RubyGems - lyrebird - Versions diffs - 0.0.0 → 1.0.0.alpha1 - Mend

lyrebird 0.0.0 → 1.0.0.alpha1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

checksums.yaml +4 -4
data/.github/workflows/ci.yml +25 -0
data/.github/workflows/publish.yml +20 -0
data/README.md +116 -17
data/Rakefile +8 -1
data/lib/lyrebird/assertion.rb +104 -0
data/lib/lyrebird/certificate.rb +68 -0
data/lib/lyrebird/defaults.rb +41 -0
data/lib/lyrebird/id.rb +9 -0
data/lib/lyrebird/namespaces.rb +14 -0
data/lib/lyrebird/response.rb +66 -0
data/lib/lyrebird/signature.rb +75 -0
data/lib/lyrebird/version.rb +1 -1
data/lib/lyrebird.rb +13 -1
data/lyrebird.gemspec +25 -0
data/test/lyrebird/assertion_test.rb +314 -0
data/test/lyrebird/certificate_test.rb +87 -0
data/test/lyrebird/defaults_test.rb +11 -0
data/test/lyrebird/id_test.rb +11 -0
data/test/lyrebird/response_test.rb +168 -0
data/test/lyrebird/signature_test.rb +137 -0
data/test/test_helper.rb +4 -0
metadata +87 -8

