icn_saml_idp 0.4.1

data/spec/lib/saml_idp/logout_request_builder_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+require 'saml_idp/logout_request_builder'
+
+module SamlIdp
+  describe LogoutRequestBuilder do
+    before do
+      Timecop.freeze(Time.local(1990))
+    end
+
+    after do
+      Timecop.return
+    end
+
+    let(:response_id) { 'some_response_id' }
+    let(:issuer_uri) { 'http://example.com' }
+    let(:saml_slo_url) { 'http://localhost:3000/saml/logout' }
+    let(:name_id) { 'some_name_id' }
+    let(:algorithm) { OpenSSL::Digest::SHA256 }
+
+    subject do
+      described_class.new(
+        response_id,
+        issuer_uri,
+        saml_slo_url,
+        name_id,
+        algorithm
+      )
+    end
+
+    it "is a valid SloLogoutrequest" do
+      Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+        slo_request = OneLogin::RubySaml::SloLogoutrequest.new(
+          subject.encoded,
+          settings: saml_settings('localhost:3000')
+        )
+        slo_request.soft = false
+        expect(slo_request.is_valid?).to eq true
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/logout_response_builder_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+require 'saml_idp/logout_response_builder'
+
+module SamlIdp
+  describe LogoutResponseBuilder do
+    before do
+      Timecop.freeze(Time.local(1990))
+    end
+
+    after do
+      Timecop.return
+    end
+
+    let(:response_id) { 'some_response_id' }
+    let(:issuer_uri) { 'http://example.com' }
+    let(:saml_slo_url) { 'http://localhost:3000/saml/logout' }
+    let(:request_id) { 'some_request_id' }
+    let(:algorithm) { OpenSSL::Digest::SHA256 }
+
+    subject do
+      described_class.new(
+        response_id,
+        issuer_uri,
+        saml_slo_url,
+        request_id,
+        algorithm
+      )
+    end
+
+    it "is a valid LogoutResponse" do
+      Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+        logout_response = OneLogin::RubySaml::Logoutresponse.new(
+          subject.encoded,
+          saml_settings('localhost:3000')
+        )
+        logout_response.soft = false
+        expect(logout_response.validate).to eq true
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/metadata_builder_spec.rb

@@ -0,0 +1,19 @@
+require 'spec_helper'
+module SamlIdp
+  describe MetadataBuilder do
+    it "has a valid fresh" do
+      subject.fresh.should_not be_empty
+    end
+
+    it "signs valid xml" do
+      Saml::XML::Document.parse(subject.signed).valid_signature?(Default::FINGERPRINT).should be_truthy
+    end
+
+    it "includes logout element" do
+      subject.configurator.single_logout_service_post_location = 'https://example.com/saml/logout'
+      subject.fresh.should match(
+        '<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.com/saml/logout"/>'
+      )
+    end
+  end
+end

data/spec/lib/saml_idp/name_id_formatter_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+module SamlIdp
+  describe NameIdFormatter do
+    subject { described_class.new list }
+
+    describe "with one item" do
+      let(:list) { { email_address: ->() { "foo@example.com" } } }
+
+      it "has a valid all" do
+        subject.all.should == ["urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"]
+      end
+
+    end
+
+    describe "with hash describing versions" do
+      let(:list) {
+        {
+          "1.1" => { email_address: -> {} },
+          "2.0" => { undefined: -> {} },
+        }
+      }
+
+      it "has a valid all" do
+        subject.all.should == [
+          "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+          "urn:oasis:names:tc:SAML:2.0:nameid-format:undefined",
+        ]
+      end
+    end
+
+    describe "with actual list" do
+      let(:list) { [:email_address, :undefined] }
+
+      it "has a valid all" do
+        subject.all.should == [
+          "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress",
+          "urn:oasis:names:tc:SAML:2.0:nameid-format:undefined",
+        ]
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/request_spec.rb

