public void AuthnStatement_Element()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
AuthnStatement authnStmt =
(AuthnStatement)Array.Find(saml20Assertion.Items, delegate(StatementAbstract stmnt) { return(stmnt is AuthnStatement); });
// Mess around with the AuthnStatement.
{
string oldSessionIndex = authnStmt.SessionIndex;
authnStmt.SessionIndex = null;
TestAssertion(saml20Assertion, "The DK-SAML 2.0 profile requires that the \"AuthnStatement\" element contains the \"SessionIndex\" attribute.");
authnStmt.SessionIndex = oldSessionIndex;
}
{
int index =
Array.FindIndex(authnStmt.AuthnContext.Items,
delegate(object o) { return(o is string && o.ToString() == "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"); });
object oldValue = authnStmt.AuthnContext.Items[index];
authnStmt.AuthnContext.Items[index] = "Hallelujagobble!!";
TestAssertion(saml20Assertion, "AuthnContextClassRef has a value which is not a wellformed absolute uri");
authnStmt.AuthnContext.Items[index] = oldValue;
}
// Remove it.
saml20Assertion = AssertionUtil.GetBasicAssertion();
List <StatementAbstract> statements = new List <StatementAbstract>(saml20Assertion.Items);
statements.RemoveAll(delegate(StatementAbstract stmnt) { return(stmnt is AuthnStatement); });
saml20Assertion.Items = statements.ToArray();
TestAssertion(saml20Assertion, "The DK-SAML 2.0 profile requires exactly one \"AuthnStatement\" element and one \"AttributeStatement\" element.");
}
/// <summary>
/// Returns the saml20Assertion as an XmlDocument as used by the Assertion class.
/// </summary>
/// <param name="assertion"></param>
/// <returns></returns>
public static XmlDocument ConvertAssertion(Assertion assertion)
{
if (assertion == null) throw new ArgumentNullException("assertion");
XmlDocument res = new XmlDocument();
res.PreserveWhitespace = true;
res.Load(new StringReader(Serialization.SerializeToXmlString(assertion)));
return res;
}
/// <summary>
/// Returns the saml20Assertion as an XmlDocument as used by the Assertion class.
/// </summary>
/// <param name="assertion"></param>
/// <returns></returns>
public static XmlDocument ConvertAssertion(Assertion assertion)
{
if (assertion == null)
{
throw new ArgumentNullException("assertion");
}
XmlDocument res = new XmlDocument();
res.PreserveWhitespace = true;
res.Load(new StringReader(Serialization.SerializeToXmlString(assertion)));
return(res);
}
private void TestAssertion(Assertion saml20Assertion, string exceptionMsg)
{
try
{
_validator.ValidateAssertion(saml20Assertion);
if (!string.IsNullOrEmpty(exceptionMsg))
{
Assert.Fail("A validation exception should have been thrown.");
}
}
catch (Saml20FormatException e)
{
Console.WriteLine('"' + e.Message.Replace("\"", "\\\"") + '"');
Assert.AreEqual(exceptionMsg, e.Message);
}
}
public void AttributeStatement_Invalid_EncryptedAttribute_DKSaml20()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
List <StatementAbstract> statements = new List <StatementAbstract>(saml20Assertion.Items);
AttributeStatement sas = GetAttributeStatement(statements);
List <object> attributes = new List <object>(sas.Items);
EncryptedElement ee = new EncryptedElement();
ee.encryptedData = new EncryptedData();
ee.encryptedData.Type = Saml20Constants.XENC + "Element";
attributes.Add(ee);
sas.Items = attributes.ToArray();
saml20Assertion.Items = statements.ToArray();
XmlDocument doc = AssertionUtil.ConvertAssertion(saml20Assertion);
new Saml20Assertion(doc.DocumentElement, null, false);
}
public void Conditions_Element()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
Assert.IsNotNull(saml20Assertion.Conditions);
List <ConditionAbstract> conditions =
new List <ConditionAbstract>(saml20Assertion.Conditions.Items);
int index = conditions.FindIndex(delegate(ConditionAbstract cond) { return(cond is AudienceRestriction); });
Assert.That(index != -1);
conditions.RemoveAt(index);
// Add another condition to avoid an empty list of conditions.
