Merge branch 'bugfix-6' into 3.7.2-open-aselect-release

Author: oharsta

library/EngineBlock/Corto/Module/Bindings.php

@@ -559,7 +559,11 @@ protected function _verifySignatureMessage($message, $key)
         return ($verified === 1);
     }
 
-    protected function _verifySignatureXMLElement($publicKey, $xml, $element)
+    /**
+     * Note: this method is only public to make it unit testable, it would be better to move it's content to one or more separate classes
+     * which can be tested separately
+     */
+    public function _verifySignatureXMLElement($publicKey, $xml, $element)
     {
         if (!isset($element['ds:Signature'])) {
             throw new EngineBlock_Corto_Module_Bindings_Exception(
@@ -606,11 +610,7 @@ protected function _verifySignatureXMLElement($publicKey, $xml, $element)
             );
         }
         $referencedElement = $xpathResults->item(0);
-        $referencedDocument  = new DomDocument();
-        $importedNode = $referencedDocument->importNode($referencedElement->cloneNode(true), true);
-        $referencedDocument->appendChild($importedNode);
-
-        $referencedDocumentXml = $referencedDocument->saveXML();
+        $referencedDocumentXml = $document->saveXML($referencedElement->cloneNode(true));
 
         // First process any transforms
         if (isset($reference['ds:Transforms']['ds:Transform'])) {

library/EngineBlock/Corto/ProxyServer.php

@@ -1003,6 +1003,11 @@ protected function callAttributeFilter($callback, array &$response, array $reque
 
         $responseAssertionAttributes = &$response['saml:Assertion']['saml:AttributeStatement'][0]['saml:Attribute'];
 
+        // Workaround When response does not contain an Assertion -> $responseAssertionAttributes will be null
+        // EngineBlock_Corto_XmlToArray::attributes2array parameter is type hinted to be an array
+        if (empty($responseAssertionAttributes)) {
+            $responseAssertionAttributes = array();
+        }
         // Take the attributes out
         $responseAttributes = EngineBlock_Corto_XmlToArray::attributes2array($responseAssertionAttributes);
         // Pass em along

library/EngineBlock/Saml/MessageSerializer.php

@@ -13,11 +13,11 @@ class EngineBlock_Saml_MessageSerializer
     public function serialize(SAML2_Message $samlMessage)
     {
         if ($samlMessage->getSignatureKey()) {
-            $samlMessagetDomElement = $samlMessage->toSignedXML();
+            $samlMessageDomElement = $samlMessage->toSignedXML();
         } else {
-            $samlMessagetDomElement = $samlMessage->toUnsignedXML();
+            $samlMessageDomElement = $samlMessage->toUnsignedXML();
         }
-        return $samlMessagetDomElement->ownerDocument->saveXML($samlMessagetDomElement);
+        return $samlMessageDomElement->ownerDocument->saveXML($samlMessageDomElement);
     }
 
     /**

tests/library/EngineBlock/Test/Corto/Module/BindingsTest.php

@@ -4,11 +4,16 @@
  */
 class EngineBlock_Test_Corto_Module_BindingsTest extends PHPUnit_Framework_TestCase
 {
+    /**
+     * @var EngineBlock_Corto_Module_Bindings
+     */
     private $bindings;
 
     public function setup()
     {
         $proxyServer = Phake::mock('EngineBlock_Corto_ProxyServer');
+        $log = Phake::mock('EngineBlock_Log');
+        Phake::when($proxyServer)->getSessionLog()->thenReturn($log);
         $this->bindings = new EngineBlock_Corto_Module_Bindings($proxyServer);
     }
 
