|
18 | 18 |
|
19 | 19 | import org.junit.jupiter.api.BeforeEach; |
20 | 20 | import org.junit.jupiter.api.Test; |
| 21 | +import org.mockito.Answers; |
| 22 | +import org.mockito.MockedStatic; |
21 | 23 | import org.opensaml.xmlsec.signature.support.SignatureConstants; |
22 | 24 |
|
23 | 25 | import org.springframework.mock.web.MockHttpServletRequest; |
24 | 26 | import org.springframework.security.saml2.Saml2Exception; |
| 27 | +import org.springframework.security.saml2.core.Saml2ParameterNames; |
25 | 28 | import org.springframework.security.saml2.core.Saml2X509Credential; |
26 | 29 | import org.springframework.security.saml2.core.TestSaml2X509Credentials; |
27 | 30 | import org.springframework.security.saml2.provider.service.authentication.Saml2PostAuthenticationRequest; |
|
32 | 35 |
|
33 | 36 | import static org.assertj.core.api.Assertions.assertThat; |
34 | 37 | import static org.assertj.core.api.Assertions.assertThatExceptionOfType; |
| 38 | +import static org.mockito.ArgumentMatchers.any; |
| 39 | +import static org.mockito.ArgumentMatchers.eq; |
| 40 | +import static org.mockito.Mockito.mockStatic; |
| 41 | +import static org.mockito.Mockito.never; |
| 42 | +import static org.mockito.Mockito.spy; |
| 43 | +import static org.mockito.Mockito.verify; |
35 | 44 |
|
36 | 45 | /** |
37 | 46 | * Tests for {@link OpenSamlAuthenticationRequestResolver} |
@@ -103,8 +112,8 @@ public void resolveAuthenticationRequestWhenSignedThenCredentialIsRequired() { |
103 | 112 | .build(); |
104 | 113 | OpenSamlAuthenticationRequestResolver resolver = authenticationRequestResolver(registration); |
105 | 114 | assertThatExceptionOfType(Saml2Exception.class) |
106 | | - .isThrownBy(() -> resolver.resolve(request, (r, authnRequest) -> { |
107 | | - })); |
| 115 | + .isThrownBy(() -> resolver.resolve(request, (r, authnRequest) -> { |
| 116 | + })); |
108 | 117 | } |
109 | 118 |
|
110 | 119 | @Test |
@@ -172,6 +181,58 @@ public void resolveAuthenticationRequestWhenSHA1SignRequestThenSigns() { |
172 | 181 | assertThat(result.getBinding()).isEqualTo(Saml2MessageBinding.REDIRECT); |
173 | 182 | } |
174 | 183 |
|
| 184 | + @Test |
| 185 | + public void resolveAuthenticationRequestWhenSignedAndRelayStateIsNullThenSignsWithoutRelayState() { |
| 186 | + try (MockedStatic<OpenSamlSigningUtils> openSamlSigningUtilsMockedStatic = mockStatic( |
| 187 | + OpenSamlSigningUtils.class, Answers.CALLS_REAL_METHODS)) { |
| 188 | + MockHttpServletRequest request = new MockHttpServletRequest(); |
| 189 | + request.setPathInfo("/saml2/authenticate/registration-id"); |
| 190 | + RelyingPartyRegistration registration = this.relyingPartyRegistrationBuilder |
| 191 | + .assertingPartyDetails((party) -> party.wantAuthnRequestsSigned(true)) |
| 192 | + .build(); |
| 193 | + OpenSamlSigningUtils.QueryParametersPartial queryParametersPartialSpy = spy( |
| 194 | + new OpenSamlSigningUtils.QueryParametersPartial(registration)); |
| 195 | + openSamlSigningUtilsMockedStatic.when(() -> OpenSamlSigningUtils.sign(any())) |
| 196 | + .thenReturn(queryParametersPartialSpy); |
| 197 | + OpenSamlAuthenticationRequestResolver resolver = authenticationRequestResolver(registration); |
| 198 | + resolver.setRelayStateResolver((source) -> null); |
| 199 | + Saml2RedirectAuthenticationRequest result = resolver.resolve(request, (r, authnRequest) -> { |
| 200 | + }); |
| 201 | + assertThat(result.getSamlRequest()).isNotEmpty(); |
| 202 | + assertThat(result.getRelayState()).isNull(); |
| 203 | + assertThat(result.getSigAlg()).isNotNull(); |
| 204 | + assertThat(result.getSignature()).isNotNull(); |
| 205 | + assertThat(result.getBinding()).isEqualTo(Saml2MessageBinding.REDIRECT); |
| 206 | + verify(queryParametersPartialSpy, never()).param(eq(Saml2ParameterNames.RELAY_STATE), any()); |
| 207 | + } |
| 208 | + } |
| 209 | + |
| 210 | + @Test |
| 211 | + public void resolveAuthenticationRequestWhenSignedAndRelayStateIsEmptyThenSignsWithEmptyRelayState() { |
| 212 | + try (MockedStatic<OpenSamlSigningUtils> openSamlSigningUtilsMockedStatic = mockStatic( |
| 213 | + OpenSamlSigningUtils.class, Answers.CALLS_REAL_METHODS)) { |
| 214 | + MockHttpServletRequest request = new MockHttpServletRequest(); |
| 215 | + request.setPathInfo("/saml2/authenticate/registration-id"); |
| 216 | + RelyingPartyRegistration registration = this.relyingPartyRegistrationBuilder |
| 217 | + .assertingPartyDetails((party) -> party.wantAuthnRequestsSigned(true)) |
| 218 | + .build(); |
| 219 | + OpenSamlSigningUtils.QueryParametersPartial queryParametersPartialSpy = spy( |
| 220 | + new OpenSamlSigningUtils.QueryParametersPartial(registration)); |
| 221 | + openSamlSigningUtilsMockedStatic.when(() -> OpenSamlSigningUtils.sign(any())) |
| 222 | + .thenReturn(queryParametersPartialSpy); |
| 223 | + OpenSamlAuthenticationRequestResolver resolver = authenticationRequestResolver(registration); |
| 224 | + resolver.setRelayStateResolver((source) -> ""); |
| 225 | + Saml2RedirectAuthenticationRequest result = resolver.resolve(request, (r, authnRequest) -> { |
| 226 | + }); |
| 227 | + assertThat(result.getSamlRequest()).isNotEmpty(); |
| 228 | + assertThat(result.getRelayState()).isEmpty(); |
| 229 | + assertThat(result.getSigAlg()).isNotNull(); |
| 230 | + assertThat(result.getSignature()).isNotNull(); |
| 231 | + assertThat(result.getBinding()).isEqualTo(Saml2MessageBinding.REDIRECT); |
| 232 | + verify(queryParametersPartialSpy).param(eq(Saml2ParameterNames.RELAY_STATE), eq("")); |
| 233 | + } |
| 234 | + } |
| 235 | + |
175 | 236 | private OpenSamlAuthenticationRequestResolver authenticationRequestResolver(RelyingPartyRegistration registration) { |
176 | 237 | return new OpenSamlAuthenticationRequestResolver((request, id) -> registration); |
177 | 238 | } |
|
0 commit comments