Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate Audience for SAML2TokenHandler with New Model #2863

Merged
merged 18 commits into from
Oct 14, 2024
+440 −95
Merged

Validate Audience for SAML2TokenHandler with New Model #2863

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
2ffcc26
Initial test to check for painpoints integrating Wilson validation mo…
Oct 2, 2024
f5f987b
Added more test cases and removed duplicate skipDelegates.cs
Oct 3, 2024
2f5808f
Merge branch 'dev' into francofung/NewModelValidateAudienceRegression…
FuPingFranco Oct 4, 2024
89f7268
removed failing non-applicable test
Oct 4, 2024
6005d7d
Merge branch 'francofung/NewModelValidateAudienceRegressionTestsForSA…
Oct 4, 2024
0947155
Merge branch 'dev' into francofung/NewModelValidateAudienceRegression…
FuPingFranco Oct 6, 2024
96aa713
Merge branch 'dev' into francofung/NewModelValidateAudienceRegression…
FuPingFranco Oct 7, 2024
ce4d688
Address PR feedback part 1
Oct 8, 2024
fa550ff
Merge branch 'dev' into francofung/NewModelValidateAudienceRegression…
FuPingFranco Oct 8, 2024
19f2bc3
Added new ValidateTokeAsync method to InternalAPI.Unshipped.txt
Oct 8, 2024
67551de
Clean up PR feedback
Oct 8, 2024
632ba63
Simplify test into comparisson only tests.
Oct 9, 2024
e04c94c
Update test/Microsoft.IdentityModel.Tokens.Saml.Tests/Saml2SecurityTo…
FuPingFranco Oct 9, 2024
a205ce5
Merge branch 'dev' into francofung/NewModelValidateAudienceRegression…
FuPingFranco Oct 10, 2024
09e69c2
Merge branch 'dev' into francofung/NewModelValidateAudienceRegression…
FuPingFranco Oct 10, 2024
d94f3f4
Merge branch 'dev' into francofung/NewModelValidateAudienceRegression…
FuPingFranco Oct 11, 2024
3dfc8dd
Addressing PR feedback
Oct 11, 2024
73497d1
Addressing PR feedback
Oct 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
138 changes: 138 additions & 0 deletions ...osoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ValidateToken.Internal.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,138 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.

using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;

#nullable enable
namespace Microsoft.IdentityModel.Tokens.Saml2
{
/// <summary>
/// A <see cref="SecurityTokenHandler"/> designed for creating and validating Saml2 Tokens. See: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
/// </summary>
public partial class Saml2SecurityTokenHandler : SecurityTokenHandler
{

FuPingFranco marked this conversation as resolved.
Show resolved Hide resolved
#pragma warning disable CS1998 // Async method lacks 'await' operators and will run synchronously
FuPingFranco marked this conversation as resolved.
Show resolved Hide resolved
internal async Task<ValidationResult<ValidatedToken>> ValidateTokenAsync(
#pragma warning restore CS1998 // Async method lacks 'await' operators and will run synchronously
Saml2SecurityToken samlToken,
ValidationParameters validationParameters,
CallContext callContext,
#pragma warning disable CA1801 // Review unused parameters
CancellationToken cancellationToken)
FuPingFranco marked this conversation as resolved.
Show resolved Hide resolved
#pragma warning restore CA1801 // Review unused parameters
{
var conditionsResult = ValidateConditions(samlToken, validationParameters, callContext);

if (!conditionsResult.IsSuccess)
{
return conditionsResult.UnwrapError().AddStackFrame(new StackFrame(true));
}

//These TODO's follow the pattern of the current ValidateToken methods. They should be implemented in the future.
//TODO: ValidateSubject() - Skip for now
FuPingFranco marked this conversation as resolved.
Show resolved Hide resolved
//TODO: ValidateIssuer()
//TODO: ValidateIssuerSecurityKey()...etc

return new ValidatedToken(samlToken, this, validationParameters);
}


FuPingFranco marked this conversation as resolved.
Show resolved Hide resolved

// ValidatedConditions is basically a named tuple but using a record struct better expresses the intent.
internal record struct ValidatedConditions(string? ValidatedAudience, ValidatedLifetime? ValidatedLifetime);

internal virtual ValidationResult<ValidatedConditions> ValidateConditions(Saml2SecurityToken samlToken, ValidationParameters validationParameters, CallContext callContext)
{
if (samlToken == null)
return ValidationError.NullParameter(nameof(samlToken), new System.Diagnostics.StackFrame(true));
FuPingFranco marked this conversation as resolved.
Show resolved Hide resolved

if (validationParameters == null)
return ValidationError.NullParameter(nameof(validationParameters), new System.Diagnostics.StackFrame(true));

if (samlToken.Assertion == null)
return ValidationError.NullParameter(nameof(samlToken.Assertion), new System.Diagnostics.StackFrame(true));

