Add support for Metadata Deployment Profile for errorURL (#1841)

tvdijen · web-flow · commit 1225ea119df5 · 2023-08-11T17:58:16.000+02:00
Add support for Metadata Deployment Profile for errorURL
diff --git a/docs/simplesamlphp-reference-idp-hosted.md b/docs/simplesamlphp-reference-idp-hosted.md
@@ -88,6 +88,9 @@ entry matches.
 ],
 ```
 
+`errorURL`
+:   Overrides the errorURL in the IDP's published metadata.
+
 `host`
 :   The hostname for this IdP. One IdP can also have the `host`-option
     set to `__DEFAULT__`, and that IdP will be used when no other
diff --git a/modules/core/routing/routes/routes.yml b/modules/core/routing/routes/routes.yml
@@ -36,6 +36,13 @@ core-loginuserpassorg:
   }
   methods: [GET, POST]
 
+core-error:
+  path: /error/{code}
+  defaults: {
+    _controller: 'SimpleSAML\Module\core\Controller\Exception::error'
+  }
+  methods: [GET]
+
 core-error-nocookie:
   path: /error/nocookie
   defaults: {
diff --git a/modules/core/src/Controller/Exception.php b/modules/core/src/Controller/Exception.php
@@ -4,12 +4,17 @@
 
 namespace SimpleSAML\Module\core\Controller;
 
+use DATE_W3C;
+use SimpleSAML\Assert\Assert;
 use SimpleSAML\{Auth, Configuration, Error, Logger, Module, Session, Utils};
 use SimpleSAML\XHTML\Template;
 use Symfony\Component\HttpFoundation\{RedirectResponse, Request, Response};
 
 use function array_keys;
+use function date;
 use function implode;
+use function intval;
+use function strval;
 use function urlencode;
 
 /**
@@ -21,6 +26,9 @@
  */
 class Exception
 {
+    public const CODES = ['IDENTIFICATION_FAILURE', 'AUTHENTICATION_FAILURE', 'AUTHORIZATION_FAILURE', 'OTHER_ERROR'];
+
+
     /**
      * Controller constructor.
      *
@@ -38,6 +46,65 @@ public function __construct(
     }
 
 
+    /**
+     * Show Service Provider error.
+     *
+     * @param Request $request The request that lead to this login operation.
+     * @param string $code The error code
+     * @return \SimpleSAML\XHTML\Template  An HTML template
+     */
+    public function error(Request $request, string $code): Response
+    {
+        if ($code !== 'ERRORURL_CODE') {
+            Assert::oneOf($code, self::CODES);
+        }
+
+        $ts = $request->query->get('ts');
+        $rp = $request->query->get('rp');
+        $tid = $request->query->get('tid');
+        $ctx = $request->query->get('ctx');
+
+        if ($ts !== 'ERRORURL_TS') {
+            Assert::integerish($ts);
+            $ts = date(DATE_W3C, intval($ts));
+        } else {
+            $ts = null;
+        }
+
+        if ($rp === 'ERRORURL_RP') {
+            $rp = null;
+        }
+
+        if ($tid === 'ERRORURL_TID') {
+            $tid = null;
+        }
+
+        if ($ctx === 'ERRORURL_CTX') {
+            $ctx = null;
+        }
+
+        Logger::notice(sprintf(
+            "A Service Provider reported the following error during authentication:  "
+            . "Code: %s; Timestamp: %s; Relying party: %s; Transaction ID: %s; Context: [%s]",
+            $code,
+            $ts ?? 'null',
+            $rp ?? 'null',
+            $tid ?? 'null',
+            $ctx,
+        ));
+
+        $t = new Template($this->config, 'core:error.twig');
+
+        $t->data['code'] = $code;
+        $t->data['ts'] = $ts;
+        $t->data['rp'] = $rp;
+        $t->data['tid'] = $tid;
+        $t->data['ctx'] = $ctx;
+
+        return $t;
+    }
+
+
     /**
      * Show cardinality error.
