Merge pull request #157 from waterkip/GL-sub-status_for_consumers_in_assertion

waterkip · web-flow · commit d03bb2345ec5 · 2023-02-02T07:15:10.000-04:00
Get the substatus of a failed assertion
diff --git a/lib/Net/SAML2/Protocol/Assertion.pm b/lib/Net/SAML2/Protocol/Assertion.pm
@@ -1,5 +1,3 @@
-use strict;
-use warnings;
 package Net::SAML2::Protocol::Assertion;
 # VERSION
 
@@ -13,6 +11,8 @@ use Net::SAML2::XML::Util qw/ no_comments /;
 use Net::SAML2::XML::Sig;
 use XML::Enc;
 use XML::LibXML;
+use List::Util qw(first);
+use URN::OASIS::SAML2 qw(STATUS_SUCCESS);
 
 with 'Net::SAML2::Role::ProtocolMessage';
 
@@ -37,12 +37,13 @@ has 'not_before' => (isa => DateTime,          is => 'ro', required => 1);
 has 'session'         => (isa => 'Str', is => 'ro', required => 1);
 has 'in_response_to'  => (isa => 'Str', is => 'ro', required => 1);
 has 'response_status' => (isa => 'Str', is => 'ro', required => 1);
+has 'response_substatus' => (isa => 'Str', is => 'ro');
 has 'xpath' => (isa => 'XML::LibXML::XPathContext', is => 'ro', required => 1);
 has 'nameid_object' => (
-    isa      => 'XML::LibXML::Element',
-    is       => 'ro',
-    required => 0,
-    init_arg => 'nameid',
+    isa       => 'XML::LibXML::Element',
+    is        => 'ro',
+    required  => 0,
+    init_arg  => 'nameid',
     predicate => 'has_nameid',
 );
 
@@ -175,6 +176,17 @@ sub new_from_xml {
         $nameid = $global->get_node(1);
     }
 
+    my $nodeset = $xpath->findnodes('/samlp:Response/samlp:Status/samlp:StatusCode');
+    croak("Unable to parse status from assertion") unless ($nodeset->size);
+
+    my $status_node = $nodeset->get_node(1);
+    my $status = $status_node->getAttribute('Value');
+    my $sub_status;
+
+    if (my $s = first { $_->isa('XML::LibXML::Element') } $status_node->childNodes) {
+        $sub_status = $s->getAttribute('Value');
+    }
+
     my $self = $class->new(
         id             => $xpath->findvalue('//saml:Assertion/@ID'),
         issuer         => $xpath->findvalue('//saml:Assertion/saml:Issuer'),
@@ -187,21 +199,32 @@ sub new_from_xml {
         not_after      => $not_after,
         xpath          => $xpath,
         in_response_to => $xpath->findvalue('//saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData/@InResponseTo'),
-        response_status => $xpath->findvalue('//samlp:Response/samlp:Status/samlp:StatusCode/@Value'),
+        response_status => $status,
+        $sub_status ? (response_substatus => $sub_status) : (),
     );
 
     return $self;
 }
 
-=head2 name( )
+=head2 response_status
+
+Returns the response status
+
+=head2 response_substatus
+
+SAML errors are usually "nested" ("Responder -> RequestDenied" for instance,
+means that the responder in this transaction (the IdP) denied the login
+request). For proper error message generation, both levels are needed.
+
+=head2 name
 
 Returns the CN attribute, if provided.
 
 =cut
 
 sub name {
-    my($self) = @_;
-    return $self->attributes->{CN}->[0];
+    my $self = shift;
+    return $self->attributes->{CN}[0];
 }
 
 =head2 nameid
@@ -296,4 +319,17 @@ sub valid {
     return 1;
 }
 
+=head2 success
+
+Returns true if the response status is a success, returns false otherwise.
+In case the assertion isn't successfull, the L</response_status> and L</response_substatus> calls can be use to see why the assertion wasn't successful.
+
+=cut
+
+sub success {
+    my $self = shift;
+    return 1 if $self->response_status eq STATUS_SUCCESS;
+    return 0;
+}
+
 1;
diff --git a/t/03-assertions.t b/t/03-assertions.t
@@ -159,4 +159,24 @@ lives_ok(
     "Correct parsing of plain ADFS"
 );
 
+lives_ok(
+    sub {
+       my  $xml = path('t/data/failed-assertion.xml')->slurp;
+       $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(xml => $xml);
+    },
+    "Correct parsing of failed assertion"
+);
+
+ok(!$assertion->success, ".. not a success");
+is(
+    $assertion->response_status,
+    "main status",
+    "... and the status also indicates not a success"
+);
+is(
+    $assertion->response_substatus,
+    "sub status",
+    "... and the sub status yay"
+);
+
 done_testing;
diff --git a/t/data/failed-assertion.xml b/t/data/failed-assertion.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0"?>
+<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_f0b0652f-1382-43af-a70e-97254820f180" Version="2.0" IssueInstant="2018-07-25T08:02:24.342Z" Destination="https://testsuite.zaaksysteem.nl/auth/saml/consumer-post" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_c217d2c8502884bf418552907827f430d745fa6c">
+  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.dev.mintlab.nl/adfs/services/trust</Issuer>
+  <samlp:Status>
+    <samlp:StatusCode Value="main status">
+      <samlp:StatusCode Value="sub status"/>
+    </samlp:StatusCode>
+    <samlp:StatusMessage>Authentication Failed</samlp:StatusMessage>
+    <samlp:StatusDetail>
+      <Cause>org.sourceid.websso.profiles.idp.FailedAuthnSsoException</Cause>
+    </samlp:StatusDetail>
+  </samlp:Status>
+  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0024c3a6-3b4e-4920-8c59-0602ae4a3c5d" IssueInstant="2018-07-25T08:02:24.341Z" Version="2.0">
+    <Issuer>http://adfs.dev.mintlab.nl/adfs/services/trust</Issuer>
+    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+      <ds:SignedInfo>
+        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+        <ds:Reference URI="#_0024c3a6-3b4e-4920-8c59-0602ae4a3c5d">
+          <ds:Transforms>
+            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+          </ds:Transforms>
+          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+          <ds:DigestValue>/UGIkccgX9xPwusXApqxm7KDyLpgx7W/tp6gANTvNsw=</ds:DigestValue>
+        </ds:Reference>
+      </ds:SignedInfo>
+      <ds:SignatureValue/>
+      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate/>
+        </ds:X509Data>
+      </KeyInfo>
+    </ds:Signature>
+    <Subject>
+      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+        <SubjectConfirmationData InResponseTo="_c217d2c8502884bf418552907827f430d745fa6c" NotOnOrAfter="2018-07-25T08:07:24.342Z" Recipient="https://testsuite.zaaksysteem.nl/auth/saml/consumer-post"/>
+      </SubjectConfirmation>
+    </Subject>
+    <Conditions NotBefore="2018-07-25T08:02:24.338Z" NotOnOrAfter="2018-07-25T09:02:24.338Z">
+      <AudienceRestriction>
+        <Audience>TestUPN</Audience>
+      </AudienceRestriction>
+    </Conditions>
+    <AuthnStatement AuthnInstant="2018-07-25T07:54:35.599Z">
+      <AuthnContext>
+        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
+      </AuthnContext>
+    </AuthnStatement>
+  </Assertion>
+</samlp:Response>
