Removing BOM character from SAML entity descriptor

Closes #30604 Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com> (cherry picked from commit c2c74faec0481c9cd6ee9506b65f42c08bb7442d)
2026-01-09 23:12:06 -03:30 · 2024-08-13 17:09:16 +02:00 · 2024-08-13 17:09:16 +02:00 · 21362ae8e6
commit 21362ae8e6
parent 57f035b67a
3 changed files with 69 additions and 7 deletions
--- a/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SAMLMetadataUtil.java
+++ b/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SAMLMetadataUtil.java
@ -45,6 +45,8 @@ import org.w3c.dom.NodeList;
 */
 public class SAMLMetadataUtil {

+    public static final String UTF8_BOM = "\uFEFF";
+
    /**
     * Get the {@link X509Certificate} from the KeyInfo
     *
@ -107,6 +109,7 @@ public class SAMLMetadataUtil {
    }

    public static EntityDescriptorType parseEntityDescriptorType(String descriptor) throws ParsingException {
+        descriptor = removeUTF8BOM(descriptor);
        Object parsedObject = SAMLParser.getInstance().parse(StaxParserUtil.getXMLEventReader(descriptor));
        EntityDescriptorType entityType;

@ -153,4 +156,11 @@ public class SAMLMetadataUtil {
        }
        return descriptor;
    }
-}
+
+    public static String removeUTF8BOM(String s) {
+        if (s.startsWith(UTF8_BOM)) {
+            s = s.substring(1);
+        }
+        return s;
+    }
+}
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/IdentityProviderTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/IdentityProviderTest.java
@ -176,7 +176,7 @@ public class IdentityProviderTest extends AbstractAdminTest {
        Response response = realm.identityProviders().create(newIdentityProvider);
        Assert.assertEquals(400, response.getStatus());
    }
-    
+
    @Test
    public void testCreate() {
        IdentityProviderRepresentation newIdentityProvider = createRep("new-identity-provider", "oidc");
@ -276,11 +276,11 @@ public class IdentityProviderTest extends AbstractAdminTest {
            }
        }
    }
-    
+
    @Test
    public void shouldFailWhenAliasHasSpaceDuringCreation() {
        IdentityProviderRepresentation newIdentityProvider = createRep("New Identity Provider", "oidc");
-        
+
        newIdentityProvider.getConfig().put(IdentityProviderModel.SYNC_MODE, "IMPORT");
        newIdentityProvider.getConfig().put("clientId", "clientId");
        newIdentityProvider.getConfig().put("clientSecret", "some secret value");
@ -703,7 +703,7 @@ public class IdentityProviderTest extends AbstractAdminTest {

    @Test
    public void importShouldFailDueAliasWithSpace() {
-        
+
        Map<String, Object> data = new HashMap<>();
        data.put("providerId", "saml");
        data.put("alias", "Alias With Space");
@ -728,6 +728,19 @@ public class IdentityProviderTest extends AbstractAdminTest {
        assertSamlExport(body);
    }

+    @Test
+    public void testSamlImportWithBom() throws URISyntaxException, IOException, ParsingException {
+        testSamlImport("saml-idp-metadata_utf8_bom.xml");
+
+        // Perform export, and make sure some of the values are like they're supposed to be
+        Response response = realm.identityProviders().get("saml").export("xml");
+        Assert.assertEquals(200, response.getStatus());
+        String body = response.readEntity(String.class);
+        response.close();
+
+        assertSamlExport(body);
+    }
+
    @Test
    public void testSamlImportWithAnyEncryptionMethod() throws URISyntaxException, IOException, ParsingException {
        testSamlImport("saml-idp-metadata-encryption-methods.xml");
@ -761,7 +774,7 @@ public class IdentityProviderTest extends AbstractAdminTest {
        assertEqual(rep, providers.get(0));

    }
-    
+
    @Test
    public void testSamlImportAndExportDisabled() throws URISyntaxException, IOException, ParsingException {

@ -784,7 +797,7 @@ public class IdentityProviderTest extends AbstractAdminTest {
        IdentityProviderResource provider = realm.identityProviders().get("saml");
        IdentityProviderRepresentation rep = provider.toRepresentation();
        assertCreatedSamlIdp(rep, false);
-        
+
    }


--- a/testsuite/integration-arquillian/tests/base/src/test/resources/admin-test/saml-idp-metadata_utf8_bom.xml
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/admin-test/saml-idp-metadata_utf8_bom.xml
@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor entityID="http://localhost:8080/auth/realms/master"
+                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+                  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
+                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+                  xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
+>
+     <Extensions>
+	 <mdattr:EntityAttributes>
+        <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
+          <saml:AttributeValue>http://refeds.org/category/hide-from-discovery</saml:AttributeValue>
+        </saml:Attribute>
+      </mdattr:EntityAttributes>
+      </Extensions>
+   <IDPSSODescriptor WantAuthnRequestsSigned="true"
+      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+      <KeyDescriptor use="signing">
+          <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
+              <dsig:X509Data>
+                  <dsig:X509Certificate>
+                      MIICmzCCAYMCBgFUYnC0OjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMTYwNDI5MTQzMjEzWhcNMjYwNDI5MTQzMzUzWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCN25AW1poMEZRbuMAHG58AThZmCwMV6/Gcui4mjGacRFyudgqzLjQ2rxpoW41JAtLjbjeAhuWvirUcFVcOeS3gM/ZC27qCpYighAcylZz6MYocnEe1+e8rPPk4JlID6Wv62dgu+pL/vYsQpRhvD3Y2c/ytgr5D32xF+KnzDehUy5BSyzypvu12Wq9mS5vK5tzkN37EjkhpY2ZxaXPubjDIITCAL4Q8M/m5IlacBaUZbzI4AQrHnMP1O1IH2dHSWuMiBe+xSDTco72PmuYPJKTV4wQdeBUIkYbfLc4RxVmXEvgkQgyW86EoMPxlWJpj7+mTIR+l+2thZPr/VgwTs82rAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAA/Ip/Hi8RoVu5ouaFFlc5whT7ltuK8slfLGW4tM4vJXhInYwsqIRQKBNDYW/64xle3eII4u1yAH1OYRRwEs7Em1pr4QuFuTY1at+aE0sE46XDlyESI0txJjWxYoT133vM0We2pj1b2nxgU30rwjKA3whnKEfTEYT/n3JBSqNggy6l8ZGw/oPSgvPaR4+xeB1tfQFC4VrLoYKoqH6hAL530nKxL+qV8AIfL64NDEE8ankIAEDAAFe8x3CPUfXR/p4KOANKkpz8ieQaHDb1eITkAwUwjESj6UF9D1aePlhWls/HX0gujFXtWfWfrJ8CU/ogwlH8y1jgRuLjFQYZk6llc=
+                  </dsig:X509Certificate>
+              </dsig:X509Data>
+          </dsig:KeyInfo>
+      </KeyDescriptor>
+      <SingleLogoutService
+        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        Location="http://localhost:8080/auth/realms/master/protocol/saml" />
+      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
+      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
+      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
+      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        Location="http://localhost:8080/auth/realms/master/protocol/saml" />
+      <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+        Location="http://localhost:8080/auth/realms/master/protocol/saml/resolve"
+        index="0"/>
+   </IDPSSODescriptor>
+</EntityDescriptor>