diaspora-vines 0.1.2

data/test/storage_test.rb

@@ -0,0 +1,85 @@
+# encoding: UTF-8
+
+require 'storage_tests'
+require 'test_helper'
+
+describe Vines::Storage do
+  ALICE = 'alice@wonderland.lit'.freeze
+
+  class MockLdapStorage < Vines::Storage
+    attr_reader :authenticate_calls, :find_user_calls, :save_user_calls
+
+    def initialize(found_user=nil)
+      @found_user = found_user
+      @authenticate_calls = @find_user_calls = @save_user_calls = 0
+      @ldap = Class.new do
+        attr_accessor :user, :auth
+        def authenticate(username, password)
+          @auth ||= []
+          @auth << [username, password]
+          @user
+        end
+      end.new
+    end
+
+    def authenticate(username, password)
+      @authenticate_calls += 1
+      nil
+    end
+    wrap_ldap :authenticate
+
+    def find_user(jid)
+      @find_user_calls += 1
+      @found_user
+    end
+
+    def save_user(user)
+      @save_user_calls += 1
+    end
+  end
+
+  describe '#authenticate_with_ldap' do
+    it 'fails when given a bad password' do
+      StorageTests::EMLoop.new do
+        storage = MockLdapStorage.new
+        storage.ldap.user = nil
+        user = storage.authenticate(ALICE, 'bogus')
+        assert_nil user
+        assert_equal 0, storage.authenticate_calls
+        assert_equal 0, storage.find_user_calls
+        assert_equal 0, storage.save_user_calls
+        assert_equal [ALICE, 'bogus'], storage.ldap.auth.first
+      end
+    end
+
+    it 'succeeds when user exists in database' do
+      StorageTests::EMLoop.new do
+        alice = Vines::User.new(:jid => ALICE)
+        storage = MockLdapStorage.new(alice)
+        storage.ldap.user = alice
+        user = storage.authenticate(ALICE, 'secr3t')
+        refute_nil user
+        assert_equal ALICE, user.jid.to_s
+        assert_equal 0, storage.authenticate_calls
+        assert_equal 1, storage.find_user_calls
+        assert_equal 0, storage.save_user_calls
+        assert_equal [ALICE, 'secr3t'], storage.ldap.auth.first
+      end
+    end
+
+    it 'succeeds and saves user to the database' do
+      StorageTests::EMLoop.new do
+        alice = Vines::User.new(:jid => ALICE)
+        storage = MockLdapStorage.new
+        storage.ldap.user = alice
+        user = storage.authenticate(ALICE, 'secr3t')
+        refute_nil user
+        assert_equal ALICE, user.jid.to_s
+        assert_equal 0, storage.authenticate_calls
+        assert_equal 1, storage.find_user_calls
+        assert_equal 1, storage.save_user_calls
+        assert_equal [ALICE, 'secr3t'], storage.ldap.auth.first
+      end
+    end
+  end
+end

