-
Notifications
You must be signed in to change notification settings - Fork 417
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
SAML and SAML2 new model validation: Read Token (#2980)
* Added ReadToken to SamlTokenHandler returning a ValidationResult. Added log messages for the malformed case, and SamlValidationError to return the correct exception. * Added ReadToken to Saml2TokenHandler returning a ValidationResult. Added log messages for the malformed case, and Saml2ValidationError to return the correct exception. * Addressed PR feedback
- Loading branch information
Showing
14 changed files
with
463 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
26 changes: 26 additions & 0 deletions
26
src/Microsoft.IdentityModel.Tokens.Saml/Saml/Exceptions/SamlValidationError.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. | ||
|
||
using System; | ||
using System.Diagnostics; | ||
|
||
namespace Microsoft.IdentityModel.Tokens.Saml | ||
{ | ||
internal class SamlValidationError : ValidationError | ||
{ | ||
internal SamlValidationError(MessageDetail messageDetail, ValidationFailureType failureType, Type exceptionType, StackFrame stackFrame, Exception innerException) : base(messageDetail, failureType, exceptionType, stackFrame, innerException) | ||
{ | ||
} | ||
|
||
internal override Exception GetException() | ||
{ | ||
if (ExceptionType == typeof(SamlSecurityTokenReadException)) | ||
{ | ||
var exception = new SamlSecurityTokenReadException(MessageDetail.Message, InnerException); | ||
return exception; | ||
} | ||
|
||
return base.GetException(); | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
57 changes: 57 additions & 0 deletions
57
src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.ReadToken.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. | ||
|
||
using System; | ||
using System.Text; | ||
using System.Xml; | ||
using Microsoft.IdentityModel.Logging; | ||
using TokenLogMessages = Microsoft.IdentityModel.Tokens.LogMessages; | ||
|
||
namespace Microsoft.IdentityModel.Tokens.Saml | ||
{ | ||
public partial class SamlSecurityTokenHandler : SecurityTokenHandler | ||
{ | ||
/// <summary> | ||
/// Converts a string into an instance of <see cref="SamlSecurityToken"/>. | ||
/// </summary> | ||
/// <param name="token">a Saml token as a string.</param> | ||
/// <param name="callContext">An opaque context used to store work when working with authentication artifacts.</param> | ||
/// <returns>A <see cref="SamlSecurityToken"/></returns> | ||
/// <exception cref="ArgumentNullException">If <paramref name="token"/> is null or empty.</exception> | ||
/// <exception cref="ArgumentException">If 'token.Length' is greater than <see cref="TokenHandler.MaximumTokenSizeInBytes"/>.</exception> | ||
internal virtual ValidationResult<SamlSecurityToken> ReadSamlToken(string token, CallContext callContext) | ||
{ | ||
if (string.IsNullOrEmpty(token)) | ||
return ValidationError.NullParameter(nameof(token), ValidationError.GetCurrentStackFrame()); | ||
|
||
if (token.Length > MaximumTokenSizeInBytes) | ||
return new ValidationError( | ||
new MessageDetail( | ||
TokenLogMessages.IDX10209, | ||
LogHelper.MarkAsNonPII(token.Length), | ||
LogHelper.MarkAsNonPII(MaximumTokenSizeInBytes)), | ||
ValidationFailureType.TokenExceedsMaximumSize, | ||
typeof(ArgumentOutOfRangeException), | ||
ValidationError.GetCurrentStackFrame()); | ||
|
||
try | ||
{ | ||
using (var reader = XmlDictionaryReader.CreateTextReader(Encoding.UTF8.GetBytes(token), XmlDictionaryReaderQuotas.Max)) | ||
{ | ||
return ReadSamlToken(reader); | ||
} | ||
} | ||
#pragma warning disable CA1031 // Do not catch general exception types | ||
catch (Exception ex) | ||
#pragma warning restore CA1031 // Do not catch general exception types | ||