      *
diff --git a/modules/core/templates/error.twig b/modules/core/templates/error.twig
@@ -0,0 +1,33 @@
+{% set pagetitle = 'An error has occurred'|trans %}
+{% extends "base.twig" %}
+
+{% block content %}
+    <h2>{{ pagetitle }}</h2>
+
+    {% if code is same as ('IDENTIFICATION_FAILURE') %}
+    <p>{{ 'The identification procesd has failed.' |trans }}</p>
+    {% elseif code is same as ('AUTHENTICATION_FAILURE') %}
+    <p>{{ 'The authentication procesd has failed.' |trans }}</p>
+    {% elseif code is same as ('AUTHORIZATION_FAILURE') %}
+    <p>{{ 'The authorization procesd has failed.' |trans }}</p>
+    {% else %}
+    <p>{{ 'There was an issue while signing you in.' |trans }}</p>
+    {% endif %}
+
+    {% if ts is defined or rp is defined or tid is defined or ctx is defined %}
+    <table id="table_with_attributes" class="attributes pure-table pure-table-striped pure-table-attributes" summary="attribute overview">
+      {% if ts is defined %}
+      <tr><td>Timestamp</td><td>{{ ts }}</td></tr>
+      {% endif %}
+      {% if rp is defined %}
+      <tr><td>Service Provider</td><td>{{ rp }}</td></tr>
+      {% endif %}
+      {% if tid is defined %}
+      <tr><td>Reference code</td><td>{{ tid }}</td></tr>
+      {% endif %}
+      {% if ctx is defined %}
+      <tr><td>Context</td><td>{{ ctx }}</td></tr>
+      {% endif %}
+    </table>
+    {% endif %}
+{% endblock %}
diff --git a/src/SimpleSAML/Metadata/SAMLBuilder.php b/src/SimpleSAML/Metadata/SAMLBuilder.php
@@ -5,7 +5,7 @@
 namespace SimpleSAML\Metadata;
 
 use DOMElement;
-use SimpleSAML\{Configuration, Logger, Utils};
+use SimpleSAML\{Configuration, Module, Logger, Utils};
 use SimpleSAML\Assert\{Assert, AssertionFailedException};
 use SimpleSAML\Module\adfs\SAML2\XML\fed\SecurityTokenServiceType;
 use SimpleSAML\SAML2\Constants as C;
@@ -476,6 +476,14 @@ public function addMetadataIdP20(array $metadata): void
             $e->setWantAuthnRequestsSigned($metadata->getBoolean('redirect.sign'));
         }
 
+        if ($metadata->hasValue('errorURL')) {
+            $e->setErrorURL($metadata->getString('errorURL'));
+        } else {
+            $e->setErrorURL(Module::getModuleURL(
+                'core/error/ERRORURL_CODE?ts=ERRORURL_TS&rp=ERRORURL_RP&tid=ERRORURL_TID&ctx=ERRORURL_CTX',
+            ));
+        }
+
         $this->addExtensions($metadata, $e);
 
         $this->addCertificate($e, $metadata);
diff --git a/tests/modules/core/src/Controller/ExceptionTest.php b/tests/modules/core/src/Controller/ExceptionTest.php
@@ -0,0 +1,160 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Test\Module\core\Controller;
+
+use DATE_W3C;
+use PHPUnit\Framework\TestCase;
+use SimpleSAML\Assert\AssertionFailedException;
+use SimpleSAML\{Configuration, Logger, Session};
+use SimpleSAML\Module\core\Controller;
+use SimpleSAML\TestUtils\ArrayLogger;
+use SimpleSAML\XHTML\Template;
+use Symfony\Component\HttpFoundation\Request;
+
+use function date;
+use function sprintf;
+use function time;
+
+/**
+ * Set of tests for the controllers in the "core" module.
+ *
+ * @covers \SimpleSAML\Module\core\Controller\Exception
+ * @package SimpleSAML\Test
+ */
+class ExceptionTest extends TestCase
+{
+    /** @var \SimpleSAML\Configuration */
+    protected Configuration $config;
+
+    /** @var \SimpleSAML\Session */
+    protected Session $session;
+
+
+    /**
+     * Set up for each test.
