always expect

Author: zibet27

ktor-server/ktor-server-plugins/ktor-server-auth-saml/jvm/src/io/ktor/server/auth/saml/SamlAuthenticationProvider.kt

@@ -292,6 +292,11 @@ public class SamlAuthenticationProvider internal constructor(
             val samlResponse = parameters["SAMLResponse"]
 
             when {
+                samlRequest != null && samlResponse != null -> {
+                    logger.debug("SLO endpoint failed. Both `SAMLRequest` and `SAMLRequest` are present")
+                    call.respond(HttpStatusCode.BadRequest, "Malformed SAML request")
+                }
+
                 samlRequest != null -> handleIdpLogoutRequest(samlRequest, parameters)
                 samlResponse != null -> handleLogoutResponse(samlResponse, parameters)
                 else -> {

ktor-server/ktor-server-plugins/ktor-server-auth-saml/jvm/src/io/ktor/server/auth/saml/SamlLogoutProcessor.kt

@@ -164,12 +164,15 @@ internal class SamlLogoutProcessor(
         signatureParam: String? = null,
         signatureAlgorithmParam: String? = null
     ): LogoutResult {
-        val responseXml = samlResponseBase64.decodeSamlMessage(isDeflated = binding == SamlBinding.HttpRedirect)
-        val document: Document = LibSaml.parserPool.parse(responseXml.toByteArray().inputStream())
-        val logoutResponse = document.documentElement.unmarshall<LogoutResponse>()
+        val logoutResponse = withValidationException {
+            val responseXml = samlResponseBase64.decodeSamlMessage(isDeflated = binding == SamlBinding.HttpRedirect)
+            val document: Document = LibSaml.parserPool.parse(responseXml.toByteArray().inputStream())
+            document.documentElement.unmarshall<LogoutResponse>()
+        }
 
         val inResponseTo = logoutResponse.inResponseTo
-        samlAssert(expectedRequestId == null || inResponseTo == expectedRequestId) { "InResponseTo mismatch" }
+        samlRequire(expectedRequestId) { "Unexpected logout response" }
+        samlAssert(inResponseTo == expectedRequestId) { "InResponseTo mismatch" }
 
         // Issuer is required for security - ensures the response is from the expected IdP
         val issuer = samlRequire(logoutResponse.issuer?.value) { "LogoutResponse Issuer is required" }

ktor-server/ktor-server-plugins/ktor-server-auth-saml/jvm/src/io/ktor/server/auth/saml/SamlResponseProcessor.kt

@@ -98,36 +98,31 @@ internal class SamlResponseProcessor(
      * @throws SamlValidationException if validation fails
      */
     suspend fun processResponse(samlResponseBase64: String, expectedRequestId: String?): SamlCredential {
-        val samlResponseXml = String(bytes = Base64.decode(samlResponseBase64))
-        val response = parseResponse(samlResponseXml).also { it.validate(expectedRequestId) }
+        val response = parseResponse(samlResponseBase64).also { it.validate(expectedRequestId) }
         val assertion = response.extractAssertion().also { it.validate(expectedRequestId) }
         return SamlCredential(response, assertion)
     }
 
-    private fun parseResponse(xml: String): Response = withValidationException {
-        val document: Document = LibSaml.parserPool.parse(ByteArrayInputStream(xml.toByteArray()))
+    private fun parseResponse(samlResponseBase64: String): Response = withValidationException {
+        val xmlStream = ByteArrayInputStream(Base64.decode(source = samlResponseBase64))
+        val document: Document = LibSaml.parserPool.parse(xmlStream)
         document.documentElement.unmarshall<Response>()
     }
 
     private fun Response.validate(expectedRequestId: String?) {
         val statusCode = status?.statusCode?.value
-        if (statusCode != StatusCode.SUCCESS) {
+        samlAssert(statusCode == StatusCode.SUCCESS) {
             val statusMessage = status?.statusMessage?.value ?: "No message"
-            throw SamlValidationException("SAML response status is not Success: $statusCode - $statusMessage")
+            "SAML response status is not Success: $statusCode - $statusMessage"
         }
 
