Implement a more specific exception class for handling some validation. Improve tests

Author: pitbulk

core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

@@ -0,0 +1,26 @@
+package com.onelogin.saml2.exception;
+
+public class Error extends Exception {
+
+	private static final long serialVersionUID = 1L;
+
+    public static final int SETTINGS_FILE_NOT_FOUND = 1;
+    public static final int METADATA_SP_INVALID = 2;
+    public static final int SAML_RESPONSE_NOT_FOUND = 3;
+    public static final int SAML_LOGOUTMESSAGE_NOT_FOUND = 4;
+    public static final int SAML_LOGOUTREQUEST_INVALID = 5;
+    public static final int SAML_LOGOUTRESPONSE_INVALID = 6;
+    public static final int SAML_SINGLE_LOGOUT_NOT_SUPPORTED = 7;
+    
+    private int errorCode;
+	
+	public Error(String message, int errorCode) {
+		super(message);
+		this.errorCode = errorCode;
+	}
+	
+    public int getErrorCode() {
+        return errorCode;
+    }
+
+}

core/src/main/java/com/onelogin/saml2/exception/Error.java

@@ -4,8 +4,22 @@ public class SettingsException extends Exception {
 
 	private static final long serialVersionUID = 1L;
 
-	public SettingsException(String message) {
+    public static final int SETTINGS_INVALID_SYNTAX = 1;
+    public static final int SETTINGS_INVALID = 2;
+    public static final int CERT_NOT_FOUND = 3;
+    public static final int PRIVATE_KEY_NOT_FOUND = 4;
+    public static final int PUBLIC_CERT_FILE_NOT_FOUND = 5;    
+    public static final int PRIVATE_KEY_FILE_NOT_FOUND = 6;
+    
+    private int errorCode;
+	
+	public SettingsException(String message, int errorCode) {
 		super(message);
+		this.errorCode = errorCode;
 	}
+	
+    public int getErrorCode() {
+        return errorCode;
+    }
 
 }

core/src/main/java/com/onelogin/saml2/exception/SettingsException.java

@@ -0,0 +1,68 @@
+package com.onelogin.saml2.exception;
+
+public class ValidationError extends Exception {
+
+	private static final long serialVersionUID = 1L;
+
+	public static final int UNSUPPORTED_SAML_VERSION = 0;
+	public static final int MISSING_ID = 1;
+	public static final int WRONG_NUMBER_OF_ASSERTIONS = 2;
+	public static final int MISSING_STATUS = 3;
+	public static final int MISSING_STATUS_CODE = 4;
+	public static final int STATUS_CODE_IS_NOT_SUCCESS = 5;
+	public static final int WRONG_SIGNED_ELEMENT = 6;
+	public static final int ID_NOT_FOUND_IN_SIGNED_ELEMENT = 7;
+	public static final int DUPLICATED_ID_IN_SIGNED_ELEMENTS = 8;
+	public static final int INVALID_SIGNED_ELEMENT = 9;
+	public static final int DUPLICATED_REFERENCE_IN_SIGNED_ELEMENTS = 10;
+	public static final int UNEXPECTED_SIGNED_ELEMENTS = 11;
+	public static final int WRONG_NUMBER_OF_SIGNATURES_IN_RESPONSE = 12;
+	public static final int WRONG_NUMBER_OF_SIGNATURES_IN_ASSERTION = 13;
+	public static final int INVALID_XML_FORMAT = 14;
+	public static final int WRONG_INRESPONSETO = 15;
+	public static final int NO_ENCRYPTED_ASSERTION = 16;
+	public static final int NO_ENCRYPTED_NAMEID = 17;
+	public static final int MISSING_CONDITIONS = 18;
+	public static final int ASSERTION_TOO_EARLY = 19;
+	public static final int ASSERTION_EXPIRED = 20;
+	public static final int WRONG_NUMBER_OF_AUTHSTATEMENTS = 21;
+	public static final int NO_ATTRIBUTESTATEMENT = 22;
+	public static final int ENCRYPTED_ATTRIBUTES = 23;
+	public static final int WRONG_DESTINATION = 24;
+	public static final int EMPTY_DESTINATION = 25;
+	public static final int WRONG_AUDIENCE = 26;
+	public static final int ISSUER_NOT_FOUND_IN_RESPONSE = 27;
+	public static final int ISSUER_NOT_FOUND_IN_ASSERTION = 28;
+	public static final int WRONG_ISSUER = 29;
+	public static final int SESSION_EXPIRED = 30;
+	public static final int WRONG_SUBJECTCONFIRMATION = 31;
+	public static final int NO_SIGNED_MESSAGE = 32;
+	public static final int NO_SIGNED_ASSERTION = 33;
+	public static final int NO_SIGNATURE_FOUND = 34;
+	public static final int KEYINFO_NOT_FOUND_IN_ENCRYPTED_DATA = 35;
+	public static final int CHILDREN_NODE_NOT_FOUND_IN_KEYINFO = 36;
+	public static final int UNSUPPORTED_RETRIEVAL_METHOD = 37;
+	public static final int NO_NAMEID = 38;
+	public static final int EMPTY_NAMEID = 39;
+	public static final int SP_NAME_QUALIFIER_NAME_MISMATCH = 40;
+	public static final int DUPLICATED_ATTRIBUTE_NAME_FOUND = 41;
+	public static final int INVALID_SIGNATURE = 42;
+	public static final int WRONG_NUMBER_OF_SIGNATURES = 43;
+	public static final int RESPONSE_EXPIRED = 44;
+	public static final int UNEXPECTED_REFERENCE = 45;
+	public static final int NOT_SUPPORTED = 46;
+	public static final int KEY_ALGORITHM_ERROR = 47;
+	public static final int MISSING_ENCRYPTED_ELEMENT = 48;
+    
+    private int errorCode;
+	
+	public ValidationError(String message, int errorCode) {
+		super(message);
+		this.errorCode = errorCode;
+	}
+	
+    public int getErrorCode() {
+        return errorCode;
+    }
+
+}

