Saml2AuthenticationToken Takes RelyingPartyRegistration

Now that the credentials are split, it's a bit cleaner to keep all the details
with RelyingPartyRegistration instead of trying to split them out into different
contructor parameters

Issue spring-projectsgh-8777

Author: jzheaux

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationProvider.java

@@ -15,7 +15,6 @@
  */
 package org.springframework.security.saml2.provider.service.authentication;
 
-import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.ArrayList;
@@ -24,7 +23,6 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
-import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -38,7 +36,6 @@
 import org.opensaml.core.xml.XMLObject;
 import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
 import org.opensaml.core.xml.io.Marshaller;
-
 import org.opensaml.core.xml.schema.XSAny;
 import org.opensaml.core.xml.schema.XSBoolean;
 import org.opensaml.core.xml.schema.XSBooleanValue;
@@ -95,6 +92,7 @@
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.saml2.Saml2Exception;
 import org.springframework.security.saml2.credentials.Saml2X509Credential;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
@@ -218,9 +216,9 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		try {
 			Saml2AuthenticationToken token = (Saml2AuthenticationToken) authentication;
 			Response response = parse(token.getSaml2Response());
-			List<Assertion> validAssertions = validateResponse(token, response);
+			List<Assertion> validAssertions = validateResponse(token.getRelyingPartyRegistration(), response);
 			Assertion assertion = validAssertions.get(0);
-			String username = getUsername(token, assertion);
+			String username = getUsername(token.getRelyingPartyRegistration(), assertion);
 			Map<String, List<Object>> attributes = getAssertionAttributes(assertion);
 			return new Saml2Authentication(
 					new SimpleSaml2AuthenticatedPrincipal(username, attributes), token.getSaml2Response(),
@@ -259,7 +257,7 @@ private Response parse(String response) throws Saml2Exception, Saml2Authenticati
 
 	}
 
-	private List<Assertion> validateResponse(Saml2AuthenticationToken token, Response response)
+	private List<Assertion> validateResponse(RelyingPartyRegistration relyingParty, Response response)
 			throws Saml2AuthenticationException {
 
 		List<Assertion> validAssertions = new ArrayList<>();
@@ -270,7 +268,7 @@ private List<Assertion> validateResponse(Saml2AuthenticationToken token, Respons
 
 		List<Assertion> assertions = new ArrayList<>(response.getAssertions());
 		for (EncryptedAssertion encryptedAssertion : response.getEncryptedAssertions()) {
-			Assertion assertion = decrypt(token, encryptedAssertion);
+			Assertion assertion = decrypt(relyingParty, encryptedAssertion);
 			assertions.add(assertion);
 		}
 		if (assertions.isEmpty()) {
@@ -282,7 +280,7 @@ private List<Assertion> validateResponse(Saml2AuthenticationToken token, Respons
 					"Please either sign the response or all of the assertions.");
 		}
 
-		SignatureTrustEngine signatureTrustEngine = buildSignatureTrustEngine(token);
+		SignatureTrustEngine signatureTrustEngine = buildSignatureTrustEngine(relyingParty);
 
 		Map<String, Saml2AuthenticationException> validationExceptions = new HashMap<>();
 		if (response.isSigned()) {
@@ -310,18 +308,18 @@ private List<Assertion> validateResponse(Saml2AuthenticationToken token, Respons
 		}
 
 		String destination = response.getDestination();
-		if (StringUtils.hasText(destination) && !destination.equals(token.getRecipientUri())) {
+		if (StringUtils.hasText(destination) && !destination.equals(relyingParty.getAssertionConsumerServiceLocation())) {
 			String message = "Invalid destination [" + destination + "] for SAML response [" + response.getID() + "]";
 			validationExceptions.put(INVALID_DESTINATION, authException(INVALID_DESTINATION, message));
 		}
 
-		if (!StringUtils.hasText(issuer) || !issuer.equals(token.getIdpEntityId())) {
+		if (!StringUtils.hasText(issuer) || !issuer.equals(relyingParty.getProviderDetails().getEntityId())) {
 			String message = String.format("Invalid issuer [%s] for SAML response [%s]", issuer, response.getID());
 			validationExceptions.put(INVALID_ISSUER, authException(INVALID_ISSUER, message));
 		}
 
 		SAML20AssertionValidator validator = buildSamlAssertionValidator(signatureTrustEngine);
-		ValidationContext context = buildValidationContext(token, response);
+		ValidationContext context = buildValidationContext(relyingParty, response);
 
 		if (logger.isDebugEnabled()) {
 			logger.debug("Validating " + assertions.size() + " assertions");
@@ -375,12 +373,12 @@ private boolean isSigned(Response samlResponse, List<Assertion> assertions) {
 		return true;
 	}
 
