changes some properties of sso shortcircuiting

Author: gislikonrad

src/Solid.Identity.Protocols.Saml2p/Authentication/Saml2pAuthenticationHandler.cs

@@ -17,6 +17,7 @@
 using Solid.Identity.Protocols.Saml2p.Providers;
 using System.Security.Claims;
 using Solid.Identity.Protocols.Saml2p.Options;
+using Solid.Identity.Protocols.Saml2p.Exceptions;
 
 namespace Solid.Identity.Protocols.Saml2p.Authentication
 {
@@ -43,7 +44,8 @@ protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync
             try
             {
                 var result = await Context.FinishSsoAsync();
-                if(!result.IsSuccessful)
+                if (!result.IsSuccessful)
+                    throw new SamlResponseException(result.PartnerId, result.Status, result.SubStatus);
 
                 var properties = new AuthenticationProperties
                 {

src/Solid.Identity.Protocols.Saml2p/Cache/Saml2pCache.cs

@@ -25,13 +25,7 @@ public Task CacheRequestAsync(string key, AuthnRequest request)
             return _inner.SetAsync(key, json);
         }
 
-        public Task CacheStatusAsync(string key, SamlResponseStatus status)
-            => CacheStatusAsync(key, status, null);
-
-        public Task CacheStatusAsync(string key, SamlResponseStatus status, SamlResponseStatus? subStatus)
-            => CacheStatusAsync(key, (Status: status, SubStatus: subStatus));
-
-        private Task CacheStatusAsync(string key, (SamlResponseStatus Status, SamlResponseStatus? SubStatus) status)
+        public Task CacheStatusAsync(string key, Status status)
         {
             var json = JsonSerializer.SerializeToUtf8Bytes(status);
             return _inner.SetAsync($"{key}_status", json);
@@ -45,12 +39,12 @@ public async Task<AuthnRequest> FetchRequestAsync(string key)
             return JsonSerializer.Deserialize<AuthnRequest>(json);
         }
 
-        public async Task<(SamlResponseStatus Status, SamlResponseStatus? SubStatus)?> FetchStatusAsync(string key)
+        public async Task<Status> FetchStatusAsync(string key)
         {
             var json = await _inner.GetAsync($"{key}_status");
             if (json == null) return null;
 
-            return JsonSerializer.Deserialize<(SamlResponseStatus Status, SamlResponseStatus? SubStatus)>(json);
+            return JsonSerializer.Deserialize<Status>(json);
         }
 
         public async Task RemoveAsync(string key)

src/Solid.Identity.Protocols.Saml2p/Extensions/EnumExtensions.cs

@@ -1,4 +1,5 @@
-using System;
+using Solid.Identity.Protocols.Saml2p.Models.Protocol;
+using System;
 using System.Collections.Generic;
 using System.Text;
 
@@ -17,6 +18,23 @@ public static string ToProtocolBindingString(this BindingType bindingType)
             throw new ArgumentException($"Unsupported binding type: {bindingType}");
         }
 
+        public static Status ToStatus(this SamlResponseStatus status, SamlResponseStatus? subStatus = null)
+        {
+            var s = new Status
+            {
+                StatusCode = new StatusCode
+                {
+                    Value = status.ToStatusUri()
+                }
+            };
+            if (subStatus != null)
+                s.StatusCode.SubCode = new StatusCode
+                {
+                    Value = subStatus.Value.ToStatusUri()
+                };
+            return s;
+        }
+
         public static Uri ToStatusUri(this SamlResponseStatus status)
         {
             switch (status)

src/Solid.Identity.Protocols.Saml2p/Factories/SamlResponseFactory.cs

@@ -20,6 +20,9 @@ public SamlResponseFactory(IOptions<Saml2pOptions> options)
         }
 
         public SamlResponse Create(ISaml2pServiceProvider partner, string authnRequestId = null, string relayState = null, SamlResponseStatus status = SamlResponseStatus.Success, SamlResponseStatus? subStatus = null, Saml2SecurityToken token = null)
+            => Create(partner, status.ToStatus(subStatus), authnRequestId: authnRequestId, relayState: relayState, token: token);
+        
+        public SamlResponse Create(ISaml2pServiceProvider partner, Status status, string authnRequestId = null, string relayState = null, Saml2SecurityToken token = null)
         {
             var destination = new Uri(partner.BaseUrl, partner.AssertionConsumerServiceEndpoint);
             if (token != null)
@@ -34,42 +37,42 @@ public SamlResponse Create(ISaml2pServiceProvider partner, string authnRequestId
             var response = new SamlResponse
             {
                 Id = $"_{Guid.NewGuid()}", // TODO: create id factory
-                SecurityToken = token, 
+                SecurityToken = token,
                 Destination = destination,
                 IssueInstant = token?.Assertion.IssueInstant,
                 Issuer = partner.ExpectedIssuer ?? _options.DefaultIssuer,
-                Status = Convert(status, subStatus),
+                Status = status,
                 InResponseTo = authnRequestId,
                 RelayState = relayState
             };
 
