[GitHub] [cloudstack] Luis-3M commented on a diff in pull request #6457: Fix SAML SSO plugin redirect URL

Tue, 28 Jun 2022 16:09:54 -0700 


Luis-3M commented on code in PR #6457:
URL: https://github.com/apache/cloudstack/pull/6457#discussion_r909065379


##########
plugins/user-authenticators/saml2/src/test/java/org/apache/cloudstack/SAMLUtilsTest.java:
##########
@@ -60,6 +62,32 @@ public void testBuildAuthnRequestObject() throws Exception {
         assertEquals(req.getIssuer().getValue(), spId);
     }
 
+    @Test
+    public void testBuildAuthnRequestUrlWithoutQueryParam() throws Exception {
+        String consumerUrl = "http://someurl.com";;
+        String idpUrl = "http://idp.domain.example";;
+        String spId = "cloudstack";
+        String authnId = SAMLUtils.generateSecureRandomId();
+        DefaultBootstrap.bootstrap();
+        AuthnRequest req = SAMLUtils.buildAuthnRequestObject(authnId, spId, 
idpUrl, consumerUrl);
+        String appendOperator = idpUrl.contains("?") ? "&" : "?";
+        String redirectUrl = idpUrl + appendOperator + 
SAMLUtils.generateSAMLRequestSignature("SAMLRequest=" + 
SAMLUtils.encodeSAMLRequest(req), null, 
SAML2AuthManager.SAMLSignatureAlgorithm.value());
+        assertEquals(redirectUrl, idpUrl + "?" + 
SAMLUtils.generateSAMLRequestSignature("SAMLRequest=" + 
SAMLUtils.encodeSAMLRequest(req), null, 
SAML2AuthManager.SAMLSignatureAlgorithm.value()));

Review Comment:
   > I suppose there would be some part that is unpredictable (e.g. a one time 
token) so whether and how to test this
   
   True we can not predict the value of the SAMLRequest.
   
   Based on the original issue, we know that the result of the 
`buildAuthnRequestUrl` method must have at least one query param: 
`SAMLRequest`. The original code was simply appending this same query param 
with `?`, therefore if the IDP URL already contains at least one query param, 
then `SAMLRequest` would actually be missing as seen here:
   
![](https://user-images.githubusercontent.com/26753403/173936665-b28e5c85-86ad-4116-8f27-a45d52e64db0.png)
   
   Think that we should at least test the existence of this and other 
parameters already part of the IDP URL, if any, as well as some basic URL 
components, e.g.:
   <img width="1024" alt="image" 
src="https://user-images.githubusercontent.com/26753403/176317972-39721780-8e59-430f-b940-eb7b98d72483.png";>
   
   Let me know your thoughts @DaanHoogland .



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to