entp-ruby-openid 2.2

data/test/test_nonce.rb

@@ -0,0 +1,89 @@
+require "test_helper"
+require 'openid/store/nonce'
+
+module OpenID
+  class NonceTestCase < Test::Unit::TestCase
+
+     NONCE_RE = /\A\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ/
+
+    def test_mk_nonce
+      nonce = Nonce::mk_nonce
+      assert(nonce.match(NONCE_RE))
+      assert(nonce.size == 26)
+    end
+
+    def test_mk_nonce_time
+      nonce = Nonce::mk_nonce(0)
+      assert(nonce.match(NONCE_RE))
+      assert(nonce.size == 26)
+      assert(nonce.match(/^1970-01-01T00:00:00Z/))
+    end
+
+    def test_split
+      s = '1970-01-01T00:00:00Z'
+      expected_t = 0
+      expected_salt = ''
+      actual_t, actual_salt = Nonce::split_nonce(s)
+      assert_equal(expected_t, actual_t)
+      assert_equal(expected_salt, actual_salt)
+    end
+
+    def test_mk_split
+      t = 42
+      nonce_str = Nonce::mk_nonce(t)
+      assert(nonce_str.match(NONCE_RE))
+      at, salt = Nonce::split_nonce(nonce_str)
+      assert_equal(6, salt.size)
+      assert_equal(t, at)
+    end
+
+    def test_bad_split
+      cases = [
+        '',
+        '1970-01-01T00:00:00+1:00',
+        '1969-01-01T00:00:00Z',
+        '1970-00-01T00:00:00Z',
+        '1970.01-01T00:00:00Z',
+        'Thu Sep  7 13:29:31 PDT 2006',
+        'monkeys',
+        ]
+      cases.each{|c|
+        assert_raises(ArgumentError, c.inspect) { Nonce::split_nonce(c) }
+      }
+    end
+
+    def test_check_timestamp
+      cases = [
+        # exact, no allowed skew
+        ['1970-01-01T00:00:00Z', 0, 0, true],
+
+        # exact, large skew
+        ['1970-01-01T00:00:00Z', 1000, 0, true],
+
+        # no allowed skew, one second old
+        ['1970-01-01T00:00:00Z', 0, 1, false],
+
+        # many seconds old, outside of skew
+        ['1970-01-01T00:00:00Z', 10, 50, false],
+
+        # one second old, one second skew allowed
+        ['1970-01-01T00:00:00Z', 1, 1, true],
+
+        # One second in the future, one second skew allowed
+        ['1970-01-01T00:00:02Z', 1, 1, true],
+
+        # two seconds in the future, one second skew allowed
+        ['1970-01-01T00:00:02Z', 1, 0, false],
+
+        # malformed nonce string
+        ['monkeys', 0, 0, false],
+      ]
+
+      cases.each{|c|
+        (nonce_str, allowed_skew, now, expected) = c
+        actual = Nonce::check_timestamp(nonce_str, allowed_skew, now)
+        assert_equal(expected, actual, c.inspect)
+      }
+    end
+  end
+end

data/test/test_oauth.rb

@@ -0,0 +1,176 @@
+require 'test_helper'
+require 'openid/extensions/oauth'
+require 'openid/message'
+require 'openid/server'
+require 'openid/consumer/responses'
+require 'openid/consumer/discovery'
+
+module OpenID
+  module OAuthTest
+    class OAuthRequestTestCase < Test::Unit::TestCase
+      def setup
+        @req = OAuth::Request.new
+      end
+
+      def test_construct
+        assert_nil(@req.consumer)
+        assert_nil(@req.scope)
+        assert_equal('oauth', @req.ns_alias)
+
+        req2 = OAuth::Request.new("CONSUMER","http://sample.com/some_scope")
+        assert_equal("CONSUMER",req2.consumer)
+        assert_equal("http://sample.com/some_scope",req2.scope)
+      end
+
+      def test_add_consumer
+        @req.consumer="CONSUMER"
+        assert_equal("CONSUMER",@req.consumer)
+      end
+
+      def test_add_scope
+        @req.scope="http://sample.com/some_scope"
+        assert_equal("http://sample.com/some_scope",@req.scope)
+      end
+
+      def test_get_extension_args
+        assert_equal({}, @req.get_extension_args)
+        @req.consumer="CONSUMER"
+        assert_equal({'consumer' => 'CONSUMER'}, @req.get_extension_args)
+        @req.scope="http://sample.com/some_scope"
+        assert_equal({'consumer' => 'CONSUMER', 'scope' => 'http://sample.com/some_scope'}, @req.get_extension_args)
+      end
+
+      def test_parse_extension_args
