net.shibboleth.idp.test.flows.saml2

Class SAML2TestResponseValidator

java.lang.Object

net.shibboleth.idp.test.flows.saml2.SAML2TestResponseValidator

public class SAML2TestResponseValidator
extends Object

Abstract SAML 2 flow test.

Field Summary

Fields

Modifier and Type	Field and Description
String	idpEntityID Expected IdP entity ID.
org.opensaml.saml.saml2.core.NameID	nameID Expected name identifier.
org.opensaml.security.credential.Credential	spCredential SP credential.
String	spEntityID Expected SP entity ID.
protected String	statusCode Expected status code.
protected String	statusCodeNested Expected nested status code when an error occurs.
protected String	statusMessage Expected status message when an error occurs.
String	subjectConfirmationMethod Expected subject confirmation method.
boolean	validateAuthnStatements Whether authn statements should be validated.
boolean	validateSubjectConfirmationData Whether subject confirmation data should be validated.

Constructor Summary

Constructors

Constructor and Description
SAML2TestResponseValidator() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
void	assertAssertion(org.opensaml.saml.saml2.core.Assertion assertion) Assert that : the assertion ID is not null nor empty the assertion issue instant is not null the assertion version is SAMLVersion.VERSION_20 the issuer is the expected IdP entity ID
void	assertAssertions(List<org.opensaml.saml.saml2.core.Assertion> assertions) Assert that a single assertion is present.
void	assertAttributeName(org.opensaml.saml.saml2.core.Attribute attribute, String name, String nameFormat, String friendlyName) Assert that the attribute name, name format, and friendly name are the supplied names.
void	assertAttributes(List<org.opensaml.saml.saml2.core.Attribute> attributes) Assert that two attributes are present.
void	assertAttributeStatement(org.opensaml.saml.saml2.core.AttributeStatement attributeStatement) Assert that the attribute statement has attributes.
void	assertAttributeStatements(List<org.opensaml.saml.saml2.core.AttributeStatement> attributeStatements) Assert that a single attribute statement is present.
void	assertAttributeValue(org.opensaml.saml.saml2.core.Attribute attribute, String attributeValue) Assert that the attribute value is the supplied String value.
void	assertAudienceRestriction(org.opensaml.saml.saml2.core.AudienceRestriction audienceRestriction) Assert that the audience restriction has a single audience whose URI is the expected SP entity ID.
void	assertAudienceRestrictions(List<org.opensaml.saml.saml2.core.AudienceRestriction> audienceRestrictions) Assert that a single audience restriction is present.
void	assertAuthnContextClassRef(org.opensaml.saml.saml2.core.AuthnContextClassRef authnContextClassRef) Assert that the authn context class ref is AuthnContext.IP_AUTHN_CTX.
void	assertAuthnStatement(org.opensaml.saml.saml2.core.AuthnStatement authnStatement) Assert that the authn statement has an authn instant and authn context class ref.
void	assertAuthnStatements(List<org.opensaml.saml.saml2.core.AuthnStatement> authnStatements) Assert that a single authn statement is present.
void	assertConditions(org.opensaml.saml.saml2.core.Conditions conditions) Assert that the conditions has NotBefore and NotOnOrAfter attributes.
void	assertNameID(org.opensaml.saml.saml2.core.NameID id) Assert that : the NameID is not null the NameID value is not null the NameID format is the expected format the NameID value is the expected value if the format is not transient the NameID name qualifier is the expected name qualifier the NameID SP name qualifier is the expected SP name qualifier
void	assertResponse(org.opensaml.saml.saml2.core.Response response) Assert that : the response ID is not null nor empty the response issue instant is not null the response version is SAMLVersion.VERSION_20 the response issuer is the expected IdP entity ID
void	assertStatus(org.opensaml.saml.saml2.core.Status status) Assert that : the status is not null the status code is not null the status code is the expected status code the status message is the expected status message if the status code is not success the nested status message is the expected nested status message if the status is not success
void	assertSubject(org.opensaml.saml.saml2.core.Subject subject) Assert that the subject has a nameID and subject confirmations.
void	assertSubjectConfirmation(org.opensaml.saml.saml2.core.SubjectConfirmation subjectConfirmation) Assert that the subject confirmation has a confirmation method.
void	assertSubjectConfirmationData(org.opensaml.saml.saml2.core.SubjectConfirmationData subjectConfirmationData) Assert that : the subject confirmation data address is "127.0.0.1" the subject confirmation data NotOnOrAfter is not null the subject confirmation data recipient is not null nor empty
void	assertSubjectConfirmationMethod(org.opensaml.saml.saml2.core.SubjectConfirmation method) Assert that the subject confirmation method is SubjectConfirmation.METHOD_BEARER.
void	assertSubjectConfirmations(List<org.opensaml.saml.saml2.core.SubjectConfirmation> subjectConfirmations) Assert that a single subject confirmation is present.
private org.opensaml.saml.saml2.core.Assertion	decryptAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion encrypted)
void	validateAttributeStatements(org.opensaml.saml.saml2.core.Assertion assertion) Validate the assertion attribute statements.
void	validateAuthnStatements(org.opensaml.saml.saml2.core.Assertion assertion) Validate the assertion authentication statements.
void	validateConditions(org.opensaml.saml.saml2.core.Assertion assertion) Validate the assertion conditions.
void	validateResponse(org.opensaml.saml.saml2.core.Response response) Validate the response.
void	validateSubject(org.opensaml.saml.saml2.core.Subject subject) Validate the subject.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

