public void AuthnStatement_Element()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
AuthnStatement authnStmt =
(AuthnStatement)Array.Find(saml20Assertion.Items, delegate(StatementAbstract stmnt) { return(stmnt is AuthnStatement); });
// Mess around with the AuthnStatement.
{
string oldSessionIndex = authnStmt.SessionIndex;
authnStmt.SessionIndex = null;
TestAssertion(saml20Assertion, "The DK-SAML 2.0 profile requires that the \"AuthnStatement\" element contains the \"SessionIndex\" attribute.");
authnStmt.SessionIndex = oldSessionIndex;
}
{
int index =
Array.FindIndex(authnStmt.AuthnContext.Items,
delegate(object o) { return(o is string && o.ToString() == "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"); });
object oldValue = authnStmt.AuthnContext.Items[index];
authnStmt.AuthnContext.Items[index] = "Hallelujagobble!!";
TestAssertion(saml20Assertion, "AuthnContextClassRef has a value which is not a wellformed absolute uri");
authnStmt.AuthnContext.Items[index] = oldValue;
}
// Remove it.
saml20Assertion = AssertionUtil.GetBasicAssertion();
List <StatementAbstract> statements = new List <StatementAbstract>(saml20Assertion.Items);
statements.RemoveAll(delegate(StatementAbstract stmnt) { return(stmnt is AuthnStatement); });
saml20Assertion.Items = statements.ToArray();
TestAssertion(saml20Assertion, "The DK-SAML 2.0 profile requires exactly one \"AuthnStatement\" element and one \"AttributeStatement\" element.");
}
public void AttributeStatement_Invalid_EncryptedAttribute_DKSaml20()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
List <StatementAbstract> statements = new List <StatementAbstract>(saml20Assertion.Items);
AttributeStatement sas = GetAttributeStatement(statements);
List <object> attributes = new List <object>(sas.Items);
EncryptedElement ee = new EncryptedElement();
ee.encryptedData = new EncryptedData();
ee.encryptedData.Type = Saml20Constants.XENC + "Element";
attributes.Add(ee);
sas.Items = attributes.ToArray();
saml20Assertion.Items = statements.ToArray();
XmlDocument doc = AssertionUtil.ConvertAssertion(saml20Assertion);
new Saml20Assertion(doc.DocumentElement, null, false);
}
public void Conditions_Element()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
Assert.IsNotNull(saml20Assertion.Conditions);
List <ConditionAbstract> conditions =
new List <ConditionAbstract>(saml20Assertion.Conditions.Items);
int index = conditions.FindIndex(delegate(ConditionAbstract cond) { return(cond is AudienceRestriction); });
Assert.That(index != -1);
conditions.RemoveAt(index);
// Add another condition to avoid an empty list of conditions.
conditions.Add(new OneTimeUse());
saml20Assertion.Conditions.Items = conditions;
TestAssertion(saml20Assertion, "The DK-SAML 2.0 profile requires that an \"AudienceRestriction\" element is present on the saml20Assertion.");
}
public void Subject_Element()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
Assert.IsNotNull(saml20Assertion.Subject);
Assert.That(saml20Assertion.Subject.Items.Length > 0);
SubjectConfirmation subjectConfirmation =
(SubjectConfirmation)Array.Find(saml20Assertion.Subject.Items, delegate(object item) { return(item is SubjectConfirmation); });
Assert.IsNotNull(subjectConfirmation);
string originalMethod = subjectConfirmation.Method;
subjectConfirmation.Method = "IllegalMethod";
TestAssertion(saml20Assertion, "SubjectConfirmation element has Method attribute which is not a wellformed absolute uri.");
// Try a valid url.
subjectConfirmation.Method = "http://example.com";
TestAssertion(saml20Assertion, "The DK-SAML 2.0 Profile requires that a bearer \"SubjectConfirmation\" element is present.");
// Restore valid settings... And verify that it is restored.
subjectConfirmation.Method = originalMethod;
TestAssertion(saml20Assertion, null);
// Now, start messing with the <SubjectConfirmationData> element.
