adal 1.0.0

data/spec/adal/client_assertion_certificate_spec.rb

@@ -0,0 +1,113 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+require 'jwt'
+
+include FakeData
+
+describe ADAL::ClientAssertionCertificate do
+  describe '#initialize' do
+    let(:auth) { ADAL::Authority.new(AUTHORITY, TENANT) }
+    let(:cert) { OpenSSL::X509::Certificate.new }
+
+    it "should fail if the public key isn't large enough" do
+      # The key is an integer number of bytes so we have to subtract at least 8.
+      too_few_bits = ADAL::ClientAssertionCertificate::MIN_KEY_SIZE_BITS - 8
+      key = OpenSSL::PKey::RSA.new(too_few_bits)
+      cert.public_key = key.public_key
+      pfx = OpenSSL::PKCS12.create('', '', key, cert)
+      expect do
+        ADAL::ClientAssertionCertificate.new(auth, CLIENT_ID, pfx)
+      end.to raise_error(ArgumentError)
+    end
+
+    it 'should succeed if the public key is the minimum size' do
+      just_enough_bits = ADAL::ClientAssertionCertificate::MIN_KEY_SIZE_BITS
+      key = OpenSSL::PKey::RSA.new(just_enough_bits)
+      cert.public_key = key.public_key
+      pfx = OpenSSL::PKCS12.create('', '', key, cert)
+      expect do
+        ADAL::ClientAssertionCertificate.new(auth, CLIENT_ID, pfx)
+      end.to_not raise_error
+    end
+
+    it 'should fail if the certificate is not PKCS12' do
+      pfx = 'Not an OpenSSL::PKCS12'
+      expect { ADAL::ClientAssertionCertificate.new(auth, CLIENT_ID, pfx) }
+        .to raise_error ArgumentError
+    end
+
+    it 'should fail if the pkcs12 does not use valid rsa' do
+      key = OpenSSL::PKey::DSA.new 2048
+      cert.public_key = key.public_key
+      pfx = OpenSSL::PKCS12.create('', '', key, cert)
+      expect { ADAL::ClientAssertionCertificate.new(auth, CLIENT_ID, pfx) }
+        .to raise_error ArgumentError
+    end
+
+    it 'should fail if the pkcs12 does not use valid x509' do
+      key = OpenSSL::PKey::RSA.new 2048
+      cert.public_key = key.public_key
+      pfx = OpenSSL::PKCS12.create('', '', key, cert)
+
+      # In practice, no one would ever do this. But we do check for it just in
+      # case.
+      pfx.instance_variable_set(:@certificate, 'Not an x509 certificate')
+      expect { ADAL::ClientAssertionCertificate.new(auth, CLIENT_ID, pfx) }
+        .to raise_error ArgumentError
+    end
+  end
+
+  describe '#request_params' do
+    ONE_YEAR_IN_SECONDS = 60 * 60 * 24 * 365
+    let(:cert) { OpenSSL::X509::Certificate.new }
+    before(:each) do
+      key = OpenSSL::PKey::RSA.new 2048
+      cert.public_key = key.public_key
+      @pfx = OpenSSL::PKCS12.create('', '', key, cert)
+      @assertion_cert = ADAL::ClientAssertionCertificate.new(
+        ADAL::Authority.new(AUTHORITY, TENANT), CLIENT_ID, @pfx)
+    end
+
+    it 'should contain client id, client assertion and client assertion type' do
+      params = @assertion_cert.request_params
+      expect(params.keys).to contain_exactly(
+        :client_id, :client_assertion, :client_assertion_type)
+    end
+
+    it 'should have client assertion type be JWT_BEARER' do
+      expect(
+        @assertion_cert.request_params[:client_assertion_type]
+      ).to eq('urn:ietf:params:oauth:grant-type:jwt-bearer')
+    end
+
+    it 'should have an assertion that is a decodable JWT' do
+      expect do
+        JWT.decode(@assertion_cert.request_params[:client_assertion],
+                   cert.public_key,
+                   options: { verify_not_before: false })
+      end.to_not raise_error
+    end
+  end
+end

