KEYCLOAK-7316: Default back to false if isPassive is missing in request.

2018-06-07 16:00:49 +10:00 · 2018-06-07 16:00:49 +10:00 · c8c76cc03f
commit c8c76cc03f
parent dffe70e40a
6 changed files with 90 additions and 4 deletions
--- a/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLParserTest.java
+++ b/saml-core/src/test/java/org/keycloak/saml/processing/core/parsers/saml/SAMLParserTest.java
@ -96,12 +96,13 @@ import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.Matchers.nullValue;
+
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
-
+import static org.junit.Assert.assertFalse;
 /**
 * Test class for SAML parser.
 *
@ -680,6 +681,28 @@ public class SAMLParserTest {
        assertThat(req.getRequestedAuthnContext().getAuthnContextDeclRef(), hasItem(is("urn:kc:SAML:2.0:ac:ref:demo:decl")));
    }

+    @Test //https://issues.jboss.org/browse/KEYCLOAK-7316
+    public void testAuthnRequestOptionalIsPassive() throws Exception {
+        AuthnRequestType req = assertParsed("KEYCLOAK-7316-noAtrributes.xml", AuthnRequestType.class);
+
+        assertThat("Not null!", req.isIsPassive(), nullValue());
+        assertThat("Not null!", req.isForceAuthn(), nullValue());
+
+        req = assertParsed("KEYCLOAK-7316-withTrueAttributes.xml", AuthnRequestType.class);
+
+        assertThat(req.isIsPassive(), notNullValue());
+        assertTrue("Wrong value!", req.isIsPassive().booleanValue());
+        assertThat(req.isForceAuthn(), notNullValue());
+        assertTrue("Wrong value!", req.isForceAuthn().booleanValue());
+
+        req = assertParsed("KEYCLOAK-7316-withFalseAttributes.xml", AuthnRequestType.class);
+
+        assertThat(req.isIsPassive(), notNullValue());
+        assertFalse("Wrong value!", req.isIsPassive().booleanValue());
+        assertThat(req.isForceAuthn(), notNullValue());
+        assertFalse("Wrong value!", req.isForceAuthn().booleanValue());
+    }
+
    @Test
    public void testAuthnRequestInvalidPerXsdWithValidationDisabled() throws Exception {
        AuthnRequestType req = assertParsed("saml20-authnrequest-invalid-per-xsd.xml", AuthnRequestType.class);
--- a/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-7316-noAtrributes.xml
+++ b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-7316-noAtrributes.xml
@ -0,0 +1,14 @@
+<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                    ID="_c327a0622c69920a4bdefa8a2fd98847b67cf18473"
+                    Version="2.0"
+                    IssueInstant="2017-11-16T07:09:05Z"
+                    Destination="https://idp.example.com/auth/realms/MYIDP/protocol/saml"
+                    AssertionConsumerServiceURL="https://iif.example.com/idp/module.php/saml/sp/saml2-acs.php/default-sp"
+                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                    >
+    <saml:Issuer>https://iif.example.com/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
+    <samlp:Scoping>
+        <samlp:RequesterID>https://some.domain/sp</samlp:RequesterID>
+    </samlp:Scoping>
+</samlp:AuthnRequest>
--- a/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-7316-withFalseAttributes.xml
+++ b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-7316-withFalseAttributes.xml
@ -0,0 +1,16 @@
+<samlp:AuthnRequest ForceAuthn="false"
+                    IsPassive="false"
+                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                    ID="_c327a0622c69920a4bdefa8a2fd98847b67cf18473"
+                    Version="2.0"
+                    IssueInstant="2017-11-16T07:09:05Z"
+                    Destination="https://idp.example.com/auth/realms/MYIDP/protocol/saml"
+                    AssertionConsumerServiceURL="https://iif.example.com/idp/module.php/saml/sp/saml2-acs.php/default-sp"
+                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                    >
+    <saml:Issuer>https://iif.example.com/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
+    <samlp:Scoping>
+        <samlp:RequesterID>https://some.domain/sp</samlp:RequesterID>
+    </samlp:Scoping>
+</samlp:AuthnRequest>
--- a/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-7316-withTrueAttributes.xml
+++ b/saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/KEYCLOAK-7316-withTrueAttributes.xml
@ -0,0 +1,16 @@
+<samlp:AuthnRequest IsPassive="true"
+                    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                    ID="_c327a0622c69920a4bdefa8a2fd98847b67cf18473"
+                    Version="2.0"
+                    IssueInstant="2017-11-16T07:09:05Z"
+                    Destination="https://idp.example.com/auth/realms/MYIDP/protocol/saml"
+                    AssertionConsumerServiceURL="https://iif.example.com/idp/module.php/saml/sp/saml2-acs.php/default-sp"
+                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                    ForceAuthn="true"
+                    >
+    <saml:Issuer>https://iif.example.com/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
+    <samlp:Scoping>
+        <samlp:RequesterID>https://some.domain/sp</samlp:RequesterID>
+    </samlp:Scoping>
+</samlp:AuthnRequest>
--- a/services/src/main/java/org/keycloak/protocol/saml/SamlService.java
+++ b/services/src/main/java/org/keycloak/protocol/saml/SamlService.java
@ -338,8 +338,10 @@ public class SamlService extends AuthorizationEndpointBase {

                }
            }
-
-            return newBrowserAuthentication(authSession, requestAbstractType.isIsPassive(), redirectToAuthentication);
+            //If unset we fall back to default "false"
+            final boolean isPassive = (null == requestAbstractType.isIsPassive() ?
+                    false : requestAbstractType.isIsPassive().booleanValue());
+            return newBrowserAuthentication(authSession, isPassive, redirectToAuthentication);
        }

        protected String getBindingType(AuthnRequestType requestAbstractType) {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/AuthnRequestTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/AuthnRequestTest.java
@ -33,7 +33,6 @@ public class AuthnRequestTest extends AbstractSamlTest {

    // KEYCLOAK-7316
    @Test
-    @Ignore
    public void testIsPassiveNotSet() throws Exception {
        String res = new SamlClientBuilder()
          .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST)
@ -48,6 +47,22 @@ public class AuthnRequestTest extends AbstractSamlTest {
        assertThat(res, containsString("login"));
    }

+    // KEYCLOAK-7316
+    @Test
+    public void testIsForceAuthNotSet() throws Exception {
+        String res = new SamlClientBuilder()
+                .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST)
+                .transformObject(so -> {
+                    so.setForceAuthn(null);
+                    return so;
+                })
+                .build()
+
+                .executeAndTransform(resp -> EntityUtils.toString(resp.getEntity()));
+
+        assertThat(res, containsString("login"));
+    }
+
    // KEYCLOAK-7316
    @Test
    public void testIsPassiveFalse() throws Exception {