Polish "Configure SAML 2.0 Service Provider via Metadata"

See gh-23045
4 years ago · 681abcc185
parent 5187c01e39
commit 681abcc185
5 changed files with 27 additions and 23 deletions
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyProperties.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyProperties.java
@ -141,7 +141,7 @@ public class Saml2RelyingPartyProperties {
 		private String entityId;

 		/**
-		 * Endpoint for discovery-based configuration.
+		 * URI to the metadata endpoint for discovery-based configuration.
 		 */
 		private String metadataUri;

--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyRegistrationConfiguration.java
@ -22,6 +22,7 @@ import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPrivateKey;
 import java.util.List;
 import java.util.Map;
+import java.util.function.Consumer;
 import java.util.stream.Collectors;

 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@ -37,6 +38,8 @@ import org.springframework.security.converter.RsaKeyConverters;
 import org.springframework.security.saml2.core.Saml2X509Credential;
 import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
 import org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter;
@ -67,26 +70,13 @@ class Saml2RelyingPartyRegistrationConfiguration {
 	}

 	private RelyingPartyRegistration asRegistration(String id, Registration properties) {
-		RelyingPartyRegistration.Builder builder;
 		boolean usingMetadata = StringUtils.hasText(properties.getIdentityprovider().getMetadataUri());
-		if (usingMetadata) {
-			builder = RelyingPartyRegistrations.fromMetadataLocation(properties.getIdentityprovider().getMetadataUri())
-					.registrationId(id);
-		}
-		else {
-			builder = RelyingPartyRegistration.withRegistrationId(id);
-		}
+		Builder builder = (usingMetadata) ? RelyingPartyRegistrations
+				.fromMetadataLocation(properties.getIdentityprovider().getMetadataUri()).registrationId(id)
+				: RelyingPartyRegistration.withRegistrationId(id);
 		builder.assertionConsumerServiceLocation(
 				"{baseUrl}" + Saml2WebSsoAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI);
-		Saml2RelyingPartyProperties.Identityprovider identityprovider = properties.getIdentityprovider();
-		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
-		builder.assertingPartyDetails((details) -> {
-			map.from(identityprovider::getEntityId).to(details::entityId);
-			map.from(identityprovider.getSinglesignon()::getBinding).to(details::singleSignOnServiceBinding);
-			map.from(identityprovider.getSinglesignon()::getUrl).to(details::singleSignOnServiceLocation);
-			map.from(identityprovider.getSinglesignon()::isSignRequest).when((signRequest) -> !usingMetadata)
-					.to(details::wantAuthnRequestsSigned);
-		});
+		builder.assertingPartyDetails(mapIdentityProvider(properties, usingMetadata));
 		builder.signingX509Credentials((credentials) -> properties.getSigning().getCredentials().stream()
 				.map(this::asSigningCredential).forEach(credentials::add));
 		builder.assertingPartyDetails((details) -> details
@ -99,6 +89,19 @@ class Saml2RelyingPartyRegistrationConfiguration {
 		return registration;
 	}

+	private Consumer<AssertingPartyDetails.Builder> mapIdentityProvider(Registration properties,
+			boolean usingMetadata) {
+		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
+		Saml2RelyingPartyProperties.Identityprovider identityprovider = properties.getIdentityprovider();
+		return (details) -> {
+			map.from(identityprovider::getEntityId).to(details::entityId);
+			map.from(identityprovider.getSinglesignon()::getBinding).to(details::singleSignOnServiceBinding);
+			map.from(identityprovider.getSinglesignon()::getUrl).to(details::singleSignOnServiceLocation);
+			map.from(identityprovider.getSinglesignon()::isSignRequest).when((signRequest) -> !usingMetadata)
+					.to(details::wantAuthnRequestsSigned);
+		};
+	}
+
 	private void validateSigningCredentials(Registration properties, boolean signRequest) {
 		if (signRequest) {
 			Assert.state(!properties.getSigning().getCredentials().isEmpty(),
--- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyAutoConfigurationTests.java
@ -35,6 +35,7 @@ import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.ClassPathResource;
+import org.springframework.core.io.Resource;
 import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@ -122,7 +123,7 @@ class Saml2RelyingPartyAutoConfigurationTests {
 		try (MockWebServer server = new MockWebServer()) {
 			server.start();
 			String metadataUrl = server.url("").toString();
-			setupMockResponse(server);
+			setupMockResponse(server, new ClassPathResource("saml/idp-metadata"));
 			this.contextRunner.withPropertyValues(PREFIX + ".foo.identityprovider.metadata-uri=" + metadataUrl)
 					.run((context) -> {
 						assertThat(context).hasSingleBean(RelyingPartyRegistrationRepository.class);
@ -195,8 +196,8 @@ class Saml2RelyingPartyAutoConfigurationTests {
 		return filters.stream().anyMatch(filter::isInstance);
 	}

-	private void setupMockResponse(MockWebServer server) throws Exception {
-		try (InputStream metadataSource = new ClassPathResource("saml/idp-metadata").getInputStream()) {
+	private void setupMockResponse(MockWebServer server, Resource resourceBody) throws Exception {
+		try (InputStream metadataSource = resourceBody.getInputStream()) {
 			Buffer metadataBuffer = new Buffer().readFrom(metadataSource);
 			MockResponse metadataResponse = new MockResponse().setBody(metadataBuffer);
 			server.enqueue(metadataResponse);
--- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyPropertiesTests.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/saml2/Saml2RelyingPartyPropertiesTests.java
@ -103,7 +103,7 @@ class Saml2RelyingPartyPropertiesTests {
 	}

 	@Test
-	void customizeIdentityProviderMetadataUrl() {
+	void customizeIdentityProviderMetadataUri() {
 		bind("spring.security.saml2.relyingparty.registration.simplesamlphp.identityprovider.metadata-uri",
 				"https://idp.example.org/metadata");
 		assertThat(this.properties.getRegistration().get("simplesamlphp").getIdentityprovider().getMetadataUri())