idpEntityID

@Nonnull
public String idpEntityID

Expected IdP entity ID.

spEntityID

@Nonnull
public String spEntityID

Expected SP entity ID.

spCredential

@Nullable
public org.opensaml.security.credential.Credential spCredential

SP credential.

nameID

@Nonnull
public org.opensaml.saml.saml2.core.NameID nameID

Expected name identifier.

statusCode

@Nonnull
protected String statusCode

Expected status code.

statusCodeNested

@Nonnull
protected String statusCodeNested

Expected nested status code when an error occurs.

statusMessage

@Nonnull
protected String statusMessage

Expected status message when an error occurs.

subjectConfirmationMethod

@Nonnull
public String subjectConfirmationMethod

Expected subject confirmation method.

validateAuthnStatements

@Nonnull
public boolean validateAuthnStatements

Whether authn statements should be validated.

validateSubjectConfirmationData

@Nonnull
public boolean validateSubjectConfirmationData

Whether subject confirmation data should be validated.

Constructor Detail

SAML2TestResponseValidator

public SAML2TestResponseValidator()

Constructor.

Method Detail

decryptAssertion

private org.opensaml.saml.saml2.core.Assertion decryptAssertion(org.opensaml.saml.saml2.core.EncryptedAssertion encrypted)
                                                         throws org.opensaml.xmlsec.encryption.support.DecryptionException

Throws:

org.opensaml.xmlsec.encryption.support.DecryptionException

validateResponse

public void validateResponse(@Nullable
                    org.opensaml.saml.saml2.core.Response response)

Validate the response.

Calls validate methods :

• validateSubject(Subject)
• validateConditions(Assertion)
• validateAuthnStatements(Assertion)
• validateAttributeStatements(Assertion)

Calls assert methods :

• assertResponse(Response)
• assertStatus(Status)
• assertAssertions(List)
• assertAssertion(Assertion)

Parameters:

response - the flow execution result

validateSubject

public void validateSubject(@Nullable
                   org.opensaml.saml.saml2.core.Subject subject)

Validate the subject.

