java source code of SubjectValidatorTest

verify-service-provider-master
- example-saml
  - example-saml-match-assertion.xml
  - example-saml-response.xml
- src
  - acceptance-test
    - java
      - uk
        gov
        ida
        verifyserviceprovider
        VersionNumberAcceptanceTest.java
        SuccessMatchAcceptanceTest.java
        services
        GenerateRequestService.java
        ComplianceToolService.java
        ComplianceToolModeAcceptanceTest.java
        builders
        ComplianceToolV1InitialisationRequestBuilder.java
        AssertionHelper.java
        VerifyServiceProviderAppRuleBuilder.java
        ComplianceToolV2InitialisationRequestBuilder.java
        UserAccountCreationResponseAcceptanceTest.java
        NoMatchAcceptanceTest.java
        AuthnFailedResponseAcceptanceTest.java
        NonMatchingEidasAcceptanceTest.java
        TranslateResponseMultiTenantedSetupAcceptanceTest.java
        Utils
        MdsValueChecker.java
        rules
        VerifyServiceProviderAppRule.java
        NonMatchingVerifyServiceProviderAppRule.java
        NoAuthnContextResponseAcceptanceTest.java
        ErrorResponseAcceptanceTest.java
        InvalidSamlAcceptanceTest.java
        NonMatchingAcceptanceTest.java
        SecondaryEncryptionKeyAcceptanceTest.java
        AuthnRequestAcceptanceTest.java
  - main
    - resources
      - default-test-identity-dataset.json
      - test-idp-truststore.ts
      - test-metadata-truststore.ts
      - prod-hub-truststore.ts
      - ida_metadata_truststore.ts
      - prod-metadata-truststore.ts
      - prod-idp-truststore.ts
      - test-hub-truststore.ts
      - banner.txt
    - java
      - uk
        gov
        ida
        verifyserviceprovider
        compliance
        dto
        MatchingAddress.java
        MatchingDataset.java
        MatchingAttribute.java
        ComplianceToolModeConfiguration.java
        RefreshDatasetResource.java
        KeysAndCert.java
        ComplianceToolClient.java
        ComplianceToolModeConfigurationFactory.java
        ComplianceToolMode.java
        IdentityDatasetArgumentResolver.java
        configuration
        ConfigurationConstants.java
        MsaMetadataConfiguration.java
        HubEnvironment.java
        PrivateKeyDeserializer.java
        HubMetadataConfiguration.java
        VerifyHubConfiguration.java
        VerifyServiceProviderConfiguration.java
        EuropeanIdentityConfiguration.java
        dto
        VerifiableAttribute.java
        Attributes.java
        RequestResponseBody.java
        Address.java
        MatchingScenario.java
        Scenario.java
        RequestGenerationBody.java
        TranslatedNonMatchingResponseBody.java
        LevelOfAssurance.java
        NonMatchingScenario.java
        TranslateSamlResponseBody.java
        TranslatedMatchingResponseBody.java
        TranslatedResponseBody.java
        TestTranslatedNonMatchingResponseBody.java
        utils
        ApplicationUrlsGenerator.java
        ConfigurationFileFinder.java
        DateTimeComparator.java
        StringTableFormatter.java
        DefaultObjectMapper.java
        HealthCheckTableFormatter.java
        UsefulApplicationUrlsTableFormatter.java
        services
        EidasUnsignedAssertionTranslator.java
        VerifyAssertionTranslator.java
        AssertionClassifier.java
        BaseEidasAssertionTranslator.java
        IdentityResponderCodeTranslator.java
        ClassifyingAssertionTranslator.java
        AssertionTranslator.java
        ResponseService.java
        IdentityAssertionTranslator.java
        MatchingResponderCodeTranslator.java
        EntityIdService.java
        EidasAssertionTranslator.java
        UnsignedAssertionsResponseHandler.java
        ResponderCodeTranslator.java
        MatchingAssertionTranslator.java
        AttributeTranslator.java
        resources
        GenerateAuthnRequestResource.java
        VersionNumberResource.java
        TranslateSamlResponseResource.java
        validators
        EidasAssertionTranslatorValidatorContainer.java
        InstantValidator.java
        ConditionsValidator.java
        SubjectValidator.java
        AssertionValidator.java
        LevelOfAssuranceValidator.java
        TimeRestrictionValidator.java
        ResponseSizeValidator.java
        EidasEncryptionAlgorithmValidatorHelper.java
        listeners
        VerifyServiceProviderServerListener.java
        VerifyServiceProviderApplication.java
        exceptions
        JsonProcessingExceptionMapper.java
        NoHashingEntityIdIsProvidedError.java
        JerseyViolationExceptionMapper.java
        AuthnContextMissingException.java
        FailedToRequestVerifiedException.java
        InvalidEntityIdExceptionMapper.java
        MissingUnsignedAssertionsHandlerException.java
        RequestedOnlyVerifiedException.java
        InvalidEntityIdException.java
        factories
        saml
        ResponseFactory.java
        AuthnRequestFactory.java
        SignatureValidatorFactory.java
        VerifyServiceProviderFactory.java
        EncrypterFactory.java
        logging
        AuthnRequestAttributesHelper.java
        healthcheck
        MetadataHealthCheck.java
  - test
    - resources
      - logback-test.xml
