From 48038b6787531fa6a5d182f5873f256a148a070d Mon Sep 17 00:00:00 2001 From: Scott Cantor Date: Fri, 6 Oct 2006 03:54:56 +0000 Subject: [PATCH] 2.0 POST binding and test --- .cdtproject | 3 +- saml/Makefile.am | 7 +- saml/binding/impl/MessageDecoder.cpp | 2 +- saml/saml.vcproj | 8 + saml/saml1/binding/impl/SAML1POSTDecoder.cpp | 43 ++--- saml/saml2/binding/SAML2POSTDecoder.h | 49 ++++++ saml/saml2/binding/impl/SAML2POSTDecoder.cpp | 229 ++++++++++++++++++++++++++ samltest/Makefile.am | 1 + samltest/data/saml2/binding/SAML2Response.xml | 14 ++ samltest/saml1/binding/.gitignore | 1 + samltest/saml1/binding/SAML1POSTTest.h | 2 + samltest/saml2/binding/.gitignore | 1 + samltest/saml2/binding/SAML2POSTTest.h | 147 +++++++++++++++++ samltest/samltest.vcproj | 26 +++ 14 files changed, 508 insertions(+), 25 deletions(-) create mode 100644 saml/saml2/binding/SAML2POSTDecoder.h create mode 100644 saml/saml2/binding/impl/SAML2POSTDecoder.cpp create mode 100644 samltest/data/saml2/binding/SAML2Response.xml create mode 100644 samltest/saml1/binding/.gitignore create mode 100644 samltest/saml2/binding/.gitignore create mode 100644 samltest/saml2/binding/SAML2POSTTest.h diff --git a/.cdtproject b/.cdtproject index 0361b54..0de9cbd 100644 --- a/.cdtproject +++ b/.cdtproject @@ -81,12 +81,13 @@ - + + diff --git a/saml/Makefile.am b/saml/Makefile.am index d0ebc77..eb10f70 100644 --- a/saml/Makefile.am +++ b/saml/Makefile.am @@ -64,6 +64,7 @@ saml1bindinclude_HEADERS = \ saml1/binding/SAMLArtifactType0001.h \ saml1/binding/SAMLArtifactType0002.h \ saml1/binding/SAML1ArtifactEncoder.h \ + saml1/binding/SAML1POSTDecoder.h \ saml1/binding/SAML1POSTEncoder.h saml2coreinclude_HEADERS = \ @@ -73,8 +74,9 @@ saml2coreinclude_HEADERS = \ saml2bindinclude_HEADERS = \ saml2/binding/SAML2Artifact.h \ saml2/binding/SAML2ArtifactType0004.h \ - saml1/binding/SAML2ArtifactEncoder.h \ - saml1/binding/SAML2POSTEncoder.h + saml2/binding/SAML2ArtifactEncoder.h \ + saml2/binding/SAML2POSTDecoder.h \ + saml2/binding/SAML2POSTEncoder.h saml2mdinclude_HEADERS = \ saml2/metadata/AbstractMetadataProvider.h \ @@ -121,6 +123,7 @@ libsaml_la_SOURCES = \ saml2/binding/impl/SAML2Artifact.cpp \ saml2/binding/impl/SAML2ArtifactType0004.cpp \ saml2/binding/impl/SAML2ArtifactEncoder.cpp \ + saml2/binding/impl/SAML2POSTDecoder.cpp \ saml2/binding/impl/SAML2POSTEncoder.cpp \ encryption/EncryptedKeyResolver.cpp \ security/impl/TrustEngine.cpp \ diff --git a/saml/binding/impl/MessageDecoder.cpp b/saml/binding/impl/MessageDecoder.cpp index 0b87270..e867ddb 100644 --- a/saml/binding/impl/MessageDecoder.cpp +++ b/saml/binding/impl/MessageDecoder.cpp @@ -44,5 +44,5 @@ void SAML_API opensaml::registerMessageDecoders() //conf.MessageDecoderManager.registerFactory(SAML1_ARTIFACT_DECODER, saml1p::SAML1ArtifactDecoderFactory); conf.MessageDecoderManager.registerFactory(SAML1_POST_DECODER, saml1p::SAML1POSTDecoderFactory); //conf.MessageDecoderManager.registerFactory(SAML2_ARTIFACT_DECODER, saml2p::SAML2ArtifactDecoderFactory); - //conf.MessageDecoderManager.registerFactory(SAML2_POST_DECODER, saml2p::SAML2POSTDecoderFactory); + conf.MessageDecoderManager.registerFactory(SAML2_POST_DECODER, saml2p::SAML2POSTDecoderFactory); } diff --git a/saml/saml.vcproj b/saml/saml.vcproj index cbfd019..135d2c9 100644 --- a/saml/saml.vcproj +++ b/saml/saml.vcproj @@ -399,6 +399,10 @@ + + @@ -622,6 +626,10 @@ > + + diff --git a/saml/saml1/binding/impl/SAML1POSTDecoder.cpp b/saml/saml1/binding/impl/SAML1POSTDecoder.cpp index 181d6f9..83f893c 100644 --- a/saml/saml1/binding/impl/SAML1POSTDecoder.cpp +++ b/saml/saml1/binding/impl/SAML1POSTDecoder.cpp @@ -98,6 +98,7 @@ Response* SAML1POSTDecoder::decode( if (!response) throw BindingException("Decoded message was not a SAML 1.x Response."); + const EntityDescriptor* provider=NULL; try { if (!m_validate) SchemaValidators.validate(xmlObject.get()); @@ -142,8 +143,7 @@ Response* SAML1POSTDecoder::decode( const vector& assertions=const_cast(response)->getAssertions(); if (!assertions.empty()) { log.debug("searching metadata for assertion issuer..."); - const EntityDescriptor* provider= - metadataProvider ? metadataProvider->getEntityDescriptor(assertions.front()->getIssuer()) : NULL; + provider=metadataProvider ? metadataProvider->getEntityDescriptor(assertions.front()->getIssuer()) : NULL; if (provider) { log.debug("matched assertion issuer against metadata, searching for applicable role..."); pair minor = response->getMinorVersion(); @@ -156,8 +156,10 @@ Response* SAML1POSTDecoder::decode( issuerTrusted = static_cast(trustEngine)->validate( *(response->getSignature()), *issuer, metadataProvider->getKeyResolver() ); - if (!issuerTrusted) + if (!issuerTrusted) { log.error("unable to verify signature on message with supplied trust engine"); + throw BindingException("Message signature failed verification."); + } } else { log.warn("unable to verify integrity of the message, leaving untrusted"); @@ -186,27 +188,26 @@ Response* SAML1POSTDecoder::decode( } catch (XMLToolingException& ex) { // Check for an Issuer. - const vector& assertions=const_cast(response)->getAssertions(); - if (!assertions.empty()) { - if (!metadataProvider) { + if (!provider) { + const vector& assertions=const_cast(response)->getAssertions(); + if (!assertions.empty() || !metadataProvider || + !(provider=metadataProvider->getEntityDescriptor(assertions.front()->getIssuer(), false))) { // Just record it. - auto_ptr_char issuer(assertions.front()->getIssuer()); - if (issuer.get()) - ex.addProperty("entityID", issuer.get()); - throw; - } - // Try and locate metadata for error handling. - const EntityDescriptor* provider=metadataProvider->getEntityDescriptor(assertions.front()->getIssuer(),false); - if (provider) { - pair minor = response->getMinorVersion(); - issuer=provider->getRoleDescriptor( - *role, - (minor.first && minor.second==0) ? SAMLConstants::SAML10_PROTOCOL_ENUM : SAMLConstants::SAML11_PROTOCOL_ENUM - ); - if (issuer) annotateException(&ex,issuer); // throws it - annotateException(&ex,provider); // throws it + auto_ptr_char iname(assertions.front()->getIssuer()); + if (iname.get()) + ex.addProperty("entityID", iname.get()); + throw; } } + if (!issuer) { + pair minor = response->getMinorVersion(); + issuer=provider->getRoleDescriptor( + *role, + (minor.first && minor.second==0) ? SAMLConstants::SAML10_PROTOCOL_ENUM : SAMLConstants::SAML11_PROTOCOL_ENUM + ); + } + if (issuer) annotateException(&ex,issuer); // throws it + annotateException(&ex,provider); // throws it } xmlObject.release(); diff --git a/saml/saml2/binding/SAML2POSTDecoder.h b/saml/saml2/binding/SAML2POSTDecoder.h new file mode 100644 index 0000000..4e49c2b --- /dev/null +++ b/saml/saml2/binding/SAML2POSTDecoder.h @@ -0,0 +1,49 @@ +/* + * Copyright 2001-2006 Internet2 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * @file saml/saml2/binding/SAML2POSTDecoder.h + * + * SAML 2.0 HTTP POST binding message decoder + */ + +#include + +namespace opensaml { + namespace saml2p { + + /** + * SAML 2.0 HTTP POST binding message decoder + */ + class SAML_API SAML2POSTDecoder : public MessageDecoder + { + public: + SAML2POSTDecoder(const DOMElement* e); + virtual ~SAML2POSTDecoder(); + + xmltooling::XMLObject* decode( + std::string& relayState, + const saml2md::RoleDescriptor*& issuer, + bool& issuerTrusted, + const