Merge pull request #73 from miszobi/issue/72-allow-retrieving-assertion-details

Fixes #72: allow retrieving Assertion ID and NotOnOrAfter values

Author: pitbulk

core/pom.xml

@@ -12,6 +12,18 @@
 
 	<dependencies>
 		<!-- for test -->
+		<dependency>
+			<groupId>org.hamcrest</groupId>
+			<artifactId>hamcrest-core</artifactId>
+			<version>1.3</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.hamcrest</groupId>
+			<artifactId>hamcrest-library</artifactId>
+			<version>1.3</version>
+			<scope>test</scope>
+		</dependency>
 		<dependency>
 			<groupId>junit</groupId>
 			<artifactId>junit</artifactId>

core/src/main/java/com/onelogin/saml2/Auth.java

@@ -17,6 +17,7 @@
 
 import org.apache.commons.lang3.StringUtils;
 import org.joda.time.DateTime;
+import org.joda.time.Instant;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -64,7 +65,7 @@ public class Auth {
 
 	/**
      * NameID.
-     */	
+     */
 	private String nameid;
 
 	/**
@@ -77,6 +78,16 @@ public class Auth {
 	 */
 	private DateTime sessionExpiration;
 
+	/**
+	 * The ID of the last assertion processed
+	 */
+	private String lastAssertionId;
+
+	/**
+	 * The NotOnOrAfter values of the last assertion processed
+	 */
+	private List<Instant> lastAssertionNotOnOrAfter;
+
 	/**
      * User attributes data.
      */
@@ -364,6 +375,8 @@ public void processResponse(String requestId) throws Exception {
 				attributes = samlResponse.getAttributes();
 				sessionIndex = samlResponse.getSessionIndex();
 				sessionExpiration = samlResponse.getSessionNotOnOrAfter();
+				lastAssertionId = samlResponse.getAssertionId();
+				lastAssertionNotOnOrAfter = samlResponse.getAssertionNotOnOrAfter();
 				LOGGER.debug("processResponse success --> " + samlResponseParameter);
 			} else {
 				errors.add("invalid_response");
@@ -534,9 +547,23 @@ public final DateTime getSessionExpiration()
 	    return sessionExpiration;
 	}
 
-	/** 
-     * @return an array with the errors, the array is empty when the validation was successful
-     */
+	/**
+	 * @return The ID of the last assertion processed
+	 */
+	public String getLastAssertionId() {
+		return lastAssertionId;
+	}
+
+	/**
+	 * @return The NotOnOrAfter values of the last assertion processed
+	 */
+	public List<Instant> getLastAssertionNotOnOrAfter() {
+		return lastAssertionNotOnOrAfter;
+	}
+
+	/**
+	 * @return an array with the errors, the array is empty when the validation was successful
+	 */
     public List<String> getErrors()
     {
         return errors;

core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

@@ -13,6 +13,7 @@
 import com.onelogin.saml2.model.SubjectConfirmationIssue;
 import org.apache.commons.lang3.ObjectUtils;
 import org.joda.time.DateTime;
+import org.joda.time.Instant;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
@@ -613,6 +614,29 @@ public String getSessionIndex() throws XPathExpressionException {
         return sessionIndex;
     }
 
+	/**
+	 * @return the ID of the assertion in the Response
+	 */
+	public String getAssertionId() throws XPathExpressionException {
+		validateNumAssertions();
+		final NodeList assertionNode = queryAssertion("");
+		return assertionNode.item(0).getAttributes().getNamedItem("ID").getNodeValue();
+	}
+
+	/**
+	 * @return a list of NotOnOrAfter values from SubjectConfirmationData nodes in this Response
+	 */
+	public List<Instant> getAssertionNotOnOrAfter() throws XPathExpressionException {
+		final NodeList notOnOrAfterNodes = queryAssertion("/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData");
+		final ArrayList<Instant> notOnOrAfters = new ArrayList<>();
+		for (int i = 0; i < notOnOrAfterNodes.getLength(); i++) {
+			final Node notOnOrAfterAttribute = notOnOrAfterNodes.item(i).getAttributes().getNamedItem("NotOnOrAfter");
+			if (notOnOrAfterAttribute != null) {
+				notOnOrAfters.add(new Instant(notOnOrAfterAttribute.getNodeValue()));
+		}}
+		return notOnOrAfters;
+	}
+
 	/**
 	 * Verifies that the document only contains a single Assertion (encrypted or not).
 	 *

core/src/test/java/com/onelogin/saml2/test/AuthTest.java

@@ -1,11 +1,11 @@
 package com.onelogin.saml2.test;
 