+        args = {'consumer' => 'CONSUMER', 'scope' => 'http://sample.com/some_scope'}
+        @req.parse_extension_args(args)
+        assert_equal("CONSUMER",@req.consumer)
+        assert_equal("http://sample.com/some_scope",@req.scope)
+      end
+
+      def test_parse_extension_args_empty
+        @req.parse_extension_args({})
+        assert_nil( @req.consumer )
+        assert_nil( @req.scope )
+      end
+
+      def test_from_openid_request
+        openid_req_msg = Message.from_openid_args({
+          'mode' => 'checkid_setup',
+          'ns' => OPENID2_NS,
+          'ns.oauth' => OAuth::NS_URI,
+          'oauth.consumer' => 'CONSUMER',
+          'oauth.scope' => "http://sample.com/some_scope"
+          })
+        oid_req = Server::OpenIDRequest.new
+        oid_req.message = openid_req_msg
+        req = OAuth::Request.from_openid_request(oid_req)
+        assert_equal("CONSUMER",req.consumer)
+        assert_equal("http://sample.com/some_scope",req.scope)
+      end
+
+      def test_from_openid_request_no_oauth
+        message = Message.new
+        openid_req = Server::OpenIDRequest.new
+        openid_req.message = message
+        oauth_req = OAuth::Request.from_openid_request(openid_req)
+        assert(oauth_req.nil?)
+      end
+
+    end
+
+    class DummySuccessResponse
+      attr_accessor :message
+
+      def initialize(message, signed_stuff)
+        @message = message
+        @signed_stuff = signed_stuff
+      end
+
+      def get_signed_ns(ns_uri)
+        return @signed_stuff
+      end
+
+    end
+
+    class OAuthResponseTestCase < Test::Unit::TestCase
+      def setup
+        @req = OAuth::Response.new
+      end
+
+      def test_construct
+        assert_nil(@req.request_token)
+        assert_nil(@req.scope)
+
+        req2 = OAuth::Response.new("REQUESTTOKEN","http://sample.com/some_scope")
+        assert_equal("REQUESTTOKEN",req2.request_token)
+        assert_equal("http://sample.com/some_scope",req2.scope)
+      end
+
+      def test_add_request_token
+        @req.request_token="REQUESTTOKEN"
+        assert_equal("REQUESTTOKEN",@req.request_token)
+      end
+
+      def test_add_scope
+        @req.scope="http://sample.com/some_scope"
+        assert_equal("http://sample.com/some_scope",@req.scope)
+      end
+
+      def test_get_extension_args
+        assert_equal({}, @req.get_extension_args)
+        @req.request_token="REQUESTTOKEN"
+        assert_equal({'request_token' => 'REQUESTTOKEN'}, @req.get_extension_args)
+        @req.scope="http://sample.com/some_scope"
+        assert_equal({'request_token' => 'REQUESTTOKEN', 'scope' => 'http://sample.com/some_scope'}, @req.get_extension_args)
+      end
+
+      def test_parse_extension_args
+        args = {'request_token' => 'REQUESTTOKEN', 'scope' => 'http://sample.com/some_scope'}
+        @req.parse_extension_args(args)
+        assert_equal("REQUESTTOKEN",@req.request_token)
+        assert_equal("http://sample.com/some_scope",@req.scope)
+      end
+
+      def test_parse_extension_args_empty
+        @req.parse_extension_args({})
+        assert_nil( @req.request_token )
+        assert_nil( @req.scope )
+      end
+
+      def test_from_success_response
+
+        openid_req_msg = Message.from_openid_args({
+          'mode' => 'id_res',
+          'ns' => OPENID2_NS,
+          'ns.oauth' => OAuth::NS_URI,
+          'ns.oauth' => OAuth::NS_URI,
+          'oauth.request_token' => 'REQUESTTOKEN',
+          'oauth.scope' => "http://sample.com/some_scope"
+        })
+        signed_stuff = {
+          'request_token' => 'REQUESTTOKEN',
+          'scope' => "http://sample.com/some_scope"
+        }
+        oid_req = DummySuccessResponse.new(openid_req_msg, signed_stuff)
+        req = OAuth::Response.from_success_response(oid_req)
+        assert_equal("REQUESTTOKEN",req.request_token)
+        assert_equal("http://sample.com/some_scope",req.scope)