-        when {
-            expectedRequestId != null -> {
-                samlAssert(inResponseTo == expectedRequestId) { "InResponseTo mismatch" }
-            }
-
-            !allowIdpInitiatedSso -> throw SamlValidationException("IdP-initiated SSO is not allowed.")
+        if (expectedRequestId != null) {
+            samlAssert(inResponseTo == expectedRequestId) { "InResponseTo mismatch" }
+        } else {
+            samlAssert(allowIdpInitiatedSso) { "IdP-initiated SSO is not allowed." }
         }
 
-        val issuer = issuer?.value
-        samlAssert(issuer == idpMetadata.entityId) { "Response issuer mismatch" }
-
-        val destination = destination
+        samlAssert(issuer?.value == idpMetadata.entityId) { "Response issuer mismatch" }
         samlAssert(!requireDestination || destination != null) { "Response Destination is not present" }
         samlAssert(destination == null || destination == acsUrl) { "Response Destination mismatch" }
 

ktor-server/ktor-server-plugins/ktor-server-auth-saml/jvm/src/io/ktor/server/auth/saml/SamlUtils.kt

@@ -82,7 +82,11 @@ internal fun String.encodeSamlMessage(deflate: Boolean): String {
     }
     val bytesOut = ByteArrayOutputStream()
     val deflater = Deflater(Deflater.DEFLATED, true)
-    DeflaterOutputStream(bytesOut, deflater).use { it.write(bytes) }
+    try {
+        DeflaterOutputStream(bytesOut, deflater).use { it.write(bytes) }
+    } finally {
+        deflater.end()
+    }
     return Base64.encode(source = bytesOut.toByteArray())
 }
 
@@ -98,8 +102,12 @@ internal fun String.decodeSamlMessage(isDeflated: Boolean): String {
         return decodedBytes.toString(Charsets.UTF_8)
     }
     val inflater = Inflater(true)
-    val inflaterInputStream = InflaterInputStream(decodedBytes.inputStream(), inflater)
-    return inflaterInputStream.readBytes().toString(Charsets.UTF_8)
+    try {
+        val inflaterInputStream = InflaterInputStream(decodedBytes.inputStream(), inflater)
+        return inflaterInputStream.readBytes().toString(Charsets.UTF_8)
+    } finally {
+        inflater.end()
+    }
 }
 
 @Suppress("UNCHECKED_CAST")

ktor-server/ktor-server-plugins/ktor-server-auth-saml/jvm/test/io/ktor/server/auth/saml/SamlLogoutIntegrationTest.kt

@@ -123,33 +123,79 @@ class SamlLogoutIntegrationTest {
     fun `test LogoutResponse processing with success and failure status`() = testApplication {
         configureSamlAuth(enableSingleLogout = true)
 
+        val testClient = noRedirectsClient()
+
+        // Initiate SP-initiated logout to populate session with logoutRequestId
+        val initiateResponse = testClient.get("/test-logout")
+        assertEquals(HttpStatusCode.Found, initiateResponse.status)
+        val sessionCookie = initiateResponse.headers[HttpHeaders.SetCookie]
+        assertNotNull(sessionCookie, "Session cookie should be set")
+        val logoutRequestId = initiateResponse.headers["X-Logout-Request-Id"]
+        assertNotNull(logoutRequestId, "LogoutRequest ID should be returned in header")
+
+        // Test SUCCESS case: InResponseTo matches the stored logoutRequestId
         val successResponseXml = SamlTestUtils.createLogoutResponse(
-            inResponseTo = "_test_request_id",
+            inResponseTo = logoutRequestId,
             statusCode = StatusCode.SUCCESS,
             issuer = IDP_ENTITY_ID,
             destination = SLO_URL
         )
         val successBase64 = SamlTestUtils.encodeForPost(successResponseXml)
 
-        val successResponse = client.post(SLO_PATH) {
+        val successResponse = testClient.post(SLO_PATH) {
             contentType(ContentType.Application.FormUrlEncoded)
+            header(HttpHeaders.Cookie, sessionCookie.substringBefore(";"))
             setBody("SAMLResponse=${successBase64.encodeURLParameter()}")
         }
 
         assertEquals(HttpStatusCode.OK, successResponse.status)
         assertTrue(successResponse.bodyAsText().contains("Logout completed"))
 