data/test/store_test.rb

@@ -0,0 +1,130 @@
+# encoding: UTF-8
+
+require 'test_helper'
+
+describe Vines::Store do
+  before do
+    dir = 'conf/certs'
+
+    domain, key = certificate('wonderland.lit')
+    File.open("#{dir}/wonderland.lit.crt", 'w') {|f| f.write(domain) }
+    File.open("#{dir}/wonderland.lit.key", 'w') {|f| f.write(key) }
+
+    wildcard, key = certificate('*.wonderland.lit')
+    File.open("#{dir}/wildcard.lit.crt", 'w') {|f| f.write(wildcard) }
+    File.open("#{dir}/wildcard.lit.key", 'w') {|f| f.write(key) }
+
+    @store = Vines::Store.new('conf/certs')
+  end
+
+  after do
+    %w[wonderland.lit.crt wonderland.lit.key wildcard.lit.crt wildcard.lit.key].each do |f|
+      name = "conf/certs/#{f}"
+      File.delete(name) if File.exists?(name)
+    end
+  end
+
+  it 'parses certificate files' do
+    refute @store.certs.empty?
+    assert_equal OpenSSL::X509::Certificate, @store.certs.first.class
+  end
+
+  it 'ignores expired certificates' do
+    assert @store.certs.all? {|c| c.not_after > Time.new }
+  end
+
+  describe 'files_for_domain' do
+    it 'handles invalid input' do
+      assert_nil @store.files_for_domain(nil)
+      assert_nil @store.files_for_domain('')
+    end
+
+    it 'finds files by name' do
+      refute_nil @store.files_for_domain('wonderland.lit')
+      cert, key = @store.files_for_domain('wonderland.lit')
+      assert_certificate_matches_key cert, key
+      assert_equal 'wonderland.lit.crt', File.basename(cert)
+      assert_equal 'wonderland.lit.key', File.basename(key)
+    end
+
+    it 'finds files for wildcard' do
+      refute_nil @store.files_for_domain('foo.wonderland.lit')
+      cert, key = @store.files_for_domain('foo.wonderland.lit')
+      assert_certificate_matches_key cert, key
+      assert_equal 'wildcard.lit.crt', File.basename(cert)
+      assert_equal 'wildcard.lit.key', File.basename(key)
+    end
+  end
+
+  describe 'domain?' do
+    it 'handles invalid input' do
+      cert, key = certificate('wonderland.lit')
+      refute @store.domain?(nil, nil)
+      refute @store.domain?(cert, nil)
+      refute @store.domain?(cert, '')
+      refute @store.domain?(nil, '')
+      assert @store.domain?(cert, 'wonderland.lit')
+    end
+
+    it 'verifies certificate subject domains' do
+      cert, key = certificate('wonderland.lit')
+      refute @store.domain?(cert, 'bogus')
+      refute @store.domain?(cert, 'www.wonderland.lit')
+      assert @store.domain?(cert, 'wonderland.lit')
+    end
+
+    it 'verifies certificate subject alt domains' do
+      cert, key = certificate('wonderland.lit', 'www.wonderland.lit')
+      refute @store.domain?(cert, 'bogus')
+      refute @store.domain?(cert, 'tea.wonderland.lit')
+      assert @store.domain?(cert, 'www.wonderland.lit')
+      assert @store.domain?(cert, 'wonderland.lit')
+    end
+
+    it 'verifies certificate wildcard domains' do
+      cert, key = certificate('wonderland.lit', '*.wonderland.lit')
+      refute @store.domain?(cert, 'bogus')
+      refute @store.domain?(cert, 'one.two.wonderland.lit')
+      assert @store.domain?(cert, 'tea.wonderland.lit')
+      assert @store.domain?(cert, 'www.wonderland.lit')
+      assert @store.domain?(cert, 'wonderland.lit')
+    end
+  end
+
+  private
+
+  def assert_certificate_matches_key(cert, key)
+    refute_nil cert
+    refute_nil key
+    cert = OpenSSL::X509::Certificate.new(File.read(cert))
+    key = OpenSSL::PKey::RSA.new(File.read(key))
+    assert_equal cert.public_key.to_s, key.public_key.to_s
+  end
+
+  def certificate(domain, altname=nil)
+    # use small key so tests are fast
+    key = OpenSSL::PKey::RSA.generate(256)
+
+    name = OpenSSL::X509::Name.parse("/C=US/ST=Colorado/L=Denver/O=Test/CN=#{domain}")
+    cert = OpenSSL::X509::Certificate.new
+    cert.version = 2
+    cert.subject = name
+    cert.issuer = name
+    cert.serial = Time.now.to_i
+    cert.public_key = key.public_key
+    cert.not_before = Time.now
+    cert.not_after = Time.now + 3600
+
+    if altname
+      factory = OpenSSL::X509::ExtensionFactory.new
+      factory.subject_certificate = cert
+      factory.issuer_certificate = cert
+      cert.extensions = [
+        %w[subjectKeyIdentifier hash],
+        %w[subjectAltName] << [domain, altname].map {|n| "DNS:#{n}" }.join(',')
+      ].map {|k, v| factory.create_ext(k, v) }
+    end
+
+    [cert.to_pem, key.to_pem]
+  end
+end