+      end
+
+      def test_from_success_response_unsigned
+        openid_req_msg = Message.from_openid_args({
+          'mode' => 'id_res',
+          'ns' => OPENID2_NS,
+          'ns.oauth' => OAuth::NS_URI,
+          'oauth.request_token' => 'REQUESTTOKEN',
+          'oauth.scope' => "http://sample.com/some_scope"
+          })
+        signed_stuff = {}
+        endpoint = OpenIDServiceEndpoint.new
+        oid_req = Consumer::SuccessResponse.new(endpoint, openid_req_msg, signed_stuff)
+        req = OAuth::Response.from_success_response(oid_req)
+        assert(req.nil?, req.inspect)
+      end
+    end
+  end
+end

data/test/test_openid_yadis.rb

@@ -0,0 +1,177 @@
+require "test_helper"
+require 'openid/consumer/discovery'
+require 'openid/yadis/services'
+
+module OpenID
+
+  XRDS_BOILERPLATE = <<EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<xrds:XRDS xmlns:xrds="xri://$xrds"
+           xmlns="xri://$xrd*($v*2.0)"
+           xmlns:openid="http://openid.net/xmlns/1.0">
+    <XRD>
+%s
+    </XRD>
+</xrds:XRDS>
+EOF
+
+  def self.mkXRDS(services)
+    return sprintf(XRDS_BOILERPLATE, services)
+  end
+
+  def self.mkService(uris=nil, type_uris=nil, local_id=nil, dent="        ")
+    chunks = [dent, "<Service>\n"]
+    dent2 = dent + "    "
+    if type_uris
+      type_uris.each { |type_uri|
+        chunks += [dent2 + "<Type>", type_uri, "</Type>\n"]
+      }
+    end
+
+    if uris
+      uris.each { |uri|
+        if uri.is_a?(Array)
+          uri, prio = uri
+        else
+          prio = nil
+        end
+
+        chunks += [dent2, "<URI"]
+        if !prio.nil?
+          chunks += [" priority='", str(prio), "'"]
+        end
+        chunks += [">", uri, "</URI>\n"]
+      }
+    end
+
+    if local_id
+      chunks += [dent2, "<openid:Delegate>", local_id, "</openid:Delegate>\n"]
+    end
+
+    chunks += [dent, "</Service>\n"]
+
+    return chunks.join("")
+  end
+
+  # Different sets of server URLs for use in the URI tag
+  SERVER_URL_OPTIONS = [
+                        [], # This case should not generate an endpoint object
+                        ['http://server.url/'],
+                        ['https://server.url/'],
+                        ['https://server.url/', 'http://server.url/'],
+                        ['https://server.url/',
+                         'http://server.url/',
+                         'http://example.server.url/'],
+                       ]
+
+  # Used for generating test data
+  def OpenID.subsets(l)
+    subsets_list = [[]]
+    l.each { |x|
+      subsets_list += subsets_list.collect { |t| [x] + t }
+    }
+
+    return subsets_list
+  end
+
+  # A couple of example extension type URIs. These are not at all
+  # official, but are just here for testing.
+  EXT_TYPES = [
+               'http://janrain.com/extension/blah',
+               'http://openid.net/sreg/1.0',
+              ]
+
+  # Range of valid Delegate tag values for generating test data
+  LOCAL_ID_OPTIONS = [
+                      nil,
+                      'http://vanity.domain/',
+                      'https://somewhere/yadis/',
+                     ]
+
+  class OpenIDYadisTest
+    def initialize(uris, type_uris, local_id)
+      super()
+      @uris = uris
+      @type_uris = type_uris
+      @local_id = local_id
+
+      @yadis_url = 'http://unit.test/'
+
+      # Create an XRDS document to parse
+      services = OpenID.mkService(@uris,
+                                  @type_uris,
+                                  @local_id)
+      @xrds = OpenID.mkXRDS(services)
+    end
+
+    def runTest(testcase)
+      # Parse into endpoint objects that we will check
+      endpoints = Yadis.apply_filter(@yadis_url, @xrds, OpenIDServiceEndpoint)
+
+      # make sure there are the same number of endpoints as URIs. This
+      # assumes that the type_uris contains at least one OpenID type.
