Add Attribute Consuming Services settings check

Now Saml2Settings.checkSPSettings() also checks that, if any Attribute
Consuming Service are declared, their configuration is consistent.

Author: mauromol

core/src/main/java/com/onelogin/saml2/settings/Saml2Settings.java

@@ -9,6 +9,8 @@
 import java.util.List;
 
 import com.onelogin.saml2.model.hsm.HSM;
+
+import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
@@ -947,6 +949,44 @@ private boolean checkIdpx509certRequired () {
 
 		return this.getIdpx509certMulti() != null && !this.getIdpx509certMulti().isEmpty();
 	}
+	
+	/*
+	 * Auxiliary method to check Attribute Consuming Services are properly
+	 * configured.
+	 * 
+	 * @param errors the list to add to when an error is encountered
+	 */
+	private void checkAttributeConsumingServices(List<String> errors) {
+		List<AttributeConsumingService> attributeConsumingServices = getSpAttributeConsumingServices();
+		if(!attributeConsumingServices.isEmpty()) {
+			String errorMsg;
+			// all Attribute Consuming Services must have a service name
+			if(attributeConsumingServices.stream().anyMatch(service -> StringUtils.isEmpty(service.getServiceName()))) {
+				errorMsg = "sp_attribute_consuming_service_not_enough_data";
+				errors.add(errorMsg);
+				LOGGER.error(errorMsg);
+			}
+			// all Attribute Consuming Services must have at least one requested attribute
+			if(attributeConsumingServices.stream().anyMatch(service -> service.getRequestedAttributes().isEmpty())) {
+				errorMsg = "sp_attribute_consuming_service_no_requested_attribute";
+				errors.add(errorMsg);
+				LOGGER.error(errorMsg);
+			}
+			// there must be at most one with default = true
+			if(attributeConsumingServices.stream().filter(service -> Boolean.TRUE.equals(service.isDefault())).count() > 1) {
+				errorMsg = "sp_attribute_consuming_service_multiple_defaults";
+				errors.add(errorMsg);
+				LOGGER.error(errorMsg);
+			}
+			// all requested attributes must have a name
+			if(attributeConsumingServices.stream().flatMap(service -> service.getRequestedAttributes().stream())
+					.anyMatch(attribute -> StringUtils.isEmpty(attribute.getName()))) {
+				errorMsg = "sp_attribute_consuming_service_not_enough_requested_attribute_data";
+				errors.add(errorMsg);
+				LOGGER.error(errorMsg);
+			}
+		}
+	}
 
 	/**
 	 * Checks the SP settings .
@@ -968,6 +1008,8 @@ public List<String> checkSPSettings() {
 			errors.add(errorMsg);
 			LOGGER.error(errorMsg);
 		}
+		
+		checkAttributeConsumingServices(errors);
 
 		if (this.getHsm() == null && (this.getAuthnRequestsSigned() || this.getLogoutRequestSigned()
 			|| this.getLogoutResponseSigned() || this.getWantAssertionsEncrypted() || this.getWantNameIdEncrypted()) && !this.checkSPCerts()) {

core/src/test/java/com/onelogin/saml2/test/settings/Saml2SettingsTest.java

@@ -116,6 +116,18 @@ public void testCheckSPSettingsAllErrors() throws IOException, Error {
 		assertThat(settingsErrors, hasItem("sp_cert_not_found_and_required"));
 		assertThat(settingsErrors, hasItem("contact_not_enough_data"));
 		assertThat(settingsErrors, hasItem("organization_not_enough_data"));
+
+		Saml2Settings settings2 = new SettingsBuilder().fromFile("config/config.sperrors_multi_attribute_consuming_services.properties").build();
+		List<String> settings2Errors = settings2.checkSPSettings();
+		assertFalse(settings2Errors.isEmpty());
+		assertThat(settings2Errors, hasItem("sp_entityId_not_found"));
+		assertThat(settings2Errors, hasItem("sp_attribute_consuming_service_not_enough_data"));
+		assertThat(settings2Errors, hasItem("sp_attribute_consuming_service_no_requested_attribute"));
+		assertThat(settings2Errors, hasItem("sp_attribute_consuming_service_multiple_defaults"));
+		assertThat(settings2Errors, hasItem("sp_attribute_consuming_service_not_enough_requested_attribute_data"));
+		assertThat(settings2Errors, hasItem("sp_cert_not_found_and_required"));
+		assertThat(settings2Errors, hasItem("contact_not_enough_data"));
+		assertThat(settings2Errors, hasItem("organization_not_enough_data"));
 	}
 