data/test/stream/client/auth_test.rb

@@ -0,0 +1,137 @@
+# encoding: UTF-8
+
+require 'test_helper'
+
+describe Vines::Stream::Client::Auth do
+  # disable logging for tests
+  Class.new.extend(Vines::Log).log.level = Logger::FATAL
+
+  class MockStorage < Vines::Storage
+    def initialize(raise_error=false)
+      @raise_error = raise_error
+    end
+
+    def authenticate(username, password)
+      username = username.to_s
+      raise 'temp auth fail' if @raise_error
+      user = Vines::User.new(jid: 'alice@wonderland.lit')
+      users = {'alice@wonderland.lit' => 'secr3t'}
+      (users.key?(username) && (users[username] == password)) ? user : nil
+    end
+
+    def find_user(jid)
+    end
+
+    def save_user(user)
+    end
+  end
+
+  subject      { Vines::Stream::Client::Auth.new(stream) }
+  let(:stream) { MiniTest::Mock.new }
+
+  describe 'error handling' do
+    it 'rejects invalid element' do
+      node = node('<bogus/>')
+      -> { subject.node(node) }.must_raise Vines::StreamErrors::NotAuthorized
+    end
+
+    it 'rejects invalid element in sasl namespace' do
+      node = node(%Q{<bogus xmlns="#{Vines::NAMESPACES[:sasl]}"/>})
+      -> { subject.node(node) }.must_raise Vines::StreamErrors::NotAuthorized
+    end
+
+    it 'rejects auth elements missing sasl namespace' do
+      node = node('<auth/>')
+      -> { subject.node(node) }.must_raise Vines::StreamErrors::NotAuthorized
+    end
+
+    it 'rejects auth element with invalid namespace' do
+      node = node('<auth xmlns="bogus"/>')
+      -> { subject.node(node) }.must_raise Vines::StreamErrors::NotAuthorized
+    end
+
+    it 'rejects valid auth element missing mechanism' do
+      stream.expect :error, nil, [Vines::SaslErrors::InvalidMechanism]
+      stream.expect :authentication_mechanisms, ['PLAIN']
+      node = node(%Q{<auth xmlns="#{Vines::NAMESPACES[:sasl]}">tokens</auth>})
+      subject.node(node)
+      stream.verify
+    end
+
+    it 'rejects valid auth element with invalid mechanism' do
+      stream.expect :error, nil, [Vines::SaslErrors::InvalidMechanism]
+      stream.expect :authentication_mechanisms, ['PLAIN']
+      node = node(%Q{<auth xmlns="#{Vines::NAMESPACES[:sasl]}" mechanism="bogus">tokens</auth>})
+      subject.node(node)
+      stream.verify
+    end
+  end
+
+  describe 'plain auth' do
+    it 'rejects valid mechanism missing base64 text' do
+      stream.expect :error, nil, [Vines::SaslErrors::MalformedRequest]
+      node = plain('')
+      subject.node(node)
+      stream.verify
+    end
+
+    it 'rejects invalid base64 text' do
+      stream.expect :error, nil, [Vines::SaslErrors::IncorrectEncoding]
+      stream.expect :authentication_mechanisms, ['PLAIN']
+      node = plain('tokens')
+      subject.node(node)
+      stream.verify
+    end
+
+    it 'rejects invalid password' do
+      stream.expect :storage, MockStorage.new
+      stream.expect :domain, 'wonderland.lit'
+      stream.expect :error, nil, [Vines::SaslErrors::NotAuthorized]
+      stream.expect :authentication_mechanisms, ['PLAIN']
+      node = plain(Base64.strict_encode64("\x00alice\x00bogus"))
+      subject.node(node)
+      stream.verify
+    end
+
+    it 'passes with valid password' do
+      user = Vines::User.new(jid: 'alice@wonderland.lit')
+      stream.expect :reset, nil
+      stream.expect :domain, 'wonderland.lit'
+      stream.expect :storage, MockStorage.new
+      stream.expect :user=, nil, [user]
+      stream.expect :write, nil, [%Q{<success xmlns="#{Vines::NAMESPACES[:sasl]}"/>}]
+      stream.expect :advance, nil, [Vines::Stream::Client::BindRestart]
+      stream.expect :authentication_mechanisms, ['PLAIN']
+      node = plain(Base64.strict_encode64("\x00alice\x00secr3t"))
+      subject.node(node)
+      stream.verify
+    end
+
+    it 'raises policy-violation after max auth attempts is reached' do
+      stream.expect :domain, 'wonderland.lit'
+      stream.expect :storage, MockStorage.new
+      node = -> { plain(Base64.strict_encode64("\x00alice\x00bogus")) }
+
+      stream.expect :authentication_mechanisms, ['PLAIN']
+      stream.expect :error, nil, [Vines::SaslErrors::NotAuthorized]
+      subject.node(node.call)
+      stream.verify
+
+      stream.expect :authentication_mechanisms, ['PLAIN']
+      stream.expect :error, nil, [Vines::SaslErrors::NotAuthorized]
+      subject.node(node.call)
+      stream.verify
+
+      stream.expect :authentication_mechanisms, ['PLAIN']
+      stream.expect :error, nil, [Vines::StreamErrors::PolicyViolation]
+      subject.node(node.call)
+      stream.verify
+    end
+  end
+
+  private
+
+  def plain(authzid)
+    node(%Q{<auth xmlns="#{Vines::NAMESPACES[:sasl]}" mechanism="PLAIN">#{authzid}</auth>})
+  end
+end