data/spec/adal/client_assertion_spec.rb

@@ -0,0 +1,38 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+include FakeData
+
+describe ADAL::ClientAssertion do
+  describe '#initialize' do
+    it 'should fail if any parameters are nil' do
+      expect do
+        ADAL::ClientAssertion.new(nil, ASSERTION)
+      end.to raise_error(ArgumentError)
+      expect do
+        ADAL::ClientAssertion.new(CLIENT_ID, nil)
+      end.to raise_error(ArgumentError)
+    end
+  end
+end

data/spec/adal/core_ext/hash_spec.rb

@@ -0,0 +1,47 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require 'spec_helper'
+
+using ADAL::CoreExt
+
+describe Hash do
+  describe '#reverse_merge' do
+    it 'should work on empty hashes' do
+      expect({}.reverse_merge({})).to eq({})
+    end
+
+    it 'should work just like merge if the keys do not conflict' do
+      hash1 = { a: 5, b: 10 }
+      hash2 = { c: 8, d: 12 }
+      expect(hash1.reverse_merge(hash2)).to eq(hash1.merge(hash2))
+      expect(hash2.reverse_merge(hash1)).to eq(hash2.merge(hash1))
+    end
+
+    it "should prefer self's values to other_hash's values" do
+      hash1 = { a: 5, c: 10 }
+      hash2 = { a: 6, b: 15 }
+      expect(hash1.reverse_merge(hash2)).to eq(a: 5, b: 15, c: 10)
+      expect(hash2.reverse_merge(hash1)).to eq(a: 6, b: 15, c: 10)
+    end
+  end
+end

data/spec/adal/logging_spec.rb

@@ -0,0 +1,48 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+describe ADAL::Logging do
+  describe '::log_level=' do
+    context 'with an invalid log level' do
+      it 'should throw an error' do
+        expect { ADAL::Logging.log_level = 'abc' }.to raise_error(ArgumentError)
+      end
+    end
+
+    context 'with a valid log level' do
+      it 'should not throw an error' do
+        expect { ADAL::Logging.log_level = ADAL::Logger::VERBOSE }
+          .to_not raise_error
+        expect { ADAL::Logging.log_level = ADAL::Logger::INFO }
+          .to_not raise_error
+        expect { ADAL::Logging.log_level = ADAL::Logger::WARN }
+          .to_not raise_error
+        expect { ADAL::Logging.log_level = ADAL::Logger::ERROR }
+          .to_not raise_error
+        expect { ADAL::Logging.log_level = ADAL::Logger::FATAL }
+          .to_not raise_error
+      end
+    end
+  end
+end