-	private SignatureTrustEngine buildSignatureTrustEngine(Saml2AuthenticationToken token) {
+	private SignatureTrustEngine buildSignatureTrustEngine(RelyingPartyRegistration relyingParty) {
 		Set<Credential> credentials = new HashSet<>();
-		for (X509Certificate key : getVerificationCertificates(token)) {
-			BasicX509Credential cred = new BasicX509Credential(key);
+		for (Saml2X509Credential credential : relyingParty.getProviderDetails().getVerificationX509Credentials()) {
+			BasicX509Credential cred = new BasicX509Credential(credential.getCertificate());
 			cred.setUsageType(UsageType.SIGNING);
-			cred.setEntityId(token.getIdpEntityId());
+			cred.setEntityId(relyingParty.getProviderDetails().getEntityId());
 			credentials.add(cred);
 		}
 		CredentialResolver credentialsResolver = new CollectionCredentialResolver(credentials);
@@ -390,13 +388,15 @@ private SignatureTrustEngine buildSignatureTrustEngine(Saml2AuthenticationToken
 		);
 	}
 
-	private ValidationContext buildValidationContext(Saml2AuthenticationToken token, Response response) {
+	private ValidationContext buildValidationContext(RelyingPartyRegistration relyingParty, Response response) {
 		Map<String, Object> validationParams = new HashMap<>();
 		validationParams.put(SIGNATURE_REQUIRED, !response.isSigned());
 		validationParams.put(CLOCK_SKEW, this.responseTimeValidationSkew.toMillis());
-		validationParams.put(COND_VALID_AUDIENCES, singleton(token.getLocalSpEntityId()));
-		if (StringUtils.hasText(token.getRecipientUri())) {
-			validationParams.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS, singleton(token.getRecipientUri()));
+		validationParams.put(COND_VALID_AUDIENCES, singleton(relyingParty.getEntityId()));
+		String assertionConsumerServiceLocation = relyingParty.getAssertionConsumerServiceLocation();
+		if (StringUtils.hasText(assertionConsumerServiceLocation)) {
+			validationParams.put(SAML2AssertionValidationParameters.SC_VALID_RECIPIENTS,
+					singleton(assertionConsumerServiceLocation));
 		}
 		return new ValidationContext(validationParams);
 	}
@@ -422,11 +422,11 @@ private Assertion validateAssertion(Assertion assertion,
 		return assertion;
 	}
 
-	private Assertion decrypt(Saml2AuthenticationToken token, EncryptedAssertion assertion)
+	private Assertion decrypt(RelyingPartyRegistration relyingParty, EncryptedAssertion assertion)
 			throws Saml2AuthenticationException {
 
 		Saml2AuthenticationException last = null;
-		List<Saml2X509Credential> decryptionCredentials = getDecryptionCredentials(token);
+		Collection<Saml2X509Credential> decryptionCredentials = relyingParty.getDecryptionX509Credentials();
 		if (decryptionCredentials.isEmpty()) {
 			throw authException(DECRYPTION_ERROR, "No valid decryption credentials found.");
 		}
@@ -450,27 +450,7 @@ private Decrypter getDecrypter(Saml2X509Credential key) {
 		return decrypter;
 	}
 
-	private List<Saml2X509Credential> getDecryptionCredentials(Saml2AuthenticationToken token) {
-		List<Saml2X509Credential> result = new LinkedList<>();
-		for (Saml2X509Credential c : token.getX509Credentials()) {
-			if (c.isDecryptionCredential()) {
-				result.add(c);
-			}
-		}
-		return result;
-	}
-
-	private List<X509Certificate> getVerificationCertificates(Saml2AuthenticationToken token) {
-		List<X509Certificate> result = new LinkedList<>();
-		for (Saml2X509Credential c : token.getX509Credentials()) {
-			if (c.isSignatureVerficationCredential()) {
-				result.add(c.getCertificate());
-			}
-		}
-		return result;
-	}
-
-	private String getUsername(Saml2AuthenticationToken token, Assertion assertion)
+	private String getUsername(RelyingPartyRegistration relyingParty, Assertion assertion)
 			throws Saml2AuthenticationException {
 
 		String username = null;
@@ -482,7 +462,7 @@ private String getUsername(Saml2AuthenticationToken token, Assertion assertion)
 			username = subject.getNameID().getValue();
 		}
 		else if (subject.getEncryptedID() != null) {
-			NameID nameId = decrypt(token, subject.getEncryptedID());
+			NameID nameId = decrypt(relyingParty, subject.getEncryptedID());
 			username = nameId.getValue();
 		}
 		if (username == null) {
@@ -491,11 +471,11 @@ else if (subject.getEncryptedID() != null) {
 		return username;
 	}
 