@@ -26,4 +31,69 @@ public function testResponseRedirectIsNotSupported()
         $remoteEntity = array();
         $this->bindings->send($message, $remoteEntity);
     }
-}
+
+    /**
+     * @param string $xmlFile
+     * @param string $certificateFile
+     *
+     * @dataProvider responseProvider
+     */
+    public function testResponseVerifies($xmlFile, $certificateFile)
+    {
+        $xml2array = new EngineBlock_Corto_XmlToArray();
+        $xml = file_get_contents($xmlFile);
+
+        $element = $xml2array->xml2array($xml);
+
+        $publicCertificate = file_get_contents($certificateFile);
+
+        $publicKey = openssl_pkey_get_public($publicCertificate);
+
+        if (isset($element['ds:Signature'])) {
+            $this->assertTrue(
+                $this->bindings->_verifySignatureXMLElement(
+                    $publicKey,
+                    $xml,
+                    $element
+                )
+            );
+        }
+
+        if (isset($element['saml:Assertion']['ds:Signature'])) {
+            $this->assertTrue(
+                $this->bindings->_verifySignatureXMLElement(
+                    $publicKey,
+                    $xml,
+                    $element['saml:Assertion']
+                )
+            );
+        }
+    }
+
+    /**
+     * Provides a list of paths to response xml files and certificate files
+     * 
+     * @return array
+     */
+    public function responseProvider()
+    {
+        $responseFiles = array();
+        $certificateFiles = array();
+        $responsesDir = new DirectoryIterator(TEST_RESOURCES_DIR . '/saml/responses');
+        /** @var $responseFile DirectoryIterator */
+        foreach($responsesDir as $responseFile) {
+            if ($responseFile->isFile() && !$responseFile->isDot()) {
+                $extension = substr($responseFile->getFilename(), -3);
+                $fileNameWithoutExtension = substr($responseFile->getFilename(), 0, -4);
+
+                if ($extension == 'cer') {
+                    $certificateFiles[$fileNameWithoutExtension] = $responseFile->getRealPath();
+                } elseif ($extension == 'xml') {
+                    $responseFiles[$fileNameWithoutExtension] = $responseFile->getRealPath();
+                }
+            }
+        }
+
+        return array_merge_recursive($responseFiles, $certificateFiles);
+    }
+}

tests/resources/saml/responses/engineblock-dummy-idp.cer

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDrzCCApegAwIBAgIJAOaOFTs6UrvPMA0GCSqGSIb3DQEBBQUAMG4xCzAJBgNV
+BAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MRAwDgYD
+VQQKDAdTdXJmbmV0MRMwEQYDVQQLDApPcGVuQ29uZXh0MRQwEgYDVQQDDAtFbmdp
+bmVCbG9jazAeFw0xMzA4MTYwNzQxMDVaFw00MTAxMDEwNzQxMDVaMG4xCzAJBgNV
+BAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MRAwDgYD
+VQQKDAdTdXJmbmV0MRMwEQYDVQQLDApPcGVuQ29uZXh0MRQwEgYDVQQDDAtFbmdp
+bmVCbG9jazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALRDrSUvOMwa
+Lg2UbZaPbxvpRublp5m8kSFRg8hlMnStXPPPSpBbD7hzaV+Ey8bgTcw5mmoxf0wQ
+ar2HsH/99W9lvbhVrbhwPJygcSEmPVbjjCZaUx9b/52wjJby6omC0LkXkeJkQYBF
+YLHPqc32HdlvALSxcW146LWQR8X9cblJuEx9Iz18vHCNnRLI+/w3o5qyI2EG4kJF
+7vBdhbLMUnaDl6XGvHWyXej35feAhJByeCckxpmqAm79W1a+s6I7dUfLHtFWaHH1
++r4dsiOmoViqKGVqtQY18FM2nTfR6VZ+Gj0uvGwCUUrIs7NjGqeWVL1EHQ9uSWhE
+/BSDKd3ugpcCAwEAAaNQME4wHQYDVR0OBBYEFMdjB4+yV5QG4Ct9RvXSus5dYv+q
+MB8GA1UdIwQYMBaAFMdjB4+yV5QG4Ct9RvXSus5dYv+qMAwGA1UdEwQFMAMBAf8w
+DQYJKoZIhvcNAQEFBQADggEBAFyq+F3zM+BU85ROM7SZv5poUxKeQ8pP12Sx7LzA
+sJVZUMtfQwK7WlFkIJXasolL/iuwj/9Y9OMgqUl6IdHrMPNI5znn+Er7wmo2RCbe
+nNAYw9/ywWP/kNa28nb8FVhgX43+0oBf2s8dJngBiLB87Jp/ZGc7CIMqbADJ+ZVG
+C/6DN9yRXModL4mqnlkXaUVwGoU6EsDbr5WoJyEdpy69HotE7CiIZniMjeVSQ//8
+enkp7d/rsOAlGCQLD5ajUzaAm3ymIzkMLPGdSpsNjTcMPgEc64ZcOu2gzn8M8/b3
+6nfr3xMS9MutksOPHIO/So7DgFAwvKwiWGk0FUereNM+yMg=
+-----END CERTIFICATE-----

