lyrebird 1.0.0.alpha2 → 1.0.0

data/test/lyrebird/certificate_test.rb

@@ -5,83 +5,116 @@ require "test_helper"
 module Lyrebird
   class CertificateTest < Minitest::Test
     def setup
-      @certificate = Certificate.generate
+      unless defined?(@@shared)
+        @@shared = Certificate.build
+        @@created_at = Time.now.utc
+      end
+
+      @certificate = @@shared
+      @created_at = @@created_at
+    end
+
+    def test_key_is_rsa
+      assert_instance_of OpenSSL::PKey::RSA, @certificate.key
+    end
+
+    def test_key_defaults_to_2048_bits
+      assert_equal 2048, @certificate.key.n.num_bits
     end
 
-    def test_private_key_is_rsa
-      assert_instance_of OpenSSL::PKey::RSA, @certificate.private_key
+    def test_key_with_custom_bits
+      certificate = Certificate.build(bits: 4096)
+      assert_equal 4096, certificate.key.n.num_bits
     end
 
-    def test_private_key_defaults_to_2048_bits
-      assert_equal 2048, @certificate.private_key.n.num_bits
+    def test_x509_is_x509
+      assert_instance_of OpenSSL::X509::Certificate, @certificate.x509
     end
 
-    def test_private_key_with_custom_bits
-      certificate = Certificate.generate(bits: 4096)
-      assert_equal 4096, certificate.private_key.n.num_bits
+    def test_x509_version_is_v3
+      assert_equal 2, @certificate.x509.version
     end
 
-    def test_certificate_is_x509
-      assert_instance_of OpenSSL::X509::Certificate, @certificate.certificate
+    def test_x509_has_serial_number
+      refute_nil @certificate.x509.serial
+      assert @certificate.x509.serial.to_i > 0
     end
 
-    def test_certificate_not_before_is_now
-      assert_in_delta Time.now, @certificate.certificate.not_before, 1
+    def test_x509_not_before_is_now
+      assert_in_delta @created_at, @certificate.x509.not_before, 1
     end
 
-    def test_certificate_not_after_is_one_year_from_now
-      one_year = 365 * 24 * 60 * 60
-      assert_in_delta Time.now + one_year, @certificate.certificate.not_after, 1
+    def test_x509_not_after_is_one_year_from_now
+      expected = @created_at + (365 * 24 * 60 * 60)
+      assert_in_delta expected, @certificate.x509.not_after, 1
     end
 
-    def test_certificate_is_signed
-      assert @certificate.certificate.verify(@certificate.private_key)
+    def test_x509_is_signed
+      assert @certificate.x509.verify(@certificate.key)
     end
 
-    def test_certificate_with_custom_subject
-      certificate = Certificate.generate(cn: "Test", o: "Acme")
-      assert_equal "/CN=Test/O=Acme", certificate.certificate.subject.to_s
+    def test_sign
+      data = "test"
+      signature = @certificate.sign(data)
+      public_key = @certificate.x509.public_key
+      assert public_key.verify("SHA256", signature, data)
     end
 
-    def test_certificate_with_custom_valid_for
-      certificate = Certificate.generate(valid_for: 30).certificate
-      thirty_days = 30 * 24 * 60 * 60
-      assert_in_delta Time.now + thirty_days, certificate.not_after, 1
+    def test_x509_with_custom_subject
+      certificate = Certificate.build(cn: "Test", o: "Acme")
+      subject = certificate.x509.subject.to_s
+      assert_equal "/CN=Test/O=Acme", subject
     end
 
-    def test_certificate_with_valid_until
+    def test_x509_with_custom_valid_for
+      certificate = Certificate.build(valid_for: 30).x509
+      expected = Time.now.utc + (30 * 24 * 60 * 60)
+      assert_in_delta expected, certificate.not_after, 1
+    end
+
+    def test_x509_with_valid_until
       valid_until = Time.new(2030, 1, 1)
-      certificate = Certificate.generate(valid_until: valid_until)
-      assert_equal valid_until, certificate.certificate.not_after
+      certificate = Certificate.build(valid_until: valid_until)
+      assert_equal valid_until, certificate.x509.not_after
     end
 
-    def test_private_key_pem
-      assert @certificate.private_key_pem.start_with?("-----BEGIN")
+    def test_key_pem
+      assert @certificate.key_pem.start_with?("-----BEGIN")
     end
 
