Add metadata_uri column to saml2_asserting_party_metadata table

chao.wang · jzheaux · commit c968d86f257b · 2025-06-05T15:24:30.000-06:00
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/AssertingPartyMetadata.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/AssertingPartyMetadata.java
@@ -16,19 +16,11 @@
 
 package org.springframework.security.saml2.provider.service.registration;
 
-import java.io.IOException;
-import java.io.InputStream;
 import java.io.Serializable;
-import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 import java.util.function.Consumer;
 
-import org.opensaml.saml.common.xml.SAMLConstants;
-import org.opensaml.saml.saml2.metadata.EntityDescriptor;
-import org.springframework.core.io.DefaultResourceLoader;
-import org.springframework.core.io.ResourceLoader;
-import org.springframework.security.saml2.Saml2Exception;
 import org.springframework.security.saml2.core.Saml2X509Credential;
 
 /**
@@ -39,8 +31,6 @@
  */
 public interface AssertingPartyMetadata extends Serializable {
 
-	ResourceLoader resourceLoader = new DefaultResourceLoader();
-
 	/**
 	 * Get the asserting party's <a href=
 	 * "https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf#2.9%20EntityDescriptor">EntityID</a>.
@@ -284,70 +274,4 @@ interface Builder<B extends Builder<B>> {
 
 	}
 
-	/**
-	 * Return a {@link Collection} of {@link Builder}s based off
-	 * of the given SAML 2.0 Asserting Party (IDP) metadata location.
-	 *
-	 * Valid locations can be classpath- or file-based or they can be HTTPS endpoints.
-	 * Some valid endpoints might include:
-	 *
-	 * <pre>
-	 *   metadataLocation = "classpath:asserting-party-metadata.xml";
-	 *   metadataLocation = "file:asserting-party-metadata.xml";
-	 *   metadataLocation = "https://ap.example.org/metadata";
-	 * </pre>
-	 *
-	 * @param location The classpath- or file-based locations or HTTPS endpoints of the
-	 * asserting party metadata file
-	 * @return the {@link Collection} of {@link Builder}s for
-	 * further configuration
-	 * @since 7.0
-	 */
-	 static Collection<Builder<?>> collectionFromMetadataLocation(String location) {
-		try (InputStream source = resourceLoader.getResource(location).getInputStream()) {
-			return collectionFromMetadata(source);
-		}
-		catch (IOException ex) {
-			if (ex.getCause() instanceof Saml2Exception) {
-				throw (Saml2Exception) ex.getCause();
-			}
-			throw new Saml2Exception(ex);
-		}
-	}
-
-	/**
-	 * Return a {@link Collection} of {@link Builder}s based off
-	 * of the given SAML 2.0 Asserting Party (IDP) metadata.
-	 *
-	 * <p>
-	 * This method is intended for scenarios when the metadata is looked up by a separate
-	 * mechanism. One such example is when the metadata is stored in a database.
-	 * </p>
-	 *
-	 * <p>
-	 * <strong>The callers of this method are accountable for closing the
-	 * {@code InputStream} source.</strong>
-	 * </p>
-	 *
-	 * @param source the {@link InputStream} source containing the asserting party
-	 * metadata
-	 * @return the {@link Collection} of {@link Builder}s for
-	 * further configuration
-	 * @since 7.0
-	 */
-	 static Collection<Builder<?>> collectionFromMetadata(InputStream source) {
-		Collection<Builder<?>> builders = new ArrayList<>();
-		for (EntityDescriptor descriptor : OpenSamlMetadataUtils.descriptors(source)) {
-			if (descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS) != null) {
-				OpenSamlAssertingPartyDetails.Builder builder = OpenSamlAssertingPartyDetails
-						.withEntityDescriptor(descriptor);
-				builders.add(builder);
-			}
-		}
-		if (builders.isEmpty()) {
-			throw new Saml2Exception("Metadata response is missing the necessary IDPSSODescriptor element");
-		}
-		return builders;
-	}
-
 }
diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/JdbcAssertingPartyMetadataRepository.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/JdbcAssertingPartyMetadataRepository.java
@@ -22,10 +22,10 @@
 import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;
-import java.util.function.Consumer;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+
 import org.springframework.core.log.LogMessage;
 import org.springframework.core.serializer.DefaultDeserializer;
 import org.springframework.core.serializer.Deserializer;
@@ -37,7 +37,6 @@
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails;
 import org.springframework.util.Assert;
-import org.springframework.util.StringUtils;
 
