Merge pull request #240 from simplesamlphp/bugfix/prevent-decryption-…
…of-unencrypted-assertions

Make processor aware of assertion types
MKodde authored Aug 19, 2020
2 parents 51562b0 + 151a418 commit ff19d04
Showing 2 changed files with 88 additions and 3 deletions.
10 changes: 7 additions & 3 deletions src/SAML2/Assertion/Processor.php
Expand Up @@ -5,7 +5,6 @@
namespace SAML2\Assertion;

use Psr\Log\LoggerInterface;

use SAML2\Assertion;
use SAML2\Assertion\Exception\InvalidAssertionException;
use SAML2\Assertion\Exception\InvalidSubjectConfirmationException;
Expand All @@ -15,7 +14,6 @@
use SAML2\Configuration\IdentityProvider;
use SAML2\EncryptedAssertion;
use SAML2\Response\Exception\InvalidSignatureException;
use SAML2\Response\Exception\UnencryptedAssertionFoundException;
use SAML2\Signature\Validator;
use SAML2\Utilities\ArrayCollection;

Expand Down Expand Up @@ -95,7 +93,13 @@ public function decryptAssertions(ArrayCollection $assertions)
{
$decrypted = new ArrayCollection();
foreach ($assertions->getIterator() as $assertion) {
$decrypted->add($this->decryptAssertion($assertion));
if ($assertion instanceof EncryptedAssertion) {
$decrypted->add($this->decryptAssertion($assertion));
} elseif ($assertion instanceof Assertion) {
$decrypted->add($assertion);
} else {
throw new InvalidAssertionException('The assertion must be of type: EncryptedAssertion or Assertion');
}
}

return $decrypted;
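Review bot: The new `elseif ($assertion instanceof Assertion)` branch hands a plain assertion straight back without consulting any "assertions must be encrypted" policy, so if the IdP/SP configuration requires encrypted assertions, that requirement is no longer enforced on this path; the dropped `use SAML2\Response\Exception\UnencryptedAssertionFoundException;` a few lines up suggests such a check used to be reachable from here, but `decryptAssertion` is outside the hunk so I cannot confirm where it lived. Unless the caller already rejects unencrypted assertions when encryption is required, the pass-through branch should guard it, along the lines of `if ($this->identityProvider->isAssertionEncryptionRequired()) { throw new UnencryptedAssertionFoundException(...); }` — the exact accessor on the injected configuration needs checking. A short docblock on `decryptAssertions` would also help: `Decrypts every EncryptedAssertion in the collection; plain Assertion instances are returned unchanged and any other element raises InvalidAssertionException.`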
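--- /dev/null
+++ b/tests/SAML2/Assertion/ProcessorTest.php
@@ -0,0 +1,81 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SAML2\Assertion;
+
+use Mockery as m;
+use Mockery\Adapter\Phpunit\MockeryTestCase;
+
+/**
+* @runTestsInSeparateProcesses
+*/
+class ProcessorTest extends MockeryTestCase
+{
+/**
+* @var Processor
+*/
+private $processor;
+
+/**
+* @var m\MockInterface&Decrypter
+*/
+private $decrypter;
+
+protected function setUp(): void
+{
+$this->decrypter = m::mock(Decrypter::class);
+$validator = m::mock(\SAML2\Signature\Validator::class);
+$assertionValidator = m::mock(\SAML2\Assertion\Validation\AssertionValidator::class);
+$subjectConfirmationValidator = m::mock(\SAML2\Assertion\Validation\SubjectConfirmationValidator::class);
+$transformer = m::mock(\SAML2\Assertion\Transformer\Transformer::class);
+$identityProvider = new \SAML2\Configuration\IdentityProvider([]);
+$logger = m::mock(\Psr\Log\LoggerInterface::class);
+
+$this->processor = new Processor(
+$this->decrypter,
+$validator,
+$assertionValidator,
+$subjectConfirmationValidator,
+$transformer,
+$identityProvider,
+$logger
+);
+}
+
+/**
+* @test
+*/
+public function processor_correctly_encrypts_assertions(): void
+{
+$testData = [
+[new \SAML2\Assertion()],
+[new \SAML2\EncryptedAssertion()],
+[new \SAML2\Assertion(), new \SAML2\EncryptedAssertion(), new \SAML2\Assertion()],
+[new \SAML2\EncryptedAssertion(), new \SAML2\EncryptedAssertion(), new \SAML2\EncryptedAssertion()],
+];
+
+foreach ($testData as $assertions) {
+$this->decrypter
+->shouldReceive('decrypt')
+->andReturn(new \SAML2\Assertion());
+
+$collection = new \SAML2\Utilities\ArrayCollection($assertions);
+$result = $this->processor->decryptAssertions($collection);
+self::assertInstanceOf(\SAML2\Utilities\ArrayCollection::class, $result);
+foreach ($result as $assertion) {
+self::assertInstanceOf(\SAML2\Assertion::class, $assertion);
+}
+}
+}
+
+/**
+* @test
+*/
+public function unsuported_assertions_are_rejected(): void
+{
+$this->expectException('\SAML2\Assertion\Exception\InvalidAssertionException');
+$this->expectExceptionMessage('The assertion must be of type: EncryptedAssertion or Assertion');
+$this->processor->decryptAssertions(new \SAML2\Utilities\ArrayCollection([new \stdClass()]));
+}
+}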
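Review bot: `processor_correctly_encrypts_assertions` never checks that the decrypter is left alone for plain `Assertion` inputs, which is the behaviour this commit exists to guarantee; the unconstrained `shouldReceive('decrypt')->andReturn(new \SAML2\Assertion())` would pass just as well if the processor decrypted everything, and the result-type loop cannot tell the two apart because the mock returns an `Assertion` either way. Pinning the call count closes that gap, e.g. `$encryptedCount = count(array_filter($assertions, static fn ($a) => $a instanceof \SAML2\EncryptedAssertion));` followed by `$this->decrypter->shouldReceive('decrypt')->with(m::type(\SAML2\EncryptedAssertion::class))->times($encryptedCount)->andReturn(new \SAML2\Assertion());`; since `setUp` builds one decrypter for the whole test, each data set is cleanest as its own data-provider case so the expected counts do not accumulate across iterations. The method name also says "encrypts" where the code under test decrypts, and `unsuported_assertions_are_rejected` has a typo — `plain_assertions_pass_through_and_encrypted_assertions_are_decrypted` and `unsupported_assertions_are_rejected` describe the cases accurately.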
