Tidy null handling in SAML conditions validation

src/Microsoft.IdentityModel.Tokens.Saml/Saml/SamlSecurityTokenHandler.cs

@@ -1275,8 +1275,7 @@ private ClaimsPrincipal ValidateToken(SamlSecurityToken samlToken, string token,
             ValidateConditions(samlToken, validationParameters);
             var issuer = ValidateIssuer(samlToken.Issuer, samlToken, validationParameters);
 
-            if (samlToken.Assertion.Conditions != null)
-                ValidateTokenReplay(samlToken.Assertion.Conditions.NotOnOrAfter, samlToken.Assertion.CanonicalString, validationParameters);
+            ValidateTokenReplay(samlToken.Assertion.Conditions?.NotOnOrAfter, samlToken.Assertion.CanonicalString, validationParameters);
 
             ValidateIssuerSecurityKey(samlToken.SigningKey, samlToken, validationParameters);
             validatedToken = samlToken;

src/Microsoft.IdentityModel.Tokens.Saml/Saml2/Saml2SecurityTokenHandler.cs

@@ -274,8 +274,7 @@ private ClaimsPrincipal ValidateToken(Saml2SecurityToken samlToken, string token
             ValidateSubject(samlToken, validationParameters);
             var issuer = ValidateIssuer(samlToken.Issuer, samlToken, validationParameters);
 
-            if (samlToken.Assertion.Conditions != null)
-                ValidateTokenReplay(samlToken.Assertion.Conditions.NotOnOrAfter, samlToken.Assertion.CanonicalString, validationParameters);
+            ValidateTokenReplay(samlToken.Assertion.Conditions?.NotOnOrAfter, samlToken.Assertion.CanonicalString, validationParameters);
 
             ValidateIssuerSecurityKey(samlToken.SigningKey, samlToken, validationParameters);
             validatedToken = samlToken;

test/Microsoft.IdentityModel.TestUtils/ReferenceTokens.cs

@@ -83,6 +83,9 @@ public class ReferenceTokens
         public static string Saml2Token_NoConditions_NoSignature =
             @"<Assertion ID = ""_d60bd9ed-8aab-40c8-ba5f-f548c3401ae2"" IssueInstant=""2017-03-20T15:52:31.957Z"" Version=""2.0"" xmlns=""urn:oasis:names:tc:SAML:2.0:assertion""><Issuer>https://sts.windows.net/add29489-7269-41f4-8841-b63c95564420/</Issuer><Subject><NameID Format=""urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"">RrX3SPSxDw6z4KHaKB2V_mnv0G-LbRZdYvo1RQa1L7s</NameID><SubjectConfirmation Method=""urn:oasis:names:tc:SAML:2.0:cm:bearer"" /></Subject><AttributeStatement><Attribute Name=""http://schemas.microsoft.com/identity/claims/tenantid""><AttributeValue>add29489-7269-41f4-8841-b63c95564420</AttributeValue></Attribute><Attribute Name=""http://schemas.microsoft.com/identity/claims/objectidentifier""><AttributeValue>d1ad9ce7-b322-4221-ab74-1e1011e1bbcb</AttributeValue></Attribute><Attribute Name=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name""><AttributeValue>User1@Cyrano.onmicrosoft.com</AttributeValue></Attribute><Attribute Name=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname""><AttributeValue>1</AttributeValue></Attribute><Attribute Name=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname""><AttributeValue>User</AttributeValue></Attribute><Attribute Name=""http://schemas.microsoft.com/identity/claims/displayname""><AttributeValue>User1</AttributeValue></Attribute><Attribute Name=""http://schemas.microsoft.com/identity/claims/identityprovider""><AttributeValue>https://sts.windows.net/add29489-7269-41f4-8841-b63c95564420/</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant=""2017-03-20T15:52:31.551Z""><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>";
 