@@ -0,0 +1,106 @@
+require 'spec_helper'
+module SamlIdp
+  describe Request do
+    let(:raw_authn_request) { "<samlp:AuthnRequest AssertionConsumerServiceURL='http://localhost:3000/saml/consume' Destination='http://localhost:1337/saml/auth' ID='_af43d1a0-e111-0130-661a-3c0754403fdb' IssueInstant='2013-08-06T22:01:35Z' Version='2.0' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'><saml:Issuer xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>localhost:3000</saml:Issuer><samlp:NameIDPolicy AllowCreate='true' Format='urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress' xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/><samlp:RequestedAuthnContext Comparison='exact'><saml:AuthnContextClassRef xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>" }
+
+    describe "deflated request" do
+      let(:deflated_request) { Base64.encode64(Zlib::Deflate.deflate(raw_authn_request, 9)[2..-5]) }
+
+      subject { described_class.from_deflated_request deflated_request }
+
+      it "inflates" do
+        subject.request_id.should == "_af43d1a0-e111-0130-661a-3c0754403fdb"
+      end
+
+      it "handles invalid SAML" do
+        req = described_class.from_deflated_request "bang!"
+        req.valid?.should == false
+      end
+    end
+
+    describe "authn request" do
+      subject { described_class.new raw_authn_request }
+
+      it "has a valid request_id" do
+        subject.request_id.should == "_af43d1a0-e111-0130-661a-3c0754403fdb"
+      end
+
+      it "has a valid acs_url" do
+        subject.acs_url.should == "http://localhost:3000/saml/consume"
+      end
+
+      it "has a valid service_provider" do
+        subject.service_provider.should be_a ServiceProvider
+      end
+
+      it "has a valid service_provider" do
+        subject.service_provider.should be_truthy
+      end
+
+      it "has a valid issuer" do
+        subject.issuer.should == "localhost:3000"
+      end
+
+      it "has a valid valid_signature" do
+        subject.valid_signature?.should be_truthy
+      end
+
+      it "should return acs_url for response_url" do
+        subject.response_url.should == subject.acs_url
+      end
+
+      it "is a authn request" do
+        subject.authn_request?.should == true
+      end
+
+      it "fetches internal request" do
+        subject.request['ID'].should == subject.request_id
+      end
+
+      it "has a valid authn context" do
+        subject.requested_authn_context.should == "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+      end
+
+      it "does not permit empty issuer" do
+        raw_req = raw_authn_request.gsub('localhost:3000', '')
+        authn_request = described_class.new raw_req
+        authn_request.issuer.should_not == ''
+        authn_request.issuer.should == nil
+      end
+    end
+
+    describe "logout request" do
+      let(:raw_logout_request) { "<LogoutRequest ID='_some_response_id' Version='2.0' IssueInstant='2010-06-01T13:00:00Z' Destination='http://localhost:3000/saml/logout' xmlns='urn:oasis:names:tc:SAML:2.0:protocol'><Issuer xmlns='urn:oasis:names:tc:SAML:2.0:assertion'>http://example.com</Issuer><NameID xmlns='urn:oasis:names:tc:SAML:2.0:assertion' Format='urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'>some_name_id</NameID><SessionIndex>abc123index</SessionIndex></LogoutRequest>" }
+
+      subject { described_class.new raw_logout_request }
+
+      it "has a valid request_id" do
+        subject.request_id.should == '_some_response_id'
+      end
+
+      it "should be flagged as a logout_request" do
+        subject.logout_request?.should == true
+      end
+
+      it "should have a valid name_id" do
+        subject.name_id.should == 'some_name_id'
+      end
+
+      it "should have a session index" do
+        subject.session_index.should == 'abc123index'
+      end
+
+      it "should have a valid issuer" do
+        subject.issuer.should == 'http://example.com'
+      end
+
+      it "fetches internal request" do
+        subject.request['ID'].should == subject.request_id
+      end
+
+      it "should return logout_url for response_url" do
+        subject.response_url.should == subject.logout_url
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/response_builder_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+module SamlIdp
+  describe ResponseBuilder do
+    let(:response_id) { "abc" }
+    let(:issuer_uri) { "http://example.com" }
+    let(:saml_acs_url) { "http://sportngin.com" }
+    let(:saml_request_id) { "134" }
+    let(:assertion_and_signature) { "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2013-07-31T05:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><signature>stuff</signature><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">jon.phenow@sportngin.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2013-07-31T05:03:00Z\" Recipient=\"http://saml.acs.url\"/></SubjectConfirmation></Subject><Conditions NotBefore=\"2013-07-31T04:59:55Z\" NotOnOrAfter=\"2013-07-31T06:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"><AttributeValue>jon.phenow@sportngin.com</AttributeValue></Attribute></AttributeStatement><AuthnStatment AuthnInstant=\"2013-07-31T05:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatment></Assertion>" }
+    subject { described_class.new(
+      response_id,
+      issuer_uri,
+      saml_acs_url,
+      saml_request_id,
+      assertion_and_signature
+    ) }
+
+    before do
+      Timecop.freeze(Time.local(1990))
+    end
+
+    after do
+      Timecop.return
+    end
+
+
+    it "builds a legit raw XML file" do
+      Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+        subject.raw.should == "<samlp:Response ID=\"_abc\" Version=\"2.0\" IssueInstant=\"2010-06-01T13:00:00Z\" Destination=\"http://sportngin.com\" Consent=\"urn:oasis:names:tc:SAML:2.0:consent:unspecified\" InResponseTo=\"134\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"><Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">http://example.com</Issuer><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status><Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2013-07-31T05:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><signature>stuff</signature><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">jon.phenow@sportngin.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2013-07-31T05:03:00Z\" Recipient=\"http://saml.acs.url\"/></SubjectConfirmation></Subject><Conditions NotBefore=\"2013-07-31T04:59:55Z\" NotOnOrAfter=\"2013-07-31T06:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"><AttributeValue>jon.phenow@sportngin.com</AttributeValue></Attribute></AttributeStatement><AuthnStatment AuthnInstant=\"2013-07-31T05:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatment></Assertion></samlp:Response>"
+      end
+    end
+
+    context "No request ID" do
+      let(:saml_request_id) { nil }
+
+      it "builds a legit raw XML file without a request ID" do
+        Timecop.travel(Time.zone.local(2010, 6, 1, 13, 0, 0)) do
+          subject.raw.should == "<samlp:Response ID=\"_abc\" Version=\"2.0\" IssueInstant=\"2010-06-01T13:00:00Z\" Destination=\"http://sportngin.com\" Consent=\"urn:oasis:names:tc:SAML:2.0:consent:unspecified\" xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"><Issuer xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">http://example.com</Issuer><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status><Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc\" IssueInstant=\"2013-07-31T05:00:00Z\" Version=\"2.0\"><Issuer>http://sportngin.com</Issuer><signature>stuff</signature><Subject><NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">jon.phenow@sportngin.com</NameID><SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"><SubjectConfirmationData InResponseTo=\"123\" NotOnOrAfter=\"2013-07-31T05:03:00Z\" Recipient=\"http://saml.acs.url\"/></SubjectConfirmation></Subject><Conditions NotBefore=\"2013-07-31T04:59:55Z\" NotOnOrAfter=\"2013-07-31T06:00:00Z\"><AudienceRestriction><Audience>http://example.com</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress\"><AttributeValue>jon.phenow@sportngin.com</AttributeValue></Attribute></AttributeStatement><AuthnStatment AuthnInstant=\"2013-07-31T05:00:00Z\" SessionIndex=\"_abc\"><AuthnContext><AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef></AuthnContext></AuthnStatment></Assertion></samlp:Response>"
+        end
+      end
+    end
+  end
+end

