Response validation

- Validate version - Add comments with spec references on validations to do
Sustainsys · Feb 10, 2024 · 9ad4827 · 9ad4827
1 parent 4211c17
commit 9ad4827
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 1 deletion.
diff --git a/src/Sustainsys.Saml2/Validation/ISamlResponseValidator.cs b/src/Sustainsys.Saml2/Validation/ISamlResponseValidator.cs
@@ -18,6 +18,7 @@ public interface ISamlResponseValidator
     /// </summary>
     /// <param name="samlResponse"></param>
     /// <param name="parameters">Expected values and settings for validation</param>
+    /// <exception cref="SamlValidationException">On validation failure</exception>
     void Validate(SamlResponse samlResponse, SamlResponseValidationParameters parameters);
 }
 

diff --git a/src/Sustainsys.Saml2/Validation/SamlResponseValidator.cs b/src/Sustainsys.Saml2/Validation/SamlResponseValidator.cs
@@ -18,7 +18,12 @@ public void Validate(
         SamlResponse samlResponse,
         SamlResponseValidationParameters validationParameters)
     {
-        // TODO: Validate Version
+        // Core 2.5.1
+        ValidateConditions(samlResponse, validationParameters);
+        // Core 2.7.2 AuthnStatement
+        ValidateVersion(samlResponse);
+
+        // Profile 4.1.4.2, 4.1.4.3
         ValidateIssuer(samlResponse, validationParameters);
         ValidateStatusCode(samlResponse);
     }
@@ -27,6 +32,7 @@ public void Validate(
     /// Validate that the status code is <see cref="Constants.StatusCodes.Success"/>
     /// </summary>
     /// <param name="samlResponse">Saml Response</param>
+    /// <exception cref="SamlValidationException">On validation failure</exception>
     protected void ValidateStatusCode(SamlResponse samlResponse)
     {
         if (samlResponse.Status?.StatusCode?.Value != Constants.StatusCodes.Success)
@@ -40,6 +46,7 @@ protected void ValidateStatusCode(SamlResponse samlResponse)
     /// </summary>
     /// <param name="samlResponse">Saml response</param>
     /// <param name="validationParameters">Validation parameters</param>
+    /// <exception cref="SamlValidationException">On validation failure</exception>
     protected virtual void ValidateIssuer(
         SamlResponse samlResponse,
         SamlResponseValidationParameters validationParameters)
@@ -51,4 +58,34 @@ protected virtual void ValidateIssuer(
                 $"Response issuer {samlResponse.Issuer} does not match expected {validationParameters.ValidIssuer}");
         }
     }
+
+    /// <summary>
+    /// Validate the version
+    /// </summary>
+    /// <param name="samlResponse">Saml response</param>
+    /// <exception cref="SamlValidationException">On validation failure</exception>
+    protected virtual void ValidateVersion(SamlResponse samlResponse)
+    {
+        if (samlResponse.Version != "2.0")
+        {
+            throw new SamlValidationException($"Saml version \"{samlResponse.Version}\" is incorrect, it must be exactly \"2.0\"");
+        }
+    }
+
+    /// <summary>
+    /// 
+    /// </summary>
+    /// <param name="samlResponse">Saml response</param>
+    /// <param name="validationParameters">Validation parameters</param>
+    /// <exception cref="SamlValidationException">On validation failure</exception>
+    protected virtual void ValidateConditions(
+        SamlResponse samlResponse,
+        SamlResponseValidationParameters validationParameters)
+    {
+        // Core 2.5.1.2 NotBefore, NotOnOrAfter
+        // Core 2.5.1.4 AudienceRestriction, Audience
+        // Core 2.5.1.5 OneTimeUse
+        // Core 2.5.1.6 ProxyRestriction
+    }
+
 }
diff --git a/src/Tests/Sustainsys.Saml2.Tests/Validators/SamlResponseValidatorTests.cs b/src/Tests/Sustainsys.Saml2.Tests/Validators/SamlResponseValidatorTests.cs
@@ -65,6 +65,31 @@ public void Validate_Issuer_IsMissing()
         subject.Validate(response, parameters);
     }
 
+    [Theory]
+    [InlineData("2.0", true)]
+    [InlineData("2.1", false)]
+    [InlineData(null, false)]
+    public void Validate_Version(string version, bool valid)
+    {
+        var subject = new SamlResponseValidator();
+
+        var response = CreateSamlResponse();
+        response.Version = version;
+
+        var parameters = CreateValidationParameters();
+
+        if (valid)
+        {
+            subject.Validate(response, parameters);
+        }
+        else
+        {
+            subject.Invoking(s => s.Validate(response, parameters))
+                .Should().Throw<SamlValidationException>()
+                .WithMessage("*version*incorrect*");
+        }
+    }
+
     [Fact]
     public void Validate_Issuer_IsIncorrect()
     {