conditions.Add(new OneTimeUse());
saml20Assertion.Conditions.Items = conditions;
TestAssertion(saml20Assertion, "The DK-SAML 2.0 profile requires that an \"AudienceRestriction\" element is present on the saml20Assertion.");
}
public void Subject_Element()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
Assert.IsNotNull(saml20Assertion.Subject);
Assert.That(saml20Assertion.Subject.Items.Length > 0);
SubjectConfirmation subjectConfirmation =
(SubjectConfirmation)Array.Find(saml20Assertion.Subject.Items, delegate(object item) { return(item is SubjectConfirmation); });
Assert.IsNotNull(subjectConfirmation);
string originalMethod = subjectConfirmation.Method;
subjectConfirmation.Method = "IllegalMethod";
TestAssertion(saml20Assertion, "SubjectConfirmation element has Method attribute which is not a wellformed absolute uri.");
// Try a valid url.
subjectConfirmation.Method = "http://example.com";
TestAssertion(saml20Assertion, "The DK-SAML 2.0 Profile requires that a bearer \"SubjectConfirmation\" element is present.");
// Restore valid settings... And verify that it is restored.
subjectConfirmation.Method = originalMethod;
TestAssertion(saml20Assertion, null);
// Now, start messing with the <SubjectConfirmationData> element.
subjectConfirmation.SubjectConfirmationData.NotOnOrAfter = null;
TestAssertion(saml20Assertion, "The DK-SAML 2.0 Profile requires that the \"SubjectConfirmationData\" element contains the \"NotOnOrAfter\" attribute.");
subjectConfirmation.SubjectConfirmationData.NotOnOrAfter = DateTime.UtcNow;
subjectConfirmation.SubjectConfirmationData.NotBefore = DateTime.UtcNow.Subtract(new TimeSpan(5, 0, 0, 0));
TestAssertion(saml20Assertion, "The DK-SAML 2.0 Profile disallows the use of the \"NotBefore\" attribute of the \"SubjectConfirmationData\" element.");
subjectConfirmation.SubjectConfirmationData.NotBefore = null;
string originalRecipient = subjectConfirmation.SubjectConfirmationData.Recipient;
subjectConfirmation.SubjectConfirmationData.Recipient = null;
TestAssertion(saml20Assertion, "The DK-SAML 2.0 Profile requires that the \"SubjectConfirmationData\" element contains the \"Recipient\" attribute.");
subjectConfirmation.SubjectConfirmationData.Recipient = originalRecipient;
saml20Assertion.Subject = null;
TestAssertion(saml20Assertion, "AuthnStatement, AuthzDecisionStatement and AttributeStatement require a subject.");
}
public void AttributeStatement_Invalid_Statementtype()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
AuthzDecisionStatement authzDecisionStatement = new AuthzDecisionStatement();
authzDecisionStatement.Decision = DecisionType.Permit;
authzDecisionStatement.Resource = "http://safewhere.net";
authzDecisionStatement.Action = new dk.nita.saml20.Schema.Core.Action[] { new dk.nita.saml20.Schema.Core.Action() };
authzDecisionStatement.Action[0].Namespace = "http://actionns.com";
authzDecisionStatement.Action[0].Value = "value";
List <StatementAbstract> statements = new List <StatementAbstract>(saml20Assertion.Items);
statements.Add(authzDecisionStatement);
saml20Assertion.Items = statements.ToArray();
new Saml20Assertion(AssertionUtil.ConvertAssertion(saml20Assertion).DocumentElement, null, false);
}
public void Issuer_Element_QuirksMode()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
Assert.IsNotNull(saml20Assertion.Issuer);
saml20Assertion.Issuer = new NameID();
saml20Assertion.Issuer.Value = "http://safewhere.net";
saml20Assertion.Issuer.Format = "http://example.com";
DKSaml20AssertionValidator quirksModeValidator = new DKSaml20AssertionValidator(AssertionUtil.GetAudiences(), true);
try
{
quirksModeValidator.ValidateAssertion(saml20Assertion);
}
catch (Exception e)
{
Assert.That(false, "The above validation should not fail in quirksMode: " + e.ToString());
}
}
public void AttributeStatement_Element()
{
Predicate <StatementAbstract> findAttributeStatement =
delegate(StatementAbstract stmnt) { return(stmnt is AttributeStatement); };
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
AttributeStatement attributeStatement =
(AttributeStatement)Array.Find(saml20Assertion.Items, findAttributeStatement);
// Add an encrypted attribute.
EncryptedElement encAtt = new EncryptedElement();
encAtt.encryptedData = new EncryptedData();
encAtt.encryptedData.CipherData = new CipherData();
encAtt.encryptedData.CipherData.Item = string.Empty;
encAtt.encryptedKey = new EncryptedKey[0];
attributeStatement.Items = new object[] { encAtt };
TestAssertion(saml20Assertion, "The DK-SAML 2.0 profile does not allow encrypted attributes.");
// Add an attribute with the wrong nameformat.
