Assert that assertions containing an AuthnStatement also contain a subject

Author: tvdijen

src/XML/saml/Assertion.php

@@ -31,6 +31,7 @@
 use function array_merge;
 use function array_pop;
 use function array_values;
+use function count;
 use function strval;
 
 /**
@@ -84,9 +85,22 @@ public function __construct(
         Assert::true(
             $subject || !empty($statements),
             "Either a <saml:Subject> or some statement must be present in a <saml:Assertion>",
+            ProtocolViolationException::class,
         );
         Assert::maxCount($statements, C::UNBOUNDED_LIMIT);
         Assert::allIsInstanceOf($statements, AbstractStatementType::class);
+
+        $authnStatements = array_values(array_filter($statements, function ($statement) {
+            return $statement instanceof AuthnStatement;
+        }));
+
+        if (count($authnStatements) > 0) {
+            Assert::notNull(
+                $subject,
+                "Assertions containing an <AuthnStatement> element MUST contain a <Subject> element.",
+                ProtocolViolationException::class,
+            );
+        }
     }
 
 

tests/SAML2/Assertion/Validation/ConstraintValidator/NotBeforeTest.php

@@ -21,6 +21,8 @@
 use SimpleSAML\SAML2\XML\saml\AuthnStatement;
 use SimpleSAML\SAML2\XML\saml\Conditions;
 use SimpleSAML\SAML2\XML\saml\Issuer;
+use SimpleSAML\SAML2\XML\saml\NameID;
+use SimpleSAML\SAML2\XML\saml\Subject;
 use SimpleSAML\Test\SAML2\Constants as C;
 use SimpleSAML\XML\Type\IDValue;
 
@@ -36,6 +38,9 @@ final class NotBeforeTest extends TestCase
     /** @var \SimpleSAML\SAML2\XML\saml\Issuer */
     private static Issuer $issuer;
 
+    /** @var \SimpleSAML\SAML2\XML\saml\Subject */
+    private static Subject $subject;
+
     /** @var \SimpleSAML\SAML2\XML\saml\AuthnStatement */
     private static AuthnStatement $authnStatement;
 
@@ -62,6 +67,14 @@ public static function setUpBeforeClass(): void
             ),
             SAMLDateTimeValue::fromDateTime(self::$clock->now()),
         );
+
+        // Create Subject
+        self::$subject = new Subject(
+            new NameID(
+                value: SAMLStringValue::fromString("just_a_basic_identifier"),
+                Format: SAMLAnyURIValue::fromString(C::NAMEID_TRANSIENT),
+            ),
+        );
     }
 
 
@@ -80,6 +93,7 @@ public function testTimestampInTheFutureBeyondGraceperiodIsNotValid(): void
         // Create an assertion
         $assertion = new Assertion(
             id: IDValue::fromString('abc123'),
+            subject: self::$subject,
             issuer: self::$issuer,
             issueInstant: SAMLDateTimeValue::fromDateTime(self::$clock->now()),
             conditions: $conditions,
@@ -111,6 +125,7 @@ public function testTimeWithinGraceperiodIsValid(): void
         // Create an assertion
         $assertion = new Assertion(
             id: IDValue::fromString('abc123'),
+            subject: self::$subject,
             issuer: self::$issuer,
             issueInstant: SAMLDateTimeValue::fromDateTime(self::$clock->now()),
             conditions: $conditions,
@@ -139,6 +154,7 @@ public function testCurrentTimeIsValid(): void
         // Create an assertion
         $assertion = new Assertion(
             id: IDValue::fromString('abc123'),
+            subject: self::$subject,
             issuer: self::$issuer,
             issueInstant: SAMLDateTimeValue::fromDateTime(self::$clock->now()),
             conditions: $conditions,

tests/SAML2/Assertion/Validation/ConstraintValidator/NotOnOrAfterTest.php

@@ -21,6 +21,8 @@
 use SimpleSAML\SAML2\XML\saml\AuthnStatement;
 use SimpleSAML\SAML2\XML\saml\Conditions;
 use SimpleSAML\SAML2\XML\saml\Issuer;
+use SimpleSAML\SAML2\XML\saml\NameID;
+use SimpleSAML\SAML2\XML\saml\Subject;
 use SimpleSAML\Test\SAML2\Constants as C;
 use SimpleSAML\XML\Type\IDValue;
 