subjectConfirmation.SubjectConfirmationData.NotOnOrAfter = null;
TestAssertion(saml20Assertion, "The DK-SAML 2.0 Profile requires that the \"SubjectConfirmationData\" element contains the \"NotOnOrAfter\" attribute.");
subjectConfirmation.SubjectConfirmationData.NotOnOrAfter = DateTime.UtcNow;
subjectConfirmation.SubjectConfirmationData.NotBefore = DateTime.UtcNow.Subtract(new TimeSpan(5, 0, 0, 0));
TestAssertion(saml20Assertion, "The DK-SAML 2.0 Profile disallows the use of the \"NotBefore\" attribute of the \"SubjectConfirmationData\" element.");
subjectConfirmation.SubjectConfirmationData.NotBefore = null;
string originalRecipient = subjectConfirmation.SubjectConfirmationData.Recipient;
subjectConfirmation.SubjectConfirmationData.Recipient = null;
TestAssertion(saml20Assertion, "The DK-SAML 2.0 Profile requires that the \"SubjectConfirmationData\" element contains the \"Recipient\" attribute.");
subjectConfirmation.SubjectConfirmationData.Recipient = originalRecipient;
saml20Assertion.Subject = null;
TestAssertion(saml20Assertion, "AuthnStatement, AuthzDecisionStatement and AttributeStatement require a subject.");
}
public void AttributeStatement_Invalid_Statementtype()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
AuthzDecisionStatement authzDecisionStatement = new AuthzDecisionStatement();
authzDecisionStatement.Decision = DecisionType.Permit;
authzDecisionStatement.Resource = "http://safewhere.net";
authzDecisionStatement.Action = new dk.nita.saml20.Schema.Core.Action[] { new dk.nita.saml20.Schema.Core.Action() };
authzDecisionStatement.Action[0].Namespace = "http://actionns.com";
authzDecisionStatement.Action[0].Value = "value";
List <StatementAbstract> statements = new List <StatementAbstract>(saml20Assertion.Items);
statements.Add(authzDecisionStatement);
saml20Assertion.Items = statements.ToArray();
new Saml20Assertion(AssertionUtil.ConvertAssertion(saml20Assertion).DocumentElement, null, false);
}
public void Issuer_Element_QuirksMode()
{
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
Assert.IsNotNull(saml20Assertion.Issuer);
saml20Assertion.Issuer = new NameID();
saml20Assertion.Issuer.Value = "http://safewhere.net";
saml20Assertion.Issuer.Format = "http://example.com";
DKSaml20AssertionValidator quirksModeValidator = new DKSaml20AssertionValidator(AssertionUtil.GetAudiences(), true);
try
{
quirksModeValidator.ValidateAssertion(saml20Assertion);
}
catch (Exception e)
{
Assert.That(false, "The above validation should not fail in quirksMode: " + e.ToString());
}
}
public void AttributeStatement_Element()
{
Predicate <StatementAbstract> findAttributeStatement =
delegate(StatementAbstract stmnt) { return(stmnt is AttributeStatement); };
Assertion saml20Assertion = AssertionUtil.GetBasicAssertion();
AttributeStatement attributeStatement =
(AttributeStatement)Array.Find(saml20Assertion.Items, findAttributeStatement);
// Add an encrypted attribute.
EncryptedElement encAtt = new EncryptedElement();
encAtt.encryptedData = new EncryptedData();
encAtt.encryptedData.CipherData = new CipherData();
encAtt.encryptedData.CipherData.Item = string.Empty;
encAtt.encryptedKey = new EncryptedKey[0];
attributeStatement.Items = new object[] { encAtt };
TestAssertion(saml20Assertion, "The DK-SAML 2.0 profile does not allow encrypted attributes.");
// Add an attribute with the wrong nameformat.
// Attribute att = DKSaml20EmailAttribute.create("*****@*****.**");
// att.NameFormat = "http://example.com";
// attributeStatement.Items = new object[] { att };
// testAssertion(saml20Assertion, "The DK-SAML 2.0 profile requires that an attribute's \"NameFormat\" element is urn:oasis:names:tc:SAML:2.0:attrname-format:uri.");
// Clear all the attributes.
attributeStatement.Items = new object[0];
TestAssertion(saml20Assertion, "AttributeStatement MUST contain at least one Attribute or EncryptedAttribute");
// Remove it.
saml20Assertion = AssertionUtil.GetBasicAssertion();
List <StatementAbstract> statements = new List <StatementAbstract>(saml20Assertion.Items);
statements.RemoveAll(findAttributeStatement);
saml20Assertion.Items = statements.ToArray();
TestAssertion(saml20Assertion, "The DK-SAML 2.0 profile requires exactly one \"AuthnStatement\" element and one \"AttributeStatement\" element.");
}
