Add support for validation of InResponseTo

fast-reflexes · jzheaux · commit 4aa942004709 · 2022-03-15T13:06:32.000-06:00
Whenever an InResponseTo is present in the SAML2 response and / or any of its assertions, it will be validated against the stored SAML2 request. If the request is missing or the ID of the request does not match the InResponseTo, validation fails. If there is no InResponseTo, no validation of it is done (as opposed to checking whether there is a saved request or not and then failing based on that). Closes gh-9174
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2ErrorCodes.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/Saml2ErrorCodes.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,6 +31,13 @@ public interface Saml2ErrorCodes {
 	 */
 	String UNKNOWN_RESPONSE_CLASS = "unknown_response_class";
 
+	/**
+	 * The serialized AuthNRequest could not be deserialized correctly.
+	 *
+	 * @since 5.7
+	 */
+	String MALFORMED_REQUEST_DATA = "malformed_request_data";
+
 	/**
 	 * The response data is malformed or incomplete. An invalid XML object was received,
 	 * and XML unmarshalling failed.
@@ -116,4 +123,11 @@ public interface Saml2ErrorCodes {
 	 */
 	String RELYING_PARTY_REGISTRATION_NOT_FOUND = "relying_party_registration_not_found";
 
+	/**
+	 * The InResponseTo content of the response does not match the ID of the AuthNRequest.
+	 *
+	 * @since 5.7
+	 */
+	String INVALID_IN_RESPONSE_TO = "invalid_in_response_to";
+
 }
diff --git a/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java b/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
@@ -37,6 +37,7 @@
 import org.opensaml.core.config.ConfigurationService;
 import org.opensaml.core.xml.XMLObject;
 import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
+import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
 import org.opensaml.core.xml.schema.XSAny;
 import org.opensaml.core.xml.schema.XSBoolean;
 import org.opensaml.core.xml.schema.XSBooleanValue;
@@ -57,13 +58,17 @@
 import org.opensaml.saml.saml2.core.Assertion;
 import org.opensaml.saml.saml2.core.Attribute;
 import org.opensaml.saml.saml2.core.AttributeStatement;
+import org.opensaml.saml.saml2.core.AuthnRequest;
 import org.opensaml.saml.saml2.core.AuthnStatement;
 import org.opensaml.saml.saml2.core.Condition;
 import org.opensaml.saml.saml2.core.EncryptedAssertion;
 import org.opensaml.saml.saml2.core.OneTimeUse;
 import org.opensaml.saml.saml2.core.Response;
 import org.opensaml.saml.saml2.core.StatusCode;
+import org.opensaml.saml.saml2.core.Subject;
 import org.opensaml.saml.saml2.core.SubjectConfirmation;
+import org.opensaml.saml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml.saml2.core.impl.AuthnRequestUnmarshaller;
 import org.opensaml.saml.saml2.core.impl.ResponseUnmarshaller;
 import org.opensaml.saml.saml2.encryption.Decrypter;
 import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
@@ -85,6 +90,7 @@
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
 import org.springframework.security.saml2.core.Saml2ResponseValidatorResult;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
 import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
 import org.springframework.util.StringUtils;
@@ -349,6 +355,37 @@ public void setResponseAuthenticationConverter(
 		this.responseAuthenticationConverter = responseAuthenticationConverter;
 	}
 
+	private static Saml2ResponseValidatorResult validateInResponseTo(AbstractSaml2AuthenticationRequest storedRequest,
+			String inResponseTo) {
+		if (!StringUtils.hasText(inResponseTo)) {
+			return Saml2ResponseValidatorResult.success();
+		}
+		AuthnRequest request;
+		try {
+			request = parseRequest(storedRequest);
+		}
+		catch (Exception ex) {
+			String message = "The stored AuthNRequest could not be properly deserialized [" + ex.getMessage() + "]";
+			return Saml2ResponseValidatorResult
+					.failure(new Saml2Error(Saml2ErrorCodes.MALFORMED_REQUEST_DATA, message));
+		}
+		if (request == null) {
+			String message = "The response contained an InResponseTo attribute [" + inResponseTo + "]"
+					+ " but no saved AuthNRequest request was found";
+			return Saml2ResponseValidatorResult
+					.failure(new Saml2Error(Saml2ErrorCodes.INVALID_IN_RESPONSE_TO, message));
+		}
+		else if (!request.getID().equals(inResponseTo)) {
+			String message = "The InResponseTo attribute [" + inResponseTo + "] does not match the ID of the "
+					+ "AuthNRequest [" + request.getID() + "]";
+			return Saml2ResponseValidatorResult
+					.failure(new Saml2Error(Saml2ErrorCodes.INVALID_IN_RESPONSE_TO, message));
+		}
+		else {
+			return Saml2ResponseValidatorResult.success();
+		}
+	}
+
 	/**
 	 * Construct a default strategy for validating the SAML 2.0 Response
 	 * @return the default response validator strategy
@@ -365,6 +402,10 @@ public static Converter<ResponseToken, Saml2ResponseValidatorResult> createDefau
 						response.getID());
 				result = result.concat(new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE, message));
 			}
+
+			String inResponseTo = response.getInResponseTo();
+			result = result.concat(validateInResponseTo(token.getAuthenticationRequest(), inResponseTo));
+
 			String issuer = response.getIssuer().getValue();
 			String destination = response.getDestination();
 			String location = token.getRelyingPartyRegistration().getAssertionConsumerServiceLocation();
@@ -447,7 +488,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		try {
 			Saml2AuthenticationToken token = (Saml2AuthenticationToken) authentication;
 			String serializedResponse = token.getSaml2Response();
-			Response response = parse(serializedResponse);
+			Response response = parseResponse(serializedResponse);
 			process(token, response);
 			AbstractAuthenticationToken authenticationResponse = this.responseAuthenticationConverter
 					.convert(new ResponseToken(response, token));
@@ -469,7 +510,7 @@ public boolean supports(Class<?> authentication) {
 		return authentication != null && Saml2AuthenticationToken.class.isAssignableFrom(authentication);
 	}
 
