Merge branch 'feature/requister-id-scoping' of https://github.com/Ope…

…nConext/spring-security-saml into feature/pr_batch #19
spring-attic · Mar 7, 2018 · a8b3720 · a8b3720
2 parents 4c544c4 + e42436e
commit a8b3720
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,4 @@
-.idea
+/.idea
 /**/*.ipr
 /**/*.iws
 /**/*.iml

diff --git a/core/src/main/java/org/springframework/security/saml/websso/WebSSOProfileImpl.java b/core/src/main/java/org/springframework/security/saml/websso/WebSSOProfileImpl.java
@@ -19,6 +19,7 @@
 import org.opensaml.common.SAMLRuntimeException;
 import org.opensaml.common.SAMLVersion;
 import org.opensaml.saml2.core.*;
+import org.opensaml.saml2.core.impl.RequesterIDBuilder;
 import org.opensaml.saml2.metadata.AssertionConsumerService;
 import org.opensaml.saml2.metadata.IDPSSODescriptor;
 import org.opensaml.saml2.metadata.SPSSODescriptor;
@@ -31,6 +32,7 @@
 import org.springframework.security.saml.metadata.MetadataManager;
 import org.springframework.security.saml.processor.SAMLProcessor;
 import org.springframework.security.saml.storage.SAMLMessageStorage;
+import org.springframework.util.CollectionUtils;
 
 import java.util.Collection;
 import java.util.List;
@@ -363,8 +365,20 @@ protected void buildScoping(AuthnRequest request, SingleSignOnService serviceURI
             Scoping scoping = scopingBuilder.buildObject();
             scoping.setIDPList(idpList);
             scoping.setProxyCount(options.getProxyCount());
+
+            if (!CollectionUtils.isEmpty(options.getRequesterIds())) {
+                RequesterIDBuilder requesterIDBuilder = new RequesterIDBuilder();
+                for (String id : options.getRequesterIds()) {
+                    RequesterID requesterID = requesterIDBuilder.buildObject();
+                    requesterID.setRequesterID(id);
+                    scoping.getRequesterIDs().add(requesterID);
+                }
+            }
+
             request.setScoping(scoping);
 
+
+
         }
 
     }

diff --git a/core/src/main/java/org/springframework/security/saml/websso/WebSSOProfileOptions.java b/core/src/main/java/org/springframework/security/saml/websso/WebSSOProfileOptions.java
@@ -44,6 +44,8 @@ public class WebSSOProfileOptions implements Serializable, Cloneable {
     private Collection<String> authnContexts;
     private AuthnContextComparisonTypeEnumeration authnContextComparison = AuthnContextComparisonTypeEnumeration.EXACT;
 
+    private Set<String> requesterIds;
+
     public WebSSOProfileOptions() {
     }
 
@@ -271,4 +273,20 @@ public void setRelayState(String relayState) {
         this.relayState = relayState;
     }
 
+    public Set<String> getRequesterIds() {
+        return requesterIds;
+    }
+
+    /**
+     * Identifies the set of requesting entities on whose behalf the requester is acting. Used to communicate
+     * the chain of requesters when proxying occurs.
+     * <p>
+     * Property includeScoping must be enabled for this value to take any effect.
+     * </p>
+     *
+     * @param requesterIds the names of the requester
+     */
+    public void setRequesterIds(Set<String> requesterIds) {
+        this.requesterIds = requesterIds;
+    }
 }
diff --git a/core/src/test/java/org/springframework/security/saml/websso/WebSSOProfileImplTest.java b/core/src/test/java/org/springframework/security/saml/websso/WebSSOProfileImplTest.java
@@ -19,6 +19,7 @@
 import org.opensaml.common.SAMLException;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.RequesterID;
 import org.opensaml.saml2.metadata.IDPSSODescriptor;
 import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
@@ -37,6 +38,9 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
 
 import static junit.framework.Assert.assertNull;
 import static org.easymock.EasyMock.*;
@@ -359,6 +363,27 @@ public void testDisallowProxy() throws Exception {
         assertNull(authnRequest.getScoping().getProxyCount());
     }
 
+    /**
+     * Verifies that requesterIDs are added to the scoping element, if set in options.
+     *
+     * @throws Exception error
+     */
+    @Test
+    public void testRequesterIds() throws Exception {
+        options.setIncludeScoping(true);
+        List<String> ids = Arrays.asList("requesterId1", "requesterId2");
+        options.setRequesterIds(new HashSet<String>(ids));
+        storage.storeMessage((String) notNull(), (XMLObject) notNull());
+        replyMock();
+        profile.sendAuthenticationRequest(samlContext, options);
+        AuthnRequest authnRequest = (AuthnRequest) samlContext.getOutboundSAMLMessage();
+        verifyMock();
+        List<RequesterID> requesterIDs = authnRequest.getScoping().getRequesterIDs();
+        assertEquals(2, requesterIDs.size());
+        assertTrue(ids.contains(requesterIDs.get(0).getRequesterID()));
+        assertTrue(ids.contains(requesterIDs.get(1).getRequesterID()));
+    }
+
     private void verifyMock() {
         verify(response);
         verify(request);