public void ThrowsExceptionWhenAttributeStatementHasInvalidStatementType()
            {
                // Appends an AuthzDecisionStatement to the basic assertion's statements and passes
                // the result to DKSaml20AssertionValidator.ValidateAssertion.
                // NOTE(review): nothing in this body asserts the failure the name promises; presumably an
                // expected-exception attribute sits above the signature, outside this view — confirm.
                // Without one, a validator that stopped rejecting this statement type would let the test pass.

                // Arrange
                var assertionValidator = new DKSaml20AssertionValidator(AssertionUtil.GetAudiences(), false);
                var assertion          = AssertionUtil.GetBasicAssertion();

                var decisionAction = new Action { Namespace = "http://actionns.com", Value = "value" };
                var extraStatement = new AuthzDecisionStatement
                {
                    Decision = DecisionType.Permit,
                    Resource = "http://safewhere.net",
                    Action   = new[] { decisionAction }
                };

                // Keep the existing statements and put the extra one last.
                var allStatements = new List <StatementAbstract>(assertion.Items);
                allStatements.Add(extraStatement);
                assertion.Items = allStatements.ToArray();

                // Act
                assertionValidator.ValidateAssertion(assertion);
            }
            public void ValidatesAudienceRestrictionWithSeveralAudiences()
            {
                // Adds one more audience URI to the first AudienceRestriction of the basic assertion
                // and validates it. The test passes when ValidateAssertion does not throw.

                // Arrange
                var basicAssertion     = AssertionUtil.GetBasicAssertion();
                var assertionValidator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                foreach (var condition in basicAssertion.Conditions.Items)
                {
                    if (condition is AudienceRestriction)
                    {
                        // Only the first restriction found is extended; the loop stops right after.
                        var restriction = (AudienceRestriction)condition;
                        var extended    = new List <string>(restriction.Audience);
                        extended.Add("http://well/formed.uri");
                        restriction.Audience = extended;
                        break;
                    }
                }

                // Act
                assertionValidator.ValidateAssertion(basicAssertion);
            }
            public void ThrowsExceptionWhenAudienceRestrictionIsNotConfigured()
            {
                // A validator built with a null audience list must reject the basic assertion
                // with a Saml20FormatException.
                // NOTE(review): if this is NUnit's Assert.Throws<T>(TestDelegate, string), the string is the
                // text reported when the assertion fails, not a check on the exception's Message — confirm.
                // In that case any Saml20FormatException satisfies the test, whatever the rejection reason.
                const string message = "The service is not configured to meet any audience restrictions";

                // Arrange
                var basicAssertion     = AssertionUtil.GetBasicAssertion();
                var unconfiguredForAny = new Saml20AssertionValidator(null, false);

                // Act
                Assert.Throws <Saml20FormatException>(() => unconfiguredForAny.ValidateAssertion(basicAssertion), message);
            }
            public void ValidatesAssertion()
            {
                // Baseline: the unmodified basic assertion is validated against the audiences from
                // AssertionUtil.GetAudiences(). The test passes when ValidateAssertion does not throw.

                // Arrange
                var basicAssertion     = AssertionUtil.GetBasicAssertion();
                var assertionValidator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                // Act
                assertionValidator.ValidateAssertion(basicAssertion);
            }
            public void ThrowsExceptionWhenAudienceRestrictionIsNotConfigured()
            {
                // Validates the basic assertion with a validator that was given a null audience list.
                // NOTE(review): nothing in this body asserts the failure the name promises; presumably an
                // expected-exception attribute sits above the signature, outside this view — confirm.
                // Without one, a validator that accepted a missing audience configuration would let the test pass.

                // Arrange
                var basicAssertion     = AssertionUtil.GetBasicAssertion();
                var unconfiguredForAny = new Saml20AssertionValidator(null, false);

                // Act
                unconfiguredForAny.ValidateAssertion(basicAssertion);
            }
            public void ValidatesSubjectConfirmation()
            {
                // Takes the first SubjectConfirmation out of the basic assertion's subject and validates
                // it with DKSaml20SubjectConfirmationValidator. Passes when no exception is thrown.

                // Arrange
                var confirmationValidator = new DKSaml20SubjectConfirmationValidator();

                var assertion    = AssertionUtil.GetBasicAssertion();
                var firstMatch   = Array.Find(assertion.Subject.Items, candidate => candidate is SubjectConfirmation);
                var confirmation = (SubjectConfirmation)firstMatch;

                // Act
                confirmationValidator.ValidateSubjectConfirmation(confirmation);
            }
            public void ValidatesTimeRestrictionBothNotBeforeAndNotOnOrAfter()
            {
                // Sets a validity window from one day ago to one day ahead (both UTC) and validates
                // the assertion. Passes when ValidateAssertion does not throw.

                // Arrange
                var basicAssertion     = AssertionUtil.GetBasicAssertion();
                var assertionValidator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                var conditions = basicAssertion.Conditions;
                conditions.NotBefore    = DateTime.UtcNow.AddDays(-1);
                conditions.NotOnOrAfter = DateTime.UtcNow.AddDays(1);

                // Act
                assertionValidator.ValidateAssertion(basicAssertion);
            }
            public void ThrowsExceptionWhenIssuerFormatInvalid()
            {
                // Gives the Issuer a Format value that is not a URI and validates the assertion.
                // NOTE(review): nothing in this body asserts the failure the name promises; presumably an
                // expected-exception attribute sits above the signature, outside this view — confirm.
                // Without one, a validator that accepted the malformed Format would let the test pass.

                // Arrange
                var basicAssertion = AssertionUtil.GetBasicAssertion();

                var issuer = basicAssertion.Issuer;
                issuer.Format = "a non wellformed uri";

                var assertionValidator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                // Act
                assertionValidator.ValidateAssertion(basicAssertion);
            }
            public void ThrowsExceptionWhenSubjectConfirmationContainsElementsOfWrongIdentifier()
            {
                // Replaces the subject's items with objects of unrelated types (a string, an int,
                // a list and an Advice) and validates the subject.
                // NOTE(review): nothing in this body asserts the failure the name promises; presumably an
                // expected-exception attribute sits above the signature, outside this view — confirm.
                // Without one, a validator that accepted these items would let the test pass.

                // Arrange
                var assertion = AssertionUtil.GetBasicAssertion();

                var unrelatedItems = new object[] { string.Empty, 24, new List <object>(1), new Advice() };
                assertion.Subject.Items = unrelatedItems;

                var subjectValidator = new Saml20SubjectValidator();

                // Act
                subjectValidator.ValidateSubject(assertion.Subject);
            }
            public void ThrowsExceptionWhenSubjectConfirmationDoesNotContainSubject()
            {
                // Empties the subject's item array and validates the subject.
                // NOTE(review): nothing in this body asserts the failure the name promises; presumably an
                // expected-exception attribute sits above the signature, outside this view — confirm.
                // Without one, a validator that accepted an empty subject would let the test pass.

                // Arrange
                var assertion = AssertionUtil.GetBasicAssertion();

                var noItems = new object[] { };
                assertion.Subject.Items = noItems;

                var subjectValidator = new Saml20SubjectValidator();

                // Act
                subjectValidator.ValidateSubject(assertion.Subject);
            }
            // Message noted by the original author for this case:
            // "The service is not configured to meet any audience restrictions".
            // Only the exception type is asserted below; the message itself is not checked.
            public void ThrowsExceptionWhenAudienceRestrictionIsNotConfigured()
            {
                // A validator built with a null audience list must reject the basic assertion
                // with a Saml20FormatException. ValidateAssertion is called with `true` as its
                // second argument; what that flag selects is not visible here.

                // Arrange
                var basicAssertion     = AssertionUtil.GetBasicAssertion();
                var unconfiguredForAny = new Saml20AssertionValidator(null, false);
                var expectedType       = typeof(Saml20FormatException);

                // Act
                Assert.Throws(expectedType, () =>
                {
                    unconfiguredForAny.ValidateAssertion(basicAssertion, true);
                });
            }
            public void ValidatesTimeRestrictionNotSpecified()
            {
                // Clears both NotBefore and NotOnOrAfter on the conditions and validates the assertion.
                // Passes when ValidateAssertion does not throw, i.e. the validator is expected to accept
                // conditions that carry no time bounds at all.

                // Arrange
                var basicAssertion     = AssertionUtil.GetBasicAssertion();
                var assertionValidator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                var conditions = basicAssertion.Conditions;
                conditions.NotBefore    = null;
                conditions.NotOnOrAfter = null;

                // Act
                assertionValidator.ValidateAssertion(basicAssertion);
            }
            public void ThrowsExceptionWhenIssuerNull()
            {
                // Removes the Issuer from the basic assertion and validates it.
                // NOTE(review): nothing in this body asserts the failure the name promises; presumably an
                // expected-exception attribute sits above the signature, outside this view — confirm.
                // Without one, a validator that accepted an assertion with no issuer would let the test pass.

                // Arrange
                var issuerless = AssertionUtil.GetBasicAssertion();
                issuerless.Issuer = null;

                var assertionValidator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                // Act
                assertionValidator.ValidateAssertion(issuerless);
            }
            public void ThrowsExceptionWhenIssuerFormatInvalid()
            {
                // An Issuer whose Format is not a URI must make ValidateAssertion throw
                // Saml20FormatException.
                // NOTE(review): if this is NUnit's Assert.Throws<T>(TestDelegate, string), the string is the
                // text reported when the assertion fails, not a check on the exception's Message — confirm.
                // In that case any Saml20FormatException satisfies the test, whatever the rejection reason.
                const string message = "NameID element has Format attribute which is not a wellformed absolute uri.";

                // Arrange
                var basicAssertion = AssertionUtil.GetBasicAssertion();

                var issuer = basicAssertion.Issuer;
                issuer.Format = "a non wellformed uri";

                var assertionValidator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                // Act
                Assert.Throws <Saml20FormatException>(() => assertionValidator.ValidateAssertion(basicAssertion), message);
            }
            public void ThrowsExceptionWhenWrongVersion()
            {
                // Sets the assertion's Version to "60" and validates it.
                // NOTE(review): nothing in this body asserts the failure the name promises; presumably an
                // expected-exception attribute sits above the signature, outside this view — confirm.
                // Without one, a validator that ignored the Version value would let the test pass.

                // Arrange
                var wrongVersion = AssertionUtil.GetBasicAssertion();
                wrongVersion.Version = "60";

                var assertionValidator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                // Act
                assertionValidator.ValidateAssertion(wrongVersion);
            }
            public void ThrowsExceptionWhenWrongVersion()
            {
                // An assertion whose Version is "60" must make ValidateAssertion throw
                // Saml20FormatException.
                // NOTE(review): if this is NUnit's Assert.Throws<T>(TestDelegate, string), the string is the
                // text reported when the assertion fails, not a check on the exception's Message — confirm.
                // In that case any Saml20FormatException satisfies the test, whatever the rejection reason.
                const string message = "Wrong value of version attribute on Assertion element";

                // Arrange
                var wrongVersion = AssertionUtil.GetBasicAssertion();
                wrongVersion.Version = "60";

                var assertionValidator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                // Act
                Assert.Throws <Saml20FormatException>(() => assertionValidator.ValidateAssertion(wrongVersion), message);
            }
            public void ThrowsExceptionWhenIssuerNull()
            {
                // An assertion with its Issuer set to null must make ValidateAssertion throw
                // Saml20FormatException.
                // NOTE(review): if this is NUnit's Assert.Throws<T>(TestDelegate, string), the string is the
                // text reported when the assertion fails, not a check on the exception's Message — confirm.
                // In that case any Saml20FormatException satisfies the test, whatever the rejection reason.
                const string message = "Assertion element must have an issuer element.";

                // Arrange
                var issuerless = AssertionUtil.GetBasicAssertion();
                issuerless.Issuer = null;

                var assertionValidator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                // Act
                Assert.Throws <Saml20FormatException>(() => assertionValidator.ValidateAssertion(issuerless), message);
            }
            public void ThrowsExceptionWhenSubjectConfirmationContainsElementsOfWrongIdentifier()
            {
                // A subject whose items are objects of unrelated types (a string, an int, a list and
                // an Advice) must make ValidateSubject throw Saml20FormatException.
                // NOTE(review): if this is NUnit's Assert.Throws<T>(TestDelegate, string), the string is the
                // text reported when the assertion fails, not a check on the exception's Message — confirm.
                // In that case any Saml20FormatException satisfies the test, whatever the rejection reason.
                const string message = "Subject must have either NameID, EncryptedID or SubjectConfirmation subelement.";

                // Arrange
                var assertion = AssertionUtil.GetBasicAssertion();

                var unrelatedItems = new object[] { string.Empty, 24, new List <object>(1), new Advice() };
                assertion.Subject.Items = unrelatedItems;

                var subjectValidator = new Saml20SubjectValidator();

                // Act
                Assert.Throws <Saml20FormatException>(() => subjectValidator.ValidateSubject(assertion.Subject), message);
            }
            public void ThrowsWhenSessionIndexElementIsNotPresent()
            {
                // Clears SessionIndex on the basic assertion's first AuthnStatement and passes that
                // statement to DKSaml20StatementValidator.ValidateStatement.
                // NOTE(review): nothing in this body asserts the failure the name promises; presumably an
                // expected-exception attribute sits above the signature, outside this view — confirm.
                // Without one, a validator that accepted a missing SessionIndex would let the test pass.

                // Arrange
                var statementValidator = new DKSaml20StatementValidator();

                var assertion  = AssertionUtil.GetBasicAssertion();
                var firstMatch = Array.Find(assertion.Items, candidate => candidate is AuthnStatement);
                var statement  = (AuthnStatement)firstMatch;

                statement.SessionIndex = null;

                // Act
                statementValidator.ValidateStatement(statement);
            }
            public void ThrowsExceptionWhenAudienceRestrictionDoesNotMatch()
            {
                // Validates the basic assertion with a validator whose only allowed audience is
                // "uri:lalal".
                // NOTE(review): nothing in this body asserts the failure the name promises; presumably an
                // expected-exception attribute sits above the signature, outside this view — confirm.
                // Without one, a validator that skipped the audience comparison would let the test pass.

                // Arrange
                var basicAssertion = AssertionUtil.GetBasicAssertion();

                var onlyAllowed = new List <Uri>();
                onlyAllowed.Add(new Uri("uri:lalal"));

                var assertionValidator = new Saml20AssertionValidator(onlyAllowed, false);

                // Act
                assertionValidator.ValidateAssertion(basicAssertion);
            }
            public void ThrowsWhenSubjectConfirmationElementIsNotPresent()
            {
                // Changes the Method of the subject's first SubjectConfirmation to "http://example.com"
                // and validates the subject with DKSaml20SubjectValidator. The confirmation element is
                // altered, not removed, despite what the test name says.
                // NOTE(review): nothing in this body asserts the failure the name promises; presumably an
                // expected-exception attribute sits above the signature, outside this view — confirm.
                // Without one, a validator that accepted this confirmation method would let the test pass.

                // Arrange
                var subjectValidator = new DKSaml20SubjectValidator();

                var assertion    = AssertionUtil.GetBasicAssertion();
                var firstMatch   = Array.Find(assertion.Subject.Items, candidate => candidate is SubjectConfirmation);
                var confirmation = (SubjectConfirmation)firstMatch;

                confirmation.Method = "http://example.com";

                // Act
                subjectValidator.ValidateSubject(assertion.Subject);
            }
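            public void ThrowsExceptionWhenTimeRestrictionNotBeforeIsInvalid()
            {
                // An assertion whose Conditions.NotBefore lies one day ahead must make
                // ValidateTimeRestrictions throw Saml20FormatException. The second argument is a zero
                // TimeSpan (presumably the allowed clock skew — confirm).
                // NOTE(review): if this is NUnit's Assert.Throws<T>(TestDelegate, string), the string is the
                // text reported when the assertion fails, not a check on the exception's Message — confirm.
                // In that case any Saml20FormatException satisfies the test, whatever the rejection reason.

                // Arrange
                var assertion = AssertionUtil.GetBasicAssertion();
                var validator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                // NotBefore post-dates now. Built from UtcNow, like the other time-restriction tests
                // in this file, so the value does not depend on the machine's local time zone.
                assertion.Conditions.NotBefore    = DateTime.UtcNow.AddDays(1);
                assertion.Conditions.NotOnOrAfter = null;

                // Act
                Assert.Throws <Saml20FormatException>(() => validator.ValidateTimeRestrictions(assertion, new TimeSpan()), "Conditions.NotBefore must not be in the future");
            }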
            public void ThrowsExceptionWhenSubjectConfirmationDoesNotContainSubject()
            {
                // A subject with an empty item array must make ValidateSubject throw
                // Saml20FormatException.
                // NOTE(review): if this is NUnit's Assert.Throws<T>(TestDelegate, string), the string is the
                // text reported when the assertion fails, not a check on the exception's Message — confirm.
                // In that case any Saml20FormatException satisfies the test, whatever the rejection reason.
                const string message = "Subject MUST contain either an identifier or a subject confirmation";

                // Arrange
                var assertion = AssertionUtil.GetBasicAssertion();

                var noItems = new object[] { };
                assertion.Subject.Items = noItems;

                var subjectValidator = new Saml20SubjectValidator();

                // Act
                Assert.Throws <Saml20FormatException>(() => subjectValidator.ValidateSubject(assertion.Subject), message);
            }
            public void ThrowsExceptionWhenTimeRestrictionNotOnOrAfterYesterday()
            {
                // Sets NotOnOrAfter to one day in the past (UTC), leaves NotBefore unset, and calls
                // ValidateTimeRestrictions with a zero TimeSpan (presumably the allowed clock skew — confirm).
                // NOTE(review): nothing in this body asserts the failure the name promises; presumably an
                // expected-exception attribute sits above the signature, outside this view — confirm.
                // Without one, a validator that accepted an expired assertion would let the test pass.

                // Arrange
                var expiredAssertion   = AssertionUtil.GetBasicAssertion();
                var assertionValidator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                var conditions = expiredAssertion.Conditions;
                conditions.NotBefore    = null;
                conditions.NotOnOrAfter = DateTime.UtcNow.AddDays(-1);

                // Act
                assertionValidator.ValidateTimeRestrictions(expiredAssertion, TimeSpan.Zero);
            }
            public void ThrowsExceptionWhenAudienceRestrictionDoesNotMatch()
            {
                // A validator whose only allowed audience is "uri:lalal" must reject the basic
                // assertion with Saml20FormatException.
                // NOTE(review): if this is NUnit's Assert.Throws<T>(TestDelegate, string), the string is the
                // text reported when the assertion fails, not a check on the exception's Message — confirm.
                // In that case any Saml20FormatException satisfies the test, so a rejection for some
                // other reason would hide a broken audience comparison.
                const string message = "The service is not configured to meet the given audience restrictions";

                // Arrange
                var basicAssertion = AssertionUtil.GetBasicAssertion();

                var onlyAllowed = new List <string>();
                onlyAllowed.Add("uri:lalal");

                var assertionValidator = new Saml20AssertionValidator(onlyAllowed, false);

                // Act
                Assert.Throws <Saml20FormatException>(() => assertionValidator.ValidateAssertion(basicAssertion), message);
            }
            public void ThrowsExceptionWhenTimeRestrictionNotOnOrAfterNow()
            {
                // Boundary case: NotOnOrAfter is set to the current UTC instant rather than a past one,
                // NotBefore is unset, and ValidateTimeRestrictions is called with a zero TimeSpan
                // (presumably the allowed clock skew — confirm). Saml20FormatException is expected.
                // NOTE(review): if this is NUnit's Assert.Throws<T>(TestDelegate, string), the string is the
                // text reported when the assertion fails, not a check on the exception's Message — confirm.
                // In that case any Saml20FormatException satisfies the test, whatever the rejection reason.
                const string message = "Conditions.NotOnOrAfter must not be in the past";

                // Arrange
                var boundaryAssertion  = AssertionUtil.GetBasicAssertion();
                var assertionValidator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                var conditions = boundaryAssertion.Conditions;
                conditions.NotBefore    = null;
                conditions.NotOnOrAfter = DateTime.UtcNow;

                // Act
                Assert.Throws <Saml20FormatException>(() => assertionValidator.ValidateTimeRestrictions(boundaryAssertion, TimeSpan.Zero), message);
            }
            public void ThrowsWhenNotOnOrAfterElementIsNotPresent()
            {
                // Clears SubjectConfirmationData.NotOnOrAfter on the subject's first SubjectConfirmation
                // and validates it with DKSaml20SubjectConfirmationValidator.
                // NOTE(review): nothing in this body asserts the failure the name promises; presumably an
                // expected-exception attribute sits above the signature, outside this view — confirm.
                // Without one, a validator that accepted a confirmation with no expiry would let the test pass.

                // Arrange
                var confirmationValidator = new DKSaml20SubjectConfirmationValidator();

                var assertion    = AssertionUtil.GetBasicAssertion();
                var firstMatch   = Array.Find(assertion.Subject.Items, candidate => candidate is SubjectConfirmation);
                var confirmation = (SubjectConfirmation)firstMatch;

                confirmation.SubjectConfirmationData.NotOnOrAfter = null;

                // Act
                confirmationValidator.ValidateSubjectConfirmation(confirmation);
            }
            public void ValidatesTimeRestrictionNotOnOrAfterTomorrow()
            {
                // Sets NotOnOrAfter to one day ahead (UTC), leaves NotBefore unset, and validates the
                // assertion. Passes when ValidateAssertion does not throw.

                // Arrange
                var basicAssertion     = AssertionUtil.GetBasicAssertion();
                var assertionValidator = new Saml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                var conditions = basicAssertion.Conditions;
                conditions.NotBefore    = null;
                conditions.NotOnOrAfter = DateTime.UtcNow.AddDays(1);

                // Act
                assertionValidator.ValidateAssertion(basicAssertion);
            }
            public void ThrowsExceptionWhenAuthnStatementIsNotPresent()
            {
                // Strips every AuthnStatement from the basic assertion and validates the result with
                // DKSaml20AssertionValidator.
                // NOTE(review): nothing in this body asserts the failure the name promises; presumably an
                // expected-exception attribute sits above the signature, outside this view — confirm.
                // Without one, a validator that accepted an assertion with no AuthnStatement would let the test pass.

                // Arrange
                var assertionValidator = new DKSaml20AssertionValidator(AssertionUtil.GetAudiences(), false);

                var assertion = AssertionUtil.GetBasicAssertion();
                var remaining = new List <StatementAbstract>(assertion.Items)
                                .FindAll(candidate => !(candidate is AuthnStatement));

                assertion.Items = remaining.ToArray();

                // Act
                assertionValidator.ValidateAssertion(assertion);
            }
            public void CanValidateNameIdElementInQuirksMode()
            {
                // Replaces the Issuer with a NameId whose Format is "http://example.com" and validates
                // the assertion with a DKSaml20AssertionValidator built with `true` as second argument
                // (presumably the quirks-mode switch, going by the test name — confirm).
                // Passes when ValidateAssertion does not throw.
                // NOTE(review): what quirks mode relaxes is not visible here; worth checking that it is
                // limited to this NameId case and does not loosen other assertion checks.

                // Arrange
                var validatorInQuirksMode = new DKSaml20AssertionValidator(AssertionUtil.GetAudiences(), true);

                var assertion = AssertionUtil.GetBasicAssertion();

                var replacementIssuer = new NameId();
                replacementIssuer.Value  = "http://safewhere.net";
                replacementIssuer.Format = "http://example.com";
                assertion.Issuer = replacementIssuer;

                // Act
                validatorInQuirksMode.ValidateAssertion(assertion);
            }