SAML 2 Attribute query unit test and bug fixes
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 7 Sep 2007 22:43:11 +0000 (22:43 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 7 Sep 2007 22:43:11 +0000 (22:43 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@2376 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/idp/profile/saml2/AttributeQueryProfileHandler.java
test/edu/internet2/middleware/shibboleth/idp/system/conf1/SAML2AttributeQueryTestCase.java

index 945eda4..e85447b 100644 (file)
@@ -19,13 +19,17 @@ package edu.internet2.middleware.shibboleth.idp.profile.saml2;
 import java.util.ArrayList;
 
 import org.apache.log4j.Logger;
+import org.opensaml.common.SAMLObjectBuilder;
+import org.opensaml.common.binding.BasicEndpointSelector;
 import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.core.AttributeQuery;
 import org.opensaml.saml2.core.Response;
 import org.opensaml.saml2.core.Statement;
 import org.opensaml.saml2.core.StatusCode;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
 import org.opensaml.saml2.metadata.AttributeAuthorityDescriptor;
+import org.opensaml.saml2.metadata.Endpoint;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.opensaml.saml2.metadata.provider.MetadataProvider;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
@@ -43,6 +47,17 @@ public class AttributeQueryProfileHandler extends AbstractSAML2ProfileHandler {
 
     /** Class logger. */
     private static Logger log = Logger.getLogger(AttributeQueryProfileHandler.class);
+    
+    /** Builder of assertion consumer service endpoints. */
+    private SAMLObjectBuilder<AssertionConsumerService> acsEndpointBuilder;
+
+    /** Constructor. */
+    public AttributeQueryProfileHandler() {
+        super();
+
+        acsEndpointBuilder = (SAMLObjectBuilder<AssertionConsumerService>) getBuilderFactory().getBuilder(
+                AssertionConsumerService.DEFAULT_ELEMENT_NAME);
+    }
 
     /** {@inheritDoc} */
     public String getProfileId() {
@@ -56,7 +71,7 @@ public class AttributeQueryProfileHandler extends AbstractSAML2ProfileHandler {
         AttributeQueryContext requestContext = decodeRequest(inTransport, outTransport);
 
         try {
-            if (requestContext.getRelyingPartyConfiguration() == null) {
+            if (requestContext.getProfileConfiguration() == null) {
                 log.error("SAML 2 Attribute Query profile is not configured for relying party "
                         + requestContext.getInboundMessageIssuer());
                 requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, StatusCode.REQUEST_DENIED_URI,
@@ -139,9 +154,13 @@ public class AttributeQueryProfileHandler extends AbstractSAML2ProfileHandler {
         } finally {
             // Set as much information as can be retrieved from the decoded message
             try {
+                AttributeQuery query = requestContext.getInboundSAMLMessage();
+                requestContext.setSubjectNameIdentifier(query.getSubject().getNameID());
+                
                 String relyingPartyId = requestContext.getInboundMessageIssuer();
                 RelyingPartyConfiguration rpConfig = getRelyingPartyConfiguration(relyingPartyId);
                 requestContext.setRelyingPartyConfiguration(rpConfig);
+                requestContext.setPeerEntityEndpoint(selectEndpoint(requestContext));
 
                 String assertingPartyId = requestContext.getRelyingPartyConfiguration().getProviderId();
                 requestContext.setLocalEntityId(assertingPartyId);
@@ -152,14 +171,15 @@ public class AttributeQueryProfileHandler extends AbstractSAML2ProfileHandler {
 