+        public static string Saml2Token_ConditionsNoExpiration_NoSignature =
+            @"<Assertion ID = ""_d60bd9ed-8aab-40c8-ba5f-f548c3401ae2"" IssueInstant=""2017-03-20T15:52:31.957Z"" Version=""2.0"" xmlns=""urn:oasis:names:tc:SAML:2.0:assertion""><Issuer>https://sts.windows.net/add29489-7269-41f4-8841-b63c95564420/</Issuer><Subject><NameID Format=""urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"">RrX3SPSxDw6z4KHaKB2V_mnv0G-LbRZdYvo1RQa1L7s</NameID><SubjectConfirmation Method=""urn:oasis:names:tc:SAML:2.0:cm:bearer"" /></Subject><Conditions NotBefore=""2017-03-20T15:47:31.957Z""></Conditions><AttributeStatement><Attribute Name=""http://schemas.microsoft.com/identity/claims/tenantid""><AttributeValue>add29489-7269-41f4-8841-b63c95564420</AttributeValue></Attribute><Attribute Name=""http://schemas.microsoft.com/identity/claims/objectidentifier""><AttributeValue>d1ad9ce7-b322-4221-ab74-1e1011e1bbcb</AttributeValue></Attribute><Attribute Name=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name""><AttributeValue>User1@Cyrano.onmicrosoft.com</AttributeValue></Attribute><Attribute Name=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname""><AttributeValue>1</AttributeValue></Attribute><Attribute Name=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname""><AttributeValue>User</AttributeValue></Attribute><Attribute Name=""http://schemas.microsoft.com/identity/claims/displayname""><AttributeValue>User1</AttributeValue></Attribute><Attribute Name=""http://schemas.microsoft.com/identity/claims/identityprovider""><AttributeValue>https://sts.windows.net/add29489-7269-41f4-8841-b63c95564420/</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant=""2017-03-20T15:52:31.551Z""><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>";
+
         public static string Saml2Token_Actor_Claim =
             @"<Assertion ID = ""_d60bd9ed-8aab-40c8-ba5f-f548c3401ae2"" IssueInstant=""2017-03-20T15:52:31.957Z"" Version=""2.0"" xmlns=""urn:oasis:names:tc:SAML:2.0:assertion""><Issuer>https://sts.windows.net/add29489-7269-41f4-8841-b63c95564420/</Issuer><Subject><NameID Format=""urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"">RrX3SPSxDw6z4KHaKB2V_mnv0G-LbRZdYvo1RQa1L7s</NameID><SubjectConfirmation Method=""urn:oasis:names:tc:SAML:2.0:cm:bearer"" /></Subject><Conditions NotBefore=""2017-03-20T15:47:31.957Z"" NotOnOrAfter=""2017-03-20T16:47:31.957Z""><AudienceRestriction><Audience>spn:fe78e0b4-6fe7-47e6-812c-fb75cee266a4</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=""http://schemas.microsoft.com/identity/claims/tenantid""><AttributeValue>add29489-7269-41f4-8841-b63c95564420</AttributeValue></Attribute><Attribute Name=""http://schemas.microsoft.com/identity/claims/objectidentifier""><AttributeValue>d1ad9ce7-b322-4221-ab74-1e1011e1bbcb</AttributeValue></Attribute><Attribute Name=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name""><AttributeValue>User1@Cyrano.onmicrosoft.com</AttributeValue></Attribute><Attribute Name=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname""><AttributeValue>1</AttributeValue></Attribute><Attribute Name=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname""><AttributeValue>User</AttributeValue></Attribute><Attribute Name=""http://schemas.microsoft.com/identity/claims/displayname""><AttributeValue>User1</AttributeValue></Attribute><Attribute Name=""http://schemas.microsoft.com/identity/claims/identityprovider""><AttributeValue>https://sts.windows.net/add29489-7269-41f4-8841-b63c95564420/</AttributeValue></Attribute><Attribute Name=""http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor""><AttributeValue><Actor><Attribute Name=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"" xmlns=""urn:oasis:names:tc:SAML:2.0:assertion""><AttributeValue>TestActor</AttributeValue></Attribute><Attribute Name=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"" xmlns=""urn:oasis:names:tc:SAML:2.0:assertion""><AttributeValue>TestActor</AttributeValue></Attribute></Actor></AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant=""2017-03-20T15:52:31.551Z""><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion>";
 
