Use OpenSAML API in authentication.logout

Issue spring-projectsgh-11658
nomoreFt · Aug 7, 2024 · 416859e · 416859e
1 parent 94431d1
commit 416859e
Show file tree

Hide file tree

Showing 18 changed files with 1,596 additions and 646 deletions.
diff --git a/...ringframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java b/...ringframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java
@@ -31,8 +31,8 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;
-import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutRequestValidator;
-import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutResponseValidator;
+import org.springframework.security.saml2.provider.service.authentication.logout.OpenSaml4LogoutRequestValidator;
+import org.springframework.security.saml2.provider.service.authentication.logout.OpenSaml4LogoutResponseValidator;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequestValidator;
 import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutResponseValidator;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
@@ -398,7 +398,7 @@ public Saml2LogoutConfigurer<H> and() {
 
 		private Saml2LogoutRequestValidator logoutRequestValidator() {
 			if (this.logoutRequestValidator == null) {
-				return new OpenSamlLogoutRequestValidator();
+				return new OpenSaml4LogoutRequestValidator();
 			}
 			return this.logoutRequestValidator;
 		}
@@ -474,7 +474,7 @@ public Saml2LogoutConfigurer<H> and() {
 
 		private Saml2LogoutResponseValidator logoutResponseValidator() {
 			if (this.logoutResponseValidator == null) {
-				return new OpenSamlLogoutResponseValidator();
+				return new OpenSaml4LogoutResponseValidator();
 			}
 			return this.logoutResponseValidator;
 		}

diff --git a/saml2/saml2-service-provider/spring-security-saml2-service-provider.gradle b/saml2/saml2-service-provider/spring-security-saml2-service-provider.gradle
@@ -1,5 +1,20 @@
 apply plugin: 'io.spring.convention.spring-module'
 
+sourceSets.configureEach { set ->
+	if (!set.name.containsIgnoreCase("main")) {
+		return
+	}
+	def from = copySpec {
+		from("$projectDir/src/$set.name/java/org/springframework/security/saml2/internal")
+	}
+
+	copy {
+		into "$projectDir/src/$set.name/java/org/springframework/security/saml2/provider/service/authentication/logout"
+		filter { line -> line.replaceAll(".saml2.internal", ".saml2.provider.service.authentication.logout") }
+		with from
+	}
+}
+
 dependencies {
 	management platform(project(":spring-security-dependencies"))
 	api project(':spring-security-web')