 /**
  * A JDBC implementation of {@link AssertingPartyMetadataRepository}.
@@ -49,12 +48,11 @@ public final class JdbcAssertingPartyMetadataRepository implements AssertingPart
 
 	private final JdbcOperations jdbcOperations;
 
-	private RowMapper<AssertingPartyMetadata> assertingPartyMetadataRowMapper =
-			new AssertingPartyMetadataRowMapper(ResultSet::getBytes);
+	private RowMapper<AssertingPartyMetadata> assertingPartyMetadataRowMapper = new AssertingPartyMetadataRowMapper(
+			ResultSet::getBytes);
 
 	// @formatter:off
 	static final String COLUMN_NAMES = "entity_id, "
-			+ "metadata_uri, "
 			+ "singlesignon_url, "
 			+ "singlesignon_binding, "
 			+ "singlesignon_sign_request, "
@@ -82,7 +80,6 @@ public final class JdbcAssertingPartyMetadataRepository implements AssertingPart
 	/**
 	 * Constructs a {@code JdbcRelyingPartyRegistrationRepository} using the provided
 	 * parameters.
-	 *
 	 * @param jdbcOperations the JDBC operations
 	 */
 	public JdbcAssertingPartyMetadataRepository(JdbcOperations jdbcOperations) {
@@ -94,21 +91,18 @@ public JdbcAssertingPartyMetadataRepository(JdbcOperations jdbcOperations) {
 	 * Sets the {@link RowMapper} used for mapping the current row in
 	 * {@code java.sql.ResultSet} to {@link AssertingPartyMetadata}. The default is
 	 * {@link AssertingPartyMetadataRowMapper}.
-	 *
 	 * @param assertingPartyMetadataRowMapper the {@link RowMapper} used for mapping the
-	 *                                        current row in {@code java.sql.ResultSet} to {@link AssertingPartyMetadata}
+	 * current row in {@code java.sql.ResultSet} to {@link AssertingPartyMetadata}
 	 */
-	public void setAssertingPartyMetadataRowMapper(
-			RowMapper<AssertingPartyMetadata> assertingPartyMetadataRowMapper) {
+	public void setAssertingPartyMetadataRowMapper(RowMapper<AssertingPartyMetadata> assertingPartyMetadataRowMapper) {
 		Assert.notNull(assertingPartyMetadataRowMapper, "assertingPartyMetadataRowMapper cannot be null");
 		this.assertingPartyMetadataRowMapper = assertingPartyMetadataRowMapper;
 	}
 
 	@Override
 	public AssertingPartyMetadata findByEntityId(String entityId) {
 		Assert.hasText(entityId, "entityId cannot be empty");
-		SqlParameterValue[] parameters = new SqlParameterValue[]{
-				new SqlParameterValue(Types.VARCHAR, entityId)};
+		SqlParameterValue[] parameters = new SqlParameterValue[] { new SqlParameterValue(Types.VARCHAR, entityId) };
 		PreparedStatementSetter pss = new ArgumentPreparedStatementSetter(parameters);
 		List<AssertingPartyMetadata> result = this.jdbcOperations.query(LOAD_BY_ID_SQL, pss,
 				this.assertingPartyMetadataRowMapper);
@@ -126,7 +120,7 @@ public Iterator<AssertingPartyMetadata> iterator() {
 	 * The default {@link RowMapper} that maps the current row in
 	 * {@code java.sql.ResultSet} to {@link AssertingPartyMetadata}.
 	 */
-	private final static class AssertingPartyMetadataRowMapper implements RowMapper<AssertingPartyMetadata> {
+	private static final class AssertingPartyMetadataRowMapper implements RowMapper<AssertingPartyMetadata> {
 
 		private final Log logger = LogFactory.getLog(AssertingPartyMetadataRowMapper.class);
 
