Correct signature handling for SAML2 AuthNRequest

Implements the following bindings for AuthNRequest
- REDIRECT
- POST (future PR)

Has been tested with
- Keycloak
- SSOCircle
- Okta
- SimpleSAMLPhp

Fixes gh-7711

Author: fhanik

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/AbstractSaml2AuthenticationRequest.java

@@ -0,0 +1,148 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.authentication;
+
+import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
+import org.springframework.util.Assert;
+
+import java.nio.charset.Charset;
+
+/**
+ * Data holder for {@code AuthNRequest} parameters to be sent using either the
+ * {@link Saml2MessageBinding#POST} or {@link Saml2MessageBinding#REDIRECT} binding.
+ * Data will be encoded and possibly deflated, but will not be escaped for transport,
+ * ie URL encoded, {@link org.springframework.web.util.UriUtils#encode(String, Charset)}
+ * or HTML encoded, {@link org.springframework.web.util.HtmlUtils#htmlEscape(String)}.
+ * https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf (line 2031)
+ *
+ * @see Saml2AuthenticationRequestFactory#createPostAuthenticationRequest(Saml2AuthenticationRequestContext)
+ * @see Saml2AuthenticationRequestFactory#createRedirectAuthenticationRequest(Saml2AuthenticationRequestContext)
+ * @since 5.3
+ */
+abstract class AbstractSaml2AuthenticationRequest {
+
+	private final String samlRequest;
+	private final String relayState;
+	private final String authenticationRequestUri;
+
+	/**
+	 * Mandatory constructor for the {@link AbstractSaml2AuthenticationRequest}
+	 * @param samlRequest - the SAMLRequest XML data, SAML encoded, cannot be empty or null
+	 * @param relayState - RelayState value that accompanies the request, may be null
+	 * @param authenticationRequestUri - The authenticationRequestUri, a URL, where to send the XML message, cannot be empty or null
+	 */
+	AbstractSaml2AuthenticationRequest(
+			String samlRequest,
+			String relayState,
+			String authenticationRequestUri) {
+		Assert.hasText(samlRequest, "samlRequest cannot be null or empty");
+		Assert.hasText(authenticationRequestUri, "authenticationRequestUri cannot be null or empty");
+		this.authenticationRequestUri = authenticationRequestUri;
+		this.samlRequest = samlRequest;
+		this.relayState = relayState;
+	}
+
+	/**
+	 * Returns the AuthNRequest XML value to be sent. This value is already encoded for transport.
+	 * If {@link #getBinding()} is {@link Saml2MessageBinding#REDIRECT} the value is deflated and SAML encoded.
+	 * If {@link #getBinding()} is {@link Saml2MessageBinding#POST} the value is SAML encoded.
+	 * @return the SAMLRequest parameter value
+	 */
+	public String getSamlRequest() {
+		return this.samlRequest;
+	}
+
+	/**
+	 * Returns the RelayState value, if present in the parameters
+	 * @return the RelayState value, or null if not available
+	 */
+	public String getRelayState() {
+		return this.relayState;
+	}
+
+	/**
+	 * Returns the URI endpoint that this AuthNRequest should be sent to.
+	 * @return the URI endpoint for this message
+	 */
+	public String getAuthenticationRequestUri() {
+		return this.authenticationRequestUri;
+	}
+
+	/**
+	 * Returns the binding this AuthNRequest will be sent and
+	 * encoded with. If {@link Saml2MessageBinding#REDIRECT} is used, the DEFLATE encoding will be automatically applied.
+	 * @return the binding this message will be sent with.
+	 */
+	public abstract Saml2MessageBinding getBinding();
+
+	/**
+	 * A builder for {@link AbstractSaml2AuthenticationRequest} and its subclasses.
+	 */
+	static class Builder<T extends Builder<T>> {
+		String authenticationRequestUri;
+		String samlRequest;
+		String relayState;
+
+		protected Builder() {
+		}
+
+		/**
+		 * Casting the return as the generic subtype, when returning itself
+		 * @return this object
+		 */
+		@SuppressWarnings("unchecked")
+		protected final T _this() {
+			return (T) this;
+		}
+
+
+		/**
+		 * Sets the {@code RelayState} parameter that will accompany this AuthNRequest
+		 *
+		 * @param relayState the relay state value, unencoded. if null or empty, the parameter will be removed from the
+		 * map.
+		 * @return this object
+		 */
+		public T relayState(String relayState) {
+			this.relayState = relayState;
+			return _this();
+		}
+
+		/**
+		 * Sets the {@code SAMLRequest} parameter that will accompany this AuthNRequest
+		 *
+		 * @param samlRequest the SAMLRequest parameter.
+		 * @return this object
+		 */
+		public T samlRequest(String samlRequest) {
+			this.samlRequest = samlRequest;
+			return _this();
+		}
+
+		/**
+		 * Sets the {@code authenticationRequestUri}, a URL that will receive the AuthNRequest message
+		 *
+		 * @param authenticationRequestUri the relay state value, unencoded.
+		 * @return this object
+		 */
+		public T authenticationRequestUri(String authenticationRequestUri) {
+			this.authenticationRequestUri = authenticationRequestUri;
+			return _this();
+		}
+	}
+
+}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/OpenSamlAuthenticationRequestFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,17 +16,25 @@
 
 package org.springframework.security.saml2.provider.service.authentication;
 