HTTPRequest& httpRequest, + const saml2md::MetadataProvider* metadataProvider=NULL, + const xmltooling::QName* role=NULL, + const X509TrustEngine* trustEngine=NULL + ) const; + }; + + }; +}; diff --git a/saml/saml2/binding/impl/SAML2POSTDecoder.cpp b/saml/saml2/binding/impl/SAML2POSTDecoder.cpp new file mode 100644 index 0000000..bf7b55d --- /dev/null +++ b/saml/saml2/binding/impl/SAML2POSTDecoder.cpp @@ -0,0 +1,229 @@ +/* + * Copyright 2001-2006 Internet2 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * SAML2POSTDecoder.cpp + * + * SAML 2.0 HTTP POST binding message encoder + */ + +#include "internal.h" +#include "exceptions.h" +#include "saml/binding/ReplayCache.h" +#include "saml2/binding/SAML2POSTDecoder.h" +#include "saml2/core/Protocols.h" +#include "saml2/metadata/Metadata.h" +#include "saml2/metadata/MetadataProvider.h" +#include "security/X509TrustEngine.h" + +#include +#include +#include + +using namespace opensaml::saml2md; +using namespace opensaml::saml2p; +using namespace opensaml::saml2; +using namespace opensaml; +using namespace xmlsignature; +using namespace xmltooling; +using namespace log4cpp; +using namespace std; + +namespace opensaml { + namespace saml2p { + MessageDecoder* SAML_DLLLOCAL SAML2POSTDecoderFactory(const DOMElement* const & e) + { + return new SAML2POSTDecoder(e); + } + }; +}; + +SAML2POSTDecoder::SAML2POSTDecoder(const DOMElement* e) {} + +SAML2POSTDecoder::~SAML2POSTDecoder() {} + +XMLObject* SAML2POSTDecoder::decode( + string& relayState, + const RoleDescriptor*& issuer, + bool& issuerTrusted, + const HTTPRequest& httpRequest, + const MetadataProvider* metadataProvider, + const QName* role, + const X509TrustEngine* trustEngine + ) const +{ +#ifdef _DEBUG + xmltooling::NDC ndc("decode"); +#endif + Category& log = Category::getInstance(SAML_LOGCAT".MessageDecoder.SAML2POST"); + + log.debug("validating input"); + if (strcmp(httpRequest.getMethod(),"POST")) + return NULL; + const char* msg = httpRequest.getParameter("SAMLResponse"); + if (!msg) + msg = httpRequest.getParameter("SAMLRequest"); + if (!msg) + return NULL; + const char* state = httpRequest.getParameter("RelayState"); + if (state) + relayState = state; + else + relayState.erase(); + + // Decode the base64 into SAML. + unsigned int x; + XMLByte* decoded=Base64::decode(reinterpret_cast(msg),&x); + if (!decoded) + throw BindingException("Unable to decode base64 in POST binding message."); + log.debug("decoded SAML message:\n%s", decoded); + istringstream is(reinterpret_cast(decoded)); + XMLString::release(&decoded); + + // Parse and bind the document into an XMLObject. + DOMDocument* doc = (m_validate ? XMLToolingConfig::getConfig().getValidatingParser() + : XMLToolingConfig::getConfig().getParser()).parse(is); + XercesJanitor janitor(doc); + auto_ptr xmlObject(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true)); + janitor.release(); + + StatusResponseType* response = NULL; + RequestAbstractType* request = dynamic_cast(xmlObject.get()); + if (!request) { + response = dynamic_cast(xmlObject.get()); + if (!response) + throw BindingException("XML content for SAML 2.0 HTTP-POST Decoder must be a SAML 2.0 protocol message."); + } + + /* For SAML 2, the issuer can be established either from the message, or in some profiles + * it's possible to omit it and defer to assertions in a Response. + * The Issuer is later matched against metadata, and then trust checking can be applied. + */ + const Issuer* claimedIssuer = request ? request->getIssuer() : response->getIssuer(); + if (!claimedIssuer) { + // Check assertion option. I cannot resist the variable name, for the sake of google. + const Response* assbag = dynamic_cast(response); + if (assbag) { + const vector& assertions=assbag->getAssertions(); + if (!assertions.empty()) + claimedIssuer = assertions.front()->getIssuer(); + } + } + + const EntityDescriptor* provider=NULL; + try { + if (!m_validate) + SchemaValidators.validate(xmlObject.get()); + + Signature* signature = request ? request->getSignature() : response->getSignature(); + + // Check destination URL. + auto_ptr_char dest(request ? request->getDestination() : response->getDestination()); + const char* dest2 = httpRequest.getRequestURL(); + if (signature && !dest.get() || !*(dest.get())) { + log.error("signed SAML message missing Destination attribute"); + throw BindingException("Signed SAML message missing Destination attribute identifying intended destination."); + } + else if (dest.get() && (!dest2 || !*dest2 || strcmp(dest.get(),dest2))) { + log.error("POST targeted at (%s), but delivered to (%s)", dest.get(), dest2 ? dest2 : "none"); + throw BindingException("SAML message delivered with POST to incorrect server URL."); + } + + // Check freshness. + time_t now = time(NULL); + if ((request ? request->getIssueInstant()->getEpoch() : response->getIssueInstant()->getEpoch()) + < now-(2*XMLToolingConfig::getConfig().clock_skew_secs)) + throw BindingException("Detected expired POST binding message."); + + // Check replay. + ReplayCache* replayCache = SAMLConfig::getConfig().getReplayCache(); + if (replayCache) { + auto_ptr_char id(xmlObject->getXMLID()); + if (!replayCache->check("SAML2POST", id.get(), response->getIssueInstant()->getEpoch() + (2*XMLToolingConfig::getConfig().clock_skew_secs))) { + log.error("replay detected of response ID (%s)", id.get()); + throw BindingException("Rejecting replayed response ID ($1).", params(1,id.get())); + } + } + else + log.warn("replay cache was not provided, this is a serious security risk!"); + + issuer = NULL; + issuerTrusted = false; + log.debug("attempting to establish issuer and integrity of message..."); + + // If we can't identify the issuer, we're done, since we can't lookup or verify anything. + if (!claimedIssuer || !claimedIssuer->getName()) { + log.warn("unable to establish identity of message issuer"); + return xmlObject.release(); + } + else if (claimedIssuer->getFormat() && !XMLString::equals(claimedIssuer->getFormat(), NameIDType::ENTITY)) { + auto_ptr_char iformat(claimedIssuer->getFormat()); + log.warn("message issuer was in an unsupported format (%s)", iformat.get()); + return xmlObject.release(); + } + + log.debug("searching metadata for assertion issuer..."); + provider=metadataProvider ? metadataProvider->getEntityDescriptor(claimedIssuer->getName()) : NULL; + if (provider) { + log.debug("matched assertion issuer against metadata, searching for applicable role..."); + issuer=provider->getRoleDescriptor(*role, SAMLConstants::SAML20P_NS); + if (issuer) { + if (trustEngine && signature) { + issuerTrusted = static_cast(trustEngine)->validate( + *signature, *issuer, metadataProvider->getKeyResolver() + ); + if (!issuerTrusted) { + log.error("unable to verify signature on message with supplied trust engine"); + throw BindingException("Message signature failed verification."); + } + } + else { + log.warn("unable to verify integrity of the message, leaving untrusted"); + } + } + else { + log.warn("unable to find compatible SAML 2.0 role (%s) in metadata", role->toString().c_str()); + } + if (log.isDebugEnabled()) { + auto_ptr_char iname(provider->getEntityID()); + log.debug("message from (%s), integrity %sverified", iname.get(), issuerTrusted ? "" : "NOT "); + } + } + else { + auto_ptr_char temp(claimedIssuer->getName()); + log.warn("no metadata found, can't establish identity of issuer (%s)", temp.get()); + } + } + catch (XMLToolingException& ex) { + if (!provider) { + if (!claimedIssuer || !claimedIssuer->getName()) + throw; + if (!metadataProvider || !