core/src/main/java/com/onelogin/saml2/exception/ValidationError.java

@@ -20,7 +20,9 @@
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
 
+import com.onelogin.saml2.exception.ValidationError;
 import com.onelogin.saml2.exception.XMLEntityException;
+import com.onelogin.saml2.exception.SettingsException;
 import com.onelogin.saml2.http.HttpRequest;
 import com.onelogin.saml2.settings.Saml2Settings;
 import com.onelogin.saml2.util.Util;
@@ -94,8 +96,8 @@ public class LogoutRequest {
 	 *              The NameID that will be set in the LogoutRequest.
 	 * @param sessionIndex
 	 *              The SessionIndex (taken from the SAML Response in the SSO process).
-	 *
 	 * @throws XMLEntityException 
+	 *
 	 */
 	public LogoutRequest(Saml2Settings settings, HttpRequest request, String nameId, String sessionIndex) throws XMLEntityException {
 		this.settings = settings;
@@ -256,14 +258,14 @@ private static StringBuilder getLogoutRequestTemplate() {
      *
      * @return true if the SAML LogoutRequest is valid
      *
-	 * @throws XMLEntityException 
+	 * @throws Exception
      */
-	public Boolean isValid() throws XMLEntityException {
+	public Boolean isValid() throws Exception {
 		error = null;
 
 		try {
 			if (this.logoutRequestString == null || logoutRequestString.isEmpty()) {
-				throw new Exception("SAML Logout Request is not loaded");
+				throw new ValidationError("SAML Logout Request is not loaded", ValidationError.INVALID_XML_FORMAT);
 			}
 
 			if (this.request == null) {
@@ -284,7 +286,7 @@ public Boolean isValid() throws XMLEntityException {
 
 				if (settings.getWantXMLValidation()) {
 					if (!Util.validateXML(logoutRequestDocument, SchemaFactory.SAML_SCHEMA_PROTOCOL_2_0)) {
-						throw new Exception("Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd");
+						throw new ValidationError("Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd", ValidationError.INVALID_XML_FORMAT);
 					}
 				}
 
