Improve authentication and logout request input params API #350

Merged
merged 5 commits into from
Jul 26, 2021
99 changes: 51 additions & 48 deletions core/src/main/java/com/onelogin/saml2/authn/AuthnRequest.java
Expand Up @@ -42,26 +42,6 @@ public class AuthnRequest {
*/
private final Saml2Settings settings;

/**
* When true the AuthNRequest will set the ForceAuthn='true'
*/
private final boolean forceAuthn;

/**
* When true the AuthNRequest will set the IsPassive='true'
*/
private final boolean isPassive;

/**
* When true the AuthNReuqest will set a nameIdPolicy
*/
private final boolean setNameIdPolicy;

/**
* Indicates to the IdP the subject that should be authenticated
*/
private final String nameIdValueReq;

/**
* Time stamp that indicates when the AuthNRequest was created
*/
Expand All @@ -72,55 +52,73 @@ public class AuthnRequest {
*
* @param settings
* OneLogin_Saml2_Settings
* @see #AuthnRequest(Saml2Settings, AuthnRequestParams)
*/
public AuthnRequest(Saml2Settings settings) {
this(settings, false, false, true);
this(settings, new AuthnRequestParams(false, false, true));
}

/**
* Constructs the AuthnRequest object.
*
* @param settings
* OneLogin_Saml2_Settings
* OneLogin_Saml2_Settings
* @param forceAuthn
* When true the AuthNReuqest will set the ForceAuthn='true'
* When true the AuthNReuqest will set the ForceAuthn='true'
* @param isPassive
* When true the AuthNReuqest will set the IsPassive='true'
* When true the AuthNReuqest will set the IsPassive='true'
* @param setNameIdPolicy
* When true the AuthNReuqest will set a nameIdPolicy
* When true the AuthNReuqest will set a nameIdPolicy
* @param nameIdValueReq
* Indicates to the IdP the subject that should be authenticated
* Indicates to the IdP the subject that should be authenticated
* @deprecated use {@link #AuthnRequest(Saml2Settings, AuthnRequestParams)} with
* {@link AuthnRequestParams#AuthnRequestParams(boolean, boolean, boolean, String)}
* instead
*/
@Deprecated
public AuthnRequest(Saml2Settings settings, boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, String nameIdValueReq) {
this.id = Util.generateUniqueID(settings.getUniqueIDPrefix());
issueInstant = Calendar.getInstance();
this.isPassive = isPassive;
this.settings = settings;
this.forceAuthn = forceAuthn;
this.setNameIdPolicy = setNameIdPolicy;
this.nameIdValueReq = nameIdValueReq;

StrSubstitutor substitutor = generateSubstitutor(settings);
authnRequestString = postProcessXml(substitutor.replace(getAuthnRequestTemplate()), settings);
LOGGER.debug("AuthNRequest --> " + authnRequestString);
this(settings, new AuthnRequestParams(forceAuthn, isPassive, setNameIdPolicy, nameIdValueReq));
}

/**
* Constructs the AuthnRequest object.
*
* @param settings
* OneLogin_Saml2_Settings
* OneLogin_Saml2_Settings
* @param forceAuthn
* When true the AuthNReuqest will set the ForceAuthn='true'
* When true the AuthNReuqest will set the ForceAuthn='true'
* @param isPassive
* When true the AuthNReuqest will set the IsPassive='true'
* When true the AuthNReuqest will set the IsPassive='true'
* @param setNameIdPolicy
* When true the AuthNReuqest will set a nameIdPolicy
* When true the AuthNReuqest will set a nameIdPolicy
* @deprecated use {@link #AuthnRequest(Saml2Settings, AuthnRequestParams)} with
* {@link AuthnRequestParams#AuthnRequestParams(boolean, boolean, boolean)}
* instead
*/
@Deprecated
public AuthnRequest(Saml2Settings settings, boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy) {
this(settings, forceAuthn, isPassive, setNameIdPolicy, null);
}

/**
* Constructs the AuthnRequest object.
*
* @param settings
* OneLogin_Saml2_Settings
* @param params
* a set of authentication request input parameters that shape the
* request to create
*/
public AuthnRequest(Saml2Settings settings, AuthnRequestParams params) {
this.id = Util.generateUniqueID(settings.getUniqueIDPrefix());
issueInstant = Calendar.getInstance();
this.settings = settings;

StrSubstitutor substitutor = generateSubstitutor(params, settings);
authnRequestString = postProcessXml(substitutor.replace(getAuthnRequestTemplate()), params, settings);
LOGGER.debug("AuthNRequest --> " + authnRequestString);
}

/**
* Allows for an extension class to post-process the AuthnRequest XML generated
* for this request, in order to customize the result.
Expand All @@ -132,15 +130,17 @@ public AuthnRequest(Saml2Settings settings, boolean forceAuthn, boolean isPassiv
* @param authnRequestXml
* the XML produced for this AuthnRequest by the standard
* implementation provided by {@link AuthnRequest}
* @param params
* the authentication request input parameters
* @param settings
* the settings
* @return the post-processed XML for this AuthnRequest, which will then be
* returned by any call to {@link #getAuthnRequestXml()}
*/
protected String postProcessXml(final String authnRequestXml, final Saml2Settings settings) {
protected String postProcessXml(final String authnRequestXml, final AuthnRequestParams params, final Saml2Settings settings) {
return authnRequestXml;
}

/**
* @return the base64 encoded unsigned AuthnRequest (deflated or not)
*
Expand Down Expand Up @@ -181,22 +181,24 @@ public String getAuthnRequestXml() {
/**
* Substitutes AuthnRequest variables within a string by values.
*
* @param params
* the authentication request input parameters
* @param settings
* Saml2Settings object. Setting data
*
* @return the StrSubstitutor object of the AuthnRequest
*/
private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
private StrSubstitutor generateSubstitutor(AuthnRequestParams params, Saml2Settings settings) {

Map<String, String> valueMap = new HashMap<String, String>();

String forceAuthnStr = "";
if (forceAuthn) {
if (params.isForceAuthn()) {
forceAuthnStr = " ForceAuthn=\"true\"";
}

String isPassiveStr = "";
if (isPassive) {
if (params.isPassive()) {
isPassiveStr = " IsPassive=\"true\"";
}

Expand All @@ -211,6 +213,7 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
valueMap.put("destinationStr", destinationStr);

String subjectStr = "";
String nameIdValueReq = params.getNameIdValueReq();
if (nameIdValueReq != null && !nameIdValueReq.isEmpty()) {
String nameIDFormat = settings.getSpNameIDFormat();
subjectStr = "<saml:Subject>";
Expand All @@ -221,7 +224,7 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
valueMap.put("subjectStr", subjectStr);

String nameIDPolicyStr = "";
if (setNameIdPolicy) {
if (params.isSetNameIdPolicy()) {
String nameIDPolicyFormat = settings.getSpNameIDFormat();
if (settings.getWantNameIdEncrypted()) {
nameIDPolicyFormat = Constants.NAMEID_ENCRYPTED;
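Review bot: Replacing `postProcessXml(String, Saml2Settings)` with `postProcessXml(String, AuthnRequestParams, Saml2Settings)` (the two lines after the `@return the post-processed XML` Javadoc) silently disables existing customizations: a subclass that overrides the two-argument hook without `@Override` still compiles, but its method becomes an unrelated overload that the new constructor never calls, so whatever it did to the request XML is dropped with no warning. Consider keeping `protected String postProcessXml(final String authnRequestXml, final Saml2Settings settings) { return authnRequestXml; }` as a `@Deprecated` hook and having the three-argument default `return postProcessXml(authnRequestXml, settings);`, or at least state the break in the hook's Javadoc. The new constructor `AuthnRequest(Saml2Settings settings, AuthnRequestParams params)` also only dereferences `params` later inside `generateSubstitutor` (`params.isForceAuthn()`), so a null argument fails far from its origin; `Objects.requireNonNull(params, "params");` at the top of the constructor would make the contract explicit. The body of `generateSubstitutor` continues outside the visible hunks.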
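--- a/core/src/main/java/com/onelogin/saml2/authn/AuthnRequestParams.java
+++ b/core/src/main/java/com/onelogin/saml2/authn/AuthnRequestParams.java
@@ -0,0 +1,105 @@
+package com.onelogin.saml2.authn;
+
+/**
+* Input parameters for a SAML 2 authentication request.
+*/
+public class AuthnRequestParams {
+
+/**
+* When true the AuthNRequest will set the ForceAuthn='true'
+*/
+private final boolean forceAuthn;
+/**
+* When true the AuthNRequest will set the IsPassive='true'
+*/
+private final boolean isPassive;
+/**
+* When true the AuthNReuqest will set a nameIdPolicy
+*/
+private final boolean setNameIdPolicy;
+/**
+* Indicates to the IdP the subject that should be authenticated
+*/
+private final String nameIdValueReq;
+
+/**
+* Create a set of authentication request input parameters.
+*
+* @param forceAuthn
+* whether the <code>ForceAuthn</code> attribute should be set to
+* <code>true</code>
+* @param isPassive
+* whether the <code>isPassive</code> attribute should be set to
+* <code>true</code>
+* @param setNameIdPolicy
+* whether a <code>NameIDPolicy</code> should be set
+*/
+public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy) {
+this(forceAuthn, isPassive, setNameIdPolicy, null);
+}
+
+/**
+* Create a set of authentication request input parameters.
+*
+* @param forceAuthn
+* whether the <code>ForceAuthn</code> attribute should be set to
+* <code>true</code>
+* @param isPassive
+* whether the <code>isPassive</code> attribute should be set to
+* <code>true</code>
+* @param setNameIdPolicy
+* whether a <code>NameIDPolicy</code> should be set
+* @param nameIdValueReq
+* the subject that should be authenticated
+*/
+public AuthnRequestParams(boolean forceAuthn, boolean isPassive, boolean setNameIdPolicy, String nameIdValueReq) {
+this.forceAuthn = forceAuthn;
+this.isPassive = isPassive;
+this.setNameIdPolicy = setNameIdPolicy;
+this.nameIdValueReq = nameIdValueReq;
+}
+
+/**
+* Create a set of authentication request input parameters, by copying them from
+* another set.
+*
+* @param source
+* the source set of authentication request input parameters
+*/
+protected AuthnRequestParams(AuthnRequestParams source) {
+this.forceAuthn = source.isForceAuthn();
+this.isPassive = source.isPassive();
+this.setNameIdPolicy = source.isSetNameIdPolicy();
+this.nameIdValueReq = source.getNameIdValueReq();
+}
+
+/**
+* @return whether the <code>ForceAuthn</code> attribute should be set to
+* <code>true</code>
+*/
+protected boolean isForceAuthn() {
+return forceAuthn;
+}
+
+/**
+* @return whether the <code>isPassive</code> attribute should be set to
+* <code>true</code>
+*/
+protected boolean isPassive() {
+return isPassive;
+}
+
+/**
+* @return whether a <code>NameIDPolicy</code> should be set
+*/
+protected boolean isSetNameIdPolicy() {
+return setNameIdPolicy;
+}
+
+/**
+* @return the subject that should be authenticated
+*/
+protected String getNameIdValueReq() {
+return nameIdValueReq;
+}
+}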
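Review bot: The accessors `isForceAuthn()`, `isPassive()`, `isSetNameIdPolicy()` and `getNameIdValueReq()` are `protected`, so an extension class that overrides `postProcessXml(String, AuthnRequestParams, Saml2Settings)` from a package other than `com.onelogin.saml2.authn` receives `params` but cannot read any of its values, since protected access from another package is only granted to subclasses of `AuthnRequestParams` itself; declaring them `public boolean isForceAuthn()` and so on would make the new hook argument usable by the extenders it is meant for. The `@param nameIdValueReq` Javadoc on the four-argument constructor should also say that the value may be `null` or empty, in which case no `<saml:Subject>` is added to the request (the null/empty check is visible in the `generateSubstitutor` hunk of AuthnRequest.java), and the three-argument constructor's Javadoc could state that it is equivalent to passing a `null` nameIdValueReq. Since the class is immutable and only holds flags plus one string, a `toString()` that omits nothing sensitive would help when logging which request parameters were used.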