 
-import static com.onelogin.saml2.util.Util.UNIQUE_ID_PREFIX;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.not;
 import static org.hamcrest.CoreMatchers.startsWith;
+import static org.hamcrest.Matchers.contains;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotEquals;
@@ -21,16 +21,15 @@
 
 import java.io.IOException;
 import java.net.URISyntaxException;
-import java.security.cert.CertificateEncodingException;
 import java.util.ArrayList;
-import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.joda.time.Instant;
 import org.junit.Test;
 
 import com.onelogin.saml2.Auth;
@@ -232,8 +231,8 @@ public void testSetStrict() throws IOException, SettingsException, URISyntaxExce
 	 */
 	@Test
 	public void testIsDebugActive() throws IOException, SettingsException, URISyntaxException {
-		HttpServletRequest request = mock(HttpServletRequest.class);
 		HttpServletResponse response = mock(HttpServletResponse.class);
+		HttpServletRequest request = mock(HttpServletRequest.class);
 		String samlResponseEncoded = Util.getFileAsString("data/responses/response1.xml.base64");
 		when(request.getParameter("SAMLResponse")).thenReturn(samlResponseEncoded);
 
@@ -811,6 +810,22 @@ public void testGetSessionIndex() throws Exception {
 		assertEquals("_6273d77b8cde0c333ec79d22a9fa0003b9fe2d75cb", auth2.getSessionIndex());
 	}
 
+	@Test
+	public void testGetAssertionDetails() throws Exception {
+		HttpServletResponse response = mock(HttpServletResponse.class);
+		HttpServletRequest request = mock(HttpServletRequest.class);
+		String samlResponseEncoded = Util.getFileAsString("data/responses/valid_response.xml.base64");
+		when(request.getParameter("SAMLResponse")).thenReturn(samlResponseEncoded);
+		when(request.getRequestURL()).thenReturn(new StringBuffer("http://localhost:8080/java-saml-jspsample/acs.jsp"));
+
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
+		Auth auth = new Auth(settings, request, response);
+		auth.processResponse();
+
+		assertThat(auth.getLastAssertionId(), is("pfxeac87197-11cb-ec12-c181-ae739b54debe"));
+		assertThat(auth.getLastAssertionNotOnOrAfter(), contains(new Instant("2023-08-23T06:57:01Z")));
+	}
+
 	/**
 	 * Tests the getSessionExpiration method of Auth
 	 *

core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java

@@ -2,6 +2,7 @@
 
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.not;
+import static org.hamcrest.Matchers.*;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertNull;
@@ -16,6 +17,7 @@
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.joda.time.Instant;
 import org.junit.Test;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
@@ -474,6 +476,48 @@ public void testGetSessionIndex() throws Exception {
 		assertEquals("_7164a9a9f97828bfdb8d0ebc004a05d2e7d873f70c", samlResponse.getSessionIndex());
 	}
 
+	@Test
+	public void testGetAssertionDetails() throws Exception {
+		final SamlResponse samlResponse = new SamlResponse(
+				new SettingsBuilder().fromFile("config/config.my.properties").build(),
+				mockRequestWithSamlResponse(Util.getFileAsString("data/responses/response1.xml.base64"))
+		);
+		final List<Instant> notOnOrAfters = samlResponse.getAssertionNotOnOrAfter();
+
+		assertEquals("pfxa46574df-b3b0-a06a-23c8-636413198772", samlResponse.getAssertionId());
+		assertThat(notOnOrAfters, contains(new Instant("2010-11-18T22:02:37Z")));
+
+	}
+
+	@Test
+	public void testGetAssertionDetails_encrypted() throws Exception {
+		final SamlResponse samlResponse = new SamlResponse(
+				new SettingsBuilder().fromFile("config/config.my.properties").build(),
+				mockRequestWithSamlResponse(Util.getFileAsString("data/responses/valid_encrypted_assertion.xml.base64"))
+		);
+		final List<Instant> notOnOrAfters = samlResponse.getAssertionNotOnOrAfter();
+
+		assertEquals("_519c2712648ee09a06d1f9a08e9e835715fea60267", samlResponse.getAssertionId());
+		assertThat(notOnOrAfters, contains(new Instant("2055-06-07T20:17:08Z")));
+
+	}
+
+	@Test
+	public void testGetAssertionDetails_multiple() throws Exception {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.my.properties").build();
+		settings.setWantAssertionsSigned(false);
+		settings.setWantMessagesSigned(true);
+
+		final SamlResponse samlResponse = new SamlResponse(
+				settings,
+				mockRequestWithSamlResponse(loadSignMessageAndEncode("data/responses/invalids/invalid_subjectconfirmation_multiple_issues.xml"))
+		);
+		final List<Instant> notOnOrAfters = samlResponse.getAssertionNotOnOrAfter();
+
+		assertEquals("pfx7841991c-c73f-4035-e2ee-c170c0e1d3e4", samlResponse.getAssertionId());
+		assertThat(notOnOrAfters, contains(new Instant("2120-06-17T14:53:44Z"), new Instant("2010-06-17T14:53:44Z")));
+	}
+
 	/**
 	 * Tests the getAttributes method of SamlResponse
 	 *