Refactor. Add test. Add support in LogoutResponse

pitbulk · pitbulk · commit 1e4534df6fd4 · 2020-10-05T18:29:59.000+02:00
diff --git a/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java b/core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java
@@ -81,6 +81,11 @@ public class SamlResponse {
 	 */ 
 	private Exception validationException;
 
+	/**
+	 * The respone status code and messages
+	 */
+	private SamlResponseStatus responseStatus;
+
 	/**
 	 * Constructor to have a Response object fully built and ready to validate the saml response.
 	 *
@@ -107,11 +112,6 @@ public SamlResponse(Saml2Settings settings, String currentUrl, String samlRespon
 		loadXmlFromBase64(samlResponse);
 	}
 
-	/**
-	 * The respone status code and messages
-	 */
-	private SamlResponseStatus responseStatus;
-
 	/**
 	 * Constructor to have a Response object fully built and ready to validate the saml response.
 	 *
@@ -126,6 +126,7 @@ public SamlResponse(Saml2Settings settings, String currentUrl, String samlRespon
 	 * @throws SAXException
 	 * @throws ParserConfigurationException
 	 * @throws XPathExpressionException
+	 * @throws NullPointerException
      *
 	 */
 	public SamlResponse(Saml2Settings settings, HttpRequest request) throws XPathExpressionException, ParserConfigurationException, SAXException, IOException, SettingsException, ValidationError {
@@ -603,7 +604,7 @@ public HashMap<String, List<String>> getAttributes() throws XPathExpressionExcep
 	}
 
 	/**
-	 * Returns the latest response status
+	 * Returns the ResponseStatus object
 	 * 
 	 * @return
 	 */
diff --git a/core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java b/core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java
@@ -84,6 +84,11 @@ public class LogoutResponse {
 	 */
 	private Exception validationException;
 
+	/**
+	 * The respone status code and messages
+	 */
+	private SamlResponseStatus responseStatus;
+
 	/**
 	 * Constructs the LogoutResponse object.
 	 *
@@ -323,7 +328,7 @@ public String getStatus() throws XPathExpressionException
      */
     public SamlResponseStatus getSamlResponseStatus() throws ValidationError
     {
-		String statusXpath = "/samlp:Response/samlp:Status";
+		String statusXpath = "/samlp:LogoutResponse/samlp:Status";
 		return Util.getStatus(statusXpath, this.logoutResponseDocument);
     }
 
diff --git a/core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java b/core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java
@@ -1345,9 +1345,8 @@ public void testValidateTimestampsNB() throws ValidationError, XPathExpressionEx
 	@Test
 	public void testNullRequest() throws IOException, Error, XPathExpressionException, ParserConfigurationException, SAXException, SettingsException, ValidationError {
 		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min.properties").build();
+		expectedEx.expect(NullPointerException.class);
 		SamlResponse samlResponse = new SamlResponse(settings, null);
-		assertFalse(samlResponse.isValid());
-		assertEquals("SAML Response is not loaded", samlResponse.getError());
 	}
 
 	/**
diff --git a/toolkit/src/main/java/com/onelogin/saml2/Auth.java b/toolkit/src/main/java/com/onelogin/saml2/Auth.java
@@ -754,17 +754,17 @@ public void processResponse(String requestId) throws Exception {
 				validationException = samlResponse.getValidationException();
 				SamlResponseStatus samlResponseStatus = samlResponse.getResponseStatus();
 				if (samlResponseStatus.getStatusCode() == null || !samlResponseStatus.getStatusCode().equals(Constants.STATUS_SUCCESS)) {
-          errors.add("response_not_success");
-          LOGGER.error("processResponse error. sso_not_success");
-				  LOGGER.debug(" --> " + samlResponseParameter);
+					errors.add("response_not_success");
+					LOGGER.error("processResponse error. sso_not_success");
+					LOGGER.debug(" --> " + samlResponseParameter);
 					errors.add(samlResponseStatus.getStatusCode());
- 				  if (samlResponseStatus.getSubStatusCode() != null) {
-					    errors.add(samlResponseStatus.getSubStatusCode());
-				  }
+					if (samlResponseStatus.getSubStatusCode() != null) {
+						errors.add(samlResponseStatus.getSubStatusCode());
+					}
 				} else {
-          errors.add("invalid_response");
-          LOGGER.error("processResponse error. invalid_response");
-				  LOGGER.debug(" --> " + samlResponseParameter);
+					errors.add("invalid_response");
+					LOGGER.error("processResponse error. invalid_response");
+					LOGGER.debug(" --> " + samlResponseParameter);
         }
 			}
 		} else {
@@ -810,11 +810,16 @@ public void processSLO(Boolean keepLocalSession, String requestId) throws Except
 				errorReason = logoutResponse.getError();
 				validationException = logoutResponse.getValidationException();
 			} else {
-				String status = logoutResponse.getStatus();
+				SamlResponseStatus samlResponseStatus = logoutResponse.getSamlResponseStatus();
+				String status = samlResponseStatus.getStatusCode();
 				if (status == null || !status.equals(Constants.STATUS_SUCCESS)) {
 					errors.add("logout_not_success");
 					LOGGER.error("processSLO error. logout_not_success");
 					LOGGER.debug(" --> " + samlResponseParameter);
+					errors.add(samlResponseStatus.getStatusCode());
+					if (samlResponseStatus.getSubStatusCode() != null) {
+						errors.add(samlResponseStatus.getSubStatusCode());
+					}
 				} else {
 					lastMessageId = logoutResponse.getId();
 					LOGGER.debug("processSLO success --> " + samlResponseParameter);
diff --git a/toolkit/src/test/java/com/onelogin/saml2/test/AuthTest.java b/toolkit/src/test/java/com/onelogin/saml2/test/AuthTest.java
@@ -64,6 +64,7 @@
 import com.onelogin.saml2.util.Util;
 
 import org.mockito.ArgumentCaptor;
+import org.w3c.dom.Document;
 
 public class AuthTest {
 
@@ -563,6 +564,38 @@ public void testProcessResponse() throws Exception {
 		assertEquals(keys, auth2.getAttributesName());
 	}
 