-    def test_certificate_pem
-      assert @certificate.certificate_pem.start_with?("-----BEGIN")
+    def test_x509_pem
+      assert @certificate.x509_pem.start_with?("-----BEGIN")
     end
 
     def test_fingerprint
-      der = @certificate.certificate.to_der
+      der = @certificate.x509.to_der
       expected = OpenSSL::Digest::SHA256.hexdigest(der)
       assert_equal expected, @certificate.fingerprint
     end
 
     def test_base64
-      der = @certificate.certificate.to_der
+      der = @certificate.x509.to_der
       expected = Base64.strict_encode64(der)
       assert_equal expected, @certificate.base64
     end
 
+    def test_build_with_block
+      certificate = Certificate.build do |c|
+        c.cn = "Name"
+        c.o = "Org"
+      end
+
+      subject = certificate.x509.subject.to_s
+      assert_equal "/CN=Name/O=Org", subject
+    end
+
     def test_load
-      certificate = Certificate.load(
-        private_key_pem: @certificate.private_key_pem,
-        certificate_pem: @certificate.certificate_pem,
+      loaded = Certificate.load(
+        key_pem: @certificate.key_pem,
+        x509_pem: @certificate.x509_pem,
       )
 
-      assert_equal @certificate.fingerprint, certificate.fingerprint
+      assert_equal @certificate.fingerprint, loaded.fingerprint
     end
   end
 end

data/test/lyrebird/defaults_test.rb

@@ -7,5 +7,52 @@ module Lyrebird
     def test_issuer
       assert_equal "https://idp.example.com", DEFAULTS.issuer
     end
+
+    def test_name_id
+      assert_equal "user@example.com", DEFAULTS.name_id
+    end
+
+    def test_name_id_format
+      assert_equal NAMEID_EMAIL, DEFAULTS.name_id_format
+    end
+
+    def test_recipient
+      assert_equal "https://sp.example.com/acs", DEFAULTS.recipient
+    end
+
+    def test_in_response_to
+      assert_equal "_request_id", DEFAULTS.in_response_to
+    end
+
+    def test_valid_for
+      assert_equal 300, DEFAULTS.valid_for
+    end
+
+    def test_audience
+      assert_equal "https://sp.example.com", DEFAULTS.audience
+    end
+
+    def test_authn_context
+      expected = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
+      assert_equal expected, DEFAULTS.authn_context
+    end
+
+    def test_attributes
+      expected = { first_name: "Test", last_name: "User" }
+      assert_equal expected, DEFAULTS.attributes
+    end
+  end
+
+  class ConfigureTest < Minitest::Test
+    def test_configure_yields_defaults
+      yielded = nil
+      Lyrebird.configure { |d| yielded = d }
+      assert_same DEFAULTS, yielded
+    end
+
+    def test_configure_freezes_defaults
+      Lyrebird.configure { |d| }
+      assert DEFAULTS.frozen?
+    end
   end
 end

data/test/lyrebird/encryption_test.rb

@@ -4,69 +4,82 @@ require "test_helper"
 
 module Lyrebird
   class EncryptionTest < Minitest::Test
+    NS = {
+      "saml" => SAML_ASSERTION_NS,
+      "xenc" => XMLENC_NS,
+      "ds" => XMLDSIG_NS
+    }.freeze
+
     def setup
-      @assertion = Assertion.new.document
-      @element = @assertion.root
-      @certificate = Certificate.generate
-      @encrypted = Encryption.new(@element, @certificate).encrypt
-      @ed = @encrypted.elements["xenc:EncryptedData"]
-      @ki = @ed.elements["ds:KeyInfo"]
-      @ek = @ki.elements["xenc:EncryptedKey"]
-      @cd = @ed.elements["xenc:CipherData"]
+      unless defined?(@@certificate)
+        @@assertion = Assertion.new.document
+        @@element = @@assertion.root
+        @@certificate = Certificate.build
+        @@encrypted = Encryption.new(@@element, @@certificate).encrypt
+      end
+
+      @assertion = @@assertion
+      @element = @@element
+      @certificate = @@certificate
+      @encrypted = @@encrypted
+      @ed = @encrypted.at_xpath("xenc:EncryptedData", NS)
+      @ki = @ed.at_xpath("ds:KeyInfo", NS)
+      @ek = @ki.at_xpath("xenc:EncryptedKey", NS)
+      @cd = @ed.at_xpath("xenc:CipherData", NS)
     end
 
     def test_returns_encrypted_assertion_element
       assert_equal "EncryptedAssertion", @encrypted.name
-      assert_equal "saml", @encrypted.prefix
+      assert_equal "saml", @encrypted.namespace.prefix
     end
 
     def test_encrypted_assertion_namespace
-      assert_equal SAML_ASSERTION_NS, @encrypted.namespace
+      assert_equal SAML_ASSERTION_NS, @encrypted.namespace.href
     end
 
