From 42954e84d99417b8dd5b97181398e2a4cd68bf5d Mon Sep 17 00:00:00 2001
From: Hynek Mlnarik <hmlnarik@redhat.com>
Date: Thu, 9 Mar 2017 16:48:59 +0100
Subject: [PATCH] KEYCLOAK-4552

---
 .../saml/SAMLRequestAbstractParser.java       |  2 +
 .../saml/SAMLAttributeQueryParserTest.java    | 87 +++++++++++++++++++
 .../saml/SAMLAuthNRequestParserTest.java      | 84 ++++++++++++++++++
 .../saml/SAMLSloRequestParserTest.java        | 69 +++++++++++++++
 ...552-saml20-aslo-response-via-extension.xml |  9 ++
 .../saml20-attributequery-with-extension.xml  | 19 ++++
 .../parsers/saml/saml20-attributequery.xml    | 16 ++++
 .../saml20-authnrequest-with-extension.xml    |  8 ++
 .../core/parsers/saml/saml20-authnrequest.xml |  5 ++
 9 files changed, 299 insertions(+)
 create mode 100644 saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAttributeQueryParserTest.java
 create mode 100644 saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAuthNRequestParserTest.java
 create mode 100644 saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSloRequestParserTest.java
 create mode 100644 saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-4552-saml20-aslo-response-via-extension.xml
 create mode 100644 saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-attributequery-with-extension.xml
 create mode 100644 saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-attributequery.xml
 create mode 100644 saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-authnrequest-with-extension.xml
 create mode 100644 saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-authnrequest.xml

diff --git a/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLRequestAbstractParser.java b/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLRequestAbstractParser.java
index 457f33269b..4d722a522b 100755
--- a/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLRequestAbstractParser.java
+++ b/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLRequestAbstractParser.java
@@ -98,6 +98,8 @@ public abstract class SAMLRequestAbstractParser {
             request.setIssuer(issuer);
         } else if (JBossSAMLConstants.SIGNATURE.get().equals(elementName)) {
             request.setSignature(StaxParserUtil.getDOMElement(xmlEventReader));
+        } else if (JBossSAMLConstants.EXTENSIONS.get().equals(elementName)) {
+            request.setExtensions(new SAMLExtensionsParser().parse(xmlEventReader));
         }
     }
 
diff --git a/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAttributeQueryParserTest.java b/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAttributeQueryParserTest.java
new file mode 100644
index 0000000000..a7ea4c5eef
--- /dev/null
+++ b/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAttributeQueryParserTest.java
@@ -0,0 +1,87 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.saml.processing.core.parsers.saml;
+
+
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.protocol.AttributeQueryType;
+import java.io.InputStream;
+
+import org.junit.Test;
+
+import org.junit.Before;
+import org.w3c.dom.Element;
+import static org.hamcrest.CoreMatchers.*;
+import static org.junit.Assert.assertThat;
+
+/**
+ * Test class for SAML AttributeQuery parser.
+ *
+ * @author hmlnarik
+ */
+public class SAMLAttributeQueryParserTest {
+
+    private SAMLParser parser;
+
+    @Before
+    public void initParser() {
+        this.parser = new SAMLParser();
+    }
+
+    @Test(timeout = 2000)
+    public void testSaml20AttributeQuery() throws Exception {
+        try (InputStream is = SAMLAttributeQueryParserTest.class.getResourceAsStream("saml20-attributequery.xml")) {
+            Object parsedObject = parser.parse(is);
+            assertThat(parsedObject, instanceOf(AttributeQueryType.class));
+
+            AttributeQueryType query = (AttributeQueryType) parsedObject;
+            assertThat(query.getSignature(), nullValue());
+            assertThat(query.getConsent(), nullValue());
+            assertThat(query.getIssuer(), not(nullValue()));
+            assertThat(query.getIssuer().getValue(), is("https://sp/"));
+
+            NameIDType nameId = (NameIDType) query.getSubject().getSubType().getBaseID();
+            assertThat(nameId.getValue(), is("CN=trscavo@uiuc.edu,OU=User,O=NCSA-TEST,C=US"));
+        }
+    }
+
+    @Test(timeout = 2000)
+    public void testSaml20AttributeQueryWithExtension() throws Exception {
+        try (InputStream is = SAMLAttributeQueryParserTest.class.getResourceAsStream("saml20-attributequery-with-extension.xml")) {
+            Object parsedObject = parser.parse(is);
+            assertThat(parsedObject, instanceOf(AttributeQueryType.class));
+
+            AttributeQueryType query = (AttributeQueryType) parsedObject;
+            assertThat(query.getSignature(), nullValue());
+            assertThat(query.getConsent(), nullValue());
+            assertThat(query.getIssuer(), not(nullValue()));
+            assertThat(query.getIssuer().getValue(), is("https://sp/"));
+
+            NameIDType nameId = (NameIDType) query.getSubject().getSubType().getBaseID();
+            assertThat(nameId.getValue(), is("CN=trscavo@uiuc.edu,OU=User,O=NCSA-TEST,C=US"));
+
+            assertThat(query.getExtensions(), not(nullValue()));
+            assertThat(query.getExtensions().getAny().size(), is(1));
+            assertThat(query.getExtensions().getAny().get(0), instanceOf(Element.class));
+            Element el = (Element) query.getExtensions().getAny().get(0);
+            assertThat(el.getLocalName(), is("KeyInfo"));
+            assertThat(el.getNamespaceURI(), is("urn:keycloak:ext:key:1.0"));
+            assertThat(el.getAttribute("MessageSigningKeyId"), is("FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"));
+        }
+    }
+}
diff --git a/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAuthNRequestParserTest.java b/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAuthNRequestParserTest.java
new file mode 100644
index 0000000000..e16a3d0420
--- /dev/null
+++ b/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAuthNRequestParserTest.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.saml.processing.core.parsers.saml;
+
+
+import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
+import java.io.InputStream;
+
+import org.junit.Test;
+
+import org.junit.Before;
+import org.w3c.dom.Element;
+import static org.hamcrest.CoreMatchers.*;
+import static org.junit.Assert.assertThat;
+
+/**
+ * Test class for SAML AuthNRequest parser.
