From 7b7ad1a931c67519b1bb70d1e0abe8220ec98165 Mon Sep 17 00:00:00 2001
From: Tim van Dijen <tvdijen@gmail.com>
Date: Sat, 27 Jul 2024 00:09:11 +0200
Subject: [PATCH] WIP: Create ResponseValidator + necessary helper-classes

---
 .../ConstraintValidationFailedException.php   | 12 +++++
 .../ConstraintValidatorInterface.php          | 19 +++++++
 .../Response/DestinationMatches.php           | 43 ++++++++++++++++
 .../IdentityProviderAwareInterface.php        | 15 ++++++
 .../Process/IdentityProviderAwareTrait.php    | 20 ++++++++
 .../Process/ServiceProviderAwareInterface.php | 15 ++++++
 .../Process/ServiceProviderAwareTrait.php     | 20 ++++++++
 .../Process/Validator/ResponseValidator.php   | 42 ++++++++++++++++
 .../Process/Validator/ValidatorInterface.php  | 26 ++++++++++
 .../Process/Validator/ValidatorTrait.php      | 49 +++++++++++++++++++
 10 files changed, 261 insertions(+)
 create mode 100644 src/SAML2/Exception/ConstraintValidationFailedException.php
 create mode 100644 src/SAML2/Process/ConstraintValidation/ConstraintValidatorInterface.php
 create mode 100644 src/SAML2/Process/ConstraintValidation/Response/DestinationMatches.php
 create mode 100644 src/SAML2/Process/IdentityProviderAwareInterface.php
 create mode 100644 src/SAML2/Process/IdentityProviderAwareTrait.php
 create mode 100644 src/SAML2/Process/ServiceProviderAwareInterface.php
 create mode 100644 src/SAML2/Process/ServiceProviderAwareTrait.php
 create mode 100644 src/SAML2/Process/Validator/ResponseValidator.php
 create mode 100644 src/SAML2/Process/Validator/ValidatorInterface.php
 create mode 100644 src/SAML2/Process/Validator/ValidatorTrait.php

diff --git a/src/SAML2/Exception/ConstraintValidationFailedException.php b/src/SAML2/Exception/ConstraintValidationFailedException.php
new file mode 100644
index 000000000..3ad396f44
--- /dev/null
+++ b/src/SAML2/Exception/ConstraintValidationFailedException.php
@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML2\Exception;
+
+/**
+ * Exception to be raised when validation of a constraint fails.
+ */
+class ConstraintViolationFailedException extends RuntimeException
+{
+}
diff --git a/src/SAML2/Process/ConstraintValidation/ConstraintValidatorInterface.php b/src/SAML2/Process/ConstraintValidation/ConstraintValidatorInterface.php
new file mode 100644
index 000000000..be304ce75
--- /dev/null
+++ b/src/SAML2/Process/ConstraintValidation/ConstraintValidatorInterface.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML2\Process\ConstraintValidation;
+
+use SimpleSAML\XML\SerializableElementInterface;
+
+interface ConstraintValidatorInterface
+{
+    /**
+     * Runs the validation.
+     *
+     * If this function returns, the validation has been succesful.
+     *
+     * @throws \SimpleSAML\SAML2\Exception\ConstraintViolationFailedException when the condition fails.
+     */
+    public function validate(SerializableElementInterface $element): void;
+}
diff --git a/src/SAML2/Process/ConstraintValidation/Response/DestinationMatches.php b/src/SAML2/Process/ConstraintValidation/Response/DestinationMatches.php
new file mode 100644
index 000000000..839f6fddd
--- /dev/null
+++ b/src/SAML2/Process/ConstraintValidation/Response/DestinationMatches.php
@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML2\Process\ConstraintValidation\Response;
+
+use SimpleSAML\SAML2\{Binding, Metadata};
+use SimpleSAML\SAML2\Exception\Protocol\ResourceNotRecognizedException;
+use SimpleSAML\SAML2\Process\{ServiceProviderAwareInterface, ServiceProviderAwareTrait};
+use SimpleSAML\SAML2\Process\ConstraintValidation\ConstraintValidatorInterface;
+use SimpleSAML\XML\SerializableElementInterface;
+
+final class DestinationMatches implements ConstraintValidatorInterface
+{
+    /**
+     * DestinationMatches constructor.
