From af19aa6a92e51be5b54e9e31b3472717c1d56b93 Mon Sep 17 00:00:00 2001
From: Anders Abel
Date: Sat, 3 Feb 2024 19:05:32 +0100
Subject: [PATCH] First steps on Assertion validation

---
 src/Sustainsys.Saml2/Saml/SamlAssertion.cs | 18 +++++++++++
 .../Validation/ISamlAssertionValidator.cs | 32 +++++++++++++++++++
 .../Validation/ISamlResponseValidator.cs | 10 ++++--
 .../Validation/SamlAssertionValidator.cs | 22 +++++++++++++
 .../Validators/SamlResponseValidatorTests.cs | 5 ++-
 5 files changed, 84 insertions(+), 3 deletions(-)
 create mode 100644 src/Sustainsys.Saml2/Saml/SamlAssertion.cs
 create mode 100644 src/Sustainsys.Saml2/Validation/ISamlAssertionValidator.cs
 create mode 100644 src/Sustainsys.Saml2/Validation/SamlAssertionValidator.cs

diff --git a/src/Sustainsys.Saml2/Saml/SamlAssertion.cs b/src/Sustainsys.Saml2/Saml/SamlAssertion.cs
new file mode 100644
index 000000000..b7e089b58
--- /dev/null
+++ b/src/Sustainsys.Saml2/Saml/SamlAssertion.cs
@@ -0,0 +1,18 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Sustainsys.Saml2.Saml;
+
+///
+/// A Saml assertion
+///
+public class SamlAssertion
+{
+ ///
+ /// Issuer of the assertion.
+ ///
+ public NameId Issuer { get; set; } = default!;
+}
diff --git a/src/Sustainsys.Saml2/Validation/ISamlAssertionValidator.cs b/src/Sustainsys.Saml2/Validation/ISamlAssertionValidator.cs
new file mode 100644
index 000000000..e5aec00a2
--- /dev/null
+++ b/src/Sustainsys.Saml2/Validation/ISamlAssertionValidator.cs
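Review bot: `Issuer` on `SamlAssertion` is declared non-nullable but initialised with `= default!`, which silences the compiler while leaving a null in the very field the validators are meant to compare against. The same commit already uses the `required` modifier on `SamlResponseValidationParameters.AssertionValidationParameters`, so `public required NameId Issuer { get; set; }` keeps the two DTOs consistent and turns a missing issuer into a compile error at the construction site instead of a null at validation time. The five `System.*` usings are unused template defaults and can be dropped. The `///` lines appear to have lost their `<summary>` tags in this rendering; if that is also the case in the file, the doc comment is not attached to the type.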
@@ -0,0 +1,32 @@
+using Sustainsys.Saml2.Saml;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Sustainsys.Saml2.Validation;
+
+///
+/// Validates an asseriton
+///
+public interface ISamlAssertionValidator
+{
+ ///
+ /// Validate a Saml assertion
+ ///
+ ///
+ ///
+ void Validate(SamlAssertion assertion, SamlAssertionValidationParameters parameters);
+}
+
+///
+/// DTO carrying parameters for Saml assertion validation
+///
+public class SamlAssertionValidationParameters
+{
+ ///
+ /// Valid issuer of the response and assertions
+ ///
+ public NameId? ValidIssuer { get; set; }
+}
\ No newline at end of file
diff --git a/src/Sustainsys.Saml2/Validation/ISamlResponseValidator.cs b/src/Sustainsys.Saml2/Validation/ISamlResponseValidator.cs
index c9ae173db..44aecd091 100644
--- a/src/Sustainsys.Saml2/Validation/ISamlResponseValidator.cs
+++ b/src/Sustainsys.Saml2/Validation/ISamlResponseValidator.cs
@@ -28,7 +28,13 @@ public interface ISamlResponseValidator
 public class SamlResponseValidationParameters
 {
 ///
- /// Valid issuer of the response and assertions
+ /// Validation parameters for assertions embedded in the response.
 ///
- public NameId? ValidIssuer { get; set; }
+ public required SamlAssertionValidationParameters AssertionValidationParameters { get; set; }
+
+ ///
+ /// Valid issuer of the response and assertions - returns the ValidIssuer
+ /// of the embedded SamlAssertionValidationParameters to ensure they are the same.
+ ///
+ public NameId? ValidIssuer { get => AssertionValidationParameters.ValidIssuer; }
 }
\ No newline at end of file
diff --git a/src/Sustainsys.Saml2/Validation/SamlAssertionValidator.cs b/src/Sustainsys.Saml2/Validation/SamlAssertionValidator.cs
new file mode 100644
index 000000000..c7992dc91
--- /dev/null
+++ b/src/Sustainsys.Saml2/Validation/SamlAssertionValidator.cs
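Review bot: The summary on `ISamlAssertionValidator` misspells the noun and should read `/// Validates an assertion`. `Validate` returns `void` and both parameter doc entries are empty, so the contract on failure is not documented anywhere; the summary should state how a rejected assertion is reported (presumably by throwing, to match how the response validator is used), e.g. `/// Validates a Saml assertion against <paramref name="parameters"/>, throwing if it fails.` The `ValidIssuer` summary on `SamlAssertionValidationParameters` should also say what `null` means — whether the issuer check is skipped or validation fails — since a nullable expected issuer is a security-relevant default and nothing in this commit decides it yet.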
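Review bot: `ValidIssuer` on `SamlResponseValidationParameters` becomes getter-only, so any caller that previously wrote `ValidIssuer = ...` now fails to compile and must go through `AssertionValidationParameters`; the test in this commit is updated, other call sites are not visible here, and the summary should say so: `/// Read-only; set it through AssertionValidationParameters.ValidIssuer.` The expression-bodied form `public NameId? ValidIssuer => AssertionValidationParameters.ValidIssuer;` is the idiomatic way to write a getter that only forwards. Marking `AssertionValidationParameters` as `required` is the right call, since the getter dereferences it unconditionally.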
@@ -0,0 +1,22 @@
+using Sustainsys.Saml2.Saml;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Sustainsys.Saml2.Validation;
+
+///
+/// Saml Assertion validator
+///
+public class SamlAssertionValidator : ISamlAssertionValidator
+{
+ ///
+ public void Validate(
+ SamlAssertion assertion,
+ SamlAssertionValidationParameters parameters)
+ {
+ // TODO: Remember to validate issuer.
+ }
+}
diff --git a/src/Tests/Sustainsys.Saml2.Tests/Validators/SamlResponseValidatorTests.cs b/src/Tests/Sustainsys.Saml2.Tests/Validators/SamlResponseValidatorTests.cs
index 342aecc72..51e11397d 100644
--- a/src/Tests/Sustainsys.Saml2.Tests/Validators/SamlResponseValidatorTests.cs
+++ b/src/Tests/Sustainsys.Saml2.Tests/Validators/SamlResponseValidatorTests.cs
@@ -24,7 +24,10 @@ SamlResponse CreateSamlResponse() =>
 SamlResponseValidationParameters CreateValidationParameters() =>
 new SamlResponseValidationParameters()
 {
- ValidIssuer = "https://idp.example.com/Saml2"
+ AssertionValidationParameters = new()
+ {
+ ValidIssuer = "https://idp.example.com/Saml2"
+ }
 };
 
 // The happy path that should just validate the default response
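Review bot: `SamlAssertionValidator.Validate` has an empty body, so as soon as it is wired into the response validator every assertion — including one from an unexpected issuer — passes validation silently, and the `// TODO` comment is the only sign that this is a stub. Until the issuer comparison is written the method should fail closed rather than accept, e.g. `throw new NotImplementedException("Assertion validation is not implemented yet.");`, so nothing can ship with the stub in the validation path. The `///` above `Validate` looks like it lost its `<inheritdoc/>` tag in this rendering; worth confirming in the file. The change to `SamlResponseValidatorTests.cs` only adapts the existing happy-path fixture and adds no test for the new validator, so the stub is currently unobserved by the suite.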