// TokenValidationParameters.RequireAudience is only used for SAML.
// Should we add this to ValidationParameters?
FuPingFranco marked this conversation as resolved.
Show resolved Hide resolved
// Should it be just a field in Saml2SecurityTokenHandler?
bool requireAudience = true;

if (samlToken.Assertion.Conditions == null)
{
if (requireAudience)
return new ValidationError(
new MessageDetail(LogMessages.IDX13002),
ValidationFailureType.AudienceValidationFailed,
typeof(Saml2SecurityTokenException),
new System.Diagnostics.StackFrame(true));

return new ValidatedConditions(null, null); // no error occurred. There is no validated audience or lifetime.
}

var lifetimeValidationResult = validationParameters.LifetimeValidator(
samlToken.Assertion.Conditions.NotBefore, samlToken.Assertion.Conditions.NotOnOrAfter, samlToken, validationParameters, callContext);
if (!lifetimeValidationResult.IsSuccess)
return lifetimeValidationResult.UnwrapError();

if (samlToken.Assertion.Conditions.OneTimeUse)
{
//ValidateOneTimeUseCondition(samlToken, validationParameters);
// We can keep an overridable method for this, or rely on the TokenReplayValidator delegate.
var oneTimeUseValidationResult = validationParameters.TokenReplayValidator(
samlToken.Assertion.Conditions.NotOnOrAfter, samlToken.Assertion.CanonicalString, validationParameters, callContext);
if (!oneTimeUseValidationResult.IsSuccess)
return oneTimeUseValidationResult.UnwrapError();
}

if (samlToken.Assertion.Conditions.ProxyRestriction != null)
{
//throw LogExceptionMessage(new SecurityTokenValidationException(LogMessages.IDX13511));
FuPingFranco marked this conversation as resolved.
Show resolved Hide resolved
FuPingFranco marked this conversation as resolved.
Show resolved Hide resolved
var proxyValidationError = ValidateProxyRestriction(samlToken, validationParameters, callContext);
if (proxyValidationError is not null)
return proxyValidationError;
}

string? validatedAudience = null;
foreach (var audienceRestriction in samlToken.Assertion.Conditions.AudienceRestrictions)
{
// AudienceRestriction.Audiences is a List<string> but returned as ICollection<string>
// no conversion occurs, ToList() is never called but we have to account for the possibility.
if (!(audienceRestriction.Audiences is List<string> audiencesAsList))
FuPingFranco marked this conversation as resolved.
Show resolved Hide resolved
audiencesAsList = audienceRestriction.Audiences.ToList();

var audienceValidationResult = validationParameters.AudienceValidator(
audiencesAsList, samlToken, validationParameters, callContext);
if (!audienceValidationResult.IsSuccess)
return audienceValidationResult.UnwrapError();

// Audience is valid, save it for later.
validatedAudience = audienceValidationResult.UnwrapResult();
brentschmaltz marked this conversation as resolved.
Show resolved Hide resolved
}

if (requireAudience && validatedAudience is null)
{
return new ValidationError(
new MessageDetail(LogMessages.IDX13002),
ValidationFailureType.AudienceValidationFailed,
typeof(Saml2SecurityTokenException),
new System.Diagnostics.StackFrame(true));
}

return new ValidatedConditions(validatedAudience, lifetimeValidationResult.UnwrapResult()); // no error occurred. There is nothing else to return.
FuPingFranco marked this conversation as resolved.
Show resolved Hide resolved
}

#pragma warning disable CA1801 // Review unused parameters
internal virtual ValidationError? ValidateProxyRestriction(Saml2SecurityToken samlToken, ValidationParameters validationParameters, CallContext callContext)
#pragma warning restore CA1801 // Review unused parameters
{
// return an error, or ignore and allow overriding?
FuPingFranco marked this conversation as resolved.
Show resolved Hide resolved
return null;
}
}
}
#nullable restore
95 changes: 1 addition & 94 deletions src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ namespace Microsoft.IdentityModel.Tokens.Saml2
/// <summary>
/// A <see cref="SecurityTokenHandler"/> designed for creating and validating Saml2 Tokens. See: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
/// </summary>
public class Saml2SecurityTokenHandler : SecurityTokenHandler
public partial class Saml2SecurityTokenHandler : SecurityTokenHandler
{
private const string _actor = "Actor";
private const string _className = "Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler";
Expand Down Expand Up @@ -1048,99 +1048,6 @@ protected virtual void ValidateConditions(Saml2SecurityToken samlToken, TokenVal
throw LogExceptionMessage(new Saml2SecurityTokenException(LogMessages.IDX13002));
}

#nullable enable
// ValidatedConditions is basically a named tuple but using a record struct better expresses the intent.
internal record struct ValidatedConditions(string? ValidatedAudience, ValidatedLifetime? ValidatedLifetime);

internal virtual ValidationResult<ValidatedConditions> ValidateConditions(Saml2SecurityToken samlToken, ValidationParameters validationParameters, CallContext callContext)
{
if (samlToken == null)
return ValidationError.NullParameter(nameof(samlToken), new System.Diagnostics.StackFrame(true));

if (validationParameters == null)
return ValidationError.NullParameter(nameof(validationParameters), new System.Diagnostics.StackFrame(true));

if (samlToken.Assertion == null)
return ValidationError.NullParameter(nameof(samlToken.Assertion), new System.Diagnostics.StackFrame(true));