@@ -141,7 +135,6 @@ private final static class AssertingPartyMetadataRowMapper implements RowMapper<
 		@Override
 		public AssertingPartyMetadata mapRow(ResultSet rs, int rowNum) throws SQLException {
 			String entityId = rs.getString("entity_id");
-			String metadataUri = rs.getString("metadata_uri");
 			String singleSignOnUrl = rs.getString("singlesignon_url");
 			Saml2MessageBinding singleSignOnBinding = Saml2MessageBinding.from(rs.getString("singlesignon_binding"));
 			boolean singleSignOnSignRequest = rs.getBoolean("singlesignon_sign_request");
@@ -152,57 +145,40 @@ public AssertingPartyMetadata mapRow(ResultSet rs, int rowNum) throws SQLExcepti
 			byte[] verificationCredentialsBytes = this.getBytes.getBytes(rs, "verification_credentials");
 			byte[] encryptionCredentialsBytes = this.getBytes.getBytes(rs, "encryption_credentials");
 
-			boolean usingMetadata = StringUtils.hasText(metadataUri);
-			AssertingPartyMetadata.Builder<?> builder = (!usingMetadata) ? new AssertingPartyDetails.Builder().entityId(entityId)
-					: createBuilderUsingMetadata(entityId, metadataUri);
+			AssertingPartyMetadata.Builder<?> builder = new AssertingPartyDetails.Builder();
 			try {
 				if (signingAlgorithmsBytes != null) {
-					List<String> signingAlgorithms = (List<String>) deserializer.deserializeFromByteArray(signingAlgorithmsBytes);
-					builder.signingAlgorithms(algorithms -> algorithms.addAll(signingAlgorithms));
+					List<String> signingAlgorithms = (List<String>) this.deserializer
+						.deserializeFromByteArray(signingAlgorithmsBytes);
+					builder.signingAlgorithms((algorithms) -> algorithms.addAll(signingAlgorithms));
 				}
 				if (verificationCredentialsBytes != null) {
-					Collection<Saml2X509Credential> verificationCredentials = (Collection<Saml2X509Credential>) deserializer.deserializeFromByteArray(verificationCredentialsBytes);
-					builder.verificationX509Credentials(credentials -> credentials.addAll(verificationCredentials));
+					Collection<Saml2X509Credential> verificationCredentials = (Collection<Saml2X509Credential>) this.deserializer
+						.deserializeFromByteArray(verificationCredentialsBytes);
+					builder.verificationX509Credentials((credentials) -> credentials.addAll(verificationCredentials));
 				}
 				if (encryptionCredentialsBytes != null) {
-					Collection<Saml2X509Credential> encryptionCredentials = (Collection<Saml2X509Credential>) deserializer.deserializeFromByteArray(encryptionCredentialsBytes);
-					builder.encryptionX509Credentials(credentials -> credentials.addAll(encryptionCredentials));
+					Collection<Saml2X509Credential> encryptionCredentials = (Collection<Saml2X509Credential>) this.deserializer
+						.deserializeFromByteArray(encryptionCredentialsBytes);
+					builder.encryptionX509Credentials((credentials) -> credentials.addAll(encryptionCredentials));
 				}
-			} catch (Exception ex) {
-				this.logger.debug(
-						LogMessage.format("Parsing serialized credentials for entity %s failed", entityId), ex);
+			}
+			catch (Exception ex) {
+				this.logger.debug(LogMessage.format("Parsing serialized credentials for entity %s failed", entityId),
+						ex);
 				return null;
 			}
 
-			applyingWhenNonNull(singleSignOnUrl, builder::singleSignOnServiceLocation);
-			applyingWhenNonNull(singleSignOnBinding, builder::singleSignOnServiceBinding);
-			applyingWhenNonNull(singleSignOnSignRequest, builder::wantAuthnRequestsSigned);
-			applyingWhenNonNull(singleLogoutUrl, builder::singleLogoutServiceLocation);
-			applyingWhenNonNull(singleLogoutResponseUrl, builder::singleLogoutServiceResponseLocation);
-			applyingWhenNonNull(singleLogoutBinding, builder::singleLogoutServiceBinding);
+			builder.entityId(entityId)
+				.wantAuthnRequestsSigned(singleSignOnSignRequest)
+				.singleSignOnServiceLocation(singleSignOnUrl)
+				.singleSignOnServiceBinding(singleSignOnBinding)
+				.singleLogoutServiceLocation(singleLogoutUrl)
+				.singleLogoutServiceBinding(singleLogoutBinding)
+				.singleLogoutServiceResponseLocation(singleLogoutResponseUrl);
 			return builder.build();
 		}
 