@@ -201,6 +204,9 @@ public static string Saml2Token_Formated
         public static string SamlToken_NoConditions_NoSignature =
             @"<Assertion AssertionID=""_fa5e974c-e3e1-4fb5-9f0f-65efd861920c"" MajorVersion=""1"" MinorVersion=""1"" Issuer=""http://Default.Issuer.com"" IssueInstant=""2017-08-25T21:17:29.561Z"" xmlns=""urn:oasis:names:tc:SAML:1.0:assertion""><AttributeStatement><Subject><NameIdentifier>Bob</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><Attribute AttributeName=""country"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>USA</AttributeValue></Attribute><Attribute AttributeName=""emailaddress"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>Bob@contoso.com</AttributeValue></Attribute><Attribute AttributeName=""givenname"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>Bob</AttributeValue></Attribute><Attribute AttributeName=""homephone"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>555.1212</AttributeValue></Attribute><Attribute AttributeName=""role"" AttributeNamespace=""http://schemas.microsoft.com/ws/2008/06/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>Developer</AttributeValue><AttributeValue>Sales</AttributeValue></Attribute><Attribute AttributeName=""name"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>Jean-Sébastien</AttributeValue></Attribute></AttributeStatement></Assertion>";
 
+        public static string SamlToken_ConditionsNoExpiration_NoSignature =
+            @"<Assertion AssertionID=""_fa5e974c-e3e1-4fb5-9f0f-65efd861920c"" MajorVersion=""1"" MinorVersion=""1"" Issuer=""http://Default.Issuer.com"" IssueInstant=""2017-08-25T21:17:29.561Z"" xmlns=""urn:oasis:names:tc:SAML:1.0:assertion""><Conditions NotBefore=""2017-08-25T21:17:29.554Z""></Conditions><AttributeStatement><Subject><NameIdentifier>Bob</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><Attribute AttributeName=""country"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>USA</AttributeValue></Attribute><Attribute AttributeName=""emailaddress"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>Bob@contoso.com</AttributeValue></Attribute><Attribute AttributeName=""givenname"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>Bob</AttributeValue></Attribute><Attribute AttributeName=""homephone"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>555.1212</AttributeValue></Attribute><Attribute AttributeName=""role"" AttributeNamespace=""http://schemas.microsoft.com/ws/2008/06/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>Developer</AttributeValue><AttributeValue>Sales</AttributeValue></Attribute><Attribute AttributeName=""name"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>Jean-Sébastien</AttributeValue></Attribute></AttributeStatement></Assertion>";
+
         public static string SamlToken_Valid =