data/test/stream/client/ready_test.rb

@@ -0,0 +1,47 @@
+# encoding: UTF-8
+
+require 'test_helper'
+
+describe Vines::Stream::Client::Ready do
+  STANZAS = []
+
+  before do
+    @stream = MiniTest::Mock.new
+    @state = Vines::Stream::Client::Ready.new(@stream, nil)
+    def @state.to_stanza(node)
+      if node.name == 'bogus'
+        nil
+      else
+        stanza = MiniTest::Mock.new
+        stanza.expect(:process, nil)
+        stanza.expect(:validate_to, nil)
+        stanza.expect(:validate_from, nil)
+        STANZAS << stanza
+        stanza
+      end
+    end
+  end
+
+  after do
+    STANZAS.clear
+  end
+
+  it 'processes a valid node' do
+    node = node('<message/>')
+    @state.node(node)
+    assert_equal 1, STANZAS.size
+    assert STANZAS.map {|s| s.verify }.all?
+  end
+
+  it 'raises an unsupported-stanza-type stream error for invalid node' do
+    node = node('<bogus/>')
+    assert_raises(Vines::StreamErrors::UnsupportedStanzaType) { @state.node(node) }
+    assert STANZAS.empty?
+  end
+
+  private
+
+  def node(xml)
+    Nokogiri::XML(xml).root
+  end
+end

data/test/stream/client/session_test.rb

@@ -0,0 +1,27 @@
+# encoding: UTF-8
+
+require 'test_helper'
+
+describe Vines::Stream::Client::Session do
+  subject       { Vines::Stream::Client::Session.new(stream) }
+  let(:another) { Vines::Stream::Client::Session.new(stream) }
+  let(:stream)  { OpenStruct.new(config: nil) }
+
+  describe 'session equality checks' do
+    it 'uses class in equality check' do
+      (subject <=> 42).must_be_nil
+    end
+
+    it 'is equal to itself' do
+      assert subject == subject
+      assert subject.eql?(subject)
+      assert subject.hash == subject.hash
+    end
+
+    it 'is not equal to another session' do
+      refute subject == another
+      refute subject.eql?(another)
+      refute subject.hash == another.hash
+    end
+  end
+end

data/test/stream/component/handshake_test.rb

@@ -0,0 +1,52 @@
+# encoding: UTF-8
+
+require 'test_helper'
+
+describe Vines::Stream::Component::Handshake do
+  subject      { Vines::Stream::Component::Handshake.new(stream) }
+  let(:stream) { MiniTest::Mock.new }
+
+  describe 'when invalid element is received' do
+    it 'raises a not-authorized stream error' do
+      node = node('<message/>')
+       -> { subject.node(node) }.must_raise Vines::StreamErrors::NotAuthorized
+    end
+  end
+
+  describe 'when handshake with no text is received' do
+    it 'raises a not-authorized stream error' do
+      stream.expect :secret, 'secr3t'
+      node = node('<handshake/>')
+      -> { subject.node(node) }.must_raise Vines::StreamErrors::NotAuthorized
+      stream.verify
+    end
+  end
+
+  describe 'when handshake with invalid secret is received' do
+    it 'raises a not-authorized stream error' do
+      stream.expect :secret, 'secr3t'
+      node = node('<handshake>bogus</handshake>')
+      -> { subject.node(node) }.must_raise Vines::StreamErrors::NotAuthorized
+      stream.verify
+    end
+  end
+
+  describe 'when good handshake is received' do
+    let(:router) { MiniTest::Mock.new }
+
+    before do
+      router.expect :<<, nil, [stream]
+      stream.expect :router, router
+      stream.expect :secret, 'secr3t'
+      stream.expect :write, nil, ['<handshake/>']
+      stream.expect :advance, nil, [Vines::Stream::Component::Ready.new(stream)]
+    end
+
+    it 'completes the handshake and advances the stream into the ready state' do
+      node = node('<handshake>secr3t</handshake>')
+      subject.node(node)
+      stream.verify
+      router.verify
+    end
+  end
+end

