Repository: cxf-fediz Updated Branches: refs/heads/master 20ab01614 -> e106d24ec
Improve error handling when failing to process a SAML Request Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/8de90b1a Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/8de90b1a Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/8de90b1a Branch: refs/heads/master Commit: 8de90b1a8be6650627b8dad8289ffc4ee6ac0417 Parents: 20ab016 Author: Colm O hEigeartaigh <[email protected]> Authored: Mon Apr 11 13:21:03 2016 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Mon Apr 11 13:21:03 2016 +0100
----------------------------------------------------------------------
.../WEB-INF/flows/saml-validate-request.xml | 27 +++++++++--
.../apache/cxf/fediz/systests/idp/IdpTest.java | 51 ++++++++++++++++++++
2 files changed, 74 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/8de90b1a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
----------------------------------------------------------------------
diff --git a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
index ef6d813..ae05ae2 100644
--- a/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
+++ b/services/idp/src/main/webapp/WEB-INF/flows/saml-validate-request.xml
@@ -31,9 +31,9 @@
 <set name="flowScope.idpConfig" value="config.getIDP(null)" />
 </on-entry>
 <if test="requestParameters.RelayState == null or requestParameters.RelayState.length() == 0"
- then="viewBadRequest" />
+ then="handleBadRequestError" />
 <if test="requestParameters.SAMLRequest != null and !requestParameters.SAMLRequest.isEmpty()"
- then="signinSAMLRequest" else="viewBadRequest" />
+ then="signinSAMLRequest" else="handleBadRequestError" />
 </decision-state>
 <subflow-state id="signinSAMLRequest" subflow="signinSAMLRequest">
@@ -52,7 +52,7 @@
 <set name="flowScope.idpToken" value="currentEvent.attributes.idpToken" />
 <set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" />
 </transition>
- <transition on="viewBadRequest" to="viewBadRequest">
+ <transition on="viewBadRequest" to="handleBadRequestError">
 <set name="flowScope.saml_authn_request" value="currentEvent.attributes.saml_authn_request" />
 </transition>
 <transition on="scInternalServerError" to="scInternalServerError" />
@@ -69,7 +69,7 @@
 </on-entry>
 <evaluate expression="signinParametersCacheAction.storeRPConfigInSession(flowRequestContext)"/>
 <transition to="produceSAMLResponse" />
- <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="viewBadRequest" />
+ <transition on-exception="org.apache.cxf.fediz.core.exception.ProcessingException" to="handleBadRequestError" />
 <transition on-exception="java.lang.Throwable" to="scInternalServerError" />
 </action-state>
@@ -99,6 +99,16 @@
 </end-state>
 <!-- abnormal exit point -->
+ <decision-state id="handleBadRequestError">
+ <on-entry>
+ <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)"
+ result="requestScope.samlAction"/>
+ </on-entry>
+ <!-- See if we managed to at least parse the request to get the response URL -->
+ <if test="requestScope.samlAction == null or requestScope.samlAction.length() == 0"
+ then="viewBadRequestParsingError" else="viewBadRequest"/>
+ </decision-state>
+
 <end-state id="viewBadRequest" view="samlsigninresponseform">
 <on-entry>
 <evaluate expression="authnRequestParser.retrieveConsumerURL(flowRequestContext)"
@@ -111,6 +121,15 @@
 result="requestScope.samlResponse"/>
 </on-entry>
 </end-state>
+
+ <!-- abnormal exit point : Http 400 Bad Request -->
+ <end-state id="viewBadRequestParsingError" view="genericerror">
+ <on-entry>
+ <evaluate
+ expression="externalContext.nativeResponse.setStatus(400,'Error parsing SAML Request')" />
+ <set name="requestScope.reason" value="'Error parsing SAML Request'" />
+ </on-entry>
+ </end-state>
 <!-- abnormal exit point : Http 500 Internal Server Error -->
 <end-state id="scInternalServerError" view="genericerror">
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/8de90b1a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
index bc1423e..3c34f55 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
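Review bot: `handleBadRequestError` picks `viewBadRequest` whenever `retrieveConsumerURL` yields a non-empty value, yet the request that reached this state has already failed validation, so if that value is the AssertionConsumerServiceURL as carried in the rejected request rather than the one registered for the issuer, the `samlsigninresponseform` branch would auto-submit the browser to an endpoint the IdP has not vetted. If `retrieveConsumerURL` only returns (or checks against) the URL configured for the service provider, a comment above the `<if>` such as `<!-- samlAction is only trusted here because retrieveConsumerURL resolves it from the configured SP, not from the raw request -->` would make that trust decision visible; if it does not, the parsing-error branch is the safer default for an unmatched URL. `viewBadRequest`'s own `on-entry` then evaluates `retrieveConsumerURL` a second time although the decision-state has just stored the result in `requestScope.samlAction`, which it could read instead. In the second hunk, `externalContext.nativeResponse.setStatus(400,'Error parsing SAML Request')` uses the `setStatus(int, String)` overload that the Servlet API marks deprecated; `setStatus(400)` is sufficient since the message is already carried in `requestScope.reason`.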
@@ -36,6 +36,7 @@ import javax.servlet.ServletException;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
 import com.gargoylesoftware.htmlunit.HttpMethod;
 import com.gargoylesoftware.htmlunit.WebClient;
 import com.gargoylesoftware.htmlunit.WebRequest;
@@ -565,6 +566,56 @@ public class IdpTest {
 webClient.close();
 }
+ @org.junit.Test
+ public void testProblemWithParsingRequest() throws Exception {
+ OpenSAMLUtil.initSamlEngine();
+
+ // Create SAML AuthnRequest
+ Document doc = DOMUtils.createDocument();
+ doc.appendChild(doc.createElement("root"));
+ // Create the AuthnRequest
+ String consumerURL = "https://localhost:" + getRpHttpsPort() + "/"
+ + getServletContextName() + "/secure/fedservlet";
+ AuthnRequest authnRequest =
+ new DefaultAuthnRequestBuilder().createAuthnRequest(
+ null, "urn:org:apache:cxf:fediz:fedizhelloworld-xyz", consumerURL
+ );
+ authnRequest.setDestination("https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml");
+ signAuthnRequest(authnRequest);
+
+ Element authnRequestElement = OpenSAMLUtil.toDom(authnRequest, doc);
+
+ // Don't inflate the token...
+ String requestMessage = DOM2Writer.nodeToString(authnRequestElement);
+ String authnRequestEncoded = Base64Utility.encode(requestMessage.getBytes("UTF-8"));
+
+ String urlEncodedRequest = URLEncoder.encode(authnRequestEncoded, "UTF-8");
+
+ String relayState = UUID.randomUUID().toString();
+ String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/saml?";
+ url += SSOConstants.RELAY_STATE + "=" + relayState;
+ url += "&" + SSOConstants.SAML_REQUEST + "=" + urlEncodedRequest;
+
+ String user = "alice";
+ String password = "ecila";
+
+ final WebClient webClient = new WebClient();
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ try {
+ webClient.getPage(url);
+ Assert.fail("Failure expected on parsing the request in the IdP");
+ } catch (FailingHttpStatusCodeException ex) {
+ Assert.assertEquals(ex.getStatusCode(), 400);
+ }
+
+ webClient.close();
+ }
+
 private String encodeAuthnRequest(Element
 authnRequest) throws IOException {
 String requestMessage = DOM2Writer.nodeToString(authnRequest);
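Review bot: `Assert.assertEquals(ex.getStatusCode(), 400)` in the new `testProblemWithParsingRequest` has its arguments reversed — JUnit's signature is `(expected, actual)`, so a regression would be reported as "expected:<200> but was:<400>"; it should read `Assert.assertEquals(400, ex.getStatusCode());`. `webClient.close()` is also only reached on the happy path: if `Assert.fail` or the status assertion throws, the `WebClient` is never closed, so the close belongs in a `} finally { webClient.close(); }` after the catch (or the client in try-with-resources, if this HtmlUnit version's `WebClient` is `AutoCloseable`). The comment `// Don't inflate the token...` is presumably contrasting with `encodeAuthnRequest` just below, which the hunk cuts off; if that helper DEFLATE-compresses the request, `// Deliberately skip the DEFLATE step that encodeAuthnRequest performs, so the IdP cannot decode the request` would state what the test actually exercises. The test only pins the status code; if the `genericerror` view renders `requestScope.reason`, additionally asserting that the response body contains `Error parsing SAML Request` would tie the test to the new `viewBadRequestParsingError` state rather than to any 400.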