             @"<Assertion AssertionID=""_fa5e974c-e3e1-4fb5-9f0f-65efd861920c"" MajorVersion=""1"" MinorVersion=""1"" Issuer=""http://Default.Issuer.com"" IssueInstant=""2017-08-25T21:17:29.561Z"" xmlns=""urn:oasis:names:tc:SAML:1.0:assertion""><Conditions NotBefore=""2017-08-25T21:17:29.554Z"" NotOnOrAfter=""2017-08-26T21:17:29.554Z""><saml:AudienceRestrictionCondition xmlns:saml=""urn:oasis:names:tc:SAML:1.0:assertion""><saml:Audience>http://Default.Audience.com</saml:Audience></saml:AudienceRestrictionCondition></Conditions><AttributeStatement><Subject><NameIdentifier>Bob</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation></Subject><Attribute AttributeName=""country"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>USA</AttributeValue></Attribute><Attribute AttributeName=""emailaddress"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>Bob@contoso.com</AttributeValue></Attribute><Attribute AttributeName=""givenname"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>Bob</AttributeValue></Attribute><Attribute AttributeName=""homephone"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>555.1212</AttributeValue></Attribute><Attribute AttributeName=""role"" AttributeNamespace=""http://schemas.microsoft.com/ws/2008/06/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>Developer</AttributeValue><AttributeValue>Sales</AttributeValue></Attribute><Attribute AttributeName=""name"" AttributeNamespace=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims"" OriginalIssuer=""http://Default.Issuer.com""><AttributeValue>Jean-Sébastien</AttributeValue></Attribute></AttributeStatement><Signature xmlns =""http://www.w3.org/2000/09/xmldsig#""><SignedInfo><CanonicalizationMethod Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#""/><SignatureMethod Algorithm=""http://www.w3.org/2001/04/xmldsig-more#rsa-sha256""/><Reference Id=""_fa5e974c-e3e1-4fb5-9f0f-65efd861920c""><Transforms><Transform Algorithm=""http://www.w3.org/2000/09/xmldsig#enveloped-signature""/><Transform Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#""/></Transforms><DigestMethod Algorithm=""http://www.w3.org/2001/04/xmlenc#sha256""/><DigestValue>z+4mubehpI9sLNVwGGIuy3jiGhP9k+PHiRyO0Mqd/YM=</DigestValue></Reference></SignedInfo><SignatureValue>hWd3ALlvaNuHz2JbCnSuVly/pZwtVZzLQwsMvvn03dl6URoFQhvYpldE+6ZpzL77XMrsC0VmPaQbw76fkztK2P/0tp4hzaW///Jdr/E+HcSfG0Cdt+NWuybyGkJljbh0tif6BbxIaDNc/5dx6SoCyItP3IqU5JciwaTsOGQTmcUzoI3lIY9N7pv2ChD3fczWo1O8W+T0Caka69cxhb037HpUWLmjekED9sqBKfLKDsVH8rpef7cGroTILaZ4xOHwOEmrV6xOrCq3erupnLhw5eVC4wDuhL/0KrbfgfTExM5iUnyfrnm+C74M6WnnfqpzWHWuCv10W32W1L8mlQtVZQ==</SignatureValue><KeyInfo><X509Data><X509Certificate>MIIDJTCCAg2gAwIBAgIQGzlg2gNmfKRKBa6dqqZXxzANBgkqhkiG9w0BAQQFADAiMSAwHgYDVQQDExdLZXlTdG9yZVRlc3RDZXJ0aWZpY2F0ZTAeFw0xMTExMDkxODE5MDZaFw0zOTEyMzEyMzU5NTlaMCIxIDAeBgNVBAMTF0tleVN0b3JlVGVzdENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAns1cm8RU1hKZILPI6pB5Zoxn9mW2tSS0atV+o9FCn9NyeOktEOj1kEXOeIz0KfnqxgPMF1GpshuZBAhgjkyy2kNGE6Zx50CCJgq6XUatvVVJpMp8/FV18ynPf+/TRlF8V2HO3IVJ0XqRJ9fGA2f5xpOweWsdLYitdHbaDCl6IBNSXo52iNuqWAcB1k7jBlsnlXpuvslhLIzj60dnghAVA4ltS3NlFyw1Tz3pGlZQDt7x83IBHe7DA9bV3aJs1trkm1NzI1HoRS4vOqU3n4fn+DlfAE2vYKNkSi/PjuAX+1YQCq6e5uN/hOeSEqji8SsWC2nk/bMTKPwD67rn3jNC9wIDAQABo1cwVTBTBgNVHQEETDBKgBA3gSuALjvEuAVmF/x8knXvoSQwIjEgMB4GA1UEAxMXS2V5U3RvcmVUZXN0Q2VydGlmaWNhdGWCEBs5YNoDZnykSgWunaqmV8cwDQYJKoZIhvcNAQEEBQADggEBAFZvDA7PBh/vvFZb/QCBelTyD2Yqij16v3tk30A3Akli6UIILdbbOcA5BiPktT1kJxcsgSXNHUODlfG2Fy9HTqwunr8G7FYniOUXPVrRL+HwhKOzRFDMUS3+On+ZDzum7rbpm3SYlnJDyNb8wynPw/bXQw72jGjt63uh6OnkYE8fJ8iPfVWOenZkP/IXPIXK/bBwLMDJ1y77ZauPYbp7oiQ/991pn0c7F4ugT9LYmbAdJKhiainOaoBTvIHN8/lMZ8gHUuxvOJhPrbgo3NTqvT1/3kfD0AISP4R3pH0QL/0m7cO34nK4rFFLZs1sFUguYUJhfkyq1N8MiyyAqRmrvBQ=</X509Certificate></X509Data></KeyInfo></Signature></Assertion>";