             return response;
         }
 
-        private Status Convert(SamlResponseStatus status, SamlResponseStatus? subStatus)
-        {
-            var converted = new Status
-            {
-                StatusCode = new StatusCode
-                {
-                    Value = Convert(status)
-                }
-            };
+        //private Status Convert(SamlResponseStatus status, SamlResponseStatus? subStatus)
+        //{
+        //    var converted = new Status
+        //    {
+        //        StatusCode = new StatusCode
+        //        {
+        //            Value = Convert(status)
+        //        }
+        //    };
 
-            var sub = Convert(subStatus);
-            if (sub != null)
-                converted.StatusCode.SubCode = new StatusCode
-                {
-                    Value = sub
-                };
+        //    var sub = Convert(subStatus);
+        //    if (sub != null)
+        //        converted.StatusCode.SubCode = new StatusCode
+        //        {
+        //            Value = sub
+        //        };
 
-            return converted;
-        }
+        //    return converted;
+        //}
 
-        private Uri Convert(SamlResponseStatus? status)
-        {
-            if (status.HasValue) return status.Value.ToStatusUri();
-            return null;
-        }
+        //private Uri Convert(SamlResponseStatus? status)
+        //{
+        //    if (status.HasValue) return status.Value.ToStatusUri();
+        //    return null;
+        //}
     }
 }

src/Solid.Identity.Protocols.Saml2p/Middleware/Idp/AcceptSsoEndpointMiddleware.cs

@@ -67,7 +67,8 @@ public override async Task InvokeAsync(HttpContext context)
 
             if (!IsValid(ssoContext, out var status, out var subStatus) && status.HasValue)
             {
-                await Cache.CacheStatusAsync(request.Id, status.Value, subStatus);
+                Logger.LogWarning($"SAMLRequest failed validation. Resulting error: '{(subStatus ?? status)}'");
+                await Cache.CacheStatusAsync(request.Id, status.Value.ToStatus(subStatus));
                 context.Response.Redirect(ssoContext.ReturnUrl);
             }
             else if (ssoContext.AuthenticationScheme != null)

src/Solid.Identity.Protocols.Saml2p/Middleware/Idp/CompleteSsoEndpointMiddleware.cs

@@ -62,7 +62,6 @@ public override async Task InvokeAsync(HttpContext context)
 
             var response = null as SamlResponse;
 
-            var status = await Cache.FetchStatusAsync(id);
             var user = context.User;
             var request = await Cache.FetchRequestAsync(id);
             if (request == null)
@@ -79,10 +78,11 @@ public override async Task InvokeAsync(HttpContext context)
             //if (!partner.Enabled)
             //    throw new SecurityException($"Partner '{partnerId}' is disabled.");
 
-            if (status.HasValue)
+            var status = await Cache.FetchStatusAsync(id);
+            if (status != null)
             {
-                var tuple = status.Value;
-                response = _responseFactory.Create(partner, authnRequestId: request.Id, relayState: request.RelayState, status: tuple.Status, subStatus: tuple.SubStatus);
+                Trace("Found cached Status.", request.RelayState, status);
+                response = _responseFactory.Create(partner, status, authnRequestId: request.Id, relayState: request.RelayState);
             }
             else if (user.Identity.IsAuthenticated)
             {

src/Solid.Identity.Protocols.Saml2p/Middleware/Saml2pEndpointMiddleware.cs

@@ -4,6 +4,7 @@
 using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
 using Solid.Identity.Protocols.Saml2p.Cache;
+using Solid.Identity.Protocols.Saml2p.Logging;
 using Solid.Identity.Protocols.Saml2p.Models;
 using Solid.Identity.Protocols.Saml2p.Models.Protocol;
 using Solid.Identity.Protocols.Saml2p.Options;
@@ -195,6 +196,13 @@ private string GetRelayState(HttpContext context, BindingType binding)
             return value.ToString();
         }
 
+        protected void Trace(string prefix, string relayState, Status status)
+        {
+            if (!Logger.IsEnabled(LogLevel.Trace)) return;
+            var format = $"{prefix} | RelayState: '{{relayState}}'" + Environment.NewLine + "{request}";
+            Logger.LogTrace(format, relayState, new WrappedLogMessageState(status));
+        }
+
         protected void Trace(string prefix, AuthnRequest request)
         {
             if (!Logger.IsEnabled(LogLevel.Trace)) return;