     def test_encrypted_data_element
       assert_equal "EncryptedData", @ed.name
-      assert_equal "xenc", @ed.prefix
+      assert_equal "xenc", @ed.namespace.prefix
     end
 
     def test_encrypted_data_namespace
-      assert_equal XMLENC_NS, @ed.namespace
+      assert_equal XMLENC_NS, @ed.namespace.href
     end
 
     def test_encrypted_data_type
-      assert_equal "#{XMLENC_NS}Element", @ed.attributes["Type"]
+      assert_equal "#{XMLENC_NS}Element", @ed["Type"]
     end
 
     def test_encryption_method_element
-      em = @ed.elements["xenc:EncryptionMethod"]
+      em = @ed.at_xpath("xenc:EncryptionMethod", NS)
       assert_equal "EncryptionMethod", em.name
-      assert_equal "xenc", em.prefix
+      assert_equal "xenc", em.namespace.prefix
     end
 
     def test_encryption_method_algorithm
-      em = @ed.elements["xenc:EncryptionMethod"]
-      assert_equal AES256_CBC, em.attributes["Algorithm"]
+      em = @ed.at_xpath("xenc:EncryptionMethod", NS)
+      assert_equal AES256_CBC, em["Algorithm"]
     end
 
     def test_cipher_data_element
       assert_equal "CipherData", @cd.name
-      assert_equal "xenc", @cd.prefix
+      assert_equal "xenc", @cd.namespace.prefix
     end
 
     def test_cipher_value_element
-      cv = @cd.elements["xenc:CipherValue"]
+      cv = @cd.at_xpath("xenc:CipherValue", NS)
       assert_equal "CipherValue", cv.name
-      assert_equal "xenc", cv.prefix
+      assert_equal "xenc", cv.namespace.prefix
     end
 
     def test_cipher_value_is_base64
-      cv = @cd.elements["xenc:CipherValue"]
+      cv = @cd.at_xpath("xenc:CipherValue", NS)
       decoded = Base64.strict_decode64(cv.text)
       assert decoded.bytesize > 16
     end
 
     def test_cipher_value_starts_with_iv
-      cv = @cd.elements["xenc:CipherValue"]
+      cv = @cd.at_xpath("xenc:CipherValue", NS)
       decoded = Base64.strict_decode64(cv.text)
       iv = decoded[0, 16]
       assert_equal 16, iv.bytesize
@@ -74,50 +87,50 @@ module Lyrebird
 
     def test_key_info_element
       assert_equal "KeyInfo", @ki.name
-      assert_equal "ds", @ki.prefix
+      assert_equal "ds", @ki.namespace.prefix
     end
 
     def test_key_info_namespace
-      assert_equal XMLDSIG_NS, @ki.namespace
+      assert_equal XMLDSIG_NS, @ki.namespace.href
     end
 
     def test_encrypted_key_element
       assert_equal "EncryptedKey", @ek.name
-      assert_equal "xenc", @ek.prefix
+      assert_equal "xenc", @ek.namespace.prefix
     end
 
     def test_encrypted_key_namespace
-      assert_equal XMLENC_NS, @ek.namespace
+      assert_equal XMLENC_NS, @ek.namespace.href
     end
 
     def test_encrypted_key_encryption_method
-      em = @ek.elements["xenc:EncryptionMethod"]
+      em = @ek.at_xpath("xenc:EncryptionMethod", NS)
       assert_equal "EncryptionMethod", em.name
-      assert_equal RSA_OAEP, em.attributes["Algorithm"]
+      assert_equal RSA_OAEP, em["Algorithm"]
     end
 
     def test_encrypted_key_cipher_data
-      cd = @ek.elements["xenc:CipherData"]
+      cd = @ek.at_xpath("xenc:CipherData", NS)
       assert_equal "CipherData", cd.name
-      assert_equal "xenc", cd.prefix
+      assert_equal "xenc", cd.namespace.prefix
     end
 
     def test_encrypted_key_cipher_value
-      cv = @ek.elements["xenc:CipherData/xenc:CipherValue"]
+      cv = @ek.at_xpath("xenc:CipherData/xenc:CipherValue", NS)
       assert_equal "CipherValue", cv.name
-      assert_equal "xenc", cv.prefix
+      assert_equal "xenc", cv.namespace.prefix
     end
 
     def test_encrypted_key_cipher_value_is_base64
-      cv = @ek.elements["xenc:CipherData/xenc:CipherValue"]
+      cv = @ek.at_xpath("xenc:CipherData/xenc:CipherValue", NS)
       decoded = Base64.strict_decode64(cv.text)
       assert decoded.bytesize > 0
     end
 