data/test/lyrebird/assertion_test.rb ADDED Viewed

@@ -0,0 +1,314 @@
+# frozen_string_literal: true
+require "test_helper"
+module Lyrebird
+  class AssertionTest < Minitest::Test
+    def setup
+      @assertion = Assertion.new.document
+      @root = @assertion.root
+      @subject = @root.elements["saml:Subject"]
+      @sc = @subject.elements["saml:SubjectConfirmation"]
+      @scd = @sc.elements["saml:SubjectConfirmationData"]
+      @conditions = @root.elements["saml:Conditions"]
+      @audience_restriction = @conditions.elements["saml:AudienceRestriction"]
+      @authn_statement = @root.elements["saml:AuthnStatement"]
+    end
+    def test_root_name
+      assert_equal "Assertion", @root.name
+      assert_equal "saml", @root.prefix
+    end
+    def test_root_namespace
+      assert_equal SAML_ASSERTION_NS, @root.namespace
+    end
+    def test_root_id
+      assert @root.attributes["ID"].start_with?("_")
+    end
+    def test_root_version
+      assert_equal "2.0", @root.attributes["Version"]
+    end
+    def test_root_issue_instant
+      instant = Time.iso8601(@root.attributes["IssueInstant"])
+      assert_in_delta Time.now.to_i, instant.to_i, 1
+    end
+    def test_issuer
+      issuer = @root.elements["saml:Issuer"]
+      assert_equal "Issuer", issuer.name
+      assert_equal "saml", issuer.prefix
+      assert_equal DEFAULTS.issuer, issuer.text
+    end
+    def test_issuer_override
+      assertion = Assertion.new(issuer: "https://test.example.com").document
+      issuer = assertion.root.elements["saml:Issuer"]
+      assert_equal "https://test.example.com", issuer.text
+    end
+    def test_subject
+      assert_equal "Subject", @subject.name
+      assert_equal "saml", @subject.prefix
+    end
+    def test_name_id
+      name_id = @subject.elements["saml:NameID"]
+      assert_equal "NameID", name_id.name
+      assert_equal "saml", name_id.prefix
+      assert_equal DEFAULTS.name_id, name_id.text
+    end
+    def test_name_id_format_default
+      name_id = @subject.elements["saml:NameID"]
+      assert_equal NAMEID_EMAIL, name_id.attributes["Format"]
+    end
+    def test_name_id_override
+      email = "user@test.com"
+      refute_equal email, DEFAULTS.name_id
+      assertion = Assertion.new(name_id: email).document
+      name_id = assertion.root.elements["saml:Subject/saml:NameID"]
+      assert_equal email, name_id.text
+    end
+    def test_name_id_format_override
+      format = NAMEID_PERSISTENT
+      refute_equal format, DEFAULTS.name_id_format
+      assertion = Assertion.new(name_id_format: format).document
+      name_id = assertion.root.elements["saml:Subject/saml:NameID"]
+      assert_equal format, name_id.attributes["Format"]
+    end
+    def test_subject_confirmation
+      assert_equal "SubjectConfirmation", @sc.name
+      assert_equal "saml", @sc.prefix
+    end
+    def test_subject_confirmation_method
+      assert_equal CM_BEARER, @sc.attributes["Method"]
+    end
+    def test_subject_confirmation_data
+      assert_equal "SubjectConfirmationData", @scd.name
+      assert_equal "saml", @scd.prefix
+    end
+    def test_valid_for_default
+      not_on_or_after = Time.iso8601(@scd.attributes["NotOnOrAfter"])
+      expected = Time.now.utc + DEFAULTS.valid_for
+      assert_in_delta expected.to_i, not_on_or_after.to_i, 1
+    end
+    def test_recipient_default
+      assert_equal DEFAULTS.recipient, @scd.attributes["Recipient"]
+    end
+    def test_in_response_to_default
+      assert_equal DEFAULTS.in_response_to, @scd.attributes["InResponseTo"]
+    end
+    def test_recipient_override
+      recipient = "https://custom.example.com/acs"
+      refute_equal recipient, DEFAULTS.recipient
+      assertion = Assertion.new(recipient: recipient).document
+      subject = assertion.root.elements["saml:Subject"]
+      sc = subject.elements["saml:SubjectConfirmation"]
+      scd = sc.elements["saml:SubjectConfirmationData"]
+      assert_equal recipient, scd.attributes["Recipient"]
+    end
+    def test_in_response_to_override
+      in_response_to = "_custom_request"
+      refute_equal in_response_to, DEFAULTS.in_response_to
+      assertion = Assertion.new(in_response_to: in_response_to).document
+      subject = assertion.root.elements["saml:Subject"]
+      sc = subject.elements["saml:SubjectConfirmation"]
+      scd = sc.elements["saml:SubjectConfirmationData"]
+      assert_equal in_response_to, scd.attributes["InResponseTo"]
+    end
+    def test_valid_for_override
+      valid_for = 600 # 10 minutes
+      refute_equal valid_for, DEFAULTS.valid_for
+      assertion = Assertion.new(valid_for: valid_for).document
+      subject = assertion.root.elements["saml:Subject"]
+      sc = subject.elements["saml:SubjectConfirmation"]
+      scd = sc.elements["saml:SubjectConfirmationData"]
+      not_on_or_after = Time.iso8601(scd.attributes["NotOnOrAfter"])
+      expected = Time.now.utc + valid_for
+      assert_in_delta expected.to_i, not_on_or_after.to_i, 1
+    end
+    def test_conditions
+      assert_equal "Conditions", @conditions.name
+      assert_equal "saml", @conditions.prefix
+    end
+    def test_conditions_not_before
+      not_before = Time.iso8601(@conditions.attributes["NotBefore"])
+      assert_in_delta Time.now.to_i, not_before.to_i, 1
+    end
+    def test_conditions_not_on_or_after
+      not_on_or_after = Time.iso8601(@conditions.attributes["NotOnOrAfter"])
+      expected = Time.now.utc + DEFAULTS.valid_for
+      assert_in_delta expected.to_i, not_on_or_after.to_i, 1
+    end
+    def test_conditions_valid_for_override
+      valid_for = 600 # 10 minutes
+      refute_equal valid_for, DEFAULTS.valid_for
+      assertion = Assertion.new(valid_for: valid_for).document
+      conditions = assertion.root.elements["saml:Conditions"]