// Attribute att = DKSaml20EmailAttribute.create("*****@*****.**");
// att.NameFormat = "http://example.com";
// attributeStatement.Items = new object[] { att };
// testAssertion(saml20Assertion, "The DK-SAML 2.0 profile requires that an attribute's \"NameFormat\" element is urn:oasis:names:tc:SAML:2.0:attrname-format:uri.");
// Clear all the attributes.
attributeStatement.Items = new object[0];
TestAssertion(saml20Assertion, "AttributeStatement MUST contain at least one Attribute or EncryptedAttribute");
// Remove it.
saml20Assertion = AssertionUtil.GetBasicAssertion();
List <StatementAbstract> statements = new List <StatementAbstract>(saml20Assertion.Items);
statements.RemoveAll(findAttributeStatement);
saml20Assertion.Items = statements.ToArray();
TestAssertion(saml20Assertion, "The DK-SAML 2.0 profile requires exactly one \"AuthnStatement\" element and one \"AttributeStatement\" element.");
}
/// <summary>
/// Assembles our basic test assertion
/// </summary>
/// <returns></returns>
public static Assertion GetBasicAssertion()
{
Assertion assertion = new Assertion();
{
assertion.Issuer = new NameID();
assertion.ID = "_b8977dc86cda41493fba68b32ae9291d";
assertion.IssueInstant = DateTime.UtcNow;
assertion.Version = "2.0";
assertion.Issuer.Value = GetBasicIssuer();
}
{
assertion.Subject = new Subject();
SubjectConfirmation subjectConfirmation = new SubjectConfirmation();
subjectConfirmation.Method = SubjectConfirmation.BEARER_METHOD;
subjectConfirmation.SubjectConfirmationData = new SubjectConfirmationData();
subjectConfirmation.SubjectConfirmationData.NotOnOrAfter = new DateTime(2008, 12, 31, 12, 0, 0, 0);
subjectConfirmation.SubjectConfirmationData.Recipient = "http://borger.dk";
assertion.Subject.Items = new object[] { subjectConfirmation };
}
{
assertion.Conditions = new Conditions();
assertion.Conditions.NotOnOrAfter = new DateTime(2008, 12, 31, 12, 0, 0, 0);
AudienceRestriction audienceRestriction = new AudienceRestriction();
audienceRestriction.Audience = GetAudiences();
assertion.Conditions.Items = new List<ConditionAbstract>(new ConditionAbstract[] { audienceRestriction });
}
AuthnStatement authnStatement;
{
authnStatement = new AuthnStatement();
assertion.Items = new StatementAbstract[] { authnStatement };
authnStatement.AuthnInstant = new DateTime(2008, 1, 8);
authnStatement.SessionIndex = "70225885";
authnStatement.AuthnContext = new AuthnContext();
authnStatement.AuthnContext.Items = new object[] { "urn:oasis:names:tc:SAML:2.0:ac:classes:X509", "http://www.safewhere.net/authncontext/declref" };
authnStatement.AuthnContext.ItemsElementName = new ItemsChoiceType5[] { ItemsChoiceType5.AuthnContextClassRef, ItemsChoiceType5.AuthnContextDeclRef};
}
AttributeStatement attributeStatement;
{
attributeStatement = new AttributeStatement();
SamlAttribute surName = new SamlAttribute();
surName.FriendlyName = "SurName";
surName.Name = "urn:oid:2.5.4.4";
surName.NameFormat = SamlAttribute.NAMEFORMAT_URI;
surName.AttributeValue = new string[] { "Fry" };
SamlAttribute commonName = new SamlAttribute();
commonName.FriendlyName = "CommonName";
commonName.Name = "urn:oid:2.5.4.3";
commonName.NameFormat = SamlAttribute.NAMEFORMAT_URI;
commonName.AttributeValue = new string[] { "Philip J. Fry" };
SamlAttribute userName = new SamlAttribute();
userName.Name = "urn:oid:0.9.2342.19200300.100.1.1";
userName.NameFormat = SamlAttribute.NAMEFORMAT_URI;
userName.AttributeValue = new string[] { "fry" };
SamlAttribute eMail = new SamlAttribute();
eMail.FriendlyName = "Email";
eMail.Name = "urn:oid:0.9.2342.19200300.100.1.3";
eMail.NameFormat = SamlAttribute.NAMEFORMAT_URI;
eMail.AttributeValue = new string[] { "*****@*****.**" };