+	/**
+	 * Tests the processResponse methods of Auth
+	 * Case: process Response, status code Responder and sub status
+	 *
+	 * @throws Exception
+	 *
+	 * @see com.onelogin.saml2.Auth#processSLO
+	 */
+	@Test
+	public void testProcessResponseStatusResponder() throws Exception {
+		HttpServletRequest request = mock(HttpServletRequest.class);
+		HttpServletResponse response = mock(HttpServletResponse.class);
+		HttpSession session = mock(HttpSession.class);
+		when(request.getRequestURL()).thenReturn(new StringBuffer("https://example.com/opensso/Consumer/metaAlias/sp"));
+		when(request.getSession()).thenReturn(session);
+
+		String samlResponseEncoded = Util.getFileAsString("data/responses/invalids/status_code_and_sub_status_code_responder_and_msg.xml.base64");
+		Document samlResponseDoc = Util.loadXML(new String(Util.base64decoder(samlResponseEncoded)));
+		when(request.getParameterMap()).thenReturn(singletonMap("SAMLResponse", new String[]{samlResponseEncoded}));
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min.properties").build();
+		Auth auth = new Auth(settings, request, response);
+		assertFalse(auth.isAuthenticated());
+		assertTrue(auth.getErrors().isEmpty());
+		auth.processResponse();
+		verify(session, times(0)).invalidate();
+		assertFalse(auth.getErrors().isEmpty());
+		assertEquals("The status code of the Response was not Success, was urn:oasis:names:tc:SAML:2.0:status:Responder -> something_is_wrong", auth.getLastErrorReason());
+		assertTrue(auth.getErrors().contains("response_not_success"));
+		assertTrue(auth.getErrors().contains(Constants.STATUS_RESPONDER));
+		assertTrue(auth.getErrors().contains(Constants.STATUS_AUTHNFAILED));
+	}
+
 	/**
 	 * Tests the processSLO methods of Auth
 	 *
@@ -825,6 +858,7 @@ public void testProcessSLOResponseStatusResponder() throws Exception {
 		verify(session, times(0)).invalidate();
 		assertFalse(auth.getErrors().isEmpty());
 		assertTrue(auth.getErrors().contains("logout_not_success"));
+		assertTrue(auth.getErrors().contains(Constants.STATUS_RESPONDER));
 	}
 
 	/**
@@ -853,7 +887,6 @@ public void testIsAuthenticated() throws Exception {
 		assertFalse(auth.getErrors().isEmpty());
 		List<String> expectedErrors = new ArrayList<String>();
 		expectedErrors.add("invalid_response");
-		expectedErrors.add("urn:oasis:names:tc:SAML:2.0:status:Success");
 		assertEquals(expectedErrors, auth.getErrors());
 		assertEquals("SAML Response must contain 1 Assertion.", auth.getLastErrorReason());
 		assertTrue(auth.getLastValidationException() instanceof ValidationError);
@@ -868,7 +901,6 @@ public void testIsAuthenticated() throws Exception {
 		assertFalse(auth2.getErrors().isEmpty());
 		expectedErrors = new ArrayList<String>();
 		expectedErrors.add("invalid_response");
-		expectedErrors.add("urn:oasis:names:tc:SAML:2.0:status:Success");
 		assertEquals(expectedErrors, auth2.getErrors());
 		assertThat(auth2.getLastErrorReason(), containsString("Invalid issuer in the Assertion/Response"));
 		assertTrue(auth2.getLastValidationException() instanceof ValidationError);

Original file line number	Diff line number	Diff line change
`@@ -84,6 +84,11 @@ public class LogoutResponse {`
`84`	`84`	`*/`
`85`	`85`	`private Exception validationException;`
`86`	`86`
	`87`	`+ /**`
	`88`	`+ * The respone status code and messages`
	`89`	`+ */`
	`90`	`+ private SamlResponseStatus responseStatus;`
	`91`	`+`
`87`	`92`	`/**`
`88`	`93`	`* Constructs the LogoutResponse object.`
`89`	`94`	`*`
`@@ -323,7 +328,7 @@ public String getStatus() throws XPathExpressionException`
`323`	`328`	`*/`
`324`	`329`	`public SamlResponseStatus getSamlResponseStatus() throws ValidationError`
`325`	`330`	`{`
`326`		`- String statusXpath = "/samlp:Response/samlp:Status";`
	`331`	`+ String statusXpath = "/samlp:LogoutResponse/samlp:Status";`
`327`	`332`	`return Util.getStatus(statusXpath, this.logoutResponseDocument);`
`328`	`333`	`}`
`329`	`334`