(provider=metadataProvider->getEntityDescriptor(claimedIssuer->getName(), false))) { + // Just record it. + auto_ptr_char iname(claimedIssuer->getName()); + if (iname.get()) + ex.addProperty("entityID", iname.get()); + throw; + } + } + if (!issuer) + issuer=provider->getRoleDescriptor(*role, SAMLConstants::SAML20P_NS); + if (issuer) annotateException(&ex,issuer); // throws it + annotateException(&ex,provider); // throws it + } + + return xmlObject.release(); +} diff --git a/samltest/Makefile.am b/samltest/Makefile.am index f4f7be6..965f91d 100644 --- a/samltest/Makefile.am +++ b/samltest/Makefile.am @@ -31,6 +31,7 @@ samltest_h = \ saml1/core/impl/AudienceRestrictionConditionTest.h \ saml1/core/impl/AudienceTest.h \ saml1/core/impl/AuthenticationStatementTest.h \ + saml2/binding/impl/SAML2POSTTest.h \ saml2/core/impl/Action20Test.h \ saml2/core/impl/Advice20Test.h \ saml2/core/impl/Artifact20Test.h \ diff --git a/samltest/data/saml2/binding/SAML2Response.xml b/samltest/data/saml2/binding/SAML2Response.xml new file mode 100644 index 0000000..feaf0c4 --- /dev/null +++ b/samltest/data/saml2/binding/SAML2Response.xml @@ -0,0 +1,14 @@ + + https://idp.example.org/ + + + https://idp.example.org/ + John Doe + + + foo + + + + diff --git a/samltest/saml1/binding/.gitignore b/samltest/saml1/binding/.gitignore new file mode 100644 index 0000000..e16b497 --- /dev/null +++ b/samltest/saml1/binding/.gitignore @@ -0,0 +1 @@ +/*.cpp diff --git a/samltest/saml1/binding/SAML1POSTTest.h b/samltest/saml1/binding/SAML1POSTTest.h index 2d6da7a..27e96ee 100644 --- a/samltest/saml1/binding/SAML1POSTTest.h +++ b/samltest/saml1/binding/SAML1POSTTest.h @@ -59,6 +59,7 @@ public: bool trusted=false; QName idprole(SAMLConstants::SAML20MD_NS, IDPSSODescriptor::LOCAL_NAME); auto_ptr decoder(SAMLConfig::getConfig().MessageDecoderManager.newPlugin(SAML1_POST_DECODER, NULL)); + Locker locker(m_metadata); auto_ptr response( dynamic_cast( decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole,m_trust) @@ -106,6 +107,7 @@ public: bool trusted=false; QName idprole(SAMLConstants::SAML20MD_NS, IDPSSODescriptor::LOCAL_NAME); auto_ptr decoder(SAMLConfig::getConfig().MessageDecoderManager.newPlugin(SAML1_POST_DECODER, NULL)); + Locker locker(m_metadata); auto_ptr response( dynamic_cast( decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole) diff --git a/samltest/saml2/binding/.gitignore b/samltest/saml2/binding/.gitignore new file mode 100644 index 0000000..e16b497 --- /dev/null +++ b/samltest/saml2/binding/.gitignore @@ -0,0 +1 @@ +/*.cpp diff --git a/samltest/saml2/binding/SAML2POSTTest.h b/samltest/saml2/binding/SAML2POSTTest.h new file mode 100644 index 0000000..4e2ed8e --- /dev/null +++ b/samltest/saml2/binding/SAML2POSTTest.h @@ -0,0 +1,147 @@ +/* + * Copyright 2001-2005 Internet2 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "binding.h" + +#include + +using namespace opensaml::saml2p; +using namespace opensaml::saml2; + +class SAML2POSTTest : public CxxTest::TestSuite, public SAMLBindingBaseTestCase { +public: + void setUp() { + m_fields.clear(); + SAMLBindingBaseTestCase::setUp(); + } + + void tearDown() { + m_fields.clear(); + SAMLBindingBaseTestCase::tearDown(); + } + + void testSAML2POSTTrusted() { + try { + // Read message to use from file. + string path = data_path + "saml2/binding/SAML2Response.xml"; + ifstream in(path.c_str()); + DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in); + XercesJanitor