+ *
+ * @author hmlnarik
+ */
+public class SAMLAuthNRequestParserTest {
+
+    private SAMLParser parser;
+
+    @Before
+    public void initParser() {
+        this.parser = new SAMLParser();
+    }
+
+    @Test(timeout = 2000)
+    public void testSaml20AttributeQuery() throws Exception {
+        try (InputStream is = SAMLAuthNRequestParserTest.class.getResourceAsStream("saml20-authnrequest.xml")) {
+            Object parsedObject = parser.parse(is);
+            assertThat(parsedObject, instanceOf(AuthnRequestType.class));
+
+            AuthnRequestType req = (AuthnRequestType) parsedObject;
+            assertThat(req.getSignature(), nullValue());
+            assertThat(req.getConsent(), nullValue());
+            assertThat(req.getIssuer(), not(nullValue()));
+            assertThat(req.getIssuer().getValue(), is("https://sp/"));
+
+            assertThat(req.getNameIDPolicy().getFormat().toString(), is("urn:oasis:names:tc:SAML:2.0:nameid-format:transient"));
+        }
+    }
+
+    @Test(timeout = 2000)
+    public void testSaml20AttributeQueryWithExtension() throws Exception {
+        try (InputStream is = SAMLAuthNRequestParserTest.class.getResourceAsStream("saml20-authnrequest-with-extension.xml")) {
+            Object parsedObject = parser.parse(is);
+            assertThat(parsedObject, instanceOf(AuthnRequestType.class));
+
+            AuthnRequestType req = (AuthnRequestType) parsedObject;
+            assertThat(req.getSignature(), nullValue());
+            assertThat(req.getConsent(), nullValue());
+            assertThat(req.getIssuer(), not(nullValue()));
+            assertThat(req.getIssuer().getValue(), is("https://sp/"));
+
+            assertThat(req.getNameIDPolicy().getFormat().toString(), is("urn:oasis:names:tc:SAML:2.0:nameid-format:transient"));
+
+            assertThat(req.getExtensions(), not(nullValue()));
+            assertThat(req.getExtensions().getAny().size(), is(1));
+            assertThat(req.getExtensions().getAny().get(0), instanceOf(Element.class));
+            Element el = (Element) req.getExtensions().getAny().get(0);
+            assertThat(el.getLocalName(), is("KeyInfo"));
+            assertThat(el.getNamespaceURI(), is("urn:keycloak:ext:key:1.0"));
+            assertThat(el.getAttribute("MessageSigningKeyId"), is("FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"));
+        }
+    }
+}
diff --git a/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSloRequestParserTest.java b/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSloRequestParserTest.java
new file mode 100644
index 0000000000..6967465b08
--- /dev/null
+++ b/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSloRequestParserTest.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.saml.processing.core.parsers.saml;
+
+
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
+import java.io.InputStream;
+
+import org.junit.Test;
+
+import org.junit.Before;
+import org.w3c.dom.Element;
+import static org.hamcrest.CoreMatchers.*;
+import static org.junit.Assert.assertThat;
+
+/**
+ * Test class for SAML SLO parser.
