From 082aafa9ca8df305a77e82967117e9696482009d Mon Sep 17 00:00:00 2001
From: Scott Battaglia <scott.battaglia@gmail.com>
Date: Tue, 24 Jul 2012 22:13:25 -0400
Subject: [PATCH] CASC-184

improved SAML support.  Also execute old AND new XML in the unit tests.

cr for the first round of changes: serac
---
 .../validation/Saml11TicketValidator.java     | 53 +++++++++++--------
 .../Saml11TicketValidatorTests.java           | 45 ++++++++++++++--
 2 files changed, 70 insertions(+), 28 deletions(-)

diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Saml11TicketValidator.java b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Saml11TicketValidator.java
index 9213f91..dcfa8cf 100644
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Saml11TicketValidator.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Saml11TicketValidator.java
@@ -23,10 +23,14 @@ import org.jasig.cas.client.authentication.AttributePrincipal;
 import org.jasig.cas.client.authentication.AttributePrincipalImpl;
 import org.jasig.cas.client.util.CommonUtils;
 import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
+import org.joda.time.Interval;
 import org.opensaml.*;
 import org.opensaml.common.IdentifierGenerator;
 import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
 import org.opensaml.saml1.core.*;
+import org.opensaml.ws.soap.soap11.Envelope;
+import org.opensaml.xml.ConfigurationException;
 import org.opensaml.xml.io.Unmarshaller;
 import org.opensaml.xml.io.UnmarshallerFactory;
 import org.opensaml.xml.io.UnmarshallingException;
@@ -52,6 +56,15 @@ import javax.net.ssl.HttpsURLConnection;
  */
 public final class Saml11TicketValidator extends AbstractUrlBasedTicketValidator {
 
+    static {
+        try {
+            // we really only need to do this once, so this is why its here.
+            DefaultBootstrap.bootstrap();
+        } catch (final ConfigurationException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
     /** Time tolerance to allow for time drifting. */
     private long tolerance = 1000L;
 
@@ -62,10 +75,10 @@ public final class Saml11TicketValidator extends AbstractUrlBasedTicketValidator
 
     public Saml11TicketValidator(final String casServerUrlPrefix) {
         super(casServerUrlPrefix);
+        this.basicParserPool = new BasicParserPool();
+        this.basicParserPool.setNamespaceAware(true);
+
         try {
-            DefaultBootstrap.bootstrap();
-            this.basicParserPool = new BasicParserPool();
-            this.basicParserPool.setNamespaceAware(true);
             this.identifierGenerator = new SecureRandomIdentifierGenerator();
         } catch (final Exception e) {
             throw new RuntimeException(e);
@@ -100,14 +113,13 @@ public final class Saml11TicketValidator extends AbstractUrlBasedTicketValidator
 
     protected Assertion parseResponseFromServer(final String response) throws TicketValidationException {
         try {
-        	final String removeStartOfSoapBody = response.substring(response.indexOf("<SOAP-ENV:Body>") + 15);
-        	final String removeEndOfSoapBody = removeStartOfSoapBody.substring(0, removeStartOfSoapBody.indexOf("</SOAP-ENV:Body>"));
-            final Document responseDocument = this.basicParserPool.parse(new ByteArrayInputStream(getBytes(removeEndOfSoapBody)));
+
+            final Document responseDocument = this.basicParserPool.parse(new ByteArrayInputStream(getBytes(response)));
             final Element responseRoot = responseDocument.getDocumentElement();
             final UnmarshallerFactory unmarshallerFactory = Configuration.getUnmarshallerFactory();
             final Unmarshaller unmarshaller = unmarshallerFactory.getUnmarshaller(responseRoot);
-
-            final Response samlResponse = (Response) unmarshaller.unmarshall(responseRoot);
+            final Envelope envelope = (Envelope) unmarshaller.unmarshall(responseRoot);
+            final Response samlResponse = (Response) envelope.getBody().getOrderedChildren().get(0);
 
             final List<org.opensaml.saml1.core.Assertion> assertions = samlResponse.getAssertions();
             if (assertions.isEmpty()) {
@@ -164,19 +176,21 @@ public final class Saml11TicketValidator extends AbstractUrlBasedTicketValidator
             return false;
         }
 
-        final long currentTime = getCurrentTimeInUtc().getTime();
+        final DateTime currentTime = new DateTime(DateTimeZone.UTC);
+        final Interval validityRange = new Interval(notBefore.minus(this.tolerance), notOnOrAfter.plus(this.tolerance));
 
-        if (currentTime + tolerance < notBefore.getMillis()) {
+        if (validityRange.contains(currentTime)) {
+            log.debug("Current time is within the interval validity.");
+            return true;
+        }
+
+        if (currentTime.isBefore(validityRange.getStart())) {
             log.debug("skipping assertion that's not yet valid...");
             return false;
         }
 