@@ -293,7 +295,7 @@ public Boolean isValid() throws XMLEntityException {
 					String notOnOrAfter = rootElement.getAttribute("NotOnOrAfter");
 					DateTime notOnOrAfterDate = Util.parseDateTime(notOnOrAfter);
 					if (notOnOrAfterDate.isEqualNow() || notOnOrAfterDate.isBeforeNow()) {
-						throw new Exception("Timing issues (please check your clock settings)");
+						throw new ValidationError("Could not validate timestamp: expired. Check system clock.", ValidationError.RESPONSE_EXPIRED);
 					}
 				}
 
@@ -302,8 +304,8 @@ public Boolean isValid() throws XMLEntityException {
 					String destinationUrl = rootElement.getAttribute("Destination");
 					if (destinationUrl != null) {
 						if (!destinationUrl.isEmpty() && !destinationUrl.equals(currentUrl)) {
-							throw new Exception("The LogoutRequest was received at " + currentUrl + " instead of "
-									+ destinationUrl);
+							throw new ValidationError("The LogoutRequest was received at " + currentUrl + " instead of "
+									+ destinationUrl, ValidationError.WRONG_DESTINATION);
 						}
 					}
 				}
@@ -314,18 +316,18 @@ public Boolean isValid() throws XMLEntityException {
 				// Check the issuer
 				String issuer = getIssuer(logoutRequestDocument);
 				if (issuer != null && (issuer.isEmpty() || !issuer.equals(settings.getIdpEntityId()))) {
-					throw new Exception("Invalid issuer in the Logout Request");
+					throw new ValidationError("Invalid issuer in the Logout Request", ValidationError.WRONG_ISSUER);
 				}
 
                 if (settings.getWantMessagesSigned() && (signature == null || signature.isEmpty())) {
-                    throw new Exception("The Message of the Logout Request is not signed and the SP requires it");
+                    throw new ValidationError("The Message of the Logout Request is not signed and the SP requires it", ValidationError.NO_SIGNED_MESSAGE);
                 }
 			}
 
 			if (signature != null && !signature.isEmpty()) {
 				X509Certificate cert = settings.getIdpx509cert();
 				if (cert == null) {
-					throw new Exception("In order to validate the sign on the Logout Request, the x509cert of the IdP is required");
+					throw new SettingsException("In order to validate the sign on the Logout Request, the x509cert of the IdP is required", SettingsException.CERT_NOT_FOUND);
 				}
 
 				String signAlg = request.getParameter("SigAlg");
@@ -343,7 +345,7 @@ public Boolean isValid() throws XMLEntityException {
 				signedQuery += "&SigAlg=" + Util.urlEncoder(signAlg);
 
 				if (!Util.validateBinarySignature(signedQuery, Util.base64decoder(signature), cert, signAlg)) {
-					throw new Exception("Signature validation failed. Logout Request rejected");
+					throw new ValidationError("Signature validation failed. Logout Request rejected", ValidationError.INVALID_SIGNATURE);
 				}
 			}
 
@@ -383,9 +385,8 @@ public static String getId(Document samlLogoutRequestDocument) {
 	 *
      * @return the ID of the Logout Request.
      *
-     * @throws XMLEntityException 
      */
-	public static String getId(String samlLogoutRequestString) throws XMLEntityException {
+	public static String getId(String samlLogoutRequestString) {
 		Document doc = Util.loadXML(samlLogoutRequestString);
 		return getId(doc);
 	}
@@ -400,17 +401,16 @@ public static String getId(String samlLogoutRequestString) throws XMLEntityExcep
      *
      * @return the Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
      *
-     * @throws IllegalArgumentException
 	 * @throws Exception
      */
-	public static Map<String, String> getNameIdData(Document samlLogoutRequestDocument, PrivateKey key) throws IllegalArgumentException, Exception {
+	public static Map<String, String> getNameIdData(Document samlLogoutRequestDocument, PrivateKey key) throws Exception {
 		NodeList encryptedIDNodes = Util.query(samlLogoutRequestDocument, "/samlp:LogoutRequest/saml:EncryptedID");
 		NodeList nameIdNodes;
 		Element nameIdElem;
 
 		if (encryptedIDNodes.getLength() == 1) {
 			if (key == null) {
-				throw new IllegalArgumentException("Key is required in order to decrypt the NameID");
+				throw new SettingsException("Key is required in order to decrypt the NameID", SettingsException.PRIVATE_KEY_NOT_FOUND);
 			}
 
