KEYCLOAK-13181 Fix NPE in EAP 6 adapter

2020-03-03 10:50:32 +01:00 · 2020-03-03 10:50:32 +01:00 · 0cf0955318
commit 0cf0955318
parent c1bf183998
2 changed files with 23 additions and 0 deletions
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
@ -148,6 +148,10 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
            postBinding = true;
            holder = SAMLRequestParser.parseRequestPostBinding(samlRequest);
        }
+        if (holder == null) {
+            log.error("Error parsing SAML document");
+            return AuthOutcome.FAILED;
+        }
        RequestAbstractType requestAbstractType = (RequestAbstractType) holder.getSamlObject();
        if (! destinationValidator.validate(requestUri, requestAbstractType.getDestination())) {
            log.error("expected destination '" + requestUri + "' got '" + requestAbstractType.getDestination() + "'");
@ -188,6 +192,24 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
            postBinding = true;
            holder = extractPostBindingResponse(samlResponse);
        }
+        if (holder == null) {
+            log.error("Error parsing SAML document");
+            challenge = new AuthChallenge() {
+                @Override
+                public boolean challenge(HttpFacade exchange) {
+                    SamlAuthenticationError error = new SamlAuthenticationError(SamlAuthenticationError.Reason.EXTRACTION_FAILURE);
+                    exchange.getRequest().setError(error);
+                    exchange.getResponse().sendError(403);
+                    return true;
+                }
+
+                @Override
+                public int getResponseCode() {
+                    return 403;
+                }
+            };
+            return AuthOutcome.FAILED;
+        }
        final StatusResponseType statusResponse = (StatusResponseType) holder.getSamlObject();
        // validate destination
        if (! destinationValidator.validate(requestUri, statusResponse.getDestination())) {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SamlSignatureTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SamlSignatureTest.java
@ -313,6 +313,7 @@ public class SamlSignatureTest extends AbstractAdapterTest {
        assertThat(response, Matchers.bodyHC(
          anyOf(
            containsString("INVALID_SIGNATURE"),
+            containsString("EXTRACTION_FAILURE"),
            containsString("There was an error")
          )
        ));