Calls assert methods :

• assertSubject(Subject)
• assertNameID(NameID)
• assertSubjectConfirmations(List)
• assertSubjectConfirmation(SubjectConfirmation)
• assertSubjectConfirmationMethod(SubjectConfirmation)
• assertSubjectConfirmationData(SubjectConfirmationData)

Parameters:

subject - the subject

validateConditions

public void validateConditions(@Nullable
                      org.opensaml.saml.saml2.core.Assertion assertion)

Validate the assertion conditions.

Calls assert methods :

• assertConditions(Conditions)
• assertAudienceRestrictions(List)
• assertAudienceRestriction(AudienceRestriction)

Parameters:

assertion - the assertion

validateAuthnStatements

public void validateAuthnStatements(@Nullable
                           org.opensaml.saml.saml2.core.Assertion assertion)

Validate the assertion authentication statements.

Calls assert methods :

• assertAuthnStatements(List)
• assertAuthnStatement(AuthnStatement)
• assertAuthnContextClassRef(AuthnContextClassRef)

Parameters:

assertion - the assertion

validateAttributeStatements

public void validateAttributeStatements(@Nullable
                               org.opensaml.saml.saml2.core.Assertion assertion)

Validate the assertion attribute statements.

Calls assert methods :

• assertAttributeStatements(List)
• assertAttributeStatement(AttributeStatement)
• assertAttributes(List)

Parameters:

assertion - the assertion

assertResponse

public void assertResponse(@Nullable
                  org.opensaml.saml.saml2.core.Response response)

Assert that :

• the response ID is not null nor empty
• the response issue instant is not null
• the response version is SAMLVersion.VERSION_20
• the response issuer is the expected IdP entity ID

Parameters:

response - the response

assertStatus

public void assertStatus(@Nullable
                org.opensaml.saml.saml2.core.Status status)

Assert that :

• the status is not null
• the status code is not null
• the status code is the expected status code
• the status message is the expected status message if the status code is not success
• the nested status message is the expected nested status message if the status is not success

Parameters:

status - the status

assertAssertions

public void assertAssertions(@Nullable
                    List<org.opensaml.saml.saml2.core.Assertion> assertions)

Assert that a single assertion is present.

Parameters:

assertions - the assertions

assertAssertion

public void assertAssertion(@Nullable
                   org.opensaml.saml.saml2.core.Assertion assertion)

Assert that :

• the assertion ID is not null nor empty
• the assertion issue instant is not null
• the assertion version is SAMLVersion.VERSION_20
• the issuer is the expected IdP entity ID

Parameters:

assertion - the assertion

assertSubject

public void assertSubject(@Nullable
                 org.opensaml.saml.saml2.core.Subject subject)

Assert that the subject has a nameID and subject confirmations.

Parameters:

subject - the subject

assertSubjectConfirmations

public void assertSubjectConfirmations(@Nullable
                              List<org.opensaml.saml.saml2.core.SubjectConfirmation> subjectConfirmations)

Assert that a single subject confirmation is present.

Parameters:

subjectConfirmations - the subject confirmations

assertSubjectConfirmation

public void assertSubjectConfirmation(@Nullable
                             org.opensaml.saml.saml2.core.SubjectConfirmation subjectConfirmation)

Assert that the subject confirmation has a confirmation method.

Parameters:

subjectConfirmation - the subject confirmation

assertSubjectConfirmationMethod

public void assertSubjectConfirmationMethod(@Nullable
                                   org.opensaml.saml.saml2.core.SubjectConfirmation method)

Assert that the subject confirmation method is SubjectConfirmation.METHOD_BEARER.

Parameters:

subjectConfirmation - the subject confirmation

assertSubjectConfirmationData

public void assertSubjectConfirmationData(@Nullable
                                 org.opensaml.saml.saml2.core.SubjectConfirmationData subjectConfirmationData)

Assert that :

• the subject confirmation data address is "127.0.0.1"
• the subject confirmation data NotOnOrAfter is not null
• the subject confirmation data recipient is not null nor empty

Parameters:

subjectConfirmationData - the subject confirmation data

assertNameID

public void assertNameID(@Nullable
                org.opensaml.saml.saml2.core.NameID id)

Assert that :

• the NameID is not null
• the NameID value is not null
• the NameID format is the expected format
• the NameID value is the expected value if the format is not transient
• the NameID name qualifier is the expected name qualifier
• the NameID SP name qualifier is the expected SP name qualifier

Parameters:

nameID - the NameID

assertConditions

public void assertConditions(@Nullable
                    org.opensaml.saml.saml2.core.Conditions conditions)

Assert that the conditions has NotBefore and NotOnOrAfter attributes.