data/spec/lib/saml_idp/saml_response_spec.rb

@@ -0,0 +1,68 @@
+require 'spec_helper'
+module SamlIdp
+  describe SamlResponse do
+    let(:reference_id) { "123" }
+    let(:response_id) { "abc" }
+    let(:issuer_uri) { "localhost" }
+    let(:name_id) { "name" }
+    let(:audience_uri) { "localhost/audience" }
+    let(:saml_request_id) { "abc123" }
+    let(:saml_acs_url) { "localhost/acs" }
+    let(:algorithm) { :sha1 }
+    let(:secret_key) { Default::SECRET_KEY }
+    let(:x509_certificate) { Default::X509_CERTIFICATE }
+    let(:xauthn) { Default::X509_CERTIFICATE }
+    let(:authn_context_classref) {
+      Saml::XML::Namespaces::AuthnContext::ClassRef::PASSWORD
+    }
+    let(:expiry) { 3 * 60 * 60 }
+    let (:encryption_opts) do
+      {
+        cert: Default::X509_CERTIFICATE,
+        block_encryption: 'aes256-cbc',
+        key_transport: 'rsa-oaep-mgf1p',
+      }
+    end
+    let(:subject_encrypted) { described_class.new(reference_id,
+                                  response_id,
+                                  issuer_uri,
+                                  name_id,
+                                  audience_uri,
+                                  saml_request_id,
+                                  saml_acs_url,
+                                  algorithm,
+                                  authn_context_classref,
+                                  expiry,
+                                  encryption_opts
+                                 )
+    }
+
+    subject { described_class.new(reference_id,
+                                  response_id,
+                                  issuer_uri,
+                                  name_id,
+                                  audience_uri,
+                                  saml_request_id,
+                                  saml_acs_url,
+                                  algorithm,
+                                  authn_context_classref,
+                                  expiry
+                                 )
+    }
+
+    it "has a valid build" do
+      subject.build.should be_present
+    end
+
+    it "builds encrypted" do
+      subject_encrypted.build.should_not match(audience_uri)
+      encoded_xml = subject_encrypted.build
+      resp_settings = saml_settings(saml_acs_url)
+      resp_settings.private_key = Default::SECRET_KEY
+      resp_settings.issuer = audience_uri
+      saml_resp = OneLogin::RubySaml::Response.new(encoded_xml, settings: resp_settings)
+      saml_resp.soft = false
+      saml_resp.is_valid?.should == true
+    end
+  end
+end