+     *
+     * @param \SimpleSAML\SAML2\Metadata\ServiceProvider $spMetadata
+     * @param \SimpleSAML\SAML2\Binding $binding
+     */
+    public function __construct(
+        private Metadata\ServiceProvider $spMetadata,
+        private Binding $binding,
+    ) {
+    }
+
+
+    /**
+     * @param \SimpleSAML\XML\SerializableElementInterface $response
+     */
+    public function validate(SerializableElementInterface $response): void
+    {
+        // Validate that the destination matches the appropriate endpoint from the SP-metadata
+        foreach ($this->spMetadata->getAssertionConsumerService() as $assertionConsumerService) {
+            if ($assertionConsumerService->getLocation() === $response->getDestination()) {
+                if (Binding::getBinding($assertionConsumerService->getBinding()) instanceof $this->binding) {
+                    return;
+                }
+            }
+        }
+        throw new ResourceNotRecognizedException();
+    }
+}
diff --git a/src/SAML2/Process/IdentityProviderAwareInterface.php b/src/SAML2/Process/IdentityProviderAwareInterface.php
new file mode 100644
index 000000000..d45021828
--- /dev/null
+++ b/src/SAML2/Process/IdentityProviderAwareInterface.php
@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML2\Process;
+
+use SimpleSAML\SAML2\Metadata;
+
+interface IdentityProviderAwareInterface
+{
+    /**
+     * Set the IdP metadata.
+     */
+    public function setIdPMetadata(Metadata\IdentityProvider $idpMetadata): void;
+}
diff --git a/src/SAML2/Process/IdentityProviderAwareTrait.php b/src/SAML2/Process/IdentityProviderAwareTrait.php
new file mode 100644
index 000000000..d2077bbae
--- /dev/null
+++ b/src/SAML2/Process/IdentityProviderAwareTrait.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML2\Process;
+
+use SimpleSAML\SAML2\Metadata;
+
+trait IdentityProviderAwareTrait
+{
+    protected Metadata\IdentityProvider $idpMetadata;
+
+    /**
+     * Set the IdP metadata.
+     */
+    public function setIdPMetadata(Metadata\IdentityProvider $idpMetadata): void
+    {
+        $this->idpMetadata = $idpMetadata;
+    }
+}
diff --git a/src/SAML2/Process/ServiceProviderAwareInterface.php b/src/SAML2/Process/ServiceProviderAwareInterface.php
new file mode 100644
index 000000000..7c04a265c
--- /dev/null
+++ b/src/SAML2/Process/ServiceProviderAwareInterface.php
@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML2\Process;
+
+use SimpleSAML\SAML2\Metadata;
+
+interface ServiceProviderAwareInterface
+{
+    /**
+     * Set the SP metadata.
+     */
+    public function setSPMetadata(Metadata\ServiceProvider $spMetadata): void;
+}
diff --git a/src/SAML2/Process/ServiceProviderAwareTrait.php b/src/SAML2/Process/ServiceProviderAwareTrait.php
new file mode 100644
index 000000000..627b6d9bb
--- /dev/null
+++ b/src/SAML2/Process/ServiceProviderAwareTrait.php
@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML2\Process;
+
+use SimpleSAML\SAML2\Metadata;
+
+trait ServiceProviderAwareTrait
+{
+    protected Metadata\ServiceProvider $spMetadata;
+
+    /**
+     * Set the SP metadata.