                 AttributeQueryConfiguration profileConfig = (AttributeQueryConfiguration) rpConfig
                         .getProfileConfiguration(AttributeQueryConfiguration.PROFILE_ID);
-                requestContext.setProfileConfiguration(profileConfig);
-                requestContext.setOutboundMessageArtifactType(profileConfig.getOutboundArtifactType());
-                if (profileConfig.getSigningCredential() != null) {
-                    requestContext.setOutboundSAMLMessageSigningCredential(profileConfig.getSigningCredential());
-                } else if (rpConfig.getDefaultSigningCredential() != null) {
-                    requestContext.setOutboundSAMLMessageSigningCredential(rpConfig.getDefaultSigningCredential());
+                if(profileConfig != null){
+                    requestContext.setProfileConfiguration(profileConfig);
+                    requestContext.setOutboundMessageArtifactType(profileConfig.getOutboundArtifactType());
+                    if (profileConfig.getSigningCredential() != null) {
+                        requestContext.setOutboundSAMLMessageSigningCredential(profileConfig.getSigningCredential());
+                    } else if (rpConfig.getDefaultSigningCredential() != null) {
+                        requestContext.setOutboundSAMLMessageSigningCredential(rpConfig.getDefaultSigningCredential());
+                    }
                 }
-
             } catch (MetadataProviderException e) {
                 log.error("Unable to locate metadata for asserting or relying party");
                 requestContext.setFailureStatus(buildStatus(StatusCode.RESPONDER_URI, null,
@@ -168,6 +188,33 @@ public class AttributeQueryProfileHandler extends AbstractSAML2ProfileHandler {
             }
         }
     }
+    
+    /**
+     * Selects the appropriate endpoint for the relying party and stores it in the request context.
+     * 
+     * @param requestContext current request context
+     * 
+     * @return Endpoint selected from the information provided in the request context
+     */
+    protected Endpoint selectEndpoint(AttributeQueryContext requestContext) {
+        Endpoint endpoint;
+
+        if (getInboundBinding().equals(SAMLConstants.SAML2_SOAP11_BINDING_URI)) {
+            endpoint = acsEndpointBuilder.buildObject();
+            endpoint.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI);
+        } else {
+            BasicEndpointSelector endpointSelector = new BasicEndpointSelector();
+            endpointSelector.setEndpointType(AssertionConsumerService.DEFAULT_ELEMENT_NAME);
+            endpointSelector.setMetadataProvider(getMetadataProvider());
+            endpointSelector.setEntityMetadata(requestContext.getPeerEntityMetadata());
+            endpointSelector.setEntityRoleMetadata(requestContext.getPeerEntityRoleMetadata());
+            endpointSelector.setSamlRequest(requestContext.getInboundSAMLMessage());
+            endpointSelector.getSupportedIssuerBindings().addAll(getSupportedOutboundBindings());
+            endpoint = endpointSelector.selectEndpoint();
+        }
+
+        return endpoint;
+    }
 
     /** Basic data structure used to accumulate information as a request is being processed. */
     protected class AttributeQueryContext extends
index 5e59708..f9a9a94 100644 (file)
@@ -24,7 +24,6 @@ import org.opensaml.common.SAMLVersion;
 import org.opensaml.saml2.core.AttributeQuery;
 import org.opensaml.saml2.core.Issuer;
 import org.opensaml.saml2.core.NameID;
-import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.saml2.core.Subject;
 import org.opensaml.ws.soap.common.SOAPObjectBuilder;
 import org.opensaml.ws.soap.soap11.Body;
@@ -48,13 +47,13 @@ import edu.internet2.middleware.shibboleth.common.profile.ProfileHandlerManager;
  */
 public class SAML2AttributeQueryTestCase extends BaseConf1TestCase {
 
-    /** Tests a request where the Issuer can not be authenticated. */
-    public void testUnathenticatedIssuer() throws Exception {
-        AttributeQuery query = buildAttributeQuery("urn:example.org:unitTest:sp1");
+    /** Tests that the attribute query handler correctly handles an incomming query. */
+    public void testAttributeQuery() throws Exception{
+        AttributeQuery query = buildAttributeQuery("urn:example.org:sp1");
         String soapMessage = getSOAPMessage(query);
 
         MockHttpServletRequest servletRequest = new MockHttpServletRequest();
-        servletRequest.setPathInfo("/IdP/saml2/SOAP/AttributeQuery");
+        servletRequest.setPathInfo("/saml2/SOAP/AttributeQuery");
         servletRequest.setContent(soapMessage.getBytes());
 
