
 
+	/**
+	 * The respone status code and messages
+	 */
+	private SamlResponseStatus responseStatus;
+
 	/**
 	 * Constructor to have a Response object fully built and ready to validate the saml response.
 	 *
@@ -121,6 +126,7 @@ public SamlResponse(Saml2Settings settings, String currentUrl, String samlRespon
 	 * @throws SAXException
 	 * @throws ParserConfigurationException
 	 * @throws XPathExpressionException
+	 * @throws NullPointerException
      *
 	 */
 	public SamlResponse(Saml2Settings settings, HttpRequest request) throws XPathExpressionException, ParserConfigurationException, SAXException, IOException, SettingsException, ValidationError {
@@ -597,19 +603,27 @@ public HashMap<String, List<String>> getAttributes() throws XPathExpressionExcep
 		return attributes;
 	}
 
+	/**
+	 * Returns the ResponseStatus object
+	 * 
+	 * @return
+	 */
+	public SamlResponseStatus getResponseStatus() {
+		return this.responseStatus;
+	}
+
 	/**
 	 * Checks the Status
 	 *
-	 * @throws ValidationError
-	 *             If status is not success
+	 * @throws ValidationError If status is not success
 	 */
 	public void checkStatus() throws ValidationError {
-		SamlResponseStatus responseStatus = getStatus(samlResponseDocument);
-		if (!responseStatus.is(Constants.STATUS_SUCCESS)) {
+		this.responseStatus = getStatus(samlResponseDocument);
+		if (!this.responseStatus.is(Constants.STATUS_SUCCESS)) {
 			String statusExceptionMsg = "The status code of the Response was not Success, was "
-					+ responseStatus.getStatusCode();
-			if (responseStatus.getStatusMessage() != null) {
-				statusExceptionMsg += " -> " + responseStatus.getStatusMessage();
+					+ this.responseStatus.getStatusCode();
+			if (this.responseStatus.getStatusMessage() != null) {
+				statusExceptionMsg += " -> " + this.responseStatus.getStatusMessage();
 			}
 			throw new ValidationError(statusExceptionMsg, ValidationError.STATUS_CODE_IS_NOT_SUCCESS);
 		}
diff --git a/core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java b/core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java
@@ -84,6 +84,11 @@ public class LogoutResponse {
 	 */
 	private Exception validationException;
 
+	/**
+	 * The respone status code and messages
+	 */
+	private SamlResponseStatus responseStatus;
+
 	/**
 	 * Constructs the LogoutResponse object.
 	 *
@@ -323,7 +328,7 @@ public String getStatus() throws XPathExpressionException
      */
     public SamlResponseStatus getSamlResponseStatus() throws ValidationError
     {
-		String statusXpath = "/samlp:Response/samlp:Status";
+		String statusXpath = "/samlp:LogoutResponse/samlp:Status";
 		return Util.getStatus(statusXpath, this.logoutResponseDocument);
     }
 
diff --git a/core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java b/core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java
@@ -1345,9 +1345,8 @@ public void testValidateTimestampsNB() throws ValidationError, XPathExpressionEx
 	@Test
 	public void testNullRequest() throws IOException, Error, XPathExpressionException, ParserConfigurationException, SAXException, SettingsException, ValidationError {
 		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min.properties").build();
+		expectedEx.expect(NullPointerException.class);
 		SamlResponse samlResponse = new SamlResponse(settings, null);
-		assertFalse(samlResponse.isValid());
-		assertEquals("SAML Response is not loaded", samlResponse.getError());
 	}
 
 	/**
diff --git a/toolkit/src/main/java/com/onelogin/saml2/Auth.java b/toolkit/src/main/java/com/onelogin/saml2/Auth.java
@@ -30,6 +30,7 @@
 import com.onelogin.saml2.http.HttpRequest;
 import com.onelogin.saml2.logout.LogoutRequest;
 import com.onelogin.saml2.logout.LogoutResponse;
+import com.onelogin.saml2.model.SamlResponseStatus;
 import com.onelogin.saml2.model.KeyStoreSettings;
 import com.onelogin.saml2.servlet.ServletUtils;
 import com.onelogin.saml2.settings.Saml2Settings;
@@ -749,11 +750,22 @@ public void processResponse(String requestId) throws Exception {
 				lastAssertionNotOnOrAfter = samlResponse.getAssertionNotOnOrAfter();
 				LOGGER.debug("processResponse success --> " + samlResponseParameter);
 			} else {
-				errors.add("invalid_response");
-				LOGGER.error("processResponse error. invalid_response");
-				LOGGER.debug(" --> " + samlResponseParameter);
 				errorReason = samlResponse.getError();
 				validationException = samlResponse.getValidationException();
+				SamlResponseStatus samlResponseStatus = samlResponse.getResponseStatus();
+				if (samlResponseStatus.getStatusCode() == null || !samlResponseStatus.getStatusCode().equals(Constants.STATUS_SUCCESS)) {
+					errors.add("response_not_success");
+					LOGGER.error("processResponse error. sso_not_success");
+					LOGGER.debug(" --> " + samlResponseParameter);
+					errors.add(samlResponseStatus.getStatusCode());
+					if (samlResponseStatus.getSubStatusCode() != null) {
+						errors.add(samlResponseStatus.getSubStatusCode());
+					}
+				} else {
+					errors.add("invalid_response");
+					LOGGER.error("processResponse error. invalid_response");
+					LOGGER.debug(" --> " + samlResponseParameter);
+        }
 			}
 		} else {
 			errors.add("invalid_binding");
@@ -798,11 +810,16 @@ public void processSLO(Boolean keepLocalSession, String requestId) throws Except
 				errorReason = logoutResponse.getError();
 				validationException = logoutResponse.getValidationException();
 			} else {
-				String status = logoutResponse.getStatus();
+				SamlResponseStatus samlResponseStatus = logoutResponse.getSamlResponseStatus();
+				String status = samlResponseStatus.getStatusCode();
 				if (status == null || !status.equals(Constants.STATUS_SUCCESS)) {
 					errors.add("logout_not_success");
 					LOGGER.error("processSLO error. logout_not_success");
 					LOGGER.debug(" --> " + samlResponseParameter);
+					errors.add(samlResponseStatus.getStatusCode());
+					if (samlResponseStatus.getSubStatusCode() != null) {
+						errors.add(samlResponseStatus.getSubStatusCode());
+					}
 				} else {
 					lastMessageId = logoutResponse.getId();
 					LOGGER.debug("processSLO success --> " + samlResponseParameter);
diff --git a/toolkit/src/test/java/com/onelogin/saml2/test/AuthTest.java b/toolkit/src/test/java/com/onelogin/saml2/test/AuthTest.java
@@ -64,6 +64,7 @@
 import com.onelogin.saml2.util.Util;
 