+      testcase.assert_equal(@uris.length, endpoints.length)
+
+      # So that we can check equality on the endpoint types
+      type_uris = @type_uris.dup
+      type_uris.sort!
+
+      seen_uris = []
+      endpoints.each { |endpoint|
+        seen_uris << endpoint.server_url
+
+        # All endpoints will have same yadis_url
+        testcase.assert_equal(@yadis_url, endpoint.claimed_id)
+
+        # and local_id
+        testcase.assert_equal(@local_id, endpoint.local_id)
+
+        # and types
+        actual_types = endpoint.type_uris.dup
+        actual_types.sort!
+        testcase.assert_equal(type_uris, actual_types, actual_types.inspect)
+      }
+
+      # So that they will compare equal, because we don't care what
+      # order they are in
+      seen_uris.sort!
+      uris = @uris.dup
+      uris.sort!
+
+      # Make sure we saw all URIs, and saw each one once
+      testcase.assert_equal(uris, seen_uris)
+    end
+  end
+
+  class OpenIDYadisTests < Test::Unit::TestCase
+    def test_openid_yadis
+      data = []
+
+      # All valid combinations of Type tags that should produce an
+      # OpenID endpoint
+      type_uri_options = []
+
+      OpenID.subsets([OPENID_1_0_TYPE, OPENID_1_1_TYPE]).each { |ts|
+        OpenID.subsets(EXT_TYPES).each { |exts|
+          if !ts.empty?
+            type_uri_options << exts + ts
+          end
+        }
+      }
+
+      # All combinations of valid URIs, Type URIs and Delegate tags
+      SERVER_URL_OPTIONS.each { |uris|
+        type_uri_options.each { |type_uris|
+          LOCAL_ID_OPTIONS.each { |local_id|
+            data << [uris, type_uris, local_id]
+          }
+        }
+      }
+
+      data.each { |args|
+        t = OpenIDYadisTest.new(*args)
+        t.runTest(self)
+      }
+    end
+  end
+end

data/test/test_pape.rb

@@ -0,0 +1,248 @@
+require 'test_helper'
+require 'openid/extensions/pape'
+require 'openid/message'
+require 'openid/server'
+require 'openid/consumer/responses'
+
+module OpenID
+  module PAPETest
+    class PapeRequestTestCase < Test::Unit::TestCase
+      def setup
+        @req = PAPE::Request.new
+      end
+
+      def test_construct
+        assert_equal([], @req.preferred_auth_policies)
+        assert_equal(nil, @req.max_auth_age)
+        assert_equal('pape', @req.ns_alias)
+
+        req2 = PAPE::Request.new([PAPE::AUTH_MULTI_FACTOR], 1000)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR], req2.preferred_auth_policies)
+        assert_equal(1000, req2.max_auth_age)
+      end
+
+      def test_add_policy_uri
+        assert_equal([], @req.preferred_auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_MULTI_FACTOR)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR], @req.preferred_auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_MULTI_FACTOR)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR], @req.preferred_auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_PHISHING_RESISTANT)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT], @req.preferred_auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_MULTI_FACTOR)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT], @req.preferred_auth_policies)
+      end
+
+      def test_get_extension_args
+        assert_equal({'preferred_auth_policies' => ''}, @req.get_extension_args)
+        @req.add_policy_uri('http://uri')
+        assert_equal({'preferred_auth_policies' => 'http://uri'}, @req.get_extension_args)
+        @req.add_policy_uri('http://zig')
+        assert_equal({'preferred_auth_policies' => 'http://uri http://zig'}, @req.get_extension_args)
+        @req.max_auth_age = 789
+        assert_equal({'preferred_auth_policies' => 'http://uri http://zig', 'max_auth_age' => '789'}, @req.get_extension_args)
+      end
+
+      def test_parse_extension_args
+        args = {'preferred_auth_policies' => 'http://foo http://bar',
+                'max_auth_age' => '9'}
+        @req.parse_extension_args(args)