-	private Response parse(String response) throws Saml2Exception, Saml2AuthenticationException {
+	private Response parseResponse(String response) throws Saml2Exception, Saml2AuthenticationException {
 		try {
 			Document document = this.parserPool
 					.parse(new ByteArrayInputStream(response.getBytes(StandardCharsets.UTF_8)));
@@ -481,6 +522,28 @@ private Response parse(String response) throws Saml2Exception, Saml2Authenticati
 		}
 	}
 
+	private static AuthnRequest parseRequest(AbstractSaml2AuthenticationRequest request) throws Exception {
+		if (request == null) {
+			return null;
+		}
+		String samlRequest = request.getSamlRequest();
+		if (!StringUtils.hasText(samlRequest)) {
+			return null;
+		}
+		if (request.getBinding() == Saml2MessageBinding.REDIRECT) {
+			samlRequest = Saml2Utils.samlInflate(Saml2Utils.samlDecode(samlRequest));
+		}
+		else {
+			samlRequest = new String(Saml2Utils.samlDecode(samlRequest), StandardCharsets.UTF_8);
+		}
+		Document document = XMLObjectProviderRegistrySupport.getParserPool()
+				.parse(new ByteArrayInputStream(samlRequest.getBytes(StandardCharsets.UTF_8)));
+		Element element = document.getDocumentElement();
+		AuthnRequestUnmarshaller unmarshaller = (AuthnRequestUnmarshaller) XMLObjectProviderRegistrySupport
+				.getUnmarshallerFactory().getUnmarshaller(AuthnRequest.DEFAULT_ELEMENT_NAME);
+		return (AuthnRequest) unmarshaller.unmarshall(element);
+	}
+
 	private void process(Saml2AuthenticationToken token, Response response) {
 		String issuer = response.getIssuer().getValue();
 		this.logger.debug(LogMessage.format("Processing SAML response from %s", issuer));
@@ -685,13 +748,41 @@ private static Converter<AssertionToken, Saml2ResponseValidatorResult> createAss
 		};
 	}
 
+	private static boolean assertionContainsInResponseTo(Assertion assertion) {
+		Subject subject = (assertion != null) ? assertion.getSubject() : null;
+		List<SubjectConfirmation> confirmations = (subject != null) ? subject.getSubjectConfirmations()
+				: new ArrayList<>();
+		return confirmations.stream().filter((confirmation) -> {
+			SubjectConfirmationData confirmationData = confirmation.getSubjectConfirmationData();
+			return confirmationData != null && StringUtils.hasText(confirmationData.getInResponseTo());
+		}).findFirst().orElse(null) != null;
+	}
+
+	private static void addRequestIdToValidationContext(AbstractSaml2AuthenticationRequest storedRequest,
+			Map<String, Object> context) {
+		String requestId = null;
+		try {
+			AuthnRequest request = parseRequest(storedRequest);
+			requestId = (request != null) ? request.getID() : null;
+		}
+		catch (Exception ex) {
+		}
+		if (StringUtils.hasText(requestId)) {
+			context.put(SAML2AssertionValidationParameters.SC_VALID_IN_RESPONSE_TO, requestId);
+		}
+	}
+
 	private static ValidationContext createValidationContext(AssertionToken assertionToken,
 			Consumer<Map<String, Object>> paramsConsumer) {
 		RelyingPartyRegistration relyingPartyRegistration = assertionToken.token.getRelyingPartyRegistration();
 		String audience = relyingPartyRegistration.getEntityId();
 		String recipient = relyingPartyRegistration.getAssertionConsumerServiceLocation();
 		String assertingPartyEntityId = relyingPartyRegistration.getAssertingPartyDetails().getEntityId();
 		Map<String, Object> params = new HashMap<>();
+		Assertion assertion = assertionToken.getAssertion();
+		if (assertionContainsInResponseTo(assertion)) {
+			addRequestIdToValidationContext(assertionToken.token.getAuthenticationRequest(), params);
+		}
 		params.put(SAML2AssertionValidationParameters.COND_VALID_AUDIENCES, Collections.singleton(audience));
 		params.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, Collections.singleton(recipient));
 		params.put(SAML2AssertionValidationParameters.VALID_ISSUERS, Collections.singleton(assertingPartyEntityId));
@@ -733,13 +824,6 @@ protected ValidationResult validateAddress(SubjectConfirmation confirmation, Ass
 					// applications should validate their own addresses - gh-7514
 					return ValidationResult.VALID;
 				}
-
-				@Override
-				protected ValidationResult validateInResponseTo(SubjectConfirmation confirmation, Assertion assertion,
-						ValidationContext context, boolean required) {
-					// applications should validate their own in response to
-					return ValidationResult.VALID;
-				}
 			});
 		}
 
diff --git a/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java b/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