janitor(doc); + auto_ptr toSend( + dynamic_cast(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(),true)) + ); + janitor.release(); + + // Freshen timestamp. + toSend->setIssueInstant(time(NULL)); + + // Encode message. + auto_ptr encoder(SAMLConfig::getConfig().MessageEncoderManager.newPlugin(SAML2_POST_ENCODER, NULL)); + encoder->encode(m_fields,toSend.get(),"https://sp.example.org/","state",m_creds); + toSend.release(); + + // Decode message. + string relayState; + const RoleDescriptor* issuer=NULL; + bool trusted=false; + QName idprole(SAMLConstants::SAML20MD_NS, IDPSSODescriptor::LOCAL_NAME); + auto_ptr decoder(SAMLConfig::getConfig().MessageDecoderManager.newPlugin(SAML2_POST_DECODER, NULL)); + Locker locker(m_metadata); + auto_ptr response( + dynamic_cast( + decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole,m_trust) + ) + ); + + // Test the results. + TSM_ASSERT_EQUALS("RelayState was not the expected result.", relayState, "state"); + TSM_ASSERT("SAML Response not decoded successfully.", response.get()); + TSM_ASSERT("Message was not verified.", issuer && trusted); + auto_ptr_char entityID(dynamic_cast(issuer->getParent())->getEntityID()); + TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/")); + TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1); + } + catch (XMLToolingException& ex) { + TS_TRACE(ex.what()); + throw; + } + } + + void testSAML2POSTUntrusted() { + try { + // Read message to use from file. + string path = data_path + "saml2/binding/SAML2Response.xml"; + ifstream in(path.c_str()); + DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(in); + XercesJanitor janitor(doc); + auto_ptr toSend( + dynamic_cast(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(),true)) + ); + janitor.release(); + + // Freshen timestamp and clear ID. + toSend->setIssueInstant(time(NULL)); + toSend->setID(NULL); + + // Encode message. + auto_ptr encoder(SAMLConfig::getConfig().MessageEncoderManager.newPlugin(SAML2_POST_ENCODER, NULL)); + encoder->encode(m_fields,toSend.get(),"https://sp.example.org/","state"); + toSend.release(); + + // Decode message. + string relayState; + const RoleDescriptor* issuer=NULL; + bool trusted=false; + QName idprole(SAMLConstants::SAML20MD_NS, IDPSSODescriptor::LOCAL_NAME); + auto_ptr decoder(SAMLConfig::getConfig().MessageDecoderManager.newPlugin(SAML2_POST_DECODER, NULL)); + Locker locker(m_metadata); + auto_ptr response( + dynamic_cast( + decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole) + ) + ); + + // Test the results. + TSM_ASSERT_EQUALS("RelayState was not the expected result.", relayState, "state"); + TSM_ASSERT("SAML Response not decoded successfully.", response.get()); + TSM_ASSERT("Message was verified.", issuer && !trusted); + auto_ptr_char entityID(dynamic_cast(issuer->getParent())->getEntityID()); + TSM_ASSERT("Issuer was not expected.", !strcmp(entityID.get(),"https://idp.example.org/")); + TSM_ASSERT_EQUALS("Assertion count was not correct.", response->getAssertions().size(), 1); + + // Trigger a replay. + TSM_ASSERT_THROWS("Did not catch the replay.", + decoder->decode(relayState,issuer,trusted,*this,m_metadata,&idprole,m_trust), + BindingException); + } + catch (XMLToolingException& ex) { + TS_TRACE(ex.what()); + throw; + } + } + + const char* getMethod() const { + return "POST"; + } + + const char* getRequestURL() const { + return "https://sp.example.org/SAML/POST"; + } + + const char* getQueryString() const { + return NULL; + } +}; diff --git a/samltest/samltest.vcproj b/samltest/samltest.vcproj index 98d301e..b282259 100644 --- a/samltest/samltest.vcproj +++ b/samltest/samltest.vcproj @@ -532,6 +532,10 @@ + + + + + + + + + +