+      not_on_or_after = Time.iso8601(conditions.attributes["NotOnOrAfter"])
+      expected = Time.now.utc + valid_for
+      assert_in_delta expected.to_i, not_on_or_after.to_i, 1
+    end
+    def test_audience_restriction
+      assert_equal "AudienceRestriction", @audience_restriction.name
+      assert_equal "saml", @audience_restriction.prefix
+    end
+    def test_audience
+      audience = @audience_restriction.elements["saml:Audience"]
+      assert_equal "Audience", audience.name
+      assert_equal "saml", audience.prefix
+      assert_equal DEFAULTS.audience, audience.text
+    end
+    def test_audience_override
+      audience = "https://custom.sp.example.com"
+      refute_equal audience, DEFAULTS.audience
+      assertion = Assertion.new(audience: audience).document
+      conditions = assertion.root.elements["saml:Conditions"]
+      ar = conditions.elements["saml:AudienceRestriction"]
+      assert_equal audience, ar.elements["saml:Audience"].text
+    end
+    def test_authn_statement
+      assert_equal "AuthnStatement", @authn_statement.name
+      assert_equal "saml", @authn_statement.prefix
+    end
+    def test_authn_statement_authn_instant
+      authn_instant = Time.iso8601(@authn_statement.attributes["AuthnInstant"])
+      assert_in_delta Time.now.to_i, authn_instant.to_i, 1
+    end
+    def test_authn_statement_session_index
+      assert @authn_statement.attributes["SessionIndex"].start_with?("_")
+    end
+    def test_authn_context
+      authn_context = @authn_statement.elements["saml:AuthnContext"]
+      assert_equal "AuthnContext", authn_context.name
+      assert_equal "saml", authn_context.prefix
+    end
+    def test_authn_context_class_ref
+      ac = @authn_statement.elements["saml:AuthnContext"]
+      class_ref = ac.elements["saml:AuthnContextClassRef"]
+      assert_equal "AuthnContextClassRef", class_ref.name
+      assert_equal "saml", class_ref.prefix
+      assert_equal DEFAULTS.authn_context, class_ref.text
+    end
+    def test_authn_context_override
+      custom_ref = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+      refute_equal custom_ref, DEFAULTS.authn_context
+      assertion = Assertion.new(authn_context: custom_ref).document
+      as = assertion.root.elements["saml:AuthnStatement"]
+      ac = as.elements["saml:AuthnContext"]
+      class_ref = ac.elements["saml:AuthnContextClassRef"]
+      assert_equal custom_ref, class_ref.text
+    end
+    def test_default_attributes
+      as = @root.elements["saml:AttributeStatement"]
+      attrs = as.elements.to_a("saml:Attribute")
+      assert_equal 2, attrs.size
+      first = attrs.find { |a| a.attributes["Name"] == "first_name" }
+      assert_equal "Test", first.elements["saml:AttributeValue"].text
+      last = attrs.find { |a| a.attributes["Name"] == "last_name" }
+      assert_equal "User", last.elements["saml:AttributeValue"].text
+    end
+    def test_no_attribute_statement_when_empty
+      assertion = Assertion.new(attributes: {}).document
+      assert_nil assertion.root.elements["saml:AttributeStatement"]
+    end
+    def test_attribute_statement_with_single_value
+      attributes = { "email" => "user@example.com" }
+      assertion = Assertion.new(attributes: attributes).document
+      as = assertion.root.elements["saml:AttributeStatement"]
+      assert_equal "AttributeStatement", as.name
+      assert_equal "saml", as.prefix
+    end
+    def test_attribute_name_and_format
+      attributes = { "email" => "user@example.com" }
+      assertion = Assertion.new(attributes: attributes).document
+      attr = assertion.root.elements["saml:AttributeStatement/saml:Attribute"]
+      assert_equal "Attribute", attr.name
+      assert_equal "saml", attr.prefix
+      assert_equal "email", attr.attributes["Name"]
+      assert_equal ATTR_NAME_FORMAT, attr.attributes["NameFormat"]
+    end
+    def test_attribute_single_value
+      attributes = { "email" => "user@example.com" }
+      assertion = Assertion.new(attributes: attributes).document
+      attr = assertion.root.elements["saml:AttributeStatement/saml:Attribute"]
+      value = attr.elements["saml:AttributeValue"]
+      assert_equal "AttributeValue", value.name
+      assert_equal "saml", value.prefix
+      assert_equal "user@example.com", value.text
+    end
+    def test_attribute_multi_value
+      attributes = { "groups" => ["admin", "users", "developers"] }
+      assertion = Assertion.new(attributes: attributes).document
+      attr = assertion.root.elements["saml:AttributeStatement/saml:Attribute"]
+      values = attr.elements.to_a("saml:AttributeValue")
+      assert_equal 3, values.size
+      assert_equal "admin", values[0].text
+      assert_equal "users", values[1].text
+      assert_equal "developers", values[2].text
+    end
+    def test_multiple_attributes
+      attributes = {
+        email: "user@example.com",
+        name: "Test User",
+        groups: ["admin", "users"]
+      }
+      assertion = Assertion.new(attributes: attributes).document
+      as = assertion.root.elements["saml:AttributeStatement"]
+      attrs = as.elements.to_a("saml:Attribute")
+      assert_equal 3, attrs.size
+      email_attr = attrs.find { |a| a.attributes["Name"] == "email" }
+      email_value = email_attr.elements["saml:AttributeValue"].text
+      assert_equal "user@example.com", email_value
+      name_attr = attrs.find { |a| a.attributes["Name"] == "name" }
+      name_value = name_attr.elements["saml:AttributeValue"].text
+      assert_equal "Test User", name_value
+      groups_attr = attrs.find { |a| a.attributes["Name"] == "groups" }
+      group_values = groups_attr.elements.to_a("saml:AttributeValue")
+      assert_equal 2, group_values.size
+      assert_equal "admin", group_values[0].text
+      assert_equal "users", group_values[1].text
+    end
+  end
+end