-	private NameID decrypt(Saml2AuthenticationToken token, EncryptedID assertion)
+	private NameID decrypt(RelyingPartyRegistration relyingParty, EncryptedID assertion)
 			throws Saml2AuthenticationException {
 
 		Saml2AuthenticationException last = null;
-		List<Saml2X509Credential> decryptionCredentials = getDecryptionCredentials(token);
+		Collection<Saml2X509Credential> decryptionCredentials = relyingParty.getDecryptionX509Credentials();
 		if (decryptionCredentials.isEmpty()) {
 			throw authException(DECRYPTION_ERROR, "No valid decryption credentials found.");
 		}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2AuthenticationToken.java

@@ -16,10 +16,13 @@
 
 package org.springframework.security.saml2.provider.service.authentication;
 
+import java.util.Collections;
+import java.util.List;
+
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.saml2.credentials.Saml2X509Credential;
-
-import java.util.List;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.util.Assert;
 
 /**
  * Represents an incoming SAML 2.0 response containing an assertion that has not been validated.
@@ -28,11 +31,56 @@
  */
 public class Saml2AuthenticationToken extends AbstractAuthenticationToken {
 
+	private final RelyingPartyRegistration relyingPartyRegistration;
 	private final String saml2Response;
-	private final String recipientUri;
-	private String idpEntityId;
-	private String localSpEntityId;
-	private List<Saml2X509Credential> credentials;
+
+	/**
+	 * Construct a {@link Saml2AuthenticationToken} with the provided parameters
+	 *
+	 * <p>
+	 * Note that the {@link RelyingPartyRegistration} should have any placeholders resolved to be included
+	 * in this token. This can be achieved with {@link RelyingPartyRegistration#withRelyingPartyRegistration}:
+	 *
+	 * <pre>
+	 * 	RelyingPartyRegistration resolved = withRelyingPartyRegistration(unresolved)
+	 * 			.entityId(...)
+	 * 			.assertionConsumerServiceLocation(...)
+	 * 			.build();
+	 * 	Saml2AuthenticationToken token = new Saml2AuthenticationToken(resolved, saml2Response);
+	 * </pre>
+	 *
+	 * @param relyingPartyRegistration The {@link RelyingPartyRegistration} associated with this token
+	 * @param saml2Response The serialized SAML 2.0 Response associated with this token
+	 * @since 5.4
+	 */
+	public Saml2AuthenticationToken(RelyingPartyRegistration relyingPartyRegistration, String saml2Response) {
+		super(Collections.emptyList());
+		Assert.isTrue(isResolved(relyingPartyRegistration.getAssertionConsumerServiceLocation()),
+				"relyingPartyRegistration must have its placeholders resolved for inclusion in this token");
+		Assert.isTrue(isResolved(relyingPartyRegistration.getEntityId()),
+				"relyingPartyRegistration must have its placeholders resolved for inclusion in this token");
+		this.relyingPartyRegistration = relyingPartyRegistration;
+		this.saml2Response = saml2Response;
+	}
+
+	private static boolean isResolved(String template) {
+		if (template.contains("{registrationId}")) {
+			return false;
+		}
+		if (template.contains("{baseUrl}")) {
+			return false;
+		}
+		if (template.contains("{baseScheme}")) {
+			return false;
+		}
+		if (template.contains("{baseHost}")) {
+			return false;
+		}
+		if (template.contains("{basePort}")) {
+			return false;
+		}
+		return true;
+	}
 
 	/**
 	 * Creates an authentication token from an incoming SAML 2 Response object
@@ -41,18 +89,31 @@ public class Saml2AuthenticationToken extends AbstractAuthenticationToken {
 	 * @param idpEntityId the entity ID of the asserting entity
 	 * @param localSpEntityId the configured local SP, the relying party, entity ID
 	 * @param credentials the credentials configured for signature verification and decryption
+	 * @deprecated Use {@link Saml2AuthenticationToken(RelyingPartyRegistration, String)} instead
 	 */
+	@Deprecated
 	public Saml2AuthenticationToken(String saml2Response,
 									String recipientUri,
 									String idpEntityId,
 									String localSpEntityId,
 									List<Saml2X509Credential> credentials) {
-		super(null);
-		this.saml2Response = saml2Response;
-		this.recipientUri = recipientUri;
-		this.idpEntityId = idpEntityId;
-		this.localSpEntityId = localSpEntityId;
-		this.credentials = credentials;
+		this(RelyingPartyRegistration.withRegistrationId(localSpEntityId)
+				.entityId(localSpEntityId)
+				.credentials(c -> c.addAll(credentials))
+				.assertionConsumerServiceLocation(recipientUri)
+				.providerDetails(ap -> ap.entityId(idpEntityId))
+				.build(),
+			saml2Response);
+	}
+
+	/**
+	 * Get the {@link RelyingPartyRegistration} associated with this authentication token
+	 *
+	 * @return the {@link RelyingPartyRegistration} associated with this authentication token
+	 * @since 5.4
+	 */
+	public RelyingPartyRegistration getRelyingPartyRegistration() {
+		return this.relyingPartyRegistration;
 	}
 