 	/**
@@ -132,6 +144,15 @@ public void testCheckSPSettingsOk() throws IOException, Error {
 		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.all.properties").build();
 		List<String> settingsErrors = settings.checkSPSettings();
 		assertTrue(settingsErrors.isEmpty());
+		
+		Saml2Settings settings2 = new SettingsBuilder().fromFile("config/config.all_multi_attribute_consuming_services.properties").build();
+		List<String> settings2Errors = settings2.checkSPSettings();
+		assertTrue(settings2Errors.isEmpty());
+		
+		// no attribute consuming services at all
+		Saml2Settings settings3 = new SettingsBuilder().fromFile("config/config.min.properties").build();
+		List<String> settings3Errors = settings3.checkSPSettings();
+		assertTrue(settings3Errors.isEmpty());
 	}
 
 	/**
@@ -157,6 +178,22 @@ public void testCheckSettingsAllErrors() throws IOException, Error {
 		assertThat(settingsErrors, hasItem("idp_sso_url_invalid"));
 		assertThat(settingsErrors, hasItem("idp_cert_or_fingerprint_not_found_and_required"));
 		assertThat(settingsErrors, hasItem("idp_cert_not_found_and_required"));
+
+		Saml2Settings settings2 = new SettingsBuilder().fromFile("config/config.allerrors_multi_attribute_consuming_services.properties").build();
+		List<String> settings2Errors = settings2.checkSettings();
+		assertFalse(settings2Errors.isEmpty());
+		assertThat(settings2Errors, hasItem("sp_entityId_not_found"));
+		assertThat(settings2Errors, hasItem("sp_attribute_consuming_service_not_enough_data"));
+		assertThat(settings2Errors, hasItem("sp_attribute_consuming_service_no_requested_attribute"));
+		assertThat(settings2Errors, hasItem("sp_attribute_consuming_service_multiple_defaults"));
+		assertThat(settings2Errors, hasItem("sp_attribute_consuming_service_not_enough_requested_attribute_data"));
+		assertThat(settings2Errors, hasItem("sp_cert_not_found_and_required"));
+		assertThat(settings2Errors, hasItem("contact_not_enough_data"));
+		assertThat(settings2Errors, hasItem("organization_not_enough_data"));
+		assertThat(settings2Errors, hasItem("idp_entityId_not_found"));
+		assertThat(settings2Errors, hasItem("idp_sso_url_invalid"));
+		assertThat(settings2Errors, hasItem("idp_cert_or_fingerprint_not_found_and_required"));
+		assertThat(settings2Errors, hasItem("idp_cert_not_found_and_required"));
 	}
 
 	/**
@@ -285,6 +322,49 @@ public void testGetSPMetadataUnsigned() throws Exception {
 		assertThat(metadataStr, containsString("<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>"));
 	}
 