 			Element encryptedData = (Element) encryptedIDNodes.item(0);
@@ -428,7 +428,7 @@ public static Map<String, String> getNameIdData(Document samlLogoutRequestDocume
 		if (nameIdNodes != null && nameIdNodes.getLength() == 1) {
 			nameIdElem = (Element) nameIdNodes.item(0);
 		} else {
-			throw new Exception("No name id found in Logout Request.");
+			throw new ValidationError("No name id found in Logout Request.", ValidationError.NO_NAMEID);
 		}
 
 		Map<String, String> nameIdData = new HashMap<String, String>();
@@ -459,10 +459,9 @@ public static Map<String, String> getNameIdData(Document samlLogoutRequestDocume
      *
      * @return the Name ID Data (Value, Format, NameQualifier, SPNameQualifier)
      *
-	 * @throws IllegalArgumentException if PrivateKey is not provided and the NameId is encrypted
 	 * @throws Exception
      */
-	public static Map<String, String> getNameIdData(String samlLogoutRequestString, PrivateKey key) throws IllegalArgumentException, Exception {
+	public static Map<String, String> getNameIdData(String samlLogoutRequestString, PrivateKey key) throws Exception {
 		Document doc = Util.loadXML(samlLogoutRequestString);
 		return getNameIdData(doc, key);
 	}
@@ -565,10 +564,9 @@ public static String getIssuer(Document samlLogoutRequestDocument) throws XPathE
 	 *
 	 * @return the issuer of the logout request
 	 * 
-	 * @throws XMLEntityException
 	 * @throws XPathExpressionException
 	 */
-    public static String getIssuer(String samlLogoutRequestString) throws XMLEntityException, XPathExpressionException
+    public static String getIssuer(String samlLogoutRequestString) throws XPathExpressionException
     {
 		Document doc = Util.loadXML(samlLogoutRequestString);
 		return getIssuer(doc);
@@ -603,10 +601,9 @@ public static List<String> getSessionIndexes(Document samlLogoutRequestDocument)
 	 * 				A Logout Request string.
      * @return the SessionIndexes
      *
-     * @throws XMLEntityException
      * @throws XPathExpressionException 
      */
-    public static List<String> getSessionIndexes(String samlLogoutRequestString) throws XMLEntityException, XPathExpressionException
+    public static List<String> getSessionIndexes(String samlLogoutRequestString) throws XPathExpressionException
     {
 		Document doc = Util.loadXML(samlLogoutRequestString);
 		return getSessionIndexes(doc);

core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java

@@ -17,7 +17,8 @@
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
 
-import com.onelogin.saml2.exception.XMLEntityException;
+import com.onelogin.saml2.exception.SettingsException;
+import com.onelogin.saml2.exception.ValidationError;
 import com.onelogin.saml2.http.HttpRequest;
 import com.onelogin.saml2.settings.Saml2Settings;
 import com.onelogin.saml2.util.Constants;
@@ -88,9 +89,8 @@ public class LogoutResponse {
 	 * @param request
      *              the HttpRequest object to be processed (Contains GET and POST parameters, request URL, ...).
      *
-	 * @throws XMLEntityException 
 	 */
-	public LogoutResponse(Saml2Settings settings, HttpRequest request) throws XMLEntityException {
+	public LogoutResponse(Saml2Settings settings, HttpRequest request) {
 		this.settings = settings;
 		this.request = request;
 