+     */
+    public function setSPMetadata(Metadata\ServiceProvider $spMetadata): void
+    {
+        $this->spMetadata = $spMetadata;
+    }
+}
diff --git a/src/SAML2/Process/Validator/ResponseValidator.php b/src/SAML2/Process/Validator/ResponseValidator.php
new file mode 100644
index 000000000..4e84af67f
--- /dev/null
+++ b/src/SAML2/Process/Validator/ResponseValidator.php
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML2\Process\Validator;
+
+use SimpleSAML\SAML2\{Binding, Metadata};
+use SimpleSAML\SAML2\Process\ConstraintValidation\Response\{DestinationMatches, IsSuccessful};
+
+class ResponseValidator implements ValidatorInterface
+{
+    use ValidatorTrait;
+
+    /**
+     * @param \SimpleSAML\SAML2\Metadata\IdentityProvider  The IdP-metadata
+     * @param \SimpleSAML\SAML2\Metadata\ServiceProvider  The SP-metadata
+     */
+    private function __construct(
+        protected ?Metadata\IdentityProvider $idpMetadata,
+        protected Metadata\ServiceProvider $spMetadata,
+    ) {
+    }
+
+
+    /**
+     * @param \SimpleSAML\SAML2\Metadata\IdentityProvider|null $idpMetadata
+     * @param \SimpleSAML\SAML2\Metadata\ServiceProvider $spMetadata
+     * @param string $binding
+     * @return \SimpleSAML\SAML2\Validator\ResponseValidator
+     */
+    public static function createResponseValidator(
+        ?Metadata\IdentityProvider $idpMetadata,
+        Metadata\ServiceProvider $spMetadata,
+        Binding $binding,
+    ): ResponseValidator {
+        $validator = new self($idpMetadata, $spMetadata);
+        $validator->addConstraintValidator(new DestinationMatches($spMetadata, $binding));
+//        $validator->addConstraintValidator(new IsSuccesful());
+
+        return $validator;
+    }
+}
diff --git a/src/SAML2/Process/Validator/ValidatorInterface.php b/src/SAML2/Process/Validator/ValidatorInterface.php
new file mode 100644
index 000000000..6e9bccada
--- /dev/null
+++ b/src/SAML2/Process/Validator/ValidatorInterface.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML2\Process\Validator;
+
+use SimpleSAML\SAML2\Process\ConstraintValidation\ConstraintValidatorInterface;
+use SimpleSAML\XML\SerializableElementInterface;
+
+interface ValidatorInterface
+{
+    /**
+     * Runs all the validations in the validation chain.
+     *
+     * If this function returns, all validations have been succesful.
+     *
+     * @throws \SimpleSAML\SAML2\Exception\ConstraintValidationFailedException when one of the conditions fail.
+     */
+    public function validate(SerializableElementInterface $element): void;
+
+
+    /**
+     * Add a validation to the chain.
+     */
+    public function addConstraintValidator(ConstraintValidatorInterface $validation);
+}
diff --git a/src/SAML2/Process/Validator/ValidatorTrait.php b/src/SAML2/Process/Validator/ValidatorTrait.php
new file mode 100644
index 000000000..c692563bd
--- /dev/null
+++ b/src/SAML2/Process/Validator/ValidatorTrait.php
@@ -0,0 +1,49 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\SAML2\Process\Validator;
+
+use SimpleSAML\SAML2\Process\{IdentityProviderAwareInterface, ServiceProviderAwareInterface};
+use SimpleSAML\SAML2\Process\ConstraintValidation\ConstraintValidatorInterface;
+use SimpleSAML\XML\SerializableElementInterface;
+
+trait ValidatorTrait
+{
+    /** @var array<\SimpleSAML\SAML2\Process\ConstraintValidation\ConstraintValidatorInterface> */
+    protected array $validators;
+
+
+    /**
+     * Add a validation to the chain.
+     *
+     * @param \SimpleSAML\SAML2\Process\ConstraintValidation\ConstraintValidatorInterface $validation
+     */
+    public function addConstraintValidator(ConstraintValidatorInterface $validator)
+    {
+        if ($validator instanceof IdentityProviderAwareInterface) {
+            $validator->setIdentityProvider($this->idpMetadata);
+        }
+
+        if ($validator instanceof ServiceProviderAwareInterface) {
+            $validator->setServiceProvider($this->spMetadata);
+        }
+
+        $this->validators[] = $validator;
+    }
+
+
+    /**
+     * Runs all the validations in the validation chain.
+     *
+     * If this function returns, all validations have been succesful.
+     *
+     * @throws \SimpleSAML\SAML2\Exception\ConstraintViolationFailedException when one of the conditions fail.
+     */
+    public function validate(SerializableElementInterface $element): void
+    {
+        foreach ($this->validators as $validator) {
+            $validator->validate($element);
+        }
+    }
+}