      - verify-service-provider-with-msa-and-eidas.yml
      - verify-service-provider-with-msa.yml
    - java
      - common
        uk
        gov
        ida
        verifyserviceprovider
        utils
        SamlResponseHelper.java
        EnvironmentHelper.java
        servers
        MockMetadataAggregatorServer.java
        MockTrustAnchorServer.java
        MockMsaServer.java
        MockVerifyHubServer.java
      - feature
        uk
        gov
        ida
        verifyserviceprovider
        configuration
        VerifyHubConfigurationFeatureTests.java
        ApplicationConfigurationFeatureTests.java
        MsaMetadataFeatureTest.java
        HubMetadataFeatureTest.java
      - uk
        gov
        ida
        verifyserviceprovider
        compliance
        dto
        MatchingDatasetBuilder.java
        ComplianceToolModeTest.java
        RefreshDatasetResourceTest.java
        configuration
        EuropeanIdentityConfigurationTest.java
        services
        MatchingResponderCodeTranslatorTest.java
        IdentityResponderCodeTranslatorTest.java
      - unit
        uk
        gov
        ida
        verifyserviceprovider
        configuration
        MsaMetadataConfigurationTest.java
        HubEnvironmentTest.java
        utils
        DateTimeComparatorTest.java
        StringTableFormatterTest.java
        services
        UnsignedAssertionResponseHandlerTest.java
        EntityIdServiceTest.java
        EidasUnsignedAssertionTranslatorTest.java
        MatchingAssertionTranslatorTest.java
        VerifyAssertionTranslatorTest.java
        ResponseServiceTest.java
        EidasAssertionTranslatorTest.java
        AssertionClassifierTests.java
        AttributeTranslatorTests.java
        ClassifyingAssertionTranslatorTest.java
        BaseEidasAssertionTranslatorTestBase.java
        resources
        TranslateSamlResponseResourceTest.java
        GenerateAuthnRequestResourceTest.java
        VersionNumberResourceTest.java
        validators
        InstantValidatorTest.java
        SubjectValidatorTest.java
        LevelOfAssuranceValidatorTest.java
        ConditionsValidatorTest.java
        AssertionValidatorTest.java
        TimeRestrictionValidatorTest.java
        saml
        ResponseFactoryTest.java
        factories
        saml
        AuthnRequestFactoryTest.java
        VerifyServiceProviderConfigurationTest.java
- configuration
  - vsp-with-matching.yml
  - vsp-no-eidas.yml
  - vsp-eidas-without-matching.yml
  - vsp-with-matching-custom.yml
- gradle
  - wrapper
    - gradle-wrapper.properties
- gradlew.bat
- LICENSE
- gradlew
- Dockerfile.internal
- startup.sh
- CONTRIBUTING.md
- local-running
  - local-vsp-only.env
  - local-config.yml
- stub-msa-metadata
  - manifest.yml
  - metadata.xml
- build.gradle
- architecture-decisions
  - verify-service-provider-api.swagger.yml
- .adr-dir
- .travis.yml
- README.md
- pre-commit.sh
- integration-deployment.sh
- scripts
  - init-compliance-tool-for-environment.sh
  - genKey.sh
- ci
  - production-manifest.yml
  - dev-manifest-with-msa.yml
  - staging-manifest.yml
  - dev-manifest-multi-tenant.yml
  - dev-manifest.yml
  - integration-manifest.yml
- verify-service-provider.yml
- RELEASE_NOTES.md
- dev-deployment.sh
- settings.gradle
- .gitignore
- docs
  - development
    - Advanced_Configuration.md
    - Using_Local_Compliance_Tool.md
  - diagrams
    - service_architecture.graffle
    - request_flow.graffle
    - response_flow.graffle
    - stub_service_architecture.graffle
  - api
    - verify-service-provider-with-matching-api.swagger.yml
    - verify-service-provider-api.swagger.yml
  - adr
    - 0003-use-files-to-store-private-keys.md
    - 0015-we-will-depend-on-a-minimal-set-of-verify-saml-libs.md
    - 0025-we-will-only-release-one-configuration-file.md
    - 0017-we-will-pass-the-request-id-to-the-client.md
    - 0005-sp-will-generate-request-id.md
    - .keep
    - 0002-how-do-we-secure-the-api.md
    - 0021-we-will-use-http-200-for-valid-saml.md
    - 0019-we-will-validate-assertion-details.md
    - 0004-users-will-be-able-to-provide-relay-state.md
    - 0018-we-will-have-hubssolocation-as-a-configuration.md
    - 0009-we-will-not-use-a-dependency-injection-framework.md
    - 0024-release-process-for-verify-service-provider.md
    - 0012-we-will-use-the-full-profile.md
    - 0007-we-will-document-a-strawman-api.md
    - 0020-we-will-put-verified-status-inside-json-object.md
    - 0006-we-will-build-a-js-client.md
    - 0011-we-will-use-a-secure-token-to-validate-inresponseto.md
    - 0013-we-will-write-acceptance-tests-against-compliance-tool.md
    - 0010-we-will-keep-the-config-as-simple-as-possible.md
    - 0023-we-will-report-the-version-in-a-saml-extension.md
    - 0022-we-will-not-validate-the-recipient.md
    - 0001-record-architecture-decisions.md
    - 0026-development-mode-for-the-verify-service-provider.md
    - 0016-we-will-have-a-healthcheck-endpoint.md
    - 0014-html-will-not-be-generated-by-the-verify-service-provider.md
    - 0008-provide-an-end-to-end-stub.md
- .dockerignore
- test-keys-and-certs
  - vsp-signing.crt
  - vsp-encryption.pk8
  - msa-signing.pk8
  - msa-signing.crt
  - vsp-signing.pk8
  - vsp-encryption.crt