+ *
+ * @author hmlnarik
+ */
+public class SAMLSloRequestParserTest {
+
+    private SAMLParser parser;
+
+    @Before
+    public void initParser() {
+        this.parser = new SAMLParser();
+    }
+
+    @Test(timeout = 2000)
+    public void testSaml20SloResponseWithExtension() throws Exception {
+        try (InputStream is = SAMLSloRequestParserTest.class.getResourceAsStream("KEYCLOAK-4552-saml20-aslo-response-via-extension.xml")) {
+            Object parsedObject = parser.parse(is);
+            assertThat(parsedObject, instanceOf(LogoutRequestType.class));
+
+            LogoutRequestType resp = (LogoutRequestType) parsedObject;
+            assertThat(resp.getSignature(), nullValue());
+            assertThat(resp.getConsent(), nullValue());
+            assertThat(resp.getIssuer(), not(nullValue()));
+            assertThat(resp.getIssuer().getValue(), is("https://sp/"));
+
+            NameIDType nameId = resp.getNameID();
+            assertThat(nameId.getValue(), is("G-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"));
+
+            assertThat(resp.getExtensions(), not(nullValue()));
+            assertThat(resp.getExtensions().getAny().size(), is(1));
+            assertThat(resp.getExtensions().getAny().get(0), instanceOf(Element.class));
+            Element el = (Element) resp.getExtensions().getAny().get(0);
+            assertThat(el.getLocalName(), is("Asynchronous"));
+            assertThat(el.getNamespaceURI(), is("urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"));
+        }
+    }
+}
diff --git a/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-4552-saml20-aslo-response-via-extension.xml b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-4552-saml20-aslo-response-via-extension.xml
new file mode 100644
index 0000000000..aa62a2fa0e
--- /dev/null
+++ b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-4552-saml20-aslo-response-via-extension.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0"?>
+<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://keycloak/auth/realms/XXX/protocol/saml" ID="_b89618b16ed98fed3d2f90b2ddee8027" IssueInstant="2017-03-09T09:32:00Z" Version="2.0">
+  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp/</saml:Issuer>
+  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</saml:NameID>
+  <samlp:Extensions>
+    <aslo:Asynchronous xmlns:aslo="urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"/>
+  </samlp:Extensions>
+  <samlp:SessionIndex>a1b93b43-4652-4e76-937a-cf3b982d683a</samlp:SessionIndex>
+</samlp:LogoutRequest>
\ No newline at end of file
diff --git a/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-attributequery-with-extension.xml b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-attributequery-with-extension.xml
new file mode 100644
index 0000000000..525e69246b
--- /dev/null
+++ b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-attributequery-with-extension.xml
@@ -0,0 +1,19 @@
+<samlp:AttributeQuery
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+    ID="aaf23196-1773-2113-474a-fe114412ab72"
+    Version="2.0"
+    IssueInstant="2006-07-17T20:31:40">
+    <samlp:Extensions>
+        <kckey:KeyInfo xmlns:kckey="urn:keycloak:ext:key:1.0" MessageSigningKeyId="FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"/>
+    </samlp:Extensions>
+    <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> 
+        https://sp/
+    </saml:Issuer>
+    <saml:Subject>
+        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> 
+            CN=trscavo@uiuc.edu,OU=User,O=NCSA-TEST,C=US
+        </saml:NameID>
+    </saml:Subject>
+    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.42" FriendlyName="givenName"/>
+</samlp:AttributeQuery>
\ No newline at end of file
diff --git a/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-attributequery.xml b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-attributequery.xml
new file mode 100644
index 0000000000..0e64bbf1cd
--- /dev/null
+++ b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-attributequery.xml
@@ -0,0 +1,16 @@
+<samlp:AttributeQuery
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+    ID="aaf23196-1773-2113-474a-fe114412ab72"
+    Version="2.0"
+    IssueInstant="2006-07-17T20:31:40">
+    <saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> 
+        https://sp/
+    </saml:Issuer>
+    <saml:Subject>
+        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"> 
+            CN=trscavo@uiuc.edu,OU=User,O=NCSA-TEST,C=US
+        </saml:NameID>
+    </saml:Subject>
+    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.42" FriendlyName="givenName"/>
+</samlp:AttributeQuery>
\ No newline at end of file
diff --git a/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-authnrequest-with-extension.xml b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-authnrequest-with-extension.xml
new file mode 100644
index 0000000000..655eae6d30
--- /dev/null
+++ b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-authnrequest-with-extension.xml
@@ -0,0 +1,8 @@
+<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                    ID="aaf23196-1773-2113-474a-fe114412ab72" Version="2.0" IssueInstant="2004-12-05T09:21:59">
+    <saml:Issuer>https://sp/</saml:Issuer>
+    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
+    <samlp:Extensions>
+        <kckey:KeyInfo xmlns:kckey="urn:keycloak:ext:key:1.0" MessageSigningKeyId="FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"/>
+    </samlp:Extensions>
+</samlp:AuthnRequest>
\ No newline at end of file
diff --git a/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-authnrequest.xml b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-authnrequest.xml
new file mode 100644
index 0000000000..7e63302498
--- /dev/null
+++ b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-authnrequest.xml
@@ -0,0 +1,5 @@
+<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                    ID="aaf23196-1773-2113-474a-fe114412ab72" Version="2.0" IssueInstant="2004-12-05T09:21:59">
+    <saml:Issuer>https://sp/</saml:Issuer>
+    <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
+</samlp:AuthnRequest>
\ No newline at end of file