Merge pull request #164 from waterkip/GL-zs-tweaks-digid-testing

Fix artifact response status codes from assertions

Author: waterkip

Makefile.PL

@@ -77,7 +77,7 @@ my %WriteMakefileArgs = (
     "URI::URL" => 0,
     "XML::LibXML::XPathContext" => 0
   },
-  "VERSION" => "0.67",
+  "VERSION" => "0.68",
   "test" => {
     "TESTS" => "t/*.t t/author/*.t"
   }

README

@@ -2,7 +2,7 @@ NAME
     Net::SAML2 - SAML2 bindings and protocol implementation
 
 VERSION
-    version 0.67
+    version 0.68
 
 SYNOPSIS
       See TUTORIAL.md for implementation documentation and

lib/Net/SAML2/Protocol/Assertion.pm

@@ -14,6 +14,7 @@ use XML::Enc;
 use XML::LibXML;
 use List::Util qw(first);
 use URN::OASIS::SAML2 qw(STATUS_SUCCESS);
+use Carp qw(croak);
 
 with 'Net::SAML2::Role::ProtocolMessage';
 
@@ -177,8 +178,9 @@ sub new_from_xml {
         $nameid = $global->get_node(1);
     }
 
-    my $nodeset = $xpath->findnodes('/samlp:Response/samlp:Status/samlp:StatusCode');
-    croak("Unable to parse status from assertion") unless ($nodeset->size);
+    my $nodeset = $xpath->findnodes('/samlp:Response/samlp:Status/samlp:StatusCode|/samlp:ArtifactResponse/samlp:Status/samlp:StatusCode');
+
+    croak("Unable to parse status from assertion") unless $nodeset->size;
 
     my $status_node = $nodeset->get_node(1);
     my $status = $status_node->getAttribute('Value');

lib/Net/SAML2/SP.pm

@@ -630,22 +630,15 @@ sub _generate_key_descriptors {
         && !$self->want_assertions_signed
         && !$self->sign_metadata;
 
+    my $key = $use eq 'signing' ? $self->_cert_text : $self->_encryption_key_text;
+
     return $x->KeyDescriptor(
         $md,
         { use => $use },
         $x->KeyInfo(
             $ds,
-            $x->X509Data(
-                $ds,
-                $x->X509Certificate(
-                    $ds,
-                    $use eq 'signing' ? $self->_cert_text : $self->_encryption_key_text,
-                )
-            ),
-            $x->KeyName(
-                $ds,
-                Digest::MD5::md5_hex($use eq 'signing' ? $self->_cert_text : $self->_encryption_key_text)
-            ),
+            $x->X509Data($ds, $x->X509Certificate($ds, $key)),
+            $x->KeyName($ds, Digest::MD5::md5_hex($key)),
         ),
     );
 }

t/03-assertions.t

@@ -179,4 +179,11 @@ is(
     "... and the sub status yay"
 );
 
+
+{
+    my $xml = path('t/data/digid-live.xml')->slurp;
+    my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(xml => $xml);
+    isa_ok($assertion, 'Net::SAML2::Protocol::Assertion');
+}
+
 done_testing;

t/data/digid-live.xml

@@ -0,0 +1,83 @@
+<?xml version="1.0"?>
+<samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" ID="_7667e303c2457eae23023e10a9f8d22c47eed001" Version="2.0" IssueInstant="2023-03-29T14:45:41Z" InResponseTo="NETSAML2_76120c74b8b337c66bf34382392f85563099f5415e9638ffa6703d475dc49c35">
+  <saml:Issuer>https://some.idp.tld/saml/idp/metadata</saml:Issuer>
+  <ds:Signature>
+    <ds:SignedInfo>
+      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+      <ds:Reference URI="#_7667e303c2457eae23023e10a9f8d22c47eed001">
+        <ds:Transforms>
+          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+            <ec:InclusiveNamespaces PrefixList="ds saml samlp xs"/>
+          </ds:Transform>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+        <ds:DigestValue></ds:DigestValue>
+      </ds:Reference>
+    </ds:SignedInfo>
+    <ds:SignatureValue>
+    </ds:SignatureValue>
+    <ds:KeyInfo>
+      <ds:KeyName></ds:KeyName>
+      <ds:X509Data>
+          <ds:X509Certificate>
+</ds:X509Certificate>
+      </ds:X509Data>
+    </ds:KeyInfo>
+  </ds:Signature>
+  <samlp:Status>
+    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+  </samlp:Status>
+  <samlp:Response ID="_824e2af075f407300cc16718bef3cff2af56860e" Version="2.0" IssueInstant="2023-03-29T14:45:41Z" InResponseTo="NETSAML2_d30c7b67c92a1aa880ddd72696fc2a69d8b04899bdcefb55d01ffd4a1495f2d2">
+    <saml:Issuer>https://some.idp.tld/saml/idp/metadata</saml:Issuer>
+    <samlp:Status>
+      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+    </samlp:Status>
+    <saml:Assertion ID="_be45c8d0431bc0b79600b48e6b21cb4f4d3b39a3" Version="2.0" IssueInstant="2023-03-29T14:45:41Z">
+      <saml:Issuer>https://some.idp.tld/saml/idp/metadata</saml:Issuer>
+      <ds:Signature>
+        <ds:SignedInfo>
+          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+          <ds:Reference URI="#_be45c8d0431bc0b79600b48e6b21cb4f4d3b39a3">
+            <ds:Transforms>
+              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+                <ec:InclusiveNamespaces PrefixList="ds saml samlp xs"/>
+              </ds:Transform>
+            </ds:Transforms>
+            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+            <ds:DigestValue></ds:DigestValue>
+          </ds:Reference>
+        </ds:SignedInfo>
+        <ds:SignatureValue>
+        </ds:SignatureValue>
+        <ds:KeyInfo>
+          <ds:KeyName></ds:KeyName>
+          <ds:X509Data>
+              <ds:X509Certificate>
+</ds:X509Certificate>
+          </ds:X509Data>
+        </ds:KeyInfo>
+      </ds:Signature>
+      <saml:Subject>
+        <saml:NameID>s00000000:900060025</saml:NameID>
+        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+          <saml:SubjectConfirmationData NotOnOrAfter="2023-03-29T14:47:41Z" Recipient="https://some.sp.tld/auth/saml/consumer-post" InResponseTo="NETSAML2_d30c7b67c92a1aa880ddd72696fc2a69d8b04899bdcefb55d01ffd4a1495f2d2"/>
+        </saml:SubjectConfirmation>
+      </saml:Subject>
+      <saml:Conditions NotBefore="2023-03-29T14:43:41Z" NotOnOrAfter="2023-03-29T14:47:41Z">
+        <saml:AudienceRestriction>
+          <saml:Audience>https://some.sp.tld/auth/saml</saml:Audience>
+        </saml:AudienceRestriction>
+      </saml:Conditions>
+      <saml:AuthnStatement AuthnInstant="2023-03-29T14:45:41Z" SessionIndex="12a5de5dbc2eed357dd31d2ab321dcb823442157">
+        <saml:SubjectLocality Address="186.189.151.69"/>
+        <saml:AuthnContext>
+          <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
+        </saml:AuthnContext>
+      </saml:AuthnStatement>
+    </saml:Assertion>
+  </samlp:Response>
+</samlp:ArtifactResponse>