@@ -156,7 +156,7 @@ public Boolean isValid(String requestId) {
 
 		try {
 			if (this.logoutResponseDocument == null) {
-				throw new Exception("SAML Logout Response is not loaded");
+				throw new ValidationError("SAML Logout Response is not loaded", ValidationError.INVALID_XML_FORMAT);
 			}
 
 			if (this.currentUrl == null || this.currentUrl.isEmpty()) {
@@ -171,48 +171,48 @@ public Boolean isValid(String requestId) {
 
 				if (settings.getWantXMLValidation()) {
 					if (!Util.validateXML(this.logoutResponseDocument, SchemaFactory.SAML_SCHEMA_PROTOCOL_2_0)) {
-						throw new Exception("Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd");
+						throw new ValidationError("Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd", ValidationError.INVALID_XML_FORMAT);
 					}
 				}
 
 				String responseInResponseTo = rootElement.hasAttribute("InResponseTo") ? rootElement.getAttribute("InResponseTo") : null;
 				if (requestId == null && responseInResponseTo != null && settings.isRejectUnsolicitedResponsesWithInResponseTo()) {
-					throw new Exception("The Response has an InResponseTo attribute: " + responseInResponseTo +
-							" while no InResponseTo was expected");
+					throw new ValidationError("The Response has an InResponseTo attribute: " + responseInResponseTo +
+							" while no InResponseTo was expected", ValidationError.WRONG_INRESPONSETO);
 				}
 
 				// Check if the InResponseTo of the Response matches the ID of the AuthNRequest (requestId) if provided
 				if (requestId != null && !Objects.equals(responseInResponseTo, requestId)) {
-						throw new Exception("The InResponseTo of the Logout Response: " + responseInResponseTo
-								+ ", does not match the ID of the Logout request sent by the SP: " + requestId);
+						throw new ValidationError("The InResponseTo of the Logout Response: " + responseInResponseTo
+								+ ", does not match the ID of the Logout request sent by the SP: " + requestId, ValidationError.WRONG_INRESPONSETO);
 				}
 
 				// Check issuer
                 String issuer = getIssuer();
                 if (issuer != null && !issuer.isEmpty() && !issuer.equals(settings.getIdpEntityId())) {
-                    throw new Exception("Invalid issuer in the Logout Response");
+                    throw new ValidationError("Invalid issuer in the Logout Response", ValidationError.WRONG_ISSUER);
                 }
 
 				// Check destination
 				if (rootElement.hasAttribute("Destination")) {
 					String destinationUrl = rootElement.getAttribute("Destination");
 					if (destinationUrl != null) {
 						if (!destinationUrl.isEmpty() && !destinationUrl.equals(currentUrl)) {
-							throw new Exception("The LogoutResponse was received at " + currentUrl + " instead of "
-									+ destinationUrl);
+							throw new ValidationError("The LogoutResponse was received at " + currentUrl + " instead of "
+									+ destinationUrl, ValidationError.WRONG_DESTINATION);
 						}
 					}
 				}
 
                 if (settings.getWantMessagesSigned() && (signature == null || signature.isEmpty())) {
-                    throw new Exception("The Message of the Logout Response is not signed and the SP requires it");
+                    throw new ValidationError("The Message of the Logout Response is not signed and the SP requires it", ValidationError.NO_SIGNED_MESSAGE);
                 }
 			}
 
 			if (signature != null && !signature.isEmpty()) {
 				X509Certificate cert = settings.getIdpx509cert();
 				if (cert == null) {
-					throw new Exception("In order to validate the sign on the Logout Response, the x509cert of the IdP is required");
+					throw new SettingsException("In order to validate the sign on the Logout Response, the x509cert of the IdP is required", SettingsException.CERT_NOT_FOUND);
 				}
 
 				String signAlg = request.getParameter("SigAlg");
@@ -230,7 +230,7 @@ public Boolean isValid(String requestId) {
 				signedQuery += "&SigAlg=" + Util.urlEncoder(signAlg);
 
 				if (!Util.validateBinarySignature(signedQuery, Util.base64decoder(signature), cert, signAlg)) {
-					throw new Exception("Signature validation failed. Logout Response rejected");
+					throw new ValidationError("Signature validation failed. Logout Response rejected", ValidationError.INVALID_SIGNATURE);
 				}
 			}