+        assert_equal(9, @req.max_auth_age)
+        assert_equal(['http://foo','http://bar'], @req.preferred_auth_policies)
+      end
+
+      def test_parse_extension_args_empty
+        @req.parse_extension_args({})
+        assert_equal(nil, @req.max_auth_age)
+        assert_equal([], @req.preferred_auth_policies)
+      end
+
+      def test_from_openid_request
+        openid_req_msg = Message.from_openid_args({
+          'mode' => 'checkid_setup',
+          'ns' => OPENID2_NS,
+          'ns.pape' => PAPE::NS_URI,
+          'pape.preferred_auth_policies' => [PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT].join(' '),
+          'pape.max_auth_age' => '5476'
+          })
+        oid_req = Server::OpenIDRequest.new
+        oid_req.message = openid_req_msg
+        req = PAPE::Request.from_openid_request(oid_req)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT], req.preferred_auth_policies)
+        assert_equal(5476, req.max_auth_age)
+      end
+
+      def test_from_openid_request_no_pape
+        message = Message.new
+        openid_req = Server::OpenIDRequest.new
+        openid_req.message = message
+        pape_req = PAPE::Request.from_openid_request(openid_req)
+        assert(pape_req.nil?)
+      end
+
+      def test_preferred_types
+        @req.add_policy_uri(PAPE::AUTH_PHISHING_RESISTANT)
+        @req.add_policy_uri(PAPE::AUTH_MULTI_FACTOR)
+        pt = @req.preferred_types([PAPE::AUTH_MULTI_FACTOR,
+                                   PAPE::AUTH_MULTI_FACTOR_PHYSICAL])
+        assert_equal([PAPE::AUTH_MULTI_FACTOR], pt)
+      end
+    end
+
+    class DummySuccessResponse
+      attr_accessor :message
+
+      def initialize(message, signed_stuff)
+        @message = message
+        @signed_stuff = signed_stuff
+      end
+
+      def get_signed_ns(ns_uri)
+        return @signed_stuff
+      end
+
+    end
+
+    class PapeResponseTestCase < Test::Unit::TestCase
+      def setup
+        @req = PAPE::Response.new
+      end
+
+      def test_construct
+        assert_equal([], @req.auth_policies)
+        assert_equal(nil, @req.auth_time)
+        assert_equal('pape', @req.ns_alias)
+        assert_equal(nil, @req.nist_auth_level)
+
+        req2 = PAPE::Response.new([PAPE::AUTH_MULTI_FACTOR], "1983-11-05T12:30:24Z", 3)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR], req2.auth_policies)
+        assert_equal("1983-11-05T12:30:24Z", req2.auth_time)
+        assert_equal(3, req2.nist_auth_level)
+      end
+
+      def test_add_policy_uri
+        assert_equal([], @req.auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_MULTI_FACTOR)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR], @req.auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_MULTI_FACTOR)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR], @req.auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_PHISHING_RESISTANT)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT], @req.auth_policies)
+        @req.add_policy_uri(PAPE::AUTH_MULTI_FACTOR)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT], @req.auth_policies)
+      end
+
+      def test_get_extension_args
+        assert_equal({'auth_policies' => 'none'}, @req.get_extension_args)
+        @req.add_policy_uri('http://uri')
+        assert_equal({'auth_policies' => 'http://uri'}, @req.get_extension_args)
+        @req.add_policy_uri('http://zig')
+        assert_equal({'auth_policies' => 'http://uri http://zig'}, @req.get_extension_args)
+        @req.auth_time =  "1983-11-05T12:30:24Z"
+        assert_equal({'auth_policies' => 'http://uri http://zig', 'auth_time' => "1983-11-05T12:30:24Z"}, @req.get_extension_args)
+        @req.nist_auth_level = 3
+        assert_equal({'auth_policies' => 'http://uri http://zig', 'auth_time' => "1983-11-05T12:30:24Z", 'nist_auth_level' => '3'}, @req.get_extension_args)
+      end
+
+      def test_get_extension_args_error_auth_age
+        @req.auth_time = "the beginning of time"