 import org.mockito.ArgumentCaptor;
+import org.w3c.dom.Document;
 
 public class AuthTest {
 
@@ -563,6 +564,38 @@ public void testProcessResponse() throws Exception {
 		assertEquals(keys, auth2.getAttributesName());
 	}
 
+	/**
+	 * Tests the processResponse methods of Auth
+	 * Case: process Response, status code Responder and sub status
+	 *
+	 * @throws Exception
+	 *
+	 * @see com.onelogin.saml2.Auth#processSLO
+	 */
+	@Test
+	public void testProcessResponseStatusResponder() throws Exception {
+		HttpServletRequest request = mock(HttpServletRequest.class);
+		HttpServletResponse response = mock(HttpServletResponse.class);
+		HttpSession session = mock(HttpSession.class);
+		when(request.getRequestURL()).thenReturn(new StringBuffer("https://example.com/opensso/Consumer/metaAlias/sp"));
+		when(request.getSession()).thenReturn(session);
+
+		String samlResponseEncoded = Util.getFileAsString("data/responses/invalids/status_code_and_sub_status_code_responder_and_msg.xml.base64");
+		Document samlResponseDoc = Util.loadXML(new String(Util.base64decoder(samlResponseEncoded)));
+		when(request.getParameterMap()).thenReturn(singletonMap("SAMLResponse", new String[]{samlResponseEncoded}));
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min.properties").build();
+		Auth auth = new Auth(settings, request, response);
+		assertFalse(auth.isAuthenticated());
+		assertTrue(auth.getErrors().isEmpty());
+		auth.processResponse();
+		verify(session, times(0)).invalidate();
+		assertFalse(auth.getErrors().isEmpty());
+		assertEquals("The status code of the Response was not Success, was urn:oasis:names:tc:SAML:2.0:status:Responder -> something_is_wrong", auth.getLastErrorReason());
+		assertTrue(auth.getErrors().contains("response_not_success"));
+		assertTrue(auth.getErrors().contains(Constants.STATUS_RESPONDER));
+		assertTrue(auth.getErrors().contains(Constants.STATUS_AUTHNFAILED));
+	}
+
 	/**
 	 * Tests the processSLO methods of Auth
 	 *
@@ -825,6 +858,7 @@ public void testProcessSLOResponseStatusResponder() throws Exception {
 		verify(session, times(0)).invalidate();
 		assertFalse(auth.getErrors().isEmpty());
 		assertTrue(auth.getErrors().contains("logout_not_success"));
+		assertTrue(auth.getErrors().contains(Constants.STATUS_RESPONDER));
 	}
 
 	/**

Original file line number	Diff line number	Diff line change
`@@ -84,6 +84,11 @@ public class LogoutResponse {`
`84`	`84`	`*/`
`85`	`85`	`private Exception validationException;`
`86`	`86`
	`87`	`+ /**`
	`88`	`+ * The respone status code and messages`
	`89`	`+ */`
	`90`	`+ private SamlResponseStatus responseStatus;`
	`91`	`+`
`87`	`92`	`/**`
`88`	`93`	`* Constructs the LogoutResponse object.`
`89`	`94`	`*`
`@@ -323,7 +328,7 @@ public String getStatus() throws XPathExpressionException`
`323`	`328`	`*/`
`324`	`329`	`public SamlResponseStatus getSamlResponseStatus() throws ValidationError`
`325`	`330`	`{`
`326`		`- String statusXpath = "/samlp:Response/samlp:Status";`
	`331`	`+ String statusXpath = "/samlp:LogoutResponse/samlp:Status";`
`327`	`332`	`return Util.getStatus(statusXpath, this.logoutResponseDocument);`
`328`	`333`	`}`
`329`	`334`