package unit.uk.gov.ida.verifyserviceprovider.validators;

import com.google.common.collect.ImmutableList;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.core.SubjectConfirmation;
import uk.gov.ida.saml.core.IdaSamlBootstrap;
import uk.gov.ida.saml.core.validation.SamlResponseValidationException;
import uk.gov.ida.verifyserviceprovider.validators.SubjectValidator;
import uk.gov.ida.verifyserviceprovider.validators.TimeRestrictionValidator;

import static uk.gov.ida.saml.core.test.builders.SubjectBuilder.aSubject;
import static uk.gov.ida.saml.core.test.builders.SubjectConfirmationBuilder.aSubjectConfirmation;
import static uk.gov.ida.saml.core.test.builders.SubjectConfirmationDataBuilder.aSubjectConfirmationData;

@RunWith(MockitoJUnitRunner.class)
public class SubjectValidatorTest {
    private static final String IN_RESPONSE_TO = "_some-request-id";
    private SubjectValidator subjectValidator;

    @Rule
    public ExpectedException expectedException = ExpectedException.none();

    @Mock
    private TimeRestrictionValidator timeRestrictionValidator;

    @Before
    public void setUp() {
        IdaSamlBootstrap.bootstrap();
        subjectValidator = new SubjectValidator(timeRestrictionValidator);
    }

    @Test
    public void shouldThrowExceptionWhenSubjectIsMissing() throws Exception {
        expectedException.expect(SamlResponseValidationException.class);
        expectedException.expectMessage("Subject is missing from the assertion.");

        subjectValidator.validate(null, IN_RESPONSE_TO);
    }

    @Test
    public void shouldThrowExceptionWhenMultipleSubjectConfirmation() throws Exception {
        expectedException.expect(SamlResponseValidationException.class);
        expectedException.expectMessage("Exactly one subject confirmation is expected.");