attributeStatement.Items = new object[] { surName, commonName, userName, eMail };
}
assertion.Items = new StatementAbstract[] { authnStatement, attributeStatement };
return assertion;
}
private static void CreateSaml20Token(Assertion saml20Assertion)
{
XmlDocument doc = AssertionUtil.ConvertAssertion(saml20Assertion);
new Saml20Assertion(doc.DocumentElement, null, false);
}
private void TestAssertion(Assertion saml20Assertion, string exceptionMsg)
{
try
{
_validator.ValidateAssertion(saml20Assertion);
if (!string.IsNullOrEmpty(exceptionMsg))
Assert.Fail("A validation exception should have been thrown.");
}
catch (Saml20FormatException e)
{
Console.WriteLine('"' + e.Message.Replace("\"", "\\\"") + '"');
Assert.AreEqual(exceptionMsg, e.Message);
}
}
/// <summary>
/// Assembles our basic test assertion
/// </summary>
/// <returns></returns>
public static Assertion GetBasicAssertion()
{
Assertion assertion = new Assertion();
{
assertion.Issuer = new NameID();
assertion.ID = "_b8977dc86cda41493fba68b32ae9291d";
assertion.IssueInstant = DateTime.UtcNow;
assertion.Version = "2.0";
assertion.Issuer.Value = GetBasicIssuer();
}
{
assertion.Subject = new Subject();
SubjectConfirmation subjectConfirmation = new SubjectConfirmation();
subjectConfirmation.Method = SubjectConfirmation.BEARER_METHOD;
subjectConfirmation.SubjectConfirmationData = new SubjectConfirmationData();
subjectConfirmation.SubjectConfirmationData.NotOnOrAfter = DateTime.UtcNow.AddMinutes(1);
subjectConfirmation.SubjectConfirmationData.Recipient = "http://borger.dk";
assertion.Subject.Items = new object[] { subjectConfirmation };
}
{
assertion.Conditions = new Conditions();
assertion.Conditions.NotOnOrAfter = DateTime.UtcNow.AddMinutes(1);
AudienceRestriction audienceRestriction = new AudienceRestriction();
audienceRestriction.Audience = GetAudiences();
assertion.Conditions.Items = new List <ConditionAbstract>(new ConditionAbstract[] { audienceRestriction });
}
AuthnStatement authnStatement;
{
authnStatement = new AuthnStatement();
assertion.Items = new StatementAbstract[] { authnStatement };
authnStatement.AuthnInstant = new DateTime(2008, 1, 8);
authnStatement.SessionIndex = "70225885";
authnStatement.AuthnContext = new AuthnContext();
authnStatement.AuthnContext.Items = new object[] { "urn:oasis:names:tc:SAML:2.0:ac:classes:X509", "http://www.safewhere.net/authncontext/declref" };
authnStatement.AuthnContext.ItemsElementName = new ItemsChoiceType5[] { ItemsChoiceType5.AuthnContextClassRef, ItemsChoiceType5.AuthnContextDeclRef };
}
AttributeStatement attributeStatement;
{
attributeStatement = new AttributeStatement();
SamlAttribute surName = new SamlAttribute();
surName.FriendlyName = "SurName";
surName.Name = "urn:oid:2.5.4.4";
surName.NameFormat = SamlAttribute.NAMEFORMAT_URI;
surName.AttributeValue = new string[] { "Fry" };
SamlAttribute commonName = new SamlAttribute();
commonName.FriendlyName = "CommonName";
commonName.Name = "urn:oid:2.5.4.3";
commonName.NameFormat = SamlAttribute.NAMEFORMAT_URI;
commonName.AttributeValue = new string[] { "Philip J. Fry" };
SamlAttribute userName = new SamlAttribute();
userName.Name = "urn:oid:0.9.2342.19200300.100.1.1";
userName.NameFormat = SamlAttribute.NAMEFORMAT_URI;
userName.AttributeValue = new string[] { "fry" };
SamlAttribute eMail = new SamlAttribute();
eMail.FriendlyName = "Email";
eMail.Name = "urn:oid:0.9.2342.19200300.100.1.3";
eMail.NameFormat = SamlAttribute.NAMEFORMAT_URI;
eMail.AttributeValue = new string[] { "*****@*****.**" };
attributeStatement.Items = new object[] { surName, commonName, userName, eMail };
}
assertion.Items = new StatementAbstract[] { authnStatement, attributeStatement };
return(assertion);
}