diff --git a/...rity/saml2/provider/service/authentication/logout/BaseOpenSamlLogoutRequestValidator.java b/...rity/saml2/provider/service/authentication/logout/BaseOpenSamlLogoutRequestValidator.java
@@ -0,0 +1,152 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.authentication.logout;
+
+import java.util.Collection;
+import java.util.function.Consumer;
+
+import org.opensaml.saml.saml2.core.LogoutRequest;
+import org.opensaml.saml.saml2.core.NameID;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.saml2.core.OpenSamlInitializationService;
+import org.springframework.security.saml2.core.Saml2Error;
+import org.springframework.security.saml2.core.Saml2ErrorCodes;
+import org.springframework.security.saml2.core.Saml2X509Credential;
+import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlOperations.VerificationConfigurer;
+import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlOperations.VerificationConfigurer.RedirectParameters;
+import org.springframework.security.saml2.provider.service.registration.AssertingPartyMetadata;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
+
+class BaseOpenSamlLogoutRequestValidator implements Saml2LogoutRequestValidator {
+
+	static {
+		OpenSamlInitializationService.initialize();
+	}
+
+	private final OpenSamlOperations saml;
+
+	BaseOpenSamlLogoutRequestValidator(OpenSamlOperations saml) {
+		this.saml = saml;
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public Saml2LogoutValidatorResult validate(Saml2LogoutRequestValidatorParameters parameters) {
+		Saml2LogoutRequest request = parameters.getLogoutRequest();
+		RelyingPartyRegistration registration = parameters.getRelyingPartyRegistration();
+		Authentication authentication = parameters.getAuthentication();
+		LogoutRequest logoutRequest = this.saml.deserialize(Saml2Utils.withEncoded(request.getSamlRequest())
+			.inflate(request.getBinding() == Saml2MessageBinding.REDIRECT)
+			.decode());
+		return Saml2LogoutValidatorResult.withErrors()
+			.errors(verifySignature(request, logoutRequest, registration))
+			.errors(validateRequest(logoutRequest, registration, authentication))
+			.build();
+	}
+
+	private Consumer<Collection<Saml2Error>> verifySignature(Saml2LogoutRequest request, LogoutRequest logoutRequest,
+			RelyingPartyRegistration registration) {
+		AssertingPartyMetadata details = registration.getAssertingPartyMetadata();
+		Collection<Saml2X509Credential> credentials = details.getVerificationX509Credentials();
+		VerificationConfigurer verify = this.saml.withVerificationKeys(credentials).entityId(details.getEntityId());
+		return (errors) -> {
+			if (logoutRequest.isSigned()) {
+				errors.addAll(verify.verify(logoutRequest));
+			}
+			else {
+				RedirectParameters params = new RedirectParameters(request.getParameters(),
+						request.getParametersQuery(), logoutRequest);
+				errors.addAll(verify.verify(params));
+			}
+		};
+	}
+
+	private Consumer<Collection<Saml2Error>> validateRequest(LogoutRequest request,
+			RelyingPartyRegistration registration, Authentication authentication) {
+		return (errors) -> {
+			validateIssuer(request, registration).accept(errors);
+			validateDestination(request, registration).accept(errors);
+			validateSubject(request, registration, authentication).accept(errors);
+		};
+	}
+
+	private Consumer<Collection<Saml2Error>> validateIssuer(LogoutRequest request,
+			RelyingPartyRegistration registration) {
+		return (errors) -> {
+			if (request.getIssuer() == null) {
+				errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_ISSUER, "Failed to find issuer in LogoutRequest"));
+				return;
+			}
+			String issuer = request.getIssuer().getValue();
+			if (!issuer.equals(registration.getAssertingPartyMetadata().getEntityId())) {
+				errors
+					.add(new Saml2Error(Saml2ErrorCodes.INVALID_ISSUER, "Failed to match issuer to configured issuer"));
+			}
+		};
+	}
+
+	private Consumer<Collection<Saml2Error>> validateDestination(LogoutRequest request,
+			RelyingPartyRegistration registration) {
+		return (errors) -> {
+			if (request.getDestination() == null) {
+				errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_DESTINATION,
+						"Failed to find destination in LogoutRequest"));
+				return;
+			}
+			String destination = request.getDestination();
+			if (!destination.equals(registration.getSingleLogoutServiceLocation())) {
+				errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_DESTINATION,
+						"Failed to match destination to configured destination"));
+			}
+		};
+	}
+
+	private Consumer<Collection<Saml2Error>> validateSubject(LogoutRequest request,
+			RelyingPartyRegistration registration, Authentication authentication) {
+		return (errors) -> {
+			if (authentication == null) {
+				return;
+			}
+			NameID nameId = getNameId(request, registration);
+			if (nameId == null) {
+				errors
+					.add(new Saml2Error(Saml2ErrorCodes.SUBJECT_NOT_FOUND, "Failed to find subject in LogoutRequest"));
+				return;
+			}
+
+			validateNameId(nameId, authentication, errors);
+		};
+	}
+
+	private NameID getNameId(LogoutRequest request, RelyingPartyRegistration registration) {
+		this.saml.withDecryptionKeys(registration.getDecryptionX509Credentials()).decrypt(request);
+		return request.getNameID();
+	}
+
+	private void validateNameId(NameID nameId, Authentication authentication, Collection<Saml2Error> errors) {
+		String name = nameId.getValue();
+		if (!name.equals(authentication.getName())) {
+			errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_REQUEST,
+					"Failed to match subject in LogoutRequest with currently logged in user"));