data/test/lyrebird/certificate_test.rb ADDED Viewed

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+require "test_helper"
+module Lyrebird
+  class CertificateTest < Minitest::Test
+    def setup
+      @certificate = Certificate.generate
+    end
+    def test_private_key_is_rsa
+      assert_instance_of OpenSSL::PKey::RSA, @certificate.private_key
+    end
+    def test_private_key_defaults_to_2048_bits
+      assert_equal 2048, @certificate.private_key.n.num_bits
+    end
+    def test_private_key_with_custom_bits
+      certificate = Certificate.generate(bits: 4096)
+      assert_equal 4096, certificate.private_key.n.num_bits
+    end
+    def test_certificate_is_x509
+      assert_instance_of OpenSSL::X509::Certificate, @certificate.certificate
+    end
+    def test_certificate_not_before_is_now
+      assert_in_delta Time.now, @certificate.certificate.not_before, 1
+    end
+    def test_certificate_not_after_is_one_year_from_now
+      one_year = 365 * 24 * 60 * 60
+      assert_in_delta Time.now + one_year, @certificate.certificate.not_after, 1
+    end
+    def test_certificate_is_signed
+      assert @certificate.certificate.verify(@certificate.private_key)
+    end
+    def test_certificate_with_custom_subject
+      certificate = Certificate.generate(cn: "Test", o: "Acme")
+      assert_equal "/CN=Test/O=Acme", certificate.certificate.subject.to_s
+    end
+    def test_certificate_with_custom_valid_for
+      certificate = Certificate.generate(valid_for: 30).certificate
+      thirty_days = 30 * 24 * 60 * 60
+      assert_in_delta Time.now + thirty_days, certificate.not_after, 1
+    end
+    def test_certificate_with_valid_until
+      valid_until = Time.new(2030, 1, 1)
+      certificate = Certificate.generate(valid_until: valid_until)
+      assert_equal valid_until, certificate.certificate.not_after
+    end
+    def test_private_key_pem
+      assert @certificate.private_key_pem.start_with?("-----BEGIN")
+    end
+    def test_certificate_pem
+      assert @certificate.certificate_pem.start_with?("-----BEGIN")
+    end
+    def test_fingerprint
+      der = @certificate.certificate.to_der
+      expected = OpenSSL::Digest::SHA256.hexdigest(der)
+      assert_equal expected, @certificate.fingerprint
+    end
+    def test_base64
+      der = @certificate.certificate.to_der
+      expected = Base64.strict_encode64(der)
+      assert_equal expected, @certificate.base64
+    end
+    def test_load
+      certificate = Certificate.load(
+        private_key_pem: @certificate.private_key_pem,
+        certificate_pem: @certificate.certificate_pem,
+      )
+      assert_equal @certificate.fingerprint, certificate.fingerprint
+    end
+  end
+end

data/test/lyrebird/defaults_test.rb ADDED Viewed

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+require "test_helper"
+module Lyrebird
+  class DefaultsTest < Minitest::Test
+    def test_issuer
+      assert_equal "https://idp.example.com", DEFAULTS.issuer
+    end
+  end
+end

data/test/lyrebird/id_test.rb ADDED Viewed

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+require "test_helper"
+module Lyrebird
+  class IDTest < Minitest::Test
+    def test_generate_starts_with_underscore
+      assert ID.generate.start_with?("_")
+    end
+  end
+end