+	/**
+	 * Tests the getSPMetadata method of the Saml2Settings
+	 * <p>
+	 * Case Unsigned metadata with multiple Attribute Consuming Services
+	 *
+	 * @throws Exception
+	 *
+	 * @see com.onelogin.saml2.settings.Saml2Settings#getSPMetadata
+	 */
+	@Test
+	public void testGetSPMetadataUnsignedMultiAttributeConsumingServices() throws Exception {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min_multi_attribute_consuming_services.properties").build();
+
+		String metadataStr = settings.getSPMetadata();
+
+		Document metadataDoc = Util.loadXML(metadataStr);
+		assertTrue(metadataDoc instanceof Document);
+
+		assertEquals("md:EntityDescriptor", metadataDoc.getDocumentElement().getNodeName());
+		assertEquals("md:SPSSODescriptor", metadataDoc.getDocumentElement().getFirstChild().getNodeName());
+
+		assertTrue(Util.validateXML(metadataDoc, SchemaFactory.SAML_SCHEMA_METADATA_2_0));
+
+		assertThat(metadataStr, containsString("<md:SPSSODescriptor"));
+		assertThat(metadataStr, containsString("entityID=\"http://localhost:8080/java-saml-jspsample/metadata.jsp\""));
+		assertThat(metadataStr, containsString("AuthnRequestsSigned=\"false\""));
+		assertThat(metadataStr, containsString("WantAssertionsSigned=\"false\""));
+		assertThat(metadataStr, not(containsString("<md:KeyDescriptor use=\"signing\">")));
+		assertThat(metadataStr, containsString("<md:AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://localhost:8080/java-saml-jspsample/acs.jsp\" index=\"1\"/>"));
+		assertThat(metadataStr, containsString("<md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://localhost:8080/java-saml-jspsample/sls.jsp\"/>"));
+		assertThat(metadataStr, containsString("<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>"));
+		assertThat(metadataStr, containsString("<md:AttributeConsumingService index=\"0\">"));
+		assertThat(metadataStr, containsString("<md:ServiceName xml:lang=\"en\">Just e-mail</md:ServiceName>"));
+		assertThat(metadataStr, containsString("<md:RequestedAttribute Name=\"Email\" NameFormat=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\" FriendlyName=\"E-mail address\" isRequired=\"true\">"));
+		assertThat(metadataStr, containsString("<saml:AttributeValue xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">[email protected]</saml:AttributeValue>"));
+		assertThat(metadataStr, containsString("<saml:AttributeValue xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">[email protected]</saml:AttributeValue>"));
+		assertThat(metadataStr, containsString("<md:AttributeConsumingService index=\"1\" isDefault=\"true\">"));
+		assertThat(metadataStr, containsString("<md:ServiceName xml:lang=\"it\">Anagrafica</md:ServiceName>"));
+		assertThat(metadataStr, containsString("<md:ServiceDescription xml:lang=\"it\">Servizio completo</md:ServiceDescription>"));
+		assertThat(metadataStr, containsString("<md:RequestedAttribute Name=\"FirstName\" />"));
+		assertThat(metadataStr, containsString("<md:RequestedAttribute Name=\"LastName\" isRequired=\"true\" />"));
+	}
+
 	/**
 	 * Tests the getSPMetadata method of the Saml2Settings
 	 * * Case Unsigned metadata No SLS

core/src/test/resources/config/config.allerrors_multi_attribute_consuming_services.properties

@@ -0,0 +1,38 @@
+# we have some Attribute Consuming Services with missing information and multiple defaults
+onelogin.saml2.sp.attribute_consuming_service[0].name = Just e-mail
+onelogin.saml2.sp.attribute_consuming_service[0].default = true
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].name = 
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].name_format = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].friendly_name = E-mail address
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].required = true
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].value[0] = [email protected]
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].value[1] = [email protected]
+onelogin.saml2.sp.attribute_consuming_service[1].name = 
+onelogin.saml2.sp.attribute_consuming_service[1].default = true
+onelogin.saml2.sp.attribute_consuming_service[1].attribute[0].name = FirstName
+onelogin.saml2.sp.attribute_consuming_service[1].attribute[1].name = LastName
+onelogin.saml2.sp.attribute_consuming_service[1].attribute[1].required = true
+onelogin.saml2.sp.attribute_consuming_service[2].name = No requested attributes
+
+# Usually x509cert and privateKey of the SP are provided by files placed at
+# the certs folder. But we can also provide them with the following parameters
+onelogin.saml2.sp.x509cert = -----BEGIN CERTIFICATE-----MIICeDCCAeGgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBZMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lTG9naW4gSW5jMR4wHAYDVQQDDBVqYXZhLXNhbWwuZXhhbXBsZS5jb20wHhcNMTUxMDE4MjAxMjM1WhcNMTgwNzE0MjAxMjM1WjBZMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lTG9naW4gSW5jMR4wHAYDVQQDDBVqYXZhLXNhbWwuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALvwEktX1+4y2AhEqxVwOO6HO7Wtzi3hr5becRkfLYGjNSyhzZCjI1DsNL61JSWDO3nviZd9fSkFnRC4akFUm0CS6GJ7TZe4T5o+9aowQ6N8e8cts9XPXyP6Inz7q4sD8pO2EInlfwHYPQCqFmz/SDW7cDgIC8vb0ygOsiXdreANAgMBAAGjUDBOMB0GA1UdDgQWBBTifMwN3CQ5ZOPkV5tDJsutU8teFDAfBgNVHSMEGDAWgBTifMwN3CQ5ZOPkV5tDJsutU8teFDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAG3nAEUjJaA75SkzID5FKLolsxG5TE/0HU0+yEUAVkXiqvqN4mPWq/JjoK5+uP4LEZIb4pRrCqI3iHp+vazLLYSeyV3kaGN7q35Afw8nk8WM0f7vImbQ69j1S8GQ+6E0PEI26qBLykGkMn3GUVtBBWSdpP093NuNLJiOomnHqhqj-----END CERTIFICATE-----
+
+# Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
+# <samlp:LogoutResponse> elements received by this SP to be signed.
+onelogin.saml2.security.want_messages_signed = true
+
+# Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
+# will be encrypted.
+onelogin.saml2.security.nameid_encrypted = true
+
+# Indicates whether the <samlp:AuthnRequest> messages sent by this SP
+# will be signed.              [The Metadata of the SP will offer this info]
+onelogin.saml2.security.authnrequest_signed = true
+
+# Organization
+onelogin.saml2.organization.name = SP Java
+onelogin.saml2.organization.url = http://sp.example.com
+
+# Contacts
+onelogin.saml2.contacts.support.email_address = [email protected]