-        if (notOnOrAfter.getMillis() <= currentTime - tolerance) {
-            log.debug("skipping expired assertion...");
-            return false;
-        }
-
-        return true;
+        log.debug("skipping expired assertion...");
+        return false;
     }
 
     private AuthenticationStatement getSAMLAuthenticationStatement(final org.opensaml.saml1.core.Assertion assertion) {
@@ -202,19 +216,12 @@ public final class Saml11TicketValidator extends AbstractUrlBasedTicketValidator
 
     private List<?> getValuesFrom(final Attribute attribute) {
         final List<Object> list = new ArrayList<Object>();
-        // TODO I'm not actually sure if this is safe!
         for (final Object o : attribute.getAttributeValues()) {
             list.add(o.toString());
         }
         return list;
     }
 
-    private Date getCurrentTimeInUtc() {
-        final Calendar c = Calendar.getInstance();
-        c.setTimeZone(TimeZone.getTimeZone("UTC"));
-        return c.getTime();
-    }
-
     protected String retrieveResponseFromServer(final URL validationUrl, final String ticket) {
         final String MESSAGE_TO_SEND = "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\"  MajorVersion=\"1\" MinorVersion=\"1\" RequestID=\"" + this.identifierGenerator.generateIdentifier() + "\" IssueInstant=\"" + CommonUtils.formatForUtcTime(new Date()) + "\">"
                 + "<samlp:AssertionArtifact>" + ticket
diff --git a/cas-client-core/src/test/java/org/jasig/cas/client/validation/Saml11TicketValidatorTests.java b/cas-client-core/src/test/java/org/jasig/cas/client/validation/Saml11TicketValidatorTests.java
index d55b548..8ec7977 100644
--- a/cas-client-core/src/test/java/org/jasig/cas/client/validation/Saml11TicketValidatorTests.java
+++ b/cas-client-core/src/test/java/org/jasig/cas/client/validation/Saml11TicketValidatorTests.java
@@ -21,6 +21,9 @@ package org.jasig.cas.client.validation;
 
 import org.jasig.cas.client.PublicTestHttpServer;
 import org.jasig.cas.client.util.CommonUtils;
+import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
+import org.joda.time.Interval;
 import org.junit.*;
 
 import java.io.UnsupportedEncodingException;
@@ -52,7 +55,7 @@ public final class Saml11TicketValidatorTests extends AbstractTicketValidatorTes
     }*/
 
     @Test
-    public void testValidationFailedResponse() throws UnsupportedEncodingException {
+    public void testCompatibilityValidationFailedResponse() throws UnsupportedEncodingException {
         final String RESPONSE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><SOAP-ENV:Envelope\n" +
                 " xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"><SOAP-ENV:Header/><SOAP-ENV:Body><Response\n" +
                 " xmlns=\"urn:oasis:names:tc:SAML:1.0:protocol\"\n" +
@@ -75,11 +78,10 @@ public final class Saml11TicketValidatorTests extends AbstractTicketValidatorTes
     }
 