data/test/lyrebird/response_test.rb ADDED Viewed

@@ -0,0 +1,168 @@
+# frozen_string_literal: true
+require "test_helper"
+module Lyrebird
+  class ResponseTest < Minitest::Test
+    def setup
+      @response = Response.new
+      @root = @response.document.root
+    end
+    def test_mimic_returns_base64
+      encoded = @response.mimic
+      decoded = Base64.strict_decode64(encoded)
+      assert decoded.include?("<samlp:Response")
+      assert decoded.include?("<saml:Assertion")
+    end
+    def test_root_name
+      assert_equal "Response", @root.name
+      assert_equal "samlp", @root.prefix
+    end
+    def test_root_namespace
+      assert_equal SAML_PROTOCOL_NS, @root.namespace
+    end
+    def test_saml_namespace_declared
+      assert_equal SAML_ASSERTION_NS, @root.namespace("saml")
+    end
+    def test_root_id
+      assert @root.attributes["ID"].start_with?("_")
+    end
+    def test_root_version
+      assert_equal "2.0", @root.attributes["Version"]
+    end
+    def test_root_issue_instant
+      instant = Time.iso8601(@root.attributes["IssueInstant"])
+      assert_in_delta Time.now.to_i, instant.to_i, 1
+    end
+    def test_destination_default
+      assert_equal DEFAULTS.recipient, @root.attributes["Destination"]
+    end
+    def test_destination_override
+      destination = "https://test.example.com/acs"
+      refute_equal destination, DEFAULTS.recipient
+      root = Response.new(destination: destination).document.root
+      assert_equal destination, root.attributes["Destination"]
+    end
+    def test_in_response_to_default
+      assert_equal DEFAULTS.in_response_to, @root.attributes["InResponseTo"]
+    end
+    def test_in_response_to_override
+      in_response_to = "_test_request"
+      refute_equal in_response_to, DEFAULTS.in_response_to
+      root = Response.new(in_response_to: in_response_to).document.root
+      assert_equal in_response_to, root.attributes["InResponseTo"]
+    end
+    def test_issuer
+      issuer = @root.elements["saml:Issuer"]
+      assert_equal "Issuer", issuer.name
+      assert_equal "saml", issuer.prefix
+      assert_equal DEFAULTS.issuer, issuer.text
+    end
+    def test_issuer_override
+      url = "https://test.idp.example.com"
+      refute_equal url, DEFAULTS.issuer
+      root = Response.new(issuer: url).document.root
+      issuer = root.elements["saml:Issuer"]
+      assert_equal url, issuer.text
+    end
+    def test_status
+      status = @root.elements["samlp:Status"]
+      assert_equal "Status", status.name
+      assert_equal "samlp", status.prefix
+    end
+    def test_status_code
+      status_code = @root.elements["samlp:Status/samlp:StatusCode"]
+      assert_equal "StatusCode", status_code.name
+      assert_equal "samlp", status_code.prefix
+      assert_equal STATUS_SUCCESS, status_code.attributes["Value"]
+    end
+    def test_assertion_embedded
+      assertion = @root.elements["saml:Assertion"]
+      assert_equal "Assertion", assertion.name
+      assert_equal "saml", assertion.prefix
+    end
+    def test_assertion_has_id
+      assertion = @root.elements["saml:Assertion"]
+      assert assertion.attributes["ID"].start_with?("_")
+    end
+    def test_assertion_inherits_issuer
+      url = "https://test.idp.example.com"
+      refute_equal url, DEFAULTS.issuer
+      root = Response.new(issuer: url).document.root
+      assertion = root.elements["saml:Assertion"]
+      issuer = assertion.elements["saml:Issuer"]
+      assert_equal url, issuer.text
+    end
+    def test_assertion_options_flow_through
+      email = "test@example.com"
+      refute_equal email, DEFAULTS.name_id
+      root = Response.new(name_id: email).document.root
+      assertion = root.elements["saml:Assertion"]
+      name_id = assertion.elements["saml:Subject/saml:NameID"]
+      assert_equal email, name_id.text
+    end
+    def test_assertion_unsigned_by_default
+      assertion = @root.elements["saml:Assertion"]
+      assert_nil assertion.elements["ds:Signature"]
+    end
+    def test_sign_assertion_adds_signature
+      cert = Certificate.generate
+      root = Response.new(certificate: cert, sign_assertion: true).document.root
+      assertion = root.elements["saml:Assertion"]
+      signature = assertion.elements["ds:Signature"]
+      assert_equal "Signature", signature.name
+      assert_equal "ds", signature.prefix
+    end
+    def test_response_unsigned_by_default
+      assert_nil @root.elements["ds:Signature"]
+    end
+    def test_sign_response_adds_signature
+      args = { certificate: Certificate.generate, sign_response: true }
+      root = Response.new(**args).document.root
+      signature = root.elements["ds:Signature"]
+      assert_equal "Signature", signature.name
+      assert_equal "ds", signature.prefix
+    end
+    def test_sign_both_response_and_assertion
+      args = {
+        certificate: Certificate.generate,
+        sign_assertion: true,
+        sign_response: true
+      }
+      root = Response.new(**args).document.root
+      refute_nil root.elements["ds:Signature"]
+      refute_nil root.elements["saml:Assertion/ds:Signature"]
+    end
+    def test_sign_neither_response_nor_assertion
+      root = Response.new(certificate: Certificate.generate).document.root
+      assert_nil root.elements["ds:Signature"]
+      assert_nil root.elements["saml:Assertion/ds:Signature"]
+    end
+  end
+end