/**
 * A Response carrying a single minimally populated assertion (ID and Issuer)
 * and a success status must pass verify().
 */
public function test_response()
 {
     $assertion = new Assertion();
     $assertion
         ->setId(Helper::generateID())
         ->setIssuer(new Issuer('https://issuer.com'));

     $successStatus = new Status(new StatusCode(SamlConstants::STATUS_SUCCESS));
     $response = new Response();
     $response->addAssertion($assertion);
     $response->setStatus($successStatus);

     $this->verify($response);
 }
 /**
  * AssertionIssuerFormatValidatorAction is configured to expect the e-mail
  * NameID format, but the assertion's Issuer carries no Format at all; the
  * action must then complete without complaint (no exception expected).
  */
 public function test_does_nothing_if_issuer_has_no_format()
 {
     $loggerMock = TestHelper::getLoggerMock($this);
     $expectedIssuerFormat = SamlConstants::NAME_ID_FORMAT_EMAIL;
     $action = new AssertionIssuerFormatValidatorAction($loggerMock, $expectedIssuerFormat);

     $assertion = new Assertion();
     $assertion->setIssuer(new Issuer('http://issuer.com'));
     $context = TestHelper::getAssertionContext($assertion);

     $action->execute($context);
 }
 /**
  * Deserializes an Assertion from an already-parsed DOM element.
  *
  * The deserialization context is pointed at the element's owner document
  * before deserialize() runs — presumably so that lookups resolve against
  * that document; confirm against DeserializationContext.
  *
  * @param \DOMElement            $dom                    element to deserialize (expected to be a saml:Assertion element)
  * @param DeserializationContext $deserializationContext context whose document is set to $dom's owner document
  *
  * @return Assertion
  */
 protected function getAssertionFromDom(\DOMElement $dom, DeserializationContext $deserializationContext)
 {
     $result = new Assertion();
     $deserializationContext->setDocument($dom->ownerDocument);
     $result->deserialize($dom, $deserializationContext);

     return $result;
 }
 /**
  * When the entity descriptor store reports that it knows the issuer entity
  * ID, KnownAssertionIssuerAction logs that fact once at debug level.
  */
 public function test_logs_known_issuer()
 {
     $loggerMock = TestHelper::getLoggerMock($this);
     $entityDescriptorStoreMock = TestHelper::getEntityDescriptorStoreMock($this);
     $action = new KnownAssertionIssuerAction($loggerMock, $entityDescriptorStoreMock);

     $issuer = 'http://issuer.com';
     $assertion = new Assertion();
     $assertion->setIssuer(new Issuer($issuer));
     $context = TestHelper::getAssertionContext($assertion);

     // The store lookup is keyed by the issuer entity ID and must happen exactly once.
     $entityDescriptorStoreMock->expects($this->once())
         ->method('has')
         ->with($issuer)
         ->willReturn(true);
     $loggerMock->expects($this->once())
         ->method('debug')
         ->with('Known assertion issuer: "http://issuer.com"');

     $action->execute($context);
 }
 /**
  * HasAuthnStatementValidatorAction accepts an inbound Response whose
  * assertion carries at least one AuthnStatement (no exception expected).
  */
 public function test_does_nothing_if_there_is_at_least_one_authn_statement()
 {
     $action = new HasAuthnStatementValidatorAction(TestHelper::getLoggerMock($this));

     $assertion = new Assertion();
     $assertion->addItem(new AuthnStatement());
     $response = new Response();
     $response->addAssertion($assertion);

     $context = new ProfileContext(Profiles::SSO_IDP_RECEIVE_AUTHN_REQUEST, ProfileContext::ROLE_IDP);
     $context->getInboundContext()->setMessage($response);

     $action->execute($context);
 }
 /**
  * Every time window on the assertion (SubjectConfirmationData, AuthnStatement
  * session, Conditions) encloses the reference time 1000 — NotBefore 900,
  * NotOnOrAfter 2000 — so validateTimeRestrictions() must return without throwing.
  */
 public function test_pass()
 {
     $referenceTime = 1000;
     $allowedSkew = 10;
     $expiry = 2000;

     $confirmationData = (new SubjectConfirmationData())->setNotOnOrAfter($expiry);
     $confirmation = (new SubjectConfirmation())->setSubjectConfirmationData($confirmationData);
     $subject = (new Subject())->addSubjectConfirmation($confirmation);

     $assertion = new Assertion();
     $assertion->setSubject($subject);
     $assertion->addItem((new AuthnStatement())->setSessionNotOnOrAfter($expiry));
     $assertion->setConditions((new Conditions())->setNotOnOrAfter($expiry)->setNotBefore(900));

     $validator = new AssertionTimeValidator();
     $validator->validateTimeRestrictions($assertion, $referenceTime, $allowedSkew);
 }
 /**
  * Builds a fully populated success Response — one bearer assertion with
  * subject, conditions (audience restriction), an attribute statement and an
  * authn statement — signs assertion and response, and runs the result
  * through validateProtocol() (the method name suggests XSD validation).
  */
 public function test_success_response_with_xsd()
 {
     $idpEntityId = 'https://idp.com';
     $acsUrl = 'https://sp.com/acs';
     $email = '*****@*****.**';

     $response = new Response();
     $response
         ->setStatus(new Status(new StatusCode(SamlConstants::STATUS_SUCCESS)))
         ->setInResponseTo(Helper::generateID())
         ->setID(Helper::generateID())
         ->setIssueInstant(new \DateTime())
         ->setIssuer(new Issuer($idpEntityId));

     $confirmationData = (new SubjectConfirmationData())
         ->setInResponseTo(Helper::generateID())
         ->setNotOnOrAfter(new \DateTime('+1 hour'))
         ->setRecipient($acsUrl);
     $subjectConfirmation = (new SubjectConfirmation())
         ->setMethod(SamlConstants::CONFIRMATION_METHOD_BEARER)
         ->setSubjectConfirmationData($confirmationData);
     $subject = (new Subject())
         ->setNameID(new NameID($email, SamlConstants::NAME_ID_FORMAT_EMAIL))
         ->addSubjectConfirmation($subjectConfirmation);

     $conditions = (new Conditions())
         ->setNotBefore(new \DateTime())
         ->setNotOnOrAfter(new \DateTime('+1 hour'))
         ->addItem(new AudienceRestriction([$acsUrl]));

     $attributeStatement = (new AttributeStatement())
         ->addAttribute(new Attribute(ClaimTypes::EMAIL_ADDRESS, $email));

     $authnContext = (new AuthnContext())
         ->setAuthnContextClassRef(SamlConstants::AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT);
     $authnStatement = (new AuthnStatement())
         ->setAuthnInstant(new \DateTime('-1 hour'))
         ->setSessionIndex(Helper::generateID())
         ->setAuthnContext($authnContext);

     $assertion = new Assertion();
     $response->addAssertion($assertion);
     $assertion
         ->setId(Helper::generateID())
         ->setIssueInstant(new \DateTime())
         ->setIssuer(new Issuer($idpEntityId))
         ->setSubject($subject)
         ->setConditions($conditions)
         ->addItem($attributeStatement)
         ->addItem($authnStatement);

     // Sign the inner assertion first, then the enclosing response.
     $this->sign($assertion);
     $this->sign($response);

     $this->validateProtocol($response);
 }
 /**
  * HasBearerAssertionsValidatorAction accepts an inbound Response that
  * contains an assertion with a SubjectConfirmation of method "bearer"
  * (no exception expected).
  */
 public function test_does_nothing_if_there_is_bearer_assertion()
 {
     $action = new HasBearerAssertionsValidatorAction(TestHelper::getLoggerMock($this));

     $bearerConfirmation = new SubjectConfirmation();
     $bearerConfirmation->setMethod(SamlConstants::CONFIRMATION_METHOD_BEARER);
     $subject = new Subject();
     $subject->addSubjectConfirmation($bearerConfirmation);

     $assertion = new Assertion();
     $assertion->addItem(new AuthnStatement());
     $assertion->setSubject($subject);

     $response = new Response();
     $response->addAssertion($assertion);

     $context = new ProfileContext(Profiles::SSO_IDP_RECEIVE_AUTHN_REQUEST, ProfileContext::ROLE_IDP);
     $context->getInboundContext()->setMessage($response);

     $action->execute($context);
 }
 /**
  * When the request-state store knows the InResponseTo ID carried by the
  * SubjectConfirmationData, InResponseToValidatorAction attaches a
  * RequestStateContext holding that state to the assertion context.
  */
 public function test_adds_known_in_response_to_request_state_to_context()
 {
     $requestStateMock = TestHelper::getRequestStateStoreMock($this);
     $action = new InResponseToValidatorAction(TestHelper::getLoggerMock($this), $requestStateMock);

     $inResponseTo = '123123123';
     $confirmationData = new SubjectConfirmationData();
     $confirmationData->setInResponseTo($inResponseTo);
     $subjectConfirmation = new SubjectConfirmation();
     $subjectConfirmation->setSubjectConfirmationData($confirmationData);
     $subject = new Subject();
     $subject->addSubjectConfirmation($subjectConfirmation);

     $assertion = new Assertion();
     $assertion->setSubject($subject);
     $context = TestHelper::getAssertionContext($assertion);

     // The store must be consulted exactly once, with the ID from the assertion.
     $requestStateMock->expects($this->once())
         ->method('get')
         ->with($inResponseTo)
         ->willReturn(new RequestState($inResponseTo));

     $action->execute($context);

     /** @var RequestStateContext $requestStateContext */
     $requestStateContext = $context->getSubContext(ProfileContexts::REQUEST_STATE);
     $this->assertInstanceOf(RequestStateContext::class, $requestStateContext);
     $this->assertEquals($inResponseTo, $requestStateContext->getRequestState()->getId());
 }
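 /**
  * Validates the time window of every SubjectConfirmationData on the assertion's Subject.
  *
  * For each SubjectConfirmation that carries SubjectConfirmationData, NotBefore must
  * not lie in the future and NotOnOrAfter must not lie in the past, judged against
  * $now with $allowedSecondsSkew of tolerance; the comparison itself is delegated to
  * Helper::validateNotBefore() / Helper::validateNotOnOrAfter(). An assertion without
  * a Subject, and a SubjectConfirmation without SubjectConfirmationData, are skipped
  * here without error.
  *
  * @param Assertion $assertion
  * @param int       $now                reference time (the *Timestamp getters are compared against it)
  * @param int       $allowedSecondsSkew tolerance for clock drift between the parties
  *
  * @throws LightSamlValidationException when NotBefore is in the future or NotOnOrAfter is in the past
  */
 protected function validateSubject(Assertion $assertion, $now, $allowedSecondsSkew)
 {
     $subject = $assertion->getSubject();
     if (!$subject) {
         return;
     }
     foreach ($subject->getAllSubjectConfirmations() as $subjectConfirmation) {
         $confirmationData = $subjectConfirmation->getSubjectConfirmationData();
         if (!$confirmationData) {
             // NOTE(review): a confirmation without data gets no time check here —
             // presumably a separate validator requires the data for bearer confirmations; confirm.
             continue;
         }
         if (!Helper::validateNotBefore($confirmationData->getNotBeforeTimestamp(), $now, $allowedSecondsSkew)) {
             throw new LightSamlValidationException('SubjectConfirmationData.NotBefore must not be in the future');
         }
         if (!Helper::validateNotOnOrAfter($confirmationData->getNotOnOrAfterTimestamp(), $now, $allowedSecondsSkew)) {
             throw new LightSamlValidationException('SubjectConfirmationData.NotOnOrAfter must not be in the past');
         }
     }
 }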
 /**
  * RecipientValidatorAction accepts a bearer SubjectConfirmation whose
  * Recipient matches one of the own entity's AssertionConsumerService
  * endpoints. The endpoint resolver is stubbed to return exactly one such
  * endpoint; how the action compares it with the recipient is not visible here.
  */
 public function test_does_nothing_if_recipient_matches_own_acs_service_location()
 {
     $loggerMock = TestHelper::getLoggerMock($this);
     $endpointResolver = TestHelper::getEndpointResolverMock($this);
     $action = new RecipientValidatorAction($loggerMock, $endpointResolver);

     $recipient = 'http://recipient.com';
     $confirmationData = (new SubjectConfirmationData())->setRecipient($recipient);
     $subjectConfirmation = (new SubjectConfirmation())->setMethod(SamlConstants::CONFIRMATION_METHOD_BEARER);

     $assertion = new Assertion();
     $assertion->addItem(new AuthnStatement());
     $assertion->setSubject(new Subject());
     $assertion->getSubject()->addSubjectConfirmation($subjectConfirmation);
     $subjectConfirmation->setSubjectConfirmationData($confirmationData);
     $assertionContext = TestHelper::getAssertionContext($assertion);

     $profileContext = TestHelper::getProfileContext();
     $profileContext->getOwnEntityContext()->setEntityDescriptor(new EntityDescriptor());
     $assertionContext->setParent($profileContext);

     $endpointResolver->expects($this->once())
         ->method('resolve')
         ->willReturnCallback(function () {
             return [TestHelper::getEndpointReferenceMock($this, new AssertionConsumerService())];
         });

     $action->execute($assertionContext);
 }
 /**
  * getAllAttributeStatements() returns only the AttributeStatement items, in
  * insertion order, and leaves the interleaved AuthnStatements out.
  */
 public function test_get_all_attribute_statements()
 {
     $first = new AttributeStatement();
     $second = new AttributeStatement();

     $assertion = new Assertion();
     // AuthnStatements are interleaved so that filtering, not just ordering, is exercised.
     $assertion->addItem(new AuthnStatement());
     $assertion->addItem($first);
     $assertion->addItem(new AuthnStatement());
     $assertion->addItem($second);

     $statements = $assertion->getAllAttributeStatements();

     $this->assertCount(2, $statements);
     $this->assertSame($first, $statements[0]);
     $this->assertSame($second, $statements[1]);
 }
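 /**
  * Resolves the username for an assertion by walking the configured attribute
  * names ($this->attributes) in order; the first non-empty hit wins, so the
  * configured order is the precedence order.
  *
  * The special name self::NAME_ID selects the Subject's NameID value. Any other
  * name is looked up as the first value of the first attribute with that name,
  * across all AttributeStatements. Values are tested for truthiness, so an
  * empty string or "0" counts as absent.
  *
  * @param Assertion $assertion
  *
  * @return null|string the resolved username, or null when no configured source yields a value
  */
 private function getUsernameFromAssertion(Assertion $assertion)
 {
     foreach ($this->attributes as $attributeName) {
         // Strict comparison; assumes self::NAME_ID and the configured names are both strings — TODO confirm.
         if (self::NAME_ID === $attributeName) {
             $subject = $assertion->getSubject();
             $nameId = $subject ? $subject->getNameID() : null;
             $nameIdValue = $nameId ? $nameId->getValue() : null;
             if ($nameIdValue) {
                 return $nameIdValue;
             }
             continue;
         }

         foreach ($assertion->getAllAttributeStatements() as $attributeStatement) {
             $attribute = $attributeStatement->getFirstAttributeByName($attributeName);
             if ($attribute && $attribute->getFirstAttributeValue()) {
                 return $attribute->getFirstAttributeValue();
             }
         }
     }

     return null;
 }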
 /**
  * Runs the configured statement validator over every statement item of the
  * assertion. An assertion with no items at all is accepted as-is.
  *
  * @param Assertion $assertion
  */
 protected function validateStatements(Assertion $assertion)
 {
     $statements = $assertion->getAllItems();
     if (!$statements) {
         return;
     }
     foreach ($statements as $statement) {
         $this->statementValidator->validateStatement($statement);
     }
 }
 /**
  * Attaches a SignatureWriter to the given object, using the test X.509
  * certificate and the private key from the sample resources.
  *
  * @param SamlMessage|EntityDescriptor|EntitiesDescriptor|Assertion $object element that receives the signature
  */
 protected function sign($object)
 {
     $privateKeyFile = __DIR__ . '/../../../../../resources/sample/Certificate/saml.pem';
     // Second argument '' is the passphrase, third true — presumably "argument is a file path"; confirm against KeyHelper.
     $privateKey = KeyHelper::createPrivateKey($privateKeyFile, '', true);

     $object->setSignature(new SignatureWriter($this->getX509Certificate(), $privateKey));
 }
 /**
  * Narrows the SSO state down to the sessions that match this assertion.
  *
  * Delegates to SsoState::filter() with the party and own entity IDs, the
  * Subject's NameID value and format, and the session index of the first
  * AuthnStatement. Subject, NameID and AuthnStatement are dereferenced without
  * null checks, so a missing one raises an Error here — presumably the caller
  * has validated the assertion beforehand; confirm.
  *
  * @param SsoState  $ssoState
  * @param Assertion $assertion
  * @param string    $ownEntityId
  * @param string    $partyEntityId
  *
  * @return \LightSaml\State\Sso\SsoSessionState[]
  */
 protected function filterSessions(SsoState $ssoState, Assertion $assertion, $ownEntityId, $partyEntityId)
 {
     $nameId = $assertion->getSubject()->getNameID();
     $sessionIndex = $assertion->getFirstAuthnStatement()->getSessionIndex();

     return $ssoState->filter(
         $partyEntityId,
         $ownEntityId,
         $nameId->getValue(),
         $nameId->getFormat(),
         $sessionIndex
     );
 }
 /**
  * Replay-protection path of RepeatedIdValidatorAction: when the ID store does
  * not yet know the (issuer, assertion ID) pair, the action records it together
  * with a \DateTime (presumably the NotOnOrAfter set on the confirmation data,
  * so the entry can expire — confirm against the action).
  */
 public function test_sets_unknown_assertion_id_to_store()
 {
     $loggerMock = TestHelper::getLoggerMock($this);
     $idStoreMock = TestHelper::getIdStoreMock($this);
     $action = new RepeatedIdValidatorAction($loggerMock, $idStoreMock);

     $assertionId = '123';
     $issuer = 'http://issuer.com';

     $confirmationData = new SubjectConfirmationData();
     $confirmationData->setNotOnOrAfter(new \DateTime());
     $subjectConfirmation = new SubjectConfirmation();
     $subjectConfirmation->setMethod(SamlConstants::CONFIRMATION_METHOD_BEARER);
     $subjectConfirmation->setSubjectConfirmationData($confirmationData);
     $subject = new Subject();
     $subject->addSubjectConfirmation($subjectConfirmation);

     $assertion = new Assertion();
     $assertion->setId($assertionId);
     $assertion->setIssuer(new Issuer($issuer));
     $assertion->addItem(new AuthnStatement());
     $assertion->setSubject($subject);
     $assertionContext = TestHelper::getAssertionContext($assertion);

     $idStoreMock->expects($this->once())
         ->method('has')
         ->with($issuer, $assertionId)
         ->willReturn(false);
     $idStoreMock->expects($this->once())
         ->method('set')
         ->with($issuer, $assertionId, $this->isInstanceOf(\DateTime::class));

     $action->execute($assertionContext);
 }
 /**
  * AssertionValidator::validateAssertion() hands each statement item — here a
  * single AuthnStatement — to the statement validator exactly once.
  */
 public function test_statement_validator_is_called_for_authn_statement()
 {
     $statementValidatorMock = $this->getStatementValidatorMock();
     $validator = new AssertionValidator(
         $this->getNameIdValidatorMock(),
         $this->getSubjectValidatorMock(),
         $statementValidatorMock
     );

     $authnStatement = new AuthnStatement();
     $statementValidatorMock->expects($this->once())
         ->method('validateStatement')
         ->with($authnStatement);

     $assertion = new Assertion();
     $assertion->setId('1234567890123456');
     $assertion->setIssueInstant(1000);
     $assertion->setIssuer(new Issuer('issuer'));
     $assertion->setSubject(new Subject());
     $assertion->addItem($authnStatement);

     $validator->validateAssertion($assertion);
 }