Feature relaystate validation release 20241128

src/ServiceProvider/AuthFlowServiceInterface.php

@@ -32,9 +32,10 @@ public function getAuthenticatedUri(ServerRequestEx $request) : XUri;
 
     /**
      * @param XUri $returnUri
+     * @param bool $sha512EncryptionEnabled
      * @return XUri
      */
-    public function getLoginUri(XUri $returnUri) : XUri;
+    public function getLoginUri(XUri $returnUri, XMLSecurityKey $securityKey = XMLSecurityKey::RSA_SHA1) : XUri;
 
     /**
      * @param string $id - user identifier for downstream identity provider

src/ServiceProvider/OAuth/OAuthFlowService.php

@@ -228,7 +228,7 @@ public function getAuthenticatedUri(ServerRequestEx $request) : XUri {
         return $returnUri !== null ? $returnUri : $this->oauth->getDefaultReturnUri();
     }
 
-    public function getLoginUri(XUri $returnUri) : XUri {
+    public function getLoginUri(XUri $returnUri, XMLSecurityKey $securityKey = XMLSecurityKey::RSA_SHA1) : XUri {
         $clientId = $this->oauth->getRelyingPartyClientId();
         $state = $this->uuidFactory->uuid4()->toString();
         $uri = $this->oauth->getIdentityProviderAuthorizationUri()

src/ServiceProvider/Saml/Exception/SamlInvalidRelayStateUri.php

@@ -0,0 +1,20 @@
+<?php declare(strict_types=1);
+/**
+ * AuthForge
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+namespace modethirteen\AuthForge\ServiceProvider\Saml\Exception;
+
+class SamlInvalidRelayStateUri extends SamlException {
+}

src/ServiceProvider/Saml/RelayStateAuthFlowServiceTrait.php

@@ -18,6 +18,7 @@
 
 use modethirteen\AuthForge\Common\Exception\ServerRequestInterfaceParsedBodyException;
 use modethirteen\AuthForge\Common\Http\ServerRequestEx;
+use modethirteen\AuthForge\ServiceProvider\Saml\Exception\SamlInvalidRelayStateUri;
 use modethirteen\AuthForge\ServiceProvider\Saml\Http\HttpMessageInterface;
 use modethirteen\Http\Exception\MalformedPathQueryFragmentException;
 use modethirteen\Http\Exception\MalformedUriException;
@@ -45,9 +46,14 @@ protected function getRedirectUriFromRequestRelayState(SamlConfigurationInterfac
         if(!StringEx::isNullOrEmpty($relayState)) {
             $logger->debug('Found RelayState', ['RelayState' => $relayState]);
             try {
-                return XUri::isAbsoluteUrl($relayState)
-                    ? XUri::newFromString($relayState)
-                    : $saml->getRelayStateBaseUri()->atPath($relayState);
+                if(XUri::isAbsoluteUrl($relayState)) {
+                    if(!$saml->isValidRelayStateUri($relayState)) {
+                        throw new SamlInvalidRelayStateUri();
+                    }
+                    return XUri::newFromString($relayState);
+                } else {
+                    return $saml->getRelayStateBaseUri()->atPath($relayState);
+                }
             } catch(MalformedPathQueryFragmentException $e) {
                 $this->logger->warning('Could not append relative RelayState to service provider base URI, {{Error}}', [
                     'Error' => $e->getMessage()
@@ -57,6 +63,11 @@ protected function getRedirectUriFromRequestRelayState(SamlConfigurationInterfac
                     'Error' => $e->getMessage()
                 ]);
             }
+            catch(SamlInvalidRelayStateUri $e) {
+                $this->logger->warning('RelayState URI does not match service provider base URI, {{Uri}}', [
+                    'Uri' => $e->getMessage()
+                ]);
+            }
         }
         return $saml->getDefaultReturnUri();
     }

src/ServiceProvider/Saml/SamlConfigurationInterface.php

@@ -170,4 +170,9 @@ public function isNameIdFormatEnforcementEnabled() : bool;
      * @return bool
      */
     public function isStrictValidationRequired() : bool;
+
+    /**
+     * @return bool
+     */
+    public function isValidRelayStateUri(string $uri) : bool;
 }

src/ServiceProvider/Saml/SamlFlowService.php

@@ -209,9 +209,9 @@ public function getAuthenticatedUri(ServerRequestEx $request) : XUri {
      * {@inheritDoc}
      * @throws SamlFlowServiceException
      */
-    public function getLoginUri(XUri $returnUri) : XUri {
+    public function getLoginUri(XUri $returnUri, XMLSecurityKey $securityKey = XMLSecurityKey::RSA_SHA1) : XUri {
         try {
-            return $this->uriFactory->newAuthnRequestUri($returnUri);
+            return $this->uriFactory->newAuthnRequestUri($returnUri, $securityKey);
         } catch(
             SamlCannotDeflateOutgoingHttpMessageException |
             SamlCannotGenerateSignatureException |

src/ServiceProvider/Saml/SamlUriFactory.php

@@ -82,7 +82,7 @@ public function __construct(
      * @throws SamlCannotGenerateSignatureException
      * @throws SamlCannotLoadCryptoKeyException
      */
-    public function newAuthnRequestUri(XUri $returnUri) : XUri {
+    public function newAuthnRequestUri(XUri $returnUri, XMLSecurityKey $securityKey = XMLSecurityKey::RSA_SHA1) : XUri {
         $uri = $this->saml->getIdentityProviderSingleSignOnUri();
         $returnHref = $returnUri->toString();
         $id = $this->newId();
@@ -95,7 +95,7 @@ public function newAuthnRequestUri(XUri $returnUri) : XUri {
         // handle signing
         if($this->saml->isAuthnRequestSignatureRequired()) {
             $signature = $this->buildRequestSignature($samlRequest, $returnHref);
-            $parameters['SigAlg'] = XMLSecurityKey::RSA_SHA1;
+            $parameters['SigAlg'] = $securityKey;
             $parameters['Signature'] = $signature;
         }
         $this->logger->debug('Sending AuthnRequest', [

src/ServiceProvider/Saml/SamlUriFactoryInterface.php

@@ -22,9 +22,10 @@ interface SamlUriFactoryInterface {
 
     /**
      * @param XUri $returnUri
+     * @param XMLSecurityKey $securityKey
      * @return XUri
      */
-    public function newAuthnRequestUri(XUri $returnUri) : XUri;
+    public function newAuthnRequestUri(XUri $returnUri, XMLSecurityKey $securityKey = XMLSecurityKey::RSA_SHA1) : XUri;
 
     /**
      * @param string $username