// TokenValidationParameters.RequireAudience is only used for SAML.
// Should we add this to ValidationParameters?
// Should it be just a field in Saml2SecurityTokenHandler?
bool requireAudience = true;

if (samlToken.Assertion.Conditions == null)
{
if (requireAudience)
return new ValidationError(
new MessageDetail(LogMessages.IDX13002),
ValidationFailureType.AudienceValidationFailed,
typeof(Saml2SecurityTokenException),
new System.Diagnostics.StackFrame(true));

return new ValidatedConditions(null, null); // no error occurred. There is no validated audience or lifetime.
}

var lifetimeValidationResult = validationParameters.LifetimeValidator(
samlToken.Assertion.Conditions.NotBefore, samlToken.Assertion.Conditions.NotOnOrAfter, samlToken, validationParameters, callContext);
if (!lifetimeValidationResult.IsSuccess)
return lifetimeValidationResult.UnwrapError();

if (samlToken.Assertion.Conditions.OneTimeUse)
{
//ValidateOneTimeUseCondition(samlToken, validationParameters);
// We can keep an overridable method for this, or rely on the TokenReplayValidator delegate.
var oneTimeUseValidationResult = validationParameters.TokenReplayValidator(
samlToken.Assertion.Conditions.NotOnOrAfter, samlToken.Assertion.CanonicalString, validationParameters, callContext);
if (!oneTimeUseValidationResult.IsSuccess)
return oneTimeUseValidationResult.UnwrapError();
}

if (samlToken.Assertion.Conditions.ProxyRestriction != null)
{
//throw LogExceptionMessage(new SecurityTokenValidationException(LogMessages.IDX13511));
var proxyValidationError = ValidateProxyRestriction(samlToken, validationParameters, callContext);
if (proxyValidationError is not null)
return proxyValidationError;
}

string? validatedAudience = null;
foreach (var audienceRestriction in samlToken.Assertion.Conditions.AudienceRestrictions)
{
// AudienceRestriction.Audiences is a List<string> but returned as ICollection<string>
// no conversion occurs, ToList() is never called but we have to account for the possibility.
if (!(audienceRestriction.Audiences is List<string> audiencesAsList))
audiencesAsList = audienceRestriction.Audiences.ToList();

var audienceValidationResult = validationParameters.AudienceValidator(
audiencesAsList, samlToken, validationParameters, callContext);
if (!audienceValidationResult.IsSuccess)
return audienceValidationResult.UnwrapError();

// Audience is valid, save it for later.
validatedAudience = audienceValidationResult.UnwrapResult();
}

if (requireAudience && validatedAudience is null)
{
return new ValidationError(
new MessageDetail(LogMessages.IDX13002),
ValidationFailureType.AudienceValidationFailed,
typeof(Saml2SecurityTokenException),
new System.Diagnostics.StackFrame(true));
}

return new ValidatedConditions(validatedAudience, lifetimeValidationResult.UnwrapResult()); // no error occurred. There is nothing else to return.
}

#pragma warning disable CA1801 // Review unused parameters
internal virtual ValidationError? ValidateProxyRestriction(Saml2SecurityToken samlToken, ValidationParameters validationParameters, CallContext callContext)
#pragma warning restore CA1801 // Review unused parameters
{
// return an error, or ignore and allow overriding?
return null;
}
#nullable restore

/// <summary>
/// Validates the OneTimeUse condition.
/// </summary>
Expand Down
1 change: 1 addition & 0 deletions test/Microsoft.IdentityModel.TestUtils/InternalsVisibleTo.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,4 @@

[assembly: System.Runtime.CompilerServices.InternalsVisibleTo("Microsoft.IdentityModel.JsonWebTokens.Tests, PublicKey=0024000004800000940000000602000000240000525341310004000001000100b5fc90e7027f67871e773a8fde8938c81dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f45def46b2a2b1247adc3652bf5c308055da9")]
[assembly: System.Runtime.CompilerServices.InternalsVisibleTo("Microsoft.IdentityModel.Tokens.Tests, PublicKey=0024000004800000940000000602000000240000525341310004000001000100b5fc90e7027f67871e773a8fde8938c81dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f45def46b2a2b1247adc3652bf5c308055da9")]
[assembly: System.Runtime.CompilerServices.InternalsVisibleTo("Microsoft.IdentityModel.Tokens.Saml.Tests, PublicKey=0024000004800000940000000602000000240000525341310004000001000100b5fc90e7027f67871e773a8fde8938c81dd402ba65b9201d60593e96c492651e889cc13f1415ebb53fac1131ae0bd333c5ee6021672d9718ea31a8aebd0da0072f25d87dba6fc90ffd598ed4da35e44c398c454307e8e33b8426143daec9f596836f97c8f74750e5975c64e2189f45def46b2a2b1247adc3652bf5c308055da9")]
Loading
Loading