data/test/stream/component/ready_test.rb

@@ -0,0 +1,103 @@
+# encoding: UTF-8
+
+require 'test_helper'
+
+describe Vines::Stream::Component::Ready do
+  subject      { Vines::Stream::Component::Ready.new(stream, nil) }
+  let(:alice)  { Vines::User.new(jid: 'alice@tea.wonderland.lit') }
+  let(:hatter) { Vines::User.new(jid: 'hatter@wonderland.lit') }
+  let(:stream) { MiniTest::Mock.new }
+  let(:config) do
+    Vines::Config.new do
+      host 'wonderland.lit' do
+        storage(:fs) { dir Dir.tmpdir }
+      end
+    end
+  end
+
+  before do
+    class << stream
+      attr_accessor :config
+    end
+    stream.config = config
+  end
+
+  describe 'when missing to and from addresses' do
+    it 'raises an improper-addressing stream error' do
+      node = node('<message/>')
+      -> { subject.node(node) }.must_raise Vines::StreamErrors::ImproperAddressing
+      stream.verify
+    end
+  end
+
+  describe 'when missing from address' do
+    it 'raises an improper-addressing stream error' do
+      node = node(%q{<message to="hatter@wonderland.lit"/>})
+      -> { subject.node(node) }.must_raise Vines::StreamErrors::ImproperAddressing
+      stream.verify
+    end
+  end
+
+  describe 'when missing to address' do
+    it 'raises an improper-addressing stream error' do
+      node = node(%q{<message from="alice@tea.wonderland.lit"/>})
+      -> { subject.node(node) }.must_raise Vines::StreamErrors::ImproperAddressing
+      stream.verify
+    end
+  end
+
+  describe 'when from address domain does not match component domain' do
+    it 'raises and invalid-from stream error' do
+      stream.expect :remote_domain, 'tea.wonderland.lit'
+      node = node(%q{<message from="alice@bogus.wonderland.lit" to="hatter@wonderland.lit"/>})
+      -> { subject.node(node) }.must_raise Vines::StreamErrors::InvalidFrom
+      stream.verify
+    end
+  end
+
+  describe 'when unrecognized element is received' do
+    it 'raises an unsupported-stanza-type stream error' do
+      node = node('<bogus/>')
+      -> { subject.node(node) }.must_raise Vines::StreamErrors::UnsupportedStanzaType
+      stream.verify
+    end
+  end
+
+  describe 'when addressed to a remote jid' do
+    let(:router) { MiniTest::Mock.new }
+    let(:xml) { node(%q{<message from="alice@tea.wonderland.lit" to="romeo@verona.lit"/>}) }
+
+    before do
+      router.expect :route, nil, [xml]
+      stream.expect :remote_domain, 'tea.wonderland.lit'
+      stream.expect :user=, nil, [alice]
+      stream.expect :router, router
+    end
+
+    it 'routes rather than handle locally' do
+      subject.node(xml)
+      stream.verify
+      router.verify
+    end
+  end
+
+  describe 'when addressed to a local jid' do
+    let(:recipient) { MiniTest::Mock.new }
+    let(:xml) { node(%q{<message from="alice@tea.wonderland.lit" to="hatter@wonderland.lit"/>}) }
+
+    before do
+      recipient.expect :user, hatter
+      recipient.expect :write, nil, [xml]
+      stream.expect :remote_domain, 'tea.wonderland.lit'
+      stream.expect :user=, nil, [alice]
+      stream.expect :user, alice
+      stream.expect :connected_resources, [recipient], [hatter.jid]
+    end
+
+    it 'sends the message to the connected stream' do
+      subject.node(xml)
+      stream.verify
+      recipient.verify
+    end
+  end
+end