        Subject subject = aSubject().build();
        SubjectConfirmation subjectConfirmation = aSubjectConfirmation().build();
        subject.getSubjectConfirmations().addAll(ImmutableList.of(subjectConfirmation, subjectConfirmation));

        subjectValidator.validate(subject, IN_RESPONSE_TO);
    }

    @Test
    public void shouldThrowExceptionWhenSubjectConfirmationMethodIsNotBearer() throws Exception {
        expectedException.expect(SamlResponseValidationException.class);
        expectedException.expectMessage("Subject confirmation method must be 'bearer'.");

        Subject subject = aSubject()
                .withSubjectConfirmation(aSubjectConfirmation().withMethod("anything-but-not-bearer").build())
                .build();

        subjectValidator.validate(subject, IN_RESPONSE_TO);
    }

    @Test
    public void shouldThrowExceptionWhenSubjectConfirmationDataMissing() throws Exception {
        expectedException.expect(SamlResponseValidationException.class);
        expectedException.expectMessage("Subject confirmation data is missing from the assertion.");

        Subject subject = aSubject()
                .withSubjectConfirmation(aSubjectConfirmation().withSubjectConfirmationData(null).build())
                .build();

        subjectValidator.validate(subject, IN_RESPONSE_TO);
    }

    @Test
    public void shouldThrowExceptionWhenSubjectConfirmationDataNotOnOrAfterIsMissing() throws Exception {
        expectedException.expect(SamlResponseValidationException.class);
        expectedException.expectMessage("Subject confirmation data must contain 'NotOnOrAfter'.");

        SubjectConfirmation subjectConfirmation = aSubjectConfirmation().withSubjectConfirmationData(
                aSubjectConfirmationData().withNotOnOrAfter(null).build()).build();
        Subject subject = aSubject()
                .withSubjectConfirmation(subjectConfirmation)
                .build();

        subjectValidator.validate(subject, IN_RESPONSE_TO);
    }

    @Test
    public void shouldThrowExceptionWhenSubjectConfirmationDataHasNoInResponseTo() throws Exception {
        expectedException.expect(SamlResponseValidationException.class);
        expectedException.expectMessage("Subject confirmation data must contain 'InResponseTo'.");

        SubjectConfirmation subjectConfirmation = aSubjectConfirmation().withSubjectConfirmationData(
                aSubjectConfirmationData()
                        .withInResponseTo(null)
                        .build()).build();
        Subject subject = aSubject()
                .withSubjectConfirmation(subjectConfirmation)
                .build();

        subjectValidator.validate(subject, IN_RESPONSE_TO);
    }

    @Test
    public void shouldThrowExceptionWhenInResponseToRequestIdDoesNotMatchTheRequestId() throws Exception {
        String expectedInResponseTo = "some-non-matching-request-id";
        expectedException.expect(SamlResponseValidationException.class);
        expectedException.expectMessage("'InResponseTo' must match requestId. Expected " + expectedInResponseTo + " but was " + IN_RESPONSE_TO);

        SubjectConfirmation subjectConfirmation = aSubjectConfirmation().withSubjectConfirmationData(
                aSubjectConfirmationData()
                        .withInResponseTo(IN_RESPONSE_TO)
                        .build()).build();
        Subject subject = aSubject()
                .withSubjectConfirmation(subjectConfirmation)
                .build();

        subjectValidator.validate(subject, expectedInResponseTo);
    }

    @Test
    public void shouldThrowExceptionWhenNameIdIsMissing() throws Exception {
        expectedException.expect(SamlResponseValidationException.class);
        expectedException.expectMessage("NameID is missing from the subject of the assertion.");

        SubjectConfirmation subjectConfirmation = aSubjectConfirmation().withSubjectConfirmationData(
                aSubjectConfirmationData()
                        .withInResponseTo(IN_RESPONSE_TO)
                        .build()).build();
        Subject subject = aSubject()
                .withSubjectConfirmation(subjectConfirmation)
                .withNameId(null)
                .build();

        subjectValidator.validate(subject, IN_RESPONSE_TO);
    }


}