@@ -36,6 +38,9 @@ final class NotOnOrAfterTest extends TestCase
     /** @var \SimpleSAML\SAML2\XML\saml\Issuer */
     private static Issuer $issuer;
 
+    /** @var \SimpleSAML\SAML2\XML\saml\Subject */
+    private static Subject $subject;
+
     /** @var \SimpleSAML\SAML2\XML\saml\AuthnStatement */
     private static AuthnStatement $authnStatement;
 
@@ -51,6 +56,14 @@ public static function setUpBeforeClass(): void
             SAMLStringValue::fromString('urn:x-simplesamlphp:issuer'),
         );
 
+        // Create Subject
+        self::$subject = new Subject(
+            new NameID(
+                value: SAMLStringValue::fromString("just_a_basic_identifier"),
+                Format: SAMLAnyURIValue::fromString(C::NAMEID_TRANSIENT),
+            ),
+        );
+
         // Create the statements
         self::$authnStatement = new AuthnStatement(
             new AuthnContext(
@@ -81,6 +94,7 @@ public function testTimestampInThePastBeforeGraceperiodIsNotValid(): void
         // Create an assertion
         $assertion = new Assertion(
             id: IDValue::fromString('abc123'),
+            subject: self::$subject,
             issuer: self::$issuer,
             issueInstant: SAMLDateTimeValue::fromDateTime(self::$clock->now()),
             conditions: $conditions,
@@ -113,6 +127,7 @@ public function testTimeWithinGraceperiodIsValid(): void
         // Create an assertion
         $assertion = new Assertion(
             id: IDValue::fromString('abc123'),
+            subject: self::$subject,
             issuer: self::$issuer,
             issueInstant: SAMLDateTimeValue::fromDateTime(self::$clock->now()),
             conditions: $conditions,
@@ -142,6 +157,7 @@ public function testCurrentTimeIsValid(): void
         // Create an assertion
         $assertion = new Assertion(
             id: IDValue::fromString('abc123'),
+            subject: self::$subject,
             issuer: self::$issuer,
             issueInstant: SAMLDateTimeValue::fromDateTime(self::$clock->now()),
             conditions: $conditions,

tests/SAML2/Assertion/Validation/ConstraintValidator/SessionNotOnOrAfterTest.php

@@ -20,6 +20,8 @@
 use SimpleSAML\SAML2\XML\saml\AuthnContextClassRef;
 use SimpleSAML\SAML2\XML\saml\AuthnStatement;
 use SimpleSAML\SAML2\XML\saml\Issuer;
+use SimpleSAML\SAML2\XML\saml\NameID;
+use SimpleSAML\SAML2\XML\saml\Subject;
 use SimpleSAML\Test\SAML2\Constants as C;
 use SimpleSAML\XML\Type\IDValue;
 
@@ -35,6 +37,9 @@ final class SessionNotOnOrAfterTest extends TestCase
     /** @var \SimpleSAML\SAML2\XML\saml\Issuer */
     private static Issuer $issuer;
 
+    /** @var \SimpleSAML\SAML2\XML\saml\Subject */
+    private static Subject $subject;
+
 
     /**
      */
@@ -46,6 +51,14 @@ public static function setUpBeforeClass(): void
         self::$issuer = new Issuer(
             SAMLStringValue::fromString('urn:x-simplesamlphp:issuer'),
         );
+
+        // Create Subject
+        self::$subject = new Subject(
+            new NameID(
+                value: SAMLStringValue::fromString("just_a_basic_identifier"),
+                Format: SAMLAnyURIValue::fromString(C::NAMEID_TRANSIENT),
+            ),
+        );
     }
 