-		private <T> void applyingWhenNonNull(T value, Consumer<T> consumer) {
-			if (value != null) {
-				consumer.accept(value);
-			}
-		}
-
-		private AssertingPartyMetadata.Builder<?> createBuilderUsingMetadata(String entityId, String metadataUri) {
-			Collection<AssertingPartyMetadata.Builder<?>> candidates = AssertingPartyMetadata
-					.collectionFromMetadataLocation(metadataUri);
-			for (AssertingPartyMetadata.Builder<?> candidate : candidates) {
-				if (entityId == null || entityId.equals(getEntityId(candidate))) {
-					return candidate;
-				}
-			}
-			throw new IllegalStateException("No asserting party metadata with Entity ID '" + entityId + "' found");
-		}
-
-		private Object getEntityId(AssertingPartyMetadata.Builder<?> candidate) {
-			return candidate.build().getEntityId();
-		}
 	}
 
 	private interface GetBytes {
diff --git a/saml2/saml2-service-provider/src/main/resources/org/springframework/security/saml2/saml2-asserting-party-metadata-schema-postgres.sql b/saml2/saml2-service-provider/src/main/resources/org/springframework/security/saml2/saml2-asserting-party-metadata-schema-postgres.sql
@@ -1,14 +1,14 @@
 CREATE TABLE saml2_asserting_party_metadata
 (
     entity_id                 VARCHAR(1000) NOT NULL,
-    singlesignon_url          VARCHAR(1000),
-    singlesignon_binding      VARCHAR(200),
-    singlesignon_sign_request VARCHAR(1000),
+    singlesignon_url          VARCHAR(1000) NOT NULL,
+    singlesignon_binding      VARCHAR(100),
+    singlesignon_sign_request boolean,
     signing_algorithms        BYTEA,
-    verification_credentials  BYTEA,
+    verification_credentials  BYTEA         NOT NULL,
     encryption_credentials    BYTEA,
     singlelogout_url          VARCHAR(1000),
     singlelogout_response_url VARCHAR(1000),
-    singlelogout_binding      VARCHAR(200),
+    singlelogout_binding      VARCHAR(100),
     PRIMARY KEY (entity_id)
 );
diff --git a/saml2/saml2-service-provider/src/main/resources/org/springframework/security/saml2/saml2-asserting-party-metadata-schema.sql b/saml2/saml2-service-provider/src/main/resources/org/springframework/security/saml2/saml2-asserting-party-metadata-schema.sql
@@ -1,15 +1,14 @@
 CREATE TABLE saml2_asserting_party_metadata
 (
     entity_id                 VARCHAR(1000) NOT NULL,
-    metadata_uri              VARCHAR(1000),
-    singlesignon_url          VARCHAR(1000),
-    singlesignon_binding      VARCHAR(200),
-    singlesignon_sign_request VARCHAR(1000),
+    singlesignon_url          VARCHAR(1000) NOT NULL,
+    singlesignon_binding      VARCHAR(100),
+    singlesignon_sign_request boolean,
     signing_algorithms        blob,
-    verification_credentials  blob,
+    verification_credentials  blob          NOT NULL,
     encryption_credentials    blob,
     singlelogout_url          VARCHAR(1000),
     singlelogout_response_url VARCHAR(1000),
-    singlelogout_binding      VARCHAR(200),
+    singlelogout_binding      VARCHAR(100),
     PRIMARY KEY (entity_id)
 );
diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/registration/JdbcAssertingPartyMetadataRepositoryTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/registration/JdbcAssertingPartyMetadataRepositoryTests.java
diff --git a/saml2/saml2-service-provider/src/test/resources/rsa.key b/saml2/saml2-service-provider/src/test/resources/rsa.key