{ | ||
return new SamlValidationError( | ||
new MessageDetail(LogMessages.IDX11402, ex.Message), | ||
ValidationFailureType.TokenReadingFailed, | ||
typeof(SamlSecurityTokenReadException), | ||
ValidationError.GetCurrentStackFrame(), | ||
ex); | ||
} | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
26 changes: 26 additions & 0 deletions
26
src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Exceptions/Saml2ValidationError.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. | ||
|
||
using System; | ||
using System.Diagnostics; | ||
|
||
namespace Microsoft.IdentityModel.Tokens.Saml2 | ||
{ | ||
internal class Saml2ValidationError : ValidationError | ||
{ | ||
internal Saml2ValidationError(MessageDetail messageDetail, ValidationFailureType failureType, Type exceptionType, StackFrame stackFrame, Exception innerException) : base(messageDetail, failureType, exceptionType, stackFrame, innerException) | ||
{ | ||
} | ||
|
||
internal override Exception GetException() | ||
{ | ||
if (ExceptionType == typeof(Saml2SecurityTokenReadException)) | ||
{ | ||
var exception = new Saml2SecurityTokenReadException(MessageDetail.Message, InnerException); | ||
return exception; | ||
} | ||
|
||
return base.GetException(); | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
59 changes: 59 additions & 0 deletions
59
src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.ReadToken.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. | ||
|
||
using System; | ||
using System.Text; | ||
using System.Xml; | ||
using Microsoft.IdentityModel.Logging; | ||
using Microsoft.IdentityModel.Tokens.Saml; | ||
|
||
using TokenLogMessages = Microsoft.IdentityModel.Tokens.LogMessages; | ||
|
||
namespace Microsoft.IdentityModel.Tokens.Saml2 | ||
{ | ||
public partial class Saml2SecurityTokenHandler : SecurityTokenHandler | ||
{ | ||
/// <summary> | ||
/// Converts a string into an instance of <see cref="SamlSecurityToken"/>. | ||
/// </summary> | ||
/// <param name="token">a Saml token as a string.</param> | ||
/// <param name="callContext">An opaque context used to store work when working with authentication artifacts.</param> | ||
/// <returns>A <see cref="SamlSecurityToken"/></returns> | ||
/// <exception cref="ArgumentNullException">If <paramref name="token"/> is null or empty.</exception> | ||
/// <exception cref="ArgumentException">If 'token.Length' is greater than <see cref="TokenHandler.MaximumTokenSizeInBytes"/>.</exception> | ||
internal virtual ValidationResult<Saml2SecurityToken> ReadSaml2Token(string token, CallContext callContext) | ||
{ | ||
if (string.IsNullOrEmpty(token)) | ||
return ValidationError.NullParameter(nameof(token), ValidationError.GetCurrentStackFrame()); | ||
|
||
if (token.Length > MaximumTokenSizeInBytes) | ||
return new ValidationError( | ||
new MessageDetail( | ||
TokenLogMessages.IDX10209, | ||
LogHelper.MarkAsNonPII(token.Length), | ||
LogHelper.MarkAsNonPII(MaximumTokenSizeInBytes)), | ||
ValidationFailureType.TokenReadingFailed, | ||
typeof(ArgumentException), | ||
ValidationError.GetCurrentStackFrame()); | ||
|
||
try | ||
{ | ||
using (var reader = XmlDictionaryReader.CreateTextReader(Encoding.UTF8.GetBytes(token), XmlDictionaryReaderQuotas.Max)) | ||
{ | ||
return ReadSaml2Token(reader); | ||
} | ||
} | ||
#pragma warning disable CA1031 // Do not catch general exception types | ||
catch (Exception ex) | ||
#pragma warning restore CA1031 // Do not catch general exception types | ||
{ | ||
return new Saml2ValidationError( | ||
new MessageDetail(LogMessages.IDX13003, ex.Message), | ||
ValidationFailureType.TokenReadingFailed, | ||
typeof(Saml2SecurityTokenReadException), | ||
ValidationError.GetCurrentStackFrame(), | ||
ex); | ||
} | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.