-import org.opensaml.saml.common.xml.SAMLConstants;
-import org.springframework.util.Assert;
-
 import org.joda.time.DateTime;
+import org.opensaml.saml.common.xml.SAMLConstants;
 import org.opensaml.saml.saml2.core.AuthnRequest;
 import org.opensaml.saml.saml2.core.Issuer;
+import org.springframework.security.saml2.credentials.Saml2X509Credential;
+import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest.Builder;
+import org.springframework.util.Assert;
 
 import java.time.Clock;
 import java.time.Instant;
+import java.util.List;
+import java.util.Map;
 import java.util.UUID;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static java.util.Collections.emptyList;
+import static org.springframework.security.saml2.provider.service.authentication.Saml2Utils.samlDeflate;
+import static org.springframework.security.saml2.provider.service.authentication.Saml2Utils.samlEncode;
+
 /**
  * @since 5.2
  */
@@ -35,26 +43,65 @@ public class OpenSamlAuthenticationRequestFactory implements Saml2Authentication
 	private final OpenSamlImplementation saml = OpenSamlImplementation.getInstance();
 	private String protocolBinding = SAMLConstants.SAML2_POST_BINDING_URI;
 
+	@Override
+	@Deprecated
+	public String createAuthenticationRequest(Saml2AuthenticationRequest request) {
+		return createAuthenticationRequest(request, request.getCredentials());
+	}
+
 	/**
 	 * {@inheritDoc}
 	 */
 	@Override
-	public String createAuthenticationRequest(Saml2AuthenticationRequest request) {
+	public Saml2PostAuthenticationRequest createPostAuthenticationRequest(Saml2AuthenticationRequestContext context) {
+		String xml = createAuthenticationRequest(context, context.getRelyingPartyRegistration().getSigningCredentials());
+		return Saml2PostAuthenticationRequest.withAuthenticationRequestContext(context)
+				.samlRequest(samlEncode(xml.getBytes(UTF_8)))
+				.build();
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public Saml2RedirectAuthenticationRequest createRedirectAuthenticationRequest(Saml2AuthenticationRequestContext context) {
+		String xml = createAuthenticationRequest(context, emptyList());
+		List<Saml2X509Credential> signingCredentials = context.getRelyingPartyRegistration().getSigningCredentials();
+		Builder result = Saml2RedirectAuthenticationRequest.withAuthenticationRequestContext(context);
+
+		String deflatedAndEncoded = samlEncode(samlDeflate(xml));
+		Map<String, String> signedParams = this.saml.signQueryParameters(
+				signingCredentials,
+				deflatedAndEncoded,
+				context.getRelayState()
+		);
+		result.samlRequest(signedParams.get("SAMLRequest"))
+				.relayState(signedParams.get("RelayState"))
+				.sigAlg(signedParams.get("SigAlg"))
+				.signature(signedParams.get("Signature"));
+		return result.build();
+	}
+
+	private String createAuthenticationRequest(Saml2AuthenticationRequestContext request, List<Saml2X509Credential> credentials) {
+		return createAuthenticationRequest(Saml2AuthenticationRequest.withAuthenticationRequestContext(request).build(), credentials);
+	}
+
+	private String createAuthenticationRequest(Saml2AuthenticationRequest context, List<Saml2X509Credential> credentials) {
 		AuthnRequest auth = this.saml.buildSAMLObject(AuthnRequest.class);
 		auth.setID("ARQ" + UUID.randomUUID().toString().substring(1));
 		auth.setIssueInstant(new DateTime(this.clock.millis()));
 		auth.setForceAuthn(Boolean.FALSE);
 		auth.setIsPassive(Boolean.FALSE);
 		auth.setProtocolBinding(protocolBinding);
 		Issuer issuer = this.saml.buildSAMLObject(Issuer.class);
-		issuer.setValue(request.getIssuer());
+		issuer.setValue(context.getIssuer());
 		auth.setIssuer(issuer);
-		auth.setDestination(request.getDestination());
-		auth.setAssertionConsumerServiceURL(request.getAssertionConsumerServiceUrl());
+		auth.setDestination(context.getDestination());
+		auth.setAssertionConsumerServiceURL(context.getAssertionConsumerServiceUrl());
 		return this.saml.toXml(
 				auth,
-				request.getCredentials(),
-				request.getIssuer()
+				credentials,
+				context.getIssuer()
 		);
 	}
 
@@ -71,11 +118,14 @@ public void setClock(Clock clock) {
 	}
 
 	/**
-	 * Sets the {@code protocolBinding} to use when generating authentication requests
+	 * Sets the {@code protocolBinding} to use when generating authentication requests.
 	 * Acceptable values are {@link SAMLConstants#SAML2_POST_BINDING_URI} and
 	 * {@link SAMLConstants#SAML2_REDIRECT_BINDING_URI}
+	 * The IDP will be reading this value in the {@code AuthNRequest} to determine how to
+	 * send the Response/Assertion to the ACS URL, assertion consumer service URL.
 	 *
-	 * @param protocolBinding
+	 * @param protocolBinding either {@link SAMLConstants#SAML2_POST_BINDING_URI} or
+	 * {@link SAMLConstants#SAML2_REDIRECT_BINDING_URI}
 	 * @throws IllegalArgumentException if the protocolBinding is not valid
 	 */
 	public void setProtocolBinding(String protocolBinding) {