Parameters:

conditions - the conditions

assertAudienceRestrictions

public void assertAudienceRestrictions(@Nullable
                              List<org.opensaml.saml.saml2.core.AudienceRestriction> audienceRestrictions)

Assert that a single audience restriction is present.

Parameters:

audienceRestrictions - the audience restrictions

assertAudienceRestriction

public void assertAudienceRestriction(@Nullable
                             org.opensaml.saml.saml2.core.AudienceRestriction audienceRestriction)

Assert that the audience restriction has a single audience whose URI is the expected SP entity ID.

Parameters:

audienceRestriction - the audience restriction

assertAuthnStatements

public void assertAuthnStatements(@Nullable
                         List<org.opensaml.saml.saml2.core.AuthnStatement> authnStatements)

Assert that a single authn statement is present.

Parameters:

authnStatements - the authn statements

assertAuthnStatement

public void assertAuthnStatement(@Nonnull
                        org.opensaml.saml.saml2.core.AuthnStatement authnStatement)

Assert that the authn statement has an authn instant and authn context class ref.

Parameters:

authnStatement - the authn statement

assertAuthnContextClassRef

public void assertAuthnContextClassRef(@Nullable
                              org.opensaml.saml.saml2.core.AuthnContextClassRef authnContextClassRef)

Assert that the authn context class ref is AuthnContext.IP_AUTHN_CTX.

Parameters:

authnContextClassRef - the authn context class ref

assertAttributeStatements

public void assertAttributeStatements(@Nullable
                             List<org.opensaml.saml.saml2.core.AttributeStatement> attributeStatements)

Assert that a single attribute statement is present.

Parameters:

attributeStatements - the attribute statements

assertAttributeStatement

public void assertAttributeStatement(@Nullable
                            org.opensaml.saml.saml2.core.AttributeStatement attributeStatement)

Assert that the attribute statement has attributes.

Parameters:

attributeStatement - the attribute statement

assertAttributes

public void assertAttributes(@Nullable
                    List<org.opensaml.saml.saml2.core.Attribute> attributes)

Assert that two attributes are present.

The first attribute is

• name : urn:oid:1.3.6.1.4.1.5923.1.1.1.1
• name format : Attribute.URI_REFERENCE
• friendly name : eduPersonAffiliation
• value : member

The second attribute is

• name : urn:oid:0.9.2342.19200300.100.1.3
• name format : Attribute.URI_REFERENCE
• friendly name : mail
• value : jdoe@shibboleth.net

Calls assert methods :

• assertAttributeName(Attribute, String, String, String)
• assertAttributeValue(Attribute, String)

Parameters:

attributes - the attributes

assertAttributeName

public void assertAttributeName(@Nullable
                       org.opensaml.saml.saml2.core.Attribute attribute,
                       @Nonnull
                       String name,
                       @Nonnull
                       String nameFormat,
                       @Nonnull
                       String friendlyName)

Assert that the attribute name, name format, and friendly name are the supplied names.

Parameters:

attribute - the attribute

name - the attribute name

nameFormat - the attribute name format

friendlyName - the attribute friendly name

assertAttributeValue

public void assertAttributeValue(@Nullable
                        org.opensaml.saml.saml2.core.Attribute attribute,
                        @Nonnull
                        String attributeValue)

Assert that the attribute value is the supplied String value.

Parameters:

attribute - the attribute

attributeValue - the attribute value