+		}
+	}
+
+}
diff --git a/...ity/saml2/provider/service/authentication/logout/BaseOpenSamlLogoutResponseValidator.java b/...ity/saml2/provider/service/authentication/logout/BaseOpenSamlLogoutResponseValidator.java
@@ -0,0 +1,152 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.authentication.logout;
+
+import java.util.Collection;
+import java.util.function.Consumer;
+
+import org.opensaml.saml.saml2.core.LogoutResponse;
+import org.opensaml.saml.saml2.core.StatusCode;
+
+import org.springframework.security.saml2.core.OpenSamlInitializationService;
+import org.springframework.security.saml2.core.Saml2Error;
+import org.springframework.security.saml2.core.Saml2ErrorCodes;
+import org.springframework.security.saml2.core.Saml2X509Credential;
+import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlOperations.VerificationConfigurer;
+import org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlOperations.VerificationConfigurer.RedirectParameters;
+import org.springframework.security.saml2.provider.service.registration.AssertingPartyMetadata;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
+
+class BaseOpenSamlLogoutResponseValidator implements Saml2LogoutResponseValidator {
+
+	static {
+		OpenSamlInitializationService.initialize();
+	}
+
+	private final OpenSamlOperations saml;
+
+	BaseOpenSamlLogoutResponseValidator(OpenSamlOperations saml) {
+		this.saml = saml;
+	}
+
+	@Override
+	public Saml2LogoutValidatorResult validate(Saml2LogoutResponseValidatorParameters parameters) {
+		Saml2LogoutResponse response = parameters.getLogoutResponse();
+		Saml2LogoutRequest request = parameters.getLogoutRequest();
+		RelyingPartyRegistration registration = parameters.getRelyingPartyRegistration();
+		LogoutResponse logoutResponse = this.saml.deserialize(Saml2Utils.withEncoded(response.getSamlResponse())
+			.inflate(response.getBinding() == Saml2MessageBinding.REDIRECT)
+			.decode());
+		return Saml2LogoutValidatorResult.withErrors()
+			.errors(verifySignature(response, logoutResponse, registration))
+			.errors(validateRequest(logoutResponse, registration))
+			.errors(validateLogoutRequest(logoutResponse, request.getId()))
+			.build();
+	}
+
+	private Consumer<Collection<Saml2Error>> verifySignature(Saml2LogoutResponse response,
+			LogoutResponse logoutResponse, RelyingPartyRegistration registration) {
+		return (errors) -> {
+			AssertingPartyMetadata details = registration.getAssertingPartyMetadata();
+			Collection<Saml2X509Credential> credentials = details.getVerificationX509Credentials();
+			VerificationConfigurer verify = this.saml.withVerificationKeys(credentials)
+				.entityId(details.getEntityId())
+				.entityId(details.getEntityId());
+			if (logoutResponse.isSigned()) {
+				errors.addAll(verify.verify(logoutResponse));
+			}
+			else {
+				RedirectParameters params = new RedirectParameters(response.getParameters(),
+						response.getParametersQuery(), logoutResponse);
+				errors.addAll(verify.verify(params));
+			}
+		};
+	}
+
+	private Consumer<Collection<Saml2Error>> validateRequest(LogoutResponse response,
+			RelyingPartyRegistration registration) {
+		return (errors) -> {
+			validateIssuer(response, registration).accept(errors);
+			validateDestination(response, registration).accept(errors);
+			validateStatus(response).accept(errors);
+		};
+	}
+
+	private Consumer<Collection<Saml2Error>> validateIssuer(LogoutResponse response,
+			RelyingPartyRegistration registration) {
+		return (errors) -> {
+			if (response.getIssuer() == null) {
+				errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_ISSUER, "Failed to find issuer in LogoutResponse"));
+				return;
+			}
+			String issuer = response.getIssuer().getValue();
+			if (!issuer.equals(registration.getAssertingPartyMetadata().getEntityId())) {
+				errors
+					.add(new Saml2Error(Saml2ErrorCodes.INVALID_ISSUER, "Failed to match issuer to configured issuer"));
+			}
+		};
+	}
+
+	private Consumer<Collection<Saml2Error>> validateDestination(LogoutResponse response,
+			RelyingPartyRegistration registration) {
+		return (errors) -> {
+			if (response.getDestination() == null) {
+				errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_DESTINATION,
+						"Failed to find destination in LogoutResponse"));
+				return;
+			}
+			String destination = response.getDestination();
+			if (!destination.equals(registration.getSingleLogoutServiceResponseLocation())) {
+				errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_DESTINATION,
+						"Failed to match destination to configured destination"));
+			}
+		};
+	}
+
+	private Consumer<Collection<Saml2Error>> validateStatus(LogoutResponse response) {
+		return (errors) -> {
+			if (response.getStatus() == null) {
+				return;
+			}
+			if (response.getStatus().getStatusCode() == null) {
+				return;
+			}
+			if (StatusCode.SUCCESS.equals(response.getStatus().getStatusCode().getValue())) {
+				return;
+			}
+			if (StatusCode.PARTIAL_LOGOUT.equals(response.getStatus().getStatusCode().getValue())) {
+				return;
+			}
+			errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE, "Response indicated logout failed"));
+		};
+	}
+
+	private Consumer<Collection<Saml2Error>> validateLogoutRequest(LogoutResponse response, String id) {
+		return (errors) -> {
+			if (response.getInResponseTo() == null) {
+				return;
+			}
+			if (response.getInResponseTo().equals(id)) {
+				return;
+			}
+			errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE,
+					"LogoutResponse InResponseTo doesn't match ID of associated LogoutRequest"));
+		};
+	}
+
+}