data/spec/adal/memory_cache_spec.rb

@@ -0,0 +1,107 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+describe ADAL::MemoryCache do
+  let(:authority) { ADAL::Authority.new('login.windows.net', 'contoso.org') }
+  let(:client) { ADAL::ClientCredential.new('my client id', 'client secret') }
+  let(:cache) { ADAL::MemoryCache.new }
+
+  # Note that this test also relies on the correctness of TokenResponse#to_json
+  # and CachedTokenResponse#to_json.
+  describe '#to_json' do
+    subject { cache.to_json }
+
+    context 'when empty' do
+      it { is_expected.to eq '[]' }
+    end
+
+    context 'with many tokens' do
+      let(:expected_json) do
+        "[{\"access_token\":\"abc\",\"token_type\":\"JWT\"},{\"access_token\"" \
+        ":\"abc\",\"scope\":\"openid\"},{\"access_token\":\"abc\",\"resource" \
+        "\":\"http://graph.windows.net\"}]"
+      end
+      let(:expected_json) do
+        "[{\"authority\":[\"login.windows.net\",\"contoso.org\"],\"client_id" \
+        "\":\"my client id\",\"token_response\":{\"access_token\":\"abc\",\"t" \
+        "oken_type\":\"JWT\"}},{\"authority\":[\"login.windows.net\",\"contos" \
+        "o.org\"],\"client_id\":\"my client id\",\"token_response\":{\"access" \
+        "_token\":\"abc\",\"scope\":\"openid\"}},{\"authority\":[\"login.wind" \
+        "ows.net\",\"contoso.org\"],\"client_id\":\"my client id\",\"token_re" \
+        "sponse\":{\"access_token\":\"abc\",\"resource\":\"http://graph.windo" \
+        "ws.net\"}}]"
+      end
+      before(:each) do
+        cache_driver = ADAL::CacheDriver.new(authority, client, cache)
+        cache_driver.add(
+          ADAL::SuccessResponse.new(access_token: 'abc', token_type: 'JWT'))
+        cache_driver.add(
+          ADAL::SuccessResponse.new(access_token: 'abc', scope: 'openid'))
+        cache_driver.add(
+          ADAL::SuccessResponse.new(access_token: 'abc',
+                                    resource: 'http://graph.windows.net'))
+      end
+
+      it 'properly serializes the cache' do
+        expect(subject).to eq expected_json
+      end
+    end
+  end
+
+  describe '#from_json' do
+    subject { ADAL::MemoryCache.from_json(json) }
+
+    context 'when empty' do
+      let(:json) { '[]' }
+      it 'should contain no entries' do
+        expect(subject.entries.length).to eq 0
+      end
+    end
+
+    context 'with many tokens' do
+      let(:json) { cache.to_json }
+      before(:each) do
+        cache_driver = ADAL::CacheDriver.new(authority, client, cache)
+        cache_driver.add(
+          ADAL::SuccessResponse.new(access_token: 'abc', token_type: 'JWT'))
+        cache_driver.add(
+          ADAL::SuccessResponse.new(access_token: 'abc', scope: 'openid'))
+        cache_driver.add(
+          ADAL::SuccessResponse.new(access_token: 'abc',
+                                    resource: 'http://graph.windows.net'))
+      end
+
+      it 'has the correct number of entries' do
+        expect(subject.entries.length).to eq 3
+      end
+
+      it 'reconstructs the entries' do
+        subject.entries.each do |cache_entry|
+          expect(cache_entry.authority.host).to eq authority.host
+          expect(cache_entry.authority.tenant).to eq authority.tenant
+        end
+      end
+    end
+  end
+end

data/spec/adal/mex_request_spec.rb

@@ -0,0 +1,57 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+describe ADAL::MexRequest do
+  describe '#initialize' do
+    context 'with an invalid endpoint' do
+      let(:uri) { 'not a uri' }
+
+      it 'should raise an error' do
+        expect { ADAL::MexRequest.new(uri) }.to raise_error(
+          URI::InvalidURIError)
+      end
+    end
+  end
+
+  describe '#execute' do
+    let(:response_body) { 'response body' }
+    let(:uri) { 'https://abc.def/' }
+
+    before(:each) do
+      @http_request = nil
+      expect_any_instance_of(Net::HTTP).to receive(:request) do |_, req|
+        @http_request = req
+      end.and_return(double(body: response_body))
+      expect(ADAL::MexResponse).to receive(:parse)
+      ADAL::MexRequest.new(uri).execute
+    end
+
+    describe 'http request' do
+      subject { @http_request }
+
+      it { expect(subject['Content-Type']).to eq 'application/soap+xml' }
+      it { expect(subject.path).to eq '/' }
+    end
+  end
+end