     def test_encrypted_key_can_be_decrypted
-      cv = @ek.elements["xenc:CipherData/xenc:CipherValue"]
+      cv = @ek.at_xpath("xenc:CipherData/xenc:CipherValue", NS)
       encrypted_key = Base64.strict_decode64(cv.text)
-      private_key = @certificate.private_key
+      private_key = @certificate.key
       padding = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
       decrypted_key = private_key.private_decrypt(encrypted_key, padding)
       assert_equal 32, decrypted_key.bytesize

data/test/lyrebird/id_test.rb

@@ -7,5 +7,12 @@ module Lyrebird
     def test_generate_starts_with_underscore
       assert ID.generate.start_with?("_")
     end
+
+    def test_generate_contains_uuid
+      id = ID.generate
+      uuid = id[1..]
+      uuid_pattern = /\A[0-9a-f-]{36}\z/
+      assert_match uuid_pattern, uuid
+    end
   end
 end

data/test/lyrebird/integration_test.rb

@@ -0,0 +1,243 @@
+# frozen_string_literal: true
+
+require "test_helper"
+require "onelogin/ruby-saml"
+
+module Lyrebird
+  class IntegrationTest < Minitest::Test
+    def setup
+      unless defined?(@@idp_cert)
+        @@idp_cert = Certificate.build
+        @@sp_cert = Certificate.build
+      end
+
+      @idp_cert = @@idp_cert
+      @sp_cert = @@sp_cert
+    end
+
+    def test_ruby_saml_parses_signed_response
+      name_id = "user@example.com"
+
+      response = Response.build(sign_with: @idp_cert) do |r|
+        r.name_id = name_id
+      end
+
+      settings = OneLogin::RubySaml::Settings.new.tap do |s|
+        s.idp_cert = @idp_cert.x509_pem
+        s.sp_entity_id = DEFAULTS.audience
+        s.assertion_consumer_service_url = DEFAULTS.recipient
+      end
+
+      saml_response = OneLogin::RubySaml::Response.new(
+        response.mimic,
+        settings: settings
+      )
+
+      assert saml_response.is_valid?, saml_response.errors
+      assert_equal name_id, saml_response.nameid
+    end
+
+    def test_ruby_saml_decrypts_signed_and_encrypted_response
+      name_id = "user@example.com"
+      email = "test@example.com"
+      role = "admin"
+
+      response = Response.build(
+        sign_with: @idp_cert,
+        encrypt_with: @sp_cert
+      ) do |r|
+        r.name_id = name_id
+
+        r.attributes do |a|
+          a.email = email
+          a.role = role
+        end
+      end
+
+      settings = OneLogin::RubySaml::Settings.new.tap do |s|
+        s.idp_cert = @idp_cert.x509_pem
+        s.private_key = @sp_cert.key_pem
+        s.sp_entity_id = DEFAULTS.audience
+        s.assertion_consumer_service_url = DEFAULTS.recipient
+      end
+
+      saml_response = OneLogin::RubySaml::Response.new(
+        response.mimic,
+        settings: settings
+      )
+
+      assert saml_response.is_valid?, saml_response.errors
+      assert_equal name_id, saml_response.nameid
+      assert_equal email, saml_response.attributes["email"]
+      assert_equal role, saml_response.attributes["role"]
+    end
+
+    def test_ruby_saml_parses_idp_initiated_response
+      name_id = "user@example.com"
+      email = "test@example.com"
+
+      response = Response.build(sign_with: @idp_cert) do |r|
+        r.in_response_to = nil
+        r.destination = nil
+        r.name_id = name_id
+
+        r.attributes do |a|
+          a.email = email
+        end
+      end
+
+      settings = OneLogin::RubySaml::Settings.new.tap do |s|
+        s.idp_cert = @idp_cert.x509_pem
+        s.sp_entity_id = DEFAULTS.audience
+        s.assertion_consumer_service_url = DEFAULTS.recipient
+      end
+
+      saml_response = OneLogin::RubySaml::Response.new(
+        response.mimic,
+        settings: settings
+      )
+
+      assert saml_response.is_valid?, saml_response.errors
+      assert_equal name_id, saml_response.nameid
+      assert_equal email, saml_response.attributes["email"]
+    end
+
+    def test_ruby_saml_parses_multi_value_attributes
+      name_id = "user@example.com"
+      groups = ["admin", "users", "developers"]
+      roles = ["editor", "viewer"]
+
+      response = Response.build(sign_with: @idp_cert) do |r|