core/src/test/resources/config/config.sperrors_multi_attribute_consuming_services.properties

@@ -0,0 +1,49 @@
+# Identity Provider Data that we want connect with our SP
+# Identifier of the IdP entity  (must be a URI)
+onelogin.saml2.idp.entityid = http://idp.example.com/
+
+# SSO endpoint info of the IdP. (Authentication Request protocol)
+# URL Target of the IdP where the SP will send the Authentication Request Message
+onelogin.saml2.idp.single_sign_on_service.url = http://idp.example.com/simplesaml/saml2/idp/SSOService.php
+
+# SLO endpoint info of the IdP.
+# URL Location of the IdP where the SP will send the SLO Request
+onelogin.saml2.idp.single_logout_service.url = http://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php
+
+# we have some Attribute Consuming Services with missing information and multiple defaults
+onelogin.saml2.sp.attribute_consuming_service[0].name = Just e-mail
+onelogin.saml2.sp.attribute_consuming_service[0].default = true
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].name = 
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].name_format = urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].friendly_name = E-mail address
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].required = true
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].value[0] = [email protected]
+onelogin.saml2.sp.attribute_consuming_service[0].attribute[0].value[1] = [email protected]
+onelogin.saml2.sp.attribute_consuming_service[1].name = 
+onelogin.saml2.sp.attribute_consuming_service[1].default = true
+onelogin.saml2.sp.attribute_consuming_service[1].attribute[0].name = FirstName
+onelogin.saml2.sp.attribute_consuming_service[1].attribute[1].name = LastName
+onelogin.saml2.sp.attribute_consuming_service[1].attribute[1].required = true
+onelogin.saml2.sp.attribute_consuming_service[2].name = No requested attributes
+
+# Public x509 certificate of the IdP
+onelogin.saml2.idp.x509cert = -----BEGIN CERTIFICATE-----\nMIIBrTCCAaGgAwIBAgIBATA
+
+# Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
+# <samlp:LogoutResponse> elements received by this SP to be signed.
+onelogin.saml2.security.want_messages_signed = true
+
+# Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
+# will be encrypted.
+onelogin.saml2.security.nameid_encrypted = true
+
+# Indicates whether the <samlp:AuthnRequest> messages sent by this SP
+# will be signed.              [The Metadata of the SP will offer this info]
+onelogin.saml2.security.authnrequest_signed = true
+
+# Organization
+onelogin.saml2.organization.name = SP Java 
+onelogin.saml2.organization.displayname = SP Java Example
+
+# Contacts
+onelogin.saml2.contacts.support.given_name = Support Guy