     @Test
-    public void testValidationSuccessWithNoAttributes() throws UnsupportedEncodingException {
+    public void testCompatibilityValidationSuccessWithNoAttributes() throws UnsupportedEncodingException {
+        final Interval range = currentTimeRangeInterval();
         final Date now = new Date();
-        final Date before = new Date(now.getTime() - 5000);
-        final Date after = new Date(now.getTime() + 200000000);
-        final String RESPONSE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"><SOAP-ENV:Header/><SOAP-ENV:Body><Response xmlns=\"urn:oasis:names:tc:SAML:1.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" IssueInstant=\"" + CommonUtils.formatForUtcTime(now) + "\" MajorVersion=\"1\" MinorVersion=\"1\" Recipient=\"test\" ResponseID=\"_e1e2124c08ab456eab0bbab3e1c0c433\"><Status><StatusCode Value=\"samlp:Success\"></StatusCode></Status><Assertion xmlns=\"urn:oasis:names:tc:SAML:1.0:assertion\" AssertionID=\"_d2fd0d6e4da6a6d7d2ba5274ab570d5c\" IssueInstant=\"" + CommonUtils.formatForUtcTime(now) + "\" Issuer=\"testIssuer\" MajorVersion=\"1\" MinorVersion=\"1\"><Conditions NotBefore=\"" + CommonUtils.formatForUtcTime(before) + "\" NotOnOrAfter=\"" + CommonUtils.formatForUtcTime(after) + "\"><AudienceRestrictionCondition><Audience>test</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant=\"2008-06-19T14:34:44.426Z\" AuthenticationMethod=\"urn:ietf:rfc:2246\"><Subject><NameIdentifier>testPrincipal</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>";
+        final String RESPONSE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"><SOAP-ENV:Header/><SOAP-ENV:Body><Response xmlns=\"urn:oasis:names:tc:SAML:1.0:protocol\" xmlns:saml=\"urn:oasis:names:tc:SAML:1.0:assertion\" xmlns:samlp=\"urn:oasis:names:tc:SAML:1.0:protocol\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" IssueInstant=\"" + CommonUtils.formatForUtcTime(now) + "\" MajorVersion=\"1\" MinorVersion=\"1\" Recipient=\"test\" ResponseID=\"_e1e2124c08ab456eab0bbab3e1c0c433\"><Status><StatusCode Value=\"samlp:Success\"></StatusCode></Status><Assertion xmlns=\"urn:oasis:names:tc:SAML:1.0:assertion\" AssertionID=\"_d2fd0d6e4da6a6d7d2ba5274ab570d5c\" IssueInstant=\"" + CommonUtils.formatForUtcTime(now) + "\" Issuer=\"testIssuer\" MajorVersion=\"1\" MinorVersion=\"1\"><Conditions NotBefore=\"" + CommonUtils.formatForUtcTime(range.getStart().toDate()) + "\" NotOnOrAfter=\"" + CommonUtils.formatForUtcTime(range.getEnd().toDate()) + "\"><AudienceRestrictionCondition><Audience>test</Audience></AudienceRestrictionCondition></Conditions><AuthenticationStatement AuthenticationInstant=\"2008-06-19T14:34:44.426Z\" AuthenticationMethod=\"urn:ietf:rfc:2246\"><Subject><NameIdentifier>testPrincipal</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</ConfirmationMethod></SubjectConfirmation></Subject></AuthenticationStatement></Assertion></Response></SOAP-ENV:Body></SOAP-ENV:Envelope>";
         server.content = RESPONSE.getBytes(server.encoding);
 		try {
 		    final Assertion a = this.validator.validate("test", "test");
@@ -88,4 +90,37 @@ public final class Saml11TicketValidatorTests extends AbstractTicketValidatorTes
 		    fail(e.toString());
 		}
     }
+
+    @Test
+    public void openSaml2GeneratedResponse() throws UnsupportedEncodingException {
+        final Interval range = currentTimeRangeInterval();
+        final Date now = new Date();
+        
+        final String response = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><soap11:Envelope xmlns:soap11=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap11:Body>"
+        + "<saml1p:Response xmlns:saml1p=\"urn:oasis:names:tc:SAML:1.0:protocol\" InResponseTo=\"_fd1632b5dfa921623e7ca6f9ab727161\" IssueInstant=\"" + CommonUtils.formatForUtcTime(now) + "\" MajorVersion=\"1\" MinorVersion=\"1\" Recipient=\"https://example.com/test-client/secure/?TARGET=https%3A%2F%2Fexample.com%2Ftest-client%2Fsecure%2F\" ResponseID=\"_436dbb2cca5166af29250f431a07888f\">"
+        + "<saml1p:Status><saml1p:StatusCode Value=\"saml1p:Success\"/></saml1p:Status>"
+        + "<saml1:Assertion xmlns:saml1=\"urn:oasis:names:tc:SAML:1.0:assertion\" IssueInstant=\"" + CommonUtils.formatForUtcTime(now) + "\" Issuer=\"localhost\" MajorVersion=\"1\" MinorVersion=\"1\">"
+        + "<saml1:Conditions NotBefore=\"" + CommonUtils.formatForUtcTime(range.getStart().toDate()) + "\" NotOnOrAfter=\"" + CommonUtils.formatForUtcTime(range.getEnd().toDate()) + "\">"
+        + "<saml1:AudienceRestrictionCondition><saml1:Audience>https://example.com/test-client/secure/</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions>"
+        + "<saml1:AuthenticationStatement AuthenticationInstant=\"" + CommonUtils.formatForUtcTime(now) + "\" AuthenticationMethod=\"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport\">"
+        + "<saml1:Subject><saml1:NameIdentifier>testPrincipal</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement><saml1:AttributeStatement><saml1:Subject><saml1:NameIdentifier>testPrincipal</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject><saml1:Attribute AttributeName=\"uid\" AttributeNamespace=\"http://www.ja-sig.org/products/cas/\"><saml1:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">12345</saml1:AttributeValue>"
+        + "</saml1:Attribute><saml1:Attribute AttributeName=\"accountState\" AttributeNamespace=\"http://www.ja-sig.org/products/cas/\">"
+        + "<saml1:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">ACTIVE</saml1:AttributeValue>"
+        + "</saml1:Attribute><saml1:Attribute AttributeName=\"eduPersonAffiliation\" AttributeNamespace=\"http://www.ja-sig.org/products/cas/\">"
+        + "<saml1:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">employee</saml1:AttributeValue>"
+        + "<saml1:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">staff</saml1:AttributeValue>"
+        + "<saml1:AttributeValue xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">student</saml1:AttributeValue></saml1:Attribute></saml1:AttributeStatement></saml1:Assertion></saml1p:Response></soap11:Body></soap11:Envelope>";
+
+        server.content = response.getBytes(server.encoding);
+        try {
+      		    final Assertion a = this.validator.validate("test", "test");
+      		    assertEquals("testPrincipal", a.getPrincipal().getName());
+      		} catch (final TicketValidationException e) {
+      		    fail(e.toString());
+      		}
+    }
+
+    private Interval currentTimeRangeInterval() {
+        return new Interval(new DateTime(DateTimeZone.UTC).minus(5000), new DateTime(DateTimeZone.UTC).plus(200000000));
+    }
 }