+     */
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->config = Configuration::loadFromArray(
+            [
+                'logging.handler' => ArrayLogger::class,
+                'errorreporting' => false,
+                'module.enable' => ['core' => true],
+            ],
+            '[ARRAY]',
+            'simplesaml'
+        );
+
+        Configuration::setPreLoadedConfig($this->config, 'config.php');
+
+        $this->session = Session::getSessionFromRequest();
+    }
+
+
+    /**
+     * Clean up after each test
+     */
+    protected function tearDown(): void
+    {
+        Logger::clearCapturedLog();
+    }
+
+
+    /**
+     * @dataProvider codeProvider
+     * @param string $code
+     * Test that we are presented with an 'error was reported' page
+     */
+    public function testErrorURL(string $code, string $ts, string $rp, string $tid, string $ctx): void
+    {
+        $request = Request::create(
+            sprintf('/error/%s?ts=%s&rp=%s&tid=%s&ctx=%s', $code, $ts, $rp, $tid, $ctx),
+            'GET',
+        );
+
+        $c = new Controller\Exception($this->config, $this->session);
+
+        Logger::setCaptureLog();
+        $response = $c->error($request, $code);
+        Logger::setCaptureLog(false);
+
+        $log = Logger::getCapturedLog();
+        self::assertCount(5, $log);
+
+        self::assertStringContainsString(
+            "A Service Provider reported the following error during authentication:  "
+            . sprintf(
+                "Code: %s; Timestamp: %s; Relying party: %s; Transaction ID: %s; Context: [%s]",
+                $code,
+                ($ts === 'ERRORURL_TS') ? 'null' : date(DATE_W3C, intval($ts)),
+                ($rp === 'ERRORURL_RP') ? 'null' : $rp,
+                ($tid === 'ERRORURL_TID') ? 'null' : $tid,
+                ($ctx === 'ERRORURL_CTX') ? '' : urldecode($ctx),
+            ),
+            $log[0],
+        );
+
+        $this->assertInstanceOf(Template::class, $response);
+        $this->assertTrue($response->isSuccessful());
+        $this->assertEquals('core:error.twig', $response->getTemplateName());
+    }
+
+
+    /**
+     */
+    public static function codeProvider(): array
+    {
+        $codes = [
+            'ERRORURL_CODE',
+            'IDENTIFICATION_FAILURE',
+            'AUTHENTICATION_FAILURE',
+            'AUTHORIZATION_FAILURE',
+            'OTHER_ERROR',
+        ];
+
+        $tss = ['ERRORURL_TS', strval(time())];
+        $rps = ['ERRORURL_RP', 'phpunit'];
+        $tids = ['ERRORURL_TID', '123456'];
+        $ctxs = ['ERRORURL_CTX', urlencode("phpunit did it's job")];
+
+        $matrix = [];
+        foreach ($codes as $code) {
+            foreach ($tss as $ts) {
+                foreach ($rps as $rp) {
+                    foreach ($tids as $tid) {
+                        foreach ($ctxs as $ctx) {
+                            $matrix[] = [$code, $ts, $rp, $tid, $ctx];
+                        }
+                    }
+                }
+            }
+        }
+
+        return $matrix;
+    }
+
+
+    /**
+     * Test that an exception was thrown when an invalid error code was used.
+     */
+    public function testErrorURLInvalidCode(): void
+    {
+        $request = Request::create(
+            '/error/doesNotExist',
+        );
+
+        $c = new Controller\Exception($this->config, $this->session);
+
+        $this->expectException(AssertionFailedException::class);
+        $this->expectExceptionMessage(
+            'Expected one of: "IDENTIFICATION_FAILURE", "AUTHENTICATION_FAILURE",'
+            . ' "AUTHORIZATION_FAILURE", "OTHER_ERROR". Got: "doesNotExist"'
+        );
+
+        $c->error($request, 'doesNotExist');
+    }
+}
