Work in progress on issue Sustainsys#31 - Validate InResponseTo

Implemented test Saml2Response_Validate_FalseOnMissingInResponseTo_IfDisallowed Add config value for AllowUnsolicitedAuthnResponse Add possibility to set AllowUnsolicitedAuthnResponse from code in tests
roswah · Apr 29, 2014 · 1ffb3c2 · 1ffb3c2
1 parent 09f62dc
commit 1ffb3c2
Show file tree

Hide file tree

Showing 8 changed files with 62 additions and 7 deletions.
diff --git a/CustomDictionary.xml b/CustomDictionary.xml
@@ -4,6 +4,7 @@
   </Unrecognized>
   <Recognized>
     <Word>Auth</Word>
+    <Word>Authn</Word>
     <Word>AuthnRequest</Word>
     <Word>Kentor</Word>
     <Word>Idp</Word>

diff --git a/Kentor.AuthServices.Tests/App.config b/Kentor.AuthServices.Tests/App.config
@@ -7,7 +7,8 @@
   <kentor.authServices assertionConsumerServiceUrl="http://localhost/Saml2AuthenticationModule/acs"
                              issuer="https://github.com/KentorIT/authservices"
                              returnUri="http://localhost/LoggedIn">
-    <identityProvider issuer="https://idp.example.com" destinationUri="https://idp.example.com/idp" binding="HttpRedirect">
+    <identityProvider issuer="https://idp.example.com" destinationUri="https://idp.example.com/idp" 
+                      allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
       <signingCertificate fileName="Kentor.AuthServices.Tests.pfx" />
     </identityProvider>
   </kentor.authServices>

diff --git a/Kentor.AuthServices.Tests/Kentor.AuthServices.Tests.csproj b/Kentor.AuthServices.Tests/Kentor.AuthServices.Tests.csproj
@@ -38,6 +38,7 @@
       <HintPath>..\packages\NSubstitute.1.6.1.0\lib\NET40\NSubstitute.dll</HintPath>
     </Reference>
     <Reference Include="System" />
+    <Reference Include="System.Configuration" />
     <Reference Include="System.IdentityModel" />
     <Reference Include="System.Security" />
     <Reference Include="System.Web" />

diff --git a/Kentor.AuthServices.Tests/Saml2ResponseTests.cs b/Kentor.AuthServices.Tests/Saml2ResponseTests.cs
@@ -12,6 +12,13 @@ namespace Kentor.AuthServices.Tests
     [TestClass]
     public class Saml2ResponseTests
     {
+
+        [TestInitializeAttribute]
+        public void TestInitialize()
+        {
+            KentorAuthServicesSection.Current.IdentityProviders.First().AllowUnsolicitedAuthnResponse = true;
+        }
+
         [TestMethod]
         public void Saml2Response_Read_BasicParams()
         {
@@ -650,12 +657,29 @@ public void Saml2Response_Validate_TrueOnCorrectInResponseTo()
             response.Validate(SignedXmlHelper.TestCert).Should().BeTrue();
         }
 
-        [Ignore]
         [TestMethod]
         public void Saml2Response_Validate_FalseOnMissingInResponseTo_IfDisallowed()
         {
-            // False if the configuration for the current Idp disallows
-            // unsolicited responses.
+            KentorAuthServicesSection.Current.IdentityProviders.First().AllowUnsolicitedAuthnResponse = false;
+            var idp = IdentityProvider.ConfiguredIdentityProviders.First().Value;
+
+            var request = idp.CreateAuthenticateRequest();
+
+            var responseXML =
+            @"<?xml version=""1.0"" encoding=""UTF-8""?>
+            <saml2p:Response xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol""
+            ID = ""Saml2Response_Validate_TrueOnCorrectInResponseTo"" Version=""2.0"" IssueInstant=""2013-01-01T00:00:00Z""
+            Issuer = ""https://idp.example.com"">
+                <saml2p:Status>
+                    <saml2p:StatusCode Value=""urn:oasis:names:tc:SAML:2.0:status:Requester"" />
+                </saml2p:Status>
+            </saml2p:Response>";
+
+            responseXML = SignedXmlHelper.SignXml(responseXML);
+
+            var response = Saml2Response.Read(responseXML);
+
+            response.Validate(SignedXmlHelper.TestCert).Should().BeFalse();
         }
 
         [Ignore]

diff --git a/Kentor.AuthServices/Configuration/IdentityProviderElement.cs b/Kentor.AuthServices/Configuration/IdentityProviderElement.cs
@@ -11,6 +11,16 @@ namespace Kentor.AuthServices.Configuration
     /// </summary>
     public class IdentityProviderElement : ConfigurationElement
     {
+        /// <summary>
+        /// Allows local modification of the configuration for testing purposes
+        /// </summary>
+        /// <returns></returns>
+        public override bool IsReadOnly()
+        {
+            return false;
+        }
+
+
         /// <summary>
         /// Issuer as presented by the idp. Used as key to configuration.
         /// </summary>
@@ -58,5 +68,21 @@ public CertificateElement SigningCertificate
                 return (CertificateElement)base["signingCertificate"];
             }
         }
+
+        /// <summary>
+        /// Certificate location for the certificate the Idp uses to sign its messages.
+        /// </summary>
+        [ConfigurationProperty("allowUnsolicitedAuthnResponse", IsRequired = true)]
+        public bool AllowUnsolicitedAuthnResponse 
+        {
+            get
+            {
+                return (bool)base["allowUnsolicitedAuthnResponse"];
+            }
+            internal set
+            {
+                base["allowUnsolicitedAuthnResponse"] = value;
+            }
+        }
     }
 }
diff --git a/Kentor.AuthServices/Saml2Response.cs b/Kentor.AuthServices/Saml2Response.cs
@@ -269,7 +269,8 @@ public bool Validate(X509Certificate2 idpCertificate)
 
         private bool ValidateInResponseTo()
         {
-            if (InResponseTo == null)
+            if (InResponseTo == null && 
+                KentorAuthServicesSection.Current.IdentityProviders.First().AllowUnsolicitedAuthnResponse) // TODO: check correct IDP
             {
                 return true;
             }

diff --git a/SampleApplication/Web.config b/SampleApplication/Web.config
@@ -48,7 +48,8 @@
   <kentor.authServices assertionConsumerServiceUrl="http://localhost:17009/SamplePath/Saml2AuthenticationModule/Acs"
                              issuer="https://github.com/KentorIT/authservices"
                              returnUri="http://localhost:17009/SamplePath/">
-    <identityProvider issuer ="http://idp.example.com" destinationUri="https://idp.example.com" binding="HttpRedirect">
+    <identityProvider issuer ="http://idp.example.com" destinationUri="https://idp.example.com"
+                      allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
       <signingCertificate storeName="AddressBook" storeLocation="CurrentUser"
                           findValue="idp.example.com" x509FindType="FindBySubjectName" />
     </identityProvider>

diff --git a/SampleMvcApplication/Web.config b/SampleMvcApplication/Web.config
@@ -34,7 +34,7 @@
   <kentor.authServices issuer="http://localhost:2181/"
                        returnUri="http://localhost:2181/">
     <identityProvider issuer ="Kentor.AuthServices.StubIdp" destinationUri="https://idp.example.com"
-                      binding="HttpRedirect">
+                       allowUnsolicitedAuthnResponse="true" binding="HttpRedirect">
       <signingCertificate fileName="~/App_Data/Kentor.AuthServices.StubIdp.pfx" />
     </identityProvider>
   </kentor.authServices>