+        // Test FAILURE case: InResponseTo does NOT match the stored logoutRequestId
+        // Re-initiate logout to get a fresh session with logoutRequestId
+        val reinitiateResponse = testClient.get("/test-logout")
+        assertEquals(HttpStatusCode.Found, reinitiateResponse.status)
+        val freshSessionCookie = reinitiateResponse.headers[HttpHeaders.SetCookie]
+        assertNotNull(freshSessionCookie)
+
+        val mismatchedResponseXml = SamlTestUtils.createLogoutResponse(
+            inResponseTo = "_different_request_id",
+            statusCode = StatusCode.SUCCESS,
+            issuer = IDP_ENTITY_ID,
+            destination = SLO_URL
+        )
+        val mismatchedBase64 = SamlTestUtils.encodeForPost(mismatchedResponseXml)
+
+        val mismatchedResponse = testClient.post(SLO_PATH) {
+            contentType(ContentType.Application.FormUrlEncoded)
+            header(HttpHeaders.Cookie, freshSessionCookie.substringBefore(";"))
+            setBody("SAMLResponse=${mismatchedBase64.encodeURLParameter()}")
+        }
+
+        // Mismatched InResponseTo should result in BadRequest (InResponseTo mismatch is caught as validation error)
+        assertEquals(HttpStatusCode.BadRequest, mismatchedResponse.status)
+        assertTrue(mismatchedResponse.bodyAsText().contains("Invalid logout response"))
+
+        // Test IdP failure case: InResponseTo matches but IdP reports failure status
+        val reinitiateResponse2 = testClient.get("/test-logout")
+        assertEquals(HttpStatusCode.Found, reinitiateResponse2.status)
+        val freshSessionCookie2 = reinitiateResponse2.headers[HttpHeaders.SetCookie]
+        assertNotNull(freshSessionCookie2)
+        val logoutRequestId2 = reinitiateResponse2.headers["X-Logout-Request-Id"]
+        assertNotNull(logoutRequestId2)
+
         val failureResponseXml = SamlTestUtils.createLogoutResponse(
-            inResponseTo = "_test_request",
+            inResponseTo = logoutRequestId2,
             statusCode = StatusCode.RESPONDER,
             statusMessage = "Logout failed at IdP",
             issuer = IDP_ENTITY_ID,
             destination = SLO_URL
         )
         val failureBase64 = SamlTestUtils.encodeForPost(failureResponseXml)
 
-        val failureResponse = client.post(SLO_PATH) {
+        val failureResponse = testClient.post(SLO_PATH) {
             contentType(ContentType.Application.FormUrlEncoded)
+            header(HttpHeaders.Cookie, freshSessionCookie2.substringBefore(";"))
             setBody("SAMLResponse=${failureBase64.encodeURLParameter()}")
         }
 
@@ -162,16 +208,27 @@ class SamlLogoutIntegrationTest {
     fun `test LogoutResponse with RelayState redirects`() = testApplication {
         configureSamlAuth(enableSingleLogout = true)
 
+        val testClient = noRedirectsClient()
+
+        // Initiate SP-initiated logout to populate session with logoutRequestId
+        val initiateResponse = testClient.get("/test-logout")
+        assertEquals(HttpStatusCode.Found, initiateResponse.status)
+        val sessionCookie = initiateResponse.headers[HttpHeaders.SetCookie]
+        assertNotNull(sessionCookie)
+        val logoutRequestId = initiateResponse.headers["X-Logout-Request-Id"]
+        assertNotNull(logoutRequestId)
+
         val logoutResponseXml = SamlTestUtils.createLogoutResponse(
-            inResponseTo = "_test_request",
+            inResponseTo = logoutRequestId,
             statusCode = StatusCode.SUCCESS,
             issuer = IDP_ENTITY_ID,
             destination = SLO_URL
         )
         val base64Response = SamlTestUtils.encodeForPost(logoutResponseXml)
 
-        val response = noRedirectsClient().post(SLO_PATH) {
+        val response = testClient.post(SLO_PATH) {
             contentType(ContentType.Application.FormUrlEncoded)
+            header(HttpHeaders.Cookie, sessionCookie.substringBefore(";"))
             setBody("SAMLResponse=${base64Response.encodeURLParameter()}&RelayState=/post-logout-page")
         }
 
@@ -327,6 +384,8 @@ class SamlLogoutIntegrationTest {
                         spMetadata = spMetadata,
                         sessionIndex = "_session123"
                     )
+                    // Include the messageId in a header for tests to use when constructing LogoutResponse
+                    call.response.header("X-Logout-Request-Id", result.messageId)
                     call.respondRedirect(result.redirectUrl)
                 }