tests/resources/saml/responses/engineblock-dummy-idp.xml

@@ -0,0 +1,5 @@
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6bad0f2fce7a4b50143fa12ea471bc5de213b230a1" Version="2.0" IssueInstant="2013-09-26T14:31:33Z" Destination="https://engine-test.demo.openconext.org/authentication/sp/consume-assertion" InResponseTo="CORTO7e72e589e307f786d8fa003e9d1e9a0a5a441151"><saml:Issuer>https://engine-test.demo.openconext.org/dummy/idp</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_b3e56fd292687fea47d9b1daa2e75bb7c7241729c2" Version="2.0" IssueInstant="2013-09-26T14:31:33Z"><saml:Issuer>https://engine-test.demo.openconext.org/dummy/idp</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+  <ds:Reference URI="#_b3e56fd292687fea47d9b1daa2e75bb7c7241729c2"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>hrv+zU3pLtEM0a11jbP5X5vUgvo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>gwdw+1cOwmZtID/6vItrvLCsv4RCIeXoBqQ2AMO2RW6h5+w1i3Z1wKVrIWJ+ta0hEUleqDcNmOEkpfkExukhAzuPkwSjLOxTWeVAbLl3FjaOxLqcFHKk/UZrCJqGlIKfNnakYb9grFbg9lihnG/7AWdb2EVE/XRCru0eq8m4DczXc9rXROX84ezj8thzz1gDGQTis7AgmS3Hb0XqSK3I/jil4QFRSHjppWChmyMyS9mibFPOL8K4BE5lky66Ro8yzN+K9H43FdfiLkzGtvwBimCzPw1/G6vyQhD3jUWKeeGfYpB2pyLRALwkqb7C9v53j11/ZCRRLI7M3+e2SvZxBQ==</ds:SignatureValue>
+<ds:KeyInfo><ds:X509Data><ds:X509Certificate>-----BEGINCERTIFICATE-----MIIDrzCCApegAwIBAgIJAOaOFTs6UrvPMA0GCSqGSIb3DQEBBQUAMG4xCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MRAwDgYDVQQKDAdTdXJmbmV0MRMwEQYDVQQLDApPcGVuQ29uZXh0MRQwEgYDVQQDDAtFbmdpbmVCbG9jazAeFw0xMzA4MTYwNzQxMDVaFw00MTAxMDEwNzQxMDVaMG4xCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MRAwDgYDVQQKDAdTdXJmbmV0MRMwEQYDVQQLDApPcGVuQ29uZXh0MRQwEgYDVQQDDAtFbmdpbmVCbG9jazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALRDrSUvOMwaLg2UbZaPbxvpRublp5m8kSFRg8hlMnStXPPPSpBbD7hzaV+Ey8bgTcw5mmoxf0wQar2HsH/99W9lvbhVrbhwPJygcSEmPVbjjCZaUx9b/52wjJby6omC0LkXkeJkQYBFYLHPqc32HdlvALSxcW146LWQR8X9cblJuEx9Iz18vHCNnRLI+/w3o5qyI2EG4kJF7vBdhbLMUnaDl6XGvHWyXej35feAhJByeCckxpmqAm79W1a+s6I7dUfLHtFWaHH1+r4dsiOmoViqKGVqtQY18FM2nTfR6VZ+Gj0uvGwCUUrIs7NjGqeWVL1EHQ9uSWhE/BSDKd3ugpcCAwEAAaNQME4wHQYDVR0OBBYEFMdjB4+yV5QG4Ct9RvXSus5dYv+qMB8GA1UdIwQYMBaAFMdjB4+yV5QG4Ct9RvXSus5dYv+qMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFyq+F3zM+BU85ROM7SZv5poUxKeQ8pP12Sx7LzAsJVZUMtfQwK7WlFkIJXasolL/iuwj/9Y9OMgqUl6IdHrMPNI5znn+Er7wmo2RCbenNAYw9/ywWP/kNa28nb8FVhgX43+0oBf2s8dJngBiLB87Jp/ZGc7CIMqbADJ+ZVGC/6DN9yRXModL4mqnlkXaUVwGoU6EsDbr5WoJyEdpy69HotE7CiIZniMjeVSQ//8enkp7d/rsOAlGCQLD5ajUzaAm3ymIzkMLPGdSpsNjTcMPgEc64ZcOu2gzn8M8/b36nfr3xMS9MutksOPHIO/So7DgFAwvKwiWGk0FUereNM+yMg=-----ENDCERTIFICATE-----</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">johndoe</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2013-09-26T14:36:33Z" Recipient="https://engine-test.demo.openconext.org/authentication/sp/consume-assertion" InResponseTo="CORTO7e72e589e307f786d8fa003e9d1e9a0a5a441151"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2013-09-26T14:31:33Z" NotOnOrAfter="2013-09-26T14:36:33Z"/><saml:AuthnStatement AuthnInstant="2013-09-26T14:31:33Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="urn:mace:dir:attribute-def:uid"><saml:AttributeValue xsi:type="xs:string">johndoe</saml:AttributeValue></saml:Attribute><saml:Attribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization"><saml:AttributeValue xsi:type="xs:string">example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>