data/spec/adal/mex_response_spec.rb

@@ -0,0 +1,143 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+MEX_FIXTURES = File.expand_path('../../fixtures/mex', __FILE__)
+
+describe ADAL::MexResponse do
+  describe '::parse' do
+    let(:response) { File.read(File.expand_path(file_name, MEX_FIXTURES)) }
+
+    context 'with both 1.3 and 2005 endpoints' do
+      let(:file_name) { 'microsoft.xml' }
+      let(:wstrust_url_13) do
+        'https://corp.sts.microsoft.com/adfs/services/trust/13/usernamemixed'
+      end
+
+      it 'should not raise an error' do
+        expect { ADAL::MexResponse.parse(response) }.to_not raise_error
+      end
+
+      it 'should prefer the 1.3 endpoint' do
+        expect(ADAL::MexResponse.parse(response).wstrust_url.to_s)
+          .to eq(wstrust_url_13)
+      end
+    end
+
+    context 'with only 1.3 wstrust endpoint' do
+      let(:file_name) { 'only_13.xml' }
+      let(:wstrust_13_url) do
+        'https://fs.ajmichael.net/adfs/services/trust/13/usernamemixed'
+      end
+
+      it 'should parse the 1.3 wstrust endpoint' do
+        expect(ADAL::MexResponse.parse(response).wstrust_url.to_s)
+          .to eq(wstrust_13_url)
+      end
+    end
+
+    context 'with only 2005 wstrust endpoint' do
+      let(:file_name) { 'only_2005.xml' }
+      let(:wstrust_2005_url) do
+        'https://fs.ajmichael.net/adfs/services/trust/2005/usernamemixed'
+      end
+
+      it 'should parse the 2005 wstrust endpoint' do
+        expect(ADAL::MexResponse.parse(response).wstrust_url.to_s)
+          .to eq(wstrust_2005_url)
+      end
+    end
+
+    context 'with a malformed response' do
+      let(:file_name) { 'malformed.xml' }
+
+      it 'should throw an error' do
+        expect { ADAL::MexResponse.parse(response) }
+          .to raise_error(
+            ADAL::MexResponse::MexError, /No username token policy nodes/)
+      end
+    end
+
+    context 'with insecure address' do
+      let(:file_name) { 'insecureaddress.xml' }
+
+      it 'should throw an error' do
+        expect { ADAL::MexResponse.parse(response) }
+          .to raise_error(ArgumentError)
+      end
+    end
+
+    context 'with invalid namespaces' do
+      let(:file_name) { 'invalid_namespaces.xml' }
+
+      it 'should throw an error' do
+        expect { ADAL::MexResponse.parse(response) }
+          .to raise_error(
+            ADAL::MexResponse::MexError, /No username token policy nodes/)
+      end
+    end
+
+    context 'with no policy nodes' do
+      let(:file_name) { 'no_username_token_policies.xml' }
+
+      it 'should throw an error' do
+        expect { ADAL::MexResponse.parse(response) }
+          .to raise_error(
+            ADAL::MexResponse::MexError, /No username token policy nodes/)
+      end
+    end
+
+    context 'with no wstrust endpoints' do
+      let(:file_name) { 'no_wstrust_endpoints.xml' }
+
+      it 'should throw an error' do
+        expect { ADAL::MexResponse.parse(response) }
+          .to raise_error(
+            ADAL::MexResponse::MexError, /No valid WS-Trust endpoints/)
+      end
+    end
+
+    context 'with no matching bindings' do
+      let(:file_name) { 'no_matching_bindings.xml' }
+
+      it 'should throw an error' do
+        expect { ADAL::MexResponse.parse(response) }
+          .to raise_error(ADAL::MexResponse::MexError, /No matching bindings/)
+      end
+    end
+
+    context 'with multiple valid endpoints' do
+      let(:file_name) { 'multiple_endpoints.xml' }
+      let(:first_wstrust_url) do
+        'https://this.is.first.com/adfs/services/trust/13/usernamemixed'
+      end
+      subject { ADAL::MexResponse.parse(response) }
+
+      it { expect { subject }.to_not raise_error }
+
+      it 'should use the first endpoint' do
+        expect(subject.wstrust_url.to_s).to eq(first_wstrust_url)
+      end
+    end
+  end
+end