+        r.name_id = name_id
+
+        r.attributes do |a|
+          a.groups = groups
+          a.roles = roles
+        end
+      end
+
+      settings = OneLogin::RubySaml::Settings.new.tap do |s|
+        s.idp_cert = @idp_cert.x509_pem
+        s.sp_entity_id = DEFAULTS.audience
+        s.assertion_consumer_service_url = DEFAULTS.recipient
+      end
+
+      saml_response = OneLogin::RubySaml::Response.new(
+        response.mimic,
+        settings: settings
+      )
+
+      assert saml_response.is_valid?, saml_response.errors
+      assert_equal name_id, saml_response.nameid
+      assert_equal groups, saml_response.attributes.multi("groups")
+      assert_equal roles, saml_response.attributes.multi("roles")
+    end
+
+    def test_ruby_saml_validates_custom_validity_period
+      name_id = "user@example.com"
+      not_before = Time.now.utc - 60
+      valid_for = 600
+
+      response = Response.build(sign_with: @idp_cert) do |r|
+        r.name_id = name_id
+        r.not_before = not_before
+        r.valid_for = valid_for
+      end
+
+      settings = OneLogin::RubySaml::Settings.new.tap do |s|
+        s.idp_cert = @idp_cert.x509_pem
+        s.sp_entity_id = DEFAULTS.audience
+        s.assertion_consumer_service_url = DEFAULTS.recipient
+      end
+
+      saml_response = OneLogin::RubySaml::Response.new(
+        response.mimic,
+        settings: settings
+      )
+
+      assert saml_response.is_valid?, saml_response.errors
+      assert_equal name_id, saml_response.nameid
+    end
+
+    def test_ruby_saml_rejects_expired_assertion
+      name_id = "user@example.com"
+
+      response = Response.build(sign_with: @idp_cert) do |r|
+        r.name_id = name_id
+        r.valid_for = -10
+      end
+
+      settings = OneLogin::RubySaml::Settings.new.tap do |s|
+        s.idp_cert = @idp_cert.x509_pem
+        s.sp_entity_id = DEFAULTS.audience
+        s.assertion_consumer_service_url = DEFAULTS.recipient
+      end
+
+      saml_response = OneLogin::RubySaml::Response.new(
+        response.mimic,
+        settings: settings
+      )
+
+      assert_operator Time.now.utc, :>=, saml_response.not_on_or_after
+      refute saml_response.is_valid?
+    end
+
+    def test_ruby_saml_rejects_not_yet_valid_assertion
+      name_id = "user@example.com"
+      not_before = Time.now.utc + 600
+
+      response = Response.build(sign_with: @idp_cert) do |r|
+        r.name_id = name_id
+        r.not_before = not_before
+      end
+
+      settings = OneLogin::RubySaml::Settings.new.tap do |s|
+        s.idp_cert = @idp_cert.x509_pem
+        s.sp_entity_id = DEFAULTS.audience
+        s.assertion_consumer_service_url = DEFAULTS.recipient
+      end
+
+      saml_response = OneLogin::RubySaml::Response.new(
+        response.mimic,
+        settings: settings
+      )
+
+      assert_operator Time.now.utc, :<, saml_response.not_before
+      refute saml_response.is_valid?
+    end
+
+    def test_ruby_saml_rejects_tampered_signed_response
+      original_email = "user@example.com"
+      tampered_email = "attacker@evil.com"
+
+      response = Response.build(sign_with: @idp_cert) do |r|
+        r.name_id = "user@example.com"
+
+        r.attributes do |a|
+          a.email = original_email
+          a.role = "user"
+        end
+      end
+
+      doc = Nokogiri::XML(Base64.strict_decode64(response.mimic))
+      xpath = "//saml:Attribute[@Name='email']/saml:AttributeValue"
+      email_attr = doc.at_xpath(xpath, { "saml" => SAML_ASSERTION_NS })
+      email_attr.content = tampered_email
+      tampered = Base64.strict_encode64(doc.to_xml(save_with: 0))
+
+      settings = OneLogin::RubySaml::Settings.new.tap do |s|
+        s.idp_cert = @idp_cert.x509_pem
+        s.sp_entity_id = DEFAULTS.audience
+        s.assertion_consumer_service_url = DEFAULTS.recipient
+      end
+
+      saml_response = OneLogin::RubySaml::Response.new(
+        tampered,
+        settings: settings
+      )
+
+      refute saml_response.is_valid?
+      assert_includes saml_response.errors.join(" "), "Signature"
+    end
+  end
+end