         MockHttpServletResponse servletResponse = new MockHttpServletResponse();
@@ -70,43 +69,18 @@ public class SAML2AttributeQueryTestCase extends BaseConf1TestCase {
         handler.processRequest(profileRequest, profileResponse);
 
         String response = servletResponse.getContentAsString();
-        assertTrue(response.contains(StatusCode.RESPONDER_URI));
-        assertTrue(response.contains(StatusCode.REQUEST_DENIED_URI));
+        assertTrue(response.contains("urn:oasis:names:tc:SAML:2.0:status:Success"));
+        assertTrue(response.contains("Name=\"principalName\""));
+        assertTrue(response.contains("testUser"));
     }
-
-    /** Test a request where the Issuer is authenticated and has not requested any specific attributes. */
-    public void testAuthenticatedIssuerNoProfileConfiguration() throws Exception {
-        AttributeQuery query = buildAttributeQuery("urn:example.org:unitTest:sp1");
-        String soapMessage = getSOAPMessage(query);
-
-        MockHttpServletRequest servletRequest = new MockHttpServletRequest();
-        servletRequest.setPathInfo("/IdP/saml2/SOAP/AttributeQueryNoAuth");
-        servletRequest.setContent(soapMessage.getBytes());
-
-        MockHttpServletResponse servletResponse = new MockHttpServletResponse();
-
-        ProfileHandlerManager handlerManager = (ProfileHandlerManager) getApplicationContext().getBean(
-                "shibboleth.HandlerManager");
-        ProfileHandler handler = handlerManager.getProfileHandler(servletRequest);
-        assertNotNull(handler);
-
-        // Process request
-        HTTPInTransport profileRequest = new HttpServletRequestAdapter(servletRequest);
-        HTTPOutTransport profileResponse = new HttpServletResponseAdapter(servletResponse);
-        handler.processRequest(profileRequest, profileResponse);
-
-        String response = servletResponse.getContentAsString();
-        assertTrue(response.contains(StatusCode.RESPONDER_URI));
-        assertTrue(response.contains(StatusCode.REQUEST_DENIED_URI));
-    }
-
-    /** Test a request where the Issuer is authenticated and has not requested any specific attributes. */
-    public void testAuthenticatedIssuerNoRequestAttributes() throws Exception {
-        AttributeQuery query = buildAttributeQuery("urn:example.org:unitTestFed:sp2");
+    
+    /** Tests that the attribute query handler correctly fails out if the profile is not configured. */
+    public void testAuthenticationWithoutConfiguredQuery() throws Exception{
+        AttributeQuery query = buildAttributeQuery("urn:example.org:BogusSP");
         String soapMessage = getSOAPMessage(query);
 
         MockHttpServletRequest servletRequest = new MockHttpServletRequest();
-        servletRequest.setPathInfo("/IdP/saml2/SOAP/AttributeQueryNoAuth");
+        servletRequest.setPathInfo("/saml2/SOAP/AttributeQuery");
         servletRequest.setContent(soapMessage.getBytes());
 
         MockHttpServletResponse servletResponse = new MockHttpServletResponse();
@@ -120,11 +94,10 @@ public class SAML2AttributeQueryTestCase extends BaseConf1TestCase {
         HTTPInTransport profileRequest = new HttpServletRequestAdapter(servletRequest);
         HTTPOutTransport profileResponse = new HttpServletResponseAdapter(servletResponse);
         handler.processRequest(profileRequest, profileResponse);
-
+            
         String response = servletResponse.getContentAsString();
-        assertTrue(response.contains(StatusCode.SUCCESS_URI));
-        assertTrue(response.contains("Name=\"cn\""));
-        assertTrue(response.contains("Name=\"uid\""));
+        assertTrue(response.contains("urn:oasis:names:tc:SAML:2.0:status:Responder"));
+        assertTrue(response.contains("urn:oasis:names:tc:SAML:2.0:status:RequestDenied"));
     }
 
     /**