
Commit 290d72d

committed
Add assertions to ensure NotBefore is before NotOnOrAfter
1 parent 7a158e3 commit 290d72d


5 files changed

+48
-1
lines changed


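--- a/src/XML/saml/AbstractSubjectConfirmationData.php
+++ b/src/XML/saml/AbstractSubjectConfirmationData.php
@@ -8,6 +8,7 @@
 use SimpleSAML\Assert\AssertionFailedException;
 use SimpleSAML\SAML2\Assert\Assert;
 use SimpleSAML\SAML2\Constants as C;
+use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 use SimpleSAML\SAML2\Type\EntityIDValue;
 use SimpleSAML\SAML2\Type\SAMLDateTimeValue;
 use SimpleSAML\SAML2\Type\SAMLStringValue;
@@ -61,6 +62,15 @@ public function __construct(
 array $children = [],
 array $namespacedAttributes = [],
 ) {
+/** SAML 2.0 Core specifications paragraph 2.4.1.2 */
+if ($notBefore !== null && $notOnOrAfter !== null) {
+Assert::true(
+$notBefore->toDateTime() < $notOnOrAfter->toDateTime(),
+"The value for NotBefore MUST be less than (earlier than) the value for NotOnOrAfter.",
+ProtocolViolationException::class,
+);
+}
+
 if ($address !== null) {
 try {
 /**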
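Review bot: The window check at new lines 65-72 is repeated verbatim in src/XML/saml/Conditions.php (new lines 46-53), so the message text and the strict `<` have to be kept in sync by hand; a single custom assertion in the project's Assert class, e.g. `Assert::validTimeWindow($notBefore, $notOnOrAfter)`, called from both constructors would keep one definition. The spec pointer is written as a `/** … */` docblock, which doc tools attach to the following `if`; the conventional form is a line comment such as `// SAML 2.0 Core 2.4.1.2: NotBefore MUST be earlier than NotOnOrAfter`. Note that this is an ordering check only — it says nothing about whether the window contains the current time, which presumably stays with the caller's validity checking. __construct begins and ends outside the hunk.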

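--- a/src/XML/saml/Conditions.php
+++ b/src/XML/saml/Conditions.php
@@ -43,6 +43,15 @@ public function __construct(
 protected ?OneTimeUse $oneTimeUse = null,
 protected ?ProxyRestriction $proxyRestriction = null,
 ) {
+/** SAML 2.0 Core specifications paragraph 2.5.1.2 */
+if ($notBefore !== null && $notOnOrAfter !== null) {
+Assert::true(
+$notBefore->toDateTime() < $notOnOrAfter->toDateTime(),
+"The value for NotBefore MUST be less than (earlier than) the value for NotOnOrAfter.",
+ProtocolViolationException::class,
+);
+}
+
 Assert::maxCount($condition, C::UNBOUNDED_LIMIT);
 Assert::allIsInstanceOf($condition, AbstractCondition::class);
 Assert::maxCount($audienceRestriction, C::UNBOUNDED_LIMIT);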
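Review bot: This hunk references `ProtocolViolationException::class` at new line 51 without adding a `use` for it, unlike the sibling hunk in AbstractSubjectConfirmationData.php; if Conditions.php does not already import `SimpleSAML\SAML2\Exception\ProtocolViolationException`, the `::class` constant silently resolves against the current namespace and the failure only surfaces when the assertion fires — the new ConditionsTest suggests the import exists, but it is worth confirming. Separately, the strict `<` now rejects NotBefore equal to NotOnOrAfter, which was accepted before (the AssertionTest fixture at its line 531 had equal timestamps and had to be shifted by one second), and since the check runs in the constructor it presumably applies to unmarshalled assertions as well; that is a behaviour change for relying parties and deserves a changelog line plus a `@throws ProtocolViolationException` tag on the constructor docblock, which is outside the hunk. __construct begins outside the hunk.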

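--- a/tests/SAML2/XML/saml/AssertionTest.php
+++ b/tests/SAML2/XML/saml/AssertionTest.php
@@ -528,7 +528,7 @@ public function testCorrectSignatureMethodCanBeExtracted(): void
 <saml:SubjectConfirmationData NotOnOrAfter="2011-08-31T08:51:05Z" Recipient="https://sp.example.com/assertion_consumer" InResponseTo="_13603a6565a69297e9809175b052d115965121c8" />
 </saml:SubjectConfirmation>
 </saml:Subject>
-<saml:Conditions NotOnOrAfter="2011-08-31T08:51:05Z" NotBefore="2011-08-31T08:51:05Z">
+<saml:Conditions NotOnOrAfter="2011-08-31T08:51:05Z" NotBefore="2011-08-31T08:51:04Z">
 <saml:AudienceRestriction>
 <saml:Audience>urn:test:ServiceProvider</saml:Audience>
 </saml:AudienceRestriction>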

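--- a/tests/SAML2/XML/saml/ConditionsTest.php
+++ b/tests/SAML2/XML/saml/ConditionsTest.php
@@ -8,6 +8,7 @@
 use PHPUnit\Framework\Attributes\Group;
 use PHPUnit\Framework\TestCase;
 use SimpleSAML\SAML2\Constants as C;
+use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 use SimpleSAML\SAML2\Type\SAMLAnyURIValue;
 use SimpleSAML\SAML2\Type\SAMLDateTimeValue;
 use SimpleSAML\SAML2\XML\saml\AbstractSamlElement;
@@ -88,6 +89,19 @@ public function testMarshalling(): void
 }
 
 
+/**
+*/
+public function testMarshallingNotBeforeAfterNotOnOrAfter(): void
+{
+$this->expectException(ProtocolViolationException::class);
+
+new Conditions(
+SAMLDateTimeValue::fromString('2024-01-18T06:21:48Z'),
+SAMLDateTimeValue::fromString('2014-07-17T01:01:18Z'),
+);
+}
+
+
 /**
 * Adding no contents to a Conditions element should yield an empty element. If there were contents already
 * there, those should be left untouched.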
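Review bot: The new test's docblock at new lines 92-93 is empty; a one-line description such as `Tests that a NotBefore later than NotOnOrAfter is rejected (SAML 2.0 Core 2.5.1.2).` would match the file's style. The boundary the constructor's strict `<` actually introduces — NotBefore equal to NotOnOrAfter — is not exercised here or in tests/SAML2/XML/saml/SubjectConfirmationDataTest.php (same shape, new lines 92-102 there), and that is precisely the case a lenient implementation would wrongly accept; an equal-timestamps test as below closes that gap. Passing the two dates positionally also hides which is which; `notBefore:` / `notOnOrAfter:` named arguments (the parameter names visible in the Conditions.php hunk) make the intent explicit.
```php
// … unchanged: testMarshallingNotBeforeAfterNotOnOrAfter …

/**
 * NotBefore equal to NotOnOrAfter must be rejected too: the spec requires strictly earlier.
 */
public function testMarshallingNotBeforeEqualToNotOnOrAfter(): void
{
    $this->expectException(ProtocolViolationException::class);

    new Conditions(
        notBefore: SAMLDateTimeValue::fromString('2024-01-18T06:21:48Z'),
        notOnOrAfter: SAMLDateTimeValue::fromString('2024-01-18T06:21:48Z'),
    );
}
```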

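--- a/tests/SAML2/XML/saml/SubjectConfirmationDataTest.php
+++ b/tests/SAML2/XML/saml/SubjectConfirmationDataTest.php
@@ -7,6 +7,7 @@
 use PHPUnit\Framework\Attributes\CoversClass;
 use PHPUnit\Framework\Attributes\Group;
 use PHPUnit\Framework\TestCase;
+use SimpleSAML\SAML2\Exception\ProtocolViolationException;
 use SimpleSAML\SAML2\Type\EntityIDValue;
 use SimpleSAML\SAML2\Type\SAMLDateTimeValue;
 use SimpleSAML\SAML2\Type\SAMLStringValue;
@@ -88,6 +89,19 @@ public function testMarshalling(): void
 }
 
 
+/**
+*/
+public function testMarshallingNotBeforeAfterNotOnOrAfter(): void
+{
+$this->expectException(ProtocolViolationException::class);
+
+new SubjectConfirmationData(
+SAMLDateTimeValue::fromString('2009-02-13T23:31:30Z'),
+SAMLDateTimeValue::fromString('2001-04-19T04:25:21Z'),
+);
+}
+
+
 /**
 */
 public function testMarshallingWithNonIPAddress(): void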