+        assert_raises(ArgumentError) { @req.get_extension_args }
+      end
+
+      def test_get_extension_args_error_nist_auth_level
+        @req.nist_auth_level = "high as a kite"
+        assert_raises(ArgumentError) { @req.get_extension_args }
+        @req.nist_auth_level = 5
+        assert_raises(ArgumentError) { @req.get_extension_args }
+        @req.nist_auth_level = -1
+        assert_raises(ArgumentError) { @req.get_extension_args }
+      end
+
+      def test_parse_extension_args
+        args = {'auth_policies' => 'http://foo http://bar',
+                'auth_time' => '1983-11-05T12:30:24Z'}
+        @req.parse_extension_args(args)
+        assert_equal('1983-11-05T12:30:24Z', @req.auth_time)
+        assert_equal(['http://foo','http://bar'], @req.auth_policies)
+      end
+
+      def test_parse_extension_args_empty
+        @req.parse_extension_args({})
+        assert_equal(nil, @req.auth_time)
+        assert_equal([], @req.auth_policies)
+      end
+
+      def test_parse_extension_args_strict_bogus1
+        args = {'auth_policies' => 'http://foo http://bar',
+                'auth_time' => 'this one time'}
+        assert_raises(ArgumentError) {
+          @req.parse_extension_args(args, true)
+        }
+      end
+
+      def test_parse_extension_args_strict_bogus2
+        args = {'auth_policies' => 'http://foo http://bar',
+                'auth_time' => '1983-11-05T12:30:24Z',
+                'nist_auth_level' => 'some'}
+        assert_raises(ArgumentError) {
+          @req.parse_extension_args(args, true)
+        }
+      end
+
+      def test_parse_extension_args_strict_good
+        args = {'auth_policies' => 'http://foo http://bar',
+                'auth_time' => '2007-10-11T05:25:18Z',
+                'nist_auth_level' => '0'}
+        @req.parse_extension_args(args, true)
+        assert_equal(['http://foo','http://bar'], @req.auth_policies)
+        assert_equal('2007-10-11T05:25:18Z', @req.auth_time)
+        assert_equal(0, @req.nist_auth_level)
+      end
+
+      def test_parse_extension_args_nostrict_bogus
+        args = {'auth_policies' => 'http://foo http://bar',
+                'auth_time' => 'some time ago',
+                'nist_auth_level' => 'some'}
+        @req.parse_extension_args(args)
+        assert_equal(['http://foo','http://bar'], @req.auth_policies)
+        assert_equal(nil, @req.auth_time)
+        assert_equal(nil, @req.nist_auth_level)
+      end
+
+
+      def test_from_success_response
+
+        openid_req_msg = Message.from_openid_args({
+          'mode' => 'id_res',
+          'ns' => OPENID2_NS,
+          'ns.pape' => PAPE::NS_URI,
+          'pape.auth_policies' => [PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT].join(' '),
+          'pape.auth_time' => '1983-11-05T12:30:24Z'
+          })
+        signed_stuff = {
+          'auth_policies' => [PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT].join(' '),
+          'auth_time' => '1983-11-05T12:30:24Z'
+        }
+        oid_req = DummySuccessResponse.new(openid_req_msg, signed_stuff)
+        req = PAPE::Response.from_success_response(oid_req)
+        assert_equal([PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT], req.auth_policies)
+        assert_equal('1983-11-05T12:30:24Z', req.auth_time)
+      end
+
+      def test_from_success_response_unsigned
+        openid_req_msg = Message.from_openid_args({
+          'mode' => 'id_res',
+          'ns' => OPENID2_NS,
+          'ns.pape' => PAPE::NS_URI,
+          'pape.auth_policies' => [PAPE::AUTH_MULTI_FACTOR, PAPE::AUTH_PHISHING_RESISTANT].join(' '),
+          'pape.auth_time' => '1983-11-05T12:30:24Z'
+          })
+        signed_stuff = {}
+        endpoint = OpenIDServiceEndpoint.new
+        oid_req = Consumer::SuccessResponse.new(endpoint, openid_req_msg, signed_stuff)
+        req = PAPE::Response.from_success_response(oid_req)
+        assert(req.nil?, req.inspect)
+      end
+    end
+  end
+end