data/test/stream/component/start_test.rb

@@ -0,0 +1,39 @@
+# encoding: UTF-8
+
+require 'test_helper'
+
+describe Vines::Stream::Component::Start do
+  before do
+    @stream = MiniTest::Mock.new
+    @state = Vines::Stream::Component::Start.new(@stream)
+  end
+
+  it 'raises not-authorized stream error for invalid element' do
+    node = node('<message/>')
+    assert_raises(Vines::StreamErrors::NotAuthorized) { @state.node(node) }
+  end
+
+  it 'raises not-authorized stream error for missing stream namespace' do
+    node = node('<stream:stream/>')
+    assert_raises(Vines::StreamErrors::NotAuthorized) { @state.node(node) }
+  end
+
+  it 'raises not-authorized stream error for invalid stream namespace' do
+    node = node('<stream:stream xmlns="bogus"/>')
+    assert_raises(Vines::StreamErrors::NotAuthorized) { @state.node(node) }
+  end
+
+  it 'advances the state machine for valid stream header' do
+    node = node(%q{<stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:component:accept" to="tea.wonderland.lit"/>})
+    @stream.expect(:start, nil, [node])
+    @stream.expect(:advance, nil, [Vines::Stream::Component::Handshake.new(@stream)])
+    @state.node(node)
+    assert @stream.verify
+  end
+
+  private
+
+  def node(xml)
+    Nokogiri::XML(xml).root
+  end
+end

data/test/stream/http/auth_test.rb

@@ -0,0 +1,70 @@
+# encoding: UTF-8
+
+require 'test_helper'
+
+describe Vines::Stream::Http::Auth do
+  before do
+    @stream = MiniTest::Mock.new
+    @state = Vines::Stream::Http::Auth.new(@stream, nil)
+  end
+
+  def test_missing_body_raises_error
+    node = node('<presence type="unavailable"/>')
+    @stream.expect(:valid_session?, true, [nil])
+    assert_raises(Vines::StreamErrors::NotAuthorized) { @state.node(node) }
+  end
+
+  def test_body_with_missing_namespace_raises_error
+    node = node('<body rid="42" sid="12"/>')
+    @stream.expect(:valid_session?, true, ['12'])
+    assert_raises(Vines::StreamErrors::NotAuthorized) { @state.node(node) }
+  end
+
+  def test_missing_rid_raises_error
+    node = node('<body xmlns="http://jabber.org/protocol/httpbind" sid="12"/>')
+    @stream.expect(:valid_session?, true, ['12'])
+    assert_raises(Vines::StreamErrors::NotAuthorized) { @state.node(node) }
+  end
+
+  def test_invalid_session_raises_error
+    @stream.expect(:valid_session?, false, ['12'])
+    node = node('<body xmlns="http://jabber.org/protocol/httpbind" rid="42" sid="12"/>')
+    assert_raises(Vines::StreamErrors::NotAuthorized) { @state.node(node) }
+    assert @stream.verify
+  end
+
+  def test_empty_body_raises_error
+    node = node('<body xmlns="http://jabber.org/protocol/httpbind" rid="42" sid="12"/>')
+    @stream.expect(:valid_session?, true, ['12'])
+    @stream.expect(:parse_body, [], [node])
+    assert_raises(Vines::StreamErrors::NotAuthorized) { @state.node(node) }
+    assert @stream.verify
+  end
+
+  def test_body_with_two_children_raises_error
+    node = node('<body xmlns="http://jabber.org/protocol/httpbind" rid="42" sid="12"><message/><message/></body>')
+    message = node('<message/>')
+    @stream.expect(:valid_session?, true, ['12'])
+    @stream.expect(:parse_body, [message, message], [node])
+    assert_raises(Vines::StreamErrors::NotAuthorized) { @state.node(node) }
+    assert @stream.verify
+  end
+
+  def test_valid_body_processes
+    auth = node(%Q{<auth xmlns="#{Vines::NAMESPACES[:sasl]}" mechanism="PLAIN"/>})
+    node = node('<body xmlns="http://jabber.org/protocol/httpbind" rid="42" sid="12"></body>')
+    node << auth
+    @stream.expect(:valid_session?, true, ['12'])
+    @stream.expect(:parse_body, [auth], [node])
+    # this error means we correctly called the parent method Client#node
+    @stream.expect(:error, nil, [Vines::SaslErrors::MalformedRequest.new])
+    @state.node(node)
+    assert @stream.verify
+  end
+
+  private
+
+  def node(xml)
+    Nokogiri::XML(xml).root
+  end
+end