data/spec/lib/saml_idp/service_provider_spec.rb

@@ -0,0 +1,27 @@
+require 'spec_helper'
+module SamlIdp
+  describe ServiceProvider do
+    subject { described_class.new attributes }
+    let(:attributes) { {} }
+
+    it { should respond_to :fingerprint }
+    it { should respond_to :metadata_url }
+    it { should_not be_valid }
+
+    describe "with attributes" do
+      let(:attributes) { { fingerprint: fingerprint, metadata_url: metadata_url } }
+      let(:fingerprint) { Default::FINGERPRINT }
+      let(:metadata_url) { "http://localhost:3000/metadata" }
+
+      it "has a valid fingerprint" do
+        subject.fingerprint.should == fingerprint
+      end
+
+      it "has a valid metadata_url" do
+        subject.metadata_url.should == metadata_url
+      end
+
+      it { should be_valid }
+    end
+  end
+end

data/spec/lib/saml_idp/signable_spec.rb

@@ -0,0 +1,77 @@
+# encoding: utf-8
+require 'spec_helper'
+class MockSignable
+  include SamlIdp::Signable
+
+  def raw
+    builder = Builder::XmlMarkup.new
+    builder.body do |body|
+      sign body
+    end
+  end
+
+  def reference_id
+    "abc"
+  end
+
+  def digest
+    algorithm.digest raw
+  end
+
+  def algorithm
+    OpenSSL::Digest::SHA1
+  end
+end
+
+module SamlIdp
+  describe MockSignable do
+    let(:signature_regex) { %r{<ds:Signature xmlns:ds=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#\">} }
+    let(:info_regex) { %r{<ds:SignedInfo xmlns:ds=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#\">} }
+    let(:canon) do
+      %r{<ds:CanonicalizationMethod Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"><\/ds:CanonicalizationMethod>}
+    end
+    let(:sig_method) do
+      %r{<ds:SignatureMethod Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#rsa-sha1\"><\/ds:SignatureMethod>}
+    end
+    let(:reference) { %r{<ds:Reference URI=\"#_abc\">} }
+    let(:transforms) { %r{<ds:Transforms>} }
+    let(:enveloped) { %r{<ds:Transform Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#enveloped-signature\"><\/ds:Transform>} }
+    let(:c14n) { %r{<ds:Transform Algorithm=\"http:\/\/www.w3.org\/2001\/10\/xml-exc-c14n#\"><\/ds:Transform>} }
+    let(:end_transforms) { %r{<\/ds:Transforms>} }
+    let(:digest_method) { %r{<ds:DigestMethod Algorithm=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1\"><\/ds:DigestMethod>} }
+    let(:digest_value) { %r{<ds:DigestValue>\S+<\/ds:DigestValue>} }
+    let(:end_reference) { %r{<\/ds:Reference>} }
+    let(:end_info) { %r{<\/ds:SignedInfo>} }
+    let(:sig_val) { %r{<ds:SignatureValue>\S+<\/ds:SignatureValue>} }
+    let(:key_info) { %r{<KeyInfo xmlns=\"http:\/\/www.w3.org\/2000\/09\/xmldsig#\">} }
+    let(:x509) { %r{<ds:X509Data><ds:X509Certificate>\S+<\/ds:X509Certificate><\/ds:X509Data>} }
+    let(:end_rest) { %r{<\/KeyInfo><\/ds:Signature>} }
+
+    let(:all_regex) do
+      Regexp.new [
+        signature_regex,
+        info_regex,
+        canon,
+        sig_method,
+        reference,
+        transforms,
+        enveloped,
+        c14n,
+        end_transforms,
+        digest_method,
+        digest_value,
+        end_reference,
+        end_info,
+        sig_val,
+        key_info,
+        x509,
+        end_rest,
+      ].map(&:to_s).join(".*")
+    end
+
+    it "has a valid signed" do
+      subject.signed.should match all_regex
+    end
+
+  end
+end