 
@@ -72,6 +85,7 @@ public function timestampInThePastBeforeGraceperiodIsNotValid(): void
         // Create an assertion
         $assertion = new Assertion(
             issuer: self::$issuer,
+            subject: self::$subject,
             issueInstant: SAMLDateTimeValue::fromDateTime(self::$clock->now()),
             id: IDValue::fromString('abc123'),
             statements: [$authnStatement],
@@ -110,6 +124,7 @@ public function timeWithinGraceperiodIsValid(): void
         // Create an assertion
         $assertion = new Assertion(
             id: IDValue::fromString('abc123'),
+            subject: $subject,
             issuer: self::$issuer,
             issueInstant: SAMLDateTimeValue::fromDateTime(self::$clock->now()),
             statements: [$authnStatement],
@@ -145,6 +160,7 @@ public function testCurrentTimeIsValid(): void
         // Create an assertion
         $assertion = new Assertion(
             id: IDValue::fromString('abc123'),
+            subject: self::$subject,
             issuer: self::$issuer,
             issueInstant: SAMLDateTimeValue::fromDateTime(self::$clock->now()),
             statements: [$authnStatement],

tests/SAML2/Assertion/Validation/ConstraintValidator/SpIsValidAudienceTest.php

@@ -25,6 +25,8 @@
 use SimpleSAML\SAML2\XML\saml\AuthnStatement;
 use SimpleSAML\SAML2\XML\saml\Conditions;
 use SimpleSAML\SAML2\XML\saml\Issuer;
+use SimpleSAML\SAML2\XML\saml\NameID;
+use SimpleSAML\SAML2\XML\saml\Subject;
 use SimpleSAML\Test\SAML2\Constants as C;
 use SimpleSAML\XML\Type\IDValue;
 
@@ -46,6 +48,9 @@ final class SpIsValidAudienceTest extends MockeryTestCase
     /** @var \SimpleSAML\SAML2\XML\saml\Issuer */
     private static Issuer $issuer;
 
+    /** @var \SimpleSAML\SAML2\XML\saml\Subject */
+    private static Subject $subject;
+
     /** @var \Mockery\MockInterface */
     private MockInterface $serviceProvider;
 
@@ -64,6 +69,14 @@ public static function setUpBeforeClass(): void
             SAMLStringValue::fromString(C::ENTITY_IDP),
         );
 
+        // Create Subject
+        self::$subject = new Subject(
+            new NameID(
+                value: SAMLStringValue::fromString("just_a_basic_identifier"),
+                Format: SAMLAnyURIValue::fromString(C::NAMEID_TRANSIENT),
+            ),
+        );
+
         // Create the conditions
         self::$conditions = new Conditions(
             null,
@@ -107,6 +120,7 @@ public function testWhenNoValidAudiencesAreGivenTheAssertionIsValid(): void
         // Create an assertion
         $assertion = new Assertion(
             id: IDValue::fromString('abc123'),
+            subject: self::$subject,
             issuer: self::$issuer,
             issueInstant: SAMLDateTimeValue::fromDateTime(self::$clock->now()),
             statements: [self::$authnStatement],
@@ -132,6 +146,7 @@ public function testIfTheSpEntityIdIsNotInTheValidAudiencesTheAssertionIsInvalid
         // Create an assertion
         $assertion = new Assertion(
             id: IDValue::fromString('abc123'),
+            subject: self::$subject,
             issuer: self::$issuer,
             issueInstant: SAMLDateTimeValue::fromDateTime(self::$clock->now()),
             conditions: self::$conditions,
@@ -159,6 +174,7 @@ public function testTheAssertionIsValidWhenTheCurrentSpEntityIdIsAValidAudience(
         // Create an assertion
         $assertion = new Assertion(
             id: IDValue::fromString('abc123'),
+            subject: self::$subject,
             issuer: self::$issuer,
             issueInstant: SAMLDateTimeValue::fromDateTime(self::$clock->now()),
             conditions: self::$conditions,