 	/**
@@ -84,25 +145,31 @@ public String getSaml2Response() {
 	/**
 	 * Returns the URI that the SAML 2 Response object came in on
 	 * @return URI as a string
+	 * @deprecated Use {@link #getRelyingPartyRegistration().getAssertionConsumerServiceUrlTemplate()} instead
 	 */
+	@Deprecated
 	public String getRecipientUri() {
-		return this.recipientUri;
+		return this.relyingPartyRegistration.getAssertionConsumerServiceLocation();
 	}
 
 	/**
 	 * Returns the configured entity ID of the receiving relying party, SP
 	 * @return an entityID for the configured local relying party
+	 * @deprecated Use {@link #getRelyingPartyRegistration().getEntityId()} instead
 	 */
+	@Deprecated
 	public String getLocalSpEntityId() {
-		return this.localSpEntityId;
+		return this.relyingPartyRegistration.getEntityId();
 	}
 
 	/**
 	 * Returns all the credentials associated with the relying party configuraiton
 	 * @return
+	 * @deprecated Use {@link #getRelyingPartyRegistration()} instead
 	 */
+	@Deprecated
 	public List<Saml2X509Credential> getX509Credentials() {
-		return this.credentials;
+		return this.relyingPartyRegistration.getCredentials();
 	}
 
 	/**
@@ -126,8 +193,10 @@ public void setAuthenticated(boolean authenticated) {
 	/**
 	 * Returns the configured IDP, asserting party, entity ID
 	 * @return a string representing the entity ID
+	 * @deprecated Use {@link #getRelyingPartyRegistration().getProviderDetails.getEntityId()} instead
 	 */
+	@Deprecated
 	public String getIdpEntityId() {
-		return this.idpEntityId;
+		return this.relyingPartyRegistration.getProviderDetails().getEntityId();
 	}
 }

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/servlet/filter/Saml2WebSsoAuthenticationFilter.java

@@ -35,6 +35,7 @@
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.springframework.security.saml2.provider.service.authentication.Saml2ErrorCodes.RELYING_PARTY_REGISTRATION_NOT_FOUND;
+import static org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.withRelyingPartyRegistration;
 import static org.springframework.util.StringUtils.hasText;
 
 /**
@@ -90,22 +91,23 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 
 		String responseXml = inflateIfRequired(request, b);
 		String registrationId = this.matcher.matcher(request).getVariables().get("registrationId");
-		RelyingPartyRegistration rp =
+		RelyingPartyRegistration relyingPartyRegistration =
 				this.relyingPartyRegistrationRepository.findByRegistrationId(registrationId);
-		if (rp == null) {
+		if (relyingPartyRegistration == null) {
 			Saml2Error saml2Error = new Saml2Error(RELYING_PARTY_REGISTRATION_NOT_FOUND,
 					"Relying Party Registration not found with ID: " + registrationId);
 			throw new Saml2AuthenticationException(saml2Error);
 		}
 		String applicationUri = Saml2ServletUtils.getApplicationUri(request);
-		String localSpEntityId = Saml2ServletUtils.resolveUrlTemplate(rp.getEntityId(), applicationUri, rp);
-		final Saml2AuthenticationToken authentication = new Saml2AuthenticationToken(
-				responseXml,
-				request.getRequestURL().toString(),
-				rp.getProviderDetails().getEntityId(),
-				localSpEntityId,
-				rp.getCredentials()
-		);
+		String localSpEntityId = Saml2ServletUtils.resolveUrlTemplate(
+				relyingPartyRegistration.getEntityId(), applicationUri, relyingPartyRegistration);
+		RelyingPartyRegistration resolvedRelyingPartyRegistration =
+				withRelyingPartyRegistration(relyingPartyRegistration)
+						.assertionConsumerServiceLocation(request.getRequestURL().toString())
+						.entityId(localSpEntityId)
+						.build();
+		Saml2AuthenticationToken authentication =
+				new Saml2AuthenticationToken(resolvedRelyingPartyRegistration, responseXml);
 		return getAuthenticationManager().authenticate(authentication);
 	}